For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Dec 03, 2025
Solved

F5 AWAF/ASM Fails to update OpenAPI file through REST-API

Hello Everyone,   I followed Update an existing API security policy with a newer swagger file but this only works when creating a new policy not upgrading an existing one when you change the open...
asm
awaf
security
  • Juergen_Mang's avatar
    Juergen_Mang
    Dec 03, 2025

    I use this paylod for the POST request to /mgmt/tm/asm/tasks/import-open-api

    $swagger_file is the previous uploaded swagger file

    $waf_policy is /mgmt/tm/asm/policies/<policy hash>

    {
    apiType: "swagger",
    filename: $swagger_file,
    policyReference: {
        link: $waf_policy
    }
}

     

Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Dec 03, 2025

 

Yes thanks Juergen_Mang​  for some reason when using hash id then there is no issue! Why with F5 developers always do stuff like that no idea as in AS3 local traffic policies are called endpoint policies and here in some places you use the name and in others the hash 😑

  curl -sk -u xxx:xxxx1 \
  -X POST "https://xxxx/mgmt/tm/asm/tasks/import-open-api" \
  -H "Content-Type: application/json" \
  --data "{
    \"policyReference\": { 
      \"link\": \"/mgmt/tm/asm/policies/xxxxx\"
    },
    \"filename\": \"openapi.json\"
  }"
  

 

Also the need of 4 REST-API tasks.

 

First uploading the new file > then getting the hash id > then recreating the policy > then applying the policy 😁

Here is something from me about getting the ID from the name.

curl -sk -u xxx:'xxx' \
  "https://xxx/mgmt/tm/asm/policies?\$filter=fullPath+eq+'/Common/<policy name>'" \
  | sed -n 's/.*"id":"\([^"]*\)".*/\1/p'

 

I still think F5 could fix the option with the name as to not only create new policy but update the existing one as to have 3 REST API tasks and not 4.