For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Or_A_157009's avatar
Or_A_157009
Icon for Cirrus rankCirrus
Dec 17, 2015

F5 ASM To Protect APM Web Portal

Hello,

 

I have an apm (web portal) for clients (ssl vpn). i would like to protect the portal using asm but i cant find a way to establish that.

 

i know that if the virtual server has an access policy attached to it and an asm security policy, than the apm takes the connection first and the asm has no meaning.

 

i tried to create a virtual server with asm that will forward the HTTPS traffic to an internal virtual server using an irule but the internal virtual server cannot be assigned without an http profile - a must for access policy.

 

any suggestions regarding this issue will be appriciated!

 

thanks

 

ASM Advanced WAF
BIG-IP Access Policy Manager (APM)
iRules
security

6 Replies

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Dec 18, 2015

    Hi Or,

     

    I read alot about HTTP profile enable virtuals in front of APM enabled virtuals in a vip-targeting-vip configuration, but afaik is this configuration somewhat complex and also seems to have certain limitatations.

     

    Beside of the possibility to pull of that specific configuration trick, what is in your opinion the effective outcome of that approach? Is the ASM module more secure than the APM module? Why not use APM to filter out any anonymous request, before letting ASM parse the remaining attacks?

     

    Cheers, Kai

     

  • Or_A_157009's avatar
    Or_A_157009
    Icon for Cirrus rankCirrus
    Dec 18, 2015

    Hey Kai,

     

    ASM or any other WAF in from of the APM has it's added value since it has it's own signature mechanism and the ability to mitigate attacks which are not always included in the f5 apm module, such as Brute Force, CSRF and many others.

     

    in my opinion it's adds another layer of security and visibility.

     

    as to it's complex configuration, still haven't found a way to create such and i'm hoping one of the members here will have an idea of solving this.

     

    Thanks Or.

     

    • Kai_Wilke's avatar
      Kai_Wilke
      Icon for MVP rankMVP
      Dec 19, 2015
      Hi Or, Thanks for your insights. ;-) Your mileage may vary, especially when it comes to protection for yet unknown threats and the level of visibility. Personally I do believe that most of the ASM security features are not needed for APM and also I'm also not aware that APM module is subject to OWASP top 10 issues. But well, its all about believes, isnt it? So good luck finding a solution to get your desired configuration! Cheers, Kai
    • amolari's avatar
      amolari
      Icon for Cirrostratus rankCirrostratus
      Dec 21, 2015
      availability? The way sessions are created on the APM and the MaxAccessSession which is not that high on low-middle end platforms... maybe
    • johnebgood_2404's avatar
      johnebgood_2404
      Icon for Nimbostratus rankNimbostratus
      Nov 30, 2016

      I have the same problem, I need end-to-end application attack visibility even in front of the APM module. As it stands we won't be able to tell what types of attacks are happening on the APM hosted pages and this is not acceptable. What are the issues with creating an ASM virtual server in front of the APM module or adding this as a feature? In my professional opinion it should be in front and not behind.