Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP Application Security Manager
  2. Application Security Policy Templates in F5 ASM

Security Policy Enforcement Modes

  1. Transparent (Staging):

    • Description: The policy logs all requests and violations but does not block any requests.

    • Use Case: Ideal during the initial policy building phase to observe traffic behavior without impacting application availability.

    • Outcome: Provides insights into potential violations without enforcement.

  2. Blocking:

    • Description: In addition to logging, this mode blocks all requests that trigger violations.

    • Use Case: Suitable once the policy has matured and is ready for full enforcement.

    • Outcome: Ensures strict security by preventing malicious activities from reaching the application.

Learning Modes

Learning modes define how the system processes and applies learning suggestions during policy building.

  1. Automatic:

    • Learning suggestions are automatically applied when the Learning Score reaches 100%.

    • Pros: Minimal administrative overhead; suitable for well-understood traffic patterns.

    • Cons: Potential for false positives if not carefully monitored.

  2. Manual:

    • Administrators must manually accept learning suggestions, refining the policy incrementally over time.

    • Pros: High precision; reduces false positives and unnecessary policy changes.

    • Cons: Requires ongoing administrative involvement.

  3. Disabled:

    • The learning process is deactivated; no suggestions are made, and the policy remains static.

    • Use Case: Appropriate for environments where the policy is stable and does not require updates.

Traffic Sampling (Learning Speed)

The Traffic Correlation Engine analyzes incoming traffic samples to determine patterns and make learning suggestions. The speed setting influences the number of samples and the learning rate.

  1. Slow:

    • Characteristics:

      • Examines more traffic before making learning suggestions.

      • Designed for applications with high client diversity and public exposure.

    • Use Case: Reduces the risk of inaccurate suggestions in high-risk environments.

    • Outcome: Slower but more precise policy refinement.

  2. Medium (Default):

    • Characteristics:

      • Balances traffic analysis speed and suggestion accuracy.

      • Suitable for most web applications with moderate traffic.

    • Outcome: Offers a practical middle ground for learning efficiency.

  3. Fast:

    • Characteristics:

      • Requires fewer traffic samples to generate suggestions, enabling rapid policy changes.

      • Designed for low-traffic or controlled environments, such as test setups.

    • Use Case: Accelerates policy development in low-risk scenarios.

    • Outcome: Quick learning with potential trade-offs in accuracy.

Comparison Table

Feature

Transparent Mode

Blocking Mode

Primary Purpose

Logging and observation

Full security enforcement

Blocking Behavior

No blocking

Immediate blocking of violations

Use Case

Policy building

Mature policies ready for enforcement

Learning Mode

Automatic

Manual

Disabled

Process

Automatically applies suggestions

Admin manually refines policy

No learning suggestions

Pros

Fast and hands-free

High precision

Stable policy

Cons

Risk of false positives

Time-intensive

Static policy

Traffic Sampling

Slow

Medium

Fast

Traffic Analyzed

Large volume

Moderate volume

Small volume

Learning Rate

Low

Moderate

High

Accuracy

High

Balanced

Moderate

This setup ensures that administrators can tailor enforcement and learning to match their application’s complexity, traffic behavior, and security needs.

PreviousApplication Security Policy LifecycleNextSecurity Policy Violation Flags

Last updated 3 months ago