Forum Discussion
CirrusF5 ASM To Protect APM Web Portal
CirrusHey Kai,
ASM or any other WAF in from of the APM has it's added value since it has it's own signature mechanism and the ability to mitigate attacks which are not always included in the f5 apm module, such as Brute Force, CSRF and many others.
in my opinion it's adds another layer of security and visibility.
as to it's complex configuration, still haven't found a way to create such and i'm hoping one of the members here will have an idea of solving this.
Thanks Or.
- Kai_Wilke
MVP
Hi Or, Thanks for your insights. ;-) Your mileage may vary, especially when it comes to protection for yet unknown threats and the level of visibility. Personally I do believe that most of the ASM security features are not needed for APM and also I'm also not aware that APM module is subject to OWASP top 10 issues. But well, its all about believes, isnt it? So good luck finding a solution to get your desired configuration! Cheers, Kai 
amolariCirrostratus
availability? The way sessions are created on the APM and the MaxAccessSession which is not that high on low-middle end platforms... maybe
johnebgood_2404Nimbostratus
I have the same problem, I need end-to-end application attack visibility even in front of the APM module. As it stands we won't be able to tell what types of attacks are happening on the APM hosted pages and this is not acceptable. What are the issues with creating an ASM virtual server in front of the APM module or adding this as a feature? In my professional opinion it should be in front and not behind.
- Or_A_157009
Couldn't agree more. It should be obvious to a security company that APM module needs it's own protection. At the end it's still a web server and it has it's vulnerabilities, the same ones ASM blocks...
