Forum Discussion

Jul 06, 2011

Policy Builder Modes

Just wondering if somebody can clarify this process for me... I am running through the deployment wizard and have chosen to manually build the policy, which will mainly be on untrusted traffic. From what I understand the manual policy uses wildcards for entities for a certain period before tightening? In which period I can clear violations as they occur and remove false positives....

Is this the correct way to build a policy?

Thanks guys

1 Reply

  • I think you find that policy building is more of an art than a science. You can definitely do it the way you described; however, the way I try and build policy is a little different. I try to get a construct of the application from my developers first (Methods, Cookies, File Types, URLs, Parameters), then manually input those into the policy. I then use Staging on the File Types and Parameters in order to learn lengths, Value Type, Data Type and so on. Optimally I prefer to get all that information up front, but that is not always something they can provide easily. This process may require a little more manual work on the part of the policy admin up front, but then I don't have to have them run through their application to get all the learning suggestions worked out, and then have them test it all again after I put it in blocking mode to make sure nothing was missed.

    Also I would say it is important to determine what sort of blocking you are going to do for the particular application you are working on. There is some stuff that should probably be turned on for every application, but there are others that are dependent on what type of app it is. For example, if there is no XML in the application then there is no need to turn on blocking for those.

    I do not really prefer using the automated policy builder unless it is just a huge application; I have just found it to be more cumbersome than anything else. That may just be my preference though.
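The workflow in the reply (enter the application's methods, file types and parameters up front, put them in staging to learn lengths and value types, then tighten into blocking) and the wildcard-then-tighten idea from the question can both be modelled in a few dozen lines. The following is an added illustration, not F5 code and not the reply author's own: the `Policy`/`Entity` classes, the value-type ladder, the wildcard flag and the sample traffic are all constructed assumptions that show how staged entities learn while enforced entities block, and how unknown entities turn from learning suggestions into violations once the wildcard is removed.

```python
"""Toy model of staging, learning and tightening a web application firewall policy.

Added example, not a vendor implementation. All names and formats are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl

# Value types from narrowest to widest; learning only ever widens a type.
TYPE_ORDER = ["numeric", "alphanumeric", "any"]


def classify(value: str) -> str:
    """Narrowest type that describes the value."""
    if value.isdigit():
        return "numeric"
    if value.isalnum():
        return "alphanumeric"
    return "any"


@dataclass
class Entity:
    """A file type or parameter with the properties learned during staging."""
    name: str
    check_type: bool = True      # file types learn length only, not value type
    staged: bool = True          # staged: observe and learn; enforced: block
    max_len: int = 0
    value_type: str = "numeric"
    hits: int = 0

    def observe(self, value: str) -> list[str]:
        """Learn from the value when staged; return violations when enforced."""
        self.hits += 1
        seen = classify(value)
        wider = TYPE_ORDER.index(seen) > TYPE_ORDER.index(self.value_type)
        if self.staged:
            self.max_len = max(self.max_len, len(value))
            if self.check_type and wider:
                self.value_type = seen
            return []
        problems = []
        if len(value) > self.max_len:
            problems.append(f"{self.name}: length {len(value)} exceeds learned {self.max_len}")
        if self.check_type and wider:
            problems.append(f"{self.name}: value type {seen} not allowed (learned {self.value_type})")
        return problems


class Policy:
    def __init__(self, methods, file_types, parameters):
        self.methods = set(methods)
        self.file_types = {ft: Entity(ft, check_type=False) for ft in file_types}
        self.parameters = {p: Entity(p) for p in parameters}
        # Staged wildcard: unknown parameters become learning suggestions, not blocks.
        self.wildcard_params = True
        self.suggestions: list[str] = []

    def process(self, method: str, url: str) -> list[str]:
        """Return the violations this request raises under the current policy."""
        violations = []
        if method not in self.methods:
            violations.append(f"illegal method {method}")
        parts = urlsplit(url)
        last = parts.path.rsplit("/", 1)[-1]
        ext = last.rsplit(".", 1)[-1] if "." in last else "no_ext"
        ft = self.file_types.get(ext)
        if ft is None:
            violations.append(f"illegal file type {ext}")
        else:
            violations += ft.observe(url)            # file type learns URL length
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            ent = self.parameters.get(name)
            if ent is None:
                if self.wildcard_params:
                    self.suggestions.append(f"add parameter {name}")
                else:
                    violations.append(f"illegal parameter {name}")
                continue
            violations += ent.observe(value)
        return violations

    def tighten(self) -> list[str]:
        """End staging: enforce learned limits, drop the wildcard, and report
        entities never exercised (their learned limits are empty, so check them
        with the developers before trusting them in blocking mode)."""
        self.wildcard_params = False
        entities = list(self.file_types.values()) + list(self.parameters.values())
        for ent in entities:
            ent.staged = False
        return [e.name for e in entities if e.hits == 0]


def run_demo():
    # Constructed application inventory and sample traffic.
    policy = Policy(methods=["GET"], file_types=["php", "no_ext"], parameters=["q", "id", "page"])
    staging_traffic = [("GET", "/search.php?q=shoes&id=42"),
                       ("GET", "/search.php?q=red%20shoes&id=7"),
                       ("GET", "/search.php?q=boots&id=123&debug=1"),
                       ("GET", "/")]
    staging = [policy.process(m, u) for m, u in staging_traffic]
    unexercised = policy.tighten()
    blocking_traffic = [("GET", "/search.php?q=hats&id=99"),
                        ("GET", "/search.php?q=hats&id=abc"),
                        ("GET", "/search.php?q=hats&id=4&debug=1"),
                        ("POST", "/search.php?q=aaaaaaaaaaaaaaaaaaaa&id=4"),
                        ("GET", "/admin.aspx")]
    blocking = [policy.process(m, u) for m, u in blocking_traffic]
    return policy, staging, unexercised, blocking


if __name__ == "__main__":
    policy, staging, unexercised, blocking = run_demo()
    print("staging violations:", staging)
    print("suggestions:", policy.suggestions)
    print("never exercised:", unexercised)
    for v in blocking:
        print("blocking:", v or "clean")
```

During staging nothing is blocked; the `debug` parameter only produces a suggestion, and `q` widens to type `any` because one value contained a space. After `tighten()`, the same `debug` parameter is an illegal-parameter violation, a non-numeric `id` and an over-long `q` are caught by the learned limits, and the `page` parameter is reported as never exercised, which is exactly the "have them test it all again" gap the reply warns about.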