Manual Chapter : Common elements for entities

Applies To:

BIG-IP ASM

  • 15.0.0, 14.1.0

  1. On the Main tab, click Security > Application Security > Headers > HTTP Headers.
    The HTTP Headers screen opens.
  2. Click Create.
    The New Header screen opens.
  3. Click Create.
    The HTTP Headers screen opens and lists the new header.
  4. On the Main tab, click Security > Application Security > Headers.
    The Cookies List screen opens.
  5. Leave the Perform Staging check box selected if you want the security policy to evaluate traffic before enforcing this entity.
    Staging helps reduce the occurrence of false positives.
  6. If you want the system to add the HttpOnly attribute to the response header of the domain cookie, select the Insert HttpOnly attribute check box.
    This attribute prevents the cookie from being modified or intercepted on the client side, by unwanted third parties that run scripts on the web page. The client's browser allows only pure HTTP or HTTPS traffic to access the protected cookie.
  7. If you want the system to add the Secure attribute to the response header of the domain cookie, select the Insert Secure attribute check box.
    This attribute ensures that cookies are returned to the server only over SSL, which prevents the cookie from being intercepted. It does not, however, guarantee the integrity of the returned cookie.
  8. If this is a custom cookie that may include Base64 encoding, select the Base64 Decoding check box.
    If the cookie contains a Base64 encoded string, the system decodes the string and continues with its security checks.
  9. Select either the Enforced Cookies or Allowed Cookies tab to locate the cookie you want to edit.
  10. On the Main tab, click Security > Application Security > File Types.
    The Allowed File Types screen opens.
  11. Click Create.
    The Add Allowed File Type screen opens.
  12. For File Type, choose a type:
    • Explicit: Specifies a unique file type, such as JPG or HTML. Type the file type (from 1 to 255 characters) in the adjacent box.
    • No Extension: Specifies that the web application has a URL with no file type. The system automatically assigns this file type the name no_ext. The slash character (/) is an example of a no_ext file type.
    • Wildcard: Specifies that the file type is a wildcard expression. Any file type that matches the wildcard expression is considered legal. The pure wildcard (*) is automatically added to the security policy so you do not need to add it. But you can add other wildcards such as htm*. Type a wildcard expression in the adjacent box.
  13. On the Main tab, click Security > Application Security > URLs.
    The Allowed HTTP URLs screen opens.
  14. Click Create.
    The New Allowed HTTP URL screen opens.
  15. From the Allowed HTTP URLs List, click the name of the URL you want to modify.
    The Allowed HTTP URL Properties screen opens.
  16. Click Update to save the changes.
  17. Click Save to save the changes.
  18. Click Delete to delete the entity, and click OK when asked to confirm.
  19. Click Create.
    The Add Parameter screen opens.
  20. In the Create New Parameter area, for the Parameter Name setting, specify the type of parameter you want to create.
    • To create a named parameter, select Explicit, then type the name.
    • To use pattern matching, select Wildcard, then type a wildcard expression. Any parameter name that matches the wildcard expression is permitted by the security policy.
    • To create an unnamed parameter, select No Name. The system creates a parameter with the label, UNNAMED.
  21. Leave the Perform Staging check box selected if you want the system to evaluate traffic before enforcing this parameter.
    Staging helps reduce the occurrence of false positives.
  22. If you are creating a wildcard parameter and you want the system to display explicit parameters that match the wildcard entity pattern that you specify, for the Learn Explicit Entities setting, select Add All Entities.
    Do not enable both staging and Add All Entities on the same wildcard entity.
  23. Specify whether the parameter requires a value:
    • If the parameter is acceptable without a value, leave the Allow Empty Value setting enabled.
    • If the parameter must always include a value, clear the Allow Empty Value check box.
  24. To allow users to send a request that contains multiple parameters with the same name, select the Allow Repeated Occurrences check box.
    Before enabling this check box, consider that requests containing multiple parameters of the same name could indicate an attack on the web application (HTTP Parameter Pollution).
  25. If you want to treat the parameter you are creating as a sensitive parameter (data not visible in logs or the user interface), enable the Mask Value in Logs setting.
  26. For the Parameter Value Type setting, select the format of the parameter value.
    Depending on the value type you select, the screen refreshes to display additional configuration options.
  27. Click Create to add the new parameter to the security policy.
  28. Use the View option to filter the character set.
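
The parameter settings in the steps above (Explicit and Wildcard names, Allow Empty Value, Allow Repeated Occurrences) can be modelled offline to see which requests a given combination would flag. This is an added example, not the product's own logic: the POLICY table, the parameter names and the sample query strings are hypothetical, Python's fnmatch stands in for the policy's wildcard syntax, and explicit names are assumed to be checked before wildcards.

```python
# Added example: a simplified model of per-parameter checks, including
# repeated names (HTTP Parameter Pollution). All policy data is hypothetical.
from collections import Counter
from fnmatch import fnmatchcase
from urllib.parse import parse_qsl

# (name or wildcard pattern, allow_empty_value, allow_repeated_occurrences)
POLICY = [
    ("id", False, False),
    ("tag", True, True),
    ("opt_*", True, False),
]

def find_rule(name):
    """Return the matching rule: explicit names first, then wildcards."""
    for rule in POLICY:
        if rule[0] == name:
            return rule
    for rule in POLICY:
        if fnmatchcase(name, rule[0]):
            return rule
    return None

def check_query(query):
    """Return a list of (parameter, violation) tuples for a query string."""
    pairs = parse_qsl(query, keep_blank_values=True)
    counts = Counter(name for name, _ in pairs)
    violations = []
    for name, value in pairs:
        rule = find_rule(name)
        if rule is None:
            found = (name, "no matching parameter")
        elif value == "" and not rule[1]:
            found = (name, "empty value")
        elif counts[name] > 1 and not rule[2]:
            found = (name, "repeated occurrence")
        else:
            continue
        if found not in violations:      # report each finding once
            violations.append(found)
    return violations

if __name__ == "__main__":
    for q in ("id=7&id=8&tag=a&tag=b&opt_color=&debug=1", "id=&opt_a=1&opt_a=2"):
        print(q, "->", check_query(q))
```
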