Using iControl REST API to manage F5 BIG-IP Advanced Firewall Manager (AFM)

Overview

iControl REST is a very useful tool when it comes to automating various tasks on BIG-IP. Overall, the iControl REST API is well documented and covers a wide breadth of topics within the BIG-IP landscape. In this article, we will focus on the F5 BIG-IP Advanced Firewall Manager (AFM) specific endpoints to see how we can automate common tasks related to managing BIG-IP AFM.

F5 BIG-IP Advanced Firewall Manager (AFM) Basics

Before we dive into the actual REST API calls to interact with BIG-IP AFM, it is helpful to review the basic concepts of how Advanced Firewall Manager works. It is best to understand the following:

Context

It is very common to hear about BIG-IP AFM firewall contexts, but what exactly is a context? In BIG-IP AFM literature, a context is the category of object to which firewall rules apply. The context can be Global, Route Domain, Self IP or Virtual Server. Attaching firewall rules to the Global context implies that those rules apply to all traffic traversing the BIG-IP AFM firewall. The next sections will use the Global context in the examples.

Firewall rules can also be attached to Route Domain, Self IP and Virtual Server contexts. In such cases, those rules are limited in scope to a specific set of VLANs/interfaces, or to specific destination IP subnets and ports.

Policy

A policy is a collection of firewall rules. Policies can be thought of as books and rules as their pages. A policy can be standalone or applied to a context; a standalone policy has no effect. The user creates a policy, adds rules to it, and then applies it to a context, either as enforced or as staged. Enforced policies take action when a rule matches. Staged policies do not take action but increment statistical counters, giving the customer an idea of their possible effect. We will concentrate on enforced policies, since staged policies are optional and enforced policies are the main method used.

Rules

Firewall rules are minimally composed of an action, a rule name and a relative placement directive (such as place-before in the examples below) that specifies their order among other rules.

Partition

A BIG-IP system term for separate configuration locations, which offers granularity and security. For example, a firewall manager can access all partitions, but if we wanted to prevent a specific user from accessing some sensitive configuration, that configuration could be created in a new partition, and only users allowed access to that partition could see or change it. All the policies in this article can simply be put in the Common partition (the default partition in which a policy is created), so no action is needed beyond knowing the concept itself.

REST API

A basic REST query format looks like this:

The BIG-IP AFM REST API follows the hierarchical command structure of tmsh, as described below:

Action → Module → SubModule → Component → Objects

There are six basic tmsh commands to manage BIG-IP AFM ACL global policies, as mapped to the tmsh command structure:

1. Create a policy <policy_name>
        create security firewall policy <policy_name>
2. Add/delete rules or modify existing rules
        modify security firewall policy <policy_name>
        modify security firewall policy <policy_name> rules →
                add {}
                modify {}
                delete {}
3. Apply (aka “attach”) <policy_name> to global context
        modify security firewall global-rules → enforced/staged-policy <policy_name>
4. Show the contents of the policy <policy_name>
        show security firewall policy <policy_name>
5. Delete the policy <policy_name>
        delete security firewall policy <policy_name>
6. List currently enforced/staged policy for global context
        list security firewall global-rules → enforced/staged-policy

Examples

1. Create policy: restApiDemo

TMSH: create security firewall policy restApiDemo

[root@C2629643-bigip1:Active:Standalone] config # curl -sk -u admin:admin -H "Content-Type: application/json" -X POST -d '{"name":"restApiDemo"}' https://localhost/mgmt/tm/security/firewall/policy | python -m json.tool
{
"fullPath": "/Common/restApiDemo",
"generation": 1354,
"kind": "tm:security:firewall:policy:policystate",
"name": "restApiDemo",
"partition": "Common",
"rulesReference": {
"isSubcollection": true,
"link": "https://localhost/mgmt/tm/security/firewall/policy/~Common~restApiDemo/rules?ver=13.1.0.2"
},
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy/~Common~restApiDemo?ver=13.1.0.2"
}

2. Create rules in restApiDemo

TMSH: modify security firewall policy restApiDemo rules add { myRule1 { action reject place-before first } }

[root@C2629643-bigip1:Active:Standalone] config # curl -sk -u admin:admin -H "Content-Type: application/json" -X POST -d '{"name":"myRule1", "action":"reject", "place-before":"first"}' https://localhost/mgmt/tm/security/firewall/policy/~Common~restApiDemo/rules | python -m json.tool
{
"action": "reject",
"destination": {},
"fullPath": "myRule1",
"generation": 1360,
"ipProtocol": "any",
"iruleSampleRate": 1,
"kind": "tm:security:firewall:policy:rules:rulesstate",
"log": "no",
"name": "myRule1",
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy/~Common~restApiDemo/rules/myRule1?ver=13.1.0.2",
"source": {
"identity": {}
},
"status": "enabled"
}

3. Display rules in restApiDemo

TMSH: show security firewall policy restApiDemo

[root@C2629643-bigip1:Active:Standalone] config # curl -sk -u admin:admin -H "Content-Type: application/json" -X GET https://localhost/mgmt/tm/security/firewall/policy/~Common~restApiDemo/rules | python -m json.tool
{
"items": [
{
"action": "reject",
"destination": {},
"fullPath": "myRule1",
"generation": 1360,
"ipProtocol": "any",
"iruleSampleRate": 1,
"kind": "tm:security:firewall:policy:rules:rulesstate",
"log": "no",
"name": "myRule1",
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy/~Common~restApiDemo/rules/myRule1?ver=13.1.0.2",
"source": {
"identity": {}
},
"status": "enabled"
}
],
"kind": "tm:security:firewall:policy:rules:rulescollectionstate",
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy/~Common~restApiDemo/rules?ver=13.1.0.2"
}

4. Change rule action to “accept” for myRule1

TMSH: modify security firewall policy restApiDemo rules modify { myRule1 { action accept } }

[root@C2629643-bigip1:Active:Standalone] config # curl -sk -u admin:admin -H "Content-Type: application/json" -X PATCH -d '{"action":"accept"}' https://localhost/mgmt/tm/security/firewall/policy/~Common~restApiDemo/rules/myRule1 | python -m json.tool
{
"action": "accept",
"destination": {},
"fullPath": "myRule1",
"generation": 1364,
"ipProtocol": "any",
"iruleSampleRate": 1,
"kind": "tm:security:firewall:policy:rules:rulesstate",
"log": "no",
"name": "myRule1",
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy/~Common~restApiDemo/rules/myRule1?ver=13.1.0.2",
"source": {
"identity": {}
},
"status": "enabled"
}

5. Delete rule myRule1 from restApiDemo

TMSH: modify security firewall policy restApiDemo rules delete { myRule1 }

[root@C2629643-bigip1:Active:Standalone] config # curl -sk -u admin:admin -H "Content-Type: application/json" -X DELETE https://localhost/mgmt/tm/security/firewall/policy/~Common~restApiDemo/rules/myRule1 | python -m json.tool
No JSON object could be decoded

6. Apply restApiDemo to Global context

TMSH: modify security firewall global-rules enforced-policy restApiDemo

[root@C2629643-bigip1:Active:Standalone] config # curl -sk -u admin:admin -H "Content-Type: application/json" -X PATCH -d '{"enforcedPolicy":"restApiDemo"}' https://localhost/mgmt/tm/security/firewall/globalRules/ | python -m json.tool
{
"enforcedPolicy": "/Common/restApiDemo",
"enforcedPolicyReference": {
"link": "https://localhost/mgmt/tm/security/firewall/policy/~Common~restApiDemo?ver=13.1.0.2"
},
"kind": "tm:security:firewall:global-rules:global-rulesstate",
"selfLink": "https://localhost/mgmt/tm/security/firewall/global-rules?ver=13.1.0.2"
}

7. Display existing policy applied to Global context

TMSH: list security firewall global-rules enforced-policy

[root@C2629643-bigip1:FIREWALL RULES DEPLOY IN-PROGRESS:Standalone] config # curl -sk -u admin:admin -H "Content-Type: application/json" -X GET https://localhost/mgmt/tm/security/firewall/globalRules | python -m json.tool
{
"enforcedPolicy": "/Common/restApiDemo",
"enforcedPolicyReference": {
"link": "https://localhost/mgmt/tm/security/firewall/policy/~Common~restApiDemo?ver=13.1.0.2"
},
"kind": "tm:security:firewall:global-rules:global-rulesstate",
"selfLink": "https://localhost/mgmt/tm/security/firewall/global-rules?ver=13.1.0.2"
}

8. Delete policy restApiDemo

TMSH: delete security firewall policy restApiDemo

Remove it from Global Context before deleting.

[root@C2629643-bigip1:Active:Standalone] config # curl -sk -u admin:admin -H "Content-Type: application/json" -X PATCH -d '{"enforcedPolicy":""}' https://localhost/mgmt/tm/security/firewall/globalRules/ | python -m json.tool
{
"kind": "tm:security:firewall:global-rules:global-rulesstate",
"selfLink": "https://localhost/mgmt/tm/security/firewall/global-rules?ver=13.1.0.2"
}
[root@C2629643-bigip1:FIREWALL RULES DEPLOY IN-PROGRESS:Standalone] config # curl -sk -u admin:admin -H "Content-Type: application/json" -X DELETE https://localhost/mgmt/tm/security/firewall/policy/~Common~restApiDemo | python -m json.tool
No JSON object could be decoded
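The curl calls of steps 1 to 8, wrapped in a small Python client that is added here and is not part of the original article or of any F5 library: it builds the same iControl REST requests, tolerates the empty body that DELETE returns (the reason json.tool printed "No JSON object could be decoded" above), and refuses to delete a policy that global-rules still enforces. The host, credentials and the global-rules path are assumptions taken from the examples above; the transport is injectable so the plan can be exercised offline with a fake.

```python
import base64, json, ssl, urllib.request

# Placeholders, not a real deployment: host/credentials as in the article's curl examples.
BASE = "https://localhost/mgmt/tm/security/firewall"
AUTH = ("admin", "admin")

def obj_path(name, partition="Common"):
    # iControl REST writes /Common/name as ~Common~name inside a URL.
    return f"~{partition}~{name}"
def parse_body(raw):
    # DELETE answers with an empty body; that is why json.tool said "No JSON object could be decoded".
    return json.loads(raw) if raw.strip() else None
def urllib_transport(method, url, body):
    # Real transport: basic auth, JSON body, TLS verification off like curl -k (lab only).
    token = base64.b64encode(f"{AUTH[0]}:{AUTH[1]}".encode()).decode()
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Content-Type": "application/json", "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read()
def policy_lifecycle(policy, rule):
    # The article's eight steps as (method, url, body) triples; detach precedes delete.
    p = f"{BASE}/policy/{obj_path(policy)}"
    g = f"{BASE}/global-rules"  # selfLink form; the article's globalRules spelling also works
    return [
        ("POST",   f"{BASE}/policy", {"name": policy}),
        ("POST",   f"{p}/rules", {"name": rule, "action": "reject", "place-before": "first"}),
        ("GET",    f"{p}/rules", None),
        ("PATCH",  f"{p}/rules/{rule}", {"action": "accept"}),
        ("DELETE", f"{p}/rules/{rule}", None),
        ("PATCH",  g, {"enforcedPolicy": policy}),
        ("GET",    g, None),
        ("PATCH",  g, {"enforcedPolicy": ""}),
        ("DELETE", p, None),
    ]

def run(calls, transport=urllib_transport):
    # Execute a plan, tracking the globally enforced policy and refusing to DELETE it while attached.
    enforced, results = None, []
    for method, url, body in calls:
        if method == "DELETE" and enforced and url.endswith(obj_path(enforced)):
            raise RuntimeError(f"{enforced} is still enforced globally; detach it first")
        data = parse_body(transport(method, url, body))
        if url.endswith("global-rules"):
            src = data if isinstance(data, dict) else (body or {})
            enforced = (src.get("enforcedPolicy") or "").split("/")[-1] or None
        results.append(data)
    return results
```

Calling run(policy_lifecycle("restApiDemo", "myRule1")) against a BIG-IP reproduces the article's sequence; passing your own transport callable lets you dry-run the plan first.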

Published Dec 27, 2022
Version 1.0