asm policy
asm policy(1) BIG-IP TMSH Manual asm policy(1)
NAME
policy - Configures an application security policy.
MODULE
asm
SYNTAX
Configure the policy component within the asm module using the syntax shown in the following sections.
CREATE
create policy [name]
options:
[active | inactive]
app-service [[string] | none]
blocking-mode [enabled | disabled]
description [[string] | none]
encoding [[name] | none]
policy-builder [enabled | disabled]
policy-template [name]
policy-type [security | parent]
parent-policy [name]
MODIFY
modify policy [name]
options:
[active | inactive]
app-service [[string] | none]
blocking-mode [enabled | disabled]
description [[string] | none]
encoding [[name] | none]
policy-builder [enabled | disabled]
policy-template [name]
DISPLAY
list policy [ [ [name] | [glob] | [regex] ] ... ]
show running-config policy [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
one-line
partition
virtual-servers
DELETE
delete policy [name]
SAVE
save policy [name]
options:
include-suggestions
overwrite
bin-file [filename]
json-file [filename]
min-json-file [filename]
min-xml-file [filename]
policy-template [name]
xml-file [filename]
LOAD
load policy [name]
options:
overwrite
file [filename]
xml-string [string]
PUBLISH
publish policy [name]
DESCRIPTION
You can use the policy component to create, modify, display, delete, save, load, or publish an application security policy
for use with Application Security Manager functionality.
Note: To display all policy properties available in tmsh, including initial settings used by iApp and advanced
configuration accessible in ASM GUI, specify the all-properties option or the detailed properties. By default, only initial
properties are displayed: encoding, policy-template and [active | inactive].
Note: The modify command with the properties encoding and/or policy-template causes ASM to reconfigure the security policy
and clear all its former data.
Note: The policy-type cannot be modified after the creation of the policy.
Note: The parent-policy is optional and can be set only while creating a policy with policy-type set to security.
EXAMPLES
create policy my_asm_policy encoding utf-8
Creates a new policy named my_asm_policy with the default language encoding, policy-type set to security and no
parent-policy.
modify policy my_asm_policy active
Activates the inactive policy named my_asm_policy.
create policy my_parent_asm_policy encoding utf-8 policy-type parent
Creates a new policy named my_parent_asm_policy with the default language encoding.
create policy my_security_asm_policy policy-type security parent-policy my_parent_asm_policy
Creates a new policy named my_security_asm_policy, policy-type set to security and my_parent_asm_policy set as the parent
policy.
list policy
Displays the properties of all application security policies.
save policy my_asm_policy xml-file my_asm_policy.xml
Exports the policy named my_asm_policy to the XML file /var/tmp/my_asm_policy.xml.
load policy my_asm_policy overwrite file /tmp/my_asm_policy.plc
Imports the policy named my_asm_policy from the file /tmp/my_asm_policy.plc and overwrites the policy if it already exists.
publish policy my_asm_policy
Applies the active policy named my_asm_policy.
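The DESCRIPTION note that modify with encoding or policy-template clears the policy's former data is a reason to export the policy before such a change. The following is an added example, not part of the F5 manual: a dry-run helper that prints the commands in the `tmsh <verb> asm policy` form used from the BIG-IP bash prompt. The function name asm_modify_plan and the backup file name are hypothetical.

```shell
#!/bin/sh
# Added example, not F5 code. Dry run: prints tmsh commands, never runs them.
#
# asm_modify_plan POLICY BACKUP_FILE OPTION...
#   POLICY       name of an existing ASM policy
#   BACKUP_FILE  simple file name; save writes it under /var/tmp
#   OPTION...    options as they would follow "modify policy POLICY"
# Values containing spaces are not re-quoted in the printed plan.
asm_modify_plan() {
    policy=$1; backup=$2; shift 2
    opts=$*

    # save takes a simple file name, not a path.
    case $backup in
        ''|*/*)
            echo "backup file must be a simple name, got '$backup'" >&2
            return 2 ;;
    esac

    # Walk the keyword/value pairs so that a value which happens to read
    # "encoding" (for example a description) is not mistaken for the keyword.
    destructive=no
    while [ $# -gt 0 ]; do
        case $1 in
            active|inactive) shift; continue ;;      # keyword without a value
            encoding|policy-template) destructive=yes ;;
        esac
        if [ $# -ge 2 ]; then shift 2; else shift; fi
    done

    # encoding / policy-template make ASM reconfigure the policy and clear
    # its former data, so export the current policy before that change.
    if [ "$destructive" = yes ]; then
        echo "tmsh save asm policy $policy overwrite xml-file $backup"
        echo "# rollback: tmsh load asm policy $policy overwrite file /var/tmp/$backup"
    fi
    echo "tmsh modify asm policy $policy $opts"
}

# Constructed invocations, using the policy name from the page's examples.
asm_modify_plan my_asm_policy my_asm_policy.pre-change.xml encoding utf-8
asm_modify_plan my_asm_policy my_asm_policy.pre-change.xml blocking-mode enabled
```

The rollback line uses the full path because load expects one, while save accepts only the simple name and writes to /var/tmp.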
OPTIONS
app-service
Specifies the name of the application service to which the object belongs. The default value is none. Note: If the
strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
object. Only the application service can modify or delete the object.
[active | inactive]
Activates or deactivates the policy for later association with L7 policies and virtual servers. The default value is
inactive.
bin-file
Specifies the exported file name to be saved in binary format when using the save command. The file name should be
simple (not a full path); it is saved to the /var/tmp directory on the system.
blocking-mode
Specifies whether the system blocks a request that triggers a security policy violation or only logs the violation
event (transparent mode).
description
Specifies an optional description of the security policy.
encoding
Specifies the language encoding, which determines how the security policy processes the character sets. This property
corresponds to the language property of the httpclass-asm component.
file
Specifies the file name from which the policy is going to be imported when using the load command. A full path should
be specified.
glob
Displays the items that match the glob expression. See help glob for a description of glob expression syntax.
include-suggestions
Specifies that the JSON policy file for the save command should also include the suggestions.
json-file
Specifies the exported file name to be saved in a JSON format when using the save command. The file name should be
simple (not a full path); it is saved to the /var/tmp directory on the system.
min-json-file
Specifies the exported file name to be saved in compact JSON format when using the save command. The file name should
be simple (not a full path); it is saved to the /var/tmp directory on the system.
min-xml-file
Specifies the exported file name to be saved in compact XML format when using the save command. The file name should
be simple (not a full path); it is saved to the /var/tmp directory on the system. To display the XML output
immediately, omit this property and the properties xml-file, json-file, min-json-file, and bin-file.
name
Specifies a unique name for the component. This option is required for the commands create, delete, modify, save, and
publish. If it is not specified for the load command, the policy name will be taken from the imported settings.
overwrite
Specifies that the policy file for the save command or the policy component for the load command can be overwritten if
it exists.
partition
Displays the administrative partition within which the component resides.
policy-builder
Enables or disables automatic policy building.
policy-template
Specifies whether the security policy is based on a predefined security policy template, and if so, which one. If you
create or modify a security policy based on a template, the system automatically configures the new security policy
according to the conditions of the template. This property corresponds to the predefined-policy property of the
httpclass-asm component. If you save a security policy in compact JSON format, you can choose a template which the
saved policy will be based on.
policy-type
Specifies the security policy type, which cannot be changed after you create the policy. The parent policy type cannot
be active and cannot have a parent. The security policy type may or may not have a single parent policy defined.
parent-policy
Optionally, specifies the name of an existing policy, of policy-type parent, to be set as the parent policy while
creating a policy of policy-type security.
regex
Displays the items that match the regular expression. The regular expression must be preceded by an at sign (@[regular
expression]) to indicate that the identifier is a regular expression. See help regex for a description of regular
expression syntax.
Note: This component supports matching by the regex expression only when displaying the initial policy properties.
virtual-servers
Displays the name of the protected virtual server, or virtual servers, to which the security policy is attached
via L7 policies.
xml-file
Specifies the exported file name to be saved in XML format when using the save command. The file name should be simple
(not a full path); it is saved to the /var/tmp directory on the system. To display the XML output immediately, omit
this property and the properties min-xml-file, json-file, min-json-file, and bin-file.
xml-string
Specifies the XML document from which the policy is going to be imported when using the load command.
SEE ALSO
asm predefined-policy, asm webapp-language, create, delete, glob, list, load, ltm policy, ltm virtual, modify, publish,
regex, save, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2010-2012. All rights reserved.
BIG-IP 2020-09-29 asm policy(1)