Manual Chapter : Managing Custom Attack Signatures and Signature Sets

Applies To:

Show Versions Show Versions
Manual Chapter

Managing Custom Attack Signatures and Signature Sets

About custom attack signatures

Attack signatures
are rules or patterns that identify attacks on a web application. When Application Security Manager® (ASM) receives a client request (or a server response), the system compares the request or response against the attack signatures associated with the security policy. If a matching pattern is detected, ASM triggers an attack-signature-detected violation, and either alarms or blocks the request, based on the enforcement mode of the security policy.
An ideal security policy includes only the attack signatures needed to defend the application. If too many are included, you waste resources on keeping up with signatures that you do not need. On the other hand, if you do not include enough, you might let an attack compromise your application without knowing it. If you are in doubt about a certain signature set, it is a good idea to include it in the policy rather than to omit it.
There are system-supplied signatures and custom (user-defined) signatures.
  • System-supplied signatures
    enforce policies for best-known attacks. F5 Networks provides:
    • Over 2,500 signatures to guard against many different types of attacks and protect networking elements such as operating systems, web servers, databases, frameworks, and applications.
    • Signatures that include rules of attack that are F5 intellectual property.
    • Signatures that you can view but not edit or remove. Also, you cannot view the rules governing these signatures.
    • Periodic updates.
    To learn more about system-supplied attack signatures, consult the BIG-IP system documentation.
  • Custom (user-defined) signatures
    are created by your organization for specific purposes in your environment. These signatures:
    • Are added to the attack signatures pool where F5 Networks stores them along with the system-supplied signatures.
    • Must adhere to a specific rule syntax (like system-supplied signatures).
    • Can be combined with system-supplied signatures or system-supplied sets to create custom signature sets.
    • Are never updated by F5 Networks, but are carried forward as-is when the system is updated to a new software version.
In BIG-IQ Web Application Security, you can obtain system-supplied or custom attack signatures through the device discovery process. These signatures are automatically deployed to all policies when the system performs a deployment.

Creating custom attack signatures

Custom (user-defined) attack signatures can handle security policy enforcement unique to your networking environment, emergency situations, or analysis of specific activity on the network. If your organization needs a custom attack signature, you can use the BIG-IQ Web Application Security Policy Editor to create one. You can then assign the new signature to system-supplied or custom attack signature sets.
  1. Log in with Administrator, Security Manager, or Web App Security Manager credentials.
  2. Navigate to the Policy Editor screen: click
    Web Application Security
    Policy Editor
    .
  3. On the left, click
    Attack Signatures
    .
    The Attack Signatures screen opens and lists all signatures available to the BIG-IQ system. The system lists the system-supplied (factory) signatures in static black text, and lists any custom signatures in blue text. Blue indicates a hyperlink. System-supplied signatures are locked as indicated by a green padlock icon.
    Note that you can click anywhere in a row to display the Signature Properties tab and the Documentation tab for the signature.
  4. At the right of the screen, click
    Add
    and use the Attack Signatures - New Item screen to supply the required information.
    The screen displays a blank template for signature properties.
  5. On the Signature properties tab, fill in fields and select options to define the new custom signature:
    1. In the
      Name
      field, type a unique name.
      If you attempt to create a custom signature with the same name as a system-supplied signature, you will receive an error message and the system will not create the signature.
    2. In the
      Description
      field, type an (optional) description.
    3. From the
      Signature Type
      list, select what the signature should examine:
      • Request
        . Use this signature to examine requests only.
      • Response
        . Use this signature to examine responses only.
    4. For
      Attack Type
      , select the threat classification.
    5. Select the
      Systems
      that you want protected by the signature: use the Move button to shift your choices from the
      Available
      list to the
      Enabled
      list.
    6. For the
      Rule
      setting, type a rule, according to the syntax guidelines, to specify the content of the signature.
      The rule is the heart of the attack signature. All attack signatures must adhere to the F5 attack signature syntax. Refer to the BIG-IP system documentation on signature options and signature syntax for details.
    7. For
      Accuracy
      , select the level that you want for the signature.
      The accuracy level indicates the ability of the attack signature to identify the attack, including susceptibility to false-positive alarms. Higher accuracy results in fewer false positives.
    8. For
      Risk
      , select the level of potential damage this attack might cause, if it were successful.
      • Low
        indicates the attack may assist the user in gathering knowledge to perpetrate further attacks, but does not cause direct damage or reveal highly sensitive data.
      • Medium
        indicates the attack may reveal sensitive data, or cause moderate damage.
      • High
        indicates the attack may cause a full system compromise, denial of service, and the like.
    9. The
      User-defined
      field specifies whether the screen displays signatures based on who created them. Currently, it defaults to
      Yes
      , indicating that the signature was created by a user. You cannot change the setting.
  6. When you are finished, click
    Save
    to save the new custom attack signature.
    Clicking
    Save and Close
    prompts the system to return to the Attack Signatures screen.
    Custom signatures appear in blue and are hyperlinks to an edit screen. Click anywhere on the row except the link to display Signature Properties at the bottom of the screen.
The system places the new custom attack signature into the attack signature pool, and adds it to the signature sets for the systems you specified. The custom signature is put in staging for all policies that have this signature in their assigned signature sets. It is a good idea to make sure that the system added the new signature to the appropriate security policies.

About signature staging

When you first activate a security policy, the system places the attack signatures into staging (if staging is enabled for the policy).
Staging
means that the system applies the attack signatures to the web application traffic, but does not apply the blocking policy action to requests that trigger those attack signatures. The default staging period is seven days.
Whenever you add or change signatures in assigned sets, those signatures are also placed in staging. You also have the option of placing updated signatures in staging.
Placing new and updated attack signatures in staging helps to reduce the number of violations triggered by false-positive matches. When signatures match attack patterns during the staging period, the system generates learning suggestions. If you see that an attack signature violation has occurred, you can view and evaluate these attack signatures. After evaluation, if the signature is a false-positive, you can disable the signature, and the system no longer applies that signature to traffic for the corresponding web application. Alternately, if the detected signature match is legitimate, you can enable the corresponding attack signature.
Enabling the signature removes it from staging, and puts the blocking policy into effect.

About custom attack signature sets

An
Attack signature set
is a group of attack signatures. Rather than applying individual attack signatures to a security policy, you can apply one or more attack signature sets. The Application Security Manager ships with several system-supplied signature sets.
Each security policy has its own attack signature set assignments. By default, a generic signature set is assigned to new security policies. You can assign additional signature sets to the security policy. Sets are named logically so you can tell which ones to choose. Additionally, you can combine custom attack signatures with system-supplied signatures or system-supplied sets to create custom signature sets.
An ideal security policy includes only the attack signature sets needed to defend the application. If too many are included, you waste resources on keeping up with signatures that you do not need. On the other hand, if you do not include enough, you might let an attack compromise your application without knowing it. If you are in doubt about a certain signature set, it is a good idea to include it in the policy rather than to omit it.
In Web Application Security, you can obtain system-supplied or custom attack signature sets through the device discovery process. You can assign these sets to security policies. Then, you can deploy those policies to BIG-IP devices.

Add custom attack signature sets

You can use the Web Application Security policy editor to add custom (user-defined) attack signature sets. Like system-supplied signature sets,
custom signature sets
contain signatures from the signature pool. Once you create a custom signature set, you can apply it to the security policy to protect web applications against known attacks.
  1. Log in with Administrator, Security Manager, or Web App Security Manager credentials.
  2. At the top left of the screen, select
    Web Application Security
    from the BIG-IQ menu.
    The Web Application Security Policy Editor screen opens.
  3. On the left, click
    SIGNATURE SETS
    .
    The default, system-supplied signature sets are displayed on the Signature Sets screen, along with any user-defined sets. By default, the system lists signature sets in alphabetical order by name.
  4. Click
    Add
    and use the Signature Sets - New Item screen to supply the required information.
  5. On the Properties tab, type a unique name for the signature set.
  6. From the
    Type
    list, select how to create the signature set.
    • Select
      Filter-based
      to create a signature set by using a filter only.
    • Select
      Manual
      to manually assign signatures to a signature set.
    Selecting
    Manual
    causes the Signatures Filter tab to be hidden, since it will not be used, and changes the fields displayed on the Signatures tab.
    You can create or edit a signature set by configuring a filter to select from the signature pool signatures that meet specific criteria. Using a filter enables you to focus on the criteria that define the signatures you are interested in. When you update the signatures database, the system also updates any signature sets affected by the update.
  7. For
    Default Blocking Actions
    , select the blocking actions you want the system to enforce for the set when you associate it with a new security policy.
    The
    Learn
    ,
    Alarm
    , and
    Block
    actions take effect only when you assign this set to a new security policy. If this set is already assigned to an existing security policy, these settings have no effect.
  8. If you want the system to automatically include this set in any newly-created security policies, enable the
    Assign to Policy by Default
    setting.
  9. Click the Signatures Filter tab, and select the filter options to narrow the scope of the signatures to include in the new signature set. This tab is only displayed when the signature set type is set to
    Filter-based
    .
    1. Select a
      Signature Type
      to include the type of signatures the system displays.
      • All
        traffic is the default.
      • Request
        only. Signatures that are configured to inspect the client request.
      • Response
        only. Signatures that are configured to inspect the server response.
    2. From the
      Attack Type
      list, specify the threat classifications for which to include signatures in the set.
      • Select
        All
        for signatures with all Attack Type values, which is the default.
      • Select an attack type for signatures configured to protect against that specific attack type.
    3. From the
      Systems
      lists, specify the systems (for example web applications, web server databases, and application frameworks) that you want protected by the set.
    4. From the
      Accuracy
      list, select the accuracy association.
      • All
        specifies signatures that match all accuracy levels, which is the default.
      • Equals
        specifies signatures whose accuracy levels exactly match the accuracy level you set.
      • Greater Than/Equal To
        specifies signatures whose accuracy levels are more precise than, or the same as, the accuracy level you set.
      • Less Than/Equal To
        specifies signatures whose accuracy levels are less precise than, or the same as, the accuracy level you set.
    5. From the resulting list, select the accuracy level.
      • Low
        indicates a high likelihood of false positives.
      • Medium
        indicates some likelihood of false positives.
      • High
        indicates a low likelihood of false positives.
    6. From the
      Risk
      list, select the risk association.
      • All
        specifies signatures that protect against attacks of all risk levels, which is the default.
      • Equals
        specifies signatures whose risk levels exactly match the risk level you set.
      • Greater Than/Equal To
        specifies signatures whose risk levels are higher than, or the same as, the risk level you set.
      • Less Than/Equal To
        specifies signatures whose risk levels are lower than, or the same as, the risk level you set.
    7. From the resulting list, select the risk level; the level of potential damage for attacks protected by the signatures in the set.
      • Low
        indicates the attack may assist the user in gathering knowledge to perpetrate further attacks, but does not cause direct damage or reveal highly sensitive data.
      • Medium
        indicates the attack may reveal sensitive data, or cause moderate damage.
      • High
        indicates the attack may cause a full system compromise, denial of service, and the like.
    8. For
      User-defined
      , specify whether to include signatures based on who created them: the user (
      Yes
      ), the system (
      No
      ), or both (
      All
      ).
    9. For
      Update Date
      , specify whether to include all signatures in the set based on the date the signature was changed (
      All
      ), only signatures added before the date the signature was changed (
      Before
      ), or only signatures added after the signature was changed (
      After
      ).
      If specifying
      Before
      or
      After
      , use the calendar icon to specify a date.
  10. Click the Signatures tab.
    The Signatures tab appears differently depending on whether the signature set is user-defined (also called custom) or system-supplied (also called a factory signature set), and if user-defined, then whether
    Type
    on the Properties tab is set to
    Filter-based
    or
    Manual
    .
    • If the signature set is system-supplied, the Signatures tab lists the signatures selected for the signature set.
    • If the signature set is user-defined and
      Type
      is set to
      Filter-based
      , the Signatures tab lists the signatures selected using the criteria set by the Signature Filters tab. The list content changes dynamically based on changes to the Signature Filters tab.
    • If the signature set is user-defined and
      Type
      is set to
      Manual
      , the Signatures tab lists a selectable list of signatures. If you want to view only a subset of the signatures, click
      Signatures Advanced Filter
      at the top of the Signatures tab to filter the signatures shown.
  11. In the Included Policies tab, view the policies (if any) that enforce this signature set.
    Each security policy enforces one or more signature sets. The decision about which signature sets to include occurs when creating a security policy. You can assign additional signature sets to the security policy.
  12. When you are finished, click
    Save
    to save the new custom attack signature set.
    Clicking
    Save and Close
    prompts the system to return to the Signature Sets screen and display the new set.
    Sets are listed in alphabetical order; custom sets appear in blue.
The new signature set is added to the list of signature sets that are available on the system, and is available to be applied when creating new security policies. If, in the future, you no longer need a custom signature set, you can delete it. Note that when you delete a custom signature set, you are deleting the set; you are not deleting the signatures that made up the set.

Edit custom attack signature sets

You can use the Web Application Security policy editor to edit custom attack signature sets. Once you edit a custom signature set, you can apply it to the security policy to protect your web applications in ways that are unique to your needs.
  1. Log in with Administrator, Security Manager, or Web App Security Manager credentials.
  2. At the top left of the screen, select
    Web Application Security
    from the BIG-IQ menu.
    The Web Application Security Policy Editor screen opens.
  3. On the left, click
    Signature Sets.
    The system displays the default, system-supplied signature sets, along with any user-defined sets. By default, the system lists signature sets in alphabetical order by name.
  4. Click the name of the signature set that you want to change and use the Signature Sets screen to modify the settings.
  5. On the Properties tab, revise the settings for this custom attack signature set, as needed.
    Note that
    Name
    and
    Category
    are not editable fields.
  6. From the
    Type
    list, you can modify how to create the signature set.
    • Select
      Filter-based
      to create a signature set by using a filter only.
    • Select
      Manual
      to manually assign signatures to a signature set.
    Selecting
    Manual
    causes the Signatures Filter tab to be hidden since it will not be used, and changes the fields displayed on the Signatures tab.
    You can create or edit a signature set by configuring a filter to select from the signature pool signatures that meet specific criteria. Using a filter enables you to focus on the criteria that define the signatures you are interested in. When you update the signatures database, the system also updates any signature sets affected by the update.
  7. For
    Default Blocking Actions
    , select the blocking actions you want the system to enforce for the set when you associate it with a new security policy.
    The
    Learn
    ,
    Alarm
    , and
    Block
    actions take effect only when you assign this set to a new security policy. If this set is already assigned to an existing security policy, these settings have no effect.
  8. If you want the system to automatically include this set in any newly-created security policies, enable the
    Assign to Policy by Default
    setting.
  9. Click the Signatures Filter tab, and select the filter options to narrow the scope of the signatures to include in the new signature set.
    This tab is only displayed when the signature set type is set to
    Filter-based
    .
    1. Select a
      Signature Type
      to include the type of signatures the system displays.
      • All
        traffic is the default.
      • Requests
        only. Include signatures that are configured to inspect the client request.
      • Responses
        only. Include signatures that are configured to inspect the server response.
    2. From the
      Attack Type
      list, specify the threat classifications for which to include signatures in the set.
      • Select
        All
        for signatures with all Attack Type values, which is the default.
      • Select an attack type for signatures configured to protect against that specific attack type.
    3. From the
      Systems
      lists, specify the systems (for example web applications, web server databases, and application frameworks) that you want protected by the set.
    4. From the
      Accuracy
      list, select the accuracy association.
      • All
        specifies signatures that match all accuracy levels, which is the default.
      • Equals
        specifies signatures whose accuracy levels exactly match the accuracy level you set.
      • Greater Than/Equal To
        specifies signatures whose accuracy levels are more precise than, or the same as, the accuracy level you set.
      • Less Than/Equal To
        specifies signatures whose accuracy levels are less precise than, or the same as, the accuracy level you set.
    5. From the resulting list, select the accuracy level.
      • Low
        indicates a high likelihood of false positives.
      • Medium
        indicates some likelihood of false positives.
      • High
        indicates a low likelihood of false positives.
    6. From the
      Risk
      list, select the risk association.
      • All
        specifies signatures that protect against attacks of all risk levels, which is the default.
      • Equals
        specifies signatures whose risk levels exactly match the risk level you set.
      • Greater Than/Equal To
        specifies signatures whose risk levels are higher than, or the same as, the risk level you set.
      • Less Than/Equal To
        specifies signatures whose risk levels are lower than, or the same as, the risk level you set.
    7. From the resulting list, select the risk level; the level of potential damage for attacks protected by the signatures in the set.
      • Low
        indicates the attack may assist the user in gathering knowledge to perpetrate further attacks, but does not cause direct damage or reveal highly sensitive data.
      • Medium
        indicates the attack may reveal sensitive data, or cause moderate damage.
      • High
        indicates the attack may cause a full system compromise, denial of service, and the like.
    8. For
      User-defined
      , specify whether to include signatures based on who created them: the user (
      Yes
      ), the system (
      No
      ), or both (
      All
      ).
    9. For
      Update Date
      , specify whether to include all signatures in the set based on the date the signature was changed (
      All
      ), only signatures added before the date the signature was changed (
      Before
      ), or only signatures added after the signature was changed (
      After
      ).
      If specifying
      Before
      or
      After
      , use the calendar icon to specify a date.
  10. Click the Signatures tab.
    The Signatures tab appears differently depending on whether the signature set is user-defined (also called custom) or system-supplied (also called a factory signature set), and if user-defined, then whether
    Type
    on the Properties tab is set to
    Filter-based
    or
    Manual
    .
    • If the signature set is system-supplied, the Signatures tab lists the signatures selected for the signature set.
    • If the signature set is user-defined and
      Type
      is set to
      Filter-based
      , the Signatures tab lists the signatures selected using the criteria set by the Signature Filters tab. The list content changes dynamically based on changes to the Signature Filters tab.
    • If the signature set is user-defined and
      Type
      is set to
      Manual
      , the Signatures tab lists a selectable list of signatures. If you want to view only a subset of the signatures, click
      Signatures Advanced Filter
      at the top of the Signatures tab to filter the signatures shown.
  11. Click the Included Policies tab, and view the policies (if any) that enforce this signature set.
    Each security policy enforces one or more signature sets. The decision about which signature sets to include occurs when creating a security policy. You can assign additional signature sets to the security policy.
  12. When you are finished, click
    Save
    to save the new custom attack signature set.
    Clicking
    Save and Close
    prompts the system to return to the Signature Sets screen and display the new set.
    The system lists sets in alphabetical order, custom sets appear in blue
The edited signature set is available for application when creating new security policies. If, in the future, you no longer need a custom signature set, you can delete it. Note that when you delete a custom signature set, you are deleting the set; you are not deleting the signatures that made up the set.

Signatures advanced filter properties

The
Signatures Advanced Filter
option and properties are only available on the Signatures tab when the signature set type is manual.
Signatures Advanced Filter Property
Description
Signature Type
Specifies what type of signatures to include in the signature set.
  • Select
    All
    to include both requests and responses.
  • Select
    Request
    to include only requests.
  • Select
    Response
    to include only responses.
Signature Scope
Specifies whether the system displays all signatures, or only those that do, or do not, apply to parameters, cookies, XML documents, JSON data, GWT data, headers, URI content, and request or response content.
  • Select
    All
    to include all signatures, which is the default.
  • Select
    Parameter
    to specify whether the system displays signatures that apply to alpha-numeric user-input parameters. Then select
    No
    or
    Yes
    .
    • No
      specifies only signatures that do not apply to parameters.
    • Yes
      specifies only signatures that apply to parameters.
  • Select
    Cookie
    to specify whether the system displays signatures that apply to allowed cookies. Then select
    No
    or
    Yes
    .
    • No
      specifies only signatures that do not apply to allowed cookies.
    • Yes
      specifies only signatures that apply to allowed cookies.
  • Select
    XML
    to specify whether the system displays signatures that apply to XML documents. XML documents may appear as the values of XML parameters defined in the security policy, or as the body of requests to URLs to be parsed as XML, as defined in the security policy. Then select
    No
    or
    Yes
    .
    • No
      specifies only signatures that do not apply to XML documents.
    • Yes
      specifies only signatures that apply to XML documents.
  • Select
    JSON
    to specify whether the system displays signatures that apply to JSON data. JSON data may appear as the values of JSON parameters defined in the security policy, or as the body of requests to URLs to be parsed as JSON, as defined in the security policy. Then select
    No
    or
    Yes
    .
    • No
      specifies only signatures that do not apply to JSON data.
    • Yes
      specifies only signatures that apply to JSON data.
  • Select
    GWT
    to specify whether the system displays signatures that apply to GWT data. GWT data may appear as the body of requests to URLs to be parsed as GWT, as defined in the security policy. Then select
    No
    or
    Yes
    .
    • No
      specifies only signatures that do not apply to GWT data.
    • Yes
      specifies only signatures that apply to GWT data.
  • Select
    Header
    to specify whether the system displays signatures that apply to headers. Then select
    No
    or
    Yes
    .
    • No
      specifies only signatures that do not apply to headers.
    • Yes
      specifies only signatures that apply to headers.
  • Select
    URI
    to specify whether the system displays signatures that apply to URI content. Then select
    No
    or
    Yes
    .
    • No
      specifies only signatures that do not apply to URI content.
    • Yes
      specifies only signatures that apply to URI content.
  • Select
    Request Content
    to specify whether the system displays signatures that apply to the entire request content. Then select
    No
    or
    Yes
    .
    • No
      specifies only signatures that do not apply to the entire request content.
    • Yes
      specifies only signatures that apply to the entire request content.
  • Select
    Response Content
    to specify whether the system displays signatures that apply to the entire response content. Then select
    No
    or
    Yes
    .
    • No
      specifies only signatures that do not apply to the entire response content.
    • Yes
      specifies only signatures that apply to the entire response content.
Attack Type
Specifies which attack type should be included in the set. Select
All
to include all attack types.
Systems
Specifies the systems (for example web applications, web server databases, and application frameworks) that you want protected by the set.
Accuracy
Specifies the accuracy level of the signature. Higher accuracy results in fewer false positives.
  • Select
    All
    to specify that all signatures should be included, regardless of accuracy level.
  • Select
    Equals
    to specify signatures with a single accuracy level, then select the accuracy level to be
    Low
    ,
    Medium
    , or
    High
    .
  • Select
    Greater Than/Equal To
    to specify that the accuracy level of the signatures should be greater than or equal to the specified accuracy level, then select the level to be
    Low
    ,
    Medium
    , or
    High
    .
  • Select
    Less Than/Equal To
    to specify that the accuracy level of the signatures should be less than or equal to the specified accuracy level, then select the level to be
    Low
    ,
    Medium
    , or
    High
    .
Risk
Specifies the level of potential damage that the signature protects against.
  • Select
    All
    to specify that all signatures should be included, regardless of risk level.
  • Select
    Equals
    to specify a single risk level, then select the risk level to be
    Low
    ,
    Medium
    , or
    High
    .
  • Select
    Greater Than/Equal To
    to specify that the risk level should be greater than or equal to the specified risk level, then select the level to be
    Low
    ,
    Medium
    , or
    High
    .
  • Select
    Less Than/Equal To
    to specify that the risk level should be less than or equal to the specified risk level, then select the level to be
    Low
    ,
    Medium
    , or
    High
    .
User-defined
Specifies whether to include attack signatures based on who created them.
  • Select
    All
    to specify that all signatures should be included, including those defined by the system and by users.
  • Select
    Yes
    to specify that only user-defined signatures should be included.
  • Select
    No
    to specify that only system-defined signatures should be included.
Update Date
Specifies whether to include signatures in the set based on when the signature was last updated or added.
  • Select
    All
    to include all signatures, regardless of when they were last updated.
  • Select
    Before
    to include all signatures updated before a specified date, and then select the date using the displayed
    Select Date
    button.
  • Select
    After
    to include all signatures updated after a specified date, and then select the date using the displayed Select Date button.
Signatures
Specifies the signatures that should be included in the signature set. The available signatures list displayed changes based on the
Signatures Advanced Filter
settings. You can use the
Filter
field above the Available list to search for particular signatures. Add signatures to the signature list by moving them from the Available list to the Selected list.

Assign custom attack signature sets

You use the Web Application Security policy editor to assign a custom attack signature set to a policy.
Each security policy enforces one or more attack signature sets. You can assign additional attack signature sets to the security policy.
  1. Log in with Administrator, Security Manager, or Web App Security Manager credentials.
  2. Navigate to the Policy Editor screen: click
    Web Application Security
    Policy Editor
    , select a policy name, and from the
    Policy objects
    list, select
    Attack Signatures Configuration
    .
  3. Click
    Edit
    .
    The policy is placed under administrative lock and fields become editable.
  4. From the
    Attack Signature Set Assignment
    list, select attack signature sets to assign to the policy.
    Any newly-created custom signature sets appear in the list.
  5. When you are finished, click
    Save
    to save the new assignment and unlock the policy.
The system assigns the signature sets to the security policy, and the blocking policy applies to all of the signatures in the signature set. Any changes made subsequently are put into effect in the working configuration of the BIG-IQ Centralized Management system.