Methods to attach ASM policy to virtual server via REST API requests
There are two methods to attach an ASM policy to a virtual server.
- First method: Start with the policy and list the virtual names under one of its properties. This allows more than one virtual name to be listed and therefore applies the policy to all of them. This method is intuitive and easy to follow. You have to first locate the policy hash ID and then reference it by this ID as you post the names of the virtuals.
- Second Method (Alternate): Start with the virtual and assign to it a "websecurity" profile and an LTM Layer 7 policy (pointing to the ASM policy). This method is less intuitive but safer to use in some cases. Use this method to add a policy to a virtual server without affecting any other virtual that may be using the same policy.
First Method:
Request
PATCH https://{{big_ip_a_mgmt}}/mgmt/tm/asm/policies/{{asm_policy_hash}}
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{ "virtualServers":["/Common/hackazon_vs"] }
Get more information here: Lab 3.4: Apply ASM Policy to VS — F5 Programmability Training documentation
If you are not careful, this procedure causes a problem when more than one virtual uses the same policy. You must post the complete list of virtual names in the body of the PATCH request. If any virtual already listed under the policy is not resubmitted, the policy is dropped from that virtual.
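One way to avoid dropping an existing virtual with the first method is to read the current list, merge in the new name, and PATCH the full list. This is an added example, not code from the original article; it assumes a GET on the same policy URL returns the `virtualServers` property, and the function names are hypothetical.

```python
import json
import urllib.request


def merge_virtual_servers(current, to_add):
    """Keep every virtual already attached and append the new ones once."""
    merged = list(current or [])
    for name in to_add:
        if name not in merged:
            merged.append(name)
    return merged


def icontrol(method, url, token, body=None):
    """Send one JSON request with the headers shown above; return parsed JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Content-Type": "application/json",
        "X-F5-Auth-Token": token,
    })
    with urllib.request.urlopen(req) as resp:  # certificate is verified by default
        return json.load(resp)


def attach_without_dropping(mgmt, policy_hash, token, to_add, call=icontrol):
    """Read the attached virtuals, PATCH the merged list, then verify it."""
    url = f"https://{mgmt}/mgmt/tm/asm/policies/{policy_hash}"
    # Assumption: GET on the policy returns its current "virtualServers" list.
    before = call("GET", url, token).get("virtualServers", [])
    wanted = merge_virtual_servers(before, to_add)
    if wanted == before:
        return before  # already attached, nothing to send
    call("PATCH", url, token, {"virtualServers": wanted})
    # Re-read instead of trusting the PATCH reply to echo the resource.
    after = call("GET", url, token).get("virtualServers", [])
    # A virtual that was protected before the call must still be listed.
    dropped = [name for name in before if name not in after]
    if dropped:
        raise RuntimeError(f"ASM policy no longer attached to: {dropped}")
    return after
```

The read and the write are separate requests, so a change made by another administrator between them can still be overwritten; the final check reports a dropped virtual rather than preventing it.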
Alternate Method:
This alternate method applies the policy to one virtual server at a time.
Step 1: Create an LTM L7 policy (in draft mode) that activates the ASM policy for all traffic.
POST /mgmt/tm/ltm/policy
Body:
{ "name": "<name_for_LTM_L7_policy>", "partition": "/Common/Drafts/", "controls": [ "asm" ], "requires": [ "http" ], "status": "legacy", "strategy": "/Common/first-match", "rules" : [ { "name": "default", "fullPath": "default", "ordinal": 1, "actions" : [ { "name": "1", "fullPath": "1", "asm": true, "code": 0, "enable": true, "expirySecs": 0, "length": 0, "offset": 0, "policy": "<name_for_ASM_policy>", "port": 0, "request": true, "status": 0, "timeout": 0, "vlanId": 0 }]}] }
Step 2: Publish the LTM policy created.
POST /mgmt/tm/ltm/policy
Body:
{ "command": "publish", "name": "/Common/Drafts/<name_for_LTM_L7_policy>" }
Step 3: Add the default "websecurity" profile to the virtual server.
POST /mgmt/tm/ltm/virtual/~Common~<virtual_server_name>/profiles
Body:
{ "context": "all", "name": "websecurity" }
Step 4: Add the LTM L7 policy to the virtual server.
POST /mgmt/tm/ltm/virtual/~Common~<virtual_server_name>/policies
Body:
{ "name": "<name_for_LTM_L7_policy>" }
Note: You do not add the ASM policy to the virtual directly; you add the LTM policy, which references the ASM policy.
Updated Jun 06, 2023
Version 2.0
John_Alam_45640