Profiles¶
This section contains example declarations that include useful BIG-IP profiles. This page does not include TLS/SSL profiles, see TLS Encryption for TLS/SSL profile examples.
Use the index on the right to locate specific examples.
1: Using an Analytics profile in a declaration¶
This example shows how you can use the Application Visibility and Reporting (AVR, or Analytics) module in a declaration as an analytics profile. The Analytics profile is a set of definitions that determines the circumstances under which the system gathers, logs, notifies, and graphically displays information regarding traffic to an application. For detailed information on AVR and the Analytics profile, see the BIG-IP Analytics: Implementations (pdf) guide and Analytics Profile class in the Schema Reference for information and usage options for using these features in your AS3 declarations.
Important notes for using an Analytics profile:
- You must have AVR provisioned on your BIG-IP system.
- You cannot be using a BIG-IP version between 13.1 and 13.1.0.6 to use the Analytics profile. There are certain properties that currently do not work on these versions.
- The notificationBySnmp property set to true requires configuration of SNMP. AS3 does not support configuration of SNMP.
- The notificationByEmail property set to true requires the configuration of SMTP. In addition a HTTP Analytics profile inherits this property from the base /Common/analytics profile. AS3 does not support configuration of SMTP or modification of the base /Common/analytics profile.
- The following properties have recommended values that are different than the default values:
- collectClientSideStatistics - recommended value true (default value is false)
- collectOsAndBrowser - recommended value false (default value is true)
- collectMethod - recommended value false (default value is true)
This declaration creates the following objects on the BIG-IP:
- Partition (tenant) named Sample_profile_01.
- An HTTP service (virtual server) named serviceHttp.
- An analytics profile for collecting statistics. See the schema reference and documentation for details.
{
"class": "ADC",
"schemaVersion": "3.6.0",
"id": "SAMPLE_ANALYTICS_PROFILE",
"remark": "Sample analytics profile",
"Sample_profile_01": {
"class": "Tenant",
"Sample_Analytics_Profile": {
"class": "Application",
"template": "generic",
"apTest": {
"class": "Analytics_Profile",
"collectedStatsInternalLogging": true,
"collectedStatsExternalLogging": true,
"capturedTrafficInternalLogging": true,
"capturedTrafficExternalLogging": true,
"externalLoggingPublisher": {"bigip": "/Common/default-ipsec-log-publisher"},
"notificationBySyslog": true,
"notificationBySnmp": false,
"notificationByEmail": true,
"notificationEmailAddresses": [
"aaaa@aa.a",
"bbbb@bb.b",
"cccc@cc.c"
],
"publishIruleStatistics": true,
"collectMaxTpsAndThroughput": true,
"collectPageLoadTime": true,
"collectClientSideStatistics": true,
"collectUserSession": true,
"collectUrl": true,
"urlsForStatCollection": [
"a.f5test/a.htm",
"b.f5test/b.htm",
"c.f5test/c.htm"
],
"collectGeo": true,
"countriesForStatCollection": [
"Afghanistan",
"Bahamas",
"Cambodia",
"Denmark",
"Ecuador",
"Falkland Islands (Malvinas)"
],
"collectIp": true,
"collectSubnet": true,
"subnetsForStatCollection": [
"198.19.192.0/24",
"198.19.224.0/24"
],
"collectResponseCode": true,
"collectUserAgent": true,
"collectMethod": true,
"collectOsAndBrowser": true,
"sessionCookieSecurity": "always-secure",
"sessionTimeoutMinutes": 30
},
"serviceHttp": {
"class": "Service_HTTP",
"virtualAddresses": [
"192.0.2.240"
],
"virtualPort": 8080,
"profileAnalytics": { "use": "apTest" }
}
}
}
}
2: Using an Analytics profile with a Capture filter¶
This example shows how you can use the capture filter with the analytics profile to collect application traffic so that you can troubleshoot problems that have become apparent by monitoring application statistics. For detailed information the Capture filter, see the Capture filter documentation and Analytics Profile class in the Schema Reference for information and usage options for using these features in your AS3 declarations.
Important notes for using an Analytics profile:
- You must have AVR provisioned on your BIG-IP system.
- You cannot be using a BIG-IP version between 13.1 and 13.1.0.6 to use the Analytics profile. There are certain properties that currently do not work on these versions.
- The notificationBySnmp property set to true requires configuration of SNMP. AS3 does not support configuration of SNMP.
- The notificationByEmail property set to true requires the configuration of SMTP. In addition a HTTP Analytics profile inherits this property from the base /Common/analytics profile. AS3 does not support configuration of SMTP or modification of the base /Common/analytics profile.
This declaration creates the following objects on the BIG-IP:
- Partition (tenant) named Sample_analytics_capture.
- An HTTP service (virtual server) named serviceHttp.
- An analytics profile for collecting statistics with a capture filter. See the schema reference and documentation for details.
{
"class": "ADC",
"schemaVersion": "3.6.0",
"id": "SAMPLE_ANALYTICS_PROFILE",
"remark": "Sample analytics profile",
"Sample_profile_01": {
"class": "Tenant",
"Sample_Analytics_Profile": {
"class": "Application",
"template": "generic",
"apTest": {
"class": "Analytics_Profile",
"collectedStatsInternalLogging": true,
"collectedStatsExternalLogging": true,
"capturedTrafficInternalLogging": true,
"capturedTrafficExternalLogging": true,
"externalLoggingPublisher": {"bigip": "/Common/default-ipsec-log-publisher"},
"notificationBySyslog": true,
"notificationBySnmp": false,
"notificationByEmail": true,
"notificationEmailAddresses": [
"aaaa@aa.a",
"bbbb@bb.b",
"cccc@cc.c"
],
"publishIruleStatistics": true,
"collectMaxTpsAndThroughput": true,
"collectPageLoadTime": true,
"collectClientSideStatistics": true,
"collectUserSession": true,
"collectUrl": true,
"urlsForStatCollection": [
"a.f5test/a.htm",
"b.f5test/b.htm",
"c.f5test/c.htm"
],
"collectGeo": true,
"countriesForStatCollection": [
"Afghanistan",
"Bahamas",
"Cambodia",
"Denmark",
"Ecuador",
"Falkland Islands (Malvinas)"
],
"collectIp": true,
"collectSubnet": true,
"subnetsForStatCollection": [
"198.19.192.0/24",
"198.19.224.0/24"
],
"collectResponseCode": true,
"collectUserAgent": true,
"collectMethod": true,
"collectOsAndBrowser": true,
"sessionCookieSecurity": "always-secure",
"sessionTimeoutMinutes": 30
},
"serviceHttp": {
"class": "Service_HTTP",
"virtualAddresses": [
"192.0.2.240"
],
"virtualPort": 8080,
"profileAnalytics": { "use": "apTest" }
}
}
}
}
3: Using a Multiplex (OneConnect) profile in a declaration¶
This example shows how you can use a multiplex (called OneConnect on the BIG-IP) profile in your declarations. See the Schema Reference for usage options and information. For more information on the OneConnect profile, see About OneConnect Profiles in the BIG-IP documentation.
This declaration creates the following objects on the BIG-IP:
- Partition (tenant) named Sample_profile_02.
- An HTTP service (virtual server) named serviceMain.
- An OneConnect profile named testMux for multiplexing connections.
{
"class": "ADC",
"schemaVersion": "3.7.0",
"id": "1234",
"remark": "Sample OneConnect multiplex profile",
"Sample_profile_02": {
"class": "Tenant",
"Tenant_1": {
"class": "Application",
"template": "http",
"serviceMain": {
"class": "Service_HTTP",
"virtualAddresses": [
"10.10.1.3"
],
"profileMultiplex": {
"use": "testMux"
}
},
"testMux": {
"class": "Multiplex_Profile",
"maxConnections": 5000,
"maxConnectionAge": 3600,
"maxConnectionReuse": 20000,
"idleTimeoutOverride": 900,
"connectionLimitEnforcement": "idle",
"sharePools": true
}
}
}
}
4: Using existing FTP and SIP profiles in a declaration¶
This example shows how you can use existing SIP and FTP profiles in a declaration. In this example, our BIG-IP system already has testSIP and testFTP profiles in the Common partition. See the Schema Reference for usage options and information.
This declaration creates the following objects on the BIG-IP:
- Partition (tenant) named Sample_profile_03.
- Two TCP services (virtual servers) named serviceMain, with Descriptions of A1 and A2.
- A profileSIP object that references our existing testSIP profile.
- A profileFTP object that references our existing testFTP profile.
{
"class": "AS3",
"action": "deploy",
"persist": true,
"declaration": {
"class": "ADC",
"schemaVersion": "3.0.0",
"id": "fghijkl7890",
"label": "existing SIP and FTP profiles",
"Sample_profile_03": {
"class": "Tenant",
"A1": {
"class": "Application",
"template": "tcp",
"serviceMain": {
"class": "Service_TCP",
"virtualAddresses": [
"10.0.6.100"
],
"virtualPort": 443,
"profileSIP": {
"bigip": "/Common/testSIP"
},
"pool": "tcp_pool"
},
"tcp_pool": {
"class": "Pool",
"monitors": [
"tcp"
],
"members": [{
"servicePort": 443,
"serverAddresses": [
"192.0.6.10",
"192.0.6.11"
]
}]
}
},
"A2": {
"class": "Application",
"template": "tcp",
"serviceMain": {
"class": "Service_TCP",
"virtualAddresses": [
"10.0.6.100"
],
"virtualPort": 443,
"profileFTP": {
"bigip": "/Common/testFTP"
},
"pool": "ftp_pool"
},
"ftp_pool": {
"class": "Pool",
"monitors": [
"tcp"
],
"members": [{
"servicePort": 21,
"serverAddresses": [
"192.0.6.10",
"192.0.6.11"
]
}]
}
}
}
}
}
5: Using a Traffic Log profile in a declaration¶
This example shows how you can use a Traffic Log profile in a declaration. The Traffic Log profile in AS3 creates a Request Logging profile on the BIG-IP system, which gives you the ability to configure data within a log file for HTTP requests and responses, in accordance with specified parameters. For more information, see Request Logging documentation, and the Schema Reference for AS3 usage options and information.
This declaration creates the following objects on the BIG-IP:
- Two partitions (tenants) named Sample_profile_04, and tenant2.
- The Sample_profile_04 tenant includes a detailed Traffic Log profile (see Traffic Log profile in the Schema Reference for details and usage) and a pool named “thePool”.
- The tenant2 tenant includes a virtual server named serviceMain and the default Traffic Log profile.
Note: This example does not include real certificates, so if you post the following declaration, you will receive an invalid certificate error. Replace the values of certificate and privateKey with your own certificates.
{
"class": "ADC",
"schemaVersion": "3.8.0",
"id": "Traffic_Log_Profile",
"Sample_profile_04": {
"class": "Tenant",
"app": {
"class": "Application",
"template": "generic",
"trafLogProf": {
"class": "Traffic_Log_Profile",
"parentProfile": {
"use": "trafLog"
},
"requestSettings": {
"requestErrorLoggingEnabled": true,
"proxyCloseOnErrorEnabled": true,
"proxyRespondOnLoggingErrorEnabled": true,
"requestErrorProtocol": "mds-tcp",
"requestProtocol": "mds-tcp",
"requestEnabled": true,
"proxyResponse": "Proxy Response",
"requestErrorPool": {
"use": "thePool"
},
"requestErrorTemplate": "ERR TEMPLATE:",
"requestPool": {
"use": "thePool"
},
"requestTemplate": "REQ TEMP"
},
"responseSettings": {
"byDefaultEnabled": false,
"responseErrorLoggingEnabled": true,
"responseErrorProtocol": "mds-tcp",
"responseProtocol": "mds-tcp",
"responseEnabled": true,
"responseErrorPool": {
"use": "thePool"
},
"responseErrorTemplate": "ERROR: ",
"responsePool": {
"use": "thePool"
},
"responseTemplate": "TEMPLATE"
}
},
"thePool": {
"class": "Pool"
},
"trafLog": {
"class": "Traffic_Log_Profile"
}
}
},
"tenant2": {
"class": "Tenant",
"app2": {
"class": "Application",
"template": "http",
"serviceMain": {
"class": "Service_HTTP",
"virtualAddresses": ["1.1.1.1"],
"virtualPort": 23,
"profileTrafficLog": {
"use": "trafLogProf2"
}
},
"trafLogProf2": {
"class": "Traffic_Log_Profile"
}
}
}
}
6: Using a WebSocket profile in a declaration¶
This example shows how you can use a WebSocket profile in a declaration. When you assign a WebSocket profile to a virtual server, the virtual server informs clients that a WebSocket virtual server is available to respond to WebSocket requests. WebSocket frames that contain payload data are masked with a 32-bit key. You can determine what the BIG-IP system does with this key by specifying one of the following values: preserve, remask, selective, unmask. For detailed information on the WebSocket profile, see Websocket documentation and HTTP Profile class in the Schema Reference for usage and options.
This declaration creates the following objects on the BIG-IP:
- Partition (tenant) named Sample_profile_05.
- An HTTP service (virtual server) named serviceMain.
- An HTTP profile that includes WebSocket properties.
{
"class": "ADC",
"schemaVersion": "3.8.0",
"id": "TEST_Websocket_Profile",
"remark": "Test Websocket profiles",
"Sample_profile_05": {
"class": "Tenant",
"TEST_Websocket_Profile": {
"class": "Application",
"template": "http",
"serviceMain": {
"class": "Service_HTTP",
"virtualPort": 80,
"virtualAddresses": ["1.2.3.4"],
"profileHTTP": {
"use": "httpProfile"
}
},
"httpProfile": {
"class": "HTTP_Profile",
"webSocketsEnabled": true,
"webSocketMasking": "preserve"
}
}
}
}
7: Using a Rewrite profile in a declaration¶
This example shows how you can use a Rewrite profile in a declaration. With a Rewrite profile, the BIG-IP system can perform URI scheme, host, port, and path modifications as HTTP traffic passes through the system. For detailed information, see Rewrite profile documentation and Rewrite profile in the Schema Reference for usage and options.
This declaration creates the following objects on the BIG-IP:
- Partition (tenant) named Sample_profile_06.
- A Generic service (virtual server) named virtualServer.
- A Rewrite profile named rewriteProf that includes a number of properties (see Rewrite profile in the Schema Reference for details and usage).
{
"class": "ADC",
"updateMode": "selective",
"schemaVersion": "3.0.0",
"id": "TEST_Rewrite_Profile",
"Sample_profile_06": {
"class": "Tenant",
"TEST_Rewrite_Profile": {
"class": "Application",
"template": "generic",
"virtualServer": {
"class": "Service_HTTP",
"virtualAddresses": [
"1.1.1.2"
],
"virtualPort": 80,
"profileRewrite": {
"use": "rewriteProf"
}
},
"rewriteProf": {
"class": "Rewrite_Profile",
"bypassList": [
"https://www.google.com",
"http://www.a.uri.com"
],
"clientCachingType": "no-cache",
"javaCaFile": {
"bigip": "/Common/default.crt"
},
"certificate": "cert_and_key",
"javaSignKeyPassphrase": {
"ciphertext": "ZjVmNQ==",
"protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",
"ignoreChanges": true
},
"locationSpecificEnabled": true,
"requestSettings": {
"insertXforwardedForEnabled": false,
"insertXforwardedHostEnabled": true,
"insertXforwardedProtoEnabled": true,
"rewriteHeadersEnabled": false
},
"responseSettings": {
"rewriteContentEnabled": false,
"rewriteHeadersEnabled": false
},
"rewriteList": [
"https://www.example.com",
"https://www.rewritethis.net"
],
"rewriteMode": "uri-translation",
"setCookieRules": [
{
"client": {
"domain": "clientDomain1",
"path": "/"
},
"server": {
"domain": "serverDomain1",
"path": "/"
}
},
{
"client": {
"domain": "clientDomain2",
"path": "/"
},
"server": {
"domain": "serverDomain2",
"path": "/"
}
}
],
"splitTunnelingEnabled": true,
"uriRules": [
{
"type": "response",
"client": {
"path": "/",
"host": "www.google.com",
"scheme": "https",
"port": "100"
},
"server": {
"path": "/",
"host": "www.example.com",
"scheme": "http",
"port": "80"
}
},
{
"type": "request",
"client": {
"path": "/"
},
"server": {
"path": "/"
}
}
]
},
"cert_and_key": {
"class": "Certificate",
"remark": "in practice not using a passphrase is not recommended",
"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
"privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
}
}
}
}
8: Using a DoS profile in a declaration¶
This example shows how you can use a Denial of Service (DoS) profile in a declaration. The DoS profile can provide specific attack prevention at a very granular level. In the following example, we include nearly all of the available features in the DoS profile, with the exception of Mobile Defense, which we show in example 10. For detailed information on DoS profiles and the features in this declaration, see DoS Protection and Protocol Firewall Implementations (pdf). Also see the Schema Reference for usage options for using these features in your AS3 declarations.
This declaration creates the following objects on the BIG-IP:
- Partition (tenant) named Sample_dos_01.
- A DoS profile with blacklisted and whitelisted geolocations and address lists, URL protection, bot defense, rate-based protection and more. See the documentation and schema reference for details.
{
"class": "ADC",
"schemaVersion": "3.6.0",
"id": "DOS_Profile",
"controls": {
"class": "Controls",
"trace": true,
"logLevel": "debug"
},
"Sample_dos_01": {
"class": "Tenant",
"Application": {
"class": "Application",
"template": "generic",
"DOS_Profile": {
"class": "DOS_Profile",
"application": {
"blacklistedGeolocations": ["Timor-Leste", "Cocos (Keeling) Islands"],
"whitelistedGeolocations": ["Bonaire, Saint Eustatius and Saba", "Cote D'Ivoire"],
"captchaResponse": {
"first": "Are you a robot?<br><br>%DOSL7.captcha.image% %DOSL7.captcha.change%<br><b>What code is in the image?</b>%DOSL7.captcha.solution%<br>%DOSL7.captcha.submit%<br><br>Your supportID is: %DOSL7.captcha.support_id%.",
"failure": "Error!<br><br>%DOSL7.captcha.image% %DOSL7.captcha.change%<br><b>What code is in the image?</b>%DOSL7.captcha.solution%<br>%DOSL7.captcha.submit%<br><br>Your support ID is: %DOSL7.captcha.support_id%."
},
"heavyURLProtection": {
"automaticDetectionEnabled": true,
"detectionThreshold": 16,
"excludeList": ["example.com"],
"protectList": [{
"url": "www.google.com",
"threshold": 0
}
]
},
"triggerIRule": true,
"scrubbingDuration": 42,
"remoteTriggeredBlackHoleDuration": 10,
"profileAcceleration": {
"bigip": "/Common/full-acceleration"
},
"botDefense": {
"mode": "during-attacks",
"blockSuspiscousBrowsers": true,
"issueCaptchaChallenge": true,
"gracePeriod": 4000,
"crossDomainRequests": "validate-bulk",
"siteDomains": ["www.google.com"],
"externalDomains": ["www.yahoo.com"],
"urlWhitelist": ["www.bing.com"]
},
"botSignatures": {
"checkingEnabled": true,
"blockedCategories": [{
"bigip": "/Common/Search Engine"
}
],
"reportedCategories": [{
"bigip": "/Common/Crawler"
}
]
},
"rateBasedDetection": {
"operationMode": "off",
"thresholdsMode": "manual",
"escalationPeriod": 120,
"deEscalationPeriod": 7200,
"sourceIP": {
"minimumTps": 40,
"tpsIncreaseRate": 500,
"maximumTps": 200,
"minimumAutoTps": 5,
"maximumAutoTps": 5000,
"clientSideDefenseEnabled": false,
"captchaChallengeEnabled": false,
"rateLimitingEnabled": true,
"rateLimitingMode": "rate-limit"
},
"deviceID": {
"minimumTps": 40,
"tpsIncreaseRate": 500,
"maximumTps": 200,
"minimumAutoTps": 5,
"maximumAutoTps": 5000,
"clientSideDefenseEnabled": false,
"captchaChallengeEnabled": false,
"rateLimitingEnabled": true,
"rateLimitingMode": "rate-limit"
},
"geolocation": {
"minimumShare": 10,
"shareIncreaseRate": 500,
"minimumAutoTps": 5,
"maximumAutoTps": 5000,
"clientSideDefenseEnabled": false,
"captchaChallengeEnabled": false,
"rateLimitingEnabled": true,
"rateLimitingMode": "rate-limit"
},
"url": {
"minimumTps": 40,
"tpsIncreaseRate": 500,
"maximumTps": 200,
"minimumAutoTps": 5,
"maximumAutoTps": 5000,
"clientSideDefenseEnabled": false,
"captchaChallengeEnabled": false,
"rateLimitingEnabled": true
},
"site": {
"minimumTps": 40,
"tpsIncreaseRate": 500,
"maximumTps": 200,
"minimumAutoTps": 5,
"maximumAutoTps": 5000,
"clientSideDefenseEnabled": false,
"captchaChallengeEnabled": false,
"rateLimitingEnabled": true
}
},
"stressBasedDetection": {
"badActor": {
"detectionEnabled": false,
"mitigationMode": "none",
"signatureDetectionEnabled": false,
"useApprovedSignaturesOnly": false
},
"operationMode": "off",
"thresholdsMode": "manual",
"escalationPeriod": 120,
"deEscalationPeriod": 7200,
"sourceIP": {
"minimumTps": 40,
"tpsIncreaseRate": 500,
"maximumTps": 200,
"minimumAutoTps": 5,
"maximumAutoTps": 5000,
"clientSideDefenseEnabled": false,
"captchaChallengeEnabled": false,
"rateLimitingEnabled": true,
"rateLimitingMode": "rate-limit"
},
"deviceID": {
"minimumTps": 40,
"tpsIncreaseRate": 500,
"maximumTps": 200,
"minimumAutoTps": 5,
"maximumAutoTps": 5000,
"clientSideDefenseEnabled": false,
"captchaChallengeEnabled": false,
"rateLimitingEnabled": true,
"rateLimitingMode": "rate-limit"
},
"geolocation": {
"minimumShare": 10,
"shareIncreaseRate": 500,
"minimumAutoTps": 5,
"maximumAutoTps": 5000,
"clientSideDefenseEnabled": false,
"captchaChallengeEnabled": false,
"rateLimitingEnabled": true,
"rateLimitingMode": "rate-limit"
},
"url": {
"minimumTps": 40,
"tpsIncreaseRate": 500,
"maximumTps": 200,
"minimumAutoTps": 5,
"maximumAutoTps": 5000,
"clientSideDefenseEnabled": false,
"captchaChallengeEnabled": false,
"rateLimitingEnabled": true,
"heavyURLProtectionEnabled": true
},
"site": {
"minimumTps": 40,
"tpsIncreaseRate": 500,
"maximumTps": 200,
"minimumAutoTps": 5,
"maximumAutoTps": 5000,
"clientSideDefenseEnabled": false,
"captchaChallengeEnabled": false,
"rateLimitingEnabled": true
}
},
"recordTraffic": {
"maximumDuration": 10,
"maximumSize": 10,
"recordTrafficEnabled": false,
"repetitionInterval": 10
}
},
"network": {
"dynamicSignatures": {
"detectionMode": "enabled",
"mitigationMode": "medium",
"scrubbingEnabled": true,
"scrubbingCategory": {
"bigip": "/Common/botnets"
},
"scrubbingDuration": 60
},
"vectors": [{
"type": "hop-cnt-low",
"state": "learn-only",
"thresholdMode": "manual",
"rateThreshold": 40000,
"rateIncreaseThreshold": 600,
"rateLimit": 1000000,
"simulateAutoThresholdEnabled": true,
"badActorSettings": {
"enabled": true,
"sourceDetectionThreshold": 0,
"sourceMitigationThreshold": 0
},
"autoBlacklistSettings": {
"enabled": true,
"category": {
"bigip": "/Common/botnets"
},
"attackDetectionTime": 1,
"categoryDuration": 60,
"externalAdvertisementEnabled": true
}
}
]
},
"protocolDNS": {
"vectors": [{
"type": "ptr",
"state": "mitigate",
"thresholdMode": "fully-automatic",
"autoAttackFloor": 0,
"autoAttackCeiling": 0
}
]
},
"protocolSIP": {
"vectors": [{
"type": "cancel",
"state": "disabled",
"thresholdMode": "fully-automatic",
"autoAttackFloor": 4294967295,
"autoAttackCeiling": 4294967295,
"rateIncreaseThreshold": 4294967295
}
]
},
"whitelist": {
"use": "addressList"
},
"applicationWhitelist": {
"use": "addressListHTTP"
}
},
"addressList": {
"class": "Firewall_Address_List",
"addresses": ["10.0.0.10"]
},
"addressListHTTP": {
"class": "Firewall_Address_List",
"addresses": ["10.0.0.11"]
}
}
}
}
9: Using a DoS profile for Mobile Defense¶
This example shows how you can use a Denial of Service (DoS) profile in a declaration specific to mobile protection. See the Schema Reference for usage options for using these features in your AS3 declarations.
This declaration creates the following objects on the BIG-IP:
- Partition (tenant) named Sample_dos_02.
- A DoS profile with mobile defense enabled.
{
"class": "ADC",
"schemaVersion": "3.6.0",
"id": "DOS_Profile",
"Sample_dos_02": {
"class": "Tenant",
"Application": {
"class": "Application",
"template": "generic",
"DOS_Profile": {
"class": "DOS_Profile",
"application": {
"scrubbingDuration": 42,
"remoteTriggeredBlackHoleDuration": 10,
"mobileDefense": {
"enabled": true,
"allowAndroidPublishers": [{
"bigip": "/Common/default.crt"
}
],
"allowAndroidRootedDevice": true,
"allowIosPackageNames": ["theName"],
"allowJailbrokenDevices": true,
"allowEmulators": true,
"clientSideChallengeMode": "challenge"
}
}
}
}
}
}
10: Using a HTTP Acceleration profile in a declaration¶
This example shows how you can use a Web (HTTP) Acceleration profile in a declaration, which helps speed your HTTP traffic. For detailed information, see Web Acceleration profile and HTTP Acceleration Profile class in the Schema Reference for usage and options.
This declaration creates the following objects on the BIG-IP:
- Partition (tenant) named Sample_profile_06.
- A Generic service (virtual server) named http_accel.
- A Web Acceleration profile named testItem that includes a number of properties (see HTTP Acceleration Profile class in the Schema Reference for details and usage).
{
"class": "ADC",
"updateMode": "selective",
"schemaVersion": "3.0.0",
"id": "TEST_Rewrite_Profile",
"Sample_profile_06": {
"class": "Tenant",
"TEST_Rewrite_Profile": {
"class": "Application",
"template": "generic",
"virtualServer": {
"class": "Service_HTTP",
"virtualAddresses": [
"1.1.1.2"
],
"virtualPort": 80,
"profileRewrite": {
"use": "rewriteProf"
}
},
"rewriteProf": {
"class": "Rewrite_Profile",
"bypassList": [
"https://www.google.com",
"http://www.a.uri.com"
],
"clientCachingType": "no-cache",
"javaCaFile": {
"bigip": "/Common/default.crt"
},
"certificate": "cert_and_key",
"javaSignKeyPassphrase": {
"ciphertext": "ZjVmNQ==",
"protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",
"ignoreChanges": true
},
"locationSpecificEnabled": true,
"requestSettings": {
"insertXforwardedForEnabled": false,
"insertXforwardedHostEnabled": true,
"insertXforwardedProtoEnabled": true,
"rewriteHeadersEnabled": false
},
"responseSettings": {
"rewriteContentEnabled": false,
"rewriteHeadersEnabled": false
},
"rewriteList": [
"https://www.example.com",
"https://www.rewritethis.net"
],
"rewriteMode": "uri-translation",
"setCookieRules": [
{
"client": {
"domain": "clientDomain1",
"path": "/"
},
"server": {
"domain": "serverDomain1",
"path": "/"
}
},
{
"client": {
"domain": "clientDomain2",
"path": "/"
},
"server": {
"domain": "serverDomain2",
"path": "/"
}
}
],
"splitTunnelingEnabled": true,
"uriRules": [
{
"type": "response",
"client": {
"path": "/",
"host": "www.google.com",
"scheme": "https",
"port": "100"
},
"server": {
"path": "/",
"host": "www.example.com",
"scheme": "http",
"port": "80"
}
},
{
"type": "request",
"client": {
"path": "/"
},
"server": {
"path": "/"
}
}
]
},
"cert_and_key": {
"class": "Certificate",
"remark": "in practice not using a passphrase is not recommended",
"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
"privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
}
}
}
}
11: Using a Security log profile with Application Security¶
This example shows how you can use a BIG-IP ASM Security Logging profile with application security in a declaration (you must have ASM licensed and provisioned to use this profile). Logging profiles determine where events are logged, and which items (such as which parts of requests, or which type of errors) are logged. For more information on ASM logging profiles, see ASM Logging Profiles section of the ASM documentation., and Security Log Profile class in the Schema Reference for AS3 usage options and information.
There are two declarations in this example, one that uses local storage for the logs, and one that uses remote storage.
..local:
Local storage¶
This declaration creates a security log profile that uses local storage (for the remote storage example, click ref:remote). This declaration creates the following objects on the BIG-IP:
- Partition (tenant) named Security_Log_Local.
- A Security Log Profile named secLogLocal with Application Security enabled which stores logs locally.
{
"class": "ADC",
"schemaVersion": "3.10.0",
"id": "Security_Log_Profile_local",
"Security_Log_local": {
"class": "Tenant",
"Application": {
"class": "Application",
"template": "generic",
"secLogLocal": {
"class": "Security_Log_Profile",
"application": {
"storageFilter": {
"logicalOperation": "and",
"requestType": "all",
"responseCodes": [
"100",
"200",
"300",
"400"
],
"protocols": [
"https",
"ws"
],
"httpMethods": [
"ACL",
"GET",
"POLL",
"POST"
],
"requestContains": {
"searchIn": "search-in-headers",
"value": "The header string to search for"
},
"loginResults": [
"login-result-successful",
"login-result-failed"
]
},
"guaranteeLoggingEnabled": true,
"guaranteeResponseLoggingEnabled": true,
"maxHeaderSize": 200,
"maxQuerySize": 1040,
"maxRequestSize": 900,
"responseLogging": "all"
}
}
}
}
}
..remote:
Remote storage¶
This declaration creates a security log profile that uses remote storage (for the local storage example, click ref:local). This declaration creates the following objects on the BIG-IP:
- Partition (tenant) named Security_Log_Remote.
- A Security Log Profile named secLogRemote with Application Security enabled, which sends logs to a remote logging server on port 9876.
{
"class": "ADC",
"schemaVersion": "3.10.0",
"id": "Security_Log_Profile",
"Security_Log_Remote": {
"class": "Tenant",
"Application": {
"class": "Application",
"template": "generic",
"secLogRemote": {
"class": "Security_Log_Profile",
"application": {
"facility": "local3",
"storageFilter": {
"requestType": "illegal-including-staged-signatures",
"responseCodes": [
"404",
"201"
],
"protocols": [
"http"
],
"httpMethods": [
"PATCH",
"DELETE"
],
"requestContains": {
"searchIn": "search-in-request",
"value": "The new value"
},
"loginResults": [
"login-result-unknown"
]
},
"storageFormat": {
"fields": [
"attack_type",
"avr_id",
"headers",
"is_truncated"
],
"delimiter": "."
},
"localStorage": false,
"maxEntryLength": "10k",
"protocol": "udp",
"remoteStorage": "remote",
"reportAnomaliesEnabled": true,
"servers": [
{
"address": "9.8.7.6",
"port": "9876"
}
]
}
}
}
}
}
12: Using a Stream profile in a declaration¶
This example shows how you can use a Stream profile in a declaration. With a Stream profile, the BIG-IP system performs a search and replace procedure for all occurrences of a string in a data stream, such as a TCP connection. For detailed information, see Overview of the Stream profile and < a href="https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html#stream-profile" target="_blank">Stream Profile in the Schema Reference for usage and options.
This declaration creates the following objects on the BIG-IP:
- Partition (tenant) named Stream_tenant.
- An HTTP service (virtual server) named Stream_service on port 100.
- A Stream profile named Stream_profile that includes a number of properties (see < a href="https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html#stream-profile" target="_blank">Stream Profile in the Schema Reference for details and usage). This declaration also includes a default stream profile that is not referenced by the virtual server.
{
"class": "ADC",
"schemaVersion": "3.10.0",
"id": "Stream_Profile",
"Stream_tenant": {
"class": "Tenant",
"Stream_app": {
"class": "Application",
"template": "generic",
"Stream_service": {
"class": "Service_HTTP",
"virtualAddresses": [
"5.4.3.2"
],
"virtualPort": 100,
"profileStream": {
"use": "testStream"
}
},
"testStream": {
"class": "Stream_Profile",
"remark": "Description",
"parentProfile": {
"use": "streamProfile"
},
"chunkingEnabled": true,
"chunkSize": 10000,
"source": "The source",
"target": "The target"
},
"streamProfile": {
"class": "Stream_Profile"
}
}
}
}
13: Creating an FTP profile in a declaration¶
This example shows how you can create an FTP profile in a declaration (example (#4) showed how to use an existing FTP profile). See FTP_Profile in the Schema Reference for more usage options and information.
This declaration creates the following objects on the BIG-IP:
- Partition (tenant) named TEST_FTP_Profile.
- A FTP profile named sampleFTPprofile
{
"class": "ADC",
"schemaVersion": "3.10.0",
"id": "FTP_Profile",
"TEST_FTP_Profile": {
"class": "Tenant",
"Application": {
"class": "Application",
"template": "generic",
"sampleFTPprofile": {
"class": "FTP_Profile",
"remark": "description",
"port": 300,
"ftpsMode": "require",
"enforceTlsSessionReuseEnabled": true,
"activeModeEnabled": false,
"securityEnabled": true,
"translateExtendedEnabled": false,
"inheritParentProfileEnabled": true
}
}
}
}
14: Referencing existing iRules LX Profiles¶
This example shows how you can reference an existing iRules LX profile in a BIG-IP virtual server. An iRules LX profile is a method to associate an LX Plugin to a virtual server. See the BIG-IP documentation for more information on iRules LX profiles.
There are a few things to note about iRules LX profiles:
- You must be using BIG-IP (TMOS) v13.0 or later.
- You must provision the iRules Language Extensions (iRulesLX).
- AS3 cannot yet create iRules LX Profiles, but can reference them.
This declaration creates the following objects on the BIG-IP:
- Partition (tenant) named Example_ILX_Profile.
- A virtual service named exampleVS
- A profileILX property referencing an existing iRules LX profile on the target BIG-IP.
{
"class": "ADC",
"schemaVersion": "3.12.0",
"id": "Service_TCP",
"controls": {
"class": "Controls",
"trace": true,
"logLevel": "debug"
},
"Example_ILX_Profile": {
"class": "Tenant",
"Application": {
"class": "Application",
"template": "generic",
"exampleVS": {
"class": "Service_TCP",
"remark": "description",
"virtualPort": 123,
"virtualAddresses": [
"192.0.2.10"
],
"profileILX": {
"bigip": "/Common/iRulesProfile"
}
}
}
}
}
15: Using the HTTP/2 profile in a declaration¶
This example shows how you can create an HTTP/2 profile in a declaration.
See Overview of HTTP/2 profile, and HTTP2_Profile in the Schema Reference for more usage options and information.
This declaration creates the following objects on the BIG-IP:
- Partition (tenant) named Example_ILX_Profile.
- A virtual service named exampleVS
- A profileILX property referencing an existing iRules LX profile on the target BIG-IP.
{
"class": "ADC",
"schemaVersion": "3.12.0",
"id": "Service_TCP",
"controls": {
"class": "Controls",
"trace": true,
"logLevel": "debug"
},
"Example_ILX_Profile": {
"class": "Tenant",
"Application": {
"class": "Application",
"template": "generic",
"exampleVS": {
"class": "Service_TCP",
"remark": "description",
"virtualPort": 123,
"virtualAddresses": [
"192.0.2.10"
],
"profileILX": {
"bigip": "/Common/iRulesProfile"
}
}
}
}
}