Forum Discussion
Automate ASM "Ready to Be Enforced" Attack Signatures
- Feb 07, 2023
In case anyone is still looking for a way to do this, I created a Big-IQ script that can be pushed to your ASM devices. Here's what it does:
- It checks the HA status, and exits the script if the HA status is Standby
- It uses iControl REST to create a file that lists the policy hashes for each of your ASM policies
- It uses a bash for loop to loop through each of your ASM policy hashes, enforces Ready Signatures for each policy, and applies each policy
This is a plug-n-play script, so you shouldn't need to modify it at all. I've used it on v15.1.5 and v15.1.8.
------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
# Determines HA Status, creates variable, then loops through it on Active devices
cd /var/tmp/

# Static Variables
# curl -u with only a user name prompts for the password; use admin:<password> to run unattended
CREDS=admin

# Writes HA Status to a file
tmsh show /cm failover-status | grep Status > /var/tmp/ha-status.txt
chmod 755 /var/tmp/ha-status.txt

# Exits script if the HA Status file contains the string STANDBY
if grep -q STANDBY /var/tmp/ha-status.txt; then
    exit
fi

# Creates variable with list of policy hashes, then prints variable contents to txt file
# (the tail of this jq expression was cut off in the post; reconstructed from the exclusion variant shown below)
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | .id')
printf "$FILENAME\n" > /var/tmp/policy-hashes.txt
FILENAME="policy-hashes.txt"
LINES=$(cat $FILENAME)

# ASM - Enforces Ready Entities and Applies Policies - All Policies
# -k accepts the self-signed certificate on localhost; -v prints the request/response on stderr
for LINE in $LINES
do
    curl -kvu $CREDS -X PATCH "https://localhost/mgmt/tm/asm/policies/$LINE/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true" -H "Content-Type: application/json" -d '{"performStaging":false}' | jq .
    LINK=\"https://localhost/mgmt/tm/asm/policies/$LINE\"
    curl -kvu $CREDS -X POST https://localhost/mgmt/tm/asm/tasks/apply-policy -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": $LINK }}" | jq .
    # apply-policy runs as an asynchronous task; give it time before the next policy
    sleep 10s
done
------------------------------------------------------------------------------------------------------------------------
If you want to exclude specific policies, such as a Parent or Template policy, you can change the line where the FILENAME variable is created to exclude those policies like this:
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | select(.name!="asm_parent") | select(.name!="asm_template") | .id')
Hello,
Has anyone found out yet how this works in v17.1.x?
We're also trying to get the attack signatures with status "Ready to be Enforced", but for now we can only check the status "staging" and not in combination with "Ready to be Enforced", and K94215981 only goes up to v15.1.8.
It looks like the items "hasSuggestions" and "wasUpdatedWithinEnforcementReadinessPeriod" don't exist anymore in v17.1.x when you look at the signature items in the list you get from https://localhost/mgmt/tm/asm/policies/[policy-id]/signatures?
Hello,
If you use
https://localhost/mgmt/tm/asm/policies/[policy-id]/signatures?$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+true&$top=1
You will see the first signature result showed as something like :
{
  "hasSuggestions": false,
  "isInherited": true,
  "lastUpdateMicros": 1.738315306e+15,
  "kind": "tm:asm:policies:signatures:signaturestate",
  "selfLink": "https://localhost/mgmt/tm/asm/policies/3QzapERGGfTUVBI6Hxs-qg/signatures/amSV16c_VltvPV2ipzycCw?ver=17.1.2",
  "signatureReference": {
    "link": "https://localhost/mgmt/tm/asm/signatures/iSs1nGK_jlGi14pryZi0qA?ver=17.1.2",
    "isUserDefined": false,
    "name": "Unicode Fullwidth ASCII variant",
    "signatureId": 299999999
  },
  "wasUpdatedWithinEnforcementReadinessPeriod": true,
  "isPriorRuleEnforced": false,
  "performStaging": false,
  "id": "amSV16c_VltvPV2ipzycCw",
  "alarm": true,
  "block": true,
  "enabled": true,
  "learn": true
}
That shows the items "hasSuggestions" and "wasUpdatedWithinEnforcementReadinessPeriod" and their values.
- JamesWi, Jan 31, 2025
Thank you, I just found out this morning myself how the $filter works exactly.
I did the exact same thing you're describing and got it working in my Ansible task now (something I forgot to mention):

- name: reporting_attack_signatures | Get Attack Signatures that are Ready to be Enforced
  ansible.builtin.uri:
    # URL kept on one line: a folded (>) scalar would join the two halves with a space
    url: "https://{{ inventory_hostname }}/mgmt/tm/asm/policies/{{ list_policy_asm_item.id }}/signatures/?$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false"
    method: GET
    user: "{{ ansible_user }}"
    password: "{{ ansible_password }}"
    force_basic_auth: true
    status_code: 200
  register: results_policy_signatures
  delegate_to: localhost
  loop: "{{ list_policy_asm }}"
  loop_control:
    loop_var: list_policy_asm_item
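Added example (not code from any post in this thread): a client-side version of the procedure the first post's script performs with a server-side $filter, and of the "ready to be enforced" report the Ansible task above collects. It makes the same three-way decision (staged, no open learning suggestions, past the enforcement-readiness period) over signature-state records in the shape of the JSON shown above, builds the PATCH and apply-policy calls without sending them, so the plan doubles as a dry run, and only applies a policy that actually changed. Assumptions that are this example's own and not from the thread: the function names, the constructed sample policies and signature states, the approximate `tmsh show /cm failover-status` text, and the choice to PATCH each signature by its own path (the selfLink form in the JSON above) instead of one filtered PATCH on the collection. A record that lacks the readiness fields, as the v17.1.x question describes, is deliberately never treated as ready, so nothing gets enforced by accident when the API shape differs.

```python
"""Plan "enforce ready signatures" over ASM signature-state JSON (added example)."""
import base64
import json
import ssl
import urllib.request

BASE = "https://localhost/mgmt/tm/asm"

# Server-side equivalent of ready_to_enforce(), as used by the script's filtered PATCH.
READY_FILTER = ("hasSuggestions+eq+false+AND+"
                "wasUpdatedWithinEnforcementReadinessPeriod+eq+false+AND+performStaging+eq+true")

# Constructed approximation of `tmsh show /cm failover-status` output.
FAILOVER_ACTIVE = "CM::Failover Status\nColor     green\nStatus    ACTIVE\nSummary   1/1 active\n"
FAILOVER_STANDBY = FAILOVER_ACTIVE.replace("ACTIVE", "STANDBY")

# Constructed sample policies and signature states (only the fields the decision uses).
# "sigNoFields" mimics a record without the readiness fields (the v17.1.x question).
SAMPLE_POLICIES = [
    {"id": "policyA", "name": "web_app"},
    {"id": "policyB", "name": "legacy_app"},
    {"id": "policyP", "name": "asm_parent"},
]
SAMPLE_SIGNATURES = {
    "policyA": [
        {"id": "sigReady", "performStaging": True, "hasSuggestions": False,
         "wasUpdatedWithinEnforcementReadinessPeriod": False},
        {"id": "sigRecent", "performStaging": True, "hasSuggestions": False,
         "wasUpdatedWithinEnforcementReadinessPeriod": True},   # still inside readiness period
        {"id": "sigNoFields", "performStaging": True},
    ],
    "policyB": [
        {"id": "sigSuggest", "performStaging": True, "hasSuggestions": True,
         "wasUpdatedWithinEnforcementReadinessPeriod": False},  # open learning suggestion
        {"id": "sigEnforced", "performStaging": False, "hasSuggestions": False,
         "wasUpdatedWithinEnforcementReadinessPeriod": False},  # already enforced
    ],
    "policyP": [
        {"id": "sigParentReady", "performStaging": True, "hasSuggestions": False,
         "wasUpdatedWithinEnforcementReadinessPeriod": False},  # excluded: parent policy
    ],
}


def is_active(failover_status_text):
    """Same test as the script's grep: the Status line must not say STANDBY."""
    for line in failover_status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "Status":
            return parts[1].upper() != "STANDBY"
    raise ValueError("no Status line in failover-status output")


def ready_to_enforce(sig):
    """Staged, no suggestions, past the readiness period; missing fields mean 'not ready'."""
    return (sig.get("performStaging") is True
            and sig.get("hasSuggestions") is False
            and sig.get("wasUpdatedWithinEnforcementReadinessPeriod") is False)


def plan_enforcement(policies, signatures_by_policy, exclude=("asm_parent", "asm_template")):
    """One PATCH per ready signature, then one apply-policy POST per policy that changed."""
    calls = []
    for pol in policies:
        if pol["name"] in exclude:
            continue
        ready = [s for s in signatures_by_policy.get(pol["id"], []) if ready_to_enforce(s)]
        for s in ready:
            calls.append({"method": "PATCH",
                          "url": f"{BASE}/policies/{pol['id']}/signatures/{s['id']}",
                          "body": {"performStaging": False}})
        if ready:  # do not apply (and re-compile) a policy nothing changed in
            calls.append({"method": "POST", "url": f"{BASE}/tasks/apply-policy",
                          "body": {"policyReference": {"link": f"{BASE}/policies/{pol['id']}"}}})
    return calls


def send(call, creds, verify_tls=True):
    """Send one planned call with basic auth. verify_tls=False is the -k of the curl
    lines above and is only appropriate for the self-signed certificate on localhost."""
    auth = base64.b64encode(creds.encode()).decode()
    req = urllib.request.Request(call["url"], data=json.dumps(call["body"]).encode(),
                                 method=call["method"],
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Basic {auth}"})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    if not is_active(FAILOVER_ACTIVE):
        raise SystemExit("standby unit, nothing to do")
    for call in plan_enforcement(SAMPLE_POLICIES, SAMPLE_SIGNATURES):  # dry run
        print(call["method"], call["url"], json.dumps(call["body"]))
    # Real run on a BIG-IP: send(call, "admin:<password>", verify_tls=False) per call
```

Run as-is it prints the dry-run plan for the sample data: a single PATCH for sigReady in policyA followed by one apply-policy POST for policyA, nothing for policyB, and nothing for the excluded parent policy. To act on a live unit, fetch `/mgmt/tm/asm/policies` and each policy's `/signatures` collection with `send`-style GETs, feed the results to `plan_enforcement`, and only then pass each planned call to `send`.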