AS3 Patch Declaration Not Deploying
I've been battling with this thing for a couple of weeks and cannot figure it out. Here is my declaration for the PATCH method allowing us to create one-off Virtual Servers inside of our F5.
```json
{
  "class": "AS3",
  "action": "patch",
  "patchBody": [
    {
      "op": "add",
      "path": "{{path}}",
      "value": {
        "class": "Application",
        "{{application_name}}": {
          "class": "Service_HTTPS",
          "virtualAddresses": {{virtual_address::array}},
          "pool": "{{pool_name}}",
          "serverTLS": "{{client_profile_name}}",
          "profileHTTP": "basic",
          "layer4": "tcp",
          "profileTCP": "normal",
          "enable": true,
          "snat": "auto"
        },
        "{{pool_name}}": {
          "class": "Pool",
          "monitors": [
            "tcp"
          ],
          "members": [{
            "servicePort": {{pool_port::integer}},
            "serverAddresses": {{server_addresses::array}},
            "loadBalancingMode": "round-robin"
          }]
        },
        "{{client_profile_name}}": {
          "class": "TLS_Server",
          "certificates": [{
            "certificate": "{{webcert}}"
          }]
        },
        "{{webcert}}": {
          "class": "Certificate",
          "remark": "in practice we recommend using a passphrase",
          "certificate": "{{cert_metadata}}",
          "privateKey": "{{key_metadata}}",
        }
      }
    }
  ]
}
```
Unfortunately we are running into this error here and I'm not understanding why. Any help is appreciated. Thank you.
ERROR: Failed to render template. Details:
Failed to get data from /mgmt/shared/fast/render?userAgent=FASTGUI/NA: 400 Bad Request
```text
{"code":400,"message":"request failed with null exception","originalRequestBody":"{\"code\":400,\"message\":\"Error: failed to render template: patch2/patch2\\nSyntaxError: Unexpected token , in JSON at position 811\\n at JSON.parse (<anonymous>)\\n at /var/config/rest/iapps/f5-appsvcs-templates/nodejs/fastWorker.js:1601:23\\n at /var/config/rest/iapps/f5-appsvcs-templates/node_modules/core-js/modules/es.promise.js:118:22\\n at flush (/var/config/rest/iapps/f5-appsvcs-templates/node_modules/core-js/internals/microtask.js:27:9)\\n at tryCatcher (/usr/share/rest/node/node_modules/bluebird/js/release/util.js:16:23)\\n at Promise._settlePromiseFromHandler (/usr/share/rest/node/node_modules/bluebird/js/release/promise.js:512:31)\\n at Promise._settlePromise (/usr/share/rest/node/node_modules/bluebird/js/release/promise.js:569:18)\\n at Promise._settlePromiseCtx (/usr/share/rest/node/node_modules/bluebird/js/release/promise.js:606:10)\\n at Async._drainQueue (/usr/share/rest/node/node_modules/bluebird/js/release/async.js:138:12)\\n at Async._drainQueues (/usr/share/rest/node/node_modules/bluebird/js/release/async.js:143:10)\\n at Immediate.Async.drainQueues (/usr/share/rest/node/node_modules/bluebird/js/release/async.js:17:14)\\n at runCallback (timers.js:794:20)\\n at tryOnImmediate (timers.js:752:5)\\n at processImmediate [as _immediateCallback] (timers.js:729:5)\\n at /var/config/rest/iapps/f5-appsvcs-templates/nodejs/fastWorker.js:1628:35\\n at /var/config/rest/iapps/f5-appsvcs-templates/node_modules/core-js/modules/es.promise.js:118:22\\n at flush (/var/config/rest/iapps/f5-appsvcs-templates/node_modules/core-js/internals/microtask.js:27:9)\\n at tryCatcher (/usr/share/rest/node/node_modules/bluebird/js/release/util.js:16:23)\\n at Promise._settlePromiseFromHandler (/usr/share/rest/node/node_modules/bluebird/js/release/promise.js:512:31)\\n at Promise._settlePromise (/usr/share/rest/node/node_modules/bluebird/js/release/promise.js:569:18)\\n at P
```
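The error above comes from the step where FAST renders the template and then hands the result to JSON.parse, so the text that fails is the rendered body, not the template as written. As an added example (not code from the post or from F5's FAST project), this Python checker mimics that render-then-parse step on a trimmed copy of the declaration above and turns the parser's character offset (what Node reports as "position N") into a line, a column and a hint; the renderer, the hint rules and the sample parameter values are assumptions made for the example.

```python
import json
import re
# Trimmed copy of the declaration posted above (trailing comma after privateKey kept).
TEMPLATE = """{
  "class": "Application",
  "{{application_name}}": {
    "class": "Service_HTTPS",
    "virtualAddresses": {{virtual_address::array}},
    "pool": "{{pool_name}}"
  },
  "{{webcert}}": {
    "class": "Certificate",
    "certificate": "{{cert_metadata}}",
    "privateKey": "{{key_metadata}}",
  }
}"""
# Constructed sample parameters (placeholder names, not real BIG-IP objects).
PARAMS = {"application_name": "app1", "virtual_address": ["10.0.0.10"], "pool_name": "pool1",
          "webcert": "webcert", "cert_metadata": "<cert>", "key_metadata": "<key>"}
VAR = re.compile(r"\{\{(\w+)(?:::(\w+))?\}\}")

def render(template, params):
    # Simplified stand-in for FAST's Mustache render (an assumption, not FAST's code): ::array and
    # ::integer variables are emitted as JSON, others as raw text, unset ones as "" like Mustache.
    def sub(m):
        name, kind = m.group(1), m.group(2)
        if name not in params:
            return ""
        return json.dumps(params[name]) if kind in ("array", "integer") else str(params[name])
    return VAR.sub(sub, template)

def diagnose(text):
    # None if text parses; else (line, col, hint) at the offset Node reports as "position N".
    try:
        json.loads(text)
        return None
    except json.JSONDecodeError as e:
        tok = text[e.pos] if e.pos < len(text) else "<end>"
        prev = text[:e.pos].rstrip()[-1:]
        if tok == ",":
            hint = "empty value before ',' (did a parameter render to nothing?)"
        elif tok in "}]" and prev == ",":
            hint = "trailing ',' before '%s'" % tok
        else:
            hint = e.msg
        return (e.lineno, e.colno, hint)

if __name__ == "__main__":
    print(diagnose(render(TEMPLATE, PARAMS)))  # the posted template: trailing comma
    print(diagnose(render(TEMPLATE, {k: v for k, v in PARAMS.items() if k != "virtual_address"})))
```

Running `diagnose` on the body your BIG-IP actually rendered maps the "position 811" in the error above to a line and column; the second call shows what an unquoted `::array` parameter that rendered empty looks like to the parser.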
Hi Jonathan_c,
Well,
I thought that you wanted to create these URLs as allowed.
> My recommendation is:
Ping in URLs or user requests does not make sense, and such requests should not be sent to the application, so create a disallowed wildcard URL.
Choose whether your application is HTTP or HTTPS, and it should be like this: " *ping* ". Or
you can create a custom attack signature that matches the word " Ping " and assign it to your impacted ASM policy.
If you want to test the custom ping attack signature, I can do it and send the results to you.
Or check this KB:
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-bot-and-attack-signatures-13-0-0/4.html
I hope it works for you.
Ty

Hi,
I gave the PING as an example from a true case we had, but it could be any type of code.
The issue is that our policy is whitelist based, and we have a bunch of URLs which we need to allow, like the one I wrote in the original post, but we still want to reject such attempts at code injection.
So on the one hand, we need the wildcard there, for subfolders and file names.
On the other hand, the wildcard allows the code injection...
Jonathan_c
Well, I think in this case you need to add all attack signature sets related to code injection, such as " server side code injections and ... more ", and make sure that you have enforced them all.
Or
> you can add all of these suspected codes as disallowed wildcard URLs, like we did with " *ping* ".
> Also, configure (HTTP protocol compliance and evasion technique) well in the ASM learning and blocking settings.
Because I think a request that looks like this " folder1/folder2/folder|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1`/folder3/styles.css " should be blocked by (HTTP protocol compliance or evasion technique).
> That was my opinion; I will do further tests in my test environment.
If I get an optimal solution that meets your needs, I will share it here directly. Thanks