Application Security

This section contains declarations that aim to secure your deployment.

Important

Most of the example declarations in the documentation have been updated for AS3 3.20 to remove any template that was specified, and to rename any virtual services that used the name serviceMain to service. In AS3 3.20 the generic template is the default, which allows services to use any name.

This also means that many of these declarations will fail on an AS3 version prior to 3.20 unless you add a template. See this FAQ entry and this Troubleshooting entry for more information.

1: Virtual service referencing an existing security policy

This example creates an HTTP service, and attaches an existing Web Application Firewall (WAF) security policy created with the BIG-IP Application Security Manager (ASM) module. See the BIG-IP ASM Implementations Guide for information on configuring security policies.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_app_sec_01.
  • A virtual server named service.
  • A pool named Pool1 monitored by the default http health monitor.
  • An LTM policy named _WAF__HTTP_Service which references the existing ASM policy named test-policy.
{
  "class": "ADC",
  "schemaVersion": "3.0.0",
  "id": "5489432",
  "label": "ASM_policy_existing",
  "remark": "ASM_policy_existing",
  "Sample_app_sec_01": {
    "class": "Tenant",
    "HTTP_Service": {
      "class": "Application",
      "service": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "192.0.10.107"
        ],
        "snat": "auto",
        "pool": "Pool1",
        "policyWAF": {
          "bigip": "/Common/test-policy"
        }
      },
      "Pool1": {
        "class": "Pool",
        "monitors": [
          "http"
        ],
        "members": [
          {
            "servicePort": 8001,
            "serverAddresses": [
              "10.10.10.143"
            ]
          },
          {
            "servicePort": 8002,
            "serverAddresses": [
              "10.10.10.144"
            ]
          }
        ]
      }
    }
  }
}

2: Virtual service referencing an external security policy

This example creates an HTTP service, and attaches a Web Application Firewall (WAF) security policy hosted in an external location. See the BIG-IP ASM Implementations Guide for information on configuring security policies, and the Exporting ASM Policies chapter for information on exporting policies.

Note that the URL in the following declaration does not resolve; you must use a valid URL where you have uploaded the ASM policy you exported from a BIG-IP system.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_app_sec_02.
  • A virtual server named service.
  • A pool named Pool1 monitored by the default http health monitor.
  • An LTM policy named _WAF__HTTP_Service which references the external ASM policy via URL.
{
  "class": "ADC",
  "schemaVersion": "3.2.0",
  "id": "5489432",
  "label": "ASM_policy_external_URL",
  "remark": "ASM_policy_external_URL",
  "Sample_app_sec_02": {
    "class": "Tenant",
    "HTTP_Service": {
      "class": "Application",
      "service": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "192.0.10.107"
        ],
        "snat": "auto",
        "pool": "Pool1",
        "policyWAF": {
          "use": "My_ASM_Policy"
        }
      },
      "Pool1": {
        "class": "Pool",
        "monitors": [
          "http"
        ],
        "members": [
          {
            "servicePort": 8001,
            "serverAddresses": [
              "10.10.10.143"
            ]
          },
          {
            "servicePort": 8002,
            "serverAddresses": [
              "10.10.10.144"
            ]
          }
        ]
      },
      "My_ASM_Policy": {
        "class": "WAF_Policy",
        "url": "https://example.com/asm-policy.xml",
        "ignoreChanges": true
      }
    }
  }
}

3: Endpoint policy with default rule to disable WAF

This example shows an Endpoint policy that includes two rules, one that attempts to match a URI and then enables the WAF policy, and a default rule to disable the Web Application Firewall (WAF) if the first doesn’t match. See the Schema Reference for usage options and information on Endpoint policies. You can also see this page for example policy declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_app_sec_03.
  • A virtual service named testItem that references an Endpoint policy named endpointPolicy.
  • Two rules, one to enable the WAF and the other to disable it.
  • A WAF policy named wafPolicy which references an external policy (via URL).
{
  "class": "ADC",
  "schemaVersion": "3.7.0",
  "id": "Service_HTTP",
  "Sample_app_sec_03": {
      "class": "Tenant",
      "Application": {
          "class": "Application",
          "testItem": {
              "class": "Service_HTTP",
              "policyEndpoint": "endpointPolicy",
              "virtualAddresses": ["10.1.40.50"]
          },
          "endpointPolicy": {
              "class": "Endpoint_Policy",
              "rules": [
                  {
                    "name": "enableWAF",
                        "conditions": [{
                            "type": "httpUri",
                            "path": {
                                "values": ["example.com"]
                            }
                        }
                    ],
                    "actions": [{
                            "type": "waf",
                            "policy": {
                                "use": "wafPolicy"
                            }
                        }
                    ]
                  },
                  {
                    "name": "disableWAF",
                    "conditions": [],
                    "actions": [{
                            "type": "waf"
                        }
                    ]
                  }
              ]
          },
          "wafPolicy": {
              "class": "WAF_Policy",
              "url": "http://example.com/orchestration-as3-test/resources/asm_policy/policy.xml",
              "ignoreChanges": true
          }
      }
   }
}

4: Endpoint policy with SSL SNI Match conditions and HTTP action

This example shows an Endpoint policy that includes SSL SNI Match conditions (sslExtension) and the ability to use HTTP actions in a declaration. The SSL extension property inspects SSL extensions being negotiated during the HELLO phase. See Policy_Condition and Policy_Condition_SSL_extension_HTTP in the Schema Reference for usage and options. The HTTP actions property provides the ability to enable or disable the BIG-IP system’s HTTP filter processing. See Policy_Action_HTTP in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_app_sec_04.
  • An Endpoint policy named test1.
  • An Endpoint policy rule (sni0) which, if during the SSL client HELLO the server name (test1.com) is in the SSL extension, will forward to an existing pool (sni1) on the BIG-IP (with HTTP actions set to false).
  • A second rule (sni1) which, if during the SSL client HELLO the server name (test2.com) is in the SSL extension, will forward to an existing pool (sni2) on the BIG-IP (with HTTP actions set to false).
  • A default rule that drops the request if neither of the other two rules matches.
{
    "class": "ADC",
    "schemaVersion": "3.8.0",
    "id": "Endpoint_Policy",
    "Sample_app_sec_04": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "test1": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "sni0",
                        "actions": [
                            {
                                "type": "forward",
                                "select": {
                                    "pool": {
                                        "bigip": "/Common/sni1"
                                    }
                                }
                            },
                            {
                                "type": "http",
                                "enabled": false
                            }
                        ],
                        "conditions": [
                            {
                                "type": "sslExtension",
                                "event": "ssl-client-hello",
                                "serverName": {
                                    "operand": "equals",
                                    "values": [
                                        "test1.com"
                                    ]
                                }
                            }
                        ]
                    },
                    {
                        "name": "sni1",
                        "actions": [
                            {
                                "type": "forward",
                                "select": {
                                    "pool": {
                                        "bigip": "/Common/sni2"
                                    }
                                }
                            },
                            {
                                "type": "http",
                                "enabled": false
                            }
                        ],
                        "conditions": [
                            {
                                "type": "sslExtension",
                                "event": "ssl-client-hello",
                                "serverName": {
                                    "operand": "equals",
                                    "values": [
                                        "test2.com"
                                    ]
                                }
                            }
                        ]
                    },
                    {
                        "name": "default",
                        "actions": [
                            {
                                "type": "drop",
                                "event": "request"
                            }
                        ]
                    }
                ]
            }
        }
    }
}

5: Using a Security log profile with Application Security

This example shows how you can use a BIG-IP ASM Security Logging profile with application security in a declaration (you must have ASM licensed and provisioned to use this profile). Logging profiles determine where events are logged, and which items (such as which parts of requests, or which type of errors) are logged. For more information on ASM logging profiles, see ASM Logging Profiles, and Security Log Profile class in the Schema Reference for AS3 usage options and information.

There are two declarations in this example, one that uses local storage for the logs, and one that uses remote storage.

Local storage

This declaration creates a security log profile that uses local storage (the remote storage example follows below). This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Security_Log_local.
  • A Security Log Profile named secLogLocal with Application Security enabled which stores logs locally.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "Security_Log_Profile_local",
    "Security_Log_local": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "secLogLocal": {
                "class": "Security_Log_Profile",
                "application": {
                    "storageFilter": {
                        "logicalOperation": "and",
                        "requestType": "all",
                        "responseCodes": [
                            "100",
                            "200",
                            "300",
                            "400"
                        ],
                        "protocols": [
                            "https",
                            "ws"
                        ],
                        "httpMethods": [
                            "ACL",
                            "GET",
                            "POLL",
                            "POST"
                        ],
                        "requestContains": {
                            "searchIn": "search-in-headers",
                            "value": "The header string to search for"
                        },
                        "loginResults": [
                            "login-result-successful",
                            "login-result-failed"
                        ]
                    },
                    "guaranteeLoggingEnabled": true,
                    "guaranteeResponseLoggingEnabled": true,
                    "maxHeaderSize": 200,
                    "maxQuerySize": 1040,
                    "maxRequestSize": 900,
                    "responseLogging": "all"
                }
            }
        }
    }
}

Remote storage

This declaration creates a security log profile that uses remote storage (the local storage example is above). This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Security_Log_Remote.
  • A Security Log Profile named secLogRemote with Application Security enabled, which sends logs to a remote logging server on port 9876.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "Security_Log_Profile",
    "Security_Log_Remote": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "secLogRemote": {
                "class": "Security_Log_Profile",
                "application": {
                    "facility": "local3",
                    "storageFilter": {
                        "requestType": "illegal-including-staged-signatures",
                        "responseCodes": [
                            "404",
                            "201"
                        ],
                        "protocols": [
                            "http"
                        ],
                        "httpMethods": [
                            "PATCH",
                            "DELETE"
                        ],
                        "requestContains": {
                            "searchIn": "search-in-request",
                            "value": "The new value"
                        },
                        "loginResults": [
                            "login-result-unknown"
                        ]
                    },
                    "storageFormat": {
                        "fields": [
                            "attack_type",
                            "avr_id",
                            "headers",
                            "is_truncated"
                        ],
                        "delimiter": "."
                    },
                    "localStorage": false,
                    "maxEntryLength": "10k",
                    "protocol": "udp",
                    "remoteStorage": "remote",
                    "reportAnomaliesEnabled": true,
                    "servers": [
                        {
                            "address": "9.8.7.6",
                            "port": "9876"
                        }
                    ]
                }
            }
        }
    }
}

6: Using Persist Actions in an Endpoint Policy

This example shows an Endpoint policy that includes Persist actions in a declaration. The Persist actions give you control over how connections are persisted. You can use the following Persist actions: carp, cookie-insert, cookie-rewrite, disable, source-address, cookie-hash, cookie-passive, destination-address, hash, and universal (the example declaration includes an example of each of these except disable). See Policy Action Persist in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_Endpoint_Policy.
  • An Endpoint policy named testPolicy.
  • An Endpoint policy rule with examples of each Persist action.
{
    "class": "ADC",
    "schemaVersion": "3.11.0",
    "id": "Endpoint_Policy",
    "Example_Endpoint_Policy": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "testPolicy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "rule",
                        "conditions": [],
                        "actions": [
                            {
                                "type": "persist",
                                "event": "request",
                                "sourceAddress": {
                                    "netmask": "255.255.255.255",
                                    "timeout": 60
                                }
                            },
                            {
                                "type": "persist",
                                "event": "request",
                                "destinationAddress": {
                                    "netmask": "255.255.255.255",
                                    "timeout": 60
                                }
                            },
                            {
                                "type": "persist",
                                "event": "request",
                                "cookieInsert": {
                                    "name": "foo_bar",
                                    "expiry": "1d01:01:01"
                                }
                            },
                            {
                                "type": "persist",
                                "event": "request",
                                "cookieRewrite": {
                                    "name": "bar_foo",
                                    "expiry": "2d02:02:02"
                                }
                            },
                            {
                                "type": "persist",
                                "event": "request",
                                "cookiePassive": {
                                    "name": "theFooBaring"
                                }
                            },
                            {
                                "type": "persist",
                                "event": "request",
                                "cookieHash": {
                                    "name": "leFooBar",
                                    "offset": 5,
                                    "length": 50,
                                    "timeout": 60
                                }
                            },
                            {
                                "type": "persist",
                                "event": "request",
                                "universal": {
                                    "key": "insertFooBar",
                                    "timeout": 65
                                }
                            },
                            {
                                "type": "persist",
                                "event": "request",
                                "hash": {
                                    "key": "hashFooBar",
                                    "timeout": 55
                                }
                            },
                            {
                                "type": "persist",
                                "event": "request",
                                "carp": {
                                    "key": "carpFooBar",
                                    "timeout": 50
                                }
                            }
                        ]
                    }
                ]
            }
        }
    }
}

7: Changing the enforcement mode of a WAF policy retrieved from a URL

This example shows how you can change the enforcement mode of a WAF policy that was retrieved from a URL. This declaration uses the enforcementMode property of the WAF_Policy class, which overrides the enforcement mode that is set in the policy itself.

This can be useful when you want to change the enforcement mode, but do not want to (or cannot) modify the WAF Policy. See WAF_Policy in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_WAF_Policy.
  • A WAF policy named exampleWAF, which pulls the policy from a URL.
  • The enforcement mode of the policy is set to transparent, which overrides the setting in the policy itself.
{
    "class": "ADC",
    "schemaVersion": "3.13.0",
    "Example_WAF_Policy": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "exampleWAF": {
                "class": "WAF_Policy",
                "url": "https://example.com/files/wordpress_template_12.0.xml",
                "ignoreChanges": false,
                "enforcementMode": "transparent"
            }
        }
    }
}

8: Using an Anti-Fraud (FPS) profile in a declaration

This example shows how you can use an Anti-Fraud profile (part of Fraud Protection Services (FPS)) that already exists on your BIG-IP system in an AS3 declaration. The Anti-Fraud profile includes logging settings that enable reporting of login attempts to third party platforms such as Splunk. See the Web Fraud protection page on F5.com for information about Fraud Protection Services.

See Pointer_FPS in the Schema Reference for usage options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_FPS.
  • A virtual service named FPSvs that references an existing anti-fraud profile on the BIG-IP system.
{
    "class": "ADC",
    "schemaVersion": "3.13.0",
    "id": "Service_HTTP",
    "Example_FPS": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "FPSvs": {
                "class": "Service_HTTP",
                "virtualPort": 100,
                "virtualAddresses": [
                    "10.10.20.20"
                ],
                "profileFPS": {
                    "bigip": "/Common/antifraud"
                }
            }
        }
    }
}

9: Defining server technologies in a WAF policy

This example shows how you can define server technologies (such as Java Servlets or Apache Struts) for a WAF policy in an AS3 declaration. This allows you to assign signatures that specifically apply to the technologies used in the application being protected.

For more information on WAF server technologies, see Adding Server Technologies to a Policy in the ASM manual. See WAF_Policy in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_WAF_Policy.
  • A WAF policy named exampleWAF, which pulls the policy from a URL.
  • The enforcement mode of the policy is set to transparent, which overrides the setting in the policy itself.
  • Two server technologies attached to the policy, Java Servlets/JSP and Apache Struts.
{
    "class": "ADC",
    "schemaVersion": "3.16.0",
    "Example_WAF_Policy": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "exampleWAF": {
                "class": "WAF_Policy",
                "url": "https://example.com/files/wordpress_template_12.0.xml",
                "ignoreChanges": false,
                "enforcementMode": "transparent",
                "serverTechnologies": [
                    "Java Servlets/JSP",
                    "Apache Struts"
                ]
            }
        }
    }
}

10: Disabling an attack signature in a WAF policy

This example shows how you can disable one or more attack signatures in a WAF policy that is referenced via a URL. This can be useful if you have an established WAF policy and do not want to modify it, but want to disable specific signatures for a particular virtual service.

For more information on attack signatures, see Managing BIG-IP ASM attack signatures. See WAF_Policy in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_WAF_Sig_Disable.
  • A WAF policy named exampleWAF, which pulls the policy from a URL.
  • The enforcement mode of the policy is set to transparent, which overrides the setting in the policy itself.
  • Two disabled attack signature IDs.
{
    "class": "ADC",
    "schemaVersion": "3.16.0",
    "Example_WAF_Sig_Disable": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "exampleWAF": {
                "class": "WAF_Policy",
                "url": "https://example.com/files/wordpress_template_12.0.xml",
                "ignoreChanges": false,
                "enforcementMode": "transparent",
                "disabledSignatures": [
                    200000001,
                    200000002
                ]
            }
        }
    }
}

11: Using negative string conditions in Endpoint policies

This example shows how you can use negative string conditions (such as "is not" or "does not contain") in Endpoint policies (Local Traffic (LTM) policies on the BIG-IP). Negative operands have long been available when configuring policies directly on the BIG-IP, and were added to AS3 in 3.17.0. For more information, see Local Traffic Policies in the BIG-IP documentation.

This declaration also shows the use pointer for the Endpoint policy (policyEndpoint referencing a policy defined in the same declaration), also introduced in AS3 3.17.0.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_negative_op.
  • A virtual service named EP_Virtual which references the Endpoint (Local Traffic) policy, as well as a pool and TLS certificate.
  • An Endpoint policy named test_EP, which contains rules with negative operands.
  • A Client SSL profile (TLS_Server in AS3) with a certificate and key.
  • A pool named web_pool with two members monitored by the default HTTP monitor.
{
    "class": "ADC",
    "schemaVersion": "3.17.0",
    "id": "Endpoint_Policy",
    "Example_negative_op": {
        "class": "Tenant",
        "Application1": {
            "class": "Application",
            "EP_Virtual": {
                "class": "Service_HTTPS",
                "virtualAddresses": [
                    "10.0.9.10"
                ],
                "virtualPort": 443,
                "pool": "web_pool",
                "serverTLS": "webtls",
                "policyEndpoint": {
                    "use": "test_EP"
                }
            },
            "test_EP": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "rule1",
                        "actions": [],
                        "conditions": [
                            {
                                "type": "sslExtension",
                                "event": "ssl-client-hello",
                                "serverName": {
                                    "operand": "does-not-contain",
                                    "values": [
                                        "test1.com"
                                    ]
                                }
                            }, {
                                "type": "httpUri",
                                "unnamedQueryParameter": {
                                    "operand": "does-not-equal",
                                    "values": [
                                        "13"
                                    ]
                                },
                                "index": 1
                            },
                            {
                                "type": "httpUri",
                                "path": {
                                    "operand": "does-not-end-with",
                                    "values": [
                                        "/"
                                    ]
                                }
                            },
                            {
                                "type": "httpUri",
                                "host": {
                                    "operand": "does-not-start-with",
                                    "values": [
                                        "site.com"
                                    ]
                                }
                            }
                        ]
                    },
                    {
                        "name": "default",
                        "actions": [
                            {
                                "type": "drop",
                                "event": "request"
                            }
                        ]
                    }
                ]
            },
            "webtls": {
                "class": "TLS_Server",
                "certificates": [{
                    "certificate": "webcert"
                }]
            },
            "webcert": {
                "class": "Certificate",
                "remark": "in practice we recommend using a passphrase",
                "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
                "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
                "passphrase": {
                    "ciphertext": "ZjVmNQ==",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
                }
            },
            "web_pool": {
                "class": "Pool",
                "monitors": [
                    "http"
                ],
                "members": [{
                    "servicePort": 80,
                    "serverAddresses": [
                        "192.0.9.10",
                        "192.0.9.11"
                    ]
                }]
            }
        }
    }
}

12: Adding Basic Auth when retrieving a WAF policy from a URL

This example shows how you can add Basic Authentication when referencing a remote object, such as a WAF policy, from a URL in an AS3 declaration. This lets you reference a URL that is protected by Basic Authentication, which was not possible in AS3 versions prior to 3.18.

Note

Currently only Basic Authentication is supported, other authentication methods may be added in future releases.

In this example, we are referencing a WAF policy that exists on a BIG-IQ device that is protected by Basic Auth.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_WAF_Policy.
  • An Application named Example_App.
  • A WAF policy named exampleWAF that is retrieved from a URL located on a BIG-IQ behind Basic Authentication.
{
    "class": "ADC",
    "schemaVersion": "3.18.0",
    "Example_WAF_Policy": {
        "class": "Tenant",
        "Example_App": {
            "class": "Application",
            "exampleWAF": {
                "class": "WAF_Policy",
                "url": {
                    "url": "https://bigiq.example.com/mgmt/cm/asm/policy-files/download/0da5cae6-f106-3790-a72c-c58fb6b7a512/13.1.0",
                    "authentication": {
                        "method": "basic",
                        "username": "testUser",
                        "passphrase": {
                            "ciphertext": "ZjVmNQ==",
                            "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
                        }
                    }
                },
                "ignoreChanges": false,
                "enforcementMode": "transparent"
            }
        }
    }
}
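To show what the passphrase object in this declaration actually carries, here is an added Python example (not from the AS3 documentation or the AS3 project): it decodes the protected header and ciphertext used above, rebuilds the same object from a plaintext secret, and lists every passphrase in a declaration whose header says enc "none", meaning the secret is only base64-encoded wherever the declaration is stored or logged. The function names are mine.

```python
import base64
import json

# Constructed sample: the passphrase object exactly as it appears in the declaration above.
PASSPHRASE = {"ciphertext": "ZjVmNQ==",
              "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"}


def b64url_decode(s):
    """JOSE headers are base64url without padding; restore the padding first."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_passphrase(obj):
    """Return (header, secret) when the protected header says the ciphertext is not encrypted."""
    header = json.loads(b64url_decode(obj["protected"]))
    if header.get("enc") != "none":
        raise ValueError("ciphertext is encrypted; it cannot be decoded offline")
    return header, base64.b64decode(obj["ciphertext"]).decode()


def encode_passphrase(secret):
    """Build the base64-only passphrase object in the form the declaration above uses."""
    header = json.dumps({"alg": "dir", "enc": "none"}, separators=(",", ":")).encode()
    return {
        "ciphertext": base64.b64encode(secret.encode()).decode(),
        "protected": base64.urlsafe_b64encode(header).decode().rstrip("="),
    }


def find_base64_secrets(declaration):
    """JSON-pointer paths of every passphrase whose header is enc "none": such values are
    only base64-encoded, so anyone who can read the declaration can read the secret."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            if "ciphertext" in node and "protected" in node:
                if json.loads(b64url_decode(node["protected"])).get("enc") == "none":
                    found.append(path)
            for key, val in node.items():
                walk(val, f"{path}/{key}")
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, f"{path}/{i}")

    walk(declaration, "")
    return found
```

Running find_base64_secrets over a declaration before it is committed to source control tells you which credentials in it are readable by anyone with access to the file.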


13: Configuring the status code used during a redirect with an endpoint policy

This example shows how you can use AS3 to configure the HTTP status code of an LTM endpoint policy redirect on BIG-IP (TMOS) versions 14.0 and later.

See Policy_Action in the Schema Reference for AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named AS3_Tenant.
  • An Application named AS3_Application.
  • An endpoint policy named test_EP which includes a rule with an HTTP redirect action and an HTTP status code of 300.
{
    "class": "ADC",
    "schemaVersion": "3.20.0",
    "id": "Endpoint_Policy",
    "AS3_Tenant": {
        "class": "Tenant",
        "AS3_Application": {
            "class": "Application",
            "test_EP": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "default",
                        "actions": [
                            {
                                "type": "httpRedirect",
                                "event": "request",
                                "location": "http://localhost",
                                "code": 300
                            }
                        ]
                    }
                ]
            }
        }
    }
}

Back to top

14: Using TCP address and port conditions in an endpoint policy

This example shows how you can use TCP address and port conditions in an LTM Endpoint Policy. For more information on LTM Endpoint Policies, see Local Traffic Policies in the BIG-IP documentation.

See Policy_Condition_TCP in the Schema Reference for AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named AS3_Tenant.
  • An Application named AS3_Application.
  • A data group named ipDataGroup.
  • An endpoint policy named myPolicy which includes a rule with multiple TCP conditions.
{
    "class": "ADC",
    "schemaVersion": "3.20.0",
    "id": "Endpoint_Policy",
    "AS3_Tenant": {
        "class": "Tenant",
        "AS3_Application": {
            "class": "Application",
            "ipDataGroup": {
                "class": "Data_Group",
                "remark": "description",
                "keyDataType": "ip",
                "records": [
                    {
                        "key": "10.10.1.1"
                    }
                ]
            },
            "myPolicy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "default",
                        "conditions": [
                            {
                                "type": "tcp",
                                "address": {
                                    "values": [
                                        "10.10.10.10"
                                    ]
                                }
                            },
                            {
                                "type": "tcp",
                                "port": {
                                    "values": [
                                        8080
                                    ]
                                }
                            },
                            {
                                "type": "tcp",
                                "address": {
                                    "datagroup": {
                                        "bigip": "/Common/private_net"
                                    }
                                }
                            },
                            {
                                "type": "tcp",
                                "address": {
                                    "operand": "does-not-match",
                                    "datagroup": {
                                        "use": "/AS3_Tenant/AS3_Application/ipDataGroup"
                                    }
                                }
                            }
                        ]
                    }
                ]
            }
        }
    }
}
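As an added example (not from the AS3 documentation or the AS3 project), the Python below evaluates the rule above against a sample client address and port the way LTM does: every condition in a rule must match, an address condition matches either a literal value or a record of the referenced data group, and "does-not-match" inverts the result. The records for /Common/private_net are constructed, since that data group already exists on the BIG-IP and is not in the declaration; the function names are mine.

```python
import ipaddress
import json

# Constructed for this example: the single rule from the myPolicy declaration above.
RULE = json.loads("""{
  "name": "default",
  "conditions": [
    {"type": "tcp", "address": {"values": ["10.10.10.10"]}},
    {"type": "tcp", "port": {"values": [8080]}},
    {"type": "tcp", "address": {"datagroup": {"bigip": "/Common/private_net"}}},
    {"type": "tcp", "address": {"operand": "does-not-match",
       "datagroup": {"use": "/AS3_Tenant/AS3_Application/ipDataGroup"}}}
  ]
}""")

# Data-group records keyed by the pointer a condition uses. The "use" entry is the
# ipDataGroup record from the declaration; /Common/private_net lives on the BIG-IP
# outside the declaration, so its records are constructed here (assumption).
DATA_GROUPS = {
    "/AS3_Tenant/AS3_Application/ipDataGroup": ["10.10.1.1"],
    "/Common/private_net": ["10.0.0.0/8", "192.168.0.0/16"],
}


def in_datagroup(addr, records):
    """True if addr falls in any record; ip data groups hold hosts or CIDR blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in records)


def condition_matches(cond, addr, port):
    """Evaluate one Policy_Condition_TCP (address or port form) for a client."""
    if "address" in cond:
        spec = cond["address"]
        if "values" in spec:
            hit = addr in spec["values"]
        else:
            ref = spec["datagroup"]
            hit = in_datagroup(addr, DATA_GROUPS[ref.get("use") or ref.get("bigip")])
    else:
        spec = cond["port"]
        hit = port in spec["values"]
    # "does-not-match" inverts the comparison; the default operand is "matches"
    return not hit if spec.get("operand") == "does-not-match" else hit


def rule_matches(rule, addr, port):
    """A rule fires only when every one of its conditions matches (logical AND)."""
    return all(condition_matches(c, addr, port) for c in rule["conditions"])
```

Note that the first condition pins the rule to a single client address, so as written it only fires for 10.10.10.10 on port 8080; change the sample inputs to see which condition rejects other clients.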
