Manual Chapter: Configuring General System Options
The Application Security Manager includes general system options that apply to the overall application security configuration. You can perform the following tasks to configure general system options:
Configure the Application Security Manager to connect with an Internet Content Adaptation Protocol (ICAP) server to check requests for viruses. See Configuring external anti-virus protection, for more information.
Some of the overall system configuration tasks are described in other chapters, because they relate to other tasks described there. You can perform the following additional general configuration tasks:
You can change the default user interface and system preferences for the Application Security Manager as well as configure fields displayed in the Request List of the Reporting screen.
1. On the Main tab, expand Application Security, point to Options, and then click Preferences.
   The Preferences screen opens.
2. For Records Per Screen, type the number of entries to display (1-100). The default value is 20.
   This setting affects the maximum number of security policies, file types, URLs, parameters, flows, headers, and XML and JSON profiles to display in lists throughout the Application Security Manager.
3. For Titles Tooltip Settings, select one of the options for how to display tooltips:
   Do not show tooltips: Never display tooltips or icons.
   Show tooltip icons: Display an icon if a tooltip is available for a setting, and show the tooltip when you move the cursor over the icon. This is the default setting.
   Show tooltips on title mouseover: Display a tooltip when you move the cursor over a setting on the screen.
4. For Default Configuration Level, select whether to display all possible settings (Advanced) or the Basic settings on screens with that option.
5. For Apply Policy Confirmation Message, you can specify whether to display a popup message asking you to confirm the Apply Policy operation each time you apply a security policy.
6. For Records Per Requests Screen, type the number of requests to display (1-1000). The default value is 500.
   This setting affects the maximum number of requests that appear in any Requests List that contains requests, such as request lists that contain details for any Incident or Event Correlation, or request lists with violated IP Enforcer attacks.
7. For Request List Columns, specify what information you want to display on the Requests screen, and the order in which it should display.
8. For Request List Size, specify the number of requests the system displays before adding a scroll bar, and determine the amount of space the requests list takes on the Request screen.
9. For Sync, select the check box to display the Sync Recommended message at the top of the screen when you change a security policy to remind you to perform a ConfigSync with the peer device.
10. For Logging, select the check box to record all changes made to security policies in the Syslog (/var/log/asm).
   Note: The system continues to log system data regardless of whether you enable policy change logging.
11. Click Save to keep your changes.
You can configure the Application Security Manager to connect with an Internet Content Adaptation Protocol (ICAP) server to check requests for viruses. If the Virus Detected violation is set to Alarm or Block for that web application's security policy, the system sends requests with file uploads to an external ICAP server for inspection. The ICAP server examines the requests for viruses and, if it detects a virus, notifies the Application Security Manager, which then issues the Virus Detected violation.
You can also set up anti-virus checking for HTTP file uploads and SOAP web service requests. If configured, the system checks the file uploads and SOAP requests before releasing content to the web server.
By default, the system uses the ICAP server for McAfee anti-virus protection. If your ICAP server has different anti-virus software, you must change the values of the icap_uri and virus_header_name internal parameters. Refer to Appendix D, Internal Parameters for Advanced Configuration, for information about internal parameters.
1. On the Main tab, expand Application Security, point to Options, and then click Anti-Virus Protection.
   The Anti-Virus Protection screen opens.
For Server Host Name, type the ICAP server host name in the format of a fully qualified domain name.
Note: If using the host name only, you must also configure a DNS server on the BIG-IP system. Expand System, point to Configuration, Device, then click DNS. If DNS is not configured, you must include the IP address.
For Server IP Address, type the IP address of the ICAP server.
3. For Server Port Number, type the port number of the ICAP server.
4. If you want to perform virus checking even if it may slow down the web application, select the Guarantee Enforcement check box.
5. Click Save to save the ICAP server configuration.
6. On the Main tab, under Application Security, point to Policy, and then click Blocking.
   The Blocking Settings screen opens.
   a) Ensure that the Current edited policy is the one for which you want anti-virus protection.
   b) For the Virus Detected violation (near the bottom of the screen), select either or both of the Alarm and Block check boxes. For details on setting up blocking, refer to Configuring policy blocking.
   c) Click Save to save the blocking policy.
   d) Click Apply Policy.
8. In each security policy for which you want the system to perform virus checking on HTTP file uploads or SOAP requests, complete these tasks:
   a) Ensure that the Current edited policy is the one that may include HTTP file uploads or SOAP requests.
   b) On the Main tab, point to Policy, and then click Anti-virus Protection.
   c) To have an external ICAP server inspect file uploads for viruses before releasing the content to the web server, select Inspect file uploads within HTTP requests.
   d) To perform virus checking on SOAP attachments, presuming the security policy includes one or more XML profiles, in the XML Profiles setting, move the profiles from the Antivirus Protection Disabled list to the Antivirus Protection Enabled list.
   e) Click Save.
   f) Click Apply Policy.
User accounts on the BIG-IP system are assigned a user role that specifies the authorization level for that account. While an account with the user role of Administrator can access and configure everything, you may want to further specialize administrative accounts.
Web Application Security Administrator: Grants users permission to view and configure all parts of the Application Security Manager, on all partitions. With respect to application security objects, this role is equivalent to the Administrator role.
Web Application Security Editor: Grants users permission to view and configure most parts of the Application Security Manager, on specified partitions.
Resource Administrator: Grants users permission to view and configure application security resources.
1. On the Main tab, expand System, and then click Users.
   The User List screen opens.
2. Click the Create button.
   The New User screen opens.
3. For the User Name setting, type the name for the account.
4. For the Password setting, type and confirm the account password.
5. For the Role setting, select the appropriate role:
   To limit security policy editing to the current administrative partition, select Web Application Security Editor.
6. If you selected Web Application Security Editor, then in Partition Access, select the partition in which to allow the account to create security policies.
7. Click Finished.
   The User List screen opens and lists the new user account.
Logging profiles specify how and where the system stores request, response, and violation data for security policies. When you configure a security policy, you select the logging profile for that security policy. You can use one of the system-supplied logging profiles, or you can create a custom logging profile. Note that the system-supplied logging profiles log data locally. For more information on selecting the logging profile for a security policy, refer to Specifying the logging profile for a web application.
Additionally, you can choose to log the request data locally, on a remote storage system (such as a syslog server), on a reporting server (as key/value pairs), or on an ArcSight server (in CEF format).
Note: If running Application Security Manager on a BIG-IP system using Virtualized Clustered Multiprocessing (vCMP), for best performance, F5 recommends configuring remote logging to store Application Security Manager logs remotely rather than locally.
A logging profile has two parts: the storage configuration and the storage filter. The storage configuration specifies where the logs are stored: locally, remotely, or both. The storage filter determines what information gets stored.
When you configure a logging profile for remote storage, the system stores the data for the associated security policy on one or more remote management systems. The system can store the data in Comma Separated Value (CSV) format or another format that you define.
When you store the logs locally, the logging utility may compete for system resources. You can use the Guarantee Logging setting to ensure that the system logs the requests in this situation. Enabling the Guarantee Logging setting may cause a performance reduction if you have a high-volume traffic application.
To view logs stored locally, refer to Viewing the application security logs. View logs stored remotely on the external logging system.
1. On the Main tab, expand Application Security, point to Options, and then click Logging Profiles.
   The Logging Profiles screen opens.
2. Above the Logging Profiles area, click the Create button.
   The Create New Logging Profile screen opens.
3. For the Configuration setting, select Advanced.
4. For the Profile Name setting, type a unique name for the logging profile.
5. If you do not want to log data locally on the BIG-IP system, clear the Local Storage check box. Otherwise, leave it selected.
6. Optional for local logging: To ensure that the system logs requests for the security policy, even when the logging utility is competing for system resources, select the Guarantee Local Logging check box.
   Note: Enabling this setting may slow access to the web application server.
7. From the Response Logging list, select one of the following options:
   Log responses for all requests, when the Storage Filter Request Type is set to All Requests. (Otherwise, logs only illegal requests.)
   Note: By default, the system logs the first 10000 bytes of responses, up to 10 responses per second. You can change the limits by using the response logging internal parameters.
8. If logging locally only, set up the Storage Filter (see Configuring the storage filter, for details), and then click Create.
   The Logging Profiles screen opens and displays the new logging profile.
1. Continuing on the Create New Logging Profile screen, select the Remote Storage check box.
   The screen displays additional settings.
2. From the Remote Storage Type, select the appropriate type:
   To store traffic on a reporting server (for example, Splunk) using a preconfigured storage format, select Reporting Server.
   Key/value pairs are used in the log messages.
   If your network uses ArcSight logs, select ArcSight. For details, see ArcSight log message format.
3. For the Protocol setting, select the protocol that the remote storage server uses: TCP (the default setting), TCP-RFC3195, or UDP.
4. For Server Addresses, specify one or more remote servers, reporting servers, or ArcSight servers on which to log traffic. Type the IP address, port number (default is 514), and click Add.
5. If using the Remote storage type, for Facility, select the facility category of the logged traffic. The possible values are LOG_LOCAL0 through LOG_LOCAL7.
   Tip: If you have more than one security policy, you can use the same remote logging server for both applications, and use the facility filter to sort the data for each.
6. If using the Remote storage type, in the Storage Format setting, you can specify how the log displays information, which traffic items the server logs, and in what order it logs them:
   To determine how the log appears, select Predefined to display the items in the Selected Items list in CSV format with a delimiter you specify; select User-Defined to display the items in the Selected Items list in addition to any free text you type in the Selected Items list.
   To specify which items appear in the log, move items from the Available Items list into the Selected Items list.
   To control the order in which predefined items appear in the server logs, select an item in the Selected Items list, and click the Up or Down button.
7. For Maximum Request Size, specify how much of a request the server logs. Select Any to log the entire request, or type Length in bytes.
8. If using the Remote storage type, for Maximum Headers Size, specify how much of the header the server logs. Select Any to log the entire header, or type Length in bytes.
9. If using the Remote or Reporting Server storage types, for Maximum Query String Size, specify how much of a query string the server logs. Select Any to log the entire query string, or type Length in bytes.
10. For Maximum Entry Length, you can specify how much of the entry length the server logs. The default length is 1K for remote servers that support the UDP protocol and 2K for remote servers that support the TCP and TCP-RFC3195 protocols. You can change the default maximum entry length for remote servers that support the TCP protocol.
11. Select Report Detected Anomalies if you want the system to send a report string to the remote system log when a brute force attack, denial of service attack, IP enforcer attack, or web scraping attack starts and ends.
13. Click the Create button.
   The screen refreshes, and displays the new logging profile on the Logging Profiles screen.
1. On the Main tab, click Security Policies.
3. For Logging Profile, select the profile you created.
4. Click Update.
If your network uses ArcSight logs, you can configure a logging profile that formats the log information for that system (see Creating logging profiles). Application Security Manager stores all logs on a remote logging server using the predefined ArcSight settings for the logs.
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension
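The CEF layout above, parsed on the receiving log server, as an added example that is not code from this manual or from F5. The sample line and all of its field values are constructed placeholders, and the escaping rules used (\| and \\ in the header, \= in extension values) are the general CEF convention, assumed here rather than stated on this page.

```python
import re

# Header field names, in the order of the CEF format line above.
HEADER = ("version", "device_vendor", "device_product", "device_version",
          "device_event_class_id", "name", "severity")
# Extension: key=value pairs; a value runs until the next " key=" or end of line.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")
UNESC_RE = re.compile(r"\\([=\\nr])")


def split_header(body):
    """Split on unescaped '|' into the 7 header fields and the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1])      # \| and \\ are literal characters
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < len(HEADER):
        # e.g. cut off by the logging profile's Maximum Entry Length
        raise ValueError("truncated or malformed CEF header")
    return fields, body[i:]


def parse_cef(line):
    """Parse one syslog line carrying a CEF message into a dict."""
    event = {}
    pri = re.match(r"<(\d{1,3})>", line)
    if pri:                              # PRI = facility * 8 + severity
        facility = int(pri.group(1)) >> 3
        if 16 <= facility <= 23:         # LOG_LOCAL0 .. LOG_LOCAL7
            event["facility"] = "LOG_LOCAL%d" % (facility - 16)
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF message in line")
    fields, ext = split_header(line[start + 4:])
    event.update(zip(HEADER, fields))
    unesc = lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1))
    event["extension"] = {k: UNESC_RE.sub(unesc, v)
                          for k, v in EXT_RE.findall(ext)}
    return event


# Constructed sample (placeholder values, not captured ASM output).
SAMPLE = (r"<134>Jan  1 00:00:00 waf1 CEF:0|ExampleVendor|ExampleWAF|1.0|42|"
          r"Illegal \| file type|5|src=192.0.2.10 "
          r"request=GET /up.exe?a\=1 HTTP/1.1 act=blocked")

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```

The facility decoded from the syslog priority is what lets one remote server separate the logs of several security policies, and a message that raises ValueError is a sign that the entry was cut short before the header ended.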
Note: The following procedure describes configuring the storage filter for an existing logging profile. You can also do this while creating a new one.
1. On the Main tab, expand Application Security, point to Options, and then click Logging Profiles.
   The Logging Profiles screen opens.
2. In the Logging Profiles area, click the name of an existing logging profile.
   The Edit Logging Profile screen opens.
3. For the Storage Filter setting, select Advanced.
   The screen refreshes to display additional settings.
4. For the Logic Operation setting, select the manner in which the system associates the criteria you specify. The criteria are the remaining settings in the storage filter.
   OR: Select this operator if you want the system to log the data that meets one or more of the criteria.
   AND: Select this operator if you want the system to log the data that meets all of the criteria.
5. For the Request Type setting, select the kind of requests that you want the system to store in the log.
6. For the Protocols setting, select whether logging occurs for HTTP and HTTPS protocols or a specific protocol.
7. For the Response Status Codes setting, select whether logging occurs for all response status codes or specific ones.
8. For the HTTP Methods setting, select whether logging occurs for all methods or specific methods.
9. For the Request Containing String setting, select whether the request logging is dependent on a specific string.
10. Click the Update button.
You can customize the severity levels of security policy violations for the application security events that the system displays on the Security Alerts screen, and logs as messages in the Syslog, in response to violations. The event severity levels are Informational, Notice, Warning, Error, Critical, Alert, and Emergency. They range from least severe (Informational) to most severe (Emergency).
Note: When you make changes to the event severity level for security policy violations, the changes apply globally to all security policies.
1. On the Main tab, expand Application Security, point to Options.
4. Click the Save button to retain any changes.
Tip: If you modify the event severity levels for any of the security policy violations, and later decide you want to use the system-supplied default values instead, click the Restore Defaults button.
Locally stored system logs for the Application Security Manager are accessible on the BIG-IP system. Note that these are the logs for general system events and user activity. You can view specific security violation events on the reporting charts or the learning screens in the Application Security Manager.
Tip: If you prefer to review the log data from the command line, you can find the application security log data in the /var/log/asm directory.
1. On the Main tab, expand System, and then click Logs.
   The System Logs list screen opens.
2. On the menu bar, click Application Security.
   The Application Security log list screen opens, where you can review the logged entries.
The RegExp Validator is a system tool designed to help you verify your regular expression syntax. You can type a regular expression in the RegExp Validator, provide a test string pattern, and let the tool analyze the data.
1. On the Main tab, expand Application Security, point to Options, and then click RegExp Validator.
   The RegExp Validator screen opens.
2. In the RegExp field, specify how you want the validator to work:
3. Click the Validate button.
   The screen refreshes and shows the results of the validation.
If you want the system to send email to users, such as when configuring the system to send reports using email (refer to Scheduling and sending graphical charts using email), you must enable the SMTP mailer and configure an SMTP server.
Note: For the SMTP mailer to work, you must make sure the SMTP server is on the DNS lookup server list, and configure the DNS server on the BIG-IP system (System > Configuration > Device > DNS).
1. On the Main tab, expand Application Security, point to Options, and then click SMTP Configuration.
   The SMTP Configuration screen opens.
2. Select the Enable SMTP mailer check box.
3. For SMTP Server Host Name, type the fully qualified host name of an SMTP server (for example, smtp.example.com).
4. For SMTP Server Port Number, type the SMTP port number (25 is the default for no encryption; 465 is the default if SSL or TLS encryption is the encryption setting).
5. For Local Host Name, type the fully qualified host name of the BIG-IP system.
6. For From Address, type the email address to use as the reply-to address that the recipient sees.
7. For Encrypted Connection, select whether the SMTP server requires an encrypted connection to send mail. Select No encryption, SSL (Secure Sockets Layer), or TLS (Transport Layer Security).
8. If you want the SMTP server to validate users before sending email, select the Use Authentication check box, then type the Username and Password that the SMTP server requires for validation.
9. Click Save to save the configuration.