Configuration Guide for BIG-IP® Application Security Manager™ version 10.2 MAN-0283-02
Table of Contents, page viii: 5 Building a Security Policy Automatically. Overview of automatic policy building ...
Chapter 6, page 6 - 20: Disallowing specific file types. For some web applications, you may want to deny requests for certain file types. In this case, you can c
Manually Configuring Security Policies, page 6 - 21: Configuring URLs. You can add three types of UR
Chapter 6, page 6 - 22: Perform Tightening: Specifies, when checked, that tightening is enabled. As a result: - When Policy Builder runs, it adds explicit URLs th
Manually Configuring Security Policies, page 6 - 23: Overview of URL parameters and extractions. URL
Chapter 6, page 6 - 24: Creating an explicit URL. You can build the list of URLs in the security policy in these ways: • You can run the Policy Builder. See Chapt
Manually Configuring Security Policies, page 6 - 25: Removing a URL. Web applications can change ove
Chapter 6, page 6 - 26: Identifying referrer URLs. In lists of URLs, non-referrer URLs appear in blue and referrer URLs appear in gold. Referrer URLs are web pa
Manually Configuring Security Policies, page 6 - 27: 6. Click the Create button. 7. To put the secu
Chapter 6, page 6 - 28: Configuring AMF security checks. You configure AMF security on a per-URL basis. You can configure AMF security for both wildcard URLs and
Manually Configuring Security Policies, page 6 - 29: To view or modify the character set for URLs. 1
Table of Contents, page ix: Configuring a dynamic flow from a URL ...
Chapter 6, page 6 - 30: Configuring flows. The application flow defines the access path leading from one URL to another URL within the web application. For examp
Manually Configuring Security Policies, page 6 - 31: Adding a flow to a URL. You can manually create
Chapter 6, page 6 - 32: Configuring a dynamic flow from a URL. Some web applications contain URLs with dynamic names, for example, the links to a server location
Manually Configuring Security Policies, page 6 - 33: Configuring login URLs to prevent forceful br
Chapter 6, page 6 - 34: To configure login page settings. 1. In the navigation pane, expand Application Security, point to Flows, point to Login Pages, and click
Manually Configuring Security Policies, page 6 - 35: Masking sensitive data. Depending on the web ap
Chapter 6, page 6 - 36: 6. To specify patterns in the data not to be considered sensitive: a) Check the Enable Exception Patterns box. b) In the New Pattern box,
Manually Configuring Security Policies, page 6 - 37: 4. From the Cookie Name Type list, select whe
Chapter 6, page 6 - 38: Deleting an allowed modified cookie. You can delete an allowed modified cookie, as required by changes in the web application. To delete
Manually Configuring Security Policies, page 6 - 39: Configuring mandatory headers. If your applicat
Table of Contents, page x: Sorting wildcard file types ... 9-8 C
Chapter 6, page 6 - 40: Configuring allowed methods. All security policies accept standard HTTP methods by default. The default allowed methods are GET, HEAD, an
Manually Configuring Security Policies, page 6 - 41: Configuring security policy blocking. You can c
Chapter 6, page 6 - 42: Click the information icon by a violation, or refer to Appendix A, Security Policy Violations, for descriptions of the violations.
Manually Configuring Security Policies, page 6 - 43: Configuring the blocking actions. On the Blocki
Chapter 6, page 6 - 44: Configuring blocking properties for evasion techniques. For every HTTP request, Application Security Manager examines the request for eva
Manually Configuring Security Policies, page 6 - 45: Configuring blocking properties for web servi
Chapter 6, page 6 - 46: Configuring the response pages. The Application Security Manager has a default blocking response page that it returns to the client when
Manually Configuring Security Policies, page 6 - 47: 5. If you selected the Redirect URL option in
Chapter 6, page 6 - 48: Configuring CSRF protection. Cross-site request forgery (CSRF) is an attack that forces a user to execute unwanted actions on a web appli
Manually Configuring Security Policies, page 6 - 49: 5. For URLs List, select the option that indi
Table of Contents, page xi: 11 Working with Attack Signatures. Overview of attack signatures ...
Chapter 7: Configuring Anomaly Detection. • What is anomaly detection? • Preventing DoS attacks for Layer 7 traffic • Mitigating brute force attacks • Configuring IP
Configuring Anomaly Detection, page 7 - 1: What is anomaly detection? Anomaly detection is a way of
Chapter 7, page 7 - 2: Preventing DoS attacks for Layer 7 traffic. A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable
Configuring Anomaly Detection, page 7 - 3: If you choose latency-based, DoS attacks are detected b
Chapter 7, page 7 - 4: 4. For the Detection Mode, select the way you want the system to look for DoS attacks: • TPS-based: Determines DoS attacks from the client
Configuring Anomaly Detection, page 7 - 5: to the average rate prior to the attack, or lower than
Chapter 7, page 7 - 6: 9. For the Prevention Duration setting, specify the length of time for which the system mitigates DoS attacks: • Unlimited: Select if you
Configuring Anomaly Detection, page 7 - 7: The system considers it to be a brute force attack if t
Table of Contents, page xii: 13 Refining the Security Policy Using Learning. Overview of the learning process ...
Chapter 7, page 7 - 8: 4. For the Password Parameter Name setting, type the password parameter written in the code of the HTML form. When the system detects th
Configuring Anomaly Detection, page 7 - 9: To configure dynamic brute force protection, use the se
Chapter 7, page 7 - 10: • Source IP-Based Rate Limiting: Check to drop requests from suspicious IP addresses. Application Security Manager drops connections to l
Configuring Anomaly Detection, page 7 - 11: To configure access validation. Continue configuring the
Chapter 7, page 7 - 12: Configuring IP address enforcement. You can configure the IP Enforcer to perform enforcement based on IP address. When the IP Enforcer is
Configuring Anomaly Detection, page 7 - 13: 7. To put the security policy changes into effect imme
Chapter 7, page 7 - 14: Preventing web scraping detection on certain addresses. If your environment uses legitimate automated tests, you can create a white list
Chapter 8: Maintaining Security Policies. • Maintaining a security policy • Reviewing a log of all security policy changes • Displaying security policies in a tree
Maintaining Security Policies, page 8 - 1: Maintaining a security policy. Security policies can chan
Table of Contents, page xiii: Viewing PCI Compliance reports ...
Chapter 8, page 8 - 2: Editing an existing security policy. You can access a security policy for editing from either the Policies List screen, or from the editin
Maintaining Security Policies, page 8 - 3: Copying a security policy. You can copy a security policy
Chapter 8, page 8 - 4: To export a security policy. 1. In the navigation pane, expand Application Security and click Policies List. The Policies List screen opens
Maintaining Security Policies, page 8 - 5: Merging two security policies. You can use the policy mer
Chapter 8, page 8 - 6: 7. Click the Download Full Report button to open or save the entire Merge Report. 8. Click OK. The screen refreshes, and the merged securi
Maintaining Security Policies, page 8 - 7: Restoring a deleted security policy. If you delete a secu
Chapter 8, page 8 - 8: Viewing and restoring an archived security policy. The Application Security Manager keeps an archive of security policies that have been s
Maintaining Security Policies, page 8 - 9: Reviewing a log of all security policy changes. The Appli
Chapter 8, page 8 - 10: Displaying security policies in a tree view. You can display a tree view of the security policy to quickly view its contents. The tree vi
Maintaining Security Policies, page 8 - 11: Using the security policy audit tools. Application Secur
Table of Contents, page xiv: Using the WhiteHat Sentinel Baseline security policy ... B-13 Overview of the
Chapter 9: Working with Wildcard Entities. • Overview of wildcard entities • Configuring wildcard file types • Configuring wildcard URLs • Configuring wildcard param
Working with Wildcard Entities, page 9 - 1: Overview of wildcard entities. Wildcard entities are web
Chapter 9, page 9 - 2: Understanding staging and tightening for wildcard entities. When you create a wildcard entity, you have the option to enable staging and t
Working with Wildcard Entities, page 9 - 3: Understanding staging. You can perform staging on wildca
Chapter 9, page 9 - 4: 5. Click OK. The screen refreshes; the system performs the following on selected entities: • Removes from staging entities whose staging p
Working with Wildcard Entities, page 9 - 5: Security Enforcer applies any applicable security chec
Chapter 9, page 9 - 6: 6. Modify the length settings as required. 7. If you want the system to parse responses in addition to parsing requests, check the Check
Working with Wildcard Entities, page 9 - 7: Deleting wildcard file types. You can delete wildcard fi
Chapter 1: Introducing the Application Security Manager. • Overview of the BIG-IP Application Security Manager • Getting started with the user interface • Finding he
Chapter 9, page 9 - 8: Sorting wildcard file types. When you have configured more than one wildcard file type, you can set the enforcement order, which is the se
Working with Wildcard Entities, page 9 - 9: Configuring wildcard URLs. URLs represent the pages and
Chapter 9, page 9 - 10: 7. If you want the system to validate XML data in requests to this URL based on the settings configured in an XML profile, check the Ap
Working with Wildcard Entities, page 9 - 11: Modifying wildcard URLs. At times, you may want to modi
Chapter 9, page 9 - 12: Sorting wildcard URLs. When you have configured more than one wildcard URL, you can set the enforcement order, which is the order in whic
Working with Wildcard Entities, page 9 - 13: Configuring wildcard parameters. You can specify wildca
Chapter 9, page 9 - 14: 5. For the Parameter Level setting, select the appropriate option for this wildcard parameter. • Global Parameter: For more information,
Working with Wildcard Entities, page 9 - 15: Modifying wildcard parameters. You may want to modify t
Chapter 9, page 9 - 16: 5. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm. The system appli
Working with Wildcard Entities, page 9 - 17: Tip: When adding wildcard URLs, you should arrange the
Chapter 9, page 9 - 18: Using wildcards for allowed modified cookie headers. You can use wildcards for allowed modified cookie headers to reduce the number of Mo
Working with Wildcard Entities, page 9 - 19: Checking the status of wildcard tightening for allowe
Chapter 9, page 9 - 20: 7. In the Tightening column of the allowed modified cookies list, point to the light bulb icon. The system displays information on the l
Chapter 10: Working with Parameters. • Understanding parameters • Working with global parameters • Working with URL parameters • Working with flow parameters • Config
Working with Parameters, page 10 - 1: Understanding parameters. Parameters are an integral entity in
Chapter 10, page 10 - 2: Working with global parameters. Global parameters are those that do not have an association with a specific URL or application flow. Th
Working with Parameters, page 10 - 3: 7. If you are creating a wildcard parameter and you want the
Chapter 10, page 10 - 4: Editing the properties of a global parameter. At times, you may want to update the characteristics of a global parameter. This is easily
Working with Parameters, page 10 - 5: Working with URL parameters. You define parameters in the cont
Introducing the Application Security Manager, page 1 - 1: Overview of the BIG-IP Application Secur
Chapter 10, page 10 - 6: 4. In the Create New Parameter area, for the Parameter Name setting, select an option: • If you select Explicit, then in the box, type
Working with Parameters, page 10 - 7: 13. To put the security policy changes into effect immediate
Chapter 10, page 10 - 8: 4. Click OK. The system deletes the parameter. 5. To put the security policy changes into effect immediately, click the Apply Policy but
Working with Parameters, page 10 - 9: 4. In the Create New Parameter area, for the Parameter Name
Chapter 10, page 10 - 10: 15. For the Parameter Value Type setting, select the format for the parameter value. Depending on the value type you select, the scre
Working with Parameters, page 10 - 11: Deleting a flow parameter. Web applications can change over t
Chapter 10, page 10 - 12: Configuring parameter characteristics. Parameter characteristics define the individual attributes of the parameter. The parameter chara
Working with Parameters, page 10 - 13: want to configure the parameter as a user-input parameter i
Chapter 10, page 10 - 14: Configuring parameter characteristics for user-input parameters. User-input parameters are those for which the user can provide a value
Working with Parameters, page 10 - 15: 3. For the Data Type setting, use the default value, Alpha-
Chapter 1, page 1 - 2: ◆ Positive security model: The Application Security Manager creates a robust positive security policy to completely protect web applicatio
Chapter 10, page 10 - 16: • In the Overridden Security Policy Settings list, change the attack signature state as required. Note that the state that you select
Working with Parameters, page 10 - 17: Configuring a decimal user-input parameter. The decimal data
Chapter 10, page 10 - 18: To configure an email user-input parameter. 1. Create a new parameter. • To create a global parameter, see Creating a global parameter,
Working with Parameters, page 10 - 19: 6. If you want the Security Enforcer to enforce a maximum l
Chapter 10, page 10 - 20: Creating parameters without defined values. The Allow Empty Value setting specifies whether the system expects the parameter to have a
Working with Parameters, page 10 - 21: Allowing multiple occurrences of a parameter in a request. By
Chapter 10, page 10 - 22: Making a flow parameter mandatory. The Is Mandatory Parameter setting specifies whether a parameter must be present in a flow. Note: You c
Working with Parameters, page 10 - 23: Configuring XML parameters. XML parameters contain XML data i
Chapter 10, page 10 - 24: Working with dynamic parameters and extractions. When you configure a dynamic parameter, you also configure the extraction properties f
Working with Parameters, page 10 - 25: To configure a dynamic content value parameter. 1. Create a n
Introducing the Application Security Manager, page 1 - 3: components. For detailed information on
Chapter 10, page 10 - 26: Understanding the extracted items configuration. When you create an extraction for a dynamic parameter, one aspect of the extraction is
Working with Parameters, page 10 - 27: Viewing the list of extractions. You can review all of the pa
Chapter 10, page 10 - 28: 3. In the Dynamic Parameter Properties area, for the Extract Parameter from URL setting, select the protocol to use and type the URL
Working with Parameters, page 10 - 29: Working with the parameter character sets. Each security poli
Chapter 10, page 10 - 30: Viewing and modifying the default parameter name character set. The parameter name character set controls the default characters and me
Working with Parameters, page 10 - 31: Configuring sensitive parameters. The Application Security Ma
Chapter 10, page 10 - 32: Configuring navigation parameters. If you want the security policy to differentiate between pages in the web application that are gener
Chapter 11: Working with Attack Signatures. • Overview of attack signatures • Types of attacks that attack signatures detect • Managing the attack signatures pool •
Working with Attack Signatures, page 11 - 1: Overview of attack signatures. Attack signatures are ru
Chapter 1, page 1 - 4: Finding help and technical support resources. You can find additional technical documentation and product information using the following
Chapter 11, page 11 - 2: Overview of attack signature sets. An attack signature set is a group of individual attack signatures. Rather than applying individual a
Working with Attack Signatures, page 11 - 3: Types of attacks that attack signatures detect. Table 1
Chapter 11, page 11 - 4: HTTP request smuggling attack: HTTP request smuggling sends a specially formatted HTTP request that might be parsed differently by the
Working with Attack Signatures, page 11 - 5: Session hijacking: Web servers often send session toke
Chapter 11, page 11 - 6: Managing the attack signatures pool. The attack signatures pool contains all of the attack signatures that are part of the configuration
Working with Attack Signatures, page 11 - 7: To view the attack signatures pool with a built-in fi
Chapter 11, page 11 - 8: Viewing attack signature details. When you click the name of each attack signature, the system displays the properties listed in Table 1
Working with Attack Signatures, page 11 - 9: To view attack signature details. 1. In the navigation
Chapter 11, page 11 - 10: Updating the system-supplied attack signatures. You can update the system-supplied attack signatures on a regular basis to ensure that
Working with Attack Signatures, page 11 - 11: Configuring automatic updates for system-supplied at
Chapter 2: Performing Essential Configuration Tasks. • Overview of the essential configuration tasks • Defining a local traffic pool • Defining an application securi
Chapter 11, page 11 - 12: 5. Click Save Settings to save your changes. 6. Click the Update Signatures button to start the update process. Viewing information
Working with Attack Signatures, page 11 - 13: Working with attack signature sets. Rather than assign
Chapter 11, page 11 - 14: Creating an attack signature set. You can create signature sets in two ways: by using a filter or by manually selecting the signatures
Working with Attack Signatures, page 11 - 15: Manual signature sets are composed of attack signatu
Chapter 11, page 11 - 16: Editing user-defined attack signature sets. You can edit user-defined attack signature sets to add or remove signatures, or change the
Working with Attack Signatures, page 11 - 17: Assigning attack signature sets to a security policy
Chapter 11, page 11 - 18: Viewing all attack signatures for a security policy. When you assign an attack signature set to a security policy, the system builds a
Working with Attack Signatures, page 11 - 19: To view all attack signatures for a security policy. 1
Chapter 11, page 11 - 20: Modifying the blocking policy for an attack signature set. The blocking policy defines how the Security Enforcer processes requests tha
Working with Attack Signatures, page 11 - 21: Understanding attack signature staging. When you first
Chapter 11, page 11 - 22: To view signatures in staging that generate learning suggestions. 1. In the navigation pane, expand Application Security and click Manu
Working with Attack Signatures, page 11 - 23: Figure 11.3 Attack signatures in staging. Enabling or
Chapter 11, page 11 - 24: To disable or enable an attack signature in staging. 1. In the navigation pane, expand Application Security and click Manual Policy Bui
Working with Attack Signatures, page 11 - 25: Managing user-defined attack signatures. User-defined
Chapter 11, page 11 - 26: Creating a user-defined attack signature. You can create a user-defined attack signature rule using the syntax that is explained in App
Working with Attack Signatures, page 11 - 27: Modifying a user-defined attack signature. You may nee
Chapter 11, page 11 - 28: Importing user-defined attack signatures. If you have a large number of user-defined attack signatures that you want to add to the conf
Working with Attack Signatures, page 11 - 29: 3. In the Choose File box, type the path to the XML
Chapter 12: Protecting XML Applications. • Getting started with XML security • Configuring security for SOAP web services • Implementing web services security • Conf
Performing Essential Configuration Tasks, page 2 - 1: Overview of the essential configuration task
Protecting XML Applications, page 12 - 1: Getting started with XML security. Because XML is used as
Chapter 12, page 12 - 2: How you proceed with configuring XML security depends on the type of application you want to protect: • For SOAP web services: refer to
Protecting XML Applications, page 12 - 3: Configuring security for SOAP web services. To configure s
Chapter 12, page 12 - 4: 5. For the Configuration Files setting, if your web service uses a WSDL or XML schema file, perform steps a and b. Otherwise, skip to
Protecting XML Applications, page 12 - 5: 11. To mask sensitive XML data, click Sensitive Data Con
Chapter 12, page 12 - 6: Uploading certificates. To use web services security for encryption, decryption, and digital signature signing and verification, you mus
Protecting XML Applications, page 12 - 7: Enabling encryption, decryption, signing, and verificati
Chapter 12, page 12 - 8: To configure web services security credentials. On the XML Profile Properties screen, in the Credentials area of the Web Services Securi
Protecting XML Applications, page 12 - 9: 3. Check the Enforce And Verify Defined Elements box to
Chapter 2, page 2 - 2: environment, refer to the BIG-IP® Application Security Manager™: Getting Started Guide, which is available in the Ask F5℠ Knowledge Ba
Chapter 12, page 12 - 10: • none: Insert, into the existing or created security header, the cryptography (for example, the algorithm, cipher, and keys) that de
Protecting XML Applications, page 12 - 11: 3. Check Enforce Timestamp In Request to check that the
Chapter 12, page 12 - 12: You have finished configuring web services security on the security policy using the default defense configuration settings. If you w
Protecting XML Applications, page 12 - 13: Table 12.2 shows examples of XPath queries. Managing SOA
Chapter 12, page 12 - 14: 5. Below the Defense Configuration area, click the Update button. The screen refreshes, and displays the XML Profiles screen. 6. To put
Protecting XML Applications, page 12 - 15: 5. If you selected a referenced file type, in the Impor
Chapter 12, page 12 - 16: Fine-tuning XML defense configuration. The defense configuration provides formatting and attack pattern checks for the XML data. The de
Protecting XML Applications, page 12 - 17: 7. Adjust the defense configuration settings as require
Chapter 12, page 12 - 18: Allow Processing Instructions: Specifies, when enabled, that the system allows processing instructions in the XML request. If you uploa
Protecting XML Applications, page 12 - 19: Masking sensitive XML data. You can mask sensitive XML da
Performing Essential Configuration Tasks, page 2 - 3: Defining an application security class. The se
Chapter 12, page 12 - 20: Associating an XML profile with a URL. You can associate XML profiles with explicit URLs and wildcard URLs. The parameter or URL that t
Protecting XML Applications, page 12 - 21: 6. For the Check XML Content-Type Headers setting, spec
Chapter 12, page 12 - 22: Associating an XML profile with a parameter. You can associate an XML profile with a parameter whose value is XML-encoded. When the sys
Protecting XML Applications, page 12 - 23: Modifying XML security profiles. Web applications change
Chapter 12, page 12 - 24: Deleting an XML profile. If you no longer need a specific XML profile, you can remove it entirely from the configuration. F5 Networks r
Chapter 13: Refining the Security Policy Using Learning. • Overview of the learning process • Working with learning suggestions • Accepting or clearing learning sug
Refining the Security Policy Using Learning, page 13 - 1: Overview of the learning process. You can
Chapter 13, page 13 - 2: Working with learning suggestions. The Learning Manager generates learning suggestions when the Learn flag is enabled for the violations
Refining the Security Policy Using Learning, page 13 - 3: Note: The Traffic Learning screen displays
Chapter 2, page 2 - 4: Defining a local traffic virtual server. The next essential configuration task is to define a virtual server on the local area network. Th
Chapter 13, page 13 - 4: To view all of the requests that triggered a specific learning suggestion. 1. In the navigation pane, expand Application Security and cl
Refining the Security Policy Using Learning, page 13 - 5: To view a request that triggered a learn
Chapter 13, page 13 - 6: Figure 13.2 Example of the View Full Request Information screen. Viewing all requests for a specific web application. If you want to revi
Refining the Security Policy Using Learning, page 13 - 7: 5. Click the Go button. The screen refres
Chapter 13, page 13 - 8: 3. Click a violation hyperlink. The learning suggestions properties screen opens. Note that the screens vary depending on the violation
Refining the Security Policy Using Learning, page 13 - 9: Working with entities in staging or with
Chapter 13, page 13 - 10: Figure 13.4 File type learning suggestions. When you look at the learning suggestions, you can clear them or go back to the staging-ti
Refining the Security Policy Using Learning, page 13 - 11: If the Policy Builder is active, and th
Chapter 13, page 13 - 12: Reviewing staging and tightening status. If a file type, URL, parameter, or cookie is in staging or has tightening enabled, the system
Refining the Security Policy Using Learning, page 13 - 13: Adding new entities to the security pol
Performing Essential Configuration Tasks, page 2 - 5: Running the Deployment wizard. After you have
Chapter 13, page 13 - 14: To enforce all file types, URLs, parameters, and cookies that are ready to be enforced. 1. In the navigation pane, expand Application S
Refining the Security Policy Using Learning, page 13 - 15: Processing learning suggestions that re
Chapter 13, page 13 - 16: • Web scraping detected • Web Services Security failure • XML data does not comply with format settings • XML data does not comply with
Refining the Security Policy Using Learning, page 13 - 17: To disable a violation. 1. In the navigat
Chapter 13, page 13 - 18: Viewing ignored entities. When you reject a learning suggestion for a URL, a file type, or a flow, the Application Security Manager add
Refining the Security Policy Using Learning, page 13 - 19: Adding and deleting ignored IP addresse
14Configuring General System Options• Overview of general system options•Configuring interface and system preferences•Configuring external anti-virus
Configuring General System OptionsConfiguration Guide for BIG-IP® Application Security Manager™14 - 1Overview of general system optionsThe Application
Configuration Guide for BIG-IP®Application Security Manager™iProduct VersionThis manual applies to product version 10.2 of the BIG-IP®Application Secu
Chapter 22 - 6Maintaining and monitoring the security policyThe Application Security Manager provides many reporting and monitoring tools, so that you
Chapter 1414 - 2Configuring interface and system preferencesYou can change the default user interface and system preferences for the Application Secur
Configuring General System OptionsConfiguration Guide for BIG-IP® Application Security Manager™14 - 3Configuring external anti-virus protectionYou can
Chapter 1414 - 4b) For the Virus Detected violation (near the bottom of the screen), enable either or both of the Alarm and Block check boxes. For det
Configuring General System OptionsConfiguration Guide for BIG-IP® Application Security Manager™14 - 56. If you selected Web Application Security Edito
Chapter 1414 - 63. For the Configuration setting, select Advanced.4. In the Configuration area, for the Profile Name setting, type a unique name for t
Configuring General System OptionsConfiguration Guide for BIG-IP® Application Security Manager™14 - 78. For the Server IP setting, type the IP address
Chapter 1414 - 8Configuring a logging profile for a reporting serverIf your network uses a third party reporting server (for example, Splunk), you can
Configuring General System OptionsConfiguration Guide for BIG-IP® Application Security Manager™14 - 913. In the Storage Filter area, make any changes
Chapter 1414 - 1010. To ensure that the system logs requests for the web application, even when the logging utility is competing for system resources,
Configuring General System OptionsConfiguration Guide for BIG-IP® Application Security Manager™14 - 116. For the Protocols setting, select whether log
Chapter 3: Working with Application Security Classes
• What is an application security class?
• Understanding the traffic classifiers
• Configuring actions for the
Chapter 1414 - 12Viewing the application security logsLocally stored system logs for the Application Security Manager are accessible from the Configur
Configuring General System OptionsConfiguration Guide for BIG-IP® Application Security Manager™14 - 13Validating regular expressionsThe RegExp Validat
Chapter 1414 - 14Configuring an SMTP mail serverIf you want the system to send email to users, such as when configuring the system to send reports usi
Chapter 15: Displaying Reports
• Overview of the reporting tools
• Displaying an application security overview
• Reviewing details about requests
• Viewing charts
• S
Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 1Overview of the reporting toolsYou can use several reporting tool
Chapter 1515 - 2Displaying an application security overviewYou can display an overview where you can quickly see what is happening on the Application
Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 3 Figure 15.1 Application Security overview statistics
Chapter 1515 - 4Reviewing details about requestsFor each web application, the Application Security Manager logs requests according to the logging prof
Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 5When viewing details about an illegal request, if you decide that
Chapter 1515 - 6Figure 15.3 Request detailsFigure 15.4 Details about Illegal header length violation
Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 7Exporting requestsYou can export selected requests in PDF or bina
Chapter 1515 - 8Viewing chartsYou can display numerous graphical charts that illustrate the distribution of security alerts. You can filter the data b
Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 9You can use a filter to view the security incidents which are of
Chapter 1515 - 10Interpreting graphical chartsYou can monitor graphical charts to determine how well your security policies are protecting your web ap
Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 11Scheduling and sending graphical charts using emailYou can confi
Chapter 1515 - 125. In the Send To (E-Mails) box, type each email address where you want the system to send a copy of the chart, then click Add.6. Fro
Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 13Viewing Brute Force Attack reportsThe Brute Force Attack report
Chapter 1515 - 14To release IP addresses blocked by the IP Enforcer1. In the navigation pane, expand Application Security, point to Reporting, Anomaly
Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 15Viewing PCI Compliance reportsThe PCI Compliance report displays
Working with Application Security ClassesConfiguration Guide for BIG-IP® Application Security Manager™3 - 1What is an application security class?An ap
Chapter 1515 - 16To view a PCI Compliance report1. In the navigation pane, expand Application Security and click Reporting.The Requests screen opens.2
Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 17Filtering reportsYou can use a filter to view the information of
Chapter 1515 - 18Monitoring CPU usageYou can examine the amount of CPU resources that the Application Security Manager is using, and also check overal
Appendix A: Security Policy Violations
• Introducing security policy violations
• Viewing descriptions of violations
• RFC violations
• Access violations
• Length viol
Security Policy ViolationsConfiguration Guide for BIG-IP® Application Security Manager™A - 1Introducing security policy violationsSecurity policy viol
Appendix AA - 2Figure A.1 Violations on Blocking Policy screenFigure A.2 Example violation descriptionMany violations are associated with an attack
Security Policy Violations, page A - 3
RFC violations
The Application Security Manager™ reports R
Appendix A, page A - 4
Bad unescape
The system detects illegal HEX encoding and reports unescaping errors (such as %RR).
Detection evasion
HTTP protocol complian
Security Policy ViolationsConfiguration Guide for BIG-IP® Application Security Manager™A - 5Access violationsAccess violations occur when an HTTP requ
Chapter 33 - 2Creating a basic application security classA basic application security class simply routes all HTTP traffic through the Application Sec
Appendix AA - 6Length violationsLength violations occur when an HTTP request contains an entity that exceeds the length setting that is defined in the
Security Policy ViolationsConfiguration Guide for BIG-IP® Application Security Manager™A - 7Illegal request length The incoming request length exceeds
Appendix AA - 8Input violationsInput violations occur when an HTTP request includes a parameter or header that contains data or information that does
Security Policy ViolationsConfiguration Guide for BIG-IP® Application Security Manager™A - 9Illegal parameter data type The incoming request contains
Appendix AA - 10NoteThe Application Security Manager does not distinguish between dynamic parameters that are defined incorrectly, and dynamic paramet
Security Policy ViolationsConfiguration Guide for BIG-IP® Application Security Manager™A - 11Cookie violationsCookie violations occur when the cookie
Appendix AA - 12Negative security violationsNegative security violations occur when an incoming request contains a string pattern that matches an atta
Security Policy ViolationsConfiguration Guide for BIG-IP® Application Security Manager™A - 13Determining the type of attack detected by an attack sign
Appendix B: Working with the Application-Ready Security Policies
• Understanding application-ready security policies
• Using the Rapid Deployment security policy
Working with Application Security ClassesConfiguration Guide for BIG-IP® Application Security Manager™3 - 3Understanding the traffic classifiersYou ca
Working with the Application-Ready Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™B - 1Understanding application-ready
Appendix BB - 2Using the Rapid Deployment security policyThe Rapid Deployment security policy is configured with a general set of security checks to m
Working with the Application-Ready Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™B - 3Using the ActiveSync security po
Appendix BB - 4Using the OWA Exchange 2003 security policyThe OWA Exchange 2003 application-ready security policies protect servers running Microsoft®
Working with the Application-Ready Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™B - 5Using the OWA Exchange 2007 secu
Appendix BB - 6Using the SharePoint 2003 security policyThe SharePoint 2003 application-ready security policies protect servers running Microsoft® Sha
Working with the Application-Ready Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™B - 7Using the SharePoint 2007 securi
Appendix BB - 8Using the Lotus Domino 6.5 security policyThe Lotus Domino 6.5 application-ready security policies protect servers running Lotus® Domin
Working with the Application-Ready Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™B - 9Using the Oracle Applications 10
Chapter 33 - 4To configure an application security class using the Hosts traffic classifier1. In the navigation pane, expand Application Security and
Appendix BB - 10Using the Oracle Applications 11i security policyThe Oracle Applications 11i application-ready security policies protect servers runni
Working with the Application-Ready Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™B - 11Using the PeopleSoft Portal 9 s
Appendix BB - 12Using the SAP NetWeaver security policyThe SAP NetWeaver application-ready security policies protect servers running the SAP NetWeaver
Working with the Application-Ready Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™B - 13Using the WhiteHat Sentinel Bas
Appendix BB - 14Managing large file uploads when using the application-ready security policiesThe web applications for which you can use one of the ap
Appendix C: Syntax for Creating User-Defined Attack Signatures
• Writing rules for user-defined attack signatures
• Overview of rule option scopes
• Syntax for atta
Syntax for Creating User-Defined Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™C - 1Writing rules for user-defined att
Appendix C, page C - 2
Using the pcre rule option
The pcre rule option performs a regular expression match on different parts of the input, and is based on the
Syntax for Creating User-Defined Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™C - 3Overview of rule option scopes Sco
Working with Application Security ClassesConfiguration Guide for BIG-IP® Application Security Manager™3 - 5Classifying traffic using URI pathsYou can
Appendix C, page C - 4
A note about normalization
For the URI and parameter scopes, the system always applies a normalization process before applying the rule
Syntax for Creating User-Defined Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™C - 5Syntax for attack signature rulesT
Appendix C, page C - 6
Using the headercontent rule option
The headercontent rule option matches when the specified string is found anywhere in the HTTP reque
Syntax for Creating User-Defined Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™C - 7at http://pcre.org. For details on
Appendix C, page C - 8
Using the reference rule option
Use the reference rule option in a rule to provide an external reference or link to information regardin
Syntax for Creating User-Defined Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™C - 9Using the offset modifierUse the o
Appendix C, page C - 10
For example, the content rule in Figure C.9 matches these requests:
12345678901234567890
GET /67ABC ...
GET /6ABC ...
but not these reque
Syntax for Creating User-Defined Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™C - 11specified keyword, while the offs
Appendix C, page C - 12
but not these requests:
xxxxxxxx12345678901234567890
GET /ABC12345678XYZ ...
GET /ABC123456789XYZ ...
Tip
The line of numbers above the re
Syntax for Creating User-Defined Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™C - 13SQL-Injection, and Command Execut
Chapter 33 - 6Classifying traffic using headersYou can use the Headers traffic classifier to specify one or more headers whose associated requests you
Appendix C, page C - 14
Note that for the pcre rule option, you use the \x escape sequence, and not the pipe symbols, to escape characters. See the PCRE docum
Syntax for Creating User-Defined Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™C - 15Rule combination exampleIt is imp
Appendix D: Internal Parameters for Advanced Configuration
• Overview of internal parameters
• Viewing internal parameters
• Restoring the default settings for inte
Internal Parameters for Advanced ConfigurationConfiguration Guide for BIG-IP® Application Security Manager™D - 1Overview of internal parametersSeveral
Appendix D, page D - 2
ecard_regexp_email
^\s*([\w.-]+)@([\w.-]+)\s*$ (regular expression)
Specifies the regular expression that defines a valid pattern for pa
Internal Parameters for Advanced ConfigurationConfiguration Guide for BIG-IP® Application Security Manager™D - 3ProtocolIndication -1 Specifies how th
Appendix DD - 4Viewing internal parametersYou can review the settings for the internal parameters on the Advanced Configuration screen.To view interna
Internal Parameters for Advanced ConfigurationConfiguration Guide for BIG-IP® Application Security Manager™D - 5Restoring the default settings for int
Working with Application Security ClassesConfiguration Guide for BIG-IP® Application Security Manager™3 - 7Classifying traffic using cookiesYou can us
Appendix E: Upgrading HTTP Security Profiles to Security Policies
• Overview of the Migration wizard
• Performing the migration
Upgrading HTTP Security Profiles to Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™E - 1Overview of the Migration wizar
Appendix EE - 2Performing the migrationThe Migration wizard guides you through the steps necessary to convert HTTP security profiles in Protocol Secur
Appendix F: Running Application Security Manager on the VIPRION Chassis
• Overview of running Application Security Manager on the VIPRION chassis
• Viewing VIPRION
Running Application Security Manager on the VIPRION ChassisConfiguration Guide for BIG-IP® Application Security Manager™F - 1Overview of running Appli
Appendix FF - 2Viewing cluster statisticsYou can view statistics for all active blades running on the VIPRION chassis.To view statistics for all blade
Running Application Security Manager on the VIPRION ChassisConfiguration Guide for BIG-IP® Application Security Manager™F - 3To view cluster member sy
iiCanadian Regulatory ComplianceThis Class A digital apparatus complies with Canadian ICES-003.Standards ComplianceThis product conforms to the IEC, E
Chapter 33 - 8Configuring actions for the application security classThe actions of the application security class designate what the system does with
Glossary
GlossaryConfiguration Guide for BIG-IP® Application Security Manager™Glossary - 1access violationAn access violation is a security policy violation th
GlossaryGlossary - 2blocking modeA security policy is in blocking mode when the enforcement mode is blocking, and one or more Block flags are enabled.
GlossaryConfiguration Guide for BIG-IP® Application Security Manager™Glossary - 3cookie violationA cookie violation is a security policy violation tha
GlossaryGlossary - 4dynamic valueSee dynamic parameter. enforcement modeThe enforcement mode determines what actions the Security Enforcer takes when
GlossaryConfiguration Guide for BIG-IP® Application Security Manager™Glossary - 5headersSee HTTP headers.heuristicsHeuristics are the data collected a
GlossaryGlossary - 6learning suggestionWhen a request triggers a violation, and the Learn flag is enabled for that violation, the Learning Manager gen
GlossaryConfiguration Guide for BIG-IP® Application Security Manager™Glossary - 7parameter and value pairA parameter and value pair represents some el
Working with Application Security ClassesConfiguration Guide for BIG-IP® Application Security Manager™3 - 9Rewriting a URIYou can use the Rewrite URI
GlossaryGlossary - 8response scrubbingThe process of removing sensitive user information-such as credit card numbers, or social security numbers (U.S.
GlossaryConfiguration Guide for BIG-IP® Application Security Manager™Glossary - 9session IDA session ID is a string of data that identifies a user to
GlossaryGlossary - 10system-supplied attack signaturesSystem-supplied attack signatures are shipped as part of the Application Security Manager softwa
Glossary, page Glossary - 11
URL parameter
A URL parameter is a parameter that is defined and val
Index
IndexConfiguration Guide for BIG-IP® Application Security Manager™Index - 1AAbout tab 1-3abuse of functionality attack 11-3Accept as Legitimate (L
IndexIndex - 2attack signature updatesand network access 11-10and update failures 11-10receiving email notification 11-12viewing update activity
IndexConfiguration Guide for BIG-IP® Application Security Manager™Index - 3buffer overflow attacksand length violations A-6description 11-3prevent
IndexIndex - 4denial-of-service attacksdefined 7-2, 11-3mitigating 7-3recognizing 7-2deployment scenarios 2-5Deployment wizardabout 2-5and a
IndexConfiguration Guide for BIG-IP® Application Security Manager™Index - 5Failure to convert character violation A-8false positivesand accuracy 1
IndexIndex - 6Illegal meta character in header violation A-8Illegal meta character in parameter value violation A-8Illegal meta character in param
IndexConfiguration Guide for BIG-IP® Application Security Manager™Index - 7Lotus Domino 6.5 security policy B-8MMain tab, about 1-3Malformed XML d
IndexIndex - 8parametersallowing empty value 10-20allowing repeated occurrences of flow 10-9allowing repeated occurrences of global 10-3allowing
IndexConfiguration Guide for BIG-IP® Application Security Manager™Index - 9requestsclearing from the Requests List 15-7configuring default number di
IndexIndex - 10restoring 8-7restoring archived version 8-8setting active 4-4, 6-1, 6-12updating 13-2using application-ready security policies
IndexConfiguration Guide for BIG-IP® Application Security Manager™Index - 11support ID numbersand blocking mode 6-3for security policy violations
IndexIndex - 12user rolesabout 14-4user-defined attack signaturesabout 11-1and failed attack signature updates 11-10creating 11-26, C-1deletin
IndexConfiguration Guide for BIG-IP® Application Security Manager™Index - 13and logging profiles 14-5and negative security violations A-12and sens
Chapter 4: Working with Web Applications
• What is a web application?
• Configuring the properties of a web application
• Working with web application groups
• Work
IndexIndex - 14XML securityconfiguring for web services 12-3configuring for XML content 12-14encrypting SOAP messages 12-5overview 12-1verifyi
Working with Web ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™4 - 1What is a web application?In Application Security Manag
Chapter 44 - 2Figure 4.1 shows an example of a web application list.Figure 4.1 Sample list of web applicationsTo view the list of web applications1.
Working with Web ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™4 - 3Configuring the properties of a web applicationIn the A
Chapter 44 - 4Configuring the active security policyThe active security policy is the security policy that the Application Security Manager uses to va
Working with Web ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™4 - 5If none of these profiles meets your needs, refer to Co
Configuration Guide for BIG-IP® Application Security Manager™iiiThis product includes software developed by the OpenSSL Project for use in the OpenSSL
Chapter 44 - 6To set a web application back to a new state1. In the navigation pane, expand Application Security and click Web Applications.The Web Ap
Working with Web ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™4 - 7Creating a web application groupWhen you create a web a
Chapter 44 - 8Working with a disabled web applicationThe Application Security Manager automatically disables web applications when you:• Disable the A
Chapter 5: Building a Security Policy Automatically
• Overview of automatic policy building
• Configuring automatic policy building
• Viewing the automatic policy
Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 1Overview of automatic policy buildingApplica
Chapter 55 - 2Configuring automatic policy buildingApplication Security Manager completely configures the automated policy building settings according
Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 34. For Policy Type, select the type of secur
Chapter 55 - 4Configuring advanced automatic policy building settingsIf you want to review the configuration details of the Policy Builder, you can us
Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 5To configure advanced policy building settin
Chapter 55 - 6Changing the policy typeThe policy type determines which security policy elements are included in the security policy. When you create a
Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 7To change the policy type1. In the navigatio
Chapter 55 - 8URLs Configures the security policy to add allowed URLs, based on legitimate traffic.XURLs–Meta Characters Configures the security polic
Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 9Note that the list in Table 5.1 includes the
Chapter 55 - 10Figure 5.3 Security policy elements (Fundamental policy type selected)You can change the selected policy elements, in which case, the
Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 11Modifying automatic policy building options
Chapter 55 - 12Figure 5.4 Options area on the Automatic Policy Building screenTo modify automatic policy building options1. In the navigation pane, e
Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 134. In the Options area, for Parameter Level
Chapter 55 - 14Tip: Normally, the Policy Builder learns only from legitimate traffic, so you should add response codes that are returned under normal
Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 15Modifying automatic policy building rulesDu
Chapter 55 - 16Figure 5.5 shows the Rules area of the Automatic Policy Building Configuration screen.Figure 5.5 Rules area of the Automatic Policy Bu
Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 17Advanced users can view and change the cond
Chapter 55 - 187. For the Track Site Changes rule:a) The Enable Track Site Changes check box is selected by default. This box must remain checked if y
Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 19Modifying the list of trusted IP addressesY
Chapter 55 - 204. In the Trusted IP Addresses area, for IP Addresses, specify which IP addresses to consider safe: • To trust all IP addresses (for in
Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 21Viewing the automatic policy building statu
Chapter 55 - 22• In the learning details for Attack Signatures, you can see the list of signatures that the system detected, and which may be false po
Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 23Stopping and starting automatic policy buil
Chapter 55 - 24Viewing automatic policy building logsThe Application Security Manager creates a log file, called the policy log, for every security po
Chapter 6: Manually Configuring Security Policies
• Understanding security policies
• Configuring security policy properties
• Setting the active security policy
Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 1Understanding security policiesThe core of the
Chapter 66 - 2Configuring the security policy name and descriptionEach security policy that you configure has a unique name, which you assign as part
Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 3Configuring the enforcement modeSecurity polic
Chapter 66 - 4To configure the enforcement mode1. In the navigation pane, expand Application Security and click Policy.The Policy Properties screen op
Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 5Configuring the staging-tightening periodFor e
Chapter 66 - 6Enabling or disabling staging for attack signaturesFor each security policy, you can enable or disable staging for attack signatures on
Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 74. For the Maximum HTTP Header Length setting,
Chapter 66 - 8Configuring the allowed response status codesBy default, the Application Security Manager accepts all response codes from 1xx to 3xx as
Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 9responses, based on the pattern that you confi
Table of ContentsConfiguration Guide for BIG-IP® Application Security Manager™vii1Introducing the Application Security ManagerOverview of the BIG-IP A
Chapter 6, page 6 - 10
Activating iRule events
An iRule is a script that lets you customize how you manage traffic on the BIG-IP system. You can write iRules™
Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 11Configuring trusted XFF headersYou can config
Chapter 66 - 12Setting the active security policy for a web applicationAt any given time, the Application Security Manager enforces only one security
Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 13Determining when to set the active security p
Chapter 66 - 14Validating HTTP protocol complianceThe first security checks that Application Security Manager performs are those for RFC compliance wi
Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 15Configuring HTTP protocol compliance validati
Chapter 66 - 16Adding file typesUsing the Allowed File Types screen, you can specify the file types that are allowed (or disallowed) in the web applic
Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 17Creating allowed file typesFor allowed file t
Chapter 66 - 18To manually create an allowed file type1. In the navigation pane, expand Application Security and click File Types.The Allowed File Typ
Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 19Modifying file typesYou can modify any of the