
Forum Discussion

daveram_265365 (Nimbostratus)
Aug 01, 2016

How to create a Generic ASM Policy?

Hello, I am looking for a method to create a generic ASM policy until we have the time to learn and actually lock down each of our Web-based external applications. I was wondering if anyone has any links to show how to perform this? I have created the following "instructions" but as I am somewhat new to this, I would like someone more versed in ASM to review. It wouldn't let me attach with all the screenshots, so I summarized my steps below.


  1. Create a blank policy (don’t associate to a virtual server yet)
  2. Pick “Create a security policy manually or use templates (advanced)”
  3. Fill out the defaults for the policy
  4. Choose the generic attack signatures to include (leave signature staging enabled)
  5. Since this is generic, change all explicit entities learning to “Never (wildcard only)”
  6. Review the summary and click finish
  7. Apply to a virtual server
    • http profile
    • asm profile
    • logging profile (all events)
  8. After X days, review log entries and include any legitimate entries to whitelist activity.
  9. Disable Signature Staging
  10. Move policy into blocking mode

Would this protect the server from any of the signature-based attacks that were included in the policy and any other illegal syntax, etc (minus the file type, url, and parameters)?


1 Reply

  • Hi,

    Maybe you should use a mix: the rapid deployment template with the exceptions that you want.

    It will protect the web site more than passive attack signatures alone.

    On the other hand, it can possibly increase false positives, so you should enable the "learn" option to help you treat all those possible false positives more easily in the Traffic Learning screen.

    Finally, in the "Learning and Blocking Settings" section, uncheck the learn, alarm and block options for the exceptions you don't want enforced (file type, URL, etc.), and keep the wildcard entities enforced (no staging), so that when you change the policy to blocking mode the actions you chose will take effect.

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-getting-started-12-0-0/8.html?sr=56183871

    PS: Even if you want to build the policy with no template, keep in mind that you will need to remove the staging flag from all the wildcard entities, not just from the attack signatures. That way BIG-IP can block or alarm on suspicious requests; otherwise they just go to the learning screen.

    I hope this helps you.
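As an added example that is not part of either post above: this is what step 7 of the question ("apply to a virtual server" with an http profile, an asm profile and a logging profile) and the reply's point that enforcement only takes effect on the virtual server that carries the policy look like as BIG-IP configuration objects, in the form `tmsh list` prints them. The virtual server, pool, destination address and policy names are assumptions. The `websecurity` profile is the "asm profile" the question refers to, and the LTM policy named `asm_auto_l7_policy__<vs name>` is the object BIG-IP generates when an ASM policy is attached to a virtual server through the GUI; if you create the attachment by hand you can name it anything. The ASM policy itself (`generic_asm_policy` here) is assumed to have been built with the wizard as described in the question; its enforcement mode, signature staging and wildcard entity staging live inside that policy, not in the objects below. The `#` lines are explanatory comments; strip them before loading the fragment.

```tmsh
# Added example: objects that attach a generic ASM policy to one virtual server.
# Names, addresses and the pool are assumed, not taken from the posts above.
# ASM can only inspect decrypted traffic, so an HTTPS virtual server needs a
# client SSL profile in addition to http and websecurity.
ltm virtual /Common/vs_external_app {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    pool /Common/pool_external_app
    policies {
        /Common/asm_auto_l7_policy__vs_external_app { }
    }
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        /Common/tcp { }
        /Common/websecurity { }
    }
    security-log-profiles {
        "/Common/Log all requests"
    }
    source-address-translation {
        type automap
    }
}

# The LTM policy is what actually enables ASM on the virtual server: a single
# default rule that hands every HTTP request to the named ASM policy.
ltm policy /Common/asm_auto_l7_policy__vs_external_app {
    controls { asm }
    requires { http }
    rules {
        default {
            actions {
                0 {
                    asm
                    enable
                    policy /Common/generic_asm_policy
                }
            }
            ordinal 1
        }
    }
    strategy /Common/first-match
}
```

`Log all requests` is a built-in logging profile and is the right choice for the observation window in step 8, since legitimate requests that hit staged signatures or unenforced wildcards are only visible if you log everything; once the policy is in blocking mode, switching to the built-in `Log illegal requests` profile keeps the volume down. Two checks before calling step 10 done: `tmsh list ltm virtual vs_external_app` should show both the `websecurity` profile and the `policies` entry, because a virtual server with the profile but no LTM policy rule passes traffic without inspection; and after disabling signature staging and changing the enforcement mode, the ASM policy must be applied (the "Apply Policy" action) before the running configuration reflects those changes.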