# Important Tips about Security Policy in F5 ASM/AWAF

Here are some key points and best practices related to **Security Policies** in the **F5 ASM/AWAF** system:

***

#### **Parent and Child Security Policies**:

1. **Parent Policies**:
   * A **Parent Policy** is a higher-level policy that is not directly assigned to any virtual server.
   * It serves as a template or framework for **Child Policies**.
2. **Child Policies**:
   * **Child Policies** are assigned to virtual servers and enforce security configurations based on the parent policy.
   * Learning suggestions and **Blocking** enforcement are applied **only to the Child Policy**, not the Parent Policy.
   * After creating a security policy, certain settings, such as **Web Application Language Encoding**, **HTTP/HTTPS differentiation**, and **Case Sensitivity**, **cannot be changed** in the policy.

***

#### **Application Language Encoding**:

* F5 ASM checks incoming requests to ensure they match the defined **Application Language Encoding**.
* If a request does not decode cleanly with that encoding, the system retries the parse with a different encoding; the "Failed to Convert Character" violation is raised only when no encoding succeeds.

***

#### **Blocking Response Page**:

* **F5 Recommendation**: Serve the **Blocking Response Page** assets from a **local "sorry server"**.
* This setup helps handle violations in a way that provides a **clear message to the client** along with the proper **Support ID** for troubleshooting.

**Example script for redirecting blocked requests**:

```html
<script type="text/javascript">
window.location = "http://<FQDN or IP address>/defaultpage.php?parameter=<%TS.request.ID()%>";
</script>
```

This script redirects the user to a designated page with the **Support ID** for further investigation.
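As an added example (not F5's code and not part of the original page), here is the sorry-server side of that redirect: it pulls the Support ID out of the `parameter` query string, accepts it only if it looks like an ASM Support ID, and renders it escaped so nothing else placed in that parameter is reflected back to the browser. The sorry-server hostname, the handler shape and the digit-only Support ID rule are assumptions.

```python
"""Sorry-server handler for the ASM blocking page redirect (added example).

Assumes the blocking page sends the client to
  http://sorry.example.internal/defaultpage.php?parameter=<Support ID>
and that Support IDs are long decimal numbers (assumed format).
"""
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Support ID format as assumed here: a run of decimal digits.
SUPPORT_ID_RE = re.compile(r"^\d{8,24}$")


def extract_support_id(url: str) -> Optional[str]:
    """Return the Support ID carried in the redirect URL, or None.

    Exactly one 'parameter' value matching SUPPORT_ID_RE is accepted, so
    arbitrary text put into the parameter (e.g. by editing the URL) is
    never treated as a Support ID.
    """
    values = parse_qs(urlsplit(url).query).get("parameter", [])
    if len(values) != 1:
        return None
    value = values[0].strip()
    return value if SUPPORT_ID_RE.match(value) else None


def render_sorry_page(url: str) -> str:
    """Build the static HTML the sorry server returns for a blocked request.

    The Support ID is the only dynamic content; the page reveals nothing
    about which policy or violation caused the block.
    """
    support_id = extract_support_id(url)
    if support_id is None:
        body = "<p>The request was rejected. No valid Support ID was supplied.</p>"
    else:
        # html.escape is redundant after the digit check but keeps the
        # output safe if SUPPORT_ID_RE is ever relaxed.
        body = ("<p>The request was rejected for security reasons.</p>"
                f"<p>Please quote Support ID <strong>{html.escape(support_id)}"
                "</strong> when contacting the helpdesk.</p>")
    return f"<!DOCTYPE html><html><body>{body}</body></html>"


if __name__ == "__main__":
    # Constructed sample redirect; the Support ID value is made up.
    print(render_sorry_page(
        "http://sorry.example.internal/defaultpage.php?parameter=12345678901234567890"))
```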

***

#### **Learning Suggestions**:

* **Learning Suggestions**:
  * They **do not sync or move between BIG-IP ASM systems**.
  * They are only stored on the **ACTIVE unit** that learned the traffic.
  * **Cleared when the system is upgraded**, so it is important to **accept** or **clear all learning suggestions** before performing an upgrade to avoid losing valuable insights.

***

#### **Attack Signature Overlapping and Updating**:

* **Pre-v13.0 (Prior to BIG-IP v13.0)**:
  * When attack signatures are updated, they are **removed from Enforcement Mode** and placed in **Staging** mode. This change requires **manual validation** after the update.
* **v13.0+ (BIG-IP v13.0 and above)**:
  * Updated attack signatures **remain in Enforcement Mode** during the update process, ensuring that the security policy remains enforced without requiring manual intervention.

***

#### **Deleting Inactive or Allowed Entities**:

Starting with **BIG-IP ASM v13.1**, the **Policy Builder** detects entities that have not been observed in traffic for over **90 days**. The system suggests **manual deletion** of these inactive or unused entities, which include:

* **File types**
* **HTTP URLs**
* **WebSocket URLs**
* **Parameters**
* **Cookies**
* **Redirection domains**
* **Hostnames**

However, the **Wildcard (\*) entity** is excluded from deletion suggestions.

***

#### **Key Recommendations**:

1. **Regularly Review Learning Suggestions**: Review learning suggestions before an upgrade and either accept or clear them, since pending suggestions are discarded by the upgrade; this also keeps the policy up to date.
2. **Monitor Inactive Entities**: Regularly check for **inactive entities** and follow the manual deletion suggestions to clean up your policy and improve performance.
3. **Parent-Child Policy Understanding**: Ensure you understand the distinction between **Parent** and **Child Policies** and apply configurations at the child level as necessary.
4. **Proper Blocking Page Setup**: Always use a **local server** for blocking response pages to provide better user experience and tracking for violations.
