Forum Discussion
Automate ASM "Ready to Be Enforced" Attack Signatures
- Feb 07, 2023
In case anyone is still looking for a way to do this, I created a Big-IQ script that can be pushed to your ASM devices. Here's what it does:
- It checks the HA status, and exits the script if the HA status is Standby
- It uses iControl REST to create a file that lists the policy hashes for each of your ASM policies
- It uses a bash for loop to loop through each of your ASM policy hashes, enforces Ready Signatures for each policy, and applies each policy
This is a plug-n-play script, so you shouldn't need to modify it at all. I've used it on v15.1.5 and v15.1.8.
------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
# Determines HA Status, creates variable, then loops through it on Active devices
cd /var/tmp/

# Static Variables
CREDS=admin

# Writes HA Status to a file
tmsh show /cm failover-status | grep Status > /var/tmp/ha-status.txt
chmod 755 /var/tmp/ha-status.txt

# Exits script if the HA Status file contains the string STANDBY
if grep -q STANDBY /var/tmp/ha-status.txt; then
  exit
fi

# Creates variable with list of policy hashes, then prints variable contents to txt file
# (all policies; see the note below to exclude parent and template policies)
FILENAME=$(curl -kvu $CREDS https://localhost/mgmt/tm/asm/policies | jq -r '.items[] | .id')
printf "$FILENAME\n" > /var/tmp/policy-hashes.txt
FILENAME="policy-hashes.txt"
LINES=$(cat $FILENAME)

# ASM - Enforces Ready Entities and Applies Policies - All Policies
for LINE in $LINES
do
  # PATCH the signature collection, filtered to the ready-to-enforce set, and take it out of staging
  curl -kvu $CREDS -X PATCH "https://localhost/mgmt/tm/asm/policies/$LINE/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true" -H "Content-Type: application/json" -d '{"performStaging":false}' | jq .
  # Start an apply-policy task for this policy
  LINK="https://localhost/mgmt/tm/asm/policies/$LINE"
  curl -kvu $CREDS -X POST https://localhost/mgmt/tm/asm/tasks/apply-policy -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": \"$LINK\" }}" | jq .
  sleep 10s
done
------------------------------------------------------------------------------------------------------------------------
If you want to exclude specific policies, such as a Parent or Template policy, you can change the line where the FILENAME variable is created to exclude those policies like this:
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | select(.name!="asm_parent") | select(.name!="asm_template") | .id')
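The same iControl REST workflow as the script above, written here as an added example (it is not the poster's script and not F5 code) in Python with only the standard library. It keeps the same steps, the Active/Standby check, the policy list, the filtered PATCH on the signature collection and the apply-policy task, and adds what you would want before running it on a production unit: a dry-run count of how many signatures each policy would take out of staging, a hard failure on any non-2xx response instead of piping whatever comes back into jq, credentials read from an environment variable rather than the command line, and polling of the apply-policy task instead of a fixed sleep. Assumptions are labelled in the code: the BIG-IP is reached at https://localhost, the credentials come from a BIGIP_CREDS variable as user:password, and the apply-policy task reports a status field whose terminal values are COMPLETED or FAILURE.

```python
# Added example: enforce "ready to be enforced" ASM signatures over iControl REST.
# Not the thread's script. Assumptions: runs on the BIG-IP (BASE_URL), credentials
# in BIGIP_CREDS as user:password, task status terminal values COMPLETED / FAILURE.
import base64
import json
import os
import ssl
import subprocess
import time
import urllib.parse
import urllib.request

BASE_URL = "https://localhost"  # assumption: script runs locally on the BIG-IP

# Same OData filter as the thread's PATCH call: no open suggestions, outside the
# enforcement readiness period, still in staging.
READY_FILTER = ("hasSuggestions eq false and "
                "wasUpdatedWithinEnforcementReadinessPeriod eq false and "
                "performStaging eq true")


def is_active(failover_status_text):
    """True only when the 'Status' line of 'tmsh show /cm failover-status' says ACTIVE."""
    for line in failover_status_text.splitlines():
        words = line.split()
        if words and words[0] == "Status":
            return len(words) > 1 and words[1].upper() == "ACTIVE"
    return False


def policy_ids(policies_json, exclude_names=()):
    """Policy hashes from /mgmt/tm/asm/policies, minus parent/template policy names."""
    skip = set(exclude_names)
    return [p["id"] for p in policies_json.get("items", []) if p.get("name") not in skip]


class RestClient:
    """Minimal iControl REST client: basic auth, JSON in and out."""

    def __init__(self, base_url, creds):
        self.base_url = base_url
        self.auth = "Basic " + base64.b64encode(creds.encode()).decode()
        self.ctx = ssl.create_default_context()
        self.ctx.check_hostname = False       # same trust decision as curl -k,
        self.ctx.verify_mode = ssl.CERT_NONE  # acceptable only for localhost

    def request(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", self.auth)
        req.add_header("Content-Type", "application/json")
        # urlopen raises HTTPError on 4xx/5xx, so a rejected PATCH stops the run
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read() or b"{}")


def signatures_path(policy_id, select="id"):
    """Signature collection URL restricted to the ready-to-enforce set."""
    query = urllib.parse.urlencode({"$select": select, "$filter": READY_FILTER})
    return f"/mgmt/tm/asm/policies/{policy_id}/signatures?{query}"


def count_ready(client, policy_id):
    """Dry run: how many signatures enforce_ready() would take out of staging."""
    return len(client.request("GET", signatures_path(policy_id)).get("items", []))


def enforce_ready(client, policy_id):
    """Collection PATCH with the filter, the same call the thread's curl makes."""
    client.request("PATCH", signatures_path(policy_id, select=""), {"performStaging": False})


def apply_policy(client, policy_id, timeout=300, poll=5):
    """Start an apply-policy task and poll it until it finishes or times out."""
    link = f"{BASE_URL}/mgmt/tm/asm/policies/{policy_id}"
    task = client.request("POST", "/mgmt/tm/asm/tasks/apply-policy",
                          {"policyReference": {"link": link}})
    deadline = time.monotonic() + timeout
    while True:
        status = client.request("GET", f"/mgmt/tm/asm/tasks/apply-policy/{task['id']}")
        if status.get("status") in ("COMPLETED", "FAILURE"):  # assumed terminal values
            return status["status"]
        if time.monotonic() > deadline:
            return "TIMEOUT"
        time.sleep(poll)


def run(client, failover_status_text, exclude_names=(), dry_run=True):
    """Return {policy_id: (ready_count, apply_status)}; empty dict on a Standby unit."""
    if not is_active(failover_status_text):
        return {}
    results = {}
    for pid in policy_ids(client.request("GET", "/mgmt/tm/asm/policies"), exclude_names):
        n = count_ready(client, pid)
        status = None
        if n and not dry_run:  # nothing ready means no PATCH and no apply
            enforce_ready(client, pid)
            status = apply_policy(client, pid)
        results[pid] = (n, status)
    return results


if __name__ == "__main__":
    # Credentials from the environment: not in argv (visible in ps), and this
    # client does not echo the Authorization header the way curl -v does.
    client = RestClient(BASE_URL, os.environ["BIGIP_CREDS"])
    ha = subprocess.run(["tmsh", "show", "/cm", "failover-status"],
                        capture_output=True, text=True, check=True).stdout
    outcome = run(client, ha, exclude_names=("asm_parent", "asm_template"),
                  dry_run=os.environ.get("ENFORCE") != "1")
    for pid, (n, status) in outcome.items():
        print(f"{pid}: {n} ready, apply={status or 'skipped'}")
```

Run it once with only BIGIP_CREDS set to get the per-policy counts without changing anything; set ENFORCE=1 for the real run. Policies with nothing ready are left alone rather than re-applied, which is the one behavioural difference from the bash loop above.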
Hello guys,
Thanks for your hard work!
Did you get it to work on v16?
I've been trying to use the scripts but unfortunately none of them work.
- DanSkow, Jun 04, 2024, Cirrus
Good morning,
I was able to run the Big-IQ script just now against my lab running v16.1.4.3 without any issues.
Are you running the script from the Big-IQ, or trying to run it locally on the Big-IP? If you're trying to run it locally on the Big-IP, you'll need to update the "CREDS=admin" line to include your admin password. For example, "CREDS=admin:password"
If your password has certain special characters, you'll have to escape them with a backslash. For example, "CREDS=admin:password\!"
If you're pushing it from the Big-IQ, you might be able to figure out the issue by looking at the Big-IQ script log. One common issue is not having Advanced Shell access for the admin user.
Let me know if you're able to find any logs related to the failure or any additional information on how you're running the script.
Thank you,
Dan
- 2Bs, Jun 04, 2024, Nimbostratus
Hi Dan!
Thanks for your response.
When I try to run the script it does not show any output.
I run it directly from the BIGIP itself and do have special characters in the password so I added the backslash before each special character but I got the same result.
I am running BIGIP v16.1.4.1
- DanSkow, Jun 04, 2024, Cirrus
There are a couple of different things that could be happening, so here's my recommendation for running it locally on the Big-IP:
- Update the password in the below version of the script, and save it to the Big-IP under /shared/scripts/asm-signature-enforcement.sh
- If there are policies to exclude, add them to the FILENAME line like I stated in my initial post
- Change file permissions using this command: chmod 700 /shared/scripts/asm-signature-enforcement.sh
- Execute the script from bash with this command: /shared/scripts/asm-signature-enforcement.sh
- Then just wait for the script to run through each of the policies. This will take several minutes depending on the number of policies and signatures being updated, but it will return you to the bash prompt when it's done. Script must be run on an Active device. The script exits if run on a Standby device.
I just verified this process on my v16.1.4.3 lab, so if it still fails I assume it's a password issue.
Logs for the failure might be found here: /var/log/restjavad.0.log
My first troubleshooting step for API issues is to run this command: tmsh restart sys service restjavad restnoded
----------------------------------------------------------------------------------------------
#!/bin/bash
# Determines HA Status, creates variable, then loops through it on Active devices
cd /var/tmp

# Static Variables
CREDS=admin:password\!

# Writes HA Status to a file
tmsh show /cm failover-status | grep Status > /var/tmp/ha-status.txt
chmod 755 /var/tmp/ha-status.txt

# Exits script if the HA Status file contains the string STANDBY
if grep -q STANDBY /var/tmp/ha-status.txt; then
  exit
fi

# Creates variable with list of policy hashes, then prints variable contents to txt file
# (all policies; edit the FILENAME line to exclude parent and template policies)
FILENAME=$(curl -kvu $CREDS https://localhost/mgmt/tm/asm/policies | jq -r '.items[] | .id')
printf "$FILENAME\n" > /var/tmp/policy-hashes.txt
FILENAME="policy-hashes.txt"
LINES=$(cat $FILENAME)

# ASM - Enforces Ready Entities and Applies Policies - All Policies
for LINE in $LINES
do
  # PATCH the signature collection, filtered to the ready-to-enforce set, and take it out of staging
  curl -kvu $CREDS -X PATCH "https://localhost/mgmt/tm/asm/policies/$LINE/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true" -H "Content-Type: application/json" -d '{"performStaging":false}' | jq .
  # Start an apply-policy task for this policy
  LINK="https://localhost/mgmt/tm/asm/policies/$LINE"
  curl -kvu $CREDS -X POST https://localhost/mgmt/tm/asm/tasks/apply-policy -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": \"$LINK\" }}" | jq .
  sleep 10s
done
- Holy64, Jun 04, 2024, Nimbostratus
Hi, I run my script in an ssh session on a 16.1.4.1 Big-IP. I have an admin profile.