F5 ASM Attack Signature Update

Hi sshssh,

I'm not sure there's a best practice, rather whatever suits the particular environment.

That being said I only ever do manual updates so I can have control over the whole process. It's more important to me that I can monitor the changes and keep an eye on any new/changed signatures being triggered than getting them applied in a more timely fashion if they were set to update automatically.

N

We utilize Enterprise Manager to notify us when new signatures are downloaded/available on EM. We then push the updates in non-prod and coordinate with app teams for testing, then move onto Prod. I don't believe we'll get to a more automated process as the need to for app reliability is most important.

is there an option to put new signatures in staging for a period of time , while policy mode is blocking ?

Yes, under Application Security, Policy, Policy, Properties there is a "Staging-Tightening Period" you can set. This defines the period in which any newly added signatures are placed in staging so, if triggered, just logs and doesn't block (even if policy mode is blocking). At the end of this period you can then enforce those sigs that haven't been triggered and/or make exceptions to any false positives that may have occurred on these new sigs (Policy Building - manual - Staging/tightening summary).

Also, you can choose to put updated sigs also in staging (check box when you do the update).

Hope this helps,

N