cancel
Showing results for 
Search instead for 
Did you mean: 

Managing many WAF policies

Abed_AL-R
Cirrostratus
Cirrostratus

Hello guys

My question is more likely to be administrative question, and less technical. And I need some advices on this.

We're managing so many WAF policies for so many websites. About 50+ policies. And each website has his own developers. So each time there is WAF suggestions on each policy we contact each developer to tell us if we should accept those suggestions or discard them. And this is a lot of work.

Those developers has no access to the F5 machine and even have no clue how to manage it.

I thought about creating an FTP server where I can upload those suggestions there and give access to developers and then they will update me which suggestions to approve and which not. But I'm not sure if this is creative solution, plus there will be a lot of work of exporting and uploading suggestiins.

Has any one faced the same thing and came up with a creative solution and made it easy to manage this amount of policies with those amount of developers? What do you think about this?

 

3 REPLIES 3

xRes
Cirrus
Cirrus

Hi

I think you need to change the approach to your WAF implementation and maintaining policies. With this amount of policies and learning suggestions you cannot do it efficiently "by hand". Involving developers each and every time is not a good approach too - sooner or later they will hate you and end-up with answers "this is good - accept this" 🙂 Developers should not be the only source of truth - usually they do not know much about security. Do they know what modules are installed on servers if they do not use them? These modules may be exploitable and you should worry about these too.

You may find this article helpful: https://support.f5.com/csp/article/K07359270

Regards

xRes

Abed_AL-R
Cirrostratus
Cirrostratus

First, thanks for your reply.

Second, I have not mentioned the conversations between us and the developers. Of course we always check the security before accepting there acceptance. Developers will always say 'yes accept this', and by always I mean literally always. So we envolve other ways and security staff to doublecheck there answers.

But what I'm asking here is, if we have about 50+ policies, and each days there many so many suggestions, beside ignoring repeatative suggestions and fine tuning the policy to not suggest unnecessary suggestions, is there another creative approache for make it easy for us to manage those suggestions.

For example yesterday I found two nice CLI command that I could make a scheduled script to sent by mail to us the output of those commands. This will save us maybe 10-15 minutes check each day 🙂

 

https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/analytics/analytics_asm-learning-suggestions_report.html

 

I hope now my question is much clear.

Ismael_Goncalves
F5 Employee
F5 Employee

Hi,

Have you tried using the Automatic Learning mode? One of the main goal of this mode is to reduce administrative effort. 

Also, check this small tool:

https://github.com/irgoncalves/f5-waf-quick-view

It reports on which policies have learning suggestions and the amount of them. This could identify which policies you want to look right away.