Forum Discussion

ghaidaF's avatar
Icon for Nimbostratus rankNimbostratus
Feb 13, 2024

enable ASM (WAF) on VIP


I create a new VIP, it request to add WAF on it.
I tired to allow/disable ASM policy with HTTP Profile (Client): http & SSL Profile (Client) but I get error below:
400 Bad Request
The plain HTTP request was sent to HTTPS port

the VIP open only when I remove SSL Profile (Client) & HTTP Profile (Client): none

Note: same certificate applied on backend side( VM) 

when I remove SSL Profile (Client) and set HTTP Profile (Client): http the curl command & browser stuck until shows timeout

Please your assistance to have workable VIP and I can add WAF on it.

5 Replies

  • Hi, you need to have client SSL Profile, Server SSL profile and HTTP Profile applied to the VIP. Make sure the client SSL profile includes the proper certificate/key pair of your FQDN. 

    • ghaidaF's avatar
      Icon for Nimbostratus rankNimbostratus

      thank you for your quick response. 

      When I tried I get this error message, 

      An error occurred during a connection to SSL received a record that exceeded the maximum permissible length.


      I'm think to remove SSL client as it exists same on backend side , i thought it is enough

      is there any solution to add Policy ( asm-waf) without choosing any protocol on  HTTP Profile ?
      I tried to chose none but it choose the below when i tried to add policy 

      : Web Security profile requires an HTTP profile to be associated with the virtual server

  • Also I observe the error message below when I add the SSL Profile (Client), even when the HTTP profile :none

    400 Bad Request
    The plain HTTP request was sent to HTTPS port

    • Hi ghaidaF,


      HTTP profile at the client side is mandatory for the correct waf configuration because the HTTP profile instructs the virtual server to interact with the protocol.

      Some question:

      1. Do you have configured an IP for the virtual server in destination example "172.X.X.X"
      2. wich type of virtual server do you have created?
      3. SSL client profile is necessary in the case the traffic is encrypted, always keep the traffic encrypted and use the F5 to decrypt the traffic and process the WAF.
      4. The server is encrypted? in this case you have to configure an SSL server profile, you can use the default provided by F5.


      Hope its work.

      • Sebastiansierra's avatar
        Icon for MVP rankMVP

        Hi again,

        If the application is only port 80 you don´t need to apply SSL profiles, only enable the HTTP profile, the waf policy, and the logging profile.