Attack Signature Sets¶
Overview¶
An attack signature set is a logical grouping of attack signatures based on defined filters, or type. F5 recommends using signature sets rather than applying individual attack signatures to a security policy. Each security policy has its own attack signature set assignments. By default, a generic signature set is assigned to new security policies based on your selected template. You can assign additional signature sets to the security policy.
Prerequisites¶
Install and deploy latest Live Updates for attack signatures.
Verify any attached application services to ensure proper security after changes are deployed.
You need to have a user role of Security Manager or Administrator to manage a WAF policy.
How to manage signature sets¶
Manage policy signature sets enforcement status¶
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click Attack Signatures.
The panel displays a list of Signatures defined in the policy.
Select the Signature Sets tab.
Select the checkbox next to the signature set(s) name(s). You can filter the signature set list by key words.
Click one of the enforcement statuses at the top right of the panel:
Alarm - Traffic with an attack signature that belongs to the signature set triggers alarm.
Alarm & Block - Traffic with an attack signature that belongs to the signature set triggers alarm, and the traffic is blocked.
Disable - Remove any alarms or enforcement against the detected attack signatures from the signature set.
Confirm the enforcement of the selected signatures. The new status is listed in the Action column.
If you have completed your changes to the policy, click Deploy to update associated BIG-IP Next instance(s).
To confirm the deployment, click Deploy.
Manage filter-based signature sets¶
You can add or remove filter-based signature sets from a policy.
Filter-based signature sets are based solely on criteria defined in the signature filter provided by WAF. Rather than applying several individual attack signatures to a security policy, you can apply the most relevant attack signature sets for the systems running your applications. Each policy template includes signature sets by default. See Reference: Attack Signature Sets for more information about the system-provided sets.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click Attack Signatures.
The panel displays a list of Signatures defined in the policy.
Select the Signature Sets tab.
Click Settings from the top right of the panel.
A panel provides a list of the policy’s associated signature sets.
Select the arrow to the right of the Associated Signature Sets.
Select (or de-select) the check box next to the signature set you would like to add to the policy. You can filter the list by key words in the Search bar.
Click Save.
If you have completed your changes to the policy, click Deploy to update associated BIG-IP Next instance(s).
To confirm the deployment, click Deploy.
Resources¶
Manage using API¶
Other resources¶
Attack signature management using the policy Editor¶
Edit the WAF policy JSON declaration directly through the WAF policy editor.