F5 BIG-IP REST API Security

I’ve been using the BIG-IP REST API to read the configuration of LTM, and I wanted to reduce the risk of accidental changes. During my investigation I came across the post https://devcentral.f5.com/questions/read-only-access-to-icontrol-rest-api, which showed how to configure role-based access control for the REST API.

I wanted to create a new rule for a read-only account (‘monitor’); the account is configured as a Guest within BIG-IP. To create a new access rule you need the POST method:

curl -k -u admin:adminpass -X POST https://1.1.1.1/mgmt/shared/authz/roles -d @addRule.json

where addRule.json is:

{
  "name": "iControl_REST_API_monitor",
  "userReferences": [
    {"link": "https://localhost/mgmt/shared/authz/users/monitor"}
  ],
  "resources": [
    {"resourceMask": "/mgmt/tm/ltm", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*/*/*", "restMethod": "GET"}
  ]
}

This worked fine until I discovered the rule did not have enough depth (wildcard levels) to cover the data I wanted to retrieve. To update the rule you need the PUT method:

curl -k -u admin:adminpass -X PUT https://1.1.1.1/mgmt/shared/authz/roles/iControl_REST_API_monitor -d @updateRule.json

where updateRule.json is:

{
  "userReferences": [
    {"link": "https://localhost/mgmt/shared/authz/users/monitor"}
  ],
  "resources": [
    {"resourceMask": "/mgmt/tm/ltm", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*/*/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*/*/*/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*/*/*/*/*", "restMethod": "GET"}
  ]
}
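The role bodies above are easy to get wrong by hand, and the only way the post found the missing depth was by hitting the device. The following Python is an added example (not code from the original post or from F5): it generates the role JSON for a chosen number of wildcard levels and checks locally whether a given method and path would be covered by the masks. It assumes that a `*` in a resourceMask matches exactly one path segment, which is what the "not enough depth" experience above suggests; the host, user and file names are placeholders.

```python
"""Build and sanity-check a read-only iControl REST role (added example).

Assumption: '*' in a resourceMask matches exactly one path segment, so a
mask with N wildcards covers only paths exactly N segments below the prefix.
Verify this against your own BIG-IP version before relying on it.
"""
import json
from typing import Dict, List

# The addRule.json body from the post, used to confirm the generator agrees with it.
PAGE_ADD_RULE = (
    '{"name": "iControl_REST_API_monitor","userReferences":[{"link":'
    '"https://localhost/mgmt/shared/authz/users/monitor"}],"resources":['
    '{"resourceMask":"/mgmt/tm/ltm","restMethod":"GET"},'
    '{"resourceMask":"/mgmt/tm/ltm/*","restMethod":"GET"},'
    '{"resourceMask":"/mgmt/tm/ltm/*/*","restMethod":"GET"},'
    '{"resourceMask":"/mgmt/tm/ltm/*/*/*","restMethod":"GET"},'
    '{"resourceMask":"/mgmt/tm/ltm/*/*/*/*","restMethod":"GET"}]}'
)


def build_role(name: str, user: str, prefix: str = "/mgmt/tm/ltm",
               depth: int = 6, method: str = "GET") -> Dict:
    """Return the JSON body for POST /mgmt/shared/authz/roles.

    One resource entry per level: prefix, prefix/*, prefix/*/*, ... up to
    'depth' wildcards, all restricted to a single HTTP method.
    """
    resources: List[Dict[str, str]] = []
    for level in range(depth + 1):
        resources.append({"resourceMask": prefix + "/*" * level,
                          "restMethod": method})
    return {
        "name": name,
        "userReferences": [
            {"link": f"https://localhost/mgmt/shared/authz/users/{user}"}
        ],
        "resources": resources,
    }


def mask_matches(mask: str, path: str) -> bool:
    """Segment-wise comparison; '*' stands for exactly one segment (assumption)."""
    m = mask.strip("/").split("/")
    p = path.strip("/").split("/")
    if len(m) != len(p):
        return False
    return all(ms == "*" or ms == ps for ms, ps in zip(m, p))


def is_permitted(role: Dict, method: str, path: str) -> bool:
    """Local check: does any resource entry cover this method and path?

    The query string (e.g. ?expandSubcollections=true) is not part of the mask.
    """
    path = path.split("?", 1)[0]
    return any(r["restMethod"] == method.upper()
               and mask_matches(r["resourceMask"], path)
               for r in role["resources"])


def write_rule_file(role: Dict, filename: str) -> None:
    """Write the body to a file for 'curl ... -d @filename'."""
    with open(filename, "w", encoding="utf-8") as fh:
        json.dump(role, fh, indent=2)


if __name__ == "__main__":
    original = build_role("iControl_REST_API_monitor", "monitor", depth=4)
    updated = build_role("iControl_REST_API_monitor", "monitor", depth=6)
    write_rule_file(updated, "updateRule.json")  # placeholder file name
    for method, path in [("GET", "/mgmt/tm/ltm/virtual"),
                         ("POST", "/mgmt/tm/ltm/virtual"),
                         ("GET", "/mgmt/tm/ltm/a/b/c/d/e"),
                         ("GET", "/mgmt/tm/net/self")]:
        print(f"{method:4} {path:28} depth4={is_permitted(original, method, path)!s:5} "
              f"depth6={is_permitted(updated, method, path)!s:5}")
```

Treat the local check as a guide to the mask structure only; the authoritative test is on the device, with the monitor account: a GET that returns data and a POST or PUT that is rejected. Passing `-u admin:adminpass` on the command line also leaves the admin password in shell history and process listings, so read it from a file or prompt for it when you run the curl commands above.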

TMG from PowerShell

I recently had to perform an audit of TMG rules and used PowerShell to access the object model. Below are a few sample commands that show how to reach various parts of the TMG object model from PowerShell.

# Connect to the TMG COM object model (run on the TMG server, or with the TMG management tools installed)
$tmg = New-Object -ComObject "FPC.Root"
# Select the array by its DNS name
$proxy = $tmg.Arrays | ? {$_.DNSName -eq "PROXY"}
# Destination domain name sets and user sets referenced by a named access rule
($proxy.ArrayPolicy.PolicyRules | ? {$_.Name -eq "Allow Sample Sites Access"}).AccessProperties.DestinationDomainNameSets
($proxy.ArrayPolicy.PolicyRules | ? {$_.Name -eq "Allow Sample Sites Access"}).AccessProperties.UserSets
# Look up a rule element directly: a domain name set, and the accounts in a user set
$proxy.RuleElements.DomainNameSets.Item("Sample Sites")
$proxy.RuleElements.UserSets.Item("Sample Site Access Group").Accounts

The following links are useful reference material for interpreting TMG logs: