Forum Discussion

JeffRW's avatar
JeffRW
Icon for Altocumulus rankAltocumulus
Apr 05, 2018

Possible to export/import ASM policies via a script?

Is it possible to possible to export ASM policies from one F5 and then import the ASM policies into another F5 via a script?

 

I'd like to export the ASM policies from our prod F5 and then import them into our DR F5 in bulk via a script instead of exporting/importing one by one.

 

Thx

 

ASM Advanced WAF
asm policy
export
import
security
TMSH

10 Replies

Sort By
  • Filip_Mikulík's avatar
    Filip_Mikulík
    Icon for Altostratus rankAltostratus
    Apr 09, 2018

    Hi, yes that is possible:

    • export ASM policy: save asm policy [policy name] xml-file [file name]
    • copy XML files to DR
    • import ASM policy: load asm policy [policy name] file [file name]
    • (optional) active imported policy: modify asm policy [policy name] active

    if you want to save all policies from box you can use something like:

     for i in $(tmsh list asm policy \/\*\/\* one-line | cut -d " " -f 3); do echo ${i}; tmsh save asm policy ${i} xml-file ${i}.xml; done

    than copy it and import it by:

    for i in $(find . -name '*xml); do echo ${i}; tmsh load asm $(echo ${i} | sed 's/\.xml//') xml-file ${i}; tmsh modify asm policy $(echo ${i} | sed 's/\.xml//') enable; done

    This should be functional if you don't use partitions. If you do, you will have to create the directories with partition names first, or try to substitute '/' character in policy names...

  • NickAD's avatar
    NickAD
    Icon for Cirrus rankCirrus
    Jan 19, 2021

    This thread is a bit old but it helped point me in the right direction for what worked for my requirements. Leaving my notes for anyone in the future who may find it useful.

    To start with exporting policies first you need to get the list of policy names written to a text file. I ran this from my home directory:

    tmsh list asm policy \* one-line | cut -d " " -f 3 > policies.txt

    Now you can use the list of policy names to export each of them as an XML file:

    for i in $(cat policies.txt); do echo $i; tmsh save asm policy $i xml-file $i.xml; done

    If you are exporting them a second time you will need to include the overwrite flag otherwise you will get an error that the file already exists:

    for i in $(cat policies.txt); do echo $i; tmsh save asm policy $i xml-file $i.xml overwrite; done

    The policies will be saved to /var/tmp/ and from there you can use SCP to grab them. You could import them manually, but that's quite slow if you've got a large number to get through.

    My next step is to copy these policies over to /var/tmp of the target device where I will be importing them.

    First step on the target device is recreating the policies.txt file. Just copy and paste the same one created above. If you don't need to import all policies on the target device, then edit policies.txt to remove the lines with policy names you don't need. Again, I am doing this all in my home directory.

    With policies.txt created and the policies copied over to /var/tmp you can use the following command to import:

    for i in $(cat policies.txt); do echo $i; tmsh load asm policy $(echo ${i}) overwrite file /var/tmp/$(echo ${i}.xml); tmsh publish asm policy $(echo ${i}); done

    The tmsh load will look at our target policy, say TEST-ASM, and overwrite it with /var/tmp/TEST-ASM.xml. Then tmsh publish will apply the policy changes, otherwise all of them will be stuck in changes pending.

    If you don't need to overwrite a target policy, then you could just remove that section and be left with:

    for i in $(cat policies.txt); do echo $i; tmsh load asm policy file /var/tmp/$(echo ${i}.xml); done

    This is all tested and working on 15.1 but I've also done the exporting piece in the past on 14.1.

    • Curious1's avatar
      Curious1
      Icon for Cirrus rankCirrus
      Mar 27, 2021

      Hi NickAD,

       

      This looks really useful, any chance you can get this to work for multiple partitions?

  • bhs_114985's avatar
    bhs_114985
    Historic F5 Account
    Apr 20, 2018

    import command had a missing ' after the *xml

    for i in $(find . -name '*xml’); do echo ${i}; tmsh load asm $(echo ${i} | sed 's/\.xml//') xml-file ${i}; tmsh modify asm policy $(echo ${i} | sed 's/\.xml//') enable; done
  • bhs_114985's avatar
    bhs_114985
    Historic F5 Account
    Jun 14, 2018

    Hi Filip,

    Trying to use the scripts but hitting a weird syntax error. A colleague also tried this and is hitting the same thing. The save command works as expected and creates the backup file. In this case it's "Hackazon-WAF.xml".

    The load command produces the following error:

    [admin@ip-10-1-1-8:Active:Standalone] tmp  for i in $(find . -name '*xml'); do echo ${i}; tmsh load asm $(echo ${i} | sed 's/\.xml//') xml-file ${i}; tmsh modify asm policy $(echo ${i} | sed 's/\.xml//') enable; done

    ./Hackazon-WAF.xml Syntax Error: "./Hackazon-WAF" unexpected argument Syntax Error: "enable" unknown property

    Do you have any suggestions for us?

    Thanks,

    BHS

  • lnxgeek's avatar
    lnxgeek
    Icon for MVP rankMVP
    Oct 18, 2018

    You problem is the find command it returns the file names with a "./" in front of it which breaks the load command.

     

    Instead of the relative reference to the location use en explicit one: for i in $(find /var/tmp/asm -name '*xml').....

     

    Where you have the exported xml files placed in /var/tmp/asm.

     

    I fell for the exact same problem :-)

     

  • Zdenda's avatar
    Zdenda
    Icon for Cirrus rankCirrus
    Jan 08, 2019

    Hi, does load policy work for your when loading to different partition? I use 

    load asm policy file /var/tmp/tmp_policy.xml
    within tmsh from proper partition, but policy is always uploaded to Common. XML file is updated, so word "Common" is replaced by "properPartition".

    It works correctly in GUI, but not in TMSH. I use v12.1.3, does this work for anyone here?

    Thx Zdenek