Manual Chapter : Configuring How a Security Policy is Automatically Built

Applies To:

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Overview: Configuring automatic policy build settings

Application Security Manager configures all of the automated policy build settings according to the selections you make when you create the security policy. You can review the settings, and change them later if needed.

There are two levels of automated policy build settings: basic and advanced. The basic settings are sufficient for most installations, and require less work. The advanced level allows you to view and change all of the configuration settings if you want further control over security policy details. However, in most cases, you do not need to change the default values of these settings. F5 highly recommends that you use the default settings for automatic policy building.

Task summary

Configuring automatic policy building settings

If you are an advanced user, you can review or adjust the settings that the system uses for automatic policy building. In most cases, you do not need to change the values of these settings.

  1. On the Main tab, click Security > Application Security > Policy Building > Settings. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the General Policy Building Settings, for Policy Type, select the type that defines how you want the security policy built.
    Option Description
    Fundamental Provides security at a level that is appropriate for most organizations, creating a robust security policy, which is highly maintainable and quick to configure. This is the default setting.
    Enhanced Provides extra customization, creating a security policy with more granularity.
    Comprehensive Provides the highest level of customization, creating a security policy with more granularity, but it may take longer to configure.
    Vulnerability Assessment Specifies a security policy that is built using the recommendations from a vulnerability assessment tool. By default, the system does not add explicit entities, leaving that to the tool. (Only available if a vulnerability assessment tool is selected on the Vulnerability Assessments Settings screen.)
    Custom Provides the level of security that you specify when you adjust settings such as which security policy elements are included in the security policy. The policy type changes to Custom if you change any of the default settings for a policy type.
    The selected security policy elements and other options on the screen change depending on the policy type you choose.
  4. Leave the Explicit Entities Learning and Parameter Level settings at their default values.
  5. In the Automatic Policy Building Settings area, for Real Traffic Policy Builder, select Enabled (if it is not already selected). The screen displays the automatic policy building settings.
  6. For Rules, move the slider to change the thresholds of the rules for the security policy:
    Option Description
    Fast Builds a security policy using lower threshold values for the rules so they are likely to meet the thresholds more quickly; for example, this setting is useful for smaller web sites with less traffic. Selecting this value may create a less accurate security policy.
    Medium Builds a security policy based on greater threshold values for the rules. This is the default setting and is recommended for most sites.
    Slow Builds a security policy using even higher thresholds for the rules and takes longer to meet them; for example, this value is useful for large web sites with lots of traffic. Selecting this value may result in fewer false positives and create a more accurate security policy.
    Changing this setting also changes the value of the Chance of adding false entities to the policy setting.
  7. If you want to review or adjust additional advanced configuration settings, next to Automatic Policy Building Settings, select Advanced. The screen displays the advanced configuration details for policy building.
  8. Review the settings and modify them as needed. Refer to the online help and other tasks for details on each of the settings.
  9. Click Save to save your settings.
  10. To put the security policy changes into effect immediately, click Apply Policy.

By adjusting the automatic policy building settings, you change the way that Application Security Manager creates the security policy.

About security policy elements

A security policy element specifies a part of the application that Application Security Manager (ASM) is protecting, and indicates what to include when building the security policy. Examples of policy elements are HTTP protocol compliance, file type lengths, parameter value lengths and name metacharacters, methods, header and cookie lengths, attack signatures, evasion technique violations, and so on. The included elements form the basis of the security policy that the automatic policy building process is creating.

Different policy types specify different sets of policy elements. The fundamental policy type includes the fewest number of policy elements, and the comprehensive type includes nearly all policy elements. When traffic accesses the web application that the policy is protecting, ASM verifies details about the selected policy elements. For example, if HTTP Protocol Compliance is selected, ASM checks that the traffic is protocol-compliant. If attack signatures is selected, the security policy examines the traffic for patterns in the signatures. The same goes for the other policy elements included in the security policy.

Modifying security policy elements

When you create a security policy, the policy includes security policy elements such as file types, URLs, parameters, evasion technique violations, and so on. These elements form the basis of the security policy that the automatic policy building process is creating. You can modify which security policy elements are included in the security policy.

  1. On the Main tab, click Security > Application Security > Policy Building > Settings. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the Automatic Policy Building Settings area, for Real Traffic Policy Builder, select Enabled (if it is not already selected). The screen displays the automatic policy building settings.
  4. From the Automatic Policy Building Settings list, select Advanced. The screen displays the advanced configuration details for policy building.
  5. In the Policy Elements setting, for Include the following Security Policy Elements, select the security policy entities (or violations) that you want the Policy Builder to automatically configure when building the security policy. When you change the policy elements that are included in the security policy, the Policy Type changes to Custom.
  6. Click Save to save your settings.
  7. To put the security policy changes into effect immediately, click Apply Policy.

The security policy now includes the policy elements that you selected. The system examines legitimate requests and responses from different sessions and different IP addresses, over a period of time. It then populates the security policy with the security policy elements it finds, and puts them in staging.

About automatic policy building rules

During automatic policy building, the Policy Builder builds security policies in three stages. These stages each have separate sets of settings in the Rules area of the Settings screen. Rules in each stage determine when an element in the security policy moves from one stage to the next.

Some of the rules have different values depending on whether the traffic comes from a trusted or untrusted source. The system generally considers trusted traffic, and the policy elements it contains, to be legitimate, and adds them to the policy more quickly than it does those found in untrusted traffic.

You can adjust the values for the rules by changing the Policy Builder learning speed. Slow learning speed causes the system to create the policy by looking at more traffic, so the values in the rules are higher. Fast learning speed causes the system to build the policy from fewer requests, and the values you see in the rules are lower.

Advanced users can view and change the conditions under which the Policy Builder modifies the security policy during any of the three stages. Changing the value of any rule to one that does not match a default value sets the learning speed and the Chance of adding false entities settings to Custom (instead of Slow, Medium, or Fast); the Policy Type also changes to Custom.

About automatic policy building stages

Automatic policy building has three stages:

Accept as Legitimate (Loosen)

During this stage, the Policy Builder identifies legitimate application usage based on repeated behavior from sufficient different user sessions and IP addresses, over a period of time. The system updates the security policy accordingly. Based on wildcard matches, Policy Builder adds the legitimate policy entities (putting most into staging to learn their properties), and disables violations that are probably false positives.

For example, when the Policy Builder sees the same file type, URL, parameter, or cookie from enough different user sessions and IP addresses over time, then it adds the entity to the security policy.

Stabilize (Tighten)

During this stage, the Policy Builder refines the security policy elements until the number of security policy changes stabilizes. For example, the Policy Builder enforces an entity type after it records a sufficient number of unique requests and sessions, for different IP addresses, over a sufficient length of time since the last time an explicit file type, URL, or parameter was added to the security policy.

Similarly, the Policy Builder enforces the entity's attributes (takes them out of staging) after it records a sufficient number of unique requests and sessions from different IP addresses, over a sufficient length of time for a particular file type, URL, parameter, or cookie.

When the traffic to the application no longer includes new elements, and the Policy Builder has enforced the policy elements, the security policy is considered stable and its progress reaches 100%.

Track Site Changes

This stage occurs after the security policy is stable. If the Track Site Changes setting is enabled and the Policy Builder discovers changes to the web application, it logs the change (Site change detected) and temporarily loosens the security policy to make the necessary adjustments. When the Policy Builder stabilizes the added elements, it re-tightens the security policy.

Although it is not recommended, you can disable the Track Site Changes option. If you do, when the security policy progress reaches 100% stability, the system disables automatic policy building. The security policy is not updated unless you manually change it, or restart automatic policy building by re-enabling the Track Site Changes option.

Modifying security policy rules

Automatic policy building rules specify how a security policy is built. When you create the security policy, values for the rules are set according to the policy type you select. Advanced users can view and modify the rules, for trusted and untrusted traffic, if your application has unique requirements. In most cases, you do not need to change the values of the rules.

  1. On the Main tab, click Security > Application Security > Policy Building > Settings. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the Automatic Policy Building Settings area, for Real Traffic Policy Builder, select Enabled (if it is not already selected). The screen displays the automatic policy building settings.
  4. From the Automatic Policy Building Settings list, select Advanced. The screen displays the advanced configuration details for policy building.
  5. For Rules, move the slider to set the Policy Builder learning speed.
    Option Description
    Fast Use if your application supports a small number of requests from a small number of sessions; for example, useful for web sites with less traffic. However, choosing this option may present a greater chance of adding false entities to the security policy.
    Medium Use if your application supports a medium number of requests, or if you are not sure about the amount of traffic on the application web site. This is the default setting.
    Slow Use if your application supports a large number of requests from many sessions; for example, useful for web sites with lots of traffic. This option creates the most accurate security policy, but takes Policy Builder longer to collect the statistics.
    Based on the option you select, the system sets greater or lesser values for the number of different user sessions, different IP addresses, and length of time before it adds to the security policy and enforces the elements.
  6. For the Accept as Legitimate (Loosen) rules, adjust the number of different sessions, different IP addresses, and the time spread after which the Policy Builder accepts and learns a security policy change from traffic. In this stage of security policy building, the Policy Builder adds entities, configures attributes (such as lengths and meta characters), places entities in staging, and disables violations.
  7. For the Stabilize (Tighten) rules, adjust the number of requests, the number of different sessions, different IP addresses, and the time spread before the Policy Builder stabilizes the security policy elements. Stabilizing a security policy element usually means tightening it by deleting wildcard entities, removing entities from staging, and enforcing violations that did not occur.
  8. For the Track Site Changes rules:
    1. The Enable Track Site Changes check box is selected by default. Keep it selected if you want the Policy Builder to quickly loosen the security policy if changes to the web application cause violations.
    2. Select which traffic you want the Policy Builder to use to loosen the security policy:
      • From Trusted and Untrusted Traffic: Specifies that the Policy Builder loosens the security policy based on all traffic. This is the default option.
      • Only from Trusted Traffic: Specifies that the Policy Builder loosens the security policy based only on traffic from trusted sources defined in the Trusted IP Addresses area on this screen.
    3. For untrusted and trusted traffic, adjust the number of different sessions and different IP addresses for which the system detects violations, over a period of time, after which the Policy Builder updates the security policy.
    In this stage of security policy building, the Policy Builder adds wildcard entities, places entities in staging, and disables violations.
  9. Click Save to save your settings.
  10. To put the security policy changes into effect immediately, click Apply Policy.

The system now automatically builds the security policy with the adjusted security policy rules.

Adding trusted IP addresses to a security policy

In a security policy, you can include a list of IP addresses that you want the system to consider safe or trusted.

  1. On the Main tab, click Security > Application Security > Policy Building > Settings. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the Automatic Policy Building Settings area, for Real Traffic Policy Builder, select Enabled (if it is not already selected). The screen displays the automatic policy building settings.
  4. From the Automatic Policy Building Settings list, select Advanced. The screen displays the advanced configuration details for policy building.
  5. In the Trusted IP Addresses area, for IP Addresses, specify which IP addresses to consider safe:
    • To trust all IP addresses (for internal or test environments), select All.
    • To add specific IP addresses or networks, select Address List, type the IP address and netmask, then click Add. The IP address or network range is added to the list. Add as many trusted IP addresses as needed.
    • To delete IP addresses or networks from the list of trusted IP addresses, select the IP address in the list, then click Delete.
  6. Click Save to save your settings.
  7. To put the security policy changes into effect immediately, click Apply Policy.

Application Security Manager (ASM) processes traffic from trusted clients differently than traffic from untrusted clients. For clients with trusted IP addresses, the rules are configured so that ASM requires less traffic (by default, only 1 user session) to update the security policy with entity or other changes. With the default values, it takes more traffic from untrusted clients (more different sessions and IP addresses, over a longer period of time) before the security policy changes.
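The following model, added here as an illustration and not F5 code, shows the shape of the Loosen and Tighten rules described above: an entity is accepted into staging once enough different sessions and IP addresses have sent it over a sufficient time spread, and is enforced once the Tighten thresholds are met, with trusted clients needing only a single session. It also applies the response-code filter the Policy Builder uses (learn only from transactions returning 1xx, 2xx, or 3xx by default). All threshold values, network ranges, entity names, and traffic in the block are constructed assumptions; the real rule values depend on the policy type and learning speed.

```python
"""Model of the Policy Builder's Loosen/Tighten rules and trusted-IP handling.

Added illustration, not F5 code: the threshold values, entity names, and
traffic below are constructed. Only the shape of the logic (count sessions,
IPs, requests, and time spread per trust class; learn only from selected
response codes) follows the chapter.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """All thresholds must be met before the Policy Builder acts."""
    requests: int
    sessions: int
    ips: int
    time_spread: int  # seconds between first and latest sighting


# Trusted traffic needs a single session, as the chapter states; the untrusted
# values are assumptions for the example, not ASM defaults.
RULES = {
    "loosen":  {"trusted": Rule(1, 1, 1, 0), "untrusted": Rule(1, 5, 5, 3600)},
    "tighten": {"trusted": Rule(1, 1, 1, 0), "untrusted": Rule(20, 10, 10, 3600)},
}

# Default learning set from the chapter: "Nxx" classes or explicit codes.
LEARN_STATUS = ("1xx", "2xx", "3xx")


def status_learnable(code: int, patterns=LEARN_STATUS) -> bool:
    """True if a transaction with this response code feeds the Policy Builder."""
    return any(
        (p.endswith("xx") and code // 100 == int(p[0])) or p == str(code)
        for p in patterns
    )


@dataclass
class Stats:
    requests: int = 0
    sessions: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    first_seen: Optional[int] = None
    last_seen: Optional[int] = None

    def record(self, session: str, ip: str, ts: int) -> None:
        self.requests += 1
        self.sessions.add(session)
        self.ips.add(ip)
        if self.first_seen is None:
            self.first_seen = ts
        self.last_seen = ts

    def meets(self, rule: Rule) -> bool:
        return (self.first_seen is not None
                and self.requests >= rule.requests
                and len(self.sessions) >= rule.sessions
                and len(self.ips) >= rule.ips
                and self.last_seen - self.first_seen >= rule.time_spread)


class PolicyBuilderModel:
    """Entity states: absent -> staging (Loosen) -> enforced (Tighten)."""

    def __init__(self, trusted_networks):
        self.trusted = [ip_network(n) for n in trusted_networks]
        self.state = {}   # entity -> "staging" | "enforced"
        self.stats = {}   # (entity, trust class, stage) -> Stats

    def trust_class(self, ip: str) -> str:
        addr = ip_address(ip)
        return "trusted" if any(addr in n for n in self.trusted) else "untrusted"

    def observe(self, entity, session, ip, ts, status) -> str:
        """Feed one transaction and return the entity's state afterwards."""
        state = self.state.get(entity, "absent")
        if state == "enforced" or not status_learnable(status):
            return state
        stage = "loosen" if state == "absent" else "tighten"
        trust = self.trust_class(ip)
        # Stats are kept per stage, so the Tighten counters start when the
        # entity enters staging ("since the last time ... was added").
        st = self.stats.setdefault((entity, trust, stage), Stats())
        st.record(session, ip, ts)
        if st.meets(RULES[stage][trust]):
            state = "staging" if stage == "loosen" else "enforced"
            self.state[entity] = state
        return state
```

Feeding the model a single request for /login.php from an address inside the assumed trusted network moves the URL straight into staging, and a second trusted request enforces it; the same URL seen from untrusted addresses stays out of the policy until five sessions from five addresses have been observed across at least an hour. A 404 transaction is ignored entirely, which is why an application whose normal behaviour returns 4xx codes needs those codes added to the learning set.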

Learning from responses

If you are using automatic policy building, you can have the system examine responses as well as requests for entities to include in the security policy. This is called learning from responses, and the system does this by default. You may want to learn from responses because a response might include more information about the web application than is found in the request. You can disable this setting if your application does not need to examine responses for entities to add to the security policy, or if the application does not use dynamic parameters.

  1. On the Main tab, click Security > Application Security > Policy Building > Settings. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the Automatic Policy Building Settings area, for Real Traffic Policy Builder, select Enabled (if it is not already selected). The screen displays the automatic policy building settings.
  4. From the Automatic Policy Building Settings list, select Advanced. The screen displays the advanced configuration details for policy building.
  5. If you do not want the security policy to include elements found in responses when building the security policy, in the Options area, clear the Learn from responses check box. If the setting is enabled, the Policy Builder learns from responses that come from valid requests (meaning those that do not generate violations).
  6. Click Save to save your settings.
  7. To put the security policy changes into effect immediately, click Apply Policy.

If you disabled the Learn from responses check box, the Policy Builder never adds to the security policy elements found in responses. If the check box is enabled, the Policy Builder adds elements found in responses to the security policy.

Specifying when to add dynamic parameters

Dynamic parameters are those whose values can change, and are often linked to a user session. If you are using automatic policy building, you can specify the conditions under which the Policy Builder adds dynamic parameters to the security policy.

  1. On the Main tab, click Security > Application Security > Policy Building > Settings. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the Automatic Policy Building Settings area, for Real Traffic Policy Builder, select Enabled (if it is not already selected). The screen displays the automatic policy building settings.
  4. From the Automatic Policy Building Settings list, select Advanced. The screen displays the advanced configuration details for policy building.
  5. In the General Policy Building Settings area, for the Explicit Entities Learning setting:
    1. Set Parameters to either Add All Entities or Selective.
    2. Set URLs or File Types to either Add All Entities or Selective.
    The system can extract dynamic parameters from parameters, URLs, and file types.
  6. In the Options area, ensure that Learn from responses has Enabled selected.
  7. For Dynamic Parameters, select one or more of the check boxes to specify the conditions under which the Policy Builder adds dynamic parameters to the security policy.
    Option Description
    All HIDDEN Fields Adds to the security policy all hidden form input parameters, seen in responses, as dynamic content value parameters.
    Using statistics - FORM parameters Adds parameters from forms as dynamic content value parameters once the statistics threshold below is met.
    Using statistics - link parameters Adds parameters from links as dynamic content value parameters once the statistics threshold below is met.
    Statistics: Configure parameters as dynamic if <num>... Specifies the number (<num>) of unique value sets that must be seen for a parameter before the system considers it a dynamic content value. The default value is 10.
  8. Click Save to save your settings.
  9. To put the security policy changes into effect immediately, click Apply Policy.

When the Application Security Manager receives a request that has an entity (for example, a file extension or URL) containing a dynamic parameter, the system collects the parameter value or name from the web application's response to the request and adds it to the security policy.
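The block below, added here as an illustration and not F5 code, models the three Dynamic Parameters options from the procedure above: hidden fields can be classed as dynamic immediately, while form and link parameters become dynamic only after the statistics threshold (10 unique values by default) is reached. The HTML responses are constructed for the example, and the extraction uses only the standard library's HTML parser; a real response may carry parameters in places this simple extractor does not look.

```python
"""Model of the three Dynamic Parameters options from this chapter.

Added illustration, not F5 code. The HTML responses are constructed and the
extraction is deliberately simple (stdlib html.parser only).
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit


class _ResponseExtractor(HTMLParser):
    """Collects (name, value) pairs from hidden inputs, other form inputs,
    and query strings of links in one response body."""

    def __init__(self):
        super().__init__()
        self.hidden, self.form, self.link = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name"):
            pair = (a["name"], a.get("value") or "")
            if (a.get("type") or "").lower() == "hidden":
                self.hidden.append(pair)
            else:
                self.form.append(pair)
        elif tag == "a" and a.get("href"):
            self.link.extend(parse_qsl(urlsplit(a["href"]).query))


class DynamicParamLearner:
    def __init__(self, all_hidden=True, form_stats=True, link_stats=True,
                 threshold=10):
        self.all_hidden = all_hidden        # "All HIDDEN Fields"
        self.form_stats = form_stats        # "Using statistics - FORM parameters"
        self.link_stats = link_stats        # "Using statistics - link parameters"
        self.threshold = threshold          # "configure as dynamic if N unique values"
        self.values = defaultdict(set)      # parameter name -> distinct values seen
        self.dynamic = set()

    def learn_response(self, html: str) -> set:
        """Update statistics from one response; returns the names now dynamic."""
        ex = _ResponseExtractor()
        ex.feed(html)
        if self.all_hidden:
            self.dynamic.update(name for name, _ in ex.hidden)
        observed = []
        if self.form_stats:
            observed += ex.form + ex.hidden
        if self.link_stats:
            observed += ex.link
        for name, value in observed:
            self.values[name].add(value)
            if len(self.values[name]) >= self.threshold:
                self.dynamic.add(name)
        return set(self.dynamic)


# Constructed responses: a per-response CSRF token, a paginated link, and a
# static username field and sort order.
SAMPLE_RESPONSES = [
    f'<form><input type="hidden" name="csrf" value="tok{i}">'
    f'<input name="user"></form><a href="/list?page={i}&sort=asc">next</a>'
    for i in range(12)
]


def learn_all(responses, **options) -> set:
    """Run every response through one learner and return the dynamic names."""
    learner = DynamicParamLearner(**options)
    for body in responses:
        learner.learn_response(body)
    return learner.dynamic
```

With statistics alone, csrf and page cross the threshold after ten responses while user and sort, whose values never change, stay static; with All HIDDEN Fields enabled, csrf is dynamic after the very first response. Turning link statistics off keeps page out of the dynamic set, which is the situation the chapter warns about when it suggests disabling response learning only for applications that do not use dynamic parameters.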

Collapsing entities in a security policy

When using automatic policy building, the system automatically simplifies your security policy by combining several similarly named explicit entities into wildcard entities. For example, multiple parameters beginning with param are combined into param*. You can specify which entities should be collapsed and after how many occurrences.

  1. On the Main tab, click Security > Application Security > Policy Building > Settings. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the Automatic Policy Building Settings area, for Real Traffic Policy Builder, select Enabled (if it is not already selected). The screen displays the automatic policy building settings.
  4. From the Automatic Policy Building Settings list, select Advanced. The screen displays the advanced configuration details for policy building.
  5. In the Options area, for Collapse to one entity, select or clear the check boxes for those entities you want the security policy to collapse.
    Option Description
    Collapse Parameters, Cookies and Content Profiles When selected, collapses many common parameters, cookies, and content profiles (parameter/URL) into one of each type. In the field, type the number of occurrences (2 or greater) the Policy Builder must detect before collapsing them to one entity.
    Collapse URLs When selected, collapses many common explicit URLs into one wildcard URL with a common prefix and suffix. The Policy Builder collapses URLs only in the same directory (with the same prefix path), and if they have the same file extension. For example, the system collapses the URLs /aaa/x.php, /aaa/y.php, and /aaa/z.php into /aaa/*.php. In the field, type the number of occurrences (2 or greater) the Policy Builder must detect before collapsing them to one entity, and type the minimum depth to collapse the URLs.
  6. Click Save to save your settings.
  7. To put the security policy changes into effect immediately, click Apply Policy.
The system collapses the entities selected unless the collapse would lead to a loss of security policy information.
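The following block, added as an illustration and not F5 code, models the two collapse options above: explicit URLs in the same directory with the same file extension collapse to a single wildcard once the occurrence count is reached and the directory is at least the minimum depth, and parameters whose names differ only by a trailing number collapse to a prefix wildcard. The "no loss of security policy information" caveat is modelled as a check that the collapsed entities carry identical attributes. Occurrence counts, the minimum depth, the naming rule for parameters, and the entity lists are assumptions for the example.

```python
"""Model of the "Collapse to one entity" options.

Added illustration, not F5 code. The occurrence counts, minimum depth, and
entity lists are constructed; the "no loss of information" check is modelled
as requiring identical attributes across the collapsed entities.
"""
import re
from collections import defaultdict


def collapse_urls(urls, occurrences=10, min_depth=1):
    """Collapse explicit URLs that share a directory and file extension into
    one wildcard, e.g. /aaa/x.php, /aaa/y.php, /aaa/z.php -> /aaa/*.php."""
    groups = defaultdict(list)
    for url in urls:
        directory, name = url.rsplit("/", 1)
        ext = name.rsplit(".", 1)[1] if "." in name else ""
        groups[(directory, ext)].append(url)
    result = []
    for (directory, ext), members in groups.items():
        depth = directory.count("/")  # "/aaa" -> 1, site root -> 0
        if ext and len(members) >= occurrences and depth >= min_depth:
            result.append(f"{directory}/*.{ext}")
        else:
            result.extend(members)
    return sorted(result)


_TRAILING_DIGITS = re.compile(r"\d+$")


def collapse_parameters(params, occurrences=10):
    """params maps name -> attributes. Names that differ only by a trailing
    number (param1, param2, ...) collapse to param* once enough occur, and
    only if their attributes agree, so nothing the policy knows is lost."""
    groups = defaultdict(dict)
    for name, attrs in params.items():
        groups[_TRAILING_DIGITS.sub("", name)][name] = attrs
    result = {}
    for prefix, members in groups.items():
        distinct_attrs = {tuple(sorted(a.items())) for a in members.values()}
        if prefix and len(members) >= occurrences and len(distinct_attrs) == 1:
            result[prefix + "*"] = next(iter(members.values()))
        else:
            result.update(members)
    return result
```

Three .php URLs under /aaa collapse to /aaa/*.php while the lone readme.txt and the two /bbb URLs stay explicit; raising the minimum depth to 2 leaves everything explicit. For parameters, item0 to item3 with the same length limit become item*, but adding an item9 with a different limit blocks the collapse because the wildcard could not represent both limits.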

Learning based on response codes

When using automatic policy building, the system automatically learns from legitimate traffic including transactions that return response codes of 1xx, 2xx, and 3xx. These classes of codes are added by default to the policy building settings. You can change which response codes are listed, or add specific response codes, such as those used by the web application you are protecting.

  1. On the Main tab, click Security > Application Security > Policy Building > Settings. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the Automatic Policy Building Settings area, for Real Traffic Policy Builder, select Enabled (if it is not already selected). The screen displays the automatic policy building settings.
  4. From the Automatic Policy Building Settings list, select Advanced. The screen displays the advanced configuration details for policy building.
  5. In the Options area, for Learn from traffic with the following HTTP Response Status Codes, type the response code you want to add (for example, add specific codes like 304 or a class of codes like 4xx), then click Add. Use these formats.
    Response code Description
    1xx All informational responses (the request was received; continuing to process it). Included by default.
    2xx All successful responses (the request was received, understood, accepted, and processed successfully). Included by default.
    3xx All redirection (the client needs to take additional action on the request). Included by default.
    4xx All client error responses (the server could not fulfill the request because of client syntax or input errors).
    5xx All server error responses (the server failed to fulfill a request).
    Specific codes such as 100, 306, 400, or 404 Refer to your web application or the Hypertext Transfer Protocol -- HTTP/1.1 specification (RFC-2616).
  6. Click Save to save your settings.
  7. To put the security policy changes into effect immediately, click Apply Policy.
The Policy Builder extracts information for the security policy from traffic based on transactions that return the specified HTTP response status codes.

Limiting the maximum number of policy elements

When using automatic policy building, the system has reasonable limits to the maximum number of file types, URLs, parameters, and cookies that can be added to the security policy. These limits work fine for most situations. You can adjust the limits if needed.

  1. On the Main tab, click Security > Application Security > Policy Building > Settings. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the Automatic Policy Building Settings area, for Real Traffic Policy Builder, select Enabled (if it is not already selected). The screen displays the automatic policy building settings.
  4. From the Automatic Policy Building Settings list, select Advanced. The screen displays the advanced configuration details for policy building.
  5. In the Options area, for Maximum Security Policy Elements, adjust the maximum number of elements that the Policy Builder can add to the security policy.
    • File Types (the default value is 250)
    • URLs (the default value is 10000)
    • Parameters (the default value is 10000)
    • Cookies (the default value is 100)
  6. Click Save to save your settings.
  7. To put the security policy changes into effect immediately, click Apply Policy.
If the Policy Builder reaches the specified limit, it stops adding that type of security policy element. If this happens, you may need to intervene.
  • If the web site requires more than the maximum number of elements, you can increase the limits, or reconsider the type of the policy (you may not need to include all the elements explicitly).
  • If the site includes a dynamic element that the Policy Builder cannot learn (such as dynamic sessions in URL or dynamically generated parameter names), either configure the security policy to include the element (for example, dynamic sessions in URL), or clear the element type. The Policy Builder should not be configured to learn that element type in such an environment.

Specifying the file types for wildcard URLs

When using automatic policy building, for security policies that are tracking URLs (policy types other than fundamental), the system adds a wildcard URL instead of explicit URLs for commonly used file types. You can specify which file types are changed to wildcard URLs.

  1. On the Main tab, click Security > Application Security > Policy Building > Settings. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the Automatic Policy Building Settings area, for Real Traffic Policy Builder, select Enabled (if it is not already selected). The screen displays the automatic policy building settings.
  4. From the Automatic Policy Building Settings list, select Advanced. The screen displays the advanced configuration details for policy building.
  5. In the Options area, for File Types for which wildcard URLs will be configured, adjust the file types for which the Policy Builder creates a wildcard URL instead of adding an explicit URL. Common file types are included by default. Note that the setting is unavailable in policies that do not include URLs.
    • To add file types, in the File Type field, type the file extension and click Add.
    • To remove file types, select the file type and click Delete.
  6. Click Save to save your settings.
  7. To put the security policy changes into effect immediately, click Apply Policy.
For the file types listed, the Policy Builder adds wildcards instead of explicit URLs when encountering them in web application traffic. Also, the wildcards are added to the policy as non-case sensitive; for example, .jpg URLs are added as *.[Jj][Pp][Gg] instead of image1.jpg, IMAGE2.JPG, and image3.jpg.
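The block below, added as an illustration and not F5 code, shows how the non-case-sensitive wildcard for a listed file type is formed and what it matches: each letter of the extension becomes a two-case bracket class, so one entity covers image1.jpg, IMAGE2.JPG, and image3.jpg, while a URL whose file type is not listed is still added explicitly. The file-type list and URLs are constructed for the example, and Python's fnmatch is used only to demonstrate the bracket-class behaviour.

```python
"""How a file-type wildcard URL is formed and matched.

Added illustration, not F5 code; the file-type list and URLs are constructed,
and fnmatch is used only to show how the bracket classes behave.
"""
from fnmatch import fnmatchcase


def wildcard_for(file_type: str) -> str:
    """jpg -> *.[Jj][Pp][Gg]: each letter becomes a two-case bracket class."""
    body = "".join(f"[{c.upper()}{c.lower()}]" if c.isalpha() else c
                   for c in file_type)
    return f"*.{body}"


def entity_to_add(url: str, wildcard_types) -> str:
    """Return the entity the Policy Builder would add for this URL: the
    non-case-sensitive wildcard if its file type is listed, else the URL."""
    name = url.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return wildcard_for(ext) if ext in wildcard_types else url


def matches(url: str, pattern: str) -> bool:
    """Case-sensitive glob match; the bracket classes supply the insensitivity."""
    return fnmatchcase(url, pattern)
```

Note that the wildcard is anchored on the extension only, so photo.jpeg does not match *.[Jj][Pp][Gg]; if an application serves both spellings, both file types need to be listed.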

Restoring default values for automatic policy building

If you have adjusted the settings for automatic policy building and want to replace those values, you can restore them to the system default values.

  1. On the Main tab, click Security > Application Security > Policy Building > Settings. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the General Policy Building Settings area, for Policy Type, select the type of policy for which you want the default values.
    Tip: You can also click the Restore Defaults button at the bottom of the Settings screen. If you do, the system refreshes and displays the default values for the Fundamental policy type.
    The screen refreshes and displays the default values for the policy type you selected.
  4. Click Save to save your settings.
  5. To put the security policy changes into effect immediately, click Apply Policy.

Stopping and starting automatic policy building

You can start the Real Traffic Policy Builder, which automatically builds a security policy. When you use automatic policy building, the Policy Builder can update the security policy as needed, adding elements, for example, if changes occur on the application web site. You can manually stop automatic policy building at any time, such as when the security policy stabilizes, and you think the web application will not change for a while. However, you do not need to stop the Policy Builder manually: when Track Site Changes is disabled, the system stops it automatically once the security policy is stable.

For security policies that were created using one of the manual methods or imported from an earlier release, you can start automatic policy building so the system builds the security policy for you. By examining the traffic going to the application, the Policy Builder can add various web site entities to the security policy in order to enhance it.

  1. On the Main tab, click Security > Application Security > Policy Building > Settings. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the Automatic Policy Building Settings, for Real Traffic Policy Builder, clear the Enabled check box to stop automatic policy building, and select Enabled to start it.
  4. Click Save to save your settings.
  5. To put the security policy changes into effect immediately, click Apply Policy.

If you stopped automatic policy building, the security policy remains the same unless you manually add to it. If you started automatic policy building, the Policy Builder automatically discovers and populates the security policy with the policy elements (such as file types, URLs, parameters, and cookies). As the Policy Builder runs, you see status messages in the identification and messages area at the top of the screen. You can monitor general policy building progress, and see the number of elements that are included in the policy.