For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Dominik_312933's avatar
Dominik_312933
Icon for Nimbostratus rankNimbostratus
Mar 13, 2018

ASM Signature Enforcement via iControl REST

Hi DevCentral community!   Is there any way in ASM to enforce signatures (in staging, but ready to be enforced) via iControl REST?   We are currently trying to automate signature updates and th...
ASM Advanced WAF
devops
iControlREST
security
Dominik_312933's avatar
Dominik_312933
Icon for Nimbostratus rankNimbostratus
Apr 20, 2018

Yes, you are correct this does not check the "enforcement readiness" state. Thanks for pointing out the respective API calls to achieve this functionality in 

https://devcentral.f5.com/d/icontrol-rest-user-guide-version-131-246
. Please let me know once you have an update on your open case.

On the other hand, a workaround I could think of is to check all learning suggestions for a given policy for their status and last occurrence. If a signature does not have any suggestions associated for a specified time range it can be ready for enforcement.

e.g. by issuing the following calls you could conclude that if no learning suggestion associated with a particular signature occurred for more than 7 days, the signature is ready for enforcement:

GET https://f5.intern/mgmt/tm/asm/policies/ABCDEFG123456/?$select=id,enforcementReadinessPeriod

...
"stagingSettings":{
    "signatureStaging":true,
    "enforcementReadinessPeriod":7
}
...


GET https://f5.intern/mgmt/tm/asm/policies/ABCDEFG123456/suggestions/?$select=id,lastOccurrenceDatetime,signatureReference,status