Manual Chapter : General Configuration Options for BIG-IP DataSafe Profiles and URLs

Applies To:


BIG-IP ASM

  • 14.1.2, 14.1.0

General Configuration Options for BIG-IP DataSafe Profiles and URLs

Configuring advanced general settings on a profile

Configure advanced general settings on BIG-IP® DataSafe™ profiles if you want to change the default settings that the BIG-IP® system assigns to profiles.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the General Settings area of the DataSafe Profile Properties screen, click Advanced.
    The Advanced settings appear.
  4. In the Alert Path field, use the automatically generated path, or define your own path.
    Note: If you define your own path, ensure that the path is not used by any other field in the profile and that it is not an already existing URL.
  5. In the Suggested Username Header field, use the default header or type a header that will be added to AJAX requests when the BIG-IP system detects an AJAX login attempt, which is common for Single Page Applications.
    With this header, the BIG-IP system can detect the username that was used for the login. The client sends this header only for URLs in the profile that have a parameter set as Identify as Username.
  6. For the JavaScript Directory field, use the automatically generated path, or define your own.
    This path specifies the location of the main BIG-IP DataSafe JavaScript. This path does not include the actual file name of the JavaScript.
    Note: This path should be changed only if your application is already using a directory with the same path as the automatically assigned default path.
  7. For the JavaScript Configuration Directory field, use the automatically generated path, or define your own path that specifies the location of the BIG-IP DataSafe JavaScript containing profile configuration settings.
    This path specifies the location of the configuration JavaScript. This path does not include the actual file name of the JavaScript.
    Note: This path should be changed only if your application is already using a directory with the same path as the automatically assigned default path.
  8. For the JavaScript Removal Location field, use the automatically generated path, or define your own path that specifies the location of the image file name that the system uses for detecting a JavaScript removal attack.
  9. For JavaScript Grace Threshold, change the default value if you want to raise or lower the maximum amount of time (in seconds) permitted between when a protected web page is loaded and its injected JavaScript activates.
  10. Leave the Additional function to be run before JavaScript load field blank unless instructed otherwise by F5®.
  11. If your profile includes one or more URLs that contain SPA views, for Referrer Info Header use the default header value or assign your own header value that the BIG-IP system uses to identify SPA views.
  12. For the Prevent duplicate alerts from Client Side setting, select the Enabled check box to prevent the client from sending an alert whose information is identical to an alert that the same client already sent during the past 24 hours.
    Note: This check runs in the injected JavaScript, so it reduces alert volume from well-behaved browsers but cannot be relied on against a client that has tampered with or removed the script. Duplicate suppression that must hold for every client has to be enforced on the BIG-IP system, for example in an iRule.
  13. Click Save.
    The BIG-IP system saves the changes that you made to the advanced settings.

Enable an iRule to handle logins and alerts

Enabling iRules® to handle logins and alerts is relevant only if you have written an iRule that handles the ANTIFRAUD_ALERT event or the ANTIFRAUD_LOGIN event, and that iRule is associated with the same virtual server as your profile.
Enable this setting if you want to use an iRule to disable alerts or to record login events.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the General Settings area of the DataSafe Profile Properties screen, click Advanced.
    The Advanced settings appear.
  4. In the Trigger iRule Events setting, select the Enabled check box.
  5. Click Save.
    iRules are now enabled to handle logins and alerts.

iRule events

iRules® can subscribe to the ANTIFRAUD_ALERT event and the ANTIFRAUD_LOGIN event in BIG-IP® DataSafe™.

iRule event | Description
ANTIFRAUD_ALERT | Occurs when an alert is sent to the BIG-IP® system.
ANTIFRAUD_LOGIN | Occurs when a user successfully logs in to the profile. If login validation is not configured, this event can also occur when only the user name is identified.

iRule Examples

The following example shows how an iRule uses the ANTIFRAUD_ALERT event to log all available information about an alert that the client sent to the BIG-IP system. The log local0. command writes to /var/log/ltm.

when ANTIFRAUD_ALERT {
  log local0. "=========Anti-Fraud Alert========="
  log local0. "Alert Identifier: [ANTIFRAUD::alert_id]"
  log local0. "Alert Type: [ANTIFRAUD::alert_type]"
  log local0. "Alert Component: [ANTIFRAUD::alert_component]"
  log local0. "Alert Details: [ANTIFRAUD::alert_details]"
  log local0. "Alert GUID: [ANTIFRAUD::alert_guid]"
  log local0. "Alert Device ID: [ANTIFRAUD::alert_device_id]"
  log local0. "Alert License ID: [ANTIFRAUD::alert_license_id]"
  log local0. "Alert Score: [ANTIFRAUD::alert_score]"
  log local0. "Alert Username: [ANTIFRAUD::alert_username]"
  log local0. "Alert HTTP Referrer: [ANTIFRAUD::alert_http_referrer]"
  log local0. "Alert Additional Info: [ANTIFRAUD::alert_additional_info]"
}

The following example shows how an iRule uses the ANTIFRAUD_ALERT event to disable a specific alert according to its type.

when ANTIFRAUD_ALERT {
  if { [ANTIFRAUD::alert_type] eq "components_validation" } {
    log local0. "Alert Type is components validation"
    ANTIFRAUD::disable_alert
    log local0. "Disabled Alert"
  }
}

The following example shows how an iRule uses the ANTIFRAUD_LOGIN event with its commands.

when ANTIFRAUD_LOGIN {
  log local0. "=========Anti-Fraud Login========="
  # read mode
  log local0. "Username: [ANTIFRAUD::username]"
  log local0. "GUID: [ANTIFRAUD::guid]"

  # write mode
  ANTIFRAUD::username "other_user"
}

Values for iRule commands

The following values are used with the ANTIFRAUD:: commands shown in the examples above:

Value | Description
alert_id | The alert identifier, for example d4.
alert_type | The type of alert.
alert_component | An error type that is determined according to the alert_type.
alert_details | Additional information regarding the alert.
alert_device_id | Persistent browser identifier.
alert_license_id | crc32 of the license ID, in hex.
alert_transaction_data | Key-value list of all parameters marked to be attached.
alert_username | When this command is used without any additional arguments, it returns the name of the user who triggered the alert. With an additional argument it overrides the current user name (write mode), in the same way that ANTIFRAUD::username is used in the ANTIFRAUD_LOGIN example above.
alert_http_referrer | The URL of the site that was visited just before the Alert URL was visited.
alert_additional_info | Additional information about the alert, such as the "parameter values too long" error message.
disable_alert | Disables the current alert.
For more information about iRules, go to F5® Networks DevCentral™ (https://devcentral.f5.com/irules).
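The following iRule is an added example and is not part of the F5 manual or of F5's own code. It uses both events together: ANTIFRAUD_ALERT suppresses repeated alerts on the BIG-IP itself (the profile's Prevent duplicate alerts from Client Side option only asks the client's JavaScript to do this, so a tampered client can ignore it), correlates each alert with a login recorded by ANTIFRAUD_LOGIN, and forwards higher-scoring alerts to a remote syslog collector with high-speed logging. The pool name siem_syslog_pool, the subtable names, the thresholds, the assumption that alert_score is an integer, and the assumption that alert_guid in ANTIFRAUD_ALERT and guid in ANTIFRAUD_LOGIN identify the same client are all assumptions, not values taken from the manual. The profile's Trigger iRule Events setting must be enabled and the iRule attached to the same virtual server as the profile.

```tcl
# Added example, not from the F5 manual. Requires "Trigger iRule Events" to be
# enabled on the DataSafe profile and this iRule to be attached to the same
# virtual server. Pool name, subtable names and thresholds are assumptions.

when RULE_INIT {
    # Assumption: alert_score is an integer and a higher value is more suspicious.
    set static::af_min_score 50
    # Seconds for which a repeated (device id, alert type) pair is dropped.
    # Enforced here on the BIG-IP, independently of the client-side option.
    set static::af_dedupe_window 86400
}

when ANTIFRAUD_ALERT {
    set atype  [ANTIFRAUD::alert_type]
    set device [ANTIFRAUD::alert_device_id]
    set score  [ANTIFRAUD::alert_score]
    set user   [ANTIFRAUD::alert_username]
    set key    "${device}:${atype}"

    # Server-side duplicate suppression keyed on device id and alert type.
    if { [table lookup -subtable af_seen $key] ne "" } {
        log local0. "Suppressed repeated $atype alert from device $device"
        ANTIFRAUD::disable_alert
        return
    }
    table set -subtable af_seen $key 1 $static::af_dedupe_window

    # Correlate with a login recorded by ANTIFRAUD_LOGIN (assumes alert_guid
    # and guid identify the same client). An alert with no recorded login
    # came from a page that never passed the login URL or from a replayed session.
    set login_user [table lookup -subtable af_logins [ANTIFRAUD::alert_guid]]
    if { $login_user eq "" } {
        set note "no-login-seen"
    } else {
        set note "login-user=$login_user"
    }

    # Local record in /var/log/ltm.
    log local0. "Anti-Fraud Alert id=[ANTIFRAUD::alert_id] type=$atype component=[ANTIFRAUD::alert_component] score=$score user=$user device=$device client=[IP::client_addr] $note"

    # Forward only alerts that clear the threshold to the assumed syslog pool.
    # <134> is syslog facility local0 (16*8) plus severity informational (6).
    if { [string is integer -strict $score] && $score >= $static::af_min_score } {
        set hsl [HSL::open -proto UDP -pool siem_syslog_pool]
        HSL::send $hsl "<134>datasafe_alert id=[ANTIFRAUD::alert_id] type=$atype score=$score user=$user device=$device client=[IP::client_addr] details=[ANTIFRAUD::alert_details]\n"
    }
}

when ANTIFRAUD_LOGIN {
    # Read mode: which user logged in, under which client GUID.
    set user [ANTIFRAUD::username]
    set guid [ANTIFRAUD::guid]
    log local0. "Anti-Fraud Login user=$user guid=$guid client=[IP::client_addr]"
    # Keep the login for one hour so later alerts carrying the same GUID can
    # be matched to it in ANTIFRAUD_ALERT.
    table set -subtable af_logins $guid $user 3600
}
```

Keying the duplicate window on the persistent device identifier rather than on the client IP matters because many clients share one address behind NAT, and disabling the repeated alert with ANTIFRAUD::disable_alert stops it from being processed further by the system rather than only from being logged. The score threshold is deliberately applied only to what is forwarded; every alert still leaves a local record, so a tuned-down threshold never hides evidence from a later investigation.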

Configuring SPA views

Configuring SPA views on a URL is relevant only if your web site is a single-page application (SPA).
You configure SPA views to provide BIG-IP® DataSafe™ protection to the SPA views on a URL.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. In the URL List, click the Add View button in the row of the URL where you want to add a view.
    The Create New View screen opens.
  5. In the View field, type a name for the view.
  6. Click Advanced.
  7. Leave the Additional function to be run before JavaScript load field blank unless instructed otherwise by F5®.
  8. For the Destination URLs setting, add URLs that should receive protected data from this view.
    Adding URLs here allows you to use the parameters that are configured on this view on the destination URL as well, without having to re-configure them on the destination URL. This setting is relevant only when sending data by Ajax and in a form format (not JSON format).
  9. Click Create.
    The BIG-IP system creates the view and the DataSafe Profile Properties screen opens.

Enhancing data encryption on a URL with SPA views

This task is relevant only if your URL contains SPA views.
If your URL contains SPA views, BIG-IP DataSafe provides some additional settings for enhancing data encryption.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. In the URL List, click the relevant URL.
    The URL Properties screen opens.
  5. Click Advanced.
  6. If this URL has SPA views that are not configured in the profile and you want the BIG-IP DataSafe Main JavaScript to run on those views, verify that the Enabled check box for Fallback to Base URL is selected.
  7. At Destination URLs, add URLs that should receive encrypted data from this URL.
    Adding URLs here allows you to use the parameters that are configured on this URL on the destination URL as well, without having to re-configure them on the destination URL.
    Note:
    • This setting appears only for URLs that have SPA views configured in the profile.
    • This setting is relevant only when sending data by Ajax and in a form format (not JSON format).
  8. Click Save.
    The URL configuration settings are saved.

Cloning a profile

If you want to create a new profile with settings identical to an existing profile, you can clone the profile. Unlike parent-child profiles, the cloned profile is not dependent on the original one, and any changes made to the original profile after cloning are not inherited by the previously cloned profile.
Note: A cloned profile inherits all properties from the original profile, including all URL properties.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. Select the check box next to the profile that you want to clone.
  3. Click the Clone button.
    The Clone Profile pop-up screen opens.
  4. In the Clone Profile pop-up screen, assign a profile name and (optionally) a description.
  5. Click Clone.
    The cloned profile is created and appears in the list of profiles in the DataSafe Profiles screen.

Cloning a URL or view

You can clone a URL or SPA view if you want to create a new URL or view that inherits some or all of the settings on an existing URL or view.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the profile with the URL you want to clone.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Select the check box next to the URL or view that you want to clone.
  5. Click the Clone button.
    The Clone URL (or Clone View) pop-up screen opens.
  6. In the pop-up screen, assign a URL path or view name and (optionally) a description.
  7. If you are cloning a URL, do the following:
    1. If you don’t want to encrypt data on the web page of the new URL, disable the Inject JavaScript setting.
    2. If the source URL contains SPA views and you want the new URL to inherit those views, select the Enabled check box by Views.
  8. If you want the new URL or view to inherit all the parameters configured on the source URL or view, select the Enabled check box by Parameters.
  9. Click the Clone button in the pop-up screen.
    Note: Once the new URL/view is created, there is no further dependency on the source URL/view and any future changes made to the source URL/view are not inherited by the new URL/view.
The BIG-IP® system creates the new URL/view.