Exporting Scan Results to F5 Big-IP ASM

Version Information

This information and relevant testing is for F5 BIG-IP ASM V13.0.0 & V13.0.1

Pre-Requisites

  • Your F5 Big-IP ASM system configuration needs to be completed according to the networking environment surrounding your web application
  • You must have completed a scan in Acunetix and created a WAF export file in F5 Big-IP ASM format.

Creating a Security Policy in F5 Big-IP ASM

  • On the Main tab, click Security > Application Security > Security Policies > Policies List
  • Click Create New Policy
  • In the Policy Name field, type a name for the policy (example: AcunetixPolicy)
  • Enter a description for your Policy (optional)
  • Ensure the Policy Type is set to "Security"
  • Set the Policy Template to "Vulnerability Assessment Baseline"
  • For the Virtual Server, click on "Configure new virtual server"; this will determine where requests for the web application will be sent
  • Specify whether the web application uses HTTP, HTTPS, or both in the field labelled "What type of protocol does your application use" (in this example: HTTP)
  • Define a unique "Virtual Server Name" (example: MyWebApplication)
  • Set the "HTTP Virtual Server Destination" fields to contain the IP address for the web application server (example: 192.168.0.23) and the service port number (example: 80)
  • Set the "HTTP Pool Member" fields to the same values as for "HTTP Virtual Server Destination"
  • Set the "Logging Profile" to "Log illegal requests"
  • Click the "Create Policy" button at the top of the page.

Associate the Acunetix Scanner with the Security Policy

The Security Policy created in the previous section does not yet protect against the vulnerabilities found by Acunetix. The next step is to associate Acunetix Scanner with the Security Policy.

  • On the Main tab, click Security > Application Security > Vulnerability Assessments > Settings.
  • Ensure that the Current edited security policy is set correctly (in this example, to AcunetixPolicy)
  • Set the Vulnerability Assessment Tool to "Generic Scanner"; a dialog will pop up asking you to confirm this choice
  • Click Download Generic Schema to download the generic_scanner.xsd file
  • Click the Apply Policy button to complete this step.

Import Vulnerabilities into the Security Policy

Once you have created your WAF export file from Acunetix, it's time to import it into the Security Policy created earlier.

  • On the Main tab, click Security > Application Security > Vulnerability Assessments > Vulnerabilities
  • In the Current edited security policy dropdown, ensure that you select the Security Policy created earlier
  • Click the "Import…" button
  • Click the "Browse…" button to select your Acunetix WAF export file
  • Click the "Import" button
  • The next dialog will confirm that the file is valid for import, and also which web application it will be used for
  • Click the "Import" button to complete the import

Resolving vulnerabilities

Some vulnerabilities discovered by Acunetix can be resolved automatically by your F5 Big-IP ASM Web Application Firewall.

  • On the Main tab, click Security > Application Security > Vulnerability Assessments > Vulnerabilities
  • Adjust the "View" dropdown to show "Resolvable (Automatically)" items
  • Ensure that you are viewing vulnerabilities with "Any" F5 Big-IP ASM Status
  • Select a vulnerability you want to resolve
  • Click and enable the checkbox next to the Vulnerability URL, and click the "Resolve" button
  • Your WAF will check the request; if it needs to make any changes you will be asked for confirmation
  • Now your WAF will mark the Vulnerability URL as "Mitigated"
