Forum Discussion
F5 WAF risk assessment process
I got a request to do an F5 WAF risk assessment for my environment; do you have any suggestions on how I should do it?
Any documents/steps/URLs that I can follow to do the same?
I don't have any vulnerability tool in my environment, so how should I go about it without that?
- GajjiCirrostratus
The answer I got is to use a vulnerability tool, which I don't have in my environment.
The risk assessment would be of the F5 WAF (virtual servers), i.e. whether it has been configured according to a best practices guideline, if there is one, like the one I found for Palo Alto but not for F5. How to find any loophole in the configuration that a bad actor can exploit, blah blah....
In front we have F5 Silverline DDoS protection; that assessment is also required, but I don't find any guidelines for either of these.
I wouldn't call that a risk assessment, but fine.
Tried searching for something from F5 itself but can't really find it. A WAF policy is something that differs per application, so ONE best practice is not something easily written.
You can have a look at this dashboard; it tries to provide some guidance about what can be done:
https://clouddocs.f5.com/training/community/waf/html/waf111/module1/lab4.html
- GajjiCirrostratus
As you rightly said, a WAF policy is something that differs per application, so ONE best practice is not something easily written.
But still, there should be certain best practices that can guide the creation and management of these policies to ensure a high level of security while maintaining application functionality,
which I can use to know whether my environment's policies are according to best practices or not. Also, it seems the compliance report provided by the F5 device itself is not relevant/consistent according to everyone's needs.
You asked this before and got an answer there; what was not OK with that?
Beyond that, you give pretty limited information. Should the risk assessment be of the F5 WAF itself or of the application behind the F5 WAF?
If you search the internet you can find many resources about risk assessments. It helps to make clearer what you want your scope to be, because otherwise this becomes way too broad a question to answer.
It is also always possible to get external help; perhaps your F5 partner or your security partner can assist with a start or with the whole process.