Applies To:

Show Versions Show Versions

Manual Chapter: Deploying an Application-Ready Security Policy
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

The Application Security Manager provides application-ready security policies, which are baseline templates for the following enterprise applications:
Microsoft® ActiveSync® 1.0, 2.0
Lotus® Domino® 6.5
Microsoft® Outlook Web Access® Exchange 2003
Microsoft® Outlook Web Access® Exchange 2007
Oracle® Portal 10g
Oracle® Applications 11i
PeopleSoft® Portal Solutions 9
SAP® NetWeaver® 7
Microsoft® SharePoint® 2003
Microsoft® SharePoint® 2007
Important: The procedures in this deployment start after you have configured the network settings that are appropriate for your environment. Refer to Chapter 2, Performing Basic Configuration Tasks, if you have not yet configured network connectivity.
The Deployment wizard takes you through the steps required to create an application-ready security policy for one of the supported enterprise applications.
On the Main tab of the navigation pane, expand Application Security and click Web Applications.
The Web Applications screen opens.
Locate the web application you want to protect and click the Configure Security Policy link next to it.
The Deployment wizard opens the Select Deployment Scenario screen.
Tip: The application name matches the class name created in Defining an application security class.
For Deployment Scenario, select Manual Deployment and click Next.
The Configure Security Policy Properties screen opens.
For Application Language, specify the language encoding of the application.
For the Application-Ready Security Policy setting, select the HTTP or HTTPS security policy template for your enterprise application.
For Staging-Tightening Period, type the number of days you want to test the security policy and provide learning suggestions before enforcing it. The default value is 7 days.
Click Next.
The Policy Configuration Summary screen opens.
If you are satisfied with the security policy configuration, click Finish.
The system creates the security policy for the enterprise application. For details about the default settings, refer to Appendix B, Working with the Application-Ready Security Policies, in the Configuration Guide for BIG-IP® Application Security ManagerTM.
Once you have created a security policy, traffic must be going to the web application for the system to provide learning suggestions concerning additions to the security policy. For example, you can have users or testers browse the web application. When analyzing the traffic to and from the application, the Application Security Manager generates learning suggestions or ways to fine-tune the security policy to better suit the traffic.
When you first create an application-ready security policy, it operates in transparent mode (meaning that it does not block traffic). When the system receives a request that violates the security policy, the system logs the violation event, but does not block the request.
In the navigation pane, expand Application Security and click Manual Policy Building.
The Traffic Learning screen opens, and lists violations that the system has found against the security policy based on real traffic.
In the Traffic Learning area, click each violation hyperlink sequentially, and view the information provided.
The screen shows the instances of the violation and the resulting learning suggestions.
For each violation, review the specific learning suggestions and decide whether you want to accept or clear the suggestion:
Accept: Select a learning suggestion, click Accept, and then click Apply Policy.
The system updates the security policy to allow the element.
Clear: Select a learning suggestion, click Clear.
The system removes the learning suggestion and continues to generate suggestions for that violation.
Cancel: Click Cancel to return to the Traffic Learning screen.
On the Traffic Learning screen, review the violations and consider whether you want to permit any of them (for example, if a violation is causing false positives). Select the violations you want to allow and click Disable Violation, then OK.
The system clears the Learn, Alarm, and Block settings for those violations.
When you finish dealing with the learning suggestions for the security policy, and the violations that you see are legitimate (not false positives), you can begin to enforce the security policy. To enforce the security policy, you change the enforcement mode from transparent to blocking.
When the enforcement mode is set to blocking and the violations you want to enforce are set to block, the security policy no longer allows requests that cause these violations to reach the back-end resources. Instead, the security policy blocks the request, and sends the blocking response page to the client.
For more information on the blocking policy, the enforcement mode, and how the system processes requests that trigger violations, refer to the Manually Configuring Security Policies chapter of the Configuration Guide for BIG-IP® Application Security ManagerTM.
On the Main tab of the navigation pane, expand Application Security, point to Policy, Blocking, then click Settings.
The Policy Blocking Settings screen opens.
For the Enforcement Mode setting, select Blocking.
The system activates the Block flags for all the violations. A default set of violations is already set to block.
Check or clear the Block check boxes for the violations, as required (or use the default settings).
Click the Save button.
In the editing context area, click the Apply Policy button to immediately put the changes into effect.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)