Manual Chapter :
Changing Security Policy Settings
Applies To:
Show VersionsBIG-IP ASM
- 14.0.0
Changing Security Policy Settings
About security policy settings
The security policy settings determine how the security policy is built. You initially specify
the values of these settings when you create the policy. You can change the values, but
understand that the security policy will have different characteristics than it originally
did.
Editing an existing security policy
When you create a security policy,
the system uses default values for some of the settings. You can access a security
policy for editing either from the Policies List or from the
Current edited
security policy
setting. (For parent policies, it is the
Current edited parent policy
.) The Current edited
security policy
setting appears at the top of almost every security
policy screen throughout Application Security Manager. - On the Main tab, click.The Learning and Blocking Settings screen opens.
- Make any changes that are required for that security policy, such as to general settings, URLs, parameters, and so on.
- ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.
- To edit other security policies, from theCurrent edited policylist, select the security policy you want to edit.
Changing security
policy enforcement
Security policies can be in one of two enforcement
modes: transparent or blocking. The
enforcement mode
specifies whether the system simply logs or blocks a request that triggers a security
policy violation. You can manually change the enforcement mode for a security policy
depending on how you want the system to handle traffic that causes violations.- On the Main tab, click.The Learning and Blocking Settings screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- For theEnforcement Modesetting, specify how to treat traffic that causes violations.
- To block traffic that causes violations (that are set to block), selectBlocking.
- To stop allow traffic even if it causes violations so you can review the violations, selectTransparent.
- ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.
When the enforcement mode is set to
transparent
, traffic is not blocked even if a violation is triggered.
The system typically logs the violation event (if the Learn flag is set on the
violation). You can use this mode along with an enforcement readiness period when
you first put a security policy into effect to make sure that no false positives
occur that would stop legitimate traffic.When the enforcement mode is set to
blocking
, traffic is blocked if it causes a violation (that is
configured for blocking), and the enforcement readiness period is over. You can use
this mode when you are ready to enforce a security policy.Adjusting the
enforcement readiness period
For each security policy, you can configure the
number of days used as the
enforcement readiness
period
, also called staging
. Security
policy entities and attack signatures remain in staging for this period of time before
the system suggests that you enforce them. Staging allows you to test security policy
entities and attack signatures for false positives without enforcing them. The default
value of 7
days works well for
most situations so you typically do not need to change it.- On the Main tab, click.The Learning and Blocking Settings screen opens.
- For theEnforcement Readiness Period, type the number of days you want the entities or signatures to be in staging.The default value is7days.
- ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.
During the enforcement readiness period, the system does not block
traffic, even if requests trigger violations against the security policy and the
violations are set to
Block
. The security policy provides suggestions when requests match
the attack signatures or do not adhere to the security policy entity's settings. If you are using automatic policy building and the system has
processed sufficient traffic, after the enforcement readiness period is over, the
Policy Builder automatically enforces the security policy entities and the attack
signatures that did not cause violations during the period.
Making a parent policy mandatory
You can mandate that all new policies created
or imported be a child of a compatible parent policy. The parent must have the same
partition or in the /common partition and all mandatory inheritance attributes, encoding
language, protocol independence and case sensitivity match as the child policy. The
default is not enabled.
- On the Main tab, click.
- SelectEnabled.
- ClickSaveto save your setting.
When enabled, if no accessible parent policy exists, a security
policy can be created as a stand-alone security policy. However, if a parent policy
exists and is accessible but is not suitable, you must create a suitable parent
policy before continuing to create the child security policy. Existing child
security policies are able to switch parents but cannot be orphaned. Security
policies, without a parent policy, which existed before enabling this feature will
not be affected and will remain stand-alone security policies without a parent but
can be associated with a compatible parent policy at any time.
Viewing whether a security policy is case-sensitive
When you first create a security
policy, you have the advanced option of making a security policy case-sensitive or not.
By default, the option
Security Policy is case sensitive
is
selected, and the security policy treats file types, URLs, and parameters as
case-sensitive. You cannot change this setting after the security policy is created, but
you can view how it is set. - On the Main tab, click.The Policy Properties screen for the current edited policy opens.
- Review thePolicy is case sensitivesetting.If the value isYes, the security policy is case-sensitive; if the value isNo, the policy is not case-sensitive.
- ClickCancelwhen you are done.
Differentiating
between HTTP and HTTPS URLs
When creating a security policy, you
can determine whether a security policy differentiates between HTTP and
HTTPS URLs. Later, you can view the setting, but you can change it only if
the security policy contains no URLs that have the same name and use
different protocols.
- On the Main tab, click.The Policies List screen opens.
- Click the name of the security policy you want to work on.The Policy Summary opens.
- Review theDifferentiate between HTTP and HTTPS URLssetting.If theEnabledcheck box is selected, the security policy differentiates between HTTP and HTTPS URLs. Otherwise, it does not, and creates protocol-independent URLs.
- ClickCancelwhen you are done.
If the
Differentiate between HTTP and HTTPS URLs
setting is disabled, the security policy configures URLs without
specifying a specific protocol. This is useful for applications that
behave the same for HTTP and HTTPS, and it keeps the security policy
from including the same URL twice. Specifying the response codes that are allowed
You can specify which responses a security policy permits. By default, the Application Security Manager accepts all response codes from 100 to
399 as valid responses. Response codes from 400 to 599 are considered invalid unless
added to the Allowed Response Status Codes list. By default, 400, 401, 404, 407, 417,
and 503 are on the list as allowed HTTP response status codes.
- On the Main tab, click.The Policy Properties screen for the current edited policy opens.
- From the list, selectAdvanced.
- If you want to allow additional responses for theAllowed Response Status Codessetting, in theNew Allowed Response Status Codefield, type the HTTP response status code, between400and599, that the security policy should consider a legal response, and clickAdd.
- If you do not want to allow any response codes between400and599, clickRemove All.
- ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.
The security policy considers legal responses that return response codes that are
listed as allowed response codes. If a response contains a response status code from
400 to 599 that is not on the list, the system issues the violation,
Illegal
HTTP status in response
. If you configured the security policy to block
this violation, the system blocks the response. Activating ASM
iRule events
An iRule is a script that lets you customize how
you manage traffic on the BIG-IP system. You can write iRules to modify a request or
response, or to cause an action to occur. For detailed information on iRules, see the F5
Networks DevCentral web site,
http://devcentral.f5.com
. If you are using iRules to perform actions
based on Application Security Manager iRule events, you must instruct ASM to trigger
iRule events. By default, the trigger iRule event setting is disabled. - On the Main tab, click.The Policies List screen opens.
- From the list, selectAdvanced.
- If you have written iRules to process application security events, for theTrigger ASM iRule Eventssetting, select the mode to use.
- Recommended: If you are writing new iRules, such as those that perform a specific action after handling requests, selectNormal Mode. Whenever ASM processes a request, it triggers anASM_REQUEST_DONEevent.
- Not recommended: If you are using iRules that useASM_REQUEST_VIOLATION, selectCompatibility Mode. Whenever ASM processes a request with a violation, it triggers anASM_REQUEST_VIOLATIONevent. F5 recommends that you rewrite the iRules usingASM_REQUEST_DONEin theNormal Mode.
Leave this option disabled if you have not written any ASM iRules, or you have written iRules not for ASM (triggered by the Local Traffic Manager). - ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.
If you write iRules that process ASM iRule events and assign them to a specific virtual
server, when the trigger iRules setting is enabled, ASM triggers iRule events for
requests. If the trigger iRules setting is not enabled, no iRule events occur for ASM
iRule events.
Application security iRule events
These are the events that iRules can subscribe to in Application Security Manager.
Application Security iRule Event | Description |
---|---|
ASM_REQUEST_DONE | Occurs when Application Security Manager finishes processing a request in Normal
mode (regardless of whether a violation occurred or not). The system triggers this
event after deciding what to do with the request, block it or forward it, but before
actually executing that action, so you can specify a change to that action. |
ASM_REQUEST_BLOCKING | Occurs when Application Security Manager is generating an error response to the
request that caused a violation, and gives the iRule a chance to modify the response
before it is sent. Allows you to modify the blocking page. |
ASM_RESPONSE_VIOLATION | Occurs when Application Security Manager detects a response that violates a
security policy. |
ASM_REQUEST_VIOLATION | Deprecated. Use ASM_REQUEST_DONE instead. Occurs when
Application Security Manager detects a request that violates a security policy when
using Compatibility mode only. |
Notes
From any of these events, you can use the
ASM::fingerprint
command to get
fingerprinting information from a request. For example:when ASM_REQUEST_DONE { log local0.[ASM::fingerprint] }
If fingerprinting information is available, this example returns the fingerprint ID. If it
is not available, the example returns
0
. The fingerprint ID is a number representing the client's browser. If requests coming from a
particular fingerprint ID contain violations, you could mark that ID as suspicious and treat
future requests from that ID differently.
Allowing XFF headers in requests
You can configure Application Security Manager (ASM) to trust XFF (X-Forwarded-For) headers or customized XFF headers in requests. For example, you could do this if ASM is deployed behind an internal or other trusted proxy. Then, the system uses the IP address that initiated the connection to the proxy instead of the internal proxy’s IP address. This option is useful for logging, web scraping, anomaly detection, and the geolocation feature.
You should not
configure trusted XFF headers if you think the HTTP header may be spoofed, or
crafted, by a malicious client.
- On the Main tab, click.The Policy Properties screen for the current edited policy opens.
- From the list, selectAdvanced.
- For theTrust XFF Headersetting, select theEnabledcheck box.The screen displays theCustom XFF Headersconfiguration option.
- If your web application uses custom XFF headers, in theCustom XFF Headerssetting, add them as follows:
- In theNew Custom XFF Headerfield, type the XFF header that the system should trust.
- ClickAdd.
You can add up to five custom XFF headers. - ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.
When you trust XFF headers, the system has confidence in XFF headers in the request. If you added custom XFF headers, the system recognizes and trusts them. If deployed behind a proxy, ASM uses the initiating IP address rather than the address of the proxy.
Adding host
names
You can manually add legitimate host names to a
security policy, for example, if users can access the application from multiple host
names. If you are using automatic policy building, the system automatically adds domain
names to the security policy so adding them in that case is optional.
- On the Main tab, click.The Host Names screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- Above the list of host names, click theCreatebutton.The New Host Name screen opens.
- In theHost Namefield, type the host name that is used to access the web application (either a domain name or an IP address).
- If you also want to use all sub-domains of the specified host name to access the web application, select theInclude Sub-domainscheck box.
- If you want to make sure all the traffic to the host is not blocked even if it has blocking violations, selectPolicy is always transparent for this host.This is useful when deploying the policy on a new application that needs to be tested before moving to blocking mode while still securing other applications protected by the same policy.This setting causes the policy to operate in transparent mode only for the application identified with this host name, while still working in blocking mode on other applications protected by the policy. For a host name with different enforcement, the event log shows the blocking override reason asHost name is configured as transparent.
- ClickCreate.
- To put the security policy changes into effect immediately, clickApply Policy.
The host name is added to the list of host names that can legitimately be used to
access the web application that the security policy is protecting. The list shows the
enforcement mode of the host name (transparent or blocking).
About adding
multiple host names
If users can access a web application using multiple host names or IP
addresses, you can add the multiple host names or IP addresses to the security policy
that protects the application. The system uses this list of host names as follows:
- The Policy Builder considers the host names in the list to be legitimate internal links and forms, and learns security policy entities from them, and also from relative URLs that do not contain a domain name.
- The CSRF feature uses the list to distinguish between internal and external links and forms, and the system inserts the CSRF token only into internal links and forms.
The Application Security
Manager™ (ASM) identifies web application-related host names as fully qualified
domain names (FQDNs) in requests or responses. If you include sub-domains with the host
name, the system matches all sub-domains when evaluating FQDNs, and inserts ASM™ cookies into responses from the sub-domains
of the host name. When an application uses several sub-domains, ASM cookie-based
features (like CSRF protection, Login Pages, and Dynamic Sessions ID in URL) require ASM
cookies to be inserted from the correct domain.
Protecting against cross-site request forgery (CSRF)
Cross-site request forgery (CSRF) is
an attack where a user is forced to
carry
out unauthorized actions (such as a bank transfer) within a web
application where the user is currently authenticated. You can configure a security
policy to protect against CSRF attacks, including specifying which URLS you want the
system to
examine.
CSRF
protection provides two enforcement options:
- Verify CSRF Token: The system inserts a CSRF token to application URLs using JavaScript injection. Requests without a valid CSRF token are blocked. If the system detects a CSRF attack, it issues a CSRF attack detected violation. To prevent token hijacking, the system reviews the token expiration date. If the token is expired, the system issues the CSRF authentication expired violation.
- Verify Origin: The system blocks requests without a valid Origin header(such as a CSRF request, which has no Origin header). This enforcement option can protect an AJAX request of an application, because AJAX requests always contain an Origin header. If all protected URLs are configured withVerify Origin, the system does not do JavaScript injection. If the system detects a request without a valid Origin header, it issues a CSRF attack detected violation.
CSRF attacks specifically target state-changing requests(for
example, transferring funds or changing an email
address).
State-changing requests are usually POST
requests,but,
in some cases,
may
be performed using GET requests.
There
are
two
modes for entering URLs for CSRF protection:
- Simple Edit Mode: Defines URLs for CSRF token verification during a POST method.
- Advanced Edit Mode: Defines URLs for additional methods, required parameters and enforcement actions.
- On the Main tab, click.The CSRF Protection screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- Select theCSRF Protectioncheck box.
- Specify which part of the application you want to protect against CSRF attacks:
- To protect SSL requests only in the secured part of the application, select theSSL Onlycheck box.
- To protect the entire web application, leave theSSL Onlycheck box cleared.
- If you want the CSRF token (which is injected into responses) to expire:
- ForExpiration Time, selectEnabled.
- In the field, type the amount of time, in seconds (1 to 99999), after which the token should expire.The default is 600 seconds.
- In theURLs List (for POST requests with CSRF token verification only)setting, selectSimple Edit Modeand specify at least one URL (and its method) that you want the system to examine.The system considers all URLs that are not on the list to be safe unless it discovers another problem.If you need to specify methods other than POST, or request parameters, or use theVerify Originenforcement option, you should selectAdvanced Edit Mode.
- Select theMethodfor request verification.
- Type the URL in the format/index.html.You can also use wildcards for URLs; for example,/myaccount/*.html,/*/index.php, or/index.?html.
- ClickAdd.
- Repeat steps a through c to add all of the potentially unsafe URLs that you want the system to examine.
- From the URL list, in theRequired Parameterscolumn, define any required parameters for the URL.
- From the URL list, in theEnforcement Actioncolumn, select the enforcement action to take.
- ClickSaveto save your settings.
- On the Main tab, click.The Learning and Blocking Settings screen opens.
- Select theAdvancedsetting, and in the Policy Building Settings area, expandCSRF Protection, then click the appropriateLearn,Alarm, andBlocksettings in the two CSRF violations.If you want to block CSRF attacks, clickBlockforCSRF attack detected. Also, in the General Settings area, check thatEnforcement Modeis set toBlocking.
- ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.