I am wondering how to best manage ASM policy - most of the VIPS can use a basic policy that only checks for signatures. Now, if one of the VIPS using this policy has a false positive, how can I disable the signature for only that VIP and not for all the VIPS using this policy?
Options 1. Create copy of existing asm policy and customise per requirement. Now assign new asm policy to particular vip.
Options 2. Use iRule and bypass certain signature id but not sure the feasibility.
You could create a Parent policy with attack signatures configured as optional. Use that parent policy as the basis for new policies. You can then disable the signature causing the FP, or leave it in staging, for that single policy only. The change will not affect the Parent policy or other policies based on the Parent.
Thanks guys, I have started to use a Parent policy as the base policy and build out the ASM on a per VIP basis.
Great input and thanks for validating some ops procedures for me.