Distributed Cloud Services
API Docs Knowledge Base Training

Service Policy - enable logging request

USE CASE

A Must Have in a RFP is to define custom signature and deploy them in Audit mode, to detect False Positives in logs, before pushing them in blocking mode.

Really, the customer SecOps team can't push in production a custom waf signature without testing it in Audit mode on production traffic before to be in Blocking mode.


SOLUTION

A key differenciator with F5 XC is the high accuracy of the matchers in service policy rules, especially by using Transformers.

But in F5 XC you can't ceate a service policy or service policy rule in Audit mode. The "Audit mode" action is to allow the request AND generates a security event log.

I understand that Audit mode could generate a lot of logs if the matcher is too wide. However, the customer is ready to pay for this extra logs.


ASK

Could we have an option to enable logging in a Service Policy rule or at the Service Policy level?

  • Alexis DA COSTA
  • Aug 31 2023
Mesh / Security
  • Attach files
  • Alexis DA COSTA commented
    August 31, 2023 12:50

    Note the customer requirement: "Audit mode must not stop after the first matching rules to prevent false positives as much as possible"
    If we can't do that, it's OK to have a dedicated service policy for "custom waf signatures" on top is the service policy list, the next policy will be matched as usual.

    ×

    Attachments Open full size

Related ideas

© 2022 F5, Inc. All rights reserved | Trademarks | Policies | Privacy | California Privacy | Do Not Sell My Personal Information