BIG-IQ ASM Policies¶
Overview¶
API used to create / edit BIG-IQ web application policies in ASM.
Version information¶
Version : 5.2, 5.3, 5.4
URI scheme¶
BasePath : /mgmt/cm/asm/working-config
Schemes : HTTPS
Consumes¶
application/json
Produces¶
application/json
Paths¶
Create a new BIG-IQ web application security policy for ASM.¶
POST /policies
Description¶
Add a new web application security policy.
Parameters¶
| Type | Name | Description | Schema | Default |
|---|---|---|---|---|
| Body | Json string for request body. | Input parameter list in json format. ex. {“name”:”Policy_3”, “partition”:”Common”, “fullPath”:”/Common/Policy_3”, “applicationLanguage”: “utf-8”} required | post_asm_body | None |
Responses¶
| HTTP Code | Description | Schema |
|---|---|---|
| 200 | POST to create a web application security policy. | properties_asm |
| 400 | Error response Bad Request | 400_error_collection |
| 404 | Error response Public URI path not registered. | 404_error_collection |
Used to GET the BIG-IQ web application security policies for ASM.¶
GET /policies
Description¶
Returns all web application security policies as part of a item collection.
Responses¶
| HTTP Code | Description | Schema |
|---|---|---|
| 200 | GET BIG-IQ web application security policies. | properties_asm_collection |
| 400 | Error response Bad Request | 400_error_collection |
| 404 | Error response Public URI path not registered. | 404_error_collection |
Used to GET the BIG-IQ web application policy.¶
GET /policies/{objectId}
Description¶
Returns a web application policy defined by a object id.
Parameters¶
| Type | Name | Description | Schema | Default |
|---|---|---|---|---|
| Path | objectId | Unique id associated with policy. required | string(UUID) | None |
Responses¶
| HTTP Code | Description | Schema |
|---|---|---|
| 200 | BIG-IQ web application policy. | properties_asm |
| 400 | Server error response Bad Request. | 400_error_collection |
| 404 | Error response Public URI path not registered. | 404_error_collection |
Definitions¶
400_error_collection¶
| Name | Description | Schema |
|---|---|---|
| errorStack | Error stack trace returned by java. optional, read-only | string |
| items | Collection if policies. 400 error. optional | < object > array |
| kind | Type information for ASM web application security policies - cm:asm:working-config:policies:policycollectionstate. optional, read-only | string |
| message | Error message returned from server. optional, read-only | string |
| requestBody | The data in the request body. GET (None) optional, read-only | string |
| requestOperationId | Unique id assigned to rest operation. optional, read-only | integer(int64) |
404_error_collection¶
| Name | Description | Schema |
|---|---|---|
| errorStack | Error stack trace returned by java. optional, read-only | string |
| items | Collection of policies. 404 error. optional | < object > array |
| kind | Type information for ASM web application security policies - cm:asm:working-config:policies:policycollectionstate optional, read-only | string |
| message | Error message returned from server. optional, read-only | string |
| requestBody | The data in the request body. GET (None) optional, read-only | string |
| requestOperationId | Unique id assigned to rest operation. optional, read-only | integer(int64) |
post_asm_body¶
| Name | Description | Schema |
|---|---|---|
| applicationLanguage | Character encoding used by BIGIQ to create the policy object. optional ex. utf8 | string |
| fullPath | BIGIP full path which includes partition / policy name. ex. /Common/Policy_3 optional | string |
| name | Name of ASM web application security policy. optional | string |
| partition | BIGIP partition name as to where this policy will reside. default. Common optional | string |
properties_asm¶
| Name | Description | Schema |
|---|---|---|
| allowedResponseCodes | Array of response codes from server. optional | < integer > array |
| applicationLanguage | Character encoding used by BIGIQ to create the policy object. ex. utf8 optional | string |
| attributes | optional | attributes |
| bruteForceAttackPreventionReference | Reference link to brute force attach prevention configuration preventing brute force attacks performed when a hacker tries to log on to a URL numerous times, running many combinations of user names and passwords, until successfully logs on. optional | bruteForceAttackPreventionReference |
| caseInsensitive | Is the ASM web application policy elements case sensitive. True / False optional | boolean |
| characterSetReference | Reference link to character set configuration which lists characters (letters, digits, and symbols) available, and how the security policy responds when that character appears in the value field of an HTTP header in a request, and an uncommon header name. optional | characterSetReference |
| cookieReference | Reference link to cookie configuration which handles the cookies in a list based on the specific cookie type (Enforced/Allowed). optional, read-only | cookieReference |
| createDateTime | Date / Time when web application policy was created. ex. 2016-11-28T20:50:12Z optional | string |
| creatorName | Name of user that created the web application policy. optional | string |
| csrfProtectionReference | Reference link to configured cross site request forgery. Unauthorized user access to authenticated accounts using cross-site request forgery (CSRF) Proerty as defined by the policy. optional | csrfProtectionReference |
| customXffHeaders | Additional HTTP header, the X-Forwarded-For header, to proxy an HTTP request to another server. optional | < string > array |
| dataGuardReference | Reference link to policy data guard configuration which protects sensitive data. If a web server response contains a credit card number, U.S. Social Security number, or pattern that matches a user-defined pattern, then the system responds based on the enforcement mode setting. optional | dataGuardReference |
| description | Description of security policy. optional | string |
| disallowedGeolocationReference | Reference link to configured countries that can access your web application. Property as defined by the policy. optional | disallowedGeolocationReference |
| enforcementMode | Specifies how the system processes a request that triggers a security policy violation. options. Transparent / Blocking optional | string |
| evasionsReference | Reference link to list of evasion technique detected, which is triggered when the BIG-IP ASM system fails to normalize requests. Normalization is the process of decoding requests that are encoded. optional | evasionsReference |
| extractionsReference | Reference link to extraction service configuration which manages how the system extracts dynamic values for dynamic parameters from the responses returned by the web application server. optional | extractionsReference |
| filetypeReference | Reference link to a list allow / disallow file types in the web application that the security policy considers legal. optional | filetypeReference |
| fullPath | Full path containing BIG-IP partition and name of web application security policy. optional ex. /Common/Policy_3 | string |
| generation | optional | string |
| gwtProfileReference | Reference link to gwt configuration used to protect web applications created by google web toolkit (gwt). Google Web Toolkit (GWT) is a Java framework that is used to create AJAX applications. When you add GWT enforcement to a security policy, the Security Enforcer can detect malformed GWT data, request payloads and parameter values. optional | gwtProfileReference |
| hasParent | Does this policy contain a parent to inherit configuration. True / False optional | boolean |
| headerReference | Reference link to policy header configuration. Each parameter can perform normalization and attack signature checks on HTTP headers. optional | headerReference |
| hostNameReference | Reference link to a list of allow / disallow host name that are used to access the web application that this security policy protects. optional | hostNameReference |
| httpProtocolsReference | Reference link to a http protocol compliance option which are validation checks that are performed on HTTP requests to ensure the requests are properly formatted. optional | httpProtocolsReference |
| id | Unique id associated with security policy. optional | string |
| ipIntelligenceReference | Reference link to configured ASM ip intelligence functions, such as log and block requests from source IP addresses that, according to an IP Address Intelligence database, have a bad reputation. optional | ipIntelligenceReference |
| jsonProfileReference | Reference link to json profiles which defines what the security policy enforces and considers legal when it detects traffic that contains JSON data. optional | jsonProfileReference |
| kind | Type information for security policy. cm:asm:working-config:policies:policystate. optional | string |
| lastUpdateMicros | Update time (micros) for last change made to a security policy object. time. optional | string |
| learningMode | ASM will attempt to adapt to changing patterms in learning mode. options Automatic makes suggestions, and enforces most suggestions after sufficient traffic over a period of time, Manual. The system examines traffic and makes suggestions on what to add to the policy. You manually examine the changes and accept, delete, or ignore the suggestions. Disabled. The system does not do any learning for the security policy, and makes no suggestions. | string |
| loginEnforcementReference | Reference link to login enforcement configuration which will allow a user to create or edit the properties of authenticated URLs. Authenticated URLs are URLs that become accessible to users only after they successfully log in to the login URL. optional | loginEnforcementReference |
| loginPageReference | Reference link to session login page configuration used to protect restricted parts of the web application by forcing users to pass through the login page before viewing the restricted (authenticated) URL. optional | loginPageReference |
| methodReference | Reference link to configured ASM methods. Allowable - GET, POST and HEAD. Methods settings are used to specify the HTTP methods that are acceptable within the context of the web application and to specify whether the method should act as the GET method or as the POST method. optional | methodReference |
| modifierName | ASM policy modifiers from the custom syntax. optional | string |
| name | Name of security policy. | string |
| parameterReference | Reference link to configured ASM parameters that the policy permits, such as attack signature check, perform staging and enable regular expressions and other pieces of information within a web application. optional | parameterReference |
| partition | The BIG-IP partition which this policy lives. optional | string |
| plainTextProfileReference | Reference link to plain text content profile that defines the properties that a security policy enforces for unstructured text content, such as those used in websocket messages. optional | plainTextProfileReference |
| policyBuilderReference | Reference link to policy builder configuration which provides functions such as traffic learning and enforcement readiness. optional | policyBuilderReference |
| protocolIndependent | Does the user want to allow for protocol independent URLs? True / False optional | boolean |
| redirectionProtectionReference | Reference link to redirection protection configuration to prevent open redirect vulnerability where the server tries to redirect the user to a target domain that is not defined in the security policy. The server redirects a user to a different web application, without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. optional | redirectionProtectionReference |
| responsePageReference | Reference link to policy response page configuration, where the user can edit the default response page, the login response page, the XML response page, the AJAX blocking response page, and the AJAX login response page for a web application. optional | responsePageReference |
| sectionReference | Reference link to a list of each ASC property sections. Such as evasion techniques, policy-building, websocket protocol, general settings etc. optional | sectionReference |
| selfLink | Reference link to security policy object. optional | string |
| sensitiveParameterReference | Reference link to sensitive parameter configuration used to protect sensitive user input, such as a password or a credit card number, in a validated request. optional | sensitiveParameterReference |
| sessionTrackingReference | Reference link to configured ASM session tracking to track, enforce, and report on user sessions and IP addresses. optional | sessionTrackingReference |
| signatureReference | Reference link to configured attach signitures. Property as defined by the policy. optional | signatureReference |
| signatureSetReference | Reference link to signature sets used by ASM to mitigate attack. Attack signatures belong to signature sets assigned to the security policy. A user can enable or disable security policy attack signatures. optional | signatureSetReference |
| stagingSettings | Staging allows you to test the policy entities and the attack signatures for false positives without enforcing them. optional | stagingSettings |
| trustXff | Trust flag for XFF HTTP request header. optional | boolean |
| type | This is a descripive type of policy. optional ex. security | string |
| urlReference | Reference link to policy url configuration which will match URLs, or URLs specified string to manage the flow allow / disallow. optional | urlReference |
| versionDatetime | Date time of provisioned security policy. optional | string |
| versionDeviceName | Security Policy name as represented by version of BIGIP. optional | string |
| versionLastChange | Operation of last change to a security policy represented. optional | string |
| versionPolicyName | Partition and security policy full path. optional | string |
| violationsReference | Reference link to a list of violations that occur when some aspect of a request or response does not comply with the security policy for a web application. optional | violationsReference |
| webScrapingReference | Reference link to policy web scraping configuation detection such as prevent web data extraction by detecting session anomalies in web application usage. optional | webScrapingReference |
| webServicesSecurityReference | Reference link to a web service with will verify XML format, and validate XML document integrity against a WSDL or XSD file. The security policy can also handle encryption and decryption for web services. optional | webServicesSecurityReference |
| websocketUrlReference | Reference link to web socket url list used to simplifies and speeds up communication between clients and servers. optional | websocketUrlReference |
| whitelistIpReference | Reference link to configured white list ip list used to identify source IP addresses for the system to consider safe even if it found in the IP Address Intelligence database. optional | whitelistIpReference |
| xmlProfileReference | Reference link to policy xml profile configuration. An XML profile is a set of content definitions that determine whether the system allows or disallows requests that contain XML. optional | xmlProfileReference |
| xmlValidationFileReference | Reference link to xml validation configuration used to enforce or validate xml content for web application. optional | xmlValidationFileReference |
attributes
| Name | Description | Schema |
|---|---|---|
| inspectHttpUploads | Flag to enable inspection of all http uploads. default false optional | boolean |
| maskCreditCardNumbersInRequest | If enabled, the system masks credit card numbers. If disabled (cleared), the system does not mask credit card numbers. optional | boolean |
| maximumCookieHeaderLength | 0<= number<=8192 default. 8192 | string |
| maximumHttpHeaderLength | Maximum length of an HTTP header name and value that the system processes. The default setting is 8192 bytes. The system calculates and enforces the HTTP header length based on the sum of the length of the HTTP header name and value. optional | string |
| pathParameterHandling | Specifies how the system handles path parameters that are attached to path segments in URIs. options. as parameter, as url, ignore. optional | string |
| triggerAsmIruleEvent | Enable irule event. List of values. disabled, enabled-compatibility, enabled-normal. optional | string |
| useDynamicSessionIdInUrl | Specifies how the security policy processes URLs that use dynamic sessions. options. disabled, default pattern, custom pattern. optional | boolean |
bruteForceAttackPreventionReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
characterSetReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
cookieReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
csrfProtectionReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
dataGuardReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
disallowedGeolocationReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
evasionsReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
extractionsReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
filetypeReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
gwtProfileReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
headerReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
hostNameReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
httpProtocolsReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
ipIntelligenceReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
jsonProfileReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
loginEnforcementReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
loginPageReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
methodReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
parameterReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
plainTextProfileReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
policyBuilderReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
redirectionProtectionReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
responsePageReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
sectionReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
sensitiveParameterReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
sessionTrackingReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
signatureReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
signatureSetReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
stagingSettings
| Name | Description | Schema |
|---|---|---|
| enforcementReadinessPeriod | Period in days both security policy entities and attack signatures remain in staging mode before the system suggests you enforce them. optional | integer |
| placeSignaturesInStaging | Signature staging - the system places new or updated signatures in staging for the number of days specified in the enforcement readiness period. optional | boolean |
| signatureStaging | Signature staging is supported on the security policy. True / False optional | boolean |
urlReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to url asm signature. optional | string |
violationsReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
webScrapingReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
webServicesSecurityReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
websocketUrlReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
whitelistIpReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
xmlProfileReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
xmlValidationFileReference
| Name | Description | Schema |
|---|---|---|
| isSubcollection | Is a subcollection (True/False) optional | boolean |
| link | Reference link to asm signature. optional | string |
properties_asm_collection¶
| Name | Description | Schema |
|---|---|---|
| generation | A integer that will track change made to a ASM web application security policy collection object. generation. optional, read-only | integer(int64) |
| items | Collection if asm signatures. | < object > array |
| kind | Type information for a ASM web application security policy collection object - cm:asm:working-config:policies:policycollectionstate. optional, read-only | string |
| lastUpdateMicros | Update time (micros) for last change made to an ASM web application security policy collection object. time. optional, read-only | integer(int64) |
| selfLink | A reference link URI to a ASM web application security policy collection object. optional, read-only | string |