Applies To:Show Versions
BIG-IQ Centralized Management
- 8.2.0, 8.1.0
Deploying Application Security to AS3 Application Services
Deploying application security to AS3 application services using BIG-IQ
Overview of process using BIG-IQ
- Reference Web Application Security policy, and security logging profile to a cloned AS3 template
- (Optional) Provide user access privileges to the secure AS3 template
- Create and monitor secure application services using the secure AS3 template
- Edit the security policy based on application service monitoring results
Add Web Application Security to an AS3 Template
Prerequisites for adding security objects to an AS3 template
- The host BIG-IP device has the ASM module discovered and imported. For more information about your device's discovered services, go toand select the device name to see the status of its Web Application Security services.
- The Web Application Security service is Active in BIG-IQ. For more information, go to.
- When customizing an AS3 template, it is strongly recommended to clone a default template. For Web Application Security, it is recommended to clone the imported default templateAS3-F5-HTTPS-WAF-existing-lb-template-big-iq-default. For more information about importing and cloning AS3 templates, refer toManaging BIG-IQ AS3 templatesinsupport.f5.com.
- If you created, or edited a Web Application Security policy using BIG-IQ: Assign the policy to theinactiveweb application security virtual server ( , and deploy your additions/changes over the BIG-IP device.
- If you created an ASM policy using a managed BIG-IP system, ensure that the BIG-IP device's Web Application Security objects were re-discovered and re-imported to BIG-IQ.
- Create a security logging profile and configure it to your BIG-IQ data collection devices (DCDs) For more information refer to the articleConfigure high availability logging for multiple DCDsinDeploying a Data Collection Deviceatsupport.f5.com.
Adding BIG-IP Security objects to an AS3 template
- At the top of the screen, clickApplications, then, on the left, clickAPPLICATION TEMPLATES.The screen lists the AS3 and service catalog templates defined on this BIG-IQ.
- Click the name of the AS3 template that you want to edit.You cannot edit a published template. If the template has been published, but has not been used to deploy an application, you can unpublish it to make it writable. If the template has been used to deploy an application, you have two options:
The properties area displays the list of currently defined services for the selected template.
- Make a clone of the published template and make your changes to the clone. For details, refer toClone an AS3 templateonsupport.f5.com..
- Use theSwitch to templatebutton to change the template that the application uses. For details, refer toChange the template for a deployed applicationonsupport.f5.com..
- Select the AS3 classService_HTTPSfrom the menu to the left.
- UnderpolicyWAFadd to theBigipproperty the file path of your Web Application Security profile on BIG-IP.The format of the file path should include/[partition]/[policy-name]for example;/Common/awaf-security-policy-v1.By default, this property isEditableby the template user. To hide the lock the policy setting in the template, select theOverridebox to the far right of the field.If you are referencing a file from an external repository, add the file name to theUseproperty.
- UnderSecurity Log Profilesadd to theBIG-IP security log profileproperty the file path of your logging profile on BIG-IP.The format of the file path should include/[partition]/[profile-name]for example;/Common/secure-logging.By default, this property isEditableby the template user. To hide the lock the policy setting in the template, select theOverridebox to the far right of the field.If you are referencing a file from an external repository, add the file name to theUseproperty.
- To change the application statistics collection settings, select the AS3 classAnalytics_Profilefrom the menu to the left.
This step is optional, but can assist in traffic monitoring for application services created with this template.Traffic to applications created with this template will only collect statistics marked asEnabled.
- If the template currently has a value you would like to change, select theOverridebox to the far right of the field, and change the value.
- To allow template users to change the value, as needed, select theEditablebox to the far right of the field.
- ClickSave & Close
Adding AS3 template access to application roles
- At the top of the screen, clickSystem.
- On the left, click.
- Select the name of the user role.The role properties screen opens. If you have already added the active users and device permissions to this role, skip to step 6.
- From the Active Users and GroupsAvailablelist, select the user(s), and move your selection to theSelectedlist.
- From the DevicesAvailablelist, select the device that hosts the AS3 template, and move your selection to theSelectedlist.
- From the AS3 templatesAvailablelist, select the AS3 template, and move your selection to theSelectedlist.
- ClickSave & Close.