
WhiteHat and ASM existing policies

Mohamed_Lrhazi
Altocumulus

Can one add WhiteHat to existing, already in production, ASM policies?

Or does one have to start from scratch, and create a new policy?

 

The only documentation I found does not seem to mention the existing policies use case!

 

https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-getting-started-11-6-0/5.ht...

 

Thanks!

 

5 REPLIES

Mohamed_Lrhazi
Altocumulus

The docs excerpt:

 

  1. On the Main tab, click Security > Application Security > Security Policies. The Active Policies screen opens.
  2. Click the Create button. The Deployment wizard opens to the Select Local Traffic Deployment Scenario screen.
  3. For the Local Traffic Deployment Scenario setting, specify a virtual server to use for the security policy.
     • To secure an existing virtual server that has no security policy associated with it, select Existing Virtual Server and click Next.
     • To create a new virtual server and pool with basic configuration settings, select New Virtual Server and click Next.
     • To create an active but unused security policy, select Do not associate with Virtual Server and click Next. No traffic will go through this security policy until you associate it with a virtual server. The Policy Builder cannot begin automatically creating a policy until traffic is going to ASM through the virtual server.
     The virtual server represents the web application you want to protect. The Configure Local Traffic Settings screen opens if you are adding a virtual server. Otherwise, the Select Deployment Scenario screen opens.

 

Erik_Novak
F5 Employee

ASM can apply vulnerability assessment outputs to all policies, regardless of how they were created initially.

 

If the Vulnerabilities tab is accessed when the currently edited policy is not scanner-originated, users will see a warning message, asking them to choose a vulnerability assessment tool. Then you can append the WhiteHat output to your existing policy.


Mohamed_Lrhazi
Altocumulus

Thanks Erik!

 

That is exactly my understanding, after playing with the product for a bit....

 

The problem is that our sales person claimed that policies must be created afresh and will be fully managed by WhiteHat... You cannot customize them before you add WhiteHat, and you cannot modify/tune them afterwards. WhiteHat fully manages the policies, or you do. You cannot mix.

 

That is a very wrong understanding, right?

 

 

Erik_Novak
F5 Employee

You are correct. You can indeed amend an existing policy, not created afresh, and not created by a 3rd-party vulnerability scanner such as WhiteHat. To be clear: WhiteHat will not "fully manage" the policy. WhiteHat will provide you with an XML file that contains a vulnerability assessment. You can import this file into any security policy--after you select WhiteHat as the vulnerability assessment tool. Then you can use ASM to resolve vulnerabilities reported by WhiteHat. I think the misunderstanding may be that once you select the vulnerability assessment tool, you cannot change it later--you can't mix multiple scanner outputs such as WhiteHat, Qualys, WebInspect, etc. within the same policy. Make sense?

Makes sense. Thanks a lot Erik!