F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

Add ASM Settings configuration #656

Open correiap opened 1 year ago

correiap commented 1 year ago

Is your feature request related to a problem? Please describe.

As part of our F5 Onboarding Process we need to set some ASM Settings (below) that exist in neither AS3 nor DO.

Describe the solution you'd like

We'd like to perform such configuration through AS3 or DO.

Describe alternatives you've considered

Today we're using Ansible to configure everything that can't be done either through DO or AS3, which adds complexity to our Onboarding process.

Additional context

Ansible Tasks Workaround

Anti-Virus Protection (ASM Integrated Services) -

- name: Set ASM Antivirus Protection (ICAP)
  uri:
    url: https://{{ ansible_host }}:{{ bigip_port }}/mgmt/tm/asm/virus-detection-server
    user: "{{ bigip_admin_username }}"
    password: "{{ bigip_admin_password }}"
    headers:
      Content-Type: "application/json"
    body_format: json
    body: '{"guaranteeEnforcement":true,"hostname":"{{ icap_server.vs_ip }}", "port":{{ icap_server.port }} }'
    force_basic_auth: yes
    method: PATCH
    validate_certs: no  # the BIG-IP management certificate is not verified
    return_content: no
    status_code: 201
  delegate_to: localhost

ASM Advanced Configuration - Systems Variables

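- name: Set ASM Advanced Configuration system variables
  bigip_asm_advanced_settings:
    provider: "{{ provider }}"
    name: "{{ item.name }}"
    value: "{{ item.value }}"
  delegate_to: localhost
  # One name/value pair per item loaded from the settings file
  loop: "{{ asm_adv_config_from_file.json }}"
  loop_control:
    pause: 10  # seconds to wait between items
  register: asm_sys_variables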
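
A hardened variant of the ICAP task above, as an added example that is not part of the original comment or of the AS3/DO projects: it verifies the BIG-IP management certificate, keeps the admin credentials out of task output, and builds the JSON body from data instead of string interpolation. `bigip_ca_bundle` is a hypothetical variable (path to the CA bundle that issued the management certificate); the other variables are the ones used in the thread.

```yaml
# Added example. Assumption: bigip_ca_bundle is a hypothetical variable that
# points at the CA bundle which issued the BIG-IP management certificate.
- name: Check ICAP server values before they reach the BIG-IP
  ansible.builtin.assert:
    that:
      - icap_server.vs_ip is string
      - icap_server.vs_ip | length > 0
      - icap_server.port | int >= 1
      - icap_server.port | int <= 65535
    fail_msg: "icap_server.vs_ip or icap_server.port is missing or out of range"
  delegate_to: localhost

- name: Set ASM Antivirus Protection (ICAP) with TLS verification
  ansible.builtin.uri:
    url: "https://{{ ansible_host }}:{{ bigip_port }}/mgmt/tm/asm/virus-detection-server"
    url_username: "{{ bigip_admin_username }}"
    url_password: "{{ bigip_admin_password }}"
    force_basic_auth: true
    method: PATCH
    body_format: json
    # Built as a single expression so the module receives a dict and serializes
    # it itself: port stays an integer and a stray quote in a variable cannot
    # change the structure of the JSON document.
    body: >-
      {{ {'guaranteeEnforcement': true,
          'hostname': icap_server.vs_ip,
          'port': icap_server.port | int} }}
    validate_certs: true
    ca_path: "{{ bigip_ca_bundle }}"
    status_code: 201  # kept from the task in the thread
    return_content: false
  no_log: true  # keep the basic-auth credentials out of logs and verbose output
  delegate_to: localhost
```
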

sunitharonan commented 1 year ago

Thank you for your feedback. I have added this issue to our internal product backlog as AUTOTOOL-3518.

mdditt2000 commented 1 year ago

@correiap after looking into this issue we believe that AS3 shouldn't be configuring the ASM API. This is something the ASM declaration API tooling needs to handle. Or handled by Ansible/Terraform. AS3 will simply add the ASM profile to the VirtualServer.

Closing out at this time.

correiap commented 1 year ago

@mdditt2000 That's why I asked it to be added to AS3 or DO. We need to set some ASM Variables and Anti-Virus Protection during the onboarding process. The idea is to minimize as much as possible the dependency on Ansible and/or Terraform.

mdditt2000 commented 1 year ago

Understood, however AS3 is application creation only. I asked the support engineer to reach out to the WAF API PM as this would be the better option. AS3/DO don't configure a WAF policy.

correiap commented 1 year ago

@mdditt2000 I'm not asking to configure a Policy. I want to configure ASM global settings. ASM Advanced System Variables are not related to WAF Policies. ICAP (integrated services, anti-virus protection configuration) is not a Policy feature either, it's related to the device configuration.

mdditt2000 commented 1 year ago

True, those global settings should be added via the /mgmt/tm/asm/ API.

correiap commented 1 year ago

And those being global/base settings cannot be added to DO?

mdditt2000 commented 1 year ago

@correiap one of the devs is going to run some tests to check if DO is an option. Stand by.

mdditt2000 commented 1 year ago

@correiap was able to modify that object (mgmt/tm/asm/virus-detection-server) with curl so DO should be able to do this. Want to make sure I capture the required variables below.

image

correiap commented 1 year ago

@mdditt2000 thanks, that's exactly what we need. Especially the restart ASM part, it's much easier if it's done at an early stage.

correiap commented 1 year ago

Hi @mdditt2000, Do you have any updates on this enhancement request?

Thanks