Application Security

This section contains declarations that aim to secure your deployment.

Use the index on the right to locate specific examples.

Important

Most of the example declarations have been updated in the documentation for BIG-IP AS3 3.20 to remove any template that was specified, and rename any virtual services that used the name serviceMain to service. In BIG-IP AS3 3.20, the generic template is the default, which allows services to use any name.

This also means that many of these declarations on a version prior to 3.20 they will fail unless you add a template. See this FAQ entry and this Troubleshooting entry for more information.

New in BIG-IP AS3 3.34
BIG-IP AS3 3.34 added support for the proxy-request event on the following Endpoint Policy items.

Virtual service referencing an existing security policy

This example creates an HTTP service, and attaches an existing Web Application Firewall (WAF) security policy created with the BIG-IP Application Security Manager (ASM) module. See the BIG-IP ASM Implementations Guide for information on configuring security policies.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_app_sec_01.
  • A virtual server named service.
  • A pool named Pool1 monitored by the default http health monitor.
  • An LTM policy named _WAF__HTTP_Service which references the existing ASM policy named test-policy.
{
  "class": "ADC",
  "schemaVersion": "3.0.0",
  "id": "5489432",
  "label": "ASM_policy_existing",
  "remark": "ASM_policy_existing",
  "Sample_app_sec_01": {
    "class": "Tenant",
    "HTTP_Service": {
      "class": "Application",
      "service": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "192.0.10.107"
        ],
        "snat": "auto",
        "pool": "Pool1",
        "policyWAF": {
          "bigip": "/Common/test-policy"
        }
      },
      "Pool1": {
        "class": "Pool",
        "monitors": [
          "http"
        ],
        "members": [
          {
            "servicePort": 8001,
            "serverAddresses": [
              "10.10.10.143"
            ]
          },
          {
            "servicePort": 8002,
            "serverAddresses": [
              "10.10.10.144"
            ]
          }
        ]
      }
    }
  }
 }

Back to top


Virtual service referencing an external security policy

This example creates an HTTP service, and attaches a Web Application Firewall (WAF) security policy hosted in an external location. See the BIG-IP ASM Implementations Guide for information on configuring security policies, and the Exporting ASM Policies chapter for information on exporting policies.

Note the URL in the following declaration does not resolve, you need to use a valid URL where you have uploaded the ASM policy you exported from a BIG-IP system.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_app_sec_02.
  • A virtual server named service.
  • A pool named Pool1 monitored by the default http health monitor.
  • An LTM policy named _WAF__HTTP_Service which references the external ASM policy via URL.
{
  "class": "ADC",
  "schemaVersion": "3.2.0",
  "id": "5489432",
  "label": "ASM_policy_external_URL",
  "remark": "ASM_policy_external_URL",
  "Sample_app_sec_02": {
    "class": "Tenant",
    "HTTP_Service": {
      "class": "Application",
      "service": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "192.0.10.107"
        ],
        "snat": "auto",
        "pool": "Pool1",
        "policyWAF": {
          "use": "My_ASM_Policy"
        }
      },
      "Pool1": {
        "class": "Pool",
        "monitors": [
          "http"
        ],
        "members": [
          {
            "servicePort": 8001,
            "serverAddresses": [
              "10.10.10.143"
            ]
          },
          {
            "servicePort": 8002,
            "serverAddresses": [
              "10.10.10.144"
            ]
          }
        ]
      },
      "My_ASM_Policy": {
        "class": "WAF_Policy",
        "url": "https://example.com/asm-policy.xml",
        "ignoreChanges": true
      }
    }
  }
}

Back to top

Endpoint policy with default rule to disable WAF

This example shows an Endpoint policy that includes two rules, one that attempts to match a URI and then enables the WAF policy, and a default rule to disable the Web Application Firewall (WAF) if the first doesn’t match. See the Schema Reference for usage options and information on Endpoint policies. You can also see this page for example policy declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_app_sec_03.
  • An Endpoint policy named testItem.
  • Two rules, one to enable the WAF and the other to disable it.
  • A WAF policy named wafPolicy which references an external policy (via URL).
{
  "class": "ADC",
  "schemaVersion": "3.7.0",
  "id": "Service_HTTP",
  "Sample_app_sec_03": {
      "class": "Tenant",
      "Application": {
          "class": "Application",
          "testItem": {
              "class": "Service_HTTP",
              "policyEndpoint": "endpointPolicy",
              "virtualAddresses": ["10.1.40.50"]
          },
          "endpointPolicy": {
              "class": "Endpoint_Policy",
              "rules": [
                  {
                    "name": "enableWAF",
                        "conditions": [{
                            "type": "httpUri",
                            "path": {
                                "values": ["example.com"]
                            }
                        }
                    ],
                    "actions": [{
                            "type": "waf",
                            "policy": {
                                "use": "wafPolicy"
                            }
                        }
                    ]
                  },
                  {
                    "name": "disableWAF",
                    "conditions": [],
                    "actions": [{
                            "type": "waf"
                        }
                    ]
                  }
              ]
          },
          "wafPolicy": {
              "class": "WAF_Policy",
              "url": "http://example.com/orchestration-as3-test/resources/asm_policy/policy.xml",
              "ignoreChanges": true
          }
      }
   }
}

Back to top

Endpoint policy with SSL SNI Match conditions and HTTP action

This example shows an Endpoint policy that includes SSL SNI Match conditions (sslExtension) and the ability to use HTTP actions in a declaration. The SSL extension property inspects SSL extensions being negotiated during the HELLO phase. See Policy_Condition and Policy_Condition_SSL_extension_HTTP in the Schema Reference for usage and options. The HTTP actions property provides the ability to enable or disable the BIG-IP system’s HTTP filter processing. See Policy_Action_HTTP in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_app_sec_04.
  • An Endpoint policy named test1.
  • An Endpoint policy rule (sni0) which, if during the SSL client HELLO the server name (test1.com) is in the SSL extension, will forward to an existing pool (sni1) on the BIG-IP (with HTTP actions set to false).
  • A second rule (sni1) which, if during the SSL client HELLO the server name (test2.com) is in the SSL extension, will forward to an existing pool (sni2) on the BIG-IP (with HTTP actions set to false).
  • A default rule that drops the request if neither of the other two rules are matched.
{
    "class": "ADC",
    "schemaVersion": "3.8.0",
    "id": "Endpoint_Policy",
    "Sample_app_sec_04": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "test1": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "sni0",
                        "actions": [
                            {
                                "type": "forward",
                                "select": {
                                    "pool": {
                                        "bigip": "/Common/sni1"
                                    }
                                }
                            },
                            {
                                "type": "http",
                                "enabled": false
                            }
                        ],
                        "conditions": [
                            {
                                "type": "sslExtension",
                                "event": "ssl-client-hello",
                                "serverName": {
                                    "operand": "equals",
                                    "values": [
                                        "test1.com"
                                    ]
                                }
                            }
                        ]
                    },
                    {
                        "name": "sni1",
                        "actions": [
                            {
                                "type": "forward",
                                "select": {
                                    "pool": {
                                        "bigip": "/Common/sni2"
                                    }
                                }
                            },
                            {
                                "type": "http",
                                "enabled": false
                            }
                        ],
                        "conditions": [
                            {
                                "type": "sslExtension",
                                "event": "ssl-client-hello",
                                "serverName": {
                                    "operand": "equals",
                                    "values": [
                                        "test2.com"
                                    ]
                                }
                            }
                        ]
                    },
                    {
                        "name": "default",
                        "actions": [
                            {
                                "type": "drop",
                                "event": "request"
                            }
                        ]
                    }
                ]
            }
        }
    }
}

Back to top

Using a Security log profile with Application Security

This example shows how you can use a BIG-IP ASM Security Logging profile with application security in a declaration (you must have ASM licensed and provisioned to use this profile). Logging profiles determine where events are logged, and which items (such as which parts of requests, or which type of errors) are logged. For more information on ASM logging profiles, see ASM Logging Profiles, and Security Log Profile class in the Schema Reference for BIG-IP AS3 usage options and information.

There are two declarations in this example, one that uses local storage for the logs, and one that uses remote storage.

Local storage

This declaration creates a security log profile that uses local storage (for the remote storage example, click Remote storage). This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Security_Log_Local.
  • A Security Log Profile named secLogLocal with Application Security enabled which stores logs locally.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "Security_Log_Profile_local",
    "Security_Log_local": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "secLogLocal": {
                "class": "Security_Log_Profile",
                "application": {
                    "storageFilter": {
                        "logicalOperation": "and",
                        "requestType": "all",
                        "responseCodes": [
                            "100",
                            "200",
                            "300",
                            "400"
                        ],
                        "protocols": [
                            "https",
                            "ws"
                        ],
                        "httpMethods": [
                            "ACL",
                            "GET",
                            "POLL",
                            "POST"
                        ],
                        "requestContains": {
                            "searchIn": "search-in-headers",
                            "value": "The header string to search for"
                        },
                        "loginResults": [
                            "login-result-successful",
                            "login-result-failed"
                        ]
                    },
                    "guaranteeLoggingEnabled": true,
                    "guaranteeResponseLoggingEnabled": true,
                    "maxHeaderSize": 200,
                    "maxQuerySize": 1040,
                    "maxRequestSize": 900,
                    "responseLogging": "all"
                }
            }
        }
    }
}

Remote storage

This declaration creates a security log profile that uses remote storage (for the local storage example, click Local storage). This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Security_Log_Remote.
  • A Security Log Profile named secLogRemote with Application Security enabled, which sends logs to a remote logging server on port 9876.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "Security_Log_Profile",
    "Security_Log_Remote": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "secLogRemote": {
                "class": "Security_Log_Profile",
                "application": {
                    "facility": "local3",
                    "storageFilter": {
                        "requestType": "illegal-including-staged-signatures",
                        "responseCodes": [
                            "404",
                            "201"
                        ],
                        "protocols": [
                            "http"
                        ],
                        "httpMethods": [
                            "PATCH",
                            "DELETE"
                        ],
                        "requestContains": {
                            "searchIn": "search-in-request",
                            "value": "The new value"
                        },
                        "loginResults": [
                            "login-result-unknown"
                        ]
                    },
                    "storageFormat": {
                        "fields": [
                            "attack_type",
                            "avr_id",
                            "headers",
                            "is_truncated"
                        ],
                        "delimiter": "."
                    },
                    "localStorage": false,
                    "maxEntryLength": "10k",
                    "protocol": "udp",
                    "remoteStorage": "remote",
                    "reportAnomaliesEnabled": true,
                    "servers": [
                        {
                            "address": "9.8.7.6",
                            "port": "9876"
                        }
                    ]
                }
            }
        }
    }
}

Back to top

Using Persist Actions in an Endpoint Policy

This example shows an Endpoint policy that includes Persist actions in a declaration. The Persist actions give you control over how connections are persisted. You can use the following Persist actions: carp, cookie-insert, cookie-rewrite, disable, source-address, cookie-hash, cookie-passive, destination-address, hash, and universal (the example declaration includes an example of each). See Policy_Action_Persist in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_Endpoint_Policy.
  • An Endpoint policy named testPolicy.
  • An Endpoint policy rule with examples of each Persist action.
{
    "class": "ADC",
    "schemaVersion": "3.11.0",
    "id": "Endpoint_Policy",
    "Example_Endpoint_Policy": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "testPolicy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "rule",
                        "conditions": [],
                        "actions": [
                            {
                                "type": "persist",
                                "event": "request",
                                "sourceAddress": {
                                    "netmask": "255.255.255.255",
                                    "timeout": 60
                                }
                            },
                            {
                                "type": "persist",
                                "event": "request",
                                "destinationAddress": {
                                    "netmask": "255.255.255.255",
                                    "timeout": 60
                                }
                            },
                            {
                                "type": "persist",
                                "event": "request",
                                "cookieInsert": {
                                    "name": "foo_bar",
                                    "expiry": "1d01:01:01"
                                }
                            },
                            {
                                "type": "persist",
                                "event": "request",
                                "cookieRewrite": {
                                    "name": "bar_foo",
                                    "expiry": "2d02:02:02"
                                }
                            },
                            {
                                "type": "persist",
                                "event": "request",
                                "cookiePassive": {
                                    "name": "theFooBaring"
                                }
                            },
                            {
                                "type": "persist",
                                "event": "request",
                                "cookieHash": {
                                    "name": "leFooBar",
                                    "offset": 5,
                                    "length": 50,
                                    "timeout": 60
                                }
                            },
                            {
                                "type": "persist",
                                "event": "request",
                                "universal": {
                                    "key": "insertFooBar",
                                    "timeout": 65
                                }
                            },
                            {
                                "type": "persist",
                                "event": "request",
                                "hash": {
                                    "key": "hashFooBar",
                                    "timeout": 55
                                }
                            },
                            {
                                "type": "persist",
                                "event": "request",
                                "carp": {
                                    "key": "carpFooBar",
                                    "timeout": 50
                                }
                            }
                        ]
                    }
                ]
            }
        }
    }
}

Back to top

Changing the enforcement mode of a WAF policy retrieved from a URL

This example shows how you can change the enforcement mode of a WAF policy that was retrieved from a URL. This declaration uses a new property in the WAF_Policy class called enforcementMode, which overrides the enforcement mode that is set in the policy itself.

This can be useful when you want to change the enforcement mode, but do not want to (or cannot) modify the WAF Policy. See WAF_Policy in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_WAF_Policy.
  • A WAF policy named exampleWAF, which pulls the policy from a URL.
  • The enforcement mode of the policy is set to transparent, which overrides the setting in the policy itself.
{
    "class": "ADC",
    "schemaVersion": "3.13.0",
    "Example_WAF_Policy": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "exampleWAF": {
                "class": "WAF_Policy",
                "url": "https://example.com/files/wordpress_template_12.0.xml",
                "ignoreChanges": false,
                "enforcementMode": "transparent"
            }
        }
    }
}

Back to top

Using an Anti-Fraud (FPS) profile in a declaration

This example shows how can use an Anti-Fraud profile (part of Fraud Protection Services (FPS)) that already exists on your BIG-IP system in a BIG-IP AS3 declaration. The Anti-Fraud profile includes logging settings that enable reporting of login attempts to third party platforms such as Splunk. See the Web Fraud protection page on F5.com for information about Fraud Protection Services.

See Pointer_FPS in the Schema Reference for usage options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_FPS.
  • A virtual service named FPSvs that references an existing anti-fraud profile on the BIG-IP system.
{
    "class": "ADC",
    "schemaVersion": "3.13.0",
    "id": "Service_HTTP",
    "Example_FPS": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "FPSvs": {
                "class": "Service_HTTP",
                "virtualPort": 100,
                "virtualAddresses": [
                    "10.10.20.20"
                ],
                "profileFPS": {
                	"bigip": "/Common/antifraud"
                }
            }
        }
    }
}

Back to top

Defining server technologies in a WAF policy

This example shows how you can define server technologies (such as Java Servlets or Apache Struts) for a WAF policy in a BIG-IP AS3 declaration. This allows you to assign signatures that specifically apply to the technologies used in the application being protected.

For more information on WAF server technologies, see Adding Server Technologies to a Policy in the ASM manual. See WAF_Policy in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_WAF_Policy.
  • A WAF policy named exampleWAF, which pulls the policy from a URL.
  • The enforcement mode of the policy is set to transparent, which overrides the setting in the policy itself.
  • Two server technologies attached to the policy, Java Servlets/JSP and Apache Struts.
{
    "class": "ADC",
    "schemaVersion": "3.16.0",
    "Example_WAF_Policy": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "exampleWAF": {
                "class": "WAF_Policy",
                "url": "https://example.com/files/wordpress_template_12.0.xml",
                "ignoreChanges": false,
                "enforcementMode": "transparent",
                "serverTechnologies": [
                    "Java Servlets/JSP",
                    "Apache Struts"
                ]
            }
        }
    }
}

Back to top

Disabling an attack signature in a WAF policy

This example shows how you can disable an attack signature(s) in a WAF policy which is referenced via a URL. This can be useful if you have an established WAF policy and don’t want to modify it, but want to disable specific signatures for a particular virtual service.

For more information on attack signatures, see Managing BIG-IP ASM attach signatures. See WAF_Policy in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_WAF_Sig_Disable.
  • A WAF policy named exampleWAF, which pulls the policy from a URL.
  • The enforcement mode of the policy is set to transparent, which overrides the setting in the policy itself.
  • Two disabled attack signature IDs.
{
    "class": "ADC",
    "schemaVersion": "3.16.0",
    "Example_WAF_Sig_Disable": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "exampleWAF": {
                "class": "WAF_Policy",
                "url": "https://example.com/files/wordpress_template_12.0.xml",
                "ignoreChanges": false,
                "enforcementMode": "transparent",
                "disabledSignatures": [
                    200000001,
                    200000002
                ]
            }
        }
    }
}

Back to top

Using negative string conditions in Endpoint policies

This example shows how you can use negative string conditions (such as “is not” or “does not contain”) in Endpoint policies (Local Traffic (LTM) policies on the BIG-IP). Use of negative operands has been available when configured directly on the BIG-IP, but added to BIG-IP AS3 in 3.17.0. For more information, see Local Traffic Policies in the BIG-IP documentation.

This declaration also shows the use pointer for the Endpoint policy, also introduced in BIG-IP AS3 3.17.0.

Note

The example declaration has been updated with the BIG-IP AS3 3.24 release to include a chainCA (a bundle of one or more CA certificates in trust-chain from root CA to certificate).

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_negative_op.
  • A virtual service named EP_Virtual which references the Endpoint (Local Traffic) policy, as well as a pool and TLS certificate.
  • An Endpoint policy named test_EP, which contains rules with negative operands.
  • A Client SSL profile (TLS_Server in BIG-IP AS3) with a certificate and key.
  • A pool named web_pool with two members monitored by the default HTTP monitor.
{
    "class": "ADC",
    "schemaVersion": "3.17.0",
    "id": "Endpoint_Policy",
    "Example_negative_op": {
        "class": "Tenant",
        "Application1": {
            "class": "Application",
            "EP_Virtual": {
                "class": "Service_HTTPS",
                "virtualAddresses": [
                    "10.0.9.10"
                ],
                "virtualPort": 443,
                "pool": "web_pool",
                "serverTLS": "webtls",
                "policyEndpoint": {
                    "use": "test_EP"
                }
            },
            "test_EP": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "rule1",
                        "actions": [],
                        "conditions": [
                            {
                                "type": "sslExtension",
                                "event": "ssl-client-hello",
                                "serverName": {
                                    "operand": "does-not-contain",
                                    "values": [
                                        "test1.com"
                                    ]
                                }
                            }, {
                                "type": "httpUri",
                                "unnamedQueryParameter": {
                                    "operand": "does-not-equal",
                                    "values": [
                                        "13"
                                    ]
                                },
                                "index": 1
                            },
                            {
                                "type": "httpUri",
                                "path": {
                                    "operand": "does-not-end-with",
                                    "values": [
                                        "/"
                                    ]
                                }
                            },
                            {
                                "type": "httpUri",
                                "host": {
                                    "operand": "does-not-start-with",
                                    "values": [
                                        "site.com"
                                    ]
                                }
                            }
                        ]
                    },
                    {
                        "name": "default",
                        "actions": [
                            {
                                "type": "drop",
                                "event": "request"
                            }
                        ]
                    }
                ]
            },
            "webtls": {
	          "class": "TLS_Server",
	          "certificates": [{
	            "certificate": "webcert"
	          }]
	        },
	        "webcert": {
	          "class": "Certificate",
	          "remark": "in practice we recommend using a passphrase",
              "certificate": "-----BEGIN CERTIFICATE-----\nMIICnDCCAgWgAwIBAgIJAJ5n2b0OCEjwMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRQwEgYDVQQKDAtmNV9OZXR3b3JrczEbMBkGA1UEAwwSc2FtcGxlLmV4YW1wbGUubmV0MB4XDTE3MTEyNjE5NTAyNFoXDTE4MDIyNTE5NTAyNFowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFDASBgNVBAoMC2Y1X05ldHdvcmtzMRswGQYDVQQDDBJzYW1wbGUuZXhhbXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALEsuXmSXVQpYjrZPW+WiTBjn491mwZYT7Q92V1HlSBtM6WdWlK1aZN5sovfKtOX7Yrm8xa+e4o/zJ2QYLyyv5O+t2EGN/4qUEjEAPY9mwJdfzRQy6Hyzm84J0QkTuUJ/EjNuPji3D0QJRALUTzu1UqqDCEtiN9OGyXEkh7uvb7BAgMBAAGjUDBOMB0GA1UdDgQWBBSVHPNrGWrjWyZvckQxFYWO59FRFjAfBgNVHSMEGDAWgBSVHPNrGWrjWyZvckQxFYWO59FRFjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAJeJ9SEckEwPhkXOm+IuqfbUS/RcziifBCTmVyE+Fa/j9pKSYTgiEBNdbJeBEa+gPMlQtbV7Y2dy8TKx/8axVBHiXC5geDML7caxOrAyHYBpnx690xJTh5OIORBBM/a/NvaR+P3CoVebr/NPRh9oRNxnntnqvqD7SW0U3ZPe3tJc\n-----END CERTIFICATE-----",
              "chainCA": "-----BEGIN CERTIFICATE-----\nMIID9TCCAt2gAwIBAgIJALxQA/NW2bpRMA0GCSqGSIb3DQEBCwUAMIGQMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTELMAkGA1UECgwCRjUxDTALBgNVBAsMBFRlc3QxFzAVBgNVBAMMDnRlc3RfQ0FfYnVuZGxlMSUwIwYJKoZIhvcNAQkBFhZzb21lYm9keUBzb21ld2hlcmUub3JnMB4XDTE4MDIyNzE5MjEyNVoXDTE4MDMyOTE5MjEyNVowgZAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMQswCQYDVQQKDAJGNTENMAsGA1UECwwEVGVzdDEXMBUGA1UEAwwOdGVzdF9DQV9idW5kbGUxJTAjBgkqhkiG9w0BCQEWFnNvbWVib2R5QHNvbWV3aGVyZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCjhUZmbwwuMMFTNic73t0mfJ/pyM3BnEs0riv6lbrF5znFKBlAM2pxWBfkQvr92gUwitij7BqMagnR26/C7GcJJNJQGNK482vgSPhUpGeN0t4W71Dv5SpwJN+0do6gV0eXPwvcgA/XZxXqZAePwXTp36YMrNTgw49OWZpHoNXfYCZ+1KUL032RdQ/Ik2wO/UwV0csL1Rwuu2L8/NI9VtrThCAr8dsMsDJ53jDh7xQdP3K2V9NYtAHk66697kk7TpzR1moqTJxSVaPKo2eDuKNke1BRbjYWoamu0hfC5YG6l5P9i8QaVklbtmDcmoLpU9fLVSSW6CWHkrtdifQiCOChAgMBAAGjUDBOMB0GA1UdDgQWBBRv7/Q0VoBgDYzgJOKLz4GsgXP27zAfBgNVHSMEGDAWgBRv7/Q0VoBgDYzgJOKLz4GsgXP27zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA9r6+6hGVlQ188l+wLFJ1wI83y27BdtE0ZsZGdFv98qi9kcUm17Z0tprEwypODZ1/syt9b1JhD4RgU30qwgeF4kec8UpoG49UkQImRD3AqfsiYSdjZeBpcpEl3n8lkjKGoVY7GB2lMGoWDxv/1A0CSjVTmWgQSFGHoMtzOW1tCr9yGXVEdy691l7PVC1kK5ekwkO8YbSO6hvV/u83KuUiGcIoY1PIzAK301i9YXWUNxybIVfHregoQ11QzjhfdfpOLBTtW1B4QZqZz8qFGIr1remmQK3ljEcct9bWjMLOx2QYMvk6uRFzh+V5L2UnhldNy5wQYMXRDz6SU3LdTJ2OA\n-----END CERTIFICATE-----",
              "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
              "passphrase": {
                "ciphertext": "ZjVmNQ==",
                "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
              }
           },
           "web_pool": {
            "class": "Pool",
            "monitors": [
                "http"
            ],
            "members": [{
                "servicePort": 80,
                "serverAddresses": [
                    "192.0.9.10",
                    "192.0.9.11"
                    ]
                }]
            }
        }
    }
}

Back to top

Adding Basic Auth when retrieving a WAF policy from a URL

This example shows you can add Basic Authentication when referencing a remote object, such as a WAF policy, from a URL in a BIG-IP AS3 declaration. This allows you to reference a URL that is protected by Basic Authentication, which was not possible in BIG-IP AS3 versions prior to 3.18.

Note

Currently only Basic Authentication is supported, other authentication methods may be added in future releases.

In this example, we are referencing a WAF policy that exists on a BIG-IQ device that is protected by Basic Auth.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_WAF_Policy.
  • A Application named Example_App.
  • A WAF policy named exampleWAF that is retrieved from a URL located on a BIG-IQ behind Basic Authentication.
{
    "class": "ADC",
    "schemaVersion": "3.18.0",
    "Example_WAF_Policy": {
        "class": "Tenant",
        "Example_App": {
            "class": "Application",
            "exampleWAF": {
                "class": "WAF_Policy",
                "url": {
                    "url": "https://bigiq.example.com/mgmt/cm/asm/policy-files/download/0da5cae6-f106-3790-a72c-c58fb6b7a512/13.1.0",
                    "authentication": {
                        "method": "basic",
                        "username": "testUser",
                        "passphrase": {
                            "ciphertext": "ZjVmNQ==",
                            "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
                        }
                    }
                },
                "ignoreChanges": false,
                "enforcementMode": "transparent"
            }
        }
    }
}

Back to top

Configuring the status code used during a redirect with an Endpoint policy

This example shows you can use BIG-IP AS3 to configure the HTTP status code of an LTM Endpoint policy redirect in BIG-IP (TMOS) versions 14.0 and later.

See Policy_Action in the Schema Reference for BIG-IP AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named AS3_Tenant.
  • A Application named AS3_Application.
  • An Endpoint policy named test_EP which includes a rule with an HTTP redirect action and an HTTP status code of 300.
{
    "class": "ADC",
    "schemaVersion": "3.20.0",
    "id": "Endpoint_Policy",
    "AS3_Tenant": {
        "class": "Tenant",
        "AS3_Application": {
            "class": "Application",
            "test_EP": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "default",
                        "actions": [
                            {
                                "type": "httpRedirect",
                                "event": "request",
                                "location": "http://localhost",
                                "code": 300
                            }
                        ]
                    }
                ]
            }
        }
    }
}

Back to top

Using TCP address and port conditions in an Endpoint policy

This example shows how you can use TCP address and port conditions in an LTM Endpoint Policy. For more information on LTM Endpoint Policies, see Local Traffic Policies in the BIG-IP documentation.

See Policy_Condition_TCP in the Schema Reference for BIG-IP AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named AS3_Tenant.
  • A Application named AS3_Application.
  • A data group named ipDataGroup.
  • An Endpoint policy named myPolicy which includes a rule with multiple TCP conditions.
{
    "class": "ADC",
    "schemaVersion": "3.20.0",
    "id": "Endpoint_Policy",
    "AS3_Tenant": {
        "class": "Tenant",
        "AS3_Application": {
            "class": "Application",
            "ipDataGroup": {
                "class": "Data_Group",
                "remark": "description",
                "keyDataType": "ip",
                "records": [
                    {
                        "key": "10.10.1.1"
                    }
                ]
            },
            "myPolicy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "default",
                        "conditions": [
                            {
                                "type": "tcp",
                                "address": {
                                    "values": [
                                        "10.10.10.10"
                                    ]
                                }
                            },
                            {
                                "type": "tcp",
                                "port": {
                                    "values": [
                                        8080
                                    ]
                                }
                            },
                            {
                                "type": "tcp",
                                "address": {
                                    "datagroup": {
                                        "bigip": "/Common/private_net"
                                    }
                                }
                            },
                            {
                                "type": "tcp",
                                "address": {
                                    "operand": "does-not-match",
                                    "datagroup": {
                                        "use": "/AS3_Tenant/AS3_Application/ipDataGroup"
                                    }
                                }
                            }
                        ]
                    }
                ]
            }
        }
    }
}

Back to top


Referencing an Advanced WAF policy in a declaration

This example shows how you can reference an Advanced Web Application Policy (AWAF) hosted in an external location in a BIG-IP AS3 declaration. The AWAF policies are declarative, JSON files.

In the following example, we reference an Open Web Application Security Project (OWASP) Top Ten protection policy from a URL hosted on GitHub. The OWASP Top 10 defines the most serious web application security risks, and it is a baseline standard for application security.

Important

You must be using BIG-IP (TMOS) version 16.0 or later to reference AWAF policies. You must also have the BIG-IP ASM module licensed and provisioned.
BIG-IP AS3 does not support overriding policy settings on AWAF policies. You should use the adjustments section of a AWAF policy instead.

For more information on F5 and OWASP, see Securing against the OWASP Top 10. For more information on F5 AWAF, see Advanced WAF on F5.com.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named owaspTenant.
  • A Application named owaspApp
  • A virtual server named service that references a WAF policy.
  • An WAF policy named asmPolicy which references the OWASP top ten AWAF policy via URL.
{
  "class": "ADC",
  "schemaVersion": "3.24.0",
  "owaspTenant": {
    "class": "Tenant",
    "owaspApp": {
      "class": "Application",
      "service": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "192.0.2.0"
        ],
        "policyWAF": {
          "use": "asmPolicy"
        }
      },
      "asmPolicy": {
        "class": "WAF_Policy",
        "url": "https://raw.githubusercontent.com/f5devcentral/f5-asm-policy-templates/v1.1/owasp_ready_template/owasp_policy_v1.0.json",
        "ignoreChanges": false
      }
    }
  }
}

Back to top


Embedding a WAF policy in a declaration

BIG-IP AS3 3.26 introduced the ability to embed JSON/XML WAF policies directly in a declaration, using the new policy property in the WAF_Policy class. This example includes three declarations for including WAF policies, one that is base64 encoded, one that text, and one using a URL. Each of declarations uses the same WAF policy.

See WAF_Policy for more information and BIG-IP AS3 usage.

All of the declarations create the following objects on the BIG-IP:

  • Partition (tenant) named Tenant.
  • A Application named Application
  • A virtual server named service that references a WAF policy.
  • A WAF policy that uses the policy property to specify the way the policy is included (options for base64, text, and url).

Base64 example

In this declaration, the WAF policy is embedded in base64 encoding.

{
    "class": "ADC",
    "schemaVersion": "3.26.0",
    "id": "WAF_Policy",
    "Tenant": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualAddresses": ["10.10.20.20"],
                "policyWAF": {
                    "use": "wafPolicy"
                }
            },
            "wafPolicy": {
                "class": "WAF_Policy",
                "policy": {
                    "base64": "ewogICAgInBvbGljeSI6IHsKICAgICAgICAibmFtZSI6IkFwcFBvbGljeTAxIiwKICAgICAgICAiZGVzY3JpcHRpb24iOiJlbWJlZGRlZCBXQUYgUG9saWN5IiwKICAgICAgICAidGVtcGxhdGUiOiB7CiAgICAgICAgICAgICJuYW1lIjoiUE9MSUNZX1RFTVBMQVRFX1JBUElEX0RFUExPWU1FTlQiCiAgICAgICAgfQogICAgfQp9"
                },
                "ignoreChanges": false
            }
        }
    }
}

Text example

In this declaration, the WAF policy is embedded in text.

{
    "class": "ADC",
    "schemaVersion": "3.26.0",
    "id": "WAF_Policy",
    "Tenant": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualAddresses": ["10.10.20.20"],
                "policyWAF": {
                    "use": "wafPolicy"
                }
            },
            "wafPolicy": {
                "class": "WAF_Policy",
                "policy": {
                    "text": "{\n  \"policy\": {\n    \"name\":\"AppPolicy01\",\n    \"description\":\"embedded WAF Policy\",\n    \"template\": {\n    \"name\":\"POLICY_TEMPLATE_RAPID_DEPLOYMENT\"\n    }\n    }\n  }"
                },
                "ignoreChanges": false
            }
        }
    }
}

URL example

In this declaration, the WAF policy is referenced from a URL.

{
    "class": "ADC",
    "schemaVersion": "3.26.0",
    "id": "WAF_Policy",
    "Tenant": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualAddresses": ["10.10.20.20"],
                "policyWAF": {
                    "use": "wafPolicy"
                }
            },
            "wafPolicy": {
                "class": "WAF_Policy",
                "policy": {
                    "url": "https://example.xml"
                },
                "ignoreChanges": false
            }
        }
    }
}

Back to top


Referencing an API Protection profile in a declaration

This example shows how you can reference an API Protection profile in a BIG-IP AS3 declaration, which safeguards your API servers. Protection profiles define groups of related RESTful APIs used by applications. The protection profile contains a list of paths that may appear in a request, and the system classifies requests and sends them to specific API servers.

For more information, including how to manually create an API Protection profile that can be referenced in a BIG-IP AS3 declaration, see APM API Protection. This example does not create an API Protection profile, only references profiles that already exist on the BIG-IP.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named API_Protection_Service_HTTP.
  • A Application named apiProtectionApp
  • A virtual server named service with a virtual address and a reference to an existing API Protection profile named apiProtectionProfile.
{
    "class": "ADC",
    "schemaVersion": "3.26.0",
    "id": "Service_HTTP",
    "API_Protection_Service_HTTP": {
        "class": "Tenant",
        "apiProtectionApp": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualPort": 8080,
                "virtualAddresses": [
                    "1.2.3.4"
                ],
                "profileApiProtection": {
                    "bigip": "/Common/apiProtectionProfile"
                }
            }
        }
    }
}

Back to top


Using Tcl set-variable actions in an Endpoint policy

This example shows how you use Tcl set-variable actions in an Endpoint policy, which allows you to set a Tcl variable in the runtime environment. In the declaration, you need to specify the name of variable, and the Tcl expression to evaluate.

For BIG-IP AS3 options and usage, see Policy_Action_TCL_setVariable and Policy_Action_TCL.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named AS3_Tenant.
  • A Application named AS3_Application
  • A virtual server named service with a virtual address and a reference to an Endpoint policy.
  • An Endpoint policy named endpointPolicy with a rule and an action of type Tcl that sets a variable named variableName and an expression to evaluate.
{
    "class": "ADC",
    "schemaVersion": "3.27.0",
    "id": "Endpoint_Policy",
    "AS3_Tenant": {
        "class": "Tenant",
        "AS3_Application": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "1.2.3.4"
                ],
                "policyEndpoint": {
                    "use": "endpointPolicy"
                }
            },
            "endpointPolicy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "rule",
                        "actions": [
                            {
                                "type": "tcl",
                                "event": "request",
                                "setVariable": {
                                    "expression": "tclExpression",
                                    "name": "variableName"
                                }
                            }
                        ]
                    }
                ]
            }
        }
    }
}

Back to top


Retrieving a WAF Policy from a URL using token-based authentication

In this example, we show how you can retrieve a WAF Policy from secured URLs that do not use Basic Authentication, using token (bearer token) authentication (OAuth2 in this example). This is necessary when trying to retrieve data from URLs from locations such as Microsoft Azure Dev Ops, and GitHub (after 11/13/2020) that do not support Basic authentication.

This functionality is enabled by using the new bearer-token authentication method introduced in BIG-IP AS3 3.28. Currently, you must provide the token in the declaration. Future versions may include the ability to retrieve the token.

Your application must be configured appropriately so BIG-IP AS3 can retrieve data from the URLs. For example, if using Azure Dev Ops, see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. If using GitHub, see the Basics of Authentication guide on GitHub. If using other applications, see the appropriate documentation.

See Bearer Token and WAF_Policy in the Schema Reference for more information and BIG-IP AS3 usage.

Note

This example retrieves a URL as a part of a WAF policy, but bearer token authentication works with any BIG-IP AS3 class that can retrieve data from a URL.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_WAF_Policy.
  • An Application named Example_App.
  • A WAF policy named exampleWAF that retrieves the policy via URL using bearer token authentication, and the token is included in the declaration.
{
    "class": "ADC",
    "schemaVersion": "3.28.0",
    "Example_WAF_Policy": {
        "class": "Tenant",
        "Example_App": {
            "class": "Application",
            "exampleWAF": {
                "class": "WAF_Policy",
                "url": {
                    "url": "https://bigiq.example.com/mgmt/cm/asm/policy-files/download/0da5cae6-f106-3790-a72c-c58fb6b7a512/13.1.0",
                    "authentication": {
                        "method": "bearer-token",
                        "token": {
                            "ciphertext": "ZjVmNQ==",
                            "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
                        }
                    }
                },
                "ignoreChanges": false,
                "enforcementMode": "transparent"
            }
        }
    }
}

Back to top


Using the HTTP method condition in an Endpoint policy

In this example, we show how you can use the httpMethod condition in your Endpoint policy rules. This allows you to match against any HTTP method.

For more information on LTM Endpoint Policies, see Local Traffic Policies in the BIG-IP documentation.

When using httpMethod, you must also decide when to evaluate this condition in the request-response cycle. You can specify request or proxy-request.

See Policy_Condition and Policy_Condition_HTTP_Method in the schema reference for more information and BIG-IP AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named AS3_Tenant.
  • An Application named AS3_Application.
  • An Endpoint policy named test_EP that contains rules with actions and the httpMethod condition.
{
  "class": "ADC",
  "schemaVersion": "3.32.0",
  "id": "Endpoint_Policy",
  "AS3_Tenant": {
      "class": "Tenant",
      "AS3_Application": {
          "class": "Application",
          "service": {
              "class": "Service_HTTP",
              "virtualAddresses": [
                  "1.2.3.4"
              ],
              "policyEndpoint": {
                  "use": "test_EP"
              }
          },
          "uriDataGroup": {
              "class": "Data_Group",
              "label": "URI Example",
              "storageType": "internal",
              "name": "URI Example",
              "keyDataType": "string",
              "records": [
                  {
                      "key": "test.com"
                  }
              ]
          },
          "test_EP": {
              "class": "Endpoint_Policy",
              "rules": [
                  {
                      "name": "replace",
                      "actions": [
                          {
                              "type": "httpUri",
                              "event": "request",
                              "replace": {
                                  "value": "http://127.0.0.1"
                              }
                          }
                      ],
                      "conditions": [
                          {
                              "type": "httpMethod",
                              "event": "request",
                              "all": {
                                  "operand": "equals",
                                  "values": [
                                      "GET",
                                      "POST",
                                      "PATCH"
                                  ]
                              }
                          },
                          {
                              "type": "httpUri",
                              "event": "request",
                              "host": {
                                  "operand": "contains",
                                  "datagroup": {
                                      "use": "uriDataGroup"
                                  }
                              }
                          }
                      ]
                  },
                  {
                      "name": "default",
                      "actions": [
                          {
                              "type": "drop",
                              "event": "request"
                          }
                      ]
                  }
              ]
          }
      }
  }
}

Back to top


Using “exist” and “does not exist” string comparison operands in an Endpoint policy

In this example, we show how you can use the string comparison operands exists and does-not-exist in Endpoint policy rules. These operands are part of the Policy_Compare_String, which specifies the comparison that the system should perform as a part of the Endpoint policy.

As their names suggest, exists checks if the string being compared exists, and does-not-exist checks if it does not exist.

These operands are only supported on BIG-IP 15.0 or later, and do not accept values.

For more information on LTM Endpoint Policies, see Local Traffic Policies in the BIG-IP documentation.

See Endpoint_Policy and Policy_Compare_String in the Schema Reference for more information and BIG-IP AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_ep_operands.
  • An Application named Application.
  • A virtual server named service that references the Endpoint Policy.
  • An Endpoint policy named endpointPolicy that contains a rule with two httpMethod conditions, one using exists and one does-not-exist.
{
    "class": "ADC",
    "schemaVersion": "3.29.0",
    "id": "Service_HTTP",
    "Sample_ep_operands": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "policyEndpoint": "endpointPolicy",
                "virtualAddresses": [
                    "10.1.40.50"
                ]
            },
            "endpointPolicy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "default",
                        "conditions": [
                            {
                                "type": "httpCookie",
                                "all": {
                                    "operand": "exists"
                                },
                                "name": "test"
                            },
                            {
                                "type": "httpCookie",
                                "all": {
                                    "operand": "does-not-exist"
                                },
                                "name": "test2"
                            }
                        ]
                    }
                ]
            }
        }
    }
}

Back to top


Configuring TCP Endpoint Policy Conditions in a declaration

In this example, we show how you can use the TCP Endpoint Policy Conditions added in BIG-IP AS3 3.29. These event options determine when to evaluate the condition in the request-response cycle.

Request and Response were supported in previous versions, BIG-IP AS3 3.29 adds the following conditions:

  • classification-detected
  • proxy-connect
  • proxy-response
  • ssl-client-hello
  • ssl-server-handshake
  • ws-request
  • client-accepted
  • proxy-request
  • server-connected
  • ssl-client-serverhello-send
  • ssl-server-hello
  • ws-response

Note

client-accepted, server-connected, proxy-connect, proxy-request, proxy-response, and ssl-client-serverhello-send require BIG-IP v13.1 or later.

See Policy_Condition_TCP in the Schema Reference for more information and BIG-IP AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named AS3_Tenant.
  • An Application named AS3_Application.
  • A virtual server named tcpItem that references the Endpoint Policy.
  • Seven different Endpoint policies that contain examples of the newly supported events.
{
    "class": "ADC",
    "schemaVersion": "3.29.0",
    "id": "Endpoint_Policy",
    "AS3_Tenant": {
        "class": "Tenant",
        "AS3_Application": {
            "class": "Application",
            "tcpItem": {
                "class": "Service_HTTP",
                "policyEndpoint": "tcpPolicy",
                "virtualAddresses": [
                    "10.1.40.50"
                ]
            },
            "tcpPolicy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "tcpDefault",
                        "conditions": [
                            {
                                "type": "tcp",
                                "event": "request",
                                "address": {
                                    "operand": "matches",
                                    "values": [
                                        "10.10.10.11"
                                    ]
                                }
                            },
                            {
                                "type": "tcp",
                                "event": "response",
                                "address": {
                                    "operand": "does-not-match",
                                    "values": [
                                        "10.10.10.12"
                                    ]
                                }
                            },
                            {
                                "type": "tcp",
                                "event": "client-accepted",
                                "address": {
                                    "operand": "does-not-match",
                                    "values": [
                                        "10.10.10.14"
                                    ]
                                }
                            },
                            {
                                "type": "tcp",
                                "event": "server-connected",
                                "address": {
                                    "operand": "does-not-match",
                                    "values": [
                                        "10.10.10.18"
                                    ]
                                }
                            }
                        ]
                    }
                ]
            },
            "httpConnectPolicy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "httpConnectPolicy",
                        "conditions": [
                            {
                                "type": "tcp",
                                "event": "proxy-response",
                                "address": {
                                    "values": [
                                        "10.10.10.17"
                                    ]
                                }
                            },
                            {
                                "type": "tcp",
                                "event": "proxy-connect",
                                "address": {
                                    "values": [
                                        "10.10.10.15"
                                    ]
                                }
                            }
                        ]
                    }
                ]
            },
            "httpExplicitPolicy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "httpExplicitPolicy",
                        "conditions": [
                            {
                                "type": "tcp",
                                "event": "proxy-request",
                                "address": {
                                    "values": [
                                        "10.10.10.16"
                                    ]
                                }
                            }
                        ]
                    }
                ]
            },
            "classificationPolicy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "classificationPolicy",
                        "conditions": [
                            {
                                "type": "tcp",
                                "event": "classification-detected",
                                "address": {
                                    "values": [
                                        "10.10.10.13"
                                    ]
                                }
                            }
                        ]
                    }
                ]
            },
            "clientSslPolicy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "clientSslPolicy",
                        "conditions": [
                            {
                                "type": "tcp",
                                "event": "ssl-client-hello",
                                "address": {
                                    "values": [
                                        "10.10.10.19"
                                    ]
                                }
                            },
                            {
                                "type": "tcp",
                                "event": "ssl-client-serverhello-send",
                                "address": {
                                    "values": [
                                        "10.10.10.20"
                                    ]
                                }
                            }
                        ]
                    }
                ]
            },
            "serverSslPolicy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "serverSslPolicy",
                        "conditions": [
                            {
                                "type": "tcp",
                                "event": "ssl-server-handshake",
                                "address": {
                                    "values": [
                                        "10.10.10.21"
                                    ]
                                }
                            },
                            {
                                "type": "tcp",
                                "event": "ssl-server-hello",
                                "address": {
                                    "values": [
                                        "10.10.10.22"
                                    ]
                                }
                            }
                        ]
                    }
                ]
            },
            "websocketPolicy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "websocketPolicy",
                        "conditions": [
                            {
                                "type": "tcp",
                                "event": "ws-request",
                                "address": {
                                    "values": [
                                        "10.10.10.23"
                                    ]
                                }
                            },
                            {
                                "type": "tcp",
                                "event": "ws-response",
                                "address": {
                                    "values": [
                                        "10.10.10.24"
                                    ]
                                }
                            }
                        ]
                    }
                ]
            }
        }
    }
}

Back to top


Using the log Endpoint Policy Rule action

In this example, we show how you can use the log Endpoint Policy rule actions introduced in BIG-IP AS3 3.34. This feature writes messages to a local or remote system log, based on the information you provide.

When using the log action type, you specify the timing with the log event property, which determines when to run this event in the request-response cycle (see Policy_Action_Log in the Schema Reference to see a list of the possible event values). The write property determines how and where the logs are written (see Policy_Action_Log_Write for the possible options for write).

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named AS3_Tenant.
  • An Application named AS3_Application.
  • A virtual server named service that references the Endpoint Policy.
  • An Endpoint policy rule action of log with event and write properties.
{
    "class": "ADC",
    "schemaVersion": "3.34.0",
    "id": "Endpoint_Policy",
    "AS3_Tenant": {
        "class": "Tenant",
        "AS3_Application": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "1.2.3.4"
                ],
                "policyEndpoint": {
                    "use": "endpointPolicy"
                }
            },
            "endpointPolicy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "rule",
                        "actions": [
                            {
                                "type": "log",
                                "event": "request",
                                "write": {
                                    "message": "The message",
                                    "facility": "local1",
                                    "priority": "warning",
                                    "ipAddress": "5.6.7.8",
                                    "port": 123
                                }
                            }
                        ]
                    }
                ]
            }
        }
    }
}

Back to top


Referencing a WAF policy from a file on the BIG-IP

In this example, we show how you can use the file property to reference a WAF policy file that exists on the BIG-IP system. This must be the absolute file path for the ASM policy stored on the BIG-IP.

In BIG-IP AS3 3.37 and later, any overrides available for the WAF policy (such as enforcementMode) are honored when referencing the policy from a file on the BIG-IP. In previous versions, these overrides were ignored.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named WAF_Policy_File.
  • An Application named Application.
  • A virtual server named service that references the WAF Policy.
  • A WAF policy named wafPolicy that references a policy file on the BIG-IP.
{
    "class": "ADC",
    "schemaVersion": "3.37.0",
    "WAF_Policy_File": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "192.0.2.0"
                ],
                "policyWAF": {
                    "use": "wafPolicy"
                }
            },
            "wafPolicy": {
                "class": "WAF_Policy",
                "file": "/path/to/file",
                "enforcementMode": "transparent"
            }
        }
    }
}

Back to top


Using GeoIP Conditions in an Endpoint policy

In this example, we show how you can use GeoIP Conditions (introduced in BIG-IP AS3 3.42) in an Endpoint Policy. GeoIP Conditions allow you to configure an Endpoint policy to match against specific IP geolocation properties. For more information on LTM Endpoint Policies, see Local Traffic Policies in the BIG-IP documentation.

See Policy_Condition_GeoIP in the Schema Reference for available properties, descriptions, and AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named AS3_Tenant.
  • An Application named AS3_Application.
  • A virtual server named tcpItem that references the Endpoint Policy.
  • An Endpoint policy named geoIPPolicy with a set or rules named geoIPDefault
  • Multiple rules using the geoip type.
{
    "class": "ADC",
    "schemaVersion": "3.42.0",
    "id": "Endpoint_Policy",
    "AS3_Tenant": {
        "class": "Tenant",
        "AS3_Application": {
            "class": "Application",
            "tcpItem": {
                "class": "Service_HTTP",
                "policyEndpoint": "geoIPPolicy",
                "virtualAddresses": [
                    "10.1.0.1"
                ]
            },
            "geoIPPolicy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "geoIPDefault",
                        "conditions": [
                            {
                                "type": "geoip",
                                "event": "request",
                                "continent": {
                                    "operand": "matches",
                                    "values": [
                                        "AF"
                                    ]
                                }
                            },
                            {
                                "type": "geoip",
                                "event": "request",
                                "countryCode": {
                                    "operand": "matches",
                                    "values": [
                                        "AT"
                                    ]
                                }
                            },
                            {
                                "type": "geoip",
                                "event": "request",
                                "countryName": {
                                    "operand": "matches",
                                    "values": [
                                        "Germany"
                                    ]
                                }
                            },
                            {
                                "type": "geoip",
                                "event": "request",
                                "isp": {
                                    "operand": "matches",
                                    "values": [
                                        "AT&T"
                                    ]
                                }
                            },
                            {
                                "type": "geoip",
                                "event": "request",
                                "org": {
                                    "operand": "matches",
                                    "values": [
                                        "myORG"
                                    ]
                                }
                            },
                            {
                                "type": "geoip",
                                "event": "request",
                                "regionCode": {
                                    "operand": "matches",
                                    "values": [
                                        "OR"
                                    ]
                                }
                            },
                            {
                                "type": "geoip",
                                "event": "request",
                                "regionName": {
                                    "operand": "matches",
                                    "values": [
                                        "Ohio"
                                    ]
                                }
                            }
                        ]
                    }
                ]
            }
        }
    }
}

Back to top


Configuring Security Log Profile NAT settings

In this example, we show how you can configure Security Log Profile NAT settings in an AS3 declaration. These settings determine how the system logs firewall NAT events.

While the Security Log Profile with NAT settings has long been supported, AS3 3.43 introduced three new properties for the NAT object, related to LSN legacy mode:

  • lsnLegacyMode: specifies whether translation events and other NAT events are logged in existing CGNAT/LSN formats (for backward compatibility with LSN events). The following options are applicable only if lsnLegacyMode is enabled (true).
    • logStartOutboundSessionDestination: includes the destination address and port with the log entry for the start of the translation event for a NAT client.
    • logEndOutboundSessionDestination: includes the destination address and port with log entry for the end of the translation event for a NAT client.

Important

If lsnLegacyMode is enabled, you cannot set the rateLimitStartInboundSession, rateLimitEndInboundSession, rateLimitStartOutboundSession, or rateLimitEndOutboundSession properties.

For more information on the Security Log Profile, see Security Log Profile class. For details on all of the available NAT settings, see Security_Log_Profile.nat.

This declaration creates the following objects on the BIG-IP (if you try to use the following declaration on an AS3 version prior to 3.43, it will fail. On previous versions, remove the new settings, highlighted in yellow):

  • Partition (tenant) named Sample_sec_log_profile_nat.
  • An Application named A1.
  • A Security Log Profile named secLogNAT with a number of settings, including lsnLegacyMode, logStartOutboundSessionDestination, and logEndOutboundSessionDestination introduced in AS3 3.43.
{
    "class": "ADC",
    "label": "Sample Security Log Profile NAT",
    "schemaVersion": "3.43.0",
    "id": "Security_Log_Profile_NAT",
    "Sample_sec_log_profile_nat": {
        "class": "Tenant",
        "A1": {
            "class": "Application",
            "secLogNAT": {
                "class": "Security_Log_Profile",
                "nat": {
                    "publisher": {
                        "bigip": "/Common/default-ipsec-log-publisher"
                    },
                    "logErrors": true,
                    "logSubscriberId": true,
                    "logQuotaExceeded": true,
                    "logStartInboundSession": true,
                    "logEndInboundSession": true,
                    "logStartOutboundSession": true,
                    "logStartOutboundSessionDestination": false,
                    "logEndOutboundSession": true,
                    "logEndOutboundSessionDestination": false,
                    "lsnLegacyMode": false,
                    "rateLimitAggregate": 100,
                    "rateLimitErrors": 10,
                    "rateLimitQuotaExceeded": 20,
                    "rateLimitStartInboundSession": 30,
                    "rateLimitEndInboundSession": 40,
                    "rateLimitStartOutboundSession": 50,
                    "rateLimitEndOutboundSession": 60,
                    "formatErrors": {
                        "fields": [
                            "context-name",
                            "event-name",
                            "dest-ip"
                        ],
                        "delimiter": "."
                    }
                }
            }
        }
    }
}

Back to top


Enabling and disabling a bot defense profile in an Endpoint policy

In this example, we show how you can enable or disable a bot defense profile in an Endpoint policy using BIG-IP AS3 3.46 or later. This allows you to enable or disable the bot defense profile when specific conditions occur, such as when a particular HTTP URI is called.

For more information, see Endpoint_Policy and DOS_Profile_Application_Bot_Defense in the Schema Reference.

For detailed information on bot defense, see Bot defense overview and Configuring Bot defense.

This declaration creates the following objects on the BIG-IP

  • Partition (tenant) named Endpoint_Policy_BotDefense.
  • An Application named Application.
  • A virtual server named testItem that references an endpoint policy and a bot defense profile.
  • An endpoint policy named endpointPolicy with multiple rules that enable or disable the bot defense profile.
{
    "class": "ADC",
    "schemaVersion": "3.46.0",
    "id": "Service_HTTP",
    "Endpoint_Policy_BotDefense": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "testItem": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "10.1.40.50"
                ],
                "policyEndpoint": "endpointPolicy",
                "profileBotDefense": {
                    "bigip": "/Common/bot-defense"
                }
            },
            "endpointPolicy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "enableBotDefense",
                        "conditions": [
                            {
                                "type": "httpUri",
                                "path": {
                                    "values": [
                                        "example.com"
                                    ]
                                }
                            }
                        ],
                        "actions": [
                            {
                                "type": "botDefense",
                                "profile": {
                                    "bigip": "/Common/bot-defense"
                                }
                            }
                        ]
                    },
                    {
                        "name": "disableBotDefense",
                        "conditions": [],
                        "actions": [
                            {
                                "type": "botDefense"
                            }
                        ]
                    }
                ]
            }
        }
    }
}

Back to top


Using expand for values in a WAF policy

In this example, we show how you can use the expand property in a WAF policy in BIG-IP AS3 3.46 or later. When using expand, BIG-IP AS3 performs string expansion on specified values within the WAF Policy.

Note

To use expand, the WAF Policy must be in JSON format; WAF policies that are not in JSON format are ignored.

The expand property accepts an array of JSON pointers that denote which properties in the imported WAF policy should have AS3 string expansion performed on them. AS3 expands the target property values in the WAF policy and overwrites the data before passing it to the BIG-IP.

For more information, see WAF_Policy in the Schema Reference.

For more information on BIG-IP AS3 string expansion, see String Expansion in URLs, iRules, and Other Values in the Reference Guide.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Tenant.
  • An Application named Application.
  • A virtual server named service that references a WAF policy.
  • A WAF policy named wafPolicy with a text policy, and the expand property that includes a JSON pointer to a value to expand.
{
    "class": "ADC",
    "schemaVersion": "3.46.0",
    "id": "WAF_Policy",
    "Tenant": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualAddresses": ["192.0.2.10"],
                "policyWAF": {
                    "use": "wafPolicy"
                }
            },
            "wafPolicy": {
                "class": "WAF_Policy",
                "policy": {
                    "text": "{\n  \"policy\": {\n    \"name\": \"AppPolicy01\",\n    \"description\": \"embedded WAF Policy\",\n    \"template\": {\n      \"name\": \"POLICY_TEMPLATE_RAPID_DEPLOYMENT\"\n    },\n    \"open-api-files\": [\n      {\n        \"link\": \"https:\/\/example.com\/files\/`A`\/openapi.yaml\"\n      }\n    ]\n  }\n}\n"
                },
                "expand": [
                    "/policy/open-api-files/0/link"
                ]
            }
        }
    }
}

Back to top


Using the httpHost condition in an Endpoint policy rule

In this example, we show how you can use the httpHost condition in your Endpoint policy rules. This allows you to match the host of an HTTP request, proxy request, or proxy connect.

The options for httpHost are:

  • host - Matches the host name.
  • port - Matches the port number.
  • all - Matches the full host header string.

For more information on LTM Endpoint Policies, see Local Traffic Policies in the BIG-IP documentation.

Also see Policy_Condition_HTTP_Host in the Schema Reference.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Tenant.
  • An Application named Application.
  • A virtual server named http_host_service
  • An HTTP profile named httpProfile
  • A Data Group named hostnames
  • An Endpoint policy named http_host_policy that contains three rules that use the different options for the httpHost condition.
{
    "class": "ADC",
    "schemaVersion": "3.47.0",
    "remark": "HTTP Host condition with LTM policy",
    "Tenant": {
        "class": "Tenant",
        "Application": {            
            "class": "Application",
            "http_host_service": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "10.0.1.10"
                ],
                "policyEndpoint": "http_host_policy",
                "profileHTTP": {
                    "use": "httpProfile"
                }
            },
            "httpProfile": {
                "class": "HTTP_Profile",
                "proxyConnectEnabled": true,
                "proxyType": "explicit",
                "resolver": {
                    "bigip": "/Common/f5-aws-dns"
                }
            },
            "hostnames": {
                "class": "Data_Group",
                "keyDataType": "string",
                "records": [
                    {
                        "key": "testKey",
                        "value": "test.com"
                    },
                    {
                        "key": "exampleKey",
                        "value": "example.com"
                    }
                ]
            },
            "http_host_policy": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "http_host_1",
                        "conditions": [
                            {
                                "type": "httpHost",
                                "event": "proxy-request",
                                "all": {
                                    "operand": "contains",
                                    "datagroup": {
                                        "bigip": "/Common/hostnames"
                                    }
                                }
                            }
                        ]
                    },
                    {
                        "name": "http_host_2",
                        "conditions": [
                            {
                                "type": "httpHost",
                                "event": "request",
                                "host": {
                                    "operand": "ends-with",
                                    "values": [
                                        "test.com",
                                        "example.com"
                                    ]
                                },
                                "caseSensitive": true
                            }
                        ]
                    },
                    {
                        "name": "http_host_3",
                        "conditions": [
                            {
                                "type": "httpHost",
                                "event": "proxy-connect",
                                "port": {
                                    "operand": "equals",
                                    "values": [
                                        8080,
                                        8443
                                    ]
                                }
                            }
                        ]
                    }
                ]
            }
        }
    }
}

Back to top


Using HTTP Status condition in an Endpoint policy rule

In this example, we show how you can use the httpStatus condition in your Endpoint policy rules. This allows you to match the HTTP status code of an HTTP request and configure the appropriate action.

For more information on LTM Endpoint Policies, see Local Traffic Policies in the BIG-IP documentation.

Also see Policy_Condition Type in the Schema Reference.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named AS3_Tenant.
  • An Application named AS3_Application.
  • A virtual server named service that references an endpoint policy
  • Three Data Groups named allDataGroup, textDataGroup, and codeDataGroup
  • An Endpoint policy named test_EP that contains a rule that includes a number of httpStatus condition examples.
{
    "class": "ADC",
    "schemaVersion": "3.48.0",
    "id": "Endpoint_Policy",
    "AS3_Tenant": {
        "class": "Tenant",
        "AS3_Application": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "1.2.3.4"
                ],
                "policyEndpoint": {
                    "use": "test_EP"
                }
            },
            "allDataGroup": {
                "class": "Data_Group",
                "label": "HTTP Status All",
                "storageType": "internal",
                "name": "HTTP Status All",
                "keyDataType": "string",
                "records": [
                    {
                        "key": "403 Forbidden"
                    },
                    {
                        "key": "404 Not Found"
                    }
                ]
            },
            "textDataGroup": {
                "class": "Data_Group",
                "label": "HTTP Status Text",
                "storageType": "internal",
                "name": "HTTP Status Text",
                "keyDataType": "string",
                "records": [
                    {
                        "key": "Bad Request"
                    },
                    {
                        "key": "Unauthorized"
                    }
                ]
            },
            "codeDataGroup": {
                "class": "Data_Group",
                "label": "HTTP Status Codes",
                "storageType": "internal",
                "name": "HTTP Status Codes",
                "keyDataType": "integer",
                "records": [
                    {
                        "key": 400
                    },
                    {
                        "key": 500
                    }
                ]
            },
            "test_EP": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "log",
                        "actions": [
                            {
                                "type": "log",
                                "event": "response",
                                "write": {
                                    "message": "The message",
                                    "facility": "local1",
                                    "priority": "warning",
                                    "ipAddress": "5.6.7.8",
                                    "port": 123
                                }
                            }
                        ],
                        "conditions": [
                            {
                                "type": "httpStatus",
                                "event": "response",
                                "all": {
                                    "operand": "equals",
                                    "values": [
                                        "204 No Content",
                                        "205 Reset Content",
                                        "206 Partial Content"
                                    ]
                                }
                            },
                            {
                                "type": "httpStatus",
                                "event": "response",
                                "all": {
                                    "operand": "equals",
                                    "datagroup": {
                                        "use": "allDataGroup"
                                    }
                                }
                            },
                            {
                                "type": "httpStatus",
                                "event": "response",
                                "text": {
                                    "operand": "contains",
                                    "values": [
                                        "Unauthorized",
                                        "Payment Required"
                                    ]
                                }
                            },
                            {
                                "type": "httpStatus",
                                "event": "response",
                                "text": {
                                    "operand": "ends-with",
                                    "datagroup": {
                                        "use": "textDataGroup"
                                    }
                                }
                            },
                            {
                                "type": "httpStatus",
                                "event": "response",
                                "code": {
                                    "operand": "greater",
                                    "values": [
                                        500
                                    ]
                                }
                            },
                            {
                                "type": "httpStatus",
                                "event": "response",
                                "code": {
                                    "operand": "equals",
                                    "datagroup": {
                                        "use": "codeDataGroup"
                                    }
                                }
                            }
                        ]
                    }
                ]
            }
        }
    }
}

Back to top