Merge pull request #68 from f5devcentral/alfredo
Alfredo
vistola authored Apr 23, 2024
2 parents 5feb64b + 65c95cb commit 9ce7456
Showing 6 changed files with 33 additions and 29 deletions.
2 changes: 1 addition & 1 deletion docs/class4/module1/lab3/lab3.rst
Expand Up @@ -29,7 +29,7 @@ Test your modern API application protection
Check the logs
--------------

* Go tho the security dashboard (Overview > Security)
* Go to the security dashboard (Overview > Security)
* Scroll down and click on your ``sentence`` LB
* Click on ``Security Analytics``

2 changes: 1 addition & 1 deletion docs/class4/module2/lab1/lab1.rst
Expand Up @@ -93,7 +93,7 @@ Update your API Load Balancer
:align: left
:scale: 50%

.. note:: ``Fall Through Mode`` set to ``Allow`` means the system allows unknwon endpoints. In a nutshell, any unknown API endpoint is not be blocked and the API Discovery process takes care of it.
.. note:: ``Fall Through Mode`` set to ``Allow`` means the system allows unknown endpoints. In a nutshell, any unknown API endpoint is not be blocked and the API Discovery process takes care of it.

.. warning:: Why not to block unknown endpoint? Because this endpoint could be legitimate by the Dev team, but SecOps are not aware "yet". And it is better to have a visilibity on what is unknown instead of impacting the application and the business.

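Review bot: the corrected note line still carries a grammar error: "any unknown API endpoint is not be blocked" should read "is not blocked". The unchanged warning line just below also misspells "visilibity" (visibility) and would read better as "Why not block unknown endpoints?"; since the note and the warning together explain the allow-by-default posture of ``Fall Through Mode``, it is worth fixing both in the same pass.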
10 changes: 5 additions & 5 deletions docs/class4/module2/lab3/lab3.rst
Expand Up @@ -21,14 +21,14 @@ Understand the API Discovery elements

On the top left corner, there are 3 important elements:

* **Inventory** : Endpoints known by the OpenAPI Spec file
* **Inventory** : Endpoints known from the OpenAPI Spec file

* In our lab, there are 3 endpoints know (adjectives, animals, locations)

* **Discovered** : What the F5 XC platform is sees from traffic (Known and Unknown endpoints)
* **Shadow** : What is ``Discovered`` but **NOT PART** of the ``Inventory``
* **Discovered** : Endpoints that the XC platform has discovered/learned from live traffic (known and unknown endpoints)
* **Shadow** : Endpoints that have been ``Discovered`` but are **NOT PART** of the ``Inventory``

You can filter on ``Shadow`` only for instance. You can see the ``/colors`` as a Shadow API.
You can filter on ``Shadow`` only to show the ``/colors`` endpoint as a Shadow API.

.. image:: ../pictures/shadow.png
:align: left
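Review bot: the unchanged sub-bullet "there are 3 endpoints know (adjectives, animals, locations)" should say "known"; this hunk already reworks the surrounding bullets, so fix it here. Also, the Shadow example names the endpoint as ``/colors`` while the rate-limiting lab in this same PR calls it ``/api/colors``; use one form consistently so readers filtering the endpoint list find the right entry.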
Expand Down Expand Up @@ -102,7 +102,7 @@ AI/ML Security Posture

* Click on an endpoint with the highest ``Risk Score``
* And click on the ``Security Posture`` tab
* Review the recommandations done by AI/ML engines
* Review the recommandations done by the AI/ML engine

.. image:: ../pictures/security-posture.png
:align: left
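Review bot: "recommandations" is still misspelled in the replacement line; it should be "recommendations". The rest of the change (singular "the AI/ML engine") reads fine.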
28 changes: 14 additions & 14 deletions docs/class4/module3/lab1/lab1.rst
Expand Up @@ -26,7 +26,7 @@ First of all, you need several inputs
* A RSA public key, and RSA private key
* A JWKS (an array with the public key)

In order to keep this lab easy, we will **NOT** explain how to generate a JWT or JWKS. In an netshell, the JWT is signed with the private key, and the JWKS is composed of the public key to verify the signature.
In order to keep this lab easy, we **don't** explain how to generate a JWT or JWKS. In an nutshell, the JWT is signed with the private key, and the JWKS is composed of the public key to verify the signature.

The JWT to use in this lab
^^^^^^^^^^^^^^^^^^^^^^^^^^
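Review bot: the new sentence introduces "In an nutshell"; it should be "In a nutshell". In the unchanged bullet above, "A RSA public key" should be "An RSA public key". The explanation that the JWKS carries the public key matching the private key that signed the JWT is the important part and is correct; keep it.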
Expand Down Expand Up @@ -119,41 +119,41 @@ Test your configuration with Postman

* Use CURL to test your configuration

* Send the below request (without JWT) to /api/animals. As a reminder, we **DID NOT** enabled JWT validation on this endpoint.
* Send the request below (without JWT) to /api/animals. As a reminder, we **haven't** enabled JWT validation on this endpoint.

.. code-block:: bash
curl -H "Content-Type: application/json;charset=UTF-8" --location 'http://sentence-re-$$makeId$$.workshop.emea.f5se.com/api/animals'
* It **passes** without any JWT because JWT Validation is only enabled on /locations

* Send the below request (without JWT) to /api/locations. As a reminder, we **enabled** JWT validation on this endpoint.
* Send the request below (without JWT) to /api/locations. As a reminder, we **have** enabled JWT validation on this endpoint.

.. code-block:: bash
curl -H "Content-Type: application/json;charset=UTF-8" --location 'http://sentence-re-$$makeId$$.workshop.emea.f5se.com/api/locations'
* It **DOES NOT** pass because JWT validation is enabled on /locations
* It **doesn't** pass because JWT validation is enabled on /locations

* Send the below request (with JWT) to /api/animals.
* Send the request below (with JWT) to /api/animals.

.. code-block:: bash
curl -H "Content-Type: application/json;charset=UTF-8" --location 'http://sentence-re-$$makeId$$.workshop.emea.f5se.com/api/locations' --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJGNVhDIEpXVCBkZW1vIiwic3ViIjoic2FAZjUuY29tIiwiYXVkIjoibXlsYi1mNXhjLmY1c2UuY29tIiwiaWF0IjoxNzEzNTM4NTAxLCJleHAiOjE3MTM1MzkxMDEsIkdpdmVuTmFtZSI6IkJvYiIsIkxhc3ROYW1lIjoiVGhlU3BvbmdlIiwiRW1haWwiOiJib2JAZjUuY29tIiwiUm9sZSI6IlNBIn0.bz6XTCLN6Nioz56pzs8nJTJ4OExkNsYNiGmHa23BEbcWRA4O3UFPBfII110yd4l2wbYuaaWbEWXZLkkqRb-0LJHyOMg1TvI15HZKvwqVN7nj4g-qtSpfnrmd4w2pAyRvMeqxt_r2apAzmyjvTrwFamxKtZ9IDhQ7CB1O8XsT0yJB2lpU9tS09PrM3kJNbbr5yzgVCk1eSOGE0Uh7qhcgrnDqpHcGVd0pm_Z2R-mZH-DMN99jwcgrFlOW28XYo9YWodHpwBAe3ZxWqnxDjIberk55EkfqlEPaFj6GK2IyzEsLbazMQuQB2meKeaPPsmcVeT9E7BAK_6aBZuA3mZwL-Q'
* It **passes** because JWT is valid (signature is valid)

* Send the same request, but with a wrong JWT signature. As a reminder, the JWT signature is the last section of the JWT. We purposely remove some characters from the signature section of the JWT.
* Send the same request, but with a wrong JWT signature. As a reminder, the JWT signature is the last section of the JWT. We intentionally remove some characters from the signature section of the JWT.

.. code-block:: bash
curl -H "Content-Type: application/json;charset=UTF-8" --location 'http://sentence-re-$$makeId$$.workshop.emea.f5se.com/api/locations' --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJGNVhDIEpXVCBkZW1vIiwic3ViIjoic2FAZjUuY29tIiwiYXVkIjoibXlsYi1mNXhjLmY1c2UuY29tIiwiaWF0IjoxNzEzNTM4NTAxLCJleHAiOjE3MTM1MzkxMDEsIkdpdmVuTmFtZSI6IkJvYiIsIkxhc3ROYW1lIjoiVGhlU3BvbmdlIiwiRW1haWwiOiJib2JAZjUuY29tIiwiUm9sZSI6IlNBIn0.bz6XTCLN6Nioz56pzs8nJTJ4OExkNsYNiGmHa23BEbcWRA4O3UFPBfII110yd4l2wbYuaaWbEWXZLkkqRb-0LJHyOMg1TvI15HZKvwqVN7nj4g-qtSpfnrmd4w2pAyRvMeqxt_r2apAzmyjvTrwFamxKtZ9IDhQ7CB1O8XsT0yJB2lpU9tS09PrM3kJNbbr5yzgVCk1eSOGE0Uh7qhcgrnDqpHcGVd0pm_Z2R-mZH-DMN99jwcgrFlOW28XYo9YWodHpwBAe3ZxWqnxDjIberk55EkfqlEPaFj6GK2IyzEsLbazMQuQB2meK'
* It **DOES NOT** passe
* It **doesn't** pass

* Now, check your API Security Events (Security Analytics tab).

* You can see API event with 401, 403 ... and more details in the JSON section of the Log Event
* You can see API events with 401, 403 ... and more details in the JSON section of the Log Event

.. code-block:: bash
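Review bot: the third step says "Send the request below (with JWT) to /api/animals", but the curl that follows targets /api/locations, and the explanation ("passes because JWT is valid") only makes sense for /api/locations, where validation is enabled; change the bullet to /api/locations. Two smaller points: the section heading still says "with Postman" while the steps use curl, and the sample token's payload carries iat 1713538501 and exp 1713539101, a 10-minute lifetime that had already elapsed by the date of this commit, so if the JWT validation policy enforces exp the "passes" step will not reproduce for readers; either say that expiry is not checked in this lab or regenerate a longer-lived token.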
Expand All @@ -164,9 +164,9 @@ Test your configuration with Postman
JWT Access Control
------------------

JWT control consists of controlling if a Claim is present and if the value matches a requirement.
JWT control checks if a Claim is present and if the value matches a requirement.

In our lab, we will check if the user has a VP role. As a reminder, in the JWT token, the user has a SA role. We want to allow access to /api/locations only to VP.
In our lab, we check if the user has a VP role. As a reminder, in the JWT token, the user has a SA role. We want to allow access to /api/locations only to VP.

Enable JWT Access Control
^^^^^^^^^^^^^^^^^^^^^^^^^
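Review bot: "a SA role" should be "an SA role", and "only to VP" reads better as "only to users whose Role claim is VP", which matches the claim name used in the test steps. It is also worth stating that JWT Access Control builds on the JWT Validation configured in the previous section: a claim check is only meaningful after the signature has been verified, otherwise anyone could mint a token with Role VP.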
Expand Down Expand Up @@ -241,29 +241,29 @@ JWT Access Control is part of Service Policy.
Test JWT Access Control
^^^^^^^^^^^^^^^^^^^^^^^

* Start by sending a request to /api/animals. This endpoint is not protected by JWT validation.
* Start by sending a request to /api/animals. This endpoint is not protected with JWT validation.

.. code-block:: bash
curl -H "Content-Type: application/json;charset=UTF-8" --location 'http://sentence-re-$$makeId$$.workshop.emea.f5se.com/api/animals'
* It still passes
* It still **passes**

* Send a request to /api/locations but with a wrong Role. We send the same request as before, where the Role is SA.

.. code-block:: bash
curl -H "Content-Type: application/json;charset=UTF-8" --location 'http://sentence-re-$$makeId$$.workshop.emea.f5se.com/api/locations' --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJGNVhDIEpXVCBkZW1vIiwic3ViIjoic2FAZjUuY29tIiwiYXVkIjoibXlsYi1mNXhjLmY1c2UuY29tIiwiaWF0IjoxNzEzNTM4NTAxLCJleHAiOjE3MTM1MzkxMDEsIkdpdmVuTmFtZSI6IkJvYiIsIkxhc3ROYW1lIjoiVGhlU3BvbmdlIiwiRW1haWwiOiJib2JAZjUuY29tIiwiUm9sZSI6IlNBIn0.bz6XTCLN6Nioz56pzs8nJTJ4OExkNsYNiGmHa23BEbcWRA4O3UFPBfII110yd4l2wbYuaaWbEWXZLkkqRb-0LJHyOMg1TvI15HZKvwqVN7nj4g-qtSpfnrmd4w2pAyRvMeqxt_r2apAzmyjvTrwFamxKtZ9IDhQ7CB1O8XsT0yJB2lpU9tS09PrM3kJNbbr5yzgVCk1eSOGE0Uh7qhcgrnDqpHcGVd0pm_Z2R-mZH-DMN99jwcgrFlOW28XYo9YWodHpwBAe3ZxWqnxDjIberk55EkfqlEPaFj6GK2IyzEsLbazMQuQB2meKeaPPsmcVeT9E7BAK_6aBZuA3mZwL-Q'
* It do not passe because Role claim is not VP
* It **doesn't** because the Role claim is not VP

* Send a new request with the Role VP

.. code-block:: bash
curl -H "Content-Type: application/json;charset=UTF-8" --location 'http://sentence-re-$$makeId$$.workshop.emea.f5se.com/api/locations' --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJGNVhDIEpXVCBkZW1vIiwic3ViIjoic2FAZjUuY29tIiwiYXVkIjoibXlsYi1mNXhjLmY1c2UuY29tIiwiaWF0IjoxNzEzNTM4NTAxLCJleHAiOjE3MTM1MzkxMDEsIkdpdmVuTmFtZSI6IkJvYiIsIkxhc3ROYW1lIjoiVGhlU3BvbmdlIiwiRW1haWwiOiJib2JAZjUuY29tIiwiUm9sZSI6IlZQIn0.JAp4x3PWnV9Xbn4nNC0ug775UD-Jc0UngguA64VyAIC9olMImrkVhaMTJhlJMMtxsNhDAL8JDfihJ4isfYTuDN-L4e0RJb68YyRQ9mBFBDQcpEzJDyaYwLV9agavM3qCqeHz8l1VPFqjhiUJKbrGYLTiLZYfthRLrIw2rSO-lcBexnwMMcL9g3pekKuK0e-M_a3Z5OKuNpaY4Iaa3RIwCS_zFATssTzEhYsMbcKgWZqNchbe4C0l7dbz7n-xhpPHiemfZxIeCY-HIz2Gy6XVJxsBksgtML70_Z-lTOknoFEg-ufeZpy6_wHEHU-4Hzc0gGjQVLTpiMN5zAQHV68c8g'
* It passes because Role claim is VP
* It **passes** because the Role claim is VP


Check API events
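Review bot: the replacement line "It **doesn't** because the Role claim is not VP" drops the verb; it should be "It **doesn't** pass because the Role claim is not VP". Note also that the "wrong Role" step reuses the same validly signed token as before (Role SA) while the final step uses a second token whose payload decodes to Role VP with its own signature, so these two requests exercise the claim check rather than the signature check; a one-line reminder that both tokens have valid signatures would make that contrast clear to readers.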
20 changes: 12 additions & 8 deletions docs/class4/module3/lab2/lab2.rst
@@ -1,22 +1,26 @@
Rate Limiting protection
========================

There are many ways to do Rate Limiting in F5XC. In this lab, we will focus on API Protection Rate Limiting.
There are multiple options to do Rate Limiting in F5XC. In this lab, we will focus on API Protection Rate Limiting.

The goal is to rate limit an endpoint at risk because we discovered an attack or it is a shadow API we are not sure if we should allow or block it.

Enable Rate Limiting from the Security Dashboard
------------------------------------------------

* Go to the Security Dashboard and into your application API Endpoints screen.
* Go to the Security Dashboard into your application API Endpoints screen.

.. image:: ../pictures/security-endpoints.png
:align: center
:scale: 50%

* Select ``/api/colors`` and click on the 3dots (...)
* Edit Rate Limiting
* The Rate Limiting config is preset automatically, keep ``1sec`` Threshold
* Find ``/api/colors``, click on the 3dots at the right (...) and select ``Edit Rate Limiting``

.. image:: ../pictures/edit-rate-limiting.png
:align: center
:scale: 50%

* Keep the default Rate Limit Threshold of 1 Second.

.. image:: ../pictures/rl-colors.png
:align: center
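Review bot: removing "and" from "Go to the Security Dashboard into your application API Endpoints screen" leaves the sentence ungrammatical; suggest "Go to the Security Dashboard and open your application's API Endpoints screen". "3dots" should be "three dots". The unchanged goal sentence above is a run-on; suggest "The goal is to rate limit an endpoint at risk, either because we discovered an attack or because it is a shadow API that we are not yet sure whether to allow or block."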
Expand All @@ -30,22 +34,22 @@ Test your Rate Limiting config
It is time to run a traffic generator script to simulate traffic load

* SSH or WEBSSH to the Jumphost
* Run this script into /home/ubuntu/api-protection-lab folder
* Run the script in the /home/ubuntu/api-protection-lab folder

.. code-block:: none
cd /home/ubuntu/api-protection-lab
bash rate-limit.sh sentence-re-$$makeId$$.workshop.emea.f5se.com
* You can see a respone code 429 - Too Many Requests
* You should see a respone code 429 - Too Many Requests

.. code-block:: HTML

<html><head><title>Error Page</title></head>
<body>The requested URL was rejected. Please consult with your administrator.<br/><br/>
Your support ID is a8c0fa99-7f85-4c81-b245-2d7d94457f8a<h2>Error 429 - Too Many Requests</h2>F5 site: tn2-lon<br/><br/><a href='javascript:history.back();'>[Go Back]</a></body></html>

* And you can see the logs in the Security Dashboard - Security Analytics
* Also check the logs in the Security Dashboard - Security Analytics

.. image:: ../pictures/rate-limit-logs.png
:align: center
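Review bot: "respone" is still misspelled in the replacement line ("You should see a respone code 429"); it should be "response". Minor: the code-block language is written ``HTML`` while the other directives use lowercase names (``bash``, ``none``); lowercase ``html`` keeps them consistent. The support ID in the sample 429 page is a per-request value, so it would help to tell readers that theirs will differ.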