Applies To: BIG-IP ASM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
About security policy blocking
You can configure how Application Security Manager handles requests that violate the security policy in several ways.
Method | Description |
---|---|
Blocking actions | Blocking actions for each of the security policy violations, along with the enforcement mode, determine the action that will be taken when the violation occurs. |
Evasion techniques | Sophisticated hackers have figured out coding methods that normal attack signatures do not detect. These methods are known as evasion techniques. Application Security Manager can detect the evasion techniques, and you can configure blocking properties for them. |
HTTP Protocol Compliance | The system performs validation checks on HTTP requests to ensure that the requests are formatted properly. You can configure which validation checks are enforced by the security policy. |
Web Services Security | You can configure which web services security errors must occur for the system to learn, log, or block requests that trigger the errors. |
Response pages | When the enforcement mode of the security policy is blocking, and a request (or response) triggers a violation for which the Block action is enabled, the system returns the response page to the client. If you configure login pages, you can also configure a response page for blocked access. |
Changing security policy enforcement
When the enforcement mode is set to transparent, traffic is not blocked even if a violation is triggered. The system typically logs the violation event (if the Learn flag is set on the violation). You can use this mode along with an enforcement readiness period when you first put a security policy into effect to make sure that no false positives occur that would stop legitimate traffic.
When the enforcement mode is set to blocking, traffic that causes a violation configured for blocking is blocked once the enforcement readiness period is over. You use this mode when you are ready to enforce a security policy.
Configuring blocking actions for violations
About blocking actions
The system takes the following actions when the blocking actions are enabled.
Blocking Action | Description |
---|---|
Learn | When the Learn flag is enabled for a violation, and a request triggers the violation, the system logs the request and generates learning suggestions. The system takes this action when the security policy is in either the transparent or blocking enforcement mode. |
Alarm | When the Alarm flag is enabled for a violation, and a request triggers the violation, the system logs the request, and also logs a security event. The system takes this action when the security policy is in either the transparent or blocking enforcement mode. |
Block | The Block flag blocks traffic when (1) the security policy is in the blocking enforcement mode, (2) a violation occurs, (3) the Block flag is enabled for the violation, and (4) the entity is enforced. The system sends the blocking response page (containing a Support ID to identify the request) to the client. |
Configuring HTTP protocol compliance validation
If the HTTP protocol compliance failed violation is set to Learn, Alarm, or Block, the system performs the protocol compliance checks. If the Enforcement Mode is set to Blocking and the violation is set to block, the system blocks requests that are not compliant with the selected HTTP protocol validations.
If you use automatic policy building, the system immediately enables the Learn, Alarm, and Block settings for the HTTP protocol compliance failed violation; also, the security policy immediately enables one of the HTTP protocol checks: Bad HTTP version (version 1.0 or later is required). After the system processes sufficient traffic from different users over a period of time, it enables other appropriate HTTP protocol checks.
If a request is too long and causes the Request length exceeds defined buffer size violation, the system stops validating protocol compliance for that request.
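As an added illustration (not code from the F5 documentation), the following Python models the decision rules stated above: the Learn/Alarm/Block table, the four conditions under which the Block action fires, the Bad HTTP version check (1.0 or later required), and the rule that a request exceeding the buffer size is not validated for protocol compliance. Function, parameter and dictionary key names are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Mode(Enum):
    TRANSPARENT = "transparent"
    BLOCKING = "blocking"


@dataclass(frozen=True)
class ViolationFlags:
    learn: bool = False
    alarm: bool = False
    block: bool = False


def evaluate(mode: Mode, flags: ViolationFlags, violation_occurred: bool,
             entity_enforced: bool) -> dict:
    """Actions taken for one request (model of the Blocking Action table)."""
    actions = {"log_request": False, "learning_suggestion": False,
               "security_event": False, "block": False}
    if not violation_occurred:
        return actions
    # Learn and Alarm apply in transparent and blocking mode alike.
    if flags.learn:
        actions["log_request"] = actions["learning_suggestion"] = True
    if flags.alarm:
        actions["log_request"] = actions["security_event"] = True
    # Block needs all four conditions: blocking mode, a violation, the Block
    # flag, and an enforced entity (enforcement readiness period over).
    if mode is Mode.BLOCKING and flags.block and entity_enforced:
        actions["block"] = True
    return actions


def http_compliance_failed(request_line: str, request_len: int,
                           buffer_size: int) -> Optional[bool]:
    """Bad HTTP version check (1.0 or later required), gated on request length.
    Returns None when the request exceeds the buffer: ASM stops validating
    protocol compliance for that request instead of reporting a result."""
    if request_len > buffer_size:
        return None
    m = re.fullmatch(r"\S+ \S+ HTTP/(\d+)(?:\.(\d+))?", request_line.strip())
    if m is None:
        return True  # no parseable HTTP version token
    major, minor = int(m.group(1)), int(m.group(2) or 0)
    return (major, minor) < (1, 0)
```

Running `evaluate` with a transparent policy shows why a violation that is logged and raises a security event is still never blocked, and `entity_enforced=False` shows the same outcome for an unenforced entity even in blocking mode.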
Configuring blocking actions for web services security
For the Web Services Security violations, the blocking action you configure determines what happens to a SOAP message that triggers a violation:
- If the violation is configured to Learn or Alarm, the system does not encrypt or decrypt the SOAP message, and sends the original document to the web service.
- If the violation is configured to Block, the system blocks the traffic and prevents the document from reaching its intended destination.