
Integrating Advanced Bot Protection with F5


Follow the procedure below to integrate Advanced Bot Protection with F5.

Verify that you meet the following prerequisites:

  • F5 LTM running 13.1.0 or later with iRules LX provisioned
  • Ability to run Docker containers

Notes:

  • These instructions include procedures for actions in F5. While these procedures were tested and found correct at the time of writing, they may change without Imperva's knowledge, and thus Imperva cannot take responsibility for their accuracy. For more information, see the F5 documentation.
  • On every page of your website that you want to protect, you must add the following line in the HTML header (<head>) section:

<script type="text/javascript" src="<challenge-path-value>" async></script>

where challenge-path-value is the same text string that you enter into the CHALLENGE_PATH= statement in the settings.js file.

It is recommended that you create a name for the challenge path that looks as if it is part of your own web application. This will decrease the likelihood that the protection is blocked by adblockers.

  • The file `imperva.tcl` contains an example integration which will work out-of-the-box. It can be modified to suit your requirements; however, Imperva cannot guarantee functionality if the rule is modified.
  • For more information, see the Connector documentation at http://docs.distilconnector.com.

To integrate Imperva Advanced Bot Protection with F5:

  1. Configure the JavaScript and Tcl files:
    1. Get the example integration code - the Reference Implementation - by clicking on the appropriate link in the Advanced Bot Protection Integration Library. Download the zip file to a location on your computer.
    2. Unzip/unpack the zip file to a location on your computer.
    3. Log into your Advanced Bot Protection account in your browser.
    4. In your Advanced Bot Protection account, select the site whose bot protection you wish to configure. The Website Group Configuration window opens.
    5. If you have not yet configured a Website Group, configure one by referring to Creating a Website Group and Editing a Website.
    6. Under Credentials, select and copy the block of code.
    7. In your unzipped/unpacked folder/directory that contains the Reference Implementation, locate the file credentials.js and open it using a text editor like Notepad++.
    8. Paste the copied block of code from Credentials as the entire content of the credentials.js file. Save the file.
    9. Open the settings.js file using a text editor and edit it as follows:

      {
        "CHALLENGE_PATH": </my-challenge-path>,
        "SDK_CHALLENGE_PATH": </my-sdk/v1/challenge>,
        "TLS_TO_ORIGIN": "false"
      }

      where

      • </my-challenge-path> is the path that the Connector will use to inspect traffic. It is recommended that you make this path look like part of your website so that it is not blocked by end users' add-ons and adblockers.
      • </my-sdk/v1/challenge> is the path that the Imperva Advanced Bot Protection Mobile SDK will use to transmit challenge data to the Imperva backend.
      • TLS_TO_ORIGIN - If your load balancer uses HTTPS to communicate with your backend pools, set this value to the string "true". If not, leave it as "false", in order to have the load balancer offload SSL and communicate with the backend pools via HTTP.
    10. Save the settings.js file.
  2. Create the F5 plugin:

    Note: Since the Advanced Bot Protection plugin requires the f5-nodejs library which is provided by F5, you must provide an exported workspace to be repackaged. If you do not have such a plugin you may create one with the following steps.

    1. Log in to your F5 instance.
    2. Navigate to Local Traffic > iRules > LX Workspaces.
    3. Click Create. The Workspace window appears.
    4. Type a Name for the Workspace.
    5. Click Finished.
    6. Click Add Extension. The Extension window appears.
    7. Type a Name for the Extension and click OK.
    8. Navigate to Local Traffic > iRules > LX Workspaces.
    9. Check the newly-created Workspace.
    10. Click Export… The Workspace is downloaded as an archive to your default download location.
    11. Copy the downloaded LX workspace archive into the config_gen folder in the extracted Reference Implementation directory. Do not extract the LX workspace archive.
    12. Using the command line, navigate to the directory where you extracted the Imperva provided Reference Implementation.
    13. Build the config generator docker container by running the following command:

      docker build -t imperva-config .

    14. Run the container sharing the current directory with the container's /usr/imperva-f5 directory. Examples for various shells are as follows:
      • bash: docker run -it --rm -v "$(realpath .)":/usr/imperva-f5 imperva-config
      • fish: docker run -it --rm -v $PWD:/usr/imperva-f5 imperva-config
      • powershell: docker run -it --rm -v ${pwd}:/usr/imperva-f5 imperva-config

    Notes:

    • If you see a pop-up about sharing your filesystem with the container, select allow.
    • If no pop-up appears and the container gives an error about lack of filesystem permissions, open your Docker settings, go to Resources > File Sharing and click on the + icon to add a new directory. Add the directory from step 1 where you extracted the Imperva provided archive and click on Apply & Restart.
    • If your shell is not one of those in the above examples, refer to the Docker documentation to see how to share your local filesystem with the container.

    After the container runs, there will be a new file, imperva-f5.tgz, in your directory. You will use this file in the next section to install the integration.

  3. Upload the archive to the workspace:
    1. Log in to your F5 instance.
    2. Select Local Traffic > iRules > LX Workspaces. The LX Workspaces window appears.
    3. Click Import. The New Workspace… window appears.
    4. Under Name, type imperva-f5.
    5. Check the Archive File option.
    6. Click Choose File. In the dialog box, navigate to the generated packaged plugin that you created in Step 3 above.
    7. Click Import. The new Workspace appears in your Workspaces.
  4. Create the imperva-f5 LX Plugin:
    1. Select Local Traffic > iRules > LX Plugins.
    2. Click Create...
    3. Under Name, type imperva-f5.
    4. Under From Workspace, click the drop down menu and select imperva-f5.
    5. Click Finished.
  5. Create a new pool for the analysis request:
    1. Select Local Traffic > Pools > Pool List. The Pool List window appears.
    2. Click Create. The New Pool window appears.
    3. Under Name, type imperva.
    4. Under New Members:
      • Select New FQDN Node.
      • Under Node Name, give it a name of your choice.
      • Under Address, copy and paste the analysisHost value from the credentials.js file.
      • Under Service Port, select HTTPS.
      • Ensure that the Auto Populate drop down is set to Enabled.
    5. Under Health Monitors, use the buttons to move tcp_half_open from Available to Active.
    6. Click Add.
    7. Click Finished.
  6. Enable protection on a virtual server:
    1. Select Local Traffic > Virtual Servers > Virtual Server List. The Virtual Server List window appears.
    2. Select one of the servers that you want to protect. Verify that in Configuration > SSL Server, serverssl is in the Selected box.

      Note: The default serverssl profile is acceptable if none is already in use. Click Update if adding the server SSL profile.

      Adding this profile when offloading SSL on the load balancer and sending HTTP requests to the origin (TLS_TO_ORIGIN: "false") may cause an outage until the integration is activated. Be sure to activate this profile during a scheduled maintenance window only.

    3. Under the server's Resources tab, under iRules, click Manage.
    4. Use the buttons to move imperva-f5 to Enabled.
    5. Repeat for each virtual server you want to protect.
  7. Test your integration. For more information, see Testing the Integration of Advanced Bot Protection with Third Party Products.
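
Before testing, it helps to confirm that the settings.js values and the script tag on each protected page agree. The following check is an added example and is not part of Imperva's Reference Implementation; the function names, the sample paths and the sample pages are constructed, and it assumes both challenge paths are site-relative (start with "/").

```javascript
// Added example (not Imperva's code); settings are assumed loaded as a plain object.
// Parse one <script ...> opening tag into {name: value}; bare attributes map to true.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<script\b/i, "").replace(/\/?>$/, "");
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? true;
  }
  return attrs;
}

// Paths are assumed site-relative; TLS_TO_ORIGIN must be a string, not a boolean.
function checkSettings(s) {
  const findings = [];
  for (const key of ["CHALLENGE_PATH", "SDK_CHALLENGE_PATH"]) {
    if (typeof s[key] !== "string" || !s[key].startsWith("/")) {
      findings.push(`${key} must be a path string starting with "/"`);
    }
  }
  if (!["true", "false"].includes(s.TLS_TO_ORIGIN)) {
    findings.push('TLS_TO_ORIGIN must be the string "true" or "false"');
  }
  return findings;
}

// The page needs a script tag inside <head> whose src equals CHALLENGE_PATH exactly.
function checkPage(name, html, challengePath) {
  const headMatch = html.match(/<head\b[^>]*>([\s\S]*?)<\/head>/i);
  const tagsIn = (text) => (text.match(/<script\b[^>]*>/gi) || []).map(parseAttrs);
  const tag = tagsIn(headMatch ? headMatch[1] : "").find((a) => a.src === challengePath);
  if (tag) return "async" in tag ? [] : [`${name}: challenge script lacks async`];
  const elsewhere = tagsIn(html).some((a) => a.src === challengePath);
  return [`${name}: challenge script ` +
    (elsewhere ? "is outside <head>" : "is missing or its src differs from CHALLENGE_PATH")];
}

function audit(settings, pages) {
  return checkSettings(settings).concat(Object.entries(pages).flatMap(
    ([name, html]) => checkPage(name, html, settings.CHALLENGE_PATH)));
}

// Constructed sample input: a boolean TLS_TO_ORIGIN, one correct page, two broken ones.
const SAMPLE_SETTINGS = { CHALLENGE_PATH: "/assets/ui.js", SDK_CHALLENGE_PATH: "/api/v1/ui", TLS_TO_ORIGIN: false };
const SAMPLE_PAGES = {
  "index.html": '<head><script type="text/javascript" src="/assets/ui.js" async></script></head>',
  "login.html": '<head><script src="/assets/u1.js" async></script></head>',
  "cart.html": "<head></head><body><script src='/assets/ui.js' async></script></body>",
};
console.log(audit(SAMPLE_SETTINGS, SAMPLE_PAGES).join("\n"));
```

An empty result from audit means every listed page carries the tag in its head section and the settings values have the expected types.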
