Welcome to the new Web Application Security Forum

Question

Welcome to the new Web Application Security discussion forum newly consolidated in the Security Groups. We've created this forum as a place to post questions and discuss design, configuration, and customization of F5's Application Security Manager (ASM). To get the background details on this powerful web application firewall, you can go here: http://www.f5.com/solutions/security/web-application/ &nbsp;
&nbsp;Additionally, you'll see some great answers and feedback from some of the leading security experts in the world - from F5 and other companies - that can help you determine the most effective way to protect your web application assets. Enjoy! &nbsp;
&nbsp;- Jeff

don_22992 · Answer

Thanks for creating this forum. I am looking forward to its becoming as valuable as the others on DevCentral. 
&nbsp;  
&nbsp; Don &nbsp;

nik_28578 · Answer

Good to see this forum. Here is the first question on ASM configuration of policies : 
&nbsp;  
&nbsp; For Allowed URL's Is it ok to create a wildcard URL "*" (indicating it allows all traffic using HTTP/HTTPS protocol) and perform staging on it ?  
&nbsp;  &nbsp;

hoolio · Answer

Hi Nik, 
&nbsp;  
&nbsp; Staging is used to test a tighter configuration in transparent mode before putting it in blocking.  You'd probably want to create the * URL and enable tightening on it if you want to define URLs more specifically while you allow any URL. 
&nbsp;  
&nbsp; Aaron

mike_maher · Answer

Nik,  
&nbsp; So I guess that all depends on what you are asking when you say is it ok to do this.   
&nbsp;  
&nbsp; If you are asking from an F5 configuration standpoint, I agree with Aaron that if you are learning URLs tightening would be your best option using the *.   
&nbsp;  
&nbsp; However if you are asking from a Security standpoint, my personal opinion on tightening is that I don't do in the production environment, I do 99.9% of tightening and staging (policy building) in a controlled test environment and then copy that policy to production.  I have occasionally done some very targeted staging for parameters in production and I do stage new Attack Signatures, but that is about it.  Unless you can control who is hitting your site during your tightening period I would restrict it to test environment only.  Just my personal opinion. 
&nbsp;  
&nbsp; Mike

Forum Discussion

Welcome to the new Web Application Security Forum

Recent Discussions

Can i apply ddos profile on virtual server using port range

I used the wrong email account when take Application Delivery Exam (101)

F5 iControl REST API - viewBy Parameter Issue in Analytics Report

'F5 rules for AWS WAF' ruleset not working for jsp web shell attack

Disable ssl or https for the embed url

Related Content

Welcome HeyHack, Security Co-Pilot, and Roku Breach, March 10th – March 17th - This Week in Security

From ASM to Advanced WAF: Advancing your Application Security

Adaptive Apps: Replicate & deploy WAF application security policies across F5's security portfolio

Positive Security vs. Negative Security: A Comparison Using F5's Security Portfolio

Enhance your Application Security using Client-side signals

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS