ADFS Proxy, APM, ASM Craziness
We've been doing some testing recently with using the APM Proxy for ADFS which is basically a check box in the APM section of a virtual server that allows one to establish a trust with the ADFS backend servers for automagical certificate renewals.
What we are now adding on is an AWAF policy. I understand that APM comes before ASM when it comes to traffic processing order (https://support.f5.com/csp/article/K00363504). What we are experiencing in our testing, is that if we go to https://10.10.10.10/etc/passwd via cURL, an ASM event is not triggered for either "Host Header contains IP Address" or the attack signature "/etc/passwd" but rather a 404 response code.
When we add in https://10.10.10.10/adfs/ls/etc/passwd via cURL, a block event happens and we can view it in the ASM event logs. This to me indicates that the previous "/etc/passwd" doesn't even get processed by ASM and somehow, APM knows the URLs used by ADFS due to using the proxy setting on the virtual server and gives a 404 back, thus never even pushing to ASM.
I'm trying to look for some documentation on this functionality but can't seem to find anything. Does anyone know if there is documentation around the functionality fo the ADFS proxy with F5?
Any help is greatly appreciated!