Forum Discussion

Sushant's avatar
Sushant
Icon for Altostratus rankAltostratus
May 09, 2021

HTTP Profile

Is it mandatory to have SSL Profile if I have selected HTTP as my profile and on top of that selected virtual server standard type ?
  • Dario_Garrido's avatar
    May 09, 2021

    Hello Sushant.

    AWAF is able to protect web portal because it interprets and analyzes HTTP traffic searching for potential attacks. So, configuring a HTTP profile is mandatory. That means that you have to be able to interpret the whole set of OSI layers (from L4 to L7).

    First question you have to ask you is:

    Is my backend server (API server) using TLS?

    ​If the answer is yes, you have to put a server SSL profile in your VS.

    Second question is:

    Do I want to use TLS in my front-side communication for the VS?

    If the answer is yes, so I also need to put a client SSL profile in my VS.

    Remember that without SSL profiles, F5 won't be able to decrypt that trafffic and without decrypting it there is no WAF protection possible.

    Regards,

    Dario.