You can use Application Security Manager™ (ASM) to create two layers of security policies: parent policies and child policies. Parent policies include mandatory policy elements, and child policies inherit those attributes from the parent. When the parent policy is updated, its child policies are automatically updated.
Parent policies let you
You can specify which parts of the security policy must be inherited, which are optional, and which are not inherited. This way, you can keep child policies in sync with the changes in the global mandatory policies and still allow the child policies to address their own unique requirements. The inheritance follows the sections of the policy in the Learning and Blocking Settings: each part can be inherited or not inherited from the parent.
| Option | Description |
|---|---|
| All | Specifies that the policy trusts all IP addresses. This option is recommended only for traffic in a corporate lab or preproduction environment where all of the traffic is trusted. The policy is created faster when you select this option. |
| Address List | Specifies networks to consider safe. Fill in the IP Address and Netmask fields, then click Add. This option is typically used in a production environment where traffic could come from untrusted sources. The IP Address can be either an IPv4 or an IPv6 address. |

| Option | Description |
|---|---|
| Slow | Use if your application supports a large number of requests from many sessions; for example, useful for web sites with lots of traffic. Policy Builder requires a large amount of unique traffic samples to make decisions in Automatic Learning Mode, or to reach a high learning score. This option creates the most accurate security policy, but it takes Policy Builder longer to collect the statistics. |
| Medium | Use if your application supports a medium number of requests, or if you are not sure about the amount of traffic on the application web site. This is the default setting. |
| Fast | Use if your application supports a small number of requests from a small number of sessions; for example, useful for web sites with less traffic. Policy Builder requires fewer unique traffic samples to make decisions in Automatic Learning Mode, or to reach a high learning score. However, choosing this option may present a greater chance of adding false entities to the security policy. |
The security policy immediately starts protecting your application. The enforcement mode of the security policy is set to Blocking. Traffic that is considered to be an attack is blocked, such as traffic that is not compliant with the HTTP protocol, has malformed payloads, uses evasion techniques, performs web scraping, or contains sensitive information or illegal values. Other potential violations are reported but not blocked.
If the parent is changed, the child policy is automatically updated with the latest inherited (or accepted) settings.
After you create parent and child policies and begin sending traffic to the application protected by the child policy, the system provides learning suggestions concerning additions to the policies based on the traffic it sees. For example, you can have users or testers browse the web application. By analyzing the traffic to and from the application, Application Security Manager™ generates learning suggestions or ways to fine-tune the parent and child policies to better suit the traffic and secure the application.
Suggestions related to settings that are inherited appear locked in the child policy and can only be accepted in the parent policy.
| Option | Description |
|---|---|
| Accept Suggestion | The system modifies the policy by taking the suggested action, such as adding an entity that is legitimate. Note: For suggestions concerning inherited settings, this option only appears in the parent policy. Suggestions about adding file types, URLs, parameters, cookies, or redirection domains can only be accepted in child policies. |
| Delete Suggestion | The system removes the learning suggestion, but the suggestion reoccurs if new requests cause it. The learning score of the suggestion starts over from zero in that case. |
| Ignore Suggestion | The system does not change the policy and stops showing this suggestion on the Traffic Learning screen now and in the future. You can view ignored suggestions by filtering by Status Ignored. |
If you know that a suggestion is valid, you can accept it at any time, even before its learning score reaches 100%. Suggestions that reach 100% have met all the conditions, so they are probably legitimate entities.
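
The inheritance rules and the suggestion routing described above can be followed in a small Python model. This is an added example, not F5 code or an ASM API; the class names, section names and values are constructed for illustration, and a child's acceptance of an optional section is modelled as a simple set.

```python
from dataclasses import dataclass, field

# Inheritance modes a parent assigns per policy section (terms from the page).
MANDATORY, OPTIONAL, NOT_INHERITED = "mandatory", "optional", "none"

@dataclass
class Parent:
    settings: dict  # section -> value defined in the parent
    modes: dict     # section -> inheritance mode

@dataclass
class Child:
    parent: Parent
    local: dict                                 # the child's own values
    accepted: set = field(default_factory=set)  # optional sections the child accepted

    def inherits(self, section):
        mode = self.parent.modes.get(section, NOT_INHERITED)
        return mode == MANDATORY or (mode == OPTIONAL and section in self.accepted)

    def effective(self):
        # Resolved on each call, so a parent change shows up in the child at once.
        sections = sorted(set(self.local) | set(self.parent.settings))
        return {s: self.parent.settings.get(s) if self.inherits(s) else self.local.get(s)
                for s in sections}

    def accept_suggestion_in(self, section, adds_entity=False):
        # Entity additions (file types, URLs, parameters, cookies, redirection
        # domains) are accepted in the child; other suggestions on an inherited
        # section are locked in the child and accepted in the parent.
        if adds_entity or not self.inherits(section):
            return "child"
        return "parent"

def demo():
    # Constructed sample sections and values, not ASM configuration keys.
    parent = Parent(
        settings={"attack_signatures": "block", "data_guard": "on", "ip_intelligence": "on"},
        modes={"attack_signatures": MANDATORY, "data_guard": OPTIONAL,
               "ip_intelligence": NOT_INHERITED})
    child = Child(parent, local={"attack_signatures": "alarm", "data_guard": "off",
                                 "ip_intelligence": "off"})
    before = child.effective()
    child.accepted.add("data_guard")                # child opts in to an optional section
    parent.settings["attack_signatures"] = "alarm"  # parent edit, no child action
    return before, child.effective(), child.accept_suggestion_in("attack_signatures")

if __name__ == "__main__":
    print(demo())
```

In the model, a mandatory section always resolves to the parent's value regardless of the child's local setting, which is the property to verify when auditing whether a child policy can weaken a global control.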