Ppp2016_241036
Feb 04, 2016

F5 ASM Testing Environment Setup with legitimate traffic (Please Advise)

The production F5 is going to have the ASM module installed.

I am trying to figure out a good way to set up the testing environment with legitimate traffic, to ensure the policies will not break the applications.

The most ideal way is to be able to get the production traffic to the testing environment, so that I can develop the security policies. But the network engineer says it is impossible to do that. I have no idea what a good way to do this is.

I know I can set up automatic policies with transparent mode, but I do not feel comfortable without a testing environment that can mirror the production environment and traffic.

Any advice and recommendations are welcome.


2 Replies

  • You can give the test environment a different IP and test it by changing the hosts file for a small number of clients. Or you can capture production traffic and direct it to a platform using netcat or a similar test tool.

    If you want lots of data then you can use a clone pool on the production F5 and send it to the test system.


  • A clone pool would be a good idea, as it would send all of your production traffic to the secondary BIG-IP. Be aware that you can also configure the ASM in transparent mode and watch the production traffic itself. The ASM will flag all the traffic as if it was blocking, but won't actually block. The other things to keep an eye out for are DataGuard and JavaScript injection. I have seen situations where a site's JavaScript won't play nice with the injections from the ASM, but it's rare. Pete is also correct in that you can simply configure a virtual server either on another IP or another port (may require some work with local traffic policies to keep to that port) and have a subset of users test the ASM that way.
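
The capture-and-replay approach from the replies, as an added example that is not part of the original posts: it sends saved legitimate requests unchanged to a test virtual server and reports which ones come back with a block page. Assumptions: the requests in `CAPTURED` are constructed samples, the test policy is in blocking mode and still uses ASM's default response page text, and the test virtual server's address and port are given on the command line.

```python
import socket
import sys

# Constructed sample capture: raw HTTP/1.1 requests as saved from production.
# "Connection: close" makes the server end the response by closing the socket.
CAPTURED = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Connection: close\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\nConnection: close\r\n\r\n"
    b"user=alice&comment=O%27Neil",
]

# Assumption: the policy still uses ASM's default blocking response page.
BLOCK_MARKER = b"The requested URL was rejected"

def replay(raw, host, port, timeout=5.0):
    """Send one captured request unchanged (netcat-style); return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw)
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def classify(response):
    """Return (HTTP status, blocked?). Status 0 means no parsable status line."""
    fields = response.split(b"\r\n", 1)[0].split(b" ", 2)
    status = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else 0
    return status, BLOCK_MARKER in response

def replay_all(requests, host, port):
    """Replay every request; return (request line, status, blocked) tuples."""
    results = []
    for raw in requests:
        line = raw.split(b"\r\n", 1)[0].decode("latin-1")
        try:
            status, blocked = classify(replay(raw, host, port))
        except OSError:  # refused, reset or timed out: record as status 0
            status, blocked = 0, False
        results.append((line, status, blocked))
    return results

if __name__ == "__main__" and len(sys.argv) == 3:
    for row in replay_all(CAPTURED, sys.argv[1], int(sys.argv[2])):
        print(row)
```

The body is checked for the block page because a block response can arrive with a 200 status, so the status code alone does not show that a legitimate request was rejected.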