Thanks Erik for the reply, We have policies that works well. But what i am looking for is more of a business side of minimum/baseline level of security configuration (settings) when creating policies..like the acceptable length of URL to be 2048. We have many applications (legacy) that uses more than 2048 which is considered as a risk. If an alert occur and i go back to application team with recommended size of 2048 he is going to ask me the 'what is your baseline configuration settings'? or he will say 'What's F5 recommendation (i know its silly and hard to explain to these guys !) . We need this documentation to convince the client/business that you cannot deviate the standards. If deviation we will ask for RAF ( Risk acceptance Form) to be approved by management so that this risk wont kept on our (security guys) shoulder. Simply i need to noted down all the baseline configuration settings in a document and approved by security & application owner.