Forum Discussion
VAPT or APT tools scan prevention
Hello
When the security team starts Vulnerability Assessment and Penetration Testing (VAPT) or Application Security Testing (APT) on a web application, it can go and test those web pages that only registered users can browse. Is there any way I can block this with BIG-IP?
Sorry if my question is silly.
10 Replies
Maybe you should configure brute force and login page enforcement so that people who have not authenticated are not able to open certain URLs: "BIG-IP AWAF Demo 32 - Use Login Page Enforcement with F5 BIG-IP Adv WAF (formerly ASM)". The VAT will then need to support authenticated scans, and you could see the new F5 scanner ("Introducing F5 Distributed Cloud Web App Scanning" / "Web App Scanning Overview | F5 Distributed Cloud Technical Knowledge") or other smart scanning tools.
- RockBD
Altocumulus
I want to block unregistered user access from the outside world to my web systems. Outside access can be VAPT scans or other access for unregistered users.
In that case, you can try adding an APM access profile's authentication page to the LTM vserver.
It's not tunnel mode, so it shouldn't need an APM CCU license. I implemented such a mechanism using another ADC brand for a corporate banking website.
Surely VAPT can still access that webpage, but BIG-IP won't forward unauthenticated requests to the backend LTM pool members.
- RockBD
Altocumulus
I am sure which module you're talking about. We are using WAF and Big-IP 17.1.1.4 build 0.14.9