F5 Networks


Exam: 303 BIG-IP ASM Specialist

Prerequisite: F5-CA | This exam is based on v12.1

Important Notes:

  • There is no official book to study for the exam.

  • There is no dump for the exam, only the practice exam offered by F5, which gives you an idea of the exam questions.

  • Watching videos can help speed up your learning, but it is not guaranteed to get you through the exam; you need to do a lot of reading and practice.

  • Download the TMSH Command Reference. You don't have to read it all; read only the related topics, e.g. how to create a self IP or VLAN (net_self.html and net_vlan.html).

  • Download BIG-IP Virtual Edition from F5 Downloads and request a license from Free Trials.

  • You can practice on VMware F5 WAF - Agility Labs.

  • I recommend learning about HTTP from Mozilla.

  • Learn about PHP For Absolute Beginners (optional).

  • Yes, there are a lot of links; the goal is not only to pass the exam but to become a great WAF specialist.

  • Special thanks to Jason Rahm, John Wagnon and Peter Silva.

Study Plans

Plan 1:

Plan 2:

  • Follow the exam blueprint and the links provided below in this blog post.

Reading before the exam blueprint

Section 1: Architecture/Design and Policy Creation

1.01 Explain the potential effects of common attacks on web applications:

  • Understand and describe how the ASM can affect clients and applications directly while in either transparent or blocking mode

  • Summarize the OWASP Top Ten

Enforcement Modes:

To block traffic that causes violations, select Blocking.


To not block traffic even if it causes violations (allowing you to make sure that legitimate traffic would not be blocked), select Transparent.


The system blocks requests that trigger the violation when:

(1) the security policy is in the blocking enforcement mode.

(2) a violation occurs.

(3) the entity is enforced.

The system sends the blocking response page (containing a Support ID to identify the request) to the client.


When you create a security policy using automatic learning mode, the system sets the enforcement mode to Blocking, but it does not block requests until Policy Builder processes sufficient traffic and sessions over enough time, adds elements to the security policy, and enforces the elements.


ASM creates a security policy that immediately starts protecting your application. The enforcement mode of the security policy is set to Blocking. Traffic that is considered to be an attack, such as traffic that is not compliant with the HTTP protocol, has malformed payloads, uses evasion techniques, performs web scraping, or contains sensitive information or illegal values, is blocked. Other potential violations are reported but not blocked.


1.02 - Explain how specific security policies mitigate various web application attacks:

  • Understand/interpret an iRule or LTM policy to map application traffic to an ASM policy

  • Explain the trade-offs between security, manageability, false positives, and performance

The Local Traffic Policies feature allows you to classify traffic based on a list of matching rules and then run specific actions.


The local traffic policy settings are organized into the following sections:

  • General Properties

  • Rules

  • Logical operators

  • Policy rule actions
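
An iRule can do the same mapping as a local traffic policy. The sketch below is an added example, not taken from the F5 documentation or from the original post: the hostnames and ASM policy names are hypothetical, and it assumes application security is already enabled on the virtual server the iRule is attached to.

```tcl
# Added example: hostnames and policy names are hypothetical placeholders.
# Assumption: application security is already enabled on this virtual server,
# so ASM::enable only selects which security policy inspects the request.
when HTTP_REQUEST {
    # Normalise the Host header: lower-case it and strip any port suffix.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -glob -- $host {
        "shop.example.com" {
            # API calls get a policy tuned for them; the rest of the site
            # uses the general web policy.
            if { [string tolower [HTTP::path]] starts_with "/api/" } {
                ASM::enable /Common/shop_api_policy
            } else {
                ASM::enable /Common/shop_web_policy
            }
        }
        "*.intranet.example.com" {
            # One shared policy for similar internal applications:
            # less to maintain, but less granular.
            ASM::enable /Common/intranet_policy
        }
        default {
            # Unmatched hosts are still inspected by a baseline policy
            # instead of bypassing ASM with ASM::disable.
            ASM::enable /Common/baseline_policy
        }
    }
}
```

When reading a rule like this, check what the default branch does: traffic that matches none of the listed hosts should still reach a security policy.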

1.03 - Determine the appropriate policy features and granularity for a given set of requirements:

  • Understand application (security) requirements and convert requirements to technical tasks

Some of the questions you might consider before you start creating a security policy:

  • How strict a policy do you want to create? Fundamental or comprehensive?

  • How many applications do you want ASM to protect? If protecting multiple applications, how similar are they?

  • Do you want to develop one policy for multiple applications, or are the applications different enough that you want to create separate policies for them?

  • Is there a basic set of features that you want to control from a parent policy? Multiple policies can inherit settings from a parent policy.

  • How much traffic and what types of traffic do the applications handle? HTTP, HTTPS, or both?

  • Do the applications have lots of parameters and URLs associated with them? Or are they simple?

1.04 - Determine which deployment method is most appropriate for a given set of requirements:

  • Determine which deployment method is most appropriate given the circumstances (web services, vulnerability scanner, templates, rapid deployment model)

Covered in ASM Getting Started

1.05 - Explain the automatic policy builder lifecycle:

  • Create any profiles required to support the policy deployment (xml, JSON, logging profiles)

  • Implement anomaly detection appropriate to the web app (D/DoS protection, brute force attack, web scraping, proactive bot defense)

Policy Builder develops the policy using the following steps:


  • In the initial phase, the system identifies legitimate application usage and begins to build your security policy based on a statistical analysis of your traffic and the intended behavior of your application. In this phase, the system does not block requests until Policy Builder processes sufficient traffic and adds elements to the security policy. (Establish a baseline for normal traffic)

  • In the next phase, Policy Builder refines and tightens the security policy over time until the number of policy changes stabilizes (Seek/block/log anomalous traffic)

  • In the final phase, Policy Builder further refines the security policy until it is ready to enforce the necessary security features. (Automatically adjust policy settings: Staging vs. enforcement, attribute changes)


You can always control the way the security policy works by making changes manually (manual intervention is always permitted).


More info is covered in ASM Getting Started.

Read (Preventing DoS Attacks on Applications, Configuring Bot Defense, Mitigating Brute Force Attacks) from ASM Implementation guide

1.06 - Review and evaluate policy settings based on information gathered from ASM (attack signatures, DataGuard, entities):

  • Configure initial policy building settings (automatic policy builder settings)

1.07 - Define appropriate policy structure for policy elements:

  • Define appropriate policy structure for policy elements (URLs, parameters, file types, headers, sessions & logins, content profiles, CSRF protection, anomaly detection, DataGuard, proactive bot defense)

1.08 - Explain options and potential results within the deployment wizard:

  • Describe options within the deployment wizard (deployment method, attack signatures, virtual server, learning method)

  • Select the appropriate ASM deployment model given the business requirements

Covering 1.06 to 1.08


Important note: the security policy is the core component of ASM, so make sure you fully understand it (80% of ASM is related to the security policy).

You can start with:

ASM Demos playlist (1 to 27, 33, 34 & 35)


Refining Security Policies with Learning

Changing How a Security Policy is Built

Configuring Security Policy Blocking

Configuring What Happens if a Request is Blocked

Adding Entities to a Security Policy

Changing Security Policy Settings

Maintaining Security Policies


Attack signatures will be covered in 1.10.

1.09 - Explain available logging options:

  • Explain the specifications of the remote logger (ports, types of logs, formats, address)

1.10 - Describe the management of the attack signature lifecycle and select the appropriate attack signatures or signature sets:

  • Understand management of attack signature lifecycle (staging, enforcement readiness period) and select appropriate attack signatures or signature sets.

Section 2: Policy Maintenance and Optimization

2.01 - Evaluate the implications of changes in the policy to the security and functionality of the application

  • Evaluate whether the rules are being implemented effectively and appropriately to meet security and/or compliance requirements and make changes as appropriate

2.02 - Explain the process to integrate natively supported third party vulnerability scan output and generic formats with ASM:

  • Refine appropriate policy structure for policy elements (URLs, parameters, file types, headers, sessions & logins, content profiles, CSRF protection, anomaly protection).

  • Explain how to manage policies using import, export, merge, and revert

Please check the supplemental info related to CSRF in K11930.

2.03 - Evaluate whether rules are being implemented effectively and appropriately to mitigate violations:

  • Evaluate the implications of changes in the policy to the security and vulnerabilities of the application

2.04 - Determine how a policy should be adjusted based upon available data:

  • Tune an ASM policy for better performance, including use of wildcards to improve efficiency

2.05 - Define the ASM policy management functions:

  • Identify the status of the policy

  • Define the violation types that exist in ASM

  • Describe how to merge and differentiate between policies

Section 3: Review Event Logs and Mitigate Attacks

3.01 - Interpret log entries and identify opportunities to refine the policy:

  • Examine traffic violations, determine if any attack traffic was permitted through the ASM and modify the policy to remove false positives

  • Locate and interpret reported security violations by end users and application developers

Covered by provided links for Working with violations & Refining Security Policies

The BIG-IP ASM system supports a set of predefined HTTP request methods. From the list of predefined methods, a BIG-IP ASM policy allows the GET, HEAD, and POST methods by default.

3.02 - Given an ASM report, identify trends in support of security objectives:

  • Understand and describe each major violation category and how ASM detects common exploits

  • Generate reporting for the ASM system and review the contents of the reports (anomaly statistics, charts, requests, PCI compliance status)

3.03 - Determine the appropriate mitigation for a given attack or vulnerability:

  • Take appropriate action on reported security violations by end users and application developers

  • Modify ASM policy to adapt to attacks

Covered by provided links for ASM operations guide Chapter 4, K32356471 & Changing Security Policy Settings

3.04 - Decide the appropriate method for determining the success of attack mitigation:

  • Choose an appropriate user defined attack signature to respond to particular traffic

Covered by provided links for Working with Attack Signatures & Attack and Bot Signatures

Section 4: Troubleshoot

4.01 - Evaluate ASM policy performance issues and determine appropriate mitigation strategies:

  • Analyze performance graphs and statistics along with ASM configurations to determine the root cause of performance issues and appropriate remediation to the configuration based on Guaranteed Logging

4.02 - Understand the impact of learning, alarm, and blocking settings on traffic enforcement:

  • Ensure that the security policy is inspecting web application traffic (application is functional and the policies are parsing the traffic)

Covered by provided links for Configuring Security Policy Blocking

4.03 - Examine policy objects to determine why traffic is or is not generating violations:

  • Examine Security Event Logs and ASM configurations to determine expected violations based on the logging profile assigned to the virtual server

Covered by provided links for Logging Application Security Events

4.04 - Identify and interpret ASM performance metrics:

  • Understand the impact of ASM iRules on performance.

  • Understand the impact of traffic spikes on ASM performance and available mitigation strategies

4.05 - Evaluate ASM system performance issues and determine appropriate mitigation strategies:

  • Correlate performance issues with ASM policy changes based on security policy history information and system performance graphs

4.06 - Recognize ASM specific user roles and their permissions:

  • Recognize differences between user roles/permissions

  • Recognize ASM specific user roles

Good luck and all the best!

Please do not forget me in your prayers / مهند عبد الرازق