Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

suraj11's avatar
suraj11
Icon for Nimbostratus rankNimbostratus
Nov 22, 2023

BIG ASM - WAF for https applications

WAF SSL Offloading, https traffic As per most of the tutrorials and vidoes for utilizing the WAF feature URL is onboarded in a virutal server and http option is selected. Wanted to know can WAF insp...
security
PSFletchTheTek's avatar
PSFletchTheTek
Icon for Cumulonimbus rankCumulonimbus
Nov 22, 2023

The inspection will still work if the cert is out of date.
You'll have just lost your trust between browser and the f5 VIP. So you'll need to get through the client trust fail safes for it to work at all, but the waf will still work if the site comes up.

  • suraj11's avatar
    suraj11
    Icon for Nimbostratus rankNimbostratus
    Nov 26, 2023

    Hi Thanks for the reply,

    just wanted a little clarity in terms of analysis. An Organization has multiple URL's hosted which clients access for payments, updations, purchases, etc. Wanted to know when clients access these URL's whose traffic is routed via WAF are https / encrypted connections. As per my understanding SSL offloading decrypts the traffic only after that it can analyse the packet contents , payloads etc. So if the SSL certificate expires which is required for ssl decryption and encyption at WAF level, can WAF still analyse the packets, payloads, cookies and its contents, even if the traffic is via HTTPS / TLS / SSL.