Using BIG-IQ to Determine Differences Between Advanced WAF Policies

Introduction

With BIG-IQ 8.0, F5 introduced a policy comparison feature. This allows you to bring up 2 web application firewall (WAF) policies and look at them side-by-side in a table format. The policies can be deployed on different BIG-IP’s or BIG-IP pairs, on virtual servers deployed for different applications. 

This feature also allows the administrator to export report in PDF format for consumption outside of the BIG-IP/BIG-IQ. It also very useful to determine policy drift in cases where a policy is used to spawn other policies that, in turn, are tuned for the applications they protect.

This article will take you through the process of comparing 2 policies and exporting the report to PDF. 

Policy Comparison

The “Compare Policies” feature is available from the Configuration menu on BIG-IQ. Ensure that you login to BIG-IQ with sufficient privileges to access and view the Application Security Policies and their contents.

 

The figure below shows how to access the policy by

·      selecting the Configuration tab,

·      highlighting the Security menu,

·      expanding the item labelled Web Application Security,

·      Selecting the Policies

Note that, selecting a policy in the window above provides valuable information about the policy and related configured items. In the example below, the asm-lab3 is selected and the interface shows an overview of the policy content and the related items such as the virtual server the policy is associated with.

Once on the Policies screen, you can select 2 and compare them as shown below:

The two policies configuration now appear side-by-side for inspection

The two-column view can be exported in PDF format for external consumption by clicking on the Export button. 

Also, you can get the comparison in JSON format through BIG-IQ’s REST API by following these main steps:

1.    Obtain a token to access the API to use with all subsequent requests

2.    List the policies and find the references to the policies of interest by issuing a GET request to the following end-point:

https://{{BIG-IQ}}/mgmt/cm/asm/working-config/policies

3.    Create a policy compare task referencing the 2 policies of interest by posting a request to the following end-point:

https://{{BIG-IQ}}/mgmt/cm/asm/tasks/policy-diff

with a payload referencing the 2 policies (to and from):

  {
 "fromPolicyReference": {
        "link": ""
   },
  "toPolicyReference": {
    "link": ""
  }
 }

It will result in the creation of a task – the task information will be provided in the response in the form:

"selfLink": "https://localhost/mgmt/cm/asm/tasks/policy-diff/XXX"

Where XXX is a unique identifier.

4. The task generated in the step above will take some time – you can check on the status by sending a request to:

https://{{BIG-IQ}}/mgmt/cm/asm/tasks/policy-diff/XXX

Where XXX is the identifier gleaned from Step 3 above.

In the payload of the response, there will be a link to the results of the task in the form:

"diffReportReference": {
       "link": "https://localhost/mgmt/cm/asm/reports/policy-diff/YYY”
       },

5.    Once the task is done (e.g. "currentStep": "DONE"), the result of the comparison can be found in JSON format at:

https://{{BIG-IQ}}/mgmt/cm/asm/reports/policy-diff/YYY

Where YYY is the id referenced in Step 4 above.

Conclusion

You have 2 options to get to a comparison between 2 policies deployed anywhere in your security infrastructure, enhancing your team’s visibility. 

Published Mar 22, 2021
Version 1.0
No CommentsBe the first to comment