We’re looking for some advice on how to deal with Web Application Firewalls and DHIS2. In particular we are managing a complex installation of DHIS2 in WHO, where multiple departments contribute, and there is an F5 BigIP WAF running in between the server and the clients.
Very recently we had a stability issue related to BigIP. As you may know, BigIP learns from the traffic that is crossing the network and adapts the rules applied to the traffic. So dynamically these rules can change and potentially impact this traffic if the application is not properly profiled to minimize the false positives in the attack detection. In our stability issue, the requests never reached DHIS2 and, since WHO is aiming for a zero trust network, client applications received invalid responses with a 200 HTTP code sent by BigIP, which was blocking the traffic and replacing the payload with the number of the incident that it was simultaneously writing to a log file. Obviously many core and third-party applications started failing immediately, and we detected the issue by the consequences for the users.
It seems like the work with BigIP is quite resource-demanding, and we were wondering if there are other experiences with this particular software that you could share with us so we can learn from them. We don’t want to go for an unprotected platform, so we would like to learn better strategies for good DHIS2 profiling in this software that could provide a minimum of false positives with the least maintenance LoE possible. Recommendations?
Thank you in advance!
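The failure mode described above (a 200 response whose body is a WAF block page carrying an incident number instead of DHIS2 JSON) is easy to miss with a status-code-only health check. The following is an added example, not code from the original post or from DHIS2, of a small classifier that a monitoring job can run against `/api/system/info` to tell a genuine DHIS2 answer from a substituted one. It assumes that a healthy `/api/system/info` reply is a JSON object containing the `version` and `serverDate` keys, and that the WAF block page carries its incident number as text of the form "support ID is: <digits>"; both the block page wording and the sample responses below are constructed for the example.

```python
import base64
import json
import re
import urllib.request
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    content_type: str
    body: str


# Keys that a real DHIS2 /api/system/info reply contains; used as a fingerprint
# that the answer came from the application and not from a device in front of it.
EXPECTED_KEYS = {"version", "serverDate"}

# Block-page text carrying only an incident/support id. The wording is an
# assumption for this example; adjust it to the block page your WAF emits.
INCIDENT_ID_RE = re.compile(
    r"(?:support|incident)\s*id\s*(?:is)?\s*[:#]?\s*([0-9]{6,})", re.IGNORECASE
)


def classify(resp):
    """Return (verdict, detail) for one response to /api/system/info."""
    if resp.status != 200:
        return ("http_error", f"status {resp.status}")
    if "application/json" not in resp.content_type.lower():
        # A 200 with a non-JSON body is the interesting case: check for a
        # WAF incident id before treating it as some other proxy/login page.
        m = INCIDENT_ID_RE.search(resp.body)
        if m:
            return ("waf_block", f"incident id {m.group(1)}")
        return ("unexpected_content", resp.content_type)
    try:
        data = json.loads(resp.body)
    except json.JSONDecodeError:
        return ("unexpected_content", "non-JSON body with JSON content type")
    if not isinstance(data, dict) or not EXPECTED_KEYS <= data.keys():
        return ("unexpected_content", "missing expected system/info keys")
    return ("ok", data["version"])


def run_checks(samples):
    """Classify a dict of name -> Response and return name -> verdict."""
    return {name: classify(resp)[0] for name, resp in samples.items()}


def fetch_system_info(base_url, username, password, timeout=10):
    """Live probe (not exercised offline): GET /api/system/info with basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/system/info",
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return Response(r.status, r.headers.get("Content-Type", ""), r.read().decode())


# Constructed sample responses standing in for what a client might receive.
SAMPLES = {
    "healthy": Response(
        200,
        "application/json;charset=UTF-8",
        json.dumps({"version": "2.39.1", "serverDate": "2024-01-01T00:00:00.000"}),
    ),
    "waf_block": Response(
        200,
        "text/html",
        "<html><body>The requested URL was rejected. "
        "Your support ID is: 18355912345678</body></html>",
    ),
    "other_html": Response(
        200, "text/html", "<html><body><form action='/login'></form></body></html>"
    ),
    "outage": Response(503, "text/html", "Service Unavailable"),
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, classify(resp))
```

Alerting on the `waf_block` verdict (and logging the incident id it extracts) gives you a way to correlate client-side failures with the WAF's own incident log, which is what was missing when the problem above was only noticed through user complaints.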