
F5 Certified!

303 ASM Technology Specialist


CERTIFICATION RESOURCE GUIDE

Purpose of this Document


This document outlines topic areas covered on the F5 ASM Specialists
Certification Exam and resources available to help prepare test takers.

References
(Ref:1) Stuttard, Dafydd and Pinto, Marcus. 2008. The Web Application Hacker’s
Handbook: Discovering and Exploiting Security Flaws. Wiley Publishing, Inc.
Indianapolis, IN 46256. ISBN 978-0-470-17077-9
Release notes: http://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnote-asm-11-4-0.html
Manual: http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-4-0.html

Join the F5 Certified! Community on LinkedIn for more community created
study guides.

© 2014 F5 Networks, Inc.


ASM 303 Study Guide

Section 1: Assess security needs and choose an appropriate ASM policy
Objective 1.01 Explain the potential effects of common attacks on web
applications.

Example: Summarize the OWASP Top Ten


Example: Describe how ASM addresses the OWASP Top Ten
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://devcentral.f5.com/tech-tips/articles/f5-security-on-owasp-top-10
Instructor Led Training: Configuring ASM: Module 3: Web Application
Vulnerabilities.

Objective 1.02 Explain how specific security policies mitigate various web
application attacks

Objective 1.03 Determine which ASM mitigation is appropriate for a particular
vulnerability
Example: Explain the purpose of vulnerability assessment tools

http://www.f5.com/pdf/white-papers/vulnerability-assessment-asm-wp.pdf
http://www.f5.com/pdf/white-papers/big-ip-asm-ips-differences-wp.pdf
Instructor Led Training: Configuring ASM: Module 11: Vulnerability Assessment
Tools and Application Templates

Objective 1.04 Choose the appropriate features and granularity


Example: Describe the relationship between security policy and application
development

Example: Explain how specific security policies mitigate various web application attacks
Instructor Led Training: Configuring ASM: Module 5: Rapid Deployment and Attack Signatures
Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building
Instructor Led Training: Configuring ASM: Module 11: Vulnerability Assessment Tools and
Application Templates
https://devcentral.f5.com/blogs/us/why-developers-should-demand-web-app-firewalls


Objective 1.05 Determine the most appropriate deployment method for a given
set of requirements
Example: Determine the appropriate deployment method when a “canned” deployment
method is not applicable.
Example: Evaluate the implications of changes in the policy to the security and
vulnerabilities of the application

Instructor Led Training: Configuring ASM: Module 5: Rapid Deployment and Attack
Signatures

Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building

http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-4-0.html

Objective 1.06 Evaluate the implications of changes in the policy to the security
and vulnerabilities of the application (Same as Example 2?)
Example: Determine the rate of change of the application
Example: Explain the trade-offs between security, manageability, false positives, and
performance

Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building

Section 2: Create and customize policies.


Objective 2.01 Determine the appropriate criteria for initial policy definition based
on application requirements (e.g. wildcards, violations, entities, signatures,
user-defined signatures)
Example: Define the policy based on application requirements

Instructor Led Training: Configuring ASM: Module 5: Rapid Deployment and Attack
Signatures
Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building
Instructor Led Training: Configuring ASM: Module 11: Vulnerability Assessment Tools
and Application Templates

Objective 2.02 Explain the policy builder lifecycle


http://www.f5.com/pdf/deployment-guides/implementing-security-policy-dg.pdf
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/bigipasm9_4/BIG_IP_9_4_ASM_Config_Gd-07-1.html#wp1031040
Instructor Led Training: Configuring ASM: Module 12: Real Traffic Policy Builder

Objective 2.03 Review and evaluate rules based on information gathered from
ASM (e.g., attack signatures, DataGuard, parameters, entities)

http://www.f5.com/pdf/deployment-guides/implementing-security-policy-dg.pdf
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-3-0/asm_parameters.html?sr=30303001
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-3-0/asm_wildcard.html?sr=30303001
Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building

Objective 2.04 Refine policy structure for policy elements (e.g., URLs,
parameters, file types, headers, sessions and logins, content profiles, CSRF
protection, anomaly protection)

Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building
Instructor Led Training: Configuring ASM: Module 13: Advanced Topics

Objective 2.05 Explain the process to integrate and configure natively supported
third-party vendors and generic formats with ASM (e.g., difference between
scanning modes, iCAP)
Example: Upload scan results from a third-party vendor into the ASM GUI.

Instructor Led Training: Configuring ASM: Module 11: Vulnerability Assessment Tools
and Application Templates
sol12984: BIG-IP ASM does not send requests to ICAP servers that exceed the
maximum request size: http://support.f5.com/kb/en-us/solutions/public/12000/900/sol12984


sol12128: The URI of an Internet Content Adaptation Protocol server for antivirus
protection is hard-coded: http://support.f5.com/kb/en-us/solutions/public/12000/100/sol12128.html

Objective 2.06 Determine whether the rules are being implemented effectively
and appropriately to mitigate the violations
Example: Determine the appropriate violations to be enforced.

Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building

Objective 2.07 Explain reporting and remote logging capabilities


Example: Determine whether the remote logger is accessible
Example: Determine the level of logging (i.e., all logs, illegal requests, or responses)

http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-2-0/asm_monitoring.html#1046608
sol13238: The BIG-IP ASM bd process may crash when the remote logging profile
server is unavailable: http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13238.
sol6994: Configuring the BIG-IP ASM to send forensics data to a remote syslog
server: http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6994
sol10651: BIG-IP ASM syslog request format: http://support.f5.com/kb/en-us/solutions/public/10000/600/sol10651.html
sol14020: BIG-IP ASM daemons (11.x): http://support.f5.com/kb/en-us/solutions/public/14000/000/sol14020.html
http://www.thef5guy.com/blog/2009/05/big-ip-asm-4100-processes
Instructor Led Training: Configuring ASM: Module 4: ASM Configuration

Section 3: Maintain policy


Objective 3.01 Interpret log entries to identify opportunities to refine the policy

Example: Describe the various logs and formats


Example: Identify the current state of the policy (e.g., violation status, blocking mode)


http://www.thef5guy.com/blog/2009/05/big-ip-asm-4100-processes
https://devcentral.f5.com/tech-tips/articles/big-ip-logging-and-reporting-toolkit-part-one
sol14020: BIG-IP ASM daemons (11.x): http://support.f5.com/kb/en-us/solutions/public/14000/000/sol14020.html
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-2-0/asm_apx_remote_logging_formats.html#1027259

Objective 3.02 Determine how a policy should be adjusted based upon available
data (e.g., learning suggestions, log data, application changes, traffic type, user
requirements)

Example: React to changes in the web application infrastructure


Example: Adjust the policy to address application changes
sol11914: Updating a BIG-IP ASM Security Policy when your website changes :
http://support.f5.com/kb/en-us/solutions/public/11000/900/sol11914.html
Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building

Section 4
Objective 4.01 Describe the lifecycle of attack signatures

sol8217: Updating the BIG-IP ASM attack signatures: http://support.f5.com/kb/en-us/solutions/public/8000/200/sol8217.html
sol11303: Updated signatures are automatically removed from blocking mode and
placed into staging mode: http://support.f5.com/kb/en-us/solutions/public/11000/300/sol11303.html
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/config_guide_asm_10_2_0.html

Objective 4.02 Evaluate the impact of new or updated attack signatures on
existing security policies

sol8217: Updating the BIG-IP ASM attack signatures: http://support.f5.com/kb/en-us/solutions/public/8000/200/sol8217.html


sol11303: Updated signatures are automatically removed from blocking mode and
placed into staging mode: http://support.f5.com/kb/en-us/solutions/public/11000/300/sol11303.html
sol8517: Enabling attack signatures that were not triggered during the staging
process: http://support.f5.com/kb/en-us/solutions/public/8000/500/sol8517.html
https://devcentral.f5.com/tech-tips/articles/asm-custom-signatures-oh-my#.UcsPGT5gau8

Objective 4.03 Identify key ASM performance metrics (e.g., CPU report, memory
report, process requests, logging)

Example: Identify key ASM performance metrics


Example: Adjust the policy to address application changes
Example: Identify sources of resource consumption (e.g., large file uploads)

Objective 4.04 Interpret ASM performance metrics and draw conclusions

sol12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x):
http://support.f5.com/kb/en-us/solutions/public/12000/800/sol12878.html
sol10227: BIG-IP ASM daemons (9.x - 10.x): http://support.f5.com/kb/en-us/solutions/public/10000/200/sol10227.html

Objective 4.05 Identify and gather information relevant to evaluating the activity
of an ASM implementation

Objective 4.06 Interpret the activity of an ASM implementation to determine its
effectiveness

Example: Demonstrate the understanding of growth trajectories for appropriate ongoing
operations
Example: Appraise the ASM-specific system resources (e.g., box capacity)


Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building
https://devcentral.f5.com/community/group/aft/2166089/asg/39#2274656

Objective 4.07 Differentiate between blocking and transparent features

Example: Recognize the components of a PCI compliance report


Instructor Led Training: Configuring ASM: Module 7: Application Visibility and Reporting
sol8363: Using the Mask Data setting to protect sensitive data returned by the
BIG-IP ASM: http://support.f5.com/kb/en-us/solutions/public/8000/300/sol8363.html

Objective 4.08 Evaluate whether a security policy is performing per requirements
(i.e., blocking, transparent, or other relevant security features)

Example: Solve issues that are illustrated in the PCI compliance report
Example: Recognize the importance of trends and communicate to the necessary
stakeholders
Example: Explain risk management and the balance between availability and security
Instructor Led Training: Configuring ASM: Module 7: Application Visibility and Reporting
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-3-0.pdf?sr=30303269
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-4-0.html

Objective 4.09 Define the ASM policy management functions (e.g., auditing,
merging, reverting, import, and export)

Example: Describe how to export/import policies


Example: Explain how to merge and differentiate between policies
Example: Describe how to revert policies
Example: Review the policy log
Instructor Led Training: Configuring ASM: Module 7: Application Visibility and Reporting
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-3-0/5.html?sr=30303001
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-3-0/4.html?sr=30303001


Objective 4.10 Explain the circumstances under which it is appropriate to use
ASM bypass

Example: Recognize ASM specific user roles


Example: Recognize differences between user roles and permissions
Instructor Led Training: Module 8: ASM User, Role, and Policy Administration
https://devcentral.f5.com/tech-tips/articles/asm-bypass-v1120-muhahahahahahaha
https://devcentral.f5.com/community/group/aft/2163451/asg/50
http://support.f5.com/kb/en-us/solutions/public/9000/300/sol9372.html
