Forum Discussion
Possible to export/import ASM policies via a script?
Is it possible to possible to export ASM policies from one F5 and then import the ASM policies into another F5 via a script?
I'd like to export the ASM policies from our prod F5 and then import them into our DR F5 in bulk via a script instead of exporting/importing one by one.
Thx
- Filip_MikulíkAltostratus
Hi, yes that is possible:
- export ASM policy: save asm policy [policy name] xml-file [file name]
- copy XML files to DR
- import ASM policy: load asm policy [policy name] file [file name]
- (optional) active imported policy: modify asm policy [policy name] active
if you want to save all policies from box you can use something like:
for i in $(tmsh list asm policy \/\*\/\* one-line | cut -d " " -f 3); do echo ${i}; tmsh save asm policy ${i} xml-file ${i}.xml; done
than copy it and import it by:
for i in $(find . -name '*xml); do echo ${i}; tmsh load asm $(echo ${i} | sed 's/\.xml//') xml-file ${i}; tmsh modify asm policy $(echo ${i} | sed 's/\.xml//') enable; done
This should be functional if you don't use partitions. If you do, you will have to create the directories with partition names first, or try to substitute '/' character in policy names...
- NickADCirrus
This thread is a bit old but it helped point me in the right direction for what worked for my requirements. Leaving my notes for anyone in the future who may find it useful.
To start with exporting policies first you need to get the list of policy names written to a text file. I ran this from my home directory:
tmsh list asm policy \* one-line | cut -d " " -f 3 > policies.txt
Now you can use the list of policy names to export each of them as an XML file:
for i in $(cat policies.txt); do echo $i; tmsh save asm policy $i xml-file $i.xml; done
If you are exporting them a second time you will need to include the overwrite flag otherwise you will get an error that the file already exists:
for i in $(cat policies.txt); do echo $i; tmsh save asm policy $i xml-file $i.xml overwrite; done
The policies will be saved to /var/tmp/ and from there you can use SCP to grab them. You could import them manually, but that's quite slow if you've got a large number to get through.
My next step is to copy these policies over to /var/tmp of the target device where I will be importing them.
First step on the target device is recreating the policies.txt file. Just copy and paste the same one created above. If you don't need to import all policies on the target device, then edit policies.txt to remove the lines with policy names you don't need. Again, I am doing this all in my home directory.
With policies.txt created and the policies copied over to /var/tmp you can use the following command to import:
for i in $(cat policies.txt); do echo $i; tmsh load asm policy $(echo ${i}) overwrite file /var/tmp/$(echo ${i}.xml); tmsh publish asm policy $(echo ${i}); done
The tmsh load will look at our target policy, say TEST-ASM, and overwrite it with /var/tmp/TEST-ASM.xml. Then tmsh publish will apply the policy changes, otherwise all of them will be stuck in changes pending.
If you don't need to overwrite a target policy, then you could just remove that section and be left with:
for i in $(cat policies.txt); do echo $i; tmsh load asm policy file /var/tmp/$(echo ${i}.xml); done
This is all tested and working on 15.1 but I've also done the exporting piece in the past on 14.1.
- Curious1Cirrus
Hi NickAD,
This looks really useful, any chance you can get this to work for multiple partitions?
You can do cd /, followed by recursive command.
- bhs_114985Historic F5 Account
import command had a missing ' after the *xml
for i in $(find . -name '*xml’); do echo ${i}; tmsh load asm $(echo ${i} | sed 's/\.xml//') xml-file ${i}; tmsh modify asm policy $(echo ${i} | sed 's/\.xml//') enable; done
- bhs_114985Historic F5 Account
Hi Filip,
Trying to use the scripts but hitting a weird syntax error. A colleague also tried this and is hitting the same thing. The save command works as expected and creates the backup file. In this case it's "Hackazon-WAF.xml".
The load command produces the following error:
[admin@ip-10-1-1-8:Active:Standalone] tmp for i in $(find . -name '*xml'); do echo ${i}; tmsh load asm $(echo ${i} | sed 's/\.xml//') xml-file ${i}; tmsh modify asm policy $(echo ${i} | sed 's/\.xml//') enable; done
./Hackazon-WAF.xml Syntax Error: "./Hackazon-WAF" unexpected argument Syntax Error: "enable" unknown property
Do you have any suggestions for us?
Thanks,
BHS
You problem is the find command it returns the file names with a "./" in front of it which breaks the load command.
Instead of the relative reference to the location use en explicit one: for i in $(find /var/tmp/asm -name '*xml').....
Where you have the exported xml files placed in /var/tmp/asm.
I fell for the exact same problem :-)
- ZdendaCirrus
Hi, does load policy work for your when loading to different partition? I use
within tmsh from proper partition, but policy is always uploaded to Common. XML file is updated, so word "Common" is replaced by "properPartition".load asm policy file /var/tmp/tmp_policy.xml
It works correctly in GUI, but not in TMSH. I use v12.1.3, does this work for anyone here?
Thx Zdenek
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com