United Security Products 10-4 Specifications

Configuration Guide forBIG-IP® Application Security Manager™version 10.2MAN-0283-02

Table of Contentsviii5Building a Security Policy AutomaticallyOverview of automatic policy building ...

Chapter 66 - 20Disallowing specific file typesFor some web applications, you may want to deny requests for certain file types. In this case, you can c

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 21Configuring URLsYou can add three types of UR

Chapter 66 - 22Perform Tightening Specifies, when checked, that tightening is enabled. As a result:-When Policy Builder runs, it adds explicit URLs th

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 23Overview of URL parameters and extractionsURL

Chapter 66 - 24Creating an explicit URLYou can build the list of URLs in the security policy in these ways:• You can run the Policy Builder. See Chapt

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 25Removing a URLWeb applications can change ove

Chapter 66 - 26Identifying referrer URLs In lists of URLs, non-referrer URLs appear in blue and referrer URLs appear in gold. Referrer URLs are web pa

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 276. Click the Create button.7. To put the secu

Chapter 66 - 28Configuring AMF security checksYou configure AMF security on a per-URL basis. You can configure AMF security for both wildcard URLs and

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 29To view or modify the character set for URLs1

Table of ContentsConfiguration Guide for BIG-IP® Application Security Manager™ixConfiguring a dynamic flow from a URL ...

Chapter 66 - 30Configuring flowsThe application flow defines the access path leading from one URL to another URL within the web application. For examp

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 31Adding a flow to a URLYou can manually create

Chapter 66 - 32Configuring a dynamic flow from a URLSome web applications contain URLs with dynamic names, for example, the links to a server location

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 33Configuring login URLs to prevent forceful br

Chapter 66 - 34To configure login page settings1. In the navigation pane, expand Application Security, point to Flows, point to Login Pages, and click

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 35Masking sensitive dataDepending on the web ap

Chapter 66 - 366. To specify patterns in the data not to be considered sensitive:a) Check the Enable Exception Patterns box.b) In the New Pattern box,

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 374. From the Cookie Name Type list, select whe

Chapter 66 - 38Deleting an allowed modified cookieYou can delete an allowed modified cookies, as required by changes in the web application.To delete

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 39Configuring mandatory headersIf your applicat

Table of ContentsxSorting wildcard file types ...9-8C

Chapter 66 - 40Configuring allowed methodsAll security policies accept standard HTTP methods by default. The default allowed methods are GET, HEAD, an

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 41Configuring security policy blockingYou can c

Chapter 66 - 42Click the information icon ( ) by a violation, or refer to Appendix A, Security Policy Violations, for descriptions of the violations.

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 43Configuring the blocking actionsOn the Blocki

Chapter 66 - 44Configuring blocking properties for evasion techniquesFor every HTTP request, Application Security Manager examines the request for eva

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 45Configuring blocking properties for web servi

Chapter 66 - 46Configuring the response pagesThe Application Security Manager has a default blocking response page that it returns to the client when

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 475. If you selected the Redirect URL option in

Chapter 66 - 48Configuring CSRF protectionCross-site request forgery (CSRF) is an attack that forces a user to execute unwanted actions on a web appli

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 495. For URLs List, select the option that indi

Table of ContentsConfiguration Guide for BIG-IP® Application Security Manager™xi11Working with Attack SignaturesOverview of attack signatures ...

Chapter 66 - 50

7Configuring Anomaly Detection• What is anomaly detection?• Preventing DoS attacks for Layer 7 traffic• Mitigating brute force attacks• Configuring IP

Configuring Anomaly DetectionConfiguration Guide for BIG-IP® Application Security Manager™7 - 1What is anomaly detection?Anomaly detection is a way of

Chapter 77 - 2Preventing DoS attacks for Layer 7 trafficA denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable

Configuring Anomaly DetectionConfiguration Guide for BIG-IP® Application Security Manager™7 - 3If you choose latency-based, DoS attacks are detected b

Chapter 77 - 44. For the Detection Mode, select the way you want the system to look for DoS attacks:• TPS-basedDetermines DoS attacks from the client

Configuring Anomaly DetectionConfiguration Guide for BIG-IP® Application Security Manager™7 - 5to the average rate prior to the attack, or lower than

Chapter 77 - 69. For the Prevention Duration setting, specify the length of time for which the system mitigates DoS attacks:• Unlimited: Select if you

Configuring Anomaly DetectionConfiguration Guide for BIG-IP® Application Security Manager™7 - 7The system considers it to be a brute force attack if t

Table of Contentsxii13Refining the Security Policy Using LearningOverview of the learning process ...

Chapter 77 - 84. For the Password Parameter Name setting, type the password parameter written in the code of the HTML form. When the system detects th

Configuring Anomaly DetectionConfiguration Guide for BIG-IP® Application Security Manager™7 - 9To configure dynamic brute force protection, use the se

Chapter 77 - 10• Source IP-Based Rate LimitingCheck to drop requests from suspicious IP addresses. Application Security Manager drops connections to l

Configuring Anomaly DetectionConfiguration Guide for BIG-IP® Application Security Manager™7 - 11To configure access validationContinue configuring the

Chapter 77 - 12Configuring IP address enforcementYou can configure the IP Enforcer to perform enforcement based on IP address. When the IP Enforcer is

Configuring Anomaly DetectionConfiguration Guide for BIG-IP® Application Security Manager™7 - 137. To put the security policy changes into effect imme

Chapter 77 - 14Preventing web scraping detection on certain addressesIf your environment uses legitimate automated tests, you can create a white list

8Maintaining Security Policies • Maintaining a security policy• Reviewing a log of all security policy changes• Displaying security policies in a tree

Maintaining Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™8 - 1Maintaining a security policySecurity policies can chan

Table of ContentsConfiguration Guide for BIG-IP® Application Security Manager™xiiiViewing PCI Compliance reports ...

Chapter 88 - 2Editing an existing security policyYou can access a security policy for editing from either the Policies List screen, or from the editin

Maintaining Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™8 - 3Copying a security policyYou can copy a security policy

Chapter 88 - 4To export a security policy1. In the navigation pane, expand Application Security and click Policies List.The Policies List screen opens

Maintaining Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™8 - 5Merging two security policiesYou can use the policy mer

Chapter 88 - 67. Click the Download Full Report button to open or save the entire Merge Report.8. Click OK.The screen refreshes, and the merged securi

Maintaining Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™8 - 7Restoring a deleted security policyIf you delete a secu

Chapter 88 - 8Viewing and restoring an archived security policyThe Application Security Manager keeps an archive of security policies that have been s

Maintaining Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™8 - 9Reviewing a log of all security policy changesThe Appli

Chapter 88 - 10Displaying security policies in a tree viewYou can display a tree view of the security policy to quickly view its contents. The tree vi

Maintaining Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™8 - 11Using the security policy audit toolsApplication Secur

Table of ContentsxivUsing the WhiteHat Sentinel Baseline security policy ... B-13Overview of the

Chapter 88 - 12

9Working with Wildcard Entities• Overview of wildcard entities• Configuring wildcard file types• Configuring wildcard URLs• Configuring wildcard param

Working with Wildcard EntitiesConfiguration Guide for BIG-IP® Application Security Manager™9 - 1Overview of wildcard entitiesWildcard entities are web

Chapter 99 - 2Understanding staging and tightening for wildcard entitiesWhen you create a wildcard entity, you have the option to enable staging and t

Working with Wildcard EntitiesConfiguration Guide for BIG-IP® Application Security Manager™9 - 3Understanding stagingYou can perform staging on wildca

Chapter 99 - 45. Click OK.The screen refreshes; the system performs the following on selected entities:• Removes from staging entities whose staging p

Working with Wildcard EntitiesConfiguration Guide for BIG-IP® Application Security Manager™9 - 5Security Enforcer applies any applicable security chec

Chapter 99 - 66. Modify the length settings as required.7. If you want the system to parse responses in addition to parsing requests, check the Check

Working with Wildcard EntitiesConfiguration Guide for BIG-IP® Application Security Manager™9 - 7Deleting wildcard file typesYou can delete wildcard fi

1Introducing the Application Security Manager•Overview of the BIG-IP Application Security Manager• Getting started with the user interface• Finding he

Chapter 99 - 8Sorting wildcard file typesWhen you have configured more than one wildcard file type, you can set the enforcement order, which is the se

Working with Wildcard EntitiesConfiguration Guide for BIG-IP® Application Security Manager™9 - 9Configuring wildcard URLsURLs represent the pages and

Chapter 99 - 107. If you want the system to validate XML data in requests to this URL based on the settings configured in an XML profile, check the Ap

Working with Wildcard EntitiesConfiguration Guide for BIG-IP® Application Security Manager™9 - 11Modifying wildcard URLsAt times, you may want to modi

Chapter 99 - 12Sorting wildcard URLsWhen you have configured more than one wildcard URL, you can set the enforcement order, which is the order in whic

Working with Wildcard EntitiesConfiguration Guide for BIG-IP® Application Security Manager™9 - 13Configuring wildcard parametersYou can specify wildca

Chapter 99 - 145. For the Parameter Level setting, select the appropriate option for this wildcard parameter.• Global Parameter: For more information,

Working with Wildcard EntitiesConfiguration Guide for BIG-IP® Application Security Manager™9 - 15Modifying wildcard parametersYou may want to modify t

Chapter 99 - 165. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.The system appli

Working with Wildcard EntitiesConfiguration Guide for BIG-IP® Application Security Manager™9 - 17Tip When adding wildcard URLs, you should arrange the

Chapter 99 - 18Using wildcards for allowed modified cookie headersYou can use wildcards for allowed modified cookie headers to reduce the number of Mo

Working with Wildcard EntitiesConfiguration Guide for BIG-IP® Application Security Manager™9 - 19Checking the status of wildcard tightening for allowe

Chapter 99 - 207. In the Tightening column of the allowed modified cookies list, point to the light bulb icon.The system displays information on the l

10Working with Parameters• Understanding parameters• Working with global parameters• Working with URL parameters• Working with flow parameters• Config

Working with ParametersConfiguration Guide for BIG-IP® Application Security Manager™10 - 1Understanding parametersParameters are an integral entity in

Chapter 1010 - 2Working with global parameters Global parameters are those that do not have an association with a specific URL or application flow. Th

Working with ParametersConfiguration Guide for BIG-IP® Application Security Manager™10 - 37. If you are creating a wildcard parameter and you want the

Chapter 1010 - 4Editing the properties of a global parameterAt times, you may want to update the characteristics of a global parameter. This is easily

Working with ParametersConfiguration Guide for BIG-IP® Application Security Manager™10 - 5Working with URL parametersYou define parameters in the cont

Introducing the Application Security ManagerConfiguration Guide for BIG-IP® Application Security Manager™1 - 1Overview of the BIG-IP Application Secur

Chapter 1010 - 64. In the Create New Parameter area, for the Parameter Name setting, select an option:• If you select Explicit, then in the box, type

Working with ParametersConfiguration Guide for BIG-IP® Application Security Manager™10 - 713. To put the security policy changes into effect immediate

Chapter 1010 - 84. Click OK.The system deletes the parameter.5. To put the security policy changes into effect immediately, click the Apply Policy but

Working with ParametersConfiguration Guide for BIG-IP® Application Security Manager™10 - 94. In the Create New Parameter area, for the Parameter Name

Chapter 1010 - 1015. For the Parameter Value Type setting, select the format for the parameter value. Depending on the value type you select, the scre

Working with ParametersConfiguration Guide for BIG-IP® Application Security Manager™10 - 11Deleting a flow parameterWeb applications can change over t

Chapter 1010 - 12Configuring parameter characteristicsParameter characteristics define the individual attributes of the parameter. The parameter chara

Working with ParametersConfiguration Guide for BIG-IP® Application Security Manager™10 - 13want to configure the parameter as a user-input parameter i

Chapter 1010 - 14Configuring parameter characteristics for user-input parametersUser-input parameters are those for which the user can provide a value

Working with ParametersConfiguration Guide for BIG-IP® Application Security Manager™10 - 153. For the Data Type setting, use the default value, Alpha-

Chapter 11 - 2◆ Positive security modelThe Application Security Manager creates a robust positive security policy to completely protect web applicatio

Chapter 1010 - 16• In the Overridden Security Policy Settings list, change the attack signature state as required. Note that the state that you select

Working with ParametersConfiguration Guide for BIG-IP® Application Security Manager™10 - 17Configuring a decimal user-input parameterThe decimal data

Chapter 1010 - 18To configure an email user-input parameter1. Create a new parameter.• To create a global parameter, see Creating a global parameter,

Working with ParametersConfiguration Guide for BIG-IP® Application Security Manager™10 - 196. If you want the Security Enforcer to enforce a maximum l

Chapter 1010 - 20Creating parameters without defined valuesThe Allow Empty Value setting specifies whether the system expects the parameter to have a

Working with ParametersConfiguration Guide for BIG-IP® Application Security Manager™10 - 21Allowing multiple occurrences of a parameter in a requestBy

Chapter 1010 - 22Making a flow parameter mandatoryThe Is Mandatory Parameter setting specifies whether a parameter must be present in a flow.NoteYou c

Working with ParametersConfiguration Guide for BIG-IP® Application Security Manager™10 - 23Configuring XML parametersXML parameters contain XML data i

Chapter 1010 - 24Working with dynamic parameters and extractionsWhen you configure a dynamic parameter, you also configure the extraction properties f

Working with ParametersConfiguration Guide for BIG-IP® Application Security Manager™10 - 25To configure a dynamic content value parameter1. Create a n

Introducing the Application Security ManagerConfiguration Guide for BIG-IP® Application Security Manager™1 - 3components. For detailed information on

Chapter 1010 - 26Understanding the extracted items configurationWhen you create an extraction for a dynamic parameter, one aspect of the extraction is

Working with ParametersConfiguration Guide for BIG-IP® Application Security Manager™10 - 27Viewing the list of extractionsYou can review all of the pa

Chapter 1010 - 283. In the Dynamic Parameter Properties area, for the Extract Parameter from URL setting, select the protocol to use and type the URL

Working with ParametersConfiguration Guide for BIG-IP® Application Security Manager™10 - 29Working with the parameter character setsEach security poli

Chapter 1010 - 30Viewing and modifying the default parameter name character setThe parameter name character set controls the default characters and me

Working with ParametersConfiguration Guide for BIG-IP® Application Security Manager™10 - 31Configuring sensitive parametersThe Application Security Ma

Chapter 1010 - 32Configuring navigation parametersIf you want the security policy to differentiate between pages in the web application that are gener

11Working with Attack Signatures• Overview of attack signatures• Types of attacks that attack signatures detect• Managing the attack signatures pool•

Working with Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™11 - 1Overview of attack signaturesAttack signatures are ru

Chapter 11 - 4Finding help and technical support resourcesYou can find additional technical documentation and product information using the following

Chapter 1111 - 2Overview of attack signature setsAn attack signature set is a group of individual attack signatures. Rather than applying individual a

Working with Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™11 - 3Types of attacks that attack signatures detectTable 1

Chapter 1111 - 4HTTP request smuggling attack HTTP request smuggling sends a specially formatted HTTP request that might be parsed differently by the

Working with Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™11 - 5Session hijacking Web servers often send session toke

Chapter 1111 - 6Managing the attack signatures poolThe attack signatures pool contains all of the attack signatures that are part of the configuration

Working with Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™11 - 7To view the attack signatures pool with a built-in fi

Chapter 1111 - 8Viewing attack signature detailsWhen you click the name of each attack signature, the system displays the properties listed in Table 1

Working with Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™11 - 9To view attack signature details1. In the navigation

Chapter 1111 - 10Updating the system-supplied attack signaturesYou can update the system-supplied attack signatures on a regular basis to ensure that

Working with Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™11 - 11Configuring automatic updates for system-supplied at

2Performing Essential Configuration Tasks•Overview of the essential configuration tasks• Defining a local traffic pool• Defining an application securi

Chapter 1111 - 125. Click the Save Settings to save your changes.6. Click the Update Signatures button to start the update process.Viewing information

Working with Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™11 - 13Working with attack signature setsRather than assign

Chapter 1111 - 14Creating an attack signature setYou can create signature sets in two ways: by using a filter or by manually selecting the signatures

Working with Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™11 - 15Manual signature sets are composed of attack signatu

Chapter 1111 - 16Editing used-defined attack signature setsYou can edit user-defined attack signature sets to add or remove signatures, or change the

Working with Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™11 - 17Assigning attack signature sets to a security policy

Chapter 1111 - 18Viewing all attack signatures for a security policyWhen you assign an attack signature set to a security policy, the system builds a

Working with Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™11 - 19To view all attack signatures for a security policy1

Chapter 1111 - 20Modifying the blocking policy for an attack signature setThe blocking policy defines how the Security Enforcer processes requests tha

Working with Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™11 - 21Understanding attack signature stagingWhen you first

Chapter 1111 - 22To view signatures in staging that generate learning suggestions1. In the navigation pane, expand Application Security and click Manu

Working with Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™11 - 23Figure 11.3 Attack signatures in stagingEnabling or

Chapter 1111 - 24To disable or enable an attack signature in staging1. In the navigation pane, expand Application Security and click Manual Policy Bui

Working with Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™11 - 25Managing user-defined attack signaturesUser-defined

Chapter 1111 - 26Creating a user-defined attack signatureYou can create a user-defined attack signature rule using the syntax that is explained in App

Working with Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™11 - 27Modifying a user-defined attack signatureYou may nee

Chapter 1111 - 28Importing user-defined attack signaturesIf you have a large number of user-defined attack signatures that you want to add to the conf

Working with Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™11 - 293. In the Choose File box, type the path to the XML

Chapter 1111 - 30

12Protecting XML Applications• Getting started with XML security• Configuring security for SOAP web services• Implementing web services security• Conf

Performing Essential Configuration TasksConfiguration Guide for BIG-IP® Application Security Manager™2 - 1Overview of the essential configuration task

Protecting XML ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™12 - 1Getting started with XML securityBecause XML is used as

Chapter 1212 - 2How you proceed with configuring XML security depends on the type of application you want to protect:• For SOAP web services: refer to

Protecting XML ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™12 - 3Configuring security for SOAP web servicesTo configure s

Chapter 1212 - 45. For the Configuration Files setting, if your web service uses a WSDL or XML schema file, perform steps a and b. Otherwise, skip to

Protecting XML ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™12 - 511. To mask sensitive XML data, click Sensitive Data Con

Chapter 1212 - 6Uploading certificatesTo use web services security for encryption, decryption, and digital signature signing and verification, you mus

Protecting XML ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™12 - 7Enabling encryption, decryption, signing, and verificati

Chapter 1212 - 8To configure web services security credentialsOn the XML Profile Properties screen, in the Credentials area of the Web Services Securi

Protecting XML ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™12 - 93. Check the Enforce And Verify Defined Elements box to

Chapter 22 - 2environment, refer to the BIG-IP® Application Security ManagerTM: Getting Started Guide, which is available in the Ask F5SM Knowledge Ba

Chapter 1212 - 10• none: Insert, into the existing or created security header, the cryptography (for example, the algorithm, cipher, and keys) that de

Protecting XML ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™12 - 113. Check Enforce Timestamp In Request to check that the

Chapter 1212 - 12You have finished configuring web services security on the security policy using the default defense configuration settings. If you w

Protecting XML ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™12 - 13Table 12.2 shows examples of XPath queries.Managing SOA

Chapter 1212 - 145. Below the Defense Configuration area, click the Update button.The screen refreshes, and displays the XML Profiles screen.6. To put

Protecting XML ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™12 - 155. If you selected a referenced file type, in the Impor

Chapter 1212 - 16Fine-tuning XML defense configurationThe defense configuration provides formatting and attack pattern checks for the XML data. The de

Protecting XML ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™12 - 177. Adjust the defense configuration settings as require

Chapter 1212 - 18Allow Processing InstructionsSpecifies, when enabled, that the system allows processing instructions in the XML request. If you uploa

Protecting XML ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™12 - 19Masking sensitive XML dataYou can mask sensitive XML da

Performing Essential Configuration TasksConfiguration Guide for BIG-IP® Application Security Manager™2 - 3Defining an application security classThe se

Chapter 1212 - 20Associating an XML profile with a URLYou can associate XML profiles with explicit URLs and wildcard URLs. The parameter or URL that t

Protecting XML ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™12 - 216. For the Check XML Content-Type Headers setting, spec

Chapter 1212 - 22Associating an XML profile with a parameterYou can associate an XML profile with a parameter whose value is XML-encoded. When the sys

Protecting XML ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™12 - 23Modifying XML security profilesWeb applications change

Chapter 1212 - 24Deleting an XML profileIf you no longer need a specific XML profile, you can remove it entirely from the configuration. F5 Networks r

13Refining the Security Policy Using Learning• Overview of the learning process• Working with learning suggestions• Accepting or clearing learning sug

Refining the Security Policy Using LearningConfiguration Guide for BIG-IP® Application Security Manager™13 - 1Overview of the learning processYou can

Chapter 1313 - 2Working with learning suggestionsThe Learning Manager generates learning suggestions when the Learn flag is enabled for the violations

Refining the Security Policy Using LearningConfiguration Guide for BIG-IP® Application Security Manager™13 - 3NoteThe Traffic Learning screen displays

Chapter 22 - 4Defining a local traffic virtual serverThe next essential configuration task is to define a virtual server on the local area network. Th

Chapter 1313 - 4To view all of the requests that triggered a specific learning suggestion1. In the navigation pane, expand Application Security and cl

Refining the Security Policy Using LearningConfiguration Guide for BIG-IP® Application Security Manager™13 - 5To view a request that triggered a learn

Chapter 1313 - 6Figure 13.2 Example of the View Full Request Information screenViewing all requests for a specific web applicationIf you want to revi

Refining the Security Policy Using LearningConfiguration Guide for BIG-IP® Application Security Manager™13 - 75. Click the Go button.The screen refres

Chapter 1313 - 83. Click a violation hyperlink.The learning suggestions properties screen opens. Note that the screens vary depending on the violation

Refining the Security Policy Using LearningConfiguration Guide for BIG-IP® Application Security Manager™13 - 9Working with entities in staging or with

Chapter 1313 - 10Figure 13.4 File type learning suggestionsWhen you look at the learning suggestions, you can clear them or go back to the staging-ti

Refining the Security Policy Using LearningConfiguration Guide for BIG-IP® Application Security Manager™13 - 11If the Policy Builder is active, and th

Chapter 1313 - 12Reviewing staging and tightening statusIf a file type, URL, parameter, or cookie is in staging or has tightening enabled, the system

Refining the Security Policy Using LearningConfiguration Guide for BIG-IP® Application Security Manager™13 - 13Adding new entities to the security pol

Performing Essential Configuration TasksConfiguration Guide for BIG-IP® Application Security Manager™2 - 5Running the Deployment wizardAfter you have

Chapter 1313 - 14To enforce all file types, URLs, parameters, and cookies that are ready to be enforced1. In the navigation pane, expand Application S

Refining the Security Policy Using LearningConfiguration Guide for BIG-IP® Application Security Manager™13 - 15Processing learning suggestions that re

Chapter 1313 - 16• Web scraping detected• Web Services Security failure• XML data does not comply with format settings• XML data does not comply with

Refining the Security Policy Using LearningConfiguration Guide for BIG-IP® Application Security Manager™13 - 17To disable a violation1. In the navigat

Chapter 1313 - 18Viewing ignored entitiesWhen you reject a learning suggestion for a URL, a file type, or a flow, the Application Security Manager add

Refining the Security Policy Using LearningConfiguration Guide for BIG-IP® Application Security Manager™13 - 19Adding and deleting ignored IP addresse

Chapter 1313 - 20

14Configuring General System Options• Overview of general system options•Configuring interface and system preferences•Configuring external anti-virus

Configuring General System OptionsConfiguration Guide for BIG-IP® Application Security Manager™14 - 1Overview of general system optionsThe Application

Configuration Guide for BIG-IP®Application Security Manager™iProduct VersionThis manual applies to product version 10.2 of the BIG-IP®Application Secu

Chapter 22 - 6Maintaining and monitoring the security policyThe Application Security Manager provides many reporting and monitoring tools, so that you

Chapter 1414 - 2Configuring interface and system preferencesYou can change the default user interface and system preferences for the Application Secur

Configuring General System OptionsConfiguration Guide for BIG-IP® Application Security Manager™14 - 3Configuring external anti-virus protectionYou can

Chapter 1414 - 4b) For the Virus Detected violation (near the bottom of the screen), enable either or both of the Alarm and Block check boxes. For det

Configuring General System OptionsConfiguration Guide for BIG-IP® Application Security Manager™14 - 56. If you selected Web Application Security Edito

Chapter 1414 - 63. For the Configuration setting, select Advanced.4. In the Configuration area, for the Profile Name setting, type a unique name for t

Configuring General System OptionsConfiguration Guide for BIG-IP® Application Security Manager™14 - 78. For the Server IP setting, type the IP address

Chapter 1414 - 8Configuring a logging profile for a reporting serverIf your network uses a third party reporting server (for example, Splunk), you can

Configuring General System OptionsConfiguration Guide for BIG-IP® Application Security Manager™14 - 913. In the Storage Filter area, make any changes

Chapter 1414 - 1010. To ensure that the system logs requests for the web application, even when the logging utility is competing for system resources,

Configuring General System OptionsConfiguration Guide for BIG-IP® Application Security Manager™14 - 116. For the Protocols setting, select whether log

3Working with Application Security Classes• What is an application security class?• Understanding the traffic classifiers• Configuring actions for the

Chapter 1414 - 12Viewing the application security logsLocally stored system logs for the Application Security Manager are accessible from the Configur

Configuring General System OptionsConfiguration Guide for BIG-IP® Application Security Manager™14 - 13Validating regular expressionsThe RegExp Validat

Chapter 1414 - 14Configuring an SMTP mail serverIf you want the system to send email to users, such as when configuring the system to send reports usi

15Displaying Reports• Overview of the reporting tools• Displaying an application security overview• Reviewing details about requests•Viewing charts• S

Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 1Overview of the reporting toolsYou can use several reporting tool

Chapter 1515 - 2Displaying an application security overviewYou can display an overview where you can quickly see what is happening on the Application

Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 3 Figure 15.1 Application Security overview statistics

Chapter 1515 - 4Reviewing details about requestsFor each web application, the Application Security Manager logs requests according to the logging prof

Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 5When viewing details about an illegal request, if you decide that

Chapter 1515 - 6Figure 15.3 Request detailsFigure 15.4 Details about Illegal header length violation

Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 7Exporting requestsYou can export selected requests in PDF or bina

Chapter 1515 - 8Viewing chartsYou can display numerous graphical charts that illustrate the distribution of security alerts. You can filter the data b

Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 9You can use a filter to view the security incidents which are of

Chapter 1515 - 10Interpreting graphical chartsYou can monitor graphical charts to determine how well your security policies are protecting your web ap

Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 11Scheduling and sending graphical charts using emailYou can confi

Chapter 1515 - 125. In the Send To (E-Mails) box, type each email address where you want the system to send a copy of the chart, then click Add.6. Fro

Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 13Viewing Brute Force Attack reportsThe Brute Force Attack report

Chapter 1515 - 14To release IP addresses blocked by the IP Enforcer1. In the navigation pane, expand Application Security, point to Reporting, Anomaly

Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 15Viewing PCI Compliance reportsThe PCI Compliance report displays

Working with Application Security ClassesConfiguration Guide for BIG-IP® Application Security Manager™3 - 1What is an application security class?An ap

Chapter 1515 - 16To view a PCI Compliance report1. In the navigation pane, expand Application Security and click Reporting.The Requests screen opens.2

Displaying ReportsConfiguration Guide for BIG-IP® Application Security Manager™15 - 17Filtering reportsYou can use a filter to view the information of

Chapter 1515 - 18Monitoring CPU usageYou can examine the amount of CPU resources that the Application Security Manager is using, and also check overal

ASecurity Policy Violations• Introducing security policy violations• Viewing descriptions of violations•RFC violations• Access violations• Length viol

Security Policy ViolationsConfiguration Guide for BIG-IP® Application Security Manager™A - 1Introducing security policy violationsSecurity policy viol

Appendix AA - 2Figure A.1 Violations on Blocking Policy screenFigure A.2 Example violation descriptionMany violations are associated with an attack

Security Policy ViolationsConfiguration Guide for BIG-IP® Application Security Manager™A - 3RFC violationsThe Application Security ManagerTM reports R

Appendix AA - 4Bad unescapeThe system detects illegal HEX encoding and reports unescaping errors (such as %RR).Detection evasionHTTP protocol complian

Security Policy ViolationsConfiguration Guide for BIG-IP® Application Security Manager™A - 5Access violationsAccess violations occur when an HTTP requ

Chapter 33 - 2Creating a basic application security classA basic application security class simply routes all HTTP traffic through the Application Sec

Appendix AA - 6Length violationsLength violations occur when an HTTP request contains an entity that exceeds the length setting that is defined in the

Security Policy ViolationsConfiguration Guide for BIG-IP® Application Security Manager™A - 7Illegal request length The incoming request length exceeds

Appendix AA - 8Input violationsInput violations occur when an HTTP request includes a parameter or header that contains data or information that does

Security Policy ViolationsConfiguration Guide for BIG-IP® Application Security Manager™A - 9Illegal parameter data type The incoming request contains

Appendix AA - 10NoteThe Application Security Manager does not distinguish between dynamic parameters that are defined incorrectly, and dynamic paramet

Security Policy ViolationsConfiguration Guide for BIG-IP® Application Security Manager™A - 11Cookie violationsCookie violations occur when the cookie

Appendix AA - 12Negative security violationsNegative security violations occur when an incoming request contains a string pattern that matches an atta

Security Policy ViolationsConfiguration Guide for BIG-IP® Application Security Manager™A - 13Determining the type of attack detected by an attack sign

Appendix AA - 14

BWorking with the Application-Ready Security Policies• Understanding application-ready security policies• Using the Rapid Deployment security policy•

Working with Application Security ClassesConfiguration Guide for BIG-IP® Application Security Manager™3 - 3Understanding the traffic classifiersYou ca

Working with the Application-Ready Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™B - 1Understanding application-ready

Appendix BB - 2Using the Rapid Deployment security policyThe Rapid Deployment security policy is configured with a general set of security checks to m

Working with the Application-Ready Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™B - 3Using the ActiveSync security po

Appendix BB - 4Using the OWA Exchange 2003 security policyThe OWA Exchange 2003 application-ready security policies protect servers running Microsoft®

Working with the Application-Ready Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™B - 5Using the OWA Exchange 2007 secu

Appendix BB - 6Using the SharePoint 2003 security policyThe SharePoint 2003 application-ready security policies protect servers running Microsoft® Sha

Working with the Application-Ready Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™B - 7Using the SharePoint 2007 securi

Appendix BB - 8Using the Lotus Domino 6.5 security policyThe Lotus Domino 6.5 application-ready security policies protect servers running Lotus® Domin

Working with the Application-Ready Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™B - 9Using the Oracle Applications 10

Chapter 33 - 4To configure an application security class using the Hosts traffic classifier1. In the navigation pane, expand Application Security and

Appendix BB - 10Using the Oracle Applications 11i security policyThe Oracle Applications 11i application-ready security policies protect servers runni

Working with the Application-Ready Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™B - 11Using the PeopleSoft Portal 9 s

Appendix BB - 12Using the SAP NetWeaver security policyThe SAP NetWeaver application-ready security policies protect servers running the SAP NetWeaver

Working with the Application-Ready Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™B - 13Using the WhiteHat Sentinel Bas

Appendix BB - 14Managing large file uploads when using the application-ready security policiesThe web applications for which you can use one of the ap

CSyntax for Creating User-Defined Attack Signatures• Writing rules for user-defined attack signatures• Overview of rule option scopes• Syntax for atta

Syntax for Creating User-Defined Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™C - 1Writing rules for user-defined att

Appendix CC - 2Using the pcre rule optionThe pcre rule option performs a regular expression match on different parts of the input, and is based on the

Syntax for Creating User-Defined Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™C - 3Overview of rule option scopes Sco

Working with Application Security ClassesConfiguration Guide for BIG-IP® Application Security Manager™3 - 5Classifying traffic using URI pathsYou can

Appendix CC - 4A note about normalization For the URI and parameter scopes, the system always applies a normalization process before applying the rule

Syntax for Creating User-Defined Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™C - 5Syntax for attack signature rulesT

Appendix CC - 6Using the headercontent rule option The headercontent rule option matches when the specified string is found anywhere in the HTTP reque

Syntax for Creating User-Defined Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™C - 7at http://pcre.org. For details on

Appendix CC - 8Using the reference rule optionUse the reference rule option in a rule to provide an external reference or link to information regardin

Syntax for Creating User-Defined Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™C - 9Using the offset modifierUse the o

Appendix CC - 10For example, the content rule in Figure C.9 matches these requests: 12345678901234567890GET /67ABC ...GET /6ABC ...but not these reque

Syntax for Creating User-Defined Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™C - 11specified keyword, while the offs

Appendix CC - 12but not these requests: xxxxxxxx12345678901234567890GET /ABC12345678XYZ ...GET /ABC123456789XYZ ...TipThe line of numbers above the re

Syntax for Creating User-Defined Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™C - 13SQL-Injection, and Command Execut

Chapter 33 - 6Classifying traffic using headersYou can use the Headers traffic classifier to specify one or more headers whose associated requests you

Appendix CC - 14Note that for the pcre rule option, you use the \x escape sequence, and not the pipe symbols, to escape characters. See the PCRE docum

Syntax for Creating User-Defined Attack SignaturesConfiguration Guide for BIG-IP® Application Security Manager™C - 15Rule combination exampleIt is imp

Appendix CC - 16

DInternal Parameters for Advanced Configuration• Overview of internal parameters• Viewing internal parameters• Restoring the default settings for inte

Internal Parameters for Advanced ConfigurationConfiguration Guide for BIG-IP® Application Security Manager™D - 1Overview of internal parametersSeveral

Appendix DD - 2ecard_regexp_email ^\s*([\w.-]+)@([\w.-]+)\s*$ (regular expression)Specifies the regular expression that defines a valid pattern for pa

Internal Parameters for Advanced ConfigurationConfiguration Guide for BIG-IP® Application Security Manager™D - 3ProtocolIndication -1 Specifies how th

Appendix DD - 4Viewing internal parametersYou can review the settings for the internal parameters on the Advanced Configuration screen.To view interna

Internal Parameters for Advanced ConfigurationConfiguration Guide for BIG-IP® Application Security Manager™D - 5Restoring the default settings for int

Working with Application Security ClassesConfiguration Guide for BIG-IP® Application Security Manager™3 - 7Classifying traffic using cookiesYou can us

Appendix DD - 6

EUpgrading HTTP Security Profiles to Security Policies• Overview of the Migration wizard• Performing the migration

Upgrading HTTP Security Profiles to Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™E - 1Overview of the Migration wizar

Appendix EE - 2Performing the migrationThe Migration wizard guides you through the steps necessary to convert HTTP security profiles in Protocol Secur

FRunning Application Security Manager on the VIPRION Chassis• Overview of running Application Security Manager on the VIPRION chassis• Viewing VIPRION

Running Application Security Manager on the VIPRION ChassisConfiguration Guide for BIG-IP® Application Security Manager™F - 1Overview of running Appli

Appendix FF - 2Viewing cluster statisticsYou can view statistics for all active blades running on the VIPRION chassis.To view statistics for all blade

Running Application Security Manager on the VIPRION ChassisConfiguration Guide for BIG-IP® Application Security Manager™F - 3To view cluster member sy

iiCanadian Regulatory ComplianceThis Class A digital apparatus complies with Canadian ICES-003.Standards ComplianceThis product conforms to the IEC, E

Chapter 33 - 8Configuring actions for the application security classThe actions of the application security class designate what the system does with

Appendix FF - 4

Glossary

GlossaryConfiguration Guide for BIG-IP® Application Security Manager™Glossary - 1access violationAn access violation is a security policy violation th

GlossaryGlossary - 2blocking modeA security policy is in blocking mode when the enforcement mode is blocking, and one or more Block flags are enabled.

GlossaryConfiguration Guide for BIG-IP® Application Security Manager™Glossary - 3cookie violationA cookie violation is a security policy violation tha

GlossaryGlossary - 4dynamic valueSee dynamic parameter. enforcement modeThe enforcement mode determines what actions the Security Enforcer takes when

GlossaryConfiguration Guide for BIG-IP® Application Security Manager™Glossary - 5headersSee HTTP headers.heuristicsHeuristics are the data collected a

GlossaryGlossary - 6learning suggestionWhen a request triggers a violation, and the Learn flag is enabled for that violation, the Learning Manager gen

GlossaryConfiguration Guide for BIG-IP® Application Security Manager™Glossary - 7parameter and value pairA parameter and value pair represents some el

Working with Application Security ClassesConfiguration Guide for BIG-IP® Application Security Manager™3 - 9Rewriting a URIYou can use the Rewrite URI

GlossaryGlossary - 8response scrubbingThe process of removing sensitive user information-such as credit card numbers, or social security numbers (U.S.

GlossaryConfiguration Guide for BIG-IP® Application Security Manager™Glossary - 9session IDA session ID is a string of data that identifies a user to

GlossaryGlossary - 10system-supplied attack signaturesSystem-supplied attack signatures are shipped as part of the Application Security Manager softwa

GlossaryConfiguration Guide for BIG-IP® Application Security Manager™Glossary - 11URL parameterAn URL parameter is a parameter that is defined and val

GlossaryGlossary - 12

Index

IndexConfiguration Guide for BIG-IP® Application Security Manager™Index - 1AAbout tab 1-3abuse of functionality attack 11-3Accept as Legitimate (L

IndexIndex - 2attack signature updatesand network access 11-10and update failures 11-10receiving email notification 11-12viewing update activity

IndexConfiguration Guide for BIG-IP® Application Security Manager™Index - 3buffer overflow attacksand length violations A-6description 11-3prevent

Chapter 33 - 10

IndexIndex - 4denial-of-service attacksdefined 7-2, 11-3mitigating 7-3recognizing 7-2deployment scenarios 2-5Deployment wizardabout 2-5and a

IndexConfiguration Guide for BIG-IP® Application Security Manager™Index - 5Failure to convert character violation A-8false positivesand accuracy 1

IndexIndex - 6Illegal meta character in header violation A-8Illegal meta character in parameter value violation A-8Illegal meta character in param

IndexConfiguration Guide for BIG-IP® Application Security Manager™Index - 7Lotus Domino 6.5 security policy B-8MMain tab, about 1-3Malformed XML d

IndexIndex - 8parametersallowing empty value 10-20allowing repeated occurrences of flow 10-9allowing repeated occurrences of global 10-3allowing

IndexConfiguration Guide for BIG-IP® Application Security Manager™Index - 9requestsclearing from the Requests List 15-7configuring default number di

IndexIndex - 10restoring 8-7restoring archived version 8-8setting active 4-4, 6-1, 6-12updating 13-2using application-ready security policies

IndexConfiguration Guide for BIG-IP® Application Security Manager™Index - 11support ID numbersand blocking mode 6-3for security policy violations

IndexIndex - 12user rolesabout 14-4user-defined attack signaturesabout 11-1and failed attack signature updates 11-10creating 11-26, C-1deletin

IndexConfiguration Guide for BIG-IP® Application Security Manager™Index - 13and logging profiles 14-5and negative security violations A-12and sens

4Working with Web Applications• What is a web application?• Configuring the properties of a web application• Working with web application groups• Work

IndexIndex - 14XML securityconfiguring for web services 12-3configuring for XML content 12-14encrypting SOAP messages 12-5overview 12-1verifyi

Working with Web ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™4 - 1What is a web application?In Application Security Manag

Chapter 44 - 2Figure 4.1 shows an example of a web application list.Figure 4.1 Sample list of web applicationsTo view the list of web applications1.

Working with Web ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™4 - 3Configuring the properties of a web applicationIn the A

Chapter 44 - 4Configuring the active security policyThe active security policy is the security policy that the Application Security Manager uses to va

Working with Web ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™4 - 5If none of these profiles meets your needs, refer to Co

Configuration Guide for BIG-IP® Application Security Manager™iiiThis product includes software developed by the OpenSSL Project for use in the OpenSSL

Chapter 44 - 6To set a web application back to a new state1. In the navigation pane, expand Application Security and click Web Applications.The Web Ap

Working with Web ApplicationsConfiguration Guide for BIG-IP® Application Security Manager™4 - 7Creating a web application groupWhen you create a web a

Chapter 44 - 8Working with a disabled web applicationThe Application Security Manager automatically disables web applications when you:• Disable the A

5Building a Security Policy Automatically• Overview of automatic policy building• Configuring automatic policy building• Viewing the automatic policy

Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 1Overview of automatic policy buildingApplica

Chapter 55 - 2Configuring automatic policy buildingApplication Security Manager completely configures the automated policy building settings according

Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 34. For Policy Type, select the type of secur

Chapter 55 - 4Configuring advanced automatic policy building settingsIf you want to review the configuration details of the Policy Builder, you can us

Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 5To configure advanced policy building settin

iv

Chapter 55 - 6Changing the policy typeThe policy type determines which security policy elements are included in the security policy. When you create a

Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 7To change the policy type1. In the navigatio

Chapter 55 - 8URLs Configures the security policy to add allowed URLs, based on legitimate traffic.XURLs–Meta Characters Configures the security polic

Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 9Note that the list in Table 5.1 includes the

Chapter 55 - 10Figure 5.3 Security policy elements (Fundamental policy type selected)You can change the selected policy elements, in which case, the

Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 11Modifying automatic policy building options

Chapter 55 - 12Figure 5.4 Options area on the Automatic Policy Building screenTo modify automatic policy building options1. In the navigation pane, e

Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 134. In the Options area, for Parameter Level

Chapter 55 - 14Tip: Normally, the Policy Builder learns only from legitimate traffic, so you should add response codes that are returned under normal

Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 15Modifying automatic policy building rulesDu

Table of Contents

Chapter 55 - 16Figure 5.5 shows the Rules area of the Automatic Policy Building Configuration screen.Figure 5.5 Rules area of the Automatic Policy Bu

Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 17Advanced users can view and change the cond

Chapter 55 - 187. For the Track Site Changes rule:a) The Enable Track Site Changes check box is selected by default. This box must remain checked if y

Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 19Modifying the list of trusted IP addressesY

Chapter 55 - 204. In the Trusted IP Addresses area, for IP Addresses, specify which IP addresses to consider safe: • To trust all IP addresses (for in

Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 21Viewing the automatic policy building statu

Chapter 55 - 22• In the learning details for Attack Signatures, you can see the list of signatures that the system detected, and which may be false po

Building a Security Policy AutomaticallyConfiguration Guide for BIG-IP® Application Security Manager™5 - 23Stopping and starting automatic policy buil

Chapter 55 - 24Viewing automatic policy building logsThe Application Security Manager creates a log file, called the policy log, for every security po

6Manually Configuring Security Policies • Understanding security policies• Configuring security policy properties• Setting the active security policy

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 1Understanding security policiesThe core of the

Chapter 66 - 2Configuring the security policy name and descriptionEach security policy that you configure has a unique name, which you assign as part

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 3Configuring the enforcement modeSecurity polic

Chapter 66 - 4To configure the enforcement mode1. In the navigation pane, expand Application Security and click Policy.The Policy Properties screen op

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 5Configuring the staging-tightening periodFor e

Chapter 66 - 6Enabling or disabling staging for attack signaturesFor each security policy, you can enable or disable staging for attack signatures on

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 74. For the Maximum HTTP Header Length setting,

Chapter 66 - 8Configuring the allowed response status codesBy default, the Application Security Manager accepts all response codes from 1xx to 3xx as

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 9responses, based on the pattern that you confi

Table of ContentsConfiguration Guide for BIG-IP® Application Security Manager™vii1Introducing the Application Security ManagerOverview of the BIG-IP A

Chapter 66 - 10Activating iRule eventsAn iRule is a script that lets you customize how you manage traffic on the BIG-IP system. You can write iRulesTM

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 11Configuring trusted XFF headersYou can config

Chapter 66 - 12Setting the active security policy for a web applicationAt any given time, the Application Security Manager enforces only one security

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 13Determining when to set the active security p

Chapter 66 - 14Validating HTTP protocol complianceThe first security checks that Application Security Manager performs are those for RFC compliance wi

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 15Configuring HTTP protocol compliance validati

Chapter 66 - 16Adding file typesUsing the Allowed File Types screen, you can specify the file types that are allowed (or disallowed) in the web applic

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 17Creating allowed file typesFor allowed file t

Chapter 66 - 18To manually create an allowed file type1. In the navigation pane, expand Application Security and click File Types.The Allowed File Typ

Manually Configuring Security PoliciesConfiguration Guide for BIG-IP® Application Security Manager™6 - 19Modifying file typesYou can modify any of the