f5 Automation Labs
f5 Automation Labs
f5 Automation Labs
F5 Programmability Training
https://f5.com/supernetops
2
Contents:
1 Welcome 5
3
4
Welcome
1
Welcome to F5’s Automation, Orchestration and Programmability Training series. The intended audience for
these labs are Super NetOps and DevOps engineers that would like to leverage the various programmability
tools offered by the F5 platform. If you require a pre-built lab environment please contact your F5 account
team and they can provide access to environments on an as-needed basis.
The content contained here adheres to a DevOps methodology and automation pipeline. All content con-
tained here is sourced from the following GitHub repository:
https://github.com/f5devcentral/f5-automation-labs/
Bugs and Requests for enhancements are handled in two ways:
• Fork the Github Repo, fix or enhance as required and submit a Pull Request
– https://help.github.com/articles/creating-a-pull-request-from-a-fork/
• Open an Issue within the repository.
5
6
Class 1: Introduction to Automation & Orchestration
2
This introductory class covers the following topics:
• Imperative Automation using the F5 BIG-IP iControl REST API
• Service Abstraction and Automation using F5 iApp templates
• Building Declarative Interfaces with the F5 iWorkflow product
Expected time to complete: 4 hours
To continue please review the information about the Lab Environment. Additionally, if you are new to the F5
BIG-IP Platform we’ve created an overview in the BIG-IP Basics section.
Warning: All work for this lab will be performed exclusively from the Linux Jumphost. No installation or
interaction with your local system is required.
All pre-built environments implement the Lab Topology shown below. Please review the topology first, then
find the section matching the lab environment you are using for connection instructions.
The network topology implemented for this lab is very simple. Since the focus of the lab is Control Plane
programmability rather than Data Plane traffic flow we can keep the data plane fairly simple. The following
components have been included in your lab environment:
• 2 x F5 BIG-IP VE (v12.1.x)
• 1 x F5 iWorkflow VE (v2.3)
• 1 x Linux Server
• 1 x Linux Jumphost
The following table lists VLANS, IP Addresses and Credentials for all components:
7
Fig. 2.1: Lab Topology
In order to complete this class you will need to utilize a specific Lab Environment. You can consume this
training in a couple of ways:
8
• Pre-built Environment using a Ravello Blueprint
– Used at official F5 events such as F5 Agility, F5 Agility Roadshows, User Groups, MeetUps, etc.
– Access can be provided by your F5 Account Team
• Pre-built Environment using an Amazon AWS CloudFormation Template (CFT)
– Access is on-demand and uses your AWS account
• Pre-built Environment using the F5 Unified Demo Framework (UDF)
– This environment is currently available for F5 employees only
• Self-built Environment on your own infrastructure
– Review the Topology and Guide below for prerequisites
Select the Environment from the list below to get started:
Error: The AWS CFT is currently in testing and not complete. This notice will be updated as progress
is made. This functionality should be available by Dec 1st 2017.
Warning: The AWS CFT will run in your account. The template includes components and instances
that will incur a charge. This charge will be billed to your account.
You can use an Amazon CloudFormation Template (CFT) to launch your own lab environment in AWS. This
guide assumes the following:
• Pre-existing Amazon AWS account
• Access to create AWS Instances and Resources
• You have created an AWS Key Pair:
– http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
• You will be responsible for all charges incurred
More information about AWS can be found here:
https://aws.amazon.com/
The AWS lab environment restricts access based on your Source IP Address. We will use a website to
determine your Source IP for use in the next Task.
Note: If your Source IP address changes you will lose access to your environment.
9
2. Copy the IP Address shown in the Your IP Address is: box into your clipboard
2. Click Services at the top of the window. Then type cloud into the search box and look for the
CloudFormation item. Click on the CloudFormation item:
10
4. On the Select Template screen, select the Specify an Amazon S3 template URL option. Copy and
paste the URL below into the box:
https://s3.us-east-2.amazonaws.com/supernetops-cf-templates/class1.
template
Click on the Next button
Note: You can also specify a CIDR formatted Subnet in this field
11
9. Click the Super-NetOps-Lab stack to view details of the deployment
10. Monitor the Events section of the page as the Stack deploys:
11. The CFT used performs a nested deployment, leveraging other CFT’s. The Events will notify you when
new status messages are available. Total deployment time varies. As the Stack is being deployed you
will see periodic CREATE_COMPLETE messages:
12
12. You can also go back to the page listing ‘Stacks’ and monitor the progress of the nested templates
from there:
13. Once the Status of the Super-NetOps-Lab root stack shows CREATE_COMPLETE click the Outputs
tab. You will see a Key named JumpHostPublicIP. The Value is the IP Address you can use to
connect to the Lab Jumphost using RDP, HTTPS or SSH (diagnostics only).
13
14. You can now connect to the Jumphost using RDP or HTTPS:
• RDP: Configure your RDP client to connect to the JumpHostPublicIP
• HTTPS: Use a HTML5 browser to connect to https://<JumpHostPublicIP>
15. Select how you would like to continue:
• Review: BIG-IP Basics (optional)
• Start: Module 1: Imperative Automation with the BIG-IP iControl REST API
Ravello
If you are taking this class at a Meetup, User Group, F5 Agility or another official event, access details will
be provided by your instructor.
If you would like to take this class using our lab environment please contact your F5 Account Team for
access. You can also send and email to supernetopshelp (at) f5.com.
Once you have connected to your environment you can select how you would like to continue:
• Review: BIG-IP Basics (optional)
• Start: Module 1: Imperative Automation with the BIG-IP iControl REST API
To connect to the lab environment we will use a Remote Desktop Protocol client to connect to the Jumphost.
14
Note: We recommend that students open this lab guide on their Jumphost using the Chrome web browser.
The browser is configured to open the lab guide as it’s start page.
• Full Screen: Click the button to download an RDP file that will start the RDP session in
full screen mode
• Specify Resolution: Click the button and select a screen resolution to use for the connec-
tion:
15
6. If you do not have the official Microsoft Remote Desktop Client, please install it using the instruc-
tions at https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/
remote-desktop-clients
7.
Warning: If you have a HiDPI display please refer to the Using HiDPI Displays (RDP & Windows)
instructions below
8. Open the RDP file in the Remote Desktop Client and connect. If you have any problems please ask
your instructor for help
9. Select how you would like to continue:
• Review: BIG-IP Basics (optional)
• Start: Module 1: Imperative Automation with the BIG-IP iControl REST API
16
Using HiDPI Displays (RDP & Windows)
Warning: Do these steps BEFORE you connect via RDP. Choose ONE only. Do not do both.
If you are using Hi Resolution Display on Windows, we recommend that you either:
• RECOMMENDED: Resize your display to 1080p (1920 x 1080) or
• Use your RDP clients “Zoom” functionality to increase the size
3. Change the Resolution to 1920 x 1080 and click the Apply button
17
Use RDP Zoom
2. Under the Display tab change the resolution to 1920x1080, then click Connect
3. After you connect, access the menu at the top left of your RDP Window and change the Zoom level
(i.e. 175%).
Self-Built Environment
Note: Due to the variability of self-built environments we cannot guarantee that you will be able to complete
the class successfully.
18
If you are building your own lab environment please complete the following steps and pre-requisites first:
1. Your network configuration matches the topology in the Lab Topology
2. Ensure your BIG-IP devices are licensed and have the following modules provisioned:
• LTM
• ASM
3. Your server instance can be built two ways:
(a) Build or reuse your own instance. If should have the following services installed and running:
• HTTP Server - TCP/80
• DNS Server - UDP/53
(b) Use our server image build script located at the url below to configure an Ubuntu 16.04 base
installation automatically.
Note: Please ensure that HTTP & DNS services are not installed on the base image
https://raw.githubusercontent.com/f5devcentral/f5-automation-labs/master/lab_
environments/AWS/snops_server_setup.sh
19
• Start: Module 1: Imperative Automation with the BIG-IP iControl REST API
Just in case you’re new to the F5 BIG-IP platform (or need a refresher) we’ve included some links and
videos below that will help get you started.
Source: https://devcentral.f5.com/articles/lightboard-lessons-what-is-big-ip-26793
Source: https://devcentral.f5.com/articles/lightboard-lessons-big-ip-basic-nomenclature-26144
• Public Cloud:
– AWS/Azure/GCP/etc.: http://clouddocs.f5.com/cloud/public/v1/
• Private Cloud:
– OpenStack: http://clouddocs.f5.com/cloud/openstack/
– VMware: https://f5.com/solutions/technology-alliances/vmware
• Container Ecosystems:
– Cloud Foundry: http://clouddocs.f5.com/containers/latest/cloudfoundry/
– Kubernetes: http://clouddocs.f5.com/containers/latest/kubernetes
– Mesos Marathon: http://clouddocs.f5.com/containers/latest/marathon
– RedHat OpenShift: http://clouddocs.f5.com/containers/latest/openshift/
If you’re already familiar with HA Proxy, learning F5 BIG-IP is straightforward once you learn the associated
F5 terminology.
Here is a list of common HA Proxy configuration terminology and its F5 equivalent:
20
HA Proxy F5 BIG-IP
Frontend Virtual Server (VIP)
Backend Pool
Server Member
mode http HTTP Profile
default_backend Default pool
use_backend LTM policy
check port Health monitor
If you are already familiar with NGINX, learning F5 BIG-IP will be straightforward once you learn the F5
terminology.
NGINX administrators usually use multiple files and leverage the include command in their config to break
down the config and make it easier to manage. F5 leverages Profiles which can be applied to a Virtual
Server.
NGINX uses in-band (passive) health monitors which can be enabled on F5 through the creation of an
inband monitor. BIG-IP also supports the use of active health monitors, which will poll the pool member
periodically. Both can be used together for better monitoring of your services.
F5 BIG-IP supports control-plane and data-plane programmability with:
• Node.js through the use of iRulesLX, iControlLX and iAppsLX
• TCL through the use of iRules and iApp Templates
A lot of the manual configuration and scripting steps that are required with NGINX are supported more easily
through various config parameters and profiles in BIG-IP. By leveraging the control-plane programmability
features this class covers you can achieve full automation of your services with the BIG-IP platform.
F5 BIG-IP is designed to be a full proxy by default. In most cases there is no need to tune TCP & HTTP
buffering like you would on NGINX (i.e. using proxy_buffering). This is because the default settings
have been optimized and can adapt to most situations.
Here is a list of common NGINX configuration terminology and its F5 equivalent:
NGINX F5 BIG-IP
listen Virtual Server Port (VIP)
upstream Pool
proxy_pass Default Pool
server Member
ssl_certificate SSL Profile Option
return LTM HTTP Policy Option
proxy_set_header X Forwarded For HTTP Profile Option Insert X-Forwarded-For
proxy_set_header LTM HTTP Policy Option
add_header LTM HTTP Policy Option
location & proxy_pass LTM HTTP Policy Option
Proxy Cache Web Acceleration Policy
21
2.3 Module 1: Imperative Automation with the BIG-IP iControl REST
API
Tenant Provider
In this module you will learn the basic concepts required to interact with the BIG-IP iControl REST API.
Additionally, you will walk through a typical Device Onboarding workflow to deploy a fully functional BIG-
IP Active/Standby pair. It’s important to note that this module will focus on demonstrating an Imperative
approach to automation.
Note: The Lab Deployment for this lab includes two BIG-IP devices. For most of the labs, we will only be
configuring the BIG-IP A device (management IP configuration and licensing has been completed). BIG-IP
B will have some minimal configuration pre-loaded. In real-world scenario, it would be necessary to perform
Device Onboarding functions on ALL BIG-IP devices. In this lab exercise, we chose to perform it only on a
single device due to lab time allocation constraints.
Note: In order to confirm the results of REST API calls made in this lab, it’s recommended to keep
GUI/SSH sessions to BIG-IP and iWorkflow devices open. By default, BIG-IP and iWorkflow will log all
the REST API related events locally to restjavad.0.log . These logs can also be directed to a remote
syslog server (see https://support.f5.com/csp/article/K13080). On a side note, the ltm log files listed below
contains log messages specific to BIG-IP local traffic management events.
• BIG-IP:
– /var/log/ltm
– /var/log/restjavad.0.log
• iWorkflow:
– /var/log/restjavad.0.log
22
2.3.1 Lab 1.1: Exploring the iControl REST API
BIG-IP
In this lab, we will explore the API using an interface that is built into TMOS. This utility is useful for un-
derstanding how TMOS objects map to the REST API. The interfaces implement full Create, Read, Update
and Delete (CRUD) functionality, however, in most practical use cases it’s far easier to use this interface
as a ‘Read’ tool rather than trying to Create objects directly from it. You can use TMUI or TMSH to create
the object as needed and then use this tool to view the created object with all the correct attributes already
populated.
Note: This guide may require you to Copy/Paste information from the guide to your jumphost. To make
this easier you can open a copy of the guide by using the Lab Guide bookmark in Chrome.
1. Open Google Chrome and navigate to the following bookmarks: BIG-IP A GUI, BIG-IP B GUI and
iWorkflow GUI. Bypass any SSL errors that appear and ensure you see the login screen for each
bookmark.
Warning: We are using a self-signed certificate in this lab. In your environment you must make
sure that you use certificates issued by your certificate authority for both production and lab equip-
ments. Not doing so would make it possible for an attacker to do a man-in-the-middle attack and
allow him the ability to steal passwords and tokens.
2. Navigate to the URL https://10.1.1.10/mgmt/toc (or click the BIG-IP A REST TOC bookmark).
The /mgmt/toc path in the URL is available on all TMOS versions 11.6 or newer.
3. Authenticate to the interface using the default credentials (admin/admin)
23
4. You will now be presented with a top-level list of various REST resources. At the top of the page there
is a search box that can be used to find items on the page. Type
net in the search box and then click on the ‘net’ link under iControl REST Resources:
can see the default route domain of 0 is listed. You can also create new objects by clicking the
button. Additionally, resources can be deleted using the button or edited using the button.
The is used to copy JSON formatted resource with Ctrl+C. This can be useful when you want to
slightly change an existing resource.
7. Click the 0 resource to view the attributes of route-domain 0 on the device:
24
8. You can now see the properties of the route-domain 0 Resource. The components of the URI have
been labeled in the screenshot below:
25
Note: If you would like to learn more about the iControl REST API be sure to read the Demystifying
iControl REST article series at https://devcentral.f5.com/wiki/icontrolrest.homepage.ashx
BIG-IP
One of the many basic concepts related to interaction with REST API’s is how a particular consumer is
authenticated to the system. BIG-IP and iWorkflow support two types of authentication: HTTP BASIC and
Token-Based (TBA). It’s important to understand both of these authentication mechanisms, as consumers
26
of the API will often make use of both types depending on the use case. This lab will demonstrate how to
interact with both types of authentication.
Throughout this and other classes in the series we will make use of the Postman REST API Client. You can
find more information about Postman at https://getpostman.com
In this task you will Import a Postman Collection & Environment for this lab. Perform the following steps to
complete this task:
1. Open the Postman tool by clicking the icon of the desktop of your Linux Jumphost. The
initial window may take a few moments to appear.
Note: The Postman client receives very frequent updates. If you are prompted to update the client
please click the Remind me later button to skip updating the version installed in your lab environment
2. By default, the Postman client requires verification of SSL/TLS Certificates to a public Root Certifi-
cate Authority. However, by default, BIG-IP and many other devices use a self-signed certificate for
SSL/TLS connections. To allow connections with self-signed certificates we need to modify the default
settings of Postman.
• Open the Postman Settings windows by clicking File → Settings:
27
• Verify your client is configured to allow self-signed certificates by setting SSL certificate
verification to OFF
4. Click the Import from Link tab. Paste the following URL into the text box and click Import
https://raw.githubusercontent.com/f5devcentral/f5-automation-labs/master/
postman_collections/Class_1.postman_collection.json
28
5. You should now see a collection named F5 Programmability: Class 1 in your Postman Col-
lections sidebar. Postman automatically resizes its GUI depending on its window size. It might be
necessary to use the short Ctrl + \ (on Windows) or click the show sidebar icon at the bottom left
corner of postman if you do not see the sidebar.
6. To assist in multi-step procedures we make heavy use of the Environments capability in Postman.
29
This capability allows us to set various global variables that are then substituted into a request before
it’s sent. Import the Environment file by clicking Import → Import from Link and pasting the following
URL and clicking Import:
https://raw.githubusercontent.com/f5devcentral/f5-automation-labs/master/
postman_collections/Class_1.postman_environment.json
7. Set your environment to F5 Programmability: Class 1 by using the menu at the top right of
your Postman window:
In this task, we will use the Postman client to send API requests using HTTP BASIC authentication. As its
name implies this method of authentication encodes the user credentials via the existing BASIC authentica-
tion method provided by the HTTP protocol. The mechanism this method uses is to insert an HTTP header
named ‘Authorization’ with a value that is built by Base 64 encoding the string <username>:<password>.
The resulting header takes this form:
Authorization: Basic YWRtaW46YWRtaW4=
It should be noted that cracking this method of authentication is TRIVIAL; as a result API calls should
always be performed using HTTPS encryption (F5 default) with a certificate signed by an authority rather
than HTTP.
Perform the following steps to complete this task:
1. Click the Collections tab on the left side of the screen, expand the F5 Programmability: Class
1 collection on the left side of the screen, expand the Lab 1.2 - API Authentication &
'example' Templates folder:
30
2. Click the Step 1: HTTP BASIC Authentication item. Click the Authorization tab and select
Basic Auth as the Type. Fill in the username and password (admin/admin) and click the Send
button:
3. Click the Headers tab and examine the HTTP header. Notice that the number of Headers in the
Headers tab changed from 1 to 2. This is because Postman automatically created the HTTP header
and updated your request to include it.
31
4. Click the Body tab, if the request succeeded you should be presented with a listing of the /mgmt/tm/
ltm Organizing Collection:
5. Click the Test Results tab and ensure all the tests for this request have passed:
32
6. Update the credentials and specify an INCORRECT password. Send the request again and examine
the response:
7. Check the Test Results tab and notice that our Unit Tests for this request are now failing (as expected):
Important: As you progress through this lab be sure to check the Test Results tab. We have included Unit
Tests where applicable to help you verify the requests being sent are succeeding. If you notice a test has
failed please double check your input or ask for help.
One of the disadvantages of BASIC Authentication is that credentials are sent with each and every request.
This can result in a much greater attack surface being exposed unnecessarily. As a result, Token Based
Authentication (TBA) is preferred in many cases. TBA only sends the credentials once, on the first re-
quest. The system then responds with a unique token for that session and the consumer then uses that
token for all subsequent requests. BIG-IP and iWorkflow support token-based authentication that drops
33
down to the underlying authentication subsystems available in TMOS. As a result, the system can be con-
figured to support external authentication providers (Active Directory, RADIUS, TACACS, etc) and those
authentication methods can flow through to the REST API. In this task we will demonstrate TBA using the
local authentication database, however, authentication to external providers is fully supported.
Note: For more information about external authentication providers see the section titled About external
authentication providers with iControl REST in the iControl REST API User Guide available at https:
//devcentral.f5.com/d/icontrolr-rest-api-user-guide-version-1300-241 (v13)
3. Click the Body tab and examine the JSON that we will send to BIG-IP to provide credentials and the
authentication provider:
4. Modify the JSON Body and add the required credentials (admin/admin). Then click the Send button.
5. Examine the response status code. If authentication succeeded and a token was generated the
response will have a 200 OK status code. If the status code is 401 then check your credentials:
• Successful:
34
• Unsuccessful:
6. Once you receive a 200 OK status code examine the Response Body. The various attributes show the
parameters assigned to the particular token. Find the token attribute and copy it into your clipboard
(Ctrl+c) for use in the next step.
7. Click the Step 3: Verify Authentication Works item in the Lab 1.2 Postman collec-
tion. Click the Headers tab and paste the token value copied above as the VALUE for the
X-F5-Auth-Token header. This header is required to be sent on all requests when using token-
based authentication.
8. Click the Send button. If your request is successful you should see a 200 OK status and a listing of
the ltm Organizing Collection.
9. We will now update your Postman environment to use this auth token for the remainder of the lab.
Click the Environment menu in the top right of the Postman window and click Manage Environments:
35
10. Click the F5 Programmability: Class 1 item:
11. Update the value for bigip_a_auth_token by Pasting (Ctrl+v) in your auth token:
36
12. Click the Update button and then close the Manage Environments window. Because the subsequent
requests refer to the {{bigip_a_auth_token}} variable, you will not have to set the token in the
header of the following requests.
13. Click the Step 4: Set Authentication Token Timeout item in the Lab 1.2 Postman folder.
This request will PATCH your token Resource (notice the URI) and update the timeout attribute so
we can complete the lab easily. Examine the request type and JSON Body and then click the Send
button. Verify that the timeout has been changed to 36000 in the response:
In order to assist with REST API interactions, you can request a template of the various attributes of a
Resource type in a Collection. This template can then be used as the body of a POST, PUT or PATCH
request as needed.
Perform the following steps:
1. Click the Step 5: Get ‘example’ of a Pool Resource item in the Lab 1.2 Postman collec-
tion.
37
2. Examine the URI. Notice the addition of example at the end of the collection name:
3. Click Send and examine the FULL response. You will see descriptions and then all the attributes for
the Pool resource type. The response also shows the default values for the attributes if applicable:
BIG-IP
All devices are already licensed so we can focus on configuring the basic infrastructure related settings to
complete the Device Onboarding process. The remaining items include (list not exhaustive):
• Device Settings
38
– NTP/DNS Settings
– Remote Authentication
– Hostname
– Admin Credentials
• L1-3 Networking
– Physical Interface Settings
– L2 Connectivity (VLAN, VXLAN, etc.)
– L3 Connectivity (Self IPs, Routing, etc.)
• HA Settings
– Global Settings
* Config Sync IP
* Mirroring IP
* Failover Addresses
– CMI Device Trusts
– Device Groups
– Traffic Groups
– Floating Self IPs
We will specifically cover the items in BOLD above in the following labs. It should be noted that many
permutations of the Device Onboarding process exist due to the nature of real-world environments. This
class is designed to teach enough information so that you can then apply the knowledge learned and help
articulate and/or deliver a specific solution for your environment.
In this task we will modify the device hostname and disable the GUI Setup Wizard. The Resource that
contains these settings is /mgmt/tm/sys/global-settings.
Perform the following steps to complete this task:
1. Expand the Lab 1.3 - Review/Set Device Settings folder in the Postman collection.
2. Click the Step 1: Get System Global-Settings request. Click the Send button and review
the response Body to see what the current settings on the device are. Examine the resulting response
to understand what settings are currently applied.
3. Click the Step 2: Set System Global-Settings request. This item uses a PATCH request
to the global-settings resource to modify the attributes contained within it. We will update the
guiSetup and hostname attribute.
• Click on Body. Review the JSON body and modify the hostname attribute to set the hostname
to bigip-a.f5.local
• Also notice that we are disabling the GUI Setup Wizard as part of the same request:
39
4. Click the Send button and review the response Body. You should see that the attributes modified
above have been updated by looking at the response. You can also GET the global-settings by
sending the Step 1: Get System Global-Settings request again to verify they have been
updated.
Note: This task will make use of JSON arrays. The syntax for defining a JSON array is:
myArray: [ Object0, Object1 ... ObjectX ]
To define an array consisting of Strings the syntax is:
myStringArray: [ "string0", "string1" ... "stringX" ]
Much like the previous task we can update system DNS and NTP settings by sending a PATCH request to
the correct resource in the sys Organizing Collection. The relevant Resources for this task are:
URL Type
/mgmt/tm/sys/dns DNS Settings
/mgmt/tm/sys/ntp NTP Settings
40
3. Click the Send button and verify the requested changes were successfully implemented by looking at
the response or by sending the Step 3: Get System DNS Settings request again.
4. Click the Step 5: Get System NTP Settings item in the folder. Click Send and review the
current settings.
5. Click the Step 6: Set System NTP Settings item in the folder. Click Body. Review the JSON
body to verify the NTP servers with hostnames 0.pool.ntp.org and 1.pool.ntp.org are con-
tained in the servers attribute (another JSON array!).
6. Click the Send button and verify the requested changes were successfully implemented by looking at
the response or sending the Step 5: Get System NTP Settings again.
In this task we will update the passwords for the root and admin accounts. The process for updating the
root account is different than other system accounts because it is used by underlying Linux OS.
To update the root account password we will use a POST to the /mgmt/shared/authn/root REST
endpoint.
To update all other system accounts we will PATCH the /mgmt/tm/auth/user/<username> Resource.
Perform the following steps to change the root user password:
1. Click the Step 7: Set root User Password item in the folder.
2. We are performing a POST operation to change the root user password and have to specify the
oldPassword because the REST implementation on the BIG-IP uses the underlying Linux mecha-
nism. Click Body. Modify the JSON body to update the password to the value newdefault and click
the Send button.
41
3. You can verify the password has been changed by opening an SSH session to BIG-IP A. A shortcut to
a terminal is included on the desktop of the Linux jumphost. Open a Terminal window and then open
an SSH connection to BIG-IP A using the command ssh [email protected]:
3. You can verify the password has been changed by opening an SSH session OR by logging into
TMUI (HTTP GUI) to BIG-IP A in a Chrome browser tab.
4. Repeat the procedure above to change the password back to admin
42
2.3.4 Lab 1.4: Basic Network Connectivity
BIG-IP
Note: This lab shows how to configure VLAN tags, but does not deploy tagged interfaces. To use tagged
interfaces the tagged attribute needs to have the value true
43
Fig. 2.2: Lab Topology
2. Click the Step 1: Create a VLAN request in the folder. Click Body and examine the JSON
request body; the values for creating the Internal VLAN have already been populated.
3. Click the Send button to create the VLAN
4. Repeat Step 1, however, this time modify the JSON body to create the External VLAN using the
parameters shown in the table above. In order to do so you can replace the following:
• name: Internal –> External
• tag: 10 –> 20
• interfaces[] --> name: 1.1 –> 1.2
5. Click the Step 2: Get VLANs request in the folder. Click the Send button to GET the VLAN
collection. Examine the response to make sure both VLANs have been created.
44
Task 2 - Create Self IPs
Note: The JSON body sets the VLAN to /Common/External on purpose. You will modify this value
in the steps below. Please do not change the value.
Note: Postman has the ability to check the responses for specific values to verify if the result of a
request is what it is expected to be. The Test Results for this request will show a failure for the [Check
Value] vlan == /Common/Internal value. This is intentional and you should continue to the
next section.
45
Task 3 - Modify Existing Self IP Resource
In order to modify an existing object via the REST API, the URI path has to be changed. In the previous
examples we used a POST to create Resources under a Collection, therefore, the URI used was that of the
Collection itself. If you wish to update/modify a Resource you must refer to the Resource directly.
For example, the Collection URI for Self IPs is /mgmt/tm/net/self.
The Resource URI for the Self-Internal Self IP is /mgmt/tm/net/self/
~Common~Self-Internal. Notice that the BIG-IP partition and object name has been added to
the Collection URI to for the Resource URI.
1. On the open Step 5: Get Self-Internal Self IP Attributes request change the re-
quest method from GET to PATCH. The PATCH method is used to modify the attributes of an existing
Resource.
46
2. Copy (Ctrl+c) the entire JSON RESPONSE from the previous GET request.
47
Note: Be sure to highlight any existing text and replace it while pasting.
4. In the JSON body change the vlan attribute to /Common/Internal and click Send:
48
5. Click the Step 6: Get Self IPs item in the collection. Click the Send button to GET the Self IP
collection. Examine the response to make sure both Self IPs have been created and associated with
the appropriate vlan.
49
2.3.5 Lab 1.5: Building Imperative Workflows with Postman Collections
BIG-IP
As you have seen in the previous labs, we can use the Collections and Folders features of the Postman
client to group REST requests logically. Additionally, as you’ve seen most of the examples so far have
consisted of executing a sequence of REST request to achieve some outcome.
In this lab, we will use a feature in Postman called the Collection Runner (Runner) to execute a sequence
of REST requests. Using the Runner we can rapidly prototype REST requests into an Imperative Workflow
that can be executed without user intervention.
The purpose of this exercise is to provide an example of how new workflows can be built from scratch or
existing workflows can be modified.
Additionally, we will use some Postman Javascript Tests to programmatically populate environment variables
with the output of our workflow.
1. The collection we will run in this task will populate some environment variables with various data
about the BIG-IP system. First, let’s examine the Environment Variables that are currently set. Click
the icon in the top right of the Postman window. Notice that there are no variables starting
with the name lab1.5_:
50
2. Click the Lab 1.5 - Building Imperative Workflows folder to expand it
3. Click the Step 1: Get BIG-IP Software Version request. Click the Tests tab and examine
the Javascript code and comments:
51
The Javascript code in the Test script will populate an environment variable based on the response
from the BIG-IP system.
4. Click the Runner button at the top left of your Postman window:
5. Select the F5 Programmability: Class 1 Collection then the Lab 1.5 - Building
Imperative Workflows folder. Next, be sure the environment is set to F5 Programmability:
Class 1:
52
Your Runner window should look like:
53
As you can see from the screenshot or your own Collection Runner screen, we will be sending 3
requests (Steps 1-3 in Lab 1.5). Each request has a unit test implemented in JavaScript to ensure it’s
ok to continue to the next request when using the Collection Runner. The Runner will step through
each request unless one of the tests fails.
54
6. Click the Run Lab 1.5 - Buil. . . button
7. The results window will now populate. You will see each request in the folder is sent and its associated
test results are displayed on the screen. The last request in the folder includes some Javascript code
to dump the results to the screen:
8. Next, switch back to the main Postman window. Click the button again and examine the
environment variables. Notice that three new variables starting with the name lab1.5_ have been
populated. You may need to scroll down to see these variables:
Note: It is normal for the values of Software Version, CPU Count and Base MAC Address to be different
from the screenshot(s).
In this lab, we demonstrated running a simple Imperative Workflow using the Postman Collection Runner.
In subsequent labs, we will expand on this simple use case to perform more complex functions. As you
continue through the labs, be sure to take time to explore the details of the requests being sent. The
Postman Collection used in this class can also serve as a starting point for building your own collections or
modifying existing ones.
As we move through the rest of this module you will see the complexity involved in building Imperative Work-
55
flows. While these types of workflows are incredibly powerful, they are also time-consuming to build from
scratch. As we move into Module 2 you will see the importance of leveraging Abstraction and Declarative
Interfaces to minimize the amount of time spent on building Imperative Workflows.
BIG-IP
In this lab, we will build an active-standby cluster between BIG-IP A and BIG-IP B using the REST API. As
mentioned previously, to save time, BIG-IP B is already licensed and has its device-level settings configured.
This lab will use the Postman Runner functionality introduced in the previous lab. We will run the requests
in a Collection Folder to build the cluster. If you examine the Lab 1.6 - Build a Cluster folder in the
Collection you can see how complex Imperative processes can become. Clustering is one of the transition
points for most customers to move into the Declarative model (if not already done) due to the need to
abstract device/vendor level specifics from automation consumers.
The high-level procedure required to create the cluster is:
1. Obtain Authentication Tokens for BIG-IP A & B
2. Check that both devices are licensed and ready to configure
3. Configure Device Level settings on both devices
4. Configure Networking on BIG-IP B (remember this was already done in Lab 1.4 for BIG-IP A)
5. Set BIG-IP A & BIG-IP B CMI Parameters (Config Sync IP, Failover IPs, Mirroring IP)
6. Add BIG-IP B as a trusted peer on BIG-IP A
7. Check the status of the Sync Groups
8. Create a sync-failover Device Group
9. Check the status of the created Device Group
10. Perform initial sync of the Device Group
11. Check status (again)
12. Change the Traffic Group to use HA Order failover
13. Create Floating Self IPs
14. Failover the Traffic Group to make BIG-IP A the Active device
56
Task 1 - Build a Cluster using Runner
In this task we will use the Runner to execute a series of requests contained in the Lab 1.6 - Build
a Cluster folder. As mentioned previously this folder contains a large number of REST requests re-
quired to build an Active/Standby cluster. Additionally, we will make use of a JavaScript framework called
f5-postman-workflows that extends the Postman client to include common test and polling functions.
Perform the following steps to build the cluster:
1. Click the Runner button at the top left of your Postman window:
2. Select the F5 Programmability: Class 1 Collection then the Lab 1.6 - Build a
Cluster folder. Next, be sure the environment is set to F5 Programmability: Class 1:
57
58
Your Runner window should look like:
59
60
3. Click the Run Lab 1.6 - Buil. . . button
4. The results window will now populate. You will see each request in the folder is sent and its associated
test results are displayed on the screen. Building the cluster can take a few minutes. You can follow
the progress by scrolling down the results window.
5. Once the Run Summary button appears, the folder has completed running. You should have 0 failures
and the last item in the request list should be named Cleanup Environment
Note: If you are have an issue with your authentication token issue please return to Lab 1.3, Step 8 in
Postman to set your admin password to admin.
1. At this point you can log into BIG-IP A using Chrome at https://10.1.1.10. Verify that the cluster
was built by navigating to Device Management → Overview using the menu in the BIG-IP TMUI GUI.
Verify that the cluster and failover status indicators are all green.
61
2.3.7 Lab 1.7: Build a Basic LTM Config using REST Transactions
BIG-IP
In this lab we will build a basic LTM Config using iControl REST API Transactions.
Transactions are very useful in cases where you would like to have discrete REST operations to act as a
batch operation. As a result, the nature of a transaction is that either all the operations succeed or none
of them do (all-or-nothing). This is very useful when we are creating a configuration that is linked together
because it allows roll back of operations in case one fails. All the commands issued are queued one after
the other in the transaction. We will also review how to change the order of a queued command or remove
a single command from the queued list before committing.
Note: Transactions are essential to ensure that an Imperative process is Atomic in nature.
62
Warning: Transactions have a default timeout of 120 seconds. Taking longer than the timeout period
to execute a transaction will result in automatic deletion of the transaction. To avoid having to redo the
steps in this task, please first read through the steps below and execute each of them in a timely
manner.
2. Click the Step 1: Create a Transaction request. Examine the URL and JSON Body. We will
send a POST to the /mgmt/tm/transaction endpoint with an empty JSON body to create a new
transaction.
63
3. Click the Send button to send the request. Examine the response and find the transId attribute.
Additionally, notice that there are timeouts for both the submission of the transaction and how long
it would take to execute. Please be aware that upon exceeding the timeoutSeconds period, the
transId will be silently removed:
The transId value has been automatically populated for you in the bigip_transaction_id en-
vironment variable:
4. Click the Step 2: Add to Transaction: Create a HTTP Monitor request in the folder.
This request is similar to a non-transaction enabled request in terms of the POST request method, URI
and JSON body. The difference is that, a header named X-F5-REST-Coordination-Id with the
value of the transId attribute is added to the transaction:
64
5. Click the Send button and examine the response.
6. Examine and click Send on Steps 3-6 in the folder.
7. Click Step 7: View the Transaction Queue. Examine the request type and URI and click
Send. This request allows you to see the current list of ordered commands in the transaction.
1. Click the Step 8: View Queued Command 4 from Transaction request in the folder. Ex-
amine the request method and URI. We will GET command number 4 from the transaction queue.
2. Click the Step 9: Change Eval Order 4 -> 1 request in the folder. Examine the request
method, URI, JSON body, then click Send. We will PATCH our transaction resource and change the
65
value of the evalOrder attribute from 4 to 1 to move to the first position of the transaction queue:
Note: Requests in the ordered transaction queue must obey the order of operations present in the
underlying BIG-IP system.
Warning: When sending the Header X-F5-REST-Coordination-Id, the system assumes that
you want to ADD an entry in the transaction queue. You MUST remove this header if you want to
issue any other transaction queue changes (such as deleting an entry from the queue, changing
the order, or committing a transaction). If you fail to remove the header, the system will respond
with a 400 HTTP error code with the following error text:
"message": "Transaction XXXXX operation .... is not allowed to be
added to transaction."
3. Click the Step 10: View the Transaction Queue Changes request in the folder. Verify that
command number 4 has moved into position 1 and the order of all other commands has been updated
accordingly.
1. Click the Step 11: Commit the Transaction request in the folder. Examine the request type,
URI and JSON body. We will PATCH our transaction resource and change the value of the state
attribute to submit the transaction:
66
2. Click the Send button and examine the response. The state may already be COMPLETED, however,
it’s a good practice to explicitly check for this.
3. Click the Step 12: View the Transaction Status request in the folder and click the Send
button. Verify that the state of the transaction is COMPLETED
4. You can verify the configuration was created on the BIG-IP device via the BIG-IP A GUI at https:/
/10.1.1.10
5. Verify that the virtual server works by opening http://10.1.20.120 in Chrome web browser
Tenant Provider
In this Module, we will continue working with the BIG-IP REST interface. However, we will now introduce
F5 Declarative Interfaces built with F5 iApp Templates.
iApps is a user-customizable framework for deploying applications that enables you to templatize sets of
functionality on your F5 devices. For example, you can automate the process of adding Virtual Servers or
manage your iRules inventory through the use of a custom iApp Template.
iApps are commonly thought of as a Wizard style deployment helper, but they are actually a Declarative
Interface. When iApp Templates are created they can be written to accomodate API centric use cases.
When an iApp deploys, a single call - declaring the desired deployment - is processed on the BIG-IP with
the correct order of operations. If the deployment were to fail the iApp would automatically rollback the
transaction and leave the configuration unchanged. All created objects are associated with an Application
Service Object (ASO). The ASO model identifies which objects belong to the iApp service deployment.
Upon service deletion, all service related objects are recursively deleted.
We will be using the F5 App Services Integration iApp (App Services iApp for short).
For further information about the App Services iApp see:
• GitHub Repository: https://github.com/F5Networks/f5-application-services-integration-iApp
• User Guide: https://devcentral.f5.com/wiki/iApp.AppSvcsiApp_userguide_userguide.ashx
An overview of iApps and different iApp templates that available can be found at:
• https://devcentral.f5.com/iapps
Note: This module requires the underlying network configuration that was completed in Module 1. Addi-
tionally, BIG-IP A must be the Active node in the cluster. When viewing the BIG-IP A GUI it should say
67
ONLINE (ACTIVE) in the upper left corner of the interface.
Note: This module deploys the configuration to BIG-IP A. iApp deployments leverage the underlying config-
sync mechanisms in the cluster. Once deployed on BIG-IP A, the configuration will be automatically synced
to BIG-IP B.
You can learn more about clustering features in this video:
Source: https://devcentral.f5.com/articles/lightboard-lessons-device-services-clustering-25575
There are multiple ways to install an iApp on BIG-IP. These includes using TMOS Shell (TMSH through
SSH), the GUI (TMUI), and the REST Interface. All of these mechanisms are supported and, if required,
can be used in conjunction with each other.
For instance, you can install an iApp template from BIG-IP GUI and then deploy a new service via iControl
REST using tools such as cURL, Postman and Ansible.
F5 iApps was introduced in TMOS (BIG-IP operating system) Version 11. They can interact within and
across different F5 modules to provide full Layer 4-7 Application Services capabilities. The iApp Template
is used to execute an iApp Deployment that generates a series of configuration object grouped under an
Application Service Object (ASO). The ASO model houses objects belonging to the iApp service deploy-
ment. Upon deletion of a specific iApp service deployment, all the associated objects will be recursively
deleted.
Below are some of the modules that can be configured using iApp templates:
• Local Traffic Manager
• Advanced Firewall Manager
• Application Security Manager
68
• Access Policy Manager
Note: The term Application Service in the GUI and service in the REST API are the same objects.
The name is abbreviated in the API.
You can find the GUI representation of iApps on the left-hand side of the UI under iApps. iApp deployments
are located under Application Services, while iApp templates are located under Templates on the system.
• Application Services (iApp deployments)
69
The associated REST API endpoints are:
• iApp Deployments: /mgmt/tm/cloud/services/iapp
• iApp Templates: /mgmt/tm/sys/application/template
By default, iApp implements a strict source-of-truth preservation mechanism called Strict Updates. The
App Services iApp does allow granular configuration of underlying TMOS objects without disabling the
Strict Updates mechanism. However, not all iApp templates supports this functionality.
In an automated environment, we must always ensure that the iApp template inputs are being used as
the Source-of-Truth for an underlying deployment. Therefore, Strict Updates should not be disabled in
order to preserve the integrity of service deployments using iApp templates.
For instance, after an iApp service is deployed, modifying the underlying configuration with Strict Updates
disabled will result in Source-of-Truth violation. Changes made directly to the configuration will cause iApp
configuration objects to be overwritten. The direct modification of objects configured on BIG-IP will alter the
integrity of iApp deployment input values that automation tools are interacting with, causing failures. It is
therefore important to keep Strict Updates enabled at all times for automated deployments.
70
2.4.2 Lab 2.2: Deploying iApp Templates on BIG-IP
iApps typically come in the form of a .tmpl file, which contains the content needed for the BIG-IP to utilize
it as a Service framework. Different toolkits will install iApps in different ways. We’ll be using the REST API
in a raw form, so the content of the file is what we need. As a result, we need to ensure that the content of
the iApp is URL encoded to make sure the BIG-IP reads the payload correctly. This is specific for the iApp
deployment over REST API. When using other tools like Ansible, the whole .tmpl file can be uploaded,
removing the need for encoding.
Note: This lab work will be performed from Lab 2.2 - Deploying iApp Templates on BIG-IP
folder in the Postman Collection
71
Task 1 - View Installed iApp Templates
2. Review the JSON response Body. The JSON payload shows iApp templates that are installed on the
BIG-IP device:
72
Task 2 - Install the App Services iApp Template
2. Review the Request JSON Body, and the Response JSON Body. In this task we installed the App
Services iApp Template and the BIG-IP sent back a response that the iApp was installed with its object
name.
Note: The JSON body in the Request portion is automatically generated as part of the build process
for the App Services iApp and the request in the Postman Collection was copied from a pre-built
collection that ships with releases of the App Services iApp template.
73
2.4.3 Lab 2.3: Create iApp Deployments using the REST API
Now that the App Services iApp template is installed, we can deploy a new Layer 4 to 7 Service. We
will start with Creating a Basic HTTP Service, demonstrate Modifying/Mutate the service by changing the
node state, and finally Delete the whole service. Once we’ve demonstrated with these tasks, we’ll introduce
more complex deployments options with iRules, Custom Profiles, Certificates, and an ASM Policy.
Note: This lab work will be performed from Lab 2.3 - Create iApp Deployments using the
REST API folder in the Postman Collection
74
Task 1 - View Deployed Services
2. Review the JSON Response Body. The BIG-IP device does not have any iApp deployments. As a
result the items array is empty ([]):
75
Task 2 - Deploy Basic HTTP Service
76
In this task, we will deploy our first service. Review the Response JSON Body to verify if the Service
has been deployed.
Note: We’ve just progressed into a Declarative instantiation, by defining the end state and relying on
the iApp templates to handle the order of operations and configuration of specific objects. By doing
this, we have drastically reduced the amount of Domain Specific Knowledge required to interact
with the device. In the next module, we will combine this concept with Abstraction to further simplify
the interface the service consumer has to interact with.
3. Now that the service has been deployed, let’s review the BIG-IP configuration. You can validate
by sending the Step 1: Get Deployed iApp Services request again. Alternatively, you can
login to BIG-IP A GUI to observe the service deployment via TMUI:
• REST: Send Step 1: Get Deployed iApp Services request:
77
4. From the TMUI GUI, examine the Virtual Server that was created from this deployment by clicking
Local Traffic → Virtual Servers → Virtual Server List → Demo_vs. The configuration is simple, but
it does contain the key components for an HTTP service (Listener, HTTP Profile, Monitor, Pool, and
Pool Members):
5. The service is available and active, you can connect to the Virtual Server using Chrome web browser
at http://10.1.20.121 and examine its responses:
78
Note: The colors of the text, images, and borders may vary depending on the back-end server
selected during the load balancing process.
In this task, we will modify the existing service. We will disable all pool members and bring the service
down.
Perform the following steps to complete this task:
1. Click on Step 3: Modify Service - HTTP. Review the Request URL and JSON Body. Notice
that we specified the Resource URL for our deployment. Modifying or Redeploying a service is
handled by sending only the updated JSON to the specific Resource (our service) using a PUT request
method. We set the state of the pool members to disabled which forces the service to go offline.
79
2. Click the Send button to Modify the previously deployed Basic HTTP Service:
3. In the BIG-IP GUI click Local Traffic → Network Map to view the new state of the Pool Members (Black
indicators reflect the disabled state). The state has been updated to reflect the state we declared in
our call. The Virtual Server is no longer passing traffic at http://10.1.20.121 because all the
Members in the Pool have been disabled:
80
Task 4 - Delete our Deployed Service
The lifecycle of a service also includes the service removal. We will now delete an existing service.
Perform the following steps to complete this task:
1. Send the Step 4: Delete Service - HTTP request to Delete the previously deployed Basic
HTTP Service:
2. Similar to modification process, the deletion of a service is performed on the Resource URL. When
we created the service, we defined a Declarative state to the iApp template which subsequently cre-
ated the configuration and all of its associated objects. With a DELETE request, BIG-IP will process
the removal of all objects linked to the ASO in a recursive manner. This is crucial to Application Life-
cycle Management as it provides a mechanism to make sure all parts of the service are removed
successfully.
Note: There is no JSON body to a DELETE call, as the HTTP Method is defining the action.
Now that the service has been deleted, let’s review the BIG-IP configuration. You can review via REST
by sending the Step 1: Get Deployed iApp Services request again, or you can login to the
BIG-IP A GUI to observe the service deployment via TMUI:
• REST: Send Step 1: Get Deployed iApp Services request:
81
Task 5 - Deploy an HTTP Service with Custom created Profile and a referenced iRule
2. The App Services iApp can Create or Reference various objects. In this deployment we perform two
actions:
(a) Create custom profiles on the BIG-IP device with various options specified. These profiles do not
exist on the BIG-IP but are created dynamically during the deployment.
(b) Create an iRule on the BIG-IP device by using a URL Reference. The App Services iApp
downloads the iRule resource from the URL and then creates a new iRule object on the system.
The iRule object is then automatically linked to the Virtual Server
Warning: When using URL references, it is important to properly secure the repository which
hosts the resource(s). The example in this lab uses a publicly readable repository, however,
most environments should use a private repository with appropriate access control.
3. Review the Request JSON Body to see how the desired outcomes above were declared:
• Custom Profiles:
82
• URL Referenced iRule:
4. Open Chrome and connect to the Virtual Server at http://10.1.20.121. The iRule that was
attached to the service contains an HTTP_RESPOND event, which responds with a simple Maintenance
Page.
83
Task 6 - Deploy an HTTPS Service
2. iApps are a Declarative interface, allowing us to modify deployment without the need to delete it (this
also means we can re-name objects if we needed too). For this service we will:
• Use the same custom profiles
• Remove the iRule
• Change the Listener port to 443 (HTTPS)
• Use URL Resources to obtain the SSL/TLS Key, Certificate and Certificate Bundle
Warning: When using URL references, it is important to properly secure the repository which
hosts the resource(s). The example in this lab uses a publicly readable repository. However,
most environments should use a private repository with appropriate access control.
4. Review the configured Virtual Servers in the TMUI GUI. The App Services iApp created a new Virtual
Server to redirect TCP/80 traffic to TCP/443 and reconfigured the Virtual Server to listen on TCP/443
84
5. The configuration of the Virtual Server now uses an SSL Client profile containing our imported SSL
Resources. The deployment is now providing SSL Offload for the backend compute nodes.
85
6. Open Chrome and access the service with http://10.1.20.121. It should redirect you to
https://10.1.20.121.
Note: We are using self signed certificates in the lab so an SSL warning will be shown.
86
Important: RFC2616 (HTTP/1.1) allows for a TCP session to stay open. Had we not included
“noserver Cache-Control no-cache Connection Close” in the iRule the following would have happened:
When you would have refreshed the page, the maintenance page would still appear because of two
reasons:
(a) Chrome keeps HTTP connections open in the background to improve network performance
(b) BIG-IP maintains a fully versioned configuration internally. Stateful connections, like HTTP, are
then pinned to a specific version of the configuration for the lifetime of the connection.
As a result, because Chrome has not closed the actual TCP connection, BIG-IP still processes traffic
with the configuration that was present when the connection was originally created. That stale con-
nection was still using the version of the configuration with the iRule attached to the Virtual Service
resulting in the maintenance page being shown.
Another advantage of Service Deployment using iApp Templates is that they can deploy advanced Layer
4-7 services from various F5 modules. In this task we will deploy a service that includes a Web Application
Firewall policy with the base HTTPS offload and load balancing features.
Perform the following steps to complete this task:
1. Send the Step 7: Deploy Service - HTTPS w/ WAF Policy request to deploy an HTTPS
Service using URL Resources for a Web Application Firewall policy that will be used with the Appli-
cation Security Manager (ASM) module.
87
2. This final iApp deployment will build upon our service by having the iApp load a WAF policy Resource
from our repository. The App Services iApp will then create a Layer 7 Traffic Policy and apply it to the
Virtual Server.
This deployment recognizes the need for Security from the beginning of the application lifecycle. It
lays the groundwork for Continuous Improvement by having the policy reside in a repository. It
allows us to treat resources as code leading to an Infrastructure as Code (IaC) methodology. As the
policy is updated in the repository, additional automation and orchestration can be enabled to deploy
the policy into the environment. The result is an ability to rapidly build, test and iterate Layer 7 security
policies and guarantee deployment into the environment.
3. Review the Request JSON Body to see how the desired outcomes above were declared:
• Layer 7 Policy Rules:
88
• ASM Policy URL:
4. In the TMUI GUI, you will notice a Layer 7 policy has been applied to the Virtual Server. In Application
Security, we will be able to observe that the policy is being dynamically fetched, applied, and set to
Blocking mode.
• Layer 7 Policy:
89
• ASM WAF Policy:
90
2.5 Module 3: Creating Declarative Service Interfaces with iWorkflow
Tenant Provider
2.5.1 Overview
In this module we will explore how to use F5’s iWorkflow platform to further abstract Application Services
and deliver those services, with a Declarative interface to Consumers.
When moving to an iWorkflow based toolchain it’s important to understand that automation in L1-3 (De-
vice Onboarding, Networking, etc) and L4-7 (Deployment of Virtual Servers, Pools, etc) is separated and
delivered by different features.
L1-3 Networking and Device Onboarding are highly specific to the particular environment the BIG-IP in-
stances are deployed on. The onboarding process for various platforms and ecosystems is very different
due to differences in the L1-3 capabilities and APIs of each platform. As a result F5 publishes specific
documentation and guidance for each of these environments:
• Public Cloud:
– AWS/Azure/GCP/etc.: http://clouddocs.f5.com/cloud/public/v1/
• Private Cloud:
– OpenStack: http://clouddocs.f5.com/cloud/openstack/
– VMware: https://f5.com/solutions/technology-alliances/vmware
iWorkflow enables generic functionality in all of these environments by using a BIG-IP Cloud Connector.
This connector allows iWorkflow to utilize BIG-IP devices running on any of these environments.
Note: F5 BIG-IP also supports integration with Container Ecosystems. However, in these environments
iWorkflow may not be required. For more information you can refer to:
• Container Ecosystems:
– Cloud Foundry: http://clouddocs.f5.com/containers/latest/cloudfoundry/
– Kubernetes: http://clouddocs.f5.com/containers/latest/kubernetes
– Mesos Marathon: http://clouddocs.f5.com/containers/latest/marathon
91
– RedHat OpenShift: http://clouddocs.f5.com/containers/latest/openshift/
In this lab we will use the Runner, introduced in previous labs to complete the onboarding of the F5 iWork-
flow device. The onboarding process creates the initial configuration required to start creation of Service
Catalog Templates.
92
iWorkflow Overview
Before looking at the details of the onboarding process, lets discuss the new components iWorkflow intro-
duces to our toolchain.
Device Discovery
In order for iWorkflow to interact with a BIG-IP device it must be discovered by iWorkflow. The device
discovery process leverages the existing CMI Device Trust infrastructure on BIG-IP. Currently there is a
limitation that a single BIG-IP device can only be ‘discovered’ by ONE of iWorkflow or BIG-IQ CM at a time.
In this lab will we discover the existing BIG-IP devices from your lab environment.
iWorkflow implements a Tenant/Provider interface to enable abstracted deployments of L4-7 Services into
various environments. In conjunction, iWorkflow Connectors serve as the L1-3 Network and Device On-
boarding automation component in the automation toolchain. In this lab we will create a ‘BIG-IP Connector’
for the BIG-IP devices in the lab environment. This connector will then allow you to drive a fully automated
deployment from the iWorkflow Service Catalog.
iApp Templates
iWorkflow serves as an iApp Template Source-of-Truth for discovered BIG-IP devices. This allows an F5
administrator to manage iApp templates in a single place with iWorkflow installing required templates on
BIG-IP devices as required during service deployment.
The process implemented in the Lab 3.1 - iWorkflow Onboarding folder of the Postman collection
is diagrammed below.
Note: The diagram below represents environment variables in blue. You can follow the lines on each
variable to understand which request populates the variable and how they are subsequently used.
93
Start iWorkflow Onboarding
Token-Based Authentication
In this task we will use the Runner to execute a series of requests contained in the Lab 3.1 - iWorkflow
Onboarding folder.
Perform the following steps to build the cluster:
1. Click the Runner button at the top left of your Postman window:
2. Select the F5 Programmability: Class 1 Collection then the Lab 3.1 - iWorkflow
Onboarding folder. Next, be sure the environment is set to F5 Programmability: Class 1:
95
96
3. Click the Run Lab 3.1 - iWor. . . button
4. The results window will now populate. You will see each request in the folder is sent and it’s associated
test results are displayed on the screen. Onboarding iWorkflow can take a few minutes. You can follow
the progress by scrolling down the results window.
5. Once the Run Summary button appears the folder has finished running. You should have 0 fail-
ures and the last item in the request list should be named Install App Services Template on
iWorkflow
6. At this point you can log into iWorkflow using Chrome at https://10.1.1.12 and admin/admin
credentials. Click Clouds and Services at the top of the window:
97
7. Browse the various panes to see what was created:
98
Lab 3.2: Create a Declarative Service Catalog
In the introduction to this module we discussed the importance of using Service Templates to build a
Declarative Service Catalog. This lab will show to create a few examples of Service Templates (Tem-
plates). It’s important to understand that while the packaged examples used in this lab are great starting
points, you should use them as a starting point for creating your own Service Catalog that meets the
requirements of your environment.
We will explore the first example in depth so you can gain an understanding of how the templates are
structured. For the remaining templates you can just repeat the steps used with the first example.
The templates used in this lab all have a version number appended to the name (Example:
f5-http-lb-v1.0). It’s important that this pattern is followed in your environment. Explicitly version-
ing the templates allows for migration between template versions in a stable manner. Without versioning
any changes to the template could result in every deployment associated with the template being modified
at the same time. With versioning, the application owner or F5 administrator can choose to either migrate
all deployments at the same time OR perform the migration on a per deployment manner.
In this task we will use the Runner to quickly create our sample Service Templates. Perform the following
steps to complete this task:
1. Click the Runner button at the top left of your Postman window.
2. Select F5 Programmability: Class 1 → Lab 3.2 - Create a Declarative Service Catalog folder.
3. Select the F5 Programmability: Class 1 environment
4. Click the Run Lab 3.2 - Crea. . . button and wait for the run to complete. Verify no errors were
encountered.
5. Open the iWorkflow GUI in Chrome by navigating to https://10.1.1.12
6. Expand the Service Templates panel and verify all the templates have been created:
99
Task 2 - Explore the f5-http-lb-v1.0 Template
Now that we’ve created our Templates let’s review one of them in depth.
Perform the following steps to complete this task:
1. Open the f5-http-lb-v1.0 Template by double clicking it:
100
2. Let’s examine the Properties pane.
3. Select All in the Displayed Parameters section:
4. This pane shows detailed information about the Template such as:
• iApp Template Name & Version the Service Template is using
• The Connectors/Clouds that may use this template
• A control that toggles which Parameters are displayed in the pane
• The input Sections and Fields (collapsed in screenshot) for the iApp Template
101
5. In the Sections portion of the pane, find the Virtual Server Listener & Pool Configuration section. Click
the triangle to expand the section:
6. You can now see all the input fields associated with this section of the iApp template. These fields
are defined by the iApp Template itself. In the previous lab, when we installed the App Services iApp
Template, iWorkflow created a internal representation of the input fields used in the iApp template.
iWorkflow then allows you to create a template that:
• Define which fields are Tenant Editable, therefore exposed to the Tenant interface
• Setting a default value for the field
102
– If the field is NOT Tenant Editable the default value is sent during a Service Deployment,
however, the Tenant cannot see or modify the value
– If the field is Tenant Editable the default value is populated for the Tenant and the Tenant
may edit it during a Service Deployment
Note: The App Services iApp Template has been specifically designed to integrate with iWorkflow
and Automation use cases. While any iApp template that is properly versioned can be used with
iWorkflow, you should consider whether the template was designed for Automation use cases or not.
Many iApp templates were designed for a GUI or Wizard based interaction through the BIG-IP TMUI
GUI. As a result those templates may not present a good API interface.
7. In addition to simple text fields, iApp templates also support table based input. The App Services iApp
uses this capability to allow input of more complex data such as Pools, Pool Members and Layer 7
Routing Policies. iWorkflow allows you to have granular control over how the Tenant can interact with
a table. Let’s find the pool__Pools table and click the triangle to expand it:
Note: To accomodate screen size this screenshot does not show all the columns in the table.
103
The highlighted sections in the image above correspond to the capabilities in the list below:
• [1] Definition of the Min and Max number of rows in a table
– Example: Define a fixed number or limit for the number of Pools a Tenant can deploy
• [2] Default Values for each column in a table
– Example: Define a default Load Balancing Method for deployed Pools
• [3] Tenant Editable flag for each column in the table
– Example: Only allow the Tenant to control the Load Balancing Method and Name of a Pool,
while defaulting all other values.
• [4] Default Rows that auto-populate a desired input for the Tenant. Each row can have a No
Access, Read-Only or Write ACL applied.
– Example: Define a Service that allows URL Based Content Routing to only two pools.
104
9. The preview window shows how the Tenant UI would present the Service Template. As you can
see the interface is vastly simplified and only Tenant Editable fields are shown. Because the true
deployment details are filtered from the Tenant, the Service Deployment requires much less Domain
Specific Knowledge. Keep in mind that while the Tenant interface may be simple, you can still
leverage advanced functionality in the Service Template.
Using the pattern in the last task explore the other Service Templates that were created earlier. A description
of each Service Template is included in the table below. In all cases the Template has been configured with
the appropriate Monitors, Profiles and Options for the use case.
105
Lab 3.3: Deploy L4-7 Services
Up to this point we have spent a lot of time building our toolchain to create a Declarative Service Catalog.
We are now at the point where we can perform a Declarative, Abstracted Service Deployment using the
iWorkflow Tenant Service Catalog, Tenant API and optionally the built-in Tenant GUI.
As we did in the previous lab we will explore the first deployment in depth so you can implement a full
Service Lifecycle: Create, Read, Update and Delete (CRUD) operations. For the remaining deployments
you can just repeat the steps used with the first example.
Tenant Overview
iWorkflow Tenants allow Consumers to perform Service Lifecycle operations in an isolated environment.
All actions performed prior to this lab have been in what’s called the Provider space and, by nature, are
masked from Tenants unless specifically exposed. As a result of the Tenant isolation, each Tenant maintains
its own set of Users and Roles associated with those users, allowing each Tenant full control of the actions
Tenant Users can perform.
During our iWorkflow Onboarding process in Lab 3.1 we created a Tenant named MyTenant and an as-
sociated Tenant User with a username of tenant. Additionally we gave MyTenant access to the BIG-IP
Connector named BIG-IP A&B Connector:
106
This gives the tenant user the ability to perform CRUD operations on Service Deployments.
Note: Service Templates can also be assigned to specific Cloud Connectors, allowing you to restrict the
use of Templates to a specific Tenant and set of BIG-IP resources.
iWorkflow provides a Tenant UI that can act as a simple self-service portal for Tenants. In this lab we’ll use
the Tenant UI to monitor the results of various actions we take via the iWorkflow Tenant API.
Perform the following steps to complete this task:
1. Open a new Chrome window/tab and connect to https://10.1.1.12
2. Use the MyTenant Tenant User credentials to login:
• Username: tenant
• Password: tenant
3. You will see a user interface that looks similar to the Provider UI, however, the access is limited
to Tenant specific objects. You can see a list of available Service Templates and Clouds with their
associated Connectors:
107
Task 2 - Authenticate to the iWorkflow Tenant API
As described above, the Tenant interfaces to iWorkflow maintain their own access control mechanisms. As
a result, when performing operations via the Tenant API you must authenticate with a Tenant User (tenant
in this case).
Perform the following steps to complete this task:
1. In Postman expand the Lab 3.3 - Deploy L4-7 Services folder in the collection.
2. Click the Authenticate and Obtain Token for Tenant User request and examine the
JSON request Body. Notice that we are sending the credentials for the Tenant User (tenant). This
request will automatically populate the iwf_tenant_auth_token variable in the Postman environ-
ment so it can be used by subsequent requests.
3. Click the Send button on the Authenticate and Obtain Token for Tenant User request.
Check the Test Results tab to ensure the token was populated.
4. Click the Set Tenant Authentication Token Timeout request and click the Send button.
This request will increase the timeout value for the token so we can complete the lab without hav-
ing to re-authenticate.
In this task we will perform CRUD operations on Service Deployments demonstrating a full Service Lifecycle
for a Tenant Service.
Create
108
1. Click the Deploy example-f5-http-lb Service request in the folder.
2. Examine the URI. Notice that the variable iwf_tenant_name is used to specify the Tenant we are
performing the operation on. In this case iwf_tenant_name is set to MyTenant in the Postman
environment:
109
4. Click the Send button to Create the Service Deployment
5. Switch to the Chrome iWorkflow Tenant UI window. The example-f5-http-lb Service is now
present in the L4-L7 Services pane. Double click the Service and examine its properties. You can
compare the values in the UI to the JSON Request Body from the step above.
110
6. Open a Chrome window/tab to the BIG-IP A GUI at https://10.1.1.10 and login with admin/
admin credentials. Navigate to iApps → Application Services. Select example-f5-http-lb from
the list of deployed services and examine the Components of the deployed service:
Update
111
2. We will send a PUT request to the Resource URI for the existing deployment and add a Pool Member
as shown in the JSON Request Body :
112
5. Update the BIG-IP GUI and notice that the Components tree has been updated:
113
Read
Delete
114
4. Update the iWorkflow Tenant UI and verify that the Service has been deleted:
5. In the BIG-IP GUI navigate to iApps → Application Services and verify the service was deleted.
115
Task 3 - Deploy Additional Services
Examples Create requests are included in the Lab 3.3 - Deploy L4-7 Services folder. For the
remaining services refer to the table below to see which ones apply most to your specific use cases. You
can repeat the steps in Task 2 for the additional services by modifying the requests as needed.
116
While the focus so far has been on building Declarative Interfaces with iWorkflow, it’s important to note
iWorkflow can also help simplify Imperative operations to BIG-IP devices when needed.
iWorkflow includes a REST proxy that allows pass-through of REST requests to devices discovered on
iWorkflow. The REST proxy feature allows customers to simplify Imperative Automation by:
• Providing a centralized API endpoint for BIG-IP infrastructure
– No need to communicate with individual BIG-IP devices, only with iWorkflow
• Simplified authentication
– Strong authentication can be implemented at iWorkflow rather than on each BIG-IP
• Simplified Role Based Access Control (RBAC)
– RBAC can be implemented at iWorkflow for all devices rather than on individual devices in the
environment
The REST proxy works by passing data sent to a specific URL through to the BIG-IP device. The root URL
for a particular devices REST proxy is:
/mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/
<device_uuid>/rest-proxy/
Any URL segments included after .../rest-proxy/ are forwarded unaltered to the BIG-IP device. Query
parameters (e.g. ?expandSubcollections=true) are also passed unaltered along with the request type
and request body.
In this task we will perform a sample CRUD operation utilizing the REST Proxy. The intent of this task is to
show the basic mechanism used to perform these tasks. Simply changing the URL to include the iWorkflow
REST Proxy root for that device could easily change all the Imperative operations we have completed in
this lab to use the REST Proxy.
Perform the following steps to complete this task:
1. Expand the Lab 3.4 - iWorkflow REST Proxy folder in the Postman collection.
2. Click the Step 1: Create pool on BIG-IP A. Examine the request type, URL and JSON
body. Essentially we are performing a POST to the ‘/mgmt/tm/ltm/pool’ collection on BIG-IP A. The
last part of the URL includes this URI path (the part after .../rest-proxy/). The JSON body and
all other parameters are passed unaltered. Also, notice that we are still using our iWorkflow Token to
Authenticate, not the BIG-IP one in the Headers tab.
117
3. Click the Send button and examine the response.
4. Complete Steps 2-5 for the remaining items in the Lab 3.4 - iWorkflow REST Proxy collection.
Examine each request carefully so you understand what is happening.
118
2.6 Conclusion
Basics
Authentication
REST Basics
In this class we learned the base concepts and skills required to effectively automate the F5 BIG-IP platform.
The diagram above shows a high-level view of the different components to this base level of knowledge. In
subsequent classes we will expand on the core concepts and knowledge learned in this class.
This content has been created with a DevOps methodology and fully Continuous Toolchain. All content
contained here is sourced from the following GitHub repository:
https://github.com/f5devcentral/f5-automation-labs/
Bug Reports and Requests for Enhancement are handled in two ways:
• Fork the Github Repo, fix or enhance as required, and submit a Pull Request
– https://help.github.com/articles/creating-a-pull-request-from-a-fork/
• Open an Issue within the repository.
Lastly, this content would not be possible without the contributions from many F5 Employees, Partners, and
Customers. A full list of contributors to this content can be found at:
https://github.com/f5devcentral/f5-automation-labs/graphs/contributors
119
120
Class 2: Building Continuous Delivery Pipelines
3
This class covers the following topics:
• Continuous Integration(CI) and Continuous Delivery(CD) Concepts
• F5 Automation Toolkits:
– F5-Super-NetOps-Container
– F5 Postman Collections and f5-postman-workflows extensions
– F5 f5-newman-wrapper for Automating Workflows
• Building CI/CD Pipelines with Jenkins
• Team Collaboration with Automated Slack Notifications
The entire class will be run from within the F5 Lab Created environment, for access to the lab please ask
your instructor, or continue with the self-paced labs from f5.com/supernetops.
Note: If you are running this lab independent from Class 1 you will want to restore BIGIP-A from UCS
bigip-a-module3.ucs located in the in_case_of_emergency folder. Not restoring BIGIP-A will
result in services unable to be accessed and nodes/pool members offline. This restore MUST be done via
TMSH with a no-license flag.
In this module, we will explore how to use the f5-super-netops-container toolkit to easily integrate various
F5 Automation, Orchestration, Super-NetOps and DevOps tools, along with framework technologies.
The f5-super-netops-container is meant to be provided as a technical leave behind, a functional solution
that contains tools (which we will use in this Class) and documentation around F5 Cloud Solutions. The
container is continuously updated to always include our latest information.
The labs in this module will show you how to install the f5-super-netops-container image; you can also start
it in your local environment and access the same various tools and documentation.
121
To install the f5-super-netops-container, your system must support running Docker Community Edition (CE).
Please refer to https://docs.docker.com/engine/installation/#platform-support-matrix for more information.
This toolkit is fully open source and is on GitHub at https://github.com/f5devcentral/
f5-super-netops-container
Open Root Terminal from your desktop and test your Docker CE setup is functional with the hello-world
container; run the following command
docker run --rm hello-world
Example output:
Share images, automate workflows, and more with a free Docker ID:
https://cloud.docker.com/
Note: The --rm option will delete the container as soon as it stops running.
If you see this message: Cannot connect to the Docker daemon. Is the docker daemon running on
this host?, it is likely that you don’t have enough privileges with your user, try to use sudo when executing
docker commands.
If you want to remove the hello-world container, you can run the command sudo docker rmi
hello-world If your container is running, you cannot remove the image. You can issue the following
commands in that case (this will stop ALL your container instances): sudo docker stop $(docker ps
-aq)
In this lab we will use the docker cli tools to obtain and start the f5-super-netops-container image.
122
Task 1 - Obtain and verify the container image
$ docker images
REPOSITORY TAG IMAGE ID
˓→CREATED SIZE
f5devcentral/f5-super-netops-container jenkins b71fc40407e4
˓→2 weeks ago 490MB
123
Note: The image requires Internet connectivity to download the latest versions of tools and documentation.
Please ensure you have proper connectivity from your host prior to starting the image. If you need to use a
proxy please refer to the documentation at https://docs.docker.com
The image will now start and load resources from the Internet. This process may take a while depending on
the speed of your connection. When the startup process is complete you will be presented in the root user
prompt. You can interact with the image with standard Linux commands. In the next lab we will connect to
the image via SSH and HTTP.
The -p option publishes a L4 port from the container to the host. For example the -p 8080:80 option will
redirect port 8080 on the host system to port 80 in the container.
The -it option will make the session interactive and allocate a pseudo-TTY
The -e option will specify a Github Branch, in this case we are pulling from master
The f5devcentral/f5-super-netops-container:jenkins option is the name associated with the
image we obtained in Task 1.
Example startup output:
container:jenkins
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[environment] SNOPS_HOST_SSH=2222
[environment] SNOPS_REPO=https://github.com/f5devcentral/f5-super-netops-container.git
[environment] SNOPS_AUTOCLONE=1
[environment] SNOPS_HOST_IP=172.17.0.2
[environment] SNOPS_ISALIVE=1
[environment] SNOPS_GIT_HOST=github.com
[environment] SNOPS_REVEALJS_DEV=0
[environment] SNOPS_HOST_HTTP=8080
[environment] SNOPS_IMAGE=jenkins
[environment] SNOPS_GH_BRANCH=master
Reticulating splines...
Becoming self-aware...
[cloneGitRepos] Retrieving repository list from https://github.com/f5devcentral/f5-
˓→super-netops-container.git#develop
124
[cloneGitRepos][4/7] Cloning f5-postman-workflows#develop from https://github.com/
˓→0xHiteshPatel/f5-postman-workflows.git
SSH tcp/22
HTTP tcp/80
To access these services you may need to remap ports on your host to the
local container using the command:
HTTP: http://localhost:8080
SSH: ssh -p 2222 snops@localhost
Default Credentials:
snops/default
root/default
125
Go forth and automate!
[root@f5-super-netops] [/] #
When running containers it’s important to understand how you launched it, ours was launched as a fore-
ground process, if you typed the exit command in the running container it will shutdown. In order to avoid
this you should detach from the container once it has completed booting. You can still perform functions by
using SSH to access the container as explained in the next lab.
Its likely that the installation of the f5-super-netops-container will not be on a localhost while running in a
large environment, the steps below show how you can leave this instance running as a background process,
if needed.
˓→NAMES
˓→loving_montalcini
1. Execute docker ps
Example output:
hostname:~ user$ docker ps
$ docker ps
CONTAINER ID IMAGE
˓→COMMAND CREATED STATUS PORTS
˓→
˓→NAMES
126
4cf75944bfbc f5devcentral/f5-super-netops-container:jenkins "/
˓→init /snopsboot/..." 2 minutes ago Up 2 minutes 8000/tcp, 50000/
˓→tcp, 0.0.0.0:2222->22/tcp, 0.0.0.0:8080->80/tcp, 0.0.0.0:10000->8080/tcp
˓→loving_montalcini
|------------|
^- YOUR CONTAINER ID
2. Copy the value under the CONTAINER ID column that correspond to the f5devcentral/f5-super-
netops-container:jenkins image.
3. Execute docker attach <container_id>
4. You may have to hit <Enter> twice to display the command prompt
5. Detach the container again by entering <Ctrl+p+q>
In the previous lab we started the container image and were presented in a root user terminal. In order to
use the container and its associated tools properly we will connect via SSH and/or HTTP.
To connect to the image via SSH we must use the published port specified in the docker run command.
To review the command used to start the container was:
docker run -p 8080:80 -p 2222:22 -p 10000:8080 --rm -it -e
SNOPS_GH_BRANCH=master f5devcentral/f5-super-netops-container:jenkins
This will publish the standard SSH service from TCP/22 to TCP/2222. In the case of the SSH service the
following mapping applies:
localhost:2222 -> f5-super-netops-container:22
The container includes the snops user with a password of default.
ssh -p 2222 snops@localhost
Note: The host SSH keys for our environment are regenerated each time the container boots, you may
receive an error when trying to connect indicating the host key has changed. This error is safe to ignore in
this case and can be resolved by removing the key from ~/.ssh/known_hosts. You can also configure
your local SSH config by adding the following to ~/.ssh/config:
Host localhost
Port 2222
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
127
_.._ / /_
.' .._/ '''--.
| ' '___ `.
__| |__ `'. |
|__ __| ) |
| | ......-' /
| | \ _..'`
| | '------'''
| | _
|_| | |
___ _ _ _ __ ___ _ __ _ __ ___| |_ ___ _ __ ___
/ __| | | | '_ \ / _ \ '__| ______ | '_ \ / _ \ __/ _ \| '_ \/ __|
\__ \ |_| | |_) | __/ | |______|| | | | __/ || (_) | |_) \__ \
|___/\__,_| .__/ \___|_| |_| |_|\___|\__\___/| .__/|___/
| | | |
|_| |_|
SSH tcp/22
HTTP tcp/80
To access these services you may need to remap ports on your host to the
local container using the command:
HTTP: http://localhost:8080
SSH: ssh -p 2222 snops@localhost
Default Credentials:
snops/default
root/default
To connect to the image via HTTP we use the published port specified in the docker run command. To
review the command used to start the container was:
docker run -p 8080:80 -p 2222:22 -p 10000:8080 --rm -it -e
SNOPS_GH_BRANCH=master f5devcentral/f5-super-netops-container:jenkins
This will publish the standard HTTP service from TCP/80 to TCP/8080. In the case of the HTTP service
the following mapping applies:
128
localhost:8080 -> f5-super-netops-container:80
Open Chrome on your Linux Jumphost and enter the URL:
http://localhost:8080/start
You should see a page like this:
To connect to the image via Jenkins we use the published port specified in the docker run command. To
review the command used to start the container was:
docker run -p 8080:80 -p 2222:22 -p 10000:8080 --rm -it -e
SNOPS_GH_BRANCH=master f5devcentral/f5-super-netops-container:jenkins
This will publish the standard Jenkins service from TCP/8080 to TCP/10000. In the case of the Jenkins
service the following mapping applies:
10.1.1.8:10000 -> f5-super-netops-container:8080
To connect to Jenkins open a web browser and enter the URL:
http://localhost:10000
You should see a page like this:
129
3.2 Module 2: F5 f5-postman-workflows & f5-newman-wrapper
In the previous Class you may have found the tasks associated with checking various response values and
populating environment variables very tedious. In addition to being tedious, these tasks are not fundamen-
tally automatable due to the requirement for human interaction.
In order to assist users with automating the F5 BIG-IP platform we have developed a set of tools that can
be used with the Postman REST Client (http://getpostman.com).
The tools are:
• f5-postman-workflows
– Provide re-usable JavaScript functions that ease testing of API responses and populating envi-
ronment variables
– Implement a delay-based polling mechanism
• f5-newman-wrapper
– Allow users to easily assemble Postman collections into workflows
– Enabled integration with third-party tools such as Ansible, Chef & Puppet
This framework allows collection developers to create automatable collections that include full testing of
response values, population of environment variables to establish chains of requests and time-based polling
to allow long-lived API processes time to complete.
Users can then interact with these collections via the Postman GUI client, run the collections with the
Postman Runner or the Newman CLI client.
This lab module will walk you through using the tools. If you are interested in developing collections us-
ing the f5-postman-workflows framework please visit the official GitHub repository at https://github.com/
0xHiteshPatel/f5-postman-workflows
130
3.2.1 Lab 2.1: Install the f5-postman-workflows Framework
In this lab you will walk through installing the f5-postman-workflows framework into the Postman REST
Client.
In this task you will Import a Postman Collection that contains Installation helpers, Examples and a auto-
mated Test Framework. The collection is installed from the f5-postman-workflows GitHub repository.
Perform the following steps to complete this task:
To utilize the helper functions the framework includes, we must install those functions into the Postman
Client. The installation helpers perform the following tasks:
1. Determine the most current version of the framework
2. Dynamically minify the JavaScript code from the f5-postman-workflows GitHub repository using
Google’s Closure Compiler
3. Install the minified JS code into a Postman Global Variable
4. Set a number of Global variables that allow you to configure various options
To install the framework complete the following tasks:
1. Open the F5_Postman_Workflows collection
2. Open the Install folder
3. Select the Check f5-postman-workflows Version item and click ‘Send’
4. Examine the ‘Tests’ portion of the RESPONSE:
131
5. Select the Install/Upgrade f5-postman-workflows item and click ‘Send’
6. Examine the ‘Tests’ again and ensure that Installation was successful:
7. Click the ‘Eye’ button in the top right of the Postman window and examine the Global variables that
have been populated
132
The f5-postman-workflows framework is now installed in your Postman client.
In this lab we will walk through how to obtain two collections, and then we’ll use the f5-postman-workflows
framework to execute a simple workflow using the Postman GUI client. The f5-postman-workflows GitHub
repository is continually updated with new collections that can be used as is, or customized, to automate
the F5 platform. Additionally, the f5-super-netops-container automatically downloads these and other tools
so users can rapidly execute workflows in their environments.
133
Postman collections also serve as a reference example of how various tasks can be accomplished using
an Imperative process. When executing a collection you are actually providing a Declarative input to an
Imperative process.
Collections are self-documenting, and we will explore how to access the included documentation to assem-
ble a workflow from beginning to end. In the next lab we will use this base knowledge to create workflows as
JSON templates that can be executed by the f5-newman-wrapper on the f5-super-netops-container image
(or any system that has Newman installed)
First, we will import two collections to Postman using the same steps in the previous labs. The two dif-
ferent collections will allow us to perform REST API Authentication to BIG-IP devices and then execute
Operational actions on the BIG-IP device. We are stitching together two Imperative process’s.
Execute the following steps to complete this task:
1. Click Import -> Import from Link and import both of these collection URLs:
• https://raw.githubusercontent.com/0xHiteshPatel/f5-postman-workflows/
master/collections/BIG_IP/BIGIP_API_Authentication.postman_collection.
json
• https://raw.githubusercontent.com/0xHiteshPatel/f5-postman-workflows/
master/collections/BIG_IP/BIGIP_Operational_Workflows.
postman_collection.json
2. You should now have two additional Collections in the sidebar:
• BIGIP_API_Authentication
• BIGIP_Operational_Workflows
3. Expand the BIGIP_API_Authentication collection. Within the collection you will see one folder
named 1_Authenticate. Folders are used to organize various workflows within a collection. In this
case this collection performs exactly one task, authentication, therefore one folder is present.
4. Expand the 1_Authenticate folder. Notice there are three requests in the folder. These three
requests will be executed in a synchronous manner (one-after-another).
5. Click the ... icon on the 1_Authenticate folder, then click Edit
134
6. In the opened window you will see documentation explaining what the requests in this folder accom-
plish. Additionally you will see a series of Input and Output variables. Unless marked otherwise it is
assumed that all Input variables are required. In this case the bigip_token_timeout variable is
optional.
Folders may also contain output variables that are set to pass data between requests in different
collections (A Waterfall). In this case the output variable is named bigip_token and contains the
authentication token that can be sent in the X-F5-Auth-Token HTTP header to perform authentica-
tion.
7. Close the window by clicking ‘Cancel’
8. Repeat the steps above and explore the BIGIP_Operational_Workflows collection, specifically
the 4A_Get_BIGIP_Version folder
In this task we will explore how to chain two folders together and manually execute a workflow. This example
is simple, but should help illustrate how we can use folders as building blocks that can be assembled or
chained together to construct a workflow.
We will use the 1_Authenticate folder in the BIGIP_API_Authentication collec-
tion and then pass the authentication token to the 4A_Get_BIGIP_Version folder in the
BIGIP_Operational_Workflows collection.
Execute the following steps to complete this task:
1. Create a new Postman environment by clicking the Gear icon -> Manage Environments -> Add.
2. Name the environment Lab 2.2 and populate the following key/value pairs:
• bigip_mgmt: 10.1.1.4
• bigip_username: admin
• bigip_password: admin
3. Click the ‘Add’ button, then close the ‘Manage Environments’ window.
135
4. Select the Lab 2.2 environment:
The preceding steps configured the Input Variables required for all the folders that comprise our workflow.
We will now manually execute all the requests in the folders.
1. Expand the BIGIP_API_Authentication -> 1_Authenticate folder.
2. Select the Authenticate and Obtain Token item and click Send
3. Examine the Tests in the response portion of the request. All the tests should be passing. Addition-
ally you should see a test similar to:
[Populate Variable] bigip_token=....
These test items and their corresponding actions (populating a variable in this case) are generated by
the f5-postman-workflows framework.
4. Examine your Postman Environment variables and confirm that the bigip_token variable is present
and populated.
136
5. Select the Verify Authentication Works request in the folder and click ‘Send’. Examine the
Tests and ensure they are all passing
6. Select the Set Authentication Token Timeout request, click Send and verify all Tests pass.
At this point we have successfully authenticated to our device and stored the authentication token in the
bigip_token environment variable. We will now execute a request in a different collection and folder that
uses the bigip_token variable value to authenticate and perform its actions.
1. Expand the BIGIP_Operational_Workflows -> 4A_Get_BIGIP_Version folder.
2. Click the Get Software Version request.
3. Click the ‘Headers’ tab. Notice that the value for the X-F5-Auth-Token header is populated with the
bigip_token variable value.
Note: Postman uses the {{variable_name}} syntax to perform variable value substitution.
137
4. Click ‘Send’ to send the request. Examine the Tests and ensure all tests have passed.
5. Examine your environment variables and note that the bigip_version and bigip_build variables
are now populated.
While the example above was simple, it should show how we can chain together different collections and
folders to assemble custom workflows. The key concepts to understand are:
• The f5-postman-workflows framework and collection test-code performs unit tests on the response
data, and verifies the request executed successfully.
• The framework also populates Output Variables as documented so they can be used in subsequent
requests as Inputs to assemble a workflow
Next, we will explore how to use this base knowledge to assemble various collections and folders into
workflows using Newman and the f5-newman-wrapper.
As shown in the previous lab, we can manually execute collections and folders using the Postman GUI to
achieve end results on BIG-IP devices. While this capability is important in a test/prototyping phase, we
need to ensure we can execute these manual steps as an automated process.
To achieve this goal we can use the f5-newman-wrapper tool. This tool allows a user to specify a workflow
in a JSON formatted file, this includes Input Variables, the collections and folders, and executes various
output options to provide feedback and run details in a programmatic fashion.
The core element of a workflow that can be executed by f5-newman-wrapper is a JSON formatted input
file. In this lab we will introduce the file format.
To introduce the format of the workflow file we will use an example that recreates the simple workflow we
executed manually in the previous lab. We will explore the file in sections followed by showing the whole
file.
138
Define Name and Description
1 {
2 "name":"Wrapper_Demo_1",
3 "description":"Execute a chained workflow that authenticates to a BIG-IP and
˓→retrieves it's software version"
4 }
This section defines how f5-newman-wrapper will run this workflow. The attributes are explained in the table
below.
1 {
2 "globalEnvVars":"../framework/f5-postman-workflows.postman_globals.json",
3 "globalOptions": {
4 "insecure":true,
5 "reporters":["cli"]
6 },
7 "saveEnvVars":true,
8 "outputFile":"Wrapper_Demo_1-run.json",
9 "envOutputFile":"Wrapper_Demo_1-env.json"
10 }
Attribute Description
globalEnvVars This is the file that contains the Global environment variables used by Newman.
This file is generated by the f5-postman-workflows build scripts and contains the
same global variables as we saw in the previous lab that installed the framework
into the Postman GUI client
globalOptions Specify the global options for newman. Available options are documented at: https:
//github.com/postmanlabs/newman#api-reference
Note: Removing the cli option from the reporters array will disable verbose
CLI output
saveEnvVars Save the environment variables at the end of the run to a file
outputFile The file to save the run details to.
envOutputFile The file to save the environment variables at the end of the run to.
This section specifies the Input Variables for the workflow. The name globalVars conveys that the vari-
ables defined here will be present for each request in the defined workflow (the global scope from a workflow
perspective). Variables can also be defined within each item in a workflow (the local scope from a item per-
spective). In the case of a global and local variable that is named identically, the local scope variable will
take precedence.
1 {
2 "globalVars": {
3 "bigip_mgmt": "10.1.1.4",
139
4 "bigip_username":"admin",
5 "bigip_password":"admin"
6 }
7 }
This section defines the workflow and collections and folders that it is comprised of. The workflow attribute
is an ordered array that contains objects defining each collection and folder to run.
1 {
2 "workflow": [
3 {
4 "name":"Authenticate to BIG-IP",
5 "options": {
6 "collection":".. /collections/BIG_IP/BIGIP_API_Authentication.postman_
˓→collection.json",
7 "folder":"1_Authenticate"
8 }
9 },
10 {
11 "name":"Get BIG-IP Software Version",
12 "options": {
13 "collection":"../collections/BIG_IP/BIGIP_Operational_Workflows.
˓→postman_collection.json",
14 "folder":"4A_Get_BIGIP_Version"
15 }
16 }
17 ]
18 }
1 {
2 "name":"Authenticate to BIG-IP",
3 "options": {
4 "collection":".. /collections/BIG_IP/BIGIP_API_
˓→Authentication.postman_collection.json",
5 "folder":"1_Authenticate"
6 }
7 }
The name attribute specifies the name for this item. The options object specifies the parameters used
to execute this particular item. In our case the collection attribute refers to the file containing the
BIGIP_API_Authentication collection. The folder attribute specifies the name of the folder to run in
the collection.
By default all output variables from a collection or folder are passed to the next item in the workflow. This
allows us to chain collections together as needed to build workflows.
1 {
2 "name":"Wrapper_Demo_1",
140
3 "description":"Execute a chained workflow that authenticates to a BIG-IP
˓→ and retrieves it's software version",
4 "globalEnvVars":"../framework/f5-postman-workflows.postman_globals.json",
5 "globalOptions": {
6 "insecure":true,
7 "reporters":["cli"]
8 },
9 "globalVars": {
10 "bigip_mgmt": "10.1.1.4",
11 "bigip_username":"admin",
12 "bigip_password":"admin"
13 },
14 "saveEnvVars":true,
15 "outputFile":"Wrapper_Demo_1-run.json",
16 "envOutputFile":"Wrapper_Demo_1-env.json",
17 "workflow": [
18 {
19 "name":"Authenticate to BIG-IP",
20 "options": {
21 "collection":".. /collections/BIG_IP/BIGIP_API_
˓→Authentication. postman_collection.json",
22 "folder":"1_Authenticate"
23 }
24 },
25 {
26 "name":"Get BIG-IP Software Version",
27 "skip":false,
28 "options": {
29 "collection":".. /collections/BIG_IP/BIGIP_
˓→Operational_Workflows. postman_collection.json",
30 "folder":"4A_Get_BIGIP_Version"
31 }
32 }
33 ]
34 }
In this lab we will use the f5-super-netops-container to run the workflow we reviewed in the previous lab.
The advantage of using the f5-super-netops Container is that all the tools, collections and frameworks are
pre-installed and ready to use.
"globalVars": {
"bigip_mgmt": "10.1.1.4",
"bigip_username":"admin",
141
"bigip_password":"admin"
},
newman
BIGIP_API_Authentication
? 1_Authenticate
? Authenticate and Obtain Token
POST https://10.1.1.4/mgmt/shared/authn/login [200 OK, 1.41KB, 108ms]
X [POST Response Code]=200
X [Populate Variable] bigip_token=WYKIVPHCNASNVEC55ZDVNH5OO2
?-----------------?-------?-------?
| | executed | failed |
?-----------------?-------?-------?
| iterations | 1 | 0 |
?-----------------?-------?-------?
| requests | 3 | 0 |
?-----------------?-------?-------?
| test-scripts | 3 | 0 |
?-----------------?-------?-------?
| prerequest-scripts | 1 | 0 |
?-----------------?-------?-------?
| assertions | 8 | 0 |
?-----------------?-------?-------?
| total run duration: 297ms |
?-------------------------------?
| total data received: 1.71KB (approx) |
?-------------------------------?
| average response time: 43ms |
?-------------------------------?
[Wrapper_Demo_1-2017-03-30-04-08-12] [runCollection][Get BIG-IP Software Version]
˓→running...
142
newman
BIGIP_Operational_Workflows
? 4A_Get_BIGIP_Version
? Get Software Version
GET https://10.1.1.4/mgmt/tm/sys/software/volume [200 OK, 1.32KB, 16ms]
X [GET Response Code]=200
X [Populate Variable] bigip_version=12.1.1
X [Populate Variable] bigip_build=1.0.196
[Wrapper_Demo_1-2017-03-30-04-08-12] run completed
?-----------------?-------?-------?
| | executed | failed |
?-----------------?-------?-------?
| iterations | 1 | 0 |
?-----------------?-------?-------?
| requests | 1 | 0 |
?-----------------?-------?-------?
| test-scripts | 1 | 0 |
?-----------------?-------?-------?
| prerequest-scripts | 0 | 0 |
?-----------------?-------?-------?
| assertions | 3 | 0 |
?-----------------?-------?-------?
| total run duration: 58ms |
?-------------------------------?
| total data received: 611B (approx) |
?-------------------------------?
| average response time: 16ms |
?-------------------------------?
7. Examine the environment variables that were saved at the end of the run by executing cat
Wrapper_Demo_1-env.json
Example output:
1 {
2 "id": "c0550892-36d4-4412-bf35-a1d9aa8d2efe",
3 "values": [
4 {
5 "type": "any",
6 "value": "10.1.1.4",
7 "key": "bigip_mgmt"
8 },
9 {
10 "type": "any",
11 "value": "admin",
12 "key": "bigip_username"
13 },
14 {
15 "type": "any",
16 "value": "admin",
17 "key": "bigip_password"
18 },
19 {
20 "type": "any",
21 "value": "WYKIVPHCNASNVEC55ZDVNH5OO2",
143
22 "key": "bigip_token"
23 },
24 {
25 "type": "any",
26 "value": "1200",
27 "key": "bigip_token_timeout"
28 },
29 {
30 "type": "any",
31 "value": "12.1.1",
32 "key": "bigip_version"
33 },
34 {
35 "type": "any",
36 "value": "1.0.196",
37 "key": "bigip_build"
38 }
39 ]
40 }
Notice that the bigip_version and bigip_build variables were saved, similar to how this was shown
in the Postman GUI Environment Variables. This file is JSON formatted and can easily be used directly by
other tools to drive further automation.
In the previous lab we reviewed and ran a very simple workflow. To support more complex use cases
f5-newman-wrapper includes features to help build more complex workflows.
These features allow users to:
• Create infinitely nested items
• Rename/remap variables name pre and post run of an item
• Load variables from a saved environment file
• Define variables in the global (workflow) or local (item) scope
To explore all the available options currently implemented please refer to https://raw.githubusercontent.com/
0xHiteshPatel/f5-postman-workflows/master/framework/f5-newman-wrapper/workflow-schema.json
By using the ‘children’ array within an item in a workflow you can create nested items. In this task, we will
create a more advanced version of the workflow we used in the previous lab. This workflow will perform
authentication to two BIG-IP devices and then retrieve the software version running on each.
We will implement a workflow that is best depicted by the following branch diagram:
Start
|
|- Authenticate
| |- Authenticate to BIG-IP A
| |- Authenticate to BIG-IP B
|
|- Get BIGIP Version
144
| |- Get BIGIP Version on BIG-IP A
| |- Get BIGIP Version on BIG-IP B
|
Stop
To implement this workflow we need to consider how Input Variables are passed to each item in the work-
flow. Previously, we saw that the following variables are required to the the 1_Authenticate folder in the
BIGIP_API_Authentication collection:
• bigip_mgmt
• bigip_username
• bigip_password
The issue we encounter when building this workflow is that we, at a minimum, have different values for
bigip_mgmt because we are trying to communicate with two BIG-IP devices. To address this issue, we
could define our input variables as follows:
• bigip_a_mgmt = 10.1.1.4
• bigip_b_mgmt = 10.1.1.5
• bigip_username = admin
• bigip_password = admin
This solves the problem of providing both BIG-IP management addresses, however, it introduces an-
other issue. The 1_Authenticate folder requires that the management IP address be passed in the
bigip_mgmt input variable. To solve this issue, we will use variable name remapping to remap a globalVar
to a different name before the 1_Authenticate folder is run for each BIG-IP device. To illustrate this, we
will add more information to our diagram:
Start
|
|- Define globalVars
| |- bigip_a_mgmt = 10.1.1.4
| |- bigip_b_mgmt = 10.1.1.5
| |- bigip_username = admin
| |- bigip_password = admin
|
|- Authenticate
| |- Authenticate to BIG-IP A
| | | Pre-run: Remap bigip_a_mgmt -> bigip_mgmt
| | | Run: 1_Authenticate folder
| |
| |- Authenticate to BIG-IP B
| | | Pre-run: Remap bigip_b_mgmt -> bigip_mgmt
| | | Run: 1_Authenticate folder
|
|- Get BIGIP Version
| |- Get BIGIP Version on BIG-IP A
| |- Get BIGIP Version on BIG-IP B
|
Stop
We’ve now addressed our issues regarding defining and passing the BIG-IP management address, but
have to consider one last problem. The output variable of the 1_Authenticate folder is bigip_token.
By default f5-newman-wrapper will store all output variables from one folder and automatically pass them to
the next item. In this case, an issue occurs because the Authenticate to BIG-IP B item will overwrite
145
the bigip_token variable that was outputted by the Authenticate to BIG-IP A item. To resolve this
issue, we can remap variables AFTER or post-run of an item. We can modify our diagram to handle this
issue like this:
Start
|
|- Define globalVars
| |- bigip_a_mgmt = 10.1.1.4
| |- bigip_b_mgmt = 10.1.1.5
| |- bigip_username = admin
| |- bigip_password = admin
|
|- Authenticate
| |- Authenticate to BIG-IP A
| | | Pre-run: Remap bigip_a_mgmt -> bigip_mgmt
| | | Run: 1_Authenticate folder
| | | Post-run: Remap bigip_token -> bigip_a_token
| |
| |- Authenticate to BIG-IP B
| | | Pre-run: Remap bigip_b_mgmt -> bigip_mgmt
| | | Run: 1_Authenticate folder
| | | Post-run: Remap bigip_token -> bigip_b_token
|
|- Get BIGIP Version
| |- Get BIGIP Version on BIG-IP A
| |- Get BIGIP Version on BIG-IP B
|
Stop
The last step is to perform some additional pre-run remapping to pass the correct token to the
4A_Get_BIGIP_Version folder to get our BIG-IP software version. Additionally, we will perform some
post-run remaps so we can save the output variables for each device:
Start
|
|- Define globalVars
| |- bigip_a_mgmt = 10.1.1.4
| |- bigip_b_mgmt = 10.1.1.5
| |- bigip_username = admin
| |- bigip_password = admin
|
|- Authenticate
| |- Authenticate to BIG-IP A
| | | Pre-run: Remap bigip_a_mgmt -> bigip_mgmt
| | | Run: 1_Authenticate folder
| | | Post-run: Remap bigip_token -> bigip_a_token
| |
| |- Authenticate to BIG-IP B
| | | Pre-run: Remap bigip_b_mgmt -> bigip_mgmt
| | | Run: 1_Authenticate folder
| | | Post-run: Remap bigip_token -> bigip_b_token
|
|- Get BIGIP Version
| |- Get BIGIP Version on BIG-IP A
| | | Pre-run: Remap bigip_a_mgmt -> bigip_mgmt
| | | Pre-run: Remap bigip_a_token -> bigip_token
| | | Run: 4A_Get_BIGIP_Version folder
| | | Post-run: Remap bigip_version -> bigip_a_version
146
| | | Post-run: Remap bigip_build -> bigip_a_build
| |
| |- Get BIGIP Version on BIG-IP B
| | | Pre-run: Remap bigip_b_mgmt -> bigip_mgmt
| | Pre-run: Remap bigip_b_token -> bigip_token
| | Run: 4A_Get_BIGIP_Version folder
| | Post-run: Remap bigip_version -> bigip_b_version
| | Post-run: Remap bigip_build -> bigip_b_build
|
|- Save globarVars to file
|
Stop
Note: Collections and folders that are designed to act on multiple devices are designed to automatically
use the bigip_a_... and bigip_b_... syntax to avoid having to remap variables. In this case the
BIGIP_Operational_Workflows collection is designed to perform actions on one device at a time, thus
the need for remapping of the bigip_token input variables.
Note: Another option that is available to solve this issue is to define all variables in the local scope for each
item. This method is not preferred because it decreases portability and increases complexity in definition of
input variables.
1 {
2 "name":"Wrapper_Demo_2",
3 "description":"Execute a chained workflow that authenticates to two BIG-IPs and
˓→retrieves their software version",
4 "globalEnvVars":"../framework/f5-postman-workflows.postman_globals.json",
5 "globalOptions": {
6 "insecure":true,
7 "reporters":["cli"]
8 },
9 "globalVars": {
10 "bigip_a_mgmt": "10.1.1.4",
11 "bigip_b_mgmt": "10.1.1.5",
12 "bigip_username":"admin",
13 "bigip_password":"admin"
14 },
15 "saveEnvVars":true,
16 "outputFile":"Wrapper_Demo_2-run.json",
17 "envOutputFile":"Wrapper_Demo_2-env.json"
18 }
147
Note: As shown below, we can use the skip: true attribute to signal f5-newman-wrapper to not run
that particular item. The items children will still be processed. The skip attribute can be used to create
a container for similar requests.
1 {
2 "workflow": [
3 {
4 "name":"Authenticate to BIG-IPs",
5 "skip":true,
6 "children": [
7 {
8 "name":"Authenticate to BIG-IP A",
9 "options": {
10 "collection":"../collections/BIG_IP/BIGIP_API_Authentication.postman_
˓→collection.json",
11 "remapPreRun": {
12 "bigip_a_mgmt": "bigip_mgmt"
13 },
14 "folder":"1_Authenticate",
15 "remapPostRun": {
16 "bigip_token": "bigip_a_token"
17 }
18 }
19 },
20 {
21 "name":"Authenticate to BIG-IP B",
22 "options": {
23 "collection":"../collections/BIG_IP/BIGIP_API_Authentication.postman_
˓→collection.json",
24 "remapPreRun": {
25 "bigip_b_mgmt": "bigip_mgmt"
26 },
27 "folder":"1_Authenticate",
28 "remapPostRun": {
29 "bigip_token": "bigip_b_token"
30 }
31 }
32 }
33 ]
34 }
35 ]
36 }
The JSON above implements the following part of our branch diagram:
|- Authenticate
|- Authenticate to BIG-IP A
| | Pre-run: Remap bigip_a_mgmt -> bigip_mgmt
| | Run: 1_Authenticate folder
| | Post-run: Remap bigip_token -> bigip_a_token
|
|- Run: Authenticate to BIG-IP B
| | Pre-run: Remap bigip_b_mgmt -> bigip_mgmt
| | Run: 1_Authenticate folder
| | Post-run: Remap bigip_token -> bigip_b_token
148
Specifically, note the use of the skip attribute on line 5 to create a container to group the items together.
1 {
2 "workflow": [
3 {
4 "name":"Get BIG-IP Software Versions",
5 "skip":true,
6 "children": [
7 {
8 "name":"Get BIG-IP A Software Version",
9 "options": {
10 "collection":"../collections/BIG_IP/BIGIP_Operational_Workflows.postman_
˓→collection.json",
11 "remapPreRun": {
12 "bigip_a_mgmt": "bigip_mgmt",
13 "bigip_a_token": "bigip_token"
14 },
15 "folder":"4A_Get_BIGIP_Version",
16 "remapPostRun": {
17 "bigip_version": "bigip_a_version",
18 "bigip_build": "bigip_a_build"
19 }
20 }
21 },
22 {
23 "name":"Get BIG-IP B Software Version",
24 "options": {
25 "collection":"../collections/BIG_IP/BIGIP_Operational_Workflows.postman_
˓→collection.json",
26 "remapPreRun": {
27 "bigip_b_mgmt": "bigip_mgmt",
28 "bigip_b_token": "bigip_token"
29 },
30 "folder":"4A_Get_BIGIP_Version",
31 "remapPostRun": {
32 "bigip_version": "bigip_b_version",
33 "bigip_build": "bigip_b_build"
34 }
35 }
36 }
37 ]
38 }
39 ]
40 }
The JSON above implements the following part of our branch diagram:
|- Get BIGIP Version
|- Get BIGIP Version on BIG-IP A
| | Pre-run: Remap bigip_a_mgmt -> bigip_mgmt
| | Pre-run: Remap bigip_a_token -> bigip_token
| | Run: 4A_Get_BIGIP_Version folder
| | Post-run: Remap bigip_version -> bigip_a_version
| | Post-run: Remap bigip_build -> bigip_a_build
|
149
|- Get BIGIP Version on BIG-IP B
| | Pre-run: Remap bigip_b_mgmt -> bigip_mgmt
| Pre-run: Remap bigip_b_token -> bigip_token
| Run: 4A_Get_BIGIP_Version folder
| Post-run: Remap bigip_version -> bigip_b_version
| Post-run: Remap bigip_build -> bigip_b_build
1 {
2 "name":"Wrapper_Demo_2",
3 "description":"Execute a chained workflow that authenticates to two BIG-IPs and
˓→retrieves their software version",
4 "globalEnvVars":"../framework/f5-postman-workflows.postman_globals.json",
5 "globalOptions": {
6 "insecure":true,
7 "reporters":["cli"]
8 },
9 "globalVars": {
10 "bigip_a_mgmt": "",
11 "bigip_b_mgmt": "",
12 "bigip_username":"admin",
13 "bigip_password":"admin"
14 },
15 "saveEnvVars":true,
16 "outputFile":"Wrapper_Demo_2-run.json",
17 "envOutputFile":"Wrapper_Demo_2-env.json",
18 "workflow": [
19 {
20 "name":"Authenticate to BIG-IPs",
21 "skip":true,
22 "children": [
23 {
24 "name":"Authenticate to BIG-IP A",
25 "options": {
26 "collection":"../collections/BIG_IP/BIGIP_API_Authentication.postman_
˓→collection.json",
27 "remapPreRun": {
28 "bigip_a_mgmt": "bigip_mgmt"
29 },
30 "folder":"1_Authenticate",
31 "remapPostRun": {
32 "bigip_token": "bigip_a_token"
33 }
34 }
35 },
36 {
37 "name":"Authenticate to BIG-IP B",
38 "options": {
39 "collection":"../collections/BIG_IP/BIGIP_API_Authentication.postman_
˓→collection.json",
40 "remapPreRun": {
41 "bigip_b_mgmt": "bigip_mgmt"
42 },
43 "folder":"1_Authenticate",
44 "remapPostRun": {
150
45 "bigip_token": "bigip_b_token"
46 }
47 }
48 }
49 ]
50 },
51 {
52 "name":"Get BIG-IP Software Versions",
53 "skip":true,
54 "children": [
55 {
56 "name":"Get BIG-IP A Software Version",
57 "options": {
58 "collection":"../collections/BIG_IP/BIGIP_Operational_Workflows.postman_
˓→collection.json",
59 "remapPreRun": {
60 "bigip_a_mgmt": "bigip_mgmt",
61 "bigip_a_token": "bigip_token"
62 },
63 "folder":"4A_Get_BIGIP_Version",
64 "remapPostRun": {
65 "bigip_version": "bigip_a_version",
66 "bigip_build": "bigip_a_build"
67 }
68 }
69 },
70 {
71 "name":"Get BIG-IP B Software Version",
72 "options": {
73 "collection":"../collections/BIG_IP/BIGIP_Operational_Workflows.postman_
˓→collection.json",
74 "remapPreRun": {
75 "bigip_b_mgmt": "bigip_mgmt",
76 "bigip_b_token": "bigip_token"
77 },
78 "folder":"4A_Get_BIGIP_Version",
79 "remapPostRun": {
80 "bigip_version": "bigip_b_version",
81 "bigip_build": "bigip_b_build"
82 }
83 }
84 }
85 ]
86 }
87 ]
88 }
151
1 {
2 "globalVars": {
3 "bigip_a_mgmt": "10.1.1.4",
4 "bigip_b_mgmt": "10.1.1.5",
5 "bigip_username":"admin",
6 "bigip_password":"admin"
7 }
8 }
newman
BIGIP_API_Authentication
? 1_Authenticate
? Authenticate and Obtain Token
POST https://10.1.1.4/mgmt/shared/authn/login [200 OK, 1.41KB, 570ms]
X [POST Response Code]=200
X [Populate Variable] bigip_token=UE7W5CXWM5SJ6SZEV5A7KTAI5Q
?-----------------?-------?-------?
| | executed | failed |
?-----------------?-------?-------?
| iterations | 1 | 0 |
?-----------------?-------?-------?
| requests | 3 | 0 |
?-----------------?-------?-------?
| test-scripts | 3 | 0 |
?-----------------?-------?-------?
| prerequest-scripts | 1 | 0 |
?-----------------?-------?-------?
| assertions | 8 | 0 |
?-----------------?-------?-------?
| total run duration: 740ms |
?-------------------------------?
152
| total data received: 1.71KB (approx) |
?-------------------------------?
| average response time: 197ms |
?-------------------------------?
[Wrapper_Demo_2-2017-03-30-19-22-52] [runCollection][Authenticate to BIG-IP B]
˓→running...
newman
BIGIP_API_Authentication
? 1_Authenticate
? Authenticate and Obtain Token
POST https://10.1.1.5/mgmt/shared/authn/login [200 OK, 1.41KB, 350ms]
X [POST Response Code]=200
X [Populate Variable] bigip_token=ONQXOQPNCVOHZELKIFSPHETL3I
?-----------------?-------?-------?
| | executed | failed |
?-----------------?-------?-------?
| iterations | 1 | 0 |
?-----------------?-------?-------?
| requests | 3 | 0 |
?-----------------?-------?-------?
| test-scripts | 3 | 0 |
?-----------------?-------?-------?
| prerequest-scripts | 1 | 0 |
?-----------------?-------?-------?
| assertions | 8 | 0 |
?-----------------?-------?-------?
| total run duration: 472ms |
?-------------------------------?
| total data received: 1.71KB (approx) |
?-------------------------------?
| average response time: 123ms |
?-------------------------------?
[Wrapper_Demo_2-2017-03-30-19-22-52] [runCollection][Get BIG-IP A Software
˓→Version] running...
newman
BIGIP_Operational_Workflows
? 4A_Get_BIGIP_Version
? Get Software Version
GET https://10.1.1.4/mgmt/tm/sys/software/volume [200 OK, 1.32KB, 207ms]
153
X [GET Response Code]=200
X [Populate Variable] bigip_version=12.1.1
X [Populate Variable] bigip_build=1.0.196
?-----------------?-------?-------?
| | executed | failed |
?-----------------?-------?-------?
| iterations | 1 | 0 |
?-----------------?-------?-------?
| requests | 1 | 0 |
?-----------------?-------?-------?
| test-scripts | 1 | 0 |
?-----------------?-------?-------?
| prerequest-scripts | 0 | 0 |
?-----------------?-------?-------?
| assertions | 3 | 0 |
?-----------------?-------?-------?
| total run duration: 250ms |
?-------------------------------?
| total data received: 611B (approx) |
?-------------------------------?
| average response time: 207ms |
?-------------------------------?
[Wrapper_Demo_2-2017-03-30-19-22-52] [runCollection][Get BIG-IP B Software
˓→Version] running...
newman
BIGIP_Operational_Workflows
? 4A_Get_BIGIP_Version
? Get Software Version
GET https://10.1.1.5/mgmt/tm/sys/software/volume [200 OK, 1.32KB, 191ms]
X [GET Response Code]=200
X [Populate Variable] bigip_version=12.1.1
X [Populate Variable] bigip_build=1.0.196
?-----------------?-------?-------?
| | executed | failed |
?-----------------?-------?-------?
| iterations | 1 | 0 |
?-----------------?-------?-------?
| requests | 1 | 0 |
?-----------------?-------?-------?
| test-scripts | 1 | 0 |
?-----------------?-------?-------?
| prerequest-scripts | 0 | 0 |
?-----------------?-------?-------?
| assertions | 3 | 0 |
?-----------------?-------?-------?
| total run duration: 230ms |
?-------------------------------?
| total data received: 611B (approx) |
?-------------------------------?
| average response time: 191ms |
?-------------------------------?
[Wrapper_Demo_2-2017-03-30-19-22-52] run completed in 3s, 316.921 ms
7. Examine the environment variables that were saved at the end of the run by executing cat
154
Wrapper_Demo_2-env.json. The resulting BIG-IP software versions are now present and have
been highlighted below.
Example output:
1 {
2 "id": "d459e491-4936-4be7-a910-567f711a636a",
3 "values": [
4 {
5 "type": "any",
6 "value": "10.1.1.4",
7 "key": "bigip_a_mgmt"
8 },
9 {
10 "type": "any",
11 "value": "10.1.1.5",
12 "key": "bigip_b_mgmt"
13 },
14 {
15 "type": "any",
16 "value": "10.1.1.5",
17 "key": "bigip_mgmt"
18 },
19 {
20 "type": "any",
21 "value": "admin",
22 "key": "bigip_username"
23 },
24 {
25 "type": "any",
26 "value": "admin",
27 "key": "bigip_password"
28 },
29 {
30 "type": "any",
31 "value": "UE7W5CXWM5SJ6SZEV5A7KTAI5Q",
32 "key": "bigip_a_token"
33 },
34 {
35 "type": "any",
36 "value": "ONQXOQPNCVOHZELKIFSPHETL3I",
37 "key": "bigip_b_token"
38 },
39 {
40 "type": "any",
41 "value": "ONQXOQPNCVOHZELKIFSPHETL3I",
42 "key": "bigip_token"
43 },
44 {
45 "type": "any",
46 "value": "12.1.1",
47 "key": "bigip_a_version"
48 },
49 {
50 "type": "any",
51 "value": "1.0.196",
52 "key": "bigip_a_build"
53 },
54 {
155
55 "type": "any",
56 "value": "1200",
57 "key": "bigip_token_timeout"
58 },
59 {
60 "type": "any",
61 "value": "12.1.1",
62 "key": "bigip_b_version"
63 },
64 {
65 "type": "any",
66 "value": "1.0.196",
67 "key": "bigip_b_build"
68 }
69 ]
70 }
In the previous module we saw the example of stitching together the Authentication Folder and some facts
gathering. We will now stitch together the Postman Collection from Class 1 and the Authentication Collection
from Module 2. Once we validate the new file we’ll use f5-newman-wrapper to execute.
Stitching together the collections and workflows allows Super-NetOps engineers the ability to start quickly
Orchestrating calls running Automation workflows. This also allows BIG-IP to be Orchestrated from upper
level orchestration toolkits.
Using this structure allows you to build your own solutions, to manage BIG-IP quickly as native REST calls
are used.
1. During the installation of the super-netops-container there were several github repositories
cloned, all of which are mapped to the /home/snops/ directory.
Let’s make sure all repositories were mapped correctly.
Execute: cd /home/snops
The Collections we will be using are located here:
|- /f5-automation-labs
|- /postman_collections
| | f5-programmability-class-2.postman_collection.json
156
|- /f5-postman-workflows
|- /collections
| | /BIG_IP
| | BIGIP_Operational_Workflows.postman_collection.json
|- /f5-automation-labs
|- /jenkins
| | /f5-newman-build
| | f5-newman-build-1
| | f5-newman-build-2
| | f5-newman-build-5
| | /f5-newman-operation
| | f5-newman-build-3
| | f5-newman-build-4
Your environment has already been seeded with 5 f5-newman-wrapper files, these files will execute
against the collections noted in the previous lab. This lab will cover the Build aspect, creating a Virtual
Server Framework containing all the pieces required for this demo service.
Note: This is a Postman Collection, and can also be imported into the Postman GUI client for viewing
157
Note: You do not need to have all these operations individually broken out, it is shown this way to educate
that Workflows can be as small (update a pool member) or as large (deploy a whole service) as needed
Note: The contents of this folder contain files for this lab, and upcoming labs in this class
158
2. Let’s examine the contents of the first f5-newman-wrapper file cat f5-newman-build-1
1 {
2 "name":"f5-newman-build-1",
3 "description":"Execute a chained workflow that authenticates to a BIG-IP
˓→and builds configuration",
4 "globalEnvVars":"/home/snops/f5-postman-workflows/framework/f5-postman-
˓→workflows.postman_globals.json",
5 "globalOptions": {
6 "insecure":true,
7 "reporters":["cli"]
8 },
9 "globalVars": {
10 "bigip_mgmt": "10.1.1.4",
11 "bigip_username":"admin",
12 "bigip_password":"admin",
13 "bigip_partition":"Common",
14 "bigip_pool_name":"module_3_pool",
15 "bigip_pool_member":"75.67.228.133:80",
16 "bigip_object_state":"user-up",
17 "bigip_object_session":"user-enabled",
18 "bigip_vs_name":"module_3_vs",
19 "bigip_vs_destination":"10.1.20.129:80",
20 "bigip_node_name":"75.67.228.133",
21 "bigip_http_monitor":"module_3_http_monitor",
22 "bigip_http_profile":"module_3_http",
23 "bigip_tcp_profile":"module_3_tcp_clientside"
24 },
25 "workflow": [
26 {
27 "name":"Authenticate to BIG-IP",
28 "options": {
29 "collection":"/home/snops/f5-postman-workflows/
˓→collections/BIG_IP/BIGIP_API_Authentication.postman_collection.json",
30 "folder":"1_Authenticate"
31 }
32 }, (REMOVE THIS TEXT AND ADD YOUR CODE BELOW)
33
34 }
35 ]
36 }
#. The above f5-newman-wrapper file only has the Authenticate to BIG-IP Collection/Folder refer-
enced, we will need to add in another collection. You are going to add this code snippet after the last
},. This shows the method for chaining together multiple calls from multiple sources, shown in a previous
lab. For editing files VIM/VI is installed on the container, if you do not know how to use VIM/VI please let
the instructor know.
1 {
2 "name":"1 - Build a Basic LTM Config",
3 "skip":false,
4 "options": {
5 "collection":"/home/snops/f5-automation-labs/postman_
˓→collections/f5-programmability-class-2.postman_collection.json",
1. Now that you have the full file you can see what it will look like with cat f5-newman-build-1. The
159
environment variables will float into both Collections, and the returned Global Variables will persist
during the whole run.
Example of a complete file:
1 {
2 "name":"f5-newman-build-1",
3 "description":"Execute a chained workflow that authenticates to a BIG-IP and
˓→builds configuration",
4 "globalEnvVars":"/home/snops/f5-postman-workflows/framework/f5-postman-
˓→workflows.postman_globals.json",
5 "globalOptions": {
6 "insecure":true,
7 "reporters":["cli"]
8 },
9 "globalVars": {
10 "bigip_mgmt": "10.1.1.4",
11 "bigip_username":"admin",
12 "bigip_password":"admin",
13 "bigip_partition":"Common",
14 "bigip_pool_name":"module_3_pool",
15 "bigip_pool_member":"75.67.228.133:80",
16 "bigip_object_state":"user-up",
17 "bigip_object_session":"user-enabled",
18 "bigip_vs_name":"module_3_vs",
19 "bigip_vs_destination":"10.1.20.129:80",
20 "bigip_node_name":"75.67.228.133",
21 "bigip_http_monitor":"module_3_http_monitor",
22 "bigip_http_profile":"module_3_http",
23 "bigip_tcp_profile":"module_3_tcp_clientside"
24 },
25 "workflow": [
26 {
27 "name":"Authenticate to BIG-IP",
28 "options": {
29 "collection":"/home/snops/f5-postman-workflows/
˓→collections/BIG_IP/BIGIP_API_Authentication.postman_collection.json",
30 "folder":"1_Authenticate"
31 }
32 },
33 {
34 "name":"1 - Build a Basic LTM Config",
35 "skip":false,
36 "options": {
37 "collection":"/home/snops/f5-automation-labs/postman_
˓→collections/f5-programmability-class-2.postman_collection.json",
1. Login to your BIG-IP lab machine and verify you do not have any Virtual Servers or Pools
Note: If you are using the F5 lab systems there are already shortcuts in your Chrome browser
160
called BIG-IP A GUI, if you receive a certificate warning accept and add exception (the BIG-IP has
a self-signed cert which violates Chrome’s security). BIG-IP A Login credentials are admin\admin
2. f5-newman-build-1 now contains the needed calls to build the Framework of an Application Ser-
vice (Virtual Server, Pool and needed Profiles), it doesn’t however include any pool members.
Execute: f5-newman-wrapper f5-newman-build-1
Output should look like:
1 $ f5-newman-wrapper f5-newman-build-1
2 [f5-newman-build-1-2017-07-26-08-23-00] starting run
3 [f5-newman-build-1-2017-07-26-08-23-00] [runCollection][Authenticate to BIG-IP]
˓→running...
4 newman
5
6 BIGIP_API_Authentication
7
8 ? 1_Authenticate
9 ? Authenticate and Obtain Token
10 POST https://10.1.1.4/mgmt/shared/authn/login [200 OK, 1.41KB, 505ms]
11 X [POST Response Code]=200
12 X [Populate Variable] bigip_token=MB4YMPICV3XEZ3B47LJRQKGHTJ
13
26 ?-----------------?-------?-------?
27 | | executed | failed |
28 ?-----------------?-------?-------?
29 | iterations | 1 | 0 |
30 ?-----------------?-------?-------?
31 | requests | 3 | 0 |
32 ?-----------------?-------?-------?
33 | test-scripts | 3 | 0 |
34 ?-----------------?-------?-------?
35 | prerequest-scripts | 1 | 0 |
36 ?-----------------?-------?-------?
37 | assertions | 8 | 0 |
38 ?-----------------?-------?-------?
39 | total run duration: 1197ms |
40 ?-------------------------------?
41 | total data received: 1.71KB (approx) |
42 ?-------------------------------?
43 | average response time: 190ms |
44 ?-------------------------------?
45 [f5-newman-build-1-2017-07-26-08-23-00] [runCollection][1 - Build a Basic LTM
˓→Config] running...
161
46 newman
47
48 f5-programmability-class-2
49
66 ?-----------------?-------?-------?
67 | | executed | failed |
68 ?-----------------?-------?-------?
69 | iterations | 1 | 0 |
70 ?-----------------?-------?-------?
71 | requests | 5 | 0 |
72 ?-----------------?-------?-------?
73 | test-scripts | 0 | 0 |
74 ?-----------------?-------?-------?
75 | prerequest-scripts | 0 | 0 |
76 ?-----------------?-------?-------?
77 | assertions | 0 | 0 |
78 ?-----------------?-------?-------?
79 | total run duration: 1406ms |
80 ?-------------------------------?
81 | total data received: 5.79KB (approx) |
82 ?-------------------------------?
83 | average response time: 251ms |
84 ?-------------------------------?
85 [f5-newman-build-1-2017-07-26-08-23-00] run completed in 6s, 90.207 ms
Note: Notice the 200 OK responses, the number of requests etc., we’re building in testing and
logging, look back at BIGIP-A for the newly created Application Service Framework
162
Task 3 - Execute the second f5-newman-wrapper file
1. f5-newman-build-2 contains calls to add pool members to the Application Service Framework
created above; this is done independently of the build, to show Service staging as a possible use
case.
Execute: f5-newman-wrapper f5-newman-build-2
Output should look like:
1 $ f5-newman-wrapper f5-newman-build-2
2 [f5-newman-build-2-2017-07-26-08-40-52] starting run
3 [f5-newman-build-2-2017-07-26-08-40-52] [runCollection][Authenticate to BIG-IP]
˓→running...
4 newman
5
6 BIGIP_API_Authentication
7
8 ? 1_Authenticate
9 ? Authenticate and Obtain Token
10 POST https://10.1.1.4/mgmt/shared/authn/login [200 OK, 1.41KB, 272ms]
11 X [POST Response Code]=200
12 X [Populate Variable] bigip_token=WSNAXWTCWNZGJG7MDBVF6CRXTB
13
26 ?-----------------?-------?-------?
27 | | executed | failed |
28 ?-----------------?-------?-------?
29 | iterations | 1 | 0 |
30 ?-----------------?-------?-------?
31 | requests | 3 | 0 |
32 ?-----------------?-------?-------?
33 | test-scripts | 3 | 0 |
34 ?-----------------?-------?-------?
35 | prerequest-scripts | 1 | 0 |
36 ?-----------------?-------?-------?
37 | assertions | 8 | 0 |
38 ?-----------------?-------?-------?
39 | total run duration: 1034ms |
40 ?-------------------------------?
41 | total data received: 1.71KB (approx) |
42 ?-------------------------------?
43 | average response time: 116ms |
44 ?-------------------------------?
45 [f5-newman-build-2-2017-07-26-08-40-52] [runCollection][2 - Add Members to LTM
˓→Config] running...
163
46 newman
47
48 f5-programmability-class-2
49
54 ?-----------------?-------?-------?
55 | | executed | failed |
56 ?-----------------?-------?-------?
57 | iterations | 1 | 0 |
58 ?-----------------?-------?-------?
59 | requests | 1 | 0 |
60 ?-----------------?-------?-------?
61 | test-scripts | 0 | 0 |
62 ?-----------------?-------?-------?
63 | prerequest-scripts | 0 | 0 |
64 ?-----------------?-------?-------?
65 | assertions | 0 | 0 |
66 ?-----------------?-------?-------?
67 | total run duration: 182ms |
68 ?-------------------------------?
69 | total data received: 818B (approx) |
70 ?-------------------------------?
71 | average response time: 143ms |
72 ?-------------------------------?
73 [f5-newman-build-2-2017-07-26-08-40-52] run completed in 4s, 328.497 ms
2. On BIG-IP A examine Virtual Server module_3_vs, the Virtual Server should be healthy and Green:
In the last lab we walked through creating an Application Service Framework, and then updating the Service
Framework in a separate call. This lab has 2 f5-newman-files also, one used to user-down a pool member,
and another to user-up the same member. These could be used as individual calls from another toolkit
(which we’ll see later) or run independently as a single commands.
164
3. f5-newman-build-3 contains calls to change the node state to user-down for
"bigip_pool_member":"10.1.10.101:8002", both of these are specified as variables in
the f5-newman-wrapper files.
Execute: f5-newman-wrapper f5-newman-build-3
Output should look like:
1 $ f5-newman-wrapper f5-newman-build-3
2 [f5-newman-build-3-2017-07-26-09-06-53] starting run
3 [f5-newman-build-3-2017-07-26-09-06-53] [runCollection][Authenticate to BIG-IP]
˓→running...
4 newman
5
6 BIGIP_API_Authentication
7
8 ? 1_Authenticate
9 ? Authenticate and Obtain Token
10 POST https://10.1.1.4/mgmt/shared/authn/login [200 OK, 1.41KB, 267ms]
11 X [POST Response Code]=200
12 X [Populate Variable] bigip_token=JFN6TNIRAWEKNR5QPM26VT4QFE
13
165
26 ?-----------------?-------?-------?
27 | | executed | failed |
28 ?-----------------?-------?-------?
29 | iterations | 1 | 0 |
30 ?-----------------?-------?-------?
31 | requests | 3 | 0 |
32 ?-----------------?-------?-------?
33 | test-scripts | 3 | 0 |
34 ?-----------------?-------?-------?
35 | prerequest-scripts | 1 | 0 |
36 ?-----------------?-------?-------?
37 | assertions | 8 | 0 |
38 ?-----------------?-------?-------?
39 | total run duration: 1243ms |
40 ?-------------------------------?
41 | total data received: 1.71KB (approx) |
42 ?-------------------------------?
43 | average response time: 105ms |
44 ?-------------------------------?
45 [f5-newman-build-3-2017-07-26-09-06-53] [runCollection][3 - Disable Node] running.
˓→..
46 newman
47
48 f5-programmability-class-2
49
50 ? 3 - Disable Node
51 ? Step 1: Check Pool Exists
52 GET https://10.1.1.4/mgmt/tm/ltm/pool/~Common~module_3_pool [200 OK, 1.56KB,
˓→39ms]
63 ?-----------------?-------?-------?
64 | | executed | failed |
65 ?-----------------?-------?-------?
66 | iterations | 1 | 0 |
67 ?-----------------?-------?-------?
68 | requests | 3 | 0 |
69 ?-----------------?-------?-------?
70 | test-scripts | 3 | 0 |
71 ?-----------------?-------?-------?
72 | prerequest-scripts | 1 | 0 |
73 ?-----------------?-------?-------?
74 | assertions | 3 | 0 |
75 ?-----------------?-------?-------?
76 | total run duration: 1092ms |
77 ?-------------------------------?
78 | total data received: 1.89KB (approx) |
79 ?-------------------------------?
166
80 | average response time: 123ms |
81 ?-------------------------------?
82 [f5-newman-build-3-2017-07-26-09-06-53] run completed in 6s, 564.868 ms
4. Log back into BIG-IP A examine the pool module_3_pool status page you should see on black
diamond node and another node green and online:
167
3. f5-newman-build-3 contains calls to user-up variable node "bigip_pool_member":"10.1.
10.101:8002"
Execute: f5-newman-wrapper f5-newman-build-4
Output should look like:
1 $ f5-newman-wrapper f5-newman-build-4
2 [f5-newman-build-4-2017-07-26-09-12-47] starting run
3 [f5-newman-build-4-2017-07-26-09-12-47] [runCollection][Authenticate to BIG-IP]
˓→running...
4 newman
5
6 BIGIP_API_Authentication
7
8 ? 1_Authenticate
9 ? Authenticate and Obtain Token
10 POST https://10.1.1.4/mgmt/shared/authn/login [200 OK, 1.41KB, 240ms]
11 X [POST Response Code]=200
12 X [Populate Variable] bigip_token=LN5IEBCKW5TTNXZLX5VYRUTOW5
13
26 ?-----------------?-------?-------?
168
27 | | executed | failed |
28 ?-----------------?-------?-------?
29 | iterations | 1 | 0 |
30 ?-----------------?-------?-------?
31 | requests | 3 | 0 |
32 ?-----------------?-------?-------?
33 | test-scripts | 3 | 0 |
34 ?-----------------?-------?-------?
35 | prerequest-scripts | 1 | 0 |
36 ?-----------------?-------?-------?
37 | assertions | 8 | 0 |
38 ?-----------------?-------?-------?
39 | total run duration: 922ms |
40 ?-------------------------------?
41 | total data received: 1.71KB (approx) |
42 ?-------------------------------?
43 | average response time: 94ms |
44 ?-------------------------------?
45 [f5-newman-build-4-2017-07-26-09-12-47] [runCollection][4 - Enable Node] running..
˓→.
46 newman
47
48 f5-programmability-class-2
49
50 ? 4 - Enable Node
51 ? Step 1: Check Pool Exists
52 GET https://10.1.1.4/mgmt/tm/ltm/pool/~Common~module_3_pool [200 OK, 1.56KB,
˓→31ms]
63 ?-----------------?-------?-------?
64 | | executed | failed |
65 ?-----------------?-------?-------?
66 | iterations | 1 | 0 |
67 ?-----------------?-------?-------?
68 | requests | 3 | 0 |
69 ?-----------------?-------?-------?
70 | test-scripts | 3 | 0 |
71 ?-----------------?-------?-------?
72 | prerequest-scripts | 1 | 0 |
73 ?-----------------?-------?-------?
74 | assertions | 3 | 0 |
75 ?-----------------?-------?-------?
76 | total run duration: 519ms |
77 ?-------------------------------?
78 | total data received: 1.89KB (approx) |
79 ?-------------------------------?
80 | average response time: 40ms |
169
81 ?-------------------------------?
82 [f5-newman-build-4-2017-07-26-09-12-47] run completed in 4s, 510.429 ms
4. On BIG-IP A examine Pool module_3_pool all Nodes should be back to the beginning state:
To get ready for the next module, we’re going to execute one last f5-newman-wrapper directly. This file
is designed to delete the framework and service we created in the last few labs. We used 2 f5-newman-
wrapper files to create our service, but for the deletion we will only use 1. This is important because we
can seperate the service nodes availability into Infrastructure as Code concepts loosely coupled from the
service and calls needed.
3. On BIGIP-A examine the pool module_3_pool, you should show 2 active members Green:
170
4. f5-newman-build-5 contains calls to delete all items we’ve created in the last few modules
Execute: f5-newman-wrapper f5-newman-build-5
Output should look like:
1 $ f5-newman-wrapper f5-newman-build-5
2 [f5-newman-build-5-2017-07-26-09-28-13] starting run
3 [f5-newman-build-5-2017-07-26-09-28-13] [runCollection][Authenticate to BIG-IP]
˓→running...
4 newman
5
6 BIGIP_API_Authentication
7
8 ? 1_Authenticate
9 ? Authenticate and Obtain Token
10 POST https://10.1.1.4/mgmt/shared/authn/login [200 OK, 1.41KB, 194ms]
11 X [POST Response Code]=200
12 X [Populate Variable] bigip_token=NGEHHD6ZDJFD2MNF2UL3UXTGVH
13
26 ?-----------------?-------?-------?
27 | | executed | failed |
28 ?-----------------?-------?-------?
29 | iterations | 1 | 0 |
30 ?-----------------?-------?-------?
31 | requests | 3 | 0 |
32 ?-----------------?-------?-------?
33 | test-scripts | 3 | 0 |
34 ?-----------------?-------?-------?
35 | prerequest-scripts | 1 | 0 |
36 ?-----------------?-------?-------?
37 | assertions | 8 | 0 |
38 ?-----------------?-------?-------?
39 | total run duration: 835ms |
40 ?-------------------------------?
41 | total data received: 1.71KB (approx) |
42 ?-------------------------------?
43 | average response time: 75ms |
44 ?-------------------------------?
45 [f5-newman-build-5-2017-07-26-09-28-13] [runCollection][5 - Clean Up Service]
˓→running...
46 newman
47
48 f5-programmability-class-2
49
171
50 ? 5 - Clean Up Service
51 ? Step 1: Delete a Virtual Server
52 DELETE https://10.1.1.4/mgmt/tm/ltm/virtual/module_3_vs [200 OK, 740B, 57ms]
53
56
59
65
66 ?-----------------?-------?-------?
67 | | executed | failed |
68 ?-----------------?-------?-------?
69 | iterations | 1 | 0 |
70 ?-----------------?-------?-------?
71 | requests | 5 | 0 |
72 ?-----------------?-------?-------?
73 | test-scripts | 0 | 0 |
74 ?-----------------?-------?-------?
75 | prerequest-scripts | 0 | 0 |
76 ?-----------------?-------?-------?
77 | assertions | 0 | 0 |
78 ?-----------------?-------?-------?
79 | total run duration: 445ms |
80 ?-------------------------------?
81 | total data received: 0B (approx) |
82 ?-------------------------------?
83 | average response time: 61ms |
84 ?-------------------------------?
85 [f5-newman-build-5-2017-07-26-09-28-13] run completed in 4s, 267.464 ms
This Module will continue to build up our Infrastructure to a Self-Service or CI/CD goal. We will be building
on the code that was utilized in the previous modules and labs, though now we’ll use Jenkins to provide a
CI/CD mechanism. This lab will also use Slack to notify users of changes going on in real time.
Tools we will be using:
• f5-newman-wrapper & previous workflows
– The previous 5 wrapper workflows files will be executed, but from a Jenkins Pipeline
172
• f5-super-netops-container
– Continuing delivery of F5 configuration from a self contained toolkit
– This version or variant of the container has Jenkins installed for you, this is depicted from tag
associated to the Docker Image f5devcentral/f5-super-netops-container:jenkins
• Slack
– There has been a Slack channel already setup on your behalf, which we will all be monitoring for
environment changes
– Any person with an @f5.com email address can join the Slack Channel. To join and view the
transactions use https://f5agilitydevops.slack.com/signup
• Jenkins
– Jenkins is installed on the f5-super-netops-container, accessed via http://
localhost:10000 (Web) user credentials are admin/default
From the previous labs you should already have your Super-NetOps-Container already running, if it’s not
please refer to Class 2 Module 2 on starting the service.
We’ve been executing all our commands locally from Automated scripts; we are now going to take the
different toolkits and tie them together to form a Pipeline. Pipelines will vary in deployments and even
within solutions. Our lab will show you just one way one could be utilized.
Task 1 - Locating the Jenkins files and how they are setup
3. Lets review the first Jenkins file, from the current folder structure execute cat Jenkinsfile1-2
File output:
1 node {
2 stage('Testing') {
3 //Run the tests
4 //sh "python -m /home/snops/f5-automation-labs/jenkins/f5-newman-build/f5-
˓→newman-build-1"
173
6 }
7 stage('Frameword-Deployment') {
8 //Run SNOPS Container Newman Package Virtual and Pool
9 sh "f5-newman-wrapper /home/snops/f5-automation-labs/jenkins/f5-newman-
˓→build/f5-newman-build-1"
15 teamDomain: 'f5agilitydevops',
16 token: 'vLMQmBq2tiyiCcZoNlbmAi0Z'
17 )
18 }
19 stage('Approval') {
20 //Gate the process and require approval
21 input 'Proceed?'
22 //chatops slack message that run has completed
23 slackSend(
24 channel: '#jenkins_builds',
25 color: 'good',
26 message: 'Super-NetOps Engineer just approved a new F5 Service
˓→Framework, thats some serious Continuous Delivery!',
27 teamDomain: 'f5agilitydevops',
28 token: 'vLMQmBq2tiyiCcZoNlbmAi0Z'
29 )
30 }
31 stage('Add-Sevice-Node') {
32 //Run SNOPS Container Newman Package add Node to Pool
33 sh "f5-newman-wrapper /home/snops/f5-automation-labs/jenkins/f5-newman-
˓→build/f5-newman-build-2"
39 teamDomain: 'f5agilitydevops',
40 token: 'vLMQmBq2tiyiCcZoNlbmAi0Z'
41 )
42 }
43 }
• This is a Jenkins Pipeline file, which we will be inputing into a Pipeline deployment via our Jenkins
Toolkit.
• The file should be human readable even without Jenkins experience, a stage can be thought
of as a step in the Pipeline (or a work-center in manufacturing terms); right after the stage is its
name, followed by some commands. Since the super-netops-container is running this Jenkins
installation locally, we can use local mappings to file structure.
• In more common deployments the Jenkins file would be stored in a SCM (like Github) and called
during an Event (Build/Pull Request) or a Polling Timer, or even some other kind of scripting
launch.
• Testing in Pipeline before executing code with tools like linter or python scripts can make sure
formatting is valid, reducing errors from happening during builds.
174
Our installation also has some Slack calls. Which we will setup next.
Slack is a ChatOps toolkit, think of Skype, Teams, Messenger, or IIRC! Except Slack also has the ability
to take in bots. slackbots are used to interact with services, they might query for something when asked,
or give you information when they notice something. In our case our Jenkins Pipeline file will use Slack to
notify all of us when an action happens, collaborative teamwork.
Note: In the Jenkins Files, the message piece is sent to the Slack channel, if you would like to modify your
messages for our lab change the text!
1. Access Jenkins via Chrome, open a new tab to http://localhost:10000, the user credentials
are admin\default.
2. Once you are logged into Jenkins it should look like below
175
3. Click on Manage Jenkins
4. On the Manage Jenkins tab Select Available then filter on slack, once the filter is complete choose
176
Slack Notification Plugin and execute Install without Restart
5. Once the Slack Notification Plugin has changed to Success, tick the radio button for Restart
Jenkins when installation is complete and no jobs are running
6. Slack can take a few minutes to install in the background (give it 30 seconds), once the Restarting
Jenkins globe is grey and the status is Running go back to Jenkins Home
177
7. Executing a restart of Jenkins will stop your session, you will need to log back into the system
178
3.4.2 Lab 4.2 - Executing Jenkins Jobs for Creation or Modify
Now that we have Jenkins running, and the dependent Slack Plugin installed we can utilize our Jenkins
Pipeline Scripts successfully.
This step is executing the f5-newman-wrapper files. Instead of having to run the two different builds (Ap-
plication Service Framework and Pool member add) individually we’ll use a pause. Jenkins has a pause
functionality which pauses a deployment looking for an approval to continue. After the approving step the
node will be added; using the 2 f5-newman-wrapper files, but in conjunction with a single solution (Jenkins).
Jenkins will continue to update the class via Slack as people are progressing. Jenkins also keeps a running
console for logging, which we will also review.
1. From the Jenkins Dashboard click on create new jobs
179
2. We are going to create our first Pipeline Job. Name the item module_4_jenkinsfile1-2, choose
the Pipeline project style and select OK
180
3. We are going to be using the raw Jenkinsfile1-2 right in the Pipeline Script option at the end
of the config page. Scroll to the bottom of the page but please look at the other options which can
deploy a Pipeline. The different options in here are for an SCM (like GitHub), the Polling or Commit
methods enable Continuous Deployment, as Jenkins will deploy the change on an event basis. Tie
this with automatic testing to make sure you’re not breaking the build!
4. We need to enter the contents of the Jenkinsfile1-2 into the Script section under Pipeline. After
the contents are added click the Save Option.
1 node {
2 stage('Testing') {
3 //Run the tests
4 //sh "python -m /home/snops/f5-automation-labs/jenkins/f5-newman-build/f5-
˓→newman-build-1"
6 }
7 stage('Frameword-Deployment') {
8 //Run SNOPS Container Newman Package Virtual and Pool
9 sh "f5-newman-wrapper /home/snops/f5-automation-labs/jenkins/f5-newman-build/
˓→f5-newman-build-1"
181
13 color: 'good',
14 message: 'Super-NetOps Engineer is about to deploy an F5 Service Framework,
˓→Approval Needed!',
15 teamDomain: 'f5agilitydevops',
16 token: 'vLMQmBq2tiyiCcZoNlbmAi0Z'
17 )
18 }
19 stage('Approval') {
20 //Gate the process and require approval
21 input 'Proceed?'
22 //chatops slack message that run has completed
23 slackSend(
24 channel: '#jenkins_builds',
25 color: 'good',
26 message: 'Super-NetOps Engineer just approved a new F5 Service Framework,
˓→thats some serious Continuous Delivery!',
27 teamDomain: 'f5agilitydevops',
28 token: 'vLMQmBq2tiyiCcZoNlbmAi0Z'
29 )
30 }
31 stage('Add-Sevice-Node') {
32 //Run SNOPS Container Newman Package add Node to Pool
33 sh "f5-newman-wrapper /home/snops/f5-automation-labs/jenkins/f5-newman-build/
˓→f5-newman-build-2"
39 teamDomain: 'f5agilitydevops',
40 token: 'vLMQmBq2tiyiCcZoNlbmAi0Z'
41 )
42 }
43 }
Contents in Pipeline:
182
1. Once the Job is saved, you will be taken to the stage view page, from here we are going to execute
our Pipeline build, choose the Build Now option.
183
2. The Build is now running, and the stages are being executed in order. However, on our third stage
we have a pause and an approval needed. Also at the same time Slack has began to notify us that a
new service is being deployed, and someone needs to approve it.
184
Highlight over the third Stage to prompt for the Approval
3. Approve the change in Jenkins to allow the build to finish. Once this is done, the approval and finished
Slack notification will be sent.
185
4. At the end of the Build event (success or failure) there is a console output from Jenkins. Select the
blue globe on the left to see the outputs
186
5. The Console Output file not only contains the Jenkins output from the Build, but also the f5-newman-
wrapper toolkit logs for easy troubleshooting
7. Verify on the BIG-IP that the pool module_3_vs has been created and the services are Green
187
Task 2 - Jenkinsfile3 and Jenkinsfile4
These two Jenkins files were completed to show the ability of creating smaller deployments. In our case
we will use the f5-newman-wrapper toolkit to again change the user selected state of a pool member. The
different Pipelines notifications also have different Slack Color depictions, helping to quickly identify issues
to team members.
1. Return to the Jenkins Dashboard and select New Item
2. Repeat steps 2 & 3 of the last module, creating 2 new Jenkins jobs, one for each desired node state.
3. Create and Execute module_4_jenkinsfile_3 for a down node
Pipeline Job Name: module_4_jenkinsfile_3
1 node {
2 stage('Testing') {
3 //Run the tests
4 //sh "python -m /home/snops/f5-automation-labs/jenkins/f5-newman-operation/
˓→f5-newman-build-3"
5 }
6 stage('Disable-Node') {
7 //Run SNOPS Container Newman Package Virtual and Pool
8 sh "f5-newman-wrapper /home/snops/f5-automation-labs/jenkins/f5-newman-
˓→operation/f5-newman-build-3"
188
4. Verify on the BIG-IP that the pool module_3_pool has a down node
5. Create and Execute module_4_jenkinsfile_4 for an up node
Pipeline Job Name: module_4_jenkinsfile_4
1 node {
2 stage('Testing') {
3 //Run the tests
4 //sh "python -m /home/snops/f5-automation-labs/jenkins/f5-newman-operation/
˓→f5-newman-build-4"
5 }
6 stage('Enable-Node') {
7 //Run SNOPS Container Newman Package Virtual and Pool
8 sh "f5-newman-wrapper /home/snops/f5-automation-labs/jenkins/f5-newman-
˓→operation/f5-newman-build-4"
For the last module we will teardown the Application Service we’ve been working with today. Destruction
of an Application Services is an easy step often overlooked because of the perceived complexity it takes
to reverse engineer a build. Utilizing Postman and the f5-newman-wrapper this is actually a very easy
step, and will be incredibly valuable to teams seeking to strive for better Application Lifecycle Management.
Because Postman and Newman operate in sequential order, simply reversing the order of creation will
result in the correct teardown order. Also, since we’re using the native F5 REST endpoints, all you need is
a Resource with a DELETE method.
189
2. Repeat steps 2 & 3 of the first module, creating the final Jenkins job
3. Create and Execute module_4_jenkinsfile_5 to destroy our Application Service
Pipeline Job Name: module_4_jenkinsfile_5
1 node {
2 stage('Testing') {
3 //Run the tests
4 //sh "python -m /home/snops/f5-automation-labs/jenkins/f5-newman-build/f5-
˓→newman-build-5"
5 }
6 stage('Removal-Notification') {
7 //Run SNOPS Container Newman Package Delete Service
8 //chatops slack message that run has completed
9 slackSend(
10 channel: '#jenkins_builds',
11 color: 'bad',
12 message: 'Super-NetOps Engineer is about to remove an F5 Service!',
13 teamDomain: 'f5agilitydevops',
14 token: 'vLMQmBq2tiyiCcZoNlbmAi0Z'
15 )
16 }
17 stage('Approval') {
18 //Gate the process and require approval
19 input 'Delete?'
20 }
21 stage('Service-Delete') {
22 //Run SNOPS Container Newman Package add Node to Pool
23 sh "f5-newman-wrapper /home/snops/f5-automation-labs/jenkins/f5-newman-
˓→build/f5-newman-build-5"
190
Class 3: Introduction to SecDevOps
4
This hands-on lab will demonstrate how to secure applications programmatically using a BIG-IP’s iControl
based REST API.
Leveraging programmability to deploy security policies and/or adhere to best practices during an applica-
tion’s lifecycle reduces the operational (e.g. time and money) cost of a defense in depth strategy. Program-
matic workflows can be developed and deployed for specific security use cases, and integrated into the
SDLC process, allowing for the protection of an application to iterate in parallel with the development of the
application.
This course will feature the following topics.
• General interaction with tmm via BIG-IPs REST APIs
• Create, modify and assign an AFM policy
• Create, modify and assign an ASM policy
Lab Guide
This lab is divided into three modules. Each module of the lab, will require configuration of the BIG-IP, AFM,
or ASM using the iControl REST based API. It is recommended that each lab be executed in order.
To perform the steps required in the lab, Postman will be used from the Windows jump box.
Prior to beginning the exercises, it is recommended to review the Lab Topology .
1. Module 1: Configuring BIG-IP
2. Module 2: Configuring AFM (Advanced Firewall Module)
3. Module 3: Configuring ASM (Application Security Module)
Support
Bugs and enhancements can be made by opening an issue within the GitHub repository.
Getting Started
Please follow the instructions provided by the instructor to start your lab and access your jump host.
Note: All work for this lab will be performed exclusively from the Windows jumphost. No software installa-
tion or interaction with your local system is required.
191
4.1 Lab Topology
The network topology implemented for this lab is very simple. Since the focus of the lab is Control Plane
programmability rather that Data Plane traffic flow we can keep the data plane fairly simple. The following
components have been included in your lab environment:
• 1 x F5 BIG-IP (v13.0)
• 1 x Linux webserver (Ubuntu 16.04)
• 1 x Windows 7 jump box
The following table lists VLANS, IP Addresses and Credentials for all components:
BIG-IP admin/admin
• Management: 10.1.1.5
• External: 10.1.10.5
• Internal: 10.1.20.5
The iControl REST API available via TMOS can be directly accessed and endpoints explored.
1. Open Google Chrome and navigate to the following bookmarks: BIG-IP A GUI and BIG-IP API ToC.
Accept any SSL warnings/errors that appear and ensure that you can access both login prompts.
2. Click on the BIG-IP API ToC bookmark to access the API Table of Contents for BIG-IP A. The /mgmt/
toc path in the URL is available on all TMOS versions 11.6 or newer.
3. Authenticate using the default admin/admin credentials.
4. After successfully authenticating, you will be presented with a top-level list of REST resources avail-
able on the BIG-IP. At the top of the page is a search box that can be used to search for specific REST
resources.
192
4.2.2 Lab 1.2: API Authentication
This lab utilizes the Postman Chrome extension to facilitate the sending data to and receiving data from the
iControl REST API.
One of the many basic concepts related to interaction with REST API’s is how a particular consumer is au-
thenticated to the system. BIG-IP, BIG-IQ and iWorkflow support two types of authentication: HTTP BASIC
and Token based. It’s important to understand both of these authentication mechanisms, as consumers of
the API will often make use of both types depending on the use case. This lab will demonstrate how to
interact with both types of authentication.
Warning: Prior to performing any of the below steps, ensure that you can log into the BIG-IP with
Chrome after accepting the invalid certificate. Postman relies on the Chrome certificate store and if the
self-signed cert has not been accepted via Chrome, this extension will not work properly.
In this task we will use the Postman tool to send API requests using HTTP BASIC authentication. As its
name implies this method of authentication encodes the user credentials via the existing BASIC authentica-
tion method provided by the HTTP protocol. The mechanism this method uses is to insert an HTTP header
named ‘Authorization’ with a value that is built by Base 64 encoding the string “<username>:<password>”.
The resulting header takes this form:
It should be noted that cracking the method of authentication is TRIVIAL; as a result API calls should always
be performed using HTTPS (F5 default) rather than HTTP.
Perform the following steps to complete this task:
193
3. Click the ‘Collections’ tab on the left side of the screen, expand the ‘F5 SecDevOps’ collection on the
left side of the screen, expand the Lab 1.2 - API Authentication folder:
(Ignore the # of requests on the screen below versus what you might see, the # of requests will grow and
change as this lab grows)
4. Click the 1. HTTP BASIC Authentication item. Click the ‘Authorization’ tab and select ‘Basic Auth’
as the Type. Fill in the username and password (admin/admin) and click the ‘Update Request’ button.
Notice that the number of Headers in the Headers tab changed from 1 to 2. This is because Postman
automatically created the HTTP header and updated your request to include it. Click the ‘Headers’
tab and examine the HTTP header:
194
5. Click the ‘Send’ button to send the request. If the request succeeds you should be presented with a
listing of the ‘/mgmt/tm/ltm’ Organizing Collection.
195
Task 2 - Token Based Authentication
One of the disadvantages of BASIC Authentication is that credentials are sent with each and every request.
This can result in a much greater attack surface being exposed unnecessarily. As a result Token Based
Authentication (TBA) is preferred in many cases. This method only sends the credentials once, on the
first request. The system then responds with a unique token for that session and the consumer then uses
that token for all subsequent requests. BIG-IP, BIG-IQ and iWorkflow support token-based authentication
that drops down to the underlying authentication subsystems available in TMOS. As a result the system
can be configured to support external authentication providers (RADIUS, TACACS, AD, etc) and those
authentication methods can flow through to the REST API. In this task we will demonstrate TBA using the
local authentication database, however, authentication to external providers is fully supported.
Tip: For more information about external authentication providers see the section titled “About external
authentication providers with iControl REST” in the iControl REST API User Guide available at https://
devcentral.f5.com
Unsuccessful:
196
6. Once you receive a 200 OK status code examine the response body. The various attributes show the
parameters assigned to the particular token. Find the ‘token’ attribute and copy it into your clipboard
(Ctrl+c) for use in the next step:
7. Click the 3: Verify Authentication Works item in the Lab 1.2 - API Authentication Postman col-
lection. Click the ‘Headers’ tab and paste the token value copied above as the VALUE for the ‘X-
F5-Auth-Token’ header. This header is required to be sent on all requests when using token based
authentication.
8. Click the ‘Send’ button. If you’re request is successful you should see a ‘200 OK’ status and a listing
of the ‘ltm’ Organizing Collection.
9. We will now update your Postman environment to use this auth token for the remainder of the lab.
Click the Environment menu in the top right of the Postman window and click ‘Manage Environments’:
197
10. Click the F5 SecDevOps item:
11. Update the value for ‘big_ip_a_auth_token’ by Pasting (Ctrl-v) in your auth token:
12. Click the ‘Update’ button and then close the ‘Manage Environments’ window. You’re subsequent
requests will now automatically substitute the token’s value where the {{big_ip_a_auth_token}} en-
vironmental variable is used.
13. Click the 4: Set Authentication Token Timeout item in the Lab 1.2 - API Authentication Postman
collection. This request will PATCH your token Resource (check the URI) and update the timeout
attribute so we can complete the lab easily. Examine the request type and JSON Body and then click
the ‘Send’ button. Verify that the timeout has been changed to ‘36000’ in the response:
198
4.2.3 Lab 1.3: Building a Basic LTM Config
Overview
In this lab, the iControl REST API will be used to build a basic monitor, node, pool, and virtual server
configuration on the BIG-IP.
Specific Instructions
Prior to performing the below steps, validate that the Hackazon web site is not accessible via the Windows
jump box by clicking on the Hackazon bookmark in the Chrome toolbar.
Follow the below steps in order found in the Postman collection to complete this portion of the lab. The
requests and responses have been included below for reference.
An HTTP POST to the /mgmt/tm/ltm/monitor/http endpoint with a body containing the monitor con-
figuration creates a monitor.
Request
POST https://{{big_ip_a_mgmt}}/mgmt/tm/ltm/monitor/http
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
199
{
"name":"hackazon_monitor",
"send":"GET /\r\n"
}
Example Response
{
"kind": "tm:ltm:monitor:http:httpstate",
"name": "hackazon_monitor",
"partition": "Common",
"fullPath": "/Common/hackazon_monitor",
"generation": 0,
"selfLink": "https://localhost/mgmt/tm/ltm/monitor/http/~Common~hackazon_monitor?
˓→ver=13.0.0",
"adaptive": "disabled",
"adaptiveDivergenceType": "relative",
"adaptiveDivergenceValue": 25,
"adaptiveLimit": 200,
"adaptiveSamplingTimespan": 300,
"defaultsFrom": "/Common/http",
"destination": "*:*",
"interval": 5,
"ipDscp": 0,
"manualResume": "disabled",
"reverse": "disabled",
"send": "GET / HTTP/\r\n",
"timeUntilUp": 0,
"timeout": 16,
"transparent": "disabled",
"upInterval": 0
}
2. Create a Pool
An HTTP POST to the /mgmt/tm/ltm/pool endpoint with a body containing the configuration creates a
pool with a node(s).
Request
POST https://{{big_ip_a_mgmt}}/mgmt/tm/ltm/pool
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"name":"hackazon_pool",
"monitor":"/Common/hackazon_monitor",
"members": ["10.1.20.10:80"]
}
Example Response
200
{
"kind": "tm:ltm:pool:poolstate",
"name": "hackazon_pool",
"partition": "Common",
"fullPath": "/Common/hackazon_pool",
"generation": 10781,
"selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~hackazon_pool?ver=13.0.0",
"allowNat": "yes",
"allowSnat": "yes",
"ignorePersistedWeight": "disabled",
"ipTosToClient": "pass-through",
"ipTosToServer": "pass-through",
"linkQosToClient": "pass-through",
"linkQosToServer": "pass-through",
"loadBalancingMode": "round-robin",
"minActiveMembers": 0,
"minUpMembers": 0,
"minUpMembersAction": "failover",
"minUpMembersChecking": "disabled",
"monitor": "/Common/hackazon_monitor ",
"queueDepthLimit": 0,
"queueOnConnectionLimit": "disabled",
"queueTimeLimit": 0,
"reselectTries": 0,
"serviceDownAction": "none",
"slowRampTime": 10,
"membersReference": {
"link": "https://localhost/mgmt/tm/ltm/pool/~Common~hackazon_pool/members?
˓→ver=13.0.0",
"isSubcollection": true
}
}
An HTTP POST to the /mgmt/tm/ltm/profile/http endpoint with a body containing the configuration
creates a profile.
Request
POST https://{{big_ip_a_mgmt}}/mgmt/tm/ltm/profile/http
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"name":"hackazon_http_profile",
"insertXforwardedFor":"enabled",
"serverAgentName":"hackazon"
}
Example Response
201
{
"kind": "tm:ltm:profile:http:httpstate",
"name": "hackazon_http_profile",
"partition": "Common",
"fullPath": "/Common/hackazon_http_profile",
"generation": 10783,
"selfLink": "https://localhost/mgmt/tm/ltm/profile/http/~Common~hackazon_http_
˓→profile?ver=13.0.0",
"acceptXff": "disabled",
"appService": "none",
"basicAuthRealm": "none",
"defaultsFrom": "/Common/http",
"defaultsFromReference": {
"link": "https://localhost/mgmt/tm/ltm/profile/http/~Common~http?ver=13.0.0"
},
"description": "none",
"encryptCookies": [],
"insertXforwardedFor": "enabled",
"serverAgentName": "hackazon"
}
An HTTP POST to the /mgmt/tm/ltm/profile/tcp endpoint with a body containing the configuration
creates a TCP profile.
Request
POST https://{{big_ip_a_mgmt}}/mgmt/tm/ltm/profile/tcp
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"name":"hackazon_tcp_clientside_profile",
"nagle":"disabled",
"sendBufferSize":"16000"
}
Example Response
{
"kind": "tm:ltm:profile:tcp:tcpstate",
"name": "hackazon_tcp_clientside_profile",
"partition": "Common",
"fullPath": "/Common/hackazon_tcp_clientside_profile",
"generation": 10784,
"selfLink": "https://localhost/mgmt/tm/ltm/profile/tcp/~Common~hackazon_tcp_
˓→clientside_profile?ver=13.0.0",
"abc": "enabled",
"ackOnPush": "enabled",
"appService": "none",
"autoProxyBufferSize": "disabled",
202
"autoReceiveWindowSize": "disabled",
"autoSendBufferSize": "disabled",
"closeWaitTimeout": 5,
"cmetricsCache": "enabled",
"cmetricsCacheTimeout": 0,
"congestionControl": "high-speed",
"defaultsFrom": "/Common/tcp",
"defaultsFromReference": {
"link": "https://localhost/mgmt/tm/ltm/profile/tcp/~Common~tcp?ver=13.0.0"
},
"keepAliveInterval": 1800,
"nagle": "disabled",
"sendBufferSize": 16000
}
An HTTP POST to the /mgmt/tm/ltm/virtual endpoint with a body containing the configuration creates
a virtual server.
Request
POST https://{{big_ip_a_mgmt}}/mgmt/tm/ltm/virtual
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"name":"hackazon_vs",
"destination":"10.1.10.10:80",
"ipProtocol":"tcp",
"pool":"hackazon_pool",
"sourceAddressTranslation": { "type":"automap" },
"profiles": [
{ "name":"/Common/hackazon_tcp_clientside_profile", "context":"clientside" },
{ "name":"/Common/tcp-wan-optimized", "context":"serverside" },
"/Common/hackazon_http_profile"
]
}
Example Response
Note: The profiles for this virtual server is a subcollection. This collection can be access by performing a
GET on the profiles endpoint for this specific virtual server https://{{big_ip_a_mgmt}}/mgmt/tm/
ltm/virtual/~Common~hackazon_vs/profiles.
{
"kind": "tm:ltm:virtual:virtualstate",
"name": "hackazon_vs",
"partition": "Common",
"fullPath": "/Common/hackazon_vs",
203
"generation": 10785,
"selfLink": "https://localhost/mgmt/tm/ltm/virtual/~Common~hackazon_vs?ver=13.0.0
˓→",
"addressStatus": "yes",
"autoLasthop": "default",
"cmpEnabled": "yes",
"connectionLimit": 0,
"destination": "/Common/10.1.10.20:80",
"enabled": true,
"gtmScore": 0,
"ipProtocol": "tcp",
"mask": "255.255.255.255",
"mirror": "disabled",
"mobileAppTunnel": "disabled",
"nat64": "disabled",
"pool": "/Common/hackazon_pool",
"poolReference": {
"link": "https://localhost/mgmt/tm/ltm/pool/~Common~hackazon_pool?ver=13.0.0"
},
"rateLimit": "disabled",
"rateLimitDstMask": 0,
"rateLimitMode": "object",
"rateLimitSrcMask": 0,
"serviceDownImmediateAction": "none",
"source": "0.0.0.0/0",
"sourceAddressTranslation": {
"type": "automap"
},
"sourcePort": "preserve",
"synCookieStatus": "not-activated",
"translateAddress": "enabled",
"translatePort": "enabled",
"vlansDisabled": true,
"vsIndex": 9,
"policiesReference": {
"link": "https://localhost/mgmt/tm/ltm/virtual/~Common~hackazon_vs/policies?
˓→ver=13.0.0",
"isSubcollection": true
},
"profilesReference": {
"link": "https://localhost/mgmt/tm/ltm/virtual/~Common~hackazon_vs/profiles?
˓→ver=13.0.0",
"isSubcollection": true
}
}
6. Retrieve VS information
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/ltm/virtual/~Common~hackazon_vs/
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
204
{
"kind": "tm:ltm:virtual:virtualstate",
"name": "hackazon_vs",
"partition": "Common",
"fullPath": "/Common/hackazon_vs",
"generation": 10785,
"selfLink": "https://localhost/mgmt/tm/ltm/virtual/~Common~hackazon_vs?ver=13.0.0
˓→",
"addressStatus": "yes",
"autoLasthop": "default",
"cmpEnabled": "yes",
"connectionLimit": 0,
"destination": "/Common/10.1.10.20:80",
"enabled": true,
"gtmScore": 0,
"ipProtocol": "tcp",
"mask": "255.255.255.255",
"mirror": "disabled",
"mobileAppTunnel": "disabled",
"nat64": "disabled",
"pool": "/Common/hackazon_pool",
"poolReference": {
"link": "https://localhost/mgmt/tm/ltm/pool/~Common~hackazon_pool?ver=13.0.0"
},
"rateLimit": "disabled",
"rateLimitDstMask": 0,
"rateLimitMode": "object",
"rateLimitSrcMask": 0,
"serviceDownImmediateAction": "none",
"source": "0.0.0.0/0",
"sourceAddressTranslation": {
"type": "automap"
},
"sourcePort": "preserve",
"synCookieStatus": "not-activated",
"translateAddress": "enabled",
"translatePort": "enabled",
"vlansDisabled": true,
"vsIndex": 9,
"policiesReference": {
"link": "https://localhost/mgmt/tm/ltm/virtual/~Common~hackazon_vs/policies?
˓→ver=13.0.0",
"isSubcollection": true
},
"profilesReference": {
"link": "https://localhost/mgmt/tm/ltm/virtual/~Common~hackazon_vs/profiles?
˓→ver=13.0.0",
"isSubcollection": true
}
}
Click on the Hackazon bookmark in the Chrome toolbar and validate that the Hackazon web site is now
accessible.
205
4.3 Module 2: Programmatic Control of Firewall Services
Overview
In this lab, the iControl REST API will be used to provision a module on the BIG-IP. More specifically, the
Advanced Firewall Manager (AFM) module will be provisioned for use in Module 2: Configuring AFM
(Advanced Firewall Module).
Specific Instructions
Prior to performing the below steps, validate the {{module}} Postman environment variable. The {{mod-
ule}} should be set to afm.
Follow the below steps in order found in the Postman collection to complete this portion of the lab. The
requests and responses have been included below for reference.
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/sys/provision
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
Note: The afm module is currently provisioned for none while the ltm module is provisioned for nominal.
{
"kind": "tm:sys:provision:provisioncollectionstate",
"selfLink": "https://localhost/mgmt/tm/sys/provision?ver=13.0.0",
"items": [
{
"kind": "tm:sys:provision:provisionstate",
"name": "afm",
"fullPath": "afm",
"generation": 5609,
206
"selfLink": "https://localhost/mgmt/tm/sys/provision/afm?ver=13.0.0",
"cpuRatio": 0,
"diskRatio": 0,
"level": "none",
"memoryRatio": 0
},
{
"kind": "tm:sys:provision:provisionstate",
"name": "ltm",
"fullPath": "ltm",
"generation": 1,
"selfLink": "https://localhost/mgmt/tm/sys/provision/ltm?ver=13.0.0",
"cpuRatio": 0,
"diskRatio": 0,
"level": "nominal",
"memoryRatio": 0
}
]
}
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/sys/provision/{{module}}
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
Note: The afm module should still be provisioned after performing the steps in Lab 1.
{
"kind": "tm:sys:provision:provisionstate",
"name": "afm",
"fullPath": "afm",
"generation": 5609,
"selfLink": "https://localhost/mgmt/tm/sys/provision/afm?ver=13.0.0",
"cpuRatio": 0,
"diskRatio": 0,
"level": "none",
"memoryRatio": 0
}
Warning: This step is optional and should only be performed if afm is not provisioned.
207
The afm module is provisioned using an HTTP PATCH with a body containing a provisioning level to the
REST endpoint for mgmt/tm/sys/provision/{{module}}.
Note: Performing a provision/deprovision operation takes some time to complete. If the original request is
still being processed, the below error may be encountered.
{
"code": 400,
"message": "01071003:3: A previous provisioning operation is in progress. Try
˓→again when the BIGIP is active.",
"errorStack": [],
"apiError": 3
}
Request
PATCH https://{{big_ip_a_mgmt}}/mgmt/tm/sys/provision/{{module}}
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"level":"nominal"
}
Example Response
Note: The afm module has been provisioned with a level of nominal.
{
"kind": "tm:sys:provision:provisionstate",
"name": "afm",
"fullPath": "afm",
"generation": 10636,
"selfLink": "https://localhost/mgmt/tm/sys/provision/afm?ver=13.0.0",
"cpuRatio": 0,
"diskRatio": 0,
"level": "nominal",
"memoryRatio": 0
}
PATCH https://{{big_ip_a_mgmt}}/mgmt/tm/sys/provision/{{module}}
208
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"level":"none"
}
Example Response
{
"kind": "tm:sys:provision:provisionstate",
"name": "afm",
"fullPath": "afm",
"generation": 10714,
"selfLink": "https://localhost/mgmt/tm/sys/provision/afm?ver=13.0.0",
"cpuRatio": 0,
"diskRatio": 0,
"level": "none",
"memoryRatio": 0
}
PATCH https://{{big_ip_a_mgmt}}/mgmt/tm/sys/provision/{{module}}
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"level":"nominal"
}
Example Response
{
"kind": "tm:sys:provision:provisionstate",
"name": "afm",
"fullPath": "afm",
"generation": 10636,
"selfLink": "https://localhost/mgmt/tm/sys/provision/afm?ver=13.0.0",
"cpuRatio": 0,
"diskRatio": 0,
"level": "nominal",
"memoryRatio": 0
}
209
4.3.2 Lab 2.2: Create AFM Address List
Overview
In this lab, the iControl REST based API will be used to create an address list that will be used with an AFM
policy in a later lab.
Specific Instructions
Follow the below steps in order found in the Postman collection to complete this portion of the lab. The
requests and responses have been included below for reference.
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/security/firewall/policy
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
Note: A test policy has already been created on the BIG-IP for demonstration purposes.
{
"kind": "tm:security:firewall:policy:policycollectionstate",
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy?ver=13.0.0",
"items": [
{
"kind": "tm:security:firewall:policy:policystate",
"name": "block_all",
"partition": "Common",
"fullPath": "/Common/block_all",
"generation": 5789,
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy/~Common~
˓→block_all?ver=13.0.0",
"rulesReference": {
"link": "https://localhost/mgmt/tm/security/firewall/policy/~Common~
˓→block_all/rules?ver=13.0.0",
"isSubcollection": true
}
}
]
}
210
2. List all Firewall Address Lists
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/security/firewall/address-list
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
Note: A test address list has already been created on the BIG-IP for demonstration purposes.
{
"kind": "tm:security:firewall:address-list:address-listcollectionstate",
"selfLink": "https://localhost/mgmt/tm/security/firewall/address-list?ver=13.0.0",
"items": [
{
"kind": "tm:security:firewall:address-list:address-liststate",
"name": "test_address_list",
"partition": "Common",
"fullPath": "/Common/test_address_list",
"generation": 6326,
"selfLink": "https://localhost/mgmt/tm/security/firewall/address-list/~
˓→Common~test_address_list?ver=13.0.0",
"addresses": [
{
"name": "1.1.1.1"
}
]
}
]
}
POST https://{{big_ip_a_mgmt}}/mgmt/tm/security/firewall/address-list/
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"name": "google-dns_address_list",
"addresses": [
{
211
"name": "8.8.4.4"
}
]
}
Example Response
Note: Copy the name of the address list, highlighted below, from the response into the afm_address_list
Postman environment variable.
{
"kind": "tm:security:firewall:address-list:address-liststate",
"name": "google-dns_address_list",
"partition": "Common",
"fullPath": "/Common/google-dns_address_list",
"generation": 11436,
"selfLink": "https://localhost/mgmt/tm/security/firewall/address-list/~Common~
˓→google-dns_address_list?ver=13.0.0",
"addresses": [
{
"name": "8.8.4.4"
}
]
}
Note: Ensure that the afm_address_list Postman environment variable has been populated with the
name of the address list.
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/security/firewall/address-list/{{afm_address_
˓→list}}
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"kind": "tm:security:firewall:address-list:address-liststate",
"name": "google-dns_address_list",
"partition": "Common",
"fullPath": "/Common/google-dns_address_list",
"generation": 11436,
"selfLink": "https://localhost/mgmt/tm/security/firewall/address-list/~Common~
˓→google-dns_address_list?ver=13.0.0",
"addresses": [
{
"name": "8.8.4.4"
212
}
]
}
PATCH https://{{big_ip_a_mgmt}}/mgmt/tm/security/firewall/address-list/{{afm_address_
˓→list}}
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Note: Include the contents of the address list plus the new address(es) to ensure that the contents are not
overwritten.
Body
Warning: When patching an address list, be sure to include all addresses (e.g. existing and new) to
ensure that the list does not get overwritten.
{
"addresses": [
{
"name": "8.8.4.4"
},
{
"name": "8.8.8.8"
}
]
}
Example Response
{
"kind": "tm:security:firewall:address-list:address-liststate",
"name": "google-dns_address_list",
"partition": "Common",
"fullPath": "/Common/google-dns_address_list",
"generation": 11436,
"selfLink": "https://localhost/mgmt/tm/security/firewall/address-list/~Common~
˓→google-dns_address_list?ver=13.0.0",
"addresses": [
{
"name": "8.8.4.4"
},
213
{
"name": "8.8.8.8"
}
]
}
Overview
In this lab, the iControl REST based API will be used to create a firewall policy that will leverage the previ-
ously created address list.
Specific Instructions
Follow the below steps in order found in the Postman collection to complete this portion of the lab. The
requests and responses have been included below for reference.
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/security/firewall/policy
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"kind": "tm:security:firewall:policy:policycollectionstate",ƒ
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy?ver=13.0.0",
"items": [
{
"kind": "tm:security:firewall:policy:policystate",
"name": "block_all",
"partition": "Common",
"fullPath": "/Common/block_all",
"generation": 5789,
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy/~Common~
˓→block_all?ver=13.0.0",
"rulesReference": {
"link": "https://localhost/mgmt/tm/security/firewall/policy/~Common~
˓→block_all/rules?ver=13.0.0",
"isSubcollection": true
}
}
]
}
214
2. Create AFM policy
POST https://{{big_ip_a_mgmt}}/mgmt/tm/security/firewall/policy
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"name": "global_default_deny"
}
Example Response
Note: Copy the full policy name as it appears in the "selfLink": "https://localhost/mgmt/
tm/security/firewall/policy/~Common~global_default_deny?ver=13.0.0" line of the re-
sponse and populate the {{afm_policy}} Postman environment variable. In this case, the name of the
policy is ~Common~global_default_deny.
{
"kind": "tm:security:firewall:policy:policystate",
"name": "global_default_deny",
"partition": "Common",
"fullPath": "/Common/global_default_deny",
"generation": 11451,
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy/~Common~global_
˓→default_deny?ver=13.0.0",
"rulesReference": {
"link": "https://localhost/mgmt/tm/security/firewall/policy/~Common~global_
˓→default_deny/rules?ver=13.0.0",
"isSubcollection": true
}
}
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/security/firewall/policy/{{afm_policy}}/rules
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
215
Note: There will be no rules listed in the newly created policy. Rules are populated in the "items": []
sub collection.
{
"kind": "tm:security:firewall:policy:rules:rulescollectionstate",
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy/~Common~global_
˓→default_deny/rules?ver=13.0.0",
"items": []
}
POST https://{{big_ip_a_mgmt}}/mgmt/tm/security/firewall/policy/{{afm_policy}}/rules
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"name": "default_deny",
"fullPath": "default_deny",
"action": "drop",
"ipProtocol": "any",
"iruleSampleRate": 1,
"log": "no",
"status": "enabled",
"destination": { }
"place-before": "none"
}
Example Response
{
"kind": "tm:security:firewall:policy:rules:rulesstate",
"name": "default_deny",
"fullPath": "default_deny",
"generation": 11464,
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy/~Common~global_
˓→default_deny/rules/default_deny?ver=13.0.0",
"action": "drop",
"ipProtocol": "any",
"iruleSampleRate": 1,
"log": "no",
"status": "enabled",
"destination": {},
"source": {
"identity": {}
216
}
}
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"name": "allow_google-dns",
"fullPath": "allow_google-dns",
"action": "accept",
"ipProtocol": "any",
"iruleSampleRate": 1,
"log": "no",
"status": "enabled",
"placeBefore": "default_deny",
"destination": {
"addressLists": [
"/Common/google-dns_address_list"
]
}
}
Example Response
Note: Copy the newly created rule name allow_google-dns and populate the {{afm_policy_rule}} Post-
man environment variable.
{
"kind": "tm:security:firewall:policy:rules:rulesstate",
"name": "allow_google-dns",
"fullPath": "allow_google-dns",
"generation": 13210,
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy/~Common~global_
˓→default_deny/rules/allow_google-dns?ver=13.0.0",
"action": "accept",
"ipProtocol": "any",
"iruleSampleRate": 1,
"log": "no",
"status": "enabled",
"destination": {
"addressLists": [
217
"/Common/google-dns_address_list"
],
"addressListsReference": [
{
"link": "https://localhost/mgmt/tm/security/firewall/address-list/~Common~
˓→allow_google-dns?ver=13.0.0"
}
]
},
"source": {
"identity": {}
}
}
The "items" sub collection will now be populated with the all the firewall rules when performing an HTTP
GET on the rules endpoint of the {{afm_policy}}.
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/security/firewall/policy/{{afm_policy}}/rules
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"kind": "tm:security:firewall:policy:rules:rulescollectionstate",
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy/~Common~global_
˓→default_deny/rules?ver=13.0.0",
"items": [
{
"kind": "tm:security:firewall:policy:rules:rulesstate",
"name": "allow_google-dns",
"fullPath": "allow_google-dns",
"generation": 11483,
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy/~
˓→Common~global_default_deny/rules/allow_google-dns?ver=13.0.0",
"action": "accept",
"ipProtocol": "any",
"iruleSampleRate": 1,
"log": "yes",
"status": "enabled",
"destination": {
"addressLists": [
"/Common/google-dns_address_list"
],
"addressListsReference": [
{
"link": "https://localhost/mgmt/tm/security/firewall/address-
˓→list/~Common~google-dns_address_list?ver=13.0.0"
}
]
},
218
"source": {
"identity": {}
}
},
{
"kind": "tm:security:firewall:policy:rules:rulesstate",
"name": "default_deny",
"fullPath": "default_deny",
"generation": 11464,
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy/~
˓→Common~global_default_deny/rules/default_deny?ver=13.0.0",
"action": "drop",
"ipProtocol": "any",
"iruleSampleRate": 1,
"log": "no",
"status": "enabled",
"destination": {},
"source": {
"identity": {}
}
}
]
}
PATCH https://{{big_ip_a_mgmt}}/mgmt/tm/security/firewall/policy/{{afm_policy}}/rules/
˓→{{afm_policy_rule}}
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"status": "disabled"
}
Example Response
{
"kind": "tm:security:firewall:policy:rules:rulesstate",
"name": "allow_google-dns",
"fullPath": "allow_google-dns",
"generation": 11470,
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy/~Common~global_
˓→default_deny/rules/allow_google-dns?ver=13.0.0",
"action": "accept",
219
"ipProtocol": "any",
"iruleSampleRate": 1,
"log": "no",
"status": "disabled",
"destination": {
"addressLists": [
"/Common/google-dns_address_list"
],
"addressListsReference": [
{
"link": "https://localhost/mgmt/tm/security/firewall/address-list/~
˓→Common~google-dns_address_list?ver=13.0.0"
}
]
},
"source": {
"identity": {}
}
}
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/security/firewall/policy/{{afm_policy}}/rules/{
˓→{afm_policy_rule}}
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"kind": "tm:security:firewall:policy:rules:rulesstate",
"name": "allow_google-dns",
"fullPath": "allow_google-dns",
"generation": 11483,
"selfLink": "https://localhost/mgmt/tm/security/firewall/policy/~Common~global_
˓→default_deny/rules/allow_google-dns?ver=13.0.0",
"action": "accept",
"ipProtocol": "any",
"iruleSampleRate": 1,
"log": "yes",
"status": "disabled",
"destination": {
"addressLists": [
"/Common/google-dns_address_list"
],
"addressListsReference": [
{
"link": "https://localhost/mgmt/tm/security/firewall/address-list/~Common~
˓→google-dns_address_list?ver=13.0.0"
}
]
},
220
"source": {
"identity": {}
}
}
Overview
In this lab, the iControl REST API will be used to provision a module on the BIG-IP. More specifically, the
Application Security Manager (ASM) module will be provisioned for use in Module 3: Configuring ASM
(Application Security Module).
Specific Instructions
Prior to performing the steps below, validate the {{module}} Postman environment variable. The {{mod-
ule}} should be set to asm.
Follow the below steps in order found in the Postman collection to complete this portion of the lab. The
requests and responses have been included below for reference.
PATCH https://{{big_ip_a_mgmt}}/mgmt/tm/sys/provision/afm
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
221
{
"level":"none"
}
Example Response
{
"kind": "tm:sys:provision:provisionstate",
"name": "afm",
"fullPath": "afm",
"generation": 10714,
"selfLink": "https://localhost/mgmt/tm/sys/provision/afm?ver=13.0.0",
"cpuRatio": 0,
"diskRatio": 0,
"level": "none",
"memoryRatio": 0
}
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/sys/provision
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
Note: The asm module is currently provisioned for none while the ltm module is provisioned for nominal.
{
"kind": "tm:sys:provision:provisioncollectionstate",
"selfLink": "https://localhost/mgmt/tm/sys/provision?ver=13.0.0",
"items": [
{
"kind": "tm:sys:provision:provisionstate",
"name": "asm",
"fullPath": "asm",
"generation": 5609,
"selfLink": "https://localhost/mgmt/tm/sys/provision/asm?ver=13.0.0",
"cpuRatio": 0,
"diskRatio": 0,
"level": "none",
"memoryRatio": 0
},
{
"kind": "tm:sys:provision:provisionstate",
"name": "ltm",
"fullPath": "ltm",
"generation": 1,
"selfLink": "https://localhost/mgmt/tm/sys/provision/ltm?ver=13.0.0",
"cpuRatio": 0,
222
"diskRatio": 0,
"level": "nominal",
"memoryRatio": 0
}
]
}
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/sys/provision/{{module}}
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"kind": "tm:sys:provision:provisionstate",
"name": "asm",
"fullPath": "asm",
"generation": 5609,
"selfLink": "https://localhost/mgmt/tm/sys/provision/asm?ver=13.0.0",
"cpuRatio": 0,
"diskRatio": 0,
"level": "none",
"memoryRatio": 0
}
The asm module is provisioned using an HTTP PATCH with a body containing a provisioning level to the
REST endpoint for mgmt/tm/sys/provision/{{module}}.
Request
PATCH https://{{big_ip_a_mgmt}}/mgmt/tm/sys/provision/{{module}}
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"level":"nominal"
}
223
Example Response
Note: The asm module has been provisioned with a level of nominal.
{
"kind": "tm:sys:provision:provisionstate",
"name": "asm",
"fullPath": "asm",
"generation": 10636,
"selfLink": "https://localhost/mgmt/tm/sys/provision/asm?ver=13.0.0",
"cpuRatio": 0,
"diskRatio": 0,
"level": "nominal",
"memoryRatio": 0
}
Overview
In this lab, the iControl REST based API will be used to explore some of the ASM related endpoints.
Specific Instructions
Follow the below steps in order found in the Postman collection to complete this portion of the lab. The
requests and responses have been included below for reference.
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/asm
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"kind": "tm:asm:asmcollectionstate",
"selfLink": "https://localhost/mgmt/tm/asm?ver=13.0.0",
"items": [
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/policies?ver=13.0.0"
}
},
224
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/server-technologies?ver=13.0.0"
}
}
]
}
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/asm/server-technologies
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"kind": "tm:asm:server-technologies:server-technologycollectionstate",
"selfLink": "https://localhost/mgmt/tm/asm/server-technologies?ver=13.0.0",
"totalItems": 40,
"items": [
{
"serverTechnologyDisplayName": "jQuery",
"serverTechnologyName": "jQuery",
"logoFileName": "jquery.png",
"lastUpdateMicros": 1476919661000000,
"description": "jQuery is a cross-platform JavaScript library designed to
˓→simplify the client-side scripting of HTML.",
"kind": "tm:asm:server-technologies:server-technologystate",
"serverTechnologyReferences": [],
"selfLink": "https://localhost/mgmt/tm/asm/server-technologies/9ZC0_aLDC-
˓→KN08jDyvXHew?ver=13.0.0",
"id": "9ZC0_aLDC-KN08jDyvXHew"
},
{
"serverTechnologyDisplayName": "Java Servlets/JSP",
"serverTechnologyName": "Java Servlets/JSP",
"logoFileName": "java.png",
"lastUpdateMicros": 1476919661000000,
"description": "A Java servlet is a Java program that extends the
˓→capabilities of a server.",
"kind": "tm:asm:server-technologies:server-technologystate",
"serverTechnologyReferences": [],
"selfLink": "https://localhost/mgmt/tm/asm/server-technologies/
˓→9ySigIBMpBbYU4r8FNAt4g?ver=13.0.0",
"id": "9ySigIBMpBbYU4r8FNAt4g"
}
]
}
225
2.0. Retrieve ASM policies
A test policy named test_asm_policy has already been created on the BIG-IP for demonstration pur-
poses.
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/asm/policies
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
Note: Copy the ASM policy hash as it appears in the "link": "https://localhost/mgmt/tm/
asm/policies/W-w3q351kYbr1A9OEaUOag/plain-text-profiles?ver=13.0.0", line of the re-
sponse and populate the {{asm_policy_hash}} Postman environment variable.
{
"kind": "tm:asm:policies:policycollectionstate",
"selfLink": "https://localhost/mgmt/tm/asm/policies?ver=13.0.0",
"totalItems": 1,
"items": [
{
"plainTextProfileReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/
˓→plain-text-profiles?ver=13.0.0",
"isSubCollection": true
},
"dataGuardReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/
˓→data-guard?ver=13.0.0"
}
]
}
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/asm/policies/{{asm_policy_hash}}
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"plainTextProfileReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/plain-
˓→text-profiles?ver=13.0.0",
"isSubCollection": true
},
226
"dataGuardReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/data-
˓→guard?ver=13.0.0"
},
"createdDatetime": "2017-06-02T04:37:22Z",
"cookieSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/cookie-
˓→settings?ver=13.0.0"
},
"versionLastChange": " Security Policy /Common/test_asm_policy [add]: Type was
˓→set to Security.\nEncoding Selected was set to false.\nApplication Language was set
˓→to utf-8.\nCase Sensitivity was set to Case Sensitive.\nTemplate was set to POLICY_
˓→HTTPS URLs was set to Protocol Specific.\nPolicy Name was set to /Common/test_asm_
"name": "test_asm_policy",
"caseInsensitive": false,
"headerSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/header-
˓→settings?ver=13.0.0"
},
"versionPolicyName": "/Common/test_asm_policy",
"generalReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/
˓→general?ver=13.0.0"
}
}
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"plainTextProfileReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/plain-
˓→text-profiles?ver=13.0.0",
"isSubCollection": true
},
"dataGuardReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/data-
˓→guard?ver=13.0.0"
},
"createdDatetime": "2017-06-02T04:37:22Z",
"cookieSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/cookie-
˓→settings?ver=13.0.0"
227
},
"versionLastChange": " Security Policy /Common/test_asm_policy [add]: Type was
˓→set to Security.\nEncoding Selected was set to false.\nApplication Language was set
˓→to utf-8.\nCase Sensitivity was set to Case Sensitive.\nTemplate was set to POLICY_
˓→HTTPS URLs was set to Protocol Specific.\nPolicy Name was set to /Common/test_asm_
"name": "test_asm_policy",
"caseInsensitive": false,
"headerSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/header-
˓→settings?ver=13.0.0"
},
"versionPolicyName": "/Common/test_asm_policy",
"generalReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/
˓→general?ver=13.0.0"
}
}
An HTTP GET to the /mgmt/tm/asm/tasks/ endpoint lists the various ASM related tasks that can be
performed via the iControl REST API.
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/asm/tasks/
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"kind": "tm:asm:tasks",
"selfLink": "https://localhost/mgmt/tm/asm/tasks?ver=13.0.0",
"items": [
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/export-policy?ver=13.0.0"
}
},
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/resolve-vulnerabilities?
˓→ver=13.0.0"
}
},
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/check-signatures?ver=13.
˓→0.0"
}
},
228
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/terminate-vulnerability-
˓→assessment?ver=13.0.0"
}
},
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/apply-server-
˓→technologies?ver=13.0.0"
}
},
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/associate-xml-validation-
˓→files-to-xml-profile?ver=13.0.0"
}
},
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/export-policy-template?
˓→ver=13.0.0"
}
},
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/export-requests?ver=13.0.
˓→0"
}
},
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/initiate-vulnerability-
˓→assessment?ver=13.0.0"
}
},
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/import-policy-template?
˓→ver=13.0.0"
}
},
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/update-signatures?ver=13.
˓→0.0"
}
},
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/import-policy?ver=13.0.0"
}
},
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/bulk?ver=13.0.0"
}
},
229
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/get-vulnerability-
˓→assessment-subscriptions?ver=13.0.0"
}
},
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/apply-policy?ver=13.0.0"
}
},
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/export-signatures?ver=13.
˓→0.0"
}
},
{
"reference": {
"link": "https://localhost/mgmt/tm/asm/tasks/import-vulnerabilities?
˓→ver=13.0.0"
}
}
]
}
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/asm/tasks/export-policy
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"kind": "tm:asm:tasks:export-policy:export-policy-taskcollectionstate",
"selfLink": "https://localhost/mgmt/tm/asm/tasks/export-policy?ver=13.0.0",
"totalItems": 0,
"items": []
}
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/asm/policy-templates
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
230
Example Response
{
"kind": "tm:asm:policy-templates:policy-templatecollectionstate",
"selfLink": "https://localhost/mgmt/tm/asm/policy-templates?ver=13.0.0",
"totalItems": 32,
"items": [
{
"policyType": "security",
"name": "POLICY_TEMPLATE_SHAREPOINT_2007_HTTP",
"description": "Generic template for SharePoint 2007 (http)",
"kind": "tm:asm:policy-templates:policy-templatestate",
"templateType": "application-ready",
"selfLink": "https://localhost/mgmt/tm/asm/policy-templates/jmHjN-Fpm-
˓→SGwYQsrZp57A?ver=13.0.0",
"templateDefaults": {
"caseInsensitive": true,
"learningSpeed": {
"untrustedTrafficSiteChangeTracking": {
"maxDaysBetweenSamples": 7,
"differentSources": 10,
"minMinutesBetweenSamples": 5
},
"untrustedTrafficLoosen": {
"maxDaysBetweenSamples": 7,
"differentSources": 20,
"minHoursBetweenSamples": 1
},
"trustedTrafficSiteChangeTracking": {
"maxDaysBetweenSamples": 7,
"differentSources": 1,
"minMinutesBetweenSamples": 0
},
"trustedTrafficLoosen": {
"maxDaysBetweenSamples": 7,
"differentSources": 1,
"minHoursBetweenSamples": 0
},
"trafficTighten": {
"minDaysBetweenSamples": 1,
"totalRequests": 15000,
"maxModificationSuggestionScore": 50
}
},
"enforcementReadinessPeriod": 7,
"learningMode": "disabled",
"applicationLanguage": "utf-8",
"enforcementMode": "transparent",
"signatureStaging": true,
"type": "security",
"protocolIndependent": false
},
"title": "SharePoint 2007 (http)",
"id": "jmHjN-Fpm-SGwYQsrZp57A"
}
]
}
231
6. Retrieve ASM signature sets
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/asm/signature-sets
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"kind": "tm:asm:signature-sets:signature-setcollectionstate",
"selfLink": "https://localhost/mgmt/tm/asm/signature-sets?ver=13.0.0",
"totalItems": 29,
"items": [
{
"filter": {
"riskFilter": "all",
"accuracyFilter": "all",
"userDefinedFilter": "all",
"lastUpdatedFilter": "all",
"accuracyValue": "all",
"riskValue": "all",
"signatureType": "all"
},
"isUserDefined": false,
"name": "Generic Detection Signatures",
"assignToPolicyByDefault": true,
"lastUpdateMicros": 0,
"kind": "tm:asm:signature-sets:signature-setstate",
"selfLink": "https://localhost/mgmt/tm/asm/signature-sets/pBeUaadz6x-Z55_
˓→GkLxfsg?ver=13.0.0",
"defaultAlarm": true,
"systems": [
{
"systemReference": {
"link": "https://localhost/mgmt/tm/asm/signature-systems/
˓→EStDgGiP9nSPgKBhSlDyvQ?ver=13.0.0"
}
},
{
"systemReference": {
"link": "https://localhost/mgmt/tm/asm/signature-systems/
˓→rMiBJmL6DLmnfmW_pXHmdw?ver=13.0.0"
}
},
{
"systemReference": {
"link": "https://localhost/mgmt/tm/asm/signature-systems/
˓→b9hI1sIulARJ09bbdy0VQw?ver=13.0.0"
}
}
],
"id": "pBeUaadz6x-Z55_GkLxfsg",
"type": "filter-based",
"signatureReferences": [
232
{
"link": "https://localhost/mgmt/tm/asm/signatures/nHU-8zUxj8ldUevwMgFpvw?
˓→ver=13.0.0"
},
{
"link": "https://localhost/mgmt/tm/asm/signatures/RTFj6E66sH7g7XMa9ihQOQ?
˓→ver=13.0.0"
}
],
"category": "User-defined",
"defaultBlock": true,
"defaultLearn": true
}
]
}
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/asm/signature-systems
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"kind": "tm:asm:signature-systems:signature-systemcollectionstate",
"selfLink": "https://localhost/mgmt/tm/asm/signature-systems?ver=13.0.0",
"totalItems": 44,
"items": [
{
"kind": "tm:asm:signature-systems:signature-systemstate",
"selfLink": "https://localhost/mgmt/tm/asm/signature-systems/
˓→EStDgGiP9nSPgKBhSlDyvQ?ver=13.0.0",
Request
233
GET https://{{big_ip_a_mgmt}}/mgmt/tm/asm/attack-types
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"kind": "tm:asm:attack-types:attack-typecollectionstate",
"selfLink": "https://localhost/mgmt/tm/asm/attack-types?ver=13.0.0",
"totalItems": 37,
"items": [
{
"kind": "tm:asm:attack-types:attack-typestate",
"selfLink": "https://localhost/mgmt/tm/asm/attack-types/9yL3q5_
˓→pO0E3pK1Uz9x2cw?ver=13.0.0",
},
{
"kind": "tm:asm:attack-types:attack-typestate",
"selfLink": "https://localhost/mgmt/tm/asm/attack-types/
˓→ufg0smEkZrpmkoDHfSPGdQ?ver=13.0.0",
}
]
}
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/asm/policies/{{asm_policy_hash}}/urls
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"kind": "tm:asm:policies:urls:urlcollectionstate",
"selfLink": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/urls?
˓→ver=13.0.0",
"totalItems": 2,
"items": [
{
"protocol": "http",
"wildcardIncludesSlash": true,
"lastLearnedNewEntityDatetime": "2017-06-02T04:37:25Z",
234
"html5CrossOriginRequestsEnforcement": {
"enforcementMode": "disabled"
},
"kind": "tm:asm:policies:urls:urlstate",
"selfLink": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/
˓→urls/faiefv884qtHRU3Qva2AbQ?ver=13.0.0",
"methodsOverrideOnUrlCheck": false,
"id": "faiefv884qtHRU3Qva2AbQ",
"isAllowed": true,
"metacharsOnUrlCheck": false,
"name": "*",
"lastUpdateMicros": 1496378251000000,
"description": "",
"parameterReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/
˓→urls/faiefv884qtHRU3Qva2AbQ/parameters?ver=13.0.0",
"isSubCollection": true
},
"attackSignaturesCheck": true,
"signatureOverrides": [],
"clickjackingProtection": false,
"urlContentProfiles": [
{
"headerValue": "*",
"headerName": "*",
"headerOrder": "default",
"type": "apply-value-and-content-signatures"
},
{
"headerValue": "*form*",
"headerName": "Content-Type",
"headerOrder": "1",
"type": "form-data"
},
{
"contentProfileReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-
˓→w3q351kYbr1A9OEaUOag/json-profiles/X8FbXF48VWJ5Tecp5ATd4A?ver=13.0.0"
},
"headerValue": "*json*",
"headerName": "Content-Type",
"headerOrder": "2",
"type": "json"
},
{
"contentProfileReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-
˓→w3q351kYbr1A9OEaUOag/xml-profiles/jwQd_XYZPfNGYnc3l7P4Pg?ver=13.0.0"
},
"headerValue": "*xml*",
"headerName": "Content-Type",
"headerOrder": "3",
"type": "xml"
}
],
"performStaging": true,
"type": "wildcard",
"wildcardOrder": 2
235
},
{
"protocol": "https",
"wildcardIncludesSlash": true,
"lastLearnedNewEntityDatetime": "2017-06-02T04:37:25Z",
"html5CrossOriginRequestsEnforcement": {
"enforcementMode": "disabled"
},
"kind": "tm:asm:policies:urls:urlstate",
"selfLink": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/
˓→urls/N_a3D1S7OKDehYEPb-mgCg?ver=13.0.0",
"methodsOverrideOnUrlCheck": false,
"id": "N_a3D1S7OKDehYEPb-mgCg",
"isAllowed": true,
"metacharsOnUrlCheck": false,
"name": "*",
"lastUpdateMicros": 1496378251000000,
"description": "",
"parameterReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/
˓→urls/N_a3D1S7OKDehYEPb-mgCg/parameters?ver=13.0.0",
"isSubCollection": true
},
"attackSignaturesCheck": true,
"signatureOverrides": [],
"clickjackingProtection": false,
"urlContentProfiles": [
{
"headerValue": "*",
"headerName": "*",
"headerOrder": "default",
"type": "apply-value-and-content-signatures"
},
{
"headerValue": "*form*",
"headerName": "Content-Type",
"headerOrder": "1",
"type": "form-data"
},
{
"contentProfileReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-
˓→w3q351kYbr1A9OEaUOag/json-profiles/X8FbXF48VWJ5Tecp5ATd4A?ver=13.0.0"
},
"headerValue": "*json*",
"headerName": "Content-Type",
"headerOrder": "2",
"type": "json"
},
{
"contentProfileReference": {
"link": "https://localhost/mgmt/tm/asm/policies/W-
˓→w3q351kYbr1A9OEaUOag/xml-profiles/jwQd_XYZPfNGYnc3l7P4Pg?ver=13.0.0"
},
"headerValue": "*xml*",
"headerName": "Content-Type",
"headerOrder": "3",
"type": "xml"
236
}
],
"performStaging": true,
"type": "wildcard",
"wildcardOrder": 1
}
]
}
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/asm/policies/{{asm_policy_hash}}/signature-sets
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"kind": "tm:asm:policies:signature-sets:signature-setcollectionstate",
"selfLink": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/
˓→signature-sets?ver=13.0.0",
"totalItems": 1,
"items": [
{
"signatureSetReference": {
"link": "https://localhost/mgmt/tm/asm/signature-sets/pBeUaadz6x-Z55_
˓→GkLxfsg?ver=13.0.0"
},
"lastUpdateMicros": 1496378251000000,
"selfLink": "https://localhost/mgmt/tm/asm/policies/W-w3q351kYbr1A9OEaUOag/
˓→signature-sets/xMpCOKC5I4INzFCab3WEmw?ver=13.0.0",
"kind": "tm:asm:policies:signature-sets:signature-setstate",
"alarm": true,
"block": true,
"id": "xMpCOKC5I4INzFCab3WEmw",
"learn": true
}
]
}
Overview
In this lab, the iControl REST based API will be used to create both an ASM parent and child policy.
Specific Instructions
Follow the below steps in order found in the Postman collection to complete this portion of the lab. The
requests and responses have been included below for reference.
237
Attention: Some response content has been removed for brevity.
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/asm/policies
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"kind": "tm:asm:policies:policycollectionstate",
"selfLink": "https://localhost/mgmt/tm/asm/policies?ver=13.0.0",
"totalItems": 1,
"items": [
{
"plainTextProfileReference": {
"link": "https://localhost/mgmt/tm/asm/policies/8JuF2s3Lb26BYwLXpaHLIg/
˓→plain-text-profiles?ver=13.0.0",
"isSubCollection": true
},
"dataGuardReference": {
"link": "https://localhost/mgmt/tm/asm/policies/8JuF2s3Lb26BYwLXpaHLIg/
˓→data-guard?ver=13.0.0"
}
]
}
An HTTP POST to the /mgmt/tm/asm/policies endpoint with a body containing basic policy config-
uration including "type":"parent" will create a new ASM parent policy which can then be used for
inheritance when a child policy is created.
Request
POST https://{{big_ip_a_mgmt}}/mgmt/tm/asm/policies
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"name":"API_ASM_POLICY_TEST",
"description":"Test ASM policy",
"applicationLanguage":"utf-8",
"type":"parent",
238
"enforcementMode":"transparent",
"protocolIndependent":"true",
"learningMode":"disabled",
"serverTechnologyName": "Unix/Linux"
}
Example Response
Note: Copy the ASM policy hash for the newly created policy and populate the {{asm_policy_hash}}
Postman environment variable. The hash in the example below is JEQPVWeJcdso_rEC7Xxo6Q
{
"historyRevisionReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q/
˓→history-revisions?ver=13.0.0",
"isSubCollection": true
},
"childPolicyCount": 0,
"responsePageReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q/
˓→response-pages?ver=13.0.0",
"isSubCollection": true
},
"policyBuilderReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q/policy-
˓→builder?ver=13.0.0"
},
"serverTechnologyReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q/server-
˓→technologies?ver=13.0.0",
"isSubCollection": true
},
"blockingSettingReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q/
˓→blocking-settings?ver=13.0.0",
"isSubCollection": true
},
"hostNameReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q/host-
˓→names?ver=13.0.0",
"isSubCollection": true
},
"dataGuardReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q/data-
˓→guard?ver=13.0.0"
},
"selfLink": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q?ver=13.
˓→0.0",
"signatureReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q/
˓→signatures?ver=13.0.0",
"isSubCollection": true
},
"filetypeReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q/
˓→filetypes?ver=13.0.0",
239
"isSubCollection": true
},
"createdDatetime": "2017-05-30T15:02:11Z",
"modifierName": "",
"id": "JEQPVWeJcdso_rEC7Xxo6Q",
"subPath": "/Common",
"name": "API_ASM_POLICY_TEST",
"caseInsensitive": false,
"headerSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q/header-
˓→settings?ver=13.0.0"
}
}
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/asm/policies/{{asm_policy_hash}}
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"historyRevisionReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q/
˓→history-revisions?ver=13.0.0",
"isSubCollection": true
},
"childPolicyCount": 0,
"responsePageReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q/
˓→response-pages?ver=13.0.0",
"isSubCollection": true
},
"policyBuilderReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q/policy-
˓→builder?ver=13.0.0"
},
"serverTechnologyReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q/server-
˓→technologies?ver=13.0.0",
"isSubCollection": true
}
}
An HTTP POST to the /mgmt/tm/asm/policies endpoint with a body containing basic policy configu-
ration including "parentPolicyName": "/Common/API_ASM_POLICY_TEST" will create a new child
policy which inherits a base configuration from the specified parent.
240
Request
POST https://{{big_ip_a_mgmt}}/mgmt/tm/asm/policies
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"name":"API_ASM_POLICY_CHILD_TEST",
"description":"Test ASM policy",
"applicationLanguage":"utf-8",
"parentPolicyName": "/Common/API_ASM_POLICY_TEST",
"enforcementMode":"transparent",
"protocolIndependent":"true",
"learningMode":"automatic",
"learningSpeed":"slow",
"serverTechnologyName": "Apache Tomcat"
}
Example Response
Note: Take note of the ASM policy hash for the newly created policy. Copy this value into your Postman’s
collection environmental variable for {{asm_policy_hash}}
{
"plainTextProfileReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/plain-
˓→text-profiles?ver=13.0.0",
"isSubCollection": true
},
"dataGuardReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/data-
˓→guard?ver=13.0.0"
},
"createdDatetime": "2017-05-30T15:45:59Z",
"cookieSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/cookie-
˓→settings?ver=13.0.0"
},
"name": "API_ASM_POLICY_CHILD_TEST",
"caseInsensitive": false,
"headerSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/header-
˓→settings?ver=13.0.0"
},
"sectionReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/
˓→sections?ver=13.0.0",
"isSubCollection": true
},
"loginPageReference": {
241
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/login-
˓→ pages?ver=13.0.0",
"isSubCollection": true
},
"description": "Test ASM policy",
"fullPath": "/Common/API_ASM_POLICY_CHILD_TEST",
"policyBuilderParameterReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/policy-
˓→builder-parameter?ver=13.0.0"
},
"hasParent": true,
"partition": "Common",
"parentPolicyReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q?ver=13.
˓→0.0"
}
}
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/asm/policies/{{asm_policy_hash}}
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"plainTextProfileReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/plain-
˓→text-profiles?ver=13.0.0",
"isSubCollection": true
},
"dataGuardReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/data-
˓→guard?ver=13.0.0"
},
"createdDatetime": "2017-05-30T15:45:59Z",
"cookieSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/cookie-
˓→settings?ver=13.0.0"
},
"versionLastChange": " Security Policy /Common/API_ASM_POLICY_CHILD_TEST [add]:
˓→Parent Policy was set to /Common/API_ASM_POLICY_TEST.\nType was set to Security.
˓→\nDifferentiate between HTTP and HTTPS URLs was set to Protocol Specific.\nPolicy
"name": "API_ASM_POLICY_CHILD_TEST",
"caseInsensitive": false,
242
"headerSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/header-
˓→settings?ver=13.0.0"
},
"sectionReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/
˓→sections?ver=13.0.0",
"isSubCollection": true
},
"loginPageReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/login-
˓→pages?ver=13.0.0",
"isSubCollection": true
},
"description": "Test ASM policy",
"fullPath": "/Common/API_ASM_POLICY_CHILD_TEST",
"policyBuilderParameterReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/policy-
˓→builder-parameter?ver=13.0.0"
},
"hasParent": true,
"partition": "Common",
"parentPolicyReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q?ver=13.
˓→0.0"
},
"webScrapingReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/web-
˓→scraping?ver=13.0.0"
},
"csrfProtectionReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/csrf-
˓→protection?ver=13.0.0"
},
"policyAntivirusReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/
˓→antivirus?ver=13.0.0"
},
"kind": "tm:asm:policies:policystate",
"virtualServers": [],
"policyBuilderCookieReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/policy-
˓→builder-cookie?ver=13.0.0"
}
}
Overview
In this lab, the previously created ASM policy will be applied to a virtual server using the iControl REST API.
243
Specific Instructions
Follow the below steps in order found in the Postman collection to complete this portion of the lab. The
requests and responses have been included below for reference.
PATCH https://{{big_ip_a_mgmt}}/mgmt/tm/asm/policies/{{asm_policy_hash}}
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"virtualServers":["/Common/hackazon_vs"]
}
Example Response
{
"plainTextProfileReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/plain-
˓→text-profiles?ver=13.0.0",
"isSubCollection": true
},
"dataGuardReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/data-
˓→guard?ver=13.0.0"
},
"createdDatetime": "2017-05-30T15:45:59Z",
"cookieSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/cookie-
˓→settings?ver=13.0.0"
},
"versionLastChange": " Security Policy /Common/API_ASM_POLICY_CHILD_TEST [add]:
˓→Parent Policy was set to /Common/API_ASM_POLICY_TEST.\nType was set to Security.
˓→\nDifferentiate between HTTP and HTTPS URLs was set to Protocol Specific.\nPolicy
"name": "API_ASM_POLICY_CHILD_TEST",
244
"caseInsensitive": false,
"headerSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/header-
˓→settings?ver=13.0.0"
},
"sectionReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/
˓→sections?ver=13.0.0",
"isSubCollection": true
},
"loginPageReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/login-
˓→pages?ver=13.0.0",
"isSubCollection": true
},
"description": "Test ASM policy",
"fullPath": "/Common/API_ASM_POLICY_CHILD_TEST",
"policyBuilderParameterReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/policy-
˓→builder-parameter?ver=13.0.0"
},
"hasParent": true,
"partition": "Common",
"parentPolicyReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q?ver=13.
˓→0.0"
},
}
Request
GET https://{{big_ip_a_mgmt}}/mgmt/tm/asm/policies/{{asm_policy_hash}}
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"plainTextProfileReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/plain-
˓→text-profiles?ver=13.0.0",
"isSubCollection": true
},
"dataGuardReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/data-
˓→guard?ver=13.0.0"
},
"createdDatetime": "2017-05-30T15:45:59Z",
"cookieSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/cookie-
˓→settings?ver=13.0.0"
},
245
"versionLastChange": "Policy Building Settings Policy Building Settings [update]:
˓→ Internal Statistics have been updated { audit: policy = /Common/API_ASM_POLICY_
˓→CHILD_TEST, component = Policy Builder }",
"name": "API_ASM_POLICY_CHILD_TEST",
"caseInsensitive": false,
"headerSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/header-
˓→settings?ver=13.0.0"
}
}
Headers
Content-Type: application/json
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Body
{
"virtualServers":[""]
}
Example Response
{
"plainTextProfileReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/plain-
˓→text-profiles?ver=13.0.0",
"isSubCollection": true
},
"dataGuardReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/data-
˓→guard?ver=13.0.0"
},
"createdDatetime": "2017-05-30T15:45:59Z",
"cookieSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/cookie-
˓→settings?ver=13.0.0"
},
"versionLastChange": "Policy Building Settings Policy Building Settings [update]:
˓→Internal Statistics have been updated { audit: policy = /Common/API_ASM_POLICY_
"name": "API_ASM_POLICY_CHILD_TEST",
"caseInsensitive": false,
"headerSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/header-
˓→settings?ver=13.0.0"
246
},
"sectionReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/
˓→sections?ver=13.0.0",
"isSubCollection": true
},
"loginPageReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/login-
˓→pages?ver=13.0.0",
"isSubCollection": true
},
"description": "Test ASM policy",
"fullPath": "/Common/API_ASM_POLICY_CHILD_TEST",
"policyBuilderParameterReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/policy-
˓→builder-parameter?ver=13.0.0"
},
"hasParent": true,
"partition": "Common",
"parentPolicyReference": {
"link": "https://localhost/mgmt/tm/asm/policies/JEQPVWeJcdso_rEC7Xxo6Q?ver=13.
˓→0.0"
}
}
Headers
X-F5-Auth-Token: {{big_ip_a_auth_token}}
Example Response
{
"plainTextProfileReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/plain-
˓→text-profiles?ver=13.0.0",
"isSubCollection": true
},
"dataGuardReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/data-
˓→guard?ver=13.0.0"
},
"createdDatetime": "2017-05-30T15:45:59Z",
"cookieSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/cookie-
˓→settings?ver=13.0.0"
},
"versionLastChange": "Policy Building Settings Policy Building Settings [update]:
˓→Internal Statistics have been updated { audit: policy = /Common/API_ASM_POLICY_
247
"name": "API_ASM_POLICY_CHILD_TEST",
"caseInsensitive": false,
"headerSettingsReference": {
"link": "https://localhost/mgmt/tm/asm/policies/zD8sehzULw6Ni7GJG2XwJQ/header-
˓→settings?ver=13.0.0"
}
}
248
HOWTOs: Index
5
This section contains useful HOWTOs
This HOWTO document describes the minimal changes required to update an existing iApp template and
add a version number to the template name.
Adding the version number allows the iApp template to be used by iWorkflow v2.1 and later. Versioning is
required to enable iApp templates to be installed across many BIG-IP devices in a production-safe manner.
Without version information it is possible that iApp templates could be overwritten leading to deployment
failures and/or outages.
The iApp template can be exported from a BIG-IP system where it has been installed. The file has a .tmpl
extension and is a plaintext, readable format.
Complete the following steps:
1. Login to the BIG-IP GUI with admin credentials
2. Click iApps -> Templates
3. Find the desired template in the list and click the template name to open it
4. Scroll to the bottom of the page and click the ‘Export’ button
5. Click the Download: ... button and save the file to your computer
We will now edit the template name to add a version number. iWorkflow currently supports the following
formats:
• template_name_v1.0_0
249
• template_name.v.1.0.0
• /<partition>/template_name.v1.0.0
Complete the following steps:
1. Open the previously saved .tmpl file in a text editor
2. Perform a text search for sys application template
Example:
1 cli admin-partitions {
2 update-partition Common
3 }
4
3. Modify the template name to include a version number using one of the formats specified at the
beginning of this task.
Example:
1 cli admin-partitions {
2 update-partition Common
3 }
4
The updated iApp template is now ready to be imported to iWorkflow. Instructions on how to do this can be
found at:
https://devcentral.f5.com/wiki/iWorkflow.iWorkflowOpsGuide_7.ashx
250