Environment
- Essential App Protect Service (EAP)
Procedure
The Essential App Protect Service can be set up using either the API or the portal through a series of forms. Setup instructions using the API can be found in the API User's Guide. To set up the Essential App Protect Service with the portal, follow the steps below:
1. Go to the Essential App Protect Service
On Your F5 Cloud, click the Essential App Protect tab in the Cloud Services navigation menu. Since you don’t have any protected applications, you will see the WorldWide Threat Map view.
2. Provide application details
On the WorldWide Threat Map view, click the Start protecting your app button. This will show a multi-step slide panel on the right side of the screen. Enter the following fields:
- Fully Qualified Domain Name (FQDN) - This is the domain you wish to protect.
- Name this application - This is how Essential App Protect will refer to this instance of the service. For example, this is the name you will select in the View menu to see this service.
- Add a description (optional) - Add a longer, more detailed description of this service.
- Choose an application encoding - This tells Essential App Protect which type of characters are used for your application. If you’re not sure, use the default, since over 90% use UTF-8.
When you are finished, press Save & Continue.
3. Confirm endpoints and regions
Essential App Protect will look for the FQDN you entered and show you the results. If this is correct, you can select the appropriate region for this IP endpoint.
Note: If you have multiple endpoints and multiple regions, you can add these later. Go to the Protect Application - General topic and look at the DEPLOYED REGIONS section to learn how to add, modify, and remove regions.
If you make changes on this tab, press the Update button to save the changes.
Press Save & Continue to move to the next step.
4. Set up SSL/TLS
First, enable one or both listeners for this application, and specify a port for each listener enabled.
If your application encrypts data between server and browser (uses HTTPS), then you must add an SSL or a TLS certificate so that Essential App Protect can work with your application’s encrypted communications. You have the option to add the certificate later, but then you will only have protection when your site is used without encryption (uses HTTP).
To add a certificate, you can select an existing certificate from the dropdown menu, or there is an option to Add a new one at the bottom of the menu.
Certificates that you add must be PEM encoded. For more details on certificates for Essential App Protect, see How do I import an SSL/TLS X.509 certificate.
To add a new certificate, either paste your certificate and private key into the respective fields, or use the + select a file buttons to upload them from your computer. You must provide both a certificate and its associated private key. If your private key is encrypted with a passphrase, then you must also enter the passphrase. If you have multiple certificates including both root CAs and intermediate CAs forming a certificate chain, then you must check the Add a certificate chain (optional) checkbox and enter the chain into the field below it.
The option I want to redirect my traffic from HTTP to HTTPS causes all HTTP traffic coming into your Essential App Protect service instance to be redirected to HTTPS, so your application will only ever see HTTPS traffic.
Press Save & Continue to move to the next step.
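The certificate requirements in this step can be checked locally before anything is pasted into the form. The following is an added example, not F5 code: `pem_blocks`, `preflight` and `make_pem` are hypothetical names, the sample blocks are constructed placeholders rather than real keys or certificates, and the check covers PEM structure only (it does not confirm that the key belongs to the certificate).

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_blocks(text):
    """Yield (label, encrypted, body_ok) for every PEM block in text."""
    for label, body in PEM_BLOCK.findall(text):
        # Legacy encrypted keys announce themselves in a header line.
        legacy = "Proc-Type: 4,ENCRYPTED" in body
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            der = b""
        # DER starts with SEQUENCE (0x30); legacy-encrypted bodies are ciphertext.
        body_ok = bool(der) and (legacy or der[0] == 0x30)
        yield label, legacy or label == "ENCRYPTED PRIVATE KEY", body_ok

def preflight(cert_field, key_field, chain_field=""):
    """Check the three form fields; return (problems, needs_passphrase)."""
    certs, keys, chain = (list(pem_blocks(f))
                          for f in (cert_field, key_field, chain_field))
    problems = []
    if [b[0] for b in certs] != ["CERTIFICATE"]:
        problems.append("certificate field must hold exactly one PEM "
                        "CERTIFICATE; CA certificates go in the chain field")
    if len(keys) != 1 or keys[0][0] not in KEY_LABELS:
        problems.append("private key field must hold exactly one PEM private key")
    if any(b[0] != "CERTIFICATE" for b in chain):
        problems.append("chain field may contain only CERTIFICATE blocks")
    if not all(b[2] for b in certs + keys + chain):
        problems.append("a block has a damaged or non-DER base64 body")
    return problems, any(b[1] for b in keys)

def make_pem(label, der, headers=""):
    """Build a constructed PEM block (structure only, not a real key/cert)."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}-----END {label}-----\n"

# Constructed inputs: placeholder bytes, not a real certificate or key.
FAKE_DER = b"\x30\x82\x01\x0a" + bytes(range(60))
CERT = make_pem("CERTIFICATE", FAKE_DER)
ENC_KEY = make_pem("RSA PRIVATE KEY", bytes(range(1, 49)),
                   "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233\n\n")

if __name__ == "__main__":
    print(preflight(CERT + CERT, ENC_KEY))  # leaf and CA pasted into one field
```

When `needs_passphrase` is true, the passphrase field in the form must be filled in as well.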
5. Choose protection features
The APP PROTECT FEATURES step gives you the ability to enable the various methods of protection offered by Essential App Protect. Regardless of your choice, you can change the feature later by clicking on the PROTECT APPLICATION card on the Essential App Protect dashboard while viewing your protected application. You can get more details on each feature by clicking the view feature details button or one of the links below:
6. Configure DNS
Your Essential App Protect instance has been created and it is ready to start protecting your application. The last step is to change your DNS settings so that all of your application’s traffic goes through your Essential App Protect instance. This is done by creating a CNAME record in the zone file for your application through your application’s hosting provider. For more information, see Protect Application - DNS Settings.
After you’ve updated DNS records, it can take up to 72 hours for them to fully propagate, but it’s typically much faster. Once this process is complete, your application is actively protected by Essential App Protect.
Note: Creating a CNAME can look to some security systems like a newly-registered domain (NRD) or a newly-seen domain (NSD). Research shows that NRDs are far more likely to be malicious, suspicious, or not safe for work, so many companies block NRDs. If your customers have difficulties connecting to your site after creating the CNAME, have them add the CNAME to their allow list, destination list, or other named list that keeps their security system from blocking access to your site.
7. Add deployment regions to allow list
The last step is to ensure that all traffic reviewed and passing inspection in Essential App Protect can be successfully relayed to your application. To do this, you’ll need to add the deployment region IP addresses used by Essential App Protect to the allow list for your application. All traffic coming from Essential App Protect to your application will come from one or more of the IP addresses listed below. Therefore, you should add all the IP addresses listed for the regions you use to the allow list. For maximum flexibility, you should add all listed IP addresses to the allow list. Additionally, if you want to ensure that no traffic to your application bypasses Essential App Protect, then you should only accept requests from the following addresses.
Region | Zones | Region | Zones |
---|---|---|---|
ap-east-1 (Hong Kong) | 18.162.185.175, 18.163.219.21, 18.163.39.86 | eu-central-1 (Frankfurt) | 3.126.252.37, 3.127.90.102, 52.58.211.135 |
ap-northeast-1 (Tokyo) | 13.114.106.40, 52.199.194.253, 54.95.59.57 | eu-west-2 (London) | 3.10.135.70, 35.176.145.242, 35.179.50.207 |
ap-northeast-2 (Seoul) | 15.164.11.190, 3.34.70.66, 3.34.84.254 | eu-west-3 (Paris) | 15.188.13.137, 15.188.30.71, 15.236.68.31 |
ap-south-1 (Mumbai) | 13.126.218.61, 3.7.76.98, 3.7.88.250 | sa-east-1 (São Paulo) | 18.229.181.176, 54.94.56.215, 54.94.83.17 |
ap-southeast-1 (Singapore) | 18.141.87.26, 52.221.8.87, 54.169.6.87 | us-east-1 (N. Virginia) | 3.89.239.134, 3.90.67.167, 34.192.178.6, 34.194.59.77, 34.201.76.2, 35.171.31.31, 52.70.78.148, 52.90.96.210, 52.204.48.4, 54.92.160.87, 54.146.236.204, 54.196.59.146 |
ap-southeast-2 (Sydney) | 13.238.204.166, 13.239.74.79, 13.55.30.15 | us-east-2 (Ohio) | 3.12.21.33, 3.136.204.72, 3.18.8.186 |
ca-central-1 (Central Canada) | 15.222.171.216, 15.222.68.186, 15.223.90.142 | us-west-2 (Oregon) | 35.155.82.220, 52.12.226.166, 54.70.11.143 |
Deployment regions download: F5_Essential_App_Protect.Deployment.Regions_V1.1.json
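The allow list from step 7 can be turned into origin-side rules and used to audit the origin's access log for requests that bypassed Essential App Protect. This is an added example, not F5 code. It assumes an nginx origin (the `allow` and `deny` directives) and an access log that starts each line with the client address. The function names and log lines are constructed for illustration, and only two regions from the table are included.

```python
import ipaddress

# Addresses copied from this page's table for two regions; add every region
# your instance is deployed in (or all of them, as the page recommends).
EAP_REGION_IPS = {
    "us-east-2": ["3.12.21.33", "3.136.204.72", "3.18.8.186"],
    "eu-west-2": ["3.10.135.70", "35.176.145.242", "35.179.50.207"],
}

def region_addresses(regions):
    """Return the EAP source addresses for the chosen regions, in table order."""
    return [ipaddress.ip_address(ip) for r in regions for ip in EAP_REGION_IPS[r]]

def nginx_allow_rules(regions):
    """Render nginx access rules: allow EAP addresses, refuse everything else."""
    rules = [f"allow {ip};" for ip in region_addresses(regions)]
    return "\n".join(rules + ["deny all;"])

def find_bypass(log_lines, regions):
    """Return (client_ip, request) for origin requests that skipped EAP."""
    allowed = set(region_addresses(regions))
    hits = []
    for line in log_lines:
        ip_text, _, rest = line.partition(" ")
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # not an access-log line
        if ip not in allowed:
            parts = rest.split('"')
            hits.append((str(ip), parts[1] if len(parts) > 2 else ""))
    return hits

# Constructed origin access-log lines; 203.0.113.9 is a documentation address.
SAMPLE_LOG = [
    '3.12.21.33 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /admin HTTP/1.1" 200 733',
    '35.176.145.242 - - [01/Jan/2024:10:00:07 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(nginx_allow_rules(["us-east-2", "eu-west-2"]))
    for ip, request in find_bypass(SAMPLE_LOG, ["us-east-2", "eu-west-2"]):
        print("direct-to-origin request:", ip, request)
```

The rules and the audit both act on the TCP peer address, so they belong on the first hop that Essential App Protect connects to, not behind a proxy that rewrites the source address.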