Policy Enforcement

This section contains example policy enforcement declarations.

Important

Most of the example declarations have been updated in the documentation for BIG-IP AS3 3.20 to remove any template that was specified, and rename any virtual services that used the name serviceMain to service. In BIG-IP AS3 3.20, the generic template is the default, which allows services to use any name.

This also means that many of these declarations will fail on a version prior to 3.20 unless you add a template. See this FAQ entry and this Troubleshooting entry for more information.

Using BIG-IP PEM in a declaration

This example shows how you can use BIG-IP Policy Enforcement Manager (PEM) in your BIG-IP AS3 declarations. BIG-IP PEM helps you deliver high-quality customized services while optimizing your network by efficiently managing the explosion of data and traffic. For more information on BIG-IP PEM, see PEM on f5.com and PEM on AskF5. Also see the Schema Reference for usage options for your BIG-IP AS3 declarations.

Important

You must have the Policy Enforcement Manager (PEM) module licensed and provisioned on your BIG-IP to use these features.

Note

The following example declaration includes all of the PEM options currently available. BIG-IP AS3 currently does not create many of the PEM options, so these objects MUST be present on your BIG-IP system and properly referenced in your declaration. The objects that must be present on the BIG-IP include: pem interception-endpoint, pem irule, pem service-chain-endpoint, pem reporting format-script, pem quota-mgmt rating-group, pem forwarding-endpoint, net bwc policy, net vlan, ltm virtual (internal). See PEM on AskF5 for information on creating these objects.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_pe_01.
  • Because of the large number of objects created and referenced by this declaration, we do not list them all here. See the declaration and the Schema Reference for usage options.
{
    "class": "ADC",
    "schemaVersion": "3.2.0",
    "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab915d",
    "controls": {
        "logLevel": "debug",
        "trace": true
    },
    "Sample_pe_01": {
        "class": "Tenant",
        "testApp": {
            "class": "Application",
            "testPemPolicy": {
                "class": "Enforcement_Policy",
                "remark": "Test Enforcement Policy",
                "enable": false,
                "allTransactions": true,
                "rules": [
                    {
                        "name": "testPolicyRule1",
                        "precedence": 1,
                        "dscpMarkingDownlink": 0,
                        "dscpMarkingUplink": 0,
                        "gateStatusEnabled": true,
                        "interceptionEndpoint": {
                            "bigip": "/Common/testInterceptionEndpoint"
                        },
                        "iRule": {
                            "bigip": "/Common/testPemIRule"
                        },
                        "l2MarkingDownlink": 0,
                        "l2MarkingUplink": 0,
                        "qosBandwidthControllerUplink": {
                            "policy": {
                                "bigip": "/Common/testBwcPolicy"
                            },
                            "category": "testCat1"
                        },
                        "qosBandwidthControllerDownlink": {
                            "policy": {
                                "bigip": "/Common/testBwcPolicy"
                            },
                            "category": "testCat1"
                        },
                        "serviceChain": {
                            "bigip": "/Common/testServiceChain"
                        },
                        "tclFilter": "set str \"Hello World \";for {set i 1} {$i <= 3} {incr i} {\nappend str \"\" $i; }\n return [string match $str [ concat \"Hello World\" \"123\" ]]",
                        "tcpAnalyticsEnabled": true,
                        "tcpOptimizationDownlink": {
                            "use": "testTcpProfile"
                        },
                        "tcpOptimizationUplink": {
                            "use": "testTcpProfile"
                        },
                        "classificationFilters": [
                            {
                                "name": "testClassFilter1",
                                "application": {
                                    "bigip": "/Common/acrobat"
                                },
                                "invertMatch": true
                            },
                            {
                                "name": "testClassFilter2",
                                "category": {
                                    "bigip": "/Common/Audio"
                                },
                                "invertMatch": true
                            }
                        ],
                        "flowInfoFilters": [
                            {
                                "name": "testFlowFilter",
                                "invertMatch": true,
                                "dscpMarking": 0,
                                "destinationAddress": "10.238.8.60/32",
                                "destinationPort": 8080,
                                "sourceVlan": {
                                    "bigip": "/Common/testVlan"
                                },
                                "sourceAddress": "10.238.8.61/32",
                                "sourcePort": 8081,
                                "protocol": "tcp",
                                "ipAddressType": "ipv4"
                            },
                            {
                                "name": "testFlowFilterDefault"
                            }
                        ],
                        "forwarding": {
                            "type": "icap",
                            "fallbackAction": "continue",
                            "icapType": "both",
                            "icapService": {
                                "bigip": "/Common/testServiceTcp"
                            }
                        },
                        "insertContent": {
                            "duration": 5,
                            "frequency": "once-every",
                            "position": "prepend",
                            "tagName": "testTag",
                            "valueContent": "testContent",
                            "valueType": "tcl-snippet"
                        },
                        "modifyHttpHeader": {
                            "headerName": "testHeaderName",
                            "operation": "insert",
                            "valueContent": "testContent",
                            "valueType": "tcl-snippet"
                        },
                        "qoeReporting": {
                            "highSpeedLogPublisher": {
                                "use": "testLogPublisher"
                            },
                            "formatScript": {
                                "bigip": "/Common/testFormatScript"
                            }
                        },
                        "quota": {
                            "ratingGroup": {
                                "bigip": "/Common/testRatingGroup"
                            },
                            "reportingLevel": "rating-group"
                        },
                        "ranCongestion": {
                            "threshold": 2500,
                            "reportDestinationHsl": {
                                "highSpeedLogPublisher": {
                                    "use": "testLogPublisher"
                                },
                                "formatScript": {
                                    "bigip": "/Common/testFormatScript"
                                }
                            }
                        },
                        "usageReporting": {
                            "destination": "gx",
                            "applicationReportingEnabled": true,
                            "monitoringKey": "testMonitoringKey",
                            "granularity": "session",
                            "interval": 0,
                            "volume": {
                                "downlink": 5000,
                                "total": 10000,
                                "uplink": 5000
                            }
                        },
                        "urlCategorizationFilters": [
                            {
                                "name": "testUrlFilter",
                                "category": {
                                    "bigip": "/Common/Music"
                                },
                                "invertMatch": true
                            }
                        ]
                    },
                    {
                        "name": "testPolicyRule2",
                        "precedence": 1,
                        "gateStatusEnabled": false,
                        "DTOSTethering": {
                            "detectDtos": true,
                            "detectTethering": true,
                            "reportDestinationHsl": {
                                "highSpeedLogPublisher": {
                                    "use": "testLogPublisher"
                                },
                                "formatScript": {
                                    "bigip": "/Common/testFormatScript"
                                }
                            }
                        },
                        "quota": {
                            "reportingLevel": "service-id"
                        },
                        "usageReporting": {
                            "destination": "sd",
                            "applicationReportingEnabled": true,
                            "monitoringKey": "testMonitoringKey",
                            "granularity": "session",
                            "interval": 0,
                            "volume": {
                                "downlink": 5000,
                                "total": 10000,
                                "uplink": 5000
                            }
                        }
                    },
                    {
                        "name": "testPolicyRule3",
                        "precedence": 1,
                        "qosBandwidthControllerUplink": {
                            "policy": {
                                "bigip": "/Common/testBwcPolicy"
                            }
                        },
                        "qosBandwidthControllerDownlink": {
                            "policy": {
                                "bigip": "/Common/testBwcPolicy"
                            }
                        },
                        "forwarding": {
                            "type": "endpoint",
                            "fallbackAction": "continue",
                            "endpoint": {
                                "bigip": "/Common/testForwardEndpoint"
                            }
                        },
                        "usageReporting": {
                            "destination": "hsl",
                            "publisher": {
                                "use": "testLogPublisher"
                            },
                            "formatScript": {
                                "bigip": "/Common/testFormatScript"
                            },
                            "sessionReportingFields": [
                                "3gpp-parameters",
                                "application-id",
                                "called-station-id",
                                "calling-station-id",
                                "concurrent-flows",
                                "downlink-volume",
                                "duration-seconds",
                                "last-record-sent",
                                "new-flows",
                                "observation-time-seconds",
                                "record-reason",
                                "record-type",
                                "report-id",
                                "report-version",
                                "subscriber-id",
                                "subscriber-id-type",
                                "successful-transactions",
                                "terminated-flows",
                                "timestamp-msec",
                                "total-transactions",
                                "uplink-volume"
                            ],
                            "granularity": "session",
                            "interval": 5,
                            "volume": {
                                "downlink": 5000,
                                "total": 10000,
                                "uplink": 5000
                            }
                        }
                    },
                    {
                        "name": "testPolicyRule4",
                        "precedence": 1,
                        "forwarding": {
                            "type": "route-to-network",
                            "fallbackAction": "continue"
                        },
                        "usageReporting": {
                            "destination": "hsl",
                            "publisher": {
                                "use": "testLogPublisher"
                            },
                            "formatScript": {
                                "bigip": "/Common/testFormatScript"
                            },
                            "flowReportingFields": [
                                "application-id",
                                "destination-ip",
                                "destination-transport-port",
                                "downlink-volume",
                                "flow-end-milli-seconds",
                                "flow-end-seconds",
                                "flow-start-milli-seconds",
                                "flow-start-seconds",
                                "observation-time-seconds",
                                "protocol-identifier",
                                "record-type",
                                "report-id",
                                "report-version",
                                "route-domain",
                                "source-ip",
                                "source-transport-port",
                                "subscriber-id",
                                "subscriber-id-type",
                                "timestamp-msec",
                                "total-transactions",
                                "uplink-volume",
                                "url-category-id",
                                "vlan-id"
                            ],
                            "granularity": "flow",
                            "interval": 5,
                            "volume": {
                                "downlink": 5000,
                                "total": 10000,
                                "uplink": 5000
                            }
                        }
                    },
                    {
                        "name": "testPolicyRule5",
                        "precedence": 1,
                        "forwarding": {
                            "type": "http",
                            "redirectUrl": "https://localhost",
                            "fallbackAction": "continue"
                        },
                        "usageReporting": {
                            "destination": "hsl",
                            "publisher": {
                                "use": "testLogPublisher"
                            },
                            "transactionReportingFields": [
                                "application-id",
                                "destination-ip",
                                "destination-transport-port",
                                "downlink-volume",
                                "http-hostname",
                                "http-hostname-truncated",
                                "http-response-code",
                                "http-url",
                                "http-url-truncated",
                                "http-user-agent",
                                "http-user-agent-truncated",
                                "protocol-identifier",
                                "record-type",
                                "report-id",
                                "report-version",
                                "route-domain",
                                "skipped-transactions",
                                "source-ip",
                                "source-transport-port",
                                "subscriber-id",
                                "subscriber-id-type",
                                "transaction-classification-result",
                                "transaction-end-milli-seconds",
                                "transaction-end-seconds",
                                "transaction-number",
                                "transaction-start-milli-seconds",
                                "transaction-start-seconds",
                                "uplink-volume",
                                "url-category-id",
                                "vlan-id"
                            ],
                            "granularity": "transaction",
                            "interval": 0,
                            "transaction": {
                                "hostname": 500,
                                "uri": 60,
                                "userAgent": 10
                            }
                        }
                    },
                    {
                        "name": "testPolicyRule6",
                        "precedence": 1,
                        "usageReporting": {
                            "destination": "radius-accounting",
                            "radiusAAAService": {
                                "bigip": "/Common/testServiceRadiusAAA"
                            },
                            "granularity": "session",
                            "interval": 5,
                            "volume": {
                                "downlink": 5000,
                                "total": 10000,
                                "uplink": 5000
                            }
                        }
                    }
                ]
            },
            "testPemPolicyDefault": {
                "class": "Enforcement_Policy",
                "rules": [
                    {
                        "name": "testPolicyRuleDefault",
                        "precedence": 10
                    }
                ]
            },
            "testPemPolicyDefaultNoRule": {
                "class": "Enforcement_Policy"
            },
            "testTcpProfile": {
                "class": "TCP_Profile"
            },
            "testLogPublisher": {
                "class": "Log_Publisher",
                "destinations": [
                    {
                        "use": "testLogDestination"
                    }
                ]
            },
            "testLogDestination": {
                "class": "Log_Destination",
                "type": "remote-high-speed-log",
                "pool": {
                    "use": "testPool"
                }
            },
            "testPool": {
                "class": "Pool"
            }
        }
    }
}
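
The note above says the objects referenced with "bigip" must already exist on the BIG-IP, while "use" pointers refer to objects defined in the declaration itself. The following added example (not part of the F5 documentation or of BIG-IP AS3) walks a declaration and lists both kinds before you post it. The sample is constructed and trimmed from the declaration above, the function names are hypothetical, and the resolver assumes only bare names and absolute /Tenant/Application/name paths.

```python
# Constructed sample, trimmed from the shape of the declaration above.
# testTcpProfile is deliberately left undefined to show an unresolved pointer.
SAMPLE = {
    "class": "ADC",
    "schemaVersion": "3.2.0",
    "Sample_pe_01": {
        "class": "Tenant",
        "testApp": {
            "class": "Application",
            "testPemPolicy": {
                "class": "Enforcement_Policy",
                "rules": [{
                    "name": "testPolicyRule1",
                    "precedence": 1,
                    "iRule": {"bigip": "/Common/testPemIRule"},
                    "tcpOptimizationUplink": {"use": "testTcpProfile"},
                    "qoeReporting": {
                        "highSpeedLogPublisher": {"use": "testLogPublisher"},
                        "formatScript": {"bigip": "/Common/testFormatScript"},
                    },
                }],
            },
            "testLogPublisher": {"class": "Log_Publisher",
                                 "destinations": [{"use": "testLogDestination"}]},
            "testLogDestination": {"class": "Log_Destination",
                                   "type": "remote-high-speed-log",
                                   "pool": {"use": "testPool"}},
            "testPool": {"class": "Pool"},
        },
    },
}


def walk(node, path):
    """Yield (path, dict) for every JSON object nested under node."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (str(index),))


def resolves(decl, tenant, app, target):
    """True if a 'use' pointer names an object defined in the declaration."""
    # Assumption: bare names live in the same Application; anything starting
    # with "/" is an absolute /Tenant/Application/name path.
    parts = target.strip("/").split("/") if target.startswith("/") else [tenant, app, target]
    node = decl
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return isinstance(node, dict) and "class" in node


def audit_references(decl):
    """Return (external, unresolved): pre-existing objects and dangling 'use' pointers."""
    external, unresolved = {}, []
    for tname, tenant in decl.items():
        if not isinstance(tenant, dict) or tenant.get("class") != "Tenant":
            continue
        for aname, app in tenant.items():
            if not isinstance(app, dict) or app.get("class") != "Application":
                continue
            for path, node in walk(app, (tname, aname)):
                where = "/".join(path)
                if isinstance(node.get("bigip"), str):
                    external.setdefault(node["bigip"], []).append(where)
                target = node.get("use")
                if isinstance(target, str) and not resolves(decl, tname, aname, target):
                    unresolved.append((where, target))
    return external, unresolved
```

The keys of the first result are the objects to confirm on the BIG-IP before posting; the second result lists "use" pointers that name nothing in the declaration.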


Using BIG-IP PEM iRules in a declaration

This example shows how you can use BIG-IP Policy Enforcement Manager (PEM) iRules in your BIG-IP AS3 declarations.

BIG-IP PEM iRules differ in some ways from typical BIG-IP iRules; see the documentation for details (PEM iRules in the TMSH reference and PEM Policy documentation, PEM on f5.com and PEM on AskF5).

Also see Enforcement_iRule for usage options in your BIG-IP AS3 declarations.

Important

You must have the Policy Enforcement Manager (PEM) module licensed and provisioned on your BIG-IP to use these features.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_pem_irule_01.
  • An Enforcement Policy named testPemPolicy that contains rules that point to PEM iRules.
  • Two Enforcement (PEM) iRules.
{
    "class": "ADC",
    "schemaVersion": "3.16.0",
    "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab915d",
    "controls": {
        "logLevel": "debug",
        "trace": true
    },
    "Sample_pem_irule_01": {
        "class": "Tenant",
        "testApp": {
            "class": "Application",
            "testPemPolicy": {
                "class": "Enforcement_Policy",
                "remark": "Test Enforcement Policy with iRule",
                "enable": false,
                "allTransactions": true,
                "rules": [
                    {
                        "name": "testPolicyRule1",
                        "precedence": 1,
                        "iRule": {
                            "use": "pem_irule"
                        }
                    },
                    {
                        "name": "testPolicyRule2",
                        "precedence": 1,
                        "iRule": {
                            "use": "pem_irule_b64"
                        }
                    }
                ]
            },
            "pem_irule": {
                "class": "Enforcement_iRule",
                "iRule": "when PEM_POLICY {PEM::session create 192.0.3.10 subscriber-id a123 subscriber-type e164}"
            },
            "pem_irule_b64": {
                "class": "Enforcement_iRule",
                "iRule": {
                    "base64": "d2hlbiBQRU1fUE9MSUNZIHtQRU06OnNlc3Npb24gY3JlYXRlIDE5Mi4wLjMuMTAgc3Vic2NyaWJlci1pZCBhMTIzIHN1YnNjcmliZXItdHlwZSBlMTY0fQo="
                }
            }
        }
    }
}
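
A base64-encoded Enforcement_iRule is opaque in a diff or change review, so it helps to decode it and read it next to the inline form. The following added example (not part of the F5 documentation or of BIG-IP AS3) does that for every Enforcement_iRule in an Application and reports the events each rule handles. The sample Application is constructed from the iRule text shown above, and the function name review_irules is hypothetical.

```python
import base64
import re

# iRule text taken from the declaration above.
RULE = ("when PEM_POLICY {PEM::session create 192.0.3.10 "
        "subscriber-id a123 subscriber-type e164}")
ENCODED = base64.b64encode((RULE + "\n").encode("utf-8")).decode("ascii")

# Constructed sample Application in the shape of the declaration above.
SAMPLE_APP = {
    "class": "Application",
    "pem_irule": {"class": "Enforcement_iRule", "iRule": RULE},
    "pem_irule_b64": {"class": "Enforcement_iRule",
                      "iRule": {"base64": ENCODED}},
    # Constructed edge case: one "=" too many, which strict decoders reject.
    "pem_irule_padded": {"class": "Enforcement_iRule",
                         "iRule": {"base64": ENCODED + "="}},
}


def review_irules(app):
    """Return {name: details} for each Enforcement_iRule in an Application."""
    report = {}
    for name, obj in app.items():
        if not isinstance(obj, dict) or obj.get("class") != "Enforcement_iRule":
            continue
        body = obj.get("iRule")
        if isinstance(body, dict) and isinstance(body.get("base64"), str):
            encoded = body["base64"]
            raw = base64.b64decode(encoded)  # lenient: tolerates extra "="
            text = raw.decode("utf-8")
            # Canonical means re-encoding the bytes gives back the same string.
            canonical = base64.b64encode(raw).decode("ascii") == encoded
            encoding = "base64"
        elif isinstance(body, str):
            text, canonical, encoding = body, True, "inline"
        else:
            continue  # other iRule forms are out of scope for this example
        report[name] = {
            "encoding": encoding,
            "canonical": canonical,
            "events": re.findall(r"\bwhen\s+([A-Z0-9_]+)", text),
            "text": text.strip(),
        }
    return report


if __name__ == "__main__":
    for name, info in review_irules(SAMPLE_APP).items():
        flag = "" if info["canonical"] else "  [non-canonical base64]"
        print(f"{name} ({info['encoding']}){flag}: events={info['events']}")
        print("   ", info["text"])
```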


Using a Bandwidth Control policy in a virtual service

This example shows how you can reference a Bandwidth Control policy in a virtual service with the new policyBandwidthControl pointer in the Service classes. Bandwidth Control policies allow you to restrict bandwidth usage per subscriber, group of subscribers, per application, and so on. For more information, see Configuring Global Application Policies with Bandwidth Control. For BIG-IP AS3 usage, see Service_Generic or another Service object in the Schema Reference.

Note

The policyBandwidthControl property must point to a static policy, and not a dynamic policy. See Bandwidth_Control_Policy for usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named AS3_Tenant.
  • An Application named AS3_App.
  • A virtual server named myService that references the bandwidth control policy.
  • A bandwidth control policy named bwcPolicy that sets maxBandwidth to 10Mbps.
{
    "class": "ADC",
    "schemaVersion": "3.19.0",
    "id": "declarationId",
    "AS3_Tenant": {
        "class": "Tenant",
        "AS3_App": {
            "class": "Application",
            "myService": {
                "class": "Service_Generic",
                "virtualAddresses": [
                    "1.1.1.1"
                ],
                "virtualPort": 1000,
                "policyBandwidthControl": {
                    "use": "bwcPolicy"
                }
            },
            "bwcPolicy": {
                "class": "Bandwidth_Control_Policy",
                "maxBandwidth": 10
            }
        }
    }
}
