Manual Chapter : Deploying Application Security to AS3 Application Services

Applies To:

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0

Deploying application security to AS3 application services using BIG-IQ

The Application Services 3 Extension (AS3) uses a declarative model, meaning you send a declaration file (JSON template) using a single REST API call. To deploy secure application services, you can reference, in your AS3 declaration template, a Web Application Security policy (WAF or AWAF) that is currently deployed to a managed device. With BIG-IQ, you can then monitor your secure AS3 application services to test the configured security capabilities.

Overview of process using BIG-IQ

The following is a general outline of the required steps to successfully deploy and monitor a secure AS3 application service:
  • Reference a Web Application Security policy and a security logging profile in a cloned AS3 template
  • (Optional) Provide user access privileges to the secure AS3 template
  • Create and monitor secure application services using the secure AS3 template
  • Edit the security policy based on application service monitoring results

Additional Information

You can edit the AS3 declaration, using a specialized RESTful API client, to add your security policy and logging profile. To submit an AS3 declaration, use the POST method to add an updated declaration to the BIG-IQ URI. For more information, refer to big-iq.html.
This process does not restrict AS3 template editing capabilities based on user authorization roles.

Add Web Application Security to an AS3 Template

Prerequisites for adding security objects to an AS3 template

When using the BIG-IQ interface to edit an AS3 template, you need to ensure that you have the proper BIG-IQ configuration, deployed objects, and user privileges. The following configurations and privileges are required before you can add application security to your AS3 template:

BIG-IQ Configuration

  • The host BIG-IP device has the ASM module discovered and imported. For more information about your device's discovered services, go to Devices > BIG-IP DEVICES and select the device name to see the status of its Web Application Security services.
  • The Web Application Security service is Active in BIG-IQ. For more information, go to System > BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.
  • When customizing an AS3 template, it is strongly recommended to clone a default template. For Web Application Security, it is recommended to clone the imported default template AS3-F5-HTTPS-WAF-existing-lb-template-big-iq-default. For more information about importing and cloning AS3 templates, refer to Managing BIG-IQ AS3 templates in support.f5.com.

Security Objects

  • If you created or edited a Web Application Security policy using BIG-IQ: Assign the policy to the inactive web application security virtual server (Configuration > SECURITY > Web Application Security > Virtual Servers), and deploy your additions/changes over the BIG-IP device.
  • If you created an ASM policy using a managed BIG-IP system, ensure that the BIG-IP device's Web Application Security objects were re-discovered and re-imported to BIG-IQ.
  • Create a security logging profile and configure it to your BIG-IQ data collection devices (DCDs). For more information, refer to the article Configure high availability logging for multiple DCDs in Deploying a Data Collection Device at support.f5.com.

User Privileges

You must have administrative user privileges to edit AS3 templates using the BIG-IQ UI.

Adding BIG-IP Security objects to an AS3 template

Ensure that you have completed the tasks summarized in Prerequisites for adding security objects to an AS3 template.
If you have administrative privileges, you can edit an AS3 template to include a Web Application Security policy deployed over a BIG-IP device in your network. Once you have added a security policy declaration to your AS3 template, an application creator can use the template to create and deploy secure applications services.
  1. At the top of the screen, click Applications, then, on the left, click APPLICATION TEMPLATES.
    The screen lists the AS3 and service catalog templates defined on this BIG-IQ.
  2. Click the name of the AS3 template that you want to edit.
    You cannot edit a published template. If the template has been published, but has not been used to deploy an application, you can unpublish it to make it writable. If the template has been used to deploy an application, you have two options:
    • Make a clone of the published template and make your changes to the clone. For details, refer to Clone an AS3 template on support.f5.com.
    • Use the Switch to template button to change the template that the application uses. For details, refer to Change the template for a deployed application on support.f5.com.
    The properties area displays the list of currently defined services for the selected template.
  3. Select the AS3 class Service_HTTPS from the menu to the left.
  4. Under policyWAF, add to the Bigip property the file path of your Web Application Security profile on BIG-IP.
    The format of the file path should include /[partition]/[policy-name], for example, /Common/awaf-security-policy-v1.
    By default, this property is Editable by the template user. To hide or lock the policy setting in the template, select the Override box to the far right of the field.
    If you are referencing a file from an external repository, add the file name to the Use property.
  5. Under Security Log Profiles, add to the BIG-IP security log profile property the file path of your logging profile on BIG-IP.
    The format of the file path should include /[partition]/[profile-name], for example, /Common/secure-logging.
    By default, this property is Editable by the template user. To hide or lock the policy setting in the template, select the Override box to the far right of the field.
    If you are referencing a file from an external repository, add the file name to the Use property.
  6. To change the application statistics collection settings, select the AS3 class Analytics_Profile from the menu to the left.
    1. If the template currently has a value you would like to change, select the Override box to the far right of the field, and change the value.
    2. To allow template users to change the value, as needed, select the Editable box to the far right of the field.
    This step is optional, but can assist in traffic monitoring for application services created with this template.
    Traffic to applications created with this template will only collect statistics marked as Enabled.
  7. Click Save & Close.
The security policy has been added to the AS3 template. This template is now ready for use by an application creator who deploys and manages secure application services.
Provide user roles with access to the AS3 template for application service deployment.
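
The two references from steps 4 and 5, checked in a declaration that is submitted through the API instead of the template editor. This is an added example, not F5's code: `audit_declaration` is a hypothetical helper, `securityLogProfiles` is the AS3 schema property behind the Security Log Profiles field, and the sample declaration is constructed and trimmed to the properties discussed here (addresses, TLS and pool settings are omitted).

```python
import re

# /[partition]/[name] as described above; folder levels in between are allowed.
BIGIP_PATH = re.compile(r"/[\w.-]+(/[\w.-]+)+")

def pointer_ok(ptr):
    """True for {'bigip': '/partition/name'} or {'use': '<object name>'}."""
    if not isinstance(ptr, dict):
        return False
    if "bigip" in ptr:
        return isinstance(ptr["bigip"], str) and bool(BIGIP_PATH.fullmatch(ptr["bigip"]))
    return isinstance(ptr.get("use"), str) and ptr["use"] != ""

def audit_declaration(node, path=""):
    """Return (location, problem) for each Service_HTTPS lacking WAF or logging."""
    findings = []
    if not isinstance(node, dict):
        return findings
    if node.get("class") == "Service_HTTPS":
        if not pointer_ok(node.get("policyWAF")):
            findings.append((path, "policyWAF missing or malformed"))
        logs = node.get("securityLogProfiles")
        if not (isinstance(logs, list) and logs and all(map(pointer_ok, logs))):
            findings.append((path, "securityLogProfiles missing or malformed"))
    for key, value in node.items():
        findings += audit_declaration(value, f"{path}/{key}")
    return findings

# Constructed sample: one compliant service, one with a bad path and no logging.
SAMPLE = {
    "class": "AS3",
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "tenant1": {
            "class": "Tenant",
            "app_ok": {"class": "Application", "serviceMain": {
                "class": "Service_HTTPS",
                "policyWAF": {"bigip": "/Common/awaf-security-policy-v1"},
                "securityLogProfiles": [{"bigip": "/Common/secure-logging"}]}},
            "app_bad": {"class": "Application", "serviceMain": {
                "class": "Service_HTTPS",
                "policyWAF": {"bigip": "awaf-security-policy-v1"}}},
        },
    },
}

if __name__ == "__main__":
    for location, problem in audit_declaration(SAMPLE):
        print(f"{location}: {problem}")
```

Running a check like this before a POST catches a service that would deploy with no WAF policy attached or with no security events reaching the DCDs.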

Adding AS3 template access to application roles

If you wish to provide template access to users with limited BIG-IQ privileges, you must have created a custom Application Creator user to perform this procedure. For more information, refer to Define an application creator role in Monitoring and Managing Applications using BIG-IQ at support.f5.com.
Administrators can provide application creator users with access to specific AS3 templates. This allows application managers to deploy AS3 application services that contain template properties.
This procedure is not mandatory, and only applies to user admins who oversee system users with restricted permissions.
  1. At the top of the screen, click System.
  2. On the left, click ROLE MANAGEMENT > Roles > CUSTOM ROLES > Application Roles.
  3. Select the name of the user role.
    The role properties screen opens. If you have already added the active users and device permissions to this role, skip to step 6.
  4. From the Active Users and Groups Available list, select the user(s), and move your selection to the Selected list.
  5. From the Devices Available list, select the device that hosts the AS3 template, and move your selection to the Selected list.
  6. From the AS3 templates Available list, select the AS3 template, and move your selection to the Selected list.
  7. Click Save & Close.
When the user logs in with their credentials, they will be able to view the added resources when creating, or managing their application services.

Editing Web Application Security Objects

You can edit the Web Application Security policy referenced in your AS3 template, based on changes to your security needs, results of application service monitoring, or added suggestions from Policy Builder.
To edit a Web Application Security policy, you must have user privileges to edit security policies. For more information, refer to Editing Web Application Security Policies.