Manual Chapter: Configuring General System Options
The Application Security Manager includes general system options that apply to the overall application security configuration. You can perform the following tasks to configure general system options:
Configure the Application Security Manager to connect with an Internet Content Adaptation Protocol (ICAP) server to check requests for viruses. See Configuring external anti-virus protection for more information.
Some of the overall system configuration tasks are described in other chapters, because they relate to other tasks described there. You can perform the following additional general configuration tasks:
You can change the default user interface and system preferences for the Application Security Manager as well as configure fields displayed in the Request List of the Reporting screen.
1. On the Main tab, expand Security, point to Options, Application Security, and then click Preferences.
The Preferences screen opens.
2. In the GUI Preferences area, for Records Per Screen, type the number of entries to display (1-100). The default value is 20.
This setting affects the maximum number of security policies, file types, URLs, parameters, flows, headers, and XML and JSON profiles to display in lists throughout the Application Security Manager.
3. For Titles Tooltip Settings, select one of the options for how to display tooltips:
Do not show tooltips: Never display tooltips or icons.
Show tooltip icons: Display an icon if a tooltip is available for a setting, and show the tooltip when you move the cursor over the icon. This is the default setting.
Show tooltips on title mouseover: Display a tooltip when you move the cursor over a setting on the screen.
4. For Default Configuration Level, select Advanced to display all possible settings, or Basic to display only the essential settings, on screens with that option. The default is Basic.
5. For Apply Policy Confirmation Message, specify whether to display a popup message asking you to confirm the Apply Policy operation each time you apply a security policy.
6. In the Request List GUI Preferences area, for Records Per Requests Screen, type the number of requests to display (1-1000). The default value is 500.
This setting affects the maximum number of requests that appear in any Requests List containing details about any incident, event correlation, or attack.
7. For Request List Columns, specify what information you want to display on the Requests screen, and the order in which it should display.
8. For Request List Size, specify the number of requests the system displays before adding a scroll bar; this determines the amount of space the requests list takes on the Request screen.
9. (Optional) In the External Services area, for the Cenzic ARC Server address field, type the IP address for a local Cenzic ARC server, if you are using the Cenzic service to mitigate web application vulnerabilities. If you use the Cenzic Cloud service, do not provide an address for this setting.
10. In the System Preferences area, for the Sync setting, select the Recommend Sync when Policy is not applied check box to display the Sync Recommended message at the top of the screen when you change a security policy to remind you to perform a ConfigSync with the peer device. This setting is relevant only in a high availability configuration.
11. For the Logging setting, select the Write all changes to Syslog check box to record all changes made to security policies in the Syslog (/var/log/asm).
Note: The system continues to log system data regardless of whether you enable policy change logging.
12. Click Save to keep your changes.
You can configure the Application Security Manager to connect with an Internet Content Adaptation Protocol (ICAP) server to check requests for viruses. If the Virus Detected violation is set to Alarm or Block for that web application's security policy, the system sends requests with file uploads to an external ICAP server for inspection. The ICAP server examines the requests for viruses and, if the ICAP server detects a virus, it notifies the Application Security Manager, which then issues the Virus Detected violation.
You can also set up anti-virus checking for HTTP file uploads and SOAP web service requests. If configured, the system checks the file uploads and SOAP requests before releasing content to the web server.
By default, the system uses the ICAP server for McAfee anti-virus protection. If your ICAP server has different anti-virus software, you must change the values of the icap_uri and virus_header_name system variables. Refer to Appendix D, System Variables for Advanced Configuration, for information about system variables.
1. On the Main tab, expand Security, point to Options, Application Security, and then click Advanced Configuration.
The System Variables screen opens.
2. From the Advanced Configuration menu, choose Anti-Virus Protection.
The Anti-Virus Protection screen opens.
For Server Host Name, type the ICAP server host name in the format of a fully qualified domain name.
Note: If using the host name only, you must also configure a DNS server on the BIG-IP system. Expand System, point to Configuration, Device, then click DNS. If DNS is not configured, you must also include the IP address for the anti-virus server.
For Server IP Address, type the IP address of the ICAP server.
4. For Server Port Number, type the port number of the ICAP server. The default value is 1344.
5. If you want to perform virus checking even if it may slow down the web application, select the Guarantee Enforcement check box.
6. Click Save to save the ICAP server configuration.
7. On the Main tab, expand Security, point to Application Security, Blocking, and then click Settings.
The Blocking Settings screen opens.
a) Ensure that the Current edited policy is the one for which you want anti-virus protection.
b) In the Negative Security Violations area (near the bottom of the Violations list), for the Virus Detected violation, select either or both of the Alarm and Block check boxes.
For details on setting up blocking, refer to Configuring policy blocking.
c) Click Save to save the blocking policy.
a) On the Main tab, expand Security, point to Application Security, and then click Anti-virus Protection.
b) Ensure that the Current edited policy is the one that may include HTTP file uploads or SOAP requests.
c) To have the external ICAP server inspect file uploads for viruses before releasing the content to the web server, select the Inspect file uploads within HTTP requests check box.
Note: Performing anti-virus checks on file uploads may slow down file transfers.
d) To perform antivirus scanning on SOAP attachments, if the security policy includes one or more XML profiles, in the XML Profiles setting, move the profiles from the Antivirus Protection Disabled list to the Antivirus Protection Enabled list.
Alternately, click Create to quickly add a new XML profile, with default settings, to the configuration. You can then add the new profile to the Antivirus Protection Enabled list.
e) Click Save.
f) Click Apply Policy to put the changes into effect.
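The REQMOD round trip described above, as an added example that is not part of this chapter or of F5's code: it builds the ICAP request that would carry a file upload to the anti-virus server and checks the ICAP reply for the header named by virus_header_name. The URI, the header name X-Virus-Name and the sample messages are assumptions for illustration, not ASM's actual defaults.

```python
"""Model of the ICAP REQMOD round trip used for anti-virus checks (RFC 3507).

Constructed example: the URI, the X-Virus-Name header and the sample messages are
assumptions standing in for the icap_uri and virus_header_name system variables.
"""
from dataclasses import dataclass
from typing import Dict, Optional

ICAP_URI = "icap://icap.example.com:1344/reqmod"   # assumed value of icap_uri
VIRUS_HEADER_NAME = "X-Virus-Name"                   # assumed value of virus_header_name


@dataclass
class IcapVerdict:
    status: int                 # 204 = content unmodified (clean); 200 = server returned a verdict
    headers: Dict[str, str]     # ICAP headers, names lower-cased
    virus_name: Optional[str]   # value of the configured virus header, if the server sent it


def build_reqmod(icap_uri: str, http_request: bytes) -> bytes:
    """Encapsulate a client HTTP request (headers plus optional body) in an ICAP REQMOD message."""
    head, sep, body = http_request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("HTTP request must end its header block with CRLFCRLF")
    head += sep
    # Encapsulated offsets are byte positions inside the section that follows the ICAP headers.
    if body:
        encapsulated = f"req-hdr=0, req-body={len(head)}"
        payload = head + f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"  # chunked body
    else:
        encapsulated = f"req-hdr=0, null-body={len(head)}"
        payload = head
    host = icap_uri.split("://", 1)[1].split("/", 1)[0]
    icap_headers = (f"REQMOD {icap_uri} ICAP/1.0\r\nHost: {host}\r\n"
                    f"Allow: 204\r\nEncapsulated: {encapsulated}\r\n\r\n")
    return icap_headers.encode("ascii") + payload


def parse_icap_response(raw: bytes, virus_header_name: str) -> IcapVerdict:
    """Read the ICAP status line and headers and pick out the configured virus header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    version, status, _reason = status_line.split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError(f"unexpected ICAP version: {version}")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return IcapVerdict(int(status), headers, headers.get(virus_header_name.lower()))


def virus_detected(raw_response: bytes, virus_header_name: str = VIRUS_HEADER_NAME) -> bool:
    """True when the reply carries the configured virus header: the Virus Detected condition."""
    return parse_icap_response(raw_response, virus_header_name).virus_name is not None


# Constructed sample messages (harmless bytes, not malware).
SAMPLE_UPLOAD = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Content-Type: application/octet-stream\r\nContent-Length: 11\r\n\r\n"
                 b"hello world")
CLEAN_REPLY = b'ICAP/1.0 204 No Content\r\nISTag: "AV-1"\r\n\r\n'
INFECTED_REPLY = (b'ICAP/1.0 200 OK\r\nISTag: "AV-1"\r\nX-Virus-Name: Sample.TestFile\r\n'
                  b"Encapsulated: res-hdr=0, null-body=45\r\n\r\n"
                  b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(build_reqmod(ICAP_URI, SAMPLE_UPLOAD).decode("latin-1"))
    print("clean reply flagged:", virus_detected(CLEAN_REPLY))        # False
    print("infected reply flagged:", virus_detected(INFECTED_REPLY))  # True
```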
User accounts on the BIG-IP system are assigned a user role that specifies the authorization level for that account. While an account with the user role of Administrator can access and configure everything in the Configuration utility, you may want to further specialize administrative accounts.
Web Application Security Administrator
Grants users permission to view and configure all parts of the Application Security Manager, on all partitions. With respect to application security objects, this role is equivalent to the Administrator role.
Web Application Security Editor
Grants users permission to view and configure most parts of the Application Security Manager, on specified partitions.
Resource Administrator
Grants users permission to view and configure application security resources.
1. On the Main tab, expand System, and then click Users.
The User List screen opens.
2. Click the Create button.
The New User screen opens.
3. For the User Name setting, type the name for the account.
4. For the Password setting, type and confirm the account password.
5. For the Role setting, select the appropriate role:
To limit security policy editing to the current administrative partition, select Web Application Security Editor.
6. If you selected Web Application Security Editor, then in Partition Access, select the partition in which to allow the account to create security policies.
7. Click Finished.
The User List screen opens and lists the new user account.
Logging profiles determine where events are logged, and which items (such as which parts of requests, or which type of errors) are logged. Events can be logged either locally on the system and viewed in the Event Logs screens, or remotely on the client's server. The system forwards the log messages to the client's server using the Syslog service.
One logging profile can be used for Application Security, Protocol Security, Advanced Firewall, and DoS Protection. The system includes two logging profiles that log data locally for Application Security: one to log all requests and another to log illegal requests. You can use the system-supplied logging profiles, or you can create a custom logging profile.
The logging profile records requests to the virtual server. By default when you create a security policy using the Deployment wizard, the system associates the log illegal requests profile to the virtual server associated with the policy. You can change which logging profile is associated with the security policy by editing the virtual server.
Note: If running Application Security Manager on a BIG-IP system using Virtualized Clustered Multiprocessing (vCMP), for best performance, F5 recommends configuring remote logging to store Application Security Manager logs remotely rather than locally.
A logging profile has two parts: the storage configuration and the storage filter. The storage configuration specifies where to store the logs, either locally and/or remotely. The storage filter determines what information gets stored.
For remote logging, you can send logging files for storage on a remote system (such as a syslog server), on a reporting server (as key/value pairs), or on an ArcSight server (in CEF format).
If you enable response logging in the logging profile, the system can log only responses with the following content headers:
When you configure a logging profile for remote storage, the system stores the data for the associated security policy on one or more remote management systems. The system can store the data in Comma Separated Value (CSV) format or another format that you define.
When you store the logs locally, the logging utility may compete for system resources. You can use the Guarantee Logging setting to ensure that the system logs the requests in this situation. Enabling the Guarantee Logging setting may cause a performance reduction if you have a high-volume traffic application.
To view logs stored locally, refer to Viewing the application security logs. View logs stored remotely on the external logging system.
1. On the Main tab, expand Security, point to Event Logs, and then click Logging Profiles.
The Logging Profiles screen opens.
2. Click the Create button.
The Create New Logging Profile screen opens.
3. For the Profile Name setting, type a unique name for the logging profile.
4. Select the Application Security check box.
The screen refreshes and displays additional configuration options.
5. For the Configuration setting, select Advanced.
6. By default, logs are stored locally. The Local Storage check box is selected and cannot be cleared unless you enable Remote Storage to store logs remotely.
7. Optional for local logging: To ensure that the system logs requests for the security policy, even when the logging utility is competing for system resources, select the Guarantee Local Logging check box.
Note: Enabling this setting may slow access to the web application server.
8. From the Response Logging list, select one of the following options.
Log responses for all requests when the Storage Filter Request Type is set to All Requests. (Otherwise, the system logs only illegal requests.)
Note: By default, the system logs the first 10000 bytes of responses, up to 10 responses per second. You can change the limits by using the response logging system variables.
10. Click Finished.
The Logging Profiles screen opens and displays the new logging profile.
1. Continuing on the Create New Logging Profile screen, select the Remote Storage check box.
The screen displays additional settings.
2. From the Remote Storage Type list, select the appropriate type:
To store traffic on a reporting server (for example, Splunk) using a pre-configured storage format, select Reporting Server.
Key/value pairs are used in the log messages.
If your network uses ArcSight logs, select ArcSight. For details, see ArcSight log message format.
3. For the Protocol setting, select the protocol that the remote storage server uses: TCP (the default setting), TCP-RFC3195, or UDP.
4. For Server Addresses, specify one or more remote servers, reporting servers, or ArcSight servers on which to log traffic. Type the IP address, port number (default is 514), and click Add.
5. If using the Remote storage type, for Facility, select the facility category of the logged traffic. The possible values are LOG_LOCAL0 through LOG_LOCAL7.
Tip: If you have more than one security policy, you can use the same remote logging server for both applications, and use the facility filter to sort the data for each.
6. If using the Remote storage type, in the Storage Format setting, you can specify how the log displays information, which traffic items the server logs, and what order it logs them:
To determine how the log appears, select Field-List to display the items in the Selected Items list in CSV format with a delimiter you specify; select User-Defined to display the items in the Selected Items list in addition to any free text you type in the Selected Items list.
To specify which items appear in the log, move items from the Available Items list into the Selected Items list.
To control the order in which predefined items appear in the server logs, select an item in the Selected Items list, and click the Up or Down button.
7. For Maximum Query String Size, specify how much of a request the server logs.
To log a limited number of bytes, select Length and type the maximum number of bytes to log.
8. For Maximum Entry Length, you can specify how much of the entry length the server logs. The default length is 1K for remote servers that support the UDP protocol and 2K for remote servers that support the TCP and TCP-RFC3195 protocols. You can change the default maximum entry length for remote servers that support the TCP protocol.
9. Select Report Detected Anomalies if you want the system to send a report string to the remote system log when a brute force attack or web scraping attack starts and ends.
11. Click the Create button.
The screen refreshes, and displays the new logging profile on the Logging Profiles screen.
A logging profile records requests to the virtual server. By default when you create a security policy using the Deployment wizard, the system associates the log illegal requests profile to the virtual server associated with the policy. You can change which logging profile is associated with the security policy or assign a new one by editing the virtual server.
1. On the Main tab, expand Local Traffic, and click Virtual Servers.
3. From the Security menu, select Policies.
4. Ensure that the Application Security Policy setting is Enabled and that Policy is set to the security policy you want.
5. For Log Profile, check that it is set to Enabled.
6. In the Profile setting, from the Available list, select the profile to use for the security policy, and move it into the Selected list.
7. Click Update.
If your network uses ArcSight logs, you can configure a logging profile that formats the log information for that system (see Creating logging profiles). Application Security Manager stores all logs on a remote logging server using the predefined ArcSight settings for the logs.
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension
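As an added illustration (not code from this chapter or from F5), the following parser splits a CEF record of the layout shown above into its seven header fields and its key/value extension, honouring CEF's escaping rules: a literal | or \ in a header field is written \| or \\, and a literal = in an extension value is written \=. The vendor, product, version and extension values in the sample record are constructed for the example, not ASM's actual ArcSight output.

```python
"""Parser for ArcSight CEF records such as a remote logging server receives from ASM.

Constructed example: the sample record uses illustrative field values, not ASM's
actual output; the header layout follows CEF:Version|...|Severity|Extension.
"""
import re
from typing import Dict

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")
# Extension values escape '=', '\' and line breaks; the header escapes only '|' and '\'.
EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.-]+)=")   # an unescaped '=' always introduces a key


def _unescape(text: str, table: Dict[str, str]) -> str:
    """Replace backslash escapes listed in `table`; leave any other backslash untouched."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in table:
            out.append(table[text[i + 1]])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_cef(line: str) -> Dict[str, object]:
    """Split a CEF record into its seven header fields plus an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, buf, i = [], [], len("CEF:")
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped '|' or '\' stays inside the field
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":                            # unescaped '|' ends the field
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("CEF header must contain seven '|'-delimited fields")
    record: Dict[str, object] = dict(zip(HEADER_FIELDS, fields))
    ext = line[i:]                                 # everything after the seventh '|'
    keys = list(KEY_RE.finditer(ext))
    extension: Dict[str, str] = {}
    for n, m in enumerate(keys):                   # a value runs up to the next key token
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        extension[m.group(1)] = _unescape(ext[m.end():end].strip(), EXT_ESCAPES)
    record["extension"] = extension
    return record


# Constructed sample record: the '=' inside the request value is escaped as CEF requires.
SAMPLE_RECORD = ("CEF:0|F5|ASM|11.x|Illegal Request|Attack signature detected|7|"
                 "src=10.0.0.5 spt=51234 dst=192.0.2.10 dpt=443 "
                 "request=/login?user\\=admin msg=Illegal meta character in value act=blocked")

if __name__ == "__main__":
    rec = parse_cef(SAMPLE_RECORD)
    print(rec["name"], rec["severity"], rec["extension"]["request"])
```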
Note: The following procedure describes configuring the storage filter for an existing logging profile. You can also do this while creating a new one.
1. On the Main tab, expand Security, point to Event Logs, and then click Logging Profiles.
The Logging Profiles screen opens.
2. In the Profile Name column, click the logging profile name for which you want to set up the filter. Note that this profile must be one that you created and not one of the system-supplied profiles, which cannot be edited.
The Edit Logging Profile screen opens.
3. For the Storage Filter setting, select Advanced.
The screen refreshes to display additional settings.
4. For the Logic Operation setting, select the manner in which the system associates the criteria you specify. The criteria are the remaining settings in the storage filter.
OR: Select this operator if you want the system to log the data that meets one or more of the criteria.
AND: Select this operator if you want the system to log the data that meets all of the criteria.
5. For the Request Type setting, select the kind of requests that you want the system to store in the log.
6. For the Protocols setting, select whether logging occurs for HTTP and HTTPS protocols or a specific protocol.
7. For the Response Status Codes setting, select whether logging occurs for all response status codes or specific ones.
8. For the HTTP Methods setting, select whether logging occurs for all methods or specific methods.
9. For the Request Containing String setting, select whether the request logging is dependent on a specific string.
10. Click the Update button.
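Added example, not F5's implementation: a model of how the Logic Operation combines the Request Type, Protocols, Response Status Codes, HTTP Methods and Request Containing String criteria of a storage filter. It assumes that a setting left at its all/unset value places no constraint under either operator and that only narrowed settings count as criteria; the sample traffic is constructed.

```python
"""Model of how a storage filter's Logic Operation (AND / OR) combines its criteria.

Added illustration, not F5's implementation. Assumption: a setting left at its
"all"/unset value does not constrain logging under either operator; only settings
narrowed to specific values are evaluated as criteria.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set


@dataclass
class LoggedRequest:
    protocol: str        # "HTTP" or "HTTPS"
    method: str
    status_code: int     # response status code the request produced
    raw: str             # request text as the system would store it
    illegal: bool        # True when the request violated the security policy


@dataclass
class StorageFilter:
    logic: str = "AND"                        # Logic Operation: "AND" or "OR"
    request_type: str = "all"                 # Request Type: "all" or "illegal"
    protocols: Optional[Set[str]] = None      # Protocols: None = HTTP and HTTPS
    status_codes: Optional[Set[int]] = None   # Response Status Codes: None = all
    methods: Optional[Set[str]] = None        # HTTP Methods: None = all
    containing: Optional[str] = None          # Request Containing String: None = unset

    def criteria(self, req: LoggedRequest) -> Iterator[bool]:
        """Evaluate each criterion that has been narrowed to specific values."""
        if self.request_type == "illegal":
            yield req.illegal
        if self.protocols is not None:
            yield req.protocol.upper() in {p.upper() for p in self.protocols}
        if self.status_codes is not None:
            yield req.status_code in self.status_codes
        if self.methods is not None:
            yield req.method.upper() in {m.upper() for m in self.methods}
        if self.containing is not None:
            yield self.containing in req.raw

    def should_log(self, req: LoggedRequest) -> bool:
        results = list(self.criteria(req))
        if not results:                   # nothing narrowed: every request is stored
            return True
        if self.logic == "AND":
            return all(results)
        if self.logic == "OR":
            return any(results)
        raise ValueError(f"unknown logic operation: {self.logic}")


def select_for_logging(flt: StorageFilter, reqs: List[LoggedRequest]) -> List[str]:
    """Return the request lines the filter would store, in arrival order."""
    return [r.raw.splitlines()[0] for r in reqs if flt.should_log(r)]


# Constructed sample traffic.
SAMPLE_TRAFFIC = [
    LoggedRequest("HTTPS", "GET", 200, "GET /index.html HTTP/1.1\r\nHost: app.example.com", False),
    LoggedRequest("HTTPS", "POST", 403, "POST /login HTTP/1.1\r\nHost: app.example.com\r\n\r\nuser=alice", True),
    LoggedRequest("HTTP", "GET", 500, "GET /api/v1/items HTTP/1.1\r\nHost: app.example.com", False),
    LoggedRequest("HTTPS", "PUT", 404, "PUT /api/v1/items/7 HTTP/1.1\r\nHost: app.example.com", False),
]

if __name__ == "__main__":
    # AND: only illegal requests that also produced a 403 or 500.
    print(select_for_logging(StorageFilter("AND", "illegal", status_codes={403, 500}), SAMPLE_TRAFFIC))
    # OR: illegal requests plus any request that produced a 403 or 500.
    print(select_for_logging(StorageFilter("OR", "illegal", status_codes={403, 500}), SAMPLE_TRAFFIC))
```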
You can customize the severity levels of security policy violations for application security events that the system displays in the Security Alerts screen, which is also the message logged in the Syslog, in response to violations. The event severity levels are Informational, Notice, Warning, Error, Critical, Alert, and Emergency. They range from least severe (Informational) to most severe (Emergency).
Note: When you make changes to the event severity level for security policy violations, the changes apply globally to all security policies.
1. On the Main tab, expand Security, point to Options, Application Security, and click Advanced Configuration.
The System Variables screen opens.
4. Click the Save button to retain any changes.
Tip: If you modify the event severity levels for any of the security policy violations, and later decide you want to use the system-supplied default values instead, click the Restore Defaults button.
Locally stored system logs for the Application Security Manager are accessible on the BIG-IP system. Note that these are the logs for general system events and user activity. You can view specific security violation events on the reporting charts or the learning screens in the Application Security Manager.
Tip: If you prefer to review the log data from the command line, you can find the application security log data in the /var/log/asm directory.
1. On the Main tab, expand System, and then click Logs.
The System Logs list screen opens.
2. On the menu bar, click Application Security.
The Application Security log list screen opens, where you can review the logged entries.
The RegExp Validator is a system tool designed to help you validate your regular expression syntax. You can type a regular expression in the RegExp Validator, provide a test string pattern, and let the tool analyze the data.
1. On the Main tab, expand Security, point to Options, Application Security, and then click RegExp Validator.
The RegExp Validator screen opens.
2. From the RegExp Type drop-down list, select either PCRE or RE2 as the RegExp engine.
Tip: Due to differing feature sets available in RE2 and PCRE, some attack signatures must still use PCRE if a feature is not replicated in RE2. However, to reduce the amount of backtracking, we recommend you select RE2 as it uses a fixed stack space, as opposed to PCRE's recursive stack.
3. In the RegExp field, specify how you want the validator to work:
4. Click the Validate button.
The screen refreshes and shows the results of the validation.
If you want the system to send email to users, such as when configuring the system to send reports using email (refer to Scheduling and sending graphical charts using email), you must enable the SMTP mailer and configure an SMTP server.
Note: For the SMTP mailer to work, you must make sure the SMTP server is on the DNS lookup server list, and configure the DNS server on the BIG-IP system (System > Configuration > Device > DNS).
1. On the Main tab, expand Security, point to Options, and then click SMTP Configuration.
The SMTP Configuration screen opens.
2. Select the Enable SMTP mailer check box.
3. For SMTP Server Host Name, type the fully qualified host name of an SMTP server (for example, smtp.example.com).
4. For SMTP Server Port Number, type the SMTP port number (25 is the default for no encryption; 465 is the default if SSL or TLS encryption is the encryption setting).
5. For Local Host Name, type the fully qualified host name of the BIG-IP system.
6. For From Address, type the email address to use as the reply-to address that the recipient sees.
7. For Encrypted Connection, select whether the SMTP server requires an encrypted connection to send mail. Select No encryption, SSL (Secure Sockets Layer), or TLS (Transport Layer Security).
8. If you want the SMTP server to validate users before sending email, enable the Use Authentication setting, then type the Username and Password that the SMTP server requires for validation.
9. Click Save to save the configuration.