Forum Discussion
DanSkow
Feb 21, 2024 · Cirrus
ASM/WAF Management Automation - TMOS
This post is to go over some of my thoughts on ASM/WAF management, and some custom solutions I've made to make it easier and more accurate. This will be highly technical and will apply to most use-ca...
DanSkow
Feb 21, 2024 · Cirrus
Here's the short version of my recommendations on what to do with all of this information:
- Drop IP-Based Requests via iRule to make Learning Suggestions more accurate
- Use Manual Learning if your team has the manpower and expertise to review Learning Suggestions manually. Big-IQ script "Email Ready Learning Suggestions" can help you prioritize which policies to focus on by telling you how many 100% confidence suggestions each policy has. I personally go through all suggestions weekly.
- Enforce Ready Signatures on a weekly basis on all policies. This Big-IQ script can loop through all policies to enforce ready signatures on all of them: Automate ASM "Ready to Be Enforced" Attack Signatures | DevCentral
- This can also be fully automated by using Ansible Tower Scheduled Jobs. I can explain how to do that if anyone is interested.
- I also use Splunk alerts for internal hits against staged signatures so that I can disable them before I run the enforcement automation to reduce the chance of false positive blocks. I can provide more info on that too if anyone is interested.
Dan
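
The first recommendation above, as an added example iRule (not the poster's own rule, which this page does not show): it drops requests whose Host header is an IP literal instead of a hostname, so that traffic never reaches the ASM policy and generates no Learning Suggestions. Reading "IP-based" as an IPv4 or bracketed IPv6 Host value, and logging each drop to local0, are assumptions.

```tcl
when HTTP_REQUEST {
    # Host header as sent by the client, lower-cased; may carry a :port suffix.
    set host [string tolower [HTTP::host]]

    # Bracketed IPv6 literal, e.g. [2001:db8::10]:443
    set is_ip [string match {\[*\]*} $host]

    # Dotted-quad IPv4 literal with optional port, e.g. 192.0.2.10:8443
    if { !$is_ip && [regexp {^\d{1,3}(\.\d{1,3}){3}(:\d+)?$} $host] } {
        set is_ip 1
    }

    if { $is_ip } {
        # Keep a record so legitimate IP-based clients (health monitors,
        # internal tools) can be spotted before the rule is relied on.
        log local0.info "Dropped IP-based request: client=[IP::client_addr] host=$host"
        drop
        return
    }
}
```

Review the local0 entries for a while after attaching the rule to a virtual server; on busy listeners the log line may need to be removed or sampled.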