
F5 Application Security Manager (WAF)

LAST UPDATED: JAN. 13, 2025

Overview

F5 Application Security Manager (WAF) is a unified cloud security platform designed for both cloud security and development teams, offering capabilities for prevention, active detection and response.

D3 SOAR provides REST operations to work with F5 Application Security Manager (WAF).

F5 Application Security Manager (WAF) is available for use in:

D3 SOAR

V16.8+

Category

Network Security

Deployment Options

Option I, Option III

Connection

To connect to F5 Application Security Manager (WAF) from D3 SOAR, collect the required information below:

Parameter

Description

Example

Server URL

The server URL used for the connection.

https://*****. ****.****.****

User Name

The username used for authenticating the connection.

admin

Password

The password used for authenticating the connection.

*****

Configuring D3 SOAR to Work with F5 Application Security Manager (WAF)

  1. Log in to D3 SOAR.

  2. Find the F5 Application Security Manager (WAF) integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type F5 Application Security Manager (WAF) in the search box to find the integration, then click it to select it.

    4. Click on the + Connection button on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to F5 Application Security Manager (WAF).

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Active: Check the checkbox to ensure the connection is available for use.

    7. Privileged: Chooses access level for the connection. Only roles with Privileged Connection settings can set and use privileged integration connections.

    8. Configure User Permissions: Defines which users have access to the connection.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      1. Input the Server URL where the F5 Application Security Manager (WAF) platform is hosted.

      2. Input the User Name used to log into the F5 Application Security Manager (WAF) platform.

      3. Input the Password used to log into the F5 Application Security Manager (WAF) platform.

    10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.

    11. Connection Health Check: Updates the status of the connection you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.

      To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green check mark appear beside the Test Connection button. If the test connection fails, check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

F5 Application Security Manager (WAF) includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the F5 Application Security Manager (WAF) API, refer to the F5 Application Security Manager (WAF) API references below.

Add Policy Element

Adds a new item to the specified element of the given policy.

Input

Input Parameter

Required/Optional

Description

Example

Policy Name

Required

The name of the policy to which new elements will be added.

NewPolicy1220Importqq

Element Type

Required

The type of element to be added to the policy.

URLs

Element Object

Required

The JSON object representing the elements to be added to the policy.

JSON
{
    "name": "login.php",
    "protocol": "https",
    "description": "A Login Page 1219",
    "isAllowed": false
}

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Add Policy Element failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: URL '[HTTPS] login.php' already exists in this policy.

Error Sample Data

Add Policy Element failed.

Status Code: 400.

Message: URL '[HTTPS] login.php' already exists in this policy.
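
The three-part error block above lends itself to automated triage in a playbook. The following is an added example, not code from D3 SOAR or F5: it parses the Error Sample Data shown on this page and maps each failure to a next step; the `CommandError` type, the function names and the triage labels are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Error Sample Data copied from this page, one entry per command.
SAMPLES = {
    "add_element": (
        "Add Policy Element failed.\n"
        "Status Code: 400.\n"
        "Message: URL '[HTTPS] login.php' already exists in this policy."
    ),
    "apply": (
        "Apply Policy failed.\n"
        "Status Code: 404.\n"
        "Message: Apply Policy command failed to find policy name: demo."
    ),
    "list": (
        "List Policies failed.\n"
        "Status Code: 400.\n"
        "Message: Can not parse $filter: 'filter error'."
    ),
    "test_connection": (
        "Test Connection failed. Failed to check the connector.\n"
        "Status Code: 400.\n"
        "Message: Server Url is not valid in format."
    ),
}


@dataclass(frozen=True)
class CommandError:
    command: str   # from the Failure Indicator line
    status: int    # from the Status Code line
    message: str   # from the Message line


_INDICATOR = re.compile(r"^(?P<command>.+?) failed\.")
_STATUS = re.compile(r"^Status Code:\s*(?P<code>\d{3})\.?$")
_MESSAGE = re.compile(r"^Message:\s*(?P<text>.*)$")


def parse_error(text: str) -> CommandError:
    """Split an Error tab block into its three documented parts."""
    command = status = message = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := _STATUS.match(line):
            status = int(m["code"])
        elif m := _MESSAGE.match(line):
            message = m["text"]
        elif command is None and (m := _INDICATOR.match(line)):
            command = m["command"]
    if command is None or status is None or message is None:
        raise ValueError("incomplete Failure Indicator / Status Code / Message block")
    return CommandError(command, status, message)


def triage(err: CommandError) -> str:
    """Map a parsed error to a next step (labels are hypothetical)."""
    msg = err.message.lower()
    if err.status in (401, 403):
        # The page: 401 means the connection is unauthorized to run the command.
        return "check_connection_permissions"
    if err.status == 404:
        # On this page every 404 sample is a policy name that was not found.
        return "policy_not_found"
    if err.status == 400:
        if "already exists" in msg:
            return "already_present"      # safe to treat a re-run as a no-op
        if "$filter" in msg:
            return "fix_filter_syntax"
        if "illegal character" in msg:
            return "fix_policy_name"
        return "fix_input"
    if err.status >= 500:
        return "retry_later"
    return "investigate"


def triage_all(samples: dict) -> dict:
    """Parse and triage every sample; returns {key: (command, status, step)}."""
    out = {}
    for key, text in samples.items():
        err = parse_error(text)
        out[key] = (err.command, err.status, triage(err))
    return out


if __name__ == "__main__":
    for key, row in triage_all(SAMPLES).items():
        print(key, row)
```
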

Apply Policy

Applies the specified policy.

Input

Input Parameter

Required/Optional

Description

Example

Policy Name

Required

The name of the policy to be applied.

NewPolicy1220Importqq

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Apply Policy failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Apply Policy command failed to find policy name: demo.

Error Sample Data

Apply Policy failed.

Status Code: 404.

Message: Apply Policy command failed to find policy name: demo.

Create Policy

Creates a new Application Security Manager policy.

READER NOTE

Policy Template ID and Parent Policy Name are optional parameters to run this command.

  • Run the List Policy Templates command to obtain the Policy Template ID. Policy Template IDs can be found in the raw data at the path $.items[*].id.

  • Run the List Policies command to obtain the Parent Policy Name. Parent Policy Names can be found in the raw data at the path $.items[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Policy Name

Required

The name of the policy to be created.

NewPolicy1220Importqq

Description

Optional

The description for the policy to be created.

By default, "Fundamental Policy" will be added as the description.

ASM Policy

Policy Type

Optional

The type of policy to be created.

Available options are:

  • Security

  • Parent

By default, the value is set to Security.

Security

Policy Template ID

Optional

The ID of the policy template used to create the policy. Policy Template ID can be obtained using the List Policy Templates command.

By default, the default policy template will be used.

*****

Parent Policy Name

Optional

The parent policy name of the policy to be created. Parent Policy Name can be obtained using the List Policies command with the Policy Type set to Parent.

TestPolicy1217api001

Enforcement Mode

Optional

The enforcement mode of the policy to be created.

Available options are:

  • Blocking

  • Transparent

By default, the value is set to Blocking.

Blocking

Protocol Independent

Optional

Whether the policy to be created is protocol independent.

By default, the value is False.

True

Active

Optional

Whether the policy to be created is active.

By default, the value is False.

True

Case Sensitive

Optional

Whether the policy to be created is case-sensitive. If a value for Parent Policy is specified, the Case Sensitive parameter value is overridden.

By default, the value is Yes.

Yes

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Policy failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Could not add the Policy '/Common/Demo Policy'. Failed validating value '/Common/Demo Policy' for fullPath: The value contains an illegal character (\" \")

Error Sample Data

Create Policy failed.

Status Code: 400.

Message: Could not add the Policy '/Common/Demo Policy'. Failed validating value '/Common/Demo Policy' for fullPath: The value contains an illegal character (\" \")

Delete Policy

Deletes the specified policies.

Input

Input Parameter

Required/Optional

Description

Example

Policy Name

Required

The names of the policies to be deleted.

JSON
[ "NewPolicy1220Importaa" ]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Policy failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Delete Policy command failed to find policy name Demo

Error Sample Data

Delete Policy failed.

Status Code: 404.

Message: Delete Policy command failed to find policy name Demo

Export Policy

Exports the specified policy to another Application Security Manager system. The exported policy can be used as a base policy on another system.

Input

Input Parameter

Required/Optional

Description

Example

Policy Name

Required

The name of the policy to be exported.

NewPolicy1220Importqq

Exported File Name

Optional

The name of the exported file.

By default, <policyName>.xml will be used as the file name.

NewPolicy1220Importqq.xml

Minimal

Optional

Whether to export only custom policy settings.

False

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Export Policy failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Export Policy command failed to find policy name Demo.

Error Sample Data

Export Policy failed.

Status Code: 404.

Message: Export Policy command failed to find policy name Demo.

Get Policy

Retrieves the details of the specified policy.

READER NOTE

Policy Name is a required parameter to run this command.

  • Run the List Policies command to obtain the Policy Name. Policy Names can be found in the raw data at the path $.items[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Policy Name

Required

The name of the policy to be retrieved. Policy Name can be obtained using the List Policies command.

TestPolicy1220api002secpar

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Policy failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Get Policy command failed to find policy name Demo.

Error Sample Data

Get Policy failed.

Status Code: 404.

Message: Get Policy command failed to find policy name Demo.

Import Policy

Imports a policy from another Application Security Manager system.

READER NOTE

Parent Policy Name is an optional parameter to run this command.

  • Run the List Policies command to obtain the Parent Policy Name. Parent Policy Names can be found in the raw data at the path $.items[*].name.

File ID and File Source

It is not recommended to use the Test Command feature with the Import Policy command as it is designed for dynamic input files in Playbooks, Incident Attachments, and Artifact Attachments. There is a simple workaround to test the command:

  1. Navigate to Configuration on the top bar menu.

  2. Click on Utility Commands on the left sidebar menu.

  3. Use the search box to find and select the Create a File from input Text Array command.

  4. Click on the Test tab.

  5. Input the required information for the parameters.

  6. Click on the Test Command button. A D3 File ID will appear in the output data after the file has been successfully created. The D3 File Source of the created file will be Playbook File.

Input

Input Parameter

Required/Optional

Description

Example

File ID

Required

The file ID of the policy to be imported.

*****

File Source

Optional

The file source.

Available options are:

  • IR Attachment: Manually uploaded file from Incident

  • Playbook File: Output from another Task

  • Artifact File: Ingested Artifact in an Event

By default, the value is set to Playbook File.

Playbook File

Policy Name

Required

The name of the imported policy.

NewPolicy1220Importqq

Description

Optional

The description of the imported policy.

Updated Jan 2025

Parent Policy Name

Optional

The parent policy name of the policy to be imported. Parent Policy Name can be obtained using the List Policies command with the Policy Type set to Parent.

ParentPolicy1220a

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Import Policy failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Parameter 'File ID' is invalid.

Error Sample Data

Import Policy failed.

Status Code: 400.

Message: Parameter 'File ID' is invalid.

List Policies

Lists web application firewall policies according to the filter criteria.

Input

Input Parameter

Required/Optional

Description

Example

Policy Name

Optional

The full or partial name of the policies to be retrieved.

testAppSecurity

Policy Type

Optional

The type of policies to be retrieved.

Available options are:

  • Security

  • Parent

By default, all policies regardless of their type will be returned.

Security

Enforcement Mode

Optional

The enforcement mode of the policies to be retrieved.

Available options are:

  • Blocking

  • Transparent

By default, all policies regardless of their mode will be returned.

Blocking

Filter

Optional

The case-sensitive conditions used to filter the policies to be retrieved.

For example, use "active eq false" to query policies whose active status is false. Refer to the iControl REST User Guide and the OData Basic Tutorial for the OData filter syntax.

active eq false

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Policies failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Can not parse $filter: 'filter error'.

Error Sample Data

List Policies failed.

Status Code: 400.

Message: Can not parse $filter: 'filter error'.
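
List Policies raw data can drive a posture check for policies that are not enforcing. This added example (not D3 SOAR or F5 code) flags security policies that are not in Blocking mode or not active; the input is constructed, and the `type`, `enforcementMode` and `active` field names under `$.items[*]` are assumptions about the raw data, as are the function and issue names.

```python
import json

# Constructed raw data in the shape List Policies is assumed to return.
# Field names other than "name" are assumptions, not taken from this page.
RAW = json.loads("""
{"items": [
  {"name": "shop-prod",    "type": "security", "enforcementMode": "blocking",    "active": true},
  {"name": "shop-staging", "type": "security", "enforcementMode": "transparent", "active": true},
  {"name": "legacy-api",   "type": "security", "enforcementMode": "blocking",    "active": false},
  {"name": "base-parent",  "type": "parent",   "enforcementMode": "transparent", "active": false},
  {"name": "half-built",   "type": "security"}
]}
""")


def audit_policies(raw: dict) -> list:
    """Return one finding per security policy that is not fully enforcing.

    Parent policies are skipped because this audit targets security policies.
    A missing field is reported as unknown rather than assumed safe.
    """
    findings = []
    for policy in raw.get("items", []):
        if str(policy.get("type", "security")).lower() != "security":
            continue
        issues = []

        mode = policy.get("enforcementMode")
        if mode is None:
            issues.append("enforcement_unknown")
        elif str(mode).lower() != "blocking":
            issues.append("not_blocking")

        active = policy.get("active")
        if active is None:
            issues.append("active_unknown")
        elif active is not True:
            issues.append("inactive")

        if issues:
            findings.append({"policy": policy.get("name", "<unnamed>"), "issues": issues})
    return sorted(findings, key=lambda f: f["policy"])


if __name__ == "__main__":
    for finding in audit_policies(RAW):
        print(finding["policy"], ",".join(finding["issues"]))
```
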

List Policy Elements

Lists the elements of the specified policy according to the filter criteria.

READER NOTE

Policy Name is a required parameter to run this command.

  • Run the List Policies command to obtain the Policy Name. Policy Names can be found in the raw data at the path $.items[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Policy Name

Required

The name of the policy whose elements are to be retrieved. Policy Name can be obtained using the List Policies command.

NewPolicy1220Importqq

Element Type

Required

The type of elements to retrieve.

Signatures

Filter

Optional

The case-sensitive conditions used to filter the policy elements to be retrieved.

Refer to the iControl REST User Guide and the OData Basic Tutorial for the OData filter syntax.

enabled eq true and signature/name eq 'location.assign() (Header)'

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Policy Elements failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: List Policies Elements command failed to get policy id.

Error Sample Data

List Policy Elements failed.

Status Code: 400.

Message: List Policies Elements command failed to get policy id.

List Policy Signatures

Lists the signatures of the specified policy according to the filter criteria.

READER NOTE

Policy Name is a required parameter to run this command.

  • Run the List Policies command to obtain the Policy Name. Policy Names can be found in the raw data at the path $.items[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Policy Name

Required

The name of the policy whose signatures are to be retrieved. Policy Name can be obtained using the List Policies command.

NewPolicy1220Importqq

Filter

Optional

The case-sensitive conditions used to filter the policy signatures to be retrieved.

Refer to the iControl REST User Guide and the OData Basic Tutorial for the OData filter syntax.

enabled eq true and signature/name eq 'location.assign() (Header)'

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Policy Signatures failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: List Policies Signatures command failed to get policy id.

Error Sample Data

List Policy Signatures failed.

Status Code: 400.

Message: List Policies Signatures command failed to get policy id.

List Policy Templates

Lists policy templates according to the filter criteria.

Input

Input Parameter

Required/Optional

Description

Example

Policy Template Name

Optional

The case-sensitive name of the policy template to retrieve. All policy templates containing the entered name will be returned.

EXCHANGE

Is Deprecated

Optional

Whether to retrieve deprecated or valid policy templates.

By default, both deprecated and valid policy templates will be returned.

False

Filter

Optional

The case-sensitive conditions used to filter the policy templates to be retrieved.

Refer to the iControl REST User Guide and the OData Basic Tutorial for the OData filter syntax.

contains(title,'OWA Exchange')

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Policy Templates failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: List Policies Templates command failed to get policy id.

Error Sample Data

List Policy Templates failed.

Status Code: 400.

Message: List Policies Templates command failed to get policy id.
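
Filter values in a playbook often come from incident or artifact data, so they should be quoted rather than concatenated. This added example (not part of the D3 SOAR or F5 documentation) builds the Filter strings shown on this page from validated field names and escaped literals; the helper names are hypothetical, and doubling single quotes is the OData escaping rule, assumed here to be honoured by the target API.

```python
import re

# A field is one or more identifiers joined by "/", e.g. signature/name.
_FIELD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:/[A-Za-z_][A-Za-z0-9_]*)*")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def field(name: str) -> str:
    """Accept only plain property paths so a field name cannot carry operators."""
    if not isinstance(name, str) or not _FIELD.fullmatch(name):
        raise ValueError(f"invalid filter field: {name!r}")
    return name


def literal(value) -> str:
    """Render a Python value as an OData literal."""
    if isinstance(value, bool):          # check bool before int: True is an int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        if _CONTROL.search(value):
            raise ValueError("control character in filter value")
        # OData string literals escape a single quote by doubling it.
        return "'" + value.replace("'", "''") + "'"
    raise TypeError(f"unsupported filter value type: {type(value).__name__}")


def eq(name: str, value) -> str:
    return f"{field(name)} eq {literal(value)}"


def contains(name: str, value: str) -> str:
    if not isinstance(value, str):
        raise TypeError("contains() needs a string value")
    return f"contains({field(name)},{literal(value)})"


def all_of(*clauses: str) -> str:
    """Join clauses produced by eq()/contains() with 'and'."""
    if not clauses:
        raise ValueError("at least one clause is required")
    return " and ".join(clauses)


if __name__ == "__main__":
    # The Filter examples from this page, rebuilt from their parts.
    print(all_of(eq("enabled", True),
                 eq("signature/name", "location.assign() (Header)")))
    print(contains("title", "OWA Exchange"))
    # Constructed hostile value: stays inside one quoted literal.
    print(eq("name", "x' or active eq true or name eq 'y"))
```
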

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Output Type

Description

Return Data Type

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

String

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Server Url is not valid in format.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 400.

Message: Server Url is not valid in format.
