OWA File Upload URIs for WAF Bypass
Hi All, We are using the OWA 2016 WAF application template (negative security model) and would like to know: The list of OWA URIs used for file uploads The recommended URIs to bypass or relax WAF inspection for uploads Our intention is to disable file upload/payload inspection and signature enforcement only for those URIs, while retaining HTTP compliance checks, as file scanning is handled via ICAP. Any guidance would be appreciated. Thanks.
New BIG-IP ASM v13 Outlook Web Access (OWA) 2016 Ready Template
F5 has created a specialized ASM template to simplify the configuration process of OWA 2016 with the new version of BIG-IP v13 Click here and download the latest version of XML file that contains the template: Outlook Web Access 2016 Ready Template v6.x Goal: Quick OWA 2016 base line policy which set to Blocking from Day-One tuned to OWA 2016 environment. Ready Template Deployment Steps Download the latest version of the policy XML file (click on the file --> Raw --> Save As) from the link above Update Attack Signature to the latest version: Click "Security Update" --> "Application Security" --> "Check for Updates" --> "Install Updates" Click "Application Security" --> "Import Policy" --> Select File" and choose the XML file Edit the policy name to the protected application name and click "Import Policy" Attach the policy to the appropriate virtual server Refine learning new records in "Application Security" --> "Policy Building" --> Traffic Learning" Observe no false positive occur by validating event logs: "Event Logs" --> "Application" --> "Request" Important: If the policy is not working properly, please ensure you are using the latest version. If you have any issues or questions, please send any feedback to my email: n.ashkenazi@f5.comF5 AWAF/ASM learning only from Trusted traffic?
I found this nice option "Only from Trusted Traffic" for the Policy Builder but this is seems to relevant only after the learning period has passed. I did increase the thresholds to the max possible value 1000000000 under "Loosen Policy" for "Untrusted Traffic "as to never learn from not trusted IP addresses in the initial learning period that is 7 days. I think that is the correct way ? I would have been nice to have a global option or option under "Loosen Policy" to learn from "Only from Trusted Traffic" like in "Track Site ".F5 VELOS: A Next-Generation Fully Automatable Platform
What is VELOS? The F5 VELOS platform is the next generation of F5’s chassis-based systems. VELOS can bridge traditional and modern application architectures by supporting a mix of traditional F5 BIG-IP tenants as well as next-generation BIG-IP Next tenants in the future. F5 VELOS is a key component of the F5 Application Delivery and Security Platform (ADSP). VELOS relies on a Kubernetes-based platform layer (F5OS) that is tightly integrated with F5 TMOS software. Going to a microservice-based platform layer allows VELOS to provide additional functionality that was not possible in previous generations of F5 BIG-IP platforms. Customers do not need to learn Kubernetes but still get the benefits of it. Management of the chassis will still be done via a familiar F5 CLI, webUI, or API. The additional benefit of automation capabilities can greatly simplify the process of deploying F5 products. A significant amount of time and resources are saved due to automation, which translates to more time to perform critical tasks. F5OS VELOS UI Why is VELOS important? Get more done in less time by using a highly automatable hardware platform that can deploy software solutions in seconds, not minutes or hours. Increased performance improves ROI: The VELOS platform is a high-performance and highly scalable chassis with improved processing power. Running multiple versions on the same platform allows for more flexibility than previously possible. Significantly reduce the TCO of previous-generation hardware by consolidating multiple platforms into one. Key VELOS Use-Cases NetOps Automation Shorten time to market by automating network operations and offering cloud-like orchestration with full-stack programmability Drive app development and delivery with self-service and faster response time Business Continuity Drive consistent policies across on-prem and public cloud and across hardware and software-based ADCs Build resiliency with VELOS’ superior platform redundancy and failover capabilities Future-proof investments by running multiple versions of apps side-by-side; migrate applications at your own pace Cloud Migration On-Ramp Accelerate cloud strategy by adopting cloud operating models and on-demand scalability with VELOS and use that as on-ramp to cloud Dramatically reduce TCO with VELOS systems; extend commercial models to migrate from hardware to software or as applications move to cloud Automation Capabilities Declarative APIs and integration with automation frameworks (Terraform, Ansible) greatly simplifies operations and reduces overhead: AS3 (Application Services 3 Extension): A declarative API that simplifies the configuration of application services. With AS3, customers can deploy and manage configurations consistently across environments. Ansible Automation: Prebuilt Ansible modules for VELOS enable automated provisioning, configuration, and updates, reducing manual effort and minimizing errors. Terraform: Organizations leveraging Infrastructure as Code (IaC) can use Terraform to define and automate the deployment of VELOS appliances and associated configurations. Example json file: Example of running the Automation Playbook: Example of the results: More information on Automation: Automating F5OS on VELOS GitHub Automation Repository Specialized Hardware Performance VELOS offers more hardware-accelerated performance capabilities with more FPGA chipsets that are more tightly integrated with TMOS. It also includes the latest Intel processing capabilities. This enhances the following: SSL and compression offload L4 offload for higher performance and reduced load on software Hardware-accelerated SYN flood protection Hardware-based protection from more than 100 types of denial-of-service (DoS) attacks Support for F5 Intelligence Services VELOS CX1610 chassis VELOS BX520 blade Migration Options (BIG-IP Journeys) Use BIG-IP Journeys to easily migrate your existing configuration to VELOS. This covers the following: Entire L4-L7 configuration can be migrated Individual Applications can be migrated BIG-IP Tenant configuration can be migrated Automatically identify and resolve migration issues Convert UCS files into AS3 declarations if needed Post-deployment diagnostics and health The Journeys Tool, available on DevCentral’s GitHub, facilitates the migration of legacy BIG-IP configurations to VELOS-compatible formats. Customers can convert UCS files, validate configurations, and highlight unsupported features during the migration process. Multi-tenancy capabilities in VELOS simplify the process of isolating workloads during and after migration. GitHub repository for F5 Journeys Conclusion The F5 VELOS platform addresses the modern enterprise’s need for high-performance, scalable, and efficient application delivery and security solutions. By combining cutting-edge hardware capabilities with robust automation tools and flexible migration options, VELOS empowers organizations to seamlessly transition from legacy platforms while unlocking new levels of performance and operational agility. Whether driven by the need for increased throughput, advanced multi-tenancy, the VELOS platform stands as a future-ready solution for securing and optimizing application delivery in an increasingly complex IT landscape. Related Content Cloud Docs VELOS Guide F5 VELOS Chassic System Datasheet F5 rSeries: Next-Generation Fully Automatable Hardware Demo Video
F5 rSeries: Next-Generation Fully Automatable Hardware
What is rSeries? F5 rSeries is a rearchitected, next-generation hardware platform that scales application delivery performance and automates application services to address many of today’s most critical business challenges. F5 rSeries is a key component of the F5 Application Delivery and Security Platform (ADSP). rSeries relies on a Kubernetes-based platform layer (F5OS) that is tightly integrated with F5 TMOS software. Going to a microservice-based platform layer allows rSeries to provide additional functionality that was not possible in previous generations of F5 BIG-IP platforms. Customers do not need to learn Kubernetes but still get the benefits of it. Management of the hardware will still be done via a familiar F5 CLI, webUI or API. The additional benefit of automation capabilities can greatly simplify the process of deploying F5 products. A significant amount of time and resources are saved due to automation, which translates to more time to perform critical tasks. F5OS rSeries UI Why is this important? Get more done in less time by using a highly automatable hardware platform that can deploy software solutions in seconds, not minutes or hours. Increased performance improves ROI: The rSeries platform is a high performance and highly scalable appliance with improved processing power. Running multiple versions on the same platform allows for more flexibility than previously possible. Pay-as-you-Grow licensing options that unlock more CPU resources. Key rSeries Use-Cases NetOps Automation Shorten time to market by automating network operations and offering cloud like orchestration with full stack programmability Drive app development and delivery with self-service and faster response time Business Continuity Drive consistent policies across on-prem and public cloud and across hardware and software based ADCs Build resiliency with rSeries’ superior performance and failover capabilities Future proof investments by running multiple versions of apps side-by-side; migrate applications at your own pace Cloud Migration On-Ramp Accelerate cloud strategy by adopting cloud operating models and on-demand scalability with rSeries and use that as on ramp to cloud Dramatically reduce TCO with rSeries systems; extend commercial models to migrate from hardware to software or as applications move to cloud Automation Capabilities Declarative APIs and integration with automation frameworks (Terraform, Ansible) greatly simplifies operations and reduces overhead: AS3 (Application Services 3 Extension): A declarative API that simplifies the configuration of application services. With AS3, customers can deploy and manage configurations consistently across environments. Ansible Automation: Prebuilt Ansible modules for rSeries enable automated provisioning, configuration, and updates, reducing manual effort and minimizing errors. Terraform: Organizations leveraging Infrastructure as Code (IaC) can use Terraform to define and automate the deployment of rSeries appliances and associated configurations. Example json file: Example of running the Automation Playbook: Example of the results: More information on Automation: Automating F5OS on rSeries GitHub Automation Repository Specialized Hardware Performance rSeries offers more hardware-accelerated performance capabilities with more FPGA chipsets that are more tightly integrated with TMOS. It also includes the latest Intel processing capabilities. This enhances the following: SSL and compression offload L4 offload for higher performance and reduced load on software Hardware-accelerated SYN flood protection Hardware-based protection from more than 100 types of denial-of-service (DoS) attacks Support for F5 Intelligence Services Migration Options (BIG-IP Journeys) Use BIG-IP Jouneys to easily migrate your existing configuration to rSeries. This covers the following: Entire L4-L7 configuration can be migrated Individual Applications can be migrated BIG-IP Tenant configuration can be migrated Automatically identify and resolve migration issues Convert UCS files into AS3 declarations if needed Post-deployment diagnostics and health The Journeys Tool, available on DevCentral’s GitHub, facilitates the migration of legacy BIG-IP configurations to rSeries-compatible formats. Customers can convert UCS files, validate configurations, and highlight unsupported features during the migration process. Multi-tenancy capabilities in rSeries simplify the process of isolating workloads during and after migration. GitHub repository for F5 Journeys Conclusion The F5 rSeries platform addresses the modern enterprise’s need for high-performance, scalable, and efficient application delivery and security solutions. By combining cutting-edge hardware capabilities with robust automation tools and flexible migration options, rSeries empowers organizations to seamlessly transition from legacy platforms while unlocking new levels of performance and operational agility. Whether driven by the need for increased throughput, advanced multi-tenancy, the rSeries platform stands as a future-ready solution for securing and optimizing application delivery in an increasingly complex IT landscape. Related Content Cloud Docs rSeries Guide F5 rSeries Appliance Datasheet F5 VELOS: A Next-Generation Fully Automatable Platform Demo Video
Integrating Security Solutions with F5 BIG-IP SSL Orchestrator
Introduction SSL Orchestrator enables you to maximize infrastructure and security investments with dynamic, policy-based decryption, encryption, and traffic steering through security inspection devices. SSL Orchestrator is a key component of the F5 Application Delivery and Security Platform (ADSP). What are Security Services? SSL Orchestrator supports a wide variety of Security Services. A “Service” is defined as a device that SSL Orchestrator passes decrypted traffic to. A Service can be Layer 2 or 3. It can be unidirectional (TAP). It can be an ICAP server. It can be an Explicit or Transparent HTTP proxy. Security Services need to inspect content that is not encrypted. SSL Orchestrator handles the decryption so the Service can inspect it for threats, enforce certain policies, prevent sensitive data from leaving the network and much more. A Next Generation Firewall, or NGFW, is a common Service type. A NGFW is a network security device that extends traditional firewall capabilities by incorporating features like deep packet inspection, intrusion prevention, and application control to protect against advanced cyber threats. A NGFW is commonly deployed as a Layer 2 or 3 device. A sandbox is another common Service type. Sandboxes look for malware and other threats by analyzing potentially malicious content in a controlled environment. A sandbox is a secure, isolated environment where suspicious code or applications can be executed and observed without the risk of infecting the host or network. A Sandbox is commonly deployed as a Layer 2 device. A Secure Web Gateway (SWG) is a network security solution that acts as a central point of control for all web traffic, filtering and inspecting it to protect against malware, phishing, and other web-based threats, while enforcing security policies. This solution has evolved over the years and may also be referred to as a Secure Access Service Edge (SASE) or Security Service Edge (SSE). A SWG is often deployed as an HTTP Proxy. Data Loss Prevention (DLP) is a cybersecurity solution designed to prevent the unauthorized access, use, or transmission of sensitive data. DLP is often deployed as an ICAP server. A network TAP device is a passive component that allows non-intrusive access to data flowing across a network, enabling monitoring and analysis of network traffic without disruption. A TAP receives a copy of the decrypted traffic so it can analyze it in the background. An HTTP proxy is commonly used as a SWG solution but is flexible and can be used for other purposes. An HTTP proxy may be used to cache web content, authenticate users and log all connections. An HTTP proxy may also be used for what is called “Web Isolation” or “Browser Isolation”. This security solution acts as an intermediary between users and web content. Offering a virtualized “view” of web content that is completely safe to users and the network itself. Which vendors or products? SSL Orchestrator supports all leading NGFW vendors and has generic support for any NGFW that is not specifically supported. Vendors/products supported include Palo Alto Networks NGFW, Check Point Security, Cisco Firepower, Fortinet FortiGate, McAfee/Trellix, Trend Micro and more. SSL Orchestrator also supports all leading Sandbox vendors and has generic support for any Sandbox that is not specifically supported. Vendors/products supported include FireEye/Trellix, Symantec and more. Most Secure Web Gateway (SWG) solutions are supported by SSL Orchestrator. Vendors/products supported include Cisco WSA, Forcepoint, Fortinet, McAfee/Trellix, Symantec/Broadcom ProxySG and many more. SSL Orchestrator supports all leading Data Loss Prevention (DLP) vendors and has generic support for any DLP solution that is not specifically supported. Vendors/products supported include Digital Guardian, McAfee/Trellix, Opswat, Symantec/Broadcom and more. Some of the TAP vendors supported by SSL Orchestrator are Palo Alto, McAfee/Trellix, RSA Netwitness, Trend Micro and Netscout. SSL Orchestrator supports HTTP proxies from the following vendors: Cisco, Forcepoint, Fortinet, McAfee/Trellix, Symantec/Broadcom and Squid. Service Deployment type Services can be deployed in a variety of different ways. SSL Orchestrator supports most, if not all of these deployment types. The common deployments are listed and described below: A Layer 2 device (bridging/bump-in-wire) refers to connectivity without IP Address configuration. Layer 2 devices pass all traffic from one interface to another interface. A Layer 3 device (typical NAT) refers to IP Address to IP Address connectivity. Layer 3 devices must be specifically configured to work in a network. An Explicit Proxy device also utilizes IP Address to IP Address connectivity. However, in this case, web applications have to be specifically configured to use an Explicit Proxy. A Transparent Proxy device also utilizes IP Address to IP Address connectivity. In this case, web applications DO NOT need to be configured to use a Proxy. Other type of devices are supported, like an ICAP server or TAP device. An ICAP server is often used for Data Loss Prevention (DLP). A TAP device is often used for passive visibility as it receives an exact copy of the decrypted traffic. Service Creation Services can be added, removed or edited from the Services tab of the SSL Orchestrator configuration utility. Services are divided into the different Service deployment types. Layer 2 The following Layer 2 Services are available: Layer 3 The following Layer 3 Services are available: Inline HTTP The following Inline HTTP Services are available: ICAP The following ICAP Services are available: TAP The following TAP Services are available: F5 SSL Orchestrator also supports F5 Solutions as Services. The following F5 Services are available: Examples Here’s an example of a Cisco Firepower Service deployed in Layer 3 mode: An IP Address and VLAN are selected for connectivity to the Service. The IP Address of the Cisco Firepower is specified. An IP Address and VLAN are selected for connectivity from the Service. Here’s an example of a Palo Alto NGFW Service deployed in Layer 2 mode: A From and To VLAN is specified for connectivity from/to the Service. Note: IP addressing is not used with a Layer 2 Service Here’s an example of an Opswat MetaDefender ICAP Service: An IP Address and port are specified for connectivity To/From the ICAP server. Some ICAP server specific settings are also needed. Here’s an example of a Netscout TAP Service: The mac address of the Netscout is specified. The VLAN and interface for connectivity to the Netscout is also specified. Creating a Service Chain Service Chains are user-defined groupings of one or more Services. Multiple Service Chains are supported. There are no restrictions on the type of Services that can be in a Service Chain. For example: a Service Chain can consist of one or more Layer 2 devices, and one or more Layer 3 devices, and so on. Service Chains can be added, removed or edited from the Service Chains tab of the SSL Orchestrator configuration utility. Available Services will be listed on the left. One or more Services can be moved into the Service Chain. The Service Chain Order is easily configurable. Demo Video Conclusion F5 BIG-IP SSL Orchestrator makes it easy to simplify and deploy your security stack. SSL Orchestrator supports virtually all available security and visibility solutions. It is able to seamlessly integrate security solutions whether they are deployed as Layer 2, Layer 3, Inline HTTP, ICAP or TAP. Related Articles Introduction to BIG-IP SSL Orchestrator
Introduction to BIG-IP SSL Orchestrator
Introduction SSL Orchestrator enables you to maximize infrastructure and security investments with dynamic, policy-based decryption, encryption, and traffic steering through security inspection devices. SSL Orchestrator is a key component of the F5 Application Delivery and Security Platform (ADSP). Demo Video What is SSL Orchestrator? F5 BIG-IP SSL Orchestrator is designed and purpose-built to enhance SSL/TLS infrastructure, provide security solutions with visibility into SSL/TLS encrypted traffic, and optimize and maximize your existing security investments. BIG-IP SSL Orchestrator delivers dynamic service chaining and policy-based traffic steering, applying context-based intelligence to encrypted traffic handling to allow you to intelligently manage the flow of encrypted traffic across your entire security stack, ensuring optimal availability. Designed to easily integrate with existing architectures and to centrally manage the SSL/TLS decrypt/re-encrypt function, BIG-IP SSL Orchestrator delivers the latest SSL/ TLS encryption technologies across your entire security infrastructure. With BIG-IP SSL Orchestrator’s high-performance encryption and decryption capabilities, your organization can quickly discover hidden threats and prevent attacks at multiple stages, leveraging your existing security solutions. BIG-IP SSL Orchestrator ensures encrypted traffic can be decrypted, inspected by security controls, then re-encrypted—delivering enhanced visibility to mitigate threats traversing the network. As a result, you can maximize your security services investment for malware, data loss prevention (DLP), ransomware, and NGFWs, thereby preventing inbound and outbound threats, including exploitation, callback, and data exfiltration. Why is this important? Offload your SSL decryption compute resources to F5. Let F5 handle all the decrypt/encrypt functions so your security tools don’t have to. This will increase the performance capabilities of your existing security solutions. Easily create policy to bypass decryption of sensitive traffic like Banking, Finance and Healthcare related websites. Improve high availability by leveraging SSL Orchestrator to distribute load among a group of security devices, like Next Generation Firewalls. A comprehensive SSL decryption solution gives you much-needed visibility into encrypted traffic, which enables you to block encrypted threats. SSL Orchestrator integrates with your existing infrastructure An SSL Orchestrator “Service” is defined as a device that SSL Orchestrator passes decrypted traffic to. A Service can be Layer 2 or 3. It can be unidirectional (TAP). It can be an ICAP server. It can be an Explicit or Transparent HTTP proxy. A Layer 2 device (bridging/bump-in-wire) refers to connectivity without IP Address configuration. Layer 2 devices pass all traffic from one interface to another interface. A Layer 3 device (typical NAT) refers to IP Address to IP Address connectivity. Layer 3 devices must be specifically configured to work on a network. An Explicit Proxy device also utilizes IP Address to IP Address connectivity. However, in this case, web applications have to be specifically configured to use an Explicit Proxy. A Transparent Proxy device also utilizes IP Address to IP Address connectivity. In this case, web applications DO NOT need to be configured to use a Proxy. Other type of devices are supported, like an ICAP server or TAP device. An ICAP server is often used for Data Loss Prevention (DLP). A TAP device is often used for passive visibility as it receives an exact copy of decrypted traffic. Service Chains Service Chains are user-defined groupings of one or more Services. Multiple Service Chains are supported by Policy (see next section). There are no restrictions on the type of Services that can be in a Service Chain. For example: a Service Chain can consist of one or more Layer 2 devices, and one or more Layer 3 devices, and so on. Policy SSL Orchestrator supports a flexible policy editor that is used to determines what type of traffic to send or not to send to a Service Chain. For example: in the case of an Outbound (see next section) configuration, certain content can bypass SSL Decryption based on URL Categories like Banking, Finance and Healthcare. Topologies A Topology defines how SSL Orchestrator will be interested into your traffic flow. It is defined as either Incoming or Outgoing. High-level parameters for how/what to intercept are defined here. In an Inbound Topology, traffic comes from users on the internet to access an application like mobile banking or shopping. This may also be referred to as a reverse proxy. In an Outbound Topology, traffic comes from users on your network to access sites/applications on the internet. For example: a person who works at Apple HQ who is accessing the internet using the company’s network. This may also be referred to as a forward proxy. Conclusion F5 BIG-IP SSL Orchestrator simplifies and accelerates the deployment of SSL visibility and orchestration services. Whether for modern, custom, or classic apps, and regardless of their location—be it on premises, in the cloud, or at the edge—BIG-IP SSL Orchestrator is built to handle today’s dynamic app landscape. Related Articles Integrating Security Solutions with F5 BIG-IP SSL Orchestrator
F5 BIG-IP AFM and FireMon Integration Guide
Introduction FireMon’s Policy Manager is the industry’s most trusted firewall policy automation platform enabling organizations to stay compliant, reduce risk, and accelerate secure access changes across all environments, from legacy data centers to multi-cloud deployments. Eliminate policy-related risk, accurately and quickly change rules, and meet internal and external compliance requirements. F5 BIG-IP Advanced Firewall Manager (AFM) is a high-performance, full-proxy network security solution designed to protect networks and data centers against incoming threats that enter the network on the most widely deployed protocols. This product’s unique application-centric design enables greater effectiveness in guarding against targeted network infrastructure-level attacks. Additionally, with BIG-IP AFM, organizations receive protection from more than 100 attack signatures—more hardware-based signatures than any other leading firewall vendor—along with unsurpassed programmability, interoperability, and visibility into threat conditions. AFM is a key components of the F5 Application Delivery and Security Platform (ADSP). Demo Video Deployment Prerequisites This guide was tested with the following software versions: F5 BIG-IP versions 15.1, 16.1, 17.5 FireMon version FMOS 2025.2.1 FireMon Configuration From the FireMon Administrative view, select Device > Devices On the right, click Create. Select F5, then BIG-IP. Give it a Name and optionally a Description. Enter the Management IP Address. Under Device Settings, enter a Username and Password that can be used to login to the BIG-IP. Expand Monitoring to review the configuration. Make changes if needed. Expand Retrieval to review the configuration. As best practice, you should schedule automatic retrieval. Click Save when done Then go to Workflow > Workflows. Under Policy Planner, click Create > Access Request. Give it a name and click Save. The Workflow screen should look like the image below. Do the same for the Policy Optimizer configuration. F5 BIG-IP AFM Configuration In the BIG-IP UI, navigate to System > Logs > Configuration > Remote Logging. Enter the IP address of the FireMon, then click Add. Click Update when done. FireMon Administration Click the 3 dots on the far right and select Retrieve Configuration. Click Retrieve You should see the following messages. Note the Health Status might be Critical This is because no Usage Data has been received. The Health should go to Normal once Usage Data is received. FireMon Security Manager Access the FireMon Security Manager from the menu on the top left. The main Dashboard gives an overview of your Device Inventory. It also has an intuitive Rule Search widget so you can easily find the rules you’re looking for. Select Policy then Security Rules. This gives you a detailed view of your F5 AFM Policy. The Compliance Dashboard is useful for getting a quick snapshot of your overall compliance. Assessment Results will show any previous results. Click Run Report to run the Assessment again. Select the Devices you want to run the assessment against. Enable any additional Options, then click Run Report. The Assessment Summary The Executive Summary Conclusion FireMon helps keep F5 firewalls running smoothly with a complete configuration management solution, including full support for the BIG-IP AFM line of network security platforms and appliances. FireMon monitors each appliance, capturing event and traffic logs in real time. All change events trigger a full configuration capture, including detailed change history and a full audit trail of operations. F5 AFM devices can be monitored directly or indirectly if another event collection system is in place. Related Content Boost Efficiency and Security with F5 BIG-IP Advanced Firewall Manager BIG-IP Advanced Firewall Manager
