Manual Chapter: Essential Configuration Tasks

This chapter is your guide to the essential configuration tasks you must complete to initially create and refine a standard security policy for a web application on the Application Security Manager. Implementing a security policy for a web application has two phases: setting up the local traffic network, and creating the application security configuration. The phase one configuration tasks are:

- Define a local traffic pool.
  The local traffic pool contains the web server or application server resources that host the web application that you want to protect with a security policy. You create the local traffic pool, and then associate the pool with an application security class. See Defining a local traffic pool, for more information.
- Define an application security class.
  When you define an application security class, the system automatically creates a corresponding web application and a default security policy in the Application Security Manager. See Defining an application security class, for more information.
- Define a local traffic virtual server that uses the application security class as a resource.
  The local traffic virtual server load balances the network resources that host the web application you are securing. The application security class is the bridge that links the security policy to the web application traffic through the virtual server. You configure the virtual server, and then associate the application security class with the virtual server. See Defining a local traffic virtual server, for more information.
- Run the Deployment Wizard.
  The quickest way to create a security policy is to use the Deployment Wizard. Using the Deployment Wizard, you fully configure a security policy, based on one of several typical deployment scenarios. Note that this is the best way to initially configure a security policy. See Running the Deployment Wizard, for more information.
- Periodically review the security policy settings.
  To ensure that the security policy is providing adequate application security, review the requests, monitoring, and statistics information on a regular basis. See Maintaining and monitoring the security policy, for more information.
This chapter describes the general tasks that you perform to configure a security policy for a web application hosted on a local traffic virtual server. The chapter does not address specific deployments or environments. For additional implementations that address the needs of a particular environment, refer to the BIG-IP® Application Security Manager: Implementations guide, which is available in the AskF5℠ Knowledge Base, https://support.f5.com.
Important: The tasks described in this chapter begin after you have installed the BIG-IP system, activated the license, and configured the appropriate network settings. If you have not yet completed these activities, refer to the Installation, Licensing, and Upgrades for BIG-IP® Systems guide, and the BIG-IP® Network and System Management Guide for additional information. Both of these guides are available at https://support.f5.com.
The first essential configuration task is to define a local traffic pool. The local traffic pool contains the resources that host the actual web application content that you want to protect with the security policy.
Important: The following procedure outlines only the basic pool configuration. For detailed information on configuring pools, refer to the Configuration Guide for BIG-IP® Local Traffic Management, which is available in the AskF5℠ Knowledge Base, https://support.f5.com.
1. On the Main tab of the navigation pane, expand Local Traffic, and then click Pools.
   The Pool List screen opens.
2. Click the Create button.
   The New Pool screen opens.
3. In the Configuration area, in the Name box, type a name for the pool.
4. In the Resources area, for the New Members setting, in the Address box, type the IP address for the web server or application server that hosts the web application.
5. In the Service Port box, type the service port number (for example, type 80 for the HTTP service), or select a service name from the list.
6. Click the Add button to add the resource to the New Members list.
7. Click the Finished button.
   The screen refreshes and the system displays the new pool in the pools list.
The second essential configuration task is to configure an application security class. An application security class is the logical bridge, or link, between the local traffic components and the application security components of the BIG-IP system. You use the application security class to specify to which incoming HTTP traffic the system applies application security before the virtual server forwards the traffic to the web application. When you configure an application security class, the system automatically creates a default web application and a corresponding security policy on the Application Security Manager. See Chapter 3, Working with Application Security Classes, for more information on application security classes.
1. On the Main tab of the navigation pane, in the Application Security section, click Classes.
   The HTTP Class Profiles screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
3. In the General Properties area, in the Name box, type a name for the application security class.
5. In the Actions area, for the Send To setting, select Pool.
   The screen refreshes, and you see additional settings.
6. For the Pool setting, select the local traffic pool that you created.
7. Click Finished.
   The system adds the class, the default web application, and the corresponding security policy to the configuration, and displays the HTTP Class Profiles screen.
Note: In the Configuration utility, the application security class and the HTTP Class Profile are different labels for the same object. The difference between the two objects is that, for the application security class, the Application Security setting is enabled by default. If you disable the Application Security setting on an application security class, you effectively turn off application security for the associated web application.
The next essential configuration task is to define a virtual server on the local area network. The virtual server processes the incoming traffic, which includes applying the application security class to incoming HTTP traffic.
Important: The following procedure outlines only the basic virtual server configuration. For detailed information on virtual servers, including SSL virtual servers, and other local traffic components, refer to the Configuration Guide for BIG-IP® Local Traffic Management, which is available in the AskF5℠ Knowledge Base, https://support.f5.com.
1. On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
   The Virtual Server List screen opens.
2. Click the Create button.
   The New Virtual Server screen opens.
3. In the Name box, type a name for the virtual server.
4. In the Destination option, select Host, and type an IP address.
5. In the Service Port box, type 80. Alternately, you can select HTTP from the list.
6. In the Configuration section, from the HTTP Profile list, select http.
7. In the Resources section, for the HTTP Class Profiles setting, from the Available list, select the application security class that you created, and click the Move button (<<) to add the class to the Enabled list.
8. Click Finished.
   The system updates the configuration, and the Virtual Server List screen opens, where you can see your newly created virtual server.
Important: For virtual servers that load balance resources for a web application that is protected by the Application Security Manager, you must configure an HTTP profile in addition to the application security class. Refer to steps 6 and 7 in the previous procedure.
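The dependency chain that the three procedures above build (pool, application security class, virtual server with an HTTP profile) can be checked mechanically. The following is an added example, not part of the original manual or of any F5 tool: it audits a constructed inventory whose field names are hypothetical and do not represent a BIG-IP export format, and it flags virtual servers where application security would not be applied.

```python
# Constructed inventory. The field names are hypothetical and are not a
# BIG-IP export format; they mirror the objects created in this chapter.
INVENTORY = {
    "pools": {"web_pool": ["10.10.10.5:80"], "empty_pool": []},
    "classes": {
        "asm_class": {"application_security": True, "pool": "web_pool"},
        "asm_off": {"application_security": False, "pool": "web_pool"},
        "asm_nopool": {"application_security": True, "pool": "empty_pool"},
    },
    "virtual_servers": {
        "vs_ok": {"http_profile": "http", "http_classes": ["asm_class"]},
        "vs_no_http": {"http_profile": None, "http_classes": ["asm_class"]},
        "vs_asm_off": {"http_profile": "http", "http_classes": ["asm_off"]},
        "vs_empty_pool": {"http_profile": "http", "http_classes": ["asm_nopool"]},
    },
}


def audit_virtual_server(name, inv):
    """Return the gaps in one virtual server's chain; [] means complete."""
    vs = inv["virtual_servers"][name]
    findings = []
    if not vs.get("http_profile"):
        findings.append("no HTTP profile")
    protected = []
    for cname in vs.get("http_classes", []):
        cls = inv["classes"].get(cname)
        if cls is None:
            findings.append(f"unknown class {cname}")
        elif cls["application_security"]:
            protected.append(cname)
            # A pool that is missing or has no members cannot serve traffic.
            if not inv["pools"].get(cls["pool"]):
                findings.append(f"class {cname} sends to empty or missing pool")
    if not protected:
        findings.append("no class with Application Security enabled")
    return findings


def audit_all(inv):
    """Audit every virtual server in the inventory."""
    return {name: audit_virtual_server(name, inv) for name in inv["virtual_servers"]}


if __name__ == "__main__":
    for vs_name, gaps in audit_all(INVENTORY).items():
        print(vs_name, "OK" if not gaps else "; ".join(gaps))
```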
Once you have completed the phase one tasks, which set up the local area network, you are ready for the phase two tasks. The phase two tasks include configuring the security policy, and monitoring the security policy.
The most efficient way to build a security policy for a new web application is to use the Deployment Wizard. The Deployment Wizard automates the fundamental tasks required to initially build and deploy a security policy. The Deployment Wizard uses several deployment scenarios, which represent several typical environments that use application security, to guide you through the configuration process. The deployment scenarios include:
Important: You can run the Deployment Wizard only for new, unconfigured web applications, so do not set the language encoding for a new web application if you want to use the Deployment Wizard.
1. On the Main tab of the navigation pane, expand Application Security and click Web Applications.
   The Web Applications screen opens.
2. Click the Set Language link for the new web application.
   The Web Application Properties screen opens.
3. In the Deployment Wizard area, click the Run Deployment Wizard button.
   The ASM Deployment Wizard starts.
To run the Deployment Wizard for a specific deployment scenario, refer to the BIG-IP® Application Security Manager: Implementations guide, which is available on the AskF5℠ web site, https://support.f5.com.
The Application Security Manager provides many reporting and monitoring tools, so that you can view and analyze the violations that the system detects in the traffic through the web application. By actively using the reporting and monitoring tools, you can be assured that your web applications are fully protected. For additional information and details about the reporting tools, refer to Chapter 14, Working with the Reporting Tools.
3. On each screen, you can use the Filter option to customize and refine the reports.