Manual Chapter 14: Configuring General System Options
The Application Security Manager™ includes general system options that apply to the overall application security configuration. You can perform the following tasks to configure general system options:
Configure the Application Security Manager to connect with an Internet Content Adaptation Protocol (ICAP) server to check requests for viruses. See Configuring external anti-virus protection, for more information.
Some of the overall system configuration tasks are described in other chapters, because they relate to other tasks described there. You can perform the following additional general configuration tasks:
1. In the navigation pane, expand Application Security, point to Options, and then click Preferences.
   The Preferences screen opens.
2. For Records Per Screen, type the number of entries to display (1-100). The default value is 20.
   This setting affects the maximum number of web applications, file types, URLs, parameters, flows, headers, and XML profiles to display in lists throughout the Application Security Manager.
3. For Records Per Requests Screen, type the number of requests to display (1-1000). The default value is 500.
   This setting affects the maximum number of requests that appear in the Requests List (Reporting >> Requests).
4. For Titles Tooltip Settings, select one of the options for how to display tooltips:
   Show tooltip icons: Display an icon if a tooltip is available for a setting, and show the tooltip when you move the cursor over the icon. This is the default setting.
   Show tooltips on title mouseover: Display a tooltip when you move the cursor over a setting on the screen.
   Do not show tooltips: Never display tooltips or icons.
5. For Advanced by Default, select whether to display all possible settings (Advanced) or the Basic settings on screens with that option.
6. If the BIG-IP system is in a redundant configuration and you want to display a message telling you to synchronize the two systems when a security policy was updated but not applied, check the Recommend Sync When Policy Not Applied box.
To log system data and configuration changes made to all security policies, check the Write all changes to Syslog box.
To log system data only, clear the Write all changes to Syslog check box. This is the default setting.
8. Click Save to keep your changes.
You can configure the Application Security Manager to connect with an Internet Content Adaptation Protocol (ICAP) server to check requests for viruses. If the Virus Detected violation is enabled for that web application's security policy, the system sends requests with file uploads to an external ICAP server for inspection. The ICAP server examines the requests for viruses and, if the ICAP server detects a virus, it notifies the Application Security Manager, which then issues the Virus Detected violation.
The default ICAP server is configured for McAfee anti-virus protection. If the ICAP server supports anti-virus protection using different software, you must change the value of the virus_header_name internal parameter. Refer to Appendix D, Internal Parameters for Advanced Configuration, for information about internal parameters.
1. In the navigation pane, expand Application Security, point to Options, and then click Anti-Virus Protection.
   The Anti-Virus Protection screen opens.
For Server Host Name, type the ICAP server host name in the format of a fully qualified domain name.
Note: If using the host name only, you must also configure a DNS server on the BIG-IP system. Expand System, point to Configuration, Device, then click DNS. If DNS is not configured, you must include the IP address.
For Server IP Address, type the IP address of the ICAP server.
3. For Server Port Number, type the port number of the ICAP server.
4. If you want to perform virus checking even if it may slow down the web application, check the Guarantee Enforcement box.
5. Click Save to save the ICAP server configuration.
6. In the navigation pane, point to Policy, and then click Blocking.
   The Blocking Settings screen opens.
a) In the editing context area, ensure that the edited web application and security policy are the ones for which you want anti-virus protection.
b) For the Virus Detected violation (near the bottom of the screen), enable either or both of the Alarm and Block check boxes. For details on setting up blocking, refer to Configuring the blocking policy.
c) Click Save to save the blocking policy.
d) To put the anti-virus protection into effect immediately, click the Apply Policy button in the editing context area.
User accounts on the BIG-IP system are assigned a user role that specifies the authorization level for that account. While an account with the user role of Administrator can access and configure everything, you may want to further specialize administrative accounts. You must have Administrator access to create accounts on the BIG-IP system.
Web Application Security Editor
Grants users permission to view and configure most parts of the Application Security Manager, on specified partitions.
Web Application Security Administrator
Grants users permission to view and configure all parts of the Application Security Manager, on all partitions. With respect to application security objects, this role is equivalent to the Administrator role.
1. In the navigation pane, expand System, and then click Users.
   The User List screen opens.
2. Click the Create button.
   The New User screen opens.
3. For the User Name setting, type the name for the account.
4. For the Password setting, type and confirm the account password.
5. For the Role setting, select the appropriate role:
6. If you selected Web Application Security Editor, then in Partition Access, select the partition in which to allow the account to create security policies.
7. Click Finished.
   The User List screen opens and includes the new user account in the list.
Logging profiles specify how and where the system stores request and violation data for web applications. When you configure a web application, you select the logging profile for that web application. You can use one of the system-supplied logging profiles, or you can create a custom logging profile. Note that the system-supplied logging profiles log data locally. For more information on selecting the logging profile for a web application, refer to Specifying the logging profile for a web application.
Additionally, you can choose to log the request data locally, on a remote storage system (such as a syslog server), on a reporting server (as key/value pairs), or on an ArcSight server (in CEF format).
A logging profile has two parts: the storage configuration and the storage filter. The storage configuration specifies where the logs are stored, either locally or remotely. The storage filter determines what information gets stored.
You can create a logging profile to store request data on the local BIG-IP system. When you store the request data locally, the logging utility may compete for system resources. You can use the Guarantee Logging setting to ensure that the system logs the requests in this situation.
Note: Enabling the Guarantee Logging setting may cause a performance reduction if you have a high traffic-volume application.
1. In the navigation pane, expand Application Security, point to Options, and then click Logging Profiles.
   The Logging Profiles screen opens.
2. Above the Logging Profiles area, click the Create button.
   The Create New Logging Profile screen opens.
3. For the Configuration setting, select Advanced.
4. In the Configuration area, for the Profile Name setting, type a unique name for the logging profile.
5. To ensure that the system logs requests for the web application, even when the logging utility is competing for system resources, check the Guarantee Logging box.
   Note: Enabling this setting may slow access to the associated web application.
7. Click the Create button.
   The screen refreshes, and displays the new logging profile on the Logging Profiles screen.
You can create a logging profile to store information remotely on syslog servers in Comma Separated Value (CSV) format or a user-defined format. When you configure a logging profile for remote storage, the system stores request data for the associated web application on a separate remote management system, where you can view the files.
Note: The logging profile for remote storage relies on external systems to perform the actual logging. The configuration and maintenance of the external logging servers is not the responsibility of F5 Networks.
1. In the navigation pane, expand Application Security, point to Options, and then click Logging Profiles.
   The Logging Profiles screen opens.
2. Above the Logging Profiles area, click the Create button.
   The Create New Logging Profile screen opens.
3. For the Configuration setting, select Advanced.
4. For the Profile Name setting, type a unique name for the logging profile.
5. Check the Remote Storage box, and make sure the Type is set to Remote.
   The screen displays additional settings.
7. For the Protocol setting, select the protocol that the remote storage server uses: TCP (the default setting), UDP, or TCP-RFC3195.
8. For the Server IP setting, type the IP address of the remote storage server.
9. For the Server Port setting, type a port number or use the default value, 514.
10. For the Facility setting, select the syslog facility where you want to store the logged traffic. The possible values are LOG_LOCAL0 through LOG_LOCAL7.
   Tip: If you have more than one web application, and you configure remote logging for both applications, you can use the facility filter to sort the data for each.
11. For the Storage Format setting, from the Available Items list, select the data items to include in the log. Use the Move button (<<) to add the data items to the Selected Items list.
   Predefined: If you select this option, specify the delimiter to separate the data items in the log (the default delimiter is comma). You may not use the % character. This is the default value.
   User-defined: If you select this option, in the Selected Items box, type any text you want to appear between the items, with surrounding percent (%) characters (for example, %Request%).
12. To ensure that the system logs requests for the web application, even when the logging utility is competing for system resources, check the Guarantee Logging box.
   Note: Enabling this setting may slow access to the associated web application.
13. Optionally, adjust the maximum request, header, and query string sizes, and maximum entry length settings. (Refer to online help for details on the settings.)
14. If you want the system to log details (including the start and end time, number of dropped requests, attacking IP addresses, and so on) about brute force attacks, DoS attacks, IP enforcer attacks, or web scraping attacks, check the Report Detected Anomalies box.
16. Click the Create button.
   The screen refreshes, and displays the new logging profile on the Logging Profiles screen.
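The facility tip above, seen from the syslog receiver, as an added example that is not part of the F5 manual: it decodes the `<PRI>` prefix of each message, sorts messages per web application by LOG_LOCAL facility, and sets aside anything that arrives on an unmapped facility. The application names, host name and log lines are constructed, and the code assumes the receiver sees the standard syslog `<PRI>` prefix (facility × 8 + severity).

```python
import re
from collections import defaultdict

# Standard syslog severity codes (0 = most severe), using the severity names
# this chapter lists; code 7 (Debug) is standard syslog but not in the chapter.
SEVERITIES = ("Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug")
LOCAL0 = 16  # syslog facility code for LOG_LOCAL0; LOG_LOCAL7 is 23

# Hypothetical mapping: one Facility value chosen per web application's profile.
FACILITY_TO_APP = {"LOG_LOCAL0": "shop", "LOG_LOCAL1": "portal"}

# Constructed sample input (not real ASM output).
SAMPLE_LINES = [
    "<131>Jan  5 10:15:02 waf01 ASM: shop request blocked",    # local0, Error
    "<140>Jan  5 10:15:03 waf01 ASM: portal request alarmed",  # local1, Warning
    "<134>Jan  5 10:15:04 waf01 ASM: shop request passed",     # local0, Informational
    "<38>Jan  5 10:15:05 waf01 sshd: unrelated auth message",  # facility 4, not local
    "no priority prefix at all",
]

_PRI = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility_code, severity_code, message) for one syslog line."""
    match = _PRI.match(line)
    if not match or int(match.group(1)) > 191:  # 23 * 8 + 7 is the maximum PRI
        raise ValueError("missing or invalid <PRI> prefix")
    facility, severity = divmod(int(match.group(1)), 8)
    return facility, severity, line[match.end():]


def facility_name(code):
    """Map a facility code to the LOG_LOCALn name used by the Facility setting."""
    return f"LOG_LOCAL{code - LOCAL0}" if LOCAL0 <= code <= LOCAL0 + 7 else None


def route_by_facility(lines, facility_to_app, min_severity="Warning"):
    """Group messages per application; return (routed, rejected).

    Messages less severe than min_severity are dropped. Lines with no PRI or
    on a facility that no profile uses are returned in `rejected` for review.
    """
    threshold = SEVERITIES.index(min_severity)
    routed, rejected = defaultdict(list), []
    for line in lines:
        try:
            facility, severity, message = decode_pri(line)
        except ValueError:
            rejected.append(line)
            continue
        app = facility_to_app.get(facility_name(facility))
        if app is None:
            rejected.append(line)
        elif severity <= threshold:
            routed[app].append((SEVERITIES[severity], message))
    return dict(routed), rejected


if __name__ == "__main__":
    routed, rejected = route_by_facility(SAMPLE_LINES, FACILITY_TO_APP)
    for app, events in routed.items():
        print(app, events)
    print("rejected:", rejected)
```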
If your network uses a third party reporting server (for example, Splunk), you can configure a logging profile to store the log information on the reporting server using the key-value pair storage format.
Note: This logging profile relies on an external reporting server to perform the actual logging. The configuration and maintenance of the reporting server is not the responsibility of F5 Networks.
1. In the navigation pane, expand Application Security, point to Options, and then click Logging Profiles.
   The Logging Profiles screen opens.
2. Above the Logging Profiles area, click the Create button.
   The Create New Logging Profile screen opens.
3. For the Configuration setting, select Advanced.
   The screen refreshes to display additional settings.
4. For the Profile Name setting, type a unique name for the logging profile.
5. Check the Remote Storage box, and for the Type setting, select Reporting Server.
   The screen displays additional settings.
7. For the Protocol setting, select the protocol that the reporting server uses: TCP (the default setting), UDP, or TCP-RFC3195.
8. For the Server IP setting, type the IP address for the remote storage server.
9. For the Server Port setting, type a port number or use the default value, 514.
10. To ensure that the system logs requests for the web application, even when the logging utility is competing for system resources, check the Guarantee Logging box.
   Note: Enabling this setting may slow access to the associated web application.
11. Optionally, adjust the maximum request, header, and query string size and maximum entry length settings. (Refer to online help for details on the settings.)
12. If you want the system to log details (including the start and end time, number of dropped requests, attacking IP addresses, and so on) about brute force attacks, DoS attacks, IP enforcer attacks, or web scraping attacks, check the Report Detected Anomalies box.
14. Click the Create button.
   The screen refreshes, and displays the new logging profile on the Logging Profiles screen.
If your network uses ArcSight logs, you can configure a logging profile that formats the log information for that system. Application Security Manager stores all logs on a remote logging server using the predefined ArcSight settings for the logs.
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension
Note: This logging profile relies on external systems to perform the actual logging. The configuration and maintenance of the external logging servers is not the responsibility of F5 Networks.
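The header layout above, parsed on the receiving side, as an added example that is not F5 or ArcSight code: it splits the seven header fields on unescaped pipes and reads the Extension as key=value pairs. The sample line and its vendor, product and class values are constructed placeholders, and the escaping rules (`\|` in the header, `\=` in extension values) are the standard CEF ones rather than anything stated in this chapter.

```python
import re

# Header field names exactly as listed in the chapter's CEF layout.
CEF_HEADER_FIELDS = ("Version", "Device Vendor", "Device Product",
                     "Device Version", "Device Event Class ID", "Name", "Severity")

# Constructed sample (not real ASM output): a syslog prefix followed by a CEF
# record whose Name holds an escaped pipe and whose request holds escaped '='.
SAMPLE_LINE = (r"<131>Jan  5 10:15:02 waf01 ASM: CEF:0|ExampleVendor|ExampleProduct"
               r"|1.0|EXAMPLE_CLASS|Name with \| pipe|5|src=192.0.2.10 "
               r"request=GET /a?x\=1&y\=2 HTTP/1.1 msg=two words")

_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # start of an unescaped key=
_ESCAPE = re.compile(r"\\([=\\nr])")             # \=  \\  \n  \r inside values


def split_header(body, count):
    """Read `count` pipe-terminated fields; return (fields, remaining text)."""
    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < count:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            current.append(body[i + 1])  # escaped pipe or backslash: keep literal
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < count:
        raise ValueError("truncated CEF header")
    return fields, body[i:]


def parse_extension(ext):
    """Parse 'k=v k2=v with spaces' into a dict, honouring escaped '='."""
    matches = list(_KEY.finditer(ext))
    result = {}
    for idx, match in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        raw = ext[match.end():end].rstrip()
        result[match.group(1)] = _ESCAPE.sub(
            lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)
    return result


def parse_cef(line):
    """Return the CEF header fields plus a parsed 'Extension' dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF marker in line")
    fields, ext = split_header(line[start + 4:], len(CEF_HEADER_FIELDS))
    event = dict(zip(CEF_HEADER_FIELDS, fields))
    event["Extension"] = parse_extension(ext)
    return event


if __name__ == "__main__":
    for key, value in parse_cef(SAMPLE_LINE).items():
        print(f"{key}: {value}")
```

Splitting the record with a plain `split("|")` would break the Name field at the escaped pipe and shift Severity into the wrong column, which is the failure this parser avoids.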
1. In the navigation pane, expand Application Security, point to Options, and then click Logging Profiles.
   The Logging Profiles screen opens.
2. Above the Logging Profiles area, click the Create button.
   The Create New Logging Profile screen opens.
3. For the Configuration setting, select Advanced.
   The screen refreshes to display additional settings.
4. For the Profile Name setting, type a unique name for the logging profile.
5. Check the Remote Storage box, and for the Type setting, select ArcSight.
   The screen displays additional settings.
7. For the Protocol setting, select the protocol that the reporting server uses: TCP (the default setting), UDP, or TCP-RFC3195.
8. For the Server IP setting, type the IP address of the remote storage server.
9. For the Server Port setting, type a port number or use the default value, 514.
10. To ensure that the system logs requests for the web application, even when the logging utility is competing for system resources, check the Guarantee Logging box.
   Note: Enabling this setting may slow access to the associated web application.
11. Optionally, adjust the maximum request, header, and query string size and maximum entry length settings. (Refer to online help for details on the settings.)
12. If you want the system to log details (including the start and end time, number of dropped requests, attacking IP addresses, and so on) about brute force attacks, DoS attacks, IP enforcer attacks, or web scraping attacks, check the Report Detected Anomalies box.
14. Click the Create button.
   The screen refreshes, and displays the new logging profile.
1. In the navigation pane, expand Application Security, point to Options, and then click Logging Profiles.
   The Logging Profiles screen opens.
2. In the Logging Profiles area, click the name of an existing logging profile.
   The Edit Logging Profile screen opens.
3. For the Storage Filter setting, select Advanced.
   The screen refreshes to display additional settings.
4. For the Logic Operation setting, select the manner in which the system associates the criteria you specify. The criteria are the remaining settings in the storage filter.
   OR: Select this operator if you want the system to log the data that meets one or more of the criteria.
   AND: Select this operator if you want the system to log the data that meets all of the criteria.
5. For the Request Type setting, select the kind of requests that you want the system to store in the log.
6. For the Protocols setting, select whether logging occurs for HTTP and HTTPS protocols or a specific protocol.
7. For the Response Status Codes setting, select whether logging occurs for all response status codes or specific ones.
8. For the HTTP Methods setting, select whether logging occurs for all methods or specific methods.
9. For the Request Containing String setting, select whether the request logging is dependent on a specific string.
10. Click the Update button.
   The screen refreshes, and displays the new logging profile on the Logging Profiles screen.
You can customize the severity levels of security policy violations for application security events that are displayed on the Security Alerts screen, in the request details, and also in the messages logged by the syslog utility. The event severity levels are Informational, Notice, Warning, Error, Critical, Alert, and Emergency. They range from least severe (Informational) to most severe (Emergency).
For more information on how BIG-IP systems use the syslog utility, refer to the Logging BIG-IP System Events chapter in the TMOS® Management Guide for BIG-IP® Systems.
Note: When you make changes to the event severity level for security policy violations, the changes apply globally to all web applications.
1. In the navigation pane, expand Application Security, point to Options, and then click Severities.
   The Severities screen opens.
3. Click the Save button to retain any changes.
Tip: If you modify the event severity levels for any of the security policy violations, and later decide you want to use the system-supplied default values instead, click the Restore Defaults button.
Locally stored system logs for the Application Security Manager are accessible from the Configuration utility for the BIG-IP system. Note that these are the logs for general system events and user activity. Security violation events are displayed in the Configuration utility for the Application Security Manager.
For more information on logging in general, refer to the TMOS® Management Guide for BIG-IP® Systems, which is available in the Ask F5℠ Knowledge Base, https://support.f5.com.
Tip: If you prefer to review the log data from the command line, you can find the application security log data in the /var/log/asm directory.
1. In the navigation pane of the BIG-IP system, expand System, and then click Logs.
   The System Logs list screen opens.
2. On the menu bar, click Application Security.
   The Application Security log list screen opens, where you can review the logged entries.
The RegExp Validator is a system tool designed to help you verify your regular expression syntax. You can type a regular expression in the RegExp Validator, provide a test string pattern, and let the tool analyze the data.
1. In the navigation pane, expand Application Security, point to Options, Tools, and then click RegExp Validator.
   The RegExp Validator screen opens.
2. In the RegExp box, perform one of the following tasks to specify how you want the validator to work:
3. Click the Validate button.
   The screen refreshes and shows the results of the validation.
If you want the system to send email to users, such as when configuring the system to send reports using email (refer to Scheduling and sending graphical charts using email), you must enable the SMTP mailer and configure an SMTP server.
Note: For the SMTP mailer to work, you must make sure the SMTP server is on the DNS lookup server list, and configure the DNS server on the BIG-IP system (System >> Configuration >> Device >> DNS).
1. In the navigation pane, expand Application Security, point to Options, and then click SMTP Configuration.
   The SMTP Configuration screen opens.
2. Check the Enable SMTP mailer box.
3. For SMTP Server Host Name, type the fully qualified host name of an SMTP server (for example, smtp.example.com).
4. For SMTP Server Port Number, type the SMTP port number (25 is the default for no encryption; 465 is the default if SSL or TLS encryption is the encryption setting).
5. For Local Host Name, type the fully qualified host name of the BIG-IP system.
6. For From Address, type the mail address to use as the reply-to address of the email.
7. For Encrypted Connection, select whether the SMTP server requires an encrypted connection to send mail. Select No encryption, SSL (Secure Sockets Layer), or TLS (Transport Layer Security).
8. If you want the SMTP server to validate users before sending email, check the Use Authentication box, then type the Username and Password that the SMTP server requires for validation.
9. Click Save to save the configuration.