You can configure how Application Security Manager™ handles requests that violate the security policy in several ways.
|Blocking actions||Blocking actions for each of the security policy violations, along with the enforcement mode, determine the action that will be taken when the violation occurs. If a violation set to alarm or block occurs on an entity that is in staging, it is not enforced.|
|Evasion techniques||Sophisticated hackers have figured out coding methods that normal attack signatures do not detect. These methods are known as evasion techniques. You can choose which evasion techniques you want Application Security Manager to identify, and configure blocking actions that occur if any of the selected techniques is detected.|
|HTTP Protocol Compliance||The system performs validation checks on HTTP requests to ensure that the requests are formatted properly. You can configure which validation checks are enforced by the security policy.|
|Web Services Security||You can configure which web services security errors must occur for the system to learn, log, or block requests that trigger the errors.|
|Response pages||When the enforcement mode of the security policy is blocking, and a request (or response) triggers a violation for which the Block action is enabled, the system returns the response page to the client. If you configure login pages, you can also configure a response page for blocked access.|
When the enforcement mode is set to transparent, traffic is not blocked even if a violation is triggered. The system typically logs the violation event (if the Learn flag is set on the violation). You can use this mode along with an enforcement readiness period when you first put a security policy into effect to make sure that no false positives occur that would stop legitimate traffic.
When the enforcement mode is set to blocking, traffic is blocked if it causes a violation that is configured for blocking and the enforcement readiness period is over. You can use this mode when you are ready to enforce a security policy.
|Option||What happens when selected|
|Learn||The system generates learning suggestions for requests that trigger the violation. Learning suggestions are not generated for requests that return HTTP responses with 400 or 404 status codes.|
|Alarm||The system marks requests that trigger the violation as illegal. The system also records illegal requests in the Charts screen, the system log (/var/log/asm), and possibly in local or remote logs (depending on the settings of the logging profile).|
|Block||The system blocks requests that trigger the violation when (1) the security policy is in the blocking enforcement mode, (2) a violation occurs, and (3) the entity is enforced. The system sends the blocking response page (containing a Support ID to identify the request) to the client.|
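The following added example (not F5 code and not part of the original documentation) models how the enforcement mode, the Learn, Alarm, and Block flags, and entity staging combine for a single violating request, as described above. The names `Flags`, `Outcome`, and `evaluate` are hypothetical, and the model assumes that staging does not suppress learning, which the text does not state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flags:
    """Per-violation blocking settings (the Learn / Alarm / Block options)."""
    learn: bool = False
    alarm: bool = False
    block: bool = False

@dataclass(frozen=True)
class Outcome:
    learning_suggestion: bool  # Learn: a learning suggestion is generated
    marked_illegal: bool       # Alarm: request marked illegal and logged
    blocked: bool              # Block: blocking response page is returned

def evaluate(mode: str, flags: Flags, in_staging: bool, status: int = 200) -> Outcome:
    """Outcome for one request that triggered one violation.

    mode       -- policy enforcement mode: "transparent" or "blocking"
    in_staging -- True while the entity is still in staging
    status     -- HTTP status of the response returned for the request
    """
    if mode not in ("transparent", "blocking"):
        raise ValueError(f"unknown enforcement mode: {mode!r}")
    # Learn: no suggestion for requests whose response is 400 or 404.
    # Assumption (not stated on the page): staging does not suppress learning.
    learning = flags.learn and status not in (400, 404)
    # Alarm and Block are not enforced on an entity that is in staging.
    enforced = not in_staging
    marked = flags.alarm and enforced
    # Block needs all three: blocking mode, the Block flag, an enforced entity.
    blocked = flags.block and enforced and mode == "blocking"
    return Outcome(learning, marked, blocked)

if __name__ == "__main__":
    full = Flags(learn=True, alarm=True, block=True)
    learn_alarm = Flags(learn=True, alarm=True)
    # Constructed scenarios: (mode, flags, in_staging, response status)
    for mode, flags, staging, status in [
        ("transparent", full, False, 200),   # Block flag has no effect
        ("blocking", full, True, 200),       # staging: nothing enforced
        ("blocking", full, False, 200),      # fully enforced
        ("blocking", learn_alarm, False, 404),  # alarm only, no suggestion
    ]:
        print(mode, staging, status, evaluate(mode, flags, staging, status))
```

Running the scenarios side by side shows why a violation with Block selected can still pass traffic: either the policy is in transparent mode or the entity is still in staging.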
|Select this Option||When You Want to|
|Learn||Generate learning suggestions for requests that trigger the violation.|
|Alarm||Record requests that trigger the violation in ASM Charts, the system log (/var/log/asm), and possibly in local or remote logs (depending on the logging profile settings).|
|Block||Block requests that trigger the violation (the enforcement mode must be set to Blocking).|
If the HTTP protocol compliance failed violation is set to Learn, Alarm, or Block, the system performs the protocol compliance checks. If the enforcement mode is set to Blocking and the violation is set to Block, the system blocks requests that are not compliant with the selected HTTP protocol validations.
If a request is too long and causes the Request length exceeds defined buffer size violation, the system stops validating protocol compliance for that request.