
Q&A: What does "Signatures in Staging" mean?

Question

  • What does signatures in staging mean?
  • Who removes the signatures from staging?
  • How do you move signatures from Staging to Enforcement?

 

Environment

  • ASM Signatures
  • WAF proxies

 

Answer

What is Signature Staging?

 

Purpose: when new signatures are released and applied to policies, it is generally undesirable for them to block traffic immediately. If a new signature produces false positives in the application, a signature update can suddenly block legitimate traffic.

Instead, new signatures are placed into a non-enforcement state, which in F5 ASM land is known as Signature Staging.

 

  • Signature Staging is a policy-level setting that is enabled by default on Silverline policy templates.  It is NOT recommended to disable it.
  • All new F5 ASM/AWAF Attack Signatures are placed into Staging when they propagate to Silverline devices. This means the signature is enabled but not enforced
    • Violations triggered by staged signatures DO NOT BLOCK the request, but instead generate "passed" violation logs
    • "Signature staging" is NOT the same as signatures that are in alarm/learn/transparent mode or disabled
  • Signatures stay in Staging until manually de-staged. They must be moved from Staging into Enforcement; otherwise they stay in Staging forever and degrade the policy's security posture. See "How to Move Signatures from Staging to Enforcement" below
  • Silverline uses the "All Signatures" set
    • Silverline uses NO OTHER signature sets for production customers
    • Other signature sets are (a) *limited* in scope and (b) already a part of the "All Signatures" set

 

How to Move Signatures from Staging to Enforcement

SOC Recommendation: Perform an analysis of any violations occurring on those staged signatures, remediate any false positives, and then move the staged signatures to enforcement. 

  1. Analyze the passed violations and decide if you want to move the Signatures into Enforcement
  2. Open a ticket with SOC
  3. SOC Analyst moves the staged signatures to enforcement
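
One way to approach the analysis in step 1, as an added example that is not Silverline or F5 code: it tallies "passed" violations per staged signature and suggests which ones look quiet, which look like false positives, and which need a closer look. The CSV columns, signature IDs, sample rows and the "many clients on one URL" heuristic are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are hypothetical, not a Silverline schema.
SAMPLE_LOG = """\
time,sig_id,staged,status,url,client
2024-05-01T10:00:01Z,SIG-A,yes,passed,/search,198.51.100.10
2024-05-01T10:02:11Z,SIG-A,yes,passed,/search,198.51.100.22
2024-05-01T10:05:40Z,SIG-A,yes,passed,/search,203.0.113.5
2024-05-01T10:09:13Z,SIG-A,yes,passed,/search,203.0.113.77
2024-05-01T11:30:00Z,SIG-B,yes,passed,/login,192.0.2.66
2024-05-01T11:30:02Z,SIG-B,yes,passed,/admin,192.0.2.66
2024-05-01T12:00:00Z,SIG-D,no,blocked,/login,192.0.2.66
"""

def triage_staged(log_csv, staged_ids, min_clients=3):
    """Summarise passed violations per staged signature and suggest a next step."""
    hits = defaultdict(int)
    urls = defaultdict(set)
    clients = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_csv)):
        # Staged signatures log "passed" violations instead of blocking.
        if row["staged"] != "yes" or row["status"] != "passed":
            continue
        sid = row["sig_id"]
        hits[sid] += 1
        urls[sid].add(row["url"])
        clients[sid].add(row["client"])

    report = {}
    for sid in staged_ids:
        if hits[sid] == 0:
            verdict = "no-hits"                # quiet during the window
        elif len(urls[sid]) == 1 and len(clients[sid]) >= min_clients:
            verdict = "likely-false-positive"  # many clients, one URL (heuristic)
        else:
            verdict = "investigate"            # needs manual review
        report[sid] = {"hits": hits[sid], "urls": sorted(urls[sid]),
                       "clients": len(clients[sid]), "verdict": verdict}
    return report

if __name__ == "__main__":
    for sid, info in triage_staged(SAMPLE_LOG, ["SIG-A", "SIG-B", "SIG-C"]).items():
        print(sid, info)
```

Signatures reported as "no-hits" are the simplest to request enforcement for; "likely-false-positive" ones need remediation first, per the SOC recommendation above.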

 
