security

New BIG-IP ASM v13 Outlook Web Access (OWA) 2016 Ready Template
F5 has created a specialized ASM template to simplify the configuration process of OWA 2016 with the new version of BIG-IP v13. Click here and download the latest version of the XML file that contains the template: Outlook Web Access 2016 Ready Template v6.x

Goal: a quick OWA 2016 baseline policy, set to Blocking from day one and tuned to the OWA 2016 environment.

Ready Template Deployment Steps

1. Download the latest version of the policy XML file (click on the file --> Raw --> Save As) from the link above.
2. Update the Attack Signatures to the latest version: click "Security Update" --> "Application Security" --> "Check for Updates" --> "Install Updates".
3. Click "Application Security" --> "Import Policy" --> "Select File" and choose the XML file.
4. Edit the policy name to the protected application name and click "Import Policy".
5. Attach the policy to the appropriate virtual server.
6. Refine the new learning records in "Application Security" --> "Policy Building" --> "Traffic Learning".
7. Verify that no false positives occur by checking the event logs: "Event Logs" --> "Application" --> "Request".

Important: If the policy is not working properly, please ensure you are using the latest version.

If you have any issues or questions, please send any feedback to my email: n.ashkenazi@f5.com

F5 VELOS: A Next-Generation Fully Automatable Platform
What is VELOS?

The F5 VELOS platform is the next generation of F5’s chassis-based systems. VELOS can bridge traditional and modern application architectures by supporting a mix of traditional F5 BIG-IP tenants as well as next-generation BIG-IP Next tenants in the future. F5 VELOS is a key component of the F5 Application Delivery and Security Platform (ADSP).

VELOS relies on a Kubernetes-based platform layer (F5OS) that is tightly integrated with F5 TMOS software. Going to a microservice-based platform layer allows VELOS to provide additional functionality that was not possible in previous generations of F5 BIG-IP platforms. Customers do not need to learn Kubernetes but still get the benefits of it. Management of the chassis will still be done via a familiar F5 CLI, webUI, or API. The additional benefit of automation capabilities can greatly simplify the process of deploying F5 products. A significant amount of time and resources are saved due to automation, which translates to more time to perform critical tasks.

F5OS VELOS UI

Why is VELOS important?

- Get more done in less time by using a highly automatable hardware platform that can deploy software solutions in seconds, not minutes or hours.
- Increased performance improves ROI: the VELOS platform is a high-performance and highly scalable chassis with improved processing power.
- Running multiple versions on the same platform allows for more flexibility than previously possible.
- Significantly reduce the TCO of previous-generation hardware by consolidating multiple platforms into one.

Key VELOS Use-Cases

NetOps Automation
- Shorten time to market by automating network operations and offering cloud-like orchestration with full-stack programmability
- Drive app development and delivery with self-service and faster response time

Business Continuity
- Drive consistent policies across on-prem and public cloud and across hardware- and software-based ADCs
- Build resiliency with VELOS’ superior platform redundancy and failover capabilities
- Future-proof investments by running multiple versions of apps side-by-side; migrate applications at your own pace

Cloud Migration On-Ramp
- Accelerate cloud strategy by adopting cloud operating models and on-demand scalability with VELOS and use that as an on-ramp to cloud
- Dramatically reduce TCO with VELOS systems; extend commercial models to migrate from hardware to software or as applications move to cloud

Automation Capabilities

Declarative APIs and integration with automation frameworks (Terraform, Ansible) greatly simplify operations and reduce overhead:
- AS3 (Application Services 3 Extension): a declarative API that simplifies the configuration of application services. With AS3, customers can deploy and manage configurations consistently across environments.
- Ansible Automation: prebuilt Ansible modules for VELOS enable automated provisioning, configuration, and updates, reducing manual effort and minimizing errors.
- Terraform: organizations leveraging Infrastructure as Code (IaC) can use Terraform to define and automate the deployment of VELOS appliances and associated configurations.

Example JSON file:

Example of running the Automation Playbook:

Example of the results:

More information on Automation:
- Automating F5OS on VELOS
- GitHub Automation Repository

Specialized Hardware Performance

VELOS offers more hardware-accelerated performance capabilities with more FPGA chipsets that are more tightly integrated with TMOS. It also includes the latest Intel processing capabilities. This enhances the following:
- SSL and compression offload
- L4 offload for higher performance and reduced load on software
- Hardware-accelerated SYN flood protection
- Hardware-based protection from more than 100 types of denial-of-service (DoS) attacks
- Support for F5 Intelligence Services

VELOS CX1610 chassis

VELOS BX520 blade

Migration Options (BIG-IP Journeys)

Use BIG-IP Journeys to easily migrate your existing configuration to VELOS. This covers the following:
- Entire L4-L7 configuration can be migrated
- Individual applications can be migrated
- BIG-IP Tenant configuration can be migrated
- Automatically identify and resolve migration issues
- Convert UCS files into AS3 declarations if needed
- Post-deployment diagnostics and health

The Journeys Tool, available on DevCentral’s GitHub, facilitates the migration of legacy BIG-IP configurations to VELOS-compatible formats. Customers can convert UCS files, validate configurations, and highlight unsupported features during the migration process. Multi-tenancy capabilities in VELOS simplify the process of isolating workloads during and after migration.

GitHub repository for F5 Journeys

Conclusion

The F5 VELOS platform addresses the modern enterprise’s need for high-performance, scalable, and efficient application delivery and security solutions. By combining cutting-edge hardware capabilities with robust automation tools and flexible migration options, VELOS empowers organizations to seamlessly transition from legacy platforms while unlocking new levels of performance and operational agility. Whether driven by the need for increased throughput or advanced multi-tenancy, the VELOS platform stands as a future-ready solution for securing and optimizing application delivery in an increasingly complex IT landscape.

Related Content
- Cloud Docs VELOS Guide
- F5 VELOS Chassis System Datasheet
- F5 rSeries: Next-Generation Fully Automatable Hardware

Demo Video
F5 rSeries: Next-Generation Fully Automatable Hardware
What is rSeries?

F5 rSeries is a rearchitected, next-generation hardware platform that scales application delivery performance and automates application services to address many of today’s most critical business challenges. F5 rSeries is a key component of the F5 Application Delivery and Security Platform (ADSP).

rSeries relies on a Kubernetes-based platform layer (F5OS) that is tightly integrated with F5 TMOS software. Going to a microservice-based platform layer allows rSeries to provide additional functionality that was not possible in previous generations of F5 BIG-IP platforms. Customers do not need to learn Kubernetes but still get the benefits of it. Management of the hardware will still be done via a familiar F5 CLI, webUI or API. The additional benefit of automation capabilities can greatly simplify the process of deploying F5 products. A significant amount of time and resources are saved due to automation, which translates to more time to perform critical tasks.

F5OS rSeries UI

Why is this important?

- Get more done in less time by using a highly automatable hardware platform that can deploy software solutions in seconds, not minutes or hours.
- Increased performance improves ROI: the rSeries platform is a high-performance and highly scalable appliance with improved processing power.
- Running multiple versions on the same platform allows for more flexibility than previously possible.
- Pay-as-you-Grow licensing options that unlock more CPU resources.

Key rSeries Use-Cases

NetOps Automation
- Shorten time to market by automating network operations and offering cloud-like orchestration with full-stack programmability
- Drive app development and delivery with self-service and faster response time

Business Continuity
- Drive consistent policies across on-prem and public cloud and across hardware- and software-based ADCs
- Build resiliency with rSeries’ superior performance and failover capabilities
- Future-proof investments by running multiple versions of apps side-by-side; migrate applications at your own pace

Cloud Migration On-Ramp
- Accelerate cloud strategy by adopting cloud operating models and on-demand scalability with rSeries and use that as an on-ramp to cloud
- Dramatically reduce TCO with rSeries systems; extend commercial models to migrate from hardware to software or as applications move to cloud

Automation Capabilities

Declarative APIs and integration with automation frameworks (Terraform, Ansible) greatly simplify operations and reduce overhead:
- AS3 (Application Services 3 Extension): a declarative API that simplifies the configuration of application services. With AS3, customers can deploy and manage configurations consistently across environments.
- Ansible Automation: prebuilt Ansible modules for rSeries enable automated provisioning, configuration, and updates, reducing manual effort and minimizing errors.
- Terraform: organizations leveraging Infrastructure as Code (IaC) can use Terraform to define and automate the deployment of rSeries appliances and associated configurations.

Example JSON file:

Example of running the Automation Playbook:

Example of the results:

More information on Automation:
- Automating F5OS on rSeries
- GitHub Automation Repository

Specialized Hardware Performance

rSeries offers more hardware-accelerated performance capabilities with more FPGA chipsets that are more tightly integrated with TMOS. It also includes the latest Intel processing capabilities. This enhances the following:
- SSL and compression offload
- L4 offload for higher performance and reduced load on software
- Hardware-accelerated SYN flood protection
- Hardware-based protection from more than 100 types of denial-of-service (DoS) attacks
- Support for F5 Intelligence Services

Migration Options (BIG-IP Journeys)

Use BIG-IP Journeys to easily migrate your existing configuration to rSeries. This covers the following:
- Entire L4-L7 configuration can be migrated
- Individual applications can be migrated
- BIG-IP Tenant configuration can be migrated
- Automatically identify and resolve migration issues
- Convert UCS files into AS3 declarations if needed
- Post-deployment diagnostics and health

The Journeys Tool, available on DevCentral’s GitHub, facilitates the migration of legacy BIG-IP configurations to rSeries-compatible formats. Customers can convert UCS files, validate configurations, and highlight unsupported features during the migration process. Multi-tenancy capabilities in rSeries simplify the process of isolating workloads during and after migration.

GitHub repository for F5 Journeys

Conclusion

The F5 rSeries platform addresses the modern enterprise’s need for high-performance, scalable, and efficient application delivery and security solutions. By combining cutting-edge hardware capabilities with robust automation tools and flexible migration options, rSeries empowers organizations to seamlessly transition from legacy platforms while unlocking new levels of performance and operational agility. Whether driven by the need for increased throughput or advanced multi-tenancy, the rSeries platform stands as a future-ready solution for securing and optimizing application delivery in an increasingly complex IT landscape.

Related Content
- Cloud Docs rSeries Guide
- F5 rSeries Appliance Datasheet
- F5 VELOS: A Next-Generation Fully Automatable Platform

Demo Video
Integrating Security Solutions with F5 BIG-IP SSL Orchestrator
Introduction

SSL Orchestrator enables you to maximize infrastructure and security investments with dynamic, policy-based decryption, encryption, and traffic steering through security inspection devices. SSL Orchestrator is a key component of the F5 Application Delivery and Security Platform (ADSP).

What are Security Services?

SSL Orchestrator supports a wide variety of Security Services. A “Service” is defined as a device that SSL Orchestrator passes decrypted traffic to. A Service can be Layer 2 or 3. It can be unidirectional (TAP). It can be an ICAP server. It can be an Explicit or Transparent HTTP proxy. Security Services need to inspect content that is not encrypted. SSL Orchestrator handles the decryption so the Service can inspect it for threats, enforce certain policies, prevent sensitive data from leaving the network and much more.

A Next Generation Firewall, or NGFW, is a common Service type. An NGFW is a network security device that extends traditional firewall capabilities by incorporating features like deep packet inspection, intrusion prevention, and application control to protect against advanced cyber threats. An NGFW is commonly deployed as a Layer 2 or 3 device.

A sandbox is another common Service type. Sandboxes look for malware and other threats by analyzing potentially malicious content in a controlled environment. A sandbox is a secure, isolated environment where suspicious code or applications can be executed and observed without the risk of infecting the host or network. A Sandbox is commonly deployed as a Layer 2 device.

A Secure Web Gateway (SWG) is a network security solution that acts as a central point of control for all web traffic, filtering and inspecting it to protect against malware, phishing, and other web-based threats, while enforcing security policies. This solution has evolved over the years and may also be referred to as a Secure Access Service Edge (SASE) or Security Service Edge (SSE). A SWG is often deployed as an HTTP Proxy.

Data Loss Prevention (DLP) is a cybersecurity solution designed to prevent the unauthorized access, use, or transmission of sensitive data. DLP is often deployed as an ICAP server.

A network TAP device is a passive component that allows non-intrusive access to data flowing across a network, enabling monitoring and analysis of network traffic without disruption. A TAP receives a copy of the decrypted traffic so it can analyze it in the background.

An HTTP proxy is commonly used as a SWG solution but is flexible and can be used for other purposes. An HTTP proxy may be used to cache web content, authenticate users and log all connections. An HTTP proxy may also be used for what is called “Web Isolation” or “Browser Isolation”. This security solution acts as an intermediary between users and web content, offering a virtualized “view” of web content that is completely safe to users and the network itself.

Which vendors or products?

SSL Orchestrator supports all leading NGFW vendors and has generic support for any NGFW that is not specifically supported. Vendors/products supported include Palo Alto Networks NGFW, Check Point Security, Cisco Firepower, Fortinet FortiGate, McAfee/Trellix, Trend Micro and more.

SSL Orchestrator also supports all leading Sandbox vendors and has generic support for any Sandbox that is not specifically supported. Vendors/products supported include FireEye/Trellix, Symantec and more.

Most Secure Web Gateway (SWG) solutions are supported by SSL Orchestrator. Vendors/products supported include Cisco WSA, Forcepoint, Fortinet, McAfee/Trellix, Symantec/Broadcom ProxySG and many more.

SSL Orchestrator supports all leading Data Loss Prevention (DLP) vendors and has generic support for any DLP solution that is not specifically supported. Vendors/products supported include Digital Guardian, McAfee/Trellix, Opswat, Symantec/Broadcom and more.

Some of the TAP vendors supported by SSL Orchestrator are Palo Alto, McAfee/Trellix, RSA Netwitness, Trend Micro and Netscout.

SSL Orchestrator supports HTTP proxies from the following vendors: Cisco, Forcepoint, Fortinet, McAfee/Trellix, Symantec/Broadcom and Squid.

Service Deployment Type

Services can be deployed in a variety of different ways. SSL Orchestrator supports most, if not all, of these deployment types. The common deployments are listed and described below:
- A Layer 2 device (bridging/bump-in-wire) refers to connectivity without IP Address configuration. Layer 2 devices pass all traffic from one interface to another interface.
- A Layer 3 device (typical NAT) refers to IP Address to IP Address connectivity. Layer 3 devices must be specifically configured to work in a network.
- An Explicit Proxy device also utilizes IP Address to IP Address connectivity. However, in this case, web applications have to be specifically configured to use an Explicit Proxy.
- A Transparent Proxy device also utilizes IP Address to IP Address connectivity. In this case, web applications DO NOT need to be configured to use a Proxy.

Other types of devices are supported, like an ICAP server or TAP device. An ICAP server is often used for Data Loss Prevention (DLP). A TAP device is often used for passive visibility as it receives an exact copy of the decrypted traffic.

Service Creation

Services can be added, removed or edited from the Services tab of the SSL Orchestrator configuration utility. Services are divided into the different Service deployment types.

Layer 2
The following Layer 2 Services are available:

Layer 3
The following Layer 3 Services are available:

Inline HTTP
The following Inline HTTP Services are available:

ICAP
The following ICAP Services are available:

TAP
The following TAP Services are available:

F5 SSL Orchestrator also supports F5 Solutions as Services. The following F5 Services are available:

Examples

Here’s an example of a Cisco Firepower Service deployed in Layer 3 mode:
An IP Address and VLAN are selected for connectivity to the Service. The IP Address of the Cisco Firepower is specified. An IP Address and VLAN are selected for connectivity from the Service.

Here’s an example of a Palo Alto NGFW Service deployed in Layer 2 mode:
A From and a To VLAN are specified for connectivity from/to the Service. Note: IP addressing is not used with a Layer 2 Service.

Here’s an example of an Opswat MetaDefender ICAP Service:
An IP Address and port are specified for connectivity to/from the ICAP server. Some ICAP server-specific settings are also needed.

Here’s an example of a Netscout TAP Service:
The MAC address of the Netscout is specified. The VLAN and interface for connectivity to the Netscout are also specified.

Creating a Service Chain

Service Chains are user-defined groupings of one or more Services. Multiple Service Chains are supported. There are no restrictions on the type of Services that can be in a Service Chain. For example: a Service Chain can consist of one or more Layer 2 devices, and one or more Layer 3 devices, and so on.

Service Chains can be added, removed or edited from the Service Chains tab of the SSL Orchestrator configuration utility. Available Services will be listed on the left. One or more Services can be moved into the Service Chain. The Service Chain Order is easily configurable.

Demo Video

Conclusion

F5 BIG-IP SSL Orchestrator makes it easy to simplify and deploy your security stack. SSL Orchestrator supports virtually all available security and visibility solutions. It is able to seamlessly integrate security solutions whether they are deployed as Layer 2, Layer 3, Inline HTTP, ICAP or TAP.

Related Articles
- Introduction to BIG-IP SSL Orchestrator
Introduction to BIG-IP SSL Orchestrator
Introduction

SSL Orchestrator enables you to maximize infrastructure and security investments with dynamic, policy-based decryption, encryption, and traffic steering through security inspection devices. SSL Orchestrator is a key component of the F5 Application Delivery and Security Platform (ADSP).

Demo Video

What is SSL Orchestrator?

F5 BIG-IP SSL Orchestrator is designed and purpose-built to enhance SSL/TLS infrastructure, provide security solutions with visibility into SSL/TLS encrypted traffic, and optimize and maximize your existing security investments. BIG-IP SSL Orchestrator delivers dynamic service chaining and policy-based traffic steering, applying context-based intelligence to encrypted traffic handling to allow you to intelligently manage the flow of encrypted traffic across your entire security stack, ensuring optimal availability.

Designed to easily integrate with existing architectures and to centrally manage the SSL/TLS decrypt/re-encrypt function, BIG-IP SSL Orchestrator delivers the latest SSL/TLS encryption technologies across your entire security infrastructure. With BIG-IP SSL Orchestrator’s high-performance encryption and decryption capabilities, your organization can quickly discover hidden threats and prevent attacks at multiple stages, leveraging your existing security solutions.

BIG-IP SSL Orchestrator ensures encrypted traffic can be decrypted, inspected by security controls, then re-encrypted, delivering enhanced visibility to mitigate threats traversing the network. As a result, you can maximize your security services investment for malware, data loss prevention (DLP), ransomware, and NGFWs, thereby preventing inbound and outbound threats, including exploitation, callback, and data exfiltration.

Why is this important?

- Offload your SSL decryption compute resources to F5. Let F5 handle all the decrypt/encrypt functions so your security tools don’t have to. This will increase the performance capabilities of your existing security solutions.
- Easily create policy to bypass decryption of sensitive traffic like Banking, Finance and Healthcare related websites.
- Improve high availability by leveraging SSL Orchestrator to distribute load among a group of security devices, like Next Generation Firewalls.
- A comprehensive SSL decryption solution gives you much-needed visibility into encrypted traffic, which enables you to block encrypted threats.

SSL Orchestrator integrates with your existing infrastructure

An SSL Orchestrator “Service” is defined as a device that SSL Orchestrator passes decrypted traffic to. A Service can be Layer 2 or 3. It can be unidirectional (TAP). It can be an ICAP server. It can be an Explicit or Transparent HTTP proxy.
- A Layer 2 device (bridging/bump-in-wire) refers to connectivity without IP Address configuration. Layer 2 devices pass all traffic from one interface to another interface.
- A Layer 3 device (typical NAT) refers to IP Address to IP Address connectivity. Layer 3 devices must be specifically configured to work on a network.
- An Explicit Proxy device also utilizes IP Address to IP Address connectivity. However, in this case, web applications have to be specifically configured to use an Explicit Proxy.
- A Transparent Proxy device also utilizes IP Address to IP Address connectivity. In this case, web applications DO NOT need to be configured to use a Proxy.

Other types of devices are supported, like an ICAP server or TAP device. An ICAP server is often used for Data Loss Prevention (DLP). A TAP device is often used for passive visibility as it receives an exact copy of decrypted traffic.

Service Chains

Service Chains are user-defined groupings of one or more Services. Multiple Service Chains are supported by Policy (see next section). There are no restrictions on the type of Services that can be in a Service Chain. For example: a Service Chain can consist of one or more Layer 2 devices, and one or more Layer 3 devices, and so on.

Policy

SSL Orchestrator supports a flexible policy editor that determines what type of traffic to send or not to send to a Service Chain. For example: in the case of an Outbound (see next section) configuration, certain content can bypass SSL decryption based on URL Categories like Banking, Finance and Healthcare.

Topologies

A Topology defines how SSL Orchestrator will be inserted into your traffic flow. It is defined as either Inbound or Outbound. High-level parameters for how/what to intercept are defined here.

In an Inbound Topology, traffic comes from users on the internet to access an application like mobile banking or shopping. This may also be referred to as a reverse proxy.

In an Outbound Topology, traffic comes from users on your network to access sites/applications on the internet. For example: a person who works at Apple HQ who is accessing the internet using the company’s network. This may also be referred to as a forward proxy.

Conclusion

F5 BIG-IP SSL Orchestrator simplifies and accelerates the deployment of SSL visibility and orchestration services. Whether for modern, custom, or classic apps, and regardless of their location, be it on premises, in the cloud, or at the edge, BIG-IP SSL Orchestrator is built to handle today’s dynamic app landscape.

Related Articles
- Integrating Security Solutions with F5 BIG-IP SSL Orchestrator
F5 BIG-IP AFM and FireMon Integration Guide
Introduction

FireMon’s Policy Manager is the industry’s most trusted firewall policy automation platform, enabling organizations to stay compliant, reduce risk, and accelerate secure access changes across all environments, from legacy data centers to multi-cloud deployments. Eliminate policy-related risk, accurately and quickly change rules, and meet internal and external compliance requirements.

F5 BIG-IP Advanced Firewall Manager (AFM) is a high-performance, full-proxy network security solution designed to protect networks and data centers against incoming threats that enter the network on the most widely deployed protocols. This product’s unique application-centric design enables greater effectiveness in guarding against targeted network infrastructure-level attacks. Additionally, with BIG-IP AFM, organizations receive protection from more than 100 attack signatures (more hardware-based signatures than any other leading firewall vendor) along with unsurpassed programmability, interoperability, and visibility into threat conditions. AFM is a key component of the F5 Application Delivery and Security Platform (ADSP).

Demo Video

Deployment Prerequisites

This guide was tested with the following software versions:
- F5 BIG-IP versions 15.1, 16.1, 17.5
- FireMon version FMOS 2025.2.1

FireMon Configuration

1. From the FireMon Administrative view, select Device > Devices.
2. On the right, click Create.
3. Select F5, then BIG-IP.
4. Give it a Name and optionally a Description. Enter the Management IP Address.
5. Under Device Settings, enter a Username and Password that can be used to log in to the BIG-IP.
6. Expand Monitoring to review the configuration. Make changes if needed.
7. Expand Retrieval to review the configuration. As a best practice, you should schedule automatic retrieval.
8. Click Save when done.
9. Go to Workflow > Workflows. Under Policy Planner, click Create > Access Request. Give it a name and click Save. The Workflow screen should look like the image below.
10. Do the same for the Policy Optimizer configuration.

F5 BIG-IP AFM Configuration

In the BIG-IP UI, navigate to System > Logs > Configuration > Remote Logging. Enter the IP address of the FireMon system, then click Add. Click Update when done.

FireMon Administration

Click the 3 dots on the far right and select Retrieve Configuration. Click Retrieve. You should see the following messages.

Note: the Health Status might be Critical. This is because no Usage Data has been received. The Health should go to Normal once Usage Data is received.

FireMon Security Manager

Access the FireMon Security Manager from the menu on the top left. The main Dashboard gives an overview of your Device Inventory. It also has an intuitive Rule Search widget so you can easily find the rules you’re looking for.

Select Policy, then Security Rules. This gives you a detailed view of your F5 AFM Policy.

The Compliance Dashboard is useful for getting a quick snapshot of your overall compliance. Assessment Results will show any previous results. Click Run Report to run the Assessment again. Select the Devices you want to run the assessment against. Enable any additional Options, then click Run Report.

The Assessment Summary

The Executive Summary

Conclusion

FireMon helps keep F5 firewalls running smoothly with a complete configuration management solution, including full support for the BIG-IP AFM line of network security platforms and appliances. FireMon monitors each appliance, capturing event and traffic logs in real time. All change events trigger a full configuration capture, including detailed change history and a full audit trail of operations. F5 AFM devices can be monitored directly or indirectly if another event collection system is in place.

Related Content
- Boost Efficiency and Security with F5 BIG-IP Advanced Firewall Manager
- BIG-IP Advanced Firewall Manager
Introduction to F5 BIG-IP Advanced Firewall Manager (AFM)
What is F5 BIG-IP Advanced Firewall Manager? F5 BIG-IP Advanced Firewall Manager (AFM) is a high-performance, full-proxy network security solution designed to protect networks and data centers against incoming threats that enter the network on the most widely deployed protocols. BIG-IP AFM is a platform that works with F5’s Application Delivery Controller (ADC). It gives service providers a flexible, subscriber-aware platform that can grow and be used by many subscribers. It gives them the flexibility, performance, and control they need to stop aggressive distributed denial-of-service (DDoS) and protocol attacks before they overwhelm and damage services. BIG-IP AFM’s unique application-centric design enables greater effectiveness in guarding against targeted network infrastructure-level attacks. It tracks the state of network sessions, maintains deep subscriber and application awareness, and uniquely mitigates attacks based on more granular details than traditional firewalls. With BIG-IP AFM, organizations can protect themselves from over 100 attack signatures. This is more hardware-based signatures than any other top firewall vendor. It also has unsurpassed programming, interoperability, and visibility into threat conditions. AFM is a key components of the F5 Application Delivery and Security Platform (ADSP). Demo Video Why is BIG-IP AFM important? Ensure services availability Secure the network edge and core from DDoS and protocol threats with in-depth rules customization, and increased performance and scalability. Protect with full proxy capabilities Inspect all incoming subscriber connections and server-to-client responses, and mitigate threats based on security and protocol parameters before forwarding them. Inspect SSL sessions Decrypt SSL traffic to identify potentially hidden attacks—at high rates and with high throughput. 
Automate security deployment Simplify configuration with security policies oriented around services and protocols and an efficient rules and policy GUI. Scale to meet network demand Meet demands for higher bandwidth usage and concurrency rates with F5’s proven virtual software editions and hardware systems to flexibly ensure performance while under attack. Consistent protection for containerized applications Protect container-based applications regardless of platform or location with attack detection and mitigation services to mitigate attacks and risks. Flexible automation options for ease of integration into operations Extensive integration with third-party and public cloud automation tools to speed BIG-IP AFM into production. Actionable reporting and visibility Easily understand your security status with rich telemetry that can be customized into reports and charts to provide insight into all event types and enable effective forensic analysis. Reduced Operational Complexity Single platform to consolidate and deliver Firewall, CGNAT, DNS, protocol protection and deep packet inspection to reduce operational complexity and costs. How does BIG-IP AFM do this? Network DDoS Protection The full proxy architecture of BIG-IP AFM helps to ensure the application infrastructure is protected using advanced capabilities to mitigate DoS and DDoS attacks. The out-of-the-box functionality includes a comprehensive set of signatures that enable organizations to defend against, track, and report a breadth of well-known network DDoS attacks and methodologies. IP Intelligence BIG-IP AFM integrates with F5 IP Intelligence Services for stronger context-based security that strategically guards against evolving threats at the earliest point in the traffic flow. IP Intelligence Services minimizes the threat window and enhances BIG-IP AFM DDoS and network defense with up-to-date network threat intelligence for stronger, context-based security. 
DNS Security

BIG-IP DNS delivers an intelligent and scalable DNS infrastructure that gives mobile users faster access and service response. This makes it easy for service providers to optimize, monetize, and secure their DNS infrastructures. F5 DNS is a high-performance, carrier-grade DNS solution that caches and resolves LDNS queries. It is a highly scalable authoritative DNS solution that can handle business growth and sudden demand spikes.

Carrier-Grade NAT

F5 BIG-IP Carrier-Grade NAT (CGNAT) provides many tools that help service providers move to IPv6 successfully, while continuing to support and interoperate with existing IPv4 devices and content.

Intrusion Prevention Security

BIG-IP AFM’s Intrusion Prevention System (IPS) delivers deep packet inspection and visibility for incoming network traffic. The BIG-IP AFM IPS engine performs Layer 5-7 traffic inspection for security incidents, protocol/application violations and exploits, and takes the appropriate action to prevent them. It reviews traffic for adherence to 25+ protocol standards and matches it against hundreds of known attack signatures and exploits.

Protection for Container-based Apps

BIG-IP AFM Virtual Edition (VE) supports running in both public and private cloud environments and readily secures container-based applications by off-loading the “North/South” decryption and encryption of traffic to and from container-based application environments.

Deep Visibility and Reporting

With advanced logging and intelligent threat reporting capabilities, BIG-IP AFM logs millions of records in real time, providing granular visibility into DDoS attacks for in-depth analysis of security events. BIG-IP AFM reports provide clear, concise, and actionable information highlighting attacks and trends with drill-down and page-view capabilities.

BIG-IP AFM Policy Rule Options

Contexts

A context defines the scope of a firewall rule, that is, the category of object to which the rule applies.
There are a total of six Contexts:

Global
Route Domain
Virtual Server
Self IP
Management IP
Global Drop

Actions

When creating a rule, there are four main actions. However, depending on the Context, the available actions may differ. The four actions are:

Accept – The packet passes the rule and is then passed on to the next Context for processing.
Drop – The packet is silently dropped.
Reject – The packet is rejected and a Reset (RST) is sent back to the client if TCP is used. Otherwise, an ICMP Unreachable is sent.
Accept Decisively – The packet is permitted and no further Context processing is performed.

Each of the Contexts allows the Actions Accept, Drop or Reject. The Global and Route Domain Contexts also include the Accept Decisively Action.

Processing Order

Network Firewall

The AFM's key feature is its ability to act as a network-based (stateful) firewall. To understand the various options available, we will describe the functions and key components within the AFM Network Firewall.

Active Rules / Policies - To permit or deny traffic, use either Active Rules or Policies. The differences are shown below.
Active Rules - Can be assigned across all Contexts.
Policies - Can be assigned across all Contexts. However, Policies can also be assigned to a Virtual Server and applied in Staging Mode only (i.e. the rule only logs and does not perform its action).
Rule Lists - A Rule List, as the name suggests, is a collection of rules.
IP Intelligence - IP Intelligence allows you to block traffic based on an IP block list. This list is retrieved either directly from F5 (an additional license is required) or from your own custom feed.

Protocol Security

Whereas the Network Firewall allows you to block (or permit) traffic at the transport layer (i.e. layer 4), Protocol Security allows you to block traffic based on certain conditions within the protocol itself. There are 2 protocols that can be configured: DNS and HTTP.
To configure Protocol Security, a Security Profile is configured and then assigned to the Virtual Server. An HTTP Security Profile has extensive options under Protocol Checks and Request Checks.

DoS Protection

DoS Protection can both alert on and block network-based attacks. Within DoS Protection there are 2 key components: Protection Profiles and Device Protection.

Protection Profiles

AFM DoS can be configured at a Device level, along with the ability to apply more specific DoS profiles to Virtual Servers, which enables granular policy management. Protected Objects, for example, are objects that have a DoS Profile associated with them (vs Device DoS). Protection Profile thresholds can be configured for Network, DNS or SIP. Once a Protection Profile is configured, it can be assigned to a Virtual Server.

Device Protection

AFM, by default, blocks common network-based attacks such as ARP Floods, Fragmentation attacks, etc. Within AFM, each of these attacks has a set of thresholds that can be adjusted. These thresholds define the point at which AFM should either alert on or block the attack.

Logging

AFM can be configured to either log locally or send logs to a remote log server. There are 3 main components to logging:

Log Filters/Profiles - Define what to log. Configured via 'System > Logs > Configuration > Log Filters'.
Log Publishers - A container for 'Log Destinations', as shown below. Configured via 'System > Logs > Configuration > Log Publishers'.
Log Destinations - Define where to send the logs. Configured via 'System > Logs > Configuration > Log Destinations'.

To configure logging, the Log Destination is assigned to the Log Publisher. The Log Publisher is then assigned to a Logging Filter/Profile. This Logging Profile can then be assigned to Contexts (i.e. Virtual Servers). Otherwise, simply turn the profile on or off from within a global rule.
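To make the Context, Action and Staging Mode semantics described above concrete, here is an added Python model (an illustration written for this page, not F5 code). Its assumptions: contexts are evaluated Global, then Route Domain, then Virtual Server (or Self IP); the Global Drop context decides only packets that no earlier context accepted; a staged policy logs its would-be action without enforcing it; and every policy, packet and address is constructed.

```python
"""Toy model of BIG-IP AFM context-ordered rule evaluation (added illustration, not F5 code).
Assumed: contexts run Global -> Route Domain -> Virtual Server (or Self IP), the Global Drop
context decides only packets no earlier context accepted, and a staged policy only logs."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ORDER = ("global", "route_domain", "virtual_server", "global_drop")
DECISIVE_CONTEXTS = ("global", "route_domain")   # only these allow Accept Decisively


@dataclass
class Rule:
    name: str
    action: str                     # accept | drop | reject | accept_decisively
    src: str = "0.0.0.0/0"          # source network (CIDR)
    protocol: str = "any"           # tcp | udp | icmp | any
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and self.protocol in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))


@dataclass
class Policy:
    context: str
    rules: list
    staged: bool = False            # staging mode: log the would-be action, never enforce

    def __post_init__(self):
        for r in self.rules:
            if r.action == "accept_decisively" and self.context not in DECISIVE_CONTEXTS:
                raise ValueError(f"Accept Decisively is not allowed in the {self.context} context")


def enforced_verdict(action: str, pkt: dict) -> str:
    """Drop is silent; Reject answers TCP with a RST and anything else with ICMP Unreachable."""
    if action == "reject":
        return "reject:tcp-rst" if pkt["proto"] == "tcp" else "reject:icmp-unreachable"
    return "accept" if action == "accept_decisively" else "drop"


def evaluate(policies: dict, pkt: dict):
    """Walk one packet (a dict with src, proto, dport) through the contexts; return (verdict, log)."""
    log, accepted = [], False
    for ctx in ORDER:
        if ctx == "global_drop" and accepted:
            break                                   # an earlier context already let it through
        policy = policies.get(ctx)
        rule = next((r for r in policy.rules if r.matches(pkt)), None) if policy else None
        if rule is None:
            continue                                # nothing matched here: next context
        log.append(f"{ctx}: {rule.name} -> {rule.action}"
                   + (" (staged, not enforced)" if policy.staged else ""))
        if policy.staged:
            continue
        if rule.action == "accept":
            accepted = True                         # plain accept: hand to the next context
            continue
        return enforced_verdict(rule.action, pkt), log   # drop/reject/accept decisively end processing
    return ("accept" if accepted else "drop"), log     # firewall default when nothing decided


# Constructed sample policy set (not from the article); RFC 5737 documentation addresses.
POLICIES = {
    "global": Policy("global", [Rule("trusted-admin-net", "accept_decisively", src="10.10.0.0/16"),
                                Rule("blocklisted-net", "drop", src="192.0.2.0/24"),
                                Rule("pass-to-next-context", "accept")]),
    "virtual_server": Policy("virtual_server", [Rule("web-https", "accept", protocol="tcp", dport=443),
                                                Rule("web-other", "reject")], staged=True),
    "global_drop": Policy("global_drop", [Rule("default-drop", "drop")]),
}
```

With the staged Virtual Server policy, a TCP request to port 22 from 203.0.113.5 is logged as "would reject" but still accepted; replacing that policy with an unstaged copy turns the same packet into a TCP reset.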
Conclusion

BIG-IP AFM is a high-performance, full-proxy network security solution designed to protect networks and data centers against incoming threats that enter the network on the most widely deployed protocols. This product’s unique application-centric design enables greater effectiveness in guarding against targeted network infrastructure-level attacks. Additionally, with BIG-IP AFM, organizations receive protection from more than 100 attack signatures—more hardware-based signatures than any other leading firewall vendor—along with unsurpassed programmability, interoperability, and visibility into threat conditions.
Accelerate your AI initiatives using F5 VELOS
Introduction

F5 VELOS is a rearchitected, next-generation hardware platform that scales application delivery performance and automates application services to address many of today’s most critical business challenges. F5 VELOS is a key component of the F5 Application Delivery and Security Platform (ADSP).

Demo Video

High-Throughput and Concurrency for AI Data Ingestion

Given the escalating data demands of AI training and inference pipelines, there is a critical need to architect object-based storage systems, such as S3, and corresponding clients in a manner that ensures high throughput, scalability, and fault tolerance under massive parallel workloads.

S3 Storage Systems increase scalability and resiliency by distributing data objects across multiple storage nodes, leveraging a unified “bucket” abstraction to streamline data organization, access, and fault tolerance.
S3 Client Implementations employ highly parallelized, multi-threaded operations to maximize data transfer rates and throughput, satisfying the low-latency, high-volume requirements of AI and other computationally intensive workloads.

Performance and Security for AI Workloads

F5 BIG-IP delivers multi-layer load balancing reinforced by robust in-flight security services and performance thresholds engineered to meet or exceed the most demanding enterprise-scale capacity requirements.
F5 VELOS Chassis & Blades have advanced FPGA accelerators, high-performance CPU architectures, and cryptographic offload engines, combined with scaling to multi-terabit throughput to meet or exceed the most demanding enterprise capacity requirements.
F5 BIG-IP and VELOS enable high-performance data mobility and security for AI workloads anywhere.

Load Balancing for S3 AI Training Data Replication

Data Replication for Training - AI model training and retraining often requires the replication of data from web-service-based object storage tiers to high-performance clustered filesystems.
Market Constraints - Tier-1 storage systems command high costs, and the ecosystem of certified providers for AI-specific architectures remains comparatively narrow.
High-Performance Requirements - Effective model training demands access to Tier-1 storage that supports hardware-accelerated data transfers, ensuring rapid delivery of input to GPU memory.
S3 Based Migration - Replication from cost-efficient, lower-performance storage repositories to Tier 1 infrastructure is commonly orchestrated via the S3 protocol to maintain both scalability and performance.

Tiered Storage S3 AI Training Data Replication

F5 BIG-IP and F5 Systems, rSeries and VELOS - Distributed, high-volume, high-concurrency, and low-latency load balancing solutions engineered to optimize S3 AI training data replication.

BIG-IP Best-In-Class Traffic Management & Security: SPEED

Smart Load Balancing & Security - Directs traffic to the optimal storage for performance, security, and availability.
Seamless Data Flow - BIG-IP LTM ensures efficient, secure routing from external sources to local storage.
Optimized S3 Routing - BIG-IP DNS directs client connections to highly available storage nodes for smooth data ingestion.

BIG-IP Best-In-Class Traffic Management & Security: SCALE

High-Throughput Traffic Management - Optimize TCP and HTTPS flows for seamless object storage access.
Accelerated Packet Processing - Leverage embedded eVPA in FPGA for high-performance L4 IPv4 throughput.
Crypto Offload for Speed - BIG-IP LTM offloads encryption to best-in-class hardware on rSeries and VELOS, boosting performance.

BIG-IP Best-In-Class Traffic Management & Security: Security

Robust DDoS Protection - BIG-IP’s AFM defends against volumetric and targeted attacks.
Secure Traffic Management - BIG-IP LTM ensures efficient, secure routing from external sources to local storage.
End-to-End Data Protection - Safeguards AI workloads with policy-driven security and threat mitigation.
F5 Systems Enables Accelerated AI Application Delivery

F5 VELOS, rSeries, and BIG-IP - Enable distributed, high-volume, high-concurrency, low-latency application delivery for S3.
The All-New VELOS CX1610 - Provides the multi-terabit throughput necessary for high-performance traffic orchestration.
F5 BIG-IP App Services Suite - Simplify and secure application delivery for the most demanding high-throughput AI infrastructure needs.

Conclusion

Unleash Massive Throughput
The All-New VELOS BX520 Blade
The All-New VELOS CX1610 Chassis

Related Articles

F5 VELOS: A Next-Generation Fully Automatable Platform
F5 rSeries: Next-Generation Fully Automatable Hardware
Realtime DoS mitigation with VELOS BX520 Blade
Addressing Shadow AI with F5 BIG-IP SSL Orchestrator
Introduction

SSL Orchestrator enables you to maximize infrastructure and security investments with dynamic, policy-based decryption, encryption, and traffic steering through security inspection devices. SSL Orchestrator is a key component of the F5 Application Delivery and Security Platform (ADSP).

What is Shadow AI?

Shadow AI is growing fast, and it might be slipping under your radar. Unauthorized generative AI tools are rapidly emerging as a critical blind spot for SecOps teams. They can increase the risk of data leaks, compliance violations, and costly breaches. Shadow AI is the unsanctioned use of AI tools by employees, contractors, or partners without IT or security oversight.

What are the risks associated with Shadow AI?

Shadow AI introduces critical blind spots and vulnerabilities, such as:

Data exposure: Sensitive or proprietary information may be uploaded to external platforms, outside your organization’s control.
Compliance risks: Unauthorized AI usage can violate industry and government regulations like GDPR, HIPAA, or PCI DSS.
Hidden malware: AI platforms typically operate over HTTPS or TLS, limiting visibility and increasing the chance of encrypted threats slipping through undetected.

Demo Video

How can I address the risks of Shadow AI?

F5® BIG-IP® SSL Orchestrator® is a key solution to securing Shadow AI usage without undermining productivity or innovation. With deep visibility into encrypted traffic, BIG-IP SSL Orchestrator enables a multi-layered approach to detect, control, and manage Shadow AI activity efficiently. Shadow AI usage is encrypted and cannot be inspected without decryption. That’s why SSL Orchestrator is needed to inspect and control Shadow AI content. Shadow AI usage can be blocked outright, but sometimes that can be counterproductive.
SSL Orchestrator can be configured to do this, but it also has the flexibility of sending “Coaching” pages to users, advising them that they are accessing Shadow AI content that may expose them to unnecessary risks. These “Coaching” pages can be customized to include:

A message warning the user they may be exposing their company to increased risk.
The option to cancel the request or proceed to access the site.
The option to include a “Justification” message and proceed to access the site.
The option to include an HTML link in the “Coaching” page that directs the user to more information or spells out the Corporate IT Policy regarding Shadow AI.

With a URL Categorization (URLDB) subscription, you can choose from the following Categories to identify Shadow AI usage:

"Generative_AI"
"Generative_AI_-_Text_&_Code"
"Generative_AI_-_Conversation"
"Generative_AI_-_Multimedia"

Configuration Prerequisites

BIG-IP software version 17.1.2 or newer
SSL Orchestrator software version 11.1.8 or newer
SSL Orchestrator Policy and Service Chain configured
SSL Orchestrator Outbound Topology created and working properly

Configuring SSL Orchestrator: Service Extensions

SSL Orchestrator features many customization options we will refer to as Service Extensions. These Service Extensions provide a new Inspection Service that can be programmed directly inside the Service Chain. This gives the Service Chain a lot of security value without needing to add more external tools. One such use case for Service Extensions is User Coaching.
The GitHub repository for the User Coaching Service Extension can be found here: User Coaching Service Extension. It includes an installer that creates all of the necessary objects:

    ## From the BIG-IP Shell, fetch the installer and make it executable:
    curl -sk https://raw.githubusercontent.com/f5devcentral/sslo-service-extensions/refs/heads/main/user-coaching/user-coaching-installer.sh -o user-coaching-installer.sh
    chmod +x user-coaching-installer.sh
    ## Export the BIG-IP admin username and password for the installer to use:
    export BIGUSER='admin:password'
    ## Launch the installer:
    ./user-coaching-installer.sh

Using the information above, you can download the installer from GitHub in the first step:

Then change the permissions to make the installer executable:

Export the BIG-IP admin username and password:

Run the installer:

The installer will create the default coaching and blocking HTML (iFile objects), the user-coaching iRule, and the new User Coaching Inspection Service. Once this is complete, simply add the new Service to your SSL Orchestrator Service Chain(s). With the defaults in place, and an active URLDB subscription on the BIG-IP, any attempt to access an AI-categorized site will return the User Coaching page. Clicking the Agree button generates a log entry detailing the source (user) and destination (IP and host).

Next Steps: Add the User Coaching Inspection Service to a Service Chain

From the SSL Orchestrator UI, navigate to Configuration > Service Chains and click the name of the Service Chain you want to add the User Coaching Service to.
Move the User Coaching Service from Available to Selected.
Click Deploy.
Click OK.
Click OK.

The SSL Orchestrator configuration is complete. Let’s test it out and see what it looks like.

From a client computer, when attempting to go to https://mem.ai I am presented with the following:

Clicking Agree takes you to the website. Clicking Cancel returns you to the previous website.
Customizing the Coaching Policy

The Coaching Policy is easily customizable. It can also be configured to block the request.

Enable Blocking Mode

Let’s enable blocking mode. From the BIG-IP UI, navigate to Local Traffic > iRules > iRule List. Click the “user-coaching-rule” at the bottom.

Set the CATEGORY_TYPE to “sub_and_custom”
Copy the COACHING_CATEGORIES
Paste them into the BLOCKING_CATEGORIES
Comment out the COACHING_CATEGORIES and click Update

From a client computer, when attempting to go to https://mem.ai the request is blocked.

Enable Justification Option

Let’s enable the Justification option. Go back to the “user-coaching-rule” iRule. Scroll down until you see the REQUIRE_JUSTIFICATION section. Change the value from 0 to 1, then click Update.

Let’s test it out and see what it looks like. From a client computer, when attempting to go to https://mem.ai I am presented with the following:

Notice I am asked to enter a justification to access the site. I entered: "I have a legitimate reason to access this site". All of this will be logged.

Customize the Coaching Page

The Coaching Page itself can be customized to include images, email links and much more. Let’s add some custom HTML files and configure the Coaching Policy to use them.

From Local Traffic, go to iRules > iFile List. Click Create.
Give it a name, “Custom-Coaching-1” in this example.
Click the + to add the HTML file.
Click Choose File. Select your HTML file and click Open.
Give it a name and click Import.
Click Finished.

Multiple Custom Coaching Pages can be added here. In fact, I’ll add one more to show you something different.

To use this Custom Coaching Page, navigate to Local Traffic > iRules > iRule List. Click the “user-coaching-rule” at the bottom. Scroll down to the COACHING lookup section and replace user-coaching-html with your custom HTML page, Custom-Coaching-1 in this example.
Click Update.

From a client computer, when attempting to go to https://mem.ai I am presented with the following customized Coaching Page:

Add an HTML link to the Coaching Page

Let’s customize this even further by including an HTML link in the Coaching Page. This could be a link to the corporate internet guidelines or an email address to contact with any questions.

Navigate to Local Traffic > iRules > iRule List. Click the “user-coaching-rule” at the bottom. Scroll down to the COACHING lookup section and replace user-coaching-html with your custom HTML page, Custom-Coaching-2 in this example. Click Update.

From a client computer, when attempting to go to https://mem.ai I am presented with the following customized Coaching Page:

At the bottom of the Coaching Page is a link to an email address if there are any questions.

Use a Custom Category

Without a URL Categorization subscription, you can create a Custom Category and populate it with known Shadow AI web sites. While not exhaustive, this list of AI URLs can be used as a starting point: Custom List of AI URLs

Run this curl command from the CLI:

    curl -s https://raw.githubusercontent.com/f5devcentral/sslo-script-tools/main/sslo-generative-ai-categories/sslo-create-ai-category.sh | bash

It may take a minute to complete the task. This will create a Custom Category named “SSLO_AI_TOOLS”. You can edit this from the SSL Orchestrator UI by navigating to Policies > URL Categories. Expand Custom Categories and click SSLO_AI_TOOLS. Here you can see the URLs in this category. URLs can be added or removed from this category as needed.

Navigate to Local Traffic > iRules > iRule List. Click the “user-coaching-rule” at the bottom.

Add the “SSLO_AI_TOOLS” category to the COACHING_CATEGORIES.
Remove the 4 other subscription-based categories.
Set the CATEGORY_TYPE to “custom_only”
Click Update

From a client computer, when attempting to go to https://mem.ai I am presented with the following customized Coaching Page:

Conclusion

SSL Orchestrator gives you the flexibility to decide how to address Shadow AI in your environment. Content can be blocked outright or “Coaching” pages can be used to warn users about the risks associated with Shadow AI sites. A URLDB subscription is recommended, but a Custom Category can be used without incurring additional costs.

Related Content:

Solution Overview: Control Shadow AI Risks with F5 BIG-IP SSL Orchestrator
DevCentral article: Office 365 Tenant Restrictions
DevCentral article: SSL Orchestrator Service Extensions: User Coaching
GitHub repository for SSL Orchestrator Service Extensions
Introduction to BIG-IP SSL Orchestrator
Integrating Security Solutions with F5 BIG-IP SSL Orchestrator
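The coaching, blocking-mode, justification and custom-category behaviour walked through above, as an added Python model written for this page rather than the project's own iRule. Its assumptions: a stand-in lookup table in place of URLDB and the custom category, a constructed log line format, that a blocking category wins over a coaching one, and that the CATEGORY_TYPE values are the two the article uses; all hosts, users and addresses are constructed.

```python
"""Toy model of the User Coaching decision flow (added illustration, not the F5 iRule).
Category names are those the article lists; the settings, the decision order (blocking
before coaching), the lookup table and the log line format are assumptions of this model."""
from dataclasses import dataclass, field

SUBSCRIPTION_AI = {"Generative_AI", "Generative_AI_-_Text_&_Code",
                   "Generative_AI_-_Conversation", "Generative_AI_-_Multimedia"}
CUSTOM_AI = "SSLO_AI_TOOLS"          # custom category the create-ai-category script builds


@dataclass
class CoachingConfig:
    category_type: str = "sub_and_custom"   # "sub_and_custom" or "custom_only"
    coaching_categories: set = field(default_factory=lambda: set(SUBSCRIPTION_AI))
    blocking_categories: set = field(default_factory=set)
    require_justification: int = 0          # 0 or 1, like the iRule setting


# Constructed lookup results standing in for URLDB ("sub") and custom category ("custom") hits.
URL_CATEGORIES = {
    "chat.example-ai.test": {"sub": {"Generative_AI_-_Conversation"}},
    "tools.example-ai.test": {"custom": {CUSTOM_AI}},
    "news.example.test": {"sub": {"News"}},
}


def decide(host: str, cfg: CoachingConfig, lookups: dict = URL_CATEGORIES) -> str:
    """Return 'block', 'coach' or 'allow' for a host, honouring CATEGORY_TYPE."""
    if cfg.category_type not in ("sub_and_custom", "custom_only"):
        raise ValueError(f"unsupported CATEGORY_TYPE {cfg.category_type}")
    hit = lookups.get(host, {})
    cats = set(hit.get("custom", ()))
    if cfg.category_type == "sub_and_custom":
        cats |= hit.get("sub", set())     # custom_only ignores subscription categories
    if cats & cfg.blocking_categories:
        return "block"
    if cats & cfg.coaching_categories:
        return "coach"
    return "allow"


def blocking_mode(cfg: CoachingConfig) -> CoachingConfig:
    """The 'Enable Blocking Mode' steps: move the coaching categories into blocking."""
    return CoachingConfig("sub_and_custom", set(), set(cfg.coaching_categories),
                          cfg.require_justification)


def custom_only_mode(cfg: CoachingConfig) -> CoachingConfig:
    """The 'Use a Custom Category' steps: coach on SSLO_AI_TOOLS only, drop the 4 URLDB ones."""
    coaching = (cfg.coaching_categories - SUBSCRIPTION_AI) | {CUSTOM_AI}
    return CoachingConfig("custom_only", coaching, set(cfg.blocking_categories),
                          cfg.require_justification)


def handle_agree(user: str, src_ip: str, host: str, dst_ip: str,
                 cfg: CoachingConfig, justification: str = ""):
    """Process the Agree button: None means re-present the page (justification required)."""
    if cfg.require_justification and not justification.strip():
        return None
    line = f"user-coaching agree user={user} src={src_ip} dst={dst_ip} host={host}"
    if justification.strip():
        line += f' justification="{justification.strip()}"'
    return line
```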
