Manual Chapter : Working with Declarative Policy

Applies To:

BIG-IP ASM

  • 15.1.2, 15.1.0

Uploading a user defined signatures set

User defined signature sets are only supported from BIG-IP version 16.x.
  1. Upload the signatures set file to the BIG-IP.
    Send a POST request to
    https://<your-BIG-IP>/mgmt/tm/asm/file-transfer/uploads/sigfile.json.
    Use the following headers:
    Authorization: Basic <base64-encoded string of your BIG-IP username:password>
    Content-Type: application/json
    Content-Range: 0-[filesize-1]/filesize
    The following is an example signatures set file content:
    {
      "softwareVersion": "16.0.0",
      "tag": "user",
      "signatures": [
        {
          "name": "user_sig 5",
          "rule": "valuecontent:\"/userSig/V\"; nocase; httponly; norm;",
          "signatureType": "request",
          "attackType": { "name": "Brute Force Attack" },
          "systems": [
            { "name": "Microsoft Windows" },
            { "name": "Unix/Linux" }
          ],
          "risk": "medium",
          "accuracy": "medium",
          "description": "Users user defined sig 5 updated"
        },
        {
          "name": "user_sig_51",
          "rule": "re2:\"/UserSig51/V\"; nocase; norm;",
          "signatureType": "request",
          "attackType": { "name": "Brute Force Attack" },
          "systems": [
            { "name": "Microsoft Windows" },
            { "name": "Unix/Linux" }
          ],
          "risk": "medium",
          "accuracy": "medium",
          "description": "Users user defined sig 51 updated"
        }
      ]
    }
  2. Update the signatures.
    Send a POST request to
    https://<your-BIG-IP>/mgmt/tm/asm/tasks/update-signatures/.
    Use the following headers:
    Authorization: Basic <base64-encoded string of your BIG-IP username:password>
    Content-Type: application/json
  3. Verify the updated signatures.
    Send a GET request to
    https://<your-BIG-IP>/mgmt/tm/asm/tasks/update-signatures/<task-ID>.
    The signatures are updated successfully if the response contains status code 200 with "status": "COMPLETED".
  4. Upload the policy to the BIG-IP.
    The following is an example policy file that references user defined signatures:
    {
      "policy": {
        "name": "policy_override_user_defined_sig_on_parameter_foo",
        "description": "JSON declarative policy for CICD",
        "template": { "name": "POLICY_TEMPLATE_FUNDAMENTAL" },
        "applicationLanguage": "utf-8",
        "enforcementMode": "blocking",
        "caseInsensitive": false,
        "protocolIndependent": false,
        "enablePassiveMode": false,
        "signature-requirements": [
          {
            "tag": "user",
            "minRevisionDatetime": "2019-01-15T08:57:10Z",
            "maxRevisionDatetime": "2020-02-15T08:57:10Z"
          }
        ],
        "signatures": [
          {
            "name": "user_sig",
            "tag": "user",
            "enabled": true,
            "learn": true,
            "performStaging": false
          }
        ],
        "signature-sets": [
          {
            "name": "user_sigs",
            "block": true,
            "learn": true,
            "signatureSet": {
              "filter": { "tagValue": "user", "tagFilter": "eq" }
            }
          }
        ]
      }
    }
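A pre-flight helper for steps 1 to 4, as an added example that is not F5's code: it builds the upload headers (Content-Range is computed from the byte length of the file), applies the step 3 success criterion, and lists policy signature references that the signatures set file does not define. The function names, the sample credentials and the trimmed sample data are assumptions of this example; the reference check is a local consistency check only, not a statement about how BIG-IP resolves names.

```python
import base64
import json

def build_upload_headers(body: bytes, username: str, password: str) -> dict:
    """Headers for the single-request file upload in step 1."""
    if not body:
        raise ValueError("signatures set file is empty")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    size = len(body)  # bytes sent on the wire, not characters
    return {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/json",
        "Content-Range": f"0-{size - 1}/{size}",
    }

def unresolved_signature_refs(sigset: dict, policy_doc: dict) -> list:
    """Policy "signatures" entries whose (name, tag) the set file does not define."""
    defined = {(s["name"], sigset.get("tag")) for s in sigset.get("signatures", [])}
    refs = policy_doc["policy"].get("signatures", [])
    return [(r["name"], r.get("tag")) for r in refs
            if (r["name"], r.get("tag")) not in defined]

def task_completed(status_code: int, body: dict) -> bool:
    """Step 3 criterion: status code 200 with "status": "COMPLETED"."""
    return status_code == 200 and body.get("status") == "COMPLETED"

# Constructed sample data, trimmed from the example files on this page.
SIGSET = {"softwareVersion": "16.0.0", "tag": "user", "signatures": [
    {"name": "user_sig 5", "rule": 'valuecontent:"/userSig/V"; nocase; httponly; norm;'},
    {"name": "user_sig_51", "rule": 're2:"/UserSig51/V"; nocase; norm;'},
]}
POLICY = {"policy": {
    "name": "policy_override_user_defined_sig_on_parameter_foo",
    "signatures": [{"name": "user_sig", "tag": "user", "enabled": True}],
}}

if __name__ == "__main__":
    body = json.dumps(SIGSET).encode("utf-8")
    headers = build_upload_headers(body, "admin", "example-password")
    print("Content-Range:", headers["Content-Range"])
    # The page's policy names "user_sig", which the page's set file does not define.
    print("unresolved references:", unresolved_signature_refs(SIGSET, POLICY))
```

Run against the page's own two example files, the check reports the policy's reference to "user_sig", a mismatch worth catching in a CI/CD pipeline before the upload.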

Incorporating policy builder suggestions

  1. Export policy builder suggestions.
    Send a POST request to
    https://<your-BIG-IP>/mgmt/tm/asm/tasks/export-suggestions.
    Use the following body content:
    {
      "inline": "true",
      "policyReference": {
        "link": "https://<Your_BigIP_Ip>/mgmt/tm/asm/policies/Policy_Key/"
      }
    }
    Send a GET request to
    https://<your-BIG-IP>/mgmt/tm/asm/tasks/export-suggestions.
    The following is an example of exported suggestions:
    "suggestions": [
      {
        "entityChanges": {
          "signatureOverrides": [
            { "name": "my_TAGGED_SIG", "tag": "my_tag", "enabled": false }
          ],
          "type": "explicit"
        },
        "entity": { "protocol": "http", "name": "/index.php", "method": "*" },
        "entityType": "url",
        "action": "update-append",
        "description": "Disable the matched signature on the matched URL"
      },
      {
        "entityChanges": {
          "signatureOverrides": [
            { "name": "my_UNTAGGED_SIG", "tag": "", "enabled": false }
          ],
          "type": "explicit"
        },
        "entity": { "protocol": "http", "name": "/index.php", "method": "*" },
        "entityType": "url",
        "action": "update-append",
        "description": "Disable the matched signature on the matched URL"
      }
    ]
  2. Update the declarative policy with exported suggestions.
    Use the modifications property to add suggestions in the policy. The following is an example:
    "modifications": [
      {
        "entity": { "protocol": "http", "name": "/index.php", "method": "*" },
        "entityChanges": {
          "signatureOverrides": [
            { "name": "my_TAGGED_SIG", "tag": "my_tag", "enabled": false }
          ],
          "type": "explicit"
        },
        "entityType": "url",
        "action": "update-append",
        "description": "Disable the matched signature on the matched URL"
      },
      {
        "entity": { "protocol": "http", "name": "/index.php", "method": "*" },
        "entityChanges": {
          "signatureOverrides": [
            { "name": "my_UNTAGGED_SIG", "tag": "", "enabled": false }
          ],
          "type": "explicit"
        },
        "entityType": "url",
        "action": "update-append",
        "description": "Disable the matched signature on the matched URL"
      }
    ]
  3. Import the updated declarative policy. Refer to Declarative policy import.
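An added example (not F5's code) of step 2: it copies exported suggestions into the policy file's modifications list, skipping entries already present, and returns every newly added override that disables a signature, since each of those switches off a check and is worth a review before import. Placing "modifications" as a top-level key beside "policy", and the names merge_suggestions, EXPORTED and POLICY, are assumptions of this example.

```python
import copy
import json

def merge_suggestions(policy_doc: dict, exported: dict):
    """Return (merged_doc, weakening); the inputs are not mutated.

    weakening lists each newly added override that sets "enabled": false.
    """
    merged = copy.deepcopy(policy_doc)
    mods = merged.setdefault("modifications", [])  # assumed top-level key
    # Canonical JSON as the identity: key order may differ, content may not.
    seen = {json.dumps(m, sort_keys=True) for m in mods}
    weakening = []
    for s in exported.get("suggestions", []):
        key = json.dumps(s, sort_keys=True)
        if key in seen:
            continue  # already in the policy file
        seen.add(key)
        mods.append(copy.deepcopy(s))
        for o in s.get("entityChanges", {}).get("signatureOverrides", []):
            if o.get("enabled") is False:
                weakening.append({
                    "entityType": s.get("entityType"),
                    "entity": s.get("entity", {}).get("name"),
                    "signature": o.get("name"),
                    "tag": o.get("tag"),
                })
    return merged, weakening

def _suggestion(sig_name: str, tag: str) -> dict:
    # Constructed sample in the shape of the exported suggestions on this page.
    return {
        "entityChanges": {"signatureOverrides": [
            {"name": sig_name, "tag": tag, "enabled": False}], "type": "explicit"},
        "entity": {"protocol": "http", "name": "/index.php", "method": "*"},
        "entityType": "url",
        "action": "update-append",
        "description": "Disable the matched signature on the matched URL",
    }

EXPORTED = {"suggestions": [_suggestion("my_TAGGED_SIG", "my_tag"),
                            _suggestion("my_UNTAGGED_SIG", "")]}
POLICY = {"policy": {"name": "example_policy",  # constructed policy name
                     "template": {"name": "POLICY_TEMPLATE_FUNDAMENTAL"}}}

if __name__ == "__main__":
    merged, weakening = merge_suggestions(POLICY, EXPORTED)
    for w in weakening:
        print("REVIEW before import: disables", w)
```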

Declarative policy log files

Advanced WAF and ASM store the import policy log file in the BIG-IP device folder /var/log/asm.
These log files can be used to identify and troubleshoot issues while processing the declarative policies.