Forum Discussion

suthomas1's avatar
suthomas1
Icon for Cirrostratus rankCirrostratus
Oct 07, 2022

ASM policy

Good day all,

I had the following doubts in doing a new policy for a VS.

1) Is an HTTP profile necessary to attach an existing VS to the sec policy?

2) Initial mode is enforcement for 7 days as i understand. After 7 days, does it go to Blocking mode by itself or its manually done?

3) If its manual, once its changed to Blocking mode does it disrupt the VS connections generally except otherwise if any secuirty events against the sec policy blocks malicious attempts etc.?

4) what are the other things to be sure about when creating a new policy.

Appreciate all inputs, thanks in advance.

 

  • 1) Is an HTTP profile necessary to attach an existing VS to the sec policy?

    Yes, it is. HTTP profile purpose is to correctly parse HTTP data and identify the various elements of the request, so that your policy can verify and eventually match the violations. If you don't assign HTTP profile, traffic will be treated as a generic flow of data. 

    If  traffic is encrypted, of course you need SSL profiles as well.

     

    2) Initial mode is enforcement for 7 days as i understand. After 7 days, does it go to Blocking mode by itself or its manually done?

    Transition to blocking is manual. Also, depending on your learning configuration, some of the entities might require manual enforcement in order to be effectively deployed. 

     

    3) If its manual, once its changed to Blocking mode does it disrupt the VS connections generally except otherwise if any secuirty events against the sec policy blocks malicious attempts etc.?

    When you configure Blocking mode, the WAF policy will actively start to intercept all traffic that matches a violation. You should perform traffic learning on the application and tune your security policy accordingly before attempting this transition. 

     

    4) what are the other things to be sure about when creating a new policy.

    It's always best to have a good understanding of what the web application does and what type of traffic is expected, in order to avoid "loosening" the controls too much. A good WAF tuning is effective in intercepting zero-day attacks. 

    You should also know how often the application is subject to changes: if the application changes with monthly frequence (or more) it's pretty difficult to perform deep-learning of application traffic and a lot of false positives might show up. Also, knowing when application will change is important because WAF configuration will likely require some tuning in order to have the most effective protection. 

    Last thing worth mentioning, if you're scheduling extensive learning periods, make sure that NO pentesting/scans/... are performed (or at least bypass learning for those IP's) because it might leanr & allow some "bad" traffic which is actually not needed. 

  • Hello,

     

    Better read the F5 Advanced WAF/ASM operations guide as to have general knowedge about the product(it is not that long):

    https://support.f5.com/csp/article/K73819494

     

    Also F5 has great self-learnings or instructor trainings:

     

    https://www.f5.com/services/training#sort=%40f5_title_sort%20ascending&f:@f5_primary_product=[Advanced%20WAF]&f:@f5_document_type=[Instructor-led]

     

     

    Before there were F5 getting started series for every F5 module but for some reason they are removed. Still I found the getting started in youtube and for a fast review for 1 hour and get answers to your questions you can see it but still better after that to read the operations guide and if you are going to work with Advanced WAF it will be really good to go to the instructor training:

     

    https://www.youtube.com/watch?v=XmAreg7RNr0

  • 1) Is an HTTP profile necessary to attach an existing VS to the sec policy?

    Yes, it is. HTTP profile purpose is to correctly parse HTTP data and identify the various elements of the request, so that your policy can verify and eventually match the violations. If you don't assign HTTP profile, traffic will be treated as a generic flow of data. 

    If  traffic is encrypted, of course you need SSL profiles as well.

     

    2) Initial mode is enforcement for 7 days as i understand. After 7 days, does it go to Blocking mode by itself or its manually done?

    Transition to blocking is manual. Also, depending on your learning configuration, some of the entities might require manual enforcement in order to be effectively deployed. 

     

    3) If its manual, once its changed to Blocking mode does it disrupt the VS connections generally except otherwise if any secuirty events against the sec policy blocks malicious attempts etc.?

    When you configure Blocking mode, the WAF policy will actively start to intercept all traffic that matches a violation. You should perform traffic learning on the application and tune your security policy accordingly before attempting this transition. 

     

    4) what are the other things to be sure about when creating a new policy.

    It's always best to have a good understanding of what the web application does and what type of traffic is expected, in order to avoid "loosening" the controls too much. A good WAF tuning is effective in intercepting zero-day attacks. 

    You should also know how often the application is subject to changes: if the application changes with monthly frequence (or more) it's pretty difficult to perform deep-learning of application traffic and a lot of false positives might show up. Also, knowing when application will change is important because WAF configuration will likely require some tuning in order to have the most effective protection. 

    Last thing worth mentioning, if you're scheduling extensive learning periods, make sure that NO pentesting/scans/... are performed (or at least bypass learning for those IP's) because it might leanr & allow some "bad" traffic which is actually not needed. 

  • I have also noticed, policies under VS where it states what sub-links (eg. /abc /xyz from a site link) should be allowed.

    Is this actually part of ASM or is it different from ASM? Are the logs expected to be seen in ASM for these policies?