
Manual Chapter: Maintaining Security Policies

You may at times need to adjust your security policies as a result of changes in the application or because of new security needs. You can view the status of all security policies, and see the outstanding configuration tasks on the Overview Summary screen.
From the Inactive Security Policies screen, you can perform the above actions on inactive security policies in addition to the following tasks:
From the Policy History screen, you can review all changes that have been made to a security policy by reviewing the policy log, and you can restore a previous version of the security policy.
You can access a security policy for editing from either the Active Policies screen, or from the editing context area. The editing context area appears at the top of almost every screen throughout the Application Security Manager. Figure 7.1 shows the editing context area.
1.
On the Main tab, expand Application Security and click Security Policies.
The Active Policies screen opens.
Note: If a security policy's entire row is highlighted in gray, this indicates that another user is currently editing it. As a result, you can view but not edit that security policy.
2.
4.
To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
You can export a security policy as a binary archive file or as a readable XML file. For example, you may want to export a security policy from one web application so that you can use it as a baseline for a new web application. You can also export a security policy to archive it on a remote system before upgrading the system software, to create a backup copy, or to use the exported security policy in a policy merge. (See Merging two security policies, for more information on merging policies.)
You can export a security policy located on a remote system. The XML or archive file includes the name of the security policy and the date it was exported. If you saved the policy as an XML file, you can open it to view the configured settings of the security policy in a human readable format.
The exported security policy includes any user-defined attack signature sets that are in use by the policy, but not the actual signatures. It is therefore a good idea to make sure that the attack signatures and user-defined signatures are the same on the two systems.
1.
On the Main tab, expand Application Security and click Security Policies.
The Active Policies screen opens.
2.
In the Active Security Policies list, select the security policy that you want to export by clicking the button on its left, then click Export.
The Select Export Method popup opens.
To save the security policy as an XML file, select Export security policy in XML format.
To save the security policy as a policy archive file (.plc file), select Binary export of the security policy.
4.
Click Export.
The popup closes to display the Active Policies screen.
5.
In the file download screen, save the file.
The system exports the security policy in the format you specified and saves it in the remote location.
The exported security policy includes any user-defined signature sets that are in the policy, but not the user-defined signatures themselves. Optionally, you can export user-defined signatures from the Options: Attack Signatures screen.
You can import a security policy previously saved in archive policy or XML format to quickly apply a security policy to a new web application. You can also use the import option to restore a security policy from a remote system.
Before you import an exported policy onto another system, it is a good idea to make sure that the attack signatures and user-defined signatures are the same on the two systems.
If using device management and you import a security policy with automatic policy building enabled, the imported policy will have Real Traffic Policy Builder® enabled on the local device. But, when replicated to the other devices, Policy Builder will be disabled in the policy on the other devices in the group.
1.
On the Main tab, expand Application Security and click Security Policies.
The Active Policies screen opens.
2.
Above the Active Security Policies area, click the Import button.
The Import Security Policy screen opens.
3.
In the Choose File setting, click the Browse button to navigate to the security policy that you want to import.
4.
For the Import Target setting, select one of the following:
a)
Select Inactive Security Policies List to place the uploaded policy into the list of inactive policies.
b)
Select HTTP Class (Replaced Policy) to activate the uploaded policy to the selected HTTP Class.
The uploaded policy becomes the new active security policy associated with this class.
Note: When you select the HTTP Class check box, the replaced policy is automatically moved to the Inactive Security Policies List.
If you selected Inactive Security Policies List, proceed to step 6.
5.
For Associate existing statistics, logs data and learning suggestions to the imported policy, select or clear the Enabled check box:
Enabled: Specifies, when checked, that the system moves all statistics information and learning suggestions from the security policy being replaced to the imported security policy.
Disabled: Specifies, when cleared, that the system deletes all statistics information and learning suggestions from the security policy that is being replaced.
6.
Click Import.
The system displays a success status message when the operation is complete.
7.
Click OK.
The screen refreshes, and you can see the imported security policy in either the Active Security Policies list or the Inactive Security Policies list, depending on your selection. The imported policy includes any user-defined signature sets that were exported with the security policy.
Note: The names of security policies must be unique within the Application Security Manager. If a security policy with the same name already exists, the system adds a sequential number to the end of the name.
You can use the policy merge option to combine two security policies. For example, you can merge a security policy that you built offline into a security policy that is on a production system.
The merge mechanism is lenient when merging security policies. The system resolves any conflicts that occur by using the more open settings in the target security policy. When the merge is complete, the system displays a merge report showing results of the merge process.
In addition, you can view or download the complete Policy Merge Report as a text file (*.txt). The report includes the details of the merge showing how conflicts were resolved. If you enable verbose logging for the merge, the merge report also contains the following information:
1.
On the Main tab, expand Application Security and click Security Policies.
The Active Policies screen opens.
2.
In the Security Policies area, select the target security policy (into which to merge the second security policy) by clicking the button on its left, and click the Merge button.
The Merge Security Policies screen opens.
3.
For the Security Policy To Be Merged setting, click the Browse button, and navigate to the exported security policy file that you want to merge into the target security policy.
4.
To save a copy of the original security policy, for the Backup Target Security Policy, select the Enabled check box.
5.
To include additional details about the merge, for the Verbose Mode setting, select the Enabled check box.
6.
Click the Merge button.
The system merges the exported security policy into the target security policy, and produces a Merge Report.
7.
Click the Download Full Report button to open or save the entire Merge Report.
8.
Click OK.
The screen refreshes, and the merged security policy is in the Active Security Policies list.
Note: A copy of the original security policy also appears in the Inactive Security Policies List, if you selected the Backup Target Security Policy option in step 4.
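Because the merge resolves conflicts toward the more open setting, it is worth comparing the policy before and after a merge. The following is an added example, not part of the original manual or of the product: a schema-agnostic Python comparison of two policies exported in XML format (the backup copy and the merged policy). The element and attribute names in the sample documents are constructed placeholders and are not the actual export schema.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed samples. Tag and attribute names are placeholders, NOT the real
# export schema. Parse only exports from your own systems with ElementTree;
# use a hardened parser such as defusedxml for files of unknown origin.
BEFORE_XML = """<policy name="auction_backup">
  <urls><url name="/login.php"/><url name="/bid.php"/></urls>
  <parameters>
    <parameter name="amount"><max_length>8</max_length></parameter>
  </parameters>
</policy>"""

AFTER_XML = """<policy name="auction">
  <urls><url name="/bid.php"/><url name="/login.php"/><url name="/export.php"/></urls>
  <parameters>
    <parameter name="amount"><max_length>64</max_length></parameter>
  </parameters>
</policy>"""


def segment(node):
    """Render one path step, e.g. parameter[name=amount]."""
    attrs = ",".join(f"{k}={v}" for k, v in sorted(node.attrib.items()))
    return f"{node.tag}[{attrs}]" if attrs else node.tag


def flatten(xml_text):
    """Return a multiset of (path, text) entries, one per element."""
    root = ET.fromstring(xml_text)
    items = Counter()

    def walk(node, path):
        items[(path, (node.text or "").strip())] += 1
        for child in node:
            walk(child, f"{path}/{segment(child)}")

    # Root attributes (policy name, export date) are ignored on purpose:
    # they always differ between a backup copy and the merged policy.
    walk(root, root.tag)
    return items


def diff_policies(before_xml, after_xml):
    """Order-insensitive diff: entities added, removed, or changed in value."""
    before, after = flatten(before_xml), flatten(after_xml)
    gone = list((before - after).elements())
    new = list((after - before).elements())
    changed_paths = {p for p, _ in gone} & {p for p, _ in new}
    return {
        "added": sorted(e for e in new if e[0] not in changed_paths),
        "removed": sorted(e for e in gone if e[0] not in changed_paths),
        "changed": sorted((p, old, cur) for p, old in gone
                          for q, cur in new if p == q and p in changed_paths),
    }


if __name__ == "__main__":
    for kind, entries in diff_policies(BEFORE_XML, AFTER_XML).items():
        for entry in entries:
            print(kind, *entry)
```

Entries reported as added or changed are the places to check against the Policy Merge Report for settings that became more permissive.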
1.
On the Main tab, expand Application Security and click Security Policies.
The Active Policies screen opens.
2.
Select the security policy that you want to remove from the configuration, and click the Delete button below the list.
A confirmation popup screen opens, where you confirm that you want to delete the security policy.
3.
Click OK.
The security policy is moved to the Inactive Security Policies list.
If you delete a security policy, and later decide that you want to use it, you can restore the security policy from the Inactive Security Policies list.
1.
On the Main tab, expand Application Security, point to Security Policies, Policies List, then click Inactive Policies.
The Inactive Policies screen opens.
3.
Click Activate.
The Activate Policy screen opens.
4.
5.
For Associate existing statistics, logs data and learning suggestions to the activated policy, select or clear the Enabled check box:
Select Enabled to retain all statistics, log data, and learning suggestions currently associated with the security policy to be replaced, and associate them with the restored security policy.
Clear Enabled to delete all data associated with the security policy to be replaced.
6.
Click Activate.
A confirmation screen opens.
7.
Click OK.
The restored security policy properties screen opens.
If you created a security policy and saved it and decide later that you want to start over from the beginning, you can reconfigure it.
1.
On the Main tab, expand Application Security and click Policy.
The Properties screen opens.
2.
For Current edited policy, select the security policy that you want to reconfigure.
3.
Click Reconfigure to clear all the settings, data, and statistics for this security policy.
4.
Click Yes on the confirmation screen to make the changes.
Your security policy is clear of all settings.
5.
Click Run Deployment Wizard to create the security policy.
If you delete a security policy from the configuration, and later decide that you want to delete it permanently, you can delete the security policy from the Inactive Security Policies list.
1.
On the Main tab, expand Application Security, point to Security Policies, Policies List, then click Inactive Policies.
The Inactive Policies screen opens.
3.
Click Delete.
A confirmation popup screen opens, where you can confirm that you want to permanently delete the security policy.
4.
Click OK.
The screen refreshes, and you no longer see the security policy in the Inactive Security Policies list.
The Application Security Manager keeps an archive of security policies that have been set to active. Every time you make a security policy the active security policy, the system saves a version of that security policy, and archives it. You can restore any of the archived security policies, and make it the active security policy.
Tip: In the Active Security Policies list, on the Active Policies screen, the security policy version number is in square brackets next to the security policy name.
1.
On the Main tab, expand Application Security and click Security Policies.
The Active Policies screen opens.
2.
In the Active Security Policies list, click the security policy whose different versions you want to view or whose archived version you want to restore.
The Policy Properties screen opens.
3.
On the menu bar, from Policy, choose History.
The Security Policy History screen opens, where you can view the archived versions of the security policy.
4.
Select the version, and then click the Restore button.
The Restore Security Policy screen opens.
5.
In the Security Policy Name field, change the name as required.
6.
Click Restore.
A confirmation dialog opens.
7.
Click OK.
The policy properties screen of the restored active security policy opens.
You can create a security policy template to use as the basis for new security policies. When you manually develop a security policy using the Deployment wizard, the template you created is listed with the list of application-ready security policies.
You can view the list of all available templates including those supplied by the system, the application-ready security policies, and those that are user-defined.
1.
On the Main tab, expand Application Security and click Options.
2.
From the Advanced Configuration menu, choose Policy Templates.
The Policy Templates screen opens and lists the available policy templates. The list includes all system-supplied and user-defined security policy templates that are on the system.
You can save a security policy as a template to create policies that differ only in a few details. The template can serve as the basis for a new security policy.
1.
On the Main tab, expand Application Security and click Security Policies.
The Active Policies screen opens.
3.
Click the Save as Template button.
The Add Policy Template screen opens.
4.
In the Name field, type the name for the security policy template.
5.
In the Description field, type a description of the template, such as the name of the security policy it was based on.
6.
For the Template File setting:
a)
Select Use existing security policy.
7.
Click Add.
The Policy Templates screen opens showing a list of all policy templates including the one you just created.
If, in the future, you change the original security policy from which you created the template, the template is not updated or changed.
Before you can create a template, you need to have an exported template from another system, or a security policy saved in XML format.
1.
On the Main tab, expand Application Security and click Security Policies.
The Active Policies screen opens.
2.
Click the Save as Template button.
The Add Policy Template screen opens.
3.
In the Name field, type the name for the security policy template.
4.
In the Description field, type a description of the template, such as the name of the security policy it was based on.
5.
For the Template File setting:
a)
Select Upload template file.
b)
Click the Browse button to search for an exported template, or a security policy exported in XML format.
6.
Click Add.
The Policy Templates screen opens showing a list of all policy templates including the one you just created.
You can export a security policy template and save it for later use. For example, you can upload the template onto another system.
1.
On the Main tab, expand Application Security and click Options.
2.
From the Advanced Configuration menu, choose Policy Templates.
The Policy Templates screen opens and lists all of the available policy templates.
3.
Select one policy template to export, and click the Export button.
The system creates a template file in XML format called exported_template_mm-dd-yy_hr-mn.xml, where the date and time follow the name exported_template.
5.
To import the exported template, log in to the system where you want to use it and create a template using the one you exported.
1.
On the Main tab, expand Application Security and click Security Policies.
2.
Click Create.
The Deployment wizard opens.
3.
For Local Traffic Deployment Scenario, use an existing or create a new virtual server, and click Next.
5.
Select Create a policy manually or use templates, and click Next.
6.
From the Application Language list, select the language encoding of the application.
7.
From the Application-Ready Security Policy list, select the security policy template to use.
8.
For the Staging-Tightening Period setting, specify the following:
How long you want to keep the security policy entities and attack signatures in staging before the system suggests that you enforce them. Staging allows you to test the entities and the attack signatures for false positives without enforcing them.
How many days wildcard entities remain in tightening mode before the system suggests you enforce them. When wildcard entities are in tightening mode, the system adds explicit entities that match these wildcard expressions.
9.
Unless you want the security policy to be case-insensitive, for Security Policy is Case Sensitive, leave the Enabled check box selected.
10.
Click Next.
The Security Policy Configuration Summary screen opens.
11.
Click Finish.
The system creates the security policy based on the template.
The Application Security Manager creates a policy log for every security policy. The policy log includes an entry for each event or action performed on the security policy, including the event type, the element type and name (if relevant), the date and time of the change, a description of the change, and where, how, and by whom the change was made.
This log is different from the automatic policy building log because this one shows all changes that the Policy Builder or a user made to the security policy. The automatic policy building log is described in Viewing automatic policy building logs.
1.
On the Main tab, expand Application Security, then click Policy.
2.
From the Policy menu, choose Policy Log.
The Policy Log screen opens.
3.
In the editing context area, ensure that the Current edited policy is the one for which you want to view log transactions.
4.
In the Filter area, adjust the filter settings to view the logs you want to see.
The screen refreshes, and displays the policy log for the current security policy. Figure 7.2 shows a portion of a sample policy log.
6.
To save the log as a PDF, click Export.
The system creates a PDF that you can open or save.
You can display a tree view of the security policy to quickly view its contents. The tree view shows the hierarchy of the web application, particularly the URLs and parameters contained in the security policy. Global parameters appear at the top level, and URL parameters fall under URLs in the directory-like structure.
1.
On the Main tab, expand Application Security, and then click Tree View.
4.
Click an allowed URL, a disallowed URL or a parameter to view its properties.
The properties page for the URL or parameter opens.
Figure 7.3 shows an example tree view of a security policy for an auction web application.
Application Security Manager includes several audit tools that you can use to query a security policy to find the information you are looking for. You can use the audit tools to analyze suspicious policy states (for example, URLs allowed to modify domain cookies). Each tool type specifies a predefined URL, parameter, or flow filter that helps to identify conflicts and errors in the security policy.
1.
On the Main tab, expand Application Security, point to Policy, Policy again, and click Audits.
The Audits screen opens.
3.
From the Tool Type list, select an audit tool, and then click Go.
The screen refreshes, and the system displays the audit report.