Forum Discussion
Umm... The last incident was observed on 11.6.1 HF6. The signature that got detected was "src http: (Parameter) (2)". However, the old signature that existed was "src http: (Parameter)" without (2).
The updated signature i.e. "src http: (Parameter) (2)" automatically took place and followed the ASM Policies' action i.e. Blocking.
So I think this needs to get verified.
- swo0sh_gt_13163 | Aug 09, 2016 | Altostratus
Hello Folks,
So this is confirmed. When you update ASM Signatures, newly updated signatures will never be placed into Staging; even if you click on the checkbox of "Place updated signatures in staging", it won't place the signature into staging.
This has been validated with F5 btw! The fix should be released in version 12.X as per the last update from F5.
- Hannes_Rapp | Aug 09, 2016 | Nimbostratus
@swoosh, stop spreading this nonsense.
- swo0sh_gt_13163 | Aug 09, 2016 | Altostratus
@Hannes Rapp, Well, that was rude. This community is built to exchange information and knowledge. And I don't see any issue putting that comment out there. I shared it because I got an update, and it might help others.
So better share your personal view and respect all the contributors to the community.
- Hannes_Rapp | Aug 10, 2016 | Nimbostratus
I'm not entirely accurate either, but this comment is just badly misleading. If it's F5's response, a lot has been taken out of context. That use of words would make another party think that it's better to not install ASM signature updates at all in v11.x.
Here's how it works: If you check the tick-box "Place updated signatures in staging", this modifies the staging status of ALL already-existing-but-updated signatures across ALL the policies you already have. Unless you explicitly configure your policies so that signature staging is not allowed. Regardless of whether you check that box, entirely new signatures will always be put into Staging. In short, it certainly is possible to gracefully install signature updates.
It's possible you had an incident where this feature did not work as intended, and the updated signatures remained in blocking status, but if that's the case, then it should be made clear under what circumstances the bug/issue is relevant.
- swo0sh_gt_13163 | Aug 10, 2016 | Altostratus
This is how the behavior is and how it is commonly applied to the Signature update. To overcome this behavior, what we generally do is enable Staging (Security > Application Security > Attack Signature Configuration) on all the Security Policies, then from the Signature List tab, manually enforce all the signatures. Follow the same on all the ASM Security policies.
So at the end, you will have "Staging" enabled on all the Security Policies, but none of the signatures inside will be under staging, as you have manually enforced them. Now if you update the Signature Database and use the checkbox "Place updated signatures in staging", it will place ONLY newly updated signatures into Staging.
I hope this clarifies, and that you will stop posting such harsh comments on a public community.
- Hannes_Rapp | Aug 10, 2016 | Nimbostratus
This elaboration just turned that misleading nonsense to useful information that could help someone looking to upgrade signatures. Will send my apology to you via a DHL parcel. Was hesitating, but the comment downvote has been withdrawn too. Thx for the contribution.