Forum Discussion

draco_184361's avatar
draco_184361
Icon for Nimbostratus rankNimbostratus
Aug 14, 2017

Enforcement Readiness for F5 ASM

Under Each URL entity or certain entities , there is selection we can make depending on the whether it enforcement ready or not- choices available are -not enforced , have suggestion and ready to be enforced. When does it become enforcement ready ? After the enforcement period we have mentioned under policy building ?and when does the entities state move from staging to " having suggestions ?

 

Does it depend on the tighten policy setting under " learning and blocking settings " ?

 

Can i have link to implementation guide to f5 asm of version 12.1.2 and above? i could find only till 11.

 

ASM Advanced WAF
BIG-IP
security
  • Hannes_Rapp's avatar
    Hannes_Rapp
    Icon for Nimbostratus rankNimbostratus
    Aug 14, 2017

    "When does it become enforcement ready? After the enforcement period we have mentioned under policy building?"

     

    Voila. It depends on enforcement readiness period as set in your policy settings. By default it is 7 days.

     

    "And when does the entities state move from staging to having suggestions? Does it depend on the tighten policy setting under learning and blocking settings?"

     

    Learning suggestions are raised only if you have enabled Learning Mode in policy settings. When enabled, and a request comes in which gets blocked, then a suggestion may be raised. This is basically self-intelligence of BigIP whereby it tries to guess what's best action for you to take. Personally I do not trust this feature. You can see a better description here if you Ctrl + F for encounters of "learning suggestion" and "learning mode": ASM Ops Guide

     

    • draco_184361's avatar
      draco_184361
      Icon for Nimbostratus rankNimbostratus
      Aug 15, 2017

      Thanks Hannes . I have one more question :-

       

      I was testing something .So i was testing XSS . I have the PHP auction site deployed in my lab. Have done via F5 virtual lab as well. In one of the form entry area, for eg " sell an item" in the site, i entered the basic alert script eg :- It doesn't seem to be blocking it .Policy applied on the VS , logging is enabled, attack signature is moved from staging as well, so all are enforced. But yet, it isn't logged nor getting blocked. Is there anything else i need to do ?

       

      Thanks and Regards

       

      Divya S

       

    • Hannes_Rapp's avatar
      Hannes_Rapp
      Icon for Nimbostratus rankNimbostratus
      Aug 15, 2017

      If you have ASM enabled:

      Make sure the following signatures are Enabled and Enforced. In particular, 200000098 and 200001475 should be relevant for search input fields.

      XSS script tag (Headers)    200000097
XSS script tag (Parameter)  200000098
XSS script tag (URI)    200000099
XSS script tag end (Headers)    200000091
XSS script tag end (Parameter) (2)  200001475
XSS script tag end (URI)    200000093
  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Icon for Nacreous rankNacreous
    Aug 14, 2017

    "When does it become enforcement ready? After the enforcement period we have mentioned under policy building?"

     

    Voila. It depends on enforcement readiness period as set in your policy settings. By default it is 7 days.

     

    "And when does the entities state move from staging to having suggestions? Does it depend on the tighten policy setting under learning and blocking settings?"

     

    Learning suggestions are raised only if you have enabled Learning Mode in policy settings. When enabled, and a request comes in which gets blocked, then a suggestion may be raised. This is basically self-intelligence of BigIP whereby it tries to guess what's best action for you to take. Personally I do not trust this feature. You can see a better description here if you Ctrl + F for encounters of "learning suggestion" and "learning mode": ASM Ops Guide

     

    • draco_184361's avatar
      draco_184361
      Icon for Nimbostratus rankNimbostratus
      Aug 15, 2017

      Thanks Hannes . I have one more question :-

       

      I was testing something .So i was testing XSS . I have the PHP auction site deployed in my lab. Have done via F5 virtual lab as well. In one of the form entry area, for eg " sell an item" in the site, i entered the basic alert script eg :- It doesn't seem to be blocking it .Policy applied on the VS , logging is enabled, attack signature is moved from staging as well, so all are enforced. But yet, it isn't logged nor getting blocked. Is there anything else i need to do ?

       

      Thanks and Regards

       

      Divya S

       

    • Hannes_Rapp_162's avatar
      Hannes_Rapp_162
      Icon for Nacreous rankNacreous
      Aug 15, 2017

      If you have ASM enabled:

      Make sure the following signatures are Enabled and Enforced. In particular, 200000098 and 200001475 should be relevant for search input fields.

      XSS script tag (Headers)    200000097
XSS script tag (Parameter)  200000098
XSS script tag (URI)    200000099
XSS script tag end (Headers)    200000091
XSS script tag end (Parameter) (2)  200001475
XSS script tag end (URI)    200000093