Manual Chapter : Managing Threat Campaigns
Applies To: BIG-IQ Centralized Management 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0, 7.0.0
Central management of threat campaigns
Threat campaign signatures are based on current “in-the-wild” attacks that exploit the latest vulnerabilities and/or new ways to exploit old vulnerabilities.
Threat campaign signatures contain contextual information about the nature and purpose of the attack. BIG-IQ allows you to oversee threat campaigns for managed BIG-IP devices version 14.0 or later. This means you can manage devices with threat campaign protection services, and you can maintain an up-to-date database of ongoing exploits.
By default, managed devices provide immediate action once an active threat campaign signature is detected. You can select one or several threat campaigns to include a staging period in which identified requests are allowed for a temporary period of time.
In addition to providing protection from active threat campaigns, regular updates mark campaigns that are no longer a threat as inactive. Once the threat campaign is in an inactive state, the system no longer provisions resources for identification and mitigation.
To view a complete list of all threat campaigns and their statuses, go to the global setting screen.
Configure threat campaigns for a Web Application Security policy
You must have a BIG-IP version 14.0 or later, with threat campaigns provisioned and licensed on that BIG-IP device. On BIG-IQ, ASM services must be discovered on BIG-IQ Centralized Management.
If you intend to configure settings for a child policy, you need to decline the inheritance settings of the parent policy. See Edit inheritance settings for threat campaigns for more information.
You configure your Web Application Security policy to include protection and/or staging against active threat campaigns.
- Go to.
- Click a policy in the Name column. The screen changes to show properties for that policy.
- To view or disable threat campaigns available to a selected policy, click THREAT CAMPAIGNS on the left. The screen displays a list of all the active threat campaigns found in the global settings (found on the screen at).
- From the Policy Properties menu on the left, go to, scroll down and expand the Threat Campaigns setting.
- At the far right of the field, select one or more policy actions to take once a threat campaign is detected:
- Select Block to block requests that include signatures of the enforced threat campaigns.
- Select Alarm to generate an alarm when requests contain threat campaign signatures.
- To perform staging for new and updated threat campaign signatures for a period of time, select the Enable Threat Campaigns Staging check box.
- Once you enable staging, select specific threat campaigns for staging from the policy's settings (see step 3).
- Select Enabled for Enable Threat Campaigns Staging. By default, all threat campaigns are unstaged.
- For Threat Campaigns Enforcement Readiness Period, set the number of days to enforce staging.
- Click Save & Close.
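To make the interplay of the settings above concrete, here is an added, simplified model of the enforcement decision for a request that matches a threat campaign signature. It is illustrative code, not BIG-IQ or BIG-IP code; the campaign names are constructed, and the assumption that a match inside the readiness period is allowed and recorded as "staged" rather than alarmed is this model's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class ThreatCampaign:
    name: str                       # constructed campaign name, not a real F5 campaign
    active: bool                    # inactive campaigns are no longer evaluated
    staged_since: Optional[date]    # None means the campaign is unstaged (the default)


@dataclass
class PolicySettings:
    block: bool = True              # policy action: Block
    alarm: bool = True              # policy action: Alarm
    staging_enabled: bool = False   # Enable Threat Campaigns Staging
    readiness_days: int = 7         # Threat Campaigns Enforcement Readiness Period (days)


def decide(campaign: ThreatCampaign, policy: PolicySettings, today: date) -> List[str]:
    """Return the actions the policy takes for a request matching `campaign`."""
    if not campaign.active:
        return ["ignore"]           # no resources provisioned for inactive campaigns
    if policy.staging_enabled and campaign.staged_since is not None:
        staging_ends = campaign.staged_since + timedelta(days=policy.readiness_days)
        if today < staging_ends:
            # Assumption of this model: a staged match is allowed and recorded so
            # the operator can evaluate it before enforcement begins.
            return ["allow", "log-staged"]
    actions = []
    if policy.alarm:
        actions.append("alarm")
    if policy.block:
        actions.append("block")
    return actions or ["allow"]


def run_scenarios() -> List[List[str]]:
    """Walk a constructed campaign through staging, enforcement, and inactivity."""
    staged = ThreatCampaign("constructed-campaign-A", True, date(2024, 1, 1))
    unstaged = ThreatCampaign("constructed-campaign-B", True, None)
    retired = ThreatCampaign("constructed-campaign-C", False, None)
    policy = PolicySettings(staging_enabled=True, readiness_days=7)
    return [
        decide(staged, policy, date(2024, 1, 5)),    # inside the 7-day readiness period
        decide(staged, policy, date(2024, 1, 8)),    # readiness period elapsed: enforced
        decide(unstaged, policy, date(2024, 1, 5)),  # unstaged: immediate action
        decide(retired, policy, date(2024, 1, 5)),   # inactive: not evaluated
        decide(unstaged, PolicySettings(block=False), date(2024, 1, 5)),  # Alarm only
    ]
```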
Ensure that you update your threat campaign files regularly, so that your protection is up to date. To do so, see Customize device updates for threat campaigns.
Edit inheritance settings for threat campaigns
Before you can edit any settings for threat campaigns, you must have an existing Web Application Security policy.
You can change the properties of inheritance settings for a child policy to configure threat campaign protection that is different from a parent policy.
- Go to.
- Click the appropriate parent policy name to display the policy's properties.
- On the left, expand POLICY PROPERTIES and click Inheritance Settings.
- From the Threat Campaigns setting, select Optional.
- Return to the Web Application Security Policies screen, and click the appropriate child policy name.
- Click Inheritance Settings.
- From the Threat Campaigns list, select Decline. This action rejects the parent policy's inheritance settings for threat campaigns, so that you can edit the child policy's staging and enforcement settings.
- Click Save & Close.
Device updates for threat campaigns
Due to the dynamic nature of the threat landscape, threat campaigns need to be maintained and up-to-date. This includes updating your database to include newly discovered threat campaigns, and removing those that were resolved. Live updates can be scheduled and fine-tuned, based on your protection needs.
The accuracy of threat campaign signature detection provides a minimal chance of false positives, and F5 recommends that you leave blocking enabled. However, threat campaign enforcement readiness periods and threat campaign staging provide a period of time in which you can evaluate the threat level of a threat campaign before the system begins to block traffic.
Customize device updates for threat campaigns
Before you can customize device updates, first ensure that your managed BIG-IP is version 14.0 or later, with threat campaigns licensed, and threat intelligence updates enabled. On BIG-IQ, ASM services must be discovered on BIG-IQ Centralized Management.
Regular updates ensure that your system has the most up-to-date information about ongoing threat campaigns and their malicious signatures for all discovered BIG-IP devices. Enabling regular updates to your threat campaign files ensures that devices can provide protection from newly detected threats, and refresh information for threat campaigns that have become inactive.
- Go to.
- On the left, expand THREAT CAMPAIGNS FILES and select Threat Campaigns Files List.
- For general download settings, click Download to change the settings for file sources. By default, the system downloads all threat campaign files, regardless of device or status.
- To customize the regularity of updates for devices, click Settings:
- Ensure that the Remote Updates setting is Enabled.
- For Interval, select the regularity at which the system collects threat campaign updates.
- Ensure that devices are listed in the Allow auto update list to enable automatic updates for the selected devices.
- To remove one or more devices from the auto updates list, select the device and move it to the Skip Auto Updates list.
- From the Install To list you can select Active Devices Only to install updates on active, high availability devices in your BIG-IP device cluster.
- Click Save & Close.
To complete the process of scheduling automatic updates on a specific BIG-IP device, go to, click the device name in the devices list, and for the relevant file type, select the link for Allow Automatic Install.