Forum Discussion

suraj11's avatar
Icon for Nimbostratus rankNimbostratus
Nov 22, 2023

BIG ASM - WAF for https applications

WAF SSL Offloading, https traffic

As per most of the tutrorials and vidoes for utilizing the WAF feature URL is onboarded in a virutal server and http option is selected. Wanted to know can WAF inspect https traffic without implementation of SSL offloading in Big IP / ASM WAF. If the installed SSL cleint / certificates are expired are warning or error popped to notify expiration of certificates, furter can WAF still analyse https / encrypted traffic even if the onboarded SSL certificates have expired. Is there any other way the BIG IP ASM WAF can inspect https traffic after https url is onboarded since most of the websites and applicaitons now mandate https.

2 Replies

  • The inspection will still work if the cert is out of date.
    You'll have just lost your trust between browser and the f5 VIP. So you'll need to get through the client trust fail safes for it to work at all, but the waf will still work if the site comes up.

    • suraj11's avatar
      Icon for Nimbostratus rankNimbostratus

      Hi Thanks for the reply,

      just wanted a little clarity in terms of analysis. An Organization has multiple URL's hosted which clients access for payments, updations, purchases, etc. Wanted to know when clients access these URL's whose traffic is routed via WAF are https / encrypted connections. As per my understanding SSL offloading decrypts the traffic only after that it can analyse the packet contents , payloads etc. So if the SSL certificate expires which is required for ssl decryption and encyption at WAF level, can WAF still analyse the packets, payloads, cookies and its contents, even if the traffic is via HTTPS / TLS / SSL.