For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Gajji's avatar
Gajji
Icon for Cirrostratus rankCirrostratus
Jun 19, 2024

F5 WAF risk assessment process

I got request to do f5 WAF risk assessment for my environment, do you have any suggestions how should i do  Any documents/steps/url that I can follow to do the same.   I don't have any vulnerabili...
application delivery
security
boneyard's avatar
boneyard
Icon for MVP rankMVP
Jun 24, 2024

I wouldn't call that a risk assessment, but fine.

 

Tried searching for something from F5 itself but can't really find it. A WAF policy is something that differs per application so ONE best practice is not something easily written.

 

You can have a look at this dashboard, it tries to provide some guidance about what can be done:

https://clouddocs.f5.com/training/community/waf/html/waf111/module1/lab4.html

 

Gajji's avatar
Gajji
Icon for Cirrostratus rankCirrostratus
Jun 26, 2024

As you rightly said - A WAF policy is something that differs per application so ONE best practice is not something easily written.

But still there should be certain best practices that can still guide the creation and management of these policies to ensure a high level of security while maintaining application functionality.

that i can use to know whether my environment policies are according to the best practices or not..

Also it seems Compliance report provided by F5 device itself is not relevant/consistent according to everyone needs.