F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Mohamed_Lrhazi's avatar
Mohamed_Lrhazi
Icon for Altocumulus rankAltocumulus
Aug 10, 2019

Brute force protection for an API endpoint (no login page)?

Hello, Configuring Brute force protection entails declaring the login page(s).. Is it possible to use this protection on a site where every page is a login page, in a sense? It's an API endpoint and...
ASM Advanced WAF
security
Dario_Garrido's avatar
Dario_Garrido
Icon for Noctilucent rankNoctilucent
Aug 10, 2019

Hello Mohamed.

 

Actually, you have a default "Brute Force Attack Prevention" profile which applies to all the URLs not manually defined.

 

"You can add default brute force protection when creating a security policy using the Deployment wizard. If you do, the policy simply needs to know for which login pages to enforce brute force protection. The system creates a default brute force configuration that applies to all defined login URLs that are not associated with any other brute force configuration."

REF - https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/6.html

 

See this path ->

Security > Application Security > Anomaly Detection > Brute Force Attack Prevention

 

KR,

Dario.