Forum Discussion

dbaimakov's avatar
dbaimakov
Icon for Altocumulus rankAltocumulus
Sep 15, 2023

Understanding F5's Transparent Mode vs Blocking Mode with a Focus on Geo-Blocking

Hey everyone,

I've been working with F5 ASM and have some questions around its so-called 'Transparent Mode,' especially when it comes to enabling geo-blocking.

First off, can we all agree that the term "Transparent Mode" is somewhat misleading? It gives the impression that data isn't being transformed at all, which isn't the case. In this mode, a TS cookie gets inserted, sensitive data can be masked if Data Guard is enabled, and a JavaScript challenge might be added if you've set up fingerprinting options. So, it's hardly 'transparent'; 'Non-Blocking Mode' might be a more apt description.

Now, onto my main question: If I enable geo-blocking, will it actually block traffic in Transparent Mode? Has anyone tried this, or know how it works?

Looking forward to your insights.

Thanks

  • Enforcement mode defines how act when we apply this policy. In transparent mode, policy learning will work and traffic will not be manipulated. In blocking mode traffic will be dropped or manipulated based on the policy.

    when a WAF policy is in transparent mode all traffic will pass, so if you configured geo-location, and if I understood your question correctly, and your WAF policy is in transparent mode the traffic will pass and not block 

  • Hi dbaimakov , 

    like Amr_Ali said, 
    I want to add i your AWAF in Transparent mode and you configure Geo-location protection , your AWAF policy will not take any actions against these traffic it only presents it in event logs an Alarm logs if you checked the Alarm option here : 



    So you need to watchout on this. 
    Also have a look in this article about Geo-location Configs : https://my.f5.com/manage/s/article/K79414542#configure-1

    - For Transparent mode in general : AWAF in Transparent mode can pares http traffic , match it against all security controls and learn all of http parameters in the request , but not block the request if violates these security control. 

    So AWAF policy in transparent consumes CPU cycles because it's some how process in bigip and do it's work. 

    There is a clear difference between ( AWAF disabled on Virtual server and AWAF policy in Transparent mode ) as when it disabled >>> This policy will NOT Consume CPU cycle or do parsing for http requests or anything. 

    Sometimes we need to disable AWAF policy from Virtual server to troubleshoot in delay or drops issues ( even it is in transparent mode ) and return it back after troubleshooting is over. 

    I hope this gives you clear insight in addition to Amr_Ali  comment 🙂 

     

  • Enforcement mode defines how act when we apply this policy. In transparent mode, policy learning will work and traffic will not be manipulated. In blocking mode traffic will be dropped or manipulated based on the policy.

    when a WAF policy is in transparent mode all traffic will pass, so if you configured geo-location, and if I understood your question correctly, and your WAF policy is in transparent mode the traffic will pass and not block 

  • Hi dbaimakov , 

    like Amr_Ali said, 
    I want to add i your AWAF in Transparent mode and you configure Geo-location protection , your AWAF policy will not take any actions against these traffic it only presents it in event logs an Alarm logs if you checked the Alarm option here : 



    So you need to watchout on this. 
    Also have a look in this article about Geo-location Configs : https://my.f5.com/manage/s/article/K79414542#configure-1

    - For Transparent mode in general : AWAF in Transparent mode can pares http traffic , match it against all security controls and learn all of http parameters in the request , but not block the request if violates these security control. 

    So AWAF policy in transparent consumes CPU cycles because it's some how process in bigip and do it's work. 

    There is a clear difference between ( AWAF disabled on Virtual server and AWAF policy in Transparent mode ) as when it disabled >>> This policy will NOT Consume CPU cycle or do parsing for http requests or anything. 

    Sometimes we need to disable AWAF policy from Virtual server to troubleshoot in delay or drops issues ( even it is in transparent mode ) and return it back after troubleshooting is over. 

    I hope this gives you clear insight in addition to Amr_Ali  comment 🙂