False Positive on AWS WAF F5 Managed Rule F5#OWASP_Managed#rule_div_tag__behavior__Parameter__AllQueryArguments_Body

Hello Deena,

i didn't migrate from this load balancer to F5 before, but you can check the below main points when you are migrating from any vendor to F5.

• If the current load balancer is used as a reverse proxy, start by checking the ports used by back end servers (the ports that the backend server is listeneing on) to replicate and configure the same on F5.
• Check the current health check monitors on the old load balancer (if exists) to be noted when you are making health check from F5.
• Check the certificate and key for the HTTPS services, if you are planning to make SSL offloading/bridging on F5.
• Start checking the VIPs on the old load balancer and decide whether the new VIPs on F5 will be the same IPs or new IPs.
• If you are going to use the same IPs on the old load balancer, don't connect the F5 to the network (disable the network TMM interfaced) until the cut over maintenance window just to avoid replicating the IPs.

The configuration on F5 is very simple and straigh forward as a load balancer. It is divided into three main objects as below:

1. Node (which is the backend server itself). you are defining the backend server and adding it's IP.
2. Pool (which is group of nodes "backend servers" for the same service). start adding the configured nodes and link each node with a port.
3. Vritual server or VIP, which is the IP that the client will be communicating with. And then you can assign the pool to that virtual server.

Good luck in your migration.

BR,

Mohamed Salah

I would really advise getting a consultant in for something like this. If not for the whole project, then for doing some knowledge transfer and best practices and such. Sure people will help you here as you see, but still having someone around (in front or as backup) who has done it before it very valuable.

DeenaFirst off I do not recommend doing this yourself if you have never configured an BIG-IP before because it's a lot of ground to cover. If you must configure it yourself you should be able to use the following article. One big piece to keep in mind is if you will be deploying your BIG-IP in path or out of path, by this I mean in order for your client to reach the BIG-IP and ultimately the servers does it have to go through the BIG-IP or no? If you deploy this out of path (one arm mode) this will require SNAT so if you have to preserve the client IP for the server to see that will no longer be possible.

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-system-initial-configuration-11-6-0.html

Aside from that a gotcha after setup is making sure you record your master key otherwise your backups are useless if a failure ever occurs. I do not recommend carving out your BIG-IP into multiple route domains or partitions unless absolutely necessary because it adds unnecessary complexity, especially if you are new to BIG-IPs. The following are the sections of the BIG-IPs and a general description of what is configured in each section.

Local Traffic: This is where you configure load balancing
Network: This is where you configure all device IPs except the management interface IP, VLANs, and routing
System: This is where you configure almost everything for the management of the device such as SNMP, DNS, NTP, SSH, code upgrades, licensing, and so on.

This next article is a study guide for the BIG-IP but it might help you understand the device a bit better as well.

https://clouddocs.f5.com/training/community/f5cert/html/class1/class1.html