Manual Chapter: Maintaining Security Policies

Security policies can change and evolve over time. As the nature of the web traffic through the web application changes, you adjust the security policy as required. Several options exist to facilitate the maintenance of the security policy. You have the option to:
You can access a security policy for editing from either the Security Policies screen, or from the editing context area. The editing context area appears at the top of almost every screen throughout the Application Security Manager. Figure 9.1 displays the editing context area.
1. In the Application Security navigation pane, click Policies List.
The Security Policies screen opens.
Note: If a security policy's entire row is highlighted in gray, this indicates that another user is currently editing it. As a result, you can view but not edit that security policy.
2. In the Security Policies area, click the name of the security policy that you want to edit.
The Policy Properties screen opens.
4. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
1. In the Application Security navigation pane, click Policies List.
The Security Policies screen opens.
2.
3. Click the Copy button.
The Copy Security Policy screen opens.
4. In the New Security Policy Name box, accept or change the name for the security policy, and then click Save. (The default name is <original_policy_name>_copy.)
The system displays a message when the policy is successfully copied.
5. Click OK.
The screen refreshes, and you see the new security policy in the Security Policies List.
Important: In the Security Policies List, the Active icon next to a security policy indicates that this policy is active. The Modified icon indicates that the security policy has been modified, and you must click the Apply Policy button to implement any changes in the security policy.
You can export security policies as a binary archive file or as a readable XML file. For example, you may want to export a security policy from one web application so that you can use it as a baseline for a new web application. You can also export a security policy to archive it on a remote system before upgrading the system software, to create a backup copy, or to use the exported security policy in a policy merge. (See Merging two security policies, for more information on merging policies.)
You can export the security policy to a remote system or other location. The XML or archive file includes the name of the security policy and the date it was exported. If you saved the policy as an XML file, you can open it to view the configured settings of the security policy in a human-readable format.
1. In the Application Security navigation pane, click Policies List.
The Security Policies screen opens.
2. In the Security Policies list, select the security policy that you want to export by clicking the button on its left, then:
3. In the file download screen, save the file.
The system exports the security policy in the format you specified and saves it in the remote location.
You can import a security policy previously saved in archive policy or XML format to quickly apply a security policy to a new web application. You can also use the import option to restore a security policy from a remote system.
1. In the Application Security navigation pane, click Policies List.
The Security Policies screen opens.
2. Below the Security Policies area, click the Import button.
The Import Security Policy screen opens.
3. In the Choose File box, click the Browse button to navigate to the security policy that you want to import.
4. Click Import.
The system displays a success status message when the operation is complete.
5. Click OK.
The screen refreshes, and the imported security policy is in the Security Policies List.
Important: The names of security policies must be unique within the Application Security Manager. If the name of the imported security policy already exists, the system renames the imported file by adding a sequential number to the end of the name.
You can use the policy merge option to combine two security policies. For example, you can use the policy merge option to merge a security policy that you have built offline into a security policy that is on a production system.
The merge mechanism is lenient when merging security policies. The merge action does not delete anything from the target security policy. The system resolves any conflicts that occur by retaining the settings of the target security policy. When the merge is complete, the system displays the beginning of a merge report of all security policy components that were modified or added during the merge process. In addition, you have the option to view or download the complete merge report. You can save the Policy Merge Report as a text file (*.txt), so that you can review the details of the merge, and resolve any errors that may have occurred.
Important: When a security policy contains restrictive components, for example, a user-defined attack signature set, the merge tool deletes it. As you add signature sets to a security policy, it becomes more restrictive, and thus, harder to perform a merge.
Entities in the target security policy whose values are different from those in the merged security policy
(If this occurs, the system does not change the target security values.)
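The merge rules described above (nothing is deleted from the target, and the target's settings win any conflict) can be modeled in a few lines. This is an added example, not Application Security Manager code: the dictionary layout, the setting names, and the sample policies are assumptions constructed for illustration and do not reflect the exported policy format.

```python
# Added example: a simplified model of the merge rules described above.
# The dict layout (entity type -> entity name -> settings) and all sample
# values are constructed for illustration; this is not the ASM export format.

def merge_policies(target, source):
    """Merge `source` into a copy of `target` and return (merged, report).

    Rules taken from the text: nothing is deleted from the target, entities
    found only in the source are added, and when both policies define the
    same entity with different values the target's values are retained.
    """
    merged = {etype: {name: dict(cfg) for name, cfg in ents.items()}
              for etype, ents in target.items()}
    report = {"added": [], "conflicts": []}
    for etype in sorted(source):
        bucket = merged.setdefault(etype, {})
        for name, cfg in sorted(source[etype].items()):
            if name not in bucket:
                bucket[name] = dict(cfg)
                report["added"].append((etype, name))
            elif bucket[name] != cfg:
                keys = sorted(k for k in set(bucket[name]) | set(cfg)
                              if bucket[name].get(k) != cfg.get(k))
                report["conflicts"].append((etype, name, keys))
    return merged, report


# Constructed sample: a production (target) policy and one built offline.
TARGET = {
    "urls": {"/login": {"methods": ["GET", "POST"]},
             "/legacy": {"methods": ["GET"]}},
    "parameters": {"session_id": {"max_length": 256}},
}
SOURCE = {
    "urls": {"/login": {"methods": ["POST"]},
             "/api/v2": {"methods": ["GET"]}},
    "parameters": {"session_id": {"max_length": 64},
                   "csrf_token": {"max_length": 64}},
}

if __name__ == "__main__":
    merged, report = merge_policies(TARGET, SOURCE)
    for etype, name in report["added"]:
        print(f"added     {etype}: {name}")
    for etype, name, keys in report["conflicts"]:
        print(f"conflict  {etype}: {name} (target kept for {', '.join(keys)})")
```

In this model the conflict entries are the places where a tighter setting from the offline policy did not reach the target, which is why the conflicts listed in the merge report deserve review after every merge.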
1. In the Application Security navigation pane, click Policies List.
The Security Policies screen opens.
2. In the Security Policies area, select the target security policy by clicking the button on its left (the one into which the system merges the second security policy), and click the Merge button.
The Merge Security Policies screen opens.
3. In the Merge Security Policies area, for the Security Policy To Be Merged setting, either type a path, or click the Browse button, and navigate to the exported security policy file that you want to merge into the target security policy.
4.
6. Click the Merge button.
The system merges the exported security policy into the target security policy, and produces a Merge Report.
7. Click the Download Full Report button to open or save the entire Merge Report.
1. In the Application Security navigation pane, click Policies List.
The Security Policies screen opens.
2. In the Security Policies area, select the security policy that you want to delete, and click the Delete button below the list.
A confirmation popup screen opens, to confirm that you want to delete the security policy.
3. Click OK.
The screen refreshes and you no longer see the security policy in the Security Policies List.
Important: You cannot remove a security policy that is currently active. The active policy for a web application has the Active icon next to the name in the Security Policies List.
If you delete a security policy, and later decide that you did not want to do that, you can restore the security policy from the Security Policy Recycle Bin.
1. In the Application Security navigation pane, click Policies List.
The Security Policies screen opens.
2. Below the Security Policies area, click the Import button.
The Import Policy screen opens.
3. In the Security Policy Recycle Bin list, select the security policy that you want to restore, and then click the Restore button.
A confirmation popup screen opens, where you confirm that you want to restore the security policy.
4. Click OK.
The system restores the security policy, and displays a success message.
5. Click OK.
The screen refreshes, and you see the restored security policy in the Policies List.
The Application Security Manager keeps an archive of security policies that have been set to active. Every time you make a security policy the active security policy, the system saves a version of that security policy, and archives it. The system retains up to fifty archived versions. You can restore any of the archived security policies, and make it the active security policy.
Tip: In the Security Policies list, on the Policies List screen, the security policy version number is in square brackets next to the security policy name.
1. In the Application Security navigation pane, click Policies List.
The Security Policies screen opens.
2. In the Configuration editing context area, ensure that the edited security policy is the one you want to update.
3. In the Security Policies list, click the security policy whose archived version you want to view or restore.
The Security Policy Properties screen opens.
4. On the menu bar, click History.
The Security Policy History screen opens, where you can view the archived versions of the security policy.
5. To restore an archived security policy, select the version, and then click the Restore button below the list.
The Restore Security Policy screen opens.
6. In the Security Policy Name box, change the name as required.
8. Click OK.
The popup screen closes, and on the Security Policies screen, you see the restored security policy in the Security Policies list.
Application Security Manager includes several audit tools that you can use to query a security policy to find the information you are looking for. You can use the audit tools to analyze suspicious policy states (for example, URLs allowed to modify domain cookies). Each tool type specifies a predefined URL, parameter, or flow filter that helps to identify conflicts and errors in the security policy.
1. In the Application Security navigation pane, point to Policy and click Audits.
The Policy Audits screen opens.
3. From the Tool Type list, select an audit tool, and then click Go.
The screen refreshes, and the system displays the audit report.