Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

Knowledge sharing: An example of the general order of precedence for the BIG-IP modules. Also, the F5 ASM DDOS Protection or Bot Protection order of precedence explained.

Nikoolayy1
MVP
MVP

‎20-Aug-2021 07:51

For the General order of the modules in F5:

 

 

Packet Filter > AFM > iRule Flow Init event> LTM(or GTM/DNS) >APM > ASM .

 

 

Also in the AFM there is DDOS at Layer 3 or 4 that is before the AFM rules (the same as the ASM). For the AFM DDOS there is general device DDOS and virtual server specific DDOS and the Genaral Device DDOS takes precedence but it has higher by default thresholds and this why during attack the Virtual server DDOS will in most cases be first activated. The Device DDOS is present even without the AFM module but when there is AFM module it can actually be controlled and configured(not only using the default values). The AFM rules themselves have a conext order(https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-imple...). To see what part of the AFM is blocking you use the packet tracer tool:

 

https://clouddocs.f5.com/training/community/firewall/html/class1/module2/module2.html

 

 

 

If needed you can still place the ASM infront the APM by following:

 

https://support.f5.com/csp/article/K54217479

 

https://support.f5.com/csp/article/K13315545

 

 

 

 

Other F5 precedences is the GTM/DNS order :

 

https://support.f5.com/csp/article/K14510

 

 

 

 

The Local traffic object and VIP order for the LTM:

 

 

 

https://support.f5.com/csp/article/K9038

 

https://support.f5.com/csp/article/K14800

 

 

 

The F5 irule event order:

 

 

https://devcentral.f5.com/s/question/0D51T00006i7X94/irule-event-order-http

 

 

The picture of the F5 order is from the old F5 401 study guide:

 

 

 

0691T00000Dys9JQAR.png 

 

 

 

 

 

 

 

As in the newer F5 TMOS versions the Bot defense is seperated from the DDOS Protection and as my tests confirmed first the ASM DDOS is activated then the Bot defense and after that the ASM policy and in the most F5 documentation maybe not writen good this is the case. In the older versons also first the DDOS filtered requests and then the Bot Defense further filtered the traffic before the ASM policy. As of now the Bot protection also generates support id, so if you are blocked and you see support id but in the security policy searches you can't find anything also search the support id under the Bot defence request logs as I found this the hard way.

 

 

0691T00000DyqFPQAZ.png 

The Bot defence can also make in some cases dynamic signatures for the DDOS in order to stop the traffic at the DDOS checks but I still have not seen this done.

 

 

https://clouddocs.f5.com/training/community/ddos/html/class7/bados/module4.html

 

 

 

For testing web DDOS attacks jmeter is a great free tool and for bigger commercial tests there is cloud platform named RedWolf but Jmeter in most cases will do just fine.

 

 

 

 

Labels:
0 Kudos
0 REPLIES 0
Copyright © 2022 Khoros, LLC