Forum Discussion

F5Team
Dec 05, 2023

ASM - Attack Signature - Miss Match on Active and Standby

ASM is on HA. Both are in Sync.

We observe on multiple policies, that the number of signatures ready to be enforced and the suggestions available on Active and Standby are different.

Is this an issue or expected behaviour?
Will the signatures ready to be enforced and the suggestions available be in sync on Active and Standby?
If we have to fail over, it might cause an issue as it's not in sync.

9 Replies

  • Hi F5Team,

    Enforcement readiness is a per-policy behavior. Different policies have different sets of attack signatures based on the kind of environment and application those policies are protecting; the signature list and count for a Windows OS based policy will be different from those for a Linux OS based policy, and so on.


    The easiest way to check is in the GUI: compare per policy on both boxes, since different policies may have different sets of applicable signatures based on the environment selection. Let me know if there are still discrepancies in the attack signatures of policies with the same name:

    move to Security > Policies > Policy List > (policy name) > Attack Signatures  menu, and filter Status: Ready to be enforced.


    Enforcing entities

    After you create a security policy and traffic is sent to the web application, new entities are added by means of learning explicit entities, and existing entities are modified through staging. You can review the entities and signatures that are in staging or that are ready to be enforced, and add them to the security policy.
    1. On the Main tab, click Security > Application Security > Policy Building > Enforcement Readiness. The Enforcement Readiness summary screen opens.
    2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
    3. To enforce all entities that are ready to be enforced, click Enforce Ready. If you select this option, you are done. Continue only if you want to enforce selected entities or signatures.
    4. In the Enforcement Readiness Summary, check to see if a number appears in the Not Enforced column. A number greater than zero indicates that entities of that type are in staging or with learn explicit entities enabled.
    5. Click the number in the Not Enforced column. The allowed file types, URLs, parameters, cookies, signatures or redirection protection list opens showing the entities that you can enforce.
    6. Select the entities you want the security policy to enforce, and click Enforce.
      The system removes the selected entities or signatures from staging. If any of the entities are wildcards that are learning explicit entities, the wildcards are deleted.

      Or, in older versions, move to the Application Security > Attack Signatures menu, select the intended policy from the drop-down menu, then expand the Advanced Filter and select "Ready to be enforced" for Staging.

      HTH

      🙏

  • Have you configured it here?: Security -> Options -> Application Security -> Synchronization -> Application Security Synchronization

    • F5Team

      I see it's configured on both Active and Standby devices.


  • The screenshot which I had shared is of the same policy on Active and Standby. The numbers are different.
    Likewise, we have multiple policies for which the signatures ready to be enforced and the suggestions available are different on Active and Standby.


    Does configuring the Device group under this option keep this in sync?

    Security -> Options -> Application Security -> Synchronization -> Application Security Synchronization

    I would verify this and confirm.

  • Thanks for confirming that the screenshot you shared is of the same policy on Active and Standby.

    Do the config sync for ASM policies only on one of the devices in the cluster:

    Security -> Options -> Application Security -> Synchronization -> Application Security Synchronization

    • F5Team

      I see it's configured on both Active and Standby devices.

      So should the device groups be removed on the standby, and when we sync again from the active, do we see the numbers for signatures ready to be enforced and the suggestions matching?

      What if the devices fail over and the standby becomes active, and it does not have the device group configured under the option below, so we can't sync the changes?

      Security -> Options -> Application Security -> Synchronization -> Application Security Synchronization

      Would removing the device groups on one of the devices have any other impact?

  • Here is the confirmation from F5 for reference.

    1. The number of "signatures ready to be enforced", and also "signatures have suggestions", are both related to traffic learning (Automatic Policy Builder, APB), which is built on the real traffic passed through that device. Therefore, if the active and standby have had different traffic traverse them, the suggestions provided by traffic learning will be different for sure.

    2. Basically, the active device may normally have more suggestions, since more traffic is taken by the active device.

    3. The learning suggestions of traffic learning are not synchronized by design, no matter whether ASM configuration synchronization is enabled or not.

    4. ASM policies will be changed only after you manually accept the suggestion to change ASM policies, or APB updates a BIG-IP ASM policy automatically. If the changes are applied to the ASM policies, then this configuration change of the ASM policies will be synchronized in the device cluster.

    5. Therefore, the traffic processing will not have any difference, since the ASM policies are the same.

    6. When you perform a failover, the suggestions which are already applied are in sync between the devices, but the number of suggestions will always be different on active and standby, and this is by design.

    7. In general, Real Traffic Policy Builder can run on only one system per security policy. For example, you can set up automatic security policy building on one system that is a member of an ASM-enabled device group; the policy is built on that system and then automatically updated on all of the systems in the device group.
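The practical check behind this thread, as an added example that is not part of the original posts, F5's reply, or any F5 tool: the first reply compares per-policy signature counts in the GUI on both boxes, and F5's confirmation explains why the "ready to be enforced" and "has suggestions" numbers will legitimately differ (learning is per device) while the enforced policy itself is what config sync replicates. A pre-failover comparison should therefore diff only the enforced fields of each signature and report suggestion-only differences as expected noise. The script assumes the policy's signature list has been exported from each device as JSON with one record per signature carrying `enabled`, `performStaging` and `hasSuggestions` (field names modelled on what iControl REST returns for a policy's signatures, but treated here as an assumption), and the two sample exports are constructed for illustration.

```python
"""Diff the enforced attack-signature state of one ASM policy across two devices.

Fields replicated by ASM config sync (enabled / staging) are compared strictly;
the per-device learning field (hasSuggestions) is reported separately, because
the thread's F5 confirmation says it is never synchronized by design.
"""
import json
from typing import Dict, List

ENFORCED_FIELDS = ("enabled", "performStaging")   # assumed: part of the synced policy
LEARNING_FIELDS = ("hasSuggestions",)             # assumed: per-device learning state

# Constructed sample exports of the same policy from the Active and Standby units.
ACTIVE_JSON = json.dumps({"items": [
    {"signatureReference": {"name": "SQL injection attempt"}, "enabled": True,  "performStaging": False, "hasSuggestions": True},
    {"signatureReference": {"name": "XSS script tag"},        "enabled": True,  "performStaging": True,  "hasSuggestions": True},
    {"signatureReference": {"name": "Path traversal"},        "enabled": True,  "performStaging": True,  "hasSuggestions": False},
    {"signatureReference": {"name": "OS command shell"},      "enabled": False, "performStaging": False, "hasSuggestions": False},
    {"signatureReference": {"name": "Buffer overflow (Header)"}, "enabled": True, "performStaging": True, "hasSuggestions": False},
]})
STANDBY_JSON = json.dumps({"items": [
    {"signatureReference": {"name": "SQL injection attempt"}, "enabled": True,  "performStaging": False, "hasSuggestions": True},
    {"signatureReference": {"name": "XSS script tag"},        "enabled": True,  "performStaging": True,  "hasSuggestions": False},  # saw less traffic
    {"signatureReference": {"name": "Path traversal"},        "enabled": True,  "performStaging": False, "hasSuggestions": False},  # enforced here only
    {"signatureReference": {"name": "OS command shell"},      "enabled": False, "performStaging": False, "hasSuggestions": False},
]})


def load_signatures(raw: str) -> Dict[str, dict]:
    """Parse an exported signature list into {signature name: record}."""
    data = json.loads(raw)
    return {item["signatureReference"]["name"]: item for item in data.get("items", [])}


def summarize(sigs: Dict[str, dict]) -> Dict[str, int]:
    """Counts equivalent to the per-policy numbers being compared in the GUI."""
    return {
        "total": len(sigs),
        "enabled": sum(1 for s in sigs.values() if s["enabled"]),
        "staging": sum(1 for s in sigs.values() if s["performStaging"]),
        "with_suggestions": sum(1 for s in sigs.values() if s.get("hasSuggestions")),
    }


def compare_enforced_state(active_raw: str, standby_raw: str) -> Dict[str, List]:
    """Classify every signature as identical, drifted (enforced fields differ),
    learning-only difference, or missing on one side."""
    active, standby = load_signatures(active_raw), load_signatures(standby_raw)
    result: Dict[str, List] = {"drift": [], "learning_only": [],
                               "missing_on_standby": [], "missing_on_active": []}
    for name in sorted(set(active) | set(standby)):
        a, s = active.get(name), standby.get(name)
        if a is None:
            result["missing_on_active"].append(name)
            continue
        if s is None:
            result["missing_on_standby"].append(name)
            continue
        enforced_diff = [(f, a[f], s[f]) for f in ENFORCED_FIELDS if a[f] != s[f]]
        if enforced_diff:
            result["drift"].append((name, enforced_diff))
        elif any(a.get(f) != s.get(f) for f in LEARNING_FIELDS):
            result["learning_only"].append(name)   # expected: learning is per device
    return result


def is_safe_to_fail_over(result: Dict[str, List]) -> bool:
    """True only when the enforced policy is identical on both units;
    learning-only differences do not block failover."""
    return not (result["drift"] or result["missing_on_standby"] or result["missing_on_active"])


if __name__ == "__main__":
    for label, raw in (("active", ACTIVE_JSON), ("standby", STANDBY_JSON)):
        print(label, summarize(load_signatures(raw)))
    report = compare_enforced_state(ACTIVE_JSON, STANDBY_JSON)
    for key, entries in report.items():
        print(f"{key}: {entries}")
    print("safe to fail over:", is_safe_to_fail_over(report))
```

On the constructed data the summary counts differ on every column, which is the symptom the thread describes, yet only two findings are real configuration drift: "Path traversal" is enforced (out of staging) on the standby but not on the active, and "Buffer overflow (Header)" is missing from the standby's copy of the policy. The "XSS script tag" difference is suggestion-only and is exactly the expected per-device learning noise from F5's point 3.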