Question about WAF Enforced with has suggestion Signature
Hello, everyone. I have a question about the WAF signature. Recently, I blocked the Ready to be enforced signatures. A few days later, some of these signatures are in an enforced state, and they have entered a has-suggestion state (about 30 of them). What is the state of being in an enforced state and at the same time has suggestion? And some of the enforced & has-suggestion signatures are unblocked and there are also staged logs. It's in enforced mode, is this a possible situation? F5 WAF engineer with similar experience, please help me. Thank you very much.
17 Views, 0 likes, 1 Comment

How to accept Application requests at WAF F5
Dear All, I just applied a WAF policy. The enforcement mode is blocking. Policy Building learning mode is "Manual". Policy Builder Learning Speed is "Medium". Other settings are default. After applying this kind of configuration, the user can't finish registering an account at our website. When I go to Event Logs -> Application, it shows the traffic has been blocked. Attack Types: "JSON Parser Attack". But this is valid traffic. I tried to accept this traffic, but after testing again, the traffic is blocked again. So my question is, how do I permanently accept this traffic so that it is not blocked in future?
41 Views, 0 likes, 4 Comments

Difference between BT (Upgraded to ADD-ASMAWF) vs BTA device
Hi All, I have a running BT i15800 upgraded to ADD-ASMAWF device onsite. I want to add another device, and now I have a F5-BIG-BTA-i15800 option to add. I want to know, is there any technical difference between these two devices? Should I consider anything for this matter or not? Thanks
68 Views, 0 likes, 3 Comments

Inconsistent forwarding of HTTP/2 connections with layered virtual
Hi, I'm using a layered virtual configuration:
Tier1: Virtual applying SNI-Routing (only SSL persistence profile and LTM policy as described in https://www.devcentral.f5.com/kb/technicalarticles/sni-routing-with-big-ip/282018)
Tier2: Virtual applies SSL termination and delivers the actual application, with the required profiles, iRules, .... If required, an additional LTM policy is applied for URI-based routing and forwards to Tier3 VS.
Tier3 (optional, if required): Virtual delivers specific applications, like microservices, usually no monolithic apps.
This configuration is very robust and I have been working with it successfully for years. Important: The tier1 uses one single IP address and a single port. So all tier2 and tier3 virtuals MUST be externally available through the same IP address and port.
Now I have to publish the first HTTP/2 applications over this concept and see strange behavior of the BIG-IP.
User requests www.example.com. IP and port point to tier1 virtual. Tier1 LTM policy forwards the requests, based on the SNI, to tier2 virtuals "vs-int_www.example.com". Within www.example.com there are references to piwik.example.com, which is another tier2 virtual, behind my tier1 virtual.
User requests piwik.example.com. IP and port point to tier1 virtual. Tier1 LTM policy forwards the requests to "vs-int_www.example.com" instead of "vs-int_piwik.example.com". Probably not based on SNI, but on the existing TCP connection.
I'm afraid that this behavior is a result of HTTP/2, especially because of the persistent TCP connection. I assume that, because the connection ID (gathered from browser devtools) for requests to www.example.com and piwik.example.com is identical. From the perspective of the browser I wouldn't expect such a behavior, because the target hostname differs. I didn't configure HTTP/2 in full-proxy mode, as described in several articles. I've just enabled it on the client-side. I would be very happy for any input on that.
Thanks in advance!
196 Views, 0 likes, 11 Comments

Loadbalancing WAF appliance using F5 LTM
Hello, I have 5 WAF devices that do not have HA and Loadsharing capabilities! (Please don't ask because I don't know myself :D) I want to balance the incoming traffic to them by placing an LTM in front of them. Unfortunately, my F5 equipment only has LTM capability and our company does not want to buy or upgrade the license for AWAF capability. In your opinion, does this method work, and if it does, please tell me what is the most suitable mode for VirtualServer? Thankful
74 Views, 0 likes, 3 Comments

Microservices priority, Blocked Request (Redirect URL)
Hi, please, I have two little questions about microservices (BIG-IP / WAF / ASM), for example:
Policy: WAF-TEST.xyz
Contains microservices (both transparent-mode):
*.test.xyz/*
*.dev.test.xyz/*
1.Q: When I have defined a separate microservice: dev.test.xyz, will it work? Or will it take the settings from microservice: test.xyz?
2.Q: Currently I would like to turn on blocking on dev and set the redirect URL (blocking responses), but I can't find that there is a different blocking page for different microservices. Is it even possible? e.g.
https://www.test.xyz/block_pg.php?support_id= <%TS.request.ID()%>
https://www.dev.test.xyz/block_pg.php?support_id= <%TS.request.ID()%>
Thank you very much for any advice!
Solved, 87 Views, 0 likes, 2 Comments

Remote log WAF based on number of violations
Hi All, At a customer I have configured a WAF to protect their web applications. I also configured a Logging Profile to send the logging to a remote server. This works fine. But the customer would like to have some control over what is being sent to the remote server and when. So the log of a violation that only occurs once (within a certain time frame) does not need to go to the remote log server. But an (identical) violation that occurs several times and has a high security violation needs to be sent to the remote server. I know I can configure a filter to include or exclude what is being sent to the remote server. But can the F5 WAF send logs to a remote server based on the number of events within a time frame? Hope you can help or point me to some useful links or documents. Regards, Martijn
47 Views, 0 likes, 2 Comments

iRule condition - request contains more than 10000 parameters
Hello, is it possible to create an iRule: "When request contains more than 10000 parameters then disable ASM policy at request time"? (Requests with more than 10000 parameters are dropped / hard reset by default when an ASM policy is used.)
84 Views, 0 likes, 2 Comments

Enterprise Security best practices with F5 WAF
When it comes to responsibilities of each layer in an enterprise (i.e. DMZ/WAF, application, SoR etc.), and provided F5 Advanced WAF is deployed on the DMZ, should other layers assume primary responsibility for mitigations supported out-of-the-box by F5 WAF? I.e., provided that F5 WAF supports bot defense, should the layer below (application layer) also be hardened to defend against bots by implementing features like fingerprinting, validating remote IPs based on HTTP headers etc.? Certain defense mechanisms, specifically in the case of bot defense, go beyond the expertise of typical application development, and having application developers harden their apps against bots will just add overhead IMO; however, one can still argue it's against defense in depth. What's the best practice and guideline F5 provides?
116 Views, 0 likes, 2 Comments

ASM instance creation
Hi Team, I have to create a WAF instance similar to the one which is already available. I need help creating an ASM policy similar to the one which is already used by another VIP. So my ASM policy name is ASM_NETWORK_443 and I have to create an identical policy with the name ASM_DRNETWORK_443. Is there any option to clone the ASM policy, or export and import the policy and rename it? Kindly help me with this.
64 Views, 0 likes, 2 Comments