F5 Advanced Web Application Firewall (AWAF)


Course summary

The F5 Advanced Web Application Firewall (WAF) provides a powerful set of security features that will keep your Web Applications safe from attack. Many WAFs offer a basic level of protection from attack at the higher layers of the OSI stack, but the F5 Advanced WAF takes things even further with the following security features:

  • Proactive Bot Protection: Proactively defend your applications against automated attacks by bots and other attack tools. This prevents layer 7 DoS attacks, web scraping, and brute-force attacks. Proactive bot defense helps identify and mitigate attacks before they cause damage to the site.
  • DataSafe: Protect sensitive information from interception by encrypting data while it’s still in the browser. DataSafe encrypts data at the application layer to protect against malware and keyloggers. This renders leaked credentials or data useless.
  • Behavioral DoS: Behavioral DoS provides automatic protection against DDoS attacks by analyzing traffic behavior using machine learning and data analysis. By continuously monitoring server health and load, anomalies (performance slowdowns or traffic spikes) can be accurately detected and mitigated as needed.
  • Flexible Deployment: Available as a purpose-built appliance, a cloud-ready virtual appliance, or part of the F5 Silverline service.
Teaching methods:
  • Training delivered by an instructor certified by the vendor
  • Training available in person or remotely
  • Remote labs/lab platform provided for each participant (if applicable to the course)
  • Official course materials in English distributed to each participant
    • A working knowledge of written technical English is required to understand the course materials
  • Accessibility for people with disabilities – contact us
Assessment methods:
  • Formative assessments during the training, through the practical work carried out in the labs at the end of each module
  • Assessment in the form of a questionnaire at the end of the training


The BIG-IP Advanced Web Application Firewall (WAF) training will detail all the features described above. Throughout this training you'll also deploy and configure a BIG-IP with the Advanced Web Application Firewall (WAF) module to secure a web application from various threats. Among other things, you will learn how to:

  • Mitigate Credential Stuffing using Advanced WAF
  • Use DataSafe to Secure a Login URL
  • Mitigate Bots using L7 BaDoS


Chapter 1: Threat Overview

  • a. Differentiate client-side and application-side vulnerabilities
  • b. Definition of F5 Advanced WAF
  • Lab 1.1: Advanced WAF license check/DataSafe/ASM provisioning
  • c. Definition of Advanced WAF-related configuration objects
  • Lab 1.2: Guided Configuration for Web Application Security (Creates rapid deployment based policy, transparent enforcement mode, generic attack signature set, logging profile, application language, virtual server, pool, and node.)

Chapter 2: Securing HTTP Traffic

  • a. HTTP request/response overview (brief)
  • b. How Advanced WAF parses the request
  • c. Reviewing Requests in Advanced WAF (define legal requests, review logging profile)
  • Lab 2.1: Fiddler lab (normal traffic to virtual server, i.e. /Login.php)
  • d. Identify headers
  • e. Identify methods
  • f. Identify POST data (username and password in the payload)
  • g. Locate legal requests, view source/destination IP, request status
  • h. Overview of application side vulnerabilities
  • Lab 2.3: Explore Vulnerabilities and Violations
  • i. Use Fiddler to send an OPTIONS request (remove the Fiddler User-Agent)
  • j. nmap -sV --script=http-php-version 10.10.X.102 (reveals OS/PHP version)

Chapter 3: Policy Tuning

  • a. Handling learning suggestions
  • b. Enforcing attack signatures
  • c. Overview of file types (add a disallowed file type to prevent access to .txt files)
  • d. Policy enforcement
  • Lab 3.1: Mitigate vulnerabilities

Chapter 4: Threat Campaigns

  • a. Review attack signatures/regex example
  • b. Define Threat Campaigns in the context of accuracy
  • Lab 4.1: Trigger Threat Campaign (should be a 5-minute lab where we trigger something in a PHP Threat Campaign set).

Chapter 5: Mitigating Credential Stuffing

  • a. Overview of Credential Stuffing
  • b. Credential stuffing configuration (requires security policy and logon page.)
  • Lab 5.1: Mitigate Credential Stuffing using Advanced WAF

Chapter 6: DataSafe and Layer 7 Encryption/Obfuscation

  • c. Overview of DOM vulnerabilities
  • d. DataSafe anti-fraud profile configuration
  • Lab 6.1: Use DataSafe to Secure a Login URL

Chapter 7: Layer 7 Behavioral DoS

  • e. Overview of Proactive Bot Defense
  • f. Definition of dynamic bot signatures
  • g. Security Guided Setup for Behavioral Analysis DoS (setup does not include DoS logging profile at this time. This will need to be completed post-guided setup)
  • Lab 7.1: Mitigating Bots using L7 BaDoS
Classroom training

Duration: 1 day

Price (excluding tax)
  • France: 995,– €

No sessions currently scheduled