asm policy

asm policy(1)		      BIG-IP TMSH Manual		 asm policy(1)



NAME
       policy - Configures an application security policy.

MODULE
       asm

SYNTAX
       Configure the policy component within the asm module using the syntax
       shown in the following sections.

   CREATE
	create policy [name]
	  options:
	    [active | inactive]
	    app-service [[string] | none]
	    blocking-mode [enabled | disabled]
	    description [[string] | none]
	    encoding [[name] | none]
	    policy-builder [enabled | disabled]
	    policy-template [name]
	    policy-type [security | parent]
	    parent-policy [name]

   MODIFY
	modify policy [name]
	  options:
	    [active | inactive]
	    app-service [[string] | none]
	    blocking-mode [enabled | disabled]
	    description [[string] | none]
	    encoding [[name] | none]
	    policy-builder [enabled | disabled]
	    policy-template [name]

   DISPLAY
	list policy [ [ [name] | [glob] | [regex] ] ... ]
	show running-config policy [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    one-line
	    partition
	    virtual-servers

   DELETE
	delete policy [name]

   SAVE
	save policy [name]
	  options:
	    overwrite
	    bin-file [filename]
	    min-xml-file [filename]
	    xml-file [filename]

   LOAD
	load policy [name]
	  options:
	    overwrite
	    file [filename]
	    xml-string [string]

   PUBLISH
	publish policy [name]

DESCRIPTION
       You can use the policy component to create, modify, display, delete,
       save, load, or publish an application security policy for use with
       Application Security Manager functionality.

       Note: To display all policy properties available in tmsh, including
       initial settings used by iApp and advanced configuration accessible in
       the ASM GUI, specify the all-properties option or the detailed
       properties. By default, only the initial properties are displayed:
       encoding, policy-template and [active | inactive].

       Note: The modify command with the properties encoding and/or policy-
       template causes ASM to reconfigure the security policy and clear all
       its former data.

       Note: The policy-type cannot be modified after the creation of the
       policy.

       Note: The parent-policy is optional and can be set only while creating
       a policy with policy-type set to security.

EXAMPLES
       create policy my_asm_policy encoding utf-8

       Creates a new policy named my_asm_policy with the default language
       encoding, policy-type set to security and no parent-policy.

       modify policy my_asm_policy active

       Activates the inactive policy named my_asm_policy.

       create policy my_parent_asm_policy encoding utf-8 policy-type parent

       Creates a new policy named my_parent_asm_policy with the default
       language encoding and policy-type set to parent.

       create policy my_security_asm_policy policy-type security parent-policy
       my_parent_asm_policy

       Creates a new policy named my_security_asm_policy, policy-type set to
       security and my_parent_asm_policy set as the parent policy.

       list policy

       Displays the properties of all application security policies.

       save policy my_asm_policy xml-file my_asm_policy.xml

       Exports the policy named my_asm_policy to the XML file
       /var/tmp/my_asm_policy.xml.

       load policy my_asm_policy overwrite file /tmp/my_asm_policy.plc

       Imports the policy named my_asm_policy from the file
       /tmp/my_asm_policy.plc and overwrites the policy if it already exists.

       publish policy my_asm_policy

       Applies the active policy named my_asm_policy.
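
       An added audit example, not part of the F5 manual: it reads the text
       printed by list policy with the all-properties option and reports
       policies that are inactive or in transparent mode (blocking-mode
       disabled). The stanza layout, the sample listing and the virtual
       server name are constructed assumptions.

```shell
#!/bin/sh
# Added example (not F5 code): flag ASM policies that are not enforcing.
# Input: text printed by `list policy` with the all-properties option.
# Assumption: stanzas look like "asm policy <name> { ... }", one property per line.
audit_asm_policies() {
    awk '
    function report(   why) {
        # Parent policies cannot be active, so only check state on the rest.
        if (type != "parent" && state != "active") why = "state=" state
        if (mode != "enabled")
            why = (why == "" ? "" : why ",") "blocking-mode=" mode
        if (why != "") print name ": " why
    }
    $1 == "asm" && $2 == "policy" && $NF == "{" {
        name = $3; state = mode = type = "unknown"; depth = 1; next
    }
    depth == 0 { next }                   # outside any policy stanza
    $NF == "{" { depth++; next }          # nested block, e.g. virtual-servers
    $1 == "}"  { if (--depth == 0) report(); next }
    depth != 1 { next }                   # ignore contents of nested blocks
    NF == 1 && ($1 == "active" || $1 == "inactive") { state = $1 }
    $1 == "blocking-mode" { mode = $2 }
    $1 == "policy-type"   { type = $2 }
    '
}
# Constructed sample listing (not captured from a real system).
sample_listing() {
    cat <<'EOF'
asm policy my_asm_policy {
    inactive
    policy-type security
}
asm policy my_security_asm_policy {
    active
    blocking-mode disabled
    policy-type security
    virtual-servers {
        /Common/vs_app
    }
}
asm policy my_parent_asm_policy {
    inactive
    blocking-mode enabled
    policy-type parent
}
EOF
}
sample_listing | audit_asm_policies
```

       A blocking-mode of unknown means the property was absent from the
       listing, which happens when only the initial properties are displayed.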

OPTIONS
       app-service
	    Specifies the name of the application service to which the object
	    belongs. The default value is none. Note: If the strict-updates
	    option is enabled on the application service that owns the object,
	    you cannot modify or delete the object. Only the application
	    service can modify or delete the object.

       [active | inactive]
	    Activates or deactivates the policy for later association with L7
	    policies and virtual servers. The default value is inactive.

       bin-file
	    Specifies the exported file name to be saved in binary format when
	    using the save command. The file name should be simple (not a full
	    path); it is saved to the /var/tmp directory on the system.

       blocking-mode
	    Specifies whether the system blocks a request that triggers a
	    security policy violation or only logs the violation event
	    (transparent mode).

       description
	    Specifies an optional description of the security policy.

       encoding
	    Specifies the language encoding, which determines how the security
	    policy processes the character sets. This property corresponds to
	    the language property of the httpclass-asm component.

       file Specifies the file name from which the policy is going to be
	    imported when using the load command. A full path should be
	    specified.

       glob Displays the items that match the glob expression. See help glob
	    for a description of glob expression syntax.

       min-xml-file
	    Specifies the exported file name to be saved in compact XML format
	    when using the save command. The file name should be simple (not a
	    full path); it is saved to the /var/tmp directory on the system.
	    To display the XML output immediately, omit this property and the
	    xml-file and bin-file properties.

       name Specifies a unique name for the component. This option is required
	    for the commands create, delete, modify, save, and publish. If it
	    is not specified for the load command, the policy name will be
	    taken from the imported settings.

       overwrite
	    Specifies that the policy file for the save command or the policy
	    component for the load command can be overwritten if it exists.

       partition
	    Displays the administrative partition within which the component
	    resides.

       policy-builder
	    Enables or disables automatic policy building.

       policy-template
	    Specifies whether the security policy is based on a predefined
	    security policy template, and if so, which one. If you create or
	    modify a security policy based on a template, the system
	    automatically configures the new security policy according to the
	    conditions of the template. This property corresponds to the
	    predefined-policy property of the httpclass-asm component.

       policy-type
	    Specifies the security policy type, which cannot be changed after
	    you create the policy. The parent policy type cannot be active and
	    cannot have a parent. The security policy type may or may not have
	    a single parent policy defined.

       parent-policy
	    Optionally specifies the name of an existing policy of policy-type
	    parent to be set as the parent policy when creating a policy of
	    policy-type security.

       regex
	    Displays the items that match the regular expression. The regular
	    expression must be preceded by an at sign (@[regular expression])
	    to indicate that the identifier is a regular expression. See help
	    regex for a description of regular expression syntax.

	    Note: This component supports matching by the regex expression
	    only when displaying the initial policy properties.

       virtual-servers
	    Displays the names of the protected virtual servers to which the
	    security policy is attached via L7 policies.

       xml-file
	    Specifies the exported file name to be saved in XML format when
	    using the save command. The file name should be simple (not a full
	    path); it is saved to the /var/tmp directory on the system. To
	    display the XML output immediately, omit this property and the
	    min-xml-file and bin-file properties.

       xml-string
	    Specifies the XML document from which the policy is going to be
	    imported when using the load command.

SEE ALSO
       asm predefined-policy, asm webapp-language, create, delete, glob, list,
       load, ltm policy, ltm virtual, modify, publish, regex, save, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2010-2012. All rights reserved.



BIG-IP				  2016-09-14			 asm policy(1)