For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Edouard_Zorrill's avatar
Edouard_Zorrill
Icon for Nimbostratus rankNimbostratus
May 02, 2018

ASM Updates planning

Gents, just wanted to see what is the best practice. When you update ASM in a PROD environment, do you install updates in regular business hours or in a off-business hours window. I would have to tes...
ASM Advanced WAF
BIG-IQ
security
Super-NetOps
taunan_89710's avatar
taunan_89710
Historic F5 Account
May 15, 2018

Updating ASM Attack Signatures is generally considered extremely low impact, enough so that automatic updates are actually recommended, even in a prod environment:

 

https://support.f5.com/csp/article/K8217

 

You will have sufficient time to analyze any possible false positives as new signatures are placed into staging.

 

However major updates to a policy should have their impact fully understood before committing. If a full dev environment is not available at least a dev VS with a test policy may be the best option.

 

When it comes to full OS upgrades though this will always result in at least a brief outage. Best practices with an HA pair is to upgrade the standby unit of the pair first and failover to it once it becomes available again. Upgrade the previously active unit and then fail back to test. This way you have only two very quick failover events and you are effectively testing both units in the pair.

 

The question is fairly wide though. One should always adhere to their company change policies and fully understand impact before any change is made.

 

taunan_89710's avatar
taunan_89710
Historic F5 Account
May 15, 2018

Support is always available if you are unsure on any action you are about to take. Sev4 cases for unpublished or unclear information clarification are welcome :)