Manual Chapter : Modify and Manage Layer 7 Security Objects

Applies To:

BIG-IQ Centralized Management

  • 7.1.0

Managing objects with layer 7 security

The L7 Security dashboard provides central management and visibility of Web Application Security for all your system's virtual servers and applications, including applications with an AS3 configuration.

Modifying object protection

The L7 Security Dashboard (Monitoring > DASHBOARDS > L7 Security) lists all deployed applications and virtual servers that are managed by your system.
When Web Application Security is provisioned, virtual servers and applications can have the following layer 7 (L7) security objects that can detect and mitigate bad traffic.
  • DoS Profiles
  • Web Application Security Policies
  • Logging profiles
You can use this list to manage the L7 protection and logging needs of all your objects. Object management capabilities include:
  • Edit protection settings for one or more applications
  • Edit protection settings for one or more virtual servers
  • Deploy bulk changes to multiple virtual servers
    The system automatically deploys changes to applications.

Object Visibility

The current status and statistics of protected objects are listed in the L7 Security dashboard. Additionally, the dashboard provides a summary bar that provides an overview of the protection status, protection mode, and security alerts pertaining to the listed objects.
The dashboard displays data over the time period selected. You can adjust the time over which data is displayed using the controls located to the top left of the screen.
Following object discovery, summary bar statistics can take up to 2 minutes to fully load and reflect the recently added object information.

Manage layer 7 protection settings

To view object information you must have the following:
  • A Data Collection Device (DCD) configured to your BIG-IQ system.
  • Managed BIG-IP devices have ASM provisioned for managing security policies.
  • The BIG-IQ system has Shared Security (SSM) discovered to manage virtual servers' DoS and logging profiles.
  • Managed BIG-IP devices have AVR provisioned (recommended).
You identify the Layer 7 security configuration of your managed virtual servers and applications, so you can modify their security settings. To deploy changes, see Deploy Layer 7 security.
  1. Go to Monitoring > DASHBOARDS > L7 Dashboard.
    The screen displays your protected objects, and provides summary data, based on the selected time settings. To change the scope of the time settings, use the control to the top left of the screen.
  2. To edit an object's security and logging settings, select one or more applications or virtual servers from the list.
  3. To attach a security object, click Attach and select a security resource type from the list.
    For virtual servers, if you would like to deploy changes immediately, limit the selection to 20 virtual servers.
    1. From the Choose resource to attach screen, select a security resource.
      The list of resources is specific to your object selection. If you have selected multiple objects, only resources shared by your selection are available.
      If you are attaching a DoS profile, it is recommended to configure only one DoS profile per application. Remove any existing DoS profile for the selected applications before adding a new profile.
    2. If you would like to deploy your changes to a virtual server immediately, select the check box for Deploy Virtual Servers.
      Deployment times vary depending on the selected virtual server. If you do not select this option, you can continue to adjust your virtual server's settings and conduct a bulk deployment for selected objects in the L7 Security Dashboard.
      When deploying to an application, these changes are automatically deployed when you complete the process.
    3. Click Continue to complete the process.
    4. To deploy bulk changes, select the check box for the virtual servers you would like to deploy, and click Deploy now.
  4. To remove a security object, click Detach and select the security object type from the list.
    The Detach Confirmation screen will request confirmation; click Continue to confirm the security object's removal. This will immediately remove the object from your virtual server/application.
Changes are immediately reflected in the L7 Security dashboard. Changes to applications will render an immediate update for the deployment process. The time required to complete the deployment process varies based on the number of objects selected.

Monitoring Application Security

The L7 Security dashboard provides information about the current status of your objects protected by Web Application Security. The data found in the dashboard provides summary information about all your objects, and overview data specific to each object. All data on the screen is cumulative over the selected time settings. These time settings are located at the top left of the screen, and are constantly updated based on a refresh interval.

Summary Data

The summary bar located at the top of the screen provides status information about all objects listed on this screen. This includes status, configuration and alert data. For more information about the summary bar, see Object protection modes for Web Application Security, Protected objects with Web Application Security, and Web Application Security alerts.

Object Data

Each object row displays information about attacks and bad traffic trends for that object. To view more detailed information about one or more objects' Web Application Security data, select the object's check box, click View in... and select Web Application Security Dashboard. This action will automatically filter the selected object data.

Pre-requisites for viewing L7 protection data

To view the data for objects listed in the L7 Security dashboard, you must configure the following settings. If you have not configured these settings, you will be able to view protected objects and their security settings, but you will not have visibility into the objects' data.
  • A Data Collection Device (DCD) configured to your BIG-IQ system.
  • Managed BIG-IP devices have ASM provisioned for managing security policies.
  • The BIG-IQ system has Shared Security (SSM) discovered to manage virtual servers' DoS and logging profiles.
  • Managed BIG-IP devices have AVR provisioned (recommended).

Object protection modes for Web Application Security

The L7 Security dashboard (Monitoring > DASHBOARDS > L7 Security) displays objects with different protection modes.
Protected objects consist of the applications or virtual servers that have a Web Application Security policy or DoS profile.
Object protection modes
The PROTECTION MODE area on this screen displays the number of managed objects for each protection mode.

Blocking

A virtual server has a Blocking security mode if it has at least one of the following security configurations. Likewise, an application has a Blocking security mode if at least one of its assigned virtual servers has a Blocking protection mode.
  • Web Application Security Policy: The policy's Enforcement Mode is set to Blocking.
  • DoS Profile: The operation mode for TPS-based Detection is set to Blocking, and/or the operation mode for Behavioral & Stress-based Detection is set to Blocking.

Monitoring

A virtual server has a Monitoring security mode if it has at least one of the following security configurations, and has no Blocking security configurations. Likewise, an application has a Monitoring security mode if at least one of its assigned virtual servers has a Monitoring protection mode and none of its virtual servers has a Blocking protection mode.
  • Web Application Security Policy: The policy's Enforcement Mode is set to Transparent.
  • DoS Profile: The operation mode for TPS-based Detection is set to Blocking, and/or the operation mode for Behavioral & Stress-based Detection is set to Transparent.

Not Protected

A virtual server is not protected if it does not have a Monitoring or Blocking configuration. An application is not protected if all of its assigned virtual servers are not protected.

Protected objects with Web Application Security

The Layer 7 Security dashboard (Monitoring > DASHBOARDS > L7 Security) displays the applications and virtual servers monitored by BIG-IQ Centralized Management.
Protected objects consist of the applications or virtual servers that have a Web Application Security policy or DoS profile with an enabled protection status. The PROTECTED OBJECTS area on this screen displays the number of protected objects, out of the total objects. The following describes the object count for this screen, regardless of protection status:
The number of managed protected objects, out of all the objects managed by your system.
  • Virtual Server: A stand-alone virtual server counts as a managed object (protected or unprotected) when it is not assigned to an application. The virtual server must have at least one HTTP profile. Once it is assigned to an application, the virtual server is no longer included in the total object count.
  • Application: Each application counts as an object (protected or unprotected). The application includes all its assigned virtual servers.
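
The protection-mode and object-count rules above, worked through as an added Python example (not F5 code and not a BIG-IQ API). It derives each object's mode, counts objects the way the summary bar is described, and lists virtual servers that an application-level Blocking label hides. The record fields, the sample inventory, the reading of a Transparent setting as a Monitoring configuration, and counting Blocking plus Monitoring objects as protected are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

BLOCKING, MONITORING, NOT_PROTECTED = "Blocking", "Monitoring", "Not Protected"

@dataclass
class VirtualServer:                           # hypothetical inventory record
    name: str
    policy_enforcement: Optional[str] = None   # WAS policy Enforcement Mode
    dos_tps: Optional[str] = None              # TPS-based Detection operation mode
    dos_behavioral: Optional[str] = None       # Behavioral & Stress-based Detection
    has_http_profile: bool = True

def vs_mode(vs):
    settings = (vs.policy_enforcement, vs.dos_tps, vs.dos_behavioral)
    if "Blocking" in settings:                 # any Blocking setting wins
        return BLOCKING
    if "Transparent" in settings:              # assumption: Transparent => Monitoring
        return MONITORING
    return NOT_PROTECTED

def app_mode(servers):
    modes = {vs_mode(vs) for vs in servers}
    return next((m for m in (BLOCKING, MONITORING) if m in modes), NOT_PROTECTED)

def summarize(apps, standalone):
    # Returns (objects per mode, protected objects, total objects).
    counts = {BLOCKING: 0, MONITORING: 0, NOT_PROTECTED: 0}
    for servers in apps.values():              # an application is one object
        counts[app_mode(servers)] += 1
    for vs in standalone:                      # stand-alone VS needs an HTTP profile
        if vs.has_http_profile:
            counts[vs_mode(vs)] += 1
    total = sum(counts.values())
    return counts, total - counts[NOT_PROTECTED], total

def hidden_gaps(apps):
    # Virtual servers below Blocking inside applications that display as Blocking.
    weak = {a: [v.name for v in s if vs_mode(v) != BLOCKING]
            for a, s in apps.items() if app_mode(s) == BLOCKING}
    return {a: names for a, names in weak.items() if names}

# Constructed sample inventory
APPS = {
    "shop": [VirtualServer("shop-443", policy_enforcement="Transparent"),
             VirtualServer("shop-api", dos_tps="Blocking")],
    "blog": [VirtualServer("blog-80")],
}
STANDALONE = [VirtualServer("legacy-vs", dos_behavioral="Transparent"),
              VirtualServer("tcp-only", dos_tps="Blocking", has_http_profile=False)]
```

Here "shop" counts as Blocking although shop-443 only runs a Transparent policy, which is the gap `hidden_gaps` reports.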

Web Application Security Alerts

Security alerts in the TRENDS AND IMPACTS area of the L7 Security dashboard (Monitoring > DASHBOARDS > L7 Security) notify you of the number of objects reporting Web Application Security policy (Web Exploits) or DoS profile (L7 DDoS Attacks) events over the past day (trend charts report the past week). These alerts indicate that a protected object (application or virtual server) recently experienced an increased rate in performance issues. To view data that corresponds with these traffic events, go to Monitoring > DASHBOARDS > DDoS > HTTP Analysis.
To view the status of your deployed applications, go to Applications > APPLICATIONS.
Security alerts are not available to legacy applications.
Alert: BAD TRAFFIC TRENDS
  • Description: The number of objects with a significant increase in traffic with any violation rating.
  • Impact: Increase in transactions with any violation rating.
  • Default Thresholds:
    Web Exploits: The average number of transactions with a violation rating exceeded 10% in the past 24 hours and increased by a ratio of 0.1% out of all traffic over the past week.
    L7 DDoS Attacks: The average volume of active, simultaneous attacks increased in the past 24 hours.
  • Action (if applicable): Investigate transactions and fine tune your security policy/profile for new threats.

Alert: POTENTIALLY HARMFUL ATTACKS
  • Description: The number of objects with a transparent protection mode (Monitoring), that have an increase in bad traffic.
  • Impact: Increase in transactions with high violation rating.
  • Default Thresholds:
    Web Exploits: The rate of transactions with violation rating of 4 or 5 exceeded 0.1% in the past 24 hours.
    L7 DDoS Attacks: The volume of simultaneous active attacks increased in the past 24 hours.
  • Action (if applicable): Change security policy or profile to Blocking mode.

Alert: FALSE POSITIVE ATTACKS
  • Description: The number of objects with a blocking protection mode that have an increase in blocked traffic with a low violation rating.
  • Impact: Increase in blocked transactions.
  • Default Thresholds:
    Web Exploits: The rate of blocked transactions with a violation rating of 1 or 2 exceeded 0.01% over the past 24 hours.
  • Action (if applicable): Investigate blocked transactions and fine-tune your Web Application Security policy to allow valid transactions.

Alert: BLOCKED ATTACKS
  • Description: The number of objects with a blocking protection mode that blocked any bad traffic over the past 24 hours.
  • Impact: N/A
  • Default Thresholds: N/A
  • Action (if applicable): N/A
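
To see why a given object does or does not count toward an alert, the default Web Exploits thresholds above can be applied to per-object 24-hour counts. This is an added Python example, not F5 code: the record layout and sample numbers are constructed, rates are assumed to be taken over all of the object's transactions, and BAD TRAFFIC TRENDS is left out because it also needs the weekly baseline.

```python
# Default Web Exploits thresholds from the alert list, in percent (past 24 hours).
HARMFUL_PCT = 0.1           # violation rating 4 or 5, Monitoring-mode objects
FALSE_POSITIVE_PCT = 0.01   # blocked, violation rating 1 or 2, Blocking-mode objects

def pct(part, total):
    # Assumption: the rate is a share of all transactions seen by the object.
    return 100.0 * part / total if total else 0.0

def web_exploit_alerts(obj):
    """Return the alert names this object would count toward."""
    alerts = []
    if obj["mode"] == "Monitoring":
        by_rating = obj.get("by_rating", {})
        high = sum(by_rating.get(r, 0) for r in (4, 5))
        if pct(high, obj["total"]) > HARMFUL_PCT:
            alerts.append("POTENTIALLY HARMFUL ATTACKS")
    elif obj["mode"] == "Blocking":
        blocked = obj.get("blocked_by_rating", {})
        low = sum(blocked.get(r, 0) for r in (1, 2))
        if pct(low, obj["total"]) > FALSE_POSITIVE_PCT:
            alerts.append("FALSE POSITIVE ATTACKS")
        if sum(blocked.values()) > 0:          # any blocked bad traffic
            alerts.append("BLOCKED ATTACKS")
    return alerts

def alert_counts(objects):
    # Number of objects per alert, as shown in TRENDS AND IMPACTS.
    counts = {}
    for obj in objects:
        for name in web_exploit_alerts(obj):
            counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed 24-hour statistics (rating -> transaction count)
SAMPLE = [
    {"name": "shop", "mode": "Blocking", "total": 200000,
     "blocked_by_rating": {1: 15, 2: 10, 5: 40}},      # 25 low-rated blocks = 0.0125%
    {"name": "api", "mode": "Blocking", "total": 100000,
     "blocked_by_rating": {5: 3}},
    {"name": "legacy-vs", "mode": "Monitoring", "total": 50000,
     "by_rating": {3: 20, 4: 40, 5: 15}},              # 55 high-rated = 0.11%
    {"name": "blog", "mode": "Monitoring", "total": 80000,
     "by_rating": {4: 50}},                            # 0.0625%, below threshold
]
```

Because the alerts are gated on protection mode, an unprotected object never appears in these counts regardless of its traffic.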