Contents x
    Installation
    • 09 Nov 2023
    • Print
    • Dark
      Light
    Contents

    Installation

    • Updated on 09 Nov 2023
    • Print
    • Dark
      Light
    Article Summary

    Configuring a virtual server and pool for HUMAN backend requests

    Note
    The BIG-IP device must have public internet access in order to communicate with the HUMAN cloud services. Make sure to include the proper routing and gateway configuration.

    Import the HSSR and HSSR-helper iRules downloaded from F5 DevCentral. These iRules are used for http client communication and TLS/SSL communication with HUMAN backends.

    Important Note
    Make sure that the iRule names are: HSSR and HSSR-helper (corresponding to each rule).

    Configuring Pool: px_backend_pool

    1. Under Local Traffic > Pools > Pool List, create a new pool.
    2. Set the pool name to: px_backend_pool.
    3. Set Health Monitor to tcp_half_open.
    4. Select new FQDN Node.
    5. Set Node Name to your app ID.
      Note
      App ID can be retrieved from the HUMAN portal under Admin->Applications.
    6. Set Address to sapi-<APP_ID>.perimeterx.net
    7. Set the Service Port to 443.
    8. Set Auto Populate to Enabled.
    9. Click Add & Finished

    Configuring Virtual Server: px_backend_vip

    1. Under Local Traffic > Virtual Servers > Virtual Servers List, create new virtual server.
      This virtual server must have external access for the pool members.
    2. Set Name to px_backend_<APP_ID>_vip (The naming convention is important as the HUMAN iRule uses this vip to send backend requests).
      Note
      Make sure to replace <APP_ID> with the same app ID used in the previous section.
    3. Set Source Address to 0.0.0.0/0
    4. Set Destination Address/Mask Set the IP of any node that does not already have an IP assigned to it (for example: 10.0.0.30).
    5. Set Service Port to a random, not publicly accessible port. (for example: port 55000).
    6. Set HTTP Profile to http.
    7. Configure the SSL Profile (Server) to use serverssl.
    8. Configure the Source Address Translation to Auto Map.
    9. Under Resources enable the HSSR-helper iRule.
    10. Set the Default pool to px_backend_pool.

    Configuring Activities Report

    this step is crucial for the HUMAN iRule to send statistics to HUMAN backend and show data in the portal.
    In order to send statistics and logs from the HUMAN  module in an asynchronous way, we will use Syslog.

    Note
    HUMAN backends are set to reject any unauthorized IP address, please contact your designated HUMAN Solution Architect to authorize your backends IP address with HUMAN backends.


    Configuring an SSL Server Profile

    1. Under Local Traffic -> Profiles -> SSL -> Server create a new profile.
    2. Set Name to px-syslog-ssl-profile.
    3. Set Parent Profile to serverssl-insecure-compatible.
    4. Click Finished.

    Configuring Pool: px_secure_syslog_pool

    1. Under Local Traffic -> Pools -> Pool List create a new pool.
    2. Set Name to px_secure_syslog_pool.
    3. Set the node to New FQDN Node.
    4. Set Node Name to px_activities_node.
    5. Set FQDN to px-fst-syslog.perimeterx.net.
    6. Set Service Port to 6514.
    7. Set Auto Populate to Enabled.
    8. Click Add and Finished.

    Configuring Virtual Server: px_syslog_vs

    1. Under Local Traffic -> Virtual Servers -> Virtual Servers List, create new virtual server. This virtual server must have external access for the pool members.
    2. Set Name to px_syslog_vs.
    3. Set Source Address to 0.0.0.0/0
    4. Set Destination Address/Mask Set any ip of a node that doesn't exist (for example: 10.0.0.20).
    5. Set Service Port to 514.
    6. Configure the SSL Profile (Server) to use px-syslog-ssl-profile.
    7. Set px_secure_syslog_pool as the Default pool.
    8. Click Finished.

    Configuring Pool: px_syslog_pool

    1. Under Local Traffic -> Pools -> Pool List create a new pool.
    2. Set Name to px_syslog_pool. The naming convention is important as the HUMAN iRule use this vip to send backend requests.
    3. Set Health Monitor to tcp_half_open.
    4. Set the node to New Node.
    5. Set Node Name to px_vs_syslog.
    6. Set Address to the same address as the px_syslog_vs virtual server (in the example above 10.0.0.20).
    7. Set Service Port to 514.
    8. Click Add and Finished.

    Configure High Speed Login

    1. Under System > Logs > Configuration > Log Destinations create a new destination.
    2. Set Name to perimeterx_hsl.
    3. Set Type to Remote-High-Speed Log.
    4. Set Pool Name to px_syslog_pool.
    5. Set Protocol to TCP.
    6. Click Finished.

    Configure Syslog

    1. Under System > Logs > Configuration > Log Destinations create a new destination.
    2. Set Name to perimeterx_syslog.
    3. Set Type to Remote Syslog.
    4. Set Syslog Format to Syslog.
    5. Set Forward To to perimeterx_hsl.
    6. Click Finished.

    Configure Publisher

    1. Under System > Logs > Configuration > Log Publishers create a new publisher.
    2. Set Name to perimeterx-publisher.
    3. Under Destinations move perimeterx_syslog to Selected.
      This will forward the logs to the hsl we previously configured.
    4. Click Finished.

    Configure Log Filters

    1. Under System > Logs > Configuration > Log Filters create a new filter.
    2. Set Name to perimeterx_filter.
    3. Set Severity to Debug.
    4. Set Source to all.
    5. Set Message ID to 01070410 (or any other random number).
    6. Under Log Publisher select perimeterx-publisher.
    7. Click Finished.

    Configure HUMAN iRule

    1. Create a new iRule named px.
    2. Copy the content of px.tcl into the pxiRule and update the following keys under RULE_INIT:
      • APP_ID - The HUMAN custom application id in the format of PX__ .
      • AUTH_TOKEN - The JWT token used for REST API. The Authentication Token is generated in HUMAN Portal > Application page.
      • COOKIE_SECRET - The key used by the cookie signing page. The Cookie Key is generated in the HUMAN Portal > Policy page.
        Note
        If you configured a pool for HUMAN activities report (px_syslog_pool) - uncomment the CLIENT_ACCEPTED rule (lines 2-4) in the iRule editor.
    3. Add the px iRule to the Virtual Server you want to protect with HUMAN.
    Was this article helpful?
    What's Next