Manual Chapter : Configuring General ASM System Options

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

Changing your system preferences

You can change the default user interface and system preferences for the Application Security Manager™ (ASM), and configure which fields are displayed in the Request List of the Reporting screen.
  1. On the Main tab, click Security > Options > Application Security > Preferences .
  2. In the GUI Preferences area, for Records Per Screen, type the number of entries to display (between 1-100). (The default value is 20.)
    This setting determines the maximum number of security policies, file types, URLs, parameters, flows, headers, and XML and JSON profiles to display in lists throughout ASM™.
  3. For Titles Tooltip Settings, select an option for how to display tooltips.
    Option Description
    Do not show tooltips Never display tooltips or icons.
    Show tooltip icons Display an icon if a tooltip is available for a setting, show the tooltip when you move the cursor over the icon.
    Show tooltips on title mouseover Do not display an icon, but show the tooltip when you move the cursor over the setting name. This is the default setting.
  4. For Default Configuration Level, select Advanced to display all possible settings, or Basic to display only the essential settings, on screens with that option.
    The default is Basic.
  5. For Apply Policy Confirmation Message, you can specify whether to display a popup message asking if you want to perform the Apply Policy operation each time you change a security policy.
  6. If you are using a high-availability configuration, for the Sync setting, select the Recommend Sync when Policy is not applied check box to display the Sync Recommended message at the top of the screen when you change a security policy, to remind you to perform a ConfigSync with the peer device.
  7. For the Logging setting, select the Write all changes to Syslog check box to record all changes made to security policies in the Syslog (/var/log/asm).
    Note: The system continues to log system data regardless of whether you enable policy change logging.
  8. Click Save to save your settings.
The adjusted settings are used throughout the ASM system.

Adjusting system variables

System variables control how Application Security Manager™ (ASM) works. They apply system-wide. You can review and adjust the values of the system variables if the default values are not appropriate for your installation.
Important: You generally do not need to change the default values of the system variables. F5 Networks recommends that you consult with technical support before adjusting them.
  1. On the Main tab, click Security > Options > Application Security > Advanced Configuration > System Variables .
    The System Variables screen opens.
  2. Locate the system variable you want to change and view the description.
  3. In the Parameter Value field, type the new value for the variable.
  4. Click Save.
    If the value you typed is not valid, the system displays a message indicating the valid range or values.
  5. On the Main tab, click System > Configuration > Device > General , and click Reboot to restart the system using the new value.
    If using device management to synchronize ASM systems, you must restart ASM on all of the systems in the device group for the change to take effect on all of them.
    Tip: If the parameter name is shown in boldface text, the value has been changed from the default. The default value is displayed below the parameter value.
The system uses the adjusted value for the system variable. On the System Variables screen, you can click Restore Defaults to change the values back to their original values.

Incorporating external antivirus protection

Before you can incorporate antivirus protection, you need to have an ICAP server setup in your network.
You can configure the Application Security Manager™ (ASM) to connect with an Internet Content Adaptation Protocol (ICAP) server to check requests for viruses. (ASM was tested with McAfee VirusScan, Trend Micro InterScan, Symantec Protection Engine, and Kaspersky Antivirus products, and may work with others.) You can also set up antivirus checking for HTTP file uploads and SOAP web service requests.
  1. On the Main tab, click Security > Options > Application Security > Integrated Services > Anti-Virus Protection .
    The Anti-Virus Protection screen opens.
  2. For the Server Host Name/IP Address setting, type the fully qualified domain name of the ICAP server, or its IP address.
    Note: If you specify the host name, you must first configure a DNS server by selecting System > Configuration > Device > DNS .
  3. For Server Port Number, type the port number of the ICAP server.
    The default value is 1344.
  4. If you want to perform virus checking even if it may slow down the web application, select the Guarantee Enforcement check box.
  5. Click Save to save your settings.
  6. On the Main tab, click Security > Application Security > Policy Building > Learning and Blocking Settings .
    The Learning and Blocking Settings screen opens.
  7. For each security policy, configure, as needed, the blocking policy for antivirus protection.
    1. Ensure that the Current edited policy is the one for which you want antivirus protection.
    2. Expand Policy General Features and for the Virus Detected violation, select either or both of the Alarm and Block check boxes.
      To set the violation to Block, the Enforcement Mode must be set to Blocking.
    3. Click Save to save the settings.
  8. For each security policy, configure, as needed, antivirus scanning for file uploads or SOAP attachments.
    Note: Performing antivirus checks on file uploads may slow down file transfers.
    1. On the Main tab, click Security > Application Security > Integrated Services > Anti-Virus Protection .
    2. Ensure that the Current edited policy is the one that may include HTTP file uploads or SOAP requests.
    3. To have the external ICAP server inspect file uploads for viruses before releasing the content to the web server, select the Inspect file uploads within HTTP requests check box.
    4. To perform anti-virus scanning on SOAP attachments, if the security policy includes one or more XML profiles, in the XML Profiles setting, move the profiles from the Antivirus Protection Disabled list to the Antivirus Protection Enabled list. Alternately, click Create to quickly add a new XML profile, with default settings, to the configuration. You can then add the new profile to the Antivirus Protection Enabled list.
    5. Click Save to save the settings.
  9. To put the security policy changes into effect immediately, click Apply Policy.
If the Virus Detected violation is set to Alarm or Block in the security policy, the system sends requests with file uploads to an external ICAP server for inspection. The ICAP server examines the requests for viruses and, if the ICAP server detects a virus, it notifies ASM, which then issues the Virus Detected violation.

If antivirus checking for HTTP file uploads and SOAP web service requests is configured, the system checks the file uploads and SOAP requests before releasing content to the web server.

Creating user accounts for application security

User accounts on the BIG-IP® system are assigned a user role that specifies the authorization level for that account. While an account with the user role of Administrator can access and configure everything on the system, you can further specialize administrative accounts for application security.
  1. On the Main tab, click System > Users .
  2. Click Create.
    The New User properties screen opens.
  3. From the Role list, select a user role for security policy editing.
    • To limit security policy editing to a specific administrative partition, select Application Security Editor.
    • To allow security policy editing on all partitions, select Application Security Administrator.
  4. If you selected Application Security Editor, then from the Partition Access list, select the partition in which to allow the account to create security policies.
    You can select a single partition name or All.
  5. From the Terminal Access list, select whether to allow console access using tmsh commands.
  6. Click Finished.
The BIG-IP system now contains a new user account for administering application security.
  • Application Security Editors have permission to view and configure most parts of the Application Security Manager™ on specified partitions.
  • Application Security Administrators have permission to view and configure all parts of the Application Security Manager, on all partitions. With respect to application security objects, this role is equivalent to the Administrator role.

Validating regular expressions

The RegExp Validator is a system tool designed to help you validate your regular expression syntax. You can type a regular expression in the RegExp Validator, provide a test string pattern, and let the tool analyze the data. The tool is included with Application Security Manager™.
  1. Click Security > Options > Application Security > RegExp Validator
  2. From the RegExp Type list, select either PCRE or RE2 (recommended) as the RegExp engine.
    Tip: As of BIG-IP® version 11.2, the system’s regular expression library and signatures changed from PCRE to RE2 to increase performance and lower false positives. The system still supports the PCRE library for systems that have user-defined signatures configured in PCRE.
  3. Specify how you want the validator to work:
    • In the RegExp field, type the regular expression you want to validate.
    • Or in the RegExp field, type the regular expression to use to verify a test string, and then in the Test String field, type the string.
  4. Click the Validate button.
    The screen shows the results of the validation.
The validation result indicates whether the regular expression is valid or not. The first RegExp match displays the result of the verification check (if specified) including if there are matches or not.