3.8. Creating an F5 Advanced WAF Service (Off-box)

3.8.1. What it is

BIG-IP Advanced WAF as an “off-box” inspection service allows you to configure the F5 BIG-IP Advanced WAF services on a separate BIG-IP device. The typical use case for this service type is in high-throughput environments where running SSL Orchestrator and F5 BIG-IP Advanced WAF on the same appliance exceeds the capacity of that appliance. Moving the F5 Advanced to a separate appliance provides additional scale and flexibility.

3.8.2. How to build it

The Advanced WAF service running on a separate F5 BIG-IP appliance must be configured as a transparent proxy (routing) application:

• Type: Standard

• Source Address: 0.0.0.0/0

• Destination Address/Mask: 0.0.0.0/0 any port (or port 80)

• Profile TCP: tcp

• Profile HTTP: http

• Translate Address: disabled

• Translate Port: disabled

• VLANs: listening on the internal SSL Orchestrator inbound WAF service network

Configure a system route on the F5 BIG-IP that points back to the internal SSL Orchestrator outbound WAF service network.

Assuming that the F5 BIG-IP WAF appliance can and will be handling multiple applications with separate WAF policies, the most optimal way to apply this is via CPM (LTM Policy) to dynamically assert a WAF policy to the an application based on the incoming HTTP Host header. For example, consider two applications with two separate WAF policies:

• waf_policy_a

• waf_policy_b

Apply the following CPM policy logic to the above transparent proxy application virtual server:

• Rule 1: HTTP Host is “www.foo.com” on request -> enable asm and assign waf_policy_a

• Rule 2: HTTP Host is “www.bar.com” on request -> enable asm and assign waf_policy_b

• Rule 3: disable asm on request