Manual Chapter: Building a Security Policy Automatically
Application Security Manager automates the process of creating a security policy to protect a web application. The system must be set up in a networking environment, and be capable of handling traffic to the application.
This section provides an overview of setting up automatic policy building. The BIG-IP® Application Security Manager: Getting Started Guide describes in detail how to use the Deployment wizard. For details about maintaining security policies, refer to BIG-IP® Application Security Manager: Implementations.
Create the security policy.
From the Active Security Policies list, click Create. Using the Deployment wizard, create a virtual server, pool, and then select the option Create a policy automatically.
Let the system automatically add entities to the security policy.
When the Deployment wizard finishes, the system starts the Real Traffic Policy Builder®, the automated policy building tool. The Policy Builder examines requests and responses from different sessions and different IP addresses, over a period of time. It then populates the security policy with legitimate security policy elements (file types, URLs, parameters, and so on), and puts them in staging. The Policy Builder ensures that the policy does not cause false positives.
Let the system stabilize the security policy.
The security policy stabilizes after the system analyzes sufficient traffic, from different sessions and different IP addresses, over a period of time. Policy elements are moved out of staging and enforced as they meet the rule threshold values for stabilization. After that, traffic that violates the security policy generates security violations.
Let the system track site changes and update the policy.
If the web application changes and causes violations for enough different users and IP addresses, over a period of time, the Policy Builder makes the necessary adjustments to the security policy. After sufficient time passes, Policy Builder once again stabilizes the security policy.
Review the automatic policy building status.
On the Policy Building Status (Automatic) screen, you can review the current status of the security policy, see the policy elements that were added, and view details about the elements. If you want more control, you can enforce parts of the security policy from the status screen. The system logs all changes that you or the Policy Builder make to the security policy.
You use the Policy Building Settings screen to configure and monitor automatic policy building. The features and settings discussed in this chapter relate directly to the different settings in various areas of the screen.
General policy building settings determine how the security policy is built for both automatic policy building and manual policy building. The settings define the type of policy to create, and what level of Learning suggestions to provide (explicit entities learning and parameter level).
The policy type determines which security policy elements are included in the security policy. When you create a security policy, you can select one of the following policy types:
Fundamental provides security at a level that is appropriate for most organizations, creating a robust security policy, which is highly maintainable and quick to configure. This is the default setting.
Enhanced provides extra customization, creating a security policy with more granularity.
Comprehensive provides the highest level of customization, creating a security policy with more granularity, but it may take longer to configure.
Custom provides the level of security that you specify when you adjust settings such as which security policy elements are included in the security policy. The policy type changes to Custom if you change any of the default settings for a policy type.
1. On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings.
The Settings screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
3. In the General Policy Building Settings, for Policy Type, select a different type.
The selected security policy elements and options change depending on the policy type you choose.
4. Click Save to save your changes.
5. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
Table 2.1 lists each of the security policy elements in the Automatic Policy Building configuration, describes what the Policy Builder does when each element is enabled, and shows which policy type enables the element.
What the System Does (When Enabled)
Creates the security policy with validation checks that ensure HTTP requests are formatted properly.
Creates the security policy so it detects evasion techniques and performs normalization processes on URI and parameter input.
Creates the security policy with length limitations per file type, based on legitimate web application traffic.
Creates the security policy so it enables or disables attack signatures. Applies to signatures that can be set in the policy, parameters, content profiles, and cookies.
Creates the security policy with allowed meta characters for wildcard URLs, based on legitimate traffic.
Parameter Name Meta Characters
Creates the security policy with allowed meta characters for parameter names for wildcard parameters.
Adds parameters at the URL level, only for specific URLs.
Creates the security policy with allowed meta-characters for parameter values, and content profiles, based on legitimate web application traffic. Applies to parameters and content profiles.
Creates the security policy with allowed methods based on legitimate traffic.
Request length exceeds defined buffer size
Creates the security policy and enables the Request length exceeds defined buffer size violation.
Creates the security policy and enforces header length limitations based on legitimate web application traffic.
Creates the security policy and limits cookie lengths based on legitimate web application traffic.
Creates the security policy to enforce that the characters comply with the configured language encoding of the web application's security policy.
(Selected if JSON/XML payload detection is enabled when configuring automatic policy building using the Deployment wizard)
Creates the security policy so that it validates XML and JSON request data for URLs or parameters. If traffic includes legitimate XML or JSON data, the Policy Builder edits existing XML or JSON profiles according to the data it detects. You can use this option only after selecting Add All Entities or Selective in the Explicit Entities Learning setting for URLs or parameters.
Content Profiles - Automatically detect advanced protocols
(Selected if JSON/XML payload detection is enabled when configuring automatic policy building using the Deployment wizard)
Allows the system to add XML or JSON profiles as needed to the security policy, and configures their attributes according to the data the Policy Builder detects in legitimate XML or JSON data in URLs or parameters in the policy.
Allows the system to add domain names used in the web application to the security policy's list of host names. This allows the system to distinguish between internal and external links and forms.
Verifies URLs against Cross-Site Request Forgery (CSRF) based on legitimate web application traffic. If Policy Builder detects an excessive rate of violations on a CSRF-protected URL, the system treats the violation as a false positive and removes the URL from the list of CSRF-protected URLs. To enforce CSRF URLs, you must enable at least one of the Learn/Alarm/Block check boxes of the CSRF attack detected violation.
Note that the list in Table 2.1 includes the violations and checks that are relevant only for automatic security policy building. The Application Security Manager includes many other security features that are not included in automatic policy building, such as response scrubbing using Data Guard, described in Chapter 3, and anomaly detection, described in Chapter 6.
You can adjust the explicit entities learning settings for file types, URLs, parameters, and cookies. Explicit learning settings specify when Policy Builder adds, or suggests you add, explicit entities to the security policy. Note that if you change the Policy Type, the system also changes explicit entities learning settings.
1. On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings.
The Settings screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
3. In the General Policy Building Settings area, for the Explicit Entities Learning setting, select how to learn each type of entity (file types, URLs, parameters, and cookies).
Never (wildcard only): Specifies that when false positives occur the system suggests relaxing the settings of the wildcard. This option results in a security policy that is easy to manage, but is not as strict.
If Policy Builder is running, it does not add explicit entities that match a wildcard to the security policy. The wildcard entity remains in the security policy. The Policy Builder changes the attributes of any matched wildcard. If not running, Policy Builder suggests changing the attributes of matched wildcard entities, but does not suggest you add explicit entities that match the wildcard entity.
Selective: Applies only to the * wildcard. When false positives occur, the system adds an explicit entity with relaxed settings. This option serves as a good balance between security, policy size, and ease of maintenance.
If Policy Builder is running, it adds explicit entities that do not match the attributes of the * wildcard, and does not remove the * wildcard. If Policy Builder is not running, the system suggests adding explicit entities that match the * wildcard.
Add All Entities: Creates a comprehensive whitelist policy that includes all web site entities. This option results in a large, more granular configuration with stricter security.
If Policy Builder is running, it adds explicit entities that match a wildcard to the security policy. When the security policy is stable, the * wildcard is removed. If Policy Builder is not running, the system suggests adding explicit entities that match the wildcard.
4. Click Save to save your changes.
5. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
You can adjust how the system determines what parameters to add (automatic policy building) or suggests you add (manual policy building). The parameter levels are Global and URL. Global specifies that learning suggestions are based on the properties of entities that already exist in the security policy. URL specifies that learning suggestions are based on real traffic.
1. On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings.
The Settings screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
3. In the General Policy Building Settings area, for the Parameter Level setting, select the level of parameter to add.
Global: Adds parameters at the global level for all URLs in the security policy. Default value for Fundamental and Enhanced policy types.
URL: Adds parameters at the URL level, only for specific URLs. Default value for Comprehensive policy type.
4. Click Save to save your changes.
5. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
Application Security Manager completely configures the automated policy building settings according to the selections you make when using the Deployment wizard. You can review the settings, and change many of them later if needed.
There are two levels of automated policy building settings: basic and advanced. The basic settings are sufficient for most installations, and require less work. The advanced level allows you to view and change all of the configuration settings if you want further control over security policy details. However, in most cases, you do not need to change the default values of these settings.
Figure 2.1 shows the basic automatic policy building settings on the Settings screen.
1. On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings.
The Settings screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
3. In the General Policy Building Settings area, for Policy Type, select the type of security policy:
Fundamental: Provides granularity sufficient for most organizations creating a generalized security policy that is fast to create and easy to maintain. This is the default setting.
Enhanced: Provides additional granularity and security features suited for customers with higher (and, typically, specific) security needs. This policy type takes longer to implement.
Comprehensive: Provides the most granular definitions, includes most security features, and is suited for advanced users or customers with extreme security needs. This policy type typically takes even longer to deploy and requires more maintenance.
4. Leave the Explicit Entities Learning and Parameter Level settings at their default values.
5. In the Automatic Policy Building Settings area, for Real Traffic Policy Builder, select the Enabled check box.
The screen refreshes and displays more options.
6. For Rules, move the slider to change the thresholds of the rules for the security policy:
Fast: Builds a security policy using lower threshold values for the rules so they are likely to meet the thresholds more quickly; for example, this setting is useful for smaller web sites with less traffic. Selecting this value may create a less accurate security policy.
Medium: Builds a security policy based on greater threshold values for the rules. This is the default setting and is recommended for most sites.
Slow: Builds a security policy using even higher thresholds for the rules and takes longer to meet them; for example, this value is useful for large web sites with lots of traffic. Selecting this value may result in fewer false positives and create a more accurate security policy.
8. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
When traffic is flowing to the application, the system examines requests and responses and begins to build the security policy.
If you want to review or change the configuration details of the Policy Builder, you can use the advanced automated policy building settings. However, in most cases, you do not need to change the default values of these settings.
1. On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings.
The Settings screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
3. In the Automatic Policy Building Settings area, for Real Traffic Policy Builder, select the Enabled check box if it is not already selected.
The screen refreshes and displays more options.
4. Next to Automatic Policy Building Settings, select Advanced.
The screen displays the advanced configuration details of the Policy Builder.
5. Review the settings and modify them as needed. Refer to the online help or the following procedures for more information.
7. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
Security policy elements, such as file types, URLs, evasion technique violations, and so on, form the basis of the security policy that the automatic policy building process is creating. The selected security policy elements are the ones that the Policy Builder configures into the security policy based on legitimate web application traffic. Figure 2.2 shows the security policy elements for a comprehensive security policy.
Each policy type enables a different granularity of policy elements. Refer to Table 2.1, for a list of policy elements, descriptions of each, and which policy elements are included in each policy type.
You can select the policy elements to include in the security policy, in which case, the system changes the Policy Type setting to Custom.
1. On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings.
The Settings screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
3. In the Automatic Policy Building Settings, for Real Traffic Policy Builder®, select the Enabled check box if it is not already selected.
The screen refreshes and displays more options.
4. To display all configuration options, next to Automatically Build Policy, select Advanced.
5. In the Policy Type setting, for Include the following Security Policy Elements, select the security policy entities (or violation) that you want the Policy Builder to automatically configure when building the security policy.
For details on the policy elements, see Table 2.1.
When you change the policy elements that are included in the security policy, the Policy Type changes to Custom.
6. Click Save to save your changes.
7. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
During automatic policy building, the Policy Builder builds security policies in three stages. These stages each have separate sets of settings in the Rules area of the Settings screen. Rules in each stage determine when an element in the security policy moves from one stage to the next.
Some of the rules have different values depending on whether the traffic comes from a trusted or untrusted source. The system generally considers trusted traffic and the policy elements it contains legitimate and adds them to the policy more quickly than those in untrusted traffic.
You can adjust the values for the rules by changing the Policy Builder learning speed. Slow learning speed causes the system to create the policy by looking at more traffic, so the values in the rules are higher. Fast learning speed causes the system to build the policy from fewer requests, and the values you see in the rules are lower.
Accept as Legitimate (Loosen)
During this stage, the Policy Builder identifies legitimate application usage based on repeated behavior from sufficient different user sessions and IP addresses, over a period of time. The system updates the security policy accordingly. Based on wildcard matches, Policy Builder adds the legitimate policy entities (putting most into staging to learn their properties), and disables violations that are probably false positives.
For example, when the Policy Builder sees the same file type, URL, parameter, or cookie from enough different user sessions and IP addresses over time, then it adds the entity to the security policy.
Stabilize (Tighten)
During this stage, the Policy Builder refines the security policy elements until the number of security policy changes stabilizes. For example, the Policy Builder enforces an entity type after it records a sufficient number of unique requests and sessions, for different IP addresses, over a sufficient length of time since the last time an explicit file type, URL, or parameter was added to the security policy.
Similarly, the Policy Builder enforces the entity's attributes (takes them out of staging) after it records a sufficient number of unique requests and sessions from different IP addresses, over a sufficient length of time for a particular file type, URL, parameter, or cookie.
When the traffic to the application no longer includes new elements and the Policy Builder has enforced the policy elements, the security policy is considered stable and its progress reaches 100%.
Track Site Changes
This setting determines whether the Policy Builder may make changes to the security policy after it is stable. If the setting is enabled and the Policy Builder discovers changes to the web application, it logs the change (Site change detected) and temporarily loosens the security policy to make the necessary adjustments. When the Policy Builder stabilizes the added elements, it retightens the security policy.
Although it is not recommended, you can disable the Track Site Changes option. If you do, when the security policy progress reaches 100% stability, the system disables automatic policy building. The security policy is not updated unless you manually change it, or restart automatic policy building by re-enabling the Track Site Changes option.
Figure 2.3 shows the Rules area of the Settings screen with the learning speed set to Slow.
Advanced users can view and change the conditions under which the Policy Builder modifies the security policy during any of the three stages. Changing the values in any of the rules (to values not matching any of the default values) also changes the learning speed and the chance of adding false entities settings to Custom (instead of Slow, Medium, or Fast).
Note: F5 recommends that only advanced users change the automatic policy building rule settings. Use the default values in most cases.
1. On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings.
The Settings screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
4. In the Rules area, for Policy Builder learning speed, move the slider to change the thresholds of the rules for the security policy:
Fast: Builds a security policy using lower threshold values for the rules so they are likely to meet the thresholds more quickly; for example, this setting is useful for smaller web sites with less traffic. Selecting this value may create a less accurate security policy.
Medium: Builds a security policy based on greater threshold values for the rules. This is the default setting and is recommended for most sites.
Slow: Builds a security policy using even higher thresholds for the rules and takes longer to meet them; for example, this value is useful for large web sites with lots of traffic. Selecting this value may result in fewer false positives and create a more accurate security policy.
Changing these settings also changes the chance of adding false entities to the policy (the slider on the right).
Note: F5 recommends that you use the learning speed slider to adjust the rule values, and skip to step 8.
5. For the Accept as Legitimate (Loosen) rules, adjust the number of different sessions, different IP addresses, and the time spread after which the Policy Builder accepts and learns a security policy change from traffic.
In this stage of security policy building, the Policy Builder adds entities, configures attributes (such as lengths and meta characters), places entities in staging, and disables violations.
6. For the Stabilize (Tighten) rules, adjust the number of requests, the number of different sessions, different IP addresses, and the time spread before the Policy Builder stabilizes the security policy elements.
Stabilizing a security policy element may mean tightening it by deleting wildcard entities, removing entities from staging, and enforcing violations that did not occur.
7. For the Track Site Changes rules:
a) The Enable Track Site Changes check box is selected by default. This box must remain selected if you want the Policy Builder to quickly loosen the security policy if changes to the web application cause violations.
From Trusted and Untrusted Traffic: Specifies that the Policy Builder loosens the security policy based on all traffic. This is the default option.
Only from Trusted Traffic: Specifies that the Policy Builder loosens the security policy based on traffic from trusted sources defined in the Trusted IP Addresses area on this screen.
c) For untrusted and trusted traffic, adjust the number of different sessions and different IP addresses for which the system detects violations, over a period of time, after which the Policy Builder updates the security policy.
In this stage of security policy building, the Policy Builder adds wildcard entities, places entities in staging, and disables violations.
8. Click Save to save your changes.
9. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
You can create a list of trusted IP addresses that the Policy Builder considers safe in the Trusted IP addresses area of the Settings screen. Figure 2.4 shows the trusted IP addresses area.
The Policy Builder processes traffic from trusted clients differently than traffic from untrusted clients. For clients with trusted IP addresses, the rules are configured so that the Policy Builder requires less traffic (by default, only 1 user session) to update the security policy with entity or other changes. It takes more traffic from untrusted clients to change the security policy (given the default values).
Figure 2.5 shows the default Accept as Legitimate (Loosen) area of the Settings screen, configured for a fundamental security policy set to medium strictness. You can see that different values apply to trusted and untrusted traffic.
Refer to Modifying the list of trusted IP addresses to learn more about how the rules affect the security policy.
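The Accept as Legitimate (Loosen) stage and the trusted/untrusted distinction described above, modelled as an added example (constructed code, not F5's implementation). It assumes a trusted network of 10.0.0.0/8, illustrative untrusted thresholds (only the "1 session for trusted traffic" default comes from the manual), the default 1xx/2xx/3xx learnable status classes plus 404, and the constructed traffic embedded in the block.

```python
"""Toy model of the "Accept as Legitimate (Loosen)" stage (constructed, not F5 code).
A URL is accepted into the policy (placed in staging) once violation-free transactions
with a learnable status code are seen from enough distinct sessions and IP addresses over
a sufficient time spread. Trusted IPs use lower thresholds; adding stops at a maximum."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Thresholds:
    sessions: int     # distinct user sessions required
    ips: int          # distinct client IP addresses required
    time_spread: int  # seconds between first and latest qualifying sighting


# Constructed thresholds: the manual says trusted traffic needs only 1 session by
# default; the untrusted values are illustrative, not F5's defaults.
TRUSTED = Thresholds(sessions=1, ips=1, time_spread=0)
UNTRUSTED = Thresholds(sessions=5, ips=3, time_spread=600)
# "Learn from traffic with the following HTTP Response Status Codes": the default
# classes 1xx/2xx/3xx plus one specific code added for this demo.
LEARN_STATUS = ["1xx", "2xx", "3xx", "404"]


def status_allowed(code, patterns=LEARN_STATUS):
    """True if an integer status code matches a class ('4xx') or exact ('304') entry."""
    for p in patterns:
        if p.endswith("xx") and 100 <= code < 600 and str(code)[0] == p[0]:
            return True
        if p.isdigit() and int(p) == code:
            return True
    return False


@dataclass
class Sighting:
    """Distinct sessions, IPs and time span seen for one URL from one trust class."""
    sessions: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    first_ts: int = 0
    last_ts: int = 0

    def add(self, session, ip, ts):
        self.first_ts = ts if not self.sessions else min(self.first_ts, ts)
        self.last_ts = max(self.last_ts, ts)
        self.sessions.add(session)
        self.ips.add(ip)

    def meets(self, th):
        return (len(self.sessions) >= th.sessions and len(self.ips) >= th.ips
                and self.last_ts - self.first_ts >= th.time_spread)


class LoosenStage:
    def __init__(self, trusted_networks, max_urls=10000):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_networks]
        self.max_urls = max_urls  # "Maximum Security Policy Elements" limit for URLs
        self.seen = {"trusted": {}, "untrusted": {}}
        self.staging = []         # accepted URLs whose attributes are still being learned

    def is_trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def observe(self, tx):
        """Feed one transaction; return the URL if it was just accepted, else None."""
        # Learn only from legitimate traffic: no violation and a learnable status code.
        if tx["violation"] or not status_allowed(tx["status"]):
            return None
        if len(self.staging) >= self.max_urls:
            return None           # limit reached: the builder stops adding URLs
        trusted = self.is_trusted(tx["ip"])
        bucket = self.seen["trusted" if trusted else "untrusted"]
        sighting = bucket.setdefault(tx["url"], Sighting())
        sighting.add(tx["session"], tx["ip"], tx["ts"])
        if tx["url"] not in self.staging and sighting.meets(TRUSTED if trusted else UNTRUSTED):
            self.staging.append(tx["url"])
            return tx["url"]
        return None


def tx(ts, ip, session, url, status=200, violation=False):
    return dict(ts=ts, ip=ip, session=session, url=url, status=status, violation=violation)


# Constructed traffic; 10.0.0.0/8 is the trusted network for this demo.
TRAFFIC = [
    tx(0, "10.0.0.5", "t1", "/login.php"),                      # trusted: accepted at once
    tx(0, "203.0.113.1", "u1", "/search.php"),
    tx(100, "203.0.113.2", "u2", "/search.php"),
    tx(200, "203.0.113.3", "u3", "/search.php"),
    tx(300, "203.0.113.1", "u4", "/search.php"),
    tx(400, "203.0.113.2", "u5", "/search.php"),                # 5 sessions, 3 IPs, spread 400
    tx(700, "203.0.113.3", "u6", "/search.php"),                # spread 700 >= 600: accepted
    tx(50, "203.0.113.9", "u7", "/admin.php", violation=True),  # violation: not learned
    tx(60, "203.0.113.9", "u8", "/old.php", status=404),        # learnable, but one session only
    tx(70, "203.0.113.9", "u9", "/err.php", status=500),        # 5xx: not a learnable status
]


def run_demo(traffic=TRAFFIC):
    """Return the URLs accepted into staging, in acceptance order."""
    stage = LoosenStage(trusted_networks=["10.0.0.0/8"])
    return [u for u in (stage.observe(t) for t in traffic) if u]
```

Running run_demo() accepts /login.php immediately from the single trusted session and /search.php only once the untrusted sightings span 600 seconds; the violating, under-seen and 5xx transactions never enter staging.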
1. On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings.
The Settings screen opens.
2. In the editing context area, ensure that the Current edited policy is the one that you want to update.
3. To display all configuration options, next to Automatically Build Policy, select Advanced.
4. In the Trusted IP Addresses area, for IP Addresses, specify which IP addresses to consider safe:
To add specific IP addresses or networks, select Address List, type the IP address and netmask, then click Add.
The IP address or network range is added to the list. Add as many trusted IP addresses as needed.
5. Click Save to save your changes.
6. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
When you create a security policy automatically, the Application Security Manager sets the automatic policy building options on the Settings screen (Advanced setting options). These options determine what type of entities the Policy Builder adds to the security policy. You can change the values of the settings in the Options area, shown in Figure 2.6. Refer to the online help for details about all of the settings.
By default, the security policy learns from responses, meaning that it adds elements found in traffic from trusted IP addresses or in responses that are legal and fully enforced.
If the web application contains dynamic parameters, you can configure the Policy Builder to identify them. Dynamic parameters are parameters whose sets of accepted values can change, and usually depend on the user session. For more information on dynamic parameters, refer to Working with dynamic parameters and extractions.
The options also let you simplify your security policy by collapsing similar specific entities into one global entity. After a specified number of occurrences (10 by default), the system can combine:
User-input parameters (alphanumeric only) with similar names into one general name (replacing param1, param2, and param3 with param*)
Cookies with similar names, replacing them with a wildcard cookie that matches all of the similarly named cookies. For example, cookie1 and cookie2 are replaced with cookie*
Content profiles, where each content profile contains one parameter/URL, replacing them with one content profile containing all parameters/URLs (the Policy Builder collapses content profiles once, and then uses the collapsed content profile)
URLs in the same directory with the same prefix and file extension. For example, /abc/x.php, /abc/y.php, and /abc/z.php are replaced with /abc/*.php.
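The collapse options just listed, as an added example (constructed code, not the Policy Builder's implementation). It assumes that "similar names" means an alphabetic prefix followed by a number, that the minimum depth counts all path segments of the URL including the file, and uses lowered occurrence thresholds on constructed sample entities so the effect is visible.

```python
"""Toy model of the "Collapse to one entity" options (constructed, not F5 code).
Assumptions: "similar" parameter or cookie names share an alphabetic prefix and differ
only in a trailing number; URLs collapse when they sit in the same directory with the
same extension, the group reaches the occurrence threshold, and the URL has at least
min_depth path segments (so /abc/x.php has depth 2)."""
import posixpath
import re
from collections import defaultdict

_PREFIX_NUMBER = re.compile(r"^([A-Za-z]+)\d+$")


def collapse_names(names, occurrences=10):
    """Replace a group of at least `occurrences` names like param1..paramN with 'param*'.

    Works for user-input parameter names and cookie names alike; names that do not fit
    the prefix+number pattern, or whose group is too small, stay explicit entities.
    """
    groups, explicit = defaultdict(list), []
    for name in names:
        m = _PREFIX_NUMBER.match(name)
        (groups[m.group(1)] if m else explicit).append(name)
    for prefix, members in groups.items():
        explicit.extend([prefix + "*"] if len(members) >= occurrences else members)
    return sorted(explicit)


def collapse_urls(urls, occurrences=500, min_depth=2):
    """Replace at least `occurrences` URLs in one directory sharing one extension
    with directory/*.ext, e.g. /abc/x.php, /abc/y.php, /abc/z.php -> /abc/*.php."""
    groups, explicit = defaultdict(list), []
    for url in urls:
        directory, filename = posixpath.split(url)
        ext = posixpath.splitext(filename)[1]
        depth = len([seg for seg in url.split("/") if seg])  # path segments incl. the file
        if ext and depth >= min_depth:
            groups[(directory, ext)].append(url)
        else:
            explicit.append(url)  # no extension or too shallow: never collapsed
    for (directory, ext), members in groups.items():
        if len(members) >= occurrences:
            explicit.append(posixpath.join(directory, "*" + ext))
        else:
            explicit.extend(members)
    return sorted(explicit)


# Constructed sample entities; thresholds are lowered from the defaults (10 and 500)
# so the collapse is visible with a handful of entries.
SAMPLE_PARAMS = ["param1", "param2", "param3", "id", "user1"]
SAMPLE_COOKIES = ["cookie1", "cookie2", "SESSIONID"]
SAMPLE_URLS = ["/abc/x.php", "/abc/y.php", "/abc/z.php", "/abc/logo.png",
               "/index.php", "/abc/sub/a.php"]


def demo():
    """Collapse each sample set; returns the resulting explicit and wildcard entities."""
    return {
        "parameters": collapse_names(SAMPLE_PARAMS, occurrences=3),
        "cookies": collapse_names(SAMPLE_COOKIES, occurrences=2),
        "urls": collapse_urls(SAMPLE_URLS, occurrences=3),
    }
```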
Figure 2.6 shows the Options area of the Automatic Policy Building screen.
1.
On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings.
The Settings screen opens.
2.
In the editing context area, ensure that the Current edited policy is the one that you want to update.
3.
To display all configuration options, next to Automatically Build Policy, select Advanced.
4.
In the Options area, select Learn from responses if you want the security policy to include elements found in responses.
The response may include more information about the web application than is found in the request. If the setting is enabled, the Policy Builder learns only from responses from valid requests (meaning those which do not generate violations).
5.
Specify whether you want the Policy Builder to add dynamic parameters to the security policy, and if so, where to get them from:
If you do not want to include dynamic parameters, make sure all the dynamic parameters check boxes are cleared, and skip to step 7.
To extract dynamic parameters from file types, make sure both the File Types and Parameters policy elements are already selected in the Policy Elements area.
To extract dynamic parameters from URLs, make sure the URLs and Parameters policy elements are selected. Selecting File Types, Parameters, and URLs also extracts dynamic parameters from URLs.
6.
To specify the conditions under which the Policy Builder adds dynamic parameters to the security policy, for Dynamic Parameters, perform the following tasks, as needed:
To add all hidden form input parameters from the application as dynamic content value parameters, select the All HIDDEN Fields check box.
To add parameters from forms as dynamic content value parameters, select the Using statistics - FORM parameters check box.
To add parameters from links as dynamic content value parameters, select the Using statistics - link parameters check box.
Adjust the number of unique value sets that must be seen for a parameter before the system considers it a dynamic content value. The default value is 10.
7.
To simplify your security policy by combining explicit entities into a more global wildcard entity, for Collapse to one entity, select the entities you want to collapse:
To collapse common entities, select Collapse Parameters, Cookies and Content Profiles, and type the number of occurrences after which entities are combined. The default value is 10.
To collapse URLs in the same directory with the same prefix path and file extension, select Collapse URLs, type the number of occurrences after which URLs are combined (the default is 500), and type the minimum depth for collapsing path segments (the default is 2).
8.
For Learn from traffic with the following HTTP Response Status Codes, type the response code you want to add (for example, add specific codes like 304 or a class of codes like 4xx), then click Add.
The Policy Builder extracts information from traffic based on transactions that return only those HTTP response status codes.
Tip: Normally, the Policy Builder learns only from legitimate traffic, so you should add response codes that are returned under normal usage conditions for your application.
All informational responses (the request was received; continuing to process it). Included by default.
All successful responses (the request was received, understood, accepted, and processed successfully). Included by default.
All redirection (the client needs to take additional action on the request). Included by default.
Specific codes such as 100, 306, 400, 404
Refer to Hypertext Transfer Protocol -- HTTP/1.1 specification (RFC-2616).
9.
For Maximum Security Policy Elements, if needed, adjust the maximum number of elements that can be added to the security policy:
File Types (the default value is 250)
URLs (the default value is 10000)
Parameters (the default value is 10000)
Cookies (the default value is 100)
If the Policy Builder reaches the specified limit, it stops adding that type of security policy element, and you may need to intervene:
If the web site genuinely requires more than the maximum number of elements, you can increase the limit, or reconsider the type of the policy (you may not need to include every element explicitly).
If the site includes a dynamic element that the Policy Builder cannot learn (such as dynamic session IDs in the URL or dynamically generated parameter names), either configure the security policy to handle that element (for example, enable dynamic sessions in URL), or clear that element type so the Policy Builder stops trying to learn it. In such an environment, the Policy Builder should not be configured to learn that element type.
10.
For File Types for which wildcard URLs will be configured, add the file types for which the Policy Builder creates a wildcard URL instead of adding an explicit URL. Common file types are included by default.
11.
Click Save.
12.
To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
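The following Python model is added here as an illustration of how the rules in steps 7 through 9 interact; it is not F5 code and does not reproduce the Real Traffic Policy Builder implementation. It feeds a constructed stream of request paths and response codes to a small learner that only learns from transactions whose status matches the configured codes or classes, replaces the URLs in one directory that share a file extension with a wildcard once the occurrence threshold is met at or beyond the minimum depth, and stops adding URLs when the maximum is reached. The class name, the action labels returned by observe, the way depth is counted (path segments in the directory), and the sample traffic are all assumptions of this model; the thresholds are shrunk from the documented defaults so that every rule fires on a dozen requests.

```python
"""Toy model (added example, not F5 code) of the learning rules in steps 7-9:
learn only from transactions whose status matches the configured codes, collapse
URLs that share a directory and extension once the threshold is met at the
minimum depth, and stop adding an element type once it reaches its maximum."""
from collections import defaultdict
import posixpath

DEFAULT_LEARN_CODES = ("1xx", "2xx", "3xx")  # included by default: informational, success, redirection


def status_matches(code, allowed):
    """True if `code` matches an entry: a specific code ("304") or a class ("4xx")."""
    text = str(code)
    if len(text) != 3 or not text.isdigit():
        return False
    for entry in allowed:
        if entry.endswith("xx") and text[0] == entry[0]:
            return True
        if text == entry:
            return True
    return False


def split_url(path):
    """Split '/a/b/c.jpg' into ('/a/b', 'jpg'); names without a dot get 'no_ext'."""
    directory, name = posixpath.split(path)
    ext = name.rsplit(".", 1)[1].lower() if "." in name else "no_ext"
    return directory, ext


def wildcard_for(directory, ext):
    """Wildcard entity covering every URL in `directory` with extension `ext`."""
    return posixpath.join(directory, "*" if ext == "no_ext" else "*." + ext)


class PolicyBuilderSim:
    """Simplified learner; thresholds default to the values quoted in the text."""

    def __init__(self, learn_codes=DEFAULT_LEARN_CODES, max_urls=10000,
                 max_file_types=250, collapse_urls_after=500, collapse_min_depth=2):
        self.learn_codes = tuple(learn_codes)
        self.max_urls = max_urls
        self.max_file_types = max_file_types
        self.collapse_urls_after = collapse_urls_after
        self.collapse_min_depth = collapse_min_depth
        self.file_types = set()
        self.explicit_urls = set()
        self.wildcard_urls = set()       # e.g. '/images/products/*.jpg'
        self.limit_reached = set()       # element types that hit their maximum
        self._groups = defaultdict(set)  # (directory, ext) -> explicit URLs learned there

    def observe(self, path, status):
        """Feed one request/response pair and return what the learner did with it."""
        if not status_matches(status, self.learn_codes):
            return "skipped"             # e.g. a 404: not legitimate usage, nothing is learned
        directory, ext = split_url(path)
        if ext not in self.file_types:
            if len(self.file_types) >= self.max_file_types:
                self.limit_reached.add("file_types")   # stops adding file types only
            else:
                self.file_types.add(ext)
        wildcard = wildcard_for(directory, ext)
        if path in self.explicit_urls or wildcard in self.wildcard_urls:
            return "known"               # already covered, nothing to add
        if len(self.explicit_urls) >= self.max_urls:
            self.limit_reached.add("urls")
            return "limit"               # no more URLs are added; the operator must intervene
        self.explicit_urls.add(path)
        group = self._groups[(directory, ext)]
        group.add(path)
        # Assumption: depth is the number of segments in the directory ('/images/products' is 2).
        depth = len([seg for seg in directory.split("/") if seg])
        if len(group) >= self.collapse_urls_after and depth >= self.collapse_min_depth:
            self.explicit_urls.difference_update(group)
            group.clear()
            self.wildcard_urls.add(wildcard)
            return "collapsed"
        return "learned"


def demo():
    """Run constructed traffic through a learner with small thresholds so every rule fires."""
    sim = PolicyBuilderSim(collapse_urls_after=3, collapse_min_depth=2, max_urls=6)
    traffic = [  # (request path, response status); constructed sample, not captured data
        ("/index.html", 200),
        ("/admin/secret.php", 404),       # error response: skipped, .php never becomes a file type
        ("/images/products/a.jpg", 200),
        ("/images/products/b.jpg", 304),  # 3xx is learned by default
        ("/images/products/c.jpg", 200),  # third .jpg at depth 2 -> /images/products/*.jpg
        ("/css/site.css", 200),
        ("/css/print.css", 200),
        ("/css/mobile.css", 200),         # third .css, but depth 1 < 2: stays explicit
        ("/js/app.js", 200),
        ("/js/vendor.js", 200),           # sixth explicit URL: maximum reached
        ("/js/extra.js", 200),            # limit: not added
        ("/images/products/d.jpg", 200),  # covered by the wildcard: no element needed
    ]
    return sim, [(path, sim.observe(path, status)) for path, status in traffic]
```

Calling demo() returns the learner and the action taken for each request. With the documented defaults (500 occurrences, minimum depth 2, 10000 URLs) the same dozen requests would simply be learned as explicit URLs, which is why the thresholds are shrunk here; the point to take from the run is that a wildcard both removes elements already counted against the maximum and covers new URLs without adding any, which is the "reconsider the type of the policy" option in step 9.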
If you change the configuration settings and decide that you want to return them to the system default values, you can change the policy type or use the Restore Defaults button.
1.
On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings.
The Settings screen opens.
2.
In the editing context area, ensure that the Current edited policy is the one that you want to update.
3.
For Policy Type, select the type of policy for which you want the default values.
The screen refreshes and displays the default values for the policy type you selected.
4.
To display all configuration options, next to Automatic Policy Building Settings, select Advanced.
5.
Click Save to save the default configuration.
6.
To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
You can also click the Restore Defaults button at the bottom of the Settings screen. If you do, the system refreshes and displays the default values for the Fundamental policy type.
You can review the current state of the security policy by looking at the Status (Automatic) screen. A progress bar shows approximately how close the security policy is to becoming stabilized. You can see a summary of the number of file types, URLs, parameters, and cookies that were added to the security policy.
If you want to understand more about what is happening in the security policy, you can use the Status screen to delve into the details of each policy element.
1.
On the Main tab, expand Security, point to Application Security, Policy Building, then click Status (Automatic).
The Status (Automatic) screen opens.
2.
In the editing context area, ensure that the Current edited policy is the one for which you want to view the status.
3.
To view the number of policy elements that are in the current security policy, review the Policy Elements Learned area. Click the number in the Elements column to examine the specific elements for any entity type.
4.
In the Details area, click the expand buttons to show details about the security policy elements included in the policy. You can make changes to the security policy, if you want, as follows:
In the details for HTTP Protocol Compliance, Evasion Techniques Detected, and Request Length Exceeds Defined Buffer Size, in the Action column, click Enable to enforce a check or violation immediately, overriding the rules for adding them.
In the stability details for File Types, URLs, Parameters, Cookies, and Methods, click Enforce to enforce the entity by deleting the entity wildcard (*) from the security policy.
In the learning details for File Types, URLs, Parameters, Cookies, and Methods, click Accept to immediately add specific entities to the security policy, even though they have not met the rules to be accepted as legitimate.
In the Staging details for File Types, URLs, Parameters, and Cookies, click Enforce to remove a specific entity from staging, and start enforcing its setting or attributes.
In the Signature stability details for Attack Signatures, click Enforce to remove all signatures from staging and enforce them.
In the learning details for Attack Signatures, review the list of signatures that the system detected. If you see false positives, click Disable to remove the signature from staging and disable it.
In the learning details for CSRF URLs, review the list of the URLs in the security policy that caused a CSRF Attack Detected violation. Click Remove to delete a specific URL from the security policy, or Remove All to delete all of them.
In the learning details for Host Names, review the list of host names the Policy Builder has not yet added to the security policy because they have not satisfied the Accept as Legitimate rule. Click the Accept button in the Action column to add the host name to the security policy immediately.
Figure 2.7 shows the Status (Automatic) screen for a security policy. The security policy was developed for trusted traffic, and so far includes 1 file type, 1 URL, and 11 parameters. The screen displays the elements that were learned and added to the policy. The Details area shows the elements that were not yet added to the policy, and the elements that are in staging mode while the policy is stabilizing.
When you use automatic policy building, the Policy Builder can update the security policy as needed, for example, if changes occur on the application web site. You can stop automatic policy building at any time, such as when the security policy stabilizes, and you think the web application will not change for a while.
For security policies that were created using one of the manual methods or imported from an earlier release, you can start automatic policy building. By examining the traffic going to the application, the Policy Builder can add various web site entities to the security policy in order to enhance it.
1.
On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings.
The Settings screen opens.
2.
In the editing context area, ensure that the Current edited policy is the one for which you want to stop automatic policy building.
3.
In the Automatic Policy Building Settings, for Real Traffic Policy Builder®, clear the Enabled check box.
The screen shows fewer options.
4.
Click Save.
5.
To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
6.
From the menu bar, click Status (Automatic).
The Real Traffic Policy Builder status displays Disabled, and the system stops the Policy Builder. The security policy remains the same unless you change the configuration manually, or restart the Policy Builder.
1.
On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings.
The Settings screen opens.
2.
In the editing context area, ensure that the Current edited policy is the one that you want to update.
3.
In the Automatic Policy Building Settings, for Real Traffic Policy Builder®, select the Enabled check box.
The Policy Builder starts running, and the screen shows more options.
4.
Click Save.
5.
To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
6.
From the menu bar, click Status (Automatic).
The Real Traffic Policy Builder status displays Enabled, and the Policy Builder restarts the automatic policy building process based on traffic and configuration settings.
You can centrally manage groups of BIG-IP systems called device groups within a given network. Device groups can maintain a synchronized configuration between all devices in the group. If all devices in the group have Application Security Manager on them, those devices all provide consistent enforcement. All devices must run the same version of Application Security Manager.
Using device management, all new security policies, and any security policy changes made on one device are automatically pushed to all other devices within the ASM device group, even if you do not apply the security policy. We recommend that you apply the security policy to each device to ensure consistent enforcement among all devices.
In addition, if you create a new security policy using the Deployment wizard and create a new virtual server, the new security policy is synchronized on the peer devices. But, the new virtual server is not automatically assigned to the new security policy on the peer devices. You must manually synchronize the virtual server configuration to the device group.
You can run Policy Builder on only one device in a group for any given web application. Activating Policy Builder on one device automatically disables Policy Builder for that security policy on all other devices in the device group. The system relays all security policy configuration changes that Policy Builder makes on the system where it is running to all other devices in the device group.
The automatic policy building log includes an entry for each event or change that the Policy Builder applies to the policy. This policy log is useful for reviewing changes, and for understanding when and why the security policy was changed.
1.
On the Main tab, expand Security, point to Application Security, Policy Building, then click Log (Automatic).
The Log (Automatic) screen opens.
2.
In the editing context area, ensure that the Current edited policy is the one you are interested in.
3.
In the filter area, adjust the filter settings, as needed.
You can filter by event type or element type, or click Show Filter Details and click Go to display additional settings.
The screen displays the policy log for the web application and security policy that you selected. Figure 2.8 shows a portion of a sample automatic policy building policy log.
4.
In the Description column, click the magnifying glass icon to view details about an element that was added to the security policy.
5.
To save the log as a PDF, click Export.
The system creates a PDF that you can open or save.
Tip: To display a log that shows additional information, such as including manual as well as automatic changes, navigate to the Policy Log screen (go to Application Security > Security Policies and from the Active Policies screen, click the policy you want to know about, then click the Policy Log tab.) For details, see Reviewing a log of all security policy changes.