Question
- What does it mean when signatures are in staging?
- Who removes the signatures from staging?
- How are signatures moved from Staging to Enforcement?
Environment
- ASM Signatures
- WAF proxies
Answer
What is Signature Staging?
Purpose: When new signatures are released and applied to policies, it is generally undesirable for them to block traffic immediately. If a new signature produces false positives in the application, a signature update can cause legitimate traffic to be blocked suddenly.
Instead, new signatures are placed into a non-enforcement state, which F5 ASM calls Signature Staging.
- Signature Staging is a policy-level setting that is enabled by default on Silverline policy templates. It is NOT recommended to disable it.
- All new F5 ASM/AWAF Attack Signatures are placed into Staging when they propagate to Silverline devices. This means the signature is enabled but not enforced.
- Violations triggered by staged signatures DO NOT BLOCK the request, but instead generate "passed" violation logs.
- "Signature staging" is NOT the same as signatures that are in alarm/learn/transparent mode or disabled.
- Signatures stay in Staging until manually de-staged. They must be moved from Staging into Enforcement; otherwise they stay in Staging forever and degrade the policy's security posture. See How to Move Signatures from Staging to Enforcement.
- Silverline uses the "All Signatures" set
- Silverline uses NO OTHER signature sets for production customers
- Other signature sets are (a) *limited* in scope and (b) already a part of the "All Signatures" set
How to Move Signatures from Staging to Enforcement
SOC Recommendation: Perform an analysis of any violations occurring on those staged signatures, remediate any false positives, and then move the staged signatures to enforcement.
- Analyze the passed violations and decide if you want to move the Signatures into Enforcement
- Open a ticket with SOC
- SOC Analyst moves the staged signatures to enforcement
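
The analysis step above can be scripted before the ticket is opened. The following is an added example, not Silverline or F5 code: the record layout, signature IDs, IP addresses and the `min_clients` heuristic are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (signature_id, staged, request_status, client_ip, url).
# Field names and values are illustrative, not a Silverline/ASM log format.
SAMPLE_LOG = [
    ("sig-1001", True, "passed", "198.51.100.10", "/search"),
    ("sig-1001", True, "passed", "198.51.100.11", "/search"),
    ("sig-1001", True, "passed", "198.51.100.12", "/search"),
    ("sig-1002", True, "passed", "203.0.113.7", "/login"),
    ("sig-1002", True, "passed", "203.0.113.7", "/admin"),
    ("sig-1002", True, "passed", "203.0.113.7", "/cart"),
    ("sig-2000", False, "blocked", "203.0.113.7", "/login"),  # enforced, ignored
]
STAGED_SIGNATURES = {"sig-1001", "sig-1002", "sig-1003"}  # constructed inventory


def triage_staged(log, staged_ids, min_clients=3):
    """Sort staged signatures into buckets for the de-staging ticket."""
    clients, urls = defaultdict(set), defaultdict(set)
    for sig, staged, status, ip, url in log:
        # Only staged signatures that logged a "passed" violation matter here.
        if staged and status == "passed" and sig in staged_ids:
            clients[sig].add(ip)
            urls[sig].add(url)
    report = {"enforce": [], "likely_false_positive": [], "review": []}
    for sig in sorted(staged_ids):
        if sig not in clients:
            report["enforce"].append(sig)  # no hits during staging
        elif len(clients[sig]) >= min_clients and len(urls[sig]) == 1:
            # Assumed heuristic: many clients, one URL looks like normal app use
            report["likely_false_positive"].append(sig)
        else:
            report["review"].append(sig)  # needs an analyst's judgement
    return report


if __name__ == "__main__":
    for bucket, sigs in triage_staged(SAMPLE_LOG, STAGED_SIGNATURES).items():
        print(f"{bucket}: {', '.join(sigs) or '-'}")
```

A signature in the "enforce" bucket only shows that nothing matched during the staging window, so the window should cover representative traffic before the ticket is raised.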