RockBD
Jun 15, 2025

Can I use F5 Big-IP WAF as HoneyPot

Hi to all

Can anyone tell me if there is any way that I can use F5 BIG-IP WAF as a HoneyPot?

6 Replies

  • Hi RockBD​,

    the answer is - it depends.
    You cannot create a high interaction honeypot with ASM or with iRules.
    With iRules you could do something like - if URL is /admin-login respond with a dummy form page.
    Or an iRule that just responds 200 OK to everything and logs all requests.
    In general, I see a honeypot more as something you would do with iRules rather than with ASM or LTM.

    With ASM you could use anomaly detection to redirect suspicious traffic to a honeypot server.
    Or, with the help of iRules, based on violations, you could redirect clients to a honeypot server.
    Or, again with iRules, you could set up fake URLs and redirect them to a honeypot server.

    This GitHub repo lists a lot of honeypot systems: https://github.com/paralax/awesome-honeypots

     

    Cheers
    Daniel
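
The two iRule ideas from the reply above (a dummy form on /admin-login, and a 200 OK to everything with all requests logged), combined as an added example that is not part of the original post or F5's own code. The form markup, field names, log format and length caps are assumptions; the rule is meant for a dedicated, non-production virtual server with no pool behind it.

```tcl
# Added example: low-interaction decoy iRule (assumed layout, not from the thread).
when HTTP_REQUEST {
    # Cap logged fields so oversized URIs or headers cannot flood the log.
    set ua  [string range [HTTP::header value "User-Agent"] 0 199]
    set uri [string range [HTTP::uri] 0 255]
    set src [IP::client_addr]

    # One log line per request: who asked for what, and with which client string.
    log local0.info "decoy src=$src method=[HTTP::method] host=[HTTP::host] uri=\"$uri\" ua=\"$ua\""

    switch -glob -- [string tolower [HTTP::path]] {
        "/admin-login*" {
            # Dummy form. Submissions hit this same rule and are only logged
            # (method and URI; request bodies are not collected here).
            HTTP::respond 200 content {<html><body><h1>Admin Login</h1>
<form method="post" action="/admin-login">
<input name="username"><input name="password" type="password">
<input type="submit" value="Sign in"></form></body></html>} \
                "Content-Type" "text/html" "Cache-Control" "no-store"
        }
        default {
            # Everything else gets an empty 200; no request is ever sent to a pool.
            HTTP::respond 200 content "" "Content-Type" "text/plain"
        }
    }
}
```

Because every request produces a log entry on the BIG-IP itself, log volume grows with whatever traffic the listener attracts.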

  • You could have a VS fronting a dummy app and assign a transparent ASM policy logging all requests.

    But is it really a honeypot? Definitely not.

    And of course do not use a production BIG-IP for such case.

    • RockBD

      Do you have any links where I can learn about VS fronting a dummy app and a transparent ASM policy? 

      Also, may I know why you are suggesting not to host a honeypot on the production BIG-IP?

      • Injeyan_Kostas

        I don’t have a specific link describing this exact use case, but you can refer to this F5 lab: https://f5-agility-labs-waf.readthedocs.io/en/latest/index.html#
        It walks you through setting up a basic transparent WAF policy.

        As for the backend app, you could use something lightweight and isolated, like a Docker container running Hackazon or OWASP Juice Shop.
        Alternatively, you could have the F5 itself respond with a simple 200 OK to all requests.

        Just keep in mind, exposing such a setup to the internet will likely attract a lot of unwanted traffic. Unless you have excess resources you don’t mind consuming, I wouldn’t recommend using your production F5 for this purpose.