Overview: WAF Policy Builder
Web Application Firewall (WAF) Policy Builder on BIG-IP Next Central Manager can predict how best to fine-tune a web application security policy that is shared across multiple BIG-IP Next instances. The policy building feature performs traffic learning by receiving the secure traffic log messages from all of the policy's BIG-IP instances and consolidating the traffic learning suggestions.
WAF configures the policy building settings according to the selections you make when you create a security policy. These settings are used for both automatic and manual policy building. You can review the settings, and change them later if needed. The policy building settings control:
Whether traffic is blocked when a violation is detected
Whether WAF automatically builds the security policy based on traffic to your protected application
How inclusive the security policy is
How new entities (file types, URLs, parameters, etc.) are learned: never learn new entities, learn if there are violations on an entity (selective mode), learn all entities that are discovered in the traffic
Which violations to enforce and how to enforce them
Which IP addresses to trust traffic and data from
Note: This version of Policy Builder does not include content profiles for URL headers, always mode, global accept for metacharacters, valid hostnames, fully automatic policy building, and method suggestions.
Policy learning and suggestions
Application traffic processed through a WAF policy provides information on requests or responses that do not comply with the current security policy and have triggered a violation. A violation can be triggered either by an actual attack on the site or by a false positive (typically seen while a policy is being built).
As a result of these detected violations, WAF generates learning suggestions for requests that cause violations and do not pass the security policy checks. Learning suggestions can also add legitimate entities such as URLs, file types, or parameters that often appear in requests.
If you are generating a security policy automatically, WAF handles much of the learning for you, adjusting the security policy based on traffic characteristics. In that case, the learning screens show only the elements that the security policy is in the process of learning, or those which require manual intervention to be resolved.
Manual policy building
Suggestions are approved or ignored only with manual intervention. With manual Policy Building you examine the learning suggestions, and then use the suggestions to refine the security policy. In some cases, learning suggestions may contain recommendations to relax the security policy. When dealing with learning suggestions, make sure to relax the policy only where false positives occurred, and not in cases where a real attack caused a violation. You can use the violation ratings or the learning score to help determine the strength of a suggestion.
Automatic policy building
Suggestions are approved once they reach a learning score of 100%. Policy Builder automatically adjusts the security policy based on traffic characteristics. Therefore, once enough traffic has been seen to produce a sufficient score, the suggestion is accepted; otherwise it requires manual intervention to be resolved. Any changes to the policy based on suggestions are added, but are not automatically deployed, so that you can review changes before deploying them to your BIG-IP Next instances.
Learning Suggestions
WAF generates learning suggestions for requests that cause violations and do not pass the security policy checks.
Learning Score
For each suggestion, WAF assigns a learning score that measures the strength of the suggestion by showing a percentage that indicates how close the system is to recommending that you accept the suggestion. The learning score is also influenced by the violation rating: the lower the rating of the violations, the higher the score.
If the system is working in automatic learning mode, when the learning score reaches 100%, the system accepts and enforces most of the suggestions, or you can accept suggestions manually at any time. If you are using manual learning, when the learning score reaches 100% (or before that if you know the suggestions are valid), you need to accept the suggestions manually.
Making decisions about which learning suggestions to accept requires a general understanding of application security, and specific knowledge of the protected application (for example, recognizing valid traffic). For example, you should consider accepting a learning suggestion when you see that it is associated with many requests from many different source IP addresses. As long as they are valid, repeated requests may indicate legitimate traffic behavior that warrants relaxing the security policy.
You can also review the violation rating for requests by selecting the suggestion. Learning suggestions associated with requests having a low average violation rating are more likely to be false positives and can be accepted. If a request has a high violation rating, the learning suggestion may not suit your system’s security needs. You can ignore suggestions to prevent Policy Builder from repeating that specific suggestion going forward.
Enforcement Readiness
When you create a security policy, you specify an enforcement readiness period that places entities and attack signatures in staging before they can become enforced (default 7 days). During this staging period learning suggestions are added to staged entities. When the enforcement readiness period is over and no learning suggestions are added for the staging period, the file type, URL, parameter, cookie, signature, or redirection domain is considered ready to be enforced.
If you are using manual learning, you can drill down to evaluate the enforcement value of these entities in the security policy. From the Enforcement Readiness summary panel, you can enforce selected entities to the security policy, or you can enforce all entities (including signatures) that are ready to be enforced. If you are using automatic learning, you can still enforce entities manually, but Policy Builder will automatically enforce entities according to the learning and blocking settings.
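The following is an added illustrative model (not Central Manager's own code or scoring internals) of the two decision rules described in the Learning Score and Enforcement Readiness sections: how a suggestion is triaged from its learning score, request breadth and average violation rating, and when a staged entity counts as ready to enforce. The numeric thresholds for "many requests", "many source IPs" and "low"/"high" violation rating are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed thresholds for this example; the product does not publish these values.
MANY_REQUESTS = 50   # "many requests" associated with one suggestion
MANY_SOURCES = 10    # "many different source IP addresses"
LOW_RATING = 2.0     # average violation rating at or below this is "low"
HIGH_RATING = 4.0    # average violation rating at or above this is "high"

@dataclass
class Suggestion:
    entity: str                 # e.g. a URL, parameter or file type
    learning_score: int         # 0-100 percent
    request_count: int
    distinct_sources: int
    avg_violation_rating: float

def triage_suggestion(s: Suggestion, automatic: bool) -> str:
    """Return 'accept', 'review' or 'ignore' following the page's guidance."""
    if s.avg_violation_rating >= HIGH_RATING:
        # High-rated violations look like real attacks: do not relax the policy.
        return "ignore"
    if s.learning_score >= 100:
        # At 100% the suggestion is accepted automatically, or by you in manual mode.
        return "accept"
    if (not automatic and s.request_count >= MANY_REQUESTS
            and s.distinct_sources >= MANY_SOURCES
            and s.avg_violation_rating <= LOW_RATING):
        # Manual mode: broad, low-rated traffic is a likely false positive.
        return "accept"
    return "review"

@dataclass
class StagedEntity:
    name: str
    staging_start: str               # ISO date the entity entered staging
    last_suggestion: Optional[str]   # ISO date a suggestion was last added, or None

def ready_to_enforce(e: StagedEntity, today: str, readiness_days: int = 7) -> bool:
    """Ready when the readiness period (default 7 days) has elapsed and no
    learning suggestion was added during that staging window."""
    window_start = date.fromisoformat(today) - timedelta(days=readiness_days)
    if date.fromisoformat(e.staging_start) > window_start:
        return False   # still inside the enforcement readiness period
    if e.last_suggestion and date.fromisoformat(e.last_suggestion) > window_start:
        return False   # a suggestion landed during the staging window
    return True
```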
Supported WAF policy templates
Policy Builder supports specific WAF policy templates. The following templates include Policy Builder, but differ in the amount of effort required to maintain learning suggestions:
Rapid - Recommended for beginners or applications with low security requirements.
Fundamental - Creates a robust security policy that is appropriate for most applications.
Comprehensive - Creates the most secure policy providing the greatest amount of customization, including all the enhanced features and more traffic classification at the parameter and URL levels, dynamic parameters, and CSRF URLs.