Technical Articles
F5 SMEs share good practice.
Showing results for 
Search instead for 
Did you mean: 
F5 Employee
F5 Employee


As people embraced the Internet as a part of their daily lives, businesses all over the world discovered an easier way to reach a large customer base that is not restricted by geographical boundaries.

While that is important, it has also provided an open platform for malicious users to look for potential security loopholes in order to break into the system and cause severe damage.

As a result, safeguarding business applications from such malicious user events is extremely critical.

F5 Distributed Cloud WAAP (Web Application and API Security) offers an AI/ML-based solution for monitoring such security events as well as the means to mitigate them.

In this series of articles, we will demonstrate enabling, configuring, monitoring, and mitigating malicious users using F5 Distributed Cloud console.



There are two ways to enable malicious user detection:

  1. Using Single Load Balancer ML configuration.
  2. Using Multi Load Balancer ML configuration.

Using Single Load Balancer ML Configuration:

In this mechanism, detection is enabled as part of the load balancer configuration and is only applicable to the load balancer on which it is configured.

Using Multi Load Balancer ML Configuration:

In this mechanism, detection is enabled as part of the app type configuration and is valid for all LBs configured with the same app type label.

In both of the mentioned ways, detection is dependent on the ML configuration derived from the app settings object, with the difference that in single load balancer ML config values are not configurable and are set to default, whereas in multi load balancer ML config values can be configured according to the need.

Once malicious user events have been identified, the next stage is to prioritize mitigation. The following are two ways of mitigating detected malicious user events:

  1. Using Load Balancer Security Monitoring.
  2. Using Load Balancer Advanced Security Configuration.

Using Load Balancer Security Monitoring

This is a manual way of configuring mitigation in which malicious user IPs are added to the allow/deny list.

Using Load Balancer Advanced Security Configuration

This is an automatic way of enabling mitigation in which the platform will apply the corresponding configured mitigation action for the specific threat levels.

The default identifier configured for addressing malicious user events is the client IP address but in the ever-evolving world of attacks spoofing identity is not a difficult task to perform and to uniquely identify a user we should have a set of other identification mechanisms keeping that in mind F5 Distributed Cloud console also provides you with the option to configure other parameters of identification like cookie name, header name, query parameter, ASN, TLS Fingerprint and combination of IP-header name & IP-TLS Fingerprint.

Follow the documentation for step-by-step configuration instructions


Demonstration (Using Single Load Balancer ML Configuration)

In this demonstration, we will generate XSS attacks, configure a WAF rule with enforcement mode as monitoring, and configure mitigation actions for medium and high threat levels.

Step1: Enable malicious user detection using Single Load Balancer ML config as mentioned in the document.

Step2: Create an app firewall and add it to the Load Balancer.

  • Go to WAAP->Manage->App Firewall and Click on Add App Firewall.
  • Add name and customize the fields as needed, Save & Exit.Shubham_Mishra_0-1653058438826.png

Step3: Configure mitigation actions

  • Go to WAAP->Manage->Shared Objects->Malicious User Mitigation and click on Add Malicious User Mitigation.
  • Add a name, set threat level and associated actions accordingly. Add Item, Save & Exit.


Step4: Add the WAF policy and malicious user mitigation settings to the LB.

  • From the Console homepage, Go to Load Balancers->Manage->Load Balancers->HTTP Load Balancers, select ‘Manage Configuration’ as an ‘Action’ to your LB and click ‘Edit Configuration’.


  • Go to ‘Security Configuration’, choose ‘App Firewall’ in ’Select Web Application Firewall (WAF) Config’ and set waf rule configured, Save & Exit.


  • In ‘Security Configuration’, ‘Select Type of Challenge’ as ‘Policy Based Challenge’, Click Configure, set malicious user mitigation settings as ‘custom’ and add the mitigation rule created, Apply. (Note: Here we have provided the flexibility to configure custom malicious user mitigation setting. However, users can also select default, which is a recommended setting).


Step5: Generate XSS attack (20+ requests in a minute) e.g., https://<domain>?a=<script>


Step6: Monitor the security events.

  • Go to WAAP -> Apps & APIs -> Security, Select your LB.
  • Select Malicious Users.


As you can see from the demonstration, even though the waf policy is set to monitoring mode, in the background, malicious user activity is continued to be tracked and the threat level kept increasing with the number of attacks being performed, and once the threat level reached ‘High’, configured mitigation action got triggered. (Note: Based on malicious user mitigation settings different threat levels will have different mitigation actions, for example: in default settings for low threat level, JavaScript Challenge will be applied, for medium threat level, Captcha Challenge will be applied and for high threat level, users will be temporarily blocked).

In this scenario, Customers can block attackers in real-time with very low risk of False Positives, as actions are taken based on observed user behavior over time.



In this article, we discussed how to enable malicious user detection and mitigation and how you can block attackers with a very low risk of False Positives.  In future articles, we will discuss other scenarios. So please stay tuned.


For further information or to get started:

  • F5 Distributed Cloud Platform (Link)
  • F5 Distributed Cloud WAAP Services (Link)
Version history
Last update:
‎15-Nov-2022 13:21
Updated by: