Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IQ Network Security (AFM)
Known Affected Versions:
8.0.0.1
Opened: Jul 22, 2021 Severity: 3-Major
Adding a BIG-IP to BIG-IQ and importing AFM with a Protocol Inspection Signature Package fails.
Unable to perform AFM actions on BIG-IQ despite having permissions to do so.
This occurs when you are logged on to BIG-IQ as a user who has permission to perform AFM actions (for example, a Network Security Manager) and try to upload (import) a BIG-IP AFM Protocol Inspection Signature package from a local disk on BIG-IQ.
Administrators are able to perform this action normally, so that is a workaround in itself. However, to fix the permissions for impacted (non-admin) users, follow these steps:

1. Create a new metadata file via the CLI, edit its content, and restart services.

   # cd /var/config/rest/metadata/
   # cp cm.firewall.upload-signature-file.json cm.firewall.upload-signature-file.~.json

   Edit the copy so that its header reads as follows (the uriPath ends in "/*" and the itemKind ends in ":~"):

   # head -n5 /var/config/rest/metadata/cm.firewall.upload-signature-file.~.json
   {
     "uriPath": "/cm/firewall/upload-signature-file/*",
     "itemKind": "cm:firewall:upload-signature-file:~",
     "module": "firewall",
     "category": "other",

   # bigstart restart restjavad

2. Create a new temporary role type via the CLI and edit its content.

   # restcurl /shared/authorization/role-types/c1ae1318-b364-3193-b28e-04c437eebcf8 | jq 'del(.permissions,.id,.selfLink,.generation,.lastUpdateMicros)' > /var/tmp/myrole

   Edit /var/tmp/myrole so that it contains the following:

   # cat /var/tmp/myrole | jq .
   {
     "kind": "shared:authorization:role-types:roletypestate",
     "name": "WorkaroundRoleType_Name",
     "isPublic": true,
     "isBuiltIn": false,
     "description": "Perform all tasks associated with Network Security, including areas involved in creating, viewing, modifying, and deleting shared and firewall-specific security objects.",
     "displayName": "WorkaroundRoleType_DisplayName",
     "createdMicros": 0,
     "permissions": [
       {
         "actions": [ "read", "edit", "create", "delete" ],
         "itemKind": "cm:firewall:upload-signature-file:~"
       },
       {
         "actions": [ "read", "edit", "create", "delete" ],
         "itemKind": "cm:firewall:upload-signature-file"
       }
     ]
   }

   # curl -X POST -d @/var/tmp/myrole -H 'content-type: application/json' -su admin: localhost:8100/shared/authorization/role-types/ -o /var/tmp/final -v

3. Create a new temporary resource group "WorkgroundResGroup" via the GUI and edit its content on the CLI.

   # restcurl /shared/authorization/patch-resource-groups -X POST -d '{
     "resourceGroupName": "WorkgroundResGroup",
     "resourceGroupDisplayName": "WorkgroundResGroup",
     "resourceGroupDescription": "",
     "referenceExpressionsPatches": [
       {
         "targetKind": "cm:firewall:upload-signature-file:~",
         "referenceExpressions": [
           {
             "name": "All Instances",
             "description": "All existing and future objects of this type.",
             "expression": "/cm/firewall/upload-signature-file/*"
           }
         ]
       }
     ]
   }'

4. Create a new temporary role (combining the role type and the resource group) via the GUI:

   role name: WorkgroundRole
   res grp:   WorkgroundResGroup
   role type: WorkaroundRoleType_DisplayName
   role mode: strict

5. Add WorkgroundRole to the impacted user account(s) on BIG-IQ.

The above steps will fix the missing permissions.
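The following is an added illustration, not F5 code, of the permission chain the workaround assembles: a role type (actions per itemKind), a resource group (objects per targetKind), a role that pairs the two, and a user who holds that role. How BIG-IQ actually evaluates RBAC is an assumption here, the content of the original cm.firewall.upload-signature-file.json is a constructed stand-in (the page only shows the edited copy), and the "before" role is a constructed Network Security Manager lookalike that covers only the base itemKind. The point it makes is why a user with AFM rights was still denied: nothing granted the ":~" wildcard kind until the new role did.

```python
"""Simplified model of the BIG-IQ role type / resource group / role chain.
Added example, not F5 code. The evaluation rule in is_allowed() is an
assumption; ORIGINAL_METADATA and the "before" role are constructed."""
import copy
import fnmatch

BASE_KIND = "cm:firewall:upload-signature-file"
WILDCARD_KIND = BASE_KIND + ":~"          # itemKind used by the wildcard metadata file
ALL_ACTIONS = ("read", "edit", "create", "delete")

# Constructed stand-in for cm.firewall.upload-signature-file.json (assumed content).
ORIGINAL_METADATA = {
    "uriPath": "/cm/firewall/upload-signature-file",
    "itemKind": BASE_KIND,
    "module": "firewall",
    "category": "other",
}


def derive_wildcard_metadata(meta):
    """Step 1: the '~' copy, with a wildcard uriPath and a ':~' itemKind."""
    derived = copy.deepcopy(meta)
    derived["uriPath"] = meta["uriPath"].rstrip("/") + "/*"
    derived["itemKind"] = meta["itemKind"] + ":~"
    return derived


def build_role_type(name, item_kinds, actions=ALL_ACTIONS):
    """Step 2: role-type payload granting `actions` on each itemKind."""
    return {
        "kind": "shared:authorization:role-types:roletypestate",
        "name": name,
        "displayName": name,
        "isPublic": True,
        "isBuiltIn": False,
        "permissions": [{"actions": list(actions), "itemKind": k} for k in item_kinds],
    }


def build_resource_group(name, target_kind, expression):
    """Step 3: resource group mapping a targetKind to a URI expression."""
    return {
        "resourceGroupName": name,
        "resourceGroupDisplayName": name,
        "referenceExpressionsPatches": [{
            "targetKind": target_kind,
            "referenceExpressions": [{
                "name": "All Instances",
                "description": "All existing and future objects of this type.",
                "expression": expression,
            }],
        }],
    }


def build_role(name, role_type, resource_group):
    """Step 4: a role pairs one role type with one resource group."""
    return {"name": name, "roleType": role_type,
            "resourceGroup": resource_group, "roleMode": "strict"}


def is_allowed(user_roles, action, item_kind, uri):
    """Assumed rule: some role must grant `action` on `item_kind` in its role
    type AND its resource group must name the URI (glob match) for that kind."""
    for role in user_roles:
        perms = role["roleType"]["permissions"]
        if not any(p["itemKind"] == item_kind and action in p["actions"] for p in perms):
            continue
        for patch in role["resourceGroup"]["referenceExpressionsPatches"]:
            if patch["targetKind"] != item_kind:
                continue
            if any(fnmatch.fnmatchcase(uri, e["expression"]) for e in patch["referenceExpressions"]):
                return True
    return False


def workaround_demo():
    """Returns (allowed_before, allowed_after) for a non-admin user's upload."""
    wildcard_meta = derive_wildcard_metadata(ORIGINAL_METADATA)
    # Constructed "before": the user's existing role covers only the base itemKind.
    before_role = build_role(
        "NetworkSecurityManager(constructed)",
        build_role_type("NSM-Type", [BASE_KIND]),
        build_resource_group("NSM-Group", BASE_KIND, ORIGINAL_METADATA["uriPath"]),
    )
    # Workaround role from steps 2-4: grants both kinds, scoped to the wildcard path.
    fix_role = build_role(
        "WorkgroundRole",
        build_role_type("WorkaroundRoleType_Name", [WILDCARD_KIND, BASE_KIND]),
        build_resource_group("WorkgroundResGroup", WILDCARD_KIND, wildcard_meta["uriPath"]),
    )
    # Constructed upload URI under the wildcard path.
    upload_uri = "/cm/firewall/upload-signature-file/protocol-inspection-signatures.tgz"
    before = is_allowed([before_role], "create", wildcard_meta["itemKind"], upload_uri)
    after = is_allowed([before_role, fix_role], "create", wildcard_meta["itemKind"], upload_uri)
    return before, after


if __name__ == "__main__":
    before, after = workaround_demo()
    print("allowed before workaround:", before, "| after:", after)
```

Run stand-alone, the script reports False before the workaround role is attached and True after it, which mirrors the symptom on the page. The role-type and resource-group builders emit the same shape as the payloads in steps 2 and 3, so the same check can be pointed at an exported role definition to confirm it covers both the base itemKind and the ":~" wildcard kind before handing it to a non-admin user.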
None