ESD L7 policy which uses ASM does not work #550

Open
thomsonjames opened this issue May 3, 2017 · 6 comments
Comments

@thomsonjames

  • Title: With ESD, if you try to apply a policy which points to an ASM policy, it does not work.
  • Attachments: For bugs, attach the agent log and configuration files
    • /etc/neutron/services/f5/f5-openstack-agent.ini
    • /var/log/neutron/f5-openstack-agent.log

2017-05-03 14:58:37.007 6238 ERROR f5_openstack_agent.lbaasv2.drivers.bigip.icontrol_driver [req-dd4324bc-34df-4329-a499-de1d740c821a 5d2f6b8a78d84a78a8c10589db0cd641 19fb201047d3468d9a3514e4689a9cba - - -] 400 Unexpected Error: Bad Request for uri: https://10.1.3.131:443/mgmt/tm/ltm/virtual/~Project_19fb201047d3468d9a3514e4689a9cba~Project_0963bb1f-f78e-4c96-933e-9e0ffebd01ab/
Text: u'{"code":400,"message":"010716d9:3: Virtual server /Project_19fb201047d3468d9a3514e4689a9cba/Project_0963bb1f-f78e-4c96-933e-9e0ffebd01ab requires a profile of type websecurity for ltm policy /Common/asmpolicy.","errorStack":[],"apiError":3}'
2017-05-03 14:58:37.007 6238 ERROR f5_openstack_agent.lbaasv2.drivers.bigip.icontrol_driver Traceback (most recent call last):
2017-05-03 14:58:37.007 6238 ERROR f5_openstack_agent.lbaasv2.drivers.bigip.icontrol_driver File "/usr/lib/python2.7/site-packages/f5_openstack_agent/lbaasv2/drivers/bigip/icontrol_driver.py", line 1250, in _common_service_handler
2017-05-03 14:58:37.007 6238 ERROR f5_openstack_agent.lbaasv2.drivers.bigip.icontrol_driver all_subnet_hints)
2017-05-03 14:58:37.007 6238 ERROR f5_openstack_agent.lbaasv2.drivers.bigip.icontrol_driver File "/usr/lib/python2.7/site-packages/f5_openstack_agent/lbaasv2/drivers/bigip/lbaas_builder.py", line 63, in assure_service
2017-05-03 14:58:37.007 6238 ERROR f5_openstack_agent.lbaasv2.drivers.bigip.icontrol_driver self._assure_l7policies_created(service)
2017-05-03 14:58:37.007 6238 ERROR f5_openstack_agent.lbaasv2.drivers.bigip.icontrol_driver File "/usr/lib/python2.7/site-packages/f5_openstack_agent/lbaasv2/drivers/bigip/lbaas_builder.py", line 435, in _assure_l7policies_created
2017-05-03 14:58:37.007 6238 ERROR f5_openstack_agent.lbaasv2.drivers.bigip.icontrol_driver raise f5_ex.L7PolicyCreationException(err.message)
2017-05-03 14:58:37.007 6238 ERROR f5_openstack_agent.lbaasv2.drivers.bigip.icontrol_driver L7PolicyCreationException: 400 Unexpected Error: Bad Request for uri: https://10.1.3.131:443/mgmt/tm/ltm/virtual/~Project_19fb201047d3468d9a3514e4689a9cba~Project_0963bb1f-f78e-4c96-933e-9e0ffebd01ab/
2017-05-03 14:58:37.007 6238 ERROR f5_openstack_agent.lbaasv2.drivers.bigip.icontrol_driver Text: u'{"code":400,"message":"010716d9:3: Virtual server /Project_19fb201047d3468d9a3514e4689a9cba/Project_0963bb1f-f78e-4c96-933e-9e0ffebd01ab requires a profile of type websecurity for ltm policy /Common/asmpolicy.","errorStack":[],"apiError":3}'
2017-05-03 14:58:37.007 6238 ERROR f5_openstack_agent.lbaasv2.drivers.bigip.icontrol_driver

  • Details: For bugs, copy and paste the following template into your new issue and fill it out.

Agent Version

9.3.0

Operating System

Centos7

OpenStack Release

Mitaka

Bug Severity

For bugs enter the bug severity level. Do not set any labels.

Severity: 3

Description

<Describe the bug in detail, steps taken prior to encountering the issue, and a short explanation of how you have deployed OpenStack and the F5 agent>

Deployment

<Explain in reasonable detail your OpenStack deployment, the F5 OpenStack agent, and BIG-IP(s)>
<Example: Single OpenStack controller with one F5 agent managing a cluster of 4 BIG-IP VEs>
<Example: Three OpenStack controllers in HA, each with one standalone F5 agent managing a single BIG-IP appliance>

  • Details: For enhancements, copy and paste the following template into your new issue and fill it out.

OpenStack Release

Mitaka

Description

BIG-IP does some magic when you apply an L7 policy with ASM. If you apply an L7 policy like this:

ltm policy asmpolicy {
    controls { asm }
    last-modified 2017-05-03:15:47:13
    requires { http }
    rules {
        defrule {
            actions {
                0 {
                    asm
                    enable
                    policy /Common/asmpolicy2
                }
            }
        }
    }
    status published
    strategy first-match
}

Then, the BIG-IP adds 2 profiles to the virtual. See the bigip.conf if I do it manually by GUI.

ltm virtual myvs1 {
    destination 3.4.5.5:http
    ip-protocol tcp
    mask 255.255.255.255
    policies {
        asmpolicy { }
    }
    profiles {
        bot_defense_asm_aggregated { }
        http { }
        tcp { }
        websecurity { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 5
}

Notice "websecurity" and "bot_defense_asm_aggregated".
I did not add those in the GUI, I only added my L7 policy called "asmpolicy"

Since the openstack agent doesn't know what is in the L7 policy, you wouldn't know to do this.
I wonder if the REST call we're using to add policies is not allowing this "magic" that the BIG-IP does.

@dflanigan
Contributor

@szakeri could you triage this issue.

@szakeri
Contributor

szakeri commented May 4, 2017

Some policies require profiles to exist before creation of the policy. To fix this issue the websecurity profile needs to be added to the virtual server before applying the ASM policy (mentioned in the log message: Text: u'{ requires a profile of type websecurity for ltm policy /Common/asmpolicy."}'). You can refer to this page:

https://devcentral.f5.com/questions/virtual-server-requires-a-profile-type-web-security-53043

Other solutions are either writing an irule or asking for enhancement request to support websecurity profile.

@jgruber
Contributor

jgruber commented May 22, 2017

There are MANY combinations of things possible in defined traffic policies which we don't support with the current set of ESD tags. ASM is just one of them. There are an infinite (not really) number of dependencies we would have to track down to see what dependent profiles to add to make any given combination of things work.

We should just add an ESD tag like lbaas_ws to name the profile if that's what's required.

This is an enhancement request.

@thomsonjames
Author

thomsonjames commented May 22, 2017

Thanks for the feedback. I figured out how to do it manually on the BIG-IP with a REST call. To replicate what the F5 GUI does when adding a policy with ASM, I had to create a POST to virtual servers that looked like this:

{
    "name": "iControl-REST-test-virtual_https",
    "description": "A virtual server to demonstrate iControl-REST API",
    "destination": "10.84.3.201:http",
    "ipProtocol": "tcp",
    "mask": "255.255.255.255",
    "pool": "none",
    "sourceAddressTranslation": {
        "pool": "none",
        "type": "automap"
    },
    "profiles": [
        { "name": "http" },
        { "name": "tcp" },
        { "name": "bot_defense_asm_aggregated" },
        { "name": "websecurity" }
    ],
    "policies": [
        { "name": "asmpolicy" }
    ]
}
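The two comments above describe the same dependency from both ends: jgruber's suggestion of an ESD tag (he names it lbaas_ws) that lists extra profiles, and the POST body above that shows which profiles the GUI silently attaches. The example below is an added illustration, not code from f5-openstack-agent, the BIG-IP, or anyone in this thread. It parses the `controls` and `requires` blocks of a tmsh `ltm policy` definition, derives the profiles the virtual must already carry, and refuses to build a `POST /mgmt/tm/ltm/virtual` body that the BIG-IP would reject with the "requires a profile of type websecurity" error seen in the agent log. The asm-to-websecurity mapping comes from the thread; adding bot_defense_asm_aggregated for newer releases, the base http/tcp profile set, and the shape of the lbaas_ws tag (a string or a list of profile names) are assumptions made for this example.

```python
import json
import re

# Constructed sample: the policy posted in the issue, timestamp omitted.
SAMPLE_POLICY = """
ltm policy asmpolicy {
    controls { asm }
    requires { http }
    rules {
        defrule {
            actions {
                0 {
                    asm
                    enable
                    policy /Common/asmpolicy2
                }
            }
        }
    }
    status published
    strategy first-match
}
"""

# Profiles the BIG-IP demands for each 'controls' keyword. Only the
# asm -> websecurity rule is stated in the thread; bot_defense_asm_aggregated
# is what the reporter saw the GUI add on later versions. Assumed table.
REQUIRED_PROFILES_BY_CONTROL = {
    "asm": ("websecurity", "bot_defense_asm_aggregated"),
}

# Matches 'controls { ... }' and 'requires { ... }' blocks of a tmsh policy.
_BLOCK_RE = re.compile(r"\b(controls|requires)\s*\{([^}]*)\}")


def policy_dependencies(tmsh_policy):
    """Return {"controls": set, "requires": set} parsed from a tmsh policy."""
    deps = {"controls": set(), "requires": set()}
    for key, body in _BLOCK_RE.findall(tmsh_policy):
        deps[key].update(body.split())
    return deps


def required_profiles(tmsh_policy):
    """Profiles the virtual must carry before this policy can be attached:
    everything in 'requires' plus those implied by each 'controls' entry."""
    deps = policy_dependencies(tmsh_policy)
    needed = set(deps["requires"])
    for control in deps["controls"]:
        needed.update(REQUIRED_PROFILES_BY_CONTROL.get(control, ()))
    return sorted(needed)


def missing_profiles(tmsh_policy, attached):
    """Required profiles that are not in the virtual's current profile list."""
    attached = set(attached)
    return [p for p in required_profiles(tmsh_policy) if p not in attached]


def build_virtual_payload(name, destination, esd, policy_name, tmsh_policy):
    """Assemble an iControl REST body for POST /mgmt/tm/ltm/virtual, failing
    early instead of letting the BIG-IP return a 400 for a missing profile."""
    profiles = ["http", "tcp"]  # assumed base set the agent always attaches
    # Hypothetical ESD tag from the thread: lbaas_ws names extra profiles.
    extra = esd.get("lbaas_ws", [])
    if isinstance(extra, str):
        extra = [extra]
    for profile in extra:
        if profile not in profiles:
            profiles.append(profile)
    missing = missing_profiles(tmsh_policy, profiles)
    if missing:
        raise ValueError("policy %s cannot attach to %s without profiles: %s"
                         % (policy_name, name, ", ".join(missing)))
    return {
        "name": name,
        "destination": destination,
        "ipProtocol": "tcp",
        "mask": "255.255.255.255",
        "profiles": [{"name": p} for p in profiles],
        "policies": [{"name": policy_name}],
    }


if __name__ == "__main__":
    # Constructed ESD: a single service with the hypothetical lbaas_ws tag.
    esd = {"lbaas_ws": ["websecurity", "bot_defense_asm_aggregated"]}
    body = build_virtual_payload("myvs1", "10.84.3.201:http", esd,
                                 "asmpolicy", SAMPLE_POLICY)
    print(json.dumps(body, indent=2))
```

Run against the sample policy with an empty ESD, `build_virtual_payload` raises before any request is sent, naming websecurity and bot_defense_asm_aggregated as the missing profiles; with the tag populated it returns the same profile/policy combination the manual POST above uses.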

@thomsonjames
Author

@szakeri Yes, I see what you mean about profiles needing to exist beforehand. The websecurity and, in later versions, the bot_defense_asm_aggregated profiles need to be attached. The same goes for enabling ASM in an iRule as well. As soon as you use the "ASM::enable" command, it wants the websecurity profile to exist.

The easiest feature enhancement is probably to add the ability to add profiles via ESD, then this should work.

@ianwijaya

Hi @jgruber,

I'm facing a similar situation. I want to apply WAF policies to a VS. Have we come up with a workaround for this?

Thanks,


6 participants