Manual Chapter :
Deploying Application Security to AS3 Application Services
Applies To:
BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0
Deploying application security to AS3 application services using BIG-IQ
The Application Services 3 Extension (AS3) uses a declarative model, meaning
you send a declaration file (JSON template) using a single REST API call. To deploy
secure application services, you can reference, in your AS3 declaration template, a
Web Application Security policy (WAF or AWAF) that is currently deployed to a managed
device. With BIG-IQ, you can then monitor your secure AS3 application services to test
the security capabilities configured.
Overview of process using BIG-IQ
The following is a general outline of the required steps to successfully deploy and
monitor a secure AS3 application service:
- Reference a Web Application Security policy and a security logging profile in a cloned AS3 template
- (Optional) Provide user access privileges to the secure AS3 template
- Create and monitor secure application services using the secure AS3 template
- Edit the security policy based on application service monitoring results
Additional Information
You can edit the AS3 declaration, using a specialized RESTful API client, to add your security policy and logging profile. To submit an AS3 declaration, use the POST method to add an updated declaration to the BIG-IQ URI. For more information, refer to big-iq.html.
This process does not restrict AS3 template editing capabilities based on user authorization roles.
Add Web Application Security to an AS3 Template
Prerequisites for adding security objects to an AS3 template
When using the BIG-IQ interface to edit an AS3 template, you need to ensure
that you have the proper BIG-IQ configuration, deployed objects, and user privileges.
The following configurations and privileges are required before you can add application
security to your AS3 template:
BIG-IQ Configuration
- The host BIG-IP device has the ASM module discovered and imported. For more information about your device's discovered services, go to and select the device name to see the status of its Web Application Security services.
- The Web Application Security service is Active in BIG-IQ. For more information, go to.
- When customizing an AS3 template, it is strongly recommended to clone a default template. For Web Application Security, it is recommended to clone the imported default template AS3-F5-HTTPS-WAF-existing-lb-template-big-iq-default. For more information about importing and cloning AS3 templates, refer to Managing BIG-IQ AS3 templates on support.f5.com.
Security Objects
- If you created or edited a Web Application Security policy using BIG-IQ: Assign the policy to the inactive web application security virtual server ( , and deploy your additions/changes over the BIG-IP device.
- If you created an ASM policy using a managed BIG-IP system, ensure that the BIG-IP device's Web Application Security objects were re-discovered and re-imported to BIG-IQ.
- Create a security logging profile and configure it to your BIG-IQ data collection devices (DCDs). For more information, refer to the article Configure high availability logging for multiple DCDs in Deploying a Data Collection Device at support.f5.com.
User Privileges
You must have administrative user privileges to edit AS3 templates using the BIG-IQ
UI.
Adding BIG-IP Security objects to an AS3 template
Ensure that you have completed the tasks summarized in Prerequisites for adding security objects to an AS3 template.
If you have administrative privileges, you can edit
an AS3 template to include a Web Application Security policy deployed over a BIG-IP
device in your network. Once you have added a security policy declaration to your AS3
template, an application creator can use the template to create and deploy secure
application services.
- At the top of the screen, click Applications, then, on the left, click APPLICATION TEMPLATES. The screen lists the AS3 and service catalog templates defined on this BIG-IQ.
- Click the name of the AS3 template that you want to edit. You cannot edit a published template. If the template has been published, but has not been used to deploy an application, you can unpublish it to make it writable. If the template has been used to deploy an application, you have two options:
  - Make a clone of the published template and make your changes to the clone. For details, refer to Clone an AS3 template on support.f5.com.
  - Use the Switch to template button to change the template that the application uses. For details, refer to Change the template for a deployed application on support.f5.com.
  The properties area displays the list of currently defined services for the selected template.
- Select the AS3 class Service_HTTPS from the menu to the left.
- Under policyWAF, add to the Bigip property the file path of your Web Application Security profile on BIG-IP. The format of the file path should include /[partition]/[policy-name], for example: /Common/awaf-security-policy-v1. By default, this property is Editable by the template user. To hide and lock the policy setting in the template, select the Override box to the far right of the field. If you are referencing a file from an external repository, add the file name to the Use property.
- Under Security Log Profiles, add to the BIG-IP security log profile property the file path of your logging profile on BIG-IP. The format of the file path should include /[partition]/[profile-name], for example: /Common/secure-logging. By default, this property is Editable by the template user. To hide and lock the policy setting in the template, select the Override box to the far right of the field. If you are referencing a file from an external repository, add the file name to the Use property.
- To change the application statistics collection settings, select the AS3 class Analytics_Profile from the menu to the left.
  - If the template currently has a value you would like to change, select the Override box to the far right of the field, and change the value.
  - To allow template users to change the value, as needed, select the Editable box to the far right of the field.
  This step is optional, but can assist in traffic monitoring for application services created with this template. Applications created with this template collect only the statistics marked as Enabled.
- Click Save & Close.
The security policy has been added to the AS3
template. This template is now ready for use by an application creator who deploys and
manages secure application services.
Provide user roles with access to the AS3 template
for application service deployment.
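The template fields set in the steps above end up as properties of each Service_HTTPS object in the AS3 declaration. The following Python check is an added example, not F5 code: it flags services that lack a WAF policy or security log profile reference, or whose path is not in the /[partition]/[name] format. It assumes the AS3 declaration property names policyWAF, securityLogProfiles, bigip and use; the function names and the tenant, application and service names in the sample are hypothetical.

```python
import re

# Path format given in the procedure: /[partition]/[name], e.g. /Common/secure-logging
BIGIP_PATH = re.compile(r"^/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")

def check_pointer(ptr, label):
    """Return a list of problems for one reference ({'bigip': path} or {'use': name})."""
    if not isinstance(ptr, dict):
        return [f"{label}: missing"]
    if "bigip" in ptr:
        if not BIGIP_PATH.match(str(ptr["bigip"])):
            return [f"{label}: bigip path {ptr['bigip']!r} is not /[partition]/[name]"]
        return []
    if ptr.get("use"):
        return []
    return [f"{label}: needs a 'bigip' path or a 'use' name"]

def lint_declaration(decl):
    """Walk Tenant -> Application -> Service_HTTPS and report missing security references."""
    findings = []
    for tname, tenant in decl.items():
        if not (isinstance(tenant, dict) and tenant.get("class") == "Tenant"):
            continue  # skips scalar properties such as "class": "ADC"
        for aname, app in tenant.items():
            if not (isinstance(app, dict) and app.get("class") == "Application"):
                continue
            for sname, svc in app.items():
                if not (isinstance(svc, dict) and svc.get("class") == "Service_HTTPS"):
                    continue
                where = f"{tname}/{aname}/{sname}"
                findings += check_pointer(svc.get("policyWAF"), f"{where} policyWAF")
                profiles = svc.get("securityLogProfiles") or []
                if not profiles:
                    findings.append(f"{where} securityLogProfiles: missing")
                for i, p in enumerate(profiles):
                    findings += check_pointer(p, f"{where} securityLogProfiles[{i}]")
    return findings

def service(waf, logs):
    # Constructed sample declaration, trimmed to the fields being checked
    return {"class": "ADC", "tenant1": {"class": "Tenant", "app1": {"class": "Application",
            "serviceMain": {"class": "Service_HTTPS", "policyWAF": waf,
                            "securityLogProfiles": logs}}}}

GOOD = service({"bigip": "/Common/awaf-security-policy-v1"}, [{"bigip": "/Common/secure-logging"}])
BAD = service({"bigip": "awaf-security-policy-v1"}, [])  # no partition, no log profile

if __name__ == "__main__":
    print("\n".join(lint_declaration(BAD)) or "no findings")
```

Run against a declaration before it is submitted, the check catches a service that would deploy without a policy or without logging to the DCDs.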
Adding AS3 template access to application roles
If you wish to provide template access to users with limited BIG-IQ privileges, you must have created a custom Application Creator
user to perform this procedure. For more information, refer to Define an application creator role in Monitoring and Managing Applications using BIG-IQ at support.f5.com.
Administrators can provide application creator
users with access to specific AS3 templates. This allows application managers to deploy
AS3 application services that contain template properties.
This procedure is not mandatory, and only applies to user admins who oversee system users with restricted permissions.
- At the top of the screen, click System.
- On the left, click.
- Select the name of the user role. The role properties screen opens. If you have already added the active users and device permissions to this role, skip to step 6.
- From the Active Users and Groups Available list, select the user(s), and move your selection to the Selected list.
- From the Devices Available list, select the device that hosts the AS3 template, and move your selection to the Selected list.
- From the AS3 templates Available list, select the AS3 template, and move your selection to the Selected list.
- Click Save & Close.
When the user logs in with their credentials, they
will be able to view the added resources when creating, or managing their
application services.
Editing Web Application Security Objects
You can edit the Web Application Security policy configured to your AS3 template, based on changes to your security needs, results of application service monitoring, or added suggestions from Policy Builder.
To edit a Web Application Security policy, you must have user privileges to edit security policies. For more information, refer to Editing Web Application Security Policies.