Manual Chapter : Using external referencing

Applies To:

BIG-IP ASM

  • 16.0.0

An external reference in the declarative policy is a reference to a code block that can be used as part of the policy without including the actual code block within the policy file. A set of predefined configurations for parts of the policy is incorporated into the policy by referencing them. This ensures that the policy is always up to date in a constantly changing environment.
For example, to build a dynamic policy, configure the code block files relevant to the policy, and then configure the policy to reference the files. Every time the policy is imported into the BIG-IP, it uses the most up-to-date version of the referenced files.
External references are supported only from BIG-IP version 16.x onward.
The following are recommendations for using external references:
  • Use HTTPS instead of HTTP.
  • Use trusted CA-signed certificates.
  • Make sure sensitive URLs cannot be accessed from BIG-IP as external references.
In the policy file, the direct property name is suffixed with "Reference", and "link" is used to call the reference. For example, the property "urls" is updated to "urlReference" and "data-guard" to "dataGuardReference".
In the following example, references are called using "link":
{
  "policy": {
    "name": "External_References",
    "description": "Testing 'link'",
    "template": {
      "name": "POLICY_TEMPLATE_FUNDAMENTAL"
    },
    "applicationLanguage": "utf-8",
    "enforcementMode": "blocking",
    "protocolIndependent": false,
    "enablePassiveMode": false,
    "urlReference": {
      "link": "http://172.29.42.75/REF_URLs.txt"
    },
    "dataGuardReference": {
      "link": "http://172.29.42.75/data-guard-ref.txt"
    },
    "filetypeReference": {
      "link": "http://172.29.42.75/File-types.txt"
    },
    "whitelistIpReference": {
      "link": "http://172.29.42.75/whitelist-ips-ref.txt"
    }
  },
  "modificationsReference": {
    "link": "file://my_modifications.json"
  }
}
The following is an example of a whitelist IP reference file (whitelist-ips-ref.txt):
[
  {
    "ignoreIpReputation": false,
    "blockRequests": "policy-default",
    "ignoreAnomalies": false,
    "neverLogRequests": true,
    "ipAddress": "1.1.1.1",
    "neverLearnRequests": false,
    "ipMask": "255.255.255.255",
    "trustedByPolicyBuilder": false
  },
  {
    "ignoreIpReputation": false,
    "blockRequests": "policy-default",
    "ignoreAnomalies": true,
    "neverLogRequests": true,
    "ipAddress": "2.2.2.2",
    "neverLearnRequests": false,
    "ipMask": "255.255.255.255",
    "trustedByPolicyBuilder": true
  },
  {
    "ignoreIpReputation": true,
    "blockRequests": "policy-default",
    "ignoreAnomalies": false,
    "neverLogRequests": false,
    "ipAddress": "3.3.3.3",
    "neverLearnRequests": false,
    "ipMask": "255.255.255.255",
    "trustedByPolicyBuilder": false
  }
]
The following is an example of a modification reference file (my_modifications.json):
{
  "modifications": [
    {
      "entityChanges": {
        "type": "explicit"
      },
      "entity": {
        "name": "log"
      },
      "entityType": "filetype",
      "action": "delete",
      "description": "Delete Disallowed File Type"
    }
  ]
}
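
One way to check a policy file against the recommendations above before importing it, shown as an added example that is not part of the F5 manual or any F5 tool. The function names and the allowlisted host policy-refs.example.com are assumptions of this example, and flagging every scheme other than https (including the file:// link) is its own strict choice.

```python
import json
from urllib.parse import urlparse

# The policy from the example above, trimmed to its reference properties.
SAMPLE_POLICY = json.loads("""
{
  "policy": {
    "name": "External_References",
    "urlReference": {"link": "http://172.29.42.75/REF_URLs.txt"},
    "dataGuardReference": {"link": "http://172.29.42.75/data-guard-ref.txt"},
    "filetypeReference": {"link": "http://172.29.42.75/File-types.txt"},
    "whitelistIpReference": {"link": "http://172.29.42.75/whitelist-ips-ref.txt"}
  },
  "modificationsReference": {"link": "file://my_modifications.json"}
}
""")

def find_references(node, path="$"):
    """Yield (json_path, link) for every *Reference property that has a link."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.endswith("Reference") and isinstance(value, dict) and "link" in value:
                yield child, value["link"]
            else:
                yield from find_references(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_references(item, f"{path}[{i}]")

def audit(policy_doc, allowed_hosts):
    """Return (json_path, link, reason) for links that break the recommendations."""
    findings = []
    for path, link in find_references(policy_doc):
        url = urlparse(link)
        if url.scheme != "https":
            findings.append((path, link, f"scheme '{url.scheme}' is not https"))
        elif url.hostname not in allowed_hosts:
            findings.append((path, link, f"host '{url.hostname}' not in allowlist"))
    return findings

if __name__ == "__main__":
    # policy-refs.example.com is a hypothetical reference-file server.
    for path, link, reason in audit(SAMPLE_POLICY, {"policy-refs.example.com"}):
        print(f"{path}: {link} -> {reason}")
```

Run against the sample policy, every reference is reported because none of the links use https; the host allowlist covers the recommendation that sensitive URLs must not be reachable as external references.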