Manual Chapter: General Configuration Options for BIG-IP DataSafe Profiles and URLs

Applies To:

BIG-IP ASM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

Configuring advanced general settings on a profile

Configure advanced general settings on BIG-IP DataSafe profiles if you want to change the default settings that the BIG-IP system assigns to profiles.
  1. On the Main tab, click Security > Data Protection > BIG-IP DataSafe.
     The BIG-IP DataSafe screen opens.
  2. From the list of profiles, select the relevant profile.
     The DataSafe Profile Properties screen opens.
  3. In the General Settings area of the DataSafe Profile Properties screen, click Advanced.
     The Advanced settings appear.
  4. In the Alert Path field, use the automatically generated path, or define your own path.
     If you define your own path, ensure that the path is not used by any other field in the profile and that it is not an already existing URL.
  5. In the Alert Token Header field, use the default header or type a header that will be added to alerts that are generated on the client side by JavaScript.
     This header secures communication between the client's browser and the BIG-IP system.
  6. In the Suggested Username Header field, use the default header or type a header that will be added to AJAX requests when the BIG-IP system detects an AJAX login attempt, which is common for single-page applications.
     With this header, the BIG-IP system can detect the username that was used for the login. The client sends this header only for URLs in the profile that have a parameter set as Identify as Username.
  7. For the JavaScript Directory field, use the automatically generated path, or define your own.
     This path specifies the location of the main BIG-IP DataSafe JavaScript; it does not include the actual file name of the JavaScript.
     Change this path only if your application already uses a directory with the same path as the automatically assigned default path.
  8. For the JavaScript Configuration Directory field, use the automatically generated path, or define your own path that specifies the location of the BIG-IP DataSafe JavaScript containing profile configuration settings.
     This path specifies the location of the configuration JavaScript; it does not include the actual file name of the JavaScript.
     Change this path only if your application already uses a directory with the same path as the automatically assigned default path.
  9. For the JavaScript Removal Location field, use the automatically generated path, or define your own path that specifies the location of the image file that the system uses for detecting a JavaScript removal attack.
  10. For Threat Analytics Path, use the default path or define your own path for sending data to the Threat Analytics Platform (if enabled).
  11. For JavaScript Grace Threshold, change the default value if you want to raise or lower the maximum amount of time (in seconds) permitted between when a protected web page is loaded and when its injected JavaScript activates.
  12. For the Collect Geolocation Coordinates setting, select the Enabled check box if you want the client to ask the end user to grant permission to add geolocation coordinates to alerts.
  13. Leave the Additional function to be run before JavaScript load field blank unless instructed otherwise by F5.
  14. If your profile includes one or more URLs that contain SPA views, for Referrer Info Header, use the default header value or assign your own header value that the BIG-IP system uses to identify SPA views.
  15. For the Prevent duplicate alerts from Client Side setting, select the Enabled check box to prevent the client from sending an alert whose information is identical to an alert that the same client already sent during the past 24 hours.
  16. For Maximum Length of HTML Attached to Test Alert, use the default length or type a number for the maximum length (in bytes) of the HTML attached to a test alert.
  17. Click Save.
     The BIG-IP system saves the changes that you made to the advanced settings.

Enable an iRule to handle logins and alerts

Enabling iRules® to handle logins and alerts is relevant only if you have written an iRule that handles the ANTIFRAUD_ALERT event or the ANTIFRAUD_LOGIN event, and that iRule is associated with the same virtual server as your profile.
Enable an iRule to handle logins and alerts if you want to use an iRule to disable alerts or record login events.
  1. On the Main tab, click Security > Data Protection > BIG-IP DataSafe.
     The BIG-IP DataSafe screen opens.
  2. From the list of profiles, select the relevant profile.
     The DataSafe Profile Properties screen opens.
  3. In the General Settings area of the DataSafe Profile Properties screen, click Advanced.
     The Advanced settings appear.
  4. In the Trigger iRule Events setting, select the Enabled check box.
  5. Click Save.
     iRules are now enabled to handle logins and alerts.

iRule events

iRules® can subscribe to the ANTIFRAUD_ALERT event and the ANTIFRAUD_LOGIN event in BIG-IP DataSafe.

iRule event        Description
ANTIFRAUD_ALERT    Occurs when alerts are sent to the BIG-IP system.
ANTIFRAUD_LOGIN    Occurs when a user successfully logs in to the profile. If login validation is not configured, this event can occur as soon as the user name is identified.

iRule Examples

The following example shows how an iRule uses the ANTIFRAUD_ALERT event to log all available information about an alert that was sent to the BIG-IP system to the location /var/log/ltm.

    when ANTIFRAUD_ALERT {
        log local0. "=========Anti-Fraud Alert========="
        log local0. "Alert Identifier: [ANTIFRAUD::alert_id]"
        log local0. "Alert Type: [ANTIFRAUD::alert_type]"
        log local0. "Alert Component: [ANTIFRAUD::alert_component]"
        log local0. "Alert Details: [ANTIFRAUD::alert_details]"
        log local0. "Alert GUID: [ANTIFRAUD::alert_guid]"
        log local0. "Alert Device ID: [ANTIFRAUD::alert_device_id]"
        log local0. "Alert License ID: [ANTIFRAUD::alert_license_id]"
        log local0. "Alert Score: [ANTIFRAUD::alert_score]"
        log local0. "Alert Username: [ANTIFRAUD::alert_username]"
        log local0. "Alert HTTP Referrer: [ANTIFRAUD::alert_http_referrer]"
        log local0. "Alert Additional Info: [ANTIFRAUD::alert_additional_info]"
    }

The following example shows how an iRule uses the ANTIFRAUD_ALERT event to disable a specific alert according to its type.

    when ANTIFRAUD_ALERT {
        if { [ANTIFRAUD::alert_type] eq "components_validation" } {
            log local0. "Alert Type is components validation"
            ANTIFRAUD::disable_alert
            log local0. "Disabled Alert"
        }
    }

The following example shows how an iRule uses the ANTIFRAUD_LOGIN event with its commands.

    when ANTIFRAUD_LOGIN {
        log local0. "=========Anti-Fraud Login========="
        # read mode
        log local0. "Username: [ANTIFRAUD::username]"
        log local0. "GUID: [ANTIFRAUD::guid]"
        # write mode
        ANTIFRAUD::username "other_user"
    }

Values for iRule commands

The following values can be used in iRule commands:

Value                     Description
alert_id                  For example, d4.
alert_type                The type of alert.
alert_component           An error type that is determined according to the alert_type.
alert_details             Additional information regarding the alert.
alert_device_id           Persistent browser identifier.
alert_license_id          crc32 of the license id in hex.
alert_transaction_data    Key-value list of all parameters marked to be attached.
alert_username            When this command is used without any additional arguments, this is the name of the user who triggered the alert. It is possible to use additional arguments to override the current user name (write mode), as shown in the ANTIFRAUD_LOGIN example above.
alert_http_referrer       The URL of the site that was visited just before the Alert URL was visited.
alert_additional_info     Shows additional information about the alert, such as the "parameter values too long" error message.
disable_alert             Disables the current alert.

For more information about iRules, go to F5 Networks DevCentral (https://devcentral.f5.com/irules).
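The following iRule is an added example and is not part of this manual or of F5's own code; it combines the two events above into a single defensive workflow: suppressing only those alert types an operator has listed in a string data group, and only when the alert score is low, forwarding every other alert to a SIEM over High-Speed Logging, and normalizing the detected username in write mode so that login events and alerts for the same account correlate. The data group name datasafe_suppressed_alert_types, the HSL pool name siem_syslog_pool, the score threshold of 50 and the key=value log layout are assumptions, not product settings.

```tcl
# Added example, not from the F5 manual. Assumed objects (placeholders):
#   - string data group "datasafe_suppressed_alert_types": alert types that an
#     operator has reviewed and accepted as noise for this application
#   - HSL pool "siem_syslog_pool": the SIEM's syslog collectors
#   - score threshold 50: a placeholder, tune it to the scores you observe
when ANTIFRAUD_ALERT {
    set alert_type  [ANTIFRAUD::alert_type]
    set alert_score [ANTIFRAUD::alert_score]

    # Suppress only alert types explicitly listed by an operator, and only
    # when the score is numeric and low; everything else is forwarded.
    if { [class match $alert_type equals datasafe_suppressed_alert_types]
         && [string is double -strict $alert_score] && $alert_score < 50 } {
        log local0. "DataSafe: suppressed id=[ANTIFRAUD::alert_id] type=$alert_type score=$alert_score"
        ANTIFRAUD::disable_alert
        return
    }

    # Forward the alert as one key=value line over HSL (UDP syslog; PRI 134 is
    # local0.info) so it reaches the SIEM even when /var/log/ltm rotates.
    # Backslash-newline inside the quoted string collapses to a single space.
    set hsl [HSL::open -proto UDP -pool siem_syslog_pool]
    HSL::send $hsl "<134>datasafe_alert id=[ANTIFRAUD::alert_id] type=$alert_type\
        component=[ANTIFRAUD::alert_component] score=$alert_score\
        user=[ANTIFRAUD::alert_username] device=[ANTIFRAUD::alert_device_id]\
        guid=[ANTIFRAUD::alert_guid] referrer=[ANTIFRAUD::alert_http_referrer]\n"
}

when ANTIFRAUD_LOGIN {
    # Normalize the detected username (trim, lowercase) in write mode so that
    # "Alice@Example.com" and "alice@example.com" map to one account in alerts.
    set raw_user [ANTIFRAUD::username]
    set user [string tolower [string trim $raw_user]]
    if { $user ne $raw_user } {
        ANTIFRAUD::username $user
    }
    log local0. "DataSafe: login user=$user guid=[ANTIFRAUD::guid]"
}
```

The iRule only takes effect when Trigger iRule Events is enabled on the profile (see the previous task) and the iRule is attached to the profile's virtual server.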

Configuring SPA views

Configuring SPA views on a URL is relevant only if your web site is a single-page application (SPA).
You configure SPA views to provide BIG-IP DataSafe protection to the SPA views on a URL.
  1. On the Main tab, click Security > Data Protection > BIG-IP DataSafe.
     The BIG-IP DataSafe screen opens.
  2. From the list of profiles, select the relevant profile.
     The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
     The URL List opens.
  4. In the URL List, click the Add View button in the row of the URL where you want to add a view.
     The Create New View screen opens.
  5. In the View field, type a name for the view.
  6. Click Advanced.
  7. Leave the Additional function to be run before JavaScript load field blank unless instructed otherwise by F5.
  8. For the Destination URLs setting, add URLs that should receive protected data from this view.
     Adding URLs here allows you to use the parameters that are configured on this view on the destination URL as well, without having to re-configure them on the destination URL. This setting is relevant only when sending data by Ajax and in a form format (not JSON format).
  9. Click Create.
     The BIG-IP system creates the view and the DataSafe Profile Properties screen opens.

Applying the BIG-IP DataSafe Main JavaScript on SPA views not in the profile

This task is relevant only if your URL contains SPA views that are not configured on the BIG-IP DataSafe profile.
Apply the BIG-IP DataSafe main JavaScript to SPA views that are not configured on your BIG-IP DataSafe profile if you want those views to be protected by the BIG-IP DataSafe main JavaScript.
SPA views that are configured on your BIG-IP DataSafe profile are automatically protected by the Main JavaScript if Inject Main JavaScript is enabled on the URL.
  1. On the Main tab, click Security > Data Protection > BIG-IP DataSafe.
     The BIG-IP DataSafe screen opens.
  2. From the list of profiles, select the relevant profile.
     The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
     The URL List opens.
  4. In the URL List, click the relevant URL.
     The URL Properties screen opens.
  5. Click Advanced in the General Settings screen.
  6. Verify that the Enabled check box for Fallback to Base URL is selected.
  7. Click Save.

Cloning a profile

If you want to create a new profile with settings identical to an existing profile, you can clone the profile. Unlike parent-child profiles, the cloned profile is not dependent on the original one, and any changes made to the original profile after cloning are not inherited by the previously cloned profile.
A cloned profile inherits all properties from the original profile, including all URL properties.
  1. On the Main tab, click Security > Data Protection > BIG-IP DataSafe.
     The BIG-IP DataSafe screen opens.
  2. Select the check box next to the profile that you want to clone.
  3. Click the Clone button.
     The Clone Profile pop-up screen opens.
  4. In the Clone Profile pop-up screen, assign a profile name and (optionally) a description.
  5. Click Clone.
     The cloned profile is created and appears in the list of profiles in the DataSafe Profiles screen.

Cloning a URL or view

You can clone a URL or SPA view if you want to create a new URL or view that inherits some or all of the settings on an existing URL or view.
  1. On the Main tab, click Security > Data Protection > BIG-IP DataSafe.
     The BIG-IP DataSafe screen opens.
  2. From the list of profiles, select the profile with the URL you want to clone.
     The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
     The URL List opens.
  4. Select the check box next to the URL or view that you want to clone.
  5. Click the Clone button.
     The Clone URL (or Clone View) pop-up screen opens.
  6. In the pop-up screen, assign a URL path or view name and (optionally) a description.
  7. If you are cloning a URL, do the following:
     1. If you don't want to encrypt data on the web page of the new URL, disable the Inject JavaScript setting.
     2. If the source URL contains SPA views and you want the new URL to inherit those views, select the Enabled check box by Views.
  8. If you want the new URL or view to inherit all the parameters configured on the source URL or view, select the Enabled check box by Parameters.
  9. Click the Clone button in the pop-up screen.
     Once the new URL/view is created, there is no further dependency on the source URL/view, and any future changes made to the source URL/view are not inherited by the new URL/view.
The BIG-IP system creates the new URL/view.

Configuring a URL or View parameter that uses an HTML tag attribute other than Name or ID

To define a parameter with the Selector attribute, either Ajax Encryption or Check AJAX Payload for Data Manipulation must be enabled on the URL or View.
Configure a URL or View parameter with the Selector attribute if you want to provide BIG-IP DataSafe protection to a parameter that uses an HTML tag attribute other than Name or ID.
  1. In the DataSafe Configuration area of your profile, click URL List.
     The URL List opens.
  2. In the URL List, click the relevant URL or View.
     The URL/View Properties screen opens.
  3. In the URL Configuration (or View Configuration) area, select Parameters.
     The Parameters list is displayed.
  4. Click the Add button.
     The Parameter Settings screen opens.
  5. In the Parameter Name field, assign a name using CSS selector syntax and ensure that Explicit (and not Wildcard) is selected.
     For example, to configure a parameter with the CSS class myinputs, you need to assign .myinputs as the parameter name.
  6. Select the Enabled check box by Selector.
  7. Click Create.
     The Parameters list is displayed and the parameter that you created is listed.