Manual Chapter: System Variables for Advanced Configuration

Several system variables control how the BIG-IP® Application Security Manager functions. In most cases, you do not need to change the system variables from their default settings. Table D.1 lists the system variables, their default values, and a description of their purpose.
Note: F5 Networks recommends that you change the values of parameters only with the guidance of Technical Support.
Specifies, when set to 0, that if a request arrives with no main ASM cookie (entry point), every domain cookie in the request is considered a modified domain cookie and is enforced according to the security policy.
When set to 1, all cookies are accepted at entry points.
Note: When enabling this setting, F5 recommends that you set running to disabled in the daemon-ha bd section of /defaults/daemon.conf and then reload the configuration.
Specifies whether traffic bypasses the Application Security Manager when the system is stopped. The possible values are 1 (bypass enabled) or 0 (bypass disabled, default). If you enable this parameter, web traffic bypasses the system if any of the following occur:
-If you restart the Application Security Manager, traffic bypasses the Application Security Manager from the time the system is stopped until the system restarts
-If the system crashes (performs a core dump), traffic bypasses the Application Security Manager from the time the system is stopped until it restarts
WARNING: Enabling this option allows traffic to access the web application even when the BIG-IP system is down. However, no security will be in effect when the system is being bypassed.
Specifies whether traffic bypasses Application Security Manager as a result of limited resources or when the system is off. The default value is 0 (bypass disabled). If you enable this parameter, web traffic bypasses the system when any of the following occur:
-If you restart the Application Security Manager, traffic bypasses the Application Security Manager from the time the system is stopped until it reloads
-If the system crashes (performs a core dump), traffic bypasses the Application Security Manager from the time the system is stopped until it reloads
-If the system does not have enough memory, or does not have enough system resources
WARNING: Enabling this option allows traffic to access the web application even when the BIG-IP system is down, or has limited resources. However, no security will be in effect when the system is being bypassed.
11112222333344445555666677778888 (key)
Provides a key in the MD5 digest calculations for ASM cookies.
Note: For security reasons, F5 Networks recommends that you change the cookie digest key from the default value. When changing the value for the key, use the same key value for units in a redundant pair, by configuring the setting on one system and performing a ConfigSync with the redundant pair member.
Allows the system to determine the time (in seconds) for which the ASM cookie data is valid.
Specifies the maximum age value (in seconds) assigned to the Max-Age attribute of the ASM cookie. When set to 0, ASM cookies never expire.
Defines how often the system renews the ASM cookie time. This system variable is tightly coupled with cookie_expiration_time_out (in seconds).
Defines a maximum URI length that the system can support in its internal buffers. If this number is higher (more permissive) than the internal URI-length limit defined per file type, the internal file-type limit is the actual limit. Exceeding this internal limit triggers the HTTP protocol compliance failed violation.
^\s*[+-]?\d*(\.\d+)?\s*$ (regular expression)
Specifies the regular expression that defines a valid pattern for parameter values of type decimal.
^\s*([\w.-]+)@([\w.-]+)\s*$ (regular expression)
Specifies the regular expression that defines a valid pattern for parameter values of type email.
^\s*[0-9 ()+-]+\s*$ (regular expression)
Specifies the regular expression that defines a valid pattern for parameter values of type phone number.
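The three default patterns above, exercised on constructed sample values. This is an added Python illustration, not F5 code; it assumes ASM's regex engine reads `^`, `$`, `\s`, `\w` and `\d` the way Python's re module does. It also reports which defaults accept an empty value: the decimal pattern does, because every element in it is optional.

```python
import re

# Default ASM patterns for the decimal, email and phone number parameter
# types, copied from Table D.1. Assumption: ASM's engine interprets them the
# same way Python's re module does (note that in Python, $ also matches just
# before a single trailing newline).
DEFAULT_PATTERNS = {
    "decimal": r"^\s*[+-]?\d*(\.\d+)?\s*$",
    "email": r"^\s*([\w.-]+)@([\w.-]+)\s*$",
    "phone": r"^\s*[0-9 ()+-]+\s*$",
}

COMPILED = {name: re.compile(pat) for name, pat in DEFAULT_PATTERNS.items()}


def is_valid(param_type: str, value: str) -> bool:
    """True when value satisfies the default pattern for param_type."""
    return COMPILED[param_type].match(value) is not None


def accepts_empty() -> list:
    """Names of the default patterns that accept an empty parameter value.

    Only the decimal pattern does: the sign, the integer digits and the
    fractional part are all optional, so '' and a bare '+' both pass. The
    email pattern needs at least 'x@y', and the phone pattern needs at least
    one character from its class.
    """
    return [name for name in DEFAULT_PATTERNS if is_valid(name, "")]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real traffic.
    samples = [
        ("decimal", "42"), ("decimal", " -3.14 "), ("decimal", ".5"),
        ("decimal", "1."), ("decimal", "1e5"), ("decimal", "+"),
        ("email", "alice@example.com"), ("email", "alice@localhost"),
        ("email", "alice"), ("email", "a b@example.org"),
        ("phone", "+1 (555) 010-0000"), ("phone", "555-0100 ext 2"),
        ("phone", "()"),
    ]
    for kind, value in samples:
        print(f"{kind:8} {value!r:22} -> {is_valid(kind, value)}")
    print("patterns that accept an empty value:", accepts_empty())
```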
Specifies the URI for the ICAP service, which checks requests for viruses by connecting to an Internet Content Adaptation Protocol (ICAP) server.
Values for supported ICAP services:
McAfee: /REQMOD
Trend Micro InterScan Web Security: /reqmod
Kaspersky: /av/reqmod
Symantec: /symcscanreq-av-url
Specifies that the system keeps track of attack signatures that have been disabled (either globally or on the parameter level) by accepting learning suggestions. A signature may have been disabled due to a false positive.
When set to 0, the system does not track disabled signatures.
Specifies the maximum number of concurrent FTP connections that the Protocol Security Manager can manage.
Specifies the maximum number of cryptographic operations allowed per document by Web Services encryption and decryption.
Specifies the maximum number of concurrent SMTP connections that the Protocol Security Manager can manage.
Specifies the maximum number of violation entries per violation type kept in memory. Note that this parameter applies only to the security profiles in the Protocol Security Manager.
Specifies the maximum number of concurrent long requests that the system can handle. A long request is a request longer than request_buffer_size and less than long_request_buffer_size.
Specifies the maximum number of slow transactions per CPU or plug-in before the system drops the slow transactions (such as when mitigating slow HTTP post DDoS attacks). Slow transactions are defined in slow_transaction_timeout.
Specifies how the system distinguishes between HTTP and HTTPS URLs. If the value is -1, the system decides whether the object requested is an HTTP request or an HTTPS request based on the incoming traffic. If the value is 0, the system treats all incoming URL requests as HTTP requests. If the value is 1, the system treats all incoming URL requests as HTTPS requests.
Specifies the number of requests per second that the system can enter into the proxy log.
Specifies the amount of time the system should wait to return filter results in the Security > Event Logs > Application > Requests screen before the system performs a timeout of the filter request.
Specifies the maximum buffer size for a single instance of the accumulated response buffers. The system accumulates response buffers until their total size reaches the max_filtered_html_length.
0 (number of CPU cores determines number of threads)
Specifies, when the value is greater than zero, the number of threads that the system uses for protocol security. When the value is 0, the number of CPU cores in the system determines the number of threads.
0 (number of CPU cores determines number of threads)
Specifies, when the value is greater than zero, the number of threads that the system uses for application security. When the value is 0, the number of CPU cores in the system determines the number of threads.
1200 seconds (20 minutes)
Specifies how long a logged-in user can remain inactive on their system (not making any requests) before ASM stops tracking the user. This is used, for example, in session awareness.
Specifies the number of seconds after which a transaction is considered slow (such as when mitigating slow HTTP post DDoS attacks). The system tracks the number of slow transactions that have occurred and drops slow transactions after the max_slow_transactions is reached.
Specifies the maximum memory size (in kilobytes) available for the system's memory pools. A value of 0 means no limit to the maximum memory size.
Specifies the maximum amount of memory that can be allocated to the XML parser. A value of 0 means no limit to the amount of memory that the parser can use.
X-Virus-Name, X-Infection-Found (McAfee's default response headers)
Specifies the header name used by an anti-virus program on an ICAP server. By default, the system supports an ICAP server with McAfee anti-virus protection. If you are using different ICAP servers, change this to the appropriate header value, or specify multiple header values separated by commas. Be sure that the ICAP server you are connecting to includes the status in the response header.
Values for supported anti-virus programs:
McAfee: X-Infection-Found,X-Virus-Name
Trend Micro InterScan Web Security: X-Virus-ID
Kaspersky: X-Virus-ID
Symantec: X-Violations-Found
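As an added illustration (not ASM's implementation), the following Python parses a constructed ICAP REQMOD response and checks it against the comma-separated header list the variable holds. It shows why the list must match the scanner vendor: the McAfee default finds the infection, while the Trend Micro or Kaspersky value (X-Virus-ID) finds nothing in the same response. The response text and the scanner name in it are sample data.

```python
from typing import Dict, Optional, Tuple

# Constructed ICAP REQMOD response from a scanner that flags a file. The
# layout follows RFC 3507 and the X-Infection-Found extension header; this is
# sample data, not a capture from a real ICAP server.
SAMPLE_RESPONSE = (
    "ICAP/1.0 200 OK\r\n"
    "ISTag: \"sample-scanner-1\"\r\n"
    "X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\n"
    "X-Virus-Name: EICAR test file\r\n"
    "Encapsulated: req-hdr=0, null-body=170\r\n"
    "\r\n"
)

# Header names per scanner, as listed in the table above.
VENDOR_HEADERS = {
    "McAfee": "X-Infection-Found,X-Virus-Name",
    "Trend Micro InterScan Web Security": "X-Virus-ID",
    "Kaspersky": "X-Virus-ID",
    "Symantec": "X-Violations-Found",
}


def parse_icap_response(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split an ICAP response into its status line and a header map.

    Header names are lower-cased so lookups are case-insensitive; a duplicate
    header keeps the first value seen.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key not in headers:
            headers[key] = value.strip()
    return status, headers


def find_infection(raw: str, configured: str) -> Optional[Tuple[str, str]]:
    """Return (header, value) for the first configured header present.

    `configured` is the comma-separated list exactly as the system variable
    holds it. None means no configured header was found, which is what a
    vendor mismatch looks like; a 204 (no modification) also yields None.
    """
    status, headers = parse_icap_response(raw)
    if not status.startswith("ICAP/1.0 200"):
        return None
    for name in configured.split(","):
        key = name.strip().lower()
        if key in headers:
            return name.strip(), headers[key]
    return None
```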
Specifies a WhiteHat IP address. If Application Security Manager is behind a NAT or if you are using a WhiteHat Satellite box, you can change this to a redirected source IP address.
Specifies a second WhiteHat IP address. If Application Security Manager is behind a NAT or if you are using a WhiteHat Satellite box, you can change this to a redirected source IP address.
Specifies a third WhiteHat IP address. If Application Security Manager is behind a NAT or if you are using a WhiteHat Satellite box, you can change this to a redirected source IP address.
Specifies a fourth WhiteHat IP address. If Application Security Manager is behind a NAT or if you are using a WhiteHat Satellite box, you can change this to a redirected source IP address.
When integrating Application Security Manager (ASM) with the WhiteHat Sentinel vulnerability scanner, the BIG-IP system running ASM has to recognize whether a request is coming from WhiteHat. When ASM can protect against a vulnerability, it returns header information to WhiteHat Sentinel, which then marks the vulnerability as Mitigated by WAF.
Application Security Manager cannot obtain the original source IP address of a request if ASM is behind a NAT, or if you are using a WhiteHat Satellite box. Consequently, ASM does not recognize that the information is coming from WhiteHat Sentinel and cannot return the appropriate header information to mark the vulnerability as handled.
To resolve this issue, set as many of the WhiteHatIP system variables as needed to the redirected source IP addresses in your networking environment.
1. On the Main tab, expand Security and click Options. The Attack Signatures screen opens.
2. From the Advanced Configuration menu, choose System Variables. The Advanced Configuration: System Variables screen opens.
3. If you change the value of a parameter, you need to restart Application Security Manager (ASM) for the system to use the new value. Restart ASM by typing tmsh start /sys service asm at the command line.
If using device management to synchronize ASM systems, you must restart ASM on all of the systems in the device group for the change to take effect on all of them.
Tip: If the parameter name is shown in boldface text, the value has been changed from the default. The default value is displayed below the parameter value.
Important: F5 Networks recommends that you change the values for the system variables only with the guidance of the technical support staff.
1. On the Main tab, expand Security and click Options. The Attack Signatures screen opens.
2. From the Advanced Configuration menu, choose System Variables. The Advanced Configuration screen opens.
3. Click the Restore Defaults button. The system resets any changed parameter values to their factory settings.
   a)
   b) To reboot the system, on the Main tab, expand System and click Configuration. In the Properties and Operations area, for the Operations setting, click the Reboot button.