Last updated on: 2024-01-16 03:25:50.

bigip_awaf_policy – Manage WAF policy with input parameters

New in version 2.0.0.

Synopsis

  • Manage WAF policy with input parameters.

Parameters

Parameter Choices/Defaults Configuration Comments
allowed_file_types
list / elements=dictionary
List of allowed file types.
  name
string / required
Defines the name of the file.
  type
string / required
    Choices:
  • explicit
  • wildcard
Defines whether the value provided in name is to be treated as explicit or a wildcard.
apply_policy
boolean
    Choices:
  • no ←
  • yes
When true, applies the WAF policy after creating or modifying.
This parameter is mutually exclusive with dump_json.
case_insensitive
boolean
    Choices:
  • no
  • yes
Specifies whether the security policy treats microservice URLs, file types, URLs, and parameters as case sensitive or not.
When true, the system stores these security policy elements in lowercase in the security policy configuration.
When unspecified, this parameter is set to false when creating a new WAF policy.
description
string
Specifies descriptive text that identifies the WAF policy.
disallowed_file_types
list / elements=dictionary
List of disallowed file types.
  name
string / required
Defines the name of the file.
The type of this file is always explicit.
dump_json
boolean
    Choices:
  • no ←
  • yes
Sets the module to output a WAF policy in JSON for further consumption.
When true, does not make any changes on the device and always returns changed=False.
The output provided is idempotent in nature, meaning if there are no changes to be made, the output will not be generated except when force is set to true.
This parameter is mutually exclusive with apply_policy.
enable_passive_mode
boolean
    Choices:
  • no
  • yes
When true, the policy can be associated with a Performance L4 Virtual Server.
When unspecified, this parameter is set to false when creating a new WAF policy.
enforcement_mode
string
    Choices:
  • blocking
  • transparent
Defines how the system processes a request that triggers a security policy violation.
When blocking, the traffic is blocked if it causes a violation.
When transparent, the traffic is not blocked even if a violation is triggered.
When unspecified, this parameter is set to transparent when creating a new WAF policy.
force
boolean
    Choices:
  • no ←
  • yes
If true, the policy_in_json will be applied in its entirety over the existing WAF policy.
When true, module operations are not idempotent.
language
string
    Choices:
  • auto-detect
  • big5
  • euc-jp
  • euc-kr
  • gb18030
  • gb2312
  • gbk
  • iso-8859-1
  • iso-8859-10
  • iso-8859-13
  • iso-8859-15
  • iso-8859-16
  • iso-8859-2
  • iso-8859-3
  • iso-8859-4
  • iso-8859-5
  • iso-8859-6
  • iso-8859-7
  • iso-8859-8
  • iso-8859-9
  • koi8-r
  • shift_jis
  • utf-8
  • windows-1250
  • windows-1251
  • windows-1252
  • windows-1253
  • windows-1255
  • windows-1256
  • windows-1257
  • windows-874
The character encoding for the web application.
The character encoding determines how the policy processes the character sets.
When unspecified, this parameter is set to auto-detect when creating a new WAF policy.
name
string
The unique user-given name of the policy. Policy names cannot contain spaces or special characters.
This parameter is mutually exclusive with policy_id.
This parameter is mandatory when creating a new WAF policy.
open_api_files
list / elements=string
List of links to OpenAPI files for the policy.
partition
string
Default:
"Common"
Device partition to manage resources on.
pb_learning_mode
string
    Choices:
  • automatic
  • disabled
  • manual
Learning setting for Policy Builder.
When unspecified, this parameter is set to manual when creating a new WAF policy.
policy_id
string
The device generated ID of the existing WAF policy.
This parameter is mutually exclusive with name.
policy_in_json
raw
User-provided JSON for a WAF policy, normally used as an end-user template for rapid policy deployments.
When specified, the parameters in this module take precedence over parameters defined in policy_in_json, and will overwrite them when a new WAF policy is created.
When using policy_in_json to modify an existing WAF policy, the force parameter must be true for the policy_in_json to be applied in its entirety. Each WAF policy contains parameters not covered by the parameters in this module; no comparison operation is run on them, so they might remain unchanged on the device.
protocol_independent
boolean
    Choices:
  • no
  • yes
When true, the security policy differentiates between HTTP and HTTPS.
When false, the security policy configures URLs without specifying a specific protocol.
When unspecified, this parameter is set to false when creating a new WAF policy.
server_technologies
list / elements=string
The server technology is a server-side application, framework, web server, or operating system type that is configured in the policy in order to adapt the policy to the checks needed for the respective technology.
This parameter must be specified when creating a new WAF policy.
The valid elements that can be specified in the list are: ASP, ASP.NET, AngularJS, Apache Struts, Apache Tomcat, Apache/NCSA HTTP Server, BEA Systems WebLogic Server, Backbone.js, CGI, Cisco, Citrix, CodeIgniter, CouchDB, Django, Elasticsearch, Ember.js, Express.js, Front Page Server Extensions (FPSE), Google Web Toolkit, GraphQL, Handlebars, IBM DB2, IIS, JBoss, Java Servlets/JSP, JavaScript, JavaServer Faces (JSF), Jenkins, Jetty, Joomla, Laravel, Lotus Domino, Macromedia ColdFusion, Macromedia JRun, Microsoft SQL Server, Microsoft Windows, MongoDB, MooTools, Mustache, MySQL, Nginx, Node.js, Novell, Oracle, Oracle Application Server, Oracle Identity Manager, Outlook Web Access, PHP, PostgreSQL, Prototype, Proxy Servers, Python, React, Redis, RequireJS, Ruby, SQLite, SSI (Server Side Includes), SharePoint, Spring Boot, Sybase/ASE, TYPO3 CMS, UIKit, Underscore.js, Unix/Linux, Vue.js, WebDAV, WordPress, XML, ZURB Foundation, Zend, ef.js, jQuery.
state
string
    Choices:
  • absent
  • present ←
When present, ensures the security WAF policy is created/modified.
When absent, ensures the security WAF policy is removed.
template
string
Specifies the name of the template used for WAF policy creation.
The parameter is required when creating a new WAF policy.
type
string
    Choices:
  • parent
  • security
The type of policy to be created.
When parent, the policy can be used as a basis for similar child policies. Parent policy settings can be inherited by its child policies. A parent policy cannot be applied to Virtual Servers.
When security, the policy can be created from a parent policy or as a stand-alone policy. Changes to a security policy do not affect other security policies. A security policy can be applied to a virtual server.
When unspecified, this parameter is set to security when creating a new WAF policy.

Examples

- name: Create aWAF policy with json template
  bigip_awaf_policy:
    name: "foobar_awaf"
    policy_in_json: "{{ lookup('file', 'awaf_big_policy.json') }}"
    server_technologies:
      - "Apache Tomcat"
    apply_policy: "yes"

- name: Create aWAF policy without json
  bigip_awaf_policy:
    name: "custom_awaf"
    server_technologies:
      - "AngularJS"
      - "Apache Struts"
      - "Apache Tomcat"
    template: "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
    pb_learning_mode: "disabled"
    allowed_file_types:
      - name: "js"
        type: "explicit"
      - name: "jpg"
        type: "explicit"
    disallowed_file_types:
      - name: "php"
    apply_policy: "yes"

- name: Modify aWAF policy using policy_id
  bigip_awaf_policy:
    policy_id: "{{ policy_id }}"
    language: "utf-8"
    pb_learning_mode: "manual"
    apply_policy: 'yes'

- name: Overwrite existing aWAF policy with json template
  bigip_awaf_policy:
    name: "foobar_awaf"
    policy_in_json: "{{ lookup('file', 'awaf_new_policy.json') }}"
    server_technologies:
      - "AngularJS"
    allowed_file_types:
      - name: "php"
        type: "explicit"
      - name: "jpg"
        type: "explicit"
      - name: "js"
        type: "explicit"
    disallowed_file_types:
      - name: "*"
    apply_policy: "yes"
    force: "yes"

- name: Remove aWAF policies
  bigip_awaf_policy:
    name: "foobar_awaf"
    state: absent
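
The parameter rules above can be checked before a playbook reaches a device. The following is an added example, not part of the module or its documentation: a small Python lint over task argument dictionaries that flags the mutually exclusive pairs, invalid choices, the transparent default for enforcement_mode, and policy_in_json used on an existing policy without force. The names lint_task, is_true, SAMPLES and the EXAMPLE_POLICY_ID placeholder are constructed for illustration.

```python
# Added example: offline lint for bigip_awaf_policy task arguments.
# Each rule restates a constraint from the parameter table on this page.
TRUTHY = {"y", "yes", "on", "1", "true", "t"}  # spellings Ansible reads as true
CHOICES = {
    "enforcement_mode": ("blocking", "transparent"),
    "pb_learning_mode": ("automatic", "disabled", "manual"),
    "type": ("parent", "security"),
    "state": ("absent", "present"),
}

def is_true(value):
    return str(value).strip().lower() in TRUTHY

def lint_task(args):
    """Return (level, message) findings for one task's argument dict."""
    out = []
    if is_true(args.get("apply_policy")) and is_true(args.get("dump_json")):
        out.append(("error", "apply_policy and dump_json are mutually exclusive"))
    if "name" in args and "policy_id" in args:
        out.append(("error", "name and policy_id are mutually exclusive"))
    for key, allowed in CHOICES.items():
        if key in args and args[key] not in allowed:
            out.append(("error", f"{key}={args[key]!r} is not a valid choice"))
    if args.get("state", "present") == "absent":
        return out  # removal: the deployment warnings below do not apply
    mode = args.get("enforcement_mode")
    if mode == "transparent":
        out.append(("warn", "transparent: violations are not blocked"))
    elif mode is None and "policy_id" not in args:
        # With name the task may create the policy, which then starts transparent.
        out.append(("warn", "enforcement_mode unset: new policy is transparent"))
    if is_true(args.get("force")):
        out.append(("warn", "force makes the task non-idempotent"))
    elif "policy_in_json" in args and "policy_id" in args:
        out.append(("warn", "policy_in_json is applied in full only with force"))
    return out

# Constructed sample tasks, shaped like yaml.safe_load output for a playbook.
BASE = {"name": "custom_awaf", "server_technologies": ["Apache Tomcat"],
        "template": "POLICY_TEMPLATE_RAPID_DEPLOYMENT", "apply_policy": "yes"}
SAMPLES = {
    "default_mode": BASE,
    "blocking": {**BASE, "enforcement_mode": "blocking"},
    "conflict": {**BASE, "enforcement_mode": "blocking", "dump_json": "yes"},
    "json_no_force": {"policy_id": "EXAMPLE_POLICY_ID", "policy_in_json": "{}"},
}

if __name__ == "__main__":
    for label, task in SAMPLES.items():
        print(label, lint_task(task) or "ok")
```

Errors correspond to combinations the parameter table rules out; warnings mark tasks that are valid but leave violations unblocked or bypass the module's idempotent comparison.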

Return Values

The following are the fields unique to this module:

Key Returned Description
allowed_file_types
complex
changed
List of allowed file types.

  name
string
changed
Defines the name of the file.

Sample:
php
  type
string
changed
Defines whether the value provided in the name is to be treated as explicit or a wildcard.

Sample:
explicit
case_insensitive
boolean
changed
Specifies whether the security policy treats microservice URLs, file types, URLs, and parameters as case sensitive or not.

description
string
changed
Specifies descriptive text that identifies the WAF policy.

Sample:
this is a new policy
disallowed_file_types
complex
changed
List of disallowed file types.

  name
string
changed
Defines the name of the file.

Sample:
php
enable_passive_mode
boolean
changed
Specifies whether the security policy can be associated with a Performance L4 Virtual Server.

enforcement_mode
string
changed
Defines how the system processes a request that triggers a security policy violation.

Sample:
blocking
json
string
changed
Policy JSON in string format.

Sample:
{ "policy" : { "name": "foobar_awaf", "fullPath": "/Common/foobar_awaf"
language
string
changed
The character encoding for the web application.

Sample:
utf-8
open_api_files
list
changed
List of links to OpenAPI files for the policy.

Sample:
['https://foobar.com/file/api/foo.txt']
pb_learning_mode
string
changed
Learning setting for Policy Builder.

Sample:
manual
policy_id
string
changed
The device generated ID of the existing or created WAF policy.

Sample:
yE48MEYUzFoeevnd8UjAoQ
protocol_independent
boolean
changed
Specifies whether the security policy differentiates between HTTP and HTTPS.

server_technologies
list
changed
The list of server technologies applied on the WAF policy.

Sample:
['ef.js', 'jQuery']
template
string
changed
Specifies the name of the template used for WAF policy creation.

Sample:
POLICY_TEMPLATE_RAPID_DEPLOYMENT
type
string
changed
The type of policy to be created.

Sample:
security


Authors

  • Wojciech Wypior (@wojtek0806)