Forum Discussion

Abed_AL-R
Mar 24, 2022

Managing many WAF policies

Hello guys

My question is more likely to be an administrative question, and less technical. And I need some advice on this.

We're managing so many WAF policies for so many websites. About 50+ policies. And each website has its own developers. So each time there are WAF suggestions on each policy we contact each developer to tell us if we should accept those suggestions or discard them. And this is a lot of work.

Those developers have no access to the F5 machine and even have no clue how to manage it.

I thought about creating an FTP server where I can upload those suggestions and give access to developers, and then they will update me which suggestions to approve and which not. But I'm not sure if this is a creative solution, plus there will be a lot of work exporting and uploading suggestions.

Has anyone faced the same thing and come up with a creative solution and made it easy to manage this amount of policies with that amount of developers? What do you think about this?

 

3 Replies

  • Hi

    I think you need to change the approach to your WAF implementation and maintaining policies. With this amount of policies and learning suggestions you cannot do it efficiently "by hand". Involving developers each and every time is not a good approach either - sooner or later they will hate you and end up with answers "this is good - accept this" 🙂 Developers should not be the only source of truth - usually they do not know much about security. Do they know what modules are installed on servers if they do not use them? These modules may be exploitable and you should worry about these too.

    You may find this article helpful: https://support.f5.com/csp/article/K07359270

    Regards

    xRes

  • First, thanks for your reply.

    Second, I have not mentioned the conversations between us and the developers. Of course we always check the security before accepting their acceptance. Developers will always say 'yes accept this', and by always I mean literally always. So we involve other ways and security staff to double-check their answers.

    But what I'm asking here is, if we have about 50+ policies, and each day there are so many suggestions, besides ignoring repetitive suggestions and fine tuning the policy to not suggest unnecessary suggestions, is there another creative approach to make it easy for us to manage those suggestions?

    For example, yesterday I found two nice CLI commands, and I could make a scheduled script to send us the output of those commands by mail. This will save us maybe a 10-15 minute check each day 🙂

     

    https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/analytics/analytics_asm-learning-suggestions_report.html

     

    I hope now my question is much clearer.

  • Hi,

    Have you tried using the Automatic Learning mode? One of the main goals of this mode is to reduce administrative effort.

    Also, check this small tool:

    https://github.com/irgoncalves/f5-waf-quick-view

    It reports on which policies have learning suggestions and the amount of them. This could identify which policies you want to look at right away.