For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

suraj11's avatar
suraj11
Icon for Nimbostratus rankNimbostratus
Nov 22, 2023

BIG ASM - WAF for https applications

WAF SSL Offloading, https traffic As per most of the tutrorials and vidoes for utilizing the WAF feature URL is onboarded in a virutal server and http option is selected. Wanted to know can WAF insp...
security
PSFletchTheTek's avatar
PSFletchTheTek
Icon for Cumulonimbus rankCumulonimbus
Nov 22, 2023

The inspection will still work if the cert is out of date.
You'll have just lost your trust between browser and the f5 VIP. So you'll need to get through the client trust fail safes for it to work at all, but the waf will still work if the site comes up.

suraj11's avatar
suraj11
Icon for Nimbostratus rankNimbostratus
Nov 27, 2023

Hi Thanks for the reply,

just wanted a little clarity in terms of analysis. An Organization has multiple URL's hosted which clients access for payments, updations, purchases, etc. Wanted to know when clients access these URL's whose traffic is routed via WAF are https / encrypted connections. As per my understanding SSL offloading decrypts the traffic only after that it can analyse the packet contents , payloads etc. So if the SSL certificate expires which is required for ssl decryption and encyption at WAF level, can WAF still analyse the packets, payloads, cookies and its contents, even if the traffic is via HTTPS / TLS / SSL.