Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Methods to attach ASM policy to virtual server via REST API requests

John_Alam_45640
Historic F5 Account

on ‎03-Apr-2018 04:00 - edited on ‎05-Jun-2023 22:03 by Community Manager

Two method to attach the ASM policy to a virtual.

  1. First method:  Start with the policy and list the virtual names under one of its properties.  This allows more than one virtual name to be listed and therefore applies the policy to all of them.  This method is intuitive and easy to follow.  You have to first locate the policy hash ID and then reference it by this ID as you post the names of the virtuals.  
  2. Second Method (Alternate): Start with the virtual and assign to iy a "websecurity" profile and an LTM Layer 7 policy (pointing to the ASM policy).   This method is less intuitive but safer to use in some cases.  Use this method to add a policy to a virtual server without affecting any other virtual that may be using the same policy.

First Method:

Request

PATCH https://{{big_ip_a_mgmt}}/mgmt/tm/asm/policies/{{asm_policy_hash}}

Headers

Content-Type: application/json X-F5-Auth-Token: {{big_ip_a_auth_token}}

Body

{ "virtualServers":["/Common/hackazon_vs"] }

Get more information here:  Lab 3.4: Apply ASM Policy to VS — F5 Programmability Training documentation

If not careful, a problem with this procedure appears when more than one virtual uses the same policy.   You must post the list of virtual names in the body of the PATCH request.  If any of the virtuals already listed under the policy is not resubmitted, the policy would be be dropped from to the virtual.

Alternate Method:

This alternate method applies the policy to one vritual server at a time.

Step 1: Create the policy in LTM L7 policy (in draft mode) which activates the ASM policy for all traffic.

POST /mgmt/tm/ltm/policy

Body:
 
{
   "name": "<name_for_LTM_L7_policy>",
   "partition": "/Common/Drafts/",
   "controls": [
      "asm"
   ],
  
 "requires": [
      "http"
   ],

   "status": "legacy",
   "strategy": "/Common/first-match",
   "rules" : [
    {
   "name": "default",
   "fullPath": "default",
   "ordinal": 1,
   "actions" : [ {
   "name": "1",
   "fullPath": "1",
   "asm": true,
   "code": 0,
   "enable": true,
   "expirySecs": 0,
   "length": 0,
   "offset": 0,
   "policy": "<name_for_ASM_policy>",
   "port": 0,
   "request": true,
   "status": 0,
   "timeout": 0,
   "vlanId": 0
      }]}]
  }
Step 2: Publish the LTM policy created.

POST /mgmt/tm/ltm/policy

Body:

{command: "publish", name: "/Common/Drafts/<name_for_LTM_L7_policy>"}

Step 3: Add the default "websecurity" profile to the virtual server.

POST /mgmt/tm/ltm/virtual/~Common~<virtual_server_name>/profiles

Body:
{
  "context": "all",
  "name": "websecurity"
}
Step 4: Add the LTM L7 policy to the virtual server.

POST /mgmt/tm/ltm/virtual/~Common~<virtual_server_name>/policies

Body:
{
  "name": "<name_for_LTM_L7_policy>"
}
Note:  you do not directly add the ASM policy to the virtual, you add the LTM policy which references the ASM policy.  
Labels:
Version history
Last update:
‎05-Jun-2023 22:03
Updated by:
Community Manager
Copyright © 2023 Khoros, LLC