Manual Chapter : Managing Application Security Manager Devices

Applies To:

Enterprise Manager

  • 3.1.1

Overview: Application Security Manager device management

You can use Enterprise Manager to easily create and deploy security policies, logging profiles, and IP address exception lists to a large set of BIG-IP Application Security Manager devices.

About ASM security policies

At the core of Application Security Manager are customized security policies that are tailored to your network environment based on settings that you specify. Instead of logging in to each Application Security Manager device to administer these security policies, you can use Enterprise Manager to import, export, and deploy security policies from one central location.

Note: The method you use to deploy a security policy is dependent on the version of software running on the Application Security Manager devices.

Importing an ASM security policy

To import a security policy to Enterprise Manager, you must first create it on the BIG-IP Application Security Manager device.
You can import a security policy to Enterprise Manager to make it available for deployment to other managed Application Security Manager devices or for archiving purposes.
Note: This procedure is only for BIG-IP Application Security Manager devices running version 11.3.0 or later.
  1. On the Main tab, click Security > Application Security > Policies.
  2. Click the Import button.
  3. For the Import Method setting, select an option:
    • Select Import Security Policy from Device to choose a device on which you have a security policy.
    • Select Upload Security Policy to browse to a location where you have saved a security policy.
  4. If you are importing the security policy from a device:
    1. Click the name of the device. The screen refreshes and displays a list of associated security policies.
    2. Check the select box next to the security policies that you want to import, and click the Import button. The security policy that you selected displays in the policies list.
  5. If you are importing a security policy from a saved file:
    1. Click the Browse button.
    2. Browse to the location where you saved the security policy.
    3. Click the Update button. The security policy that you selected displays in the policies list.
The security policy is now available to deploy to a managed Application Security Manager device.

Deploying an ASM security policy to devices running version 11.3.0 or later

You must first import a security policy to Enterprise Manager in order to deploy it.

You can deploy a security policy to one or more managed BIG-IP Application Security Manager devices, without having to log in to each of those devices individually.

Important: Enterprise Manager must be able to reach the managed device through its management IP address. If Enterprise Manager cannot reach the device's management IP address, deployment fails.
  1. On the Main tab, click Security > Application Security > Policies.
  2. Click the select button next to the security policy name that you want to deploy, and click the Deploy button.
  3. Select the check box next to the device name to which you want to deploy this security policy.
  4. From the Deploy Target list, select the target to which you want to deploy this security policy. The target can be a virtual server, policy, or new offline policy. The options displayed depend on the target system's state. If you deploy a new security policy, it overwrites any existing security policy.
The security policy is now available for use on the targeted device.

Exporting an ASM security policy

You must import a security policy from a managed BIG-IP Application Security Manager device to Enterprise Manager, before you can export it.
You can export a security policy from one web application to use it as a baseline for a new web application. You can also export a security policy to archive it on a remote system before upgrading the system software, or to create a backup copy.
Note: This procedure is only for BIG-IP Application Security Manager devices running version 11.3.0 or later.
  1. On the Main tab, click Security > Application Security > Policies.
  2. Click the select button next to the security policy that you want to export, and click the Export button. A dialog box opens.
  3. Click the Save button.
  4. Browse to the location that you want to export the security policy to, and click the Save button.
The security policy is now available to import to another managed device.

About attack signatures

Attack signatures are the foundation of the BIG-IP Application Security Manager system's negative security logic. Attack signatures are rules or patterns that identify attacks, or classes of attacks, on a web application and its components. Enterprise Manager simplifies attack signature management by helping you obtain signature updates and deploy them to your managed BIG-IP Application Security Manager devices.

Scheduling automatic attack signature file downloads

Attack signature files are applicable only to BIG-IP Application Security Manager devices.

You can create a schedule for Enterprise Manager to check for, and download, newly updated attack signature definitions for images stored in the image repository. This feature helps you avoid performing unnecessary and potentially frequent manual checks for updated attack signature files.

Important: Enterprise Manager checks for updated attack signature files from downloads.f5.com. For the system to communicate with the F5 servers, you must configure the Enterprise Manager system to use your network DNS server.
  1. On the Main tab, click Enterprise Management > Tasks > Schedules > Attack Signature Updates.
  2. From the Check for Updates list, select an option. Depending on your selection, the screen refreshes to display the Start Time and Day of the Month/Week settings.
  3. For the Start Time setting, select the time of day that you want Enterprise Manager to check for attack signature updates.
  4. Depending on the frequency you selected, from the Day of the Week or the Day of the Month list, select an option.
  5. Select the Automatically Download New Updates check box.
Enterprise Manager now checks for attack signatures at the specified time interval. If new attack signatures are found, Enterprise Manager downloads the file to its attack signature repository.

Manually checking and downloading updated attack signature files

Attack signature files are applicable only to BIG-IP Application Security Manager devices.
In addition to creating a schedule for automatically checking for attack signature file updates, you can also manually check for and download the most recent attack signature images.
  1. On the Main tab, click Enterprise Management > Repository > Attack Signature List.
  2. Click the Check for New Signatures button. The Check for New Signatures screen opens and displays the status of the check for new attack signatures. The screen refreshes at regular intervals as the system checks for available updates for the signature files listed in the Available ASM Attack Signatures section. After the task completes, the system indicates whether an update is available for the signature files in the repository.
  3. Click the Import button. The Import Attack Signature File screen opens.
  4. Click the Browse button and browse to the location of the Attack Signature file.
  5. Click the Import button. An import status indicator appears, displaying information about the packages as they are downloaded to the image repository.
You can now install the downloaded attack signatures to managed Application Security Manager devices.
By default, Enterprise Manager triggers an alert when a new attack signature is available; however, you must specify the action you want the system to take when the alert is triggered.

Creating an alert for attack signature updates

Before Enterprise Manager can send alerts, you must verify the IP address of your DNS server. If you want Enterprise Manager to send SNMP traps, you must first specify the trap destination.
Create alerts for your devices to monitor specific system events.
  1. On the Main tab, click Enterprise Management > Alerts > Device Alert List.
  2. Click the Create button. The New Alert screen opens.
  3. In the Name field, type a name for the alert. Once you create the alert, you cannot change the name.
  4. From the Alert Type list, select the type of alert that you want to create. Depending on the type of alert that you select, the screen may refresh to display additional options, including threshold fields.
  5. If the alert type requires a threshold, for the Condition setting, specify a threshold value.
  6. For the Action setting, select the check box next to each action that you want Enterprise Manager to take when the alert is triggered. If you select the option, SNMP trap to remote server, you must have SNMP configured.
  7. If you selected the option to send an email for this alert and you want to specify an address different than the default, clear the Use default email recipient check box, and in the Email Recipient field, type an email address. By default, the system sends an email to the recipient you specified in the Options screen for alerts.
  8. If you selected the option to send a message to a remote syslog server and you want to specify an address different than the default, clear the Use default remote syslog server address  check box and in the Remote Syslog Server Address field, type a remote syslog server address. By default, the system sends the event to the remote syslog server address you specified in the Options screen for alerts.
  9. For the Devices or Devices Lists setting, in the Available box, select one or more devices from the devices or device list and click the Move button to move the selected devices or device list to Assigned.
  10. Click Finished.
Enterprise Manager notifies you if a device meets the criteria for the alert you selected.

Installing an attack signature

An attack signature file must be downloaded (automatically by Enterprise Manager or manually) before you can install it on a managed BIG-IP Application Security Manager device. Before installation, verify that the attack signature is the most recent version available.

Important: For the security policies to work properly, the ASM attack signatures (including custom signatures) must be the same on all systems to which you are deploying the security policies.
It is important to regularly install updated attack signatures on managed Application Security Manager devices in your network. Enterprise Manager provides you with a simple method of deploying attack signatures to your devices.
  1. On the Main tab, click Enterprise Management > Tasks > Task List.
  2. Click the New Task button.
  3. For the Application Security setting, select Install Attack Signatures and click the Next button. If the attack signature that you want to install is not displayed in the list, you may need to download the attack signature image, or import it to the image repository.
  4. From the Product Version list, select the software version for which you want to install the attack signature. The screen refreshes to display only signatures compatible with the software version you selected.
  5. Select the button next to the attack signature that you want to install and click the Next button.
  6. From the Device List, you can select a group of devices to narrow the number of devices displayed.
  7. Select the check box next to the Application Security Manager device on which you want to install the attack signature and click the Next button.
  8. From the Device Error Behavior list, select the action you want Enterprise Manager to take in the event that the task fails on one of the devices.
    • Continue task on remaining devices
    • Cancel task on remaining devices
  9. Click the Next button.
  10. To change the task name, in the Task Name field, type a new name. This name appears in the task list while the task is running and after the task is finished.
  11. Click the Start Task button. The Task Properties page displays the progress for the task.
When the task completes, the updated attack signature is installed on the selected devices.

About logging profiles for ASM

Enterprise Manager manages BIG-IP Application Security Manager logs through logging profiles. A logging profile determines where events are logged, and which items (such as which parts of requests, or which type of errors) are logged.

You can create a logging profile that stores logs locally on the managed device, or you can configure the managed device to forward log messages to a remote server.

Creating an ASM logging profile for local storage

A logging profile is applicable only if you are managing BIG-IP Application Security Manager devices.
You create a logging profile to specify the elements of logs that a managed device collects, and to define the storage location. Creating a logging profile allows you to easily apply it to several managed devices, ensuring consistency across your Application Security Manager devices. When locally stored, you can view logs on the managed Application Security Manager device by navigating to the Security > Event Logs > Application > Requests screen.
  1. On the Main tab, click Security > Application Security > Logging Profiles.
  2. Click the Create button.
  3. In the Profile Name field, type a unique identifier for the profile you are creating.
  4. For the Application Security setting, select the Enabled check box. The screen refreshes to display additional options.
  5. From the Configuration list, select Advanced.
  6. For the Local Storage setting, select the Enabled check box.
  7. To log all requests for a managed device, for the Guarantee Local Logging setting, select the Enabled check box. When enabled, the device logs all requests, even if the logging process slows access to the web application server. When disabled, the device logs all requests as long as the logging process is not competing for system resources. In either case, the managed device does not drop requests.
  8. To log specific responses, from the Response Logging list, select For Illegal Requests Only or For All Requests.
  9. From the Storage Filter list, select Advanced.
  10. For the Logic Operation setting, select the operation that you want the device to use to filter the storage format items that you specified.
    • OR prompts the system to log requests based on the traffic elements meeting one or more of the specified criteria.
    • AND prompts the system to log requests based on the traffic elements meeting all specified criteria.
  11. From the Request Type list, select what types of requests to log, Only Illegal Requests or All Requests Types.
  12. To log only traffic from a specific protocol, for the Protocols setting, select Only, and then select HTTP or HTTPS from the list.
  13. To log traffic only for specific status codes, use the Response Status Codes setting:
    1. Select Only.
    2. In the Available Status Codes list, click each status code that you want to log.
    3. Click the Move button to transfer the selected status code to the Selected Status Codes list.
  14. To log only traffic from specific HTTP methods, use the HTTP Methods setting:
    1. Select Only.
    2. In the Available Methods list, click each method that you want to log.
    3. Click the Move button to transfer the selected method to the Selected Methods list.
  15. To log based only on specific strings, use the Request Containing String setting:
    1. Select Search In.
    2. From the Search In list, select an option and type a string in the field. The search is case-sensitive.
  16. Click the Finished button to save this logging profile.
This logging policy is now available to deploy to one or more managed Application Security Manager devices or virtual servers.

Deploying an ASM local storage logging profile to a managed device

You must create a profile before you can deploy it to a BIG-IP Application Security Manager device.
You can deploy a logging profile to a device on which you are remotely storing logs, in order to specify which elements of the traffic are logged.
  1. On the Main tab, click Security > Application Security > Logging Profiles.
  2. Click the select button next to the profile name you want to deploy and click the Deploy button.
  3. From the Deploy to list, select Devices.
  4. From the Device List, select an option to narrow the list to a specific device.
  5. Select the check box next to the device to which you want to deploy this logging profile and click the Deploy button.
A window opens displaying the progress of the deployment.

Creating an ASM logging profile for remote storage

A logging profile is applicable only if you are managing BIG-IP Application Security Manager devices.
You create a logging profile to specify the elements of logging. Creating a logging profile allows you to easily apply it to several managed devices, ensuring consistency across your Application Security Manager devices. Storing logs remotely frees room for other processes on the managed device.
  1. On the Main tab, click Security > Application Security > Logging Profiles.
  2. Click the Create button.
  3. In the Profile Name field, type a unique identifier for the profile you are creating.
  4. Select the Enabled check box for the Application Security setting. The screen refreshes to display additional options.
  5. From the Configuration list, select Advanced.
  6. To log all requests for a managed device, for the Guarantee Local Logging setting, select the Enabled check box. When enabled, the device logs all requests, even if the logging process slows access to the web application server. When disabled, the device logs all requests as long as the logging process is not competing for system resources. In either case, the managed device does not drop requests.
  7. For the Remote Storage setting, select the Enabled check box.
  8. To log only specific responses, from the Response Logging list, select For Illegal Requests Only or For All Requests.
  9. From the Remote Storage Type list, select one of the following:
    • Remote - Select this option to store logs on a remote logging server, such as Syslog.
    • Reporting Server - Select this option to store logs on a reporting server using a pre-configured storage format. Key/value pairs are used in the log messages.
    • ArcSight - Select this option to store logs on a remote logging server using the predefined ArcSight settings for the logs. The log messages are in Common Event Format (CEF).
  10. From the Protocol list, select the protocol that the remote storage server uses: TCP, TCP-RFC3195, or UDP.
  11. For the Server Address setting:
    1. In the IP Address field, type the IP address for the remote storage server.
    2. From the Port list, select the port that the remote storage server uses for traffic, and click the Add button.
  12. From the Facility list, select the facility category of the logged traffic.
  13. For the Storage Format setting:
    1. From the list, select Field-List to display only pre-defined items in the Available Items list. Select User-Defined to view the pre-defined items in the Available Items list and also to type text directly into the Selected Items field.
    2. If you selected Field-List, in the CSV with delimiter field, type the symbol to use to separate the objects in the output. You may not use the percentage sign (%) character. The default delimiter is the comma (,) character.
    3. From the Available Items list, select the items you want to log and click the Move button. If you selected User-Defined for this setting, you can type a field directly into the Storage Format list.
    4. To move an object up or down in the Selected Items list, click the item and then click the Up or Down button.
  14. To specify a maximum for how much of the query string the server logs, select the Length option and in the Bytes field, type a value.
  15. If the remote storage server supports the TCP protocol, you can change how much of each entry the server logs by selecting a value from the Maximum Entry Length list. The default length is 1K for remote servers that use the UDP protocol and 2K for remote servers that use the TCP or TCP-RFC3195 protocol.
  16. For the Report Detected Anomalies setting, select the Enabled check box if you want the device to send a report string to the remote device log when a brute force attack, denial of service attack, IP enforcer attack, or web scraping attack starts and ends.
  17. From the Storage Filter list, select Advanced.
  18. For the Logic Operation setting, select the operation that you want the device to use to filter the storage format items that you specified.
    • OR prompts the system to log requests based on the traffic elements meeting one or more of the specified criteria.
    • AND prompts the system to log requests based on the traffic elements meeting all specified criteria.
  19. From the Request Type list, select what types of requests to log, Only Illegal Requests or All Requests Types.
  20. To log only traffic from a specific protocol, for the Protocols setting, select Only, and then select HTTP or HTTPS from the list.
  21. To log traffic only for specific status codes, use the Response Status Codes setting:
    1. Select Only.
    2. In the Available Status Codes list, click each status code that you want to log.
    3. Click the Move button to transfer the selected status code to the Selected Status Codes list.
  22. To log only traffic from specific HTTP methods, use the HTTP Methods setting:
    1. Select Only.
    2. In the Available Methods list, click each method that you want to log.
    3. Click the Move button to transfer the selected method to the Selected Methods list.
  23. To log based only on specific strings, use the Request Containing String setting:
    1. Select Search In.
    2. From the Search In list, select an option and type a string in the field. The search is case-sensitive.
  24. Click the Finished button to save this logging profile.
This logging policy is now available to deploy to one or more managed Application Security Manager devices or virtual servers.
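Whichever Remote Storage Type you select, the receiving server has to parse what the device sends: pipe-delimited CEF headers with a key=value extension for the ArcSight option, or key/value pairs for the Reporting Server option. The following parser is an added example, not F5 code and not output captured from a device; the sample records and their field names (for instance cs1 carrying the policy name, and the quoted key/value layout) are constructed assumptions, and real ASM messages may use different keys. It handles the CEF escapes (\| in the header, \= in extension values) that a naive split on "|" or "=" gets wrong, and it counts records per client address across both formats.

```python
"""Parse remote ASM log lines in CEF (ArcSight) and quoted key/value form.

Added example, not F5 code. The sample records and their field names
(for instance cs1 carrying the policy name) are constructed assumptions;
real ASM messages may use different keys.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample records (not captured from a device).
SAMPLE_CEF = (
    "CEF:0|F5|ASM|11.3.0|Illegal Request|HTTP request violations|7|"
    "src=203.0.113.10 spt=51234 dst=192.0.2.20 dpt=443 "
    "request=/login?user\\=admin msg=Attack signature detected cs1=demo_policy"
)
SAMPLE_KV = 'policy_name="demo_policy" src_ip="203.0.113.10" method="POST" response_code="403"'

# An extension key sits at the start or after whitespace and is followed by a
# literal '='; an escaped '\=' inside a value therefore never starts a new key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
# Quoted key/value pairs, allowing backslash-escaped characters inside quotes.
_KV_RE = re.compile(r'([A-Za-z0-9_.]+)="((?:[^"\\]|\\.)*)"')


def _split_cef_header(line: str) -> Tuple[List[str], str]:
    """Return the seven pipe-delimited header fields and the remaining extension.

    '\\|' and '\\\\' are CEF header escapes and must not split a field."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    return fields, line[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value key2=value with spaces', unescaping \\= \\n \\r \\\\."""
    out: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = (raw.replace("\\=", "=").replace("\\n", "\n")
                              .replace("\\r", "\r").replace("\\\\", "\\"))
    return out


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF record into its header fields plus an extension dictionary."""
    header, ext = _split_cef_header(line)
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    return {
        "cef_version": header[0][4:],
        "vendor": header[1],
        "product": header[2],
        "device_version": header[3],
        "signature_id": header[4],
        "name": header[5],
        "severity": header[6],
        "extension": _parse_extension(ext),
    }


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a quoted key/value record (constructed Reporting Server-style layout)."""
    return {m.group(1): m.group(2) for m in _KV_RE.finditer(line)}


def parse_asm_line(line: str) -> Dict[str, str]:
    """Dispatch on the record format and return one flat dictionary of fields."""
    if line.startswith("CEF:"):
        rec = parse_cef(line)
        flat = {k: v for k, v in rec.items() if k != "extension"}
        flat.update(rec["extension"])
        return flat
    return parse_kv(line)


def count_sources(lines: Iterable[str], key_candidates=("src", "src_ip")) -> Counter:
    """Count records per client address, whichever address key the record uses."""
    counts: Counter = Counter()
    for line in lines:
        fields = parse_asm_line(line)
        for k in key_candidates:
            if k in fields:
                counts[fields[k]] += 1
                break
    return counts


if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_KV):
        print(parse_asm_line(sample))
    print(count_sources([SAMPLE_CEF, SAMPLE_KV]))
```

The header splitter walks the line character by character rather than calling split("|") so that an escaped pipe inside the signature name stays in its field; the extension parser locates keys first and takes everything up to the next key as the value, which is what lets values such as the msg text keep their spaces.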

Deploying an ASM remote logging profile to a remote virtual server

You must create a profile before you can deploy it to a BIG-IP Application Security Manager device.
You can deploy a logging profile to a managed device to specify which elements of the traffic are logged.
  1. On the Main tab, click Security > Application Security > Logging Profiles.
  2. Click the select button next to the profile name you want to deploy, and click the Deploy button.
  3. From the Deploy to list, select Devices.
  4. From the Device List, select an option to narrow the list to a specific device.
  5. Select the check box next to the device to which you want to deploy this logging profile and click the Deploy button. A window opens displaying the progress of the deployment.
This logging profile is now associated with the selected device.

About ASM IP address exception lists

IP address lists contain the IP addresses that you have deemed trusted. Managed BIG-IP Application Security Manager devices do not generate Policy Builder learning suggestions for traffic sent from these IP addresses, which reduces unnecessary traffic.

Creating an ASM IP address exception list

An IP address list is applicable only to managed BIG-IP Application Security Manager devices.
IP address exception lists reduce the amount of unnecessary traffic on your managed BIG-IP Application Security Manager devices by defining trusted sites.
  1. On the Main tab, click Security > Application Security > IP Address Lists.
  2. Click the Create button.
  3. In the List Name field, type a unique name for this list.
  4. To import an IP address list:
    1. Click the Import List button.
    2. Click the select button next to the device from which you want to import the IP address list, and click the Next button.
    3. Select the button next to the security policy from which you want to import the IP address list, and click the Next button.
    4. Select the check box next to each IP address exception list you want to add, and click the Done button.
  5. To add a new IP address exception list and define its properties:
    1. Click the Add IP Address button.
    2. In the IP Address field, type the IP address you want to add.
    3. In the Netmask field, type any associated netmask address.
    4. Specify each setting that you want to enable for this list by selecting its check box. Refer to the online help for details about these settings.
    5. In the Description field, type an optional description.
    6. Click the Add button.
You can now deploy this IP exception list to a security policy.

Deploying an ASM IP address exception list

An IP address list is applicable only to managed BIG-IP Application Security Manager devices. You can deploy an IP address list only after you create one on, or import one to, Enterprise Manager.
Deploying an IP address list helps reduce traffic on managed Application Security Manager devices.
  1. On the Main tab, click Security > Application Security > IP Address Lists.
  2. Click the select button next to the IP address list that you want to deploy, and click the Deploy button.
  3. From the Deploy to list, select Devices.
  4. From the Device List, you can select a group of devices to narrow the number of devices displayed.
  5. Select the check box next to the device to which you want to deploy this IP address list, and click the Deploy button. A window opens to display the deployment status.
This IP address exception list is now associated with the selected policy.

Overview: Viewing analytics for multiple ASM devices

You can use Enterprise Manager to view reports for managed BIG-IP Application Security Manager devices that are provisioned for Application Visibility and Reporting (AVR).

Analytics reports provide detailed metrics about application performance such as transactions per second, server and client latency, request and response throughput, and sessions. Metrics are provided for applications, virtual servers, pool members, URLs, specific countries, and additional detailed statistics about application traffic running through one or more managed devices. You can view the analytics reports for a single device, view aggregated reports for a group of devices, and create custom lists to view analytics for only specified devices. In this way, Enterprise Manager provides centralized analytics reporting.

Viewing analytics charts and data

Before you can use Enterprise Manager to view analytics, you must license it with the Centralized Analytics add-on key. If your web browser is IE8 or earlier, install Adobe Flash Player on the system where you want to view the analytics. You must also provision the managed BIG-IP Application Security Manager devices for Application Visibility and Reporting (AVR), and associate the analytics profile with one or more virtual servers.
Analytics provide visibility into application behavior, user experience, transactions, and data center resource usage. You can use this information to troubleshoot issues and to increase the efficiency of your network.
  1. On the Main tab, click Statistics > Analytics > HTTP. The Overview screen opens.
  2. For each widget (or area on the screen), click the gear icon, and select Settings to adjust what is displayed.
    • Devices - Specifies a managed device or a list of managed devices for which you want to display statistics.
    • View all traffic by - Specifies the type of data to view, and provides an optional filter so you can display more information.
    • Date range - Specifies the time period for which to display statistics (last hour, day, week, month).
    • Data visualization - Specifies how to format the data (details table, or line, pie, or bar chart).
    • Available measurements - Specifies up to six measurements to display in Details tables. Line, pie, or bar charts display only the first measurement.
  3. From the menu bar, select the type of statistics you want to view.
    • Overview - Top statistical information about traffic on your system or managed systems, such as the top virtual servers, top URLs accessed, and top applications. You can customize the information that is displayed.
    • Transactions - The HTTP transaction rate (transactions per second) passing through the web applications, and the number of transactions to and from the web applications.
    • Latency > Server Latency - The number of milliseconds it takes from the time a request arrives at the virtual server until a response arrives at the virtual server.
    • Latency > Page Load Time - The number of milliseconds it takes for a web page to fully load on a client browser, from the time the user clicks a link or enters a web address until the web page displays in its entirety.
    • Throughput > Request Throughput - HTTP request throughput in bits per second.
    • Throughput > Response Throughput - HTTP response throughput in bits per second.
    • Sessions > New Sessions - The number of transactions that open new sessions, in sessions per second.
    • Sessions > Concurrent Sessions - The total number of open and active sessions at a given time, until they time out.
    The charts display information based on the settings you enabled in the Analytics profile.
  4. To specify the devices for which to display application statistics, from the Device(s) list, select an option.
    • For multiple devices, select Device list and then select the name of a device list. *All Devices, provided by default, displays statistics for all managed devices for which AVR is provisioned.
    • For one device, select Device and then select the name of the device.
    Tip: You also have the option to create a custom list of devices by clicking Enterprise Management > Custom Lists and on the Custom Lists screen, clicking Create List.
  5. From the View By list, select the specific network object type for which you want to display statistics. You can also click Expand Advanced Filters to filter the information that displays.
  6. To focus on specific information, click the chart or the details. The system refreshes the charts and displays specific information about the item.