ASM Signature Enforcement via iControl REST

Hi DevCentral community!

Is there any way in ASM to enforce signatures (in staging, but ready to be enforced) via iControl REST?

We are currently trying to automate signature updates and their enforcement.

Thank you in advance.

Comments on this Question
Comment made 5 months ago by Dominik 23

Hi!

I found a solution for automating the signature enforcement for ASM policies.

The first step is to retrieve all ASM policies from the BIG-IP:

GET https://f5.intern/mgmt/tm/asm/policies/?$select=id,partition,name

{
    ...
    "items": [
        {
            "name": "POLICY1",
            "id": "12ABcd34-567eFgHi89",
            "partition": "PART1"
        },
        ...
    ]
}

In the next step you need to get all signatures associated with the policy that are in staging mode:

GET https://f5.intern/mgmt/tm/asm/policies/12ABcd34_567eFgHi89/signatures/?$filter=performStaging eq true&$select=id,performStaging

{
    ...
    "items": [
        {
            ...
            "performStaging": true,
            "id": "1a2b3c4edefg128"
        },
        ...
    ]
}

The last step is to enforce the target signatures (e.g. every signature of a policy individually):

PATCH https://f5.intern/mgmt/tm/asm/policies/12ABcd34_567eFgHi89/signatures/1a2b3c4edefg128

Request Payload:

{
    "performStaging": false
}

The BIG-IP's response contains the staging status of the updated signature for verification:

{
    ...
    "id": "1a2b3c4edefg128",
    "performStaging": false,
    ...
}

Result:

It is possible to enforce the signatures of an ASM policy in an automated fashion via the iControl REST ASM interface.

Comment made 5 months ago by Philipp Stadler 286

Hi, but this doesn't exclude signatures where suggestions are triggered during staging ... or rather, it doesn't check the "ready to be enforced" state - correct?

Comment made 5 months ago by Dominik 23

Yes, you are correct, this does not check the "enforcement readiness" state. Thanks for pointing out the respective API calls to achieve this functionality in https://devcentral.f5.com/d/icontrol-rest-user-guide-version-131-246. Please let me know once you have an update on your open case.

On the other hand, a workaround I could think of is to check all learning suggestions for a given policy for their status and last occurrence. If a signature does not have any suggestions associated for a specified time range it can be ready for enforcement.

E.g., by issuing the following calls, you could conclude that if no learning suggestion associated with a particular signature has occurred for more than 7 days, the signature is ready for enforcement:

GET https://f5.intern/mgmt/tm/asm/policies/ABCDEFG123456/?$select=id,enforcementReadinessPeriod

...
"stagingSettings":{
    "signatureStaging":true,
    "enforcementReadinessPeriod":7
}
...

GET https://f5.intern/mgmt/tm/asm/policies/ABCDEFG123456/suggestions/?$select=id,lastOccurrenceDatetime,signatureReference,status

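The readiness check sketched in the comment above, as an added example that is not part of the thread: it takes the staged signature ids, the policy's `enforcementReadinessPeriod` and the list of suggestions returned by the second GET, and keeps only the signatures no suggestion has referenced within the readiness window. The timestamp format (ISO 8601 with a trailing `Z`) and the shape of `signatureReference` (a `link` whose last path segment is the signature id) are assumptions, and the sample data is constructed.

```python
"""Added example: Dominik's date-based readiness workaround, computed offline."""
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Set


def parse_ts(value: str) -> datetime:
    # Assumption: BIG-IP returns ISO 8601 timestamps with a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def signature_id_from_reference(ref: dict) -> str:
    # Assumption: signatureReference carries a 'link' ending in the signature id.
    return ref["link"].rstrip("/").rsplit("/", 1)[-1]


def ready_signatures(staged: Iterable[str], suggestions: List[dict],
                     readiness_days: int, now: datetime) -> List[str]:
    """Return the staged signature ids with no suggestion inside the readiness window.

    A signature is blocked as soon as any suggestion that references it has a
    lastOccurrenceDatetime newer than now - enforcementReadinessPeriod days.
    """
    cutoff = now - timedelta(days=readiness_days)
    blocked: Set[str] = set()
    for suggestion in suggestions:
        ref = suggestion.get("signatureReference")
        if not ref:
            continue  # suggestion is not about an attack signature
        if parse_ts(suggestion["lastOccurrenceDatetime"]) >= cutoff:
            blocked.add(signature_id_from_reference(ref))
    return [sid for sid in staged if sid not in blocked]


# Constructed sample data mirroring the $select fields used in the thread.
SAMPLE_NOW = datetime(2019, 5, 1, tzinfo=timezone.utc)
SAMPLE_STAGED = ["sigA", "sigB", "sigC"]
SAMPLE_SUGGESTIONS = [
    {"id": "s1", "status": "pending", "lastOccurrenceDatetime": "2019-04-29T10:00:00Z",
     "signatureReference": {"link": "https://localhost/mgmt/tm/asm/signatures/sigA"}},
    {"id": "s2", "status": "pending", "lastOccurrenceDatetime": "2019-04-10T10:00:00Z",
     "signatureReference": {"link": "https://localhost/mgmt/tm/asm/signatures/sigB"}},
    {"id": "s3", "status": "pending", "lastOccurrenceDatetime": "2019-04-30T10:00:00Z"},
]


def sample_run() -> List[str]:
    """sigA was seen 2 days ago (blocked); sigB 21 days ago and sigC never (ready)."""
    return ready_signatures(SAMPLE_STAGED, SAMPLE_SUGGESTIONS, 7, SAMPLE_NOW)


if __name__ == "__main__":
    print(sample_run())
```

The `status` field is fetched but deliberately not interpreted here, since the thread does not say which status values mean a suggestion is still open; that decision can be added to the loop once known.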
Comment made 5 months ago by Philipp Stadler 286

You are right, but the API call for learning suggestions is broken as well. ;-(


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The above steps are correct, but to get to the best answer, there is a filter for showing whether a signature has any pending suggestions.

$filter=hasSuggestions%20eq%20false

This will then filter on signatures that don't have any pending suggestions and thus are ready to be enforced.

Using this with the above comments will get you to where you want to be.

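The complete workflow the thread arrives at (list policies, list staged signatures, skip those with pending suggestions, PATCH the rest and verify the response), as an added example that is neither DevCentral's nor F5's code. The endpoints, `$select`/`$filter` syntax and the `performStaging` and `hasSuggestions` fields are those quoted above; the host, the basic-auth transport and the fake BIG-IP used for the offline run are constructed assumptions. The server filters on `performStaging`, and `hasSuggestions` is checked client-side so that a signature missing that field is conservatively left in staging.

```python
"""Added example: enforce ASM signatures that have finished staging via iControl REST."""
import base64
import json
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import quote

# A transport performs one REST call and returns the decoded JSON body.
Transport = Callable[[str, str, Optional[dict]], dict]


def urllib_transport(user: str, password: str) -> Transport:
    """Real transport. Assumption: HTTP basic auth is enabled on the BIG-IP."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def call(method: str, url: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Basic {token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:  # TLS verification stays on
            return json.load(resp)

    return call


def list_policies(call: Transport, base: str) -> List[dict]:
    """Step 1: every ASM policy with id, partition and name."""
    url = f"{base}/mgmt/tm/asm/policies/?$select=id,partition,name"
    return call("GET", url, None).get("items", [])


def list_ready_signatures(call: Transport, base: str, policy_id: str) -> List[str]:
    """Step 2: staged signatures of one policy that have no pending suggestions."""
    query = "$filter=" + quote("performStaging eq true") + "&$select=id,performStaging,hasSuggestions"
    url = f"{base}/mgmt/tm/asm/policies/{policy_id}/signatures/?{query}"
    items = call("GET", url, None).get("items", [])
    return [s["id"] for s in items
            if s.get("performStaging") is True and s.get("hasSuggestions") is False]


def enforce_signature(call: Transport, base: str, policy_id: str, sig_id: str) -> bool:
    """Step 3: clear performStaging and verify it from the PATCH response."""
    url = f"{base}/mgmt/tm/asm/policies/{policy_id}/signatures/{sig_id}"
    resp = call("PATCH", url, {"performStaging": False})
    return resp.get("id") == sig_id and resp.get("performStaging") is False


def enforce_ready_signatures(call: Transport, base: str, dry_run: bool = True) -> Dict[str, List[str]]:
    """Run all steps; returns {policy name: [signature ids enforced, or to be enforced]}."""
    report: Dict[str, List[str]] = {}
    for policy in list_policies(call, base):
        ready = list_ready_signatures(call, base, policy["id"])
        if dry_run:
            report[policy["name"]] = ready
            continue
        report[policy["name"]] = [sid for sid in ready
                                  if enforce_signature(call, base, policy["id"], sid)]
    return report


def make_fake_transport():
    """Constructed offline stand-in for a BIG-IP, mirroring the response shapes in the thread."""
    sigs = {
        "1a2b3c4edefg128":      {"performStaging": True,  "hasSuggestions": False},  # ready
        "sig-has-suggestions":  {"performStaging": True,  "hasSuggestions": True},   # not ready
        "sig-already-enforced": {"performStaging": False, "hasSuggestions": False},
    }

    def call(method: str, url: str, body: Optional[dict]) -> dict:
        path = url.split("?", 1)[0]
        if method == "PATCH" and "/signatures/" in path:
            sig_id = path.rsplit("/", 1)[1]
            sigs[sig_id].update(body)
            return {"id": sig_id, **sigs[sig_id]}
        if path.endswith("/signatures/"):  # honours the performStaging eq true filter
            return {"items": [{"id": k, **v} for k, v in sigs.items() if v["performStaging"]]}
        return {"items": [{"name": "POLICY1", "id": "12ABcd34_567eFgHi89", "partition": "PART1"}]}

    return call, sigs


if __name__ == "__main__":
    fake, state = make_fake_transport()
    print("dry run:", enforce_ready_signatures(fake, "https://bigip.example"))
    print("enforced:", enforce_ready_signatures(fake, "https://bigip.example", dry_run=False))
    print("state:", state)
```

Against a real device, replace the fake with `urllib_transport(user, password)` and the base URL of the BIG-IP; `dry_run=True` (the default) reports what would be enforced without issuing any PATCH, which is the sensible first run in an automation pipeline.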