Manual Chapter: Configuring General System Options
14 
The Application Security Manager includes general system options that apply to the overall application security configuration. You can perform the following tasks to configure general system options:
Configure the Application Security Manager to connect with an Internet Content Adaptation Protocol (ICAP) server to check requests for viruses. See Configuring external anti-virus protection, for more information.
Some of the overall system configuration tasks are described in other chapters, because they relate to other tasks described there. You can perform the following additional general configuration tasks:
1. On the Main tab, expand Application Security, point to Options, and then click Preferences.
   The Preferences screen opens.
2. For Records Per Screen, type the number of entries to display (1-100). The default value is 20.
   This setting affects the maximum number of web applications, file types, URLs, parameters, flows, headers, and XML profiles to display in lists throughout the Application Security Manager.
3. For Records Per Requests Screen, type the number of requests to display (1-1000). The default value is 500.
   This setting affects the maximum number of requests that appear in the Requests List (Reporting > Requests).
4. For Titles Tooltip Settings, select one of the options for how to display tooltips:
      Do not show tooltips: Never display tooltips or icons.
      Show tooltip icons: Display an icon if a tooltip is available for a setting, and show the tooltip when you move the cursor over the icon. This is the default setting.
      Show tooltips on title mouseover: Display a tooltip when you move the cursor over a setting on the screen.
5. For Default Configuration Level, select whether to display all possible settings (Advanced) or the Basic settings on screens with that option.
6. If the BIG-IP system is in a redundant configuration and you want to display a message telling you to synchronize the two systems when a security policy was updated but not applied, select the Recommend Sync When Policy Not Applied check box.
7. To log system data and configuration changes made to all security policies, select the Write all changes to Syslog check box.
   To log system data only, clear the Write all changes to Syslog check box. This is the default setting.
8. Click Save to keep your changes.
You can configure the Application Security Manager to connect with an Internet Content Adaptation Protocol (ICAP) server to check requests for viruses. If the Virus Detected violation is set to Alarm or Block for that web application's security policy, the system sends requests with file uploads to an external ICAP server for inspection. The ICAP server examines the requests for viruses and, if the ICAP server detects a virus, it notifies the Application Security Manager, which then issues the Virus Detected violation.
You can also set up anti-virus checking for HTTP file uploads and SOAP web service requests. If configured, the system checks the file uploads and SOAP requests before releasing content to the web server.
By default, the system uses the ICAP server for McAfee anti-virus protection. If your ICAP server has different anti-virus software, you must change the values of the icap_uri and virus_header_name internal parameters. Refer to Appendix D, Internal Parameters for Advanced Configuration, for information about internal parameters.
1. On the Main tab, expand Application Security, point to Options, and then click Anti-Virus Protection.
   The Anti-Virus Protection screen opens.
2. For Server Host Name, type the ICAP server host name in the format of a fully qualified domain name.
   Note: If using the host name only, you must also configure a DNS server on the BIG-IP system. Expand System, point to Configuration, Device, then click DNS. If DNS is not configured, you must include the IP address.
   For Server IP Address, type the IP address of the ICAP server.
3. For Server Port Number, type the port number of the ICAP server.
4. If you want to perform virus checking even if it may slow down the web application, select the Guarantee Enforcement check box.
5. Click Save to save the ICAP server configuration.
6. On the Main tab, under Application Security, point to Policy, and then click Blocking.
   The Blocking Settings screen opens.
   a) In the editing context area, ensure that the edited web application and security policy are the ones for which you want anti-virus protection.
   b) For the Virus Detected violation (near the bottom of the screen), enable either or both of the Alarm and Block check boxes. For details on setting up blocking, refer to Configuring policy blocking.
   c) Click Save to save the blocking policy.
   d) Click Apply Policy.
8. In each web application and policy for which you want the system to perform virus checking on HTTP file uploads or SOAP requests, complete these tasks:
   a) In the editing context area, ensure that the edited web application and security policy are those which may include HTTP file uploads or SOAP requests.
   b) On the Main tab, point to Policy, and then click Anti-virus Protection.
   c) To have an external ICAP server inspect file uploads for viruses before releasing the content to the web server, select Inspect file uploads within HTTP requests.
   d) To perform virus checking on SOAP attachments, presuming the security policy includes one or more XML profiles, move the profiles from the Antivirus Protection Disabled list to the Antivirus Protection Enabled list.
   e) Click Save.
   f) Click Apply Policy.
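The following added example (not F5 code, and not how the Application Security Manager is implemented) shows in general ICAP terms why virus_header_name must match the anti-virus software on the ICAP server: a verdict carried in a header the client is not configured to look for goes unnoticed. The header names, the function names, and all sample responses are assumptions constructed for illustration.

```python
# Added illustration. All responses below are constructed, not captured traffic.

def parse_icap_response(raw):
    """Return (status_code, headers) from the ICAP header block of a response."""
    # The ICAP header block ends at the first blank line; any encapsulated
    # HTTP message follows it and is deliberately ignored here.
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError("not an ICAP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def virus_verdict(raw, virus_header_names):
    """Return the value of the first configured virus header, or None."""
    _status, headers = parse_icap_response(raw)
    for name in virus_header_names:
        value = headers.get(name.strip().lower())
        if value is not None:
            return value
    return None


# Constructed sample: a scanner that reports in an X-Infection-Found header.
INFECTED_A = (b'ICAP/1.0 200 OK\r\nISTag: "constructed-1"\r\n'
              b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\n"
              b"Encapsulated: res-hdr=0, res-body=120\r\n\r\n")
# Constructed sample: a different scanner that reports in an X-Virus-ID header.
INFECTED_B = (b'ICAP/1.0 200 OK\r\nISTag: "constructed-2"\r\n'
              b"X-Virus-ID: EICAR-Test-File\r\n"
              b"Encapsulated: res-hdr=0, res-body=120\r\n\r\n")
# Constructed sample: nothing found, content unmodified.
CLEAN = b'ICAP/1.0 204 No Content\r\nISTag: "constructed-1"\r\n\r\n'

if __name__ == "__main__":
    configured = ["X-Infection-Found"]  # assumed setting for scanner A
    for label, resp in (("A", INFECTED_A), ("B", INFECTED_B), ("clean", CLEAN)):
        print(label, "->", virus_verdict(resp, configured))
```

With the header list left at the value that suits scanner A, the infected response from scanner B yields no verdict until the list is changed to match it.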
User accounts on the BIG-IP system are assigned a user role that specifies the authorization level for that account. While an account with the user role of Administrator can access and configure everything, you may want to further specialize administrative accounts. You must have Administrator access to create accounts on the BIG-IP system.
Web Application Security Administrator
Grants users permission to view and configure all parts of the Application Security Manager, on all partitions. With respect to application security objects, this role is equivalent to the Administrator role.
Web Application Security Editor
Grants users permission to view and configure most parts of the Application Security Manager, on specified partitions.
1. On the Main tab, expand System, and then click Users.
   The User List screen opens.
2. Click the Create button.
   The New User screen opens.
3. For the User Name setting, type the name for the account.
4. For the Password setting, type and confirm the account password.
5. For the Role setting, select the appropriate role:
      To limit security policy editing to the current administrative partition, select Web Application Security Editor.
6. If you selected Web Application Security Editor, then in Partition Access, select the partition in which to allow the account to create security policies.
7. Click Finished.
   The User List screen opens and lists the new user account.
Logging profiles specify how and where the system stores request and violation data for web applications. When you configure a web application, you select the logging profile for that web application. You can use one of the system-supplied logging profiles, or you can create a custom logging profile. Note that the system-supplied logging profiles log data locally. For more information on selecting the logging profile for a web application, refer to Specifying the logging profile for a web application.
Additionally, you can choose to log the request data locally, on a remote storage system (such as a syslog server), on a reporting server (as key/value pairs), or on an ArcSight server (in CEF format).
Note: If running Application Security Manager on a BIG-IP system using Virtualized Clustered Multiprocessing (vCMP), for best performance, F5 recommends configuring remote logging to store Application Security Manager logs remotely rather than locally.
A logging profile has two parts: the storage configuration and the storage filter. The storage configuration specifies where the logs are stored, either locally or remotely. The storage filter determines what information gets stored.
You can create a logging profile to store request data on the local BIG-IP system. When you store the request data locally, the logging utility may compete for system resources. You can use the Guarantee Logging setting to ensure that the system logs the requests in this situation.
Note: Enabling the Guarantee Logging setting may cause a performance reduction if you have a high traffic-volume application.
1. On the Main tab, expand Application Security, point to Options, and then click Logging Profiles.
   The Logging Profiles screen opens.
2. Above the Logging Profiles area, click the Create button.
   The Create New Logging Profile screen opens.
3. For the Configuration setting, select Advanced.
4. In the Configuration area, for the Profile Name setting, type a unique name for the logging profile.
5. To ensure that the system logs requests for the web application, even when the logging utility is competing for system resources, select the Guarantee Logging check box.
   Note: Enabling this setting may slow access to the associated web application.
7. Click the Create button.
   The screen refreshes, and displays the new logging profile on the Logging Profiles screen.
   a) On the Main tab, click Web Applications.
   c) For Logging Profile, select the profile you created.
   d) Click Update.
You can create a logging profile to store information about requests remotely on syslog servers in Comma Separated Value (CSV) format or some other format that you define. When you configure a logging profile for remote storage, the system stores request data for the associated web application on one or more remote management systems.
Note: The logging profile for remote storage relies on external systems to perform the actual logging. The configuration and maintenance of the external logging servers is not the responsibility of F5 Networks.
1. On the Main tab, expand Application Security, point to Options, and then click Logging Profiles.
   The Logging Profiles screen opens.
2. Above the Logging Profiles area, click the Create button.
   The Create New Logging Profile screen opens.
3. For the Configuration setting, select Advanced.
4. For the Profile Name setting, type a unique name for the logging profile.
5. Select the Remote Storage check box, and make sure the Type is set to Remote.
   The screen displays additional settings.
7. For the Protocol setting, select the protocol that the remote storage server uses: TCP (the default setting), TCP-RFC3195, or UDP.
8. For the Server Addresses settings, type the IP address, port number (default is 514), and click Add to add one or more remote servers.
9. For the Facility setting, select the facility category of the logged traffic. The possible values are LOG_LOCAL0 through LOG_LOCAL7.
   Tip: If you have more than one web application, you can use the same remote logging server for both applications, and use the facility filter to sort the data for each.
10. For the Storage Format setting, from the Available Items list, select the data items to include in the log. Use the Move button (<<) to add the data items to the Selected Items list.
      Predefined: If you select this option, specify the delimiter to separate the data items in the log (the default delimiter is comma). You may not use the % character. This is the default value.
      User-defined: If you select this option, in the Selected Items box, type any text you want to appear between the items, with surrounding percent (%) characters (for example, %Request%).
11. To ensure that the system logs requests for the web application (when logging locally as well as remotely), select the Guarantee Logging check box.
    Note: Enabling this setting may slow access to the associated web application.
12. Optionally, adjust the maximum request, header, and query string sizes, and maximum entry length settings. (Refer to online help for details on the settings.)
13. If you want the system to log details (including the start and end time, number of dropped requests, attacking IP addresses, and so on) about brute force attacks, DoS attacks, IP enforcer attacks, or web scraping attacks, select the Report Detected Anomalies check box.
15. Click the Create button.
    The screen refreshes, and displays the new logging profile on the Logging Profiles screen.
    a) On the Main tab, click Web Applications.
    c) For Logging Profile, select the profile you created.
    d) Click Update.
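The facility tip in the procedure above can be applied on the receiving syslog server as in this added example (not F5 code): it decodes the standard syslog priority value into facility and severity, then sorts messages per web application. It goes slightly beyond the tip by also decoding the severity name; the facility-to-application mapping, the function names, and the sample messages are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Standard syslog severity names, indexed by numeric severity 0-7.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(message):
    """Split '<PRI>rest' into (facility, severity, rest). PRI = facility*8 + severity."""
    match = PRI_RE.match(message)
    if not match:
        raise ValueError("no syslog priority prefix")
    pri = int(match.group(1))
    if pri > 191:  # highest valid value: facility 23, severity 7
        raise ValueError("priority out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return facility, severity, message[match.end():]


def facility_name(facility):
    """Name LOG_LOCAL0..LOG_LOCAL7 (facility codes 16..23); others stay numeric."""
    if 16 <= facility <= 23:
        return "LOG_LOCAL%d" % (facility - 16)
    return "facility%d" % facility


def route(messages, app_by_facility):
    """Group messages by the web application assigned to their facility."""
    buckets = defaultdict(list)
    for message in messages:
        try:
            facility, severity, body = decode_pri(message)
        except ValueError:
            buckets["unparsed"].append(message)  # keep, never silently drop
            continue
        app = app_by_facility.get(facility_name(facility), "unassigned")
        buckets[app].append((SEVERITIES[severity], body))
    return dict(buckets)


# Assumed mapping: one logging profile per application, each with its own facility.
APP_BY_FACILITY = {"LOG_LOCAL0": "app-one", "LOG_LOCAL1": "app-two"}
# Constructed sample messages (not real Application Security Manager output).
MESSAGES = [
    "<131>Jan 12 10:00:00 bigip1 ASM:constructed,record,for,app-one",
    "<140>Jan 12 10:00:01 bigip1 ASM:constructed,record,for,app-two",
    "<86>Jan 12 10:00:02 bigip1 sshd: constructed non-ASM message",
    "constructed line with no priority prefix",
]

if __name__ == "__main__":
    for app, entries in route(MESSAGES, APP_BY_FACILITY).items():
        print(app, entries)
```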
If your network uses a third party reporting server (for example, Splunk), you can create a logging profile to store the log information on the reporting server using the key-value pair storage format.
Note: This logging profile relies on an external reporting server to perform the actual logging. The configuration and maintenance of the reporting server is not the responsibility of F5 Networks.
1. On the Main tab, expand Application Security, point to Options, and then click Logging Profiles.
   The Logging Profiles screen opens.
2. Above the Logging Profiles area, click the Create button.
   The Create New Logging Profile screen opens.
3. For the Configuration setting, select Advanced.
   The screen refreshes to display additional settings.
4. For the Profile Name setting, type a unique name for the logging profile.
5. Select the Remote Storage check box, and for the Type setting, select Reporting Server.
   The screen displays additional settings.
7. For the Protocol setting, select the protocol that the remote storage server uses: TCP (the default setting), TCP-RFC3195, or UDP.
8. For the Server IP setting, type the IP address for the remote storage server.
9. For the Server Port setting, type a port number or use the default value, 514.
10. To ensure that the system logs requests for the web application (when logging locally as well as remotely), select the Guarantee Logging check box.
    Note: Enabling this setting may slow access to the associated web application.
11. Optionally, adjust the maximum request, header, and query string size and maximum entry length settings. (Refer to online help for details on the settings.)
12. If you want the system to log details (including the start and end time, number of dropped requests, attacking IP addresses, and so on) about brute force attacks, DoS attacks, IP enforcer attacks, or web scraping attacks, select the Report Detected Anomalies box.
14. Click the Create button.
    The screen refreshes, and displays the new logging profile on the Logging Profiles screen.
If your network uses ArcSight logs, you can configure a logging profile that formats the log information for that system. Application Security Manager stores all logs on a remote logging server using the predefined ArcSight settings for the logs.
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension
Note: This logging profile relies on external systems to perform the actual logging. The configuration and maintenance of the external logging servers is not the responsibility of F5 Networks.
1. On the Main tab, expand Application Security, point to Options, and then click Logging Profiles.
   The Logging Profiles screen opens.
2. Above the Logging Profiles area, click the Create button.
   The Create New Logging Profile screen opens.
3. For the Configuration setting, select Advanced.
   The screen refreshes to display additional settings.
4. For the Profile Name setting, type a unique name for the logging profile.
5. Select the Remote Storage check box, and for the Type setting, select ArcSight.
   The screen displays additional settings.
7. For the Protocol setting, select the protocol that the remote storage server uses: TCP (the default setting), TCP-RFC3195, or UDP.
8. For the Server IP setting, type the IP address of the remote storage server.
9. For the Server Port setting, type a port number or use the default value, 514.
10. To ensure that the system logs requests for the web application (when logging locally as well as remotely), select the Guarantee Logging check box.
    Note: Enabling this setting may slow access to the associated web application.
11. Optionally, adjust the maximum request, header, and query string size and maximum entry length settings. (Refer to online help for details on the settings.)
12. If you want the system to log details (including the start and end time, number of dropped requests, attacking IP addresses, and so on) about brute force attacks, DoS attacks, IP enforcer attacks, or web scraping attacks, select the Report Detected Anomalies check box.
14. Click the Create button.
    The screen refreshes, and displays the new logging profile.
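To check what a receiver actually gets from an ArcSight logging profile, this added example (not F5 or ArcSight code) parses a line in the CEF layout shown above, handling escaped pipes in the header and escaped equals signs in the Extension. The sample line, its vendor, product and version values, and its extension keys are constructed assumptions, not real Application Security Manager output.

```python
import re

HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity"]
# An extension key starts the string or follows whitespace, and ends at '='.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def split_header(text, count):
    """Split off `count` pipe-delimited fields, honouring the \\| and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and text[i + 1:i + 2] in ("\\", "|"):
            cur.append(text[i + 1])  # escaped character is literal data
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < count:  # last field ran to end of line (no Extension)
        fields.append("".join(cur))
    if len(fields) != count:
        raise ValueError("CEF header needs %d fields" % count)
    return fields, text[i:]


def unescape(value):
    """Undo Extension escapes: \\= and \\\\ are literal, \\n and \\r are line breaks."""
    table = {"n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Parse one CEF line (an optional syslog prefix is skipped) into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    fields, ext = split_header(line[start + 4:], len(HEADER_FIELDS))
    event = dict(zip(HEADER_FIELDS, fields))
    matches = list(KEY_RE.finditer(ext))
    extension = {}
    for j, m in enumerate(matches):
        # A value runs until the whitespace before the next key, or to the end.
        end = matches[j + 1].start() if j + 1 < len(matches) else len(ext)
        extension[m.group(1)] = unescape(ext[m.end():end])
    event["extension"] = extension
    return event


# Constructed sample line; every field value here is a placeholder.
SAMPLE = (r"<131>Jan 12 10:00:00 bigip1 ASM:CEF:0|F5|ASM|0.0.0|Constructed violation"
          r"|Constructed \| violation|5|src=192.0.2.10 "
          r"request=GET /search?q\=1 HTTP/1.1 act=blocked")

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```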
1. On the Main tab, expand Application Security, point to Options, and then click Logging Profiles.
   The Logging Profiles screen opens.
2. In the Logging Profiles area, click the name of an existing logging profile.
   The Edit Logging Profile screen opens.
3. For the Storage Filter setting, select Advanced.
   The screen refreshes to display additional settings.
4. For the Logic Operation setting, select the manner in which the system associates the criteria you specify. The criteria are the remaining settings in the storage filter.
      OR: Select this operator if you want the system to log the data that meets one or more of the criteria.
      AND: Select this operator if you want the system to log the data that meets all of the criteria.
5. For the Request Type setting, select the kind of requests that you want the system to store in the log.
6. For the Protocols setting, select whether logging occurs for HTTP and HTTPS protocols or a specific protocol.
7. For the Response Status Codes setting, select whether logging occurs for all response status codes or specific ones.
8. For the HTTP Methods setting, select whether logging occurs for all methods or specific methods.
9. For the Request Containing String setting, select whether the request logging is dependent on a specific string.
10. Click the Update button.
    The screen refreshes, and displays the new logging profile on the Logging Profiles screen.
You can customize the severity levels of security policy violations for application security events that the system displays in the Security Alerts screen, which is also the message logged in the Syslog, in response to violations. The event severity levels are Informational, Notice, Warning, Error, Critical, Alert, and Emergency. They range from least severe (Informational) to most severe (Emergency).
Note: When you make changes to the event severity level for security policy violations, the changes apply globally to all web applications.
1. On the Main tab, expand Application Security, point to Options.
4. Click the Save button to retain any changes.
Tip: If you modify the event severity levels for any of the security policy violations, and later decide you want to use the system-supplied default values instead, click the Restore Defaults button.
Locally stored system logs for the Application Security Manager are accessible from the Configuration utility for the BIG-IP system. Note that these are the logs for general system events and user activity. Security violation events are displayed in the Configuration utility for the Application Security Manager.
Tip: If you prefer to review the log data from the command line, you can find the application security log data in the /var/log/asm directory.
1. On the Main tab, expand System, and then click Logs.
   The System Logs list screen opens.
2. On the menu bar, click Application Security.
   The Application Security log list screen opens, where you can review the logged entries.
The RegExp Validator is a system tool designed to help you verify your regular expression syntax. You can type a regular expression in the RegExp Validator, provide a test string pattern, and let the tool analyze the data.
1. On the Main tab, expand Application Security, point to Options, and then click RegExp Validator.
   The RegExp Validator screen opens.
2. In the RegExp box, perform one of the following tasks to specify how you want the validator to work:
3. Click the Validate button.
   The screen refreshes and shows the results of the validation.
If you want the system to send email to users, such as when configuring the system to send reports using email (refer to Scheduling and sending graphical charts using email), you must enable the SMTP mailer and configure an SMTP server.
Note: For the SMTP mailer to work, you must make sure the SMTP server is on the DNS lookup server list, and configure the DNS server on the BIG-IP system (System > Configuration > Device > DNS).
1. On the Main tab, expand Application Security, point to Options, and then click SMTP Configuration.
   The SMTP Configuration screen opens.
2. Select the Enable SMTP mailer check box.
3. For SMTP Server Host Name, type the fully qualified host name of an SMTP server (for example, smtp.example.com).
4. For SMTP Server Port Number, type the SMTP port number (25 is the default for no encryption; 465 is the default if SSL or TLS encryption is the encryption setting).
5. For Local Host Name, type the fully qualified host name of the BIG-IP system.
6. For From Address, type the email address to use as the reply-to address that the recipient sees.
7. For Encrypted Connection, select whether the SMTP server requires an encrypted connection to send mail. Select No encryption, SSL (Secure Sockets Layer), or TLS (Transport Layer Security).
8. If you want the SMTP server to validate users before sending email, select the Use Authentication check box, then type the Username and Password that the SMTP server requires for validation.
9. Click Save to save the configuration.