Manual Chapter : Configuring General Security Policy Building Settings

Applies To:

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

About general security policy building settings

General policy building settings determine how a security policy is built for both automatic policy building and manual policy building. The settings define the type of policy to create, and what level of Learning suggestions to provide based on real traffic. You can specify the circumstances under which the system adds or suggests that you add explicit entities to the security policy. The settings also let you determine at which level (global or URL) to add parameters to the policy.

Changing the policy type

The policy type determines which security policy elements are included in the security policy. If you have an existing security policy and want to change which elements are included in the policy from now on, you can change the policy type.
  1. On the Main tab, click Security > Application Security > Policy Building > Settings. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the General Policy Building Settings, for Policy Type, select the type that defines how you want the security policy built.
     • Fundamental: Provides security at a level that is appropriate for most organizations, creating a robust security policy that is highly maintainable and quick to configure. This is the default setting.
     • Enhanced: Provides extra customization, creating a security policy with more granularity.
     • Comprehensive: Provides the highest level of customization, creating a security policy with more granularity, but it may take longer to configure.
     • Vulnerability Assessment: Specifies a security policy that is built using the recommendations from a vulnerability assessment tool. By default, the system does not add explicit entities, leaving that to the tool. (Only available if a vulnerability assessment tool is selected on the Vulnerability Assessments Settings screen.)
     • Custom: Provides the level of security that you specify when you adjust settings such as which security policy elements are included in the security policy. The policy type changes to Custom if you change any of the default settings for a policy type.
     The selected security policy elements and other options on the screen change depending on the policy type you choose.
  4. Click Save to save your settings.
  5. To put the security policy changes into effect immediately, click Apply Policy.

The elements that are currently in the security policy remain in the policy. From this point on, the security policy is built according to the new policy type you have selected.

Security policy elements included in each policy type

The elements that the system adds to a security policy depend on the policy type you select for automatic policy building. You can set the policy type when creating the security policy in the Deployment wizard, or later by modifying the policy settings (Security > Application Security > Policy Building > Settings). When the policy type is set or modified, the Application Security Manager (ASM) assigns the Explicit Entities Learning settings as follows.

Table 1. Explicit Entities Learning Settings for Each Policy Type

| Security policy element | Fundamental | Enhanced | Comprehensive | Vulnerability Assessment |
|---|---|---|---|---|
| File Types | Add All Entities | Add All Entities | Add All Entities | Never (wildcard only) |
| URLs | Never (wildcard only) | Selective | Add All Entities | Never (wildcard only) |
| Parameters | Selective (wildcard only) | Selective | Add All Entities | Never (wildcard only) |
| Cookies | Never (wildcard only) | Selective | Selective | Never (wildcard only) |
| Redirection Domains | Add All Entities | Add All Entities | Add All Entities | Add All Entities |

Table 2. Explicit Entities Learning Settings

| Setting | Description |
|---|---|
| Add All Entities | The Policy Builder includes all of the website entities. This option creates a large set of security policy entities with a granular object-level configuration and a high security level. |
| Selective | This option applies only to the * wildcard. When false positives occur, the system adds or suggests adding an explicit entity with relaxed settings. This option provides a good balance between security, policy size, and ease of maintenance. |
| Never (Wildcard Only) | When false positives occur, the system suggests relaxing the settings of the wildcard entity. This option creates a security policy that is easy to manage but may result in overall relaxed application security. |

Depending on which policy type you select, ASM includes a different set of policy elements in the Automatic Policy Building Settings.

Table 3. Policy Elements

| Security policy element | Fundamental | Enhanced | Comprehensive | Vulnerability Assessment |
|---|---|---|---|---|
| HTTP Protocol Compliance | Yes | Yes | Yes | Yes |
| Evasion Techniques Detected | Yes | Yes | Yes | Yes |
| File Type Lengths | Yes | Yes | Yes | No |
| Attack Signatures (applies to policy, parameter, content profile, and cookie signatures) | Yes | Yes | Yes | Yes |
| URL Meta Characters | No | Yes | Yes | No |
| Parameter Name Meta Characters | No | No | Yes | No |
| Parameter Value Lengths | No | Yes | Yes | No |
| Value Meta Characters (for Parameters and Content Profiles) | No | No | Yes | No |
| Allowed Methods | No | Yes | Yes | Yes |
| Request Length Exceeds Defined Buffer Size | Yes | Yes | Yes | No |
| Header Length | Yes | Yes | Yes | No |
| Cookie Length | Yes | Yes | Yes | No |
| Failed to Convert Character | Yes | Yes | Yes | Yes |
| Content Profiles | No | Yes | Yes | No |
| Automatically detect advanced protocols | No | No; but Yes if JSON/XML payload detection is selected | No; but Yes if JSON/XML payload detection is selected | No |
| Host Names | Yes | Yes | Yes | Yes |
| CSRF URLs | No | No | Yes | Yes |

Note: In the table, Yes means the element is automatically included in the policy type; No means it is not included.

Configuring explicit entities learning

You can adjust the explicit entities learning settings for file types, URLs, parameters, cookies, and redirection domains. Explicit learning settings specify when Real Traffic Policy Builder adds, or suggests you add, explicit entities to the security policy.

  1. On the Main tab, click Security > Application Security > Policy Building > Settings. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the General Policy Building Settings area, for Explicit Entities Learning, for each type of entity (File Types, URLs, Parameters, Cookies, and Redirection Domains), select the option that determines which Learning suggestions the system provides (based on real traffic).
     • Never (wildcard only): Specifies that when false positives occur, the system suggests relaxing the settings of the wildcard. This option results in a security policy that is easy to manage, but is not as strict. If Policy Builder is running, it does not add explicit entities that match a wildcard to the security policy; the wildcard entity remains in the security policy, and the Policy Builder changes the attributes of any matched wildcard. If Policy Builder is not running, it suggests changing the attributes of matched wildcard entities, but does not suggest that you add explicit entities that match the wildcard entity.
     • Selective: Applies only to the * wildcard entity. When false positives occur, adds an explicit entity with relaxed settings. This option serves as a good balance between security, policy size, and ease of maintenance. If Policy Builder is running, it adds explicit entities that do not match the attributes of the * wildcard, and does not remove the * wildcard. If Policy Builder is not running, the system suggests adding explicit entities that match the * wildcard. (This option is not applicable to Redirection Domains.)
     • Add All Entities: Creates a comprehensive whitelist policy that includes all web site entities. This option results in a large, more granular configuration with stricter security. If Policy Builder is running, it adds explicit entities that match a wildcard to the security policy; when the security policy is stable, the * wildcard is removed. If Policy Builder is not running, the system suggests adding explicit entities that match the wildcard.
     Changing the explicit entities learning settings may change the Policy Type to Custom.
  4. Click Save to save your settings.
  5. To put the security policy changes into effect immediately, click Apply Policy.

The security policy now learns new file types, parameters, URLs, cookies, and redirection domains according to the explicit learning settings you specified.
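The Table 1 defaults and the three learning options above can be turned into a small review check: it flags settings that drift from the declared policy type (which silently makes the type Custom) and says whether each change is stricter or more relaxed, and it states what Policy Builder does on a false positive under each option. This is an added example, not F5 code; the entity names mirror the settings screen and the settings dictionaries are constructed inputs.

```python
# Added example (not F5's code): a review helper for ASM Explicit Entities Learning
# settings, built from Table 1 and the option descriptions in this chapter.
from typing import Dict, List, Tuple

ENTITY_TYPES = ("File Types", "URLs", "Parameters", "Cookies", "Redirection Domains")
NEVER, SELECTIVE, ADD_ALL = "Never (wildcard only)", "Selective", "Add All Entities"
STRICTNESS = {NEVER: 0, SELECTIVE: 1, ADD_ALL: 2}  # more explicit entities = stricter

# Table 1: default setting for each policy type, in ENTITY_TYPES order.
TYPE_DEFAULTS: Dict[str, Tuple[str, ...]] = {
    "Fundamental": (ADD_ALL, NEVER, SELECTIVE, NEVER, ADD_ALL),
    "Enhanced": (ADD_ALL, SELECTIVE, SELECTIVE, SELECTIVE, ADD_ALL),
    "Comprehensive": (ADD_ALL, ADD_ALL, ADD_ALL, SELECTIVE, ADD_ALL),
    "Vulnerability Assessment": (NEVER, NEVER, NEVER, NEVER, ADD_ALL),
}

def review_settings(declared: str, settings: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (effective policy type, findings). Any change from the declared type's
    defaults makes the effective type Custom; each finding says whether the chosen
    setting is stricter or more relaxed than the default. Selective is rejected for
    Redirection Domains because the option does not apply to that entity type."""
    defaults = dict(zip(ENTITY_TYPES, TYPE_DEFAULTS[declared]))
    findings: List[str] = []
    for entity in ENTITY_TYPES:
        chosen = settings.get(entity, defaults[entity])
        if chosen not in STRICTNESS:
            raise ValueError(f"unknown setting {chosen!r} for {entity}")
        if entity == "Redirection Domains" and chosen == SELECTIVE:
            raise ValueError("Selective is not applicable to Redirection Domains")
        if chosen != defaults[entity]:
            direction = ("more relaxed" if STRICTNESS[chosen] < STRICTNESS[defaults[entity]]
                         else "stricter")
            findings.append(f"{entity}: {chosen} is {direction} than the {declared} "
                            f"default ({defaults[entity]})")
    return (declared if not findings else "Custom"), findings

def builder_action(setting: str, builder_running: bool) -> str:
    """What Policy Builder does on a false positive for an entity matched by the * wildcard."""
    if setting == NEVER:
        return ("changes" if builder_running else "suggests changing") + " the wildcard attributes"
    verb = "adds" if builder_running else "suggests adding"
    if setting == SELECTIVE:
        return f"{verb} an explicit entity with relaxed settings; * wildcard kept"
    if setting == ADD_ALL:
        tail = "; * wildcard removed once the policy is stable" if builder_running else ""
        return f"{verb} an explicit entity{tail}"
    raise ValueError(f"unknown setting {setting!r}")
```

Running `review_settings("Comprehensive", {"Parameters": NEVER})` reports the policy as Custom with Parameters more relaxed than the Comprehensive default, which is the kind of quiet weakening a periodic policy review should catch.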

Adjusting the parameter level

You can adjust how the system determines what parameters it adds (automatic policy building) or suggests you add (manual policy building) to the security policy. In most cases, you do not need to change the default values of these settings.

  1. On the Main tab, click Security > Application Security > Policy Building > Settings. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the General Policy Building Settings area, for the Parameter Level setting, select the level of parameter to add.
     • Global: Add parameters at the global level for all URLs in the security policy. Make learning suggestions based on the properties of entities that already exist in the security policy. This is the default value for the Fundamental and Enhanced policy types.
     • URL: Add parameters at the URL level, only for specific URLs. Make learning suggestions based on real traffic. This is the default value for the Comprehensive policy type.
     Note: This option applies only to the attack signature and illegal meta character violations.
  4. Click Save to save your settings.
  5. To put the security policy changes into effect immediately, click Apply Policy.

The security policy now adds parameters according to the level you specified.