Manual Chapter : Common Elements for policy building tasks

Applies To:

BIG-IP ASM

  • 14.0.0

  1. On the Main tab, click Security > Application Security > Security Policies > Policies List.
    The Policies List screen opens.
  2. Click the name of the security policy you want to work on.
    The Policy Summary screen opens.
  3. On the Main tab, click Security > Application Security > Policy Building > Learning and Blocking Settings.
    The Learning and Blocking Settings screen opens.
  4. On the Main tab, click Security > Overview > Application > Action Items.
    The Action Items screen opens.
  5. Click Create New Policy.
    You only see this button when no policy is selected.
  6. Select the type of protocol your application uses: HTTP, HTTPS, or both.
    If you select HTTP and HTTPS, the system creates two virtual servers with _http and _https added to the virtual server name.
  7. In the Virtual Server Name field, type a unique name for the virtual server.
  8. For the HTTP Virtual Server Destination setting, select Host, type the IP address, and select the service port for the virtual server.
  9. For the HTTPS Virtual Server Destination setting, select Host, type the IP address, and select the service port for the virtual server.
  10. On the Main tab, click Security > Application Security > Security Policies and click the name of the policy.
    The Policy Properties screen opens.
  11. On the Main tab, click Security > Application Security > Policy Building > Traffic Learning.
    The Traffic Learning screen opens, and lists suggestions based on traffic patterns and violations that the system has detected.
  12. On the Main tab, click Security > Application Security > Policy Building > Traffic Learning.
    The Enforcement Readiness summary is on the bottom right.
  13. For the Enforcement Readiness Period, retain the default setting of 7 days.
    This is how long entities remain in staging. During this period, you can test the security policy entities for false positives before enforcing them.
    During the enforcement readiness period, the security policy provides learning suggestions when it processes requests that do not meet the security policy; but the security policy does not alert or block that traffic, even if those requests trigger violations. You can review new entities and decide which are legitimate and include them in the security policy.
  14. If the application is not case-sensitive, disable the Policy is Case Sensitive check box. Otherwise, leave it selected.
    You cannot change this setting after you have created the security policy.
  15. If you do not want the security policy to distinguish between HTTP/WebSocket and HTTPS/WebSocket Secure URLs, for Differentiate between HTTP/WS and HTTPS/WSS URLs select Disabled.
  16. In the Policy Name field, type a name for the policy.
  17. For Policy Type, select whether you want to create an individual Security policy or a Parent policy.
    Security policies can inherit settings from a parent policy, or stand on their own; you attach security policies to virtual servers.
    Parent policies include settings that you want to apply to multiple security policies.
  18. From the Application Language list, select the language encoding of the application, or use Auto detect and let the system detect the language.
    You cannot change this setting after you have created the security policy.
  19. From the Application Language list, select the language encoding of the application, then click Next.
    You cannot change this setting after you have created the security policy.
  20. For Enforcement Mode, specify whether or not the system blocks traffic that violates the security policy.
    • Leave the value set to Transparent, the default value, if you want to review and fine-tune the security policy before placing it in Blocking mode.
    • If you want the system to enforce the security policy immediately, select Blocking.
  21. To configure attack signatures, move the systems used by your web application from the Available Systems list into the Assigned Systems list.
    The system adds the attack signatures needed to protect the selected systems.
  22. To find out more about a violation and its occurrences, click the violation hyperlink to see what caused the violation, then click the number in the Occurrences column.
    The Requests List popup screen opens, and you can see the requests that caused the violation, including the violation rating of each request. (Ratings are from 1 to 5, where 5 is the most severe.)
  23. To configure attack signatures, move the systems used by your web application from the Available Systems list into the Assigned Systems list.
    The system adds the attack signatures needed to protect the selected systems.
  24. On the Configure Wildcards Tightening screen, select the URLs or Parameters check boxes if you want the system to learn explicit URLs or parameters that match wildcards in the security policy.
  25. Click Next.
    The Security Policy Configuration Summary screen opens.
  26. In the Configure exceptions for the scanner IP Address setting, specify any IP addresses that you want the security policy to allow (for example, the IP address of the vulnerability assessment tool), and how to deal with them.
    1. Type the IP address and netmask of the vulnerability assessment tool.
      You can add %n after an IP address to specify a route domain, where n is the route domain identification number.
    2. Select the appropriate check boxes for learning suggestions, logging, and blocking traffic from this IP address.
  27. For Learning Mode, select how you want the Policy Builder to build the security policy.
    • If you want the Policy Builder to automatically build the security policy, select Automatic.
    • If you want the Policy Builder to make suggestions and you want to manually decide what to include, select Manual.
    • If you do not want the system to suggest policy changes, select Disabled.
    In some cases, running the Policy Builder may overwrite some of the security policy changes suggested by the vulnerability assessment tool. For example, to prevent false positives, the Policy Builder might adjust some of the entities in the security policy based on examining the traffic.
    If you select Automatic or Manual, the system examines traffic and makes suggestions about how to tighten the security policy. If you are using automatic learning, the system enforces the suggestions when it is reasonable to do so. If you are using manual learning, you need to examine the changes and accept, delete, or ignore them on the Traffic Learning screen. If you disabled this option, the system does not do any learning for this policy, it makes no suggestions, and the Learn flag for all violations becomes inactive.
  28. Review the settings for the security policy. When you are satisfied with the security policy configuration, click Finish.
    The system creates the security policy and opens the vulnerability assessment settings screen specific to the tool you are using. For most tools, you can import the results of a vulnerabilities scan in an XML file.
  29. Connect with the tools on the Vulnerabilities Assessments Settings screen that opens. If you have an account, click Connect.
    If you do not have an account, you can open a trial account and run a free scan to find and resolve vulnerabilities.
  30. Review the settings for the security policy. When you are satisfied with the security policy configuration, click Finish.
    The system creates the security policy and opens the Policy Properties screen.
  31. In the editing context area, click Apply Policy to immediately put the changes into effect.
  32. In the General Settings, for Policy Type, select the type that defines how you want the security policy built.
    Option | Description
    Fundamental | Provides security at a level that is appropriate for most organizations, creating a robust security policy, which is highly maintainable and quick to configure.
    Enhanced | Provides extra security, creating a security policy with more granularity.
    Comprehensive | Provides the highest level of security checks, creating a security policy with more granularity, but it may take longer to configure.
    Vulnerability Assessment | Specifies a security policy that is built using the recommendations from a vulnerability assessment tool. By default, the system does not add explicit entities, leaving that to the tool. (Only available if a vulnerability assessment tool is selected on the Vulnerability Assessments Settings screen.)
    Custom | Provides the level of security that you specify when you adjust settings, such as which security policy elements are included in the security policy. The policy type changes to Custom if you change any of the default settings for a policy type.
    Click the down arrow next to Policy Type to see exactly which security features each type includes.
    The selected security policy elements and other options on the screen change depending on the policy type you choose.
  33. For Learning Mode, select how you want the Policy Builder to build the security policy.
    • If you want the Policy Builder to automatically build the security policy, select Automatic.
    • If you want the Policy Builder to make suggestions and you want to manually decide what to include, select Manual.
    • If you do not want the system to suggest policy changes, select Disabled.
    If you selected Automatic or Manual, the system examines traffic and makes suggestions about how to tighten the security policy. If you are using automatic learning, the system enforces the suggestions when it is reasonable to do so. If you are using manual learning, you need to examine the changes and accept, delete, or ignore them on the Traffic Learning screen. If you disabled this option, the system does not do any learning for this policy, it makes no suggestions, and the Learn flag for all violations becomes inactive.
  34. On the right side of the Learning and Blocking Settings screen, select Advanced.
    The screen displays the advanced configuration details for policy building.
  35. For the Policy Builder Learning Speed setting, select how fast to generate suggestions for the policy.
    Option | Description
    Slow | Use if your application supports a large number of requests from many sessions; for example, useful for web sites with lots of traffic. Policy Builder requires a large amount of unique traffic samples to make decisions in Automatic Learning Mode, or to reach a high learning score. This option creates the most accurate security policy, but it takes Policy Builder longer to collect the statistics.
    Medium | Use if your application supports a medium number of requests, or if you are not sure about the amount of traffic on the application web site. This is the default setting.
    Fast | Use if your application supports a small number of requests from a small number of sessions; for example, useful for web sites with less traffic. Policy Builder requires fewer unique traffic samples to make decisions in Automatic Learning Mode, or to reach a high learning score. However, choosing this option may present a greater chance of adding false entities to the security policy.
    Based on the option you select, the system sets greater or lesser values for the number of different user sessions, different IP addresses, and length of time before it adds suggestions to the security policy and, if you are using automatic learning, enforces the elements.
  36. Leave Policy Type set to Security.
  37. For Policy Template, select Fundamental.
  38. For Virtual Server, select an existing virtual server, click Configure new virtual server to specify where to direct application requests, or leave it set to None for now.
    • Existing virtual servers are only listed if they have an HTTP profile, and are not associated with a local traffic policy.
    • To create a new virtual server, specify the protocol, virtual server name, virtual server destination IP address/network and port (IPv4 or IPv6), pool member address and port (address of the back-end application server), and logging profile.
    • If you select None, you will have to manually associate the security policy with a virtual server with an HTTP profile at a later time to activate the policy. (On the Security tab of the virtual server, set Application Security Policy to Enabled, then select the policy.)
  39. For Virtual Server, click Configure new virtual server to specify where to direct application requests.
    1. For What type of protocol does your application use?, select HTTP, HTTPS, or both.
    2. In the Virtual Server Name field, type a unique name.
    3. In the HTTP Virtual Server Destination field, type the address in IPv4 (10.0.0.1) or IPv6 (2001:ed8:77b5:2:10:10:100:42/64) format, and specify the service port.
      If you want multiple IP addresses to be directed here, use the Network setting.
    4. In the HTTP Pool Member setting, specify the addresses of the back-end application servers.
    5. From the Logging Profile list, select a profile such as Log illegal requests to determine which events are logged on the system.
  40. In the upper right corner, click Advanced.
    You can use default values for the Advanced settings but it's a good idea to take a look at them.
    • If you selected Fundamental or Comprehensive for the Policy Template, Learning Mode is set to Automatic and Enforcement Mode is set to Blocking.
      If you need to change these values, set application language to a value other than Auto detect.
    • If you know the Application Language, select it or use Unicode (utf-8).
    • To add specific protections (enforcing additional attack signatures) to the policy, for Server Technologies, select the technologies that apply to the back-end application servers.
    • You can configure trusted IP addresses that you want the security policy to consider safe.
  41. Click Create Policy to create the security policy.
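
For the scanner IP address exceptions in step 26, an added example (not F5 code and not part of the original manual): a Python check that parses entries in the IP%n plus netmask form and flags exceptions that exempt more than one host from blocking, or that are neither blocked nor logged. The field names skip_blocking and skip_logging and the sample entries are constructed for illustration; they are not BIG-IP setting or API names.

```python
import ipaddress

def parse_exception(address, netmask):
    """Parse 'IP[%n]' plus a netmask into (network, route_domain)."""
    ip_text, sep, rd_text = address.partition("%")
    if sep and not rd_text.isdigit():
        raise ValueError(f"route domain must be numeric: {address!r}")
    ip = ipaddress.ip_address(ip_text)
    if netmask.isdigit():                      # prefix length such as "128"
        prefix = int(netmask)
    else:                                      # mask such as "255.255.255.0"
        mask = ipaddress.ip_address(netmask)
        if mask.version != ip.version:
            raise ValueError(f"netmask family differs from {ip_text}")
        host_bits = int(mask) ^ ((1 << ip.max_prefixlen) - 1)
        if host_bits & (host_bits + 1):        # host bits must be one low run
            raise ValueError(f"non-contiguous netmask: {netmask!r}")
        prefix = ip.max_prefixlen - host_bits.bit_length()
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return network, (int(rd_text) if sep else None)

def audit(entries):
    """Return (address, reason) pairs for exceptions worth a second look."""
    findings = []
    for e in entries:
        try:
            network, _rd = parse_exception(e["address"], e["netmask"])
        except ValueError as exc:
            findings.append((e["address"], f"invalid entry: {exc}"))
            continue
        if e["skip_blocking"] and network.num_addresses > 1:
            findings.append((e["address"],
                             f"never blocked across {network.num_addresses} addresses"))
        if e["skip_blocking"] and e["skip_logging"]:
            findings.append((e["address"], "neither blocked nor logged"))
    return findings

# Constructed sample entries (documentation address ranges, assumed field names).
SAMPLE = [
    {"address": "192.0.2.10%2", "netmask": "255.255.255.255",
     "skip_blocking": True, "skip_logging": False},
    {"address": "198.51.100.0", "netmask": "255.255.255.0",
     "skip_blocking": True, "skip_logging": True},
    {"address": "2001:db8::5%1", "netmask": "128",
     "skip_blocking": True, "skip_logging": True},
]

if __name__ == "__main__":
    for address, reason in audit(SAMPLE):
        print(f"{address}: {reason}")
```

An exception that covers a whole subnet and is exempt from blocking widens the allow list well beyond the single scanner host the step describes, so such entries are the ones to review first.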