Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP Application Security Manager
  2. Application Security Policy Templates in F5 ASM

Explicit Entities Learning

1. “Add All Entities” / “Always”

  • Description:

    • This option creates a comprehensive whitelist policy by adding all explicit entities that match a wildcard.

    • Results in a strict and granular configuration.

    • Suitable for environments requiring maximum security.

  • Automatic Learning Mode:

    • Automatically adds all explicit entities matching a wildcard.

    • Once the policy stabilizes, the wildcard (*) is removed to enforce stricter entity control.

  • Manual Learning Mode:

    • Suggests explicit entities matching the wildcard for manual review and addition.

    • Does not remove the wildcard.

  • Use Case:

    • Best for organizations prioritizing high security over ease of management.

    • Works well for applications with predictable and well-defined entities.

2. “Never (Wildcard Only)”

  • Description:

    • The policy relies solely on the wildcard entity (*), resulting in a simpler policy with less granularity.

    • Easy to manage but less strict in terms of security.

  • Automatic Learning Mode:

    • Does not add explicit entities matching the wildcard.

    • Modifies the attributes of the wildcard entity to reflect new learning.

    • The wildcard is not removed.

  • Manual Learning Mode:

    • Does not suggest adding explicit entities matching the wildcard.

    • Suggests modifying attributes of the wildcard entity.

    • The wildcard remains in place.

  • Use Case:

    • Suitable for simpler environments with low risk or when minimal configuration is required.

    • Balances simplicity with basic protection.

3. “Selective”

  • Description:

    • A balanced approach between strictness, policy size, and maintenance.

    • Adds explicit entities only when false positives occur with the wildcard entity.

  • Automatic Learning Mode:

    • Adds explicit entities that do not match the wildcard’s attributes.

    • Does not remove the wildcard.

  • Manual Learning Mode:

    • Suggests adding explicit entities that match the wildcard for manual review.

    • Retains the wildcard in the policy.

  • Use Case:

    • Ideal for environments where false positives need addressing without overcomplicating the policy.

    • Offers a middle ground between security and ease of maintenance.

4. “Compact”

  • Description:

    • A compact approach that leverages scoring thresholds to determine whether new entities should be added to the policy.

    • Ensures the policy remains efficient and avoids bloating.

  • Settings:

    • add_entity_min_score: Threshold for adding new entities (default = 100%).

    • cleanup_entity_min_score: Threshold for removing unused entities (default = 10%).

    • cleanup_entity_min_seconds: Time threshold for removing unused entities (default = 24 hours).

    • To disable automatic cleanup: set cleanup_entity_min_seconds = -1.

  • Automatic Learning Mode:

    • Adds explicit entities matching the wildcard if their learning score meets the add_entity_min_score threshold.

    • The wildcard remains.

  • Manual Learning Mode:

    • Suggests adding explicit entities based on their learning score.

    • Does not remove the wildcard.

  • Use Case:

    • Best for environments prioritizing policy efficiency and size control.

    • Suitable for applications where traffic patterns are dynamic and change frequently.

Comparison Table

Option

Granularity

Ease of Management

Strictness

Use Case

Add All Entities

High

Low

High

Maximum security, predictable entities.

Never (Wildcard)

Low

High

Low

Simplified policy, basic protection.

Selective

Medium

Medium

Medium

Balance between security, size, and maintenance.

Compact

Low

High

Medium

Efficient policy management with minimal bloat.

Key Considerations

  • Policy Size: More explicit entities increase the size and complexity of the policy but improve precision.

  • Wildcard Usage: Retaining the wildcard simplifies management but sacrifices strictness.

  • False Positives: Choose "Selective" or "Compact" to address false positives effectively.

  • Scoring: "Compact" adds automation and efficiency using learning score thresholds.

PreviousSecurity Policy LevelsNextPolicy Modification

Last updated 3 months ago