Manual Chapter : Working with Security Policy Microservices

Applies To:

BIG-IP ASM

  • 16.0.1, 16.0.0, 15.1.0, 15.0.1, 15.0.0

Working with security policy microservices

An Advanced WAF license is required to use this functionality. A security policy microservice is a combination of Hostname and URL. Microservices allow you to create granular security policy configurations. You can set the microservice response to be different from the rest of the security policy. This allows the security policy to generally respond in one way but, for very specific traffic, to respond in another way. For example:
  • Security policy in Blocking mode with microservices in Transparent mode.
  • Security policy in Blocking mode with Blocking Settings overrides for microservices.
  • Security policy in Transparent mode with microservices in Blocking mode.
Examples of microservices:
  • Web application: hostname=*.example.com, URL=*
  • Add-to-cart microservice: hostname=api.example.com, URL=/api/AddToCart.aspx

Creating a security policy microservice

Ensure that the desired policy is selected at the top of the Microservices screen.
Once a microservice is created, its name cannot be changed. The Hostname and the URL may each be a pure wildcard (*) or a non-pure wildcard, but they cannot both be a pure wildcard at the same time: Hostname = * and URL = * is not supported, because it would match all hostnames and all URLs.
  1. On the Main tab, click Security > Application Security > Microservices.
  2. Click Create.
  3. Select whether the Hostname is a Wildcard or Explicit Hostname and enter the Hostname.
    The hostname can be an fnmatch regular expression. IPv4 and IPv6 addresses are supported.
  4. Select whether the URL is a Wildcard or Explicit URL and enter the URL.
    The URL can be an fnmatch regular expression. The URL can be HTTP, HTTPS or a websocket. The URL does not need to exist in the Allowed URLs in the selected policy.
    The URL Wildcard Match Includes Slashes option is only available for wildcard URLs and is enabled by default. A wildcard starting with * must have this enabled or no matches will be found, because the wildcard would otherwise reject the leading slash in every URL.
  5. Select the Enforcement Mode for the microservice.
    Policy Default: The default security policy enforcement is applied to this microservice, i.e. if the default enforcement is Transparent, it remains Transparent; if Blocking, it remains Blocking.
    Transparent: The policy is not enforced for this microservice, even if the security policy enforcement is Blocking.
    Blocking: The policy is enforced for this microservice, even if the security policy enforcement is Transparent.
  6. Select which, if any, Evasion technique detected violations to override and how.
    You can override all Evasion technique detected configurations by selecting Override Violation at the top of the list. Modify the Learn, Alarm and Block settings to match your desired behavior.
    You can override specific subviolations by selecting Override for that subviolation. Modify the Enable and Learn settings to match your desired behavior.
  7. Select which, if any, HTTP protocol compliance failed violations to override and how.
    You can override all HTTP protocol compliance failed configurations by selecting Override Violation at the top of the list. Modify the Learn, Alarm and Block settings to match your desired behavior.
    You can override specific subviolations by selecting Override for that subviolation. Modify the Enable and Learn settings to match your desired behavior.
    If a violation is overridden globally and Enable, Alarm and Block are disabled, then you cannot override and enable them for subviolations.
  8. Click Save to save the microservice.
The newly created microservice is added to the top of the list below the Default microservice.
The matching priority for enforcement is according to the order of the microservices list. Drag and drop a microservice to move it within the list. The Default microservice shows the policy enforcement and cannot be moved.
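As an added illustration (not code from this chapter or from F5), the following Python model shows how the rules above combine: the ordered microservice list is searched top-down, the first microservice whose Hostname and URL both match wins, a microservice set to Policy Default inherits the policy's mode while Transparent and Blocking override it, and the both-pure-wildcard combination is rejected. It assumes fnmatch semantics for patterns, assumes that the Default microservice acts as the fallback carrying the policy's own enforcement mode, and models URL Wildcard Match Includes Slashes = off as `*` refusing to match `/`. The microservice list is constructed from the chapter's two examples.

```python
"""Constructed model of how an ordered microservice list selects the
enforcement mode for a request (added illustration, not F5's code)."""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Microservice:
    name: str
    hostname: str                        # fnmatch pattern or explicit host
    url: str                             # fnmatch pattern or explicit path
    enforcement: str = "Policy Default"  # "Policy Default", "Transparent" or "Blocking"
    url_wildcard_includes_slashes: bool = True


def is_pure_wildcard(pattern: str) -> bool:
    return pattern == "*"


def validate(ms: Microservice) -> Microservice:
    """Reject the one combination the chapter calls unsupported: both pure wildcards."""
    if is_pure_wildcard(ms.hostname) and is_pure_wildcard(ms.url):
        raise ValueError(f"{ms.name}: Hostname = * with URL = * is not supported")
    if ms.enforcement not in ("Policy Default", "Transparent", "Blocking"):
        raise ValueError(f"{ms.name}: unknown enforcement mode {ms.enforcement!r}")
    return ms


def url_matches(pattern: str, path: str, includes_slashes: bool) -> bool:
    """fnmatch-style URL match. With the option off, '*' and '?' are modelled
    (assumption) as not matching '/', so a pattern beginning with '*' can never
    absorb the leading slash of a request path. Character classes are not modelled."""
    if includes_slashes:
        return fnmatch.fnmatchcase(path, pattern)
    regex = "".join(
        "[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, path) is not None


def resolve(policy_mode: str, services: List[Microservice], host: str, path: str) -> Tuple[str, str]:
    """Return (matched microservice name, effective enforcement mode).

    Microservices are tried in list order and the first hostname+URL match wins.
    Assumption: the Default microservice is the fallback and carries the
    policy's own enforcement mode."""
    for ms in services:
        if fnmatch.fnmatchcase(host, ms.hostname) and url_matches(
            ms.url, path, ms.url_wildcard_includes_slashes
        ):
            mode = policy_mode if ms.enforcement == "Policy Default" else ms.enforcement
            return ms.name, mode
    return "Default", policy_mode


# Constructed list mirroring the chapter's two examples, ordered so the more
# specific add-to-cart microservice is checked before the site-wide one.
SERVICES = [
    validate(Microservice("add-to-cart", "api.example.com", "/api/AddToCart.aspx", "Blocking")),
    validate(Microservice("web-app", "*.example.com", "*", "Transparent")),
]

if __name__ == "__main__":
    for host, path in [
        ("api.example.com", "/api/AddToCart.aspx"),
        ("www.example.com", "/index.html"),
        ("other.example.org", "/"),
    ]:
        print(host, path, "->", resolve("Blocking", SERVICES, host, path))
```

Passing `list(reversed(SERVICES))` to `resolve` makes the site-wide web-app microservice catch the add-to-cart request first and downgrade it to Transparent, which is why the list order (and drag-and-drop reordering) matters. Likewise, `url_matches("*", "/index.html", False)` returns False, reproducing the chapter's warning that a wildcard starting with * needs the slash option enabled.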

Viewing microservice suggestions

Once you have configured microservices you can view the high and low scoring learning suggestions for each microservice.
Suggestions for HTTP protocol compliance and Evasion technique detected may be accepted on one or more selected microservices or globally in a policy. With the microservice suggestion information, you can see if a configured microservice is well-suited to the virtual server(s) it is applied to and decide when to change the microservice's enforcement mode from transparent to blocking.
  1. On the Main tab, click Security > Application Security > Policy Building > Traffic Learning.
    With no suggestion selected, the Traffic Learning Summary displays in the right pane, including the Enforcement by Microservice table.
  2. In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. In the right pane, click Enforcement By Microservice to open the table and view any microservice suggestions.
If no suggestions have been generated for a microservice, you can switch it from transparent mode to blocking mode. If suggestions have been generated for a microservice, click on the suggestion count to view the suggestions. You can change the enforcement mode as needed. You may need to create additional microservices to best serve the traffic and server type.

Viewing microservice requests

Once you have configured microservices, you can view the requests relevant to each microservice. A microservice is displayed only if it has at least one request.
All configured microservices that have generated requests are listed, along with each microservice's security policy and virtual server. The numbers of illegal and blocked requests are listed for each microservice, as well as any detected signature.
  1. On the Main tab, click Security > Event Logs > Application > Requests.
    With no request selected, the Requests Log Summary displays in the right pane, including the Microservices table.
  2. In the right pane, click Microservices to open the table and view the microservice suggestions with high and low scores.