ASM Policies
Overview
API used to create or edit BIG-IQ web application policies in ASM.
REST Endpoint: /mgmt/cm/asm/working-config/policies
Requests
Create a new BIG-IQ web application security policy for ASM.
POST /mgmt/cm/asm/working-config/policies
Request Parameters
Name | Type | Description |
---|---|---|
applicationLanguage | string | Character encoding used by BIG-IQ to create the policy object. e.g. utf8 |
fullPath | string | BIG-IP full path which includes partition / policy name. e.g. /Common/Policy_3 |
name | string | Name of ASM web application security policy. |
partition | string | The BIG-IP partition name for where this policy will reside. The default is: Common. |
Query Parameters
None
Response
HTTP/1.1 200 OK
Name | Schema | Description |
---|---|---|
allowedResponseCodes | < integer > array | Array of response codes from server. optional |
applicationLanguage | string | Character encoding used by BIG-IQ to create the policy object. e.g. utf8 optional |
attributes | object | optional |
inspectHttpUploads | boolean | Flag to enable inspection of all http uploads. The default is: false. optional |
maskCreditCardNumbersInRequest | boolean | If enabled, the system masks credit card numbers. If disabled (cleared), the system does not mask credit card numbers. optional |
maximumCookieHeaderLength | string | 0 <= number <= 8192. The default is: 8192 |
maximumHttpHeaderLength | string | Maximum length of an HTTP header name and value that the system processes. The default setting is 8192 bytes. The system calculates and enforces the HTTP header length based on the sum of the length of the HTTP header name and value. optional |
pathParameterHandling | string | Specifies how the system handles path parameters that are attached to path segments in URIs. Possible options: as parameter, as url, ignore. optional |
triggerAsmIruleEvent | string | Enable iRule event. List of values: disabled, enabled-compatibility, enabled-normal. optional |
useDynamicSessionIdInUrl | boolean | Specifies how the security policy processes URLs that use dynamic sessions. Possible options: disabled, default pattern, custom pattern. optional |
bruteForceAttackPreventionReference | object | Reference link to the brute force attack prevention configuration, which prevents brute force attacks, in which an attacker tries to log on to a URL numerous times, running many combinations of user names and passwords, until the logon succeeds. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
csrfUrlReference | object | Reference link to a list of csrf URLs which require token verification during requests optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
cpbDeviceReference | object | When defined, indicates the DCD assigned to centrally learn the policy optional |
link | string | Reference link to the Centralized Policy Builder device |
parentPolicyReference | object | A reference link to the Parent policy optional |
link | string | Reference link to the parent Policy. |
serverTechnologyReference | object | A Reference link to a list of server technologies. The server technology is a server side application, framework, Web Server or Operating System type that is configured in the policy in order to adapt the policy to the checks needed for the respective technology. |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
suggestionReference | object | A reference Link to a list of suggestions. When the policy is set to learn centrally, the CPB will generate suggestions to change the policy according to the traffic received. |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
isPublishedForTemplates | boolean | This value indicates if the policy is available to be used in Application Templates. optional |
caseInsensitive | boolean | Whether the ASM web application policy elements are case sensitive. True / False optional |
characterSetReference | object | Reference link to character set configuration which lists characters (letters, digits, and symbols) available, and how the security policy responds when that character appears in the value field of an HTTP header in a request, and an uncommon header name. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
cookieReference | object | Reference link to cookie configuration which handles the cookies in a list based on the specific cookie type (Enforced/Allowed). optional, read-only |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
createDateTime | string | Date / Time when web application policy was created. e.g. 2016-11-28T20:50:12Z optional |
creatorName | string | Name of user that created the web application policy. optional |
csrfProtectionReference | object | Reference link to the configured cross-site request forgery (CSRF) protection, which guards against unauthorized access to authenticated accounts via CSRF. Property as defined by the policy. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
customXffHeaders | < string > array | Additional X-Forwarded-For style HTTP headers used when an HTTP request is proxied to another server. optional |
dataGuardReference | object | Reference link to policy data guard configuration which protects sensitive data. If a web server response contains a credit card number, U.S. Social Security number, or pattern that matches a user-defined pattern, then the system responds based on the enforcement mode setting. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
description | string | Description of security policy. optional |
disallowedGeolocationReference | object | Reference link to the configured country (geolocation) restrictions on access to your web application. Property as defined by the policy. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
enforcementMode | string | Specifies how the system processes a request that triggers a security policy violation. Possible options: Transparent / Blocking. optional |
evasionsReference | object | Reference link to list of evasion technique detected, which is triggered when the BIG-IP ASM system fails to normalize requests. Normalization is the process of decoding requests that are encoded. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
extractionsReference | object | Reference link to extraction service configuration which manages how the system extracts dynamic values for dynamic parameters from the responses returned by the web application server. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
filetypeReference | object | Reference link to a list of allowed / disallowed file types in the web application that the security policy considers legal. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
fullPath | string | Full path containing BIG-IP partition and name of web application security policy. e.g. /Common/Policy_3 |
generation | string | optional |
gwtProfileReference | object | Reference link to gwt configuration used to protect web applications created by google web toolkit (gwt). Google Web Toolkit (GWT) is a Java framework that is used to create AJAX applications. When you add GWT enforcement to a security policy, the Security Enforcer can detect malformed GWT data, request payloads and parameter values. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
hasParent | boolean | Does this policy contain a parent to inherit configuration. True / False optional |
headerReference | object | Reference link to policy header configuration. Each parameter can perform normalization and attack signature checks on HTTP headers. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
hostNameReference | object | Reference link to a list of allowed / disallowed host names that are used to access the web application that this security policy protects. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
httpProtocolsReference | object | Reference link to the HTTP protocol compliance options, which are validation checks performed on HTTP requests to ensure the requests are properly formatted. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
id | string | Unique id associated with security policy. optional |
ipIntelligenceReference | object | Reference link to configured ASM ip intelligence functions, such as log and block requests from source IP addresses that, according to an IP Address Intelligence database, have a bad reputation. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
jsonProfileReference | object | Reference link to the JSON profiles, which define what the security policy enforces and considers legal when it detects traffic that contains JSON data. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
kind | string | Type information for security policy. cm:asm:working-config:policies:policystate. |
lastUpdateMicros | string | Update time (micros) for last change made to a security policy object. |
learningMode | string | ASM will attempt to adapt to changing patterns in learning mode. Possible options: Automatic, Manual, or Disabled. For Automatic, the system makes suggestions, and enforces most suggestions after sufficient traffic over a period of time. For Manual, the system examines traffic and makes suggestions on what to add to the policy. You manually examine the changes and accept, delete, or ignore the suggestions. For Disabled the system does not do any learning for the security policy and makes no suggestions. |
loginEnforcementReference | object | Reference link to login enforcement configuration which will allow a user to create or edit the properties of authenticated URLs. Authenticated URLs are URLs that become accessible to users only after they successfully log in to the login URL. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
loginPageReference | object | Reference link to session login page configuration used to protect restricted parts of the web application by forcing users to pass through the login page before viewing the restricted (authenticated) URL. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
methodReference | object | Reference link to configured ASM methods. Allowable - GET, POST and HEAD. Methods settings are used to specify the HTTP methods that are acceptable within the context of the web application and to specify whether the method should act as the GET method or as the POST method. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
modifierName | string | ASM policy modifiers from the custom syntax. optional |
name | string | Name of security policy. |
parameterReference | object | Reference link to configured ASM parameters that the policy permits, such as attack signature check, perform staging and enable regular expressions and other pieces of information within a web application. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
partition | string | The BIG-IP partition in which this policy lives. |
plainTextProfileReference | object | Reference link to plain text content profile that defines the properties that a security policy enforces for unstructured text content, such as those used in websocket messages. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
policyBuilderReference | object | Reference link to policy builder configuration which provides functions such as traffic learning and enforcement readiness. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
protocolIndependent | boolean | Does the user want to allow for protocol independent URLs? True / False optional |
redirectionProtectionReference | object | Reference link to redirection protection configuration to prevent open redirect vulnerability where the server tries to redirect the user to a target domain that is not defined in the security policy. The server redirects a user to a different web application, without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
responsePageReference | object | Reference link to policy response page configuration, where the user can edit the default response page, the login response page, the XML response page, the AJAX blocking response page, and the AJAX login response page for a web application. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
sectionReference | object | Reference link to a list of the ASM property sections, such as evasion techniques, policy building, WebSocket protocol, general settings, etc. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
selfLink | string | Reference link to security policy object. |
sensitiveParameterReference | object | Reference link to sensitive parameter configuration used to protect sensitive user input, such as a password or a credit card number, in a validated request. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
sessionTrackingReference | object | Reference link to configured ASM session tracking to track, enforce, and report on user sessions and IP addresses. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
signatureReference | object | Reference link to the configured attack signatures. Property as defined by the policy. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
signatureSetReference | object | Reference link to signature sets used by ASM to mitigate attack. Attack signatures belong to signature sets assigned to the security policy. A user can enable or disable security policy attack signatures. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
stagingSettings | object | Staging allows you to test the policy entities and the attack signatures for false positives without enforcing them. optional |
enforcementReadinessPeriod | integer | Period in days both security policy entities and attack signatures remain in staging mode before the system suggests you enforce them. optional |
placeSignaturesInStaging | boolean | Signature staging - the system places new or updated signatures in staging for the number of days specified in the enforcement readiness period. optional |
signatureStaging | boolean | Signature staging is supported on the security policy. True / False optional |
trustXff | boolean | Trust flag for XFF HTTP request header. optional |
type | string | This is a descriptive type of policy. optional e.g. security |
urlReference | object | Reference link to the policy URL configuration, which matches URLs, or URL patterns specified as strings, to allow or disallow them. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
versionDatetime | string | Date time of provisioned security policy. optional |
versionDeviceName | string | Security Policy name as represented by version of BIG-IP. optional |
versionLastChange | string | Operation of last change to a security policy represented. optional |
versionPolicyName | string | Partition and security policy full path. optional |
violationsReference | object | Reference link to a list of violations that occur when some aspect of a request or response does not comply with the security policy for a web application. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
webScrapingReference | object | Reference link to the policy web scraping configuration, which prevents web data extraction by detecting session anomalies in web application usage. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
webServicesSecurityReference | object | Reference link to the web services security configuration, which verifies XML format and validates XML document integrity against a WSDL or XSD file. The security policy can also handle encryption and decryption for web services. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
websocketUrlReference | object | Reference link to the WebSocket URL list. WebSockets simplify and speed up communication between clients and servers. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
whitelistIpReference | object | Reference link to the configured whitelist IP list, which identifies source IP addresses that the system considers safe even if they are found in the IP Address Intelligence database. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
xmlProfileReference | object | Reference link to policy xml profile configuration. An XML profile is a set of content definitions that determine whether the system allows or disallows requests that contain XML. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
xmlValidationFileReference | object | Reference link to xml validation configuration used to enforce or validate xml content for web application. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
Error Response
HTTP/1.1 400 Bad Request
Name | Type | Description |
---|---|---|
errorStack | string | Error stack trace returned by java. optional, read-only |
items | < object > array | Collection of policies. 400 error. optional |
kind | string | Type information for ASM web application security policies - cm:asm:working-config:policies:policycollectionstate. optional, read-only |
message | string | Error message returned from server. optional, read-only |
requestBody | string | The data in the request body. GET (None) optional, read-only |
requestOperationId | integer(int64) | Unique id assigned to rest operation. optional, read-only |
HTTP/1.1 403 Unauthorized
Name | Type | Description |
---|---|---|
errorStack | string | Error stack trace returned by java. optional, read-only |
kind | string | Type information for ASM web application security policies - cm:asm:working-config:policies:policycollectionstate. optional, read-only |
message | string | Error message returned from server. Unauthorized optional, read-only |
requestBody | string | The data in the request body. GET (None) optional, read-only |
requestOperationId | integer(int64) | Unique id assigned to rest operation. optional, read-only |
referer | string | IP address. optional, read-only |
HTTP/1.1 404
Name | Type | Description |
---|---|---|
errorStack | string | Error stack trace returned by java. optional, read-only |
items | < object > array | Collection of policies. 404 error. optional |
kind | string | Type information for ASM web application security policies - cm:asm:working-config:policies:policycollectionstate optional, read-only |
message | string | Error message returned from server. optional, read-only |
requestBody | string | The data in the request body. GET (None) optional, read-only |
requestOperationId | integer(int64) | Unique id assigned to rest operation. optional, read-only |
Permissions
Role | Allow |
---|---|
Security Manager | Yes |
Web Application Manager | Yes |
Web Application Editor | Yes |
Web Application Viewer | No |
Web Application Deployer | No |
GET /mgmt/cm/asm/working-config/policies
Returns all web application security policies as part of an item collection.
Request Parameters
None
Query Parameters
None
Response
HTTP/1.1 200 OK
Name | Type | Description |
---|---|---|
generation | integer(int64) | An integer that tracks changes made to an ASM web application security policy collection object. read-only |
items | < object > array | Collection of ASM web application security policies. |
kind | string | Type information for an ASM web application security policy collection object - cm:asm:working-config:policies:policycollectionstate. read-only |
lastUpdateMicros | integer(int64) | Update time (micros) for the last change made to an ASM web application security policy collection object. read-only |
selfLink | string | A reference link URI to an ASM web application security policy collection object. read-only |
Error Response
HTTP/1.1 400 Bad Request
Name | Type | Description |
---|---|---|
errorStack | string | Error stack trace returned by java. optional, read-only |
items | < object > array | Collection of policies. 400 error. optional |
kind | string | Type information for ASM web application security policies - cm:asm:working-config:policies:policycollectionstate. optional, read-only |
message | string | Error message returned from server. optional, read-only |
requestBody | string | The data in the request body. GET (None) optional, read-only |
requestOperationId | integer(int64) | Unique id assigned to rest operation. optional, read-only |
referer | string | IP address. optional, read-only |
HTTP/1.1 403 Unauthorized
Name | Type | Description |
---|---|---|
errorStack | string | Error stack trace returned by java. optional, read-only |
kind | string | Type information for ASM web application security policies - cm:asm:working-config:policies:policycollectionstate. optional, read-only |
message | string | Error message returned from server. Unauthorized optional, read-only |
requestBody | string | The data in the request body. GET (None) optional, read-only |
requestOperationId | integer(int64) | Unique id assigned to rest operation. optional, read-only |
referer | string | IP address. optional, read-only |
HTTP/1.1 404
Name | Type | Description |
---|---|---|
errorStack | string | Error stack trace returned by java. optional, read-only |
items | < object > array | Collection of policies. 404 error. optional |
kind | string | Type information for ASM web application security policies - cm:asm:working-config:policies:policycollectionstate optional, read-only |
message | string | Error message returned from server. optional, read-only |
requestBody | string | The data in the request body. GET (None) optional, read-only |
requestOperationId | integer(int64) | Unique id assigned to rest operation. optional, read-only |
referer | string | IP address. optional, read-only |
Permissions
Role | Allow |
---|---|
Security Manager | Yes |
Web Application Manager | Yes |
Web Application Editor | Yes |
Web Application Viewer | Yes |
Web Application Deployer | Yes |
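An added example (not F5's own client code) that exercises the POST and GET sections above together: it builds the create body from the documented request parameters, gates calls on the role tables, turns the documented 400/403/404 bodies into exceptions, and audits a GET collection for policies whose enforcementMode is Transparent or that do not mask card numbers. The `transport` callable, `fake_transport`, `SAMPLE_COLLECTION` and the name charset regex are constructed assumptions, not part of the API.

```python
import re

POLICIES_PATH = "/mgmt/cm/asm/working-config/policies"
POLICY_KIND = "cm:asm:working-config:policies:policystate"
COLLECTION_KIND = "cm:asm:working-config:policies:policycollectionstate"

# Role table from this page: (may POST a new policy, may GET the collection).
ROLE_PERMISSIONS = {
    "Security Manager": (True, True),
    "Web Application Manager": (True, True),
    "Web Application Editor": (True, True),
    "Web Application Viewer": (False, True),
    "Web Application Deployer": (False, True),
}
# Assumption: a conservative name/partition charset (the page specifies none).
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


class AsmApiError(Exception):
    """Wraps the 400 / 403 / 404 error bodies documented on this page."""

    def __init__(self, status, body):
        self.status, self.message = status, body.get("message", "")
        self.operation_id = body.get("requestOperationId")
        super().__init__(f"HTTP {status}: {self.message} (op {self.operation_id})")


def role_allows(role, method):
    """True if `role` may call `method` ("POST" or "GET") on the collection."""
    create, read = ROLE_PERMISSIONS[role]
    return {"POST": create, "GET": read}[method.upper()]


def build_create_body(name, partition="Common", application_language="utf8"):
    """Build the POST body; fullPath is derived so it cannot disagree with
    partition and name."""
    if not _NAME_RE.match(name) or not _NAME_RE.match(partition):
        raise ValueError("name and partition must not contain '/' or whitespace")
    return {"name": name, "partition": partition, "fullPath": f"/{partition}/{name}",
            "applicationLanguage": application_language}


def check_response(status, body):
    """Return the body on 200; raise AsmApiError for any documented error status."""
    if status == 200:
        return body
    raise AsmApiError(status, body if status in (400, 403, 404) else {"message": "undocumented"})


def create_policy(transport, role, name, partition="Common"):
    """POST a new policy. `transport(method, path, body)` returns (status, dict)
    and is injected so a real HTTP client or an offline fake can be used."""
    if not role_allows(role, "POST"):
        raise PermissionError(f"{role} may not create policies")
    status, body = transport("POST", POLICIES_PATH, build_create_body(name, partition))
    policy = check_response(status, body)
    if policy.get("kind") != POLICY_KIND:
        raise AsmApiError(status, {"message": f"unexpected kind {policy.get('kind')!r}"})
    return policy


def audit_collection(collection):
    """Flag policies in a GET collection response that only log violations
    (Transparent) or do not mask card numbers. Returns {fullPath: [findings]}."""
    if collection.get("kind") != COLLECTION_KIND:
        raise ValueError("not a policy collection response")
    findings = {}
    for p in collection.get("items", []):
        notes = []
        if p.get("enforcementMode", "").lower() == "transparent":
            notes.append("enforcementMode is Transparent: violations are logged, not blocked")
        if not p.get("maskCreditCardNumbersInRequest", False):
            notes.append("maskCreditCardNumbersInRequest is not enabled")
        if notes:
            findings[p["fullPath"]] = notes
    return findings


# Constructed stand-in for the BIG-IQ REST service: sample bodies shaped like
# the tables on this page, not captured responses.
SAMPLE_COLLECTION = {"kind": COLLECTION_KIND, "items": [
    {"kind": POLICY_KIND, "fullPath": "/Common/Policy_3", "name": "Policy_3",
     "enforcementMode": "Transparent", "maskCreditCardNumbersInRequest": True},
    {"kind": POLICY_KIND, "fullPath": "/Common/Policy_4", "name": "Policy_4",
     "enforcementMode": "Blocking", "maskCreditCardNumbersInRequest": True},
]}


def fake_transport(method, path, body=None):
    if method == "POST" and path == POLICIES_PATH:
        if any(p["fullPath"] == body["fullPath"] for p in SAMPLE_COLLECTION["items"]):
            return 400, {"kind": COLLECTION_KIND, "message": "policy already exists",
                         "requestOperationId": 101}
        return 200, {"kind": POLICY_KIND, "enforcementMode": "Transparent", **body}
    if method == "GET" and path == POLICIES_PATH:
        return 200, SAMPLE_COLLECTION
    return 404, {"kind": COLLECTION_KIND, "message": "not found", "requestOperationId": 102}
```

Against a live BIG-IQ, replace `fake_transport` with a function that issues the request with your HTTP client and returns the status code and decoded JSON body.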
GET /mgmt/cm/asm/working-config/policies/< objectId >
Returns a web application policy defined by an object id.
Request Parameters
Name | Type | Description |
---|---|---|
< objectId > | string(UUID) | Unique id associated with policy. required |
Query Parameters
None
Response
HTTP/1.1 200 OK
Name | Schema | Description |
---|---|---|
allowedResponseCodes | < integer > array | Array of response codes from server. optional |
applicationLanguage | string | Character encoding used by BIG-IQ to create the policy object. e.g. utf8 optional |
attributes | object | optional |
inspectHttpUploads | boolean | Flag to enable inspection of all http uploads. The default is: false. optional |
maskCreditCardNumbersInRequest | boolean | If enabled, the system masks credit card numbers. If disabled (cleared), the system does not mask credit card numbers. optional |
maximumCookieHeaderLength | string | 0 <= number <= 8192. The default is: 8192 |
maximumHttpHeaderLength | string | Maximum length of an HTTP header name and value that the system processes. The default setting is 8192 bytes. The system calculates and enforces the HTTP header length based on the sum of the length of the HTTP header name and value. optional |
pathParameterHandling | string | Specifies how the system handles path parameters that are attached to path segments in URIs. Possible options: as parameter, as url, ignore. optional |
triggerAsmIruleEvent | string | Enable iRule event. List of values: disabled, enabled-compatibility, enabled-normal. optional |
useDynamicSessionIdInUrl | boolean | Specifies how the security policy processes URLs that use dynamic sessions. Possible options: disabled, default pattern, custom pattern. optional |
bruteForceAttackPreventionReference | object | Reference link to the brute force attack prevention configuration, which prevents brute force attacks, in which an attacker tries to log on to a URL numerous times, running many combinations of user names and passwords, until the logon succeeds. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
csrfUrlReference | object | Reference link to a list of csrf URLs which require token verification during requests optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
cpbDeviceReference | object | When defined, indicates the DCD assigned to centrally learn the policy optional |
link | string | Reference link to the Centralized Policy Builder device |
parentPolicyReference | object | A reference link to the Parent policy optional |
link | string | Reference link to the parent Policy. |
serverTechnologyReference | object | A Reference link to a list of server technologies. The server technology is a server side application, framework, Web Server or Operating System type that is configured in the policy in order to adapt the policy to the checks needed for the respective technology. |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
suggestionReference | object | A reference Link to a list of suggestions. When the policy is set to learn centrally, the CPB will generate suggestions to change the policy according to the traffic received. |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
isPublishedForTemplates | boolean | This value indicates if the policy is available to be used in Application Templates. optional |
caseInsensitive | boolean | Whether the ASM web application policy elements are case sensitive. True / False optional |
characterSetReference | object | Reference link to character set configuration which lists characters (letters, digits, and symbols) available, and how the security policy responds when that character appears in the value field of an HTTP header in a request, and an uncommon header name. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
cookieReference | object | Reference link to cookie configuration which handles the cookies in a list based on the specific cookie type (Enforced/Allowed). optional, read-only |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
createDateTime | string | Date / Time when web application policy was created. e.g. 2016-11-28T20:50:12Z optional |
creatorName | string | Name of user that created the web application policy. optional |
csrfProtectionReference | object | Reference link to the configured cross-site request forgery (CSRF) protection, which guards against unauthorized access to authenticated accounts via CSRF. Property as defined by the policy. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
customXffHeaders | < string > array | Additional X-Forwarded-For style HTTP headers used when an HTTP request is proxied to another server. optional |
dataGuardReference | object | Reference link to policy data guard configuration which protects sensitive data. If a web server response contains a credit card number, U.S. Social Security number, or pattern that matches a user-defined pattern, then the system responds based on the enforcement mode setting. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
description | string | Description of security policy. optional |
disallowedGeolocationReference | object | Reference link to the configured country (geolocation) restrictions on access to your web application. Property as defined by the policy. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
enforcementMode | string | Specifies how the system processes a request that triggers a security policy violation. Possible options: Transparent / Blocking. optional |
evasionsReference | object | Reference link to list of evasion technique detected, which is triggered when the BIG-IP ASM system fails to normalize requests. Normalization is the process of decoding requests that are encoded. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
extractionsReference | object | Reference link to extraction service configuration which manages how the system extracts dynamic values for dynamic parameters from the responses returned by the web application server. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
filetypeReference | object | Reference link to a list of allowed / disallowed file types in the web application that the security policy considers legal. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
fullPath | string | Full path containing BIG-IP partition and name of web application security policy. e.g. /Common/Policy_3 |
generation | string | optional |
gwtProfileReference | object | Reference link to gwt configuration used to protect web applications created by google web toolkit (gwt). Google Web Toolkit (GWT) is a Java framework that is used to create AJAX applications. When you add GWT enforcement to a security policy, the Security Enforcer can detect malformed GWT data, request payloads and parameter values. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
hasParent | boolean | Whether this policy has a parent policy from which it inherits configuration. True / False optional |
headerReference | object | Reference link to policy header configuration. Each parameter can perform normalization and attack signature checks on HTTP headers. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
hostNameReference | object | Reference link to the list of allowed / disallowed host names that are used to access the web application that this security policy protects. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
httpProtocolsReference | object | Reference link to the HTTP protocol compliance options, which are validation checks performed on HTTP requests to ensure the requests are properly formatted. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
id | string | Unique id associated with security policy. optional |
ipIntelligenceReference | object | Reference link to the configured ASM IP intelligence functions, such as logging and blocking requests from source IP addresses that, according to an IP Address Intelligence database, have a bad reputation. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
jsonProfileReference | object | Reference link to the JSON profiles, which define what the security policy enforces and considers legal when it detects traffic that contains JSON data. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
kind | string | Type information for security policy. cm:asm:working-config:policies:policystate. |
lastUpdateMicros | string | Update time (in microseconds) of the last change made to the security policy object. |
learningMode | string | ASM will attempt to adapt to changing patterns in learning mode. Possible options: Automatic, Manual, or Disabled. For Automatic, the system makes suggestions, and enforces most suggestions after sufficient traffic over a period of time. For Manual, the system examines traffic and makes suggestions on what to add to the policy. You manually examine the changes and accept, delete, or ignore the suggestions. For Disabled, the system does not do any learning for the security policy, and makes no suggestions. |
loginEnforcementReference | object | Reference link to the login enforcement configuration, which allows a user to create or edit the properties of authenticated URLs. Authenticated URLs are URLs that become accessible to users only after they successfully log in to the login URL. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
loginPageReference | object | Reference link to session login page configuration used to protect restricted parts of the web application by forcing users to pass through the login page before viewing the restricted (authenticated) URL. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
methodReference | object | Reference link to the configured ASM methods (allowed by default: GET, POST and HEAD). Method settings specify the HTTP methods that are acceptable within the context of the web application and whether each method should act as the GET method or as the POST method. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
modifierName | string | ASM policy modifiers from the custom syntax. optional |
name | string | Name of security policy. |
parameterReference | object | Reference link to the configured ASM parameters that the policy permits, together with their settings such as attack signature checks, staging, and regular expression enforcement, and other pieces of information within a web application. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
partition | string | The BIG-IP partition in which this policy lives. |
plainTextProfileReference | object | Reference link to plain text content profile that defines the properties that a security policy enforces for unstructured text content, such as those used in websocket messages. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
policyBuilderReference | object | Reference link to policy builder configuration which provides functions such as traffic learning and enforcement readiness. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
protocolIndependent | boolean | Whether protocol independent URLs are allowed. True / False optional |
redirectionProtectionReference | object | Reference link to redirection protection configuration to prevent open redirect vulnerability where the server tries to redirect the user to a target domain that is not defined in the security policy. The server redirects a user to a different web application, without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
responsePageReference | object | Reference link to policy response page configuration, where the user can edit the default response page, the login response page, the XML response page, the AJAX blocking response page, and the AJAX login response page for a web application. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
sectionReference | object | Reference link to the list of ASM policy property sections, such as evasion techniques, policy building, websocket protocol, general settings, etc. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
selfLink | string | Reference link to security policy object. |
sensitiveParameterReference | object | Reference link to sensitive parameter configuration used to protect sensitive user input, such as a password or a credit card number, in a validated request. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
sessionTrackingReference | object | Reference link to configured ASM session tracking to track, enforce, and report on user sessions and IP addresses. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
signatureReference | object | Reference link to the configured attack signatures. Property as defined by the policy. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
signatureSetReference | object | Reference link to the signature sets used by ASM to mitigate attacks. Attack signatures belong to signature sets assigned to the security policy. A user can enable or disable security policy attack signatures. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
stagingSettings | object | Staging allows you to test the policy entities and the attack signatures for false positives without enforcing them. optional |
enforcementReadinessPeriod | integer | Period in days both security policy entities and attack signatures remain in staging mode before the system suggests you enforce them. optional |
placeSignaturesInStaging | boolean | Signature staging - the system places new or updated signatures in staging for the number of days specified in the enforcement readiness period. optional |
signatureStaging | boolean | Signature staging is supported on the security policy. True / False optional |
trustXff | boolean | Whether the X-Forwarded-For (XFF) HTTP request header is trusted as the client source address. optional |
type | string | This is a descriptive type of policy. optional e.g. security |
urlReference | object | Reference link to the policy URL configuration, which matches URLs, or URL strings, to allow or disallow the request flow. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
versionDatetime | string | Date time of provisioned security policy. optional |
versionDeviceName | string | Security Policy name as represented by version of BIG-IP. optional |
versionLastChange | string | Operation of last change to a security policy represented. optional |
versionPolicyName | string | Partition and security policy full path. optional |
violationsReference | object | Reference link to a list of violations that occur when some aspect of a request or response does not comply with the security policy for a web application. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
webScrapingReference | object | Reference link to the policy web scraping detection configuration, which prevents web data extraction by detecting session anomalies in web application usage. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
webServicesSecurityReference | object | Reference link to a web service configuration which will verify XML format and validate XML document integrity against a WSDL or XSD file. The security policy can also handle encryption and decryption for web services. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
websocketUrlReference | object | Reference link to the websocket URL list; websockets simplify and speed up communication between clients and servers. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
whitelistIpReference | object | Reference link to the configured whitelist IP list, used to identify source IP addresses that the system should consider safe even if they are found in the IP Address Intelligence database. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
xmlProfileReference | object | Reference link to policy xml profile configuration. An XML profile is a set of content definitions that determine whether the system allows or disallows requests that contain XML. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
xmlValidationFileReference | object | Reference link to the XML validation configuration used to enforce or validate XML content for the web application. optional |
isSubcollection | boolean | Is a subcollection (True/False) |
link | string | Reference link to the Subcollection |
Error Response¶
HTTP/1.1 400 Bad Request
Name | Type | Description |
---|---|---|
errorStack | string | Error stack trace returned by Java. optional, read-only |
items | < object > array | Collection of policies. 400 error. optional |
kind | string | Type information for ASM web application security policies - cm:asm:working-config:policies:policycollectionstate. optional, read-only |
message | string | Error message returned from server. optional, read-only |
requestBody | string | The data in the request body. GET (None) optional, read-only |
requestOperationId | integer(int64) | Unique id assigned to rest operation. optional, read-only |
referer | string | IP address. optional, read-only |
HTTP/1.1 403 Unauthorized
Name | Type | Description |
---|---|---|
errorStack | string | Error stack trace returned by Java. optional, read-only |
kind | string | Type information for ASM web application security policies - cm:asm:working-config:policies:policycollectionstate. optional, read-only |
message | string | Error message returned from server. Unauthorized optional, read-only |
requestBody | string | The data in the request body. GET (None) optional, read-only |
requestOperationId | integer(int64) | Unique id assigned to rest operation. optional, read-only |
referer | string | IP address. optional, read-only |
HTTP/1.1 404
Name | Schema | Description |
---|---|---|
errorStack | string | Error stack trace returned by Java. optional, read-only |
items | < object > array | Collection of policies. 404 error. optional |
kind | string | Type information for ASM web application security policies - cm:asm:working-config:policies:policycollectionstate optional, read-only |
message | string | Error message returned from server. optional, read-only |
requestBody | string | The data in the request body. GET (None) optional, read-only |
requestOperationId | integer(int64) | Unique id assigned to rest operation. optional, read-only |
referer | string | IP address. optional, read-only |
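The policy object returned by this endpoint carries the security-relevant settings inline (enforcementMode, learningMode, trustXff, stagingSettings) while everything else is a `*Reference` pointer whose `isSubcollection` / `link` pair must be fetched separately. The following is an added example, not code from the BIG-IQ documentation or from F5, of how a reviewer might parse one policy object and one error body of the shapes documented in the response tables above. The sample documents are constructed from the field names on this page with illustrative values; the `<id>` placeholders in the links and the `https://localhost` host are assumptions.

```python
"""Audit a BIG-IQ ASM policy object for settings a security reviewer
should question, and reduce an error body to its loggable fields.

Added example for this page; not code from the BIG-IQ documentation.
Sample documents are constructed from the field names in the response
tables, with illustrative values.
"""
import json

# Type value documented for a single policy object on this page.
POLICY_KIND = "cm:asm:working-config:policies:policystate"

# Constructed sample body in the shape the policies endpoint returns
# (illustrative values; <id> and the host are placeholders).
SAMPLE_POLICY = json.dumps({
    "kind": POLICY_KIND,
    "name": "Policy_3",
    "partition": "Common",
    "fullPath": "/Common/Policy_3",
    "enforcementMode": "Transparent",
    "learningMode": "Manual",
    "trustXff": True,
    "protocolIndependent": False,
    "stagingSettings": {
        "enforcementReadinessPeriod": 7,
        "placeSignaturesInStaging": True,
        "signatureStaging": True,
    },
    "signatureSetReference": {
        "isSubcollection": True,
        "link": "https://localhost/mgmt/cm/asm/working-config/policies/<id>/signature-sets",
    },
    "urlReference": {
        "isSubcollection": True,
        "link": "https://localhost/mgmt/cm/asm/working-config/policies/<id>/urls",
    },
})

# Constructed sample 403 error body, shaped like the error tables above.
SAMPLE_ERROR = json.dumps({
    "kind": "cm:asm:working-config:policies:policycollectionstate",
    "message": "Unauthorized",
    "requestOperationId": 1234567890,
    "referer": "192.0.2.10",
})


def parse_policy(body):
    """Decode a response body and check it is a single policy object."""
    doc = json.loads(body)
    if doc.get("kind") != POLICY_KIND:
        raise ValueError(f"unexpected kind: {doc.get('kind')!r}")
    return doc


def audit_policy(policy):
    """Return (field, finding) pairs for settings worth a second look.

    Each check maps to a field documented on this page; the judgement
    of what counts as a finding is the example's own, not a BIG-IQ rule.
    """
    findings = []
    mode = policy.get("enforcementMode")
    if mode != "Blocking":
        findings.append(("enforcementMode",
                         f"mode is {mode!r}: violations are logged, not blocked"))
    if policy.get("learningMode") == "Disabled":
        findings.append(("learningMode",
                         "learning disabled: no policy suggestions are generated"))
    if policy.get("trustXff"):
        findings.append(("trustXff",
                         "X-Forwarded-For is trusted: confirm only trusted proxies "
                         "can set it, or source-IP based checks can be misled"))
    staging = policy.get("stagingSettings") or {}
    if staging.get("signatureStaging") and staging.get("placeSignaturesInStaging"):
        days = staging.get("enforcementReadinessPeriod")
        findings.append(("stagingSettings",
                         f"new signatures stay in staging for {days} days "
                         "before enforcement is suggested"))
    return findings


def subcollection_links(policy):
    """Map every *Reference field marked isSubcollection to its link.

    The policy object only carries pointers to signature sets, URLs,
    parameters and so on; a full review must fetch each link separately.
    """
    return {
        name: ref["link"]
        for name, ref in policy.items()
        if isinstance(ref, dict) and ref.get("isSubcollection") and "link" in ref
    }


def summarize_error(body):
    """Reduce a 400/403/404 error body to the fields worth logging."""
    err = json.loads(body)
    return {
        "message": err.get("message"),
        "requestOperationId": err.get("requestOperationId"),
        "referer": err.get("referer"),
    }


if __name__ == "__main__":
    doc = parse_policy(SAMPLE_POLICY)
    for field, finding in audit_policy(doc):
        print(f"{doc['fullPath']}: {field}: {finding}")
    for name, link in subcollection_links(doc).items():
        print(f"  {name} -> {link}")
    print(summarize_error(SAMPLE_ERROR))
```

Run as a script it prints the findings for the constructed policy (Transparent mode, trusted XFF, seven days of signature staging) and the two subcollection links to fetch next; `parse_policy` rejects any body whose `kind` is not the single-policy type, so an error body or a collection is not mistaken for a policy.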
Permissions¶
Role | Allow |
---|---|
Security Manager | Yes |
Web Application Manager | Yes |
Web Application Editor | Yes |
Web Application Viewer | Yes |
Web Application Deployer | Yes |