Application Security Manager gives you the ability to import a vulnerability assessment from a wide variety of scanners, such as Qualys, IBM AppScan, ImmuniWeb, Quotium Seeker, and WhiteHat Sentinel. Each scanning tool is configured slightly differently.
First, run the scan. Once it has completed, view the report for that scan and download the XML file on your local machine. F5’s Application Security Manager only allows you to import XML files for vulnerability assessment.
Log in to the GUI of the active F5 on which you would like to import the policy. To do this, go to: Security > Application Security > Vulnerability Assessment > Settings.
Next, select the scanning tool you are using before importing the XML file. After selecting the tool, go to: Security > Application Security > Vulnerability Assessment > Vulnerabilities.
Click Import in the top right and select the XML file you just downloaded from the scanning tool. If the import succeeds, you should see the number of vulnerabilities that were discovered. Once the vulnerabilities are listed, you can make changes to secure the policy.
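Before uploading the export, it is worth confirming on your workstation that the file really is well-formed XML (the only format ASM accepts) and noting how many findings it contains, so the count ASM displays after import can be compared against it. The script below is an added example, not part of the original article and not any vendor's tooling; the tag names it parses (report, finding, severity, name, url) are a constructed, generic layout used only for illustration, and the sample export is constructed as well. Real exports from Qualys, IBM AppScan, ImmuniWeb, Seeker and WhiteHat each use their own schema, so adapt the element names to the file you actually download.

```python
"""Pre-import sanity check for a scanner XML export destined for F5 ASM.

Added example: the <report>/<finding> layout below is a constructed generic
shape, not the schema of any real scanner. Adapt the tag names to your export.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample export: three findings across two URLs.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<report tool="example-scanner">
  <finding id="1" severity="high">
    <name>SQL injection</name>
    <url>https://app.example.com/login</url>
  </finding>
  <finding id="2" severity="medium">
    <name>Cross-site scripting (reflected)</name>
    <url>https://app.example.com/search</url>
  </finding>
  <finding id="3" severity="low">
    <name>Missing X-Content-Type-Options header</name>
    <url>https://app.example.com/login</url>
  </finding>
</report>
"""


def is_well_formed(xml_text):
    """Return True if the text parses as XML.

    A truncated download, or an HTML error page saved under a .xml name,
    fails here long before it fails at the ASM import dialog.
    """
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def parse_report(xml_text):
    """Parse the export and return one dict per <finding> element."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("finding"):
        findings.append({
            "id": node.get("id"),
            "severity": (node.get("severity") or "unknown").lower(),
            "name": node.findtext("name", default="").strip(),
            "url": node.findtext("url", default="").strip(),
        })
    return findings


def summarize(findings):
    """Totals to compare against the vulnerability count ASM shows after import."""
    return {
        "total": len(findings),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "urls": sorted({f["url"] for f in findings if f["url"]}),
    }


if __name__ == "__main__":
    if not is_well_formed(SAMPLE_XML):
        raise SystemExit("export is not well-formed XML; ASM will reject it")
    summary = summarize(parse_report(SAMPLE_XML))
    print(f"{summary['total']} findings by severity: {summary['by_severity']}")
    for url in summary["urls"]:
        print("  affected URL:", url)
```

Run it against the downloaded file (replace SAMPLE_XML with the file's contents) and keep the printed totals beside the number ASM reports after import; a mismatch usually means the export was truncated or the wrong scanner was selected under Settings.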
Tweaking the Imported Results
The ASM will give you the following options to secure the newly found vulnerabilities:
Resolve and Staging: Adds the change to the policy but does not enforce it. This is helpful if the policy is in blocking mode, since a staged change cannot block traffic.
Resolve: Adds the change to the policy and enforces it, so the change takes immediate effect. This can be dangerous if it creates a rule that restricts legitimate traffic to your application.
Ignore: Specifies that you do not want to make a change based on the output of your scanning tool.
If you choose “Resolve,” the “ASM Status” column will show “Mitigated.” This means ASM is mitigating the vulnerability by applying the appropriate defenses.
Be sure to click “apply policy” in the upper right corner for your changes to take effect.
The vulnerability assessment tool is an excellent addition to the toolset that Application Security Manager offers. However, it is not an absolute security method; these scanning tools do not always detect every threat. You still need to actively monitor the policies that are in place. The scan can be automated to run at whatever interval fulfills your security needs and requirements.
To read more about the Qualys Community Edition scanning tool take a look at this guide: Qualys Setup.