Reference: iRules


An iRule is a powerful and flexible feature that you can use to configure your systems and manage your network traffic. Using the Tool Command Language (Tcl) syntax, iRules allow you to write simple pieces of code that influence your network traffic in various ways. With iRules, you can add business and application logic to your deployment at the network layer as per your requirements. iRules play a critical role in advancing the flexibility of the BIG-IP Next system and provide a robust mechanism for controlling nearly every aspect of the authentication and access process.

On a BIG-IP device, an iRule is an individual object attached to a virtual server, but on a BIG-IP Next instance, an iRule is an attribute configured with the virtual server. You cannot refer to objects by the names given at creation; they are referenced by the UUID that is auto-generated during object creation. iRules are similar in BIG-IP and BIG-IP Next, with some exceptions to commands and configuration methods.

Refer to iRules for more information. For more information on BIG-IP iRules, see iRules Home.

iRule components

An iRule consists of one or more event declarations, each containing Tcl code that runs when that event occurs. iRules are made up of five basic elements:

  • Events

  • Operators

  • Commands

  • Functions

  • Statements

Refer to the Tcl Reference Manual for details on Tcl built-in commands.


During a connection flow, a series of internal states are reached by that connection. Each of these states equates to an event in the iRule language. Some events are triggered for all connection flows, while others are profile-specific, meaning the event can only be triggered if an associated profile has been applied to the virtual server processing the flow in question. An event is declared using the “when” statement.


Events allow iRules to be broken into logical pieces and run in a non-serial manner. This means that only the code for a specific event runs when that event occurs.


An operator is a token that “operates” on other values. When you compare two values, you use an operator to make the comparison. In addition to the built-in Tcl operators (==, <=, >=, …), you can use operators such as “starts_with,” “contains,” and “ends_with” to act as helpers for common comparisons.


Commands are responsible for the majority of the work within iRules. They allow you to do things like get the URI of an HTTP request (HTTP::uri) or encrypt data with an Advanced Encryption Standard (AES) key (AES::encrypt). In addition to the standard Tcl command set, you can use additional commands that are either global in scope (TCP::client_port, IP::addr, etc.) or specific to a particular profile. Commands account for pretty much every other control structure you can use within Tcl.


Functions are utility commands that, most often, return a value. Functions like “findclass” and “matchclass” assist in Data Group access, while “findstr,” “getfield,” and “substr” assist in working with strings.


Statements are commands that typically don’t return a value. The purpose of a statement is to “do something.” You can use Tcl’s “if” and “switch” statements to perform conditional tests, or you can use the iRules-specific statement “log” to log messages to the system log, or “pool” to assign a load balancing decision to a specified pool of servers.
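The following iRule is an added example, not taken from F5 documentation, that uses each of the five elements in one access-control rule. It assumes an HTTP profile is applied to the virtual server; the pool references and the 10.0.0.0/8 management network are placeholders, and the commands are classic BIG-IP iRules commands, so confirm each one against the BIG-IP Next exceptions mentioned earlier.

```tcl
# Added example: constructed iRule, not from the product documentation.
# Assumptions: HTTP profile on the virtual server (HTTP_REQUEST is a
# profile-specific event); "admin_pool" and "app_pool" are placeholder pool
# references; 10.0.0.0/8 is a constructed management network.

# Event: the code below runs only when an HTTP request has been parsed.
when HTTP_REQUEST {
    # Command + function: HTTP::uri returns the request URI; getfield keeps
    # field 1 of the "?"-separated string, i.e. the path without the query.
    # Lower-casing the path means case variants of "/admin" are also matched.
    set path [string tolower [getfield [HTTP::uri] "?" 1]]

    # Statement + operator: "if" tests the path with the starts_with helper.
    if { $path starts_with "/admin" } {
        # Command: IP::addr compares the client address against a network.
        if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
            # Statement: send permitted admin traffic to its own pool.
            pool admin_pool
        } else {
            # Statement: record the denial. Only the address and port are
            # logged, so no request-supplied text reaches the system log.
            log local0. "Denied admin path request from [IP::client_addr]:[TCP::client_port]"
            HTTP::respond 403 content "Forbidden"
        }
    } else {
        # Everything else goes to the general application pool.
        pool app_pool
    }
}
```

A prefix check like this only covers the literal path as received; the back-end application should still enforce its own authorization for the administrative paths.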

Reference Topics

Here’s a list of some reference information that you can use to help you with all of your iRules needs.