Forum Discussion
Testing a WAF policy
Thanks Mohamed_Ahmed_Kansoh,
I will be using it in:
- Rapid Deployment mode without any modification.
- Keeping it as Transparent.
- And put the Signatures in Staging stage.
Later on we will analyse the logs and then decide on the modification part. Then we can apply the policy in the Negative Security Model.
So, regarding the testing, I don't have a test environment; however, I have UAT applications hosted in my Prod environment, and I will be testing in those apps first and, based on the result, I will implement in the Prod app.
So, I need your help in testing some scenarios: are there any tools (kindly share a link), and what could be the testing scenarios in a prod environment?
This part is new to me and I am learning to implement it with some test scenarios. Please guide me 🙂
A tool used by many to test web applications behind the F5 security modules is Burp Suite by PortSwigger:
https://portswigger.net/burp/enterprise
Once you have policies in place, you can test using this tool. More than likely it will generate violations which you then review and accept.
Also, if you have a good number of testers or your application team has a scripted unit testing suite, you can white list their IPs and more quickly train the F5 security models on what is expected behavior for the application.
Hope this helps. Best is to work in tandem with the application team or developers and have them assist in configuring entities and expected behaviors in terms of parameters.