Manual Chapter : Configuring Security Policy Blocking

Applies To: BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

About security policy blocking

You can configure how Application Security Manager handles requests that violate the security policy in several ways.

  • Blocking actions: The blocking actions for each of the security policy violations, along with the enforcement mode, determine the action that is taken when the violation occurs.
  • Evasion techniques: Sophisticated attackers have found coding methods that normal attack signatures do not detect. These methods are known as evasion techniques. Application Security Manager can detect the evasion techniques, and you can configure blocking properties for them.
  • HTTP Protocol Compliance: The system performs validation checks on HTTP requests to ensure that the requests are formatted properly. You can configure which validation checks are enforced by the security policy.
  • Web Services Security: You can configure which web services security errors must occur for the system to learn, log, or block requests that trigger the errors.
  • Response pages: When the enforcement mode of the security policy is blocking, and a request (or response) triggers a violation for which the Block action is enabled, the system returns the response page to the client. If you configure login pages, you can also configure a response page for blocked access.

Changing security policy enforcement

An enforcement mode specifies how the system processes a request that triggers a security policy violation. Security policies can be in one of two enforcement modes: transparent or blocking. You can manually change the enforcement mode for a security policy depending on how you want the system to handle traffic that causes violations.
  1. On the Main tab, click Security > Application Security > Security Policies. The Active Policies screen opens.
  2. Click the name of the security policy you want to work on. The Properties screen opens.
  3. In the Configuration area, for the Enforcement Mode setting, specify how to treat traffic that causes violations.
    • To block traffic that causes violations, select Blocking.
    • To stop traffic from being blocked and review the violations, select Transparent.
  4. Click Save to save your settings.
  5. To put the security policy changes into effect immediately, click Apply Policy.

When the enforcement mode is set to transparent, traffic is not blocked even if a violation is triggered. The system typically logs the violation event (if the Learn flag is set on the violation). You can use this mode along with an enforcement readiness period when you first put a security policy into effect to make sure that no false positives occur that would stop legitimate traffic.

When the enforcement mode is set to blocking, traffic is blocked if it causes a violation whose Block flag is enabled and the enforcement readiness period is over. You use this mode when you are ready to enforce a security policy.

Configuring blocking actions for violations

You can configure the Learn, Alarm, and Block flags, or blocking actions, for each violation. The blocking actions (along with the enforcement mode) determine how the system processes requests that trigger the corresponding violation.
  1. On the Main tab, click Security > Application Security > Blocking. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Adjust the Enforcement Mode setting if needed.
    • To block traffic that causes violations, select Blocking.
    • To leave traffic unblocked even when it causes violations (so you can confirm that legitimate traffic would not be blocked), select Transparent.
    You can only configure the Block flag if the enforcement mode is set to Blocking.
  4. For each violation, review the settings so you understand how the security policy handles requests that cause the violation, and adjust if necessary.
    • Learn: If selected, the system generates learning suggestions for requests that trigger the violation.
    • Alarm: If selected, the system records requests that trigger the violation in the Charts screen, the system log (/var/log/asm), and possibly in local or remote logs (depending on the settings of the logging profile).
    • Block: If selected (and the enforcement mode is set to Blocking), the system blocks requests that trigger the violation.
    Tip: Click the information icon preceding a violation for a description of it.
  5. Click the violations that are links to display more granular details or subviolations for which you can enable blocking properties. You can enable or disable blocking subviolations for evasion techniques, HTTP protocol compliance, and web services security.
  6. Click Save to save your settings.
  7. To put the security policy changes into effect immediately, click Apply Policy.

Entities in staging and wildcards set to add all entities do not cause violations, and consequently are not blocked. But if the enforcement mode is blocking and violations are set to Block, traffic causing those violations is blocked. If violations are set to Alarm, the system logs the violations. For violations set to Learn, the system generates learning suggestions if the violation occurs.

You can now configure the response that the system sends when a request is blocked.

About blocking actions

The system takes the following actions when the blocking actions are enabled.

  • Learn: When the Learn flag is enabled for a violation, and a request triggers the violation, the system logs the request and generates learning suggestions. The system takes this action when the security policy is in either the transparent or blocking enforcement mode.
  • Alarm: When the Alarm flag is enabled for a violation, and a request triggers the violation, the system logs the request, and also logs a security event. The system takes this action when the security policy is in either the transparent or blocking enforcement mode.
  • Block: The Block flag blocks traffic when (1) the security policy is in the blocking enforcement mode, (2) a violation occurs, (3) the Block flag is enabled for the violation, and (4) the entity is enforced. The system sends the blocking response page (containing a Support ID to identify the request) to the client.
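The following is an added model of the decision rules above (enforcement mode, the Learn/Alarm/Block flags, entity enforcement and the readiness period); it is illustration code, not F5's implementation, and the Policy and ViolationFlags structures are constructed stand-ins for the ASM configuration.

```python
"""Model of the blocking-action rules in this chapter (added illustration,
not F5 code).  Policy and ViolationFlags are constructed stand-ins for the
ASM configuration; violation names used with them come from this chapter."""
from dataclasses import dataclass, field


@dataclass
class ViolationFlags:
    """The three per-violation flags set on the Blocking > Settings screen."""
    learn: bool = False
    alarm: bool = False
    block: bool = False


@dataclass
class Policy:
    enforcement_mode: str                      # "transparent" or "blocking"
    readiness_period_over: bool = True         # enforcement readiness period elapsed
    flags: dict = field(default_factory=dict)  # violation name -> ViolationFlags


def can_set_block(policy):
    """The Block flag can only be configured when the mode is Blocking."""
    return policy.enforcement_mode == "blocking"


def actions_for(policy, violation, entity_enforced=True):
    """Return the set of actions the system takes for one triggered violation.

    Learn and Alarm apply in both enforcement modes.  Block applies only when
    (1) the policy is in blocking mode, (2) the violation occurred, (3) its
    Block flag is set, and (4) the entity is enforced rather than in staging
    or covered by an add-all wildcard; the readiness period must also be over.
    """
    f = policy.flags.get(violation, ViolationFlags())  # unknown: all flags off
    taken = set()
    if f.learn:
        taken.add("learn")   # request logged, learning suggestion generated
    if f.alarm:
        taken.add("alarm")   # request logged plus a security event
    if (policy.enforcement_mode == "blocking" and f.block
            and entity_enforced and policy.readiness_period_over):
        taken.add("block")   # blocking response page with a Support ID
    return taken
```

The same request, under the same flags, yields learn and alarm in transparent mode and learn, alarm and block in blocking mode.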

Configuring HTTP protocol compliance validation

The first security checks that Application Security Manager performs are those for RFC compliance with the HTTP protocol. The system validates HTTP requests to ensure that the requests are formatted properly. For each security policy, you can configure which HTTP protocol checks the system performs, and specify what happens if requests are not compliant.
  1. On the Main tab, click Security > Application Security > Blocking. The Settings screen opens.
  2. In the RFC Violations area, for the HTTP protocol compliance failed violation, set the blocking settings as needed.
    Select an option according to what you want the system to do:
    • Learn: Generate learning suggestions for requests that trigger the violation.
    • Alarm: Record requests that trigger the violation in ASM Charts, the system log (/var/log/asm), and possibly in local or remote logs (depending on the logging profile settings).
    • Block: Block requests that trigger the violation (the enforcement mode must be set to Blocking).
  3. Click the HTTP protocol compliance failed violation link. The HTTP subviolations are displayed.
  4. Select or clear the HTTP protocol checks, as required.
    Tip: For an explanation of the individual HTTP validations, click the Info icon preceding each one.
  5. Click Save to save your settings.
  6. To put the security policy changes into effect immediately, click Apply Policy.

If the HTTP protocol compliance failed violation is set to Learn, Alarm, or Block, the system performs the protocol compliance checks. If the Enforcement Mode is set to Blocking and the violation is set to block, the system blocks requests that are not compliant with the selected HTTP protocol validations.

If you use automatic policy building, the system immediately enables the Learn, Alarm, and Block settings for the HTTP protocol compliance failed violation; also, the security policy immediately enables one of the HTTP protocol checks: Bad HTTP version (version 1.0 or later is required). After the system processes sufficient traffic from different users over a period of time, it enables other appropriate HTTP protocol checks.

If a request is too long and causes the Request length exceeds defined buffer size violation, the system stops validating protocol compliance for that request.
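As an added illustration of the ordering described in the three paragraphs above (checks run only when a flag is set, the Bad HTTP version check, and the request-length violation cutting compliance checking short), the model below is not F5 code; the buffer size and the check table are constructed for the example.

```python
"""Added model of the HTTP protocol compliance flow in this chapter, not F5
code.  REQUEST_BUFFER_SIZE is a constructed value, not an ASM default."""
import re

REQUEST_BUFFER_SIZE = 8192  # constructed example limit


def bad_http_version(request_line):
    """Subviolation 'Bad HTTP version': version missing or earlier than 1.0."""
    m = re.fullmatch(r"\S+ \S+ HTTP/(\d+)\.(\d+)", request_line)
    if not m:
        return True  # HTTP/0.9 style request line carries no version token
    return (int(m.group(1)), int(m.group(2))) < (1, 0)


# Only the check that automatic policy building enables first is modelled.
CHECKS = {"Bad HTTP version": bad_http_version}


def check_request(raw_request, enabled_checks, flags):
    """Return the violations raised for one raw request (bytes).

    flags is the (learn, alarm, block) tuple of the parent violation 'HTTP
    protocol compliance failed'.  The compliance checks run only if at least
    one flag is set.  A request longer than the buffer raises the length
    violation and compliance checking stops for that request.
    """
    raised = []
    if len(raw_request) > REQUEST_BUFFER_SIZE:
        raised.append("Request length exceeds defined buffer size")
        return raised  # protocol compliance is not validated further
    if not any(flags):
        return raised  # no Learn/Alarm/Block: checks are not performed
    request_line = raw_request.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    failed = [name for name in enabled_checks if CHECKS[name](request_line)]
    if failed:
        raised.append("HTTP protocol compliance failed")
        raised.extend(failed)  # subviolations listed under the parent
    return raised
```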

Configuring blocking actions for web services security

You can select which web services security errors must occur for the system to learn, log, or block requests that trigger the errors. These errors are sub-violations of the parent violation, Web Services Security failure.
  1. On the Main tab, click Security > Application Security > Blocking. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Adjust the Enforcement Mode setting if needed.
    • To block traffic that causes violations, select Blocking.
    • To leave traffic unblocked even when it causes violations (so you can confirm that legitimate traffic would not be blocked), select Transparent.
    You can only configure the Block flag if the enforcement mode is set to Blocking.
  4. Review the Web Services Security failure violation and adjust the Learn, Alarm, and Block flags as required.
  5. Click the Web Services Security failure violation link. The web services subviolations are displayed.
  6. Enable or disable the web services subviolations, as required.
  7. Click Save to save your settings.
  8. To put the security policy changes into effect immediately, click Apply Policy.

If a request causes one of the enabled errors to occur, web services security stops parsing the document. How the system reacts depends on how you configured the blocking settings for the Web Services Security failure violation:
  • If configured to Learn or Alarm when the violation occurs, the system does not encrypt or decrypt the SOAP message, and sends the original document to the web service.
  • If configured to Block when the violation occurs, the system blocks the traffic and prevents the document from reaching its intended destination.