Manual Chapter: Modify and Manage Layer 7 Security Objects
Applies To: BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0, 8.0.0
Managing objects with layer 7 security
The L7 Security dashboard provides central management and visibility of Web Application Security for all of your system's virtual servers and applications, including applications with AS3 or legacy application configurations. This screen provides a single-pane view of all objects, their application security configuration, logging settings, and protection status. You can use this screen to further analyze object information, or to quickly edit the protection configuration.
Modifying object protection
The L7 Security Dashboard ( ) lists all deployed applications and virtual servers that are managed by your system. When Web Application Security is provisioned, virtual servers and applications can have the following layer 7 (L7) security objects, which detect and mitigate bad traffic.
- DoS Profiles
- Web Application Security Policies
- Bot Profiles (Bot Defense is available only to managed devices running BIG-IP v14.1 or later)
- Log Profiles
You can use this list to manage the L7 protection and logging needs of all your objects. Object management capabilities include:
- Edit protection settings for one or more applications
- Edit protection settings for one or more virtual servers
- Deploy bulk changes to multiple virtual servers. The system automatically deploys changes to applications.
Policy compatibility with managed BIG-IP systems
ASM policies on managed BIG-IP systems must be compatible with your current version of BIG-IQ. Policies that are imported from, or exported to, a BIG-IP system that does not have proper version support may result in unexpected policy behavior. This can include failed policy imports/exports and missing parameters.
For more information about BIG-IP version support on your current BIG-IQ system, see K34133507.
Limited Object Visibility
Object visibility is determined by your role-based access permissions. Users with administrative privileges can view all profiles, policies, log events, virtual servers and applications configured on BIG-IQ. Other users, with more restricted access privileges, see only the objects defined in their user role. This applies to summary information, available policies, and extended screens, such as the Web Application Security dashboard and event logs. For more information about customizing object visibility and editing filters based on user roles, see Configuring Role Based Access for Application Security Objects.
Monitoring Application and Virtual Server Security
The L7 Security dashboard provides information about the current status of your objects protected by Web Application Security. The dashboard provides summary information about all your objects, and overview data specific to each object. All data on the screen is cumulative over the selected time range. The time settings are located at the top left of the screen, and the data is refreshed at a regular interval.
Summary Data
The summary bar located at the top of the screen provides status information about all objects listed on this screen. This includes status, configuration and alert data. For more information about the information found in the summary bar, see Object protection modes for Web Application Security, Protected objects with Web Application Security, and Web Application Security alerts.
Object Data
Each object row displays information about object configuration, protection, attacks, and bad traffic trends for that object. You can use this area to edit the object's configuration, or to inspect log events and analytics data. For example, to view more detailed information about one or more objects' Web Application Security data, select the object's check box, click View in... and select Web Application Security Dashboard. This action automatically filters the dashboard to the selected objects' data.
Pre-requisites for viewing L7 protection data
To view the data for objects listed in the L7 Security dashboard, you must configure the following settings. If you have not configured these settings, you will be able to view protected objects and their security settings, but you will not have visibility into the objects' data.
- A Data Collection Device (DCD) configured to your BIG-IQ system.
- Managed BIG-IP devices have ASM provisioned for managing security policies.
- The BIG-IQ system has Shared Security (SSM) discovered to manage virtual servers' DoS and logging profiles.
- Managed BIG-IP devices have AVR provisioned (recommended).
Manage layer 7 protection settings
To view object information, you must have the following:
- A Data Collection Device (DCD) configured to your BIG-IQ system.
- Managed BIG-IP devices have ASM provisioned for managing security policies.
- The BIG-IQ system has Shared Security (SSM) discovered to manage virtual servers' DoS and logging profiles.
- Managed BIG-IP devices have AVR provisioned (recommended).
You identify the Layer 7 security configuration of your managed virtual servers and applications, so you can modify their security settings. To deploy changes, see Deploy Layer 7 security.
- Go to . The screen displays your protected objects, and provides summary data based on the selected time settings. To change the scope of the time settings, use the control at the top left of the screen.
- To edit an object's security and logging settings, select one or more applications or virtual servers from the list.
- To attach a security object, click Attach and select a security resource type from the list. For virtual servers, if you would like to deploy the change immediately, limit the selection to 20 virtual servers.
- From the Choose resource to attach screen, select a security resource. The list of resources is specific to your object selection. If you have selected multiple objects, only resources shared by your selection are available. If you are attaching a DoS profile, it is recommended to configure only one DoS profile per application. Remove any existing DoS profile for the selected applications before adding a new profile.
- If you would like to deploy your changes to a virtual server immediately, select the check box for Deploy Virtual Servers. Deployment times vary depending on the selected virtual server. If you do not select this option, you can continue to adjust your virtual server's settings and conduct a bulk deployment for selected objects in the L7 Security Dashboard. When deploying to an application, the changes are deployed automatically when you complete the process.
- Click Continue to complete the process.
- To deploy bulk changes, select the check box for the virtual servers you would like to deploy, and click Deploy now.
- To remove a security object, click Detach and select the security object type from the list. The Detach Confirmation screen will request confirmation; click Continue to confirm the security object's removal. This immediately removes the object from your virtual server/application.
Changes are immediately reflected in the L7 Security dashboard. Changes to applications start the deployment process immediately. The time required to complete the deployment process varies based on the number of objects selected.
Object protection modes for Web Application Security
The L7 Security dashboard ( ) displays objects with different protection modes. Protected objects consist of the applications or virtual servers that have a Web Application Security policy, DoS profile, or Bot Defense profile.
Blocking
An object has a Blocking security mode if it has at least one of the following security configurations. Likewise, an application has a Blocking security mode if at least one of its assigned virtual servers has a Blocking protection mode.
- Web Application Security Policy
  - The policy's Enforcement Mode is set to Blocking.
- DoS Profile
  - The operation mode for TPS-based Detection is set to Blocking.
  - and/or
  - The operation mode for Behavioral & Stress-based Detection is set to Blocking.
Monitoring
An object has a Monitoring security mode if it has at least one of the following security configurations, and has no Blocking security configurations. Likewise, an application has a Monitoring security mode if at least one of its assigned virtual servers has a Monitoring protection mode and none of its virtual servers has a Blocking protection mode.
- Web Application Security Policy
  - The policy's Enforcement Mode is set to Transparent.
- DoS Profile
  - The operation mode for TPS-based Detection is set to Transparent.
  - and/or
  - The operation mode for Behavioral & Stress-based Detection is set to Transparent.
Not Protected
An object is not protected if it does not have a Monitoring or Blocking configuration. An application is not protected if all of its assigned virtual servers are not protected.
Protected objects with Web Application Security
The Layer 7 Security dashboard ( ) displays the applications and virtual servers monitored by BIG-IQ Centralized Management. Protected objects consist of the applications or virtual servers that have a Web Application Security policy or DoS profile with an enabled protection status. The PROTECTED OBJECTS area on this screen displays the number of protected objects, out of the total objects. The following describes the object count for this screen, regardless of protection status:
- Virtual Server
  - A stand-alone virtual server counts as a managed object (protected or unprotected) when it is not assigned to an application. The virtual server must have at least one HTTP profile. Once it is assigned to an application, the virtual server is no longer included in the total object count.
- Application
  - Each application counts as an object (protected or unprotected). The application includes all its assigned virtual servers.
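The protection-mode rules (Blocking, Monitoring, Not Protected) and the object-counting rules above, worked through as an added Python example that is not part of this manual or of any BIG-IQ API. The data classes, field names and the "Off" operation-mode value are assumptions made for the illustration; Bot Defense profiles are not modelled because the page gives no mode rule for them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BLOCKING, MONITORING, NOT_PROTECTED = "Blocking", "Monitoring", "Not Protected"

@dataclass
class DosProfile:
    # Operation modes named on this page; "Off" is an assumed value meaning no protection.
    tps_detection: str = "Off"
    behavioral_stress_detection: str = "Off"

@dataclass
class VirtualServer:
    name: str
    has_http_profile: bool = True
    policy_enforcement_mode: Optional[str] = None  # "Blocking" | "Transparent" | None
    dos_profile: Optional[DosProfile] = None

def vs_protection_mode(vs: VirtualServer) -> str:
    # Blocking if any setting blocks; Monitoring if any is Transparent and none blocks.
    modes = [vs.policy_enforcement_mode]
    if vs.dos_profile:
        modes += [vs.dos_profile.tps_detection, vs.dos_profile.behavioral_stress_detection]
    if BLOCKING in modes:
        return BLOCKING
    return MONITORING if "Transparent" in modes else NOT_PROTECTED

def app_protection_mode(assigned: List[VirtualServer]) -> str:
    # An application inherits the strongest mode among its assigned virtual servers.
    modes = {vs_protection_mode(vs) for vs in assigned}
    if BLOCKING in modes:
        return BLOCKING
    return MONITORING if MONITORING in modes else NOT_PROTECTED

def protected_object_count(apps: Dict[str, List[VirtualServer]], standalone: List[VirtualServer]) -> Tuple[int, int]:
    # (protected, total): each application is one object; a stand-alone virtual
    # server counts only when it has an HTTP profile.
    modes = [app_protection_mode(vss) for vss in apps.values()]
    modes += [vs_protection_mode(v) for v in standalone if v.has_http_profile]
    return sum(m != NOT_PROTECTED for m in modes), len(modes)

# Constructed sample inventory (not real BIG-IQ data).
SAMPLE_APPS = {
    "shop": [VirtualServer("shop_vs1", policy_enforcement_mode="Transparent"),
             VirtualServer("shop_vs2", dos_profile=DosProfile(tps_detection="Blocking"))],
    "intranet": [VirtualServer("intra_vs", policy_enforcement_mode="Transparent")],
}
SAMPLE_STANDALONE = [
    VirtualServer("legacy_vs", dos_profile=DosProfile(behavioral_stress_detection="Transparent")),
    VirtualServer("tcp_vs", has_http_profile=False, policy_enforcement_mode="Blocking"),
    VirtualServer("bare_vs"),  # HTTP profile but no policy or DoS profile: Not Protected
]
```

With the sample inventory, `protected_object_count(SAMPLE_APPS, SAMPLE_STANDALONE)` returns (3, 4): `tcp_vs` is excluded from the count despite its Blocking policy because it has no HTTP profile.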
Web Application Security Alerts
Security alerts in the TRENDS AND IMPACTS area of the L7 Security dashboard ( ) notify you of the number of objects reporting Web Application Security policy (Web Exploits) or DoS profile (L7 DDoS Attacks) events over the past day (trend charts report the past week). These alerts indicate that a protected object (application or virtual server) recently experienced an increased rate of performance issues. To view data that corresponds with these traffic events, go to . To view the status of your deployed applications, go to .

| Alert | Description | Impact | Default Thresholds | Action (if applicable) |
|---|---|---|---|---|
| BAD TRAFFIC TRENDS | The number of objects with a significant increase in traffic with any violation rating. | Increase in transactions with any violation rating. | Web Exploits: The average number of transactions with a violation rating exceeded 10% in the past 24 hours and increased by a ratio of 0.1% out of all traffic over the past week. L7 DDoS Attacks: The average volume of active, simultaneous attacks increased in the past 24 hours. | Investigate transactions and fine-tune your security policy/profile for new threats. |
| POTENTIALLY HARMFUL ATTACKS | The number of objects with a transparent protection mode (Monitoring) that have an increase in bad traffic. | Increase in transactions with a high violation rating. | Web Exploits: The rate of transactions with a violation rating of 4 or 5 exceeded 0.1% in the past 24 hours. L7 DDoS Attacks: The volume of simultaneous active attacks increased in the past 24 hours. | Change the security policy or profile to Blocking mode. |
| FALSE POSITIVE ATTACKS | The number of objects with a blocking protection mode that have an increase in blocked traffic with a low violation rating. | Increase in blocked transactions. | Web Exploits: The rate of blocked transactions with a violation rating of 1 or 2 exceeded 0.01% over the past 24 hours. | Investigate blocked transactions and fine-tune your Web Application Security policy to allow valid transactions. |
| BLOCKED ATTACKS | The number of objects with a blocking protection mode that blocked any bad traffic over the past 24 hours. | N/A | N/A | N/A |