Applying Auto ASM Policy via TMSH

Question

What I am trying to do is
enable ASM profileadd an ASM policy which is configured for Autopolicy
When done through the GUI it looks like this is the config. This is what I am trying to achieve on a large scale through tcl.
   policies {
            asm_auto_l7_policy__someserver.domain.com { }
        }
        profiles {
            ASM_someprofile-WAF { }
    }
`

How do I get the the system to "auto-generate" the policy component of "asm_auto_l7_policy__someserver.domain.com"?
Doing this
`modify ltm virtual /network-test/dumb2_443 profiles add {ASM_someprofile-WAF}`

results in an error that the policy does not match the asm-controlling policiy. I think it needs to be 
`modify ltm virtual /network-test/dumb2_443 profiles add {ASM_someprofile-WAF} policies add {INSERT DYNAMIC POLICY NAME?}`

But how do I get it to generate that dynamic policy? On the ASM its use autogenerate.
Here is what happens when I try the above
`modify ltm virtual /network-test/dumb2_443 profiles add {ASM_someprofile-WAF} policies add {asm_auto_l7_policy__dumb2_443}`

01070734:3: Configuration error: The bot-defense-asm profile /Common/ASM_someprofile-WAF was added to virtual server /network-test/dumb2_443 but it does not match the asm-controlling policy. The bot-defense-asm profile is added to the virtual server automatically.

Nothing actually changes though.

biv_59618 · Answer

So I have figured out I need to create the LTM policy first, through TMS this has been troublesome, if anyone can help me with the nested syntax, it has gotten very nested and just looking for a little help.
This is the end result I am aiming for:
ltm policy asm_auto_l7_test.com {
    controls { asm }
    requires { http }
    rules {
        default {
            actions {
                1 {
                    asm
                    enable
                    policy /Common/WAF
                }
            }
            ordinal 1
        }
    }
    status legacy
    strategy first-match
}

This is what I got but tripping up on the nested for rules subset
create ltm policy test1 controls add {asm} requires add {http} rules add {defualt {ordinal 1{} actions add{1{policy /Common/WAF}}}}

biv_59618 · Answer

Anyone had luck with this?&nbsp;

mjb109 · Answer

Old thread, but I just had this same problem, and this works on 13.1.3. Think you just need to add the "asm enable" before your final policy statementcreate /ltm policy '/Common/Drafts/asm_auto_l7_policy__MY-VIRTUAL' controls add { asm } requires add {http} rules add { default { ordinal 1 actions add { 1 { asm enable policy /Common/MY-WAF-POLICY } } } }

jeff_faelnar · Answer

I get error '01020036:3: The requested policy action (/Common/asm_auto_l7_policy__MY-VIRTUAL) was not found.' on Version&nbsp;&nbsp;15.1.0.5. Is there an updated command for this? Thanks!

ivan_chernenkii · Answer

Hello Jeff,&nbsp;tmsh command should look next: "create ltm policy name_of_ltm_policy controls add { asm } rules add { default { actions add { 1 {asm enable policy name_of_asm_policy } } } } strategy first-match legacy"

Forum Discussion

Applying Auto ASM Policy via TMSH

5 Replies

Recent Discussions

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Unwinding the Benefits of Investing in White Label Crypto Wallet

SMTP profile not visible & showing

About AWAF "Redirect URLs" in "Responses and Blocks"

F5 iRule to replace host to path

Related Content

After applied ASM Policy to Virtual Server, connections will reset with Internal error in log

Auditing Security Policy Updates

F5 Access Policy Auto submit logon page

Minimizing Security Complexity: Managing Distributed WAF Policies

Icontrol REST upload and apply policy- section "http-protocols" ignored?