Forum Discussion
Automate ASM "Ready to Be Enforced" Attack Signatures
- Feb 07, 2023
In case anyone is still looking for a way to do this, I created a Big-IQ script that can be pushed to your ASM devices. Here's what it does:
- It checks the HA status, and exits the script if the HA status is Standby
- It uses iControl REST to create a file that lists the policy hashes for each of your ASM policies
- It uses a bash for loop to loop through each of your ASM policy hashes, enforces ready signatures for each policy, and applies each policy
This is a plug-n-play script, so you shouldn't need to modify it at all. I've used it on v15.1.5 and v15.1.8.
------------------------------------------------------------------------------------------------------------------------
```bash
#!/bin/bash
# Determines HA status, exits on a standby unit, then loops through every ASM
# policy on the active unit: enforce ready signatures and apply the policy.
cd /var/tmp/

# Static variables (curl -u with only a user name prompts for the password;
# use user:password or a .netrc file when this runs unattended)
CREDS=admin

# Writes HA status to a file
tmsh show /cm failover-status | grep Status > /var/tmp/ha-status.txt
chmod 755 /var/tmp/ha-status.txt

# Exits the script if the HA status file contains the string STANDBY
if grep -q STANDBY /var/tmp/ha-status.txt; then
  exit
fi

# Creates a variable with the list of policy hashes (ids), then prints it to a
# txt file; all policies are included here, see the note on exclusions below
FILENAME=$(curl -ksu $CREDS https://localhost/mgmt/tm/asm/policies | jq -r '.items[] | .id')
printf "%s\n" "$FILENAME" > /var/tmp/policy-hashes.txt
FILENAME="policy-hashes.txt"
LINES=$(cat $FILENAME)

# ASM - enforces ready entities and applies policies - all policies
for LINE in $LINES
do
  # Un-stage (enforce) only the signatures that are staged, have no suggestions
  # and are past the enforcement readiness period
  curl -ksu $CREDS -X PATCH "https://localhost/mgmt/tm/asm/policies/$LINE/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true" -H "Content-Type: application/json" -d '{"performStaging":false}' | jq .
  # Apply the policy so the change takes effect, then give the apply task time to run
  LINK="https://localhost/mgmt/tm/asm/policies/$LINE"
  curl -ksu $CREDS -X POST https://localhost/mgmt/tm/asm/tasks/apply-policy -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": \"$LINK\"}}" | jq .
  sleep 10s
done
```
------------------------------------------------------------------------------------------------------------------------
If you want to exclude specific policies, such as a Parent or Template policy, you can change the line where the FILENAME variable is created to exclude those policies like this:
```bash
FILENAME=$(curl -ksu $CREDS https://localhost/mgmt/tm/asm/policies | jq -r '.items[] | select(.name!="asm_parent") | select(.name!="asm_template") | .id')
```
Hello,
If you use
https://localhost/mgmt/tm/asm/policies/[policy-id]/signatures?$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+true&$top=1
you will see the first signature result shown as something like:
```json
{
  "hasSuggestions": false,
  "isInherited": true,
  "lastUpdateMicros": 1.738315306e+15,
  "kind": "tm:asm:policies:signatures:signaturestate",
  "selfLink": "https://localhost/mgmt/tm/asm/policies/3QzapERGGfTUVBI6Hxs-qg/signatures/amSV16c_VltvPV2ipzycCw?ver=17.1.2",
  "signatureReference": {
    "link": "https://localhost/mgmt/tm/asm/signatures/iSs1nGK_jlGi14pryZi0qA?ver=17.1.2",
    "isUserDefined": false,
    "name": "Unicode Fullwidth ASCII variant",
    "signatureId": 299999999
  },
  "wasUpdatedWithinEnforcementReadinessPeriod": true,
  "isPriorRuleEnforced": false,
  "performStaging": false,
  "id": "amSV16c_VltvPV2ipzycCw",
  "alarm": true,
  "block": true,
  "enabled": true,
  "learn": true
}
```
That shows the items "hasSuggestions" and "wasUpdatedWithinEnforcementReadinessPeriod" and their values.
Thank you, I just found out this morning myself how the $filter works exactly.
I did the exact same thing you're telling and got it working in my Ansible task now (something I forgot to mention):
```yaml
- name: reporting_attack_signatures | Get Attack Signatures that are Ready to be Enforced
  ansible.builtin.uri:
    # one quoted scalar: a folded (>) block would insert whitespace between the path and the query string
    url: "https://{{ inventory_hostname }}/mgmt/tm/asm/policies/{{ list_policy_asm_item.id }}/signatures/?$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false"
    method: GET
    user: "{{ ansible_user }}"
    password: "{{ ansible_password }}"
    force_basic_auth: true
    # validate_certs defaults to true; set it to false only for lab devices with self-signed certificates
    status_code: 200
  register: results_policy_signatures
  delegate_to: localhost
  loop: "{{ list_policy_asm }}"
  loop_control:
    loop_var: list_policy_asm_item
```
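The whole flow discussed in this thread (the script's HA check, policy listing, PATCH of the filtered signature collection and apply-policy call, the $filter semantics shown in the JSON reply, and the GET the Ansible task performs), as one added example in Python that is not code from any of the posts. It assumes a `send(method, path, body)` transport; the `FakeBigIp` device, its policy names, the signature ids other than the two taken from the JSON sample above, the failover-status text and the shape of the apply-policy task response (`id` plus a `status` that ends in COMPLETED or FAILURE) are constructed assumptions. It deliberately differs from the script in two places: it polls the apply-policy task rather than sleeping ten seconds, and it skips the apply step for a policy that has nothing ready.

```python
"""Enforce ASM attack signatures that are 'ready to be enforced' over iControl REST.

Added example, not the script from the thread. The REST transport is a callable
send(method, path, body) -> dict, so the flow runs offline against the constructed
FakeBigIp below and against a real device through urllib_sender().
"""
import base64
import json
import ssl
import time
import urllib.request

BASE = "/mgmt/tm/asm"

# The OData filter from the original PATCH call, verbatim ('+' stands for a space).
READY_FILTER = ("hasSuggestions+eq+false+AND+"
                "wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+"
                "performStaging+eq+true")


def is_ready_to_enforce(sig):
    """Client-side equivalent of READY_FILTER on one signature-state record."""
    return (sig["hasSuggestions"] is False
            and sig["wasUpdatedWithinEnforcementReadinessPeriod"] is False
            and sig["performStaging"] is True)


def is_standby(failover_status_text):
    """Same test as the script's grep on 'tmsh show /cm failover-status' output."""
    return "STANDBY" in failover_status_text


def wait_for_task(send, task_id, interval, max_polls=60):
    """Poll the apply-policy task instead of sleeping a fixed 10 s. Assumption:
    the task resource carries a 'status' that ends in COMPLETED or FAILURE."""
    for _ in range(max_polls):
        status = send("GET", f"{BASE}/tasks/apply-policy/{task_id}", None)["status"]
        if status in ("COMPLETED", "FAILURE"):
            return status
        time.sleep(interval)
    return "TIMEOUT"


def enforce_ready_signatures(send, failover_status_text,
                             exclude=("asm_parent", "asm_template"), poll_interval=2.0):
    """Returns {policy name: (signatures enforced, apply status)}; {} on a standby unit.
    A policy with nothing ready is reported as 'skipped' and not re-applied."""
    if is_standby(failover_status_text):
        return {}
    report = {}
    for pol in send("GET", f"{BASE}/policies", None)["items"]:
        if pol["name"] in exclude:
            continue
        sig_path = f"{BASE}/policies/{pol['id']}/signatures?$filter={READY_FILTER}"
        ready = send("GET", sig_path, None).get("items", [])   # what the Ansible task reports
        if not ready:
            report[pol["name"]] = (0, "skipped")
            continue
        send("PATCH", sig_path, {"performStaging": False})     # enforce = leave staging
        link = f"https://localhost{BASE}/policies/{pol['id']}"
        task = send("POST", f"{BASE}/tasks/apply-policy", {"policyReference": {"link": link}})
        report[pol["name"]] = (len(ready), wait_for_task(send, task["id"], poll_interval))
    return report


def urllib_sender(host, user, password, verify_tls=True):
    """Real transport: HTTPS with basic auth. Keep verify_tls=True in production;
    the script's curl -k disables certificate checking entirely."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, path, body):
        req = urllib.request.Request(
            f"https://{host}{path}", method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    return send


def _sig(sig_id, *, staged, settled, suggestions=False):
    """Constructed signature-state record using the fields from the thread's JSON."""
    return {"id": sig_id, "performStaging": staged, "hasSuggestions": suggestions,
            "wasUpdatedWithinEnforcementReadinessPeriod": not settled}


class FakeBigIp:
    """Constructed stand-in for a device: answers only the calls used above and
    always applies READY_FILTER to the signature collection. Records every call."""
    def __init__(self):
        self.calls = []
        self.policies = {
            "3QzapERGGfTUVBI6Hxs-qg": {"name": "app1", "signatures": [
                _sig("amSV16c_VltvPV2ipzycCw", staged=True, settled=True),  # ready
                _sig("sig-recent", staged=True, settled=False),             # still in readiness period
                _sig("sig-live", staged=False, settled=True)]},             # already enforced
            "pol-app2": {"name": "app2", "signatures": [_sig("sig-live2", staged=False, settled=True)]},
            "pol-parent": {"name": "asm_parent", "signatures": [_sig("sig-p", staged=True, settled=True)]},
        }

    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        if method == "GET" and path == f"{BASE}/policies":
            return {"items": [{"id": i, "name": p["name"]} for i, p in self.policies.items()]}
        if "/signatures?" in path:
            pid = path.split("/policies/")[1].split("/")[0]
            ready = [s for s in self.policies[pid]["signatures"] if is_ready_to_enforce(s)]
            if method == "PATCH":
                for s in ready:
                    s.update(body)
            return {"items": ready, "totalItems": len(ready)}
        if method == "POST" and path.endswith("/tasks/apply-policy"):
            return {"id": "task-1", "status": "NEW"}
        if method == "GET" and "/tasks/apply-policy/" in path:
            return {"id": "task-1", "status": "COMPLETED"}
        raise ValueError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    # Constructed excerpt of 'tmsh show /cm failover-status' output from the active unit.
    print(enforce_ready_signatures(FakeBigIp(), "Status  ACTIVE\nSummary 1/1 active\n", poll_interval=0))
```

Against a real unit, pass `urllib_sender(host, user, password)` as `send` and the captured output of `tmsh show /cm failover-status` as the status text; leave `verify_tls` on rather than reproducing the script's `curl -k`, and run it from the active unit only, as the script does.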