Add or delete a parameter from multiple ASM policy or modify multiple ASM policy via API (iControlREST)
Problem this snippet solves: Sometimes it is necessary to add a parameter into multiple policy or all policies or to delete a parameter from multiple policies. If you have hundreds of asm polices and you try to do it via GUI, It takes long time and It is boring. For example, you have a new vulnerability scanner and you want to add all policies, or your contract with a security analysis company and you want to delete their IP address from all asm policies. If you have lots of policy, this gets big issue. How to use this snippet: I wrote a sample bash script, It adds an IP into the trusted IP list of multiple asm policy or deletes an IP from the trusted IP list of all asm policies. Firstly, you must choose which asm polices you want to change. Use this command to get list of the asm policies and write it into a file(asmPolicies.txt😞 curl -k -u <admin>:<password> -H "Content-Type: application/json" -X GET https://<F5 IP Address>/mgmt/tm/asm/policies?$select=id,name,fullPath | jq -r '.items[] | "\(.id) \(.name) \(.fullPath)"' > asmPolicies.txt This is the sample content of an asmPolicies.txt [root@f5 asmPolicies]# cat asmPolicies.txt x3yyOJTe3CvcWJDMqpnrgQ First /Common/First RqXf73h6qZY94EFGVDSlbg SecPolManual_First /Common/SecPolManual_First d928o8by0WBrWdW7oadMQg SecPol-Lab14 /Common/SecPol-Lab14 i4LnoF4GwMKRhTZ81RCeSQ SecPol-Lab14.2 /Common/SecPol-Lab14.2 kLoqhuDoa6bEeBjcrFo4VA SecPol-Lab15.1 /Common/SecPol-Lab15.1 DvE_fPp2tLUZvJi8cb8Rpg SecPol-Lab15.2 /Common/SecPol-Lab15.2 52dxLNxjExt6QRNvbg7fHA SecPol-Lab15.3 /Common/SecPol-Lab15.3 DcSvljkbLZQD19adkVdV3A SecPol-Lab16.2 /Common/SecPol-Lab16.2 rJ6Mt9sPxzgLu6WHyyifLg SecPol-Lab16.4 /Common/SecPol-Lab16.4 Sy_0vNh-5VXal-xDlMXMqw Single_URI /Common/Single_URI Hzyj8pZF6flV3VhTkCFkig SecPol-Lab22.2 /Common/SecPol-Lab22.2 sPR5LNQrrf29I1xZ8MtcRA SecPol-Lab16.4_2 /Common/SecPol-Lab16.4_2 Secondly, check the asmPolicies.txt, and erase the lines which policies you dont want to change Last, copy updateAsmPolicies.sh(attached) in a directory, then run updateAsmPolicies.sh with an appropriate command and parameter Usage: updateAsmPolicies.sh command parameter Commands: -a, -add add an IP address into the trusted IP list -d, -delete delete an IP address from the trusted IP list -c, -change <orgIP-newIP> delete the orgIP from the trusted IP list, then add the newIP into the trusted IP list updateAsmPolicies.sh -a 1.1.1.1 -> adds 1.1.1.1 into the trusted IP list updateAsmPolicies.sh -d 1.1.1.1 -> delete 1.1.1.1 from the trusted IP list that is it. This is just a sample. Code : #!/bin/bash #### #### AUTHOR: FARUK AYDIN --- farukaydin at yahoo.com #### DATE: 2018.01.25 #### This script adds or deletes or changes the trusted IP addresses in the asm policies #### #### Prerequest commands: ####echo ####curl ####jq ####shift ####cut ####cat function usage { echo "Usage: $0 command parameter" echo "Commands:" echo "-a, -add add an IP address into the trusted IP lists" echo "-d, -delete delete an IP address from the trusted IP lists" echo "-c, -change delete the orgIP from trusted IP lists, then add the newIP into the trusted IP lists" exit 0 } if [ ${#@} == 0 ]; then usage fi addingIP() { echo adding $2 into $1 policy; curl -sk -u ${f5user}:${f5pass} -H "Content-Type: application/json" -X POST -d '{"ipAddress":"'"$2"'","ipMask":"255.255.255.255","trustedByPolicyBuilder":true}' https://${f5host}/mgmt/tm/asm/policies/$1/whitelist-ips } deleteIP() { md5IP=$(curl -sk -u ${f5user}:${f5pass} -H "Content-Type: application/json" -X GET https://${f5host}/mgmt/tm/asm/policies/$1/whitelist-ips | jq -r '.items[] | select(.ipAddress=="'"$2"'") |"\(.id)"') if [ -z "$md5IP" ]; then echo $2 is not found in $1 policy; else echo deleting $1 from $1 policy; curl -sk -u ${f5user}:${f5pass} -H "Content-Type: application/json" -X DELETE https://${f5host}/mgmt/tm/asm/policies/$1/whitelist-ips/${md5IP} fi } UNKNOWN=() param=0 whatTodo="nothing" whatToDoN=0 f5user="admin" f5pass="password" f5host="192.168.1.245" while [[ $# -gt 0 ]] do key="$1" case $key in -a|--add) ((param++)) addIP="$2" whatToDo="adding a new trusted IP(${addIP}) to all asm policies" whatToDoN=1 shift # past argument shift # past value ;; -d|--delete) ((param++)) delIP="$2" whatToDo="deleting the trusted IP(${delIP}) from all asm policies" whatToDoN=2 shift # past argument shift # past value ;; -c|--change) ((param++)) changeIP="$2" orgIP=$(echo $changeIP | cut -f1 -d-) newIP=$(echo $changeIP | cut -f2 -d-) if [ "${orgIP}" == "${newIP}" ] ; then orgIP=$(echo $changeIP | cut -f1 -d:) newIP=$(echo $changeIP | cut -f2 -d:) fi whatToDo="changing the trusted IP(${orgIP}) with the new IP(${newIP}) in all asm policies" whatToDoN=3 shift # past argument shift # past value ;; --default) DEFAULT=YES ((param++)) shift # past argument ;; *) # unknown option UNKNOWN+=("$1") # save it in an array for later shift # past argument ;; esac done if [ "${param}" -gt 1 ] ; then echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "!!!!!!!! you used ${param} commands !!!!!!!!" echo "!!! you must use only one command !!!" echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" usage fi echo "${whatToDo}", Option: "${whatToDoN}" for i in $(cat asmPolicies.txt | cut -d " " -f 1); do case $whatToDoN in 1) addingIP $i $addIP ;; 2) deleteIP $i $delIP ;; 3) deleteIP $i $orgIP addingIP $i $newIP ;; esac done Tested this on version: 12.1Powershell - Get Current Connection for Nodes
Hello, I've been unable to find any posts with solutions to this problem. It's been asked a few times, but either the question is never answered, or at the very least nobody can provide a way to do this with the PS Snapin's F5 developed. Question: How do you query for the Current Connections for a given Node? The cmdlets Get- and Get- don't seem to provide this information. Is there an object associated with 'Get-' cmdlet that will allow for this query? I can't seem to find any documentation for all the objects tied with this cmdlet. I think this might be the route to go, but am having a difficult time finding something for 'Current Connections'. I need a Powershell solution for this, not Bash or Python. Thank you for your help!iControl Add-Snapin fails after setup
Received a new workstation and had to reload the icontrol code. This is a windows 10 workstation. I was able to run the setupSnapin and can see the snapin registered, but I cannot seem to Add-PSSnapin iControlSnapin. PLEASE point me in the right direction..... PS C:\Program Files\F5 Networks\iControlSnapIn> add-pssnapin iControlSnapIn add-pssnapin : Cannot load Windows PowerShell snap-in iControlSnapIn because of the following error: Could not load file or assembly 'iControlSnapin.dll' or one of its dependencies. The system cannot find the path specified. At line:1 char:1 + add-pssnapin iControlSnapIn + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidData: (iControlSnapIn:String) [Add-PSSnapin], PSSnapInException + FullyQualifiedErrorId : AddPSSnapInRead,Microsoft.PowerShell.Commands.AddPSSnapinCommand
Why do calls to REST API fail?
We are seeing intermittent failures for calls to the rest api on 11.5.1 HF6. The TCP handshake completes, client sends SSL Client Hello, BigIP sends ACK, and no further packets are seen. Is this related to iControl/REST connection limits? In the icrd log I see: Nov 1 12:45:34 mylb notice icrd_child[31618]: 31618,31633, RestRequestSender, INFO,Connection idle too long fd:9 cached. Nov 1 12:45:42 mylb notice icrd: 8195,13830, RestRequestSender, INFO,Connection idle too long fd:13 cached. Nov 1 12:50:34 mylb notice icrd_child[31655]: 31655,31670, RestRequestSender, INFO,Connection idle too long fd:10 cached. Nov 1 12:50:52 mylb notice icrd: 8195,13830, RestRequestSender, INFO,Connection idle too long fd:13 cached. Nov 1 12:55:33 mylb notice icrd_child[31717]: 31717,31732, RestRequestSender, INFO,Connection idle too long fd:10 cached. Nov 1 12:56:02 mylb notice icrd: 8195,13830, RestRequestSender, INFO,Connection idle too long fd:13 cached. Nov 1 12:56:08 mylb notice icrd: 8195,13817, RestServer, INFO,Connection idle too long fd:11 Nov 3 13:05:33 mylb notice icrd_child[31936]: 31936,31951, RestRequestSender, INFO,Connection idle too long fd:10 cached. Nov 3 13:05:51 mylb notice icrd: 8195,13830, RestRequestSender, INFO,Connection idle too long fd:13 cached. Nov 3 13:06:08 mylb notice icrd: 8195,13817, RestServer, INFO,Connection idle too long fd:11 The restjavad log doesn't register anything during the failure time, and lsof shows the below. [myuser@mylb:Active:Changes Pending] ~ lsof -nPu apache | grep -E "(TCP|COMMAND)" COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME httpd 12579 apache 3u IPv6 1272168705 TCP *:80 (LISTEN) httpd 12579 apache 5u IPv6 1272168710 TCP *:443 (LISTEN) httpd 12579 apache 18u IPv4 1554156729 TCP 127.0.0.1:52743->127.0.0.1:8100 (CLOSE_WAIT) ...several iterations of the above... httpd 16246 apache 3u IPv6 1272168705 TCP *:80 (LISTEN) httpd 16246 apache 5u IPv6 1272168710 TCP *:443 (LISTEN) httpd 16246 apache 16u IPv6 1555163788 TCP 10.1.1.1:443->10.10.10.10:50000 (ESTABLISHED) httpd 16246 apache 18u IPv4 1554419261 TCP 127.0.0.1:43108->127.0.0.1:8100 (CLOSE_WAIT)SOAP Request Formation for iControl
Hello, I am trying to get the list of virtual servers under all the partitions in the LTM using the below SOAP message. http://www.w3.org/2001/XMLSchema-instance"; xmlns:xsd="; xmlns:soapenv="; xmlns:vir="urn:iControl:LocalLB/VirtualServer"> ' target="_blank" rel="nofollow">http://schemas.xmlsoap.org/soap/encoding/"/>; But getting only the vs under common partition. Could someone please let me know how to get the list of virtual servers for all partitions.