Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

danielpenna's avatar
danielpenna
Icon for Cirrus rankCirrus
Aug 31, 2021
Solved

Automate ASM "Ready to Be Enforced" Attack Signatures

Hi All, Problem scenario is this: Multiple F5 ASM deplyoments which use BigIQ to push out updated attack signatures ( works well ) and a 14 day Enforcement Readiness Period. This all works well up t...
ASM Advanced WAF
Automation
security
DanSkow's avatar
DanSkow
Icon for Cirrus rankCirrus
Feb 07, 2023

In case anyone is still looking for a way to do this, I created a Big-IQ script that can be pushed to your ASM devices. Here's what it does:

  1. It checks the HA status, and exits the script if the HA status is Standby
  2. It uses iControl REST to create a file that lists the policy hashes for each of your ASM policies
  3. It uses a bash for loop to loop through each of your ASM policy hashes, and Enforces Ready Signatures for each policy, and apply each policy

This is a plug-n-play script, so you shouldn't need to modify it at all. I've used it on v15.1.5 and v15.1.8.

------------------------------------------------------------------------------------------------------------------------

# Determines HA Status, creates variable, then loops through it on Active devices

bash
cd /var/tmp/

# Static Variables
CREDS=admin

# Writes HA Status to a file
tmsh show /cm failover-status | grep Status > /var/tmp/ha-status.txt
chmod 755 /var/tmp/ha-status.txt

# Exits script if the HA Status file contains the string STANDBY
if grep -q STANDBY /var/tmp/ha-status.txt; then
exit
fi

# Creates variable with list of policy hashes, then prints variable contents to txt file (excluding parent and default policies)
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] 
printf "$FILENAME\n" > /var/tmp/policy-hashes.txt

FILENAME="policy-hashes.txt"
LINES=$(cat $FILENAME)

# ASM - Enforces Ready Entities and Applies Policies - All Policies
for LINE in $LINES
do
  curl -kvu $CREDS -X PATCH "https://localhost/mgmt/tm/asm/policies/$LINE/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true" -u $CREDS -k -v -H "Content-Type: application/json" -d '{"performStaging":false}' | jq .
  LINK=\"https://localhost/mgmt/tm/asm/policies/$LINE\"
  curl -kvu $CREDS POST https://localhost/mgmt/tm/asm/tasks/apply-policy -k -v -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": $LINK }}" | jq .
sleep 10s
done

------------------------------------------------------------------------------------------------------------------------

If you want to exclude specific policies, such as a Parent or Template policy, you can change the line where the FILENAME variable is created to exclude those policies like this:

FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | select(.name!="asm_parent") | select(.name!="asm_template") | .id')

Leslie_Hubertus's avatar
Leslie_Hubertus
Ret. Employee
Feb 09, 2023

Thanks for this, DanSkow! I'm sure it'll come in handy for future users. Apologies to danielpenna for not having spotted that his question was hanging for so long! The team is working to correct that going forward.