Automate ASM "Ready to Be Enforced" Attack Signatures
Hi All,

Problem scenario is this: Multiple F5 ASM deployments which use BigIQ to push out updated attack signatures (works well) and a 14 day Enforcement Readiness Period. This all works well up to this point, where someone manually has to go and click the "Enforce Ready Entities" button. That sounds like a minor thing to do, but in an Enterprise it includes change control/PVT etc to do... ...but automating this out as a fortnightly thing should reduce risk and I can do other things.

So I am comfortable with the API, but looking at v13/v14 API I don't see a functionality that can do this for me. Has anyone done this last step to fully automate attack signature updates?

Solved | 2.5K Views | 1 like | 11 Comments

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n
I am running a Playbook to test bigip_command using ansible [core 2.15.3] against LTM running 15.1.6.1. When I run the playbook I get the following message:

UNREACHABLE! => { “changed”: false, “msg”: “Failed to create temporary directory. In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in "/tmp", for more error information use -vvv. Failed command was: ( umask 77 && mkdir -p "echo $HOME/tmp"&& mkdir "echo $HOME/tmp/ansible-tmp-1709037153.0021555-3167181-73985055078518" && echo ansible-tmp-1709037153.0021555-3167181-73985055078518="echo $HOME/tmp/ansible-tmp-1709037153.0021555-3167181-73985055078518" ), exited with result 1”, “unreachable”: true }

When I run the Playbook with -vvv flags I see the following line just before the error message pasted above:

Failed to connect to the host via ssh: Syntax Error: unexpected argument “/bin/sh”

Similarly, if I test the ssh I also see this same unexpected argument message:

ansible all -m shell -a id -vvv
Syntax Error: unexpected argument “/bin/sh”\n’

I have tried editing various things in the hosts file and ansible.cfg but nothing I have tried seems to have made a difference. Is anyone familiar with this and what is needed to resolve this? Any help is greatly appreciated!

216 Views | 1 like | 4 Comments

Import PKCS 12 SSL to Device Certificate via API/Script or CLI on BIG-IP
We have more than 160 BIG-IP Virtual Edition with version 15.1.10.3 build 0.0.12. We need to import, in each one, an SSL Certificate in PFX/PKCS 12 format in the path System ›› Certificate Management: Device Certificate Management: Device Certificate. We looked in the documentation and the KB but we couldn't find a way to do it. Has anyone dealt with this and have a solution to do it via Script, CLI or API? Thank you.

80 Views | 0 likes | 1 Comment

Need help in automating BigIQ session summary reports
I have been asked to work out a way of automating the CSV report from BigIQ Monitoring Access Dashboard. Under Access > Sessions > Session Summary I have been filtering Network_Access as the AP result and then manually exporting the CSV there. Our security who does not have a Splunk server is asking for this every 24 hours. Therefore I am looking to see if there is a way I can have a scheduled job run for this. Only things I am finding are configuration automation or automation dealing with ASM. Any help would be greatly appreciated.

10 Views | 0 likes | 0 Comments

F5 + VSCode; 2024 roadmap
Greetings team!

As I started the vscode project in 2019, I had no idea where it would go. I just knew there was value in using it as a workbench to streamline f5 automations. Since then it has grown into a handful of projects covering several different aspects of F5. I am very thankful for all the great comments and feedback over the last couple of years.

As the 2023 year comes to an end, I wanted to take a moment to step back and solicit some feedback from the community. Please take a couple of minutes to review the following link and provide feedback.

https://github.com/f5devcentral/vscode-f5/discussions/234

In short, this is a way for me to gauge where I can make the biggest impact with these projects. Thank you.

522 Views | 5 likes | 1 Comment

Automating iControlSnapIn installation from Powershell
Hi,

I am trying to automate the installation of the iControlSnapIn from a Powershell script. The installation should be silent so that it can be run unsupervised and automatically. From the script I am trying to invoke something like

Start-Process "msiexec" -ArgumentList /i iControlSnapInSetup.msi /qn -Wait -Passthru

This does not return any error; however the snapin is not installed at the end. No files are copied to the program files folder. Has anyone successfully attempted this? Is there any other argument to be passed in to the msiexec to make this work?

UPDATE: if I remove the /qn option to run without UI and manually click through the wizard then it works. Therefore I believe there's something related to running silently that makes this installation fail (some missing parameter?)

212 Views | 0 likes | 0 Comments

TCL & regex - help to parse APM configuration in tmsh
Hello World,

I'm using a script to bring some automation to APM and provision resources to my AP from an external server. I'm stuck when comes the time to capture the macro name that I want to provision to the VPE. In a full APM config dump I can get the full resource assign objects using a regex like:

apm policy policy-item AP_NAME-resources_assignment_act_full_resource_assign.+?caption "Dynamic Resource Assign"

(in the VPE I have my macro named Dynamic Resource Assign of course)

This returns me a string that contains (in my environment) 2 macros:

apm policy policy-item AP_NAME-resources_assignment_act_full_resource_assign {
    agents {
        AP_SAG_NAME-resources_assignment_act_full_resource_assign_ag {
            type resource-assign
        }
    }
    app-service none
    caption "webtop Assign"
    color 1
    item-type action
    loop false
    macro none
    partition Common
    rules {
        {
            caption fallback
            expression none
            next-item AP_NAME-resources_assignment_act_empty_2
        }
    }
}
apm policy policy-item AP_NAME-resources_assignment_act_full_resource_assign_1 {
    agents {
        AP_NAME-resources_assignment_act_full_resource_assign_1_ag {
            type resource-assign
        }
    }
    app-service none
    caption "Dynamic Resource Assign"

I'm stuck in finding the right regex to capture the macro name of the second occurrence (AP_NAME-resources_assignment_act_full_resource_assign_1_ag). I tried:

AP_SAG_E11TST-resources_assignment_act_full_resource_assign.?.?_ag

but of course it returns two entries:

AP_SAG_NAME-resources_assignment_act_full_resource_assign_ag
AP_SAG_NAME-resources_assignment_act_full_resource_assign_1_ag

If anyone has a clue on how to filter out the caption "webtop Assign" entry or (better) make sure only the caption "Dynamic Resource Assign" one is returned that would help me quite a lot...

Thank you all!
Jérôme

198 Views | 0 likes | 0 Comments

Access to F5's mysql from remote server
Hi there,

I need to export a lot of learning suggestions from the ASM together with request data which triggered these suggestions. GUI does not allow to export learning suggestions. I realized that ASM learning suggestions are stored in the local mysql database PRX, to which I have access from F5's CLI as the 'asm' user. In order to work with these data efficiently and also because F5 does not allow me to install additional Python modules directly on the F5, I thought I could connect to this database from my remote server. But it looks like the F5 is refusing TCP/3306 connections although the 'asm' user is granted required privileges:

GRANT USAGE ON *.* TO 'asm'@'%' IDENTIFIED BY PASSWORD '****'

I assume that mysql is only allowing local connections from localhost, but I cannot verify it because I am not able to find the my.cnf on the F5 system. I tried connecting through management interface and also selfIP, but nothing worked. Port lock-down for my selfIP is allow any. According to netstat, F5 should be listening to port 3306 on all interfaces:

tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 19397/mysqld

TCPDUMP on the last firewall in front of the F5 shows me SYN reaching the F5 and immediate RST sent back from the F5.

Any ideas how to connect to F5 mysql from remote server? What do I need to check further? Is it even allowed by the system?

thanks.

447 Views | 0 likes | 1 Comment

TMSH::Install Command missing???
Hi there,

I'm moving ahead with starting to write my own iApp to deploy our hosted applications... However I've hit a stumbling block... I want the set-up wizard to create the certificates for the VIPs as part of the wizard using some text boxes on screen which I'll paste the existing server keys into...

I've found the following command within the tmsh reference guide:

(tmos.sys.crypto.cert) install cert test from-editor

However I'm struggling to find a way of doing this using an iApp... Any ideas?

Cheers
Gavin

455 Views | 0 likes | 8 Comments

Name-Based Virtual Host iApp...
Hi there,

I'm trying to create an iApp template which will support Name Based virtual hosting as found in Apache... I've created an iRule to handle the pool selection logic, which will look-up the Hostname against a computed Data-group name and return the relevant pool. Will attach a copy of the iRule for reference.

I'm now trying to create an iApp template that will handle the creation of the required application components. I can safely handle the creation of the VS & empty Data-group, however I'm struggling with the pool creation and Data-group population logic. Currently I've got a table in the iApp presentation layer as follows:

table vhosts {
    string hostname required
    string desc
    string addr required validator "IpAddress"
    string port default "8080" required validator "PortNumber" display "small"
    optional ( lb_method_choice == "ratio-member" ||
               lb_method_choice == "ratio-node" ||
               lb_method_choice == "ratio-session" ||
               lb_method_choice == "ratio-least-connections-memeber" ||
               lb_method_choice == "ratio-least-connections-node" ||
               lb_method_choice == "dynamic-ratio-member" ||
               lb_method_choice == "dynamic-ratio-node" ) {
        string ratio default "1" validator "NonNegativeNumber" display "small"
    }
}

This table allows the entry of:

- HTTP Hostname
- Back-end server hostname
- Back-end server IP Address
- Back-end server Port
- Back-end connection ratio.

What I want to do is parse the above table and use it to do the following:

- Create a pool for each unique hostname, which could contain 1 or more back-end servers.
- Populate a Data-group with the http hostname and corresponding pool name.

Any thoughts/pointers welcome.

Regards
Gavin

326 Views | 0 likes | 1 Comment