Add or delete a parameter from multiple ASM policy or modify multiple ASM policy via API (iControlREST)
Problem this snippet solves: Sometimes it is necessary to add a parameter into multiple policy or all policies or to delete a parameter from multiple policies. If you have hundreds of asm polices and you try to do it via GUI, It takes long time and It is boring. For example, you have a new vulnerability scanner and you want to add all policies, or your contract with a security analysis company and you want to delete their IP address from all asm policies. If you have lots of policy, this gets big issue. How to use this snippet: I wrote a sample bash script, It adds an IP into the trusted IP list of multiple asm policy or deletes an IP from the trusted IP list of all asm policies. Firstly, you must choose which asm polices you want to change. Use this command to get list of the asm policies and write it into a file(asmPolicies.txt😞 curl -k -u <admin>:<password> -H "Content-Type: application/json" -X GET https://<F5 IP Address>/mgmt/tm/asm/policies?$select=id,name,fullPath | jq -r '.items[] | "\(.id) \(.name) \(.fullPath)"' > asmPolicies.txt This is the sample content of an asmPolicies.txt [root@f5 asmPolicies]# cat asmPolicies.txt x3yyOJTe3CvcWJDMqpnrgQ First /Common/First RqXf73h6qZY94EFGVDSlbg SecPolManual_First /Common/SecPolManual_First d928o8by0WBrWdW7oadMQg SecPol-Lab14 /Common/SecPol-Lab14 i4LnoF4GwMKRhTZ81RCeSQ SecPol-Lab14.2 /Common/SecPol-Lab14.2 kLoqhuDoa6bEeBjcrFo4VA SecPol-Lab15.1 /Common/SecPol-Lab15.1 DvE_fPp2tLUZvJi8cb8Rpg SecPol-Lab15.2 /Common/SecPol-Lab15.2 52dxLNxjExt6QRNvbg7fHA SecPol-Lab15.3 /Common/SecPol-Lab15.3 DcSvljkbLZQD19adkVdV3A SecPol-Lab16.2 /Common/SecPol-Lab16.2 rJ6Mt9sPxzgLu6WHyyifLg SecPol-Lab16.4 /Common/SecPol-Lab16.4 Sy_0vNh-5VXal-xDlMXMqw Single_URI /Common/Single_URI Hzyj8pZF6flV3VhTkCFkig SecPol-Lab22.2 /Common/SecPol-Lab22.2 sPR5LNQrrf29I1xZ8MtcRA SecPol-Lab16.4_2 /Common/SecPol-Lab16.4_2 Secondly, check the asmPolicies.txt, and erase the lines which policies you dont want to change Last, copy updateAsmPolicies.sh(attached) in a directory, then run updateAsmPolicies.sh with an appropriate command and parameter Usage: updateAsmPolicies.sh command parameter Commands: -a, -add add an IP address into the trusted IP list -d, -delete delete an IP address from the trusted IP list -c, -change <orgIP-newIP> delete the orgIP from the trusted IP list, then add the newIP into the trusted IP list updateAsmPolicies.sh -a 1.1.1.1 -> adds 1.1.1.1 into the trusted IP list updateAsmPolicies.sh -d 1.1.1.1 -> delete 1.1.1.1 from the trusted IP list that is it. This is just a sample. Code : #!/bin/bash #### #### AUTHOR: FARUK AYDIN --- farukaydin at yahoo.com #### DATE: 2018.01.25 #### This script adds or deletes or changes the trusted IP addresses in the asm policies #### #### Prerequest commands: ####echo ####curl ####jq ####shift ####cut ####cat function usage { echo "Usage: $0 command parameter" echo "Commands:" echo "-a, -add add an IP address into the trusted IP lists" echo "-d, -delete delete an IP address from the trusted IP lists" echo "-c, -change delete the orgIP from trusted IP lists, then add the newIP into the trusted IP lists" exit 0 } if [ ${#@} == 0 ]; then usage fi addingIP() { echo adding $2 into $1 policy; curl -sk -u ${f5user}:${f5pass} -H "Content-Type: application/json" -X POST -d '{"ipAddress":"'"$2"'","ipMask":"255.255.255.255","trustedByPolicyBuilder":true}' https://${f5host}/mgmt/tm/asm/policies/$1/whitelist-ips } deleteIP() { md5IP=$(curl -sk -u ${f5user}:${f5pass} -H "Content-Type: application/json" -X GET https://${f5host}/mgmt/tm/asm/policies/$1/whitelist-ips | jq -r '.items[] | select(.ipAddress=="'"$2"'") |"\(.id)"') if [ -z "$md5IP" ]; then echo $2 is not found in $1 policy; else echo deleting $1 from $1 policy; curl -sk -u ${f5user}:${f5pass} -H "Content-Type: application/json" -X DELETE https://${f5host}/mgmt/tm/asm/policies/$1/whitelist-ips/${md5IP} fi } UNKNOWN=() param=0 whatTodo="nothing" whatToDoN=0 f5user="admin" f5pass="password" f5host="192.168.1.245" while [[ $# -gt 0 ]] do key="$1" case $key in -a|--add) ((param++)) addIP="$2" whatToDo="adding a new trusted IP(${addIP}) to all asm policies" whatToDoN=1 shift # past argument shift # past value ;; -d|--delete) ((param++)) delIP="$2" whatToDo="deleting the trusted IP(${delIP}) from all asm policies" whatToDoN=2 shift # past argument shift # past value ;; -c|--change) ((param++)) changeIP="$2" orgIP=$(echo $changeIP | cut -f1 -d-) newIP=$(echo $changeIP | cut -f2 -d-) if [ "${orgIP}" == "${newIP}" ] ; then orgIP=$(echo $changeIP | cut -f1 -d:) newIP=$(echo $changeIP | cut -f2 -d:) fi whatToDo="changing the trusted IP(${orgIP}) with the new IP(${newIP}) in all asm policies" whatToDoN=3 shift # past argument shift # past value ;; --default) DEFAULT=YES ((param++)) shift # past argument ;; *) # unknown option UNKNOWN+=("$1") # save it in an array for later shift # past argument ;; esac done if [ "${param}" -gt 1 ] ; then echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "!!!!!!!! you used ${param} commands !!!!!!!!" echo "!!! you must use only one command !!!" echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" usage fi echo "${whatToDo}", Option: "${whatToDoN}" for i in $(cat asmPolicies.txt | cut -d " " -f 1); do case $whatToDoN in 1) addingIP $i $addIP ;; 2) deleteIP $i $delIP ;; 3) deleteIP $i $orgIP addingIP $i $newIP ;; esac done Tested this on version: 12.1
Whitelist via FTP
Question, I have created whitelist in the past, but have been recently been asked to create a whitelist for FTP clients. THe premise of the rule is, if you come this IP address, get directed to this pool. Else, go to this IP address. Would I have to invoke a client_Accept instead of a HTTP_REQUEST? when HTTP_REQUEST { if {not ([class match [IP::remote_addr] equals Whitelist_Sorry]) } { pool some_FTP_Pool } else { pool some_other_FTP_Pool log local0. "Condition not matched. Go here.." } } class Whitelist_Sorry { { host 10.10.5.139 network 172.16.0.0/16 } }
Whitelist Blacklist iRule using data group for multiple clients
We are testing single VIP configuration in our test lab, where single public IP will be assigned to multiple clients, using an iRule with a data group. iRule looks like this --- when HTTP_REQUEST { set pool [class match -value -- [HTTP::host] equals test_url] if {$pool ne ""} { pool $pool } } test_url is data group which has strings mapped to appropriate pools of each client. For example, string client1.com mapped to pool client1.net. string client2.com mapped to pool client2.net Now the issue is we want to include whitelist/blacklist for these clients in the same iRule if possible or even a separate iRule would be OK. Could someone suggest the syntax for whitelising/blacklisting based on client string and remote IP pair in data group? For example, if string has client1 and matches dg_whitelist_1, allow. if string has client2 and matches dg_whitelist_2, allow. if string has client3 and matches dg_blacklist_1, deny. There are also clients with no whitelist/blacklist, so it should work just fine for them within same iRule.Single iRule for multiple customers to whitelist blacklist via data group
We have been using separate whitelist/blacklist for each customer so far, since we used separate VIP for each customer. But we are now planning to move to single VIP configuration to handle traffic for all customers for which we have the iRule in our test lab which works fine for our requirement. However we would also like to have one common iRule for whitelist/blacklist that can be handle traffic via data group, to avoid editing iRule for every new customer addition. Please suggest syntax for the same. when HTTP_REQUEST { if { ([matchclass [string tolower [HTTP::host][HTTP::uri]] contains "Customer1_Blacklist_URLs"]) and ([matchclass [IP::remote_addr] equals "Customer1_Blacklist_IPs"]) } { HTTP::respond 403 } } when HTTP_REQUEST { if{ ([matchclass [string tolower [HTTP::host][HTTP::uri]] contains "Customer2_Blacklist_URLs"]) and ([matchclass [IP::remote_addr] equals "Customer2_Blacklist_IPs"]) } { HTTP::respond 403 } }
iRule for IP restriction with multiple virt servers and multiple DGL of allowed IPs.
I have read through a multitude of threads, but my scenario seems a little unique. A little background so it all makes sense. We serve multiple customers with their own site, each site is a virt server and arte using the header to match rather than a single IP per. Each customer has a unique data group list of allowed IP's. We did not want a single list of allowed IP's in case a customer was emailed an incorrect URL by mistake, or just started browsing other dns records for the domain etc. We are changing our monitoring company and I would like to have a second data group list of IP's that are allowed so that any time there is a change for a source IP of monitoring, one of our offices etc, we don't have to touch 100 lists. The current iRule we are using is: when HTTP_REQUEST priority 100 { # This iRule will check if the client request is SITE.DOMAIN.COM and the client source IP is NOT a member of the datagroup specified which is a list of allowed IPs # If the client ip address is matched to the list of allowed IPs then it will bring up the web page, if it isnt, then it will bring up the COMPANY IP Forbidden Page. if { ( [string tolower [HTTP::host]] equals "1000-t01.DOMAIN.COM" ) and not ( [class match [IP::client_addr] equals COMPANY-1000-CUSTOMER-DG-Allow ] ) } { # log local0."Invalid CUSTOMER client IP: [IP::client_addr] - Blocking traffic" HTTP::respond 200 content [ifile get COMPANY_ip_forbidden] after 50 drop event disable } } How do I add the second data group, and allow if the source IP is in either of the two data groups?
DDoS IPI List - Whitelist Update Domains
Problem this snippet solves: Legitimate IP address ranges and Domain Names of valid update servers. Additional info can be found: https://github.com/c2theg/DDoS_lists How to use this snippet: Add to IPI feeds. Security >> Network Firewall >> IP Intelligence : Feed Lists Create new list: DDoS_Feeds Add rule. Give a good name, IE: whitelist_update_servers List Type: whitelist Update frequency: 3600 Default Blacklist Category: (Create new one) Whitelisted_Source Admin / Password: <Leave Blank> Tested this on version: 13.0DDoS IPI List - Whitelist NTP Servers
Problem this snippet solves: Legitimate IP address ranges of valid NTP Servers. Additional info can be found: https://github.com/c2theg/DDoS_lists How to use this snippet: Add to IPI feeds. Security >> Network Firewall >> IP Intelligence : Feed Lists Create new list: DDoS_Feeds Add rule. Give a good name, IE: whitelist_ntp_servers List Type: whitelist Update frequency: 3600 Default Blacklist Category: (Create new one) Whitelisted_Source Admin / Password: <Leave Blank> Tested this on version: 13.0DDoS IPI List - Whitelist DNS Servers
Problem this snippet solves: Legitimate IP address ranges of valid DNS Servers Additional info can be found: https://github.com/c2theg/DDoS_lists How to use this snippet: Add to IPI feeds. Security >> Network Firewall >> IP Intelligence : Feed Lists Create new list: DDoS_Feeds Add rule. Give a good name, IE: whitelist_dns_servers List Type: whitelist Update frequency: 3600 Default Blacklist Category: (Create new one) Whitelisted_Source Admin / Password: <Leave Blank> Tested this on version: 13.0DDoS IPI List - Bogons
Problem this snippet solves: Bogon IP address ranges to block traffic from Additional info can be found: https://github.com/c2theg/DDoS_lists How to use this snippet: Add to IPI feeds. Security >> Network Firewall >> IP Intelligence : Feed Lists Create new list: DDoS_Feeds Add rule. Give a good name, IE: blacklist_bogon List Type: blacklist Update frequency: 432000 Default Blacklist Category: (Create new one) Blacklisted_Source Admin / Password: <Leave Blank> Tested this on version: 13.0iRule for Whitelist basepath
He guys, I am new on F5 BIG-IP. I want to allow the url: https://test.biranetworxx.com/* and restrict the basepath https://test.biranetworxx.com/provider/test* for only one IP. https://test.biranetworxx.com/* must be avail for all https://test.biranetworxx.com//provider/test* must be avail only for a single IP 185.XX.XX.120 Could you please advice. I tried to do that with ltm policy but the restriction is not applied. And I can 't see the problem. Thanking you for your time and response regards