Manual Chapter : Configuring ASM with Local Traffic Policies

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 14.1.2, 14.1.0
Manual Chapter

Configuring ASM with Local Traffic Policies

Overview: Configuring ASM with local traffic policies

Application Security Manager applies security policy rules to traffic that is controlled and defined using a local traffic policy. To provide more flexibility in selecting the traffic, you can edit the local traffic policy and add rules to it.
This implementation shows how to create a security policy and edit at the local traffic policy that is created. The example provided describes how to add rules to the local traffic policy so that the security policy applies only to administrative traffic beginning with
/admin
. No security policy applies to the other traffic.
Many other options are available for configuring local traffic policies with ASM. By following through the steps in this example, you can see the other options that are available on the screens, and can adjust the example for your needs.

About application security and local traffic policies

When you use Application Security Manager (ASM) to create a security policy attached to a virtual server, the BIG-IP system automatically creates a local traffic policy. The local traffic policy forms a logical link between the local traffic components and the application security policy.
By default, the system automatically creates a simple local traffic policy directs all HTTP traffic coming to the virtual server to the ASM security policy that you created. ASM examines the traffic to ensure that it meets the requirements of the security policy. If that is all you need to do, your task is done. If, however, you want more flexibility, such as applying different security policies depending on the type of traffic or disabling ASM for certain types of traffic, you can use the local traffic policy to do that.
Local traffic policies can include multiple rules. Each rule consists of a condition and one or more actions to be performed if the condition holds. So you can create a local traffic policy that works with ASM and includes multiple rules that do different things depending on the conditions you set up. In this type of traffic policy, the rules perform these actions:
  • Enable ASM enforcing a specific security policy
  • Disable ASM
For example, you may want a local traffic policy directed to a specific URL to enforce a security policy. As a default rule, all other traffic could disable ASM. You can also direct people using different aspects of an application (or different applications) to various security policies. Many other options are available for directing ASM traffic using local traffic policies.

About application security and manually adding local traffic policies

If you create a security policy not attached to a virtual server, the system creates the security policy but does not create a local traffic policy. However, you will need to have a virtual server and local traffic policy to select the traffic for the security policy to enforce.
In that case, you can develop the security policy, adding the features that you want to use. Without a virtual server, the system cannot build the security policy automatically until you have traffic going through. But you can manually develop the security policy by adding entities such as file types, URLs, assigning server technologies, and so on.
When you are ready to enforce the security policy and start sending traffic through the system, create a virtual server with an http profile, and enable the security policy you created in the virtual server resources. When you save the virtual server, the system automatically creates a default local traffic policy that enforces the security policy on all traffic. You can edit the local traffic policy rules if you want more flexibility concerning how the security policies are implemented.

Creating a simple security policy

Before you can create a security policy, you must perform the minimal system configuration tasks required according to the needs of your networking environment.
You can use Application Security Manager to create a robust, yet simple, security policy that is tailored to protect your web application. This is the easiest way to create a security policy.
  1. On the Main tab, click
    Security
    Application Security
    Security Policies
    Policies List
    .
    The Policies List screen opens.
  2. Click
    Create New Policy
    .
    You only see this button when no policy is selected.
  3. In the
    Policy Name
    field, type a name for the policy.
  4. Leave
    Policy Type
    , set to
    Security
    .
  5. For
    Policy Template
    , select
    Fundamental
    .
  6. For
    Virtual Server
    , click
    Configure new virtual server
    to specify where to direct application requests.
    1. For
      What type of protocol does your application use?
      , select
      HTTP
      ,
      HTTPS
      , or both.
    2. In the
      Virtual Server Name
      field, type a unique name.
    3. In the
      HTTP Virtual Server Destination
      field, type the address in IPv4 (
      10.0.0.1
      ) or IPv6 (
      2001:ed8:77b5:2:10:10:100:42/64
      ) format, and specify the service port.
      If you want multiple IP addresses to be directed here, use the
      Network
      setting.
    4. In the HTTP Pool Member setting, specify the addresses of the back-end application servers.
    5. From the
      Logging Profile
      list, select a profile such as
      Log illegal requests
      to determine which events are logged on the system.
  7. In the upper right corner, click
    Advanced
    .
    You can use default values for the Advanced settings but it's a good idea to take a look at them.
    • If you selected
      Fundamental
      or
      Comprehensive
      for the
      Policy Template
      ,
      Learning Mode
      is set to
      Automatic
      and
      Enforcement Mode
      is set to
      Blocking
      .
      If you need to change these values, set application language to a value other than
      Auto detect
      .
    • If you know the
      Application Language
      , select it or use
      Unicode (utf-8)
      .
    • To add specific protections (enforcing additional attack signatures) to the policy, for
      Server Technologies
      , select the technologies that apply to the back-end application servers.
    • You can configure trusted IP addresses that you want the security policy to consider safe.
  8. Click
    Create Policy
    to create the security policy.
ASM creates a security policy that immediately starts protecting your application. The enforcement mode of the security policy is set to Blocking. Traffic that is considered to be an attack such as traffic that is not compliant with HTTP protocol, has malformed payloads, uses evasion techniques, performs web scraping, contains sensitive information or illegal values is blocked. Other potential violations are reported but not blocked.
The system examines the traffic to the web application making suggestions for more specifically building the security policy. The Policy Builder selectively learns new entities like file types, parameters, and cookies used in requests to the application. When ASM processes sufficient traffic, it automatically adds the entities to the security policy, and enforces them.
The system applies a basic set of attack signatures to the security policy and puts them in staging (by default, for 7 days). If you specified server technologies, additional attack signatures are included. ASM reports common attacks discovered by comparison to the signatures but does not block these attacks until the staging period is over and they are enforced. That gives you a chance to be sure that these are actual attacks and not legitimate requests.
This is a good point at which send some traffic to test that you can access the application being protected by the security policy and check that traffic is being processed correctly by the BIG-IP system. Send the traffic to the virtual server destination address.

Creating local traffic policy rules for ASM

Before you can use the local traffic policy with ASM, you need a security policy associated with a virtual server.
You can add rules to define conditions and perform specific actions for different types of application traffic in a local traffic policy. This example creates two rules to implement different security protection for different traffic.
  1. On the Main tab, click
    Local Traffic
    Policies
    .
  2. Click the name of the local traffic policy associated with the security policy.
  3. To edit the policy, click
    Create Draft
    .
  4. In the Draft Policies list, click the name of the draft policy.
  5. In the Rules area, click
    Create
    to create a rule that defines when traffic is handled by the security policy.
  6. In the
    Name
    field, type the name
    admin
    .
  7. In the Match all of the following conditions area, click
    +
    and specify these conditions:
    1. For the first condition, select
      HTTP URI
      .
    2. For the second condition, select
      path
      .
    3. For the third condition, select
      begins with
      .
    4. For the fourth condition, by the field below
      any of
      , type
      /admin
      and click
      Add
      .
    This rule looks for requests with a URI that begins with
    /admin
    .
  8. In Do the following when the traffic is matched, click
    +
    and specify the actions:
    1. For the first action, select
      Enable
      .
      For the second action, select
      asm
      .
    2. Next to
      for policy
      , select the security policy you created.
  9. Click
    Save
    to add the rule to the local traffic policy.
    The admin rule is added to the list.
  10. In the Rules area, click the rule called
    default
    .
    The
    default
    rule was added to the local traffic policy when the system created it.
    The screen displays the General Properties of the rule.
  11. To change the default action for all other traffic, in the Do the following when the traffic is matched area, edit the action that is shown there.
    1. For the first action, select
      Disable
      .
    2. For the second action, select
      asm
      .
    3. To save the rule, click
      Save
      .
    The default rule now disables ASM protection for other traffic.
  12. To save the updated policy, click
    Save Draft
    .
    The Policy List Page opens.
  13. Select the check box next to the draft policy you edited, and click
    Publish
    .
You have edited and published the local traffic policy so that administrative traffic must meet the security policy you assigned to it. But other traffic is not subject to that security policy.

Implementation results

When you have completed the steps in this implementation, you have configured the Application Security Manager (ASM) to enforce security policy rules only on traffic with a URI beginning with
/admin
. All other traffic bypasses ASM.
This is simply one way to illustrate how you can use a local traffic policy to determine different conditions and specify multiple actions instead of having all traffic treated the same way. We encourage you to explore the local traffic policy options and documentation to learn how to use this flexible feature to best suit your needs.