Application Security

This section contains declarations that aim to secure your deployment.

Use the index under Current Page on the left to locate specific examples.

1: Virtual service referencing an existing security policy

This example creates an HTTP service, and attaches an existing Web Application Firewall (WAF) security policy created with the BIG-IP Application Security Manager (ASM) module. See the BIG-IP ASM Implementations Guide for information on configuring security policies.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_app_sec_01.
  • A virtual server named serviceMain.
  • A pool named Pool1 monitored by the default http health monitor.
  • An LTM policy named _WAF__HTTP_Service which references the existing ASM policy named test-policy.
{
  "class": "ADC",
  "schemaVersion": "3.0.0",
  "id": "5489432",
  "label": "ASM_policy_existing",
  "remark": "ASM_policy_existing",
  "Sample_app_sec_01": {
    "class": "Tenant",
    "HTTP_Service": {
      "class": "Application",
      "template": "http",
      "serviceMain": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "192.0.10.107"
        ],
        "snat": "auto",
        "pool": "Pool1",
        "policyWAF": {
          "bigip": "/Common/test-policy"
        }
      },
      "Pool1": {
        "class": "Pool",
        "monitors": [
          "http"
        ],
        "members": [
          {
            "servicePort": 8001,
            "serverAddresses": [
              "10.10.10.143"
            ]
          },
          {
            "servicePort": 8002,
            "serverAddresses": [
              "10.10.10.144"
            ]
          }
        ]
      }
    }
  }
 }

Back to top


2: Virtual service referencing an external security policy

This example creates an HTTP service, and attaches a Web Application Firewall (WAF) security policy hosted in an external location. See the BIG-IP ASM Implementations Guide for information on configuring security policies, and the Exporting ASM Policies chapter for information on exporting policies.

Note the URL in the following declaration does not resolve, you need to use a valid URL where you have uploaded the ASM policy you exported from a BIG-IP system.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_app_sec_02.
  • A virtual server named serviceMain.
  • A pool named Pool1 monitored by the default http health monitor.
  • An LTM policy named _WAF__HTTP_Service which references the external ASM policy via URL.
{
  "class": "ADC",
  "schemaVersion": "3.2.0",
  "id": "5489432",
  "label": "ASM_policy_external_URL",
  "remark": "ASM_policy_external_URL",
  "Sample_app_sec_02": {
    "class": "Tenant",
    "HTTP_Service": {
      "class": "Application",
      "template": "http",
      "serviceMain": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "192.0.10.107"
        ],
        "snat": "auto",
        "pool": "Pool1",
        "policyWAF": {
          "use": "My_ASM_Policy"
        }
      },
      "Pool1": {
        "class": "Pool",
        "monitors": [
          "http"
        ],
        "members": [
          {
            "servicePort": 8001,
            "serverAddresses": [
              "10.10.10.143"
            ]
          },
          {
            "servicePort": 8002,
            "serverAddresses": [
              "10.10.10.144"
            ]
          }
        ]
      },
      "My_ASM_Policy": {
        "class": "WAF_Policy",
        "url": "https://example.com/asm-policy.xml",
        "ignoreChanges": true
      }
    }
  }
}

Back to top

3: Endpoint policy with default rule to disable WAF

This example shows an Endpoint policy that includes two rules, one that attempts to match a URI and then enables the WAF policy, and a default rule to disable the Web Application Firewall (WAF) if the first doesn’t match. See the Schema Reference for usage options and information on Endpoint policies. You can also see this page for example policy declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_app_sec_03.
  • An Endpoint policy named testItem.
  • Two rules, one to enable the WAF and the other to disable it.
  • A WAF policy named wafPolicy which references an external policy (via URL).
{
  "class": "ADC",
  "schemaVersion": "3.7.0",
  "id": "Service_HTTP",
  "Sample_app_sec_03": {
      "class": "Tenant",
      "Application": {
          "class": "Application",
          "template": "generic",
          "testItem": {
              "class": "Service_HTTP",
              "policyEndpoint": "endpointPolicy",
              "virtualAddresses": ["10.1.40.50"]
          },
          "endpointPolicy": {
              "class": "Endpoint_Policy",
              "rules": [
                  {
                    "name": "enableWAF",
                        "conditions": [{
                            "type": "httpUri",
                            "path": {
                                "values": ["example.com"]
                            }
                        }
                    ],
                    "actions": [{
                            "type": "waf",
                            "policy": {
                                "use": "wafPolicy"
                            }
                        }
                    ]
                  }, 
                  {
                    "name": "disable",
                    "conditions": [],
                    "actions": [{
                            "type": "waf"
                        }
                    ]
                  }
              ]
          },
          "wafPolicy": {
              "class": "WAF_Policy",
              "url": "http://example.com/orchestration-as3-test/resources/asm_policy/policy.xml",
              "ignoreChanges": true
          }
      }
   } 
}

Back to top

4: Endpoint policy with SSL SNI Match conditions and HTTP action

This example shows an Endpoint policy that includes SSL SNI Match conditions (sslExtension) and the ability to use HTTP actions in a declaration. The SSL extension property inspects SSL extensions being negotiated during the HELLO phase. See Policy_Condition and Policy_Condition_SSL_extension_HTTP in the Schema Reference for usage and options. The HTTP actions property provides the ability to enable or disable the BIG-IP system’s HTTP filter processing. See Policy_Action_HTTP in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_app_sec_04.
  • An Endpoint policy named test1.
  • An Endpoint policy rule (sni0) which, if during the SSL client HELLO the server name (test1.com) is in the SSL extension, will forward to an existing pool (sni1) on the BIG-IP (with HTTP actions set to false).
  • A second rule (sni1) which, if during the SSL client HELLO the server name (test2.com) is in the SSL extension, will forward to an existing pool (sni2) on the BIG-IP (with HTTP actions set to false).
  • A default rule that drops the request if neither of the other two rules are matched.
{
    "class": "ADC",
    "schemaVersion": "3.8.0",
    "id": "Endpoint_Policy",
    "Sample_app_sec_04": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "template": "generic",
            "test1": {
                "class": "Endpoint_Policy",
                "rules": [{
                        "name": "sni0",
                        "actions": [{
                                "type": "forward",
                                "select": {
                                    "pool": {
                                        "bigip": "/Common/sni1"
                                    }
                                }
                            }, {
                                "type": "http",
                                "enabled": false
                            }
                        ],
                        "conditions": [{
                                "type": "sslExtension",
                                "event": "ssl-client-hello",
                                "serverName": {
                                    "operand": "equals",
                                    "values": [
                                        "test1.com"
                                    ]
                                }
                            }
                        ]
                    }, {
                        "name": "sni1",
                        "actions": [{
                                "type": "forward",
                                "select": {
                                    "pool": {
                                        "bigip": "/Common/sni2"
                                    }
                                }
                            }, {
                                "type": "http",
                                "enabled": false
                            }
                        ],
                        "conditions": [{
                                "type": "sslExtension",
                                "event": "ssl-client-hello",
                                "serverName": {
                                    "operand": "equals",
                                    "values": [
                                        "test2.com"
                                    ]
                                }
                            }
                        ]
                    }, {
                        "name": "default",
                        "actions": [{
                            "type": "drop",
                            "event": "request"
                        }]
                    }
                ]
            }
        }
    }
}

Back to top

5: Using a Security log profile with Application Security

This example shows how you can use a BIG-IP ASM Security Logging profile with application security in a declaration (you must have ASM licensed and provisioned to use this profile). Logging profiles determine where events are logged, and which items (such as which parts of requests, or which type of errors) are logged. For more information on ASM logging profiles, see ASM Logging Profiles section of the ASM documentation., and Security Log Profile class in the Schema Reference for AS3 usage options and information.

There are two declarations in this example, one that uses local storage for the logs, and one that uses remote storage.

Local storage

This declaration creates a security log profile that uses local storage (for the remote storage example, click Remote storage). This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Security_Log_Local.
  • A Security Log Profile named secLogLocal with Application Security enabled which stores logs locally.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "Security_Log_Profile_local",
    "Security_Log_local": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "template": "generic",
            "secLogLocal": {
                "class": "Security_Log_Profile",
                "application": {
                    "storageFilter": {
                        "logicalOperation": "and",
                        "requestType": "all",
                        "responseCodes": [
                            "100",
                            "200",
                            "300",
                            "400"
                        ],
                        "protocols": [
                            "https",
                            "ws"
                        ],
                        "httpMethods": [
                            "ACL",
                            "GET",
                            "POLL",
                            "POST"
                        ],
                        "requestContains": {
                            "searchIn": "search-in-headers",
                            "value": "The header string to search for"
                        },
                        "loginResults": [
                            "login-result-successful",
                            "login-result-failed"
                        ]
                    },
                    "guaranteeLoggingEnabled": true,
                    "guaranteeResponseLoggingEnabled": true,
                    "maxHeaderSize": 200,
                    "maxQuerySize": 1040,
                    "maxRequestSize": 900,
                    "responseLogging": "all"
                }
            }
        }
    }
}

Remote storage

This declaration creates a security log profile that uses remote storage (for the local storage example, click Local storage). This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Security_Log_Remote.
  • A Security Log Profile named secLogRemote with Application Security enabled, which sends logs to a remote logging server on port 9876.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "Security_Log_Profile",
    "Security_Log_Remote": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "template": "generic",
            "secLogRemote": {
                "class": "Security_Log_Profile",
                "application": {
                    "facility": "local3",
                    "storageFilter": {
                        "requestType": "illegal-including-staged-signatures",
                        "responseCodes": [
                            "404",
                            "201"
                        ],
                        "protocols": [
                            "http"
                        ],
                        "httpMethods": [
                            "PATCH",
                            "DELETE"
                        ],
                        "requestContains": {
                            "searchIn": "search-in-request",
                            "value": "The new value"
                        },
                        "loginResults": [
                            "login-result-unknown"
                        ]
                    },
                    "storageFormat": {
                        "fields": [
                            "attack_type",
                            "avr_id",
                            "headers",
                            "is_truncated"
                        ],
                        "delimiter": "."
                    },
                    "localStorage": false,
                    "maxEntryLength": "10k",
                    "protocol": "udp",
                    "remoteStorage": "remote",
                    "reportAnomaliesEnabled": true,
                    "servers": [
                        {
                            "address": "9.8.7.6",
                            "port": "9876"
                        }
                    ]
                }
            }
        }
    }
}

Back to top