The BIG-IP Application Security Manager Part 2: Policy Building
This is the second article in a 10-part series on the BIG-IP Application Security Manager (ASM). The first article in this series discussed the basics of the BIG-IP ASM...what it is, why you need it,...
Published Sep 04, 2013
Version 1.0
ltwagnon
Ret. Employee
Joined May 15, 2019
ltwagnon
Nov 11, 2013
Ret. Employee
Praveen, thanks for the great questions!
1) You can place any security policy in transparent mode by selecting the policy and choosing the "transparent" radio button on the enforcement mode (see the last diagram in the article). In transparent mode, the policy will not block anything, but it will learn traffic patterns and collect log entries so that you can modify it according to your needs.
2) In order for a policy to block, it must be in blocking mode and signature staging must be turned off. When signatures are in staging mode, they are essentially learning traffic patterns on your network. The best way to implement a policy is to enable signature staging for a period of time (up to 2 weeks) and let the policy learn all about the traffic patterns of your application. Then, you can take the signatures out of staging mode and they will block the bad traffic. If you run into false positives, you can always look at your logs (Security > Event Logs > Application > Requests) and view the details of the violations. This view also gives you the option to "learn" a violation, so in the case of a false positive, you can simply "learn" the violation and your security policy will stop blocking on that specific request.
I hope this helps...let me know if you have any other questions!
John