Enterprise Security best practices with F5 WAF
When it comes to responsibilities of each layer in an enterprise (i.e. DMZ/ WAF, application, SoR etc), and provided F5 Advanced WAF is deployed on the DMZ, should other layers assume primary responsibility of mitigations supported out-of-the-box by F5 WAF.
i.e. Provided that F5 WAF supports bot defense, should the the layer below (application layer) as well be hardened to defend against bots by implementing features like fingerprinting, validating remote IPs based on HTTP headers etc?
Certain defense mechanisms - specifically in the case of bot defense, go beyond the expertise of typical application development and having application developers to harden their apps against bots will just add overhead IMO, however one can still argue it's agains defense in depth.
What's the best practice and guideline F5 provides?