Updated Date: 05/04/2026
Using HTTP/3 with BIG-IP WAF
BIG-IP supports Web Application Firewall (WAF) inspection of HTTP/3 client-side traffic. When a security policy is associated with an HTTP/3-enabled virtual server, traffic is inspected using the standard WAF processing pipeline. Inspection behaviour and enforcement actions are equivalent to those applied to HTTP/1.1 and HTTP/2 traffic. No additional WAF configuration is required specifically for HTTP/3 beyond associating a security policy with the virtual server.
Before enabling WAF inspection for HTTP/3 traffic, ensure that:
- The virtual server Protocol is set to UDP.
- A QUIC profile is assigned to the virtual server (client-side).
- An HTTP/3 profile is assigned to the virtual server (client-side).
- A Client SSL profile based on clientssl-quic is configured (TLS 1.3 is required).
- HTTP/3 discovery is configured. Browsers require HTTP/3 discovery before establishing HTTP/3 connections. Discovery can be configured using the Alt-Svc response header or DNS HTTPS records to advertise HTTP/3 availability.
- WAF provisioning and licensing are enabled.
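One way to check the Alt-Svc discovery prerequisite from a captured response header is sketched below. This is an added example, not F5 code: the function names and sample header values are constructed for illustration, and it assumes the HTTP/3 virtual server listens on UDP port 443.

```python
# Added example: verify that an Alt-Svc response header advertises HTTP/3.
# Function names and the header values in SAMPLES are constructed for illustration.

def split_outside_quotes(value, sep):
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_alt_svc(header):
    """Parse an Alt-Svc value (RFC 7838) into dicts: protocol, host, port, ma."""
    if header.strip().lower() == "clear":
        return []  # "clear" withdraws all previously advertised alternatives
    entries = []
    for alt in split_outside_quotes(header, ","):
        fields = split_outside_quotes(alt, ";")
        proto, sep, authority = fields[0].partition("=")
        host, _, port = authority.strip().strip('"').rpartition(":")
        if not sep or not port.isdigit():
            continue  # skip malformed alternatives
        params = {}
        for field in fields[1:]:
            key, _, val = field.partition("=")
            params[key.strip().lower()] = val.strip().strip('"')
        ma = params.get("ma", "")
        # RFC 7838: freshness lifetime defaults to 24 hours when "ma" is absent.
        entries.append({"protocol": proto.strip(), "host": host, "port": int(port),
                        "ma": int(ma) if ma.isdigit() else 86400})
    return entries

def h3_advertised(header, expected_port=443):
    """True if final HTTP/3 ("h3", not a draft such as "h3-29") is offered on expected_port."""
    return any(e["protocol"] == "h3" and e["port"] == expected_port and e["ma"] > 0
               for e in parse_alt_svc(header))

SAMPLES = ['h3=":443"; ma=86400', 'h3-29=":443"; ma=3600', 'h3=":443"; ma=0', "clear"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:32} -> h3 advertised on 443: {h3_advertised(sample)}")
```

If the check fails, browsers have no reason to switch to HTTP/3 and will keep using whatever HTTP/1.1 or HTTP/2 service answers for the same origin.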
Before associating a security policy, configure an HTTP/3-enabled virtual server. For detailed instructions on creating an HTTP/3 virtual server, see K60235402 – Configuring an HTTP/3 virtual server.
To attach a security policy:
- On the Main tab, click Security > Application Security > Security Policies.
- Create or select a security policy.
- Associate the policy with the HTTP/3-enabled virtual server.
- Save the configuration.
After the policy is associated, HTTP/3 traffic is inspected automatically.
When WAF is enabled on an HTTP/3 virtual server, all supported WAF protections are applied to HTTP/3 traffic, consistent with HTTP/1.1 and HTTP/2 inspection.
Additional protections can be enabled by associating the appropriate profiles with the virtual server:
- Bot Defense (requires a Bot Defense profile)
- Layer 7 DoS protection (requires an L7 DoS profile)
Enforcement actions (Alarm, Block, or other configured responses) are applied according to the security policy and associated profile configurations.