For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Orchestrated Infrastructure Security - Advanced WAF

The F5 Beacon capabilities referenced in this article hosted on F5 Cloud Services are planning a migration to a new SaaS Platform - Check out the latest here. Introduction This article is p...
Updated Aug 11, 2022
Version 2.0
advanced
ASM Advanced WAF
BIG-IP
orchestration
secure
security
series-big-ip-ssl-orchestrator
series-orchestrated-infrastructure-security
sslo
waf
KevinGallaugher's avatar
Icon for Employee rankEmployee
Technical Marketing Engineer for SSL Orchestrator. I have over 25 years experience in Cybersecurity, with over 15 years spent as a Technical Marketing Engineer. Prior to F5 I worked at Blue Coat, Gigamon and Fortinet.
View Profile
KevinGallaugher's avatar
Icon for Employee rankEmployee
Technical Marketing Engineer for SSL Orchestrator. I have over 25 years experience in Cybersecurity, with over 15 years spent as a Technical Marketing Engineer. Prior to F5 I worked at Blue Coat, Gigamon and Fortinet.
View Profile
KevinGallaugher's avatar
KevinGallaugher
Icon for Employee rankEmployee
Oct 27, 2022

Hi Sanjay, sorry for the delayed response.

In a layer 2 mode there’s no pool. The BIG-IP does not participate in layer 3.

 

However, you can define different VIPs that define source and/or destination IP addresses that act as filters for the traffic. So for example:

 

  • Let’s say you have a backend application at 192.168.1.100. In a layer 2 mode it’s expected that the client will route directly to this destination IP address, where the BIG-IP is physically in the path. When the client request comes to the F5, the destination address will be 192.168.1.100, and you cannot NAT or SNAT at the BIG-IP.

 

  • If you want to create application specific VIPs, you can create different L2 VIP with different destination IP “filters”. So an L2 VIP with a destination address of 192.168.1.100 would only consume that traffic. Again, source and destination IPs in an L2 mode are just filters for the traffic. An L2 VIP otherwise has a virtual-wire VLAN attached, no pool, and address and port translation are disabled.

 

You could also just create multiple AWAF policies and attach a CPM policy to your L2 VIP that dynamically selects one of the AWAF policies based on the incoming HTTP Host header. For example:

 

  • CPM policy
    • Rule 1: HTTP Host is www.f5labs.com on request -> enable asm (waf_policy_a)
    • Rule 2: HTTP Host is www1.f5labs.com on request -> enable asm (waf_policy_b)
    • Rule 3: disable asm on request