Support ID

In the previous lab exercises you may have noticed that a “support ID” appears when you trigger a WAF block.

The requested URL was rejected. Please consult with your administrator.

Your support ID is: 218bdf56-f34a-42f4-931b-1ba5f8873353

[Go Back]

We can use the reported support ID to disable specific signatures. Copy the value to your clipboard (i.e. highlight the support ID in Chrome and select “Copy”, or press Ctrl-C).

Exercise 1: Generate Cross Site Scripting (XSS)

  1. Send the following request to your studentxxx.sales-public.f5demos.com site

    /headers/?username=<script>window.open(%27hello%20world%27);</script>

  2. Retrieve the “support ID” that is displayed.

  3. From the Volterra Console go back to “Security Events” (from Lab 2 / Exercise 6)

  4. Click on “Refresh” (on the page) until you see a request that matches the time of your most recent request.

    [Screenshot: Security Events page, Refresh button]
  5. Click on “Add Filter” under Security events

    [Screenshot: Security Events page, Add Filter]
  6. Select “req_id”

    Warning

    If you do not see “req_id”, you may need to refresh your browser window. Also ensure that you see at least one event on the page.

  7. Select the Operator “In”

  8. Paste in the support ID.

    [Screenshot: Security Events filter, pasting the support ID into req_id]
  9. Click on “Assign…”

    [Screenshot: Security Events filter, Assign]
  10. At the bottom of the page you should see the desired Security Event. Scroll to the far right to look for the “Actions” column and click on the three dots “…”

  11. Select “Create WAF Exclusion Rule” from the “Actions” menu

    [Screenshot: Actions menu, Create WAF Exclusion Rule]

Exercise 2: Creating WAF Exclusion Rule

  1. Take note of the list of security IDs that are listed.

    [Screenshot: WAF Exclusion Rule, list of signature IDs]
  2. Search for one of the IDs at https://clouddocs.f5.com/cloud-services/latest/f5-cloud-services-Essential.App.Protect-Details.html. For example, searching for “200000091” should return an “XSS script tag end (Headers)” signature.

  3. Click on “Apply”. You will be taken to the HTTP Load Balancer configuration, where “WAF Exclusion Rules” should now show as “Configured”.

  4. Scroll to the bottom of the page and click on “Save and Exit”

  5. Retry visiting your site with the same URL to your studentxxx.sales-public.f5demos.com site

    /headers/?username=<script>window.open(%27hello%20world%27);</script>

Exercise 3: View Requests Log

We can also view requests that have been excluded from a WAF policy by viewing the requests log.

  1. From the “Security Events” page in VoltConsole click on the “Requests” menu item at the top of the page.

  2. Look for a “GET” request for /headers/ and click on the arrow on the left of the date to expand the entry.

  3. Observe that under “Policy Hits” you will see the WAF exclusion rule that was triggered.

    [Screenshot: Requests log entry, Policy Hits showing the WAF exclusion rule]
  4. Try visiting your site with a different URL to your studentxxx.sales-public.f5demos.com site

    /txt/?username=<script>window.open(%27hello%20world%27);</script>

  5. Observe that this request is blocked. Volterra WAF can exclude signatures by both signature ID and path, and these exclusions are tied to a specific HTTP Load Balancer.
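The following is an added example (not part of the lab or of the Volterra product) that models what Exercises 1 to 3 walk through: pulling the support ID out of a block page so it can be matched against req_id, and checking that an exclusion rule is scoped to one signature ID on one path, so that /headers/ is allowed while /txt/ stays blocked. The rule model (exact path match, a set of signature IDs) and the sample events are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the UUID printed on the WAF block page ("Your support ID is: ...").
SUPPORT_ID_RE = re.compile(
    r"Your support ID is:\s*([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
)


def extract_support_id(block_page: str) -> Optional[str]:
    """Return the support ID from a block page (lower-cased), or None if absent."""
    m = SUPPORT_ID_RE.search(block_page)
    return m.group(1).lower() if m else None


@dataclass(frozen=True)
class ExclusionRule:
    # Assumed model: one rule excludes a set of signature IDs on one exact path.
    signature_ids: frozenset
    path: str


def exclusion_applies(rules, path: str, signature_id: int) -> bool:
    """True if some rule excludes this signature for this exact request path."""
    return any(signature_id in r.signature_ids and r.path == path for r in rules)


def audit_events(rules, events):
    """Annotate security events (req_id, path, sig_id) with the action the
    exclusion rules should produce: 'allow' if excluded, otherwise 'block'."""
    return [{**e, "expected": "allow" if exclusion_applies(rules, e["path"], e["sig_id"])
             else "block"} for e in events]


def over_broad_rules(rules):
    """Flag rules with no path restriction, so an exclusion meant for one
    endpoint is not silently applied to every path on the load balancer."""
    return [r for r in rules if r.path in ("", "/")]


# Constructed sample data (not captured from a real deployment).
BLOCK_PAGE = ("The requested URL was rejected. Please consult with your administrator.\n"
              "Your support ID is: 218bdf56-f34a-42f4-931b-1ba5f8873353\n")
RULES = [ExclusionRule(frozenset({200000091}), "/headers/")]
EVENTS = [
    {"req_id": "218bdf56-f34a-42f4-931b-1ba5f8873353", "path": "/headers/", "sig_id": 200000091},
    {"req_id": "11111111-2222-4333-8444-555555555555", "path": "/txt/", "sig_id": 200000091},
]

if __name__ == "__main__":
    print(extract_support_id(BLOCK_PAGE))
    for row in audit_events(RULES, EVENTS):
        print(row["path"], row["expected"])
```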

Congratulations, you have completed the lab!