BlackBolt_22590
Mar 22, 2017 - Nimbostratus
Some questions about ASM module from a beginner
Hello Everyone,
My company recently bought some ASM licences for our F5 BIG-IP and I'm in charge of defining the security policies, but I have no experience in it so far and only a read-only account, so it's pretty hard to run some tests. That's why I have some questions for you:
1/ What's the difference between Transparent and Blocking in the enforcement mode, and what suits each of them best in the signature set (learn/alarm/block)?
2/ What does "staging signature" mean? If I don't set a signature set, what does the policy block?
3/ What's the difference between Block in the policy (enforcement mode) and the block option in the signature set? Also, correct me if I'm wrong, but learn allows me to use the "manual traffic learning" option to see which threats the policy has detected, and alarm is something like a logging system?
4/ What happens if I activate both block options?
5/ Scenario much like what I will do to deploy my policies:
I want to observe which threats are occurring, and who is performing them, on my VS already in production before deciding what to block. What would be the best configuration:
Transparent as the enforcement mode, "attack signatures configuration" in learn/alarm mode with an ERP of, let's say, 30 days, or something else?
After finishing my analysis, where can I see what has been flagged by the signatures, and where can I decide whether to block it or not?
8/ What happens once the ERP is over? Do I have to change the enforcement mode once the analysis is over (Transparent -> Blocking, for example)? Will my policy keep checking whether new threats are detected?
I know it's a lot of questions to answer, but I have no one else to turn to, so thank you very much in advance.
Regards,