Applies To:
BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0
Overview: Web Application Security in BIG-IQ
Managing Web Application Security
Importing Web Application Security policies from BIG-IP
Policy compatibility with managed BIG-IP systems
About subcollections in policies
Import application security policies from locally saved file
- Go to the Policies screen.
- On the Policies screen, click the Import button.
- Import a security policy file by clicking Choose File... and navigating to the file location, or drag and drop a file directly to the Drop Policy File Here area. If the .xml file is designated as a child policy, the Retain the Inheritance Settings and Parent Policies fields appear. If the parent policy is not configured, you cannot import the policy.
- For child policies with a parent policy:
- Select a parent policy from the Parent Policies field (required). By default, the parent policy in the imported file is selected. If the parent policy is not configured, you must select an option. If you select None, the child status of the imported policy is removed.
- To import the policy with the optional inheritance settings from the original parent policy, select Enabled for Retain the Inheritance Settings. By default this option is disabled, which means the imported policy will accept all optional inheritance settings from the selected parent policy. If enabled, the imported policy will retain the optional inheritance settings in the .xml file, regardless of the selected parent policy.
- Enter a policy name for the imported policy (optional).
Export application security policies
- Navigate to the Policies screen: click.
- Select the check box to the left of the security policy you want to export. The Export button becomes active.
- Click the Export button to show a list, and select the BIG-IP version to use when exporting this security policy.
Policy structure and inheritance
- Create and maintain common elements and settings.
- Impose mandatory elements on child policies.
- Push a change to multiple child policies.
- Identify the current policy as a parent policy. On the General Properties screen for the policy, set the Policy Type to Parent Policy. Navigate to , then click the policy to edit, and click
- Set a policy to be the child policy of the parent policy. On the Inheritance Settings screen for the policy, select the parent policy for a child policy by selecting the parent policy name in the Parent Policy setting. Navigate to , then click the policy to become a child policy and click .
- Click Save to save this policy as a child policy and display the inheritance properties.
- Continue to use the Inheritance Settings screen to accept or decline what is to be inherited from the parent policy.
Establish a parent and child policy relationship
- Go to.
- Select the name of the policy you would like to designate as a parent policy. The screen displays the policy's General Properties.
- For a parent policy, select Parent Policy. If you select this option, you can configure inheritance settings for child policies.
- For a child or unaffiliated policy, select Security Policy.
- From the menu to the left, click Inheritance Settings.
- From the Parent Policy field, select the name of a parent policy.
- Click Save & Close.
Determining access permissions for child and parent policies
- Click Add. The New Role Type properties screen opens.
- Select Web Application Security (ASM) as the service. The object types for that service are displayed.
- Select Policies: Web Application Security as the object type, and click Add Selected.
- To define access to standalone policies that do not use inheritance, select from the permissions without the Child or Parent prefix: Read, Add, Edit, or Delete.
- To define access to only child policies, select permissions with the Child prefix: Child Create, Child Delete, or Child Edit.
- To define access to only parent policies, select permissions with the Parent prefix: Parent Create, Parent Delete, or Parent Edit.
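Because a parent policy pushes changes to its child policies, a role with Parent Edit reaches more policies than the ones it edits directly. The following Python is an added example, not BIG-IQ code or its API: it uses the permission names listed above, while the roles, the policy inventory and the function names are constructed for illustration.

```python
# Permission names are the ones listed on this page; the roles, the policy
# inventory and the data layout are constructed for illustration.
PERMS = {
    "standalone": {"Read", "Add", "Edit", "Delete"},
    "child": {"Child Create", "Child Delete", "Child Edit"},
    "parent": {"Parent Create", "Parent Delete", "Parent Edit"},
}
EDIT_PERM = {"standalone": "Edit", "child": "Child Edit", "parent": "Parent Edit"}

# Constructed inventory: policy name -> (kind, parent name or None)
POLICIES = {
    "base-web": ("parent", None),
    "shop-frontend": ("child", "base-web"),
    "shop-api": ("child", "base-web"),
    "legacy-portal": ("standalone", None),
}
# Constructed role definitions: role name -> granted permissions
ROLES = {
    "app-team": {"Child Edit"},
    "baseline-owner": {"Parent Edit", "Parent Create"},
    "legacy-admin": {"Read", "Edit", "Delete"},
    "typo-role": {"Child Edit", "Parent Modify"},
}

def unknown_permissions(granted):
    """Permissions in a role that match none of the names listed on the page."""
    known = set().union(*PERMS.values())
    return sorted(set(granted) - known)

def edit_reach(granted, policies=POLICIES):
    """Return (direct, inherited): policies the role can edit itself, and
    child policies that receive changes from a parent the role can edit."""
    direct = {name for name, (kind, _) in policies.items()
              if EDIT_PERM[kind] in granted}
    inherited = {name for name, (kind, parent) in policies.items()
                 if kind == "child" and parent in direct and name not in direct}
    return sorted(direct), sorted(inherited)

def audit(roles=ROLES, policies=POLICIES):
    """Per-role report of direct reach, inherited reach and unknown names."""
    report = {}
    for role, granted in roles.items():
        direct, inherited = edit_reach(granted, policies)
        report[role] = {"direct": direct, "inherited": inherited,
                        "unknown": unknown_permissions(granted)}
    return report

if __name__ == "__main__":
    for role, row in audit().items():
        print(role, row)
```
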
Create new Web Application Security policies
- Go to.
- In the Policies screen, click Add to display a screen for creating a new policy. The newly created policy contains only the editable configuration (the configuration deployed to the BIG-IP device). Hidden values can be viewed on the managed BIG-IP device, which acquires the configuration default values.
- Specify the following required information for the new Web Application Security policy:
- Type the Name (required) of the security policy.
- Specify the Partition to which the security policy belongs. Only users with access to a partition can view the objects that it contains. If the security policy resides in the Common partition, all users can access it.
- For Policy type, select whether you want to designate this as a Parent Policy or Security Policy (default). See Policy structure and Inheritance for more information. Once you save this policy, you cannot change this setting.
- For Policy Template, select a template that suits your system's needs. The default template is Rapid Deployment Policy, which meets the protection requirements for most applications. For more information about policy templates and their affected settings, see Generic Policy Templates. Once you save this policy, you cannot change this setting. You can, however, manually change template settings throughout the policy.
- For Application Language, you can change the template's default coding language, which determines how the security policy processes the character sets. The default language encoding determines the default character sets for URLs, parameter names, and parameter values. Once you save this policy, you cannot change this setting.
- To change the template's Enforcement Mode, specify whether blocking is active (Blocking) or inactive (Transparent) for the security policy. You can enable or disable blocking for individual violations in the subsequent tables of settings and properties. If Transparent appears, blocking is disabled for the security policy. This disables blocking for all options, and the check boxes to enable blocking are unavailable.
- When you are finished editing the properties, click Save. This makes the remaining policy objects available for editing.
- In the Policy objects list on the left, click the next object to edit, and then click the Edit button. For the Attack Signatures List object only, click the Attack Signatures List object, then in the Name column, click the signature name you want to edit, then click Edit.
- Click Save to save the modifications to each policy object before moving to another one.
- Click Save & Close when you are finished editing.
Removing security policies
- Log in to BIG-IQ Security with Administrator, Security Manager, or Web Application Security Manager credentials.
- Navigate to the Policies screen: click.
- Select the check box to the left of the security policy you want to remove. The Remove button becomes active.
- Click the Remove button.
- In the Remove Policies dialog box, confirm the removal by clicking Remove.