Possible to export/import ASM policies via a script?

Hi, yes that is possible:

• export ASM policy: save asm policy [policy name] xml-file [file name]
• copy XML files to DR
• import ASM policy: load asm policy [policy name] file [file name]
• (optional) active imported policy: modify asm policy [policy name] active

if you want to save all policies from box you can use something like:

 for i in $(tmsh list asm policy \/\*\/\* one-line | cut -d " " -f 3); do echo ${i}; tmsh save asm policy ${i} xml-file ${i}.xml; done

than copy it and import it by:

for i in $(find . -name '*xml); do echo ${i}; tmsh load asm $(echo ${i} | sed 's/\.xml//') xml-file ${i}; tmsh modify asm policy $(echo ${i} | sed 's/\.xml//') enable; done

This should be functional if you don't use partitions. If you do, you will have to create the directories with partition names first, or try to substitute '/' character in policy names...

import command had a missing ' after the *xml

for i in $(find . -name '*xml’); do echo ${i}; tmsh load asm $(echo ${i} | sed 's/\.xml//') xml-file ${i}; tmsh modify asm policy $(echo ${i} | sed 's/\.xml//') enable; done

Hi Filip,

Trying to use the scripts but hitting a weird syntax error. A colleague also tried this and is hitting the same thing. The save command works as expected and creates the backup file. In this case it's "Hackazon-WAF.xml".

The load command produces the following error:

[admin@ip-10-1-1-8:Active:Standalone] tmp  for i in $(find . -name '*xml'); do echo ${i}; tmsh load asm $(echo ${i} | sed 's/\.xml//') xml-file ${i}; tmsh modify asm policy $(echo ${i} | sed 's/\.xml//') enable; done

./Hackazon-WAF.xml Syntax Error: "./Hackazon-WAF" unexpected argument Syntax Error: "enable" unknown property

Do you have any suggestions for us?

Thanks,

BHS

You problem is the find command it returns the file names with a "./" in front of it which breaks the load command.

Instead of the relative reference to the location use en explicit one: for i in $(find /var/tmp/asm -name '*xml').....

Where you have the exported xml files placed in /var/tmp/asm.

I fell for the exact same problem :-)

Hi, does load policy work for your when loading to different partition? I use

load asm policy file /var/tmp/tmp_policy.xml

It works correctly in GUI, but not in TMSH. I use v12.1.3, does this work for anyone here?

Thx Zdenek

This thread is a bit old but it helped point me in the right direction for what worked for my requirements. Leaving my notes for anyone in the future who may find it useful.

To start with exporting policies first you need to get the list of policy names written to a text file. I ran this from my home directory:

tmsh list asm policy \* one-line | cut -d " " -f 3 > policies.txt

Now you can use the list of policy names to export each of them as an XML file:

for i in $(cat policies.txt); do echo $i; tmsh save asm policy $i xml-file $i.xml; done

If you are exporting them a second time you will need to include the overwrite flag otherwise you will get an error that the file already exists:

for i in $(cat policies.txt); do echo $i; tmsh save asm policy $i xml-file $i.xml overwrite; done

The policies will be saved to /var/tmp/ and from there you can use SCP to grab them. You could import them manually, but that's quite slow if you've got a large number to get through.

My next step is to copy these policies over to /var/tmp of the target device where I will be importing them.

First step on the target device is recreating the policies.txt file. Just copy and paste the same one created above. If you don't need to import all policies on the target device, then edit policies.txt to remove the lines with policy names you don't need. Again, I am doing this all in my home directory.

With policies.txt created and the policies copied over to /var/tmp you can use the following command to import:

for i in $(cat policies.txt); do echo $i; tmsh load asm policy $(echo ${i}) overwrite file /var/tmp/$(echo ${i}.xml); tmsh publish asm policy $(echo ${i}); done

The tmsh load will look at our target policy, say TEST-ASM, and overwrite it with /var/tmp/TEST-ASM.xml. Then tmsh publish will apply the policy changes, otherwise all of them will be stuck in changes pending.

If you don't need to overwrite a target policy, then you could just remove that section and be left with:

for i in $(cat policies.txt); do echo $i; tmsh load asm policy file /var/tmp/$(echo ${i}.xml); done

This is all tested and working on 15.1 but I've also done the exporting piece in the past on 14.1.