Forum Discussion

Walter_Kacynski
Cirrostratus
Jan 29, 2020

ng_export with Per Request Policies

Does anyone know if ng_export cli will work with per request policies (PRP).

Access Profile Export utility v14.1

Usage: ng_export [-t|-type access_policy] <name> <filename> [-p|-partition <partition>]

    exported profile would be saved as /shared/tmp/type-<filename>.conf.tar.gz

I've tried

ng_export -t per-rq-policy my-prp my-prp -p MyPartition

but it errors with:

Incorrect arguments: <type> "per-rq-policy" is not supported

Export works through the GUI, so I'm wondering if export was only implemented via the GUI/Java or if ng_export was updated with a special flag.

  • You can already do it with normal policies, no reverse engineering needed.

    https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html

    However that ID 755148 refers to API Protection policies. These are the same as PRPs, but they have a different "type" (I'm sure you noticed already).

    The other thing is:

    The way I do this usually when I'm creating labs or other material is to walk the configuration hierarchy (policy items, agents, policy, profile, customization groups) and then turn it into a pile of TMSH commands, then use the commands to create a policy. It's kind of fragile between versions, but mostly works fine.

  • Yeah, I was surprised when I installed 15.1 to find the "modern" customization option. I'm glad to see that it's based on Angular, as we have a lot of development using that stack. The old style was miserable to customize.

    One thing I love about ASM policies is that one can import/export/overwrite at will. This makes promotion VERY easy from NON-PROD to PROD. Granted, APM deals with more endpoint data like VPNs. However, when used in an LTM+APM mode for SSO processing the policy is not nearly as complicated.

    Thank you for your help on this.

  • I tried this in 15.1, and the GUI calls ng_export with "-t access_policy" rather than "-t per-rq-policy". It should probably work the same way in 14.1.

    Note that you're pretty much on your own with ng_export, but it's interesting people are using it directly!

    Thanks for the question.

  • Much to my surprise, ng_export is just a PHP script. Reading its contents, it doesn't look like support for per-request policies was ever added.

    My next option is to try and reverse engineer the GUI / HTTP calls to support programmatic access to the import/export function.

    I don't think there is a REST equivalent for profile import/export 😥

    If only RFE 755148 could be delivered soon...


  • I thought about just copying/pasting from bigip.conf directly. I don't know how to handle the customization groups, however; I just want all defaults.

    • Lucas_Thompson
      Employee

      Yeah it's a good question. Basically: Customization groups with default settings (you just create them with TMSH) already contain the default settings and will show the defaults.

      Customization was quite complex in versions prior to 15.1, but it's drastically simpler now.

      Here's an example of how to create a policy with TMSH that I use for lab testing; this one is an OAuth AS, but the procedure is basically the same for other types. The nice thing about TMSH's transaction approach is that you can do development easily and don't end up with orphan or extra objects, because the entire batch is verified by MCP at once rather than line by line. So, my development process (not ideal, but not too bad) is:

      1- Create policy manually on a test box with no policies.

      2- Do "tmsh list apm one-line >> (your file)" to grab out all the APM config (policies, customization, whatever)

      3- Do "tmsh list ltm one-line >> (your file)" to grab out the LTM configs (clientssl, vips, etc).

      4- Put these together into a pile of TMSH commands, similar to below.

      5- From CLI on another test box without the config, do: tmsh < (your tmsh commands file)

      6- If it works, great, if not, go figure out what the error is and fix it in the file.

      7- Repeat 5,6 until success.

      Example:

      create cli transaction
      create apm oauth oauth-scope /Common/scope-profile customization-group /Common/scope-profile_oauth_authz_scope_customization scope-name profile
      create apm oauth oauth-client-app myclientapp2 app-name myclientapp2 customization-group /Common/myclientapp2_oauth_authz_client_app_customization grant-code enabled redirect-uris replace-all-with { https://east.seattlehq.org/oauth/client/redirect }
      create apm policy access-policy myas_pol default-ending /Common/myas_end_deny items replace-all-with { /Common/myas_allow /Common/myas_end_deny /Common/myas_ent /Common/myas_mac } macros replace-all-with { /Common/myas_macro } start-item /Common/myas_ent
      create apm policy access-policy myas_macro caption myas_macro default-ending /Common/myas_macro_ter_deny items replace-all-with { /Common/myas_act_logon_page /Common/myas_macro_active-directory_auth /Common/myas_macro_ent_in /Common/myas_macro_oauth_authz /Common/myas_macro_ter_deny /Common/myas_macro_ter_out } start-item /Common/myas_macro_ent_in type macro
      create apm policy customization-group /Common/myas_act_logon_page source /Common/standard
      create apm policy customization-group /Common/myas_end_deny_ag_logout source /Common/standard type logout
      create apm policy customization-group /Common/myas_eps source /Common/standard type eps
      create apm policy customization-group /Common/myas_errormap source /Common/standard type errormap
      create apm policy customization-group /Common/myas_framework_installation source /Common/standard type framework-installation
      create apm policy customization-group /Common/myas_general_ui source /Common/standard type general-ui
      create apm policy customization-group /Common/myas_logout source /Common/standard type logout
      create apm policy customization-group /Common/myas_oauth_authz source /Common/standard type oauth-authz
      create apm policy customization-group /Common/myas_theirclientapp_oauth_authz_client_app_customization source /Common/standard type oauth-authz-client-app
      create apm policy customization-group /Common/myclientapp2_oauth_authz_client_app_customization source /Common/standard type oauth-authz-client-app
      create apm policy customization-group /Common/scope-profile_oauth_authz_scope_customization source /Common/standard type oauth-authz-scope
      create apm policy policy-item /Common/myas_act_logon_page agents replace-all-with { /Common/myas_act_logon_page_ag { type logon-page } } caption "Logon page" item-type action rules { { caption fallback next-item /Common/myas_macro_active-directory_auth } }
      create apm policy policy-item /Common/myas_allow agents replace-all-with { /Common/myas_allow_ag { type ending-allow } } caption Allow item-type ending
      create apm policy policy-item /Common/myas_end_deny agents replace-all-with { /Common/myas_end_deny_ag { type ending-deny } } caption Deny color 2 item-type ending
      create apm policy policy-item /Common/myas_ent caption Start rules { { caption fallback next-item /Common/myas_mac } }
      create apm policy policy-item /Common/myas_mac caption myas_macro item-type macro-call macro /Common/myas_macro rules { { caption Deny next-item /Common/myas_end_deny } { caption Out next-item /Common/myas_allow } }
      create apm policy policy-item /Common/myas_macro_active-directory_auth agents replace-all-with { /Common/myas_active-directory_auth_ag { type aaa-active-directory } } caption "AD Auth" item-type action rules { { caption Successful expression "expr { [mcget {session.ad.last.authresult}] == 1}" next-item /Common/myas_macro_oauth_authz } { caption fallback next-item /Common/myas_macro_ter_deny } }
      create apm policy policy-item /Common/myas_macro_ent_in caption In rules { { caption fallback next-item /Common/myas_act_logon_page } }
      create apm policy policy-item /Common/myas_macro_oauth_authz agents replace-all-with { /Common/myas_macro_oauth_authz_ag { type oauth-authz } } caption "OAuth Authorization" item-type action rules { { caption Successful expression "expr {[mcget {session.oauth.authz.last.result}] == 1}" next-item /Common/myas_macro_ter_out } { caption fallback next-item /Common/myas_macro_ter_deny } }
      create apm policy policy-item /Common/myas_macro_ter_deny caption Deny color 2 item-type terminal-out
      create apm policy policy-item /Common/myas_macro_ter_out caption Out item-type terminal-out
      create apm policy agent aaa-active-directory /Common/myas_active-directory_auth_ag server none type auth
      create apm policy agent ending-allow /Common/myas_allow_ag
      create apm policy agent ending-deny /Common/myas_end_deny_ag customization-group /Common/myas_end_deny_ag_logout
      create apm policy agent logon-page /Common/myas_act_logon_page_ag customization-group /Common/myas_act_logon_page
      create apm policy agent oauth-authz /Common/myas_macro_oauth_authz_ag customization-group /Common/myas_oauth_authz
      create apm profile oauth /Common/myas_oauthProfile client-apps replace-all-with { /Common/theirclientapp } db-instance /Common/oauthdb jwt-token disabled opaque-token enabled resource-servers replace-all-with { /Common/myas_myresourceserver }
      create ltm virtual /Common/myas_vs destination /Common/10.11.10.165:443 ip-protocol tcp mask 255.255.255.255 profiles replace-all-with { /Common/http { } /Common/myas_prof { } /Common/clientssl { context clientside } /Common/tcp { } /Common/websso { } } source 0.0.0.0/0 source-address-translation { type automap } translate-address disabled translate-port enabled
      create apm oauth oauth-client-app /Common/theirclientapp app-name theirclientapp customization-group /Common/myas_theirclientapp_oauth_authz_client_app_customization grant-code enabled redirect-uris replace-all-with { https://east.seattlehq.org }
      create apm oauth oauth-resource-server /Common/myas_myresourceserver auth-type secret
      create apm profile access /Common/myas_prof accept-languages replace-all-with { en } access-policy /Common/myas_pol access-policy-timeout 300 customization-group /Common/myas_logout default-language en defaults-from /Common/access eps-group /Common/myas_eps errormap-group /Common/myas_errormap framework-installation-group /Common/myas_framework_installation general-ui-group /Common/myas_general_ui inactivity-timeout 900 log-settings replace-all-with { /Common/default-log-setting } max-concurrent-sessions 0 max-concurrent-users 0 max-failure-delay 5 max-in-progress-sessions 128 max-session-timeout 604800 min-failure-delay 2 oauth-profile /Common/myas_oauthProfile restrict-to-single-client-ip false use-http-503-on-error false user-identity-method http
      submit cli transaction

      I'd like to know if this kind of approach makes sense, or is helpful in your case.
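The "walk the hierarchy and turn it into a pile of TMSH commands" approach from the reply above, as an added Python example that is not part of the original thread: it rewrites records in the shape of `tmsh list ... one-line` output into a create-transaction and lists every /Partition/name a record references that the batch never creates (objects that must already exist on the target box, or typos that would otherwise only fail at `submit cli transaction`). The sample records are constructed, not captured from a device, and the one-line record shape assumed is `module component name { properties }`.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the shape of 'tmsh list apm one-line' output (not captured from a device);
# /Common/lab_logout is referenced but never created, a mismatch that otherwise only fails at submit.
SAMPLE_ONE_LINE = """\
apm policy policy-item /Common/lab_ent { caption Start rules { { caption fallback next-item /Common/lab_allow } } }
apm policy policy-item /Common/lab_allow { agents { /Common/lab_allow_ag { type ending-allow } } caption Allow item-type ending }
apm policy agent ending-allow /Common/lab_allow_ag { }
apm policy access-policy /Common/lab_pol { default-ending /Common/lab_allow items { /Common/lab_ent /Common/lab_allow } start-item /Common/lab_ent }
apm profile access /Common/lab_prof { access-policy /Common/lab_pol customization-group /Common/lab_logout defaults-from /Common/access }
"""
OBJ_REF = re.compile(r"/[A-Za-z0-9_.-]+/[A-Za-z0-9_.:-]+")  # /Partition/name tokens

def split_record(line: str):
    """(type tokens, name, body): name is the token before the first '{', body sits inside the outer braces."""
    head, _, rest = line.partition("{")
    tokens = head.split()
    if len(tokens) < 2 or not rest.rstrip().endswith("}"):
        raise ValueError(f"not a one-line record: {line!r}")
    return tokens[:-1], tokens[-1], rest.rstrip()[:-1].strip()

def qualify(name: str, partition: str = "Common") -> str:
    """A name without a partition path lives in /Common by default."""
    return name if name.startswith("/") else f"/{partition}/{name}"

def to_transaction(listing: str) -> List[str]:
    """Rewrite each record as a 'create' inside one CLI transaction, so MCP validates the batch at submit."""
    cmds = ["create cli transaction"]
    for line in filter(str.strip, listing.splitlines()):
        type_tokens, name, body = split_record(line)
        cmds.append(" ".join(["create", *type_tokens, name, body]).rstrip())
    cmds.append("submit cli transaction")
    return cmds

def dangling_refs(listing: str) -> Dict[str, Set[str]]:
    """Referenced /Partition/name -> referencing objects, for names this batch never creates (by name, not type)."""
    created: Set[str] = set()
    refs: Dict[str, Set[str]] = {}
    for line in filter(str.strip, listing.splitlines()):
        _, name, body = split_record(line)
        created.add(qualify(name))
        for ref in OBJ_REF.findall(body):
            refs.setdefault(ref, set()).add(qualify(name))
    return {ref: users for ref, users in refs.items() if ref not in created}

if __name__ == "__main__":
    print("\n".join(to_transaction(SAMPLE_ONE_LINE)))
    for ref, users in sorted(dangling_refs(SAMPLE_ONE_LINE).items()):
        print(f"# not created in this batch: {ref} <- {', '.join(sorted(users))}")
```

Running the report before `tmsh < file` on the second box tells you which names in the dangling list are expected pre-existing objects (such as /Common/access) and which are the renaming slips step 6 would otherwise have you chase one error at a time.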


  • I see, so you would use a lab box exclusively. The only challenge is that once this config is live on a box, making changes becomes difficult, as one would have to change all virtuals referencing the updated profile(s).

    I'm going to 15.1 ASAP; is there something that is notably different for profile duplication?

    It would REALLY be awesome if access profiles worked like ASM policies. A single XML file with all the customization groups.

    • Lucas_Thompson
      Employee

      Agreed, yeah, it would be nice. APM's schema is pretty complicated compared to ASM. But in the end these are all MCP objects that you can create with TMSH (aside from the files that appear in the cache-path of various MCP objects).

      15.1 brings a much more effective customization system that has a better separation of code and content, so instead of re-writing existing pages you just use CSS overrides in "user-*" files in customization groups.

      15.1's login pages, message boxes, and webtop also use Angular now instead of the proprietary mechanism used in older versions. So an Angular dev should be able to easily customize.

      We're working on a customization example guide and hope to have it published on clouddocs (or here) in the next month or so.

  • Alas, ng_export, ng_import and ng_profile have two "-t" options:

    -t access_policy = per-Request policies

    -t profile_access = per-Session policies

    I don't know who comes up with these names, but I was able to generate tarballs of both types 😁

    Also, the help text for ng_export is not complete, so reading the PHP utilities is somewhat helpful, as there is parameter validation.