Applies To:
Show VersionsBIG-IP ASM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Configuring General Security Policy Building Settings
About general security policy building settings
General policy building settings determine how a security policy is built for both automatic policy building and manual policy building. The settings define the type of policy to create, and what level of Learning suggestions to provide based on real traffic. You can specify the circumstances under which the system adds or suggests that you add explicit entities to the security policy. The settings also let you determine at which level (global or URL) to add parameters to the policy.
Changing the policy type
The elements that are currently in the security policy remain in the policy. From this point on, the security policy is built according to the new policy type you have selected.
Security policy elements included in each policy type
The elements that the system adds to a security policy depend on the policy type you select for automatic policy building. You can set the policy type when creating the security policy in the Deployment wizard or later by modifying the policy settings (
. When the policy type is set or modified, the Application Security Manager™ (ASM) assigns the Explicit Entities Learning settings as follows.Security policy element | Fundamental | Enhanced | Comprehensive | Vulnerability Assessment |
---|---|---|---|---|
File Types | Add All Entities | Add All Entities | Add All Entities | Never (wildcard only) |
URLs | Never (wildcard only) | Selective | Add All Entities | Never (wildcard only) |
Parameters | Selective (wildcard only) | Selective | Add All Entities | Never (wildcard only) |
Cookies | Never (wildcard only) | Selective | Selective | Never (wildcard only) |
Redirection Domains | Add All Entities | Add All Entities | Add All Entities | Add All Entities |
Setting | Description |
---|---|
Add All Entities | The Policy Builder includes all of the website entities. This option creates a large set of security policy entities with a granular object level configuration and high security level. |
Selective | This option applies only to the * wildcard. When false positives occur, the system adds or suggests adding an explicit entity with relaxed settings. This option provides a good balance between security, policy size, and ease of maintenance. |
Never (Wildcard Only) | When false positives occur, the system suggests relaxing the settings of the wildcard entity. This option creates a security policy that is easy to manage but may result in overall relaxed application security. |
Depending on which policy type you select, ASM™ includes a different set of policy elements in the Automatic Policy Building Settings.
Security Policy element | Fundamental | Enhanced | Comprehensive | Vulnerability Assessment |
---|---|---|---|---|
HTTP Protocol Compliance | Yes | Yes | Yes | Yes |
Evasion Techniques Detected | Yes | Yes | Yes | Yes |
File Type Lengths | Yes | Yes | Yes | No |
Attack Signatures (Applies to policy, parameter, content profile, and cookie signatures) | Yes | Yes | Yes | Yes |
URL Meta Characters | No | Yes | Yes | No |
Parameter Name Meta Characters | No | No | Yes | No |
Parameter Value Lengths | No | Yes | Yes | No |
Value Meta Characters (for Parameters and Content Profiles) | No | No | Yes | No |
Allowed Methods | No | Yes | Yes | Yes |
Request Length Exceeds Defined Buffer Size | Yes | Yes | Yes | No |
Header Length | Yes | Yes | Yes | No |
Cookie Length | Yes | Yes | Yes | No |
Failed to Convert Character | Yes | Yes | Yes | Yes |
Content Profiles | No | Yes | Yes | No |
Automatically detect advanced protocols | No | No; but Yes if JSON/XML payload detection selected | No; but Yes if JSON/XML payload detection selected | No |
Host Names | Yes | Yes | Yes | Yes |
CSRF URLs | No | No | Yes | Yes |
Configuring explicit entities learning
You can adjust the explicit entities learning settings for file types, URLs, parameters, cookies, and redirection domains. Explicit learning settings specify when Real Traffic Policy Builder® adds, or suggests you add, explicit entities to the security policy.
The security policy now learns new file types, parameters, URLs, cookies, and redirection domains according to the explicit learning settings you specified.
Adjusting the parameter level
You can adjust how the system determines what parameters it adds (automatic policy building) or suggests you add (manual policy building) to the security policy. In most cases, you do not need to change the default values of these settings.
The security policy now adds parameters according to the level you specified.