Manual Chapter : Security Policy Elements in Each Policy Type

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter

Security policy elements included in each policy type

The elements that the system adds to a security policy depend on the policy type you select for automatic policy building. You can set the policy type when creating the security policy in the Deployment wizard or later by modifying the policy settings (Security > Application Security > Policy Building > Settings > ). When the policy type is set or modified, the Application Security Manager (ASM) assigns the Explicit Entities Learning settings as follows.

Table 1. Explicit Entities Learning Settings for Each Policy Type
Security policy element Fundamental Enhanced Comprehensive Vulnerability Assessment
File Types Add All Entities Add All Entities Add All Entities Never (wildcard only)
URLs Never (wildcard only) Selective Add All Entities Never (wildcard only)
Parameters Selective (wildcard only) Selective Add All Entities Never (wildcard only)
Cookies Never (wildcard only) Selective Selective Never (wildcard only)
Redirection Domains Add All Entities Add All Entities Add All Entities Add All Entities
Table 2. Explicit Entities Learning Settings
Setting Description
Add All Entities The Policy Builder includes all of the website entities. This option creates a large set of security policy entities with a granular object level configuration and high security level.
Selective This option applies only to the * wildcard. When false positives occur, the system adds or suggests adding an explicit entity with relaxed settings. This option provides a good balance between security, policy size, and ease of maintenance.
Never (Wildcard Only) When false positives occur, the system suggests relaxing the settings of the wildcard entity. This option creates a security policy that is easy to manage but may result in overall relaxed application security.

Depending on which policy type you select, ASM includes a different set of policy elements in the Automatic Policy Building Settings.

Table 3. Policy Elements
Security Policy element Fundamental Enhanced Comprehensive Vulnerability Assessment
HTTP Protocol Compliance Yes Yes Yes Yes
Evasion Techniques Detected Yes Yes Yes Yes
File Type Lengths Yes Yes Yes No
Attack Signatures (Applies to policy, parameter, content profile, and cookie signatures) Yes Yes Yes Yes
URL Meta Characters No Yes Yes No
Parameter Name Meta Characters No No Yes No
Parameter Value Lengths No Yes Yes No
Value Meta Characters (for Parameters and Content Profiles) No No Yes No
Allowed Methods No Yes Yes Yes
Request Length Exceeds Defined Buffer Size Yes Yes Yes No
Header Length Yes Yes Yes No
Cookie Length Yes Yes Yes No
Failed to Convert Character Yes Yes Yes Yes
Content Profiles No Yes Yes No
Automatically detect advanced protocols No No; but Yes if JSON/XML payload detection selected No; but Yes if JSON/XML payload detection selected No
Host Names Yes Yes Yes Yes
CSRF URLs No No Yes Yes
Note: In the table, Yes means the element is automatically included in the policy type; No means it is not included.