
jerm1020_254086
Aug 11, 2016

signature updates

I am curious as to how long newly input signatures as well as updates stay in staging after they have been downloaded. Is this generally a formality that has minimal impact, or are they heavy sig updates that must be monitored to ensure valid traffic is not blocked? F5 states that the updates go immediately to staging, but what is the period for this and how can I validate?

 

  • You didn't mention what version you're on, but from this page it looks like the default is 7 days.

     

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/config_guide_asm_10_2_0/asm_attack_sigs.html1035741

     

  • 11.5.3, apologies for leaving that out. I am fairly new to F5, so I apologize for the entry-level questions.

     

  • Also, do only the updated signatures go into staging? Is there somewhere to view those? I thought the default 7 days and enable staging option were for the policy itself.

     

  • The default staging period is 7 days. After that period expires, any signatures which were not triggered will be moved to the "Ready to be Enforced" section of the Enforcement Readiness Summary Screen (Application Security: Policy Building: Enforcement Readiness.) If you built your policy using the manual method, you will have to enforce the signatures yourself. "Enforce" means that the signatures will be removed from staging. If you use the automatic method, then ASM will enforce them for you. You can check the staging status of each signature by viewing them in the Attack Signature List.

     

  • Erik, all I see under the attack signature list is the ID, type and whether it is user defined. I am unable to see a staging status for the specific signature. It is my understanding that only the new signatures are in staging, not the policy. Is this correct?

     

  • OK, I see that, that makes sense to me. The issue I am having is the customer wants to physically see the updated or new signatures in staging. Do they only pop up in the enforcement readiness location after being triggered?

     

  • Well, there isn't anywhere in the GUI that shows a list of newly added signatures specifically, along with their staging status. However, after an update, you can go to Security>>Security Updates: Application Security, and you should see a list of Added Signatures that has a clickable link to each one.