Profiles

This section contains example declarations that include useful BIG-IP profiles. This page does not include TLS/SSL profiles; see TLS Encryption for TLS/SSL profile examples.


Important

Most of the example declarations have been updated in the documentation for BIG-IP AS3 3.20 to remove any template that was specified, and rename any virtual services that used the name serviceMain to service. In BIG-IP AS3 3.20, the generic template is the default, which allows services to use any name.

This also means that many of these declarations will fail on a version prior to 3.20 unless you add a template. See this FAQ entry and this Troubleshooting entry for more information.

Creating an HTTP Analytics profile in a declaration

These examples show how you can use the Application Visibility and Reporting (AVR, or Analytics) module in a declaration as an analytics profile. The Analytics profile is a set of definitions that determines the circumstances under which the system gathers, logs, notifies, and graphically displays information regarding traffic to an application. For detailed information on AVR and the Analytics profile, see the BIG-IP Analytics: Implementations guide. For usage options for these features in your BIG-IP AS3 declarations, see the Analytics Profile class in the Schema Reference.

Important notes for using an Analytics profile:

  • You must have AVR provisioned on your BIG-IP system.
  • You cannot use the Analytics profile on a BIG-IP version between 13.1 and 13.1.0.6. Certain properties currently do not work on these versions.
  • The notificationBySnmp property set to true requires configuration of SNMP. BIG-IP AS3 does not support configuration of SNMP.
  • The notificationByEmail property set to true requires the configuration of SMTP. In addition, an HTTP Analytics profile inherits this property from the base /Common/analytics profile. BIG-IP AS3 does not support configuration of SMTP or modification of the base /Common/analytics profile.
  • The following properties have recommended values that are different than the default values:
    • collectClientSideStatistics - recommended value true (default value is false)
    • collectOsAndBrowser - recommended value false (default value is true)
    • collectMethod - recommended value false (default value is true)

There are two example declarations, one simple, one more full-featured. Both of the following declarations create the following objects on the BIG-IP:

  • Partition (tenant) named Sample_profile_01.
  • An HTTP service (virtual server) named serviceHttp.
  • An analytics profile for collecting statistics. See the schema reference and documentation for details.

a: Simple example of HTTP Analytics profile

{
    "class": "ADC",
    "schemaVersion": "3.6.0",
    "id": "SAMPLE_ANALYTICS_PROFILE_SIMPLE",
    "remark": "Simple analytics profile",
    "Sample_profile_01": {
        "class": "Tenant",
        "Sample_Analytics_Profile": {
            "class": "Application",
            "serviceHttp": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "192.0.2.240"
                ],
                "virtualPort": 8080,
                "profileAnalytics": {
                    "use": "statsProfile"
                }
            },
            "statsProfile": {
                "class": "Analytics_Profile",
                "collectClientSideStatistics": true,
                "collectOsAndBrowser": false,
                "collectMethod": false
            }
        }
    }
}

b: Detailed example of HTTP Analytics profile

{
    "class": "ADC",
    "schemaVersion": "3.6.0",
    "id": "SAMPLE_ANALYTICS_PROFILE",
    "remark": "Sample analytics profile",
    "Sample_profile_01": {
      "class": "Tenant",
      "Sample_Analytics_Profile": {
        "class": "Application",
        "apTest": {
          "class": "Analytics_Profile",
          "collectedStatsInternalLogging": true,
          "collectedStatsExternalLogging": true,
          "capturedTrafficInternalLogging": true,
          "capturedTrafficExternalLogging": true,
          "externalLoggingPublisher": {"bigip": "/Common/default-ipsec-log-publisher"},
          "notificationBySyslog": true,
          "notificationBySnmp": false,
          "notificationByEmail": true,
          "notificationEmailAddresses": [
            "aaaa@aa.a",
            "bbbb@bb.b",
            "cccc@cc.c"
          ],
          "publishIruleStatistics": true,
          "collectMaxTpsAndThroughput": true,
          "collectPageLoadTime": true,
          "collectClientSideStatistics": true,
          "collectUserSession": true,
          "collectUrl": true,
          "urlsForStatCollection": [
            "a.f5test/a.htm",
            "b.f5test/b.htm",
            "c.f5test/c.htm"
          ],
          "collectGeo": true,
          "countriesForStatCollection": [
            "Afghanistan",
            "Bahamas",
            "Cambodia",
            "Denmark",
            "Ecuador",
            "Falkland Islands (Malvinas)"
          ],
          "collectIp": true,
          "collectSubnet": true,
          "subnetsForStatCollection": [
            "198.19.192.0",
            "198.19.224.0"
          ],
          "collectResponseCode": true,
          "collectUserAgent": true,
          "collectMethod": true,
          "collectOsAndBrowser": true,
          "sessionCookieSecurity": "always-secure",
          "sessionTimeoutMinutes": 30
        },
        "serviceHttp": {
          "class": "Service_HTTP",
          "virtualAddresses": [
              "192.0.2.240"
          ],
          "virtualPort": 8080,
          "profileAnalytics": { "use": "apTest" }
        }
      }
    }
  }
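The recommended values and notification caveats listed in the notes above can be checked before a declaration is posted. The following is an added example, not F5 code: the function names and the sample declaration are constructed for illustration, and only the property names, defaults and recommendations come from this page.

```python
import json

# Recommended values from the notes on this page: (recommended, default).
RECOMMENDED = {
    "collectClientSideStatistics": (True, False),
    "collectOsAndBrowser": (False, True),
    "collectMethod": (False, True),
}
# Notification switches that rely on configuration BIG-IP AS3 cannot create.
NEEDS_EXTERNAL_CONFIG = {"notificationBySnmp": "SNMP", "notificationByEmail": "SMTP"}


def find_class(node, wanted, path=""):
    """Yield (path, object) for every object of the given AS3 class."""
    if isinstance(node, dict):
        if node.get("class") == wanted:
            yield path, node
        for key, value in node.items():
            yield from find_class(value, wanted, f"{path}/{key}")


def lint_analytics(doc):
    """Return (path, property, message) tuples for one declaration."""
    # Accept either a bare ADC declaration or an AS3 request wrapper.
    adc = doc["declaration"] if doc.get("class") == "AS3" else doc
    findings = []
    for path, profile in find_class(adc, "Analytics_Profile"):
        for prop, (recommended, default) in RECOMMENDED.items():
            # An omitted property takes the default, which is not the
            # recommended value for any of these three properties.
            value = profile.get(prop, default)
            if value != recommended:
                origin = "explicitly set" if prop in profile else "left at default"
                findings.append((path, prop,
                                 f"{origin} ({json.dumps(value)}); "
                                 f"recommended {json.dumps(recommended)}"))
        for prop, service in NEEDS_EXTERNAL_CONFIG.items():
            if profile.get(prop) is True:
                findings.append((path, prop,
                                 f"needs {service} configured on the BIG-IP outside AS3"))
    return findings


# Constructed sample: one profile follows the recommendations, one does not.
SAMPLE = {
    "class": "ADC",
    "schemaVersion": "3.6.0",
    "id": "constructed_sample",
    "Sample_profile_01": {
        "class": "Tenant",
        "Sample_Analytics_Profile": {
            "class": "Application",
            "statsProfile": {
                "class": "Analytics_Profile",
                "collectClientSideStatistics": True,
                "collectOsAndBrowser": False,
                "collectMethod": False,
            },
            "apTest": {
                "class": "Analytics_Profile",
                "collectMethod": True,
                "notificationBySnmp": False,
                "notificationByEmail": True,
            },
        },
    },
}

if __name__ == "__main__":
    for path, prop, message in lint_analytics(SAMPLE):
        print(f"{path}: {prop} {message}")
```
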



Using an Analytics profile with a Capture filter

These examples show how you can use the capture filter with the analytics profile to collect application traffic so that you can troubleshoot problems that have become apparent by monitoring application statistics. For detailed information on the Capture filter, see the Capture filter documentation. For usage options for these features in your BIG-IP AS3 declarations, see the Analytics Profile class in the Schema Reference.

Important notes for using an Analytics profile:

  • You must have AVR provisioned on your BIG-IP system.
  • You cannot use the Analytics profile on a BIG-IP version between 13.1 and 13.1.0.6. Certain properties currently do not work on these versions.

There are two example declarations, one simple, one more full-featured. Both of the following declarations create the following objects on the BIG-IP:

  • Partition (tenant) named Sample_analytics_capture.
  • An HTTP service (virtual server) named serviceHttp.
  • An analytics profile for collecting statistics with a capture filter. See the schema reference and documentation for details.

a: Simple example of HTTP Analytics profile with Capture filter

{
    "class": "ADC",
    "schemaVersion": "3.6.0",
    "id": "SAMPLE_ANALYTICS_capture_simple",
    "remark": "Sample analytics capture profile simple",
    "Sample_analytics_capture": {
        "class": "Tenant",
        "Sample_Analytics_Request": {
            "class": "Application",
            "serviceHttp": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "192.0.2.241"
                ],
                "virtualPort": 8080,
                "profileAnalytics": {
                    "use": "statsProf"
                }
            },
            "statsProf": {
                "class": "Analytics_Profile",
                "capturedTrafficInternalLogging": true,
                "captureFilter": {
                    "requestCapturedParts": "headers",
                    "responseCapturedParts": "headers"
                }
            }
        }
    }
}

b: Detailed example of HTTP Analytics profile with Capture filter

{
    "class": "ADC",
    "schemaVersion": "3.9.0",
    "id": "Example_ANALYTICS_PROFILE_with_Capture_filter",
    "remark": "Analytics example full with capture filter",
    "Sample_analytics_capture": {
      "class": "Tenant",
      "TEST_ANALYTICS_Profile": {
        "class": "Application",
        "service": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "192.0.2.19",
            "192.0.2.20",
            "192.0.2.21"
          ],
          "virtualPort": 80,
          "profileAnalytics": { "use": "pA_Sample"},
          "pool": "poolRoundRobin"
        },
        "poolRoundRobin": {
          "class": "Pool",
          "loadBalancingMode": "round-robin",
          "monitors": [
              "http"
          ],
          "members": [
            {
              "servicePort": 80,
              "serverAddresses": [
                "192.0.2.58",
                "192.0.2.59",
                "192.0.2.60"
              ]
            }
          ]
        },
        "pA_Sample": {
          "class": "Analytics_Profile",
          "collectedStatsInternalLogging": true,
          "collectedStatsExternalLogging": false,
          "capturedTrafficInternalLogging": true,
          "capturedTrafficExternalLogging": false,
          "captureFilter": {
              "requestCapturedParts": "body",
              "responseCapturedParts": "all",
              "dosActivity": "mitigated-by-dosl7",
              "capturedProtocols": "http",
              "capturedReadyForJsInjection": "enabled",
              "requestContentFilterSearchPart": "body",
              "requestContentFilterSearchString": "something request something",
              "responseContentFilterSearchPart": "all",
              "responseContentFilterSearchString": "something respone something",
              "virtualServers": [
                  "service-1-"
              ],
              "nodeAddresses": [
                  "192.0.2.59"
              ],
              "responseCodes": [
                  400,
                  401,
                  402
              ],
              "methods": [
                  "GET",
                  "POST",
                  "PUT"
              ],
              "urlFilterType": "white-list",
              "urlPathPrefixes": [
                  "a.org",
                  "b.org",
                  "c.org"
              ],
              "userAgentSubstrings": [
                  "Mozilla (01",
                  "Mozilla (02",
                  "Mozilla (03"
              ],
              "clientIps": [
                  "10.9.10.10",
                  "10.9.10.11",
                  "10.9.10.12"
              ]
          }
        }
      }
    }
  }



Using a Multiplex (OneConnect) profile in a declaration

This example shows how you can use a multiplex (called OneConnect on the BIG-IP) profile in your declarations. See the Schema Reference for usage options and information. For more information on the OneConnect profile, see About OneConnect Profiles in the BIG-IP documentation.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_profile_02.
  • An HTTP service (virtual server) named service.
  • A OneConnect profile named testMux for multiplexing connections.

{
    "class": "ADC",
    "schemaVersion": "3.7.0",
    "id": "1234",
    "remark": "Sample OneConnect multiplex profile",
    "Sample_profile_02": {
        "class": "Tenant",
        "Tenant_1": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                "10.10.1.3"
                ],
                "profileMultiplex": {
                    "use": "testMux"
                }
            },
            "testMux": {
                "class": "Multiplex_Profile",
                "maxConnections": 5000,
                "maxConnectionAge": 3600,
                "maxConnectionReuse": 20000,
                "idleTimeoutOverride": 900,
                "connectionLimitEnforcement": "idle",
                "sharePools": true
            }
        }
    }
}



Using existing FTP and SIP profiles in a declaration

This example shows how you can use existing SIP and FTP profiles in a declaration. In this example, our BIG-IP system already has testSIP and testFTP profiles in the Common partition. See the Schema Reference for usage options and information.

Note

In BIG-IP AS3 3.39 and later, you can also reference a SIP profile from the Service_UDP class.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_profile_03.
  • Two TCP services (virtual servers) named service, with Descriptions of A1 and A2.
  • A profileSIP object that references our existing testSIP profile.
  • A profileFTP object that references our existing testFTP profile.
{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
       "class": "ADC",
       "schemaVersion": "3.0.0",
       "id": "fghijkl7890",
       "label": "existing SIP and FTP profiles",
       "Sample_profile_03": {
          "class": "Tenant",
          "A1": {
             "class": "Application",
             "service": {
                "class": "Service_TCP",
                "virtualAddresses": [
                   "10.0.6.100"
                ],
                "virtualPort": 443,
                "profileSIP": {
                    "bigip": "/Common/testSIP"
                },
                "pool": "tcp_pool"
             },
            "tcp_pool": {
                "class": "Pool",
                "monitors": [
                   "tcp"
                ],
                "members": [{
                   "servicePort": 443,
                   "serverAddresses": [
                      "192.0.6.10",
                      "192.0.6.11"
                   ]
                }]
             }
          },

         "A2": {
             "class": "Application",
             "service": {
                "class": "Service_TCP",
                "virtualAddresses": [
                   "10.0.6.100"
                ],
                "virtualPort": 443,
                "profileFTP": {
                    "bigip": "/Common/testFTP"
                },
                "pool": "ftp_pool"
             },

             "ftp_pool": {
                "class": "Pool",
                "monitors": [
                   "tcp"
                ],
                "members": [{
                   "servicePort": 21,
                   "serverAddresses": [
                      "192.0.6.10",
                      "192.0.6.11"
                   ]
                }]
             }
          }
       }     
    }
}


Using a Traffic Log profile in a declaration

This example shows how you can use a Traffic Log profile in a declaration. The Traffic Log profile in BIG-IP AS3 creates a Request Logging profile on the BIG-IP system, which gives you the ability to configure data within a log file for HTTP requests and responses, in accordance with specified parameters. For more information, see Request Logging documentation, and the Schema Reference for BIG-IP AS3 usage options and information.

This declaration creates the following objects on the BIG-IP:

  • Two partitions (tenants) named Sample_profile_04, and tenant2.
  • The Sample_profile_04 tenant includes a detailed Traffic Log profile (see Traffic Log profile in the Schema Reference for details and usage) and a pool named “thePool”.
  • The tenant2 tenant includes a virtual server named service and the default Traffic Log profile.

Note: This example does not include real certificates, so if you post the following declaration, you will receive an invalid certificate error. Replace the values of certificate and privateKey with your own certificates.

{
    "class": "ADC",
    "schemaVersion": "3.8.0",
    "id": "Traffic_Log_Profile",
    "Sample_profile_04": {
        "class": "Tenant",
        "app": {
            "class": "Application",
            "trafLogProf": {
                "class": "Traffic_Log_Profile",
                "parentProfile": {
                    "use": "trafLog"
                },
                "requestSettings": {
                    "requestErrorLoggingEnabled": true,
                    "proxyCloseOnErrorEnabled": true,
                    "proxyRespondOnLoggingErrorEnabled": true,
                    "requestErrorProtocol": "mds-tcp",
                    "requestProtocol": "mds-tcp",
                    "requestEnabled": true,
                    "proxyResponse": "Proxy Response",
                    "requestErrorPool": {
                        "use": "thePool"
                    },
                    "requestErrorTemplate": "ERR TEMPLATE:",
                    "requestPool": {
                        "use": "thePool"
                    },
                    "requestTemplate": "REQ TEMP"
                },
                "responseSettings": {
                    "byDefaultEnabled": false,
                    "responseErrorLoggingEnabled": true,
                    "responseErrorProtocol": "mds-tcp",
                    "responseProtocol": "mds-tcp",
                    "responseEnabled": true,
                    "responseErrorPool": {
                        "use": "thePool"
                    },
                    "responseErrorTemplate": "ERROR: ",
                    "responsePool": {
                        "use": "thePool"
                    },
                    "responseTemplate": "TEMPLATE"
                }
            },
            "thePool": {
                "class": "Pool"
            },
            "trafLog": {
                "class": "Traffic_Log_Profile"
            }
        }
    },
    "tenant2": {
        "class": "Tenant",
        "app2": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualAddresses": ["1.1.1.1"],
                "virtualPort": 23,
                "profileTrafficLog": {
                    "use": "trafLogProf2"
                }
            },
            "trafLogProf2": {
                "class": "Traffic_Log_Profile"
            }
        }
    }
}



Using a WebSocket profile in a declaration

This example shows how you can use a WebSocket profile in a declaration. When you assign a WebSocket profile to a virtual server, the virtual server informs clients that a WebSocket virtual server is available to respond to WebSocket requests. WebSocket frames that contain payload data are masked with a 32-bit key. You can determine what the BIG-IP system does with this key by specifying one of the following values: preserve, remask, selective, unmask. For detailed information on the WebSocket profile, see Websocket documentation and HTTP Profile class in the Schema Reference for usage and options.

Important

The following properties require TMOS 16.1 or later: compressMode, compression, maximumWindowSize, and noDelay. The example was updated in AS3 3.40 to include the Websocket profile.

New in BIG-IP AS3 3.45 and later
In BIG-IP AS3 versions prior to 3.45, the WebSocket profile was referenced from an HTTP profile. In AS3 3.45 and later, the WebSocket profile can be referenced directly from the virtual service (an HTTP profile is still required). Referencing from an HTTP profile is deprecated, but still allowed for backwards compatibility. We include examples of both methods in the following examples.

Example for BIG-IP AS3 3.45 and later

This declaration creates the following objects on the BIG-IP (you MUST be on AS3 3.45 or later to use this example):

  • Partition (tenant) named Sample_WebSocket_Profile.
  • An HTTP service (virtual server) named service that references the WebSocket profile and the HTTP profile.
  • A default HTTP profile.
  • A WebSocket profile with a number of properties.
{
    "class": "ADC",
    "schemaVersion": "3.45.0",
    "id": "TEST_Websocket_Profile",
    "remark": "Test Websocket profiles",
    "Sample_WebSocket_Profile": {
        "class": "Tenant",
        "TEST_Websocket_Profile": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualPort": 80,
                "virtualAddresses": [
                    "192.0.2.0"
                ],
                "profileHTTP": {
                    "use": "httpProfile"
                },
                "profileWebSocket": {
                    "use": "webSocketProfile"
                }
            },
            "httpProfile": {
                "class": "HTTP_Profile"
            },
            "webSocketProfile": {
                "class": "WebSocket_Profile",
                "masking": "selective",
                "compressMode": "preserved",
                "compression": true,
                "maximumWindowSize": 10,
                "noDelay": true
            }
        }
    }
}

Example for BIG-IP AS3 3.44 and earlier

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_WebSocket_Profile.
  • An HTTP service (virtual server) named service that references the HTTP profile.
  • An HTTP profile that references the WebSocket profile.
  • A WebSocket profile with a number of properties.
{
    "class": "ADC",
    "schemaVersion": "3.8.0",
    "id": "TEST_Websocket_Profile",
    "remark": "Test Websocket profiles",
    "Sample_WebSocket_Profile": {
        "class": "Tenant",
        "TEST_Websocket_Profile": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualPort": 80,
                "virtualAddresses": [
                    "1.2.3.4"
                ],
                "profileHTTP": {
                    "use": "httpProfile"
                }
            },
            "httpProfile": {
                "class": "HTTP_Profile",
                "profileWebSocket": {
                    "use": "webSocketProfile"
                }
            },
            "webSocketProfile": {
                "class": "WebSocket_Profile",
                "masking": "selective",
                "compressMode": "preserved",
                "compression": true,
                "maximumWindowSize": 10,
                "noDelay": true
            }
        }
    }
}
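The version rules stated on this page (a template is needed before AS3 3.20, a service can reference a WebSocket profile directly only from 3.45, the HTTP-profile reference is deprecated from 3.45, and four WebSocket properties need TMOS 16.1) can be checked against a target AS3 version before posting. This is an added example, not F5 code: the function names are hypothetical and the two sample declarations are trimmed copies of the WebSocket examples above.

```python
# WebSocket_Profile properties this page says require TMOS 16.1 or later.
TMOS_16_1_PROPS = ("compressMode", "compression", "maximumWindowSize", "noDelay")


def as3_version(text):
    """Turn '3.44' or '3.44.0' into the comparable tuple (3, 44)."""
    major, minor = text.split(".")[:2]
    return int(major), int(minor)


def check_compat(doc, target):
    """Return (severity, path, message) tuples for the AS3 version in target."""
    ver = as3_version(target)
    adc = doc["declaration"] if doc.get("class") == "AS3" else doc
    findings = []
    for t_name, tenant in adc.items():
        if not (isinstance(tenant, dict) and tenant.get("class") == "Tenant"):
            continue
        for a_name, app in tenant.items():
            if not (isinstance(app, dict) and app.get("class") == "Application"):
                continue
            app_path = f"/{t_name}/{a_name}"
            # Per the note at the top of this page: before 3.20 there is no
            # default template, so a declaration without one is expected to fail.
            if ver < (3, 20) and "template" not in app:
                findings.append(("error", app_path, "add a template for AS3 before 3.20"))
            for name, obj in app.items():
                if not isinstance(obj, dict):
                    continue
                cls, path = obj.get("class", ""), f"{app_path}/{name}"
                if cls.startswith("Service_") and "profileWebSocket" in obj:
                    if ver < (3, 45):
                        findings.append(("error", path,
                                         "profileWebSocket on a service needs AS3 3.45 or later"))
                elif cls == "HTTP_Profile" and "profileWebSocket" in obj:
                    if ver >= (3, 45):
                        findings.append(("warning", path,
                                         "profileWebSocket on an HTTP profile is deprecated"))
                elif cls == "WebSocket_Profile":
                    used = [p for p in TMOS_16_1_PROPS if p in obj]
                    if used:
                        findings.append(("info", path,
                                         "requires TMOS 16.1 or later: " + ", ".join(used)))
    return findings


def _declaration(service_extra, http_extra):
    """Build a trimmed WebSocket declaration (constructed from this page)."""
    service = {"class": "Service_HTTP", "virtualPort": 80,
               "virtualAddresses": ["192.0.2.0"],
               "profileHTTP": {"use": "httpProfile"}}
    service.update(service_extra)
    http = {"class": "HTTP_Profile"}
    http.update(http_extra)
    return {
        "class": "ADC", "schemaVersion": "3.8.0", "id": "TEST_Websocket_Profile",
        "Sample_WebSocket_Profile": {
            "class": "Tenant",
            "TEST_Websocket_Profile": {
                "class": "Application",
                "service": service,
                "httpProfile": http,
                "webSocketProfile": {"class": "WebSocket_Profile",
                                     "masking": "selective",
                                     "compression": True,
                                     "noDelay": True},
            },
        },
    }


# Referenced from the service (3.45 and later) and from the HTTP profile (older).
NEW_STYLE = _declaration({"profileWebSocket": {"use": "webSocketProfile"}}, {})
OLD_STYLE = _declaration({}, {"profileWebSocket": {"use": "webSocketProfile"}})

if __name__ == "__main__":
    for version in ("3.19", "3.44", "3.45"):
        for label, decl in (("new", NEW_STYLE), ("old", OLD_STYLE)):
            for finding in check_compat(decl, version):
                print(version, label, *finding)
```
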



Using a Rewrite profile in a declaration

This example shows how you can use a Rewrite profile in a declaration. With a Rewrite profile, the BIG-IP system can perform URI scheme, host, port, and path modifications as HTTP traffic passes through the system. For detailed information, see Rewrite profile documentation and Rewrite profile in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_profile_06.
  • A Generic service (virtual server) named virtualServer.
  • A Rewrite profile named rewriteProf that includes a number of properties (see Rewrite profile in the Schema Reference for details and usage).
{
    "class": "ADC",
    "updateMode": "selective",
    "schemaVersion": "3.0.0",
    "id": "TEST_Rewrite_Profile",
    "Sample_profile_06": {
        "class": "Tenant",
        "TEST_Rewrite_Profile": {
            "class": "Application",
            "virtualServer": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "1.1.1.2"   
                ],
                "virtualPort":  80,
                "profileRewrite": {
                    "use": "rewriteProf"
                }
            },
            "rewriteProf": {
                "class": "Rewrite_Profile",
                "bypassList": [
                    "https://www.google.com",
                    "http://www.a.uri.com"
                ],
                "clientCachingType": "no-cache",
                "javaCaFile": {
                    "bigip": "/Common/default.crt"
                },
                "certificate": "cert_and_key",
                "javaSignKeyPassphrase": {
                    "ciphertext": "ZjVmNQ==",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",
                    "ignoreChanges": true
                },
                "locationSpecificEnabled": true,
                "requestSettings": {
                    "insertXforwardedForEnabled": false,
                    "insertXforwardedHostEnabled": true,
                    "insertXforwardedProtoEnabled": true,
                    "rewriteHeadersEnabled": false
                },
                "responseSettings": {
                    "rewriteContentEnabled": false,
                    "rewriteHeadersEnabled": false
                },
                "rewriteList": [
                    "https://www.example.com",
                    "https://www.rewritethis.net"
                ],
                "rewriteMode": "uri-translation",
                "setCookieRules": [
                    {
                        "client": {
                            "domain": "clientDomain1",
                            "path": "/"
                        },
                        "server": {
                            "domain": "serverDomain1",
                            "path": "/"
                        }
                    },
                    {
                        "client": {
                            "domain": "clientDomain2",
                            "path": "/"
                        },
                        "server": {
                            "domain": "serverDomain2",
                            "path": "/"
                        }
                    }
                ],
                "splitTunnelingEnabled": true,
                "uriRules": [
                    {
                        "type": "response",
                        "client": {
                            "path": "/",
                            "host": "www.google.com",
                            "scheme": "https",
                            "port": "100"
                        },
                        "server": {
                            "path": "/",
                            "host": "www.example.com",
                            "scheme": "http",
                            "port": "80"
                        }
                    },
                    {
                        "type": "request",
                        "client": {
                            "path": "/"
                        },
                        "server": {
                            "path": "/"
                        }
                    }
                ]
            },
            "cert_and_key": {
                "class": "Certificate",
                "remark": "in practice not using a passphrase is not recommended",
                "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
                "privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
            }
        }
    }
}
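In the declaration above, the protected value of javaSignKeyPassphrase decodes to the JOSE header {"alg":"dir","enc":"none"}, so the ciphertext field is base64 text rather than encrypted data, and the Certificate object carries a private key with no passphrase (which its own remark advises against). The following added example, which is not F5 code, flags both conditions so that declaration files holding them can be handled as secrets; the function names and finding codes are hypothetical, and the sample is a trimmed copy of the declaration above.

```python
import base64
import json


def b64url_bytes(text):
    """Decode base64url text that may have had its padding stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def walk(node, path=""):
    """Yield (path, dict) for every JSON object, including those in lists."""
    if isinstance(node, dict):
        yield path or "/", node
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}/{index}")


def audit_secrets(declaration):
    """Return (path, code, detail) tuples; the secret itself is never returned."""
    findings = []
    for path, obj in walk(declaration):
        if "ciphertext" in obj:
            if "protected" not in obj:
                findings.append((path, "header-missing", "no protected header to inspect"))
                continue
            try:
                header = json.loads(b64url_bytes(obj["protected"]))
                if not isinstance(header, dict):
                    raise ValueError("JOSE header is not a JSON object")
                if header.get("enc") == "none":
                    size = len(b64url_bytes(obj["ciphertext"]))
                    findings.append((path, "enc-none",
                                     f"ciphertext is base64 of a {size}-byte value, not encrypted"))
            except ValueError:  # covers base64, UTF-8 and JSON decoding errors
                findings.append((path, "header-unreadable",
                                 "protected is not base64url-encoded JSON"))
        if (obj.get("class") == "Certificate"
                and isinstance(obj.get("privateKey"), str)
                and "passphrase" not in obj):
            findings.append((path, "key-without-passphrase",
                             "inline privateKey has no passphrase"))
    return findings


# Trimmed copy of the Rewrite profile declaration on this page.
SAMPLE = {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "TEST_Rewrite_Profile",
    "Sample_profile_06": {
        "class": "Tenant",
        "TEST_Rewrite_Profile": {
            "class": "Application",
            "rewriteProf": {
                "class": "Rewrite_Profile",
                "certificate": "cert_and_key",
                "javaSignKeyPassphrase": {
                    "ciphertext": "ZjVmNQ==",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",
                    "ignoreChanges": True,
                },
            },
            "cert_and_key": {
                "class": "Certificate",
                "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
                "privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----",
            },
        },
    },
}

if __name__ == "__main__":
    for path, code, detail in audit_secrets(SAMPLE):
        print(f"{code}: {path}: {detail}")
```
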



Using a DoS profile in a declaration

This example shows how you can use a Denial of Service (DoS) profile in a declaration. The DoS profile can provide specific attack prevention at a very granular level. In the following example, we include nearly all of the available features in the DoS profile, with the exception of Mobile Defense, which we show in example 10. For detailed information on DoS profiles and the features in this declaration, see DoS Protection and Protocol Firewall Implementations (pdf). Also see the Schema Reference for usage options for using these features in your BIG-IP AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_dos_01.
  • A DoS profile with denylisted and allowlisted geolocations and address lists, URL protection, bot defense, rate-based protection and more. See the documentation and schema reference for details.
{
    "class": "ADC",
    "schemaVersion": "3.26.0",
    "id": "DOS_Profile",
    "Sample_dos_01": {
        "class": "Tenant",
        "DOSApp": {
            "class": "Application",
            "Service": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "192.0.2.1"
                ],
                "profileDOS": {
                    "use": "DOS_Profile"
                }
            },
            "DOS_Profile": {
                "class": "DOS_Profile",
                "application": {
                    "denylistedGeolocations": [
                        "Timor-Leste",
                        "Cocos (Keeling) Islands"
                    ],
                    "allowlistedGeolocations": [
                        "Bonaire, Saint Eustatius and Saba",
                        "Cote D'Ivoire"
                    ],
                    "captchaResponse": {
                        "first": "Are you a robot&quest;<br><br>%DOSL7.captcha.image% %DOSL7.captcha.change%<br><b>What code is in the image&quest;</b>%DOSL7.captcha.solution%<br>%DOSL7.captcha.submit%<br><br>Your supportID is: %DOSL7.captcha.support_id%.",
                        "failure": "Error!<br><br>%DOSL7.captcha.image% %DOSL7.captcha.change%<br><b>What code is in the image&quest;</b>%DOSL7.captcha.solution%<br>%DOSL7.captcha.submit%<br><br>Your support ID is: %DOSL7.captcha.support_id%."
                    },
                    "heavyURLProtection": {
                        "automaticDetectionEnabled": true,
                        "detectionThreshold": 16,
                        "excludeList": [
                            "example.com"
                        ],
                        "protectList": [
                            {
                                "url": "www.google.com",
                                "threshold": 0
                            }
                        ]
                    },
                    "triggerIRule": true,
                    "scrubbingDuration": 42,
                    "remoteTriggeredBlackHoleDuration": 10,
                    "botDefense": {
                        "mode": "during-attacks",
                        "blockSuspiscousBrowsers": true,
                        "issueCaptchaChallenge": true,
                        "gracePeriod": 4000,
                        "crossDomainRequests": "validate-bulk",
                        "siteDomains": [
                            "www.google.com"
                        ],
                        "externalDomains": [
                            "www.yahoo.com"
                        ],
                        "urlAllowlist": [
                            "www.bing.com"
                        ]
                    },
                    "botSignatures": {
                        "checkingEnabled": true,
                        "blockedCategories": [
                            {
                                "bigip": "/Common/Search Engine"
                            }
                        ],
                        "reportedCategories": [
                            {
                                "bigip": "/Common/Crawler"
                            }
                        ]
                    },
                    "rateBasedDetection": {
                        "operationMode": "off",
                        "thresholdsMode": "manual",
                        "escalationPeriod": 120,
                        "deEscalationPeriod": 7200,
                        "sourceIP": {
                            "minimumTps": 40,
                            "tpsIncreaseRate": 500,
                            "maximumTps": 200,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true,
                            "rateLimitingMode": "rate-limit"
                        },
                        "deviceID": {
                            "minimumTps": 40,
                            "tpsIncreaseRate": 500,
                            "maximumTps": 200,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true,
                            "rateLimitingMode": "rate-limit"
                        },
                        "geolocation": {
                            "minimumShare": 10,
                            "shareIncreaseRate": 500,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true,
                            "rateLimitingMode": "rate-limit"
                        },
                        "url": {
                            "minimumTps": 40,
                            "tpsIncreaseRate": 500,
                            "maximumTps": 200,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true
                        },
                        "site": {
                            "minimumTps": 40,
                            "tpsIncreaseRate": 500,
                            "maximumTps": 200,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true
                        }
                    },
                    "stressBasedDetection": {
                        "badActor": {
                            "detectionEnabled": false,
                            "mitigationMode": "none",
                            "signatureDetectionEnabled": false,
                            "useApprovedSignaturesOnly": false
                        },
                        "operationMode": "off",
                        "thresholdsMode": "manual",
                        "escalationPeriod": 120,
                        "deEscalationPeriod": 7200,
                        "sourceIP": {
                            "minimumTps": 40,
                            "tpsIncreaseRate": 500,
                            "maximumTps": 200,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true,
                            "rateLimitingMode": "rate-limit"
                        },
                        "deviceID": {
                            "minimumTps": 40,
                            "tpsIncreaseRate": 500,
                            "maximumTps": 200,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true,
                            "rateLimitingMode": "rate-limit"
                        },
                        "geolocation": {
                            "minimumShare": 10,
                            "shareIncreaseRate": 500,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true,
                            "rateLimitingMode": "rate-limit"
                        },
                        "url": {
                            "minimumTps": 40,
                            "tpsIncreaseRate": 500,
                            "maximumTps": 200,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true,
                            "heavyURLProtectionEnabled": true
                        },
                        "site": {
                            "minimumTps": 40,
                            "tpsIncreaseRate": 500,
                            "maximumTps": 200,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true
                        }
                    },
                    "recordTraffic": {
                        "maximumDuration": 10,
                        "maximumSize": 10,
                        "recordTrafficEnabled": false,
                        "repetitionInterval": 10
                    }
                },
                "network": {
                    "dynamicSignatures": {
                        "detectionMode": "enabled",
                        "mitigationMode": "medium",
                        "scrubbingEnabled": true,
                        "scrubbingCategory": {
                            "bigip": "/Common/attacked_ips"
                        },
                        "scrubbingDuration": 60
                    },
                    "vectors": [
                        {
                            "type": "hop-cnt-low",
                            "state": "learn-only",
                            "thresholdMode": "manual",
                            "rateThreshold": 40000,
                            "rateIncreaseThreshold": 600,
                            "rateLimit": 1000000,
                            "simulateAutoThresholdEnabled": true,
                            "badActorSettings": {
                                "enabled": true,
                                "sourceDetectionThreshold": 0,
                                "sourceMitigationThreshold": 0
                            },
                            "autoDenylistSettings": {
                                "enabled": true,
                                "category": {
                                    "bigip": "/Common/botnets"
                                },
                                "attackDetectionTime": 1,
                                "categoryDuration": 60,
                                "externalAdvertisementEnabled": true
                            }
                        }
                    ]
                },
                "protocolDNS": {
                    "vectors": [
                        {
                            "type": "ptr",
                            "state": "mitigate",
                            "thresholdMode": "fully-automatic",
                            "autoAttackFloor": 0,
                            "autoAttackCeiling": 0
                        }
                    ]
                },
                "allowlist": {
                    "use": "addressList"
                },
                "applicationAllowlist": {
                    "use": "addressListHTTP"
                }
            },
            "addressList": {
                "class": "Firewall_Address_List",
                "addresses": [
                    "10.0.0.10"
                ]
            },
            "addressListHTTP": {
                "class": "Firewall_Address_List",
                "addresses": [
                    "10.0.0.11"
                ]
            }
        }
    }
}

Using a DoS profile for Mobile Defense

This example shows how you can use a Denial of Service (DoS) profile in a declaration specific to mobile protection. See the Schema Reference for usage options for using these features in your BIG-IP AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_dos_02.
  • A DoS profile with mobile defense enabled.
{
    "class": "ADC",
    "schemaVersion": "3.6.0",
    "id": "DOS_Profile",
    "Sample_dos_02": {
      "class": "Tenant",
      "Application": {
        "class": "Application",
        "DOS_Profile": {
          "class": "DOS_Profile",
          "application": {
            "scrubbingDuration": 42,
            "remoteTriggeredBlackHoleDuration": 10,
            "mobileDefense": {
              "enabled": true,
              "allowAndroidPublishers": [{
                  "bigip": "/Common/default.crt"
                }
              ],
              "allowAndroidRootedDevice": true,
              "allowIosPackageNames": ["theName"],
              "allowJailbrokenDevices": true,
              "allowEmulators": true,
              "clientSideChallengeMode": "challenge"
            }
          }
        }
      }
    }
}
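
The sample above sets every device-relaxing Mobile Defense option to true and uses stand-in values for the publisher certificate and iOS package name. The following pre-deployment check is an added example, not part of the F5 documentation or of BIG-IP AS3: it walks a declaration and reports those settings. The function names, the `SAMPLE_PLACEHOLDERS` set and the hardened values are assumptions made for illustration.

```python
import copy

# Mobile Defense properties that, when true, admit a client type the
# profile could otherwise refuse (names taken from the declaration above).
RELAXING_FLAGS = ("allowAndroidRootedDevice", "allowJailbrokenDevices", "allowEmulators")

# Assumption: these stand-in values from the sample should never reach production.
SAMPLE_PLACEHOLDERS = {"/Common/default.crt", "theName"}

# The Mobile Defense declaration from this page, as a Python dict.
SAMPLE_DECLARATION = {
    "class": "ADC",
    "schemaVersion": "3.6.0",
    "id": "DOS_Profile",
    "Sample_dos_02": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "DOS_Profile": {
                "class": "DOS_Profile",
                "application": {
                    "scrubbingDuration": 42,
                    "remoteTriggeredBlackHoleDuration": 10,
                    "mobileDefense": {
                        "enabled": True,
                        "allowAndroidPublishers": [{"bigip": "/Common/default.crt"}],
                        "allowAndroidRootedDevice": True,
                        "allowIosPackageNames": ["theName"],
                        "allowJailbrokenDevices": True,
                        "allowEmulators": True,
                        "clientSideChallengeMode": "challenge",
                    },
                },
            },
        },
    },
}


def adc_root(doc):
    """Return the ADC declaration, unwrapping an AS3 request envelope if present."""
    return doc["declaration"] if doc.get("class") == "AS3" else doc


def iter_class(doc, class_name):
    """Yield (path, obj) for every object of class_name under Tenant/Application."""
    for tenant, t_body in adc_root(doc).items():
        if not (isinstance(t_body, dict) and t_body.get("class") == "Tenant"):
            continue
        for app, a_body in t_body.items():
            if not (isinstance(a_body, dict) and a_body.get("class") == "Application"):
                continue
            for name, obj in a_body.items():
                if isinstance(obj, dict) and obj.get("class") == class_name:
                    yield f"/{tenant}/{app}/{name}", obj


def audit_mobile_defense(doc):
    """Return a sorted list of (path, property, reason) findings."""
    findings = []
    for path, profile in iter_class(doc, "DOS_Profile"):
        md = profile.get("application", {}).get("mobileDefense")
        if not isinstance(md, dict):
            continue
        if md.get("enabled") is False:
            findings.append((path, "enabled", "mobile defense explicitly disabled"))
        for flag in RELAXING_FLAGS:
            if md.get(flag) is True:
                findings.append((path, flag, "set to true; confirm this is intended"))
        publishers = [p.get("bigip") or p.get("use")
                      for p in md.get("allowAndroidPublishers", []) if isinstance(p, dict)]
        allowlists = (("allowAndroidPublishers", publishers),
                      ("allowIosPackageNames", md.get("allowIosPackageNames", [])))
        for prop, values in allowlists:
            for value in values:
                if value in SAMPLE_PLACEHOLDERS:
                    findings.append((path, prop, f"sample placeholder {value!r}"))
    return sorted(findings)


def hardened_variant():
    """Constructed variant: relaxing flags off, placeholders replaced (hypothetical names)."""
    doc = copy.deepcopy(SAMPLE_DECLARATION)
    md = doc["Sample_dos_02"]["Application"]["DOS_Profile"]["application"]["mobileDefense"]
    md.update(allowAndroidRootedDevice=False, allowJailbrokenDevices=False, allowEmulators=False)
    md["allowAndroidPublishers"] = [{"bigip": "/Common/example_publisher.crt"}]
    md["allowIosPackageNames"] = ["com.example.app"]
    return doc


if __name__ == "__main__":
    for finding in audit_mobile_defense(SAMPLE_DECLARATION):
        print(*finding, sep="  ")
```
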

Using an HTTP Acceleration profile in a declaration

This example shows how you can use a Web (HTTP) Acceleration profile in a declaration, which helps speed your HTTP traffic. For detailed information, see Web Acceleration profile and HTTP Acceleration Profile class in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_profile_06.
  • A Generic service (virtual server) named http_accel.
  • A Web Acceleration profile named testItem that includes a number of properties (see HTTP Acceleration Profile class in the Schema Reference for details and usage).
{
    "class":"ADC",
    "schemaVersion":"3.8.0",
    "id":"TEST_HTTP_Acceleration_Profile",
    "Sample_profile_06":{
        "class":"Tenant",
        "Application":{
            "class":"Application",
            "template":"generic",
            "http_accel": {
                "class": "Service_HTTP",
                "virtualPort": 80,
                "virtualAddresses": [
                    "1.2.3.4"
                ],
                "profileHTTPAcceleration": {
                    "use": "testItem"
                }
            },
            "testItem": {
                "class": "HTTP_Acceleration_Profile",
                "parentProfile": {
                    "use": "accel"
                },
                "agingRate": 5,
                "ignoreHeaders": "none",
                "insertAgeHeaderEnabled": false,
                "maximumAge": 100000,
                "maximumEntries": 200000,
                "maximumObjectSize": 300000,
                "minimumObjectSize": 1000,
                "cacheSize": 200,
                "uriExcludeList": [
                    "."
                ],
                "uriIncludeList": [
                    "www.google.com"
                ],
                "uriIncludeOverrideList": [
                    "1.1.2.2",
                    "1.2.3.4"
                ],
                "uriPinnedList": [
                    "///"
                ],
                "metadataMaxSize": 30
            },
            "accel": {
                "class": "HTTP_Acceleration_Profile"
            }
        }
    }
}

Using a Security log profile with Application Security

This example shows how you can use a BIG-IP ASM Security Logging profile with application security in a declaration (you must have ASM licensed and provisioned to use this profile). Logging profiles determine where events are logged, and which items (such as which parts of requests, or which type of errors) are logged. For more information on ASM logging profiles, see the ASM Logging Profiles section of the ASM documentation, and see Security Log Profile class in the Schema Reference for BIG-IP AS3 usage options and information.

There are two declarations in this example, one that uses local storage for the logs, and one that uses remote storage.

Local storage

This declaration creates a security log profile that uses local storage (for the remote storage example, see Remote storage). This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Security_Log_local.
  • A Security Log Profile named secLogLocal with Application Security enabled which stores logs locally.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "Security_Log_Profile_local",
    "Security_Log_local": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "secLogLocal": {
                "class": "Security_Log_Profile",
                "application": {
                    "storageFilter": {
                        "logicalOperation": "and",
                        "requestType": "all",
                        "responseCodes": [
                            "100",
                            "200",
                            "300",
                            "400"
                        ],
                        "protocols": [
                            "https",
                            "ws"
                        ],
                        "httpMethods": [
                            "ACL",
                            "GET",
                            "POLL",
                            "POST"
                        ],
                        "requestContains": {
                            "searchIn": "search-in-headers",
                            "value": "The header string to search for"
                        },
                        "loginResults": [
                            "login-result-successful",
                            "login-result-failed"
                        ]
                    },
                    "guaranteeLoggingEnabled": true,
                    "guaranteeResponseLoggingEnabled": true,
                    "maxHeaderSize": 200,
                    "maxQuerySize": 1040,
                    "maxRequestSize": 900,
                    "responseLogging": "all"
                }
            }
        }
    }
}

Remote storage

This declaration creates a security log profile that uses remote storage (for the local storage example, see Local storage). This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Security_Log_Remote.
  • A Security Log Profile named secLogRemote with Application Security enabled, which sends logs to a remote logging server on port 9876.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "Security_Log_Profile",
    "Security_Log_Remote": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "secLogRemote": {
                "class": "Security_Log_Profile",
                "application": {
                    "facility": "local3",
                    "storageFilter": {
                        "requestType": "illegal-including-staged-signatures",
                        "responseCodes": [
                            "404",
                            "201"
                        ],
                        "protocols": [
                            "http"
                        ],
                        "httpMethods": [
                            "PATCH",
                            "DELETE"
                        ],
                        "requestContains": {
                            "searchIn": "search-in-request",
                            "value": "The new value"
                        },
                        "loginResults": [
                            "login-result-unknown"
                        ]
                    },
                    "storageFormat": {
                        "fields": [
                            "attack_type",
                            "avr_id",
                            "headers",
                            "is_truncated"
                        ],
                        "delimiter": "."
                    },
                    "localStorage": false,
                    "maxEntryLength": "10k",
                    "protocol": "udp",
                    "remoteStorage": "remote",
                    "reportAnomaliesEnabled": true,
                    "servers": [
                        {
                            "address": "9.8.7.6",
                            "port": "9876"
                        }
                    ]
                }
            }
        }
    }
}

Using a Stream profile in a declaration

This example shows how you can use a Stream profile in a declaration. With a Stream profile, the BIG-IP system performs a search and replace procedure for all occurrences of a string in a data stream, such as a TCP connection. For detailed information, see Overview of the Stream profile and Stream Profile in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Stream_tenant.
  • An HTTP service (virtual server) named Stream_service on port 100.
  • A Stream profile named Stream_profile that includes a number of properties (see Stream Profile in the Schema Reference for details and usage). This declaration also includes a default stream profile that is not referenced by the virtual server.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "Stream_Profile",
    "Stream_tenant": {
        "class": "Tenant",
        "Stream_app": {
            "class": "Application",
            "Stream_service": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "5.4.3.2"
                ],
                "virtualPort": 100,
                "profileStream": {
                    "use": "testStream"
                }
            },
            "testStream": {
                "class": "Stream_Profile",
                "remark": "Description",
                "parentProfile": {
                    "use": "streamProfile"
                },
                "chunkingEnabled": true,
                "chunkSize": 10000,
                "source": "The source",
                "target": "The target"
            },
            "streamProfile": {
                "class": "Stream_Profile"
            }
        }
    }
}

Creating an FTP profile in a declaration

This example shows how you can create an FTP profile in a declaration (example (#4) showed how to use an existing FTP profile). See FTP_Profile in the Schema Reference for more usage options and information.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named TEST_FTP_Profile.
  • An FTP profile named sampleFTPprofile.
{
    "class": "ADC",
    "schemaVersion": "3.43.0",
    "id": "FTP_Profile",
    "TEST_FTP_Profile": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "service": {
                "class": "Service_TCP",
                "virtualAddresses": [
                    "192.0.2.210"
                ],
                "virtualPort": 10,
                "profileFTP": {
                    "use": "sampleFTPprofile"
                }
            },
            "sampleFTPprofile": {
                "class": "FTP_Profile",
                "remark": "description",
                "port": 300,
                "ftpsMode": "disallow",
                "enforceTlsSessionReuseEnabled": true,
                "activeModeEnabled": false,
                "securityEnabled": true,
                "translateExtendedEnabled": false,
                "inheritParentProfileEnabled": true,
                "algLogProfile": {
                    "bigip": "/Common/alg_log_profile"
                },
                "logPublisher": {
                    "bigip": "/Common/local-db-publisher"
                }
            }
        }
    }
}

Referencing existing iRules LX Profiles

This example shows how you can reference an existing iRules LX profile in a BIG-IP virtual server. An iRules LX profile is a method to associate an LX Plugin to a virtual server. See the BIG-IP documentation for more information on iRules LX profiles.

There are a few things to note about iRules LX profiles:

  • You must be using BIG-IP (TMOS) v13.0 or later.
  • You must provision the iRules Language Extensions (iRulesLX).
  • BIG-IP AS3 cannot yet create iRules LX Profiles, but can reference them.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_ILX_Profile.
  • A virtual service named exampleVS.
  • A profileILX property referencing an existing iRules LX profile on the target BIG-IP.
{
    "class": "ADC",
    "schemaVersion": "3.12.0",
    "id": "Service_TCP",
    "controls": {
        "class": "Controls",
        "trace": true,
        "logLevel": "debug"
    },
    "Example_ILX_Profile": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "exampleVS": {
                "class": "Service_TCP",
                "remark": "description",
                "virtualPort": 123,
                "virtualAddresses": [
                    "192.0.2.10"
                ],
                "profileILX": {
                    "bigip": "/Common/iRulesProfile"
                }
            }
        }
    }
}

Using the HTTP/2 profile in a declaration

This example shows how you can create an HTTP/2 profile in a declaration.

See Overview of HTTP/2 profile, and HTTP2_Profile in the Schema Reference for more usage options and information.

See Configuring HTTP/2 Full-proxy Support on the BIG-IP System for more information on configuring HTTP/2 Full Proxy support on the BIG-IP.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named TENANT_1.
  • An HTTP/2 profile named http2profile with a number of properties.
  • A Client SSL profile (Server TLS in AS3) referencing a certificate.
  • A virtual service named service that calls the HTTP/2 profile and SSL profile.
{
    "class": "ADC",
    "schemaVersion": "3.13.0",
    "TENANT_1": {
        "class": "Tenant",
        "APPLICATION_1": {
            "class": "Application",
            "http2profile": {
                "class": "HTTP2_Profile",
                "activationMode": "alpn",
                "concurrentStreamsPerConnection": 10,
                "connectionIdleTimeout": 300,
                "enforceTlsRequirements": true,
                "frameSize": 2048,
                "headerTableSize": 4096,
                "includeContentLength": false,
                "insertHeader": false,
                "insertHeaderName": "X-HTTP2",
                "receiveWindow": 32,
                "writeSize": 16384
            },
            "webtls": {
                "class": "TLS_Server",
                "certificates": [
                    {
                        "certificate": "webcert"
                    }
                ],
                "renegotiationEnabled": false
            },
            "service": {
                "class": "Service_HTTPS",
                "profileHTTP2": {
                    "use": "http2profile"
                },
                "serverTLS": "webtls",
                "virtualAddresses": [
                    "10.0.1.10"
                ]
            },
            "webcert": {
                "class": "Certificate",
                "remark": "in practice we recommend using a passphrase",
                "certificate": "-----BEGIN CERTIFICATE-----\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\n-----END CERTIFICATE-----",
                "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
                "passphrase": {
                    "ciphertext": "ZjVmNQ==",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
                }
            }
        }
    }
}
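
In the declaration above the private key PEM is encrypted, but the passphrase object beside it carries a `protected` value that decodes to the JOSE header `{"alg":"dir","enc":"none"}`, meaning the `ciphertext` is only base64-encoded. The following check is an added example, not part of the F5 documentation or of BIG-IP AS3: it finds Certificate objects whose inline key is either unencrypted or encrypted with a passphrase that travels in the same declaration without encryption. The function names are assumptions, and the certificate and key bodies in the sample are constructed placeholders.

```python
import base64
import json

# PEM markers that indicate a passphrase-protected private key.
ENCRYPTED_PEM_MARKERS = ("Proc-Type: 4,ENCRYPTED", "BEGIN ENCRYPTED PRIVATE KEY")

# Constructed sample: the webcert object from the declaration above, with the
# certificate and key bodies replaced by placeholders. The two passphrase
# values are the ones shown on this page.
SAMPLE_DECLARATION = {
    "class": "ADC",
    "schemaVersion": "3.13.0",
    "TENANT_1": {
        "class": "Tenant",
        "APPLICATION_1": {
            "class": "Application",
            "webcert": {
                "class": "Certificate",
                "certificate": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----",
                "privateKey": (
                    "-----BEGIN RSA PRIVATE KEY-----\n"
                    "Proc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
                    "(placeholder)\n"
                    "-----END RSA PRIVATE KEY-----"
                ),
                "passphrase": {
                    "ciphertext": "ZjVmNQ==",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",
                },
            },
        },
    },
}


def b64url_decode(text):
    """Decode base64url, restoring the '=' padding that JOSE headers omit."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jose_enc(secret):
    """Return the 'enc' value of a secret's JOSE header, or None if unreadable."""
    try:
        return json.loads(b64url_decode(secret["protected"])).get("enc")
    except (KeyError, ValueError, AttributeError, TypeError):
        return None


def walk(node, path=""):
    """Yield (path, dict) for every JSON object in the declaration."""
    if isinstance(node, dict):
        yield path or "/", node
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}/{index}")


def audit_certificates(declaration):
    """Return (path, reason) for each Certificate whose inline key is exposed."""
    findings = []
    for path, obj in walk(declaration):
        if obj.get("class") != "Certificate":
            continue
        pem = obj.get("privateKey")
        if not isinstance(pem, str):
            continue  # pointer to a key held elsewhere: nothing inline to check
        if not any(marker in pem for marker in ENCRYPTED_PEM_MARKERS):
            findings.append((path, "inline private key is not encrypted"))
            continue
        secret = obj.get("passphrase")
        if isinstance(secret, dict) and jose_enc(secret) == "none":
            findings.append((path, "encrypted key ships with a base64-only passphrase"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_certificates(SAMPLE_DECLARATION):
        print(f"{path}: {reason}")
```

Either finding means the declaration file itself has to be handled as key material wherever it is stored or logged.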

Creating an RTSP profile in a declaration

This updated example shows how you can create an RTSP profile in a declaration using BIG-IP AS3 3.43 and later. In previous versions of BIG-IP AS3, you could reference an existing profile, but not create one. For information on RTSP, see RFC 2326; for information on the RTSP profile, see the RTSP documentation.

See RTSP_Profile in the Schema Reference for AS3 options and usage.

Important

In the following example, the algLogProfile and logPublisher properties require the CGNAT module to be provisioned and BIG-IP version to be 15.1 or higher.

This declaration creates the following objects on the BIG-IP (NOTE: If you attempt to use this declaration on an AS3 version prior to 3.43, it will fail. Remove the ALG profile and log publisher for previous versions):

  • Partition (tenant) named example_RTSP.
  • An Application named App1.
  • A virtual service named RTSP_vs which references the RTSP profile.
  • An RTSP profile named RTSP_profile with a number of configured properties.
  • An ALG Log Profile named ALG_Log_profile with a number of configured properties.
{
    "class": "ADC",
    "schemaVersion": "3.43.0",
    "id": "Service_TCP",
    "example_RTSP": {
        "class": "Tenant",
        "App1": {
            "class": "Application",
            "RTSP_vs": {
                "class": "Service_TCP",
                "virtualPort": 8080,
                "virtualAddresses": [
                    "1.1.1.10"
                ],
                "profileRTSP": {
                    "use": "RTSP_profile"
                }
            },
            "RTSP_profile": {
                "class": "RTSP_Profile",
                "remark": "My Remark",
                "idleTimeout": "indefinite",
                "maxHeaderSize": 5096,
                "maxQueuedData": 42768,
                "unicastRedirect": true,
                "multicastRedirect": true,
                "sessionReconnect": true,
                "realHTTPPersistence": false,
                "checkSource": false,
                "proxy": "external",
                "proxyHeader": "X-Proxy",
                "RTPPort": 49152,
                "RTCPPort": 49153,
                "algLogProfile": {
                    "use": "ALG_Log_profile"
                },
                "logPublisher": {
                    "bigip": "/Common/local-db-publisher"
                }
            },
            "ALG_Log_profile": {
                "class": "ALG_Log_Profile",
                "remark": "My Remark",
                "csvFormat": true,
                "startControlChannel": {
                    "action": "enabled",
                    "includeDestination": false
                },
                "endControlChannel": {
                    "action": "disabled",
                    "includeDestination": true
                },
                "startDataChannel": {
                    "action": "backup-allocation-only",
                    "includeDestination": false
                },
                "endDataChannel": {
                    "action": "enabled",
                    "includeDestination": true
                },
                "inboundTransaction": {
                    "action": "enabled"
                }
            }
        }
    }
}

Creating a TCP Analytics profile in a declaration

This example shows how you can use the Application Visibility and Reporting (AVR, or Analytics) module in a declaration as a TCP analytics profile (for an HTTP Analytics profile, see Creating an HTTP Analytics profile in a declaration). The Analytics profile is a set of definitions that determines the circumstances under which the system gathers, logs, notifies, and graphically displays information regarding traffic to an application.

For detailed information on AVR and the Analytics profile, see TCP Analytics Profile class in the Schema Reference for information and usage options for using these features in your BIG-IP AS3 declarations, and the BIG-IP Analytics: Implementations guide.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named TcpAnalytics.
  • A TCP service (virtual server) named serviceHttp.
  • A TCP analytics profile in the virtual service named myAnalyticsTcp for collecting statistics. See TCP Analytics Profile class in the Schema Reference for details on the options.
{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
      "class": "ADC",
      "schemaVersion": "3.14.0",
      "label": "TCP Analytics Example",
      "remark": "Service_TCP with TCP Analytics",
      "TcpAnalytics": {
        "class": "Tenant",
        "tcpAnalytics": {
          "class": "Application",
          "service": {
            "class": "Service_TCP",
            "virtualAddresses": [
              "10.0.5.10"
            ],
            "virtualPort": 1344,
            "pool": "svc_pool",
            "profileAnalyticsTcp": { "use": "myAnalyticsTcp" }
          },
          "myAnalyticsTcp": {
              "class": "Analytics_TCP_Profile",
              "collectedStatsInternalLogging": true,
              "collectedStatsExternalLogging": true,
              "externalLoggingPublisher": { "bigip": "/Common/local-db-publisher" },
              "collectedByClientSide": true,
              "collectedByServerSide": true,
              "collectRemoteHostIp": true,
              "collectRemoteHostSubnet": true,
              "collectNexthop": true,
              "collectContinent": true,
              "collectCountry": true,
              "collectRegion": true,
              "collectCity": true,
              "collectPostCode": true
          },
          "svc_pool": {
            "class": "Pool",
            "members": [{
              "servicePort": 1344,
              "serverAddresses": [
                "192.0.5.10",
                "192.0.5.11"
              ]
            }]
          }
        }
      }
    }
}

Referencing a PPTP profile in a declaration

This example shows how you can reference an existing PPTP profile in a declaration. The PPTP (point-to-point tunneling protocol) profile enables you to configure the BIG-IP system to support a secure virtual private network (VPN) tunnel that forwards PPTP control and data connections. The PPTP protocol is described in RFC 2637.

Important

You cannot combine or use the PPTP Profile with another profile other than a TCP Profile. The PPTP Profile must be used separately and independently.

For detailed information on the PPTP profile, see PPTP in the TMSH reference and PPTP in CGNAT documentation.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_pptp_profile.
  • A TCP service (virtual server) named service, which references an existing PPTP profile on the BIG-IP system.
{
  "class": "ADC",
  "schemaVersion": "3.15.0",
  "label": "PPTP_profile_existing",
  "remark": "PPTP_profile_existing",
  "Sample_pptp_profile": {
    "class": "Tenant",
    "HTTP_Service": {
      "class": "Application",
      "service": {
        "class": "Service_TCP",
        "virtualAddresses": [
          "192.0.2.107"
        ],
        "virtualPort": 8181,
        "snat": "auto",
        "profilePPTP": {
          "bigip": "/Common/pptp"
        }
      }
    }
  }
}


Configuring SCTP services and referencing SCTP profiles in a declaration

This example shows how you can reference existing SCTP profiles in a BIG-IP AS3 declaration. It also shows the new Service_SCTP class, which creates a virtual service that uses the SCTP protocol. For information on BIG-IP and the SCTP profile, see SCTP Profile Type in the product manual. For AS3, see Service_SCTP for detailed information and usage for the SCTP Class, and Pointer_SCTP_Profile for the SCTP profile.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_sctp_01.
  • An application named mySCTP that uses the sctp template.
  • A virtual service named service that uses Service_SCTP, and references an existing SCTP profile on the BIG-IP system.
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.15.0",
    "id": "service-sctp",
    "label": "Sample Service_SCTP",
    "remark": "Simple SCTP application reference",
    "Sample_sctp_01": {
      "class": "Tenant",
      "mySCTP": {
        "class": "Application",
        "service": {
          "class": "Service_SCTP",
          "virtualAddresses": [
            "10.0.1.10"
          ],
          "virtualPort": 132,
          "profileSCTP": {
            "bigip": "/Common/sctp"
          }
        }
      }
    }
  }
}


Referencing Request and Response Adapt profiles in a declaration

This example shows how you can reference existing Request and Response Adapt profiles in a declaration. These profiles are a part of the BIG-IP content adaptation feature for adapting HTTP requests and responses.

For detailed information on the Adapt profiles, see Overview: Configuring HTTP Request Adaptation and Pointer Request Adapt profile in the schema reference for usage guidance.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_adapt_profile.
  • An HTTP service (virtual server) named service, which references existing Request and Response Adapt profiles on the BIG-IP system.
{
  "class": "ADC",
  "schemaVersion": "3.15.0",
  "label": "Adapt_profile_existing",
  "remark": "Adapt_profile_existing",
  "Sample_adapt_profile": {
    "class": "Tenant",
    "HTTP_Service": {
      "class": "Application",
      "service": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "192.0.2.107"
        ],
        "virtualPort": 8181,
        "snat": "auto",
        "profileRequestAdapt": {
          "bigip": "/Common/requestadapt"
        },
        "profileResponseAdapt": {
          "bigip": "/Common/responseadapt"
        }
      }
    }
  }
}


Creating Request and Response Adapt profiles in a declaration

This example shows how you can create Request and Response Adapt profiles in a declaration. These profiles are a part of the BIG-IP content adaptation feature for adapting HTTP requests and responses.

For detailed information on the Adapt profiles, see Overview: Configuring HTTP Request Adaptation and Pointer Request Adapt profile in the schema reference for usage guidance.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named tenant.
  • An HTTP service (virtual server) named service, which references Request and Response Adapt profiles in the declaration.
  • An Adapt request profile named adaptRequestProfile which points to an internal service.
  • An Adapt response profile named adaptResponseProfile which points to the same internal service.
  • An internal TCP virtual server named internalService.
{
    "class": "ADC",
    "schemaVersion": "3.15.0",
    "id": "123456",
    "tenant": {
        "class": "Tenant",
        "appAdapt": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualPort": 80,
                "virtualAddresses": ["10.10.10.10"],
                "profileRequestAdapt": {
                    "use": "adaptRequestProfile"
                },
                "profileResponseAdapt": {
                    "use": "adaptResponseProfile"
                }
            },
            "adaptRequestProfile": {
                "class": "Adapt_Profile",
                "messageType": "request",
                "enableHttpAdaptation": false,
                "previewSize": 2048,
                "serviceDownAction": "reset",
                "timeout": 1000,
                "allowHTTP10": true,
                "internalService": {
                    "use": "internalService"
                }
            },
            "adaptResponseProfile": {
                "class": "Adapt_Profile",
                "messageType": "response",
                "enableHttpAdaptation": false,
                "previewSize": 2048,
                "serviceDownAction": "reset",
                "timeout": 1000,
                "allowHTTP10": true,
                "internalService": {
                    "use": "internalService"
                }
            },
            "internalService": {
                "class": "Service_TCP",
                "virtualType": "internal"
            }
        }
    }
}


Referencing existing ICAP profiles in a declaration

This example shows how you can reference an existing ICAP (Internet Content Adaptation Protocol) profile in a declaration. You can use an ICAP profile when you want to use the BIG-IP content adaptation feature for adapting HTTP requests and responses. This feature allows a BIG-IP virtual server to conditionally forward HTTP requests and HTTP responses to a pool of ICAP servers for modification, before sending a request to a web server or returning a response to the client system. For more information on using the ICAP profile, see the BIG-IP documentation.

Important

An ICAP profile must use TCP services and is only supported in Service_TCP.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_ICAP_profile.
  • An application named TCP_Service that uses the tcp template.
  • A virtual service named service that references an existing ICAP profile on the BIG-IP system.
{
    "class": "ADC",
    "schemaVersion": "3.16.0",
    "label": "ICAP_profile_existing",
    "remark": "ICAP_profile_existing",
    "Sample_ICAP_profile": {
        "class": "Tenant",
        "TCP_Service": {
            "class": "Application",
            "service": {
                "class": "Service_TCP",
                "virtualPort": 8181,
                "virtualAddresses": [
                    "192.0.2.100"
                ],
                "virtualType": "internal",
                "profileICAP": {
                    "bigip": "/Common/icap"
                }
            }
        }
    }
}


Creating ICAP profiles in a declaration

This example shows how you can create an ICAP profile in a declaration. You can use an ICAP profile when you want to use the BIG-IP content adaptation feature for adapting HTTP requests and responses. For more information on using the ICAP profile, see the example above, and BIG-IP documentation.

Important

An ICAP profile must use TCP services and is only supported in Service_TCP.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_ICAP_Profile.
  • An application named icapApp.
  • A virtual service named service that references an ICAP profile in the declaration.
  • An ICAP profile named icapProfile.
{
    "class": "ADC",
    "schemaVersion": "3.15.0",
    "id": "ICAP_Profile",
    "Sample_ICAP_Profile": {
        "class": "Tenant",
        "icapApp": {
            "class": "Application",
            "service": {
                "class": "Service_TCP",
                "virtualType": "internal",
                "sourceAddress": "192.0.2.0/24",
                "profileICAP": {
                    "use": "icapProfile"
                }
            },
            "icapProfile": {
                "class": "ICAP_Profile",
                "uri": "icap://${SERVER_IP}:${SERVER_PORT}/videoOptimization",
                "fromHeader": "admin@example.com",
                "hostHeader": "www.example.com",
                "refererHeader": "http://www.example.com/video/resource.html",
                "userAgentHeader": "CERN-LineMode/2.15 libwww/2.17b3",
                "previewLength": 100
            }
        }
    }
}


Configuring an ingress HTTP/2 profile in an HTTPS service

This example shows how you can configure a separate HTTP/2 profile for ingress (client-side) traffic on an HTTPS service (only). Prior to version 3.20, you could not specify a specific profile for ingress traffic.

HTTP/2 is a major revision to the HTTP protocol, offering both speed and efficiency benefits. See K04412053: Overview of the BIG-IP HTTP/2 profile for a detailed explanation of HTTP/2 profiles on the BIG-IP and an overview of the benefits of HTTP/2.

See Service_HTTPS_profileHTTP2, HTTP2_Profile, and Service_HTTPS in the Schema Reference for more detail on BIG-IP AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named TENANT_1.
  • An Application named APPLICATION_1.
  • An HTTP2_Profile named http2profile.
  • A Client SSL profile (TLS_Server in AS3) named webtls that references the certificate and key later in the declaration.
  • A virtual server named service that references the HTTP/2 profile and specifies ingress.
{
    "class": "ADC",
    "schemaVersion": "3.20.0",
    "TENANT_1": {
        "class": "Tenant",
        "APPLICATION_1": {
            "class": "Application",
            "http2profile": {
                "class": "HTTP2_Profile",
                "enforceTlsRequirements": false
            },
            "webtls": {
                "class": "TLS_Server",
                "certificates": [
                    {
                        "certificate": "webcert"
                    }
                ],
                "renegotiationEnabled": false
            },
            "service": {
                "class": "Service_HTTPS",
                "profileHTTP2": {
                    "ingress": {
                        "use": "http2profile"
                    }
                },
                "serverTLS": "webtls",
                "virtualAddresses": [
                    "10.0.1.10"
                ]
            },
            "webcert": {
                "class": "Certificate",
                "certificate": { "bigip": "/Common/default.crt" },
                "privateKey": { "bigip": "/Common/default.key" }
            }
        }
    }
}


Configuring a FastL4 profile in a declaration

This example shows how you can configure a FastL4 profile in a BIG-IP declaration. You can use the FastL4 profile to manage Layer 4 (L4) traffic on the BIG-IP system. The FastL4 profile can increase virtual server performance and throughput for supported platforms by using the embedded Packet Velocity Acceleration (ePVA) chip to accelerate traffic. For complete information on the FastL4 profile, see Overview of the FastL4 profile on AskF5.

New in BIG-IP AS3 3.31
BIG-IP AS3 3.31 introduced two additional properties for the L4 profile: synCookieEnable (default true) and synCookieAllowlist (default false). These properties control the profile's SYN cookie options. See L4_Profile for descriptions of these properties.

Important

If you try to use the following example with a version prior to 3.31, it will fail. For previous versions, remove the synCookieEnable and synCookieAllowlist lines (highlighted in yellow in the original).

See L4_Profile in the Schema Reference for more detail on BIG-IP AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named L4_Tenant.
  • An Application named L4_App.
  • A virtual server named service which references the L4 profile.
  • A Fast L4 Profile named l4Profile, which includes a number of properties, including synCookieEnable and synCookieAllowlist introduced in 3.31.
{
    "class": "ADC",
    "schemaVersion": "3.31.0",
    "id": "TEST_L4_Profile",
    "remark": "Test L4 profiles",
    "L4_Tenant": {
        "class": "Tenant",
        "L4_App": {
            "class": "Application",
            "service": {
                "class": "Service_L4",
                "virtualPort": 80,
                "virtualAddresses": ["1.2.3.4"],
                "profileL4": {
                    "use": "l4Profile"
                }
            },
            "l4Profile": {
                "class": "L4_Profile",
                "clientTimeout": 60,
                "idleTimeout": 600,
                "keepAliveInterval": 600,
                "looseClose": true,
                "looseInitialization": true,
                "maxSegmentSize": 4096,
                "resetOnTimeout": false,
                "synCookieEnable": false,
                "synCookieAllowlist": false,
                "tcpCloseTimeout": 43200,
                "tcpHandshakeTimeout": 43200
            }
        }
    }
}


Referencing an existing NTLM profile in a declaration

This example shows how you can reference an NTLM profile that exists on the BIG-IP system (including the system-supplied default NTLM profile) in declarations for HTTP and HTTPS services. The BIG-IP NTLM profile optimizes network performance when the system is processing NT LAN Manager traffic.

Important

To reference an NTLM profile, you must also include a Multiplex_Profile (known as a OneConnect profile on the BIG-IP) for the declaration to succeed.

When both an NTLM profile and a OneConnect profile are associated with a virtual server, the BIG-IP can take advantage of server-side connection pooling for NTLM connections. See the BIG-IP documentation for more information on NTLM and OneConnect profiles.

See Service_HTTP and Service_HTTPS in the Schema Reference for more detail on BIG-IP AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_NTLM.
  • An Application named NTLM_App.
  • A virtual server named NTLMvs which references the default NTLM profile on the BIG-IP system.
  • A OneConnect (multiplex) profile named testMux, which is required when referencing an NTLM profile.
{
    "class": "ADC",
    "schemaVersion": "3.23.0",
    "id": "Service_HTTP",
    "Example_NTLM": {
        "class": "Tenant",
        "NTLM_App": {
            "class": "Application",
            "NTLMvs": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "10.10.20.20"
                ],
                "profileNTLM": {
                    "bigip": "/Common/ntlm"
                },
                "profileMultiplex": {
                    "use": "testMux"
                }
            },
            "testMux": {
                "class": "Multiplex_Profile",
                "maxConnections": 5000,
                "maxConnectionAge": 3600,
                "maxConnectionReuse": 20000,
                "idleTimeoutOverride": 900,
                "connectionLimitEnforcement": "idle",
                "sharePools": true
            }
        }
    }
}


Configuring an egress HTTP/2 profile in a declaration

This example shows how to configure an HTTP/2 profile that is specific to egress (server-side) traffic on an HTTPS service (see Configuring an ingress HTTP/2 profile in an HTTPS service for ingress).

It also shows how you can set the httpMrfRoutingEnabled property on a virtual service, which enables the HTTP message routing framework (MRF) functionality, and is necessary for using HTTP/2 profiles in a full proxy configuration.

See K04412053: Overview of the BIG-IP HTTP/2 profile for a detailed explanation of HTTP/2 profiles on the BIG-IP and an overview of the benefits of HTTP/2. See Configuring HTTP/2 Full-proxy Support on the BIG-IP System for more information on manually configuring HTTP/2 Full Proxy support on the BIG-IP.

See Service_HTTPS_profileHTTP2, HTTP2_Profile, and Service_HTTPS in the Schema Reference for more detail on BIG-IP AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named TENANT_1.
  • An Application named APPLICATION_1.
  • An HTTP2_Profile named http2profile.
  • A Client SSL profile (TLS_Server in AS3) named webtls that references the certificate and key later in the declaration.
  • A virtual server named service that references the HTTP/2 profile and specifies egress, with httpMrfRoutingEnabled set to true.
{
    "class": "ADC",
    "schemaVersion": "3.24.0",
    "TENANT_1": {
        "class": "Tenant",
        "APPLICATION_1": {
            "class": "Application",
            "http2profile": {
                "class": "HTTP2_Profile",
                "enforceTlsRequirements": false
            },
            "webtls": {
                "class": "TLS_Server",
                "certificates": [
                    {
                        "certificate": "webcert"
                    }
                ],
                "renegotiationEnabled": false
            },
            "tlsClient": {
                "class": "TLS_Client",
                "clientCertificate": "webcert"
            },
            "service": {
                "class": "Service_HTTPS",
                "httpMrfRoutingEnabled": true,
                "profileHTTP2": {
                    "egress": {
                        "use": "http2profile"
                    }
                },
                "serverTLS": "webtls",
                "clientTLS": "tlsClient",
                "virtualAddresses": [
                    "10.0.1.10"
                ]
            },
            "webcert": {
                "class": "Certificate",
                "certificate": { "bigip": "/Common/default.crt" },
                "privateKey": { "bigip": "/Common/default.key" }
            }
        }
    }
}


Configuring an HTML profile in a declaration

This example shows how to configure an HTML profile in a BIG-IP AS3 declaration. HTML profiles allow the system to modify HTML content that passes through the system, according to your specifications. See the BIG-IP documentation for complete information about HTML profiles and manual configuration.

HTML profiles make use of HTML rules, such as tag-append-html introduced in BIG-IP AS3 3.30.

See HTML_Profile in the Schema Reference for options and BIG-IP AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named TEST_HTML_Profile.
  • An Application named Application.
  • A virtual server named service that references the HTML profile defined later in the declaration.
  • An HTML Profile named htmlProfile which sets content options and references an HTML rule.
  • An HTML rule named htmlRule of type tag-append-html that specifies matching criteria.
{
    "class": "ADC",
    "schemaVersion": "3.31.0",
    "id": "HTML_Profile",
    "TEST_HTML_Profile": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualPort": 123,
                "virtualAddresses": [
                    "192.0.2.100"
                ],
                "profileHTML": {
                    "use": "htmlProfile"
                }
            },
            "htmlProfile": {
                "class": "HTML_Profile",
                "contentDetectionEnabled": true,
                "contentSelection": [
                    "text/html",
                    "text/xhtml"
                ],
                "rules": [
                    {
                        "use": "htmlRule"
                    }
                ]
            },
            "htmlRule": {
                "class": "HTML_Rule",
                "ruleType": "tag-append-html",
                "content": "some content here",
                "match": {
                    "attributeName": "pie",
                    "attributeValue": "apple",
                    "tagName": "/dessert"
                }
            }
        }
    }
}


Using a string for the route domain property in an ‘explicit’ HTTP profile

This example shows how you can now use a string for the routeDomain property in an HTTP profile with a proxy type of explicit. Previously, only integers were allowed.

Important

BIG-IP AS3 does NOT create route domains, and only references route domains that already exist on the BIG-IP system.

For more information on route domains, see Route Domains in the BIG-IP documentation.

See HTTP_Profile_Explicit in the Schema Reference for options and BIG-IP AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named miscTenant.
  • An Application named Application.
  • An HTTP profile named httpProfile with a proxyType of explicit and a reference to route domain routeDomainAlpha.
  • A DNS Nameserver named DNS_Nameserver that references a route domain in the Common partition named 3.

You must update the route domains in the following example to match route domains on your BIG-IP system; otherwise, the example will fail.

{
    "class": "ADC",
    "schemaVersion": "3.35.0",
    "id": "DNS_Nameserver",
    "miscTenant": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "template": "generic",
            "httpProfile": {
                "class": "HTTP_Profile",
                "proxyType": "explicit",
                "resolver": {
                    "bigip": "/Common/tempTest"
                },
                "routeDomain": "routeDomainAlpha"
            },
            "DNS_Nameserver": {
                "class": "DNS_Nameserver",
                "routeDomain": {
                    "bigip": "/Common/3"
                }
            }
        }
    }
}


Using an SMTPS profile in a declaration

This example shows how you can add an SMTPS profile to the TLS_Server class in a declaration using the new smtpsStartTLS property. The SMTPS profile provides a way to add SSL encryption to SMTP traffic quickly and easily.

For the SMTPS profile, you must decide whether you want to allow, disallow, or require STARTTLS activation for SMTP traffic. The STARTTLS extension effectively upgrades a plain-text connection to an encrypted connection on the same port, instead of using a separate port for encrypted communication.

See TLS_Server in the Schema Reference for options and BIG-IP AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named TLS_smtps.
  • An Application named Application.
  • A virtual server named smtpsVip that references a TLS server.
  • A Client SSL profile (Server TLS in AS3) named tlsServer with smtpsStartTLS set to require, and a reference to a certificate.
  • A certificate named tlsservercert that includes a certificate and private key.
{
    "class": "ADC",
    "schemaVersion": "3.38.0",
    "id": "TLS_Server",
    "TLS_smtps": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "smtpsVip": {
                "class": "Service_TCP",
                "virtualAddresses": [
                    "192.0.2.6"
                ],
                "serverTLS": "tlsServer",
                "virtualPort": 587
            },
            "tlsServer": {
                "class": "TLS_Server",
                "certificates": [
                    {
                        "certificate": "tlsservercert"
                    }
                ],
                "smtpsStartTLS": "require"
            },
            "tlsservercert": {
                "class": "Certificate",
                "remark": "in practice using a passphrase is recommended",
                "certificate": "-----BEGIN CERTIFICATE-----\n<certificate body omitted>\n-----END CERTIFICATE-----",
                "privateKey": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDAQw08BODtXPeOoichV/aOc6L/38dgivzFliBTRgccUSKq5Dqdh9fibB7NnrOj0YmibuAeJDcU3Ld835Fq1q1mYGa7K8n7P+5nqlsqay4ks8tPz2iU70nEy1vhrzegcPPd/qtxzaPwrBOviVQNzjnaMsXhlDnk7Xuza1gyDhdbYbkOpQbOnVQqIKVoO+k3bdlU6WeoNWkiWdW8nWbPXYDMU+fLzEPWWEgu/vzIyW2KZ1paHIItwWibQNuWhG9iajCMYseotMBnjSMjdhR3Df0sSpNeB8MXcOc6BkIh1Gmi4P1xVkGhCuhelVV9Ybux/MoupZoAQeGNuF0rmX+neZPvAgMBAAECggEAHm3eV9v7z4WRxtjiMZRO+Q/TQgUkdKK6y/jtR9DDClfLEVoK7ujTocnz/B48l1ZwHq3Gue6IazxdrB1kUhEFI7lpOQF+t83QCUc8o5OQG437RTfx+PSAa+21rpwBRVrrNfz7HIlsA4jwmq01CPRVUrQLfp7rpNBzbhu0u0Ngrf0ccOwXZkEUVvZ55WaPY1YADI9PBExQ2k04LvHJjoz/tJH3nsQLA/+90UXqy8ctUSMJ8Ko3crxJhnIO91BtCugkgS+U+pTEnvdAebE4pd7J5e6qqEyCu9F3DC5R6hH+K8bAj76VGwjxOr9a90o/js92HoCVAlQMHnW06Uk2RdIRmQKBgQD0uQPlA2PLBysWA+IQvd8oBfZuXWQjUZPBU9MK5k7bfuRbNeCA2kbTt1MVf15lv7vcwrwAbYo+Ur+L9CVL3lA8d/lQkz51r1ISChTPUiAMyU+CDDnXjQ1Gik/nC399AeluxS62Tur8hGPAb4rkVEyU60hPFVZTjmv13n81EjUoNwKBgQDJHyiPIgbwI+OoZYMUcGQrsr+yp1MdJrjpuFloc7+sdUpsvelyc146h3+TSAlhDce2BMH68kMUWUYHxHIooQjtDMu9S9b8VAF52F3E9osyjMzsywTri3hgBPy69j/Kr623gbZpbm6lYmdxRp/FKZyWtAbPts45GH1GPdv+9fUmCQKBgQCX7CfDy1fvWXLhBuYXuJfJs/HpT+bzmhgdA5nXgWRhFSRUj1zhASDJHFzi0qBakC3i/a1Soq4YxKwPCTECKXAsKdrHr7Etw/oyIroKfpRQ+8R1GnvqGbGtIf46k8PAaihtUNIP8Wwl+VYnx9c0qjSkmm/YUIm384mIKGlWHAiN/wKBgDV5bF5KLNASqsguXWDE1U1tFF0a8hVRI185HcSQ6gifku9Au14r4ITtW/U79QpyEISL1Uu0uDMj3WPZToUQ8/+bJFyrWnjymQXdimkBKFeDakUXYbKC/bmB+fR33tQ0S5r8CRUVQKQGevx6S6avfqvvJ9R4hXJW2ZAgiGrM2KaJAoGAPXuy4KHRmeeBZj8AT/shQ0VrDWIMNYDrhx0T6q9hVMahBS0SJaKDlQn6cSF7TX5N9PFAbwzcrvRKKfNjQVSZpQdR4l42f+N/5q0c1wihf43k9FgeYQ8jHGJ05uJnh3nj/O57FKgjlZ4FZVQdR8ieHN+rT4sHWj36a/FLHa6p1oo=\n-----END PRIVATE KEY-----"
            }
        }
    }
}
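
A review pass over a declaration before it is posted can catch the settings that the FastL4, HTTP/2 and SMTPS examples on this page relax. The following Python is an added example, not part of the F5 documentation or of AS3: it walks a declaration and reports a disabled synCookieEnable, a disabled enforceTlsRequirements, an smtpsStartTLS mode other than require, an inline private key that is not encrypted, and references to /Common/default.crt or /Common/default.key. The rule names, the audit function and the sample declaration are constructed for illustration.

```python
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    rule: str
    detail: str


def iter_objects(node, path=""):
    """Yield (path, obj) for every dict in the declaration that has a "class"."""
    if isinstance(node, dict):
        if "class" in node:
            yield path or "/", node
        for key, value in node.items():
            yield from iter_objects(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_objects(value, f"{path}/{index}")


def check_l4(obj):
    # The page gives true as the default for synCookieEnable.
    if obj.get("synCookieEnable") is False:
        yield "syn-cookie-disabled", "synCookieEnable is false; the default is true"


def check_http2(obj):
    if obj.get("enforceTlsRequirements") is False:
        yield "http2-tls-requirements-off", "enforceTlsRequirements is false"


def check_tls_server(obj):
    mode = obj.get("smtpsStartTLS")
    if mode is not None and mode != "require":
        yield "starttls-not-required", f"smtpsStartTLS is {mode!r}; SMTP sessions can proceed without TLS"


def check_certificate(obj):
    key = obj.get("privateKey")
    # An inline PEM key with no ENCRYPTED marker is readable wherever the
    # declaration is stored (repositories, CI logs, tickets).
    if isinstance(key, str) and "-----BEGIN" in key and "ENCRYPTED" not in key:
        yield "inline-plaintext-key", "privateKey is an unencrypted PEM string in the declaration"
    for field in ("certificate", "privateKey"):
        ref = obj.get(field)
        if isinstance(ref, dict) and str(ref.get("bigip", "")).startswith("/Common/default."):
            yield "system-default-cert", f"{field} points at {ref['bigip']}"
            break


CHECKS = {
    "L4_Profile": check_l4,
    "HTTP2_Profile": check_http2,
    "TLS_Server": check_tls_server,
    "Certificate": check_certificate,
}


def audit(declaration):
    """Return a sorted list of Finding tuples for one declaration."""
    findings = []
    for path, obj in iter_objects(declaration):
        check = CHECKS.get(obj["class"])
        if check:
            findings.extend(Finding(path, rule, detail) for rule, detail in check(obj))
    return sorted(findings)


# Constructed sample: property names come from this page's examples, the
# tenant and object names and the PEM bodies are dummies.
SAMPLE = {
    "class": "ADC",
    "schemaVersion": "3.38.0",
    "Audit_Tenant": {
        "class": "Tenant",
        "App": {
            "class": "Application",
            "l4Profile": {"class": "L4_Profile", "synCookieEnable": False, "idleTimeout": 600},
            "http2profile": {"class": "HTTP2_Profile", "enforceTlsRequirements": False},
            "tlsServer": {"class": "TLS_Server", "smtpsStartTLS": "allow",
                          "certificates": [{"certificate": "inlineCert"}]},
            "tlsStrict": {"class": "TLS_Server", "smtpsStartTLS": "require",
                          "certificates": [{"certificate": "webcert"}]},
            "inlineCert": {
                "class": "Certificate",
                "certificate": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----",
                "privateKey": "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----",
            },
            "webcert": {
                "class": "Certificate",
                "certificate": {"bigip": "/Common/default.crt"},
                "privateKey": {"bigip": "/Common/default.key"},
            },
        },
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(f"{finding.rule:28} {finding.path}: {finding.detail}")
```

The same function accepts the AS3 request wrapper (class AS3 with a declaration property); paths in the findings then start with /declaration.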


Configuring a Statistics profile in a declaration

This example shows how you can configure a Statistics profile in a declaration using the Statistics_Profile class introduced in AS3 3.43.

The Statistics profile provides user-defined statistical counters. Each profile contains 32 settings (Field1 through Field32), which define named counters. Using a Tcl-based iRule command, you can use the names to manipulate the counters while processing traffic. For more information, see Statistics profile in the BIG-IP documentation and ltm profile statistics in the TMSH reference.

See Statistics_Profile in the Schema Reference for options and BIG-IP AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Statistics_Profile.
  • An Application named Application.
  • A virtual server named service that references a Statistics profile and an iRule.
  • A Statistics profile named statisticsProfile with 4 fields configured.
  • An iRule named countIrule that triggers the Statistics profile when a specific URI is visited.
{
    "class": "AS3",
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.41.0",
        "id": "Statistics_Profile",
        "Statistics_Profile": {
            "class": "Tenant",
            "Application": {
                "class": "Application",
                "template": "generic",
                "service": {
                    "class": "Service_HTTP",
                    "virtualAddresses": [
                        "192.0.2.202"
                    ],
                    "iRules": [
                        "countIrule"
                    ],
                    "profileStatistics": {
                        "use": "statisticsProfile"
                    }
                },
                "statisticsProfile": {
                    "class": "Statistics_Profile",
                    "remark": "my first stats profile",
                    "field1": "triggered",
                    "field2": "apple",
                    "field3": "bear",
                    "field4": "cat"
                },
                "countIrule": {
                    "class": "iRule",
                    "iRule": "when HTTP_REQUEST {\n  if {[HTTP::uri] starts_with \"/countMe/\"} {\n    STATS::incr /Statistics_Profile/Application/statisticsProfile \"triggered\"\n    return\n  }\n}"
                }
            }
        }
    }
}


Configuring a SOCKS profile in a declaration

This example shows how you can configure a SOCKS (Socket Secure) profile in a declaration using the SOCKS_Profile class introduced in AS3 3.43.

You can use the SOCKS profile to configure the BIG-IP system to handle proxy requests and function as a gateway. By configuring browser traffic to use the proxy, you can control whether to allow or deny a requested connection. For more information on the SOCKS profile, see SOCKS Profile in the BIG-IP documentation.

See SOCKS Profile in the Schema Reference for options and BIG-IP AS3 usage.

New in 3.46
BIG-IP AS3 3.46 and later adds support for using a string to specify a route domain in the SOCKS profile. The example declaration has been updated with an additional SOCKS profile using a string for the route domain.

This declaration creates the following objects on the BIG-IP. IMPORTANT: If you are using this example on a version prior to 3.46, it will fail. Remove the additional SOCKS profile (socksProfileString, highlighted in yellow in the original) and the preceding comma:

  • Partition (tenant) named Tenant.
  • An Application named Application.
  • A virtual server named TCP that references a SOCKS profile.
  • A SOCKS profile named socksProfile with a number of properties configured.
  • A SOCKS profile named socksProfileString that uses a string for the route domain property (3.46+ only).
{
    "class": "ADC",
    "schemaVersion": "3.43.0",
    "id": "SOCKS_Profile",
    "Tenant": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "TCP": {
                "class": "Service_TCP",
                "virtualAddresses": [
                    "192.0.2.3"
                ],
                "virtualPort": 443,
                "redirect80": false,
                "profileSOCKS": {
                    "use": "socksProfile"
                }
            },
            "socksProfile": {
                "class": "SOCKS_Profile",
                "protocolVersions": [
                    "socks4"
                ],
                "resolver": {
                    "bigip": "/Common/f5-aws-dns"
                },
                "ipv6First": true,
                "routeDomain": 2222,
                "tunnelName": "http-tunnel",
                "defaultConnectAction": "allow"
            },
            "socksProfileString": {
                "class": "SOCKS_Profile",
                "protocolVersions": [
                    "socks4"
                ],
                "resolver": {
                    "bigip": "/Common/f5-azure-dns"
                },
                "ipv6First": true,
                "routeDomain": "myRouteDomain",
                "tunnelName": "http-tunnel",
                "defaultConnectAction": "allow"
            }
        }
    }
}
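
The version notes in the FastL4 and SOCKS sections ("remove the lines", "remove the additional SOCKS profile") can be applied mechanically before a declaration is sent to an older BIG-IP AS3. The following Python is an added example, not F5 code: given the AS3 version installed on the target (supplied by the caller, not read from schemaVersion), it returns a pruned copy of the declaration and a list of what it changed, and it refuses to drop an object that a "use" pointer still references. The function names, the rule table layout and the sample declaration are constructed; the minimum versions are the ones stated on this page, and it assumes "use" pointers are plain object names within one Application.

```python
import copy


def parse_version(text):
    """'3.31' or '3.31.0' -> (3, 31, 0) so versions compare numerically."""
    parts = [int(p) for p in str(text).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


# (class, property, value test, first AS3 version that accepts it, what to drop)
RULES = [
    ("SOCKS_Profile", "class", lambda v: True, "3.43", "object"),
    ("Statistics_Profile", "class", lambda v: True, "3.43", "object"),
    ("SOCKS_Profile", "routeDomain", lambda v: isinstance(v, str), "3.46", "object"),
    ("L4_Profile", "synCookieEnable", lambda v: True, "3.31", "property"),
    ("L4_Profile", "synCookieAllowlist", lambda v: True, "3.31", "property"),
]


def applications(declaration):
    """Yield (path, application) for each Tenant/Application pair."""
    for t_name, tenant in declaration.items():
        if isinstance(tenant, dict) and tenant.get("class") == "Tenant":
            for a_name, app in tenant.items():
                if isinstance(app, dict) and app.get("class") == "Application":
                    yield f"/{t_name}/{a_name}", app


def referenced_names(node, names=None):
    """Collect the targets of every {"use": name} pointer below node."""
    names = set() if names is None else names
    if isinstance(node, dict):
        if isinstance(node.get("use"), str):
            names.add(node["use"])
        for value in node.values():
            referenced_names(value, names)
    elif isinstance(node, list):
        for value in node:
            referenced_names(value, names)
    return names


def preflight(declaration, target):
    """Return (pruned copy, findings) for the AS3 version installed on the target."""
    target_v = parse_version(target)
    pruned = copy.deepcopy(declaration)
    findings = []
    for app_path, app in applications(pruned):
        in_use = referenced_names(app)
        for name in list(app):
            obj = app[name]
            if not isinstance(obj, dict):
                continue
            for cls, prop, test, minimum, scope in RULES:
                if obj.get("class") != cls or prop not in obj or not test(obj[prop]):
                    continue
                if target_v >= parse_version(minimum):
                    continue
                if scope == "property":
                    del obj[prop]
                    action = "removed property"
                elif name in in_use:
                    action = "kept: still referenced"  # needs a manual decision
                else:
                    del app[name]
                    action = "removed object"
                findings.append((f"{app_path}/{name}", prop, minimum, action))
                if action == "removed object":
                    break
    return pruned, findings


# Constructed sample combining the FastL4 and SOCKS examples from this page.
SAMPLE = {
    "class": "ADC",
    "schemaVersion": "3.43.0",
    "Tenant": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "TCP": {"class": "Service_TCP", "virtualAddresses": ["192.0.2.3"],
                    "virtualPort": 443, "profileSOCKS": {"use": "socksProfile"}},
            "socksProfile": {"class": "SOCKS_Profile", "routeDomain": 2222},
            "socksProfileString": {"class": "SOCKS_Profile", "routeDomain": "myRouteDomain"},
            "l4Service": {"class": "Service_L4", "virtualAddresses": ["192.0.2.4"],
                          "virtualPort": 80, "profileL4": {"use": "l4Profile"}},
            "l4Profile": {"class": "L4_Profile", "idleTimeout": 600,
                          "synCookieEnable": False, "synCookieAllowlist": False},
        },
    },
}

if __name__ == "__main__":
    for version in ("3.46", "3.45", "3.30"):
        _, report = preflight(SAMPLE, version)
        print(version, report)
```

A "kept: still referenced" entry means the declaration will still be rejected by that version until the referencing service is changed as well.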
