
Integrate mobile application with WAF

THE_BLUE
Cirrus

I have a mobile app and I want to integrate it with the WAF. The app uses an API and the server IP is used in the API URL, e.g. https://x.x.x.x/api; there is no domain name used. So I have assigned a public IP to the virtual server and replaced the server IP in the API URL with the public IP, so now the server IP is in the pool.

I was thinking that when the mobile app is opened it would hit the API (which contains the public IP) and from the WAF the VS would reach the pool (server IP), but this does not work.

The app does not work and there is no hit or traffic in the WAF.

Any idea? Is there anything missing?


Samir
Nacreous

Not sure which app you are using, and I need to understand the application traffic flow. API security (WAF/AWAF) plays a key role here. So, an F5 consultant may help to optimize the configuration based on your needs.

Thanks

It is a shared app, something like an ERP.

Ivan_Chernenkii
F5 Employee

Does traffic pass through the VS to the backend without the ASM policy?

If not, then most probably this is not a WAF issue and you need to configure the VS in a specific way.

Thanks, Ivan

Actually I have tested that with ASM (not in blocking mode), but I noticed that the public IP does not reach the backend server. Because the first page in the app is a login page, when I try to enter my user and pass there is a message shown, "user name or pass not correct"; this is when the public IP is placed in the API URL. But when I replace the public IP with the backend IP in the API URL, the app works fine.

The idea of adding the public IP in the API URL is to pass traffic through the WAF, and that public IP should reach the backend IP. I don't know if this is the way of doing that or not.

Thanks

Sorry, I am not sure that I fully understand your use case. Could you provide some examples of requests: what you send and what you expect?

I understand that you want to protect your mobile app with the WAF, but again: does this configuration work without the WAF? Could you check it? It will help us better understand on which side we have an issue.

Thanks, Ivan

Without the WAF it is working fine, since the server IP is placed in the API URL.

My scenario is: I want to protect my application with the WAF. I followed the normal process: I created a virtual server, node, pool, policy...

I assigned the public IP to the virtual server, placed the server IP in a node and assigned it to the pool, then assigned the pool to the virtual server with the policy. The change I made is that I replaced the server IP with the public IP in the API URL, e.g.:

Old API URL: https://10.x.x.x/api

New API URL: https://82.x.x.x/api

82.x.x.x is the public IP on the virtual server.

But this scenario does not work.

The idea of the app is that you have to log in, then you can request annual leave.

But when I started the integration with the WAF, when I try to access the app by entering username and password, it shows an error and cannot verify the user/password.

And there is no block in the WAF; block mode is not applied. So I think it is because I placed the public IP in the API URL, and that is why it cannot reach the server.

So, now you have a VS with the public API with WAF. Right?

  1. What happens if you remove the ASM policy from this VS? Does traffic pass to your server through the VS, or do you have the same problem?
  2. What error do you see when entering the username/password with the WAF?
  3. Do you see any requests on the "Security ›› Event Logs : Application : Requests" page? If yes, then with what status (legal, alarmed, blocked)?

So, now you have a VS with the public API with WAF. Right? Yes.

  1. What happens if you remove the ASM policy from this VS? Does traffic pass to your server through the VS, or do you have the same problem? I have not tried it.
  2. What error do you see when entering the username/password with the WAF? Validation issue.
  3. Do you see any requests on the "Security ›› Event Logs : Application : Requests" page? If yes, then with what status (legal, alarmed, blocked)? No traffic.

But if I try to access the API URL through a browser, e.g. https://82.x.x.x/api, I can see traffic in the event log, but with the mobile application no traffic is showing.

OK, it seems I got you...

If you want to protect your mobile application with a WAF policy, then:

  1. You need to configure Mobile Application in the Bot profile (starting from v14.1.0) or in the DoS profile (starting from v13.1.0 to v14.1.0).
  2. You need to attach this profile to the Virtual Server with the WAF policy.

For additional protection you can integrate the Anti-Bot Mobile SDK into your application.

Thanks, Ivan