Can we create single security policy in ASM for multiple applications?

Hi,

you can have but it will not be a good idea. Suppose if one application does not work due to a signature hit and you want to disable that signature then it would be disabled for all the applications.

+1 what you could do is using templates for employment thus each app will have a dedicated policy which can evolve.

In addition to what the others said, my answer would be yes but with some caveats. I have a single security policy in front of hundreds of VS's / applications, however, each application is simply a unique installation of our custom SIS application for varying customers. Code base is the same, signature requirements are identical, and any variations in parameters, etc learned from a connection to Customer A's instance may also be application to Customer B, and so on. Even if they are not there is not enough variation to justify the added work of maintaining unique policies for each customer VS. My plan is that should something pop up necessitating a unique configuration for a specific customer, then I'll move to a unique policy for that customer only. There are probably several ways to go about this but what I'm doing works well for us.

The policy should entirely sync with the underlining web application and its architecture. I had thought about having single policy during our initial configuration but F5 recommended not to go for this unless each of the application uses same SDLC process and architecture. It will be difficult to manage in the later stage.