
Forum Discussion

hightower_m
Oct 05, 2016

Managing ASM policy after it's in blocking mode

So I'm fairly new to using ASM but have learned quite a bit. I need a little clarity on managing a policy in blocking mode. So my situation is that I have a policy (Real time builder enabled) that has gone through the Enforcement Readiness period and all items are reviewed and enforced. The status of the policy is 100% which should equal stable? So at this point I am ready to change it to blocking mode.

 

A few questions:

 

  1. When I enable blocking mode what is the suggested best practice, if any, for leaving the Real Time builder setting enabled? Is this purely an administrative preference? If it's on then the ASM provides more help in the ongoing policy management vs. if I disable it then it's a more manual process to manage violations? That is assuming I have the "learn" option enabled in the settings.

     

  2. When new attack signatures are downloaded and put into staging for the Enforcement readiness period do they just show a "ready to be enforced" status on the enforcement readiness screen along with any suggestions after the time period is over? From that point I can manually go enforce them and apply the policy when I'm ready? I'm thinking in terms of dealing with a production website so I would need to schedule the changes into the policy during a maintenance window.

     

There's a lot of good information out here but I was hoping to get some more input from anyone.

 

Thanks!

 

1 Reply

  • The answer to your questions is "yes". The benefit of the Real Time/Automated builder constantly running is that it will Track the Site changes (provided this setting is on), so when your application changes the policy will learn the changes (make sure you configure your Trusted IPs for that!). If your application is not changing (e.g. it is something like Web Outlook) then there is no need to learn - there will be nothing new.

     

    Once you understand ASM well enough you will be able to build your policies manually and switch off the RealTraffic builder. As an ASM consultant I always build all policies manually.