You can configure how Application Security Manager handles requests that violate the security policy in several ways.
|Blocking actions||Blocking actions for each of the security policy violations, along with the enforcement mode, determine the action that will be taken when the violation occurs.|
|Evasion techniques||Sophisticated hackers have figured out coding methods that normal attack signatures do not detect. These methods are known as evasion techniques. Application Security Manager can detect the evasion techniques, and you can configure blocking properties for them.|
|HTTP Protocol Compliance||The system performs validation checks on HTTP requests to ensure that the requests are formatted properly. You can configure which validation checks are enforced by the security policy.|
|Web Services Security||You can configure which web services security errors must occur for the system to learn, log, or block requests that trigger the errors.|
|Response pages||When the enforcement mode of the security policy is blocking, and a request (or response) triggers a violation for which the Block action is enabled, the system returns the response page to the client. If you configure login pages, you can also configure a response page for blocked access.|
When the enforcement mode is set to transparent, traffic is not blocked even if a violation is triggered. The system typically logs the violation event (if the Learn flag is set on the violation). You can use this mode along with an enforcement readiness period when you first put a security policy into effect to make sure that no false positives occur that would stop legitimate traffic.
When the enforcement mode is set to blocking, traffic is blocked if it causes a violation (configured for blocking), and the enforcement readiness period is over. You use this mode when you are ready to enforce a security policy.
|Learn||If selected, the system generates learning suggestions for requests that trigger the violation.|
|Alarm||If selected, the system records requests that trigger the violation in the Charts screen, the system log (/var/log/asm), and possibly in local or remote logs (depending on the settings of the logging profile).|
|Block||If selected (and the enforcement mode is set to Blocking), the system blocks requests that trigger the violation.|
The system takes the following actions when the blocking actions are enabled.
|Learn||When the Learn flag is enabled for a violation, and a request triggers the violation, the system logs the request and generates learning suggestions. The system takes this action when the security policy is in either the transparent or blocking enforcement mode.|
|Alarm||When the Alarm flag is enabled for a violation, and a request triggers the violation, the system logs the request, and also logs a security event. The system takes this action when the security policy is in either the transparent or blocking enforcement mode.|
|Block||The Block flag blocks traffic when (1) the security policy is in the blocking enforcement mode, (2) a violation occurs, (3) the Block flag is enabled for the violation, and (4) the entity is enforced. The system sends the blocking response page (containing a Support ID to identify the request) to the client.|
|Select this Option||When You Want to|
|Learn||Generate learning suggestions for requests that trigger the violation.|
|Alarm||Record requests that trigger the violation in ASM Charts, the system log (/var/log/asm), and possibly in local or remote logs (depending on the logging profile settings).|
|Block||Block requests that trigger the violation (the enforcement mode must be set to Blocking).|
If the HTTP protocol compliance failed violation is set to Learn, Alarm, or Block, the system performs the protocol compliance checks. If the Enforcement Mode is set to Blocking and the violation is set to block, the system blocks requests that are not compliant with the selected HTTP protocol validations.
If you use automatic policy building, the system immediately enables the Learn, Alarm, and Block settings for the HTTP protocol compliance failed violation; also, the security policy immediately enables one of the HTTP protocol checks: Bad HTTP version (version 1.0 or later is required). After the system processes sufficient traffic from different users over a period of time, it enables other appropriate HTTP protocol checks.
If a request is too long and causes the Request length exceeds defined buffer size violation, the system stops validating protocol compliance for that request.