Best practice to put security signatures in blocking mode
What is the best practice to put security signatures in blocking mode? Should we put security signatures in blocking mode before putting them in production, or should we put them in detection mode and, after analyzing the traffic, put them in blocking mode one by one? If we follow the second method, is there any possibility of legitimate traffic suddenly being blocked when we change any signature to blocking mode? Do we have any best practice document on this?
4 Replies
I'm afraid there won't be any best practice because it just differs per the requirements of the user.
Do you want to be more safe and risk (some) false positives? Put them into blocking right away.
Do you want to be a little less safe? Put them into staging and see if they are hit, investigate, and after staging enable them.
- Rchattop_307189
Nimbostratus
Is it possible to put a few of the known malicious signatures in blocking mode initially and the rest of the signatures in detection mode?
- nag_54823
Cirrostratus
Yes. It's possible. We need to enable signature staging and individually enforce each signature that will go to blocking mode.
- Rchattop_307189
Nimbostratus
Thanks a lot.