General policy building settings determine how a security policy is built for both automatic policy building and manual policy building. The settings define the type of policy to create, and what level of Learning suggestions to provide based on real traffic. You can specify the circumstances under which the system adds or suggests that you add explicit entities to the security policy. The settings also let you determine at which level (global or URL) to add parameters to the policy.
|Fundamental||Provides security at a level that is appropriate for most organizations, creating a robust security policy, which is highly maintainable and quick to configure. This is the default setting.|
|Enhanced||Provides extra customization, creating a security policy with more granularity.|
|Comprehensive||Provides the highest level of customization, creating a security policy with more granularity, but it may take longer to configure.|
|Vulnerability Assessment||Specifies a security policy that is built using the recommendations from a vulnerability assessment tool. By default, the system does not add explicit entities, leaving that to the tool. (Only available if a vulnerability assessment tool is selected on the Vulnerability Assessments Settings screen.)|
|Custom||Provides the level of security that you specify when you adjust settings such as which security policy elements are included in the security policy. The policy type changes to Custom if you change any of the default settings for a policy type.|
The elements that are currently in the security policy remain in the policy. From this point on, the security policy is built according to the new policy type you have selected.
The elements that the system adds to a security policy depend on the policy type you select for automatic policy building. You can set the policy type when creating the security policy in the Deployment wizard or later by modifying the policy settings (. When the policy type is set or modified, the Application Security Manager (ASM) assigns the Explicit Entities Learning settings as follows.
|Security policy element||Fundamental||Enhanced||Comprehensive||Vulnerability Assessment|
|File Types||Add All Entities||Add All Entities||Add All Entities||Never (wildcard only)|
|URLs||Never (wildcard only)||Selective||Add All Entities||Never (wildcard only)|
|Parameters||Selective (wildcard only)||Selective||Add All Entities||Never (wildcard only)|
|Cookies||Never (wildcard only)||Selective||Selective||Never (wildcard only)|
|Redirection Domains||Add All Entities||Add All Entities||Add All Entities||Add All Entities|
|Add All Entities||The Policy Builder includes all of the website entities. This option creates a large set of security policy entities with a granular object level configuration and high security level.|
|Selective||This option applies only to the * wildcard. When false positives occur, the system adds or suggests adding an explicit entity with relaxed settings. This option provides a good balance between security, policy size, and ease of maintenance.|
|Never (Wildcard Only)||When false positives occur, the system suggests relaxing the settings of the wildcard entity. This option creates a security policy that is easy to manage but may result in overall relaxed application security.|
Depending on which policy type you select, ASM includes a different set of policy elements in the Automatic Policy Building Settings.
|Security Policy element||Fundamental||Enhanced||Comprehensive||Vulnerability Assessment|
|HTTP Protocol Compliance||Yes||Yes||Yes||Yes|
|Evasion Techniques Detected||Yes||Yes||Yes||Yes|
|File Type Lengths||Yes||Yes||Yes||No|
|Attack Signatures (Applies to policy, parameter, content profile, and cookie signatures)||Yes||Yes||Yes||Yes|
|URL Meta Characters||No||Yes||Yes||No|
|Parameter Name Meta Characters||No||No||Yes||No|
|Parameter Value Lengths||No||Yes||Yes||No|
|Value Meta Characters (for Parameters and Content Profiles)||No||No||Yes||No|
|Request Length Exceeds Defined Buffer Size||Yes||Yes||Yes||No|
|Failed to Convert Character||Yes||Yes||Yes||Yes|
|Automatically detect advanced protocols||No||No; but Yes if JSON/XML payload detection selected||No; but Yes if JSON/XML payload detection selected||No|
You can adjust the explicit entities learning settings for file types, URLs, parameters, cookies, and redirection domains. Explicit learning settings specify when Real Traffic Policy Builder adds, or suggests you add, explicit entities to the security policy.
|Never (wildcard only)||Specifies that when false positives occur, the system suggests relaxing the settings of the wildcard. This option results in a security policy that is easy to manage, but is not as strict. If Policy Builder is running, it does not add explicit entities that match a wildcard to the security policy. The wildcard entity remains in the security policy. The Policy Builder changes the attributes of any matched wildcard. If not running, Policy Builder suggests changing the attributes of matched wildcard entities, but does not suggest you add explicit entities that match the wildcard entity.|
|Selective||Applies only to * wildcard entity. When false positives occur, adds an explicit entity with relaxed settings. This option serves as a good balance between security, policy size, and ease of maintenance. If Policy Builder is running, it adds explicit entities that do not match the attributes of the * wildcard, and does not remove the * wildcard. If Policy Builder is not running, the system suggests adding explicit entities that match the * wildcard. (Option not applicable to Redirection Domains.)|
|Add All Entities||Creates a comprehensive whitelist policy that includes all web site entities. This option results in a large, more granular configuration with stricter security. If Policy Builder is running, it adds explicit entities that match a wildcard to the security policy. When the security policy is stable, the * wildcard is removed. If Policy Builder is not running, the system suggests adding explicit entities that match the wildcard.|
The security policy now learns new file types, parameters, URLs, cookies, and redirection domains according to the explicit learning settings you specified.
You can adjust how the system determines what parameters it adds (automatic policy building) or suggests you add (manual policy building) to the security policy. In most cases, you do not need to change the default values of these settings.
|Global||Add parameters at the global level for all URLs in the security policy. Make learning suggestions based on the properties of entities that already exist in the security policy. Default value for Fundamental and Enhanced policy types.|
|URL||Add parameters at the URL level, only for specific URLs. Make
learning suggestions based on real traffic. Default value for
Note: This option applies only to the attack signature and illegal meta character violations.
The security policy now adds parameters according to the level you specified.