Forum Discussion

Jeff_Browning_2
Historic F5 Account
Jul 22, 2008

Welcome to the new Web Application Security Forum

Welcome to the new Web Application Security discussion forum newly consolidated in the Security Groups. We've created this forum as a place to post questions and discuss design, configuration, and customization of F5's Application Security Manager (ASM). To get the background details on this powerful web application firewall, you can go here: http://www.f5.com/solutions/security/web-application/

Additionally, you'll see some great answers and feedback from some of the leading security experts in the world - from F5 and other companies - that can help you determine the most effective way to protect your web application assets. Enjoy!

- Jeff

4 Replies

  • Thanks for creating this forum. I am looking forward to its becoming as valuable as the others on DevCentral.

    Don


  • Good to see this forum. Here is the first question on ASM configuration of policies :

    For Allowed URLs, is it OK to create a wildcard URL "*" (indicating it allows all traffic using the HTTP/HTTPS protocol) and perform staging on it?

  • Hi Nik,

    Staging is used to test a tighter configuration in transparent mode before putting it in blocking. You'd probably want to create the * URL and enable tightening on it if you want to define URLs more specifically while you allow any URL.

    Aaron

  • Nik,

    So I guess that all depends on what you are asking when you say is it ok to do this.

    If you are asking from an F5 configuration standpoint, I agree with Aaron that if you are learning URLs, tightening would be your best option using the *.

    However, if you are asking from a security standpoint, my personal opinion on tightening is that I don't do it in the production environment. I do 99.9% of tightening and staging (policy building) in a controlled test environment and then copy that policy to production. I have occasionally done some very targeted staging for parameters in production, and I do stage new Attack Signatures, but that is about it. Unless you can control who is hitting your site during your tightening period, I would restrict it to the test environment only. Just my personal opinion.

    Mike
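A toy model of the wildcard-URL staging and tightening workflow that Aaron and Mike describe above, added here as an illustration; it is not F5 ASM code, and the class, method names and decision strings are simplified assumptions. It shows why Mike keeps tightening in a controlled environment: every URL requested while "*" is staged becomes a suggestion, so uncontrolled traffic ends up in the review queue.

```python
from collections import Counter


class AllowedUrlPolicy:
    """Simplified model (not ASM's implementation) of an allowed-URL list.

    A wildcard '*' entry in staging with tightening enabled lets every URL
    through while recording which URLs were actually requested. The operator
    then reviews those suggestions, accepts the legitimate ones as explicit
    entries and removes the wildcard, after which unknown URLs are 'illegal
    URL' violations, enforced only when the policy is in blocking mode.
    """

    def __init__(self, blocking=False):
        self.blocking = blocking
        self.explicit = set()              # accepted, enforced URL entries
        self.wildcard_tightening = True    # '*' present and in staging
        self.suggestions = Counter()       # URLs seen via '*' while staged

    def handle(self, url):
        """Return the policy decision for one request URL."""
        if url in self.explicit:
            return "allow"
        if self.wildcard_tightening:
            self.suggestions[url] += 1     # learned as a candidate entry
            return "allow(staged:*)"       # a staged entry never blocks
        return "block" if self.blocking else "alarm"   # transparent = alarm

    def review(self, approved):
        """Operator review: accept only approved URLs, then end tightening.

        Returns the suggestions that were rejected, i.e. traffic that would
        have become an allowed URL had the review been skipped.
        """
        rejected = {u for u in self.suggestions if u not in approved}
        self.explicit |= set(approved) & set(self.suggestions)
        self.wildcard_tightening = False
        self.suggestions.clear()
        return rejected


def tightening_demo(blocking=True):
    """Constructed request stream: two URLs from the test plan plus one the
    operator did not control, then review, then enforcement."""
    stream = ["/app/login", "/app/report", "/app/login", "/not-in-test-plan"]
    policy = AllowedUrlPolicy(blocking=blocking)
    staged = [policy.handle(u) for u in stream]
    rejected = policy.review(approved={"/app/login", "/app/report"})
    enforced = {u: policy.handle(u) for u in ["/app/login", "/not-in-test-plan"]}
    return staged, rejected, enforced
```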