Manual Chapter : Working with Security Policy Microservices

Applies To:

BIG-IP ASM

  • 17.5.1
  • 17.5.0

Working with Security Policy Microservices

A security policy microservice is a combination of Hostname and URL. Microservices allow you to create granular security policy configurations. You can set the microservice response to be different from the rest of the security policy. This allows the security policy to generally respond in one way but, for very specific traffic, to respond in another way. For example:

  • Security policy in Blocking mode with microservices in Transparent mode.
  • Security policy in Blocking mode with Blocking Settings overrides for microservices.
  • Security policy in Transparent mode with microservices in Blocking mode.

Examples of microservices:

  • Web application: hostname=*.example.com, URL=*
  • Add-to-cart microservice: hostname=api.example.com, URL=/api/AddToCart.aspx

Ensure that the desired policy is selected at the top of the Microservices screen.

Once a microservice is created, the microservice’s name cannot be changed. Both the Hostname and URL may be pure or non-pure wildcards but they cannot both be a pure wildcard at the same time. This means that Hostname = * and URL = * is not supported as it means all hostnames and all URLs.

  1. On the Main tab, click Security > Application Security > Microservices.

  2. Click Create.

  3. Select whether the Hostname is a Wildcard or Explicit Hostname and enter the Hostname.

    The hostname can be an fnmatch regular expression. IPv4 and IPv6 addresses are supported.

  4. Select whether the URL is a Wildcard or Explicit URL and enter the URL.

    The URL can be an fnmatch regular expression. The URL can be HTTP, HTTPS or a websocket. The URL does not need to exist in the Allowed URLs in the selected policy.

    Note: The URL Wildcard Match Includes Slashes option is only available for wildcard URLs and is enabled by default. A wildcard starting with * must have this enabled or no matches will be found because the wildcard will reject the leading slash in every URL.

  5. Select the Enforcement Mode for the microservice.

    Mode            Description
    Policy Default  The default security policy enforcement is enforced for this microservice, i.e. if the default enforcement is Transparent, it remains Transparent; if Blocking, it remains Blocking.
    Transparent     The policy is not enforced for this microservice, even if the security policy enforcement is Blocking.
    Blocking        The policy is enforced for this microservice, even if the security policy enforcement is Transparent.

  6. Select which, if any, Evasion technique detected violations to override and how.

    You can override all Evasion technique detected configurations by selecting Override Violation at the top of the list. Modify the Learn, Alarm and Block settings to match your desired behavior.

    You can override specific subviolations by selecting Override for that subviolation. Modify the Enable and Learn settings to match your desired behavior.

  7. Select which, if any, HTTP protocol compliance failed violations to override and how.

    You can override all HTTP protocol compliance failed configurations by selecting Override Violation at the top of the list. Modify the Learn, Alarm and Block settings to match your desired behavior.

    You can override specific subviolations by selecting Override for that subviolation. Modify the Enable and Learn settings to match your desired behavior.

    If a violation is overridden globally and Enable, Alarm and Block are disabled, then you cannot override and enable them for subviolations.

  8. Click Save to save the microservice.

The newly created microservice is added to the top of the list below the Default microservice.

The matching priority for enforcement is according to the order of the microservices list. Drag and drop a microservice to move it within the list. The Default microservice shows the policy enforcement and cannot be moved.
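The following Python is an added illustration, not F5's code or configuration: it models the matching rules this chapter describes (fnmatch-style Hostname and URL wildcards, the rule that both cannot be a pure wildcard, the URL Wildcard Match Includes Slashes behaviour, Policy Default/Transparent/Blocking resolution, and first-match priority in list order). The Microservice class, is_valid, url_matches, resolve and the SAMPLE list are assumptions made for the illustration; explicit entries are treated as patterns without wildcard characters.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Microservice:
    name: str
    hostname: str                  # explicit name, IP address, or fnmatch-style wildcard
    url: str                       # explicit path or fnmatch-style wildcard
    mode: str = "Policy Default"   # "Policy Default" | "Transparent" | "Blocking"
    url_wildcard_includes_slashes: bool = True   # "URL Wildcard Match Includes Slashes"


def is_valid(ms: Microservice) -> bool:
    # Hostname = * together with URL = * is not supported: it would match everything.
    return not (ms.hostname == "*" and ms.url == "*")


def url_matches(pattern: str, url: str, includes_slashes: bool) -> bool:
    # Translate the fnmatch-style URL wildcard into a regex. With "includes slashes"
    # off, '*' and '?' may not cross a '/', so a pattern starting with '*' can never
    # match: every URL begins with a slash.
    star, qmark = (".*", ".") if includes_slashes else ("[^/]*", "[^/]")
    regex = "".join(star if c == "*" else qmark if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, url) is not None


def resolve(microservices: List[Microservice], policy_mode: str, host: str, url: str) -> Tuple[str, str]:
    # The first microservice in list order whose hostname AND URL both match wins,
    # mirroring the drag-and-drop priority; the Default microservice at the bottom
    # simply carries the policy's own enforcement mode.
    for ms in microservices:
        if not is_valid(ms):
            raise ValueError(f"{ms.name}: hostname and URL cannot both be pure wildcards")
        if fnmatch.fnmatchcase(host, ms.hostname) and url_matches(ms.url, url, ms.url_wildcard_includes_slashes):
            return ms.name, policy_mode if ms.mode == "Policy Default" else ms.mode
    return "Default", policy_mode


# Constructed sample list (top entry has the highest priority).
SAMPLE = [
    Microservice("add-to-cart", "api.example.com", "/api/AddToCart.aspx", "Transparent"),
    Microservice("api-noslash", "api.example.com", "*", "Blocking", url_wildcard_includes_slashes=False),
    Microservice("legacy", "*.example.com", "/legacy/*"),
]
```

With the policy in Blocking mode, the add-to-cart request resolves to Transparent, the api-noslash entry never matches because its leading `*` cannot cross the URL's first slash, and requests that match nothing fall through to the Default microservice's policy mode.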

Once you have configured microservices you can view the high and low scoring learning suggestions for each microservice.

Suggestions for HTTP protocol compliance and Evasion technique detected may be accepted on one or more selected microservices or globally in a policy. With the microservice suggestion information, you can see if a configured microservice is well-suited to the virtual server(s) it is applied to and decide when to change the microservice’s enforcement mode from transparent to blocking.

  1. On the Main tab, click Security > Application Security > Policy Building > Traffic Learning.

    With no suggestion selected, the Traffic Learning Summary displays in the right pane, including the Enforcement by Microservice table.

  2. In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.

  3. In the right pane, click Enforcement By Microservice to open the table and view any microservice suggestions.

If no suggestions have been generated for a microservice, you can switch it from transparent mode to blocking mode. If suggestions have been generated for a microservice, click on the suggestion count to view the suggestions. You can change the enforcement mode as needed. You may need to create additional microservices to best serve the traffic and server type.

Once you have configured microservices you can view any requests relevant to each microservice. A microservice is displayed only if it has a request.

All configured microservices that have generated requests are listed, along with each microservice’s security policy and virtual server. The numbers of illegal and blocked requests are listed for each microservice, as well as any detected signature.

  1. On the Main tab, click Security > Event Logs > Application > Requests.

    With no request selected, the Requests Log Summary displays in the right pane, including the Microservices table.

  2. In the right pane, click Microservices to open the table and view the microservice suggestions with high and low scores.