Applies To:

Show Versions Show Versions

Manual: Configuration Guide for BIG-IP Application Security Management, version 9.4

Original Publication Date: 01/08/2007

Configuration Guide for BIG-IP®
Application Security Management
version 9.4

Table of Contents

Legal Notices

1. Introducing Application Security Management

Introducing the BIG-IP system

Overview of the BIG-IP Application Security Manager

Summary of the Application Security Manager features

Introducing application security for the BIG-IP Local Traffic Manager

Highlights of this configuration guide

Using the Configuration utility

Browser support for the Configuration utility

Identifying referrer objects in the Configuration utility

Stylistic conventions in this document

Using the solution examples

Identifying new terms

Identifying references to products

Identifying references to objects, names, and commands

Identifying references to other documents

Identifying command syntax

Finding help and technical support resources

2. Essential Configuration Tasks

Overview of the essential configuration tasks

Defining a local traffic pool

Defining an application security class

Defining a local traffic virtual server

Configuring the web application language

Determining the required security level for the web application

Understanding the security levels

Understanding positive security logic

Setting the active policy for the web application

Refining the security policy using the Learning process

Activating blocking mode on the security policy

Maintaining and monitoring the security policy

3. Working With Application Security Classes

What is an application security class?

Understanding the difference between an application security class and an HTTP class profile

Creating a basic application security class

Understanding the traffic classifiers

How the system applies the traffic classifiers

Using the Hosts traffic classifier

Using the URI Paths traffic classifier

Using the Headers traffic classifier

Using the Cookies traffic classifier

Understanding the actions for the application security class

Using the Rewrite URI action

4. Working With Web Applications

What is a web application?

Viewing the configured web applications

Configuring the properties of a web application

Configuring the web application language

Configuring the active security policy

Configuring requests logging

Enabling traffic sampling for the Policy Builder

Configuring the target security policy for learning suggestions

Enabling dynamic sessions in URLs

Returning a web application to a new, unconfigured state

Working with web application groups

Creating a web application group

Removing a web application group

Working with a disabled web application

Viewing disabled web applications

Re-enabling a web application

Overview of the Security Policies List

5. Working With the Security Policy

What is a security policy?

Chapter overview

Working with the security policy properties

Working with the general policy properties

Configuring the security policy name and description

Viewing the security policy's corresponding web application

Configuring the security level

Configuring the blocking mode

Configuring the maximum HTTP header length

Configuring the maximum cookie header length

Configuring the flow mode

Working with the negative regular expressions pool

Overview of the Policy Builder

Working with the Blocking Response Page property

Working with the Sensitive Parameters property

Working with the Allowed Modified Cookies property

Working with the Allowed Methods property

Working with the Navigation Parameters property

Working with the security policy entities

Working with the Object Types entity

Working with the Web Objects entity

Working with the Parameters entity

Working with the Flows entity

Working with the Character Sets entity

Setting the active policy for a web application

Determining when to set the active security policy

Working with the Blocking Policy settings

Configuring the Learn, Alarm, and Block flags

How the Policy Enforcer enforces security policies

Understanding security policy violations

Overview of RFC violations

Overview of access violations

Overview of length violations

Overview of input violations

Overview of cookie violations

Overview of negative security violations

Maintaining a security policy

Editing an existing security policy

Copying a security policy

Exporting a security policy

Merging two security policies

Importing a security policy

Deleting a security policy

Restoring a deleted security policy

Viewing and restoring an archived security policy

Viewing the security policy using the security policy audit tools

6. Building a Security Policy With the Policy Builder

Overview of the Policy Builder

Configuring the general settings for the Policy Builder

Configuring a Policy Builder domain

Configuring the Start Points general setting

Configuring the Form Fillers general setting

Configuring the Page Not Found Criteria general setting

Configuring the Properties general setting

Configuring the Object Types Associations general settings

Understanding the Policy Builder operation modes

Configuring and using the Real Traffic (Responses) operation mode

Configuring and using the Real Traffic (Requests) operation mode

Configuring and using the Generated Traffic operation mode

Running the Policy Builder

Viewing the status of the Policy Builder

Stopping the Policy Builder

Working with the Policy Builder log

7. Working With Parameters

Understanding parameters

Understanding how the Policy Enforcer processes parameters

Working with global parameters

Creating a global parameter

Editing the properties of a global parameter

Deleting a global parameter

Working with web object parameters

Creating a web object parameter

Editing the properties of a web object parameter

Deleting a web object parameter

Working with flow parameters

Creating a flow parameter

Editing the properties of a flow parameter

Deleting a flow parameter

Configuring parameter characteristics

Understanding parameter types

A note about configuring parameters

Configuring parameter characteristics for static parameters

Configuring parameter characteristics for user-input parameters

Configuring the Allow Empty Value setting

Configuring the Is Mandatory Parameter setting

Working with dynamic parameters and extractions

Configuring dynamic content value parameters

Configuring parameter characteristics for dynamic parameter names

Configuring an extraction

Viewing the list of extractions

8. Refining the Security Policy Using Learning

Overview of the Learning process

Working with the learning suggestions generated by the Learning Manager

Viewing a specific learning suggestion

Viewing the requests that trigger learning suggestions

Viewing the details of a specific request

Processing the learning suggestions generated by the Learning Manager

Accepting a learning suggestion

Clearing a learning suggestion

Rejecting a learning suggestion

Additional considerations when processing learning suggestions

Overview of the Ignored Items screen

Removing items from the Ignored Items list

9. Working with the Statistics and Monitoring Tools

Overview of the statistics and monitoring tools

Working with the Events Monitoring report

Filtering the Monitoring list

Saving and restoring the events data

Working with the Security reports

Viewing the Security reports

Filtering the Security reports

Working with the Attacks reports

Viewing the Attacks reports

Filtering the Attacks reports

Working with the Executive reports

Viewing the Executive reports

Working with the Forensics screen

Filtering the Forensics list

10. General System Options

Configuring a user account for policy editing only

Viewing the application security log files

Working with the system-supplied regular expressions

Overview of the regular expressions pool

Creating a user-defined regular expression

Validating a user-defined regular expression

Overview of the default negative regular expressions pool for security policies

A. Internal Parameters for Advanced Configuration

Overview of internal parameters

B. Upgrading from TrafficShield 3.2.X to BIG-IP Application Security Manager


Upgrade compatibility

Important considerations regarding the upgrade process

Additional resources

Preparing the 3.2.X system for the upgrade

Backing up and exporting the 3.2.X system configuration

Obtaining the script

Running the script

Installing the BIG-IP version 9.4 software

Downloading the installation CD-ROM ISO image from F5 Networks

Performing a PXE installation

Performing a CD installation

Configuring an IP address for the management interface

Licensing the software using the Configuration utility

Configuring the basic network and system settings

Required network settings

Optional network and system settings

Converting 3.2.X network settings to BIG-IP 9.4 network settings

Configuring the basic local traffic settings

Creating the application security configuration

Configuring an application security class

Associating an application security class with a virtual server

Importing the saved version 3.2.X security policies into the version 9.4 configuration

Upgrading a primary with standby unit topology

Understanding redundant systems

Summary of upgrade tasks for a redundant system

Configuring the high availability settings

Configuring the failover addresses

Connecting the failover cable

Synchronizing the configuration

Sample results file from script

C. Platform-Specific Hazardous Substance Levels, for China

4100 platform