Applies To:
Show VersionsBIG-IP ASM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Overview: Changing how a security policy is built
Application Security Manager™ (ASM) completely configures the policy building settings according to the selections you make when you create a security policy. These settings are used for both automatic and manual policy building. You can review the settings, and change them later if needed.
The policy building settings control:
- Whether traffic is blocked if a violation occurs
- Whether ASM automatically builds the security policy
- How inclusive the security policy is
- How new entities (file types, URLs, parameters, and so on) are learned: never learn new entities, learn if there are violations on an entity (selective mode), learn all entities that are discovered in the traffic.
- Which violations to enforce and how to enforce them
- Which IP addresses to trust traffic and data from
- Whether learning is available for every particular attribute
There are two levels of policy building settings: basic and advanced. The basic settings are sufficient for most installations, and require less work. Selecting the policy template causes ASM to choose reasonable values for the advanced settings.
The advanced level allows you to view and change all of the configuration settings if you want further control over security policy details. However, in most cases, you do not need to change the default values of these settings. F5 recommends that you use the default settings unless you are technically familiar with the web application being protected, and with ASM.
Task summary
Changing how to build a security policy
If you are an advanced user, you can review or adjust the settings that the system uses to build or fine-tune a security policy. In most cases, you do not need to change the values of these settings.
By adjusting the policy building settings, you change the way that Application Security Manager™ creates the security policy.
Adding trusted IP addresses to a security policy
In a security policy, you can include a list of IP addresses that you want the system to consider safe or trusted. Take care when specifying trusted IP addresses. Trusted IP addresses are typically internal IP addresses to which only trusted users have access. You configure all trusted IP addresses as IP address exceptions.
Application Security Manager™ (ASM) processes traffic from trusted clients differently than traffic from untrusted clients. For clients with trusted IP addresses, the rules are configured so that ASM™ requires less traffic (by default, only 1 user session) to update the security policy or make suggestions about adding an entity or making other changes. It takes more traffic from untrusted clients to change or suggest changes to the security policy (for example, if using the default values).
Learning host names automatically
Classifying the content of learned parameters
When using automatic learning, you can instruct the system to examine and classify the content of learned parameters. If the system detects legitimate XML or JSON data in parameters, the system adds (or suggests adding) XML or JSON content profiles to the security policy and configures them using the data found.
Specifying whether to learn integer parameters
Integer parameters are parameters with a data type that is numeric and can include only whole numbers. If a security policy is learning parameters (when Learn New Parameters is set to Selective or Add All Entities), you can specify whether the Policy Builder suggests adding integer parameters to the security policy. This option is available only when the learning mode is set to automatic.
When the Application Security Manager™ receives a request that includes an entity (for example, a URL) containing an integer parameter, the system collects the parameter value from the web application’s response to the request and suggests adding it to the security policy.
Specifying when to learn dynamic parameters
Dynamic parameters are those whose values are regenerated when the user accesses an application. For example, a session ID is a dynamic parameter, and it is linked to a user session. The system can extract dynamic parameters from parameters, URLs, and file types. You can specify the conditions under which the Policy Builder suggests adding dynamic parameters to the security policy. This option is available only when the learning mode is set to automatic.
When the Application Security Manager™ receives a request that includes an entity (for example, a file extension or URL) containing a dynamic parameter, the system collects the parameter value or name from web application’s response to the request and suggests adding it to the security policy.
Collapsing entities in a security policy
When using automatic policy building, the system automatically simplifies your security policy by combining several similarly named explicit entities into wildcard entities. For example, multiple parameters beginning with param are combined into param*. You can specify which entities should be collapsed and after how many occurrences.
Changing how cookies are enforced
- The * cookie wildcard is an allowed cookie
- Learn New Cookies is set to Selective
- The * cookie wildcard is an enforced cookie
- Learn New Cookies is set to Selective
- The Learn flag of the Modified domain cookie(s) violation is selected
If a request causes the Modified domain cookie(s) violation, the system changes their type from “enforced” to “allowed” (in the GUI they are moved between the tabs).
In cases where you want all cookies to be enforced, the * cookie wildcard must be an allowed cookie. If you do not want all cookies to be enforced, the * cookie wildcard must be an enforced cookie. In either case, set Learn New Cookies to Never (wildcard only) and clear the Learn and enforce new unmodified cookies check box.
Limiting the maximum number of policy elements
When building a security policy using automatic or manual learning, the system has reasonable limits for the maximum number of file types, URLs, parameters, cookies, and redirection domains that the system can learn and add to the security policy. These limits work fine for most situations. You can adjust the limits, if needed. Note that you can always add an entity manually even after the limits are reached.
- If the web site requires more than the maximum number of elements, you can increase the limits, or reconsider the type of the policy (you may not need to include all the elements explicitly).
- If the site includes a dynamic element that the Policy Builder cannot learn (such as dynamic sessions in URL or dynamically generated parameter names), either configure the security policy to include the element (for example, dynamic sessions in URL), or clear the element type. The Policy Builder should not be configured to learn that element type in such an environment.
- If you want to maintain the limits, you can add the required entities manually.
Classifying the content of requests to URLs
When using automatic learning, you can instruct the system to examine and classify the content of requests to URLs. If the system detects legitimate XML, JSON, or Google Web Toolkit (GWT) data in requests to URLs configured in the security policy, the system adds XML, JSON, or GWT content profiles to the security policy and configures them using the data found.
Specifying the file types for wildcard URLs
For security policies that are tracking URLs (policies that use the comprehensive template), the system adds a wildcard URL instead of explicit URLs for commonly used file types. You can adjust the list of file types that are changed to wildcard URLs.
Disabling full policy inspection
Application Security Manager™ provides full functionality, and performs full policy inspection, and holds in memory information about the configuration of entities that are included in a security policy. In rare cases, such as on systems with limited memory or when instructed to do so by F5 Support, you might need to disable full policy inspection.
If you disable the Full Policy Inspection check box, the system does not store all the information about the policy elements in memory, thus it enables memory optimization. However, you lose some functionality. When the setting is disabled, the system cannot collapse URLs, WebSocket URLs, parameters, or content profiles (the collapse settings are cleared, become unavailable, and cannot be changed). The system no longer performs classification for parameters, URLs, or WebSocket URLs.
Disabling full policy inspection causes pabnagd (policy building daemon) to restart in 5 minutes. The delay allows time to disable the check box on more than one policy. The restart does not affect traffic throughput.
Stopping and starting automatic policy building
You can use the Real Traffic Policy Builder® to automatically build a security policy in two ways: with automatic learning or manual learning. When you set Learning Mode to automatic, the Policy Builder makes suggestions on how to update the security policy and updates the security policy when the policy building rules are met. It does this by automatically enforcing the suggested changes, adding file types, URLs, parameters, and so on for the web application. The Policy Builder also operates when you set Learning Mode to manual. In this case, the Policy Builder examines traffic, and makes suggestions on what to add to the security policy or what to change in the policy settings but you have to implement them.
If you set learning mode to automatic, the Policy Builder automatically discovers and populates the security policy with the policy elements (such as file types, URLs, parameters, and cookies). If you are using manual learning, the Policy Builder examines traffic and makes suggestions on ways to adjust the security policy; changes are implemented only when you approve them. You can manually accept, delete, or ignore the suggestions on the Traffic Learning screen.
If you disable the learning mode, all learning suggestions are deleted and no more learning takes place; the security policy remains the same unless you manually change it. If you enable manual or automatic learning later, the learning process starts over. Regardless of the learning mode, you can always monitor the policy and manually change it.