Policy Builder¶
Overview¶
Web Application Firewall (WAF) Policy Builder on BIG-IP Next Central Manager can predict how to best fine-tune a web application security policy that is shared across multiple BIG-IP Next instances. The policy building feature performs traffic learning by receiving the security log messages for traffic from all of the policy’s BIG-IP Next instances and consolidating the resulting traffic learning suggestions.
WAF configures the policy building settings according to the selections you make when you create a security policy. These settings are used for both automatic and manual policy building. You can review the settings, and change them later if needed. The policy building settings control:
Whether traffic is blocked when a violation is detected
Whether WAF automatically builds the security policy based on traffic to your protected application
How inclusive the security policy is
How new entities (for example: file types, URLs, parameters) are learned: either only when an entity triggers a violation (selective mode), or for every entity discovered in the traffic
Which violations to enforce and how to enforce them
Which IP addresses to trust traffic and data from
Note: This version of Policy Builder does not include content profiles for URL headers, always mode, global accept for metacharacters, valid hostnames, fully automatic policy building, and method suggestions.
Supported WAF policy templates¶
Policy Builder supports specific WAF policy templates. The following templates include Policy Builder, but differ in the amount of effort required to maintain learning suggestions:
Rapid - Recommended for beginners or applications with low security requirements.
Fundamental - Creates a robust security policy that is appropriate for most applications.
Comprehensive - Creates the most secure policy providing the greatest amount of customization, including all the enhanced features and more traffic classification at the parameter and URL levels, dynamic parameters, and CSRF URLs.
Policy learning and suggestions¶
Application traffic processed through a WAF policy provides information on requests or responses that do not comply with the current security policy and have triggered a violation. A violation can be triggered either by an actual attack on the site or by a false positive (typically seen while a policy is being built).
As a result of these detected violations, WAF generates learning suggestions for requests that cause violations and do not pass the security policy checks. Learning suggestions can also add legitimate entities such as URLs, file types, or parameters that often appear in requests.
If you are generating a security policy automatically, WAF handles much of the learning for you, adjusting the security policy based on traffic characteristics. In that case, the learning screens show only the elements that the security policy is in the process of learning, or those which require manual intervention to be resolved.
Manual policy building¶
Suggestions are approved or ignored only with manual intervention. With manual Policy Building you examine the learning suggestions, and then use the suggestions to refine the security policy. In some cases, learning suggestions may contain recommendations to relax the security policy. When dealing with learning suggestions, make sure to relax the policy only where false positives occurred, and not in cases where a real attack caused a violation. You can use the violation ratings or the learning score to help determine the strength of a suggestion.
Automatic policy building¶
Suggestions are approved once they reach a learning score of 100%. Policy Builder automatically adjusts the security policy based on traffic characteristics. Therefore, once enough traffic has been observed to produce a full score, the suggestion is accepted; otherwise it remains pending and requires manual intervention to be resolved. Any changes to the policy based on suggestions are added to the policy, but are not automatically deployed, so that you can review changes before deploying them to your BIG-IP Next instances.
Learning Suggestions¶
When evaluating Policy Builder’s suggestions you can review the status of the policy refinement process, or manually manage security suggestions based on known security requirements. You can do this by either accepting/ignoring learning suggestions, or managing policy entities that are in staging:
Learning Suggestions - Displays learning suggestions for changes to the security policy that the system generates. By selecting a suggestion, you can find out more about it including any violations that caused it and associated requests (up to 100) that triggered the suggestion. The suggestions are listed by pending suggestions, by default, but the list can be refined based on the learning status. The suggestions may relate to actual threats, false-positives, or legitimate additions to the security policy. When you accept a learning suggestion, you are updating the security policy. Alternatively, you can ignore or delete suggestions. See Manually manage learning suggestions.
Note: Changes to your policy are only active once they are deployed to the BIG-IP Next instance. You can deploy changes immediately after you manually accept suggestions, or save your changes and deploy later. For automatic policy building, you manually deploy Policy Builder changes.
Enforcement Readiness - Summarizes the security policy entities that are in staging or have learn explicit entities enabled, that may have learning suggestions, and that may be ready to be enforced. For file types, parameters, URLs, cookies, and signatures, you can review the entities and decide whether to enforce them in the security policy. You can approve entities that are ready to be enforced. These entities are then included in the policy and start to take effect on the traffic security. See Enforcing staged entities.
Learning Score¶
For each suggestion, WAF assigns a learning score that measures the strength of the suggestion by showing a percentage that indicates how close the system is to recommending that you accept the suggestion. The learning score is also influenced by the violation rating: the lower the rating of the violations, the higher the score.
If the system is working in automatic learning mode, when the learning score reaches 100%, the system accepts and enforces most of the suggestions, or you can accept suggestions manually at any time. If you are using manual learning, when the learning score reaches 100% (or before that if you know the suggestions are valid), you need to accept the suggestions manually.
Making decisions about which learning suggestions to accept requires a general understanding of application security, and specific knowledge of the protected application (for example, recognizing valid traffic). For example, you should consider accepting a learning suggestion when you see that it is associated with many requests from many different source IP addresses. As long as they are valid, repeated requests may indicate legitimate traffic behavior that warrants relaxing the security policy.
You can also review the violation rating for requests by selecting the suggestion. Learning suggestions associated with requests having a low average violation rating are more likely to be false positives and can be accepted. If a request has a high violation rating, the learning suggestion may not suit your system’s security needs. You can ignore suggestions to prevent Policy Builder from repeating that specific suggestion going forward.
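The triage guidance above (low average violation rating and many distinct source addresses point to a false positive; a high rating may indicate a real attack) can be applied to exported suggestion data. The following is an added example, not Central Manager code or its actual scoring algorithm; it assumes BIG-IP's 1 to 5 violation rating scale and uses constructed sample requests and arbitrary thresholds (`min_sources`, `max_avg_rating`) that you would tune for your application.

```python
from dataclasses import dataclass, field
from statistics import mean

# Violation rating on BIG-IP's 1..5 scale (assumption for this example):
# 1-2 likely false positive, 3 needs examination, 4-5 likely attack.
@dataclass
class SampleRequest:
    source_ip: str
    violation_rating: int

@dataclass
class Suggestion:
    description: str
    learning_score: int                                     # percentage, 0..100
    samples: list[SampleRequest] = field(default_factory=list)

def triage(s: Suggestion, min_sources: int = 5, max_avg_rating: float = 2.0) -> str:
    """Classify a suggestion as 'accept', 'review' or 'wait'.
    High average rating -> 'review' (may be a real attack; do not relax the policy).
    Full learning score, or low rating seen from many distinct sources -> 'accept'.
    Anything else -> 'wait' for more traffic samples."""
    if not s.samples:
        return "wait"
    avg_rating = mean(r.violation_rating for r in s.samples)
    distinct_sources = len({r.source_ip for r in s.samples})
    if avg_rating > max_avg_rating:
        return "review"
    if s.learning_score >= 100 or distinct_sources >= min_sources:
        return "accept"
    return "wait"

def triage_all(suggestions: list[Suggestion]) -> dict[str, str]:
    return {s.description: triage(s) for s in suggestions}

# Constructed sample suggestions (documentation-range IPs, not real traffic).
FALSE_POSITIVE = Suggestion(
    "Illegal meta character in parameter 'comment'", 100,
    [SampleRequest(f"192.0.2.{i}", 1) for i in range(1, 9)])
PROBABLE_ATTACK = Suggestion(
    "Attack signature detected in parameter 'id'", 40,
    [SampleRequest("198.51.100.7", 5), SampleRequest("198.51.100.7", 4)])
EARLY = Suggestion(
    "Illegal file type '.bak'", 20,
    [SampleRequest("203.0.113.1", 2)])

if __name__ == "__main__":
    for desc, verdict in triage_all([FALSE_POSITIVE, PROBABLE_ATTACK, EARLY]).items():
        print(f"{verdict:7} {desc}")
```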
Enforcement Readiness¶
When you create a security policy, you specify an enforcement readiness period that places entities and attack signatures in staging before they can become enforced (default 7 days). During this staging period learning suggestions are added to staged entities. When the enforcement readiness period is over and no learning suggestions are added for the staging period, the file type, URL, parameter, cookie, signature, or redirection domain is considered ready to be enforced.
If you are using manual learning, you can drill down to evaluate the enforcement value of these entities in the security policy. From the Enforcement Readiness summary panel, you can enforce selected entities to the security policy, or you can enforce all entities (including signatures) that are ready to be enforced. If you are using automatic learning, you can still enforce entities manually, but Policy Builder will automatically enforce entities according to the learning and blocking settings.
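To make the readiness rule concrete, the following added example (not Central Manager code) models when a staged entity becomes ready to be enforced: it must have been in staging for the whole readiness period, and no learning suggestion may have been added to it during the most recent period. The staging dates and entity names are constructed, and the boundary handling (a suggestion dated exactly one period ago does not block enforcement) is an assumption of this model.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class StagedEntity:
    kind: str            # file type, URL, parameter, cookie, signature or redirection domain
    name: str
    staged_since: date   # day the entity entered staging
    suggestion_dates: list[date] = field(default_factory=list)   # days a suggestion was added

def is_ready_to_enforce(e: StagedEntity, today: date, readiness_days: int = 7) -> bool:
    """Ready when the entity completed the readiness period (default 7 days) and
    received no learning suggestion during the most recent readiness period."""
    window_start = today - timedelta(days=readiness_days)
    if e.staged_since > window_start:
        return False                                     # staging period not yet complete
    return not any(d > window_start for d in e.suggestion_dates)

def ready_entities(entities: list[StagedEntity], today: date, readiness_days: int = 7) -> list[str]:
    """Names shown under 'Ready to be Enforced' for the given readiness period."""
    return [e.name for e in entities if is_ready_to_enforce(e, today, readiness_days)]

# Constructed staging state as of TODAY (not taken from a real policy).
TODAY = date(2024, 3, 15)
STAGED = [
    StagedEntity("file type", "jpg", date(2024, 3, 1)),                               # clean for 14 days
    StagedEntity("URL", "/api/login", date(2024, 3, 1), [date(2024, 3, 12)]),          # suggestion 3 days ago
    StagedEntity("parameter", "q", date(2024, 3, 11)),                                # staged only 4 days
    StagedEntity("signature", "example-signature", date(2024, 3, 8), [date(2024, 3, 8)]),  # exactly 7 days
]

if __name__ == "__main__":
    for days in (7, 14):
        print(f"readiness period {days} days: {ready_entities(STAGED, TODAY, days)}")
```

Raising the Readiness Period in the Policy Builder settings lengthens the window, so entities that were ready under the 7 day default may drop back to staging until they accumulate a clean period of the new length.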
Prerequisites¶
Verify any attached application services to ensure proper security after changes are deployed.
You need to have a user role of Security Manager or Administrator to manage a WAF policy.
You need to create a policy using one of the supported WAF policy templates.
How to manage Policy Builder¶
Manage Policy Builder settings¶
You can change the settings for Policy Builder for each WAF policy.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click Policy Builder.
The panel displays Learning Suggestions.
Click Settings.
For Learning Mode select one of the following:
The defaults for this setting vary depending on the WAF policy template.
Automatic - Accepts learning suggestions once they reach 100%, or when you manually accept the suggestion.
Manual - Requires that you manually accept any suggestion.
On Demand - (Default for Rating Based templates) Learning suggestions are generated for potential false positives but do not include a learning score or request samples. These suggestions appear only when the user clicks “Accept Request”. The Policy Builder screen should display only the settings, excluding learning suggestions and the Enforcement Readiness page.
Disabled - Disables learning.
For Learning Speed select one of the following to customize the number of traffic samples for a suggestion:
Fast - Samples a low volume of traffic to generate a suggestion and reach a full learning score at a faster rate.
Medium - Samples a moderate volume of traffic to generate a suggestion. Recommended for most applications.
Slow - Samples a high volume of traffic before generating a suggestion, so that more traffic is sampled and suggestion accuracy is higher.
For Readiness Period (Days) enter the number of days entities and attack signatures remain in staging before they can become enforced.
Click Save.
If you have completed your changes to the policy, click Deploy to update associated BIG-IP Next instance(s).
To confirm the deployment, click Deploy.
To manage Policy Builder learning suggestions and entity enforcement, see Manually manage learning suggestions and Enforcing staged entities.
Manually manage learning suggestions¶
Use the following procedure to manually manage learning suggestions for a selected policy.
Note: If you are working in automatic learning mode, when the learning score reaches 100%, the system accepts most of the suggestions, or you can accept suggestions manually at any time. If you are using manual learning, when the learning score reaches 100% (or before that if you know the suggestions are valid), you need to accept the suggestions manually. If you know that a suggestion is valid, you can accept it at any time even before the learning score reaches 100%. The ones that reach 100% have met all the conditions so that they are probably legitimate entities.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click WAF.
Click the policy name.
From the policy’s panel menu, select Policy Builder. The Policy Builder panel automatically displays the Learning Suggestions.
Select the suggested action:
Note: If you already know the suggestion action, you can click the suggestion’s check box and select an action.
From the suggestion panel you can review the details of the suggestion, including the policy refinement, description, and affected entity.
From the Samples list, you can select a traffic sample to view additional request details in a separate panel.
Select an action:
Accept - Accepts a suggestion to modify the policy, or policy entity, according to the suggestion.
Accept & Stage - Accepts a suggestion to modify the policy entity according to the suggestion, and enables staging for the entity.
Accept Globally - Accepts a suggestion and adds enforcement to all entities in the policy.
Delete - Removes the learning suggestion from the list, but Policy Builder will suggest this action if detected again in traffic.
Ignore - Removes the learning suggestion, and this action will no longer be suggested if detected again in traffic.
Click Save to save your changes without deploying to the policy’s BIG-IP Next instances.
Note: Any changes to your policy are now saved. You are not required to immediately deploy these changes.
Click Deploy to deploy your changes to the policy’s BIG-IP Next instances.
Enforcing staged entities¶
When you create a security policy and traffic is sent to the web application, the system makes learning suggestions about file types, URLs, parameters, cookies, and redirection domains to add to the security policy. You can review the entities and signatures that are ready to be enforced, and enforce them in the security policy.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click WAF.
Click the policy name.
From the policy’s panel menu, select Policy Builder. The Policy Builder panel automatically displays the Learning Suggestions.
Select the Enforcement Readiness tab.
Click Refresh to ensure you are viewing the most up-to-date statuses.
Click the check box next to one or more entity types. Ensure that you are selecting entity types that have one or more entities ready to be enforced. Entities under Ready to be Enforced have completed the configured staging period and are eligible to become enforced according to your policy configuration.
Click Enforce Ready Entities.
Click Save to save your changes without deploying to the policy’s BIG-IP Next instances.
Note: Any changes to your policy are now saved. You are not required to immediately deploy these changes.
Click Deploy to deploy your changes to the policy’s BIG-IP Next instances.