chaining with other WAF

Question

Hi,&nbsp;
For migration to F5 devices purpose, we will chain F5 with the current WAF. Then remove current one after validating the ASM policies.
We'll put the F5 in transparent mode for learning the traffic and build the policies. The flow will go to current WAF and then to endpoint (see pict below).&nbsp;
We will import the SSL certificates/keys of apps from current WAF to F5.&nbsp;
Question: how can we configure the client and server SSL profiles and avoid disturbing the apps during this chaining period? Current WAF should also keep the certificates/keys.&nbsp;
Client SSL profile with imported cert/key ?&nbsp;
Server SSL profile with imported cert/key ? default profile ?&nbsp;
&nbsp;
Thanks for your help.&nbsp;

leonardo_souza · Answer

Interesting drawing. :P&nbsp;
Try this in the future:&nbsp;
http://asciiflow.com/&nbsp;
You can use the standard setup with clientssl and serverssl, but that means ASM will terminate the SSL connection and start again.
However, there are some useful options in the ssl profile.
I never remember which one is for what, so here is both:&nbsp;
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-12-0-0/14.html&nbsp;
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-12-0-0/15.html&nbsp;

Forum Discussion

chaining with other WAF

Recent Discussions

APM with EntraID as idP / request signed

Should config via cli rather than gui?

Background Tasks

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Use F5 Distributed Cloud to service chain WAAP and CDN

GitLab Vulnerability, Secure by Design Pledge, & Near Miss Supply Chain Attack

JavaScript Supply Chains, Magecart, and F5 XC Client-Side Defense (Demo)

APM Cookbook: SAML IdP Chaining

Project Chain Links: Introduction

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS