Generated AS3 declaration is invalid when virtualAddress is a reference to serviceAddress #39

Closed
andreykashcheev opened this issue Jun 22, 2021 · 2 comments
Labels
bug Something isn't working jira Jira created for this issue
@andreykashcheev
Environment

  • Application Services Version: 1.12.0
  • BIG-IP Version: v16

Summary

A clear and concise description of what the bug is.
Please also include information about the reproducibility and the severity/impact of the issue.

ACC generated an AS3 declaration, and an attempt to post the generated AS3 declaration results in a 422 response:

{
    "code": 422,
    "errors": [
        "/waf/http/serviceMain/virtualAddresses/0: should match format \"f5ip\""
    ],
    "declarationFullId": "",
    "message": "declaration is invalid"
}

This validation error is related to the following portion of the AS3 config:

    "waf": {
        "class": "Tenant",
        "http": {
            "class": "Application",
            "template": "http",
            "WAF__http": {
                "rules": [
                    {
                        "name": "default",
                        "actions": [
                            {
                                "event": "request",
                                "enabled": true,
                                "type": "http"
                            }
                        ]
                    }
                ],
                "strategy": "first-match",
                "class": "Endpoint_Policy"
            },
            "pool": {
                "members": [
                    {
                        "addressDiscovery": "fqdn",
                        "hostname": "test-hostname.local",
                        "servicePort": 443
                    }
                ],
                "class": "Pool",
                "minimumMonitors": 1,
                "monitors": [
                    {
                        "bigip": "/Common/http"
                    }
                ]
            },
            "serviceMain": {
                "remark": "http",
                "layer4": "tcp",
                "persistenceMethods": [
                    "cookie"
                ],
                "pool": "pool",
                "securityLogProfiles": [
                    {
                        "use": "/Common/Shared/Log_illegal_requests"
                    }
                ],
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_HTTP",
                "profileTCP": {
                    "bigip": "/Common/f5-tcp-progressive"
                },
                "profileHTTP": {
                    "bigip": "/Common/http"
                },
                "profileBotDefense": {
                    "use": "/waf/Shared/ASM_policyWAF"
                },
                "virtualAddresses": [
                    "serviceAddress/0"
                ],
                "snat": "auto",
                "policyEndpoint": "/waf/http/WAF__http"
            }
        },
        "Shared": {
            "class": "Application",
            "template": "shared",
            "serviceAddress": {
                "virtualAddress": "any/0",
                "icmpEcho": "disable",
                "trafficGroup": "/Common/traffic-group-1",
                "class": "Service_Address"
            }
        }
    }

After looking at the BIG-IP configuration, it was discovered that the AS3 declaration was generated from the following config:

ltm virtual /waf/http/serviceMain {
    description http
    destination /waf/serviceAddress:80
    ip-protocol tcp
    mask any
    persist {
        /Common/cookie {
            default yes
        }
    }
    policies {
        /waf/http/_WAF__http { }
    }
    pool /waf/http/pool
    profiles {
        /Common/f5-tcp-progressive { }
        /Common/http { }
        /Common/websecurity { }
        /waf/Shared/ASM_policyWAF { }
    }
    security-log-profiles {
        "/Common/Log illegal requests"
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm virtual-address /waf/serviceAddress {
    address any
    arp enabled
    icmp-echo disabled
    inherited-traffic-group true
    mask any
    traffic-group /Common/traffic-group-1
}

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert the following config:
ltm virtual /waf/http/serviceMain {
    description http
    destination /waf/serviceAddress:80
    ip-protocol tcp
    mask any
    persist {
        /Common/cookie {
            default yes
        }
    }
    policies {
        /waf/http/_WAF__http { }
    }
    pool /waf/http/pool
    profiles {
        /Common/f5-tcp-progressive { }
        /Common/http { }
        /Common/websecurity { }
        /waf/Shared/ASM_policyWAF { }
    }
    security-log-profiles {
        "/Common/Log illegal requests"
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm virtual-address /waf/serviceAddress {
    address any
    arp enabled
    icmp-echo disabled
    inherited-traffic-group true
    mask any
    traffic-group /Common/traffic-group-1
}
  2. Review generated AS3 declaration:
    "waf": {
        "class": "Tenant",
        "http": {
            "class": "Application",
            "template": "http",
            "WAF__http": {
                "rules": [
                    {
                        "name": "default",
                        "actions": [
                            {
                                "event": "request",
                                "enabled": true,
                                "type": "http"
                            }
                        ]
                    }
                ],
                "strategy": "first-match",
                "class": "Endpoint_Policy"
            },
            "pool": {
                "members": [
                    {
                        "addressDiscovery": "fqdn",
                        "hostname": "f5-waf.int.coles-dps-uat.sandbox.rmbspay.net",
                        "servicePort": 443
                    }
                ],
                "class": "Pool",
                "minimumMonitors": 1,
                "monitors": [
                    {
                        "bigip": "/Common/http"
                    }
                ]
            },
            "serviceMain": {
                "remark": "http",
                "layer4": "tcp",
                "persistenceMethods": [
                    "cookie"
                ],
                "pool": "pool",
                "securityLogProfiles": [
                    {
                        "use": "/Common/Shared/Log_illegal_requests"
                    }
                ],
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_HTTP",
                "profileTCP": {
                    "bigip": "/Common/f5-tcp-progressive"
                },
                "profileHTTP": {
                    "bigip": "/Common/http"
                },
                "profileBotDefense": {
                    "use": "/waf/Shared/ASM_policyWAF"
                },
                "virtualAddresses": [
                    "serviceAddress/0"
                ],
                "snat": "auto",
                "policyEndpoint": "/waf/http/WAF__http"
            }
        },
        "Shared": {
            "class": "Application",
            "template": "shared",
            "serviceAddress": {
                "virtualAddress": "any/0",
                "icmpEcho": "disable",
                "trafficGroup": "/Common/traffic-group-1",
                "class": "Service_Address"
            }
        }
    }
  3. POST generated AS3 declaration to AS3

Expected Behavior

A clear and concise description of what you expected to happen.

AS3 accepts declaration and creates all needed objects

Actual Behavior

A clear and concise description of what actually happens.
Please include any applicable error output.

AS3 throws the following validation exception:

{
    "code": 422,
    "errors": [
        "/waf/http/serviceMain/virtualAddresses/0: should match format \"f5ip\""
    ],
    "declarationFullId": "",
    "message": "declaration is invalid"
}
@andreykashcheev andreykashcheev added the bug Something isn't working label Jun 22, 2021
@mdditt2000 mdditt2000 added the PME PME Action Item label Jun 29, 2021
@mdditt2000
Created Jira CHARON-401 for PM tracking

@mdditt2000 mdditt2000 added jira Jira created for this issue and removed PME PME Action Item labels Jul 26, 2021
@mdditt2000 mdditt2000 added this to the 1.15 milestone Aug 12, 2021
@mdditt2000
Merge branch 'CHARON-401-virtual-address-ref' into 'develop'
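A pre-flight check for the failure reported in this issue, as an added example (not ACC's code and not the fix that was merged): it walks a tenant, flags `virtualAddresses` strings that are not IP literals, and, when the name matches a `Service_Address` in the same tenant, proposes an AS3 `use` pointer instead. The function names are hypothetical, the IP test only approximates AS3's `f5ip` format, and the sample tenant is constructed from the declaration above.

```javascript
// Approximation of AS3's "f5ip" format: IPv4/IPv6 literal with optional
// %route-domain and /prefix. This is an assumption, not AS3's validator.
function looksLikeIp(value) {
    const host = value.replace(/\/\d+$/, '').replace(/%\d+$/, '');
    const v4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host)
        && host.split('.').every((octet) => Number(octet) <= 255);
    const v6 = host.includes(':') && /^[0-9a-fA-F:.]+$/.test(host);
    return v4 || v6;
}

// Map each Service_Address object name in the tenant to its full path.
function indexServiceAddresses(tenantName, tenant) {
    const index = new Map();
    for (const [appName, app] of Object.entries(tenant)) {
        if (!app || app.class !== 'Application') continue;
        for (const [objName, obj] of Object.entries(app)) {
            if (obj && obj.class === 'Service_Address') {
                index.set(objName, `/${tenantName}/${appName}/${objName}`);
            }
        }
    }
    return index;
}

// Return one finding per virtualAddresses string that is not an IP literal.
function lintVirtualAddresses(tenantName, tenant) {
    const known = indexServiceAddresses(tenantName, tenant);
    const findings = [];
    for (const [appName, app] of Object.entries(tenant)) {
        if (!app || app.class !== 'Application') continue;
        for (const [svcName, svc] of Object.entries(app)) {
            if (!svc || !Array.isArray(svc.virtualAddresses)) continue;
            svc.virtualAddresses.forEach((entry, i) => {
                if (typeof entry !== 'string' || looksLikeIp(entry)) return;
                const name = entry.split('/')[0]; // drop the "/0" mask suffix
                const path = `/${tenantName}/${appName}/${svcName}/virtualAddresses/${i}`;
                const suggestion = known.has(name) ? { use: known.get(name) } : null;
                findings.push({ path, value: entry, suggestion });
            });
        }
    }
    return findings;
}

// Constructed sample, reduced from the declaration in the report.
const sampleTenant = {
    class: 'Tenant',
    http: { class: 'Application', serviceMain: { class: 'Service_HTTP', virtualAddresses: ['serviceAddress/0', '192.0.2.10'] } },
    Shared: { class: 'Application', serviceAddress: { class: 'Service_Address', virtualAddress: 'any/0' } }
};
```

Running `lintVirtualAddresses('waf', sampleTenant)` reports the same path that AS3 rejected with the 422 response.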
