Applying Auto ASM Policy via TMSH

biv_59618
Nimbostratus

What I am trying to do is

  • enable ASM profile
  • add an ASM policy which is configured for Autopolicy

When done through the GUI it looks like this is the config. This is what I am trying to achieve on a large scale through tcl.

    policies {
        asm_auto_l7_policy__someserver.domain.com { }
    }
    profiles {
        ASM_someprofile-WAF { }
    }

How do I get the system to "auto-generate" the policy component of "asm_auto_l7_policy__someserver.domain.com"?

Doing this

`modify ltm virtual /network-test/dumb2_443 profiles add {ASM_someprofile-WAF}`

results in an error that the policy does not match the asm-controlling policy. I think it needs to be

`modify ltm virtual /network-test/dumb2_443 profiles add {ASM_someprofile-WAF} policies add {INSERT DYNAMIC POLICY NAME?}`

But how do I get it to generate that dynamic policy? On the ASM its use autogenerate.

Here is what happens when I try the above

`modify ltm virtual /network-test/dumb2_443 profiles add {ASM_someprofile-WAF} policies add {asm_auto_l7_policy__dumb2_443}`

01070734:3: Configuration error: The bot-defense-asm profile /Common/ASM_someprofile-WAF was added to virtual server /network-test/dumb2_443 but it does not match the asm-controlling policy. The bot-defense-asm profile is added to the virtual server automatically.


Nothing actually changes though.
5 REPLIES

biv_59618
Nimbostratus

So I have figured out I need to create the LTM policy first. Through TMSH this has been troublesome; if anyone can help me with the nested syntax, it has gotten very nested and I'm just looking for a little help. This is the end result I am aiming for:

ltm policy asm_auto_l7_test.com {
    controls { asm }
    requires { http }
    rules {
        default {
            actions {
                1 {
                    asm
                    enable
                    policy /Common/WAF
                }
            }
            ordinal 1
        }
    }
    status legacy
    strategy first-match
}

This is what I got but tripping up on the nested for rules subset

create ltm policy test1 controls add {asm} requires add {http} rules add {defualt {ordinal 1{} actions add{1{policy /Common/WAF}}}}

biv_59618
Nimbostratus

Anyone had luck with this?


Old thread, but I just had this same problem, and this works on 13.1.3. Think you just need to add the "asm enable" before your final policy statement

create /ltm policy '/Common/Drafts/asm_auto_l7_policy__MY-VIRTUAL' controls add { asm } requires add {http} rules add { default { ordinal 1 actions add { 1 { asm enable policy /Common/MY-WAF-POLICY } } } }

I get error '01020036:3: The requested policy action (/Common/asm_auto_l7_policy__MY-VIRTUAL) was not found.' on Version 15.1.0.5. Is there an updated command for this? Thanks!

Hello Jeff,


The tmsh command should look like this: "create ltm policy name_of_ltm_policy controls add { asm } rules add { default { actions add { 1 {asm enable policy name_of_asm_policy } } } } strategy first-match legacy"
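
For the "large scale" case in the question, the following is an added example, not code from any poster in this thread: it generates the two tmsh commands per virtual server and refuses names that could break out of the templated command line. The function names (`valid_path`, `gen_asm_cmds`, `gen_batch`) are hypothetical, the `create` form is copied from the last reply, the `asm_auto_l7_policy__<name>` pattern from the question, and none of it is verified against a particular TMOS version.

```shell
#!/bin/sh
# Added example (not from the thread's posters). Command forms are copied from
# the replies above and are an assumption for any given TMOS version.

# Allow only full paths made of characters that are safe to template into tmsh.
valid_path() {
    case "$1" in
        */) return 1 ;;                   # no empty object name
        /*) ;;                            # must look like /partition/name
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9_./-]*) return 1 ;;   # rejects spaces, braces, quotes, ';'
    esac
    return 0
}

# gen_asm_cmds <virtual-server-path> <asm-policy-path>
gen_asm_cmds() {
    valid_path "$1" || { echo "rejected virtual server: $1" >&2; return 1; }
    valid_path "$2" || { echo "rejected ASM policy: $2" >&2; return 1; }
    # Naming pattern seen in the question: asm_auto_l7_policy__<virtual name>
    pol="asm_auto_l7_policy__${1##*/}"
    echo "create ltm policy ${pol} controls add { asm } rules add { default { actions add { 1 { asm enable policy $2 } } } } strategy first-match legacy"
    echo "modify ltm virtual $1 policies add { ${pol} }"
}

# gen_batch <asm-policy-path>   (virtual server paths on stdin, one per line)
gen_batch() {
    rc=0
    while IFS= read -r vs; do
        [ -n "$vs" ] || continue
        gen_asm_cmds "$vs" "$1" || rc=1   # keep going, report failure at the end
    done
    return "$rc"
}

# Constructed sample input: one valid name, one malformed entry that is skipped.
printf '%s\n' /network-test/dumb2_443 '/network-test/bad } name' |
    gen_batch /Common/WAF || true
```

The generated `modify` line adds only the LTM policy, since the error quoted in the question states that the bot-defense-asm profile is added to the virtual server automatically. Review the output before running it on a device.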