Hi Pete,

So what'eve we found is that once we add the /adfs to the URL, we get a 404 response code with no event logs for ASM.  We believe that using the ADFS Proxy setting on a virtual server, the BIG-IP will allow anything with /adfs in the URL to be processed by ASM but if a request doesn't start with /adfs in the URL, it immediately gives a 404 response code.  No iRules were in play to provide that.

While we're happy that APM is providing some sort of security, we get no logs out of this to send to our SIEM.  We looked at that article so we're looking into it.  We're onto another problem with version 15 not supporting ADFS 5.0.

It could be a url filter or layer 7 access list in the APM session policy or if there is a per-request policy. You can also enable APM HSM logging to try to see the APM logs that block this:

https://support.f5.com/csp/article/K45423041

See at the end of this link about HSM with APM:

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-imple...

ASM can use the APM session id for user session matching:

https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/14.h...

As your APM is before the ASM you can also place the ASM before the APM to protect the login page or webtop if you use those. But in this case maybe the session feature will not work as the APM will be after the ASM but still the ASM may track by username by the login page:

https://support.f5.com/csp/article/K13315545

https://support.f5.com/csp/article/K54217479

I created a test adfs config and I take my words back as by default the ADFS config shouldn't provide any URL protections but if you modified it and if the ASM/Advanced WAF is the one doing this as it could block without returning custom page if someone has made it so.

ADFS config with APM authentication and F5 SMS OTP:

We're working with support on this issue but there is no APM policy that is in use for ADFS.  We are using the ADFS Trust portion that shows on a Virtual Server where you enter in Domain Admin creds to establish the trust and a certificate is autorenewed with the ADFS servers.  That's where you see that anything which does not include a "/adfs" is presented with a 404.  No ASM policy is in play.

Definitely a nice feature but if you're trying to put an AWAF policy in front, the violations are never triggered.  Looking into having a virtual server placed in front of the ADFS virtual server but that is challenging too

Hi

I am in planning stage to configure same scenario asm infront of adfs, kindly may you guide me the challenges you are encountring?

We ended up putting a virtual server for the AWAF policy and then sending it back to the ADFS virtual server.

Traffic -> AWAF VIP -> ADFS VIP

It would prefer if we could do everything on one VS but since APM is evaluated before AWAF, no violations will be triggered.  One day F5 may re-evalute it but today is not that day...haha.