Manual Chapter: Working with the Security Policy Setup Wizard

The Security Policy Setup Wizard provides a quick and efficient way to create a new security policy for an existing web application in the Application Security Manager configuration. The Security Policy Setup Wizard automates the fundamental tasks required to build a security policy. By using the wizard, you create a basic security policy. By changing the enforcement mode to blocking, you can use this security policy as is, to protect against the most common attacks.
As you navigate the wizard, the system provides default settings for each configuration option. For the easiest setup, we recommend that you accept the default settings. Note that you can make any changes that are appropriate for your particular web application and application security requirements.
Note: If you are creating a security policy for a new, unconfigured web application, we recommend that you use the Deployment Wizard to set up the security policy. For more information on using the Deployment Wizard, refer to the BIG-IP® Application Security Manager: Getting Started Guide, which is available at https://support.f5.com.
Every time you create a new security policy for an existing web application, you have the option to either run the Security Policy Setup Wizard, or configure the security policy manually.
1. On the Main tab of the Application Security navigation pane, click Policies List.
   The Security Policies screen opens.
2. Above the Security Policies area, click the Create button.
   The Security Policy Setup Wizard starts, and the Configure Security Policy Properties screen opens.
In this step, you specify the basic security policy settings. These settings include the security policy name, whether the security policy is based on an application-ready security policy, the web application to which the security policy applies, and dynamic session ID in URL (an option that depends on the previous selections).
1. On the Configure Security Policy Properties screen, in the Security Policy Name box, type a unique name for the new security policy that you are creating with the Security Policy Setup Wizard.
2. From the Web Application list, select the web application to which this security policy applies.
3. For the Application-Ready Security Policy setting, specify whether the security policy is based on one of the system-supplied templates.
   If you want the security policy to be based on one of the application-ready security policy templates, select a template from the list.
4. For the Dynamic Session ID in URL setting, which is available only if you selected None in step 3, enable or disable the dynamic session IDs as required. For help with the settings, click the Help tab in the navigation pane.
5. Click Next.
   The Configure Attack Signatures screen opens.
Attack signatures represent known attack patterns. In this step, you create an attack signatures set based on the systems that are in your configuration. The system then assigns the set to the security policy, and applies those signatures to the requests for the associated web application. There is also a set of generic attack signatures that is automatically assigned to the security policy. In this step, you also configure whether the system activates signature staging. When signature staging is enabled, the system keeps track of how many times an attack signature detects an attack pattern, but does not activate blocking for that signature until the staging time has passed.
1. On the Configure Attack Signatures screen, for the Systems setting, from the Available Systems list, select (by clicking) the systems that apply to your web application.
   Tip: Hold the Ctrl key to select more than one system in the list.
3. If you do not want the system to keep the signatures in the staging state, clear the Enable Signature Staging check box. Otherwise, leave the box checked, which is the default setting.
4. For the Staging Period setting, specify the length of time for which the signatures are in the staging state. The default is 7 days. Note that this setting is not applicable if you have cleared the Enable Signature Staging setting.
5. Click Next.
   The Configure Wildcard Tightening screen opens.
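The signature staging behavior described above can be sketched as a small model. This is an added example, not F5 code: the `Signature` and `Policy` classes, the regex standing in for a signature, and the sample requests are all constructed for illustration, and the logic follows only what this chapter states (matches are counted but not blocked until the staging period has passed).

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Signature:
    name: str
    pattern: str            # regex standing in for a real attack signature
    assigned_at: datetime   # when the signature set was assigned to the policy
    staged_hits: int = 0    # matches counted while in staging


@dataclass
class Policy:
    signatures: list
    staging_enabled: bool = True
    staging_period: timedelta = timedelta(days=7)  # the wizard's default
    blocking: bool = True                          # enforcement mode

    def in_staging(self, sig, now):
        return self.staging_enabled and now < sig.assigned_at + self.staging_period

    def evaluate(self, request_line, now):
        """Return 'block', 'staged' (counted but allowed) or 'pass'."""
        verdict = "pass"
        for sig in self.signatures:
            if not re.search(sig.pattern, request_line):
                continue
            if self.in_staging(sig, now):
                sig.staged_hits += 1      # tracked for review, not enforced
                verdict = "staged"
            elif self.blocking:
                return "block"
        return verdict


def demo():
    t0 = datetime(2024, 1, 1)  # constructed assignment time
    sig = Signature("path-traversal", r"\.\./", t0)
    policy = Policy([sig])
    attack = "GET /download?file=../../etc/passwd"  # constructed request
    return [
        policy.evaluate(attack, t0 + timedelta(days=1)),  # inside staging
        policy.evaluate(attack, t0 + timedelta(days=8)),  # staging elapsed
        policy.evaluate("GET /index.html", t0 + timedelta(days=8)),
        sig.staged_hits,
    ]
```

In this model a request that matches a staged signature still reaches the application, so the staging period trades immediate protection for the chance to review `staged_hits` for false positives.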
When you use the Security Policy Setup Wizard to create a new security policy, the wizard automatically adds wildcard entities to the new security policy. By using wildcard entities, you can efficiently build a security policy without in-depth knowledge of the web application, and reduce the number of violations and false positives during the initial stages of building a security policy.
Tightening is a method by which you can refine the security policy to include explicit entities. When you enable tightening for an entity type (file types, URLs, or parameters), then the system suggests new explicit entities that may be added to the security policy. The new explicit entities match the wildcard entities. By default, the system enables wildcard tightening for file types. For more information on wildcard entities and the tightening process, see Chapter 10, Working with Wildcard Entities.
1. On the Configure Wildcards Tightening screen, for the Systems setting, check the box next to the entities for which you want to enable wildcard tightening.
2. Click Next.
   The Configure Policy Building Mode screen opens.
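The tightening idea for file types can be illustrated with a short model. This is an added example, not F5 code: the function names, the `min_hits` threshold, the `no_ext` label, and the request URLs are constructed for illustration. It shows how explicit entities that match a wildcard entity can be suggested from observed traffic.

```python
import posixpath
from collections import Counter
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def file_type(url):
    """Extension of the request path, lower-cased; 'no_ext' if there is none."""
    ext = posixpath.splitext(urlsplit(url).path)[1]
    return ext.lstrip(".").lower() or "no_ext"  # label chosen for this example


def suggest_explicit(urls, wildcards, explicit, min_hits=2):
    """Suggest explicit file types for requests that only a wildcard matched.

    wildcards: wildcard file-type entities in the policy, e.g. ["*"]
    explicit:  file types already listed explicitly in the policy
    min_hits:  hypothetical threshold before a suggestion is made
    """
    seen = Counter()
    for url in urls:
        ft = file_type(url)
        if ft in explicit:
            continue  # already an explicit entity, nothing to tighten
        if any(fnmatchcase(ft, w) for w in wildcards):
            seen[ft] += 1
    return sorted(ft for ft, n in seen.items() if n >= min_hits)


# Constructed sample traffic for the example.
SAMPLE_URLS = [
    "/index.php?id=1",
    "/cart.php",
    "/img/logo.PNG",
    "/about.html",
    "/contact.html",
    "/login",
    "/static/app.js",
]


def demo():
    # Policy starts with the match-all wildcard and one explicit file type.
    return suggest_explicit(SAMPLE_URLS, wildcards=["*"], explicit={"js"})
```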
Build security policy automatically
The automatic configuration mode uses the Policy Builder to create the security policy. If you select this option, the wizard prompts you to configure some basic Policy Builder settings. Once you finish the Security Policy Setup Wizard, the Policy Builder starts immediately. For more information on using the Policy Builder, see Chapter 6, Building a Security Policy Automatically with the Policy Builder.
Build security policy manually
The manual configuration mode populates the security policy with the * (match all) wildcard entity for file types, URLs, and user-input parameters.
1. On the Select Configuration Mode screen, for the Configuration Mode setting, select Build security policy automatically.
2. Click Next.
   The Configure Policy Builder screen opens.
1. On the Select Configuration Mode screen, for the Configuration Mode setting, select Build security policy manually.
2. Click Next.
   The Policy Configuration Summary screen opens.
The Policy Builder is an automated tool to help you efficiently build a security policy. When you use the Security Policy Setup Wizard to create a new security policy or maintain an existing policy, and you select the automatic configuration mode, you configure a few of the fundamental settings for the Policy Builder. For more information on using the Policy Builder, see Chapter 6, Building a Security Policy Automatically with the Policy Builder.
1. On the Configure Policy Builder screen, if you want the Security Enforcer to detect changes to the web application, and automatically update and apply this security policy, then leave the Track Site Changes box checked.
   Note: If enabled, this security policy becomes the active security policy.
2. For the Security Template setting, select the security level upon which the security policy is based. See Understanding the security templates for the Policy Builder, for more information.
3. For the Trusted IP addresses setting, decide whether you want to configure a list or a range of IP addresses, and type the address information as appropriate.
   Note: If you configure any trusted IP addresses, the Policy Builder instantly updates the security policy based on that traffic. For more information on trusted IP addresses, see Configuring Trusted IPs for live traffic.
4. Click Next.
   The Policy Configuration Summary screen opens.
2. To change any of the settings, click the Back button to return to the appropriate screen of the Security Policy Setup Wizard.
   Note: Each time you click the Back button, the Configuration utility goes back one screen in the wizard. You may need to click the Back button on several screens to return to the step for which you want to make changes.
3. If you are satisfied with the security policy configuration, click the Finish button.
   The system saves the changes you have made.