F5 BIG-IP Virtual Patching With Web App Scanning Results
By F5 DevCentral Community
Key Concepts
- Virtual Patching: The process of applying security policies to mitigate vulnerabilities at the WAF level without modifying the underlying application code.
- F5 Distributed Cloud (XC) Web App Scanning: A cloud-native tool used to identify security weaknesses in web applications.
- F5 BIG-IP Advanced WAF (Web Application Firewall): An on-premises or hybrid security solution that protects applications from exploits.
- OWASP Top 10: A standard awareness document for developers and web application security practitioners, used here to categorize vulnerabilities.
- CVE (Common Vulnerabilities and Exposures): A catalogue of publicly disclosed security flaws, each with a unique identifier. The severity "score" the video refers to is a CVSS (Common Vulnerability Scoring System) rating attached to a finding; the CVE identifier itself carries no score.
- Vulnerability Assessment Baseline: A specific policy template in BIG-IP Advanced WAF designed to integrate external scan data.
1. Workflow for Virtual Patching
The process integrates cloud-based scanning with on-premises enforcement to secure applications efficiently.
- Scanning: Perform a scan using the F5 Distributed Cloud Web App Scanning tool.
- Exporting: Generate an XML report from the scan results containing the identified vulnerabilities and their CVSS severity scores.
- Policy Creation: Create a new security policy in the BIG-IP Advanced WAF using the "Vulnerability Assessment Baseline" template.
- Importing: Import the XML file into the BIG-IP policy settings.
- Mitigation: Review, stage, and resolve the vulnerabilities within the WAF policy.
- Verification: Re-run the scan to confirm the reduction in vulnerability count.
2. Step-by-Step Implementation Details
Phase 1: Scanning and Data Export
- Navigate to the F5 Distributed Cloud Console and access the Web App Scanning UI.
- Select the target application to view the dashboard, which displays metrics categorized by the OWASP 2025 Top 10.
- Identify vulnerabilities with high CVSS scores.
- Export the findings as an XML file, which serves as the input for the WAF policy.
Phase 2: Configuring BIG-IP Advanced WAF
- In the Application Security Policy UI, create a new policy.
- Crucial Step: Select "Vulnerability Assessment Baseline" as the policy template.
- Assign the policy to the appropriate Virtual Server and set the enforcement mode to "Blocking". Blocking mode alone does not enforce the imported findings: each mitigation is only enforced once it is marked "Resolved" rather than left in staging (see Phase 3).
- Navigate to Vulnerability Settings and select "Generic Scanner" as the tool.
- Import the previously downloaded XML file. The wizard will display the domains affected; select the relevant services domain.
Phase 3: Remediation and Enforcement
- Review the list of vulnerabilities. For each, choose "Resolve in Stage" (the mitigation is applied in staging, so matching requests are logged but not blocked) or "Resolve" (the mitigation is actively enforced).
- Staging: Leave the mitigations in staging long enough to observe real traffic and confirm that no false positives or service disruptions occur.
- Finalization: Once verified, mark the vulnerabilities as "Resolved" and apply the policy changes to the production environment.
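As an added example (not code from the video, from F5 DevCentral, or from F5's own tooling), the script below performs the two review steps a practitioner wants to do offline around this procedure: triage a baseline export into "Resolve in Stage" versus "Resolve" decisions, and diff the baseline against the post-patch re-scan to see which findings the WAF policy actually suppressed, which remain, and which are new. The XML layout (a flat `scanner_vulnerabilities` / `vulnerability` structure with `attack_type`, `url`, `parameter`, `severity` and `score` elements) and both sample exports are constructed assumptions; adjust the element names to whatever your scanner actually emits.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports, NOT real scan output. Element names are an
# assumption about the generic-scanner layout; adapt them to your export.
BASELINE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<scanner_vulnerabilities>
  <vulnerability><attack_type>SQL-Injection</attack_type><url>/api/v1/orders</url><parameter>id</parameter><severity>High</severity><score>9.8</score></vulnerability>
  <vulnerability><attack_type>SQL-Injection</attack_type><url>/api/v1/orders</url><parameter>sort</parameter><severity>High</severity><score>8.6</score></vulnerability>
  <vulnerability><attack_type>Command Execution</attack_type><url>/admin/ping</url><parameter>host</parameter><severity>High</severity><score>9.1</score></vulnerability>
  <vulnerability><attack_type>Cross Site Scripting (XSS)</attack_type><url>/search</url><parameter>q</parameter><severity>Medium</severity><score>6.1</score></vulnerability>
  <vulnerability><attack_type>Information Leakage</attack_type><url>/server-status</url><severity>Medium</severity><score>5.3</score></vulnerability>
</scanner_vulnerabilities>
"""

RESCAN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<scanner_vulnerabilities>
  <vulnerability><attack_type>Cross Site Scripting (XSS)</attack_type><url>/search</url><parameter>q</parameter><severity>Medium</severity><score>6.1</score></vulnerability>
  <vulnerability><attack_type>Information Leakage</attack_type><url>/server-status</url><severity>Medium</severity><score>5.3</score></vulnerability>
  <vulnerability><attack_type>Path Traversal</attack_type><url>/download</url><parameter>file</parameter><severity>High</severity><score>7.5</score></vulnerability>
</scanner_vulnerabilities>
"""

HIGH_THRESHOLD = 7.0  # CVSS v3.x "High" band starts at 7.0


def parse_findings(xml_text):
    """Return one dict per <vulnerability>. Missing text fields become '',
    an unparsable score becomes 0.0. If the export comes from a system you
    do not control, parse it with defusedxml instead of the stdlib parser."""
    root = ET.fromstring(xml_text)
    findings = []
    for v in root.iter("vulnerability"):
        f = {tag: (v.findtext(tag) or "").strip()
             for tag in ("attack_type", "url", "parameter", "severity", "score")}
        try:
            f["score"] = float(f["score"])
        except ValueError:
            f["score"] = 0.0
        findings.append(f)
    return findings


def finding_key(f):
    """Identity of a finding across scans: same attack class, URL and parameter."""
    return (f["attack_type"], f["url"], f["parameter"])


def triage(findings, validated_types=frozenset()):
    """Map each finding to the WAF action. Everything defaults to staging;
    only attack types the operator has already validated in staging on
    real traffic are promoted straight to 'Resolve' (enforced)."""
    return {finding_key(f): ("Resolve" if f["attack_type"] in validated_types
                             else "Resolve in Stage")
            for f in findings}


def diff_scans(before, after):
    """Compare baseline and re-scan by finding key (duplicates collapse)."""
    b = {finding_key(f): f for f in before}
    a = {finding_key(f): f for f in after}
    return {
        "before_total": len(b),
        "after_total": len(a),
        "high_before": sum(f["score"] >= HIGH_THRESHOLD for f in b.values()),
        "high_after": sum(f["score"] >= HIGH_THRESHOLD for f in a.values()),
        "mitigated": sorted(b.keys() - a.keys()),  # no longer reproducible through the WAF
        "remaining": sorted(b.keys() & a.keys()),  # policy did not cover these
        "new": sorted(a.keys() - b.keys()),        # scanner coverage differs between runs
    }


if __name__ == "__main__":
    baseline = parse_findings(BASELINE_XML)
    rescan = parse_findings(RESCAN_XML)
    for key, action in triage(baseline, validated_types={"SQL-Injection"}).items():
        print(f"{action:17s} {key}")
    report = diff_scans(baseline, rescan)
    print(f"high-severity findings: {report['high_before']} -> {report['high_after']}")
    for bucket in ("mitigated", "remaining", "new"):
        print(bucket, report[bucket])
```

The "mitigated" bucket only means the scanner can no longer reproduce the finding through the WAF; the defect is still in the application code. The "new" bucket is worth a look before reporting a regression, since scanners do not always exercise the same paths on every run.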
3. Results and Impact
- Before Patching: The application showed over 1,700 vulnerabilities with high CVSS scores.
- After Patching: Following the import and application of the security policy, the re-scan reported 55 vulnerabilities.
- Outcome: Over 1,600 high-severity findings were mitigated through WAF policy updates rather than manual code remediation. The reduced count means the WAF now blocks the scanner's probes for those findings; the underlying code defects still exist and still need to be fixed.
4. Synthesis and Conclusion
The integration between F5 Distributed Cloud and BIG-IP Advanced WAF provides a streamlined "Virtual Patching" framework. By using scan data to inform WAF policies, security teams can significantly reduce the exposed attack surface of their applications while code fixes are scheduled. The "Vulnerability Assessment Baseline" template is the critical technical link: it lets the WAF ingest external scan data and map each finding to a blocking rule that the operator then stages and resolves, bridging the gap between cloud-based vulnerability discovery and on-premises threat mitigation. Virtual patching is a compensating control, not a replacement for remediating the application itself.