Forum Discussion

RockBD's avatar
RockBD
Icon for Altocumulus rankAltocumulus
Jan 16, 2024

Need a Benchmark documents for F5 Advanced WAF or Big-IP or etc.

Hi All There are many other security product OEMs also provide Benchmark documents to configure their products to get maximum security or maximum utilization which leads to maximum profit for the us...
advanced waf
application delivery
BIG-IP
PhatANhappy's avatar
PhatANhappy
Icon for MVP rankMVP

this is another one of those "depends" on what you are looking for questions.

this is best answered via -a f5 sales rep / sales engineer combination as decision will need to be made all of which can alter the solution.  
i.e. -  is the physical equipment ( on prem  / colocation)?  Is this virtual equipment (vmware / cloud/ vcmp).   all of which have limitations that can be found 

https://www.f5.com/pdf/products/big-ip-platforms-datasheet.pdf

https://www.f5.com/pdf/products/big-ip-virtual-editions-datasheet.pdf

What modules do you plan on using?   How many vips do you plan on configureing? 

The f5 is a swiss army knife of an IT tool set, it can do a amazing amount of work, but if its not properly spec'd out, you can end up as an unsatisfied customer.  A good sales team is your best option. 

RockBD's avatar
RockBD
Icon for Altocumulus rankAltocumulus
Jan 18, 2024

Thanks for the reply.

After discussing it with your marketing team, I already got the physical appliance, but now I need to prepare benchmark documents for compliance. Do you know any document where I can find the configuration benchmark for the F5 WAF?

 

  • PhatANhappy's avatar
    PhatANhappy
    Icon for MVP rankMVP
    Jan 18, 2024

    Its less about the WAF - and more about what appliance you have deployed and how much resources it has- and how you plan on using it. 

    There are those that are using small appiances like a i2600 with AWAF, others with a i15000 and others that are using 8slot viprions.     These can be clustered to provide even more thruput as needed.

    Other factors include:    Are you in transparent mode or blocking mode?   are you using traditional syslog or HSL?   What is your network configuration GB, 10GB, teamed?  Is your appliance on a stick?  What components of AWAF are you deploying - IPI?  BOT? ddos, layer4 detections - layer7 detections,  Signatures only, threat campains, geoblocking,    Datagard etc.   What kind of cert are you using 2k - 4k other?  What kind of normal user load are you expecting 1000pps, 10,000pps?   Will the f5 be on the edge - will there be a firewall in front?  will there be any layer3/4 mitigations.

    FWIW - I deployed WAF before i deployied IPI.   Lesson learned:   
    WAF did its job -and the appliances were very busy inspecting packets and doing waf like things....
    Once i deployed IPI ,  the appiance dropped over 70% of traffic BEFORE waf inspection.   This resulted in much less resources consumed, and provided the needed  CPU to process more WAF requests.

    Any vendor that provides a "configuration bench mark"  - without defineing the hardware used -and the configuration deployed is providing bad data.  The real information that is needed is what is YOUR baseline before - and what are you deploying hardware and configuration --then what is the baseline AFTER.

    • RockBD's avatar
      RockBD
      Icon for Altocumulus rankAltocumulus
      Jan 18, 2024

      Thanks for the details.