3.8. Creating an F5 Advanced WAF Service (Off-box)
3.8.1. What it is
BIG-IP Advanced WAF as an "off-box" inspection service allows you to configure F5 BIG-IP Advanced WAF services on a separate BIG-IP device. The typical use case for this service type is a high-throughput environment where running SSL Orchestrator and F5 BIG-IP Advanced WAF on the same appliance would exceed the capacity of that appliance. Moving F5 Advanced WAF to a separate appliance provides additional scale and flexibility.
3.8.2. How to build it
The Advanced WAF service running on a separate F5 BIG-IP appliance must be configured as a transparent proxy (routing) application:
Type: Standard
Source Address: 0.0.0.0/0
Destination Address/Mask: 0.0.0.0/0 any port (or port 80)
Profile TCP: tcp
Profile HTTP: http
Translate Address: disabled
Translate Port: disabled
VLANs: listening on the internal SSL Orchestrator inbound WAF service network
Configure a system route on the F5 BIG-IP that points back to the internal SSL Orchestrator outbound WAF service network.
Assuming that the F5 BIG-IP WAF appliance can and will be handling multiple applications with separate WAF policies, the best way to apply this is via CPM (LTM Policy), which dynamically asserts a WAF policy for an application based on the incoming HTTP Host header. For example, consider two applications with two separate WAF policies:
waf_policy_a
waf_policy_b
Apply the following CPM policy logic to the above transparent proxy application virtual server:
Rule 1: HTTP Host is “www.foo.com” on request -> enable asm and assign waf_policy_a
Rule 2: HTTP Host is “www.bar.com” on request -> enable asm and assign waf_policy_b
Rule 3: disable asm on request
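The steps above expressed as tmsh commands on the off-box WAF BIG-IP. This is an added example, not configuration from the guide: the VLAN name sslo_waf_in, the gateway address 10.0.1.1, the virtual server name waf_offbox_vs and the policy name waf_host_policy are placeholders chosen for illustration, and waf_policy_a and waf_policy_b are assumed to already exist in /Common. The policy uses the first-match strategy so that Rule 3 (disable ASM) only applies when neither Host header matched.

```tmsh
# Added example (not from the F5 guide). Assumed names: VLAN sslo_waf_in,
# gateway 10.0.1.1 (placeholder for the SSL Orchestrator outbound WAF service
# network), virtual server waf_offbox_vs, policy waf_host_policy.
# waf_policy_a and waf_policy_b are assumed to exist in /Common.

# 1. Transparent (routing) virtual server: wildcard source and destination,
#    tcp + http profiles, no address/port translation, listening only on the
#    VLAN facing SSL Orchestrator's inbound WAF service network.
#    The http profile is required for the policy to evaluate the Host header.
tmsh create ltm virtual waf_offbox_vs \
    source 0.0.0.0/0 \
    destination 0.0.0.0:any mask any \
    ip-protocol tcp \
    profiles add { tcp http } \
    translate-address disabled \
    translate-port disabled \
    vlans-enabled vlans add { sslo_waf_in }

# 2. Return route toward SSL Orchestrator's outbound WAF service network
#    (gateway value is a placeholder). If a default route already exists on
#    this BIG-IP, modify that route instead of creating a second one.
tmsh create net route sslo_waf_return network 0.0.0.0/0 gw 10.0.1.1

# 3. LTM (CPM) policy: first-match, rules evaluated by ordinal. Conditions
#    default to the request event and the "equals" operand.
tmsh create ltm policy Drafts/waf_host_policy strategy first-match \
    rules add { \
        rule_foo { ordinal 1 \
            conditions add { 0 { http-host host values { www.foo.com } } } \
            actions add { 0 { asm enable policy /Common/waf_policy_a } } } \
        rule_bar { ordinal 2 \
            conditions add { 0 { http-host host values { www.bar.com } } } \
            actions add { 0 { asm enable policy /Common/waf_policy_b } } } \
        rule_default { ordinal 3 \
            actions add { 0 { asm disable } } } }

# Policies are created as drafts; publish, then attach to the virtual server.
tmsh publish ltm policy Drafts/waf_host_policy
tmsh modify ltm virtual waf_offbox_vs policies add { waf_host_policy }

# Verify the result: translation disabled, VLAN restricted, policy attached.
tmsh list ltm virtual waf_offbox_vs
tmsh list ltm policy waf_host_policy
```

Because the virtual server listens on 0.0.0.0/0 with translation disabled, the VLAN restriction is what keeps it from answering traffic that did not come from SSL Orchestrator; confirm with `tmsh list ltm virtual waf_offbox_vs` that `vlans-enabled` and the intended VLAN are present before putting the service in the SSL Orchestrator service chain.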