Manual Chapter : Configuring ASM with Local Traffic Policies

Applies To:

BIG-IP ASM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

Overview: Configuring ASM with local traffic policies

Application Security Manager™ applies security policy rules to traffic that is controlled and defined using a local traffic policy. To provide more flexibility in selecting the traffic, you can edit the local traffic policy and add rules to it.

This implementation shows how to create a security policy and edit the local traffic policy that is created with it. The example provided describes how to add rules to the local traffic policy so that the security policy applies only to administrative traffic beginning with /admin. No security policy applies to the other traffic.

Many other options are available for configuring local traffic policies with ASM. By following through the steps in this example, you can see the other options that are available on the screens, and can adjust the example for your needs.

About application security and local traffic policies

When you use Application Security Manager™ (ASM) to create a security policy attached to a virtual server, the BIG-IP® system automatically creates a local traffic policy. The local traffic policy forms a logical link between the local traffic components and the application security policy.

By default, the system automatically creates a simple local traffic policy that directs all HTTP traffic coming to the virtual server to the ASM™ security policy that you created. ASM examines the traffic to ensure that it meets the requirements of the security policy. If that is all you need to do, your task is done. If, however, you want more flexibility, such as applying different security policies depending on the type of traffic or disabling ASM for certain types of traffic, you can use the local traffic policy to do that.

Local traffic policies can include multiple rules. Each rule consists of a condition and one or more actions to be performed if the condition holds. So you can create a local traffic policy that works with ASM and includes multiple rules that do different things depending on the conditions you set up. In this type of traffic policy, the rules perform these actions:

  • Enable ASM enforcing a specific security policy
  • Disable ASM

For example, you may want a local traffic policy directed to a specific URL to enforce a security policy. As a default rule, all other traffic could disable ASM. You can also direct people using different aspects of an application (or different applications) to various security policies. Many other options are available for directing ASM traffic using local traffic policies.

About application security and manually adding local traffic policies

If you use the Deployment wizard to create a security policy not attached to a virtual server, the system creates the security policy but does not create a local traffic policy. However, you will need to have a virtual server and local traffic policy to select the traffic for the security policy to enforce.

In that case, you can develop the security policy, adding the features that you want to use. Without a virtual server, the system cannot build the security policy automatically until you have traffic going through. But you can manually develop the security policy.

When you are ready to enforce the security policy and start sending traffic through the system, create a virtual server with an http profile, and enable the security policy you created in the virtual server resources. When you save the virtual server, the system automatically creates a default local traffic policy that enforces the security policy on all traffic. You can edit the local traffic policy rules if you want more flexibility concerning how the security policies are implemented.

Creating a security policy automatically

Before you can create a security policy, you must perform the minimal system configuration tasks including defining a VLAN, a self IP address, and other tasks required according to the needs of your networking environment.
Application Security Manager™ can automatically create a security policy that is tailored to secure your web application.
  1. On the Main tab, click Security > Application Security > Security Policies .
    The Active Policies screen opens.
  2. Click the Create button.
    The Deployment wizard opens to the Select Local Traffic Deployment Scenario screen.
  3. For the Local Traffic Deployment Scenario setting, specify a virtual server to use for the security policy.
    • To secure an existing virtual server that has no security policy associated with it, select Existing Virtual Server and click Next.
    • To create a new virtual server and pool with basic configuration settings, select New Virtual Server and click Next.
    • To create an active but unused security policy, select Do not associate with Virtual Server and click Next. No traffic will go through this security policy until you associate it with a virtual server. The Policy Builder cannot begin automatically creating a policy until traffic is going to ASM through the virtual server.
    The virtual server represents the web application you want to protect.
    The Configure Local Traffic Settings screen opens if you are adding a virtual server. Otherwise, the Select Deployment Scenario screen opens.
  4. If you are adding a virtual server, configure the new or existing virtual server, and click Next.
    • If creating a new virtual server, specify the protocol, virtual server name, virtual server destination address and port, pool member IP address and port, and the logging profile.
    • If using an existing virtual server, it must have an HTTP profile and cannot be associated with a local traffic policy. Specify the protocol and virtual server.
    • If you selected Do not associate with Virtual Server, you will have to manually associate the security policy with a virtual server at a later time. On the policy properties screen, you need to specify a name for the security policy.
    The Select Deployment Scenario screen opens.
  5. For Deployment Scenario, select Create a security policy automatically and click Next.
    The Configure Security Policy Properties screen opens.
  6. In the Security Policy Name field, type a name for the policy.
  7. From the Application Language list, select the language encoding of the application, or use Auto detect and let the system detect the language.
    Important: You cannot change this setting after you have created the security policy.
  8. If the application is not case-sensitive, clear the Security Policy is case sensitive check box. Otherwise, leave it selected.
    Important: You cannot change this setting after you have created the security policy.
  9. If you do not want the security policy to distinguish between HTTP/WebSocket and HTTPS/WebSocket Secure URLs, clear the Differentiate between HTTP/WS and HTTPS/WSS URLs check box. Otherwise, leave it selected.
  10. Click Next.
    The Configure Attack Signatures screen opens.
  11. To configure attack signatures, move the systems used by your web application from the Available Systems list into the Assigned Systems list.
    The system adds the attack signatures needed to protect the selected systems.
  12. For the Signature Staging setting, verify that the default option Enabled is selected.
    Note: Because ASM begins building the security policy in Blocking mode, you can keep signature staging enabled so you can check whether legitimate traffic is being stopped to reduce the chance of false positives.
    New and updated attack signatures remain in staging for 7 days, and are recorded but not enforced (according to the learn, alarm, and block flags in the attack signatures configuration) during that time.
  13. Click Next.
    The Configure Automatic Policy Building screen opens.
  14. For Policy Type, select an option to determine the security features to include in the policy.
    Bulleted lists on the screen describe the exact security features that are included in each type.
    • Fundamental: Creates a robust security policy that is appropriate for most applications.
    • Enhanced: Creates a more specific security policy with additional customization such as learning URLs, cookies, and content profiles; includes tracking of user login sessions and brute force protection.
    • Comprehensive: Creates the most secure policy providing the greatest amount of customization, including all the Enhanced features and more traffic classification at the parameter and URL levels, dynamic parameters, and CSRF URLs.
  15. For the Policy Builder Learning Speed setting, select how fast to generate suggestions for the policy.
    • Fast: Use if your application supports a small number of requests from a small number of sessions; for example, useful for web sites with less traffic. Policy Builder requires fewer unique traffic samples to make decisions in Automatic Learning Mode, or to reach a high learning score. However, choosing this option may present a greater chance of adding false entities to the security policy.
    • Medium: Use if your application supports a medium number of requests, or if you are not sure about the amount of traffic on the application web site. This is the default setting.
    • Slow: Use if your application supports a large number of requests from many sessions; for example, useful for web sites with lots of traffic. Policy Builder requires a large amount of unique traffic samples to make decisions in Automatic Learning Mode, or to reach a high learning score. This option creates the most accurate security policy, but it takes Policy Builder longer to collect the statistics.
    Based on the option you select, the system sets greater or lesser values for the number of different user sessions, different IP addresses, and length of time before it adds suggestions to the security policy and, if you are using automatic learning, enforces the elements.
  16. For Trusted IP Addresses, select which IP addresses to consider safe:
    • All: Specifies that the policy trusts all IP addresses. This option is recommended for traffic in a corporate lab or preproduction environment where all of the traffic is trusted. The policy is created faster when you select this option.
    • Address List: Specifies networks to consider safe. Fill in the IP Address and Netmask fields, then click Add. This option is typically used in a production environment where traffic could come from untrusted sources. The IP Address can be either an IPv4 or an IPv6 address.
    If you leave the trusted IP address list empty, the system treats all traffic as untrusted. In general, it takes more untrusted traffic, from different IP addresses, over a longer period of time to build a security policy.
  17. If you want to display a response page when an AJAX request does not adhere to the security policy, select the AJAX blocking response behavior check box.
  18. Click Next.
    The Security Policy Configuration Summary opens where you can review the settings to be sure they are correct.
  19. Click Finish to create the security policy.
    The Policy Properties screen opens.
ASM™ creates the virtual server with an HTTP profile (or associates an existing one), and on the Security tab, Application Security Policy is enabled and associated with the security policy you created. A local traffic policy is also created and by default sends all traffic for the virtual server to ASM. The Policy Builder automatically begins examining the traffic to the web application and making suggestions for building the security policy (unless you did not associate a virtual server). The system sets the enforcement mode of the security policy to Blocking, but it does not block requests until the Policy Builder processes sufficient traffic, adds elements to the security policy, and enforces the elements.
Tip: This is a good point at which to test that you can access the application being protected by the security policy and check that traffic is being processed correctly by the BIG-IP® system.

Creating local traffic policy rules for ASM

Before you can use the local traffic policy with ASM™, you need a security policy associated with a virtual server.
You can add rules to define conditions and perform specific actions for different types of application traffic in a local traffic policy. This example creates two rules to implement different security protection for different traffic.
  1. On the Main tab, click Local Traffic > Policies .
  2. Click the name of the local traffic policy that was created automatically. The name is asm_auto_l7_policy__name where name is the name of the security policy.
  3. To edit the policy, click Create Draft.
  4. In the Draft Policies list, click the name of the draft policy.
  5. In the Rules area, click Create to create a rule that defines when traffic is handled by the security policy.
  6. In the Name field, type the name admin.
  7. In the Match all of the following conditions area, click + and specify these conditions:
    1. For the first condition, select HTTP URI.
    2. For the second condition, select path.
    3. For the third condition, select begins with.
    4. For the fourth condition, in the field below any of, type /admin and click Add.
    This rule looks for requests with a URI that begins with /admin.
  8. In Do the following when the traffic is matched, click + and specify the actions:
    1. For the first action, select Enable.
    2. For the second action, select asm.
    3. Next to for policy, select the security policy you created.
  9. Click Save to add the rule to the local traffic policy.
    The admin rule is added to the list.
  10. In the Rules area, click the rule called default.
    The default rule was added to the local traffic policy when the system created it.
    The screen displays the General Properties of the rule.
  11. To change the default action for all other traffic, in the Do the following when the traffic is matched area, edit the action that is shown there.
    1. For the first action, select Disable.
    2. For the second action, select asm.
    3. To save the rule, click Save.
    The default rule now disables ASM protection for other traffic.
  12. To save the updated policy, click Save Draft.
    The Policy List Page opens.
  13. Select the check box next to the draft policy you edited, and click Publish.
You have edited and published the local traffic policy so that administrative traffic must meet the security policy you assigned to it. But other traffic is not subject to that security policy.
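Before publishing a policy like this one, it helps to see which application URLs end up without ASM inspection once the default rule is set to Disable. The following is an added example, not part of the F5 manual and not BIG-IP code: a small Python model of the two rules created above, run over a constructed URL inventory. It assumes rules are evaluated in order with the first match winning and that the begins with condition is a literal prefix comparison on the URI path; the function names and the inventory are hypothetical.

```python
from urllib.parse import urlsplit

# Model of the published local traffic policy from the steps above, in rule order.
# Assumption: first matching rule wins. path_prefixes=None means "no condition",
# which is how the default rule catches all remaining traffic.
RULES = [
    {"name": "admin", "path_prefixes": ["/admin"], "asm": "enable"},
    {"name": "default", "path_prefixes": None, "asm": "disable"},
]

def match_rule(uri, rules=RULES):
    """Return the first rule whose condition holds for this request URI."""
    # The condition is "HTTP URI > path", so the query string is not compared.
    path = urlsplit(uri).path
    for rule in rules:
        prefixes = rule["path_prefixes"]
        if prefixes is None or any(path.startswith(p) for p in prefixes):
            return rule
    return None

def coverage(uris, rules=RULES):
    """Map each URI to (matching rule name, ASM action)."""
    report = {}
    for uri in uris:
        rule = match_rule(uri, rules)
        report[uri] = (rule["name"], rule["asm"]) if rule else (None, "no-match")
    return report

def unprotected(uris, rules=RULES):
    """List the URIs that would reach the application without ASM enforcement."""
    return [u for u, (_, asm) in coverage(uris, rules).items() if asm != "enable"]

# Constructed URL inventory for illustration; replace with your application's URLs.
INVENTORY = [
    "/admin",
    "/admin/users?id=7",
    "/administrator/index.php",  # shares the /admin prefix, so the admin rule matches
    "/login",
    "/api/v1/orders",
    "/search?next=/admin",       # /admin appears only in the query string
]

if __name__ == "__main__":
    for uri, (name, asm) in coverage(INVENTORY).items():
        print(f"{asm:8} {name:8} {uri}")
    print("No ASM enforcement:", unprotected(INVENTORY))
```

Any URL listed as having no ASM enforcement receives no security policy checks under this configuration, so confirm that each one is intended to bypass ASM before you click Publish.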

Implementation results

When you have completed the steps in this implementation, you have configured the Application Security Manager™ (ASM) to enforce security policy rules only on traffic with a URI beginning with /admin. All other traffic bypasses ASM™.

This is simply one way to illustrate how you can use a local traffic policy to determine different conditions and specify multiple actions instead of having all traffic treated the same way. We encourage you to explore the local traffic policy options and documentation to learn how to use this flexible feature to best suit your needs.