ASM module - efficacy testing

Question

Hello everyone,
I've deployed an F5 BIG-IP 2000s with LTM and ASM inside my architecture and I need to test the efficacy of Web Application Firewall (ASM module).&nbsp;
I've deployed "WebGoat" application and load-balanced all the traffic to it. The ASM policy was enabled and in blocking mode (staging not enabled). 
Then I used "Imperva WAF Testing Framework" to test the efficacy of the module.&nbsp;
RESULT: The traffic was logged, but no request was blocked. &nbsp;
How can I solve this? How can I really test the efficacy of my WAF configuration?&nbsp;
Thank you in advance. &nbsp;

hannes_rapp · Answer

Although your policy is in the blocking mode, you've probably not enforced proper blocking settings. &nbsp;&nbsp;
Application Security -&gt; Blocking -&gt; Settings&nbsp;
1) Make sure the "Current edited policy" is relevant&nbsp;
2) Check the "block" tickbox where necessary. You probably have only "learn" and "alarm" tickboxes selected.&nbsp;&nbsp;
Use the "event logs" and "manual traffic learning" sections to find out the violation types of the requests which were not blocked.&nbsp;

shaggy · Answer

Verify that your ASM policy elements (parameters/attack signatures/URLs/etc.) are enforced and not in "staging". &nbsp;

gsharri · Answer

Check to see which entity (file types, urls, parameters) learning mode is in effect Application Security&gt;Policy Building&gt;Settings: Explicit Entities Learning.&nbsp;
If they are set to "Never, wildcard only" then all entity types are allowed by default due to the wildcards on the entities list. ASM will block a request only if it violates file type length limits set on the wildcard (to use file types example).&nbsp;
Check blocking settings as Hannes recommended.&nbsp;
Ensure relevant attack signatures are assigned to the security policy. &nbsp;

p_casoria_18761 · Answer

I think that I've solved the problem. &nbsp;
But I noticed that the ASM only blocks signatures contained in the URL (GET request) and not in packet payload (POST request). I'm actually only monitoring HTTP traffic.&nbsp;
Is there a way to solve this issue?&nbsp;
Thank you in advance.&nbsp;

gsharri · Answer

By default attack signatures apply to the entire content of a request. The http method does not matter. What is in the content of the post that you expected would be blocked? Does the post appear in the ASM request log?&nbsp;
Also additional information would be useful:&nbsp;
What version are you running? &nbsp;
How was the security policy created: manual? template? automatically? &nbsp;
Is the local traffic policy routing all requests through the security policy?&nbsp;
Which signature sets are assigned in the security policy?&nbsp;

Forum Discussion

ASM module - efficacy testing

8 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

TESTING / ARTICLE SAVE - 002LEZ

Khoros article scheduling test

Ansible module to update BIG-IP root/admin passwords

Hardware Security Modules

Ansible - Running bash commands with bigip_command module - How it's done