Web Application Security imports BIG-IP® Application Security Manager™ (ASM) application security policies from discovered BIG-IP devices, and lists them on the Web Application Security policy editor Policies screen. Each security policy is assigned a unique identifier that it carries across the enterprise. This ensures that each policy is shown only once in the Policies screen, no matter how many devices it is attached to. In the Web Application Security repository, policies are in XML format.
Following is a list of the supported versions of the BIG-IQ Centralized Management system and the BIG-IP device for each subcollection. Refer to the release notes for BIG-IQ Centralized Management for detailed information on BIG-IP device and BIG-IQ Centralized Management system support, such as the minimum F5® TMOS® version supported for this release.
Subcollection | Discovery and Deployment Support | Edit Support using BIG-IQ GUI | Minimum BIG-IP Device Version Support | Comments |
---|---|---|---|---|
Policy and properties | Yes | Yes | Any | |
Character Sets | Yes | Yes | Any | The BIG-IQ Centralized Management user interface can be used to edit parameter names and parameter values. |
Data Guard | Yes | Yes | Any | |
File Types | Yes | Yes | Any | |
IP Address Exceptions | Yes | Yes | Any | |
Parameters | Yes | Yes | Any | |
Extractions | Yes | Yes | 11.6.0 | |
Response Pages | Yes | Yes | Any | Learning using the Central Policy Builder is not applicable for use with response pages. |
Signatures | Yes | Yes | Any | |
Signature Sets and attack signature configuration | Yes | Yes | Any | Filter-based sets are supported, manual sets are not. |
Blocking settings - violations | Yes | Yes | Any | No support for user defined violations. |
Blocking settings - evasions | Yes | Yes | Any | |
Blocking settings - HTTP protocol compliance | Yes | Yes | Any | |
Blocking settings - web services securities | Yes | Yes | Any | |
Policy Builder | Yes | Yes | Any | Learning using the Central Policy Builder is not applicable for use with the local Policy Builder. |
Central Policy Builder | Yes | Yes | 13.1.0 | Learning using the Central Policy Builder is not supported with GWT content profiles, and is non-applicable for response pages, local policy builder, web scraping, and brute force attack prevention. |
Allowed methods | Yes | Yes | Any | |
Headers | Yes | Yes | Any | |
Cookies | Yes | Yes | Any | |
Host names | Yes | Yes | Any | |
Geolocation enforcement | Yes | Yes | 11.6.0 | |
IP Intelligence | Yes | Yes | 11.6.0 | |
Redirection protection | Yes | Yes | 11.6.0 | |
Sensitive parameters | Yes | Yes | Any | |
Web scraping | Yes | No | 12.0.0 | Learning using the Central Policy Builder is not applicable for use with web scraping. |
CSRF protection | Yes | Yes | 11.6.0 | When editing policies deployed to BIG-IP device versions earlier than 13.1, URLs added to the CSRF URLs list must have the following settings: |
JSON Content Profiles | Yes | Yes | 11.6.0 | |
XML Content Profiles | Yes | Yes | 11.6.0 | Schemas and WSS are not supported. |
GWT Content Profiles | Yes | No | 11.6.0 | Learning using the Central Policy Builder is not supported with GWT content profiles. |
Plain Text Content Profiles | Yes | Yes | 12.1.0 | |
URLs | Yes | Yes | Any | Flow configuration for URLs is not supported, such as referrer, check flows, check pd/qa, allow pd/qs, or isEntryPoint. |
Websocket URLs | Yes | Yes | 12.1.0 | |
Login Pages | Yes | Yes | 11.6.0 | |
Login Enforcement | Yes | Yes | 11.6.0 | |
Brute Force Attack Preventions | Yes | Yes | 11.6.0 | Learning using the Central Policy Builder is not applicable for use with brute force attack prevention. |
Session Tracking Configuration | Yes | Yes | 11.6.0 | Only configuration is supported, there is no support for online tracking data. |
Layered Policy | Yes | Yes | 13.0.0 | |
Inheritance Settings | Yes | Yes | 13.0.0 | |
Enforcement Readiness | Yes | Yes | Any | |
Server Technologies | Yes | Yes | 13.1.0 | |
You can use Web Application Security to create and manage two layers of security policies: parent policies and child policies. This feature is new with BIG-IP® version 13.0 and BIG-IQ® Centralized Management version 5.2. Parent policies include mandatory policy elements, and child policies inherit those attributes from the parent. When the parent policy is updated, the associated child policies are automatically updated.
With parent policies you can:
You can specify which parts of the security policy must be inherited, which are optional, and which are not inherited. This allows you to keep child policies synchronized with the changes in the global mandatory policies and still allow the child policies to address their own unique requirements.
You establish the parent and child policy relationship as follows:
On the General Properties screen for the policy, set the Policy Type to Parent Policy. Navigate to , then click the policy to edit, and click
On the Inheritance Settings screen for the policy, select the parent policy for a child policy by selecting the parent policy name in the Parent Policy setting. Navigate to , then click the policy to become a child policy and click .
By default, the Parent Policy field is set to None, and there is no layered policy use (no child or parent policies).
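The inheritance relationship described above can be modelled as a merge of a parent policy into a child policy, section by section, according to the inheritance setting for each section. The following is an added illustration, not BIG-IQ or BIG-IP code: the `Inheritance` enum, the `merge_child` function, the precise meaning given to the optional mode (the child keeps its own value when it has set one), and the sample policy sections are all assumptions made for the example.

```python
# Added illustration of parent/child (layered) policy inheritance; this is not
# BIG-IQ or BIG-IP code. The names Inheritance and merge_child, the exact
# semantics of the three modes, and the sample sections are assumptions.
from enum import Enum
from typing import Any, Dict


class Inheritance(Enum):
    MANDATORY = "mandatory"          # child always takes the parent's value
    OPTIONAL = "optional"            # child keeps its own value if it set one (assumed)
    NOT_INHERITED = "not-inherited"  # parent value never flows down


def merge_child(parent: Dict[str, Any], child: Dict[str, Any],
                settings: Dict[str, Inheritance]) -> Dict[str, Any]:
    """Compute the effective child policy from the parent, the child's own
    sections and the per-section inheritance settings."""
    effective = dict(child)
    for section, mode in settings.items():
        if section not in parent:
            continue                       # nothing to inherit for this section
        if mode is Inheritance.MANDATORY:
            effective[section] = parent[section]
        elif mode is Inheritance.OPTIONAL and section not in child:
            effective[section] = parent[section]
        # NOT_INHERITED: the child's own value (or absence) is left alone
    return effective


# Constructed sample policies (not real policy content)
PARENT = {"attack_signatures": "generic-set", "file_types": ["html", "css"], "headers": "parent-headers"}
CHILD = {"file_types": ["php"], "headers": "child-headers", "urls": ["/login"]}
SETTINGS = {
    "attack_signatures": Inheritance.MANDATORY,
    "file_types": Inheritance.MANDATORY,
    "headers": Inheritance.OPTIONAL,
    "urls": Inheritance.NOT_INHERITED,
}


def effective_after_parent_update(new_signature_set: str) -> Dict[str, Any]:
    """Re-merge after the parent changes: mandatory sections follow the parent,
    which is the 'child policies are automatically updated' behaviour."""
    updated_parent = dict(PARENT, attack_signatures=new_signature_set)
    return merge_child(updated_parent, CHILD, SETTINGS)


if __name__ == "__main__":
    print(merge_child(PARENT, CHILD, SETTINGS))
    print(effective_after_parent_update("stricter-set"))
```

Running the module shows the child's own `file_types` being replaced by the parent's (mandatory), its own `headers` surviving (optional), its `urls` untouched (not inherited), and a later change to the parent's signature set propagating into the child on the next merge.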
Refer to the BIG-IP Application Security Manager: Getting Started guide for additional information on using parent and child layered policies.
Regardless of the type of policy, you should always allow users Read access to the policy.
You can use the Central Policy Builder feature to receive policy building learning suggestions from multiple BIG-IP® devices, rather than have each BIG-IP device perform policy learning in isolation. Using the Central Policy Builder, the learning suggestions from all BIG-IP devices are combined to improve the policy.
Using the Central Policy Builder:
The BIG-IQ system purges successful automatic deployments from the list of deployments after an hour, and retains failed deployments for a week so that the failure can be resolved if needed. If the deployment task has nothing to deploy, the BIG-IQ system purges it from the list immediately after finishing.
These properties are the general configuration options and settings that determine the overall behavior and functionality of the application security policy.
Property | Description |
---|---|
Name | Unique name of the security policy. You can set the Name only when you create the policy. |
Partition | Partition to which the security policy belongs. Only users with access to a partition can view the objects that it contains. If the policy resides in the Common partition, all users can access it. |
Description | Optional description of the security policy. Type in any helpful details about the policy. Note: This field is limited to 255 characters. |
Full Path | Full path to the security policy. |
Policy Type | Indicates the type of policy. |
Parent Policy | Specifies the parent policy associated with this policy, if any. |
Application Language | A language encoding for the web application, which determines how the security policy processes the character sets. The default language encoding determines the default character sets for URLs, parameter names, and parameter values. |
Security Policy is case sensitive | If enabled, the security policy treats file types, URLs, and parameters as case-sensitive. When this setting is disabled (not checked), the system stores these policy elements in lowercase in the policy configuration. |
Application Templates | Specifies options for using the policy with application templates. |
Event Correlation Reporting | If enabled, events are reported in groups (correlated), rather than as individual transactions. You can only disable this setting for BIG-IP devices version 13.1 or later. |
Learning Mode | Select one of the options to indicate how the policy learns: |
Enforcement Mode | Specifies how the system processes a request that triggers a security policy violation. |
Enforcement Readiness Period | Indicates the number of days in the period. The default is 7 days. Both security policy entities and attack signatures remain in staging mode before the system suggests you enforce them. The system does not enforce policy entities and attack signatures in staging. Staging allows you to test the policy entities and the attack signatures for false positives without enforcing them. |
Mask Credit Card Numbers in Request Log | When enabled, the system masks credit card numbers in the request log. If disabled (cleared), credit card numbers are not masked. |
Maximum HTTP Header Length | Specifies the maximum length of an HTTP header name and value that the system processes. The default setting is 8192 bytes. The system calculates and enforces the HTTP header length based on the sum of the length of the HTTP header name and value. To specify a value for length, type a different value in the field. To specify that any length is acceptable, clear the field. An empty field (a value of any) indicates that there are no restrictions on the HTTP header length up to 8192 bytes. |
Maximum Cookie Header Length | Specifies the maximum length of a cookie header name and value that the system processes. The default setting is 8192 bytes. The system calculates and enforces a cookie header length based on the sum of the length of the cookie header name and value. To specify a value for length, type a different value in the field. To specify that any length is acceptable, clear the field. An empty field (a value of any) indicates that there are no restrictions on the cookie header length up to 8192 bytes. |
Allowed Response Status Code | Specifies which requests the security policy permits, based on the HTTP response status codes they return. Click the gear icon to add or delete response codes. |
Dynamic Session ID in URL | Specifies how the security policy processes URLs that use dynamic sessions. Click the gear icon to change the setting or create a custom pattern. |
Trigger ASM iRule Events | When enabled, specifies that Web Application Security activates ASM™ iRule events. Specifies, when disabled, that Web Application Security does not activate ASM iRule events. The default setting is disabled. Leave this option disabled if you either have not written any ASM iRules® or have written iRules that are not ASM iRules. iRule events that are not ASM are triggered by the Local Traffic Manager™. Enable this option if you have written iRules that process ASM iRule events, and assigned them to a specific virtual server. |
Trust XFF Header | When set to No (the default), specifies that the system does not have confidence in an XFF (X-Forwarded-For) header in the request. Leave this option disabled if you think the HTTP header may be spoofed, or crafted, by a malicious client. With this setting disabled, if Web Application Security is deployed behind an internal proxy, the system uses the internal proxy’s IP address instead of the client’s IP address. If Web Application Security is deployed behind an internal or other trusted proxy, you can click the gear icon to change the setting and specify that the system has confidence in an XFF header in the request. Select the Trust XFF Headers check box and add a required custom header (use a-z, A-Z, no whitespace allowed). The system then uses the IP address that initiated the connection to the proxy instead of the internal proxy’s IP address. |
Handle Path Parameters | Specifies how the system handles path parameters that are attached to path segments in URIs. |
You can review and change the settings on various types of response pages. Response page settings specify the response content that the system sends to the user when the security policy blocks a client request.
You use the Default Response Pages screen to view and edit the settings for the default response page, which is one of several response pages. Response page settings specify the content of the response that the system sends to the user when the security policy blocks a client request.
Option | Description |
---|---|
Default Response | The screen displays the default response header and response body. The system sends the response body to the client as shown. You cannot edit these fields. Click Preview On to preview the response. |
Custom Response | The screen displays the default response header and response body which you can edit to create a custom response. Alternatively, for the response body, you can upload a response. |
Redirect URL | The system redirects the user to a specific web page instead of displaying a response page. You must enter a URL in the Redirect URL field. |
Soap Fault | The system blocks a SOAP request due to an XML-related violation. The system displays the system-supplied response written in the SOAP fault message structure. You cannot edit this text. Click Preview On to preview the response. |
Erase Cookies | The system deletes all client side domain cookies. This is done in order to block web application users once, and not from the entire web application. The system displays this text in the response page. You cannot edit this text. The response header and response body are shown. Click Preview On to preview the response. |
Option | Description |
---|---|
Custom Response | The screen displays the default response header and response body which you can edit to create a custom response. Alternatively, for the response body, you can upload a response. |
Soap Fault | The system blocks a SOAP request due to an XML-related violation. The system displays the system-supplied response written in the SOAP fault message structure. You cannot edit this text. Click Preview On to preview the response. |
You configure the settings of the security policy to specify how the system responds to a request that contains each type of illegal request.
Blocking Setting | Description |
---|---|
Enforcement Mode | Specify whether blocking is active or inactive for the security policy. |
Learning Mode | Specify how learning is, or is not, performed. |
Policy Building Mode | Specify how policy building is performed. The option you select changes the other settings that are available. |
Policy Building Device | Specify which central policy building device to use. This option is available only when central policy building mode is selected. The policy building device is also a data collection device. |
Auto-Deploy Policy | Specify when learning is automatically applied to the policy, and the policy is automatically deployed. |
Learning Speed | Select the speed the Policy Builder uses for learning. |
All Violations | Select the Learn, Alarm or Block check boxes in this row to have those selections apply to all the violations in this group. You can select or clear these check boxes in the violation rows to change the behavior for individual violations, or groups of violations. |
Policy General Features | Expand this setting to see the contained violations. Click the information icon next to each violation for more information about it. Select Learn, Alarm, or Block for each, as appropriate for your policy. |
HTTP protocol compliance failed | Expand this setting to see the sub-violations, and click the information icons for more information. Either select the Enable or Learn check box at the top of the section to select all HTTP protocol compliance failed sub-violations at once, or select the Enable or Learn check box to the left of each sub-violation to specify that the system enforces the sub-violation. When the check box is cleared, the system does not enforce this sub-violation. This category contains the following sub-violations. |
Attack Signatures | The system examines HTTP messages for known attacks by comparing them against known attack patterns. Click the Edit Settings link to edit the properties of that signature set. |
Evasion technique detected | Expand this setting to see the evasion technique sub-violations and click information icons for more information. Either select the Enable or Learn check box at the top of the section to select all sub-violations at once, or select the Enable or Learn check box to the left of each sub-violation to specify that the system enforces the sub-violation. When the check box is cleared, the system does not enforce this sub-violation. This category contains the following sub-violations. |
File Types | Expand this setting to see the file type sub-violations, and click information icons for more information. When enabled, the system checks that the requested file type is configured as a valid file type or not configured as an invalid file type. This category contains the following sub-violations. In the Learn New File Types setting, select under which circumstances the Policy Builder adds, or suggests you add, explicit file types to the security policy. As you select the setting, additional information about the setting is displayed below it. In the Maximum Learned File Types setting, type the maximum number. The default value changes based on the value of the Learn New File Types setting. |
URLs | Expand this area to see the URL sub-violations and click the information icons for more information on each. |
Parameters | Expand this area to see the parameter sub-violations and click the information icons for more information on each. |
Sessions and Logins | Expand this area to see the session and login sub-violations, and click the information icons for more information on each violation. In the Detect login pages setting, select the Enabled check box to have the Policy Builder detect login pages by examining traffic to the web application. |
Cookies | Expand this area to see the cookie sub-violations and click the information icons for more information on each violation. |
Content Profiles | Expand this area to see the content profile sub-violations, and click the information icons for more information on each violation. In the Collapse many common Content Profiles into one wildcard Content profile setting, you specify, when the Enabled check box is selected, that the system collapses many common content profiles into one wildcard content profile. Type in the field how many explicit content profiles the Policy Builder must detect (the number of occurrences) before collapsing them to one wildcard content profile. |
Web Services Security Failure | Expand this area to see the web services security failure sub-violations. At the top of the list of sub-violations, select either the Enable or Learn check box to select all sub-violations at once, or select the Enable or Learn check box to the left of each sub-violation to specify that individual sub-violation. |
CSRF Protection | Expand this area to see the cross-site request forgery (CSRF) protection sub-violations. Cross-site request forgery (CSRF) is an attack that forces a user to execute unwanted actions on a web application in which the user is currently authenticated. When this setting is enabled, the system protects the web application against CSRF attacks. This category contains the following violations. |
IP Addresses / Geolocations | Expand this area to see the IP address and Geolocation sub-violations, and click the information icons for more information on each violation. |
Headers | Expand this area to see the header sub-violations and click the information icons for more information on each violation. In the Learn Host Names setting, select the Enabled check box to specify that the Policy Builder suggests you add host names that have not yet been added to the policy. |
Redirection Protection | Expand this area to see the redirection protection sub-violations, and click the information icons for more information on each violation. In the Learn New Redirection Domains setting, select under which circumstances the Policy Builder adds, or suggests you add, explicit redirection domains to the policy. As you select the setting, additional information about the setting is displayed below it. In the Maximum Learned Redirection Domains setting, type the largest number of redirection domains that the policy allows. |
Bot Detection | Expand this area to see the bot detection sub-violations. The Bot Detection category contains the Web scraping detected violation, which detects when the web client, or user agent, does not demonstrate human behavior. |
Data Guard | Expand this area to see the Data Guard sub-violations. The Data Guard category specifies which information the system considers sensitive, including credit card numbers, U.S. Social Security numbers, custom patterns, and file content. This category contains the Data Guard: Information leakage detected violation. |
WebSocket protocol compliance | Expand this area to see the WebSocket protocol compliance sub-violations, and click the information icons for additional information about each violation. |
Antivirus Protection | Expand this area to see the antivirus protection sub-violations, and click the information icons for additional information about each violation. |
Default login URL is used for all defined login URLs that do not have their own brute force configuration.
If you replaced an existing policy, the imported security policy completely overwrites the existing security policy. Also, the imported policy is then associated with the virtual server and local traffic policy that was previously associated with the policy you replaced. The replaced policy is automatically archived with the inactive security policies.