Forum Discussion
ASM/AWAF declarative policy
Hi there,
I am searching for options to automate ASM and would rather avoid having AS3 in the loop due to the need to update it on the F5 side. Luckily F5 introduced "declarative policy".
But I am not able to get it working properly. I am able to deploy a WAF policy with the example mentioned here. But it does not contain any of the specified server technologies. I have the same issue with parameters or URLs when I tried other examples. They simply got ignored. Is it buggy, or has any of you struggled with it?
My last option is to have a set of policies predefined in XML format and do some importing or playing with policy inheritance. Well, declarative ASM looks like exactly what I need, it just does not work or I am wrong :)
Thanks for any help
Zdenek
5 Replies
Are you on the latest 17.1.5.x version?
At some point I may test this myself but I may need time.
Good examples are:
and
- zdenekzemba
Thanks Nikoolayy1, that documentation could be done better. For example, the API endpoint is missing; it should be POST to /mgmt/tm/asm/policies. But then the payload (the last example on this page) does not correspond to it, as the whole declaration is under the key "policy". BUT when I try to deploy it to /mgmt/tm/asm I get 501, and when I try to deploy it to /mgmt/tm/asm/policies I get 400. I am worried whether this is not one of the dead-end cases like iWorkflow, AS3 in container etc. Is this still a well sustained and supported solution, or was it a one-time try? Maybe I will create a support ticket for this.
Importing a declarative JSON Policy works in all my setups without problems.
You can have a look at Restsh and especially this script: https://github.com/AxiansITSecurity/Restsh/blob/master/restsh/modules/f5/bin/f5.asm.policy.declare or this script: https://github.com/AxiansITSecurity/Restsh/blob/master/restsh/modules/f5/bin/f5.asm.policy.import
A policy should look like:
{
  "policy": {
    "type": "security",
    "name": "{{WAF_POLICY_NAME}}",
    "description": "Created by {{CI_JOB_URL}}",
    "template": {
      "name": "{{VAR_F5_BASE_TEMPLATE}}"
    },
    "enforcementMode": "{{VAR_ENFORCEMENT_MODE}}"
  }
}

Maybe that could be a workaround: to create a template with the needed server technologies and use your article, Juergen_Mang: Update an ASM Policy Template via REST-API - the reverse engineering way | DevCentral, or better yet restsh.
There should be no need for a workaround. A declarative policy works like a charm since version 16.
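Added example, not part of any post in this thread and not code from F5 or Restsh: a CI-side helper that fills the `{{...}}` placeholders of a policy template like the one quoted above after JSON parsing, and then reports declared sections that are missing from the deployed policy (the symptom described in the original question). It assumes the deployed policy has been exported back as JSON in the same layout; the `server-technologies` section, the function names and all sample values are constructed for illustration.

```python
import json
import re

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")  # {{NAME}} syntax of the template in the thread

# Constructed sample: the thread's template plus a server-technologies section
# (key names assumed from F5's declarative policy examples).
TEMPLATE = """{ "policy": {
  "type": "security",
  "name": "{{WAF_POLICY_NAME}}",
  "description": "Created by {{CI_JOB_URL}}",
  "template": { "name": "{{VAR_F5_BASE_TEMPLATE}}" },
  "enforcementMode": "{{VAR_ENFORCEMENT_MODE}}",
  "server-technologies": [ { "serverTechnologyName": "MySQL" } ]
} }"""

def render(node, variables):
    """Fill placeholders in parsed JSON, so a value can never change the structure."""
    if isinstance(node, dict):
        return {k: render(v, variables) for k, v in node.items()}
    if isinstance(node, list):
        return [render(v, variables) for v in node]
    if isinstance(node, str):
        # An undefined variable raises KeyError instead of deploying a literal "{{...}}".
        return PLACEHOLDER.sub(lambda m: str(variables[m.group(1)]), node)
    return node

def covers(got, want):
    """True if every declared value in `want` is present in `got` (extra fields allowed)."""
    if isinstance(want, dict):
        return isinstance(got, dict) and all(covers(got.get(k), v) for k, v in want.items())
    if isinstance(want, list):
        return isinstance(got, list) and all(any(covers(g, w) for g in got) for w in want)
    return got == want

def ignored_sections(declared, exported):
    """Names of declared policy sections that the deployed policy does not contain."""
    want, got = declared["policy"], exported.get("policy", {})
    return sorted(k for k, v in want.items() if not covers(got.get(k), v))

if __name__ == "__main__":
    ci_vars = {"WAF_POLICY_NAME": "shop_waf", "CI_JOB_URL": "https://ci.example/job/1",
               "VAR_F5_BASE_TEMPLATE": "EXAMPLE_BASE_TEMPLATE", "VAR_ENFORCEMENT_MODE": "blocking"}
    declared = render(json.loads(TEMPLATE), ci_vars)
    # Constructed export of the deployed policy: the server technologies were dropped.
    exported = {"policy": {k: v for k, v in declared["policy"].items() if k != "server-technologies"}}
    print(ignored_sections(declared, exported))
```

Running the check as a pipeline step after each deployment turns a silently ignored section into a failed job rather than a policy that is weaker than the declaration.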