Forum Discussion
Automate ASM "Ready to Be Enforced" Attack Signatures
- Feb 07, 2023
In case anyone is still looking for a way to do this, I created a Big-IQ script that can be pushed to your ASM devices. Here's what it does:
- It checks the HA status, and exits the script if the HA status is Standby
- It uses iControl REST to create a file that lists the policy hashes for each of your ASM policies
- It uses a bash for loop to loop through each of your ASM policy hashes, enforces the Ready signatures for each policy, and applies each policy
This is a plug-n-play script, so you shouldn't need to modify it at all. I've used it on v15.1.5 and v15.1.8.
------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
# Determines HA Status, creates variable, then loops through it on Active devices
cd /var/tmp/

# Static Variables
CREDS=admin

# Writes HA Status to a file
tmsh show /cm failover-status | grep Status > /var/tmp/ha-status.txt
chmod 755 /var/tmp/ha-status.txt

# Exits script if the HA Status file contains the string STANDBY
if grep -q STANDBY /var/tmp/ha-status.txt; then
    exit
fi

# Creates variable with list of policy hashes, then prints variable contents to txt file
# (the jq filter below selects every policy id; see the note after the script for excluding parent and template policies)
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | .id')
printf "$FILENAME\n" > /var/tmp/policy-hashes.txt
FILENAME="policy-hashes.txt"
LINES=$(cat $FILENAME)

# ASM - Enforces Ready Entities and Applies Policies - All Policies
for LINE in $LINES
do
    # Turns staging off for every signature in this policy that is ready to be enforced
    curl -kvu $CREDS -X PATCH "https://localhost/mgmt/tm/asm/policies/$LINE/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true" -H "Content-Type: application/json" -d '{"performStaging":false}' | jq .
    LINK=\"https://localhost/mgmt/tm/asm/policies/$LINE\"
    # Applies the policy so the enforcement takes effect
    curl -kvu $CREDS -X POST https://localhost/mgmt/tm/asm/tasks/apply-policy -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": $LINK }}" | jq .
    sleep 10s
done
------------------------------------------------------------------------------------------------------------------------
If you want to exclude specific policies, such as a Parent or Template policy, you can change the line where the FILENAME variable is created to exclude those policies like this:
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | select(.name!="asm_parent") | select(.name!="asm_template") | .id')
I would like to share my script. We use partitions on our infrastructure. I don't use the standby status check yet, but that's a good function to add to my script.
I use as input parameter either "all" or the list of partitions where you would like to enforce the signatures ready to be enforced, separated by a space. That's because in our case, partitions could be active on node 1 or on node 2.
I put a sleep 20 after requesting the signature enforcement, and I check for a maximum of 60 seconds for the ASM policy apply to reach the success status. The script gives detailed information in the console.
Tested on BigIP versions 15.1.8 and 14.1.5.
---------------------------------------------------------------------------------------------------
# YHO 20220207 ASM staging signature enforcement
# ASM-SignEnforcement.ksh
# v01 yho 20220207
export runUser=${USER}
export logfolder=${HOME}/
export policyList=${logfolder}/PolList.txt

# First parameter: "all" or a quoted, space-separated list of partitions
if [ "$1" == "" ];
then
    echo ------------------------------------------------
    echo Partitions list :
    tmsh list auth partition one-line | awk '{print $3}' | sed ':a;N;$!ba;s/\n/ /g'
    echo ------------------------------------------------
    echo Give the option as first parameter
    echo Options are :
    echo " all : all partitions in the above list"
    echo " or the partitions list between quotes \"partition list\""
    exit 1
else
    if [ "$1" == "all" ]
    then
        export Partis=`tmsh list auth partition one-line | awk '{print $3}' | sed ':a;N;$!ba;s/\n/ /g'`
    else
        export Partis=$1
    fi
fi
echo ------------------------------------------------
echo Signature enforcement for partitions
echo ------------------------------------------------
echo $Partis
echo ------------------------------------------------
echo "sleep 10 seconds - CTRL C to stop"
sleep 10

# List policies/policies ID (policy name and REST uuid from the ASM database, tab replaced by a comma)
mysql -uasm -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` -e "select name, rest_uuid from PLC.PL_POLICIES" > $policyList
sed -i 's/\x09/,/' $policyList

for parti in ${Partis}
do
    for pol in `cat $policyList | grep "^\/"`
    do
        name=`echo $pol | awk -F ',' '{print $1}'`
        id=`echo $pol | awk -F ',' '{print $2}'`
        # Only policies that live in the requested partition (/partition/policy)
        echo ${name} | grep "/${parti}/"
        if [ $? -eq 0 ]
        then
            echo ------------------------------------------------
            echo Check manual learning $name $id
            # $select has to be escaped, otherwise the shell expands it to an empty string
            restcurl -s -u ${runUser}: "/tm/asm/policies/$id/policy-builder?\$select=learningMode" | grep manual
            if [ $? -eq 0 ]
            then
                # enforce ready to enforce signatures
                echo Check ready to enforce signatures number $name
                restcurl -u ${runUser}: "/tm/asm/policies/$id/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true&\$top=1" | grep totalItems
                restcurl -u ${runUser}: "/tm/asm/policies/$id/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true&\$top=1" | grep 'totalItems.: [1-9]'
                if [ $? -eq 0 ]
                then
                    echo Enforce ready to enforce signatures $name
                    restcurl -X PATCH -u ${runUser}: "/tm/asm/policies/$id/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true" -d '{"performStaging":false}' | grep 'totalItems.: [1-9]'
                    echo sleep 20 - signature update ongoing
                    sleep 20
                    # Apply policy
                    echo Apply policy $name
                    TaskId=`restcurl -s -u ${runUser}: -X POST /tm/asm/tasks/apply-policy -d "{\"policyReference\": {\"link\": \"https://localhost/mgmt/tm/asm/policies/$id\"}}" | grep -e "id.:" | sed 's/.*\"id\": \"//' | sed 's/\",.*//'`
                    echo Apply policy TaskId : $TaskId - $name
                    # Check policy applied (poll the task once per second, at most $app seconds)
                    app=60
                    echo Check policy applied for max $app seconds for $name
                    while [ $app -ge 2 ]
                    do
                        app=$(($app-1))
                        restcurl -s -u ${runUser}: "/tm/asm/tasks/apply-policy/$TaskId" | grep COMPLETED
                        if [ $? -eq 0 ] ; then app=0; fi
                        sleep 1
                    done
                    echo Policy applied COMPLETE if $app = 0 - $name
                else
                    echo No signature to enforce for $name
                fi
            else
                echo Policy not in manual mode $name
            fi
            echo ==============================================
        fi
    done
done
# End
---------------------------------------------------------------------------------------------------
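The workflow both scripts above implement, as an added Python example that is not code from either post: the HA guard and policy-id listing of the first script, and the manual-learning check, enforcement count and apply-task polling of the second. The `Transport` callable is an assumption so the logic can be exercised offline; against a real unit it would wrap an authenticated HTTPS request to /mgmt on the device.

```python
from typing import Callable, Dict, List, Optional, Sequence

# Same OData filter both posted scripts use: signatures with no open suggestions,
# past the enforcement readiness period, and still in staging.
READY_FILTER = ("hasSuggestions+eq+false+AND+"
                "wasUpdatedWithinEnforcementReadinessPeriod+eq+false+"
                "and+performStaging+eq+true")

# Assumed transport, injected so the logic runs offline: call(method, path, body) -> parsed JSON.
Transport = Callable[[str, str, Optional[dict]], dict]

def policy_ids(policies: dict, exclude: Sequence[str] = ()) -> List[str]:
    """IDs from a /mgmt/tm/asm/policies listing, skipping names such as a parent or template policy."""
    return [p["id"] for p in policies.get("items", []) if p["name"] not in exclude]

def is_manual_learning(call: Transport, pid: str) -> bool:
    """Second post's guard: only touch policies whose policy builder is in manual learning mode."""
    pb = call("GET", f"/mgmt/tm/asm/policies/{pid}/policy-builder?$select=learningMode", None)
    return pb.get("learningMode") == "manual"

def enforce_ready_signatures(call: Transport, pid: str) -> int:
    """Turn staging off for every ready signature; returns the totalItems the PATCH reports."""
    path = f"/mgmt/tm/asm/policies/{pid}/signatures?$select=&$filter={READY_FILTER}"
    return int(call("PATCH", path, {"performStaging": False}).get("totalItems", 0))

def apply_policy(call: Transport, pid: str, wait: Callable[[], None], max_polls: int = 60) -> bool:
    """Start an apply-policy task and poll it until COMPLETED or the poll budget is exhausted."""
    link = f"https://localhost/mgmt/tm/asm/policies/{pid}"
    task = call("POST", "/mgmt/tm/asm/tasks/apply-policy", {"policyReference": {"link": link}})
    for _ in range(max_polls):
        state = call("GET", f"/mgmt/tm/asm/tasks/apply-policy/{task['id']}", None)
        if state.get("status") == "COMPLETED":
            return True
        wait()  # time.sleep(1) against a real device
    return False

def run(call: Transport, ha_status: str, policies: dict, exclude: Sequence[str] = (),
        wait: Callable[[], None] = lambda: None) -> Dict[str, str]:
    """Whole workflow: nothing on a STANDBY unit, otherwise enforce then apply, policy by policy."""
    if "STANDBY" in ha_status.upper():  # first post's check on `tmsh show /cm failover-status`
        return {}
    outcome: Dict[str, str] = {}
    for pid in policy_ids(policies, exclude):
        if not is_manual_learning(call, pid):
            outcome[pid] = "not-manual"
        elif enforce_ready_signatures(call, pid) == 0:
            outcome[pid] = "nothing-to-enforce"
        else:
            outcome[pid] = "applied" if apply_policy(call, pid, wait) else "apply-timeout"
    return outcome
```

The returned dictionary gives one outcome per policy, which is what a scheduled job should log instead of the raw curl output the posted scripts print.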