Forum Discussion
ASM: convert from rapid deployment to comprehensive -- how to
We have a few old ASM policies that were implemented via rapid deployment. These policies are used in production (public-facing). We want to convert them to comprehensive. Has anyone out there done anything like this, and if so, how would you recommend it be done? My thought is to create a new policy in the non-prod environment with a set of trusted IPs that are internal users who can thoroughly test the app. Has anyone come up with a better approach to achieving this goal?
- Erik_Novak
Employee
Building a policy using traffic from trusted IPs is always advisable. However, the conversion idea is trickier. Your rapid deployment template-based policies rely heavily on attack signatures, RFC compliance, and other negative security elements. Once you create a policy from a template, you cannot change the template, even if you export it and use it to build a new policy. What is your goal for deploying a policy based on the comprehensive template? The learning and blocking settings for comprehensive are much different than those for rapid deployment: There will be learning suggestions for file types, parameters, URLs, etc. that don't exist in the rapid deployment-based policies. One option would be to export your existing policies, and then modify the learning method (manual or automatic) and the learn, alarm, and block flags for the violations you are interested in implementing to build your new policy. By running trusted traffic, you will certainly reduce the number of false positives, but you should be prepared for some manual tuning.