Forum Discussion
General HowTo ASM guide...
Kevin,
Thanks for taking the time to explain how ASM works. I am able to understand your explanation very clearly. I have been a firewall administrator for many years, so I understand the concept of positive and negative security models. In my training class, the instructor describes ASM as a positive security model, but your description is much more accurate. The signature database is static (pattern matching), and as such depicts a negative security model.
Do you know of any literature or examples on deploying a simple ASM policy? Here is what I do when I create a security policy. I go to Security --> application security --> security policies, click create and use the deployment wizard. I get information from my developers like the OS, web application type, database, scripts, etc and match the resources in the deployment wizard.
In version 11.4.1, it seems the wizard automatically puts the policy in "Blocking Mode", though according to the online manual, it does NOT really block anything until it has learnt enough of the traffic pattern. To give you an example, I created a new policy on Monday of last week. When I checked the general progress under Security --> Overview --> Application --> Action Items, the policy builder stayed at 5% progress for a couple of days.
I did see the policy detected some events. In the policy building status page, I clicked on each item in the detail section. It states it had detected some traffic (e.g. 17/50), and "rule satisfied". I was trying to see what it was referencing, but could not get any details. I went ahead and clicked "enable" (I think!) or "accept". I can't really remember because the real traffic policy builder is now disabled, and it says the policy building process has stabilized. So in the six days since the policy was created, it went from 5% General progress to "stabilized" in an instant.
So at this point, I am trying to figure out what I am supposed to do. Under Manual Traffic Learning, I see a couple of violations. When I click on the violations, it tells me how many times it has occurred, and when I click on the occurrences link, it tells me the source of the request and when it happened. But I don't see what triggered the event. I can check the violation to "accept" it. What does that do? Does it mean I have identified the violation as a false positive, and all such future occurrences are "acceptable", or does it look at other factors too (e.g. source IP)?
Then there is additional information under the Enforcement readiness. I see a bunch of parameters not enforced. When I click on the , I see the parameters, and most have staging=yes with the hour glass (waiting for additional traffic samples). Again, I could check the box and click enforce, but I am not sure what exactly it tells the ASM policy to do. Does it tell ASM those are expected parameters?
At this point, I had to go to the VIP and disable the security policy. I had a developer call stating one of the pages on the site was getting blocked. Going to Security --> Event logs --> application, I could see the matching page that was blocked. How do I tell the policy the request was legitimate and it should be allowed?
I have not found a guideline on how to react to these types of responses. What I have described above is just a summary of the questions I have on enabling the ASM policy. Hopefully, you can give me a few more pointers to help me enable the policy.
Thanks again Kevin!
Vincent
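The questions in the post above (what "accept" and "enforce" do, why a policy in Blocking Mode can still let traffic through while entities are staged, and how a static signature set sits beside a learned allowlist) are easier to reason about with a small model of the two security models working together. The following is an added example, not F5 code and not a description of ASM's exact internals: it is a simplified, constructed policy evaluator in which a negative model (regex attack signatures) always produces enforceable violations, while the positive model (known parameters) only blocks once an entity has left staging. Names such as `ToyPolicy`, `accept`, `enforce`, `wildcard_staged` and the signature patterns are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a static signature database (negative security model).
# A match is a violation regardless of what the positive model knows about the parameter.
SIGNATURES = {
    "sql-injection": r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+1\s*=\s*1)",
    "xss": r"(?i)<script\b",
}


@dataclass
class Violation:
    kind: str
    detail: str
    enforceable: bool  # False while the entity involved is still in staging


@dataclass
class ToyPolicy:
    """Simplified model of a learning WAF policy (assumption, not ASM's real logic)."""
    blocking: bool = True            # "Blocking Mode": only enforceable violations can block
    wildcard_staged: bool = True     # unknown parameters match a '*' entity that starts staged
    max_value_len: int = 64
    # Positive model: known parameter names and whether each is "staged" or "enforced".
    parameters: dict = field(default_factory=dict)
    # Violation kinds the policy is configured to block; anything else only raises an alarm.
    block_kinds: set = field(default_factory=lambda: {
        "attack signature", "illegal parameter", "illegal value length"})

    def accept(self, name: str) -> str:
        """Accepting a learning suggestion: the parameter becomes known, but starts in staging."""
        return self.parameters.setdefault(name, "staged")

    def enforce(self, name: str) -> str:
        """Enforcing moves the entity out of staging; its violations can now block."""
        self.parameters[name] = "enforced"
        return self.parameters[name]

    def evaluate(self, params: dict) -> tuple:
        """Return (action, violations) for one request's parameters."""
        found = []
        for name, value in params.items():
            state = self.parameters.get(name)
            if state is None:
                # Unknown name: an "illegal parameter" violation, enforceable only once the
                # wildcard entity itself is no longer staged.
                found.append(Violation("illegal parameter", name,
                                       enforceable=not self.wildcard_staged))
            elif len(value) > self.max_value_len:
                found.append(Violation("illegal value length", name,
                                       enforceable=(state == "enforced")))
            for sig, pattern in SIGNATURES.items():
                if re.search(pattern, value):
                    found.append(Violation("attack signature", f"{sig} in {name}",
                                           enforceable=True))
        would_block = [v for v in found if v.enforceable and v.kind in self.block_kinds]
        if not found:
            return "pass", found
        if self.blocking and would_block:
            return "block", found
        return "alarm", found


def walkthrough() -> dict:
    """Replay the lifecycle from the post: learn, stage, enforce, and watch the action change."""
    p = ToyPolicy()
    p.accept("user")
    p.enforce("user")
    p.accept("q")                      # known, but still staged
    results = {}
    long_q = {"user": "bob", "q": "x" * 100}
    results["staged_long_value"] = p.evaluate(long_q)[0]        # alarm only: q is staged
    p.enforce("q")
    results["enforced_long_value"] = p.evaluate(long_q)[0]      # now blocks
    unknown = {"user": "bob", "debug": "1"}
    results["unknown_param_wildcard_staged"] = p.evaluate(unknown)[0]   # alarm
    p.wildcard_staged = False
    results["unknown_param_wildcard_enforced"] = p.evaluate(unknown)[0]  # block
    attack = {"user": "' or 1=1"}
    results["signature_blocking_mode"] = p.evaluate(attack)[0]  # block: signatures never stage
    p.blocking = False
    results["signature_transparent_mode"] = p.evaluate(attack)[0]  # alarm: transparent policy
    results["clean"] = p.evaluate({"user": "bob", "q": "hello"})[0]
    return results


if __name__ == "__main__":
    for step, action in walkthrough().items():
        print(f"{step:40s} -> {action}")
```

The `walkthrough` function traces the same sequence the post describes: a staged parameter raises alarms but never blocks, enforcing it turns the same request into a block, and the static signatures are enforceable from the start, which is why a policy that is "learning" still behaves as a negative model for signature hits.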