3.8. Creating an F5 Advanced WAF Service (Off-box)

3.8.1. What it is

BIG-IP Advanced WAF as an “off-box” inspection service allows you to configure the F5 BIG-IP Advanced WAF services on a separate BIG-IP device. The typical use case for this service type is in high-throughput environments where running SSL Orchestrator and F5 BIG-IP Advanced WAF on the same appliance exceeds the capacity of that appliance. Moving the F5 Advanced to a separate appliance provides additional scale and flexibility.

3.8.2. How to build it

The Advanced WAF service running on a separate F5 BIG-IP appliance must be configured as a transparent proxy (routing) application:

  • Type: Standard

  • Source Address:

  • Destination Address/Mask: any port (or port 80)

  • Profile TCP: tcp

  • Profile HTTP: http

  • Translate Address: disabled

  • Translate Port: disabled

  • VLANs: listening on the internal SSL Orchestrator inbound WAF service network

Configure a system route on the F5 BIG-IP that points back to the internal SSL Orchestrator outbound WAF service network.

Assuming that the F5 BIG-IP WAF appliance can and will be handling multiple applications with separate WAF policies, the most optimal way to apply this is via CPM (LTM Policy) to dynamically assert a WAF policy to the an application based on the incoming HTTP Host header. For example, consider two applications with two separate WAF policies:

  • waf_policy_a

  • waf_policy_b

Apply the following CPM policy logic to the above transparent proxy application virtual server:

  • Rule 1: HTTP Host is “www.foo.com” on request -> enable asm and assign waf_policy_a

  • Rule 2: HTTP Host is “www.bar.com” on request -> enable asm and assign waf_policy_b

  • Rule 3: disable asm on request