Manual Chapter : Common elements for security policies

Applies To:


BIG-IP ASM

  • 15.0.0, 14.1.0
Common elements for security policies

  1. On the Main tab, click Security > Application Security > Security Policies.
    The Policies List screen opens.
  2. Click the name of the security policy you want to work on.
    The Policy Summary opens.
  3. From the list, select Advanced.
  4. On the Main tab, click Security > Application Security > Security Policies > Policies List.
    The Policy Properties screen for the current edited policy opens.
  5. Review each of the Policy Building Settings so you understand how the security policy handles requests that cause the associated violations, and adjust if necessary. You need to expand most of the settings to see the violations.
    To the right of Policy Building Settings, click Blocking Settings to see and adjust all of the violations at once.
    The options and what happens when each is selected:
    • Learn: The system generates learning suggestions for requests that trigger the violation (learning suggestions are not generated for requests that return HTTP responses with 400 or 404 status codes).
    • Alarm: The system marks requests that trigger the violation as illegal. The system also records illegal requests in the Charts screen, the system log (/var/log/asm), and possibly in local or remote logs (depending on the settings of the logging profile).
    • Block: The system blocks requests that trigger the violation when (1) the security policy is in the blocking enforcement mode, (2) a violation occurs, and (3) the entity is enforced. The system sends the blocking response page (containing a Support ID to identify the request) to the client.
  6. For the Enforcement Mode setting, select Blocking.
  7. Adjust the Enforcement Mode setting if needed.
    • To block traffic that causes violations, select Blocking.
    • To allow traffic even if it causes violations (allowing you to make sure that legitimate traffic would not be blocked), select Transparent.
    You can only configure the Block flag on violations if the enforcement mode is set to Blocking.
  8. Select or clear the Learn, Alarm, and Block check boxes for the violations, as required (using the default settings is recommended).
  9. Note how the Enforcement Mode is set.
    • Transparent: When the system receives a request that violates the security policy, the system logs the violation event.
    • Blocking: When the system receives a request that violates the security policy, the system logs the violation event, blocks the request, and responds to the request by sending the Blocking Response page and Support ID information to the client.
  10. On the Default Response Page tab, for the Response Type setting, select one of the following options. Each option determines the system response to a blocked request:
    • Default Response: The system returns the system-supplied response page in HTML. No further configuration is needed.
    • Custom Response: The system returns a response page with HTML code that you define.
    • Redirect URL: The system redirects the user to a specified web page.
    • SOAP Fault: The system returns the system-supplied blocking response page in XML format. You cannot edit the text, but you need to select Use XML Blocking Response Page on the XML profile.
    • Erase Cookies: The system deletes all client side domain cookies. As a result, the system blocks web application users once, and redirects them to the login page. Legitimate users can log in and get new cookies. This feature is primarily a countermeasure against session hijacking.
    The settings on the screen change depending on the selection that you make for the Response Type setting.
  11. If you selected the Custom Response option, you can either modify the default text or upload an HTML file.
    To modify the default text:
    1. For the Response Headers setting, type the response header you want the system to send.
    2. For the Response Body setting, type or paste the text you want to send to a client in response to an illegal blocked request. Use standard HTTP syntax.
    3. Click Show to see what the response will look like.
    To upload a file containing the response:
    1. In the Response Body, for the Upload File setting, click Choose File to specify an HTML file that contains the response you want to send to blocked requests.
    2. Click Upload to upload the file into the response body.
  12. If you selected the Redirect URL option, then in the Redirect URL field, type the URL to which the system redirects the user, for example, http://www.myredirectpage.com.
    The URL should be for a page that is not within the web application itself.
    For example, to redirect the blocking page to a URL with a support ID in the query string, type the URL and the support ID in the following format:
    http://www.myredirectpage.com/block_pg.php?support_id=<%TS.request.ID()%>
    The system replaces <%TS.request.ID()%> with the relevant support ID so that the blocked request is redirected to the URL with the relevant support ID.
  13. In the editing context area, click Apply Policy to put the changes into effect.
  14. On the Main tab, click Security > Application Security > Policy Building > Learning and Blocking Settings.
    The Learning and Blocking Settings screen opens.
  15. On the Main tab, click Security > Application Security > Policy > Response Pages.
    The Response Pages screen opens.
  16. At the top of the screen, click Current edited policy to display the security policy properties.
  17. On the Main tab, click Security > Application Security > Security Policies > Active Policies.
  18. From the Blocking menu, choose Settings.
  19. On the Main tab, click Security > Application Security > Geolocation Enforcement.
  20. On the Main tab, click Security > Application Security > Sessions and Logins.
    The Login Pages List screen opens.
  21. Click Create.
    The New Login Page screen opens.
  22. For the Login URL setting, specify a URL that users must pass through to get to the application.
    1. From the list, select the type of URL: Explicit or Wildcard.
    2. Select either HTTP or HTTPS based on the type of traffic the web application accepts.
    3. Type an explicit URL or wildcard expression in the field.
      When you click in the field, the system lists URLs that it has seen, and you can select a URL from the list. Or, you can type explicit URLs in the format /login, and wildcard URLs without the slash, such as *.php.
      Wildcard syntax is based on shell-style wildcard characters. The following wildcard characters can be used so that the entity name matches multiple objects:
      • * matches all characters.
      • ? matches any single character.
      • [abcde] matches exactly one of the characters listed.
      • [!abcde] matches any character not listed.
      • [a-e] matches exactly one character in the range.
      • [!a-e] matches any character not in the range.
      Note that wildcards do not match regular expressions.
  23. From the Authentication Type list, select the method the web server uses to authenticate the login URL's credentials with a web user.
    • None: The web server does not authenticate users trying to access the web application through the login URL. This is the default setting.
    • HTML Form: The web application uses a form to collect and authenticate user credentials. If using this option, you also need to type the user name and password parameters written in the code of the HTML form.
    • HTTP Basic Authentication: The user name and password are transmitted in Base64 and stored on the server in plain text.
    • HTTP Digest Authentication: The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text.
    • NTLM: Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.
    • JSON/AJAX Request: The web server uses JSON and AJAX requests to authenticate users trying to access the web application through the login URL. For this option, you also need to type the name of the JSON element containing the user name and password.
  24. In the Access Validation area, define at least one validation criterion for the login page response.
    If you define more than one validation criterion, the response must meet all the criteria before the system allows the user to access the application login URL.
    The system checks the access validation criteria on the response of the login URL only if the response has one of the following content-types: text/html, text/xml, application/sgml, application/xml, application/html, application/xhtml, application/x-asp, or application/x-aspx.
  25. Click Create to add the login page to the security policy.
    The new login page is added to the login pages list.
  26. Add as many login pages as needed for your web application.
  27. On the Main tab, click Security > Application Security > Sessions and Logins > Login Enforcement.
    The Login Enforcement screen opens.
  28. If you want the login URL to be valid for a limited time, set Expiration Time to Enabled, and type a value, in seconds (1-99999), that indicates how long the session will last.
    If enabled, the login session ends after the number of seconds has passed.
  29. For the Authenticated URLs setting, specify the target URLs that users can access only by way of the login URL:
    1. In the Authenticated URLs (Wildcards supported) field, type the target URL name in the format /private.php (wildcards are allowed).
    2. Click Add to add the URL to the list of authenticated URLs.
    3. Repeat to add as many authenticated URLs as needed.
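The wildcard syntax of step 22 and the login enforcement of steps 28 and 29, as an added Python model that is not code from this manual or from F5. The function wildcard_to_regex, the class LoginEnforcement, and the session dictionary with its login_time key are assumptions made for the example; calling record_login stands in for a login response that passed Access Validation.

```python
import re
from typing import Optional

def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate an ASM-style wildcard into an anchored regex.
    Only '*', '?' and '[...]' classes are special; everything else,
    including regex metacharacters such as '.', is matched literally."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")                       # all characters
        elif c == "?":
            out.append(".")                        # any single character
        elif c == "[" and pattern.find("]", i + 1) != -1:
            j = pattern.find("]", i + 1)
            body = pattern[i + 1:j]
            neg = body.startswith("!")             # [!abc] / [!a-e]
            body = body[1:] if neg else body
            # keep '-' raw so ranges work; escape everything else
            body = "".join(ch if ch == "-" else re.escape(ch) for ch in body)
            out.append("[" + ("^" if neg else "") + body + "]")
            i = j
        else:
            out.append(re.escape(c))               # literal character
        i += 1
    return re.compile("^" + "".join(out) + "$")


class LoginEnforcement:
    """Model of Login URL + Authenticated URLs + Expiration Time (assumed
    behaviour for illustration, not ASM's implementation)."""

    def __init__(self, login_urls, authenticated_urls, expiration_seconds: Optional[int] = None):
        self.login = [wildcard_to_regex(p) for p in login_urls]
        self.auth = [wildcard_to_regex(p) for p in authenticated_urls]
        self.expiration_seconds = expiration_seconds   # None = Expiration Time disabled

    def record_login(self, session: dict, now: float) -> None:
        """Call once the login URL's response passed Access Validation."""
        session["login_time"] = now

    def check(self, path: str, session: dict, now: float) -> str:
        """Return 'allow' or a 'block: ...' reason for one request."""
        if any(r.match(path) for r in self.login):
            return "allow"                         # the login URL itself is always reachable
        if not any(r.match(path) for r in self.auth):
            return "allow"                         # not an authenticated URL
        login_time = session.get("login_time")
        if login_time is None:
            return "block: login URL bypassed"
        if self.expiration_seconds is not None and now - login_time > self.expiration_seconds:
            session.pop("login_time", None)        # session ended after Expiration Time
            return "block: login URL expired"
        return "allow"
```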
  30. On the Main tab, click Security > Application Security > Sessions and Logins > Session Tracking.
    The Session Tracking screen opens.
  31. In the Session Tracking Configuration area, select the Session Awareness check box.
  32. From the Application Username list, select Use All Login Pages to track login sessions for all of the login pages in the security policy.
  33. From the Application Username list, select Use APM Usernames and Session ID.
  34. In the Violation Detection Actions area, select the Track Violations and Perform Actions check box.
  35. In the Violation Detection Period field, type the number of seconds that indicates the sliding time period to count violations for violation thresholds.
    The default is 900 seconds.
  36. If you want the system to log activity when the number of violations for user, session, device ID, or IP address exceeds the threshold during the violation detection period, specify one or more of the following settings on the Log All Requests tab.
    • Username Threshold: Select Enable and specify the number of violations allowed before the system starts logging this user's activity for the log all requests period.
    • Session Threshold: Select Enable and specify the number of violations allowed before the system starts logging activity for this HTTP session for the log all requests period.
    • Device ID Threshold: Select Enable and specify the number of violations allowed before the system starts to log requests for this device.
    • IP Address Threshold: Select Enable and specify the number of violations allowed before the system starts logging the activity of this IP address for the log all requests period.
    • Log All Requests Period: Specify how long the system should log all requests when any of the enabled thresholds is reached. Type the number of seconds in the field.
  37. If you want more tolerant blocking for selected violations, such as those prone to false positives, specify one or more of the following settings on the Delay Blocking tab.
    • Username Threshold: Select Enable and specify the number of violations a user must cause before the system begins blocking this user for the delay blocking period.
    • Session Threshold: Select Enable and specify the number of violations users must cause (during the violation detection period) before the system begins blocking this HTTP session for the delay blocking period.
    • Device ID Threshold: Select Enable and specify the number of violations allowed per device ID before the system starts to block illegal requests from the device.
    • IP Address Threshold: Select Enable and specify the number of violations allowed before the system begins blocking this IP address for the delay blocking period.
    • Delay Blocking Period: Type the number of seconds that the system should block the user, session, or IP address when any of the enabled thresholds is reached.
    • Associated Violations: Move the violations for which you want delay blocking from the Available list into the Selected list. If the selected violations occur, the system does not block traffic until one of the enabled thresholds is reached. At that point, the system blocks traffic causing those violations for the user, session, or IP address, but allows other transactions to pass.
    For the system to block requests, the security policy Enforcement Mode must be set to blocking and some violations must be set to block.
  38. If you want the system to block all activity for a user, session, device ID, or IP address when the number of violations exceeds the threshold within the violation detection period, specify one or more of the following settings on the Block All tab.
    • Blocked URLs: Specify which URLs to block after the number of violations exceeds the enabled thresholds. To block all URLs, select Block all URLs. To block authenticated URLs protected by login pages, select Block Authenticated URLs.
    • Username Threshold: Select Enable and specify the number of violations allowed before the system starts to block this user's activity.
    • Session Threshold: Select Enable and specify the number of violations allowed before the system starts to block activity for this HTTP session.
    • Device ID Threshold: Select Enable and specify the number of violations allowed per device ID before the system starts to block activity for this device.
    • IP Address Threshold: Select Enable and specify the number of violations allowed before the system starts to block the activity for this IP address.
    • Block All Period: Specify how long to block users, sessions, or IP addresses if the number of violations exceeds the threshold. To block the user, session, or IP address indefinitely, click Infinite. Otherwise, click User-defined and type the number of seconds to block the traffic. The default is 600 seconds.
    For the system to block requests, the security policy Enforcement Mode must be set to blocking and some violations must be set to block.
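The sliding window and thresholds of steps 35 to 38, as an added Python model that is not ASM's code. The entity key strings, the ViolationTracker class and the decisions 'pass', 'block' and 'log-only' are assumptions of the example; an empty Associated Violations set stands for the Block All tab, a non-empty one for Delay Blocking, and action_period=None for Infinite.

```python
from collections import defaultdict, deque
from typing import Optional

class ViolationTracker:
    """Sliding-window violation counting for one tracked entity key
    (username, session, device ID or IP) with a threshold that arms a
    timed action, as on the Delay Blocking and Block All tabs.
    Illustrative model, not ASM's implementation."""

    def __init__(self, detection_period: int = 900, threshold: int = 5,
                 action_period: Optional[int] = 600, associated_violations=None,
                 enforcement_mode: str = "blocking"):
        self.detection_period = detection_period        # Violation Detection Period (s)
        self.threshold = threshold                      # violations allowed before action
        self.action_period = action_period              # Delay Blocking / Block All Period; None = Infinite
        self.associated = set(associated_violations or [])  # empty = act on every request (Block All)
        self.enforcement_mode = enforcement_mode        # only 'blocking' can block
        self._events = defaultdict(deque)               # entity -> violation timestamps
        self._armed_until = {}                          # entity -> end of action window

    def _trim(self, entity: str, now: float) -> deque:
        q = self._events[entity]
        while q and now - q[0] > self.detection_period:  # slide the window
            q.popleft()
        return q

    def violation_count(self, entity: str, now: float) -> int:
        return len(self._trim(entity, now))

    def is_armed(self, entity: str, now: float) -> bool:
        until = self._armed_until.get(entity)
        if until is not None and now < until:
            return True
        self._armed_until.pop(entity, None)             # window over (or never armed)
        return False

    def decide(self, entity: str, violation: Optional[str], now: float) -> str:
        """Decision for one request: 'pass', 'block' or 'log-only'.
        violation is None for a request that triggered no violation."""
        if not self.is_armed(entity, now):
            return "pass"                               # below threshold: let it through
        if self.associated and violation not in self.associated:
            return "pass"                               # delay blocking: other transactions pass
        if self.enforcement_mode != "blocking":
            return "log-only"                           # Transparent mode never blocks
        return "block"

    def record(self, entity: str, violation: str, now: float) -> str:
        """Record a violation for the entity, arm the action once the
        count exceeds the threshold, and return the decision."""
        q = self._trim(entity, now)
        q.append(now)
        if len(q) > self.threshold and not self.is_armed(entity, now):
            self._armed_until[entity] = (float("inf") if self.action_period is None
                                         else now + self.action_period)
        return self.decide(entity, violation, now)
```

The violation names passed to record are sample labels for the example; any string works as long as it matches what you put in associated_violations.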
  39. On the Main tab, click Security > Application Security > IP Addresses > IP Address Exceptions.
    The IP Address Exceptions screen opens, and displays a centralized list of configured IP address exceptions.
  40. On the Main tab, click Security > Application Security > Security Policies > Policy Diff.
  41. From the First Policy and Second Policy lists, select the security policies you want to compare or merge, or browse to search your computer for an exported security policy.
    The two security policies you are comparing can be active, inactive, policies imported in binary or XML format, or a combination of both.
  42. If you plan to merge security policy attributes, it is a good idea to safeguard the original security policy. In the Working Mode field, select how you want to work.
    • Work on Original: Incorporate changes into one (or both) of the original security policies, depending on the merge options you select, without making a copy.
    • Make a Copy: Make a copy of the security policy into which you are incorporating changes.
    • Work on Copy: Work on a copy of the original security policy. A copy is made first, and the possible changes are then incorporated there instead of in the original policies. If comparing one or more policies with Policy Builder enabled, this option is automatically selected (and the other options become unavailable).
  43. Click the Calculate Differences button to compare the two security policies.
    The system does not compare navigation parameters. They are ignored and do not appear in the results.
    The Policy Differences Summary lists the number of differences for each entity type.
  44. Click any row in the Policy Differences Summary to view the differing entities with details about the conflicting attributes.
    The system displays a list of the differing entities and shows details about each entity's conflicting attributes.
  45. To automatically merge the differences between the two security policies, click Auto Merge.
    An Auto Merge popup screen opens.
  46. In the Handle missing entities setting, specify how you want the system to treat entities that exist in one security policy but not the other.
    By default, both check boxes are selected; the auto-merge process adds unique entities from each policy into the policy from which they are missing.
    • To move missing entities from the second policy to the first, select Add all unique entities from <second policy> to <first policy>.
    • To move missing entities from the first policy to the second, select Add all unique entities from <first policy> to <second policy>.
    • If you do not want to merge missing entities, leave both check boxes blank.
  47. In the Handle common entities for <first policy> and <second policy> setting, specify how you want the system to treat entities that have conflicting attributes.
    • To make no changes to either policy when entities are different, select Leave unchanged.
    • To use the differing entities from the first policy and move them to the second, select Accept all from <first policy> to <second policy>.
    • To use the differing entities from the second policy and move them to the first, select Accept all from <second policy> to <first policy>.
  48. Click Merge.
    The system merges the two security policies.
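The compare and auto-merge choices of steps 43 to 48, as an added Python model that is not the product's code. The dictionary layout of a policy, the sample policies POLICY_A and POLICY_B, and the function names diff_policies and auto_merge are constructed for the example.

```python
from copy import deepcopy

# Constructed sample policies (not real ASM exports), modelled as
# {entity_type: {entity_name: attributes}}.
POLICY_A = {
    "urls": {"/login": {"method": "POST", "enforced": True},
             "/admin/*": {"method": "*", "enforced": True}},
    "parameters": {"user": {"type": "alpha-numeric", "max_len": 64}},
    "navigation_parameters": {"page": {}},
}
POLICY_B = {
    "urls": {"/login": {"method": "POST", "enforced": False},
             "/api/*": {"method": "*", "enforced": True}},
    "parameters": {"user": {"type": "alpha-numeric", "max_len": 64},
                   "token": {"type": "alpha-numeric", "max_len": 128}},
}

def diff_policies(first: dict, second: dict) -> dict:
    """Per entity type: names unique to each policy and names present in
    both with conflicting attributes (the Policy Differences Summary).
    Navigation parameters are skipped, as the UI ignores them."""
    summary = {}
    for etype in sorted(set(first) | set(second)):
        if etype == "navigation_parameters":
            continue
        a, b = first.get(etype, {}), second.get(etype, {})
        summary[etype] = {
            "only_in_first": sorted(set(a) - set(b)),
            "only_in_second": sorted(set(b) - set(a)),
            "conflicting": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
        }
    return summary

def auto_merge(first: dict, second: dict, add_second_to_first: bool = True,
               add_first_to_second: bool = True, common: str = "leave",
               work_on_copy: bool = True):
    """Apply the Auto Merge choices. common is one of 'leave',
    'first_to_second' or 'second_to_first' (Handle common entities).
    With work_on_copy the originals stay untouched (Work on Copy)."""
    if work_on_copy:
        first, second = deepcopy(first), deepcopy(second)
    for etype, d in diff_policies(first, second).items():
        a, b = first.setdefault(etype, {}), second.setdefault(etype, {})
        if add_second_to_first:                      # Handle missing entities
            for n in d["only_in_second"]:
                a[n] = deepcopy(b[n])
        if add_first_to_second:
            for n in d["only_in_first"]:
                b[n] = deepcopy(a[n])
        for n in d["conflicting"]:                   # Handle common entities
            if common == "first_to_second":
                b[n] = deepcopy(a[n])
            elif common == "second_to_first":
                a[n] = deepcopy(b[n])
    return first, second
```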