Manual Chapter: General Configuration Options for BIG-IP DataSafe Profiles and URLs

Applies To:


BIG-IP ASM

  • 13.1.0

Configuring advanced general settings on a profile

Configure advanced general settings on BIG-IP® DataSafe™ profiles if you want to change the default settings that the BIG-IP® system assigns to profiles.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles.
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the General Settings area of the DataSafe Profile Properties screen, click Advanced.
    The Advanced settings appear.
  4. In the Alert Path field, use the automatically generated path, or define your own path.
    Note: If you define your own path, ensure that the path is not used by any other field in the profile and that it is not an already existing URL.
  5. In the Suggested Username Header field, use the default header, or type the header that the BIG-IP system adds to AJAX requests when it detects an AJAX login attempt (common in single-page applications).
    With this header, the BIG-IP system can detect the username that was used for the login. The client sends this header only for URLs in the profile that have a parameter set as Identify as Username.
  6. For the JavaScript Directory field, use the automatically generated path, or define your own.
    This path specifies the location of the main BIG-IP DataSafe JavaScript. This path does not include the actual file name of the JavaScript.
    Note: This path should be changed only if your application is already using a directory with the same path as the automatically assigned default path.
  7. For the JavaScript Configuration Directory field, use the automatically generated path, or define your own path that specifies the location of the BIG-IP DataSafe JavaScript containing profile configuration settings.
    This path specifies the location of the configuration JavaScript. This path does not include the actual file name of the JavaScript.
    Note: This path should be changed only if your application is already using a directory with the same path as the automatically assigned default path.
  8. For the JavaScript Removal Location field, use the automatically generated path, or define your own path that specifies the location of the image file that the system uses for detecting a JavaScript removal attack.
  9. For JavaScript Grace Threshold, change the default value if you want to raise or lower the maximum amount of time (in seconds) permitted between when a protected web page is loaded and its injected JavaScript activates.
  10. Leave the Additional function to be run before JavaScript load field blank unless instructed otherwise by F5®.
  11. For the Prevent duplicate alerts from Client Side setting, select the Enabled check box to prevent the client from sending an alert with information that is identical to an alert previously sent by the client during the past 24 hours.
  12. Click Save.
    The BIG-IP system saves the changes that you made to the advanced settings.

Enable an iRule to handle logins and alerts

Enabling iRules® to handle logins and alerts is relevant only if you have written an iRule that handles the ANTIFRAUD_ALERT event or the ANTIFRAUD_LOGIN event, and that iRule is associated with the same virtual server as your profile.
Enable an iRule to handle logins and alerts if you want to use an iRule to disable alerts or record login events.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles.
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the General Settings area of the DataSafe Profile Properties screen, click Advanced.
    The Advanced settings appear.
  4. In the Trigger iRule Events setting, select the Enabled check box.
  5. Click Save.
    iRules are now enabled to handle logins and alerts.

iRule events

iRules® can subscribe to the ANTIFRAUD_ALERT event and the ANTIFRAUD_LOGIN event in BIG-IP® DataSafe™.

iRule event       Description
ANTIFRAUD_ALERT   Occurs when alerts are sent to the BIG-IP® system.
ANTIFRAUD_LOGIN   Occurs when a user successfully logs in to the profile. If login validation is not configured, this event can occur when just the user name is identified.

iRule Examples

The following example shows how an iRule uses the ANTIFRAUD_ALERT event to log all available information about an alert that was sent by the BIG-IP system to the location /var/log/ltm.

when ANTIFRAUD_ALERT {
  log local0. "=========Anti-Fraud Alert========="
  log local0. "Alert Identifier: [ANTIFRAUD::alert_id]"
  log local0. "Alert Type: [ANTIFRAUD::alert_type]"
  log local0. "Alert Component: [ANTIFRAUD::alert_component]"
  log local0. "Alert Details: [ANTIFRAUD::alert_details]"
  log local0. "Alert GUID: [ANTIFRAUD::alert_guid]"
  log local0. "Alert Device ID: [ANTIFRAUD::alert_device_id]"
  log local0. "Alert License ID: [ANTIFRAUD::alert_license_id]"
  log local0. "Alert Score: [ANTIFRAUD::alert_score]"
  log local0. "Alert Transaction Data: [ANTIFRAUD::alert_transaction_data]"
  log local0. "Alert Username: [ANTIFRAUD::alert_username]"
  log local0. "Alert HTTP Referrer: [ANTIFRAUD::alert_http_referrer]"
  log local0. "Alert Additional Info: [ANTIFRAUD::alert_additional_info]"
  log local0. "Alert Forbidden Added Element: [ANTIFRAUD::alert_forbidden_added_element]"
  log local0. "Alert Bait Signatures: [ANTIFRAUD::alert_bait_signatures]"
  log local0. "Alert HTML: [ANTIFRAUD::alert_html]"
}

The following example shows how an iRule uses the ANTIFRAUD_ALERT event to disable a specific alert according to its type.

when ANTIFRAUD_ALERT {
  if {[ANTIFRAUD::alert_type] eq "components_validation"} {
    log local0. "Alert Type is components validation"
    ANTIFRAUD::disable_alert
    log local0. "Disabled Alert"
  }
}

The following example shows how an iRule uses the ANTIFRAUD_LOGIN event with its commands.

when ANTIFRAUD_LOGIN {
  log local0. "=========Anti-Fraud Login========="
  # read mode
  log local0. "Username: [ANTIFRAUD::username]"
  log local0. "GUID: [ANTIFRAUD::guid]"

  # write mode
  ANTIFRAUD::username "other_user"
}
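As an added example (not part of the F5 documentation), the following Python script regroups /var/log/ltm lines, as the ANTIFRAUD_ALERT logging iRule above would write them, into one record per alert and then counts (device ID, alert type) pairs that recur, the kind of repetition the Prevent duplicate alerts from Client Side setting is meant to suppress. The syslog and iRule-log prefix format, the rule name /Common/df_alert and every alert value in the sample are constructed assumptions.

```python
from __future__ import annotations
import re
from collections import Counter

# Constructed sample of /var/log/ltm lines as the ANTIFRAUD_ALERT logging iRule
# above would write them; the syslog prefix, rule name and alert values are assumed.
SAMPLE_LTM_LOG = """\
Mar  3 10:15:02 bigip1 info tmm[4321]: Rule /Common/df_alert <ANTIFRAUD_ALERT>: =========Anti-Fraud Alert=========
Mar  3 10:15:02 bigip1 info tmm[4321]: Rule /Common/df_alert <ANTIFRAUD_ALERT>: Alert Identifier: d4
Mar  3 10:15:02 bigip1 info tmm[4321]: Rule /Common/df_alert <ANTIFRAUD_ALERT>: Alert Type: components_validation
Mar  3 10:15:02 bigip1 info tmm[4321]: Rule /Common/df_alert <ANTIFRAUD_ALERT>: Alert Device ID: dev-aaaa
Mar  3 10:15:02 bigip1 info tmm[4321]: Rule /Common/df_alert <ANTIFRAUD_ALERT>: Alert Username: alice
Mar  3 10:15:09 bigip1 info tmm[4321]: Rule /Common/df_alert <ANTIFRAUD_ALERT>: =========Anti-Fraud Alert=========
Mar  3 10:15:09 bigip1 info tmm[4321]: Rule /Common/df_alert <ANTIFRAUD_ALERT>: Alert Identifier: d5
Mar  3 10:15:09 bigip1 info tmm[4321]: Rule /Common/df_alert <ANTIFRAUD_ALERT>: Alert Type: components_validation
Mar  3 10:15:09 bigip1 info tmm[4321]: Rule /Common/df_alert <ANTIFRAUD_ALERT>: Alert Device ID: dev-aaaa
Mar  3 10:15:09 bigip1 info tmm[4321]: Rule /Common/df_alert <ANTIFRAUD_ALERT>: Alert Username: alice
Mar  3 10:16:30 bigip1 info tmm[4321]: Rule /Common/df_alert <ANTIFRAUD_ALERT>: =========Anti-Fraud Alert=========
Mar  3 10:16:30 bigip1 info tmm[4321]: Rule /Common/df_alert <ANTIFRAUD_ALERT>: Alert Identifier: d6
Mar  3 10:16:30 bigip1 info tmm[4321]: Rule /Common/df_alert <ANTIFRAUD_ALERT>: Alert Type: components_validation
Mar  3 10:16:30 bigip1 info tmm[4321]: Rule /Common/df_alert <ANTIFRAUD_ALERT>: Alert Device ID: dev-bbbb
Mar  3 10:16:30 bigip1 info tmm[4321]: Rule /Common/df_alert <ANTIFRAUD_ALERT>: Alert Username: bob
Mar  3 10:16:31 bigip1 notice mcpd[1111]: unrelated line that the parser must skip
"""
# Syslog prefix plus iRule log prefix; the text after the event name is what the iRule logged.
PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+ \S+: Rule \S+ <ANTIFRAUD_ALERT>: (?P<msg>.*)$")
FIELD = re.compile(r"^Alert (?P<name>[A-Za-z ]+): (?P<value>.*)$")


def parse_alerts(log_text: str) -> list[dict[str, str]]:
    """Regroup the one-line-per-field iRule output into one dict per alert."""
    alerts: list[dict[str, str]] = []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not written by the alert iRule
        msg = m.group("msg")
        if msg.startswith("=========Anti-Fraud Alert"):
            alerts.append({"timestamp": m.group("ts")})  # the banner opens a new alert
            continue
        f = FIELD.match(msg)
        if f and alerts:
            # "Alert Device ID" -> "alert_device_id", mirroring the ANTIFRAUD:: command names
            alerts[-1]["alert_" + f.group("name").lower().replace(" ", "_")] = f.group("value")
    return alerts


def repeated_alerts(alerts: list[dict[str, str]], min_count: int = 2) -> dict[tuple, int]:
    """(device ID, alert type) pairs reported at least min_count times in the log."""
    counts = Counter((a.get("alert_device_id"), a.get("alert_type")) for a in alerts)
    return {key: n for key, n in counts.items() if n >= min_count}
```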

Values for iRule commands

The following values can be used in iRule commands:

Value                   Description
alert_id                For example, d4.
alert_type              The type of alert.
alert_component         An error type that is determined according to the alert_type.
alert_details           Additional information regarding the alert.
alert_device_id         Persistent browser identifier.
alert_license_id        CRC32 of the license ID, in hex.
alert_transaction_data  Key-value list of all parameters marked to be attached.
alert_username          When this command is used without any additional arguments, this is the name of the user who triggered the alert. It is possible to use additional arguments to override the current user name (write mode), as shown in the ANTIFRAUD_LOGIN example above.
alert_http_referrer     The URL of the site that was visited just before the Alert URL was visited.
alert_additional_info   Shows additional information about the alert, such as the "parameter values too long" error message.
disable_alert           Disables the current alert.

For more information about iRules, go to F5® Networks DevCentral™ (https://devcentral.f5.com/irules).

Configuring URL parameters

Configure URL parameters to protect sensitive URL parameter values. For example, if you have a password parameter sent by GET and you want to encrypt its value, assign the Encrypt attribute (for Application Layer Encryption) and the GET method.
Note: When a protected web page (an INJECTION page) passes data to another web page (an ACTION page), for example via a submitted form, both web pages must have exactly the same parameter configuration. Otherwise, the appropriate alerts may not be sent.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles.
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Click the URL on which you want to configure parameters.
    The URL Properties screen opens.
  5. In the URL Configuration area, select Parameters.
  6. Type a parameter name in the text box and click the Add button.
    The parameter name is added to the list of parameters in the table.
  7. In the parameter row in the table, select parameter attributes as follows:
    • Identify as Username: When enabled, the system considers this parameter a username. Only one parameter per URL can have this attribute.
      Note: If you set a parameter as a user name here but did not set URL is Login Page to Yes, a warning sign appears in this column on the parameter row, indicating that the user name is identified without access validation unless the URL is a login page.
    • Encrypt : When enabled, the system encrypts the parameter’s value attribute.
    • Substitute Value: When enabled, the system substitutes the parameter’s value with a random value in the web application while the form is being filled. This option is available only after the Encrypt setting is enabled, unless you are using a custom encryption function.
      Note: If you assign this attribute to a password parameter, the web browser’s autocomplete feature for passwords does not work on this parameter.
    • Obfuscate: When enabled, the system encrypts the parameter’s name attribute. This attribute cannot be assigned to a parameter if Application Layer Encryption is not enabled.
    • Method: Select the request method in which the parameter data is received (POST or GET).
  8. Repeat steps 6 and 7 for each parameter you want on the URL.
  9. Click Save to save URL parameter settings.

Cloning a profile

If you want to create a new profile with settings identical to an existing profile, you can clone the profile. Unlike parent-child profiles, the cloned profile is not dependent on the original one, and any changes made to the original profile after cloning are not inherited by the previously cloned profile.
Note: A cloned profile inherits all properties from the original profile, including all URL properties.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles.
    The DataSafe Profiles screen opens.
  2. Select the check box next to the profile that you want to clone.
  3. Click the Clone button.
    The Clone Profile pop-up screen opens.
  4. In the Clone Profile pop-up screen, assign a profile name and (optionally) a description.
  5. Click Clone.
    The cloned profile is created and appears in the list of profiles in the DataSafe Profiles screen.

Cloning a URL

You can clone a URL if you want to create a new URL with identical settings to an existing URL.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles.
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the profile with the URL you want to clone.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Select the check box next to the URL that you want to clone.
  5. Click the Clone button.
    The Clone URL pop-up screen opens.
  6. In the Clone URL pop-up screen, assign a URL path and (optionally) a description.
  7. If you don’t want to encrypt data on the web page of the URL that you are cloning, disable the Inject JavaScript setting.
  8. Click the Clone button in the Clone URL pop-up screen.
    Note: A cloned URL inherits all properties from the original URL, including parameters. However, once the cloned URL is created, there is no further dependency, and any future changes made in the original URL are not inherited by the cloned URL.