Manual Chapter : Modify and Manage Layer 7 Security Objects

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0
Manual Chapter

Modify and Manage Layer 7 Security Objects

Managing objects with layer 7 security

The L7 Security dashboard provides central management and visibility of Web Application Security to all your system's virtual servers and applications, including applications with AS3 or legacy application configurations. This screen provides a single pane view for all objects, their application security configuration, logging settings, and protection status. You can use this screen to further analyze object information, or quickly edit the protection configuration.

Modifying object protection

The L7 Security Dashboard (
Monitoring
DASHBOARDS
L7 Security
) lists all deployed applications and virtual servers that are managed by your system.
When Web Application Security is provisioned, virtual servers and applications can have the following layer 7 (L7) security objects that can detect and mitigate bad traffic.
  • DoS Profiles
  • Web Application Security Policies
  • Bot Profiles (Bot Defense is available only to managed devices running BIG-IP v14.1 or later)
  • Log Profiles
You can use this list to manage the L7 protection and logging needs of all your objects. Object management capabilities include:
  • Edit protection settings for one or more application
  • Edit protection settings for one or more virtual server
  • Deploy bulk changes to multiple virtual servers
    The system automatically deploys changes to applications.

Policy compatibility with managed BIG-IP systems

ASM policies on managed BIG-IP systems must be compatible with your current version of BIG-IQ. Policies that are imported from, or exported to, a BIG-IP system that does not have proper version support, may result in unexpected policy behavior. This can include failed policy imports/exports and missing parameters.
For more information about BIG-IP version support on your current BIG-IQ system, see K34133507.

Limited Object Visibility

Object visibility is determined by your role based access permissions. Users with administrative privileges can view all profiles, policies, logs events, virtual servers and applications configured to BIG-IQ. Other users, with more restricted access privileges, will view only the objects defined in their user role. This includes summary information, available policies, and extended screens, such as the Web Application Security dashboard and event logs.
For more information about customizing object visibility and editing filters, based on user roles, see
Configuring Role Based Access for Application Security Objects
.

Monitoring Application and Virtual Server Security

The L7 Security dashboard provides information about the current status of your object protected by Web Application Security. The data found in the dashboard provides summary information about all your objects, and overview data specific to each object. All data listed on the screen displays data based on the cumulative data over the selected time settings. These time settings are located to the top left of the screen, and are constantly updated based on a refresh interval.

Summary Data

The summary bar located at the top of the screen provides status information about all objects listed on this screen. This includes status, configuration and alert data. For more information about the information found in the summary bar, see
Objects protection modes for Web Application Security
,
Protected objects with Web Application Security
,
Web Application Security alerts
.

Object Data

Each object row displays information about object configuration, protection, attacks, and bad traffic trends to each object. You can use this are to edit the object's configuration, or inspect log events and analytics data. For example, to view more detailed information about one or more objects' Web Application Security data, select the object's check box, click
View in...
and select
Web Application Security Dashboard
. This action will automatically filter the select object data.

Pre-requisites for viewing L7 protection data

To view the data for object listed in the L7 Security dashboard, you must configure the following settings. If you have not configured these settings, you will be able to view protected objects and their security settings, but you will not have visibility into the objects' data.
  • A Data Collection Device (DCD) configured to your BIG-IQ system.
  • Managed BIG-IP devices have ASM provisioned for managing security policies.
  • The BIG-IQ system has Shared Security (SSM) discovered to manage virtual servers' DoS and logging profiles.
  • Managed BIG-IP devices have AVR provisioned (recommended).

Manage layer 7 protection settings

To view object information you must have the following:
  • A Data Collection Device (DCD) configured to your BIG-IQ system.
  • Managed BIG-IP devices have ASM provisioned for managing security policies.
  • The BIG-IQ system has Shared Security (SSM) discovered to manage virtual servers' DoS and logging profiles.
  • Managed BIG-IP devices have AVR provisioned (recommended).
You identify the Layer 7 security configuration of your managed virtual servers and applications, so you can modify their security settings. To deploy changes, see
Deploy Layer 7 security
.
  1. Go to
    Monitoring
    DASHBOARDS
    L7 Dashboard
    The screen displays your protected objects, and provides summary data, based on the selected time settings. To change the scope of the time settings, use the control to the top left of the screen.
  2. To edit an object's security and logging settings, select one or more applications or virtual servers from the list.
  3. To attach a security object click
    Attach
    and select a security resource type from the list.
    For virtual servers, if you would like to immediately deploy change, limit the selection to 20 virtual servers.
    1. From the Choose resource to attach screen select a security resource.
      The list of resources is specific to your object selection. If you have selected multiple objects, only resources shared by your selection are available.
      If you are attaching a DoS profile, it is recommended to configure only one DoS profile per application. Remove any existing DoS profile for the selected applications, before adding a new profile.
    2. If you would like to deploy your changes to a virtual server immediately, select the check box for
      Deploy Virtual Servers
      .
      Deployment times vary depending on the selected virtual server. If you do not select this option, you can continue to adjust your virtual server's settings and conduct a bulk deployment for selected objects in the L7 Security Dashboard.
      When deploying to an application, these changes are automatically deployed when you complete the process.
    3. Click
      Continue
      to complete the process.
    4. To deploy bulk changes, select the check box for the virtual servers you would like to deploy, and click
      Deploy now
    5. To remove a security object click
      Detach
      and select the security object type from the list.
      The
      Detach Confirmation
      screen will request confirmation, click
      Continue
      to confirm the security object's removal.
    6. To remove a security object click
      Detach
      and select the security object type from the list.
  4. To remove a security object click
    Detach
    and select the security object type from the list.
    The Detach Confirmation screen will request confirmation, click
    Continue
    to confirm the security object's removal. This will immediately remove the object from your virtual serve/application.
Changes are immediately reflected in the L7 Security dashboard. Changes to applications will render an immediate update for the deployment process. The time required to complete the deployment process varies based on the number of objects selected.

Object protection modes for Web Application Security

The L7 Security dashboard (
Monitoring
DASHBOARDS
L7 Security
) displays objects with different protection modes.
Protected objects
consist of the applications or virtual severs that have a Web Application Security policy, DoS profile, or Bot Defense profile.
Object protection modes
The PROTECTION MODE area on this screen displays the number of managed objects for each protection mode.

Blocking

An object has a Blocking security mode if it has at least one of the following security configurations. Likewise, an application has a Blocking security mode if at least one of its assigned virtual servers has a Blocking protection mode.
Web Application Security Policy
The policy's Enforcement Mode is set to
Blocking
.
DoS Profile
The operation mode for TPS-based Detection is set to
Blocking
.
and/or
The operation mode for Behavioral & Stress-based Detection is set to
Blocking
.

Monitoring

An object has a
Monitoring
security mode if it has at least one of the following security configurations, and has no Blocking security configurations. Likewise, an application has a Monitoring security mode if at least one of its assigned virtual servers has a has a Monitoring protection mode and none of its virtual servers has a Blocking protection mode.
Web Application Security Policy
The policy's Enforcement Mode is set to
Transparent
.
DoS Profile
The operation mode for TPS-based Detection is set to Blocking .
and/or
The operation mode for Behavioral & Stress-based Detection is set to
Transparent
.

Not Protected

An object is not protected if it does not have a Monitoring or Blocking configuration. An application is not protected if all of its assigned virtual servers are not protected.

Protected objects with Web Application Security

The Layer 7 Security dashboard (
Monitoring
DASHBOARDS
L7 Security
) displays the applications and virtual servers monitored by BIG-IQ Centralized Management.
Protected objects
consist of the applications or virtual severs that have a Web Application Security policy or DoS profile with an enabled protection status. The PROTECTED OBJECTS area on this screen displays the number of protected objects, out of the total objects. The following describes the object count for this screen, regardless of protection status:
The number of managed protected objects, out of all the objects managed by your system.
Virtual Server
A stand-alone virtual server counts as a managed object (protected or unprotected) when it is not assigned to an application. The virtual server must have at least one HTTP profile. Once it is assigned to an application, the virtual server is no longer included in the total object count.
Application
Each application counts as an object (protected or unprotected). The application includes all its assigned virtual servers.

Web Application Security Alerts

Security alerts in the TRENDS AND IMPACTS area of the L7 Security dashboard (
Monitoring
DASHBOARDS
L7 Security
) notify you of the number of objects reporting Web Application Security policy (Web Exploits) or DoS profile (L7 DDoS Attacks) events over the past day (trend charts report the past week). These alerts indicate that a protected object (application or virtual server) recently experienced an increased rate in performance issues. To view data the corresponds with these traffic events go to
Monitoring
DASHBOARDS
DDoS
HTTP Analysis
To view the status of your deployed applications, go to
Applications
APPLICATIONS
.
Alert
Description
Impact
Default Thresholds
Action (if applicable)
BAD TRAFFIC TRENDS
The number of objects with a significant increase in traffic with any violation rating.
Increase in transactions with any violation rating.
Web Exploits: The average number of transactions with a violation rating exceeded 10% in the past 24 hours and increased by a ratio of 0.1% out of all traffic over the past week.
L7 DDoS Attacks: The average volume of active, simultaneous attacks increased in the past 24 hours.
Investigate transactions and fine tune your security policy/profile for new threats.
POTENTIALLY HARMFUL ATTACKS
The number of objects with a transparent protection mode (Monitoring), that have an increase in bad traffic.
Increase in transactions with high violation rating.
Web Exploits: The rate of transactions with violation rating of 4 or 5 exceeded 0.1% in the past 24 hours.
L7 DDoS Attacks: The volume of simultaneous active attacks increased in the past 24 hours.
Change security policy or profile to Blocking mode.
FALSE POSITIVE ATTACKS
The number of objects with a blocking protection mode that have an increase in blocked traffic with a low violation rating.
Increase in blocked transactions.
Web Exploits: The rate of blocked transactions with a violation rating of 1 or 2 exceeded 0.01% over the past 24 hours.
Investigate blocked transactions and fine-tune your Web Application Security policy to allow valid transactions.
BLOCKED ATTACKS
The number of objects with a blocking protection mode that blocked any bad traffic over the past 24 hours.
N/A
N/A
N/A