f5devcentral / f5-automation-config-converter

Convert BIG-IP configs to AS3 and DO declarations
https://clouddocs.f5.com/products/extensions/f5-automation-config-converter/latest/
Apache License 2.0

profileBotDefense references are missing #32

Closed frslater closed 3 years ago

frslater commented 3 years ago

Environment

Summary

When bot-defense profiles are converted, the declaration contains the profileBotDefense property in the appropriate Service classes, but as an object with the "use" property instead of "bigip". "use" implies that the definition is within the declaration. Since AS3 does not support bot-defense definitions, it cannot be in the declaration. The following is required:

  1. replace "use" with "bigip".
  2. provide documentation explaining that users who wish to preserve their bot-defense profiles must maintain them outside of AS3. ACC will put a reference in the declaration that assumes the existence of the named bot-defense profile.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert the following config:

    security bot-defense asm-profile /Common/xyz {
        app-service none
    }
    ltm virtual /Common/abc {
        destination /Common/10.0.11.22:80
        ip-protocol tcp
        profiles {
            /Common/xyz { }
            /Common/serverssl {
                context serverside
            }
            /Common/tcp { }
            /Common/websecurity { }
        }
    }

  2. Observe the following result within the declaration:

    "profileBotDefense": {
        "use": "/Common/Shared/xyz"
    }

This is invalid because AS3 does not support "use" with "profileBotDefense".
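The condition described in this report, a "use" pointer whose target is not defined inside the declaration, can be checked mechanically. The following Node.js sketch is an added example, not code from ACC or AS3; the function names, the `abc_pool` object and the two pointer forms handled (absolute paths and bare names) are assumptions of the example.

```javascript
// Resolve an AS3 "use" pointer inside the declaration. Assumption: only absolute
// "/Tenant/Application/item" pointers and bare names (same application) are handled.
function resolveUse(declaration, pointer, appPath) {
    const parts = pointer.startsWith('/') ? pointer.split('/').filter(Boolean) : [...appPath, pointer];
    let node = declaration;
    for (const key of parts) {
        const isObject = node !== null && typeof node === 'object';
        if (!isObject || !Object.prototype.hasOwnProperty.call(node, key)) return undefined;
        node = node[key];
    }
    return node;
}

// Report every { "use": ... } whose target is not an object defined in the declaration.
function findDanglingUse(declaration) {
    const findings = [];
    const walk = (node, path) => {
        if (node === null || typeof node !== 'object') return;
        if (typeof node.use === 'string') {
            const target = resolveUse(declaration, node.use, path.slice(0, 2));
            const defined = target !== null && typeof target === 'object' && 'class' in target;
            if (!defined) findings.push({ at: '/' + path.join('/'), use: node.use });
            return;
        }
        for (const [key, value] of Object.entries(node)) walk(value, [...path, key]);
    };
    walk(declaration, []);
    return findings;
}

// Constructed sample: the service from this issue plus a pool that IS defined in the declaration.
const sample = {
    class: 'ADC',
    Common: {
        class: 'Tenant',
        Shared: {
            class: 'Application',
            template: 'shared',
            abc_pool: { class: 'Pool' },
            abc: {
                class: 'Service_TCP',
                pool: { use: 'abc_pool' },
                profileBotDefense: { use: '/Common/Shared/xyz' },
                clientTLS: { bigip: '/Common/serverssl' }
            }
        }
    }
};
console.log(findDanglingUse(sample));
```

Only the `profileBotDefense` reference is reported; the `pool` pointer resolves to an object in the declaration and the `bigip` reference is not inspected because it names an object expected to exist on the device.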

mdditt2000 commented 3 years ago

Created Jira CHARON-301 for PM tracking. Currently no milestone.

p-semenov-f5 commented 3 years ago

Hello!

I tried to solve that and found that security 'bot-defense asm-profile' is not fully supported in AS3 and BIG-IP.

I can create a 'bot-defense profile', but not a 'bot-defense asm-profile'. Those profiles have absolutely different fields.

I could load the last one only with 'tmsh load sys config from-terminal merge'.

I also tried to create pre-existing objects and post AS3 with the right reference (AS3 3.28), but it didn't work.

    [root@ltm-50_charon:Active:Standalone] config # tmsh list security bot-defense asm-profile /Common/Shared/xyz
    security bot-defense asm-profile Shared/xyz {
        app-service none
        clientside-in-use disabled
        flags 0
        inject-javascript disabled
        persistent-data-validity-period 0
        send-brute-force-challenge disabled
        send-javascript-challenge disabled
        send-javascript-efoxy disabled
        send-javascript-fingerprint disabled
    }
    [root@ltm-50_charon:Active:Standalone] config #

    {
        "class": "ADC",
        "schemaVersion": "3.28.0",
        "id": "urn:uuid:34ea2594-d2fd-4c78-a8c7-a5c68391b791",
        "label": "Converted Declaration",
        "remark": "Auto-generated by AS3 Config Converter",
        "Common": {
            "class": "Tenant",
            "Shared": {
                "class": "Application",
                "template": "shared",
                "abc": {
                    "layer4": "tcp",
                    "class": "Service_TCP",
                    "profileBotDefense": {
                        "bigip": "/Common/Shared/xyz"
                    },
                    "clientTLS": {
                        "bigip": "/Common/serverssl"
                    },
                    "profileTCP": {
                        "bigip": "/Common/tcp"
                    },
                    "virtualAddresses": [
                        "10.0.11.22"
                    ],
                    "virtualPort": 80,
                    "persistenceMethods": [],
                    "snat": "none"
                }
            }
        }
    }

Error:

    {
        "code": 422,
        "declarationFullId": "",
        "message": "Unable to find /Common/Shared/xyz for /Common/Shared/abc/profileBotDefense"
    }

-- I've described it better in the Jira task.

mdditt2000 commented 3 years ago

There is no such instance as "security bot-defense asm-profile" in the AS3 code, which means it is not supported. Closing this bug as blocked/invalid.