Forum Discussion
Walter_Kacynski
Cirrostratus
Cirrostratusng_export with Per Request Policies
Does anyone know if ng_export cli will work with per request policies (PRP). Access Profile Export utility v14.1 Usage: ng_export [-t|-type access_policy] <name> <filename> [-p|-partition <pa...
You can already do it with normal policies, no reverse engineering needed.
However that ID 755148 refers to API Protection policies. These are the same as PRPs, but they have a different "type" (I'm sure you noticed already).
The other thing is:
The way I do this usually when I'm creating labs or other material is to walk the configuration hirearchy (policy items, agents, policy, profile, customization groups) and then turn it into a pile of TMSH commands, then use the commands to create a policy. It's kind of fragile between versions, but mostly works fine.
Walter_KacynskiCirrostratus
CirrostratusI thought about just copying/pasting from bigip.conf directly. I don't know how to handle the customization groups however, I just want all defaults.
- Lucas_Thompson
Employee
Yeah it's a good question. Basically: Customization groups with default settings (you just create them with TMSH) already contain the default settings and will show the defaults.
Customization was quite complex in versions prior to 15.1, but it's drastically simpler now.
Here's an example of how to create a policy with TMSH that I use for lab testing, this one is an OAuth AS, but the procedure is basically the same for other types. The nice thing about TMSH's transaction approach is that you can do development easily and don't end up with orphan or extra objects because the entire batch is verified by MCP at once rather than line-by-line. So, my process (not ideal, but not too bad) development is:
1- Create policy manually on a test box with no policies.
2- Do "tmsh list apm one-line >> (your file)" to grab out all the APM config (policies, customization, whatever)
3- Do "tmsh list ltm one-line >> (your file)" to grab out the LTM configs (clientssl, vips, etc).
4- Put these together into a pile of TMSH commands, similar to below.
5- From CLI on another test box without the config, do: tmsh < (your tmsh commands file)
6- If it works, great, if not, go figure out what the error is and fix it in the file.
7- Repeat 5,6 until success.
example:
create cli transaction create apm oauth oauth-scope /Common/scope-profile customization-group /Common/scope-profile_oauth_authz_scope_customization scope-name profile create apm oauth oauth-client-app myclientapp2 app-name myclientapp2 customization-group /Common/myclientapp2_oauth_authz_client_app_customization grant-code enabled redirect-uris replace-all-with { https://east.seattlehq.org/oauth/client/redirect } create apm policy access-policy myas_pol default-ending /Common/myas_end_deny items replace-all-with { /Common/myas_allow /Common/myas_end_deny /Common/myas_ent /Common/myas_mac } macros replace-all-with { /Common/myas_macro } start-item /Common/myas_ent create apm policy access-policy myas_macro caption myas_macro default-ending /Common/myas_macro_ter_deny items replace-all-with { /Common/myas_act_logon_page /Common/myas_macro_active-directory_auth /Common/myas_macro_ent_in /Common/myas_macro_oauth_authz /Common/myas_macro_ter_deny /Common/myas_macro_ter_out } start-item /Common/myas_macro_ent_in type macro create apm policy customization-group /Common/myas_act_logon_page source /Common/standard create apm policy customization-group /Common/myas_end_deny_ag_logout source /Common/standard type logout create apm policy customization-group /Common/myas_eps source /Common/standard type eps create apm policy customization-group /Common/myas_errormap source /Common/standard type errormap create apm policy customization-group /Common/myas_framework_installation source /Common/standard type framework-installation create apm policy customization-group /Common/myas_general_ui source /Common/standard type general-ui create apm policy customization-group /Common/myas_logout source /Common/standard type logout create apm policy customization-group /Common/myas_oauth_authz source /Common/standard type oauth-authz create apm policy customization-group /Common/myas_theirclientapp_oauth_authz_client_app_customization source /Common/standard type oauth-authz-client-app create apm policy customization-group /Common/profile_oauth_authz_scope_customization source /Common/standard type oauth-authz-scope create apm policy policy-item /Common/myas_act_logon_page agents replace-all-with { /Common/myas_act_logon_page_ag { type logon-page } } caption "Logon page" item-type action rules { { caption fallback next-item /Common/myas_macro_active-directory_auth } } create apm policy policy-item /Common/myas_allow agents replace-all-with { /Common/myas_allow_ag { type ending-allow } } caption Allow item-type ending create apm policy policy-item /Common/myas_end_deny agents replace-all-with { /Common/myas_end_deny_ag { type ending-deny } } caption Deny color 2 item-type ending create apm policy policy-item /Common/myas_ent caption Start rules { { caption fallback next-item /Common/myas_mac } } create apm policy policy-item /Common/myas_mac caption myas_macro item-type macro-call macro /Common/myas_macro rules { { caption Deny next-item /Common/myas_end_deny } { caption Out next-item /Common/myas_allow } } create apm policy policy-item /Common/myas_macro_active-directory_auth agents replace-all-with { /Common/myas_active-directory_auth_ag { type aaa-active-directory } } caption "AD Auth" item-type action rules { { caption Successful expression "expr { [mcget {session.ad.last.authresult}] == 1}" next-item /Common/myas_macro_oauth_authz } { caption fallback next-item /Common/myas_macro_ter_deny } } create apm policy policy-item /Common/myas_macro_ent_in caption In rules { { caption fallback next-item /Common/myas_act_logon_page } } create apm policy policy-item /Common/myas_macro_oauth_authz agents replace-all-with { /Common/myas_macro_oauth_authz_ag { type oauth-authz } } caption "OAuth Authorization" item-type action rules { { caption Successful expression "expr {[mcget {session.oauth.authz.last.result}] == 1}" next-item /Common/myas_macro_ter_out } { caption fallback next-item /Common/myas_macro_ter_deny } } create apm policy policy-item /Common/myas_macro_ter_deny caption Deny color 2 item-type terminal-out create apm policy policy-item /Common/myas_macro_ter_out caption Out item-type terminal-out create apm policy agent aaa-active-directory /Common/myas_active-directory_auth_ag server none type auth create apm policy agent ending-allow /Common/myas_allow_ag create apm policy agent ending-deny /Common/myas_end_deny_ag customization-group /Common/myas_end_deny_ag_logout create apm policy agent logon-page /Common/myas_act_logon_page_ag customization-group /Common/myas_act_logon_page create apm policy agent oauth-authz /Common/myas_macro_oauth_authz_ag customization-group /Common/myas_oauth_authz create apm profile oauth /Common/myas_oauthProfile client-apps replace-all-with { /Common/theirclientapp } db-instance /Common/oauthdb jwt-token disabled opaque-token enabled resource-servers replace-all-with { /Common/myas_myresourceserver } create ltm virtual /Common/myas_vs destination /Common/10.11.10.165:443 ip-protocol tcp mask 255.255.255.255 profiles replace-all-with { /Common/http { } /Common/myas_prof { } /Common/clientssl { context clientside } /Common/tcp { } /Common/websso { } } source 0.0.0.0/0 source-address-translation { type automap } translate-address disabled translate-port enabled create apm oauth oauth-client-app /Common/theirclientapp app-name theirclientapp customization-group /Common/myas_theirclientapp_oauth_authz_client_app_customization grant-code enabled redirect-uris replace-all-with { https://east.seattlehq.org } create apm oauth oauth-resource-server /Common/myas_myresourceserver auth-type secret create apm profile access /Common/myas_prof accept-languages replace-all-with { en } access-policy /Common/myas_pol access-policy-timeout 300 customization-group /Common/myas_logout default-language en defaults-from /Common/access eps-group /Common/myas_eps errormap-group /Common/myas_errormap framework-installation-group /Common/myas_framework_installation general-ui-group /Common/myas_general_ui inactivity-timeout 900 log-settings replace-all-with { /Common/default-log-setting } max-concurrent-sessions 0 max-concurrent-users 0 max-failure-delay 5 max-in-progress-sessions 128 max-session-timeout 604800 min-failure-delay 2 oauth-profile /Common/myas_oauthProfile restrict-to-single-client-ip false use-http-503-on-error false user-identity-method http submit cli transactionI'd like to know if this kind of approach makes sense, or is helpful in your case.