There is a specific section of the AFM config which sets the firewall's global default action; the query below checks that this default action is Drop.
F5 AFM config block to check for:
}
sys db tm.fw.defaultaction {
value "drop"
}
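/**
 * @intent Check that all F5s that are running AFM have the global firewall default action set to drop
 * @description Looks for the `sys db tm.fw.defaultaction` block with the value "drop" in the
 * collected AFM config and reports ERROR when no such block is found.
 *
 * NOTE(review): only devices that have an F5_AFM_CONFIG command output produce a row. An F5
 * whose AFM config was not collected is silently absent from the results rather than flagged,
 * so absence of a device here does not mean it passed.
 * NOTE(review): the match is exact on value "drop". A device where the variable does not
 * appear in the dump at all (e.g. left at a platform default), or is set to any other value,
 * is reported as a violation — confirm that is the intended policy.
 **/
// Note {} have been removed as they can not be included in the pattern.
defaultPattern = ```
sys db tm.fw.defaultaction
value "drop"
```;
foreach device in network.devices
where device.platform.os == OS.F5
foreach command in device.outputs.commands
// Only evaluate the AFM config output; other command outputs on the device are ignored.
where command.commandType == CommandType.F5_AFM_CONFIG
// Parse the raw response into config blocks so the pattern can be matched structurally.
let AFMConfig = parseConfigBlocks(OS.F5, command.response)
let match = blockMatches(AFMConfig, defaultPattern)
// No matching block means the default action is not "drop" (or is not present in the dump).
let violation = length(match) == 0
let DropActionPresent = if violation then withInfoStatus("ERROR", InfoStatus.ERROR) else withInfoStatus("OK", InfoStatus.OK)
select {
name: device.name,
location: device.locationName,
State: DropActionPresent,
violation: violation
}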


