Newbie ASM questions...
Greetings!
I've been using the LTM on F5 for a while now, but my company is getting ready to commit to the use of ASM on our public-facing servers. I am more of a network (L2/L3) kind of person, which is most probably why I understand the LTM a whole lot better than ASM. I have been to the ASM class, but I am having trouble connecting all the "logical" dots together. I hope someone can help me better understand the workings of ASM.
So, a few months ago, I created a VIP load balancing 3 nodes in a defined pool. I created an HTTP Class profile and associated it with this VIP. With the help of F5 support, they helped me configure the class profile and told me the policy would be in staging mode for 7 days. Little was explained to me about how and what the policy does, except that it learns the traffic pattern during the staging stage. Afraid that the policy might block legitimate traffic, I left the policy in transparent mode since it was staged.
My management wants to deploy ASM, but they want to make sure we are not blocking legitimate traffic. With the little experience I have with ASM, I do not have the confidence to assure them of that. Currently, I look at Traffic Learning under "Manual Policy Building". I see two types of violations -- File type length error and Attack signature staging. Discussing it with the developers, the length violations are false positives. Here are my questions:
-- If the violations are false positives, do I just check the box, select "disable violation" and apply the policy?
-- Or should I just increase the max length value and re-apply the policy?
-- Since the policy is past the 7-day staging mode, when I reapply the policy with the new changes, does it go back to staging again?
I know there is plenty of information out on the net, but I have not found a good source to help me get comfortable working with ASM. There are a couple of good introductions to ASM, like
https://devcentral.f5.com/articles/the-big-ip-application-security-manager-part-1-what-is-the-asm.UmV0UFO91X9
and
https://devcentral.f5.com/articles/the-big-ip-application-security-manager-part-2-policy-building.UmV0LVO91X9
but I have not found an article on how to work with ASM during staging mode, or how to work with the policy during blocking mode. I think there is only a handful of people with an in-depth understanding of the complex inner workings of ASM, and I have yet to find someone/a knowledge base to help me truly understand how to work with ASM. Can you? :)
Any help or direction is much appreciated...
Thank you.
Vincent