Forum Discussion

strongarm_46960's avatar
Icon for Nimbostratus rankNimbostratus
May 16, 2012

Policy migration

According to Engineering principles application promoted into the QA environment should be regarded as complete and mimic production. It’s not acceptable to perform testing in the QA.



I need ideas in developing a strategy for security policy development throughout my environment. So by this token, assume a negative security model scenario.


Dev Virtual env: the WAF security policy will be developed in the Dev environment initially. Blocking on, making sure our policy blocks common attacks. Learning and Staging off



Test Virtual env: Push the asm policy to the Test Environment. Turnoff learning since app is still in infancy, Ram Cache is turned on. Develop irules.


QA Appliance Env: Promote asm policy to QA from Test env, learning on. Staging on and blocking turned on, Ram Cache is turned off to stop caching of illegals request. Perform formal regression via Trusted IP address surfing the entire site, Review violation, request, learned entities,(object types, objects, parameters and flows). Accept all false positives. Relax rules if needed. Copy edited QA policy back to Test Env.



Prod Appliance env: Promote to Production and set up notification on blocked request, eliminate any further false positive, relax rules if needed. Learning is off in Production.



Copy latest Production policy to Test and QA environment.




On Test env, you’ll have 4 policy, dev, test, QA, and prod policy


On QA Env, you have 3 policies Test, QA and Prod


On Prod, you’ll have 2 policies, QA and Production policy


No RepliesBe the first to reply