11-Jan-2023 08:52
If I assign the same DoS profile to provide application protection for all my virtual servers, is automatic threshold learning done at the virtual server level or is it applied to the overarching policy itself?
11-Jan-2023 09:51
Hi @etherchannel01 ,
It is not recommended at all.
You should separate all security profiles for each virtual server, especially DoS or Bot Defense profiles.
I say that to prevent a huge headache when troubleshooting issues.
Also, this separation at the DoS profile level will make it possible to configure all DoS profile features such as heavy URLs and so on.
Anyway, it's not recommended to group all virtual servers in one DoS profile; this is my opinion.
11-Jan-2023 09:02
Hi,
Each application has different behavior and traffic processing. If you use an automatic threshold with many applications to create a DDoS profile, it could extend the threshold to some application that doesn't need it. I recommend you create a DDoS profile for each application virtual server; this automatic process will take the maximum threshold of all virtual servers that have this profile applied.
Hope it works.
11-Jan-2023 10:10
Hi,
So I've got a configuration of VIP targeting VIP. When it comes to DoS profiles, I was planning on putting this on the front-level VIP, which is where the TCP packet will terminate, as well as the bot profile.
If I put a DoS and bot profile on each virtual server, would the VIP in front of it hide any of the traffic that might trigger these protection features?
Would I need a DoS/bot profile on the front VIP AND the backend VIPs holding the services?
Thanks - Fletch
11-Jan-2023 13:49
Hi @PSFletchTheTek ,
I want to clarify more, please.
You have 2 VIPs; one VIP sends traffic to the other one.
Are both VIPs in the same appliance or in separate appliances?
I need to know more about the traffic flow.
But from the first look, I see that putting DoS and Bot profiles on the first "Front VIP" only is sufficient.
12-Jan-2023 07:59 - edited 12-Jan-2023 08:04
Your setup sounds like something from the F5 401 exam 😀
If using a local traffic policy or iRule with a virtual command and the external VIP having an HTTP profile, then I will answer A) On the public-facing VIP.
There was an old F5 training, Securing Apps with F5 Solutions, and it had this with virtual to virtual.
But if you do not do SSL decryption and have HTTP on the external VIP, I can't tell if this is a valid setup (you said "TCP packet will terminate" and that could be the tricky part of the question 😉), but if it works, as I have to check this in the lab, then my answer will be B) DoS and Bot profiles on the internal VIP.
I hope we are talking only DoS with ASM, not AFM, as then even without SSL decryption we can do the DoS profile on the external VIP.
@Mohamed_Ahmed_Kansoh, you already answered the question, but now @PSFletchTheTek is giving you a bonus one, and sorry for me also commenting, but this is some good stuff 😁
12-Jan-2023 08:57
Great analysis @Nikoolayy1 👌 Benefits of being 401 certified 😉
12-Jan-2023 08:58
If they do not update it soon to a newer version than 13.1, it will not mean so much 😀