Manual Chapter : Maintaining Security Policies

Applies To:

BIG-IP ASM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0
Maintaining Security Policies

Overview: Comparing security policies

Application Security Manager has a Policy Diff feature that lets you compare two security policies, view the differences between them, and copy the settings from one policy to the other. You can use the comparison for auditing purposes, to make two policies act similarly, or to simply view the differences between two security policies. The Policy Diff feature is particularly useful for comparing a security policy in staging and a production version. You can compare active security policies (with or without Policy Builder running), inactive security policies, and exported security policies. When you import security policies that were exported from another system, they are placed in the inactive policies list.
Note: The policy is set to active when it is configured within a rule of an LTM policy or activated via the CLI using tmsh modify asm policy <policy> active. Conversely, it can be inactivated with the command
tmsh modify asm policy <policy> inactive
and it is then removed from any LTM policy.
You need to have a user role on the BIG-IP system of Administrator or Web Application Security Editor to use Policy Diff to compare security policies.

Comparing security policies

Before you can compare security policies, the two policies must be on the same BIG-IP system, or accessible from the system you are using (such as imported policies). They must also have the same language encoding, the same protocol independence (Differentiate between HTTP and HTTPS URLs) configuration, and the same case sensitivity configuration. You can compare policies even if they are running Policy Builder, but because they are constantly changing, the comparison is done on copies of the policies to avoid corrupting them.
Only users with a role of Administrator, Application Security Administrator, or Application Security Editor can use Policy Diff to compare security policies.
You can compare two security policies to review the differences between them. While the two security policies are being compared, the system prevents other users from saving changes to them.
  1. On the Main tab, click Security > Application Security > Security Policies > Policy Diff.
  2. From the First Policy and Second Policy lists, select the security policies you want to compare or merge, or browse to search your computer for an exported security policy.
    The two security policies you are comparing can be active, inactive, policies imported in binary or XML format, or a combination of both.
  3. If you plan to merge security policy attributes, it is a good idea to safeguard the original security policy. In the Working Mode field, select how you want to work.
    Work on Original: Incorporate changes into one (or both) of the original security policies, depending on the merge options you select, without making a copy.
    Make a Copy: Make a copy of the security policy into which you are incorporating changes.
    Work on Copy: Work on a copy of the original security policy. A copy is made first, and then any changes are incorporated on the original policies. If you are comparing one or more policies with Policy Builder enabled, this option is selected automatically (and the other options become unavailable).
  4. Click the Calculate Differences button to compare the two security policies.
    The system does not compare navigation parameters. They are ignored and do not appear in the results.
    The Policy Differences Summary lists the number of differences for each entity type.
  5. Click any row in the Policy Differences Summary to view the differing entities with details about the conflicting attributes.
    The system displays a list of the differing entities and shows details about each entity's conflicting attributes.
  6. Review the differences between the two policies and determine whether or not you want to merge attributes from one policy to the other.

Overview: Importing and exporting security policies

You can export or import security policies from one Application Security Manager (ASM) system to another.
You can export a security policy as a binary archive file or as a readable XML file. For example, you might want to export a security policy protecting one web application to use it as a baseline policy for another similar web application. You might want to export a security policy to archive it on a remote system before upgrading the system software, to create a backup copy, to replace an existing policy, or to merge it with another security policy.
You can import a declarative security policy file or a security policy that was previously exported from another ASM system. When you import a security policy, you can import it as an inactive security policy or so that it replaces an existing security policy.

About security policy export formats

Application Security Manager can export security policies in binary or XML format. The XML or archive file includes the partition name, the name of the security policy, and the date and time it was exported. For example, a policy called finance in the Common partition is exported to a file called Common_finance__2014-04-28_12-10-00__source.device with either a .plc (binary) or .xml extension. The time used in the file name is the policy version timestamp (which includes the source hostname where the policy was last modified, the time modified, and the policy name).
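The file name layout just described, parsed as an added example (this is not code from the F5 documentation): it splits an export name into partition, policy, version timestamp, source device and format, and reduces a backup folder to the newest export of each policy. It assumes the partition name contains no underscore and the policy name no double underscore; the second sample file name is constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple

# Layout from the manual:
#   <partition>_<policy>__<YYYY-MM-DD_HH-MM-SS>__<source device>.<plc|xml>
# Assumption: the partition has no underscore and the policy name no "__".
_EXPORT_RE = re.compile(
    r"^(?P<partition>[^_]+)_(?P<policy>.+?)__"
    r"(?P<stamp>\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2})__"
    r"(?P<device>.+)\.(?P<ext>plc|xml)$"
)


@dataclass(frozen=True)
class ExportedPolicy:
    partition: str
    policy: str
    exported_at: datetime   # policy version timestamp from the file name
    source_device: str      # host where the policy was last modified
    fmt: str                # "binary" for .plc, "xml" for .xml


def parse_export_filename(name: str) -> Optional[ExportedPolicy]:
    """Return the components of an ASM export file name, or None if the
    name does not follow the export layout (e.g. a stray file in a backup dir)."""
    m = _EXPORT_RE.match(name)
    if not m:
        return None
    stamp = datetime.strptime(m["stamp"], "%Y-%m-%d_%H-%M-%S")
    fmt = "binary" if m["ext"] == "plc" else "xml"
    return ExportedPolicy(m["partition"], m["policy"], stamp, m["device"], fmt)


def newest_exports(names: Iterable[str]) -> Dict[Tuple[str, str], ExportedPolicy]:
    """Keep only the most recent parseable export per (partition, policy)."""
    latest: Dict[Tuple[str, str], ExportedPolicy] = {}
    for n in names:
        p = parse_export_filename(n)
        if p is None:
            continue  # skip files that are not ASM exports
        key = (p.partition, p.policy)
        if key not in latest or p.exported_at > latest[key].exported_at:
            latest[key] = p
    return latest


# Constructed sample backup folder: the manual's example plus a later export.
SAMPLE_FILES = [
    "Common_finance__2014-04-28_12-10-00__source.device.xml",
    "Common_finance__2014-05-01_08-00-00__bigip1.example.net.plc",
    "notes.txt",
]
```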
An exported security policy includes any user-defined attack signature sets that are in use by the policy, but not the actual signatures. Therefore, it is a good idea to make sure that the attack signatures and user-defined signatures are the same on the two systems.
If you save the policy as an XML file, you can open it to view the configured settings of the security policy in a human readable format.
In addition, when exporting to XML, you can save the security policy in a compact format, which results in a smaller XML file. The compact XML format does not include information about the staging state of attack signatures. Also, information about the following items is only included if it was changed from the default values:
  • Meta-character sets
  • Learn, Alarm, and Block settings for violations
  • Response pages
  • IP address intelligence Alarm and Block settings

Exporting security policies

You can export a security policy and save it in a file. The exported security policy can be used as backup, or you can import it onto another system.
  1. On the Main tab, click Security > Application Security > Security Policies.
    The Policies List screen opens.
  2. From the Policies list, select the security policy that you want to export, then click Export.
    The Export policy popup screen opens.
  3. For Export policy format, select an export method.
    • To save the security policy as an XML file, select XML format.
    • To save the security policy as a policy archive file (.plc file), select Binary format.
  4. For Compact format, if you want to reduce the size of the XML file, click Enabled.
  5. Click Export Policy.
    The system exports the security policy in the format you specified.
The exported security policy includes all of the policy details, including entities that use default values, unless you selected the compact format option. If using the compact format, values unchanged from the default values are not exported.
The exported security policy includes any user-defined signature sets that are in the policy, but not the user-defined signatures themselves. Optionally, you can export user-defined signatures from the Attack Signature List (to see the list, go to Security > Options > Application Security > Attack Signatures > Attack Signatures List).

Importing security policies

Before you import a security policy from another system, ensure that the attack and user-defined signatures are the same on both systems. You also need access to the exported policy file.
If you are importing a declarative security policy you can include attack signatures and user-defined signatures in the declarative policy file.
You can import a security policy that was previously exported from another Application Security Manager system.
  1. On the Main tab, click Security > Application Security > Security Policies.
    The Policies List screen opens.
  2. Click Import Policy.
    The Import Security Policy screen opens.
  3. For Imported Policy File, click Select File to navigate to a declarative or previously exported security policy.
    The declarative security policy is in JSON format. The exported security policy can be in XML (regular or compact) or binary (.plc) format.
    The system shows the name of the policy you plan to import and the policy encoding.
  4. For the Import Target setting, select how to import the security policy.
    • To replace the currently active policy with the security policy you are importing, select Replaced Policy and select the policy to replace from the list.
  5. For Import Target, select how to import the policy:
    • To treat the imported policy as a new security policy, select New Policy.
    • To replace an existing policy with an imported policy, select Replace Policy.
    The system imports the security policy and displays a success status message when the operation is complete.
If you replaced an existing policy, the imported security policy completely overwrites the existing security policy. Also, the imported policy is then associated with the virtual server and local traffic policy that was previously associated with the policy you replaced.