pem policy
pem policy(1) BIG-IP TMSH Manual pem policy(1)
NAME
policy - Configures policies for the Policy Enforcement Manager (PEM).
MODULE
pem
SYNTAX
Modify the policy component within the pem module using the syntax
shown in the following sections.
CREATE/MODIFY
create policy [name]
modify policy [name]
options:
description [string]
status [enabled | disabled]
transactional [enabled | disabled]
rules [add | delete | modify | replace-all-with] {
[rule_name ... ] {
options:
app-service [[string] | none]
classification-filters [add | delete | modify | replace-all-with] {
[filter_name ...] {
options:
app-service [[string] | none]
application [application_name]
category [category_name]
operation [match | nomatch]
}
}
dscp-marking-downlink [integer]
dscp-marking-uplink [integer]
dtos-tethering {
options:
dtos-detect [enabled | disabled]
tethering-detect [enabled | disabled]
report {
dest {
hsl {
options:
format-script [ [format_script_name] | none]
publisher [ [publisher_name] | none ]
}
}
}
}
ran-congestion {
options:
detect [enabled | disabled]
lowerthreshold-bw [integer]
report {
dest {
hsl {
options:
format-script [ [format_script_name] | none]
publisher [ [publisher_name] | none ]
}
}
}
}
flow-info-filters [add | delete | modify | replace-all-with] {
[filter-name ...] {
options:
app-service [[string] | none]
dscp-code [integer]
dst-ip-addr [ip address/prefixlen]
dst-port [port]
from-vlan [vlan_name]
l2-endpoint [disabled | vlan]
operation [match | nomatch]
ip-addr-type [IPv4 | IPv6 | any]
proto [ tcp | udp | any]
src-ip-addr [ip address/prefixlen]
src-port [port]
}
}
flow-info-filters [none]
forwarding {
options:
endpoint [forwarding_endpoint_name]
fallback-action [drop | continue]
internal-virtual [name]
icap-type [request | response | both | none]
type [icap | pool | route-to-network | none]
}
gate-status [enabled | disabled]
http-redirect {
options:
redirect-url [string]
fallback-action [drop | continue]
}
intercept [intercept_endpoint_name]
l2-marking-downlink [integer]
l2-marking-uplink [integer]
tcp-optimization-downlink [string]
tcp-optimization-uplink [string]
tcp-analytics-enable [enabled | disabled]
modify-http-hdr {
options:
name [header_name]
operation [insert | none | remove]
value-content [header_value]
value-type [string | tcl-snippet]
}
insert-content {
options:
duration [integer]
frequency [always | once | once-every]
position [append | prepend]
tag_name [name]
value-content [string]
value-type [string | tcl-snippet]
}
precedence [integer]
qoe-reporting {
options:
dest {
hsl {
options:
format-script [ [format_script_name] | none]
publisher [ [publisher_name] | none ]
}
}
}
reporting {
options:
dest {
gx {
options:
application-reporting [enabled | disabled]
monitoring-key [name]
}
hsl {
options:
publisher [name]
format-script [name]
session-reporting-fields
[add | delete | replace-all-with] {
[reporting field ... ]
}
flow-reporting-fields
[add | delete | replace-all-with] {
[reporting field ... ]
}
transaction-reporting-fields
[add | delete | replace-all-with] {
[reporting field ... ]
}
}
radius-accounting {
options:
radius-aaa-virtual [name]
}
sd {
options:
application-reporting [enabled | disabled]
monitoring-key [name]
}
}
granularity [flow | session | transaction]
interval [integer]
transaction {
http {
options:
hostname-len [integer]
uri-len [integer]
user-agent-len [integer]
}
}
volume {
options:
downlink
total
uplink
}
}
quota {
options:
rating-group [name]
reporting-level [rating-group | service-id]
}
qos-rate-pir-downlink [bwc policy name | none]-> [category name | none]
qos-rate-pir-uplink [bwc policy name | none]-> [category name | none]
service-chain [service chain endpoint name]
tcl-filter [tcl-script]
url-categorization-filters [add | delete | modify | replace-all-with] {
[filter_name ...] {
options:
category [category_name]
operation [match | nomatch]
}
}
}
}
rules [none]
edit policy [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list policy
list policy [ [ [name] | [glob] | [regex] ] ... ]
show running-config policy
show running-config policy [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
show policy
show policy [name]
options:
all-properties
(default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
detail
field-fmt
DELETE
delete policy [name]
Note: You must remove all references to a policy before you can delete
the policy.
DESCRIPTION
You can use this policy component to configure the policy definitions
on the Policy Enforcement Manager. A policy is a set of rules which are
used to match traffic flow and apply actions. A rule has configuration
for filters and actions. All configured filters must match before the
actions can be applied to the traffic flow. There are four filters:
classification-filter, url-category-filter, flow-info-filter, and tcl-
filter. Classification-filter allows for matching the traffic based on
the flow L7 features, such as a specific application (for example,
Google Mail) or application category (for example, Web). URL-category-
filter allows for matching the type of URL, such as adult content.
Flow-info-filter allows for matching the traffic using L2-L4 flow
parameters. Tcl-filter provides a customized method to match traffic
flows using iRule commands. The actions can be steering or/and
reporting. Steering allows the user to manipulate the traffic when all
configured filters match the flow. The steering options can be
forwarded (option forwarding), drop/pass(option gate-status),
redirect(option http-redirect), or intercept(option intercept).
Reporting allows the user to report the usage to different endpoints by
different output formats. The reporting options can be gx or hsl.
Policy attribute transactional allow policy enforcement for HTTP
traffic for each transaction. Quota allows users to do quota management
over Gy by specifying the rating group, which has all the parameters
associated.
EXAMPLES
create policy my_policy rules add {
rule_1 {
flow-info-filters {
flow_1 {
dscp-code 8
}
flow_2 {
dst-port 80
}
forwarding {
endpoint server1
fallback-action continue
}
}
precedence 1
}
rule_2 {
reporting {
dest {
hsl {
endpoint-id pem_hsl
format-script fm1
}
}
granularity flow
volume {
total 5000
}
}
precedence 2
}
}
Creates a Policy Enforcement Manager policy named my_policy with two
rules, rule_1 and rule_2. rule_1 defines the flow-info-filters so that
when the flow with DSCP is 8 or destination port is 80, the traffic
will be forwarded to server1. rule_2 defines a flow-based reporting
rule which will send flow usage record to pem_hsl endpoint using format
script defined in fm1 whenever total increases by 5000 bytes.
delete policy my_policy
Deletes the policy named my_policy.
list policy my_policy
Displays properties of the policy named my_policy.
OPTIONS
app-service
Specifies the name of the application service to which the policy
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the policy. Only the application
service can modify or delete the policy.
description
User defined description.
transactional
Indicate the policy enable or disable policy enforcement for each
HTTP transaction.
partition
Displays the administrative partition within which the policy
resides.
rules
Adds, deletes, or replaces a set of rules, by specifying a rule
name. If a rule by the specified name does not exist, it will be
created. You can configure the following options for a rule:
app-service
Specifies the name of the application service to which the
rule belongs. The default value is none. Note: If the strict-
updates option is enabled on the application service that
owns the object, you cannot modify or delete the rule. Only
the application service can modify or delete the rule.
classification-filters
Adds, deletes, or replaces a set of classification-filters.
You can configure the following options for a classification-
filter.
app-service
Specifies the name of the application service to which
the classification-filter belongs. The default value is
none. Note: If the strict-updates option is enabled on
the application service that owns the object, you cannot
modify or delete the rule. Only the application service
can modify or delete the classification-filter.
application
Specifies the name of the application where the rule
applies to the traffic. The default value is none.
category
Specifies the name of the category of applications where
the rule applies to the traffic. The default value is
none.
operation
The options match and nomatch indicate the traffic flow
must match or not match the condition specified in the
classification filter. The default value is match.
dscp-marking-downlink
Specifies the action to modify the DSCP code in the downlink
packet when the traffic flow matches the rule matching
criteria. The range is 0 to 63, or pass-through. The default
value is pass-through, indicating the DSCP code of the
downlink packet will not be changed when the traffic flow
matches the rule.
dscp-marking-uplink
Specifies the action to modify the DSCP code in the uplink
packet when the traffic flow matches the rule matching
criteria. The range is 0 to 63, or pass-through. The default
value is pass-through, indicating the DSCP code of the uplink
packet will not be changed when the traffic flow matches the
rule.
dtos-tethering
Defines the device type & OS and tethering detection action
and its options.
dtos-detect
Specifies the device type & OS detection to be enabled
or disabled. Default is disabled
tethering-detect
Specifies the tethering detection to be enabled or
disabled. Default is disabled
report
You can configure the following options for dtos and
tethering reporting.
dest You can configure the following options for
destination.
hsl You can configure the following options for
hsl publisher.
publisher
Specifies the publisher name.
format-script
Specifies the format script name to
format the HSL output string format.
ran-congestion
Detect congestion in the Radio Access Network.
detect
Enable or disable the ran congestion detection. Default
is disabled.
lowerthreshold-bw
Configured lowerthreshold bandwidth for a session in
kbps. Session bandwidth below this value will be marked
as congested. Default is 1000kbps.
report
You can configure the following options for ran
congestion reporting.
dest You can configure the following options for
destination.
hsl You can configure the following options for
hsl publisher.
publisher
Specifies the publisher name.
format-script
Specifies the format script name to
format the HSL output string format.
flow-info-filters
Adds, deletes, or replaces a set of the flow-info-filters.
The flow info filter defines the flow conditions (Layer 4)
that the traffic should meet (or not meet) for this
enforcement policy rule to apply. You can configure the
following options for a flow-info-filter.
app-service
Specifies the name of the application service to which
the flow-info-filter belongs. The default value is none.
Note: If the strict-updates option is enabled on the
application service that owns the object, you cannot
modify or delete the rule. Only the application service
can modify or delete the flow-info-filter.
dscp-code
Specifies the value of DSCP code which matches incoming
traffic based on a value in the DSCP field in the IP
header. The range is 0 to 63, or disabled. The default
value is disabled, indicating that the DSCP code will
not be used to filter the packet in the flow-info-
filter.
dst-ip-addr
Specifies the destination IP address and prefix length
that the rule applies to. The format is [ip
address/prefixlen]. The default value is 0.0.0.0/0.
dst-port
Specifies the destination port against which the packet
will be compared. The default value is any.
from-vlan
Specifies the name of the source vlan to match the
ingress flow arriving from that vlan.
l2-endpoint
Specifies an L2 endpoint type to be used when matching
the traffic flows. The default value is disabled,
indicating that L2 endpoint is not used for matching the
flows. You can configure the following options:
disabled
Flows are not matched based on the L2 endpoint
specification.
vlan The vlan name specified in from-vlan is used to
match the traffic flows.
operation
Specifies whether the rule applies to traffic that
matches (match) or does not match (nomatch) the traffic
flow defined here. The options are match and nomatch.
The default value is match.
proto
Specifies the protocol that this rule applies to. The
options are any, tcp, and udp. The default value is any.
ip-add-type
Specifies the ip address type (IPv4 or IPv6) that this
rule applies to. The options are any, IPv4, and IPv6.
The default value is any.
src-ip-addr
Species the source IP address and prefix length that the
rule applies to. The format is [ip address/prefixlen].
The default value is 0.0.0.0/0.
src-port
Specifies the source port of the network you want the
rule to affect. The default value is any.
forwarding
Manages the forwarding action and its attributes.
endpoint
Specifies the forwarding endpoint. The endpoint can be
icap, pool or route-to-network. Depending on the type
chosen flow can be steered to icap server, pool or to
the network.
fallback-action
Specifies whether the connection should continue
unchanged or should be dropped in the event the
forwarding action fails for any reason. The options are:
drop or continue, and the default is drop.
internal-virtual
Specifies the internal virtual server name if the type
selected is icap.
icap-type
Defines the ICAP adaptation type: request only
adaptation, request and response adaptation or both
types of adaptations combined.
type Specifies the type of forwarding action.
gate-status
Specifies, when set to enabled, that the traffic can pass
through the system without being changed. Set disabled to
drop traffic that this rule applies to. The options are
disabled and enabled. The default is enabled.
http-redirect
Manages the HTTP redirect action and its attributes.
redirect-url
Specifies the HTTP redirection URL.
fallback-action
Specifies whether the connection should continue
unchanged or should be dropped in the event the
forwarding action fails for any reason. The options
are: drop or continue, and the default is drop.
intercept
Specifies the name of the intercept endpoint.
l2-marking-downlink
Set Layer-2 Quality of Service Marking in downlink
traffic that matches a rule. Setting a L2 QoS Marking
affects the packet delivery priority. The range is 0 to
7, or pass-through. The default value is pass-through,
indicating the L2 QoS Marking of the packet will not be
changed when the packet matches the rule.
l2-marking-uplink
Set Layer-2 Quality of Service Marking in uplink traffic
that matches a rule. Setting a L2 QoS marking affects
the packet delivery priority. The range is 0 to 7, or
pass-through. The default value is pass-through,
indicating the L2 QoS Marking of the packet will not be
changed when the packet matches the rule.
tcp-optimization-uplink
Set tcp optimization profile to be applied to the uplink
traffic that matches a rule.The profile name should be
one from the common tcp profile list.
tcp-optimization-downlink
Set tcp optimization profile to be applied to the
downlink traffic that matches a rule.The profile name
should be one from the common tcp profile list.
tcp-analytics-enable
Specifies the action to enable tcp analytics when the
traffic flow matches the rule matching criteria.The
options are disabled and enabled. The default is
disabled.
modify-http-hdr
Specifies the action to modify the HTTP header when the
traffic flow matches the rule matching criteria. You can
configure the following options for modifying the HTTP
header.
name Specifies the HTTP header name used by the
operation option to modify the HTTP header.
operation
Specifies the operation used to modify the HTTP
header. The options are insert, none, and remove.
The default value is none which indicates that no
HTTP header modifications will be made.
value-content
Specifies the HTTP header value content used by the
operation option to modify the HTTP header. Based
on the selected value-type option, the content
format will be interpreted either as a string or a
tcl snippet. Note: This field is applicable only
when the operation option is set to insert.
value-type
Specifies the type of content format used in the
value-content field. The options are string and
tcl-snippet. The default value is string which
indicates that the value-content field will be
interpreted as a string.
insert-content
Specifies the action to insert content into the webpage.
duration
Specifies the periodicity of the insert action.
Note: This value is useful only when the frequency
is set to once-every.
frequency
Specifies the frequency of the insert content
action. It can take values once, once-every,
always.
The options are:
always
Specifies if the action need to be applied
always on the matched flow.
once Specifies if the action need to be applied
once per subscriber.
once-every
Specifies if the action need to be applied
once-every time interval configured in
duration per subscriber.
position
Specifies the position with respect to the tag name
configured. It can take values append, prepend.
value-content
Specifies the value content to be inserted into the
webpage. Based on the selected value-type option,
the content format will be interpreted either as a
string or a tcl-snippet.
value-type
Specifies the type of content format used in the
value-content field. The options are string and
tcl-snippet. The default value is string which
indicates that the value-content field will be
interpreted as a string.
tag_name
Specifies the tag name to which the content is
either appended or prepended.
precedence
Specifies the precedence for the rule in relation to the
other rules. The range is 1 to 4294967295 where 1 has
the highest precedence. A rule with higher precedence is
evaluated at a high priority. It is mandatory to specify
precedence when creating a rule in a policy.
qoe-reporting
You can configure the following options for Quality-of-
Experience (QoE) reporting.
dest You can configure the following options for
destination.
hsl You can configure the following options for
hsl publisher.
publisher
Specifies the publisher name.
format-script
Specifies the format script name to
format the HSL output string format.
reporting
You can configure the following options for reporting.
dest You can configure the following options for
destination.
gx You can configure the following options for gx
endpoint.
application-reporting
Specifies whether the application
reporting is enabled. When it is enabled,
the APPLICATION_START and
APPLICATION_STOP Event-Triggers will be
reported when the application start/stop
is detected. The default value is
disabled.
monitoring-key
Specifies the monitoring-key.
hsl You can configure the following options for
hsl endpoint.
publisher
Specifies the publisher.
format-script
Specifies the format script name to
format the HSL output string format.
session-reporting-fields
Specifies the session fields and their
order based on which messages should be
published.
3gpp-parameters
Reports the 3gpp-parameters of the
session subscriber.
application-id
Reports the application/category ID
that is classified for this session.
called-station-id
Reports the called station ID of the
session subscriber.
calling-station-id
Reports the calling station ID of
the session subscriber.
concurrent-flows
Reports the number of concurrent
flows of this session.
downlink-volume
Reports the aggregate incoming bytes
for the traffic associated with this
session.
duration-seconds
Reports the total duration of all
the flows belonging to the traffic
associated with this session.
last-record-sent
Reports the time (seconds) when
sending the last record.
new-flows
Reports the number of new flows
associated with this session since
last record.
observation-time-seconds
Reports the timestamp of the record.
record-reason
Reports the reason for sending the
record.
record-type
Reports the reporting record type as
3 : session based record.
report-id
Reports the reporting module ID.
report-version
Reports the format version of this
record.
subscriber-id
Reports the subscriber ID that of
this session.
subscriber-id-type
Reports the ID type of the
subscriber of this session.
successful-transactions
Reports the total number of
successful transactions associated
with this session.
terminated-flows
Reports the total number of
terminated flows during this
session.
timestamp-msec
Reports the time stamp on this
record in milli-seconds.
total-transactions
Reports the total number of
transactions of this session.
uplink-volume
Reports the aggregate outgoing bytes
for the traffic associated with this
session.
flow-reporting-fields
Specifies the flow fields and their order
based on which messages should be
published.
application-id
Reports the application/category ID
that is classified for this flow.
destination-ip
Reports the destination IP address
of the traffic.
destination-transport-port
Reports the destination port of the
traffic.
downlink-volume
Reports the total number of bytes
received for this flow by the
subscriber.
flow-end-milli-seconds
Reports the timestamp (milli-
seconds) in UNIX time format when
the flow ends.
flow-end-seconds
Reports the timestamp (seconds) in
UNIX time format when the flow ends.
flow-start-milli-seconds
Reports the timestamp (milli-
seconds) in UNIX time format when
the flow starts.
flow-start-seconds
Reports the timestamp (seconds) in
UNIX time format when the flow
starts.
observation-time-seconds
Reports the timestamp (seconds) of
the record.
protocol-identifier
Reports the transport layer protocol
of the flow (TCP or UDP).
record-type
Reports the reporting record type of
the flow: 0 - flow start, 1 - flow
end, 2 - flow interim.
report-id
Reports the reporting module ID.
report-version
Reports the format version of this
record.
route-domain
Reports the route domain ID of the
flow.
source-ip
Reports the source IP address of the
subscriber that initiates the flow.
source-transport-port
Reports the source port of the
subscriber.
subscriber-id
Reports the subscriber ID that
initiates this flow.
subscriber-id-type
Reports the ID type of the
subscriber that initiates this flow.
timestamp-msec
Reports the timestamp (milli-
seconds) of the record.
total-transactions
Reports the total number of
transactions of this flow.
uplink-volume
Reports the number of bytes sent
from the subscriber in this flow.
url-category-id
Reports the ID of the first URL
category that is classified for the
flow.
vlan-id
Reports the Vlan ID of the flow.
transaction-reporting-fields
Specifies the transaction fields and
their order based on which messages
should be published.
application-id
Reports the application/category ID
that is classified for this
transaction.
destination-ip
Reports the destination IP address
of the traffic.
destination-transport-port
Reports the destination port of the
traffic.
downlink-volume
Reports the number of HTTP response
bytes for this transaction.
http-hostname
Reports the HTTP host name of this
traffic.
http-hostname-truncated
Reports the truncated HTTP host name
due to excessive length.
http-response-code
Reports the HTTP response code of
the transaction.
http-url
Reports the HTTP URL of the
transaction.
http-url-truncated
Reports the truncated HTTP URL of
the transaction due to excessive
length.
http-user-agent
Reports the user agent of the HTTP
request in this transaction.
http-user-agent-truncated
Reports the truncated user agent of
the HTTP request in this transaction
due to excessive length.
protocol-identifier
Reports the transport layer protocol
of the traffic (TCP or UDP).
record-type
Reports the reporting record type as
10-transactional.
report-id
Reports the reporting module ID.
report-version
Reports the format version of the
transaction record.
route-domain
Reports the route domain ID of the
traffic.
skipped-transactions
Reports the number of transactional
reports skipped within the flow
since the last successfully
transmission in the transaction.
source-ip
Reports the source IP address of the
subscriber.
source-transport-port
Reports the source port of the
subscriber.
subscriber-id
Reports the subscriber ID that
initiates this transaction.
subscriber-id-type
Reports the subscriber ID type of
the subscriber that initiates this
transaction.
transaction-classification-result
Reports all the classification
tokens from the classification
engine.
transaction-end-milli-seconds
Reports the transaction timestamp
(milli-seconds) in UNIX time format
when the corresponding HTTP response
is received.
transaction-end-seconds
Reports the transaction timestamp
(seconds) in UNIX time format when
the corresponding HTTP response is
received.
transaction-number
Reports the sequential number of
transaction in this flow (starting
from 1).
transaction-start-milli-seconds
Reports the transaction timestamp
(milli-seconds) in UNIX time format
when an HTTP request is received.
transaction-start-seconds
Reports the transaction timestamp
(seconds) in UNIX time format when
an HTTP request is received.
uplink-volume
Reports the number of HTTP request
bytes for this transaction.
url-category-id
Reports the ID of the first URL
category that is classified for the
transaction.
vlan-id
Reports the Vlan ID of traffic.
radius-accounting
You can configure the following options for
radius-accounting endpoint.
radius-aaa-virtual
Specifies the internal virtual server for
radius-accounting endpoint.
sd You can configure the following options for sd
endpoint.
application-reporting
Specifies whether the application
reporting is enabled. When it is enabled,
the APPLICATION_START and
APPLICATION_STOP Event-Triggers will be
reported when the application start/stop
is detected. The default value is
disabled.
monitoring-key
Specifies the monitoring-key.
granularity
Specifies the type of reporting will be generated
when the policy applies. The options are flow,
session and transaction. The default value is
session which indicates the session report will be
generated if this policy applies.
interval
Specifies the time interval in seconds the report
will be generated. The default value is 0 which
indicates this feature is disabled.
transaction
You can configure the following options when the
transaction report granularity is selected.
http Specifies the HTTP transaction report options
for the following HTTP attributes.
hostname-len
Specifies the maximum HTTP hostname
string length to include in the HTTP
transaction report. The range is 0 to
65535. The default value is 0.
uri-len
Specifies the maximum HTTP URI string
length to include in the HTTP transaction
report. The range is 0 to 65535. The
default value is 256.
user-agent-max
Specifies the maximum HTTP user agent
string length to include in the HTTP
transaction report. The range is 0 to
65535. The default value is 0.
volume
You can configure the following options for volume
threshold. The report will be generated when any of
the following conditions happened. If reporting
dest is set, either interval must be set to non-0
or one of volume properties must be set to non-0.
downlink
The report will be generated if the downlink
traffic exceeds the threshold. The default
value is 0 which indicates this feature is
disabled.
total
The report will be generated if the uplink and
downlink traffic exceeds the threshold. The
default value is 0 which indicates this
feature is disabled.
uplink
The report will be generated if the uplink
traffic exceeds the threshold. The default
value is 0 which indicates this feature is
disabled.
quota
You can configure the following options for quota
management.
rating-group
Specifies the rating-group name.
reporting-level
Specifies the quota reporting level whether per
rating group or per service-id.
qos-rate-pir-downlink
Specifies the configured bandwidth control policy for
Peak Information Rate (PIR) to apply to downlink traffic
that matches this rule. Use none to reset bwc policy
name or category name.
qos-rate-pir-uplink
Specifies the configured bandwidth control policy for
Peak Information Rate (PIR) to apply to uplink traffic
that matches this rule. Use none to reset bwc policy
name or category name.
service-chain
Specifies where to forward the traffic affected by this
rule.
tcl-filter
Specifies the tcl expression which uses iRule commands
to filter the packet. It is a match if tcl-filter
returns TRUE/1 or nomatch if FALSE/0. All configured
filters (flow-info-filters, classification-filters, and
tcl-filter) must match before rule actions are applied.
url-categorization-filters
Adds, deletes, or replaces a set of url-categorization-
filters. You can configure the following options for a url-
categorization-filter.
app-service
Specifies the name of the application service to which
the url-categorization-filter belongs. The default value
is none. Note: If the strict-updates option is enabled
on the application service that owns the object, you
cannot modify or delete the rule. Only the application
service can modify or delete the url-categorization-
filter.
url-category
Specifies the name of the url-category of the traffic
where the rule applies. The default value is none.
operation
The options match and nomatch indicate the traffic flow
must match or not match the condition specified in the
classification filter. The default value is match.
status
Specifies the current status of the policy. The options are
disabled and enabled. The default value is enabled.
SEE ALSO
create, delete, edit, glob, list, ltm profile qoe, modify, pem
forwarding-endpoint, pem interception-endpoint, pem listener, pem
profile diameter-endpoint, pem profile spm, pem reporting format-
script, pem service-chain-endpoint, pem subscriber, pem subscribers,
regex, reset-stats, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2012-2013, 2015-2016. All rights
reserved.
BIG-IP 2016-04-07 pem policy(1)