F5 ASM deployment for production traffic in transparent mode.

Question

Hi Experts, &nbsp;
I'm new to the F5 ASM deployment, so posting here with my concerns. &nbsp;
Background information: I have enabled ASM for the VIPs which are already in production. I don't have any trusted testers, so I don't have chance to get some Trusted IP addresses that can be added. As its a production deployment, I chose the Transparent Mode with 7 days enforcement period with Automatic policy builder feature. &nbsp;
Application information: Tomcat based apps with SQL DB and with SSL enabled. &nbsp;
I'm seeing manual traffic learning stats as shown below.. &nbsp;
&nbsp;
Also, I could see the entries for under Enforcement readiness, there are too many signature suggestions. &nbsp;
&nbsp;
Could someone suggest me what is the next I should do? I'm seeing many other parameter violations and URL length, parameter input violations etc. &nbsp;
I'm trying make this policy as the bench mark for any other policies I'm going to enable.   As this is my first policy, I would like to be careful with the an changes to it as I want to export this policy for Blocking mode enforcement for other production VIPs. &nbsp;
Please help me with your suggestions. &nbsp;
thanks. &nbsp;

vijith_182946 · Answer

Hi, First of all, do you think 7 day enforcement is enough for traffic learning? We usually go for at least 14 days to a month. You need sufficient amount of traffic to get ASM learn the traffic behavior. Once we have enough traffic and violation events  perform the violation analysis one-by-one. You need to work with Apps team and challenge them about these violations, many cases you need to remediate the false positives and some other cases you need to challenge them. I think you also should decide on positive and negative security models you planning to go ahead. We usually go this flow of violations&nbsp;
1) RFC compliance 
2) Length Limits
3) Valid File Types
4) Valid URLs
5) Valid Parameters
6) Parameter Compliance
7) Valid meta characters
8) HTTP Method / Headers
9 Attack Signatures / Virus&nbsp;
hope this helps&nbsp;

newf5learner_13 · Answer

thanks for the reply. &nbsp;
What are the negative security violations in the traffic learning? &nbsp;
Can I accept the suggestions the policy builder listed above? Can I consider the suggestions  are the valid ones to be accepted in the policy and so that they will not be triggered as an event further?   &nbsp;

amine_kadimi · Answer

I'm not sure exporting an application security policy and reusing it for other VIPs will bring any advantage, as most applications don't share the same components and don't work similarly, each specific application will have its own urls, parameters, cookies, and file types that the ASM will have to know, this is positive approache. In the negative approach, each application will need each own sets of attack signatures targeting the specific components of the applications (OS, database, php, asp...).

newf5learner_13 · Answer

Thanks Amine and Vijith&nbsp;
I read some article where it was stated that F5 recommends creating a baseline policy for the environment which includes basic security requirements that are embedded into the policy components. And such policy can be considered as template which can be re-used. So, was thinking if I can make a standard policy and try replicating it in transparent mode with enforcement period of 7 days for all the other VIPs. &nbsp;
could you please let me know what are the negative security violations in the traffic learning? Should we allow them or enforce them?  &nbsp;

amine_kadimi · Answer

Negative security is "Allow all except what I already know is an attack"
Positive security is "Drop all except what I already know is not an attack"&nbsp;
For the former, you don't really need learning because ASM already knows the attacks that must trigger drops (signatures, HTTP Compliance...). You may need to activate staging for the signatures which may be considered as a kind of learning.&nbsp;
For the later, this is where the learning is really significant. The ASM needs to know what is the normal and legitimate traffic in order to drop anything else.&nbsp;
Yes, you need to activate the negative security violations (such as attack signatures). Enforcing an attack signature is actually removing the staging from it.&nbsp;

Forum Discussion

F5 ASM deployment for production traffic in transparent mode.

7 Replies

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Could not communicate with the system. Try to reload page.

DNS Traffic from floating IP to public IP of a VIP

Kubernetes cert-manager + LetsEncrypt + F5

ACME DNS RFC-2136 Let's Encrypt certs

MAC users unable to access Internet when on Netskope

Related Content

Where are F5's archived deployment guides?

Transparent Load Balancing in Azure

Security Best Practices for F5 Products

Transparent load balancing in Azure, Part 2

Automating F5 Application Delivery and Security Platform Deployments

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS