Import, Export, Clone, Revert, or Delete a WAF Policy

The BIG-IP Next Central Manager allows you to manage and store WAF policies that can be deployed onto your managed instances, as needed.

Import a WAF policy from a local JSON declaration

Import a policy (JSON declaration) from your local system. A template is required to import a policy. For more information about the WAF JSON declaration, see Declarative WAF Policy Schema.

Note: If exporting from an earlier version of BIG-IP, you must select the Export Full option.

Support for WAF imported policy on BIG-IP Next

Some WAF protection features are not supported on BIG-IP Next, or are supported on the BIG-IP Next instance, but not directly in BIG-IP Next Central Manager’s UI. This may present issues in editing the policy once it is imported to BIG-IP Next Central Manager. To make changes to the policy, first see WAF Feature Mapping between BIG-IP and BIG-IP Next.

Import a WAF policy

Use the following procedure to import a WAF policy using the BIG-IP Next Central Manager UI.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Policies under WAF.

  3. At the top of the screen, click Import.

  4. Click Choose a file….

  5. Select the JSON declaration to import.

  6. Click Import.

The imported policy is added to your Policies list. If there are WAF features that are unsupported by BIG-IP Next, you will receive an inline notification.

Clone a WAF policy

Create a new WAF policy by cloning an existing policy configured on BIG-IP Next Central Manager. The cloned policy includes all settings configured on the original policy, with the option to clone its tags as well.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Policies under WAF.

  3. Select the check box next to the policy you would like to clone.

  4. At the top of the screen, click Actions and select Clone.

  5. Enter a Name and Description for the cloned policy.

  6. Clone Tags is enabled by default. You can de-select this option to remove previous tags from the newly cloned policy.

  7. Click Clone.

The newly-cloned policy is added to the WAF Policies list. You can select the policy name to edit the settings. To manage policy settings, see How To: Manage and Edit a WAF Policy on BIG-IP Next Central Manager.

Export WAF Policies

Export one or more WAF policies from BIG-IP Next Central Manager to your local system. You can export up to 100 policies at a time.

  1. Click the Workspace icon next to the F5 logo, and click Security.

  2. From the left menu click Policies under WAF.

  3. Select the check box next to the policy (or policies) you would like to export.

    Note: You can export up to 100 policies at a time.

  4. At the top of the screen, click Actions and select Export.

The download process starts automatically after you click Export. If you selected only one policy, the downloaded result is a JSON file with the policy’s name and export date. If you selected more than one policy, the download results in a zip file named ‘WAF Policies’ with the export date and time.

Delete a WAF policy

Delete a WAF policy from BIG-IP Next Central Manager.

Ensure that the policy is not deployed to an application.

  1. Click the Workspace icon next to the F5 logo, and click Security.

  2. From the left menu click Policies under WAF.

  3. Select the check box next to the policy (or policies) you would like to delete.

  4. At the top of the screen, click Actions and select Delete.

  5. Confirm your action.

The policy is deleted from BIG-IP Next Central Manager and removed from the Policies list.

Revert a WAF policy to previous version

Updates to a WAF policy may not be optimal for your application’s protection. By default, the most recently deployed changes are the active version, but you can review the version history and select an earlier version to restore.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Policies under WAF.

  3. From the policy’s Last Modified column, select the date and time to view the version history of the last 10 modifications. The version history shows the date of each modification, the comment by the modifier before deployment, and the user that created the modification.

    Note: This option only appears when changes to a policy were deployed.

  4. Select the check box next to the policy you would like to restore.

  5. Click Restore from the top right of the panel.

  6. (Optional) Add a comment about why the version was restored.

  7. Click Yes, Restore.

The restored version is now the active, deployed version and the newest entry on the version list.

Create a new security policy using a template - API

Use the following procedure to create a WAF policy using the system default template. For more information about supported policy templates, see Reference: WAF Policy Templates.

Send a POST request using the WAF OpenAPI.
POST https://{{bigip_next_cm_mgmt_ip}}/api/v1/spaces/default/security/waf-policies

The body of the POST must include:

  • name

  • template_name - You must specify a template for your policy. See note about available templates.

    Note: The “Moderate-Protection” template is the only template currently available. This is a general template that protects against high accuracy signatures, and most violations are enabled.

  • application_language - Specifies the application language applied in the policy. To request a list of supported application languages send a GET request:
    GET https://{{bigip_next_cm_mgmt_ip}}/api/waf/v1/application-languages

    Note: You will not be able to edit this setting once the policy is configured.

  • case_insensitive - Specifies whether the security policy treats microservice URLs, file types, URLs, and parameters as case-sensitive or not. When this setting is enabled, the system stores these security policy elements in lowercase in the security policy configuration.
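The following example is an addition to this page, not F5's own code. It validates the four body fields listed above before building the POST request, which matters because application_language cannot be edited once the policy is configured. The host name, the bearer-token header, the boolean type of case_insensitive, the plain-list form of the supported languages and the sample values are assumptions of the example.

```python
import json
import urllib.request

# Per the note above, this is the only template currently available.
AVAILABLE_TEMPLATES = {"Moderate-Protection"}
REQUIRED_FIELDS = ("name", "template_name", "application_language", "case_insensitive")


def build_create_policy_request(cm_host, token, policy, supported_languages):
    """Validate a policy body and return an unsent urllib Request.

    Assumptions of this example: `token` is a bearer token from your Central
    Manager login, and `supported_languages` is a list of names taken from
    GET /api/waf/v1/application-languages.
    """
    missing = [f for f in REQUIRED_FIELDS if f not in policy]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    if policy["template_name"] not in AVAILABLE_TEMPLATES:
        raise ValueError("unknown template: %r" % policy["template_name"])
    # application_language is fixed after creation, so reject typos up front.
    if policy["application_language"] not in supported_languages:
        raise ValueError("unsupported application_language: %r"
                         % policy["application_language"])
    # Assumed to be a JSON boolean; the string "true" would not be one.
    if not isinstance(policy["case_insensitive"], bool):
        raise ValueError("case_insensitive must be a JSON boolean")
    url = "https://%s/api/v1/spaces/default/security/waf-policies" % cm_host
    return urllib.request.Request(
        url,
        data=json.dumps(policy).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + token},  # assumed auth scheme
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    sample = {"name": "policy1_name", "template_name": "Moderate-Protection",
              "application_language": "utf-8", "case_insensitive": True}
    req = build_create_policy_request("cm.example.test", "PLACEHOLDER_TOKEN",
                                      sample, ["utf-8", "iso-8859-1"])
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
    # Send with urllib.request.urlopen(req) once the values are correct.
```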

Import a WAF policy from local JSON declaration - API

Use the following POST request to import the WAF policy:

POST https://{{bigip_next_cm_mgmt_ip}}/api/waf/v1/tasks/policy-import/{id}

Clone a WAF Policy - API

Use the following POST request to clone an existing policy:

POST https://{{bigip_next_cm_mgmt_ip}}/api/waf/v1/tasks/clone-policy

Request body example (with cloned tags):

{
    "policy_name": "policy1_name",
    "cloned_policy_name": "policy1_name_clone",
    "clone_policy_tags": true
}

Use the following GET request to view the statuses and IDs of all current policy cloning tasks:

GET https://{{bigip_next_cm_mgmt_ip}}/api/waf/v1/tasks/clone-policy

Export WAF Policies - API

Use the following POST request to export specified WAF policies:

POST https://{{bigip_next_cm_mgmt_ip}}/api/waf/v1/export-policies

Request body example:

{
    "policies": [
        "first_policy_name",
        "second_policy_name"
    ]
}

A zip file of the specified policies is downloaded to your local system.