Forum Discussion

suthomas1
Oct 07, 2022
Solved

ASM policy

Good day all,

I have the following doubts about creating a new policy for a VS.

1) Is an HTTP profile necessary to attach an existing VS to the sec policy?

2) Initial mode is enforcement for 7 days as I understand. After 7 days, does it go to Blocking mode by itself, or is it done manually?

3) If it's manual, once it's changed to Blocking mode, does it disrupt the VS connections generally, other than when security events against the sec policy block malicious attempts, etc.?

4) What are the other things to be sure about when creating a new policy?

Appreciate all inputs, thanks in advance.

 

  • 1) Is an HTTP profile necessary to attach an existing VS to the sec policy?

    Yes, it is. The HTTP profile's purpose is to correctly parse HTTP data and identify the various elements of the request, so that your policy can verify them and eventually match violations. If you don't assign an HTTP profile, traffic will be treated as a generic flow of data.

    If traffic is encrypted, of course you need SSL profiles as well.

    2) Initial mode is enforcement for 7 days as I understand. After 7 days, does it go to Blocking mode by itself, or is it done manually?

    Transition to blocking is manual. Also, depending on your learning configuration, some of the entities might require manual enforcement in order to be effectively deployed.

    3) If it's manual, once it's changed to Blocking mode, does it disrupt the VS connections generally, other than when security events against the sec policy block malicious attempts, etc.?

    When you configure Blocking mode, the WAF policy will actively start to intercept all traffic that matches a violation. You should perform traffic learning on the application and tune your security policy accordingly before attempting this transition.

    4) What are the other things to be sure about when creating a new policy?

    It's always best to have a good understanding of what the web application does and what type of traffic is expected, in order to avoid "loosening" the controls too much. Good WAF tuning is effective in intercepting zero-day attacks.

    You should also know how often the application is subject to changes: if the application changes with monthly frequency (or more often), it's pretty difficult to perform deep learning of application traffic, and a lot of false positives might show up. Also, knowing when the application will change is important, because the WAF configuration will likely require some tuning in order to have the most effective protection.

    Last thing worth mentioning: if you're scheduling extensive learning periods, make sure that NO pentesting/scans/... are performed (or at least bypass learning for those IPs), because the policy might learn and allow some "bad" traffic which is actually not needed.
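As an added example (not code from this thread, nor from F5), the following script turns the answer's prerequisites into a pre-flight check you can run against an exported virtual-server definition before attaching a policy: it confirms an HTTP profile is present, confirms a client-SSL profile is present when the service port is a TLS port (so the WAF is not handed ciphertext), and lists the reasons a policy is not yet ready to be switched from transparent to blocking (the switch itself stays a manual step). The dict shapes, field names (`profiles`, `type`, `destination`, `enforcement_mode`, `days_in_transparent`, `pending_suggestions`, `staged_entities`) and sample values are constructed assumptions loosely modelled on what `tmsh list ltm virtual` prints; they are not an F5 data model, so adapt them to whatever your own export produces.

```python
"""Pre-flight checks before attaching an ASM / Advanced WAF policy to a virtual server.

Added example, not code from the thread or from F5. The dict shapes below are
constructed stand-ins; adapt the field names to whatever your own export of
`tmsh list ltm virtual` / `tmsh list asm policy` actually produces.
"""

TLS_PORTS = {443, 8443}

# Constructed sample virtual servers (assumed shape: name, tmsh-style
# destination, and a list of profiles tagged with their profile type).
SAMPLE_VIRTUALS = {
    "https_ok": {
        "name": "/Common/app_https_vs",
        "destination": "/Common/10.0.0.10:443",
        "profiles": [
            {"name": "/Common/tcp", "type": "tcp"},
            {"name": "/Common/clientssl", "type": "client-ssl"},
            {"name": "/Common/http", "type": "http"},
        ],
    },
    "tcp_only": {
        "name": "/Common/legacy_vs",
        "destination": "/Common/10.0.0.11:443",
        "profiles": [{"name": "/Common/tcp", "type": "tcp"}],
    },
    "ipv6_no_ssl": {
        "name": "/Common/v6_vs",
        "destination": "/Common/2001:db8::10.443",
        "profiles": [
            {"name": "/Common/tcp", "type": "tcp"},
            {"name": "/Common/http", "type": "http"},
        ],
    },
}


def destination_port(destination):
    """Extract the service port from a tmsh destination such as
    /Common/10.0.0.10:443 or /Common/2001:db8::10.443 (tmsh separates an
    IPv6 address from its port with a dot, an IPv4 address with a colon)."""
    addr = destination.rsplit("/", 1)[-1]          # drop the partition prefix
    sep = "." if addr.count(":") > 1 else ":"      # more than one ':' means IPv6
    port = addr.rsplit(sep, 1)[1]
    return int(port) if port.isdigit() else 0      # tmsh prints "any" for port 0


def asm_prerequisite_problems(vs):
    """Reasons the WAF policy could not inspect this virtual server's traffic."""
    problems = []
    types = {p["type"] for p in vs["profiles"]}
    if "http" not in types:
        problems.append("no HTTP profile: requests are not parsed, traffic is an opaque stream")
    if destination_port(vs["destination"]) in TLS_PORTS and "client-ssl" not in types:
        problems.append("TLS service port without client-ssl profile: the WAF sees only ciphertext")
    return problems


def ready_for_asm(vs):
    return not asm_prerequisite_problems(vs)


# Constructed sample policy state (assumed fields, not an F5 data model).
SAMPLE_POLICY = {
    "name": "/Common/app_policy",
    "enforcement_mode": "transparent",
    "days_in_transparent": 7,
    "pending_suggestions": 12,   # learning suggestions nobody has accepted or rejected
    "staged_entities": 3,        # entities still in staging, not yet enforced
}


def blocking_transition_blockers(policy, min_transparent_days=7):
    """Reasons not to switch enforcement to blocking yet. The switch itself is
    always a manual step; this only reports whether the learning and tuning
    recommended in the thread has actually been finished."""
    if policy["enforcement_mode"] == "blocking":
        return []                                   # nothing left to transition
    reasons = []
    if policy["days_in_transparent"] < min_transparent_days:
        reasons.append(f"only {policy['days_in_transparent']} days of transparent-mode traffic")
    if policy["pending_suggestions"]:
        reasons.append(f"{policy['pending_suggestions']} learning suggestions not reviewed")
    if policy["staged_entities"]:
        reasons.append(f"{policy['staged_entities']} entities still staged, need manual enforcement")
    return reasons


if __name__ == "__main__":
    for label, vs in SAMPLE_VIRTUALS.items():
        print(label, "OK" if ready_for_asm(vs) else asm_prerequisite_problems(vs))
    print(SAMPLE_POLICY["name"], blocking_transition_blockers(SAMPLE_POLICY) or "ready for blocking")
```

On the sample data, `https_ok` passes, `tcp_only` fails both checks, and the IPv6 server fails only the client-SSL check; the sample policy has waited the seven days but still has unreviewed suggestions and staged entities, so it is reported as not ready for blocking.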

3 Replies

  • Hello,

    Better to read the F5 Advanced WAF/ASM operations guide to get general knowledge about the product (it is not that long):

    https://support.f5.com/csp/article/K73819494

    Also, F5 has great self-paced learning and instructor-led trainings:

    https://www.f5.com/services/training#sort=%40f5_title_sort%20ascending&f:@f5_primary_product=[Advanced%20WAF]&f:@f5_document_type=[Instructor-led]

    Before, there was an F5 "getting started" series for every F5 module, but for some reason they were removed. Still, I found the getting-started video on YouTube; for a fast one-hour review that answers your questions you can watch it, but it is still better to read the operations guide after that, and if you are going to work with Advanced WAF it will be really good to go to the instructor training:

    https://www.youtube.com/watch?v=XmAreg7RNr0


  • I have also noticed policies under the VS where it states which sub-links (e.g. /abc, /xyz from a site link) should be allowed.

    Is this actually part of ASM or is it different from ASM? Are the logs expected to be seen in ASM for these policies?