F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

WAF_Policy: allow use of policy/use referring to an existing ASM Policy on the BIG-IP #863

Open amolari opened 1 month ago

amolari commented 1 month ago

Environment

Summary

It would be expected that in the WAF_Policy class, one can refer to an existing ASM policy. For example, the LTM policy rule's action refers to the WAF_Policy object, which refers to an existing ASM policy (already installed on the BIG-IP) as a pointer.

[...]
            "actions": [
              {
                "event": "request",
                "type": "waf",
                "enabled": true,
                "policy": {
                  "use": "myPolicyA"
                }
              }
            ]
          }
        ],
        "strategy": "best-match",
        "class": "Endpoint_Policy"
      },
      "myPolicyA": {
        "class": "WAF_Policy",
        "policy": {
          "use": "/Common/policy_a"
        }
      },
[...]

Expected Behavior

Scenario mentioned above works. The WAF_Policy class object is a simple pointer to an existing ASM policy.

Actual Behavior

Not working, we get the following error: {"code":422,"errors":["/Tenant/App/myPolicyA/policy: should NOT have additional properties"],"declarationFullId":"","message":"declaration is invalid","declarationId":"691121"}
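
A pre-flight check for the error reported above, as an added example that is not part of the original issue or the AS3 code base: it walks a declaration and flags `WAF_Policy` objects that use `policy.use`, reporting the same path style as the 422 message, and also lists services that attach an existing policy through `policyWAF.bigip`. The function name `auditWafReferences` and the trimmed sample declaration are assumptions constructed from the snippets in this thread.

```javascript
// Constructed, trimmed sample built from the two snippets in this thread.
const sampleDeclaration = {
  class: 'ADC',
  Tenant: {
    class: 'Tenant',
    App: {
      class: 'Application',
      myPolicyA: { class: 'WAF_Policy', policy: { use: '/Common/policy_a' } },
      vs_waf: { class: 'Service_HTTPS', policyWAF: { bigip: '/Common/asm-policy-name' } }
    }
  }
};

const isObject = (v) => v !== null && typeof v === 'object';

// Hypothetical helper. Walks the declaration and collects:
//   rejected  - WAF_Policy objects using "policy": {"use": ...}, the form
//               that produced the 422 error quoted in this issue
//   bigipRefs - objects attaching an existing policy via policyWAF.bigip
function auditWafReferences(node, path = '', out = { rejected: [], bigipRefs: [] }) {
  if (!isObject(node)) return out;
  if (node.class === 'WAF_Policy' && isObject(node.policy) && 'use' in node.policy) {
    out.rejected.push({ path: `${path}/policy`, target: node.policy.use });
  }
  if (isObject(node.policyWAF) && typeof node.policyWAF.bigip === 'string') {
    out.bigipRefs.push({ path: `${path}/policyWAF`, target: node.policyWAF.bigip });
  }
  // Recurse into every property (array indices become path segments).
  for (const [key, value] of Object.entries(node)) {
    auditWafReferences(value, `${path}/${key}`, out);
  }
  return out;
}

const report = auditWafReferences(sampleDeclaration);
for (const r of report.rejected) {
  console.log(`${r.path}: pointer to ${r.target} is the form rejected in this issue`);
}
for (const r of report.bigipRefs) {
  console.log(`${r.path}: attaches existing BIG-IP policy ${r.target}`);
}
```

Running this in CI before posting a declaration surfaces the rejected pointer form without a round trip to the BIG-IP.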

JuergenMang commented 1 month ago

You can use the following snippet to assign an existing WAF policy. There is no requirement to define a policy object.

"vs_waf": {
    "class": "Service_HTTPS",
    "policyWAF": {
        "bigip": "/Common/asm-policy-name"
    }
}

amolari commented 1 month ago

@JuergenMang Indeed, today we're using what you've mentioned. But we have a special request/use case where we would like to easily switch the declaration from using existing (on the BIG-IP) ASM policies to URL-fetched policies.

sunitharonan commented 1 month ago

Thanks Alexandre, we have created AUTOTOOL-4470 and added it to our backlog.