Configuration Guide for

BIG-IP Application Security Management

version 9.4

MAN-0225-01
Product Version
This manual applies to product version 9.4 of the BIG-IP Application Security Manager.

Publication Date
This manual was published on February 23, 2007.

Legal Notices
Copyright
Copyright 2005 - 2007, F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5
assumes no responsibility for the use of this information, nor any infringement of patents or other rights of
third parties which may result from its use. No license is granted by implication or otherwise under any
patent, copyright, or other intellectual property right of F5 except as specifically described by applicable
user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, iControl, Internet Control Architecture, IP Application
Switch, iRules, OneConnect, Packet Velocity, SYN Check, Control Your World, ZoneRunner, uRoam,
FirePass, TrafficShield, Swan, WANJet, WebAccelerator, and TMOS are registered trademarks or
trademarks, and Ask F5 is a service mark, of F5 Networks, Inc. in the U.S. and certain other countries. All
other trademarks mentioned in this document are the property of their respective owners. F5 Networks'
trademarks may not be used in connection with any product or service except as permitted in writing by
F5.

Patents
This product is protected by U.S. Patent 6,311,278. Other patents pending.

Export Regulation Notice


This product may include cryptographic software. Under the Export Administration Act, the United States
government may consider it a criminal offense to export this product from the United States.

RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which
case the user may be required to take adequate measures.

FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant
to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful
interference when the equipment is operated in a commercial environment. This unit generates, uses, and
can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual,
may cause harmful interference to radio communications. Operation of this equipment in a residential area
is likely to cause harmful interference, in which case the user, at his own expense, will be required to take
whatever measures may be required to correct the interference.
Any modifications to this device, unless expressly approved by the manufacturer, can void the user's
authority to operate this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance


This Class A digital apparatus complies with Canadian ICES-003.

Configuration Guide for BIG-IP Application Security Management i


Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to
Information Technology products at the time of manufacture.

Acknowledgments
This product includes software developed by Bill Paul.
This product includes software developed by Jonathan Stone.
This product includes software developed by Manuel Bouyer.
This product includes software developed by Paul Richards.
This product includes software developed by the NetBSD Foundation, Inc. and its contributors.
This product includes software developed by the Politecnico di Torino, and its contributors.
This product includes software developed by the Swedish Institute of Computer Science and its
contributors.
This product includes software developed by the University of California, Berkeley and its contributors.
This product includes software developed by the Computer Systems Engineering Group at the Lawrence
Berkeley Laboratory.
This product includes software developed by Christopher G. Demetriou for the NetBSD Project.
This product includes software developed by Adam Glass.
This product includes software developed by Christian E. Hopps.
This product includes software developed by Dean Huxley.
This product includes software developed by John Kohl.
This product includes software developed by Paul Kranenburg.
This product includes software developed by Terrence R. Lambert.
This product includes software developed by Philip A. Nelson.
This product includes software developed by Herb Peyerl.
This product includes software developed by Jochen Pohl for the NetBSD Project.
This product includes software developed by Chris Provenzano.
This product includes software developed by Theo de Raadt.
This product includes software developed by David Muir Sharnoff.
This product includes software developed by SigmaSoft, Th. Lockert.
This product includes software developed for the NetBSD Project by Jason R. Thorpe.
This product includes software developed by Jason R. Thorpe for And Communications,
http://www.and.com.
This product includes software developed for the NetBSD Project by Frank Van der Linden.
This product includes software developed for the NetBSD Project by John M. Vinopal.
This product includes software developed by Christos Zoulas.
This product includes software developed by the University of Vermont and State Agricultural College and
Garrett A. Wollman.
In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was
developed by Holger Veit and Brian Moore for use with "386BSD" and similar operating systems.
"Similar operating systems" includes mainly non-profit oriented systems for research and education,
including but not restricted to "NetBSD," "FreeBSD," "Mach" (by CMU).
This product includes software developed by the Apache Group for use in the Apache HTTP server project
(http://www.apache.org/).
This product includes software licensed from Richard H. Porter under the GNU Library General Public
License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.
This product includes the standard version of Perl software licensed under the Perl Artistic License
(© 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current
standard version of Perl at http://www.perl.com.
This product includes software developed by Jared Minch.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product contains software based on oprofile, which is protected under the GNU Public License.

This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html)
and licensed under the GNU General Public License.
This product contains software licensed from Dr. Brian Gladman under the GNU General Public License
(GPL).
This product includes software developed by the Apache Software Foundation <http://www.apache.org/>.
This product includes Hypersonic SQL.
This product contains software developed by the Regents of the University of California, Sun
Microsystems, Inc., Scriptics Corporation, and others.
This product includes software developed by the Internet Software Consortium.
This product includes software developed by Nominum, Inc. (http://www.nominum.com).
This product contains software developed by Broadcom Corporation, which is protected under the GNU
General Public License.
This product includes the Zend Engine, freely available at http://www.zend.com.
This product contains software developed by NuSphere Corporation, which is protected under the GNU
Lesser General Public License.
This product contains software developed by Erik Arvidsson and Emil A Eklund.
This product contains software developed by Aditus Consulting.
This product contains software developed by Dynarch.com, which is protected under the GNU Lesser
General Public License, version 2.1 or above.

Table of Contents

1
Introducing Application Security Management
Introducing the BIG-IP system .....................................................................................................1-1
Overview of the BIG-IP Application Security Manager ..........................................................1-2
Summary of the Application Security Manager features ...............................................1-2
Introducing application security for the BIG-IP Local Traffic Manager .....................1-3
Highlights of this configuration guide ................................................................................1-3
Using the Configuration utility .....................................................................................................1-5
Browser support for the Configuration utility ...............................................................1-6
Identifying referrer objects in the Configuration utility ................................................1-6
Stylistic conventions in this document .......................................................................................1-7
Using the solution examples ...............................................................................................1-7
Identifying new terms ............................................................................................................1-7
Identifying references to products .....................................................................................1-7
Identifying references to objects, names, and commands ............................................1-7
Identifying references to other documents .....................................................................1-7
Identifying command syntax ................................................................................................1-8
Finding help and technical support resources ..........................................................................1-9

2
Essential Configuration Tasks
Overview of the essential configuration tasks .........................................................................2-1
Defining a local traffic pool ...........................................................................................................2-3
Defining an application security class .........................................................................................2-4
Defining a local traffic virtual server ...........................................................................................2-5
Configuring the web application language .................................................................................2-6
Determining the required security level for the web application ........................................2-7
Understanding the security levels ......................................................................................2-7
Understanding positive security logic ...............................................................................2-8
Setting the active policy for the web application .....................................................................2-9
Refining the security policy using the Learning process ...................................................... 2-10
Activating blocking mode on the security policy .................................................................. 2-11
Maintaining and monitoring the security policy .................................................................... 2-12

3
Working With Application Security Classes
What is an application security class? ........................................................................................3-1
Understanding the difference between an application security class and an HTTP class profile ........3-1
Creating a basic application security class .......................................................................3-2
Understanding the traffic classifiers ............................................................................................3-3
How the system applies the traffic classifiers ..................................................................3-3
Using the Hosts traffic classifier .........................................................................................3-3
Using the URI Paths traffic classifier ..................................................................................3-4
Using the Headers traffic classifier ....................................................................................3-5
Using the Cookies traffic classifier .....................................................................................3-6
Understanding the actions for the application security class ................................................3-7
Using the Rewrite URI action .............................................................................................3-7

4
Working With Web Applications
What is a web application? ...........................................................................................................4-1
Viewing the configured web applications .........................................................................4-1

Configuring the properties of a web application .....................................................................4-2


Configuring the web application language ........................................................................4-2
Configuring the active security policy ...............................................................................4-3
Configuring requests logging ...............................................................................................4-3
Enabling traffic sampling for the Policy Builder ...............................................................4-4
Configuring the target security policy for learning suggestions ..................................4-5
Enabling dynamic sessions in URLs ....................................................................................4-5
Returning a web application to a new, unconfigured state ..........................................4-6
Working with web application groups .......................................................................................4-7
Creating a web application group ......................................................................................4-7
Removing a web application group ....................................................................................4-8
Working with a disabled web application .................................................................................4-9
Viewing disabled web applications .....................................................................................4-9
Re-enabling a web application .............................................................................................4-9
Overview of the Security Policies List .................................................................................... 4-10

5
Working With the Security Policy
What is a security policy? .............................................................................................................5-1
Chapter overview ..................................................................................................................5-1
Working with the security policy properties ...........................................................................5-2
Working with the general policy properties ...................................................................5-3
Configuring the security policy name and description ..................................................5-3
Viewing the security policy's corresponding web application .....................................5-4
Configuring the security level .............................................................................................5-4
Configuring the blocking mode ..........................................................................................5-6
Configuring the maximum HTTP header length ............................................................5-7
Configuring the maximum cookie header length ...........................................................5-8
Configuring the flow mode ..................................................................................................5-9
Working with the negative regular expressions pool ................................................ 5-10
Overview of the Policy Builder ........................................................................................ 5-14
Working with the Blocking Response Page property ................................................ 5-14
Working with the Sensitive Parameters property ...................................................... 5-16
Working with the Allowed Modified Cookies property ........................................... 5-17
Working with the Allowed Methods property ............................................................ 5-18
Working with the Navigation Parameters property .................................................. 5-19
Working with the security policy entities .............................................................................. 5-20
Working with the Object Types entity ......................................................................... 5-20
Working with the Web Objects entity ......................................................................... 5-26
Working with the Parameters entity ............................................................................. 5-27
Working with the Flows entity ........................................................................................ 5-27
Working with the Character Sets entity ....................................................................... 5-30
Setting the active policy for a web application ...................................................................... 5-33
Determining when to set the active security policy ................................................... 5-33
Working with the Blocking Policy settings ............................................................................ 5-35
Configuring the Learn, Alarm, and Block flags ............................................................. 5-35
How the Policy Enforcer enforces security policies ............................................................ 5-37
Understanding security policy violations ................................................................................ 5-38
Overview of RFC violations ............................................................................................. 5-38
Overview of access violations .......................................................................................... 5-39
Overview of length violations .......................................................................................... 5-39
Overview of input violations ............................................................................................ 5-40
Overview of cookie violations ......................................................................................... 5-41
Overview of negative security violations ...................................................................... 5-42
Maintaining a security policy ...................................................................................................... 5-43

Editing an existing security policy ................................................................................... 5-43


Copying a security policy .................................................................................................. 5-44
Exporting a security policy ............................................................................................... 5-44
Merging two security policies .......................................................................................... 5-45
Importing a security policy ............................................................................................... 5-46
Deleting a security policy .................................................................................................. 5-47
Restoring a deleted security policy ................................................................................. 5-48
Viewing and restoring an archived security policy ...................................................... 5-48
Viewing the security policy using the security policy audit tools ..................................... 5-50

6
Building a Security Policy With the Policy Builder
Overview of the Policy Builder ....................................................................................................6-1
Configuring the general settings for the Policy Builder .........................................................6-2
Configuring a Policy Builder domain .................................................................................6-2
Configuring the Start Points general setting ....................................................................6-4
Configuring the Form Fillers general setting ...................................................................6-5
Configuring the Page Not Found Criteria general setting ...........................................6-6
Configuring the Properties general setting ......................................................................6-6
Configuring the Object Types Associations general settings ......................................6-7
Understanding the Policy Builder operation modes ............................................................ 6-10
Configuring and using the Real Traffic (Responses) operation mode .................... 6-10
Configuring and using the Real Traffic (Requests) operation mode ....................... 6-12
Configuring and using the Generated Traffic operation mode ................................ 6-14
Running the Policy Builder ......................................................................................................... 6-19
Viewing the status of the Policy Builder ................................................................................. 6-20
Stopping the Policy Builder ........................................................................................................ 6-21
Working with the Policy Builder log ....................................................................................... 6-22

7
Working With Parameters
Understanding parameters ...........................................................................................................7-1
Understanding how the Policy Enforcer processes parameters ..........................................7-2
Working with global parameters .................................................................................................7-3
Creating a global parameter ................................................................................................7-3
Editing the properties of a global parameter ...................................................................7-4
Deleting a global parameter ................................................................................................7-5
Working with web object parameters .......................................................................................7-6
Creating a web object parameter ......................................................................................7-6
Editing the properties of a web object parameter .........................................................7-7
Deleting a web object parameter ......................................................................................7-8
Working with flow parameters ...................................................................................................7-9
Creating a flow parameter ...................................................................................................7-9
Editing the properties of a flow parameter .................................................................. 7-10
Deleting a flow parameter ................................................................................................ 7-11
Configuring parameter characteristics .................................................................................... 7-13
Understanding parameter types ...................................................................................... 7-13
A note about configuring parameters ............................................................................ 7-14
Configuring parameter characteristics for static parameters ................................... 7-14
Configuring parameter characteristics for user-input parameters .......................... 7-15
Configuring the Allow Empty Value setting .................................................................. 7-20
Configuring the Is Mandatory Parameter setting ........................................................ 7-23
Working with dynamic parameters and extractions ........................................................... 7-25
Configuring dynamic content value parameters .......................................................... 7-25

Configuring parameter characteristics for dynamic parameter names .................. 7-27


Configuring an extraction ................................................................................................. 7-28
Viewing the list of extractions ......................................................................................... 7-29

8
Refining the Security Policy Using Learning
Overview of the Learning process ..............................................................................................8-1
Working with the learning suggestions generated by the Learning Manager ...................8-2
Viewing a specific learning suggestion ...............................................................................8-2
Viewing the requests that trigger learning suggestions .................................................8-3
Viewing the details of a specific request ...........................................................................8-3
Processing the learning suggestions generated by the Learning Manager .........................8-5
Accepting a learning suggestion ..........................................................................................8-5
Clearing a learning suggestion .............................................................................................8-6
Rejecting a learning suggestion ...........................................................................................8-6
Additional considerations when processing learning suggestions ..............................8-7
Overview of the Ignored Items screen ......................................................................................8-9
Removing items from the Ignored Items list ...................................................................8-9

9
Working with the Statistics and Monitoring Tools
Overview of the statistics and monitoring tools .....................................................................9-1
Working with the Events Monitoring report ...........................................................................9-1
Filtering the Monitoring list .................................................................................................9-2
Saving and restoring the events data .................................................................................9-2
Working with the Security reports ............................................................................................9-4
Viewing the Security reports ..............................................................................................9-4
Filtering the Security reports ..............................................................................................9-4
Working with the Attacks reports .............................................................................................9-6
Viewing the Attacks reports ...............................................................................................9-6
Filtering the Attacks reports ...............................................................................................9-6
Working with the Executive reports .........................................................................................9-8
Viewing the Executive reports ............................................................................................9-8
Working with the Forensics screen ...........................................................................................9-9
Filtering the Forensics list ....................................................................................................9-9

10
General System Options
Configuring a user account for policy editing only .............................................................. 10-1
Viewing the application security log files ................................................................................ 10-2
Working with the system-supplied regular expressions ..................................................... 10-3
Overview of the regular expressions pool ................................................................... 10-3
Creating a user-defined regular expression .................................................................. 10-3
Validating a user-defined regular expression ................................................................ 10-4
Overview of the default negative regular expressions pool for security policies 10-5

A
Internal Parameters for Advanced Configuration
Overview of internal parameters ...............................................................................................A-1

B
Upgrading from TrafficShield 3.2.X to BIG-IP Application Security Manager

Introduction .................................................................................................................................... B-1


Upgrade compatibility .......................................................................................................... B-1
Important considerations regarding the upgrade process .......................................... B-2
Additional resources ............................................................................................................ B-2
Preparing the 3.2.X system for the upgrade ............................................................................ B-2
Backing up and exporting the 3.2.X system configuration .......................................... B-3
Obtaining the collect_ts_info.pl script ............................................................................. B-3
Running the collect_ts_info.pl script ................................................................................ B-4
Installing the BIG-IP version 9.4 software ................................................................................ B-5
Downloading the installation CD-ROM ISO image from F5 Networks .................. B-5
Performing a PXE installation ............................................................................................. B-6
Performing a CD installation ............................................................................................ B-10
Configuring an IP address for the management interface ......................................... B-11
Licensing the software using the Configuration utility ........................................................ B-12
Configuring the basic network and system settings ............................................................. B-13
Required network settings ............................................................................................... B-13
Optional network and system settings .......................................................................... B-14
Converting 3.2.X network settings to BIG-IP 9.4 network settings ................................ B-15
Configuring the basic local traffic settings .............................................................................. B-16
Creating the application security configuration .................................................................... B-18
Configuring an application security class ....................................................................... B-18
Associating an application security class with a virtual server ................................. B-19
Importing the saved version 3.2.X security policies into the version 9.4 configuration ........ B-20
Upgrading a primary with standby unit topology ................................................................. B-21
Understanding redundant systems .................................................................................. B-21
Summary of upgrade tasks for a redundant system .................................................... B-21
Configuring the high availability settings ........................................................................ B-23
Configuring the failover addresses .................................................................................. B-23
Connecting the failover cable .......................................................................................... B-24
Synchronizing the configuration ...................................................................................... B-24
Sample results file from ts_collect_info.pl script .................................................................. B-26

C
Platform-Specific Hazardous Substance Levels, for China
4100 platform .................................................................................................................................C-1

Glossary

Index

Configuration Guide for BIG-IP Application Security Management xi


1
Introducing Application Security Management

Introducing the BIG-IP system

Overview of the BIG-IP Application Security Manager

Using the Configuration utility

Stylistic conventions in this document

Finding help and technical support resources


Introducing Application Security Management

Introducing the BIG-IP system


The F5 Networks BIG-IP system is a port-based, multilayer switch that
supports virtual local area network (VLAN) technology. Because hosts
within a VLAN can communicate at the data-link layer (Layer 2), a BIG-IP
system reduces the need for routers and IP routing on the network. This in
turn reduces equipment costs and boosts overall network performance. At
the same time, the BIG-IP system's multilayer capabilities enable the
system to process traffic at other OSI layers. The BIG-IP system can
perform IP routing at Layer 3, as well as manage and secure TCP, UDP, and
other application traffic at Layers 4 through 7. The following software
modules provide comprehensive traffic management and security for all
traffic types. The modules are fully integrated to provide efficient solutions
to meet any network, traffic management, and security needs.
BIG-IP Local Traffic Manager
The BIG-IP system includes local traffic management features that help
you make the most of network resources such as web servers. Using the
powerful Configuration utility, you can customize the way that the
BIG-IP system processes specific types of protocol and application
traffic. By using features such as virtual servers, server pools, profiles,
and iRules, you ensure that traffic passing through the BIG-IP system
is processed quickly and efficiently, while meeting all of your security
needs. For more information, see the Configuration Guide for BIG-IP
Local Traffic Management.

BIG-IP Application Security Manager


The Application Security Manager provides web application protection
from application-layer attacks. The Application Security Manager
protects Web applications from both generalized and targeted application
layer attacks including buffer overflow, SQL injection, cross-site
scripting, and parameter tampering.



Chapter 1

Overview of the BIG-IP Application Security Manager


The BIG-IP Application Security Manager is designed to protect
mission-critical enterprise Web infrastructure against application-layer
attacks, and to monitor the protected web applications. The Application
Security Manager can prevent a variety of web application attacks, such as:
• Manipulation of cookies or hidden fields.
• Insertions of SQL commands or HTTP structures into user input fields in
  order to expose confidential information or to deface content.
• Malicious exploitations of the application memory buffer to stop
  services, to get shell access and to propagate worms.
• Unauthorized changes to server content using HTTP Delete and Put
  commands.
• Attempts aimed at causing the web application to be unavailable or to
  respond slowly to legitimate users.
• Forceful browsing.
• Unknown threats, also known as zero-day threats.

Summary of the Application Security Manager features


The Application Security Manager includes the following features.
Integrated platform guaranteeing the delivery of secure application
traffic
Built on F5 Networks' award-winning TMOS architecture, the
ICSA-certified, positive security Application Security Manager is fully
integrated with the BIG-IP Local Traffic Manager.
Attack Filters
The Attack Patterns in the Application Security Manager use regular
expressions to offer protection from generalized and known application
attacks such as known worms, vulnerabilities, and requests for restricted
files and objects.
Positive Security Model
The Application Security Manager creates a robust positive security
policy to completely protect web applications from targeted web
application layer threats, such as buffer overflows, SQL injection,
cross-site scripting, parameter tampering, cookie poisoning, and others,
by allowing only valid application transactions. The positive security
model is based on a combination of valid user session context and valid
user input, as well as a valid application response.
Integrated, simplified management
The browser-based Configuration utility provides network device
configuration, centralized visual security policy management, and
easy-to-read audit reports. Additional tools provide a highly automated
and visual security policy building mechanism, based on a proprietary
Policy Builder that automatically builds a map of all the valid application
transactions and drastically simplifies the security policy management.
Role-based administration
The BIG-IP system supports role-based administration, which you can
use to restrict access to various components of the product. For example,
users with the Application Security Policy Editor role can audit and
maintain application security policies but have no access to the network
or general system administration.
Configurable security levels
The Application Security Manager offers varying levels of security, from
general protection of web site elements such as file types and character
sets, to tailored, highly granular, application-specific security policies.
This flexibility provides enterprises the ability to choose the level of
security they need, and reduce management costs based on the level of
protection and risks acceptable to their business environment.

Introducing application security for the BIG-IP Local Traffic Manager
The Application Security Manager is the front-line defense for web
application resources managed by the BIG-IP Local Traffic Manager. When
you configure a security policy using the Application Security Manager, and
then configure one or more local traffic virtual servers to use that policy,
you exponentially reduce the possibility of your web application and
resources becoming victims of application-layer attacks. The Application
Security Manager is fully integrated with the Local Traffic Manager,
providing easy configuration and management of your web application
security throughout the life of the application.

Highlights of this configuration guide


The Configuration Guide for BIG-IP Application Security Management
contains configuration information for all of the application security
components, including:
• Application security classes
• Web applications
• Security policies
• Policy Builder
• Monitoring, statistics, and logging

This configuration guide also contains information on configuring a local
traffic virtual server to use an application security class to protect the web
application resources. The application security class is the bridge between
the local traffic components and the application security components.

Important
For detailed information on configuring the local traffic objects, refer to the
Configuration Guide for BIG-IP Local Traffic Management, which is
available on the Ask F5 Technical Support web site, http://tech.f5.com.


Using the Configuration utility


The Configuration utility is the browser-based graphical user interface for
the BIG-IP system. In the Configuration utility, the Main tab provides
access to the application security configuration objects, as well as the
network, system, and local traffic configuration objects. The Help tab
contains context-sensitive online help for each screen. Note that when you
click the application security objects that carry the link icon, the
Configuration utility opens a second screen.
Figure 1.1 displays the Welcome screen of the Configuration utility.

Figure 1.1 Welcome screen in the Configuration utility

Important
All users need to use the web-based Configuration utility to license the
system for the first time.


Browser support for the Configuration utility


You can use any of the following web browsers to access the Configuration
utility.
• Microsoft Internet Explorer, version 5.0, 5.5, and 6.0
• Mozilla, Firefox, Camino, Netscape Navigator 7.1, and other
  browsers using the same engine as Mozilla

Note

For the most current list of the supported browsers for the Configuration
utility, refer to the current release note on the Ask F5 Technical Support
web site, http://tech.f5.com.

Identifying referrer objects in the Configuration utility


In the Configuration utility, blue URLs indicate non-referrer objects, while
gold URLs indicate referrer objects. Referrers are web pages that can
request other objects. For example, an HTML page can request a GIF, JPG,
or PNG image file. The HTML page is a referrer, and the GIF, JPG, and
PNG files are non-referrers. Figure 1.2 illustrates a referrer object
(/buy2.php) and several non-referrer web objects.

Figure 1.2 Example of a referrer object in the Configuration utility


Stylistic conventions in this document


To help you easily identify and understand certain types of information, this
documentation uses the following stylistic conventions.

Using the solution examples


All examples in this documentation use only private IP addresses. When you
set up the configurations we describe, you must use IP addresses suitable to
your own network in place of our sample IP addresses.

Identifying new terms


When we first define a new term, the term is shown in bold italic text. For
example, a referrer is a web page that calls other web objects, such as image
files.

Identifying references to products


We refer to all products in the BIG-IP product family as BIG-IP systems.
We refer to the software modules by their name, for example, we refer to the
Local Traffic Manager module as simply the Local Traffic Manager. If
configuration information relates to a specific hardware platform, we note
the platform.

Identifying references to objects, names, and commands


We apply bold text to a variety of items to help you easily pick them out of a
block of text. These items include web addresses, IP addresses, utility
names, most controls in the Configuration utility, and portions of
commands, such as variables and keywords. For example, click the Apply
Policy button to make the security policy active.

Identifying references to other documents


We use italic text to denote a reference to another document. In references
where we provide the name of a book as well as a specific chapter or section
in the book, we show the book name in bold, italic text, and the
chapter/section name in italic text to help quickly differentiate the two. For
example, you can find information about local traffic virtual servers in the
Configuration Guide for BIG-IP Local Traffic Management, Chapter 2,
Configuring Virtual Servers.


Identifying command syntax


We show actual, complete commands in bold Courier text. Note that we do
not include the corresponding screen prompt, unless the command is shown
in a figure that depicts an entire command line screen. Table 1.1 explains
additional special conventions used in command line syntax.

Item in text   Description

\              Continue to the next line without typing a line break.

< >            You enter text for the enclosed item. For example, if the command
               has <your name>, type in your name.

|              Separates parts of a command.

[ ]            Syntax inside the brackets is optional.

...            Indicates that you can type a series of items.

Table 1.1 Command line conventions used in this manual


Finding help and technical support resources


You can find additional technical documentation and product information
using the following resources:
• Online help for Application Security components
  The Configuration utility has online help for each screen. The online help
  contains descriptions of each control and setting on the screen. Click the
  Help tab in the left navigation pane to view the online help for a screen.
• Welcome screen in the Configuration utility
  The Welcome screen in the Configuration utility contains links to many
  useful web sites and resources, including the F5 Networks Technical
  Support web site, the F5 Solution Center, the F5 DevCentral web site,
  plug-ins, SNMP MIBs, the Policy Browser, and SSH clients.
• F5 Networks Technical Support web site
  The F5 Networks Technical Support web site, http://tech.f5.com,
  provides the latest documentation for the product, including:
  • Release notes for the Application Security Manager and the Local
    Traffic Manager, current and past
  • Configuration Guide for BIG-IP Local Traffic Management
  • Installation, Licensing, and Upgrades for BIG-IP Systems
  • BIG-IP Network and System Management Guide
  • Platform Guide: 1500, 3400, 6400, and 6800
  • Technical notes
  • Answers to frequently asked questions
  • The Ask F5 natural language question and answer engine
  To access this site, you need to register at http://tech.f5.com.

2
Essential Configuration Tasks

Overview of the essential configuration tasks

Defining a local traffic pool

Defining an application security class

Defining a local traffic virtual server

Configuring the web application language

Determining the required security level for the web application

Setting the active policy for the web application

Refining the security policy using the Learning process

Activating blocking mode on the security policy

Maintaining and monitoring the security policy


Essential Configuration Tasks

Overview of the essential configuration tasks


This chapter is your guide to the essential configuration tasks you must
complete to initially create and refine a standard security policy for a web
application on the Application Security Manager. Implementing a security
policy for a web application has two phases that correspond to the security
policy modes: transparent and blocking. In phase one, the security policy
operates in transparent mode to learn about the web application and the
traffic that the web application processes. In phase two, you gradually
activate the blocking mode to actively prevent illegal access to the web
application.
The phase one configuration tasks are:
Define a local traffic pool.
The local traffic pool contains the web server or application server
resources that host the web application that you want to protect with a
security policy. You create the local traffic pool, and then associate the
pool with the application security class. See Defining a local traffic pool,
on page 2-3, for more information.
Define an application security class.
When you define an application security class, the system automatically
creates a corresponding web application and a default security policy in
the Application Security Manager. See Defining an application security
class, on page 2-4, for more information.
Define a local traffic virtual server that uses the application security
class as a resource.
The local traffic virtual server load balances the network resources that
host the web application you are securing. The application security class
is the bridge that links the security policy to the web application traffic
through the virtual server. You configure the virtual server, and then
associate the application security class with the virtual server. See
Defining a local traffic virtual server, on page 2-5, for more information.
Set the language encoding for the web application.
When you first create a web application in the application security
configuration, you must configure the language encoding. See
Configuring the web application language, on page 2-6, for more
information.
Evaluate the required security level for the web application.
The type of security policy you configure depends on the required
security level for the web application. Before you start configuring the
security policy, you must assess the level of security that is appropriate
for the web application, based on business requirements and available
resources. See Determining the required security level for the web
application, on page 2-7, for more information.
Set the security policy to active.
The active security policy is the security policy that the Policy Enforcer
applies to incoming requests. See Setting the active policy for the web
application, on page 2-9, for more information.

Fine-tune the security policy using the Learning process.
See Refining the security policy using the Learning process, on page
2-10, for more information.
The phase two configuration tasks are:
Gradually activate blocking mode for the security policy to start
protecting the web application.
Once you are confident that the Learning process is reporting only
legitimate security policy violations, you can transition the security
policy from transparent mode to blocking mode. In blocking mode, the
Policy Enforcer blocks requests that do not comply with the security
policy, and forwards requests that do comply to the web application. We
recommend that you enable blocking gradually, so that you can fine-tune
the security policy as needed. See Activating blocking mode on the
security policy, on page 2-11, for more information.
Periodically review the security policy settings.
To ensure that the security policy is providing adequate application
security, review the forensics, monitoring, and statistics information on a
regular basis. See Maintaining and monitoring the security policy, on
page 2-12, for more information.

This chapter describes, in detail, the tasks that you perform to configure a
standard security policy for a web application hosted on a local traffic
virtual server.

Important
The tasks described in this chapter begin after you have installed the BIG-IP
system, activated the license, and configured the appropriate network
settings. If you have not yet completed these activities, refer to the
Installation, Licensing, and Upgrades for BIG-IP Systems guide, and the
BIG-IP Network and System Management Guide for additional
information. Both of these guides are available at http://tech.f5.com.


Defining a local traffic pool


The first configuration task is to define a local traffic pool. The local traffic
pool contains the resources that host the actual web application content that
you want to protect with the security policy.

Important
The following procedure outlines only the basic pool configuration. For
detailed information on configuring pools, refer to the Configuration Guide
for BIG-IP Local Traffic Management, which is available on the Ask F5
Technical Support web site, http://tech.f5.com.

To define a local traffic pool


1. On the Main tab of the navigation pane, expand Local Traffic, and
then click Pools.
The Pools list screen opens.
2. Click the Create button.
The New Pool screen opens.
3. In the Configuration area, in the Name box, type a name for the
pool.
4. In the Resources area, for the New Members setting, in the
Address box, type the IP address for the web server or application
server that hosts the web application.
5. In the Service Port box, type the service port number (for example,
type 80 for the HTTP service), or select a service name from the list.
6. Click the Add button to add the resource to the New Members list.
7. Click the Finished button.
The screen refreshes and the system displays the new pool in the
pools list.


Defining an application security class


The second task is to configure an application security class. An application
security class is the logical bridge, or link, between the local traffic
components and the application security components. You use the
application security class to specify to which incoming HTTP traffic the
system applies application security before the virtual server forwards the
traffic to the web application. When you configure an application security
class, the system automatically creates a default web application and a
corresponding security policy on the Application Security Manager. See
Chapter 3, Working With Application Security Classes, for more information
on application security classes.

To create an application security class


1. On the Main tab of the navigation pane, expand Application
Security, and then click Classes.
The HTTP Class Profiles list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
3. In the General Properties area, in the Name box, type a name for the
application security class.
4. In the Configuration area, leave all of the settings at the defaults.
5. In the Actions area, for the Send To setting, select Pool.
The screen refreshes, and you see additional settings.
6. For the Pool setting, select the local traffic pool that you created.
7. Click Finished.
The system adds the class, the default web application, and the
corresponding security policy to the configuration, and displays the
HTTP Class Profiles list screen.

Note

In the Configuration utility, the application security class and the HTTP
Class Profile are different labels for the same object. The difference
between the two objects is that, for the application security class, the
Application Security setting is enabled by default. If you disable the
Application Security setting on an application security class, you effectively
turn off application security for the associated web application.


Defining a local traffic virtual server


The next configuration step is to define a virtual server on the local area
network. The virtual server processes the incoming traffic, which includes
applying the application security class to incoming HTTP traffic.

Important
The following procedure outlines only the basic virtual server configuration.
For detailed information on virtual servers, and other local traffic
components, refer to the Configuration Guide for BIG-IP Local Traffic
Management, which is available on the Ask F5 Technical Support web site,
http://tech.f5.com.

To configure a virtual server


1. On the Main tab of the navigation pane, expand Local Traffic, and
then click Virtual Servers.
The Virtual Servers list screen opens.
2. Click the Create button.
The New Virtual Server screen opens.
3. In the Name box, type a name for the virtual server.
4. In the Destination option, select Host, and type an IP address.
5. In the Service Port box, type 80. Alternately, you can select HTTP
from the list.
6. In the Configuration section, from the HTTP Profile list, select
http.
7. In the Resources section, for the HTTP Class Profiles setting, from
the Available list, select the application security class that you
created, and click the Move button (<<) to add the class to the
Enabled list.
8. Click Finished.
The system updates the configuration, and the Virtual Server list
screen opens, where you can see your newly created virtual server.

Important
For virtual servers that load balance resources for a web application that is
protected by the Application Security Manager, you must configure an
HTTP profile in addition to the application security class. Refer to steps 6
and 7 in the previous procedure.


Configuring the web application language


When you created the application security class, the Application Security
Manager automatically created a default web application within the
application security configuration. Before you can configure the
corresponding security policy, you configure the language encoding for the
web application. For more information on web applications and web
application properties, see Chapter 4, Working With Web Applications.

To configure the web application properties


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click a web application name.
The Web Application Properties screen opens.
3. For the Application Language setting, select the language
encoding in which the web application is written.
4. Leave the remaining settings at the default values.
5. Click Update.
The screen refreshes, and you see the web application properties and
the security policies list for the web application.

Important
You set the language encoding the first time you open the Web Application
Properties screen. You cannot change the language encoding once you set
it.


Determining the required security level for the web application
Before you start configuring the security policy itself, you need to determine
the security level that you want the security policy to enforce. This decision
is based on several factors: the complexity of the web application, how often
you update the web application, the business and site requirements for
protecting the web application, and the resources available to maintain the
security policy. All of these factors affect not only how long it takes to get
the Application Security Manager configured initially, but also the amount
of time it takes to maintain the system over time.

Important
We recommend that you configure a standard security policy first, to protect
the web application against the most common known threats, and to
familiarize yourself with the functionality of the Application Security
Manager. This chapter describes the tasks to configure a standard security
policy.

Understanding the security levels


By default, the Application Security Manager provides three security levels
for security policies: standard, enhanced standard, and high security (APC).
The security levels affect the granularity of the security policy, which in turn
affects the manageability of the security policy. In addition to the default
security levels, you can customize the security levels to meet the security
requirements for your web application. For additional information on
security levels, refer to Configuring the security level, on page 5-4.
Standard
The standard security level protects the general objects that make up the
web application, based on the built-in security logic of the Application
Security Manager. The standard security level applies a security policy
that uses a more generic set of rules, and requires less setup and
maintenance time than an enhanced standard or APC security policy.
Enhanced standard
An enhanced standard level of security is based on the protection offered
by a standard security policy, and uses a more granular level of security
to protect a small subset of objects in the application.
High security (APC)
The high security (APC) security level provides a more granular level of
security for the web application. The APC security level can protect
individual parameters within the application, their associated objects, and
also any flows to or from the object. The APC security level requires a
longer setup time, as the security policy configuration is more closely
tied to specific, individual objects and parameters in the application.


Understanding positive security logic


The Application Security Manager operates on the principle of positive
security logic. Positive security logic means that, when the security policy is
in blocking mode, the security policy permits only known, legitimate traffic
through to the web application. Compare this to negative security logic,
which means that the web application is subjected to all traffic, except that
which is known to be a threat because it matches the built-in negative logic
criteria. By using positive security logic in addition to negative security
logic, the Application Security Manager protects the web application against
both known and unknown threats (also known as zero-day threats).
The biggest advantage of deploying web application security based on
positive security logic is that it blocks all access to the web application
except for legitimate, known traffic. There may be times, however, when the
system blocks a request that is actually legitimate, in other words, generates
a false positive alarm. False positive alarms may occur when the web
application changes, or when the security policy does not yet account for the
entire web application. When this happens, you must adjust the security
policy settings accordingly, so that the security policy does not block that
type of request. This is an iterative process, and may take several days or
weeks.
The goal of testing and fine-tuning the security policy with trustworthy
traffic is to eliminate the false positive alarms. Once you have accomplished
this goal, you can gradually enable blocking mode for the security policy,
and be confident that the right clients are able to access the web application,
and the web application is protected from the myriad known and unknown
threats.
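The two-phase process from the chapter overview (transparent mode, learning suggestions, then blocking mode) and the positive versus negative logic described above, modelled as an added example. This is illustrative code written for this guide, not F5's Policy Enforcer; the file types, parameters, length limits and the two negative patterns are constructed sample data, and the real negative regular expression pool is far larger.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed stand-in for the negative regular expression pool: two
# generic, well-known signatures. Negative logic catches only known threats.
NEGATIVE_PATTERNS = [
    ("sql-injection", re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+1=1")),
    ("cross-site-scripting", re.compile(r"(?i)<script\b")),
]


@dataclass
class Policy:
    """Positive security policy: only the entities listed here are legitimate."""
    blocking: bool = False  # transparent mode until the operator switches it on
    # Constructed initial entities for the sample web application.
    file_types: set = field(default_factory=lambda: {"php", "html", "gif", "jpg", "png"})
    parameters: dict = field(default_factory=lambda: {"item": 16, "qty": 4})  # name -> max length
    suggestions: list = field(default_factory=list)  # what the Learning Manager has collected


@dataclass
class Verdict:
    forwarded: bool   # did the request reach the web application?
    violations: list  # alarms raised for this request (empty when compliant)


def file_type(path: str) -> str:
    """Extension of the last path segment, lower-cased, or '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def enforce(policy: Policy, method: str, url: str) -> Verdict:
    """Policy Enforcer for one request. Negative logic runs first (known attack
    signatures), then positive logic (method, file type and every parameter must
    be known). Each violation becomes a learning suggestion in either mode; only
    in blocking mode does a violation stop the request."""
    violations = []
    decoded = unquote_plus(url)  # signatures are matched on the decoded request
    for name, pattern in NEGATIVE_PATTERNS:
        if pattern.search(decoded):
            violations.append(f"attack signature: {name}")

    parts = urlsplit(url)
    if method not in ("GET", "POST"):
        violations.append(f"illegal method: {method}")
    ext = file_type(parts.path)
    if ext and ext not in policy.file_types:
        violations.append(f"illegal file type: {ext}")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        limit = policy.parameters.get(name)
        if limit is None:
            violations.append(f"illegal parameter: {name}")
        elif len(value) > limit:
            violations.append(f"parameter value too long: {name}")

    policy.suggestions.extend(v for v in violations if v not in policy.suggestions)
    blocked = policy.blocking and bool(violations)
    return Verdict(forwarded=not blocked, violations=violations)


def accept_suggestion(policy: Policy, suggestion: str) -> None:
    """Operator accepts a learning suggestion: the entity joins the policy, so
    the same request no longer raises an alarm (a resolved false positive)."""
    kind, _, entity = suggestion.partition(": ")
    if kind == "illegal file type":
        policy.file_types.add(entity)
    elif kind == "illegal parameter":
        policy.parameters[entity] = 32  # constructed default length for a learned parameter
    policy.suggestions = [s for s in policy.suggestions if s != suggestion]


if __name__ == "__main__":
    policy = Policy()
    # Phase one, transparent mode: a legitimate stylesheet request the policy
    # does not yet describe is forwarded but produces a learning suggestion.
    print(enforce(policy, "GET", "/style.css"))
    accept_suggestion(policy, "illegal file type: css")
    print(enforce(policy, "GET", "/style.css"))  # now compliant, no alarm
    # Phase two, blocking mode: a signature match is stopped, and so is an
    # unknown parameter that matches no signature (positive logic alone).
    policy.blocking = True
    print(enforce(policy, "GET", "/buy2.php?item=%27+or+1%3D1"))
    print(enforce(policy, "GET", "/buy2.php?item=widget&debug=1"))
```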


Setting the active policy for the web application


Once you have configured the basic security policy, you set the security
policy to active for the web application. The active security policy is the
security policy that the Policy Enforcer applies to incoming requests. If
some aspect of the request does not comply with the active security policy,
the Policy Enforcer generates an alarm, and the Learning Manager generates
a learning suggestion. See Configuring the active security policy, on page
4-3, and Setting the active policy for a web application, on page 5-33, for
additional information.

To set the active policy for a web application


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. Click a web application name.
The Web Application Properties screen opens.
3. In the Web Application Properties area, from the Active Security
Policy list, select the security policy that you have been configuring.
4. Click Update.
The screen refreshes, and in the Security Policies List area, you see
the Active icon next to the newly-active security policy.

Important
The Application Security Manager requires you to set the active policy every
time you change a property of a security policy. When a security policy has
been changed in any way, you see the Modified icon next to the security
policy name, in the Security Policies List.

Configuration Guide for BIG-IP Application Security Management 2-9


Chapter 2

Refining the security policy using the Learning process
The Learning process evaluates incoming requests for the web application,
and if a request contains an entity that does not comply with the security
policy, the Learning Manager generates a learning suggestion. You can then
examine the learning suggestion to determine whether the entity that caused
the learning suggestion should be part of the security policy. For more
information on the Learning process, and learning suggestions, see Chapter
8, Refining the Security Policy Using Learning.
When all of the learning suggestions generated by the Learning Manager
represent invalid requests, for example, requests for non-existent
information, or automated scripting attacks, you are ready to transition the
security policy into blocking mode. You can also use the data in the
Statistics section of the Configuration utility to help you decide whether the
security policy is ready to be put into blocking mode. These reports provide
data on all violations, not just the violations that trigger learning
suggestions. For more information on the Statistics reports, see Chapter 9,
Working with the Statistics and Monitoring Tools.
Security policies can be as restrictive as you need, based on the potential
threats and network traffic that the web application processes. For additional
details and information about working with security policies, refer to
Chapter 5, Working With the Security Policy.


Activating blocking mode on the security policy


You can activate blocking mode gradually, using the Blocking Policy
screen. For example, you can enable the Block flag for only the Illegal
HTTP format violation, so that the Application Security Manager blocks
any request that does not comply with the HTTP protocol standards. When
you gradually activate blocking, you can continue to refine the security
policy. Once you have activated blocking for the relevant security policy
violations, you can consider that any alarms that the Policy Enforcer reports
are for potentially harmful traffic.

To activate blocking mode for a security policy


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. Click a web application name.
The Web Application Properties screen opens.
3. In the Security Policies List area, click the name of the security
policy for which you want to activate blocking.
The Policy Properties screen opens.
4. In the Policy Properties area, for the Security Level setting, click
the Edit button.
The Blocking Policy screen opens.
5. Clear the Disable Blocking check box.
6. In the remaining sections of the screen, clear or check the Block and
Alarm check boxes as needed.
7. Click Save.
The system updates the security policy with any changes you made.
8. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Tip
The Security Reports screen, in Statistics, is a very good resource when you
are deciding whether a security policy is ready to put into blocking mode.
This screen displays how many instances of a violation have occurred.
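The positive security logic described on page 2-8, the learning suggestions, and the gradual activation of blocking described in this section can be seen working together in the following model. This is an added example written for readers of this guide; it is not F5 code and does not reproduce the Policy Enforcer's internals. The violation names, the per-violation Alarm and Block flags, the policy-wide blocking switch and the sample requests are constructed for the example.

```python
"""Model of positive security enforcement, learning and gradual blocking.

Added example, not F5 code. The policy is an allow-list (positive model) of
known objects and, per object, known parameter names. Each violation type
carries its own Alarm and Block flags; a policy-wide blocking_disabled
switch keeps the policy in transparent mode regardless of the Block flags.
Violation names, flag layout and the sample requests are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Flags:
    alarm: bool = True
    block: bool = False


@dataclass
class SecurityPolicy:
    objects: Set[str] = field(default_factory=set)                 # known URIs
    parameters: Dict[str, Set[str]] = field(default_factory=dict)  # URI -> known parameter names
    blocking_disabled: bool = True                                # transparent mode
    flags: Dict[str, Flags] = field(default_factory=lambda: {
        "illegal_http_format": Flags(),
        "illegal_object": Flags(),
        "illegal_parameter": Flags(),
    })
    alarms: List[Tuple[str, str]] = field(default_factory=list)
    learning_suggestions: List[tuple] = field(default_factory=list)


def find_violations(policy: SecurityPolicy, request: dict) -> List[str]:
    """Compare one request (method, uri, params) against the positive model."""
    if request.get("method") not in ("GET", "POST") or not str(request.get("uri", "")).startswith("/"):
        # A malformed request fails on protocol grounds; nothing else is checked.
        return ["illegal_http_format"]
    uri = request["uri"]
    if uri not in policy.objects:
        return ["illegal_object"]
    unknown = set(request.get("params", {})) - policy.parameters.get(uri, set())
    return ["illegal_parameter"] if unknown else []


def enforce(policy: SecurityPolicy, request: dict) -> str:
    """Return 'pass' or 'block', recording alarms and learning suggestions."""
    decision = "pass"
    for violation in find_violations(policy, request):
        flags = policy.flags[violation]
        if flags.alarm:
            policy.alarms.append((violation, request["uri"]))
        if violation in ("illegal_object", "illegal_parameter"):
            # Unknown entities become learning suggestions; a malformed request does not.
            policy.learning_suggestions.append(
                (violation, request["uri"], tuple(sorted(request.get("params", {})))))
        if flags.block and not policy.blocking_disabled:
            decision = "block"
    return decision


def accept_suggestion(policy: SecurityPolicy, suggestion: tuple) -> None:
    """Accepting a suggestion adds the entity to the positive model."""
    kind, uri, params = suggestion
    policy.objects.add(uri)
    policy.parameters.setdefault(uri, set())
    if kind == "illegal_parameter":
        policy.parameters[uri].update(params)
    policy.learning_suggestions.remove(suggestion)


def walkthrough() -> Tuple[Dict[str, str], SecurityPolicy]:
    """Transparent mode first, then blocking enabled one violation at a time."""
    policy = SecurityPolicy(objects={"/index.html", "/login"},
                            parameters={"/login": {"user", "password"}})
    login = {"method": "POST", "uri": "/login",
             "params": {"user": "a", "password": "b", "remember": "1"}}
    results = {}
    results["known"] = enforce(policy, {"method": "GET", "uri": "/index.html", "params": {}})
    # The application gained a page the policy does not know: a false positive
    # in transparent mode, which raises an alarm and a learning suggestion only.
    results["new_page_transparent"] = enforce(policy, {"method": "GET", "uri": "/news.html", "params": {}})
    accept_suggestion(policy, policy.learning_suggestions[0])
    results["new_page_after_learning"] = enforce(policy, {"method": "GET", "uri": "/news.html", "params": {}})
    # Gradual blocking: clear Disable Blocking, set Block only for Illegal HTTP format.
    policy.blocking_disabled = False
    policy.flags["illegal_http_format"].block = True
    results["malformed"] = enforce(policy, {"method": "BOGUS", "uri": "/index.html", "params": {}})
    results["unknown_param_still_passes"] = enforce(policy, login)
    # Later, once its alarms are understood, Block is set for Illegal parameter too.
    policy.flags["illegal_parameter"].block = True
    results["unknown_param_blocked"] = enforce(policy, login)
    return results, policy


if __name__ == "__main__":
    for name, decision in walkthrough()[0].items():
        print(f"{name}: {decision}")
```

The walkthrough shows the order of events this chapter recommends: while Disable Blocking is set, the unknown page produces only an alarm and a learning suggestion, and accepting the suggestion makes the same request legitimate; once blocking is enabled for Illegal HTTP format alone, malformed requests are blocked while the unknown-parameter request still passes with an alarm, until its Block flag is set as well.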


Maintaining and monitoring the security policy


The Application Security Manager provides many reporting and monitoring
tools, so that you can view and analyze the violations that the system detects
in the traffic through the web application. By actively using the monitoring
tools, you can be assured that your web applications are fully protected.

To view the monitoring tools


1. On the Main tab of the navigation pane, expand Application
Security, and then click Statistics.
The Events Monitoring screen opens.
2. On the menu bar, select the statistics type that you want to view.
3. On each screen, you can use the Filter option to customize and
refine the reports.

For additional information and details about the monitoring tools, refer to
Chapter 9, Working with the Statistics and Monitoring Tools.

3
Working With Application Security Classes

What is an application security class?

Understanding the traffic classifiers

Understanding the actions for the application security class

What is an application security class?


An application security class is the logical bridge, or link, between the local
traffic components and the application security components. You create one
or more application security classes, and then assign them as resources for
one or more local traffic virtual servers. When the virtual server receives an
HTTP request, it applies the application security classes, in the listed order,
and if the traffic classifiers find a match in the request, the system routes the
request to the Application Security Manager.
In the application security class, the traffic classifiers specify which
incoming HTTP traffic should be routed through the Application Security
Manager. The traffic classifiers use different elements of an HTTP request,
including host header values, URI paths, other headers and values, and
cookie names (or a combination of all of these), to determine which requests
go to the Application Security Manager. For requests that match the traffic
classifiers, the Application Security Manager applies the active security
policy to the designated traffic, and processes the traffic according to the
security policy settings.
When you configure an application security class, the system automatically
creates a default web application and security policy in the Application
Security Manager configuration. You can create several application security
classes for your web site, so that you can apply different security policies to
different aspects of your web application. Note that while you can create
several security policies for your web application, you can have only one
active security policy for that web application.

Understanding the difference between an application security class and an HTTP class profile
The application security class and the HTTP class profile are two names for
the same basic object in the Configuration utility. The primary difference
between the two objects is that when you configure an application security
class, the system automatically enables the Application Security setting
within the application security class. For HTTP class profiles, you must
explicitly enable the Application Security setting within the profile, as well
as enabling all of the option settings for this object. You configure
application security classes from the Application Security section of the
Main tab on the navigation pane. You configure HTTP class profiles from
the Profiles link in the Local Traffic section of the Main tab. (For
information on the generic HTTP class profile, see the Configuration Guide
for BIG-IP Local Traffic Management, Chapter 8, Managing Protocol
Profiles.)

Tip
We recommend that you create the application security classes from the
Application Security section on the Main tab of the navigation pane so that
the system automatically enables the application security options for you.


Creating a basic application security class


A basic application security class simply routes all HTTP traffic through the
Application Security Manager.

To create a basic application security class


1. On the Main tab of the navigation pane, expand Application
Security, and then click Classes.
The HTTP Class Profiles list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
3. Type a name for the application security class.
Note that in the application security configuration, the
corresponding web application and security policy also use this
name.
4. In the Configuration area, leave all of the traffic classifier settings at
the default, which is Match All.
5. In the Actions area, for the Send To setting, select Pool.
6. In the Pool setting, select the local traffic pool that contains the web
server resources for your web application.
Note: If you have not already configured a local traffic pool, refer
to Chapter 4, Configuring Load Balancing Pools, in the
Configuration Guide for BIG-IP Local Traffic Management.
7. Click Finished.
The system adds the new application security class, and its
corresponding web application and security policy, to the
configuration, and displays the HTTP Class Profiles list screen.

Tip
For additional information on the options on this screen, click the Help tab
in the navigation pane.


Understanding the traffic classifiers


You can use the traffic classifiers in the application security class to specify
exactly which traffic goes through the Application Security Manager before
it reaches the web application resources. The traffic classifiers perform
pattern matching against HTTP requests, based either on wildcard strings or
on regular expressions. When the traffic classifier finds a match in an HTTP
request, the system forwards that request to the Application Security
Manager. The Application Security Manager then applies the active security
policy to the request.
The traffic classifiers perform pattern matching using either literal strings or
regular expressions. The literal strings can include wildcard characters, such
as asterisk (*) or question mark (?). The regular expressions use the Tcl
regular expression syntax. You can use a mixture of matching types within
each traffic classifier.

Note
See the F5 Dev Central web site, http://devcentral.f5.com, for information
on Tcl expressions and syntax.

How the system applies the traffic classifiers


You can configure one or more traffic classifiers in each application security
class. If the traffic classifier has multiple matching objects within its list, the
system looks for a match until it finds one, and forwards the request when it
does. If you configure more than one type of classifier (for example, you
configure both a URI path and a header traffic classifier), the system
performs the pattern matching and forwards only the traffic that matches
both traffic classifier types. If you configure multiple entries within each
traffic classifier list, the system performs the pattern matching until it finds a
match. The matching does not have to match all of the entries in the traffic
classifier list.

Using the Hosts traffic classifier


You can use the Hosts traffic classifier to specify hosts whose traffic you
want to direct through the Application Security Manager. When you use the
Hosts traffic classifier, the system performs pattern matching against the
information contained in the Host: header in a request.

Tip
Just by configuring the valid host headers for the web application, you get
immunity to most of the worms that are spread by an IP address as a value
in the Host header.

To configure an application security class using the Hosts traffic classifier

1. On the Main tab of the navigation pane, expand Application
Security, and then click Classes.
The HTTP Class Profiles list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
3. Type a name for the application security class.
4. In the Configuration area, for the Hosts setting, select Match Only.
The screen refreshes, and you see the Host List.
5. Add hosts to the Host List as needed.
6. Select the Entry Type, either Pattern String or Regular
Expression (regex). When you select Regular Expression (regex),
the system prepends (regex) when you add the object to the list.
7. Configure the remaining settings as needed.
8. Click Finished.
The system adds the new application security class, the
corresponding web application, and a default security policy to the
configuration, and displays the HTTP Class Profiles list screen.

Tip
For information on the other options on this screen, click the Help tab in the
navigation pane.

Using the URI Paths traffic classifier


You can use the URI Paths traffic classifier to specify one or more URI
paths whose requests you want to direct through the Application Security
Manager. When you use the URI Paths traffic classifier, the system
performs pattern matching against the URI path in a request.

To configure an application security class using the URI Paths traffic classifier

1. On the Main tab of the navigation pane, expand Application
Security, and then click Classes.
The HTTP Class Profiles list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
3. Type a name for the application security class.
4. In the Configuration area, for the URI Paths setting, select Match
Only.
The screen refreshes, and you see the URI Path List.


5. Add URIs to the URI Path List as needed.
6. Select the Entry Type, either Pattern String or Regular
Expression (regex). When you select Regular Expression (regex),
the system prepends (regex) when you add the object to the list.
7. Configure the remaining settings as needed.
8. Click Finished.
The system adds the new application security class, the
corresponding web application, and a default security policy to the
configuration, and displays the HTTP Class Profiles list screen.

Tip
For information on the other options on this screen, click the Help tab in the
navigation pane.

Using the Headers traffic classifier


You can use the Headers traffic classifier to specify one or more headers
whose associated requests you want to direct through the Application
Security Manager. When you use the Headers traffic classifier, the system
performs pattern matching against the headers and their values in a request.

Note
If you want to classify traffic using the Cookie header, use the Cookies
traffic classifier instead of the Headers traffic classifier. See Using the
Cookies traffic classifier, on page 3-6, for more information.

To configure an application security class using the Headers traffic classifier

1. On the Main tab of the navigation pane, expand Application
Security, and then click Classes.
The HTTP Class Profiles list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
3. Type a name for the application security class.
4. In the Configuration area, for the Headers setting, select Match
Only.
The screen refreshes, and you see the Header List.
5. Add headers and their values to the Header List as needed. Include
the colon when you add headers to this list, for example:
User-Agent:<value>.
6. Select the Entry Type, either Pattern String or Regular
Expression (regex). When you select Regular Expression (regex),
the system prepends (regex) when you add the object to the list.
7. Configure the remaining settings as needed.


8. Click Finished.
The system adds the new application security class, the
corresponding web application, and a default security policy to the
configuration, and displays the HTTP Class Profiles list screen.

Tip
For information on the other options on this screen, click the Help tab in the
navigation pane.

Using the Cookies traffic classifier


You can use the Cookies traffic classifier to specify one or more cookies
whose associated requests you want to direct through the Application
Security Manager. When you use the Cookies traffic classifier, the system
performs pattern matching against the cookie name information in the
Cookie header in a request.

To configure an application security class using the Cookies traffic classifier

1. On the Main tab of the navigation pane, expand Application
Security, and then click Classes.
The HTTP Class Profiles list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
3. Type a name for the application security class.
4. In the Configuration area, in the Cookies setting, select Match
Only.
The screen refreshes, and you see the Cookie List.
5. Add cookie names to the Cookie List as needed.
6. Select the Entry Type, either Pattern String or Regular
Expression (regex). When you select Regular Expression (regex),
the system prepends (regex) when you add the object to the list.
7. Configure the remaining settings as needed.
8. Click Finished.
The system adds the new application security class, the
corresponding web application, and a default security policy to the
configuration, and displays the HTTP Class Profiles list screen.

Tip
For information on the other options on this screen, click the Help tab in the
navigation pane.
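The matching rules stated under How the system applies the traffic classifiers, together with the four classifier types described above (Hosts, URI Paths, Headers and Cookies) and the ordered application of classes by the virtual server, are easy to misread. The following model is an added example written for this guide's readers, not F5 code: it implements those rules so that you can check how a given request would be classified before you build the classes in the Configuration utility. The Request and SecurityClass layout, the sample classes, and the hostnames are constructed for the example; the "(regex)" prefix and the "Name:value" header entry form follow the text above.

```python
"""Model of how a virtual server applies application security classes.

Added example, not F5 code. It reproduces the matching rules this chapter
states: within one classifier list (Hosts, URI Paths, Headers, Cookies) a
single matching entry is enough; across the lists you configured, every
list must match; a list left at Match All always matches; classes are tried
in listed order and an action of None hands the request to the next class.
Entries are pattern strings with * and ? wildcards, or regular expressions
carrying the "(regex)" prefix the GUI prepends. Header entries use the
"Name:value" form the chapter shows. The Request/SecurityClass layout and
the sample classes and hostnames are constructed for this example."""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

REGEX_PREFIX = "(regex)"


@dataclass
class Request:
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class SecurityClass:
    name: str
    hosts: Optional[List[str]] = None      # None means Match All
    uri_paths: Optional[List[str]] = None
    headers: Optional[List[str]] = None    # entries such as "User-Agent:Mozilla*"
    cookies: Optional[List[str]] = None    # cookie names
    action: str = "pool"                   # "pool", "redirect" or "none"


def entry_matches(entry: str, value: str) -> bool:
    """One list entry against one request value."""
    if entry.startswith(REGEX_PREFIX):
        # Python's re stands in for the Tcl regex engine of the real system;
        # the two agree for patterns as simple as the ones used here.
        return re.search(entry[len(REGEX_PREFIX):].strip(), value) is not None
    return fnmatch.fnmatchcase(value, entry)   # * and ? wildcards


def list_matches(entries: Optional[List[str]], values: List[str]) -> bool:
    """Match All when unset; otherwise any entry against any value (OR)."""
    if entries is None:
        return True
    return any(entry_matches(e, v) for e in entries for v in values)


def class_matches(cls: SecurityClass, req: Request) -> bool:
    """Every configured classifier list must match (AND across lists)."""
    header_values = [f"{name}:{value}" for name, value in req.headers.items()]
    return (list_matches(cls.hosts, [req.host])
            and list_matches(cls.uri_paths, [req.path])
            and list_matches(cls.headers, header_values)
            and list_matches(cls.cookies, list(req.cookies)))


def route(classes: List[SecurityClass], req: Request) -> Optional[Tuple[str, str]]:
    """First class, in listed order, that matches with an action other than
    None decides. Returns None when no class claims the request; what happens
    to it then depends on the virtual server's other settings."""
    for cls in classes:
        if class_matches(cls, req) and cls.action != "none":
            return cls.name, cls.action
    return None


def example_classes() -> List[SecurityClass]:
    """Constructed classes; example.com and example.net are reserved names."""
    return [
        SecurityClass("store", hosts=["www.example.com", "(regex) ^shop\\.example\\.(com|net)$"],
                      uri_paths=["/store/*"]),
        SecurityClass("api", headers=["X-API-Version:2*"], cookies=["api_session*"]),
        SecurityClass("legacy", uri_paths=["/legacy/*"], action="none"),
        SecurityClass("site", hosts=["*.example.com", "example.com"]),
    ]


if __name__ == "__main__":
    classes = example_classes()
    print(route(classes, Request("www.example.com", "/store/cart")))
    print(route(classes, Request("203.0.113.10", "/store/cart")))  # bare IP in Host
```

Two behaviours worth noticing in this model: a request that carries the expected X-API-Version header but no matching cookie falls out of the "api" class, because both configured lists must match; and a request whose Host header is a bare IP address, the case the tip under Using the Hosts traffic classifier refers to, matches none of the classes that name hosts.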


Understanding the actions for the application security class
The actions of the application security class designate what the system does
with the traffic when the traffic matches one or more of the traffic classifier
criteria. The actions for the application security class are as follows.
Send to pool
When you use the send to pool action, the system sends any traffic that
matches the traffic classifier criteria to the Application Security
Manager.
Redirect to another resource
When you use the redirect action, the system sends any matching traffic
(based on the full HTTP URI) to another resource on the network.
None
When you use the none action, the system does nothing with the traffic
within the context of this application security class. The system may
process the request according to other settings for the virtual server, for
example, the system may apply another HTTP class, or forward the
request to the virtual server's default pool.

To configure an action for the application security class


1. On the Main tab of the navigation pane, expand Application
Security, and then click Classes.
The HTTP Class Profiles list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
3. Type a name for the application security class.
4. In the Configuration area, configure the traffic classifiers as needed.
5. In the Actions area, for the Send To setting, specify what you want
the system to do with the traffic related to this application security
class. See the online help for assistance with specific screen
elements.
6. Click Finished.
The system adds the new application security class, the default
security policy, and the default web application to the configuration,
and displays the HTTP Class Profiles list screen.

Using the Rewrite URI action


You can use the Rewrite URI action to rewrite a URI without sending an
HTTP redirect to the requesting client. For example, an ISP may host a site
that is composed of different web applications, such as a secure store
application and a general information application. To the client, these two
applications are the same site, but on the server side they are different
applications. You can use the Rewrite URI action to transparently route the
client's request to the appropriate application.
You use Tcl expressions for this setting. If you use a static URI, the system
maps the static URI for every incoming request. For details on using Tcl
expressions, and Tcl syntax, see the F5 Networks Dev Central web site,
http://devcentral.f5.com.

Note
The Rewrite URI action is applicable only if you are using the Hosts or URI
Paths traffic classifiers.

To configure the Rewrite URI action


1. On the Main tab of the navigation pane, expand Application
Security, and then click Classes.
The HTTP Class Profiles list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
3. Type a name for the application security class.
4. In the Configuration area, configure the traffic classifiers as needed,
specifically the Hosts or URI Paths classifiers.
5. In the Actions area, for the Send To setting, select Pool.
6. In the Pool setting, select the name of the local traffic pool to which
you want the system to send the traffic.
7. In the Rewrite URI setting, type the Tcl expression that represents
the URI that the system inserts in the request to replace the existing
URI.
8. Click Finished.
The system adds the new application security class, the default
security policy, and the default web application to the configuration,
and displays the HTTP Class Profiles list screen.

Tip
See the F5 Dev Central web site, http://devcentral.f5.com, for information
on Tcl expressions and syntax.

4
Working With Web Applications

What is a web application?

Configuring the properties of a web application

Working with web application groups

Working with a disabled web application

Overview of the Security Policies List

What is a web application?


In the Application Security Manager, a web application is the logical
representation of the application that you are securing with one or more
security policies. When you create an application security class, the system
automatically creates a corresponding web application and default security
policy for the web application.

Note
For detailed information on application security classes, refer to Chapter 3,
Working With Application Security Classes.

Viewing the configured web applications


Once you have created any Application Security classes, you can review the
corresponding list of web applications within the Application Security
Manager. The web application list provides the following summary
information:
• The name of the web application or web application group
• The current active security policy
• The Blocking mode of the security policy
• The level of logging
• Whether the web application (and the corresponding application security
class) is enabled or disabled

To view the list of web applications


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Application Groups screen opens.
2. Click a web application name to view or modify its properties.
3. Alternatively, click an active policy to view or modify its properties.

Note
For information on working with web application groups, refer to Working
with web application groups, on page 4-7.


Configuring the properties of a web application


In the Application Security Manager, the web application properties specify
the general attributes and preferences for the web application itself. The web
application properties help refine how the Application Security Manager
processes requests for the web application.

To view the web application properties


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click a web application name.
The Web Application Properties screen opens, where you can view
and modify the web application's properties and security policies.

Configuring the web application language


Every web application has a language encoding that determines the
character set that browsers use to display the application. The Application
Security Manager supports single-byte and several double-byte language
encodings. You must set the application language so that the Application
Security Manager knows the acceptable character set for the application.
The Application Security Manager uses the encoding associated with the
selected language for policy editing purposes. The Policy Enforcer also uses
the language encoding for the web application when applying a security
policy to a request.

Important
You must set the application language before you can see or work with any
of the other web application properties, or configure security policies for
the web application. Note that once you set the web application language,
you cannot change it.

To set the web application language


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click a web application name.
The Web Application Properties screen opens.
3. In the Web Application Properties section, from the Application
Language list, select the character set encoding that is appropriate
for your web application.
4. Click Update.
The screen refreshes, and you see the web application properties and
policies list.


Configuring the active security policy


The active security policy is the security policy that the Application Security
Manager uses to validate requests for, and responses from, the web
application. Only one security policy can be active at a time, even though
you may have several security policies configured for the web application.

To configure the active security policy


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click a web application name.
The Web Application Properties screen opens.
3. In the Web Application Properties section, in the Active Security
Policy list, select the security policy that you want to be the active
security policy for the web application. Note that the system
automatically enables (checks) the Apply Policy setting when you
change the Active Security Policy setting on this screen.
4. Click Update.
The screen refreshes, and in the Policies List, you see the Active
Policy icon next to the new active security policy.

Important
You can set the active security policy from most screens in the
Configuration utility, in addition to setting it from the Web Application
Properties screen, as described above. For more information on setting the
active security policy, see Setting the active policy for a web application, on
page 5-33.

Configuring requests logging


The requests logging setting determines whether the system logs every
request for a web application, or only those requests that violate the active
security policy. You can review the logged requests on the Forensics screen
for the web application.

Tip
If your web application receives a high volume of requests, you may want to
log only those requests that violate the active security policy so that the
system resources are not overburdened.


To set the requests logging level


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click a web application name.
The Web Application Properties screen opens.
3. In the Web Application Properties section, for the Request Logging
setting, select the logging level for the web application.
4. Click Update.
The system updates the configuration with any changes you may
have made.

Enabling traffic sampling for the Policy Builder


The Policy Builder is a tool that you can use to build a security policy based
on real traffic (both requests and responses) and generated traffic. When you
enable traffic sampling for a web application, the Policy Builder extracts
web objects, parameters, flows, and other web application components from
request and response pairs. You can configure traffic sampling to occur
either at a specified interval, or on a continuous basis.

Note
Traffic sampling applies only to the following Policy Builder operation
modes: Real Traffic (Responses) and Real Traffic (Requests). For more
information on the Policy Builder operation modes, refer to Understanding
the Policy Builder operation modes, on page 6-10.

To enable traffic sampling for the Policy Builder


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click a web application name.
The Web Application Properties screen opens.
3. In the Web Application Properties section, for the Traffic
Sampling option, select whether you want to enable or disable
traffic sampling. Note that if you select interval traffic sampling,
you must specify a time interval, in seconds.
4. Click Update.
The system updates the configuration with any changes you may
have made.
For more information on working with the Policy Builder, refer to Chapter
6, Building a Security Policy With the Policy Builder.


Configuring the target security policy for learning suggestions


When you accept the learning suggestions that the Learning Manager
generates, it updates the target security policy. This is the security policy
that you specify as the one to which the Application Security Manager
applies learning. Depending on which option you select for the Apply
Learning to setting, the Application Security Manager updates only the
active security policy, all security policies (those in the web application's
Security Policies List), or a specific security policy.

To configure the target security policy for learning suggestions

1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click a web application name.
The Web Application Properties screen opens.
3. In the Web Application Properties section, for the Apply Learning
To setting, select the appropriate security policy option.
4. Click Update.
The system updates the configuration with any changes you may
have made.
For more information on the Learning Manager and working with learning
suggestions, refer to Chapter 8, Refining the Security Policy Using
Learning.

Enabling dynamic sessions in URLs


When a web application uses dynamic sessions in URLs, the Application
Security Manager cannot use its normal functions to extract and enforce
objects or flows because the URI becomes dynamic. If the web application
that you are securing stores dynamic session information in a URL, you can
enable the Dynamic Sessions in URL option so that these requests do not
trigger security policy violations. When you enable the Dynamic Sessions
in URL option, the Application Security Manager extracts the dynamic
session information from the request, based on the pattern that you
configure, and applies the security policy to the remaining elements in the
URI. Additionally, the system can extract the dynamic session information
from a response.

Important
The Dynamic Sessions in URL option applies only to security policies that
use the high security level. If you enable this setting and you use only a
standard security level, the Policy Enforcer ignores the dynamic session
setting.

Configuration Guide for BIG-IP Application Security Management 4-5


Chapter 4

To enable dynamic sessions in URLs


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click a web application name.
The Web Application Properties screen opens.
3. In the Web Application Properties section, for the Dynamic
Sessions in URL option, enable or disable the dynamic sessions in
URL as required by the web application. For help with the settings,
click the Help tab in the navigation pane.
4. Click Update.
The system updates the configuration with any changes you have
made.

Returning a web application to a new, unconfigured state


There may be circumstances when you want to remove all security policies,
forensics, logging, and configuration information from a web application,
and set the web application back to a new, non-configured state. You can do
this by using the Reconfigure button on the Web Application Properties
screen.

Important
Using the Reconfigure button to clear the configuration information for a
web application is a permanent action, and cannot be undone. Use this
setting with caution.

To set a web application back to a new state


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click a web application name.
The Web Application Properties screen opens.
3. Below the Web Application Properties area, click the Reconfigure
button.
A confirmation popup screen opens.
4. Click OK to complete the reset action.
The system deletes all data associated with this web application
from the configuration.

Working with web application groups


A web application group is a collection of web applications within the
Application Security Manager configuration. Web application groups are
made up of two or more web applications. A web application can belong to
more than one web application group; however, a web application does not
have to belong to a web application group. The Application Security
Manager lists web applications that are not members of any web application
group in the ungrouped area of the Web Application Groups screen. Recall
that there is a one-to-one relationship between application security classes
and web applications. In many cases, you may have several application
security classes (and thus, web applications) configured for one actual web
application. You can create a web application group, and then use that group
to consolidate the forensics, events, and log information about the actual
web application.

Creating a web application group


When you create a web application group, you are creating an association
between the member web applications. Once you have created a web
application group, you can view statistics, logging, forensics, and security
events in the context of the web application group, in addition to the
individual web applications themselves.

To create a web application group


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Application Groups screen opens.
2. Click the Create button.
The Group Properties screen opens.
3. In the Name box, type a name for the group.
4. For the Web Applications setting, from the Available list, select
the web applications that you want to add to the new web
application group, and use the Move (<<) button to add them to the
Members list.
5. Click Save to update the configuration with the new web application
group.

Removing a web application group


If you no longer require the web application group, you can easily remove
the group from the configuration. Note that this action does not delete the
web applications themselves.

To delete a web application group


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Application Groups screen opens.
2. Check the Select box next to the web application group that you
want to delete, and then click Delete.
A confirmation popup screen opens.
3. Click OK.
The system deletes the web application group.

Working with a disabled web application


There are two situations in which the Application Security Manager
automatically disables web applications. These situations occur when you:
• Disable the Application Security setting on an application security class
• Delete an application security class entirely

The system disables the web application because a web application must
have a corresponding application security class.

Note

For more information on application security classes, refer to Chapter 3,
Working With Application Security Classes.

Viewing disabled web applications


When the system disables a web application, it moves the web application to
the Disabled Web Applications list screen. From there, you can decide
whether to permanently delete or to retain the web application.

To view the disabled web applications


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Application Groups screen opens.
2. On the menu bar, click Disabled Web Applications.
The Disabled Web Applications screen opens, where you can
review the currently disabled web applications.

Re-enabling a web application


You can re-enable a disabled web application either by creating an
application security class with the same name as the disabled web
application, or by re-enabling the Application Security setting for an
existing application security class. In both cases, the system automatically
re-enables the disabled web application as long as the application security
class has the same name, exactly, as the disabled web application.

Overview of the Security Policies List


On the Web Application Properties screen, the Security Policies List section
displays all of the security policies that exist for the web application. The
Security Policies List provides summary information about the web
application's security policies, including the blocking mode, security level,
time at which the security policy was set to active, and the user who set the
security policy to active. You can also perform many administrative actions
from the security policy list, including creating, exporting, importing,
copying, merging, viewing the history of, or deleting a security policy. For
detailed information on configuring and administering a security policy,
refer to Chapter 5, Working With the Security Policy.

Note

While only one security policy can be active for a given web application,
you may have several security policies configured to meet various business
requirements for the web application.

5
Working With the Security Policy

What is a security policy?

Working with the security policy properties

Working with the security policy entities

Setting the active policy for a web application

Working with the Blocking Policy settings

How the Policy Enforcer enforces security policies

Understanding security policy violations

Maintaining a security policy

Viewing the security policy using the security policy audit tools


What is a security policy?


The core of the Application Security Manager's security functionality is the
security policy. The security policy is a map of the web application itself.
When the Application Security Manager receives an incoming HTTP or
HTTPS request for the web application, the system compares the request to
the active security policy. If the request does not comply with the security
policy, the Application Security Manager processes the request according to
the blocking mode: either the system issues a security alert and lets the
request through; or the system issues a security alert, blocks the request, and
sends a blocking response and support ID to the client. In both cases, the
system reports the security policy violation, and records the request in the
Forensics information. You can then review the violation to decide if it
really was a legitimate request. If the request is legitimate, then you can
update the security policy accordingly.

Chapter overview
This chapter contains information about the following aspects of the security
policy.
Security policy properties
The security policy properties determine the overall characteristics and
behavior of the security policy. The security policy properties specify
how the security policy interacts with the security policy entities. The
security policy properties also specify how the security policy processes
and responds to security policy violations.
Security policy entities
The security policy entities compose the security policy. The security
policy entities can include web objects, object types, parameters, flows,
character sets, and regular expressions.
Managing the security policy
Security policies may need to be modified over time, as the protected
web application changes. In addition to the tools that you can use to build
and refine a security policy (the Policy Builder and the Learning
process), you can manually add, edit, or delete almost every entity in the
security policy.

Working with the security policy properties


Before you configure the security policy entities, which are the map of the
web application, you configure the policy properties of the security policy.
The policy properties are the general configuration options and settings that
determine the overall behavior and functionality of the security policy. Note
that not all policy properties apply to all security policies. Some are
applicable only if you are configuring a security policy that uses the high
security level. (See Configuring the security level, on page 5-4, for more
information on security levels.)
The policy properties include the following options:
General policy properties
The general policy properties specify the general characteristics of the
security policy.
Policy Builder
The Policy Builder is a set of automated tools that you can use to build
and refine the security policy entities. See Chapter 6, Building a Security
Policy With the Policy Builder, for additional information on the Policy
Builder.
Blocking response page
The blocking response page specifies the content of the response that the
system sends when the security policy blocks a client request from
accessing the web application.
Sensitive parameters
You can use the sensitive parameters property to protect sensitive user
input, such as a password or a credit card number, in a validated request.
Allowed modified cookies
The allowed modified cookies property specifies any HTTP cookies that
the security policy should ignore, even if the cookies do not meet the
expected criteria.
Allowed methods
The allowed methods property specifies the HTTP methods that are
acceptable within the context of the web application.
Navigation parameters
The navigation parameters property specifies parameters within an HTTP
request that the system treats as if they are part of the URL, even though
they are not.

The following sections of this chapter describe the security policy properties
in detail.

Important
Any time you make a change to a security policy, no matter how small, you
must apply the security policy to make it the active security policy. Once you
set the active security policy, the Policy Enforcer enforces any changes you
have made. To set the active policy, refer to Setting the active policy for a
web application, on page 5-33, for detailed information.

Working with the general policy properties


You use the general policy properties to configure the general attributes of
the security policy, including the security level.

To configure the general policy properties for a security policy


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of a security policy.
The Policy Properties screen opens.
4. In the Policy Properties area, make changes to the general security
policy properties as required. For additional information on the
settings, click the Help tab in the navigation pane.
5. Click the Save button to save any changes you may have made to
the general security policy properties.
6. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Configuring the security policy name and description


Each security policy that you configure has a unique name, which you
configure on the Policy Properties screen as part of the general properties.
At minimum, a new security policy must have a name. You can change the
security policy name at any time. You can also provide a description of the
security policy, to help you better identify the security policy.

To configure the security policy name


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of a security policy.
The Policy Properties screen opens.
4. In the Policy Properties area, for the Security Policy Name setting,
type a unique name for the security policy.
5. Optionally, in the Policy Description box, type a description, as
required.
6. Click the Save button to save any changes you may have made.
7. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Viewing the security policy's corresponding web application


From the Policy Properties screen, you can easily review the corresponding
web application.

To view the web application for a security policy


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of a security policy.
The Policy Properties screen opens.
4. In the Policy Properties area, click the name of the web application
in the Web Application setting.
The Web Application Properties screen opens, where you can view
the details of the web application.

Configuring the security level


There are three system-supplied security policy levels: standard, enhanced
standard, and high security (also known as APC). The security level
determines the degree of granularity to which the security policy protects the
web application. The security levels are cumulative in nature; for example,
an enhanced standard security policy provides all the protection of a
standard security policy, and also protects a subset of entities that you
specify. Note that as you increase the granularity of protection, you also
increase the maintenance commitment for the security policy.
Each security level offers its own advantages.
Standard
A standard level of security protects against common, known attacks. A
security policy that uses the standard security level contains the object
types and character sets for the web application. A standard security
policy also includes a negative regular expressions pool that the system
uses to detect known attack patterns. In a standard security policy, each
page of the web application is an entry point. A standard security policy
primarily uses negative security logic to protect the web application.
You can configure the standard security policy to protect the application
against attacks in the following areas:
• SQL injection
• Cross-site scripting
• Cookie poisoning
• Buffer overflow
• Parameter tampering (lengths and meta characters)
• Forceful browsing (file type enforcement)
• Stealth commanding
• Back-door and debug options
• Third-party misconfiguration

Enhanced Standard
An enhanced standard level of security is based on the protection offered
by a standard security policy, but uses high security to protect a small
subset of objects in the application. For example, a security policy that
uses the enhanced standard security level might include flows or
user-input parameters, in addition to the object types, meta characters,
and negative regular expressions that are in a standard security policy.
An enhanced standard policy protects the web application with a
combination of positive and negative security logic.
High Security (APC)
An APC security policy protects against common, known attacks (like a
standard security policy does), and also protects individual parameters
within the application, their associated web objects, and any flows to or
from the objects. When you have fully configured an APC security
policy, and put it into blocking mode, it applies mostly positive security
logic. (See Understanding positive security logic, on page 2-8, for more
information.) The APC security level requires a longer setup time, as the
security policy configuration is more closely tied to specific entities in
the application.
Custom
Whenever you modify any of the default settings on the Blocking Policy
screen, and you save the modifications, the system saves the security
level as Custom. You can modify the default settings for any of the
system-supplied security levels (Standard, Enhanced Standard, or High
Security) to create a custom security level. Note that you can create only
one custom security policy.

To edit a system-supplied security level


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of the security policy that you want to update.
The Policy Properties screen opens.
4. In the Policy Properties area, for the Security Level setting, click
the Edit button.
The Blocking Policy screen opens.
5. Make any changes on this screen that are pertinent to your web
application.
6. Click Save to save any changes you may have made to the Blocking
Policy settings.
7. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Note

On the Blocking Policy screen, the default settings change depending on the
security level of the security policy. For full details on working with the
Blocking Policy screen, refer to Working with the Blocking Policy settings,
on page 5-35.

Configuring the blocking mode


There are two blocking modes for a security policy: transparent and
blocking. When the system receives an incoming HTTP request that does
not comply with the security policy, the system logs the HTTP request and
generates alarms for the violations. If the security policy is in transparent
mode, the system then forwards the request to the web application. If the
security policy is in blocking mode, the system does not forward the request
to the web application. Instead, the system sends the blocking response page
to the client, which advises the client that the request was blocked, and
provides a support ID number for the violating request.

To configure the blocking mode


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of the security policy that you want to update.
The Policy Properties screen opens.
4. In the Policy Properties area, check or clear the Disable Blocking
check box, as required.
• For transparent mode, check the box.
• For blocking mode, clear the box.
5. Click Save to save any changes you may have made to the security
policy properties.
6. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Using the Learning process to determine when to enable Blocking mode


During the Learning process, the alarms for policy violations should
diminish over time as you refine the security policy. When the alarms are
almost non-existent, you can be confident that all missing entities have been
added to the security policy, and other attributes are attuned to real-life
traffic requirements. At this point, you can transition the security policy
from transparent mode to blocking mode. After you activate the security
policy in blocking mode, illegal requests may continue to generate learning
suggestions, if, on the Blocking Policy screen, you have the Learning flag
enabled for the violation type.

Tip
You can specify whether a violation triggers a learning suggestion on the
Blocking Policy screen. See Configuring the Learn, Alarm, and Block
flags, on page 5-35, for more information.

You activate blocking mode at the point in time when you can reasonably
assume that the security policy is accurate, meaning that all resources are
present, all attribute values meet the requirements of legitimate real-life
traffic, and, therefore, any further alarms should be considered suspicious.
Note that you can activate blocking mode, and enable the Block flags in
phases. For example, you can enable blocking for only the illegal HTTP
format and RFC violations first, and then slowly enable blocking for the
remaining applicable violations.

Note

We advise you not to activate blocking mode until the security policy has
generated no alarms for several days.

Configuring the maximum HTTP header length


You specify a maximum HTTP header length so that the system knows the
acceptable maximum length for the HTTP header in an incoming request.
The system applies the length check to both header names and header values.
The default maximum length is 8192 bytes. You can use this setting to help
prevent primary buffer overflow attacks.

To configure the maximum HTTP header length


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of the security policy that you want to update.
The Policy Properties screen opens.
4. In the Policy Properties area, for the Max HTTP Header Length
setting, select one of the following options:
• Select Any to have the system accept HTTP headers of any
length.
• Select Length, and type a value, to accept HTTP headers up to a
certain length.
5. Click Save to save any changes you may have made to the security
policy properties.
6. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Configuring the maximum cookie header length


You specify a maximum cookie header length so that the system knows the
acceptable maximum length for any cookie headers in the incoming HTTP
request. As with the maximum HTTP header length setting, you can use this
setting to help prevent primary buffer overflow attacks.

To configure the maximum cookie header length


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of the security policy that you want to update.
The Policy Properties screen opens.
4. In the Policy Properties area, for the Max Cookie Header Length
setting, select one of the following options:
• Select Any to have the system accept cookie headers of any
length.
• Select Length, and type a value, to accept cookie headers up to a
certain length.
5. Click Save to save any changes you may have made to the security
policy properties.
6. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Configuring the flow mode


The flow mode specifies how the security policy treats the objects that make
up the web application. When you specify the simple flow mode, the Policy
Builder and the Learning process define all objects as entry points. In other
words, the simple flow mode ignores the navigational relationships of the
web application objects. When you specify the advanced flow mode, the
Policy Builder and the Learning process map the navigational relationships
of each and every web application object. For example, the navigational
relationships for each button, graphic file, HTML page, form input field, and
hyperlink are all part of the application's flow. Using the web browser's
Back and Forward buttons is also part of the application flow, if these
actions are permitted within the web application.

Note

We recommend that, for most web applications, you use the simple flow
mode. If you need the additional security of the advanced flow mode for a
particular aspect of your web application, we recommend that you define a
flow parameter. For additional information on flow parameters, see
Working with flow parameters, on page 7-9.

To configure the flow mode


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of the security policy that you want to update.
The Policy Properties screen opens.
4. In the Policy Properties area, for the Flow Mode setting, select
Simple or Advanced.
5. Click Save to save any changes you may have made to the security
policy properties.
6. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Important
Always maintain the same flow mode that was used to initially create a
specific policy. We do not recommend that you switch back and forth
between Simple and Advanced flow modes.

Working with the negative regular expressions pool


Each security policy has its own set of negative regular expressions that
define known attack patterns. The system applies the regular expressions
(regexps) to incoming requests to look for known attacks and threats, such
as known worms and Trojan horses, cross-site scripting attacks, SQL
injection attacks, and others. If an incoming request contains a component
that matches a negative regular expression in the security policy, then the
system generates an alarm (and blocks the request if in blocking mode).
You can apply the negative regular expressions to the following components
of the incoming request: an object type, a parameter and value pair, and the
HTTP header itself. You can also apply a negative regular expression to an
HTTP response, if you want the security policy to filter responses.

Note

The regular expression pool that is associated with a security policy is
derived from a system-supplied default pool. The default regular expression
pool is independent of any security policy or web application. For
information on managing the default regular expression pool, see Working
with the system-supplied regular expressions, on page 10-3.

Viewing the negative regular expressions pool for a security policy


You can review the regular expressions that are associated with a security
policy from the Negative RegExps screen.

To view the negative regular expressions pool for a security policy


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of the security policy that you want to update.
The Policy Properties screen opens.
4. In the Policy Properties area, for the Negative RegExps setting,
click the Edit button.
The Negative RegExps screen opens, where you can review the
negative regular expressions for the security policy.

Tip
Click a regular expression name to view the syntax for the regular
expression.

Adding a negative regular expression to the pool for a security policy


While the default pool includes regular expressions to catch most known
attack patterns, there may be situations in which your security policy
requires one or more user-defined regular expressions. You can create
user-defined regular expressions as part of the system-supplied default pool,
which is independent of any security policy. For information on creating and
validating a user-defined regular expression, see Creating a user-defined
regular expression, on page 10-3, and Validating a user-defined regular
expression, on page 10-4. Once you have created the user-defined regular
expression, you can then add the user-defined regular expression to the
security policy pool.

To add a user-defined regular expression to the security policy pool


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of the security policy that you want to update.
The Policy Properties screen opens.
4. In the Policy Properties area, for the Negative RegExps setting,
click the Edit button.
The Negative RegExps screen opens.
5. Above the Negative RegExps area, click the Add button.
The Create New Negative RegExp screen opens.
6. In the Add Negative RegExp to Policy area, from the RegExp
Name list, select the user-defined regular expression that you want
to add to the pool.
7. From the Applies to list, select the policy entity to which the regular
expression applies.
8. Click the Add button.
The system updates the configuration with any changes you may
have made.
9. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Editing the entity to which the regular expression applies


The Application Security Manager can apply the negative regular
expressions to the following entities: web object URIs, header values,
parameter key and value pairs, or responses. You can configure the system
to apply the same regular expression to one or more of these entities;
however, you make each association separately.

Configuration Guide for BIG-IP Application Security Management 5 - 11


Chapter 5

Table 5.1 describes how the system applies the negative regular expressions
to each entity.

Entity                  Applies the regular expression to

Object                  The object and path in the URI of the request.

Response                The response headers and content.

Header value            The value of the HTTP headers in the request.

Parameter=Value Pairs   The parameter key and value pairs included in the
                        request, either in the query string or in the POST
                        data.

Table 5.1 How the system applies negative regular expressions to entities
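The following Python script is an added example, not part of this guide and not ASM code, showing how the four entity associations in Table 5.1 decide which strings a negative regular expression is actually run against: the object path only (not the query string) for Object, header values only for Header value, decoded key=value pairs from the query string and a POST body for Parameter=Value Pairs, and the whole reply for Response. The pool entries, the request and the response are constructed for the example, and the patterns are illustrative stand-ins, not the system-supplied regular expressions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit


@dataclass(frozen=True)
class NegativeRegExp:
    """One pool entry: a pattern plus the single entity it is associated with.
    Entity names follow Table 5.1: object, header_value, param_pair, response."""
    name: str
    pattern: str
    applies_to: str


@dataclass
class Request:
    method: str
    target: str              # request-target, e.g. /bank.php?account=12345
    headers: Dict[str, str]
    body: str = ""           # application/x-www-form-urlencoded body, if any


def entity_strings(req: Request, response: Optional[str], entity: str) -> Iterator[str]:
    """Yield the strings a regular expression is run against for one entity."""
    parts = urlsplit(req.target)
    if entity == "object":
        yield parts.path                   # object and path; the query string is not part of it
    elif entity == "header_value":
        yield from req.headers.values()    # values only; header names are not inspected
    elif entity == "param_pair":
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        if req.method == "POST":
            pairs += parse_qsl(req.body, keep_blank_values=True)
        for key, value in pairs:           # URL-decoded key=value, as the application sees it
            yield f"{key}={value}"
    elif entity == "response":
        if response is not None:
            yield response                 # response headers and content together
    else:
        raise ValueError(f"unknown entity {entity!r}")


def check_negative_pool(req: Request, pool: List[NegativeRegExp],
                        response: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Return (regexp name, entity, matched text) for every pool entry that hits."""
    hits = []
    for rx in pool:
        compiled = re.compile(rx.pattern, re.IGNORECASE)
        for text in entity_strings(req, response, rx.applies_to):
            match = compiled.search(text)
            if match:
                hits.append((rx.name, rx.applies_to, match.group(0)))
    return hits


# Illustrative patterns written for this example; not the ASM system-supplied
# pool. The XSS pattern appears twice, once per entity, because each entity
# association is made separately.
SAMPLE_POOL = [
    NegativeRegExp("sqli_union", r"\bunion\b\s+(all\s+)?select\b", "param_pair"),
    NegativeRegExp("xss_script_tag", r"<\s*script\b", "param_pair"),
    NegativeRegExp("xss_script_tag_header", r"<\s*script\b", "header_value"),
    NegativeRegExp("path_traversal", r"\.\./", "object"),
    NegativeRegExp("stack_trace", r"java\.lang\.\w*Exception", "response"),
]

# Constructed request and response for the demonstration.
SAMPLE_REQUEST = Request(
    "POST", "/bank.php?account=12345",
    {"Host": "www.siterequest.com", "User-Agent": "Mozilla/5.0"},
    "comment=%3Cscript%3Ealert(1)%3C%2Fscript%3E&q=1+UNION+SELECT+user%2Cpass+FROM+users",
)
SAMPLE_RESPONSE = ("HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
                   "<pre>java.lang.NullPointerException at Bank.transfer</pre>")


def demo() -> List[Tuple[str, str, str]]:
    return check_negative_pool(SAMPLE_REQUEST, SAMPLE_POOL, SAMPLE_RESPONSE)


if __name__ == "__main__":
    for name, entity, text in demo():
        print(f"{name:22} {entity:12} {text}")
```

The sample request produces three hits: the UNION SELECT in the POST parameter q, the script tag in the POST parameter comment, and the Java exception name in the response body. The same script-tag pattern associated with Header value finds nothing, because no header value carries it; a pattern matches only through the entity it is associated with, which is why the guide has you make each association separately.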

To change the entity to which a regular expression applies


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of the security policy that you want to update.
The Policy Properties screen opens.
4. In the Policy Properties area, for the Negative RegExps setting,
click the Edit button.
The Negative RegExps screen opens.
5. In the Negative RegExps area, in the Select column, check the box
next to the regular expression for which you want to change the
entity association, and then click the Edit button below the list.
The Edit Negative RegExp screen opens.
6. In the Edit Negative RegExp area, from the Applies to list, select
the policy entity to which the regular expression applies.
7. Click the Update button.
The system updates the configuration with any changes you may
have made.
8. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

5 - 12
Working With the Security Policy

Removing a regular expression from the pool for a security policy


The Application Security Manager has a large pool of default negative
regular expressions. You can choose to use some or all of them to protect
your web application. For example, you can configure a security policy to
use a set of regular expressions to detect SQL injection attacks if your web
application uses a database. You can also use a set of regular expressions to
detect cross-site scripting attacks that a hacker may try to insert into any text
form within your application. For additional information on the
system-supplied regular expressions, refer to Working with the
system-supplied regular expressions, on page 10-3.
Depending on the requirements for securing your web application, you may
not need all of the default regular expressions that are in the negative regular
expressions pool for the security policy. You can easily remove those that
do not apply to the security policy. Removing a regular expression from the
security policy pool does not permanently delete the regular expression from
the system configuration. If you want to restore a regular expression that
you have removed from the security policy pool, you can re-add the regular
expression to the system default pool. See Restoring the negative regular
expressions pool to the default settings, on page 10-6, for more information.

To remove a regular expression from the security policy pool

1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that you want to
update.
The Policy Properties screen opens.
4. In the Policy Properties area, for the Negative RegExps setting,
click the Edit button.
The Negative RegExps screen opens.
5. In the Negative RegExps area, in the Select column, check the box
next to the regular expressions that you want to delete from the
security policy pool, and then click the Remove button below the
list.
A confirmation popup screen opens.
6. Click OK.
The screen refreshes, and the system removes the selected regular
expressions.
7. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.


Overview of the Policy Builder


The Application Security Manager provides the Policy Builder to automate
building the map of the web application within a security policy. If you were
to build the security policy manually, it would be a tedious undertaking,
especially if the web application is updated frequently. You can use the
Policy Builder to build the security policy based either on real traffic (both
requests and responses), or on system-generated traffic. See Chapter 6,
Building a Security Policy With the Policy Builder, for detailed information
on using the Policy Builder.

Working with the Blocking Response Page property


The Application Security Manager has a default response page that it returns
to the client when the client request, or the response returned by the web
server, is blocked by the security policy. This page is the blocking response
page. Note that the system uses the blocking response page only when the
security policy is in blocking mode. To configure the Blocking Response
Page property, you can do one of the following:
You can use the default response page.
You can customize the default blocking response page.
You can upload a custom blocking response page.
You can provide a URL for redirection.

Customizing the blocking response page


You can customize the blocking response page by modifying the default
text, or by uploading a custom HTML file. Alternately, you can redirect the
client to another resource by providing a redirect URL. These options are
explained in the following task.

To customize the blocking response page


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that you want to
update.
The Policy Properties screen opens.
4. Above the Blocking Response Page area, click the Edit button.
The Blocking Response Page popup screen opens.
5. From the Response Type list, select the response that the system
returns when it blocks a client request.


Default Response: Specifies that the system returns the
system-supplied blocking response page. Note that you cannot
edit HTML code on the default response page.
Redirect URL: Specifies that the system returns a redirect URL.
Custom Response: Specifies that the system returns a
user-defined response page.
Note: The remaining settings on this popup screen change
depending on the selection that you make for the Response Type
setting.
6. In the Response Code box, type the HTTP response code that is
returned to the client in the HTTP response header. The default
setting is 200. We recommend that you do not change this setting.
7. If you selected the Redirect URL option in step 5, then in the
Redirect URL box, type the URL to which the system redirects the
client. The URL that you configure should be for a page that is not
within the web application itself.
8. If you selected the Custom Response option in step 5, perform one
of the following tasks to create a custom blocking response page.
In the Paste HTML Code box, type the text that you want the
system to send in the custom blocking response page. Note that
you should use standard HTML syntax.
For the Upload HTML File setting, either type a path to an
HTML response page in the box, or click Browse and navigate to
an HTML response page. Click Upload when you are finished.
9. Click OK to save any changes you may have made, and close the
popup screen.
10. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the Policy Properties screen.

Viewing the blocking response page


Once you have configured the Blocking Response Page property, you can
view the page to see how it appears to those who receive it. You can view
the blocking response page from the Policy Properties screen.

To view the blocking response page


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of the security policy that you want to update.
The Policy Properties screen opens.


4. Above the Blocking Response Page area, click the Show button.
The Blocking Response Page popup screen opens, where you can
view the text as it appears to recipients.

Working with the Sensitive Parameters property


The Application Security Manager stores incoming requests in plain text
format. Some requests may include sensitive data, such as a password or a
credit card number, that you may not want the system to store once the
request has been processed. You can avoid storing any sensitive data as
plain text by adding the names of the input fields to the Sensitive Parameters
property. The system then replaces the sensitive data, in the stored request,
with a series of Xs.
Configuring a sensitive parameter affects only how the Application Security
Manager stores and displays information in requests and responses. It does
not affect the requests or responses sent to the web application or the client.

Note

The Application Security Manager automatically creates a sensitive
parameter called password for every new security policy.

To create a sensitive parameter


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of the security policy that you want to update.
The Policy Properties screen opens.
4. Above the Sensitive Parameters section, click the Create button.
The Create New Sensitive Parameter popup screen opens.
5. In the Parameter box, type the name of the user-input parameter,
exactly as it occurs in the HTTP request, for which you do not want
the system to store the actual value. In the following example,
account is the sensitive parameter:
http://www.siterequest.com/bank.php?account=12345

6. Click OK.
The popup closes, and on the Policy Properties screen, you can see
the newly-created sensitive parameter in the Sensitive Parameters
list.
7. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.


In addition to creating sensitive parameters, you can also edit or delete
existing sensitive parameters, as required by changes in the web application.
Simply check the box next to an existing sensitive parameter, and click
either the Edit or Delete button below the Sensitive Parameters section.
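The following Python script is an added example, not F5 code, of the masking that the Sensitive Parameters property describes: the value of a named parameter is replaced with Xs in the stored copy of the request, in the query string and in a form-encoded POST body alike, while the request forwarded to the web application is left untouched. The request it masks is constructed for the example. Replacing each value with the same number of Xs is an assumption of this example (the guide says only that the value is replaced by a series of Xs), chosen so that the stored copy keeps its Content-Length and framing.

```python
from typing import Iterable, Set
from urllib.parse import urlsplit, urlunsplit

# ASM creates this sensitive parameter for every new security policy.
DEFAULT_SENSITIVE: Set[str] = {"password"}


def mask_pairs(encoded: str, sensitive: Set[str]) -> str:
    """Replace the value of every sensitive key in a form-encoded string
    with Xs of the same length (length preservation is this example's
    choice). The string is not decoded first, so the stored copy keeps its
    encoding and no fragment of the value survives."""
    out = []
    for pair in encoded.split("&"):
        key, sep, value = pair.partition("=")
        if sep and key in sensitive:     # name must match exactly as it occurs in the request
            value = "X" * len(value)
        out.append(key + sep + value)
    return "&".join(out)


def mask_request(raw: str, sensitive: Iterable[str] = ()) -> str:
    """Mask sensitive parameters in a raw HTTP/1.1 request before it is
    stored: the query string in the request line and a form-encoded body."""
    names = set(sensitive) | DEFAULT_SENSITIVE
    head, blank, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    target = urlunsplit(parts._replace(query=mask_pairs(parts.query, names)))
    lines[0] = f"{method} {target} {version}"
    # Only a form-encoded body carries key=value parameters. This example
    # stores any other body (JSON, XML, multipart) unchanged, so a secret
    # carried that way is not covered by a parameter-name rule.
    content_type = ""
    for line in lines[1:]:
        if line.lower().startswith("content-type:"):
            content_type = line.split(":", 1)[1].strip().lower()
    if content_type.startswith("application/x-www-form-urlencoded"):
        body = mask_pairs(body, names)
    return "\r\n".join(lines) + blank + body


# Constructed request for the demonstration; account is the sensitive
# parameter from the guide's example URL, password is the default one.
SAMPLE_REQUEST = (
    "POST /bank.php?account=12345 HTTP/1.1\r\n"
    "Host: www.siterequest.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 38\r\n"
    "\r\n"
    "user=alice&password=s3cr%21t&amount=10"
)

if __name__ == "__main__":
    print(mask_request(SAMPLE_REQUEST, {"account"}))
```

The stored copy reads "POST /bank.php?account=XXXXX HTTP/1.1" with the body "user=alice&password=XXXXXXXX&amount=10"; user and amount are kept in clear because they were not named. The match is on the literal parameter name, which is why the procedure tells you to type the name exactly as it occurs in the HTTP request.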

Working with the Allowed Modified Cookies property


You can configure the security policy to ignore certain cookies that are
included in an HTTP request, even if they do not meet the expected criteria,
and would otherwise trigger a security policy violation. You use the
Allowed Modified Cookies property to manage the list of cookies that you
want the security policy to ignore.

To define an allowed modified cookie


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of the security policy that you want to update.
The Policy Properties screen opens.
4. Above the Allowed Modified Cookies area, click the Create button.
The Create New Allowed Cookies popup screen opens.
5. In the Cookie Name box, type the name of an allowed cookie.
Enter the name of the cookie exactly as it is expected to appear in
the request.
6. Click OK.
The popup closes, and on the Policy Properties screen, you can see
the newly-created allowed cookie in the Allowed Modified Cookies
list.
7. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

In addition to creating allowed cookies, you can also edit or delete existing
allowed cookies, as required by changes in the web application. Simply
check the box next to an existing allowed cookie, and click either the Edit
or Delete button below the Allowed Modified Cookies section.


Working with the Allowed Methods property


The Application Security Manager accepts certain HTTP methods by
default. The default methods are GET, POST, and HEAD. The system treats
any incoming HTTP request that uses an HTTP method other than the
allowed methods as an invalid request. If your web application uses HTTP
methods other than the default allowed methods, you can use the Allowed
Methods property to manage them.

To specify additional allowed methods


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of the security policy that you want to update.
The Policy Properties screen opens.
4. Above the Allowed Methods area, click the Create button.
The Create New Allowed Method popup screen opens.
5. From the Method list, select the new method that you want to add
to the allowed methods list.
6. In the Act as Method box, select one of the following options.
GET: Specifies that the request does not contain any HTTP data
following the HTTP header.
POST: Specifies that the request contains HTTP data following
the HTTP header.
7. Click OK.
The popup closes, and on the Policy Properties screen, you can see
the additional allowed method in the Allowed Methods section.
8. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

In addition to creating allowed methods, you can also edit or delete existing
allowed methods, as required by changes in the web application. Simply
check the box next to an existing allowed method, and click either the Edit
or Delete button below the Allowed Methods section.


Working with the Navigation Parameters property


If you want the security policy to differentiate between pages in the web
application that are generated by requests with the same object name but
with different parameters, and to build the appropriate flows, you need to
specify the exact names of the parameters that triggered the creation of
these pages in the web application. You specify these parameter names in
the Navigation Parameters section.

To specify a navigation parameter


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of the security policy that you want to update.
The Policy Properties screen opens.
4. Above the Navigation Parameters area, click the Create button.
The Create New Navigation Parameter popup screen opens.
5. If the new navigation parameter applies to every page in the web
application, select Any Object.
6. Alternately, if the navigation parameter applies to only one page in
the web application, select Object Path, and type a URL.
7. In the Navigation Parameter box, type the name of the parameter
passed to the web server for page-building purposes.
8. Click OK.
The popup closes, and on the Policy Properties screen, you can see
the navigation parameter in the Navigation Parameters section.
9. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

In addition to creating navigation parameters, you can also edit or delete
existing navigation parameters, as required by changes in the web
application. Simply check the box next to an existing navigation parameter,
and click either the Edit or Delete button below the Navigation Parameters
section.


Working with the security policy entities


The security policy entities are the map of the web application. The security
level of the security policy determines which entities are applicable for the
security policy. (Refer to Configuring the security level, on page 5-4, for
more information on security levels.) When the Application Security
Manager receives an incoming HTTP request for the web application, it
compares the entities in the request to the security policy entities. If one or
more entities in the request do not match the security policy entities, the
system generates an alarm for the violation, and then processes the request
based on the Blocking Policy settings. (See Working with the Blocking
Policy settings, on page 5-35, for more information.)

Working with the Object Types entity


The Object Types entity lists the file extensions for all of the general file
types that make up the web application. The object type flags specify the
legitimate behavior and properties of each object type. Additionally, the
security level of the security policy affects which object type flags are
relevant for the particular security policy. (See Configuring the security
level, on page 5-4, for more information.) Based on the object types list, the
security policy knows which file types are legitimate for a web application,
as well as how to process those file types.

Important
Object types are case-sensitive. As a result, the security policy processes
JPG and jpg files as separate object types.

Table 5.2 describes the object type flags, and lists the applicable security
level.

Object type flag (security level)
    Description

Check objects (applies to high security, APC)
    Specifies, when checked, that if an incoming request contains an object
    of the corresponding object type, the security policy validates the
    specific object against the Web Objects list for the security policy.
    If the specific object is not in the Web Objects list, the security
    policy logs a violation event, and if in blocking mode, blocks the
    request.

Check flows (applies to high security, APC)
    Specifies, when checked, that the security policy validates the flows
    to web objects of the corresponding object type.

Is Referrer (applies to high security, APC)
    Specifies that the object type can include references to other object
    types. For example, an HTML file may contain references to image
    files. Therefore, the HTML file is a referrer.

Object Length (applies to all security levels)
    Specifies the acceptable length, in bytes, for an object of this object
    type, in the context of an HTTP request.

Request Length (applies to all security levels)
    Specifies the maximum acceptable length, in bytes, for the HTTP request
    that contains the object type.

Query String Length (applies to all security levels)
    Specifies the maximum acceptable length, in bytes, for the query string
    portion of a URL that contains the object type.

POST Data Length (applies to all security levels)
    Specifies the maximum acceptable length, in bytes, for the POST data of
    an HTTP request that contains the object type.

Check Response (applies to all security levels)
    Specifies that the system validate the web server response to the
    incoming HTTP request that contains the object type.

Table 5.2 Object type characteristics and corresponding security level

You can build the list of object types entities in the security policy in three
ways:
You can run the Policy Builder. See Chapter 6, Building a Security
Policy With the Policy Builder, for more information.
You can accept an object type from a learning suggestion. See Accepting
a learning suggestion, on page 8-5.
You can manually add each object type, as explained in this section.

Note

When you run the Policy Builder to detect object types, the system
automatically creates a no_ext object type in the following cases: objects
with no file extension, and objects with file extensions longer than eight
characters.

To manually create an object type for a security policy


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of a security policy.
The Policy Properties screen opens.


4. On the menu bar, click Object Types.
The Object Types screen opens.
5. Above the Object Types list, click the Create button.
The Create New Object Type popup screen opens.
6. In the Object Type box, type the file extension for the object. For
example, to add the GIF image file type to the security policy, type
GIF.
7. Click the Get Defaults button to apply the system's default
attributes for the object type. Alternately, you can specify the
attributes that apply to your web application.
8. Click Create.
The popup closes, and on the Policy Properties screen, you can see
the new object type in the Object Types Associations list.
9. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Modifying object types


You can modify any of the object type flags, or characteristics, depending
on the needs of the web application. For example, if you are configuring a
security policy that uses the standard security level, the security policy does
not perform checks on individual objects. Therefore, you can disable the
Check Objects flag for all of the object types.

To modify the object type characteristics


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of a security policy.
The Policy Properties screen opens.
4. On the menu bar, click Object Types.
The Object Types screen opens.
5. In the Object Types list, make any changes, as required, to the
object type flags for the object type that you are modifying.
The system automatically checks the Select box to the left of the
object type.
6. Click the Save button below the list.
The system saves the changes to the security policy.
7. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.


Removing object types


Since web applications can change on a regular basis, you may find that the
object types list contains file types that are no longer used in the web
application. You can remove the object type, and any related web objects (if
applicable), in one step.

To remove an object type


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of a security policy.
The Policy Properties screen opens.
4. On the menu bar, click Object Types.
The Object Types screen opens.
5. In the Object Types list, click the Select box to the left of the object
type that you want to remove from the list.
6. Click the Delete button below the list.
The system removes the object type from the configuration, and also
removes any specific web objects of this type.
7. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Creating an allowed objects regular expression for an object type


You can define regular expressions that specify a group of web objects of a
certain object type. If you define a regular expression for an allowed object,
and the Application Security Manager does not find a requested object in the
Web Objects list, the system then checks whether the object matches the
regular expression in the Allowed Objects RegExp list. If the web object
matches the regular expression in this list, then the Application Security
Manager applies the security policy to the request's contents. If the web
object does not match the regular expression in the Allowed Objects
RegExp list, then the Application Security Manager generates a non-existent
object alert, and performs a negative logic check. If you have enabled the
Blocking flag for non-existent object violations, then the system generates
an alert, and blocks the request.
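The following Python script is an added example, not ASM code, that puts together the checks described under Allowed Methods, Object Types and Allowed Objects RegExp above: the method allowlist with its act-as-GET and act-as-POST distinction, the case-sensitive object type taken from the file extension with the no_ext rule, the four length flags of Table 5.2, and the Web Objects lookup with the Allowed Objects RegExp list as the fallback before a request is reported as a non-existent object. The limits, the Web Objects list and the regular expression are made up for the example and are not the Get Defaults values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Allowed Methods, with the guide's three defaults. The value is what each
# method acts as: GET = no data after the header, POST = data after it.
ALLOWED_METHODS: Dict[str, str] = {"GET": "GET", "POST": "POST", "HEAD": "GET"}


@dataclass(frozen=True)
class ObjectType:
    """The four length flags from Table 5.2 plus the Check Objects flag."""
    object_length: int
    request_length: int
    query_string_length: int
    post_data_length: int
    check_objects: bool = True


# Illustrative limits for the example. Keys are case-sensitive, so a request
# for something.PHP does not match the php object type.
OBJECT_TYPES: Dict[str, ObjectType] = {
    "php": ObjectType(100, 5000, 500, 2000),
    "gif": ObjectType(100, 2000, 0, 0),
    "no_ext": ObjectType(100, 5000, 500, 2000),
}
WEB_OBJECTS: Set[str] = {"/bank.php", "/index.php", "/img/logo.gif"}
ALLOWED_OBJECT_REGEXPS = [re.compile(r"^/img/[a-z0-9_]+\.gif$")]


def object_type_of(path: str) -> str:
    """Object type = extension of the last path segment, case preserved.
    no_ext when there is no extension or it is longer than eight characters,
    the same rule the Policy Builder applies when it detects object types."""
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return "no_ext"
    ext = name.rsplit(".", 1)[1]
    return ext if 0 < len(ext) <= 8 else "no_ext"


def check_request(method: str, target: str, body: str, request_length: int) -> List[str]:
    """Return the violations for one request; an empty list means accepted."""
    acts_as = ALLOWED_METHODS.get(method)
    if acts_as is None:
        return [f"illegal method {method}"]       # invalid request; nothing more to check
    violations: List[str] = []
    if acts_as == "GET" and body:
        violations.append(f"{method} acts as GET but request has a body")
    parts = urlsplit(target)
    otype = object_type_of(parts.path)
    ot = OBJECT_TYPES.get(otype)
    if ot is None:
        return violations + [f"illegal object type {otype}"]
    for label, actual, limit in (
        ("object length", len(parts.path), ot.object_length),
        ("request length", request_length, ot.request_length),
        ("query string length", len(parts.query), ot.query_string_length),
        ("POST data length", len(body), ot.post_data_length),
    ):
        if actual > limit:
            violations.append(f"{label} {actual} exceeds {limit}")
    # Check Objects: the exact object first, then the Allowed Objects RegExp
    # list. A miss is a non-existent object; the negative regular expression
    # pool would still be run against the request before it is blocked.
    if ot.check_objects and parts.path not in WEB_OBJECTS:
        if not any(rx.search(parts.path) for rx in ALLOWED_OBJECT_REGEXPS):
            violations.append(f"non-existent object {parts.path}")
    return violations


if __name__ == "__main__":
    for req in [("GET", "/bank.php?account=12345", ""),
                ("GET", "/img/banner.gif", ""),
                ("GET", "/admin/secret.php", ""),
                ("GET", "/report.PHP", ""),
                ("PUT", "/bank.php", "x=1")]:
        print(req[:2], check_request(*req, request_length=200) or "ok")
```

Running it shows the points the sections above make: /report.PHP is refused as an unknown object type although php is configured, which is the case-sensitivity warning under Object Types; /img/banner.gif is accepted through the regular expression without being in the Web Objects list; /admin/secret.php is reported as a non-existent object; and a HEAD request carrying a body is flagged because HEAD acts as GET.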

Note

For more information on using regular expressions in the Application
Security Manager, see Working with the negative regular expressions pool,
on page 5-10, and also see Working with the system-supplied regular
expressions, on page 10-3.


To define a regular expression for a set of possible objects


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of a security policy.
The Policy Properties screen opens.
4. On the menu bar, click Object Types.
The Object Types screen opens.
5. On the Object Types list screen, above the Allowed Objects RegExp
list, click the Create button.
The Create New RegExp popup screen opens.
6. In the RegExp box, type the regular expression.
7. Optionally, in the Description box, type a description of the regular
expression.
8. Click Create.
The popup closes, and on the Object Types screen, you can see the
new regular expression in the Allowed Objects RegExp list.
9. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Tip
You can validate a user-defined regular expression before you add it to the
Allowed Objects RegExp list. See Validating a user-defined regular
expression, on page 10-4, for more information.

Modifying an allowed objects regular expression


If you have created an allowed object regular expression, you may
occasionally need to edit the regular expression.

To edit an allowed objects regular expression


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of a security policy.
The Policy Properties screen opens.


4. On the menu bar, click Object Types.
The Object Types screen opens.
5. On the Object Types list screen, in the Allowed Objects RegExp
list, check the Select box next to the regular expression that you
want to edit, and then click the Edit button.
The Edit RegExp popup screen opens.
6. In the RegExp box, make any changes to the regular expression that
are required.
7. Optionally, in the Description box, type a description of the regular
expression.
8. Click Update.
The popup closes, and on the Object Types screen, you can see the
updated regular expression in the Allowed Objects RegExp list.
9. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Removing an allowed objects regular expression


When you no longer need an allowed objects regular expression, you can
easily remove the regular expression from the configuration.

To remove an allowed objects regular expression


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of a security policy.
The Policy Properties screen opens.
4. On the menu bar, click Object Types.
The Object Types screen opens.
5. On the Object Types list screen, in the Allowed Objects RegExp
list, check the Select box next to the regular expression that you
want to remove, and then click the Delete button.
A confirmation popup screen opens.
6. Click OK.
The popup closes, and on the Object Types screen, the regular
expression is no longer in the Allowed Objects RegExp list.


Working with the Web Objects entity


The Web Objects entity lists the specific web application objects in the
protected Web site. The Web Objects entity is not relevant if you are
configuring a standard security policy.
An important policy decision to make at this stage is to decide whether a
certain object is an entry point. If you are configuring a security policy using
the simple flow mode, then most web objects should be entry points.
An entry point is a page through which a visitor can enter the web
application; for example, by typing a URL in the browser's address box, or
by selecting a URL from a favorites list. A web application may have
several entry points.

Adding a web object


You can add web objects manually, or you can use the Policy Builder to
populate the web objects. If you want to use the Policy Builder, refer to
Chapter 6, Building a Security Policy With the Policy Builder, for details. If
you want to add web objects manually, use the following procedure.

To add a web object manually


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of a security policy.
The Policy Properties screen opens.
4. On the menu bar, click Web Objects.
The Web Application Objects (Site Map) screen opens.
5. Above the Web Application Objects list, click the Create button.
The Create New Object popup screen opens.
6. In the Object Path box, type the full resource path starting with the
slash [/] character.
7. In the Protocol list, select the protocol to be used to access the
object.
8. To get the default object type associations for this web object, click
the Get Defaults button.
9. Click Create.
The popup closes, and on the Web Objects screen, you can see the
new web object in the list.
10. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Removing a web object


Web applications can change over time. As such, you may need to remove
obsolete web objects from the security policy.

To remove a web object


1. In the Web Application Objects list, check the Select box to the left
of the objects to be removed.
2. Click the Remove button.
A confirmation popup screen opens, where you confirm the deletion
of the web object.
3. Click OK.
The popup closes, and the system removes the web object from the
security policy.
4. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Viewing the properties of a web object


You can review and modify the properties of an individual web object.
Simply click the name of the web object in the Web Application Objects list.
The Object Details screen for that object opens.

Tip
If the web object name is in gold letters, the web object is a referrer.
Referrers call other web objects within the web application.

Working with the Parameters entity


A parameter is an item of information within a web application. Parameters
can be configured as global parameters, web object parameters, or flow
parameters. The following are a few examples of parameters: user name,
address, credit card number, phone number, search boxes, and so on. See
Chapter 7, Working With Parameters, for detailed information on working
with parameters.

Working with the Flows entity


The application flow is the defined access path leading from one object to
another object within the web application. For example, on a basic web
page, you may have a graphic and a hyperlink to another page within the
application. The calls to these other objects from the basic page make up the
flow. Because flows can be quite complex, we recommend that you use the
Policy Builder and the Learning process to help you maintain the accuracy
of the flows. The Policy Builder generates a map of the flows from within
the web application, by scanning the links and references within the objects.
The Learning process maps new and changed flows, once the Policy Builder
has initially mapped the web application. Note that you can also manually
add and edit the application flows, however, we recommend that you use the
automated tools to help you maintain the flows configuration.

Note

Application flows do not apply to security policies that use the standard
level of security.

Viewing the entire application flow


You can view the application flow in its entirety, or you can view the flow
for an individual web object. The flow mode that you set in the Flow Mode
property determines the flow characteristics. See Configuring the flow
mode, on page 5-9, for more information.

To view the entire application flow


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy whose flows you want
to review.
The Policy Properties screen opens.
4. On the menu bar, click Flows.
The Flows screen opens, where you can review all of the flows in
the application.

Viewing the flow from a web object


When you view the flows for a particular web object, the system displays
the flow from the web object. The system does not display the flow to the
particular web object.

Note

If the Flow Mode is simple, then the system treats all web objects as entry
points, and there is no flow information on the Flows screen for the web
object.

To view the flow from an individual web object


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of a security policy.
The Policy Properties screen opens.
4. On the menu bar, click Web Objects.
The Web Application Objects screen opens.
5. In the Select column, check the Select box for the web object whose
flows you want to view, and then click the Show Flows button
below the list.
The Flows screen for the web object opens.

Adding a new application flow manually


We recommend that you use the Policy Builder and the Learning process to
create and maintain the application flow. Alternately, you can create a flow
for an object manually.

To manually create a flow


1. On the Web Objects screen, in the Web Application Objects (Site
Map) list, click the name of the object for which you want to create
a flow.
The Object Details screen opens.
2. Above the Flows to Object list, click the Create button.
The Create a New Flow popup screen opens.
3. In the Referrer Object box, select one of the following:
Entry Point: Specifies that the client can enter the application
from this object. Note that for most policies, objects are entry
points.
Object Path: Specifies the URI for the object, if the object is not
an entry point.
4. In the Protocol list, select the appropriate protocol.
5. In the Method list, select the appropriate HTTP method.
6. In the Frame Target box, type the frame in which the web object
belongs, if the web application uses frames. If you leave this option
blank, the system supplies a default setting of 1.
7. If this flow can contain a query string or POST data, check the
Allow QS/PD box.
8. If you want the system to verify query strings or POST data for this
flow, check the Check QS/PD box.
9. Click OK.
The popup closes, and on the Object Details screen, you see the new
flow in the Flows to Object list.

10. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Working with the Character Sets entity


You can configure the security policy to allow only certain characters to
appear in certain sections of a request. For example, you can allow letters,
digits and the slash (/) in a path to an object but exclude the @ character
from it. Such exclusion causes the Application Security Manager to apply
the Alarm/Blocking policy to the request that contains the excluded
character. Character sets are unique to each security policy, and apply to
headers, object paths, parameter names, and parameter values.

Understanding the actions for the character set


You can define acceptable character sets for header values, object paths,
parameter names, and parameter values. For each character and meta
character within the character set, there is a corresponding action. The action
determines how the system processes the character or meta character. Table
5.3 explains the character set actions, and indicates the entities to which the
action applies.

Action: YG
    Description: The security policy allows the character or meta character
    wherever it occurs.
    Applies to: Header values, object paths, parameter names, parameter
    values

Action: NG
    Description: The security policy never allows the meta character, and
    the Policy Enforcer generates an Illegal meta character violation when
    it encounters the meta character in a request.
    Applies to: Header values, object paths, parameter names, parameter
    values

Action: Y
    Description: This action has a three-part verification.
    1. If the parameter is not defined in the security policy, then the
    Policy Enforcer allows the meta character.
    2. If the parameter is defined in the security policy, and the
    parameter definition does not allow the meta character, then the
    Policy Enforcer generates an Illegal meta character in parameter value
    input violation.
    3. If the parameter is defined in the security policy, and the
    parameter definition allows the meta character, then the Policy
    Enforcer allows the meta character.
    Applies to: Parameter values

Action: N
    Description: This action has a three-part verification.
    1. If the parameter is not defined in the security policy, then the
    Policy Enforcer does not allow the meta character, and generates an
    Illegal meta character in parameter value violation.
    2. If the parameter is defined in the security policy, and the
    parameter definition does not allow the meta character, then the
    Policy Enforcer generates an Illegal meta character in parameter value
    input violation.
    3. If the parameter is defined in the security policy, and the
    parameter definition allows the meta character, then the Policy
    Enforcer allows the meta character.
    Applies to: Parameter values

Table 5.3 Character set actions and corresponding entities
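The decision logic of Table 5.3, as an added example written for this guide (it is not ASM's own code): a small Python simulator that applies the YG, NG, Y and N actions to the parameter values of a query string. The character set, the parameter definitions and the sample query strings are constructed for the example.

```python
"""Simulator of the Table 5.3 character set actions for parameter values.

Constructed example, not ASM code. It models only the parameter-value
entity; header values, object paths and parameter names are out of scope.
"""
from urllib.parse import parse_qsl

# Constructed character set: meta character -> action. Characters that are
# not listed are treated as ordinary, allowed characters in this model.
CHARSET = {
    "<": "NG",   # never allowed, regardless of parameter definitions
    "@": "Y",    # allowed unless a defined parameter forbids it
    "'": "N",    # forbidden unless a defined parameter allows it
    "/": "YG",   # always allowed
}

# Constructed parameter definitions: name -> meta characters the definition
# explicitly allows. A parameter not present here is "not defined in the
# security policy" in the sense of Table 5.3.
DEFINED_PARAMS = {
    "email": {"@"},     # an e-mail address legitimately contains '@'
    "comment": set(),   # defined, but its definition allows no meta character
}


def check_meta_char(char, param_name):
    """Return None when the character is allowed, else the violation name
    that Table 5.3 gives for the failing step."""
    action = CHARSET.get(char)
    if action is None or action == "YG":
        return None
    if action == "NG":
        return "Illegal meta character"
    defined = param_name in DEFINED_PARAMS
    allowed_by_def = defined and char in DEFINED_PARAMS[param_name]
    if action == "Y":
        if not defined:          # step 1 for Y: undefined parameter -> allow
            return None
        if allowed_by_def:       # step 3
            return None
        return "Illegal meta character in parameter value input"  # step 2
    if action == "N":
        if not defined:          # step 1 for N: undefined parameter -> reject
            return "Illegal meta character in parameter value"
        if allowed_by_def:       # step 3
            return None
        return "Illegal meta character in parameter value input"  # step 2
    raise ValueError(f"unknown character set action {action!r}")


def check_query_string(qs):
    """Check every parameter value in a query string.

    Returns a list of (parameter name, character, violation) tuples, one
    per offending (parameter, character) pair. Percent-encoded characters
    are decoded first, as the enforcer would see them.
    """
    findings = []
    seen = set()
    for name, value in parse_qsl(qs, keep_blank_values=True):
        for ch in value:
            violation = check_meta_char(ch, name)
            if violation and (name, ch) not in seen:
                seen.add((name, ch))
                findings.append((name, ch, violation))
    return findings


if __name__ == "__main__":
    # Constructed sample query strings exercising each action.
    for sample in ("email=bob@example.com&comment=hi",
                   "search=a'b",
                   "comment=it's",
                   "q=%3Cscript%3E",
                   "comment=me@home"):
        print(sample, "->", check_query_string(sample) or "allowed")
```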

Modifying the actions for a character set


When you set the language encoding for the web application, the
Application Security Manager automatically configures a default character
set. You can modify the default settings to optimize the character sets for
your web application by changing the action for the characters.

To change the actions for a character set


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of a security policy.
The Policy Properties screen opens.
4. On the menu bar, click Charsets.
The Character Sets screen opens.
5. In the Character Sets area, from the Select Character Set list, select
the character set that you want to modify. When you select an option
from the list, the screen refreshes to display the entire character set
for that option.

6. In the Actions area, in the Action column for each character, you
can either leave the action at the default setting, or you can modify
the action.
7. Click Save to save any changes you may have made.
8. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Tip
To restore the default character set definitions, you can click the Restore
Defaults button at any time.

A note about non-printable characters


The Application Security Manager displays and processes non-printable
characters, that is, control characters, in the same manner as it displays and
processes other characters. For example, the system displays the Space
character as 0x20.

Setting the active policy for a web application


At any given time, the Application Security Manager enforces only one
security policy for a web application. The security policy that is currently
protecting the web application is called the active security policy. The active
security policy is marked with the Active icon in the Security Policies
List for the web application.

To activate a security policy


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of the web application for
which you are activating a security policy.
The Web Application properties screen opens.
3. In the Web Application Properties section, in the Active Security
Policy list, select the security policy that you want to be the active
security policy for the web application. Note that the system
automatically checks the Apply Policy setting when you change the
Active Security Policy setting on this screen.
4. Click Update.
The screen refreshes, and in the Security Policies List, you see the
Active Policy icon next to the new active security policy.

You can also set the active security policy from most of the screens
throughout the Application Security Manager. Simply click the Apply
Policy button that is near the top of most screens.

Determining when to set the active security policy


Every time you change the configuration in a security policy, you must
activate the security policy before the changes take effect. Throughout the
Configuration utility, the following icons appear, and are there to let you
know the state of a security policy.

The Active icon next to a security policy name indicates the active
security policy. You may also see an A in square brackets [A] to indicate
the active security policy. Only one security policy can be the active
security policy.
The Modified icon next to a security policy name indicates that the
security policy has been modified. You may also see an M in square
brackets [M] to indicate a modified security policy.
You need to set the active security policy in the following cases:
Before opening the web application to any user traffic, either for testing
or for regular business.

Every time that you make a change in the security policy. If you do not
re-activate the security policy, the latest changes are not reflected to the
web application.
Whenever you change the active security policy for a web application.

Working with the Blocking Policy settings


The Blocking Policy screen is where you configure how the security policy
reacts to a request that does not comply with the security policy. The
security policy has two blocking modes: transparent and blocking. In
transparent mode, the system generates an alarm and allows the request, if
the request violates some aspect of the security policy. In blocking mode,
the system generates an alarm, does not allow the request, and instead
returns the blocking response page to the client. On the Blocking Policy
screen, you configure for which violations the system generates learning
suggestions and alarms, and if you are using blocking mode, for which
violations the system blocks the violating request. You can also set the
blocking mode from the Blocking Policy screen.

Note

The blocking mode that you use determines the default Blocking Policy
settings.

To set the blocking mode from the Blocking Policy screen


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of the security policy for which you want to change
the blocking mode.
The Policy Properties screen opens.
4. Next to the Security Level list, click the Edit button.
The Blocking Policy screen opens.
5. Clear the Disable Blocking check box to change the blocking mode
to blocking. Note that when you clear this check box, the check
boxes in the Block column become active.
6. Alternately, you can check the Disable Blocking box to change the
blocking mode to transparent.
7. Click the Save button to save any changes you may have made on
this screen.
8. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

Configuring the Learn, Alarm, and Block flags


On the Blocking Policy screen, you can view, and enable or disable, the
Learn, Alarm, and Block flags for most violations. The flags determine how
the system processes requests that trigger the corresponding violation. The
default settings on the Blocking Policy screen are determined by the security
level (see Configuring the security level, on page 5-4, for more information
about the security level).
The system takes the following actions when the flags are enabled:
Learn flag
When the Learn flag is enabled for a violation, and a request triggers the
violation, the system generates learning suggestions, and logs the request
in the Forensic information. Note that there are some violations for
which the system cannot generate learning suggestions. These violations
have the Log Only notation next to the Learn flag.
Alarm flag
When the Alarm flag is enabled for a violation, and a request triggers the
violation, the system logs the request in the Forensic information, and
also logs a security event on the Statistics >> Events screen.
Block flag
When the Block flag is enabled for a violation and the security policy is
in blocking mode, the system performs the Alarm flag actions when a
request or response triggers the violation. Additionally, the system does
not forward the request to the application, and sends the blocking
response page (which contains a Support ID to identify the request) to the
offending client. If a response from the web application triggers a
violation for which blocking is enabled, the system sends the blocking
response page to the client instead of the response.

Note

When the Block flag is enabled, the system automatically enables the Alarm
flag, too.

To customize the Learn, Alarm, and Block flags for security policy
violations

1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of a security policy.
The Policy Properties screen opens.
4. Next to the Security Level list, click the Edit button.
The Blocking Policy screen opens.
5. Review each violation, and adjust the Learn, Alarm, and Block flags as
required.
6. Click Save to save any changes you may have made on this screen.
7. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.

How the Policy Enforcer enforces security policies


The Policy Enforcer applies the active security policy to each request for the
web application. If the request complies with the security policy, the Policy
Enforcer forwards the request on to the web application. If the request does
not comply with the security policy, the Policy Enforcer generates a
violation (or violations), and then either forwards the request or blocks the
request, depending on the blocking mode of the security policy.
The Policy Enforcer can also check responses from the web application. If
you enable the Check Responses setting on an object type, the system verifies
that the response received from the web application matches the security
policy. If the response complies with the security policy, the system sends
the response to the client. If the response does not comply with the security
policy, the Policy Enforcer generates the relevant violation (or violations),
and then either forwards the response or blocks the response, depending on
the blocking mode of the security policy.
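How the Learn, Alarm and Block flags, the blocking mode and the Policy Enforcer combine, as an added example covering both the flag descriptions above and the enforcement behaviour in this section. This is a Python model written for this guide, not ASM code; the violation names come from this chapter, while the flag settings and sample requests are constructed.

```python
"""Model of the Blocking Policy flags and blocking mode (constructed example,
not ASM code). It computes what the enforcer does with a request that
triggered one or more violations."""
from dataclasses import dataclass, field


@dataclass
class Flags:
    """Learn/Alarm/Block flags for one violation on the Blocking Policy screen."""
    learn: bool = False
    alarm: bool = False
    block: bool = False
    log_only: bool = False   # violation for which no learning suggestions exist

    def __post_init__(self):
        # Enabling the Block flag automatically enables the Alarm flag.
        if self.block:
            self.alarm = True


@dataclass
class Disposition:
    """What happened to the request and what the system recorded."""
    forwarded: bool = True            # request reaches the web application
    blocking_page: bool = False       # blocking response page sent to client
    learning_suggestions: list = field(default_factory=list)
    forensic_log: list = field(default_factory=list)
    security_events: list = field(default_factory=list)   # Statistics >> Events


def enforce(violations, policy, blocking_mode):
    """Apply the Blocking Policy to a request that triggered `violations`.

    policy: dict mapping a violation name to its Flags; violations absent
            from the dict are treated as having no flags enabled.
    blocking_mode: True for blocking mode, False for transparent mode.
    """
    d = Disposition()
    for v in violations:
        f = policy.get(v, Flags())
        if f.learn:
            # Learn: log in Forensic information and, unless the violation
            # is marked Log Only, generate a learning suggestion.
            d.forensic_log.append(v)
            if not f.log_only:
                d.learning_suggestions.append(v)
        if f.alarm:
            # Alarm: log in Forensic information and record a security event.
            if v not in d.forensic_log:
                d.forensic_log.append(v)
            d.security_events.append(v)
        if f.block and blocking_mode:
            # Block only takes effect in blocking mode; in transparent mode
            # the request is alarmed but still forwarded.
            d.forwarded = False
            d.blocking_page = True
    return d


# Constructed policy: one fully enforced violation and one Log Only violation.
SAMPLE_POLICY = {
    "Illegal parameter": Flags(learn=True, alarm=True, block=True),
    "Illegal HTTP format": Flags(learn=True, log_only=True),
}

if __name__ == "__main__":
    for mode in (False, True):
        print("blocking_mode =", mode,
              enforce(["Illegal parameter"], SAMPLE_POLICY, mode))
```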

Understanding security policy violations


The Blocking Policy screen displays all of the possible security policy
violations for which the system can generate learning suggestions, generate
alarms, or block requests. The violations fall into the following categories.
RFC violations
Access violations
Length violations
Input violations
Cookie violations
Negative security violations

The following sections describe the violations. For information on setting
the alarms and blocking, see Configuring the Learn, Alarm, and Block flags,
on page 5-35.

Overview of RFC violations


The Application Security Manager reports RFC violations when the format
of an HTTP request violates the HTTP RFCs. RFC documents are the
general specifications that summarize the standards used across the internet
and networking engineering community. RFCs, as they are commonly
known, are published by the Internet Engineering Task Force (IETF).
(For more information on RFCs, see http://www.ietf.org/rfc). Table 5.4
lists the RFC violations.

RFC violation types Description

Illegal HTTP format The format of the incoming request does not comply with the standards as
specified in the RFCs for HTTP. Note that the local traffic parser may prevent
certain poorly-formed requests from reaching the Application Security Manager. In
these cases, the system does not generate this violation.

Non-RFC request The request does not comply with the RFC for the HTTP protocol.

Not RFC compliant cookie The format of the Cookie header in the request does not comply with the standards
as specified in the RFCs for HTTP.

Table 5.4 RFC violation types

Important
The Application Security Manager does not generate learning suggestions
for RFC violations. The system does, however, log requests that generate
RFC violations in the Forensics information for the web application.

Overview of access violations


Access violations occur when an HTTP request tries to gain access to an
area of a web application, and the security policy detects a reference to one
or more entities that are not defined in the security policy as part of the web
application. The access violations are listed in Table 5.5.

Access violation type Description

Illegal entry point The incoming request references an object that is not defined as an entry point.

Illegal flow to object The incoming request references a flow that is not found in the security policy.

Illegal object type The incoming request references an object type not found in the security policy.

Illegal method The incoming request references an HTTP request method that is not found in the
security policy.

Non-existent object The incoming request references an object that is not found in the security policy.

Table 5.5 Access violation types

Overview of length violations


Length violations occur when an HTTP request contains an entity that
exceeds the length setting that is defined in the security policy.

Illegal cookie length
    The incoming request includes a Cookie header that exceeds the
    acceptable length as specified in the security policy.

Illegal header length
    The incoming request includes an HTTP header that exceeds the
    acceptable length as specified in the security policy.

Illegal object length
    The incoming request references an object whose length exceeds the
    acceptable length as specified in the security policy.

Illegal POST data length
    The incoming request contains POST data whose length exceeds the
    acceptable length as specified in the security policy.

Illegal query string length
    The incoming request contains a query string whose length exceeds the
    acceptable length as specified in the security policy.

Illegal request length
    The incoming request length exceeds the acceptable length as specified
    in the security policy.

Request length exceeds defined buffer size
    The incoming request is larger than the buffer for the Policy Enforcer
    parser.

Table 5.6 Length violation types

Overview of input violations


Input violations occur when an HTTP request includes a parameter that
contains data or information that does not match, or comply with, the
security policy. Input violations most often occur when the security policy
contains defined user-input parameters. Table 5.7 lists the types of input
violations.

Failure to convert character
    The incoming request contains a character that does not comply with
    the encoding of the web application (the character set of the security
    policy), and the Policy Enforcer cannot convert the character to the
    current encoding.

Forbidden Null in request
    The incoming request contains a NULL character (0x00).

Illegal dynamic parameter value
    The incoming request contains a dynamic parameter value that does not
    comply with the security policy.

Illegal empty parameter value
    The incoming request contains a parameter whose value is empty when it
    must contain a value.

Illegal meta character in parameter value (defined parameter)
    The incoming request includes a defined parameter whose value contains
    a meta character that is not allowed according to the parameter's
    definition.

Illegal number of mandatory parameters
    The incoming request contains either too few or too many mandatory
    parameters on a flow. Note that only flows can contain mandatory
    parameters.

Illegal parameter
    The incoming request contains a parameter that is not defined in the
    security policy.

Illegal parameter data type
    The incoming request contains a parameter for which the data type does
    not match the data type that is defined in the security policy. The
    data types to which this violation applies are integer, email, and
    phone.

Illegal parameter numeric value
    The incoming request contains a parameter whose value is not in the
    range of decimal or integer values defined in the security policy.

Illegal parameter value length
    The incoming request contains a parameter whose value length does not
    match the value length that is defined in the security policy. Note
    that this violation is relevant only for user input parameters.

Illegal Query-String or POST data
    The incoming request contains a query string or POST data that is not
    found in the security policy.

Illegal static parameter value
    The incoming request contains a static parameter whose value is not
    defined in the security policy.

Malicious parameter value
    The incoming request includes a parameter whose value contains a
    pattern that matches a negative regular expression (attack pattern) in
    the security policy.

Null in multi-part parameter value
    The incoming multi-part request has a parameter value that contains a
    NULL character (0x00).

Parameter value doesn't comply with regular expression
    The incoming request contains an alphanumeric parameter value that does
    not match the expected pattern specified by the regular-expression
    field for that parameter.

Value too long for pattern checks
    The incoming request contains a parameter value that is too long for
    the Policy Enforcer to apply regular expressions.

Table 5.7 Input violation types

Note

The Policy Enforcer cannot distinguish between dynamic parameters that
have been defined incorrectly, and dynamic parameters that actually
contain bad values. In both cases, the system issues the Illegal parameter
violation. It is up to the user to evaluate the request, to determine what
caused the violation.

Overview of cookie violations


Cookie violations occur when the cookie values in the HTTP request differ
from those defined in the security policy. Most of the cookie violations are
related to longer client sessions. Table 5.8 lists the cookie violation types.

Cookie violation type Description

Expired timestamp The time stamp in the HTTP cookie is old, which indicates that a client
session has expired.

Illegal session ID in URL The incoming request contains a session ID value that does not match the
session ID value from a previous request from the same client.

Modified ASM cookie The incoming request contains an Application Security Manager (ASM)
cookie that has been modified or tampered with.

Modified domain cookie(s) The domain cookies in the HTTP request do not match the original domain
cookies or are not defined as allowed modified domain cookies in the security
policy.

Wrong message key The incoming request contains an ASM cookie that was created in another
session.

Table 5.8 Cookie violation types

Overview of negative security violations


Negative security violations occur when an incoming request contains a
character that does not match the security policy's defined character set, or
contains a string pattern that matches a regular expression in the security
policy's negative regular expressions pool.

Note

For more information on the negative regular expressions pool, see
Overview of the default negative regular expressions pool for security
policies, on page 10-5.

Table 5.9 lists the negative security violations.

Illegal HTTP status in response
    The server response contains an HTTP status code that is not defined
    in the security policy.

Illegal meta character in header
    The incoming request includes a header whose value contains a meta
    character that is not defined in the security policy. Note that if you
    accept the meta character that caused the violation, the Application
    Security Manager updates the character set for header values to
    include the meta character.

Illegal meta character in object
    The incoming request includes an object that contains a meta character
    that is not defined in the security policy.

Illegal meta character in parameter name
    The incoming request includes a parameter name that contains a meta
    character that is not defined in the security policy.

Illegal meta character in parameter value (undefined parameter)
    The incoming request includes a parameter that is not defined in the
    security policy, and whose value contains a meta character that is not
    allowed, according to the security policy character set.

Illegal pattern in header value
    The incoming request includes a header whose value contains a pattern
    that matches a negative regular expression (attack pattern) in the
    security policy.

Illegal pattern in object
    The incoming request includes an object that contains a pattern that
    matches a negative regular expression (attack pattern) in the security
    policy.

Illegal pattern in parameter=value pairs
    The incoming request includes a parameter and value, which together
    contain a pattern that matches a negative regular expression (attack
    pattern) in the security policy.

Illegal pattern in response
    The HTTP response contains a pattern that matches a negative regular
    expression (attack pattern) in the security policy.

Table 5.9 Negative security violation types

Maintaining a security policy


Security policies can change and evolve over time. As the nature of the web
traffic through the web application changes, you adjust the security policy as
required. Several options exist to facilitate the maintenance of the security
policy. You have the option to:
Copy a security policy
Export a security policy
Import a security policy
Merge two security policies
Remove a security policy
Restore a deleted security policy
View the history of a security policy

Editing an existing security policy


Editing a security policy is an efficient way to update the security policy
over time. The easiest way to access a security policy for editing is from the
Web Application properties screen.

To choose a security policy to edit from the Web Application properties
screen

1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of the web application for
which you want to edit the security policy.
The Web Application properties screen opens.
3. In the Security Policies List, click the name of the security policy
that you want to edit.
The Policy Properties screen opens.
4. Make any changes that are required.

Important
Remember that if you make any configuration changes in the security policy,
the changes do not take effect until you set the active policy. See Setting the
active policy for a web application, on page 5-33 for more information.


Copying a security policy


You can copy a security policy to quickly duplicate policies or create
policies that differ only in a few details.

Note

When you copy a security policy, the system does not copy the data from the
Policy Builder log. See Working with the Policy Builder log, on page 6-22,
for information on the Policy Builder log.

To copy a security policy


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of the web application whose
security policy you want to copy.
The Web Application properties screen opens.
3. In the Security Policies List, select the security policy that you want
to copy, and click the Copy button below the list.
The Copy Policy screen opens.
4. In the New Security Policy Name box, type a name for the security
policy, and then click Copy.
The system displays a success message when the copy is completed.
5. Click OK.
The screen refreshes, and you see the new security policy in the
Security Policies List.

Important
In the Security Policies List, the Active icon next to a security policy
indicates that this policy is active. The Modified icon indicates that the
security policy has been modified, and you must click the Set Active Policy
button to implement any changes in the security policy.

Exporting a security policy


There are different reasons for exporting a security policy. For example, you
may want to export a security policy for one web application so that you can
use the exported policy as a baseline for a new web application. You can
also export a security policy to archive it on a remote system before you
upgrade the system software, to create a backup copy, or to use the exported
security policy in a policy merge. (See Merging two security policies, on
page 5-45, for more information on merging policies.)

Note

When you export a security policy, the system does not export the data from
the Policy Builder log. See Working with the Policy Builder log, on page
6-22, for information on the Policy Builder log.

To export a security policy


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of the web application whose
security policy you want to export.
The Web Application properties screen opens.
3. In the Security Policies List, select the security policy that you want
to export, and click the Export button below the list.
A file download screen opens.
4. Click Save.
A Save As popup screen opens.
5. Navigate to the remote location where you want to save the security
policy, and click Save.
The system exports the security policy and saves it in the remote
location.

Merging two security policies


You can use the policy merge option to combine two security policies. For
example, you can use the policy merge option to merge a security policy that
you have built offline into a security policy that is on a production system.
The merge mechanism is somewhat lenient when it merges the second
security policy into the first security policy. The merge action does not
delete anything from the target security policy. Where there are conflicts,
the system retains the setting of the target security policy. If there are
unresolved conflicts, the system reports them in the Merge Report. The
Merge Report contains the following information about the merge:
The number of records added to the target security policy from the
merged security policy
Any conflicts that occurred and their resolution
A list of unresolved conflicts

If you enable verbose logging for the merge, the Merge Report also contains
the following information:
Entities that are in the target security policy only
Entities in the target security policy whose values are different from
those in the merged security policy (If this occurs, the system does not
change the target security values.)

Once the merge is complete, you have the option of saving the Policy Merge
Report as a text file (*.txt), so that you can review the details of the merge,
and resolve any conflicts, or errors, that may have occurred.
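To make the merge rules concrete, here is an added Python model of the behaviour described above; it is not F5's implementation. Nothing is removed from the target, the target wins on conflicts, and the report lists records added, conflicts with their resolution, unresolved conflicts and, in verbose mode, target-only and differing entities. The policy structure, the sample policies and the treatment of list-valued settings as additive (so that they resolve by appending) are assumptions made for the example.

```python
import copy


def merge_policies(target, merged, verbose=False):
    """Merge `merged` into a copy of `target` following the documented rules.

    Policies are modelled as {entity_type: {entity_name: {setting: value}}}
    (an assumption for this example).  Nothing is ever deleted from the
    target; where both policies define the same setting differently, the
    target's value is retained.  The returned report mirrors the Merge
    Report: records added, conflicts with their resolution, unresolved
    conflicts and, in verbose mode, target-only and differing entities.
    """
    # Work on a copy so the caller's `target` doubles as the pre-merge backup.
    result = copy.deepcopy(target)
    report = {"added": 0, "conflicts": [], "unresolved": []}
    if verbose:
        report["target_only"] = []
        report["differing"] = []

    for etype, entities in merged.items():
        table = result.setdefault(etype, {})
        for name, settings in entities.items():
            if name not in table:
                table[name] = copy.deepcopy(settings)
                report["added"] += 1
                continue
            current = table[name]
            for key, value in settings.items():
                if key not in current:
                    current[key] = copy.deepcopy(value)   # new setting, nothing overwritten
                    continue
                if current[key] == value:
                    continue
                entry = f"{etype}:{name}.{key}"
                if verbose:
                    report["differing"].append(entry)
                if isinstance(current[key], list) and isinstance(value, list):
                    # Assumption for this example: list-valued settings (allowed
                    # methods, meta characters, ...) are additive, so the conflict
                    # resolves by appending whatever the target lacks.
                    missing = [v for v in value if v not in current[key]]
                    current[key].extend(missing)
                    report["conflicts"].append(
                        f"{entry}: added {len(missing)} value(s) from the merged policy")
                else:
                    # Scalar settings cannot be combined: keep the target's value
                    # and flag the conflict for manual review.
                    report["conflicts"].append(f"{entry}: kept target value {current[key]!r}")
                    report["unresolved"].append(entry)

    if verbose:
        for etype, entities in result.items():
            for name in entities:
                if name not in merged.get(etype, {}):
                    report["target_only"].append(f"{etype}:{name}")
    return result, report


# Constructed sample policies: the production policy and one built offline.
PRODUCTION = {
    "objects": {"/index.html": {"type": "html", "methods": ["GET"]}},
    "parameters": {"user": {"max_len": 16}, "session": {"max_len": 40}},
}
OFFLINE = {
    "objects": {
        "/index.html": {"type": "html", "methods": ["GET", "POST"]},
        "/about.html": {"type": "html", "methods": ["GET"]},
    },
    "parameters": {"user": {"max_len": 32}, "lang": {"max_len": 2}},
}

if __name__ == "__main__":
    merged_policy, merge_report = merge_policies(PRODUCTION, OFFLINE, verbose=True)
    print(f"records added: {merge_report['added']}")
    for line in merge_report["conflicts"] + merge_report["unresolved"]:
        print(line)
```

Run against the constructed policies, two records are added, the `methods` list of `/index.html` gains `POST`, `user.max_len` stays at the target's 16 and is reported as unresolved, and `session` appears under target-only because the offline policy never mentions it.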

To merge two security policies


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of the web application whose
security policy is the target of the merge.
The Web Application properties screen opens.
3. In the Security Policies List, select the security policy that is the
target security policy (the one into which the system merges the
second security policy), and click the Merge button below the list.
The Merge Policies screen opens.
4. In the Merge Policies area, for the Policy To Be Merged setting,
either type a path, or click the Browse button, and navigate to the
file that you want to merge into the target security policy.
5. If you want to save a pre-merge copy of the target security policy,
check the Backup Target Policy setting.
6. If you want the merge action to include additional details about the
merge, check the Verbose Mode setting.
7. Click the Merge button.
The system merges the second security policy into the target
security policy, and produces the Merge Report.
8. Click the Download Full Report button to open or save the entire
Merge Report.

Importing a security policy


You can import a security policy to quickly apply a security policy to a new
web application. You can also use the import option to restore a security
policy from a remote system.

To import a security policy


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of the web application for
which you want to import a security policy.
The Web Application properties screen opens.

3. Below the Security Policies List, click the Import button.
The Import Policy screen opens.
4. In the Choose File box, type the path to the security policy that you
want to import. Alternately, click the Browse button and navigate to
the security policy that you want to import.
5. Click Import.
The system displays a success status message when the operation is
complete.
6. Click OK.
The screen refreshes, and the imported security policy is in the
Security Policies List.

Important
The names of security policies must be unique within the Application
Security Manager. If a security policy with the same name already exists in
the Application Security Manager configuration, the system renames the
imported security policy by appending a sequential number to the name.

Deleting a security policy


You can delete a security policy from the configuration, provided that the
security policy is not active.

To delete a security policy


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of the web application for
which you want to delete a security policy.
The Web Application properties screen opens.
3. In the Security Policies List, select the security policy that you want
to delete, and click the Delete button below the list.
A confirmation popup screen opens, to confirm that you want to
delete the security policy.
4. Click OK.
The screen refreshes and you no longer see the security policy in the
Security Policies List.

Important
You cannot remove a security policy that is currently active. The active
policy for a web application has the Active icon next to the name in the
Security Policies List.

Restoring a deleted security policy


If you delete a security policy, and later decide that you did not want to do
that, you can restore the security policy from the Policy Recycle Bin.

To restore a security policy


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of the web application for
which you want to restore the security policy.
The Web Application Properties screen opens.
3. Below the Security Policies List, click the Import button.
The Import Policy screen opens.
4. In the Policy Recycle Bin list, select the security policy that you
want to restore, and then click the Restore button.
A confirmation popup screen opens, where you confirm that you
want to restore the security policy.
5. Click Restore.
The system restores the security policy, and displays a success
message.
6. Click OK.
The screen refreshes, and you see the restored security policy in the
Policies List.

Viewing and restoring an archived security policy


The Application Security Manager keeps an archive of security policies that
have been set to active. Every time you make a security policy the active
security policy, the system saves a version of that security policy, and
archives it. The system retains up to fifty archived versions. You can restore
any of the archived security policies, and make it the active security policy.

Tip
In the Security Policies List, on the Web Application Properties screen, the
security policy version number is in square brackets next to the security
policy name.

To view and restore an archived security policy


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of the web application for
which you want to restore the security policy.
The Web Application Properties screen opens.

3. Below the Security Policies List, click the History button.
The History for policy <policy_name> screen opens, where you can
see version history for the security policy.
4. If you want to restore an archived security policy, select the version,
and then click the Restore button below the list.
The Restore Policy <policy_name> As popup screen opens.
5. In Security Policy Name box, change the name as required.
6. If you do not want the restored security policy to be immediately
active, clear the Apply Policy box.
7. Click OK.
The popup screen closes, and on the Web Applications Properties
screen, you see the restored security policy in the Security Policies
List area.


Viewing the security policy using the security policy audit tools

Because the entire security policy cannot reasonably be viewed on one
screen, the Application Security Manager includes several audit tools that
enable you to query a security policy for the information you need. Some of
these audit tools analyze suspicious policy states (for example, an object
without flows, or parameters with zero length). Each report isolates a
pre-defined state, and helps you identify conflicts and errors in the
security policy.
To use the security policy audit filters
1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of a security policy.
The Policy Properties screen opens.
4. Click Audit Tools on the menu bar.
The Policy Audit Tools screen opens.
5. From the Tool Type list, select an audit tool, and then click Go.
The screen refreshes, and the system displays the information
according to the audit tool properties.

6
Building a Security Policy With the Policy Builder

Overview of the Policy Builder

Configuring the general settings for the Policy Builder

Understanding the Policy Builder operation modes

Running the Policy Builder

Viewing the status of the Policy Builder

Stopping the Policy Builder

Working with the Policy Builder log


Overview of the Policy Builder


The Policy Builder is the tool with which you create a security policy. The
Policy Builder parses requests and responses and populates the security
policy with the entities that it finds, including object types, object names,
flows, parameter types and extractions, meta characters, and negative
security settings (meta characters and regular expressions). This relaxes
the security policy so that, once you make this security policy active, the
Application Security Manager does not issue violations against similar
requests, or block them (if Blocking is enabled).
The Policy Builder has three operation modes: Real Traffic (Responses)
mode, Real Traffic (Requests) mode, and Generated Traffic mode. The Real
Traffic operation modes analyze logged requests to, or responses from, the
web application. The Generated Traffic operation mode emulates user
behavior by crawling the web application. For more information on the
Policy Builder operation modes, refer to Understanding the Policy Builder
operation modes, on page 6-10.

Configuring the general settings for the Policy Builder

Before you use the Policy Builder to populate a security policy, you first
configure the general settings for the tool itself. The general settings
determine the default options and behaviors for the Policy Builder.

Tip
The general settings for the Policy Builder apply to all of the Policy Builder
operation modes.

To configure the Policy Builder general settings


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of the web application for
which you want to run the Policy Builder.
The Web Application Properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of the security policy that you want to update.
The Policy Properties screen opens.
4. Below the Policy Builder section, click the General Settings
button.
The Policy Builder General Settings screen opens, where you can
make any changes that are required.

The following sections of this chapter describe the Policy Builder general
settings, and how to configure them.

Configuring a Policy Builder domain


The first Policy Builder general setting that you configure is the Policy
Builder domain. The Policy Builder uses the Policy Builder domain to
differentiate between objects that belong to the web application, and objects
that do not belong to the web application (but to which the web application
contains links). For example, the home page in your web application may
contain a link to an external search engine. If you configure a Policy Builder
domain, the Policy Builder updates the security policy with entities from
your web application, and does not update the security policy with entities
that belong to the external search engine.
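The following added Python example (not the Policy Builder's own code) shows what populating the security policy from a response and applying the Policy Builder domain filter amount to: it parses one HTML response, records the objects, object types, flows and parameters the page links to, and discards links whose host is not a configured Policy Builder domain, such as the external search engine mentioned above. The HTML sample, the host names and the entity representation are constructed for the example.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect link targets and form definitions from one HTML response."""

    def __init__(self):
        super().__init__()
        self.links = []     # href/src values of <a>, <img> and <script>
        self.forms = []     # (action, [input names]) per <form>
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("img", "script") and a.get("src"):
            self.links.append(a["src"])
        elif tag == "form":
            self._form = (a.get("action") or "", [])
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form[1].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def _object_type(path):
    """File extension of an object path; 'no_ext' is a constructed placeholder."""
    ext = posixpath.splitext(path)[1].lstrip(".").lower()
    return ext or "no_ext"


def extract_entities(response_url, html, builder_domains):
    """Return the policy entities one response contributes, restricted to
    hosts in `builder_domains` (a set of fully-qualified host names that
    stand for the configured Policy Builder domains)."""
    collector = _LinkCollector()
    collector.feed(html)
    base = urlsplit(response_url)
    entities = {
        "objects": {base.path},                    # the response's own object
        "object_types": {_object_type(base.path)},
        "flows": set(),                            # (source object, target object)
        "parameters": {},                          # object -> set of parameter names
    }

    def record(raw_url, form_params):
        if raw_url.startswith("#"):                # fragment only: same object, no new flow
            return
        target = urlsplit(urljoin(response_url, raw_url))
        if target.hostname not in builder_domains:
            return                                 # external link: not added to the policy
        entities["objects"].add(target.path)
        entities["object_types"].add(_object_type(target.path))
        entities["flows"].add((base.path, target.path))
        names = [n for n, _ in parse_qsl(target.query, keep_blank_values=True)]
        names += list(form_params)
        if names:
            entities["parameters"].setdefault(target.path, set()).update(names)

    for url in collector.links:
        record(url, [])
    for action, names in collector.forms:
        record(action, names)
    return entities


# Constructed sample response from the application's home page.
SAMPLE_HTML = """<html><head><title>Home</title><script src="/js/app.js"></script></head>
<body>
<a href="/catalog.php?cat=books&amp;page=1">Books</a>
<a href="http://search.example.net/?q=test">External search</a>
<img src="images/logo.gif">
<form action="/login.php" method="post">
  <input name="username"><input type="password" name="password">
  <input type="submit" value="Go">
</form>
<a href="#top">Top</a>
</body></html>"""

if __name__ == "__main__":
    found = extract_entities("http://myapp.example.com/index.html", SAMPLE_HTML,
                             {"myapp.example.com"})
    for kind, value in found.items():
        print(kind, sorted(value) if isinstance(value, set) else value)
```

With `myapp.example.com` as the only Policy Builder domain, the search engine link contributes nothing, while the local script, image, catalog link and login form yield five objects, four object types, four flows out of `/index.html`, and parameter names for `/catalog.php` and `/login.php`.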

Important
You must configure a Policy Builder domain if you plan to run the Policy
Builder in either the Real Traffic (Responses) operation mode, or the
Generated Traffic operation mode. For more information on the operation
modes, see Understanding the Policy Builder operation modes, on page
6-10.

The Policy Builder domain settings should match the client SSL and server
SSL settings for the local traffic virtual server with which the application
security class is associated. Otherwise the Policy Builder cannot gain direct
access to the web server that is hosting the web application. You can
configure the Policy Builder domain settings to use any combination of
HTTP and HTTPS. Table 6.1 shows the mapping.

If the virtual server uses | Then the Policy Builder domain setting is | Enable server-side encryption?
No client SSL              | Use HTTP                                  | No
Client SSL                 | Use HTTPS                                 | No
Server SSL                 | Use HTTP or Use HTTPS                     | Yes

Table 6.1 Mapping virtual server settings to Policy Builder domain settings

To configure a Policy Builder domain


1. On the Policy Builder General Settings screen, above the Policy
Builder Domains area, click Create.
The Create New Policy Builder Domain popup screen opens.
2. In the Host box, type the fully-qualified domain name of the web
server.
3. In the HTTP Settings section, configure the following options:
a) If the web application accepts HTTP traffic, check the Use
HTTP box.
b) In the IP box, type the address of the web server.
c) In the Port box, type the port for the HTTP service, typically 80.
d) If the virtual server uses server SSL, so that traffic between the
system and the web server is encrypted, check the Use Encryption
box (see Table 6.1).
4. In the HTTPS Settings section, configure the following options:
a) If the web application accepts HTTPS traffic, check the Use
HTTPS box.
b) In the IP box, type the address of the web server.
c) In the Port box, type the port for the HTTPS service, typically 443.
d) If the virtual server uses server SSL, so that traffic between the
system and the web server is encrypted, check the Use Encryption
box (see Table 6.1).
5. Click OK.
The system adds the new Policy Builder domain to the
configuration.

Configuring the Start Points general setting


The Policy Builder starts the data collection process for a web application
from a URL. This URL is known as the start point. The start point is usually
the web application's home page. If the web application has several start
points, you can instruct the Policy Builder to scan the application from each
start point, separately. For example, an online banking site has a public area,
which anyone can access, and a secure area that requires a unique login.
When a customer logs in to the secure area, they may be redirected to a
different web application. To successfully map the entire web application,
the Policy Builder must know about all of these start points.

Important
You must configure a start point if you plan to run the Policy Builder in the
Generated Traffic operation mode. For more information on the operation
modes, see Understanding the Policy Builder operation modes, on page
6-10.

To define a Policy Builder start point


1. On the Policy Builder General Settings screen, above the Start
Points section, click Create.
The Create New Policy Builder Start Point popup screen opens.
2. In the Domain box, select the Policy Builder domain for which you
are creating a start point.
3. In the Start Point box, type the address of the default start page of
the application, for example,
http://myapp.example.com/index.html.
Important: Every start point must reference a Policy Builder
domain.

4. Click OK.
The system adds the new start point to the Policy Builder Generated
Traffic settings.

Tip
If your web application has more than one start point, we recommend that
you run the Policy Builder one or more times to scan the public access areas
of the web application, and then run the Policy Builder with the login
information configured, to scan the secure areas of the web application.

Configuring the Form Fillers general setting


You can use the Form Fillers general setting to define form parameters and
values that the Policy Builder then uses to fill in forms. For example, if your
web application has a login form, you can define the user name and
password parameters, and their corresponding values.
When you run the Policy Builder in the Generated Traffic operation mode,
the Policy Builder populates the form fillers parameters. You can then
review the form filler parameters to provide the appropriate values.

Tip
Sometimes the parameter names are not self-explanatory, and you may need
to consult with the web application programmer. If it is available to you,
you can also search the HTML source code for this information.

To create a form filler component


1. On the Policy Builder General Settings screen, above the Form
Fillers section, click Create.
The Create New Policy Builder Parameter popup screen opens.
2. In the Parameter Name box, type the name of the parameter, for
example, username.
3. In the Parameter Type box, select the appropriate type. Note that if
you select password, the system displays asterisks instead of clear
text in the Form Fillers list.
4. In the Parameter Value box, type the value that you want the
Policy Builder to enter when it reaches the specified parameter. If
the parameter type is password, the system requires you to confirm
the value.
5. Click OK.
The system adds the new form filler entry to the Policy Builder
Generated Traffic settings.

Configuring the Page Not Found Criteria general setting


When a request for a non-existent web page arrives, web applications
typically return a standard HTTP 404 response page with a page not found
error message. A predictable 404 response can be exploited to stage attacks,
for example to enumerate which objects exist on the server. To deny
attackers that information, some web applications return customized error
pages that use the HTTP 200 status code instead of the HTTP 404 status
code, so that the content of the error page stays under the application
designer's control.
By default, the Policy Builder adds pages that return HTTP 200 OK to the
security policy, and ignores pages that return HTTP 404. If you do not
define the Page Not Found Criteria setting, the Policy Builder attempts to
identify error pages by itself. If your web application uses customized
error pages (those that do not return the HTTP 404 status code), you need to
supply a text string that those pages contain, so that the Policy Builder
can identify them as error pages and avoid adding them to the security policy
as valid objects. The Policy Builder can recognize an error page by its file
name, or by text strings found in the HTML <TITLE> or <BODY> tags.

Tip
The Policy Builder always follows the redirect link, if one is configured. The
Policy Builder identifies the page behind the link, and avoids the link if the
identified page is included in the Page Not Found list.
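As an added example (not F5's code), this Python function models the Page Not Found decision described above: a real 404 is skipped, only 200 responses are candidates for the policy, and a 200 response is still skipped when a configured criterion matches its file name, its <TITLE> text or its <BODY> text. The criterion names ("file name", "title", "body"), the sample criteria and the sample pages are constructed for the example; how the product treats other status codes is not stated on this page, so the example simply does not add them.

```python
import posixpath
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Split the text of a page into its <TITLE> content and everything else."""

    def __init__(self):
        super().__init__()
        self.title, self.body = [], []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        (self.title if self._in_title else self.body).append(data)


def classify_response(path, status, html, criteria):
    """Return None when the Policy Builder should add the page to the policy,
    otherwise a string saying why the page is treated as 'not found'.

    `criteria` is a list of (apply_to, search_item) pairs; apply_to is one of
    "file name", "title" or "body" (names assumed for this example).
    """
    if status == 404:
        return "HTTP 404"                       # default: real 404 pages are never added
    if status != 200:
        # Redirects are followed to the page behind them (see the Tip above);
        # for this example, no non-200 response becomes an object itself.
        return f"HTTP {status}: not a 200 response"
    extractor = _TextExtractor()
    extractor.feed(html)
    haystacks = {
        "file name": posixpath.basename(path),
        "title": " ".join(extractor.title),
        "body": " ".join(extractor.body),
    }
    for apply_to, item in criteria:
        if item.lower() in haystacks[apply_to].lower():
            return f"Page Not Found criterion: {apply_to} contains {item!r}"
    return None


# Constructed criteria for an application that answers unknown URLs with
# HTTP 200 and a branded error page.
CRITERIA = [
    ("title", "Page Not Found"),
    ("file name", "error404.html"),
    ("body", "The page you requested does not exist"),
]

# Constructed sample responses: (path, status, html).
SAMPLES = [
    ("/index.html", 200, "<html><head><title>Home</title></head><body>Welcome</body></html>"),
    ("/missing.php", 200, "<html><head><title>Page Not Found</title></head><body>Sorry</body></html>"),
    ("/error404.html", 200, "<html><head><title>Oops</title></head><body>Try again</body></html>"),
    ("/old.asp", 200, "<html><body><h1>Error</h1>The page you requested does not exist.</body></html>"),
    ("/nope", 404, ""),
]

if __name__ == "__main__":
    for path, status, html in SAMPLES:
        print(path, "->", classify_response(path, status, html, CRITERIA) or "add to policy")
```

Only the home page survives: the three HTTP 200 error pages are each caught by a different criterion, which is the case the setting exists for, since a crawler keyed on status codes alone would add all of them as valid objects.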

To define a customized error page


1. On the Policy Builder General Settings screen, above the Page Not
Found Criteria section, click Create.
The Create New Page Not Found Criteria popup screen opens.
2. In the Apply to box, select the object that the Policy Builder
searches to identify the error page.
3. In the Search Item box, type the header or string that the Policy
Builder searches for.
4. Click OK.
The system adds the new page not found criteria for the custom
error page to the Policy Builder settings.

Configuring the Properties general setting


The Properties section provides additional ways to customize the Policy
Builder. For example, you can instruct the Policy Builder to analyze
JavaScript code included in the web application, or to create flows for
cacheable objects.

To specify the properties general settings


1. On the Policy Builder General Settings screen, in the Properties
section, enable or modify the properties as required. Each property
is described in Table 6.2.
2. Click Save.
The system saves any changes you made to the Policy Builder
properties.

Analyze JavaScript (default setting: Enabled (checked))
    Specifies whether the Policy Builder analyzes or ignores JavaScript code. This is useful if the scripts contain references to links that can be followed, or if they include form fields that need to be filled.

Create back flows (default setting: Enabled (checked))
    Specifies whether the Policy Builder creates back flows in the security policy for referrer objects. You can use the back flow information to impose rules on navigating backwards, which occurs when the visitor uses the Back button.

Create cache flows (default setting: Enabled (checked))
    Specifies whether the Policy Builder creates flows in the security policy for objects that a web browser can cache, for example, image files.

Table 6.2 The Properties options in the Policy Builder general settings

Configuring the Object Types Associations general settings


The Object Types Associations general settings provide a list of file types
that are frequently used in web applications, and their most common usage
in the web application. In this list, you can configure how the Policy Builder
processes a certain file type or object, thus saving tedious manual
configuration in the security policy. For example, image files would not
typically be a link, so you can use the object types associations settings to
instruct the Policy Builder to define all image files (*.bmp, *.gif, *.jpg, and
so on) as files that are not referrers.
If an object type already exists in the security policy, then the Policy Builder
uses the security policy settings instead of the settings you define in the
Object Type Associations general settings. However, when the Policy
Builder discovers an object type that does not yet exist in the security policy,
the Policy Builder applies the object type associations that you define in the
Object Type Associations general settings to the new object.

The default settings provided in the object type associations list cover the
most common file types and associations, and you can adapt them to your
needs by checking or clearing boxes. Table 6.3 provides a description of the
default file types and their corresponding file type associations.

Option Description

Is Entry Point This option specifies whether all web objects of this type can be entry points to the
web application. If the security policy's flow mode is Simple, the system considers
all web objects to be entry points.

Is Referrer This option specifies whether objects of this type may contain references to other
files. For example, an HTML page that contains an HREF link or a CGI file that calls
another file, are referrers. Picture and sound files cannot be referrers because
these objects never contain links to other objects, and are not web pages.

Don't Check Flow This option specifies whether the system ignores or validates the flows to or from
objects of this file type.

Don't Check Object This option specifies whether the system ignores or validates the requests referring
to files (objects) of this type.

Table 6.3 The object type associations in the Policy Builder general settings

Creating a new object type in the Object Type Associations list


If your web application contains object types that are not included in the
default Object Types Associations list, you can create custom object type
associations, and add them to the list.

To create a custom object type association


1. On the Policy Builder General Settings screen, above the Object
Types Associations area, click Create.
The Create New Object Type popup screen opens.
2. In the Object Type box, type the file type extension for the new
object type. Note that object type names are not case-sensitive.
3. Click OK.
The screen refreshes, and the new object type appears in the Object
Types Associations list.
4. Check any associations that you want to make for the object type.
5. Click the Save button below the Object Type Associations list to
save any changes you have made.

Deleting an object type from the Object Type Associations list


You can easily remove any extra or unnecessary object types, and their
corresponding associations, from the Object Types Associations list. Note
that you can delete both custom object types, and the default object types.

To delete an object type and its object type associations


1. On the Policy Builder General Settings screen, in the Object Types
Associations area, check the box (in the Select column) to the left of
the object type that you want to delete from the Object Types
Associations list.
2. Below the Object Types Associations area, click the Delete button.
The system removes the object type from the list.

Restoring the default setting in the Object Types Associations list


If you have modified the Object Types Associations list, and you want to
remove those changes from the list entirely, you can restore the default
settings. Restoring the default settings returns the Object Types Associations
list to its original state, by removing any user-added object types, and by
resetting all of the associations for the default object types.

To restore the default settings for the Object Type Associations list
1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Applications list screen opens.
2. In the Name column, click the name of the web application for
which you want to run the Policy Builder.
The Web Application Properties screen opens.
3. In the Security Policies List, in the Security Policy Name column,
click the name of the security policy that you want to update.
The Policy Properties screen opens.
4. Below the Policy Builder section, click the General Settings
button.
The Policy Builder General Settings screen opens.
5. On the Policy Builder General Settings screen, below the Object
Types Associations area, click Restore Defaults.
A confirmation popup screen opens.
6. Click OK.
The screen refreshes and the system restores the default settings for
the Object Types Associations list.

Understanding the Policy Builder operation modes


You can run the Policy Builder in three operation modes. The operation
modes are:
Real Traffic (Responses)
The Real Traffic (Responses) operation mode extracts the web
application entities from the web application's HTTP or HTTPS
responses to client requests. Use this mode when you have used traffic
sampling to record traffic with responses. With this operation mode, you
can consider the content of the responses from your web application as
trusted, and the Policy Builder updates the security policy with the
outgoing links. For information on working with this Policy Builder
operation mode, see Configuring and using the Real Traffic (Responses)
operation mode, following.
Real Traffic (Requests)
The Real Traffic (Requests) operation mode extracts the web application
entities from the client HTTP or HTTPS requests to the web application.
Use this mode when you have used traffic sampling to record traffic that
caused false-positive violations, and you wish to automatically update
the security policy to accept that traffic. For information on working with
this Policy Builder operation mode, see Configuring and using the Real
Traffic (Requests) operation mode, on page 6-12.
Generated Traffic
The Generated Traffic operation mode uses system-generated traffic to
extract the web application entities from the web application. Use this
mode when you do not have any recorded traffic, and you want the
Policy Builder to automatically fetch requests (browse) against the web
application, process the responses, and use all the outgoing links. The
Policy Builder uses the collected information to update the security
policy to accept all of the generated traffic.For information on working
with this Policy Builder operation mode, see Configuring and using the
Generated Traffic operation mode, on page 6-14.

With all three operation modes, the Policy Builder uses the collected
information to immediately populate the security policy. The resulting
security policy contains web objects, entry point flows, and parameters
within the entry point flows. You can review all of the additions and updates
to the security policy in the Policy Builder log. For more information, refer
to Working with the Policy Builder log, on page 6-22.

Configuring and using the Real Traffic (Responses) operation mode

The preferred method to create and build a security policy is to run the
Policy Builder in the Real Traffic (Responses) operation mode. This is
because the data that the Policy Builder collects and uses to populate the
security policy is collected from responses from the web application itself.


Configuring the filter options for the Real Traffic (Responses) operation mode
In addition to the general settings for the Policy Builder, you can apply
several filter options to the Real Traffic (Responses) operation mode. The
filter options determine from which responses the Policy Builder extracts
the web application information that it uses to build or update the security
policy. You can use any combination of filter options, or you can run the
Policy Builder with the default options for this operation mode. Table 6.4
provides a description of the filter options for this operation mode.

Request Source IP
    Filters the responses by the source IP address of the client request.

Request Time Range
    Filters the responses to those that occur within the specified time range.

Request Object
    Filters the responses by a requested object within the web application.

Traffic
    Filters the responses by traffic that generated learning suggestions and
    traffic that generated alerts.

HTTP Response Code
    Filters the responses by the HTTP response code within the response.

Table 6.4 Filter options for the Real Traffic (Responses) operation mode

Running the Policy Builder in the Real Traffic (Responses) operation mode
Before you run the Policy Builder in the Real Traffic (Responses) operation
mode, you need to configure a Policy Builder domain (in the Policy Builder
general settings), if you have not already done so. See Configuring a Policy
Builder domain, on page 6-2, for more information. You must also turn on
traffic sampling. For more information, see Enabling traffic sampling for the
Policy Builder, on page 4-4.

To run the Policy Builder in the Real Traffic (Responses) operation mode
1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application for
which you want to run the Policy Builder.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy for which you want to
run the Policy Builder in the Real Traffic (Responses) operation
mode.
The Policy Properties screen opens.


4. In the Operation Mode setting, select Real Traffic (Responses),
and then click the Filters link next to the Real Traffic (Responses)
option.
The Policy Builder Properties - Real Traffic (Responses) screen
opens.
5. Make any changes that you require on this screen, and click the
Save button.
For help with the individual settings on this screen, click the Help
tab in the navigation pane.
6. Click the browser's Back button to return to the Policy Properties
screen.
7. In the Policy Builder area, make any other changes that you require.
8. Click the Start button below the Policy Builder area to start the
Policy Builder.
The Run Policy Builder popup screen opens, where you can monitor
the status of the Policy Builder.

Tip
When you run the Policy Builder in Real Traffic (Responses) mode, the
system generates a series of graphs on the Run Policy Builder screen. You
can use the graphs to help decide when to stop the Policy Builder, and start
using learning to refine the security policy. The graphs display the number
of new and updated web objects, parameters, and flows. When the updates
reach zero, the Policy Builder has added all of the entities that it can find.

Configuring and using the Real Traffic (Requests) operation mode


The Real Traffic (Requests) operation mode extracts security policy
information from requests. Note that you should use this operation mode
only with requests from trusted sources, for example, a test group within
your organization, or other internal users.

Configuring the filter options for the Real Traffic (Requests) operation mode
The filter options determine from which requests the Policy Builder extracts
the web application information that it uses to build or update the security
policy. You can use any combination of filter options, or you can run the
Policy Builder with the default options for this operation mode. Table 6.5
provides a description of the filter options for this operation mode.


Request Source IP
    Filters the requests by the source IP address of the client request.

Request Time Range
    Filters the requests to those that occur within the specified time range.

Request Object
    Filters the requests by a requested object within the web application.

Traffic
    Filters the requests by traffic that generated learning suggestions and by
    traffic that generated alerts.

HTTP Response Code
    Filters the requests by the HTTP response code within the response.

Table 6.5 Filter options for the Real Traffic (Requests) operation mode

Running the Policy Builder in the Real Traffic (Requests) operation mode

To run the Policy Builder in the Real Traffic (Requests) operation mode
1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application for
which you want to run the Policy Builder.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy for which you want to
run the Policy Builder in the Real Traffic (Requests) operation
mode.
The Policy Properties screen opens.
4. For the Operation Mode setting, select Real Traffic (Requests),
and then click the Filters link next to the Real Traffic (Requests)
option.
The Policy Builder Properties - Real Traffic (Requests) screen
opens.
5. Make any changes that you require on this screen, and click the
Save button.
For help with the individual settings on this screen, click the Help
tab in the navigation pane.
6. Click the browser's Back button to return to the Policy Properties
screen.
7. In the Policy Builder area, make any other changes that you require.


8. Click the Start button below the Policy Builder area to start the
Policy Builder.
The Run Policy Builder popup screen opens, where you can monitor
the status of the Policy Builder.

Note

In the Real Traffic (Requests) operation mode, the Policy Builder adds all
parameters as the User-Input parameter type.

Configuring and using the Generated Traffic operation mode


When you use the Policy Builder in the Generated Traffic operation mode, it
emulates user behavior by submitting data to the web application pages in
the same way users do.

Configuring the settings for the Generated Traffic operation mode


These are the settings you configure when you run the Policy Builder in the
Generated Traffic operation mode.

To configure the settings for the Generated Traffic operation mode
1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application for
which you want to run the Policy Builder.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy for which you want to
run the Policy Builder in the Generated Traffic operation mode.
The Policy Properties screen opens.
4. For the Operation Mode setting, select Generated Traffic, and
then click the Settings link next to the Generated Traffic option.
The Policy Builder Properties - Generated Traffic screen opens,
where you can configure any or all of the Generated Traffic
operation mode settings.

The following sections describe the Generated Traffic operation mode
settings that you can configure once you have opened the Policy Builder
Generated Traffic Settings screen.


Configuring the Logout Pages setting for the Generated Traffic operation mode
If the web application contains a page designed to log a visitor out of the
web application, you need to instruct the Generated Traffic operation mode
not to follow the logout link. Otherwise, when you run the Policy Builder in
Generated Traffic operation mode, it logs out of the web application before
it has fully scanned the application. For example, many web applications
have an Exit or Logout link right on the home page, which would cause the
Policy Builder to exit the application as soon as it enters. You can prevent
this behavior by using the Logout Pages setting to identify the logout points
that the Generated Traffic operation mode should avoid.

Note

If you configure the Generated Traffic operation mode to recognize (and
ignore) a logout page in a web application, the system adds this page to the
security policy.

To create a logout page


1. On the Policy Builder Generated Traffic Settings screen, above the
Logout Pages section, click Create.
The Create New Logout Page popup screen opens.
2. In the Logout Pattern (URL) box, type the relative path of the
logout page.
3. Click OK.
The system adds the new logout page component to the Policy
Builder Generated Traffic settings.

Configuring the Properties settings for the Generated Traffic operation mode
The Properties section provides additional ways to customize the Policy
Builder Generated Traffic operation mode. For example, you can adjust the
frequency at which the Generated Traffic operation mode probes the web
application.

To specify the properties options


1. On the Policy Builder Generated Traffic Settings screen, in the
Properties section, enable or modify the properties as required. Each
property is described in Table 6.2.
2. Click Save.
The system updates the configuration with any changes you may
have made to the Properties settings.


Accept untrusted SSL certificates (default: Enabled (checked))
    Specifies whether the Policy Builder Generated Traffic operation mode
    accepts untrusted SSL certificates.

Minimal delay between worm requests to web application (milliseconds) (default: 250)
    The Policy Builder Generated Traffic operation mode is a mechanism
    similar to a central unit sending out multiple simultaneous probes to
    the different areas of the web application in order to register web
    application components. Each probe exercises the web application by
    following links and filling in forms, similar to an actual user. This
    process increases the traffic to the web application. The Policy
    Builder Generated Traffic operation mode can send the probes in quick
    or slow succession. Quicker bursts create more traffic. A burst is
    measured by the delay, in milliseconds, that the Policy Builder waits
    before sending the next probe. If your web application is active and
    currently serving visitors, consider increasing this value in order to
    slow down the Policy Builder.

Number of threads to be used by the policy builder (default: 7)
    This parameter also relates to simultaneous probe activity. A smaller
    number of threads decreases the Policy Builder's bandwidth
    consumption, which keeps more bandwidth available for actual visitors.

Number of times the policy builder fetches requests with the same structure (default: 5)
    For this property, specify the number of samples that are sufficient
    for the Policy Builder to scan when it discovers identical structures.
    Applications may contain many identical structures within objects,
    where only the parameter values differ. The following examples
    illustrate identical structures that differ only by the parameter
    values:
        http://www.myapp.htm?par=111
        http://www.myapp.htm?par=222
        http://www.myapp.htm?par=333
        http://www.myapp.com?par=222&meter=567
        http://www.myapp.com?par=333&meter=123
    To reduce the policy building time (and the accompanying traffic),
    you can instruct the Policy Builder to scan only a few (and not all)
    of such identical structures, assuming that all others behave in the
    same way.
    Note: A higher value yields a more accurate security policy; however,
    it takes the Policy Builder longer to complete the process.

Maximum number of requests generated for each form by the form iterator (default: 1)
    When the Policy Builder encounters a form, it processes it as many
    times as the number of pre-defined parameter values included in it.
    For example, a list containing ten objects causes the Policy Builder
    to process the form ten times. You can reduce crawling time and
    traffic, however, by instructing the Policy Builder to process only a
    few of the objects and not all of them.
    For this property, specify the number of samples that you deem
    sufficient for the Policy Builder to process from the same form with
    different values. A higher value yields a more accurate policy with
    longer crawling times.

Emulate browser (default: Microsoft IE)
    If the web application works only with a particular Internet browser,
    select the relevant browser name from the list. The Policy Builder
    uses this property to select the User-Agent header data when it scans
    the web application.

Table 6.6 Properties options for the Policy Builder Generated Traffic settings
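How the Logout Pages setting and the same-structure and form iterator limits in Table 6.6 prune what the crawler fetches, modelled in Python as an added illustration that is not F5 code: the structure key (host, path and query parameter names), the logout-path matching and the sample links are assumptions; only the setting names and their defaults come from this section.

```python
"""Model of the Generated Traffic crawl-pruning settings (added illustration,
not F5 code). Assumptions: a URL's "structure" is its host, path and the set
of query parameter names; a logout pattern matches a path suffix."""
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Defaults taken from Table 6.6.
DEFAULT_SAME_STRUCTURE_LIMIT = 5   # fetches per identical structure
DEFAULT_FORM_ITERATOR_LIMIT = 1    # requests generated per form

# Constructed sample links, in the order the crawler discovers them.
SAMPLE_LINKS = (
    ["http://www.myapp.com/home.htm", "http://www.myapp.com/logout.htm"]
    + ["http://www.myapp.com/item.htm?par=%d" % i for i in range(7)]
    + ["http://www.myapp.com/item.htm?par=9&meter=5"]
)


def structure_key(url):
    """Two URLs share a structure when host, path and the *names* of their
    query parameters match; only the parameter values differ (assumption)."""
    parts = urlsplit(url)
    names = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return (parts.netloc, parts.path, names)


def is_logout(url, logout_patterns):
    """Logout Pages setting: a relative path the crawler must never follow,
    otherwise it logs itself out before the scan is complete."""
    path = urlsplit(url).path
    return any(path == p or path.endswith(p) for p in logout_patterns)


def select_fetches(links, logout_patterns=(), same_structure_limit=DEFAULT_SAME_STRUCTURE_LIMIT):
    """Return the links the crawler would fetch, in discovery order, plus a
    map of skipped link -> reason."""
    seen = Counter()
    fetch, skipped = [], {}
    for url in links:
        if is_logout(url, logout_patterns):
            skipped[url] = "logout page"
            continue
        key = structure_key(url)
        if seen[key] >= same_structure_limit:
            skipped[url] = "same structure already sampled %d times" % same_structure_limit
            continue
        seen[key] += 1
        fetch.append(url)
    return fetch, skipped


def form_iterations(option_values, form_limit=DEFAULT_FORM_ITERATOR_LIMIT):
    """Maximum number of requests generated for each form: a select list with
    ten options would otherwise be submitted ten times."""
    return list(option_values)[:form_limit]


if __name__ == "__main__":
    fetched, dropped = select_fetches(SAMPLE_LINKS, logout_patterns=("/logout.htm",))
    for url in fetched:
        print("fetch", url)
    for url, why in dropped.items():
        print("skip ", url, "-", why)
    print("form submissions for a 3-option list:", form_iterations(["a", "b", "c"]))
```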

Configuring the HTTP Authentication settings for the Generated Traffic operation mode
If the web application uses HTTP authentication, then you can use the
HTTP Authentication settings to configure the login criteria. The Generated
Traffic operation mode accepts all RFC 2617 authentication formats, as well
as the Microsoft NTLM authentication format.

To configure the HTTP Authentication settings


1. On the Policy Builder Generated Traffic Settings screen, in the
HTTP Authentication section, type the user name and password that
the system should supply to access the server where the web
application resides. For Microsoft NTLM authentication, type the
user name in the following format:
<domain>\<user_name>

2. Click Save.
The system updates the HTTP authentication settings.

Running the Policy Builder in the Generated Traffic operation mode


Before you run the Policy Builder in the Generated Traffic operation mode,
you need to configure a Policy Builder domain and start point, (in the Policy
Builder general settings), if you have not already done so. See Configuring a
Policy Builder domain, on page 6-2, and Configuring the Start Points
general setting, on page 6-4, for more information.


To run the Policy Builder in the Generated Traffic operation mode
1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application for
which you want to run the Policy Builder.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy for which you want to
run the Policy Builder in the Generated Traffic operation mode.
The Policy Properties screen opens.
4. For the Operation Mode setting, select Generated Traffic, and
then click the Settings link next to the Generated Traffic option.
The Policy Builder Properties - Generated Traffic screen opens.
5. Make any changes that you require on this screen, and click the
Save button.
6. Click the browser's Back button to return to the Policy Properties
screen.
7. In the Policy Builder area, make any other changes that you require.
8. Click the Start button below the Policy Builder area to start the
Policy Builder.
The Run Policy Builder popup screen opens, where you can monitor
the status of the Policy Builder.


Running the Policy Builder


Once you have configured the general settings for the Policy Builder, you
can use the tool to populate a security policy for your web application. You
can run the Policy Builder to develop a new security policy, or to update an
existing security policy. If you have several security policies for a web
application, you need to run the Policy Builder for each security policy.

To run the Policy Builder


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application for
which you want to run the Policy Builder.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that you want to build.
The Policy Properties screen opens.
Tip: Alternately, you can create a new security policy by copying an
existing security policy. For more information, see Copying a
security policy, on page 5-44.
4. For the Operation Mode setting, select the manner with which you
want the Policy Builder to collect its data. For an explanation of the
operation modes, see Understanding the Policy Builder operation
modes, on page 6-10.
5. For the Flow Mode setting, select Simple or Advanced.
   • With the Simple flow mode, the Policy Builder defines all
     objects in the web application as entry points, and ignores the
     navigational relationships between the objects.
   • With the Advanced flow mode, the Policy Builder defines all of
     the navigational relationships among the web application objects.
   Note that you can select the advanced flow mode only when the
   Policy Builder operation mode is Generated Traffic.
6. Check the Continuous Mode setting to enable continuous mode for
the Policy Builder. When you enable continuous mode, the Policy
Builder runs from the time you start it until you click the Stop
button. If you do not enable the continuous mode, the Policy Builder
analyzes only traffic that the system has already received, and stops
once that process is complete. Note that if you run the Policy
Builder with the continuous mode enabled, you also need to enable
traffic sampling. For details on traffic sampling, see Enabling traffic
sampling for the Policy Builder, on page 4-4.
7. Click the Start button (below the Policy Builder area) to start the
Policy Builder.


Viewing the status of the Policy Builder


The Policy Builder Status popup screen provides information about the
running status of the Policy Builder.

To view the Policy Builder status


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application for
which you want to run the Policy Builder.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that you want to build.
The Policy Properties screen opens.
4. Below the Policy Builder area, click the Status button.
The Policy Builder Status popup screen opens.
5. When you have finished reviewing the status information, click the
Close button to close the Policy Builder Status popup screen.

Note

Closing the Policy Builder Status popup screen does not stop the Policy
Builder when it is running. To stop the Policy Builder, refer to Stopping the
Policy Builder, on page 6-21.


Stopping the Policy Builder


When the Policy Builder is running, you can stop it at any time.

To stop the Policy Builder


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application for
which you want to run the Policy Builder.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that you want to build.
The Policy Properties screen opens.
4. Below the Policy Builder area, click the Stop button.
The Policy Builder Status popup screen opens, where you can
review a summary of the Policy Builder status.
5. When you have finished reviewing the summary information, click
the Close button to close the Policy Builder Status popup screen.


Working with the Policy Builder log


Every action that the Policy Builder takes against the security policy is
logged in the Policy Builder log. As a result, you can use the Policy Builder
log to see what new and updated object types, web objects, flows,
parameters, and parameter values the Policy Builder has added to the
security policy. You can use the Filter option to narrow the scope of the log
entries. See the online help for information on using the filter.

To view the Policy Builder log


1. On the Main tab of the navigation pane, expand the Application
Security section, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application for
which you want to run the Policy Builder.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy whose Policy Builder
log you want to review.
The Policy Properties screen opens.
4. Below the Policy Builder area, click the Show Log button.
The Policy Builder Log screen opens.

7
Working With Parameters

Understanding parameters

Understanding how the Policy Enforcer processes parameters

Working with global parameters

Working with web object parameters

Working with flow parameters

Configuring parameter characteristics

Working with dynamic parameters and extractions


Working With Parameters

Understanding parameters
Parameters are an integral entity in any web application. When you define
parameters in a security policy, you are tightening the security for the web
application. Application Security Manager evaluates defined parameters,
meta characters, query string lengths, and POST data lengths as part of a
positive security logic check. The system evaluates undefined parameters as
part of a negative security logic check. The Policy Enforcer verifies
parameters in the context of a security policy, not a web application. In other
words, any parameters that you configure in a security policy are enforced
only by that security policy.
You can define parameters as global parameters, web object parameters, and
flow parameters. For information on configuring global parameters, see
Working with global parameters, on page 7-3. For information on
configuring web object parameters, see Working with web object
parameters, on page 7-6. For information on configuring flow parameters,
see Working with flow parameters, on page 7-9.
There are several types of parameters that you can configure: static content,
dynamic content, dynamic name, and user-input. You can also configure
parameters for which the system does not check or verify the value. With the
exception of dynamic parameter names, you can configure a global, object,
or flow parameter as any parameter type. The dynamic parameter name type
is applicable only to flow parameters. Refer to Understanding parameter
types, on page 7-13 for more information.

Chapter 7

Understanding how the Policy Enforcer processes parameters

The Policy Enforcer uses the following priority when enforcing parameters:
1. Flow parameters
2. Object parameters
3. Global parameters

If a parameter is defined more than once in the request context, the Policy
Enforcer applies only the more specific definition. For example, suppose the
parameter param_1 is defined as a static content global parameter, and also
defined as a user-input object parameter. When the Application Security
Manager receives a request for the parameter's object, the Policy Enforcer
generates any violations based on the object parameter definition, not the
global parameter definition.


Working with global parameters


When a web application has a parameter that you do not want to define in
the context of a web object or a flow, you can define a global parameter.
Global parameters are those that do not have an association with a specific
web object or application flow. Therefore, you can configure a global
parameter once, and the Policy Enforcer enforces the parameter wherever it
occurs. Typically, you define parameters as part of a high security (APC)
security policy. However, because global parameters are not associated with
a web object or flow, you can define them when you are using the standard
level of security for a security policy. For more information on security
levels, see Configuring the security level, on page 5-4.

Creating a global parameter


You create a global parameter to address the following conditions:
• The web application has a parameter that appears in several web objects
  or flows.
• You are configuring a security policy that uses the standard level of
  security, and you want the Application Security Manager to enforce a
  specific set of parameters. (Recall that a standard security policy does not
  enforce web objects or flows. See Configuring the security level, on page
  5-4, for more information.)

To create a global parameter


1. On the Main tab of the navigation pane, expand Application
Security and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application for
which you are creating a global parameter.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that will enforce the
global parameter.
The Policy Properties screen opens.
4. On the menu bar, click Global Parameters.
The Global Parameters screen opens.
5. Above the List of Global Parameters area, click the Create button.
The Global Parameter Properties screen opens.
6. In the Create New Parameter area, fill in the information as
required.
   • See the online help for information on the parameter name
     settings.
   • See Understanding parameter types, on page 7-13, for
     information on the parameter types options.
   • If the parameter is acceptable without a value, check the Allow
     Empty Value setting. (See Configuring the Allow Empty Value
     setting, on page 7-20, for details.)
7. In the Parameter Characteristics area, fill in the information as
required. Note that the parameter type determines the parameter
characteristics. See Configuring parameter characteristics, on page
7-13, for more information.
8. Click the Create button to add the new global parameter to the
security policy.

Tip
If you want the Policy Enforcer to start enforcing this parameter, be sure to
make the security policy active. See Setting the active policy for a web
application, on page 5-33, for more information.

Editing the properties of a global parameter


There may be times when you need to update the characteristics of a global
parameter. This is easily done by editing the parameter properties.

To edit a global parameter


1. On the Main tab of the navigation pane, expand Application
Security and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application whose
global parameter you want to edit.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that will enforce the
global parameter.
The Policy Properties screen opens.
4. On the menu bar, click Global Parameters.
The Global Parameters screen opens.
5. In the List of Global Parameters area, in the Parameter Name
column, click the name of the parameter whose properties you want
to edit.
The Global Parameter Properties screen opens.
6. Make any changes to the parameter properties, as required.
7. When you have finished, click Update.
The system saves any changes you may have made, and returns you
to the Global Properties screen.


Deleting a global parameter


Web applications can change over time, and there may be occasions when
you need to delete a global parameter.

To delete a global parameter


1. On the Main tab of the navigation pane, expand Application
Security and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application whose
global parameter you want to delete.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that will enforce the
global parameter.
The Policy Properties screen opens.
4. On the menu bar, click Global Parameters.
The Global Parameters screen opens.
5. In the List of Global Parameters area, in the Select column (far left),
check the box next to the parameter that you want to remove, and
then click the Delete button.
The system displays a popup confirmation screen.
6. Click OK.
The system deletes the parameter.


Working with web object parameters


You define parameters in the context of a web object when a parameter is
relevant to that particular object, and you do not want the system to also
verify the object's associated flows. That is, you define a web object
parameter when it does not matter where the user was before accessing
this web object, and when it does not matter whether the parameter was in a
GET or POST request. When you define a web object parameter, the Policy
Enforcer applies the security policy to the parameter attributes in the context
of the associated web object, and ignores the flow information.

Creating a web object parameter


When you create a parameter that is associated with a web object, the Policy
Enforcer verifies the parameter in the context of the web object. For
example, for the login parameters of an online bank, you may want to
provide additional security for the user name and user password in the login
object by specifying the acceptable user-input characters, such as restricting
the acceptable character set to A-Z, a-z, 0-9, and $, #, !, _, -.

Important
The following task assumes that the web object for which you want to create
a parameter is already configured in the security policy. If this is not the
case, refer to Working with the Web Objects entity, on page 5-26, for
information on adding a web object to the configuration.

To create a parameter associated with a web object


1. On the Main tab of the navigation pane, expand Application
Security and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application for
which you are creating a web object parameter.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that will enforce the
web object parameter.
The Policy Properties screen opens.
4. On the menu bar, click Web Objects.
The Web Objects screen opens.
5. In the Web Application Objects (Site Map) area, in the Accessible
Objects List column, click the name of the web object for which you
want to create a parameter.
The Object Properties screen opens.
6. Above the List of Object Parameters area, click the Create button.
The Object Parameter Properties screen opens.
7. In the Create New Parameter area, fill in the information as
required.
See the online help for information on the parameter name
settings.
See Understanding parameter types, on page 7-13, for
information on the parameter types options.
If the parameter is acceptable without a value, check the Allow
Empty Value setting. (See Configuring the Allow Empty Value
setting, on page 7-20, for more information.)
8. In the Parameter Characteristics area, fill in the information as
required. Note that the parameter type determines the parameter
characteristics. See Configuring parameter characteristics, on page
7-13, for more information.
9. Click the Create button to add the new parameter to the security
policy.

Tip
If you want the Policy Enforcer to start enforcing this parameter, be sure to
make the security policy active. See Setting the active policy for a web
application, on page 5-33, for more information.

Editing the properties of a web object parameter


There may be times when you need to update the characteristics of a web
object parameter. This is easily done by editing the parameter properties.

To edit the properties of a web object parameter


1. On the Main tab of the navigation pane, expand Application
Security and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application for
which you are editing a web object parameter.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that will enforce the
web object parameter.
The Policy Properties screen opens.
4. On the menu bar, click Web Objects.
The Web Objects screen opens.
5. In the Web Application Objects (Site Map) area, in the Accessible
Objects List column, click the name of the web object with which
the parameter is associated.
The Object Properties screen opens.
6. In the List of Object Parameters area, in the Parameter Name
column, click the name of the parameter whose properties you want
to edit.
The Object Parameter Properties screen opens.
7. Make any changes to the parameter properties, as required.
8. When you have finished, click Update.
The system saves any changes you may have made, and returns you
to the Object Properties screen.

Deleting a web object parameter


Web applications can change over time, and there may be occasions when
you need to delete a parameter from a web object.

To delete a parameter from a web object


1. On the Main tab of the navigation pane, expand Application
Security and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application for
which you are deleting a web object parameter.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that enforces the web
object parameter.
The Policy Properties screen opens.
4. On the menu bar, click Web Objects.
The Web Objects screen opens.
5. In the Web Application Objects (Site Map) area, in the Accessible
Objects List column, click the name of the web object with which
the parameter is associated.
The Object Properties screen opens.
6. In the List of Object Parameters area, in the Select column (far left),
check the box next to the parameter that you want to remove from
the web object, and then click the Delete button.
The system displays a popup confirmation screen.
7. Click OK.
The system deletes the parameter.


Working with flow parameters


You define parameters in the context of a flow when it is important to
enforce whether a parameter is in a GET request or a POST request.
Defining a parameter in the context of a flow is the most specific context,
and thus provides the tightest security for the web application.

Note

The Policy Builder defines all parameters as flow parameters, that is,
parameters in the context of a flow.

Creating a flow parameter


When you create a parameter that is associated with a flow, the Policy
Enforcer verifies the parameter in the context of the flow. For example, if
you define a parameter in the context of a GET request, and a client sends a
POST request that contains the parameter, the Policy Enforcer generates an
illegal parameter violation.
For APC security policies, you can define flow parameters for very tight,
flow-specific security. With this increased protection comes an increase in
maintenance and configuration time. However, you can use the Policy
Builder to expedite the security policy-building process for user-input and
static parameters. Note that if your web application uses dynamic
parameters, you must add those to the security policy manually.

Important
The following task assumes that the flow for which you want to create a
parameter is already configured in the security policy. If this is not the case,
refer to Working with the Flows entity, on page 5-27, for information on
adding a flow to the configuration.

To create a parameter associated with an application flow


1. On the Main tab of the navigation pane, expand Application
Security and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the relevant web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that will enforce the
flow parameter.
The Policy Properties screen opens.
4. On the menu bar, click Flows.
The Flows screen opens.
5. In the Flows List area, click the Expand button to view the flows.
6. In the Flows List, click the name of the flow to which you want to
add a parameter.
The Flow Properties screen opens.
7. Above the List of Flow Parameters area, click the Create button.
The Flow Parameter Properties screen opens.
8. In the Create New Parameter area, fill in the information as
required.
See the online help for information on the parameter name
settings.
See Understanding parameter types, on page 7-13, for
information on the parameter types options.
If the parameter is required in the context of the flow, check the
Is Mandatory Parameter setting. Note that only flows can have
mandatory parameters. (See Configuring the Is Mandatory
Parameter setting, on page 7-23, for more information.)
If the parameter is acceptable without a value, check the Allow
Empty Value setting. (See Configuring the Allow Empty Value
setting, on page 7-20, for more information.)
9. In the Parameter Characteristics area, fill in the information as
required. Note that the parameter type determines the applicable
parameter characteristics. See Configuring parameter
characteristics, on page 7-13, for more information.
10. Click the Create button to add the new parameter to the security
policy.

Tip
If you want the Policy Enforcer to start enforcing this parameter, be sure to
make the security policy active. See Setting the active policy for a web
application, on page 5-33, for more information.

Editing the properties of a flow parameter


There may be times when you need to update the characteristics of a flow
parameter. This is easily done by editing the parameter properties.

To edit the properties of a flow parameter


1. On the Main tab of the navigation pane, expand Application
Security and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application for
which you are editing a flow parameter.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that will enforce the
flow parameter.
The Policy Properties screen opens.
4. On the menu bar, click Flows.
The Flows screen opens.
5. In the Flows List area, click the Expand button to view the flows.
6. In the Flows List, click the name of the flow with which the
parameter is associated.
The Flow Properties screen opens.
7. In the List of Flow Parameters area, in the Parameter Name column,
click the name of the parameter whose properties you want to edit.
The Flow Parameter Properties screen opens.
8. Make any changes to the parameter properties, as required.
9. When you have finished, click Update.
The system saves any changes you may have made, and returns you
to the Flow Properties screen.

Deleting a flow parameter


Web applications can change over time, and there may be occasions when
you need to delete a parameter from a flow.

To delete a parameter from a flow


1. On the Main tab of the navigation pane, expand Application
Security and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application for
which you are deleting a flow parameter.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that enforces the flow
parameter.
The Policy Properties screen opens.
4. On the menu bar, click Flows.
The Flows screen opens.
5. In the Flows List area, click the Expand button to view the flows.
6. In the Flows List, click the name of the flow with which the
parameter is associated.
The Flow Properties screen opens.
7. In the List of Flow Parameters area, in the Select column (far left),
check the box next to the parameter that you want to remove from
the flow, and then click the Remove button.
The system displays a popup confirmation screen.
8. Click OK.
The system deletes the parameter.


Configuring parameter characteristics


Parameter characteristics define the individual attributes of the parameter.
The parameter characteristics change depending on the type of parameter
that you specify.

Understanding parameter types


When you add a parameter to the security policy, you specify the parameter
type. The Policy Enforcer then knows in what form to expect the parameter
value, and applies the security policy accordingly. You can configure global
parameters, web object parameters, and flow parameters as any parameter
type, with the exception of the dynamic parameter name type. You can
configure only flow parameters as this type.
The parameter types are:
Static content value
Static parameters are those that have a known set of values. A list of
country names, or a yes/no form field are both examples of static
parameters. For information on configuring static parameters, see
Configuring parameter characteristics for static parameters, on page
7-14.
User-input value
User-input parameters are those that require users to enter or provide
some sort of data. Comment, name, and phone number fields on an
online form are all examples of user-input parameters. You can also
configure a parameter as user-input even if its value is not really user
input. For example, if a parameter has a wide range of values, or has
many static values, you may want to configure the parameter as a
user-input parameter instead of a static content parameter. For
information on configuring user-input parameters, see Configuring
parameter characteristics for user-input parameters, on page 7-15.
Dynamic content value
Dynamic parameters are those whose set of values can change, and are
often linked to a user session. The server sets the value for dynamic
content value (DCV) parameters. DCV parameters are often associated
with applications that use session IDs for client sessions. For information
on configuring DCV parameters, see Configuring dynamic content value
parameters, on page 7-25.
Dynamic parameter name
Some dynamic parameters have dynamic names as well as dynamic
values. If you want the Policy Enforcer to enforce dynamic names as
well as dynamic values, then you can use this parameter type. For
information on configuring dynamic parameter names, see Configuring
parameter characteristics for dynamic parameter names, on page 7-27.


A note about configuring parameters


Configuring parameters for a web application can be a lengthy and arduous
task. While you can do this manually, as explained throughout the remainder
of this chapter, you can also use the Policy Builder and the Learning process
to help you discover the parameters and values that are part of your web
application.

Configuring parameter characteristics for static parameters


Static parameters are parameters whose possible values form a known set. For
example, the credit card type parameter, used for payment in a shopping
application, may have the value set Mastercard, Visa, and American
Express. When you configure the static parameter characteristics, you are
essentially creating the value set for the parameter.

To configure static parameter characteristics


1. Create a new parameter.
To create a global parameter, see Creating a global parameter,
on page 7-3.
To create a web object parameter, see Creating a web object
parameter, on page 7-6.
To create a flow parameter, see Creating a flow parameter, on
page 7-9.
2. For the Parameter Type setting, select Static content value.
The screen refreshes and displays the Parameter Static Values area.
3. In the Parameter Static Values area, for the New Static Content
Value setting, type the new value in the Add box.
4. Click the Add button to add the value to the values list.
5. Repeat steps 3 and 4 to add all the values that this parameter
requires.
6. Click the Create button to save the parameter in the configuration.

Tip
If you want the Policy Enforcer to start enforcing this parameter, be sure to
make the security policy active. See Setting the active policy for a web
application, on page 5-33, for more information.


Configuring parameter characteristics for user-input parameters


User-input parameters are those for which a user can provide a value. For
user-input parameters, you can configure the Application Security Manager
to verify minimum and maximum values, minimum and maximum lengths,
and valid meta characters. The system can also check for attack patterns
within the text.
User-input parameters can accept many different data types. The data types
are: alpha-numeric, binary, decimal, email, integer, and phone. Depending
on the data type that you configure, there are additional options that the
Policy Enforcer can verify, as noted in the following sections.

Tip
You can configure any parameter as a user-input parameter if you want the
system to apply a broader verification to the parameter values.

Configuring an alpha-numeric user-input parameter


The alpha-numeric data type specifies that the parameter value can have
letters, digits, and the underscore character in it. For this data type, you
can specify a maximum length, and you can define the acceptable parameter
values as a regular expression. You can also specify one or more meta
characters (in addition to the base character set of a-z, A-Z, 0-9), and one or
more regular expressions (which represent common attack patterns), that are
acceptable within the context of the parameter.

Note

If you enable regular expressions for an alpha-numeric parameter, the
system may automatically enable certain meta characters (in the Allowed
Meta Characters list) that are part of the regular expressions, even if you
have not explicitly enabled meta characters for the parameter.

To configure an alpha-numeric user-input parameter


1. Create a new parameter.
To create a global parameter, see Creating a global parameter,
on page 7-3.
To create a web object parameter, see Creating a web object
parameter, on page 7-6.
To create a flow parameter, see Creating a flow parameter, on
page 7-9.
2. For the Parameter Type setting, select User-input value.
The screen refreshes and displays the Parameter Characteristics
area.
3. In the Parameter Characteristics area, for the Data Type setting,
select Alpha-Numeric.
4. If you want the Policy Enforcer to enforce a maximum length
(number of bytes) for the parameter value, check the Check Max.
Length box, and type a number.
5. If you want the Policy Enforcer to enforce the parameter value using
pattern matching, check the Regular Expression box, and type a
regular expression. Note that when you enable this setting, the only
values that are acceptable for the parameter are those that exactly
match the regular expression pattern that you provide. All other
values are considered illegal in the context of this parameter.
6. If you want to make certain meta characters valid as part of the
parameter value, check the Enable Allowed Meta Characters List
box.
The screen refreshes, and displays the meta character set.
7. Check the box next to any meta characters in the list that are
acceptable in the context of the parameter value. Note that the
possible meta character options change depending on the language
encoding of the web application. (For more information, see
Configuring the web application language, on page 4-2.)
8. If you want to make certain known attack patterns valid as part of
the parameter value, check the Enable Allowed Regular
Expression List box.
The screen refreshes, and displays the attack pattern set.
9. Check the box next to any regular expressions in the list that are
acceptable in the context of the parameter value.
10. Click the Create button to add the parameter to the configuration.

Tip
If you want the Policy Enforcer to start enforcing this parameter, be sure to
make the security policy active. See Setting the active policy for a web
application, on page 5-33, for more information.

Configuring a binary user-input parameter


The binary data type specifies that the parameter value is text for which the
system does not verify meta characters or attack patterns. Typically, you use
this data type for binary file uploads. Note that for this data type, you can
specify only a maximum length.

To configure a binary user-input parameter


1. Create a new parameter.
To create a global parameter, see Creating a global parameter,
on page 7-3.
To create a web object parameter, see Creating a web object
parameter, on page 7-6.
To create a flow parameter, see Creating a flow parameter, on
page 7-9.
2. For the Parameter Type setting, select User-input value.
The screen refreshes and displays the Parameter Characteristics
area.
3. In the Parameter Characteristics area, for the Data Type setting,
select Binary (Length checks only).
4. If you want the Policy Enforcer to enforce a maximum length
(number of bytes) for the parameter value, check the Check Max.
Length box, and type a number.
5. Click the Create button to add the parameter to the configuration.

Tip
If you want the Policy Enforcer to start enforcing this parameter, be sure to
make the security policy active. See Setting the active policy for a web
application, on page 5-33, for more information.

Configuring a decimal user-input parameter


The decimal data type specifies that the parameter value is numeric, and can
include integers and decimals only. For this data type, you can specify a
minimum value, a maximum value, and a maximum length.

To configure a decimal user-input parameter


1. Create a new parameter.
To create a global parameter, see Creating a global parameter,
on page 7-3.
To create a web object parameter, see Creating a web object
parameter, on page 7-6.
To create a flow parameter, see Creating a flow parameter, on
page 7-9.
2. For the Parameter Type setting, select User-input value.
The screen refreshes and displays the Parameter Characteristics
area.
3. In the Parameter Characteristics area, for the Data Type setting,
select Decimal.
4. If you want the Policy Enforcer to enforce a minimum value for the
parameter value, check the Check Min. Value box, and type a
number.
5. If you want the Policy Enforcer to enforce a maximum value for the
parameter value, check the Check Max. Value box, and type a
number.
6. If you want the Policy Enforcer to enforce a maximum length
(number of bytes) for the parameter value, check the Check Max.
Length box, and type a number.
7. Click the Create button to add the parameter to the configuration.

Tip
If you want the Policy Enforcer to start enforcing this parameter, be sure to
make the security policy active. See Setting the active policy for a web
application, on page 5-33, for more information.

Configuring an email user-input parameter


The email data type specifies that the parameter value is in the email address
format. Values for this data type can include letters, numbers, the at meta
character ( @ ), the period ( . ) character, and the underscore ( _ ) character.
For this data type you can specify only a maximum length.

Note

We recommend that you use the email data type only if the web application
has client-side data validation for the parameter.

To configure an email user-input parameter


1. Create a new parameter.
To create a global parameter, see Creating a global parameter,
on page 7-3.
To create a web object parameter, see Creating a web object
parameter, on page 7-6.
To create a flow parameter, see Creating a flow parameter, on
page 7-9.
2. For the Parameter Type setting, select User-input value.
The screen refreshes and displays the Parameter Characteristics
area.
3. In the Parameter Characteristics area, for the Data Type setting,
select Email.
4. If you want the Policy Enforcer to enforce a maximum length
(number of bytes) for the parameter value, check the Check Max.
Length box, and type a number.
5. Click the Create button to add the parameter to the configuration.

Tip
If you want the Policy Enforcer to start enforcing this parameter, be sure to
make the security policy active. See Setting the active policy for a web
application, on page 5-33, for more information.

Configuring an integer user-input parameter


The integer data type specifies that the parameter value is numeric, and can
include only whole numbers. For this data type, you can specify a minimum
value, a maximum value, and a maximum length.

To configure an integer user-input parameter


1. Create a new parameter.
To create a global parameter, see Creating a global parameter,
on page 7-3.
To create a web object parameter, see Creating a web object
parameter, on page 7-6.
To create a flow parameter, see Creating a flow parameter, on
page 7-9.
2. For the Parameter Type setting, select User-input value.
The screen refreshes and displays the Parameter Characteristics
area.
3. In the Parameter Characteristics area, for the Data Type setting,
select Integer.
4. If you want the Policy Enforcer to enforce a minimum value for the
parameter value, check the Check Min. Value box, and type a
number.
5. If you want the Policy Enforcer to enforce a maximum value for the
parameter value, check the Check Max. Value box, and type a
number.
6. If you want the Policy Enforcer to enforce a maximum length
(number of bytes) for the parameter value, check the Check Max.
Length box, and type a number.
7. Click the Create button to add the parameter to the configuration.

Tip
If you want the Policy Enforcer to start enforcing this parameter, be sure to
make the security policy active. See Setting the active policy for a web
application, on page 5-33, for more information.


Configuring a phone user-input parameter


The phone data type specifies that the parameter value is in the phone
number format. Values for this data type can include numbers, the hyphen
meta character ( - ), and the parentheses meta characters ( ( ) ). For this data
type you can specify only a maximum length.

Note

We recommend that you use the phone data type only if the web application
has client-side data validation for the parameter.

To configure a phone user-input parameter


1. Create a new parameter.
To create a global parameter, see Creating a global parameter,
on page 7-3.
To create a web object parameter, see Creating a web object
parameter, on page 7-6.
To create a flow parameter, see Creating a flow parameter, on
page 7-9.
2. For the Parameter Type setting, select User-input value.
The screen refreshes and displays the Parameter Characteristics
area.
3. In the Parameter Characteristics area, for the Data Type setting,
select Phone.
4. If you want the Policy Enforcer to enforce a maximum length
(number of bytes) for the parameter value, check the Check Max.
Length box, and type a number.
5. Click the Create button to add the parameter to the configuration.

Tip
Be sure to make the security policy active if you want the Policy Enforcer to
start enforcing this parameter. See Setting the active policy for a web
application, on page 5-33, for more information.

Configuring the Allow Empty Value setting


The Allow Empty Value setting specifies whether the Policy Enforcer
expects the parameter to have a defined value. When this setting is enabled
on a parameter, the Policy Enforcer does not generate an Illegal empty
parameter value alert if a client request does not provide a value.
Conversely, if the Allow Empty Value setting is disabled (which is the
default setting), the system generates the Illegal empty parameter value
alert if a client request does not provide a value. The Allow Empty Value
setting is applicable to global parameters, web object parameters, and flow
parameters.
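As an added example (not code from this guide or from F5), the following Python models how the parameter characteristics described above decide whether a value is legal: the static value set, the user-input data types with their length and value limits, the allowed meta characters and regular-expression options, and the Allow Empty Value setting. The class and function names, the violation labels other than Illegal empty parameter value, and the two attack-pattern signatures are this example's own assumptions; the parameters defined at the bottom are constructed to mirror the chapter's examples.

```python
import re
import string
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Added example modelling the parameter characteristics this chapter describes.
# Class, function and violation-label names are this example's own, not ASM's;
# the two attack-pattern signatures are constructed stand-ins for the built-in list.

ATTACK_PATTERNS = {
    "script tag": re.compile(r"<\s*script", re.IGNORECASE),
    "path traversal": re.compile(r"\.\./"),
}

# Base character set of each text data type, as described in the text.
BASE_CHARS = {
    "alpha-numeric": set(string.ascii_letters + string.digits + "_"),
    "email": set(string.ascii_letters + string.digits + "@._"),
    "phone": set(string.digits + "-()"),
}


@dataclass(frozen=True)
class Parameter:
    name: str
    param_type: str = "user-input"                  # "static" or "user-input"
    static_values: FrozenSet[str] = frozenset()     # Parameter Static Values
    data_type: str = "alpha-numeric"                # alpha-numeric, binary, decimal, email, integer, phone
    max_length: Optional[int] = None                # Check Max. Length (bytes)
    min_value: Optional[float] = None               # Check Min. Value (integer/decimal only)
    max_value: Optional[float] = None               # Check Max. Value (integer/decimal only)
    regex: Optional[str] = None                     # Regular Expression (alpha-numeric only)
    allowed_meta: FrozenSet[str] = frozenset()      # Allowed Meta Characters list
    allowed_patterns: FrozenSet[str] = frozenset()  # Allowed Regular Expression list
    allow_empty: bool = False                       # Allow Empty Value (disabled by default)


def check_value(p: Parameter, value: str) -> List[str]:
    """Return the violations for one parameter value; an empty list means legal."""
    if value == "":
        return [] if p.allow_empty else ["Illegal empty parameter value"]
    if p.param_type == "static":
        return [] if value in p.static_values else ["illegal static value"]
    found = []
    if p.max_length is not None and len(value.encode("utf-8")) > p.max_length:
        found.append("value exceeds maximum length")
    if p.data_type == "binary":                     # binary: length checks only
        return found
    if p.data_type in ("integer", "decimal"):
        shape = r"-?\d+" if p.data_type == "integer" else r"-?\d+(\.\d+)?"
        if not re.fullmatch(shape, value):
            return found + ["value is not a valid " + p.data_type]
        number = float(value)
        if p.min_value is not None and number < p.min_value:
            found.append("value below minimum")
        if p.max_value is not None and number > p.max_value:
            found.append("value above maximum")
        return found
    if p.data_type == "alpha-numeric" and p.regex is not None:
        # With a regular expression enabled, only values that match it exactly are legal.
        if not re.fullmatch(p.regex, value):
            found.append("value does not match regular expression")
    else:
        allowed = BASE_CHARS[p.data_type] | p.allowed_meta
        illegal = sorted({c for c in value if c not in allowed})
        if illegal:
            found.append("illegal meta character(s): " + "".join(illegal))
    # Attack patterns are checked unless the parameter explicitly allows them.
    for label, pattern in ATTACK_PATTERNS.items():
        if label not in p.allowed_patterns and pattern.search(value):
            found.append("attack pattern: " + label)
    return found


# Constructed parameters mirroring the chapter's own examples.
CARD_TYPE = Parameter("card_type", "static",
                      static_values=frozenset({"Mastercard", "Visa", "American Express"}))
USERNAME = Parameter("username", max_length=16, allowed_meta=frozenset("$#!-"))
AMOUNT = Parameter("amount", data_type="decimal", min_value=0, max_value=10000)
COMMENT = Parameter("comment", allow_empty=True)

if __name__ == "__main__":
    samples = [(CARD_TYPE, "Visa"), (CARD_TYPE, "Diners"), (USERNAME, "alice_01"),
               (USERNAME, "alice&co"), (AMOUNT, "99.50"), (AMOUNT, "-1"),
               (COMMENT, ""), (USERNAME, "")]
    for p, v in samples:
        print(f"{p.name}={v!r}: {check_value(p, v) or 'legal'}")
```

The order of the checks follows the text: an empty value is decided by Allow Empty Value before anything else, a static parameter is only ever compared against its value set, a binary parameter stops after the length check, and the numeric types reject a value that is not of the declared shape before comparing it with the minimum and maximum. Enabling a regular expression on an alpha-numeric parameter replaces the character-set check, which is why the text warns that only exact matches remain legal.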

Configuring the Allow Empty Value setting for a global parameter


You can configure the Allow Empty Value setting either from the Global
Parameters screen, or from the Global Parameter Properties screen. To
change the Allow Empty Value setting from the Global Parameter
Properties screen, refer to Editing the properties of a global parameter, on
page 7-4. Use the following procedure to change the setting from the Global
Parameters screen.

To set the Allow Empty Value setting for a global parameter

1. On the Main tab of the navigation pane, expand Application
Security and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the relevant web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that will enforce the
global parameter.
The Policy Properties screen opens.
4. On the menu bar, click Global Parameters.
The Global Parameters screen opens.
5. In the List of Global Parameters area, in the Select column (far left),
check the box next to the parameter for which you want to change
the Allow Empty Value setting.
6. In the Allow Empty Value column, check or clear the check box as
required for any parameters you selected in the previous step.
7. Click the Save button (below the List of Global Parameters) to save
any changes you may have made.

Configuring the Allow Empty Value setting for a web object parameter

You can configure the Allow Empty Value setting either from the Object
Properties screen of the associated web object, or from the Object Parameter
Properties screen. To change the Allow Empty Value setting from the
Object Parameter Properties screen, refer to Editing the properties of a web
object parameter, on page 7-7. Use the following procedure to change the
setting from the Object Properties screen of the associated web object.

To set the Allow Empty Value setting for a web object parameter

1. On the Main tab of the navigation pane, expand Application
Security and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the relevant web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that will enforce the
web object parameter.
The Policy Properties screen opens.
4. On the menu bar, click Web Objects.
The Web Objects screen opens.
5. In the Web Application Objects (Site Map) area, in the Accessible
Objects List column, click the name of the web object with which
the parameter is associated.
The Object Properties screen opens.
6. In the List of Object Parameters area, in the Select column (far left),
check the box next to the parameter for which you want to change
the Allow Empty Value setting.
7. In the Allow Empty Value column, check or clear the check box as
required for any parameters you selected in the previous step.
8. Click the Save button (below the List of Object Parameters) to save
any changes you may have made.

Configuring the Allow Empty Value setting for a flow parameter


You can configure the Allow Empty Value setting either from the Flow
Properties screen of the associated flow, or from the Flow Parameter
Properties screen. To change the Allow Empty Value setting from the Flow
Parameter Properties screen, refer to Editing the properties of a flow
parameter, on page 7-10. Use the following procedure to change the setting
from the Flow Properties screen.

To set the Allow Empty Value setting for a flow parameter


1. On the Main tab of the navigation pane, expand Application
Security and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the relevant web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that will enforce the
flow parameter.
The Policy Properties screen opens.
4. On the menu bar, click Flows.
The Flows screen opens.
5. In the Flows List area, click the Expand button to view the flows.
6. In the Flows List, click the name of a flow.
The Flow Properties screen opens.
7. In the List of Flow Parameters area, in the Select column (far left),
check the box next to the parameter for which you want to change
the Allow Empty Value setting.
8. In the Allow Empty Value column, check or clear the check box as
required for any parameters you selected in the previous step.
9. Click the Save button (below the List of Flow Parameters) to save
any changes you may have made.

Configuring the Is Mandatory Parameter setting


The Is Mandatory Parameter setting specifies whether a parameter must be
present in a flow. You can configure the Is Mandatory Parameter setting
either from the Flow Properties screen of the associated flow, or from the
Flow Parameter Properties screen. To change the Is Mandatory Parameter
setting from the Flow Parameter Properties screen, refer to Editing the
properties of a flow parameter, on page 7-10. Use the following procedure
to change the Is Mandatory Parameter setting from the Flow Properties
screen of the associated flow.

Note

You can configure only flow parameters as mandatory.

To set the Is Mandatory Parameter setting for a flow parameter

1. On the Main tab of the navigation pane, expand Application
Security and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the relevant web application.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that will enforce the
flow parameter.
The Policy Properties screen opens.
4. On the menu bar, click Flows.
The Flows screen opens.
5. In the Flows list area, click the Expand button to view the flows.
6. In the Flows List, click the name of a flow.
The Flow Properties screen opens.
7. In the List of Flow Parameters area, in the Select column (far left),
check the box next to the parameter for which you want to change
the Is Mandatory Parameter setting.
8. In the Is Mandatory Parameter column, check or clear the check box
as required for any parameters you selected in the previous step.
9. Click the Save button (below the List of Flow Parameters) to save
any changes you may have made.


Working with dynamic parameters and extractions


When you configure a dynamic parameter, you also configure the extraction
properties for the parameter values. The extraction properties define where
the system extracts the dynamic parameter values or name from, and which
method or methods to use for the extraction. When the Application Security
Manager receives a request that contains a dynamic parameter, the system
uses the extraction properties to collect the parameter value or name from
the web application's response to the request. Once the system has
extracted the dynamic parameter values, the Policy Enforcer knows what to
enforce the next time a request contains the dynamic parameter.

Configuring dynamic content value parameters


Dynamic content value (DCV) parameters are those for which the web
application sets the value on the server side. When you configure a DCV
parameter in the Application Security Manager, the system verifies that the
client is not changing the parameter value, as set by the server, from one
request to the next. For example, in an auction application, the price
parameter would be a DCV parameter, because you do not want users to
tamper with the price value that the server sends to the client.
DCV parameters are often associated with web applications that use
sessions. Each user of these applications has unique identifiers, and those
identifiers may also change. As a result, the parameters within the web
application that help identify the user have dynamic content values.
When you configure a DCV parameter, you also configure the extraction
properties for the parameter values. The extraction properties specify the
manner in which the Application Security Manager discovers and populates
the values for the DCV parameter. By default, the system retains all of the
values that it finds for a DCV parameter. In other words, the system does not
replace the values it knows about when it extracts a new value.

To configure a dynamic content value parameter


1. Create a new parameter.
To create a global parameter, see Creating a global parameter,
on page 7-3.
To create a web object parameter, see Creating a web object
parameter, on page 7-6.
To create a flow parameter, see Creating a flow parameter, on
page 7-9.
2. For the Parameter Type setting, select Dynamic content value.
3. Click the Create button.
A popup screen opens.
4. Click OK.
The Extraction Properties screen opens.
5. Above the Extract Items Configuration area, select Basic or
Advanced (Advanced provides additional configuration options),
and then specify from where you want the system to extract the
dynamic parameter values. (See Viewing the list of extractions, on
page 7-29, for more information on this setting.)
6. Above the Extract Methods Configuration area, select Basic or
Advanced (Advanced provides additional configuration options),
and then specify the method or methods that you want the system to
use to extract the dynamic parameter values. (See Understanding
the extraction methods configuration, on page 7-27, for more
information on this setting.)
7. Click the Create button to add the new parameter to the
configuration.

Note

You should define the extractions for a DCV parameter before you apply the
security policy that includes the parameters. If you do not, when you apply
the security policy, the policy validator generates a warning that the
security policy contains dynamic parameters that do not have extractions
defined.

Understanding the extracted items configuration


When you create an extraction for a dynamic parameter, one aspect of the
extraction is configuring where, in the response, the system searches for the
dynamic parameter. You can configure the system to extract the dynamic
parameter values from object types, web objects, and by using pattern
matching. Alternately, you can configure the system to extract dynamic
parameter values from all items. Table 7.1 describes the extracted items
settings.

Extraction item: Description

Object types: Use this setting when you want the system to extract dynamic
parameters from files of a certain type. Note that the available object types
are those that are already a part of the security policy.

Web objects: Use this setting when you want the system to extract dynamic
parameters from specific web objects.

Regexp: Use this setting when you want the system to extract dynamic
parameters that match a regular expression pattern. Note that this setting is
available only when you select Advanced (above the Extract Items area).

All items: Use this setting when you want the system to extract dynamic
parameters from all text-based objects and object types. Note that this
setting is available only when you select Advanced (above the Extract Items
area).

Table 7.1 Extraction locations for dynamic parameters

Understanding the extraction methods configuration


Another important aspect of the extraction configuration is defining how the
system extracts the dynamic parameter, that is, the extraction method. Table
7.2 describes the extraction methods.

Extraction method: Description

Search in links: Use this setting when you want the system to extract dynamic
parameter values from links (href tags) within an object.

Search entire form: Use this setting when you want the system to extract
dynamic parameter values from all areas of a form.

Search within form: Use this setting when you want the system to extract
dynamic parameter values from a specific frame or parameter within a form.

Search in XML: Use this setting when you want the system to extract dynamic
parameter values from within XML entities.

Search in response body: Use this setting when you want the system to extract
dynamic parameter values from the body of a response.

Table 7.2 Extraction methods for dynamic parameters
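The DCV behaviour described under Configuring dynamic content value parameters and the extraction methods in Table 7.2, modelled as an added Python example (not F5 code, and not how the Application Security Manager itself is implemented): the server-set values are extracted from a response with the Search in links, Search entire form and Search in response body (regexp) methods, every extracted value is retained, and a later request is checked against them. The auction pages, the price parameter and the method names are constructed for illustration.

```python
# Added example (not F5 code): a simplified model of extracting a dynamic
# content value (DCV) parameter from a server response with the "Search in
# links", "Search entire form" and "Search in response body" (regexp) methods,
# then enforcing it on the next request. Sample pages are constructed here.
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, parse_qsl, urlsplit


class _ResponseScanner(HTMLParser):
    """Collects href links and form input fields from an HTML response body."""
    def __init__(self):
        super().__init__()
        self.links = []        # href values of <a> tags
        self.forms = []        # one list of (name, value) pairs per <form>
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = []
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form.append((a.get("name") or "", a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def extract_dcv_values(body, param, methods, regexp=None):
    """Return the set of values the server sent for `param`.

    `methods` is any subset of {"links", "entire_form", "response_body"};
    "response_body" needs `regexp` with one capture group around the value.
    """
    scanner = _ResponseScanner()
    scanner.feed(body)
    scanner.close()
    values = set()
    if "links" in methods:                     # Search in links (href tags)
        for href in scanner.links:
            for name, value in parse_qsl(urlsplit(href).query):
                if name == param:
                    values.add(value)
    if "entire_form" in methods:               # Search entire form
        for form in scanner.forms:
            values.update(value for name, value in form if name == param)
    if "response_body" in methods and regexp:  # Search in response body
        values.update(re.findall(regexp, body))
    return values


class DcvEnforcer:
    """Keeps every value extracted for each DCV parameter (the default of
    retaining rather than replacing known values) and checks later requests."""
    def __init__(self):
        self.known = {}  # parameter name -> set of server-set values

    def learn_from_response(self, body, param, methods, regexp=None):
        found = extract_dcv_values(body, param, methods, regexp)
        self.known.setdefault(param, set()).update(found)
        return found

    def check_request(self, query_string, param):
        """Return (allowed, reason); a value the server never sent is a violation."""
        submitted = parse_qs(query_string).get(param, [])
        if not submitted:
            return True, "parameter not present in request"
        unknown = [v for v in submitted if v not in self.known.get(param, set())]
        if unknown:
            return False, "client changed %s to %r" % (param, unknown)
        return True, "value was set by the server"


# Constructed auction page: the server sets the price in a link, in a hidden
# form field and in a data attribute; the client must not alter it.
SAMPLE_RESPONSE = """<html><body>
<span data-price="100">Current price: 100</span>
<a href="/bid?item_id=42&price=100">Bid now</a>
<form action="/bid" method="post">
  <input type="hidden" name="item_id" value="42">
  <input type="hidden" name="price" value="100">
  <input type="submit" value="Bid">
</form></body></html>"""

# Constructed follow-up page after another bid raised the price.
SAMPLE_RESPONSE_2 = '<form><input type="hidden" name="price" value="150"></form>'


def demo():
    """Learn the price from the pages, then check a fair and a tampered bid."""
    enforcer = DcvEnforcer()
    enforcer.learn_from_response(SAMPLE_RESPONSE, "price", {"links", "entire_form"})
    results = [enforcer.check_request("item_id=42&price=100", "price"),
               enforcer.check_request("item_id=42&price=1", "price")]
    enforcer.learn_from_response(SAMPLE_RESPONSE_2, "price", {"entire_form"})
    results.append(enforcer.check_request("price=100", "price"))  # still known
    return enforcer.known["price"], results
```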

Configuring parameter characteristics for dynamic parameter names

In some web applications, DCV parameters also have dynamic names. You
can use the parameter type, Dynamic parameter name, when you want the
Policy Enforcer to enforce the dynamic names as well as dynamic values.
Note that the Dynamic parameter name parameter type is applicable only
when you are configuring a flow parameter.
When you configure a dynamic parameter name, you also configure the
extraction properties. The extraction properties specify the manner in which
the Application Security Manager discovers the parameter names.


To configure a dynamic parameter name parameter


1. Create a flow parameter (See Creating a flow parameter, on page
7-9).
2. For the Parameter Type setting, select Dynamic parameter name.
The screen refreshes, automatically generates a unique name in the
Parameter Name setting, and displays the Dynamic Parameter
Properties area.
3. In the Dynamic Parameter Properties area, for the Extract
Parameter from Object setting, specify the web object from which
you want the system to extract the dynamic parameter.
4. Next, select whether the system searches for the parameter in a
form, or in the response body.
If the parameter is located in a form, select Search Within
Form, and specify the form index and parameter index.
If the parameter is located in the HTTP/S response, select Search
parameters in response body. In the By Pattern box, type a
regular expression that represents the parameter name pattern.
Clear the Check parameter value box if you do not want the
system to enforce whether the parameter has a value.
5. Click the Create button to add the new parameter to the
configuration.

Configuring an extraction
You can configure an extraction that creates a global DCV parameter. When
you create an extraction by using the Extractions screen, you have the option
of associating it with an existing DCV parameter, or creating a new
parameter (by typing a new name in Step 6 of the following task). If you
type a new name, the system automatically creates a new global DCV
parameter, because extractions must be associated with a DCV parameter.
They cannot exist independently.

To create an extraction
1. On the Main tab of the navigation pane, expand Application
Security and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application for
which you are creating an extraction.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that will enforce the
extraction.
The Policy Properties screen opens.
4. On the menu bar, click Extractions.
The Extractions screen opens.
5. Above the List of Extractions area, click the Create button.
The Extraction Properties screen opens.
6. In the Extraction Properties area, for the Name setting, select an
existing name, or type a new name in the box. Note that the existing
name options are the names of dynamic content value parameters. If
you type a new name, you are creating a new global parameter, by
default.
7. Above the Extract Items Configuration area, select Basic or
Advanced (Advanced provides additional configuration options),
and then specify from where you want the system to extract the
dynamic parameter values. (See Understanding the extracted items
configuration, on page 7-26, for more information on this setting.)
8. Above the Extract Methods Configuration area, select Basic or
Advanced (Advanced provides additional configuration options),
and then specify the method or methods that you want the system to
use to extract the dynamic parameter values. (See Understanding
the extraction methods configuration, on page 7-27, for more
information on this setting.)
9. Click the Create button to add the new extraction to the
configuration.

Viewing the list of extractions


On the Extractions screen, you can review all of the parameter extractions
that are configured in the security policy. You can also review the parameter
extractions for a specific web object on the properties screen for that web
object. See Working with the Web Objects entity, on page 5-26, for more
information on web object properties.

To view the configured extractions


1. On the Main tab of the navigation pane, expand Application
Security and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application whose
extractions you want to view.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy whose extractions you
want to view.
The Policy Properties screen opens.
4. On the menu bar, click Extractions.
The Extractions screen opens, where you can view the extractions
that are in the security policy.

8
Refining the Security Policy Using Learning

Overview of the Learning process

Working with the learning suggestions generated by the Learning Manager

Processing the learning suggestions generated by the Learning Manager

Overview of the Ignored Items screen

Refining the Security Policy Using Learning

Overview of the Learning process


Once you have created a security policy with the Policy Builder, you can use
the learning suggestions generated by the Learning Manager to fine tune the
security policy. When you start sending actual client traffic through the
Application Security Manager, you can use the Learning data to recognize
the expected behavior of the traffic sent to the protected web application.
You examine the requests that cause learning suggestions, and then use
those learning suggestions to refine the security policy. The result of this
refinement process is that the security policy does not prevent legal requests,
from legitimate users, from accessing the protected web application.
The Learning process uses the following resources:
Learning Manager
The Learning Manager parses the security policy violations that the
Policy Enforcer generates, and generates learning suggestions based on
those policy violations. As visitors move through the web application,
the Learning Manager captures requests that contradict the current
security policy settings, and records the learning suggestions on the
Traffic Learning screen.
Traffic Learning screen
The data on the Traffic Learning screen are the learning suggestions that
the Learning Manager generates. The learning suggestions are
categorized by violation type, and can represent actual threats or false
positives. It is important to note that the learning suggestions are based
on the currently-active security policy.
Ignored Items screen
The Ignored Items screen lists the object types, objects, and flows that
you have instructed the Learning Manager to ignore, that is, to stop
generating learning suggestions for. Typically, the ignored items are
items that you do not want to be a part of the security policy.


Working with the learning suggestions generated by the Learning Manager

The Learning Manager generates learning suggestions when the Learn flag
is enabled for the violations on the Blocking Policy screen. (See
Configuring the Learn, Alarm, and Block flags, on page 5-35, for more
information.) When the system receives a request that triggers a violation,
the Learning Manager then updates the Traffic Learning screen with
learning suggestions based on the violating request information. From this
screen, you can review the learning suggestions to determine whether the
request triggered a legitimate security policy violation, or the violation
represents a need to update the security policy.

To view the learning suggestions


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. Click a web application name.
The Web Application properties screen opens.
3. On the menu bar, click Traffic Learning.
The Traffic Learning screen opens, where you can review the
current learning suggestions, and the number of occurrences for
each violation category.

Viewing a specific learning suggestion


On the Traffic Learning screen, the violation types become hyperlinks when
the Learning Manager generates a learning suggestion.

To view the details of a learning suggestion


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. Click a web application name.
The Web Application properties screen opens.
3. On the menu bar, click Traffic Learning.
The Traffic Learning screen opens.
4. In the Traffic Learning section, click a violation type hyperlink to
view the specific elements in the request that triggered the security
policy violation and the corresponding learning suggestion.
The screen refreshes, and the system displays the specific violations
that caused the learning suggestions.


Viewing the requests that trigger learning suggestions


You can review the requests that trigger the learning suggestions by
examining the occurrences of each learning suggestion.

To view all of the requests that triggered a learning suggestion

1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. Click a web application name.
The Web Application Properties screen opens.
3. On the menu bar, click Traffic Learning.
The Traffic Learning screen opens.
4. In the Traffic Learning section, click a violation type hyperlink to
view the specific elements in the request that triggered the security
policy violation and the corresponding learning suggestion.
The screen refreshes, and the system displays the request elements
that caused the learning suggestions.
5. In the Occurrences column, click the number.
The requests list screen opens, and displays all of the requests that
contained an item that triggered the learning suggestion.

Viewing the details of a specific request


Before you process a learning suggestion, it is very helpful to examine the
details of the request that caused the learning suggestion.

To view a specific request that triggered a learning suggestion

1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. Click a web application name.
The Web Application Properties screen opens.
3. On the menu bar, click Traffic Learning.
The Traffic Learning screen opens.
4. In the Traffic Learning section, click a violation type hyperlink to
view the specific elements in the request that triggered the security
policy violation and the corresponding learning suggestion.
The screen refreshes, and the system displays the request elements
that caused the learning suggestions.
5. In the Occurrences column, click the number.
The List of Requests screen opens, and displays all of the requests
that contained an item that triggered the learning suggestion.
6. On the List of Requests screen, in the Object column, click a
requested object.
The View Full Request Information screen opens, where you can
review the details of the request that triggered one or more learning
suggestions.

Processing the learning suggestions generated by the Learning Manager

The Learning Manager generates learning suggestions throughout the life of
the security policy. When you are refining a new security policy, a majority
of the learning suggestions are actually parameters and parameter values, or
some other component of the application, that are missing from the security
policy. When the Policy Enforcer detects violations for an existing policy,
however, the violations may be related to a real attack, and therefore warrant
more careful inspection before you accept the corresponding learning
suggestions, and update the security policy. In both cases, you should
carefully review the request for which the learning suggestion was
generated.
Once you have reviewed the learning suggestions (violations) that the
Learning Manager records on the Traffic Learning screen, you must decide
what to do with them in regard to the security policy. You can do one of
three things with the learning suggestion recommendation: accept it, clear it,
or reject it.

Accepting a learning suggestion


When you accept a learning suggestion, the system updates one or more of
the web application's security policies to accept the request entity that
triggered the violation. The system determines which security policies to
update based on the Apply Learning To setting for the web application. For
more information, see Configuring the target security policy for learning
suggestions, on page 4-5.

To accept a learning suggestion


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. Click a web application name.
The Web Application properties screen opens.
3. On the menu bar, click Traffic Learning.
The Traffic Learning screen opens.
4. Click a violation type hyperlink.
The learning suggestions properties screen opens. Note that the
screens vary depending on the violation.
5. Select a learning suggestion, and then click Accept.
The system updates the security policy with the element in the
request that caused the learning suggestion.


Clearing a learning suggestion


When you clear a learning suggestion, the system deletes the learning
suggestion, and does not update the security policy. The Learning Manager
continues to generate learning suggestions for future instances of the
violation.

To clear a learning suggestion


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. Click a web application name.
The Web Application properties screen opens.
3. On the menu bar, click Traffic Learning.
The Traffic Learning screen opens.
4. Click a violation type hyperlink.
The violation properties screen opens.
5. Select a learning suggestion, and then click Clear.
A Confirm Delete popup screen opens.
6. Click OK.
The system deletes the learning suggestion.

Tip
For a description of the violation types, refer to Understanding security
policy violations, on page 5-38.

Rejecting a learning suggestion


When you reject a learning suggestion, the system deletes the learning
suggestion, and updates the Ignored Items list for the security policy. The
Learning Manager does not report future instances of the violation. You can
reject learning suggestions for the following violation types: illegal object
type, non-existent object, illegal object, and illegal flow to object. These
violations typically represent object types or web objects that are not part of
the security policy, but for which the Learning Manager repeatedly
generates learning suggestions.

To reject a learning suggestion


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. Click a web application name.
The Web Application properties screen opens.
3. On the menu bar, click Traffic Learning.
The Traffic Learning screen opens.
4. Click a violation type hyperlink.
The violation properties screen opens. The information on these
screens varies depending on the violation type.
5. Select a learning suggestion, and then click Clear.
A Confirm Delete popup screen opens.
6. Check the Reject items from learning? box, and then click OK.
The system deletes the learning suggestion, and updates the Ignored
Items list for the web application. The Learning Manager no longer
generates learning suggestions for this security policy violation.

Tip
For more information on the Ignored Items list, see Overview of the
Ignored Items screen, on page 8-9.

Additional considerations when processing learning suggestions


When you are processing the learning suggestions, we recommend that you
process them in the following order. By doing so, you build the security
policy in a logical fashion, first adding the object types, and then expanding
the information about those object types. As you refine the security policy,
the learning suggestions for each violation category should diminish.
Illegal object types
Length errors
Illegal objects
Illegal flows
Illegal query string or POST data
Illegal parameters
Illegal parameter values

As the learning suggestions diminish, you can turn on blocking for those
violations for which you receive no learning suggestions for several days.
The Learning Manager does not generate learning suggestions for all
possible violations. As such, we recommend that you review the violations
report, in the Forensics information, before you start enabling the blocking
mode, to ensure that those violations are not occurring. For more
information on enabling the blocking mode, see Configuring the blocking
mode, on page 5-6.

Important
Use these guidelines only when you are processing learning suggestions
generated from known, trustworthy traffic. When you are processing
learning suggestions from real client traffic, each learning suggestion or
violation must be considered a potential threat.

Important
The Learning Manager does not generate learning suggestions for requests
that cause non-existent object violations if the web server sends an HTTP
response with status codes in the 4XX or 5XX range.


Overview of the Ignored Items screen


When you reject a learning suggestion for an object, an object type, or a
flow, the Application Security Manager adds the rejected item to the
Ignored Items list. When the system receives subsequent requests for those
rejected items, the system no longer generates learning suggestions related
to the rejected items. The system does, however, continue to log the requests
in the forensics data, and the security events data, if applicable.

To view the Ignored Items screen


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. Click a web application name.
The Web Application properties screen opens.
3. On the menu bar, click Ignored Items.
The Ignored Items screen opens, where you can review the ignored
items for the web application.

Removing items from the Ignored Items list


If you want the system to start generating learning suggestions for items that
you have added to the Ignored Items list, you remove those items from the
list.

To remove an item from the Ignored Items list


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Applications list screen opens.
2. Click a web application name.
The Web Application properties screen opens.
3. On the menu bar, click Ignored Items.
The Ignored Items screen opens.
4. In the list that contains the item you want to remove, check the
Select box (in the far left column) next to the item, and then click
the Clear button below the list.

9
Working with the Statistics and Monitoring Tools

Overview of the statistics and monitoring tools

Working with the Events Monitoring report

Working with the Security reports

Working with the Attacks reports

Working with the Executive reports

Working with the Forensics screen


Working with the Statistics and Monitoring Tools

Overview of the statistics and monitoring tools


You can use the statistics and monitoring tools to analyze incoming
requests, track trends in violations, generate security reports, and evaluate
possible attacks. The statistics and monitoring tools are:
Events Monitoring report
The Events Monitoring report summarizes all of the events that occur as
a result of a security policy violation. See Working with the Events
Monitoring report, following, for more information.
Security reports
The Security reports summarize security policy violations by violation
type and by IP address of the offending client. See Working with the
Security reports, on page 9-4, for more information.
Attacks reports
The Attacks reports track the IP addresses that are generating security
policy violations, and the most frequent violation types. See Working
with the Attacks reports, on page 9-6, for more information.
Executive reports
The Executive reports display printable charts of attack data and trends.
See Working with the Executive reports, on page 9-8, for more
information.
Forensics
The Forensics information summarizes the requested objects for a web
application. See Working with the Forensics screen, on page 9-9, for
more information.

Working with the Events Monitoring report


You can use the Events Monitoring report to review all of the events that
occur as a result of a security policy violation. The Events Monitoring report
displays the following information about each event: severity level (log
level), web application name, last time (most recent occurrence), counter
(number of occurrences), and violation types. You can use the filter option
to filter the Monitoring list to display only those events in which you are
interested. You can also export the events data, or import saved events data.

To view the Events report


On the Main tab of the navigation pane, expand Application Security, and
then click Statistics.
The Events Monitoring screen opens, where you can review the events that
have triggered policy violations.


Filtering the Monitoring list


In many instances, the Monitoring list may be quite long. You can use the
filter option to view only those events which are of interest to you. The filter
option has several built-in, time-based options. In addition, you can create a
custom filter.

To use a built-in filter to view monitoring events


1. On the Events Monitoring screen, from the Filter list, select the
time range for which you want to view the monitoring events.
2. Click Go.
The screen refreshes, and the Monitoring list displays only those
events that match the specified time criteria.

To use a custom filter to view monitoring events


1. On the Events Monitoring screen, to the left of the Filter list, click
the Show/Hide Filter button (the little arrow).
The filter option expands to display the custom filter options.
2. Specify the criteria by which you want the filter option to filter the
Monitoring list.
3. Click the Save Filter button.
A popup screen opens, where you provide a name for the custom
filter.
4. Type a name for the custom filter, and click OK.
The screen refreshes, and you see the custom filter in the Filter list.
5. From the Filter list, select the custom filter that you just created,
and then click Go.
The screen refreshes, and the Monitoring list displays only those
events that match the specified criteria.

Saving and restoring the events data


There may be situations where you want to export the events data. You may
want to archive it on a remote system, or you may want to preserve the data
when you upgrade the system software. The system saves the last 100,000
events in a *.tar.gz file. When you import, or restore, the saved file, the
system restores only those events that correspond to web applications in the
current configuration. Additionally, the import action does not restore
duplicated events.

9-2
Working with the Statistics and Monitoring Tools

To export and archive an events data file


1. On the Main tab of the navigation pane, expand Application
Security, and then click Statistics.
The Events Monitoring screen opens.
2. Below the Monitoring list, click the Export button.
A popup screen opens.
3. Select the save option, and click OK.
The system creates a *.tar.gz file of the events, and saves it on your
work station.
Note: Depending on the web browser you use, the labeling for the
save option changes.

Importing (or restoring) a saved events data file


1. On the Main tab of the navigation pane, expand Application
Security, and then click Statistics.
The Events Monitoring screen opens.
2. Below the Monitoring list, click the Import button.
The Import Events popup screen opens.
3. In the Choose File box, type the path to the events data file that you
want to restore. Alternately you can click the Browse button, and
navigate to the file.
4. Click Import.
The system extracts the events data, and restores the data on the
system.


Working with the Security reports


The Security reports display information about the requests that generate
security policy violations. There are two types of security reports: the
Violation Report and the IPs Report. Note that you can use the filter option
to filter the Monitoring list to display only those events in which you are
interested.
The Violation Report
The Violation Report displays each possible violation, the number of
requests that contain the violation, and what percentage of all violations a
particular violation represents.
The IPs Report
The IPs Report displays the source IP addresses of the requests that
contain violations, the number of requests received from the source IP
address, and what percentage of all violating requests have been received
from the particular IP address.

Viewing the Security reports


The security reports are available in the Statistics section of the Application
Security Manager.

To view the Security reports


1. On the Main tab of the navigation pane, expand Application
Security, and then click Statistics.
The Events Monitoring screen opens.
2. On the menu bar, click Reports.
The Security Reports screen opens.
3. In the Report Type list on the right side of the screen, select the
type of report that you want to review.
The screen refreshes to display the requested data.

Filtering the Security reports


Once you have chosen a report type, you may want to filter the resulting
report. You can use the filter option to view only those events which are of
interest to you. The filter option has several built-in, time-based options.
You can also create a custom filter.

To use a built-in filter to view a security report


1. On the Main tab of the navigation pane, expand Application
Security, and then click Statistics.
The Events Monitoring screen opens.
2. On the menu bar, click Reports.
The Security Reports screen opens.
3. On the Security reports screen, from the Filter list, select the time
range for which you want to view the security events.
4. Click Go.
The screen refreshes, and the security report displays only those
events that match the specified time criteria.

To use a custom filter to view a security report


1. On the Main tab of the navigation pane, expand Application
Security, and then click Statistics.
The Events Monitoring screen opens.
2. On the menu bar, click Reports.
The Security Reports screen opens.
3. On the Security reports screen, to the left of the Filter list, click the
Show/Hide Filter button (the little arrow).
The filter option expands to display the custom filter options.
4. Specify the criteria by which you want the filter option to filter the
security report.
5. Click the Save Filter button.
A popup screen opens, where you provide a name for the custom
filter.
6. Type a name for the custom filter, and click OK.
The screen refreshes, and you see the custom filter in the Filter list.
7. From the Filter list, select the custom filter that you just created,
and then click Go.
The screen refreshes, and the security report displays only those
events that match the specified criteria.


Working with the Attacks reports


The Attacks reports display information and trends based on illegal requests
to a web application. There are two types of Attacks reports: the IPs Report
and the Attack Types Report.
IPs Report
The IPs Report displays the source IP address, attack type, number of
occurrences, start time, and last time for each attack type. You can use
the data in the IPs Report to look for trends in the origination of an
attack. If a certain IP address is generating a high volume of a particular
attack, it is likely that someone is trying to take a malicious action
against the protected web application.
Attack Types Report
The Attack Types Report displays the attack type, the number of requests
containing the attack, and percentage of the overall attacks that the
particular attack represents.

Viewing the Attacks reports


The attacks reports are available in the Statistics section of the Application
Security Manager.

To view the Attacks reports


1. On the Main tab of the navigation pane, expand Application
Security, and then click Statistics.
The Events Monitoring screen opens.
2. On the menu bar, click Attacks.
The Attacks Report screen opens.
3. In the Report Type list, on the right side of the screen, select the
type of report that you want to review.
The screen refreshes to display the requested data.

Filtering the Attacks reports


Once you have chosen a report type, you may want to filter the resulting
report. You can use the filter option to view only those events which are of
interest to you. The filter option has several built-in, time-based options.
You can also create a custom filter.

To use a built-in filter to view an attacks report


1. On the Main tab of the navigation pane, expand Application
Security, and then click Statistics.
The Events Monitoring screen opens.
2. On the menu bar, click Attacks.
The Attacks Report screen opens.
3. On the Attacks Report screen, from the Filter list, select the time
range for which you want to view the attacks information.
4. Click Go.
The screen refreshes, and the attacks report displays only those
events that match the specified time criteria.

To use a custom filter to view an attacks report


1. On the Main tab of the navigation pane, expand Application
Security, and then click Statistics.
The Events Monitoring screen opens.
2. On the menu bar, click Attacks.
The Attacks Report screen opens.
3. To the left of the Filter list, click the Show/Hide Filter button (the
little arrow).
The filter option expands to display the custom filter options.
4. Specify the criteria by which you want the filter option to filter the
attacks report.
5. Click the Save Filter button.
A popup screen opens, where you provide a name for the custom
filter.
6. Type a name for the custom filter, and click OK.
The screen refreshes, and you see the custom filter in the Filter list.
7. From the Filter list, select the custom filter that you just created,
and then click Go.
The screen refreshes, and the attacks report displays only those
events that match the specified criteria.


Working with the Executive reports


The Executive reports display data similar to that which is available in the
Attacks reports. The Executive reports present, in charts, the top five
attacks, the top five attackers, and the attacks volume. You can view charts
based on data collected in the previous 24 hours, or collected in the previous
seven days. You can also easily print the charts, which is an efficient way to
monitor the attack trends over time.

Note

If, on the Blocking Policy screen, only Learn flags are enabled, the
Executive reports screen displays no data because the system does not issue
any alerts. See Working with the Blocking Policy settings, on page 5-35,
for more information.

Viewing the Executive reports


The Executive reports are available in the Statistics section of the
Application Security Manager.

To view the Executive reports


1. On the Main tab of the navigation pane, expand Application
Security, and then click Statistics.
The Events Monitoring screen opens.
2. On the menu bar, click Executive.
The Executive Reports screen opens.


Working with the Forensics screen


For each web application, the Application Security Manager records the
requested objects in the Forensics information. The Forensics screen
provides the following information about a request: the request category, the
time of the request, the request protocol, the requested object itself, the
server response code, and the source IP address of the request.
You can view forensics information for all web applications, or you can
view forensics information in the context of a specific web application.

To view the Forensics list for all web applications


1. On the Main tab of the navigation pane, expand Application
Security, and then click Statistics.
The Events screen opens.
2. On the menu bar, click Forensics.
The Forensics screen opens, where you can review the forensics
information for all of the configured web applications.

To view the Forensics list for a specific web application


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of a web application.
The Web Application Properties screen opens.
3. On the menu bar, click Forensics.
The Forensics screen opens, where you can review the forensics
information for the specific web application.

Filtering the Forensics list


You can use the filter option to view only those events which are of interest
to you. The filter option has several built-in, time-based options that you can
use to display requests that occurred within a certain time range. Alternately,
you can create a custom filter that refines the Forensics list by criteria such
as web application name, support ID, or specific violation type.

To use a built-in filter to view forensics events


1. On the Main tab of the navigation pane, expand Application
Security, and then click Statistics.
The Events screen opens.
2. On the menu bar, click Forensics.
The Forensics screen opens.
3. From the Filter list, select the time range for which you want to
view the forensics.
4. Click Go.
The screen refreshes, and the Forensics list displays only those
events that match the specified time criteria.

To use a custom filter to view forensics events


1. On the Main tab of the navigation pane, expand Application
Security, and then click Statistics.
The Events screen opens.
2. On the menu bar, click Forensics.
The Forensics screen opens.
3. On the Forensics screen, to the left of the Filter list, click the
Show/Hide Filter button (the little arrow).
The filter option expands to display the custom filter options.
4. Specify the criteria by which you want the filter option to filter the
Forensics list.
5. Click the Save Filter button.
A popup screen opens, where you provide a name for the custom
filter.
6. Type a name for the custom filter, and click OK.
The screen refreshes, and you see the custom filter in the Filter list.
7. From the Filter list, select the custom filter that you just created,
and then click Go.
The screen refreshes, and the Forensics list displays only those
events that match the specified criteria.

10
General System Options

Configuring a user account for policy editing only

Viewing the application security log files

Working with the system-supplied regular expressions

Configuring a user account for policy editing only


The Application Security Manager provides a user role specifically designed
for security policy management. You can assign the Application Security
Policy Editor user role to those personnel who can edit the security policies,
but cannot change any of the local traffic, network, or system settings. For
additional information on user roles and user management, refer to the
BIG-IP Network and System Management Guide, which is available on
the Ask F5 web site at http://tech.f5.com.

To assign the Policy Editor user role to a user


1. On the Main tab of the navigation pane for the BIG-IP system,
expand System, and then click Users.
The User list screen opens.
2. Click the Create button.
The New User Account Properties screen opens.
3. In the User Name box, type the user's name.
4. In the Authentication box, type and confirm the user's password.
5. In the Web User Role list, select Application Security Policy
Editor.
6. Click Finished.
The screen refreshes and you see the new user account in the list.


Viewing the application security log files


The system log files for the Application Security Manager are accessible
from the Configuration utility for the BIG-IP system. Note that these are the
log files for general system events and user activity. Security violation
events are displayed in the Configuration utility for the Application Security
Manager. For more information on logging in general, refer to the BIG-IP
Network and System Management Guide, which is available on the Ask F5
web site, http://tech.f5.com.

To view the application security log files


1. On the Main tab of the navigation pane for the BIG-IP system,
expand System, and then click Logs.
The System Logs list screen opens.
2. On the menu bar, click Application Security.
The Application Security log list screen opens, where you can
review the logged entries.


Working with the system-supplied regular expressions

The Application Security Manager provides a large assortment of regular
expressions and negative regular expressions. You can view and manage
this pool of regular expressions outside the context of a security policy.

Note

If you are unfamiliar with regular expression syntax, you can find many
helpful books at technology book web sites.

Overview of the regular expressions pool


The regular expressions pool contains all of the system-supplied negative
regular expressions. These regular expressions represent known attack
patterns. The regular expressions pool also contains any user-defined regular
expressions.

To view the system-supplied regular expressions pool


1. On the Main tab of the navigation pane, expand Application
Security, and then click Options.
The RegExp Pool screen opens.
2. In the Used in Policy column, you can see whether the regular
expression is used by one of the security policies in the
configuration.
3. On this screen, you can also create, edit, or remove a regular
expression from the regular expressions pool.

Note

You cannot permanently delete system-supplied regular expressions.

Creating a user-defined regular expression


You can create a user-defined regular expression, and add it to the regular
expressions pool.

Important
In general, we recommend that you use the system-supplied regular
expressions as is. If you are an advanced user, and you are familiar with
POSIX-compliant regular expressions, then you may want to create
user-defined regular expressions to add to the regular expressions pool.


To create a user-defined regular expression


1. On the Main tab of the navigation pane, expand Application
Security, and then click Options.
The RegExp Pool screen opens.
2. Above the RegExp Pool area, click the Create button.
The New RegExp screen opens.
3. In the RegExp Name box, type a unique name for the regular
expression.
4. In the RegExp box, type the regular expression syntax.
5. Optionally, in the Description box, type a description of the regular
expression.
6. Click the Save button.
The screen refreshes, and the new regular expression is listed in the
RegExp Pool list.

Important
We strongly recommend that you use the RegExp Validator to validate the
syntax of any user-defined regular expressions.

Validating a user-defined regular expression


The RegExp Validator is a tool that you can use to ensure that a user-defined
regular expression has valid syntax.

To use the RegExp Validator


1. On the Main tab of the navigation pane, expand Application
Security, and then click Options.
The RegExp Pool screen opens.
2. On the menu bar, click RegExp Validator.
The RegExp Validator screen opens.
3. In the RegExp box, type the regular expression syntax.
4. In the Test String box, type a test string pattern.
5. Click the Validate button.
The screen refreshes and you see the results of the validation.


Overview of the default negative regular expressions pool for security policies

The default negative regular expressions pool is the collection of regular
expressions that the system assigns to a security policy by default. The
default pool is a subset of the regular expressions pool.

To view the default negative regular expressions pool


1. On the Main tab of the navigation pane, expand Application
Security, and then click Options.
The RegExp Pool screen opens.
2. On the menu bar, click Negative RegExp Defaults.
The Negative RegExp Policy Defaults screen opens.

You can modify the default pool's contents on a global level, or within the
context of a security policy. The following sections of this chapter explain
how to modify the default pool on a global level. To modify the regular
expressions within the context of a security policy, refer to Working with the
negative regular expressions pool, on page 5-10.

Adding a regular expression to the default negative regular expressions pool


You can add an existing regular expression to the default negative regular
expressions pool. Note that the regular expression that you want to add must
already be included in the regular expressions pool, which is explained in
Overview of the regular expressions pool, on page 10-3.

To add a regular expression to the default negative regular expressions pool

1. On the Main tab of the navigation pane, expand Application
Security, and then click Options.
The RegExp Pool screen opens.
2. On the menu bar, click Negative RegExp Defaults.
The Negative RegExp Policy Defaults screen opens.
3. Above the Negative RegExp Policy Defaults area, click the Create
button.
The New Negative RegExp screen opens.
4. For the RegExp Name setting, select the regular expression that
you want to add to the default pool.
5. For the Applies to setting, select the entity to which the system
applies the regular expression.
6. Click the Save button.
The system updates the configuration, and the Negative RegExp
Policy Defaults screen opens.


Removing a regular expression from the default negative regular expressions pool

Depending on the requirements of your web applications, you may not need
all of the regular expressions that are in the default negative regular
expressions pool. You can easily remove any unnecessary regular
expressions.

To remove a regular expression from the default negative regular expressions pool

1. On the Main tab of the navigation pane, expand Application
Security, and then click Options.
The RegExp Pool screen opens.
2. On the menu bar, click Negative RegExp Defaults.
The Negative RegExp Policy Defaults screen opens.
3. In the Select column, check the Select box next to the regular
expression that you want to remove, and then click the Remove button
below the Negative RegExp Policy Defaults area.
A confirmation popup screen opens.
4. Click OK.
The system updates the configuration, and removes the regular
expression from the pool.

Note

If you inadvertently remove regular expressions that actually belong in the
default pool, you can easily restore them. Refer to Restoring the negative
regular expressions pool to the default settings, following, for more
information.

Restoring the negative regular expressions pool to the default settings


You can restore the default regular expressions from the Negative RegExp
Defaults screen. This action updates the default regular expressions pool
with any system-supplied regular expressions that you may have removed.

Important
Restoring the default settings for the default negative regular expression
pool does not update specific security policy pools with any regular
expressions that you may have removed. See Adding a negative regular
expression to the pool for a security policy, on page 5-11, for more
information.


To restore the default negative regular expression pool


1. On the Main tab of the navigation pane, expand Application
Security, and then click Options.
The RegExp Pool screen opens.
2. On the menu bar, click Negative RegExp Defaults.
The Negative RegExp Defaults screen opens.
3. Below the Negative RegExp Policy Defaults area, click the Restore
button.
A confirmation popup screen opens.
4. Click OK.
The system resets the negative regular expressions pool to the
default set of regular expressions.

A
Internal Parameters for Advanced Configuration

Overview of internal parameters

The Application Security Manager has several internal parameters that
control how the product functions. In almost all cases, there is no need to
change the internal parameters from their default setting.

To view internal parameters in the Configuration utility


1. On the Main tab of the navigation pane, expand Application
Security, and then click Options.
The RegExp Pool screen opens.
2. On the menu bar, click Advanced Configuration.
The Advanced Configuration screen opens, where you can review
the settings for the internal parameters.

Important
We recommend that you change the values for the internal parameters only
with the guidance of the technical support staff.

Table A.1 lists the internal parameters, their default value, and a description
of their purpose.

Internal Parameter (Default Value)
Description

MemoryThreshold (90)
When the memory allocated by the Policy Enforcer's umu mechanism reaches
this threshold, the Policy Enforcer stops accepting new requests. The
threshold is calculated as a percentage of the maximum memory configured
for the umu mechanism.

Port_80 (8080)
The port that the Application Security Manager uses.

ecard_max_http_req_uri_len (2048)
Defines a maximum URI length that the bd utility can support in its
internal buffers. If this number is lower than the URI length defined per
file type, then this number is the limit. If this number is higher than
the file type limit, then the file type limit sets the maximum URI length.

MaxJobs (15000)
Maximum number of concurrent sessions that the Application Security
Manager can handle.

ssl_SSLport (4433)
The port on which the Application Security Manager listens for incoming
encrypted HTTP requests (SSL). Even though the request is decrypted by the
TMM utility, the Application Security Manager needs to differentiate
between requests that originated as HTTP and requests that originated as
encrypted requests.

TcpMaxSynBackLog (500)
This parameter configures the backlog parameter of listen() on the
incoming requests socket. The backlog parameter defines the maximum queue
length of pending connections.

log_bad_msg_sent_to_server (1)
When set to 0, the system logs only blocked requests to the database that
generates Forensics information.

http_error_filter_list (400,401,404,407,503)
If the HTTP response code is between 401 and 599, only responses with a
response code that appears in this list are returned as-is to the client.
The system blocks all other response codes, and issues the Illegal HTTP
status violation.

ecard_regexp_email (^\s*([\w.-]+)@([\w.-]+)\s*$)
Specifies the regular expression that defines a valid pattern for
parameter values of type email.

cookie_max_age (900)
This parameter is the default value (in seconds) assigned to the Max-Age
option for the ASM cookie, which is created by the Policy Enforcer.

ssl_CloseSocket (0)
When set to 1, the bd utility closes the connection to the client at the
end of the response (applies to SSL sessions).

ecard_regexp_phone (^\s*[0-9 ()+-]+\s*$)
Specifies the regular expression that defines a valid pattern for
parameter values of type phone number.

max_filtered_html_length (52428800)
Defines the maximum response size that the bd utility can accumulate for
the purposes of checking or extracting data from the response (for
example, dynamic parameters or dynamic session in URL).

cookie_expiration_time_out (600)
This value is used by the bd utility to determine the length of time (in
seconds) for which the ASM cookie data is valid.

cookie_renewal_time_stamp (300)
Defines how often the bd utility renews the ASM cookie time. This internal
parameter is tightly coupled with cookie_expiration_time_out (in seconds).

tcp_CloseSocket (0)
When set to 1, the bd utility closes the connection to the client at the
end of the response (applies to TCP sessions).

ecard_regexp_decimal (^\s*[+-]?\d*(\.\d+)?\s*$)
Specifies the regular expression that defines a valid pattern for
parameter values of type decimal.

max_concurrent_long_request (100)
Maximum number of concurrent long requests that the bd utility can handle.
A long request is a request longer than request_buffer_size and less than
long_request_buffer_size.

request_buffer_size (4096)
Common request length supported by the Policy Enforcer.

long_request_buffer_size (10000000)
Longest request length supported by the Policy Enforcer.

allow_all_cookies_at_entry_point (0)
When set to 0, if a request arrives with no main ASM cookie (entry point),
then every domain cookie that is not configured as ALLOWED-COOKIE is
considered an ILLEGAL_DOMAIN_COOKIE. When set to 1, all cookies are
accepted.

ResponseBufferSize (106496)
Specifies the maximum amount of clean response data that the system
retains.

non_rfc_bitmask (59)
Specifies the bit mask that the system applies to requests to expose RFC
violations.

startup_end_timeout (300)
Specifies the maximum time for the bd utility to receive all configuration
information, and finish the startup process.

total_umu_max_size (1572864)
Specifies the maximum memory size (in bytes) available for the Policy
Enforcer's umu mechanism.

max_len_for_pattern_checks (51200)
Specifies the maximum length for pattern checks.

cookie_digest_key (11112222333344445555666677778888)
This parameter is used as a key in the cookie digest calculations for ASM
cookies.

RWThreads (1)
Specifies the number of threads that the Application Security Manager
uses.

Table A.1 Internal parameters for the Application Security Manager
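How several of the Table A.1 defaults interact, modelled in Python as an added example; this is not the product's code, only a reading of the descriptions above. The constant values are the defaults from the table; the function names and the treatment of the exact long_request_buffer_size boundary are assumptions.

```python
# Default values copied from Table A.1 of this guide.
HTTP_ERROR_FILTER_LIST = frozenset({400, 401, 404, 407, 503})  # http_error_filter_list
ECARD_MAX_HTTP_REQ_URI_LEN = 2048       # ecard_max_http_req_uri_len (bd buffer limit)
REQUEST_BUFFER_SIZE = 4096              # request_buffer_size
LONG_REQUEST_BUFFER_SIZE = 10_000_000   # long_request_buffer_size
MAX_CONCURRENT_LONG_REQUEST = 100       # max_concurrent_long_request
TOTAL_UMU_MAX_SIZE = 1_572_864          # total_umu_max_size (bytes)
MEMORY_THRESHOLD = 90                   # MemoryThreshold (percent)


def response_passes_status_filter(status: int,
                                  allowed=HTTP_ERROR_FILTER_LIST) -> bool:
    """True if a response with this status code is returned to the client as-is.

    Only codes from 401 to 599 are inspected; in that range the code must
    appear in http_error_filter_list, otherwise the response is blocked and
    the Illegal HTTP status violation is raised. Code 400 in the default list
    lies outside the inspected range, so 400 responses pass regardless.
    """
    if 401 <= status <= 599:
        return status in allowed
    return True


def effective_uri_limit(file_type_limit: int,
                        bd_limit: int = ECARD_MAX_HTTP_REQ_URI_LEN) -> int:
    """The URI length actually enforced for a file type.

    Whichever is smaller wins: the per-file-type limit from the policy or
    the bd utility's internal buffer limit.
    """
    return min(file_type_limit, bd_limit)


def classify_request_size(length: int) -> str:
    """Classify a request by body length against the two buffer sizes.

    'normal' up to request_buffer_size, 'long' above it and up to
    long_request_buffer_size (the boundary value itself is treated as
    supported here, an assumption), otherwise 'unsupported'.
    """
    if length <= REQUEST_BUFFER_SIZE:
        return "normal"
    if length <= LONG_REQUEST_BUFFER_SIZE:
        return "long"
    return "unsupported"


def can_accept_long_request(active_long_requests: int) -> bool:
    """Whether another long request fits under max_concurrent_long_request."""
    return active_long_requests < MAX_CONCURRENT_LONG_REQUEST


def umu_accepts_new_requests(allocated_bytes: int) -> bool:
    """Whether the Policy Enforcer still accepts new requests.

    It stops once umu allocation reaches MemoryThreshold percent of
    total_umu_max_size (integer arithmetic, so the threshold rounds down).
    """
    threshold_bytes = TOTAL_UMU_MAX_SIZE * MEMORY_THRESHOLD // 100
    return allocated_bytes < threshold_bytes


if __name__ == "__main__":
    # Constructed sample values; not data from the guide.
    for code in (200, 400, 403, 404, 500, 503):
        print(code, "returned as-is" if response_passes_status_filter(code)
              else "blocked: Illegal HTTP status")
    print("enforced URI limit for a 4096-byte file-type setting:",
          effective_uri_limit(4096))
    print("request of 5000 bytes is", classify_request_size(5000))
    print("umu at 1,500,000 bytes accepts new requests:",
          umu_accepts_new_requests(1_500_000))
```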

B
Upgrading from TrafficShield 3.2.X to
BIG-IP Application Security Manager

Introduction

Preparing the 3.2.X system for the upgrade

Installing the BIG-IP version 9.4 software

Licensing the software using the Configuration utility

Configuring the basic network and system settings

Converting 3.2.X network settings to BIG-IP 9.4 network settings

Configuring the basic local traffic settings

Creating the application security configuration

Upgrading a primary with standby unit topology

Sample results file from ts_collect_info.pl script

Introduction
This appendix describes, in detail, the standard process for upgrading a
TrafficShield Application Firewall version 3.2.X system to BIG-IP
Application Security Manager version 9.4. This upgrade completely
replaces the version 3.2.X software, and cannot be reversed.
The upgrade process involves the following tasks.
Prepare the system for the upgrade.
Back up the current 3.2.X configuration and export the configuration
file to a remote location.
Run the collect_ts_info.pl script on the 3.2.X system, and save the
resulting file to a remote location. The collect_ts_info.pl script
collects configuration information that you will need once you have
installed the version 9.4 software.
Install the BIG-IP Application Security Manager software.
License the version 9.4 software. You must obtain a new registration key
to license the software. To obtain the new registration keys, contact F5
Technical Support with the serial numbers from the units you are
upgrading.
Configure the local traffic, network, and system settings.
Configure the application security class and web application settings.
Import the saved security policies into the new configuration.

This appendix contains detailed information to guide you through the
upgrade process. We recommend that you review the information to become
familiar with the process before you start the actual upgrade.

Important
Because each deployment of TrafficShield Application Firewall is unique,
this document covers the more general and common tasks related to the
upgrade process. You must evaluate your individual requirements to finalize
the upgrade.

Upgrade compatibility
You can apply the version 9.4 upgrade only to systems running
TrafficShield Application Firewall, version 3.2.0 or version 3.2.1, on the
4100 hardware platform. F5 Networks does not support this upgrade on any
other source or target versions.


Important considerations regarding the upgrade process

Please review the following considerations before you begin the upgrade
process.
• The registration key that you used to activate the license for the version
  3.2.X software does not activate the version 9.4 software. You must
  obtain a new registration key from F5 Technical Support before you
  begin the upgrade process. Send an email to support@f5.com that
  includes the serial numbers from all of the 4100 units that you want to
  upgrade.
• The network topology settings are completely different between a 3.2.X
  system and a 9.4 system. Refer to Converting 3.2.X network settings to
  BIG-IP 9.4 network settings, on page B-15, for additional information.
  You may also wish to review the networking information in the BIG-IP
  Network and System Management Guide.
• During the upgrade process, the system is completely offline. Depending
  on the complexities of your configuration, the upgrade may take several
  hours to complete. We recommend that you evaluate the timing of the
  upgrade because once you have started the upgrade process, you cannot
  reverse or back out of it.
• If you are upgrading a primary with standby unit topology, you perform
  the software upgrade on each 4100 unit, separately, and then you
  configure the redundant system. Refer to Upgrading a primary with
  standby unit topology, on page B-21, for additional information.

Additional resources
In addition to this guide, the following technical publications and other
resources provide extensive information on the functionality of the BIG-IP
9.X systems:
• BIG-IP Network and System Management Guide
• Configuration Guide for BIG-IP Local Traffic Management
• The Ask F5 Technical Support web site, http://tech.f5.com
• The release notes for this release

Preparing the 3.2.X system for the upgrade

Before you can install the BIG-IP Application Security Manager version 9.4
software, you need to perform the following tasks on the TrafficShield
version 3.2.X system:
• Back up the 3.2.X system configuration to a remote location.
• Install the latest TrafficShield version 3.2.X service pack, if you have not
  already done so.
• Run the collect_ts_info.pl script on the 3.2.X system. This script collects
  configuration information that you will need once you have installed the
  version 9.4 software.

B-2
Upgrading from TrafficShield 3.2.X to BIG-IP Application Security Manager

Backing up and exporting the 3.2.X system configuration


The first task in the upgrade process is to back up and export a copy of the
TrafficShield 3.2.X system configuration to a remote location. This task is
very important because the upgrade process completely erases the system's
configuration.

To export the TrafficShield 3.2.X configuration


1. From the TrafficShield Management Station (TSMS) user interface,
click Administration > Maintenance > Support Tools.
The Support Tools screen opens.
2. Click the Export Configuration tab.
The Export Configuration screen opens.
3. Leave all of the options on the screen at their default settings, and
click the Export button.
A file download screen opens.
4. Save the file to a remote location, such as a file server or a
workstation. You may want to make a note of the location.

Tip
The system saves the exported configuration file using a default naming
convention, ts_config_mm-dd-yy_hh-mm.tsc, where mm-dd-yy_hh-mm
represents the date and time at which you first save the file. You can modify
the name before saving the file, as required.

Obtaining the collect_ts_info.pl script


If the collect_ts_info.pl script is not located on your machine, you need to
install the latest version 3.2.X service pack. You can get the latest service
pack from the http://downloads.f5.com site. You can verify whether the
version 3.2.X system has the required service pack by reviewing the
package information on the Show Packages screen.

To verify that the latest service pack is installed on the
version 3.2.X system
1. Log in to the TrafficShield Management Station.
2. Click Administration, at the top of the screen.

3. On the navigation pane, in the Maintenance section, click
Upgrades.
4. On the Upgrades screen, click the Show Packages button.
5. Verify that this hotfix is listed:
TrafficShield_V3.2.x-HOTFIX-V4_CR-57902-58152.tar.gz

If it is not listed, then you need to install the latest TrafficShield
version 3.2.X service pack before you proceed with the upgrade to
version 9.4. This service pack contains the collect_ts_info.pl script,
as well as other fixes.

Note

For details on installing the service pack on a version 3.2.X system, refer to
the readme file that is available from the location of the service pack.

Running the collect_ts_info.pl script


To more easily migrate your application security configuration from the
version 3.2.X software to the version 9.4 software, you need to run the
collect_ts_info.pl script. This script collects important information about
the system configuration as well as all existing security policies, keys,
certificates, and more. The information that the script collects will help you
create your configuration once you have installed the version 9.4 software.

To run the collect_ts_info.pl script


1. Open a serial console session for the system that you want to run the
script on.
2. On the command line, type the following command, and press
Enter:
/ts/off_tools/collect_ts_info.pl

The script collects the information, and creates a ts_conf.tar.gz file
in the /ts/install directory.
3. Using SCP (or a similar tool), copy the newly created ts_conf.tar.gz
file from the /ts/install directory to a remote location.

The collect_ts_info.pl script collects the following information about the
version 3.2.X system:
• TrafficShield software version
• Attach service IPs to Eth1 setting (ON or OFF)
• Private IP address, IP to web address, role (TSMS or TSMS backup)
• IP aliases
• Route table
• Alerts configuration
• Link speed/duplex configuration (available in version 3.2.1 and later)
• Permanent IP addresses
• Permanent static routes
• Web application settings, including:
  • HTTP settings, including service port
  • HTTPS settings, including service port
• List of all exported policies
• List of client certificates
• List of server certificates
• List of installed hotfixes
• Modified internal parameters
• Policy active files
• License file
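Because the upgrade erases the 3.2.X configuration and cannot be reversed, the copy of ts_conf.tar.gz (and of the exported .tsc file) that you placed on the remote location is the only record you keep. The following Python script is an added example, not part of the collect_ts_info.pl script or of any F5 tool: it confirms that the copied archive is byte-identical to the original, that it still opens as a gzip-compressed tar, and that it contains the members you expect. The member names and file contents it builds are constructed placeholders; the page does not document the real layout of the archive.

```python
"""Verify a saved TrafficShield configuration archive before the upgrade wipes the 4100.

Added example (not F5 code). The checks are generic: the remote copy must
hash identically to the original, open as a gzip-compressed tar, and contain
the member names you expect. The member names used by the sample are
constructed placeholders.
"""
import hashlib
import io
import os
import tarfile
import tempfile
import zlib


def sha256_of_file(path, chunk_size=1 << 16):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_archive_members(path):
    """Return the member names of a gzip tar archive; raises if it is unreadable."""
    with tarfile.open(path, mode="r:gz") as tar:
        return [member.name for member in tar.getmembers()]


def verify_backup(original_path, copy_path, required_members=()):
    """Compare the remote copy against the original and inspect its contents.

    Returns a dict with the individual findings and an overall 'ok' flag.
    """
    result = {"hash_match": False, "readable": False, "members": [],
              "missing": list(required_members), "ok": False}
    result["hash_match"] = sha256_of_file(original_path) == sha256_of_file(copy_path)
    try:
        members = list_archive_members(copy_path)
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        # A truncated or corrupted transfer typically fails here.
        return result
    result["readable"] = True
    result["members"] = members
    result["missing"] = [name for name in required_members if name not in members]
    result["ok"] = result["hash_match"] and not result["missing"]
    return result


def build_sample_archive(directory):
    """Create a small constructed ts_conf.tar.gz standing in for the script's output."""
    archive_path = os.path.join(directory, "ts_conf.tar.gz")
    sample_members = (  # hypothetical member names and contents
        ("ts_conf/version.txt", b"TrafficShield 3.2.1 (constructed sample)\n"),
        ("ts_conf/route_table.txt", b"default via 10.1.10.1 (constructed sample)\n"),
    )
    with tarfile.open(archive_path, mode="w:gz") as tar:
        for name, payload in sample_members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return archive_path


def demo():
    """Build the sample archive, then verify one intact copy and one truncated copy."""
    with tempfile.TemporaryDirectory() as tmp:
        original = build_sample_archive(tmp)
        with open(original, "rb") as fh:
            data = fh.read()
        good_copy = os.path.join(tmp, "remote_good.tar.gz")
        bad_copy = os.path.join(tmp, "remote_truncated.tar.gz")
        with open(good_copy, "wb") as fh:
            fh.write(data)
        with open(bad_copy, "wb") as fh:
            fh.write(data[: len(data) // 2])  # simulate an interrupted SCP transfer
        required = ["ts_conf/version.txt", "ts_conf/route_table.txt"]
        return (verify_backup(original, good_copy, required),
                verify_backup(original, bad_copy, required))


if __name__ == "__main__":
    good, bad = demo()
    print("intact copy ok:", good["ok"], good["members"])
    print("truncated copy ok:", bad["ok"], "readable:", bad["readable"])
```

Run it once against the archive on the 3.2.X unit and your remote copy (pass the two paths to verify_backup) and keep the printed digest with the backup; if the hashes differ or the archive will not open, copy it again before you start the installation.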

Installing the BIG-IP version 9.4 software


Once you have created a backup copy of the 3.2.X configuration, run the
collect_ts_info.pl script, and saved the script's output file to a remote
location, you are ready to install and license the Application Security
Manager version 9.4 software onto the 4100 platform. You can use one of
two installation methods to install the version 9.4 software: PXE install or
USB CD-ROM drive install. Note that both installation methods require a
CD-ROM that contains the installation ISO image of the version 9.4
software.

Note

We recommend that you review the tasks associated with both installation
methods, and then decide which method best suits your needs.

Downloading the installation CD-ROM ISO image from F5 Networks

Before you begin the upgrade installation process, you need to download the
version 9.4 installation CD-ROM ISO image from
http://downloads.f5.com, and burn an image CD. For details about
downloading the ISO image, review this solution, SOL167: Downloading
Software from F5 Networks, on the F5 Technical Support web site,
http://tech.f5.com.

Note

The name of the ISO image is provided in the release notes.

Performing a PXE installation


Use these procedures to install the version 9.4 software by using a PXE
installation server. Using a PXE installation server to install the BIG-IP
software involves the following tasks:
• Download the installation CD-ROM ISO image from F5 Networks and
  burn an image CD, as described in Downloading the installation
  CD-ROM ISO image from F5 Networks, preceding.
• Designate and configure a remote host as a Pre-boot Execution
  Environment (PXE) installation server.
• Network boot the target 4100 system and install the software from the
  PXE server.
The following sections describe how to perform these tasks.

Designating and configuring a remote host to be a PXE server


Once you have a CD of the installation ISO image, you can use the CD to
designate and configure a remote host as a PXE installation server. This
remote host must meet all the following criteria:
• Contain a CD-ROM drive.
• Support a CD-ROM boot.
• Reside on the same network as the target 4100 system, or be directly
  connected to the target 4100 system.

Important
You must connect the PXE installation server to the same network to which
the management port on the BIG-IP unit is connected.

Note

If you are installing the software by directly connecting the PXE installation
server to the target 4100 system, you must use a cross-over cable to connect
to the management port (MGMT). If you are connecting the PXE
installation server by using a router or hub, then you can use a standard
Ethernet cable to connect to the MGMT port.

Once you have designated a host, you complete the following steps to
configure the host to be a PXE installation server.

To configure a PXE installation server


1. Insert the CD that you burned into the drive on the installation
server and reboot the host system.
The host system boots to the CD-ROM, and displays the following
message:
Select terminal type? [vt100]


Note: You may need to change the BIOS setting on the host so that
the host system tries to boot first from the CD-ROM drive, and then
from the local drive. Refer to the host system's documentation to
learn how to change the BIOS setting.
2. Press Enter to use VT100 terminal emulation, or type the name of
the terminal emulator you are using.
After you select the terminal type, the following screen opens:
Maintenance OS Options
Serve Provide network installation services
Install Install software onto hard disk
Reboot Reboot to your current system
Exit Exit to maintenance shell

3. Select the default, Serve, and then select OK (by pressing Enter).
The Network Install Setup screen opens, where you can review
important information about configuring a PXE installation server.
4. When you are finished reading the network installation information,
press Enter to continue with the setup.
The following prompt displays:
Use existing DHCP server on subnet [no]?

5. Indicate your DHCP choice:
• If there is an existing DHCP server on your subnet that you want
  to use, type yes.
  The server configuration automatically completes. If you choose
  this option, you can skip the rest of this procedure, and go
  directly to Booting the target 4100 system from the PXE
  installation server, on page B-8.
• If you want to set up the installation server as the DHCP server,
  press Enter.
The following series of prompts displays:
IP network [10.1.10.]?
IP address of server 10.1.10.[n] [199]?
Lower range for clients 10.1.10.[n] [199]?
Upper range for clients 10.1.10.[n] [200]?

6. If your subnet consists only of the installation server and the target
4100 unit, or is otherwise a private subnet, you can use the default
IP addresses by simply pressing Enter after each prompt. If other
machines share the subnet, and there is a possibility of addressing
conflicts, substitute the appropriate unique IP addresses and ranges.
Note: When you enter the IP address of the server, you need to enter
only the last octet. When completing the lower and upper ranges for
the clients, enter number(s) that represent the range of IP addresses
from which the PXE server can assign IP addresses to the clients.
When you have finished entering the addresses, the system displays
a summary of the information, and asks you to confirm the
addresses.

7. At the Use these settings prompt, check your settings:
• If the specified settings are correct, simply press Enter, or type
  yes, and press Enter.
• If the specified settings are not correct, type no.
  The system prompts you to retype the information.
8. Once you have accepted the DHCP addressing configuration, you
specify the protocol you want to use to transfer the installation files
from the installation server to the target 4100 system. At the
Choice? prompt, either type 1 to specify the HTTP protocol, or type
2 to specify the NFS protocol. The default protocol is HTTP.
9. Press Enter.
The network installation server is now configured, and ready to
serve the installation files to the target 4100 system.
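Step 6 asks you to substitute unique addresses when other machines share the subnet. As an added example (not part of the F5 installer), the following Python code expands the answers to the network, server and client-range prompts into the concrete addresses the PXE server will use and reports any that are already taken. The function names and the list of in-use addresses are assumptions constructed for the example.

```python
"""Check the PXE server's DHCP answers for address conflicts before you confirm them.

Added example, not part of the F5 installer. The installer prompts for a
network prefix (three octets), the server's last octet, and the lower and
upper client octets; this code expands those answers into addresses and
reports any that collide with addresses already in use on the subnet.
"""
import ipaddress


def pxe_plan(network_prefix, server_octet, lower_octet, upper_octet):
    """Expand the prompt answers (e.g. '10.1.10.', 199, 199, 200) into addresses.

    Returns (server_address, [client_address, ...]) as ipaddress objects.
    """
    base = network_prefix.rstrip(".")
    if len(base.split(".")) != 3:
        raise ValueError("network prefix must be the first three octets, e.g. '10.1.10.'")
    for octet in (server_octet, lower_octet, upper_octet):
        if not 1 <= octet <= 254:
            raise ValueError(f"octet {octet} is not a usable host octet (1-254)")
    if lower_octet > upper_octet:
        raise ValueError("lower client octet must not exceed the upper client octet")
    server = ipaddress.ip_address(f"{base}.{server_octet}")
    clients = [ipaddress.ip_address(f"{base}.{octet}")
               for octet in range(lower_octet, upper_octet + 1)]
    return server, clients


def dhcp_conflicts(network_prefix, server_octet, lower_octet, upper_octet, in_use):
    """Return, as strings, the planned addresses that are already in use."""
    server, clients = pxe_plan(network_prefix, server_octet, lower_octet, upper_octet)
    used = {ipaddress.ip_address(addr) for addr in in_use}
    planned = {server, *clients}
    return [str(addr) for addr in sorted(planned) if addr in used]


if __name__ == "__main__":
    # Constructed sample: the default prompt answers, on a subnet where
    # .1 (a router) and .200 (another workstation) are already assigned.
    taken = ["10.1.10.1", "10.1.10.200"]
    print(dhcp_conflicts("10.1.10.", 199, 199, 200, taken))
```

Feed it the addresses you know are live on the management network (from an ARP table or an address inventory); an empty result means the defaults can be accepted as they are, and anything else tells you which octets to change at the prompts.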

Booting the target 4100 system from the PXE installation server
After you configure the PXE installation server, you are ready to perform
the network boot from the console of the target 4100 system on which you
wish to install the software.

Important
You must connect the PXE installation server either directly to the
management port on the 4100 unit, or to the network to which the
management interface is connected.

To boot the target 4100 system from the PXE server


1. Open a serial console session for the target 4100 system, and log in.
Tip: Refer to the TrafficShield Installation and Configuration
Guide version 3.2.1 for information on configuring a console
connection to the 4100 unit.
2. Open the Command Menu for the Host Console Shell by typing the
following key sequence:
Esc (

3. At the Enter command prompt, type 4 and press Enter.
This command instructs the target 4100 system to boot from an
external system.
4. At the Enter command prompt, type 5 and press Enter.
This command instructs the host subsystem to reset.
5. At the Press Y to confirm Host subsystem reset prompt, type Y
and press Enter.
The system reboots into network boot mode.
6. At the Enter command prompt, type 1 to return to the host
subsystem console. Note that the reboot process will be in progress.
After the system reboots, it attempts to discover the installation
server.


7. Once the installation server is found, the system presents the
following prompt:
Press M or Control-SPACE to view menu.

Let the timer count down to auto-select the installation options.


8. After the timer counts down, the installer requests the terminal type.
Terminal type? [vt100]

9. Press Enter to continue, or type the terminal type you are using. We
recommend that you use vt100.
10. A number of messages scroll by and then the BIG-IP installer script
starts. The installer script guides you through the numerous
installation options. When the installer script asks you which
software package to install, ensure that you select the LTM and
ASM version 9.4 package.
Tip: Use the arrow and Tab keys to navigate the installer script
options. Use the Enter key or highlighted letter key to select an
option from a menu, and use the spacebar to toggle select boxes on
or off.
11. After you have completed the prompts for the installer, review the
installation options you have selected.
12. To transfer the files from the PXE server and begin the installation,
press Enter.
The software takes several minutes to install. Once the installation is
complete, you see the following message on the console:
Press return to reboot the machine.

13. Press Enter, and wait for the target 4100 system to reboot.
You see a login prompt similar to this example when the system has
finished rebooting.
BIG-IP 9.4 Build 401.1
Kernel 2.4.21-9.4.0smp on an i686
bigip login:

Performing a CD installation
An alternate way to install the software is to use a USB CD-ROM that is
connected directly to the USB port on the 4100 unit.
• Download the installation CD-ROM ISO image from F5 Networks and
  burn an image CD, as described in Downloading the installation
  CD-ROM ISO image from F5 Networks, on page B-5.
• Boot the target 4100 system from the CD-ROM drive and install the
  software.

To install the software using a directly-connected USB
CD-ROM drive
1. Open a serial console session to the target 4100 system, and log in.
2. Connect an external USB CD-ROM drive to the USB interface on
the front of the target 4100 unit.
3. Place the ISO image CD that you burned in the CD-ROM drive.
4. Reboot the target 4100 unit.
The system boots from the CD-ROM drive instead of the local disk.
5. At the terminal type prompt, press Enter to continue, or type the
terminal type you are using. We recommend that you use vt100.
Terminal type? [vt100]

6. A number of messages scroll by and then the BIG-IP installer script
starts. The installer script guides you through the numerous
installation options. When the installer script asks you which
software package to install, ensure that you select the LTM and
ASM version 9.4 package.
Tip: Use the arrow and Tab keys to navigate the installer script
options. Use the Enter key or highlighted letter key to select an
option from a menu, and use the Spacebar to toggle select boxes on
or off.
7. After you have completed the prompts for the installer, review the
installation options you have selected.
8. To transfer the files from the PXE server and begin the installation,
press Enter.
The software takes several minutes to install. Once the installation is
complete, you see the following message on the console:
Press return to reboot the machine.

9. Press Return (Enter), and wait for the target 4100 system to reboot.
You see a login prompt similar to this example when the system has
finished rebooting.
BIG-IP 9.4 Build 401.1
Kernel 2.4.21-9.4.0smp on an i686
bigip login:


Configuring an IP address for the management interface


After you complete the installation of the software, and before you license
and activate the software, you run the config command to configure an IP
address, net mask, and gateway on the management interface (MGMT). You
then can use the management interface address to open the browser-based
Configuration utility. You run the config command from the serial console
you used during installation.

Tip
You can also configure the MGMT address by using the LCD display on the
4100 unit. See the Installation, Licensing, and Upgrades for BIG-IP
Systems guide for more information on using the LCD.

To configure an IP address for the management interface


1. Log into the console session using the following default settings.
Login: root
Password: default
Note: You will change the password for the root account once you
have licensed and activated the software.
2. To run the config command, type the following command:
config

3. After you run this utility and add an IP address, net mask, and
gateway to your management port, you can log in to the
Configuration utility (graphical user interface), and license the unit.

Licensing the software using the Configuration utility


Before you can configure the system, and any web applications and security
policies, you must license the version 9.4 software. To activate the license
for the system, you must have a base registration key. The registration key
is a 27-character string that lets the license server know which F5 products
you are entitled to license. You must have a unique registration key for each
unit that you are upgrading, including for those units that are in a redundant
system. You can find detailed information about the licensing tasks in the
Installation, Licensing, and Upgrades for BIG-IP Systems guide, Chapter
3, Licensing and Configuring the BIG-IP System. For more information
about upgrading a redundant system, see Upgrading a primary with standby
unit topology, on page B-21.

Important
You cannot use a 3.2.X registration key to license the newly-installed
version 9.4 software. Please contact Technical Support to obtain a new
registration key for the 9.4 software. For the most current information on
obtaining a new registration key, refer to the BIG-IP Application Security
Manager version 9.4 release notes, which are available at
http://tech.f5.com.

To activate the license using the Configuration utility


1. Open a web browser on a work station attached to the network on
which you configured the management port. If you have not
configured this IP address, see Configuring an IP address for the
management interface, on page B-11.
2. Type the following URL in the browser, where <IP address> is the
address you configured for the management port (MGMT):
https://<IP address>/

3. At the password prompt, type the default user name admin and the
default password admin, and click OK.
The Licensing screen of the Configuration utility opens.
4. To begin the licensing process, click the Activate button. Follow the
on-screen prompts to license the system. For additional information,
click the Help tab.

Important
Reboot the system once you have finished licensing the software.


Configuring the basic network and system settings


Now that you have a licensed system, you are ready to configure the basic
network and system settings. The BIG-IP platform has a robust and flexible
feature set to accommodate a vast array of network configurations. The
BIG-IP Network and System Management Guide provides in-depth
information regarding the full feature set for managing the networking and
general system settings. We recommend that you become familiar with the
material in this guide before you begin configuring the network settings for
the BIG-IP version 9.4 software.

Note

Not all features described in the BIG-IP Network and System
Management Guide apply to the Application Security Manager.

Tip
For a mapping of the TrafficShield version 3.2.X settings to their BIG-IP
version 9.4 counterpart, refer to Converting 3.2.X network settings to
BIG-IP 9.4 network settings, on page B-15.

Required network settings


At minimum, you configure one self IP address and one VLAN. You
configure a self IP address that is in the same subnet as the web server that
hosts the web application you want to protect with the Application Security
Manager.
• Configure one or more VLANs
  A VLAN is a logical grouping of interfaces connected to network
  devices. You can use a VLAN to logically group devices that are on
  different network segments. For information on configuring VLANs, see
  Chapter 7, Configuring VLANs and VLAN Groups, in the BIG-IP
  Network and System Management Guide.
• Self IP addresses
  Self IP addresses are the IP addresses owned by the BIG-IP system that
  you use to access devices in VLANs. For information on configuring self
  IP addresses, see Chapter 8, Configuring Self IP Addresses, in the
  BIG-IP Network and System Management Guide.

Important
The MGMT port address and the self IP addresses must not share the same
network.
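The two rules stated above (a self IP on the same subnet as the protected web server, and MGMT and self IP addresses on different networks) can be checked before you type the addresses into the Configuration utility. The following Python code is an added example, not F5 code; the addresses are constructed sample values and the function names are the example's own.

```python
"""Sanity checks for the minimum BIG-IP 9.4 address plan.

Added example (not F5 code). It encodes two rules from this appendix:
the self IP must be in the same subnet as the protected web server, and
the MGMT address must not share a network with any self IP. All
addresses in the sample plan below are constructed values.
"""
import ipaddress


def same_subnet(self_ip_cidr, host_ip):
    """True if host_ip falls inside the network of self_ip_cidr (e.g. '10.0.1.5/24')."""
    iface = ipaddress.ip_interface(self_ip_cidr)
    return ipaddress.ip_address(host_ip) in iface.network


def networks_overlap(a_cidr, b_cidr):
    """True if the two interface networks share any address."""
    return ipaddress.ip_interface(a_cidr).network.overlaps(
        ipaddress.ip_interface(b_cidr).network)


def check_address_plan(mgmt_cidr, self_ip_cidrs, web_server_ips):
    """Return a list of problems; an empty list means the plan passes both rules.

    mgmt_cidr      -- MGMT interface address with mask, e.g. '192.168.1.10/24'
    self_ip_cidrs  -- self IP addresses with masks
    web_server_ips -- web server (node) addresses; each must share a subnet
                      with at least one self IP
    """
    problems = []
    for self_cidr in self_ip_cidrs:
        if networks_overlap(mgmt_cidr, self_cidr):
            problems.append(f"self IP {self_cidr} shares a network with MGMT {mgmt_cidr}")
    for server in web_server_ips:
        if not any(same_subnet(s, server) for s in self_ip_cidrs):
            problems.append(f"no self IP is on the same subnet as web server {server}")
    return problems


if __name__ == "__main__":
    # Constructed sample: MGMT on 192.168.1.0/24, self IP and web server on 10.0.1.0/24.
    print(check_address_plan("192.168.1.10/24", ["10.0.1.5/24"], ["10.0.1.20"]))
    # A plan that breaks both rules: the self IP sits on the management network.
    for problem in check_address_plan("192.168.1.10/24", ["192.168.1.50/24"], ["10.0.1.20"]):
        print("problem:", problem)
```

The same function also catches the common mistake of a self IP whose mask is wide enough to swallow the management network, because the overlap test compares whole networks rather than the two host addresses.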

Optional network and system settings


With the BIG-IP version 9.4 software, you can also configure the following
features:
• User accounts
  You can configure user accounts and assign roles to those users to restrict
  or permit access to the Configuration utility and the command line
  utilities. For information on configuring user accounts and roles, see
  Chapter 6, Managing User Accounts, in the BIG-IP Network and
  System Management Guide.
• Packet filters
  You can configure packet filters to further protect your web servers from
  malicious traffic. For information on configuring packet filters, see
  Chapter 13, Configuring Packet Filters, in the BIG-IP Network and
  System Management Guide.
• Routes
  The BIG-IP system uses routes to send and receive network
  communications. For information on configuring routes, see Chapter 10,
  Configuring Routes, in the BIG-IP Network and System Management
  Guide.
• Spanning tree protocols
  The BIG-IP system supports a set of industry-standard, Layer 2 protocols
  known as spanning tree protocols. Spanning tree protocols block
  redundant paths on a network, thus preventing bridging loops. For
  information on configuring spanning tree protocols, see Chapter 14,
  Configuring Spanning Tree Protocols, in the BIG-IP Network and
  System Management Guide.
• Trunks
  A trunk is a logical grouping of interfaces on the BIG-IP system. When
  you create a trunk, this logical group of interfaces functions as a single
  interface. For information on configuring trunks, see Chapter 12,
  Configuring Trunks, in the BIG-IP Network and System Management
  Guide.


Converting 3.2.X network settings to BIG-IP 9.4 network settings

Table B.1 outlines the network settings in TrafficShield version 3.2.X and
their counterparts in Application Security Manager version 9.4. As shown in
the table, some of the settings for version 3.2.X are no longer required. For
the remaining settings, you can get more information about the specific
settings in the listed guides. These guides are available in both PDF and
HTML formats on the Ask F5 technical support web site,
http://tech.f5.com.

Table B.1 Conversion table for network settings
(columns: 3.2.X Network Setting; 9.4 Network Setting; For information on
the version 9.4 setting, see)

Service IP
  9.4 setting: Virtual Server destination address
  See: Configuration Guide for BIG-IP Local Traffic Management,
  Chapter 2, Configuring Virtual Servers

IP to Web server
  9.4 setting: SNAT address or SNAT Automap (both SNAT types use self
  IP addresses)
  See: Configuration Guide for BIG-IP Local Traffic Management,
  Chapter 13, Configuring SNATs and NATs

Server IP
  9.4 setting: Node address. Nodes become pool members in the local
  traffic configuration.
  See: Configuration Guide for BIG-IP Local Traffic Management,
  Chapter 3, Configuring Nodes

Trusted IP
  9.4 setting: not applicable

Permanent IP
  9.4 setting: Management interface (MGMT). The MGMT interface is used
  only to manage the unit. You cannot use the MGMT interface for traffic
  management.
  See: BIG-IP Network and System Management Guide, Chapter 9, Working
  with Interfaces, and Configuring the management interface;
  Installation, Licensing, and Upgrades for BIG-IP Systems, Chapter 2,
  Connecting a Management Workstation or Network

Private IP
  9.4 setting: Primary failover address; used only for redundant systems.
  These are self IP addresses configured specifically for communications
  between the units in the redundant system.
  See: BIG-IP Network and System Management Guide, Chapter 15, Setting
  Up a Redundant System

Alias IP
  9.4 setting: Floating IP address; relevant only to redundant systems. The
  floating IP address designation is used only on the self IP address that
  is shared between the units in a redundant system.
  See: BIG-IP Network and System Management Guide, Chapter 15, Setting
  Up a Redundant System

Configuring the basic local traffic settings


You use the local traffic configuration objects to direct traffic to resources
on the local area network. For each web application that you had on the
TrafficShield version 3.2.X system, you create the following local traffic
objects:
• Node
  In the local traffic configuration, a node represents a back-end server. For
  the Application Security Manager, nodes represent the web servers that
  host the protected web application.
• Pool
  A pool is a logical grouping of nodes, which are known as pool
  members. For the standalone Application Security Manager, pools can
  contain only one pool member.
• Virtual server
  A virtual server maps a destination address with the resources that host
  the requested content. Virtual servers can use pools and also iRules to
  distribute incoming requests.

Tip
Before you configure these local traffic objects, we recommend that you
review the relevant chapters in the Configuration Guide for BIG-IP Local
Traffic Management, which is available on the Ask F5 web site,
http://tech.f5.com.

To configure a node
1. On the Main tab of the navigation pane, expand Local Traffic, and
then click Nodes.
The Nodes List screen opens.
2. Click the Create button.
The New Node screen opens.
3. For the Address setting, type the IP address of the node.
4. Specify, retain, or change each of the other settings.
5. Click Finished.
The screen refreshes, and you see the newly-created node in the
Nodes List screen.

To configure a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
then click Pools.
The Pools screen opens.
2. Click the Create button.
The New Pool screen opens.
3. For the Name setting, type a name for the pool.

4. In the Members setting, select Node List.
5. From the node list, select the node that you created previously, and
click Add.
6. Click Finished.
The screen refreshes, and you see the newly created pool in the
Pools List screen.

To configure a virtual server


1. On the Main tab of the navigation pane, expand Local Traffic, and
then click Virtual Servers.
The Virtual Servers list screen opens.
2. Click the Create button.
The New Virtual Server screen opens.
3. In the Name setting, type a name for the virtual server.
4. In the Destination setting, type the IP address that is associated with
the web application's DNS name.
5. In the Configuration options list, select Advanced.
6. In the Default Pool list, select the pool that you created previously.
7. In the SNAT setting, select Automap. (This setting establishes
communications between the self IPs and the pool members.)
8. Click Finished.
The screen refreshes, and you see the newly-created virtual server in
the Virtual Servers list.

You now have a basic local traffic configuration. The last major task is to
create the application security configuration and associate it with the local
traffic configuration.

Creating the application security configuration


The application security configuration is made up of application security
classes, which map local traffic virtual servers to web applications and
security policies. Creating the application security configuration involves
the following tasks.
• Configure an application security class
  You create an application security class for each web application that you
  had previously configured on the TrafficShield version 3.2.X system.
  When you create an application security class, the Application Security
  Manager automatically creates a corresponding web application and
  security policy for each application security class.
• Associate the application security class with the appropriate local
  traffic virtual server
  The application security class is the logical bridge between the local
  traffic configuration and the application security configuration. Once you
  have created application security classes for each web application, you
  update the virtual servers to use the application security classes as
  resources.
• Import the saved security policies
  Once you have an application security class and a web application
  configured for each web application that you managed on the
  TrafficShield version 3.2.X system, you can import the saved security
  policies into the new configuration.

Configuring an application security class


You use the application security class to specify which incoming HTTP
traffic should be scanned by the Application Security Manager before it can
access the requested web application. When you configure an application
security class, the system automatically creates a default security policy and
a default web application on the Application Security Manager.

Note

For additional information on application security classes, see Chapter 3,
Working With Application Security Classes.

To create an application security class


1. On the Main tab of the navigation pane, expand Application
Security, and then click Classes.
The HTTP Class Profiles list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
3. Type a name for the class, and configure the remaining settings as
needed for this application security class.

For additional information on the options on this screen, click the
Help tab.
4. Click Finished.
The system adds the class, the default security policy, and the
default web application to the configuration, and displays the HTTP
Class Profiles list screen.

Note

In the Configuration utility, an application security class is an HTTP
Class profile; the two labels refer to the same kind of object. The
difference is that, on an application security class, the Application
Security setting is enabled, whereas on a plain HTTP Class profile it is
not. If you disable the Application Security setting on an application
security class, you turn off application security for the associated web
application: traffic that matches the class is passed to the web
application without being inspected by the Application Security Manager.

Associating an application security class with a virtual server


Once you have created application security classes for your web
applications, you associate the application security class with the
appropriate local traffic virtual server. Now when a request comes in for the
web application, the virtual server routes the request through the
Application Security Manager.

To associate an application security class with a local traffic
virtual server
1. On the Main tab of the navigation pane, expand Local Traffic, and
then click Virtual Servers.
The Virtual Servers list screen opens.
2. In the Name column, click the name of the virtual server to which
you want to apply the Application Security class.
The properties screen for that virtual server opens.
3. On the menu bar, click Resources.
The Resources screen for the virtual server opens.
4. Above the HTTP Class Profiles section, click the Manage button.
The HTTP Class Profiles resource management screen opens.
5. From the Available list, select (by clicking) the application security
class that you want to associate with this virtual server, and click the
Move button (<<) to add the class to the Enabled list.
6. Click the Finished button.
The screen refreshes, and you see the updated resources screen for
this virtual server.



Appendix B

Importing the saved version 3.2.X security policies into the
version 9.4 configuration
The last task in the upgrade is to import the security policies that you saved
from the TrafficShield version 3.2.X configuration into the Application
Security Manager version 9.4 configuration.

To import a security policy


1. On the Main tab of the navigation pane, expand Application
Security, and then click Web Applications.
A new browser session opens, and displays the Web Application list
in the Application Security Manager.
2. In the Name column, click the name of the web application for
which you want to import the saved security policy.
The Web Application Properties screen opens.
3. Below the Policies List, click the Import button.
The Import Policy screen opens.
4. In the Choose File setting, click the Browse button.
A file upload popup screen opens, where you can navigate to the
remote location in which you saved the version 3.2.X security
policies.
5. Select the security policy that you want to import, and click Open,
or OK. (The options vary depending on the web browser you are
using.)
6. Click the Import button.
The screen refreshes, and displays a confirmation message.
7. Click Ok.
The screen refreshes, and you see the imported security policy in the
Policies List.
8. Repeat this task as required to import the rest of your version 3.2.X
security policies.

Important
If you are importing more than one security policy for a web application, be
sure to set one of the security policies as the active security policy.

Note

When you import your 3.2.X security policies into the version 9.4
configuration, the system may generate request length violations, because
the version 9.4 platform internally increases the size of each request. If
your imported security policies report request length violations, you can
resolve the problem by increasing the maximum HTTP header length setting in
the security policy properties. Raise the limit only as far as legitimate
traffic requires: this setting is what bounds oversized headers, so a much
larger value weakens that check for every request the policy handles.


Upgrading a primary with standby unit topology


In a BIG-IP Application Security Manager version 9.4 configuration, the
TrafficShield configuration that uses the primary with standby unit topology
is known as a redundant system. A redundant system refers to a pair of units
that are configured for failover. In a redundant system, there are two units,
one running as the active unit and one running as the standby unit. If the
active unit fails, the standby unit takes over. Both units share the same
configuration, and the redundant system is completely transparent to
external entities.
For the most part, the tasks involved with upgrading to a version 9.4
redundant system are the same as upgrading a single unit. The biggest
differences are that there are some additional network settings, as well as
additional high availability configuration options.

Understanding redundant systems


Before you start setting up a redundant system, we recommend that first you
review and become familiar with the material in Chapter 13, Setting Up a
Redundant System, in the BIG-IP Network and System Management
Guide. This chapter provides detailed information on setting up and
maintaining a redundant system with the BIG-IP 9.2.X platforms. It is
important that you have an understanding of how a redundant system works
before you upgrade your 4100 systems. This guide is available on the Ask
F5 Technical Support web site, http://tech.f5.com.

Summary of upgrade tasks for a redundant system


The upgrade tasks are similar to those for upgrading a single unit, with a few
notable exceptions. First, when you are activating the license and running
the Setup utility, you must specify that this unit is part of a redundant pair,
for high availability. Second, you also specify the primary and (optional)
secondary failover addresses. Third, you can configure floating self IP
addresses on each unit, so that there is no interruption to traffic if the active
unit fails over to the standby unit. Refer to Converting 3.2.X network
settings to BIG-IP 9.4 network settings, on page B-15, to see how the IP
addressing in TrafficShield version 3.2.X maps to the IP addressing in the
BIG-IP version 9.4 software.

Important
We recommend that you take both the primary and standby units offline for
the duration of the upgrade and migration process.

- Export and save the existing configuration from the TrafficShield 3.2.X
  system. See Preparing the 3.2.X system for the upgrade, on page B-2, for
  specific steps of this task. Note that this is an optional step for the
  standby unit.


Perform the following tasks on the first unit of the redundant system.
- Install the BIG-IP Application Security Manager software. See
  Installing the BIG-IP version 9.4 software, on page B-5, for the
  specific steps of this task.
- Configure the IP address for the management interface. See
  Configuring an IP address for the management interface, on page
  B-11, for the specific steps of this task.
- Activate the license. See Licensing the software using the
  Configuration utility, on page B-12, for the specific steps of this task.
- Specify the high availability settings. See Configuring the high
  availability settings, on page B-23, for the specific steps of this task.
- Specify the primary and (optional) secondary failover addresses. See
  Configuring the failover addresses, on page B-23, for the specific
  steps of this task.
- Configure any VLANs and additional self IPs as required by the
  networking aspect of the application security configuration. Refer to
  the BIG-IP Network and System Management Guide, Chapter 7,
  Configuring VLANs and VLAN Groups, and Chapter 8, Configuring
  Self IP Addresses, for additional information on these features.
- Configure the local traffic options. See Configuring the basic local
  traffic settings, on page B-16, for additional information.
- Create the application security configuration. See Creating the
  application security configuration, on page B-18, and also Chapter 2,
  Essential Configuration Tasks.

Perform the following tasks on the second unit of the redundant system.
- Install the BIG-IP Application Security Manager software. See
  Installing the BIG-IP version 9.4 software, on page B-5, for the
  specific steps of this task.
- Configure the IP address for the management interface. See
  Configuring an IP address for the management interface, on page
  B-11, for the specific steps of this task.
- Activate the license. See Licensing the software using the
  Configuration utility, on page B-12, for the specific steps of this task.
- Specify the high availability settings. See Configuring the high
  availability settings, on page B-23, for the specific steps of this task.
- Specify the primary and (optional) secondary failover addresses. See
  Configuring the failover addresses, on page B-23, for the specific
  steps of this task.
- Configure any VLANs and additional self IPs as required by the
  networking aspect of the application security configuration. Refer to
  the BIG-IP Network and System Management Guide, Chapter 7,
  Configuring VLANs and VLAN Groups, and Chapter 8, Configuring
  Self IP Addresses, for additional information on these features.
- Connect the units by using the failover cable. See Connecting the
  failover cable, on page B-24.
- Synchronize the configuration from the first unit to the second unit. See
  Synchronizing the configuration, on page B-24.

Configuring the high availability settings


By default, a BIG-IP system is configured as a single device. If you are
configuring a redundant system, you specify that the unit you are
configuring is part of a redundant pair, and you assign it a unit number.

Note

The following tasks assume that you are configuring the high availability
settings as part of running the Setup utility for the first time. For
additional information on running the Setup utility, refer to Installation,
Licensing, and Upgrades for BIG-IP Systems, Chapter 3, Licensing and
Configuring the BIG-IP System.

To configure the high availability settings when running the
Setup utility
1. On the Platform settings screen, in the General Properties section,
from the High Availability list, select Redundant Pair.
2. In the Unit ID list, select the unit ID number that you want to assign
to this unit.
For the first unit that you configure, select 1.
For the second unit that you configure, select 2.
3. Click Next when you have finished configuring the remaining
settings on the Platform screen.

Configuring the failover addresses


The failover address is a static self IP address that each unit in the redundant
system uses for communications with the other unit in the redundant system.
We recommend that you use the failover addresses only for redundancy and
synchronization, and not for traffic. On each unit, you configure the primary
self and peer failover addresses. For additional details on failover addresses,
see Chapter 13, Setting Up a Redundant System, in the BIG-IP Network
and System Management Guide.

Important
The Application Security Manager does not recognize or use the secondary
failover addresses in the event of a failover, even if you configure them. We
recommend that you configure only the primary failover addresses.


To configure the primary self and peer failover addresses


1. On the Main tab of the navigation pane, expand System, and then
click High Availability.
The Redundancy Properties screen opens.
2. For the Primary Failover Address settings, in the Self box type the
primary static self IP address for the unit that you are currently
configuring, and in the Peer box type the primary static self IP
address for the peer unit.
Important: Before typing the IP addresses, delete the two colons
(::) in the Self and Peer boxes.
3. In the Redundancy Mode list, retain the default setting of
Active/Standby. Note that you cannot use the Application Security
Manager in Active/Active mode.
4. In the Redundancy State Preference list, select the preferred state
for this unit. The system uses this setting to determine which unit in
the redundant system becomes the active unit, should both units
activate on the network at the same time.
5. Check the Network Failover box to enable network failover in
addition to, or instead of, hard-wired failover.
6. In the Link Down Time on Failover box, type the number of
seconds for which the interfaces are considered down when the
active unit fails over to standby.
7. Click Update to save any changes you have made.

Tip
For quick information about the redundancy settings, click the Help tab in
the navigation pane.

Connecting the failover cable


When you have finished setting up the redundancy configuration on the first
unit, you can connect the failover cable between the two units. You connect
the failover cable to the failover port on the front of the target 4100 systems.
Once the failover cable is connected, you can synchronize the configuration
from the first unit to the second unit.

Synchronizing the configuration


Once you have completed the initial configuration of one of the units in your
redundant system, you must synchronize the configuration between the two
units. For an active/standby system, you must perform configuration
synchronization from the active unit to the standby unit; synchronizing in
the other direction overwrites the configuration you just built on the first
unit with the second unit's configuration. For more information on using the
ConfigSync feature, see Synchronizing configuration data, in Chapter 13,
Setting Up a Redundant System, in the BIG-IP Network and System
Management Guide. Once the configurations are synchronized, the redundant
system is ready for deployment in your network.


Sample results file from ts_collect_info.pl script

When you run the ts_collect_info.pl script, it collects information similar
to the information shown in Figure B.1.

Units:
+-------------------+--------------+------------------+-----------------------+------+---------------+
| Unit id           | Private IP   | IP to WEB-Server | IP to WEB-Server mask | Role | Shield Active |
+-------------------+--------------+------------------+-----------------------+------+---------------+
| 00:00:00:00:00:00 | 172.30.40.50 | 172.30.40.51     | 255.255.255.0         | TSMS | YES           |
+-------------------+--------------+------------------+-----------------------+------+---------------+

IP Alias:

Route table:

Permanent IPs:
+------+-------------------+----------------+---------------+-----------+
| Role | Unit id           | IP             | Mask          | Interface |
+------+-------------------+----------------+---------------+-----------+
| TSMS | 00:00:00:00:00:00 | 192.168.10.103 | 255.255.255.0 | 0         |
+------+-------------------+----------------+---------------+-----------+

Permanent static Routes:
+------+-------------------+---------------------+---------------+---------------+
| Role | Unit id           | Destination Network | Mask          | Gateway       |
+------+-------------------+---------------------+---------------+---------------+
| TSMS | 00:00:00:00:00:00 | 1.1.1.0             | 255.255.255.0 | 172.30.40.254 |
+------+-------------------+---------------------+---------------+---------------+

Bcmconfig settings:
+-------------------+-------------------+---------------+
| Unit Id           | Interface 1.1     | Interface 1.2 |
+-------------------+-------------------+---------------+
| 00:00:00:00:00:00 | UP (Speed:100 FD) | Down          |
+-------------------+-------------------+---------------+

Preparing web-application settings ...
Web-applications:

Web application: my_webapp1.com
+------------------+----------------+-----------------+-----------------------+
| Language         | Service IP     | Service IP Mask | Active Policy Name    |
+------------------+----------------+-----------------+-----------------------+
| Western European | 192.168.10.111 | 255.255.255.0   | my_webapp1_policy.com |
+------------------+----------------+-----------------+-----------------------+

General settings:
+------------------+-----------------------------------+----------------------------+
| Log All Requests | Treat referrer headerinfo as HTTP | Use dynamic session in URL |
+------------------+-----------------------------------+----------------------------+
| NO               | NO                                | NO                         |
+------------------+-----------------------------------+----------------------------+

HTTP settings:
+---------------+--------------+-----------------+
| Web Server IP | Service Port | Web Server Port |
+---------------+--------------+-----------------+
| 192.168.10.10 | 80           | 80              |
+---------------+--------------+-----------------+

HTTPS settings:
+---------------+--------------+-----------------+-----------------+-----------+-------------------------+
| Web Server IP | Service Port | Web Server Port | Keep SSL to Web | Key       | Cert                    |
+---------------+--------------+-----------------+-----------------+-----------+-------------------------+
| 192.168.10.10 | 443          | 443             | YES             | ssl_key.1 | ssl_certificate_inter.1 |
+---------------+--------------+-----------------+-----------------+-----------+-------------------------+

Policy List:
+-----------------------+
| Policy Name           |
+-----------------------+
| my_webapp1_policy.com |
+-----------------------+

Users Settings:
+-----------+---------------+-----------------+--------+
| User Name | User Group    | Web-Application | Active |
+-----------+---------------+-----------------+--------+
| user      | Administrator | All             | YES    |
+-----------+---------------+-----------------+--------+

Users Access IPs:
+-----------+---------+
| User Name | IP      |
+-----------+---------+
| user      | 0.0.0.0 |
+-----------+---------+

Aliases List:

Modifiers:
OK

Hotfix list: No items installed on unit: 00:00:00:00:00:00

Internals:
+---------------+--------------+----------------+---------------+-------+
| Configuration | Section      | Field          | Factory Value | Value |
+---------------+--------------+----------------+---------------+-------+
| alert_mngr    | MTCL_SESSION | ConnectTimeout | 1000          | 999   |
+---------------+--------------+----------------+---------------+-------+

Figure B.1 Example ts_conf.txt output file generated by the ts_collect_info.pl script
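The results file is a series of plain ASCII tables, which is convenient to parse when you plan the virtual servers, pools, and administrative accounts for the new system. The following Python script is an added example; it is not part of this guide and not part of the ts_collect_info.pl script. It parses a constructed excerpt of a ts_conf.txt file in the layout of Figure B.1, derives one entry per listener of each web application, and flags administrator accounts whose access IP is 0.0.0.0, which means the account was reachable from any source address. The mapping it applies (TrafficShield service IP/port becomes a virtual server, web server IP/port becomes its pool member, an HTTPS listener needs a client SSL profile, and Keep SSL to Web = YES means the pool member also expects TLS) is an assumption for the example; the guide's own conversion rules are in the section on page B-15, which is not reproduced here.

```python
"""Parse the ASCII tables of a ts_collect_info.pl results file (ts_conf.txt),
derive the BIG-IP listeners each web application needs, and flag
administrator accounts with no source-IP restriction."""

# Constructed excerpt modelled on Figure B.1; it is not a real export.
SAMPLE = """\
IP Alias:

Web application: my_webapp1.com
+------------------+----------------+-----------------+-----------------------+
| Language         | Service IP     | Service IP Mask | Active Policy Name    |
+------------------+----------------+-----------------+-----------------------+
| Western European | 192.168.10.111 | 255.255.255.0   | my_webapp1_policy.com |
+------------------+----------------+-----------------+-----------------------+

HTTP settings:
+---------------+--------------+-----------------+
| Web Server IP | Service Port | Web Server Port |
+---------------+--------------+-----------------+
| 192.168.10.10 | 80           | 80              |
+---------------+--------------+-----------------+

HTTPS settings:
+---------------+--------------+-----------------+-----------------+-----------+-------------------------+
| Web Server IP | Service Port | Web Server Port | Keep SSL to Web | Key       | Cert                    |
+---------------+--------------+-----------------+-----------------+-----------+-------------------------+
| 192.168.10.10 | 443          | 443             | YES             | ssl_key.1 | ssl_certificate_inter.1 |
+---------------+--------------+-----------------+-----------------+-----------+-------------------------+

Users Settings:
+-----------+---------------+-----------------+--------+
| User Name | User Group    | Web-Application | Active |
+-----------+---------------+-----------------+--------+
| user      | Administrator | All             | YES    |
+-----------+---------------+-----------------+--------+

Users Access IPs:
+-----------+---------+
| User Name | IP      |
+-----------+---------+
| user      | 0.0.0.0 |
+-----------+---------+
"""


def parse_tables(text):
    """Map each section label ("HTTP settings", ...) to a list of row dicts.
    A table is a header row followed by data rows, each delimited by "|";
    "+---+" lines are borders. A label with no table (IP Alias) is absent."""
    tables = {}
    label, header = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("+"):
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if header is None:
                header = cells            # first "|" line of a table is the header
                tables[label] = []
            else:
                tables[label].append(dict(zip(header, cells)))
            continue
        label, header = line.rstrip(":"), None   # any other line starts a section
    return tables


def plan_virtual_servers(tables):
    """One entry per listener. ASSUMPTION (not from this page of the guide):
    service IP/port -> virtual server, web server IP/port -> pool member,
    HTTPS -> client SSL profile, Keep SSL to Web = YES -> server SSL too."""
    plan, app, service_ip, policy = [], None, None, None
    for label, rows in tables.items():
        if label.startswith("Web application:"):
            app = label.split(":", 1)[1].strip()
            service_ip = rows[0]["Service IP"]
            policy = rows[0]["Active Policy Name"]
        elif app and label in ("HTTP settings", "HTTPS settings"):
            https = label == "HTTPS settings"
            for r in rows:
                plan.append({
                    "web_application": app,
                    "active_policy": policy,
                    "virtual_server": f"{service_ip}:{r['Service Port']}",
                    "pool_member": f"{r['Web Server IP']}:{r['Web Server Port']}",
                    "client_ssl": https,
                    "server_ssl": https and r.get("Keep SSL to Web") == "YES",
                })
    return plan


def unrestricted_admins(tables):
    """Active Administrator users whose access IP is 0.0.0.0 (any source).
    Give these a real source restriction before the new system goes live."""
    admins = {r["User Name"] for r in tables.get("Users Settings", [])
              if r["User Group"] == "Administrator" and r["Active"] == "YES"}
    return sorted(r["User Name"] for r in tables.get("Users Access IPs", [])
                  if r["User Name"] in admins and r["IP"] == "0.0.0.0")
```

Run it against a real ts_conf.txt by reading the file into `parse_tables` instead of `SAMPLE`; the header and cell names are taken verbatim from the tables, so the keys in the row dicts are exactly the column titles shown in Figure B.1.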


Appendix C
Platform-Specific Hazardous Substance Levels, for China

4100 platform
This table lists hazardous substances controlled by China, and shows how
the F5 Networks 4100 platform components conform to the standards.

Glossary

active security policy
The active security policy is the security policy whose criteria are
determining the legitimacy of incoming requests for the web application. A
web application can have only one active policy at a time.

application flow
See flow.

application security class
The application security class is the logical bridge, or link, between the local
traffic components and the application security components. You use the
application security class to specify to which incoming HTTP traffic the
system applies application security.

blocking mode
A security policy is in blocking mode when one or more Block flags are
enabled. When a security policy is in blocking mode, and a request triggers
a violation, rather than forwarding the request to the corresponding web
application, the Application Security Manager returns the blocking response
page with a Support ID to the client.

buffer overflow
A buffer overflow occurs when an application writes more data into a
fixed-size temporary storage area (a buffer) than the buffer can hold. The
excess overwrites adjacent memory, corrupting the data already stored there.
In a buffer overflow attack, the attacker crafts the oversized input so that
the overwritten memory contains attacker-chosen data or code, which can make
the attacked program run the attacker's instructions and damage the user's
files, change data, or disclose confidential information.

client-side scripting
Client-side scripting is a feature that exists on the client side (such as a web
browser) of a client-server system to extend the functionality of web pages
written in Hypertext Markup Language (HTML). For example, JavaScript,
JScript, and VBScript are client-side scripting languages. See also Java
applets.

content spoofing
Content spoofing is an attack technique that attempts to trick a user into
thinking that false web site content is legitimate.

cookie
A cookie is a small piece of data that a web server sends to a web browser
and that the browser returns to the server on later requests. The browser
stores cookies on the client system. Cookies are usually used to maintain a
user's session and to track a user's actions when browsing a site. See also
cookie manipulation.


cookie manipulation
Cookie manipulation is the process of altering or modifying cookie values
on a client system's web browser in order to exploit security issues within a
web application. An attacker can manipulate cookie values on the client
system to fraudulently authenticate to a web site. See also cookie.

cross-site scripting
Cross-site scripting (XSS) is a type of exploit where data from one context,
where it is not trusted (for example, a request parameter), is inserted into
another context where it is trusted (the HTML that the web application
returns to the browser). For example, an attacker can embed script in a link
that appears trustworthy; when a user follows the link, the script is
submitted as part of the client system's request, the web application echoes
it back, and the user's browser runs it with the privileges of the web
application's own pages. That can expose the user's session cookies or let
the attacker act as the user. See also client-side scripting.

Denial of Service
Denial of Service (DoS) is an attack technique on a network or web site that
is designed to render the network or site useless by flooding it with
excessive traffic. Processing the excess traffic can consume CPU cycles,
memory usage, traffic bandwidth, and disk space, causing the system to
become inaccessible to normal activity.

directory traversal
Directory traversal is an exploit that lets attackers access restricted
directories and execute commands in areas beyond the normal web server
directory. User access to web sites is typically restricted to the document
root directory, or CGI root directory.

Dynamic content value (DCV) parameters
DCV parameters are those for which the web application sets the value on
the server side. See also dynamic parameter.

dynamic parameter
A dynamic parameter is a parameter whose set of accepted values can
change, and usually depend on the user session. For example, within a
banking web application, the account number parameter is a dynamic
parameter, since each user has one or more unique account numbers. See
also static parameter.

dynamic value
See dynamic parameter.

entity
An entity is one of the many components of a web application. Web objects,
flows, parameters, and character sets are all examples of entities.


entry point
An entry point is a web page from which a user can access the
corresponding web application.

false positive alarm
A false positive alarm occurs when the system flags (or, in blocking mode,
blocks) a request that is actually legitimate.

flow
Flow is the defined access path for a browser to get from one object to
another specific object within a web application. Flow is also known as
application flow.

flow parameter
Parameters that are defined within the context of an application flow are
known as flow parameters. See also global parameter, web object
parameter.

form field manipulation
Form field manipulation is a technique where an attacker modifies HTML
Form field input values or HTTP POST data to exploit a web application.
See also cookie manipulation, parameter tampering.

format string attack
A format string attack is an exploit in which attacker-controlled input is
passed as the format string to a printf-style formatting function, so that
the conversion specifiers in the input make the function read or write
memory that the application never intended to expose.

global parameter
Within the Application Security Manager configuration, global parameters
are defined parameters that are not associated with a specific web object or a
specific application flow. The Policy Enforcer validates global parameters
wherever they occur. See also flow parameter, web object parameter.

HTTP (HyperText Transfer Protocol)
HyperText Transfer Protocol (HTTP) is the protocol used by the World
Wide Web. HTTP defines how messages are formatted and transmitted, and
how a web browser requests data and how a web server responds.

HTTP class
See application security class.

Java
Java is a programming language developed by Sun Microsystems. Java
programs can run on most computing platforms because runtime
environments exist for most common operating systems. See also
client-side scripting, JavaScript.


Java applets
Java applets are small Java applications that can be embedded in a web page
and run on a client system by a Java-compatible web browser. See also
client-side scripting, Java, JavaScript.

JavaScript
JavaScript is a scripting language that is used to create dynamic or
interactive web page content. See also client-side scripting, Java applets.

known directory
See predictable file location.

learning process
The learning process is the process of making a security policy more
accurate by verifying how the security policy complies with traffic requests.
If the learning process finds discrepancies between the security policy and
the traffic requests, it translates the discrepancies into a learning suggestion
for modifying the security policy.

learning suggestion
When a request triggers a violation, and the Learn flag is enabled for that
violation, the Learning Manager generates a learning suggestion. The
learning suggestion contains information about what in the request caused
the violation.

meta character
A meta character is a special character in a program or form field that can
control or give information about other characters. They may have special
meaning to programming languages, operating systems, or database queries.

meta character injection
Meta character injection is an attack technique where an attacker sends meta
characters as data input with the intent to manipulate a web application. See
also cross-site scripting, null injection, parameter tampering, SQL injection.

negative security logic
With negative security logic, the web application receives all traffic
except requests that are known to be a threat because they match the
system's built-in negative logic criteria. See also positive security logic.

null injection
Null injection is an attack technique that bypasses input filters by adding a
null-byte character (\0, usually sent URL-encoded as %00) to a URL or
parameter. Code written in a language that treats the null byte as the end of
a string may stop processing the string at that point, so a filter checks one
value while the web application acts on another. This is a form of meta
character injection. See also meta character injection, parameter tampering.


object
See web object.

OS commanding
OS commanding is an attack technique where an attacker runs operating
system commands by manipulating application input. See also form field
manipulation, parameter tampering.

parameter
See flow parameter, global parameter, web object parameter.

parameter tampering
Parameter tampering is an attack technique in which the attacker tries to
gain access to the web application by changing the parameter name and
value pairs in a URL. This exploit is also referred to as URL manipulation.
See also URL manipulation.

path traversal attacks
A path traversal attack is an HTTP attack technique that uses patterns like
../../ to get access to files not intended to be viewed above the WWW root,
or in order to cross directories on the server.

positive security logic
When the security policy is in blocking mode, the security policy permits
only known, legitimate traffic through to the web application. See also
negative security logic.

predictable file location
Predictable file location is an example of a method that attackers can use to
gain access to hidden content or functionality by making educated guesses
about the names and locations of certain files. An attacker can search
manually or automatically for directories, CGIs, or other configuration files
based on knowledge of a particular type of web server system.

referrer
A referrer is a web page that can request other objects. For example, an
HTML page can request a GIF, JPG, or PNG file. The HTML page is a
referrer; the image files are not.

regular expression
A regular expression (regexp) is a sequence of characters that describes a
pattern to match in text, and gives the user a powerful, flexible, and
efficient text-processing tool.

safe traffic
Safe traffic is traffic generated by a controlled group of users, those who are
known not to be potential attackers.


Secure Sockets Layer
Secure Sockets Layer (SSL) is a standard protocol designed to provide an
encrypted connection between two systems such as a web server and web
browser. SSL uses public-key cryptography to authenticate the server and to
establish the connection: the server's public key, carried in its
certificate, is known to everyone, while the matching private key is known
only to the server. The session data itself is then protected with a
symmetric key that the two sides negotiate during the handshake.

security policy
In the Application Security Manager, the security policy is a set of rules that
enables the Application Security Manager to understand whether a request is
valid for a web application.

session credential
A session credential is a string of data that identifies a user to a web server.
This string can be contained in a cookie or in the URL. See also session ID.

session fixation
Session fixation is a technique in which an attacker forces a value that the
attacker already knows into a user's session credential (for example, by
supplying a session ID in a link that the user follows), so that once the
user logs in, the attacker can use that same session. See also session
credential, session ID.

session hijacking
Session hijacking is the act of compromising a user's session. If an attacker
hijacks a user's session, the attacker may appear to be the legitimate user to
the web server. See also session credential, session ID.

session ID
A session ID is a string of data that identifies a user to a web server. This
string can be contained in a cookie or in the URL. A session ID can track a
user's session as the user browses the web site.

session manipulation
Session manipulation is an attack technique where an attacker alters a
session ID or session credential value in order to masquerade as a different
user. See also session credential, session hijacking, session ID.

SQL injection
SQL injection is an attack technique used on database-driven web sites
where an attacker runs unauthorized SQL statements by supplying input that
insecure application code inserts into a query without validation. Because
the injected statements run with the application's own database
credentials, a firewall in front of the SQL database does not prevent the
attack. See also form field manipulation, parameter tampering.
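The following Python snippet is an added example, not code from this guide or from any F5 product. It shows the insecure pattern the definition describes beside its fix, using an in-memory SQLite table with constructed sample accounts: the vulnerable login pastes the request parameters into the SQL text, so a quote in the password turns the WHERE clause into a tautology; the hardened login binds the same values as parameters, so they are only ever compared as data. The Application Security Manager can catch the quote as an illegal meta character in the parameter, but the durable fix is the bound parameter in the application.

```python
import sqlite3


def make_db():
    """In-memory table with constructed sample accounts (not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def login_vulnerable(con, name, pw):
    """Insecure: request parameters are concatenated into the statement, so a
    quote in the input changes the statement itself, not just a value."""
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return con.execute(sql).fetchone()[0] > 0


def login_hardened(con, name, pw):
    """Fixed: bound parameters travel separately from the statement text, so
    the same input is compared as a value and can never alter the query."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pw = ?"
    return con.execute(sql, (name, pw)).fetchone()[0] > 0


# Classic tautology payload: "... AND pw = '' OR '1'='1'" matches every row,
# so the vulnerable login succeeds without knowing any password.
PAYLOAD = "' OR '1'='1"
```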

static parameter
A static parameter is a parameter in a request whose values are chosen from
a known set of values, for example, the name of a country, a Yes/No form
field, and so on. See also dynamic parameter.


static value
See static parameter.

target frame
A target frame is the frame in a browser session to which the web object is
loaded.

target security policy
The target security policy is the security policy that the system updates
whenever you accept a learning suggestion. See also active security policy.

transparent mode
A security policy is in transparent mode when blocking is disabled. When a
security policy is in transparent mode, the Application Security Manager
forwards all requests to the web application. See also blocking mode.
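Several of the terms in this glossary (blocking mode, transparent mode, positive security logic, static and dynamic parameters, meta character injection, null injection, path traversal) describe one mechanism: a request is checked against an explicit description of what the web application accepts, and anything else is a violation. The following Python function is an added illustration of that mechanism, not code from the Application Security Manager. The policy it enforces, its object and parameter rules, and its violation names are constructed for the example and do not follow ASM's own policy format; the point is to show how a positive-logic check turns each glossary term into a concrete test, and how the same violations are reported but not enforced in transparent mode.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample policy (not an ASM export): the web objects the
# application is allowed to serve, and the parameter rules for each.
POLICY = {
    "blocking": True,            # False puts the policy in transparent mode
    "allowed_methods": {"GET", "POST"},
    "objects": {
        "/index.html": {},
        "/account.cgi": {
            "country": {"type": "static", "values": {"US", "DE", "IL"}},
            "acct": {"type": "dynamic", "pattern": r"[0-9]{8}"},
            "note": {"type": "alpha-numeric", "max_len": 64},
        },
    },
    # meta characters that must not appear in any parameter value
    "meta_chars": set("<>'\";|&$`"),
}


def _check_value(name, rule, value, policy):
    """Parameter-level checks: meta characters, then the rule for its type."""
    found = []
    if any(c in policy["meta_chars"] for c in value):
        found.append(f"illegal meta character in parameter: {name}")
    kind = rule["type"]
    if kind == "static" and value not in rule["values"]:
        found.append(f"illegal static parameter value: {name}")
    elif kind == "dynamic" and not re.fullmatch(rule["pattern"], value):
        found.append(f"illegal dynamic parameter value: {name}")
    elif kind == "alpha-numeric" and not (value.isalnum() and len(value) <= rule["max_len"]):
        found.append(f"illegal alpha-numeric parameter value: {name}")
    return found


def check_request(method, target, policy=POLICY):
    """Evaluate one request line against the policy.

    Returns (forwarded, violations). With blocking enabled, any violation
    stops the request. In transparent mode the request is forwarded anyway
    and the violations are only reported, which is what you review while
    tuning a policy before enabling blocking."""
    violations = []
    if method not in policy["allowed_methods"]:
        violations.append(f"illegal method: {method}")

    parts = urlsplit(target)
    path = unquote(parts.path)                       # decode %2e%2e, %00, ...
    params = parse_qsl(parts.query, keep_blank_values=True)

    # null injection: a decoded NUL anywhere in the path or the parameters
    if "\x00" in path or any("\x00" in s for kv in params for s in kv):
        violations.append("null injection")
    # path traversal: a ".." segment survives decoding
    if ".." in path.split("/"):
        violations.append("path traversal")

    rules = policy["objects"].get(path)
    if rules is None:
        violations.append(f"illegal object: {path}")
    else:
        for name, value in params:
            rule = rules.get(name)
            if rule is None:
                violations.append(f"illegal parameter: {name}")
            else:
                violations.extend(_check_value(name, rule, value, policy))

    forwarded = not (policy["blocking"] and violations)
    return forwarded, violations
```

Note the order of operations: decoding happens once, before any check, so an encoded `%2e%2e` or `%00` cannot slip past a test that only looked at the raw bytes, and parameter rules are only applied once the object itself is known to be part of the application.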

URI (Uniform Resource Identifier)
The Uniform Resource Identifier (URI) specifies the name of a web object
in a request. For example, in the web address
http://www.siterequest.com/index.html, index.html is the URI, that is, the
name of the requested web object.

URL (Uniform Resource Locator)
A Uniform Resource Locator (URL) is the standard method for specifying
the location of an object on the Internet.

URL manipulation
URL manipulation describes the process of changing the parameter name
and value pairs of a web application. Also known as parameter tampering.

web application
A web application is an application delivered to users from a web server to a
web client, such as a web browser, over a network.

web object
A web object is an individual page within a web application. See also
referrer.

web object parameter
A web object parameter is a parameter that is defined within the context of a
web object.

Index

A
access violations, about 5-39
Active icon, about 5-33
active security policy
  setting 2-9, 4-3, 5-33
  when to set 5-33
Alarm flag, about 5-36
alarms
  configuring 5-35
  for non-existent objects 5-23
  for security policy violations 5-6
Allow Empty Value setting
  about 7-20
  configuring for flow parameter 7-10, 7-22
  configuring for global parameter 7-4, 7-21
  configuring for web object parameter 7-7, 7-21
allowed methods
  deleting 5-18
  editing 5-18
Allowed Methods property 5-2, 5-18
allowed modified cookies
  deleting 5-17
  editing 5-17
Allowed Modified Cookies property 5-2, 5-17
allowed object 5-23
Allowed Objects RegExp list 5-23
allowed objects regular expression
  removing 5-25
alpha-numeric data type
  configuring 7-15
APC security level 5-5
APC security policy
  and flow parameters 7-9
application flow
  about 5-27
  and mandatory parameters 7-10
  and parameters 7-9
  creating 5-29
  maintaining 5-28
application security class
  actions of 3-7
  and default web application 2-6
  and disabled web applications 4-9
  and web applications 4-7
  creating 2-4, 3-2
  defined 2-4, 3-1
  naming 4-9
  processing HTTP requests 3-1
  rewrite URI action 3-7
  using none action 3-7
  using redirect action 3-7
  using send to pool action 3-7
  using traffic classifiers 3-1, 3-3
Application Security Policy Editor user role 10-1
application-layer attacks 1-2
attack patterns
  and regular expressions pool 10-3
attacks
  detecting possible 9-1
  viewing trends 9-6
Attacks reports
  about 9-6
  filtering 9-6
  viewing 9-6
audit tools 5-50
Auto-Accept tool
  See Real Traffic (Requests) operation mode.

B
back flows 6-7
bandwidth consumption
  using Policy Builder Generated Traffic operation mode 6-16
BIG-IP Local Traffic Manager
  integrating with 1-2, 1-3
binary data type
  configuring 7-16
Block flag, about 5-36
blocked requests
  processing 5-14
blocking mode
  about 2-1
  activating 2-11, 5-7
  activating in phases 5-7
  and blocking response page 5-14
  and Learn flag 5-7
  and Policy Enforcer 5-37
  and support ID 5-6
  configuring 5-6
  defined 5-6, 5-35
  for security policy 2-8
  transitioning to 2-10, 5-7
Blocking Policy settings
  about 5-35
  and Alarm flag 5-36
  and Block flag 5-36
  and Learn flag 5-36
  and security level 5-6
blocking response page
  about 5-2
  and blocking mode 5-6
  customizing 5-14
  viewing 5-15
browser emulation
  and Policy Builder 6-17

C
cache flows 6-7
cacheable objects
  creating cache flows 6-7
character set
  and language encoding 4-2
  modifying 5-31
Check Objects flag 5-22
China material content listing C-1
client sessions
  and cookie violations 5-41
client SSL settings
  and Policy Builder domains 6-3
command syntax, conventions 1-8
configuration tasks 2-1
Configuration utility
  about 1-2
  and online help 1-9
  and the Welcome screen 1-9
  for Setup utility 1-5
  identifying referrer objects 1-6
Continuous Mode
  and traffic sampling 6-19
  for Policy Builder 6-19
control characters
  See non-printable characters.
cookie violations
  about 5-41
cookies traffic classifier 3-6
Crawler tool
  See Policy Builder Generated Traffic operation mode.
custom level of security 5-5

D
data types
  for parameters 7-15
DCV parameters
  about 7-13
  and dynamic names 7-27
  and extracted items configuration 7-26
  and extraction methods 7-27
  and extraction properties 7-25
  and extractions 7-25
  and session IDs 7-13
  and sessions in web applications 7-25
decimal data type
  configuring 7-17
default allowed methods 5-18
default character set
  for security policy 5-31
  restoring 5-32
default negative regular expressions pool
  about 10-5
  modifying 10-5
  removing entries from 10-6
default response page
  for blocked requests 5-14
default sensitive parameter 5-16
Don't Check Flow flag 6-8
Don't Check Object flag 6-8
dynamic content value (DCV) parameters
  See DCV parameters.
dynamic parameter names
  about 7-13
  and DCV parameters 7-27
  and flow parameters 7-27
  configuring 7-27
dynamic parameters
  and Illegal parameter violation 5-41
  See also static parameters.
dynamic session information
  extracting from responses 4-5
dynamic sessions in URLs
  about 4-5
  and security level 4-5

E
email data type
  configuring 7-18
enhanced standard security level 2-7, 5-5
entities
  in security policy 5-1
entry point
  and simple flow mode 5-26
  defined 5-26
  in a flow 5-29
error page
  defining custom 6-6
events data
  archiving 9-2
  filtering 9-2
Events report
  viewing 9-1
Executive reports
  about 9-8
  viewing 9-8
Expired timestamp violation 5-41
extracted items configuration 7-26
extraction methods 7-27
extraction properties
  configuring extracted items 7-26
  configuring extraction methods 7-27
  for dynamic parameters 7-25
extractions
  for DCV parameters 7-25, 7-28
  viewing all 7-29
  viewing for web objects 7-29

F
F5 Dev Central web site 3-3
Failure to convert character violation 5-40
false positive alarms
  defined 2-8
file types
  in security policy 5-20
flow entities 5-28
flow mode
  configuring 5-9
  for Policy Builder 6-19
flow parameters
  and Allow Empty Value option 7-21
  and APC security policies 7-9
  and dynamic parameter names 7-27
  and Policy Builder 7-9
  configuring 7-9
  configuring Allow Empty Value setting 7-22
  configuring Is Mandatory Parameter setting 7-23
  deleting 7-11
  editing 7-10
flows
  configuring with Learning process 5-27
  configuring with Policy Builder 5-27
  creating manually 5-29
  viewing 5-28, 5-50
Forbidden Null in request violation 5-40
forceful browsing 1-2
forensics
  filtering by web application group 4-7
Forensics screen
  about 9-9
form fillers
  and running Policy Builder 6-5
form iteration
  using Policy Builder 6-17

G
general security policy properties 5-2
general system events 10-2
Generated Traffic operation mode
  about 6-10, 6-14
  and advanced flow mode 6-19
  and HTTP authentication 6-17
  configuring general settings for 6-14
  customizing settings for 6-15
  for Policy Builder 6-14
  running Policy Builder in 6-17
  setting probe interval 6-16
GET request
  and parameters 7-9
global DCV parameter
  configuring 7-28
global parameters
  and Allow Empty Value option 7-21
  and security level 7-3
  creating 7-3
  defined 7-3
  deleting 7-5
  editing 7-4

H
hazardous substance restrictions
  for China C-1
header values
  defining character set 5-30
headers traffic classifier 3-5
help, online 1-9
high security level
  about 2-7
  See also APC security policy.
high security security level
  See APC security level.
hosts traffic classifier 3-3
HTTP 404 responses
  processing in security policy 6-6
HTTP authentication
  for Policy Builder Generated Traffic operation mode 6-17
HTTP class
  See application security class.
HTTP methods 5-18
HTTP response codes
  and Policy Builder 6-11, 6-13

I
ICSA-certified 1-2
ignored items list
  for web application 8-9
  removing items from 8-9
  updating 8-7
Ignored Items screen
  about 8-1
Illegal cookie length violation 5-39
Illegal dynamic parameter value violation 5-40
Illegal empty parameter value violation 5-40, 7-20
Illegal entry point violation 5-39
Illegal flow to object violation 5-39
Illegal header length violation 5-39
Illegal HTTP format violation 5-38
Illegal HTTP status in response violation 5-42
Illegal meta character in header violation 5-42
Illegal meta character in object violation 5-42
Illegal meta character in parameter name violation 5-42
Illegal meta character in parameter value (defined parameter) violation 5-40
Illegal meta character in parameter value violation 5-42
Illegal method violation 5-39
Illegal number of mandatory parameters violation 5-40
Illegal object length violation 5-39
Illegal object type violation 5-39
Illegal parameter data type violation 5-40
Illegal parameter numeric value violation 5-40
Illegal parameter value length violation 5-40
Illegal parameter violation 5-40
Illegal pattern in header value violation 5-42
Illegal pattern in object violation 5-42
Illegal pattern in parameter=value pairs violation 5-42
Illegal pattern in response violation 5-42
Illegal POST data length violation 5-39
Illegal query string length violation 5-39
Illegal Query-String or POST Data violation 5-40
Illegal request length violation 5-39
Illegal session ID in URL violation 5-41
Illegal static parameter value violation 5-40
input violations
  summary of 5-40
integer data type
  configuring 7-19
internal parameters, described A-1
Is Entry Point flag 6-8
Is Mandatory Parameter setting
  configuring 7-10, 7-23
Is Referrer flag 6-8

J
JavaScript code
  analyzing 6-7

K
known attack patterns
  recognizing 5-10
known threats
  protecting web applications 2-8

L
language encoding
  and default character set 5-31
  for web applications 4-2
  support for double-byte 4-2
  support for single-byte 4-2
Learn flag
  and blocking mode 5-7
  enabling learning suggestions 8-2
Learn flag, about 5-36
learning
  and target security policy 4-5
Learning data
  refining a security policy 8-1
Learning Manager
  about 8-1
  processing learning suggestions 8-5
Learning process
  and configuring parameters 7-14
  and enabling blocking mode 5-7
  and length violations 5-39
  configuring flows 5-27
Learning process resources 8-1
learning suggestions
  accepting 8-5
  and RFC violations 5-38
  categories of 8-1
  clearing 8-6
  generating 5-35
  processing order 8-7
  rejecting 8-6, 8-9
  viewing related requests 8-3
  viewing requests that generate 8-3
  viewing specific 8-2
length violations
  about 5-39
  types of 5-39
local traffic pool
  defining 2-1
local traffic virtual server
  See virtual server.
log files 10-2
Logout Pages, configuring 6-15

M
Malicious parameter value 5-40
mandatory parameters
  and application flows 7-10
maximum cookie header length 5-8
maximum HTTP header length 5-7
Merge Report 5-45
merge security policy 5-45
meta characters
  for user-input parameters 7-15
Modified ASM cookie violation 5-41
Modified domain cookie(s) violation 5-41
Modified icon 5-33
monitoring tools
  about 2-12, 9-1

N
Navigation Parameters
  configuring 5-19
navigation parameters
  deleting 5-19
  editing 5-19
navigation parameters property 5-2
negative logic check 5-23
negative regular expressions
  system-supplied 10-3
negative regular expressions pool
  for security policy 5-10
  removing entries from 5-13
  viewing 5-10
negative security logic
  defined 2-8
negative security violations
  about 5-42
  types of 5-42
no_ext object type 5-21
none action
  in application security class 3-7
Non-existent object violation 5-39
non-printable characters, displaying 5-32
Non-RFC request violation 5-38
Not RFC compliant cookie violation 5-38
Null in multi-part parameter value violation 5-40

O
object paths
  defining character set 5-30
object type flags 5-20
object types
  detecting with Policy Builder 5-21
  for standard security level 5-22
  modifying 5-22
  removing from security policy 5-23
Object Types Associations
  and Policy Builder 6-7
  configuring 6-7
  creating custom 6-8
  deleting 6-9
online help 1-9
operation modes
  for Policy Builder 6-10

P
Page Not Found Criteria setting, configuring 6-6
parameter data types 7-15
parameter types 7-13
Parameter value doesn't comply with regular expression violation 5-41
parameters
  and Allow Empty Value setting 7-20
  and application flows 7-9
  and Is Mandatory Parameter setting 7-23
  and Policy Enforcer 7-1, 7-13
  and web objects 7-6
  creating flow parameters 7-9
  creating global parameters 7-3
  creating web object parameters 7-6
  in a security policy 5-27
  types of 7-1
phone data type
  configuring 7-20
Policy Builder
  about 5-2, 5-14, 6-1
  adding web objects 5-26
  analyzing JavaScript code 6-7
  and browser emulation 6-17
  and flow parameters 7-9
  and flows 5-27
  and HTTP response codes 6-11, 6-13
  configuring a start point 6-4
  configuring general settings for 6-2
  configuring logout pages 6-15
  configuring page not found criteria 6-6
  configuring parameters 7-14
  creating back flows for referrer objects 6-7
  creating cache flows 6-7
  customizing Generated Traffic operation mode 6-15
  defining custom error page 6-6
  detecting object types 5-21
  determining flow mode 6-19
  processing forms 6-17
  processing repeated structures 6-16
  running 6-19
  running in Generated Traffic operation mode 6-17
  running in Real Traffic (Requests) operation mode 6-12
  scanning web applications 6-4
  setting object types associations 6-7
  stopping 6-21
  updating security policies 6-4
  using Continuous Mode 6-19
  using Generated Traffic operation mode 6-14
  viewing status of 6-20
Policy Builder domains
  about 6-2
  and client SSL settings 6-3
  and server SSL settings 6-3
Policy Builder general settings
  configuring Form Fillers 6-5
  configuring Object Types Associations 6-7
  configuring Page Not Found Criteria 6-6
  configuring Policy Builder domain 6-2
  configuring Properties 6-6
  configuring Start Point 6-4
Policy Builder Generated Traffic operation mode
  allocating system resources 6-16
  configuring a start point 6-4
Policy Builder log
  about 6-22
  and Policy Builder operation modes 6-10
Policy Builder operation modes
  about 6-10
  and Policy Builder log 6-10
Policy Enforcer
  about 5-37
  and blocking mode 2-2, 5-37
  and parameters 7-13
  enforcing parameters 7-2
  enforcing responses 5-37
  using language encoding 4-2
  verifying parameters 7-1
Policy Recycle Bin 5-48
pool
  defining 2-5
positive security logic
  defined 2-8
positive security model 1-2
POST request
  and parameters 7-9
probe interval
  for Policy Builder Generated Traffic operation mode 6-16
product documentation, finding 1-9

R
Real Traffic (Requests) operation mode
  about 6-10
  and traffic sampling 4-4
  configuring 6-12
  configuring filter options 6-12
Real Traffic (Responses) operation mode
  about 6-10
  and traffic sampling 4-4
  configuring a Policy Builder domain 6-11
  configuring filter options 6-11
redirect action
  in application security class 3-7
referrer objects
  creating back flows 6-7
  identifying 1-6
RegExp Validator 10-4
regular expressions
  creating user-defined 10-3
  in user-input parameters 7-15
  restoring defaults 10-6
  See also negative regular expressions pool.
  validating user-defined 10-4
regular expressions pool 10-3
release notes, finding 1-9
Request length exceeds defined buffer size violation 5-39
requests
  analyzing 9-9
  logging 8-9
  viewing logged 4-3
requests logging
  setting the log level 4-3
rewrite URI
  in application security class 3-7
RFC documents 5-38
RFC violations 5-38
  and learning suggestions 5-38
  viewing in Forensics 5-38

S
security events
  filtering by web application group 4-7
  viewing 5-50
security level
  and dynamic sessions in URLs 4-5
  configuring 5-4
  determining for web applications 2-7
security policies
  for a web application 4-10
security policy
  activating blocking mode 2-8
  adjusting 2-8
  and access violations 5-39
  and Active icon 5-33
  and custom level of security 5-5
  and DCV parameters 7-26
  and default character set 5-31
  and default negative regular expressions pool 10-5
  and length violations 5-39
  and Merge Report 5-45
  and Modified icon 5-33
  and negative regular expressions pool 5-10
  and negative security violations 5-42
  and parameters 5-27
  and sensitive parameters 5-16
  configuring blocking mode 5-14
  configuring cookies to ignore 5-17
  configuring security levels 2-7
  copying 5-44
  creating a backup 5-45
  creating a default 3-1, B-18
  creating with Policy Builder 6-19
  deleting 5-47
  editing 5-43
  enforcing parameters 7-3
  exporting 5-44
  finding version number 5-48
  fine tuning 8-1
  general properties of 5-2, 5-3
  implementing 2-1
  importing 5-46
  maintaining 5-43
  managing HTTP 404 responses 6-6
  merging two policies 5-45
  monitoring 2-12
  naming convention 5-47
  refining 5-7
  refining using blocking mode 2-11
  removing web objects 5-27
  resolving errors 5-50
  restoring 5-48
  restoring archived version 5-48
  setting active 2-9, 4-3, 5-2, 5-33
  setting blocking mode 5-6
  updating 8-2, 8-5
  updating with Policy Builder 6-4, 6-19
  using APC security level 5-5
  using enhanced standard security level 2-7, 5-5
  using standard security level 5-4
security policy administrative tasks 4-10
security policy archives 5-48
security policy audit tools 5-50
security policy entities
  about 5-1
  applying negative regular expressions to 5-11
security policy management 10-1
security policy properties
  about 5-1
  and flow mode 5-9
  and maximum cookie header length 5-8
  and maximum HTTP header length 5-7
security policy versions 5-48
security policy violations
  and blocking mode 2-11
  detecting legitimate 8-2
  generating alarms 5-6
  tracking trends 9-1
  types 5-38
security reports
  about 9-1, 9-4
  filtering 9-4
  viewing 9-4
send to pool action
  in application security class 3-7
sensitive data, managing 5-16
sensitive parameters
  deleting 5-17
  editing 5-17
  in web applications 5-16
Sensitive Parameters property
  about 5-2
  configuring 5-16
  creating 5-16
server SSL settings
  and Policy Builder domains 6-3
session IDs
  and DCV parameters 7-13
simple flow mode
  and entry points 5-26
standard security level
  about 2-7, 5-4
  and object types 5-22
start point
  and Generated Traffic operation mode 6-4
  configuring for Policy Builder 6-4
  defined 6-4
static content value parameters
  See static parameters.
static parameters
  about 7-13
  See also dynamic parameters
statistics reports 9-1
stylistic conventions 1-7
support ID
  and blocking mode 5-6
system resource allocation
  for Policy Builder Generated Traffic operation mode 6-16

T
target security policy
  about 4-5
  and learning 4-5
TCL expressions
  using 3-3
Tcl expressions
  rewriting URIs 3-8
Technical Support web site 1-9
traffic classifier types 3-1
traffic classifiers
  applying 3-3
  for cookies 3-6
  for headers 3-5
  for hosts 3-3
  for URI paths 3-4
  in application security classes 3-1, 3-3
Traffic Learning screen
  and Learning process 8-1
  processing learning suggestions 8-5
traffic sampling
  and Policy Builder Continuous Mode 6-19
  enabling 4-4
  for Policy Builder 4-4
TrafficShield Application Firewall
  upgrade compatibility B-1
  upgrading to BIG-IP version 9.4 B-1
transparent mode
  and blocking 5-6
  configuring 5-35
  defined 2-1, 5-6

U
ungrouped web applications 4-7
unknown threats
  protecting web applications from 2-8
upgrading software
  and exporting security policies 5-45
URI paths traffic classifier 3-4
user activity
  and application security 10-2
  logging actions 10-2
user management 10-1
user roles
  about 10-1
  using Application Security Policy Editor role 10-1
user-defined regular expressions
  adding user-defined to security policy 5-11
  creating 10-3
  validating 10-4
user-input parameters
  about 7-13
  and alpha-numeric data type 7-15
  and binary data type 7-16
  and configuring parameter characteristics 7-15
  and decimal data type 7-17
  and email data type 7-18
  and input violations 5-40
  and integer data type 7-19
  and phone data type 7-20
  using meta characters in 7-15
  using regular expressions in 7-15
user-input value parameters
  See user-input parameters.

V
Value too long for pattern checks violation 5-41
version number, for security policy 5-48
violations
  See security policy violations.
virtual server
  defining 2-5

W
web application group
  creating 4-7
  defined 4-7
  deleting 4-8
web application objects 5-26
web application properties 4-2
web applications
  and access violations 5-39
  and application security classes 4-7
  and browser compatibility 6-17
  and DCV parameters 7-25
  and global parameters 7-3
  and hosted content 2-3
  and known threats 2-8
  and length violations 5-39
  and negative security violations 5-42
  and sensitive parameters 5-16
  and unknown threats 2-8
  creating a default 2-4, 2-6, 3-1, B-18
  defined 4-1
  defining entry points 6-4
  defining parameters 7-1
  deleting configurations 4-6
  detecting logout pages 6-15
  detecting repeated structures 6-16
  determining security level 2-7
  disabling 4-9
  enabling dynamic sessions in URLs 4-5
  enabling traffic sampling 4-4
  reconfiguring 4-6
  re-enabling disabled 4-9
  setting active security policy 2-9, 4-3, 5-33
  setting language encoding 4-2
  tightening security 7-1
  updating ignored items list 8-7
  viewing all 4-1
  viewing disabled 4-9
  viewing ignored items 8-9
  viewing security policies 4-10
web object entities 5-26
web object parameters
  and Allow Empty Value option 7-21
  deleting 7-8
  editing 7-7
web objects
  adding using Policy Builder 5-26
  and application flow 5-28
  configuring Object Types Associations 6-7
  defining parameters for 7-6
  removing from security policy 5-27
  viewing extractions for 7-29
  viewing properties of 5-27
Welcome screen 1-9
worms
  protecting against 3-3
Wrong message key violation 5-41

Z
zero-day threats
  defined 2-8
  protecting against 1-2
  See also unknown threats.
