Forum Discussion
Joe_Brandon
Altostratus
AltostratusASM or AWAF Exchange 2019 OWA Protection against Brute force Attacks!
Hi everyone I am trying to figure out how is this possible to protect Exchange 2019 OWA from brute force attacks. for now we deployed iApps of the latest version of 16.x Virtual Edition (trial peri...
Hi Joe, not this is not a bug, as your policy is created from a template the setting to differentiate between HTTP and HTTPS URLs has been disabled in that template (which makes sense as OWA really should be served over HTTPS only).
When this setting is disabled you will not see HTTP/HTTPS dropdowns anywhere in the policy as it is assumed that all policy entities are of the same protocol . If you check the General Settings on the policy and scroll down you should see that the "Differentiate" setting is Disabled:
Don't let this confuse you - please note that F5 WAF was created in 2004 when many websites used to have a mixture of HTTP and HTTPS pages (e.g. only the credit card payment page on Amazon would be served over HTTPS) - that is the reason why WAF policies could be configured differently for pages served over HTTP and HTTPS.
Regards,
Sam
samstep
Cirrocumulus
CirrocumulusYou can stop Brute-force attacks against any web application (not necessarily OWA) using F5 ASM/AWAF.
The mitigation mechanism includes returning a blocking page, dropping the TCP connection, challenging the client with a CAPTCHA or injecting Client-Side Integrity JavaScript to identify a human user (moving mouse and pressing keys on the keyboard) vs a bot.
Here is the KnowledgeBase article "K18650749: Configuring brute force attack protection":
https://support.f5.com/csp/article/K18650749
Hope this helps,
Sam