ASM Enablement Learning Plan

This learning plan uses the ASM Demos and Exercises to increase your knowledge and understanding of
BIG-IP ASM. You are welcome to go through the demo and exercise guides in any order you like;
however, this learning plan has been written for a new ASM user and will guide you from basic,
introductory concepts to advanced policy building and security policy options.

ASM Level 1

1) Exercise – SE Technical Boot Camp Hands-on Exercises


The purpose of this exercise is to show how to use ASM to protect web applications. You’ll start by
accessing the DVWA web site and submitting SQL injection, cross-site scripting, and forceful browsing
attacks. You’ll then create an ASM security policy using the Rapid Deployment policy template and view
user requests in the event log. In the second exercise you’ll add file type enforcement by adjusting
settings on the Learning and Blocking Settings page, generating learning suggestions, and then manually
adding file types to the security policy. In the last exercise you’ll examine file type attribute enforcement,
then you’ll create a new security policy in automatic mode using trusted requests, then you’ll generate
learning suggestions using a Firefox iMacro, and then you’ll view ASM updating a parameter’s attributes
and modifying its enforcement.

2) Demo – Simple Security Policy and L7 DoS Protection Deployments


The purpose of this demo is to show how simple it is to create both security policies and DoS profiles
using BIG-IP ASM. You’ll start by creating a security policy for the Hackazon web application using Rapid
Deployment. You’ll then attempt several layer 7 attacks including command execution, SQL injection, and
cross-site scripting, all of which will be blocked. You’ll then create a layer 7 DoS profile and launch several
DoS attacks against the Hackazon web application. You’ll use the ASM event log and bot defense log to
show that all DoS attempts are blocked by ASM’s DoS protection.

3) Demo – Blocking Common Web Vulnerabilities


The purpose of this demo is to show how ASM blocks three common web application attacks: SQL
injection, cross-site scripting, and forceful browsing. You’ll start by showing these attacks against a
vulnerable web application. You’ll then attach an ASM security policy that you created before starting the
demo and show the same attacks being blocked by ASM. You’ll then update the security policy by adding
a blocked URL and a blocked parameter. Finally, you’ll show how to use the event log to identify why
requests were blocked and then view the ASM security reports.

4) Demo – Blocking SQL Injection Attacks


The purpose of this demo is to show how to create an ASM security policy that will protect a web
application against SQL injection attacks. You’ll start by showing several SQL injection attacks on a
vulnerable web site. You’ll then create a security policy using the Rapid Deployment policy template.
You’ll then show the same attacks being blocked by the ASM security policy. Finally, you’ll show the ASM
logs to view the attack signatures that were detected by ASM.

WWFE Guides – ASM – WAF Enablement Learning Plan Page | 1


5) Demo – Blocking Cross-Site Scripting Attacks
The purpose of this demo is to show how to create an ASM security policy that will protect a web
application against cross-site scripting attacks. You’ll start by showing several cross-site scripting attacks
on a vulnerable web site. You’ll then create a security policy using the Rapid Deployment policy template.
You’ll then show the same attacks being blocked by the ASM security policy. Finally, you’ll show the ASM
logs to view the attack signatures that were detected by ASM.

6) Demo – Using DataGuard and PCI Compliance


The purpose of this demo is to show how ASM provides PCI compliance for organizations. You’ll start by
showing the risks of information leakage. You’ll then view and update the PCI compliance report. You’ll
then add the DataGuard feature to mask credit card numbers. Finally, you’ll view the completed PCI
compliance report.

ASM Level 2

1) Demo – Using Rapid Deployment


The purpose of this demo is to show how to create a security policy using Rapid Deployment. You’ll start
by showing SQL injection, cross-site scripting, and forceful browsing. You’ll then create a simple security
policy. You’ll then enforce attack signatures and show that the same attacks are now blocked by the
security policy.

2) Demo – Using Manual Policy Building


The purpose of this demo is to show how to use manual security policy building. You’ll start by simulating
traffic to the web application and then viewing the Traffic Learning page. You’ll continue to generate
traffic and see how it affects the suggestion learning scores. You’ll then manually add file types,
parameters, and cookies to the security policy. You’ll then demonstrate the beginning of the staging
process for parameters.

3) Demo – Using Automatic Policy Building


The purpose of this demo is to show how to use the ASM automatic policy builder using trusted IP
addresses. First, you’ll create a new comprehensive security policy using trusted IP addresses. You’ll then
access the web application from a trusted IP address and view the policy builder results. You’ll then adjust
the learning speed values and generate much more traffic from a trusted IP address. You’ll then stabilize
the security policy, which ensures that entities such as file types and parameters are being enforced.
Finally, you’ll test the security policy by attempting to attack the web application with application layer
attacks.

4) Demo – Enforcing File Types


The purpose of this demo is to show how to enforce specific file types in a security policy with BIG-IP ASM.
You’ll first show an existing security policy with no file type enforcement enabled. You’ll then enable file
type learning and generate requests using the web application. You’ll then show how the allowed file type
list changes based on requests from trusted sources. Finally, you’ll ensure the file type list is stabilized,
then disable new learning, and then test the security policy for file type enforcement.

5) Demo – Applying Global File Type Settings
The purpose of this demo is to show how you can control attributes for file types at the global level
(without needing to learn specific file types). You’ll start by creating a security policy for the DVWA web
application using Rapid Deployment. You’ll then modify the query string length and HTTP request length
values for the wildcard (*) file type. You’ll then make requests for different file types that violate the
global length values, and then examine the ASM event log to view why the requests were blocked.

6) Demo – Applying Global Parameter Settings


The purpose of this demo is to show how you can control attributes for parameters at the global level
(without needing to learn specific parameters). You’ll start by creating a security policy for the DVWA web
application using Rapid Deployment. You’ll then modify a couple of attributes for the wildcard (*)
parameter. You’ll then submit requests using different parameters that violate the global parameter
settings, and then examine the ASM event log to view why the requests were blocked.

ASM Level 3

7) Demo – Building Security Policies using Trusted vs Untrusted Requests


The purpose of this demo is to explain the difference between building security policies using untrusted
and trusted requests (based on the client IP address). You’ll start by creating a new security policy that
builds the policy using untrusted requests. You’ll then show how client requests create learning
suggestions, and the learning score is slow to increase from untrusted requests. You’ll then add a trusted
IP address for building the security policy, and then show how the policy building process differs using
trusted requests.

8) Exercise – Understanding Learning and Enforcement


The purpose of this exercise is to explain the difference between file type and parameter learning,
updating parameter attributes during the staging process, and how parameter enforcement affects
malicious requests. You’ll start by creating a new security policy and adjusting the learning settings for file
types and parameters. You’ll then access the web application and examine the file types that ASM learned
and add the correct file types to the security policy. You’ll then use a couple of parameters in the web
application and examine the parameters that ASM learned and add the correct parameters to the web
application. You’ll then submit different data into a parameter and examine how ASM suggests modifying
the attributes of a parameter. Finally, you’ll examine how a non-enforced and an enforced parameter
treat malicious requests.

9) Demo – Working with Parameters


The purpose of this demo is to show how to work with parameters in a security policy with ASM. First,
you’ll show the configuration options for user-input parameters, including maximum length and allowed
meta characters. You’ll then show how to define and configure an integer parameter. You’ll then
configure a static content value parameter which ensures users enter values from a defined list. You’ll
then configure a dynamic content value parameter and an extraction list, which enables ASM to ensure
that parameter values aren’t tampered with by man-in-the-middle attacks.

10) Exercise – Understanding Entity Enforcement
The purpose of this exercise is to explain how entity enforcement affects the ASM security policy behavior
(allowing or blocking an illegal request). There are four entity types in ASM: file types, URLs, parameters,
and cookies. In this exercise you’ll focus on file types and parameters. You’ll create a new security policy
and add file type learning and enforcement. You’ll then update attributes for a specific file type and
attempt to violate the attributes while the file type is not enforced, and once the file type is enforced.
You’ll then repeat the steps for parameters. By the end of the exercise you should understand why entity
enforcement is so important with ASM security policies.

11) Demo – Protecting Against Cookie Modification


The purpose of this demo is to show how an ASM security policy can protect a web application from
malicious cookie modification. You’ll first show how to modify a cookie value using Burp, and then show
the results in the ASM event log. You’ll then enforce the cookie entities and attempt the cookie
modification again, this time getting blocked.

12) Demo – Using Security Logging and Reporting


The purpose of this demo is to show how to use the BIG-IP ASM event log and reporting. Before the demo
begins you’ll launch several attacks using iMacros for Firefox. You’ll start the demo by examining the ASM
event log in detail, showing how to find specific log entries, how to filter log entries, and the vast amount
of data that ASM logs. You’ll then show how to create a custom ASM report. Finally, you’ll examine the
built-in ASM report and show how to view attack data in many formats.

13) Demo – Updating Security Policies Manually


The purpose of this demo is to show how to manually update a completed ASM security policy when the
web application has been updated. You’ll show how to add new file types, URLs, parameters, and
overridden signature violations.

14) Demo – Updating Security Policies Automatically


The purpose of this demo is to show how to automatically update a completed ASM security policy when
the web application has been updated. You’ll show how to add new URLs and parameters based on
requests from a trusted source.

15) Demo – Using Attack Signatures


The purpose of this demo is to show how ASM uses attack signatures to block malicious requests. You’ll
start by showing some common attack types. You’ll then create a security policy and configure attack
signatures. Next, you’ll submit several attacks against the web site and view the event log to identify the
attack signatures that were matched.

16) Demo – Using CSRF Protection


The purpose of this demo is to show how ASM protects web applications against cross-site request forgery
(CSRF) attacks. You’ll start by showing how a CSRF attack works and what the possible results could be.
You’ll then add CSRF protection to an existing security policy. You’ll then attempt the same CSRF attack to
show that ASM blocks the attack. Finally, you’ll show how CSRF protection is enabled by ASM.

ASM Level 4

17) Demo – Using Layered Policies


The purpose of this demo is to show how to use layered security policies with ASM. First, you’ll show the
settings and inheritance properties of an existing parent policy. You’ll then show the settings and
inherited properties of an existing child policy. You’ll then create another child security policy using
different inheritance options. You’ll then examine several security policy settings to show which settings
can and can’t be modified in a child security policy. You’ll then use an iMacro in Firefox to build both child
security policies and show results in the configuration utility. Finally, you’ll create a custom signature and
add it to the parent policy and illustrate how this affects the child security policies.

18) Exercise – Understanding Parent and Child Security Policies


The purpose of this exercise is to show how to use parent and child security policies with ASM. First, you’ll
create a parent security policy and define the inheritance requirements. You’ll then create two child
security policies using different inheritance options. You’ll then examine several security policy settings to
show which settings can and can’t be modified in a child security policy. You’ll then use an iMacro in
Firefox to build both child security policies and show results in the configuration utility. Finally, you’ll
create a custom signature and add it to the parent policy and illustrate how this affects the child security
policies.

19) Demo – Using Custom DataGuard Settings


The purpose of this demo is to show how to use custom DataGuard settings. You’ll start by showing the
current DataGuard settings, which are masking an entire credit card number. You’ll then configure custom
DataGuard settings that will mask the first 12 digits but leave the last four visible. You’ll then create a
custom DataGuard pattern for a company ID number.

20) Demo – Using Custom Attack Signatures


The purpose of this demo is to show how ASM uses custom attack signatures to block malicious requests.
You’ll start by showing some common attack types which are already blocked. You’ll then show a new
zero-day attack, which is not blocked. You’ll then create a custom signature to block a zero-day attack.

21) Demo – Blocking Brute Force Attacks


The purpose of this demo is to show how to protect a web application against brute force attacks. You’ll
launch a brute force attack on an unprotected web application, then configure brute force protection, and
then show the results when attempting the attack again. You’ll also show the ASM event log and security
charts.

22) Demo – Blocking Web Scraping Attacks


The purpose of this demo is to show how to protect a web application against web scraping attacks. You’ll
launch a web scraping attack on an unprotected web application, then configure web scraping protection,
and then show the results when attempting the attack again. You’ll also show the ASM event log and
security charts.

23) Demo – Using Login Page Enforcement
The purpose of this demo is to show how to prevent users from bypassing the login page of a web
application. First, you’ll show examples of bypassing a login page. You’ll then add a login page and login
page enforcement in the security policy, then show the previous attempts being blocked, and then show
the ASM log file.

24) Demo – Stabilizing a Security Policy


The purpose of this demo is to show how to stabilize a security policy with BIG-IP ASM. The stabilization
process encompasses both the learning and staging process. While entities (such as file types, URLs, and
parameters) are still in staging (not enforced), the security policy is not yet stabilized. You’ll first show an
existing security policy that includes a file type list, URL list, and parameter list. All entities are still in
staging. You’ll then simulate a large amount of user requests to the application, and then show how ASM
automatically configures entity attributes and entity enforcement. You’ll continue this process until the
security policy is stabilized, meaning that all entities are out of staging and enforced. You’ll then test the
security policy by attempting malicious requests that violate the file type and parameter lists, as well as
file type and parameter attributes.

25) Demo – Advanced Policy Building Options


The purpose of this exercise is to introduce you to some advanced options used when creating security
policies using ASM. You will start by creating a new security policy using the automatic policy builder and
the comprehensive policy template. You’ll adjust the learning options for file types, URLs, and parameters.
You’ll then generate traffic and view the ASM audit log. You’ll then adjust the learning speed to simulate
more traffic over more time to stabilize the security policy. You’ll continue to monitor the ASM audit log
to identify changes to the security policy. You’ll examine the ASM tree view and the enforcement
readiness summary. You’ll view the ASM action items page as well as the ASM audit reports. Finally, you’ll
finalize the security policy and submit several illegal requests to the web application. You’ll view the
security logs to identify why each request was blocked, and then update the security policy by adding a
couple of blocked requests that were actually false positives.

ASM Level 5

26) Demo – Using Layer 7 Bot Protection


The purpose of this demo is to show how ASM protects web applications from layer 7 DoS bot attacks.
You’ll start by showing several layer 7 DoS bot attacks against a web application. You’ll then create an
ASM DoS profile and enable proactive bot defense and bot signatures. You’ll then attempt the same layer
7 DoS bot attacks and show using the ASM event log and the bot defense log that all attack traffic is being
blocked. Finally, you’ll create a custom DoS report.

27) Demo – Blocking Suspicious Browsers


The purpose of this demo is to show how ASM protects web applications from suspicious browsers. You’ll
start by submitting several requests to a web application using incorrect user-agent values. You’ll then
create an ASM DoS profile and enable proactive bot defense. You’ll then attempt the same requests and
show how ASM either blocks the request or presents a CAPTCHA challenge.

28) Demo – Using IP Geolocation Enforcement
The purpose of this demo is to show how to block requests based on the origin’s IP geolocation. You’ll
start by showing how ASM logs geolocation details. You’ll then identify the origin of several malicious
requests, then block all requests from that geolocation, and then show the results. You’ll then add
another geolocation to the disallowed list and show the results. Finally, you’ll show ASM reporting.

29) Exercise – Using Layer 7 DoS Protection


The purpose of this exercise is to show how ASM protects web applications from layer 7 DoS attacks.
You’ll start by launching several layer 7 DoS attacks against a web application. You’ll then create an ASM
DoS profile and enable several features including proactive bot defense, bot signatures, and TPS-based
detection. You’ll then attempt the same layer 7 DoS attacks and show using the ASM event log and the
bot defense log that all attack traffic is being blocked. Finally, you’ll view DoS reporting and create a
custom DoS report.

30) Demo – Using Cookie Hijacking Protection


The purpose of this demo is to show how ASM can protect web applications from cookie hijacking, a
malicious activity involving stealing a user’s cookie to hijack their session. You’ll start by giving an example
of how a malicious user can steal a victim’s session cookie and hijack their session. You’ll then add a
security policy (created before the start of the demo) to the virtual server. This security policy is
configured for protection against stealing session cookies. You’ll then attempt to steal the victim’s session
cookie again and show how ASM blocks the request.

31) Demo – Using ASM Cookie Hijacking Protection


The purpose of this demo is to show how ASM can protect web applications from session hijacking, a
malicious activity involving stealing session cookies. You’ll start by giving an example of how a malicious
user can steal a victim’s session cookie and hijack their session. You’ll then add a security policy (created
before the start of the demo) to the virtual server. This security policy is configured for protection against
stealing session cookies. You’ll then give an example of attempting to hijack a victim’s session by stealing
both their session cookie and the ASM cookie used to prevent session hijacking. Finally, you’ll add ASM
cookie hijacking protection to the security policy and show the results.

32) Demo – Using Client-Side Integrity Defense


The purpose of this demo is to show how ASM protects web applications from layer 7 DoS attacks using
client side integrity defense. You’ll start by showing a layer 7 DoS attack against a web application. You’ll
then create an ASM DoS profile and enable proactive bot defense and client side integrity defense. You’ll
then attempt the same layer 7 DoS attack and show using the ASM event log, the bot defense log, and the
BIG-IP statistics that all attack traffic is being blocked.

33) Demo – Using Violation Detection by Usernames


The purpose of this demo is to show how BIG-IP ASM can be used to protect web applications from
malicious users based on their session details. You’ll start by showing how ASM logs requests without
username tracking enabled. You’ll then enable violation detection by username and illustrate how an
administrator can block a known malicious user from accessing the web application.

34) Demo – Using Violation Detection by Device IDs
The purpose of this demo is to show how BIG-IP ASM can be used to protect web applications from
malicious users based on their device ID. You’ll start by showing how ASM logs requests without session
tracking enabled. You’ll then enable device ID tracking and show the results in the ASM logs. You’ll then
enable violation detection by device ID and illustrate how BIG-IP ASM can identify and block requests
from a specific device after repeated violations.

35) Exercise – Using WebSocket Protection


The purpose of this exercise is to show how to use WebSocket protection with ASM. First, you’ll create a
pool and virtual server for an external web site hosting a WebSocket application. You’ll then create a
security policy using the Comprehensive template for the WebSocket application. You’ll then examine the
WebSocket protection included with the Comprehensive template. You’ll then add a WebSocket URL to
the security policy. Finally, you’ll use and configure the WebSocket protection for the URL.
