Forum Discussion

etherchannel01's avatar
etherchannel01
Icon for Nimbostratus rankNimbostratus
Jan 11, 2023

DoS Profiles

If I assign the same DoS profile to provide application protection for all my virtual servers is automatic threshold learning done at the virtual server level or is it applied to the overarching poli...
Security
  • Mohamed_Ahmed_Kansoh's avatar
    Mohamed_Ahmed_Kansoh
    Jan 11, 2023

    Hi etherchannel01 , 
    It is Not Recommended at all , 
    you should separate all security profiles for each virtual server specially Dos or Bot Defense profiles. 

    I say that to prevent a huge headache in troubleshooting in issues. 
    Also this separation on Dos profiles level will give the availability to configure all Dos profile features such as heavy urls and so on. 

    Anyway , it’s not recommended to group all virtual servers in one Dos profile , this is my opinion. 

Mohamed_Ahmed_Kansoh's avatar
Mohamed_Ahmed_Kansoh
Icon for MVP rankMVP
Jan 11, 2023

Hi etherchannel01 , 
It is Not Recommended at all , 
you should separate all security profiles for each virtual server specially Dos or Bot Defense profiles. 

I say that to prevent a huge headache in troubleshooting in issues. 
Also this separation on Dos profiles level will give the availability to configure all Dos profile features such as heavy urls and so on. 

Anyway , it’s not recommended to group all virtual servers in one Dos profile , this is my opinion. 

  • PSFletchTheTek's avatar
    PSFletchTheTek
    Icon for MVP rankMVP
    Jan 11, 2023

    Hi,

    So i've got a configuration of vip targetting vip, when it comes to dos profiles i was planning on putting this on the front level vip which is where the TCP packet will terminate, as well as the bot profile.

    If i put a dos and bot profile on each virtual server, would the vip in front of it hide any off the traffic that might trigger these protection features?
    Would i need a dos/bot profile on the front vip AND the backend vips holding the services?

    Thanks - Fletch

    • Mohamed_Ahmed_Kansoh's avatar
      Mohamed_Ahmed_Kansoh
      Icon for MVP rankMVP
      Jan 11, 2023

      Hi PSFletchTheTek , 
      I want to clarify more please. 
      you have 2 VIPs Vip sends traffic to the other one , 
      Are both of VIPs in same appliance or separte appliance ? 
      I need to know more about the traffic flow. 
      But from the first look I see that putting Dos and Bot Profiles is sufficient in the first " Front VIP " only. 

    • Nikoolayy1's avatar
      Nikoolayy1
      Icon for MVP rankMVP
      Jan 12, 2023

      You setup sounds like something from the F5 401 exam 😀

      If using local traffic policy or irule with a virtual command and the external VIP having http profile then I will answer A) On the public facing VIP.

       

      There was an old f5 trainning Securing Apps with F5 Solutions and it had this with virtual to virtual.

       

      But if you do not do ssl decryption and have a http on the external vip I can't tell if this is a valid setup (you said " TCP packet will terminate" and that could be the tricky part of the question 😉 ), but if it works as I have to check this in the labn then my answer will  B) DOS and Bot profiles on the internal VIP. 

      I hope we are talking only DOS with ASM not AFM as then even without SSL decryption we can do the DOS profile on the external VIP.

       

      Mohamed_Ahmed_Kansoh you already answered the question but now PSFletchTheTek  is giving you bonus one and sorry for me also commenting but this is some good stuff 😁