F5Networks / f5-ansible-bigip

Declarative Ansible collection for managing F5 BIG-IP/BIG-IQ.

Can't reference security policy created by bigip_sslo_config_policy #69

Open megamattzilla opened 1 year ago

megamattzilla commented 1 year ago
COMPONENT NAME

bigip_sslo_config_policy

Environment

ANSIBLE VERSION

    ansible [core 2.12.2]
      config file = None
      configured module search path = ['/home/azureuser/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /home/azureuser/python3.8-ansible/lib/python3.8/site-packages/ansible
      ansible collection location = /home/azureuser/.ansible/collections:/usr/share/ansible/collections
      executable location = /home/azureuser/python3.8-ansible/bin/ansible
      python version = 3.8.5 (default, Jan 27 2021, 15:41:15) [GCC 9.3.0]
      jinja version = 3.0.3
      libyaml = True

BIGIP VERSION

    Sys::Version
    Main Package
      Product     BIG-IP
      Version     16.1.3.3
      Build       0.0.3
      Edition     Point Release 3
      Date        Thu Dec 22 12:07:59 PST 2022

CONFIGURATION

OS / ENVIRONMENT

Ubuntu 20.04.3

SUMMARY

After creating an SSLO security policy using the Ansible module bigip_sslo_config_policy, the created policy cannot be referenced by a manually created SSLO topology. The GUI hangs with no error message.

STEPS TO REPRODUCE

Create the following SSLO security policy via Ansible (which is successful):

    - name: Create Explicit HTTP Proxy Security_Policy
      bigip_sslo_config_policy:
        name: "Explicit_proxy"
        server_cert_check: false
        default_rule:
          allow_block: "allow"
          tls_intercept: "intercept"
          service_chain: "Explicit_Proxy"

        policy_rules:
          - name: "Pinners_Rule"
            match_type: "match_all"
            policy_action: "allow"
            ssl_action: "bypass"
            conditions:
              - condition_type: "category_lookup_sni"
                condition_option_category:
                  - "Pinners"
              - condition_type: "ssl_check"

          - name: "Category_Bypass"
            match_type: "match_all"
            policy_action: "allow"
            ssl_action: "bypass"
            conditions:
              - condition_type: "category_lookup_all"
                condition_option_category:
                  - "Financial Data and Services"
                  - "General Email"
                  - "Health and Medicine"
              - condition_type: "ssl_check"

          - name: "Dest_IP_Bypass"
            match_type: "match_all"
            policy_action: "allow"
            ssl_action: "bypass"
            conditions:
              - condition_type: "server_ip_subnet_match"
                condition_option_subnet:
                  - "10.0.0.0/8"
                  - "192.168.1.100/32"
                  - "192.168.1.200/32"
              - condition_type: "ssl_check"

After the security policy has been successfully created via Ansible, navigate to the SSLO web GUI, create a new SSLO topology, and attempt to reference the security policy Explicit_proxy.

EXPECTED RESULTS

The SSLO GUI allows you to associate the security policy Explicit_proxy with the SSLO topology being created.

ACTUAL RESULTS

After choosing "Use Existing" and selecting Explicit_proxy policy and clicking save & next, the GUI hangs with no error message indicating a fatal error.

pgouband commented 11 months ago

Hi,

Thanks for reporting. Added to the backlog; the internal tracking ID for this request is INFRAANO-1265.