
JaZy
Oct 23, 2025
Solved

XC -Web Application Firewall - Exclude FQDN but log security events

Hello all,

I have an LB with many FQDNs. The LB has a WAF policy in block mode. I want to add a new application with another FQDN to the same LB. During application onboarding I want to first review the security events and then enforce the policy, to avoid false positives.

I have two options:

  1. I will add the application to the LB and then define a rule to skip WAF processing for the application. But in this case I will not see security events. Can I enable logs for such a configuration, for the purpose of configuring the WAF exclusion rules?
  2. I will create a new LB, configure the application there, and after that move the application to the prod LB.

I prefer option 1, as with option 2 I will have to trigger a Jenkins job to apply a new Terraform config, which will destroy resources, and after that execute another job to recreate the resources on the productive LB. This will lead to a short outage, and because of this outage I have to follow a process which I would like to avoid.

Thank you.

7 Replies

  • Hi JaZy,

    you can apply a new WAF policy for the new FQDN with enforcement mode set to "Monitoring",
    so you will block nothing, but any violation will be logged

    • JaZy

      Hi Injeyan_Kostas,

      How can I add an additional WAF policy to the current LB?

      I can disable/enable the WAF. When it's enabled I can choose one security policy per LB. If I change the policy to "Monitoring", all applications will be in "Monitoring" mode instead of "Block".

      • you can have a different WAF policy per FQDN or even per path.
        Having multiple FQDNs under the same LB, I guess you are already using routes,
        so under the route's advanced options you can also select not to inherit the LB's WAF but apply another one

    • JaZy

      Would it be possible to point me to where I can find such a configuration, or to a KB article?

      In the BIG-IP solution it's clear, but it seems that I am a little lost in the XC solution.

      • You can make an XC route and attach a separate WAF policy. Just play on a test HTTP LB and look under an XC route's advanced options to select your own WAF policy, not the default under the HTTP LB itself. Sorry, I did not see that you are talking about XC.

        Example of a nice article: F5 Distributed Cloud Per-Route WAF

        Just remember that the route should match on the Host header and be placed at the top. Other than that, WAF exclusion rules or service policy WAF exclusions need to also match the Host header, as otherwise they will be global for the HTTP LB. The service policy has a nice domain match option that is better than matching the Host header, by the way 😉
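The accepted approach from this thread, written out as Terraform, since the asker already manages the LB that way. This is an added example, not code from the thread or from F5; it assumes the volterra Terraform provider, and the resource and attribute names (volterra_app_firewall, volterra_http_loadbalancer, simple_route, headers exact match, advanced_options.app_firewall) are my reading of that provider's schema and should be checked against the provider version in use. The namespace, hostnames, pool names and policy names are constructed placeholders, and the remaining mandatory LB settings are assumed to be whatever the existing production LB already uses.

```hcl
# Added example, not the thread's or F5's own configuration.
# Assumes the volterra Terraform provider; names below are placeholders.

# 1. A second WAF policy in monitoring mode: violations are logged as
#    security events but nothing is blocked. Used only while the new
#    application is onboarded and exclusion rules are being written.
resource "volterra_app_firewall" "onboarding_monitor" {
  name      = "onboarding-monitor"        # constructed placeholder
  namespace = "example-ns"                # constructed placeholder

  blocking   = false
  monitoring = true

  default_detection_settings = true
  default_bot_setting        = true
  allow_all_response_codes   = true
  default_anonymization      = true
  use_default_blocking_page  = true
}

# 2. The shared HTTP LB keeps its existing blocking policy as the
#    default. A route that matches the new FQDN's Host header overrides
#    the inherited WAF with the monitoring policy; all other FQDNs stay
#    in block mode.
resource "volterra_http_loadbalancer" "shared_lb" {
  name      = "shared-lb"                 # constructed placeholder
  namespace = "example-ns"
  domains   = ["app1.example.com", "app2.example.com", "new-app.example.com"]

  https_auto_cert {
    add_hsts      = true
    http_redirect = true
    no_mtls       = true
  }

  advertise_on_public_default_vip = true

  # Default pool and the existing block-mode policy for every other FQDN.
  default_route_pools {
    pool {
      name      = "existing-apps-pool"    # assumed, already exists
      namespace = "example-ns"
    }
    weight = 1
  }

  app_firewall {
    name      = "prod-blocking-waf"       # assumed, already exists
    namespace = "example-ns"
  }

  # Per-route override. This route must be first in the list so it is
  # evaluated before any catch-all routes, as the thread points out.
  routes {
    simple_route {
      http_method = "ANY"

      path {
        prefix = "/"
      }

      # Match only the new application's FQDN, not the whole LB.
      headers {
        name  = "Host"
        exact = "new-app.example.com"
      }

      origin_pools {
        pool {
          name      = "new-app-pool"      # constructed placeholder
          namespace = "example-ns"
        }
        weight = 1
      }

      advanced_options {
        # Do not inherit the LB's blocking WAF; apply the monitoring one.
        app_firewall {
          name      = volterra_app_firewall.onboarding_monitor.name
          namespace = volterra_app_firewall.onboarding_monitor.namespace
        }
      }
    }
  }
}
```

Once the monitoring-mode events for new-app.example.com have been reviewed and any exclusion rules written (scoped to that Host as well, otherwise they apply LB-wide), the switch to enforcement is a change to the route's advanced_options only, from the onboarding policy to the production one, so the other FQDNs on the LB are never touched and no resources are destroyed.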