Forum Discussion

K-Dubb's avatar
K-Dubb
Icon for Nimbostratus rankNimbostratus
May 30, 2019

Can you have too long of an Enforcement Readiness period?

We are currently testing with a 30 day readiness period. The standard recommended seems to be 7. We have applications that may not have certain pages/functions hit in 7 days, and it may take 30 to ev...
ASM Advanced WAF
security
Andrew-F5's avatar
Andrew-F5
Icon for Employee rankEmployee
Jun 11, 2019

Q: Is this too long of an enforcement readiness period?

A: The enforcement readiness should suit your environment so the literal answer here is no. But as you noted in the remainder of your post there are certain risks.

 

Q: Do we run the risk of an actual attack or suggestion from an actual attack being lost because of such a long period? For example, say in a 7 day period signature x was not triggered and therefore ready to be enforced. However, in a 30 day period it was (yet it was an actual attack), so then it is moved to staging and never enforced in that period.

A: This may depend on whether you're using auto policy builder (APB) or not. If you are using APB within production traffic that will skew the results, ideally you only want to pass known good traffic through your ASM policy with APB enabled. If using manual learning then you will be manually enforcing suggestions regardless of the readiness period so you could have the same results between 7 or 30 days dependent on how often you're administering your policy.

 

Best,

Andrew