Forum Discussion

ee
Aug 15, 2024

F5 AWAF Data Guard

According to the online resources, the Data Guard feature will mask responses containing sensitive data or block the response. However, if the application itself displays the sensitive information, which might not come from the response, will the sensitive information be masked or blocked?

  • It is not clear from your question where the sensitive information is generated and whether it passes through F5 or not. As long as the data is passing through F5 and is visible to the WAF module, then it can be masked/blocked.

    • ee

      Suppose we enable Data Guard for the policy by navigating through “Security” -> “Application Security” -> “Data Guard”, and also enable "Learn, Alarm and Block" in “Security” -> “Application Security” -> “Policy Building” -> “Learning and Blocking Settings”; then it can be considered as passing through F5, right?

      • By passing through F5, I meant the sensitive data is going through a published virtual server which has WAF enabled.

        If you enable Data Guard learn, alarm, block for a policy in blocking mode, and enable Data Guard itself, then sensitive data will cause a blocking page.

  • You can apply a different WAF policy to a specific URL path.

    Create a new WAF policy without Data Guard, then create a new local traffic policy for the URL path and the new WAF policy, then assign this new local traffic policy to the virtual server.
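
The per-path policy selection described in the reply above, shown as an added example that is not part of the thread and not F5's own documentation. It swaps in an iRule for the local traffic policy the reply describes; the policy names (/Common/app_policy, /Common/app_policy_no_dg), the exempt path (/reports/) and the log message are assumptions, and the virtual server is assumed to already carry the default WAF policy through its local traffic policy so that ASM processing is active for the connection.

```tcl
# Added example, not from the thread or from F5: select a WAF policy per
# URL path with an iRule instead of the local traffic policy described
# above. Assumed (hypothetical) objects:
#   /Common/app_policy        existing WAF policy with Data Guard enabled
#   /Common/app_policy_no_dg  copy of that policy with Data Guard disabled
#   /reports/                 path whose responses must not be masked/blocked
# Assumption: the virtual server already has /Common/app_policy attached
# through its local traffic policy, so ASM is enabled on the connection
# before this rule switches policies.
when HTTP_REQUEST {
    # Compare the path only; [HTTP::path] excludes the query string, and
    # lower-casing avoids a trivial bypass such as /Reports/.
    set path [string tolower [HTTP::path]]

    if { $path starts_with "/reports/" } {
        # Exempt this path from Data Guard by switching to the copy of the
        # policy that has Data Guard turned off. The full partition path
        # is required in the policy name.
        ASM::enable /Common/app_policy_no_dg
        log local0. "WAF: $path -> app_policy_no_dg (Data Guard off)"
    } else {
        # Everything else stays on the policy with Data Guard enabled.
        ASM::enable /Common/app_policy
    }
}
```

Keep the exempt prefix as narrow as possible, because every response under it loses masking, and check the result in the Security -> Event Logs -> Application -> Requests view by confirming that a request to the exempt path is logged against the no-Data-Guard policy and a request elsewhere against the original one. The local traffic policy approach from the reply (an asm action under a URI condition) reaches the same outcome without Tcl; the two differ only in where the path-to-policy mapping is maintained.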

    • ee

      If a policy is created for each web application deployed in the LTM, in other words every application has its own policy, would applying a different WAF policy to specific URL paths make the WAF policies harder to manage? My concern is that there may be many different applications that need to be protected, and there are a lot of URLs in each application.

    • ee

      May I know how granular the control a DLP system could provide is? I am thinking of utilizing the existing Data Guard feature in F5 AWAF since it is already there. However, it would be great to have other options in mind. If possible, could you provide a comparison between these two? It would give me more insight to determine which one to use.

      • ee, I don't think providing a comparison is something for the F5 DevCentral community channel. F5 is a great network-based system and layer 7 proxy (especially for web traffic with the ASM/AWAF module), but you need to be aware of what you want and what you are trying to achieve. As you mentioned, "which might be not from the response": if the sensitive information is autogenerated by JavaScript on the customer devices (or in a mobile app) and not from a web response, then endpoint DLP may do the job, and you had better review it with a DLP vendor of your choice.

        Edit:

        I forgot to add that for binary files that could be in the response, you will need an external DLP to scan them, as F5 AWAF/ASM is a web-based solution; you can then use ICAP for this.