My Support
  1. AskF5 Home
  2. Knowledge Center
  3. BIG-IP Declarative Security Policies
  4. Working with Declarative Policy
Manual Chapter : Working with Declarative Policy

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

Working with Declarative Policy

Incorporating policy builder suggestions

  1. Export policy builder suggestions.
    Send a POST request to
    https://<your-BIG-IP>/mgmt/tm/asm/tasks/export-suggestions
    . Use the following body content:
    {
    "inline": "true",
    "policyReference": {
        "link": "https://<Your_BigIP_Ip>/mgmt/tm/asm/policies/Policy_Key/"
    }
}
    Send a GET request to
    https://<your-BIG-IP>/mgmt/tm/asm/tasks/export-suggestions
    .
    The following is an example for exported suggestions:
    "suggestions": [
    {
        "entityChanges": {
            "signatureOverrides": [
                {
                    "name": "my_TAGGED_SIG",
                    "tag": "my_tag",
                    "enabled": false
                }
            ],
            "type": "explicit"
        },
        "entity": {
            "protocol": "http",
            "name": "/index.php",
            "method": "*"
        },
        "entityType": "url",
        "action": "update-append",
        "description": "Disable the matched signature on the matched URL"
    },
    {
        "entityChanges": {
            "signatureOverrides": [
                {
                    "name": "my_UNTAGGED_SIG",
                    "tag": "",
                    "enabled": false
                }
            ],
            "type": "explicit"
        },
        "entity": {
            "protocol": "http",
            "name": "/index.php",
            "method": "*"
        },
        "entityType": "url",
        "action": "update-append",
        "description": "Disable the matched signature on the matched URL"
    }
]
  2. Update the declarative policy with exported suggestions.
    Use the
    Modifications
     property to add suggestions in the policy. The following is an example:
    "modifications": [
    {
        "entity": {
            "protocol": "http",
            "name": "/index.php",
            "method": "*"
        },
        "entityChanges": {
            "signatureOverrides": [
                {
                    "name": "my_TAGGED_SIG",
                    "tag": "my_tag",
                    "enabled": false
                }
            ],
            "type": "explicit"
        },
        "entityType": "url",
        "action": "update-append",
        "description": "Disable the matched signature on the matched URL"
    },
    {
        "entity": {
            "protocol": "http",
            "name": "/index.php",
            "method": "*"
        },
        "entityChanges": {
            "signatureOverrides": [
                {
                    "name": "my_UNTAGGED_SIG",
                    "tag": "",
                    "enabled": false
                }
            ],
            "type": "explicit"
        },
        "entityType": "url",
        "action": "update-append",
        "description": "Disable the matched signature on the matched URL"
    }
]
  3. Import the updated declarative policy, refer to Declarative policy import.

Declarative policy log files

Advanced WAF and ASM store the import policy log file in BIG-IP device folder
/var/log/asm
.
These log files can be used to identify and troubleshoot issues while processing the declarative policies.

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks

©2021 F5, Inc. All rights reserved.

Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information