Manual Chapter : Configuring General ASM System Options

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 14.1.2, 14.1.0
Manual Chapter

Configuring General ASM System Options

Changing your system preferences

You can change the default user interface and system preferences for the Application Security Manager (ASM), and configure which fields are displayed in the Request List of the Reporting screen.
  1. On the Main tab, click
    Security
    Options
    Application Security
    Preferences
    .
  2. In the GUI Preferences area, for
    Records Per Screen
    , type the number of entries to display (between 1-100). (The default value is
    20
    .)
    This setting determines the maximum number of security policies, file types, URLs, parameters, flows, headers, and XML and JSON profiles to display in lists throughout ASM.
  3. For
    Titles Tooltip Settings
    , select an option for how to display tooltips.
    Option
    Description
    Do not show tooltips
    Never display tooltips or icons.
    Show tooltip icons
    Display an icon if a tooltip is available for a setting, show the tooltip when you move the cursor over the icon.
    Show tooltips on title mouseover
    Do not display an icon, but show the tooltip when you move the cursor over the setting name. This is the default setting.
  4. For
    Default Configuration Level
    , select
    Advanced
    to display all possible settings, or
    Basic
    to display only the essential settings, on screens with that option.
    The default is
    Basic
    .
  5. For
    Apply Policy Confirmation Message
    , you can specify whether to display a popup message asking if you want to perform the
    Apply Policy
    operation each time you change a security policy.
  6. If you are using a high-availability configuration, for the
    Sync
    setting, select the
    Recommend Sync when Policy is not applied
    check box to display the Sync Recommended message at the top of the screen when you change a security policy, to remind you to perform a ConfigSync with the peer device.
  7. For the
    Logging
    setting, select the
    Write all changes to Syslog
    check box to record all changes made to security policies in the Syslog (
    /var/log/asm
    ).
    The system continues to log system data regardless of whether you enable policy change logging.
  8. Click
    Save
    to save your settings.
The adjusted settings are used throughout the ASM system.

Adjusting system variables

System variables control how Application Security Manager (ASM) works. They apply system-wide. You can review and adjust the values of the system variables if the default values are not appropriate for your installation.
You generally do not need to change the default values of the system variables. F5 Networks recommends that you consult with technical support before adjusting them.
  1. On the Main tab, click
    Security
    Options
    Application Security
    Advanced Configuration
    System Variables
    .
    The System Variables screen opens.
  2. Locate the system variable you want to change and view the description.
  3. In the
    Parameter Value
    field, type the new value for the variable.
  4. Click
    Update
    .
    If the value you typed is not valid, the system displays a message indicating the valid range or values.
  5. On the Main tab, click
    System
    Configuration
    Device
    General
    , and click
    Reboot
    to restart the system using the new value.
    If using device management to synchronize ASM systems, you must restart ASM on all of the systems in the device group for the change to take effect on all of them.
    If the parameter name is shown in boldface text, the value has been changed from the default. The default value is displayed below the parameter value.
The system uses the adjusted value for the system variable. On the System Variables screen, you can click
Restore Defaults
to change the values back to their original values.

Changing ASM cookies

If you are working in a cluster, all devices have to be in one device group and in the same partitions in the same failover group for cookie renaming to work. Sync-only groups will not sync.
You can customize the ASM policy and L7-DoS cookie prefixes to suit your installation. The cookie_httponly_attr system variable can be changed through the GUI or shell; the rest can be changed through the shell.
  1. On the Main tab, click
    Security
    Options
    Application Security
    Advanced Configuration
    System Variables
    .
    The System Variables screen opens.
  2. Locate the system variable
    cookie_httponly_attr
    and open it.
  3. In the
    Parameter Value field
    update the value.
  4. Click
    Update
    .
  5. On the Main tab, click
    System
    Configuration
    Device
    General
    , and click
    Reboot
    to restart the system using the new value.
    If using device management to synchronize ASM systems, you must restart ASM on all of the systems in the device group for the change to take effect on all of them.
The system uses the adjusted value for the system variable. On the System Variables screen, you can click
Restore Defaults
to change the values back to their original values.
Use the system variables accessible through the shell for additional cookie editing.

ASM and L7 system variables

Use these system variables to modify ASM and L7 cookies.
Variable
Description
Applies to
Requires ASM Restart
asm.cookie_prefix
Prefix for the names of the ASM cookies
ASM, L7-DoS
Yes
asm.cookie_revision_base
This value is arithmetically added to the cookie revision number, which is currently 1. The result is represented in Hex.
ASM
Yes
asm.cookie_suffix_base
This value is arithmetically added to the cookie type
ASM, L7-DoS
Yes
dosl7.proactive_defense_cookie_name
Cookie name for the Device ID cookie generated by PBD and key name for the browser local storage of the Device ID.
L7-DoS
No
dosl7.proactive_defense_prefix
The prefix for several cookies used in Proactive Bot Defense special scenarios: cross-domain and PRG pattern.
L7-DoS
No
did.local_storage_name
The key of the local storage in browser for the fingerprint and Device ID information
L7-DoS
No
asm.strip_asm_cookies
Whether to remove ASM and L7-DoS cookies in request before forwarding to server
ASM, L7-DoS
No
cookie_httponly_attr
Whether to add "httpOnly" to all pure server-side ASM cookies.
ASM
No
For example, to change the ASM cookie prefix value, on the command line, type:
(tmos)# modify sys db asm.cookie_prefix value My_Fancy_Cookie_Name_Prefix

Incorporating external antivirus protection

Before you can incorporate antivirus protection, you need to have an ICAP server setup in your network.
You can configure the Application Security Manager (ASM) to connect with an Internet Content Adaptation Protocol (ICAP) server to check requests for viruses. (ASM was tested with McAfee VirusScan, Trend Micro InterScan, Symantec Protection Engine, and Kaspersky Antivirus products, and may work with others.) You can also set up antivirus checking for HTTP file uploads and SOAP web service requests.
  1. On the Main tab, click
    Security
    Options
    Application Security
    Integrated Services
    Anti-Virus Protection
    .
    The Anti-Virus Protection screen opens.
  2. For the
    Server Host Name/IP Address
    setting, type the fully qualified domain name of the ICAP server, or its IP address.
    If you specify the host name, you must first configure a DNS server by selecting
    System
    Configuration
    Device
    DNS
    .
  3. For
    Server Port Number
    , type the port number of the ICAP server.
    The default value is
    1344
    .
  4. If you want to perform virus checking even if it may slow down the web application, select the
    Guarantee Enforcement
    check box.
  5. Click
    Save
    to save your settings.
  6. On the Main tab, click
    Security
    Application Security
    Policy Building
    Learning and Blocking Settings
    .
    The Learning and Blocking Settings screen opens.
  7. For each security policy, configure, as needed, the blocking policy for antivirus protection.
    1. Ensure that the
      Current edited policy
      is the one for which you want antivirus protection.
    2. Expand
      Policy General Features
      and for the
      Virus Detected
      violation, select either or both of the
      Alarm
      and
      Block
      check boxes.
      To set the violation to
      Block
      , the
      Enforcement Mode
      must be set to
      Blocking
      .
    3. Click
      Save
      to save the settings.
  8. For each security policy, configure, as needed, antivirus scanning for file uploads or SOAP attachments.
    Performing antivirus checks on file uploads may slow down file transfers.
    1. On the Main tab, click
      Security
      Application Security
      Integrated Services
      Anti-Virus Protection
      .
    2. Ensure that the
      Current edited policy
      is the one that may include HTTP file uploads or SOAP requests.
    3. To have the external ICAP server inspect file uploads for viruses before releasing the content to the web server, select the
      Inspect file uploads within HTTP requests
      check box.
    4. To perform anti-virus scanning on SOAP attachments, if the security policy includes one or more XML profiles, in the
      XML Profiles
      setting, move the profiles from the
      Antivirus Protection Disabled
      list to the
      Antivirus Protection Enabled
      list. Alternately, click
      Create
      to quickly add a new XML profile, with default settings, to the configuration. You can then add the new profile to the
      Antivirus Protection Enabled
      list.
    5. Click
      Save
      to save the settings.
  9. To put the security policy changes into effect immediately, click
    Apply Policy
    .
If the
Virus Detected
violation is set to Alarm or Block in the security policy, the system sends requests with file uploads to an external ICAP server for inspection. The ICAP server examines the requests for viruses and, if the ICAP server detects a virus, it notifies ASM, which then issues the
Virus Detected
violation.
If antivirus checking for HTTP file uploads and SOAP web service requests is configured, the system checks the file uploads and SOAP requests before releasing content to the web server.

Creating user accounts for application security

User accounts on the BIG-IP system are assigned a user role that specifies the authorization level for that account. While an account with the user role of Administrator can access and configure everything on the system, you can further specialize administrative accounts for application security.
  1. On the Main tab, click
    System
    Users
    .
  2. Click
    Create
    .
    The New User properties screen opens.
  3. From the
    Role
    list, select a user role for security policy editing.
    • To limit security policy editing to a specific administrative partition, select
      Application Security Editor
      .
    • To allow security policy editing on all partitions, select
      Application Security Administrator
      .
  4. If you selected
    Application Security Editor
    , then from the
    Partition Access
    list, select the partition in which to allow the account to create security policies.
    You can select a single partition name or
    All
    .
  5. From the
    Terminal Access
    list, select whether to allow console access using
    tmsh
    commands.
  6. Click
    Finished
    .
The BIG-IP system now contains a new user account for administering application security.
  • Application Security Editors have permission to view and configure most parts of the Application Security Manager on specified partitions.
  • Application Security Administrators have permission to view and configure all parts of the Application Security Manager, on all partitions. With respect to application security objects, this role is equivalent to the Administrator role.

Validating regular expressions

The RegExp Validator is a system tool designed to help you validate your regular expression syntax. You can type a regular expression in the RegExp Validator, provide a test string pattern, and let the tool analyze the data. The tool is included with Application Security Manager.
  1. Click
    Security
    Options
    Application Security
    RegExp Validator
  2. From the
    RegExp Type
    list, select either
    PCRE
    or
    RE2
    (recommended) as the RegExp engine.
    As of BIG-IP version 11.2, the system’s regular expression library and signatures changed from PCRE to RE2 to increase performance and lower false positives. The system still supports the PCRE library for systems that have user-defined signatures configured in PCRE.
  3. Specify how you want the validator to work:
    • In the
      RegExp
      field, type the regular expression you want to validate.
    • Or in the
      RegExp
      field, type the regular expression to use to verify a test string, and then in the
      Test String
      field, type the string.
  4. Click the
    Validate
    button.
    The screen shows the results of the validation.
The validation result indicates whether the regular expression is valid or not. The first RegExp match displays the result of the verification check (if specified) including if there are matches or not.