Manual Chapter: Securing HTTP Traffic Using a Custom System Configuration

Overview: Creating a custom HTTP security profile

This implementation describes how to set up the BIG-IP® Protocol Security Manager™ to perform security checks on your HTTP virtual server traffic customized to the needs of your environment. Custom configuration of HTTP security and traffic management requires creating an HTTP service profile with security, and fine tuning this profile so it protects HTTP traffic the way you want. Once you have all HTTP settings specified, you create a virtual server using the HTTP custom service profile, and a default pool to handle the HTTP traffic.

Task summary

Creating a custom HTTP profile

An HTTP profile defines the way that you want the BIG-IP® system to manage HTTP traffic.
  1. On the Main tab, click Local Traffic > Profiles > Services > HTTP. The HTTP profile list screen opens.
  2. Click Create. The New HTTP Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select http.
  5. Select the Custom check box.
  6. Modify the settings, as required.
  7. Click Finished.
The custom HTTP profile now appears in the HTTP profile list screen.

Creating a security profile for HTTP traffic

An HTTP security profile specifies security checks that apply to HTTP traffic, and that you want the BIG-IP® system to enforce. In the security profile, you can also configure remote logging and trusted XFF headers.
  1. On the Main tab, click Security > Protocol Security > Security Profiles > HTTP. The Security Profiles: HTTP screen opens.
  2. Click the Create button. The New HTTP Security Profile screen opens.
  3. In the Profile Name field, type a unique name for the profile.
  4. If you want the system to trust XFF (X-Forwarded-For) headers in the requests:
    1. Select the Trust XFF Header check box. Select this option if the BIG-IP system is deployed behind an internal or other trusted proxy. Then, Protocol Security Manager uses the IP address that initiated the connection to the proxy instead of the internal proxy’s IP address. The screen refreshes and provides an additional setting.
    2. In the New Custom XFF Header field, type the header that you want the system to trust, then click Add. You can add up to five custom XFF headers.
  5. If you want the security profile to be case-sensitive, leave the Profile is case sensitive check box selected. Otherwise, clear the check box.
    Note: You cannot change this setting after you create the security profile.
  6. Modify the blocking policy settings by clicking HTTP Protocol Checks and Request Checks, selecting the appropriate options, and enabling the Block or Alarm options as needed.
    Note: If you do not enable either Alarm or Block for a protocol check, the system does not perform the corresponding security verification.
    • Alarm: The system logs any requests that trigger the security profile violation.
    • Block: The system blocks any requests that trigger the security profile violation.
    • Alarm and Block: The system both logs and blocks any requests that trigger the security profile violation.
  7. Click Blocking Page if you want to configure the blocking response page.
  8. Click Create. The screen refreshes, and you see the new security profile in the list.
The BIG-IP® system automatically assigns this security profile to HTTP traffic that a designated virtual server receives.
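The Trust XFF Header option above only makes sense when the header comes from a proxy you control; a client can set X-Forwarded-For to anything, so a device that trusts it unconditionally attributes requests (and the Alarm/Block decisions that follow) to a spoofed address. The following Python is an added illustration of that trust rule, not BIG-IP code: it uses the forwarded chain only when the connection arrives from a trusted proxy network, walks the chain past trusted hops to the address that initiated the connection to the proxy, honours the custom header names the profile can add, and enforces the five-header limit. The `trusted_proxies` CIDR list and the `X-Client-IP` header name in the test are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Sequence

# The chapter allows up to five custom XFF headers per security profile.
MAX_CUSTOM_XFF_HEADERS = 5


def parse_xff(value: str) -> List:
    """Split a comma-separated XFF value into addresses, ignoring malformed tokens."""
    addrs = []
    for tok in value.split(","):
        tok = tok.strip()
        if not tok:
            continue
        try:
            addrs.append(ipaddress.ip_address(tok))
        except ValueError:
            continue  # junk entry: skip it rather than let it steer the decision
    return addrs


def client_address(peer: str, headers: Dict[str, str], trust_xff: bool,
                   trusted_proxies: Sequence[str],
                   custom_xff_headers: Sequence[str] = ()) -> str:
    """Return the address the HTTP security checks should attribute a request to.
    peer:            address that opened the TCP connection to the BIG-IP
    trusted_proxies: CIDRs of the internal proxy tier (hypothetical setting; the
                     chapter only says "deployed behind an internal or other trusted proxy")
    """
    if len(custom_xff_headers) > MAX_CUSTOM_XFF_HEADERS:
        raise ValueError("profile allows at most five custom XFF headers")
    peer_ip = ipaddress.ip_address(peer)
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    trusted = lambda a: any(a in n for n in nets)
    # Trust XFF Header cleared, or connection not from a trusted proxy: the header
    # is client-controlled, so the peer address is the only value worth using.
    if not trust_xff or not trusted(peer_ip):
        return str(peer_ip)
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("X-Forwarded-For", *custom_xff_headers):
        raw = lowered.get(name.lower())
        if raw is None:
            continue
        # Walk the chain from the right (hop nearest to us) past proxies we trust; the
        # first untrusted hop is the address that initiated the connection to the proxy.
        for addr in reversed(parse_xff(raw)):
            if not trusted(addr):
                return str(addr)
    return str(peer_ip)
```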

Configuring an HTTP virtual server

You can configure a local traffic virtual server and a default pool for your network's HTTP servers. When the virtual server receives HTTP traffic, any HTTP security profile created in BIG-IP® Protocol Security Manager™ scans for security vulnerabilities, and load balances traffic that passes the scan.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, select the type, and type an address, or an address and mask, as appropriate for your network.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. From the HTTP Profile list, select the custom profile that you created with protocol security enabled.
  7. From the Source Address Translation list, select Auto Map.
  8. In the Resources area of the screen, for the Default Pool setting, click the Create (+) button. The New Pool screen opens.
  9. In the Name field, type a unique name for the pool.
  10. In the Resources area, for the New Members setting, select the type of new member you are adding, then type the appropriate information in the Node Name, Address, and Service Port fields, and click Add to add as many pool members as you need.
  11. Click Finished to create the pool. The screen refreshes, and reopens the New Virtual Server screen. The new pool should be listed in the Default Pool setting.
  12. Click Finished to create the virtual server. The screen refreshes, and you see the new virtual server in the list.

Modifying associations between service profiles and security profiles

Before you can modify associations between service profiles and security profiles, you must have created at least one security profile.
When you enable the Protocol Security setting on an FTP, HTTP, or SMTP service profile, the system automatically assigns the first-listed security profile to the service profile you configured for that protocol. You can review and modify the current associations between the service profiles and the security profiles for each protocol.
  1. On the Main tab, click Security > Protocol Security > Profiles Assignment. The Profiles Assignment: HTTP screen opens.
  2. From the Profiles Assignment menu, select the service profile type, if different from HTTP.
  3. For each traffic profile, select the protocol security profile to use from the list in the Assigned Security Profile column.
  4. Click Save.

Reviewing violations statistics for security profiles

Protocol Security Manager™ provides statistics and transaction information for each profile that triggers any of the security violations defined by each service profile. If you enable the Alarm flag for a violation and incoming traffic triggers the violation, the Protocol Security Manager logs the request, which you can review on the Statistics screen of the Protocol Security Manager. If you enable the Block flag for any of the violations, the Protocol Security Manager blocks the request.
  1. On the Main tab, click Security > Event Logs > Protocol > HTTP, FTP, SMTP. The Protocol: HTTP, FTP, SMTP statistics screen opens listing all violations, organized by protocol, with the number of occurrences.
  2. Type a Support ID, if you have one, to filter the violations and view one in particular.
  3. Click a violation's hyperlink to see details about the requests causing the violation. On the Statistics screen, in the left column, you can review information regarding the traffic volume for each security profile configured.
