Manual Chapter :
Configuring General ASM System Options
Applies To:
Show VersionsBIG-IP ASM
- 14.0.0
Configuring General ASM System Options
Changing your
system preferences
You can change the default user interface and
system preferences for the Application Security Manager (ASM), and configure which
fields are displayed in the Request List of the Reporting screen.
- On the Main tab, click.
- In the GUI Preferences area, forRecords Per Screen, type the number of entries to display (between 1-100). (The default value is20.)This setting determines the maximum number of security policies, file types, URLs, parameters, flows, headers, and XML and JSON profiles to display in lists throughout ASM.
- ForTitles Tooltip Settings, select an option for how to display tooltips.OptionDescriptionDo not show tooltipsNever display tooltips or icons.Show tooltip iconsDisplay an icon if a tooltip is available for a setting, show the tooltip when you move the cursor over the icon.Show tooltips on title mouseoverDo not display an icon, but show the tooltip when you move the cursor over the setting name. This is the default setting.
- ForDefault Configuration Level, selectAdvancedto display all possible settings, orBasicto display only the essential settings, on screens with that option.The default isBasic.
- ForApply Policy Confirmation Message, you can specify whether to display a popup message asking if you want to perform theApply Policyoperation each time you change a security policy.
- If you are using a high-availability configuration, for theSyncsetting, select theRecommend Sync when Policy is not appliedcheck box to display the Sync Recommended message at the top of the screen when you change a security policy, to remind you to perform a ConfigSync with the peer device.
- For theLoggingsetting, select theWrite all changes to Syslogcheck box to record all changes made to security policies in the Syslog (/var/log/asm).The system continues to log system data regardless of whether you enable policy change logging.
- ClickSaveto save your settings.
The adjusted settings are used throughout the ASM system.
Adjusting system
variables
System variables control how Application Security
Manager (ASM) works. They apply system-wide. You can review and adjust the values of the
system variables if the default values are not appropriate for your installation.
You generally do not need to change the default values of the
system variables. F5 Networks recommends that you consult with technical support
before adjusting them.
- On the Main tab, click.The System Variables screen opens.
- Locate the system variable you want to change and view the description.
- In theParameter Valuefield, type the new value for the variable.
- ClickUpdate.If the value you typed is not valid, the system displays a message indicating the valid range or values.
- On the Main tab, click, and clickRebootto restart the system using the new value.If using device management to synchronize ASM systems, you must restart ASM on all of the systems in the device group for the change to take effect on all of them.If the parameter name is shown in boldface text, the value has been changed from the default. The default value is displayed below the parameter value.
The system uses the adjusted value for the system variable. On the System Variables
screen, you can click
Restore
Defaults
to change the values back to their original values.Changing ASM cookies
If you are working in a cluster, all devices
have to be in one device group and in the same partitions in the same failover group for
cookie renaming to work. Sync-only groups will not sync.
You can customize the ASM policy and L7-DoS
cookie prefixes to suit your installation. The cookie_httponly_attr system variable can
be changed through the GUI or shell; the rest can be changed through the
shell.
- On the Main tab, click.The System Variables screen opens.
- Locate the system variablecookie_httponly_attrand open it.
- In theParameter Value fieldupdate the value.
- ClickUpdate.
- On the Main tab, click, and clickRebootto restart the system using the new value.If using device management to synchronize ASM systems, you must restart ASM on all of the systems in the device group for the change to take effect on all of them.
The system uses the adjusted value for the
system variable. On the System Variables screen, you can click
Restore Defaults
to change the values
back to their original values.Use the system variables accessible through
the shell for additional cookie editing.
ASM and L7 system variables
Use these system variables to modify ASM and L7
cookies.
Variable | Description | Applies to | Requires ASM Restart |
---|---|---|---|
asm.cookie_prefix | Prefix for the names of the ASM cookies | ASM, L7-DoS | Yes |
asm.cookie_revision_base | This value is arithmetically added to the cookie revision number,
which is currently 1. The result is represented in Hex. | ASM | Yes |
asm.cookie_suffix_base | This value is arithmetically added to the cookie type | ASM, L7-DoS | Yes |
dosl7.proactive_defense_cookie_name | Cookie name for the Device ID cookie generated by PBD and key name
for the browser local storage of the Device ID. | L7-DoS | No |
dosl7.proactive_defense_prefix | The prefix for several cookies used in Proactive Bot Defense special
scenarios: cross-domain and PRG pattern. | L7-DoS | No |
did.local_storage_name | The key of the local storage in browser for the fingerprint and
Device ID information | L7-DoS | No |
asm.strip_asm_cookies | Whether to remove ASM and L7-DoS cookies in request before forwarding
to server | ASM, L7-DoS | No |
cookie_httponly_attr | Whether to add "httpOnly" to all pure server-side ASM cookies. | ASM | No |
For example, to change the ASM cookie prefix value, on the command line, type:
(tmos)# modify sys db asm.cookie_prefix value My_Fancy_Cookie_Name_Prefix
Incorporating external antivirus protection
Before you can incorporate antivirus protection, you need to have an ICAP server
setup in your network.
You can configure the Application Security Manager (ASM) to
connect with an Internet Content Adaptation Protocol (ICAP) server to check requests for
viruses. (ASM was tested with McAfee VirusScan, Trend Micro InterScan, Symantec
Protection Engine, and Kaspersky Antivirus products, and may work with others.) You can
also set up antivirus checking for HTTP file uploads and SOAP web service requests.
- On the Main tab, click.The Anti-Virus Protection screen opens.
- For theServer Host Name/IP Addresssetting, type the fully qualified domain name of the ICAP server, or its IP address.If you specify the host name, you must first configure a DNS server by selecting.
- ForServer Port Number, type the port number of the ICAP server.The default value is1344.
- If you want to perform virus checking even if it may slow down the web application, select theGuarantee Enforcementcheck box.
- ClickSaveto save your settings.
- On the Main tab, click.The Learning and Blocking Settings screen opens.
- For each security policy, configure, as needed, the blocking policy for antivirus protection.
- Ensure that theCurrent edited policyis the one for which you want antivirus protection.
- ExpandPolicy General Featuresand for theVirus Detectedviolation, select either or both of theAlarmandBlockcheck boxes.To set the violation toBlock, theEnforcement Modemust be set toBlocking.
- ClickSaveto save the settings.
- For each security policy, configure, as needed, antivirus scanning for file uploads or SOAP attachments.Performing antivirus checks on file uploads may slow down file transfers.
- On the Main tab, click.
- Ensure that theCurrent edited policyis the one that may include HTTP file uploads or SOAP requests.
- To have the external ICAP server inspect file uploads for viruses before releasing the content to the web server, select theInspect file uploads within HTTP requestscheck box.
- To perform anti-virus scanning on SOAP attachments, if the security policy includes one or more XML profiles, in theXML Profilessetting, move the profiles from theAntivirus Protection Disabledlist to theAntivirus Protection Enabledlist. Alternately, clickCreateto quickly add a new XML profile, with default settings, to the configuration. You can then add the new profile to theAntivirus Protection Enabledlist.
- ClickSaveto save the settings.
- To put the security policy changes into effect immediately, clickApply Policy.
If the
Virus Detected
violation is set to Alarm or Block in the
security policy, the system sends requests with file uploads to an external ICAP server
for inspection. The ICAP server examines the requests for viruses and, if the ICAP
server detects a virus, it notifies ASM, which then issues the Virus
Detected
violation.If antivirus checking for HTTP file uploads and SOAP
web service requests is configured, the system checks the file uploads and SOAP
requests before releasing content to the web server.
Creating user accounts for application security
User accounts on the BIG-IP system are assigned a user role
that specifies the authorization level for that account. While an account with the user
role of Administrator can access and configure everything on the system, you can further
specialize administrative accounts for application security.
- On the Main tab, click.
- ClickCreate.The New User properties screen opens.
- From theRolelist, select a user role for security policy editing.
- To limit security policy editing to a specific administrative partition, selectApplication Security Editor.
- To allow security policy editing on all partitions, selectApplication Security Administrator.
- If you selectedApplication Security Editor, then from thePartition Accesslist, select the partition in which to allow the account to create security policies.You can select a single partition name orAll.
- From theTerminal Accesslist, select whether to allow console access usingtmshcommands.
- ClickFinished.
The BIG-IP system now contains a new user account for administering application
security.
- Application Security Editors have permission to view and configure most parts of the Application Security Manager on specified partitions.
- Application Security Administrators have permission to view and configure all parts of the Application Security Manager, on all partitions. With respect to application security objects, this role is equivalent to the Administrator role.
Validating regular expressions
The RegExp Validator is a system tool designed to help you validate your regular
expression syntax. You can type a regular expression in the RegExp Validator, provide a
test string pattern, and let the tool analyze the data. The tool is included with Application Security Manager.
- Click
- From theRegExp Typelist, select eitherPCREorRE2(recommended) as the RegExp engine.As of BIG-IP version 11.2, the system’s regular expression library and signatures changed from PCRE to RE2 to increase performance and lower false positives. The system still supports the PCRE library for systems that have user-defined signatures configured in PCRE.
- Specify how you want the validator to work:
- In theRegExpfield, type the regular expression you want to validate.
- Or in theRegExpfield, type the regular expression to use to verify a test string, and then in theTest Stringfield, type the string.
- Click theValidatebutton.The screen shows the results of the validation.
The validation result indicates whether the regular expression is valid or not. The
first RegExp match displays the result of the verification check (if specified)
including if there are matches or not.