Forum Discussion

Dominik_312933
Mar 13, 2018

ASM Signature Enforcement via iControl REST

Hi DevCentral community!

Is there any way in ASM to enforce signatures (in staging, but ready to be enforced) via iControl REST?

We are currently trying to automate signature updates and their enforcement.

Thank you in advance.

6 Replies

  • Hi!

    I found a solution for automating the signature enforcement for ASM policies.

    The first step is to retrieve all ASM policies from the BIG-IP:

    GET https://f5.intern/mgmt/tm/asm/policies/?$select=id,partition,name

    {
        ...
        "items": [
            {
                "name": "POLICY1",
                "id": "12ABcd34-567eFgHi89",
                "partition": "PART1"
            },
            ...
        ]
    }

    In the next step you need to get all signatures associated with a policy which are put into staging mode:

    GET https://f5.intern/mgmt/tm/asm/policies/12ABcd34_567eFgHi89/signatures/?$filter=performStaging eq true&$select=id,performStaging

    {
        ...
        "items": [
            {
                ...
                "performStaging": true,
                "id": "1a2b3c4edefg128"
            },
            ...
        ]
    }

    The last step is to enforce the target signatures (e.g. every signature of a policy individually):

    PATCH https://f5.intern/mgmt/tm/asm/policies/12ABcd34_567eFgHi89/signatures/1a2b3c4edefg128

    Request Payload:

    {
        "performStaging": false
    }

    The BIG-IP's response contains the staging status of the updated signature for verification:

    {
        ...
        "id": "1a2b3c4edefg128",
        "performStaging": false,
        ...
    }

    Result:

    It is possible to enforce the signatures of an ASM policy in an automated fashion via the iControl REST ASM interface.

  • Hi, but this doesn't exclude signatures where suggestions are triggered during staging... or, it doesn't check the "ready to be enforced" state. Correct?


  • Yes, you are correct, this does not check the "enforcement readiness" state. Thanks for pointing out the respective API calls to achieve this functionality in https://devcentral.f5.com/d/icontrol-rest-user-guide-version-131-246. Please let me know once you have an update on your open case.

    On the other hand, a workaround I could think of is to check all learning suggestions for a given policy for their status and last occurrence. If a signature does not have any suggestions associated for a specified time range it can be ready for enforcement.

    E.g., by issuing the following calls you could conclude that if no learning suggestion associated with a particular signature has occurred for more than 7 days, the signature is ready for enforcement:

    GET https://f5.intern/mgmt/tm/asm/policies/ABCDEFG123456/?$select=id,enforcementReadinessPeriod

    ...
    "stagingSettings":{
        "signatureStaging":true,
        "enforcementReadinessPeriod":7
    }
    ...

    GET https://f5.intern/mgmt/tm/asm/policies/ABCDEFG123456/suggestions/?$select=id,lastOccurrenceDatetime,signatureReference,status

  • Charles_Rosenbe
    Historic F5 Account

    The above steps are correct, but to get to the best answer, there is a filter for showing if a signature has any pending suggestions.


    $filter=hasSuggestions%20eq%20false


    This will then filter on signatures that don't have any pending suggestions and thus are ready to be enforced.


    Using this with the above comments will get you to where you want to be.
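
Putting the steps from the replies above together, as an added example that is not code from the thread or from F5: it lists a policy's staged signatures that have no pending suggestions, PATCHes each one to performStaging=false and checks the echoed state before counting it as enforced. The endpoint paths, performStaging and the hasSuggestions filter come from the replies; joining the two filters with "and", reading hasSuggestions back as a property, the injected get/patch callables and the in-memory stand-in for the BIG-IP are assumptions made here.

```python
# Added example, not from the thread. Automates the replies' procedure: list a
# policy's staged signatures that have no pending suggestions, PATCH
# performStaging=false and verify the echoed state. Paths, performStaging and
# hasSuggestions come from the thread; joining the two filters with 'and' and
# reading hasSuggestions back as a property are assumptions.
FILTER = "$filter=performStaging%20eq%20true%20and%20hasSuggestions%20eq%20false"
SELECT = "$select=id,performStaging,hasSuggestions"

def select_ready(items):
    """Client-side re-check of the server filter: enforce only signatures that are
    really staged AND have no pending suggestions, so an ignored filter can never
    enforce a signature that is still producing suggestions."""
    return [s["id"] for s in items
            if s.get("performStaging") is True and s.get("hasSuggestions") is False]

def enforce_ready_signatures(get, patch, base, policy_id, dry_run=True):
    """get(url) / patch(url, body) return decoded JSON. In production wrap a
    requests.Session (e.g. lambda u: s.get(u).json()); offline use the fake
    client below. dry_run only reports what would be enforced."""
    sigs = f"{base}/mgmt/tm/asm/policies/{policy_id}/signatures/"
    ready = select_ready(get(f"{sigs}?{FILTER}&{SELECT}").get("items", []))
    report = {"ready": ready, "enforced": [], "failed": []}
    for sig_id in ([] if dry_run else ready):
        resp = patch(f"{sigs}{sig_id}", {"performStaging": False})
        # The BIG-IP echoes the new staging state; anything else counts as failure.
        key = "enforced" if resp.get("performStaging") is False else "failed"
        report[key].append(sig_id)
    return report

# Constructed in-memory stand-in for the BIG-IP (signature ids are made up).
FAKE_SIGNATURES = {
    "sig-ready":   {"id": "sig-ready",   "performStaging": True,  "hasSuggestions": False},
    "sig-pending": {"id": "sig-pending", "performStaging": True,  "hasSuggestions": True},
    "sig-live":    {"id": "sig-live",    "performStaging": False, "hasSuggestions": False},
}

def fake_get(url):
    # Ignores $filter on purpose, so select_ready() has to do the real work.
    return {"items": list(FAKE_SIGNATURES.values())}

def fake_patch(url, body):
    sig = FAKE_SIGNATURES[url.rsplit("/", 1)[1]]
    sig.update(body)
    return dict(sig)
```

Run it first with dry_run=True to see which signatures would be enforced; the same report shape comes back with the enforced and failed lists filled when dry_run=False.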


  • Hi,

    I'm looking to do the same, enforce only signatures which are ready to be enforced.

    Have you been able to solve this? Ta


    Jiri