F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Andre_Iseli_136's avatar
Andre_Iseli_136
Icon for Nimbostratus rankNimbostratus
Nov 03, 2013

F5 ASM blacklist/whitelist vs. NIPS

We have endless questions with a customer about pros/cons of a WAF and a NIPS and where to do what. I'm interest if you could share some thoughts around this and also about where to do what kind of b...
deployment
nips
security
waf
IheartF5_45022's avatar
IheartF5_45022
Icon for Nacreous rankNacreous
Nov 03, 2013

There's certainly no wrong or right answer - it depends on your circumstances.

 

If the F5 is already inline in the traffic path it is already in a position to see all traffic - all you have to do is add the ASM module and configure. It's also going to be performing SSL offload and potentially re-encrypting so it is in a unique position to be able to see traffic contents.

 

An all-purpose NIPS either has to be inserted into the traffic path (for IPS), or you need to use a precious SPAN session to send traffic to it (for IDS). In addition in order to see encrypted traffic it will need to have certs added, or be in the traffic path behind the SSL Offloader.

 

The WAF is specific to web applications whereas the NIPS will alert on all types of signatures, so it really depends on your requirements.