Manual Chapter: Working with Application Security Classes

An application security class is the logical bridge, or link, between the local traffic components and the application security components. You create one or more application security classes, and then assign them as resources for one or more local traffic virtual servers. When the virtual server receives an HTTP request, it applies the application security classes, in the listed order, and if the traffic classifiers find a match in the request, the system routes the request to the Application Security Manager.
In the application security class, the traffic classifiers specify which incoming HTTP traffic should be routed through the Application Security Manager. The traffic classifiers use different elements of an HTTP request, including host header values, URI paths, other headers and values, and cookie names (or a combination of all of these), to determine which requests go to the Application Security Manager. For requests that match the traffic classifiers, the Application Security Manager applies the active security policy to the designated traffic, and processes the traffic according to the security policy settings.
When you configure an application security class, the system automatically creates a default web application and security policy in the Application Security Manager configuration. You can create several application security classes for your web site, so that you can apply different security policies to different aspects of your web application. Note that while you can create several security policies for your web application, you can have only one active security policy for each web application.
The application security class and the HTTP class profile are two names for the same basic object in the Configuration utility. The primary difference between the two objects is that when you create an application security class, the system automatically enables the Application Security setting. For HTTP class profiles, you must explicitly enable the Application Security setting within the profile, as well as enabling all of the option settings for this object.
You configure application security classes from the Application Security navigation pane. You configure HTTP class profiles from the Profiles link in the Local Traffic section of the Main tab. (For information on the generic HTTP class profile, see the Managing Protocol Profile chapter, in the Configuration Guide for BIG-IP® Local Traffic Manager.)
Tip: F5 Networks recommends that you create the application security classes from the Application Security section on the Main tab of the navigation pane so that the system automatically enables the application security options for you.
1. On the Main tab of the navigation pane, expand Application Security, and then click Classes.
   The HTTP Class Profiles screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
3. Type a name for the application security class.
   Note that in the application security configuration, the corresponding web application and security policy also use this name.
5. Above and on the right of the Actions area, select the Custom check box to enable Actions options.
6. For the Send To setting, select Pool from the list.
   The screen refreshes, and the action settings are all enabled.
7. For the Pool setting, select the local traffic pool that contains the web server resources for your web application.
   Note: If you have not already configured a local traffic pool, refer to Defining a local traffic pool.
8. Click Finished.
The system adds the new application security class, and also automatically creates a web application with the same name, and creates a security policy with the same name with a _default suffix.
You can use the traffic classifiers in the application security class to specify exactly which traffic goes through the Application Security Manager before it reaches the web application resources. The traffic classifiers perform pattern matching against HTTP requests, based either on wildcard strings or on regular expressions. When the traffic classifier finds a match in an HTTP request, the system forwards that request to the Application Security Manager. The Application Security Manager then applies the active security policy to the request.
The traffic classifiers perform pattern matching using either literal strings or regular expressions. The literal strings can include wildcard characters, such as asterisk (*) or question mark (?). The regular expressions use the Tcl regular expression syntax. You can use a mixture of matching types within each traffic classifier.
Note: Pattern-matching traffic classifiers are case-sensitive; that is, www.F5.com is not the same as www.f5.com. See the F5 Dev Central web site, http://devcentral.f5.com, for information on Tcl expressions and syntax.
You can configure one or more traffic classifiers in each application security class. If a traffic classifier has multiple entries in its list, the system checks the entries until it finds a match, and forwards the request when it does; the request does not have to match all of the entries in the list. If you configure more than one type of classifier (for example, both a URI path and a header traffic classifier), the system forwards to the Application Security Manager only the traffic that matches both traffic classifier types.
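The matching rules described above, modeled as an added Python example (not F5 code and not part of the original manual). Python's `re` stands in for Tcl regular expressions, pattern strings are assumed to match the whole value, first-match across ordered classes is assumed, and all class names, hosts and paths are constructed.

```python
import re

def glob_to_regex(pattern):
    # Pattern strings: '*' matches any run of characters, '?' exactly one.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)

def entry_matches(entry, value):
    kind, pattern = entry
    if kind == "regex":
        # Assumption: Python's re stands in for Tcl regular expressions.
        return re.search(pattern, value) is not None
    # Assumption: a pattern string must match the whole value. Case-sensitive.
    return re.fullmatch(glob_to_regex(pattern), value, re.DOTALL) is not None

def class_matches(classifiers, request):
    # AND across configured classifier types, OR across entries in each list.
    # Assumption: a classifier type that is not configured is not checked.
    for kind, entries in classifiers.items():
        values = request.get(kind, [])
        if not any(entry_matches(e, v) for e in entries for v in values):
            return False
    return True

def first_matching_class(classes, request):
    # Classes are applied in the listed order (assumed: first match wins).
    for name, classifiers in classes:
        if class_matches(classifiers, request):
            return name
    return None

# Constructed sample configuration and requests (hypothetical names).
CLASSES = [
    ("store_class", {"hosts": [("pattern", "www.example.com")],
                     "paths": [("pattern", "/store/*"),
                               ("regex", r"^/checkout/[0-9]+$")]}),
    ("info_class", {"hosts": [("pattern", "*.example.com")]}),
]
REQUESTS = [
    {"hosts": ["www.example.com"], "paths": ["/store/cart"]},   # host AND path
    {"hosts": ["www.example.com"], "paths": ["/about"]},        # host only
    {"hosts": ["www.Example.com"], "paths": ["/store/cart"]},   # case differs
    {"hosts": ["192.0.2.10"], "paths": ["/store/cart"]},        # IP in Host
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req, "->", first_matching_class(CLASSES, req))
```

A request whose Host header carries an IP address or a differently cased name matches neither class in this model, which is the effect the Hosts classifier relies on.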
You can use the Hosts traffic classifier to specify hosts whose traffic you want to direct through the Application Security Manager. When you use the Hosts traffic classifier, the system performs pattern matching against the information contained in the Host header in a request.
Tip: Just by configuring the valid host headers for the web application, you acquire immunity to most of the worms that are spread by an IP address as a value in the Host header.
1. In the navigation pane, expand Application Security and click Classes.
   The HTTP Class list screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
4. Above the Configuration area, select the Custom check box to enable the Configuration options.
5. For the Hosts setting, select Match only.
   The screen refreshes, and you see the Host List settings.
6. Add hosts to the Host List as needed:
   a) After Host, type the host name of the host for which the system routes HTTP traffic through the Application Security Manager.
   b) For Entry Type, select Pattern String or Regular Expression (regex).
   c) Click Add.
      The host is added to the list.
8. Click Finished.
The system adds the new application security class, the corresponding web application, and a default security policy to the configuration, and displays the HTTP Class Profiles list screen.
You can use the URI Paths traffic classifier to specify one or more URI paths whose requests you want to direct through the Application Security Manager. When you use the URI Paths traffic classifier, the system performs pattern matching against the URI path in a request.
1. In the navigation pane, expand Application Security and click Classes.
   The HTTP Class list screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
4. Above the Configuration area, select the Custom check box to enable the Configuration options.
5. For the URI Paths setting, select Match only.
   The screen refreshes, and you see the URI Path List settings.
6. Add URIs to the URI Path List as needed.
   a) After URI Path, type the URI path for which the system routes HTTP traffic through the Application Security Manager.
   b) For Entry Type, select Pattern String or Regular Expression (regex).
   c) Click Add.
      The URI is added to the list.
8. Click Finished.
The system adds the new application security class, the corresponding web application, and a default security policy to the configuration, and displays the HTTP Class Profiles list screen.
You can use the Headers traffic classifier to specify one or more headers whose associated requests you want to direct through the Application Security Manager. When you use the Headers traffic classifier, the system performs pattern matching against the headers and their values in a request.
Note: If you want to classify traffic using the Cookie header, use the Cookies traffic classifier instead of the Headers traffic classifier. See Classifying traffic using cookies, for more information.
1. In the navigation pane, expand Application Security and click Classes.
   The HTTP Class Profiles list screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
4. Above and on the right of the Configuration area, select the Custom check box to enable the Configuration options.
5. For the Headers setting, select Match Only.
   The screen refreshes, and you see the Header List settings.
6.
   a) After Header, type the header. Include the colon when you add headers to this list, for example: User-Agent:<value>.
   b) For Entry Type, select Pattern String or Regular Expression (regex).
   c) Click Add.
      The header is added to the list.
7. Select the Entry Type, either Pattern String or Regular Expression (regex). When you select Regular Expression (regex), the system prepends (regex) when you add the object to the list.
9. Click Finished.
The system adds the new application security class, the corresponding web application, and a default security policy to the configuration, and displays the HTTP Class Profiles list screen.
You can use the Cookies traffic classifier to specify one or more cookies whose associated requests you want to direct through the Application Security Manager. When you use the Cookies traffic classifier, the system performs pattern matching against the cookie name information in the Cookie header in a request.
1. In the navigation pane, expand Application Security and click Classes.
   The HTTP Class Profiles list screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
4. Above the Configuration area, select the Custom check box to enable the Configuration options.
5. For the Cookies setting, select Match Only.
   The screen refreshes, and you see the Cookie List settings.
6. Add cookie names to the Cookie List as needed:
   a) After Cookie, type the cookie.
   b) For Entry Type, select Pattern String or Regular Expression (regex).
   c) Click Add.
      The cookie is added to the list.
8. Click Finished.
The system adds the new application security class, the corresponding web application, and a default security policy to the configuration, and displays the HTTP Class Profiles list screen.
The actions of the application security class designate what the system does with the traffic when the traffic matches one or more of the traffic classifier criteria. The actions for the application security class are as follows.
Send to pool
When you use the send to pool action, the system sends any traffic that matches the traffic classifier criteria (or the pool that was defined as a resource of the associated virtual server) to the Application Security Manager.
Redirect to another resource
When you use the redirect action, the system sends any matching traffic (based on the full HTTP URI) to another resource on the network. You can use Tcl expressions to create a custom redirection. See the F5 Dev Central web site, http://devcentral.f5.com, for information on Tcl expressions and syntax.
None
When you use the none action, the system does nothing with the traffic within the context of this application security class. The system may process the request according to other settings for the virtual server, for example, forward the request to the virtual server's default pool.
1. In the navigation pane, expand Application Security and click Classes.
   The HTTP Class Profiles list screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
4. Above the Configuration area, select the Custom check box to enable the Configuration options.
6. Above the Actions area, select the Custom check box to enable the Actions options.
7. For the Send To setting, specify what you want the system to do with the traffic related to this application security class. See the online help for assistance with specific screen elements.
8. Click Finished.
The system adds the new application security class, the default security policy, and the default web application to the configuration, and displays the HTTP Class Profiles list screen.
You can use the Rewrite URI action to rewrite a URI without sending an HTTP redirect to the requesting client. For example, an ISP provider may host a site that is composed of different web applications, that is, a secure store application and a general information application. To the client, these two applications are the same site, but on the server side they are different applications. Using the Rewrite URI action transparently redirects the client to the appropriate application.
You use Tcl expressions for this setting. If you use a static URI, the system maps the static URI for every incoming request. For details on using Tcl expressions, and Tcl syntax, see the F5 Networks Dev Central web site, http://devcentral.f5.com.
Note: The Rewrite URI action is applicable only if you are using the Hosts or URI Paths traffic classifiers.
1. In the navigation pane, expand Application Security and click Classes.
   The HTTP Class list screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
4. Above the Configuration area, select the Custom check box to enable the Configuration options.
6. Above the Actions area, select the Custom check box to enable Actions options.
7. For the Send To setting, select Pool from the list.
   The screen refreshes and shows more options.
8. For the Pool setting, select the name of the local traffic pool to which you want the system to send the traffic.
9. For the Rewrite URI setting, type the Tcl expression that represents the URI that the system inserts in the request to replace the existing URI.
10. Click Finished.
The system adds the new application security class, the default security policy, and the default web application to the configuration, and displays the HTTP Class Profiles list screen.