Applies To:
BIG-IQ Centralized Management
- 6.1.0
Modify and Manage Layer 7 Security Objects
Modifying object Layer 7 security to improve application protection
On BIG-IP devices, virtual servers have Layer 7 (L7) security objects (such as DoS profiles, logging profiles, or Web Application Security policies) that detect and mitigate bad traffic to an application. After configuring your virtual servers, you can manage the application security settings using BIG-IQ Centralized Management. The L7 Security Dashboard lists all deployed applications and virtual servers that are managed by your system. You can view all your managed applications and virtual servers to determine whether the existing protection and logging configuration defines your protection mode.
Adjust Layer 7 protection for applications and virtual servers
- A Data Collection Device (DCD) configured to your BIG-IQ system.
- Managed BIG-IP devices have ASM provisioned for managing security policies.
- The BIG-IQ system has Shared Security (SSM) discovered to manage virtual servers' DoS and logging profiles.
- Managed BIG-IP devices have AVR provisioned (recommended).
Object protection modes for Layer 7 security
The L7 Security Dashboard displays objects with different protection modes. Protected objects consist of the applications or virtual servers that have a Web Application Security policy or DoS profile.
Object protection modes. The PROTECTION MODE area on this screen displays the number of managed objects for each protection mode.
Blocking
- Web Application Security Policy: The policy's Enforcement Mode is set to Blocking.
- DoS Profile: The operation mode for TPS-based Detection is set to Blocking, and/or the operation mode for Behavioral & Stress-based Detection is set to Blocking.
Monitoring
- Web Application Security Policy: The policy's Enforcement Mode is set to Transparent.
- DoS Profile: The operation mode for TPS-based Detection is set to Blocking, and/or the operation mode for Behavioral & Stress-based Detection is set to Transparent.
Not Protected
A virtual server is not protected if it does not have a Monitoring or Blocking configuration. An application is not protected if all of its assigned virtual servers are not protected.
Protected objects with Layer 7 Security
The Layer 7 Security screen displays the applications and virtual servers monitored by BIG-IQ Centralized Management. Protected objects consist of the applications or virtual servers that have a Web Application Security policy or DoS profile with an enabled protection status. The PROTECTED OBJECTS area on this screen displays the number of protected objects, out of the total objects. The following describes the object count for this screen, regardless of protection status:
- Virtual Server: A stand-alone virtual server counts as a managed object (protected or unprotected) when it is not assigned to an application. The virtual server must have at least one HTTP profile. Once it is assigned to an application, the virtual server is no longer included in the total object count.
- Application: Each application counts as an object (protected or unprotected). The application includes all its assigned virtual servers.
L7 Security Alerts
Security alerts in the TRENDS AND IMPACTS area of the L7 Security Dashboard notify you of the number of objects reporting Web Application Security policy (Web Exploits) or DoS profile (L7 DDoS Attacks) events over the past day (trend charts report the past week). These alerts indicate that a protected object (application or virtual server) recently experienced an increased rate in performance issues. To view data that corresponds with these traffic events, go to . To view the status of your deployed applications, go to .

Alert | Description | Indication | Default Thresholds | Action (if applicable) |
---|---|---|---|---|
BAD TRAFFIC TRENDS | The number of objects with a significant increase in traffic with any violation rating. | Increase in transactions with any violation rating. | Web Exploits: The average number of transactions with a violation rating exceeded 10% in the past 24 hours and increased by a ratio of 0.1% out of all traffic over the past week. L7 DDoS Attacks: The average volume of active, simultaneous attacks increased in the past 24 hours. | Investigate transactions and fine-tune your security policy/profile for new threats. |
POTENTIALLY HARMFUL ATTACKS | The number of objects with a transparent protection mode (Monitoring) that have an increase in bad traffic. | Increase in transactions with high violation rating. | Web Exploits: The rate of transactions with violation rating of 4 or 5 exceeded 0.1% in the past 24 hours. L7 DDoS Attacks: The volume of simultaneous active attacks increased in the past 24 hours. | Change security policy or profile to Blocking mode. |
FALSE POSITIVE ATTACKS | The number of objects with a blocking protection mode that have an increase in blocked traffic with a low violation rating. | Increase in blocked transactions. | Web Exploits: The rate of blocked transactions with a violation rating of 1 or 2 exceeded 0.01% over the past 24 hours. | Investigate blocked transactions and fine-tune your Web Application Security policy to allow valid transactions. |
BLOCKED ATTACKS | The number of objects with a blocking protection mode that blocked any bad traffic over the past 24 hours. | N/A | N/A | N/A |
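
The Web Exploits default thresholds from the table above, applied to per-object transaction counts. This is an added example, not BIG-IQ code: the `ObjectStats` record and the sample counts are constructed, and rates are assumed to be measured against all of an object's transactions in the 24-hour window. BAD TRAFFIC TRENDS and the L7 DDoS Attacks rows are left out because they depend on a week-long baseline.

```python
from collections import Counter
from dataclasses import dataclass, field

# Default Web Exploits thresholds from the alert table, in parts per million
# of an object's transactions over 24 hours (integers avoid float rounding).
HARMFUL_PPM = 1_000        # rating 4 or 5 exceeds 0.1%
FALSE_POSITIVE_PPM = 100   # blocked with rating 1 or 2 exceeds 0.01%

@dataclass
class ObjectStats:            # hypothetical record, not a BIG-IQ structure
    name: str
    mode: str                 # "Blocking", "Monitoring" or "Not Protected"
    total: int                # all transactions in the past 24 hours (assumed denominator)
    rated: dict = field(default_factory=dict)    # violation rating -> count
    blocked: dict = field(default_factory=dict)  # violation rating -> blocked count

def exceeds(count, total, ppm):
    """True when count/total is strictly above the ppm threshold."""
    return total > 0 and count * 1_000_000 > ppm * total

def alerts_for(obj):
    """Alerts one object raises, following the table's mode and rating rules."""
    alerts = []
    if obj.mode == "Monitoring":
        high = obj.rated.get(4, 0) + obj.rated.get(5, 0)
        if exceeds(high, obj.total, HARMFUL_PPM):
            alerts.append("POTENTIALLY HARMFUL ATTACKS")
    elif obj.mode == "Blocking":
        low = obj.blocked.get(1, 0) + obj.blocked.get(2, 0)
        if exceeds(low, obj.total, FALSE_POSITIVE_PPM):
            alerts.append("FALSE POSITIVE ATTACKS")
        if sum(obj.blocked.values()) > 0:
            alerts.append("BLOCKED ATTACKS")
    return alerts

def dashboard_counts(objects):
    """Number of objects raising each alert."""
    return Counter(a for o in objects for a in alerts_for(o))

# Constructed sample data; vs_blog sits exactly at 0.1%, which does not exceed it.
SAMPLE = [
    ObjectStats("vs_shop", "Monitoring", 200_000, rated={4: 150, 5: 80}),
    ObjectStats("vs_blog", "Monitoring", 200_000, rated={4: 150, 5: 50}),
    ObjectStats("app_api", "Blocking", 1_000_000, blocked={1: 60, 2: 70, 5: 400}),
    ObjectStats("app_pay", "Blocking", 1_000_000, blocked={1: 40, 5: 12}),
]

if __name__ == "__main__":
    for obj in SAMPLE:
        print(obj.name, alerts_for(obj) or "no alert")
    print(dict(dashboard_counts(SAMPLE)))
```
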
Modifying a DoS profile to improve application protection
A DoS profile configured on the BIG-IQ Centralized Management system prevents or monitors denial of service (DoS) attacks on web applications. Depending on your configuration, the system detects DoS attacks based on transactions per second (TPS) on the client side, stress-based server latency, heavy URLs, source location, suspicious browsers, and failed CAPTCHA responses. Behavioral DoS (BADoS), a part of stress-based detection, automatically discovers and mitigates DoS attacks using behavioral data.
Changes in your application's traffic might reduce the effectiveness of your existing DoS profile. You can edit DoS profiles that protect your application's security to add or remove attack detection and mitigation measures.
Edit DoS profile for application security
Modifying a Web Application Security policy to improve application protection
Web Application Security imports BIG-IP Application Security Manager (ASM) application security policies from discovered BIG-IP devices, and lists them with the attached protected object (application or virtual server). The Web Application Security policy helps you to define both bad traffic and how this traffic is handled so that it doesn't affect the performance of your application's web server. Changes in traffic or an application's protection needs might reduce the effectiveness of your policy. You can change the policy's configuration to ensure that your protected objects can withstand a Layer 7 attack.
Edit web application security policies
Modifying a logging profile to monitor application security events
A logging profile configured on BIG-IQ Centralized Management determines the kind of events that the system logs, and where the system stores these events. You can define a logging profile to record events from multiple virtual servers, from multiple devices. Changes to your security settings might require you to adjust the information that is recorded by your existing logging profile. You can edit an existing logging profile to improve your monitoring capabilities.
Edit object logging profiles
Creating a new DoS profile to improve application security
A denial of service attack (DoS attack) makes a resource unavailable to its intended users, or obstructs the communication media between the intended users and the site. A DoS profile allows you to define, monitor, and mitigate traffic patterns that threaten application security.
- A high volume of incoming traffic (using TPS-based Detection settings)
- Server stress (with Behavioral and Stress-based Detection settings)
Create a DoS profile with application security
Creating a new Web Application Security policy to improve application protection
A Web Application Security policy implements various levels of security to protect Layer 7 applications. The L7 Summary Dashboard lists the applications and virtual servers attached to BIG-IP Application Security Manager (ASM) policies. With this dashboard, you can create new policies based on the requirements of the objects configured to your monitored BIG-IP systems.
You create a new application security policy based on observed traffic patterns. In addition, you have the flexibility to manually develop a security policy that is customized for your needs, based on the amount of protection and acceptable risk. For more information, refer to the Managing Application Security Policies in Web Application Security topics in BIG-IQ Centralized Management: Security on support.f5.com.
Create a Web Application Security policy
Creating a logging profile for event monitoring
A logging profile records requests to a virtual server. You can determine which requests to log, and where to store the request information. The L7 Summary Dashboard lists the applications and virtual servers attached to a log profile. Use this dashboard to create new log profiles based on the requirements of the objects listed on the screen.
For more information, refer to the Managing Logging Profiles in Shared Security topics in BIG-IQ Centralized Management: Security on support.f5.com.