Best way to let developers adjust ASM policy
Hello Everyone,

Intro: Behind our F5s we have multiple web servers managed by different dev teams with different security levels and also working with different technologies.

I'd like to ask you, based on your practical experience, what is the best way to adjust an ASM policy to the current release of the web application? I know there is learning mode and we also have a test env., but you might test as long as you want and you will never catch all possible causes, and so in the PROD env. you will have to solve quite a lot of ASM issues (illegal parameter type, illegal URL ... etc).

Is there any way to offer developers some page/script/scantool/iApp that would help them adjust the ASM policy by themselves? If yes, which one is the preferred way? Or shall I just develop one (shouldn't be hard, just a couple of forms saving the result in .xml)? I don't believe I'm the only one with this need/question.

Thank you.
Y

Solved | 428 Views | 0 likes | 5 Comments

Some questions about ASM module from a beginner
Hello Everyone,

My company recently bought some ASM licences for our F5 BIG-IP and I'm in charge of defining the security policies, but I have no experience in it so far and a read-only account, so it's pretty hard to run some tests, and that's why I have some questions for you:

1/ What's the difference between Transparent and Blocking in Enforcement mode, and what suits each of them best in the signature set (learn/alarm/block)?

2/ What does "staging signature" mean? What if I don't set a signature set, what does the policy block?

3/ What's the difference between Block in the policy (enforcement mode) and Block in the signature set option? Also, correct me if I'm wrong, but learn allows me to use the "manual traffic learning" option to see which threats the policy has detected, and alarm is a log system-like?

4/ What happens if I activate both block options?

5/ Scenario that would be much like what I will do to deploy my policies: I want to observe which threats there are and who is doing them on my VS already in production before deciding what to block. What would be the best configuration: Transparent as "enforcement mode", "attack signatures configuration" in learn/alarm mode with an ERP of, let's say, 30 days, or something else? After finishing my analysis, where can I see what has been signaled by the signatures, and where can I decide if I block them or not?

8/ What happens once the ERP is over? Do I have to change the enforcement mode once the analysis is over (Transparent -> Blocking, for example)? Will my policy keep checking if new threats will be detected?

I know it's a lot of questions to answer but I have no one else to turn to, so thank you very much in advance.

Regards,

580 Views | 0 likes | 5 Comments

ASM: About the effects of "Real Traffic Policy Builder" to "Perform Staging"
Hi All

My ASM's configuration is as follows:

Security ›› Application Security : Policy Building : Real Traffic Policy Builder® Settings is DISABLED
Security ›› Application Security : Parameters : Parameters List ›› Parameter Properties : Perform Staging is ENABLED

I think that with "Real Traffic Policy Builder" closed, "Perform Staging" is invalid. But why do I need to DISABLE the parameter's "Perform Staging" to block the parameter's violations?

Thanks
D.Luo

283 Views | 0 likes | 2 Comments

ASM - The difference between Real Traffic Policy Builder & Staging & Learn .
Hi All

Who can tell me in particular about the "difference" and "relationship" between three configurations? Their configuration paths in the ASM Web GUI:

(1) Security ›› Application Security : Policy Building : Settings -> "Real Traffic Policy Builder"
(2) Security ›› Application Security : URLs/Attack Signatures Configuration/Parameter .... -> "Perform Staging"
(3) Security ›› Application Security : Blocking : Settings -> "Learn"

Many Thanks
D.Luo

Solved | 579 Views | 0 likes | 8 Comments