Forum Discussion
danielpenna
Cirrus
CirrusAutomate ASM "Ready to Be Enforced" Attack Signatures
Hi All, Problem scenario is this: Multiple F5 ASM deplyoments which use BigIQ to push out updated attack signatures ( works well ) and a 14 day Enforcement Readiness Period. This all works well up t...
In case anyone is still looking for a way to do this, I created a Big-IQ script that can be pushed to your ASM devices. Here's what it does:
- It checks the HA status, and exits the script if the HA status is Standby
- It uses iControl REST to create a file that lists the policy hashes for each of your ASM policies
- It uses a bash for loop to loop through each of your ASM policy hashes, and Enforces Ready Signatures for each policy, and apply each policy
This is a plug-n-play script, so you shouldn't need to modify it at all. I've used it on v15.1.5 and v15.1.8.
------------------------------------------------------------------------------------------------------------------------
# Determines HA Status, creates variable, then loops through it on Active devices
bash
cd /var/tmp/# Static Variables
CREDS=admin# Writes HA Status to a file
tmsh show /cm failover-status | grep Status > /var/tmp/ha-status.txt
chmod 755 /var/tmp/ha-status.txt# Exits script if the HA Status file contains the string STANDBY
if grep -q STANDBY /var/tmp/ha-status.txt; then
exit
fi# Creates variable with list of policy hashes, then prints variable contents to txt file (excluding parent and default policies)
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[]
printf "$FILENAME\n" > /var/tmp/policy-hashes.txtFILENAME="policy-hashes.txt"
LINES=$(cat $FILENAME)# ASM - Enforces Ready Entities and Applies Policies - All Policies
for LINE in $LINES
do
curl -kvu $CREDS -X PATCH "https://localhost/mgmt/tm/asm/policies/$LINE/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true" -u $CREDS -k -v -H "Content-Type: application/json" -d '{"performStaging":false}' | jq .
LINK=\"https://localhost/mgmt/tm/asm/policies/$LINE\"
curl -kvu $CREDS POST https://localhost/mgmt/tm/asm/tasks/apply-policy -k -v -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": $LINK }}" | jq .
sleep 10s
done------------------------------------------------------------------------------------------------------------------------
If you want to exclude specific policies, such as a Parent or Template policy, you can change the line where the FILENAME variable is created to exclude those policies like this:
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | select(.name!="asm_parent") | select(.name!="asm_template") | .id')
DanSkowCirrus
CirrusIn case anyone is still looking for a way to do this, I created a Big-IQ script that can be pushed to your ASM devices. Here's what it does:
- It checks the HA status, and exits the script if the HA status is Standby
- It uses iControl REST to create a file that lists the policy hashes for each of your ASM policies
- It uses a bash for loop to loop through each of your ASM policy hashes, and Enforces Ready Signatures for each policy, and apply each policy
This is a plug-n-play script, so you shouldn't need to modify it at all. I've used it on v15.1.5 and v15.1.8.
------------------------------------------------------------------------------------------------------------------------
# Determines HA Status, creates variable, then loops through it on Active devices
bash
cd /var/tmp/
# Static Variables
CREDS=admin
# Writes HA Status to a file
tmsh show /cm failover-status | grep Status > /var/tmp/ha-status.txt
chmod 755 /var/tmp/ha-status.txt
# Exits script if the HA Status file contains the string STANDBY
if grep -q STANDBY /var/tmp/ha-status.txt; then
exit
fi
# Creates variable with list of policy hashes, then prints variable contents to txt file (excluding parent and default policies)
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[]
printf "$FILENAME\n" > /var/tmp/policy-hashes.txt
FILENAME="policy-hashes.txt"
LINES=$(cat $FILENAME)
# ASM - Enforces Ready Entities and Applies Policies - All Policies
for LINE in $LINES
do
curl -kvu $CREDS -X PATCH "https://localhost/mgmt/tm/asm/policies/$LINE/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true" -u $CREDS -k -v -H "Content-Type: application/json" -d '{"performStaging":false}' | jq .
LINK=\"https://localhost/mgmt/tm/asm/policies/$LINE\"
curl -kvu $CREDS POST https://localhost/mgmt/tm/asm/tasks/apply-policy -k -v -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": $LINK }}" | jq .
sleep 10s
done
------------------------------------------------------------------------------------------------------------------------
If you want to exclude specific policies, such as a Parent or Template policy, you can change the line where the FILENAME variable is created to exclude those policies like this:
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | select(.name!="asm_parent") | select(.name!="asm_template") | .id')
Thanks for this, DanSkow! I'm sure it'll come in handy for future users. Apologies to danielpenna for not having spotted that his question was hanging for so long! The team is working to correct that going forward.