Get Ahead of Web App Security by Migrating from BIG-IP ASM to F5 Advanced WAF

Navpreet Gill 缩略图
Navpreet Gill
Published June 11, 2021

As application technology evolves, so does the threat landscape. Robust security measures must follow suit. Unfortunately, web application attacks are a reality and happen every minute across the globe. In addition, new attack vectors that target mobile apps and APIs are emerging. Now, more than ever, comprehensive web and API security tools are needed.

F5 continues to invest in web app and API security, with a broad portfolio of solutions to protect apps wherever they are deployed. As a result of the evolution in the WAF portfolio, F5 has officially placed BIG-IP Application Security Manager (ASM) into End of Sale (EoS) status as of April 1st, 2021 (F5 Support Announcement – K72212499).

F5 initially offered ASM starting in 2004. Our WAF portfolio has expanded significantly since then to include F5 Advanced WAF, F5 Silverline Managed WAF, and NGINX App Protect (NAP). We want to ensure you’re getting the best solution from F5 that addresses your specific needs while also streamlining our offerings. Advanced WAF has been the premier WAF offering since its introduction, as it includes all the features and functionality of BIG-IP ASM in addition to several expanded capabilities.

As a BIG-IP ASM customer, you can continue to consume ASM until the end of your contract or subscription (if you choose to) without any impact. You will be able to renew your service agreement based on your initially purchased license. But you will no longer be eligible to buy or trade-in for a new BIG-IP ASM license as of the EoS date.

Another alternative—and perhaps a better one for the many reasons listed below—is for existing customers to upgrade to Advanced WAF version 14.1 or higher (or switch license if running ASM 14.1) at no cost as of the EoS date. Since Advanced WAF is based on the same proven technology as BIG-IP ASM, the migration is straightforward. To leverage this no-cost migration, simply reactivate your license key, and after migrating, you will start seeing the Advanced WAF feature flags listed here:

F5’s Advanced WAF offers improved usability and application protection enhancements, including new guided configurations that simplify deployment, dashboards that provide greater visibility, expanded L7 DoS protection capabilities, DataSafe feature that protects sensitive data fields from compromise in real-time, and protection for APIs. Some augmentations such as Threat Campaigns are also available as add-ons for purchase once a license has been reactivated and upgraded to BIG-IP version 14.1 or greater. Another benefit of this no-cost migration is that you’ll just continue to pay for support fees associated with your original purchase. Your ASM support terms will continue to apply after you migrate to Advanced WAF—great news! Please note that the no-cost migration only applies to Advanced WAF version 14.1 or greater. To learn more about activating your license key and additional details on how the Advanced WAF license differs from ASM, please visit DevCentral.

Yet another reason for you to migrate from the end of sale BIG-IP ASM to F5 Advanced WAF is the enhanced API protections and integration with modern application development frameworks.

With Agile development models in place, it has become difficult for SecOps to keep pace with applications developers and DevOps teams to implement security controls properly. Modern applications are comprised of microservices and APIs, and use open-source software, increasing risk and the threat surface area. A recent Gartner eBook points out cybersecurity mesh as this year’s (2021) #1 security and risk. Why does security continue to be a challenge?

Contemporary development processes are based on continuous integration/continuous development (CI/CD) principles, where security controls—especially WAF—are often placed at the end or out of the Software Development Life Cycle (SDLC). So, if DevOps runs into a failed test at the “Operate” stage, it’s treated as a security misconfiguration. This can create tension between DevOps and SecOps (once again) and force DevOps to go back to the code, repair it, and then again press onward to deploy, operate, and monitor—missing time to market and reducing competitive advantage.

However, when we shift security controls left in the CI/CD pipeline, DevOps and SecOps share the responsibility of security throughout the process and treat any “security misconfiguration” as missing test use cases in the development phase.

To better address this situation, F5 can align WAF policy construction and baselining into the development process. F5 leverages an approach that enables both infrastructure and security policy controls to be provided as code in the form of a declarative API. This allows F5 Advanced WAF customers to automate both application deployment and WAF policies, as depicted in the diagram below:

And just like application source code, F5 WAF policies can reside in a repository, enabling SecOps to own and maintain common security controls that can be integrated into the development pipeline just like any other piece of code. This approach helps DevOps and SecOps bridge operational gaps and bring apps to market faster with lower cost and higher security efficiency. Check out this Solution Guide to learn more about security automation for DevOps with F5 Advanced WAF.

Another option for BIG-IP ASM customers who may be looking to migrate is NGINX App Protect (NAP), which delivers F5 WAF technology on the NGINX platform. NGINX App Protect is simple, lightweight, and easy to operate, delivering proven security from Advanced WAF, as the Advanced WAF engine serves as the foundation of NGINX App Protect.

F5’s Advanced WAF engine is also the foundation for F5’s web application security services, including Silverline Managed WAF, which provides the robust app security controls of Advanced WAF as a fully managed service. By incorporating the Advanced WAF engine into Silverline, customers can easily apply current ASM security policies to Silverline Managed WAF.

The F5 Advanced WAF engine enables consistent WAF protection policies to be portable to any environment, including public/private clouds, on-premises, and even hybrid environments. The familiarity of the user interface, similar policies, and policy creation across F5 offerings leveraging the F5 Advanced WAF engine (F5 Advanced WAF, Silverline Managed WAF, and NGINX App Protect) provides customers a simple, unified, consistent experience across F5’s WAF portfolio.

To learn more about migrating from BIG-IP ASM, please contact F5 or your applicable channel partner. In addition, attend the upcoming live webinar at 10 a.m. PT on Tuesday, June 15: Upgrade Your F5 Advanced WAF Protection and Stop Unwanted Bot Traffic