F5 Resources Usage
I'm new to F5 AWAF. Considering that WAF protections such as Bot Defense and DoS protection would use a high amount of resources, are there any guidelines on the resources, such as CPU or memory, to be allocated to these protections? Plus, imagining that I have 1000 web applications to be protected, how do I allocate resources properly so that the F5 can handle all the protections properly? My concern is that the F5 will be unable to handle the protection if there are too many applications to be protected and the protection itself requires a large amount of resources to work properly.

DoS Attacks not showing on dashboard
Issue: DoS attacks are not showing on the DoS dashboard.

Information: The strange part is that this was working, but then I made a few changes to split this particular virtual server into internal and external VIPs and only apply the DoS profile to the external VIP. I have a DoS logging profile enabled on this VS. I know attacks are happening, as I can see them under Security > Event Logs > DoS > Application Events. However, none of the new attack IDs show under the DoS Dashboard located at Security > Reporting > DoS > Dashboards. Any thoughts on how to fix this would be much appreciated. Thanks!

How can I alert on an ASM Denial of Service event?
I would like to set an alert when a DoS profile is triggered and I'm asleep or otherwise not logged into the console. We already have alerting similar to this configured in other tools like our SIEM, so I was hoping I could just send a syslog alert when the profile is triggered and mitigations are applied. Our SIEM is IBM QRadar, not Splunk or ArcSight, so we're unable to use DoS high-speed logging, which would be overkill anyway, as I'm only looking for something to indicate there is a problem and not to forward detailed information about what triggered the event. I've found the IN_DOSL7_ATTACK iRule event, but so far I've found two issues. I'm not sure how to capture what pool or DoS profile is firing; I need this to determine the criticality of the service. And I cannot seem to get it to work, even when logging to local0. Here is what I could not get to work. It was applied to the correct pool and I was able to create a DoS event that showed up in Security > Reporting > DoS.

    when IN_DOSL7_ATTACK {
        # Runs when the DoS L7 profile declares an attack; write one line to the local0 facility
        log local0. "Attacker IP: $DOSL7_ATTACKER_IP, Mitigation: $DOSL7_MITIGATION"
    }

I'm looking at /var/log/ltm, which is where I saw my other iRule logging. Is this the right location?

Why does the Local Traffic policy allow a Bot profile to be selected but the iRule can't?
When I attach DoS and Bot profiles with a local traffic policy or an iRule, I always need a default Bot and DoS profile, even when I have a default rule that catches all the traffic. That is one thing, but the strangest thing is that when I decide to attach a Bot profile with an iRule it does not work, whereas the Local Traffic Policies allow this. I will need to test this, but it is really strange. This is the first time something is only possible with Local Traffic Policies, but I will have to test if it works 🙂

Traffic flow between IPI, application security policy, bot detection, DoS protection, iRule, and geolocation
I want to know the traffic flow between IPI, application security policy, bot detection, DoS protection, iRules, and Geolocation (using an iRule for Geolocation). I am using Global IPI (meaning the IPI is not attached to any VS), have an iRule for Geolocation, and only have the ASM and LTM modules (no APM or AFM). I understand that iRules can be arranged in order. The application security policy, bot detection, DoS protection and iRules are attached to the VS. Here is what I understand the traffic flow to be: the traffic hits Global IPI -> reaches the VS for the iRules in order (including Geolocation; I always put Geolocation in first place) -> Application security policy -> DoS -> Bot detection. Is this correct? Or will application security policy, DoS and Bot detection happen at the same time? What is the best practice for Geolocation: using an iRule for Geolocation, or using Geolocation in the application security policy?

Device ID - Bot/DoS Profile
Will F5 generate any device ID for the client if it is still in transparent mode? Will my Device ID work in the DoS profile if my Bot profile is still in transparent mode? For device ID to work in the context of the DoS profile, it must be configured under the Bot profile, as stated.

DoS Profile automatic threshold
Hi! Which threshold is preferable for DoS profile deployment, automatic or manual? I have set automatic, as I simply couldn't decide on a manual threshold rate. If I have set my threshold to automatic, how long should I wait before moving from transparent to blocking for my DoS profile? I had read somewhere that, for the automatic threshold, F5 calculates the values using 7 days of historical data and sets the threshold values to the highest levels seen during normal activity? Thanks in advance

IP-Intelligence Manual Additions and Bad Actor Additions Not Working
Greetings DevCentral community, I have come to impasses on two goals on a 15.1.0.5 VE running in ESXi related to IP-Intelligence configuration, and I would very much appreciate direction for resolution.

Impasse 1: Having my manually added IP addresses be respected by the IP-Intelligence policy. Though pre-existing blacklisted sources are dropped with my configuration, my manually added IP addresses added via are not respected. I'm adding the IP addresses to the categories configured for drop in my IP-Intelligence policy via Security ›› Network Firewall : IP Intelligence : Blacklist Categories >> Add to Category. I've tried with public and private IPs. I've tried with pre-existing and custom blacklist categories. My license is valid. iprep_lookup from the CLI shows no verdict/category for the manually added IPs, whereas the GUI "Check Entry" button shows the IP address as present in the blacklisted category.

Impasse 2: DoS blacklisting via Bad Actor Detection is not updating the blacklist category with the offending IP address. My tests have been done via Device DoS Protection with ICMPv4 flooding. I can see the attack vector being rate limited in the DoS logs. My settings to add the bad actor to the blacklist category are set low (Sustained Attack Detection Time of 10 seconds). Even if my test source attacks for a prolonged period of time and is mitigated for this prolonged period of time, the address never shows up in the specified blacklist category. I have tried custom categories as well as the pre-made denial-of-service category. I have selected to advertise externally and I have BGP set up to redistribute kernel. Regardless, the IP address that should be shunned does not show up in the routing table as a local blackholed kernel route, nor does it show up on the upstream BGP peer as a blackholed route. Manually configured blackholed routes are propagated properly via redistribute kernel.
The GUI "Check Entry" button does not show the IP address as present in the specified bad actor category. I have tried triggering the attack vector/bad actor protection with private IPs as well as spoofed public IPs.

    list security dos device-config
    dos-device-vector icmpv4-flood
        allow-advertisement enabled
        allow-upstream-scrubbing disabled
        attacked-dst disabled
        auto-blacklisting enabled
        auto-scrubbing disabled
        auto-threshold disabled
        bad-actor enabled
        blacklist-category denial_of_service
        blacklist-detection-seconds 10
        blacklist-duration 14400
        ceiling 200000
        default-internal-rate-limit 100000
        detection-threshold-percent 500
        detection-threshold-pps 10000
        enforce enabled
        floor 100
        multiplier-mitigation-percentage 300
        packet-types none
        per-dst-ip-detection-pps infinite
        per-dst-ip-limit-pps infinite
        per-source-ip-detection-pps 1000
        per-source-ip-limit-pps 10000
        scrubbing-category attacked_ips
        scrubbing-detection-seconds 10
        scrubbing-duration 900
        simulate-auto-threshold disabled
        state mitigate
        suspicious false
        threshold-mode manual-multiplier-mitigation
        valid-domains none

Can the F5 Mitigate the HTTP/2 vulnerabilities?
Hi, we are considering implementing HTTP/2 in our environment at the moment. In August, a number of DoS vulnerabilities were identified in HTTP/2. If we make the change to HTTP/2 on the F5, does the F5 do anything to mitigate the risk? https://nakedsecurity.sophos.com/2019/08/19/netflix-finds-multiple-http2-dos-flaws/ Are there ASM signatures that protect against these issues? If so, what about protection on APM if we add HTTP/2 there? Any information would be appreciated.

Apply ASM DoS profile to a single virtual server? Different DoS thresholds for different virtual servers?
Env: LTM 11.5.2 on hardware appliances (4200, 2000). Maybe I'm just missing it and this is a stupid question, but is there a way to apply Denial of Service protections to a single virtual server's traffic in the ASM module? Or different thresholds for different virtual servers? Everything I'm reading seems to imply that once you set a profile it applies to ALL traffic to the LTM. Is that correct? Thanks!