Manual Chapter: Security Policy Elements in Each Policy Type
Applies To:
BIG-IP ASM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Security policy elements included in each policy type
The elements that the system adds to a security policy depend on the policy type you select for automatic policy building. You can set the policy type when creating the security policy in the Deployment wizard or later by modifying the policy settings (
. When the policy type is set or modified, the Application Security Manager (ASM) assigns the Explicit Entities Learning settings as follows.

Security policy element | Fundamental | Enhanced | Comprehensive | Vulnerability Assessment |
---|---|---|---|---|
File Types | Add All Entities | Add All Entities | Add All Entities | Never (wildcard only) |
URLs | Never (wildcard only) | Selective | Add All Entities | Never (wildcard only) |
Parameters | Selective (wildcard only) | Selective | Add All Entities | Never (wildcard only) |
Cookies | Never (wildcard only) | Selective | Selective | Never (wildcard only) |
Redirection Domains | Add All Entities | Add All Entities | Add All Entities | Add All Entities |

Setting | Description |
---|---|
Add All Entities | The Policy Builder includes all of the website entities. This option creates a large set of security policy entities with a granular object level configuration and high security level. |
Selective | This option applies only to the * wildcard. When false positives occur, the system adds or suggests adding an explicit entity with relaxed settings. This option provides a good balance between security, policy size, and ease of maintenance. |
Never (wildcard only) | When false positives occur, the system suggests relaxing the settings of the wildcard entity. This option creates a security policy that is easy to manage but may result in overall relaxed application security. |

Depending on which policy type you select, ASM includes a different set of policy elements in the Automatic Policy Building Settings.

Security policy element | Fundamental | Enhanced | Comprehensive | Vulnerability Assessment |
---|---|---|---|---|
HTTP Protocol Compliance | Yes | Yes | Yes | Yes |
Evasion Techniques Detected | Yes | Yes | Yes | Yes |
File Type Lengths | Yes | Yes | Yes | No |
Attack Signatures (Applies to policy, parameter, content profile, and cookie signatures) | Yes | Yes | Yes | Yes |
URL Meta Characters | No | Yes | Yes | No |
Parameter Name Meta Characters | No | No | Yes | No |
Parameter Value Lengths | No | Yes | Yes | No |
Value Meta Characters (for Parameters and Content Profiles) | No | No | Yes | No |
Allowed Methods | No | Yes | Yes | Yes |
Request Length Exceeds Defined Buffer Size | Yes | Yes | Yes | No |
Header Length | Yes | Yes | Yes | No |
Cookie Length | Yes | Yes | Yes | No |
Failed to Convert Character | Yes | Yes | Yes | Yes |
Content Profiles | No | Yes | Yes | No |
Automatically detect advanced protocols | No | No; but Yes if JSON/XML payload detection selected | No; but Yes if JSON/XML payload detection selected | No |
Host Names | Yes | Yes | Yes | Yes |
CSRF URLs | No | No | Yes | Yes |

Note: In the table, Yes means the element is automatically included in the policy type; No means it is not included.