F5 Distributed Cloud JA4 detection for enhanced performance and detection

JA4+ is a suite of network fingerprinting methods. These methods are both human and machine readable to facilitate more effective threat-hunting and analysis. The use cases for these fingerprints include scanning for threat actors, malware detection, session hijacking prevention, compliance automation, location tracking, DDoS detection, grouping of threat actors, reverse shell detection, and many more. 

 

Introduction

In a previous article, Identity-Aware decisions with JA4+, we discussed using JA4 fingerprints with BIG-IP. In this article, we explore the use of JA4 in F5 Distributed Cloud.

A very useful use case for JA4 in F5 Distributed Cloud is explained in F5 App Connect and NetApp S3 Storage – Secured Scalable AI RAG.

Let's go through the steps of getting the JA4 fingerprints applied to a traffic sample. 

 

Implementation 

In this example, we are using an NGINX instance deployed via F5 Distributed Cloud Distributed Apps.

  • Deploy Virtual K8s through Distributed Apps.
  • Create a service policy with the matching JA4 fingerprints to block.

Service policy creation 

  • In the Distributed Cloud UI, go to Distributed Apps > Manage > Service Policies > Service Policies

     

  • Add Service Policy 
  • Add name: ja4-service-policy 
  • Under rules, select Custom rules and then click Configure
  • Click Add item
  • Update the following:
    • Add name, Actions. 
    • Show advanced fields in the client section. 
    • TLS Fingerprint Matcher: JA4 TLS Fingerprint 

Click Configure JA4 TLS Fingerprint 

  • Click Add item and match the needed JA4 fingerprint. In our case, we are blocking the curl and wget fingerprints.

  • Click Apply to save, then Save and Exit.
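What the JA4 TLS Fingerprint matcher keys on, as an added example that is not from the original article or from F5: a Python derivation of a JA4 string from ClientHello fields, following the public JA4 layout as understood here (an assumption; the article does not describe the format). The names `ja4`, `CLI_HELLO` and `BROWSER_HELLO` are hypothetical, and both ClientHello samples are constructed, not real curl or Firefox values.

```python
import hashlib

# Constructed sample ClientHello fields (NOT real curl or Firefox values).
CLI_HELLO = dict(version=0x0304, alpn=["h2", "http/1.1"],
                 ciphers=[0x1302, 0x1303, 0x1301, 0xC02C, 0xC030],
                 extensions=[0x0000, 0x000B, 0x000A, 0x0010, 0x000D, 0x002B, 0x0033],
                 sig_algs=[0x0403, 0x0804, 0x0401])
BROWSER_HELLO = dict(version=0x0304, alpn=["h2", "http/1.1"],
                     ciphers=[0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F],
                     extensions=[0x1A1A, 0x0000, 0x0017, 0xFF01, 0x000A, 0x000B,
                                 0x0023, 0x0010, 0x0005, 0x000D, 0x0033, 0x002B],
                     sig_algs=[0x0403, 0x0804, 0x0401, 0x0503])
VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}
SNI, ALPN = 0x0000, 0x0010

def is_grease(v):
    """GREASE placeholders (0x0a0a, 0x1a1a, ... 0xfafa) are ignored."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def hexlist(values):
    return ",".join(f"{v:04x}" for v in values)

def hash12(text):
    return hashlib.sha256(text.encode()).hexdigest()[:12]

def ja4(version, ciphers, extensions, sig_algs, alpn=None, quic=False):
    """version: highest TLS version the client offers (supported_versions)."""
    ciphers = [c for c in ciphers if not is_grease(c)]
    extensions = [e for e in extensions if not is_grease(e)]
    first = alpn[0] if alpn else ""
    part_a = "{}{}{}{:02d}{:02d}{}".format(
        "q" if quic else "t", VERSIONS.get(version, "00"),
        "d" if SNI in extensions else "i",
        min(len(ciphers), 99), min(len(extensions), 99),
        first[0] + first[-1] if first else "00")
    # Part b: sorted cipher list, so cipher order does not change the result.
    part_b = hash12(hexlist(sorted(ciphers))) if ciphers else "0" * 12
    # Part c: sorted extensions without SNI/ALPN, then signature algorithms
    # in their original order.
    hashed = sorted(e for e in extensions if e not in (SNI, ALPN))
    text = hexlist(hashed) + ("_" + hexlist(sig_algs) if sig_algs else "")
    part_c = hash12(text) if hashed else "0" * 12
    return f"{part_a}_{part_b}_{part_c}"

if __name__ == "__main__":
    deny_list = {ja4(**CLI_HELLO)}  # what the policy rule would hold
    for name, hello in [("cli", CLI_HELLO), ("browser", BROWSER_HELLO)]:
        fp = ja4(**hello)
        print(name, fp, "BLOCK" if fp in deny_list else "ALLOW")
```

Because cipher and extension order are sorted away before hashing, one deny-list entry matches every client built on the same TLS stack and configuration, so review Security Events for legitimate clients that share a fingerprint before blocking it.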

 

Now, we attach the service policy to our HTTP load balancer.

  • Manage > HTTP Loadbalancer > Click Manage configurations 

  • Click Edit Configurations 

     

  • In the Common Security Controls section, select Apply Service Policies and click Edit Configurations.

     

  • Select the configured policy, then Apply. 

 

Testing

  • From Firefox browser

  • From Ubuntu using curl 

  • Observing logs from F5 Distributed Cloud
    • From HTTP Loadbalancers > select the created loadbalancer and click Security Monitoring 

    • Click Security Events to check the requests 

       

    • You can see the events with the requests and client information 
    • From the Action column, you can select Explain with AI to gain further information and recommendations.

 

We have the service policy configured and attached. It can also be attached to other components for client identification.

 


Published Jan 08, 2025
Version 1.0