Manual Chapter : Introducing the Application Security Manager

Applies To:

Show Versions Show Versions


  • 11.2.1
Manual Chapter
The BIG-IP® Application Security Manager protects mission-critical enterprise Web infrastructure against application-layer attacks, and monitors the protected web applications. The Application Security Manager can prevent a variety of web application attacks, such as:
Malicious exploitations of the application memory buffer to stop services, to get shell access, and to propagate worms
The system can automatically develop a security policy to protect against security threats, and you can configure additional protections and customize the system response to threats.
Integrated platform guaranteeing the delivery of secure application traffic
Built on F5 Networks TMOS® architecture, the ICSA-certified, positive-security Application Security Manager is fully integrated with the BIG-IP Local Traffic Manager.
Automated security policy building
Application Security Manager uses an auto-adaptive approach to application delivery security, where the security policy is automatically built and updated based on observed traffic patterns. A Deployment wizard helps you create a security policy for your environment. Then the automated policy building feature, called the Real Traffic Policy Builder®, examines requests and responses, and populates the security policy with legitimate security policy elements, based on what it finds in the traffic.
Positive security model
The Application Security Manager creates a robust positive security policy to completely protect web applications from targeted web application layer threats, such as buffer overflows, SQL injection, cross-site scripting, parameter tampering, cookie poisoning, and others, by allowing only valid application transactions. The positive security model is based on a combination of valid user session context and valid user input, as well as a valid application response.
Attack Signature protection
The Attack Signatures in the Application Security Manager provide protection from generalized and known application attacks such as worms, SQL injection, cross-site scripting, and requests for restricted files and URLs. The Attack Signatures Update feature provides current, up-to-date signatures, so that your applications are protected from new attacks and threats.
Integrated, simplified management
The browser-based Configuration utility provides network device configuration, centralized security policy management, and easy-to-read audit reports.
Configurable security levels
The Application Security Manager offers varying levels of security, from general protection of web site elements such as file types and character sets, to tailored, highly granular, application-specific security policies. This flexibility provides enterprises the ability to choose the level of security they need, and reduce management costs based on the level of protection and risks acceptable in their business environment.
Role-based administration
The BIG-IP system supports role-based administration, which you can use to restrict access to various components of the product. For example, users with the Web Application Security Editor role can audit and maintain application security policies on a specific partition, but they have no access to general BIG-IP system administration.
To use this guide, you must have installed the BIG-IP system, and have licensed and provisioned Application Security Manager. This guide focuses on configuring the application security components, including:
If you are using automatic security policy building, Application Security Manager directs you through the steps required to create these components. For those who require custom configuration of these components, this guide also contains information on how to manually create virtual servers, pools, and HTTP classes for use with application security. For overview information about local traffic objects, refer to the BIG-IP® Local Traffic Manager: Concepts. For details on configuring local traffic objects, refer to BIG-IP® Local Traffic Manager: Implementations.
When you provision Application Security Manager, the Protocol Security Module is also included on the system and available for use (without needing to be provisioned separately). For information on working with protocol security objects, refer to the Configuration Guide for BIG-IP® Protocol Security Module.
For additional information about using Application Security Manager, refer to BIG-IP® Application Security Manager: Implementations.
The browser-based graphical user interface for the BIG-IP system is called the Configuration utility. You log in and use the Configuration utility to set up the system and configure the Application Security Manager.
Identification and messages area
The identification and messages area of the Configuration utility is the screen region that is above the navigation pane, the menu bar, and the body. In this area, you find the system identification, including the host name and management IP address. This area is also where certain system messages display, for example Activation Successful, which appears after a successful licensing process.
Navigation pane
The navigation pane, on the left side of the screen, contains the Main tab, the Help tab, and the About tab. The Main tab provides links to the major configuration objects. The Help tab provides context-sensitive help for each screen. The About tab provides overview information about the BIG-IP system.
Menu bar
The menu bar, which is below the identification and messages area, and above the body on many screens, provides links to additional screens.
The body is the screen area where the configuration settings display, and where the user configures the system.
Online help for Application Security components
The Configuration utility has online help for each screen. The online help contains descriptions of each control and setting on the screen. Click the Help tab in the left navigation pane to view the online help.
About tab in the navigation pane
The About tab in the navigation pane contains links to many useful web sites and resources, including the AskF5 Knowledge Base, the F5 Solution Center, the F5 DevCentral web site, plug-ins, SNMP MIBs, and SSH clients.
F5 Networks Technical Support web site
The F5 Networks Technical Support web site,, provides the latest documentation for the product, including:
BIG-IP® Application Security Manager: Getting Started Guide
BIG-IP® Application Security Manager: Implementations
Configuration Guide for BIG-IP® Protocol Security Module
AskF5 Knowledge Base