pem policy
pem policy(1) BIG-IP TMSH Manual pem policy(1)
NAME
policy - Configures policies for the Policy Enforcement Manager (PEM).
MODULE
pem
SYNTAX
Modify the policy component within the pem module using the syntax shown in the following sections.
CREATE/MODIFY
create policy [name]
modify policy [name]
options:
description [string]
status [enabled | disabled]
transactional [enabled | disabled]
rules [add | delete | modify | replace-all-with] {
[rule_name ... ] {
options:
app-service [[string] | none]
classification-filters [add | delete | modify | replace-all-with] {
[filter_name ...] {
options:
app-service [[string] | none]
application [application_name]
category [category_name]
operation [match | nomatch]
}
}
dscp-marking-downlink [integer]
dscp-marking-uplink [integer]
dtos-tethering {
options:
dtos-detect [enabled | disabled]
tethering-detect [enabled | disabled]
report {
dest {
hsl {
options:
format-script [ [format_script_name] | none]
publisher [ [publisher_name] | none ]
}
}
}
}
ran-congestion {
options:
detect [enabled | disabled]
lowerthreshold-bw [integer]
report {
dest {
hsl {
options:
format-script [ [format_script_name] | none]
publisher [ [publisher_name] | none ]
}
}
}
}
flow-info-filters [add | delete | modify | replace-all-with] {
[filter-name ...] {
options:
app-service [[string] | none]
dscp-code [integer]
dst-ip-addr [ip address/prefixlen]
dst-port [port]
from-vlan [vlan_name]
l2-endpoint [disabled | vlan]
operation [match | nomatch]
ip-addr-type [IPv4 | IPv6 | any]
proto [ tcp | udp | any]
src-ip-addr [ip address/prefixlen]
src-port [port]
}
}
flow-info-filters [none]
forwarding {
options:
endpoint [forwarding_endpoint_name]
fallback-action [drop | continue]
internal-virtual [name]
icap-type [request | response | both | none]
type [icap | pool | route-to-network | none]
}
gate-status [enabled | disabled]
http-redirect {
options:
redirect-url [string]
fallback-action [drop | continue]
}
intercept [intercept_endpoint_name]
l2-marking-downlink [integer]
l2-marking-uplink [integer]
tcp-optimization-downlink [string]
tcp-optimization-uplink [string]
tcp-analytics-enable [enabled | disabled]
modify-http-hdr {
options:
name [header_name]
operation [insert | none | remove]
value-content [header_value]
value-type [string | tcl-snippet]
}
insert-content {
options:
duration [integer]
frequency [always | once | once-every]
position [append | prepend]
tag_name [name]
value-content [string]
value-type [string | tcl-snippet]
}
precedence [integer]
deprecated since 15.0.0:
qoe-reporting {
options:
dest {
hsl {
options:
format-script [ [format_script_name] | none]
publisher [ [publisher_name] | none ]
}
}
}
reporting {
options:
dest {
gx {
options:
application-reporting [enabled | disabled]
monitoring-key [name]
}
hsl {
options:
publisher [name]
format-script [name]
session-reporting-fields
[add | delete | replace-all-with] {
[reporting field ... ]
}
flow-reporting-fields
[add | delete | replace-all-with] {
[reporting field ... ]
}
transaction-reporting-fields
[add | delete | replace-all-with] {
[reporting field ... ]
}
}
radius-accounting {
options:
radius-aaa-virtual [name]
}
sd {
options:
application-reporting [enabled | disabled]
monitoring-key [name]
}
}
granularity [flow | session | transaction]
interval [integer]
transaction {
http {
options:
hostname-len [integer]
uri-len [integer]
user-agent-len [integer]
}
}
volume {
options:
downlink
total
uplink
}
}
quota {
options:
rating-group [name]
reporting-level [rating-group | service-id]
}
qos-rate-pir-downlink [bwc policy name | none]-> [category name | none]
qos-rate-pir-uplink [bwc policy name | none]-> [category name | none]
service-chain [service chain endpoint name]
sfc-action {
options:
path-name [string]
metadata-template [string]
}
tcl-filter [tcl-script]
url-categorization-filters [add | delete | modify | replace-all-with] {
[filter_name ...] {
options:
category [category_name]
operation [match | nomatch]
}
}
}
}
rules [none]
edit policy [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list policy
list policy [ [ [name] | [glob] | [regex] ] ... ]
show running-config policy
show running-config policy [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
show policy
show policy [name]
options:
all-properties
(default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
detail
field-fmt
DELETE
delete policy [name]
Note: You must remove all references to a policy before you can delete the policy.
DESCRIPTION
You can use this policy component to configure the policy definitions on the Policy Enforcement Manager. A
policy is a set of rules which are used to match traffic flow and apply actions. A rule has configuration for
filters and actions. All configured filters must match before the actions can be applied to the traffic flow.
There are four filters: classification-filter, url-category-filter, flow-info-filter, and tcl-filter.
Classification-filter allows for matching the traffic based on the flow L7 features, such as a specific
application (for example, Google Mail) or application category (for example, Web). URL-category-filter allows
for matching the type of URL, such as adult content. Flow-info-filter allows for matching the traffic using
L2-L4 flow parameters. Tcl-filter provides a customized method to match traffic flows using iRule commands.
The actions can be steering or/and reporting. Steering allows the user to manipulate the traffic when all
configured filters match the flow. The steering options can be forwarded (option forwarding), drop/pass(option
gate-status), redirect(option http-redirect), or intercept(option intercept). Reporting allows the user to
report the usage to different endpoints by different output formats. The reporting options can be gx or hsl.
Policy attribute transactional allow policy enforcement for HTTP traffic for each transaction. Quota allows
users to do quota management over Gy by specifying the rating group, which has all the parameters associated.
EXAMPLES
create policy my_policy rules add {
rule_1 {
flow-info-filters {
flow_1 {
dscp-code 8
}
flow_2 {
dst-port 80
}
forwarding {
endpoint server1
fallback-action continue
}
}
precedence 1
}
rule_2 {
reporting {
dest {
hsl {
endpoint-id pem_hsl
format-script fm1
}
}
granularity flow
volume {
total 5000
}
}
precedence 2
}
}
Creates a Policy Enforcement Manager policy named my_policy with two rules, rule_1 and rule_2. rule_1 defines
the flow-info-filters so that when the flow with DSCP is 8 or destination port is 80, the traffic will be
forwarded to server1. rule_2 defines a flow-based reporting rule which will send flow usage record to pem_hsl
endpoint using format script defined in fm1 whenever total increases by 5000 bytes.
delete policy my_policy
Deletes the policy named my_policy.
list policy my_policy
Displays properties of the policy named my_policy.
OPTIONS
app-service
Specifies the name of the application service to which the policy belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the policy. Only the application service can modify or delete the policy.
description
User defined description.
transactional
Indicate the policy enable or disable policy enforcement for each HTTP transaction.
partition
Displays the administrative partition within which the policy resides.
rules
Adds, deletes, or replaces a set of rules, by specifying a rule name. If a rule by the specified name
does not exist, it will be created. You can configure the following options for a rule:
app-service
Specifies the name of the application service to which the rule belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you
cannot modify or delete the rule. Only the application service can modify or delete the rule.
classification-filters
Adds, deletes, or replaces a set of classification-filters. You can configure the following options
for a classification-filter.
app-service
Specifies the name of the application service to which the classification-filter belongs. The
default value is none. Note: If the strict-updates option is enabled on the application service
that owns the object, you cannot modify or delete the rule. Only the application service can
modify or delete the classification-filter.
application
Specifies the name of the application where the rule applies to the traffic. The default value
is none.
category
Specifies the name of the category of applications where the rule applies to the traffic. The
default value is none.
operation
The options match and nomatch indicate the traffic flow must match or not match the condition
specified in the classification filter. The default value is match.
dscp-marking-downlink
Specifies the action to modify the DSCP code in the downlink packet when the traffic flow matches
the rule matching criteria. The range is 0 to 63, or pass-through. The default value is pass-
through, indicating the DSCP code of the downlink packet will not be changed when the traffic flow
matches the rule.
dscp-marking-uplink
Specifies the action to modify the DSCP code in the uplink packet when the traffic flow matches the
rule matching criteria. The range is 0 to 63, or pass-through. The default value is pass-through,
indicating the DSCP code of the uplink packet will not be changed when the traffic flow matches the
rule.
dtos-tethering
Defines the device type & OS and tethering detection action and its options.
dtos-detect
Specifies the device type & OS detection to be enabled or disabled. Default is disabled
tethering-detect
Specifies the tethering detection to be enabled or disabled. Default is disabled
report
You can configure the following options for dtos and tethering reporting.
dest You can configure the following options for destination.
hsl You can configure the following options for hsl publisher.
publisher
Specifies the publisher name.
format-script
Specifies the format script name to format the HSL output string format.
ran-congestion
Detect congestion in the Radio Access Network.
detect
Enable or disable the ran congestion detection. Default is disabled.
lowerthreshold-bw
Configured lowerthreshold bandwidth for a session in kbps. Session bandwidth below this value
will be marked as congested. Default is 1000kbps.
report
You can configure the following options for ran congestion reporting.
dest You can configure the following options for destination.
hsl You can configure the following options for hsl publisher.
publisher
Specifies the publisher name.
format-script
Specifies the format script name to format the HSL output string format.
flow-info-filters
Adds, deletes, or replaces a set of the flow-info-filters. The flow info filter defines the flow
conditions (Layer 4) that the traffic should meet (or not meet) for this enforcement policy rule to
apply. You can configure the following options for a flow-info-filter.
app-service
Specifies the name of the application service to which the flow-info-filter belongs. The
default value is none. Note: If the strict-updates option is enabled on the application service
that owns the object, you cannot modify or delete the rule. Only the application service can
modify or delete the flow-info-filter.
dscp-code
Specifies the value of DSCP code which matches incoming traffic based on a value in the DSCP
field in the IP header. The range is 0 to 63, or disabled. The default value is disabled,
indicating that the DSCP code will not be used to filter the packet in the flow-info-filter.
dst-ip-addr
Specifies the destination IP address and prefix length that the rule applies to. The format is
[ip address/prefixlen]. The default value is 0.0.0.0/0.
dst-port
Specifies the destination port against which the packet will be compared. The default value is
any.
from-vlan
Specifies the name of the source vlan to match the ingress flow arriving from that vlan.
l2-endpoint
Specifies an L2 endpoint type to be used when matching the traffic flows. The default value is
disabled, indicating that L2 endpoint is not used for matching the flows. You can configure the
following options:
disabled
Flows are not matched based on the L2 endpoint specification.
vlan The vlan name specified in from-vlan is used to match the traffic flows.
operation
Specifies whether the rule applies to traffic that matches (match) or does not match (nomatch)
the traffic flow defined here. The options are match and nomatch. The default value is match.
proto
Specifies the protocol that this rule applies to. The options are any, tcp, and udp. The
default value is any.
ip-add-type
Specifies the ip address type (IPv4 or IPv6) that this rule applies to. The options are any,
IPv4, and IPv6. The default value is any.
src-ip-addr
Species the source IP address and prefix length that the rule applies to. The format is [ip
address/prefixlen]. The default value is 0.0.0.0/0.
src-port
Specifies the source port of the network you want the rule to affect. The default value is any.
forwarding
Manages the forwarding action and its attributes.
endpoint
Specifies the forwarding endpoint. The endpoint can be icap, pool or route-to-network.
Depending on the type chosen flow can be steered to icap server, pool or to the network.
fallback-action
Specifies whether the connection should continue unchanged or should be dropped in the event
the forwarding action fails for any reason. The options are: drop or continue, and the default
is drop.
internal-virtual
Specifies the internal virtual server name if the type selected is icap.
icap-type
Defines the ICAP adaptation type: request only adaptation, request and response adaptation or
both types of adaptations combined.
type Specifies the type of forwarding action.
gate-status
Specifies, when set to enabled, that the traffic can pass through the system without being changed.
Set disabled to drop traffic that this rule applies to. The options are disabled and enabled. The
default is enabled.
http-redirect
Manages the HTTP redirect action and its attributes.
redirect-url
Specifies the HTTP redirection URL.
fallback-action
Specifies whether the connection should continue unchanged or should be dropped in the
event the forwarding action fails for any reason. The options are: drop or continue, and
the default is drop.
intercept
Specifies the name of the intercept endpoint.
l2-marking-downlink
Set Layer-2 Quality of Service Marking in downlink traffic that matches a rule. Setting a L2
QoS Marking affects the packet delivery priority. The range is 0 to 7, or pass-through. The
default value is pass-through, indicating the L2 QoS Marking of the packet will not be changed
when the packet matches the rule.
l2-marking-uplink
Set Layer-2 Quality of Service Marking in uplink traffic that matches a rule. Setting a L2 QoS
marking affects the packet delivery priority. The range is 0 to 7, or pass-through. The default
value is pass-through, indicating the L2 QoS Marking of the packet will not be changed when the
packet matches the rule.
tcp-optimization-uplink
Set tcp optimization profile to be applied to the uplink traffic that matches a rule.The
profile name should be one from the common tcp profile list.
tcp-optimization-downlink
Set tcp optimization profile to be applied to the downlink traffic that matches a rule.The
profile name should be one from the common tcp profile list.
tcp-analytics-enable
Specifies the action to enable tcp analytics when the traffic flow matches the rule matching
criteria.The options are disabled and enabled. The default is disabled.
modify-http-hdr
Specifies the action to modify the HTTP header when the traffic flow matches the rule matching
criteria. You can configure the following options for modifying the HTTP header.
name Specifies the HTTP header name used by the operation option to modify the HTTP header.
operation
Specifies the operation used to modify the HTTP header. The options are insert, none, and
remove. The default value is none which indicates that no HTTP header modifications will
be made.
value-content
Specifies the HTTP header value content used by the operation option to modify the HTTP
header. Based on the selected value-type option, the content format will be interpreted
either as a string or a tcl snippet. Note: This field is applicable only when the
operation option is set to insert.
value-type
Specifies the type of content format used in the value-content field. The options are
string and tcl-snippet. The default value is string which indicates that the value-content
field will be interpreted as a string.
insert-content
Specifies the action to insert content into the webpage.
duration
Specifies the periodicity of the insert action. Note: This value is useful only when the
frequency is set to once-every.
frequency
Specifies the frequency of the insert content action. It can take values once, once-every,
always.
The options are:
always
Specifies if the action need to be applied always on the matched flow.
once Specifies if the action need to be applied once per subscriber.
once-every
Specifies if the action need to be applied once-every time interval configured in
duration per subscriber.
position
Specifies the position with respect to the tag name configured. It can take values append,
prepend.
value-content
Specifies the value content to be inserted into the webpage. Based on the selected value-
type option, the content format will be interpreted either as a string or a tcl-snippet.
value-type
Specifies the type of content format used in the value-content field. The options are
string and tcl-snippet. The default value is string which indicates that the value-content
field will be interpreted as a string.
tag_name
Specifies the tag name to which the content is either appended or prepended.
precedence
Specifies the precedence for the rule in relation to the other rules. The range is 1 to
4294967295 where 1 has the highest precedence. A rule with higher precedence is evaluated at a
high priority. It is mandatory to specify precedence when creating a rule in a policy.
qoe-reporting
Deprecated since 15.0.0. You can configure the following options for Quality-of-Experience
(QoE) reporting.
dest You can configure the following options for destination.
hsl You can configure the following options for hsl publisher.
publisher
Specifies the publisher name.
format-script
Specifies the format script name to format the HSL output string format.
reporting
You can configure the following options for reporting.
dest You can configure the following options for destination.
gx You can configure the following options for gx endpoint.
application-reporting
Specifies whether the application reporting is enabled. When it is enabled, the
APPLICATION_START and APPLICATION_STOP Event-Triggers will be reported when the
application start/stop is detected. The default value is disabled.
monitoring-key
Specifies the monitoring-key.
hsl You can configure the following options for hsl endpoint.
publisher
Specifies the publisher.
format-script
Specifies the format script name to format the HSL output string format.
session-reporting-fields
Specifies the session fields and their order based on which messages should be
published.
3gpp-parameters
Reports the 3gpp-parameters of the session subscriber.
application-id
Reports the application/category ID that is classified for this session.
called-station-id
Reports the called station ID of the session subscriber.
calling-station-id
Reports the calling station ID of the session subscriber.
concurrent-flows
Reports the number of concurrent flows of this session.
downlink-volume
Reports the aggregate incoming bytes for the traffic associated with this
session.
duration-seconds
Reports the total duration of all the flows belonging to the traffic
associated with this session.
last-record-sent
Reports the time (seconds) when sending the last record.
new-flows
Reports the number of new flows associated with this session since last
record.
observation-time-seconds
Reports the timestamp of the record.
record-reason
Reports the reason for sending the record.
record-type
Reports the reporting record type as 3 : session based record.
report-id
Reports the reporting module ID.
report-version
Reports the format version of this record.
subscriber-id
Reports the subscriber ID that of this session.
subscriber-id-type
Reports the ID type of the subscriber of this session.
successful-transactions
Reports the total number of successful transactions associated with this
session.
terminated-flows
Reports the total number of terminated flows during this session.
timestamp-msec
Reports the time stamp on this record in milli-seconds.
total-transactions
Reports the total number of transactions of this session.
uplink-volume
Reports the aggregate outgoing bytes for the traffic associated with this
session.
flow-reporting-fields
Specifies the flow fields and their order based on which messages should be
published.
application-id
Reports the application/category ID that is classified for this flow.
destination-ip
Reports the destination IP address of the traffic.
destination-transport-port
Reports the destination port of the traffic.
downlink-volume
Reports the total number of bytes received for this flow by the subscriber.
flow-end-milli-seconds
Reports the timestamp (milli-seconds) in UNIX time format when the flow
ends.
flow-end-seconds
Reports the timestamp (seconds) in UNIX time format when the flow ends.
flow-start-milli-seconds
Reports the timestamp (milli-seconds) in UNIX time format when the flow
starts.
flow-start-seconds
Reports the timestamp (seconds) in UNIX time format when the flow starts.
observation-time-seconds
Reports the timestamp (seconds) of the record.
protocol-identifier
Reports the transport layer protocol of the flow (TCP or UDP).
record-type
Reports the reporting record type of the flow: 0 - flow start, 1 - flow
end, 2 - flow interim.
report-id
Reports the reporting module ID.
report-version
Reports the format version of this record.
route-domain
Reports the route domain ID of the flow.
source-ip
Reports the source IP address of the subscriber that initiates the flow.
source-transport-port
Reports the source port of the subscriber.
subscriber-id
Reports the subscriber ID that initiates this flow.
subscriber-id-type
Reports the ID type of the subscriber that initiates this flow.
timestamp-msec
Reports the timestamp (milli-seconds) of the record.
total-transactions
Reports the total number of transactions of this flow.
uplink-volume
Reports the number of bytes sent from the subscriber in this flow.
url-category-id
Reports the ID of the first URL category that is classified for the flow.
vlan-id
Reports the Vlan ID of the flow.
transaction-reporting-fields
Specifies the transaction fields and their order based on which messages should
be published.
application-id
Reports the application/category ID that is classified for this
transaction.
destination-ip
Reports the destination IP address of the traffic.
destination-transport-port
Reports the destination port of the traffic.
downlink-volume
Reports the number of HTTP response bytes for this transaction.
http-hostname
Reports the HTTP host name of this traffic.
http-hostname-truncated
Reports the truncated HTTP host name due to excessive length.
http-response-code
Reports the HTTP response code of the transaction.
http-url
Reports the HTTP URL of the transaction.
http-url-truncated
Reports the truncated HTTP URL of the transaction due to excessive length.
http-user-agent
Reports the user agent of the HTTP request in this transaction.
http-user-agent-truncated
Reports the truncated user agent of the HTTP request in this transaction
due to excessive length.
protocol-identifier
Reports the transport layer protocol of the traffic (TCP or UDP).
record-type
Reports the reporting record type as 10-transactional.
report-id
Reports the reporting module ID.
report-version
Reports the format version of the transaction record.
route-domain
Reports the route domain ID of the traffic.
skipped-transactions
Reports the number of transactional reports skipped within the flow since
the last successfully transmission in the transaction.
source-ip
Reports the source IP address of the subscriber.
source-transport-port
Reports the source port of the subscriber.
subscriber-id
Reports the subscriber ID that initiates this transaction.
subscriber-id-type
Reports the subscriber ID type of the subscriber that initiates this
transaction.
transaction-classification-result
Reports all the classification tokens from the classification engine.
transaction-end-milli-seconds
Reports the transaction timestamp (milli-seconds) in UNIX time format when
the corresponding HTTP response is received.
transaction-end-seconds
Reports the transaction timestamp (seconds) in UNIX time format when the
corresponding HTTP response is received.
transaction-number
Reports the sequential number of transaction in this flow (starting from
1).
transaction-start-milli-seconds
Reports the transaction timestamp (milli-seconds) in UNIX time format when
an HTTP request is received.
transaction-start-seconds
Reports the transaction timestamp (seconds) in UNIX time format when an
HTTP request is received.
uplink-volume
Reports the number of HTTP request bytes for this transaction.
url-category-id
Reports the ID of the first URL category that is classified for the
transaction.
vlan-id
Reports the Vlan ID of traffic.
radius-accounting
You can configure the following options for radius-accounting endpoint.
radius-aaa-virtual
Specifies the internal virtual server for radius-accounting endpoint.
sd You can configure the following options for sd endpoint.
application-reporting
Specifies whether the application reporting is enabled. When it is enabled, the
APPLICATION_START and APPLICATION_STOP Event-Triggers will be reported when the
application start/stop is detected. The default value is disabled.
monitoring-key
Specifies the monitoring-key.
granularity
Specifies the type of reporting will be generated when the policy applies. The options are
flow, session and transaction. The default value is session which indicates the session
report will be generated if this policy applies.
interval
Specifies the time interval in seconds the report will be generated. The default value is
0 which indicates this feature is disabled.
transaction
You can configure the following options when the transaction report granularity is
selected.
http Specifies the HTTP transaction report options for the following HTTP attributes.
hostname-len
Specifies the maximum HTTP hostname string length to include in the HTTP
transaction report. The range is 0 to 65535. The default value is 0.
uri-len
Specifies the maximum HTTP URI string length to include in the HTTP transaction
report. The range is 0 to 65535. The default value is 256.
user-agent-max
Specifies the maximum HTTP user agent string length to include in the HTTP
transaction report. The range is 0 to 65535. The default value is 0.
volume
You can configure the following options for volume threshold. The report will be generated
when any of the following conditions happened. If reporting dest is set, either interval
must be set to non-0 or one of volume properties must be set to non-0.
downlink
The report will be generated if the downlink traffic exceeds the threshold. The
default value is 0 which indicates this feature is disabled.
total
The report will be generated if the uplink and downlink traffic exceeds the
threshold. The default value is 0 which indicates this feature is disabled.
uplink
The report will be generated if the uplink traffic exceeds the threshold. The default
value is 0 which indicates this feature is disabled.
quota
You can configure the following options for quota management.
rating-group
Specifies the rating-group name.
reporting-level
Specifies the quota reporting level whether per rating group or per service-id.
qos-rate-pir-downlink
Specifies the configured bandwidth control policy for Peak Information Rate (PIR) to apply to
downlink traffic that matches this rule. Use none to reset bwc policy name or category name.
qos-rate-pir-uplink
Specifies the configured bandwidth control policy for Peak Information Rate (PIR) to apply to
uplink traffic that matches this rule. Use none to reset bwc policy name or category name.
service-chain
Specifies where to forward the traffic affected by this rule.
sfc-action The following options can be configured for sfc-action.
path-name
Specifies the path name used by Service Function Chain (SFC) to program the path-id.
metadata-template
Specifies the SFC (Service-Function-Chain) metadata template.
tcl-filter
Specifies the tcl expression which uses iRule commands to filter the packet. It is a
match if tcl-filter returns TRUE/1 or nomatch if FALSE/0. All configured filters
(flow-info-filters, classification-filters, and tcl-filter) must match before rule
actions are applied.
url-categorization-filters
Adds, deletes, or replaces a set of url-categorization-filters. You can configure the
following options for a url-categorization-filter.
app-service
Specifies the name of the application service to which the url-categorization-filter
belongs. The default value is none. Note: If the strict-updates option is enabled on
the application service that owns the object, you cannot modify or delete the rule.
Only the application service can modify or delete the url-categorization-filter.
url-category
Specifies the name of the url-category of the traffic where the rule applies. The
default value is none.
operation
The options match and nomatch indicate the traffic flow must match or not match the
condition specified in the classification filter. The default value is match.
status
Specifies the current status of the policy. The options are disabled and enabled. The
default value is enabled.
SEE ALSO
create, delete, edit, glob, list, ltm profile qoe, modify, pem forwarding-endpoint, pem interception-endpoint,
pem listener, pem profile diameter-endpoint, pem profile spm, pem reporting format-script, pem service-chain-
endpoint, pem subscriber, pem subscribers, regex, reset-stats, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2012-2013, 2015-2016. All rights reserved.
BIG-IP 2018-11-01 pem policy(1)