Try SpotterManage application settings for a DOS profile
| "added in version" 1.0.0 of f5networks.f5_modules"
Authors: Wojciech Wypior (@wojtek0806)
Install with ansible-galaxy collection install f5networks.f5_modules:==1.28.0
collections:
- name: f5networks.f5_modules
version: 1.28.0Manages Application settings for an ASM/AFM DOS profile.
- name: Create an ASM dos application profile
bigip_asm_dos_application:
profile: dos_foo
geolocations:
blacklist:
- Afghanistan
- Andora
whitelist:
- Cuba
heavy_urls:
auto_detect: true
latency_threshold: 1000
rtbh_duration: 3600
rtbh_enable: true
single_page_application: true
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
- name: Update an ASM dos application profile
bigip_asm_dos_application:
profile: dos_foo
mobile_detection:
enabled: true
allow_any_ios_package: true
allow_emulators: true
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
- name: Remove an ASM dos application profile
bigip_asm_dos_application:
profile: dos_foo
state: absent
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
state:
choices:
- present
- absent
default: present
description:
- When C(state) is C(present), ensures that the Application object exists.
- When C(state) is C(absent), ensures that the Application object is removed.
type: str
profile:
description:
- Specifies the name of the profile to manage application settings in.
required: true
type: str
provider:
description:
- A dict object containing connection details.
suboptions:
auth_provider:
description:
- Configures the auth provider for to obtain authentication tokens from the remote
device.
- This option is really used when working with BIG-IQ devices.
type: str
no_f5_teem:
default: false
description:
- If C(yes), TEEM telemetry data is not sent to F5.
- You may omit this option by setting the environment variable C(F5_TELEMETRY_OFF).
- Previously used variable C(F5_TEEM) is deprecated as its name was confusing.
type: bool
password:
aliases:
- pass
- pwd
description:
- The password for the user account used to connect to the BIG-IP or the BIG-IQ.
- You may omit this option by setting the environment variable C(F5_PASSWORD).
required: true
type: str
server:
description:
- The BIG-IP host or the BIG-IQ host.
- You may omit this option by setting the environment variable C(F5_SERVER).
required: true
type: str
server_port:
default: 443
description:
- The BIG-IP server port.
- You may omit this option by setting the environment variable C(F5_SERVER_PORT).
type: int
timeout:
description:
- Specifies the timeout in seconds for communicating with the network device for
either connecting or sending commands. If the timeout is exceeded before the
operation is completed, the module will error.
type: int
transport:
choices:
- rest
default: rest
description:
- Configures the transport connection to use when connecting to the remote device.
type: str
user:
description:
- The username to connect to the BIG-IP or the BIG-IQ. This user must have administrative
privileges on the device.
- You may omit this option by setting the environment variable C(F5_USER).
required: true
type: str
validate_certs:
default: true
description:
- If C(no), SSL certificates are not validated. Use this only on personally controlled
sites using self-signed certificates.
- You may omit this option by setting the environment variable C(F5_VALIDATE_CERTS).
type: bool
type: dict
version_added: 1.0.0
version_added_collection: f5networks.f5_modules
partition:
default: Common
description:
- Device partition to manage resources on.
type: str
heavy_urls:
description:
- Manages Heavy URL protection.
- Heavy URLs are a small number of site URLs that might consume considerable server
resources per request.
suboptions:
auto_detect:
description:
- Enables or disables automatic heavy URL detection.
type: bool
exclude:
description:
- Specifies a list of URLs or wildcards to exclude from the heavy URLs.
elements: str
type: list
include:
description:
- Configures additional URLs to include in the heavy URLs that were auto-detected.
elements: dict
suboptions:
threshold:
description:
- Specifies the threshold of requests per second, where the URL in question
is considered under attack.
- The acceptable range is between 1 and 4294967295 inclusive, or C(auto).
type: str
url:
description:
- Specifies the URL to be added to the list of heavy URLs, in addition to
those automatically detected.
required: true
type: str
type: list
latency_threshold:
description:
- Specifies the latency threshold for automatic heavy URL detection.
- The acceptable range is between 0 and 4294967295 miliseconds inclusive.
type: int
type: dict
rtbh_enable:
description:
- Specifies whether to enable Remote Triggered Black Hole C(RTBH) of attacking IPs
by advertising BGP routes.
type: bool
geolocations:
description:
- Manages the geolocations countries whitelist, blacklist.
suboptions:
blacklist:
description:
- A list of countries to be put on the blacklist, must not have overlapping elements
with C(whitelist).
elements: str
type: list
whitelist:
description:
- A list of countries to be put on the whitelist, must not have overlapping elements
with C(blacklist).
elements: str
type: list
type: dict
rtbh_duration:
description:
- Specifies the duration of the RTBH BGP route advertisement, in seconds.
- The acceptable range is between 0 and 4294967295 inclusive.
type: int
trigger_irule:
description:
- When C(true), specifies the system activates an Application DoS iRule event.
type: bool
mobile_detection:
description:
- Configures detection of mobile applications built with the Anti-Bot Mobile SDK and
defines how requests from these mobile application clients are handled.
suboptions:
allow_android_rooted_device:
description:
- When C(true), the device allows traffic from rooted Android devices.
type: bool
allow_any_android_package:
description:
- When C(true), allows any application publisher.
- A publisher is identified by the certificate used to sign the application.
type: bool
allow_any_ios_package:
description:
- When C(true), allows any iOS package.
- A package name is the unique identifier of the mobile application.
type: bool
allow_emulators:
description:
- When C(true), allows traffic from applications run on emulators.
type: bool
allow_jailbroken_devices:
description:
- When C(true), allows traffic from jailbroken iOS devices.
type: bool
android_publishers:
description:
- This option has no effect when C(allow_any_android_package) is set to C(true).
- Specifies the allowed publisher certificates for android applications.
- The publisher certificate needs to be installed on the BIG-IP beforehand.
- The certificate name located on a different partition than the one specified
in the C(partition) parameter needs to be provided in C(full_path) format, e.g.
C(/Foo/cert.crt).
elements: str
type: list
client_side_challenge_mode:
choices:
- pass
- cshui
description:
- Action to take when a CAPTCHA or Client Side Integrity challenge needs to be
presented.
- The mobile application user will not see a CAPTCHA challenge and the mobile
application will not be presented with the Client Side Integrity challenge.
The such options for mobile applications are C(pass) or C(cshui).
- When C(pass) the traffic is passed without incident.
- When C(cshui) the SDK checks for human interactions with the screen in the last
few seconds. If none are detected, the traffic is blocked.
type: str
enabled:
description:
- When C(true), requests from mobile applications built with Anti-Bot Mobile SDK
are detected and handled according to the parameters set.
- When C(false), these requests are handled like any other request which may let
attacks in, or cause false positives.
type: bool
ios_allowed_package_names:
description:
- Specifies the names of iOS packages to allow traffic on.
- This option has no effect when C(allow_any_ios_package) is set to C(true).
elements: str
type: list
type: dict
scrubbing_enable:
description:
- Specifies whether to enable Traffic Scrubbing during attacks by advertising BGP
routes.
type: bool
scrubbing_duration:
description:
- Specifies the duration of the Traffic Scrubbing BGP route advertisement, in seconds.
- The acceptable range is between 0 and 4294967295 inclusive.
type: int
single_page_application:
description:
- When C(true), specifies the system supports a Single Page Applications.
type: bool
geolocations:
contains:
blacklist:
description: A list of countries to be put on the blacklist.
returned: changed
sample:
- Russia
- Germany
type: list
whitelist:
description: A list of countries to be put on the whitelist.
returned: changed
sample:
- United States, United Kingdom
type: list
description: Specifies geolocations countries whitelist, blacklist.
returned: changed
sample: hash/dictionary of values
type: complex
heavy_urls:
contains:
auto_detect:
description: Enables or disables automatic heavy URL detection.
returned: changed
sample: true
type: bool
exclude:
description: Specifies a list of URLs or wildcards to exclude from the heavy
URLs.
returned: changed
sample:
- /exclude.html
- /exclude2.html
type: list
include:
contains:
threshold:
description: The threshold of requests per second.
returned: changed
sample: auto
type: str
url:
description: The URL to be added to the list of heavy URLs.
returned: changed
sample: /include.html
type: str
description: Configures additional URLs to include in the heavy URLs.
returned: changed
sample: hash/dictionary of values
type: complex
latency_threshold:
description: Specifies the latency threshold for automatic heavy URL detection.
returned: changed
sample: 2000
type: int
description: Manages Heavy URL protection.
returned: changed
sample: hash/dictionary of values
type: complex
mobile_detection:
contains:
allow_android_rooted_device:
description: Allows traffic from rooted Android devices.
returned: changed
sample: false
type: bool
allow_any_android_package:
description: Allows any application publisher.
returned: changed
sample: false
type: bool
allow_any_ios_package:
description: Allows any iOS package.
returned: changed
sample: true
type: bool
allow_emulators:
description: Allows traffic from applications run on emulators.
returned: changed
sample: true
type: bool
allow_jailbroken_devices:
description: Allows traffic from jailbroken iOS devices.
returned: changed
sample: false
type: bool
android_publishers:
description: The allowed publisher certificates for android applications.
returned: changed
sample:
- /Common/cert1.crt
- /Common/cert2.crt
type: list
client_side_challenge_mode:
description: Action to take when a CAPTCHA or Client Side Integrity challenge
needs to be presented.
returned: changed
sample: pass
type: str
enable:
description: Enables or disables automatic mobile detection.
returned: changed
sample: true
type: bool
ios_allowed_package_names:
description: The names of iOS packages to allow traffic on.
returned: changed
sample:
- package1
- package2
type: list
description: Configures detection of mobile applications built with the Anti-Bot
Mobile SDK.
returned: changed
sample: hash/dictionary of values
type: complex
rtbh_duration:
description: The duration of the RTBH BGP route advertisement.
returned: changed
sample: 3600
type: int
rtbh_enable:
description: Enables Remote Triggered Black Hole of attacking IPs.
returned: changed
sample: false
type: bool
scrubbing_duration:
description: The duration of the Traffic Scrubbing BGP route advertisement.
returned: changed
sample: 3600
type: int
scrubbing_enable:
description: Enables Traffic Scrubbing during attacks.
returned: changed
sample: true
type: bool
single_page_application:
description: Enables support of Single Page Applications.
returned: changed
sample: false
type: bool
trigger_irule:
description: Activates an Application DoS iRule event.
returned: changed
sample: true
type: bool