WAF Organizational Processes
Hello! I'm a project manager responsible for our WAF implementation and likely more engaged in WAF care and feeding than most project managers. 😀 I'd like to understand from others their WAF organizational processes with the goal of improving ours.

I'm responsible for hosting a weekly WAF tuning meeting. Our WAF admin pulls data from our Splunk logs and brings up samples for policies that we've not yet put into production mode. Our WAF admin wants our two application developers on our WAF team to say "yea" or "nay" for each sample to be tuned. This is incredibly tedious but our hope is to reduce false positives. How do other orgs handle pre-production tuning?

We have a similar process if a production deployed policy receives a block. Our business owner for the application opens a ticket for their end user. Since I'm not allowed access to F5 WAF, I use the support ID to look up the WAF report in an Apex application one of our developers wrote. I provide this report to our WAF admin who waits for one of our WAF team app devs to say "yea" or "nay" on whether it's legit traffic. If it's legit, he tunes the policy but sometimes still with apprehension. This results in either my needing to schedule a special meeting with our WAF team (includes me, 2 app devs, WAF admin, sys admin manager, my manager, and 1-2 reps from security) or taking time in a tuning meeting to review the tuning adjustment that was made and get a ruling on whether it's too risky to keep in place or it's safe to remain. How do your organizations handle reports of blocks from your business owners and their end users?

I truly feel we can and should improve so I'm eager to hear what others in the community are doing.

Thank you!
Jodi

API feed for WAF Attack Signatures
Hi again! This is my 3rd question post today and I'll try to make it my last for today. 😄 I'm a project manager responsible for our WAF implementation and I'm more involved in WAF care and feeding than a project manager should be.

Is there an API feed available for WAF attack signatures, both current and staged? Our WAF logs are fed into Splunk and Oracle. In Splunk, I built an Excel spreadsheet that I use as a lookup table that has current and staged attack signatures. I had help pulling the JSON feed from the F5 attack signatures database. I have to manually add to this file as I suspect our logging activity is causing additional characters such as percent signs to show up in the sig_ids field for my Splunk reports.

As mentioned in one of my other posts, my manager wants to move over to an Apex application that one of the application developers on our WAF team has been building. The goal is to allow our business owners to authenticate and view WAF related reports that we develop for their organization. If we move to Apex, this renders the Splunk lookup table I've built and maintain useless, thus, I'm on a hunt for an API.

If anyone has suggestions for staged attack signature management, I'll take those as well. I was told that I should monitor them, which I am, but our tuning and remediation processes are so tedious that I'm not sure how to work in yet another meeting to review and discuss staged attack signatures. 😒

Thank you!
Jodi

enabled the "AS2 (Applicability Statement 2) service on F5 LTM?
Hello, a team in our company has purchased the AS2 service. They want to publish this service via F5. I couldn't find a configuration example for this. Can someone with experience in this matter share their experience?

https://www.seeburger.com/resources/good-to-know/what-is-as2

Lisa computer turns 40, Apple releases source code
I thought it might interest some folks here. Did anyone here use it back in the day?

Computer History Museum given permission to release Apple Lisa source code

"Happy 40th Birthday to Lisa! The Apple Lisa computer, that is. In celebration of this milestone, CHM has received permission from Apple to release the source code to the Lisa software, including its system and applications software. Access the code here."

BIG-IQ AS3 declaration with TLS_Server defaulting parent profile.
Good Afternoon - I have deployed BIG-IQ for a central system to provide guidelines for our automation teams to follow via the AS3 templates. Our migration aspect is going from an imperative to declarative module, and I am running into some stumbling blocks.

Today we default all of our profiles from our custom profiles, so defining to use our default TCP, Persistence & others works fine with the exception of the SSL profiles. Is there a way to tell the AS3 declaration to default from our custom SSL profile instead of having to define this individually for every new app we deploy?

There are multiple reasons we default from our custom profiles that default from F5's default profile. If we need to make a global change, I only need to modify our custom profile and not every application. Also it helps with the configuration getting bloated by re-defining all the same settings in every profile.

So how can I update the AS3 template in BIG-IQ to default to my custom SSL profile instead of defaulting from F5's?

    "prof_sslc_xxxx.xxxx.com": {
        "certificates": [
            {
                "certificate": "/Common/Shared/xxxx.xxxx.com"
            }
        ],
        "class": "TLS_Server",
        "tls1_0Enabled": true,
        "tls1_1Enabled": true,
        "tls1_2Enabled": true,
        "tls1_3Enabled": false,
        "singleUseDhEnabled": false,
        "insertEmptyFragmentsEnabled": true
    },

Thx
Rich