F5 Application Security Manager (WAF)
LAST UPDATED: JAN. 13, 2025
Overview
F5 Application Security Manager (WAF) is a unified cloud security platform designed for both cloud security and development teams, offering capabilities for prevention, active detection and response.
D3 SOAR is providing REST operations to function with F5 Application Security Manager (WAF).
F5 Application Security Manager (WAF) is available for use in:
D3 SOAR | V16.8+ |
Category | Network Security |
Deployment Options |
Connection
To connect to F5 Application Security Manager (WAF) from D3 SOAR, follow this part to collect the required information below:
Parameter | Description | Example |
Server URL | The server URL used for the connection. | https://*****. ****.****.**** |
User Name | The username used for authenticating the connection. | admin |
Password | The password used for authenticating the connection. | ***** |
Configuring D3 SOAR to Work with F5 Application Security Manager (WAF)
Log in to D3 SOAR.
Find the F5 Application Security Manager (WAF) integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type F5 Application Security Manager (WAF) in the search box to find the integration, then click it to select it.
Click on the + Connection button on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to F5 Application Security Manager (WAF).
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Active: Check the checkbox to ensure the connection is available for use.
Privileged: Chooses access level for the connection. Only roles with Privileged Connection settings can set and use privileged integration connections.
Configure User Permissions: Defines which users have access to the connection.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input the Server URL where the F5 Application Security Manager (WAF) platform is hosted.
2. Input the User Name used to log into the F5 Application Security Manager (WAF) platform.
3. Input the Password used to log into the F5 Application Security Manager (WAF) platform.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.
Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green check mark appear beside the Test Connection button. If the test connection fails, check your connection parameters and try again.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
F5 Application Security Manager (WAF) includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the F5 Application Security Manager (WAF) API, refer to the F5 Application Security Manager (WAF) API references below.
Add Policy Element
Adds a new item to the specified element of the given policy.
Input
Input Parameter | Required/Optional | Description | Example |
Policy Name | Required | The name of the policy to which new elements will be added. | NewPolicy1220Importqq |
Element Type | Required | The type of element to be added to the policy. | URLs |
Element Object | Required | The JSON object representing the elements to be added to the policy. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add Policy Element failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: URL '[HTTPS] login.php' already exists in this policy. |
Error Sample Data Add Policy Element failed. Status Code: 400. Message: URL '[HTTPS] login.php' already exists in this policy. |
Apply Policy
Applies the specified policy.
Input
Input Parameter | Required/Optional | Description | Example |
Policy Name | Required | The name of the policy to be applied. | NewPolicy1220Importqq |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Apply Policy failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Apply Policy command failed to find policy name: demo. |
Error Sample Data Apply Policy failed. Status Code: 404. Message: Apply Policy command failed to find policy name: demo. |
Create Policy
Creates a new Application Security Manager policy.
READER NOTE
Policy Template ID and Parent Policy Name are optional parameters to run this command.
Run the List Policy Templates command to obtain the Policy Template ID. Policy Template IDs can be found in the raw data at the path $.items[*].id.
Run the List Policies command to obtain the Parent Policy Name. Parent Policy Names can be found in the raw data at the path $.items[*].name.
Input
Input Parameter | Required/Optional | Description | Example |
Policy Name | Required | The name of the policy to be created. | NewPolicy1220Importqq |
Description | Optional | The description for the policy to be created. By default, "Fundamental Policy" will be added as the description. | ASM Policy |
Policy Type | Optional | The type of policy to be created. Available options are:
By default, the value is set to Security. | Security |
Policy Template ID | Optional | The ID of the policy template used to create the policy. Policy Template ID can be obtained using the List Policy Templates command. By default, the default policy template will be used. | ***** |
Parent Policy Name | Optional | The parent policy name of the policy to be created. Parent Policy Name can be obtained using the List Policies command with the Policy Type set to Parent. | TestPolicy1217api001 |
Enforcement Mode | Optional | The enforcement mode of the policy to be created. Available options are:
By default, the value is set to Blocking. | Blocking |
Protocol Independent | Optional | Whether the policy to be created is protocol independent. By default, the value is False. | True |
Active | Optional | Whether the policy to be created is active. By default, the value is False. | True |
Case Sensitive | Optional | Whether the policy to be created is case-sensitive. If a value for Parent Policy is specified, the Case Sensitive parameter value is overridden. By default, the value is Yes. | Yes |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Policy failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Could not add the Policy '/Common/Demo Policy'. Failed validating value '/Common/Demo Policy' for fullPath: The value contains an illegal character (\" \") |
Error Sample Data Create Policy failed. Status Code: 400. Message: Could not add the Policy '/Common/Demo Policy'. Failed validating value '/Common/Demo Policy' for fullPath: The value contains an illegal character (\" \") |
Delete Policy
Deletes the specified policies.
Input
Input Parameter | Required/Optional | Description | Example |
Policy Name | Required | The names of the policies to be deleted. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Delete Policy failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Delete Policy command failed to find policy name Demo |
Error Sample Data Delete Policy failed. Status Code: 404. Message: Delete Policy command failed to find policy name Demo |
Export Policy
Exports the specified policy to another Application Security Manager system. The exported policy can be used as a base policy on another system.
Input
Input Parameter | Required/Optional | Description | Example |
Policy Name | Required | The name of the policy to be exported. | NewPolicy1220Importqq |
Exported File Name | Optional | The name of the exported file. By default, <policyName>.xml will be used as the file name. | NewPolicy1220Importqq.xml |
Minimal | Optional | Whether to export only custom policy settings. | False |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Export Policy failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Export Policy command failed to find policy name Demo. |
Error Sample Data Export Policy failed. Status Code: 404. Message: Export Policy command failed to find policy name Demo. |
Get Policy
Retrieves the details of the specified policy.
READER NOTE
Policy Name is a required parameter to run this command.
Run the List Policies command to obtain the Policy Name. Policy Names can be found in the raw data at the path $.items[*].name.
Input
Input Parameter | Required/Optional | Description | Example |
Policy Name | Required | The name of the policy to be retrieved. Policy Name can be obtained using the List Policies command. | TestPolicy1220api002secpar |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Policy failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Get Policy command failed to find policy name Demo. |
Error Sample Data Get Policy failed. Status Code: 404. Message: Get Policy command failed to find policy name Demo. |
Import Policy
Imports a policy from another Application Security Manager system.
READER NOTE
Parent Policy Name is an optional parameter to run this command.
Run the List Policies command to obtain the Parent Policy Name. Parent Policy Names can be found in the raw data at the path $.items[*].name.
File ID and File Source
It is not recommended to use the Test Command feature with the Import Policy command as it is designed for dynamic input files in Playbooks, Incident Attachments, and Artifact Attachments. There is a simple workaround to test the command:
Navigate to Configuration on the top bar menu.
Click on Utility Commands on the left sidebar menu.
Use the search box to find and select the Create a File from input Text Array command.
Click on the Test tab.
Input the required information for the parameters.
Click on the Test Command button. A D3 File ID will appear in the output data after the file has been successfully created. The D3 File Source of the created file will be Playbook File.
Input
Input Parameter | Required/Optional | Description | Example |
File ID | Required | The file ID of the policy to be imported. | ***** |
File Source | Optional | The file source. Available options are:
By default, the value is set to Playbook File. | Playbook File |
Policy Name | Required | The name of the imported policy. | NewPolicy1220Importqq |
Description | Optional | The description of the imported policy. | Updated Jan 2025 |
Parent Policy Name | Optional | The parent policy name of the policy to be imported. Parent Policy Name can be obtained using the List Policies command with the Policy Type set to Parent. | ParentPolicy1220a |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Import Policy failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Parameter 'File ID' is invalid. |
Error Sample Data Import Policy failed. Status Code: 400. Message: Parameter 'File ID' is invalid. |
List Policies
Lists web application firewall policies according to the filter criteria.
Input
Input Parameter | Required/Optional | Description | Example |
Policy Name | Optional | The full or partial name of the policies to be retrieved. | testAppSecurity |
Policy Type | Optional | The type of policies to be retrieved. Available options are:
By default, all policies regardless of their type will be returned. | Security |
Enforcement Mode | Optional | The enforcement mode of the policies to be retrieved. Available options are:
By default, all policies regardless of their mode will be returned. | Blocking |
Filter | Optional | The case-sensitive conditions used to filter the policies to be retrieved. For example, use "active eq false" to query policies with an active status. Refer to the iControl REST User Guide and the OData Basic Tutorial for the OData filter syntax. | active eq false |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Policies failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Can not parse $filter: 'filter error'. |
Error Sample Data List Policies failed. Status Code: 400. Message: Can not parse $filter: 'filter error'. |
List Policy Elements
Lists the elements of the specified policy according to the filter criteria.
READER NOTE
Policy Name is a required parameter to run this command.
Run the List Policies command to obtain the Policy Name. Policy Names can be found in the raw data at the path $.items[*].name.
Input
Input Parameter | Required/Optional | Description | Example |
Policy Name | Required | The name of the policy whose elements are to be retrieved. Policy Name can be obtained using the List Policies command. | NewPolicy1220Importqq |
Element Type | Required | The type of elements to retrieve. | Signatures |
Filter | Optional | The case-sensitive conditions used to filter the policy elements to be retrieved. Refer to the iControl REST User Guide and the OData Basic Tutorial for the OData filter syntax. | enabled eq true and signature/name eq 'location.assign() (Header)' |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Policy Elements failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: List Policies Elements command failed to get policy id. |
Error Sample Data List Policy Elements failed. Status Code: 400. Message: List Policies Elements command failed to get policy id. |
List Policy Signatures
Lists the signatures of the specified policy according to the filter criteria.
READER NOTE
Policy Name is a required parameter to run this command.
Run the List Policies command to obtain the Policy Name. Policy Names can be found in the raw data at the path $.items[*].name.
Input
Input Parameter | Required/Optional | Description | Example |
Policy Name | Required | The name of the policy whose signatures are to be retrieved. Policy Name can be obtained using the List Policies command. | NewPolicy1220Importqq |
Filter | Optional | The case-sensitive conditions used to filter the policy signatures to be retrieved. Refer to the iControl REST User Guide and the OData Basic Tutorial for the OData filter syntax. | enabled eq true and signature/name eq 'location.assign() (Header)' |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Policy Signatures failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: List Policies Signatures command failed to get policy id. |
Error Sample Data List Policy Signatures failed. Status Code: 400. Message: List Policies Signatures command failed to get policy id. |
List Policy Templates
Lists policy templates according to the filter criteria.
Input
Input Parameter | Required/Optional | Description | Example |
Policy Template Name | Optional | The case-sensitive name of the policy template to retrieve. All policy templates containing the entered name will be returned. | EXCHANGE |
Is Deprecated | Optional | Whether to retrieve deprecated or valid policy templates. By default, both deprecated and valid policy templates will be returned. | False |
Filter | Optional | The case-sensitive conditions used to filter the policy templates to be retrieved. Refer to the iControl REST User Guide and the OData Basic Tutorial for the OData filter syntax. | contains(title,'OWA Exchange') |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Policy Templates failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: List Policies Templates command failed to get policy id. |
Error Sample Data List Policy Templates failed. Status Code: 400. Message: List Policies Templates command failed to get policy id. |
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Output Type | Description | Return Data Type |
Return Data | Indicates one of the possible command execution states: Successful or Failed. The Failed state can be triggered by any of the following errors:
You can view more details about an error in the Error tab. | String |
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the F5 Application Security Manager (WAF) portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server Url is not valid in format. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 400. Message: Server Url is not valid in format. |