Technical Forum
Automate ASM "Ready to Be Enforced" Attack Signatures

danielpenna
Cirrus

Hi All,

Problem scenario is this: multiple F5 ASM deployments which use BigIQ to push out updated attack signatures (works well) and a 14 day Enforcement Readiness Period. This all works well up to this point, where someone manually has to go and click the "Enforce Ready Entities" button.

That sounds like a minor thing to do, but in an Enterprise it includes change control/PVT etc to do...

...but automating this out as a fortnightly thing should reduce risk and I can do other things.

So I am comfortable with the API, but looking at the v13/v14 API I don't see functionality that can do this for me. Has anyone done this last step to fully automate attack signature updates?


1 ACCEPTED SOLUTION

DanSkow
Nimbostratus

In case anyone is still looking for a way to do this, I created a Big-IQ script that can be pushed to your ASM devices. Here's what it does:

  1. It checks the HA status, and exits the script if the HA status is Standby
  2. It uses iControl REST to create a file that lists the policy hashes for each of your ASM policies
  3. It uses a bash for loop to loop through each of your ASM policy hashes, enforces Ready Signatures for each policy, and applies each policy

This is a plug-n-play script, so you shouldn't need to modify it at all. I've used it on v15.1.5 and v15.1.8.

------------------------------------------------------------------------------------------------------------------------

#!/bin/bash
# Determines HA Status, creates variable, then loops through it on Active devices

cd /var/tmp/ || exit 1

# Static Variables
CREDS=admin

# Writes HA Status to a file
tmsh show /cm failover-status | grep Status > /var/tmp/ha-status.txt
chmod 755 /var/tmp/ha-status.txt

# Exits script if the HA Status file contains the string STANDBY
if grep -q STANDBY /var/tmp/ha-status.txt; then
  exit 0
fi

# Creates variable with list of policy hashes (all policies), then prints variable contents to txt file
# (to leave out parent/template policies, add select() filters to the jq expression as shown further down)
POLICY_IDS=$(curl -kvu "$CREDS" http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | .id')
printf '%s\n' "$POLICY_IDS" > /var/tmp/policy-hashes.txt

LINES=$(cat /var/tmp/policy-hashes.txt)

# ASM - Enforces Ready Entities and Applies Policies - All Policies
for LINE in $LINES
do
  # Clears staging on signatures that are past the readiness period, have no learning suggestions and are still staged
  curl -kvu "$CREDS" -X PATCH "https://localhost/mgmt/tm/asm/policies/$LINE/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true" \
    -H "Content-Type: application/json" -d '{"performStaging":false}' | jq .
  LINK="https://localhost/mgmt/tm/asm/policies/$LINE"
  # Applies the policy so the enforcement change takes effect
  curl -kvu "$CREDS" -X POST https://localhost/mgmt/tm/asm/tasks/apply-policy \
    -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": \"$LINK\"}}" | jq .
  sleep 10s
done

------------------------------------------------------------------------------------------------------------------------

If you want to exclude specific policies, such as a Parent or Template policy, you can change the line where the FILENAME variable is created to exclude those policies like this:

FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | select(.name!="asm_parent") | select(.name!="asm_template") | .id')

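The same three steps (list policies, clear staging on ready signatures, apply each policy) as an added Python example; this is not DanSkow's script and not F5's own code. The endpoints, the OData filter and the apply-policy request body are the ones quoted in the thread. It goes a little beyond the shell version: the HTTP transport is a plain callable, so the run can be dry-run or unit-tested offline, and it returns an audit list of what was enforced per policy for the change record. Assumed, not from the thread: that the PATCH response lists the updated signatures under `items`, that the apply-policy task returns `id` and `status`, that it can be polled at `/mgmt/tm/asm/tasks/apply-policy/<id>` until `COMPLETED` or `FAILURE`, and the urllib transport with basic auth.

```python
"""Added example: enforce ready ASM signatures over iControl REST with a pluggable transport."""
import base64
import json
import ssl
import time
import urllib.request
from urllib.parse import quote

# Filter quoted in the thread: staged signatures with no learning suggestions
# that are past the enforcement readiness period.
READY_FILTER = ("hasSuggestions eq false AND "
                "wasUpdatedWithinEnforcementReadinessPeriod eq false AND "
                "performStaging eq true")

EXCLUDED_NAMES = {"asm_parent", "asm_template"}  # names used in the thread's jq example


def candidate_policies(policy_list, excluded=EXCLUDED_NAMES):
    """(id, name) pairs from a GET /mgmt/tm/asm/policies body, skipping excluded names."""
    return [(p["id"], p["name"]) for p in policy_list.get("items", [])
            if p.get("name") not in excluded]


def enforce_request(base, policy_id):
    """PATCH that clears staging on the signatures matched by READY_FILTER."""
    url = f"{base}/mgmt/tm/asm/policies/{policy_id}/signatures?$filter=" + quote(READY_FILTER)
    return ("PATCH", url, {"performStaging": False})


def apply_request(base, policy_id):
    """POST that creates an apply-policy task (body as quoted in the thread)."""
    return ("POST", f"{base}/mgmt/tm/asm/tasks/apply-policy",
            {"policyReference": {"link": f"{base}/mgmt/tm/asm/policies/{policy_id}"}})


def wait_for_task(send, base, task, attempts=30, interval=2.0):
    """Poll the task until a terminal status (assumption: 'status' field, COMPLETED/FAILURE)."""
    for _ in range(attempts):
        status = task.get("status")
        if status in ("COMPLETED", "FAILURE"):
            return status
        time.sleep(interval)
        task = send("GET", f"{base}/mgmt/tm/asm/tasks/apply-policy/{task['id']}", None)
    return "TIMEOUT"


def enforce_all(send, base="https://localhost", dry_run=False, interval=2.0):
    """send(method, url, body_or_None) -> parsed JSON.
    Returns [(policy_name, enforced_signature_count, apply_status), ...] as an audit trail."""
    audit = []
    policies = send("GET", f"{base}/mgmt/tm/asm/policies", None)
    for pid, name in candidate_policies(policies):
        if dry_run:
            audit.append((name, None, "dry-run"))
            continue
        patched = send(*enforce_request(base, pid))
        enforced = len(patched.get("items", []))  # assumption: PATCH returns the updated signatures
        task = send(*apply_request(base, pid))
        audit.append((name, enforced, wait_for_task(send, base, task, interval=interval)))
    return audit


def urllib_transport(user, password, verify_tls=True):
    """Real transport with HTTP basic auth; verify_tls=False mirrors curl -k on a self-signed box."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Basic {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    return send


if __name__ == "__main__":
    import getpass
    import sys
    transport = urllib_transport("admin", getpass.getpass("admin password: "), verify_tls=False)
    for row in enforce_all(transport, dry_run="--dry-run" in sys.argv):
        print(row)
```

Run it once with `--dry-run` first: that only performs the GET and prints which policies would be touched, which is the list to attach to the change ticket before the real run.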

2 REPLIES


Thanks for this, @DanSkow! I'm sure it'll come in handy for future users. Apologies to @danielpenna for not having spotted that his question was hanging for so long! The team is working to correct that going forward.