Hello All,I am trying to create a WAF policy and Test it as well which will be applied to the Virtual Server. Hence would like to know Is there any checklist i need to follow while cretaing my WAF policy. Please share me if there.What are the things i need to take into considerations while creating a WAF policyAfter creating, Is there any WAF tester available?How can I test it in my production Environment.Would like to know the complete process fo testing scenarios.

Hi Ashis_K_Patra , It depends on each application. But it's good to start your AWAF policy by ( Rapid deployment with transparent mode ) and define your server technologies well. and start your way to fine tune your policy depending on learning. there is no standard way to implement your policy it depends on what are you going to achieve from this AWAF policy for EX >> you want to use ( Positive security module or negative security module ) you need to restrict parameters , file types , URIs , you want to configure Cookies protections or not and stuff like this.you have to narrow your options to start from it , AWAF has a huge features , you have to define your needs from AWAF policy first. About testing >>> you can use the policy in test environment to simulate your application , then enforce your policy into blocking mode and test all features that you configured. such as try to perform and attack script and see if the AWAF policy blocked it or there is missing configs needed , check a disallowed url and see if AWAF blockes your or still need further configuration , and stuff like this.

Hi Ashis_K_Patra , No everything will be recoreded in your AWAF policy even if you disable it from virtual server to another. this not affect on Policy learning suggestions or settings. By the way , you can test it on a lab >>> Create AWAF policy and test some traffic and disable it on the current Virtual server then attach it to another >>> you will find all settings exist , and If you leant traffic from the newly virtual server and move this Policy to another Virtual server you will find all learnt suggestions and so on. By the way , you can attach single AWAF policy in multiple Virtual sever >>> but don't do this in your current scenario as you want to test without affecting the production encironment.Also For your info , you can use two or more AWAF policies with single virtual server , but by using iRules or LTM policy.

HI Mohamed_Ahmed_Kansoh I really Thank you for your help. I learned a lot from you. I will test and will analyse as you said. Thanks whisperer for your contribution as well

If you do not plan to pay a real pentester but just do basic tests tools like OpenVas, Nessus free edition or Qualys community edition or Burp as mentioned but the trial enterpise edition that has web scanner can be used. Also kali linux ZAP can be used. https://www.youtube.com/watch?v=koMo_fSQGlk&t=81s https://www.qualys.com/community-edition/ https://www.youtube.com/watch?v=TA1rCRyHRsM&pp=ygUGbmVzc3Vz https://www.youtube.com/watch?v=Yorjo1nsEew

Ashis_K_Patra see How to copy BIG-IP ASM security policy with a new name (f5.com) also BIG-IP ASM Security Policy may be changed due to import (f5.com) Exporting BIG-IP ASM learning suggestions (f5.com) Also can you mark the answers that solved your issue as accepted as several months have passed?

Testing a WAF policy

15 Replies

Mohamed_Ahmed_Kansoh
MVP
Jul 27, 2023
Hi Ashis_K_Patra ,

It depends on each application.

But it's good to start your AWAF policy by ( Rapid deployment with transparent mode ) and define your server technologies well.

and start your way to fine tune your policy depending on learning.

there is no standard way to implement your policy it depends on what are you going to achieve from this AWAF policy for EX >> you want to use ( Positive security module or negative security module )
you need to restrict parameters , file types , URIs , you want to configure Cookies protections or not and stuff like this.

you have to narrow your options to start from it , AWAF has a huge features , you have to define your needs from AWAF policy first.

About testing >>> you can use the policy in test environment to simulate your application , then enforce your policy into blocking mode and test all features that you configured. such as try to perform and attack script and see if the AWAF policy blocked it or there is missing configs needed , check a disallowed url and see if AWAF blockes your or still need further configuration , and stuff like this.
- Ashis_K_Patra
  Altocumulus
  Jul 27, 2023
  Thanks Mohamed_Ahmed_Kansoh ,
  I will be using in
  Rapid Deployment mode without any modification.
  Keeping it as Transparent.
  And put the Signatures in Staging stage.
  Later on we will analyse the logs and then we will decide on the modification, part. And then we can apply the policy in Negative Security Model.
  So, regaridng the testing, I dont have a test environment, however I have UAT Applications hosted in my Prod enviroment and I will be testing in those apps first and based on the result I will implemnet in the Prod app.
  So, I need your help in testing some scenarios, if there are any tools (kindly share link). and what could be the testing scenarios in a prod enviroment.
  This part is new to me and learning to implement with some test scenarios. Please guide me 🙂
  - whisperer
    MVP
    Jul 27, 2023
    A tool used by many to test we applications behind the F5 security modules is Burb suite by portswigger:
    https://portswigger.net/burp/enterprise
    Once you have policies in place, you can test using this tool. More than likely it will generate violations which you then review and accept.
    Also, if you have a good number of testers or your application team has a scripted unit testing suite, you can white list their IPs and more quickly train the F5 security models on what is expected behavior for the application.
    Hope this helps. Best is to work in tandem with the application team or developers and have them assist in configuring entities and expected behaviors in terms of parameters.
Nikoolayy1
MVP
Jul 28, 2023
If you do not plan to pay a real pentester but just do basic tests tools like OpenVas, Nessus free edition or Qualys community edition or Burp as mentioned but the trial enterpise edition that has web scanner can be used. Also kali linux ZAP can be used.

https://www.youtube.com/watch?v=koMo_fSQGlk&t=81s

https://www.qualys.com/community-edition/

https://www.youtube.com/watch?v=TA1rCRyHRsM&pp=ygUGbmVzc3Vz

https://www.youtube.com/watch?v=Yorjo1nsEew
whisperer
MVP
Jul 26, 2023
I would suggest pen testing services via a 3rd party.
Ashis_K_Patra
Altocumulus
Jul 26, 2023
Thanks , but I would need a bit explained solution for all my points.
- whisperer
  MVP
  Jul 26, 2023
  Your question is loaded. I would suggest professional services. This forum can't explain WAF and all security implications.
Ashis_K_Patra
Altocumulus
Jul 27, 2023
Can someone please help on this, at least on the Tetsing scenarios and testing tool details ? I posted my entire questions in order to explain the scenario.