Manual Chapter: Internal Parameters for Advanced
Several internal parameters control how the BIG-IP® Application Security Manager functions. In most cases, you do not need to change the internal parameters from their default settings. Table D.1 lists the internal parameters, their default values, and a description of their purpose.
Note: F5 Networks recommends that you change the values of parameters only with the guidance of Technical Support.
Specifies, when set to 0, that if a request arrives with no main ASM cookie (entry point) then every domain cookie in the request is considered a modified domain cookie, and is enforced according to the security policy.
When set to 1, all cookies are accepted at entry points.
Note: When enabling this setting, F5 recommends that you set running to disabled in the daemon-ha bd section of /config/daemon.conf and then reload the configuration.
Specifies whether traffic bypasses the Application Security Manager when the system is stopped. The possible values are 1 (bypass enabled) or 0 (bypass disabled, default). If you enable this parameter, web traffic bypasses the system if any of the following occur:
- If you restart the Application Security Manager, traffic bypasses the Application Security Manager from the time the system is stopped until the system restarts.
- If the system crashes (performs a core dump), traffic bypasses the Application Security Manager from the time the system is stopped until it restarts.
WARNING: Enabling this option allows traffic to access the web application even when the BIG-IP system is down. However, no security will be in effect when the system is being bypassed.
Specifies whether traffic bypasses Application Security Manager as a result of limited resources or when the system is off. The default value is 0 (bypass disabled). If you enable this parameter, web traffic bypasses the system when any of the following occur:
- If you restart the Application Security Manager, traffic bypasses the Application Security Manager from the time the system is stopped until it reloads.
- If the system crashes (performs a core dump), traffic bypasses the Application Security Manager from the time the system is stopped until it reloads.
- If the system does not have enough memory, or does not have enough system resources.
WARNING: Enabling this option allows traffic to access the web application even when the BIG-IP system is down, or has limited resources. However, no security will be in effect when the system is being bypassed.
Default: 11112222333344445555666677778888 (key)
Provides a key in the MD5 digest calculations for ASM cookies.
Note: For security reasons, F5 Networks recommends that you change the cookie digest key from the default value. When changing the value for the key, use the same key value for units in a redundant pair, by configuring the setting on one system and performing a ConfigSync with the redundant pair member.
Allows the system to determine the time (in seconds) for which the ASM cookie data is valid.
Specifies the maximum age value (in seconds) assigned to the Max-Age attribute of the ASM cookie. When set to 0, ASM cookies never expire.
Defines how often the system renews the ASM cookie time. This internal parameter is tightly coupled with cookie_expiration_time_out (in seconds).
Defines a maximum URI length that the system can support in its internal buffers. If this number is higher (more permissive) than the internal URI-length limit defined per file type, the internal file-type limit is the actual limit. Exceeding this internal limit triggers the HTTP protocol compliance failed violation.
Default: ^\s*[+-]?\d*(\.\d+)?\s*$ (regular expression)
Specifies the regular expression that defines a valid pattern for parameter values of type decimal.
Default: ^\s*([\w.-]+)@([\w.-]+)\s*$ (regular expression)
Specifies the regular expression that defines a valid pattern for parameter values of type email.
Default: ^\s*[0-9 ()+-]+\s*$ (regular expression)
Specifies the regular expression that defines a valid pattern for parameter values of type phone number.
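As an added example, not taken from the F5 documentation, the three default patterns above applied in Python to constructed sample values, to show which inputs each one accepts. Worth noting before relying on a pattern as the only check on a parameter: the decimal pattern accepts an empty value and a lone sign, and the phone pattern accepts a whitespace-only value. The re.ASCII flag is an assumption to approximate a classic engine; the chapter does not say which regex engine ASM uses.

```python
import re

# The three default value-type patterns exactly as listed in this chapter.
DEFAULT_PATTERNS = {
    "decimal": r"^\s*[+-]?\d*(\.\d+)?\s*$",
    "email": r"^\s*([\w.-]+)@([\w.-]+)\s*$",
    "phone": r"^\s*[0-9 ()+-]+\s*$",
}

# re.ASCII keeps \w, \d and \s to ASCII, approximating a classic regex engine.
# This is an assumption: the chapter does not state which engine ASM uses.
COMPILED = {name: re.compile(pat, re.ASCII) for name, pat in DEFAULT_PATTERNS.items()}


def is_valid(value_type: str, value: str) -> bool:
    """True if value passes the default pattern for the given value type."""
    # search() rather than fullmatch() so the pattern's own ^ and $ anchors decide.
    return COMPILED[value_type].search(value) is not None


def accepted(value_type: str, candidates):
    """Return the candidates the default pattern lets through, in input order."""
    return [v for v in candidates if is_valid(value_type, v)]


# Constructed sample values (not from the chapter), including edge cases.
SAMPLES = {
    "decimal": ["42", " -3.14 ", "+", "", "1.", "1e5", "abc"],
    "email": ["alice@example.com", "a@b", "..@..", "alice@", "@example.com", "a@b@c"],
    "phone": ["+1 (555) 123-4567", "555-1234", "   ", "+", "555-1234 ext 5"],
}

if __name__ == "__main__":
    for value_type, values in SAMPLES.items():
        for v in values:
            verdict = "accept" if is_valid(value_type, v) else "reject"
            print(f"{value_type:8} {v!r:22} -> {verdict}")
```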
Specifies the URI for the ICAP service, which checks requests for viruses by connecting to an Internet Content Adaptation Protocol (ICAP) server.
Specifies that the system keeps track of attack signatures that have been disabled (either globally or on the parameter level) by accepting learning suggestions. A signature may have been disabled due to a false positive.
When set to 0, the system does not track disabled signatures.
Specifies the maximum number of concurrent FTP connections that the Protocol Security Module can manage.
Specifies the maximum number of cryptographic operations allowed per document by Web Services encryption and decryption.
Specifies the maximum number of concurrent SMTP connections that the Protocol Security Module can manage.
Specifies the maximum number of violation entries per violation type kept in memory. Note that this parameter applies only to the security profiles in the Protocol Security Module.
Specifies the maximum number of concurrent long requests that the system can handle. A long request is a request longer than request_buffer_size and less than long_request_buffer_size.
Specifies the maximum number of slow transactions per CPU or plug-in before the system drops the slow transactions (such as when mitigating slow HTTP post DDoS attacks). Slow transactions are defined in slow_transaction_timeout.
Specifies, when set to 1, that data collection is enabled for both the graphs on the Overview screen and also for the Denial of Service attack prevention feature.
When set to 0, data collection is disabled.
Specifies how the system distinguishes between HTTP and HTTPS URLs. If the value is -1, the system decides whether the object requested is an HTTP request or an HTTPS request based on the incoming traffic. If the value is 0, the system treats all incoming URL requests as HTTP requests. If the value is 1, the system treats all incoming URL requests as HTTPS requests.
Specifies the number of requests per second that the system can enter into the proxy log.
Specifies the maximum buffer size for a single instance of the accumulated response buffers. The system accumulates response buffers until their total size reaches the max_filtered_html_length.
Default: 0 (number of CPU cores determines number of threads)
Specifies, when the value is greater than zero, the number of threads that the system uses for protocol security. When the value is 0, the number of CPU cores in the system determines the number of threads.
Default: 0 (number of CPU cores determines number of threads)
Specifies, when the value is greater than zero, the number of threads that the system uses for application security. When the value is 0, the number of CPU cores in the system determines the number of threads.
Specifies the number of seconds after which a transaction is considered slow (such as when mitigating slow HTTP post DDoS attacks). The system tracks the number of slow transactions that have occurred and drops slow transactions after the max_slow_transactions is reached.
Specifies the maximum memory size (in kilobytes) available for the system's memory pools. A value of 0 means no limit to the maximum memory size.
Specifies the maximum amount of memory that can be allocated to the XML parser. A value of 0 means no limit to the amount of memory that the parser can use.
Default: X-Virus-Name (McAfee's default response header)
Specifies the header name used by an anti-virus program on an ICAP server. By default, the system supports an ICAP server with McAfee anti-virus protection. If you are using a different ICAP server, change this to the appropriate header value.
1. On the Main tab, expand Application Security and click Options.
   The Attack Signatures screen opens.
2. From the Advanced Configuration menu, choose System Variables.
   The System Variables screen opens, where you can review the settings for the internal parameters.
Tip: You can see on the System Variables screen whether the value of an internal parameter has been changed from the default: if it has, the variable is shown in boldface text, and the default value for the variable is displayed below the parameter value.
Note: F5 Networks recommends that you change the values for the internal parameters only with the guidance of the technical support staff.
If you change the value of a parameter, you need to restart Application Security Manager (ASM) for the system to use the new value. To restart ASM, at the command line type bigstart restart asm. If using device management to synchronize ASM systems, you must restart ASM on all of the systems in the device group for the change to take effect on all of them.
If you change any of the parameter values for the internal parameters, it is easy to restore the default settings for those values.
1. On the Main tab, expand Application Security and click Options.
   The Attack Signatures screen opens.
2. From the Advanced Configuration menu, choose System Variables.
   The Advanced Configuration screen opens.
3. Click the Restore Defaults button.
   The system resets any changed parameter values to their factory settings.
b) To reboot the system, on the Main tab, expand System and click Configuration. In the Operations setting, click the Reboot button.