F5 Distributed Cloud JA4 detection for enhanced performance and detection
JA4+ is a suite of network fingerprinting methods. These methods are both human and machine readable to facilitate more effective threat-hunting and analysis. The use cases for these fingerprints include scanning for threat actors, malware detection, session hijacking prevention, compliance automation, location tracking, DDoS detection, grouping of threat actors, reverse shell detection, and many more.
Introduction
In a previous article, Identity-Aware decisions with JA4+, we discussed using JA4 fingerprints with BIG-IP. In this article, we explore the use of JA4 in F5 Distributed Cloud.
One useful application of JA4 in F5 Distributed Cloud is described in F5 App Connect and NetApp S3 Storage – Secured Scalable AI RAG.
Let's go through the steps of getting the JA4 fingerprints applied to a traffic sample.
Implementation
In this example we are using an NGINX instance deployed via F5 Distributed Cloud Distributed Apps.
- Deploy Virtual K8s through Distributed Apps.
- Create service policy with the matching JA4 fingerprints to block.
- The reference database of known JA4 fingerprints can be found at JA4 Database.
Service policy creation
- From Distributed Cloud UI > Distributed Apps > Manage > Service Policies > Service Policies
- Add Service Policy
- Add name: ja4-service-policy
- Under rules, select Custom rules and then click configure
- Click Add item
- Update the following:
- Add a name and select an action.
- Show advanced fields in the client section.
- TLS Fingerprint Matcher: JA4 TLS Fingerprint
- Click Configure JA4 TLS Fingerprint
- Click Add item and enter the JA4 fingerprint to match. In our case, we are blocking the curl and wget fingerprints.
- Click Apply to save, then Save and Exit.
Now, we attach the service policy to our HTTP Load balancer.
- Manage > HTTP Loadbalancer > Click Manage configurations
- Click Edit Configurations
- In the Common Security Controls section, select Apply Service Policies and click Edit Configurations.
- Select the configured policy, then click Apply.
Testing
- From a Firefox browser
- From Ubuntu using curl
- Observing logs from F5 Distributed Cloud
- From HTTP Loadbalancers > select the created loadbalancer and click Security Monitoring
- Click Security Events to check the requests
- The events show each request together with its client information.
- From the Action column, you can select Explain with AI to gain further information and recommendations.
We now have the service policy configured and attached to the HTTP Load Balancer. The same policy can also be attached to other components for client identification.
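To make concrete what the JA4 TLS Fingerprint matcher configured above actually compares, here is an added Python example (written for this article; it is neither F5 Distributed Cloud code nor the JA4 project's own implementation). It computes a JA4 fingerprint from a ClientHello that has already been parsed into its cipher and extension lists, following the public JA4 spec for the sorted JA4 and the original-order JA4_o variant, and then evaluates the result against a deny-list the way a block rule in the service policy does. The two sample ClientHellos, the `ClientHello` dataclass, the `ja4` and `evaluate_policy` helpers and the deny-list are all constructed for illustration; the sample values are not the real fingerprints of curl, wget or any browser, and the hex fallback for non-alphanumeric ALPN values is an assumption.

```python
"""JA4 TLS client fingerprint computation and deny-list matching.

Illustrative helper written for this article (not F5 code, not the JA4
project's implementation). Starts from a ClientHello already parsed into
cipher/extension lists and follows the public JA4 spec for JA4 and JA4_o.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are ignored by JA4."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


@dataclass
class ClientHello:
    """The ClientHello fields JA4 uses, in the order they appeared on the wire."""
    transport: str                # "t" for TLS over TCP, "q" for QUIC
    legacy_version: int           # ClientHello.version, e.g. 0x0303
    ciphers: List[int]            # cipher suite codes
    extensions: List[int]         # extension types
    supported_versions: List[int] = field(default_factory=list)  # ext 0x002b
    alpn: List[str] = field(default_factory=list)                # ext 0x0010
    sig_algs: List[int] = field(default_factory=list)            # ext 0x000d


_VERSION_NAMES = {0x0304: "13", 0x0303: "12", 0x0302: "11",
                  0x0301: "10", 0x0300: "s3", 0x0002: "s2"}
EXT_SNI, EXT_ALPN = 0x0000, 0x0010


def _hex4(values: List[int]) -> str:
    return ",".join(f"{v:04x}" for v in values)


def _trunc_sha256(text: str) -> str:
    """First 12 hex chars of SHA-256; an empty list hashes to twelve zeros."""
    return hashlib.sha256(text.encode()).hexdigest()[:12] if text else "0" * 12


def _alpn_code(alpn: List[str]) -> str:
    """First and last character of the first ALPN value, '00' if there is none."""
    if not alpn:
        return "00"
    first, last = alpn[0][0], alpn[0][-1]
    if first.isascii() and first.isalnum() and last.isascii() and last.isalnum():
        return first + last
    raw = alpn[0].encode().hex()   # assumed fallback: hex digits for non-alphanumerics
    return raw[0] + raw[-1]


def ja4(hello: ClientHello, original_order: bool = False) -> str:
    """Return JA4 (sorted lists) or, with original_order=True, JA4_o."""
    ciphers = [c for c in hello.ciphers if not is_grease(c)]
    exts = [e for e in hello.extensions if not is_grease(e)]
    versions = [v for v in hello.supported_versions if not is_grease(v)]
    version = max(versions) if versions else hello.legacy_version
    # JA4_a: the human-readable summary (transport, version, SNI, counts, ALPN)
    ja4_a = (hello.transport
             + _VERSION_NAMES.get(version, "00")
             + ("d" if EXT_SNI in exts else "i")      # SNI present -> domain
             + f"{min(len(ciphers), 99):02d}"
             + f"{min(len(exts), 99):02d}"
             + _alpn_code(hello.alpn))
    # JA4_b: cipher suites, sorted unless JA4_o is requested
    b_list = ciphers if original_order else sorted(ciphers)
    # JA4_c: extensions (SNI and ALPN dropped and sorted unless JA4_o),
    # then the signature algorithms in their original order
    if original_order:
        c_list = exts
    else:
        c_list = sorted(e for e in exts if e not in (EXT_SNI, EXT_ALPN))
    c_text = _hex4(c_list)
    if hello.sig_algs:
        c_text += "_" + _hex4(hello.sig_algs)
    return "_".join([ja4_a, _trunc_sha256(_hex4(b_list)), _trunc_sha256(c_text)])


def evaluate_policy(fingerprint: str, deny_list: set) -> str:
    """Exact-match deny rule: the behaviour of a 'block these JA4s' policy."""
    return "deny" if fingerprint in deny_list else "allow"


# Constructed sample hellos: illustrative values, not real curl/browser captures.
BROWSER_LIKE = ClientHello(
    transport="t", legacy_version=0x0303,
    ciphers=[0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030,
             0xCCA9, 0xCCA8, 0xC013, 0xC014, 0x009C, 0x009D, 0x002F, 0x0035],
    extensions=[0x2A2A, 0x0000, 0x0017, 0xFF01, 0x000A, 0x000B, 0x0023, 0x0010,
                0x0005, 0x000D, 0x0012, 0x0033, 0x002D, 0x002B, 0x001B, 0x0015],
    supported_versions=[0x0A0A, 0x0304, 0x0303],
    alpn=["h2", "http/1.1"],
    sig_algs=[0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601],
)
CLI_TOOL_LIKE = ClientHello(
    transport="t", legacy_version=0x0303,
    ciphers=[0x1302, 0x1303, 0x1301, 0xC02C, 0xC030, 0xC02B, 0xC02F, 0xCCA9, 0xCCA8],
    extensions=[0x0000, 0x000B, 0x000A, 0x0010, 0x0016, 0x0017, 0x000D, 0x002B,
                0x002D, 0x0033],
    supported_versions=[0x0304, 0x0303],
    alpn=["http/1.1"],
    sig_algs=[0x0403, 0x0503, 0x0603, 0x0807, 0x0808, 0x0804, 0x0805, 0x0806],
)

if __name__ == "__main__":
    deny = {ja4(CLI_TOOL_LIKE)}   # the fingerprints entered in the policy rule
    for name, hello in (("browser-like", BROWSER_LIKE), ("cli-tool-like", CLI_TOOL_LIKE)):
        fp = ja4(hello)
        print(f"{name:14s} JA4={fp}  JA4_o={ja4(hello, original_order=True)}"
              f"  -> {evaluate_policy(fp, deny)}")
```

Two properties matter when you pick fingerprints for a block rule: GREASE values are discarded, and the default JA4 sorts the cipher and extension lists, so a client that only randomises the order of its ciphers still yields the same JA4 (its JA4_o changes, which is why the original-order variant is kept for distinguishing such clients). The readable JA4_a prefix (`t13d1515h2` for the browser-like sample) tells you at a glance what a matched client looked like; the two hashed parts are what make an exact match meaningful.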
Related Content
- F5 App Connect and NetApp S3 Storage – Secured Scalable AI RAG | DevCentral
- Fingerprint TLS Clients with JA4 on F5 BIG-IP using iRules
- JA4 Part 2: Detecting and Mitigating Based on Dynamic JA4 Reputation | DevCentral
- Identity-Aware decisions with JA4+ | DevCentral
- Setting Up A Basic Customer Edge To Run vk8s in F5 Distributed Cloud App Stack | DevCentral