security scrubber profile
security scrubber profile(1) BIG-IP TMSH Manual security scrubber profile(1)
NAME
profile - Configures a scrubber profile for use by the firewall. The profile (the default is scrubber-profile-default)
specifies which entities are monitored (blacklist categories, NetFlow protected servers, route domains and
virtual servers) and the method (how and where) by which their traffic is scrubbed.
MODULE
security scrubber
SYNTAX
Configure the scrubber-profile-default component within the security scrubber profile module using the syntax
in the following sections.
MODIFY
modify profile [name]
options:
advertisement-ttl [integer]
scrubber-categories action [add | delete | modify | none | replace-all-with] {
[name] {
options:
advertisement-method [bgp-flowspec-method | bgp-method | none-method | silverline-method]
app-service [[string] | none]
bgp-flowspec-advertisement-action [drop | redirect | rate-limit | qos]
bgp-flowspec-dscp-value [integer]
bgp-flowspec-rate-limit [integer]
bgp-flowspec-redirect-asn-community [string]
blacklist-category [string]
next-hop [IPv4 address]
next-hop-v6 [IPv6 address]
route-domain-name [string]
}
}
scrubber-netflow-protected-server action [add | delete | modify | none | replace-all-with] {
[name] {
options:
advertisement-method [bgp-flowspec-method | bgp-method | none-method | silverline-method]
app-service [[string] | none]
bgp-flowspec-advertisement-action [drop | redirect | rate-limit | qos]
bgp-flowspec-dscp-value [integer]
bgp-flowspec-rate-limit [integer]
bgp-flowspec-redirect-asn-community [string]
blacklist-category [string]
next-hop [IPv4 address]
next-hop-v6 [IPv6 address]
route-domain-name [string]
}
}
scrubber-rt-domain action [add | delete | modify | none | replace-all-with] {
[name] {
options:
absolute-threshold [integer]
advertisement-method [bgp-flowspec-method | bgp-method | none-method | silverline-method]
bgp-flowspec-advertisement-action [drop | redirect | rate-limit | qos]
bgp-flowspec-dscp-value [integer]
bgp-flowspec-rate-limit [integer]
bgp-flowspec-redirect-asn-community [string]
next-hop [IPv4 address]
next-hop-v6 [IPv6 address]
percentage-threshold [integer]
route-domain [string]
scrubber-rd-network-prefix action [add | delete | modify | none | replace-all-with] {
[name] {
options:
app-service [[string] | none]
bgp-flowspec-advertisement-action [drop | redirect | rate-limit | qos]
bgp-flowspec-dscp-value [integer]
bgp-flowspec-rate-limit [integer]
bgp-flowspec-redirect-asn-community [string]
dst-ip [IP address]
mask [integer]
next-hop [IP address]
}
}
excluded-vlans action [add | delete | none | replace-all-with] {
[name] {}
}
}
}
scrubber-virtual-server action [add | delete | modify | none | replace-all-with] {
[name] {
options:
absolute-threshold [integer]
advertisement-method [bgp-flowspec-method | bgp-method | none-method | silverline-method]
app-service [[string] | none]
bgp-flowspec-advertisement-action [drop | redirect | rate-limit | qos]
bgp-flowspec-dscp-value [integer]
bgp-flowspec-rate-limit [integer]
bgp-flowspec-redirect-asn-community [string]
next-hop [IPv4 address]
next-hop-v6 [IPv6 address]
percentage-threshold [integer]
vs-name [string]
}
}
silverline { url [string] user-id [string] user-passwd [string] }
app-service [[string] | none]
list profile [[name] | all | [property]]
show running-config profile [[name] | all | [property]]
options:
all-properties
non-default-properties
one-line
recursive
OPTIONS
app-service
Specifies the application service to which the object belongs. The default value is none. Note: If the
strict-updates option is enabled on the Application Service that owns the object, you cannot modify or
delete the object. Only the Application Service can modify or delete the object.
description
User-defined description.
advertisement-ttl
Defines, in seconds, how long an advertisement (and therefore the scrubbing it triggers) remains in effect
for all monitored entities.
scrubber-categories
Defines how a blacklist-category is to be scrubbed.
OPTIONS
advertisement-method
Defines the method used to scrub a blacklist-category.
bgp-flowspec-advertisement-action
Specifies the BGP FlowSpec advertisement action used for scrubbing the blacklist-category. The default
is redirect.
bgp-flowspec-dscp-value
Specifies the DSCP value written into the BGP FlowSpec advertisement for the qos action.
bgp-flowspec-rate-limit
Specifies the rate limit, in bytes per second (not bits), carried in the BGP FlowSpec advertisement for the
rate-limit action.
bgp-flowspec-redirect-asn-community
Specifies the BGP Extended Community value (in the format AA:NNN, where AA is a 16-bit number and NNN is a
32-bit number) that identifies the target VRF when the BGP FlowSpec advertisement action is redirect.
blacklist-category
Identifies a blacklist-category to be scrubbed.
next-hop
Defines the nexthop to be used for scrubbing/redirecting traffic for IPv4 shuns.
next-hop-v6
Defines the nexthop to be used for scrubbing/redirecting traffic for IPv6 shuns.
route-domain-name
Identifies a route-domain to be used for route advertisement.
scrubber-netflow-protected-server
Defines how and when a NetFlow protected server is to be scrubbed.
OPTIONS
absolute-threshold
Specifies the aggregate maximum bandwidth threshold in Mbps.
advertisement-method
Defines the method used to scrub a NetFlow protected server object.
app-service
The application service that the object belongs to.
bgp-flowspec-advertisement-action
Specifies the BGP FlowSpec advertisement action used for scrubbing the NetFlow protected server. The
default is redirect.
bgp-flowspec-dscp-value
Specifies the DSCP value written into the BGP FlowSpec advertisement for the qos action.
bgp-flowspec-rate-limit
Specifies the rate limit, in bytes per second (not bits), carried in the BGP FlowSpec advertisement for the
rate-limit action.
bgp-flowspec-redirect-asn-community
Specifies the BGP Extended Community value (in the format AA:NNN, where AA is a 16-bit number and NNN is a
32-bit number) that identifies the target VRF when the BGP FlowSpec advertisement action is redirect.
cps-absolute-threshold
Specifies the aggregate maximum connection-rate threshold in connections per second (CPS).
cps-percentage-threshold
Specifies the aggregate maximum connection-rate (CPS) threshold as a percentage of the NetFlow capacity.
next-hop
Specifies the next hop used for BGP redirection.
nps-name
Specifies the NetFlow protected server to be monitored.
percentage-threshold
Specifies the aggregate maximum bandwidth (bps) threshold as a percentage of the NetFlow capacity.
pps-absolute-threshold
Specifies the aggregate maximum packet-rate threshold in packets per second (PPS).
pps-percentage-threshold
Specifies the aggregate maximum packet-rate (PPS) threshold as a percentage of the NetFlow capacity.
scrubber-rt-domain
Defines how and when a route domain is to be scrubbed.
OPTIONS
absolute-threshold
Defines the bandwidth threshold that triggers scrubbing for the selected route domain.
advertisement-method
Defines the method used to scrub a route domain.
bgp-flowspec-advertisement-action
Specifies the BGP FlowSpec advertisement action used for scrubbing a route domain. The default is
redirect.
bgp-flowspec-dscp-value
Specifies the DSCP value written into the BGP FlowSpec advertisement for the qos action.
bgp-flowspec-rate-limit
Specifies the rate limit, in bytes per second (not bits), carried in the BGP FlowSpec advertisement for the
rate-limit action.
bgp-flowspec-redirect-asn-community
Specifies the BGP Extended Community value (in the format AA:NNN, where AA is a 16-bit number and NNN is a
32-bit number) that identifies the target VRF when the BGP FlowSpec advertisement action is redirect.
percentage-threshold
Defines the bandwidth threshold that triggers scrubbing for the selected route domain, as a percentage of
the route domain's configured bandwidth value.
next-hop
Defines the next hop used for scrubbing/redirecting IPv4 traffic.
next-hop-v6
Defines the next hop used for scrubbing/redirecting IPv6 traffic.
route-domain-name
Identifies the route domain to be monitored and used for route advertisement.
excluded-vlans
Identifies VLANs to be excluded from traffic monitoring.
scrubber-rd-network-prefix
Defines subnets within the route domain to be used for scrubbing/redirecting traffic. If any network
prefix is defined, the scrubbing configured for the parent route domain is ignored.
OPTIONS
bgp-flowspec-advertisement-action
Specifies the BGP FlowSpec advertisement action used for scrubbing route-domain subnets. The default is
redirect.
bgp-flowspec-dscp-value
Specifies the DSCP value written into the BGP FlowSpec advertisement for the qos action.
bgp-flowspec-rate-limit
Specifies the rate limit, in bytes per second (not bits), carried in the BGP FlowSpec advertisement for the
rate-limit action.
bgp-flowspec-redirect-asn-community
Specifies the BGP Extended Community value (in the format AA:NNN, where AA is a 16-bit number and NNN is a
32-bit number) that identifies the target VRF when the BGP FlowSpec advertisement action is redirect.
dst-ip
Defines the subnet (network address) to be used for redirection.
mask
Defines the subnet mask to be used for redirection.
next-hop
Defines the next hop used for scrubbing/redirecting traffic destined to the subnet.
app-service
Specifies the application service to which the object belongs. The default value is none. Note: If the
strict-updates option is enabled on the Application Service that owns the object, you cannot modify or
delete the object. Only the Application Service can modify or delete the object.
scrubber-virtual-server
Defines how and when a virtual server is to be scrubbed.
OPTIONS
absolute-threshold
Defines the bandwidth threshold that triggers scrubbing for the selected virtual server.
advertisement-method
Defines the method used to scrub a virtual server.
bgp-flowspec-advertisement-action
Specifies the BGP FlowSpec advertisement action used for scrubbing a virtual server. The default is
redirect.
bgp-flowspec-dscp-value
Specifies the DSCP value written into the BGP FlowSpec advertisement for the qos action.
bgp-flowspec-rate-limit
Specifies the rate limit, in bytes per second (not bits), carried in the BGP FlowSpec advertisement for the
rate-limit action.
bgp-flowspec-redirect-asn-community
Specifies the BGP Extended Community value (in the format AA:NNN, where AA is a 16-bit number and NNN is a
32-bit number) that identifies the target VRF when the BGP FlowSpec advertisement action is redirect.
percentage-threshold
Defines the bandwidth threshold that triggers scrubbing for the selected virtual server, as a percentage of
the virtual server's configured bandwidth value.
next-hop
Defines the next hop used for scrubbing/redirecting traffic for IPv4 virtual server destination addresses.
next-hop-v6
Defines the next hop used for scrubbing/redirecting traffic for IPv6 virtual server destination addresses.
vs-name
Identifies the virtual server to be monitored; its destination address is used for route advertisement.
app-service
Specifies the application service to which the object belongs. The default value is none. Note: If the
strict-updates option is enabled on the Application Service that owns the object, you cannot modify or
delete the object. Only the Application Service can modify or delete the object.
silverline
Specifies how to reach the Silverline service used by entities whose advertisement-method is
silverline-method.
OPTIONS
url
Specifies the URL used to communicate with the Silverline system.
user-id
Specifies the user ID of the Silverline account.
user-passwd
Specifies the password of the Silverline account.
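EXAMPLES
The following worked example is added by the editor and is not part of the F5 manual page; it builds one
scrubber profile that exercises each monitored-entity type and each BGP FlowSpec action described above. It
assumes that create accepts the same options as modify (only modify is shown in SYNTAX). Every object name,
address, VLAN, community value and credential is hypothetical; addresses use the RFC 5737/RFC 3849
documentation ranges. A NetFlow protected server entry is omitted because the SYNTAX block for
scrubber-netflow-protected-server lists different keys than the OPTIONS text for that object, so its exact
keys cannot be taken from this page.

```tmsh
# Added example, not from the BIG-IP manual. All names/addresses are hypothetical.

# 1. Profile with a 5-minute advertisement lifetime (advertisement-ttl is in seconds).
create security scrubber profile scrub-edge advertisement-ttl 300

# 2. Blacklist category: plain BGP route injection (bgp-method). next-hop is used
#    for IPv4 shuns, next-hop-v6 for IPv6 shuns.
modify security scrubber profile scrub-edge scrubber-categories add {
    cat-botnets {
        blacklist-category /Common/botnets
        advertisement-method bgp-method
        next-hop 192.0.2.10
        next-hop-v6 2001:db8:ffff::10
        route-domain-name /Common/rd-edge
    }
}

# 3. Route domain: BGP FlowSpec rate-limit action. The limit is in BYTES per
#    second, so 12500000 is 100 Mbit/s. Scrubbing triggers at the absolute
#    threshold or at 80% of the route domain's bandwidth value, whichever is
#    crossed (this man page does not state the unit of absolute-threshold for
#    route domains; the NetFlow threshold is in Mbps). The management VLAN is
#    excluded from monitoring. SYNTAX calls the key route-domain while the
#    OPTIONS text calls it route-domain-name; confirm with tab completion.
modify security scrubber profile scrub-edge scrubber-rt-domain add {
    rd-edge {
        route-domain /Common/rd-edge
        absolute-threshold 800
        percentage-threshold 80
        advertisement-method bgp-flowspec-method
        bgp-flowspec-advertisement-action rate-limit
        bgp-flowspec-rate-limit 12500000
        excluded-vlans add { /Common/vlan-mgmt { } }
    }
}

# 4. Narrow the advertisement to one subnet and redirect it into a scrubbing VRF
#    identified by the AA:NNN extended community (16-bit ASN : 32-bit value).
#    Caveat from the OPTIONS text: once any scrubber-rd-network-prefix exists,
#    the scrubbing configured on the parent route domain (step 3) is ignored.
#    mask is assumed here to be a prefix length.
modify security scrubber profile scrub-edge scrubber-rt-domain modify {
    rd-edge {
        scrubber-rd-network-prefix add {
            web-net {
                dst-ip 198.51.100.0
                mask 24
                bgp-flowspec-advertisement-action redirect
                bgp-flowspec-redirect-asn-community 65001:100
                next-hop 192.0.2.10
            }
        }
    }
}

# 5. Virtual server: FlowSpec qos action that remarks attack traffic with
#    DSCP 8 (CS1) instead of dropping it; thresholds are per virtual server.
modify security scrubber profile scrub-edge scrubber-virtual-server add {
    vs-web {
        vs-name /Common/vs-web
        absolute-threshold 200
        percentage-threshold 50
        advertisement-method bgp-flowspec-method
        bgp-flowspec-advertisement-action qos
        bgp-flowspec-dscp-value 8
        next-hop 192.0.2.10
        next-hop-v6 2001:db8:ffff::10
    }
}

# 6. Silverline credentials, used by any entry whose advertisement-method is
#    silverline-method (URL and account are placeholders).
modify security scrubber profile scrub-edge silverline { url https://silverline.example.net user-id scrub-api@example.net user-passwd ChangeMeNow }

# 7. Review only what differs from the defaults before saving.
list security scrubber profile scrub-edge non-default-properties
save sys config
```

Steps 3 and 4 are deliberately separate so that the override is visible: after step 4 only 198.51.100.0/24 is
advertised for redirect, and the rate-limit configured on rd-edge no longer takes effect. Remove the prefix
(scrubber-rd-network-prefix delete { web-net }) to return to route-domain-wide scrubbing.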
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2016. All rights reserved.
BIG-IP 2019-12-09 security scrubber profile(1)