Forum Discussion
F5 VE WAF FINE TUNING
Hi everyone,
I am currently hardening a security setup involving two independent, standalone F5 BIG-IP virtual instances, each running its own WAF policy. Since there is no device group or synchronization (configsync) between these units, I am looking for advice on maintaining configuration consistency and ensuring best practices for this specific deployment.
To enhance our security posture, I am planning to implement the following on both instances:
Phase 1: VM and General System Settings: Establishing a secure baseline for the virtual machines and core system configurations.
Phase 2: LTM Review and Control: Auditing and hardening the Local Traffic Manager settings, including SNAT pool configurations and traffic isolation.
Phase 3: WAF and Advanced Settings: Refining WAF policies, implementing strict HTTP protocol compliance, and applying granular iRules for threat mitigation.
Since this is a standalone, non-clustered environment, I am particularly interested in any recommendations for avoiding "configuration drift" between the two instances. Are there specific workflows or automation strategies you suggest for ensuring parity between these two units during these three phases?
1 Reply
Use automation tools. AS3 for the LTM part and declarative WAF.
I built Restsh and released it as open source; it can be the foundation for such automation scenarios.
If you do not want to build it yourself, you can insert coins for the Axians Automation Framework, which bootstraps a ready-to-go GitOps environment to automate F5 BIG-IPs.
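One way to check two standalone units for drift when both are driven from AS3 declarations, as the reply suggests (an added example, not part of the thread and not Restsh or Axians code): it compares two declarations leaf by leaf and ignores keys that are expected to differ per unit. The sample declarations, tenant and object names, addresses, URLs and the `PER_DEVICE_KEYS` set are constructed assumptions.

```python
import copy

MISSING = "<missing>"
# Assumption: keys whose values legitimately differ between the two units.
PER_DEVICE_KEYS = {"id", "virtualAddresses", "snatAddresses"}

def flatten(node, path=""):
    """Yield (path, value) for each leaf, skipping per-device keys."""
    if isinstance(node, dict):
        for key in sorted(node):
            if key not in PER_DEVICE_KEYS:
                yield from flatten(node[key], f"{path}/{key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from flatten(item, f"{path}/{index}")
    else:
        yield path, node

def drift(decl_a, decl_b):
    """Return {path: (value_on_a, value_on_b)} for every leaf that differs."""
    a, b = dict(flatten(decl_a)), dict(flatten(decl_b))
    return {p: (a.get(p, MISSING), b.get(p, MISSING))
            for p in sorted(a.keys() | b.keys())
            if a.get(p, MISSING) != b.get(p, MISSING)}

# Constructed AS3-style declaration for unit A (names, addresses, URLs made up).
UNIT_A = {"class": "ADC", "schemaVersion": "3.0.0", "id": "bigip-a",
    "Prod": {"class": "Tenant", "Shop": {"class": "Application",
        "service": {"class": "Service_HTTP", "virtualAddresses": ["192.0.2.10"],
                    "policyWAF": {"use": "waf"}, "snat": {"use": "snatpool"}},
        "waf": {"class": "WAF_Policy", "ignoreChanges": False,
                "url": "https://git.example.com/waf/v12/shop.json"},
        "snatpool": {"class": "SNAT_Pool", "snatAddresses": ["192.0.2.20"]}}}}

# Unit B: own addresses (expected), plus an older WAF policy and no WAF attached (drift).
UNIT_B = copy.deepcopy(UNIT_A)
UNIT_B["id"] = "bigip-b"
app_b = UNIT_B["Prod"]["Shop"]
app_b["service"]["virtualAddresses"] = ["198.51.100.10"]
app_b["snatpool"]["snatAddresses"] = ["198.51.100.20"]
app_b["waf"]["url"] = "https://git.example.com/waf/v11/shop.json"
del app_b["service"]["policyWAF"]

if __name__ == "__main__":
    for path, (on_a, on_b) in drift(UNIT_A, UNIT_B).items():
        print(f"DRIFT {path}: A={on_a!r} B={on_b!r}")
```

In use, the two inputs would be the declarations retrieved from each unit or rendered from the same Git source, and a non-empty result would fail the pipeline run.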