
Add ASM signature update (live update) to DO

megamattzilla opened this issue 4 years ago (Open, 1 comment)

When onboarding a new F5 ASM WAF device, after DO and AS3 have been executed, there is an extraneous step to update the ASM attack signature file (.IM).

Many F5 ASM WAF customers will prefer to use specific ASM attack signature versions as they test new ASM signatures, put them in staging, and move them into blocking mode. This is a constant process as new attack signatures are released. As of now, DO and AS3 can only deploy F5 ASM WAF instances that will use the latest attack signature version, not the desired ASM attack signature from the previous testing.

Add option to provide ASM signature file (.im) via URL that DO would download to the local F5 ASM WAF device and install as a signature package.

Ideally, a way to define a specific ASM attack signature file via URL that DO would fetch and install as an ASM signature version. It would also be ideal if DO could be invoked after initial deployment to update the ASM attack signature version later. The ASM policy can be referenced by URL with AS3 and updated over time. ASM policy is closely coupled to the attack signature version; it makes sense that you could deploy them in similar ways.

Alternatively, add an option to specify an ASM signature version that DO would fetch from downloads.f5.com and install as an ASM signature version.

Alternatively, rather than host the .IM file yourself, you could provide the ASM signature version such as ASM-AttackSignatures_20201123_114529.im, which DO could fetch from downloads.f5.com and install to the local ASM device. This would require the Big-IP to have internet access.

Additional context

ASM signature is one of the dynamic updates that F5 security modules reference. Another example is Bot signatures, which need to be updated as well. Ideally, DO could update any of the live update components or configure the TMOS live update system to download/install specific versions only.

megamattzilla, Nov 24 '20 17:11
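As an added illustration of the pinning logic the request above describes (a hypothetical sketch, not code from DO or a schema DO implements): the file name format quoted in the issue carries the release timestamp, so a declarative run can parse it, verify the downloaded package, and install only when the pinned version differs from what the device already runs. The https-only rule, the sha256 field and the allow_downgrade flag are my assumptions, not anything the issue specifies.

```python
import hashlib
import re
from datetime import datetime
from typing import Optional
from urllib.parse import urlparse

# Hypothetical illustration of the requested behaviour (not DO's own code):
# a declaration names a pinned signature package by URL or file name, and a
# declarative run installs it only when the device does not already run it.
SIG_RE = re.compile(r"^ASM-AttackSignatures_(\d{8})_(\d{6})\.im$")


def parse_signature_version(filename: str) -> datetime:
    """Return the release timestamp embedded in an ASM signature file name."""
    m = SIG_RE.match(filename)
    if not m:
        raise ValueError(f"not an ASM attack signature package name: {filename!r}")
    return datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")


def source_filename(url: str) -> str:
    """Accept only an https URL whose last path segment is a signature package."""
    parts = urlparse(url)
    if parts.scheme != "https":  # assumption: plain http sources are refused
        raise ValueError("signature packages must be fetched over https")
    name = parts.path.rsplit("/", 1)[-1]
    parse_signature_version(name)  # raises if the name is not a .im package
    return name


def plan_install(desired: str, installed: Optional[str],
                 allow_downgrade: bool = False) -> str:
    """Decide what a declarative run does: 'install', 'skip' or 'reject'."""
    want = parse_signature_version(desired)
    if installed is None:
        return "install"
    have = parse_signature_version(installed)
    if want == have:
        return "skip"      # idempotent: the declaration is already satisfied
    if want < have and not allow_downgrade:
        return "reject"    # rolling back to an older package must be explicit
    return "install"


def verify_package(data: bytes, expected_sha256: str) -> bool:
    """Check downloaded .im bytes against the checksum given in the declaration."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()
```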

Requires review with AWAF PM to understand if this would be blocked by changes required in AWAF code.

delgadillo22, Feb 28 '22 22:02