strongarm_46960
May 16, 2012

Policy migration

According to Engineering principles, an application promoted into the QA environment should be regarded as complete and should mimic production. It's not acceptable to perform testing in QA.

I need ideas for developing a strategy for security policy development throughout my environment. So by this token, assume a negative security model scenario.

Dev Virtual env: The WAF security policy will be developed in the Dev environment initially. Blocking on, making sure our policy blocks common attacks. Learning and Staging off.

Test Virtual env: Push the ASM policy to the Test environment. Turn off learning since the app is still in its infancy; RAM Cache is turned on. Develop iRules.

QA Appliance env: Promote the ASM policy to QA from the Test env, learning on. Staging on and blocking turned on; RAM Cache is turned off to stop caching of illegal requests. Perform formal regression via a Trusted IP address surfing the entire site. Review violations, requests, learned entities (object types, objects, parameters and flows). Accept all false positives. Relax rules if needed. Copy the edited QA policy back to the Test env.

Prod Appliance env: Promote to Production and set up notification on blocked requests, eliminate any further false positives, relax rules if needed. Learning is off in Production.

Copy the latest Production policy to the Test and QA environments.

-----

On the Test env, you'll have 4 policies: Dev, Test, QA and Prod.

On the QA env, you have 3 policies: Test, QA and Prod.

On Prod, you'll have 2 policies: QA and Production.
