Forum Discussion
Automate ASM "Ready to Be Enforced" Attack Signatures
- Feb 07, 2023
In case anyone is still looking for a way to do this, I created a Big-IQ script that can be pushed to your ASM devices. Here's what it does:
- It checks the HA status, and exits the script if the HA status is Standby
- It uses iControl REST to create a file that lists the policy hashes for each of your ASM policies
- It uses a bash for loop to loop through each of your ASM policy hashes, Enforces Ready Signatures for each policy, and applies each policy
This is a plug-n-play script, so you shouldn't need to modify it at all. I've used it on v15.1.5 and v15.1.8.
------------------------------------------------------------------------------------------------------------------------
# Determines HA Status, creates variable, then loops through it on Active devices
bash
cd /var/tmp/

# Static Variables
CREDS=admin

# Writes HA Status to a file
tmsh show /cm failover-status | grep Status > /var/tmp/ha-status.txt
chmod 755 /var/tmp/ha-status.txt

# Exits script if the HA Status file contains the string STANDBY
if grep -q STANDBY /var/tmp/ha-status.txt; then
  exit
fi

# Creates variable with list of policy hashes, then prints variable contents to txt file
# (to exclude parent and default policies, add the jq select() filters shown at the bottom of this post)
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | .id')
printf "$FILENAME\n" > /var/tmp/policy-hashes.txt
FILENAME="policy-hashes.txt"
LINES=$(cat $FILENAME)

# ASM - Enforces Ready Entities and Applies Policies - All Policies
# Note: curl -v echoes the request headers, including the Authorization header, into the script output; drop -v once the script is debugged
for LINE in $LINES
do
  curl -kvu $CREDS -X PATCH "https://localhost/mgmt/tm/asm/policies/$LINE/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true" -H "Content-Type: application/json" -d '{"performStaging":false}' | jq .
  LINK=\"https://localhost/mgmt/tm/asm/policies/$LINE\"
  curl -kvu $CREDS -X POST https://localhost/mgmt/tm/asm/tasks/apply-policy -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": $LINK }}" | jq .
  # Fixed wait between policies; the apply-policy task status is not checked here
  sleep 10s
done
------------------------------------------------------------------------------------------------------------------------
If you want to exclude specific policies, such as a Parent or Template policy, you can change the line where the FILENAME variable is created to exclude those policies like this:
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | select(.name!="asm_parent") | select(.name!="asm_template") | .id')
Hello,
Has anyone found out yet how this works in v17.1.x?
We're also trying to get the attack signatures with status "Ready to be Enforced", but for now we can only check the status "staging" and not in combination with "Ready to be Enforced", and K94215981 only goes up to v15.1.8.
It looks like the items "hasSuggestions" and "wasUpdatedWithinEnforcementReadinessPeriod" don't exist anymore in v17.1.x when you look at the signature items in the list you get from https://localhost/mgmt/tm/asm/policies/[policy-id]/signatures?
The script still works for me, and the "hasSuggestions" and "wasUpdatedWithinEnforcementReadinessPeriod" filters are still being used.
However, I'm now seeing that my original post was missing the ending to the FILENAME variable line. The explanation at the bottom of my post has the correct format, but the original script I posted is missing this part at the end of the FILENAME variable line: | .id')
Here is an updated version that just uses variables instead of creating files, which should work on both v15 and v17:
------------------------------------------------------------------------------------------------------------------------
# Determines HA Status, creates variable, then loops through it on Active devices
bash
# Static Variables
CREDS=admin
# Exit script on standby devices
haStatus=$(tmsh show /cm failover-status | grep Status)
if [[ $haStatus == *"STANDBY"* ]]; then
  exit
fi
# Creates variable with list of policy hashes
# (to exclude parent and default policies, add the jq select() filters shown in the original post)
LINES=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | .id')
# ASM - Enforces Ready Entities and Applies Policies - All Policies
# Note: curl -v echoes the request headers, including the Authorization header, into the script output; drop -v once the script is debugged
for LINE in $LINES
do
  curl -kvu $CREDS -X PATCH "https://localhost/mgmt/tm/asm/policies/$LINE/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true" -H "Content-Type: application/json" -d '{"performStaging":false}' | jq .
  LINK=\"https://localhost/mgmt/tm/asm/policies/$LINE\"
  curl -kvu $CREDS -X POST https://localhost/mgmt/tm/asm/tasks/apply-policy -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": $LINK }}" | jq .
  # Fixed wait between policies; the apply-policy task status is not checked here
  sleep 10s
done
------------------------------------------------------------------------------------------------------------------------
Additional Considerations:
- Exclude parent and default policies from LINES variable. See the bottom of my original post for details on how to do that
- When running this script from the Big-IQ, you'll want to increase the Device Timeout to 3600 so it doesn't time out halfway through the policies, especially if you have a lot of ASM policies
- If running this script locally on the F5's rather than from the Big-IQ, you'll need to make these changes to the script:
- Delete the "bash" line since you'll already be starting in bash when running the script locally
- Modify the CREDS variable to include the F5's admin password. Special characters may need to be escaped like this:
- CREDS=admin:password\!
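The workflow that both versions of the script above carry out, as an added Python example that is not part of either post and not F5's code. It uses only the standard library (urllib) so the HTTP layer can be swapped for a constructed in-memory stand-in (the FakeDevice class, with made-up policy IDs) and the whole flow exercised offline; on a real unit you would pass RestClient("localhost", "admin", password, verify=False) together with the text of tmsh show /cm failover-status. The endpoints and the OData filter are the ones the script uses. What is assumed, and should be checked against your version's REST output, is that apply-policy task objects carry "id" and "status", that "COMPLETED" and "FAILURE" are their terminal states, and that a PATCH on the filtered signature collection returns the updated items. The two differences from the script are that each apply-policy task is polled to completion rather than waited out with a fixed sleep, and that the password travels in a header instead of on the curl command line.

```python
"""Added example (not F5's code, not the forum script): the same enforce-then-
apply flow over iControl REST, polling each apply-policy task instead of a
fixed sleep. Assumed, verify on your version: tasks carry "id" and "status",
"COMPLETED"/"FAILURE" are terminal, and PATCH echoes the updated items."""
import base64
import json
import ssl
import time
import urllib.parse
import urllib.request

# Same OData filter as the forum script: no pending suggestions, past the
# enforcement-readiness period, still in staging.
READY_FILTER = ("hasSuggestions eq false AND "
                "wasUpdatedWithinEnforcementReadinessPeriod eq false AND "
                "performStaging eq true")

class RestClient:
    """Minimal iControl REST client; the password never appears in argv."""
    def __init__(self, host, user, password, verify=True):
        self.base = f"https://{host}/mgmt"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}
        self.ctx = ssl.create_default_context()
        if not verify:  # curl -k equivalent; only defensible for localhost
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def request(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base + path, data=data,
                                     headers=self.headers, method=method)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read())

def is_active(failover_status_text):
    """Parse 'tmsh show /cm failover-status' output; False on a STANDBY unit."""
    return "STANDBY" not in failover_status_text.upper()

def policy_ids(policies, exclude=()):
    """IDs from GET /tm/asm/policies, minus parent/template policies by name."""
    return [p["id"] for p in policies.get("items", [])
            if p.get("name") not in exclude]

def signatures_path(policy_id):
    """Collection URL with the filter; urlencode spells spaces as '+'."""
    query = urllib.parse.urlencode({"$select": "", "$filter": READY_FILTER})
    return f"/tm/asm/policies/{policy_id}/signatures?{query}"

def enforce_ready(client, policy_id):
    """Move every matching signature out of staging; returns the count changed."""
    result = client.request("PATCH", signatures_path(policy_id),
                            {"performStaging": False})
    return len(result.get("items", []))

def apply_policy(client, policy_id, timeout=600, interval=5.0):
    """Start an apply-policy task and poll until COMPLETED or FAILURE."""
    link = f"https://localhost/mgmt/tm/asm/policies/{policy_id}"
    task = client.request("POST", "/tm/asm/tasks/apply-policy",
                          {"policyReference": {"link": link}})
    deadline = time.monotonic() + timeout
    while task.get("status") not in ("COMPLETED", "FAILURE"):
        if time.monotonic() > deadline:
            raise TimeoutError(f"apply-policy {task['id']} did not finish")
        time.sleep(interval)
        task = client.request("GET", f"/tm/asm/tasks/apply-policy/{task['id']}")
    return task["status"]

def enforce_and_apply(client, failover_text,
                      exclude=("asm_parent", "asm_template"), interval=5.0):
    """Whole run: {} on a standby unit, else {policy_id: (count, task status)}."""
    if not is_active(failover_text):
        return {}
    policies = client.request("GET", "/tm/asm/policies")
    return {pid: (enforce_ready(client, pid),
                  apply_policy(client, pid, interval=interval))
            for pid in policy_ids(policies, exclude)}

class FakeDevice:
    """Constructed stand-in for a BIG-IP (offline demo, made-up IDs): two
    policies, one a parent, and an apply task that completes on the 2nd poll."""
    def __init__(self):
        self.polls, self.calls = 0, []

    def request(self, method, path, body=None):
        self.calls.append((method, path.split("?")[0]))
        if (method, path) == ("GET", "/tm/asm/policies"):
            return {"items": [{"id": "aaa111", "name": "web_app"},
                              {"id": "bbb222", "name": "asm_parent"}]}
        if method == "PATCH" and "/signatures?" in path:
            return {"items": [{"performStaging": False}] * 3}
        if (method, path) == ("POST", "/tm/asm/tasks/apply-policy"):
            self.polls = 0
            return {"id": "task1", "status": "NEW"}
        self.polls += 1  # GET /tm/asm/tasks/apply-policy/task1
        return {"id": "task1",
                "status": "COMPLETED" if self.polls >= 2 else "STARTED"}
```

On a unit, enforce_and_apply(RestClient("localhost", "admin", password, verify=False), subprocess.check_output(["tmsh", "show", "/cm", "failover-status"], text=True)) runs the same steps as the bash script; a FAILURE status in the returned dict tells you which policy's apply task needs a look, which the fixed 10 second sleep in the script cannot.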