Manual Chapter: Maintaining Security Policies

You may at times need to adjust your security policies as a result of changes in the application or because of new security needs. From the Policies List screen, you can perform the following policy maintenance tasks:
You can access a security policy for editing from either the Policies List screen, or from the editing context area. The editing context area appears at the top of almost every screen throughout the Application Security Manager. Figure 8.1 shows the editing context area.
1. On the Main tab, expand Application Security and click Policies List.
   The Policies List screen opens.
   Note: If a security policy's entire row is highlighted in gray, another user is currently editing it. As a result, you can view but not edit that security policy.
2. In the Security Policies area, click the name of the security policy that you want to edit.
   The Policy Properties screen opens.
4. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
1. On the Main tab, expand Application Security and click Policies List.
   The Policies List screen opens.
2.
3. Click the Copy button.
   The Copy Security Policy screen opens.
4. In the New Security Policy Name box, accept or change the name for the security policy, and then click Save. (The default name is <original_policy_name>_copy.)
   The system displays a message when the policy is successfully copied.
5. Click OK.
   The screen refreshes, and you see the new security policy in the Security Policies List.
Note: In the Security Policies List, the Active icon next to a security policy indicates that this policy is active. The Modified icon indicates that the security policy has been modified, and you must click the Apply Policy button to implement any changes in the security policy.
You can export a security policy as a binary archive file or as a readable XML file. For example, you may want to export a security policy from one web application so that you can use it as a baseline for a new web application. You can also export a security policy to archive it on a remote system before upgrading the system software, to create a backup copy, or to use the exported security policy in a policy merge. (See Merging two security policies, for more information on merging policies.)
You can export a security policy located on a remote system. The XML or archive file includes the name of the security policy and the date it was exported. If you saved the policy as an XML file, you can open it to view the configured settings of the security policy in a human readable format.
The exported security policy includes any user-defined attack signature sets that are in use by the policy, but not the actual signatures. It is therefore a good idea to make sure that the attack signatures and user-defined signatures are the same on the two systems.
1. On the Main tab, expand Application Security and click Policies List.
   The Policies List screen opens.
2. In the Security Policies list, select the security policy that you want to export by clicking the button on its left, then:
3. In the file download screen, save the file.
   The system exports the security policy in the format you specified and saves it in the remote location. The exported security policy includes any user-defined signature sets that are in the policy, but not the signatures themselves.
You can import a security policy previously saved in archive policy or XML format to quickly apply a security policy to a new web application. You can also use the import option to restore a security policy from a remote system.
Before you import an exported policy onto another system, it is a good idea to make sure that the attack signatures and user-defined signatures are the same on the two systems.
If you are using device management and you import a security policy with automatic policy building enabled, the imported policy has Real Traffic Policy Builder® enabled on the local device. However, when the policy is replicated to the other devices in the group, Policy Builder is disabled in the policy on those devices.
1. On the Main tab, expand Application Security and click Policies List.
   The Policies List screen opens.
2. Above the Security Policies area, click the Import button.
   The Import Security Policy screen opens.
3. In the Choose File setting, click the Browse button to navigate to the security policy that you want to import.
4. Click Import.
   The system displays a success status message when the operation is complete.
5. Click OK.
   The screen refreshes, and you can see the imported security policy in the Security Policies List. The imported policy includes any user-defined signature sets that were exported with the security policy.
Note: The names of security policies must be unique within the Application Security Manager. If the name of the imported security policy already exists, the system renames the imported file by adding a sequential number to the end of the name.
You can use the policy merge option to combine two security policies. For example, you can merge a security policy that you built offline into a security policy that is on a production system.
The merge mechanism is lenient when merging security policies. The system resolves any conflicts that occur by using the more open settings in the target security policy. When the merge is complete, the system displays the beginning of a merge report showing results of the merge process.
In addition, you can view or download the complete Policy Merge Report as a text file (*.txt). The report includes the details of the merge showing how conflicts were resolved. If you enable verbose logging for the merge, the merge report also contains the following information:
Entities in the target security policy whose values are different from those in the merged security policy
(If this occurs, the system does not change the target security values.)
1. On the Main tab, expand Application Security and click Policies List.
   The Policies List screen opens.
2. In the Security Policies area, select the target security policy (into which to merge the second security policy) by clicking the button on its left, and click the Merge button.
   The Merge Security Policies screen opens.
3. For the Security Policy To Be Merged setting, click the Browse button, and navigate to the exported security policy file that you want to merge into the target security policy.
4.
6. Click the Merge button.
   The system merges the exported security policy into the target security policy, and produces a Merge Report.
7. Click the Download Full Report button to open or save the entire Merge Report.
8. Click OK.
   The screen refreshes, and the merged security policy is in the Security Policies list.
Note: A copy of the original security policy also appears in the Security Policies list, if you selected the Backup Target Security Policy option in step 4.
You can remove all security policies from the configuration, one by one, except the active security policy. The active security policy for a web application has the Active icon next to its name in the Security Policies list.
1. On the Main tab, expand Application Security and click Policies List.
   The Policies List screen opens.
2. In the Security Policies area, select the security policy that you want to remove from the configuration, and click the Delete button below the list.
   A confirmation popup screen opens, where you confirm that you want to delete the security policy.
3. Click OK.
   The screen refreshes and you no longer see the security policy in the Security Policies List.
If you delete a security policy, and later decide that you did not want to do that, you can restore the security policy from the Security Policy Recycle Bin.
1. On the Main tab, expand Application Security and click Policies List.
   The Policies List screen opens.
2. Above the Security Policies area, click the Import button.
   The Import Security Policy screen opens.
3. In the Security Policy Recycle Bin list, select the security policy that you want to restore, and then click the Restore button.
   A confirmation popup screen opens, where you confirm that you want to restore the security policy.
4. Click OK.
   The system restores the security policy, and displays a success message.
5. Click OK.
   The screen refreshes, and you see the restored security policy in the Policies List.
If you delete a security policy from the configuration, and later decide that you want to delete it permanently, you can delete the security policy from the Security Policy Recycle Bin.
1. On the Main tab, expand Application Security and click Policies List.
   The Policies List screen opens.
2. Below the Security Policies area, click the Import button.
   The Import Security Policy screen opens.
3. In the Security Policy Recycle Bin list, select the security policy that you want to delete, and then click the Delete button.
   A confirmation popup screen opens, where you can confirm that you want to delete the security policy.
4. Click OK.
   The screen refreshes, and you no longer see the security policy in the Security Policy Recycle Bin list.
The Application Security Manager keeps an archive of security policies that have been set to active. Every time you make a security policy the active security policy, the system saves a version of that security policy, and archives it. You can restore any of the archived security policies, and make it the active security policy.
Tip: In the Security Policies list, on the Policies List screen, the security policy version number is in square brackets next to the security policy name.
1. On the Main tab, expand Application Security and click Policies List.
   The Policies List screen opens.
2. In the Security Policies list, click the security policy whose different versions you want to view or whose archived version you want to restore.
   The Policy Properties screen opens.
3. On the menu bar, click History.
   The Security Policy History screen opens, where you can view the archived versions of the security policy.
4. To restore an archived security policy, select the version, and then click the Restore button.
   The Restore Security Policy screen opens.
5. In the Security Policy Name box, change the name as required.
7. Click OK.
   The screen refreshes and you see the restored security policy in the Policies List.
You can create a security policy template to use as the basis for new security policies. When you manually develop a security policy using the Deployment wizard, the template you created is listed with the list of application-ready security policies.
You can view the list of all available templates including those supplied by the system, the application-ready security policies, and those that are user-defined.
1. On the Main tab, expand Application Security and click Options.
2. From the Advanced Configuration menu, choose Policy Templates.
   The Policy Templates screen opens and lists the available policy templates. The list includes all system-supplied and user-defined security policy templates that are on the system.
You can save a security policy as a template to create policies that differ only in a few details. The template can serve as the basis for a new security policy.
1. On the Main tab, expand Application Security and click Policies List.
   The Policies List screen opens.
3. Click the Save as Template button.
   The Add Policy Template screen opens.
4. In the Name box, type the name for the security policy template.
5. In the Description box, type a description of the template, such as the name of the security policy it was based on.
6. For the Template File setting:
   a) Select Use existing security policy.
7. Click Add.
   The Policy Templates screen opens showing a list of all policy templates including the one you just created.
If you change the original security policy from which you created the template, the template is not updated or changed.
Before you can create a template, you need to have an exported template from another system, or a security policy saved in XML format.
1. On the Main tab, expand Application Security and click Policies List.
   The Policies List screen opens.
2. Click the Save as Template button.
   The Add Policy Template screen opens.
3. In the Name box, type the name for the security policy template.
4. In the Description box, type a description of the template, such as the name of the security policy it was based on.
5. For the Template File setting:
   a) Select Upload template file.
   b) Click the Browse button to search for an exported template, or a security policy exported in XML format.
6. Click Add.
   The Policy Templates screen opens showing a list of all policy templates including the one you just created.
You can export a security policy template and save it for later use. For example, you can upload the template onto another system.
1. On the Main tab, expand Application Security and click Options.
2. From the Advanced Configuration menu, choose Policy Templates.
   The Policy Templates screen opens and lists all of the available policy templates.
3. Select one policy template to export, and click the Export button.
   The system creates a template file in XML format called exported_template_mm-dd-yy_hr-mn.xml, where the date and time follow the name exported_template.
5. To import the exported template, log in to the system where you want to use it and create a template using the one you exported.
Before you can create a security policy from a template, perform the essential configuration tasks to create a security policy: you need to define an application security class, pool, and virtual server. (For details, see Chapter 2.)
1. On the Main tab, expand Application Security and click Web Applications.
2. For the web application you set up, click the Configure Security Policy link.
   The Deployment wizard opens the Select Deployment scenario screen.
3. Select Create a policy manually or use templates and click Next.
4. From the Application Language list, select the language encoding of the application.
5. From the Application-Ready Security Policy list, select the security policy template to use.
6. For the Staging-Tightening Period setting, specify the following:
   How long you want to keep the web application entities and attack signatures in staging before the system suggests that you enforce them. Staging allows you to test the entities and the attack signatures for false positives without enforcing them.
   How many days wildcard entities remain in tightening mode before the system suggests you enforce them. When wildcard entities are in tightening mode, the system adds explicit entities that match these wildcard expressions.
7. Click Finish.
   The system creates the security policy based on the template.
The Application Security Manager creates a policy log for every security policy. The policy log includes an entry for each event or action performed on the security policy, including the event type, the element type and name (if relevant), the date and time of the change, a description of the change, and where, how, and by whom the change was made.
This log is different from the automatic policy building log because this one shows all changes that the Policy Builder or a user made to the security policy. The automatic policy building log is described in Viewing automatic policy building logs.
1. On the Main tab, expand Application Security, then click Policy.
2. From the Policy menu, choose Policy Log.
   The Policy Log screen opens.
3. In the editing context area, ensure that the edited web application and security policy are those for which you want to view log transactions.
4. In the Filter area, adjust the filter settings to view the logs you want to see.
5. Click the Go button.
   The screen refreshes, and displays the policy log for the web application and security policy that you selected. Figure 8.2 shows a portion of a sample policy log.
7. To save the log as a PDF, click Export.
   The system creates a PDF that you can open or save.
You can display a tree view of the security policy to quickly view its contents. The tree view shows the hierarchy of the web application, particularly the URLs and parameters contained in the security policy. Global parameters appear at the top level, and URL parameters fall under URLs in the directory-like structure.
1. On the Main tab, expand Application Security, and then click Tree View.
4. Click an allowed URL, a disallowed URL or a parameter to view its properties.
   The properties page for the URL or parameter opens.
Figure 8.3 shows an example tree view of a security policy for an auction web application.
Application Security Manager includes several audit tools that you can use to query a security policy to find the information you are looking for. You can use the audit tools to analyze suspicious policy states (for example, URLs allowed to modify domain cookies). Each tool type specifies a predefined URL, parameter, or flow filter that helps to identify conflicts and errors in the security policy.
1. On the Main tab, expand Application Security, point to Policy, then Policy again, and click Audits.
   The Audits screen opens.
3. From the Tool Type list, select an audit tool, and then click Go.
   The screen refreshes, and the system displays the audit report.