Manual Chapter: Managing Signature, Server Technologies, and Browser Challenges and Threat Campaign Files
Applies To: BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0
About file update management in Web Application Security
You can download, upload, and install Signature, Server Technologies, Browser Challenges, and Threat Campaign update files from one central location for multiple BIG-IP devices. For each file, the system displays the file name, version, the BIG-IP version with which it is compatible, and its source. You can also schedule automatic file updates so that update files are downloaded and installed automatically at time intervals that you define.
The Signature file contains rules that run on incoming HTTP requests and other network traffic, and can identify potential attacks that can exploit vulnerabilities on your server. The Server Technologies file contains rules that can identify the underlying technologies used by the web application and how the web application is composed. When this is known, the BIG-IP system can apply more appropriate protections, such as signatures, on your server. The Browser Challenges file contains JavaScript that runs on web browsers on the client side and is used mainly by the bot defense profile to implement bug fixes. Keeping the Signature file, Server Technologies file, and Browser Challenges file up to date is an important part of protecting your system.
The contents of the Browser Challenges file are
applied only 24-48 hours after installation of the file.
The BIG-IP system includes an attack signature pool and a bot signature
pool. These pools include the system-supplied attack signatures and bot signatures, which are
shipped with the BIG-IP Application Security Manager, and any user-defined signatures.
Web Application Security fetches all new and relevant signature files from an external server, which might use a proxy. You can configure a proxy from the BIG-IQ Centralized Management system (). BIG-IQ can then push the signature files to the relevant BIG-IP device or devices, and it displays the signature version for each device.
Web Application Security signature file processing, such as importing, downloading, installing (pushing to devices), and deleting signature files, requires the following built-in roles, or the equivalent permissions on a custom role: Administrator, Security Manager, or Web App Security Manager.
Authorize a user to upload, download, and install Signature, Server Technologies, and Browser Challenges files
Configure fine-grained role-based access
credentials to authorize a dedicated user to upload, download, and install Signature,
Server Technologies, and Browser Challenges files. This authorization also includes
permission to schedule automatic file updates.
- Click. The Role Types screen opens.
- Click Add. The New Role Type screen opens.
- Assign a name that identifies the role type.
- From the Select Service list, select Web Application Security (ASM). The Object Type list appears.
- In the Object Type list, select Signature Files and in the Items section at the lower right, ensure that RELATED OBJECT TYPES is selected.
- Click the Add Selected button.
- Click Save & Close.
- On the left, click. The Resource Groups screen opens.
- Click Add. The New Resource Group screen opens.
- Assign a name that identifies the Resource Group.
- In the Role Type (Optional) list, select the role type that you previously created.
- In the Select Service list, select Web Application Security (ASM).
- In the Select Object Type list, select Signature Files.
- Click the Add Selected button.
- Click Save & Close.
- On the left, click. The Roles navigation menu appears.
- In the Roles navigation menu, click.
- Click Add.
- Assign a name that identifies the role.
- For the Role Type list, select the role type that you previously created.
- For Role Mode, select either Strict Mode or Relaxed Mode.
- In the Resource Groups setting, from the Available list, select the resource group that you previously created and move it to the Selected list.
- If you want to assign this role to existing users or groups, in the Active Users and Groups setting select the user or group name from the Available list and move it to the Selected list.
- Click Save & Close.
- If you want to create a new user and assign the role to this user, click.
- Click Add. The New User screen opens.
- Assign a User Name, Full Name, and Password and confirm the password.
- For the Roles setting, select the role that you previously created from the Available list and move it to the Selected list.
- Click Save & Close.
The user role now has privileges to manage files in BIG-IQ. Any user who logs in using the configured credentials will be able to perform tasks of file management, according to the applied settings.
Download an update file from the F5 update server
Before you start this task, make sure that your current BIG-IQ account has Administrator, Security Manager, or Web App Security Manager credentials, or a custom role with equivalent permissions. These permissions are required for downloading Signature, Server Technologies, Browser Challenges, and Threat Campaign update files.
Download a Signature, Server Technologies, or Browser Challenges update file from the F5 update server to ensure that you have the most up-to-date protection on your BIG-IP devices.
- Go to. The screen provides a menu for Signature Files, Server Technology Files, Browser Challenges Files, and Threat Campaigns Files. Expand one of these menu options and select the ... Files List option for your required file type.
- Click Download. The Choose download and install option screen opens.
- Choose one of the following download options:
  - Download latest files: Choose this option to download the most up-to-date file but not install it at this time.
  - Download latest files and install on All devices: Choose this option to download the most up-to-date file and install it immediately after download on all BIG-IP devices in the cluster.
  - Download latest files and install on Active devices: Choose this option to download the most up-to-date file and install it immediately after download on the primary BIG-IP devices in the cluster.
- Click OK.
The most up-to-date file is downloaded to the BIG-IQ system and appears in the list in the Files List screen. If you chose the download and install option, the file is pushed to the BIG-IP devices in the cluster and installed on them.
If you did not choose the download and install option, you need to manually install the update file.
You can check the status of the download under the Configuration tab by going to . Then, in the relevant file menu, select Download Process and click the file name in the list.
If you chose the download and install option, you can check the status under the Configuration tab at . Then, in the relevant file menu, select Download and Install and click the file name in the list.
Upload a file stored locally
Before you start this task, make sure that your current BIG-IQ account has Administrator, Security Manager, or Web App Security Manager credentials, or a custom role with equivalent permissions. These permissions are required to upload Signature, Server Technologies, Browser Challenges, and Threat Campaign files.
You can upload a locally stored Signature, Server Technologies, Browser Challenges, or Threat Campaign file to the BIG-IQ system if you do not want to download the update file from the F5 update server.
- Click. The SIGNATURE FILES, SERVER TECHNOLOGIES FILES, and BROWSER CHALLENGES FILES menus appear.
- Expand the menu for the file you would like to upload, and select the file list view.
- Click Import. The Import File screen opens.
- Specify how to upload the file:
  - Click Choose File, and then:
    - Navigate to the file you want to upload.
    - Click Open. The file name appears in the Import File screen.
    - Click Import at the bottom of the Import File screen. The update file now appears in the Files List.
  - Drag and drop the update file from its original location to the area labeled Drop Update File Here. After you do this, the Files List appears, showing the update file.
After the file is uploaded, you need to install it manually.
Install a file
Before you start this task, make sure that your current BIG-IQ Centralized Management
account has Administrator, Security Manager, or Web App Security Manager credentials, or
a custom role with equivalent permissions. These permissions are required for installing
Signature, Server Technologies, and Browser Challenges files.
Install a Signature, Server Technologies, or
Browser Challenges update file to one or more BIG-IP devices to ensure that you have the
most up-to-date protection on your BIG-IP devices.
- Click. The SIGNATURE FILES, SERVER TECHNOLOGIES FILES, and BROWSER CHALLENGES FILES menus appear.
- In the relevant menu, click the Files List.
- In the Files List, click the name of the file you want to install. The file properties screen opens.
- In the Install to Devices setting, specify which BIG-IP devices should receive the file by moving them from the Available Devices list to the Selected Devices list.
- From the Install To list, choose whether to install the file on all BIG-IP devices in the cluster or on just the active (primary) devices in the cluster. Once a file is deployed to an active clustered BIG-IP device, a synchronization task will run on the BIG-IP device cluster.
- Click Install. The BIG-IQ system pushes the file to the BIG-IP devices that you selected and the file is installed on those devices.
You can check the status of the installation by going to . Then, in the relevant file menu, select Install Status and click the name of the file in the list.
Schedule automatic file updates
Before you start this task, make sure that your current BIG-IQ Centralized Management
account has Administrator, Security Manager, or Web App Security Manager credentials, or
a custom role with equivalent permissions. These permissions are required for scheduling
automatic file updates.
Schedule automatic updates of Signature, Server
Technologies, and Browser Challenges files to automate the process of downloading and
installing updated files at specified time intervals.
- Click. The SIGNATURE FILES, SERVER TECHNOLOGIES FILES, and BROWSER CHALLENGES FILES menus appear.
- In the relevant menu, click the Files List.
- Click Settings. The Settings screen opens.
- For the Remote Updates setting, select Enabled. If this setting is disabled, the other settings are not displayed.
- In the Interval setting, select how often the scheduled update should run. If you choose Custom, select a time interval from the Custom list.
- For the Starting at setting, specify when the scheduled update should begin. You must select a date and time in the future.
- In the Proxy setting, select the proxy to use when retrieving signature files, or select None. You can configure proxies in the BIG-IQ Centralized Management system ().
- From the Install To list, choose whether you want the update files installed on all BIG-IP devices in the cluster or only on the active (primary) devices in the cluster. Once a file is deployed to an active clustered BIG-IP device, a synchronization task will run on the BIG-IP device cluster.
- Click Save & Close.
- Follow these steps for every BIG-IP device that you want to receive the automatic updates:
  - Go to.
  - Click the device name in the Devices List. The Properties screen for this device opens.
  - In the Scheduled Updates section, select the Allow Automatic Install check box for the relevant file type.
  - Click Save & Close.
You can check the status of the download and installation by going to . Then, in the relevant file menu, select Download and Install Process and click the file name in the list.