Forum Discussion

Altostratus

May 09, 2021

HTTP Profile

Is it mandatory to have SSL Profile if I have selected HTTP as my profile and on top of that selected virtual server standard type ?

application delivery

LTM

profiles

Dario_Garrido
May 09, 2021
Hello Sushant.

AWAF is able to protect web portal because it interprets and analyzes HTTP traffic searching for potential attacks. So, configuring a HTTP profile is mandatory. That means that you have to be able to interpret the whole set of OSI layers (from L4 to L7).

First question you have to ask you is:
Is my backend server (API server) using TLS?
If the answer is yes, you have to put a server SSL profile in your VS.

Second question is:
Do I want to use TLS in my front-side communication for the VS?
If the answer is yes, so I also need to put a client SSL profile in my VS.

Remember that without SSL profiles, F5 won't be able to decrypt that trafffic and without decrypting it there is no WAF protection possible.

Regards,
Dario.

Dario_Garrido

MVP

May 09, 2021

Hello Sushant.

Actually, you can select each profile independently. But if your communication has TLS it will fail.

You should understand the F5 profiles as OSI layers that are interpreted by the device. So, you cannot understand HTTP layer (with an HTTP profile) if you didn't decrypt your flow first (with a SSL Profile).

Regards,

Dario.

Sushant
Altostratus
May 09, 2021
Hello Dario,

Thank you for the reply .Lets take an example. I have selected Standard Virtual server with L4 profile as TCP and Application profile as HTTP both on the client and server side. In this case I have not used SSL profile but tend to open my application directly using public IP ...shouldn't it work ? in my case it is not working.....

The real scenario is I have an API that communicates with a public IP directly not with any specific domain and my API also directly has an IP with no domain associated. I would like to use AWAF, DOS, Bot profile with it and as you are well aware AWAF,DOS and BOT profile doesn't work until we associate HTTP profile with it .In the case of standard virtual server, I came to find out that if I use HTTP as my profile it is compulsory to use SSL profile otherwise it simply wont work. In my case there is no SSL profile. So, how can i make my security profile working without using HTTP profile ?

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

HTTP Profile

Recent Discussions

Background Tasks

Which process is consuming higher CPU

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Client SSL Profile set to Require Client Certificate breaks RDP in APM

Related Content

irule VS http profille

HTTPS communication and client and server ssl profile

Regular Stream profile not working

ASM Logging profile w/ Remote Storage

Oneconnect profile

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS