Manual Chapter: General Configuration Options for BIG-IP DataSafe Profiles and URLs
Applies To:
BIG-IP ASM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
Configuring advanced general settings on a profile
Configure advanced general settings on BIG-IP DataSafe™ profiles if you want to change the default settings that the BIG-IP system assigns to profiles.
- On the Main tab, click. The BIG-IP DataSafe screen opens.
- From the list of profiles, select the relevant profile. The DataSafe Profile Properties screen opens.
- In the General Settings area of the DataSafe Profile Properties screen, click Advanced. The Advanced settings appear.
- In the Alert Path field, use the automatically generated path, or define your own path. If you define your own path, ensure that the path is not used by any other field in the profile and that it is not an already existing URL.
- In the Alert Token Header field, use the default header or type a header that will be added to alerts that are generated on the client-side by JavaScript. This header secures communication between the client's browser and the BIG-IP system.
- In the Suggested Username Header field, use the default header or type a header that will be added to AJAX requests when the BIG-IP system detects an AJAX login attempt, which is common for Single Page Applications. With this header, the BIG-IP system can detect the username that was used for the login. The client sends this header only for URLs in the profile that have a parameter set as Identify as Username.
- For the JavaScript Directory field, use the automatically generated path, or define your own. This path specifies the location of the main BIG-IP DataSafe JavaScript. This path does not include the actual file name of the JavaScript. This path should be changed only if your application is already using a directory with the same path as the automatically assigned default path.
- For the JavaScript Configuration Directory field, use the automatically generated path, or define your own path that specifies the location of the BIG-IP DataSafe JavaScript containing profile configuration settings. This path specifies the location of the configuration JavaScript. This path does not include the actual file name of the JavaScript. This path should be changed only if your application is already using a directory with the same path as the automatically assigned default path.
- For the JavaScript Removal Location field, use the automatically generated path, or define your own path that specifies the location of the image file name that the system uses for detecting a JavaScript removal attack.
- For Threat Analytics Path, use the default path or define your own path for sending data to the Threat Analytics Platform (if enabled).
- For JavaScript Grace Threshold, change the default value if you want to raise or lower the maximum amount of time (in seconds) permitted between when a protected web page is loaded and its injected JavaScript activates.
- For the Collect Geolocation Coordinates setting, select the Enabled check box if you want the client to ask the end-user to grant permission to add geolocation coordinates to alerts.
- Leave the Additional function to be run before JavaScript load field blank unless instructed otherwise by F5.
- If your profile includes one or more URLs that contain SPA views, for Referrer Info Header use the default header value or assign your own header value that the BIG-IP system uses to identify SPA views.
- For the Prevent duplicate alerts from Client Side setting, select the Enabled check box to prevent the client from sending an alert with information that is identical to an alert previously sent by the client during the past 24 hours.
- For Maximum Length of HTML Attached to Test Alert, use the default length or type a number for the maximum length (in bytes) for the test alert.
- Click Save. The BIG-IP system saves the changes that you made to the advanced settings.
Enable an iRule to handle logins and alerts
Enabling iRules® to handle logins and alerts is only relevant if you have written an iRule to handle the ANTIFRAUD_ALERT event, or the ANTIFRAUD_LOGIN event and the iRule is associated with the same virtual server as your profile.
Enable an iRule to handle logins and alerts if you want to use an iRule to disable alerts or record login events.
- On the Main tab, click. The BIG-IP DataSafe screen opens.
- From the list of profiles, select the relevant profile. The DataSafe Profile Properties screen opens.
- In the General Settings area of the DataSafe Profile Properties screen, click Advanced. The Advanced settings appear.
- In the Trigger iRule Events setting, select the Enabled check box.
- Click Save. iRules are now enabled to handle logins and alerts.
iRule events
iRules® can subscribe to the ANTIFRAUD_ALERT event and the ANTIFRAUD_LOGIN event in BIG-IP DataSafe™.
iRule event | Description |
---|---|
ANTIFRAUD_ALERT | Occurs when alerts are sent to the BIG-IP system. |
ANTIFRAUD_LOGIN | Occurs when a user successfully logs in to the profile. Or if login validation is not configured, this event can occur if just the user name is identified. |
iRule Examples
The following example shows how an iRule uses the ANTIFRAUD_ALERT event to log all available information about an alert that was sent by the BIG-IP system to the location /var/log/ltm.

```
when ANTIFRAUD_ALERT {
    # Each field is written as its own entry in /var/log/ltm.
    log local0. "=========Anti-Fraud Alert========="
    log local0. "Alert Identifier: [ANTIFRAUD::alert_id]"
    log local0. "Alert Type: [ANTIFRAUD::alert_type]"
    log local0. "Alert Component: [ANTIFRAUD::alert_component]"
    log local0. "Alert Details: [ANTIFRAUD::alert_details]"
    log local0. "Alert GUID: [ANTIFRAUD::alert_guid]"
    log local0. "Alert Device ID: [ANTIFRAUD::alert_device_id]"
    log local0. "Alert License ID: [ANTIFRAUD::alert_license_id]"
    log local0. "Alert Score: [ANTIFRAUD::alert_score]"
    log local0. "Alert Username: [ANTIFRAUD::alert_username]"
    log local0. "Alert HTTP Referrer: [ANTIFRAUD::alert_http_referrer]"
    log local0. "Alert Additional Info: [ANTIFRAUD::alert_additional_info]"
}
```
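
The following Python parser is an added example, not part of the F5 manual. It regroups the per-field entries that the logging iRule above writes into one record per alert, keeping alerts from different TMM processes apart when their lines interleave. The syslog line layout, the rule name /Common/datasafe_log, the host name, and the sample values are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed /var/log/ltm layout for iRule `log local0.` output:
#   <timestamp> <host> info tmm1[1234]: Rule /Common/<rule> <ANTIFRAUD_ALERT>: <message>
LINE_RE = re.compile(r"(?P<proc>tmm\d*\[\d+\]): Rule \S+ <ANTIFRAUD_ALERT>: (?P<msg>.*)$")
BANNER = "=========Anti-Fraud Alert========="

def parse_alerts(lines):
    """Rebuild one dict per alert from the per-field lines the iRule logs."""
    open_alerts, done = {}, []
    for line in lines:
        m = LINE_RE.search(line.rstrip("\n"))
        if not m:
            continue  # unrelated ltm entry
        proc, msg = m["proc"], m["msg"]
        if msg == BANNER:
            # A new banner from the same TMM closes that TMM's previous alert.
            if proc in open_alerts:
                done.append(open_alerts[proc])
            open_alerts[proc] = {}
        elif proc in open_alerts and msg.startswith("Alert "):
            # Split on the first ": " only, so URLs in the value stay intact.
            label, _, value = msg[len("Alert "):].partition(": ")
            open_alerts[proc][label.lower().replace(" ", "_")] = value
    done.extend(open_alerts.values())
    return done

def count_by_type(alerts):
    """Tally alerts per alert type, e.g. to spot a noisy type before disabling it."""
    return Counter(a.get("type", "unknown") for a in alerts)

# Constructed sample lines (not real log data); two TMM processes interleave.
PREFIX_A = "Jan 10 09:15:01 bigip1 info tmm[11111]: Rule /Common/datasafe_log <ANTIFRAUD_ALERT>: "
PREFIX_B = "Jan 10 09:15:01 bigip1 info tmm1[11112]: Rule /Common/datasafe_log <ANTIFRAUD_ALERT>: "
SAMPLE = [
    PREFIX_A + BANNER,
    PREFIX_B + BANNER,
    PREFIX_A + "Alert Identifier: d4",
    PREFIX_B + "Alert Type: components_validation",
    PREFIX_A + "Alert Type: components_validation",
    "Jan 10 09:15:01 bigip1 notice mcpd[4242]: unrelated entry",
    PREFIX_A + "Alert Username: alice",
    PREFIX_A + "Alert HTTP Referrer: https://app.example/login",
    PREFIX_B + "Alert Username: bob",
]

if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE):
        print(alert)
    print(count_by_type(parse_alerts(SAMPLE)))
```

The field values originate from client-side JavaScript, so downstream tooling should treat them as untrusted input.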
The following example shows how an iRule uses the ANTIFRAUD_ALERT event to disable a specific alert according to its type.

```
when ANTIFRAUD_ALERT {
    # Suppress only alerts of type components_validation; all other alerts pass through.
    if {[ANTIFRAUD::alert_type] eq "components_validation"} {
        log local0. "Alert Type is components validation"
        ANTIFRAUD::disable_alert
        log local0. "Disabled Alert"
    }
}
```
The following example shows how an iRule uses the ANTIFRAUD_LOGIN event with its commands.

```
when ANTIFRAUD_LOGIN {
    log local0. "=========Anti-Fraud Login========="
    # read mode
    log local0. "Username: [ANTIFRAUD::username]"
    log local0. "GUID: [ANTIFRAUD::guid]"
    # write mode
    ANTIFRAUD::username "other_user"
}
```
Values for iRule commands
The following values can be used in iRule commands:
Value | Description |
---|---|
alert_id | For example, d4. |
alert_type | The type of alert. |
alert_component | An error type that is determined according to the alert_type. |
alert_details | Additional information regarding the alert. |
alert_device_id | Persistent browser identifier. |
alert_license_id | crc32 of the license id in hex. |
alert_transaction_data | Key-value list of all parameters marked to be attached. |
alert_username | When this command is used without any additional arguments, this is the name of the user who triggered the alert. It is possible to use additional arguments to override the current user name (write mode), as shown in the ANTIFRAUD_LOGIN example above. |
alert_http_referrer | The URL of the site that was visited just before the Alert URL was visited. |
alert_additional_info | Shows additional information about the alert, such as the parameter values too long error message. |
disable_alert | Disables the current alert. |
https://devcentral.f5.com/irules
Configuring SPA views
Configuring SPA views on a URL is relevant only if your web site is a single-page application (SPA).
You configure SPA views to provide BIG-IP DataSafe™ protection to the SPA views on a URL.
- On the Main tab, click. The BIG-IP DataSafe screen opens.
- From the list of profiles, select the relevant profile. The DataSafe Profile Properties screen opens.
- In the DataSafe Configuration area, click URL List. The URL List opens.
- In the URL List, click the Add View button in the row of the URL where you want to add a view. The Create New View screen opens.
- In the View field, type a name for the view.
- Click Advanced.
- Leave the Additional function to be run before JavaScript load field blank unless instructed otherwise by F5.
- For the Destination URLs setting, add URLs that should receive protected data from this view. Adding URLs here allows you to use the parameters that are configured on this view on the destination URL as well, without having to re-configure them on the destination URL. This setting is relevant only when sending data by Ajax and in a form format (not JSON format).
- Click Create. The BIG-IP system creates the view and the DataSafe Profile Properties screen opens.
Applying the BIG-IP DataSafe Main JavaScript on SPA views not in the profile
This task is relevant only if your URL contains SPA views that are not configured on the BIG-IP DataSafe profile.
Apply the BIG-IP DataSafe main JavaScript to SPA views that are not configured on your BIG-IP DataSafe profile if you want those views to be protected by the BIG-IP DataSafe main JavaScript.
For SPA views that are configured on your BIG-IP DataSafe profile, those views are automatically protected by the Main JavaScript if Inject Main JavaScript is enabled on the URL.
- On the Main tab, click. The BIG-IP DataSafe screen opens.
- From the list of profiles, select the relevant profile. The DataSafe Profile Properties screen opens.
- In the DataSafe Configuration area, click URL List. The URL List opens.
- In the URL List, click the relevant URL. The URL Properties screen opens.
- Click Advanced in the General Settings screen.
- Verify that the Enabled check box for Fallback to Base URL is selected.
- Click Save.
Cloning a profile
If you want to create a new profile with settings identical to an existing profile, you can clone the profile. Unlike parent-child profiles, the cloned profile is not dependent on the original one, and any changes made to the original profile after cloning are not inherited by the previously cloned profile.
A cloned profile inherits all properties from the original profile, including all URL properties.
- On the Main tab, click. The BIG-IP DataSafe screen opens.
- Select the check box next to the profile that you want to clone.
- Click the Clone button. The Clone Profile pop-up screen opens.
- In the Clone Profile pop-up screen, assign a profile name and (optionally) a description.
- Click Clone. The cloned profile is created and appears in the list of profiles in the DataSafe Profiles screen.
Cloning a URL or view
You can clone a URL or SPA view if you want to create a new URL or view that inherits some or all of the settings on an existing URL or view.
- On the Main tab, click. The BIG-IP DataSafe screen opens.
- From the list of profiles, select the profile with the URL you want to clone. The DataSafe Profile Properties screen opens.
- In the DataSafe Configuration area, click URL List. The URL List opens.
- Select the check box next to the URL or view that you want to clone.
- Click the Clone button. The Clone URL (or Clone View) pop-up screen opens.
- In the pop-up screen, assign a URL path or view name and (optionally) a description.
- If you are cloning a URL, do the following:
  - If you don’t want to encrypt data on the web page of the new URL, disable the Inject JavaScript setting.
  - If the source URL contains SPA views and you want the new URL to inherit those views, select the Enabled check box by Views.
- If you want the new URL or view to inherit all the parameters configured on the source URL or view, select the Enabled check box by Parameters.
- Click the Clone button in the pop-up screen. Once the new URL/view is created, there is no further dependency on the source URL/view and any future changes made to the source URL/view are not inherited by the new URL/view.
The BIG-IP system creates the new URL/view.
Configuring a URL or View parameter that uses an HTML tag attribute other than Name or ID
To define a parameter with the Selector attribute, either Ajax Encryption or Check AJAX Payload for Data Manipulation must be enabled on the URL or View.
Configure a URL or View parameter with the Selector attribute if you want to provide BIG-IP DataSafe protection to a parameter that uses an HTML tag attribute other than Name or ID.
- In the DataSafe Configuration area of your profile, click URL List. The URL List opens.
- In the URL List, click the relevant URL or View. The URL/View Properties screen opens.
- In the URL Configuration (or View Configuration) area, select Parameters. The Parameters list is displayed.
- Click the Add button. The Parameter Settings screen opens.
- In the Parameter Name field, assign a name using the CSS selector syntax and ensure that Explicit (and not Wildcard) is selected. For example, to configure a parameter with the CSS class myinputs, you need to assign .myinputs as the parameter name.
- Select the Enabled check box by Selector.
- Click Create. The Parameters list is displayed and the parameter that you created is listed.