Cloud Apps Protection
Hello Everyone, I hope you're well, I realize a deploy A F5 Big-IP. I have two doubts: Can the Big-IP on-premise solution protect external web applications hosted on AWS and Azure? Can the WAF module in Big-IP on-premise protect mobile applications (APP Mobile)? Would it be possible in scenarios On-Premise , or I need to opt for a Distributed Cloud or Hybrid solution?
F5 bot defense - false positives
I'm hoping someone can offer some advice. We have a Bot defense service (ex Volterra I think?) running on our WAF, and we're getting a lot of false positives, far greater than what we'd initially expected or what I've seen estimated online. It's an angular application with a .NET back end. There's a range of services, mostly internal that are also running. At the moment, we're only covering a small range of endpoints as a test, but the results have not been great and at some point in the use of the application, almost every customer is being flagged as a bot while tracking through the user experience. I have read elsewhere that we might need to force the application to load the interstitial JavaScript file. It's currently marked as synchronous, then it loads a couple of other JS files asynchronous, these seem to be called from the first js file. The tag is first in line after the HEAD html tag. I am currently concerned that loading order could be the cause? But might only account for the false positives at the startup/entry point of the application. There's nothing else particularly special happening with the application, it's a publicly accessible Angular web app with a range of backend services, some called internally, some called directly through an API. As it is at the moment, I'm not exactly sure how we can trust the results and what the point even is if the false positives are so much higher than expected. I realise this is a complicated problem to get 100% right, but I'd expected a lot more for what I believe is a significant annual cost. Can anyone please confirm if this is a common concern or if it is expected and normal? or if there is something we're missing here? Any pointers for what we can do at the application level to resolve this? Thanks a lot. Dudley.
Need step-by-step guidance for migrating BIG-IP i2800 WAF to rSeries (UCS restore vs clean build)
Hello DevCentral Community, We are planning a hardware refresh migration from a legacy BIG-IP i2800 running WAF/ASM to a new rSeries platform and would like to follow F5 recommended best practices. Could you please advise on the step-by-step process for this migration, specifically around: o Whether UCS restore is recommended versus building config fresh o BIG-IP version compatibility considerations during the migration o Interface/VLAN mapping differences between iSeries and rSeries hardware o Best approach to migrate WAF/ASM policies and tuning after migration o Common issues or lessons learned during real-world cutovers Current environment: " BIG-IP model: i2800 " BIG-IP version: 17.1.3 " WAF module: ASM / Advanced WAF " Deployment: Active/Active Thank you .
WAF Policy upload using AS3
I am using per-app declaration to upload multiple WAF policies in an app. when I post the declaration using POST command, i only get 202 accepted, and in the backend, the F5 uploads the ASM policies. How can I get to know iff all the policies are uploaded successfully or if any have failed? Is there any command or rest api? POST : https:/<f5ip>/mgmt/shared/appsvcs/declare/Demo/applications { "id": "per-app-declaration", "schemaVersion": "3.54.2", "controls": { "class": "Controls", "logLevel": "debug", "trace": true }, "WMS_ASM": { "class": "Application", "template": "generic", "wms_Dispatcher_asm_v172": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_Dispatcher_asm_file.xml" }, "wms_MessageStoreAPI_asm_v172": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_MessageStoreAPI_asm_file.xml" }, "wms_abdg_asm_v172": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_abdg_asm_file.xml" }, "wms_auth_asm_v173": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_auth_asm_file.xml" }, "wms_carrier-info_asm_v172": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_carrier-info_asm_file.xml" }, "wms_cas_asm_v172": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_cas_asm_file.xml" }, "wms_csdui_asm_v172": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_csdui_asm_file.xml" }, "wms_csrkodiak_asm_v172": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_csrkodiak_asm_file.xml" }, "wms_getContactAddlInfo_asm_v172": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_getContactAddlInfo_asm_file.xml" }, "wms_keymanagement_asm_v174": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_keymanagement_asm_file.xml" }, "wms_kodiakidsprov_asm_v172": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_kodiakidsprov_asm_file.xml" }, "wms_lcms_asm_v173": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_lcms_asm_file.xml" }, "wms_mcsxcap_asm_v173": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_mcsxcap_asm_file.xml" }, "wms_mobileapi_asm_v172": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_mobileapi_asm_file.xml" }, "wms_ngcat_asm_v172": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_ngcat_asm_file.xml" }, "wms_oidcxcap_asm_v172": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_oidcxcap_asm_file.xml" }, "wms_tpams_asm_v172": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_tpams_asm_file.xml" }, "wms_wcsr_asm_v172": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_wcsr_asm_file.xml" }, "wms_webdispatcher_asm_v172": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_webdispatcher_asm_file.xml" } } }
Is it possible to select ASM BoT profile from irule?
Hi. . Is it possible to select BoT profile from irule? . Concept is we have different set of IP which need to allow "some" BoT type. That why we can't use whitelist IP in BoT profile because it will allow all BoT type. So We want to use iRule to check if it IP A > use BoT profile which have some exception, but if all other IP > use normally BoT profile. . when HTTP_REQUEST { # Check IP and select BoT profile from that if { [IP::client_addr] eq "A" } { ASM::enable allow_some_bot_profile } else { ASM::enable normally_bot_profile } } ps. I didn't see any document about how to select BoT profile. So I'm not sure if ASM::enable can do that.AS3 Storage
I declared 2 WAF polices using AS3, now I deleted one using the tmsh command. In the bigip.conf I can see only 1 WAF policy, but while I do a GET api call for that App, I am still getting 2 WAF policies. It is persistent on reboots. Where does F5 store the AS3 declaration? From where am I getting both the WAF policies (from where f5 is returning the original as3 declaration?) in Rest api : https:///mgmt/shared/appsvcs/declare/Dummy/applications/SYNCGW_Common "wms_egls_asm_v174": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_egls_asm_file.xml", "ignoreChanges": true }, "wms_egls_asm_v173": { "class": "WAF_Policy", "file": "/var/tmp/v17/wms_egls_asm_file.xml", "ignoreChanges": true } In Bigip.conf: asm policy /Dummy/SYNCGW_Common/wms_egls_asm_v174 { active encoding utf-8 }How to allow Request getting blocked due to Malformed JSON data
Hi Everyone, I've little trouble understanding how i can allow this request. Requests are getting blocked at WAF end due to "Malformed JSON data" violation (Illegal character encountered - json syntax error -" / ") Can i allow / (forward slash) character to provide exception for this violation & keep malformed json data blocking setting as it is. and how can i achieve this.
F5 ASM XML processing - policy name.
Hello, we have an error message in logs: ASM out of memory error: event code X89 Exceeded maximum memory assigned for XML processing we have already increased both variables total_xml_memory and additional_xml_memory_in_mb to 4GB but they still appear. What i wanted to ask if its possible to identify which ASM policy generates these logs? Or which policy is responsible for the most of xml memory usage? Is it possible to create an irule that will check this and assign custom violation with policy name (and request details) that raised this violation regarding xml memory? Because as it is now we would have to further increase additional xml memory variable and maybe its better to troubleshoot why is it getting exceeded in the first place?
