ASM/WAF Management Automation - TMOS

Here's the short version of my recommendations on what to do with all of this information:

• Drop IP-Based Requests via iRule to make Learning Suggestions more accurate
• Use Manual Learning if your team has the manpower and expertise to review Learning Suggestions manually. Big-IQ script "Email Ready Learning Suggestions" can help you prioritize which policies to focus on by telling you how many 100% confidence suggestions each policy has. I personally go through all suggestions weekly 
• Enforce Ready Signatures on a weekly basis on all policies. This Big-IQ script can loop through all policies to enforce ready signatures on all of them: Automate ASM "Ready to Be Enforced" Attack Signatures | DevCentral 
  • This can also be fully automated by using Ansible Tower Scheduled Jobs. I can explain how to do that if anyone is interested
  • I also use Splunk alerts for internal hits against staged signatures so that I can disable them before I run the enforcement automation to reduce the chance of false positive blocks. I can provide more info on that too if anyone is interested 

Dan