ASM Best Practice for Major Web Site Updates

Question

We are planning an ASM deployment, and we expect one of the web servers will have periodic significant upgrades. We are trying to determine what our approach will be when that happens. We're assuming in the mean time the policies will be converted into enforcement mode with signature staging enabled. I've been searching but haven't found a clear recommendation on this.&nbsp;
Should we re-enable Policy Builder prior to the update so that it starts learning any new file types, URLs, etc. that the policy hadn't seen before, and then disable PB once there's been enough traffic to validate those new elements? I don't really think we want to move the policy back to Transparent Mode because then we won't be blocking anything. &nbsp;
Thanks for any assistance.&nbsp;
 &nbsp;

mister_paul_717 · Answer

I recommend having ASM in your test environment.  Perform the upgrade in the test environment and test heavily.  In that environment, you probably won't have malicious traffic (unless you throw a tool or a pen tester at it), but if you fully exercise the functionality, especially the new functionality, you should be able to determine what needs to change. 
&nbsp;  
&nbsp; Paul

john_m_34866 · Answer

How do you migrate wherever you have learned in the test into production environment ? Do you merge the the two policies in production, if so what are the risks? 
&nbsp;  
&nbsp; Thanks.

Forum Discussion

ASM Best Practice for Major Web Site Updates

2 Replies

Recent Discussions

LDAPS and renegotiation

Need advise to setup a policy on F5

Web acceleration

What are the different phases in DevOps?

Create a CSR and Key using the BigIP LTM GUI when renewing a certificate

Related Content

AS3 Best Practice

Auditing Security Policy Updates

F5 Certified Practice Exams

Cipher Suite Practices and Pitfalls

Security Best Practices for BIG-IP & BIG-IQ systems