Best practice to put security signatures in blocking mode

Question

What is the best practice to put security signatures in blocking mode. Should we put security signatures in blocking mode before putting it in production or will put it in detection mode and after analyzing the traffic we will put them in blocking mode one by one? If we will follow second method is there any possibilities to block legitimate traffic suddenly when we will change any signature in blocking mode. Do we have any best practice document on this.

boneyard · Answer

im afraid there won't be any best practice because it just differs per requirements of the user.&nbsp;
do you want to be more safe and risk (some) false positives, put them into blocking right away.&nbsp;
do you want to be a little less safe put them info staging and see if they are hit, investigate and after staging enable them.&nbsp;

rchattop_307189 · Answer

is it possible to put few of the known malicious signatures in blocking mode initially and rest of the signatures in detection mode.&nbsp;

nag_54823 · Answer

Yes. It's possible. We need to enable signature staging and enforce each signature individually which will go to blocking mode.&nbsp;

rchattop_307189 · Answer

thanks a lot&nbsp;

Forum Discussion

Best practice to put security signatures in blocking mode

4 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

AS3 Best Practice

F5 Certified Practice Exams

Using ChatGPT for security and introduction of AI security

Cipher Suite Practices and Pitfalls

Auditing Security Policy Updates