I work in a pretty large enterprise, and our BIG-IP instances work as a gateway (both LTM & WAF) for a bunch of self-hosted services, including MLaaS services, OpenShift and more.
We've recently had several new services added to our internal network (each can be identified by its own hostname, e.g. my-new-service.internal), and we wish those to be covered by the same WAF policy, and also accessible through the same LTM virtual listener (there is a single listener for the entire internal network). The problem is, there cannot be WAF blocks due to false positives, so we need a way to only enable learning (non-blocking) mode for the new hosts, until the WAF policy acclimatizes to the new hosts.
Is there something we can enable to create a 1-week learning period for new hosts, or alternatively redirect new hosts to a non-blocking policy?
Your second suggestion sounds most logical. Duplicate policy, enable learning and assign different policies with iRule or LTP based on host name.
Beyond that, 100% no false positives always feels like an impossible target. In this case, sure, you can make it hurt way less. But there will be incidents with the WAF at some point if you change the environment.
You could also wonder if one policy for very different environments is a logical choice. If they're very similar, perhaps. But the more they differ, the more openings you create where they shouldn't be. You could look into parent and child policies and see if you can keep the exceptions more targeted.
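One way to implement the host-based policy selection suggested above, as an added example iRule that is not from the answer or from F5: new hostnames get a copy of the policy running in Transparent (learning-only) enforcement mode, everything else keeps the Blocking policy. The hostnames and both policy names are placeholders, and it is assumed that both ASM policies exist and are associated with the virtual server's LTM policy so that `ASM::enable` can switch between them.

```tcl
# Added example, not part of the original thread. Placeholder policy names:
#   /Common/internal_waf_transparent  - duplicate of the production policy,
#                                       enforcement mode set to Transparent
#   /Common/internal_waf_blocking     - the existing enforcing policy
# Assumption: both policies are attached to the listener's LTM policy.
when HTTP_REQUEST {
    # The Host header may carry a port (host:8443); drop it and normalise case
    # so that a request cannot dodge the match with odd capitalisation.
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]

    switch -exact -- $host {
        "my-new-service.internal" -
        "other-new-service.internal" {
            # Newly onboarded hosts: learn only, never block.
            ASM::enable /Common/internal_waf_transparent
        }
        default {
            # Established hosts stay on the enforcing policy.
            ASM::enable /Common/internal_waf_blocking
        }
    }
}
```

Once a host has finished its learning period, remove it from the list so it falls through to the blocking policy; leaving hosts on the transparent policy indefinitely silently disables the WAF for them.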