For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Dec 03, 2025
Solved

F5 AWAF/ASM Fails to update OpenAPI file through REST-API

Hello Everyone,   I followed Update an existing API security policy with a newer swagger file but this only works when creating a new policy not upgrading an existing one when you change the open...
asm
awaf
security
  • Juergen_Mang's avatar
    Juergen_Mang
    Dec 03, 2025

    I use this paylod for the POST request to /mgmt/tm/asm/tasks/import-open-api

    $swagger_file is the previous uploaded swagger file

    $waf_policy is /mgmt/tm/asm/policies/<policy hash>

    {
    apiType: "swagger",
    filename: $swagger_file,
    policyReference: {
        link: $waf_policy
    }
}

     

Juergen_Mang's avatar
Juergen_Mang
Icon for MVP rankMVP
Dec 04, 2025

Hi Nik,

 

the policy hash can be simply calculated locally: https://my.f5.com/manage/s/article/K40414407

printf "%s" "$POLICY" | openssl dgst -md5 -binary | base64 | cut -c-22 | sed 'y/+\//-_/'

 

You can let the F5 fetch the OpenAPI file from a webserver, but I personally prefer also uploading the OpenAPI file.

Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Dec 04, 2025

When F5 calls it ID and not a hash adds confusion. Outside of that this is helpful still I need to check it as I wanted to run things with a k8s job and I may need to create a container that has curl + openssl will see if busybox can do it.