Manual Chapter: Working with Application Security Classes

An application security class is the logical bridge, or link, between the local traffic components and the application security components. You create one or more application security classes, and then assign them as resources for one or more local traffic virtual servers. When the virtual server receives an HTTP request, it applies the application security classes, in the listed order, and if the traffic classifiers find a match in the request, the system routes the request to the Application Security Manager.
In the application security class, the traffic classifiers specify which incoming HTTP traffic should be routed through the Application Security Manager. The traffic classifiers use different elements of an HTTP request, including host header values, URI paths, other headers and values, and cookie names (or a combination of all of these), to determine which requests go to the Application Security Manager. For requests that match the traffic classifiers, the Application Security Manager applies the active security policy to the designated traffic, and processes the traffic according to the security policy settings.
When you configure an application security class, the system automatically creates a default web application and security policy in the Application Security Manager configuration. You can create several application security classes for your web site, so that you can apply different security policies to different aspects of your web application. Note that while you can create several security policies for your web application, you can have only one active security policy for each web application.
The application security class and the HTTP class profile are two names for the same basic object in the Configuration utility. The primary difference between the two objects is that when you configure an application security class, the system automatically enables the Application Security setting within the application security class. For HTTP class profiles, you must explicitly enable the Application Security setting within the profile, as well as enabling all of the option settings for this object. You configure application security classes from the Application Security section of the Main tab on the navigation pane. You configure HTTP class profiles from the Profiles link in the Local Traffic section of the Main tab. (For information on the generic HTTP class profile, see the Managing Protocol Profile chapter, in the Configuration Guide for BIG-IP® Local Traffic Management.)
Tip: We recommend that you create the application security classes from the Application Security section on the Main tab of the navigation pane so that the system automatically enables the application security options for you.
1. On the Main tab of the navigation pane, in the Application Security section, click Classes.
   The HTTP Class list screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
3. Type a name for the application security class.
   Note that in the application security configuration, the corresponding web application and security policy also use this name.
7. In the Pool setting, select the local traffic pool that contains the web server resources for your web application.
   Note: If you have not already configured a local traffic pool, refer to Configuring Load Balancing Pools, in the Configuration Guide for BIG-IP® Local Traffic Management.
8. Click Finished.
   The system adds the new application security class, and its corresponding web application and security policy, to the configuration, and displays the HTTP Class Profiles list screen.
You can use the traffic classifiers in the application security class to specify exactly which traffic goes through the Application Security Manager before it reaches the web application resources. The traffic classifiers perform pattern matching against HTTP requests, based either on wildcard strings or on regular expressions. When the traffic classifier finds a match in an HTTP request, the system forwards that request to the Application Security Manager. The Application Security Manager then applies the active security policy to the request.
The traffic classifiers perform pattern matching using either literal strings or regular expressions. The literal strings can include wildcard characters, such as asterisk (*) or question mark (?). The regular expressions use the Tcl regular expression syntax. You can use a mixture of matching types within each traffic classifier.
Note: Pattern-matching traffic classifiers are case-sensitive; that is, www.F5.com is not the same as www.f5.com. See the F5 Dev Central web site, http://devcentral.f5.com, for information on Tcl expressions and syntax.
You can configure one or more traffic classifiers in each application security class. If a traffic classifier has multiple entries in its list, the system checks the entries until it finds a match, and forwards the request when it does; the request does not have to match all of the entries in the list. If you configure more than one type of classifier (for example, both a URI path and a header traffic classifier), the system forwards to the Application Security Manager only the traffic that matches both traffic classifier types.
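The matching rules described above (case-sensitive entries, any one entry within a list, every configured classifier type) are modeled below in Python as an added example; this is not F5 code. It assumes Python's `re` and `fnmatchcase` as stand-ins for Tcl regular expressions and wildcard pattern strings, and the class, host names and requests are constructed samples.

```python
import re
from fnmatch import fnmatchcase

REGEX_PREFIX = "(regex)"  # the page says the system prepends this to regex entries

def entry_matches(entry, value):
    """Case-sensitive match of one list entry against one request value."""
    if entry.startswith(REGEX_PREFIX):
        # Assumption: Python's re stands in for the Tcl regex engine.
        return re.search(entry[len(REGEX_PREFIX):].strip(), value) is not None
    return fnmatchcase(value, entry)  # pattern string with * and ? wildcards

def classifier_values(request):
    """Extract the values each classifier type is compared against."""
    headers = request["headers"]
    cookies = [c.split("=", 1)[0].strip() for c in headers.get("Cookie", "").split(";")]
    return {
        "hosts": [headers.get("Host", "")],
        "uri_paths": [request["path"]],
        "headers": [f"{k}:{v}" for k, v in headers.items() if k != "Cookie"],
        "cookies": [c for c in cookies if c],
    }

def routed_to_asm(security_class, request):
    """AND across configured classifier types, OR across entries within a list."""
    values = classifier_values(request)
    return all(
        any(entry_matches(e, v) for e in entries for v in values[kind])
        for kind, entries in security_class.items() if entries
    )

def req(host, path):
    return {"path": path, "headers": {"Host": host}}

# Constructed sample class and requests (hypothetical names and addresses).
SAMPLE_CLASS = {
    "hosts": ["www.example.com", r"(regex)^shop[0-9]+\.example\.com$"],
    "uri_paths": ["/store/*"],
}
SAMPLE_REQUESTS = {
    "exact host, store path": req("www.example.com", "/store/cart"),
    "regex host, store path": req("shop12.example.com", "/store/"),
    "host differs in case": req("WWW.Example.com", "/store/cart"),
    "IP address as Host": req("192.0.2.10", "/store/cart"),
    "valid host, other path": req("www.example.com", "/info/about"),
}

def coverage_report(security_class=SAMPLE_CLASS, requests=SAMPLE_REQUESTS):
    return {name: routed_to_asm(security_class, r) for name, r in requests.items()}
```

Requests that map to False are not forwarded to the Application Security Manager by this class, so running the expected host and path variants through such a model shows which entries a Host List or URI Path List still needs.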
You can use the Hosts traffic classifier to specify hosts whose traffic you want to direct through the Application Security Manager. When you use the Hosts traffic classifier, the system performs pattern matching against the information contained in the Host header in a request.
Tip: Just by configuring the valid host headers for the web application, you acquire immunity to most of the worms that are spread by an IP address as a value in the Host header.
1. On the Main tab of the navigation pane, in the Application Security section, click Classes.
   The HTTP Class list screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
5. In the Configuration area, for the Hosts setting, select Match Only.
   The screen refreshes, and displays the Host List.
6. Add hosts to the Host List as needed.
7. Select the Entry Type, either Pattern String or Regular Expression (regex). When you select Regular Expression (regex), the system prepends (regex) when you add the object to the list.
9. Click Finished.
   The system adds the new application security class, the corresponding web application, and a default security policy to the configuration, and displays the HTTP Class Profiles list screen.
You can use the URI Paths traffic classifier to specify one or more URI paths whose requests you want to direct through the Application Security Manager. When you use the URI Paths traffic classifier, the system performs pattern matching against the URI path in a request.
1. On the Main tab of the navigation pane, in the Application Security section, click Classes.
   The HTTP Class list screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
5. In the Configuration area, for the URI Paths setting, select Match Only.
   The screen refreshes, and displays the URI Path List.
6. Add URIs to the URI Path List as needed.
7. Select the Entry Type, either Pattern String or Regular Expression (regex). When you select Regular Expression (regex), the system prepends (regex) when you add the object to the list.
9. Click Finished.
   The system adds the new application security class, the corresponding web application, and a default security policy to the configuration, and displays the HTTP Class Profiles list screen.
You can use the Headers traffic classifier to specify one or more headers whose associated requests you want to direct through the Application Security Manager. When you use the Headers traffic classifier, the system performs pattern matching against the headers and their values in a request.
Note: If you want to classify traffic using the Cookie header, use the Cookies traffic classifier instead of the Headers traffic classifier. See Using the Cookies traffic classifier, for more information.
1. On the Main tab of the navigation pane, in the Application Security section, click Classes.
   The HTTP Class Profiles list screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
5. In the Configuration area, for the Headers setting, select Match Only.
   The screen refreshes, and displays the Header List.
6. Add headers and their values to the Header List as needed. Include the colon when you add headers to this list, for example: User-Agent:<value>.
7. Select the Entry Type, either Pattern String or Regular Expression (regex). When you select Regular Expression (regex), the system prepends (regex) when you add the object to the list.
9. Click Finished.
   The system adds the new application security class, the corresponding web application, and a default security policy to the configuration, and displays the HTTP Class Profiles list screen.
You can use the Cookies traffic classifier to specify one or more cookies whose associated requests you want to direct through the Application Security Manager. When you use the Cookies traffic classifier, the system performs pattern matching against the cookie name information in the Cookie header in a request.
1. On the Main tab of the navigation pane, in the Application Security section, click Classes.
   The HTTP Class Profiles list screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
5. In the Configuration area, in the Cookies setting, select Match Only.
   The screen refreshes, and displays the Cookie List.
6. Add cookie names to the Cookie List as needed.
7. Select the Entry Type, either Pattern String or Regular Expression (regex). When you select Regular Expression (regex), the system prepends (regex) when you add the object to the list.
9. Click Finished.
   The system adds the new application security class, the corresponding web application, and a default security policy to the configuration, and displays the HTTP Class Profiles list screen.
The actions of the application security class designate what the system does with the traffic when the traffic matches one or more of the traffic classifier criteria. The actions for the application security class are as follows.
Send to pool
When you use the send to pool action, the system sends any traffic that matches the traffic classifier criteria (or the pool that was defined as a resource of the associated virtual server) to the Application Security Manager.
Redirect to another resource
When you use the redirect action, the system sends any matching traffic (based on the full HTTP URI) to another resource on the network. You can use Tcl expressions to create a custom redirection. See the F5 Dev Central web site, http://devcentral.f5.com, for information on Tcl expressions and syntax.
None
When you use the none action, the system does nothing with the traffic within the context of this application security class. The system may process the request according to other settings for the virtual server, for example, forward the request to the virtual server's default pool.
1. On the Main tab of the navigation pane, in the Application Security section, click Classes.
   The HTTP Class Profiles list screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
7. In the Actions area, for the Send To setting, specify what you want the system to do with the traffic related to this application security class. See the online help for assistance with specific screen elements.
8. Click Finished.
   The system adds the new application security class, the default security policy, and the default web application to the configuration, and displays the HTTP Class Profiles list screen.
You can use the Rewrite URI action to rewrite a URI without sending an HTTP redirect to the requesting client. For example, an ISP may host a site that is composed of different web applications, that is, a secure store application and a general information application. To the client, these two applications are the same site, but on the server side they are different applications. You can use the Rewrite URI action to transparently redirect the client to the appropriate application.
You use Tcl expressions for this setting. If you use a static URI, the system maps the static URI for every incoming request. For details on using Tcl expressions, and Tcl syntax, see the F5 Networks Dev Central web site, http://devcentral.f5.com.
Note: The Rewrite URI action is applicable only if you are using the Hosts or URI Paths traffic classifiers.
1. On the Main tab of the navigation pane, click Classes.
   The HTTP Class list screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
5. In the Configuration area, configure the traffic classifiers as needed, specifically the Hosts or URI Paths classifiers.
8. In the Pool setting, select the name of the local traffic pool to which you want the system to send the traffic.
9. In the Rewrite URI setting, type the Tcl expression that represents the URI that the system inserts in the request to replace the existing URI.
10. Click Finished.
    The system adds the new application security class, the default security policy, and the default web application to the configuration, and displays the HTTP Class Profiles list screen.
Tip: See the F5 Dev Central web site, http://devcentral.f5.com, for information on Tcl expressions and syntax.