Profiles

This section contains example declarations that include useful BIG-IP profiles. This page does not include TLS/SSL profiles, see TLS Encryption for TLS/SSL profile examples.

Use the index on the right to locate specific examples.

Important

Most of the example declarations have been updated in the documentation for AS3 3.20 to remove any template that was specified, and rename any virtual services that used the name serviceMain to service. In AS3 3.20, the generic template is the default, which allows services to use any name.

This also means that many of these declarations on a version prior to 3.20 they will fail unless you add a template. See this FAQ entry and this Troubleshooting entry for more information.

1: Creating an HTTP Analytics profile in a declaration

These examples show how you can use the Application Visibility and Reporting (AVR, or Analytics) module in a declaration as an analytics profile. The Analytics profile is a set of definitions that determines the circumstances under which the system gathers, logs, notifies, and graphically displays information regarding traffic to an application. For detailed information on AVR and the Analytics profile, see the BIG-IP Analytics: Implementations guide and Analytics Profile class in the Schema Reference for information and usage options for using these features in your AS3 declarations.

Important notes for using an Analytics profile:

  • You must have AVR provisioned on your BIG-IP system.
  • You cannot be using a BIG-IP version between 13.1 and 13.1.0.6 to use the Analytics profile. There are certain properties that currently do not work on these versions.
  • The notificationBySnmp property set to true requires configuration of SNMP. AS3 does not support configuration of SNMP.
  • The notificationByEmail property set to true requires the configuration of SMTP. In addition a HTTP Analytics profile inherits this property from the base /Common/analytics profile. AS3 does not support configuration of SMTP or modification of the base /Common/analytics profile.
  • The following properties have recommended values that are different than the default values:
    • collectClientSideStatistics - recommended value true (default value is false)
    • collectOsAndBrowser - recommended value false (default value is true)
    • collectMethod - recommended value false (default value is true)

There are two example declarations, one simple, one more full-featured. Both of the following declarations create the following objects on the BIG-IP:

  • Partition (tenant) named Sample_profile_01.
  • An HTTP service (virtual server) named serviceHttp.
  • An analytics profile for collecting statistics. See the schema reference and documentation for details.

1a: Simple example of HTTP Analytics profile

{
    "class": "ADC",
    "schemaVersion": "3.6.0",
    "id": "SAMPLE_ANALYTICS_PROFILE_SIMPLE",
    "remark": "Simple analytics profile",
    "Sample_profile_01": {
        "class": "Tenant",
        "Sample_Analytics_Profile": {
            "class": "Application",
            "serviceHttp": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "192.0.2.240"
                ],
                "virtualPort": 8080,
                "profileAnalytics": {
                    "use": "statsProfile"
                }
            },
            "statsProfile": {
                "class": "Analytics_Profile",
                "collectClientSideStatistics": true,
                "collectOsAndBrowser": false,
                "collectMethod": false
            }
        }
    }
}

1b: Detailed example of HTTP Analytics profile

{
    "class": "ADC",
    "schemaVersion": "3.6.0",
    "id": "SAMPLE_ANALYTICS_PROFILE",
    "remark": "Sample analytics profile",
    "Sample_profile_01": {
      "class": "Tenant",
      "Sample_Analytics_Profile": {
        "class": "Application",
        "apTest": {
          "class": "Analytics_Profile",
          "collectedStatsInternalLogging": true,
          "collectedStatsExternalLogging": true,
          "capturedTrafficInternalLogging": true,
          "capturedTrafficExternalLogging": true,
          "externalLoggingPublisher": {"bigip": "/Common/default-ipsec-log-publisher"},
          "notificationBySyslog": true,
          "notificationBySnmp": false,
          "notificationByEmail": true,
          "notificationEmailAddresses": [
            "aaaa@aa.a",
            "bbbb@bb.b",
            "cccc@cc.c"
          ],
          "publishIruleStatistics": true,
          "collectMaxTpsAndThroughput": true,
          "collectPageLoadTime": true,
          "collectClientSideStatistics": true,
          "collectUserSession": true,
          "collectUrl": true,
          "urlsForStatCollection": [
            "a.f5test/a.htm",
            "b.f5test/b.htm",
            "c.f5test/c.htm"
          ],
          "collectGeo": true,
          "countriesForStatCollection": [
            "Afghanistan",
            "Bahamas",
            "Cambodia",
            "Denmark",
            "Ecuador",
            "Falkland Islands (Malvinas)"
          ],
          "collectIp": true,
          "collectSubnet": true,
          "subnetsForStatCollection": [
            "198.19.192.0",
            "198.19.224.0"
          ],
          "collectResponseCode": true,
          "collectUserAgent": true,
          "collectMethod": true,
          "collectOsAndBrowser": true,
          "sessionCookieSecurity": "always-secure",
          "sessionTimeoutMinutes": 30
        },
        "serviceHttp": {
          "class": "Service_HTTP",
          "virtualAddresses": [
              "192.0.2.240"
          ],
          "virtualPort": 8080,
          "profileAnalytics": { "use": "apTest" }
        }
      }
    }
  }
  

Back to top

2: Using an Analytics profile with a Capture filter

These examples show how you can use the capture filter with the analytics profile to collect application traffic so that you can troubleshoot problems that have become apparent by monitoring application statistics. For detailed information the Capture filter, see the Capture filter documentation and Analytics Profile class in the Schema Reference for information and usage options for using these features in your AS3 declarations.

Important notes for using an Analytics profile:

  • You must have AVR provisioned on your BIG-IP system.
  • You cannot be using a BIG-IP version between 13.1 and 13.1.0.6 to use the Analytics profile. There are certain properties that currently do not work on these versions.

There are two example declarations, one simple, one more full-featured. Both of the following declarations create the following objects on the BIG-IP:

  • Partition (tenant) named Sample_analytics_capture.
  • An HTTP service (virtual server) named serviceHttp.
  • An analytics profile for collecting statistics with a capture filter. See the schema reference and documentation for details.

2a: Simple example of HTTP Analytics profile with Capture filter

{
    "class": "ADC",
    "schemaVersion": "3.6.0",
    "id": "SAMPLE_ANALYTICS_capture_simple",
    "remark": "Sample analytics capture profile simple",
    "Sample_analytics_capture": {
        "class": "Tenant",
        "Sample_Analytics_Request": {
            "class": "Application",
            "serviceHttp": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "192.0.2.241"
                ],
                "virtualPort": 8080,
                "profileAnalytics": {
                    "use": "statsProf"
                }
            },
            "statsProf": {
                "class": "Analytics_Profile",
                "capturedTrafficInternalLogging": true,
                "captureFilter": {
                    "requestCapturedParts": "headers",
                    "responseCapturedParts": "headers"
                }
            }
        }
    }
}

2b: Detailed example of HTTP Analytics profile with Capture filter

{
    "class": "ADC",
    "schemaVersion": "3.9.0",
    "id": "Example_ANALYTICS_PROFILE_with_Capture_filter",
    "remark": "Analytics example full with capture filter",
    "Sample_analytics_capture": {
      "class": "Tenant",
      "TEST_ANALYTICS_Profile": {
        "class": "Application",
        "service": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "192.0.2.19",
            "192.0.2.20",
            "192.0.2.21"
          ],
          "virtualPort": 80,
          "profileAnalytics": { "use": "pA_Sample"},
          "pool": "poolRoundRobin"
        },
        "poolRoundRobin": {
          "class": "Pool",
          "loadBalancingMode": "round-robin",
          "monitors": [
              "http"
          ],
          "members": [
            {
              "servicePort": 80,
              "serverAddresses": [
                "192.0.2.58",
                "192.0.2.59",
                "192.0.2.60"
              ]
            }
          ]
        },
        "pA_Sample": {
          "class": "Analytics_Profile",
          "collectedStatsInternalLogging": true,
          "collectedStatsExternalLogging": false,
          "capturedTrafficInternalLogging": true,
          "capturedTrafficExternalLogging": false,
          "captureFilter": {
              "requestCapturedParts": "body",
              "responseCapturedParts": "all",
              "dosActivity": "mitigated-by-dosl7",
              "capturedProtocols": "http",
              "capturedReadyForJsInjection": "enabled",
              "requestContentFilterSearchPart": "body",
              "requestContentFilterSearchString": "something request something",
              "responseContentFilterSearchPart": "all",
              "responseContentFilterSearchString": "something respone something",
              "virtualServers": [
                  "service-1-"
              ],
              "nodeAddresses": [
                  "192.0.2.59"
              ],
              "responseCodes": [
                  400,
                  401,
                  402
              ],
              "methods": [
                  "GET",
                  "POST",
                  "PUT"
              ],
              "urlFilterType": "white-list",
              "urlPathPrefixes": [
                  "a.org",
                  "b.org",
                  "c.org"
              ],
              "userAgentSubstrings": [
                  "Mozilla (01",
                  "Mozilla (02",
                  "Mozilla (03"
              ],
              "clientIps": [
                  "10.9.10.10",
                  "10.9.10.11",
                  "10.9.10.12"
              ]
          }
        }
      }
    }
  }
  

Back to top

3: Using a Multiplex (OneConnect) profile in a declaration

This example shows how you can use a multiplex (called OneConnect on the BIG-IP) profile in your declarations. See the Schema Reference for usage options and information. For more information on the OneConnect profile, see About OneConnect Profiles in the BIG-IP documentation.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_profile_02.
  • An HTTP service (virtual server) named service.
  • An OneConnect profile named testMux for multiplexing connections.
{
    "class": "ADC",
    "schemaVersion": "3.7.0",
    "id": "1234",
    "remark": "Sample OneConnect multiplex profile",
    "Sample_profile_02": {
        "class": "Tenant",
        "Tenant_1": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                "10.10.1.3"
                ],
                "profileMultiplex": {
                    "use": "testMux"
                }
            },
            "testMux": {
                "class": "Multiplex_Profile",
                "maxConnections": 5000,
                "maxConnectionAge": 3600,
                "maxConnectionReuse": 20000,
                "idleTimeoutOverride": 900,
                "connectionLimitEnforcement": "idle",
                "sharePools": true
            }
        }
    }
}

Back to top

4: Using existing FTP and SIP profiles in a declaration

This example shows how you can use existing SIP and FTP profiles in a declaration. In this example, our BIG-IP system already has testSIP and testFTP profiles in the Common partition. See the Schema Reference for usage options and information.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_profile_03.
  • Two TCP services (virtual servers) named service, with Descriptions of A1 and A2.
  • A profileSIP object that references our existing testSIP profile.
  • A profileFTP object that references our existing testFTP profile.
{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
       "class": "ADC",
       "schemaVersion": "3.0.0",
       "id": "fghijkl7890",
       "label": "existing SIP and FTP profiles",
       "Sample_profile_03": {
          "class": "Tenant",
          "A1": {
             "class": "Application",
             "service": {
                "class": "Service_TCP",
                "virtualAddresses": [
                   "10.0.6.100"
                ],
                "virtualPort": 443,
                "profileSIP":  {
                    "bigip": "/Common/testSIP"
             },
                "pool": "tcp_pool"
             },
            "tcp_pool": {
                "class": "Pool",
                "monitors": [
                   "tcp"
                ],
                "members": [{
                   "servicePort": 443,
                   "serverAddresses": [
                      "192.0.6.10",
                      "192.0.6.11"
                   ]
                }]
             }
          },

         "A2": {
             "class": "Application",
             "service": {
                "class": "Service_TCP",
                "virtualAddresses": [
                   "10.0.6.100"
                ],
                "virtualPort": 443,
                "profileFTP":  {
                    "bigip": "/Common/testFTP"
             },
                "pool": "ftp_pool"
             },

             "ftp_pool": {
                "class": "Pool",
                "monitors": [
                   "tcp"
                ],
                "members": [{
                   "servicePort": 21,
                   "serverAddresses": [
                      "192.0.6.10",
                      "192.0.6.11"
                   ]
                }]
             }
          }
       }     
    }
}

Back to top

5: Using a Traffic Log profile in a declaration

This example shows how you can use a Traffic Log profile in a declaration. The Traffic Log profile in AS3 creates a Request Logging profile on the BIG-IP system, which gives you the ability to configure data within a log file for HTTP requests and responses, in accordance with specified parameters. For more information, see Request Logging documentation, and the Schema Reference for AS3 usage options and information.

This declaration creates the following objects on the BIG-IP:

  • Two partitions (tenants) named Sample_profile_04, and tenant2.
  • The Sample_profile_04 tenant includes a detailed Traffic Log profile (see Traffic Log profile in the Schema Reference for details and usage) and a pool named “thePool”.
  • The tenant2 tenant includes a virtual server named service and the default Traffic Log profile.

Note: This example does not include real certificates, so if you post the following declaration, you will receive an invalid certificate error. Replace the values of certificate and privateKey with your own certificates.

{
    "class": "ADC",
    "schemaVersion": "3.8.0",
    "id": "Traffic_Log_Profile",
    "Sample_profile_04": {
        "class": "Tenant",
        "app": {
            "class": "Application",
            "trafLogProf": {
                "class": "Traffic_Log_Profile",
                "parentProfile": {
                	"use": "trafLog"
                },
                "requestSettings": {
                    "requestErrorLoggingEnabled": true,
                    "proxyCloseOnErrorEnabled": true,
                    "proxyRespondOnLoggingErrorEnabled": true,
                    "requestErrorProtocol": "mds-tcp",
                    "requestProtocol": "mds-tcp",
                    "requestEnabled": true,
                    "proxyResponse": "Proxy Response",
                    "requestErrorPool": {
                        "use": "thePool"
                    },
                    "requestErrorTemplate": "ERR TEMPLATE:",
                    "requestPool": {
                        "use": "thePool"
                    },
                    "requestTemplate": "REQ TEMP"
                },
                "responseSettings": {
                    "byDefaultEnabled": false,
                    "responseErrorLoggingEnabled": true,
                    "responseErrorProtocol": "mds-tcp",
                    "responseProtocol": "mds-tcp",
                    "responseEnabled": true,
                    "responseErrorPool": {
                        "use": "thePool"
                    },
                    "responseErrorTemplate": "ERROR: ",
                    "responsePool": {
                        "use": "thePool"
                    },
                    "responseTemplate": "TEMPLATE"
                }
            },
            "thePool": {
                "class": "Pool"
            },
            "trafLog": {
                "class": "Traffic_Log_Profile"
            }
        }
    },
    "tenant2": {
        "class": "Tenant",
        "app2": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualAddresses": ["1.1.1.1"],
                "virtualPort": 23,
                "profileTrafficLog": {
                    "use": "trafLogProf2"
                }
            },
            "trafLogProf2": {
                "class": "Traffic_Log_Profile"
            }
        }
    }
}

Back to top

6: Using a WebSocket profile in a declaration

This example shows how you can use a WebSocket profile in a declaration. When you assign a WebSocket profile to a virtual server, the virtual server informs clients that a WebSocket virtual server is available to respond to WebSocket requests. WebSocket frames that contain payload data are masked with a 32-bit key. You can determine what the BIG-IP system does with this key by specifying one of the following values: preserve, remask, selective, unmask. For detailed information on the WebSocket profile, see Websocket documentation and HTTP Profile class in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_profile_05.
  • An HTTP service (virtual server) named service.
  • An HTTP profile that includes WebSocket properties.
{
    "class": "ADC",
    "schemaVersion": "3.8.0",
    "id": "TEST_Websocket_Profile",
    "remark": "Test Websocket profiles",
    "Sample_profile_05": {
        "class": "Tenant",
        "TEST_Websocket_Profile": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualPort": 80,
                "virtualAddresses": ["1.2.3.4"],
                "profileHTTP": {
                    "use": "httpProfile"
                }
            },
            "httpProfile": {
                "class": "HTTP_Profile",
                "webSocketsEnabled": true,
                "webSocketMasking": "preserve"
            }
        }
    }
}

Back to top

7: Using a Rewrite profile in a declaration

This example shows how you can use a Rewrite profile in a declaration. With a Rewrite profile, the BIG-IP system can perform URI scheme, host, port, and path modifications as HTTP traffic passes through the system. For detailed information, see Rewrite profile documentation and Rewrite profile in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_profile_06.
  • A Generic service (virtual server) named virtualServer.
  • A Rewrite profile named rewriteProf that includes a number of properties (see Rewrite profile in the Schema Reference for details and usage).
{
    "class": "ADC",
    "updateMode": "selective",
    "schemaVersion": "3.0.0",
    "id": "TEST_Rewrite_Profile",
    "Sample_profile_06": {
        "class": "Tenant",
        "TEST_Rewrite_Profile": {
            "class": "Application",
            "virtualServer": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "1.1.1.2"   
                ],
                "virtualPort":  80,
                "profileRewrite": {
                    "use": "rewriteProf"
                }
            },
            "rewriteProf": {
                "class": "Rewrite_Profile",
                "bypassList": [
                    "https://www.google.com",
                    "http://www.a.uri.com"
                ],
                "clientCachingType": "no-cache",
                "javaCaFile": {
                    "bigip": "/Common/default.crt"
                },
                "certificate": "cert_and_key",
                "javaSignKeyPassphrase": {
                    "ciphertext": "ZjVmNQ==",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",
                    "ignoreChanges": true
                },
                "locationSpecificEnabled": true,
                "requestSettings": {
                    "insertXforwardedForEnabled": false,
                    "insertXforwardedHostEnabled": true,
                    "insertXforwardedProtoEnabled": true,
                    "rewriteHeadersEnabled": false
                },
                "responseSettings": {
                    "rewriteContentEnabled": false,
                    "rewriteHeadersEnabled": false
                },
                "rewriteList": [
                    "https://www.example.com",
                    "https://www.rewritethis.net"
                ],
                "rewriteMode": "uri-translation",
                "setCookieRules": [
                    {
                        "client": {
                            "domain": "clientDomain1",
                            "path": "/"
                        },
                        "server": {
                            "domain": "serverDomain1",
                            "path": "/"
                        }
                    },
                    {
                        "client": {
                            "domain": "clientDomain2",
                            "path": "/"
                        },
                        "server": {
                            "domain": "serverDomain2",
                            "path": "/"
                        }
                    }
                ],
                "splitTunnelingEnabled": true,
                "uriRules": [
                    {
                        "type": "response",
                        "client": {
                            "path": "/",
                            "host": "www.google.com",
                            "scheme": "https",
                            "port": "100"
                        },
                        "server": {
                            "path": "/",
                            "host": "www.example.com",
                            "scheme": "http",
                            "port": "80"
                        }
                    },
                    {
                        "type": "request",
                        "client": {
                            "path": "/"
                        },
                        "server": {
                            "path": "/"
                        }
                    }
                ]
            },
            "cert_and_key": {
                "class": "Certificate",
                "remark": "in practice not using a passphrase is not recommended",
                "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
                "privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
            }
        }
    }
}

Back to top

8: Using a DoS profile in a declaration

This example shows how you can use a Denial of Service (DoS) profile in a declaration. The DoS profile can provide specific attack prevention at a very granular level. In the following example, we include nearly all of the available features in the DoS profile, with the exception of Mobile Defense, which we show in example 10. For detailed information on DoS profiles and the features in this declaration, see DoS Protection and Protocol Firewall Implementations (pdf). Also see the Schema Reference for usage options for using these features in your AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_dos_01.
  • A DoS profile with blacklisted and whitelisted geolocations and address lists, URL protection, bot defense, rate-based protection and more. See the documentation and schema reference for details.
{
    "class": "ADC",
    "schemaVersion": "3.6.0",
    "id": "DOS_Profile",
    "controls": {
      "class": "Controls",
      "trace": true,
      "logLevel": "debug"
    },
    "Sample_dos_01": {
      "class": "Tenant",
      "Application": {
        "class": "Application",
        "DOS_Profile": {
          "class": "DOS_Profile",
          "application": {
            "blacklistedGeolocations": ["Timor-Leste", "Cocos (Keeling) Islands"],
            "whitelistedGeolocations": ["Bonaire, Saint Eustatius and Saba", "Cote D'Ivoire"],
            "captchaResponse": {
              "first": "Are you a robot&quest;<br><br>%DOSL7.captcha.image% %DOSL7.captcha.change%<br><b>What code is in the image&quest;</b>%DOSL7.captcha.solution%<br>%DOSL7.captcha.submit%<br><br>Your supportID is: %DOSL7.captcha.support_id%.",
              "failure": "Error!<br><br>%DOSL7.captcha.image% %DOSL7.captcha.change%<br><b>What code is in the image&quest;</b>%DOSL7.captcha.solution%<br>%DOSL7.captcha.submit%<br><br>Your support ID is: %DOSL7.captcha.support_id%."
            },
            "heavyURLProtection": {
              "automaticDetectionEnabled": true,
              "detectionThreshold": 16,
              "excludeList": ["example.com"],
              "protectList": [{
                  "url": "www.google.com",
                  "threshold": 0
                }
              ]
            },
            "triggerIRule": true,
            "scrubbingDuration": 42,
            "remoteTriggeredBlackHoleDuration": 10,
            "profileAcceleration": {
              "bigip": "/Common/full-acceleration"
            },
            "botDefense": {
              "mode": "during-attacks",
              "blockSuspiscousBrowsers": true,
              "issueCaptchaChallenge": true,
              "gracePeriod": 4000,
              "crossDomainRequests": "validate-bulk",
              "siteDomains": ["www.google.com"],
              "externalDomains": ["www.yahoo.com"],
              "urlWhitelist": ["www.bing.com"]
            },
            "botSignatures": {
              "checkingEnabled": true,
              "blockedCategories": [{
                  "bigip": "/Common/Search Engine"
                }
              ],
              "reportedCategories": [{
                  "bigip": "/Common/Crawler"
                }
              ]
            },
            "rateBasedDetection": {
              "operationMode": "off",
              "thresholdsMode": "manual",
              "escalationPeriod": 120,
              "deEscalationPeriod": 7200,
              "sourceIP": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "deviceID": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "geolocation": {
                "minimumShare": 10,
                "shareIncreaseRate": 500,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "url": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true
              },
              "site": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true
              }
            },
            "stressBasedDetection": {
              "badActor": {
                "detectionEnabled": false,
                "mitigationMode": "none",
                "signatureDetectionEnabled": false,
                "useApprovedSignaturesOnly": false
              },
              "operationMode": "off",
              "thresholdsMode": "manual",
              "escalationPeriod": 120,
              "deEscalationPeriod": 7200,
              "sourceIP": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "deviceID": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "geolocation": {
                "minimumShare": 10,
                "shareIncreaseRate": 500,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "url": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "heavyURLProtectionEnabled": true
              },
              "site": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true
              }
            },
            "recordTraffic": {
              "maximumDuration": 10,
              "maximumSize": 10,
              "recordTrafficEnabled": false,
              "repetitionInterval": 10
            }
          },
          "network": {
            "dynamicSignatures": {
              "detectionMode": "enabled",
              "mitigationMode": "medium",
              "scrubbingEnabled": true,
              "scrubbingCategory": {
                "bigip": "/Common/attacked_ips"
              },
              "scrubbingDuration": 60
            },
            "vectors": [{
                "type": "hop-cnt-low",
                "state": "learn-only",
                "thresholdMode": "manual",
                "rateThreshold": 40000,
                "rateIncreaseThreshold": 600,
                "rateLimit": 1000000,
                "simulateAutoThresholdEnabled": true,
                "badActorSettings": {
                  "enabled": true,
                  "sourceDetectionThreshold": 0,
                  "sourceMitigationThreshold": 0
                },
                "autoBlacklistSettings": {
                  "enabled": true,
                  "category": {
                    "bigip": "/Common/botnets"
                  },
                  "attackDetectionTime": 1,
                  "categoryDuration": 60,
                  "externalAdvertisementEnabled": true
                }
              }
            ]
          },
          "protocolDNS": {
            "vectors": [{
                "type": "ptr",
                "state": "mitigate",
                "thresholdMode": "fully-automatic",
                "autoAttackFloor": 0,
                "autoAttackCeiling": 0
              }
            ]
          },
          "protocolSIP": {
            "vectors": [{
                "type": "cancel",
                "state": "disabled",
                "thresholdMode": "fully-automatic",
                "autoAttackFloor": 4294967295,
                "autoAttackCeiling": 4294967295,
                "rateIncreaseThreshold": 4294967295
              }
            ]
          },
          "whitelist": {
            "use": "addressList"
          },
          "applicationWhitelist": {
            "use": "addressListHTTP"
          }
        },
        "addressList": {
          "class": "Firewall_Address_List",
          "addresses": ["10.0.0.10"]
        },
        "addressListHTTP": {
          "class": "Firewall_Address_List",
          "addresses": ["10.0.0.11"]
        }
      }
    }
  }

Back to top

9: Using a DoS profile for Mobile Defense

This example shows how you can use a Denial of Service (DoS) profile in a declaration specific to mobile protection. See the Schema Reference for usage options for using these features in your AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_dos_02.
  • A DoS profile with mobile defense enabled.
{
    "class": "ADC",
    "schemaVersion": "3.6.0",
    "id": "DOS_Profile",
    "Sample_dos_02": {
      "class": "Tenant",
      "Application": {
        "class": "Application",
        "DOS_Profile": {
          "class": "DOS_Profile",
          "application": {
            "scrubbingDuration": 42,
            "remoteTriggeredBlackHoleDuration": 10,
            "mobileDefense": {
              "enabled": true,
              "allowAndroidPublishers": [{
                  "bigip": "/Common/default.crt"
                }
              ],
              "allowAndroidRootedDevice": true,
              "allowIosPackageNames": ["theName"],
              "allowJailbrokenDevices": true,
              "allowEmulators": true,
              "clientSideChallengeMode": "challenge"
            }
          }
        }
      }
    }
  }
  

Back to top

10: Using a HTTP Acceleration profile in a declaration

This example shows how you can use a Web (HTTP) Acceleration profile in a declaration, which helps speed your HTTP traffic. For detailed information, see Web Acceleration profile and HTTP Acceleration Profile class in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_profile_06.
  • A Generic service (virtual server) named http_accel.
  • A Web Acceleration profile named testItem that includes a number of properties (see HTTP Acceleration Profile class in the Schema Reference for details and usage).
{
    "class":"ADC",
    "schemaVersion":"3.8.0",
    "id":"TEST_HTTP_Acceleration_Profile",
    "Sample_profile_06":{
        "class":"Tenant",
        "Application":{
            "class":"Application",
            "template":"generic",
            "http_accel": {
                "class": "Service_HTTP",
                "virtualPort": 80,
                "virtualAddresses": [
                    "1.2.3.4"
                ],
                "profileHTTPAcceleration": {
                    "use": "testItem"
                }
            },
            "testItem": {
                "class": "HTTP_Acceleration_Profile",
                "parentProfile": {
                    "use": "accel"
                },
                "agingRate": 5,
                "ignoreHeaders": "none",
                "insertAgeHeaderEnabled": false,
                "maximumAge": 100000,
                "maximumEntries": 200000,
                "maximumObjectSize": 300000,
                "minimumObjectSize": 1000,
                "cacheSize": 200,
                "uriExcludeList": [
                    "."
                ],
                "uriIncludeList": [
                    "www.google.com"
                ],
                "uriIncludeOverrideList": [
                    "1.1.2.2",
                    "1.2.3.4"
                ],
                "uriPinnedList": [
                    "///"
                ],
                "metadataMaxSize": 30
            },
            "accel": {
                "class": "HTTP_Acceleration_Profile"
            }
        }
    }
}

Back to top

11: Using a Security log profile with Application Security

This example shows how you can use a BIG-IP ASM Security Logging profile with application security in a declaration (you must have ASM licensed and provisioned to use this profile). Logging profiles determine where events are logged, and which items (such as which parts of requests, or which type of errors) are logged. For more information on ASM logging profiles, see ASM Logging Profiles section of the ASM documentation., and Security Log Profile class in the Schema Reference for AS3 usage options and information.

There are two declarations in this example, one that uses local storage for the logs, and one that uses remote storage.

..local:

Local storage

This declaration creates a security log profile that uses local storage (for the remote storage example, click ref:remote). This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Security_Log_Local.
  • A Security Log Profile named secLogLocal with Application Security enabled which stores logs locally.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "Security_Log_Profile_local",
    "Security_Log_local": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "secLogLocal": {
                "class": "Security_Log_Profile",
                "application": {
                    "storageFilter": {
                        "logicalOperation": "and",
                        "requestType": "all",
                        "responseCodes": [
                            "100",
                            "200",
                            "300",
                            "400"
                        ],
                        "protocols": [
                            "https",
                            "ws"
                        ],
                        "httpMethods": [
                            "ACL",
                            "GET",
                            "POLL",
                            "POST"
                        ],
                        "requestContains": {
                            "searchIn": "search-in-headers",
                            "value": "The header string to search for"
                        },
                        "loginResults": [
                            "login-result-successful",
                            "login-result-failed"
                        ]
                    },
                    "guaranteeLoggingEnabled": true,
                    "guaranteeResponseLoggingEnabled": true,
                    "maxHeaderSize": 200,
                    "maxQuerySize": 1040,
                    "maxRequestSize": 900,
                    "responseLogging": "all"
                }
            }
        }
    }
}

..remote:

Remote storage

This declaration creates a security log profile that uses remote storage (for the local storage example, click ref:local). This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Security_Log_Remote.
  • A Security Log Profile named secLogRemote with Application Security enabled, which sends logs to a remote logging server on port 9876.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "Security_Log_Profile",
    "Security_Log_Remote": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "secLogRemote": {
                "class": "Security_Log_Profile",
                "application": {
                    "facility": "local3",
                    "storageFilter": {
                        "requestType": "illegal-including-staged-signatures",
                        "responseCodes": [
                            "404",
                            "201"
                        ],
                        "protocols": [
                            "http"
                        ],
                        "httpMethods": [
                            "PATCH",
                            "DELETE"
                        ],
                        "requestContains": {
                            "searchIn": "search-in-request",
                            "value": "The new value"
                        },
                        "loginResults": [
                            "login-result-unknown"
                        ]
                    },
                    "storageFormat": {
                        "fields": [
                            "attack_type",
                            "avr_id",
                            "headers",
                            "is_truncated"
                        ],
                        "delimiter": "."
                    },
                    "localStorage": false,
                    "maxEntryLength": "10k",
                    "protocol": "udp",
                    "remoteStorage": "remote",
                    "reportAnomaliesEnabled": true,
                    "servers": [
                        {
                            "address": "9.8.7.6",
                            "port": "9876"
                        }
                    ]
                }
            }
        }
    }
}

Back to top

12: Using a Stream profile in a declaration

This example shows how you can use a Stream profile in a declaration. With a Stream profile, the BIG-IP system performs a search and replace procedure for all occurrences of a string in a data stream, such as a TCP connection. For detailed information, see Overview of the Stream profile and < a href="https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html#stream-profile" target="_blank">Stream Profile in the Schema Reference for usage and options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Stream_tenant.
  • An HTTP service (virtual server) named Stream_service on port 100.
  • A Stream profile named Stream_profile that includes a number of properties (see < a href="https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html#stream-profile" target="_blank">Stream Profile in the Schema Reference for details and usage). This declaration also includes a default stream profile that is not referenced by the virtual server.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "Stream_Profile",
    "Stream_tenant": {
        "class": "Tenant",
        "Stream_app": {
            "class": "Application",
            "Stream_service": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "5.4.3.2"
                ],
                "virtualPort": 100,
                "profileStream": {
                    "use": "testStream"
                }
            },
            "testStream": {
                "class": "Stream_Profile",
                "remark": "Description",
                "parentProfile": {
                    "use": "streamProfile"
                },
                "chunkingEnabled": true,
                "chunkSize": 10000,
                "source": "The source",
                "target": "The target"
            },
            "streamProfile": {
                "class": "Stream_Profile"
            }
        }
    }
}

Back to top

13: Creating an FTP profile in a declaration

This example shows how you can create an FTP profile in a declaration (example (#4) showed how to use an existing FTP profile). See FTP_Profile in the Schema Reference for more usage options and information.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named TEST_FTP_Profile.
  • A FTP profile named sampleFTPprofile
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "FTP_Profile",
    "TEST_FTP_Profile": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "sampleFTPprofile": {
                "class": "FTP_Profile",
                "remark": "description",
                "port": 300,
                "ftpsMode": "require",
                "enforceTlsSessionReuseEnabled": true,
                "activeModeEnabled": false,
                "securityEnabled": true,
                "translateExtendedEnabled": false,
                "inheritParentProfileEnabled": true
        }
    }
}
}

Back to top

14: Referencing existing iRules LX Profiles

This example shows how you can reference an existing iRules LX profile in a BIG-IP virtual server. An iRules LX profile is a method to associate an LX Plugin to a virtual server. See the BIG-IP documentation for more information on iRules LX profiles.

There are a few things to note about iRules LX profiles:

  • You must be using BIG-IP (TMOS) v13.0 or later.
  • You must provision the iRules Language Extensions (iRulesLX).
  • AS3 cannot yet create iRules LX Profiles, but can reference them.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_ILX_Profile.
  • A virtual service named exampleVS
  • A profileILX property referencing an existing iRules LX profile on the target BIG-IP.
    {
    "class": "ADC",
    "schemaVersion": "3.12.0",
    "id": "Service_TCP",
    "controls": {
        "class": "Controls",
        "trace": true,
        "logLevel": "debug"
    },
    "Example_ILX_Profile": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "exampleVS": {
                "class": "Service_TCP",
                "remark": "description",
                "virtualPort": 123,
                "virtualAddresses": [
                    "192.0.2.10"
                ],
                "profileILX": {
                    "bigip": "/Common/iRulesProfile"
                }
            }
        }
    }
}

Back to top

15: Using the HTTP/2 profile in a declaration

This example shows how you can create an HTTP/2 profile in a declaration.

See Overview of HTTP/2 profile, and HTTP2_Profile in the Schema Reference for more usage options and information.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_ILX_Profile.
  • A virtual service named exampleVS
  • A profileILX property referencing an existing iRules LX profile on the target BIG-IP.
    {
    "class": "ADC",
    "schemaVersion": "3.12.0",
    "id": "Service_TCP",
    "controls": {
        "class": "Controls",
        "trace": true,
        "logLevel": "debug"
    },
    "Example_ILX_Profile": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "exampleVS": {
                "class": "Service_TCP",
                "remark": "description",
                "virtualPort": 123,
                "virtualAddresses": [
                    "192.0.2.10"
                ],
                "profileILX": {
                    "bigip": "/Common/iRulesProfile"
                }
            }
        }
    }
}

Back to top

16: Referencing an existing RTSP profile in a declaration

This example shows how you can reference an RTSP profile that exists on the BIG-IP system in your declarations. For information on RTSP, see RFC 2326; for information on the RTSP profile, see the RTSP documentation. You can also see Pointer_RTSP_Profile and Service_TCP in the Schema Reference for usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named example_RTSP.
  • A virtual service named RTSP_vs which includes the profileRTSP property referencing an existing RTSP profile on the target BIG-IP.
{
    "class": "ADC",
    "schemaVersion": "3.14.0",
    "id": "Service_TCP",
    "example_RTSP": {
        "class": "Tenant",
        "App1": {
            "class": "Application",
            "RTSP_vs": {
                "class": "Service_TCP",
                "virtualPort": 8080,
                "virtualAddresses": [
                    "1.1.1.10"
                ],
                "profileRTSP": {
                    "bigip": "/Common/rtsp"
                }
            }
        }
    }
}

Back to top

17: Creating a TCP Analytics profile in a declaration

This example shows how you can use the Application Visibility and Reporting (AVR, or Analytics) module in a declaration as a TCP analytics profile (for an HTTP Analytics profile, see 1: Creating an HTTP Analytics profile in a declaration). The Analytics profile is a set of definitions that determines the circumstances under which the system gathers, logs, notifies, and graphically displays information regarding traffic to an application.

For detailed information on AVR and the Analytics profile, see TCP Analytics Profile class in the Schema Reference for information and usage options for using these features in your AS3 declarations, and the BIG-IP Analytics: Implementations guide.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named TcpAnalytics.
  • A TCP service (virtual server) named serviceHttp.
  • A TCP analytics profile in the virtual service named myAnalyticsTcp for collecting statistics. See TCP Analytics Profile class in the schema reference and for details on the options.
{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
      "class": "ADC",
      "schemaVersion": "3.14.0",
      "label": "TCP Analytics Example",
      "remark": "Service_TCP with TCP Analytics",
      "TcpAnalytics": {
        "class": "Tenant",
        "tcpAnalytics": {
          "class": "Application",
          "service": {
            "class": "Service_TCP",
            "virtualAddresses": [
              "10.0.5.10"
            ],
            "virtualPort": 1344,
            "pool": "svc_pool",
            "profileAnalyticsTcp": { "use": "myAnalyticsTcp" }
          },
          "myAnalyticsTcp": {
              "class": "Analytics_TCP_Profile",
              "collectedStatsInternalLogging": true,
              "collectedStatsExternalLogging": true,
              "externalLoggingPublisher": { "bigip": "/Common/local-db-publisher" },
              "collectedByClientSide": true,
              "collectedByServerSide": true,
              "collectRemoteHostIp": true,
              "collectRemoteHostSubnet": true,
              "collectNexthop": true,
              "collectContinent": true,
              "collectCountry": true,
              "collectRegion": true,
              "collectCity": true,
              "collectPostCode": true
          },
          "svc_pool": {
            "class": "Pool",
            "members": [{
              "servicePort": 1344,
              "serverAddresses": [
                "192.0.5.10",
                "192.0.5.11"
              ]
            }]
          }
        }
      }
    }
}

Back to top

18: Referencing a PPTP profile in a declaration

This example shows how you can reference an existing PPTP profile in a declaration. The PPTP (point-to-point tunneling protocol) profile enables you to configure the BIG-IP system to support a secure virtual private network (VPN) tunnel that forwards PPTP control and data connections. The PPTP protocol is described in RFC 2637.

Important

You cannot combine or use the PPTP Profile with another profile other than a TCP Profile. The PPTP Profile must be used separately and independently.

For detailed information on the PPTP profile, see PPTP in the TMSH reference and PPTP in CGNAT documentation.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_pptp_profile.
  • An TCP service (virtual server) named service, which references an existing PPTP profile on the BIG-IP system.
{
  "class": "ADC",
  "schemaVersion": "3.15.0",
  "label": "PPTP_profile_existing",
  "remark": "PPTP_profile_existing",
  "Sample_pptp_profile": {
    "class": "Tenant",
    "HTTP_Service": {
      "class": "Application",
      "service": {
        "class": "Service_TCP",
        "virtualAddresses": [
          "192.0.2.107"
        ],
        "virtualPort": 8181,
        "snat": "auto",
        "profilePPTP": {
          "bigip": "/Common/pptp"
        }
      }
    }
  }
}

Back to top

19: Configuring SCTP services and referencing SCTP profiles in a declaration

This example shows how you can reference existing SCTP profiles in an AS3 declaration. It also shows the new Service_SCTP class, which creates a virtual service that uses the SCTP protocol. For information on BIG-IP and the SCTP profile, see SCTP Profile Type in the product manual. For AS3, see Service_SCTP for detailed information and usage for the SCTP Class, and Pointer_SCTP_Profile for the SCTP profile.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_sctp_01.
  • An application named mySCTP that uses the sctp template.
  • A virtual service named service that uses Service_SCTP, and references an existing SCTP profile on the BIG-IP system.
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.15.0",
    "id": "service-sctp",
    "label": "Sample Service_SCTP",
    "remark": "Simple SCTP application reference",
    "Sample_sctp_01": {
      "class": "Tenant",
      "mySCTP": {
        "class": "Application",
        "service": {
          "class": "Service_SCTP",
          "virtualAddresses": [
            "10.0.1.10"
          ],
          "virtualPort": 132,
          "profileSCTP": {
            "bigip": "/Common/sctp"
          }
        }
      }
    }
  }
}

Back to top

20: Referencing Request and Response Adapt profiles in a declaration

This example shows how you can reference an existing Request and Response Adapt profiles in a declaration. These profiles are a part of the BIG-IP content adaptation feature for adapting HTTP requests and responses.

For detailed information on the Adapt profiles, see Overview: Configuring HTTP Request Adaptation and Pointer Request Adapt profile in the schema reference for usage guidance.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_adapt_profile.
  • A HTTP service (virtual server) named service, which references existing Request and Response Adapt profiles on the BIG-IP system.
{
  "class": "ADC",
  "schemaVersion": "3.15.0",
  "label": "Adapt_profile_existing",
  "remark": "Adapt_profile_existing",
  "Sample_adapt_profile": {
    "class": "Tenant",
    "HTTP_Service": {
      "class": "Application",
      "service": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "192.0.2.107"
        ],
        "virtualPort": 8181,
        "snat": "auto",
        "profileRequestAdapt": {
          "bigip": "/Common/requestadapt"
        },
        "profileResponseAdapt": {
          "bigip": "/Common/responseadapt"
        }
      }
    }
  }
}

Back to top

21: Creating Request and Response Adapt profiles in a declaration

This example shows how you can create Request and Response Adapt profiles in a declaration. These profiles are a part of the BIG-IP content adaptation feature for adapting HTTP requests and responses.

For detailed information on the Adapt profiles, see Overview: Configuring HTTP Request Adaptation and Pointer Request Adapt profile in the schema reference for usage guidance.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named tenant.
  • A HTTP service (virtual server) named service, which references Request and Response Adapt profiles in the declaration.
  • An Adapt request profile named adaptRequestProfile which points to an internal service.
  • An Adapt response profile named adaptResponseProfile which points to the same internal service.
  • An internal TCP virtual server named internalService.
{
    "class": "ADC",
    "schemaVersion": "3.15.0",
    "id": "123456",
    "tenant": {
        "class": "Tenant",
        "appAdapt": {
            "class": "Application",
            "service": {
            	"class": "Service_HTTP",
            	"virtualPort": 80,
            	"virtualAddresses": ["10.10.10.10"],
            	"profileRequestAdapt": {
            		"use": "adaptRequestProfile"
            	},
            	"profileResponseAdapt": {
            		"use": "adaptResponseProfile"
            	}
            },
            "adaptRequestProfile": {
            	"class": "Adapt_Profile",
            	"messageType": "request",
            	"enableHttpAdaptation": false,
            	"previewSize": 2048,
            	"serviceDownAction": "reset",
            	"timeout": 1000,
            	"allowHTTP10": true,
            	"internalService": {
            		"use": "internalService"
            	}
            },
            "adaptResponseProfile": {
            	"class": "Adapt_Profile",
            	"messageType": "response",
            	"enableHttpAdaptation": false,
            	"previewSize": 2048,
            	"serviceDownAction": "reset",
            	"timeout": 1000,
            	"allowHTTP10": true,
            	"internalService": {
            		"use": "internalService"
            	}
            },
            "internalService": {
            	"class": "Service_TCP",
            	"virtualType": "internal"
            }
        }
    }
}

Back to top

22: Referencing existing ICAP profiles in a declaration

This example shows how you can reference an existing ICAP (Internet Content Adaptation Protocol) profile in a declaration. You can use an ICAP profile when you want to use the BIG-IP content adaptation feature for adapting HTTP requests and responses. This feature allows a BIG-IP virtual server to conditionally forward HTTP requests and HTTP responses to a pool of ICAP servers for modification, before sending a request to a web server or returning a response to the client system. For more information on using the ICAP profile, see the BIG-IP documentation.

Important

ICAP profile must use TCP services and is only supported in Service_TCP.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_ICAP_profile.
  • An application named TCP_Service that uses the tcp template.
  • A virtual service named service that references an existing ICAP profile on the BIG-IP system.
{
    "class": "ADC",
    "schemaVersion": "3.16.0",
    "label": "ICAP_profile_existing",
    "remark": "ICAP_profile_existing",
    "Sample_ICAP_profile": {
        "class": "Tenant",
        "TCP_Service": {
            "class": "Application",
            "service": {
                "class": "Service_TCP",
                "virtualPort": 8181,
                "virtualAddresses": [
                    "192.0.2.100"
                ],
                "profileICAP": {
                    "bigip": "/Common/icap"
                }
            }
        }
    }
}

Back to top

23: Creating ICAP profiles in a declaration

This example shows how you can create an ICAP profile in a declaration. You can use an ICAP profile when you want to use the BIG-IP content adaptation feature for adapting HTTP requests and responses. For more information on using the ICAP profile, see the example above, and BIG-IP documentation.

Important

ICAP profile must use TCP services and is only supported in Service_TCP.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_ICAP_profile.
  • An application named icapApp.
  • A virtual service named service that references an ICAP profile in the declaration.
  • An ICAP profile named icapProfile
{
    "class": "ADC",
    "schemaVersion": "3.15.0",
    "id": "ICAP_Profile",
    "Sample_ICAP_Profile": {
        "class": "Tenant",
        "icapApp": {
            "class": "Application",
            "service": {
                "class": "Service_TCP",
                "virtualType": "internal",
                "sourceAddress": "192.0.2.0/24",
                "profileICAP": {
                    "use": "icapProfile"
                }
            },
            "icapProfile": {
                "class": "ICAP_Profile",
                "uri": "icap://${SERVER_IP}:${SERVER_PORT}/videoOptimization",
                "fromHeader": "admin@example.com",
                "hostHeader": "www.example.com",
                "refererHeader": "http://www.example.com/video/resource.html",
                "userAgentHeader": "CERN-LineMode/2.15 libwww/2.17b3",
                "previewLength": 100
            }
        }
    }
}

Back to top

24: Configuring an ingress HTTP/2 profile in an HTTPS service

This example shows how you can configure a separate HTTP/2 profile for ingress (client-side) traffic on an HTTPS service (only). Prior to version 3.20, you could not specify a specific profile for ingress traffic.

HTTP/2 is a major revision to the HTTP protocol, offering both speed and efficiency benefits. See K04412053: Overview of the BIG-IP HTTP/2 profile for a detailed explanation of HTTP/2 profiles on the BIG-IP and an overview of the benefits of HTTP/2.

See Service_HTTPS_profileHTTP2, HTTP2_Profile, and Service_HTTPS in the Schema Reference for more detail on AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named TENANT_1.
  • An Application named APPLICATION_1
  • An HTTP2_Profile named http2profile
  • A Client SSL profile (TLS_Server in AS3) named webtls that references the certificate and key later in the declaration.
  • A virtual server named service that references the HTTP/2 profile and specifies ingress.
{
    "class": "ADC",
    "schemaVersion": "3.20.0",
    "TENANT_1": {
        "class": "Tenant",
        "APPLICATION_1": {
            "class": "Application",
            "http2profile": {
                "class": "HTTP2_Profile",
                "enforceTlsRequirements": false
            },
            "webtls": {
                "class": "TLS_Server",
                "certificates": [
                    {
                        "certificate": "webcert"
                    }
                ],
                "renegotiationEnabled": false
            },
            "service": {
                "class": "Service_HTTPS",
                "profileHTTP2": {
                	"ingress": {
                		"use": "http2profile"	
                	}
                },
                "serverTLS": "webtls",
                "virtualAddresses": [
                    "10.0.1.10"
                ]
            },
            "webcert": {
                "class": "Certificate",
                "certificate": { "bigip": "/Common/default.crt" },
                "privateKey": { "bigip": "/Common/default.key" }
            }
        }
    }
}

Back to top

24: Configuring a Fast L4 profile in a declaration

This example shows how you can configure a Fast L4 profile in a BIG-IP declaration. While configuring a Fast L4 Profile has been available in previous versions, AS3 3.23 adds support for the keepAliveInterval property.

The keepAliveInterval property allows you to specify the keep-alive probe interval, in seconds. The default is 0, which disables the keep-alive probe.

See L4_Profile in the Schema Reference for more detail on AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named AS3_Tenant.
  • An Application named AS3_App
  • A Fast L4 Profile named l4Profile, which includes the keep alive interval set to 600 seconds.
{
    "class": "ADC",
    "schemaVersion": "3.23.0",
    "id": "TEST_L4_Profile",
    "remark": "Test L4 profiles",
    "L4_Tenant": {
        "class": "Tenant",
        "L4_App ": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualPort": 80,
                "virtualAddresses": ["1.2.3.4"],
                "profileL4": {
                    "use": "l4Profile"
                }
            },
            "l4Profile": {
                "class": "L4_Profile",
                "clientTimeout": 60,
                "idleTimeout": 600,
                "keepAliveInterval": 600,
                "looseClose": true,
                "looseInitialization": true,
                "maxSegmentSize": 4096,
                "resetOnTimeout": false,
                "tcpCloseTimeout": 43200,
                "tcpHandshakeTimeout": 43200
            }
        }
    }
}

Back to top

Back to top

25: Referencing an existing NTLM profile in a declaration

This example shows how you can reference an NTLM profile that exists on the BIG-IP system (including the system-supplied default NTLM profile) in declarations for HTTP and HTTPS services. The BIG-IP NTLM profile optimizes network performance when the system is processing NT LAN Manager traffic.

Important

To reference an NTLM profile, you must also include a Multplex_Profile profile (known as a OneConnect profile on the BIG-IP) for the declaration to succeed.

When both an NTLM profile and a OneConnect profile are associated with a virtual server, the BIG-IP can take advantage of server-side connection pooling for NTLM connections. See the BIG-IP documentation for more information on NTLM and OneConnect profiles.

See Service_HTTP amd Service_HTTPS in the Schema Reference for more detail on AS3 usage.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_NTLM.
  • An Application named NTLM_App
  • A virtual server named NTLMvs which references the default NTLM profile on the BIG-IP system.
  • A OneConnect (multiplex) profile named testMux, which required when referencing an NTLM profile.
{
    "class": "ADC",
    "schemaVersion": "3.23.0",
    "id": "Service_HTTP",
    "Example_NTLM": {
        "class": "Tenant",
        "NTLM_App": {
            "class": "Application",
            "NTLMvs": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "10.10.20.20"
                ],
                "profileNTLM": {
                    "bigip": "/Common/ntlm"
                },
                "profileMultiplex": {
                    "use": "testMux"
                }
            },
            "testMux": {
                "class": "Multiplex_Profile",
                "maxConnections": 5000,
                "maxConnectionAge": 3600,
                "maxConnectionReuse": 20000,
                "idleTimeoutOverride": 900,
                "connectionLimitEnforcement": "idle",
                "sharePools": true
            }
        }
    }
}

Back to top