asm policy
4 Topics

Possible to export/import ASM policies via a script?

Is it possible to export ASM policies from one F5 and then import the ASM policies into another F5 via a script? I'd like to export the ASM policies from our prod F5 and then import them into our DR F5 in bulk via a script instead of exporting/importing one by one. Thx

2K views, 0 likes, 10 comments

Methods to attach ASM policy to virtual server via REST API requests
Two methods to attach the ASM policy to a virtual.

First method: Start with the policy and list the virtual names under one of its properties. This allows more than one virtual name to be listed and therefore applies the policy to all of them. This method is intuitive and easy to follow. You have to first locate the policy hash ID and then reference it by this ID as you post the names of the virtuals.

Second method (alternate): Start with the virtual and assign to it a "websecurity" profile and an LTM Layer 7 policy (pointing to the ASM policy). This method is less intuitive but safer to use in some cases. Use this method to add a policy to a virtual server without affecting any other virtual that may be using the same policy.

First Method:

Request
PATCH https://{{big_ip_a_mgmt}}/mgmt/tm/asm/policies/{{asm_policy_hash}}

Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}

Body
{ "virtualServers": ["/Common/hackazon_vs"] }

Get more information here: Lab 3.4: Apply ASM Policy to VS — F5 Programmability Training documentation

If not careful, a problem with this procedure appears when more than one virtual uses the same policy. You must post the list of virtual names in the body of the PATCH request. If any of the virtuals already listed under the policy is not resubmitted, the policy would be dropped from that virtual.

Alternate Method:

This alternate method applies the policy to one virtual server at a time.

Step 1: Create the LTM L7 policy (in draft mode), which activates the ASM policy for all traffic.

POST /mgmt/tm/ltm/policy
Body:
{
  "name": "<name_for_LTM_L7_policy>",
  "partition": "/Common/Drafts/",
  "controls": [ "asm" ],
  "requires": [ "http" ],
  "status": "legacy",
  "strategy": "/Common/first-match",
  "rules": [
    {
      "name": "default",
      "fullPath": "default",
      "ordinal": 1,
      "actions": [
        {
          "name": "1",
          "fullPath": "1",
          "asm": true,
          "code": 0,
          "enable": true,
          "expirySecs": 0,
          "length": 0,
          "offset": 0,
          "policy": "<name_for_ASM_policy>",
          "port": 0,
          "request": true,
          "status": 0,
          "timeout": 0,
          "vlanId": 0
        }
      ]
    }
  ]
}

Step 2: Publish the LTM policy created.

POST /mgmt/tm/ltm/policy
Body:
{ "command": "publish", "name": "/Common/Drafts/<name_for_LTM_L7_policy>" }

Step 3: Add the default "websecurity" profile to the virtual server.

POST /mgmt/tm/ltm/virtual/~Common~<virtual_server_name>/profiles
Body:
{ "context": "all", "name": "websecurity" }

Step 4: Add the LTM L7 policy to the virtual server.

POST /mgmt/tm/ltm/virtual/~Common~<virtual_server_name>/policies
Body:
{ "name": "<name_for_LTM_L7_policy>" }

Note: you do not directly add the ASM policy to the virtual, you add the LTM policy which references the ASM policy.

1.4K views, 2 likes, 0 comments

ASM suggestions: Allowing Meta character on URL or globally
Hi Everyone, I'm getting two different suggestions for the illegal metacharacter in URL (same char in both). One of them is suggesting to allow the metacharacter on URL level, the other is suggesting to allow the same metacharacter but in the URL character set; the only difference is that the second suggestion has the manual accept only sign. Keep in mind I only have one wildcard URL (*), so the suggestions must be related to the same URL. Is this behavior expected? Aren't both suggestions the same given my situation? What is the best practice in general? What does the manual accept indicate?

Extra info: version 12.1.2, policy type automatic

300 views, 0 likes, 1 comment

ltm policy asm_auto_l7_policy
Hi Experts, We are migrating WAF in an HA pair from i4800 to i5800; UCS is loaded successfully on the new pair. While comparing the configurations I found that for some policy on the previous node the status was legacy and on the new node the status is published. What's the difference please? The status is highlighted in red in the config below.

Old node config

ltm policy asm_auto_l7_policy__epsite.telenorbank.pk {
    controls { asm }
    last-modified 2023-12-08:23:19:30
    requires { http }
    rules {
        default {
            actions {
                1 {
                    asm
                    enable
                    policy /Common/PTCL-cloud_WAF
                }
            }
            ordinal 1
        }
    }
    status legacy
    strategy first-match7
}

New node config

ltm policy asm_auto_l7_policy__epsite.telenorbank.pk {
    controls { asm }
    last-modified 2024-04-17:13:00:12
    requires { http }
    rules {
        default {
            actions {
                1 {
                    asm
                    enable
                    policy /Common/PTCL-cloud_WAF
                }
            }
            ordinal 1
        }
    }
    status published
    strategy first-match
}

46 views, 0 likes, 0 comments