Forum Discussion

Matt_Bystrzak_2
Apr 12, 2019

How to get ASM, DoS, and Logging Profiles Applied to a Virtual Server

Hello,

I'm trying to map ASM, DoS, and logging profiles as a reporting feature to some of my automation. At the most basic level if I query a particular virtual server I don't get great information on the security profiles.

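from f5.bigip import ManagementRoot

# Connect to the BIG-IP and load the virtual server
b = ManagementRoot('myhost', 'admin', 'admin')
vip = b.tm.ltm.virtuals.virtual.load(name='myvs')
profiles = vip.profiles_s.get_collection()

# Print the name of every profile attached to the virtual server
for p in profiles:
    print(p.name)

Returns the following: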
ASM_pytest.mtb.com  SO MY ASM POLICY NAME
clientssl   MY CLIENT SSL
f5-tcp-lan  MY TCP CLIENT PROFILE
f5-tcp-wan  MY TCP SERVER PROFILE
http        MY HTTP PROFILE
serverssl   MY SERVER SSL PROFILE
websecurity NOT SURE WHAT THIS IS?

What I'm trying to understand is: is ASM_ prepended to every ASM policy associated with a virtual server, or is there a more accurate way to get the associated ASM policy name?

What is 'websecurity' and how do I use it?

How do I get the DoS and Logging Profiles associated with the virtual server?

5 Replies

  • Can you post a sanitized copy of your virtual server configuration (as shown by a list command in tmsh)? And what version of TMOS are you using?

     

  • Sure.

    I'm using v 13.1.1.3.

    Here's the output:

    ltm virtual vs_test_python_1 {
        description "A Python REST client test virtual server"
        destination 1.1.1.2:https
        ip-protocol tcp
        mask 255.255.255.255
        policies {
            asm_auto_l7_policy__vs_test_python_1 { }
        }
        pool pool_test_python
        profiles {
            ASM_pytest.mtb.com { }
            clientssl {
                context clientside
            }
            f5-tcp-lan {
                context serverside
            }
            f5-tcp-wan {
                context clientside
            }
            http { }
            serverssl {
                context serverside
            }
            websecurity { }
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port enabled
        vlans {
            some_vlans
        }
        vlans-enabled
        vs-index
    }
    
  • So I quickly realized after this exercise that I don't have a DoS profile defined. So I defined one and it shows up under the profiles_s collection.

     

    So that answers that question...I'm a putz. Sorry about that.

     

    Logging profiles show up under the security-log-profiles key, outside of profiles{}, I'm finding.

     

  • It looks like tmsh adds ASM_ to your policy when applied to the virtual server, as well as the websecurity profile. I'll need to see what that means for you in using the SDK, however. Stand by.

     

  • (edited) Hi Matt, so you can create the vip up front with all the profiles and policies you need. Here's how I did it:

    >>> profiles = []
    >>> profiles.append({'name': 'tcp'})
    >>> profiles.append({'name': 'http'})
    >>> profiles.append({'name': 'clientssl'})
    >>> profiles.append({'name': 'websecurity'})
    >>> policies = []
    >>> policies.append({'name': 'asm_auto_l7_policy__asmtestvip'})
    >>> vip1 = b.tm.ltm.virtuals.virtual.create(name='testvip2',
    ...                                         destination='192.16.102.42:443',
    ...                                         mask='255.255.255.255',
    ...                                         pool='asmtestvip',
    ...                                         ipProtocol='tcp',
    ...                                         profiles=profiles,
    ...                                         policies=policies)
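
For the reporting use case in the original question, here is an added example (not code from any poster in this thread) that parses saved `tmsh list ltm virtual` output and pulls out the profiles, LTM policies and `security-log-profiles` of each virtual server. The function names are hypothetical, the sample text is constructed, and stripping `ASM_` to get the policy name is only the heuristic observed in this thread; a DoS profile appears as an ordinary entry under `profiles`.

```python
import shlex
# Constructed sample modelled on the tmsh output in the thread; the log profile is made up.
SAMPLE = '''
ltm virtual vs_test_python_1 {
    policies {
        asm_auto_l7_policy__vs_test_python_1 { }
    }
    profiles {
        ASM_pytest.mtb.com { }
        clientssl {
            context clientside
        }
        websecurity { }
    }
    security-log-profiles {
        "example log profile"
    }
}
'''

def parse_tmsh(text):
    """Parse brace-delimited tmsh 'list' output into nested dicts."""
    stack = [{}]
    for words in filter(None, map(shlex.split, text.splitlines())):
        if words == ['}']:                      # end of the current block
            stack.pop()
        elif words[-2:] == ['{', '}']:          # "name { }": empty block
            stack[-1][' '.join(words[:-2])] = {}
        elif words[-1] == '{':                  # "name {": nested block opens
            stack.append(stack[-1].setdefault(' '.join(words[:-1]), {}))
        else:                                   # "key value", or a bare name
            stack[-1][words[0]] = ' '.join(words[1:]) or None
    return stack[0]

def security_report(text):
    """Per virtual server: profile contexts, ASM_<policy> names, policies, log profiles."""
    report = {}
    for header, cfg in parse_tmsh(text).items():
        kind, _, name = header.rpartition(' ')
        if kind == 'ltm virtual':
            profiles = cfg.get('profiles', {})
            report[name] = {
                'profiles': {p: (v or {}).get('context') for p, v in profiles.items()},
                'asm_policies': [p[4:] for p in profiles if p.startswith('ASM_')],
                'websecurity': 'websecurity' in profiles,
                'ltm_policies': sorted(cfg.get('policies', {})),
                'log_profiles': sorted(cfg.get('security-log-profiles', {})),
            }
    return report
```

A virtual server whose report shows `websecurity` as false, or an empty `log_profiles` list, is one to review for missing ASM or logging coverage.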