saas bd profile
saas bd profile(1) BIG-IP TMSH Manual saas bd profile(1)
NAME
profile - Configures a Bot Defense Service profile.
MODULE
saas profile
SYNTAX
Configure the profile component within the saas bd module using the syntax shown in the following sections.
CREATE/MODIFY
create profile [name]
modify profile [name]
options:
allow-headers [none] | { {header-name [string] header-value [string]} ... }
allow-ip-addresses [none | add | delete | replace-all-with] { [string] ... }
api-auth-key [[string] | none]
api-hostname [string]
api-key [string]
app-service [[string] | none]
application-id [[string] | none]
bigip-handles-js-injections [disabled | enabled]
block-response-body [[string] | none]
block-response-code [[integer] | none]
defaults-from [[name] | none]
description [[string] | none]
exclude-js-injection-from-specific-url [disabled | enabled]
include-post-body [disabled | enabled]
inject-js-in-specific-url [disabled | enabled]
inject-telemetry-js-in-body-tag [disabled | enabled]
irules [none | add | delete | replace-all-with] { [name] ... }
js-inject-exclude-paths [none | add | delete | replace-all-with] { [string] ... }
js-inject-include-paths [none | add | delete | replace-all-with] { [string] ... }
location-for-shape-js-injection [ after-head | after-title | before-script ]
log-level [ alert | crit | debug | default-value | emerg | err | info | notice | warn]
log-publisher [[string] | none]
mitigation-handler [ bigip | shape-policy ]
mobile-api-hostname [[string] | none]
mobile-applications-in-scope [disabled | enabled]
mobile-block-response-body [[string] | none]
mobile-block-response-code [[integer] | none]
mobile-identifier-body-keywords [none | add | delete | replace-all-with] { [string] ... }
mobile-identifier-request-headers [none] | { {header-name [string] header-value [string]} ... }
mobile-include-post-body [disabled | enabled]
mobile-mitigation-handler [ bigip | shape-policy ]
mobile-protected-endpoints [ add | delete | modify | replace-all-with ] {
[ [name] ] {
options:
any-method [disabled | enabled]
app-service [[string] | none]
check-mobile-request-identifier [body | header | skip]
endpoint [[string] | none]
get [disabled | enabled]
host [[string] | none]
mitigation-action [ block | continue ]
post [disabled | enabled]
}
}
mobile-proxy-shape-endpoint-url [[string] | none]
mobile-sdk-config-fetch-url-android [[string] | none]
mobile-sdk-config-fetch-url-ios [[string] | none]
mobile-sdk-reload-header-name [[string] | none]
mobile-shape-protection-pool [[string] | none]
partition [string]
pool-cookie-persistence [disabled | enabled]
protected-endpoints [ add | delete | modify | replace-all-with ] {
[ [name] ] {
options:
any-method [disabled | enabled]
app-service [[string] | none]
endpoint [[string] | none]
get-document [disabled | enabled]
get-xhr-or-fetch [disabled | enabled]
host [[string] | none]
mitigation-action [ block | continue | drop | redirect]
post [disabled | enabled]
put [disabled | enabled]
}
}
proxy-password [[string] | none]
proxy-pool [[string] | none]
proxy-shape-endpoint-url [[string] | none]
proxy-username [[string] | none]
redirect-path [[string] | none]
redirect-response-code [[integer] | none]
rewrite-xff-header-with-connecting-ip [disabled | enabled]
service-level [ standard | enterprise ]
shape-api-response-timeout [[integer] | none]
shape-inference-header [[string] | none]
shape-js-url-or-path [string]
shape-protection-pool [string]
ssl-profile [string]
telemetry-header-prefix [string]
telemetry-request-body-size [[integer] | none]
tenant-id [[string] | none]
tls-fingerprint [disabled | enabled]
use-proxy [disabled | enabled]
use-sni [disabled | enabled]
web-applications-in-scope [disabled | enabled]
DISPLAY
list profile
list profile [ [ [name] | [glob] | [regex] ] ... ]
show running-config profile
show running-config profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
app-service
non-default-properties
one-line
partition
show profile
show profile [ [ [name] | [glob] | [regex] ] ... ]
options:
(default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
DELETE
delete profile [name]
DESCRIPTION
You can use the profile component to manage a BD profile.
EXAMPLES
create profile my_bd_profile
Creates a BD profile named my_bd_profile using the system defaults.
OPTIONS
allow-headers
Specifies the list of header names and values for headers in the HTTP requests that do not need to be checked by the
SSE. The default value is none.
allow-ip-addresses
Specifies the list of IP addresses that do not need to be checked by the SSE. The default value is none.
api-auth-key
Specifies the API auth key provided by F5 Support. This is mandatory if the service level is standard. The default
value is none.
api-hostname
Specifies the hostname received in VoltConsole (or F5 Support). This is mandatory for BD profile. The default value is
ibd-web.fastcache.net.
api-key
Specifies the API key provided by F5 Support. This is mandatory for BD profile. The default value is none.
app-service
Specifies the name of the application service to which the object belongs. The default value is none. Note: If the
strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
object. Only the application service can modify or delete the object.
application-id
Specifies the API key provided by F5 Support. This is mandatory if the service level is standard. The default value is
none.
bigip-handles-js-injections
Specifies whether BIG-IP handles JS injections. The default value is enabled.
block-response-body
Specifies the HTML code you want for the Response Body in the blocking page.
block-response-code
Specifies the Response Code that will appear on the blocking page. The default value is 200.
defaults-from
Specifies the profile that you want to use as the parent profile. The new profile inherits all settings and values
from the parent profile specified. The default value is bd.
description
User defined description.
exclude-js-injection-from-specific-url
Specifies whether to exclude the JS injection from specific URL paths. The default value is disabled.
include-post-body
Provides an option for the web application to disable transmission of the POST body in the API request to Shape. The
default value is enabled.
inject-js-in-specific-url
Specifies whether to include the specific URL paths to receive the JS injections. When disabled all URL paths receive
the JS injection. The default value is disabled.
inject-telemetry-js-in-body-tag
Specifies whether to inject the Telemetry JS in the <body> tag in the HTML code of your webpage. The default value is
enabled.
irules
Specifies the iRules to attach to shape-protection-pool or proxy-pool. iRules help automate the intercepting,
processing, and routing of BD-related traffic to the BD backend server. The BIG-IP applies iRules in the order that
they appear in the list. The default value is none.
js-inject-exclude-paths
Specifies the list of URL paths from which the JS injections should be excluded. You can use * for wildcard pattern
matching. The default value is none.
js-inject-include-paths
Specifies the list of URL paths to receive the JS injections. You can use * for wildcard pattern matching. The default
value is none.
location-for-shape-js-injection
Specifies the location of the JS injection. The default value is after-head.
log-level
Specifies the level of log messages for the specified profile that you want to display in the system log. The default
value is notice.
log-publisher
Specifies the log publisher name. The default value is local-syslog-publisher.
mitigation-handler
Specifies whether you want the BIG-IP or Shape Policy to handle mitigation of malicious HTTP requests. The default
value is bigip.
mobile-api-hostname
Specifies the mobile application hostname received in VoltConsole (or F5 Support). This is mandatory for mobile
application BD profile. The default value is ibd-mobileus.fastcache.net.
mobile-applications-in-scope
Provides an option to specify whether the mobile application needs to be enabled. The default value is disabled.
mobile-block-response-body
Specifies the HTML code you want for the Response Body in the blocking page for mobile application.
mobile-block-response-code
Specifies the Response Code that will appear on the blocking page for mobile application. The default value is 200.
mobile-identifier-body-keywords
Provides an option to specify POST body keywords that must be matched. This input will be used to distinguish web and
mobile traffic under the same URL.
mobile-identifier-request-headers
Provides an option to specify Header name and value (can be wildcard) that must be matched. This input will be used
to distinguish web and mobile traffic under the same URL.
mobile-include-post-body
Provides an option for the mobile application to disable transmission of the POST body in the API request to Shape.
The default value is enabled.
mobile-mitigation-handler
Specifies whether you want the BIG-IP or Shape Policy to handle mitigation of malicious HTTP requests for mobile
application. The default value is bigip.
mobile-protected-endpoints
Adds, deletes, replaces, displays, or resets statistics for a set of mobile protected endpoints, by specifying a
[mobile protected endpoint name]. If a mobile protected endpoint by the specified name does not exist, it will be
created.
any-method
Specifies whether you want the path to be protected with any type of method. The default value is disabled.
app-service
Specifies the name of the application service to which the mobile protected endpoint belongs. The default value is
none. Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the object. Only the application service can modify or delete the object.
check-mobile-request-identifier
Specifies an option to add request matching criteria for cases where web and mobile endpoints are under the same URL.
The default value is skip.
endpoint
Specifies the path to the web page you want to be protected by SSE. The default value is none.
get
Specifies whether you want the path protected when it has a GET method. The default value is disabled.
host
Specifies the hostname or IP address of the web page you want to be protected by SSE. You can add a port number if you
are using a port that is not standard for http or https. You can use * for wildcard pattern matching. This is
mandatory for BD profile. The default value is none.
mitigation-action
Specifies the mitigation actions you want the BIG-IP to take if a malicious HTTP request is detected on the endpoint.
The default value is none.
post
Specifies whether you want the path protected when it has a POST method. The default value is disabled.
put
Specifies whether you want the path protected when it has a PUT method. The default value is disabled.
partition
Displays the administrative partition within which the component resides. The default value is Common.
pool-cookie-persistence
Specifies whether HTTP requests of the same session are always sent to the same pool member in the Service Pool. The
default value is disabled.
protected-endpoints
Adds, deletes, replaces, displays, or resets statistics for a set of protected endpoints, by specifying a [protected
endpoint name]. If a protected endpoint by the specified name does not exist, it will be created.
any-method
Specifies whether you want the path to be protected with any type of method. The default value is disabled.
app-service
Specifies the name of the application service to which the protected-endpoint belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot modify or
delete the protected-endpoint. Only the application service can modify or delete the object.
endpoint
Specifies the path to the web page you want to be protected by SSE. The default value is none.
get-document
Specifies whether you need protection for Document GETs. If the user selects GET Document, the other methods will not
be selectable. ANY will not include GET Document. The default value is disabled.
get-xhr-or-fetch
Specifies whether you want the path protected when it has a GET method. GET XHR or Fetch and GET Document will be
mutually exclusive. The default value is disabled.
host
Specifies the hostname or IP address of the web page you want to be protected by SSE. You can add a port number if you
are using a port that is not standard for http or https. You can use * for wildcard pattern matching. This is
mandatory for BD profile. The default value is none.
mitigation-action
Specifies the mitigation actions you want the BIG-IP to take if a malicious HTTP request is detected on the endpoint.
The default value is none.
post
Specifies whether you want the path protected when it has a POST method. The default value is disabled.
put
Specifies whether you want the path protected when it has a PUT method. The default value is disabled.
mobile-proxy-shape-endpoint-url
Specifies the protocol and domain from the JS URL you received in VoltConsole (or from F5 Support) for mobile
application. You can add a port number if you are using a port that is not standard for http or https. The default
value is none.
mobile-sdk-config-fetch-url-android
Route calls for the update config URL to the Shape Mobile clusters for Android. The default value is
/v1/android/update.
mobile-sdk-config-fetch-url-ios
Route calls for the update config URL to the Shape Mobile clusters for iOS. The default value is /v1/ios/update.
mobile-sdk-reload-header-name
Provides an option to specify the "reload" header for mobile applications received in VoltConsole (or F5 Support).
The default value is ggaj1661.
mobile-shape-protection-pool
Specifies the pool for mobile application created using the domain received in VoltConsole (or F5 Support). The
default value is none.
proxy-password
Specifies the proxy password for the proxy pool. The default value is none.
proxy-pool
Specifies the proxy server pool used for routing traffic to the backend server. The default value is none.
proxy-shape-endpoint-url
Specifies the protocol and domain from the JS URL you received in VoltConsole (or from F5 Support). You can add a
port number if you are using a port that is not standard for http or https. The default value is none.
proxy-username
Specifies the username for the proxy pool. The default value is none.
redirect-path
Specifies the path where you want the HTTP request redirected. The path you enter can be either relative or absolute.
If absolute, it must contain the protocol, either http or https. If relative, it must start with "/". The default
value is none.
redirect-response-code
Specifies the Response Code that will appear on the redirect page. The default value is 302.
rewrite-xff-header-with-connecting-ip
Specifies whether to add XFF header to requests. The default value is disabled.
service-level
Specifies whether service level is standard or enterprise. The default value is standard.
shape-api-response-timeout
Specifies the length of time (in milliseconds) that the BIG-IP should wait to receive a response from the SSE after
the BIG-IP sends the API request to the SSE. If the BIG-IP does not receive a response from the SSE after this time
period, the BIG-IP sends the original API request back to the original server. The default value is 300.
shape-inference-header
Specifies the header name that indicates the HTTP request is considered malicious but allowed to continue to the web
page. This setting is optional; if empty, no header is added to the request. The default value is none.
shape-js-url-or-path
Specifies the JavaScript path received in VoltConsole (or F5 Support). The default value is /customer1.js.
shape-protection-pool
Specifies the pool created using the domain received in VoltConsole (or F5 Support). The default value is none.
ssl-profile
Specifies the server SSL profile the system uses to connect to the backend server. This is mandatory for BD profile.
The default value is none.
telemetry-header-prefix
Specifies the telemetry header prefix provided by F5 Support. This is mandatory for BD profile. The default value is
none.
telemetry-request-body-size
Specifies the size of telemetry request body in bytes. The default value is 65536.
tenant-id
Specifies the tenant id provided by F5 Support. This is mandatory for BD profile if service level is standard. The
default value is none.
tls-fingerprint
Specifies whether to send API requests to the SSE with a TLS fingerprint. The default value is enabled.
use-proxy
Specifies whether to route data to proxy-destination via the proxy-pool, otherwise data is sent using
api-svc-domain-pool. The default value is disabled.
use-sni
Specifies whether to use Server Name Indication (SNI) for pool members. The default value is enabled.
name
Specifies a unique name for the component. This option is required for the commands create, delete, and modify.
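The constraints stated in the OPTIONS above (options mandatory for a BD profile, the extra options required at the standard service level, the two accepted forms of redirect-path, and get-document excluding other methods) can be checked before a profile is created. The Python lint below is an added example, not F5 code and not part of tmsh; the dict layout, the names lint_profile and is_set, and the SAMPLE values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Option names and defaults are taken from the OPTIONS section of this page.
ALWAYS_REQUIRED = ("api-hostname", "api-key", "ssl-profile", "telemetry-header-prefix")
STANDARD_REQUIRED = ("api-auth-key", "application-id", "tenant-id")
DEFAULTS = {"api-hostname": "ibd-web.fastcache.net", "service-level": "standard"}
METHODS = ("any-method", "get-document", "get-xhr-or-fetch", "post", "put")

# Constructed sample profile (hypothetical values, not a real deployment).
SAMPLE = {
    "api-key": "EXAMPLE-API-KEY",
    "ssl-profile": "example-serverssl",
    "telemetry-header-prefix": "X-Example",
    "tenant-id": "example-tenant",
    "redirect-path": "blocked.html",
    "protected-endpoints": {
        "login": {"host": "www.example.com", "endpoint": "/login",
                  "get-document": "enabled", "post": "enabled"},
    },
}


def is_set(value):
    """Unset options are written as 'none'; treat None and '' the same way."""
    return value not in (None, "", "none")


def lint_profile(profile):
    """Return findings for a profile dict; an empty list means no rule is violated."""
    cfg = {**DEFAULTS, **profile}
    findings = [f"{o} is mandatory for a BD profile"
                for o in ALWAYS_REQUIRED if not is_set(cfg.get(o))]
    if cfg["service-level"] == "standard":
        findings += [f"{o} is mandatory when service-level is standard"
                     for o in STANDARD_REQUIRED if not is_set(cfg.get(o))]
    path = cfg.get("redirect-path")
    if is_set(path) and not path.startswith("/"):
        url = urlsplit(path)  # the absolute form must carry http or https
        if url.scheme not in ("http", "https") or not url.netloc:
            findings.append("redirect-path must start with '/' or be an http(s) URL")
    for name, ep in cfg.get("protected-endpoints", {}).items():
        if not is_set(ep.get("host")):
            findings.append(f"endpoint {name}: host is mandatory")
        on = [m for m in METHODS if ep.get(m) == "enabled"]
        if "get-document" in on and len(on) > 1:
            findings.append(f"endpoint {name}: get-document cannot be combined with other methods")
    return findings


if __name__ == "__main__":
    for finding in lint_profile(SAMPLE):
        print(finding)
```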
SEE ALSO
create, delete, glob, list, ltm virtual, modify, regex, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2021. All rights reserved.
BIG-IP 2021-12-22 saas bd profile(1)