NimbostratusAccording to the online resources, the data guard features will mask response containing sensitive data or block the response. However, if the application itself displays the sensitive information which might be not from the response, will the sensitive information be masked or blocked?
MVPIt is not clear from your question where the sensitive information is generated and if it passes through f5 or not. As long as the data is passing through F5 and visible by the WAF module then it can be masked/blocked.
NimbostratusSupposedly if we enable data guard for the policy by navigating through “Security” -> “Application Security” -> “Data Guard”, and also enable the "Learn, Alarm and Block" in "Security” -> “Application Security” -> “Policy Building” -> “Learning and Blocking Settings”, then it can be considered passing through f5 right?
MVPBy passing through F5, I meant the sensitive data is going through a published virtual server which has WAF enabled.
If you enable dataguard learn, alarm, block for a policy in blocking mode, and enable dataguard itself, then sensitive data will cause a blocking page
Nacreousyou can apply different waf policy to specific url path.
create new waf policy without data guard, then create new local traffic policy for the url path and the new waf policy, then assign this new local traffic policy to the virtual server
NimbostratusIf the policy is created for each web application deployed in the LTM, in other words, every application has its own policy. By applying different waf policy to specific url path, will it making the waf policy harder to manage? My concern is that there may have many different applications needs to be protected and there are a lot of urls in each application.
MVPAlso for more granular stuff a DLP agent systems could be used like Best Data Loss Prevention Reviews 2024 | Gartner Peer Insights as F5 BIG-IP WAF is like a Swiss army knife but for granular control there are dedicated DLP systems. F5 can also integrate with network based DLP using ICAP F5 ICAP over SSL/TLS (Secure ICAP) with F5 ASM/AWAF Antivirus Protection feature | DevCentral
NimbostratusMay I know how granular control does the DLP system could provide? I am thinking to utilize the existing Data Guard feature in f5 AWAF since it's already been there. However, it would be great to have other options in mind. If possible, could you provide a comparison between these two, as it would provide me with more insights to determine which one to use?
MVPee I don't think providing comparison is something for the F5 Devcentral community channel. F5 is great network based system and layer 7 proxy (especially for web traffic with the ASM/AWAF module) but you need to be aware what you want and what you are trying to achieve as you mentioned " which might be not from the response" if the sensitive information is autogenerated by a javascript on the customer devices (or in a mobile app) and not from a web response then endpoint DLP may do the job and you better review it with a DLP vendor of your choice.
Edit:
I forgot to add that for binary files that could be in the response you will need an external DLP to scan them as F5 AWAF/ASM is Web based solution and you then can use ICAP for this.