A Web Application Firewall (WAF) is one of the key security components of any organization with web applications accessible from the Internet. Unfortunately, “we have a WAF” doesn’t always mean “we’re protected” – many WAF deployments operate in “monitor only” mode, have outdated signatures, or are configured so cautiously that they let most attacks through. The WAF from F5 Networks is a solution that, when properly configured, truly protects applications rather than merely generating logs.
Table of contents
- What is a WAF and how is it different from a network firewall?
- How WAF F5 works – inspection mechanisms
- Protection against OWASP Top 10 attacks
- API protection – why does the WAF need to understand the API?
- Bot management – how to distinguish a good bot from a bad one?
- WAF in learning mode – automatic configuration of policies
- Key findings
- FAQ
- Summary
What is a WAF and how is it different from a network firewall?
A classic network firewall (L3/L4) controls the flow of packets based on IP addresses, ports and protocols – allowing or blocking TCP/UDP connections without insight into their content. A WAF operates at the application layer (L7) and understands the HTTP/HTTPS protocol – it analyzes the content of requests and responses, HTTP headers, URL parameters, the POST request body and JSON/XML structures.
This difference is fundamental: a SQL injection attack sent over port 443 (HTTPS) looks, to a network firewall, like any other web traffic. A WAF sees the content of the request, recognizes the SQL injection pattern and blocks it. The firewall protects the network, the WAF protects the application – and one does not replace the other.
F5 Networks offers its WAF as a hardware appliance (BIG-IP ASM), as a virtual edition (BIG-IP Virtual Edition) and as a cloud service (F5 Distributed Cloud WAAP) – giving you the flexibility to fit different deployment architectures.
How WAF F5 works – inspection mechanisms
WAF F5 (Advanced WAF / BIG-IP ASM) uses several inspection mechanisms running in parallel. Signature inspection compares requests against a database of known attack patterns – hundreds of thousands of signatures for SQL injection, XSS, command injection, path traversal, SSRF and other categories. The signature database is regularly updated by F5 Threat Intelligence.
HTTP protocol analysis verifies that the request is a properly structured RFC-compliant HTTP request – protocol anomalies often indicate attacks or automated tools. Positive Security Model defines what is allowed (as opposed to negative security, which defines what is forbidden) – only requests that meet the defined format are allowed through, everything else is blocked.
Behavioral analysis analyzes user behavior over time – request patterns specific to automated tools (scanners, bots) are identified and blocked regardless of the signature of a specific attack.
Protection against OWASP Top 10 attacks
The OWASP Top 10 is a list of the 10 most serious categories of web application vulnerabilities, published by the Open Web Application Security Project. WAF F5 is optimized to block each of these categories.
Injection (SQL, NoSQL, LDAP, OS Command injection) – WAF analyzes request parameters in search of sequences characteristic of code injection attempts. The mechanism is resistant to typical bypass techniques (encoding, fragmentation, SQL comments).
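The following is an added illustration, not F5's code or signature database, of the signature inspection described in "How WAF F5 works" combined with the bypass resistance mentioned above: each parameter is normalized (form and repeated URL decoding, inline SQL comment removal, whitespace collapsing) before it is matched against a small constructed signature set. The signatures, categories and sample requests are hypothetical.

```python
import re
import urllib.parse

# Constructed, deliberately small signature set (not F5's database): each entry is a
# category and a regex applied to the parameter value AFTER normalization.
SIGNATURES = [
    ("sqli", re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+", re.I)),
    ("sqli", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("xss", re.compile(r"<\s*script\b|\bon\w+\s*=\s*[\"']|javascript:", re.I)),
    ("traversal", re.compile(r"(\.\./|\.\.\\){2,}")),
]

def normalize(value: str) -> str:
    """Undo common evasion layers before matching: form encoding, repeated
    %XX decoding (double encoding), inline SQL comments and whitespace tricks."""
    value = urllib.parse.unquote_plus(value)          # '+' means space only in the outer layer
    prev = None
    while prev != value:                               # decode until no %XX layer remains
        prev = value
        value = urllib.parse.unquote(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)   # 'UNION/**/SELECT' -> 'UNION SELECT'
    return re.sub(r"\s+", " ", value).strip()          # tabs/newlines used as separators

def inspect(params: dict) -> list:
    """Return (parameter, category) for every parameter that matches a signature."""
    hits = []
    for name, raw in params.items():
        text = normalize(str(raw))
        for category, pattern in SIGNATURES:
            if pattern.search(text):
                hits.append((name, category))
                break                                  # one verdict per parameter
    return hits

if __name__ == "__main__":
    # Constructed sample requests: one benign, three with evasion layers applied
    for sample in ({"q": "running shoes"},
                   {"id": "1 %2527 OR 1%3D1--"},        # double URL encoding
                   {"id": "1 UNION/**/SELECT name"},     # SQL comment as separator
                   {"file": "..%2F..%2Fapp.cfg"}):       # encoded path traversal
        print(sample, "->", inspect(sample) or "clean")
```

A production engine would also decode Unicode and HTML entity layers and score multiple weak matches together; this block shows only the normalize-then-match principle.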
Cross-Site Scripting (XSS) – blocking attempts to inject JavaScript code via requests so that it would later execute in other users’ browsers. F5 WAF understands context – the same keyword can be allowed in the content of a blog post and blocked in a search parameter.
Broken Access Control and Security Misconfiguration – the WAF can enforce access policies at the URL level, blocking requests for resources the user is not entitled to.
Combining WAF with next-generation firewall solutions creates a multi-layered protection from network to application.
API protection – why does the WAF need to understand the API?
Modern web applications are largely APIs – frontends communicate with the backend via REST APIs, microservices communicate with each other via APIs, mobile apps call APIs. This makes APIs an increasingly important attack surface that classic WAFs (designed for HTML web applications) do not handle well.
F5 Advanced WAF has dedicated API security that understands REST, JSON and GraphQL structure. API security policies can validate the JSON body structure (whether the request contains the required fields, whether the data types are valid), enforce rate limits for specific API endpoints, protect against OWASP API Security Top 10 (BOLA/IDOR, broken authentication, excessive data exposure and more), and manage API access through OAuth/JWT integration.
Bot management – how to distinguish a good bot from a bad one?
Not all bots are bad – Googlebot, monitoring bots and partner API bots are desirable traffic. Bad bots include: web scrapers stealing content, credential stuffing bots trying to take over accounts using lists of leaked passwords, bots clicking on ads, and bots performing application-layer DDoS attacks.
F5 Advanced WAF has a built-in bot management module that uses several techniques to identify bots:
- JavaScript challenge – the site sends a JavaScript challenge that must be executed by the browser. Bots without a JS engine will not pass the challenge.
- Browser fingerprinting – analysis of browser properties (fonts, plugins, WebGL, screen resolution) compared with the values expected for the declared user-agent.
- CAPTCHA – used as an escalation step for suspicious traffic.
- Behavioral analysis – click patterns, mouse movement and time between actions that distinguish humans from automata.
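As an added example, not F5's bot module, here are two of the techniques above in simplified form: a stateless JavaScript challenge (the server hands out an HMAC-tagged nonce, the browser's script must return its hash) and a timing-regularity check on the gaps between a client's requests, combined into the allow / CAPTCHA / block escalation the text describes. The key handling, the 10% regularity threshold and the hash-based puzzle are assumptions.

```python
import hashlib
import hmac
import os
import statistics

SERVER_KEY = os.urandom(32)   # constructed per-process key that signs issued challenges

def issue_challenge() -> str:
    """Return 'nonce.tag'. The nonce is embedded in the page for the client's JavaScript to
    solve; the HMAC tag lets the server verify later, without keeping state, that it issued it."""
    nonce = os.urandom(8).hex()
    tag = hmac.new(SERVER_KEY, nonce.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{nonce}.{tag}"

def solve_challenge(challenge: str) -> str:
    """Stand-in for what the page's JavaScript computes in a real browser (assumed puzzle)."""
    nonce = challenge.split(".")[0]
    return hashlib.sha256(nonce.encode()).hexdigest()

def challenge_passed(challenge: str, answer: str) -> bool:
    """Server-side check: the nonce must carry our tag and the answer must be its solution."""
    nonce, _, tag = challenge.partition(".")
    good_tag = hmac.new(SERVER_KEY, nonce.encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(tag, good_tag) and hmac.compare_digest(answer, solve_challenge(challenge))

def timing_looks_automated(timestamps: list, max_cv: float = 0.1) -> bool:
    """Humans produce irregular gaps between actions; scripted clients fire at near-constant
    intervals. Flag when the coefficient of variation of the gaps falls below max_cv."""
    if len(timestamps) < 4:
        return False                       # too little history to judge
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean < max_cv

def classify(challenge: str, answer: str, timestamps: list) -> str:
    """Escalation ladder: no signal -> allow, one signal -> captcha, both -> block."""
    signals = int(not challenge_passed(challenge, answer)) + int(timing_looks_automated(timestamps))
    return ("allow", "captcha", "block")[signals]

if __name__ == "__main__":
    c = issue_challenge()
    human_times = [0.0, 1.3, 1.9, 4.2, 4.6]     # constructed irregular timings
    script_times = [0.0, 0.5, 1.0, 1.5, 2.0]    # constructed metronomic timings
    print(classify(c, solve_challenge(c), human_times), classify(c, "", script_times))
```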
WAF in learning mode – automatic configuration of policies
Configuring a WAF from scratch is a tedious process – especially for complex applications with hundreds of endpoints and thousands of parameters. F5 Advanced WAF offers a learning mode (automatic policy builder) that observes application traffic for a defined period and automatically generates security policies based on observed patterns.
In learning mode, WAF does not block anything, but collects information: what URLs are available, what parameters each endpoint accepts, typical values and data types. After the learning period, WAF generates a positive security policy proposal, which the administrator reviews and approves or modifies. This greatly speeds up implementation and reduces the risk of blocking valid traffic.
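An added example, not F5's policy builder, of the learning mode described above and of the positive security model and JSON structure validation from the earlier sections: constructed sample traffic is observed, a per-endpoint policy (allowed parameters, their types, and which are required because every observed request carried them) is derived for review, and the same policy is then enforced in blocking mode. Endpoint paths, parameter names and sample values are constructed.

```python
from collections import defaultdict

def infer_type(value) -> str:
    """Coarse type class of an observed JSON/form value (bool first: bool subclasses int)."""
    if isinstance(value, bool):
        return "bool"
    if isinstance(value, int):
        return "int"
    if isinstance(value, str):
        return "str"
    return type(value).__name__

def learn_policy(observed: list) -> dict:
    """Learning phase: from (method, path, params) samples build, per endpoint, the allowed
    parameters, their observed types and whether each one was present in every request."""
    seen = defaultdict(list)
    for method, path, params in observed:
        seen[(method, path)].append(params)
    policy = {}
    for endpoint, requests in seen.items():
        spec = {}
        for params in requests:
            for name, value in params.items():
                entry = spec.setdefault(name, {"types": set(), "count": 0})
                entry["types"].add(infer_type(value))
                entry["count"] += 1
        policy[endpoint] = {name: {"types": sorted(e["types"]),
                                   "required": e["count"] == len(requests)}
                            for name, e in spec.items()}
    return policy                          # the administrator reviews this before enabling it

def enforce(policy: dict, method: str, path: str, params: dict) -> list:
    """Blocking phase: list the policy violations of one request; an empty list means allowed."""
    spec = policy.get((method, path))
    if spec is None:
        return [f"unknown endpoint {method} {path}"]   # positive model: unlearned = denied
    violations = [f"missing required parameter '{n}'"
                  for n, e in spec.items() if e["required"] and n not in params]
    for name, value in params.items():
        if name not in spec:
            violations.append(f"unexpected parameter '{name}'")
        elif infer_type(value) not in spec[name]["types"]:
            violations.append(f"parameter '{name}' has type {infer_type(value)}, "
                              f"expected one of {spec[name]['types']}")
    return violations

# Constructed traffic sample standing in for the learning period (not real application data).
OBSERVED = [
    ("POST", "/api/orders", {"sku": "A-100", "qty": 2}),
    ("POST", "/api/orders", {"sku": "B-7", "qty": 1, "gift": True}),
    ("GET", "/api/orders", {"page": 1}),
]
POLICY = learn_policy(OBSERVED)
```

A real learning period needs far more samples per endpoint than three; with so few, an optional parameter that happened to appear every time would be marked required, which is exactly the kind of finding the administrator's review step exists to catch.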
Key findings
- WAF operates at the L7 layer and understands HTTP/HTTPS – which allows it to inspect the content of requests and block application attacks invisible to the network firewall.
- F5 Advanced WAF combines signature inspection, positive security model and behavioral analysis.
- API protection is a separate, dedicated component – crucial for modern application architectures.
- Bot management distinguishes desirable automated traffic from malicious traffic through JavaScript challenges, fingerprinting and behavioral analysis.
- Learning Mode automatically builds security policies based on observations of actual traffic – reducing deployment time.
FAQ
Can WAF F5 cause false positives (blocking legitimate traffic)? Yes – any WAF can generate false positives, especially when configured too aggressively. Learning mode and gradual tightening of policies minimize this risk. F5 also offers a “transparent” mode (non-blocking monitoring) for calibrating policies before switching to blocking mode.
Does the F5 WAF support IPv6? Yes – F5 BIG-IP supports full dual-stack IPv4/IPv6.
How does F5 WAF update attack signatures? Signatures are updated automatically by F5 Threat Intelligence – new attack patterns are added regularly, often within hours of being detected in the wild.
Can WAF F5 be deployed in the cloud? Yes – F5 offers WAF in the form of: BIG-IP Virtual Edition (VM in the cloud), F5 Distributed Cloud WAAP (SaaS) and marketplace images for AWS/Azure/GCP.
Summary
WAF F5 is one of the most advanced web application protection solutions on the market – combining signature inspection with a positive security model, dedicated API protection and advanced bot management. However, a proper WAF implementation is not a one-time task, but an ongoing process of calibration and updates. Contact Ramsdata to learn how F5 Networks can protect your organization’s web applications.