Manual Chapter : Maintaining Security Policies

Applies To:

BIG-IP ASM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

Maintaining Security Policies

Overview: Activating and deactivating security policies

When you use the Deployment wizard to create a security policy, it is created as an active security policy. You can have up to 1024 active security policies on a BIG-IP® system. You can view the list of active security policies in Application Security Manager™ (ASM). The policy that you are currently working on is selected in the list, and on many of the ASM™ screens, it is specified as the current edited policy.

To actively secure traffic, a security policy must be associated with a virtual server and a local traffic policy. When you create a security policy that uses an existing or new virtual server, the policy is automatically associated with that virtual server and a default local traffic policy. You can edit the local traffic policy, but it then becomes a custom local traffic policy. You can also create a security policy that is not associated with any virtual server; it still appears in the list of active security policies, but it inspects no traffic.

If you are no longer using a security policy or if you want to delete it, you must deactivate the policy first. You deactivate a security policy from the list of active policies. However, you cannot deactivate a security policy that is associated with a virtual server and a custom (not default) local traffic policy. You need to remove all mention of the security policy from the local traffic policy and virtual server before you can deactivate the security policy.

Once the security policy is deactivated and moved to the list of inactive security policies, you can select it and delete it.

Deactivating security policies

If you no longer want to use a security policy, you can deactivate it; if you want to delete a security policy, you must deactivate it first. A deactivated (inactive) policy stays on the system and can be activated again later.
  1. On the Main tab, click Security > Application Security > Security Policies .
    The Active Policies screen opens.
  2. Select the security policy you want to deactivate.
  3. Click Deactivate, and then click OK when prompted to confirm your action.
    If a custom local traffic policy refers to the security policy, the security policy is not deactivated. You must first remove the references to the security policy from the rules of the associated local traffic policy.
If a default local traffic policy is associated with the security policy, the system disassociates the local traffic policy first, then deactivates the security policy. The system moves the security policy to the Inactive Security Policies list and permanently deletes all of the request log entries generated by the deactivated security policy, so preserve any request log entries you still need (for example, for an investigation or an audit) before you deactivate.

Activating security policies

If you want to resume using an inactive security policy, you can activate it and re-associate it with a virtual server and local traffic policy.
  1. On the Main tab, click Security > Application Security > Security Policies > Inactive Policies .
    The Inactive Policies screen opens showing security policies that were deactivated or imported from another system (as an inactive policy).
  2. Select the security policy you want to activate.
  3. Click Activate.
    The Activate Policy screen opens.
  4. For Activation Type, specify whether to associate a virtual server with the security policy.
    • To activate the security policy using the virtual server from another active security policy, click Replace policy associated with virtual server. For Replaced Policy, select the name of the security policy you want to replace.
    • To wait until later to associate a virtual server with the security policy, click Do not associate with virtual server.
  5. Click Activate.
The system moves the security policy to the Active Security Policies list. If you associated the security policy with a virtual server, application security is enabled on the virtual server and the system creates a default local traffic policy. The security policy you activated becomes the current active security policy, and the old security policy moves to the Inactive Security Policies list.
If you did not associate a virtual server with the security policy, the security policy is unusable because no traffic can go through it. As a result, it is meaningless to run the Policy Builder on this type of security policy. You will need to manually associate it with a virtual server (in which case, the system automatically creates a default local traffic policy) in order for the security policy to handle traffic. You can also manually associate a custom local traffic policy with a security policy.

Deleting security policies

If you no longer want to use a security policy, you can delete it. Before you can delete a security policy, you must deactivate it; the Delete action is available only from the Inactive Policies list.
  1. On the Main tab, click Security > Application Security > Security Policies > Inactive Policies .
    The Inactive Policies screen opens.
  2. Select the security policy you want to delete.
  3. Click Delete, and then click OK when prompted to confirm your action.
    The system permanently removes the security policy from the system.

Overview: Importing and exporting security policies

You can export or import security policies from one Application Security Manager™ (ASM) system to another.

You can export a security policy as a binary archive file or as a readable XML file. For example, you might want to export a security policy protecting one web application to use it as a baseline policy for another similar web application. You might want to export a security policy to archive it on a remote system before upgrading the system software, to create a backup copy, to replace an existing policy, or to merge with another security policy.

You can import a security policy that was previously exported from another ASM™ system. When you import a security policy, you can import it as an inactive security policy or so that it replaces an existing security policy. If you replace an existing policy, the replaced policy is automatically archived with the inactive security policies.

About security policy export formats

Application Security Manager™ can export security policies in binary or XML format. The XML or archive file includes the partition name, the name of the security policy, and the date and time it was exported. For example, a policy called finance in the Common partition is exported to a file called Common_finance__2014-04-28_12-10-00__source.device with either a .plc (binary) or .xml extension. The time used in the file name is the policy version timestamp (which includes the source hostname where the policy was last modified, the time modified, and the policy name).
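The file-name layout above is regular enough to parse, which is useful when you keep many exports and need to know which one is the newest version of a given policy, or which device it was last modified on, before you import it. The following is an added example, not F5 code: it reads the partition, policy name, version timestamp and source device out of an export file name, and picks the most recent export of a policy from a set of backup files. It assumes (the manual does not say so) that the partition name contains no underscore and that the double underscore is the field separator, so a policy name may itself contain single underscores.

```python
import os
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# Layout of an ASM export file name, as described in this chapter:
#   <partition>_<policy>__<YYYY-MM-DD_HH-MM-SS>__<source hostname>.<plc|xml>
# Assumptions made here (not stated in the manual): the partition name has
# no underscore, and the double underscore is the field separator, so a
# policy name may itself contain single underscores.
_NAME_RE = re.compile(
    r"^(?P<partition>[^_/]+)_(?P<policy>.+?)__"
    r"(?P<stamp>\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2})__"
    r"(?P<source>.+)\.(?P<ext>plc|xml)$"
)


@dataclass(frozen=True)
class ExportName:
    partition: str
    policy: str
    version: datetime      # policy version timestamp taken from the file name
    source: str            # host on which the policy was last modified
    fmt: str               # "binary" (.plc) or "xml"


def parse_export_name(path: str) -> ExportName:
    """Split an export file name into its fields; raise ValueError if the
    name does not follow the documented layout."""
    name = os.path.basename(path)
    m = _NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not an ASM policy export file name: {name!r}")
    return ExportName(
        partition=m["partition"],
        policy=m["policy"],
        version=datetime.strptime(m["stamp"], "%Y-%m-%d_%H-%M-%S"),
        source=m["source"],
        fmt="binary" if m["ext"] == "plc" else "xml",
    )


def newest_export(paths: Iterable[str], partition: str, policy: str) -> Optional[str]:
    """Among a set of backup files, return the most recent export of the
    given policy (by version timestamp), or None if there is none.
    Files whose names are not policy exports are skipped."""
    best: Optional[tuple] = None
    for p in paths:
        try:
            n = parse_export_name(p)
        except ValueError:
            continue
        if (n.partition, n.policy) != (partition, policy):
            continue
        if best is None or n.version > best[0]:
            best = (n.version, p)
    return None if best is None else best[1]


if __name__ == "__main__":
    # Constructed sample file names, following the format shown in this chapter.
    backups = [
        "/var/backups/Common_finance__2014-04-28_12-10-00__source.device.plc",
        "/var/backups/Common_finance__2014-05-03_09-00-00__source.device.xml",
        "/var/backups/Common_hr_portal__2014-05-03_09-00-00__source.device.plc",
        "/var/backups/notes.txt",
    ]
    print(newest_export(backups, "Common", "finance"))
```

A practical extension is to compare the parsed `source` field against the device you expect the policy to have come from, and to stop the import when it does not match, since the file name is the only provenance an export carries.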

An exported security policy includes any user-defined attack signature sets that are in use by the policy, but not the actual signatures. Therefore, it is a good idea to make sure that the attack signatures and user-defined signatures are the same on the two systems.

If you save the policy as an XML file, you can open it to view the configured settings of the security policy in a human readable format.

In addition when exporting to XML, you can save the security policy in a compact format, which results in a smaller XML file. The compact XML format does not include information about the staging state of attack signatures. Also, information about the following items is only included if it was changed from the default values:

  • Meta-character sets
  • Learn, Alarm, and Block settings for violations
  • Response pages
  • IP address intelligence Alarm and Block settings

Exporting security policies

You can export a security policy and save it in a file. The exported security policy can be used as backup, or you can import it onto another system.
  1. On the Main tab, click Security > Application Security > Security Policies .
    The Active Policies screen opens.
  2. In the Active Security Policies list, select the security policy that you want to export, then click Export.
    Note: You can also export security policies from the Inactive Policies list using the same method.
    The Select Export Method popup screen opens.
  3. Select an export method.
    • To save the security policy as an XML file, select Export security policy in XML format. To reduce the size of the XML file, select the Compact format check box.
    • To save the security policy as a policy archive file (.plc file), select Binary export of the security policy.
    • If the security policy integrates with a vulnerability assessment tool, select the Include Vulnerability Assessment configuration and data check box.
  4. Click Export.
    The system exports the security policy in the format you specified.
The exported security policy includes any user-defined signature sets that are in the policy, but not the user-defined signatures themselves. Optionally, you can export user-defined signatures from the Attack Signature List (to see the list, go to Security > Options > Application Security > Attack Signatures > Attack Signatures List ).

Importing security policies

Before you import a security policy from another system, make sure that the attack signatures and user-defined signatures are the same on both systems. You also need access to the exported policy file.
You can import a security policy that was previously exported from another Application Security Manager™ system.
  1. On the Main tab, click Security > Application Security > Security Policies .
    The Active Policies screen opens.
  2. Click Import.
    The Import Security Policy screen opens.
  3. Use the Choose File setting to navigate to the previously exported security policy.
    The exported security policy can be in XML (regular or compact) or binary (.plc) format.
    The system shows the name of the policy you plan to import and the policy encoding.
  4. For the Import Target setting, select how to import the security policy.
    • To place the uploaded policy into the list of inactive policies for later use, select Inactive Security Policies List.
    • To replace the currently active policy with the security policy you are importing, select Replaced Policy and select the policy to replace from the list.
  5. Click Import.
    The system imports the security policy and displays a success status message when the operation is complete.
If you replaced an existing policy, the imported security policy completely overwrites the existing security policy. Also, the imported policy is then associated with the virtual server and local traffic policy that was previously associated with the policy you replaced. The replaced policy is automatically archived with the inactive security policies.

If you imported a security policy to the list of inactive policies, it does not protect any application. You have to activate the inactive policy and associate it with a virtual server before it can protect an application.

Overview: Comparing security policies

Application Security Manager™ has a Policy Diff feature that lets you compare two security policies, view the differences between them, and copy the settings from one policy to the other. You can use the comparison for auditing purposes, to make two policies act similarly, or to simply view the differences between two security policies. The Policy Diff feature is particularly useful for comparing a security policy in staging and a production version. You can compare active security policies (with or without Policy Builder running), inactive security policies, and exported security policies. When you import security policies that were exported from another system, they are placed in the inactive policies list.

You need to have a user role on the BIG-IP® system of Administrator, Application Security Administrator, or Application Security Editor to use Policy Diff to compare security policies.

Comparing security policies

Before you can compare security policies, the two policies must be on the same BIG-IP system, or accessible from the system you are using (such as imported policies). They must also have the same language encoding, the same protocol independence (Differentiate between HTTP and HTTPS URLs) configuration, and the same case sensitivity configuration. You can compare policies even if they are running Policy Builder, but because they are constantly changing, the comparison is done on copies of the policies to avoid corrupting them.
Note: Only users with a role of Administrator, Application Security Administrator, or Application Security Editor can use Policy Diff to compare security policies.
You can compare two security policies to review the differences between them. While the two security policies are being compared, the system prevents other users from saving changes to them.
  1. On the Main tab, click Security > Application Security > Security Policies > Policy Diff .
  2. From the First Policy and Second Policy lists, select the security policies you want to compare or merge, or browse to search your computer for an exported security policy.
    The two security policies you are comparing can be active, inactive, policies imported in binary or XML format, or a combination of both.
  3. If you plan to merge security policy attributes, it is a good idea to safeguard the original security policy. In the Working Mode field, select how you want to work.
    • Work on Original: Incorporate changes into one (or both) of the original security policies, depending on the merge options you select, without making a copy.
    • Make a Copy: Save a copy of the security policy into which you are incorporating changes as a backup, then incorporate the changes into the original.
    • Work on Copy: Work on a copy of the original security policy. First, a copy is made, then any changes are incorporated into the copy, leaving the original untouched. If one or more of the policies being compared has Policy Builder enabled, this option is selected automatically (and the other options become unavailable).
  4. Click the Calculate Differences button to compare the two security policies.
    Note: The system does not compare navigation parameters. They are ignored and do not appear in the results.
    The Policy Differences Summary lists the number of differences for each entity type.
  5. Click any row in the Policy Differences Summary to view the differing entities with details about the conflicting attributes.
    The system displays a list of the differing entities and shows details about each entity's conflicting attributes.
  6. Review the differences between the two policies and determine whether or not you want to merge attributes from one policy to the other.
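Policy Diff itself runs on the BIG-IP system. When the two policies exist only as exported XML files (for example, archived versions of the same policy, or an export from a system you cannot reach), a structural diff of the two files gives a first-pass answer offline. The following is an added example, not F5's Policy Diff and not the ASM XML schema: the element and attribute names in the constructed sample documents (`policy`, `urls`, `url`, `violations`, `violation`, `encoding`, `case_sensitive`) are placeholders for this illustration, and the diff logic treats any XML the same way. It keys sibling elements by a `name` attribute so that entities are compared by identity rather than by position, and it mirrors the precondition above by first checking that the root-level settings you name agree before comparing.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence, Tuple

Node = Tuple[Dict[str, str], str]   # (attributes, text) of one element


def _index(root: ET.Element) -> Dict[str, Node]:
    """Flatten an XML tree into {path: (attributes, text)}. Siblings with the
    same tag are keyed by their 'name' attribute when they have one and by
    position otherwise, so lists of entities (URLs, parameters, signature
    sets) are compared entity by entity rather than by order."""
    out: Dict[str, Node] = {}

    def walk(elem: ET.Element, path: str) -> None:
        counts: Dict[str, int] = {}
        for child in elem:
            key = child.get("name")
            if key is None:
                counts[child.tag] = counts.get(child.tag, 0) + 1
                key = str(counts[child.tag])
            child_path = f"{path}/{child.tag}[{key}]"
            out[child_path] = (dict(child.attrib), (child.text or "").strip())
            walk(child, child_path)

    root_path = f"/{root.tag}"
    out[root_path] = (dict(root.attrib), (root.text or "").strip())
    walk(root, root_path)
    return out


def incompatible_settings(xml_a: str, xml_b: str, settings: Sequence[str]) -> List[str]:
    """Return the names of root-level settings that differ between the two
    exports. Policy Diff requires encoding, case sensitivity and protocol
    independence to match, so refuse to compare when any of them differs."""
    a, b = ET.fromstring(xml_a), ET.fromstring(xml_b)
    return [s for s in settings if a.get(s) != b.get(s)]


def diff_policies(xml_a: str, xml_b: str) -> List[str]:
    """List entities present in only one policy, then attribute and text
    differences on entities present in both ('first' is xml_a)."""
    a, b = _index(ET.fromstring(xml_a)), _index(ET.fromstring(xml_b))
    report: List[str] = []
    for p in sorted(a.keys() - b.keys()):
        report.append(f"only in first: {p}")
    for p in sorted(b.keys() - a.keys()):
        report.append(f"only in second: {p}")
    for p in sorted(a.keys() & b.keys()):
        (attrs_a, text_a), (attrs_b, text_b) = a[p], b[p]
        for k in sorted(attrs_a.keys() | attrs_b.keys()):
            if attrs_a.get(k) != attrs_b.get(k):
                report.append(f"{p} @{k}: {attrs_a.get(k)!r} -> {attrs_b.get(k)!r}")
        if text_a != text_b:
            report.append(f"{p} text: {text_a!r} -> {text_b!r}")
    return report


# Constructed sample documents. The element and attribute names are
# placeholders for this example, not the ASM export schema.
STAGING = """<policy name="finance" encoding="utf-8" case_sensitive="true">
  <urls>
    <url name="/login" method="POST"/>
    <url name="/export" method="GET"/>
  </urls>
  <violations>
    <violation name="Illegal file type" alarm="true" block="true"/>
  </violations>
</policy>"""

PRODUCTION = """<policy name="finance" encoding="utf-8" case_sensitive="true">
  <urls>
    <url name="/login" method="POST"/>
  </urls>
  <violations>
    <violation name="Illegal file type" alarm="true" block="false"/>
  </violations>
</policy>"""

if __name__ == "__main__":
    clash = incompatible_settings(STAGING, PRODUCTION, ("encoding", "case_sensitive"))
    if clash:
        raise SystemExit(f"policies are not comparable; differing settings: {clash}")
    for line in diff_policies(STAGING, PRODUCTION):
        print(line)
```

On the sample input the report shows one URL that exists only in the staging policy and one violation whose blocking setting was relaxed in production, which is exactly the kind of drift the Policy Diff screen is meant to surface before a merge.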

Overview: Merging security policies

Application Security Manager™ has a policy merge option to combine two security policies. In the merge process, the system compares, and then merges, specific features from one security policy to another.

The merge mechanism is lenient: where the two policies conflict, the system resolves the conflict by keeping the more open (less restrictive) setting in the target security policy. Because of this, an automatic merge can relax a production policy; review the Policy Differences Summary before merging if that matters. When the merge is complete, the system shows the results of the merge process.

You can perform the merge in two ways:

  • Automatically merge missing entities changing one policy or both policies.
  • Manually merge specific differing entities from one security policy to another.

Merging security policies

Only users with a role of Administrator, Application Security Administrator, or Application Security Editor can use Policy Diff to merge security policies.
If you have two security policies with entities and attributes that you want to combine into one policy, you can merge the two policies. For example, you can merge a security policy that you built offline into a security policy that is on a production system. You can perform the merge in two ways:
  • Automatically merge missing entities changing one policy or both policies.
  • Manually merge specific differing entities from one security policy to another.
  1. On the Main tab, click Security > Application Security .
    The Active Policies screen opens.
  2. In the Security Policies area, click the Merge button.
    The Policy Diff screen opens.
  3. From the First Policy and Second Policy lists, select the security policies you want to compare or merge, or browse to search your computer for an exported security policy.
    The two security policies you are comparing can be active, inactive, policies imported in binary or XML format, or a combination of both.
  4. If you plan to merge security policy attributes, it is a good idea to safeguard the original security policy. In the Working Mode field, select how you want to work.
    • Work on Original: Incorporate changes into one (or both) of the original security policies, depending on the merge options you select, without making a copy.
    • Make a Copy: Save a copy of the security policy into which you are incorporating changes as a backup, then incorporate the changes into the original.
    • Work on Copy: Work on a copy of the original security policy. First, a copy is made, then any changes are incorporated into the copy, leaving the original untouched. If one or more of the policies being compared has Policy Builder enabled, this option is selected automatically (and the other options become unavailable).
  5. Click the Calculate Differences button to compare the two security policies.
    Note: The system does not compare navigation parameters. They are ignored and do not appear in the results.
    The Policy Differences Summary lists the number of differences for each entity type.
  6. Decide whether you want to examine each difference in detail, or have the system resolve the differences.
    • To merge the security policies automatically, skip to step 9.
    • To examine the differences before merging, proceed to step 7.
  7. Click any row in the Policy Differences Summary to view the differing entities with details about the conflicting attributes.
    The system displays a list of the differing entities and shows details about each entity's conflicting attributes.
  8. To merge the two security policies manually, address each difference.
    1. For each differing entity and attribute, move the ones you want into the merged security policy, or click Ignore to leave them different.
      Tip: Click the Details link to see very specific information about the entity in each security policy.
    2. Click Save to save the changes you make.
    When you click Save, the changed section is removed from the screen because it was resolved. Other differing entities that still need to be resolved are still shown.
  9. To automatically merge the differences between the two security policies, click Auto Merge.
    An Auto Merge popup screen opens.
  10. In the Handle missing entities setting, specify how you want the system to treat entities that exist in one security policy but not the other.
    By default, both check boxes are selected; the auto-merge process adds unique entities from each policy into the policy from which they are missing.
    • To move missing entities from the second policy to the first, select Add all unique entities from <second policy> to <first policy>.
    • To move missing entities from the first policy to the second, select Add all unique entities from <first policy> to <second policy>.
    • If you do not want to merge missing entities, leave both check boxes blank.
  11. In the Handle common entities for <first policy> and <second policy>, specify how you want the system to treat entities that have conflicting attributes.
    • To make no changes to either policy when entities are different, select Leave unchanged.
    • To use the differing entities from the first policy and move them to the second, select Accept all from <first policy> to <second policy>.
    • To use the differing entities from the second policy and move them to the first, select Accept all from <second policy> to <first policy>.
  12. Click Merge.
    The system merges the two security policies.
  13. On the right of First or Second Policy (for active policies only), click the Apply Policy button to put into effect the changes made to the merged security policy.
The system logs all changes made either manually or automatically in the policy log, for auditing purposes.