ltm policy
ltm policy(1) BIG-IP TMSH Manual ltm policy(1)
NAME
policy - Configures a policy for Centralized Policy Manager.
MODULE
ltm
SYNTAX
Create or modify LTM Policies within the ltm module, using the syntax shown in the following sections.
Policies exist in two forms, draft and published. Only draft policies can be modified, and only published policies can be
applied to a virtual server. A draft policy can be turned into a published policy using the publish command. A draft copy
can be obtained from a published policy using modify [name] create-draft. Draft policies are placed in a Drafts folder.
For additional details, refer to Local Traffic Policy documentation on the AskF5 knowledge base at http://support.f5.com.
CREATE/MODIFY
create policy Drafts/[name]
modify policy Drafts/[name]
options:
strategy [STRING | none]
copy-from [name | Drafts/name]
create-draft
rules [add | delete | modify | replace-all-with] {
STRING {
ordinal NUMBER |
app-service STRING |
conditions [add | delete | modify | replace-all-with] {
NUMBER { CONDITION_SPEC [[CONDITION_SPEC] ...] }
} |
actions [add | delete | modify | replace-all-with] {
NUMBER { ACTION_SPEC [[ACTION_SPEC] ...] }
}
}
}
[controls [add | delete | modify | replace-all-with] {
CONTROLS_ASPECT [[CONTROLS_ASPECT] ...]
}]
[requires [add | delete | modify | replace-all-with] {
REQUIRES_ASPECT [[REQUIRES_ASPECT] ...]
}]
PUBLISH
publish policy name
DISPLAY
list policy
list policy [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
show policy
show policy [name]
options:
all-properties
(default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
detail
field-fmt
DELETE
delete policy [name]
Note: Before a policy can be deleted, it must be removed from all virtual servers holding a reference to it.
DESCRIPTION
An LTM Policy is a set of rules which can be attached to a virtual server to efficiently process traffic. Similar in
concept to iRules, Policies can inspect requests and responses, and perform programmed actions.
The controls and requires aspects for a policy are automatically set by the system based on an inspection of the conditions
and actions specified in LTM Policy rules. Users should not specify either of these.
EXAMPLES
create policy Drafts/my_policy
strategy my_strategy
Creates a Local Traffic Manager policy in the Drafts folder named my_policy. The strategy determining policy actions is
my_strategy. Draft policies may be modified, but cannot be applied to a virtual server until they are published.
create ltm policy Drafts/new_policy copy-from published_policy
create ltm policy Drafts/new_policy copy-from Drafts/old_policy
Creates a Local Traffic Manager policy based on an existing published policy, and from an existing draft policy,
respectively.
modify ltm policy new_policy create-draft
Creates a draft policy of an existing published policy.
publish ltm policy Drafts/my_policy
Takes a policy that was created or modified in the Drafts folder, and publishes it. Published policies can then be applied
to a virtual server.
delete policy my_policy
Deletes the policy named my_policy.
show policy
Displays statistics and status for all Local Traffic Manager policies in the system configuration.
show policy all-properties
Displays statistics and status for all Local Traffic Manager policies in the system configuration.
Note that if the system includes Packet Velocity® ASIC (PVA) and PVA Assist capabilities, this command displays status
and statistics for that feature.
list policy my_policy
Displays properties of the policy named my_policy.
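The commands above each show one step of the draft-to-publish workflow in isolation. The following sequence, added here as
an illustration and not taken from this manual, strings the steps together with a rule body so that the rules, conditions,
actions and comparison syntax from later sections can be seen in context. The policy name (block_admin_paths), rule names,
virtual server (vs_www), path prefixes, the 10.0.0.0/8 management range and the redirect target are all assumed for the
example; first-match is one of the policy strategies the system ships with. The tcp address condition uses the matches
operator in the same form as the tcp examples in CONDITION_SPEC, here with a CIDR block, which is an assumption.

```tmsh
# 1. Create a draft. Drafts can be edited but cannot be attached to a virtual server.
create ltm policy Drafts/block_admin_paths strategy first-match

# 2. Add two rules. Conditions inside one rule must all hold for the rule to match; with the
#    first-match strategy the first matching rule (lowest ordinal) wins and later rules are skipped.
#    "requires {http tcp}" and "controls {forwarding}" are derived by the system from these specs.
modify ltm policy Drafts/block_admin_paths rules add {
    allow_admin_from_mgmt {
        ordinal 1
        conditions replace-all-with {
            0 { http-uri request path starts-with values { /admin /internal } }
            1 { tcp request address matches values { 10.0.0.0/8 } }
        }
        actions replace-all-with {
            0 { log write message "tcl:admin path [HTTP::uri] permitted for [IP::client_addr]" priority info }
        }
    }
    deny_admin {
        ordinal 2
        conditions replace-all-with {
            0 { http-uri request path starts-with values { /admin /internal } }
        }
        actions replace-all-with {
            0 { log write message "tcl:admin path [HTTP::uri] refused for [IP::client_addr]" priority warning }
            1 { http-reply request redirect location "https://www.example.com/" code 302 }
        }
    }
}

# 3. Review the draft, then publish it. The published copy is named without the Drafts/ prefix.
list ltm policy Drafts/block_admin_paths
publish ltm policy Drafts/block_admin_paths

# 4. Attach the published policy to a virtual server that carries an HTTP profile (the
#    "requires {http}" aspect is only satisfied on such a virtual server).
modify ltm virtual vs_www policies add { block_admin_paths }

# 5. A later "delete ltm policy block_admin_paths" fails while vs_www still references it;
#    remove the reference first.
modify ltm virtual vs_www policies delete { block_admin_paths }
```

The first rule has only a log action, so a matching request from the management range is logged and then forwarded
normally; the redirect in the second rule is reached only when the first rule's address condition fails. The string
comparisons default to equals and case-insensitive, as described under Comparison operators.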
app-service - Specifies the name of the application service to which the policy belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot modify or delete
the policy. Only the application service can modify or delete the policy.
CONTROLS_ASPECT is one or more of the following:
none - Associated with unrestricted actions that are always available, like logging.
forwarding - Enables many options for Forwarding connections to the back end.
caching - Enable or disable caching on a per-request basis.
compression - Actions which enable or disable compression and decompression. The virtual server will need to have an
appropriate compression profile applied.
acceleration - Enable or disable Web Acceleration
asm - Enable or disable Application Security Management
avr - Enable or disable Application Visibility Reporting
l7dos - Enable or disable Layer 7 Denial-of-Service protection
bot-defense - Enable or disable Unified Bot Defense protection
classification - Used by the Traffic classification engine
request-adaptation - Enable or disable Request Adaptation
response-adaptation - Enable or disable Response Adaptation
client-ssl - Enable or disable SSL connection on the client side
server-ssl - Enable or disable SSL connection on the server side
websocket - Actions related to WebSockets
REQUIRES_ASPECT is one or more of the following:
none - Associated with conditions that are always available, like cpu-usage, with no specific profiles required to
be attached to a virtual server
http - Makes available HTTP-protocol conditions. A profile that communicates using the HTTP protocol needs to be
attached to a virtual server with this policy.
http-explicit - Makes available HTTP Explicit Proxy specific conditions. An HTTP Explicit Proxy profile needs to
be attached to a virtual server with this policy.
http-connect - Makes available HTTP Connect specific conditions. An HTTP Connect profile needs to be attached to
a virtual server with this policy.
tcp - A TCP profile needs to be attached to a virtual server with this policy. Makes available TCP-specific conditions.
client-ssl - A Client-SSL profile needs to be attached to a virtual server with this policy.
server-ssl - A Server-SSL profile needs to be attached to a virtual server with this policy.
classification - A classification profile needs to be attached to a virtual server with this policy.
Data Types
BOOLEAN - [true* | false]
NUMBER - signed 32-bit integer
STRING - Bare_string -or- "quoted string"
TCLSTRING - A STRING optionally containing Tcl command substitutions to be evaluated at runtime. If the string begins with
the 4-character prefix "tcl:", the prefix is removed and the rest of the string is passed to the Tcl interpreter. If there
is no prefix, the whole string is treated as a plain string with no Tcl interpreter overhead. Examples:
log request message "tcl:This is Tcl-enabled and the URI is [HTTP::uri]"
log request message "This is just a plain old string"
IP_ADDRESS - IPv4 or IPv6 address
Comparison operators
Core to defining conditions is the need to compare quantities at run time against pre-defined values. LTM Policy allows
you to specify single or multiple values in a comparison.
NUMBER_COMPARISON
[not] [equals* | less | greater | less-or-equal | greater-or-equal]
values { VAL1 [[VAL2] ...]}
Sample numeric comparisons:
not greater values { 1024 } # no more than 1024
values { 80 443 8080 } # compare against 80, 443, or 8080, equals implied
STRING_COMPARISON
[not] [equals* | starts-with | ends-with | contains]
values { VAL1 [[VAL2] ...] } [case-insensitive* | case-sensitive]
Sample string comparisons:
equals values { Abel bAkEr chArlIe } # case-insensitive match of 3 candidates
values { Abel bAkEr chArlIe } # same as above, equals implied
ends-with values { html txt } # match if string ends with either candidate
contains values { "jj83Q@@#AFRT@==" } case-sensitive # match value, case must match
*default if not specified
CONDITION_SPEC
A CONDITION_SPEC, or condition specification, is where you can tell the system the specific attributes you would like to
inspect and use as a trigger for action.
Conditions are associated with an event, so conditions can be evaluated at different times during a request-response cycle.
Below is a list of all supported conditions, the events during which they can be evaluated, additional qualifiers, and
parameters.
http-uri
Inspect the URI on a request and match on various parts or the entire URI (since 11.4.0)
Specifying http-uri in a condition automatically adds "requires {http}" to the policy.
http-uri [proxy-request* | request | proxy-connect]
[all STRING_COMPARISON
[normalized BOOL]
]
[scheme STRING_COMPARISON
[normalized BOOL]
]
[host STRING_COMPARISON
[normalized BOOL]
]
[port NUMBER_COMPARISON
[normalized BOOL]
]
[path STRING_COMPARISON
[normalized BOOL]
]
[extension STRING_COMPARISON
[normalized BOOL]
]
[query-string STRING_COMPARISON
[normalized BOOL]
]
[query-param STRING_COMPARISON
name STRING
[normalized BOOL]
]
[unnamed-query-param STRING_COMPARISON
index NUMBER
[normalized BOOL]
]
[path-segment STRING_COMPARISON
index NUMBER
[normalized BOOL]
]
[urlcat
[normalized BOOL]
]
where
all - match on the full URI
normalized - Convert URI to standard form for
consistent comparison.
scheme - match on the scheme, e.g. http, https, ftp,
file
normalized - Convert URI to standard form for
consistent comparison.
host - match on the hostname in the URI
normalized - Convert URI to standard form for
consistent comparison.
port - match on the port number in the URI
normalized - Convert URI to standard form for
consistent comparison.
path - match on the URI path
normalized - Convert URI to standard form for
consistent comparison.
extension - match on the file extension in the URI,
e.g. jpg, html, cgi
normalized - Convert URI to standard form for
consistent comparison.
query-string - match against text in the query string
normalized - Convert URI to standard form for
consistent comparison.
query-param - match value of the named query parameter
from the query string
name - Specify the name of the particular query
parameter whose value is to be used
normalized - Convert URI to standard form for
consistent comparison.
unnamed-query-param - match the value of a query
parameter by a numeric index instead of by name
index - The numeric order of the query parameter
whose value is to be used, starting at 1. Negative
values indicate counting right to left.
normalized - Convert URI to standard form for
consistent comparison.
path-segment - Match a part of the URI path by a
numeric index
index - The numeric order of a segment in the
path, starting at 1. Negative values indicate
counting right to left.
normalized - Convert URI to standard form for
consistent comparison.
urlcat - Run URI through a categorization engine. List
of categories - 'tmsh list sys url-db url-category'
normalized - Convert URI to standard form for
consistent comparison.
tcp
Inspect and match on various TCP properties of a connection (since 11.5.0)
Specifying tcp in a condition automatically adds "requires {tcp}" to the policy.
tcp [client-accepted* | ssl-client-hello |
ssl-client-serverhello-send | ssl-server-hello |
ssl-server-handshake | server-connected |
request | response | proxy-request | proxy-connect |
proxy-response | ws_request | ws_response |
classification-detected]
[address IP_COMPARISON
[internal BOOL]
[local BOOL]
]
[port NUMBER_COMPARISON
[internal BOOL]
[local BOOL]
]
[mss NUMBER_COMPARISON
[internal BOOL]
]
[rtt NUMBER_COMPARISON
[internal BOOL]
]
[vlan STRING_COMPARISON
[internal BOOL]
]
[vlan-id NUMBER_COMPARISON
[internal BOOL]
]
[route-domain NUMBER_COMPARISON
[internal BOOL]
]
where
address - Match on IP address. By default the IP
address is the one associated with the external
interface, remote end of the connection.
internal - Internal specifies the IP address of
the endpoint on the "internal" side of the
connection.
local - Local specifies the IP address of the
local side of the connection, i.e. not the remote
side.
port - Match on port number. By default the port is
the one associated with the external interface, remote
end of the connection.
internal - Internal specifies the port of the
endpoint on the "internal" side of the connection.
local - Local specifies the port of the local side
of the connection, i.e. not the remote side.
mss - Compare the TCP maximum segment size on the
external network interface.
internal - Refers to the maximum segment size on
the internal interface.
rtt - Inspect the round trip time on the external
network interface.
internal - Refers to the round trip time on the
internal interface.
vlan - Compare traffic with specified vlan on the
external network interface.
internal - Refers to the vlan on the internal
interface.
vlan-id - Compare traffic with specified vlan-id
number on the external network interface.
internal - Refers to the vlan-id on the internal
interface.
route-domain - Compare traffic with specified route
domain number on the external network interface.
internal - Specifies the route domain on the
internal interface.
Examples
tcp address matches values { 141.202.53.16 }
tcp address internal matches values { 192.168.63.1 192.168.63.121 }
tcp port matches values { 8080 3128 }
client-ssl
Inspect properties of the SSL connection on the client side of the device. (since 11.4.0)
Specifying client-ssl in a condition automatically adds "requires {client-ssl}" to the policy.
client-ssl [proxy-request* | request | proxy-connect |
proxy-response | response]
[protocol STRING_COMPARISON]
[cipher STRING_COMPARISON]
[cipher-bits NUMBER_COMPARISON]
where
protocol - Compare SSL protocol name
cipher - Cipher name
cipher-bits - cipher strength in number of bits
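A rule set built on the client-ssl condition, added here as an illustration and not taken from this manual, records
handshakes that completed with a weak cipher or a legacy protocol so that they show up in the system log before the
corresponding ciphers are removed from the Client-SSL profile. The draft policy name (tls_hygiene), the rule names and the
threshold are assumed; the draft is created and published as shown under EXAMPLES. The protocol strings TLSv1 and TLSv1.1
are assumed to match the names the device reports, and the message text uses the SSL::cipher and IP::client_addr iRule
commands through the "tcl:" prefix described under TCLSTRING.

```tmsh
# Conditions inside one rule must all hold, so the cipher-strength test and the protocol test
# are placed in separate rules; either one matching produces a log line.
modify ltm policy Drafts/tls_hygiene rules add {
    weak_cipher {
        ordinal 1
        conditions replace-all-with {
            0 { client-ssl request cipher-bits less values { 128 } }
        }
        actions replace-all-with {
            0 { log write message "tcl:weak cipher [SSL::cipher name] ([SSL::cipher bits] bits) from [IP::client_addr]" priority warning }
        }
    }
    legacy_protocol {
        ordinal 2
        conditions replace-all-with {
            0 { client-ssl request protocol values { TLSv1 TLSv1.1 } }
        }
        actions replace-all-with {
            0 { log write message "tcl:legacy protocol [SSL::cipher version] from [IP::client_addr]" priority warning }
        }
    }
}
```

Because the rules contain only log actions, matching connections are still forwarded; the policy is a measurement step
whose output shows which clients would be affected by a stricter Client-SSL profile. Specifying client-ssl adds
"requires {client-ssl}" automatically, so the published policy can only be attached to a virtual server with a Client-SSL
profile.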
http-method
Inspect the request's HTTP method, e.g. GET, POST, HEAD (since 11.4.0)
Specifying http-method in a condition automatically adds "requires {http}" to the policy.
http-method [request* | proxy-request]
all STRING_COMPARISON
Example
http-method all values { POST }
http-version
Inspect the version of an HTTP request or response (since 11.4.0)
Specifying http-version in a condition automatically adds "requires {http}" to the policy.
http-version [proxy-request* | request | proxy-connect |
proxy-response | response]
[all STRING_COMPARISON]
[protocol STRING_COMPARISON]
[major NUMBER_COMPARISON]
[minor NUMBER_COMPARISON]
where
all - Compare against full version string
protocol - HTTP protocol
major - Numeric major part of HTTP version
minor - Numeric minor part of HTTP version
Examples
http-version all contains values { HTTP/1.1 }
http-version protocol values { HTTP }
http-version major values { 1 }
http-version minor greater-or-equal values { 0 }
http-status
Inspect the HTTP response's status (since 11.4.0)
Specifying http-status in a condition automatically adds "requires {http}" to the policy.
http-status [proxy-response* | response]
[all STRING_COMPARISON]
[code NUMBER_COMPARISON]
[text STRING_COMPARISON]
where
all - Compare against full HTTP status response
including both code and text
code - Numeric HTTP response status code
text - HTTP response status string, e.g.
"Authentication Required"
Examples
http-status response values { "HTTP/1.1 200 OK" }
http-status response code values { 401 }
http-status response text contains values { "Authentication Required" }
http-host
Match against an HTTP request's Host: header (since 11.4.0)
Specifying http-host in a condition automatically adds "requires {http}" to the policy.
http-host [proxy-request* | request | proxy-connect]
[all STRING_COMPARISON]
[host STRING_COMPARISON]
[port NUMBER_COMPARISON]
where
all - Compare against full Host header string
host - compare against hostname
port - compare against port number
Examples
http-host values { example.com }
http-host host values { ns1.example.com ns2.example.com }
http-host port values { 80 443 3128 8080 }
http-header
Match against any HTTP header (since 11.4.0)
Specifying http-header in a condition automatically adds "requires {http}" to the policy.
http-header [proxy-request* | request | proxy-connect |
proxy-response | response]
all STRING_COMPARISON
name STRING
Example
http-header response name Content-type starts-with values { text/ }
http-referer
Inspect HTTP Referer: header or specific parts of the URI value. (since 11.4.0)
Specifying http-referer in a condition automatically adds "requires {http}" to the policy.
http-referer [proxy-request* | request | proxy-connect]
[all STRING_COMPARISON
[normalized BOOL]
]
[scheme STRING_COMPARISON
[normalized BOOL]
]
[host STRING_COMPARISON
[normalized BOOL]
]
[port NUMBER_COMPARISON
[normalized BOOL]
]
[path STRING_COMPARISON
[normalized BOOL]
]
[extension STRING_COMPARISON
[normalized BOOL]
]
[query-string STRING_COMPARISON
[normalized BOOL]
]
[path-segment STRING_COMPARISON
index NUMBER
[normalized BOOL]
]
[query-param STRING_COMPARISON
name STRING
[normalized BOOL]
]
[unnamed-query-param STRING_COMPARISON
index NUMBER
[normalized BOOL]
]
[urlcat
[normalized BOOL]
]
where
all - entire URI, e.g.
http://example.com/path/to/page.cgi?a=b&c=d
normalized - Convert URI to standard form for
consistent comparison.
scheme - e.g. http, https, ftp
normalized - Convert URI to standard form for
consistent comparison.
host - DNS hostname or IP address
normalized - Convert URI to standard form for
consistent comparison.
port - numeric port number, e.g. 80
normalized - Convert URI to standard form for
consistent comparison.
path - URI path, e.g. /path/to
normalized - Convert URI to standard form for
consistent comparison.
extension - document extension, e.g. cgi
normalized - Convert URI to standard form for
consistent comparison.
query-string - full query string, e.g. a=b&c=d
normalized - Convert URI to standard form for
consistent comparison.
path-segment - path segment by numerical index
index - Identify a segment of a path by its
numerical order starting at 1. Negative values
indicate counting right to left.
normalized - Convert URI to standard form for
consistent comparison.
query-param - value of query param by name
name - Identify a query string parameter by its
name
normalized - Convert URI to standard form for
consistent comparison.
unnamed-query-param - value of query parameter by
numerical index
index - Identify a query string parameter by its
numerical order starting at 1. Negative values
indicate counting right to left.
normalized - Convert URI to standard form for
consistent comparison.
urlcat - Run URI through a categorization engine. List
of categories - 'tmsh list sys url-db url-category'
normalized - Convert URI to standard form for
consistent comparison.
Examples
http-referer request all contains values { cgi }
http-referer request scheme values { http https }
http-referer request host values { example.com 127.0.0.1 }
http-referer request port values { 80 8080 }
http-referer request path contains values { /cgi-bin/ }
http-referer request extension contains values { xml xhtml xsd }
http-referer request query-string contains values { __utmz }
http-referer path-segment index 2 values { to }
http-referer query-param name foo contains values { bar }
http-referer request unnamed-query-param index 1 values { a }
http-cookie
Inspect an HTTP request's Cookie: header (since 11.4.0)
Specifying http-cookie in a condition automatically adds "requires {http}" to the policy.
http-cookie [proxy-request* | request | proxy-connect]
all STRING_COMPARISON
name STRING
Example
http-cookie name User values { xyz123 }
http-set-cookie
Inspect an HTTP response's Set-Cookie: header (since 11.4.0)
Specifying http-set-cookie in a condition automatically adds "requires {http}" to the policy.
http-set-cookie [proxy-response* | response]
[value STRING_COMPARISON
name STRING
]
[version STRING_COMPARISON
name STRING
]
[path STRING_COMPARISON
name STRING
]
[domain STRING_COMPARISON
name STRING
]
[expiry STRING_COMPARISON
name STRING
]
where
value - value of the named cookie named by the
parameter
version - version of the named cookie
path - path of the named cookie
domain - value of the domain specified by the named
cookie
expiry - Time when validity of named cookie expires,
in RFC 6265 format (Wdy, DD Mon YYYY HH:MM:SS GMT)
Examples
http-set-cookie response value name Cust-Id values { org177 org187 org197 }
http-set-cookie response version name mycook values { 1.1 }
http-set-cookie response path name mycook values { /private/cgi-bin/ }
http-set-cookie response domain name mycook values { example.com }
http-set-cookie response expiry name MyCookie contains values { "Wed, 09 Jun 2021" }
http-basic-auth
Inspect an HTTP request's username/password specified for Basic authentication. (since 11.4.0)
Specifying http-basic-auth in a condition automatically adds "requires {http}" to the policy.
http-basic-auth [proxy-request* | request | proxy-connect]
[username STRING_COMPARISON]
[password STRING_COMPARISON]
where
username - basic authentication username
password - basic authentication password
Example
http-basic-auth password not values { password }
http-proxy
Inspect properties of the HTTP Explicit Proxy feature (since 13.1.0)
Specifying http-proxy in a condition automatically adds "requires {http-explicit}" to the policy.
http-proxy [request*]
[address IP_COMPARISON]
[port NUMBER_COMPARISON]
[route-domain NUMBER_COMPARISON]
where
address - The resolved IP address
Examples
http-proxy address equals values { 10.0.0.1 }
http-proxy port matches values { 80 }
http-proxy route-domain matches values { 2 }
http-connect
Inspect properties of the HTTP Proxy Connect feature (since 13.1.0)
Specifying http-connect in a condition automatically adds "requires {http-connect}" to the policy.
http-connect [client-accepted* | ssl-client-hello |
ssl-client-serverhello-send | ssl-server-hello |
ssl-server-handshake | server-connected |
proxy-request | request | proxy-connect |
proxy-response | response]
[host STRING_COMPARISON]
[port NUMBER_COMPARISON]
where
host - The host sent to the remote proxy
Examples
http-connect host matches values { http://example.com }
http-connect port matches values { 80 }
ssl-extension
Inspect SSL extensions being negotiated during HELLO phase. (since 11.4.0)
This condition is available to all policies.
ssl-extension [ssl-client-hello* | ssl-server-hello]
[server-name STRING_COMPARISON]
[npn STRING_COMPARISON
[index NUMBER]
]
[alpn STRING_COMPARISON
[index NUMBER]
]
where
server-name - server name indication
npn - next protocol negotiation
alpn - application layer protocol negotiation
Example
ssl-extension ssl-client-hello server-name values { secure43.example.org }
ssl-cert
Inspect properties of an SSL certificate. (since 11.4.0)
Specifying ssl-cert in a condition automatically adds "requires {server-ssl}" to the policy.
ssl-cert [ssl-server-handshake*]
common-name STRING_COMPARISON
[index NUMBER]
where
common-name - hostname covered by the SSL certificate
geoip
Specify a condition based upon properties of the geographical location of the IP address, such as continent code, country
code, city, region, or organization. The default is to inspect the external interface, remote endpoint. (since 11.5.0)
This condition is available to all policies.
geoip [client-accepted* | ssl-client-hello |
ssl-client-serverhello-send | ssl-server-hello |
ssl-server-handshake | server-connected |
proxy-request | request | proxy-connect |
proxy-response | response]
[continent STRING_COMPARISON
[internal BOOL]
[local BOOL]
]
[country-code STRING_COMPARISON
[internal BOOL]
[local BOOL]
]
[country-name STRING_COMPARISON
[internal BOOL]
[local BOOL]
]
[region-code STRING_COMPARISON
[internal BOOL]
[local BOOL]
]
[region-name STRING_COMPARISON
[internal BOOL]
[local BOOL]
]
[org STRING_COMPARISON
[internal BOOL]
[local BOOL]
]
[isp STRING_COMPARISON
[internal BOOL]
[local BOOL]
]
where
continent - Two-character continent code: AF, AN, AS,
OC, EU, NA, SA
country-code - Two-character country code as defined
in ISO-3166-2
country-name - Full name of country
region-code - Abbreviation of State, Province, or
country-specific region
region-name - Full name of State, Province, or
country-specific region
org - Organization associated with address
isp - Internet Service Provider associated with
address
Examples
geoip continent values { NA }
geoip country-code values { us }
geoip country-name values { "United States" }
geoip region-code values { NY CA TX }
geoip region-name values { Washington Oregon Idaho }
geoip org values { "Acme Widgets" }
geoip isp values { "Fastcast Networks" "Responsive Cable Inc." }
cpu-usage
Specify a condition based upon the CPU usage percentage over the past 15-second, 1-minute, or 5-minute interval. (since
11.5.0)
This condition is available to all policies.
cpu-usage [client-accepted* | ssl-client-hello |
ssl-client-serverhello-send | ssl-server-hello |
ssl-server-handshake | server-connected |
proxy-request | request | proxy-connect |
proxy-response | response]
[last-15secs NUMBER_COMPARISON]
[last-1min NUMBER_COMPARISON]
[last-5mins NUMBER_COMPARISON]
where
last-15secs - CPU usage ratio % over the past 15
seconds, 0-100
last-1min - CPU usage ratio % over the past minute,
0-100
last-5mins - CPU usage ratio % over the past 5
minutes, 0-100
Examples
cpu-usage request last-15secs values { 8 }
cpu-usage response last-1min values { 10 }
cpu-usage last-5mins values { 12 }
http-user-agent
Specify a condition based upon a User-Agent sub-string, e.g. version, browser type, or mobile device make and model. (since
11.4.0)
Specifying http-user-agent in a condition automatically adds "requires {http}" to the policy.
http-user-agent [proxy-request* | request]
[device-make STRING_COMPARISON]
[device-model STRING_COMPARISON]
[browser-type STRING_COMPARISON]
[browser-version STRING_COMPARISON]
[ua-token STRING_COMPARISON
name STRING
]
where
device-make - Make of device
device-model - Model of device
browser-type - Browser name/type
browser-version - Browser version string
ua-token - Sub version string associated with
specified parameter
Examples
http-user-agent device-make values { Samsung ASUS }
http-user-agent device-model values { DroidX }
http-user-agent request browser-type values { Mozilla }
http-user-agent request browser-version values { "37.0.2049.0" }
http-user-agent ua-token name Mozilla values { 9.0 }
websocket
Specify a condition based upon properties of a WebSocket connection. (since 12.1.0)
Specifying websocket in a condition automatically adds "requires {websocket}" to the policy.
websocket [ws_request* | ws_response]
[protocol STRING_COMPARISON]
[extension STRING_COMPARISON]
[version STRING_COMPARISON]
[ws_key STRING_COMPARISON]
where
protocol - value of the Sec-WebSocket-Protocol header
extension - value of the Sec-WebSocket-Extensions
header
version - value of the Sec-WebSocket-Version header
ws_key - value of the masking-key
classification
Specify a condition based on flow's classification results. (since 13.0.0)
Specifying classification in a condition automatically adds "requires {classification}" to the policy.
classification [classification-detected*]
[application STRING_COMPARISON]
[application-id ]
[application-risk ]
[category STRING_COMPARISON]
[category-id ]
[url-category STRING_COMPARISON]
[url-category-id ]
where
application - Classification Application Name
application-id - Classification Application ID
application-risk - Classification Application Risk
category - Application's category name
category-id - Application's category ID
url-category - URL's category name
url-category-id - URL's category ID
Examples
classification application values { cnn youtube }
classification application-id values { 1245 }
classification application-risk greater-or-equal values { 3 }
classification category values { News_And_Media }
classification category-id values { 16666 }
classification url-category starts-with values { News }
classification url-category-id values { 25555 }
iprep
Perform a reputation lookup on IP address (since 13.1.0)
This condition is available to all policies.
iprep [client-accepted* | proxy-request | request |
server-connected]
all
[internal BOOL]
[local BOOL]
Example
iprep all values { "Spam Sources" "Denial of Service" }
ACTION_SPEC
An ACTION_SPEC, or action specification, is where you can tell the system the specific programmed actions you would like to
take.
Actions are associated with an event, and depending on the action, can be set to run at different times during the request-
response cycle.
Below is a list of all supported actions, the events during which they can be executed, their specific sub-actions, and
parameters (if any).
ltm-policy
Provides the ability to disable LTM Policy processing on a request by request basis. (since 11.4.0)
This action is available to all policies.
ltm-policy [client-accepted* | ssl-client-hello |
ssl-client-serverhello-send | ssl-server-hello |
ssl-server-handshake | server-connected |
proxy-request | request | proxy-connect |
proxy-response | response]
disable*
http
Provides the ability to enable or disable BIG-IP's HTTP filter processing (since 11.4.0)
This action is available to all policies.
http [client-accepted* | proxy-request | request |
response | server-connected]
[enable*]
[disable]
http-uri
Modify the request's URI, path or query string. Setting the URI value overrides the path and query-string settings. (since 11.4.0)
This action is available to all policies.
http-uri [proxy-request* | request | proxy-connect]
replace*
[value TCLSTRING]
[path TCLSTRING]
[query-string TCLSTRING]
http-host
Modify the request's Host: header (since 11.4.0)
This action is available to all policies.
http-host [proxy-request* | request | proxy-connect]
replace*
value TCLSTRING
http-header
Modify HTTP header in request or response (since 11.4.0)
This action is available to all policies.
http-header [proxy-request* | request | proxy-connect |
proxy-response | response]
[replace*
name STRING
value TCLSTRING
]
[insert
name STRING
value TCLSTRING
]
[remove
name STRING
]
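The replace, insert and remove sub-actions above are shown only as grammar. The rule set below, added here as an
illustration and not taken from this manual, applies them in the way they are typically combined on a reverse proxy:
security headers are inserted into HTML responses, headers that disclose the backend software are removed, and a
client-supplied X-Forwarded-For header is stripped on the way in so that the backend only sees addresses the proxy itself
asserts. The draft policy name (response_headers), the rule names, the host name and the header values are assumed; the
http-header and http-host conditions are the ones documented under CONDITION_SPEC.

```tmsh
modify ltm policy Drafts/response_headers rules add {
    harden_html_response {
        ordinal 1
        conditions replace-all-with {
            0 { http-header response name Content-Type starts-with values { text/html } }
        }
        actions replace-all-with {
            0 { http-header response insert name Strict-Transport-Security value "max-age=31536000; includeSubDomains" }
            1 { http-header response insert name X-Content-Type-Options value nosniff }
            2 { http-header response insert name X-Frame-Options value DENY }
            3 { http-header response remove name Server }
            4 { http-header response remove name X-Powered-By }
        }
    }
    strip_client_xff {
        ordinal 2
        conditions replace-all-with {
            0 { http-host request host values { www.example.com } }
        }
        actions replace-all-with {
            # Drop whatever the client sent; the proxy's own forwarded-address handling is configured on
            # the HTTP profile, not here.
            0 { http-header request remove name X-Forwarded-For }
        }
    }
}
```

Each action is tied to an event: the response-side inserts and removes run at the response event, the X-Forwarded-For
removal at the request event, so one rule cannot mix the two directions and the policy uses two rules. The values are
plain STRINGs here; a value that must be computed per request would use the "tcl:" prefix described under TCLSTRING.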
http-referer
Modify the request's Referer: header (since 11.4.0)
This action is available to all policies.
http-referer [proxy-request* | request | proxy-connect]
[replace*
[value TCLSTRING]
]
[insert
value TCLSTRING
]
[remove]
where
replace - Replace request's Referer: header.
value - New value for request's Referer: header.
Values beginning with "tcl:" are treated as Tcl
command substitutions and expanded before use.
insert - Insert an HTTP Referer: header into the
request
value - New value for request's Referer: header.
Values beginning with "tcl:" are treated as Tcl
command substitutions and expanded before use.
remove - Remove the HTTP Referer: header from the
request
http-cookie
Modify the request's Cookie: header (since 11.4.0)
This action is available to all policies.
http-cookie [proxy-request* | request | proxy-connect]
[insert*
name STRING
[value TCLSTRING]
]
[remove
name STRING
]
where
insert - Insert an HTTP Cookie: header into the
request
name - Name of the cookie being inserted into
request's Cookie: header.
value - New value for the cookie in the request's
Cookie: header. Values beginning with "tcl:" are
treated as Tcl command substitutions and expanded
before use.
remove - Remove the HTTP Cookie: header from the
request
name - Name of the cookie to be removed from the
request's Cookie: header.
Examples
http-cookie request insert name "Source-IP" value "tcl:[IP::remote_addr]"
http-cookie remove name "X-Tracker"
http-set-cookie
Modify the response's Set-Cookie: header (since 11.4.0)
This action is available to all policies.
http-set-cookie [response*]
[insert*
name STRING
value TCLSTRING
[domain TCLSTRING]
[path TCLSTRING]
]
[remove
name STRING
]
where
insert - Insert an HTTP Set-Cookie: header into the
response
name - Name of the cookie being inserted into
response's Set-Cookie: header.
value - New value for the cookie in the response's
Set-Cookie: header. Values beginning with "tcl:"
are treated as Tcl command substitutions and
expanded before use.
domain - Value for the domain attribute of a
cookie in Set-Cookie header. Tcl command
substitutions are allowed for this field.
path - Value for the path attribute of a cookie in
Set-Cookie header. Tcl command substitutions are
allowed for this field.
remove - Remove the HTTP Set-Cookie: header from the
response
name - Name of the cookie to be removed from
response's Set-Cookie: header.
http-reply
Redirect an HTTP request to a different URL (since 11.4.0)
Specifying http-reply in an action automatically adds "controls {forwarding}" to the policy.
http-reply [proxy-request* | request | response]
redirect*
location TCLSTRING
[code NUMBER]
where
redirect - Redirect an HTTP request to a different URL
location - The new URL for which a redirect
response will be sent. A Tcl command substitution
can be used for this field.
code - Optional HTTP response code for redirect.
Default value is 302 if not specified. Valid
values are in the range of 300-399.
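A complete draft-to-published lifecycle for the http-reply action, added here as an example and not taken from the F5 manual: a policy for a plaintext listener that answers every request with a permanent redirect to the same host and path over HTTPS. The policy name force_https and the virtual server name vs_www_http are assumptions, as is the `policies add` form of attaching a published policy; the command is split across lines for readability.

```tmsh
# Draft policy: no conditions, so the single rule matches every request.
# http-reply automatically adds "controls { forwarding }" to the policy.
create ltm policy Drafts/force_https strategy first-match
    requires add { http }
    rules add {
        redirect_all {
            ordinal 1
            actions add {
                0 { http-reply request redirect code 301
                    location "tcl:https://[HTTP::host][HTTP::uri]" }
            }
        }
    }

# Only a published policy can be attached to a virtual server (assumed names).
publish ltm policy Drafts/force_https
modify ltm virtual vs_www_http policies add { force_https }
```

Because [HTTP::host] echoes the client-supplied Host header, a listener that serves a single site should use a fixed hostname in the location string instead.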
log
Write messages to local or remote system log (since 11.4.0)
This action is available to all policies.
log [client-accepted* | ssl-client-hello |
ssl-client-serverhello-send | ssl-server-hello |
ssl-server-handshake | server-connected |
proxy-request | request | proxy-connect |
proxy-response | response | ws_request |
ws_response | classification-detected]
write*
[message TCLSTRING]
[facility STRING]
[priority STRING]
[ip_address STRING]
[port NUMBER]
where
write - Write a message to the system log files, local
or remote
message - The message to write to the system log.
A Tcl command substitution is allowed here.
facility - Standard syslog facility associated
with message, such as auth, kern, daemon, user.
priority - Standard syslog priority associated
with message, such as emerg, alert, err, warning,
notice, info, debug.
ip_address - For remote logging, the IP address of
the remote syslog server.
port - For remote logging, the port number of the
remote syslog server.
Examples
log request message "tcl:This is Tcl-enabled and the URI is [HTTP::uri]"
log request message "This is just a plain old string"
log request message "Something serious is happening!" priority alert
pem
Classify traffic (since 11.4.0)
Specifying pem in an action automatically adds "controls {classification}" to the policy.
pem [ssl-client-hello* | ssl-client-serverhello-send |
ssl-server-hello | ssl-server-handshake |
proxy-request | request | response]
classify*
[application STRING]
[category STRING]
[protocol STRING]
[defer BOOL]
[ssl-session-id BOOL]
where
classify - Classify traffic
ce
Classify traffic (since 12.1.0)
Specifying ce in an action automatically adds "controls {ce}" to the policy.
ce [ssl-client-hello* | ssl-server-hello |
ssl-server-handshake | request | response]
classify*
[application STRING]
[category STRING]
where
classify - Classify traffic
cache
Control caching (since 11.4.0)
Specifying cache in an action automatically adds "controls {caching}" to the policy.
cache [client-accepted* | proxy-request | request |
response | server-connected]
[enable*
[pin BOOL]
]
[disable]
where
enable - Enable caching for a connection
disable - Disable caching for a connection
compress
Control compression (since 11.4.0)
Specifying compress in an action automatically adds "controls {compression}" to the policy.
compress [client-accepted* | proxy-request | request |
response | server-connected]
[enable*]
[disable]
where
enable - Enable compression for a connection
disable - Disable compression for a connection
decompress
Control decompression (since 11.4.0)
Specifying decompress in an action automatically adds "controls {compression}" to the policy.
decompress [client-accepted* | proxy-request | request |
response | server-connected]
[enable*]
[disable]
where
enable - Enable decompression for a connection
disable - Disable decompression for a connection
forward
Many options for controlling where a connection is forwarded (since 11.4.0)
Specifying forward in an action automatically adds "controls {forwarding}" to the policy.
forward [client-accepted* | ssl-client-hello |
ssl-client-serverhello-send | proxy-request |
request]
[select*
[pool STRING]
[fallback-pool STRING]
[clone-pool STRING]
[node STRING]
[snat STRING]
[snatpool STRING]
[nexthop STRING]
[vlan STRING]
[vlan-id NUMBER]
[virtual STRING]
[rateclass STRING]
]
[reset]
where
select - Select appropriate location for forwarding
the connection based on specified parameters. While
all of the parameters are marked as optional, at least
one must be specified.
pool - Forward connection to the specified pool.
fallback-pool - Forward connection to the
specified pool when the default pool does not have
active members.
clone-pool - Clone traffic to the specified clone
pool.
node - Forward connection to the specified node.
snat - Control snat automap.
snatpool - Forward connection to the specified
snat pool.
nexthop - Set the next destination for the
connection to the specified endpoint. A vlan or
vlan-id must also be specified.
vlan - Forward connection to the specified vlan.
vlan-id - Forward connection to the vlan specified
by the vlan-id.
virtual - Forward connection to the specified
virtual server.
rateclass - Control rate class properties on the
connection.
reset - Deprecated. See target "shutdown connection".
shutdown
Reset connection (since 13.1.0)
This action is available to all policies.
shutdown [client-accepted* | ssl-client-hello |
ssl-client-serverhello-send | ssl-server-hello |
ssl-server-handshake | server-connected |
proxy-request | request | proxy-connect |
proxy-response | response | ws_request |
ws_response]
connection*
where
connection - Terminate the connection through the BIG-IP.
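The log, forward and shutdown actions documented above combined in one policy, added as an example that is not part of the F5 manual: requests under /admin are recorded on a remote syslog server and the connection is terminated, while everything else is forwarded to a pool with a fallback. The pool names, the syslog address 192.0.2.50 (a constructed documentation address) and the http-uri path condition (syntax from the conditions section, not this one) are assumptions.

```tmsh
# first-match: the deny rule is evaluated before the catch-all forward rule.
# forward automatically adds "controls { forwarding }" to the policy.
create ltm policy Drafts/api_access strategy first-match
    requires add { http }
    rules add {
        deny_admin_paths {
            ordinal 1
            conditions add {
                0 { http-uri path starts-with values { /admin } }
            }
            actions add {
                0 { log request
                    message "tcl:blocked admin path [HTTP::uri] from [IP::remote_addr]"
                    facility local0 priority warning
                    ip_address 192.0.2.50 port 514 }
                1 { shutdown request connection }
            }
        }
        forward_rest {
            ordinal 2
            actions add {
                0 { forward request select pool api_pool fallback-pool api_pool_backup }
            }
        }
    }
```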
persist
Many options for controlling how a connection is persisted (since 12.0.0)
Specifying persist in an action automatically adds "controls {persistence}" to the policy.
persist [client-accepted* | proxy-request | request]
[disable]
[src-addr*
[netmask STRING]
[timeout NUMBER]
]
[dest-addr
[netmask STRING]
[timeout NUMBER]
]
[cookie-insert
[name STRING]
[expiry STRING]
]
[cookie-rewrite
[name STRING]
[expiry STRING]
]
[cookie-passive
[name STRING]
]
[cookie-hash
name STRING
[offset NUMBER]
[length NUMBER]
[timeout NUMBER]
]
[universal
key TCLSTRING
[timeout NUMBER]
]
[hash
key TCLSTRING
[timeout NUMBER]
]
[carp
key TCLSTRING
[timeout NUMBER]
]
where
disable - Disable persistence
src-addr - Persist the connection based on the source
IP address.
netmask - Network mask, e.g. 192.168.13.23/16 or
10.0.2.15/255.0.0.0.
timeout - Timeout value in seconds.
dest-addr - Persist the connection based on the
destination IP address.
netmask - Network mask, e.g. 192.168.13.23/16 or
10.0.2.15/255.0.0.0.
timeout - Timeout value in seconds.
cookie-insert - Persist the connection using cookie
insertion method
name - cookie name
expiry - Expiration duration expressed as [Dd][[HH:]MM:]SS
cookie-rewrite - Persist the connection using cookie
rewrite method
name - cookie name
expiry - Expiration duration expressed as [Dd][[HH:]MM:]SS
cookie-passive - Persist the connection using cookie
passive method
name - cookie name
cookie-hash - Persist the connection using cookie hash
method
name - cookie name
offset - offset into hash
length - substring length
timeout - Timeout value in seconds.
universal - persistence based on user-defined key
key - The key to use. Tcl command substitution is
allowed.
timeout - Timeout value in seconds.
hash - persistence based on hash of the key
key - The key to use. Tcl command substitution is
allowed.
timeout - Timeout value in seconds.
carp - hash persistence using Cache Array Routing
Protocol (CARP) algorithm
key - The key to use. Tcl command substitution is
allowed.
timeout - Timeout value in seconds.
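The persist action in a policy, added here as an example and not from the F5 manual: static content is served without persistence, and all other requests are persisted with an inserted cookie whose expiry uses the [Dd][[HH:]MM:]SS format documented above (one day). The policy, cookie and path values are assumptions, and the http-uri path condition comes from the conditions section rather than this one.

```tmsh
# persist automatically adds "controls { persistence }" to the policy.
create ltm policy Drafts/sticky_sessions strategy first-match
    requires add { http }
    rules add {
        no_persist_static {
            ordinal 1
            conditions add {
                0 { http-uri path starts-with values { /static } }
            }
            actions add {
                0 { persist request disable }
            }
        }
        stick_by_cookie {
            ordinal 2
            actions add {
                0 { persist request cookie-insert name app_session expiry 1d00:00:00 }
            }
        }
    }
```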
wam
Control web acceleration (since 11.4.0)
Specifying wam in an action automatically adds "controls {wam}" to the policy.
wam [client-accepted* | proxy-request | request]
[enable*]
[disable]
where
enable - Enable web acceleration for a connection
disable - Disable web acceleration for a connection
asm
Control web security (since 11.4.0)
Specifying asm in an action automatically adds "controls {asm}" to the policy.
asm [client-accepted* | proxy-request | request]
[enable*
policy STRING
]
[disable]
where
enable - Enable web security for a connection
policy - name of security policy to enable
disable - disable web security for the connection
l7dos
Enable or disable Layer 7 Denial-of-Service processing (since 11.4.0)
Specifying l7dos in an action automatically adds "controls {l7dos}" to the policy.
l7dos [client-accepted* | proxy-request | request]
[enable*
[from-profile STRING]
]
[disable]
where
enable - turn on Layer 7 DOS protection
from-profile - name of DOS profile to enable
disable - turn off Layer 7 DOS protection
bot-defense
Enable or disable Unified Bot Defense processing (since 14.1.0)
Specifying bot-defense in an action automatically adds "controls {bot-defense}" to the policy.
bot-defense [client-accepted* | proxy-request | request]
[enable*
[from-profile STRING]
]
[disable]
where
enable - turn on Bot Defense protection
from-profile - name of bot-defense profile to
enable
disable - turn off Bot Defense protection
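The asm, l7dos and bot-defense actions selected per path, added as an example that is not part of the F5 manual: requests under /api get a dedicated security policy, bot-defense profile and DoS profile, and everything else gets a default security policy. The policy and profile names are assumptions and must already exist; the http-uri path condition syntax comes from the conditions section, not this one.

```tmsh
# Each action adds its own controls aspect (asm, l7dos, bot-defense) automatically.
create ltm policy Drafts/waf_by_path strategy first-match
    requires add { http }
    rules add {
        protect_api {
            ordinal 1
            conditions add {
                0 { http-uri path starts-with values { /api } }
            }
            actions add {
                0 { asm request enable policy /Common/api_waf_policy }
                1 { bot-defense request enable from-profile /Common/api_bot_profile }
                2 { l7dos request enable from-profile /Common/api_dos_profile }
            }
        }
        protect_rest {
            ordinal 2
            actions add {
                0 { asm request enable policy /Common/default_waf_policy }
            }
        }
    }
```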
avr
Enable or disable Application Visibility and Reporting (since 11.4.0)
Specifying avr in an action automatically adds "controls {avr}" to the policy.
avr [client-accepted* | proxy-request | request]
[enable*]
[disable]
where
enable - turn on reporting
disable - turn off reporting
tcl
Set a Tcl variable in runtime environment (since 11.4.0)
This action is available to all policies.
tcl [client-accepted* | ssl-client-hello |
ssl-client-serverhello-send | ssl-server-hello |
ssl-server-handshake | server-connected |
proxy-request | request | proxy-connect |
proxy-response | response]
set-variable*
name STRING
expression STRING
where
set-variable - set a Tcl variable in the runtime
environment
name - name of variable
expression - Tcl expression to evaluate
Example
tcl set-variable expression tcl:[HTTP::uri] name my_uri
request-adapt
Enable or disable request adaptation, optionally sending traffic to specified internal virtual server (since 11.4.0)
Specifying request-adapt in an action automatically adds "controls {request-adaptation}" to the policy.
request-adapt [client-accepted* | server-connected |
proxy-request | request | response]
[enable*
[internal-virtual STRING]
]
[disable]
where
enable - turn on request adaptation
internal-virtual - which internal virtual server
disable - turn off request adaptation
response-adapt
Enable or disable response adaptation, optionally sending traffic to specified internal virtual server (since 11.4.0)
Specifying response-adapt in an action automatically adds "controls {response-adaptation}" to the policy.
response-adapt [client-accepted* | server-connected |
proxy-request | request | response]
[enable*
[internal-virtual STRING]
]
[disable]
where
enable - turn on response adaptation
internal-virtual - which internal virtual server
disable - turn off response adaptation
tcp-nagle
Enable or disable Nagle's algorithm on a connection, or allow BIG-IP to determine the best setting. (since 11.4.0)
This action is available to all policies.
tcp-nagle [client-accepted* | request]
[enable*
[auto-mode BOOL]
]
[disable]
where
enable - turn on Nagle
auto-mode - turn on Auto Nagle
disable - turn off Nagle
server-ssl
Enable or disable encrypted connections to backend servers (since 11.4.0)
Specifying server-ssl in an action automatically adds "controls {server-ssl}" to the policy.
server-ssl [client-accepted* | proxy-request | request |
proxy-connect | proxy-response | server-connected]
[enable*]
[disable]
where
enable - encrypted connection to backend
disable - plaintext connection to backend
client-ssl
Enable or disable encrypted connections to client (since 13.1.0)
Specifying client-ssl in an action automatically adds "controls {client-ssl}" to the policy.
client-ssl [client-accepted*]
[enable*]
[disable]
where
enable - encrypted connection to client
disable - plaintext connection to client
ssl-intercept
Switch the SSL Intercept feature between bypass and intercept modes (since 13.1.0)
Specifying ssl-intercept in an action automatically adds "controls {ssl-intercept}" to the policy.
ssl-intercept [ssl-client-serverhello-send*]
[enable*]
[disable]
where
enable - SSL Intercept feature is in intercept mode
disable - SSL Intercept feature is in bypass mode
websocket
Enable or disable websocket processing (since 12.1.0)
Specifying websocket in an action automatically adds "controls {websocket}" to the policy.
websocket [client-accepted* | ws_request | ws_response |
proxy-request | request | proxy-connect |
proxy-response | response | server-connected]
[enable*]
[disable]
where
enable - turn on websocket filter
disable - turn off websocket filter
websocket-payload-processing
Enable or disable websocket payload processing (since 13.1.0)
Specifying websocket-payload-processing in an action automatically adds "controls {websocket}" to the policy.
websocket-payload-processing [ws_request* | request]
[enable*]
[disable]
where
enable - turn on websocket payload processing
disable - turn off websocket payload processing
classification
Perform classification/enforcement of the connection (since 13.0.0)
Specifying classification in an action automatically adds "controls {classification}" to the policy.
classification [ssl-client-hello* | ssl-client-serverhello-send |
ssl-server-hello | ssl-server-handshake |
proxy-request | request | response | classification-detected]
[drop]
[reject]
where
drop - Silently drop connection
reject - Gracefully close connection
server-ssl-profile
Dynamic selection of SSL server profile (since 13.1.0)
Specifying server-ssl-profile in an action automatically adds "controls {server-ssl}" to the policy.
server-ssl-profile [server-connected*]
select*
name STRING
http-proxy
Enable or Disable the HTTP Explicit Proxy (since 13.1.0)
This action is available to all policies.
http-proxy [proxy-request*]
[enable*]
[disable]
where
enable - turn on the HTTP Explicit Proxy feature
disable - turn off the HTTP Explicit Proxy feature
http-uri-rewrite
Enable or Disable the rewriting of HTTP URIs into proxy form (since 13.1.0)
This action is available to all policies.
http-uri-rewrite [client-accepted* | ssl-client-hello |
ssl-server-hello | ssl-server-handshake |
proxy-request | request | server-connected]
[enable*]
[disable]
where
enable - turn on rewriting the URI into proxy form
disable - turn off rewriting the URI into proxy form
http-connect
Control the HTTP Proxy Connect feature (since 13.1.0)
This action is available to all policies.
http-connect [client-accepted* | ssl-client-hello |
proxy-request | request | server-connected |
proxy-connect | proxy-response]
[enable*]
[disable]
[replace
[port NUMBER]
[host STRING]
]
[retry]
where
enable - turn on the HTTP Proxy Connect feature
disable - turn off the HTTP Proxy Connect feature
retry - retry the HTTP CONNECT
SEE ALSO
create, delete, edit, glob, list, modify, ltm policy-strategy, regex, reset-stats, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008, 2012-2013, 2016-2022. All rights reserved.
BIG-IP 2022-04-12 ltm policy(1)