f5-appsvcs-extension
Protocol_Inspection_Profiles have no method to adjust settings for all signatures or compliance checks
Is your feature request related to a problem? Please describe.
When adding an AFM IPS/IDS Protocol Inspection Profile, AS3 allows creation of the profile using the Protocol_Inspection_Profile class. Default profiles have signatures already set to combinations of drop or accept. Creating a new profile sets all signatures to don't inspect. The logging is set to log but no logs are created when the rule is set to don't inspect.
The F5 recommendation for IPS is to NOT have any drop/reject settings on a new service but to set all signatures to "accept" and "log" and then monitor any hits. However, this is not easy. There are no details on how to reference the signatures. The AS3 API schema reference provides no information, it just says "No properties": https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html#protocol-inspection-profile-service-signature-checks
There is an example here for DNS: https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/declarations/network-security.html?highlight=protocol_inspection_profile#creating-protocol-inspection-profiles ... but this suggests that we have to list out each individual signature in the declaration and set its action and log status. The "check" tag property also is not viewable anywhere in the GUI or in any F5 documentation. In the example above, the DNS signature with description "PROTOCOL-DNS DNS Query Amplification Attempt" has a tag of "dns_dns_query_amplification_attempt" - but where is the list of signatures and their tag names?
Full Example Declaration - no idea what to put in the tag value as there is no definitive list anywhere:
{
  "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json",
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.34.0",
    "id": "test",
    "label": "test",
    "testpart": {
      "class": "Tenant",
      "testapp": {
        "class": "Application",
        "pip-https": {
          "class": "Protocol_Inspection_Profile",
          "remark": "HTTP Inspection Profile",
          "collectAVRStats": false,
          "enableComplianceChecks": true,
          "enableSignatureChecks": true,
          "autoAddNewInspections": true,
          "autoPublish": true,
          "services": [
            {
              "type": "http",
              "ports": [
                443
              ],
              "signature": [
                {
                  "check": "< tag value unknown >",
                  "action": "accept",
                  "log": true
                }
              ]
            }
          ]
        }
      }
    }
  }
}
Describe the solution you'd like
Two things:
(1) update to the API schema to show exactly what syntax can be used for the compliance (Protocol_Inspection_Profile_Service_Compliance_Checks) and signature (Protocol_Inspection_Profile_Service_Signature_Checks) properties, and a list of allowed tag names.
(2) an ability to set all the signatures (or a subset) within a service to a given action and log value - one way of doing this would be to use a wildcard in the 'check' property as shown below.
Describe alternatives you've considered
Tried to use a wildcard:
"signature": [
  {
    "check": "*",
    "action": "accept",
    "log": true
  }
]
- but this failed with:
"code": 422,
"message": "declaration failed",
"response": "the \\\"create\\\" command does not accept wildcard configuration identifiers",
I don't think we are going to be able to provide a complete list inside the schema reference. A quick check on a random bigip shows over 1800 signatures and over 200 compliances and there are regular updates available expanding their numbers. As we start investigating what we can do to make working with this profile less awkward with documentation and code updates I wanted to stop by with a few early quick tips.
The names can be found either in iControl REST or TMSH. Let's say you see the signature "PROTOCOL-DNS DNS query amplification attempt." in the GUI. You see it has an id of 2402. In TMSH you can find the name with
tmsh list security protocol-inspection signature one-line | grep 'id 2402' | cut -d ' ' -f4
and the result is
dns_dns_query_amplification_attempt
Likewise for a compliance such as "Disallowed Query Type" you can see in the GUI it has the id 10010. In TMSH you can find the name with
tmsh list security protocol-inspection compliance one-line | grep 'id 10010' | cut -d ' ' -f4
and the result is
dns_disallowed_query_type
You can also list all of the signatures or compliances by removing the grep from these samples.
Using iControl REST you can do a GET on either
https://{{host}}/mgmt/tm/security/protocol-inspection/signature
or
https://{{host}}/mgmt/tm/security/protocol-inspection/compliance
to get a list of all signatures and compliances on a BIG-IP but I do not know of any easy way to filter the results on the command line.
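Since wildcards are rejected by the create command, one workaround is to turn the TMSH listing above into an explicit AS3 "signature" array with every check set to accept/log. The following script is an added example, not code from the issue or from the AS3 project; the sample TMSH lines are constructed (only the `security protocol-inspection signature <name> { ... id <n> ...` shape is taken from the page), and filtering by a service prefix in the check name is an assumption based on the "dns_..." naming seen above.

```python
import re

# Constructed sample of `tmsh list security protocol-inspection signature one-line`
# output. Real BIG-IP output contains more attributes; only name and id are used.
SAMPLE_TMSH_OUTPUT = """\
security protocol-inspection signature dns_dns_query_amplification_attempt { id 2402 description "PROTOCOL-DNS DNS query amplification attempt." }
security protocol-inspection signature dns_constructed_sample_two { id 2403 description "constructed sample" }
security protocol-inspection signature http_constructed_sample_one { id 3101 description "constructed sample" }
"""

# Matches the one-line form the page relies on (cut -d ' ' -f4 yields the name).
LINE_RE = re.compile(
    r"^security protocol-inspection (signature|compliance) (\S+) \{.*?\bid (\d+)\b"
)


def parse_tmsh_one_line(text):
    """Return a list of (kind, name, id) tuples parsed from one-line TMSH output."""
    checks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            checks.append((m.group(1), m.group(2), int(m.group(3))))
    return checks


def name_for_id(checks, check_id):
    """Equivalent of the page's grep 'id N' | cut -f4 recipe, done in Python."""
    for _, name, cid in checks:
        if cid == check_id:
            return name
    return None


def build_signature_checks(checks, name_prefix=None, action="accept", log=True):
    """Expand every parsed signature into an explicit AS3 check entry.

    name_prefix (assumed to match the service, e.g. "dns_") limits the list
    to one service's signatures; None keeps all of them.
    """
    return [
        {"check": name, "action": action, "log": log}
        for kind, name, _ in checks
        if kind == "signature" and (name_prefix is None or name.startswith(name_prefix))
    ]


def build_service(service_type, ports, checks, name_prefix=None):
    """Assemble one entry for Protocol_Inspection_Profile.services."""
    return {"type": service_type, "ports": ports,
            "signature": build_signature_checks(checks, name_prefix)}
```

On a real system, pipe the output of the TMSH command shown above into `parse_tmsh_one_line` and drop the result of `build_service` into the "services" array of the declaration.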
Enhancement coming in AS3 3.45.0
hi @mdditt2000 - do you have any details of the enhancement? I see that in 3.45 the documentation was made clearer around the properties of the Protocol_Inspection_Profile but there is no reference to the check names. In 3.46 the notes mention "Updated list of services for Protocol_Inspection_Profile" - but not sure where these are. As @RobCupples says above, with over 1800 signatures and over 200 compliances it would be a little unwieldy to have to include every check in the AS3 - so something similar to a matchAll or wildcard option would be very valuable.
nearly a year passed now - would appreciate a response on this.