Forum Discussion

suthomas1
Sep 06, 2020

Asm policy blocking

Good day all,

I have read that a new ASM policy is in learning mode for 7 days. After this period, is there manual action needed to put it in blocking mode after 7 days?

7 Replies

  • If you created your policy manually, then at the end of Enforcement Readiness Period you will have to manually place the policy into blocking mode. If you are using the Automatic policy building method, then ASM will do it for you. You don't mention which version of BIG-IP you're on. Prior to v15.x, the enforcement mode is at the top of the learning and blocking settings page. Does that help?

  • Adding to Erik's comment. Check out https://support.f5.com/csp/article/K13050156, and take a look at your policy building settings. Be careful with automatic learning mode, as malicious traffic can change your policy based on your learning settings.

    It sounds like you would benefit from a quick review of ASM F5 operations guide:

    https://support.f5.com/csp/knowledge-center/software/BIG-IP?module=BIG-IP%20ASM

  • The http (and not https) virtual server must have been selected for protection when the policy was built. This would have been done manually after the policy was created, or as part of the policy building wizard. Navigate to Security > Application Security : Policy Building : Learning and Blocking Settings and check the Learning Mode. It will indicate Automatic based on the information you provided above.

  • Thank you Erik & LB. BIG-IP is on 12.1. Is there any way to check whether the current policies were done manually or automatically?

    I notice that the security policy is applied to the http virtual server and not to an https virtual server (even if one exists for the same service). Is there any reason for this?

    "The Policy Builder last updated the security policy 15 minutes and 46 seconds ago"; where can I see what it has updated? (This is from a new automatic policy built recently.)

  • Thanks Erik. I am creating a new policy, so the question is whether there is any reason I should be choosing the http virtual server instead of https, or vice versa?

    I want to grasp the reason for choosing either one in the security policy.

  • The reason is that you must know if your application uses secure HTTP (that's what the "s" means in HTTPS) or unsecured HTTP for data transmission. Most applications today use HTTPS. Security is provided to data in transit by encrypting the payload using TLS (SSL). ASM cannot apply security processing to encrypted data. This data must be unencrypted first. To do that, you need to allow BIG-IP to handle the unencryption before it reaches the security policy. Here is a good explanation about the server vs. client SSL profiles which will facilitate this:

    https://support.f5.com/csp/article/K72355246

  • Again, just adding to what Erik stated.

    You need an http profile (https://support.f5.com/csp/article/K40243113) to allow deep packet inspection, which is required for ASM processing (https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/34.html >> control + find "http profile"). Any http/80 virtual server should redirect to 443 (hopefully the site is configured for https), and the ASM policy can be applied to both virtual servers (but it shouldn't matter over https if there's a redirect irule/traffic policy).
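The layout the last two replies describe (TLS terminated on BIG-IP so ASM sees plaintext, an http profile on the protected virtual server, and the port 80 virtual server only redirecting to 443), as an added tmsh example that is not part of the thread and not taken from F5's documentation. The object names, the address 192.0.2.10, the pool app_pool and the certificate/key objects app.crt and app.key are placeholders I chose; the cert and key are assumed to be already installed on the device, and _sys_https_redirect is the iRule that ships with BIG-IP.

```tmsh
# Added example, not from the thread: a minimal BIG-IP 12.1 virtual server layout.
# Placeholders chosen for this example: 192.0.2.10, app_pool, app.crt, app.key.

# 1. Client SSL profile. BIG-IP terminates TLS here, so the http profile and the
#    ASM policy behind it see plaintext requests instead of encrypted records.
create ltm profile client-ssl app_clientssl defaults-from clientssl cert app.crt key app.key

# 2. HTTPS virtual server: http profile (required for ASM processing) plus the
#    client-ssl profile. This is the virtual server the ASM policy belongs on.
create ltm virtual vs_app_https destination 192.0.2.10:443 ip-protocol tcp profiles add { http app_clientssl } pool app_pool

# 3. HTTP/80 virtual server: its only job is to redirect to HTTPS with the
#    built-in _sys_https_redirect iRule, so no application traffic is served in the clear.
create ltm virtual vs_app_http destination 192.0.2.10:80 ip-protocol tcp profiles add { http } rules { _sys_https_redirect }

# 4. Verify the https virtual carries both profiles and the http virtual carries the
#    redirect before attaching the ASM policy. Attaching the policy itself (on the
#    virtual server's Security > Policies page, or through an LTM policy) is not shown.
list ltm virtual vs_app_https profiles
list ltm virtual vs_app_http rules

save sys config
```

If the ASM policy is attached to vs_app_http as well, it should see nothing but the redirect, which is why the last reply says it does not matter much there; the policy that actually inspects application requests is the one on vs_app_https.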