Manual Chapter : Publishing Security Policies and Profiles to Application Templates

Applies To:

Show Versions Show Versions
Manual Chapter

Publishing Security Policies and Profiles to Application Templates

About making security policies and profiles available to application templates

The BIG-IQ Centralized Management system provides a set of default security policies and profiles to make it easier to add security to your applications. You can use these default policies and profiles, modify them, or for Web Application Security policies, create your own defaults. You can make these types of security policies or profiles available to an application template:
  • Network Security firewall policies
  • Web Application Security policies
  • Shared Security DoS profiles
  • Shared Security logging profiles
This is the general process for publishing security policies or profiles so that they can be used in an application template and application.
  1. The security administrator uses the Configuration screens of BIG-IQ Centralized Management to edit a policy or profile so that it can be marked as available to application templates, and make any other needed changes. You can use the default profiles or policies provided, or identify other application security policies and logging profiles as defaults for the application templates. The security administrator can then publish policies and profiles one at a time, or publish several at a time if there are no other changes to make.
    You may have different administrators responsible for configuring different security areas, such as firewall security or web application security. If so, multiple administrators may need to be involved.
  2. The BIG-IQ administrator uses the Application screens of the BIG-IQ system to create an application template that includes the new security policy or profile.
  3. The application manager creates an application that uses the security policy or profile from the application template that contained it.
  4. The application manager saves the completed application, which causes the BIG-IQ system to automatically deploy the security policy or profile to the specified BIG-IP devices.
  5. Once the security policies or profiles are deployed, the application manager can use the associated application to monitor and manage those security policies or profiles on the BIG-IP devices.
If application changes are needed, the application manager or BIG-IQ administrator makes them using the BIG-IQ Application screens. If policy or profile changes are needed, the appropriate security administrator makes them using the BIG-IQ Configuration screens, and then deploys the updated policy or profile. Once deployed, the updated policy or profile is automatically available to the applications that use it.

Make a Network Security firewall policy available to an application template

If you want to add a Network Security firewall policy to an application, you must first make that firewall policy available in an application template.
  1. Click
    Configuration
    SECURITY
    Network Security
    Firewall Policies
    .
  2. Review the application templates that are currently using firewall policies.
    1. Review what policies are already available to application templates by looking at the Available in Application Templates column.
    2. To view any application templates that use this policy, select the check box to the left of the policy name. This displays additional details about the policy in the area below the policy list. Then in the Related Items area, click
      Show
      .
    You use this information to verify that the expected policies have been made available to the application templates. This lets you consider the potential impact of changing or deleting a policy that is being used by an application template.
  3. Publish the policy.
    • To publish one or more policies at once, select the check box to the left of the policy names, click
      More
      , and select
      Make available for templates
      .
    • To publish a single policy while modifying that policy, click the name of the policy to modify and then on the left click
      Properties
      . Then in the
      Application Templates
      setting, click
      Make available in Application Templates
      .
  4. Save your work.
You can now select the Network Security policy or policies from the application templates when creating an application. The application manager can now create an application that uses the security policy from the application template that included it. When the application is created, the security policy is deployed as part of a partial deployment to the specified BIG-IP devices.
If a security policy changes, applications using the security policy will receive those changes when the updated policy is deployed to the BIG-IP devices.

Make a Web Application Security application policy available to an application template

If you want to add a Web Application Security policy to an application, you must first make that policy available in an application template.
You cannot make parent policies available in application templates.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Review the application templates that are currently using application policies.
    1. Review what policies are already available to application templates by looking at the Available for Templates column.
    2. To view any application templates that use this policy, select the check box to the left of the policy name. This displays additional details about the policy in the area below the policy list. Then in the Related Items area, click
      Show
      .
    You use this information to verify that the expected policies have been made available to the application templates. This lets you review the potential impact of changing or deleting a policy that is being used by an application template.
  3. Publish the policy.
    • To publish one or more policies at once, select the check box to the left of the policy names, click
      More
      , and select
      Make available for templates
      .
    • To publish a single policy while modifying it, click the name of the policy to modify and then on the left click
      General Properties
      . Then in the
      Application Templates
      setting, click
      Make available in Application Templates
      .
  4. Optionally, set a policy as the default for application templates. Select the check box to the left of the policy and click
    More
    , and select
    Use as Default Policy
    .
    The BIG-IQ system supplies a default policy for application templates that you can modify, if needed. The policyis named
    templates-default
    .
  5. Save your work.
You can now select the Web Application Security policy from the application templates when creating an application. The application manager can now create an application that uses the security policy from the application template that included it. When the application is created, the security policy is deployed as part of a partial deployment to the specified BIG-IP devices.
If a security policy changes, applications using the security policy will receive those changes when the updated policy is deployed.

Make a logging profile available to an application template

You make a logging profile available to an application template so that it can then be used by an application. A logging profile is used by security policies to select where events are logged, and which items (such as which parts of requests, or which type of errors) are logged.
  1. Click
    Configuration
    SECURITY
    Shared Security
    Logging Profiles
    .
  2. Review the application templates that are currently using the logging profile.
    1. Review what profiles are already available to application templates by looking at the Available in Application Templates column.
    2. To view any application templates that use this profile, select the check box to the left of the profile name. This displays additional details about the profile in the area below the profile list. Then in the Related Items area, click
      Show
      .
    You use this information to verify that the expected profiles have been made available to the application templates. This lets you know the potential impact of changing or deleting a profile that is being used by an application template.
  3. Publish the profile.
    • To publish one or more profiles, select the check box to the left of the profile names, and select
      Make available for templates
      .
    • To publish a single profile while modifying it, click the name of the profile to modify and then on the left click
      Properties
      . Then in the
      Application Templates
      setting, select
      Make available in Application Templates
      .
    The default logging profile
    templates-default
    is shipped as part of the BIG-IQ system.
  4. Save your work.
You can now select the profile from the application templates when creating an application. The application manager can now create an application that uses the profile from the application template that included it. When the application is created, the profile is deployed as part of a partial deployment to the specified BIG-IP devices.
If a profile changes, applications using the profile will receive those changes when the updated profile is deployed.

Make a DoS profile available to an application template

You make a DoS profile available to an application template so that it can then be used by an application. DoS profiles define how to protect against DoS attacks and can be used with a security policy.
  1. Click
    Configuration
    SECURITY
    Shared Security
    DoS Protection
    DoS Profiles
    .
  2. Review the application templates that are currently using the DoS profile.
    1. Review what profiles are already available to application templates by looking at the Available in Application Templates column.
    2. To view any application templates that use this profile, select the check box to the left of the profile name. This displays additional details about the profile in the area below the profile list. Then in the Related Items area, click
      Show
      .
    You use this information to verify that the expected profiles have been made available to the application templates. This lets you know the potential impact of changing or deleting a profile that is being used by an application template.
  3. Publish the profile.
    • To publish one or more profiles, select the check box to the left of the profile names, and select
      Make available for templates
      .
    • To publish a single profile while modifying it, click the name of the profile to modify and then on the left click
      Properties
      . Then in the
      Application Templates
      setting, select
      Make available in Application Templates
      .
  4. Save your work.
You can now select the profile from the application templates when creating an application. The application manager can now create an application that uses the profile from the application template that included it. When the application is created, the profile is deployed as part of a partial deployment to the specified BIG-IP devices.
If a profile changes, applications using the profile will receive those changes when the updated profile is deployed.