Forum Discussion

F5Team's avatar
F5Team
Icon for Cirrus rankCirrus
Dec 05, 2023

ASM - Attack Signature - Miss Match on Active and Standby

ASM is on HA. Both are in Sync. We observe on multiple policies, that the number of signatures ready to be enforced and the suggestions available on Active and Standby are different. Is t...
security
F5_Design_Engineer's avatar
F5_Design_Engineer
Icon for MVP rankMVP
Dec 05, 2023

Hi F5Team,

Enforcement readiness is a per-policy behavior. Different policies have different set of attack signature based on the kind of environment and application those policy are protecting, Windows OS based policy signature list and number will be different from those for Linux based OS policy and so on.


Easiest way to find it will be in the GUI, and compare per policy on both boxes as different policies may have different sets of signature applicable based on the environment selection to get the clarity and let me know if stil discrepancies on the same name polices attack signatures :

move to Security > Policies > Policy List > (policy name) > Attack Signatures  menu, and filter Status: Ready to be enforced.

 

Enforcing entities

After you create a security policy and traffic is sent to the web application, new entities are added by means of learning explicit entities, and existing entities are modified through staging. You can review the entities and signatures that are in staging or that are ready to be enforced, and add them to the security policy.
  1. On the Main tab, click Security > Application Security > Policy Building > Enforcement Readiness. The Enforcement Readiness summary screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. To enforce all entities that are ready to be enforced, click Enforce Ready. If you select this option, you are done. Continue only if you want to enforce selected entities or signatures.
  4. In the Enforcement Readiness Summary, check to see if a number appears in the Not Enforced column. A number greater than zero indicates that entities of that type are in staging or with learn explicit entities enabled.
  5. Click the number in the Not Enforced column. The allowed file types, URLs, parameters, cookies, signatures or redirection protection list opens showing the entities that you can enforce.
  6. Select the entities you want the security policy to enforce, and click Enforce.
    The system removes the selected entities or signatures from staging. If any of the entities are wildcards that are learning explicit entities, the wildcards are deleted.
     
    Or, in older versions, move to the Application Security > Attack Signatures menu, select the intended policy from the drop-down menu, then expand the Advanced Filter and select "Ready to be enforced" for Staging. 
     

     

    HTH

    🙏