Forum Discussion
Some questions about ASM module from a beginner
Hello all,
So I was finally able to perform some tests on a lab on VMware Workstation with Hack-it-yourself PHP. I reproduced one attack to see the behavior of both policy construction modes (automatic and manual). Here are the scenarios for both construction modes after creation:
Manual:
Signature staging: enabled
Enforcement Mode: Blocking
Learn Alarm Block checked for 3
ERP: 7 Days
Automatic:
Signature staging: enabled
Enforcement Mode: Blocking
Learn Alarm Block checked for 3.
Policy Builder Enabled
ERP: 7 Days
Policy mode: Comprehensive
When I uncheck "signature staging" on the manual policy, the script is blocked right away, but when I do it with the automatic policy, it doesn't block it and I can't figure out what prevents me from blocking it. My guess is the policy builder, but when I disable it, it still doesn't block my script request. Can someone explain to me the behaviour of an automatic policy, the policy builder and the policy mode? This is the kind of log I have with the automatic policy:
https://puu.sh/vMtRL/0ba67eb302.png
Also where do you decide if this specific request is a false positive?
If I understand it correctly, this is where you decide if a signature is a false positive (screenshot below), but where do you specify that a request, and a request coming from a specific IP, is safe?
https://puu.sh/vMu3R/aa50bc2da4.png
Another "strange" behaviour I have: as you can see, I have signature staging enabled and my policy in blocking mode. Isn't the security policy supposed to not block the traffic that triggered some signature and just report it, so that I decide afterward whether I block it or not? I'm asking you that because my policy still keeps blocking the traffic that triggers the signature:
https://puu.sh/vMubP/996be50a7e.png
Thanks Leonardo for your answer. One more thing (maybe the last :)), it's about resources and deployment. I have about 400 VS to protect with ASM. Some nodes and pools are used multiple times. I am planning to deploy a policy per pool (if Pool A is used in VS 1, 2, 3 & 4, I'm going to deploy a policy for VS 1 to 4). Do you think the resources are enough to deploy this way, knowing I'll create about 20-30 policies?
Regards,