• Feature Description
SecOps wants to lower the number of App FW object to maintain in XC. But, due to a constraint from SIEM / Cyber-SOC, they can’t.
The feature “add a custom label value in security event log” will allow it. This custom label value is different per FQDN (DNS domain), so it should be set per HTTP LB route.
• Problem Statement
Security event logs are sent to a SIEM (log receiver). The value of the key app_firewall_name (the name of the App FW object) is used by the SIEM to route the security event log to the right “Cyber-SOC” team, or at least is used by the shared Cyber-SOC team to call the right Business Unit team in case of a security incident.
But, the trend is to have one Business Unit team (Management Group) per Application (Landing Zone). So, one App FW policy object per App.
At the end, there will be to much App FW policy objects to manage by SecOps.
• Business Impact
Too many App FW policy objects to manage by SecOps.
• Security Considerations
Because there is too many App FW policy objects to manage by SecOps, an error could be done and not seen.
The goal to have ONE consistent security policy across apps is not possible due to the trend to have One App Fw policy per App.
• Competitive Landscape
Not Available
• Existing Workarounds
One App Fw policy per FQDN (DNS domain).
• Risks of Not Implementing
Fo F5 XC infra, too many App FW policy objects to store (etcd, memory) will impact F5 XC infra resources, so XC infra cost.