Enable and enforce a specific signature in a policy by signatureId

Overview

Describes how you use the REST API to update the attributes of a specific signature in a policy.

Prerequisites

  • Retrieve a policy selfLink using the policy name, as shown in other examples in this chapter.
  • Find the signatureId that needs to be updated. The signatureId is shown in the BIG-IP and BIG-IQ UI and is reported in violation logs.

Description

Perform the REST API actions in the following order:

  1. Perform a GET operation to the policy signatures to validate that the signature is listed within the security policy signatures.
  2. Perform a POST operation with the new attributes to a special URI that updates policy signature attributes.

The following extended example shows each of these REST API actions.

1. Perform a GET operation to the policy signatures to validate that the signature is listed within the security policy signatures.

Perform a GET operation on the signatures sub-collection link with the special parameter ‘filterBySignatureSets’, which limits the results to signatures that are part of the sets defined in the policy. To filter for a specific signature, add the special parameter ‘filterForGlobalSignatures’, which accepts any filter that can be applied to the signatures collection, such as a filter by signatureId. The ‘filterForGlobalSignatures’ parameter can only be used together with the ‘filterBySignatureSets’ parameter. When both parameters are used, the query result is the intersection of the policy signatures that match the sets defined in the policy and the signatures that match the filter specified in the ‘filterForGlobalSignatures’ parameter.

The signatures sub-collection link can be found in the ‘signatureReference’ reference structure (link attribute) in the policy above. The link can also be derived from the policy selfLink: add ‘/signatures’ to the policy selfLink. The same logic applies to all other sub-collections as listed above.

Note - further filtering by ‘enabled’, ‘performStaging’, ‘readyToBeEnforced’ or any other attribute can be accomplished by using the $filter parameter.

To validate that the signature is used in the policy, check that the query that uses ‘filterForGlobalSignatures’ to filter by signatureId returned 1 item in the ‘items’ array of the response. If zero items were returned, the signature is not used in the policy.

GET: https://<BIG-IQ>/mgmt/cm/asm/working-config/policies/<id>/signatures?filterBySignatureSets=true&filterForGlobalSignatures=signatureId eq '200010008'

The following is the JSON response from the GET operation:

{
    "items": [
        {
            "id": "152bcf94-4ab3-3f8b-b524-4648f83249e0",
            "kind": "cm:asm:working-config:policies:signatures:policysignaturestate",
            "name": "\"/config/\" access",
            "enabled": true,
            "selfLink": "https://localhost/mgmt/cm/asm/working-config/policies/a4007022-1c58-33c0-8c47-390914a6c62d/signatures/152bcf94-4ab3-3f8b-b524-4648f83249e0",
            "generation": 1,
            "performStaging": true,
            "lastUpdateMicros": 1605081123371231,
            "readyToBeEnforced": false,
            "signatureReference": {
                "id": "152bcf94-4ab3-3f8b-b524-4648f83249e0",
                "kind": "cm:asm:working-config:signatures:signaturestate",
                "link": "https://localhost/mgmt/cm/asm/working-config/signatures/152bcf94-4ab3-3f8b-b524-4648f83249e0",
                "name": "\"/config/\" access",
                "partition": "Common",
                "signatureId": "200010008"
            }
        }
    ],
    "generation": 2,
    "lastUpdateMicros": 1479388438906235,
    "kind": "cm:asm:working-config:policies:signatures:policysignaturecollectionstate",
    "selfLink": "https://localhost/mgmt/cm/asm/working-config/policies/1005831c-7e40-30ed-bd0d-f8068526d7ef/signatures"
}

2. Perform a POST operation with the new attributes to a special URI that updates policy signature attributes.

Perform a POST operation with the new attributes to a special URI that updates policy signature attributes. The URI is the string “/signatures/update” appended to the policy selfLink. The POST data contains an array of updated signatures. For each element in the ‘updatedSignatures’ array, use the ‘signatureReference’ obtained in step #1, because it acts as the signature identifier. Choose the ‘enabled’ and ‘performStaging’ values as needed.

Note - the example shows one signature in the ‘updatedSignatures’ array, but multiple signatures can be chosen.

Note - starting from BIG-IQ version 8.0.0, a normal PATCH operation performed on the policy-signature selfLink (obtained in step #1) is also supported.

POST: https://<BIG-IQ>/mgmt/cm/asm/working-config/policies/<policy id>/signatures/update
{
   "updatedSignatures":[
      {
         "signatureReference":{
            "link":"https://localhost/mgmt/cm/asm/working-config/signatures/152bcf94-4ab3-3f8b-b524-4648f83249e0"
         },
         "enabled":true,
         "performStaging":true
      }
   ]
}

The following is the JSON response from the POST operation:

{
    "updatedSignatures": [
        {
            "signatureReference": {
                "link": "https://localhost/mgmt/cm/asm/working-config/signatures/152bcf94-4ab3-3f8b-b524-4648f83249e0"
            },
            "enabled": true,
            "performStaging": true
        }
    ]
}
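
Added example (not part of the F5 documentation): the two steps above as Python helpers that build the step 1 query with the filter URL-encoded, confirm that exactly one item was returned for the signatureId, and assemble the step 2 URL and POST body. The function names are hypothetical, sending the requests and authenticating are left out, and the sample data is the response shown above trimmed to the fields used.

```python
import re
from urllib.parse import quote

def lookup_url(policy_self_link, signature_id):
    """Step 1 URL: policy selfLink + '/signatures' with both filter parameters."""
    # Accept digits only so the value cannot alter the filter expression.
    if not re.fullmatch(r"\d+", signature_id):
        raise ValueError("signatureId must be numeric")
    flt = quote(f"signatureId eq '{signature_id}'", safe="")
    return (f"{policy_self_link.rstrip('/')}/signatures"
            f"?filterBySignatureSets=true&filterForGlobalSignatures={flt}")

def signature_link(get_response, signature_id):
    """Return signatureReference.link if the policy uses the signature."""
    items = get_response.get("items", [])
    if len(items) != 1:
        # Zero items means the signature is not used in the policy.
        raise LookupError(f"expected 1 item for {signature_id}, got {len(items)}")
    ref = items[0]["signatureReference"]
    if ref.get("signatureId") != signature_id:
        raise LookupError("returned item is for a different signatureId")
    return ref["link"]

def update_request(policy_self_link, links, enabled=True, perform_staging=True):
    """Step 2: (URL, JSON body) for the '/signatures/update' POST.

    Assumption: perform_staging=False is the value that takes a signature out
    of staging; the page's own example keeps it True.
    """
    body = {"updatedSignatures": [
        {"signatureReference": {"link": link},
         "enabled": enabled, "performStaging": perform_staging}
        for link in links]}
    return f"{policy_self_link.rstrip('/')}/signatures/update", body

# Sample values taken from the GET response shown above (trimmed).
POLICY = ("https://localhost/mgmt/cm/asm/working-config/policies/"
          "a4007022-1c58-33c0-8c47-390914a6c62d")
SAMPLE = {"items": [{"enabled": True, "performStaging": True, "signatureReference": {
    "link": "https://localhost/mgmt/cm/asm/working-config/signatures/"
            "152bcf94-4ab3-3f8b-b524-4648f83249e0",
    "signatureId": "200010008"}}]}

if __name__ == "__main__":
    print(lookup_url(POLICY, "200010008"))
    print(update_request(POLICY, [signature_link(SAMPLE, "200010008")]))
```
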