Add or delete a parameter from multiple ASM policies or modify multiple ASM policies via API (iControlREST)
Problem this snippet solves:

Sometimes it is necessary to add a parameter to multiple policies or to all policies, or to delete a parameter from multiple policies. If you have hundreds of ASM policies and try to do this via the GUI, it takes a long time and it is boring. For example, you have a new vulnerability scanner and want to add it to all policies, or your contract with a security analysis company has ended and you want to delete their IP address from all ASM policies. If you have a lot of policies, this becomes a big issue.

How to use this snippet:

I wrote a sample bash script. It adds an IP to the trusted IP list of multiple ASM policies, or deletes an IP from the trusted IP list of all ASM policies.

Firstly, you must choose which ASM policies you want to change. Use this command to get the list of ASM policies and write it into a file (asmPolicies.txt):

```
curl -k -u <admin>:<password> -H "Content-Type: application/json" -X GET 'https://<F5 IP Address>/mgmt/tm/asm/policies?$select=id,name,fullPath' | jq -r '.items[] | "\(.id) \(.name) \(.fullPath)"' > asmPolicies.txt
```

This is the sample content of an asmPolicies.txt:

```
[root@f5 asmPolicies]# cat asmPolicies.txt
x3yyOJTe3CvcWJDMqpnrgQ First /Common/First
RqXf73h6qZY94EFGVDSlbg SecPolManual_First /Common/SecPolManual_First
d928o8by0WBrWdW7oadMQg SecPol-Lab14 /Common/SecPol-Lab14
i4LnoF4GwMKRhTZ81RCeSQ SecPol-Lab14.2 /Common/SecPol-Lab14.2
kLoqhuDoa6bEeBjcrFo4VA SecPol-Lab15.1 /Common/SecPol-Lab15.1
DvE_fPp2tLUZvJi8cb8Rpg SecPol-Lab15.2 /Common/SecPol-Lab15.2
52dxLNxjExt6QRNvbg7fHA SecPol-Lab15.3 /Common/SecPol-Lab15.3
DcSvljkbLZQD19adkVdV3A SecPol-Lab16.2 /Common/SecPol-Lab16.2
rJ6Mt9sPxzgLu6WHyyifLg SecPol-Lab16.4 /Common/SecPol-Lab16.4
Sy_0vNh-5VXal-xDlMXMqw Single_URI /Common/Single_URI
Hzyj8pZF6flV3VhTkCFkig SecPol-Lab22.2 /Common/SecPol-Lab22.2
sPR5LNQrrf29I1xZ8MtcRA SecPol-Lab16.4_2 /Common/SecPol-Lab16.4_2
```

Secondly, check asmPolicies.txt and erase the lines for the policies you don't want to change.

Last, copy updateAsmPolicies.sh (attached) into a directory, then run updateAsmPolicies.sh with an appropriate command and parameter.

```
Usage: updateAsmPolicies.sh command parameter
Commands:
-a, --add                      add an IP address into the trusted IP list
-d, --delete                   delete an IP address from the trusted IP list
-c, --change <orgIP-newIP>     delete the orgIP from the trusted IP list, then add the newIP into the trusted IP list

updateAsmPolicies.sh -a 1.1.1.1 -> adds 1.1.1.1 into the trusted IP list
updateAsmPolicies.sh -d 1.1.1.1 -> deletes 1.1.1.1 from the trusted IP list
```

That is it. This is just a sample.

Code :

```bash
#!/bin/bash
####
#### AUTHOR: FARUK AYDIN --- farukaydin at yahoo.com
#### DATE: 2018.01.25
#### This script adds or deletes or changes the trusted IP addresses in the asm policies
####
#### Prerequisite commands:
#### echo
#### curl
#### jq
#### shift
#### cut
#### cat

function usage {
    echo "Usage: $0 command parameter"
    echo "Commands:"
    echo "-a, --add       add an IP address into the trusted IP lists"
    echo "-d, --delete    delete an IP address from the trusted IP lists"
    echo "-c, --change    delete the orgIP from trusted IP lists, then add the newIP into the trusted IP lists"
    exit 0
}

if [ $# -eq 0 ]; then
    usage
fi

# Add IP address $2 to the trusted IP list of the policy with id $1.
addingIP() {
    echo "adding $2 into $1 policy"
    curl -sk -u "${f5user}:${f5pass}" -H "Content-Type: application/json" -X POST \
        -d '{"ipAddress":"'"$2"'","ipMask":"255.255.255.255","trustedByPolicyBuilder":true}' \
        "https://${f5host}/mgmt/tm/asm/policies/$1/whitelist-ips"
}

# Look up the id of the entry for IP address $2 in policy $1, then delete that entry.
deleteIP() {
    # Pass the IP to jq as a variable instead of splicing it into the filter text.
    md5IP=$(curl -sk -u "${f5user}:${f5pass}" -H "Content-Type: application/json" -X GET \
        "https://${f5host}/mgmt/tm/asm/policies/$1/whitelist-ips" |
        jq -r --arg ip "$2" '.items[] | select(.ipAddress==$ip) | "\(.id)"')
    if [ -z "$md5IP" ]; then
        echo "$2 is not found in $1 policy"
    else
        echo "deleting $2 from $1 policy"
        curl -sk -u "${f5user}:${f5pass}" -H "Content-Type: application/json" -X DELETE \
            "https://${f5host}/mgmt/tm/asm/policies/$1/whitelist-ips/${md5IP}"
    fi
}

UNKNOWN=()
param=0
whatToDo="nothing"
whatToDoN=0

# Connection settings: replace with your own values.
# Note: curl -k above skips TLS certificate verification.
f5user="admin"
f5pass="password"
f5host="192.168.1.245"

while [[ $# -gt 0 ]]
do
    key="$1"
    case $key in
        -a|--add)
            ((param++))
            addIP="$2"
            whatToDo="adding a new trusted IP(${addIP}) to all asm policies"
            whatToDoN=1
            shift # past argument
            shift # past value
            ;;
        -d|--delete)
            ((param++))
            delIP="$2"
            whatToDo="deleting the trusted IP(${delIP}) from all asm policies"
            whatToDoN=2
            shift # past argument
            shift # past value
            ;;
        -c|--change)
            ((param++))
            changeIP="$2"
            # Accept orgIP-newIP; if there is no "-", fall back to orgIP:newIP.
            orgIP=$(echo "$changeIP" | cut -f1 -d-)
            newIP=$(echo "$changeIP" | cut -f2 -d-)
            if [ "${orgIP}" == "${newIP}" ] ; then
                orgIP=$(echo "$changeIP" | cut -f1 -d:)
                newIP=$(echo "$changeIP" | cut -f2 -d:)
            fi
            whatToDo="changing the trusted IP(${orgIP}) with the new IP(${newIP}) in all asm policies"
            whatToDoN=3
            shift # past argument
            shift # past value
            ;;
        --default)
            DEFAULT=YES
            ((param++))
            shift # past argument
            ;;
        *) # unknown option
            UNKNOWN+=("$1") # save it in an array for later
            shift # past argument
            ;;
    esac
done

if [ "${param}" -gt 1 ] ; then
    echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
    echo "!!!!!!!! you used ${param} commands !!!!!!!!"
    echo "!!! you must use only one command !!!"
    echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
    usage
fi

echo "${whatToDo}", Option: "${whatToDoN}"

# The first column of asmPolicies.txt is the policy id.
for i in $(cut -d " " -f 1 asmPolicies.txt); do
    case $whatToDoN in
        1)
            addingIP "$i" "$addIP"
            ;;
        2)
            deleteIP "$i" "$delIP"
            ;;
        3)
            deleteIP "$i" "$orgIP"
            addingIP "$i" "$newIP"
            ;;
    esac
done
```

Tested this on version: 12.1

DDoS IPI List - Whitelist NTP Servers
Problem this snippet solves:

Legitimate IP address ranges of valid NTP servers. Additional info can be found at: https://github.com/c2theg/DDoS_lists

How to use this snippet:

Add to IPI feeds.

Security >> Network Firewall >> IP Intelligence : Feed Lists

Create new list: DDoS_Feeds

Add rule. Give it a good name, e.g. whitelist_ntp_servers

List Type: whitelist
Update frequency: 3600
Default Blacklist Category: (Create new one) Whitelisted_Source
Admin / Password: <Leave Blank>

Tested this on version: 13.0

DDoS IPI List - Whitelist DNS Servers
Problem this snippet solves:

Legitimate IP address ranges of valid DNS servers. Additional info can be found at: https://github.com/c2theg/DDoS_lists

How to use this snippet:

Add to IPI feeds.

Security >> Network Firewall >> IP Intelligence : Feed Lists

Create new list: DDoS_Feeds

Add rule. Give it a good name, e.g. whitelist_dns_servers

List Type: whitelist
Update frequency: 3600
Default Blacklist Category: (Create new one) Whitelisted_Source
Admin / Password: <Leave Blank>

Tested this on version: 13.0

DDoS IPI List - Bogons
Problem this snippet solves:

Bogon IP address ranges to block traffic from. Additional info can be found at: https://github.com/c2theg/DDoS_lists

How to use this snippet:

Add to IPI feeds.

Security >> Network Firewall >> IP Intelligence : Feed Lists

Create new list: DDoS_Feeds

Add rule. Give it a good name, e.g. blacklist_bogon

List Type: blacklist
Update frequency: 432000
Default Blacklist Category: (Create new one) Blacklisted_Source
Admin / Password: <Leave Blank>

Tested this on version: 13.0

DDoS IPI List - Whitelist Update Domains
Problem this snippet solves:

Legitimate IP address ranges and domain names of valid update servers. Additional info can be found at: https://github.com/c2theg/DDoS_lists

How to use this snippet:

Add to IPI feeds.

Security >> Network Firewall >> IP Intelligence : Feed Lists

Create new list: DDoS_Feeds

Add rule. Give it a good name, e.g. whitelist_update_servers

List Type: whitelist
Update frequency: 3600
Default Blacklist Category: (Create new one) Whitelisted_Source
Admin / Password: <Leave Blank>

Tested this on version: 13.0
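
Referring back to the updateAsmPolicies.sh script in the first snippet on this page: the following is an added example, not part of the original script, that validates the IP argument, the orgIP-newIP pair and each policy id read from asmPolicies.txt, then prints the planned whitelist-ips requests without sending anything. The function names and the SKIP output format are assumptions; the sample file is constructed, reusing two ids from the sample listing.

```shell
#!/bin/sh
# Added example: validate inputs and print a dry-run plan. Sends nothing.

# is_ipv4 ADDR: true only for a dotted quad, octets 0-255, no leading zeros.
is_ipv4() (
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $1                      # split on dots (subshell keeps IFS local)
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in 0?*|????*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done
)

# split_change SPEC: print "orgIP newIP" for "orgIP-newIP" or "orgIP:newIP".
split_change() (
    case $1 in
        *-*) org=${1%%-*}; new=${1#*-} ;;
        *:*) org=${1%%:*}; new=${1#*:} ;;
        *)   exit 1 ;;
    esac
    is_ipv4 "$org" && is_ipv4 "$new" && [ "$org" != "$new" ] || exit 1
    echo "$org $new"
)

# plan_changes add|delete IP FILE: one output line per policy in FILE
# ("id name fullPath" per line); malformed ids are reported and skipped.
plan_changes() (
    is_ipv4 "$2" || { echo "invalid IP: $2" >&2; exit 2; }
    while read -r id name path; do
        [ -n "$id" ] || continue
        case $id in
            *[!A-Za-z0-9_-]*) echo "SKIP malformed policy id: $id" ;;
            *) echo "$1 $2 $path /mgmt/tm/asm/policies/$id/whitelist-ips" ;;
        esac
    done < "$3"
)

# Constructed sample input: two ids from the listing, one malformed line.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
x3yyOJTe3CvcWJDMqpnrgQ First /Common/First
Sy_0vNh-5VXal-xDlMXMqw Single_URI /Common/Single_URI
bad/id Broken /Common/Broken
EOF
plan_changes add 1.1.1.1 "$sample"
```

Reviewing the printed plan before running the real script shows exactly which policies will gain or lose a trusted IP.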