PEM::Policy

Introduced : BIG-IP_v11.4.0
The Policy interface enables you to work with attributes for policies. You can use this policy component to configure the policy definitions on the Policy Enforcement Manager. A policy is a set of rules which are used to match traffic flow and apply actions. A rule has filters and actions configuration. All configured filters must match before the actions can be applied to the traffic flow.

Methods

Method Description Introduced
add_classification_filter Adds a set of classification filters for the specified rules. No more than 100,000 entries is supported in one call. For example, 100 policies, each policy has 100 rules, and each rule has 10 classification filters, then there are total 100,000 filters. If there are more than 100,000 entries, call this function more than once. BIG-IP_v11.4.0
add_flow_info_filter Adds a set of flow info filters for the specified rules. No more than 100,000 entries is supported in one call. For example, 100 policies, each policy has 100 rules, and each rule has 10 flow info filters, then there are total 100,000 filters. If there are more than 100,000 entries, call this function more than once. BIG-IP_v11.4.0
add_rule Adds a set of rules for the specified policies. BIG-IP_v11.4.0
create Creates a set of PEM policies. BIG-IP_v11.4.0
delete_all_policies Deletes all user defined policies. BIG-IP_v11.4.0
delete_policy Deletes the specified policies. BIG-IP_v11.4.0
get_classification_filter Gets a set of classification filters for the specified rules. BIG-IP_v11.4.0
get_classification_filter_application Gets the applications for the specified classification filters. BIG-IP_v11.4.0
get_classification_filter_category Gets the categories for the specified classification filters. BIG-IP_v11.4.0
get_classification_filter_operation_type Gets the filter operation types for the specified classification filters. BIG-IP_v11.4.0
get_description Gets the descriptions for a set of policies. BIG-IP_v11.4.0
get_enabled_state Gets the states indicating if the specified policies are enabled or disabled. BIG-IP_v11.4.0
get_flow_info_filter Gets a set of flow info filters for the specified rules. The flow info filter defines the flow conditions (Layer 4) that the traffic should meet (or not meet) for this enforcement policy rule to apply. BIG-IP_v11.4.0
get_flow_info_filter_destination_ip Gets the destination IP address/netmasks for the specified flow info filters. BIG-IP_v11.4.0
get_flow_info_filter_destination_port Gets the destination ports for the specified flow info filters. BIG-IP_v11.4.0
get_flow_info_filter_dscp_code Gets the DSCP codes for the specified flow info filters. BIG-IP_v11.4.0
get_flow_info_filter_from_vlan Gets the from-vlans for the specified flow info filters. BIG-IP_v11.4.0
get_flow_info_filter_l2_endpoint_type Gets the L2 endpoint types for the specified flow info filters. BIG-IP_v11.4.0
get_flow_info_filter_operation_type Gets the filter operation types for the specified flow info filters. BIG-IP_v11.4.0
get_flow_info_filter_protocol_type Gets the protocol types for the specified flow info filters. BIG-IP_v11.4.0
get_flow_info_filter_source_ip Gets the source IP address/netmasks for the specified flow info filters. BIG-IP_v11.4.0
get_flow_info_filter_source_port Gets the source ports for the specified flow info filters. BIG-IP_v11.4.0
get_list Gets a list of all policies. BIG-IP_v11.4.0
get_rule Gets a set of rules for the specified policies. A set of rules form a policy. These rules are used to match traffic flow and apply actions. A rule has filters and actions configuration. All configured filters must match before the actions can be applied to the traffic flow. BIG-IP_v11.4.0
get_rule_downlink_volume_threshold Gets the volume threshold in downlink traffic, in octets, for the specified rules. BIG-IP_v11.4.0
get_rule_dscp_marking_downlink Gets the types of DSCP markings in downlink traffic for the specified rules. BIG-IP_v11.4.0
get_rule_dscp_marking_uplink Gets the types of DSCP markings in uplink traffic for the specified rules. BIG-IP_v11.4.0
get_rule_forwarding_action_type Gets the forwarding action types for the specified rules. BIG-IP_v11.5.0
get_rule_forwarding_endpoint Gets the forwarding endpoints for the specified rules. BIG-IP_v11.4.0
get_rule_gate_state Gets the gate status states for the specified rules. BIG-IP_v11.4.0
get_rule_gx_monitoring_key Gets the Gx monitoring keys for the specified rules. BIG-IP_v11.4.0
get_rule_hsl_endpoint Gets the HSL endpoints for the specified rules. BIG-IP_v11.4.0
get_rule_hsl_format_script Gets the HSL format scripts for the specified rules. BIG-IP_v11.4.0
get_rule_http_redirect Gets the http redirects for the specified rules. BIG-IP_v11.4.0
get_rule_intercept Gets the intercepts for the specified rules. BIG-IP_v11.4.0
get_rule_internal_virtual_server Gets the internal virtual servers for the specified rules. BIG-IP_v11.5.0
get_rule_interval Gets the intervals for the specified rules. BIG-IP_v11.4.0
get_rule_l2_marking_downlink_level Gets the L2 marking levels in downlink traffic for the specified rules. BIG-IP_v11.4.0
get_rule_l2_marking_uplink_level Gets the L2 marking levels in uplink traffic for the specified rules. BIG-IP_v11.4.0
get_rule_modify_http_header_name Gets the modify HTTP header names for the specified rules. BIG-IP_v11.5.0
get_rule_modify_http_header_operation Gets the modify HTTP header operations for the specified rules. BIG-IP_v11.5.0
get_rule_modify_http_header_value_content Gets the modify HTTP header value contents for the specified rules. BIG-IP_v11.5.0
get_rule_modify_http_header_value_type Gets the modify HTTP header value types for the specified rules. BIG-IP_v11.5.0
get_rule_precedence Gets the precedences for the specified rules. BIG-IP_v11.4.0
get_rule_qos_rate_pir_downlink Gets the QoS rate for Peak Information Rate (PIR) in downlink traffic for the specified rules. BIG-IP_v11.4.0
get_rule_qos_rate_pir_uplink Gets the QoS rate for Peak Information Rate (PIR) in uplink traffic for the specified rules. BIG-IP_v11.4.0
get_rule_report_granularity Gets the report granularity types for the specified rules. BIG-IP_v11.4.0
get_rule_service_chain Gets the service chains for the specified rules. BIG-IP_v11.4.0
get_rule_sub_policy_downlink Gets the QoS rate control sub-policies in downlink traffic for the specified rules. BIG-IP_v11.4.0
get_rule_sub_policy_uplink Gets the QoS rate control sub-policies in uplink traffic for the specified rules. BIG-IP_v11.4.0
get_rule_tcl_filter Gets the tcl-filters for the specified rules. BIG-IP_v11.4.0
get_rule_total_volume_threshold Gets the volume total octets for the specified rules. BIG-IP_v11.4.0
get_rule_uplink_volume_threshold Gets the volume threshold in uplink traffic, in octet, for the specified rules. BIG-IP_v11.4.0
get_version Gets the version information for this interface. BIG-IP_v11.4.0
remove_all_classification_filters Removes all classification filters for the specified rules. BIG-IP_v11.4.0
remove_all_flow_info_filters Removes all flow info filters for the specified rules. BIG-IP_v11.4.0
remove_all_rules Removes all rules for the specified policies. BIG-IP_v11.4.0
remove_classification_filter Removes a set of classification filters for the specified rules. BIG-IP_v11.4.0
remove_flow_info_filter Removes a set of flow info filters for the specified rules. BIG-IP_v11.4.0
remove_rule Removes a set of rules for the specified policies. BIG-IP_v11.4.0
set_classification_filter_application Sets the applications for the specified classification filters. This specifies the application that the rule applies to the traffic. The default value is empty string (no application). BIG-IP_v11.4.0
set_classification_filter_category Sets the categories for the specified classification filters. This specifies the category of applications where the rule applies to the traffic. The default value is empty string (no category). BIG-IP_v11.4.0
set_classification_filter_operation_type Sets the filter operation types for the specified classification filters. A filter operation type specifies whether the rule applies to traffic that matches (match) or does not match (nomatch) the traffic flow defined here. The options are match and nomatch. The default value is match. BIG-IP_v11.4.0
set_description Sets the descriptions for a set of policies. BIG-IP_v11.4.0
set_enabled_state Sets the states indicating if the specified policies are enabled or disabled. BIG-IP_v11.4.0
set_flow_info_filter_destination_ip Sets the destination IP address/netmasks for the specified flow info filters. They specify the destination IP address/netmask of the network you want the rule to affect. The default value is 0.0.0.0/0. BIG-IP_v11.4.0
set_flow_info_filter_destination_port Sets the destination ports for the specified flow info filters. A destination port specifies the destination port of the network you want the rule to affect. The default value is any (value 0). BIG-IP_v11.4.0
set_flow_info_filter_dscp_code Sets the DSCP code types for the specified flow info filters. A DSCP code specifies the value of DSCP code which matches incoming traffic based on a value in the DSCP field in the IP header. The range is 0 to 63, or disabled (value 64). The default value is disabled, indicating that the DSCP code will not be used to filter the packet in the flow info filter. BIG-IP_v11.4.0
set_flow_info_filter_from_vlan Sets the from-vlans for the specified flow info filters. A from-vlan specifies the name of the source vlan to match the ingress flow arriving from that vlan. BIG-IP_v11.4.0
set_flow_info_filter_l2_endpoint_type Sets the L2 endpoint (vlan tag) types for the specified flow info filters. The default value is disabled. BIG-IP_v11.4.0
set_flow_info_filter_operation_type Sets the filter operation types for the specified flow info filters. A filter operation type specifies whether the rule applies to traffic that matches (match) or does not match (nomatch) the traffic flow defined here. The options are match and nomatch. The default value is match. BIG-IP_v11.4.0
set_flow_info_filter_protocol_type Sets the protocol types for the specified flow info filters. A protocol type specifies the protocol that this rule applies to. The options are any, tcp, and udp. The default value is any. BIG-IP_v11.4.0
set_flow_info_filter_source_ip Sets the source IP address/netmasks for the specified flow info filters. They specify the source IP address/netmask of the network you want the rule to affect. The default value is 0.0.0.0/0. BIG-IP_v11.4.0
set_flow_info_filter_source_ip_and_destination_ip Sets the source IP address/netmasks and destination IP address/netmasks for the specified flow info filters. If either source or destination address family needs to be changed, this method provides a convenient way to change both. This method is a convenience to allow you to avoid using a transaction, because both source IP and destination IP must be the same type, either both IPv4 or both IPv6. (Either a transaction or this method are good ways of satisfying this validation). BIG-IP_v11.4.0
set_flow_info_filter_source_port Sets the source ports for the specified flow info filters. A source port specifies the source port of the network you want the rule to affect. The default value is any (value 0). BIG-IP_v11.4.0
set_rule_downlink_volume_threshold Sets the volume threshold in downlink traffic, in octets, for the specified rules. The report is generated if the amount of octets in downlink traffic exceeds the threshold. The default value is 0 which indicates this feature is disabled. If the reporting destination is set, at least one of the following reporting properties must be set to non-zero: uplink octets, downlink octets, total octets (sum of the previous two), and/or interval. If any one of these thresholds is met, the report will be generated. If multiple thresholds are met, reports will be generated for all of them. For example, if interval is set to 5 seconds, uplink octets volume threshold is set to 8, and total octets volume threshold is set to 10, then reports will be generated every 5 seconds, when uplink octets reach 8, and when total octets reach 10. BIG-IP_v11.4.0
set_rule_dscp_marking_downlink Sets the types of DSCP markings in downlink traffic for the specified rules. This specifies the action to modify the DSCP code in the downlink packet when the traffic flow matches the rule matching criteria. The range is 0 to 63, or pass-through (value 64). The default value is pass-through, indicating the DSCP code of the downlink packet will not be changed when the traffic flow matches the rule. BIG-IP_v11.4.0
set_rule_dscp_marking_uplink Sets the types of DSCP markings in uplink traffic for the specified rules. This specifies the action to modify the DSCP code in the uplink packet when the traffic flow matches the rule matching criteria. The range is 0 to 63, or pass-through (value 64). The default value is pass-through, indicating the DSCP code of the uplink packet will not be changed when the traffic flow matches the rule. BIG-IP_v11.4.0
set_rule_forwarding_action_type Sets the forwarding action types for the specified rules. Specifies the forwarding action type. Depending on the type flow is steered to icap server, forwarding endpoint or to the network. BIG-IP_v11.5.0
set_rule_forwarding_endpoint Sets the forwarding endpoints for the specified rules. A forwarding endpoint specifies where to send the traffic. BIG-IP_v11.4.0
set_rule_gate_state Sets the gate status states for the specified rules. This specifies whether the traffic passes through the system. If gate status is enabled, then the traffic passes through the system. If gate status is disabled, then the traffic is not allowed to pass through. The default value is enabled. BIG-IP_v11.4.0
set_rule_gx_monitoring_key Sets the Gx monitoring keys for the specified rules. The Gx monitoring key is used for usage monitoring of the service data that the enforcement policy rule or dynamic policy and charging control (PCC) rule controls. BIG-IP_v11.4.0
set_rule_hsl_endpoint Sets the HSL endpoints for the specified rules. An HSL endpoint specifies the server or pool of remote HSL servers to send the logs. BIG-IP_v11.4.0
set_rule_hsl_format_script Sets the HSL format scripts for the specified rules. An HSL format script allows you to report usage data to an external analytics server. BIG-IP_v11.4.0
set_rule_http_redirect Sets the http redirects for the specified rules. An http redirect specifies the URL where the traffic affected by this rule should be redirected to. The default value is empty string (no http redirect). BIG-IP_v11.4.0
set_rule_intercept Sets the intercepts for the specified rules. An intercept specifies the traffic that subscribers are trying to send. BIG-IP_v11.4.0
set_rule_internal_virtual_server Sets the internal virtual servers for the specified rules. Specifies the internal virtual server name if the type selected is icap. BIG-IP_v11.5.0
set_rule_interval Sets the intervals for the specified rules. An interval specifies the time interval in seconds when the report is generated. The default value is 0 which indicates this feature is disabled. If the reporting destination is set, at least one of the following reporting properties must be set to non-zero: uplink octets, downlink octets, total octets (sum of the previous two), and/or interval. If any one of these thresholds is met, the report will be generated. If multiple thresholds are met, reports will be generated for all of them. For example, if interval is set to 5 seconds, uplink octets volume threshold is set to 8, and total octets volume threshold is set to 10, then reports will be generated every 5 seconds, when uplink octets reach 8, and when total octets reach 10. BIG-IP_v11.4.0
set_rule_l2_marking_downlink_level Sets the L2 marking levels in downlink traffic for the specified rules. This sets Layer-2 Quality of Service Marking in downlink traffic that matches a rule. Setting an L2 QoS Marking affects the packet delivery priority. The range is 0 to 7, or pass-through (value 8). The default value is pass-through, indicating the L2 QoS Marking of the packet will not be changed when the packet matches the rule. BIG-IP_v11.4.0
set_rule_l2_marking_uplink_level Sets the L2 marking levels in uplink traffic for the specified rules. This sets Layer-2 Quality of Service Marking in uplink traffic that matches a rule. Setting an L2 QoS marking affects the packet delivery priority. The range is 0 to 7, or pass-through (value 8). The default value is pass-through, indicating the L2 QoS Marking of the packet will not be changed when the packet matches the rule. BIG-IP_v11.4.0
set_rule_modify_http_header_name Sets the modify HTTP header names for the specified rules. Specifies the HTTP header name to insert or remove in an HTTP request that matches the policy rule. BIG-IP_v11.5.0
set_rule_modify_http_header_operation Sets the modify HTTP header operations for the specified rules. Specifies the type of operation used to modify an HTTP request header when the action is applied to traffic that matches the policy rule. The default value is none. BIG-IP_v11.5.0
set_rule_modify_http_header_value_content Sets the modify HTTP header value contents for the specified rules. Specifies the HTTP header value content used to modify the HTTP header. Based on the selected “Value Type” option, the “Value Content” format will be interpreted either as a string or a TCL snippet. Note: This field is applicable only when the “Operation” option is set to insert. BIG-IP_v11.5.0
set_rule_modify_http_header_value_type Sets the modify HTTP header value types for the specified rules. Specifies the data type used in the “Value Content” field. The options are string and tcl-snippet. If the string option is selected, the data entered in the “Value Content” field is interpreted as a literal string. If the tcl-snippet option is selected, the data entered in the “Value Content” field is interpreted as a TCL snippet. The default value is string. BIG-IP_v11.5.0
set_rule_precedence Sets the precedences for the specified rules. A precedence specifies the precedence for the rule in relation to the other rules. The range is 1 to 4294967295 where 1 has the highest precedence. A rule with higher precedence is evaluated before other rules with lower precedence. It is mandatory to specify precedence when creating a rule in a policy. BIG-IP_v11.4.0
set_rule_qos_rate_pir_downlink Sets the QoS rate for Peak Information Rate (PIR) in downlink traffic for the specified rules. This specifies the configured bandwidth control policy for Peak Information Rate (PIR) to apply to downlink traffic that matches this rule. An empty string specifies that there is no QoS rate for PIR in downlink traffic for this rule. BIG-IP_v11.4.0
set_rule_qos_rate_pir_uplink Sets the QoS rate for Peak Information Rate (PIR) in uplink traffic for the specified rules. This specifies the configured bandwidth control policy for Peak Information Rate (PIR) to apply to uplink traffic that matches this rule. An empty string specifies that there is no QoS rate for PIR in uplink traffic for this rule. BIG-IP_v11.4.0
set_rule_report_granularity Sets the report granularity types for the specified rules. The default value is session. BIG-IP_v11.4.0
set_rule_service_chain Sets the service chains for the rules. The service chain is essentially a list of endpoints for traffic to stop at on its way to the server it is headed to. BIG-IP_v11.4.0
set_rule_sub_policy_downlink Sets the QoS rate control sub-policies in downlink traffic for the specified rules. A sub-policy specifies a category in downlink traffic within the bandwidth control policy; the rule is applied to the specified category. This option provides more specific rate control to a certain type in downlink traffic. The category must be defined in the specified bandwidth control policy. The default value is Disabled, meaning that rate control applies to all downlink traffic that matches the rule. BIG-IP_v11.4.0
set_rule_sub_policy_uplink Sets the QoS rate control sub-policies in uplink traffic for the specified rules. A sub-policy specifies a category in uplink traffic within the bandwidth control policy; the rule is applied to the specified category. This option provides more specific rate control to a certain type in uplink traffic. The category must be defined in the specified bandwidth control policy. The default value is Disabled, meaning that rate control applies to all uplink traffic that matches the rule. BIG-IP_v11.4.0
set_rule_tcl_filter Sets the tcl-filters for the specified rules. A tcl-filter specifies the tcl expression which uses iRule commands to filter the packet. It is a match if tcl-filter returns TRUE/1 or nomatch if FALSE/0. All configured filters (flow-info-filters, classification-filters, and tcl-filter) must match before rule actions are applied. For example, to classify traffic as xxx_app, a custom classification application that you created, you can use this iRule: when HTTP_REQUEST { if { [HTTP::header “Host”] contains “xxx” } { CLASSIFY::application set xxx_app } } BIG-IP_v11.4.0
set_rule_total_volume_threshold Sets the volume threshold, in total octets, for the specified rules. The report is generated if the amount of total octets exceeds the threshold. The default value is 0 which indicates this feature is disabled. If the reporting destination is set, at least one of the following reporting properties must be set to non-zero: octets uplink, octets downlink, total octets (sum of the previous two), and/or interval. If any one of these thresholds is met, the report will be generated. If multiple thresholds are met, reports will be generated for all of them. For example, if interval is set to 5 seconds, octets uplink volume threshold is set to 8, and total octets volume threshold is set to 10, then reports will be generated every 5 seconds, when octets uplink reach 8, and when total octets reach 10. BIG-IP_v11.4.0
set_rule_uplink_volume_threshold Sets the volume threshold in uplink traffic, in octets, for the specified rules. The report is generated if the amount of octets in uplink traffic exceeds the threshold. The default value is 0 which indicates this feature is disabled. If the reporting destination is set, at least one of the following reporting properties must be set to non-zero: uplink octets, downlink octets, total octets (sum of the previous two), and/or interval. If any one of these thresholds is met, the report will be generated. If multiple thresholds are met, reports will be generated for all of them. For example, if interval is set to 5 seconds, uplink octets volume threshold is set to 8, and total octets volume threshold is set to 10, then reports will be generated every 5 seconds, when uplink octets reach 8, and when total octets reach 10. BIG-IP_v11.4.0

Structures

Structure Description

Enumerations

Enumeration Description
FilterOperationType The options match and nomatch indicate the traffic flow must match or not match the condition specified in the classification filter or flow info filter.
ForwardingActionType Describes the forwarding action type. Depending on the type chosen flow can be steered to icap server, forwarding endpoint or to the network.
GateStatusType Specifies whether the traffic can pass through the system without being changed. The options are enabled and disabled.
L2EndpointType Specifies an L2 endpoint type to be used when matching the traffic flows. You can configure the following options: disabled, where flows are not matched based on the L2 endpoint specification; and vlan, where the vlan name specified in from-vlan is used to match the traffic flows.
ModifyHTTPHeaderOperationType Specifies the type of operation used to modify an HTTP request header when the action is applied to traffic that matches the policy rule.
ModifyHTTPHeaderValueType Specifies the data type entered in the “Value Content” field.
ProtocolType Specifies the protocol that this rule applies to. The options are any, tcp, and udp.
ReportGranularityType Specifies the type of report that is generated when the policy applies. The options are session and flow. The session option logs details about subscribers and application sessions, whereas the flow option provides more granular reporting of every TCP connection.

Exceptions

Exception Description

Constants

Constant Type Value Description

Aliases

Alias Type Description
FilterOperationTypeSequence FilterOperationType [] A sequence of filter operation types.
FilterOperationTypeSequenceSequence FilterOperationType [] [] A sequence of sequence of filter operation types.
FilterOperationTypeSequenceSequenceSequence FilterOperationType [] [] [] A sequence of sequence of sequence of filter operation types.
ForwardingActionTypeSequence ForwardingActionType [] A sequence of forwarding action types.
ForwardingActionTypeSequenceSequence ForwardingActionType [] [] A sequence of sequence of forwarding action types.
ForwardingActionTypeSequenceSequenceSequence ForwardingActionType [] [] [] A sequence of sequence of sequence of forwarding action types.
GateStatusTypeSequence GateStatusType [] A sequence of gate status types.
GateStatusTypeSequenceSequence GateStatusType [] [] A sequence of sequence of gate status types.
L2EndpointTypeSequence L2EndpointType [] A sequence of L2 endpoint types.
L2EndpointTypeSequenceSequence L2EndpointType [] [] A sequence of sequence of L2 endpoint types.
L2EndpointTypeSequenceSequenceSequence L2EndpointType [] [] [] A sequence of sequence of sequence of L2 endpoint types.
ModifyHTTPHeaderOperationTypeSequence ModifyHTTPHeaderOperationType [] A sequence of modify HTTP header operation types.
ModifyHTTPHeaderOperationTypeSequenceSequence ModifyHTTPHeaderOperationType [] [] A sequence of sequence of modify HTTP header operation types.
ModifyHTTPHeaderOperationTypeSequenceSequenceSequence ModifyHTTPHeaderOperationType [] [] [] A sequence of sequence of sequence of modify HTTP header operation types.
ModifyHTTPHeaderValueTypeSequence ModifyHTTPHeaderValueType [] A sequence of modify HTTP header value types.
ModifyHTTPHeaderValueTypeSequenceSequence ModifyHTTPHeaderValueType [] [] A sequence of sequence of modify HTTP header value types.
ModifyHTTPHeaderValueTypeSequenceSequenceSequence ModifyHTTPHeaderValueType [] [] [] A sequence of sequence of sequence of modify HTTP header value types.
ProtocolTypeSequence ProtocolType [] A sequence of protocol types.
ProtocolTypeSequenceSequence ProtocolType [] [] A sequence of sequence of protocol types.
ProtocolTypeSequenceSequenceSequence ProtocolType [] [] [] A sequence of sequence of sequence of protocol types.
ReportGranularityTypeSequence ReportGranularityType [] A sequence of report granularity types.
ReportGranularityTypeSequenceSequence ReportGranularityType [] [] A sequence of sequence of report granularity types.

See Also

Warning

The links to the sample code below are remnants of the old DevCentral wiki and will result in a 404 error. For best results, please copy the link text and search the codeshare directly on DevCentral.

Sample Code


The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.