net timer-policy
net timer-policy(1) BIG-IP TMSH Manual net timer-policy(1)
NAME
timer-policy - Configures the timer policy.
MODULE
net
SYNTAX
Modify the timer policy component within the net module using the syntax shown in the following sections. A timer-policy is
attached to a service-policy and applied either through an ACL rule or policy applied on a context. The list of supported
contexts where a timer policy can be applied are: Virtual Server, SelfIP, Route Domain and Global. The precedence of the
timer policy is as follows (highest precedence is 1):
1. ACL rule configured on a Virtual Server or SelfIP
2. Policy configured on a Virtual Server or SelfIP
3. ACL rule configured on a Route Domain
4. Policy configured on a Route Domain
5. ACL rule configured through Global Rules
6. Policy configured on Global Service Policy
Note that within the same context, ACL rule based service policy takes first precedence. Among the different contexts, the
order of precedence is as follows: Virtual Server, SelfIP, Route Domain, Global.
CREATE/MODIFY
create timer-policy [name]
modify timer-policy [name]
options:
description [string]
rules [add | delete | modify | replace-all-with] {
[ [rule name] ] {
options:
description [string]
destination-ports [add | delete | replace-all-with] {
[ [port] | [port1-port2] ]
}
destination-ports none
ip-protocol [protocol name]
timers [add | delete | modify | replace-all-with] {
[ [flow timer type] ] {
value [timeout]
}
}
timers none
}
}
rules none
edit timer-policy [[name] | all]
options:
all-properties
non-default-properties
DISPLAY
list timer-policy
show running-config timer-policy
options:
all-properties
non-default-properties
one-line
DESCRIPTION
You can use the timer-policy component to configure a shareable and reusable set of network timer policies which can be
associated with a service policy object.
EXAMPLES
create net timer-policy add idle-flow-policy { rules add { r1 { ip-protocol tcp destination-ports add { 80 8080 } timers
add { flow-idle-timeout { value 120 } } } r2 { ip-protocol udp destination-ports add { 7878 } timers add { flow-idle-
timeout { value 300 } } } } }
list timer-policy
net timer-policy {
idle-flow-policy {
rules {
r1 {
ip-protocol tcp
destination-ports {
http { }
webcache { }
}
timers {
flow-idle-timeout {
value 120
}
}
}
r2 {
ip-protocol udp
destination-ports {
7878 { }
}
timers {
flow-idle-timeout {
value 300
}
}
}
}
}
}
Creates timer policy rules to set specific timeout configuration for tcp ports 80 & 8080 traffic and another entry for
protocol udp.
Here is another example to illustrate the rule match behavior for policy with rules configured with 'all-other' for
destination-ports and ip-protocol. Consider a policy as listed below.
list timer-policy
net timer-policy {
flow-idle-policy {
rules {
r1 {
ip-protocol tcp
destination-ports {
all-other { }
}
timers {
flow-idle-timeout {
value 120
}
}
}
r2 {
ip-protocol udp
destination-ports {
9090 { }
}
timers {
flow-idle-timeout {
value 300
}
}
}
r3 {
ip-protocol all-other
destination-ports {
all-other { }
}
timers {
flow-idle-timeout {
value 40
}
}
}
}
}
}
For an incoming flow:-
a) TCP, any port: Matches rule r1
b) UDP, port 1010: Matches no rule
c) ICMP: Matches rule r3
For the above policy, since there is a specific UDP rule for port 9090, a UDP flow with port other than 9090 will not match
any rule. If the rule r2 were to be deleted, all UDP traffic will match against the 'all-other' ip-protocol rule r3.
If the user would like to apply a specific timeout for UDP traffic with destination port being anything other than 9090,
one can enter rule r4 to the above policy:
r4 {
ip-protocol udp
destination-ports {
all-other { }
}
timers {
flow-idle-timeout {
value 60
}
}
}
modify timer-policy idle-flow-policy delete r1
Removes the timer policy rule r1.
list timer-policy
Displays the current timer policy configuration list.
OPTIONS
description
User defined description.
rules
Adds, deletes, or replaces a named timer policy rule.
ip-protocol
Specifies the IP protocol entry for which the timer policy rule is being configured. This could be a layer-4
protocol (such as tcp, udp or sctp). Only flows matching the configured protocol will make use of this rule.
Press the key for a full list of valid protocols. Keyword 'all-other' as an ip-protocol entry means, if
there are no specific ip-protocol rule that matches the flow, the flow then matches the 'all-other' ip-protocol
rule. Please see example above for rule match behavior.
destination-ports
Specifies the destination port or port range to match against the flow. Keyword 'all-other' as a port entry
means, if there are no specific port entry rules to match against the flow, the flow then matches the 'all-other'
port rule. For eg. if a policy consists of just two rules r1 and r2, with the same protocol 'tcp' but destination
port 80 for r1 and port 'all-other' for r2 configured, an incoming flow with port 80 will match r1 and incoming
flow with port 9090 will match r2. Without the 'all-other' port rule r2, incoming flow with port 9090 will not
match any rule.
timers
Specifies the flow timer configuration for the different timer types.
value
Specifies the timeout value in seconds.
SEE ALSO
create, edit, list, modify, security firewall rule-list, security firewall policy, net service-policy, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2013-2016. All rights reserved.
BIG-IP 2016-03-14 net timer-policy(1)