F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

abumo_1124's avatar
abumo_1124
Icon for Nimbostratus rankNimbostratus
Oct 20, 2010

critical severity violations

We have just created our first web application asm security policy. The policy was setup by f5 admin which he considers it is suitable for the web application. My job is kind of auditing this po...
app sec
BIG-IP Access Policy Manager (APM)
security
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Oct 21, 2010
Hi Abumo,

 

 

I wouldn't consider it a best practice to enable and configure every violation type that ASM can perform for every application. Ideally, the policy should be tuned to the application. For example, if the application performs proper session enforcement, there isn't a need to track that every request a client makes has gone through a successful authentication attempt. I would speak with the person that built the policy and possibly the people that built or administer the application to get a better understanding of what the application's security requirements are and why the policy was set up as it was.

 

 

Aaron