Forum Discussion
ng_export with Per Request Policies
- Jan 30, 2020
You can already do it with normal policies, no reverse engineering needed.
However, that ID 755148 refers to API Protection policies. These are the same as PRPs, but they have a different "type" (I'm sure you noticed already).
The other thing is:
The way I do this usually when I'm creating labs or other material is to walk the configuration hierarchy (policy items, agents, policy, profile, customization groups) and then turn it into a pile of TMSH commands, then use the commands to create a policy. It's kind of fragile between versions, but mostly works fine.
I thought about just copying/pasting from bigip.conf directly. I don't know how to handle the customization groups however, I just want all defaults.
Yeah, it's a good question. Basically: Customization groups with default settings (you just create them with TMSH) already contain the default settings and will show the defaults.
Customization was quite complex in versions prior to 15.1, but it's drastically simpler now.
Here's an example of how to create a policy with TMSH that I use for lab testing, this one is an OAuth AS, but the procedure is basically the same for other types. The nice thing about TMSH's transaction approach is that you can do development easily and don't end up with orphan or extra objects because the entire batch is verified by MCP at once rather than line-by-line. So, my development process (not ideal, but not too bad) is:
1- Create policy manually on a test box with no policies.
2- Do "tmsh list apm one-line >> (your file)" to grab out all the APM config (policies, customization, whatever)
3- Do "tmsh list ltm one-line >> (your file)" to grab out the LTM configs (clientssl, vips, etc).
4- Put these together into a pile of TMSH commands, similar to below.
5- From CLI on another test box without the config, do: tmsh < (your tmsh commands file)
6- If it works, great, if not, go figure out what the error is and fix it in the file.
7- Repeat 5,6 until success.
example:
create cli transaction
create apm oauth oauth-scope /Common/scope-profile customization-group /Common/scope-profile_oauth_authz_scope_customization scope-name profile
create apm oauth oauth-client-app myclientapp2 app-name myclientapp2 customization-group /Common/myclientapp2_oauth_authz_client_app_customization grant-code enabled redirect-uris replace-all-with { https://east.seattlehq.org/oauth/client/redirect }
create apm policy access-policy myas_pol default-ending /Common/myas_end_deny items replace-all-with { /Common/myas_allow /Common/myas_end_deny /Common/myas_ent /Common/myas_mac } macros replace-all-with { /Common/myas_macro } start-item /Common/myas_ent
create apm policy access-policy myas_macro caption myas_macro default-ending /Common/myas_macro_ter_deny items replace-all-with { /Common/myas_act_logon_page /Common/myas_macro_active-directory_auth /Common/myas_macro_ent_in /Common/myas_macro_oauth_authz /Common/myas_macro_ter_deny /Common/myas_macro_ter_out } start-item /Common/myas_macro_ent_in type macro
create apm policy customization-group /Common/myas_act_logon_page source /Common/standard
create apm policy customization-group /Common/myas_end_deny_ag_logout source /Common/standard type logout
create apm policy customization-group /Common/myas_eps source /Common/standard type eps
create apm policy customization-group /Common/myas_errormap source /Common/standard type errormap
create apm policy customization-group /Common/myas_framework_installation source /Common/standard type framework-installation
create apm policy customization-group /Common/myas_general_ui source /Common/standard type general-ui
create apm policy customization-group /Common/myas_logout source /Common/standard type logout
create apm policy customization-group /Common/myas_oauth_authz source /Common/standard type oauth-authz
create apm policy customization-group /Common/myas_theirclientapp_oauth_authz_client_app_customization source /Common/standard type oauth-authz-client-app
create apm policy customization-group /Common/myclientapp2_oauth_authz_client_app_customization source /Common/standard type oauth-authz-client-app
create apm policy customization-group /Common/scope-profile_oauth_authz_scope_customization source /Common/standard type oauth-authz-scope
create apm policy policy-item /Common/myas_act_logon_page agents replace-all-with { /Common/myas_act_logon_page_ag { type logon-page } } caption "Logon page" item-type action rules { { caption fallback next-item /Common/myas_macro_active-directory_auth } }
create apm policy policy-item /Common/myas_allow agents replace-all-with { /Common/myas_allow_ag { type ending-allow } } caption Allow item-type ending
create apm policy policy-item /Common/myas_end_deny agents replace-all-with { /Common/myas_end_deny_ag { type ending-deny } } caption Deny color 2 item-type ending
create apm policy policy-item /Common/myas_ent caption Start rules { { caption fallback next-item /Common/myas_mac } }
create apm policy policy-item /Common/myas_mac caption myas_macro item-type macro-call macro /Common/myas_macro rules { { caption Deny next-item /Common/myas_end_deny } { caption Out next-item /Common/myas_allow } }
create apm policy policy-item /Common/myas_macro_active-directory_auth agents replace-all-with { /Common/myas_active-directory_auth_ag { type aaa-active-directory } } caption "AD Auth" item-type action rules { { caption Successful expression "expr { [mcget {session.ad.last.authresult}] == 1}" next-item /Common/myas_macro_oauth_authz } { caption fallback next-item /Common/myas_macro_ter_deny } }
create apm policy policy-item /Common/myas_macro_ent_in caption In rules { { caption fallback next-item /Common/myas_act_logon_page } }
create apm policy policy-item /Common/myas_macro_oauth_authz agents replace-all-with { /Common/myas_macro_oauth_authz_ag { type oauth-authz } } caption "OAuth Authorization" item-type action rules { { caption Successful expression "expr {[mcget {session.oauth.authz.last.result}] == 1}" next-item /Common/myas_macro_ter_out } { caption fallback next-item /Common/myas_macro_ter_deny } }
create apm policy policy-item /Common/myas_macro_ter_deny caption Deny color 2 item-type terminal-out
create apm policy policy-item /Common/myas_macro_ter_out caption Out item-type terminal-out
create apm policy agent aaa-active-directory /Common/myas_active-directory_auth_ag server none type auth
create apm policy agent ending-allow /Common/myas_allow_ag
create apm policy agent ending-deny /Common/myas_end_deny_ag customization-group /Common/myas_end_deny_ag_logout
create apm policy agent logon-page /Common/myas_act_logon_page_ag customization-group /Common/myas_act_logon_page
create apm policy agent oauth-authz /Common/myas_macro_oauth_authz_ag customization-group /Common/myas_oauth_authz
create apm profile oauth /Common/myas_oauthProfile client-apps replace-all-with { /Common/theirclientapp } db-instance /Common/oauthdb jwt-token disabled opaque-token enabled resource-servers replace-all-with { /Common/myas_myresourceserver }
create ltm virtual /Common/myas_vs destination /Common/10.11.10.165:443 ip-protocol tcp mask 255.255.255.255 profiles replace-all-with { /Common/http { } /Common/myas_prof { } /Common/clientssl { context clientside } /Common/tcp { } /Common/websso { } } source 0.0.0.0/0 source-address-translation { type automap } translate-address disabled translate-port enabled
create apm oauth oauth-client-app /Common/theirclientapp app-name theirclientapp customization-group /Common/myas_theirclientapp_oauth_authz_client_app_customization grant-code enabled redirect-uris replace-all-with { https://east.seattlehq.org }
create apm oauth oauth-resource-server /Common/myas_myresourceserver auth-type secret
create apm profile access /Common/myas_prof accept-languages replace-all-with { en } access-policy /Common/myas_pol access-policy-timeout 300 customization-group /Common/myas_logout default-language en defaults-from /Common/access eps-group /Common/myas_eps errormap-group /Common/myas_errormap framework-installation-group /Common/myas_framework_installation general-ui-group /Common/myas_general_ui inactivity-timeout 900 log-settings replace-all-with { /Common/default-log-setting } max-concurrent-sessions 0 max-concurrent-users 0 max-failure-delay 5 max-in-progress-sessions 128 max-session-timeout 604800 min-failure-delay 2 oauth-profile /Common/myas_oauthProfile restrict-to-single-client-ip false use-http-503-on-error false user-identity-method http
submit cli transaction
I'd like to know if this kind of approach makes sense, or is helpful in your case.
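As an added example (not from the original post and not F5 code), here is a small Python converter for step 4 of the process above: it takes `tmsh list apm one-line` / `tmsh list ltm one-line` output, rewrites each object as a `create` command inside a cli transaction, orders the object kinds so that referenced objects are created first, and lists every `/Common/` name the batch references but does not itself create, which is how you catch a customization-group reference that has no matching `create` before MCP rejects the whole transaction. The `COLLECTION_PROPS` and `CREATE_ORDER` tables are my assumptions and only cover the object kinds that appear in this thread; the sample listing is constructed, and the tokenizer assumes quoted expressions contain no escaped quotes.

```python
"""Turn `tmsh list ... one-line` output into a tmsh transaction of `create`
commands.  Added example for the procedure in the thread; not F5 code.  The
property and ordering tables are assumptions covering the kinds in the thread."""

# Collection properties that need `replace-all-with` on create (assumption).
COLLECTION_PROPS = {
    "agents", "items", "macros", "redirect-uris", "client-apps",
    "resource-servers", "profiles", "accept-languages", "log-settings",
}

# Create leaves before the objects that reference them (assumed safe order).
CREATE_ORDER = [
    "apm policy customization-group", "apm policy agent",
    "apm policy policy-item", "apm policy access-policy",
    "apm oauth oauth-scope", "apm oauth oauth-resource-server",
    "apm oauth oauth-client-app", "apm profile oauth",
    "apm profile access", "ltm virtual",
]

# Constructed sample of `tmsh list apm one-line` output (a trimmed policy).
SAMPLE_LISTING = """\
apm policy access-policy /Common/myas_pol { default-ending /Common/myas_end_deny items { /Common/myas_ad /Common/myas_allow /Common/myas_end_deny /Common/myas_ent } start-item /Common/myas_ent }
apm policy policy-item /Common/myas_ad { agents { /Common/myas_ad_ag { type aaa-active-directory } } caption "AD Auth" item-type action rules { { caption Successful expression "expr { [mcget {session.ad.last.authresult}] == 1}" next-item /Common/myas_allow } { caption fallback next-item /Common/myas_end_deny } } }
apm policy policy-item /Common/myas_allow { agents { /Common/myas_allow_ag { type ending-allow } } caption Allow item-type ending }
apm policy policy-item /Common/myas_end_deny { agents { /Common/myas_end_deny_ag { type ending-deny } } caption Deny color 2 item-type ending }
apm policy policy-item /Common/myas_ent { caption Start rules { { caption fallback next-item /Common/myas_ad } } }
apm policy agent aaa-active-directory /Common/myas_ad_ag { server none type auth }
apm policy agent ending-allow /Common/myas_allow_ag { }
apm policy agent ending-deny /Common/myas_end_deny_ag { customization-group /Common/myas_end_deny_ag_logout }
apm policy customization-group /Common/myas_end_deny_ag_logout { source /Common/standard type logout }
"""


def tokenize(line):
    """Split a one-line object into words and braces; a double-quoted string
    (e.g. a Tcl expression containing braces) stays one token."""
    toks, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c.isspace():
            i += 1
        elif c == '"':
            j = line.index('"', i + 1)          # assumes no escaped quotes
            toks.append(line[i:j + 1])
            i = j + 1
        elif c in "{}":
            toks.append(c)
            i += 1
        else:
            j = i
            while j < n and not line[j].isspace() and line[j] not in "{}":
                j += 1
            toks.append(line[i:j])
            i = j
    return toks


def to_create(line):
    """Return (kind, name, create-command) for one listed object."""
    toks = tokenize(line)
    k = toks.index("{")                         # first brace follows the name
    kind, name, body = " ".join(toks[:k - 1]), toks[k - 1], toks[k + 1:-1]
    out, depth = [], 0
    for i, t in enumerate(body):
        if t == "{":
            depth += 1
        elif t == "}":
            depth -= 1
        out.append(t)
        # Top-level collection property: list output omits the verb that
        # `create` needs, so insert `replace-all-with` before its brace block.
        if depth == 0 and t in COLLECTION_PROPS and i + 1 < len(body) and body[i + 1] == "{":
            out.append("replace-all-with")
    return kind, name, " ".join(["create", kind, name] + out)


def order_key(kind):
    for i, prefix in enumerate(CREATE_ORDER):
        if kind.startswith(prefix):
            return i
    return len(CREATE_ORDER)                    # unknown kinds go last


def build_transaction(listing):
    """Wrap the converted objects in a single cli transaction, leaves first."""
    entries = [to_create(l) for l in listing.splitlines() if l.strip()]
    entries.sort(key=lambda e: order_key(e[0]))  # stable: keeps listing order within a kind
    return ["create cli transaction"] + [cmd for _, _, cmd in entries] + ["submit cli transaction"]


def uncreated_references(listing):
    """/Common/ names the batch references but never creates.  Each one must be
    a built-in (e.g. /Common/standard) or already exist on the target box;
    anything else is a dangling reference MCP will reject at submit."""
    entries = [to_create(l) for l in listing.splitlines() if l.strip()]
    created = {name for _, name, _ in entries}
    refs = {t for _, _, cmd in entries for t in tokenize(cmd) if t.startswith("/Common/")}
    return sorted(refs - created)


if __name__ == "__main__":
    print("\n".join(build_transaction(SAMPLE_LISTING)))
    print("# not created here:", uncreated_references(SAMPLE_LISTING))
```

Redirect the output to a file and feed it to `tmsh < file` as in step 5; review the "not created here" list first, since on a clean box only built-ins such as `/Common/standard` should appear there.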