
Block all high/medium severity rules

Dear All,

I use F5-ASM, and it is learning from my traffic now, but as I saw, it catches only low severity rules.

Are there any options in F5-ASM to set all high/medium severity rules to block state without traffic learning? Has anyone done something like this?

Thanks,


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello,

Not sure if we are talking about the same thing, but in ASM you have both "Attack Signatures" and "Violations". If the problem is with the "Attack Signatures", then you can modify your ASM policy to trigger only on the following "Attack Signatures" categories:

Signature Set Name:

  • High Accuracy Signatures

  • Medium Accuracy Signatures

To do this, go to "Security ›› Application Security : Policy Building : Learning and Blocking Settings", click the "Change" button under "Attack Signatures", and replace the existing ones with the above categories.

Regards

Comments on this Answer
Comment made 04-Jan-2018 by gh0st 62

Hello,

Sorry, Attack Signatures.

So I would like to block all high/medium attack signatures without traffic learning.

Will it solve it?

Thanks,

Comment made 04-Jan-2018 by Jad Tabbara (JTI) 2360

Exactly. If you want to limit false positives, you may select only medium and high accuracy attack signatures.

Once the learning period has ended, you will need to take two steps to put your policy in blocking mode:

  • first, you have to enforce the "Attack Signatures" entity (which means that you will pass it from Staging to Enforced state)

  • second, you need to switch the ASM policy from "Transparent" to "Blocking" mode

Hope it helps

regards

Comment made 05-Jan-2018 by gh0st 62

Thanks :)

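The checks described in the answer and comments above, as an added example that is not part of the original thread and is not F5 code: a Python audit of a policy exported as JSON, reporting why the High and Medium Accuracy signature sets would not yet block. The key names (`enforcementMode`, `signature-settings`, `signature-sets`) assume F5's declarative WAF policy JSON, which the thread does not show; the sample policy and the function name `blocking_gaps` are constructed for illustration.

```python
import json

# Constructed sample: a policy that is still learning. Key names assume
# F5's declarative WAF policy JSON (the thread itself only shows the GUI).
SAMPLE_POLICY = json.loads("""
{"policy": {
  "name": "example_policy",
  "enforcementMode": "transparent",
  "signature-settings": {"signatureStaging": true},
  "signature-sets": [
    {"name": "High Accuracy Signatures", "block": true, "alarm": true, "learn": true},
    {"name": "Medium Accuracy Signatures", "block": false, "alarm": true, "learn": true},
    {"name": "Generic Detection Signatures", "block": true, "alarm": true, "learn": true}
  ]}}
""")

WANTED_SETS = {"High Accuracy Signatures", "Medium Accuracy Signatures"}


def blocking_gaps(doc, wanted=WANTED_SETS):
    """Return the reasons the policy will not yet block the wanted signature sets."""
    policy = doc.get("policy", doc)
    gaps = []
    # Second step from the thread: Transparent -> Blocking.
    # A missing key is reported as a gap rather than assumed to be blocking.
    if policy.get("enforcementMode") != "blocking":
        gaps.append("policy is not in Blocking mode")
    # First step from the thread: signatures moved from Staging to Enforced.
    # A missing key is treated as still staged.
    if policy.get("signature-settings", {}).get("signatureStaging", True):
        gaps.append("attack signatures are still in Staging, not Enforced")
    assigned = {s.get("name"): s for s in policy.get("signature-sets", [])}
    for name in sorted(wanted):
        if name not in assigned:
            gaps.append(f"signature set not assigned: {name}")
        elif not assigned[name].get("block", False):
            gaps.append(f"Block flag is off for: {name}")
    # Sets outside the wanted list widen matching and raise false-positive risk.
    for name in sorted(set(assigned) - wanted):
        gaps.append(f"extra signature set assigned: {name}")
    return gaps


if __name__ == "__main__":
    for gap in blocking_gaps(SAMPLE_POLICY):
        print("GAP:", gap)
```

The check is policy-wide; it does not inspect the staging state of individual signatures.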