Manual Chapter: Creating Parent and Child Security Policies
Applies To: BIG-IP ASM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Overview: Creating parent and child security policies
You can use Application Security Manager™ (ASM) to create two layers of
security policies: parent policies and child policies. Parent policies include mandatory policy
elements, and child policies inherit those attributes from the parent. When the parent policy is
updated, its child policies are automatically updated.
Parent policies let you
- Create and maintain common elements and settings
- Impose mandatory elements on child policies
- Push a change to multiple child policies
You can specify which parts of the security policy must be inherited, which are optional, and
which are not inherited. This way, you can keep child policies in sync with the changes in the
global mandatory policies and still allow the child policies to address their own unique
requirements. The inheritance follows the sections of the policy in the Learning and Blocking
Settings: each part can be inherited or not inherited from the parent.
Creating a parent security policy
Parent security policies include
features that you want to apply to multiple child security policies that can inherit
those features.
- On the Main tab, click. The Policies List screen opens.
- Click Create New Policy. You only see this button when no policy is selected.
- In the Policy Name field, type a name for the policy.
- For Policy Type, select Parent.
- For Policy Template, select the template that you want to use for the parent policy; for example, select Fundamental to create a robust yet compact security policy that is appropriate for most applications. To create a stricter policy that enforces many violations, select Comprehensive instead.
- In the upper right corner, click Advanced.
- To use automatic policy building for this policy and its child policies, leave the Learning Mode set to Automatic.
- For Application Language, leave the default of Unicode (utf-8) unless all child policies will use a specific language that you can select. You cannot change this setting after you have created the security policy.
- To enable specific protections that will apply to this policy and its child policies, for Server Technologies, select as many of the technologies as are relevant to the back-end servers. The system adds attack signatures specific to the selected technologies.
- For Trusted IP Addresses, select which IP addresses all child policies consider safe:
- All: Specifies that the policy trusts all IP addresses. This option is recommended only for traffic in a corporate lab or preproduction environment where all of the traffic is trusted. The policy is created faster when you select this option.
- Address List: Specifies networks to consider safe. Fill in the IP Address and Netmask fields, then click Add. This option is typically used in a production environment where traffic could come from untrusted sources. The IP Address can be either an IPv4 or an IPv6 address.
If you leave the trusted IP address list empty, the system treats all traffic as untrusted. In general, it takes more untrusted traffic, from different IP addresses, over a longer period of time to build a security policy.
- For the Policy Builder Learning Speed setting, select how fast to generate suggestions for the policy:
- Slow: Use if your application supports a large number of requests from many sessions; for example, useful for web sites with lots of traffic. Policy Builder requires a large amount of unique traffic samples to make decisions in Automatic Learning Mode, or to reach a high learning score. This option creates the most accurate security policy, but it takes Policy Builder longer to collect the statistics.
- Medium: Use if your application supports a medium number of requests, or if you are not sure about the amount of traffic on the application web site. This is the default setting.
- Fast: Use if your application supports a small number of requests from a small number of sessions; for example, useful for web sites with less traffic. Policy Builder requires fewer unique traffic samples to make decisions in Automatic Learning Mode, or to reach a high learning score. However, choosing this option may present a greater chance of adding false entities to the security policy.
Based on the option you select, the system sets greater or lesser values for the number of different user sessions, different IP addresses, and length of time before it adds suggestions to the security policy and, if you are using automatic learning, enforces the elements.
- For the Signature Staging setting, verify that the default option Enabled is selected. New and updated attack signatures remain in staging for 7 days, and are recorded but not enforced (according to the learn, alarm, and block flags in the attack signatures configuration) during that time.
- For the Enforcement Readiness Period, retain the default setting of 7 days. This is how long entities remain in staging. During this period, you can test the security policy entities for false positives before enforcing them. During the enforcement readiness period, the security policy provides learning suggestions when it processes requests that do not meet the security policy, but it does not alert on or block that traffic, even if those requests trigger violations. You can review new entities and decide which are legitimate and include them in the security policy.
- If the application is not case-sensitive, clear the Policy is Case Sensitive check box. Otherwise, leave it selected. You cannot change this setting after you have created the security policy.
- If you do not want the security policy to distinguish between HTTP/WebSocket and HTTPS/WebSocket Secure URLs, for Differentiate between HTTP/WS and HTTPS/WSS URLs, select Disabled.
- Click Create Policy to create the security policy. The system creates the parent security policy and displays the inheritance settings for each section of the policy (as on the Learning and Blocking Settings screen).
- For each of the Inheritance Settings, decide whether you want inheritance to child policies to be Mandatory (the child inherits the settings and cannot change them), Optional (the child can accept or decline them), or None (no inheritance for this feature). When done, click Save Changes.
You have created a security policy
that you can use as a parent policy for multiple child policies. The child policies
inherit the settings from this parent policy, and you can change only a subset of the
settings in the child policy. Future changes made to the parent policy are passed down
to the child policies.
Configuring parent policy settings
After you create a parent security policy, you can review and adjust the policy settings to be sure they include the details that you want to use for child policies. Although this task is not required and the default values may suit your needs, it gets you familiar with the settings in the policy. Follow the same process if you later need to change the parent policy and how it works.
- On the Main tab, click. The Learning and Blocking Settings screen opens.
- In the Current edited security policy list near the top of the screen, verify that the policy shown is the parent security policy you want to work on.
- On the right side of the Learning and Blocking Settings screen, select Advanced. The screen displays the advanced configuration details for the parent security policy.
- For each of the settings, on the right you can see whether the setting has Mandatory Inheritance, Optional Inheritance, or No Inheritance.
- Expand each of the settings and review the default values for each of the areas. Adjust the values, if necessary. If you change any of the values, click Save, then Apply Policy. Descriptions of the settings are included in the online Help on the Help tab.
- On the Main tab, click. The Policies List screen opens.
- In the Policies List, select the parent policy you previously created. The policy summary is displayed on the right.
- Click Inheritance Settings.
- Review the Inheritance Settings, and make sure that inheritance is set properly for child policies to be Mandatory (the child inherits the settings), Optional (the child can decide), or None (no inheritance for this feature). When done, click Save Changes.
You have configured the security policy settings of the parent policy that you can use
when creating child security policies. If you already have created child policies, when
you save the changes to the parent policy, the changes are automatically made to the
child policies.
Creating a child security policy
Child security policies inherit settings from a
parent security policy.
- On the Main tab, click. The Policies List screen opens.
- Click Create New Policy. You only see this button when no policy is selected.
- In the Policy Name field, type a name for the policy.
- For Policy Type, select Security.
- For Policy Template, select the template to use for the child policy; for example, select Fundamental to create a robust security policy that is appropriate for most applications. To create a strict security policy that enforces many violations, select Comprehensive instead.
- From the Parent Policy list, select the parent security policy to use for this policy.
- For Virtual Server, select an existing virtual server, click Configure new virtual server to specify where to direct application requests, or leave it set to None for now.
- Existing virtual servers are only listed if they have an HTTP profile, and are not associated with a local traffic policy.
- To create a new virtual server, specify the protocol, virtual server name, virtual server destination IP address/network and port (IPv4 or IPv6), pool member address and port (address of the back-end application server), and logging profile.
- If you select None, you will have to manually associate the security policy with a virtual server that has an HTTP profile at a later time to activate the policy. (On the Security tab of the virtual server, set Application Security Policy to Enabled, then select the policy.)
- In the upper right corner, click Advanced. You can use the default values for the Advanced settings, but it's a good idea to take a look at them.
- If you selected Fundamental or Comprehensive for the Policy Template, Learning Mode is set to Automatic and Enforcement Mode is set to Blocking. If you need to change these values, set Application Language to a value other than Auto detect.
- If you know the Application Language, select it, or use Unicode (utf-8).
- To add specific protections (enforcing additional attack signatures) to the policy, for Server Technologies, select the technologies that apply to the back-end application servers.
- You can configure trusted IP addresses that you want the security policy to consider safe.
- Click Create Policy to create the security policy.
- Click Inheritance Settings to see which parts of the policy are inherited from the parent and which can be declined or accepted. By default, all settings with optional inheritance are accepted.
- You can change optional settings from Accepted to Declined. When done, click Save Changes.
ASM creates a child security policy that uses the mandatory settings specified in the
parent policy. As a result, some of the Learning and Blocking Settings are unavailable
in the child policy, and you can only change them in the parent policy.
The security policy immediately starts protecting your application. The enforcement mode of the security policy is set to Blocking. Traffic that is considered to be an attack, such as traffic that is not compliant with the HTTP protocol, has malformed payloads, uses evasion techniques, performs web scraping, or contains sensitive information or illegal values, is blocked. Other potential violations are reported but not blocked.
This is a good point at which to send some traffic to test that you can access the application protected by the child security policy and to check that the BIG-IP system is processing the traffic correctly. Send the traffic to the virtual server destination address.
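The following script, an added example rather than F5's own tooling, is one way to run that smoke test from the command line: it sends a few requests to the virtual server and classifies each reply as either passed through to the application or rejected by ASM, pulling the support ID out of the blocking page so you can look the event up in the ASM event log. It assumes the default ASM blocking response page text ("The requested URL was rejected ... Your support ID is: ...") has not been customized; the host name, paths and function names are placeholders chosen for this example.

```python
"""Smoke-test a virtual server protected by an ASM child policy.

Added example, not F5 code. Assumes the default ASM blocking page text;
the base URL and paths are placeholders.
"""
import re
import sys
import urllib.error
import urllib.request

# Default ASM block page markers (assumption: the page has not been customized).
BLOCK_MARKER = "The requested URL was rejected"
SUPPORT_ID_RE = re.compile(r"support ID is:\s*(\d+)", re.IGNORECASE)


def classify(status, body):
    """Return ("blocked", support_id) if ASM served its blocking page,
    otherwise ("allowed", status) meaning the request reached the application
    (a 404 here is the back end answering, not ASM rejecting)."""
    match = SUPPORT_ID_RE.search(body)
    if BLOCK_MARKER in body and match:
        return ("blocked", match.group(1))
    return ("allowed", status)


def fetch(url, timeout=5):
    """GET one URL and return (status, body); HTTP errors are data, not failures."""
    req = urllib.request.Request(url, headers={"User-Agent": "asm-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url, paths):
    """Classify each path; during the enforcement readiness period you expect
    'allowed' even for unknown file types, with learning suggestions instead."""
    return {path: classify(*fetch(base_url + path)) for path in paths}


# Constructed sample of the default blocking page, so classify() can be
# exercised without a BIG-IP on the network.
SAMPLE_BLOCK_PAGE = (
    "<html><head><title>Request Rejected</title></head><body>"
    "The requested URL was rejected. Please consult with your administrator."
    "<br><br>Your support ID is: 1234567890123456789<br><br>"
    "<a href='javascript:history.back();'>[Go Back]</a></body></html>"
)


if __name__ == "__main__":
    # Hypothetical virtual server address; pass the real one as argv[1].
    base = sys.argv[1] if len(sys.argv) > 1 else "https://app.example.test"
    for path, (verdict, detail) in probe(base, ["/", "/index.html", "/unknown.zzz"]).items():
        print(f"{path:20} {verdict:8} {detail}")
```

A "blocked" verdict with a support ID during the 7-day enforcement readiness period points at something the policy already enforces (a protocol compliance or evasion violation, for example), since staged entities are only reported; search the support ID in the ASM event log to see which violation fired.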
If the parent is changed,
the child policy is automatically updated with the latest inherited (or accepted)
settings.
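To make the inheritance rules concrete, here is a small model (an added example, not F5 code) of how the three inheritance modes set on the parent in the Inheritance Settings step, together with the Accept/Decline choice made in the child, determine the value a child policy actually enforces, and of what happens to the children when the parent changes. Section names are taken from the Learning and Blocking Settings; the classes, method names and the learn/alarm/block flag representation are assumptions made for illustration.

```python
"""Model of ASM parent/child inheritance resolution (added example, not F5 code)."""
from dataclasses import dataclass, field
from enum import Enum


class Inheritance(Enum):
    MANDATORY = "mandatory"   # child inherits; the section is locked in the child
    OPTIONAL = "optional"     # child may Accept (the default) or Decline
    NONE = "none"             # child keeps its own value; nothing is pushed down


@dataclass
class ParentPolicy:
    name: str
    settings: dict      # section -> {"learn": bool, "alarm": bool, "block": bool}
    inheritance: dict   # section -> Inheritance

    def update(self, section, **flags):
        """Change a section in the parent. Children resolve through the parent,
        so every child that inherits (or has accepted) the section sees it."""
        self.settings[section] = {**self.settings[section], **flags}


@dataclass
class ChildPolicy:
    name: str
    parent: ParentPolicy
    local: dict                       # the child's own values
    declined: set = field(default_factory=set)

    def mode(self, section):
        return self.parent.inheritance.get(section, Inheritance.NONE)

    def effective(self, section):
        """The value that is actually enforced for this child."""
        mode = self.mode(section)
        if mode is Inheritance.MANDATORY:
            return self.parent.settings[section]
        if mode is Inheritance.OPTIONAL and section not in self.declined:
            return self.parent.settings[section]
        return self.local[section]

    def decline(self, section):
        """Decline an optional section; the child starts from a copy of the parent's value."""
        if self.mode(section) is not Inheritance.OPTIONAL:
            raise ValueError(f"{section}: only optional inheritance can be declined")
        self.declined.add(section)
        self.local.setdefault(section, dict(self.parent.settings[section]))

    def accept(self, section):
        self.declined.discard(section)

    def set_local(self, section, **flags):
        """Edit the child's own value; refused for sections the parent controls."""
        mode = self.mode(section)
        inherited = mode is Inheritance.MANDATORY or (
            mode is Inheritance.OPTIONAL and section not in self.declined)
        if inherited:
            raise PermissionError(
                f"{section} is inherited; change it in {self.parent.name} or decline it first")
        self.local[section] = {**self.local.get(section, {}), **flags}


def demo():
    """Walk through the page's scenario; returns one boolean per observation."""
    on = {"learn": True, "alarm": True, "block": True}
    report_only = {"learn": True, "alarm": True, "block": False}
    parent = ParentPolicy(
        "corp-parent",
        settings={"Evasion Techniques": dict(on), "Attack Signatures": dict(on),
                  "File Types": dict(on)},
        inheritance={"Evasion Techniques": Inheritance.MANDATORY,
                     "Attack Signatures": Inheritance.OPTIONAL,
                     "File Types": Inheritance.NONE},
    )
    child = ChildPolicy("app1", parent, local={"File Types": dict(report_only)})
    results = {}
    results["optional_accepted_by_default"] = child.effective("Attack Signatures") == on
    results["none_uses_child_value"] = child.effective("File Types") == report_only
    try:
        child.set_local("Evasion Techniques", block=False)
        results["mandatory_locked_in_child"] = False
    except PermissionError:
        results["mandatory_locked_in_child"] = True
    child.decline("Attack Signatures")
    child.set_local("Attack Signatures", block=False)
    results["declined_uses_child_value"] = child.effective("Attack Signatures")["block"] is False
    parent.update("Evasion Techniques", block=False)        # parent change propagates
    results["parent_change_propagates"] = child.effective("Evasion Techniques")["block"] is False
    parent.update("Attack Signatures", block=True)           # but not into declined sections
    results["declined_not_overwritten"] = child.effective("Attack Signatures")["block"] is False
    return results
```

Resolving through the parent at read time, rather than copying values into each child, is what makes a parent change reach every child that inherits or accepted the section while leaving declined and non-inherited sections alone, which matches the behaviour the page describes for Mandatory, Optional and None.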
Reviewing learning suggestions for parent and child policies
Before you can see learning suggestions on the system, the application protected by
a child policy needs to have had some traffic sent to it.
After you create parent and child policies and begin sending traffic to the
application protected by the child policy, the system provides learning suggestions
concerning additions to the policies based on the traffic it sees. For example, you
can have users or testers browse the web application. By analyzing the traffic to
and from the application, Application Security Manager
generates learning suggestions or ways to fine-tune the parent and child policies to
better suit the traffic and secure the application.
Suggestions related to settings that are inherited appear locked in the child policy
and can only be accepted in the parent policy.
This task is primarily
for building a security policy manually. If you are using the automatic learning
mode, this task applies to resolving suggestions that require manual intervention,
or for speeding up the enforcement of policy elements.
- On the Main tab, click. The Traffic Learning screen opens, and lists suggestions based on traffic patterns and violations that the system has detected.
- Take a look at the Traffic Learning screen to get familiar with it. With no suggestions selected, graphical charts summarize policy activity, and you see an enforcement readiness summary at the bottom right. Learning suggestions in the parent policy include a number on the right that shows how many of the child policies include that suggestion. A link lets you review the suggestion in the child policy.
- Review the learning suggestions as follows.
- Select a learning suggestion. Information is displayed about the action the system will take if you accept the suggestion, and what caused the suggestion.
- You can learn more about the suggestion by looking at the action, the number of samples it is based on, the violations caused and their violation ratings, and if available, by examining samples of the requests that caused the suggestion.
- With a request selected on the left, you can view data about the request on the right, including any violations it generated, the contents of the request itself, and the response (if any). Note that some requests may contain violations related to different suggestions. By examining the requests that caused a suggestion, you can determine whether it should be accepted.
- To add comments about the suggestion and the cause, click the Add Comment icon to the right of the suggestion commands, and type the comments.
- Decide how to respond to the suggestions. You can start with the suggestions that have the highest learning scores, or those which you know to be valid for the application. These are the options:
- Accept Suggestion: The system modifies the policy by taking the suggested action, such as adding an entity that is legitimate. Suggestions about adding file types, URLs, parameters, cookies, or redirection domains can only be accepted in child policies. For suggestions concerning inherited settings, this option only appears in the parent policy.
- Delete Suggestion: The system removes the learning suggestion, but the suggestion reoccurs if new requests cause it. The learning score of the suggestion starts over from zero in that case.
- Ignore Suggestion: The system does not change the policy and stops showing this suggestion on the Traffic Learning screen now and in the future. You can view ignored suggestions by filtering by Status: Ignored.
If you are working in automatic learning mode, when the learning score reaches 100%, the system accepts most of the suggestions, or you can accept suggestions manually at any time. If you are using manual learning, when the learning score reaches 100% (or before that, if you know the suggestions are valid), you need to accept the suggestions manually. If you know that a suggestion is valid, you can accept it at any time, even before the learning score reaches 100%. The ones that reach 100% have met all the conditions, so they are probably legitimate entities.
- To put the security policy changes into effect immediately, click Apply Policy.