Installation

Configuring a virtual server and pool for PerimeterX backend requests

Note: The BIG-IP device must have public internet access in order to communicate with the PerimeterX cloud services. Make sure to include the proper routing and gateway configuration.

Import the HSSR and HSSR-helper iRules downloaded from F5 DevCentral. These iRules are used for HTTP client communication and TLS/SSL communication with PerimeterX backends.

Important Note: Make sure that the iRule names are: HSSR and HSSR-helper (corresponding to each rule).

Configuring Pool: px_backend_pool

  1. Under Local Traffic > Pools > Pool List, create a new pool.
  2. Set the pool name to: px_backend_pool.
  3. Set Health Monitor to tcp_half_open.
  4. Select new FQDN Node.
  5. Set Node Name to your app ID.

    Note: App ID can be retrieved from the PerimeterX portal under Admin->Applications.

  6. Set Address to sapi-<APP_ID>.perimeterx.net
  7. Set the Service Port to 443.
  8. Set Auto Populate to Enabled.
  9. Click Add & Finished

Configuring Virtual Server: px_backend_vip

  1. Under Local Traffic > Virtual Servers > Virtual Servers List, create a new virtual server.
    This virtual server must have external access for the pool members.
  2. Set Name to px_backend_<APP_ID>_vip (The naming convention is important as the PerimeterX iRule uses this vip to send backend requests).

    Note: Make sure to replace <APP_ID> with the same app ID used in the previous section.

  3. Set Source Address to 0.0.0.0/0
  4. Set Destination Address/Mask to the IP of any node that does not already have an IP assigned to it (for example: 10.0.0.30).
  5. Set Service Port to a random, not publicly accessible port (for example: port 55000).
  6. Set HTTP Profile to http.
  7. Configure the SSL Profile (Server) to use serverssl.
  8. Configure the Source Address Translation to Auto Map.
  9. Under Resources enable the HSSR-helper iRule.
  10. Set the Default pool to px_backend_pool.

Configuring Activities Report

This step is crucial for the PerimeterX iRule to send statistics to the PerimeterX backend and show data in the portal.
To send statistics and logs from the PerimeterX module asynchronously, we will use Syslog.

Note: PerimeterX backends are set to reject any unauthorized IP address. Please contact your designated PerimeterX Solution Architect to authorize your backend's IP address with the PerimeterX backends.

Configuring an SSL Server Profile

  1. Under Local Traffic -> Profiles -> SSL -> Server create a new profile.
  2. Set Name to px-syslog-ssl-profile.
  3. Set Parent Profile to serverssl-insecure-compatible.
  4. Click Finished.

Configuring Pool: px_secure_syslog_pool

  1. Under Local Traffic -> Pools -> Pool List create a new pool.
  2. Set Name to px_secure_syslog_pool.
  3. Set the node to New FQDN Node.
  4. Set Node Name to px_activities_node.
  5. Set FQDN to px-fst-syslog.perimeterx.net.
  6. Set Service Port to 6514.
  7. Set Auto Populate to Enabled.
  8. Click Add and Finished.

Configuring Virtual Server: px_syslog_vs

  1. Under Local Traffic -> Virtual Servers -> Virtual Servers List, create a new virtual server. This virtual server must have external access for the pool members.
  2. Set Name to px_syslog_vs.
  3. Set Source Address to 0.0.0.0/0
  4. Set Destination Address/Mask to any IP of a node that doesn't exist (for example: 10.0.0.20).
  5. Set Service Port to 514.
  6. Configure the SSL Profile (Server) to use px-syslog-ssl-profile.
  7. Set px_secure_syslog_pool as the Default pool.
  8. Click Finished.

Configuring Pool: px_syslog_pool

  1. Under Local Traffic -> Pools -> Pool List create a new pool.
  2. Set Name to px_syslog_pool. The naming convention is important as the PerimeterX iRule uses this vip to send backend requests.
  3. Set Health Monitor to tcp_half_open.
  4. Set the node to New Node.
  5. Set Node Name to px_vs_syslog.
  6. Set Address to the same address as the px_syslog_vs virtual server (in the example above 10.0.0.20).
  7. Set Service Port to 514.
  8. Click Add and Finished.

Configure High Speed Logging

  1. Under System > Logs > Configuration > Log Destinations create a new destination.
  2. Set Name to perimeterx_hsl.
  3. Set Type to Remote-High-Speed Log.
  4. Set Pool Name to px_syslog_pool.
  5. Set Protocol to TCP.
  6. Click Finished.

Configure Syslog

  1. Under System > Logs > Configuration > Log Destinations create a new destination.
  2. Set Name to perimeterx_syslog.
  3. Set Type to Remote Syslog.
  4. Set Syslog Format to Syslog.
  5. Set Forward To to perimeterx_hsl.
  6. Click Finished.

Configure Publisher

  1. Under System > Logs > Configuration > Log Publishers create a new publisher.
  2. Set Name to perimeterx-publisher.
  3. Under Destinations move perimeterx_syslog to Selected.
    This will forward the logs to the hsl we previously configured.
  4. Click Finished.

Configure Log Filters

  1. Under System > Logs > Configuration > Log Filters create a new filter.
  2. Set Name to perimeterx_filter.
  3. Set Severity to Debug.
  4. Set Source to all.
  5. Set Message ID to 01070410 (or any other random number).
  6. Under Log Publisher select perimeterx-publisher.
  7. Click Finished.
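
The activities-report steps above depend on several objects referring to each other by exact name, address and port. The following consistency check is an added example, not part of the PerimeterX module or the original page; it assumes the configuration has been exported in the shape of `tmsh list <object> one-line` output, and the sample text is constructed for illustration.

```python
import re

# Constructed sample (not from a real device), trimmed to the fields this page
# sets and shaped like `tmsh list <object> one-line` output (assumed format).
SAMPLE = """\
sys log-config destination remote-high-speed-log perimeterx_hsl { pool-name px_syslog_pool protocol tcp }
ltm pool px_syslog_pool { members { px_vs_syslog:514 { address 10.0.0.20 } } monitor tcp_half_open }
ltm virtual px_syslog_vs { destination 10.0.0.20:514 pool px_secure_syslog_pool profiles { px-syslog-ssl-profile { context serverside } tcp { } } source 0.0.0.0/0 }
ltm pool px_secure_syslog_pool { members { px_activities_node:6514 { fqdn { autopopulate enabled name px-fst-syslog.perimeterx.net } } } }
"""

def parse(text):
    """Return {object name: body} for each one-line object definition."""
    objs = {}
    for line in text.splitlines():
        m = re.match(r"(.+?) (\S+) \{ (.*) \}$", line.strip())
        if m:
            objs[m.group(2)] = m.group(3)
    return objs

def field(body, key):
    """Return the single-token value that follows `key` in a body, or None."""
    m = re.search(rf"(?:^| ){re.escape(key)} (\S+)", body)
    return m.group(1) if m else None

def check(text):
    """Return a list of broken links in the activities-report chain."""
    o = parse(text)
    problems = []
    if field(o.get("perimeterx_hsl", ""), "pool-name") != "px_syslog_pool":
        problems.append("perimeterx_hsl does not forward to px_syslog_pool")
    # The plain pool's only member must be the local virtual server itself.
    m = re.search(r"members \{ \S+:(\d+) \{ address (\S+)", o.get("px_syslog_pool", ""))
    vs = o.get("px_syslog_vs", "")
    if not m or f"{m.group(2)}:{m.group(1)}" != field(vs, "destination"):
        problems.append("px_syslog_pool member does not match px_syslog_vs destination")
    if field(vs, "pool") != "px_secure_syslog_pool":
        problems.append("px_syslog_vs default pool is not px_secure_syslog_pool")
    # Without the server-side SSL profile the hop to port 6514 is not TLS.
    if "px-syslog-ssl-profile { context serverside }" not in vs:
        problems.append("px_syslog_vs lacks server-side px-syslog-ssl-profile")
    sec = o.get("px_secure_syslog_pool", "")
    if not re.search(r"members \{ \S+:6514 \{", sec) or "name px-fst-syslog.perimeterx.net" not in sec:
        problems.append("px_secure_syslog_pool is not px-fst-syslog.perimeterx.net:6514")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE) or "activities-report chain is consistent")
```

An empty list means every hop from the log destination to the TLS syslog pool lines up with the names and ports given on this page.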

Configure PerimeterX iRule

  1. Create a new iRule named px.
  2. Copy the content of px.tcl into the px iRule and update the following keys under RULE_INIT:
  • APP_ID - The PerimeterX custom application id in the format of PX__ .
  • AUTH_TOKEN - The JWT token used for REST API. The Authentication Token is generated in PerimeterX Portal > Application page.
  • COOKIE_SECRET - The key used by the cookie signing page. The Cookie Key is generated in the PerimeterX Portal > Policy page.

    Note: If you configured a pool for PerimeterX activities report (px_syslog_pool) - uncomment the CLIENT_ACCEPTED rule (lines 2-4) in the iRule editor.

  3. Add the px iRule to the Virtual Server you want to protect with PerimeterX.
