Add or delete a parameter in multiple ASM policies, or modify multiple ASM policies, via the API (iControl REST)

Problem this snippet solves:

Sometimes it is necessary to add a parameter to multiple policies, or to all policies, or to delete a parameter from multiple policies. If you have hundreds of ASM policies and try to do this in the GUI, it takes a long time and is tedious. For example, you have a new vulnerability scanner and want to add its IP address to all policies, or your contract with a security analysis company ends and you want to delete their IP address from all ASM policies. With many policies this becomes a real problem.

How to use this snippet:

I wrote a sample bash script. It adds an IP to the trusted IP list of multiple ASM policies, or deletes an IP from the trusted IP list of all ASM policies.

First, choose which ASM policies you want to change. Use this command to get the list of ASM policies and write it into a file (asmPolicies.txt):

curl -k -u <admin>:<password> -H "Content-Type: application/json" -X GET 'https://<F5 IP Address>/mgmt/tm/asm/policies?$select=id,name,fullPath' | jq -r '.items[] | "\(.id) \(.name) \(.fullPath)"' > asmPolicies.txt   # the URL is single-quoted so the shell does not expand $select

This is sample content of asmPolicies.txt:

[root@f5 asmPolicies]# cat asmPolicies.txt 
x3yyOJTe3CvcWJDMqpnrgQ First /Common/First
RqXf73h6qZY94EFGVDSlbg SecPolManual_First /Common/SecPolManual_First
d928o8by0WBrWdW7oadMQg SecPol-Lab14 /Common/SecPol-Lab14
i4LnoF4GwMKRhTZ81RCeSQ SecPol-Lab14.2 /Common/SecPol-Lab14.2
kLoqhuDoa6bEeBjcrFo4VA SecPol-Lab15.1 /Common/SecPol-Lab15.1
DvE_fPp2tLUZvJi8cb8Rpg SecPol-Lab15.2 /Common/SecPol-Lab15.2
52dxLNxjExt6QRNvbg7fHA SecPol-Lab15.3 /Common/SecPol-Lab15.3
DcSvljkbLZQD19adkVdV3A SecPol-Lab16.2 /Common/SecPol-Lab16.2
rJ6Mt9sPxzgLu6WHyyifLg SecPol-Lab16.4 /Common/SecPol-Lab16.4
Sy_0vNh-5VXal-xDlMXMqw Single_URI /Common/Single_URI
Hzyj8pZF6flV3VhTkCFkig SecPol-Lab22.2 /Common/SecPol-Lab22.2
sPR5LNQrrf29I1xZ8MtcRA SecPol-Lab16.4_2 /Common/SecPol-Lab16.4_2

Second, check asmPolicies.txt and delete the lines of the policies you do not want to change.

Last, copy updateAsmPolicies.sh (attached) into a directory, then run updateAsmPolicies.sh with the appropriate command and parameter.

Usage: updateAsmPolicies.sh command parameter
Commands:
-a, --add <IP>              add an IP address into the trusted IP list
-d, --delete <IP>           delete an IP address from the trusted IP list
-c, --change <orgIP-newIP>  delete the orgIP from the trusted IP list, then add the newIP into the trusted IP list

updateAsmPolicies.sh -a 1.1.1.1
-> adds 1.1.1.1 into the trusted IP list

updateAsmPolicies.sh -d 1.1.1.1
-> deletes 1.1.1.1 from the trusted IP list

That is it. This is just a sample.

Code:

#!/bin/bash
####
#### AUTHOR: FARUK AYDIN      ---      farukaydin at yahoo.com
#### DATE: 2018.01.25
#### This script adds, deletes or changes the trusted IP addresses in the ASM policies
####
#### Prerequisite commands:
####    echo
####    curl
####    jq
####    shift
####    cut
####    cat

function usage {
    echo "Usage: $0 command parameter"
    echo "Commands:"
    echo "-a, --add <IP>              add an IP address into the trusted IP lists"
    echo "-d, --delete <IP>           delete an IP address from the trusted IP lists"
    echo "-c, --change <orgIP-newIP>  delete the orgIP from the trusted IP lists, then add the newIP into the trusted IP lists"
    exit 0
}

if [ "$#" -eq 0 ]; then
    usage
fi

# Connection settings. The defaults are placeholders; they can be overridden
# through the environment (variable names chosen here) so that real credentials
# do not have to be stored in the script.
f5user="${F5_USER:-admin}"
f5pass="${F5_PASS:-password}"
f5host="${F5_HOST:-192.168.1.245}"

# Note: -k skips TLS certificate validation of the management interface; drop it
# once the BIG-IP management certificate is trusted by the host running this script.

addingIP() {
    echo "adding $2 into $1 policy"
    # The body is built by jq so the IP value is always JSON-escaped.
    curl -sk -u "${f5user}:${f5pass}" -H "Content-Type: application/json" -X POST \
        -d "$(jq -cn --arg ip "$2" '{ipAddress: $ip, ipMask: "255.255.255.255", trustedByPolicyBuilder: true}')" \
        "https://${f5host}/mgmt/tm/asm/policies/$1/whitelist-ips"
    echo
}

deleteIP() {
    # Look up the id of the whitelist entry holding this IP; the DELETE needs that id.
    md5IP=$(curl -sk -u "${f5user}:${f5pass}" -H "Content-Type: application/json" -X GET \
        "https://${f5host}/mgmt/tm/asm/policies/$1/whitelist-ips" \
        | jq -r --arg ip "$2" '.items[] | select(.ipAddress == $ip) | .id')
    if [ -z "$md5IP" ]; then
        echo "$2 is not found in $1 policy"
    else
        echo "deleting $2 from $1 policy"
        curl -sk -u "${f5user}:${f5pass}" -H "Content-Type: application/json" -X DELETE \
            "https://${f5host}/mgmt/tm/asm/policies/$1/whitelist-ips/${md5IP}"
    fi
}

UNKNOWN=()
param=0
whatToDo="nothing"
whatToDoN=0

while [[ $# -gt 0 ]]; do
    key="$1"
    case $key in
        -a|--add)
            ((param++))
            addIP="$2"
            whatToDo="adding a new trusted IP(${addIP}) to all asm policies"
            whatToDoN=1
            shift # past argument
            shift # past value
            ;;
        -d|--delete)
            ((param++))
            delIP="$2"
            whatToDo="deleting the trusted IP(${delIP}) from all asm policies"
            whatToDoN=2
            shift # past argument
            shift # past value
            ;;
        -c|--change)
            ((param++))
            changeIP="$2"
            # The pair may be written as orgIP-newIP or orgIP:newIP.
            orgIP=$(echo "$changeIP" | cut -f1 -d-)
            newIP=$(echo "$changeIP" | cut -f2 -d-)
            if [ "${orgIP}" == "${newIP}" ]; then
                orgIP=$(echo "$changeIP" | cut -f1 -d:)
                newIP=$(echo "$changeIP" | cut -f2 -d:)
            fi
            if [ "${orgIP}" == "${newIP}" ]; then
                echo "cannot parse '${changeIP}' as orgIP-newIP"
                usage
            fi
            whatToDo="changing the trusted IP(${orgIP}) with the new IP(${newIP}) in all asm policies"
            whatToDoN=3
            shift # past argument
            shift # past value
            ;;
        *)    # unknown option
            UNKNOWN+=("$1") # save it in an array for later
            shift # past argument
            ;;
    esac
done

if [ "${#UNKNOWN[@]}" -gt 0 ]; then
    echo "unknown options: ${UNKNOWN[*]}"
    usage
fi
if [ "${param}" -gt 1 ]; then
    echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
    echo "!!!!!!!! you used ${param} commands !!!!!!!!"
    echo "!!! you must use only one command !!!"
    echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
    usage
fi
if [ "${param}" -eq 0 ]; then
    usage
fi

echo "${whatToDo}, Option: ${whatToDoN}"

# asmPolicies.txt holds one policy per line as "<id> <name> <fullPath>"; only the id is used.
while read -r policyId _; do
    [ -n "$policyId" ] || continue
    case $whatToDoN in
        1)
            addingIP "$policyId" "$addIP"
            ;;
        2)
            deleteIP "$policyId" "$delIP"
            ;;
        3)
            deleteIP "$policyId" "$orgIP"
            addingIP "$policyId" "$newIP"
            ;;
    esac
done < asmPolicies.txt
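The sample script splices its IP argument and the policy ids from asmPolicies.txt straight into a JSON body and a URL path. The following is an added example, not part of the original codeshare, showing the checks a hardened version of that flow would add: the IP is validated as a dotted-quad IPv4 address before it reaches the JSON or the URL, ids read from the policy list are checked against the URL-safe character set seen in the sample listing before being used as a path segment, and DRY_RUN=1 prints each request instead of sending it, so the batch can be reviewed first. The environment variable names F5_HOST, F5_USER, F5_PASS and DRY_RUN are this example's own choice, and the ids in the usage note are taken from the listing above.

```shell
#!/bin/sh
# Added example (not the original script): validated inputs and a dry-run mode
# for bulk changes to the whitelist-ips collection of ASM policies.
# F5_HOST, F5_USER, F5_PASS and DRY_RUN are variable names assumed by this example.

# Return 0 if $1 is a dotted-quad IPv4 address (four decimal octets, each 0-255).
valid_ipv4() {
    ip="$1"
    # Reject anything but digits and interior dots first, so the split below
    # cannot glob and leading/trailing dots cannot hide an empty octet.
    case "$ip" in
        ''|.*|*.|*[!0-9.]*) return 1 ;;
    esac
    oldifs="$IFS"; IFS='.'
    set -- $ip
    IFS="$oldifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1          # catches "1..2.3"
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the JSON body for POST .../whitelist-ips. Fails when the IP is invalid,
# so no unchecked string ever reaches the hand-built JSON.
whitelist_body() {
    valid_ipv4 "$1" || return 1
    printf '{"ipAddress":"%s","ipMask":"255.255.255.255","trustedByPolicyBuilder":true}' "$1"
}

# Read "<id> <name> <fullPath>" lines (the asmPolicies.txt format) on stdin and
# print only ids made of URL-safe base64 characters; anything else is reported
# and skipped rather than being placed into a URL path.
policy_ids() {
    while read -r id _rest; do
        case "$id" in
            '') continue ;;
            *[!A-Za-z0-9_-]*) echo "skipping malformed id: $id" >&2; continue ;;
        esac
        printf '%s\n' "$id"
    done
}

# Add one trusted IP to one policy. With DRY_RUN=1 the request is printed, not sent.
add_trusted_ip() {
    policy="$1"; ip="$2"
    body=$(whitelist_body "$ip") || { echo "rejected IP: $ip" >&2; return 1; }
    url="https://${F5_HOST}/mgmt/tm/asm/policies/${policy}/whitelist-ips"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'POST %s %s\n' "$url" "$body"
        return 0
    fi
    # -k skips certificate validation of the management interface; remove it
    # once the BIG-IP management certificate is trusted on this host.
    curl -sk -u "${F5_USER}:${F5_PASS}" -H "Content-Type: application/json" \
        -X POST -d "$body" "$url"
}

# usage: DRY_RUN=1 F5_HOST=<bigip> ./addTrustedIp.sh asmPolicies.txt 192.0.2.10
main() {
    [ "$#" -eq 2 ] || { echo "usage: $0 <asmPolicies.txt> <ip>" >&2; return 2; }
    valid_ipv4 "$2" || { echo "not an IPv4 address: $2" >&2; return 2; }
    policy_ids < "$1" | while read -r id; do
        add_trusted_ip "$id" "$2"
    done
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it once with DRY_RUN=1 against the edited asmPolicies.txt to see exactly which policies will receive the POST, then again without it. A line such as `../../etc bad /Common/bad` in the policy file is reported and skipped instead of becoming part of a request path. Note that entries posted to the whitelist-ips collection are stored in the policy but, as with any ASM policy change, only take effect once the policy is applied (the apply-policy task under /mgmt/tm/asm/tasks); neither the original script nor this example performs that step.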

Tested this on version:

12.1
Updated Jun 06, 2023
Version 2.0