Manual Chapter: Working with Application Security Classes
An application security class is the logical bridge, or link, between the local traffic components and the application security components. You create one or more application security classes, and then assign them as resources for one or more local traffic virtual servers. When the virtual server receives an HTTP request, it applies the application security classes, in the listed order, and if the traffic classifiers find a match in the request, the system routes the request to the Application Security Manager.
In the application security class, the traffic classifiers specify which incoming HTTP traffic should be routed through the Application Security Manager. The traffic classifiers use different elements of an HTTP request, including host header values, URI paths, other headers and values, and cookie names (or a combination of all of these), to determine which requests go to the Application Security Manager. For requests that match the traffic classifiers, the Application Security Manager applies the active security policy to the designated traffic, and processes the traffic according to the security policy settings.
When you configure an application security class (or an HTTP class profile with application security enabled), the system automatically creates a default web application in Application Security Manager. You then configure an active security policy for the web application. For complex applications, you can create more than one application security class if you need to apply different security policies to different parts of the application.
The application security class and the HTTP class profile are two names for the same basic object in the Configuration utility. The primary difference between the two objects is that when you create an application security class, the system automatically enables the Application Security setting. HTTP class profiles exist (without the Application Security option enabled) on every Local Traffic Manager system, and they are used to classify HTTP traffic. By default, when you create an HTTP class profile, the Application Security setting is not enabled (and the setting is available only if you have Application Security Manager provisioned on the system).
You create application security classes from the Application Security section of the navigation pane. You create HTTP class profiles from the Profiles option in the Local Traffic section of the Main tab. (For information on the generic HTTP class profile, see the Managing Protocol Profile chapter, in the Configuration Guide for BIG-IP Local Traffic Manager.)
Tip: F5 Networks recommends that you create the application security classes from the Application Security section on the Main tab of the navigation pane so that the system automatically enables the application security option for you.
1. On the Main tab of the navigation pane, expand Application Security and then click Classes.
The HTTP Class list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
3. Type a name for the application security class.
Note that in the application security configuration, the corresponding web application and security policy also use this name.
5. Above and on the right of the Actions area, select the Custom check box to enable the Actions options.
6. For the Send To setting, select Pool from the list.
The screen refreshes, and the action settings are all enabled.
7. For the Pool setting, select the local traffic pool that contains the web server resources for your web application.
Note: If you have not already configured a local traffic pool, refer to Defining a local traffic pool.
8. Click Finished.
The system adds the new application security class, and also automatically creates a web application with the same name, and creates a security policy with the same name with a _default suffix.
Tip: For additional information about BIG-IP HTTP class traffic flow, see Solution 8018 in the AskF5 Knowledge Base, https://support.f5.com/kb/en-us/solutions/public/8000/000/sol8018.html.
You can use the traffic classifiers in the application security class to specify exactly which traffic goes through the Application Security Manager before it reaches the web application resources. The traffic classifiers perform pattern matching against HTTP requests, based either on wildcard strings or on regular expressions. When the traffic classifier finds a match in an HTTP request, the system forwards that request to the Application Security Manager. The Application Security Manager then applies the active security policy to the request.
The traffic classifiers perform pattern matching using either literal strings or regular expressions. The literal strings can include wildcard characters, such as asterisk (*) or question mark (?). The regular expressions use the Tcl regular expression syntax. You can use a mixture of matching types within each traffic classifier.
Note: Pattern-matching traffic classifiers are case-sensitive; that is, www.F5.com is not the same as www.f5.com. See the F5 Dev Central web site, http://devcentral.f5.com, for information on Tcl expressions and syntax.
You can configure one or more traffic classifiers in each application security class. Within a single traffic classifier list, the system checks the entries in order and forwards the request as soon as one entry matches. If you configure more than one type of classifier (for example, you configure both a URI path and a header traffic classifier), the system performs the pattern matching for each type and forwards to the Application Security Manager only the traffic that matches both traffic classifier types.
You can use the Hosts traffic classifier to specify hosts whose traffic you want to direct through the Application Security Manager. When you use the Hosts traffic classifier, the system performs pattern matching against the information contained in the Host header in a request.
Tip: Simply configuring the valid host names for the web application protects you against most worms that propagate by scanning IP addresses, because their requests carry an IP address, not a host name, as the value of the Host header, and so match none of the configured hosts.
1. In the navigation pane, expand Application Security and click Classes.
The HTTP Class list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
4. For the Configuration setting, select the Custom check box to enable the Configuration options.
5. For the Hosts setting, select Match only.
The screen refreshes, and you see the Host List setting.
6. Add hosts to the Host List as needed:
a) In the Host box, type the name of the host for which the system routes HTTP traffic through the Application Security Manager.
b) For Entry Type, select Pattern String or Regular Expression (regex).
c) Click Add.
The host is added to the list.
8. Click Finished.
The system adds the new application security class, creates a corresponding web application ready for you to configure a security policy, and displays the HTTP Class list screen.
You can use the URI Paths traffic classifier to specify one or more URI paths whose requests you want to direct through the Application Security Manager. When you use the URI Paths traffic classifier, the system performs pattern matching against the URI path in a request.
1. In the navigation pane, expand Application Security and click Classes.
The HTTP Class list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
4. For the Configuration setting, select the Custom check box to enable the Configuration options.
5. For the URI Paths setting, select Match only.
The screen refreshes, and you see the URI Path List setting.
6. Add URIs to the URI Path List as needed:
a) In the URI Path box, type the URI path for which the system routes HTTP traffic through the Application Security Manager.
b) For Entry Type, select Pattern String or Regular Expression (regex).
c) Click Add.
The URI is added to the list.
8. Click Finished.
The system adds the new application security class, creates a corresponding web application ready for you to configure a security policy, and displays the HTTP Class list screen.
You can use the Headers traffic classifier to specify one or more headers whose associated requests you want to direct through the Application Security Manager. When you use the Headers traffic classifier, the system performs pattern matching against the headers and their values in a request.
Note: If you want to classify traffic using the Cookie header, use the Cookies traffic classifier instead of the Headers traffic classifier. See Classifying traffic using cookies, for more information.
1. In the navigation pane, expand Application Security and click Classes.
The HTTP Class list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
4. Above and on the right of the Configuration area, select the Custom check box to enable the Configuration options.
5. For the Headers setting, select Match Only.
The screen refreshes, and you see the Header List setting.
6. Add headers to the Header List as needed:
a) In the Header box, type the header. Include the colon when you add headers to this list, for example: User-Agent:<value>.
b) For Entry Type, select Pattern String or Regular Expression (regex).
When you select Regular Expression (regex), the system prepends (regex) when you add the object to the list.
c) Click Add.
The header is added to the list.
8. Click Finished.
The system adds the new application security class, creates a corresponding web application ready for you to configure a security policy, and displays the HTTP Class list screen.
You can use the Cookies traffic classifier to specify one or more cookies whose associated requests you want to direct through the Application Security Manager. When you use the Cookies traffic classifier, the system performs pattern matching against the cookie name information in the Cookie header in a request.
1. In the navigation pane, expand Application Security and click Classes.
The HTTP Class list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
4. For the Configuration setting, select the Custom check box to enable the Configuration options.
5. For the Cookies setting, select Match Only.
The screen refreshes, and you see the Cookie List setting.
6. Add cookie names to the Cookie List as needed:
a) In the Cookie box, type the cookie data.
b) For Entry Type, select Pattern String or Regular Expression (regex).
c) Click Add.
The cookie is added to the list.
8. Click Finished.
The system adds the new application security class, creates a corresponding web application ready for you to configure a security policy, and displays the HTTP Class list screen.
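The matching rules spread across the four classifier descriptions above (wildcard strings versus regular expressions, case-sensitive comparison, OR within one list, AND across the Hosts, URI Paths, Headers and Cookies lists, and first-match evaluation of the classes a virtual server lists) are easier to reason about as code. The following is an added Python model written for this page, not BIG-IP code: Python's re module stands in for the Tcl regular-expression engine, the "Name:value" form used for header comparison and the assumption that regex entries are searched anywhere in a value while pattern strings must match the whole value are assumptions of the model, and the class names, host names, paths, headers and cookies are constructed samples.

```python
import re
from fnmatch import translate
from typing import Any, Dict, List, Optional, Tuple

# Added model of the traffic-classifier matching rules described in this chapter.
# Illustrative Python, not BIG-IP code: re stands in for the Tcl regex engine, and
# anchoring is an assumption (regex entries are searched anywhere in the value,
# pattern strings must match the whole value).

# One classifier entry: ("pattern", wildcard string) or ("regex", regular expression).
Entry = Tuple[str, str]
# A request is a plain dict with "host", "path" and "headers" keys (constructed below).
Request = Dict[str, Any]


def _compile(entry: Entry) -> "re.Pattern[str]":
    kind, text = entry
    if kind == "pattern":
        # fnmatch.translate turns '*' and '?' into an anchored regular expression.
        # No IGNORECASE flag: classifiers are case-sensitive (www.F5.com != www.f5.com).
        return re.compile(translate(text))
    if kind == "regex":
        return re.compile(text)
    raise ValueError(f"unknown entry type {kind!r}")


def _list_matches(entries: List[Entry], values: List[str]) -> bool:
    """OR within one classifier list: the first entry that matches any value wins."""
    for entry in entries:
        rx = _compile(entry)
        for value in values:
            hit = rx.search(value) if entry[0] == "regex" else rx.match(value)
            if hit:
                return True
    return False


def _cookie_names(cookie_header: str) -> List[str]:
    """The Cookies classifier matches cookie names taken from the Cookie header."""
    names = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if part:
            names.append(part.split("=", 1)[0].strip())
    return names


def classify(request: Request, classifiers: Dict[str, List[Entry]]) -> bool:
    """Return True when the request should be routed through Application Security Manager.

    AND across classifier types: every configured list (hosts, uri_paths, headers,
    cookies) must match. A type with an empty list is not configured and is ignored.
    """
    headers: Dict[str, str] = request.get("headers", {})
    candidates = {
        "hosts": [str(request.get("host", ""))],
        "uri_paths": [str(request.get("path", ""))],
        # Header entries are written with the colon, as in User-Agent:<value>,
        # so each request header is compared in the same "Name:value" form.
        "headers": [f"{name}:{value}" for name, value in headers.items()],
        "cookies": _cookie_names(headers.get("Cookie", "")),
    }
    for kind, entries in classifiers.items():
        if entries and not _list_matches(entries, candidates[kind]):
            return False
    return True


def first_matching_class(request: Request, classes: List[Tuple[str, Dict[str, List[Entry]]]]) -> Optional[str]:
    """The virtual server applies its classes in listed order; the first match wins."""
    for name, classifiers in classes:
        if classify(request, classifiers):
            return name
    return None


# Constructed sample configuration: two classes, evaluated in this order.
STORE_CLASS = {
    "hosts": [("pattern", "www.example.com"), ("pattern", "*.example.com")],
    "uri_paths": [("pattern", "/store/*"), ("regex", r"^/account/\d+$")],
}
SESSION_CLASS = {
    "headers": [("pattern", "User-Agent:Mozilla*")],
    "cookies": [("regex", r"^session")],
}
CLASSES = [("store_class", STORE_CLASS), ("session_class", SESSION_CLASS)]

if __name__ == "__main__":
    samples = [
        {"host": "www.example.com", "path": "/store/cart", "headers": {}},
        # Worm-style request: an IP address in the Host header matches no configured host.
        {"host": "203.0.113.10", "path": "/store/cart", "headers": {}},
        # Case matters: this host does not match "www.example.com".
        {"host": "www.EXAMPLE.com", "path": "/store/cart", "headers": {}},
        {"host": "other.test", "path": "/", "headers": {"User-Agent": "Mozilla/5.0", "Cookie": "sessionid=abc; theme=dark"}},
    ]
    for req in samples:
        print(req["host"], req["path"], "->", first_matching_class(req, CLASSES))
```

The second sample is the situation the Hosts tip describes: a request whose Host header is a bare IP address matches no entry in a host list built from real host names, so it is never handed to the Application Security Manager by that class. The fourth sample shows that a class whose Headers and Cookies lists are both configured forwards only requests that satisfy both lists.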
The actions of the application security class designate what the system does with the traffic when the traffic matches one or more of the traffic classifier criteria. The actions for the application security class are as follows.
None
When you use the None action, the system does nothing with the traffic within the context of this application security class. The system may still process the request according to the other settings of the virtual server, for example, by forwarding the request to the virtual server's default pool.
Send to pool
When you use the send to pool action, the system sends the traffic to the local traffic pool specified in the Pool setting. In this case, traffic is not sent to the Application Security Manager, nor to the pool specified in the virtual server (unless it is the same pool).
Redirect to another resource
When you use the redirect action, the system sends any traffic that matches (based on the full HTTP URI) to another resource on the network. You can use Tcl expressions to create a custom redirection. See the F5 Dev Central web site, http://devcentral.f5.com, for information on Tcl expressions and syntax.
1. In the navigation pane, expand Application Security and click Classes.
The HTTP Class list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
4. For the Configuration setting, select the Custom check box to enable the Configuration options.
6. Above the Actions area, select the Custom check box to enable the Actions options.
7. For the Send To setting, specify what you want the system to do with the traffic related to this application security class. See the online help for assistance with specific screen elements.
8. Click Finished.
The system adds the new application security class, creates a corresponding web application ready for you to configure a security policy, and displays the HTTP Class list screen.
You can use the Rewrite URI action to rewrite a URI without sending an HTTP redirect to the requesting client. For example, an ISP may host a site that is composed of different web applications, such as a secure store application and a general information application. To the client, these two applications appear to be one site, but on the server side they are different applications. Using the Rewrite URI action transparently routes each request to the appropriate application.
You use Tcl expressions for this setting. If you use a static URI, the system maps the static URI for every incoming request. For details on using Tcl expressions, and Tcl syntax, see the F5 Networks Dev Central web site, http://devcentral.f5.com.
Note: The Rewrite URI setting is available only when you select None or Pool for the Send To setting, and you are using the Hosts or URI Paths traffic classifiers.
1. In the navigation pane, expand Application Security and click Classes.
The HTTP Class list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
4. For the Configuration setting, select the Custom check box to enable the Configuration options.
6. Above the Actions area, select the Custom check box to enable the Actions options.
7. For the Send To setting, select Pool from the list.
The screen refreshes and shows more options.
8. For the Pool setting, select the name of the local traffic pool to which you want the system to send the traffic.
9. For the Rewrite URI setting, type the Tcl expression that represents the URI that the system inserts in the request to replace the existing URI.
10. Click Finished.
The system adds the new application security class, creates a corresponding web application ready for you to configure a security policy, and displays the HTTP Class list screen.
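The difference between the three actions (None, Send to pool, Redirect) and the Rewrite URI option is what each one changes and who can observe it: a redirect is a response the client sees, a rewrite changes only the request the pool member receives, and a static rewrite maps every matched request to the same URI. The following added Python model, written for this page and not BIG-IP code, makes that concrete. A Python callable stands in for the Tcl expression the Configuration utility accepts, a plain string models a static URI, and the class names, pool names, host and URIs are constructed samples.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Union

# Added model of the application security class actions described in this chapter
# (None, Send to pool, Redirect) and of the Rewrite URI option. Illustrative Python,
# not BIG-IP code: a callable stands in for a Tcl expression, a str for a static URI.


@dataclass
class Request:
    host: str
    uri: str          # full request URI, e.g. "/shop/cart?id=7"


@dataclass
class Outcome:
    kind: str                        # "default-pool", "pool" or "redirect"
    pool: Optional[str] = None       # pool that receives the request, if forwarded
    uri: Optional[str] = None        # URI the pool member sees, if forwarded
    status: Optional[int] = None     # response status sent to the client, if any
    location: Optional[str] = None   # Location header of a redirect response


Rewrite = Union[str, Callable[[str], str]]


@dataclass
class SecurityClass:
    name: str
    action: str                                             # "none", "pool" or "redirect"
    pool: Optional[str] = None                              # required for "pool"
    redirect_to: Optional[Callable[[Request], str]] = None  # required for "redirect"
    rewrite_uri: Optional[Rewrite] = None                   # only valid with "none" or "pool"


def _rewrite(uri: str, rule: Optional[Rewrite]) -> str:
    if rule is None:
        return uri
    # A static URI is mapped for every incoming request; an expression is evaluated per request.
    return rule if isinstance(rule, str) else rule(uri)


def apply_action(req: Request, cls: SecurityClass, default_pool: str) -> Outcome:
    """Model what happens to a request that has matched cls's traffic classifiers."""
    if cls.action == "none":
        # This class does nothing with the request; the virtual server's other
        # settings apply, which here means forwarding to its default pool.
        return Outcome(kind="default-pool", pool=default_pool, uri=_rewrite(req.uri, cls.rewrite_uri))
    if cls.action == "pool":
        if cls.pool is None:
            raise ValueError(f"{cls.name}: the pool action needs a pool")
        # A rewritten URI is visible only server-side: the client receives no redirect.
        return Outcome(kind="pool", pool=cls.pool, uri=_rewrite(req.uri, cls.rewrite_uri))
    if cls.action == "redirect":
        if cls.redirect_to is None or cls.rewrite_uri is not None:
            raise ValueError(f"{cls.name}: redirect needs a target and cannot rewrite the URI")
        # A redirect answers the client directly; the request is not sent to any pool.
        return Outcome(kind="redirect", status=302, location=cls.redirect_to(req))
    raise ValueError(f"{cls.name}: unknown action {cls.action!r}")


# Constructed example: one site made of two applications. Requests to /shop/... are
# served by the store pool under its own /store/... paths, transparently to the client.
STORE = SecurityClass(
    name="store",
    action="pool",
    pool="store_pool",
    rewrite_uri=lambda uri: "/store/" + uri[len("/shop/"):] if uri.startswith("/shop/") else uri,
)
# Static rewrite: every matched request is mapped to the same page.
MAINTENANCE = SecurityClass(name="maintenance", action="pool", pool="static_pool", rewrite_uri="/maintenance.html")
# Redirect built from the full HTTP URI of the request.
TO_HTTPS = SecurityClass(name="to_https", action="redirect", redirect_to=lambda r: f"https://{r.host}{r.uri}")
PASSTHROUGH = SecurityClass(name="passthrough", action="none")

if __name__ == "__main__":
    req = Request(host="www.example.com", uri="/shop/cart?id=7")
    for cls in (STORE, MAINTENANCE, TO_HTTPS, PASSTHROUGH):
        print(cls.name, apply_action(req, cls, default_pool="web_pool"))
```

Run stand-alone, the script prints one Outcome per class for the same request: only the redirect class produces a client-visible status and Location header, while the store class forwards the request with a changed URI that the client never learns about.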