f5-appsvcs-extension
Cannot add AFM Global Firewall Policy
Is your feature request related to a problem? Please describe.
BIGIP: 16.1.2.2 Build 0.0.28 Point Release 2 (VE)
AS3 version: f5-appsvcs | 3.34.0
AS3 includes the following classes to build an AFM firewall policy:
- Firewall_Port_List
- Firewall_Address_List
- Firewall_Rule_List
- Firewall_Policy
However, there does not appear to be any class/method to apply a firewall policy to the global (device) context.
Describe the solution you'd like
Presume a new class is needed to allow this to be configured as there is no "Device" class in AS3, only DO.
Describe alternatives you've considered
The only non-AS3 alternative which works is to call the iControl REST API, which can be used to set the policy:
PATCH: https://{{big_ip}}/mgmt/tm/security/firewall/global-rules
{
  "stagedPolicy": "{{Firewall_Policy}}"
}
Hi @antonywm, AUTOTOOL-3682 has been created for the same and added to our internal product backlog.
AS3 creates the AFM firewall policy at the application level and not globally. AS3/DO dev is validating if the AFM firewall policy can be applied globally via Declarative Onboarding.
Hi Mark - the only problem with applying at the DO level is that DO does not contain any classes at all for AFM. Also, our DO is run as part of our f5-bigip-runtime-init script, which is where we provision the AFM feature, so I doubt we can also define AFM stuff in DO as well.
Hi - any update on this enhancement request please?
Hi @sunitharonan - any update on this enhancement request please? It's been over a year since it was added to the backlog.