Mr__Katic_15215
Nov 06, 2014

ASM Policy Builder..

Hi Everyone,


I am setting up and tuning an ASM policy for one application. When I generate a SQL injection attack on purpose it is detected on ASM, rated as risk 5, listed in Violations, but still rated as a legal request and not listed under illegal requests. My policy is on the comprehensive level, in blocking mode. The same happens when I try to trigger a response on XSS activity. Generally, almost none of the risk-rated (1-5) requests are blocked, and I have put my policy in blocking mode. Less than 1% of suspicious requests are blocked and listed as illegal requests in the Event Log. I am a little bit confused with this and need some clarification. If I click Learn on each false positive and then Accept it, will that make the policy treat this type of request as legal in future, or only this request from that IP at that moment? If the status is legal for a request in the event log but there is risk 1 or 2, and I ignore it and don't do anything, can I assume the production policy will ALLOW this TYPE of request in future, with no need to click Learn + Accept on each false positive? How can I tell the policy builder that some request listed as legal is actually illegal and I want it to block it? I only see an Accept button, not an option for blocking this type of request in future.


Sorry for the bunch of Qs, first policy of mine...


Thank You


3 Replies

  • To answer one question:


    "If I click Learn on each false positive and then Accept it, will that make the policy treat this type of request as legal in future, or only this request from that IP at that moment?"


    The policy will treat the request as legal going forward for all requests. Sometimes there is some scope on this action, like "disable on parameters", which would only disable it if matched on a parameter (but not a header or URI). Also, if you have specific parameters/URLs defined, it can be applied to only those and not to everything (the wildcard parameter, if it exists).


  • nathe

    Yes. Items in staging are classed as legal. At the end of the enforcement period, either accept the false positives or not, and enforce the other items, e.g. attack signatures. These will now trigger illegal requests. N


  • I think the best way to protect against SQL injection and XSS is by creating a Rapid Deployment policy instead of Comprehensive or Fundamental. I have been busy with ASM labs and found out that the Rapid Deployment template protects against such attacks from the get-go; you can then tune the policy to suit your requirements. But the best way is by using the Rapid Deployment template.
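A simplified model of the staging / enforcement / accept behaviour described in the first two replies, added here as an illustration and not F5 ASM's own code: staged signatures log a violation and a learning suggestion but leave the request legal, enforced signatures make it illegal only when the policy is in blocking mode, and an accepted suggestion applies to every future matching request, optionally scoped to one parameter. All class and function names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Signature:
    name: str
    staged: bool = True               # staging: log + learning suggestion, never block
    disabled_globally: bool = False   # Learn -> Accept with no scope
    disabled_on_params: set = field(default_factory=set)  # Accept scoped to a parameter

@dataclass
class Policy:
    enforcement_mode: str             # "blocking" or "transparent"
    signatures: dict                  # signature name -> Signature

def classify(policy, matches):
    """matches: list of (signature_name, location, parameter_or_None); returns (status, violations, suggestions)."""
    violations, suggestions, illegal = [], [], False
    for sig_name, location, param in matches:
        sig = policy.signatures[sig_name]
        if sig.disabled_globally or (location == "parameter" and param in sig.disabled_on_params):
            continue                  # accepted false positive: no violation at all
        violations.append(sig_name)   # shown in the event log with its risk rating
        if sig.staged:
            suggestions.append(sig_name)   # staged item: request stays legal
        elif policy.enforcement_mode == "blocking":
            illegal = True            # enforced + blocking mode: request becomes illegal
    return ("illegal" if illegal else "legal", violations, suggestions)

def accept(policy, sig_name, parameter=None):
    """Learn -> Accept: applies to every future matching request, not one client or moment."""
    sig = policy.signatures[sig_name]
    if parameter is None:
        sig.disabled_globally = True
    else:
        sig.disabled_on_params.add(parameter)

def enforce(policy, sig_name):
    policy.signatures[sig_name].staged = False   # end of the enforcement period

def demo():
    pol = Policy("blocking", {"SQLi": Signature("SQLi"), "XSS": Signature("XSS")})
    req = [("SQLi", "parameter", "id")]          # constructed sample match
    staged = classify(pol, req)                  # legal, but logged and suggested
    enforce(pol, "SQLi")
    enforced = classify(pol, req)                # illegal now
    accept(pol, "SQLi", parameter="id")          # scoped accept on parameter "id"
    scoped = classify(pol, req)                  # clean: accepted on that parameter
    header = classify(pol, [("SQLi", "header", None)])  # scope does not cover headers
    return staged, enforced, scoped, header
```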