
Forum Discussion

RockBD
Jun 15, 2025

Can I use F5 Big-IP WAF as HoneyPot

Hi to all

Can anyone tell me if there is any way that I can use F5 BIG-IP WAF as a honeypot?

6 Replies

  • Hi RockBD,

    the answer is - it depends.
    You cannot create a high interaction honeypot with ASM or with iRules.
    With iRules you could do something like - if URL is /admin-login respond with a dummy form page.
    Or an iRule that just responds 200 OK to everything and logs all requests.
    In general, I see a honeypot more as something you would do with iRules rather than with ASM or LTM.

    With ASM you could use anomaly detection to redirect suspicious traffic to a honeypot server.
    Or, with the help of iRules, based on violations, you could redirect clients to a honeypot server.
    Or, again with iRules, you could set up fake URLs and redirect them to a honeypot server.

    This GitHub repo lists a lot of honeypot systems: https://github.com/paralax/awesome-honeypots

     

    Cheers
    Daniel
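A sketch of the low-interaction decoy described in the reply above (a dummy form on /admin-login, 200 OK plus a log line for everything else), added here as an example and not posted by anyone in the thread. The form markup and the log field names are made up for illustration, and the iRule is assumed to sit on a dedicated decoy virtual server with no pool behind it.

```tcl
# Added example, not from the thread: low-interaction decoy iRule.
# Assumption: attached to a dedicated decoy virtual server, not a production one.
when HTTP_REQUEST {
    # Client-controlled values: cap the length and flatten CR/LF so a request
    # cannot inject extra lines into the log.
    set uri [string range [HTTP::uri] 0 255]
    set ua  [string range [HTTP::header value "User-Agent"] 0 199]
    set uri [string map [list "\r" " " "\n" " "] $uri]
    set ua  [string map [list "\r" " " "\n" " "] $ua]

    # One log line per request (field names are illustrative).
    log local0.info "decoy src=[IP::client_addr] method=[HTTP::method] host=[HTTP::host] uri=$uri ua=$ua"

    if { [string tolower [HTTP::path]] equals "/admin-login" } {
        # Dummy login form: nothing is authenticated, a POST to the same
        # path is logged above and simply gets the form again.
        HTTP::respond 200 content {
<html><head><title>Admin Login</title></head>
<body>
  <form method="post" action="/admin-login">
    <input type="text" name="username" placeholder="Username">
    <input type="password" name="password" placeholder="Password">
    <input type="submit" value="Sign in">
  </form>
</body></html>
        } noserver "Content-Type" "text/html" "Cache-Control" "no-store"
    } else {
        # Everything else: answer 200 OK so scanners keep talking.
        HTTP::respond 200 content "OK" noserver "Content-Type" "text/plain"
    }
}
```

`noserver` keeps the response from carrying the default `Server: BigIP` header. On an internet-facing decoy the per-request `log local0.` line can get noisy, so sending the same string to a remote collector with High-Speed Logging is the usual alternative.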

  • You could have a VS fronting a dummy app and assign a transparent ASM policy logging all requests.

    But is it really a honeypot? Definitely not.

    And of course do not use a production BIG-IP for such case.

    • RockBD

      Do you have any links where I can learn about VS fronting a dummy app and a transparent ASM policy? 

      Also, may I know why you are suggesting not to host a honeypot on the production BIG-IP?

      • Injeyan_Kostas

        I don’t have a specific link describing this exact use case, but you can refer to this F5 lab: https://f5-agility-labs-waf.readthedocs.io/en/latest/index.html#
        It walks you through setting up a basic transparent WAF policy.

        As for the backend app, you could use something lightweight and isolated, like a Docker container running Hackazon or OWASP Juice Shop.
        Alternatively, you could have the F5 itself respond with a simple 200 OK to all requests.

        Just keep in mind, exposing such a setup to the internet will likely attract a lot of unwanted traffic. Unless you have excess resources you don’t mind consuming, I wouldn’t recommend using your production F5 for this purpose.