Manual Chapter : Working with Security Policy Microservices

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 14.1.3, 14.1.2, 14.1.0
Manual Chapter

Working with Security Policy Microservices

Working with security policy microservices

An Advanced WAF license is required to use this functionality. A security policy microservice is a combination of Hostname and URL. Microservices allow you to create granular security policy configurations. You can set the microservice response to be different from the rest of the security policy. This allows the security policy to generally respond in one way but, for very specific traffic, to respond in another way. For example:
  • Security policy in Blocking mode with microservices in Transparent mode.
  • Security policy in Blocking mode with Blocking Settings overrides for microservices.
  • Security policy in Transparent mode with microservices in Blocking mode.
Examples of microservices:
  • Web application: hostname=*.example.com, URL=*
  • Add-to-cart microservice: hostname=api.example.com, URL=/api/AddToCart.aspx

Creating a security policy microservice

Ensure that the desired policy is selected at the top of the Microservices screen.
Once a microservice is created, the microservice's name cannot be changed. Both the Hostname and URL may be pure or non-pure wildcards but they cannot both be a pure wildcard at the same time. This means that Hostname = * and URL = * is not supported as it means all hostnames and all URLs.
  1. On the Main tab, click
    Security
    Application Security
    Microservices
    .
  2. Click
    Create
  3. Select whether the Hostname is a
    Wildcard
    or
    Explicit
    Hostname and enter the Hostname.
    The hostname can be an fnmatch regular expression. IPv4 and IPv6 addresses are supported.
  4. Select whether the URL is a
    Wildcard
    or
    Explicit
    URL and enter the URL.
    The URL can be an fnmatch regular expression. The URL can be HTTP, HTTPS or a websocket. The URL does not need to exist in the Allowed URLs in the selected policy.
    The
    URL Wildcard Match Includes Slashes
    option is only available for wildcard URLs and is enabled by default. A wildcard starting with * must have this enabled or no matches will be found because the wildcard will reject the leading slash in every URL.
  5. Select the
    Enforcement Mode
    for the microservice.
    Policy Default
    The default security policy enforcement is enforced for this microservice, i.e. if the default enforcement is Transparent, it will remain Transparent; if Blocking, it will remain Blocking.
    Transparent
    The policy is not enforced for this microservice, even if the security policy enforcement is Blocking.
    Blocking
    The policy is enforced for this microservice, even if the security policy enforcement is Transparent.
  6. Select which, if any,
    Evasion technique detected
    violations to override and how.
    You can override all Evasion technique detected configurations by selecting
    Override Violation
    at the top of the list. Modify the
    Learn
    ,
    Alarm
    and
    Block
    settings to match your desired behavior.
    You can override specific subviolations by selecting
    Override
    for that subviolation. Modify the
    Enable
    and
    Learn
    settings to match your desired behavior.
  7. Select which, if any,
    HTTP protocol compliance failed
    violations to override and how.
    You can override all HTTP protocol compliance failed configurations by selecting
    Override Violation
    at the top of the list. Modify the
    Learn
    ,
    Alarm
    and
    Block
    settings to match your desired behavior.
    You can override specific subviolations by selecting
    Override
    for that subviolation. Modify the
    Enable
    and
    Learn
    settings to match your desired behavior.
    If a violation is overridden globally and Enable, Alarm and Block are disabled then you cannot override and enable them for subviolations.
  8. Click
    Save
    to save the microservice.
The newly created microservice is added to the top of the list below the Default microservice.
The matching priority for enforcement is according to the order of the microservices list. Drag and drop a microservice to move it within the list. The Default microservice shows the policy enforcement and cannot be moved.

Viewing microservice suggestions

Once you have configured microservices you can view the high and low scoring learning suggestions for each microservice.
Suggestions for HTTP protocol compliance and Evasion technique detected may be accepted on one or more selected microservices or globally in a policy. With the microservice suggestion information, you can see if a configured microservice is well-suited to the virtual server(s) it is applied to and decide when to change the microservice's enforcement mode from transparent to blocking.
  1. On the Main tab, click
    Security
    Application Security
    Policy Building
    Traffic Learning
    .
    With no suggestion selected, the Traffic Learning Summary displays in the right pane, including the Enforcement by Microservice table.
  2. In the
    Current edited security policy
    list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. In the right pane, click
    Enforcement By Microservice
    to open the table and view any microservice suggestions.
If no suggestions have been generated for a microservice, you can switch it from transparent mode to blocking mode. If suggestions have been generated for a microservice, click on the suggestion count to view the suggestions. You can change the enforcement mode as needed. You may need to create additional microservices to best serve the traffic and server type.

Viewing microservice requests

Once you have configured microservices you can view any requests relevant to each microservice. A microservice is displayed only if it has a request.
All configured microservices, which have generated requests, are listed, along with each microservice's security policy and virtual server. The number of illegal and blocked requests are listed for each microservice as well as a detected signature.
  1. On the Main tab, click
    Security
    Event Logs
    Application
    Requests
    .
    With no request selected, the Requests Log Summary displays in the right pane, including the Microservices table.
  2. In the right pane, click
    Microservices
    to open the table and view the microservice suggestions with high and low scores.