
Manual Chapter: Configuration Guide for BIG-IP® Application Security Management: 4 - Working With Web Applications


4

Working With Web Applications


What is a web application?

In the Application Security Manager, a web application is the logical representation of the application that you are securing with one or more security policies. When you create an application security class, the system automatically creates a corresponding web application and default security policy for the web application.

Note

For detailed information on application security classes, refer to Chapter 3, Working With Application Security Classes.

Viewing the configured web applications

Once you have created any Application Security classes, you can review the corresponding list of web applications within the Application Security Manager. The web application list provides the following summary information:

  • The name of the web application or web application group
  • The current active security policy
  • The Blocking mode of the security policy
  • The level of logging
  • Whether the web application (and the corresponding application security class) is enabled or disabled

To view the list of web applications

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Application Groups screen opens.
  2. Click a web application name to view or modify its properties.
  3. Alternatively, click an active policy to view or modify its properties.

Note

For information on working with web application groups, refer to Working with web application groups.

Configuring the properties of a web application

In the Application Security Manager, the web application properties specify the general attributes and preferences for the web application itself. The web application properties help refine how the Application Security Manager processes requests for the web application.

To view the web application properties

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click a web application name.
    The Web Application Properties screen opens, where you can view and modify the web application's properties and security policies.

Configuring the web application language

Every web application has a language encoding that determines the character set that browsers use to display the application. The Application Security Manager supports single-byte and several double-byte language encodings. You must set the application language so that the Application Security Manager knows the acceptable character set for the application. The Application Security Manager uses the encoding associated with the selected language for policy editing purposes. The Policy Enforcer also uses the language encoding for the web application when applying a security policy to a request.

Important

You must set the application language before you can see or work with any of the other web application properties, or configure security policies for the web application. Note that once you set the web application language, you cannot change it.

To set the web application language

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click a web application name.
    The Web Application Properties screen opens.
  3. In the Web Application Properties section, from the Application Language list, select the character set encoding that is appropriate for your web application.
  4. Click Update.
    The screen refreshes, and you see the web application properties and policies list.

Configuring the active security policy

The active security policy is the security policy that the Application Security Manager uses to validate requests for, and responses from, the web application. Only one security policy can be active at a time, even though you may have several security policies configured for the web application.

To configure the active security policy

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click a web application name.
    The Web Application Properties screen opens.
  3. In the Web Application Properties section, in the Active Security Policy list, select the security policy that you want to be the active security policy for the web application. Note that the system automatically enables (checks) the Apply Policy setting when you change the Active Security Policy setting on this screen.
  4. Click Update.
    The screen refreshes, and in the Policies List, you see the Active Policy icon next to the new active security policy.

Important

You can set the active security policy from most screens in the Configuration utility, in addition to setting it from the Web Application Properties screen, as described above. For more information on setting the active security policy, see Setting the active policy for a web application.

Configuring requests logging

The requests logging setting determines whether the system logs every request for a web application, or only those requests that violate the active security policy. You can review the logged requests on the Forensics screen for the web application.

Tip

If your web application receives a high volume of requests, you may want to log only those requests that violate the active security policy so that the system resources are not overburdened.

To set the requests logging level

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click a web application name.
    The Web Application Properties screen opens.
  3. In the Web Application Properties section, for the Request Logging setting, select the logging level for the web application.
  4. Click Update.
    The system updates the configuration with any changes you may have made.

Enabling traffic sampling for the Policy Builder

The Policy Builder is a tool that you can use to build a security policy based on real traffic (both requests and responses) and generated traffic. When you enable traffic sampling for a web application, the Policy Builder extracts web objects, parameters, flows, and other web application components from request and response pairs. You can configure traffic sampling to occur either at a specified interval, or on a continuous basis.

Note

Traffic sampling applies only to the following Policy Builder operation modes: Real Traffic (Responses) and Real Traffic (Requests). For more information on the Policy Builder operation modes, refer to Understanding the Policy Builder operation modes.

To enable traffic sampling for the Policy Builder

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click a web application name.
    The Web Application Properties screen opens.
  3. In the Web Application Properties section, for the Traffic Sampling option, select whether you want to enable or disable traffic sampling. Note that if you select interval traffic sampling, you must specify a time interval, in seconds.
  4. Click Update.
    The system updates the configuration with any changes you may have made.

For more information on working with the Policy Builder, refer to Chapter 6, Building a Security Policy With the Policy Builder.

Configuring the target security policy for learning suggestions

When you accept the learning suggestions that the Learning Manager generates, it updates the target security policy. This is the security policy that you specify as the one to which the Application Security Manager applies learning. Depending on which option you select for the Apply Learning to setting, the Application Security Manager updates only the active security policy, all security policies (those in the web application's Security Policies List), or a specific security policy.

To configure the target security policy for learning suggestions

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click a web application name.
    The Web Application Properties screen opens.
  3. In the Web Application Properties section, for the Apply Learning To setting, select the appropriate security policy option.
  4. Click Update.
    The system updates the configuration with any changes you may have made.

For more information on the Learning Manager and working with learning suggestions, refer to Chapter 8, Refining the Security Policy Using Learning.

Enabling dynamic sessions in URLs

When a web application uses dynamic sessions in URLs, the Application Security Manager cannot use its normal functions to extract and enforce objects or flows because the URI becomes dynamic. If the web application that you are securing stores dynamic session information in a URL, you can enable the Dynamic Sessions in URL option so that these requests do not trigger security policy violations. When you enable the Dynamic Sessions in URL option, the Application Security Manager extracts the dynamic session information from the request, based on the pattern that you configure, and applies the security policy to the remaining elements in the URI. Additionally, the system can extract the dynamic session information from a response.

Important

The Dynamic Sessions in URL option applies only to security policies that use the high security level. If you enable this setting and you use only a standard security level, the Policy Enforcer ignores the dynamic session setting.

To enable dynamic sessions in URLs

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click a web application name.
    The Web Application Properties screen opens.
  3. In the Web Application Properties section, for the Dynamic Sessions in URL option, enable or disable the dynamic sessions in URL as required by the web application. For help with the settings, click the Help tab in the navigation pane.
  4. Click Update.
    The system updates the configuration with any changes you have made.
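
The extract-then-enforce behaviour described in this section, as an added Python illustration; it is not F5 code and does not show how the Application Security Manager is implemented. The session pattern (an ASP.NET-style cookieless path segment), the URL allow-list, and the function names are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption: session tokens appear as an ASP.NET-style cookieless path
# segment, e.g. /(S(token))/. Pattern constructed for this example.
SESSION_PATTERN = re.compile(r"/\(S\(([A-Za-z0-9]{8,32})\)\)")

# Constructed allow-list standing in for the objects a policy has learned.
ALLOWED_OBJECTS = {"/shop/cart.aspx", "/shop/checkout.aspx", "/login.aspx"}


def split_session(uri, pattern=SESSION_PATTERN):
    """Return (static_path, session_token); the token is None if absent."""
    path = urlsplit(uri).path
    match = pattern.search(path)
    if match is None:
        return path, None
    # Strip only the first token. A second one stays in the path, so the
    # request still fails the allow-list check instead of slipping through.
    return path[:match.start()] + path[match.end():], match.group(1)


def check_request(uri, dynamic_sessions_enabled):
    """Check the URI against the allow-list, optionally removing the token."""
    if dynamic_sessions_enabled:
        path, token = split_session(uri)
    else:
        path, token = urlsplit(uri).path, None
    verdict = "allowed" if path in ALLOWED_OBJECTS else "illegal-object"
    return {"path": path, "session": token, "verdict": verdict}


# Constructed sample requests.
SAMPLES = [
    "/shop/(S(a1b2c3d4e5f6a7b8c9d0e1f2))/cart.aspx?item=7",
    "/shop/(S(a1b2c3d4e5f6a7b8c9d0e1f2))/admin.aspx",
    "/login.aspx",
]

if __name__ == "__main__":
    for enabled in (False, True):
        for uri in SAMPLES:
            print(enabled, uri, check_request(uri, enabled))
```

With extraction disabled, the legitimate cart request is reported as an illegal object because its path changes with every session; with extraction enabled it matches the allow-list, while the unknown `admin.aspx` object is still rejected.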

Returning a web application to a new, unconfigured state

There may be circumstances when you want to remove all security policies, forensics, logging, and configuration information from a web application, and set the web application back to a new, non-configured state. You can do this by using the Reconfigure button on the Web Application Properties screen.

Important

Using the Reconfigure button to clear the configuration information for a web application is a permanent action, and cannot be undone. Use this setting with caution.

To set a web application back to a new state

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click a web application name.
    The Web Application Properties screen opens.
  3. Below the Web Application Properties area, click the Reconfigure button.
    A confirmation popup screen opens.
  4. Click OK to complete the reset action.
    The system deletes all data associated with this web application from the configuration.

Working with web application groups

A web application group is a collection of web applications within the Application Security Manager configuration. Web application groups are made up of two or more web applications. A web application can belong to more than one web application group; however, a web application does not have to belong to a web application group. The Application Security Manager lists web applications that are not members of any web application group in the ungrouped area of the Web Application Groups screen.

Recall that there is a one-to-one relationship between application security classes and web applications. In many cases, you may have several application security classes (and thus, web applications) configured for one actual web application. You can create a web application group, and then use that group to consolidate the forensics, events, and log information about the actual web application.

Creating a web application group

When you create a web application group, you are creating an association between the member web applications. Once you have created a web application group, you can view statistics, logging, forensics, and security events in the context of the web application group, in addition to the individual web applications themselves.

To create a web application group

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Application Groups screen opens.
  2. Click the Create button.
    The Group Properties screen opens.
  3. In the Name box, type a name for the group.
  4. For the Web Applications setting, from the Available list, select the web applications that you want to add to the new web application group, and use the Move (<<) button to add them to the Members list.
  5. Click Save to update the configuration with the new web application group.

Removing a web application group

If you no longer require the web application group, you can easily remove the group from the configuration. Note that this action does not delete the web applications themselves.

To delete a web application group

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Application Groups screen opens.
  2. Check the Select box next to the web application group that you want to delete, and then click Delete.
    A confirmation popup screen opens.
  3. Click OK.
    The system deletes the web application group.

Working with a disabled web application

There are two situations in which the Application Security Manager automatically disables web applications. These situations occur when you:

  • Disable the Application Security setting on an application security class
  • Delete an application security class entirely

The system disables the web application because a web application must have a corresponding application security class.

Note

For more information on application security classes, refer to Chapter 3, Working With Application Security Classes.

Viewing disabled web applications

When the system disables a web application, it moves the web application to the Disabled Web Applications list screen. From there, you can decide whether to permanently delete or to retain the web application.

To view the disabled web applications

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Application Groups screen opens.
  2. On the menu bar, click Disabled Web Applications.
    The Disabled Web Applications screen opens, where you can review the currently disabled web applications.

Re-enabling a web application

You can re-enable a disabled web application either by creating an application security class with the same name as the disabled web application, or by re-enabling the Application Security setting for an existing application security class. In both cases, the system automatically re-enables the disabled web application as long as the application security class has exactly the same name as the disabled web application.

Overview of the Security Policies List

On the Web Application Properties screen, the Security Policies List section displays all of the security policies that exist for the web application. The Security Policies List provides summary information about the web application's security policies, including the blocking mode, security level, time at which the security policy was set to active, and the user who set the security policy to active. You can also perform many administrative actions from the security policy list, including creating, exporting, importing, copying, merging, viewing the history of, or deleting a security policy. For detailed information on configuring and administering a security policy, refer to Chapter 5, Working With the Security Policy.

Note

While only one security policy can be active for a given web application, you may have several security policies configured to meet various business requirements for the web application.


