
Manual Chapter: Maintaining Security Policies

Security policies can change and evolve over time. As the nature of the traffic through the web application changes, you can adjust the security policy as required. From the Policies List screen, you can perform the following policy maintenance tasks:
You can access a security policy for editing from either the Policies List screen, or from the editing context area. The editing context area appears at the top of almost every screen throughout the Application Security Manager™. Figure 8.1 displays the editing context area.
1. In the navigation pane, expand Application Security and click Policies List.
The Policies List screen opens.
Note: If a security policy's entire row is highlighted in gray, this indicates that another user is currently editing it. As a result, you can view but not edit that security policy.
2. In the Security Policies area, click the name of the security policy that you want to edit.
The Policy Properties screen opens.
4. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
1. In the navigation pane, expand Application Security and click Policies List.
The Policies List screen opens.
2.
3. Click the Copy button.
The Copy Security Policy screen opens.
4. In the New Security Policy Name box, accept or change the name for the security policy, and then click Save. (The default name is <original_policy_name>_copy.)
The system displays a message when the policy is successfully copied.
5. Click OK.
The screen refreshes, and you see the new security policy in the Security Policies List.
Note: In the Security Policies List, the Active icon next to a security policy indicates that this policy is active. The Modified icon indicates that the security policy has been modified, and you must click the Apply Policy button to implement any changes in the security policy.
You can export security policies as a binary archive file or as a readable XML file. For example, you may want to export a security policy from one web application so that you can use it as a baseline for a new web application. You can also export a security policy to archive it on a remote system before upgrading the system software, to create a backup copy, or to use the exported security policy in a policy merge. (See Merging two security policies, for more information on merging policies.)
You can export the security policy to a remote system or other location. The XML or archive file includes the name of the security policy and the date it was exported. If you saved the policy as an XML file, you can open it to view the configured settings of the security policy in a human-readable format.
1. In the navigation pane, expand Application Security and click Policies List.
The Policies List screen opens.
2. In the Security Policies list, select the security policy that you want to export by clicking the button on its left, then:
3. In the file download screen, save the file.
The system exports the security policy in the format you specified and saves it in the remote location.
You can import a security policy previously saved in archive policy or XML format to quickly apply a security policy to a new web application. You can also use the import option to restore a security policy from a remote system.
1. In the navigation pane, expand Application Security and click Policies List.
The Policies List screen opens.
2. Above the Security Policies area, click the Import button.
The Import Security Policy screen opens.
3. In the Choose File setting, click the Browse button to navigate to the security policy that you want to import.
4. Click Import.
The system displays a success status message when the operation is complete.
5. Click OK.
The screen refreshes, and you can see the imported security policy in the Security Policies List.
Note: The names of security policies must be unique within the Application Security Manager. If the name of the imported security policy already exists, the system renames the imported file by adding a sequential number to the end of the name.
You can use the policy merge option to combine two security policies. For example, you can use the policy merge option to merge a security policy that you have built offline into a security policy that is on a production system.
The merge mechanism is lenient when merging security policies. The merge action does not delete anything from the target security policy. The system resolves any conflicts that occur by retaining the settings of the target security policy. When the merge is complete, the system displays the beginning of a merge report of all security policy components that were modified or added during the merge process. In addition, you have the option to view or download the complete merge report. You can save the Policy Merge Report as a text file (*.txt), so that you can review the details of the merge, and resolve any errors that may have occurred.
Note: When a security policy contains restrictive components, for example, a user-defined attack signature set, the merge tool deletes it.
The merge report contains information about any conflicts that occurred during the merge, and how they were resolved. If you enable verbose logging for the merge, the merge report also contains the following information:
Entities in the target security policy whose values are different from those in the merged security policy
(If this occurs, the system does not change the target security values.)
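The lenient merge rules described above (nothing is deleted from the target, conflicts keep the target's value, and the report lists what was added or differed), modeled as an added example that is not F5 code and not part of the original manual. The XML samples are constructed, their tag and attribute names are assumptions rather than the real ASM export schema, and the note about restrictive components is not modeled.

```python
import xml.etree.ElementTree as ET

# Constructed samples; tag and attribute names are illustrative, not the ASM export schema.
TARGET_XML = """<policy name="prod">
  <url name="/login"><check_flows>true</check_flows></url>
  <parameter name="user"><max_length>32</max_length></parameter>
</policy>"""

MERGED_XML = """<policy name="offline">
  <url name="/login"><check_flows>false</check_flows></url>
  <url name="/cart"><check_flows>true</check_flows></url>
  <parameter name="user"><max_length>32</max_length></parameter>
</policy>"""


def flatten(xml_text):
    """Map each leaf setting to its value, keyed by a path of tag[name] steps."""
    settings = {}

    def walk(node, prefix):
        children = list(node)
        for child in children:
            name = child.get("name")
            step = f"{child.tag}[{name}]" if name else child.tag
            walk(child, f"{prefix}/{step}")
        if not children:
            settings[prefix] = (node.text or "").strip()

    walk(ET.fromstring(xml_text), "")
    return settings


def lenient_merge(target_xml, merged_xml):
    """Return (result, report): nothing is deleted, the target wins conflicts."""
    target, incoming = flatten(target_xml), flatten(merged_xml)
    result = dict(target)                      # every target setting survives
    report = {"added": [], "conflicts": []}
    for path, value in sorted(incoming.items()):
        if path not in target:
            result[path] = value               # new entity: added to target
            report["added"].append(path)
        elif target[path] != value:            # conflict: target value retained
            report["conflicts"].append((path, target[path], value))
    return result, report


if __name__ == "__main__":
    _, report = lenient_merge(TARGET_XML, MERGED_XML)
    print(report)
```

Running the same comparison on two exports before a real merge shows which settings of the offline policy will be ignored because the production policy already defines them differently.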
1. In the navigation pane, expand Application Security and click Policies List.
The Policies List screen opens.
2. In the Security Policies area, select the target security policy (the one into which the system merges the second security policy) by clicking the button on its left, and click the Merge button.
The Merge Security Policies screen opens.
3. For the Security Policy To Be Merged setting, click the Browse button, and navigate to the exported security policy file that you want to merge into the target security policy.
4.
6. Click the Merge button.
The system merges the exported security policy into the target security policy, and produces a Merge Report.
7. Click the Download Full Report button to open or save the entire Merge Report.
8. Click OK.
The screen refreshes, and the merged security policy is in the Security Policies list.
Note: A copy of the original security policy also appears in the Security Policies list, if you selected the Backup Target Security Policy option in step 4.
You can remove all security policies from the configuration, one by one, except the active security policy. The active security policy for a web application has the Active icon next to its name in the Security Policies list.
1. In the navigation pane, expand Application Security and click Policies List.
The Policies List screen opens.
2. In the Security Policies area, select the security policy that you want to remove from the configuration, and click the Delete button below the list.
A confirmation popup screen opens, where you confirm that you want to delete the security policy.
3. Click OK.
The screen refreshes and you no longer see the security policy in the Security Policies List.
If you delete a security policy, and later decide that you did not want to do that, you can restore the security policy from the Security Policy Recycle Bin.
1. In the navigation pane, expand Application Security and click Policies List.
The Policies List screen opens.
2. Above the Security Policies area, click the Import button.
The Import Security Policy screen opens.
3. In the Security Policy Recycle Bin list, select the security policy that you want to restore, and then click the Restore button.
A confirmation popup screen opens, where you confirm that you want to restore the security policy.
4. Click OK.
The system restores the security policy, and displays a success message.
5. Click OK.
The screen refreshes, and you see the restored security policy in the Policies List.
If you delete a security policy from the configuration, and later decide that you want to delete it permanently, you can delete the security policy from the Security Policy Recycle Bin.
1. In the navigation pane, expand Application Security and click Policies List.
The Policies List screen opens.
2. Below the Security Policies area, click the Import button.
The Import Security Policy screen opens.
3. In the Security Policy Recycle Bin list, select the security policy that you want to delete, and then click the Delete button.
A confirmation popup screen opens, where you can confirm that you want to delete the security policy.
4. Click OK.
The screen refreshes, and you no longer see the security policy in the Security Policy Recycle Bin list.
The Application Security Manager keeps an archive of security policies that have been set to active. Every time you make a security policy the active security policy, the system saves a version of that security policy, and archives it. You can restore any of the archived security policies, and make it the active security policy.
Tip: In the Security Policies list, on the Policies List screen, the security policy version number is in square brackets next to the security policy name.
1. In the navigation pane, expand Application Security and click Policies List.
The Policies List screen opens.
2. In the Security Policies list, click the security policy whose different versions you want to view or whose archived version you want to restore.
The Policy Properties screen opens.
3. On the menu bar, click History.
The Security Policy History screen opens, where you can view the archived versions of the security policy.
4. To restore an archived security policy, select the version, and then click the Restore button.
The Restore Security Policy screen opens.
5. In the Security Policy Name box, change the name as required.
7. Click OK.
The screen refreshes and you see the restored security policy in the Policies List.
The Application Security Manager creates a policy log for every security policy. The policy log includes an entry for each event or action performed on the security policy, including the event type, the element type and name (if relevant), the date and time of the change, a description of the change, and where and how the change was made.
This log is different from the automatic policy building log because this one shows all changes that the Policy Builder or a user made to the security policy. The automatic policy building log is described in Viewing automatic policy building logs.
1. In the navigation pane, expand Application Security, point to Policy, then click Policy Log.
The Policy Log screen opens.
2. In the editing context area, ensure that the edited web application and security policy are those for which you want to view log transactions.
3. In the Filter area, adjust the filter settings to view the logs you want to see.
4. Click the Go button.
The screen refreshes, and displays the policy log for the web application and security policy that you selected. Figure 8.2 shows a portion of a sample policy log.
You can display a tree view of the security policy to quickly view its contents. The tree view shows the complete hierarchy of the web application as reflected in the security policy. Global parameters appear at the top level, and URL parameters fall under URLs in the directory-like structure.
1. In the navigation pane, expand Application Security, point to Policy, and then click Tree View.
4. Click an allowed URL, a disallowed URL or a parameter to view its properties.
The properties page for the URL or parameter opens.
Figure 8.3 shows the structure of a security policy for www.paycom.com, a web application for selling merchandise.
Application Security Manager includes several audit tools that you can use to query a security policy to find the information you are looking for. You can use the audit tools to analyze suspicious policy states (for example, URLs allowed to modify domain cookies). Each tool type specifies a predefined URL, parameter, or flow filter that helps to identify conflicts and errors in the security policy.
1. In the navigation pane, expand Application Security, point to Policy and click Audits.
The Policy Audits screen opens.
3. From the Tool Type list, select an audit tool, and then click Go.
The screen refreshes, and the system displays the audit report.