bigip_awaf_policy – Manage WAF policy with input parameters
New in version 2.0.0.
Parameters
Parameter | Type | Choices/Defaults | Comments
---|---|---|---
allowed_file_types | list / elements=dictionary |  | List of allowed file types.
name (suboption of allowed_file_types) | string / required |  | Defines the name of the file.
type (suboption of allowed_file_types) | string / required |  | Defines whether the value provided in name is to be treated as explicit or a wildcard.
apply_policy | boolean |  | When true, applies the WAF policy after creating or modifying. This parameter is mutually exclusive with dump_json.
case_insensitive | boolean |  | Specifies whether the security policy treats microservice URLs, file types, URLs, and parameters as case sensitive or not. When true, the system stores these security policy elements in lowercase in the security policy configuration. When unspecified, this parameter is set to false when creating a new WAF policy.
description | string |  | Specifies descriptive text that identifies the WAF policy.
disallowed_file_types | list / elements=dictionary |  | List of disallowed file types.
name (suboption of disallowed_file_types) | string / required |  | Defines the name of the file. The type of this file is always explicit.
dump_json | boolean |  | Sets the module to output a WAF policy in JSON for further consumption. When true, does not make any changes on the device and always returns changed=False. The output provided is idempotent in nature, meaning if there are no changes to be made, the output will not be generated except when force is set to true. This parameter is mutually exclusive with apply_policy.
enable_passive_mode | boolean |  | When true, the policy can be associated with a Performance L4 Virtual Server. When unspecified, this parameter is set to false when creating a new WAF policy.
enforcement_mode | string |  | Defines how the system processes a request that triggers a security policy violation. When blocking, the traffic is blocked if it causes a violation. When transparent, the traffic is not blocked even if a violation is triggered. When unspecified, this parameter is set to transparent when creating a new WAF policy.
force | boolean |  | If true, the policy_in_json will be applied in its entirety over the existing WAF policy. When true, module operations are not idempotent.
language | string |  | The character encoding for the web application. The character encoding determines how the policy processes the character sets. When unspecified, the parameter is set to auto-detect when creating a new WAF policy.
name | string |  | The unique user-given name of the policy. Policy names cannot contain spaces or special characters. This parameter is mutually exclusive with policy_id. This parameter is mandatory when creating a new WAF policy.
open_api_files | list / elements=string |  | List of links for open API files on the policy.
partition | string | Default: "Common" | Device partition to manage resources on.
pb_learning_mode | string |  | Learning setting for Policy Builder. When unspecified, this parameter is set to manual when creating a new WAF policy.
policy_id | string |  | The device generated ID of the existing WAF policy. This parameter is mutually exclusive with name.
policy_in_json | raw |  | User provided JSON for a WAF policy, normally used as an end-user template for rapid policy deployments. When specified, the parameters in this module take precedence over parameters defined in policy_in_json, and will overwrite them when a new WAF policy is created. When using policy_in_json to modify an existing WAF policy, the force parameter must be true in order to apply the policy_in_json in its entirety. Each WAF policy contains parameters not covered by the parameters in this module, so no comparison operation is run on them and they might remain unchanged on the device.
protocol_independent | boolean |  | When true, the security policy differentiates between HTTP and HTTPS. When false, the security policy configures URLs without specifying a specific protocol. When unspecified, this parameter is set to false when creating a new WAF policy.
server_technologies | list / elements=string |  | The server technology is a server-side application, framework, web server, or operating system type that is configured in the policy in order to adapt the policy to the checks needed for the respective technology. This parameter must be specified when creating a new WAF policy. The valid elements that can be specified in the list are: ASP, ASP.NET, AngularJS, Apache Struts, Apache Tomcat, Apache/NCSA HTTP Server, BEA Systems WebLogic Server, Backbone.js, CGI, Cisco, Citrix, CodeIgniter, CouchDB, Django, Elasticsearch, Ember.js, Express.js, Front Page Server Extensions (FPSE), Google Web Toolkit, GraphQL, Handlebars, IBM DB2, IIS, JBoss, Java Servlets/JSP, JavaScript, JavaServer Faces (JSF), Jenkins, Jetty, Joomla, Laravel, Lotus Domino, Macromedia ColdFusion, Macromedia JRun, Microsoft SQL Server, Microsoft Windows, MongoDB, MooTools, Mustache, MySQL, Nginx, Node.js, Novell, Oracle, Oracle Application Server, Oracle Identity Manager, Outlook Web Access, PHP, PostgreSQL, Prototype, Proxy Servers, Python, React, Redis, RequireJS, Ruby, SQLite, SSI (Server Side Includes), SharePoint, Spring Boot, Sybase/ASE, TYPO3 CMS, UIKit, Underscore.js, Unix/Linux, Vue.js, WebDAV, WordPress, XML, ZURB Foundation, Zend, ef.js, jQuery.
state | string |  | When present, ensures the security WAF policy is created/modified. When absent, ensures the security WAF policy is removed.
template | string |  | Specifies the name of the template used for WAF policy creation. The parameter is required when creating a new WAF policy.
type | string |  | The type of policy to be created. When parent, the policy can be used as a basis for similar child policies. Parent policy settings can be inherited by its child policies. A parent policy cannot be applied to Virtual Servers. When security, the policy can be created from a parent policy or as a stand-alone policy. Changes to a security policy do not affect other security policies. A security policy can be applied to a virtual server. When unspecified, this parameter is set to security when creating a new WAF policy.
Examples
- name: Create aWAF policy with json template
  bigip_awaf_policy:
    name: "foobar_awaf"
    policy_in_json: "{{ lookup('file', 'awaf_big_policy.json') }}"
    server_technologies:
      - "Apache Tomcat"
    apply_policy: "yes"

- name: Create aWAF policy without json
  bigip_awaf_policy:
    name: "custom_awaf"
    server_technologies:
      - "AngularJS"
      - "Apache Struts"
      - "Apache Tomcat"
    template: "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
    pb_learning_mode: "disabled"
    allowed_file_types:
      - name: "js"
        type: "explicit"
      - name: "jpg"
        type: "explicit"
    disallowed_file_types:
      - name: "php"
    apply_policy: "yes"

- name: Modify aWAF policy using policy_id
  bigip_awaf_policy:
    policy_id: "{{ policy_id }}"
    language: "utf-8"
    pb_learning_mode: "manual"
    apply_policy: 'yes'

- name: Overwrite existing aWAF policy with json template
  bigip_awaf_policy:
    name: "foobar_awaf"
    policy_in_json: "{{ lookup('file', 'awaf_new_policy.json') }}"
    server_technologies:
      - "AngularJS"
    allowed_file_types:
      - name: "php"
        type: "explicit"
      - name: "jpg"
        type: "explicit"
      - name: "js"
        type: "explicit"
    disallowed_file_types:
      - name: "*"
    apply_policy: "yes"
    force: "yes"

- name: Remove aWAF policies
  bigip_awaf_policy:
    name: "foobar_awaf"
    state: absent
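
The parameter descriptions above state several constraints (mutually exclusive pairs, parameters required on creation, the force requirement when modifying with policy_in_json, and the transparent default for enforcement_mode) that can be checked before a task reaches the device. The following Python is an added example, not part of the module or of the original page; lint_task, the creating flag and the sample dictionaries are hypothetical, and demanding template only when policy_in_json is absent is an assumption drawn from the first example above.

```python
# Added example: pre-flight lint for bigip_awaf_policy task arguments.
# Rules come from the parameter descriptions on this page; lint_task, the
# `creating` flag and the sample dicts are hypothetical names for illustration.

MUTUALLY_EXCLUSIVE = [("apply_policy", "dump_json"), ("name", "policy_id")]


def truthy(value):
    """Accept Ansible-style booleans such as 'yes', 'true' or True."""
    return str(value).strip().lower() in {"yes", "true", "on", "1"}


def lint_task(args, creating):
    """Return findings for one task's arguments (creating=True for a new policy)."""
    findings = []
    for a, b in MUTUALLY_EXCLUSIVE:
        if a in args and b in args:
            findings.append(f"error: {a} and {b} are mutually exclusive")
    has_json = "policy_in_json" in args
    if creating:
        required = ["name", "server_technologies"]
        if not has_json:
            # Assumption: the page's first example omits template when
            # policy_in_json is supplied, so it is only demanded without it.
            required.append("template")
        for key in required:
            if key not in args:
                findings.append(f"error: {key} is required when creating a policy")
        if "enforcement_mode" not in args and not has_json:
            findings.append("warn: enforcement_mode defaults to transparent")
    elif has_json and not truthy(args.get("force", False)):
        findings.append("warn: policy_in_json is not applied in full without force")
    if truthy(args.get("force", False)):
        findings.append("info: force makes module operations non-idempotent")
    return findings


# Constructed sample tasks, modelled on the examples above.
CREATE = {"name": "custom_awaf", "server_technologies": ["AngularJS"],
          "template": "POLICY_TEMPLATE_RAPID_DEPLOYMENT", "apply_policy": "yes"}
BAD_MODIFY = {"name": "foobar_awaf", "policy_id": "{{ policy_id }}",
              "policy_in_json": "{}", "apply_policy": "yes", "dump_json": "yes"}
OVERWRITE = {"name": "foobar_awaf", "policy_in_json": "{}", "force": "yes"}

if __name__ == "__main__":
    for label, task, creating in [("create", CREATE, True),
                                  ("bad modify", BAD_MODIFY, False),
                                  ("overwrite", OVERWRITE, False)]:
        print(label, lint_task(task, creating))
```
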
Return Values
The following are the fields unique to this module:
Key | Type | Returned | Description
---|---|---|---
allowed_file_types | complex | changed | List of allowed file types.
name (under allowed_file_types) | string | changed | Defines the name of the file. Sample: php
type (under allowed_file_types) | string | changed | Defines whether the value provided in the name is to be treated as explicit or a wildcard. Sample: explicit
case_insensitive | boolean | changed | Specifies whether the security policy treats microservice URLs, file types, URLs, and parameters as case sensitive or not.
description | string | changed | Specifies descriptive text that identifies the WAF policy. Sample: this is a new policy
disallowed_file_types | complex | changed | List of disallowed file types.
name (under disallowed_file_types) | string | changed | Defines the name of the file. Sample: php
enable_passive_mode | boolean | changed | Specifies whether the security policy can be associated with a Performance L4 Virtual Server.
enforcement_mode | string | changed | Defines how the system processes a request that triggers a security policy violation. Sample: blocking
json | string | changed | Policy JSON in string format. Sample: { "policy" : { "name": "foobar_awaf", "fullPath": "/Common/foobar_awaf"
language | string | changed | The character encoding for the web application. Sample: utf-8
open_api_files | list | changed | List of links for open api files on the policy. Sample: ['https://foobar.com/file/api/foo.txt']
pb_learning_mode | string | changed | Learning setting for Policy Builder. Sample: manual
policy_id | string | changed | The device generated ID of the existing or created WAF policy. Sample: yE48MEYUzFoeevnd8UjAoQ
protocol_independent | boolean | changed | Specifies whether the security policy differentiates between HTTP and HTTPS.
server_technologies | list | changed | The list of server technologies applied on the WAF policy. Sample: ['ef.js', 'jQuery']
template | string | changed | Specifies the name of the template used for WAF policy creation. Sample: POLICY_TEMPLATE_RAPID_DEPLOYMENT
type | string | changed | The type of policy to be created. Sample: security