Manual Chapter : Deploying Application Security to AS3 Application Services
Applies To:Show Versions
BIG-IQ Centralized Management
Deploying Application Security to AS3 Application Services
Deploying application security to AS3 application services using BIG-IQ
The Application Services 3 Extension (AS3) uses a declarative model, meaning you send a declaration file (JSON template) using a single Rest API call. To deploy secure application services, you can reference a Web Application Security policy (WAF or AWAF), that is currently deployed to a managed device, to your AS3 declaration template. With BIG-IQ, you can then monitor your secure AS3 application services to test the security capabilities configured.
Overview of process using BIG-IQ
The following is a general outline of the required steps to successfully deploy and monitor a secure AS3 application service:
- Reference Web Application Security policy, and security logging profile to a cloned AS3 template
- (Optional) Provide user access privileges to the secure AS3 template
- Create and monitor secure application services using the secure AS3 template
- Edit the security policy based on application service monitoring results
You can edit the AS3 declaration, using a specialized RESTful API client, to add your security policy and logging profile. To submit an AS3 declaration, use the POST method to add an updated declaration to the BIG-IQ URI. For more information, refer to big-iq.html.
This process does not restrict AS3 template editing capabilities based on user authorization roles.
Add Web Application Security to an AS3 Template
Prerequisites for adding security objects to an AS3 template
When using the BIG-IQ interface to edit an AS3 template, you need to ensure that you have the proper BIG-IQ configuration, deployed objects, and user privileges. The following configurations and privileges are required before you can add application security to your AS3 template:
- The host BIG-IP device has the ASM module discovered and imported. For more information about your device's discovered services, go toand select the device name to see the status of its Web Application Security services.
- The Web Application Security service is Active in BIG-IQ. For more information, go to.
- When customizing an AS3 template, it is strongly recommended to clone a default template. For Web Application Security, it is recommended to clone the imported default templateAS3-F5-HTTPS-WAF-existing-lb-template-big-iq-default. For more information about importing and cloning AS3 templates, refer toManaging BIG-IQ AS3 templatesinsupport.f5.com.
- If you created, or edited a Web Application Security policy using BIG-IQ: Assign the policy to theinactiveweb application security virtual server ( , and deploy your additions/changes over the BIG-IP device.
- If you created an ASM policy using a managed BIG-IP system, ensure that the BIG-IP device's Web Application Security objects were re-discovered and re-imported to BIG-IQ.
- Create a security logging profile and configure it to your BIG-IQ data collection devices (DCDs) For more information refer to the articleConfigure high availability logging for multiple DCDsinDeploying a Data Collection Deviceatsupport.f5.com.
You must have administrative user privileges to edit AS3 templates using the BIG-IQ UI.
Adding BIG-IP Security objects to an AS3 template
Ensure that you have completed the tasks summarized in
Prerequisites for adding security objects to an AS3 template.
If you have administrative privileges, you can edit an AS3 template to include a Web Application Security policy deployed over a BIG-IP device in your network. Once you have added a security policy declaration to your AS3 template, an application creator can use the template to create and deploy secure applications services.
- At the top of the screen, clickApplications, then, on the left, clickAPPLICATION TEMPLATES.The screen lists the AS3 and service catalog templates defined on this BIG-IQ.
- Click the name of the AS3 template that you want to edit.You cannot edit a published template. If the template has been published, but has not been used to deploy an application, you can unpublish it to make it writable. If the template has been used to deploy an application, you have two options:
The properties area displays the list of currently defined services for the selected template.
- Make a clone of the published template and make your changes to the clone. For details, refer toClone an AS3 templateonsupport.f5.com..
- Use theSwitch to templatebutton to change the template that the application uses. For details, refer toChange the template for a deployed applicationonsupport.f5.com..
- Select the AS3 classService_HTTPSfrom the menu to the left.
- UnderpolicyWAFadd to theBigipproperty the file path of your Web Application Security profile on BIG-IP.The format of the file path should include/[partition]/[policy-name]for example;/Common/awaf-security-policy-v1.By default, this property isEditableby the template user. To hide the lock the policy setting in the template, select theOverridebox to the far right of the field.If you are referencing a file from an external repository, add the file name to theUseproperty.
- UnderSecurity Log Profilesadd to theBIG-IP security log profileproperty the file path of your logging profile on BIG-IP.The format of the file path should include/[partition]/[profile-name]for example;/Common/secure-logging.By default, this property isEditableby the template user. To hide the lock the policy setting in the template, select theOverridebox to the far right of the field.If you are referencing a file from an external repository, add the file name to theUseproperty.
- To change the application statistics collection settings, select the AS3 classAnalytics_Profilefrom the menu to the left.
This step is optional, but can assist in traffic monitoring for application services created with this template.Traffic to applications created with this template will only collect statistics marked asEnabled.
- If the template currently has a value you would like to change, select theOverridebox to the far right of the field, and change the value.
- To allow template users to change the value, as needed, select theEditablebox to the far right of the field.
- ClickSave & Close
The security policy has been added to the AS3 template. This template is now ready for use by an application creator who deploys and manages secure application services.
Provide users roles with access to the AS3 template for application service deployment.
Adding AS3 template access to application roles
If you wish to provide template access to users with limited BIG-IQ privileges, you must have created a custom Application Creator user to perform this procedure. For more information, refer to
Define an application creator rolein
Monitoring and Managing Applications using BIG-IQat
Administrators can provide application creator users with access to specific AS3 templates. This allows application managers to deploy AS3 application services using that contain template properties.
This procedure is not mandatory, and only applies to user admins who oversee system users with restricted permissions.
- At the top of the screen, clickSystem.
- On the left, click.
- Select the name of the user role.The role properties screen opens. If you have already added the active users and device permissions to this role, skip to step 6.
- From the Active Users and GroupsAvailablelist, select the user(s), and move your selection to theSelectedlist.
- From the DevicesAvailablelist, select the device that hosts the AS3 template, and move your selection to theSelectedlist.
- From the AS3 templatesAvailablelist, select the AS3 template, and move your selection to theSelectedlist.
- ClickSave & Close.
When the user logs in with their credentials, they will be able to view the added resources when creating, or managing their application services.
Create and Monitor a Secure AS3 Application Service
Editing Web Application Security Objects
You can edit the Web Application Security policy configured to your AS3 template, based on changes to your security needs, results fo application service monitoring, or added suggestions from Policy Builder.
To edit a Web Application security policy, you must have user privileges to edit security policies. For more information, refer to
Editing Web Application Security Policies.