security scrubber profile
security scrubber profile(1) BIG-IP TMSH Manual security scrubber profile(1)
NAME
profile - Configures a scrubber profile for use by the firewall. The
scrubber-profile-default specifies which entities are monitored and the
method (how and where) by which they are monitored and scrubbed.
MODULE
security scrubber
SYNTAX
Configure the scrubber-profile-default component within the security
scrubber profile module using the syntax in the following sections.
MODIFY
modify profile [name]
options:
advertisement-ttl [integer]
scrubber-categories action [add | delete | modify | none | replace-all-with] {
[name] {
options:
advertisement-method [bgp-flowspec-method | bgp-method | none-method | silverline-method]
app-service [[string] | none]
bgp-flowspec-advertisement-action [drop | redirect | rate-limit | qos]
bgp-flowspec-dscp-value [integer]
bgp-flowspec-rate-limit [integer]
bgp-flowspec-redirect-asn-community [string]
blacklist-category [string]
next-hop [IPv4 address]
next-hop-v6 [IPv6 address]
route-domain-name [string]
}
}
scrubber-netflow-protected-server action [add | delete | modify | none | replace-all-with] {
[name] {
options:
advertisement-method [bgp-flowspec-method | bgp-method | none-method | silverline-method]
app-service [[string] | none]
bgp-flowspec-advertisement-action [drop | redirect | rate-limit | qos]
bgp-flowspec-dscp-value [integer]
bgp-flowspec-rate-limit [integer]
bgp-flowspec-redirect-asn-community [string]
blacklist-category [string]
next-hop [IPv4 address]
next-hop-v6 [IPv6 address]
route-domain-name [string]
}
}
scrubber-rt-domain action [add | delete | modify | none | replace-all-with] {
[name] {
options:
absolute-threshold [integer]
advertisement-method [bgp-flowspec-method | bgp-method | none-method | silverline-method]
bgp-flowspec-advertisement-action [drop | redirect | rate-limit | qos]
bgp-flowspec-dscp-value [integer]
bgp-flowspec-rate-limit [integer]
bgp-flowspec-redirect-asn-community [string]
next-hop [IPv4 address]
next-hop-v6 [IPv6 address]
percentage-threshold [integer]
route-domain [string]
scrubber-rd-network-prefix action [add | delete | modify | none | replace-all-with] {
[name] {
options:
app-service [[string] | none]
bgp-flowspec-advertisement-action [drop | redirect | rate-limit | qos]
bgp-flowspec-dscp-value [integer]
bgp-flowspec-rate-limit [integer]
bgp-flowspec-redirect-asn-community [string]
dst-ip [IP address]
mask [integer]
next-hop [IP address]
}
}
excluded-vlans action [add | delete | none | replace-all-with] {
[name] {}
}
}
}
scrubber-virtual-server action [add | delete | modify | none | replace-all-with] {
[name] {
options:
absolute-threshold [integer]
advertisement-method [bgp-flowspec-method | bgp-method | none-method | silverline-method]
app-service [[string] | none]
bgp-flowspec-advertisement-action [drop | redirect | rate-limit | qos]
bgp-flowspec-dscp-value [integer]
bgp-flowspec-rate-limit [integer]
bgp-flowspec-redirect-asn-community [string]
next-hop [IP address]
percentage-threshold [integer]
vs-name [string]
}
}
silverline { url [string] user-id [string] user-passwd [string] }
app-service [[string] | none]
list profile [[name] | all | [property]]
show running-config profile [[name] | all | [property]]
options:
all-properties
non-default-properties
one-line
recursive
OPTIONS
app-service
Specifies the application service to which the object belongs. The
default value is none. Note: If the strict-updates option is
enabled on the Application Service that owns the object, you
cannot modify or delete the object. Only the Application Service
can modify or delete the object.
description
User defined description.
advertisement-ttl
Defines the scrubbing duration, in seconds, for all monitored
entities.
scrubber-categories
Defines how a blacklist-category is to be scrubbed.
OPTIONS
advertisement-method
Defines the method used to scrub a blacklist-category.
bgp-flowspec-advertisement-action
Specifies the BGP FlowSpec advertisement action to be used for
scrubbing a blacklist category. The default is redirect.
bgp-flowspec-dscp-value
Specifies the BGP FlowSpec DSCP value for the qos advertisement action.
bgp-flowspec-rate-limit
Specifies the BGP FlowSpec rate limit (bytes/sec) for the rate-limit
advertisement action.
bgp-flowspec-redirect-asn-community
Specifies the BGP Extended Community value (in the format AA:NNN,
where AA is a 16-bit number and NNN is a 32-bit number) for
redirect-to-VRF support when the BGP FlowSpec advertisement action
is redirect.
blacklist-category
Identifies the blacklist-category to be scrubbed.
next-hop
Defines the next hop to be used for scrubbing/redirecting traffic
for IPv4 shuns.
next-hop-v6
Defines the next hop to be used for scrubbing/redirecting traffic
for IPv6 shuns.
route-domain-name
Identifies the route-domain to be used for route advertisement.
scrubber-netflow-protected-server
Defines how a NetFlow protected server object is to be scrubbed.
OPTIONS
absolute-threshold
Specifies the aggregate maximum bandwidth threshold in Mbps.
advertisement-method
Defines the method used to scrub a NetFlow protected server object.
app-service
The application service that the object belongs to.
bgp-flowspec-advertisement-action
Specifies the BGP FlowSpec advertisement action to be used for
scrubbing a NetFlow protected server. The default is redirect.
bgp-flowspec-dscp-value
Specifies the BGP FlowSpec DSCP value for the qos advertisement action.
bgp-flowspec-rate-limit
Specifies the BGP FlowSpec rate limit (bytes/sec) for the rate-limit
advertisement action.
bgp-flowspec-redirect-asn-community
Specifies the BGP Extended Community value (in the format AA:NNN,
where AA is a 16-bit number and NNN is a 32-bit number) for
redirect-to-VRF support when the BGP FlowSpec advertisement action
is redirect.
cps-absolute-threshold
Specifies the aggregate maximum connection threshold in CPS
(Connections Per Second).
cps-percentage-threshold
Specifies the aggregate maximum connection rate (CPS) threshold as a
percentage of NetFlow capacity.
next-hop
Specifies the BGP redirection next hop.
nps-name
Specifies the name of the NetFlow protected server.
percentage-threshold
Specifies the aggregate maximum bandwidth (BPS) threshold as a
percentage of NetFlow capacity.
pps-absolute-threshold
Specifies the aggregate maximum packet threshold in PPS (Packets Per
Second).
pps-percentage-threshold
Specifies the aggregate maximum packet rate (PPS) threshold as a
percentage of NetFlow capacity.
scrubber-rt-domain
Defines how and when a route domain is to be scrubbed.
OPTIONS
absolute-threshold
Defines the bandwidth threshold that triggers scrubbing for the
selected route domain.
advertisement-method
Defines the method used to scrub a route domain.
bgp-flowspec-advertisement-action
Specifies the BGP FlowSpec advertisement action to be used for
scrubbing a route domain. The default is redirect.
bgp-flowspec-dscp-value
Specifies the BGP FlowSpec DSCP value for the qos advertisement
action.
bgp-flowspec-rate-limit
Specifies the BGP FlowSpec rate limit (bytes/sec) for the
rate-limit advertisement action.
bgp-flowspec-redirect-asn-community
Specifies the BGP Extended Community value (in the format
AA:NNN, where AA is a 16-bit number and NNN is a 32-bit number) for
redirect-to-VRF support when the BGP FlowSpec advertisement action
is redirect.
percentage-threshold
Defines the bandwidth threshold that triggers scrubbing for the
selected route domain. The percentage is calculated from the
route-domain bandwidth value.
next-hop
Defines the next hop to be used for scrubbing/redirecting IPv4
traffic.
next-hop-v6
Defines the next hop to be used for scrubbing/redirecting IPv6
traffic.
route-domain-name
Identifies the route-domain to be used for route advertisement.
excluded-vlans
Identifies VLANs to be excluded from traffic monitoring.
scrubber-rd-network-prefix
Defines subnets to be used for scrubbing/redirecting traffic. If a
network prefix is defined, scrubbing for the parent route-domain is
ignored.
OPTIONS
bgp-flowspec-advertisement-action
Specifies the BGP FlowSpec advertisement action to be used for
scrubbing route domain subnets. The default is redirect.
bgp-flowspec-dscp-value
Specifies the BGP FlowSpec DSCP value for the qos advertisement action.
bgp-flowspec-rate-limit
Specifies the BGP FlowSpec rate limit (bytes/sec) for the rate-limit
advertisement action.
bgp-flowspec-redirect-asn-community
Specifies the BGP Extended Community value (in the format AA:NNN,
where AA is a 16-bit number and NNN is a 32-bit number) for
redirect-to-VRF support when the BGP FlowSpec advertisement action
is redirect.
dst-ip
Defines the subnet to be used for redirection.
mask
Defines the subnet mask to be used for redirection.
next-hop
Defines the next hop to be used for scrubbing/redirecting traffic.
app-service
Specifies the application service to which the object belongs. The
default value is none. Note: If the strict-updates option is
enabled on the Application Service that owns the object, you cannot
modify or delete the object. Only the Application Service can
modify or delete the object.
scrubber-virtual-server
Defines how and when a virtual server is to be scrubbed.
OPTIONS
absolute-threshold
Defines the bandwidth threshold that triggers scrubbing for the
selected virtual server.
advertisement-method
Defines the method used to scrub a virtual server.
bgp-flowspec-advertisement-action
Specifies the BGP FlowSpec advertisement action to be used for
scrubbing a virtual server. The default is redirect.
bgp-flowspec-dscp-value
Specifies the BGP FlowSpec DSCP value for the qos advertisement
action.
bgp-flowspec-rate-limit
Specifies the BGP FlowSpec rate limit (bytes/sec) for the
rate-limit advertisement action.
bgp-flowspec-redirect-asn-community
Specifies the BGP Extended Community value (in the format
AA:NNN, where AA is a 16-bit number and NNN is a 32-bit number) for
redirect-to-VRF support when the BGP FlowSpec advertisement action
is redirect.
percentage-threshold
Defines the bandwidth threshold that triggers scrubbing for the
selected route domain. The percentage is calculated from the defined
virtual server bandwidth value.
next-hop
Defines the next hop to be used for scrubbing/redirecting traffic.
vs-name
Identifies the virtual server to be used for route advertisement.
app-service
Specifies the application service to which the object belongs.
The default value is none. Note: If the strict-updates option is
enabled on the Application Service that owns the object, you
cannot modify or delete the object. Only the Application Service
can modify or delete the object.
silverline
OPTIONS
url
Specifies the URL used to communicate with the Silverline system.
user-id
Defines the Silverline user's user identifier.
user-passwd
Defines the Silverline user's password.
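The bgp-flowspec-* options above are repeated for every monitored entity (blacklist category, NetFlow protected server, route domain, network prefix, virtual server), and each value only has meaning together with one advertisement action: the DSCP value with qos, the rate limit with rate-limit, and the AA:NNN extended community with redirect. The following pre-flight script is an added example and not F5 code. It checks those pairings and the AA:NNN width rule before a tmsh line is typed, and assembles (but only prints) a scrubber-categories entry laid out as in the SYNTAX section. It assumes a 0-63 DSCP range (from the width of the DSCP field, not stated on this page); the function names is_uint, validate_asn_community and flowspec_args, the category name, next hop and community value are all constructed for the example.

```shell
#!/bin/sh
# Pre-flight check for BGP FlowSpec advertisement settings before they are
# handed to tmsh. Added example, not F5 code. It assumes the relationships
# this man page describes: bgp-flowspec-dscp-value belongs to the qos
# action, bgp-flowspec-rate-limit (bytes/sec) to the rate-limit action, and
# bgp-flowspec-redirect-asn-community (AA:NNN, AA 16-bit, NNN 32-bit) to the
# redirect action. The 0-63 DSCP range comes from the width of the DSCP
# field, not from this page. Function names are the example's own.

# is_uint VALUE -> 0 when VALUE is a plain decimal integer of at most 10
# digits (keeps the later -le comparisons inside 64-bit test arithmetic)
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 10 ]
}

# validate_asn_community AA:NNN -> 0 when AA fits 16 bits and NNN 32 bits
validate_asn_community() {
    case "$1" in
        *:*) ;;
        *) return 1 ;;
    esac
    aa=${1%%:*}
    nnn=${1#*:}
    is_uint "$aa" && is_uint "$nnn" || return 1
    [ "$aa" -le 65535 ] && [ "$nnn" -le 4294967295 ] || return 1
    return 0
}

# flowspec_args ACTION [VALUE] -> prints the option fragment for one
# advertisement action, or returns 1 when VALUE does not fit the action
# (a value carried by the wrong action would be accepted but never used).
flowspec_args() {
    action=$1
    value=$2
    case "$action" in
        drop)
            [ -z "$value" ] || return 1
            printf 'bgp-flowspec-advertisement-action drop\n' ;;
        qos)
            is_uint "$value" && [ "$value" -le 63 ] || return 1
            printf 'bgp-flowspec-advertisement-action qos bgp-flowspec-dscp-value %s\n' "$value" ;;
        rate-limit)
            is_uint "$value" || return 1
            printf 'bgp-flowspec-advertisement-action rate-limit bgp-flowspec-rate-limit %s\n' "$value" ;;
        redirect)
            validate_asn_community "$value" || return 1
            printf 'bgp-flowspec-advertisement-action redirect bgp-flowspec-redirect-asn-community %s\n' "$value" ;;
        *) return 1 ;;
    esac
}

# Demonstration: assemble (and print, never run) a scrubber-categories entry
# laid out as in the SYNTAX section above. Every value here is constructed.
if [ "${1:-}" = "demo" ]; then
    args=$(flowspec_args redirect 65000:100) || exit 1
    printf 'tmsh modify security scrubber profile scrubber-profile-default scrubber-categories add { example_cat { blacklist-category example_category advertisement-method bgp-flowspec-method %s next-hop 192.0.2.1 route-domain-name 0 } }\n' "$args"
fi
```

Run it as `sh flowspec-check.sh demo` to see the assembled line; the functions return non-zero for a community whose AA exceeds 65535 or NNN exceeds 4294967295, for a DSCP outside 0-63, and for a value supplied to the drop action, so a wrapper can refuse to apply the change rather than let the device accept a setting that the chosen action ignores.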
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2016. All rights reserved.
BIG-IP 2018-09-12 security scrubber profile(1)