
Instructor Notes for F5 ASM / AWAF Hands-on Exercises

FYI: Answers to the exercise guide “questions” are at the end of each lesson.

ASM Lesson 2 – Exercise – Use File Type Enforcement


Task 1
• Make sure students have run the TMSH commands at the beginning of the exercise. The TMSH
commands remove the security policy they created in the first exercise, which will then enable them to
create a new security policy with the same name in this exercise.
Task 2
• If students ask, we are using the iRule to modify the single source IP address of the Windows
workstation to random IP addresses. This is necessary to simulate requests coming from more than one
source (which is necessary to see the learning scores increase). Each request will generate a different,
random IP address. For this to work with an ASM security policy, we must enable the Trust XFF Header
option on the Policy Properties page.
Tasks 4 and 5
• If a student doesn’t follow the steps as written, some of their file type suggestion scores may fall
outside the expected ranges (valid file types: 25-100, non-valid file types: 0-24). If that happens,
they may need to either adjust the slider value or simply add the file type individually.
• Anywhere where the exercise guide specifies a New private window (Firefox), an InPrivate Browsing
window (IE), or a New incognito window (Chrome), it’s important that students follow the instruction.
If not, their web browser may fulfill the page request from cache and the request won’t go through the
BIG-IP system and ASM, which will result in no learning score increase.

ASM Lesson 3 – Exercise – Use Policy Building with Trusted and Untrusted Requests
Task 3
• It’s possible that the first time they run the iMacro, ASM won’t fully populate the Parameters List page.
They may not see two each of the Login, Submit, id, password, and username parameters. If that happens,
have them rerun the macro from a new private Firefox window and then check again.

ASM Lesson 4 – Exercise – Stage and Enforce Entities


Task 2
• Some students will want to know what all the numeric values are that they’re changing at the bottom of
the Learning and Blocking Settings page. Tell them that the specific values aren’t important, but as we
lower values (.0001 days is approximately 9 seconds), we’re drastically lowering the amount of time
ASM expects between requests from trusted sources to stabilize the security policy. We’re doing this to
simulate weeks and weeks of activity in just a few minutes.

PBC – ASM / AWAF Full Course – Instructor Notes for Hands-on Exercises Page 1
Task 3
• The purpose of this task is to show how a security policy in automatic mode will change attribute
values and enforce entities automatically. Students are using the lowered learning values and the
iMacro to simulate a lot of web application traffic over time.

Task 4
• After the exercise, be sure to confirm with your students that they understand why the cross-site
scripting attack against the name parameter was blocked, but the initial SQL injection attack against
the id parameter wasn’t blocked. This is one of the most important “summaries” to get from this
hands-on exercise.

ASM Lesson 5 – Exercise – Use ASM Attack Signatures


Task 1
• The values listed in the guide (of the number of attack signatures) may change depending on
the BIG-IP version being used.

Task 2
• When the exercise guide states “Click the DVWA bookmark, then...”, they need to click the bookmark
first to clear out the previous signature violation.
Task 3
• If a student manually types the custom signature name, it’s likely they’ll miss the “.” between the % and
Chumbawamba. While this won’t prevent the exercise from working as written, it will make it hard to
locate the signature when they’re adding it to the signature set. However, if they manually type
chumbawamba for the rule and they make a typo, the rest of the task will not work as written.
The recommendation is for them to use the copy and paste guide in the Documents directory.

ASM Lesson 6 – Exercise – Use Brute Force Protection


Task 3
• If they aren’t getting the username details in the event logs (after having created the Login Page
element), it’s likely they didn’t configure the Login Page correctly. Double-check the values in the table.

Task 4
• In this task they are presented with a CAPTCHA challenge, and then they view the corresponding event
log entry. However, if they either a) don’t enter the CAPTCHA challenge, or b) don’t enter it fast enough,
then there won’t be an event log entry for this. ASM only records an event log entry when a user is
presented with a CAPTCHA challenge and successfully enters the challenge in a relatively short amount
of time (10 – 15 seconds). If the student has trouble seeing the event log entry, have them run the brute
force macro again, immediately enter a successful CAPTCHA challenge, and then attempt to view
the log entry. It should be there.

ASM Lesson 7 – Exercise – Use CSRF and Parameter Tampering Protection, and Geolocation
Enforcement
Task 1
• This exercise requires them to use Internet Explorer (the bookmarks aren’t in Chrome or Firefox).
It also requires them to use two tabs in Internet Explorer to see the CSRF attack succeed.

Tasks 3 and 4
• Sometimes Burp Suite doesn’t display the correct details after clicking the Submit button on
the DVWA page. If that happens, simply turn Intercept off again, reset the DVWA page to
the XSS reflected page, then turn Intercept back on and try it again.

Task 7
• Because the ASM report data takes up to 5 minutes to display, remind the students that they should
start a break when they’re prompted in the exercise guide.

ASM Lesson 8 – Exercise – Use DataGuard for PCI Compliance


Task 3
• Sometimes students won’t copy and paste the credit card numbers and instead type their own random
numbers. If they do that, it’s likely that the credit card number they enter won’t be masked, as it may
not fit the full guidelines of VISA credit card number formatting.
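The note above says a made-up number usually isn’t masked because it doesn’t fit the VISA number format. The following is an added example (not part of these instructor notes and not F5’s DataGuard code) that models that behaviour with a simplified stand-in: a candidate must start with 4, be 13 or 16 digits long, and pass the Luhn checksum before it is masked. The regex, the Luhn check and the “keep the last four digits” masking rule are assumptions about how such a filter is typically built, not a description of DataGuard internals. The sample strings are constructed test values.

```python
import re

# Candidate VISA numbers: a 4 followed by 12 or 15 more digits (13 or 16 total),
# optionally grouped with spaces or dashes. Assumed pattern for this demo only.
VISA_CANDIDATE = re.compile(r"\b4(?:[ -]?\d){12}(?:(?:[ -]?\d){3})?\b")


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right (subtracting 9 if the
    result exceeds 9), sum everything, and require the total to be a multiple of 10."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_number(match_text):
    """Replace all but the last four digits with '*', keeping separators in place."""
    digit_count = sum(ch.isdigit() for ch in match_text)
    keep_from = digit_count - 4
    out, idx = [], 0
    for ch in match_text:
        if ch.isdigit():
            out.append(ch if idx >= keep_from else "*")
            idx += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_visa_numbers(text):
    """Mask every candidate in `text` that also passes the Luhn check; leave the rest
    untouched, which is what happens to a randomly typed number in the lab."""
    def repl(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_number(raw) if luhn_valid(digits) else raw
    return VISA_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    # Constructed samples: a well-known VISA test number, a grouped copy of it,
    # and a random-looking 16-digit number that fails the checksum.
    for sample in ["Card: 4111111111111111 exp 12/26",
                   "Card: 4111 1111 1111 1111",
                   "Card: 4123456789012345"]:
        print(sample, "->", mask_visa_numbers(sample))
```

The third sample is the situation the note describes: it has the right length and prefix but fails the checksum, so it passes through unmasked. A number with a different prefix or length never even reaches the checksum.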

ASM Lesson 9 – Exercise – Use Parent and Child Security Policies


Task 4
• If the command execution attack isn’t blocked, it’s likely that the student didn’t select to place the
child policy in Blocking mode when they created it.

If Time Permits
• If the SQL injection attack isn’t blocked, it’s likely that the student didn’t select to place the child policy
in Blocking mode when they created it.

ASM Lesson 10 – Exercise – Use Login Enforcement and Violation Detection


Task 1
• Directly after they finish creating the new security policy, they open a new tab and click the DVWA
bookmark. This is simply so that the policy builder will add the login.php URL to the allowed URLs list.
After they disable learning and access the DVWA page again, this time it’s to see that there is now
username tracking taking place.

Task 2
• When creating the login page element for this exercise, we don’t include the string that should not
appear in the response. That’s because we’re only looking for successful logins for this exercise; we’re
not concerned about failed logins.

Task 3
• The workflow in this task is: after the students set the username threshold to 10, they log in and
submit 5 violations. When they examine the blocked log entries they should see that they were blocked
simply for signature violations. However, once they’ve submitted more than 10 violations, they should
see that the most recent requests were blocked due to access from a disallowed user.

ASM Lesson 11 – Exercise – Use Cookie Hijacking Protection


Task 1
• The only way to copy the cookie value from PuTTY is to type Ctrl+C (you can’t right-click the mouse).

Task 2
• At the end of the task they disable ASM Cookie Hijacking protection. This is so they can see what
happens when this feature is disabled at the beginning of task 4.

Task 4
• For this task to work, they must see a second ASM cookie that begins with TSPD_101. If they don’t see
this cookie after they re-run the tail command, they should reload the page a few more times using
Ctrl+F5, then close the page, and then open a new InPrivate Browsing window and try again.

ASM Lesson 12 – Exercise – Use Layer 7 DoS Protection


Task 1
• For reporting to work in this exercise, students need to ensure their Windows desktop clock matches
the time on the BIG-IP system. They can do this by updating the system time per the instructions in the
exercise guide.

Task 3
• It’s very important to reiterate that, after applying the bot defense profile, there are no longer any
event log entries. This illustrates that all bot attack traffic is blocked before it reaches the ASM security
policy.

Task 5
• In this task, students access the web site from the Traffic Generator desktop. This is simply to illustrate
that the client-side integrity defense only blocks requests from the source IP of the DoS attack. Other source
IP addresses can continue to access the web application.

Task 6
• Because the ASM report data takes up to 5 minutes to display, remind the students that they should
start a break when they’re prompted in the exercise guide.

ASM Lesson 13 – Exercise – Use Distributed Brute Force and Credential Stuffing Protection
Task 1
• It’s very helpful if students have already performed the exercises for source-based brute force
protection from ASM lesson 6.
• In these exercises students will use Sentry MBA to launch the attacks instead of using a Firefox iMacro.

Task 2
• Directly after students finish creating the new security policy, they open a new tab and click
the Hack Login bookmark. This is simply so that the policy builder will add the /user/login URL to the
allowed URLs list.
• The purpose of task 2 is to show that source-based brute force protection is sufficient when the source
of the attack is coming from a single IP address. In the second part of the task they use an iRule that will
force every request to come from a random IP address, which will cause the source-based brute force
protection.
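The following is an added example (not part of these instructor notes and not F5 code) that models the point made here and in Lesson 2 Task 2 and Lesson 6: source-based brute force protection counts failed logins per source address, so once every request appears to come from a different address (the XFF-randomizing iRule, with Trust XFF Header enabled) that counter never reaches its threshold, while a per-username counter of the kind used for login enforcement and credential stuffing protection still does. The log line format, the thresholds (5 per source, 10 per username) and the sample traffic are all constructed for this demo and are not ASM’s real log format or defaults.

```python
import re
from collections import Counter

# Constructed log line format for this demo (not ASM's actual log format):
#   "<client_ip> xff=<X-Forwarded-For value or -> user=<username> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<client>\d{1,3}(?:\.\d{1,3}){3}) xff=(?P<xff>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

SOURCE_THRESHOLD = 5     # assumed: failed logins per source before that source is challenged
USERNAME_THRESHOLD = 10  # assumed: failed logins per username before that username is locked


def parse_line(line):
    """Parse one constructed log line into a dict; refuse anything unexpected."""
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def effective_source(rec, trust_xff):
    """Address the request is attributed to: X-Forwarded-For only when it is trusted."""
    if trust_xff and rec["xff"] != "-":
        return rec["xff"].split(",")[0].strip()  # leftmost hop of the header
    return rec["client"]


def count_failures(lines, trust_xff):
    """Tally failed logins per effective source and per username."""
    by_source, by_user = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec["result"] != "fail":
            continue
        by_source[effective_source(rec, trust_xff)] += 1
        by_user[rec["user"]] += 1
    return by_source, by_user


def evaluate(lines, trust_xff):
    """Return which sources and which usernames crossed their thresholds."""
    by_source, by_user = count_failures(lines, trust_xff)
    return {
        "blocked_sources": sorted(s for s, n in by_source.items() if n >= SOURCE_THRESHOLD),
        "blocked_users": sorted(u for u, n in by_user.items() if n >= USERNAME_THRESHOLD),
    }


def make_attack_log(failures, spread_xff):
    """Constructed sample: one workstation (10.1.10.10) sends `failures` bad logins for
    'admin'. With spread_xff=True every request carries a different X-Forwarded-For
    value, standing in for the randomizing iRule from the lab (distinct rather than
    random values, so the outcome is deterministic)."""
    lines = []
    for i in range(failures):
        xff = f"203.0.113.{i + 1}" if spread_xff else "-"
        lines.append(f"10.1.10.10 xff={xff} user=admin result=fail")
    # A legitimate successful login from elsewhere must not count toward either tally.
    lines.append("192.0.2.7 xff=- user=gordonb result=ok")
    return lines


if __name__ == "__main__":
    for spread, trust in [(False, False), (True, False), (True, True)]:
        verdict = evaluate(make_attack_log(12, spread), trust)
        print(f"spread_xff={spread} trust_xff={trust}: {verdict}")
```

Running it shows the three lab situations in turn: a single source is blocked by the source counter alone; a spread XFF header makes no difference while the header is not trusted; and once the header is trusted the source counter goes quiet and only the username counter catches the attack. The same mechanism is why Trust XFF Header should only be enabled when the BIG-IP sits behind a proxy you control, since otherwise the per-source identity is whatever the client chooses to send.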

Task 3
• Students use Chrome to access the Hackazon login page to show that during a distributed brute force
attack, all users will be presented with the CAPTCHA challenge.

ASM Lesson 14 – Exercise – Use Behavioral DoS Protection


Task 1
• For reporting to work in this exercise, students need to ensure their Windows desktop clock matches
the time on the BIG-IP system. They can do this by updating the system time per the instructions in the
exercise guide.

Task 2
• It will take several minutes to fully generate the baseline. Remind the students that they should start a
break when they’re prompted in the exercise guide.
• It’s very important that students do not move on to task 3 until they have fully established their
baseline.

Task 3
• It’s possible that while students are refreshing the dynamic signatures page, the signatures will
disappear before they are able to approve them. That is not a problem; the rest of the exercise will work
as written.
• Students need to let the attack run for a few minutes to ensure that the source IP addresses get added
to the bad actor list.

• Ensure the students have performed the steps at the end of the exercise before they move on to the
next exercise.
