Before you can create a security policy, you must perform the minimal system
configuration tasks including defining a VLAN, a self IP address, and other tasks required according to the needs of your
Application Security Manager can automatically create a security
policy that is tailored to secure your web application.
On the Main tab, click
The Active Policies screen opens.
Click the Create button.
The Deployment wizard opens to the Select Local Traffic Deployment
For the Local Traffic Deployment Scenario setting,
specify a virtual server to use for the security policy.
The virtual server represents the web application you want to protect.
The Configure Local Traffic Settings screen opens.
- To secure an existing virtual server that has no security policy
associated with it, select Existing Virtual Server
and click Next.
- To create a new virtual server and pool with basic configuration
settings, select New Virtual Server and click
- To create an active but unused security policy, select Do not
associate with Virtual Server and click
Next. No traffic will go through this security
policy until you associate it with a virtual server. The Policy Builder
cannot begin automatically creating a policy until traffic is going to ASM
through the virtual server.
Configure the new or existing virtual server, and click
The name of the new or existing virtual server becomes the name of the
The Select Deployment Scenario screen opens.
- If creating a new virtual server, specify the protocol, name, IP address
and port, pool IP address, and port.
- If using an existing virtual server, it must have an HTTP profile and
cannot be associated with a local traffic policy.
- If you selected Do not associate with Virtual
Server, you will have to manually associate the security
policy with a virtual server at a later time. On the policy properties
screen, you need to specify a name for the security policy.
For Deployment Scenario, select Create a
policy automatically and click
The Configure Security Policy Properties screen opens.
From the Application Language list, select the language
encoding of the application, or select Auto detect and
let the system detect the language.
Important: You cannot change this setting after you have created the
If the application is not case-sensitive, clear the Security Policy
is case sensitive check box. Otherwise, leave it selected.
Important: You cannot change this setting after you have created the
If you do not want the security policy to distinguish between HTTP and HTTPS
URLs, clear the Differentiate between HTTP and HTTPS URLs
check box. Otherwise, leave it selected.
The Configure Attack Signatures screen opens.
To configure attack signatures, move the systems used by your web application
from the Available Systems list into the
Assigned Systems list.
The system adds the attack signatures needed to protect the selected
For the Signature Staging setting, verify that the
default option Enabled is selected.
Note: Because the Real Traffic Policy Builder
begins building the security policy in Blocking mode, you can keep signature
staging enabled to make sure that false positives do not occur.
New and updated attack signatures remain in staging for 7 days, and are
not enforced (according to the learn, alarm, and block flags) during that
The Configure Automatic Policy Building screen opens.
For Policy Type, select an option to determine the
security features to include in the policy.
A bulleted list on the screen describes which security features are included
in each type.
||Creates a security policy enforcing HTTP protocol compliance,
evasion techniques, explicit file types (including length checks),
explicit parameters in selective mode at the global level, attack
signatures, the violation Request Length Exceeds Defined Buffer Size,
host names, header lengths, cookie lengths, the violation Failed to
Convert Character, and learn explicit redirection domains.
||Creates a security policy with all the elements of the Fundamental
policy type; also checks for explicit URLs in selective mode plus meta
characters, Explicit parameter length checks in selective mode at the
global level, methods, explicit cookies, and content profiles.
||Creates a security policy with all the elements of the Enhanced
policy type; also checks for explicit URLs and meta characters, explicit
parameters and lengths at the URL level, parameter meta characters, and
For Rules, move the slider to set the Policy Builder
Based on the option you select, the system sets greater or lesser values
for the number of different user sessions, different IP addresses, and length of
time before it adds to the security policy and enforces the
||Use if your application supports a small number of requests from a
small number of sessions; for example, useful for web sites with less
traffic. However, choosing this option may present a greater chance of
adding false entities to the security policy.
||Use if your application supports a medium number of requests, or if
you are not sure about the amount of traffic on the application web
site. This is the default setting.
||Use if your application supports a large number of requests from
many sessions; for example, useful for web sites with lots of traffic.
This option creates the most accurate security policy, but takes Policy
Builder longer to collect the statistics.
For Trusted IP Addresses, select which IP addresses to
If you leave the trusted IP address list empty, the system treats all traffic
as untrusted. In general, it takes more untrusted traffic, from different IP
addresses, over a longer period of time to build a security policy.
||Specifies that the policy trusts all IP addresses. For example, if
the traffic is in a corporate lab or preproduction environment where all
of the traffic is trusted, the policy is created faster when you select
||Specifies networks to consider safe. Fill in the IP
Address and Netmask fields, then
click Add. This option is typically used in a
production environment where traffic could come from untrusted sources.
The IP Address can be either an IPv4 or an IPv6 address.
If you want the security policy to automatically detect JSON and XML protocols,
select the JSON/XML payload detection check box.
If requests contain legitimate XML or JSON data, the Policy Builder
creates content profiles in the security policy according to the data it
If you want to display a response page when an AJAX request does not adhere to
the security policy, select the AJAX blocking response
behavior check box.
The Security Policy Configuration Summary opens where you can review the
settings to be sure they are correct.
Click Finish to create the security policy.
The Automatic Policy Building Status screen opens where you can view the
current state of the security policy.
ASM creates the virtual server with an HTTP profile, and on the
Security tab, Application Security Policy is enabled and
associated with the security policy you created. A local traffic policy is also created
and by default sends all traffic for the virtual server to ASM. The Policy Builder
automatically begins examining the traffic to the web application and building the
security policy (unless you did not associate a virtual server). The system sets the
enforcement mode of the security policy to Blocking, but it does not block requests
until the Policy Builder processes sufficient traffic, adds elements to the security
policy, and enforces the elements.
Tip: This is a good point at which to test that you can access the application being
protected by the security policy and check that traffic is being processed by the