Manual Chapter : Configuring General ASM System Options

Applies To:

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Adjusting system preferences

You can change the default user interface and system preferences for the Application Security Manager (ASM), and configure fields displayed in the Request List of the Reporting screen.
  1. On the Main tab, click Security > Options > Application Security > Preferences.
  2. In the GUI Preferences area, for Records Per Screen, type the number of entries to display (between 1 and 100). The default value is 20. This setting determines the maximum number of security policies, file types, URLs, parameters, flows, headers, and XML and JSON profiles to display in lists throughout ASM.
  3. For Titles Tooltip Settings, select an option for how to display tooltips.
    • Do not show tooltips: Never display tooltips or icons.
    • Show tooltip icons: Display an icon if a tooltip is available for a setting, and show the tooltip when you move the cursor over the icon.
    • Show tooltips on title mouseover: Do not display an icon, but show the tooltip when you move the cursor over the setting name. This is the default setting.
  4. For Default Configuration Level, select Advanced to display all possible settings, or Basic to display only the essential settings, on screens with that option. The default is Basic.
  5. For Apply Policy Confirmation Message, you can specify whether to display a popup message asking if you want to perform the Apply Policy operation each time you change a security policy.
  6. In the Request List GUI Preferences area, for Records Per Requests Screen, type the number of requests to display (between 1 and 1000). The default value is 500. This setting determines the maximum number of requests that appear in any Requests List containing details about any incident, event correlation, or attack.
  7. For Request List Columns, specify what information you want to display on the Requests screen, and the order in which to display it.
  8. For Request List Size, specify the number of requests (small, medium, or large) the system displays before adding a scroll bar. This setting determines how much space the requests list takes up on the Request screen.
  9. If you are using the Cenzic service to mitigate web application vulnerabilities, in the Cenzic ARC Server address field, type the IP address of a local Cenzic ARC server. If you use the Cenzic Cloud service, do not provide an address for this setting.
  10. If you are using a high-availability configuration, for the Sync setting, select the Recommend Sync when Policy is not applied check box to display the Sync Recommended message at the top of the screen when you change a security policy, to remind you to perform a ConfigSync with the peer device.
  11. For the Logging setting, select the Write all changes to Syslog check box to record all changes made to security policies in the Syslog (/var/log/asm).
    Note: The system continues to log system data regardless of whether you enable policy change logging.
  12. Click Save to save your settings.
The adjusted settings are used throughout the ASM system.

Incorporating external antivirus protection

Before you can incorporate antivirus protection, you need to have an ICAP server set up in your network.
You can configure the Application Security Manager (ASM) to connect with an Internet Content Adaptation Protocol (ICAP) server to check requests for viruses. (ASM was tested with McAfee VirusScan, Trend Micro InterScan, Symantec Protection Engine, and Kaspersky Antivirus products, and may work with others.) You can also set up antivirus checking for HTTP file uploads and SOAP web service requests.
  1. On the Main tab, click Security > Options > Application Security > Integrated Services > Anti-Virus Protection. The Anti-Virus Protection screen opens.
  2. For the Server Host Name/IP Address setting, type the fully qualified domain name of the ICAP server, or its IP address.
    Note: If you specify the host name, you must first configure a DNS server by selecting System > Configuration > Device > DNS.
  3. For Server Port Number, type the port number of the ICAP server. The default value is 1344.
  4. If you want to perform virus checking even if it may slow down the web application, select the Guarantee Enforcement check box.
  5. Click Save to save your settings.
  6. On the Main tab, click Security > Application Security > Blocking. The Settings screen opens.
  7. For each security policy, configure, as needed, the blocking policy for antivirus protection.
    1. Ensure that the Current edited policy is the one for which you want antivirus protection.
    2. In the Negative Security Violations area (near the bottom of the Violations list), for the Virus Detected violation, select either or both of the Alarm and Block check boxes.
    3. Click Save to save the settings.
  8. For each security policy, configure, as needed, antivirus scanning for file uploads or SOAP attachments.
    Note: Performing antivirus checks on file uploads may slow down file transfers.
    1. On the Main tab, click Security > Application Security > Integrated Services > Anti-Virus Protection.
    2. Ensure that the Current edited policy is the one that may include HTTP file uploads or SOAP requests.
    3. To have the external ICAP server inspect file uploads for viruses before releasing the content to the web server, select the Inspect file uploads within HTTP requests check box.
    4. To perform antivirus scanning on SOAP attachments, if the security policy includes one or more XML profiles, in the XML Profiles setting, move the profiles from the Antivirus Protection Disabled list to the Antivirus Protection Enabled list. Alternatively, click Create to quickly add a new XML profile, with default settings, to the configuration. You can then add the new profile to the Antivirus Protection Enabled list.
    5. Click Save to save the settings.
  9. To put the security policy changes into effect immediately, click Apply Policy.
If the Virus Detected violation is set to Alarm or Block in the security policy, the system sends requests with file uploads to an external ICAP server for inspection. The ICAP server examines the requests for viruses and, if the ICAP server detects a virus, it notifies ASM, which then issues the Virus Detected violation.

If antivirus checking for HTTP file uploads and SOAP web service requests is configured, the system checks the file uploads and SOAP requests before releasing content to the web server.

Creating user accounts for application security

User accounts on the BIG-IP system are assigned a user role that specifies the authorization level for that account. While an account with the user role of Administrator can access and configure everything on the system, you can further specialize administrative accounts for application security.
  1. On the Main tab, click System > Users.
  2. Click Create. The New User properties screen opens.
  3. From the Role list, select a user role for security policy editing.
    • To limit security policy editing to a specific administrative partition, select Application Security Editor.
    • To allow security policy editing on all partitions, select Application Security Administrator.
  4. If you selected Application Security Editor, then from the Partition Access list, select the partition in which to allow the account to create security policies. You can select a single partition name or All.
  5. From the Terminal Access list, select a level of console access.
  6. Click Finished.
The BIG-IP system now contains a new user account for administering application security.
  • Application Security Editors have permission to view and configure most parts of the Application Security Manager on specified partitions.
  • Application Security Administrators have permission to view and configure all parts of the Application Security Manager, on all partitions. With respect to application security objects, this role is equivalent to the Administrator role.

Validating regular expressions

The RegExp Validator is a system tool designed to help you validate your regular expression syntax. You can type a regular expression in the RegExp Validator, provide a test string pattern, and let the tool analyze the data. The tool is included with Application Security Manager.
  1. Click Security > Options > Application Security > RegExp Validator.
  2. From the RegExp Type list, select either PCRE or RE2 (recommended) as the RegExp engine.
    Tip: As of BIG-IP version 11.2, the system’s regular expression library and signatures changed from PCRE to RE2 to increase performance and lower false positives. The system still supports the PCRE library for systems that have user-defined signatures configured in PCRE.
  3. Specify how you want the validator to work:
    • In the RegExp field, type the regular expression you want to validate.
    • Or in the RegExp field, type the regular expression to use to verify a test string, and then in the Test String field, type the string.
  4. Click the Validate button. The screen shows the results of the validation.
The validation result indicates whether the regular expression is valid. If you specified a test string, the first RegExp match displays the result of the verification check, including whether there are any matches.
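
The Tip in step 2 notes the move from PCRE to RE2 while PCRE remains available for user-defined signatures. The following is an added example, not part of the F5 manual or the ASM tool: it uses Go's standard regexp package, which implements RE2 syntax, as an offline stand-in to pre-check whether patterns written for PCRE would be accepted under RE2, and to show the first match for a test string. The ValidateRE2 name, the hint table, and the sample patterns are assumptions made for illustration; the on-box RegExp Validator remains the authoritative check.

```go
package main

import (
	"fmt"
	"regexp"
)

// Result mirrors what the validator reports: syntax validity and the first match.
type Result struct {
	Valid, Matched   bool
	Hint, FirstMatch string // Hint is a best-effort guess at why RE2 rejected the pattern
}

// Constructs that PCRE accepts and RE2 rejects (RE2 has no lookaround or backreferences).
var pcreOnly = []struct{ marker, name string }{
	{`\(\?=`, "lookahead"}, {`\(\?!`, "negative lookahead"},
	{`\(\?<=`, "lookbehind"}, {`\(\?<!`, "negative lookbehind"},
	{`\(\?>`, "atomic group"}, {`\\[1-9]`, "backreference"},
}

// ValidateRE2 compiles pattern under RE2 syntax; a non-empty test string is then searched for the first match.
func ValidateRE2(pattern, test string) Result {
	re, err := regexp.Compile(pattern)
	if err != nil {
		r := Result{Hint: "other syntax error"}
		for _, p := range pcreOnly { // markers are fixed, known-good expressions
			if regexp.MustCompile(p.marker).MatchString(pattern) {
				r.Hint = p.name
			}
		}
		return r
	}
	r := Result{Valid: true}
	if loc := re.FindStringIndex(test); test != "" && loc != nil {
		r.Matched, r.FirstMatch = true, test[loc[0]:loc[1]]
	}
	return r
}

func main() {
	// Constructed sample signatures and test strings, not taken from any ASM signature set.
	for _, s := range [][2]string{
		{`(?i)union\s+select`, "id=1 UNION  SELECT x"},
		{`(?i)<script(?=[\s>])`, "<script>"},
		{`(['"])\s*or\s*\1`, `' or '`},
	} {
		fmt.Printf("%-24s %+v\n", s[0], ValidateRE2(s[0], s[1]))
	}
}
```

A pattern reported with a lookaround or backreference hint has to stay on the PCRE engine or be rewritten without that construct before it can be validated as RE2.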