Forum Discussion
danielpenna
Cirrus
CirrusAutomate ASM "Ready to Be Enforced" Attack Signatures
Hi All, Problem scenario is this: Multiple F5 ASM deplyoments which use BigIQ to push out updated attack signatures ( works well ) and a 14 day Enforcement Readiness Period. This all works well up t...
In case anyone is still looking for a way to do this, I created a Big-IQ script that can be pushed to your ASM devices. Here's what it does:
- It checks the HA status, and exits the script if the HA status is Standby
- It uses iControl REST to create a file that lists the policy hashes for each of your ASM policies
- It uses a bash for loop to loop through each of your ASM policy hashes, and Enforces Ready Signatures for each policy, and apply each policy
This is a plug-n-play script, so you shouldn't need to modify it at all. I've used it on v15.1.5 and v15.1.8.
------------------------------------------------------------------------------------------------------------------------
# Determines HA Status, creates variable, then loops through it on Active devices
bash
cd /var/tmp/# Static Variables
CREDS=admin# Writes HA Status to a file
tmsh show /cm failover-status | grep Status > /var/tmp/ha-status.txt
chmod 755 /var/tmp/ha-status.txt# Exits script if the HA Status file contains the string STANDBY
if grep -q STANDBY /var/tmp/ha-status.txt; then
exit
fi# Creates variable with list of policy hashes, then prints variable contents to txt file (excluding parent and default policies)
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[]
printf "$FILENAME\n" > /var/tmp/policy-hashes.txtFILENAME="policy-hashes.txt"
LINES=$(cat $FILENAME)# ASM - Enforces Ready Entities and Applies Policies - All Policies
for LINE in $LINES
do
curl -kvu $CREDS -X PATCH "https://localhost/mgmt/tm/asm/policies/$LINE/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true" -u $CREDS -k -v -H "Content-Type: application/json" -d '{"performStaging":false}' | jq .
LINK=\"https://localhost/mgmt/tm/asm/policies/$LINE\"
curl -kvu $CREDS POST https://localhost/mgmt/tm/asm/tasks/apply-policy -k -v -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": $LINK }}" | jq .
sleep 10s
done------------------------------------------------------------------------------------------------------------------------
If you want to exclude specific policies, such as a Parent or Template policy, you can change the line where the FILENAME variable is created to exclude those policies like this:
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | select(.name!="asm_parent") | select(.name!="asm_template") | .id')
DanSkowCirrus
CirrusGood morning,
I was able to run the Big-IQ script just now against my lab running v16.1.4.3 without any issues.
Are you running the script from the Big-IQ, or trying to run it locally on the Big-IP? If you're trying to run it locally on the Big-IP, you'll need to update the "CREDS=admin" line to include your admin password. For example, "CREDS=admin:password"
If your password has certain special characters, you'll have to escape them with a backslash. For example, "CREDS=admin:password\!"
If you're pushing it from the Big-IQ, you might be able to figure out the issue by looking at the Big-IQ script log. One common issue is not having Advanced Shell access for the admin user.
Let me know if you're able to find any logs related to the failure or any additional information on how you're running the script.
Thank you,
Dan
2Bs
Nimbostratus
NimbostratusHi Dan!
Thanks for your response.
When I try to run the script it does not show any output.
I run it directly from the BIGIP itself and do have special characters in the password so I added the backslash before each special character but I got the same result.
I am running BIGIP v16.1.4.1
- DanSkow
There's a couple different things that could be happening, so here's my recommendation for running it locally on the Big-IP:
- Update the password in the below version of the script, and save it to the Big-IP under /shared/scripts/asm-signature-enforcement.sh
- If there are policies to exclude, add them to the FILENAME line like I stated in my initial post
- Change file permissions using this command: chmod 700 /shared/scripts/asm-signature-enforcement.sh
- Execute the script from bash with this command: /shared/scripts/asm-signature-enforcement.sh
- Then just wait for the script to run through each of the policies. This will take several minutes depending on the number of policies and signatures being updated, but it will return you to the bash prompt when it's done. Script must be run on an Active device. The script exits if run on a Standby device.
I just verified this process on my v16.1.4.3 lab, so if it still fails I assume it's a password issue.
Logs for the failure might be found here: /var/log/restjavad.0.log
My first troubleshooting step for API issues is to run this command: tmsh restart sys service restjavad restnoded
----------------------------------------------------------------------------------------------
#!/bin/bash
# Determines HA Status, creates variable, then loops through it on Active devicescd /var/tmp
# Static Variables
CREDS=admin:password\!# Writes HA Status to a file
tmsh show /cm failover-status | grep Status > /var/tmp/ha-status.txt
chmod 755 /var/tmp/ha-status.txt# Exits script if the HA Status file contains the string STANDBY
if grep -q STANDBY /var/tmp/ha-status.txt; then
exit
fi# Creates variable with list of policy hashes, then prints variable contents to txt file (excluding parent and default policies)
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | .id')
printf "$FILENAME\n" > /var/tmp/policy-hashes.txtFILENAME="policy-hashes.txt"
LINES=$(cat $FILENAME)# ASM - Enforces Ready Entities and Applies Policies - All Policies
for LINE in $LINES
do
curl -kvu $CREDS -X PATCH "https://localhost/mgmt/tm/asm/policies/$LINE/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true" -u $CREDS -k -v -H "Content-Type: application/json" -d '{"performStaging":false}' | jq .
LINK=\"https://localhost/mgmt/tm/asm/policies/$LINE\"
curl -kvu $CREDS POST https://localhost/mgmt/tm/asm/tasks/apply-policy -k -v -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": $LINK }}" | jq .
sleep 10s
done