F5 - ASM Repro with Ansible (WAF Advanced)

Description

This article describes how to build a fast ASM repro with Ansible, without needing a pool or a backend server and, above all, without affecting production service. Sometimes it is not clear why a policy raises violations and/or blocks legitimate requests. This configuration deploys two virtual servers: the first receives the client traffic, and the second acts as the server or pool that answers it.

Prerequisites

  • Linux with Ansible
  • Access to the ASM BIG-IP with an admin user

Installing Ansible and running the playbook

  1. Install Ansible on a Linux box, e.g. Debian, CentOS, Ubuntu.

# 1. Install python

$ sudo apt install python


# 2. Install "pip"

$ curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py

# OR

https://bootstrap.pypa.io/pip/2.7/get-pip.py

$ python3 get-pip.py --user


# 3. Install ansible using "pip":

$ sudo pip install ansible   ## pip installation guide: https://pip.pypa.io/en/stable/installing/

$ pip --version              ## check the pip version

$ apt install python-pip     ## if pip is not installed, run this command to install it

$ sudo pip install virtualenv


# 4. Ansible can also be installed inside a new or existing virtualenv:

$ python -m virtualenv ansible   # create a virtualenv if one does not already exist
$ source ansible/bin/activate    # activate the virtual environment
$ pip install ansible

# NOTE: to avoid "The python f5-sdk module is required" errors:
# pip install f5-sdk


# 5. Create the repository

sudo mkdir ~/ansible
cd ~/ansible
sudo mkdir inventory library playbooks files roles scripts templates
sudo mkdir -p inventory/group_vars/ inventory/host_vars
sudo touch ansible.cfg inventory/hosts
sudo touch ansible.cfg inventory/hosts inventory/group_vars/all.yaml inventory/host_vars/host1.yaml playbooks/site.yaml


# 6. Add localhost to the inventory file and save it.

~/ansible/inventory$ cat hosts

localhost

2. Create two files with the following iRules:

Note: In this example, I used vi as an editor. However, feel free to use the one you like.

  • Forwarding iRule:

$ vi forwarding.tcl

  • Copy, paste, and save this iRule:

when HTTP_REQUEST {
    # hand the request over to the virtual server named "response"
    virtual response
}

  • Response iRule:

$ vi response.tcl

  • Copy, paste, and save this iRule:

when HTTP_REQUEST {
    # answer every request locally with a 200 body, so no pool is needed
    HTTP::respond 200 content {
    200 OK }
    # iRule command names are case sensitive: HTTP::close, not http::close
    HTTP::close
}

3. Create the playbook file:

$ vi ~/ansible/playbooks/asm_repro.yaml

4. Now, let's edit the playbook by replacing the following fields:

server: XXX.XXX.XXX.XXX = BIG-IP management address

destination: YYY.YYY.YYY.YYY = IP address of the Virtual Server that receives the client traffic

destination: ZZZ.ZZZ.ZZZ.ZZZ = IP address of the Virtual Server that acts as the pool or server

- name: Create two VS, iRules for ASM repro
  hosts: all
  connection: local
  vars:
    provider:
      password: admin
      server: XXX.XXX.XXX.XXX
      user: admin
      validate_certs: no
      server_port: 443
  tasks:
    # VS that receives the client traffic (the ASM policy is attached here later)
    - name: Create a VIP test
      bigip_virtual_server:
        provider: "{{ provider }}"
        description: test
        destination: YYY.YYY.YYY.YYY
        name: test
        port: 80
        snat: Automap
        profiles:
          - http
      delegate_to: localhost
    # VS that plays the role of the pool/server and answers every request
    - name: Create a VIP response
      bigip_virtual_server:
        provider: "{{ provider }}"
        description: response
        destination: ZZZ.ZZZ.ZZZ.ZZZ
        name: response
        port: 80
        snat: Automap
        profiles:
          - http
      delegate_to: localhost
    # the .tcl files must be reachable from where ansible-playbook is run
    - name: Add the iRule contained in static file forwarding.tcl to the LTM module
      bigip_irule:
        module: ltm
        name: forwarding
        src: forwarding.tcl
        state: present
        provider: "{{ provider }}"
      delegate_to: localhost
    - name: Add the iRule contained in static file response.tcl to the LTM module
      bigip_irule:
        module: ltm
        name: response
        src: response.tcl
        state: present
        provider: "{{ provider }}"
      delegate_to: localhost
    # "test" forwards to the "response" VS
    - name: Attach iRules to VS test
      bigip_virtual_server:
        provider: "{{ provider }}"
        name: "test"
        port: 80
        irules:
          - forwarding
      delegate_to: localhost
    # "response" answers with 200 OK (the VS is named response, not forwarding)
    - name: Attach iRules to VS response
      bigip_virtual_server:
        provider: "{{ provider }}"
        name: "response"
        port: 80
        irules:
          - response
      delegate_to: localhost

Note: Bear in mind that Ansible is sensitive to indentation.

5. Once everything is done, let's execute the playbook:

~/ansible$ ansible-playbook -i inventory/hosts playbooks/asm_repro.yaml

6. Import the ASM policy and attach it to the Virtual Server called "test".

7. Apply the logging profile.

8. Send the request to the virtual server "test" to log and validate the violation that the client request raises in the ASM policy.
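As an added example (not part of the original article), a small Python client for step 8: it sends one request to the "test" virtual server and classifies the answer. Because the "response" VS in this setup always replies with the body "200 OK", any other reply came from ASM, and the support ID printed on the default ASM blocking page is extracted so the event can be looked up in the request log. The address, path and headers below are placeholders.

```python
import re
import urllib.error
import urllib.request
from typing import Dict, Optional

# Wording of the default ASM blocking page ("Your support ID is: <digits>").
SUPPORT_ID_RE = re.compile(r"Your support ID is:\s*(\d+)")


def classify(status: int, body: str) -> Dict[str, Optional[str]]:
    """Classify a reply received through the 'test' VS.

    allowed    -> the request reached the 'response' VS (policy let it through)
    blocked    -> ASM served its blocking page; support_id identifies the event
    unexpected -> anything else (misconfiguration, VS down, non-ASM error page)
    """
    match = SUPPORT_ID_RE.search(body)
    if match:
        return {"result": "blocked", "support_id": match.group(1)}
    if status == 200 and body.strip() == "200 OK":
        return {"result": "allowed", "support_id": None}
    return {"result": "unexpected", "support_id": None}


def send_repro(url: str, method: str = "GET", headers: Optional[dict] = None,
               data: Optional[bytes] = None, timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Send one request to the test VS and classify the answer."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        # a blocking page is normally served with a non-2xx status; keep its body
        status, body = err.code, err.read().decode(errors="replace")
    return classify(status, body)


if __name__ == "__main__":
    # Placeholder: YYY.YYY.YYY.YYY is the 'test' VS address from the playbook.
    # Replay the legitimate request that the policy is suspected of blocking.
    print(send_repro("http://YYY.YYY.YYY.YYY/app/login?user=alice",
                     headers={"User-Agent": "asm-repro/1.0"}))
```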

Hopefully, this article helps you test your own policies, understand how traffic behaves with your configuration, and make the right corrections to avoid blocking legitimate traffic.
