Configuring ASM with Local Traffic Policies
Overview: Configuring ASM with local traffic policies
security and local traffic policies
- Enable ASM enforcing a specific security policy
- Disable ASM
security and manually adding local traffic policies
Creating a simple security policy
- On the Main tab, click. The Policies List screen opens.
- Click Create New Policy. You only see this button when no policy is selected.
- In the Policy Name field, type a name for the policy.
- Leave Policy Type set to Security.
- For Policy Template, select Fundamental.
- For Virtual Server, click Configure new virtual server to specify where to direct application requests.
- For What type of protocol does your application use?, select HTTP, HTTPS, or both.
- In the Virtual Server Name field, type a unique name.
- In the HTTP Virtual Server Destination field, type the address in IPv4 (10.0.0.1) or IPv6 (2001:ed8:77b5:2:10:10:100:42/64) format, and specify the service port. If you want multiple IP addresses to be directed here, use the Network setting.
- In the HTTP Pool Member setting, specify the addresses of the back-end application servers.
- From the Logging Profile list, select a profile such as Log illegal requests to determine which events are logged on the system.
- In the upper right corner, click Advanced. You can use default values for the Advanced settings but it's a good idea to take a look at them.
- If you selected Fundamental or Comprehensive for the Policy Template, Learning Mode is set to Automatic and Enforcement Mode is set to Blocking. If you need to change these values, set application language to a value other than Auto detect.
- If you know the Application Language, select it or use Unicode (utf-8).
- To add specific protections (enforcing additional attack signatures) to the policy, for Server Technologies, select the technologies that apply to the back-end application servers.
- You can configure trusted IP addresses that you want the security policy to consider safe.
- Click Create Policy to create the security policy.
traffic policy rules for ASM
- On the Main tab, click.
- Click the name of the local traffic policy associated with the security policy.
- To edit the policy, click Create Draft.
- In the Draft Policies list, click the name of the draft policy.
- In the Rules area, click Create to create a rule that defines when traffic is handled by the security policy.
- In the Name field, type the name admin.
- In the Match all of the following conditions area, click + and specify these conditions:
This rule looks for requests with a URI that begins with /admin.
- For the first condition, select HTTP URI.
- For the second condition, select path.
- For the third condition, select begins with.
- For the fourth condition, by the field below any of, type /admin and click Add.
- In Do the following when the traffic is matched, click + and specify the actions:
- For the first action, select Enable. For the second action, select asm.
- Next to for policy, select the security policy you created.
- Click Save to add the rule to the local traffic policy. The admin rule is added to the list.
- In the Rules area, click the rule called default. The default rule was added to the local traffic policy when the system created it. The screen displays the General Properties of the rule.
- To change the default action for all other traffic, in the Do the following when the traffic is matched area, edit the action that is shown there.
The default rule now disables ASM protection for other traffic.
- For the first action, select Disable.
- For the second action, select asm.
- To save the rule, click Save.
- To save the updated policy, click Save Draft. The Policy List Page opens.
- Select the check box next to the draft policy you edited, and click Publish.
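The following added example (not F5 code and not part of the original procedure) is a simplified Python model of the two rules built above, useful for reviewing which request URIs end up with ASM enabled once the default rule disables it. It assumes the rules are evaluated in order with the first match winning and that "begins with" is a plain case-sensitive prefix test on the URI path; the policy name `my_security_policy` and the sample URIs are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    name: str
    path_prefix: Optional[str]  # None means "no condition": matches all traffic
    asm_enabled: bool
    security_policy: Optional[str] = None


# Rules in the order created in the procedure (assumed first-match evaluation).
# "my_security_policy" is a placeholder for the security policy you created.
RULES = [
    Rule("admin", "/admin", True, "my_security_policy"),
    Rule("default", None, False),
]


def match_rule(uri, rules=RULES):
    """Return the first rule whose condition matches the path part of the URI."""
    path = urlsplit(uri).path  # the condition is on the path, not the query string
    for rule in rules:
        if rule.path_prefix is None or path.startswith(rule.path_prefix):
            return rule
    raise LookupError("no rule matched")  # not reachable while a default rule exists


def coverage(uris, rules=RULES):
    """Map each URI to (matching rule name, whether ASM is enabled for it)."""
    result = {}
    for uri in uris:
        rule = match_rule(uri, rules)
        result[uri] = (rule.name, rule.asm_enabled)
    return result


# Constructed sample URIs for the review, not taken from real traffic.
SAMPLE_URIS = ["/admin", "/admin/users?id=7", "/administrator/login",
               "/login", "/api/admin"]

if __name__ == "__main__":
    for uri, (rule, enabled) in coverage(SAMPLE_URIS).items():
        state = "enabled" if enabled else "DISABLED"
        print(f"{uri:24} rule={rule:8} ASM={state}")
```

In this model the prefix condition also covers paths such as `/administrator/login`, while `/login` and `/api/admin` fall through to the default rule and receive no ASM protection, so confirm that this split matches what the application actually exposes.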