Forum Discussion

jlsantini's avatar
Icon for Altocumulus rankAltocumulus
May 09, 2024

WAF Organizational Processes


I'm a project manager responsible for our WAF implementation and likely more engaged in WAF care and feeding that most project managers.  😀

I'd like to understand from others their WAF organizational processes with the goal of improving ours.

I'm responsible for hosting a weekly WAF tuning meeting.  Our WAF admin pulls data from our Splunk logs and brings up samples for policies that we've not yet put into production mode.  Our WAF admin wants our two application developers on our WAF team to say "yea" or "nay" for each sample to be tuned.  This is incredibly tedious but our hope is to reduce false positives.  How do other orgs handle pre-production tuning?

We have a similar process if a production deployed policy receives a block.  Our business owner for the application opens a ticket for their end user.  Since I'm not allowed access to F5 WAF, I use the support ID to look up the WAF report in an Apex application one of our developers wrote.  I provide this report to our WAF admin who waits for one of our WAF team app devs to say "yea" or "nay" on whether it's legit traffic.  If it's legit, he tunes the policy but sometimes still with apprehension.  This results in either my needing to schedule a special meeting with our WAF team (includes me, 2 apps devs, WAF admin, sys admin manager, my manager, and 1-2 reps from security) or taking time in a tuning meeting to review the tuning adjustment that was made and get a ruling on whether it it's too risky to keep in place or it's safe to remain.  How do your organizations handle reports of blocks from your business owners and their end users?

I truly feel we can and should improve so I'm eager to hear what others in the community are doing.

Thank you!


1 Reply

  • my suggestion, if havent, the waf should be managed by application/application security team, instead of network security because waf config must match the characteristic of the application, e.g. request and response data spec, session persistence mechanism, etc.
    same thing applies for LTM / load balancing module due to same reason.

    waf config principle basically configure it as restrictive/secure as possible while still allowing legitimate access.

    therefore, waf learning process should not use traffic from common users, but use traffic from designated app testers because common users may consist hackers in addition of legitimate users.
    this can be done easily in f5 by using test virutal server for designated app tester then apply the verified learning result to waf policy of common users' virtual server.