ASM Policy Analyzer Suggestions

Overview

The ASM Policy Analyzer Suggestions API can be used to retrieve the security score and suggestion references that have been generated by the ASM Policy Analyzer API. The ASM Policy Analyzer can analyze a security policy, calculate a security score, and store suggestions to improve the policy. After the policy analyzer task has completed, you can use the ASM Policy Analyzer Suggestions API and the ASM Policy Analyzer Rules API to get the policy analyzer results which can be reported to the user. You can also use the ASM Policy Difference API to compare two security policies for the purpose of distinguishing differences in security levels. The policy analyzer can be rerun after changing the policy configuration to check for improvement of the configuration.

REST Endpoint: /mgmt/cm/asm/reports/analyzer/config-analyzer-suggestions/{policyId}

Requests

GET /mgmt/cm/asm/reports/analyzer/config-analyzer-suggestions/{policyId}

Send a GET request to the analyzer/config-analyzer-suggestions/{policyId} endpoint to retrieve the score, aggregated category details of the suggestions, and the reference to the suggestions generated by the policy analyzer for the ASM policy specified by policyId.

Request Parameters

None

Query Parameters

None

Response

HTTP/1.1 200 OK

Name Type Description
categories object An array of category name and number of suggestions in the category.
     count number The number of suggestions in this category.
     name string The category name.
id string UUID identifying the policy analyzer suggestions collection.
policyReference object A reference link to an ASM policy existing on the BIG-IQ for which the policy analyzer can run.
     link string URL of ASM policy for which the policy analyzer generated suggestions.
score string The security score calculated by the policy analyzer. Possible values: “A”, “B”, “C”, “D”, “E”, or “F”.
selfLink string URL to the policy suggestions.
suggestionRuleReference object A reference link to the suggestions generated by the policy analyzer.
     link string URL of the suggestions generated by the policy analyzer and the corresponding rule reference.
     isSubcollection string This value is true.

Permissions

Role Allow
Web Application Security Manager Yes
Web Application Security Editor Yes
Web Application Security Viewer Yes
Web Application Security Deployer Yes

GET /mgmt/cm/asm/reports/analyzer/config-analyzer-suggestions/{policyId}/suggestions

Send a GET request to the analyzer/config-analyzer-suggestions/{policyId}/suggestions endpoint to retrieve the suggestions subcollection generated by the policy analyzer for a given policyId.

Request Parameters

None

Query Parameters

None

Response

HTTP/1.1 200 OK

Name Type Description
items object An array of suggestions
     id string UUID of a single suggestion and recommendation
     ruleId string The rule id from which this suggestion is generated
     selfLink string URL of a single suggestion and recommendation
     isIgnored boolean This value is true if this suggestion is part of the ignoredSuggestions posted by the user, otherwise false.
     description string A description of this suggestion
     suggestionRuleReference object A reference link for the rule from which this suggestion is generated. You can use this when sending a GET to the ASM Policy Analyzer Rules API to get details about the rule used to generate suggestions.
          link string URL of suggestion rule reference. You can use the suggestionsReference and the ASM Policy Analyzer Rules API to get details about the rule used to generate suggestions.
selfLink string URL to the policy suggestions.

Permissions

Role Allow
Web Application Security Manager Yes
Web Application Security Editor Yes
Web Application Security Viewer Yes
Web Application Security Deployer Yes

Examples

GET to get suggestions

The following example sends a GET request to get suggestions.

GET https://<BIG-IQ>/mgmt/cm/asm/reports/analyzer/config-analyzer-suggestions/6c6ef0a0-d6ca-31b3-887a-5bfe5001a7e4

Response

The JSON in the response to the GET can look similar to the following.

HTTP/1.1 200 OK

{
    "id": "6c6ef0a0-d6ca-31b3-887a-5bfe5001a7e4",
    "kind": "cm:asm:reports:analyzer:config-analyzer-suggestions:configanalyzersuggestionstate",
    "score": "B",
    "selfLink": "https://localhost/mgmt/cm/asm/reports/analyzer/config-analyzer-suggestions/6c6ef0a0-d6ca-31b3-887a-5bfe5001a7e4",
    "categories": [{
                    "name": "Violations",
                    "count": 3
            },
            {
                    "name": "General",
                    "count": 2
            },
            {
                    "name": "Signatures",
                    "count": 1
            },
            {
                    "name": "Entities",
                    "count": 1
            }
    ],
    "generation": 12,
    "policyReference": {
            "link": "https://localhost/mgmt/cm/asm/working-config/policies/6c6ef0a0-d6ca-31b3-887a-5bfe5001a7e4"
    },
    "lastUpdateMicros": 1611755516118036,
    "suggestionRuleReference": {
            "link": "https://localhost/mgmt/cm/asm/reports/analyzer/config-analyzer-suggestions/6c6ef0a0-d6ca-31b3-887a-5bfe5001a7e4/suggestions",
            "isSubcollection": true
    }
}

GET to get suggestion subcollection

The following example sends a GET request to get the suggestion subcollection.

GET https://<BIG-IQ>/mgmt/cm/asm/reports/analyzer/config-analyzer-suggestions/6c6ef0a0-d6ca-31b3-887a-5bfe5001a7e4/suggestions

Response

The JSON in the response to the GET can look similar to the following.

HTTP/1.1 200 OK

{
    "items": [{
            "id": "b8c37e33-defd-351c-b91e-1e03e51657da",
            "kind": "cm:asm:reports:analyzer:config-analyzer-suggestions:suggestions:configanalyzersuggestionrulestate",
            "ruleId": "1001",
            "selfLink": "https://localhost/mgmt/cm/asm/reports/analyzer/config-analyzer-suggestions/6c6ef0a0-d6ca-31b3-887a-5bfe5001a7e4/suggestions/b8c37e33-defd-351c-b91e-1e03e51657da",
            "isIgnored": false,
            "generation": 1,
            "description": "Policy enforcement not set to block attacks",
            "lastUpdateMicros": 1611755515807779,
            "suggestionRuleReference": {
                    "link": "https://localhost/mgmt/cm/asm/reports/analyzer/config-analyzer-rules/b8c37e33-defd-351c-b91e-1e03e51657da"
            }
    }],
    "generation": 64,
    "kind": "cm:asm:reports:analyzer:config-analyzer-suggestions:suggestions:configanalyzersuggestionrulecollectionstate",
    "lastUpdateMicros": 1611755515965424,
    "selfLink": "https://localhost/mgmt/cm/asm/reports/analyzer/config-analyzer-suggestions/6c6ef0a0-d6ca-31b3-887a-5bfe5001a7e4/suggestions"
}
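
The following added example (not F5 code and not part of the original page) shows how a client might combine the two responses above into a pass/fail report: it counts suggestions per category, drops entries where isIgnored is true, and rewrites the returned `https://localhost/...` reference link to the real BIG-IQ host after checking that it stays under the analyzer API path. The host name `bigiq.example.test`, the function names, the ruleId `9999` entry, and the ordering of grades from "A" (best) to "F" (worst) are assumptions; the sample data is trimmed from the example responses on this page and no network request is made.

```python
import json
from urllib.parse import urlsplit, urlunsplit

GRADES = ("A", "B", "C", "D", "E", "F")  # score values from this page; A-best order is assumed
API_PREFIX = "/mgmt/cm/asm/reports/analyzer/"

# Constructed sample data, trimmed from the example responses on this page.
SUMMARY = json.loads("""{
  "score": "B",
  "categories": [{"name": "Violations", "count": 3}, {"name": "General", "count": 2}],
  "suggestionRuleReference": {
    "link": "https://localhost/mgmt/cm/asm/reports/analyzer/config-analyzer-suggestions/6c6ef0a0-d6ca-31b3-887a-5bfe5001a7e4/suggestions",
    "isSubcollection": true}
}""")
SUGGESTIONS = json.loads("""{"items": [
  {"ruleId": "1001", "isIgnored": false,
   "description": "Policy enforcement not set to block attacks"},
  {"ruleId": "9999", "isIgnored": true, "description": "constructed ignored entry"}
]}""")

def resolve_link(link, bigiq_host):
    """Rewrite a returned link to target bigiq_host, refusing unexpected paths."""
    parts = urlsplit(link)
    if parts.scheme != "https" or not parts.path.startswith(API_PREFIX):
        raise ValueError("unexpected reference link: " + link)
    return urlunsplit(("https", bigiq_host, parts.path, "", ""))

def active_suggestions(collection):
    """Return the suggestions the user has not marked as ignored."""
    return [s for s in collection.get("items", []) if not s.get("isIgnored", False)]

def meets_minimum(score, minimum):
    """True when score is at least as good as minimum (A assumed best)."""
    if score not in GRADES or minimum not in GRADES:
        raise ValueError("unknown score value")
    return GRADES.index(score) <= GRADES.index(minimum)

def report(summary, collection, bigiq_host, minimum="B"):
    """Combine the summary and subcollection responses into one report."""
    return {
        "score": summary["score"],
        "passes": meets_minimum(summary["score"], minimum),
        "total": sum(c["count"] for c in summary["categories"]),
        "next_url": resolve_link(summary["suggestionRuleReference"]["link"], bigiq_host),
        "open": [(s["ruleId"], s["description"]) for s in active_suggestions(collection)],
    }
```

Calling `report(SUMMARY, SUGGESTIONS, "bigiq.example.test")` yields the score, whether it meets the minimum grade, the total suggestion count, the URL to request next, and the list of suggestions that are still open.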