ASM policy building
Hi
I am going to start deploying ASM policies for some applications in a site. Is there any document regarding what all information should be taken from the application team before starting off with the policy building on F5? I understand we need the web server, database server, framework details... what else? It would be of great help. Thank you.
- ltwagnon
Ret. Employee
Here's a series I wrote on the ASM (it's a little dated, but it might give you some good starting info). Here's the first in the series of articles (there are 10 total): https://devcentral.f5.com/articles/the-big-ip-application-security-manager-part-1-what-is-the-asm
I would really advise involving your F5 partner in such a project. Having experience is worth a lot on ASM, else it will most likely be a long and difficult road.
Also be sure to involve the application / web team. ASM projects done by only the network / firewall guys usually don't go that well.
- Simon_Blakely
Employee
Make sure you understand the data being exchanged.
In particular, XML and JSON content profiles need to be applied to the appropriate URLs/Content-Types.
- Kel
Nimbostratus
Something you may also want to do is get input from Security folks, i.e. be able to cover your organisation's security requirements, which will translate to which settings you switch on in your policy. A report from an application vulnerability assessment can also give you helpful answers.
It doesn't provide specific config or such, but gives a good idea of what you can focus on, with pros and cons:
https://support.f5.com/csp/article/K07359270