Understanding F5's Transparent Mode vs Blocking Mode with a Focus on Geo-Blocking

dbaimakov
Altostratus

Hey everyone,

I've been working with F5 ASM and have some questions around its so-called 'Transparent Mode,' especially when it comes to enabling geo-blocking.

First off, can we all agree that the term "Transparent Mode" is somewhat misleading? It gives the impression that data isn't being transformed at all, which isn't the case. In this mode, a TS cookie gets inserted, sensitive data can be masked if Data Guard is enabled, and a JavaScript challenge might be added if you've set up fingerprinting options. So, it's hardly 'transparent'; 'Non-Blocking Mode' might be a more apt description.

Now, onto my main question: If I enable geo-blocking, will it actually block traffic in Transparent Mode? Has anyone tried this, or know how it works?

Looking forward to your insights.

Thanks

2 ACCEPTED SOLUTIONS

Amr_Ali
Cirrostratus

Enforcement mode defines how to act when we apply this policy. In transparent mode, policy learning will work and traffic will not be manipulated. In blocking mode, traffic will be dropped or manipulated based on the policy.

When a WAF policy is in transparent mode, all traffic will pass. So, if I understood your question correctly, if you configured geo-location and your WAF policy is in transparent mode, the traffic will pass and will not be blocked.


Hi @dbaimakov,

Like @Amr_Ali said.
I want to add: if your AWAF is in Transparent mode and you configure Geo-location protection, your AWAF policy will not take any action against this traffic; it only presents it in the event logs and Alarm logs if you checked the Alarm option here:

Mohamed_Ahmed_Kansoh_0-1694828818170.png

So you need to watch out for this.
Also have a look at this article about Geo-location configs: https://my.f5.com/manage/s/article/K79414542#configure-1

- For Transparent mode in general: AWAF in Transparent mode can parse HTTP traffic, match it against all security controls and learn all of the HTTP parameters in the request, but not block the request if it violates these security controls.

So an AWAF policy in transparent mode consumes CPU cycles because it is somehow processed in BIG-IP and does its work.

There is a clear difference between (AWAF disabled on the Virtual server and an AWAF policy in Transparent mode), as when it is disabled >>> the policy will NOT consume CPU cycles or do parsing for HTTP requests or anything.

Sometimes we need to disable the AWAF policy from the Virtual server to troubleshoot delay or drop issues (even if it is in transparent mode) and return it back after troubleshooting is over.

I hope this gives you clear insight in addition to @Amr_Ali's comment 🙂

 

_______________________
Regards
Mohamed Kansoh
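
The behaviour described in the two answers above, written as a small audit check (an added example, not part of the original posts and not F5 code). It flags policies that have a disallowed-geolocation list but will not actually block. The sample policies are constructed, and the key names (`enforcementMode`, `disallowed-geolocations`, `blocking-settings`, `VIOL_GEOLOCATION`) are assumed to follow the Advanced WAF declarative policy JSON layout.

```python
import json

# Constructed sample exports (not from the thread). Key names are assumed to
# follow the Advanced WAF declarative policy JSON layout; adjust to your export.
SAMPLES = json.loads("""[
 {"policy": {"name": "shop_transparent", "enforcementMode": "transparent",
   "disallowed-geolocations": [{"countryName": "Exampleland"}],
   "blocking-settings": {"violations": [
     {"name": "VIOL_GEOLOCATION", "alarm": true, "block": true}]}}},
 {"policy": {"name": "api_blocking", "enforcementMode": "blocking",
   "disallowed-geolocations": [{"countryName": "Exampleland"}],
   "blocking-settings": {"violations": [
     {"name": "VIOL_GEOLOCATION", "alarm": true, "block": true}]}}},
 {"policy": {"name": "legacy_noalarm", "enforcementMode": "transparent",
   "disallowed-geolocations": [{"countryName": "Exampleland"}],
   "blocking-settings": {"violations": [
     {"name": "VIOL_GEOLOCATION", "alarm": false, "block": true}]}}},
 {"policy": {"name": "no_geo", "enforcementMode": "transparent"}}
]""")


def geo_action(doc):
    """Effective handling of requests from a disallowed geolocation."""
    pol = doc.get("policy", doc)
    if not pol.get("disallowed-geolocations"):
        return "not-configured"
    viols = pol.get("blocking-settings", {}).get("violations", [])
    viol = next((v for v in viols if v.get("name") == "VIOL_GEOLOCATION"), None)
    if viol is None:
        return "unknown"  # flags not in this export; template defaults apply
    if pol.get("enforcementMode", "").lower() == "blocking" and viol.get("block"):
        return "block"
    # Transparent mode, or Block unchecked: the request is passed either way.
    return "pass-logged" if viol.get("alarm") else "pass-unlogged"


def audit(docs):
    """List (policy, action) pairs where a geo list exists but nothing is blocked."""
    results = ((d.get("policy", d).get("name", "<unnamed>"), geo_action(d)) for d in docs)
    return [(n, a) for n, a in results if a not in ("block", "not-configured")]


if __name__ == "__main__":
    for name, action in audit(SAMPLES):
        print(f"{name}: geolocation list configured, effective action = {action}")
```
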
