Import scan results into F5 BIG-IP ASM

Once you have exported the scan results from Invicti Platform, follow this document to import them to F5 Big-IP ASM.

Pre-requisites

• Your F5 Big-IP ASM system configuration needs to be completed according to the networking environment surrounding your web application.
• You completed a scan in Invicti Platform and created a WAF export file in F5 Big-IP ASM format.

Create a Security Policy in F5 Big-IP ASM

1. Select Security > Application Security > Security Policies > Policies List from the main menu.

2. Click Create New Policy.

3. In the Policy Name field, type a name for the policy (for example: InvictiPolicy).
4. Optionally, enter a description for your Policy.
5. Ensure the Policy Type is set to Security.
6. Set the Policy Template to Vulnerability Assessment Baseline.
7. For the Virtual Server, select Configure new virtual server; this will determine where requests for the web application will be sent.

• Specify whether the web application uses HTTP, HTTPS, or both in the field labelled What type of protocol does your application use (in this example: HTTP).
• Define a unique Virtual Server Name (for example: MyWebApplication).
• Set the HTTP Virtual Server Destination fields to contain the IP address for the web application server (for example: 192.168.0.23) and the service port number (for example: 80).
• Set the HTTP Pool Member fields to the same values as for HTTP Virtual Server Destination.
• Set the Logging Profile to Log illegal requests.

8. Click the Create Policy button at the top of the page.

Associate Invicti scanner with the Security Policy

The Security Policy created in the previous section does not yet protect against the vulnerabilities found by Invicti Platform. The next step is to associate the Invicti scanner with the Security Policy.

1. Select Security > Application Security > Vulnerability Assessments > Settings from the main menu.

2. Ensure that the Current edited security policy is set correctly (in this example: InvictiPolicy).

3. Set the Vulnerability Assessment Tool to Generic Scanner - a dialog will popup for you to confirm this choice.
4. Click Download Generic Schema to download the generic_scanner.xsd file.
5. Click the Apply Policy button to complete this step.

Import vulnerability export data into the Security Policy

Once you have created your WAF export file from Invicti, it's time to import it into the Security Policy created earlier.

1. Select Security > Application Security > Vulnerability Assessments > Vulnerabilities from the main menu.

2. In the Current edited security policy drop-down, ensure that you select the Security Policy created earlier.

3. Click the Import button.
4. Click the Browse button to select your WAF export file.

5. Click the Import button.
6. The next dialog will confirm that the file is valid for import, and also will confirm the web application.

7. Click the Import button to complete the import.

Resolve vulnerabilities

Some vulnerabilities discovered by Invicti can be resolved automatically by your F5 Big-IP ASM Web Application Firewall.

1. Select Security > Application Security > Vulnerability Assessments > Vulnerabilities from the main menu.
2. Adjust the View drop-down to show Resolvable (Automatically) items.
3. Ensure that you are viewing vulnerabilities with Any ASM status.
4. Select a vulnerability you want to resolve.

5. Enable the checkbox next to the Vulnerability URL, and click the Resolve button.
6. Your WAF will check the request; if it needs to make any changes you will be asked for confirmation.
7. Now your WAF will mark the Vulnerability URL as Mitigated.