
Manual Chapter: Building a Security Policy Automatically

Application Security Manager automates the process of creating a security policy to protect a web application. The system must be set up in a networking environment, and be capable of handling traffic to the application.
This section provides an overview of setting up automatic policy building. The BIG-IP® Application Security Manager: Getting Started Guide describes in detail how to use the Deployment wizard.
Create the security policy
From the Active Security Policies list, click Create. Using the Deployment wizard, create a virtual server, pool, and then select the option Create a policy automatically.
Let the system automatically add entities to the security policy
When the Deployment wizard finishes, the system starts the Real Traffic Policy Builder®, the automated policy building tool. The Policy Builder examines requests and responses from different sessions and different IP addresses, over a period of time. It then populates the security policy with legitimate security policy elements (file types, URLs, parameters, and so on), and puts them in staging. The Policy Builder ensures that the policy does not cause false positives.
Let the system stabilize the security policy
The security policy stabilizes after the system analyzes sufficient traffic, from different sessions and different IP addresses, over a period of time. Policy elements are moved out of staging and enforced as they meet the rule threshold values for stabilization. After that, traffic that violates the security policy generates security violations.
Let the system track site changes and update the policy
If the web application changes and causes violations for enough different users and IP addresses, over a period of time, the Policy Builder makes the necessary adjustments to the security policy. After sufficient time passes, Policy Builder once again stabilizes the security policy.
Review the automatic policy building status
On the Policy Building: Automatic: Status screen, you can review the current status of the security policy, see the policy elements that were added, and view details about the elements and violations listed. If you want more control, you can enforce parts of the security policy from the status screen. The system logs all changes that you or the Policy Builder make to the security policy.
You use the Policy Building: Automatic: Configuration screen to configure and monitor automatic policy building. The features and settings discussed in this chapter relate directly to the different settings in various areas of the screen.
Application Security Manager completely configures the automated policy building settings according to the selections you make when using the Deployment wizard. You can review the settings, and change them if needed.
There are two levels of automated policy building settings: basic and advanced. The basic settings are sufficient for most installations, and require less work. The advanced level allows you to view and change all of the configuration settings if you want further control over security policy details.
Note: When you first create a security policy, you have the option of making it case-sensitive or not. By default, it is case-sensitive. You cannot change the setting after creating the security policy.
Figure 4.1 shows a Policy Building: Automatic: Configuration screen with the basic settings.
1. On the Main tab, expand Application Security, point to Policy Building, Automatic, then click Configuration.
The Policy Building: Automatic: Configuration screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
3. For Real Traffic Policy Builder®, select the Enabled check box if it is not already selected.
The screen refreshes and displays more options.
4. For Policy Type, select the type of security policy:
Fundamental: Provides granularity sufficient for most organizations creating a generalized security policy that is fast to create and easy to maintain. This is the default setting.
Enhanced: Provides additional granularity and security features suited for customers with higher (and, typically, specific) security needs. This policy type takes longer to implement.
Comprehensive: Provides the most granular definitions, includes most security features, and is suited for advanced users or customers with extreme security needs. This policy type typically takes even longer to deploy and requires more maintenance.
5. For Rules, move the slider to change the thresholds of the rules for the security policy:
Fast: Builds a security policy using lower threshold values for the rules so they are likely to meet the thresholds more quickly; for example, this setting is useful for smaller web sites with less traffic. Selecting this value may create a less accurate security policy.
Medium: Builds a security policy based on greater threshold values for the rules. This is the default setting and is recommended for most sites.
Slow: Builds a security policy using even higher thresholds for the rules and takes longer to meet them; for example, this value is useful for large web sites with lots of traffic. Selecting this value may result in fewer false positives and create a more accurate security policy.
6. If you changed any of the settings, click Save.
When traffic is flowing to the application, the system examines requests and responses and begins to build the security policy. This is all you are required to configure unless you want to examine the advanced configuration options. Skip to Viewing the automatic policy building status, for what to do next.
If you want to review the configuration details of the Policy Builder, you can use the advanced automated policy building settings.
1. On the Main tab, expand Application Security, point to Policy Building, Automatic, then click Configuration.
The Policy Building: Automatic: Configuration screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
3. For Real Traffic Policy Builder®, select the Enabled check box if it is not already selected.
The screen refreshes and displays more options.
4. Next to Automatically Build Policy, select Advanced.
The screen displays the advanced configuration details of the Policy Builder.
5. Review the settings and modify them as needed. Refer to the online help or the following procedures for more information:
The policy type determines which security policy elements are included in the security policy. When you create a security policy, you can select one of the following policy types:
Fundamental provides security at a level that is appropriate for most organizations, creating a robust security policy, which is highly maintainable and quick to configure. This is the default setting.
Enhanced provides extra customization, creating a security policy with more granularity.
Comprehensive provides the highest level of customization, creating a security policy with more granularity, but it may take longer to configure.
Custom provides the level of security that you specify when you adjust which security policy elements are included in the security policy. The policy type changes to Custom if you change which elements to include in the policy.
1. On the Main tab, expand Application Security, point to Policy Building, Automatic, then click Configuration.
The Policy Building: Automatic: Configuration screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
3. For Real Traffic Policy Builder®, select the Enabled check box if it is not already selected.
The screen refreshes and displays more options.
4. For Policy Type, select a different type.
The selected security policy elements and options change depending on the policy type you choose.
5. Click Save to save your changes.
Table 4.1 lists each of the security policy elements listed in the Automatic Policy Building configuration, describes what the Policy Builder does when each element is enabled, and shows which policy type enables the element.
What the System Does (When Enabled)
Creates the security policy with validation checks that ensure HTTP requests are formatted properly.
Creates the security policy so it detects evasion techniques and performs normalization processes on URI and parameter input.
Creates the security policy with the explicit file types used by the application.
Creates the security policy with length limitations per file type, based on legitimate web application traffic.
Creates the security policy so it enables or disables attack signatures.
Creates the security policy with allowed URLs, based on legitimate traffic.
Creates the security policy with allowed meta characters for wildcard URLs, based on legitimate traffic.
Creates the security policy with allowed parameters, based on legitimate traffic.
Parameters-Name Meta Characters
Creates the security policy with allowed meta characters for parameter names for wildcard parameters.
Parameters-Value Lengths
Creates the security policy with limits for every parameter's length, based on legitimate traffic.
Creates the security policy with allowed meta-characters for parameter values, and content profiles, based on legitimate web application traffic.
Creates the security policy with cookie values based on legitimate web application traffic. How the Policy Builder treats modified cookies is determined by the security policy's Cookie Settings configuration.
Creates the security policy with allowed methods based on legitimate traffic.
Request length exceeds defined buffer size
Creates the security policy and enables the Request length exceeds defined buffer size violation.
(Selected if JSON/XML payload detection is enabled when configuring automatic policy building using the Deployment wizard)
Creates the security policy so that it validates XML and JSON request data based on legitimate web application traffic. If traffic includes legitimate XML or JSON data, the Policy Builder edits existing XML or JSON profiles according to the data it detects. You must select URLs or Parameters to use Content Profiles.
Content Profiles- Automatically detect advanced protocols
(Selected if JSON/XML payload detection is enabled when configuring automatic policy building using the Deployment wizard)
Allows the system to add XML or JSON profiles as needed to the security policy, and configures their attributes according to the data the Policy Builder detects in legitimate XML or JSON data in URLs or parameters in the policy.
Allows the system to add domain names used in the web application to the security policy's list of host names. This allows the system to distinguish between internal and external links and forms.
Verifies URLs against Cross-site Request Forgery (CSRF) based on legitimate web application traffic. If Policy Builder detects an excessive rate of violations on a CSRF-protected URL, the system treats the violation as a false positive and removes the URL from the list of CSRF-protected URLs.
Note that the list in Table 4.1 includes the violations and checks that are relevant only for automatic security policy building. The Application Security Manager includes many other security features that are not included in automatic policy building, such as response scrubbing using Data Guard, described in Chapter 5, and anomaly detection, described in Chapter 6.
Security policy elements, such as file types, URLs, evasion technique violations, and so on, form the basis of the security policy that the automatic policy building process is creating. The selected security policy elements are the ones that the Policy Builder configures into the security policy based on legitimate web application traffic. Figure 4.2 shows the security policy elements for a comprehensive security policy.
Each policy type enables a different granularity of policy elements. Refer to Table 4.1, for a list of policy elements, descriptions of each, and which policy elements are included in each policy type.
You can select the policy elements to include in the security policy, in which case, the system changes the Policy Type setting to Custom.
1. On the Main tab, expand Application Security, point to Policy Building, Automatic, then click Configuration.
The Policy Building: Automatic: Configuration screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
3. For Real Traffic Policy Builder®, select the Enabled check box if it is not already selected.
The screen refreshes and displays more options.
4. To display all configuration options, next to Automatically Build Policy, select Advanced.
5. In the Policy Type setting, for Include the following Security Policy Elements, select the security policy entities (or violation) that you want the Policy Builder to automatically configure when building the security policy. For details on the policy elements, see Table 4.1.
6. Click Save to save your changes.
When you create a security policy automatically, the Application Security Manager sets the automatic policy building options on the Policy Building: Automatic: Configuration screen (Advanced setting). These options determine what type of entities the Policy Builder adds to the security policy. You can change the values of the settings in the Options area, shown in Figure 4.3. Refer to the online help for details about all of the settings.
The security policy learns from responses, by default, meaning that it adds elements found in trusted IP addresses or in responses that are legal and fully enforced.
If the web application contains dynamic parameters, you can configure the Policy Builder to identify them. Dynamic parameters are parameters whose sets of accepted values can change, and usually depend on the user session. For more information on dynamic parameters, refer to Working with dynamic parameters and extractions.
The options also let you simplify your security policy by collapsing similar specific entities into one global entity. After a specified number of occurrences (10 by default), the system can combine:
User-input parameters (alphanumeric only) with similar names into one general name (replacing param1, param2, and param3 with param*)
Cookies with similar names, replacing them with a wildcard cookie that matches all of the similarly-named cookies. For example, cookie1 and cookie2 are replaced with cookie*
Content profiles, where each content profile contains one parameter/URL, replacing them with one content profile containing all parameters/URLs; (the Policy Builder collapses content profiles once, and then uses the collapsed content profile)
Figure 4.3 shows the Options area of the Automatic Policy Building screen.
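The collapse behaviour described above, modelled as an added example (not F5 code and not part of the original manual). It assumes that "similar names" means the same alphabetic prefix followed by a numeric suffix and that "occurrences" counts distinct similar names; `collapse`, `widened` and the sample names are hypothetical. The second function lists names that the resulting wildcard admits although they were never observed in traffic.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

COLLAPSE_AFTER = 10  # default number of occurrences given in the manual

# Assumption: two names are "similar" when they share an alphabetic
# prefix and differ only in a numeric suffix (param1, param2, ...).
_SIMILAR = re.compile(r"^([A-Za-z]+)(\d+)$")


def collapse(names, threshold=COLLAPSE_AFTER):
    """Return the entity list after collapsing similar names into prefix*."""
    groups = defaultdict(set)
    kept = set()
    for name in names:
        match = _SIMILAR.match(name)
        if match:
            groups[match.group(1)].add(name)
        else:
            kept.add(name)          # no numeric suffix: never collapsed
    for prefix, members in groups.items():
        if len(members) >= threshold:
            kept.add(prefix + "*")  # one wildcard entity replaces the group
        else:
            kept |= members         # below the threshold: stay explicit
    return sorted(kept)


def widened(entities, observed, candidates):
    """Candidates that a wildcard entity matches although they were
    never observed in traffic."""
    wildcards = [e for e in entities if e.endswith("*")]
    return sorted(
        c for c in candidates
        if c not in observed and any(fnmatchcase(c, w) for w in wildcards)
    )


# Constructed sample: user-input parameter names seen in traffic.
OBSERVED = [f"param{i}" for i in range(1, 11)] + ["item1", "item2", "id"]
POLICY = collapse(OBSERVED)
# Constructed names that were never observed in traffic.
EXTRA = widened(POLICY, set(OBSERVED), ["param77", "paramount", "item3", "id"])

if __name__ == "__main__":
    print("policy entities:", POLICY)
    print("accepted without having been observed:", EXTRA)
```

The ten `param` names collapse into `param*`, while the two `item` names stay explicit because they are below the threshold.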
1. On the Main tab, expand Application Security, point to Policy Building, Automatic, then click Configuration.
The Policy Building: Automatic: Configuration screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
3. To display all configuration options, next to Automatically Build Policy, select Advanced.
4. In the Options area, select Learn from responses if you want the security policy to include elements found in responses.
The response may include more information about the web application than is found in the request. If the setting is enabled, the Policy Builder learns only from responses from valid requests (meaning those which do not generate violations).
5. For Parameter Level, select how to add parameters to the security policy:
Tip: Both options are available only when both Parameters and URLs are selected in the security policy elements.
6. Specify whether you want the Policy Builder to add dynamic parameters to the security policy, and if so, where to get them from:
If you do not want to include dynamic parameters, make sure all the dynamic parameters check boxes are cleared, and skip to step 8.
To extract dynamic parameters from file types, make sure both the File Types and Parameters policy elements are already selected in the Security Policy Elements area.
To extract dynamic parameters from URLs, make sure the URLs and Parameters policy elements are selected. Selecting File Types, Parameters, and URLs also extracts dynamic parameters from URLs.
7. To specify the conditions under which the Policy Builder adds dynamic parameters to the security policy, for Dynamic Parameters, perform the following tasks, as needed:
To add all hidden form input parameters from the application as dynamic content value parameters, select the All HIDDEN Fields check box.
To add parameters from forms as dynamic content value parameters, select the Using statistics - FORM parameters check box.
To add parameters from links as dynamic content value parameters, select the Using statistics - link parameters check box.
Adjust the number of unique value sets that must be seen for a parameter before the system considers it a dynamic content value. The default value is 10.
8. To simplify your security policy by combining common specific settings into a more global setting, for Collapse to one entity, click Enabled and type the number of occurrences after which entities are combined. The default value is 10.
9. For Learn from traffic with the following HTTP Response Status Codes, type the response codes you want to add (for example, add specific codes like 304 or a class of codes like 4xx).
The Policy Builder extracts information from traffic based on transactions that return only those HTTP response status codes.
Tip: Normally, the Policy Builder learns only from legitimate traffic, so you should add response codes that are returned under normal usage conditions for your application.
All informational responses (the request was received; continuing to process it). Included by default.
All successful responses (the request was received, understood, accepted, and processed successfully). Included by default.
All redirection (the client needs to take additional action on the request). Included by default.
Specific codes such as 100, 306, 400, 404
Refer to Hypertext Transfer Protocol -- HTTP/1.1 specification (RFC-2616).
10. For Maximum Security Policy Elements, if needed, adjust the maximum number of elements that can be added to the security policy:
File Types (the default value is 250)
URLs (the default value is 10000)
Parameters (the default value is 10000)
Cookies (the default value is 100)
If the Policy Builder reaches the specified limit, it stops adding that type of security policy element. If this happens, you may need to intervene.
If the web site requires more than the maximum number of elements, you can increase the limits, or reconsider the type of the policy (you may not need to include all the elements explicitly).
If the site includes a dynamic element that the Policy Builder cannot learn (such as dynamic sessions in URL or dynamically generated parameter names), either configure the security policy to include the element (for example, dynamic sessions in URL), or clear the element type. The Policy Builder should not be configured to learn that element type in such an environment.
11. For File Types for which wildcard URLs will be configured, add the file types for which the Policy Builder creates a wildcard URL instead of adding an explicit URL. Common file types are included by default.
12. Click Save.
13. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
During automatic policy building, the Policy Builder builds security policies in three stages. These stages each have separate sets of settings in the Rules area of the Policy Building: Automatic: Configuration screen. Rules in each stage determine when an element in the security policy moves from one stage to the next.
Some of the rules have different values depending on whether the traffic comes from a trusted or untrusted source. The system generally considers trusted traffic and the policy elements it contains legitimate and adds them to the policy more quickly than those in untrusted traffic.
Accept as Legitimate (Loosen)
During this stage, the Policy Builder identifies legitimate application usage based on repeated behavior from sufficient different user sessions and IP addresses, over a period of time. The system updates the security policy accordingly. Based on wildcard matches, Policy Builder adds the legitimate policy entities (putting most into staging to learn their properties), and disables violations that are probably false positives.
For example, when the Policy Builder sees the same file type, URL, parameter, or cookie from enough different user sessions and IP addresses over time, then it adds the entity to the security policy.
Stabilize (Tighten)
During this stage, the Policy Builder refines the security policy elements until the number of security policy changes stabilizes. For example, the Policy Builder enforces an entity type after it records a sufficient number of unique requests and sessions, for different IP addresses, over a sufficient length of time since the last time an explicit file type, URL, or parameter was added to the security policy.
Similarly, the Policy Builder enforces the entity's attributes (takes them out of staging) after it records a sufficient number of unique requests and sessions from different IP addresses, over a sufficient length of time for a particular file type, URL, or parameter since the last time the entity's attributes or settings were updated.
When the traffic to the application no longer includes new elements and the Policy Builder has enforced the policy elements, the security policy is considered stable and its progress reaches 100%.
Track Site Changes
If sufficient traffic from different sessions and different IP addresses causes violations over a period of time, the Policy Builder looks for changes to the web site. If the Policy Builder discovers changes, it logs the change (Site change detected) and temporarily loosens the security policy to make the necessary adjustments. When the Policy Builder stabilizes the added elements, it retightens the security policy.
Although it is not recommended, you can disable the Track Site Changes option. If you do, when the security policy progress reaches 100% stability, the system disables automatic policy building. The security policy is not updated unless you manually change it, or restart automatic policy building by re-enabling the Track Site Changes option.
Figure 4.4 shows the Rules area of the Policy Building: Automatic: Configuration screen with a learning speed of slow.
Advanced users can view and change the conditions under which the Policy Builder modifies the security policy during any of the three stages. Changing the values in any of the rules (to values not matching any of the built-in levels) also changes the learning speed and chances of adding false entities settings to say Custom (instead of Slow, Medium, and Fast or Low, Medium, and High).
Note: We recommend that only advanced users change the automatic policy building rule settings. F5 advises using the default values in most cases.
1. On the Main tab, expand Application Security, point to Policy Building, Automatic, then click Configuration.
The Policy Building: Automatic: Configuration screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
3. To display all configuration options, next to Automatically Build Policy, select Advanced.
4. For Rules, move the slider to change the thresholds of the rules for the security policy:
Fast: Builds a security policy using lower threshold values for the rules so they are likely to meet the thresholds more quickly; for example, this setting is useful for smaller web sites with less traffic. Selecting this value may create a less accurate security policy.
Medium: Builds a security policy based on greater threshold values for the rules. This is the default setting and is recommended for most sites.
Slow: Builds a security policy using even higher thresholds for the rules and takes longer to meet them; for example, this value is useful for large web sites with lots of traffic. Selecting this value may result in fewer false positives and create a more accurate security policy.
5. For the Accept as Legitimate (Loosen) rules, adjust the number of different sessions, different IP addresses, and the time spread after which the Policy Builder accepts and learns a security policy change from traffic.
In this stage of security policy building, the Policy Builder adds entities, configures attributes (such as lengths and meta characters), places entities in staging, and disables violations.
6. For the Stabilize (Tighten) rules, adjust the number of requests, the number of different sessions, different IP addresses, and the time spread before the Policy Builder stabilizes the security policy elements.
Stabilizing a security policy element may mean tightening it by deleting wildcard entities, removing entities from staging, and enforcing violations that did not occur.
7. For the Track Site Changes rules:
a) The Enable Track Site Changes check box is selected by default. This box must remain selected if you want the Policy Builder to quickly loosen the security policy if changes to the web application cause violations.
From Trusted and Untrusted Traffic: Specifies that the Policy Builder loosens the security policy based on all traffic. This is the default option.
Only from Trusted Traffic: Specifies that the Policy Builder loosens the security policy based on traffic from trusted sources defined in the Trusted IP Addresses area on this screen.
c) Adjust the number of different sessions and different IP addresses for which the system detects violations, over a period of time, after which the Policy Builder updates the security policy.
In this stage of security policy building, the Policy Builder adds wildcard entities, places entities in staging, and disables violations.
8. Click Save to save your changes.
9. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
You can configure a set of trusted IP addresses for clients that the Policy Builder considers safe in the Trusted IP addresses area of the Policy Building: Automatic: Configuration screen. Figure 4.5 shows the trusted IP addresses area.
The Policy Builder processes traffic from trusted clients differently than traffic from untrusted clients. For clients with trusted IP addresses, the rules are configured so that the Policy Builder requires less traffic (by default, only 1 user session) to update the security policy with entity or other changes. It takes more traffic from untrusted clients to change the security policy (given the default values).
Figure 4.6 shows the default Accept as Legitimate (Loosen) area of the Policy Building: Automatic: Configuration screen, configured for a fundamental security policy set to medium strictness. You can see that different values apply to trusted and untrusted traffic.
Refer to Modifying automatic policy building rules, to learn more about how the rules affect the security policy.
1. On the Main tab, expand Application Security, point to Policy Building, Automatic, then click Configuration.
The Policy Building: Automatic: Configuration screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
3. To display all configuration options, next to Automatically Build Policy, select Advanced.
4. In the Trusted IP Addresses area, for IP Addresses, specify which IP addresses to consider safe:
To add specific IP addresses or networks, select Address List, type the IP address and netmask, then click Add.
The IP address or network range is added to the list. Add as many trusted IP addresses as needed.
5. Click Save to save your changes.
6. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
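How the trusted and untrusted thresholds of an Accept as Legitimate (Loosen) rule interact with the trusted IP address list, as an added illustrative model (not F5 code and not part of the original manual). Only the trusted value of 1 user session comes from this chapter; the untrusted thresholds, the 10.0.0.0/24 trusted network, the URLs and every class and function name are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    sessions: int        # different user sessions required
    ips: int             # different client IP addresses required
    spread_seconds: int  # minimum time between first and last sighting


# The chapter states that trusted traffic needs only 1 user session by default.
TRUSTED_RULE = Rule(sessions=1, ips=1, spread_seconds=0)
# Constructed values, not F5 defaults; read the real ones from the Rules area.
UNTRUSTED_RULE = Rule(sessions=10, ips=10, spread_seconds=3600)


@dataclass
class Evidence:
    sessions: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    first: Optional[float] = None
    last: Optional[float] = None

    def add(self, session, ip, ts):
        self.sessions.add(session)
        self.ips.add(ip)
        self.first = ts if self.first is None else min(self.first, ts)
        self.last = ts if self.last is None else max(self.last, ts)

    def meets(self, rule):
        if self.first is None:
            return False
        return (len(self.sessions) >= rule.sessions
                and len(self.ips) >= rule.ips
                and self.last - self.first >= rule.spread_seconds)


class LoosenModel:
    """Tracks sightings of an entity and decides when it is accepted."""

    def __init__(self, trusted_networks):
        # strict=False accepts "address/netmask" pairs with host bits set
        self.trusted = [ip_network(n, strict=False) for n in trusted_networks]
        self.evidence = {}   # (entity, is_trusted) -> Evidence
        self.accepted = {}   # entity -> "trusted" or "untrusted"

    def is_trusted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.trusted)

    def observe(self, entity, session, ip, ts):
        """Record one request; return True once the entity is in the policy."""
        trusted = self.is_trusted(ip)
        ev = self.evidence.setdefault((entity, trusted), Evidence())
        ev.add(session, ip, ts)
        rule = TRUSTED_RULE if trusted else UNTRUSTED_RULE
        if entity not in self.accepted and ev.meets(rule):
            self.accepted[entity] = "trusted" if trusted else "untrusted"
        return entity in self.accepted


def demo():
    model = LoosenModel(["10.0.0.0/24"])  # constructed trusted network
    out = {}
    # One session from a trusted address is enough.
    out["trusted_single"] = model.observe("/internal/report", "t1", "10.0.0.5", 0)
    # One session from an untrusted address is not.
    out["untrusted_single"] = model.observe("/other", "u1", "203.0.113.9", 0)
    # Ten untrusted sessions and IPs within one minute: counts are met,
    # the time spread is not.
    for i in range(10):
        out["untrusted_burst"] = model.observe(
            "/search", f"s{i}", f"198.51.100.{i + 1}", i * 6)
    # A sighting an hour after the first one satisfies the time spread.
    out["untrusted_spread"] = model.observe("/search", "s0", "198.51.100.1", 3600)
    out["accepted"] = dict(model.accepted)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Every address covered by an entry in the trusted list is evaluated against the trusted rule, so the size of each network you add determines how many clients can change the policy with a single session.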
If you change the configuration settings and decide that you want to return them to the system default values, you can change the policy type or use the Restore Defaults button.
1. On the Main tab, expand Application Security, point to Policy Building, Automatic, then click Configuration.
The Policy Building: Automatic: Configuration screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
3. To display all configuration options, next to Automatically Build Policy, select Advanced.
4. For Policy Type, select the type of policy for which you want the default values.
The screen refreshes and displays the default values for the policy type you selected.
5. Click Save to save the default configuration.
6. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
You can also click the Restore Defaults button at the bottom of the Policy Building: Automatic: Configuration screen. If you do, the system refreshes and displays the default values for the Fundamental policy type.
You can review the current state of the security policy by looking at the Policy Building: Automatic: Status screen. A progress bar shows approximately how close the security policy is to becoming stabilized. You can see a summary of the number of file types, URLs, parameters, and cookies that were added to the security policy.
If you want to understand more about what is happening in the security policy, you can use the Status screen to delve into the details of each policy element.
1. On the Main tab, expand Application Security, point to Policy Building, then click Automatic.
The Policy Building: Automatic: Status screen opens.
2. In the editing context area, ensure that the Current edited policy is the one for which you want to view the status.
3. To view the number of policy elements that are in the current security policy, review the Policy Elements Learned area. Click the number in the Elements column to examine the specific elements for any entity type.
4. In the Details area, click the expand buttons to show details about the security policy elements included in the policy. You can make changes to the security policy, if you want, as follows:
In the details for HTTP Protocol Compliance, Evasion Techniques Detected, and Request Length Exceeds Defined Buffer Size, in the Action column, click Enable to enforce a check or violation immediately, overriding the rules for adding them.
In the stability details for File Types, URLs, Parameters, Cookies, and Methods, click Enforce to enforce the entity by deleting the entity wildcard (*) from the security policy.
In the learning details for File Types, URLs, Parameters, Cookies, and Methods, click Accept to immediately add specific entities to the security policy, even though they have not met the rules to be accepted as legitimate.
In the Staging details for File Types, URLs, Parameters, and Cookies, click Enforce to remove a specific entity from staging, and start enforcing its setting or attributes.
In the Signature stability details for Attack Signatures, click Enforce to remove all signatures from staging and enforce them.
In the learning details for Attack Signatures, review the list of signatures that the system detected. If you see false positives, click Disable to remove the signature from staging and disable it.
In the learning details for CSRF URLs, review the list of the URLs in the security policy that caused a CSRF Attack Detected violation. Click Remove to delete a specific URL from the security policy, or Remove All to delete all of them.
In the learning details for Host Names, review the list of host names the Policy Builder has not yet added to the security policy because they have not satisfied the Accept as Legitimate rule. Click the Accept button in the Action column to add the host name to the security policy immediately.
Figure 4.7 shows the Policy Building: Automatic: Status screen for a security policy that just started adding policy elements, and is about 5% stabilized. The security policy was developed for trusted traffic, and so far includes 2 file types, 11 URLs, 5 parameters, and 3 cookies.
When you use automatic policy building, the Policy Builder can update the security policy as needed, for example, if changes occur on the application web site. You can stop automatic policy building at any time, such as when the security policy stabilizes, and you think the web application will not change for a while.
For security policies that were created using one of the manual methods or imported from an earlier release, you can start automatic policy building. By examining the traffic going to the application, the Policy Builder can add various web site entities to the security policy in order to enhance it.
1. On the Main tab, expand Application Security, point to Policy Building, Automatic, then click Configuration.
   The Policy Building: Automatic: Configuration screen opens.
2. In the editing context area, ensure that the Current edited policy is the one for which you want to stop automatic policy building.
3. For Real Traffic Policy Builder®, clear the Enabled check box.
   The screen shows fewer options.
4. Click Save.
5. From the Automatic menu, choose Status.
The Real Traffic Policy Builder status displays Disabled, and the system stops the Policy Builder. The security policy remains the same unless you change the configuration manually, or restart the Policy Builder.
1. On the Main tab, expand Application Security, point to Policy Building, Automatic, then click Configuration.
   The Policy Building: Automatic: Configuration screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
3. For Real Traffic Policy Builder®, select the Enabled check box.
   The Policy Builder starts running, and the screen shows more options.
4. Click Save.
5. From the Automatic menu, choose Status.
The Real Traffic Policy Builder status displays Enabled, and the Policy Builder restarts the automatic policy building process based on traffic and configuration settings.
You can centrally manage groups of BIG-IP systems called device groups within a given network. Device groups can maintain a synchronized configuration between all devices in the group. If all devices in the group have Application Security Manager on them, those devices all provide consistent enforcement. All devices must run the same version of Application Security Manager.
Using device management, all new security policies and any security policy changes made on one device are automatically pushed to all other devices within the ASM device group, even if you do not apply the security policy. We recommend that you apply the security policy to each device to ensure consistent enforcement among all devices.
In addition, if you create a new security policy using the Deployment wizard and create a new virtual server, the new security policy is synchronized on the peer devices. However, the new virtual server is not automatically assigned to the new security policy on the peer devices. You must manually synchronize the virtual server configuration to the device group.
You can run Policy Builder on only one device in a group for any given web application. Activating Policy Builder on one device automatically disables Policy Builder for that security policy on all other devices in the device group. The system relays all security policy configuration changes that Policy Builder makes on the system where it is running to all other devices in the device group.
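The device group rules described above can be checked as a drift audit. The following is an added example, not part of the F5 manual or product: the inventory structure, field names, device names, and version labels are all constructed assumptions, standing in for whatever your own configuration export provides.

```python
from collections import defaultdict

# Constructed inventory of one ASM device group. Field names, device names
# and version labels are hypothetical, not BIG-IP output.
DEVICES = [
    {"name": "bigip-a", "asm_version": "ver-1", "policies": {
        "shop": {"policy_builder": True, "applied": True, "virtual_server": "vs_shop"}}},
    {"name": "bigip-b", "asm_version": "ver-1", "policies": {
        "shop": {"policy_builder": True, "applied": False, "virtual_server": None}}},
    {"name": "bigip-c", "asm_version": "ver-2", "policies": {}},
]

def audit_device_group(devices):
    """Return findings where the group departs from the rules stated above."""
    findings = []
    # All devices must run the same version of Application Security Manager.
    versions = sorted({d["asm_version"] for d in devices})
    if len(versions) > 1:
        findings.append(("version-mismatch", versions))
    builders = defaultdict(list)   # policy name -> devices running Policy Builder
    policy_names = set()
    for d in devices:
        for pname, p in d["policies"].items():
            policy_names.add(pname)
            if p["policy_builder"]:
                builders[pname].append(d["name"])
    for pname in sorted(policy_names):
        # Policy Builder may run on only one device per policy.
        if len(builders[pname]) > 1:
            findings.append(("multiple-policy-builders", pname, sorted(builders[pname])))
        for d in devices:
            p = d["policies"].get(pname)
            if p is None:
                # Policies should have been pushed to every group member.
                findings.append(("policy-not-synchronized", pname, d["name"]))
                continue
            if not p["applied"]:
                # Synced but unapplied: enforcement may differ between devices.
                findings.append(("policy-not-applied", pname, d["name"]))
            if p["virtual_server"] is None:
                # Virtual server assignment is not synchronized automatically.
                findings.append(("no-virtual-server", pname, d["name"]))
    return findings

if __name__ == "__main__":
    for finding in audit_device_group(DEVICES):
        print(finding)
```

An empty result means the inventory is consistent with the four rules; any finding points to a device where enforcement may differ from its peers.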
1. On the Main tab, expand Device Management, then click Device Groups.
3.
4. Click the Synchronize To Group button.
The automatic policy building policy log includes an entry for each event or action that the Policy Builder makes to the policy. This policy log is useful for reviewing changes, and to understand when and why the security policy was changed.
1. On the Main tab, expand Application Security, point to Policy Building, Automatic, then click Log.
   The Automatic Policy Building Log screen opens.
2. In the editing context area, ensure that the Current edited policy is the one you are interested in.
3. In the Filter area, adjust the filter settings, as needed.
4. Click the Go button.
   The screen refreshes, and displays the policy log for the web application and security policy that you selected. Figure 4.8 shows a portion of a sample automatic policy building policy log.
5. In the Description column, click the + magnifying glass to view details about an element that was added to the security policy. For example, see the details for the /regions URL in Figure 4.8.
6. To save the log as a PDF, click Export.
   The system creates a PDF that you can open or save.
Tip: To display a policy log that shows additional information, such as including manual as well as automatic changes, navigate to the Policy > Policy > Policy Log screen. For details, see Reviewing a log of all security policy changes.