Forum Discussion
HTTP Profile
- May 09, 2021
Hello Sushant.
AWAF is able to protect a web portal because it interprets and analyzes HTTP traffic searching for potential attacks. So, configuring an HTTP profile is mandatory. That means that you have to be able to interpret the whole set of OSI layers (from L4 to L7).
The first question you have to ask yourself is:
Is my backend server (API server) using TLS?
If the answer is yes, you have to put a server SSL profile in your VS.
Second question is:
Do I want to use TLS in my front-side communication for the VS?
If the answer is yes, so I also need to put a client SSL profile in my VS.
Remember that without SSL profiles, F5 won't be able to decrypt that traffic, and without decrypting it there is no WAF protection possible.
Regards,
Dario.
- Sushant, May 09, 2021, Altostratus
Hello Dario,
Thank you for replying back...
Yes, I did get your point, and in order to use TLS, as per my understanding, a domain name must be there with its associated DNS record. But in my particular case the API has only an IP associated with it (no domain), and it communicates using a layer 2 MPLS link. That means there won't be any domain associated with it, as there will be direct communication using IP over MPLS.
The API is plainly working on HTTP as well, so an SSL profile is not required either.
Is there any workaround for these kinds of scenarios where I could be using all security profiles?
- May 09, 2021
Hello Sushant.
I guess you are mixing concepts.
TLS has different features:
- Authentication
- Key Exchange
- Encryption
- Integrity
REF - https://youtu.be/ZM3tXhPV8v0
And you require a domain name and a DNS entry just for the authentication step, which is not related to the encryption step.
That said, you have two chances:
- Enabling WAF protection: TCP, SSL and HTTP profiles are required
- Not enabling WAF protection: just the TCP profile is required.
Regards,
Dario.
- Sushant, May 09, 2021, Altostratus
Can I use a security profile if I have a VM running HTTP only, not HTTPS?
As per my understanding, under HTTP the communication will be plain text, no encryption, no authentication, nothing... so it doesn't require SSL inspection either.
- May 09, 2021
Sure, you can.