Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP Application Security Manager

Important Tips about Security Policy in F5 ASM/AWAF

Here are some key points and best practices related to Security Policies in the F5 ASM/AWAF system:

Parent and Child Security Policies:

  1. Parent Policies:

    • A Parent Policy is a higher-level policy that is not directly assigned to any virtual server.

    • It serves as a template or framework for Child Policies.

  2. Child Policies:

    • Child Policies are assigned to virtual servers and enforce security configurations based on the parent policy.

    • Learning suggestions and Blocking enforcement are applied only to the Child Policy, not the Parent Policy.

    • After creating a security policy, certain settings, such as Web Application Language Encoding, HTTP/HTTPS differentiation, and Case Sensitivity, cannot be changed in the policy.

Application Language Encoding:

  • F5 ASM checks incoming requests to ensure they match the defined Application Language Encoding.

  • If the encoding is incorrect, the system attempts to parse the request with a different encoding and will not trigger a "Failed to Convert Character" violation if it successfully parses with a different encoding.

Blocking Response Page:

  • F5 Recommendation: Serve the Blocking Response Page assets from a local "sorry server".

  • This setup helps handle violations in a way that provides a clear message to the client along with the proper Support ID for troubleshooting.

Example script for redirecting blocked requests:

<script type="text/javascript">
window.location = "http://<FQDN or IP address>/defaultpage.php?parameter=<%TS.request.ID()%>";
</script>

This script redirects the user to a designated page with the Support ID for further investigation.

Learning Suggestions:

  • Learning Suggestions:

    • They do not sync or move between BIG-IP ASM systems.

    • They are only stored on the ACTIVE unit that learned the traffic.

    • Cleared when the system is upgraded, so it is important to accept or clear all learning suggestions before performing an upgrade to avoid losing valuable insights.

Attack Signature Overlapping and Updating:

  • Pre-v13.0 (Prior to BIG-IP v13.0):

    • When attack signatures are updated, they are removed from Enforcement Mode and placed in Staging mode. This change requires manual validation after the update.

  • v13.0+ (BIG-IP v13.0 and above):

    • Updated attack signatures remain in Enforcement Mode during the update process, ensuring that the security policy remains enforced without requiring manual intervention.

Deleting Inactive or Allowed Entities:

Starting with BIG-IP ASM v13.1, the Policy Builder detects entities that have not been observed in traffic for over 90 days. The system suggests manual deletion of these inactive or unused entities, which include:

  • File types

  • HTTP URLs

  • WebSocket URLs

  • Parameters

  • Cookies

  • Redirection domains

  • Hostnames

However, the Wildcard (*) entity is excluded from deletion suggestions.

Key Recommendations:

  1. Regularly Review and Clear Learning Suggestions: Always clear learning suggestions before an upgrade to ensure they are not lost, and the policy is up-to-date.

  2. Monitor Inactive Entities: Regularly check for inactive entities and follow the manual deletion suggestions to clean up your policy and improve performance.

  3. Parent-Child Policy Understanding: Ensure you understand the distinction between Parent and Child Policies and apply configurations at the child level as necessary.

  4. Proper Blocking Page Setup: Always use a local server for blocking response pages to provide better user experience and tracking for violations.

PreviousEvasion Technique Detection in F5 ASM/AWAFNextL7 DDoS Attack Protection Configuration

Last updated 3 months ago