Service Policy - enable logging request

USE CASE

A Must Have in a RFP is to define custom signature and deploy them in Audit mode, to detect False Positives in logs, before pushing them in blocking mode.

Really, the customer SecOps team can't push in production a custom waf signature without testing it in Audit mode on production traffic before to be in Blocking mode.


SOLUTION

A key differenciator with F5 XC is the high accuracy of the matchers in service policy rules, especially by using Transformers.

But in F5 XC you can't ceate a service policy or service policy rule in Audit mode. The "Audit mode" action is to allow the request AND generates a security event log.

I understand that Audit mode could generate a lot of logs if the matcher is too wide. However, the customer is ready to pay for this extra logs.


ASK

Could we have an option to enable logging in a Service Policy rule or at the Service Policy level?

  • Alexis DA COSTA
  • Aug 31 2023
  • Planned
  • Attach files
  • Alexis DA COSTA commented
    31 Aug, 2023 12:50pm

    Note the customer requirement: "Audit mode must not stop after the first matching rules to prevent false positives as much as possible"
    If we can't do that, it's OK to have a dedicated service policy for "custom waf signatures" on top is the service policy list, the next policy will be matched as usual.