Forum Discussion
Possible to export/import ASM policies via a script?
This thread is a bit old but it helped point me in the right direction for what worked for my requirements. Leaving my notes for anyone in the future who may find it useful.
To start with exporting policies, first you need to get the list of policy names written to a text file. I ran this from my home directory:
tmsh list asm policy \* one-line | cut -d " " -f 3 > policies.txt
Now you can use the list of policy names to export each of them as an XML file:
for i in $(cat policies.txt); do echo $i; tmsh save asm policy $i xml-file $i.xml; done
If you are exporting them a second time, you will need to include the overwrite flag, otherwise you will get an error that the file already exists:
for i in $(cat policies.txt); do echo $i; tmsh save asm policy $i xml-file $i.xml overwrite; done
The policies will be saved to /var/tmp/ and from there you can use SCP to grab them. You could import them manually, but that's quite slow if you've got a large number to get through.
My next step is to copy these policies over to /var/tmp of the target device where I will be importing them.
First step on the target device is recreating the policies.txt file. Just copy and paste the same one created above. If you don't need to import all policies on the target device, then edit policies.txt to remove the lines with policy names you don't need. Again, I am doing this all in my home directory.
With policies.txt created and the policies copied over to /var/tmp you can use the following command to import:
for i in $(cat policies.txt); do echo $i; tmsh load asm policy $(echo ${i}) overwrite file /var/tmp/$(echo ${i}.xml); tmsh publish asm policy $(echo ${i}); done
The tmsh load will look at our target policy, say TEST-ASM, and overwrite it with /var/tmp/TEST-ASM.xml. Then tmsh publish will apply the policy changes, otherwise all of them will be stuck in changes pending.
If you don't need to overwrite a target policy, then you could just remove that section and be left with:
for i in $(cat policies.txt); do echo $i; tmsh load asm policy file /var/tmp/$(echo ${i}.xml); done
This is all tested and working on 15.1 but I've also done the exporting piece in the past on 14.1.
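An added example, not part of the original post and not F5 code: the XML files pass through /var/tmp and SCP before being loaded into a WAF, so this sketch records a SHA-256 manifest on the source device and refuses to load any file that is missing or changed on the target. The function names, the manifest file, the allowed name characters and the availability of sha256sum on both devices are assumptions; the tmsh syntax is the one used in the post.

```shell
#!/bin/bash
# Added example (not from the thread). Assumes sha256sum exists on both devices.
POLICY_DIR="${POLICY_DIR:-/var/tmp}"   # directory the post exports to / imports from

# Accept only names safe as a file name and as a single tmsh argument.
# The allowed character set is an assumption; widen it if your names need more.
valid_name() {
  case "$1" in
    ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Source device: record "<sha256>  <name>.xml" for every policy in the list.
# $1 = policies.txt, $2 = manifest file to create
write_manifest() {
  : > "$2"
  while IFS= read -r _n || [ -n "$_n" ]; do
    [ -n "$_n" ] || continue
    valid_name "$_n" || { echo "skipping unsafe name: $_n" >&2; continue; }
    ( cd "$POLICY_DIR" && sha256sum "$_n.xml" ) >> "$2" || return 1
  done < "$1"
}

# Target device: load and publish a policy only if its XML matches the manifest.
# $1 = policies.txt, $2 = manifest copied from the source device
import_verified() {
  _failed=0
  while IFS= read -r _n || [ -n "$_n" ]; do
    [ -n "$_n" ] || continue
    if ! valid_name "$_n"; then
      echo "rejecting unsafe name: $_n" >&2; _failed=1; continue
    fi
    # Pick this policy's manifest line and let sha256sum re-hash the file.
    if ! awk -v f="$_n.xml" '$2 == f' "$2" |
         ( cd "$POLICY_DIR" && sha256sum -c --status - ); then
      echo "missing or modified, not loaded: $_n.xml" >&2; _failed=1; continue
    fi
    # </dev/null keeps tmsh from consuming the rest of policies.txt.
    tmsh load asm policy "$_n" overwrite file "$POLICY_DIR/$_n.xml" </dev/null &&
      tmsh publish asm policy "$_n" </dev/null || _failed=1
  done < "$1"
  return "$_failed"
}
```

Run write_manifest on the source after the export loop, copy the manifest alongside the XML files, and call import_verified on the target in place of the import loop; a non-zero return means at least one policy was skipped or failed.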
Hi NickAD,
This looks really useful, any chance you can get this to work for multiple partitions?
- jaikumar_f5, Mar 28, 2021, MVP
You can do cd /, followed by recursive command.
- NickAD, Mar 29, 2021, Cirrus
I don't have a device to test and confirm on, but I'd agree with what jaikumar said.
- Curious1, Mar 30, 2021, Cirrus
Thank you for your suggestion. I got it working via the following:
tmsh -q -c "cd / ; list asm policy one-line recursive" | cut -d " " -f 3 > asmpolicylist.txt