JustJozef
Feb 20, 2023

icontrol - policy-diff and merge

Hello,

I am trying to compare and merge two ASM policies via the REST API, but with no success.

I called the endpoint POST /mgmt/tm/asm/tasks/policy-diff with the body:

{"firstPolicyReference": { "link": "http://localhost/mgmt/tm/asm/policies/firstID"}, "secondPolicyReference": {"link": "http://localhost/mgmt/tm/asm/policies/secondID"}}

From the response I took the selfLink and called it as a GET request. The following response was reported:

{"executionStartTime": "2023-02-20T15:36:04Z", "status": "COMPLETED", "lastUpdateMicros": 1676907376000000.0, "kind": "tm:asm:tasks:policy-diff:policy-diff-taskstate", "selfLink": "https://localhost/mgmt/tm/asm/tasks/policy-diff/id?ver=16.1.3", "endTime": "2023-02-20T15:36:17Z", "id": "id", "startTime": "2023-02-20T15:36:04Z", "firstPolicyReference": {"link": "https://localhost/mgmt/tm/asm/policies/id?ver=16.1.3", "fullPath": "/Common/sp_test_firstpolicy"}, "secondPolicyReference": {"link": "https://localhost/mgmt/tm/asm/policies/id?ver=16.1.3", "fullPath": "/Common/sp_test_secondpolicy"}, "result": {"policyDiffReference": {"link": "https://localhost/mgmt/tm/asm/policy-diffs/id?ver=16.1.3", "firstPolicyReference": {"link": "https://localhost/mgmt/tm/asm/policies/id?ver=16.1.3", "fullPath": "/Common/sp_test_firstpolicy"}, "secondPolicyReference": {"link": "https://localhost/mgmt/tm/asm/policies/id?ver=16.1.3", "fullPath": "/Common/sp_test_secondpolicy"}}}}

But in the response I do not see details of what has been changed. Regarding the policies, I copied the first policy, created a new one with a different name, and added two additional response codes to it. No other changes have been added.

I tried to call the endpoint /mgmt/tm/asm/tasks/policy-merge just to see if something would change on the first policy, but no changes were made. Body of the request:

{"policyDiffReference": { "link": "selflink"}, "addMissingEntitiesToFirst": true}

When I compared the policies via the GUI, it was reported correctly. The second policy additionally contains two more response codes.

Allowed Response Codes: 419, 405.

Did I call it wrong?

Best Regards,

Jozef

  • I tried the guide at https://cdn.f5.com/websites/devcentral.f5.com/downloads/icontrol-rest-api-user-guide-16-1-0.pdf but I get the restjavad log error below:

    [SEVERE][252][10 Apr 2023 12:51:35 UTC][com.f5.rest.workers.asm.AsmConfigWorker] nanoTime:[3661835037124] threadId:[24] Exception:[ASMConfigException(error_message:Could not parse/validate the Policy Diff Task. Invalid reference for secondPolicyReference ('test-signature'), error_code:UNKNOWN, internal_error:Failed parse/validate for PolicyDiffTask found -- parse/validate aborted : Error message = Invalid reference for secondPolicyReference ('test-signature'), rest_code:REST_INTERNAL_SERVER_ERROR)

     

     

    I am not even getting to the merge 🙂. Still, you can try following the guide, as my version is 16.1.3 and maybe yours does not have the bug, as you need to send "POST", not "GET", requests and the Content-Type header should be application/json. Other than that, test with admin credentials in your lab, as the API user and token may have limited rights or something like that.

     

    • JustJozef

      In the end I modify the policy manually and then trigger a script with the Python library jsondiff to compare my last stored policy with the new one. Not perfect, but it helps.

  • A good question that I have been asking myself. If you get the answer, please share it, and if I also manage to find it, I will share it with you too 🙂

    • JustJozef

      Unfortunately I still do not have a solution for it. I will return to this topic in the next weeks, but I am afraid that I will end up with "manual" work when I want to merge two policies.

  • plc

     

    Hey JustJozef 

    You then need to call the selfLink of the response.

    curl -sku <user> "https://localhost/mgmt/tm/asm/tasks/policy-diff/<ID>" | jq .

    After that you'll get another link for policyDiffReference, something like this:

    ...
      "result": {
        "policyDiffReference": {
          "link": "https://localhost/mgmt/tm/asm/policy-diffs/<Diff_ID>?ver=17.1.1",
     ...

    Call this policyDiffReference link, adding "/differences" as the endpoint.

    curl -sku <user> "https://localhost/mgmt/tm/asm/policy-diffs/<Diff_ID>/differences" | jq .

    That did it for me, hope it helps you as well.

    Cheers
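
The sequence described in this thread (POST the policy-diff task, poll its selfLink until the status is COMPLETED, then GET the policyDiffReference link with /differences appended), as an added Python example that is not code from any poster or from F5. The management host name, the helper names and the polling parameters are assumptions; because the returned links point at localhost and carry a ?ver= query, the helper rewrites them before appending the suffix.

```python
import base64
import json
import time
import urllib.request
from urllib.parse import urlsplit, urlunsplit

DIFF_TASKS = "/mgmt/tm/asm/tasks/policy-diff"  # endpoint named in the thread

def rebase(link, host, suffix=""):
    """Point a returned link at the real host, drop ?ver=..., append suffix."""
    path = urlsplit(link).path.rstrip("/")
    return urlunsplit(("https", host, path + suffix, "", ""))

def http_send(user, password):
    """Build send(method, url, body) with Basic auth; TLS verification stays on."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    def send(method, url, body=None):
        req = urllib.request.Request(
            url, method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": "Basic " + token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send

def policy_differences(send, host, first_id, second_id, tries=30, delay=2.0):
    """Create the diff task, wait for COMPLETED, return the /differences JSON."""
    def ref(policy_id):
        # Reference format taken from the request and response bodies in the thread.
        return {"link": f"https://localhost/mgmt/tm/asm/policies/{policy_id}"}
    task = send("POST", f"https://{host}{DIFF_TASKS}",
                {"firstPolicyReference": ref(first_id),
                 "secondPolicyReference": ref(second_id)})
    task_url = rebase(task["selfLink"], host)
    for _ in range(tries):
        task = send("GET", task_url)
        if task.get("status") == "COMPLETED":
            diff_link = task["result"]["policyDiffReference"]["link"]
            # Naively appending to the link would land after "?ver=...".
            return send("GET", rebase(diff_link, host, "/differences"))
        time.sleep(delay)
    raise TimeoutError(f"policy-diff task still {task.get('status')!r}")

# Usage (hypothetical host and policy IDs):
# policy_differences(http_send("user", "secret"), "bigip.example.test", "firstID", "secondID")
```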