Appendix A: Schema Reference
This page is a reference for the objects you can use in your Declarations for AS3. For more information on BIG-IP objects and terminology, see the BIG-IP documentation at https://my.f5.com/manage/s/.
Access_Profile
Configures an Access Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Access_Profile” | ||
enable (boolean) | false | true, false | Apply the profile after updating it. If false (default), the system only updates the profile. Also note ‘ignoreChanges’. |
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the profile in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the profile on first deployment, and leaves it untouched afterwards. However, if enable is set to true, the policy will be applied even if ignoreChanges is true |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
ssloCreated (boolean) | false | true, false | Set to true if the profile was created by SSL Orchestrator. If true the non-configurable Kerberos Request-Based Authentication (/Common/rba) and WebSSO (/Common/websso) profiles will not be attached to Services when this profile is attached |
url (Resource_URL) | The URL to pull the Access Profile from |
Adapt_Profile
Configures a request or response Adapt profile or both
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowHTTP10 (boolean) | false | true, false | Specifies whether to forward HTTP 1.0 requests/responses |
class (string) | “Adapt_Profile” | ||
enableHttpAdaptation (boolean) | true | true, false | Enable or disable the adaptation of HTTP requests/responses. They will be forwarded to the internal service |
internalService (Pointer_Service) | Specifies the name of the internal service to use for adapting the request/response | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
messageType (string) | “response”, “request”, “request-and-response” | The type of Adapt profile. Use both to create a request and response profile with the same property values | |
previewSize (integer) | 1024 | [0, 4294967295] | Specifies the maximum size of the preview buffer |
serviceDownAction (string) | “ignore” | “ignore”, “reset”, “drop” | Specifies the action to take if the internal service doesn’t exist or is down |
timeout (integer) | 0 | [0, 4294967295] | Specifies how long in milliseconds to wait for the internal service before a timeout error will occur |
ADC
A declarative configuration for an ADC such as F5 BIG-IP
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
$schema (string) | format: uri | URL of schema against which to validate. Used by validation in your local environment only (via Visual Studio Code, for example) | |
class (string) | “ADC” | Indicates this JSON document is an ADC declaration | |
Common (ADC_Common) | Special tenant Common holds objects other tenants can share | ||
constants (ADC_constants) | Declaration metadata and/or named values for (re-)use by declaration objects | ||
controls (Controls) | |||
id (string) | regex: ^[^\x00-\x20\x22'<>\x5c^`|\x7f]*$ | Unique identifier for this declaration (max 255 printable chars with no spaces, quotation marks, angle brackets, nor backslashes) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
schemaVersion (string) | Version of ADC Declaration schema this declaration uses | ||
scratch (string) | Holds some system data during declaration processing | ||
target (ADC_target) | Trusted target for config when configuring with BIG-IQ | ||
updateMode (string) | “selective” | “complete”, “selective” | When set to ‘selective’ (default) BIG-IP AS3 does not modify Tenants not referenced in the declaration. Otherwise (‘complete’) BIG-IP AS3 removes unreferenced Tenants. |
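The `id`, `label` and `remark` patterns and length limits from the table above, applied as a pre-deployment check. This is an added example, not part of the F5 documentation; the function names and the sample declaration are constructed for illustration. It shows that markup passes the `remark` pattern, so a remark has to be escaped wherever it is displayed.

```python
import html
import re

# Patterns from the schema tables on this page, hex escapes written out.
LABEL_RE = re.compile(r"^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$")
REMARK_RE = re.compile(r"^[^\x00-\x1f\x22\x5c\x7f]*$")
ID_RE = re.compile(r"^[^\x00-\x20\x22'<>\x5c^`|\x7f]*$")

# label and remark carry the same pattern on every class listed here;
# both are limited to 64 characters.
TEXT_FIELDS = {"label": (LABEL_RE, 64), "remark": (REMARK_RE, 64)}


def check_value(path, value, pattern, max_len):
    """Return (path, problem) tuples for one string value."""
    problems = []
    if len(value) > max_len:
        problems.append((path, f"longer than {max_len} characters"))
    # fullmatch, not match: in Python "$" also matches just before a
    # trailing newline, which would let "text\n" through.
    if pattern.fullmatch(value) is None:
        problems.append((path, "contains an excluded character"))
    return problems


def walk(node, path):
    """Check every label/remark string found anywhere in the declaration."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key in TEXT_FIELDS and isinstance(value, str):
                pattern, max_len = TEXT_FIELDS[key]
                findings.extend(check_value(here, value, pattern, max_len))
            else:
                findings.extend(walk(value, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(walk(item, f"{path}[{index}]"))
    return findings


def check_declaration(decl):
    """Check the top-level id (max 255 chars), then all labels and remarks."""
    findings = []
    if isinstance(decl.get("id"), str):
        findings.extend(check_value("declaration.id", decl["id"], ID_RE, 255))
    return findings + walk(decl, "declaration")


def render_remark(remark):
    """Escape a remark for HTML output; the schema pattern does not do this."""
    return html.escape(remark, quote=True)


# Constructed sample declaration (not taken from a real deployment).
SAMPLE = {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "example id",                        # space is excluded from id
    "label": "front-end apps",                 # spaces are fine in a label
    "remark": "<script>alert(1)</script>",     # valid per the remark pattern
    "Tenant1": {
        "class": "Tenant",
        "label": "web <prod>",                 # angle brackets excluded
        "App": {
            "class": "Application",
            "remark": "first line\nsecond line",  # control character excluded
        },
    },
}

if __name__ == "__main__":
    for path, problem in check_declaration(SAMPLE):
        print(f"{path}: {problem}")
    print("escaped remark:", render_remark(SAMPLE["remark"]))
```
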
ADC_Common
ADC Common possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Tenant” | “Tenant” | |
constants (Constants) | |||
controls (Controls) | |||
enable (boolean) | true, false | If declared, you must enable the Common tenant | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
optimisticLockKey (string) | “” | Note: The optimisticLockKey does NOT work when using per-app. When you deploy a declaration with a non-empty ‘key’ value here, that activates an optimistic lock on changes to this Tenant. If the key in your declaration does not match the key BIG-IP AS3 computes for the most-recent previous declaration, then BIG-IP AS3 will NOT update this Tenant and will return an error code. To use optimistic locking, first retrieve a declaration using option ‘showHash=true’ to get the current per-Tenant keys. Make any changes you desire, then deploy your updated declaration. Deployment of each Tenant with a key will succeed only if that Tenant has not been modified since the time you retrieved the declaration. (To overwrite all previous changes to a Tenant simply do NOT include any optimistic-lock key for that Tenant when you deploy a declaration. That is the default.) Note that only keys computed by BIG-IP AS3 may be used here; you cannot generate your own. If ‘showHash=true’ is used on a POST then the optimisticLockKey will be shown as a part of the output (this helps to avoid the need to do a GET request). | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
Shared (Application_Shared) | |||
verifiers (object) | Data (in ‘key’:’value’ properties) used to verify automated tests. Ordinary declarations do not need this |
ADC_constants
ADC constants possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Constants” | “Constants” | |
timestamp (string) | format: date-time | Date+time (this version of) declaration was created (optional but recommended) | |
version (number | string) | Version number of declaration; update when you change contents but not ID (optional but recommended) |
ADC_target
ADC target possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | format: f5ip | IP address of managed device to be configured | |
hostname (string) | Host name of managed device to be configured |
Address_Discovery
Sharable Pool Member information
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
accessKeyId (string) | Information for discovering AWS nodes that are not in the same region as your BIG-IP (also requires the secretAccessKey field) | ||
addressDiscovery (string) | “static”, “fqdn”, “event”, “aws”, “gce”, “azure”, “consul” | Selects how server (node) addresses are discovered | |
addressFamily (string) | “IPv4” | “IPv4”, “IPv6” | Selects IPv4/6 and DNS A/AAAA RR’s |
addressRealm (string) | “private” | “public”, “private” | Specifies whether to look for public or private IP addresses |
apiAccessKey (string | Secret) | Azure registered application API access key (AKA service principal secret). Will be stored in the declaration in an encrypted format. | ||
applicationId (string) | Azure registered application ID (AKA client ID) | ||
autoPopulate (boolean) | false | true, false | If true use multiple server (node) addresses when available, otherwise use only one |
class (string) | “Address_Discovery” | ||
credentialUpdate (boolean) | false | true, false | Specifies whether you are updating your credentials |
directoryId (string) | Azure Active Directory ID (AKA tenant ID) | ||
downInterval (integer) | 5 | [0, infinity] | DNS retry interval after resolution failure (seconds) |
encodedCredentials (string | Secret) | Base 64 encoded service account credentials JSON | ||
encodedToken (string | Secret) | Base 64 encoded bearer token to make requests to the Consul API. Will be stored in the declaration in an encrypted format. | ||
environment (string) | “Azure” | Azure environment name. Required if environment should not be determined by instance metadata. | |
externalId (string) | External Id | ||
fqdnPrefix (string) | “” | String to prepend onto the hostname to create the node name | |
hostname (string) | format: hostname | ||
jmesPathQuery (string) | Custom JMESPath Query | ||
minimumMonitors (reference) | 1 | ||
projectId (string) | For Google Cloud Engine (GCE) only: The ID of the project in which the members are located | ||
queryInterval (integer) | 0 | [0, infinity] | Normal DNS query interval (seconds, default 0 means RR TTL) |
region (string) | “” | Empty string (default) means region in which ADC is running | |
rejectUnauthorized (boolean) | true | true, false | If true, the server certificate is verified against the list of supplied/default CAs when making requests to the Consul API. |
resourceGroup (string) | Azure Resource Group name | ||
resourceId (string) | ID of resource to find nodes by. | ||
resourceType (string) | “tag”, “scaleSet” | Type of resource identified by resourceId. This can be used in place of tagKey/tagValue. | |
roleARN (string) | Assume a role (also requires the externalId field) | ||
secretAccessKey (string | Secret) | Will be stored in the declaration as an encrypted string | ||
serverAddresses (array<string>) | format: f5ip | Static IP addresses of servers (nodes). Shorthand for ‘servers’ where you only want to specify the address property. | |
servers (array<Address_Discovery_servers>) | Same as serverAddresses, but allowing for further specification of each node. | ||
shareNodes (boolean) | false | true, false | If enabled, nodes are created in /Common instead of the tenant’s partition |
subscriptionId (string) | Azure subscription ID | ||
tagKey (string) | The tag key associated with the node to add to this pool | ||
tagValue (string) | The tag value associated with the node to add to this pool | ||
trustCA (Pointer_CA_Bundle) | CA Bundle to validate server certificates | ||
undetectableAction (string) | “remove” | “disable”, “remove” | Action to take when node cannot be detected |
updateInterval (integer) | 60 | [1, 3600] | Server-discovery update interval (seconds) |
uri (string) | The location of the node data | ||
useManagedIdentity (boolean) | false | true, false | Use Azure managed identity rather than directoryId, applicationId, and apiAccessKey |
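A review-time lint for the Address_Discovery properties above: it flags disabled certificate verification (`rejectUnauthorized`), the "also requires" pairs, an out-of-range `updateInterval`, and the presence of `string | Secret` fields. This is an added example, not part of the F5 documentation; the function names, finding codes and the sample declaration are constructed for illustration.

```python
# Fields this page types as "string | Secret": when one is present, the
# declaration file itself has to be handled as a credential.
SECRET_FIELDS = ("apiAccessKey", "encodedCredentials", "encodedToken", "secretAccessKey")


def lint_discovery_object(obj):
    """Return finding codes for one object that has an addressDiscovery property."""
    codes = []
    # Default is true; an explicit false turns off verification of the
    # server certificate on requests to the Consul API.
    if obj.get("rejectUnauthorized", True) is False:
        codes.append("tls-verify-off")
    # "also requires" pairs stated in the property descriptions.
    if "accessKeyId" in obj and "secretAccessKey" not in obj:
        codes.append("missing-secretAccessKey")
    if "roleARN" in obj and "externalId" not in obj:
        codes.append("missing-externalId")
    # updateInterval: integer in [1, 3600], default 60 (bool is not accepted).
    interval = obj.get("updateInterval", 60)
    if isinstance(interval, bool) or not isinstance(interval, int) \
            or not 1 <= interval <= 3600:
        codes.append("updateInterval-out-of-range")
    codes.extend(f"secret-present:{name}" for name in SECRET_FIELDS if name in obj)
    return codes


def lint_declaration(node, path="declaration"):
    """Walk a parsed declaration and lint every object with addressDiscovery."""
    findings = []
    if isinstance(node, dict):
        if "addressDiscovery" in node:
            findings.extend((path, code) for code in lint_discovery_object(node))
        for key, value in node.items():
            findings.extend(lint_declaration(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(lint_declaration(item, f"{path}[{index}]"))
    return findings


# Constructed sample declaration; all names and values are placeholders.
SAMPLE = {
    "class": "ADC",
    "Tenant1": {
        "class": "Tenant",
        "consul_nodes": {
            "class": "Address_Discovery",
            "addressDiscovery": "consul",
            "uri": "https://consul.example.test/nodes",
            "rejectUnauthorized": False,
            "encodedToken": "Q09OU1RSVUNURUQ=",
        },
        "aws_nodes": {
            "class": "Address_Discovery",
            "addressDiscovery": "aws",
            "accessKeyId": "EXAMPLE-KEY-ID",
            "roleARN": "arn:aws:iam::000000000000:role/example",
            "tagKey": "app",
            "tagValue": "web",
            "updateInterval": 0,
        },
    },
}

if __name__ == "__main__":
    for path, code in lint_declaration(SAMPLE):
        print(f"{path}: {code}")
```
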
Address_Discovery_servers
Address_Discovery servers possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | format: f5ip | Static IP address for this server (node) | |
name (string) | regex: ^[A-Za-z][0-9A-Za-z_.-]*$ |
Address_Discovery_Common
No description provided
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
accessKeyId (string) | Information for discovering AWS nodes that are not in the same region as your BIG-IP (also requires the secretAccessKey field) | ||
addressDiscovery (reference) | |||
addressFamily (string) | “IPv4” | “IPv4”, “IPv6” | Selects IPv4/6 and DNS A/AAAA RR’s |
addressRealm (string) | “private” | “public”, “private” | Specifies whether to look for public or private IP addresses |
apiAccessKey (string | Secret) | Azure registered application API access key (AKA service principal secret). Will be stored in the declaration in an encrypted format. | ||
applicationId (string) | Azure registered application ID (AKA client ID) | ||
autoPopulate (boolean) | false | true, false | If true use multiple server (node) addresses when available, otherwise use only one |
credentialUpdate (boolean) | false | true, false | Specifies whether you are updating your credentials |
directoryId (string) | Azure Active Directory ID (AKA tenant ID) | ||
downInterval (integer) | 5 | [0, infinity] | DNS retry interval after resolution failure (seconds) |
encodedCredentials (string | Secret) | Base 64 encoded service account credentials JSON | ||
encodedToken (string | Secret) | Base 64 encoded bearer token to make requests to the Consul API. Will be stored in the declaration in an encrypted format. | ||
environment (string) | “Azure” | Azure environment name. Required if environment should not be determined by instance metadata. | |
externalId (string) | External Id | ||
fqdnPrefix (string) | “” | String to prepend onto the hostname to create the node name | |
hostname (string) | format: hostname | ||
jmesPathQuery (string) | Custom JMESPath Query | ||
minimumMonitors (reference) | 1 | ||
projectId (string) | For Google Cloud Engine (GCE) only: The ID of the project in which the members are located | ||
queryInterval (integer) | 0 | [0, infinity] | Normal DNS query interval (seconds, default 0 means RR TTL) |
region (string) | “” | Empty string (default) means region in which ADC is running | |
rejectUnauthorized (boolean) | true | true, false | If true, the server certificate is verified against the list of supplied/default CAs when making requests to the Consul API. |
resourceGroup (string) | Azure Resource Group name | ||
resourceId (string) | ID of resource to find nodes by. | ||
resourceType (string) | “tag”, “scaleSet” | Type of resource identified by resourceId. This can be used in place of tagKey/tagValue. | |
roleARN (string) | Assume a role (also requires the externalId field) | ||
secretAccessKey (string | Secret) | Will be stored in the declaration as an encrypted string | ||
serverAddresses (array<string>) | format: f5ip | Static IP addresses of servers (nodes). Shorthand for ‘servers’ where you only want to specify the address property. | |
servers (array<Address_Discovery_Common_servers>) | Same as serverAddresses, but allowing for further specification of each node. | ||
subscriptionId (string) | Azure subscription ID | ||
tagKey (string) | The tag key associated with the node to add to this pool | ||
tagValue (string) | The tag value associated with the node to add to this pool | ||
trustCA (Pointer_CA_Bundle) | CA Bundle to validate server certificates | ||
undetectableAction (string) | “remove” | “disable”, “remove” | Action to take when node cannot be detected |
updateInterval (integer) | 60 | [1, 3600] | Server-discovery update interval (seconds) |
uri (string) | The location of the node data | ||
useManagedIdentity (boolean) | false | true, false | Use Azure managed identity rather than directoryId, applicationId, and apiAccessKey |
Address_Discovery_Common_servers
Address_Discovery_Common servers possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | format: f5ip | Static IP address for this server (node) | |
name (string) | regex: ^[A-Za-z][0-9A-Za-z_.-]*$ |
ALG_Log_Profile
Configures an application layer gateway log profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “ALG_Log_Profile” | ||
csvFormat (boolean) | false | true, false | Generate entries in comma-separated-values (csv) format |
endControlChannel (ALG_Log_Profile_endControlChannel) | {"action":"enabled","includeDestination":false} | Event for end of control channel connection | |
endDataChannel (ALG_Log_Profile_endDataChannel) | {"action":"enabled","includeDestination":false} | Event for end of data channel connection | |
inboundTransaction (ALG_Log_Profile_inboundTransaction) | {"action":"disabled"} | Generates event log entries of SIP messages. Triggered by inbound connection to the BIG-IP system | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
startControlChannel (ALG_Log_Profile_startControlChannel) | {"action":"disabled","includeDestination":false} | Event for start of control channel connection | |
startDataChannel (ALG_Log_Profile_startDataChannel) | {"action":"disabled","includeDestination":false} | Event for start of data channel connection |
ALG_Log_Profile_endControlChannel
ALG_Log_Profile endControlChannel possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
action (string) | “enabled” | “enabled”, “disabled”, “backup-allocation-only” | Specify the logging action to be taken when a particular event is encountered. If ‘enabled’ logging is enabled for the event, regardless of how the flow is created. If ‘disabled’ logging is disabled for the event. If ‘backup-allocation-only’ logging is enabled for the event when the ALG is proxy with a LSN, and translation is taken from the backup pool member only. |
includeDestination (boolean) | false | true, false | Include destination address/port in the log message |
ALG_Log_Profile_endDataChannel
ALG_Log_Profile endDataChannel possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
action (string) | “enabled” | “enabled”, “disabled”, “backup-allocation-only” | Specify the logging action to be taken when a particular event is encountered. If ‘enabled’ logging is enabled for the event, regardless of how the flow is created. If ‘disabled’ logging is disabled for the event. If ‘backup-allocation-only’ logging is enabled for the event when the ALG is proxy with a LSN, and translation is taken from the backup pool member only. |
includeDestination (boolean) | false | true, false | Include destination address/port in the log message |
ALG_Log_Profile_inboundTransaction
ALG_Log_Profile inboundTransaction possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
action (string) | “disabled” | “enabled”, “disabled” | Specify the logging action to be taken when a particular event is encountered. If ‘enabled’ logging is enabled for the event, regardless of how the flow is created. If ‘disabled’ logging is disabled for the event. Inbound transaction log entry could contain both incoming and outgoing messages. |
ALG_Log_Profile_startControlChannel
ALG_Log_Profile startControlChannel possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
action (string) | “disabled” | “enabled”, “disabled”, “backup-allocation-only” | Specify the logging action to be taken when a particular event is encountered. If ‘enabled’ logging is enabled for the event, regardless of how the flow is created. If ‘disabled’ logging is disabled for the event. If ‘backup-allocation-only’ logging is enabled for the event when the ALG is proxy with a LSN, and translation is taken from the backup pool member only. |
includeDestination (boolean) | false | true, false | Include destination address/port in the log message |
ALG_Log_Profile_startDataChannel
ALG_Log_Profile startDataChannel possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
action (string) | “disabled” | “enabled”, “disabled”, “backup-allocation-only” | Specify the logging action to be taken when a particular event is encountered. If ‘enabled’ logging is enabled for the event, regardless of how the flow is created. If ‘disabled’ logging is disabled for the event. If ‘backup-allocation-only’ logging is enabled for the event when the ALG is proxy with a LSN, and translation is taken from the backup pool member only. |
includeDestination (boolean) | false | true, false | Include destination address/port in the log message |
Analytics_Profile
HTTP Analytics profile with configurable options
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
capturedTrafficExternalLogging (boolean) | false | true, false | Specifies that the system captures a portion of the application traffic which can then be viewed on the System >> Logs >> Captured Transactions screen |
capturedTrafficInternalLogging (boolean) | false | true, false | Specifies that the system captures a portion of the application traffic and sends it to a remote server |
captureFilter (Capture_Filter) | {} | ||
class (string) | “Analytics_Profile” | ||
collectClientSideStatistics (boolean) | false | true, false | Specifies that the system collects statistics regarding the HTTP request and response times |
collectedStatsExternalLogging (boolean) | false | true, false | Specifies that statistics logs are stored on a remote server |
collectedStatsInternalLogging (boolean) | true | true, false | Specifies that statistics logs are stored in the system |
collectGeo (boolean) | false | true, false | Specifies that the system collects statistics of the names of the countries from which that traffic was sent |
collectIp (boolean) | false | true, false | Specifies that the system collects statistics of the IP addresses of where the traffic came from |
collectMaxTpsAndThroughput (boolean) | false | true, false | Specifies that the system collects statistics for the maximum number of transactions per second, and the maximum amount of traffic moving through the system, both request and response throughput values |
collectMethod (boolean) | true | true, false | Specifies that the system collects statistics about the distribution of HTTP methods found in requests |
collectOsAndBrowser (boolean) | true | true, false | Specifies that the system collects statistics about the OSs and Browsers used to send requests |
collectPageLoadTime (boolean) | false | true, false | Specifies that the system collects statistics of the round-trip latency between client end-users and the servers |
collectResponseCode (boolean) | true | true, false | Specifies that the system collects statistics about the distribution of HTTP response codes returned by the servers |
collectSubnet (boolean) | false | true, false | Specifies that the system collects statistics of client subnets |
collectUrl (boolean) | false | true, false | Specifies that the system collects statistics of requested URLs |
collectUserAgent (boolean) | false | true, false | Specifies that the system collects statistics about browsers used to send traffic |
collectUserSession (boolean) | false | true, false | Specifies that the system collects statistics of the number of unique user sessions in the application traffic, as determined by the value of the configured HTTP cookies found in the requests |
countriesForStatCollection (array<Enum_Country_Analytics>) | Specifies the countries for collecting statistics | ||
externalLoggingPublisher (Pointer_Log_Publisher) | |||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
notificationByEmail (boolean) | false | true, false | Specifies that the system sends notifications by e-mail |
notificationBySnmp (boolean) | false | true, false | Specifies that the system sends notifications as SNMP traps |
notificationBySyslog (boolean) | false | true, false | Specifies that the system sends notifications to the syslog |
notificationEmailAddresses (array<string>) | format: email | The e-mail addresses of a recipient to whom the system should send email notifications | |
publishIruleStatistics (boolean) | false | true, false | Specifies that the system collects and displays statistics according to the expressions written in an iRule |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
sessionCookieSecurity (string) | “ssl-only” | “ssl-only”, “always-secure”, “never-secure” | Specify whether to secure session cookies |
sessionTimeoutMinutes (integer) | 5 | [5, 60] | The number of minutes of user non-activity to allow before the system considers the session to be over |
subnetsForStatCollection (array<string>) | format: f5ip | Specifies the requested subnets for collecting statistics | |
urlsForStatCollection (array<string>) | Specifies the requested URLs for collecting statistics |
Analytics_TCP_Profile
TCP Analytics profile with configurable options
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Analytics_TCP_Profile” | ||
collectCity (boolean) | false | true, false | Specifies that the system saves the name of the city with which traffic was exchanged |
collectContinent (boolean) | true | true, false | Specifies that the system saves the name of the continent with which traffic was exchanged |
collectCountry (boolean) | true | true, false | Specifies that the system saves the name of the country with which traffic was exchanged |
collectedByClientSide (boolean) | true | true, false | Specifies that the system collects statistics on the client side |
collectedByServerSide (boolean) | true | true, false | Specifies that the system collects statistics on the server side |
collectedStatsExternalLogging (boolean) | false | true, false | Specifies that statistics logs are stored on a remote server |
collectedStatsInternalLogging (boolean) | true | true, false | Specifies that statistics logs are stored in the system |
collectNexthop (boolean) | false | true, false | Specifies that the system saves the address to which the traffic is being routed |
collectPostCode (boolean) | false | true, false | Specifies that the system saves the name of the postcode with which traffic was exchanged |
collectRegion (boolean) | true | true, false | Specifies that the system saves the name of the region with which traffic was exchanged |
collectRemoteHostIp (boolean) | false | true, false | Specifies that the system collects IP addresses with which traffic was exchanged |
collectRemoteHostSubnet (boolean) | true | true, false | Specifies that the system saves the address of the subnet with which traffic was exchanged |
externalLoggingPublisher (Pointer_Log_Publisher) | |||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
Application
Application declaration main schema
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Application” | ||
constants (Constants) | |||
enable (boolean) | true | true, false | Application handles traffic only when enabled (default) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
schemaOverlay (string) | BIG-IQ name for a supplemental validation schema that is applied to the Application class definition before the main BIG-IP AS3 schema | ||
serviceMain (reference) | Primary service of the application | ||
template (string) | “generic” | Each application type has certain required and default elements and selects appropriate setup of various ADC/Security features |
AS3
A body with AS3 Class
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
$schema (string) | format: uri | URL of schema against which to validate. Used by validation in your local environment only (via Visual Studio Code, for example) | |
action (string) | “deploy” | “deploy”, “dry-run”, “patch”, “redeploy”, “retrieve”, “remove” | Indicates desired action: ‘deploy’ means deploy the included declaration to targetHost; ‘dry-run’ does NOT deploy the declaration but does do everything short of changing targetHost’s configuration; ‘patch’ modifies the declaration based on the provided set of commands and then deploys the updated declaration; ‘redeploy’ causes an old declaration from targetHost’s declaration history to be re-deployed (property redeployAge (default 0) selects the old declaration, and note redeployUpdateMode as well); ‘retrieve’ returns a copy of a previously-deployed declaration; ‘remove’ deletes the declaration or declaration component. |
class (string) | “AS3” | Indicates a BIG-IP AS3 request | |
declaration (ADC) | |||
historyLimit (number) | 4 | This value (default 4) limits the number of previously-deployed declarations saved on targetHost for review using GET and for use with POST action=redeploy and redeployAge=N. The limit includes the current and immediately-previous declarations so may not be less than two | |
logLevel (string) | “warning” | “emergency”, “alert”, “critical”, “error”, “warning”, “notice”, “info”, “debug” | Controls level of detail in logs using RFC 5424 severity levels (default is ‘warning’). Portions of declaration may use different logLevels |
patchBody (AS3_Patch_Body) | |||
persist (boolean) | true | true, false | When true (default) make the whole working configuration persistent on targetHost after (and only if) this request deploys any changes. If false, leave the working configuration in memory only (if targetHost restarts, you may lose the configuration from memory) |
redeployAge (integer) | 0 | [0, 15] | For action=redeploy (only), chooses which old declaration to deploy again. Value 0 (default) means re-deploy the most recent declaration (the one which set the current configuration of targetHost, which is useful to erase changes introduced by manual configuration). Value 1 means re-deploy the declaration prior to the most-recent one, etc. Note that whenever re-deploying an old declaration causes ADC configuration changes, that declaration becomes the current declaration (age 0) and the ages of all other declarations in the history increase (0 => 1, 1 => 2, and so on) |
redeployUpdateMode (string) | “original” | “original”, “complete”, “selective” | Value ‘original’ (default) means re-deploy the chosen declaration using its original updateMode (which if not explicitly specified in that declaration will default to ‘selective’). Otherwise, forces the updateMode for re-deployment to ‘complete’ or ‘selective’ as specified. Remember, ‘selective’ updates do not affect Tenants not explicitly named. To simply roll-back the targetHost configuration to the state it had immediately after deploying some earlier declaration, put ‘complete’ here (that will remove Tenants created later than the redeployAge declaration). To use action=redeploy as a simple roll-back facility, always deploy (updateMode=)complete declarations. |
resourceTimeout (integer) | 5 | [1, 900] | Maximum delay allowed while communicating with URL resources (seconds, default 5) |
retrieveAge (integer | string) | 0 | Use this property with action=retrieve. You can usually get a copy of the declaration most recently deployed to targetHost, and often copies of previously-deployed declarations are also available. Value 0 (default) means ‘the last-deployed declaration,’ value 1 means ‘the declaration previous to 0’ and so forth. To get a list of available declarations, set value ‘list’ | |
syncToGroup (string) | “” | Name (like /Common/my_dg) of the config-sync group TO which the system should synchronize the targetHost configuration after (and only if) this request deploys any changes. When empty (default) this request will not affect config-sync at all. Leave undefined or empty whenever you use auto-sync or manage configuration synchronization separately | |
targetHost (string) | “localhost” | Hostname or IP address of ADC to which request applies (default localhost) | |
targetPassphrase (string) | Passphrase for targetUsername account. This is generally not required to configure ‘localhost’ and is not required when you populate targetTokens | ||
targetPort (integer) | 0 | [0, 65535] | TCP port number of management service on targetHost; default 0 means auto-discover |
targetTimeout (integer) | 150 | [1, 900] | Maximum delay allowed while communicating with targetHost device (seconds, default 150) |
targetTokens (AS3_targetTokens) | One or more HTTP headers (each a property, like ‘X-F5-Auth-Token’: ‘ABC123’) you want to send with queries to the targetHost management service as authentication/authorization tokens | ||
targetUsername (string) | regex: ^[^:]*$ | Username of principal authorized to modify configuration of targetHost (may not include the character ‘:’). NOTE: this is generally not required to configure ‘localhost’ because client authentication and authorization precede invocation of BIG-IP AS3. It is also not required for any targetHost if you populate targetTokens | |
trace (boolean) | false | true, false | If true, BIG-IP AS3 creates a detailed trace of the configuration process for subsequent analysis (default false). May be overridden on a per-Declaration and/or per-Tenant basis. Warning: trace files may contain sensitive configuration data |
AS3_targetTokens¶
AS3 targetTokens possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
^[^\x00-\x20:\x7f-\xff]{1,254}$ (string) | regex: ^[^\x00-\x1f\x7f-\xff]*$ |
AS3_Patch_Body¶
An array containing the patch operations to apply on the declaration
For item definition, see type (AS3_Patch_Item)
AS3_Patch_Item¶
Defines a PATCH operation to perform
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
op (string) | Operation to perform | ||
path (string) | Declaration Object Path relative to URI on which the operation is to be performed | ||
target (AS3_Patch_Item_target) | Optional target device (only applies when configuring with certain hosts such as BIG-IQ) | ||
value (string | number | boolean | object | array) | true, false | Value to use for the operation |
AS3_Patch_Item_target¶
AS3_Patch_Item target possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | format: f5ip | IP address of managed device to be configured | |
hostname (string) | Host name of managed device to be configured |
Bandwidth_Control_Policy¶
Create a listener to specify how to handle traffic for policy enforcement
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
categories (Bandwidth_Control_Policy_Category) | This specifies the categories under policy. Note: the policy needs to be enabled as dynamic to configure categories. Up to a maximum of 32 categories can be configured. All the categories under the dynamic policy share the bandwidth as specified for the category, up to a maximum of maxUserBandwidth. | ||
class (string) | “Bandwidth_Control_Policy” | ||
dynamicControlEnabled (boolean) | false | true, false | Specifies whether the policy is a static or dynamic policy. When enabled, the policy is dynamic, and additional settings are available. A dynamic policy enforces the specified maximum user rate and flow fairness for all traffic associated with the policy and for each session. The default is disabled, which indicates a static policy. A static policy enforces the maximum rate for combined traffic and does not guarantee fairness bandwidth for each session. |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
loggingEnabled (boolean) | false | true, false | Specifies whether the system measures bandwidth on all future instances of this bandwidth control policy. When enabled, the system measures bandwidth and sends it to the log publisher specified by the logPublisher setting. You can override this setting using iRules. For example, if you want measurement on only some instances, keep this setting disabled, and use iRules to enable measurement on specific instances. |
logPeriod (integer) | 2048 | [0, 18446744073709552000] | Specifies the frequency, in milliseconds, with which the system generates bandwidth measurement logs |
logPublisher (Pointer_Log_Publisher) | |||
markIP (string | integer) | “pass-through” | “pass-through”, [0, 63] | Specifies whether to mark traffic that exceeds the per-user limit by setting a Type of Service (ToS) bit in the IP headers of TCP packets associated with this bandwidth control policy. The default value is “pass-through”, which means there is no change to the ToS bit. To set a ToS bit use a value from 0 to 63. If this setting is specified, the bandwidth policy is not enforced, but rather the packets are marked for a downstream system to process. |
markL2 (string | integer) | “pass-through” | “pass-through”, [0, 7] | Specifies whether to mark traffic that exceeds the per-user limit by setting a Quality of Service (QoS) bit in the L2 headers of packets associated with this bandwidth control policy. The default value is “pass-through”, which means there is no change to the QoS bit. To set a QoS bit use a value from 0 to 7. If this setting is specified, the bandwidth policy is not enforced, but rather the packets are marked for a downstream system to process. |
maxBandwidth (integer) | [0, 18446744073709552000] | Specifies the maximum amount of bandwidth that traffic associated with the bandwidth control policy can use. The range is from 1 Mbps to 320 Gbps (between 1000000 bps and 320000000000 bps). | |
maxBandwidthUnit (string) | “Mbps” | “bps”, “Kbps”, “Mbps”, “Gbps” | Specifies the units used by the maxBandwidth property |
maxUserBandwidth (integer) | 0 | [0, 18446744073709552000] | Specifies the maximum amount of bandwidth that each session associated with the bandwidth control policy can use. The range is from 5 Kbps to 2 Gbps. Note: For FTP traffic, the throughput is roughly half of this setting, because the FTP protocol creates two connections per user: a control connection and a data connection. |
maxUserBandwidthUnit (string) | “Mbps” | “bps”, “Kbps”, “Mbps”, “Gbps” | Specifies the units used by the maxUserBandwidth property |
maxUserPPS (integer) | 0 | [0, 18446744073709552000] | Specifies the limiter in packets per second that traffic is allowed per instance. It functions as a DoS limiter without fair share allocation. The system applies whichever value is lower, between this value and the specified Maximum Rate Per User. When both values are specified, both must pass for packets to go through. You can specify the rate in packets per second (PPS), kilo packets per second (KPPS), mega packets per second (MPPS), or giga packets per second (GPPS). The default value is 0 (not configured). |
maxUserPPSUnit (string) | “Mpps” | “bpps”, “Kpps”, “Mpps”, “Gpps” | Specifies the units used by the maxUserBandwidthPPS property |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
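The label and remark rows differ in what they let through: label excludes `<`, `>` and `&`, remark does not. The following is an added example (not F5 or BIG-IP AS3 code) that applies both patterns, written with their `\x` escapes, and HTML-escapes a remark before display; the function names and the sample strings are constructed for illustration, and the 64-character limit is taken from the row descriptions.

```javascript
// Patterns from the label and remark rows of the schema tables.
const LABEL_RE = /^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$/;
const REMARK_RE = /^[^\x00-\x1f\x22\x5c\x7f]*$/;
const MAX_CHARS = 64; // "Allows 0-64 chars" in both descriptions

// Validate a value against the rule for 'label' or 'remark'.
// Returns { valid, reason } so a pipeline can log why a declaration was rejected.
function checkField(kind, value) {
  const pattern = kind === 'label' ? LABEL_RE : kind === 'remark' ? REMARK_RE : null;
  if (pattern === null) return { valid: false, reason: 'unknown field kind' };
  if (typeof value !== 'string') return { valid: false, reason: 'not a string' };
  if ([...value].length > MAX_CHARS) return { valid: false, reason: 'longer than 64 chars' };
  if (!pattern.test(value)) return { valid: false, reason: 'contains an excluded character' };
  return { valid: true, reason: '' };
}

// Minimal HTML escaping for text placed in element content or a quoted attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// A remark that passes schema validation still needs escaping wherever a
// dashboard or report renders it: the schema check alone is not an XSS control.
function renderRemark(value) {
  const result = checkField('remark', value);
  if (!result.valid) throw new Error('remark rejected: ' + result.reason);
  return escapeHtml(value);
}

// Constructed sample: markup characters that remark accepts and label rejects.
const sampleText = "web <b>pool</b> & 'cache'";
console.log('label :', checkField('label', sampleText));
console.log('remark:', checkField('remark', sampleText));
console.log('safe  :', renderRemark(sampleText));
```
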
Bandwidth_Control_Policy_Category¶
Create a listener to specify how to handle traffic for policy enforcement
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
markIP (string | integer) | “pass-through” | “pass-through”, [0, 63] | Specifies whether to mark traffic that exceeds the per-user limit by setting a Type of Service (ToS) bit in the IP headers of TCP packets associated with this bandwidth control policy. The default value is “pass-through”, which means there is no change to the ToS bit. To set a ToS bit use a value from 0 to 63. If this setting is specified, the bandwidth policy is not enforced, but rather the packets are marked for a downstream system to process. |
markL2 (string | integer) | “pass-through” | “pass-through”, [0, 7] | Specifies whether to mark traffic that exceeds the per-user limit by setting a Quality of Service (QoS) bit in the L2 headers of packets associated with this bandwidth control policy. The default value is “pass-through”, which means there is no change to the QoS bit. To set a QoS bit use a value from 0 to 7. If this setting is specified, the bandwidth policy is not enforced, but rather the packets are marked for a downstream system to process. |
maxBandwidth (integer) | [0, 18446744073709552000] | Specifies the maximum bandwidth that this category of traffic can use when associated with this bandwidth control policy. The range is from 5 kbps to the value set for Maximum Rate Per User. | |
maxBandwidthUnit (string) | “Mbps” | “bps”, “Kbps”, “Mbps”, “Gbps”, “%” | Specifies the units used by the maxBandwidth property |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
Basic_Auth¶
Describes the basic authentication to access a resource
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
method (string) | “basic” | Specifies the authentication method | |
passphrase (Property_Passphrase | reference) | Specifies the password for authentication | ||
username (string) | Specifies the user name for authentication |
Bearer_Token¶
Describes using a bearer token to access a resource
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
method (string) | “bearer-token” | Specifies the authentication method | |
token (string | Bearer_Token_token) | Specifies the bearer token |
Bearer_Token_token¶
Bearer_Token token possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | true, false | If true, other declaration objects may reuse this value | |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the property protected empty or not modify the default value. This property protected is a marker. Changing this value from the default indicates that your secrets have been encrypted with SecureVault. E.g. default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, use with secret simply base64 url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
CA_Bundle¶
Bundle of one or more PKI Certificate-Authority certificates
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bundle (Pointer_F5_String_Or_BIGIP | reference | reference) | Reference to a CA bundle or string of PEM encoded certificates | ||
class (string) | “CA_Bundle” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
Capture_Filter¶
Criteria determining when the system captures a portion of the application traffic
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
capturedProtocols (string) | “all” | “all”, “http”, “https” | Specifies whether the system captures traffic data that is sent using any protocol, or a specific type of protocol |
capturedReadyForJsInjection (string) | “disabled” | “disabled”, “enabled” | Specifies whether the system captures all traffic data from all transactions or only from transactions that qualify for JavaScript injection |
clientIps (array<string>) | format: f5ip | Specifies the client IP addresses to collect stats for. If none are specified, then all will be collected | |
dosActivity (string) | “any” | “any”, “mitigated-by-dosl7” | Specifies whether the system captures traffic data mitigated by the DoS Layer 7 Enforcer, or traffic regardless of DoS activity |
methods (array<string>) | Specifies whether the system captures traffic data based on the HTTP method that was requested. If none are specified then all will be collected | ||
nodeAddresses (array<string>) | Specifies whether the system captures traffic data sent from/to all nodes, or only from/to specific nodes. If none are specified then all will be collected | ||
requestCapturedParts (string) | “none” | “all”, “body”, “headers”, “none” | Specifies which parts of the request data the system captures |
requestContentFilterSearchPart (string) | “none” | “all”, “headers”, “body”, “none”, “uri” | Specifies the part of the request that should be filtered by the search string |
requestContentFilterSearchString (string) | Specifies the string the request should be searched for | ||
responseCapturedParts (string) | “none” | “all”, “body”, “headers”, “none” | Specifies which parts of the response data the system captures |
responseCodes (array<integer>) | [100, 999] | Specifies whether the system captures traffic data based on the HTTP response status codes that the requests return. If none are specified then all will be collected | |
responseContentFilterSearchPart (string) | “none” | “all”, “body”, “headers”, “none” | Specifies the part of the response that should be filtered by the search string |
responseContentFilterSearchString (string) | Specifies the string the response should be searched for | ||
urlFilterType (string) | “all” | “all”, “black-list”, “white-list” | Specifies how the URL path prefixes are interpreted |
urlPathPrefixes (array<string>) | Specifies URLs the filter type is to be applied to. If none are specified then all will be collected | ||
userAgentSubstrings (array<string>) | Specifies whether the system captures traffic sent from all browsers, or only traffic sent from a specific browser | ||
virtualServers (array<string>) | Specifies whether the system captures traffic data sent from/to all virtual servers, or only from/to specific virtual servers. If none are specified then all will be collected |
Certificate¶
Configures a Certificate
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
certificate (Pointer_System_All_Or_F5_String | reference | reference) | X.509 public-key certificate | ||
chainCA (Certificate_chainCA | string) | Bundle of one or more CA certificates in trust-chain from root CA to certificate (optional) | ||
class (string) | “Certificate” | ||
issuerCertificate (Certificate_issuerCertificate) | Specifies the name of the issuer certificate for this certificate | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
passphrase (Certificate_passphrase) | If supplied, used to decrypt privateKey at runtime (optional) | ||
pkcs12 (Pointer_F5_String_Or_BIGIP | reference | reference) | The pkcs12 value which may be a url to fetch the binary file from or base64 encoded string | ||
pkcs12Options (Certificate_pkcs12Options) | Options for importing PKCS12 file | ||
privateKey (Pointer_System_All_Or_F5_String | reference | reference) | Private key matching certificate’s public key (optional) | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
staplerOCSP (Pointer_Certificate_Validator_OCSP) | BIG-IP AS3 pointer to OCSP Stapler declaration (optional) |
Certificate_chainCA¶
Certificate chainCA possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
base64 (Property_Base64) | |||
bigip (string) | Path to BIG-IP object | ||
copyFrom (Pointer_Copy_From) | |||
text (Property_Text) | |||
url (Resource_URL) | |||
use (Property_Use | reference) |
Certificate_issuerCertificate¶
Certificate issuerCertificate possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP SSL certificate | |
use (string) | BIG-IP AS3 pointer to SSL certificate declaration |
Certificate_passphrase¶
Certificate passphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the property protected empty or not modify the default value. This property protected is a marker. Changing this value from the default indicates that your secrets have been encrypted with SecureVault. E.g. default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, use with secret simply base64 url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
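The `protected` rows under Bearer_Token_token and Certificate_passphrase describe a marker that tells you whether `ciphertext` is a SecureVault cryptogram or only a base64url-encoded secret. The following is an added example (not F5 or BIG-IP AS3 code) that walks a declaration and classifies every `ciphertext` by that marker; the function names, the sample declaration and its nesting are constructed for illustration, and treating an absent or empty `protected` as the default marker is an assumption based on the description above.

```javascript
// Marker values quoted in the 'protected' rows of the schema tables.
const ENC_NONE = 'eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0'; // {"alg":"dir","enc":"none"}
const ENC_F5SV = 'eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0'; // {"alg":"dir","enc":"f5sv"}

function b64urlDecode(text) {
  const std = text.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(std, 'base64').toString('utf8');
}

function b64urlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the JOSE header in 'protected' and report how 'ciphertext' is stored.
// Assumption: a missing or empty marker means the documented default (enc=none).
function classifyProtected(protectedValue) {
  const marker = protectedValue === undefined || protectedValue === ''
    ? ENC_NONE : protectedValue;
  let header;
  try {
    header = JSON.parse(b64urlDecode(String(marker)));
  } catch (err) {
    return 'invalid';
  }
  if (header === null || typeof header !== 'object' || header.alg !== 'dir') {
    return 'invalid';
  }
  if (header.enc === 'none') return 'encoded-only'; // secret readable by anyone holding the file
  if (header.enc === 'f5sv') return 'securevault';  // SecureVault cryptogram
  return 'invalid';
}

// Recursively collect every object carrying a 'ciphertext' string.
// Only the path and the storage state are recorded, never the secret itself.
function auditSecrets(node, path = '', findings = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => auditSecrets(item, `${path}/${i}`, findings));
  } else if (node !== null && typeof node === 'object') {
    if (typeof node.ciphertext === 'string') {
      findings.push({ path: path || '/', state: classifyProtected(node.protected) });
    }
    for (const [key, value] of Object.entries(node)) {
      auditSecrets(value, `${path}/${key}`, findings);
    }
  }
  return findings;
}

// Paths whose secrets should be treated as plaintext when the declaration is
// stored in version control, tickets, or trace files.
function weakSecretPaths(declaration) {
  return auditSecrets(declaration)
    .filter((finding) => finding.state !== 'securevault')
    .map((finding) => finding.path);
}

// Constructed sample declaration; all values are placeholders.
const sampleDeclaration = {
  class: 'ADC',
  Tenant_A: {
    class: 'Tenant',
    App_1: {
      class: 'Application',
      webcert: {
        class: 'Certificate',
        passphrase: { ciphertext: b64urlEncode('constructed-passphrase') }
      },
      vaultcert: {
        class: 'Certificate',
        passphrase: { ciphertext: 'constructed-cryptogram-placeholder', protected: ENC_F5SV }
      },
      fetched: {
        authentication: {
          method: 'bearer-token',
          token: { ciphertext: b64urlEncode('constructed-token'), protected: ENC_NONE }
        }
      },
      oddcert: {
        class: 'Certificate',
        passphrase: { ciphertext: 'constructed-placeholder', protected: 'bm90LWpzb24' }
      }
    }
  }
};

for (const finding of auditSecrets(sampleDeclaration)) {
  console.log(finding.state.padEnd(12), finding.path);
}
```
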
Certificate_pkcs12Options¶
Certificate pkcs12Options possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
ignoreChanges (boolean) | false | true, false | Key has to be decrypted and re-encrypted as part of extraction, resulting in a diff. Set to true to exclude the pkcs12 object for subsequent deployments. |
internalOnly (array<string | number | boolean | object | array>) | true, false | BIG-IP AS3 uses this property internally. Any values supplied here will be ignored | |
keyImportFormat (string) | “pkcs8” | “pkcs8”, “openssl-legacy” | Determines the format in which the private key is saved. Default is PKCS#8. |
Certificate_Validator_OCSP¶
OCSP validator for certificates
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Certificate_Validator_OCSP” | ||
dnsResolver (Pointer_DNS_Resolver) | BIG-IP AS3 pointer to DNS resolver used to resolve hostnames in client requests | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
responderUrl (string) | Specifies the absolute URL that overrides the OCSP responder URL obtained from the certificate’s AIA extension(s). This should be an HTTP-based URL. | ||
signingCertificate (Pointer_SSL_Certificate) | Specifies the certificate object to use for OCSP responders that require the request to be signed | ||
signingHashAlgorithm (string) | “sha256” | “sha1”, “sha256” | Specifies a hash algorithm used to sign an OCSP request |
timeout (integer) | 8 | [1, 300] | Specifies the time interval (in seconds) that the BIG-IP waits for before ending the connection to the OCSP responder. The default value is 8 |
Cipher_Group¶
Configures a Cipher Group
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowCipherRules (array<Pointer_Cipher_Rule>) | [object Object] | Allow the following Cipher Rules. | |
class (string) | “Cipher_Group” | ||
excludeCipherRules (array<Pointer_Cipher_Rule>) | Exclude the following Cipher_Rules from the Allowed list. | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
order (string) | “default” | “default”, “speed”, “strength”, “fips”, “hardware” | Configure the order of the specified Cipher Rules. |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
requireCipherRules (array<Pointer_Cipher_Rule>) | Restrict the Allowed list to the following Cipher_Rules. |
Cipher_Rule¶
Configures a cipher rule
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
cipherSuites (array<string>) | Specifies the cipher suites | ||
class (string) | “Cipher_Rule” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
namedGroups (array<string>) | “DEFAULT”, “P256”, “P384”, “X25519” | Specifies the Elliptic Curve Diffie Hellman key agreement algorithms used to negotiate SSL/TLS connections. namedGroups are only supported on BIG-IP 14.0 and later. | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
signatureAlgorithms (array<string>) | “DEFAULT”, “DSA-SHA1”, “DSA-SHA256”, “DSA-SHA384”, “DSA-SHA512”, “ECDSA-SHA1”, “ECDSA-SHA256”, “ECDSA-SHA384”, “ECDSA-SHA512”, “RSA-PKCS1-SHA1”, “RSA-PKCS1-SHA256”, “RSA-PKCS1-SHA384”, “RSA-PKCS1-SHA512”, “RSA-PSS-SHA256”, “RSA-PSS-SHA384”, “RSA-PSS-SHA512” | Specifies the digital signature algorithms used for authentication. signatureAlgorithms are only supported on BIG-IP 14.0 and later. |
Classification_Profile¶
Configures a classification profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
appDetectionEnabled (boolean) | true | true, false | Enables/disables Application Detection feature |
class (string) | “Classification_Profile” | ||
iRuleEventEnabled (boolean) | false | true, false | Enables/disables CLASSIFICATION_DETECTED iRule event generation |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
logPublisher (Pointer_Log_Publisher) | |||
logUnclassifiedDomain (boolean) | false | true, false | Enables/disables unclassified domain logging |
parentProfile (Pointer_Classification_Profile) | {“bigip”:“/Common/classification”} | Specifies the name of the object to inherit the settings from | |
preset (Pointer_Classification_Preset) | {“bigip”:“/Common/ce”} | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
statisticsCollectionEnabled (boolean) | false | true, false | Enables/disables statistics collection |
statisticsPublisher (Pointer_Log_Publisher) | |||
urlCategorizationEnabled (boolean) | false | true, false | Enables/disables URL Categorization feature |
Clone_Pools¶
Specifies a pool that the virtual server uses to replicate either client or server traffic
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
egress (Pointer_Pool) | Egress (server-side context) clone pool | ||
ingress (Pointer_Pool) | Ingress (client-side context) clone pool |
Controls¶
Optional controls configuration
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
archiveId (number | string) | Read-only property present when you GET a declaration from configuration system. Archived versions of declaration are identified by a combination of ‘id’ and ‘archiveId’ | ||
archiveTimestamp (string) | format: date-time | Read-only property present when you GET a declaration from configuration system. Indicates when this version (see archiveId) of declaration was archived | |
class (string) | “Controls” | “Controls” | |
dryRun (boolean) | false | true, false | Boolean that indicates if this declaration will be run as a dry-run. If true, the declaration will NOT make any changes to the system, but will respond with whether or not it would. |
fortune (boolean) | true, false | If true, BIG-IP AS3 will activate Zoltar mode and read you your fortune | |
logLevel (string) | “error” | “emergency”, “alert”, “critical”, “error”, “warning”, “notice”, “info”, “debug” | Controls the amount of detail in logs produced while configuring this Tenant (default is whole-declaration Controls/logLevel value) |
trace (boolean) | false | true, false | If true, BIG-IP AS3 creates a detailed trace of the configuration process for this Tenant for subsequent analysis (default is whole-declaration Controls/trace value). Warning: trace files may contain sensitive configuration data |
traceResponse (boolean) | false | true, false | If true, the response will contain the trace files |
userAgent (string) | User Agent information to include in TEEM report |
Data_Group¶
Configures a data group object which contains list of data
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Data_Group” | ||
dataGroupFile (Pointer_Data_Group_File) | |||
externalFilePath (Resource_URL | reference) | Specifies the location (URI) from where the records will be copied | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates data group in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the data group on first deployment, and leaves it untouched afterwards |
keyDataType (string) | “integer”, “ip”, “string” | Specifies the type of record keys the data group contains. If string, the value will be escaped by default | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
records (array<Data_Group_records>) | List of records | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
separator (string) | “:=” | Specifies the character(s) that separate the record key and value | |
storageType (string) | “internal” | “internal”, “external” | Toggles whether the data group is internal or external |
Data_Group_records¶
Data_Group records possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
value (string) | Value to store |
Data_Group_Records_Base¶
Configures data group records to store
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
records (array<Data_Group_Records_Base_records>) | List of records |
Data_Group_Records_Base_records¶
Data_Group_Records_Base records possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
value (string) | Value to store |
Data_Group_Records_Integer¶
A specialization of Data_Group_Records_Base where all items in the records property must be integers.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
records (array<Data_Group_Records_Integer_records>) | List of records |
Data_Group_Records_Integer_records¶
Data_Group_Records_Integer records possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
value (string) | Value to store |
Data_Group_Records_IP¶
A specialization of Data_Group_Records_Base where all items in the records property must be IP addresses.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
records (array<Data_Group_Records_IP_records>) | List of records |
Data_Group_Records_IP_records¶
Data_Group_Records_IP records possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
value (string) | Value to store |
Data_Group_Records_String¶
A specialization of Data_Group_Records_Base where all items in the records property must be strings.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
records (array<Data_Group_Records_String_records>) | List of records |
Data_Group_Records_String_records¶
Data_Group_Records_String records possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
value (string) | Value to store |
Datagroup_Value¶
Reference to a data-group containing the values
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Data-Group | |
use (string) | BIG-IP AS3 pointer to Data_Group |
DNS_Cache¶
Configures a DNS cache
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowedQueryTime (integer) | 200 | [0, 4294967295] | The time allowed for a query to stay in the queue before being replaced by a new query when the number of concurrent distinct queries exceeds the limit. The default value is 200 milliseconds. |
answerDefaultZones (boolean) | false | true, false | Specifies whether the system answers DNS queries for the default zones localhost, reverse 127.0.0.1 and ::1, and AS112 |
class (string) | “DNS_Cache” | ||
forwardZones (DNS_Cache_forwardZones | DNS_Zone_Forward) | Manage the set of Forward Zones used by this DNS Cache | ||
ignoreCd (boolean) | false | true, false | Ignore client queries setting of checking-disabled. Perform validation anyway and only return secure answers. The default value is no |
keyCacheSize (integer) | 1048576 | [0, 4294967295] | Number of bytes allocated for the DNSKEY cache. The default value is 1m |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
localZones (DNS_Cache_localZones | DNS_Zone_Local) | Configures resource records that a DNS cache uses to resolve matching DNS queries with authoritative DNS responses | ||
maxConcurrentQueries (integer) | 1024 | [0, 4294967295] | Maximum number of concurrent queries used by the resolver. The default value is 1024 |
maxConcurrentTcp (integer) | 20 | [0, 4294967295] | Maximum number of concurrent TCP flows used by the resolver. The default value is 20 |
maxConcurrentUdp (integer) | 8192 | [0, 4294967295] | Maximum number of concurrent UDP flows used by the resolver. The default value is 8192 |
messageCacheSize (integer) | 1048576 | [0, 4294967295] | Specifies the maximum size of the message cache in bytes |
msgCacheSize (integer) | 1048576 | [0, 4294967295] | Number of bytes allocated for the message cache. The default value is 1m |
nameserverCacheCount (integer) | 16536 | [0, 4294967295] | Number of DNS nameservers to cache. The default value is 16k |
prefetchKey (boolean) | true | true, false | Fetch DNSKEY early in validation process. The default value is yes |
randomizeQueryNameCase (boolean) | true | true, false | Enables resolver to randomize the case of query names. The default value is yes |
recordCacheSize (integer) | 10485760 | [1, 4294967295] | Specifies the maximum size of the resource record (RR) cache in bytes |
recordRotationMethod (string) | “none” | “none”, “query-id” | Specifies the resource record rotation method used within cached responses |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
rootHints (array<string>) | List of IP addresses to use for root name servers. Defaults are known Internet root servers. | ||
routeDomain (Pointer_Route_Domain) | {"bigip":"/Common/0"} | ||
trustAnchors (array<string>) | List of DNSKEY or DS resource records used to establish DNSSEC validator trust. Specified in string form (e.g. dig or drill format). The default is none | ||
type (string) | “transparent”, “resolver”, “validating-resolver” | Type of DNS cache | |
unwantedQueryReplyThreshold (integer) | 0 | [0, 4294967295] | The threshold count of unsolicited query replies which triggers an alert (potential DOS attack underway). The default value is 0 (or off) |
useIpv4 (boolean) | true | true, false | Enables resolver to issue IPv4 queries. The default value is yes |
useIpv6 (boolean) | true | true, false | Enables resolver to issue IPv6 queries. The default value is yes |
useTcp (boolean) | true | true, false | Enables resolver to issue TCP queries. The default value is yes |
useUdp (boolean) | true | true, false | Enables resolver to issue UDP queries. The default value is yes |
DNS_Cache_Resolver¶
DNS Cache with recursive resolver
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowedQueryTime (integer) | 200 | [0, 4294967295] | The time allowed for a query to stay in the queue before being replaced by a new query when the number of concurrent distinct queries exceeds the limit. The default value is 200 milliseconds. |
answerDefaultZones (boolean) | false | true, false | Specifies whether the system answers DNS queries for the default zones localhost, reverse 127.0.0.1 and ::1, and AS112 |
forwardZones (DNS_Cache_Resolver_forwardZones | DNS_Zone_Forward) | Manage the set of Forward Zones used by this DNS Cache | ||
localZones (DNS_Cache_Resolver_localZones | DNS_Zone_Local) | Configures resource records that a DNS cache uses to resolve matching DNS queries with authoritative DNS responses | ||
maxConcurrentQueries (integer) | 1024 | [0, 4294967295] | Maximum number of concurrent queries used by the resolver. The default value is 1024 |
maxConcurrentTcp (integer) | 20 | [0, 4294967295] | Maximum number of concurrent TCP flows used by the resolver. The default value is 20 |
maxConcurrentUdp (integer) | 8192 | [0, 4294967295] | Maximum number of concurrent UDP flows used by the resolver. The default value is 8192 |
msgCacheSize (integer) | 1048576 | [0, 4294967295] | Number of bytes allocated for the message cache. The default value is 1m |
nameserverCacheCount (integer) | 16536 | [0, 4294967295] | Number of DNS nameservers to cache. The default value is 16k |
randomizeQueryNameCase (boolean) | true | true, false | Enables resolver to randomize the case of query names. The default value is yes |
recordCacheSize (integer) | 10485760 | [0, 4294967295] | Number of bytes allocated for the resource record set cache. The default value is 10m |
recordRotationMethod (string) | “none” | “none”, “query-id” | Select which resource record set rotation method should be used on cache responses |
rootHints (array<string>) | List of IP addresses to use for root name servers. Defaults are known Internet root servers. | ||
routeDomain (Pointer_Route_Domain) | {"bigip":"/Common/0"} | ||
unwantedQueryReplyThreshold (integer) | 0 | [0, 4294967295] | The threshold count of unsolicited query replies which triggers an alert (potential DOS attack underway). The default value is 0 (or off) |
useIpv4 (boolean) | true | true, false | Enables resolver to issue IPv4 queries. The default value is yes |
useIpv6 (boolean) | true | true, false | Enables resolver to issue IPv6 queries. The default value is yes |
useTcp (boolean) | true | true, false | Enables resolver to issue TCP queries. The default value is yes |
useUdp (boolean) | true | true, false | Enables resolver to issue UDP queries. The default value is yes |
DNS_Cache_Transparent¶
Properties for a DNS transparent cache
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
answerDefaultZones (boolean) | false | true, false | Specifies whether the system answers DNS queries for the default zones localhost, reverse 127.0.0.1 and ::1, and AS112 |
localZones (DNS_Cache_Transparent_localZones | DNS_Zone_Local) | Configures resource records that a DNS cache uses to resolve matching DNS queries with authoritative DNS responses | ||
messageCacheSize (integer) | 1048576 | [0, 4294967295] | Specifies the maximum size of the message cache in bytes |
recordCacheSize (integer) | 10485760 | [1, 4294967295] | Specifies the maximum size of the resource record (RR) cache in bytes |
recordRotationMethod (string) | “none” | “none”, “query-id” | Specifies the resource record rotation method used within cached responses |
DNS_Cache_Validating_Resolver¶
DNS Cache with recursive resolver and DNSSEC validation
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowedQueryTime (integer) | 200 | [0, 4294967295] | The time allowed for a query to stay in the queue before being replaced by a new query when the number of concurrent distinct queries exceeds the limit. The default value is 200 milliseconds. |
answerDefaultZones (boolean) | false | true, false | Specifies whether the system answers DNS queries for the default zones localhost, reverse 127.0.0.1 and ::1, and AS112 |
forwardZones (DNS_Cache_Validating_Resolver_forwardZones | DNS_Zone_Forward) | Manage the set of Forward Zones used by this DNS Cache | ||
ignoreCd (boolean) | false | true, false | Ignore client queries setting of checking-disabled. Perform validation anyway and only return secure answers. The default value is no |
keyCacheSize (integer) | 1048576 | [0, 4294967295] | Number of bytes allocated for the DNSKEY cache. The default value is 1m |
localZones (DNS_Cache_Validating_Resolver_localZones | DNS_Zone_Local) | Configures resource records that a DNS cache uses to resolve matching DNS queries with authoritative DNS responses | ||
maxConcurrentQueries (integer) | 1024 | [0, 4294967295] | Maximum number of concurrent queries used by the resolver. The default value is 1024 |
maxConcurrentTcp (integer) | 20 | [0, 4294967295] | Maximum number of concurrent TCP flows used by the resolver. The default value is 20 |
maxConcurrentUdp (integer) | 8192 | [0, 4294967295] | Maximum number of concurrent UDP flows used by the resolver. The default value is 8192 |
msgCacheSize (integer) | 1048576 | [0, 4294967295] | Number of bytes allocated for the message cache. The default value is 1m |
nameserverCacheCount (integer) | 16536 | [0, 4294967295] | Number of DNS nameservers to cache. The default value is 16k |
prefetchKey (boolean) | true | true, false | Fetch DNSKEY early in validation process. The default value is yes |
randomizeQueryNameCase (boolean) | true | true, false | Enables resolver to randomize the case of query names. The default value is yes |
recordCacheSize (integer) | 10485760 | [0, 4294967295] | Number of bytes allocated for the resource record set cache. The default value is 10m |
recordRotationMethod (string) | “none” | “none”, “query-id” | Select which resource record set rotation method should be used on cache responses |
rootHints (array<string>) | List of IP addresses to use for root name servers. Defaults are known Internet root servers. | ||
routeDomain (Pointer_Route_Domain) | {"bigip":"/Common/0"} | ||
trustAnchors (array<string>) | List of DNSKEY or DS resource records used to establish DNSSEC validator trust. Specified in string form (e.g. dig or drill format). The default is none | ||
unwantedQueryReplyThreshold (integer) | 0 | [0, 4294967295] | The threshold count of unsolicited query replies which triggers an alert (potential DOS attack underway). The default value is 0 (or off) |
useIpv4 (boolean) | true | true, false | Enables resolver to issue IPv4 queries. The default value is yes |
useIpv6 (boolean) | true | true, false | Enables resolver to issue IPv6 queries. The default value is yes |
useTcp (boolean) | true | true, false | Enables resolver to issue TCP queries. The default value is yes |
useUdp (boolean) | true | true, false | Enables resolver to issue UDP queries. The default value is yes |
DNS_Logging_Profile¶
Configures a Domain Name System (DNS) logging profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “DNS_Logging_Profile” | ||
includeCompleteAnswer (boolean) | true | true, false | Specifies whether the system logs the complete answer from the query |
includeQueryId (boolean) | false | true, false | Specifies whether the system logs the ID of the query |
includeSource (boolean) | true | true, false | Specifies whether the system logs the source (the BIG-IP system that receives the packet) |
includeTimestamp (boolean) | true | true, false | Specifies whether the system logs the timestamp of when the query was created |
includeView (boolean) | true | true, false | Specifies whether the system includes the view in the log |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
logPublisher (Pointer_Log_Publisher) | |||
logQueriesEnabled (boolean) | true | true, false | Specifies whether the system logs queries |
logResponsesEnabled (boolean) | false | true, false | Specifies whether the system logs responses |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
DNS_Nameserver¶
Configures a DNS nameserver
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | “127.0.0.1” | format: f5ip | Specifies the IP address on which the DNS nameserver (client) or back-end DNS authoritative server (DNS Express server) listens for DNS messages |
class (string) | “DNS_Nameserver” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
port (integer) | 53 | [0, 65535] | Specifies the service port on which the DNS nameserver (client) or back-end DNS authoritative server (DNS Express server) listens for DNS messages |
routeDomain (Pointer_Route_Domain) | {"bigip":"/Common/0"} | ||
tsigKey (Pointer_DNS_TSIG_Key) |
DNS_Profile¶
Configures a Domain Name System (DNS) profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
cache (Pointer_DNS_Cache) | |||
cacheEnabled (boolean) | false | true, false | Specifies whether the system caches DNS responses |
class (string) | “DNS_Profile” | ||
dns64AdditionalSectionRewrite (string) | “disabled” | “disabled”, “v6-only”, “v4-only”, “any” | Select an option to allow improved network efficiency for both Unicast and Multicast DNS-SD responses |
dns64Mode (string) | “disabled” | “disabled”, “secondary”, “immediate”, “v4-only” | Specifies handling of AAAA and A DNS queries and responses |
dns64Prefix (string) | “0:0:0:0:0:0:0:0” | Specifies the prefix to use for the IPv6-formatted IP addresses that the system converts to IPv4-formatted IP addresses | |
dnsExpressEnabled (boolean) | true | true, false | Specifies whether the DNS Express engine is enabled. The DNS Express engine receives zone transfers from the authoritative DNS server for the zone. If the Zone Transfer setting is also enabled on this profile, the DNS Express engine also responds to zone transfer requests made by the nameservers configured as zone transfer clients for the DNS Express zone. |
dnssecEnabled (boolean) | true | true, false | Specifies whether the system signs responses with DNSSEC keys and replies to DNSSEC specific queries (e.g., DNSKEY query type) |
globalServerLoadBalancingEnabled (boolean) | true | true, false | Specifies whether the system uses Global Traffic Manager to manage the response |
hardwareQueryValidationEnabled (boolean) | false | true, false | On supported platforms, indicates whether the hardware will accelerate query validation |
hardwareResponseCacheEnabled (boolean) | false | true, false | On supported platforms, indicates whether the hardware will cache responses |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
localBindServerEnabled (boolean) | true | true, false | Specifies whether the system forwards non-wide IP queries to the local BIND server on the BIG-IP system. For best performance, disable this setting when using a DNS cache. |
loggingEnabled (boolean) | true | true, false | Specifies whether to process client-side DNS packets with Recursion Desired set in the header. If set to Disabled, processing of the packet is subject to the unhandled-query-action option. |
loggingProfile (Pointer_DNS_Logging_Profile) | |||
parentProfile (Pointer_DNS_Profile) | {"bigip":"/Common/dns"} | Specifies the name of the object to inherit the settings from | |
rapidResponseEnabled (boolean) | false | true, false | When enabled, if the query name matches a GTM wide IP name and GTM is enabled on this profile, the DNS query will bypass Rapid Response. Note: This setting is supported only on physical BIG-IP hardware because it needs a High-Speed Bridge (HSB) to work. When using BIG-IP Virtual Edition, however, the system does not prevent you from selecting an action, even though the setting is ignored. |
rapidResponseLastAction (string) | “drop” | “allow”, “drop”, “noerror”, “nxdomain”, “refuse”, “truncate” | Specifies what action the system takes when Rapid Response Mode is enabled and the incoming DNS query does not match a DNS Express Zone |
recursionDesiredEnabled (boolean) | true | true, false | Specifies whether to process client-side DNS packets with Recursion Desired set in the header. If set to Disabled, processing of the packet is subject to the unhandled-query-action option. |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
securityEnabled (boolean) | true | true, false | Specifies whether DNS firewall capability is enabled. |
securityProfile (Pointer_DNS_Security_Profile) | |||
statisticsSampleRate (integer) | 0 | [0, 4294967295] | Sets AVR DNS statistics sampling rate. A value of 0 (zero) means that no query will be sent to the analytics database. A value of 1 means that every query will be sent. A value of n means that every nth query will be sent, and that the analytics database will count that query n times. When sampling rate is greater than one, the statistics will be inaccurate if the traffic volume is low. However, when the traffic volume is high, the system performance will benefit from sampling and the inaccuracy will be negligible. DNS statistics contain query name, query type, virtual server IP and client IP. |
unhandledQueryAction (string) | “allow” | “allow”, “drop”, “hint”, “noerror”, “reject” | Specifies whether the system uses the local BIND server on the BIG-IP system |
zoneTransferEnabled (boolean) | false | true, false | Specifies whether the system answers zone transfer requests for a DNS zone created on the system. The DNS Express and Zone Transfer settings on a DNS profile affect how the system responds to zone transfer requests. |
DNS_TSIG_Key¶
Configures a TSIG key
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
algorithm (string) | “hmacmd5” | “hmacmd5”, “hmacsha1”, “hmacsha256” | Specifies the algorithm the system uses to authenticate AXFR zone transfer requests as coming from an approved DNS nameserver, or to authenticate AXFR zone transfers as coming from an approved back-end DNS authoritative server. The algorithm involves a cryptographic hash function in combination with a secret, which is specified in the Secret field. The default is HMAC MD5 (the Hash-based Message Authentication Code MD5). |
class (string) | “DNS_TSIG_Key” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
secret (DNS_TSIG_Key_secret) | Specifies the secret used with the algorithm in the verification process. The secret must be generated by a third-party tool such as BIND’s keygen utility; the BIG-IP system does not generate the TSIG key secret. |
DNS_TSIG_Key_secret¶
DNS_TSIG_Key secret possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the protected property empty or leave the default value unmodified. This property is a marker: changing it from the default indicates that your secrets have been encrypted with SecureVault. For example, the default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); the default is enc=none (encoded as ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’), used with the secret simply base64url-encoded into ‘ciphertext’. | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
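An added example, not part of F5's reference or of AS3 itself: a Python audit that walks a declaration, finds every DNS_TSIG_Key, decodes the protected marker described above, and reports keys left on the hmacmd5 default or whose secret is only base64url-encoded (enc=none) rather than a SecureVault cryptogram. The trimmed declaration, its tenant, application and key names, the secrets and the finding labels are constructed for illustration.

```python
"""Audit DNS_TSIG_Key objects in an AS3 declaration (added example)."""
import base64
import json

# Schema defaults taken from the DNS_TSIG_Key and DNS_TSIG_Key_secret tables.
DEFAULT_ALGORITHM = "hmacmd5"
DEFAULT_PROTECTED = "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
KNOWN_ENC = {"none", "f5sv"}


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used for 'protected' and 'ciphertext'."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Decode unpadded base64url by restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jose_header(secret: dict) -> dict:
    """Decode the 'protected' marker; an empty or absent value means the default."""
    header = json.loads(b64url_decode(secret.get("protected") or DEFAULT_PROTECTED))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def find_tsig_keys(node, path=""):
    """Yield (path, object) for every DNS_TSIG_Key nested in the declaration."""
    if isinstance(node, dict):
        if node.get("class") == "DNS_TSIG_Key":
            yield path, node
        for name, child in node.items():
            yield from find_tsig_keys(child, f"{path}/{name}")


def audit_tsig_keys(declaration: dict) -> list:
    """Return sorted (path, finding) tuples; secrets themselves are never printed."""
    findings = []
    for path, key in find_tsig_keys(declaration):
        if key.get("algorithm", DEFAULT_ALGORITHM) == "hmacmd5":
            findings.append((path, "hmacmd5-algorithm"))
        secret = key.get("secret")
        if not isinstance(secret, dict) or "ciphertext" not in secret:
            continue  # e.g. secret fetched via 'url'; nothing inline to inspect
        try:
            enc = jose_header(secret).get("enc", "none")
        except ValueError:  # bad base64, bad UTF-8, bad JSON, or not an object
            findings.append((path, "undecodable-protected-header"))
            continue
        if enc == "none":
            # The secret is recoverable by anyone who can read the declaration.
            findings.append((path, "secret-only-base64url-encoded"))
        elif enc not in KNOWN_ENC:
            findings.append((path, "unknown-enc:" + str(enc)))
    return sorted(findings)


def sample_declaration() -> dict:
    """Constructed, trimmed declaration; all names and secrets are made up."""
    return {
        "class": "ADC",
        "Example_Tenant": {
            "class": "Tenant",
            "Example_App": {
                "class": "Application",
                "key_defaults": {  # relies on schema defaults for everything
                    "class": "DNS_TSIG_Key",
                    "secret": {"ciphertext": b64url_encode(b"constructed-secret")},
                },
                "key_vaulted": {  # marker says SecureVault cryptogram
                    "class": "DNS_TSIG_Key",
                    "algorithm": "hmacsha256",
                    "secret": {
                        "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0",
                        "ciphertext": "Q09OU1RSVUNURUQ",  # placeholder, never decoded
                    },
                },
                "key_odd": {  # header decodes, but enc is not one the page lists
                    "class": "DNS_TSIG_Key",
                    "algorithm": "hmacsha1",
                    "secret": {
                        "protected": b64url_encode(b'{"alg":"dir","enc":"aes"}'),
                        "ciphertext": "Q09OU1RSVUNURUQ",
                    },
                },
            },
        },
    }


if __name__ == "__main__":
    for path, finding in audit_tsig_keys(sample_declaration()):
        print(path, finding)
```
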
DNS_Zone¶
Configures a DNS zone
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “DNS_Zone” | ||
dnsExpress (DNS_Zone_DNS_Express) | |||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
responsePolicyEnabled (boolean) | false | true, false | Specifies if this is a response policy zone. If this is set to yes, this zone may be assigned as an RPZ to a DNS Cache |
serverTsigKey (Pointer_DNS_TSIG_Key) | |||
transferClients (array<Pointer_DNS_Nameserver>) | Specifies the DNS nameservers to which the system sends NOTIFY messages. The system allows only the DNS nameservers in the Active column to initiate AXFR zone transfers for this DNS zone. |
DNS_Zone_DNS_Express¶
Configure zone DNS Express settings
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowNotifyFrom (array<string>) | format: f5ip | Specifies the IP addresses from which the system accepts NOTIFY messages for this DNS Express zone | |
enabled (boolean) | true | true, false | Specifies whether DNS Express is enabled to process queries for this zone |
nameserver (Pointer_DNS_Nameserver) | Specifies the back-end authoritative DNS server from which the BIG-IP system receives AXFR zone transfers for the DNS Express zone. The options are None and user-defined nameservers. | ||
notifyAction (string) | “consume” | “consume”, “bypass”, “repeat” | Specifies the action the system takes when a NOTIFY message is received for this DNS Express zone. NOTIFY responses are assumed to be sent by the authoritative nameserver for the zone, except when the action is Consume, and then DNS Express generates the response. Note: If a TSIG key is configured for the zone, the signature is only validated for Consume and Repeat actions. |
verifyNotifyTsig (boolean) | true | true, false | Specifies whether the system verifies the identity of the authoritative nameserver that sends updated information for this DNS Express zone |
DNS_Zone_Forward¶
Manage the set of Forward Zones used by DNS Cache
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
nameservers (array<string>) | An array of nameservers and ports |
DNS_Zone_Local¶
Configures resource records that a DNS cache uses to resolve matching DNS queries with authoritative DNS responses
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
records (array<string>) | A or AAAA record entry | ||
type (string) | “transparent” | “deny”, “redirect”, “refuse”, “static”, “transparent”, “type-transparent” | Describes how the cache handles a non-matching query for the local zone |
DOS_Auto_Denylist_Settings¶
Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
attackDetectionTime (integer) | 60 | [1, 4294967295] | Specifies the time in seconds before a vector is denylisted |
category (Pointer_Denylist_Category) | {"bigip":"/Common/denial_of_service"} | Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. | |
categoryDuration (integer) | 14400 | [60, 4294967295] | Specifies the time in seconds before the denylist entry is removed |
enabled (boolean) | false | true, false | Specifies if automatic denylist management should be used |
externalAdvertisementEnabled (boolean) | false | true, false | Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher |
DOS_Bad_Actor_Detection_Settings¶
Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
enabled (boolean) | false | true, false | Specifies that Bad Actor detection is enabled |
sourceDetectionThreshold (integer) | 4294967295 | [0, 4294967295] | Specifies the number of packets per second to identify an IP address as a bad actor |
sourceMitigationThreshold (integer) | 4294967295 | [0, 4294967295] | Specifies the rate limit applied to a source IP that is identified as a bad actor |
DOS_DNS_Vector¶
Protocol DNS Denial-of-Service (DoS) vector
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
autoAttackCeiling (integer) | 4294967295 | [0, 4294967295] | Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to 4294967295. |
autoAttackFloor (integer) | 100 | [0, 4294967295] | Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant. |
autoBlacklistSettings (DOS_Auto_Denylist_Settings) | {} | Deprecated. Replaced with functionally equivalent autoDenylistSettings. | |
autoDenylistSettings (DOS_Auto_Denylist_Settings) | |||
badActorSettings (DOS_Bad_Actor_Detection_Settings) | {} | ||
rateIncreaseThreshold (integer) | 500 | [0, 4294967295] | Specify percent of rate increase the system must discover in traffic in order to detect this attack |
rateLimit (integer) | 4294967295 | [0, 4294967295] | Specify the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit. |
rateThreshold (integer) | 4294967295 | [0, 4294967295] | Specify how many packets per second the system must discover in traffic in order to detect this attack |
simulateAutoThresholdEnabled (boolean) | false | true, false | Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds |
state (string) | “mitigate” | “disabled”, “learn-only”, “detect-only”, “mitigate” | Specifies how to enforce protection for that attack type: mitigate (watch, learn, alert, and mitigate), detect-only (watch, learn, and alert), learn-only (collect stats, no mitigation), or Disabled (no stat collection, no mitigation). |
thresholdMode (string) | “manual” | “manual”, “stress-based-mitigation”, “fully-automatic” | Specifies how thresholds are set for this vector |
type (string) | “a”, “aaaa”, “any”, “axfr”, “cname”, “ixfr”, “mx”, “ns”, “nxdomain”, “other”, “ptr”, “qdcount”, “soa”, “srv”, “txt”, “malformed” | Specifies the name of the DoS attack vector whose thresholds you are configuring |
DOS_Network_Vector¶
Network Denial-of-Service (DoS) vector
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
autoAttackCeiling (integer) | 4294967295 | [0, 4294967295] | Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to 4294967295. |
autoAttackFloor (integer) | 100 | [0, 4294967295] | Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant. |
autoBlacklistSettings (DOS_Auto_Denylist_Settings) | {} | Deprecated. Replaced with functionally equivalent autoDenylistSettings. | |
autoDenylistSettings (DOS_Auto_Denylist_Settings) | |||
badActorSettings (DOS_Bad_Actor_Detection_Settings) | {} | ||
rateIncreaseThreshold (integer) | 500 | [0, 4294967295] | Specify percent of rate increase the system must discover in traffic in order to detect this attack |
rateLimit (integer) | 4294967295 | [0, 4294967295] | Specify the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit. |
rateThreshold (integer) | 4294967295 | [0, 4294967295] | Specify how many packets per second the system must discover in traffic in order to detect this attack |
simulateAutoThresholdEnabled (boolean) | false | true, false | Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds |
state (string) | “mitigate” | “disabled”, “learn-only”, “detect-only”, “mitigate” | Specifies how to enforce protection for that attack type: mitigate (watch, learn, alert, and mitigate), detect-only (watch, learn, and alert), learn-only (collect stats, no mitigation), or Disabled (no stat collection, no mitigation). |
thresholdMode (string) | “manual” | “manual”, “stress-based-mitigation”, “fully-automatic” | Specifies how thresholds are set for this vector |
type (string) | “ext-hdr-too-large”, “hop-cnt-low”, “host-unreachable”, “icmpv4-flood”, “icmpv6-flood”, “icmp-frag”, “ip-frag-flood”, “ip-low-ttl”, “ip-opt-frames”, “ipv6-ext-hdr-frames”, “ipv6-frag-flood”, “non-tcp-connection”, “opt-present-with-illegal-len”, “sweep”, “tcp-half-open”, “tcp-opt-overruns-tcp-hdr”, “tcp-psh-flood”, “tcp-rst-flood”, “tcp-syn-flood”, “tcp-synack-flood”, “tcp-syn-oversize”, “tcp-bad-urg”, “tcp-window-size”, “tidcmp”, “too-many-ext-hdrs”, “udp-flood”, “unk-tcp-opt-type” | Specifies the name of the DoS attack vector whose thresholds you are configuring |
DOS_Profile¶
Configures a Denial of Service (DOS) profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowlist (Pointer_Address_List) | | | Specifies the default allowlist address list for the system to use to determine which IP addresses are legitimate. The system does not examine traffic from the IP addresses in the list when performing DoS prevention. This property is available on BIGIP 14.1 and above. |
application (reference \| DOS_Profile_Application) | | | Application security sub-profile |
applicationAllowlist (reference \| Pointer_Address_List) | | | Specifies the IP addresses and subnets allowlist configuration for Application Security (Overrides the global allowlist) |
applicationWhitelist (reference \| Pointer_Address_List) | | | Deprecated. Replaced with functionally equivalent applicationAllowlist. Specifies the IP addresses and subnets allowlist configuration for Application Security (Overrides the global allowlist) |
class (string) | | “DOS_Profile” | |
label (string) | | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML |
network (reference \| DOS_Profile_Network) | | | Network security sub-profile |
protocolDNS (reference \| DOS_Profile_Protocol_DNS) | | | DNS protocol security sub-profile |
protocolSIP (reference \| DOS_Profile_Protocol_SIP) | | | SIP protocol security sub-profile |
remark (string) | | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
whitelist (Pointer_Address_List) | | | Deprecated. Replaced with functionally equivalent allowlist. Specifies the default allowlist address list for the system to use to determine which IP addresses are legitimate. The system does not examine traffic from the IP addresses in the list when performing DoS prevention. This property is available on BIGIP 14.1 and above. |
DOS_Profile_Application
Specifies the conditions for determining that your application is under a DoS attack, and how the system reacts to a suspected attack.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowlistedGeolocations (array<string>) | | | Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to allow traffic during a DoS attack |
blacklistedGeolocations (array<string>) | | | Deprecated. Replaced with functionally equivalent denylistedGeolocations. Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to block traffic during a DoS attack |
botDefense (DOS_Profile_Application_Bot_Defense) | {} | | This feature proactively detects bots and scripts, and prevents them from accessing the site. It may be used to prevent DDoS, Web Scraping, and Brute Force attacks. Enabling this feature requires JavaScript support from the browsers. |
botSignatures (DOS_Profile_Application_Bot_Signatures) | {} | | This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms |
captchaResponse (DOS_Profile_Application_Captcha) | {} | | |
denylistedGeolocations (array<string>) | | | Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to block traffic during a DoS attack |
heavyURLProtection (DOS_Profile_Application_Heavy_URL) | {} | | Configure Heavy URL include list, automatic detection, and exclude list |
mobileDefense (DOS_Profile_Application_Mobile_Defense) | {} | | This feature detects mobile applications built with the Anti-Bot Mobile SDK and defines how requests from these mobile application clients are handled |
profileAcceleration (Pointer_L4_Profile) | | | Select a TCP fastL4 profile to be used as a fast-path for acceleration |
rateBasedDetection (DOS_Profile_Application_Rate_Based_Detection) | {} | | Configures the detection of DoS attacks based on high volume of incoming traffic |
recordTraffic (DOS_Profile_Application_TCP_Dump) | {} | | This feature allows automatic recording of traffic during DoS attacks, and storing the recordings as TCP Dump files. The files are placed in the system file path /shared/dosl7/tcpdumps. |
remoteTriggeredBlackHoleDuration (integer) | | [0, 4294967295] | Specifies the BGP route advertisement duration in seconds for Remote Triggered Black Hole of attacking IPs. This requires configuration of the Blacklist Publisher, and will function even when the Operation Mode is set to Transparent. A value of 0 disables Remote Triggered Black Hole. Requires the AFM module and if this property is unspecified it will be disabled. |
scrubbingDuration (integer) | | [0, 4294967295] | Specifies the BGP route advertisement duration in seconds for Traffic Scrubbing during attacks. This requires configuration of the Scrubber Profile, and will function even when the Operation Mode is set to Transparent. A value of 0 disables Traffic Scrubbing. Requires the AFM module and if this property is unspecified it will be disabled. |
singlePageApplicationEnabled (boolean) | false | true, false | Specifies that your website is a Single Page Application, meaning a web application that loads new content without triggering a full page-reload. This property is available on BIGIP 14.1 and above. |
stressBasedDetection (DOS_Profile_Application_Stress_Based_Detection) | {} | | Configures the detection of DoS attacks based on server stress. The system automatically detects an increase in server stress and mitigates DoS attacks causing it. |
triggerIRule (boolean) | false | true, false | Specifies that the system activates an Application DoS iRule event |
whitelistedGeolocations (array<string>) | | | Deprecated. Replaced with functionally equivalent allowlistedGeolocations. Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to allow traffic during a DoS attack |
DOS_Profile_Application_Bot_Defense
BIG-IP AS3 provides defense against bot attacks by detecting and stopping them before the attacks start to grow, by performing the following:
- The system sends a client-side JavaScript challenge to the browser.
- If the challenge is met, the system adds a cookie to the second request. This cookie is active until the session ends, and the system does not add any more cookies to further requests during that session.
- The system drops requests sent by browsers that do not answer the system’s initial JavaScript challenge, assuming they are bots that do not support JavaScript.
Note: This feature requires browsers to allow JavaScript.
Important: The proactive bot defense feature works also in Transparent mode. This means that the system will replace responses with client side JavaScript also in Transparent mode, and if the client cannot run JavaScript, it will not be able to receive the server responses.
Important: If you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL allowlist.
This method is intended to complement, not replace, the other mitigation methods.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
blockSuspiscousBrowsers (boolean) | true | true, false | Detect and block requests from highly suspicious browsers |
crossDomainRequests (string) | “allow-all” | “allow-all”, “validate-bulk”, “validate-upon-request” | Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above. |
externalDomains (array<string>) | | | Specifies the external referring domains (that are not part of your website) that are allowed to link to resources in your website. These domains are not protected with proactive bot defense, but the system allows them if they pass the system’s redirect-cookie challenge. This property is available on BIGIP 14.1 and above. |
gracePeriod (integer) | 300 | [0, 4294967295] | The length of time (in seconds) before the system blocks suspected bots. The grace period allows web application pages with both HTML and non-HTML (like images, JS, and CSS) to load completely without being blocked. The grace period starts after client validation, a configuration change, or when proactive bot defense is activated as a result of a detected attack or high latency. This property is available on BIGIP 14.1 and above. |
issueCaptchaChallenge (boolean) | true | true, false | Issue CAPTCHA challenges to moderately suspicious browsers |
mode (string) | “off” | “off”, “during-attacks”, “always” | Specifies the conditions under which bots are detected and blocked |
siteDomains (array<string>) | | | Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above. |
urlAllowlist (array<string>) | | | Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation |
urlWhitelist (array<string>) | | | Deprecated. Replaced with functionally equivalent urlAllowlist. Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation |
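A pre-deployment check for the DOS_Profile tables above, as an added example (not part of the AS3 documentation or F5's code): it reports the deprecated property names listed on this page, rewrites them to their replacements, and applies the label and remark constraints. The function names, the sample profile and its values (including the `{"use": ...}` pointer and the geolocation string) are constructed for illustration.

```python
import copy
import re

# Deprecated property -> replacement, keyed by where it sits inside a DOS_Profile.
# Names are taken from the DOS_Profile, DOS_Profile_Application and
# DOS_Profile_Application_Bot_Defense tables on this page.
DEPRECATED = {
    (): {"whitelist": "allowlist",
         "applicationWhitelist": "applicationAllowlist"},
    ("application",): {"whitelistedGeolocations": "allowlistedGeolocations",
                       "blacklistedGeolocations": "denylistedGeolocations"},
    ("application", "botDefense"): {"urlWhitelist": "urlAllowlist"},
}

# label / remark patterns as documented (0-64 characters each).
LABEL_RE = re.compile(r"^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$")
REMARK_RE = re.compile(r"^[^\x00-\x1f\x22\x5c\x7f]*$")
# remark still permits these, hence the XSS caveat in its description.
HTML_META = set("<>&'")


def _node(profile, path):
    """Return the nested object at path, or None if absent or not an object."""
    node = profile
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) else None


def lint_dos_profile(profile):
    """Return a list of human-readable findings for one DOS_Profile object."""
    findings = []
    for path, renames in DEPRECATED.items():
        node = _node(profile, path)
        if node is None:
            continue
        where = "/".join(path) or "(profile)"
        for old, new in renames.items():
            if old in node and new in node:
                findings.append(f"{where}: both {old} and {new} set; remove {old}")
            elif old in node:
                findings.append(f"{where}: {old} is deprecated; use {new}")
    for name, pattern in (("label", LABEL_RE), ("remark", REMARK_RE)):
        value = profile.get(name)
        if value is None:
            continue
        # fullmatch, not match: with match(), "$" would accept a trailing newline.
        if (not isinstance(value, str) or len(value) > 64
                or not pattern.fullmatch(value)):
            findings.append(f"{name}: violates the 0-64 char pattern on this page")
        elif name == "remark" and HTML_META & set(value):
            findings.append("remark: contains HTML metacharacters; escape on output")
    return findings


def migrate(profile):
    """Return a copy with deprecated names replaced; refuse ambiguous input."""
    out = copy.deepcopy(profile)
    for path, renames in DEPRECATED.items():
        node = _node(out, path)
        if node is None:
            continue
        for old, new in renames.items():
            if old in node:
                if new in node:
                    raise ValueError(f"{old} and {new} are both present")
                node[new] = node.pop(old)
    return out


# Constructed sample profile, not taken from any real deployment.
SAMPLE = {
    "class": "DOS_Profile",
    "remark": "owner: <netops>",
    "whitelist": {"use": "trusted_sources"},
    "application": {
        "blacklistedGeolocations": ["Exampleland"],
        "botDefense": {"mode": "during-attacks", "urlWhitelist": ["/health"]},
    },
}

if __name__ == "__main__":
    for finding in lint_dos_profile(SAMPLE):
        print(finding)
```
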
DOS_Profile_Application_Bot_Signatures
This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
blockedCategories (array<Pointer_Bot_Signature_Category>) | | | The system blocks and reports requests that match signatures in this list of categories |
checkingEnabled (boolean) | false | true, false | Specifies the system uses signatures to check whether a bot is benign or malicious |
disabledSignatures (array<Pointer_Bot_Signature>) | | | A list of signatures the system ignores when it matches requests with configured bot signatures |
reportedCategories (array<Pointer_Bot_Signature_Category>) | | | The system logs requests that match signatures in this list of categories and counts them in the DoS reports |
DOS_Profile_Application_Captcha
Specifies the text the system sends, during a suspected DoS event, to users after it challenges users with the first CAPTCHA response, and the text the system sends to users after they fail a CAPTCHA response.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
failure (string) | | | Specifies the content the system displays to a user after the user fails to correctly answer a CAPTCHA |
first (string) | | | Specifies the content that the system displays to a user the first time the user is asked to respond to a CAPTCHA |
DOS_Profile_Application_Detection_Device
Specifies the criteria that determine when the system treats a device as an attacker
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
captchaChallengeEnabled (boolean) | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled (boolean) | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps (integer) | 5000 | [0, 4294967295] | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps (integer) | 200 | [0, 4294967295] | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps (integer) | 5 | [0, 4294967295] | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps (integer) | 40 | [0, 4294967295] | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled (boolean) | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode (string) | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
tpsIncreaseRate (integer) | 500 | [0, 4294967295] | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Detection_Geolocation
Specifies the criteria that determine when the system treats a geolocation as an attacker
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
captchaChallengeEnabled (boolean) | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled (boolean) | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps (integer) | 20000 | [0, 4294967295] | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumAutoTps (integer) | 50 | [0, 4294967295] | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumShare (integer) | 10 | [0, 4294967295] | The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled (boolean) | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode (string) | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
shareIncreaseRate (integer) | 500 | [0, 4294967295] | The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Detection_IP
Specifies the criteria that determine when the system treats a source IP address as an attacker
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
captchaChallengeEnabled (boolean) | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled (boolean) | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps (integer) | 5000 | [0, 4294967295] | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps (integer) | 200 | [0, 4294967295] | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps (integer) | 5 | [0, 4294967295] | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps (integer) | 40 | [0, 4294967295] | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled (boolean) | true | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode (string) | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
tpsIncreaseRate (integer) | 500 | [0, 4294967295] | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Detection_Site
Specifies the criteria that determine when the system treats a site as an attacker
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
captchaChallengeEnabled (boolean) | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled (boolean) | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps (integer) | 20000 | [0, 4294967295] | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps (integer) | 10000 | [0, 4294967295] | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps (integer) | 5 | [0, 4294967295] | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps (integer) | 2000 | [0, 4294967295] | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled (boolean) | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
tpsIncreaseRate (integer) | 500 | [0, 4294967295] | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Detection_URL
Specifies the criteria that determine when the system treats a URL as an attacker
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
captchaChallengeEnabled (boolean) | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled (boolean) | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
heavyURLProtectionEnabled (boolean) | true | true, false | Specifies, when enabled, that heavy URL protection should be enabled |
maximumAutoTps (integer) | 5000 | [0, 4294967295] | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps (integer) | 1000 | [0, 4294967295] | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps (integer) | 5 | [0, 4294967295] | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps (integer) | 200 | [0, 4294967295] | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled (boolean) | true | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
tpsIncreaseRate (integer) | 500 | [0, 4294967295] | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Heavy_URL
Heavy URLs are a small number of site URLs that might consume considerable server resources per request. Heavy URLs respond with low latency most of the time, but may easily reach high latency under specific conditions. Heavy URLs are not necessarily heavy all the time, but are potentially heavy, especially during DoS attacks. It only takes a low rate of requests to heavy URLs in order to cause DoS attacks. When an attack is suspected, the system protects the heavy URLs using the by URL methods that you enabled in TPS-based Detection and Behavioral & Stress-based Detection. If no URL-based methods are enabled there, the system only reports attacks.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
automaticDetectionEnabled (boolean) | true | true, false | Mark a URL as heavy if its portion of transactions with latency above the specified threshold is higher than usual for this site |
detectionThreshold (integer) | 1000 | [16, 4294967295] | Specifies the latency threshold for automatic heavy URL detection (in milliseconds) |
excludeList (array<string>) | | | URLs the system should not consider heavy even if the system automatically detects them as being heavy. This list may contain prefix wildcards. |
protectList (array<DOS_Profile_Application_Heavy_URL_protectList>) | | | URLs you expect to be heavy even if the system does not automatically detect them as being heavy |
DOS_Profile_Application_Heavy_URL_protectList
DOS_Profile_Application_Heavy_URL protectList possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
threshold (integer) | | [0, 4294967295] | Threshold for detection in requests per second |
url (string) | | | URL to protect |
DOS_Profile_Application_Mobile_Defense
When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK will be detected and handled according to the setting configured here. When disabled, these requests will be handled like any other request, meaning that they may let attacks in or cause false positives. Mobile application traffic will be treated differently than other clients, e.g. browsers, in security policies. For this reason, even when DoS protection is not required in a security policy, you still must set a DoS profile with mobile application protection enabled.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowAndroidPublishers (array<Pointer_SSL_Certificate>) | | | Publisher certificates to allow. All others are blocked. An empty list allows all publishers. |
allowAndroidRootedDevice (boolean) | false | true, false | Select to allow traffic from rooted Android devices |
allowEmulators (boolean) | false | true, false | Select to allow traffic from applications run on emulators |
allowIosPackageNames (array<string>) | | | Package names to allow. All others are blocked. An empty list allows all package names. |
allowJailbrokenDevices (boolean) | false | true, false | Select to allow traffic from jailbroken iOS devices |
clientSideChallengeMode (string) | “pass” | “pass”, “challenge” | Specifies the action to take when a CAPTCHA or Client Side Integrity challenge needs to be presented |
enabled (boolean) | false | true, false | When enabled, requests from mobile applications built with Anti-Bot Mobile SDK will be detected and handled according to the settings below. When disabled, these requests will be handled like any other request which may let attacks in, or cause false positives. |
DOS_Profile_Application_Rate_Based_Detection
Configure the system to prevent DoS attacks based on the client side transactions per second (TPS-based detection mode). The system considers traffic to be a DoS attack based on the following calculations:
- Transaction rate detection interval: The average number of requests per second sent. This is the TPS value that triggered the attack. This number is calculated by the system, by default, every ten seconds.
- Transaction rate history interval: The average number of requests per second sent. This number is the average number of transactions for the past hour, and it is updated every 10 seconds.
In TPS-based detection mode, if the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the specific percentage configured, the system detects the URL/site to be under attack, or the IP address/geolocation to be attacking. In order to stop the attack, the system blocks some, or all, requests from the detected IP address/geolocation and/or to the attacked URL/site, depending on the configuration of the DoS profile.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
deEscalationPeriod (integer) | 7200 | [0, 86400] | When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs. |
deviceID (DOS_Profile_Application_Detection_Device) | {} | | |
escalationPeriod (integer) | 120 | [1, 3600] | Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step. |
geolocation (DOS_Profile_Application_Detection_Geolocation) | {} | | |
operationMode (string) | “off” | “off”, “transparent”, “blocking” | Specifies how the system reacts when it detects an attack |
site (DOS_Profile_Application_Detection_Site) | {} | | |
sourceIP (DOS_Profile_Application_Detection_IP) | {} | | |
thresholdsMode (string) | “manual” | “manual”, “automatic” | Specifies what type of thresholds to use |
url (DOS_Profile_Application_Detection_URL) | {} | | |
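The TPS rule described above, worked through with the manual-threshold defaults from the Detection_IP, Detection_Device, Detection_URL and Detection_Site tables. This is an added model of the rule as this page words it, not F5's implementation; the boundary comparisons (`>=` for the TPS floors and ceilings, `>` for the ratio), the treatment of an empty history, and all function names and sample rates are assumptions. Geolocation uses share-based conditions instead and is not modeled.

```python
# Defaults copied from the per-scope tables on this page (thresholdsMode "manual").
DEFAULTS = {
    "sourceIP": {"minimumTps": 40, "maximumTps": 200, "tpsIncreaseRate": 500,
                 "captchaChallengeEnabled": False,
                 "clientSideDefenseEnabled": False,
                 "rateLimitingEnabled": True},
    "deviceID": {"minimumTps": 40, "maximumTps": 200, "tpsIncreaseRate": 500,
                 "captchaChallengeEnabled": False,
                 "clientSideDefenseEnabled": False,
                 "rateLimitingEnabled": False},
    "url": {"minimumTps": 200, "maximumTps": 1000, "tpsIncreaseRate": 500,
            "captchaChallengeEnabled": False,
            "clientSideDefenseEnabled": False,
            "rateLimitingEnabled": True},
    "site": {"minimumTps": 2000, "maximumTps": 10000, "tpsIncreaseRate": 500,
             "captchaChallengeEnabled": False,
             "clientSideDefenseEnabled": False,
             "rateLimitingEnabled": False},
}
METHODS = ("captchaChallengeEnabled", "clientSideDefenseEnabled",
           "rateLimitingEnabled")


def effective(scope, overrides=None):
    """Merge a declared sub-object (default {}) over the documented defaults."""
    cfg = dict(DEFAULTS[scope])
    cfg.update(overrides or {})
    return cfg


def trigger(detection_tps, history_tps, cfg):
    """Return the condition that marks the entity, or None.

    detection_tps: average over the detection interval (10 s by default).
    history_tps:   average over the past hour.
    """
    # Above maximumTps the entity is always considered attacking.
    if detection_tps >= cfg["maximumTps"]:
        return "maximumTps"
    # Ratio of detection to history, as a percentage, compared by
    # cross-multiplying so an empty history (0 TPS) needs no division.
    increased = detection_tps * 100 > cfg["tpsIncreaseRate"] * history_tps
    # Both the minimum TPS and the increase-rate condition must hold.
    if detection_tps >= cfg["minimumTps"] and increased:
        return "minimumTps+tpsIncreaseRate"
    return None


def evaluate(declared, samples):
    """declared: a rateBasedDetection fragment; samples: (scope, det, hist)."""
    report = []
    for scope, det, hist in samples:
        cfg = effective(scope, declared.get(scope))
        hit = trigger(det, hist, cfg)
        # Detection without any enabled method leaves nothing to apply.
        methods = [m for m in METHODS if cfg[m]] if hit else []
        report.append((scope, det, hist, hit, methods))
    return report


# Constructed traffic samples: (scope, detection-interval TPS, history TPS).
SAMPLES = [
    ("sourceIP", 60, 10),     # 600% of history and above the 40 TPS floor
    ("sourceIP", 30, 2),      # 1500% of history but below the 40 TPS floor
    ("sourceIP", 150, 100),   # busy but steady: 150% of history
    ("sourceIP", 250, 240),   # steady, yet over the 200 TPS ceiling
    ("site", 2500, 400),      # 625% of history, above the 2000 TPS floor
]

if __name__ == "__main__":
    for row in evaluate({}, SAMPLES):
        print(row)
```

With the defaults, the last sample is detected at site scope but no prevention method is enabled there; declaring `{"site": {"rateLimitingEnabled": true}}` is what changes the outcome.
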
DOS_Profile_Application_Stress_Based_Detection
Configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds is crossed.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
badActor (DOS_Profile_Application_Stress_Based_Detection_Bad_Actor) | {} | | |
deEscalationPeriod (integer) | 7200 | [0, 86400] | When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs. |
deviceID (DOS_Profile_Application_Detection_Device) | {} | | |
escalationPeriod (integer) | 120 | [1, 3600] | Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step. |
geolocation (DOS_Profile_Application_Detection_Geolocation) | {} | | |
operationMode (string) | “off” | “off”, “transparent”, “blocking” | Specifies how the system reacts when it detects an attack |
site (DOS_Profile_Application_Detection_Site) | {} | | |
sourceIP (DOS_Profile_Application_Detection_IP) | {} | | |
thresholdsMode (string) | “manual” | “manual”, “automatic” | Specifies what type of thresholds to use |
url (DOS_Profile_Application_Detection_URL) | {} | | |
DOS_Profile_Application_Stress_Based_Detection_Bad_Actor
Specifies properties of Behavioral Detection in Stress-based anomaly.
The following mitigation options are available:
- Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
- Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
- Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
acceleratedSignaturesEnabled (boolean) | false | true, false | Enables signature detection before the connection establishment |
detectionEnabled (boolean) | false | true, false | Enables traffic behavior, server’s capacity learning, and anomaly detection |
mitigationMode (string) | “none” | “none”, “conservative”, “standard”, “aggressive” | Specifies mitigation impact on suspicious bad actors/requests |
signatureDetectionEnabled (boolean) | false | true, false | Enables request signature detection |
tlsSignaturesEnabled (boolean) | false | true, false | Enables TLS signature detection before the connection establishment. This property is available on BIG-IP 14.1 and above. |
useApprovedSignaturesOnly (boolean) | false | true, false | Limits request signature detection to approved signatures only |
DOS_Profile_Application_TCP_Dump¶
Configure settings to record traffic (perform a TCP dump) when a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
maximumDuration (integer) | 30 | [0, 4294967295] | Configures the maximum time for each TCP dump recording cycle |
maximumSize (integer) | 10 | [0, 4294967295] | Configures the maximum size (in MB) for each TCP dump recording cycle |
recordTrafficEnabled (boolean) | false | true, false | Enables the recording of traffic during attacks |
repetitionInterval (string | integer) | 120 | Allow multiple TCP dumps to be recorded during a single DoS attack |
DOS_Profile_Network¶
No description provided
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
dynamicSignatures (DOS_Profile_Network_Dynamic_Signatures) | {} | ||
vectors (array<DOS_Network_Vector>) | A list of configured network DoS vectors |
DOS_Profile_Network_Dynamic_Signatures¶
No description provided
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
detectionMode (string) | “disabled” | “disabled”, “learn-only”, “enabled” | Select the enforcement state for dynamic signatures. To enable enforcement of dynamic DoS vectors, select enabled. When enforcement is enabled, all thresholds and threshold actions are applied. Select disabled to apply no action or thresholds to dynamic Vectors. Select learn-only to track dynamic vector statistics, without enforcing any thresholds or limits. |
mitigationMode (string) | “none” | “none”, “low”, “medium”, “high” | Specify the mitigation sensitivity for dynamic signatures |
scrubbingCategory (Pointer_Denylist_Category) | Specifies the IP intelligence denylist category to which scrubbed IPs are sent | ||
scrubbingDuration (integer) | 500 | [60, 4294967295] | Specify the duration in seconds for which an IP address is added to the denylist category |
scrubbingEnabled (boolean) | false | true, false | Specify whether to enable redirection and scrubbing of IP addresses identified by dynamic vectors. This enables handling of the dynamic vector hits by an IP intelligence category. |
DOS_Profile_Protocol_DNS¶
No description provided
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
vectors (array<DOS_DNS_Vector>) | A list of configured DNS DoS vectors |
DOS_Profile_Protocol_SIP¶
No description provided
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
vectors (array<DOS_SIP_Vector>) | A list of configured SIP DoS vectors |
DOS_SIP_Vector¶
Protocol SIP Denial-of-Service (DoS) vector
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
autoAttackCeiling (integer) | 4294967295 | [0, 4294967295] | Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to 4294967295. |
autoAttackFloor (integer) | 100 | [0, 4294967295] | Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant. |
autoBlacklistSettings (DOS_Auto_Denylist_Settings) | {} | Deprecated. Replaced with functionally equivalent autoDenylistSettings. | |
autoDenylistSettings (DOS_Auto_Denylist_Settings) | |||
badActorSettings (DOS_Bad_Actor_Detection_Settings) | {} | ||
rateIncreaseThreshold (integer) | 500 | [0, 4294967295] | Specify percent of rate increase the system must discover in traffic in order to detect this attack |
rateLimit (integer) | 4294967295 | [0, 4294967295] | Specify the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit. |
rateThreshold (integer) | 4294967295 | [0, 4294967295] | Specify how many packets per second the system must discover in traffic in order to detect this attack |
simulateAutoThresholdEnabled (boolean) | false | true, false | Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds |
state (string) | “mitigate” | “disabled”, “learn-only”, “detect-only”, “mitigate” | Specifies how to enforce protection for that attack type: mitigate (watch, learn, alert, and mitigate), detect-only (watch, learn, and alert), learn-only (collect stats, no mitigation), or disabled (no stat collection, no mitigation). |
thresholdMode (string) | “manual” | “manual”, “stress-based-mitigation”, “fully-automatic” | Specifies how thresholds are set for this vector |
type (string) | “ack”, “cancel”, “message”, “options”, “prack”, “register”, “bye”, “invite”, “notify”, “other”, “publish”, “subscribe”, “uri-limit”, “malformed” | Specifies the name of the DoS attack vector whose thresholds you are configuring |
Endpoint_Policy¶
Policy to manage connections based on metadata and content
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Endpoint_Policy” | ||
customStrategy (string | Endpoint_Policy_customStrategy) | -, - | BIG-IP AS3 pointer to custom strategy declaration | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
rules (array<Endpoint_Policy_Rule>) | List of policy rules, order is significant | ||
strategy (string) | “best-match” | “all-match”, “best-match”, “first-match”, “custom” | Rule-matching strategy; value ‘custom’ means BIG-IP AS3 requires a custom strategy (default is best-match) |
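The remark description warns that its pattern is loose enough to carry markup. The following is an added example, not part of the AS3 project or this reference: it checks label and remark values in a declaration against the two patterns and the 0-64 length limit, and HTML-encodes a remark before display. The sample declaration, the function names and the note strings are constructed for illustration.

```python
import html
import re

# Patterns from the label and remark rows, with their \x escapes written out.
LABEL_RE = re.compile(r"^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$")
REMARK_RE = re.compile(r"^[^\x00-\x1f\x22\x5c\x7f]*$")
MAX_LEN = 64                 # both descriptions say "Allows 0-64 chars"
MARKUP_CHARS = set("<>&'")   # accepted by the remark pattern, significant in HTML


def check_field(name, value):
    """Return a list of notes for one label or remark value (empty if clean)."""
    pattern = LABEL_RE if name == "label" else REMARK_RE
    notes = []
    if len(value) > MAX_LEN:
        notes.append("too-long")
    # fullmatch, not match: Python's `$` also matches just before a trailing
    # newline, which would let "text\n" through a pattern that bans \x0a.
    if not pattern.fullmatch(value):
        notes.append("pattern-mismatch")
    if name == "remark" and MARKUP_CHARS & set(value):
        notes.append("needs-output-encoding")
    return notes


def review(node, path=""):
    """Walk a declaration and return [(json_path, notes)] for flagged fields."""
    results = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            if key in ("label", "remark") and isinstance(value, str):
                notes = check_field(key, value)
                if notes:
                    results.append((child, notes))
            else:
                results.extend(review(value, child))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            results.extend(review(value, f"{path}/{index}"))
    return results


def render_remark(value):
    """Encode a remark for insertion into HTML text or attribute context."""
    return html.escape(value, quote=True)


# Constructed sample: an Endpoint_Policy with one rule.
SAMPLE = {
    "edgePolicy": {
        "class": "Endpoint_Policy",
        "label": "Edge policy",
        "remark": "<b>owner: ops & net</b>",   # valid per schema, unsafe raw
        "rules": [
            {"name": "rule1", "label": "block <admin>", "remark": "plain text"}
        ],
    }
}

if __name__ == "__main__":
    for json_path, notes in review(SAMPLE):
        print(json_path, notes)
    print(render_remark(SAMPLE["edgePolicy"]["remark"]))
```

A remark that passes schema validation can still need encoding at the point where a dashboard or report renders it, which is the case flagged as `needs-output-encoding`.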
Endpoint_Policy_customStrategy¶
Endpoint_Policy customStrategy possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP LTM strategy |
Endpoint_Policy_Rule¶
A rule for an Endpoint policy that describes actions to perform on traffic matching given conditions
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
actions (array<Policy_Action>) | Specifies the actions for the rule to execute | ||
conditions (array<Policy_Condition>) | Specifies the conditions for the rule to apply | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
name (string) | regex: ^[a-zA-Z0-9_\-.:%]+$ | Name of the endpoint policy rule | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
Endpoint_Strategy¶
Strategy for evaluation of an Endpoint policy
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Endpoint_Strategy” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
matchMethod (string) | “all-match”, “best-match”, “first-match” | Specifies the match method | |
operands (array<string>) | Specifies the attribute for the rule to match. Sometimes this represents a specific value (for example, http-method or http-status), but frequently the operand needs a specific Selector to identify an instance (for example, http-header needs a Selectorname parameter). | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
Enforcement_Diameter_Endpoint_Profile¶
Create a listener to specify how to handle traffic for policy enforcement
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Enforcement_Diameter_Endpoint_Profile” | ||
destinationHost (string) | Specifies the destination host name of the PCRF or external policy server, for example, pcrfdest.net.com | ||
destinationRealm (string) | Specifies the realm name or network of the PCRF, for example, net.com | ||
fatalGraceTime (integer) | 500 | [0, infinity] | Specifies the time period in seconds that a diameter (PCRF) connection can be disconnected before the system clears all subscriber session information associated with that diameter endpoint. If the connection is re-established within the fatal grace time period, session information is not cleared. A value of 0 means if the PCRF is disconnected, session information is cleared immediately. |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
messageMaxRetransmits (integer) | 2 | [0, infinity] | Specifies the maximum number of times that messages can be retransmitted from the BIG-IP system to the PCRF |
messageRetransmitDelay (integer) | 1500 | [0, infinity] | Specifies the number of milliseconds to wait before retransmitting unanswered messages in case of failure from the BIG-IP system to the PCRF over the Gx interface |
originHost (string) | Specifies the host name of the PCRF or external policy server, for example, pcrf.xnet.com | ||
originRealm (string) | Specifies the realm name or network in which the PCRF resides, for example, xnet.com | ||
parentProfile (Pointer_Enforcement_Diameter_Endpoint_Profile) | {“bigip”:”/Common/diameter-endpoint”} | Specifies the name of the object to inherit the settings from | |
productName (string) | “BIG-IP” | Specifies the value of the string used in the product name attribute value pair (AVP), in capabilities exchange message in the diameter when communicating with the PCRF | |
protocolProfileGx (Pointer_Enforcement_Profile_Gx) | Specifies the protocol profile to be used when you enable subscriber discovery. The PEM protocol profile defines mapping of Diameter Gx AVPs to subscriber ID and other PEM subscriber session attributes. The default BIG-IP reference values vary between versions. BIG-IP versions 14.1 and above begin with ‘sys_diam’ (e.g. _sys_diam_proto_default). | ||
supportedApps (array<string>) | “Gx”, “Gy”, “Sd” | Specifies the diameter endpoint you would like to provision. You can select Gx, Gy or SD. Gx and SD are mutually exclusive. |
Enforcement_Format_Script¶
Specifies a script using TCL syntax that defines a custom format for HSL reporting applied in an enforcement policy rule. The format and fields available differ depending on whether you are using session-based or flow-based reporting in the rule.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Enforcement_Format_Script” | ||
definition (string) | TCL script text | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
Enforcement_Forwarding_Endpoint¶
Configures a forwarding endpoint to specify PEM policy forwarding actions
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressTranslationEnabled (boolean) | false | true, false | Specifies, when enabled, the system translates the original destination address of the virtual server. When disabled, specifies the system uses the address without translation. |
class (string) | “Enforcement_Forwarding_Endpoint” | ||
defaultPersistenceType (string) | “disabled” | “destination-ip”, “disabled”, “hash”, “source-ip” | Specifies a persistence method for the pool member selection. If you have multiple pool members and want specific traffic to go to the same pool member, select the appropriate IP address type. |
fallbackPersistenceType (string) | “disabled” | “destination-ip”, “disabled”, “source-ip” | Specifies the fallback persistence method that is applied when default persistence fails. If you have multiple pool members and want specific traffic to go to the same pool member, select the appropriate IP address type. |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
persistenceHashSettings (Enforcement_Forwarding_Endpoint_Hash_Settings) | {} | ||
pool (Pointer_Pool) | |||
portTranslationEnabled (boolean) | false | true, false | Specifies, when enabled, the system translates the original destination port. When disabled, specifies the system uses the original destination port without translation. |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
SNATPool (Pointer_SNAT_Pool) | |||
sourcePortAction (string) | “preserve” | “change”, “preserve”, “preserve-strict” | Specifies whether the system preserves the source port of the connection |
Enforcement_Forwarding_Endpoint_Hash_Settings¶
Specifies the settings for the hash persistence method
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
length (integer) | 1024 | [0, 4294967295] | Specifies the length of the source string used to calculate the hash value |
offset (integer) | 0 | [0, 4294967295] | Specifies the offset, in bytes, from start of the source string to calculate the hash value |
tclScript (string) | The results from this TCL script are used to calculate the hash value. If no script is specified, the URI is used instead. |
Enforcement_Interception_Endpoint¶
Configures an interception endpoint to clone all traffic
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Enforcement_Interception_Endpoint” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
persistence (string) | “disabled” | “destination-ip”, “source-ip”, “disabled” | Specifies the persistence that is based on either the source or destination IP addresses only |
pool (Pointer_Pool) |
Enforcement_iRule¶
Specifies or configures an iRule for use in Enforcement Policies
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Enforcement_iRule” | ||
expand (boolean) | true | true, false | If true (default), expand backquoted variables in iRule |
iRule (IRule_Core) | |||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
Enforcement_Listener¶
Configures an enforcement data plane listener
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Enforcement_Listener” | ||
enforcementProfile (Pointer_Enforcement_Profile) | |||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
services (array<Pointer_Service>) | A set of virtual servers | ||
subscriberManagementProfile (Pointer_Enforcement_Subscriber_Management_Profile) |
Enforcement_Policy¶
Configures policies for the Policy Enforcement Manager (PEM)
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allTransactions (boolean) | false | true, false | Specifies, when set to true, that the system enables policy enforcement for each HTTP transaction. When set to false, the system allows only policy enforcement of the first HTTP transaction. |
class (string) | “Enforcement_Policy” | ||
enable (boolean) | true | true, false | Specifies the current status of the policy |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
rules (array<Enforcement_Rule>) | Enforcement policy rules |
Enforcement_Profile¶
Configures a subscriber policy manager profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Enforcement_Profile” | ||
connectionOptimizationEnabled (boolean) | true | true, false | Specifies whether connection optimization is enabled or not |
connectionOptimizationService (Pointer_Service) | |||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
parentProfile (Pointer_Enforcement_Profile) | {“bigip”:”/Common/spm”} | Specifies the name of the object to inherit the settings from | |
policiesGlobalHighPrecedence (array<Pointer_Enforcement_Policy>) | Adds, deletes, or replaces a set of the policies | ||
policiesGlobalLowPrecedence (array<Pointer_Enforcement_Policy>) | Adds, deletes, or replaces a set of the policies | ||
policiesUnknownSubscribers (array<Pointer_Enforcement_Policy>) | Adds, deletes, or replaces a set of the policies | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
Enforcement_Radius_AAA_Profile¶
Configures a radius AAA profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Enforcement_Radius_AAA_Profile” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
parentProfile (Pointer_Enforcement_Radius_AAA_Profile) | {“bigip”:”/Common/radiusaaa”} | Specifies the name of the object to inherit the settings from | |
password (Enforcement_Radius_AAA_Profile_password) | The password of the RADIUS AAA profile for RADIUS server authentication | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
retransmissionTimeout (integer) | 5 | [0, 60] | The number of seconds to wait before resending authentication or accounting transaction messages to the RADIUS server |
sharedSecret (Enforcement_Radius_AAA_Profile_sharedSecret) | Specifies the shared secret of the RADIUS server used for authentication or accounting | ||
transactionTimeout (integer) | 30 | [5, 300] | The number of seconds to wait before resending authentication or accounting transaction messages to the RADIUS server |
Enforcement_Radius_AAA_Profile_password¶
Enforcement_Radius_AAA_Profile password possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the ‘protected’ property empty or do not modify its default value. The ‘protected’ property is a marker: a value changed from the default indicates that your secrets have been encrypted with SecureVault. For example, the default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (the encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’; use it with the secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
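The ‘protected’ marker described above decides whether ‘ciphertext’ is a SecureVault cryptogram or only a base64url encoding of the secret. The following is an added example, not part of the AS3 project or this reference: it decodes the JOSE header of every secret object in a declaration and reports which ones are merely encoded. The sample declaration, its tenant and object names, the secret values and the finding labels are constructed for illustration.

```python
import base64
import json

# Encoded JOSE headers quoted in the `protected` property description.
PROTECTED_PLAIN = "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
PROTECTED_SECUREVAULT = "eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0"


def b64url_decode(text):
    """Decode base64url text that may lack '=' padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data):
    """Encode bytes as unpadded base64url text."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jose_header(protected):
    """Return the JOSE header object carried in a `protected` value."""
    header = json.loads(b64url_decode(protected))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def find_secrets(node, path=""):
    """Yield (json_path, obj) for every object with a `ciphertext` property."""
    if isinstance(node, dict):
        if "ciphertext" in node:
            yield path, node
        for key, value in node.items():
            yield from find_secrets(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_secrets(value, f"{path}/{index}")


def audit(declaration):
    """Classify each secret by the `enc` value of its protected header."""
    findings = []
    for path, secret in find_secrets(declaration):
        # An omitted `protected` takes the schema default, which is enc=none.
        protected = secret.get("protected", PROTECTED_PLAIN)
        try:
            enc = jose_header(protected).get("enc", "none")
        except ValueError:  # bad base64, bad UTF-8 or bad JSON
            findings.append((path, "invalid-protected-header"))
            continue
        if enc == "none":
            findings.append((path, "encoded-only"))   # readable by anyone
        elif enc == "f5sv":
            findings.append((path, "securevault"))
        else:
            findings.append((path, f"unknown-enc:{enc}"))
    return findings


# Constructed sample declaration; all secret values are placeholders.
SAMPLE = {
    "Tenant1": {
        "App1": {
            "radiusProfile": {
                "class": "Enforcement_Radius_AAA_Profile",
                "sharedSecret": {
                    "ciphertext": b64url_encode(b"constructed-secret"),
                    "protected": PROTECTED_PLAIN,
                },
                "password": {
                    "ciphertext": b64url_encode(b"constructed-cryptogram"),
                    "protected": PROTECTED_SECUREVAULT,
                },
            },
            "otherProfile": {
                "class": "Enforcement_Radius_AAA_Profile",
                "sharedSecret": {"ciphertext": b64url_encode(b"no-header")},
                "password": {"ciphertext": "AAAA", "protected": "bm90LWpzb24"},
            },
        }
    }
}

if __name__ == "__main__":
    for json_path, status in audit(SAMPLE):
        print(f"{status:26} {json_path}")
```

Any secret reported as `encoded-only` is recoverable with a single base64url decode, so a declaration file that contains one needs the same handling as the cleartext secret.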
Enforcement_Rule¶
A rule to match traffic flows and apply actions
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
classificationFilters (array<Enforcement_Rule_Classification_Filter>) | Classification filters to apply to the traffic | ||
dscpMarkingDownlink (string | integer) | “pass-through” | “pass-through”, [0, 63] | Specifies whether to set DSCP bits in the IP header of outgoing traffic to the subscriber |
dscpMarkingUplink (string | integer) | “pass-through” | “pass-through”, [0, 63] | Specifies whether to set DSCP bits in the IP header of outgoing traffic to the network |
DTOSTethering (Enforcement_Rule_DTOS_Tethering) | {} | ||
flowInfoFilters (array<Enforcement_Rule_Flow_Filter>) | Flow information filters to apply to the traffic | ||
forwarding (Enforcement_Rule_Forwarding) | |||
gateStatusEnabled (boolean) | true | true, false | Specifies, when set to true, that the traffic can pass through the system without being changed. Select false to drop traffic that this rule applies to. |
insertContent (Enforcement_Rule_Insert_Content) | |||
interceptionEndpoint (Pointer_Enforcement_Interception_Endpoint) | |||
iRule (Pointer_Enforcement_iRule) | |||
l2MarkingDownlink (string | integer) | “pass-through” | “pass-through”, [0, 7] | Set Layer-2 Quality of Service Marking in downlink traffic that matches a rule. Setting a L2 QoS Marking affects the packet delivery priority. The range is 0 to 7, or pass-through. The default value is pass-through, indicating the L2 QoS Marking of the packet will not be changed when the packet matches the rule. |
l2MarkingUplink (string | integer) | “pass-through” | “pass-through”, [0, 7] | Set Layer-2 Quality of Service Marking in uplink traffic that matches a rule. Setting a L2 QoS marking affects the packet delivery priority. The range is 0 to 7, or pass-through. The default value is pass-through, indicating the L2 QoS Marking of the packet will not be changed when the packet matches the rule. |
modifyHttpHeader (Enforcement_Rule_Modify_HTTP_Header) | |||
name (string) | The name of the policy rule. | ||
precedence (integer) | [1, 4294967295] | Specifies an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence (lower numbers) are evaluated before other rules with lower precedence (higher numbers). | |
qoeReporting (Enforcement_Rule_Report_Destination_HSL) | |||
qosBandwidthControllerDownlink (Enforcement_Rule_QOS) | |||
qosBandwidthControllerUplink (Enforcement_Rule_QOS) | |||
quota (Enforcement_Rule_Quota) | |||
ranCongestion (Enforcement_Rule_Ran_Congestion) | |||
serviceChain (Pointer_Enforcement_Service_Chain_Endpoint) | |||
tclFilter (string) | Specifies the TCL expression which uses iRule commands to filter the packet. It is a match if tclFilter returns TRUE/1 or nomatch if FALSE/0. | ||
tcpAnalyticsEnabled (boolean) | false | true, false | Specifies the action to enable TCP analytics when the traffic flow matches the rule matching criteria |
tcpOptimizationDownlink (Pointer_TCP_Profile) | |||
tcpOptimizationUplink (Pointer_TCP_Profile) | |||
urlCategorizationFilters (array<Enforcement_Rule_URL_Categorization_Filter>) | URL categorization filters to apply to the traffic | ||
usageReporting (Enforcement_Rule_Usage_Reporting) |
Enforcement_Rule_Classification_Filter¶
Defines the category or application (Layer 7) conditions that the traffic must meet (or not meet) for this enforcement policy rule to apply
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
application (Pointer_Classification_Application) | |||
category (Pointer_Classification_Category) | |||
invertMatch (boolean) | false | true, false | Specifies that a traffic flow should not match the condition |
name (string) | The name of the classification filter. |
Enforcement_Rule_DTOS_Tethering¶
Specifies options for device type, operating system, and tethering detection
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
detectDtos (boolean) | false | true, false | Specifies the detection of the subscriber’s device and the operating system |
detectTethering (boolean) | false | true, false | Specifies if you want to enable detection of tethering |
reportDestinationHsl (Enforcement_Rule_Report_Destination_HSL) |
Enforcement_Rule_Flow_Filter¶
Defines the flow conditions (Layer 4) that the traffic must meet (or not meet) for this enforcement policy rule to apply
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
destinationAddress (string) | “0.0.0.0/0” | Matches traffic going to a destination address or network | |
destinationPort (integer) | 0 | [0, 65535] | Matches traffic headed to a destination port |
dscpMarking (integer | string) | “disabled” | Matches incoming traffic based on a value in the DSCP field in the IP header | |
invertMatch (boolean) | false | true, false | Specifies that a traffic flow should not match the condition |
ipAddressType (string) | “any” | “any”, “ipv4”, “ipv6” | Specifies the IP address type that this rule applies to |
name (string) | The name of the flow filter. | ||
protocol (string) | “any” | “any”, “tcp”, “udp” | Specifies the protocol of the traffic to which the rule applies |
sourceAddress (string) | “0.0.0.0/32” | Matches traffic coming from a source address or network | |
sourcePort (integer) | 0 | [0, 65535] | Matches traffic coming from a source port |
sourceVlan (Pointer_VLAN) | Matches incoming traffic from a VLAN |
Enforcement_Rule_Forwarding¶
Manages the forwarding action and its attributes
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
endpoint (Pointer_Enforcement_Forwarding_Endpoint) | |||
fallbackAction (string) | “drop” | “continue”, “drop” | Specifies if the connection can remain unchanged or should be dropped if the forwarding action fails for any reason |
icapService (Pointer_Service) | ICAP service to route to | ||
icapType (string) | “request”, “response”, “both” | Specifies the ICAP adaptation type | |
redirectUrl (string) | Specifies that traffic affected by this rule should be redirected to the specified URL | ||
type (string) | “icap”, “endpoint”, “route-to-network”, “http” | Specifies the type of forwarding action |
Enforcement_Rule_Forwarding_Endpoint¶
Specifies that the flow steers to a different destination
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
endpoint (Pointer_Enforcement_Forwarding_Endpoint) |
Enforcement_Rule_Forwarding_HTTP¶
Specifies that traffic affected by this rule should be redirected to the specified URL
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
redirectUrl (string) | Specifies that traffic affected by this rule should be redirected to the specified URL |
Enforcement_Rule_Forwarding_ICAP¶
Specifies that the flow forwards to the ICAP virtual server
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
icapService (Pointer_Service) | ICAP service to route to | ||
icapType (string) | “request”, “response”, “both” | Specifies the ICAP adaptation type |
Enforcement_Rule_Forwarding_Route_To_Network¶
Specifies that the system forwards the flow to the default destination
No properties
Enforcement_Rule_Insert_Content¶
Specifies the action to insert content into the webpage
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
duration (integer) | [1, 4294967295] | Specifies the periodicity of the insert action in seconds | |
frequency (string) | “always” | “always”, “once”, “once-every” | Specifies the number of content insertion actions per transaction |
position (string) | “append” | “append”, “prepend” | Specifies position with respect to the configured tagName |
tagName (string) | Specifies the tag name to which the content is either appended or prepended | ||
valueContent (string) | Specifies the value content to be inserted into the webpage | ||
valueType (string) | “string” | “string”, “tcl-snippet” | Specifies the type of content format used in the valueContent option |
Enforcement_Rule_Modify_HTTP_Header¶
Specifies the action to modify the HTTP header when the traffic flow matches the rule matching criteria
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
headerName (string) | Specifies the HTTP header name used by the operation option to modify the HTTP header | ||
operation (string) | “insert”, “remove” | Specifies the operation used to modify the HTTP header | |
valueContent (string) | Specifies the HTTP header value content used by the insert operation to modify the HTTP header | ||
valueType (string) | “string” | “string”, “tcl-snippet” | Specifies the type of content format used in the valueContent option |
Enforcement_Rule_QOS¶
Specifies a previously configured bandwidth control policy to apply to traffic that matches this rule
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
category (string) | Specifies a category of traffic within the bandwidth control policy to which to apply the rule. This option provides more specific rate control to a certain type of traffic. The category must be defined in the selected bandwidth control policy. | ||
policy (Pointer_Bandwidth_Control_Policy) |
Enforcement_Rule_Quota¶
Specify quota management options
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
ratingGroup (Pointer_Enforcement_Rating_Group) | |||
reportingLevel (string) | “rating-group” | “rating-group”, “service-id” | Specifies the quota reporting level |
Enforcement_Rule_Ran_Congestion¶
Detect congestion in the Radio Access Network
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
reportDestinationHsl (Enforcement_Rule_Report_Destination_HSL) | |||
threshold (integer) | 1000 | [0, 2147483647] | Specifies lower threshold bandwidth (in kbps) for a session to be marked as congested |
Enforcement_Rule_Report_Destination_HSL¶
Specifies report destination and format
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
formatScript (Pointer_Enforcement_Format_Script) | |||
highSpeedLogPublisher (Pointer_Log_Publisher) |
Enforcement_Rule_URL_Categorization_Filter¶
Defines the category of URL, which provides information about the content type requested by the subscriber
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
category (Pointer_Classification_Category) | Specifies which type of URL category you want the rule to affect | ||
invertMatch (boolean) | false | true, false | Specifies that a traffic flow should not match the condition |
name (string) | The name of the URL categorization filter. |
Enforcement_Rule_Usage_Gx¶
Sends usage monitoring data to a PCRF over a Gx interface
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
applicationReportingEnabled (boolean) | false | true, false | Report APPLICATION_START and APPLICATION_END Event-Triggers when the application start/stop is detected |
monitoringKey (string) | Specifies a string to use for usage monitoring indicating the portion of traffic that is accounted for in this dynamic policy and charging control (PCC) rule |
Enforcement_Rule_Usage_Hsl¶
Sends reporting data to remote HSL servers
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
flowReportingFields (array<string>) | “application-id”, “destination-ip”, “destination-transport-port”, “downlink-volume”, “flow-end-milli-seconds”, “flow-end-seconds”, “flow-start-milli-seconds”, “flow-start-seconds”, “observation-time-seconds”, “protocol-identifier”, “record-type”, “report-id”, “report-version”, “route-domain”, “source-ip”, “source-transport-port”, “subscriber-id”, “subscriber-id-type”, “timestamp-msec”, “total-transactions”, “uplink-volume”, “url-category-id”, “vlan-id” | Specifies the flow fields and their order based on which messages should be published | |
formatScript (Pointer_Enforcement_Format_Script) | |||
publisher (Pointer_Log_Publisher) | |||
sessionReportingFields (array<string>) | “3gpp-parameters”, “application-id”, “called-station-id”, “calling-station-id”, “concurrent-flows”, “downlink-volume”, “duration-seconds”, “last-record-sent”, “new-flows”, “observation-time-seconds”, “record-reason”, “record-type”, “report-id”, “report-version”, “subscriber-id”, “subscriber-id-type”, “successful-transactions”, “terminated-flows”, “timestamp-msec”, “total-transactions”, “uplink-volume” | Specifies the session fields and their order based on which messages should be published | |
transactionReportingFields (array<string>) | “application-id”, “destination-ip”, “destination-transport-port”, “downlink-volume”, “http-hostname”, “http-hostname-truncated”, “http-response-code”, “http-url”, “http-url-truncated”, “http-user-agent”, “http-user-agent-truncated”, “protocol-identifier”, “record-type”, “report-id”, “report-version”, “route-domain”, “skipped-transactions”, “source-ip”, “source-transport-port”, “subscriber-id”, “subscriber-id-type”, “transaction-classification-result”, “transaction-end-milli-seconds”, “transaction-end-seconds”, “transaction-number”, “transaction-start-milli-seconds”, “transaction-start-seconds”, “uplink-volume”, “url-category-id”, “vlan-id” | Specifies the transaction fields and their order based on which messages should be published |
Enforcement_Rule_Usage_Radius¶
Specifies a RADIUS internal virtual server as a reporting destination
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
radiusAAAService (Pointer_Service) |
Enforcement_Rule_Usage_Reporting¶
Send reporting data concerning traffic affected by this rule to either an external analytics system or to a PCRF over a Gx interface
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
applicationReportingEnabled (boolean) | false | true, false | Report APPLICATION_START and APPLICATION_END Event-Triggers when the application start/stop is detected |
destination (string) | “gx”, “sd”, “hsl”, “radius-accounting” | Specifies where to send the usage monitoring data | |
flowReportingFields (array<string>) | “application-id”, “destination-ip”, “destination-transport-port”, “downlink-volume”, “flow-end-milli-seconds”, “flow-end-seconds”, “flow-start-milli-seconds”, “flow-start-seconds”, “observation-time-seconds”, “protocol-identifier”, “record-type”, “report-id”, “report-version”, “route-domain”, “source-ip”, “source-transport-port”, “subscriber-id”, “subscriber-id-type”, “timestamp-msec”, “total-transactions”, “uplink-volume”, “url-category-id”, “vlan-id” | Specifies the flow fields and their order based on which messages should be published | |
formatScript (Pointer_Enforcement_Format_Script) | |||
granularity (string) | “session” | “flow”, “session”, “transaction” | Specifies the type of reporting that will be generated when the policy applies |
interval (integer) | 0 | [0, infinity] | Specifies the time interval when the report will be generated, in seconds. A value of 0 indicates this feature is disabled. |
monitoringKey (string) | Specifies a string to use for usage monitoring indicating the portion of traffic that is accounted for in this dynamic policy and charging control (PCC) rule | ||
publisher (Pointer_Log_Publisher) | |||
radiusAAAService (Pointer_Service) | |||
sessionReportingFields (array<string>) | “3gpp-parameters”, “application-id”, “called-station-id”, “calling-station-id”, “concurrent-flows”, “downlink-volume”, “duration-seconds”, “last-record-sent”, “new-flows”, “observation-time-seconds”, “record-reason”, “record-type”, “report-id”, “report-version”, “subscriber-id”, “subscriber-id-type”, “successful-transactions”, “terminated-flows”, “timestamp-msec”, “total-transactions”, “uplink-volume” | Specifies the session fields and their order based on which messages should be published | |
transaction (Enforcement_Rule_Usage_Reporting_Transaction) | |||
transactionReportingFields (array<string>) | “application-id”, “destination-ip”, “destination-transport-port”, “downlink-volume”, “http-hostname”, “http-hostname-truncated”, “http-response-code”, “http-url”, “http-url-truncated”, “http-user-agent”, “http-user-agent-truncated”, “protocol-identifier”, “record-type”, “report-id”, “report-version”, “route-domain”, “skipped-transactions”, “source-ip”, “source-transport-port”, “subscriber-id”, “subscriber-id-type”, “transaction-classification-result”, “transaction-end-milli-seconds”, “transaction-end-seconds”, “transaction-number”, “transaction-start-milli-seconds”, “transaction-start-seconds”, “uplink-volume”, “url-category-id”, “vlan-id” | Specifies the transaction fields and their order based on which messages should be published | |
volume (Enforcement_Rule_Usage_Reporting_Volume) |
Enforcement_Rule_Usage_Reporting_Transaction¶
Specifies policy enforcement configuration on transaction report for each HTTP transaction
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
hostname (integer) | 0 | [0, 65535] | Specifies the maximum HTTP hostname string length option to include in the HTTP transaction report |
uri (integer) | 256 | [0, 65535] | Specifies the maximum HTTP URI string length option to include in the HTTP transaction report |
userAgent (integer) | 0 | [0, 65535] | Specifies the maximum HTTP user agent string length to include in the HTTP transaction report |
Enforcement_Rule_Usage_Reporting_Volume¶
Configures volume threshold settings
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
downlink (integer) | 0 | [0, infinity] | Send reporting data if the number of octets to the client exceeds the threshold. A value of 0 indicates this feature is disabled. |
total (integer) | 0 | [0, infinity] | Send reporting data if the total number of octets both to and from the client exceeds the threshold. A value of 0 indicates this feature is disabled. |
uplink (integer) | 0 | [0, infinity] | Send reporting data if the number of octets from the client exceeds the threshold. A value of 0 indicates this feature is disabled. |
Enforcement_Rule_Usage_Sd¶
Sends usage monitoring data to a PCRF over an Sd interface
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
applicationReportingEnabled (boolean) | false | true, false | Report APPLICATION_START and APPLICATION_END Event-Triggers when the application start/stop is detected |
monitoringKey (string) | Specifies a string to use for usage monitoring indicating the portion of traffic that is accounted for in this dynamic policy and charging control (PCC) rule |
Enforcement_Service_Chain_Endpoint¶
Configures service chain endpoint definitions for the Policy Enforcement Manager (PEM)
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Enforcement_Service_Chain_Endpoint” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
serviceEndpoints (array<Enforcement_Service_Chain_Endpoint_Service_Endpoint>) | Specifies a list of forwarding endpoints that define where to send traffic on the way to its final destination. This way, the system can route traffic to other servers that can provide value-added services. Traffic goes to the endpoints in the order in which they are listed. |
Enforcement_Service_Chain_Endpoint_Service_Endpoint¶
Configures an individual service chain endpoint
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
forwardingEndpoint (Pointer_Enforcement_Forwarding_Endpoint) | |||
internalService (Pointer_Service) | Specifies the internal ICAP virtual server | ||
internalServiceICAPType (string) | “request”, “response”, “both”, “none” | Specifies the ICAP adaptation type. Select “request” to send only HTTP requests to ICAP server. Select “response” to send only HTTP responses to ICAP server. Select “both” to have both requests and responses. | |
name (string) | Specifies the name of the service endpoint to which the traffic is sent | ||
serviceOption (string) | “mandatory” | “mandatory”, “optional” | Specifies the service option in case the service endpoint is not accessible through the network, for forwarding endpoint. For ICAP service endpoint, the service endpoint works as a fallback action for non-HTTP traffic. Select “optional” if you want to skip the service endpoint. Select “mandatory” if you want all traffic flows dropped. |
sourceVLAN (Pointer_VLAN) | |||
steeringPolicy (Pointer_Enforcement_Policy) |
Enforcement_Subscriber_Management_Profile¶
Configures a subscriber management profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Enforcement_Subscriber_Management_Profile” | ||
dhcpLeaseQuery (Enforcement_Subscriber_Management_Profile_DHCP) | |||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
parentProfile (Pointer_Enforcement_Subscriber_Management_Profile) | {"bigip":"/Common/subscriber-mgmt"} | Specifies the name of the object to inherit the settings from | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
serverSideSessionsEnabled (boolean) | true | true, false | Specifies whether the system creates a session based on the server-side IP address when server-side traffic arrives
Enforcement_Subscriber_Management_Profile_DHCP¶
Configures DHCP lease query settings for a subscriber management profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
enabled (boolean) | true | true, false | Specifies whether subscriber management uses DHCP lease query to communicate with DHCP servers to obtain lease information for an unknown IP address, and creates a new policy enforcement session using the lease information received |
service (Pointer_Service) |
Enum_Continent_Code_Alpha_2¶
Enum values for Alpha-2 continent codes based on ISO 3166. Use two dashes (--) if Unknown
Type string with possible values: “--”, “AF”, “AN”, “AS”, “EU”, “NA”, “OC”, “SA”
Enum_Country_Analytics¶
Enum values for Analytics_Profile
Type string with possible values: “Afghanistan”, “Aland Islands”, “Albania”, “Algeria”, “American Samoa”, “Andorra”, “Angola”, “Anguilla”, “Anonymous Proxy”, “Antarctica”, “Antigua and Barbuda”, “Argentina”, “Armenia”, “Aruba”, “Asia/Pacific Region”, “Australia”, “Austria”, “Azerbaijan”, “Bahamas”, “Bahrain”, “Bangladesh”, “Barbados”, “Belarus”, “Belgium”, “Belize”, “Benin”, “Bermuda”, “Bhutan”, “Bolivia”, “Bonaire, Saint Eustatius and Saba”, “Bosnia and Herzegovina”, “Botswana”, “Bouvet Island”, “Brazil”, “British Indian Ocean Territory”, “Brunei Darussalam”, “Bulgaria”, “Burkina Faso”, “Burundi”, “Cambodia”, “Cameroon”, “Canada”, “Cape Verde”, “Cayman Islands”, “Central African Republic”, “Chad”, “Chile”, “China”, “Christmas Island”, “Cocos (Keeling) Islands”, “Colombia”, “Comoros”, “Congo”, “Congo, The Democratic Republic of the”, “Cook Islands”, “Costa Rica”, “Cote D’Ivoire”, “Croatia”, “Cuba”, “Cyprus”, “Czech Republic”, “Denmark”, “Djibouti”, “Dominica”, “Dominican Republic”, “Ecuador”, “Egypt”, “El Salvador”, “Equatorial Guinea”, “Eritrea”, “Estonia”, “Ethiopia”, “Europe”, “Falkland Islands (Malvinas)”, “Faroe Islands”, “Fiji”, “Finland”, “France”, “France, Metropolitan”, “French Guiana”, “French Polynesia”, “French Southern Territories”, “Gabon”, “Gambia”, “Georgia”, “Germany”, “Ghana”, “Gibraltar”, “Greece”, “Greenland”, “Grenada”, “Guadeloupe”, “Guam”, “Guatemala”, “Guernsey”, “Guinea”, “Guinea-Bissau”, “Guyana”, “Haiti”, “Heard Island and McDonald Islands”, “Holy See (Vatican City State)”, “Honduras”, “Hong Kong”, “Hungary”, “Iceland”, “India”, “Indonesia”, “Iran, Islamic Republic of”, “Iraq”, “Ireland”, “Isle of Man”, “Israel”, “Italy”, “Jamaica”, “Japan”, “Jersey”, “Jordan”, “Kazakhstan”, “Kenya”, “Kiribati”, “Korea, Democratic People’s Republic of”, “Korea, Republic of”, “Kuwait”, “Kyrgyzstan”, “Lao People’s Democratic Republic”, “Latvia”, “Lebanon”, “Lesotho”, “Liberia”, “Libyan Arab Jamahiriya”, “Liechtenstein”, “Lithuania”, “Luxembourg”, “Macau”, 
“Macedonia”, “Madagascar”, “Malawi”, “Malaysia”, “Maldives”, “Mali”, “Malta”, “Marshall Islands”, “Martinique”, “Mauritania”, “Mauritius”, “Mayotte”, “Mexico”, “Micronesia, Federated States of”, “Moldova, Republic of”, “Monaco”, “Mongolia”, “Montenegro”, “Montserrat”, “Morocco”, “Mozambique”, “Myanmar”, “Namibia”, “Nauru”, “Nepal”, “Netherlands”, “Netherlands Antilles”, “New Caledonia”, “New Zealand”, “Nicaragua”, “Niger”, “Nigeria”, “Niue”, “Norfolk Island”, “Northern Mariana Islands”, “Norway”, “Oman”, “Other”, “Pakistan”, “Palau”, “Palestinian Territory”, “Panama”, “Papua New Guinea”, “Paraguay”, “Peru”, “Philippines”, “Pitcairn Islands”, “Poland”, “Portugal”, “Puerto Rico”, “Qatar”, “Reunion”, “Romania”, “Russian Federation”, “Rwanda”, “Saint Barthelemy”, “Saint Helena”, “Saint Kitts and Nevis”, “Saint Lucia”, “Saint Martin”, “Saint Pierre and Miquelon”, “Saint Vincent and the Grenadines”, “Samoa”, “San Marino”, “Sao Tome and Principe”, “Satellite Provider”, “Saudi Arabia”, “Senegal”, “Serbia”, “Seychelles”, “Sierra Leone”, “Singapore”, “Slovakia”, “Slovenia”, “Solomon Islands”, “Somalia”, “South Africa”, “South Georgia and the South Sandwich Islands”, “Spain”, “Sri Lanka”, “Sudan”, “Suriname”, “Svalbard and Jan Mayen”, “Swaziland”, “Sweden”, “Switzerland”, “Syrian Arab Republic”, “Taiwan”, “Tajikistan”, “Tanzania, United Republic of”, “Thailand”, “Timor-Leste”, “Togo”, “Tokelau”, “Tonga”, “Trinidad and Tobago”, “Tunisia”, “Turkey”, “Turkmenistan”, “Turks and Caicos Islands”, “Tuvalu”, “Uganda”, “Ukraine”, “United Arab Emirates”, “United Kingdom”, “United States”, “United States Minor Outlying Islands”, “Unknown”, “Uruguay”, “Uzbekistan”, “Vanuatu”, “Venezuela”, “Vietnam”, “Virgin Islands, British”, “Virgin Islands, U.S.”, “Wallis and Futuna”, “Western Sahara”, “Yemen”, “Zambia”, “Zimbabwe”
Enum_Country_Code_Alpha_2¶
Enum values for Alpha-2 country codes based on ISO 3166. Use two dashes (--) if Unknown
Type string with possible values: “--”, “A1”, “A2”, “AD”, “AE”, “AF”, “AG”, “AI”, “AL”, “AM”, “AN”, “AO”, “AP”, “AQ”, “AR”, “AS”, “AT”, “AU”, “AW”, “AX”, “AZ”, “BA”, “BB”, “BD”, “BE”, “BF”, “BG”, “BH”, “BI”, “BJ”, “BL”, “BM”, “BN”, “BO”, “BQ”, “BR”, “BS”, “BT”, “BV”, “BW”, “BY”, “BZ”, “CA”, “CC”, “CD”, “CF”, “CG”, “CH”, “CI”, “CK”, “CL”, “CM”, “CN”, “CO”, “CR”, “CU”, “CV”, “CX”, “CY”, “CZ”, “DE”, “DJ”, “DK”, “DM”, “DO”, “DZ”, “EC”, “EE”, “EG”, “EH”, “ER”, “ES”, “ET”, “EU”, “FI”, “FJ”, “FK”, “FM”, “FO”, “FR”, “FX”, “GA”, “GB”, “GD”, “GE”, “GF”, “GG”, “GH”, “GI”, “GL”, “GM”, “GN”, “GP”, “GQ”, “GR”, “GS”, “GT”, “GU”, “GW”, “GY”, “HK”, “HM”, “HN”, “HR”, “HT”, “HU”, “ID”, “IE”, “IL”, “IM”, “IN”, “IO”, “IQ”, “IR”, “IS”, “IT”, “JE”, “JM”, “JO”, “JP”, “KE”, “KG”, “KH”, “KI”, “KM”, “KN”, “KP”, “KR”, “KW”, “KY”, “KZ”, “LA”, “LB”, “LC”, “LI”, “LK”, “LR”, “LS”, “LT”, “LU”, “LV”, “LY”, “MA”, “MC”, “MD”, “ME”, “MF”, “MG”, “MH”, “MK”, “ML”, “MM”, “MN”, “MO”, “MP”, “MQ”, “MR”, “MS”, “MT”, “MU”, “MV”, “MW”, “MX”, “MY”, “MZ”, “NA”, “NC”, “NE”, “NF”, “NG”, “NI”, “NL”, “NO”, “NP”, “NR”, “NU”, “NZ”, “O1”, “OM”, “PA”, “PE”, “PF”, “PG”, “PH”, “PK”, “PL”, “PM”, “PN”, “PR”, “PS”, “PT”, “PW”, “PY”, “QA”, “RE”, “RO”, “RS”, “RU”, “RW”, “SA”, “SB”, “SC”, “SD”, “SE”, “SG”, “SH”, “SI”, “SJ”, “SK”, “SL”, “SM”, “SN”, “SO”, “SR”, “ST”, “SV”, “SY”, “SZ”, “TC”, “TD”, “TF”, “TG”, “TH”, “TJ”, “TK”, “TL”, “TM”, “TN”, “TO”, “TR”, “TT”, “TV”, “TW”, “TZ”, “UA”, “UG”, “UM”, “US”, “UY”, “UZ”, “VA”, “VC”, “VE”, “VG”, “VI”, “VN”, “VU”, “WF”, “WS”, “YE”, “YT”, “ZA”, “ZM”, “ZW”
Enum_ISP¶
Enum values for Internet Service Providers (ISP)
Type string with possible values: “AOL”, “BeijingCNC”, “ChinaEducationNetwork”, “ChinaMobilNetwork”, “ChinaRailwayTelcom”, “ChinaTelecom”, “ChinaUnicom”, “CNC”, “Comcast”, “Earthlink”, “ShanghaiCNC”, “ShanghaiTelecom”
Enum_Protocols_Idle_Timeout_Policy¶
Enum values for Idle_Timeout_Policy protocols
Type string with possible values: “3pc”, “a/n”, “ah”, “all-other”, “argus”, “aris”, “ax.25”, “bbn-rcc”, “bna”, “br-sat-mon”, “cbt”, “cftp”, “chaos”, “compaq-peer”, “cphb”, “cpnx”, “crdup”, “crtp”, “dccp”, “dcn”, “ddp”, “ddx”, “dgp”, “dsr”, “egp”, “eigrp”, “emcon”, “encap”, “esp”, “etherip”, “fc”, “fire”, “ggp”, “gmtp”, “gre”, “hip”, “hmp”, “hopopt”, “i-nlsp”, “iatp”, “icmp”, “idpr”, “idpr-cmtp”, “idrp”, “ifmp”, “igmp”, “igp”, “il”, “ip”, “ipcomp”, “ipcv”, “ipencap”, “ipip”, “iplt”, “ippc”, “ipv4”, “ipv6”, “ipv6-auth”, “ipv6-crypt”, “ipv6-frag”, “ipv6-icmp”, “ipv6-nonxt”, “ipv6-opts”, “ipv6-route”, “ipx-in-ip”, “irtp”, “isis”, “iso-ip”, “iso-tp4”, “kryptolan”, “l2tp”, “larp”, “leaf-1”, “leaf-2”, “manet”, “merit-inp”, “mfe-nsp”, “micp”, “mobile”, “mobility-header”, “mpls-in-ip”, “mtp”, “mux”, “narp”, “netblt”, “nsfnet-igp”, “nvp”, “ospf”, “pgm”, “pim”, “pipe”, “pnni”, “prm”, “ptp”, “pup”, “pvp”, “qnx”, “rdp”, “rohc”, “rsvp”, “rspv-e2e-ignore”, “rvd”, “sat-expak”, “sat-mon”, “scc-sp”, “scps”, “sctp”, “sdrp”, “secure-vmtp”, “shim6”, “skip”, “sm”, “smp”, “snp”, “sprite-rpc”, “sps”, “srp”, “sscopmce”, “st”, “stp”, “sun-nd”, “swipe”, “tcf”, “tcp”, “tlsp”, “tp++”, “trunk-1”, “trunk-2”, “ttp”, “udp”, “udplite”, “uti”, “vines”, “visa”, “vmtp”, “vrrp”, “wb-expak”, “wb-mon”, “wesp”, “wsn”, “xnet”, “xns-idp”, “xtp”
F5_String¶
The value can be either a string, text property, base64 property, url property, etc.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
base64 (Property_Base64) | |||
copyFrom (Pointer_Copy_From) | |||
text (Property_Text) | |||
url (Resource_URL) |
Firewall_Address_List¶
Declares an address-list for use by firewall rules. An address list is a list of IP-address prefixes to compare against the source-IP address and/or destination-IP address in an IP packet
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addresses (array<string | Firewall_Address_List_addresses>) | A list of IPv4 and IPv6 addresses and address ranges. You can specify a network with CIDR slash notation. | ||
addressLists (array<Pointer_Firewall_Address_List>) | A list of other address lists (each by BIG-IP AS3 pointer or BIG-IP pathname). | ||
class (string) | “Firewall_Address_List” | ||
fqdns (array<string>) | A list of fully qualified domain names. | ||
geo (array<string>) | A list of geographic locations (for example, US:Washington). | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
Firewall_Address_List_addresses¶
Possible properties of a Firewall_Address_List addresses entry when the entry is an object
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
accessKeyId (string) | Information for discovering AWS nodes that are not in the same region as your BIG-IP (also requires the secretAccessKey field) | ||
addressDiscovery (string) | “event”, “aws”, “gce”, “azure”, “consul” | Selects how server (node) addresses are discovered | |
addressRealm (string) | “private” | “public”, “private” | Specifies whether to look for public or private IP addresses |
apiAccessKey (string | Secret) | Azure registered application API access key (AKA service principal secret). Will be stored in the declaration in an encrypted format. | ||
applicationId (string) | Azure registered application ID (AKA client ID) | ||
credentialUpdate (boolean) | false | true, false | Specifies whether you are updating your credentials |
directoryId (string) | Azure Active Directory ID (AKA tenant ID) | ||
encodedCredentials (string | Secret) | Base 64 encoded service account credentials JSON | ||
encodedToken (string | Secret) | Base 64 encoded bearer token to make requests to the Consul API. Will be stored in the declaration in an encrypted format. | ||
environment (string) | “Azure” | Azure environment name. Required if environment should not be determined by instance metadata. | |
externalId (string) | External Id | ||
jmesPathQuery (string) | Custom JMESPath Query | ||
minimumMonitors (integer) | 1 | [-infinity, infinity] | |
projectId (string) | For Google Cloud Engine (GCE) only: The ID of the project in which the members are located | ||
region (string) | “” | Empty string (default) means region in which ADC is running | |
rejectUnauthorized (boolean) | true | true, false | If true, the server certificate is verified against the list of supplied/default CAs when making requests to the Consul API. |
resourceGroup (string) | Azure Resource Group name | ||
resourceId (string) | ID of resource to find nodes by. | ||
resourceType (string) | “tag”, “scaleSet” | Type of resource identified by resourceId. This can be used in place of tagKey/tagValue. | |
roleARN (string) | Assume a role (also requires the externalId field) | ||
secretAccessKey (string | Secret) | Will be stored in the declaration as an encrypted string | ||
subscriptionId (string) | Azure subscription ID | ||
tagKey (string) | The tag key associated with the node to add to this pool | ||
tagValue (string) | The tag value associated with the node to add to this pool | ||
trustCA (Pointer_CA_Bundle) | CA Bundle to validate server certificates | ||
undetectableAction (string) | “remove” | “disable”, “remove” | Action to take when node cannot be detected |
updateInterval (integer) | 60 | [1, 3600] | Server-discovery update interval (seconds) |
uri (string) | The location of the node data | ||
useManagedIdentity (boolean) | false | true, false | Use Azure managed identity rather than directoryId, applicationId, and apiAccessKey |
Firewall_Policy¶
Configures firewall policy
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Firewall_Policy” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
routeDomainEnforcement (array<Pointer_Route_Domain>) | Specifies Route Domains to enforce this policy on. Rules of this policy will be enforced on the Route Domains. If setting this property, the Firewall_Policy must be defined in /Common/Shared. | ||
rules (array<Pointer_Firewall_Rule_List | Firewall_Rule>) | -, - | A list of firewall policy rules |
Firewall_Port_List¶
Declares a port-list for use by firewall rules. A firewall rule can match a packet’s source port or destination port against one of the ports in a port list, and can take some action (such as ACCEPT or DROP) for a matching packet.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Firewall_Port_List” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
portLists (array<Firewall_Port_List_portLists>) | A list of other port lists (each by BIG-IP AS3 pointer or BIG-IP pathname). | ||
ports (array<integer | string>) | [-infinity, infinity] | A list of ports and port ranges (for example, 80, “8080-8090”). | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
Firewall_Port_List_portLists¶
Possible properties of a Firewall_Port_List portLists entry when the entry is an object
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP firewall port list | |
use (string) | BIG-IP AS3 pointer to firewall port list declaration |
Firewall_Rule¶
Declares a network firewall rule.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
action (string) | “accept”, “drop”, “accept-decisively”, “reject” | Specifies the action that the firewall rule will take on matching packets. | |
destination (Firewall_Rule_Destination) | |||
iRule (Firewall_Rule_iRule) | Specifies the name of the iRule (by BIG-IP AS3 pointer or BIG-IP pathname) that the system will trigger when a packet matches the firewall rule. | ||
iRuleSampleRate (integer) | [-infinity, infinity] | Specifies the rate at which the system will trigger the specified iRule when a packet matches this firewall rule. The default value is 1 and causes the system to trigger the iRule for every packet that matches. A value of 0 disables iRule triggering. | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
loggingEnabled (boolean) | false | true, false | Specifies whether the system enables or disables logging for the firewall rule. |
name (string) | The name of the firewall rule. | ||
protocol (string) | “any” | “3pc”, “a/n”, “ah”, “any”, “argus”, “aris”, “ax.25”, “bbn-rcc”, “bna”, “br-sat-mon”, “cbt”, “cftp”, “chaos”, “compaq-peer”, “cphb”, “cpnx”, “crdup”, “crtp”, “dccp”, “dcn”, “ddp”, “ddx”, “dgp”, “dsr”, “egp”, “eigrp”, “emcon”, “encap”, “esp”, “etherip”, “fc”, “fire”, “ggp”, “gmtp”, “gre”, “hip”, “hmp”, “hopopt”, “i-nlsp”, “iatp”, “icmp”, “idpr”, “idpr-cmtp”, “idrp”, “ifmp”, “igmp”, “igp”, “il”, “ip”, “ipcomp”, “ipcv”, “ipip”, “iplt”, “ippc”, “ipv4”, “ipv6”, “ipv6-auth”, “ipv6-crypt”, “ipv6-frag”, “ipv6-icmp”, “ipv6-nonxt”, “ipv6-opts”, “ipv6-route”, “ipx-in-ip”, “irtp”, “isis”, “iso-ip”, “iso-tp4”, “kryptolan”, “l2tp”, “larp”, “leaf-1”, “leaf-2”, “manet”, “merit-inp”, “mfe-nsp”, “micp”, “mobile”, “mobility-header”, “mpls-in-ip”, “mtp”, “mux”, “narp”, “netblt”, “nsfnet-igp”, “nvp”, “ospf”, “pgm”, “pim”, “pipe”, “pnni”, “prm”, “ptp”, “pup”, “pvp”, “qnx”, “rdp”, “rohc”, “rsvp”, “rsvp-e2e-ignore”, “rvd”, “sat-expak”, “sat-mon”, “scc-sp”, “scps”, “sctp”, “sdrp”, “secure-vmtp”, “shim6”, “skip”, “sm”, “smp”, “snp”, “sprite-rpc”, “sps”, “srp”, “sscopmce”, “st”, “stp”, “sun-nd”, “swipe”, “tcf”, “tcp”, “tlsp”, “tp++”, “trunk-1”, “trunk-2”, “ttp”, “udp”, “udplite”, “uti”, “vines”, “visa”, “vmtp”, “vrrp”, “wb-expak”, “wb-mon”, “wesp”, “wsn”, “xnet”, “xns-idp”, “xtp” | Specifies the protocol to which the firewall rule applies |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
source (Firewall_Rule_Source) |
Firewall_Rule_iRule¶
Firewall_Rule iRule possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP iRule | |
use (string) | BIG-IP AS3 pointer to iRule declaration |
Firewall_Rule_Destination¶
Declares the packet destinations to which the network firewall rule applies.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addresses (array<string>) | A list of IPv4 and IPv6 addresses and address ranges. You can specify a network with CIDR slash notation. | ||
addressLists (array<Pointer_Firewall_Address_List>) | A list of address lists (each by BIG-IP AS3 pointer or BIG-IP pathname). | ||
portLists (array<Firewall_Rule_Destination_portLists>) | A list of port lists (each by BIG-IP AS3 pointer or BIG-IP pathname). | ||
ports (array<string>) | A list of ports and port ranges. |
Firewall_Rule_Destination_portLists¶
Possible properties of a Firewall_Rule_Destination portLists entry when the entry is an object
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP firewall port list | |
use (string) | BIG-IP AS3 pointer to firewall port list declaration |
Firewall_Rule_List¶
Declares a list of network firewall rules. You can reuse a rule list in multiple firewalls, such as the firewalls for self IPs, routing domains, and the global firewall.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Firewall_Rule_List” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
rules (array<Firewall_Rule>) | A list of network firewall rules. |
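The label and remark constraints in the table above, as an added example (not F5's code): a lint that walks a parsed declaration, checks every label and remark against the documented pattern and the 0-64 length limit, and flags remark values carrying HTML-significant characters, which the remark pattern permits. The patterns are written with the `\x` escapes that the hex codes in the table denote; the function names and the sample declaration are constructed, and the sample is trimmed to the fields the lint reads.

```python
import html
import re

# Patterns from the schema table, with the \x escapes the hex codes denote.
LABEL_RE = re.compile(r"[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*")
REMARK_RE = re.compile(r"[^\x00-\x1f\x22\x5c\x7f]*")
MAX_LEN = 64  # "Allows 0-64 chars"

# Characters the remark pattern lets through that matter in an HTML context.
HTML_SIGNIFICANT = set("<>&'")


def lint_text_fields(node, path="$"):
    """Walk a parsed declaration and return (path, field, problem) tuples."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in ("label", "remark") and isinstance(value, str):
                pattern = LABEL_RE if key == "label" else REMARK_RE
                if len(value) > MAX_LEN:
                    findings.append((child, key, "too-long"))
                # fullmatch, not match with '$': in Python '$' also matches
                # just before a trailing newline, which would let "ok\n" pass.
                if not pattern.fullmatch(value):
                    findings.append((child, key, "pattern-mismatch"))
                elif key == "remark" and HTML_SIGNIFICANT & set(value):
                    # Valid per the schema, but unsafe to place in HTML as-is.
                    findings.append((child, key, "html-significant"))
            else:
                findings.extend(lint_text_fields(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(lint_text_fields(item, f"{path}[{index}]"))
    return findings


def render_remark(value):
    """Encode a remark for an HTML context; the schema does not do this."""
    return html.escape(value, quote=True)


# Constructed sample, not a complete deployable declaration.
SAMPLE = {
    "class": "Firewall_Rule_List",
    "label": "edge <allow> list",  # '<' and '>' are excluded from label
    "remark": "Owner: netsec",
    "rules": [
        {
            "protocol": "tcp",
            "remark": "<script>alert(1)</script>",  # passes the remark pattern
            "destination": {"ports": ["443"]},
        },
        {
            "protocol": "udp",
            "remark": 'dns "resolver"',  # double-quote is excluded
            "source": {"addresses": ["192.0.2.0/24"]},
        },
        {"protocol": "tcp", "remark": "ok\n"},  # trailing control character
    ],
}

if __name__ == "__main__":
    for finding in lint_text_fields(SAMPLE):
        print(finding)
    print(render_remark(SAMPLE["rules"][0]["remark"]))
```

A remark that passes the pattern can still contain markup, so any tool that displays remarks in a web page needs output encoding such as `render_remark`.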
Firewall_Rule_Source¶
Declares the packet sources to which the network firewall rule applies.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addresses (array<string>) | A list of IPv4 and IPv6 addresses and address ranges. You can specify a network with CIDR slash notation. | ||
addressLists (array<Pointer_Firewall_Address_List>) | A list of address lists (each by BIG-IP AS3 pointer or BIG-IP pathname). | ||
portLists (array<Firewall_Rule_Source_portLists>) | A list of port lists (each by BIG-IP AS3 pointer or BIG-IP pathname). | ||
ports (array<string>) | A list of ports and port ranges. | ||
vlans (array<reference>) | A list of VLANs by BIG-IP pathname |
Firewall_Rule_Source_portLists¶
Firewall_Rule_Source portLists possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP firewall port list | |
use (string) | BIG-IP AS3 pointer to firewall port list declaration |
FIX_Profile¶
Configures a Financial Information eXchange Protocol (FIX) profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “FIX_Profile” | ||
errorAction (string) | “dont-forward” | “dont-forward”, “drop-connection” | Specifies the error handling method |
fullLogonParsingEnabled (boolean) | true | true, false | Specifies whether logon messages are always fully parsed. Other messages are parsed according to the configuration of Quick Parsing |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
messageLogPublisher (Pointer_Log_Publisher) | Specifies the publisher for message logging | ||
parentProfile (Pointer_FIX_Profile) | {"bigip":"/Common/fix"} | Specifies the name of the profile object to inherit the settings from | |
quickParsingEnabled (boolean) | false | true, false | Enables or disables quick parsing which parses the basic standard fields and validates message length and checksum |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
reportLogPublisher (Pointer_Log_Publisher) | Specifies the publisher for error messages and status reports | ||
responseParsingEnabled (boolean) | false | true, false | Enables or disables response parsing which parses the messages from the FIX server. Applies the same parser configuration and error handling at server side as at client side. If not enabled, server side messages are directly passed through |
senderTagMappingList (array<Sender_Tag_Mapping>) | Specifies the mappings between sender ID and tag substitution data group. | ||
statisticsSampleInterval (integer) | 20 | [10, 4294967295] | Specifies the sample interval of the message rate in seconds |
FTP_Profile¶
File Transfer Protocol (FTP) profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
activeModeEnabled (boolean) | true | true, false | Specifies if the profile should allow FTP active transfer mode |
algLogProfile (reference | Pointer_ALG_Log_Profile) | ALG log profile pointer | ||
class (string) | “FTP_Profile” | ||
enforceTlsSessionReuseEnabled (boolean) | false | true, false | Enforce data connection to reuse TLS session |
ftpsMode (string) | “disallow” | “disallow”, “allow”, “require” | Specifies the policy for explicit FTPS negotiation on FTP command channel |
inheritParentProfileEnabled (boolean) | false | true, false | Specifies if the FTP data channel should inherit the TCP profile used by the control channel |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
logPublisher (reference | Pointer_Log_Publisher) | Log publisher pointer | ||
port (integer) | 20 | [0, 65535] | Specifies a service for the data channel port used for this profile |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
securityEnabled (boolean) | false | true, false | Specifies whether to enable or disable secure FTP traffic for the BIG-IP Application Security Manager |
translateExtendedEnabled (boolean) | true | true, false | Specifies if the profile should automatically translate RFC2428 extended requests EPSV and EPRT to PASV and PORT when communicating with IPv4 servers |
GSLB_Data_Center¶
Declares a GSLB Data Center configuration
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “GSLB_Data_Center” | ||
contact (string) | Specifies the name of the administrator or the name of the department that manages the data center | ||
enabled (boolean) | true | true, false | Specifies whether the data center is enabled or disabled |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
location (string) | Specifies the location of the data center | ||
proberFallback (string) | “any-available” | “any-available”, “inside-datacenter”, “none”, “outside-datacenter”, “pool” | Specifies the type of prober to use to monitor servers defined in this data center when the preferred type is not available. The default value is any-available |
proberPool (Pointer_GSLB_Prober_Pool) | |||
proberPreferred (string) | “inside-datacenter” | “inside-datacenter”, “outside-datacenter”, “pool” | Specifies the type of prober to use to monitor servers defined in this data center. The default value is inside-datacenter. Note: Prober pools are not used by the bigip monitor |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
GSLB_Domain¶
Configures GSLB (Global Server Load Balancing) settings for a domain.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
aliases (array<string>) | List of alternate domain names. Each may include wildcard characters. | ||
class (string) | “GSLB_Domain” | ||
clientSubnetPreferred (boolean) | false | true, false | Specifies that this domain should use the edns0 client subnet option when using topology load balancing. If the query does not contain a client subnet option, the system will fall back to the default option of using the source address. |
domainName (string) | The name of the domain for the site content you are load balancing. If you have many domains, you can use two different wildcard characters, * and ?, to represent one or more characters in the domain alias, which reduces the number of aliases you have to add to the configuration | ||
enabled (boolean) | true | true, false | When true (default), the system can use the domain and its resources for load balancing requests |
failureRcode (string) | “noerror” | “formerr”, “noerror”, “notimpl”, “nxdomain”, “refused”, “servfail” | Specifies the DNS RCODE used when failure-rcode-response is enabled |
failureRcodeResponse (boolean) | false | true, false | Specifies whether RCODE responses are enabled |
failureRcodeTtl (integer) | 0 | [0, infinity] | Specifies the negative caching TTL of the SOA for the RCODE response |
iRules (array<string | GSLB_Domain_iRules>) | -, - | List of GSLB iRules for this GSLB Domain (order is significant) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
lastResortPool (Pointer_GSLB_Pool) | Specifies the pools this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
lastResortPoolType (string) | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | This is used to specify the type of pool being used for the lastResortPool | |
loadBalancingDecisionLogVerbosity (array<string>) | “pool-selection”, “pool-traversal”, “pool-member-selection”, “pool-member-traversal” | Specifies the amount of detail logged when making load balancing decisions. This is used for debugging purposes only. Performance will be affected if any value is set. Please reset after debugging is finished. | |
persistCidrIpv4 (integer) | 32 | [0, 32] | Specifies a mask used to group IPv4 LDNS addresses. |
persistCidrIpv6 (integer) | 128 | [0, 128] | Specifies a mask used to group IPv6 LDNS addresses. |
persistenceEnabled (boolean) | false | true, false | Specifies that when a local DNS server makes repetitive requests on behalf of a client, the system reconnects the client to the same resource as previous requests. Set to true to enable. |
poolLbMode (string) | “round-robin” | “global-availability”, “ratio”, “round-robin”, “topology” | Specifies the load balancing method used to select a pool in this domain |
pools (array<GSLB_Domain_pools>) | Specifies the pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
poolsCname (array<Pointer_GSLB_Pool>) | Specifies the cname pools this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
resourceRecordType (string) | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | Specifies the type of resource records for this domain | |
ttlPersistence (integer) | 3600 | [0, 4294967295] | Specifies, in seconds, the length of time for which a persistence entry is valid. |
GSLB_Domain_iRules¶
GSLB_Domain iRules possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GTM iRule | |
use (string) | BIG-IP AS3 pointer to GSLB_iRule (declared separately) |
GSLB_Domain_pools¶
GSLB_Domain pools possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
ratio (integer) | 1 | [-infinity, infinity] | Ratio weight assigned to GSLB pool |
use (string) | BIG-IP AS3 pointer to GSLB Pool declaration |
GSLB_Domain_A¶
Configures GSLB (Global Server Load Balancing) settings for A domain.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
aliases (array<string>) | List of alternate domain names. Each may include wildcard characters. | ||
class (string) | “GSLB_Domain” | ||
clientSubnetPreferred (boolean) | false | true, false | Specifies that this domain should use the edns0 client subnet option when using topology load balancing. If the query does not contain a client subnet option, the system will fall back to the default option of using the source address. |
domainName (string) | The name of the domain for the site content you are load balancing. If you have many domains, you can use two different wildcard characters, * and ?, to represent one or more characters in the domain alias, which reduces the number of aliases you have to add to the configuration | ||
enabled (boolean) | true | true, false | When true (default), the system can use the domain and its resources for load balancing requests |
failureRcode (string) | “noerror” | “formerr”, “noerror”, “notimpl”, “nxdomain”, “refused”, “servfail” | Specifies the DNS RCODE used when failure-rcode-response is enabled |
failureRcodeResponse (boolean) | false | true, false | Specifies whether RCODE responses are enabled |
failureRcodeTtl (integer) | 0 | [0, infinity] | Specifies the negative caching TTL of the SOA for the RCODE response |
iRules (array<string | GSLB_Domain_A_iRules>) | -, - | List of GSLB iRules for this GSLB Domain (order is significant) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
lastResortPool (Pointer_GSLB_Pool) | Specifies the pools this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
lastResortPoolType (string) | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | This is used to specify the type of pool being used for the lastResortPool | |
loadBalancingDecisionLogVerbosity (array<string>) | “pool-selection”, “pool-traversal”, “pool-member-selection”, “pool-member-traversal” | Specifies the amount of detail logged when making load balancing decisions. This is used for debugging purposes only. Performance will be affected if any value is set. Please reset after debugging is finished. | |
persistCidrIpv4 (integer) | 32 | [0, 32] | Specifies a mask used to group IPv4 LDNS addresses. |
persistCidrIpv6 (integer) | 128 | [0, 128] | Specifies a mask used to group IPv6 LDNS addresses. |
persistenceEnabled (boolean) | false | true, false | Specifies that when a local DNS server makes repetitive requests on behalf of a client, the system reconnects the client to the same resource as previous requests. Set to true to enable. |
poolLbMode (string) | “round-robin” | “global-availability”, “ratio”, “round-robin”, “topology” | Specifies the load balancing method used to select a pool in this domain |
pools (array<GSLB_Domain_A_pools>) | Specifies the pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
poolsCname (array<Pointer_GSLB_Pool>) | Specifies the cname pools this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
resourceRecordType (string) | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | Specifies the type of resource records for this domain | |
ttlPersistence (integer) | 3600 | [0, 4294967295] | Specifies, in seconds, the length of time for which a persistence entry is valid. |
GSLB_Domain_A_iRules¶
GSLB_Domain_A iRules possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GTM iRule | |
use (string) | BIG-IP AS3 pointer to GSLB_iRule (declared separately) |
GSLB_Domain_A_pools¶
GSLB_Domain_A pools possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
ratio (integer) | 1 | [-infinity, infinity] | Ratio weight assigned to GSLB pool |
use (string) | BIG-IP AS3 pointer to GSLB Pool declaration |
GSLB_Domain_AAAA¶
Configures GSLB (Global Server Load Balancing) settings for AAAA domain.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
aliases (array<string>) | List of alternate domain names. Each may include wildcard characters. | ||
class (string) | “GSLB_Domain” | ||
clientSubnetPreferred (boolean) | false | true, false | Specifies that this domain should use the edns0 client subnet option when using topology load balancing. If the query does not contain a client subnet option, the system will fall back to the default option of using the source address. |
domainName (string) | The name of the domain for the site content you are load balancing. If you have many domains, you can use two different wildcard characters, * and ?, to represent one or more characters in the domain alias, which reduces the number of aliases you have to add to the configuration | ||
enabled (boolean) | true | true, false | When true (default), the system can use the domain and its resources for load balancing requests |
failureRcode (string) | “noerror” | “formerr”, “noerror”, “notimpl”, “nxdomain”, “refused”, “servfail” | Specifies the DNS RCODE used when failure-rcode-response is enabled |
failureRcodeResponse (boolean) | false | true, false | Specifies whether RCODE responses are enabled |
failureRcodeTtl (integer) | 0 | [0, infinity] | Specifies the negative caching TTL of the SOA for the RCODE response |
iRules (array<string | GSLB_Domain_AAAA_iRules>) | -, - | List of GSLB iRules for this GSLB Domain (order is significant) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
lastResortPool (Pointer_GSLB_Pool) | Specifies the pools this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
lastResortPoolType (string) | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | This is used to specify the type of pool being used for the lastResortPool | |
loadBalancingDecisionLogVerbosity (array<string>) | “pool-selection”, “pool-traversal”, “pool-member-selection”, “pool-member-traversal” | Specifies the amount of detail logged when making load balancing decisions. This is used for debugging purposes only. Performance will be affected if any value is set. Please reset after debugging is finished. | |
persistCidrIpv4 (integer) | 32 | [0, 32] | Specifies a mask used to group IPv4 LDNS addresses. |
persistCidrIpv6 (integer) | 128 | [0, 128] | Specifies a mask used to group IPv6 LDNS addresses. |
persistenceEnabled (boolean) | false | true, false | Specifies that when a local DNS server makes repetitive requests on behalf of a client, the system reconnects the client to the same resource as previous requests. Set to true to enable. |
poolLbMode (string) | “round-robin” | “global-availability”, “ratio”, “round-robin”, “topology” | Specifies the load balancing method used to select a pool in this domain |
pools (array<GSLB_Domain_AAAA_pools>) | Specifies the pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
poolsCname (array<Pointer_GSLB_Pool>) | Specifies the cname pools this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
resourceRecordType (string) | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | Specifies the type of resource records for this domain | |
ttlPersistence (integer) | 3600 | [0, 4294967295] | Specifies, in seconds, the length of time for which a persistence entry is valid. |
GSLB_Domain_AAAA_iRules¶
GSLB_Domain_AAAA iRules possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GTM iRule | |
use (string) | BIG-IP AS3 pointer to GSLB_iRule (declared separately) |
GSLB_Domain_AAAA_pools¶
GSLB_Domain_AAAA pools possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
ratio (integer) | 1 | [-infinity, infinity] | Ratio weight assigned to GSLB pool |
use (string) | BIG-IP AS3 pointer to GSLB Pool declaration |
GSLB_Domain_CNAME¶
Configures GSLB (Global Server Load Balancing) settings for CNAME domain.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
aliases (array<string>) | List of alternate domain names. Each may include wildcard characters. | ||
class (string) | “GSLB_Domain” | ||
clientSubnetPreferred (boolean) | false | true, false | Specifies that this domain should use the edns0 client subnet option when using topology load balancing. If the query does not contain a client subnet option, the system will fall back to the default option of using the source address. |
domainName (string) | The name of the domain for the site content you are load balancing. If you have many domains, you can use two different wildcard characters, * and ?, to represent one or more characters in the domain alias, which reduces the number of aliases you have to add to the configuration | ||
enabled (boolean) | true | true, false | When true (default), the system can use the domain and its resources for load balancing requests |
failureRcode (string) | “noerror” | “formerr”, “noerror”, “notimpl”, “nxdomain”, “refused”, “servfail” | Specifies the DNS RCODE used when failure-rcode-response is enabled |
failureRcodeResponse (boolean) | false | true, false | Specifies whether RCODE responses are enabled |
failureRcodeTtl (integer) | 0 | [0, infinity] | Specifies the negative caching TTL of the SOA for the RCODE response |
iRules (array<string | GSLB_Domain_CNAME_iRules>) | -, - | List of GSLB iRules for this GSLB Domain (order is significant) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
lastResortPool (Pointer_GSLB_Pool) | Specifies the pools this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
lastResortPoolType (string) | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | This is used to specify the type of pool being used for the lastResortPool | |
loadBalancingDecisionLogVerbosity (array<string>) | “pool-selection”, “pool-traversal”, “pool-member-selection”, “pool-member-traversal” | Specifies the amount of detail logged when making load balancing decisions. This is used for debugging purposes only. Performance will be affected if any value is set. Please reset after debugging is finished. | |
persistCidrIpv4 (integer) | 32 | [0, 32] | Specifies a mask used to group IPv4 LDNS addresses. |
persistCidrIpv6 (integer) | 128 | [0, 128] | Specifies a mask used to group IPv6 LDNS addresses. |
persistenceEnabled (boolean) | false | true, false | Specifies that when a local DNS server makes repetitive requests on behalf of a client, the system reconnects the client to the same resource as previous requests. Set to true to enable. |
poolLbMode (string) | “round-robin” | “global-availability”, “ratio”, “round-robin”, “topology” | Specifies the load balancing method used to select a pool in this domain |
pools (array<GSLB_Domain_CNAME_pools>) | Specifies the pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
poolsCname (array<Pointer_GSLB_Pool>) | Specifies the cname pools this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
resourceRecordType (string) | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | Specifies the type of resource records for this domain | |
ttlPersistence (integer) | 3600 | [0, 4294967295] | Specifies, in seconds, the length of time for which a persistence entry is valid. |
GSLB_Domain_CNAME_iRules¶
GSLB_Domain_CNAME iRules possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GTM iRule | |
use (string) | BIG-IP AS3 pointer to GSLB_iRule (declared separately) |
GSLB_Domain_CNAME_pools¶
GSLB_Domain_CNAME pools possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
ratio (integer) | 1 | [-infinity, infinity] | Ratio weight assigned to GSLB pool |
use (string) | BIG-IP AS3 pointer to GSLB Pool declaration |
GSLB_Domain_MX¶
Configures GSLB (Global Server Load Balancing) settings for MX domain.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
aliases (array<string>) | List of alternate domain names. Each may include wildcard characters. | ||
class (string) | “GSLB_Domain” | ||
clientSubnetPreferred (boolean) | false | true, false | Specifies that this domain should use the edns0 client subnet option when using topology load balancing. If the query does not contain a client subnet option, the system will fall back to the default option of using the source address. |
domainName (string) | The name of the domain for the site content you are load balancing. If you have many domains, you can use two different wildcard characters, * and ?, to represent one or more characters in the domain alias, which reduces the number of aliases you have to add to the configuration | ||
enabled (boolean) | true | true, false | When true (default), the system can use the domain and its resources for load balancing requests |
failureRcode (string) | “noerror” | “formerr”, “noerror”, “notimpl”, “nxdomain”, “refused”, “servfail” | Specifies the DNS RCODE used when failure-rcode-response is enabled |
failureRcodeResponse (boolean) | false | true, false | Specifies whether RCODE responses are enabled |
failureRcodeTtl (integer) | 0 | [0, infinity] | Specifies the negative caching TTL of the SOA for the RCODE response |
iRules (array<string | GSLB_Domain_MX_iRules>) | -, - | List of GSLB iRules for this GSLB Domain (order is significant) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
lastResortPool (Pointer_GSLB_Pool) | Specifies the pools this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
lastResortPoolType (string) | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | This is used to specify the type of pool being used for the lastResortPool | |
loadBalancingDecisionLogVerbosity (array<string>) | “pool-selection”, “pool-traversal”, “pool-member-selection”, “pool-member-traversal” | Specifies the amount of detail logged when making load balancing decisions. This is used for debugging purposes only. Performance will be affected if any value is set. Please reset after debugging is finished. | |
persistCidrIpv4 (integer) | 32 | [0, 32] | Specifies a mask used to group IPv4 LDNS addresses. |
persistCidrIpv6 (integer) | 128 | [0, 128] | Specifies a mask used to group IPv6 LDNS addresses. |
persistenceEnabled (boolean) | false | true, false | Specifies that when a local DNS server makes repetitive requests on behalf of a client, the system reconnects the client to the same resource as previous requests. Set to true to enable. |
poolLbMode (string) | “round-robin” | “global-availability”, “ratio”, “round-robin”, “topology” | Specifies the load balancing method used to select a pool in this domain |
pools (array<GSLB_Domain_MX_pools>) | Specifies the pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
poolsCname (array<Pointer_GSLB_Pool>) | Specifies the cname pools this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
resourceRecordType (string) | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | Specifies the type of resource records for this domain | |
ttlPersistence (integer) | 3600 | [0, 4294967295] | Specifies, in seconds, the length of time for which a persistence entry is valid. |
GSLB_Domain_MX_iRules¶
GSLB_Domain_MX iRules possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GTM iRule | |
use (string) | BIG-IP AS3 pointer to GSLB_iRule (declared separately) |
GSLB_Domain_MX_pools¶
GSLB_Domain_MX pools possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
ratio (integer) | 1 | [-infinity, infinity] | Ratio weight assigned to GSLB pool |
use (string) | BIG-IP AS3 pointer to GSLB Pool declaration |
GSLB_Domain_NAPTR¶
Configures GSLB (Global Server Load Balancing) settings for NAPTR domain.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
aliases (array<string>) | List of alternate domain names. Each may include wildcard characters. | ||
class (string) | “GSLB_Domain” | ||
clientSubnetPreferred (boolean) | false | true, false | Specifies that this domain should use the edns0 client subnet option when using topology load balancing. If the query does not contain a client subnet option, the system will fall back to the default option of using the source address. |
domainName (string) | The name of the domain for the site content you are load balancing. If you have many domains, you can use two different wildcard characters, * and ?, to represent one or more characters in the domain alias, which reduces the number of aliases you have to add to the configuration | ||
enabled (boolean) | true | true, false | When true (default), the system can use the domain and its resources for load balancing requests |
failureRcode (string) | “noerror” | “formerr”, “noerror”, “notimpl”, “nxdomain”, “refused”, “servfail” | Specifies the DNS RCODE used when failure-rcode-response is enabled |
failureRcodeResponse (boolean) | false | true, false | Specifies whether RCODE responses are enabled |
failureRcodeTtl (integer) | 0 | [0, infinity] | Specifies the negative caching TTL of the SOA for the RCODE response |
iRules (array<string | GSLB_Domain_NAPTR_iRules>) | -, - | List of GSLB iRules for this GSLB Domain (order is significant) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
lastResortPool (Pointer_GSLB_Pool) | Specifies the pools this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
lastResortPoolType (string) | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | This is used to specify the type of pool being used for the lastResortPool | |
loadBalancingDecisionLogVerbosity (array<string>) | “pool-selection”, “pool-traversal”, “pool-member-selection”, “pool-member-traversal” | Specifies the amount of detail logged when making load balancing decisions. This is used for debugging purposes only. Performance will be affected if any value is set. Please reset after debugging is finished. | |
persistCidrIpv4 (integer) | 32 | [0, 32] | Specifies a mask used to group IPv4 LDNS addresses. |
persistCidrIpv6 (integer) | 128 | [0, 128] | Specifies a mask used to group IPv6 LDNS addresses. |
persistenceEnabled (boolean) | false | true, false | Specifies that when a local DNS server makes repetitive requests on behalf of a client, the system reconnects the client to the same resource as previous requests. Set to true to enable. |
poolLbMode (string) | “round-robin” | “global-availability”, “ratio”, “round-robin”, “topology” | Specifies the load balancing method used to select a pool in this domain |
pools (array<GSLB_Domain_NAPTR_pools>) | Specifies the pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
poolsCname (array<Pointer_GSLB_Pool>) | Specifies the cname pools this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
resourceRecordType (string) | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | Specifies the type of resource records for this domain | |
ttlPersistence (integer) | 3600 | [0, 4294967295] | Specifies, in seconds, the length of time for which a persistence entry is valid. |
GSLB_Domain_NAPTR_iRules¶
GSLB_Domain_NAPTR iRules possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GTM iRule | |
use (string) | BIG-IP AS3 pointer to GSLB_iRule (declared separately) |
GSLB_Domain_NAPTR_pools¶
GSLB_Domain_NAPTR pools possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
ratio (integer) | 1 | [-infinity, infinity] | Ratio weight assigned to GSLB pool |
use (string) | BIG-IP AS3 pointer to GSLB Pool declaration |
GSLB_iRule¶
Specifies or configures an iRule for use in GSLB Domains
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “GSLB_iRule” | ||
expand (boolean) | true | true, false | If true (default), expand backquoted variables in iRule |
iRule (IRule_Core) | |||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
GSLB_Monitor¶
Declares a monitor that verifies the availability and/or performance status of a particular protocol, service, or application
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
aggregateDynamicRatios (string) | “none” | “average-members”, “average-nodes”, “none”, “sum-members”, “sum-nodes” | Specifies how the system combines the module values to create the proportion (score) for the load balancing operation. |
arguments (string) | “” | Arguments to specified external monitor (will be backquote-expanded) | |
base (string) | Specifies the location in the LDAP tree from which the monitor starts the health check | ||
chaseReferrals (boolean) | true | true, false | Specifies whether, upon receipt of an LDAP referral entry, the referral is followed |
ciphers (string) | “DEFAULT” | Ciphersuite selection string | |
class (string) | “GSLB_Monitor” | ||
clientCertificate (string) | BIG-IP AS3 pointer to client Certificate declaration, for TLS authentication (optional) | ||
codesDown (array<integer>) | [0, infinity] | List of status codes meaning service is down (0 matches any code) | |
codesUp (array<integer>) | [0, infinity] | List of additional (to all 1/2/3xx) status codes meaning service is up (0 matches any code) | |
count (integer) | 0 | [0, 2147483647] | Number of monitor probes after which the connection to the database will be terminated. Count value of zero indicates that the connection will never be terminated. |
database (string) | The name of the database with which the monitor attempts to communicate. | ||
debugEnabled (boolean) | false | true, false | When enabled, the monitor sends error messages and additional information to a log file created and labeled specifically for this monitor. The default is false (disabled) |
domain (string) | “” | format: hostname | Mail domain to check, if any (backquote-expanded) |
environmentVariables (GSLB_Monitor_environmentVariables) | {} | Specifies user defined command line parameters that the external program requires. | |
expand (boolean) | true | true, false | If true (default), expand backquoted variables in script |
filter (string) | Specifies an LDAP key which the monitor searches | ||
headers (string) | “” | SIP headers to send in probes (if any)–separate by newlines (backquote-expanded) | |
ignoreDownResponseEnabled (boolean) | false | true, false | Specifies whether the monitor immediately marks an object down when it receives a down response. If enabled, the monitor ignores the down response for the duration of timeout. The default is false (disabled) |
interval (integer) | 30 | [0, 86399] | Specifies, in seconds, the frequency at which the system issues the monitor check when either the resource is down or the status of the resource is unknown |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
mandatoryAttributes (boolean) | false | true, false | Specifies whether the target must include attributes in its response to be considered up |
monitorType (string) | “http”, “https”, “gateway-icmp”, “tcp-half-open”, “mysql”, “sip”, “ldap”, “smtp”, “tcp”, “udp”, “bigip”, “external” | Specifies the type of monitor | |
passphrase (GSLB_Monitor_passphrase) | Passphrase if any for query authentication | ||
pathname (string) | Tmsh object path name of an imported existing external monitor (e.g. /Common/arg_example) | ||
probeAttempts (integer) | 3 | [0, infinity] | Specifies the number of times the BIG-IP system attempts to probe the host server, after which the BIG-IP system considers the host server down or unavailable |
probeInterval (integer) | 1 | [0, infinity] | Specifies the frequency at which the BIG-IP system probes the host server |
probeTimeout (integer) | 5 | [0, infinity] | Specifies the number of seconds after which the system times out the probe request to the system |
protocol (string) | “udp” | “sips”, “tcp”, “tls”, “udp” | SIP transport protocol |
receive (string) | “HTTP/1.” | Specifies the text string that the monitor looks for in the returned resource. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only | |
receiveColumn (integer) | [1, 4096] | Specifies the column in the database where the system expects the specified Receive String to be located. Specify this property only if you configure the Send and Receive properties. | |
receiveRow (integer) | [1, 65535] | Specifies the row in the database where the system expects the specified Receive String to be located. Specify this property only if you configure the Send and Receive properties. | |
receiveStatusCodes (array<integer>) | [-infinity, infinity] | Specifies the status codes that the monitor looks for in the returned resource | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
request (string) | “” | SIP request to send in probes (default empty) | |
reverseEnabled (boolean) | false | true, false | When enabled, a successful check marks the monitored object down instead of up. You can use the Reverse mode only if you configure both the send and receive options |
script (F5string | reference | reference) | Bash(1) script which implements external monitor | ||
security (string) | “none” | “none”, “ssl”, “tls” | Specifies the secure protocol type for communications with the target |
send (string) | “HEAD / HTTP/1.0\r\n\r\n” | Specifies the text string that the monitor sends to the target object. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only | |
sniServerName (string) | Server Name Indication (SNI) property for HTTPS monitor | ||
target (string) | “:” | Specifies the IP address and service port of the resource that is the destination of this monitor. Format is ip:port | |
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 120 | [0, 86400] | Specifies the number of seconds the target has in which to respond to the monitor request |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
transparent (boolean) | false | true, false | Enables monitoring of pool members through firewalls. The default value is false (disabled) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
username (string) | Username if any for query authentication |
GSLB_Monitor_passphrase¶
GSLB_Monitor passphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the property protected empty or not modify the default value. This property protected is a marker. Changing this value from the default indicates that your secrets have been encrypted with SecureVault. E.g. default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=’eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (encoded default is ‘protected’=’eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, use with secret simply base64 url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
GSLB_Monitor_BIGIP¶
Additional Monitor class properties available when monitorType = bigip
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
aggregateDynamicRatios (string) | “none” | “average-members”, “average-nodes”, “none”, “sum-members”, “sum-nodes” | Specifies how the system combines the module values to create the proportion (score) for the load balancing operation. |
GSLB_Monitor_External¶
Additional Monitor class properties available when monitorType = external
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
arguments (string) | “” | Arguments to specified external monitor (will be backquote-expanded) | |
environmentVariables (GSLB_Monitor_External_environmentVariables) | {} | Specifies user defined command line parameters that the external program requires. | |
expand (boolean) | true | true, false | If true (default), expand backquoted variables in script |
pathname (string) | Tmsh object path name of an imported existing external monitor (e.g. /Common/arg_example) | ||
script (F5string | reference | reference) | Bash(1) script which implements external monitor |
GSLB_Monitor_HTTP¶
Additional Monitor class properties available when monitorType = http
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
receive (string) | “HTTP/1.” | Specifies the text string that the monitor looks for in the returned resource. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only | |
receiveStatusCodes (array<integer>) | [-infinity, infinity] | Specifies the status codes that the monitor looks for in the returned resource | |
reverseEnabled (boolean) | false | true, false | When enabled, a successful check marks the monitored object down instead of up. You can use the Reverse mode only if you configure both the send and receive options |
send (string) | “HEAD / HTTP/1.0\r\n\r\n” | Specifies the text string that the monitor sends to the target object. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only | |
transparent (boolean) | false | true, false | Enables monitoring of pool members through firewalls. The default value is false (disabled) |
GSLB_Monitor_HTTPS¶
Additional Monitor class properties available when monitorType = https
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
ciphers (string) | “DEFAULT” | Ciphersuite selection string | |
clientCertificate (string) | BIG-IP AS3 pointer to client Certificate declaration, for TLS authentication (optional) | ||
receive (string) | “HTTP/1.” | Specifies the text string that the monitor looks for in the returned resource. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only | |
receiveStatusCodes (array<integer>) | [-infinity, infinity] | Specifies the status codes that the monitor looks for in the returned resource | |
reverseEnabled (boolean) | false | true, false | When enabled, a successful check marks the monitored object down instead of up. You can use the Reverse mode only if you configure both the send and receive options |
send (string) | “HEAD / HTTP/1.0\r\n\r\n” | Specifies the text string that the monitor sends to the target object. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only | |
sniServerName (string) | Server Name Indication (SNI) property for HTTPS monitor | ||
transparent (boolean) | false | true, false | Enables monitoring of pool members through firewalls. The default value is false (disabled) |
GSLB_Monitor_ICMP¶
Additional Monitor class properties available when monitorType = gateway-icmp
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
probeAttempts (integer) | 3 | [0, infinity] | Specifies the number of times the BIG-IP system attempts to probe the host server, after which the BIG-IP system considers the host server down or unavailable |
probeInterval (integer) | 1 | [0, infinity] | Specifies the frequency at which the BIG-IP system probes the host server |
transparent (boolean) | false | true, false | Enables monitoring of pool members through firewalls. The default value is false (disabled) |
GSLB_Monitor_LDAP¶
GSLB Monitor LDAP definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
base (string) | Specifies the location in the LDAP tree from which the monitor starts the health check | ||
chaseReferrals (boolean) | true | true, false | Specifies whether, upon receipt of an LDAP referral entry, the referral is followed |
filter (string) | Specifies an LDAP key which the monitor searches | ||
mandatoryAttributes (boolean) | false | true, false | Specifies whether the target must include attributes in its response to be considered up |
monitorType (string) | Specifies the type of monitor | ||
passphrase (GSLB_Monitor_LDAP_passphrase) | Passphrase if any for query authentication | ||
security (string) | “none” | “none”, “ssl”, “tls” | Specifies the secure protocol type for communications with the target |
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
username (string) | Username if any for query authentication |
GSLB_Monitor_LDAP_passphrase¶
GSLB_Monitor_LDAP passphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the property protected empty or not modify the default value. This property protected is a marker. Changing this value from the default indicates that your secrets have been encrypted with SecureVault. E.g. default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=’eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (encoded default is ‘protected’=’eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, use with secret simply base64 url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
GSLB_Monitor_MySQL¶
GSLB Monitor MySQL definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
count (integer) | 0 | [0, 2147483647] | Number of monitor probes after which the connection to the database will be terminated. Count value of zero indicates that the connection will never be terminated. |
database (string) | The name of the database with which the monitor attempts to communicate. | ||
monitorType (string) | Specifies the type of monitor | ||
passphrase (GSLB_Monitor_MySQL_passphrase) | Passphrase if any for query authentication | ||
receive (string) | Mark node up upon receipt of this (backquote-expanded) string | ||
receiveColumn (integer) | [1, 4096] | Specifies the column in the database where the system expects the specified Receive String to be located. Specify this property only if you configure the Send and Receive properties. | |
receiveRow (integer) | [1, 65535] | Specifies the row in the database where the system expects the specified Receive String to be located. Specify this property only if you configure the Send and Receive properties. | |
send (string) | Send this (backquote-expanded) string to query node | ||
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
username (string) | Username if any for query authentication |
GSLB_Monitor_MySQL_passphrase¶
GSLB_Monitor_MySQL passphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the property protected empty or not modify the default value. This property protected is a marker. Changing this value from the default indicates that your secrets have been encrypted with SecureVault. E.g. default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=’eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (encoded default is ‘protected’=’eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, use with secret simply base64 url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
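The GSLB_Monitor, GSLB_Monitor_LDAP and GSLB_Monitor_MySQL passphrase tables all describe the same `protected` marker: with enc=none, `ciphertext` is only base64url-encoded, so anyone who can read the declaration can recover the passphrase. The following is an added example, not F5 or BIG-IP AS3 code, that walks a declaration and reports which passphrase objects are merely encoded and which carry the SecureVault marker; the sample declaration, object names and secret values are constructed for illustration.

```python
import base64
import json

# Default value of 'protected' given in the passphrase tables: alg=dir, enc=none.
DEFAULT_PROTECTED = "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"


def b64url_decode(value):
    """Decode unpadded base64url text, restoring the '=' padding first."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def classify_secret(obj):
    """Classify one passphrase object by its JOSE header ('protected')."""
    protected = obj.get("protected") or DEFAULT_PROTECTED  # empty means default
    if not isinstance(protected, str):
        return "unrecognized-header"
    try:
        header = json.loads(b64url_decode(protected))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all raise ValueError
        return "unrecognized-header"
    if not isinstance(header, dict) or header.get("alg") != "dir":
        return "unrecognized-header"
    enc = header.get("enc", "none")
    if enc == "none":
        return "encoded-only"   # ciphertext is base64url(secret), not encrypted
    if enc == "f5sv":
        return "securevault"    # ciphertext is a SecureVault cryptogram
    return "unrecognized-header"


def audit(node, path=""):
    """Return (json_path, status) for every object that carries 'ciphertext'."""
    findings = []
    if isinstance(node, dict):
        if "ciphertext" in node:
            findings.append((path, classify_secret(node)))
        for key, child in node.items():
            findings.extend(audit(child, f"{path}/{key}"))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            findings.extend(audit(child, f"{path}/{index}"))
    return findings


# Constructed sample input: object names and secret values are made up.
ENCODED_ONLY = base64.urlsafe_b64encode(b"constructed-secret").decode().rstrip("=")
SAMPLE = {
    "class": "ADC",
    "Common": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "ldap_monitor": {
                "class": "GSLB_Monitor",
                "monitorType": "ldap",
                "username": "svc-monitor",
                "passphrase": {"ciphertext": ENCODED_ONLY,
                               "protected": DEFAULT_PROTECTED},
            },
            "mysql_monitor": {
                "class": "GSLB_Monitor",
                "monitorType": "mysql",
                "username": "svc-monitor",
                # 'protected' omitted: the documented default (enc=none) applies
                "passphrase": {"ciphertext": ENCODED_ONLY},
            },
            "ldap_monitor_sv": {
                "class": "GSLB_Monitor",
                "monitorType": "ldap",
                "passphrase": {"ciphertext": "PLACEHOLDER_CRYPTOGRAM",
                               "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0"},
            },
            "ldap_monitor_bad": {
                "class": "GSLB_Monitor",
                "monitorType": "ldap",
                "passphrase": {"ciphertext": ENCODED_ONLY,
                               "protected": "not-json"},
            },
        },
    },
}

if __name__ == "__main__":
    for json_path, status in audit(SAMPLE):
        print(f"{status:20} {json_path}")
```

Treat every `encoded-only` finding as a plaintext credential when deciding where the declaration may be stored or logged.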
GSLB_Monitor_SIP¶
GSLB Monitor SIP definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
ciphers (string) | “DEFAULT” | Ciphersuite selection string | |
clientCertificate (string) | BIG-IP AS3 pointer to client Certificate declaration, for TLS authentication (optional) | ||
codesDown (array<integer>) | [0, infinity] | List of status codes meaning service is down (0 matches any code) | |
codesUp (array<integer>) | [0, infinity] | List of additional (to all 1/2/3xx) status codes meaning service is up (0 matches any code) | |
headers (string) | “” | SIP headers to send in probes (if any)–separate by newlines (backquote-expanded) | |
monitorType (string) | Specifies the type of monitor | ||
protocol (string) | “udp” | “sips”, “tcp”, “tls”, “udp” | SIP transport protocol |
request (string) | “” | SIP request to send in probes (default empty) | |
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
GSLB_Monitor_SMTP¶
GSLB Monitor SMTP definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
domain (string) | “” | format: hostname | Mail domain to check, if any (backquote-expanded) |
monitorType (string) | Specifies the type of monitor | ||
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
GSLB_Monitor_TCP¶
Additional Monitor class properties available when monitorType = tcp
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
receive (string) | “” | Specifies the text string that the monitor looks for in the returned resource. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only | |
reverseEnabled (boolean) | false | true, false | When enabled, a successful check marks the monitored object down instead of up. You can use the Reverse mode only if you configure both the send and receive options |
send (string) | “” | Specifies the text string that the monitor sends to the target object. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only | |
transparent (boolean) | false | true, false | Enables monitoring of pool members through firewalls. The default value is false (disabled) |
GSLB_Monitor_TCP_Half_Open¶
Additional Monitor class properties available when monitorType = tcp-half-open
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
probeAttempts (integer) | 3 | [0, infinity] | Specifies the number of times the BIG-IP system attempts to probe the host server, after which the BIG-IP system considers the host server down or unavailable |
probeInterval (integer) | 1 | [0, infinity] | Specifies the frequency at which the BIG-IP system probes the host server |
transparent (boolean) | false | true, false | Enables monitoring of pool members through firewalls. The default value is false (disabled) |
GSLB_Monitor_UDP¶
Additional Monitor class properties available when monitorType = udp
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
debugEnabled (boolean) | false | true, false | When enabled, the monitor sends error messages and additional information to a log file created and labeled specifically for this monitor. The default is false (disabled) |
probeAttempts (integer) | 3 | [0, infinity] | Specifies the number of times the BIG-IP system attempts to probe the host server, after which the BIG-IP system considers the host server down or unavailable |
probeInterval (integer) | 1 | [0, infinity] | Specifies the frequency at which the BIG-IP system probes the host server |
receive (string) | “” | Specifies the text string that the monitor looks for in the returned resource. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only | |
reverseEnabled (boolean) | false | true, false | When enabled, a successful check marks the monitored object down instead of up. You can use the Reverse mode only if you configure both the send and receive options |
send (string) | “default send string” | Specifies the text string that the monitor sends to the target object. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only | |
transparent (boolean) | false | true, false | Enables monitoring of pool members through firewalls. The default value is false (disabled) |
GSLB_Pool¶
Declares a pool to use for load balancing
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bpsLimit (integer) | 0 | [0, infinity] | The maximum allowable data throughput rate, in bits per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable |
bpsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Bits Per Second (BPS) option for this pool. The default value is false (disabled) |
class (string) | “GSLB_Pool” | ||
connectionsLimit (integer) | 0 | [0, infinity] | The number of current connections allowed for the virtual servers in the pool. If the current connections exceed this value, the system marks the pool as unavailable |
connectionsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum current connections option for this pool. The default value is false (disabled) |
dynamicRatioEnabled (boolean) | false | true, false | Specifies whether the system applies a dynamic ratio to the load balancing algorithms for this pool. When enabled, the system treats QOS scores as ratios, and it uses each server or virtual server in proportion to the ratio determined by the QOS calculation. |
enabled (boolean) | true | true, false | Specifies whether the pool and its resources are available for load balancing |
fallbackIP (string) | format: f5ip | Specifies the IP address of the server to which the system directs requests when it cannot use one of its pools to do so. Note that the system uses the fallback IP only if you select a fallback load balancing method | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
lbModeAlternate (string) | “round-robin” | “drop-packet”, “fallback-ip”, “global-availability”, “packet-rate”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” | Alternate Load Balancing mode |
lbModeFallback (string) | “return-to-dns” | “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” | Fallback Load Balancing mode |
lbModePreferred (string) | “round-robin” | “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score” | Preferred Load Balancing mode |
manualResumeEnabled (boolean) | false | true, false | Specifies whether you must manually restart a pool member that goes down |
maxAnswersReturned (integer) | 1 | [1, 500] | Specifies the maximum number of available virtual servers that the system lists in a response |
members (array<GSLB_Pool_Member_MX>) | Specifies the members of this pool | ||
monitors (array<Pointer_GSLB_Monitor>) | Specifies the health monitors the system uses to determine whether it can use this pool for load balancing | ||
ppsLimit (integer) | 0 | [0, infinity] | The maximum allowable data transfer rate, in packets per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable |
ppsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Packets Per Second (PPS) option for this pool. The default value is false (disabled) |
qosHitRatio (integer) | 5 | [0, infinity] | Assigns a weight to the Hit Ratio performance factor for the Quality of Service dynamic load balancing mode |
qosHops (integer) | 0 | [0, infinity] | Assigns a weight to the Hops performance factor for the Quality of Service dynamic load balancing mode |
qosKbps (integer) | 3 | [0, infinity] | Assigns a weight to the Kilobytes per Second performance factor for the Quality of Service dynamic load balancing mode |
qosLinkCapacity (integer) | 30 | [0, infinity] | Assigns a weight to the Link Capacity performance factor for the Quality of Service dynamic load balancing mode |
qosPacketRate (integer) | 1 | [0, infinity] | Assigns a weight to the Packet Rate performance factor for the Quality of Service dynamic load balancing mode |
qosRoundTripTime (integer) | 50 | [0, infinity] | Assigns a weight to the Round Trip Time performance factor for the Quality of Service dynamic load balancing mode |
qosTopology (integer) | 0 | [0, infinity] | Assigns a weight to the Topology performance factor for the Quality of Service dynamic load balancing mode |
qosVirtualServerCapacity (integer) | 0 | [0, infinity] | Assigns a weight to the Virtual Server performance factor for the Quality of Service dynamic load balancing mode |
qosVirtualServerScore (integer) | 0 | [0, infinity] | Assigns a weight to the Virtual Server Score performance factor for the Quality of Service dynamic load balancing mode |
remark (string) | | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
resourceRecordType (string) | | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | Specifies the type of resource records for this domain |
ttl (integer) | 30 | [0, 4294967295] | Specifies the number of seconds the IP address, once found, is valid. Once the time-to-live (TTL) expires, the client has to request the IP address resolution again |
verifyMemberEnabled (boolean) | true | true, false | Specifies whether the system verifies the availability of the pool members before sending a connection to those resources |
GSLB_Pool_A¶
Pointer to a Pool A object
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bpsLimit (integer) | 0 | [0, infinity] | The maximum allowable data throughput rate, in bits per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable |
bpsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Bits Per Second (BPS) option for this pool. The default value is false (disabled) |
class (string) | | “GSLB_Pool” | |
connectionsLimit (integer) | 0 | [0, infinity] | The number of current connections allowed for the virtual servers in the pool. If the current connections exceed this value, the system marks the pool as unavailable |
connectionsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum current connections option for this pool. The default value is false (disabled) |
dynamicRatioEnabled (boolean) | false | true, false | Specifies whether the system applies a dynamic ratio to the load balancing algorithms for this pool. When enabled, the system treats QOS scores as ratios, and it uses each server or virtual server in proportion to the ratio determined by the QOS calculation. |
enabled (boolean) | true | true, false | Specifies whether the pool and its resources are available for load balancing |
fallbackIP (string) | | format: f5ip | Specifies the IP address of the server to which the system directs requests when it cannot use one of its pools to do so. Note that the system uses the fallback IP only if you select a fallback load balancing method |
label (string) | | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML |
lbModeAlternate (string) | “round-robin” | “drop-packet”, “fallback-ip”, “global-availability”, “packet-rate”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” | Alternate Load Balancing mode |
lbModeFallback (string) | “return-to-dns” | “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” | Fallback Load Balancing mode |
lbModePreferred (string) | “round-robin” | “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score” | Preferred Load Balancing mode |
manualResumeEnabled (boolean) | false | true, false | Specifies whether you must manually restart a pool member that goes down |
maxAnswersReturned (integer) | 1 | [1, 500] | Specifies the maximum number of available virtual servers that the system lists in a response |
members (array<GSLB_Pool_Member_MX>) | | | Specifies the members of this pool |
monitors (array<Pointer_GSLB_Monitor>) | | | Specifies the health monitors the system uses to determine whether it can use this pool for load balancing |
ppsLimit (integer) | 0 | [0, infinity] | The maximum allowable data transfer rate, in packets per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable |
ppsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Packets Per Second (PPS) option for this pool. The default value is false (disabled) |
qosHitRatio (integer) | 5 | [0, infinity] | Assigns a weight to the Hit Ratio performance factor for the Quality of Service dynamic load balancing mode |
qosHops (integer) | 0 | [0, infinity] | Assigns a weight to the Hops performance factor for the Quality of Service dynamic load balancing mode |
qosKbps (integer) | 3 | [0, infinity] | Assigns a weight to the Kilobytes per Second performance factor for the Quality of Service dynamic load balancing mode |
qosLinkCapacity (integer) | 30 | [0, infinity] | Assigns a weight to the Link Capacity performance factor for the Quality of Service dynamic load balancing mode |
qosPacketRate (integer) | 1 | [0, infinity] | Assigns a weight to the Packet Rate performance factor for the Quality of Service dynamic load balancing mode |
qosRoundTripTime (integer) | 50 | [0, infinity] | Assigns a weight to the Round Trip Time performance factor for the Quality of Service dynamic load balancing mode |
qosTopology (integer) | 0 | [0, infinity] | Assigns a weight to the Topology performance factor for the Quality of Service dynamic load balancing mode |
qosVirtualServerCapacity (integer) | 0 | [0, infinity] | Assigns a weight to the Virtual Server performance factor for the Quality of Service dynamic load balancing mode |
qosVirtualServerScore (integer) | 0 | [0, infinity] | Assigns a weight to the Virtual Server Score performance factor for the Quality of Service dynamic load balancing mode |
remark (string) | | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
resourceRecordType (string) | | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | Specifies the type of resource records for this domain |
ttl (integer) | 30 | [0, 4294967295] | Specifies the number of seconds the IP address, once found, is valid. Once the time-to-live (TTL) expires, the client has to request the IP address resolution again |
verifyMemberEnabled (boolean) | true | true, false | Specifies whether the system verifies the availability of the pool members before sending a connection to those resources |
GSLB_Pool_AAAA¶
Pointer to a Pool AAAA object
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bpsLimit (integer) | 0 | [0, infinity] | The maximum allowable data throughput rate, in bits per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable |
bpsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Bits Per Second (BPS) option for this pool. The default value is false (disabled) |
class (string) | | “GSLB_Pool” | |
connectionsLimit (integer) | 0 | [0, infinity] | The number of current connections allowed for the virtual servers in the pool. If the current connections exceed this value, the system marks the pool as unavailable |
connectionsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum current connections option for this pool. The default value is false (disabled) |
dynamicRatioEnabled (boolean) | false | true, false | Specifies whether the system applies a dynamic ratio to the load balancing algorithms for this pool. When enabled, the system treats QOS scores as ratios, and it uses each server or virtual server in proportion to the ratio determined by the QOS calculation. |
enabled (boolean) | true | true, false | Specifies whether the pool and its resources are available for load balancing |
fallbackIP (string) | | format: f5ip | Specifies the IP address of the server to which the system directs requests when it cannot use one of its pools to do so. Note that the system uses the fallback IP only if you select a fallback load balancing method |
label (string) | | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML |
lbModeAlternate (string) | “round-robin” | “drop-packet”, “fallback-ip”, “global-availability”, “packet-rate”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” | Alternate Load Balancing mode |
lbModeFallback (string) | “return-to-dns” | “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” | Fallback Load Balancing mode |
lbModePreferred (string) | “round-robin” | “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score” | Preferred Load Balancing mode |
manualResumeEnabled (boolean) | false | true, false | Specifies whether you must manually restart a pool member that goes down |
maxAnswersReturned (integer) | 1 | [1, 500] | Specifies the maximum number of available virtual servers that the system lists in a response |
members (array<GSLB_Pool_Member_MX>) | | | Specifies the members of this pool |
monitors (array<Pointer_GSLB_Monitor>) | | | Specifies the health monitors the system uses to determine whether it can use this pool for load balancing |
ppsLimit (integer) | 0 | [0, infinity] | The maximum allowable data transfer rate, in packets per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable |
ppsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Packets Per Second (PPS) option for this pool. The default value is false (disabled) |
qosHitRatio (integer) | 5 | [0, infinity] | Assigns a weight to the Hit Ratio performance factor for the Quality of Service dynamic load balancing mode |
qosHops (integer) | 0 | [0, infinity] | Assigns a weight to the Hops performance factor for the Quality of Service dynamic load balancing mode |
qosKbps (integer) | 3 | [0, infinity] | Assigns a weight to the Kilobytes per Second performance factor for the Quality of Service dynamic load balancing mode |
qosLinkCapacity (integer) | 30 | [0, infinity] | Assigns a weight to the Link Capacity performance factor for the Quality of Service dynamic load balancing mode |
qosPacketRate (integer) | 1 | [0, infinity] | Assigns a weight to the Packet Rate performance factor for the Quality of Service dynamic load balancing mode |
qosRoundTripTime (integer) | 50 | [0, infinity] | Assigns a weight to the Round Trip Time performance factor for the Quality of Service dynamic load balancing mode |
qosTopology (integer) | 0 | [0, infinity] | Assigns a weight to the Topology performance factor for the Quality of Service dynamic load balancing mode |
qosVirtualServerCapacity (integer) | 0 | [0, infinity] | Assigns a weight to the Virtual Server performance factor for the Quality of Service dynamic load balancing mode |
qosVirtualServerScore (integer) | 0 | [0, infinity] | Assigns a weight to the Virtual Server Score performance factor for the Quality of Service dynamic load balancing mode |
remark (string) | | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
resourceRecordType (string) | | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | Specifies the type of resource records for this domain |
ttl (integer) | 30 | [0, 4294967295] | Specifies the number of seconds the IP address, once found, is valid. Once the time-to-live (TTL) expires, the client has to request the IP address resolution again |
verifyMemberEnabled (boolean) | true | true, false | Specifies whether the system verifies the availability of the pool members before sending a connection to those resources |
GSLB_Pool_CNAME¶
Pointer to a Pool CNAME object
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bpsLimit (integer) | 0 | [0, infinity] | The maximum allowable data throughput rate, in bits per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable |
bpsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Bits Per Second (BPS) option for this pool. The default value is false (disabled) |
class (string) | | “GSLB_Pool” | |
connectionsLimit (integer) | 0 | [0, infinity] | The number of current connections allowed for the virtual servers in the pool. If the current connections exceed this value, the system marks the pool as unavailable |
connectionsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum current connections option for this pool. The default value is false (disabled) |
dynamicRatioEnabled (boolean) | false | true, false | Specifies whether the system applies a dynamic ratio to the load balancing algorithms for this pool. When enabled, the system treats QOS scores as ratios, and it uses each server or virtual server in proportion to the ratio determined by the QOS calculation. |
enabled (boolean) | true | true, false | Specifies whether the pool and its resources are available for load balancing |
fallbackIP (string) | | format: f5ip | Specifies the IP address of the server to which the system directs requests when it cannot use one of its pools to do so. Note that the system uses the fallback IP only if you select a fallback load balancing method |
label (string) | | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML |
lbModeAlternate (string) | “round-robin” | “drop-packet”, “fallback-ip”, “global-availability”, “packet-rate”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” | Alternate Load Balancing mode |
lbModeFallback (string) | “return-to-dns” | “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” | Fallback Load Balancing mode |
lbModePreferred (string) | “round-robin” | “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score” | Preferred Load Balancing mode |
manualResumeEnabled (boolean) | false | true, false | Specifies whether you must manually restart a pool member that goes down |
maxAnswersReturned (integer) | 1 | [1, 500] | Specifies the maximum number of available virtual servers that the system lists in a response |
members (array<GSLB_Pool_Member_MX>) | | | Specifies the members of this pool |
monitors (array<Pointer_GSLB_Monitor>) | | | Specifies the health monitors the system uses to determine whether it can use this pool for load balancing |
ppsLimit (integer) | 0 | [0, infinity] | The maximum allowable data transfer rate, in packets per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable |
ppsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Packets Per Second (PPS) option for this pool. The default value is false (disabled) |
qosHitRatio (integer) | 5 | [0, infinity] | Assigns a weight to the Hit Ratio performance factor for the Quality of Service dynamic load balancing mode |
qosHops (integer) | 0 | [0, infinity] | Assigns a weight to the Hops performance factor for the Quality of Service dynamic load balancing mode |
qosKbps (integer) | 3 | [0, infinity] | Assigns a weight to the Kilobytes per Second performance factor for the Quality of Service dynamic load balancing mode |
qosLinkCapacity (integer) | 30 | [0, infinity] | Assigns a weight to the Link Capacity performance factor for the Quality of Service dynamic load balancing mode |
qosPacketRate (integer) | 1 | [0, infinity] | Assigns a weight to the Packet Rate performance factor for the Quality of Service dynamic load balancing mode |
qosRoundTripTime (integer) | 50 | [0, infinity] | Assigns a weight to the Round Trip Time performance factor for the Quality of Service dynamic load balancing mode |
qosTopology (integer) | 0 | [0, infinity] | Assigns a weight to the Topology performance factor for the Quality of Service dynamic load balancing mode |
qosVirtualServerCapacity (integer) | 0 | [0, infinity] | Assigns a weight to the Virtual Server performance factor for the Quality of Service dynamic load balancing mode |
qosVirtualServerScore (integer) | 0 | [0, infinity] | Assigns a weight to the Virtual Server Score performance factor for the Quality of Service dynamic load balancing mode |
remark (string) | | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
resourceRecordType (string) | | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | Specifies the type of resource records for this domain |
ttl (integer) | 30 | [0, 4294967295] | Specifies the number of seconds the IP address, once found, is valid. Once the time-to-live (TTL) expires, the client has to request the IP address resolution again |
verifyMemberEnabled (boolean) | true | true, false | Specifies whether the system verifies the availability of the pool members before sending a connection to those resources |
GSLB_Pool_Member_A¶
Declares member of the GSLB pool
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
dependsOn (string \| array) | | | Specifies the name of the virtual server on which this pool member depends. |
enabled (boolean) | true | true, false | When true (default), the system can use the pool member and its resources for load balancing requests |
label (string) | | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML |
memberOrder (integer) | 0 | [0, 65535] | Specifies the order in which this server appears in the pool |
ratio (integer) | 1 | [0, 65535] | Specifies the ratio weight assigned to the pool member. This weight determines the frequency at which the pool member is selected for load balancing. |
remark (string) | | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
server (Pointer_GSLB_Server) | | | |
virtualServer (string \| Pointer_Service) | | | Specifies that the Global Traffic Manager assigns connection requests to virtual servers based on a user-defined ranking system. |
GSLB_Pool_Member_AAAA¶
Declares member of the GSLB pool
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
dependsOn (string \| array) | | | Specifies the name of the virtual server on which this pool member depends. |
enabled (boolean) | true | true, false | When true (default), the system can use the pool member and its resources for load balancing requests |
label (string) | | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML |
ratio (integer) | 1 | [0, 65535] | Specifies the ratio weight assigned to the pool member. This weight determines the frequency at which the pool member is selected for load balancing |
remark (string) | | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
server (Pointer_GSLB_Server) | | | |
virtualServer (string \| Pointer_Service) | | | Specifies that the Global Traffic Manager assigns connection requests to virtual servers based on a user-defined ranking system. |
GSLB_Pool_Member_CNAME¶
Declares member of the GSLB pool
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
domainName (string \| Pointer_GSLB_Domain_A \| Pointer_GSLB_Domain_AAAA \| Pointer_GSLB_Domain_CNAME \| Pointer_GSLB_Domain_MX \| Pointer_GSLB_Domain_NAPTR) | | | Specifies the domain name for this pool member |
enabled (boolean) | true | true, false | When true (default), the system can use the pool member and its resources for load balancing requests |
isDomainNameStatic (boolean) | false | true, false | Specifies that the member’s name is a static domain name rather than a name linked to a domain defined on the system. This might be required if the target domainName is not owned by the organization or configured on the BIG-IP. One side-effect of using a static target is that the member is always considered available for load balancing. The default is false (disabled) |
label (string) | | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML |
ratio (integer) | 1 | [0, 65535] | Specifies the ratio weight assigned to the pool member. This weight determines the frequency at which the pool member is selected for load balancing |
remark (string) | | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
GSLB_Pool_Member_MX¶
Declares member of the GSLB pool
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
domainName (Pointer_GSLB_Domain_A \| Pointer_GSLB_Domain_AAAA) | | | Specifies the domain name for this pool member |
enabled (boolean) | true | true, false | When true (default), the system can use the pool member and its resources for load balancing requests |
label (string) | | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML |
priority (integer) | 10 | [0, 65535] | Specifies the MX resource record priority |
ratio (integer) | 1 | [0, 65535] | Specifies the ratio weight assigned to the pool member. This weight determines the frequency at which the pool member is selected for load balancing |
remark (string) | | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
GSLB_Pool_Member_NAPTR¶
Declares member of the GSLB pool
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
domainName (Pointer_GSLB_Domain_A \| Pointer_GSLB_Domain_AAAA) | | | Specifies the domain name for this pool member |
enabled (boolean) | true | true, false | When true (default), the system can use the pool member and its resources for load balancing requests |
label (string) | | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML |
order (integer) | 10 | [0, 65535] | Specifies the response resource record’s order RDATA field value when this member is picked. |
preference (integer) | 0 | [0, 65535] | Specifies the response resource record’s preference RDATA field value when this member is picked. |
ratio (integer) | 1 | [0, 65535] | Specifies the ratio weight assigned to the pool member. This weight determines the frequency at which the pool member is selected for load balancing |
remark (string) | | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
service (string) | | | Specifies the response resource record’s service RDATA field value when this member is picked. |
GSLB_Pool_MX¶
Pointer to a Pool MX object
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bpsLimit (integer) | 0 | [0, infinity] | The maximum allowable data throughput rate, in bits per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable |
bpsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Bits Per Second (BPS) option for this pool. The default value is false (disabled) |
class (string) | | “GSLB_Pool” | |
connectionsLimit (integer) | 0 | [0, infinity] | The number of current connections allowed for the virtual servers in the pool. If the current connections exceed this value, the system marks the pool as unavailable |
connectionsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum current connections option for this pool. The default value is false (disabled) |
dynamicRatioEnabled (boolean) | false | true, false | Specifies whether the system applies a dynamic ratio to the load balancing algorithms for this pool. When enabled, the system treats QOS scores as ratios, and it uses each server or virtual server in proportion to the ratio determined by the QOS calculation. |
enabled (boolean) | true | true, false | Specifies whether the pool and its resources are available for load balancing |
fallbackIP (string) | | format: f5ip | Specifies the IP address of the server to which the system directs requests when it cannot use one of its pools to do so. Note that the system uses the fallback IP only if you select a fallback load balancing method |
label (string) | | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML |
lbModeAlternate (string) | “round-robin” | “drop-packet”, “fallback-ip”, “global-availability”, “packet-rate”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” | Alternate Load Balancing mode |
lbModeFallback (string) | “return-to-dns” | “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” | Fallback Load Balancing mode |
lbModePreferred (string) | “round-robin” | “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score” | Preferred Load Balancing mode |
manualResumeEnabled (boolean) | false | true, false | Specifies whether you must manually restart a pool member that goes down |
maxAnswersReturned (integer) | 1 | [1, 500] | Specifies the maximum number of available virtual servers that the system lists in a response |
members (array<GSLB_Pool_Member_MX>) | | | Specifies the members of this pool |
monitors (array<Pointer_GSLB_Monitor>) | | | Specifies the health monitors the system uses to determine whether it can use this pool for load balancing |
ppsLimit (integer) | 0 | [0, infinity] | The maximum allowable data transfer rate, in packets per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable |
ppsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Packets Per Second (PPS) option for this pool. The default value is false (disabled) |
qosHitRatio (integer) | 5 | [0, infinity] | Assigns a weight to the Hit Ratio performance factor for the Quality of Service dynamic load balancing mode |
qosHops (integer) | 0 | [0, infinity] | Assigns a weight to the Hops performance factor for the Quality of Service dynamic load balancing mode |
qosKbps (integer) | 3 | [0, infinity] | Assigns a weight to the Kilobytes per Second performance factor for the Quality of Service dynamic load balancing mode |
qosLinkCapacity (integer) | 30 | [0, infinity] | Assigns a weight to the Link Capacity performance factor for the Quality of Service dynamic load balancing mode |
qosPacketRate (integer) | 1 | [0, infinity] | Assigns a weight to the Packet Rate performance factor for the Quality of Service dynamic load balancing mode |
qosRoundTripTime (integer) | 50 | [0, infinity] | Assigns a weight to the Round Trip Time performance factor for the Quality of Service dynamic load balancing mode |
qosTopology (integer) | 0 | [0, infinity] | Assigns a weight to the Topology performance factor for the Quality of Service dynamic load balancing mode |
qosVirtualServerCapacity (integer) | 0 | [0, infinity] | Assigns a weight to the Virtual Server performance factor for the Quality of Service dynamic load balancing mode |
qosVirtualServerScore (integer) | 0 | [0, infinity] | Assigns a weight to the Virtual Server Score performance factor for the Quality of Service dynamic load balancing mode |
remark (string) | regex: ^[^x00-x1fx22x5cx7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
resourceRecordType (string) | “A”, “AAAA”, “CNAME”, “MX”, “NAPTR” | Specifies the type of resource records for this domain | |
ttl (integer) | 30 | [0, 4294967295] | Specifies the number of seconds the IP address, once found, is valid. Once the time-to-live (TTL) expires, the client has to request the IP address resolution again |
verifyMemberEnabled (boolean) | true | true, false | Specifies that the system verifies the availability of the pool members before sending a connection to those resources |
GSLB_Prober_Pool¶
Declares a pool of BIG-IP devices that will monitor server resources for health and performance. Note: Prober pools are not used by the bigip monitor
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “GSLB_Prober_Pool” | ||
enabled (boolean) | true | true, false | Specifies whether this pool is available for conducting probes |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
lbMode (string) | “global-availability”, “round-robin” | Specifies the load balancing mode the system uses to select the members of this pool | |
members (array<GSLB_Prober_Pool_Member>) | Specifies the members of the prober pool |
GSLB_Prober_Pool_Member¶
Declares a member of the GSLB prober pool
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
enabled (boolean) | true | true, false | Specifies whether the server can be used as a member of a prober pool |
memberOrder (integer) | 0 | [0, 65535] | Specifies the order in which this server appears in the prober pool |
GSLB_Server¶
Declares a GSLB server object which contains configuration for a load balancer or a host server
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bpsLimit (integer) | 0 | [0, infinity] | Specifies the maximum allowable data throughput rate, in bits per second, for the virtual servers on the server. If the network traffic volume exceeds this limit, the system marks the server as unavailable |
bpsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Bits Per Second (BPS) option for the virtual servers on the server. The default value is false (disabled) |
class (string) | “GSLB_Server” | ||
connectionsLimit (integer) | 0 | [0, infinity] | The number of current connections allowed for the virtual servers on the server. If the current connections exceed this value, the system marks the server as unavailable |
connectionsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum current connections option for the virtual servers on the server. The default value is false (disabled) |
cpuUsageLimit (integer) | [0, infinity] | Specifies the percent of CPU usage. If percent of CPU usage goes above the limit, the system marks the server as unavailable | |
cpuUsageLimitEnabled (boolean) | true, false | Enables or disables the CPU Usage limit option for this pool. The default value is false (disabled) | |
dataCenter (Pointer_GSLB_Data_Center) | |||
devices (array<GSLB_Server_Device>) | Specifies the actual device(s) that are represented by this server object | ||
enabled (boolean) | true | true, false | Specifies whether the server is enabled or disabled |
exposeRouteDomainsEnabled (boolean) | false | true, false | Allows virtual servers from all route domains to be auto-discovered. The default setting is false |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
memoryLimit (integer) | [0, infinity] | Specifies the available memory in kilobytes required by the virtual servers on the server. If available memory falls below this limit, the system marks the server as unavailable | |
memoryLimitEnabled (boolean) | true, false | Enables or disables the maximum Bits Per Second (BPS) option for this pool. The default value is false (disabled) | |
minimumMonitors (integer) | [1, 63] | Member is down when fewer than minimum monitors report it healthy. | |
monitors (array<Pointer_GSLB_Monitor>) | Specifies the health monitors the system uses to determine whether it can use this server for load balancing | ||
pathProbeEnabled (boolean) | true, false | Specifies whether this BIG-IP device will be used to conduct a path probe before traffic will be delegated to it. The default value is true (enabled) | |
ppsLimit (integer) | 0 | [0, infinity] | The maximum allowable data transfer rate, in packets per second, for the virtual servers on the server. If the network traffic volume exceeds this value, the system marks the server as unavailable |
ppsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Packets Per Second (PPS) option for the virtual servers on the server. The default value is false (disabled) |
proberFallback (string) | “inherit” | “inherit”, “any-available”, “inside-datacenter”, “none”, “outside-datacenter”, “pool” | Specifies the type of prober to use to monitor servers defined in this data center when the preferred type is not available. The default value is any-available |
proberPool (Pointer_GSLB_Prober_Pool) | |||
proberPreferred (string) | “inherit” | “inherit”, “inside-datacenter”, “outside-datacenter”, “pool” | Specifies the type of prober to use to monitor servers defined in this data center. The default value is inside-data-center. Note: Prober pools are not used by the bigip monitor |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
serverType (string) | “bigip” | “bigip”, “generic-host” | Specifies the server type. The server type determines the metrics that the system can collect from the server |
serviceCheckProbeEnabled (boolean) | true, false | Specifies whether this BIG-IP device will be used to conduct a service check probe before traffic will be delegated to it. The default value is true (enabled) | |
snmpProbeEnabled (boolean) | true, false | Specifies whether this BIG-IP device will be used to conduct an SNMP probe before traffic will be delegated to it. The default value is true (enabled) | |
virtualServerDiscoveryMode (string) | “disabled” | “disabled”, “enabled”, “enabled-no-delete” | Specifies virtual server auto-discovery settings. Use ‘enabled’ (add, modify, delete), ‘enabled-no-delete’ (add, modify) or the default ‘disabled’ (manual configuration) |
virtualServers (array<GSLB_Virtual_Server>) | Specifies the virtual server(s) that are resources on this server object |
GSLB_Server_Device¶
Configures a device for the GSLB Server
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | format: f5ip | Specifies an external (public) address for the device. If BIG-IP DNS configuration synchronization is enabled and all existing addresses for a device are being replaced, new addresses should be added and synchronized before old addresses are removed, otherwise the changes may fail to synchronize. Alternatively, the address configuration changes can be performed on each BIG-IP DNS system | |
addressTranslation (string) | format: f5ip | Specifies the internal (private) address that corresponds to the external address | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
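The label and remark patterns applied as a pre-deployment lint, as an added example that is not part of the F5 reference or of AS3 itself. It assumes the `x00`-style sequences in the printed patterns are `\xNN` hex escapes, which is what the row descriptions indicate; `lint_declaration`, `render_remark` and the sample object are hypothetical names and constructed data.

```python
import html
import re

# Patterns from the label and remark rows, hex escapes written as \xNN (assumption
# stated in the lead-in: the printed "x00" sequences stand for \x00 and so on).
LABEL_RE = re.compile(r"^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$")
REMARK_RE = re.compile(r"^[^\x00-\x1f\x22\x5c\x7f]*$")
MAX_LEN = 64  # both rows say "Allows 0-64 chars"

# Characters the remark pattern accepts but that are significant in HTML.
HTML_SIGNIFICANT = set("<>&'")


def lint_declaration(node, path=""):
    """Walk a parsed declaration and return (path, severity, message) findings."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key in ("label", "remark") and isinstance(value, str):
                pattern = LABEL_RE if key == "label" else REMARK_RE
                if len(value) > MAX_LEN:
                    findings.append((here, "error", "longer than 64 characters"))
                # fullmatch, not match: in Python "$" also matches just before a
                # trailing newline, so match() would accept "text\n" even though
                # \x0a is an excluded control character.
                if not pattern.fullmatch(value):
                    findings.append(
                        (here, "error", "contains a character the schema excludes"))
                elif key == "remark" and HTML_SIGNIFICANT & set(value):
                    findings.append(
                        (here, "warn", "schema-valid but HTML-significant; escape on output"))
            else:
                findings.extend(lint_declaration(value, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(lint_declaration(item, f"{path}/{index}"))
    return findings


def render_remark(remark):
    """Escape a remark for an HTML context; the schema pattern alone does not."""
    return html.escape(remark, quote=True)


# Constructed sample object (not taken from the page).
SAMPLE = {
    "class": "GSLB_Server",
    "label": "edge dc1",
    "remark": "owner: <b>netops</b>",   # passes the remark pattern, still markup
    "devices": [
        {"address": "192.0.2.10", "label": "dev<1>", "remark": "primary\n"},
    ],
}

if __name__ == "__main__":
    for finding in lint_declaration(SAMPLE):
        print(*finding, sep="  ")
    print(render_remark(SAMPLE["remark"]))
```

Any tool that displays remark text from a declaration (dashboards, change reports, ticket integrations) needs the `render_remark` step, because a value can satisfy the schema and still carry tags.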
GSLB_Topology_Condition¶
No description provided
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
matchOperator (string) | “equals” | “equals”, “not-equals” | Specifies the operation to perform a match. Default value is equals (matches) |
matchType (string) | “continent”, “country”, “datacenter”, “geoip-isp”, “isp”, “pool”, “region”, “state”, “subnet” | Specifies the type/category of match to perform | |
matchValue (string | GSLB_Topology_Condition_matchValue) | Specifies the value to match |
GSLB_Topology_Record¶
No description provided
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
destination (GSLB_Topology_Condition) | Specifies where the system directs the incoming DNS request | ||
source (GSLB_Topology_Condition) | Specifies the origination section of the topology record, the local DNS | ||
weight (integer) | 1 | [0, 4294967295] | Specifies the weight for the topology record. The system load balances to the server object and DNS that matches the record with the highest topology weight |
GSLB_Topology_Records¶
Defines GSLB Topology records
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “GSLB_Topology_Records” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
longestMatchEnabled (boolean) | true | true, false | Enables the algorithm that requires the system to evaluate all records in the topology statement and use the record that most completely matches the source IP address of the name resolution request. If true, the order of the records as they appear in the array will not be preserved |
records (array<GSLB_Topology_Record>) | Specifies the actual device(s) that are represented by this server object |
GSLB_Topology_Region¶
Defines a GSLB Topology region
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “GSLB_Topology_Region” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
members (array<GSLB_Topology_Condition>) | Configures the list of members for this region | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
GSLB_Virtual_Server¶
GSLB virtual server
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | format: f5ip | Format of address for virtual server (such as IPv4) | |
addressTranslation (string) | format: f5ip | Specifies the public address that this virtual server translates into when the GSLB provider communicates between the network and the Internet. The default value is disabled | |
addressTranslationPort (integer) | 0 | [0, 65535] | L4 port for service (like 443 for HTTPS) |
enabled (boolean) | true | true, false | Specifies whether the virtual server is enabled or disabled |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
minimumMonitors (integer) | [1, 63] | Member is down when fewer than minimum monitors report it healthy. | |
monitors (array<Pointer_GSLB_Monitor>) | Specifies the health monitors that the system uses to determine whether it can use this linked virtual server for load balancing | ||
name (string) | Specifies the name of the Virtual Server | ||
port (integer) | [0, 65535] | L4 port for service (like 443 for HTTPS) | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
HTML_Profile¶
HTML profile with configurable options
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “HTML_Profile” | ||
contentDetectionEnabled (boolean) | false | true, false | Scans initial HTTP payload to look for HTML signatures and enables HTML profile if HTML-like patterns are detected |
contentSelection (array<string>) | text/html, text/xhtml | Matches content-type from response header against a list of the content-types and enables HTML profile if a match is found | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
rules (array<Pointer_HTML_Rule>) | HTML Rules followed by the profile |
HTML_Rule¶
HTML Rule with configurable options
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
attributeName (string) | Name of the attribute to be removed | ||
class (string) | “HTML_Rule” | ||
content (string) | HTML content to append to tag delimiter | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
match (HTML_Rule_match) | Properties the rule is to match | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
ruleType (string) | “comment-raise-event”, “comment-remove”, “tag-append-html”, “tag-prepend-html”, “tag-raise-event”, “tag-remove”, “tag-remove-attribute” | Type of rule |
HTML_Rule_match¶
HTML_Rule match possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
attributeName (string) | Name of attribute | ||
attributeValue (string) | Value of attribute | ||
tagName (string) | Name of tag |
HTML_Rule_Match_Attribute_Optional¶
Matches on the specified tag name, attribute name, and attribute value. Attribute name and value are optional.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
match (HTML_Rule_Match_Attribute_Optional_match) | Properties the rule is to match |
HTML_Rule_Match_Attribute_Optional_match¶
HTML_Rule_Match_Attribute_Optional match possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
attributeName (string) | Name of attribute | ||
attributeValue (string) | Value of attribute | ||
tagName (string) | Name of tag |
HTML_Rule_Match_Attribute_Required¶
Matches on the specified tag name, attribute name, and attribute value. Attribute name and value are required.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
match (HTML_Rule_Match_Attribute_Required_match) | Properties the rule is to match |
HTML_Rule_Match_Attribute_Required_match¶
HTML_Rule_Match_Attribute_Required match possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
attributeName (string) | Name of attribute | ||
attributeValue (string) | Value of attribute | ||
tagName (string) | Name of tag |
HTML_Rule_TagAppendHTML¶
Matches on the specified tag name and optional attribute name and attribute value, and then appends the specified HTML content to the tag delimiter.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
content (string) | HTML content to append to tag delimiter | ||
match (HTML_Rule_TagAppendHTML_match) | Properties the rule is to match |
HTML_Rule_TagAppendHTML_match¶
HTML_Rule_TagAppendHTML match possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
attributeName (string) | Name of attribute | ||
attributeValue (string) | Value of attribute | ||
tagName (string) | Name of tag |
HTML_Rule_TagPrependHTML¶
Matches on the specified tag name and optional attribute name and attribute value, and then prepends the specified HTML content to the tag delimiter.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
content (string) | HTML content to prepend to tag delimiter | ||
match (HTML_Rule_TagPrependHTML_match) | Properties the rule is to match |
HTML_Rule_TagPrependHTML_match¶
HTML_Rule_TagPrependHTML match possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
attributeName (string) | Name of attribute | ||
attributeValue (string) | Value of attribute | ||
tagName (string) | Name of tag |
HTML_Rule_TagRaiseEvent¶
Matches on the specified tag name and optional attribute name and attribute value, and then raises an event.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
match (HTML_Rule_TagRaiseEvent_match) | Properties the rule is to match |
HTML_Rule_TagRaiseEvent_match¶
HTML_Rule_TagRaiseEvent match possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
attributeName (string) | Name of attribute | ||
attributeValue (string) | Value of attribute | ||
tagName (string) | Name of tag |
HTML_Rule_TagRemove¶
Matches on the specified tag name and optional attribute name and attribute value, and then removes the tag.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
match (HTML_Rule_TagRemove_match) | Properties the rule is to match |
HTML_Rule_TagRemove_match¶
HTML_Rule_TagRemove match possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
attributeName (string) | Name of attribute | ||
attributeValue (string) | Value of attribute | ||
tagName (string) | Name of tag |
HTML_Rule_TagRemoveAttribute¶
Matches on the specified tag name, attribute name, and attribute value, and then removes a specified attribute. Tag name, attribute name, and value are required.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
attributeName (string) | Name of the attribute to be removed | ||
match (HTML_Rule_TagRemoveAttribute_match) | Properties the rule is to match |
HTML_Rule_TagRemoveAttribute_match¶
HTML_Rule_TagRemoveAttribute match possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
attributeName (string) | Name of attribute | ||
attributeValue (string) | Value of attribute | ||
tagName (string) | Name of tag |
HTTP_Acceleration_Profile¶
HTTP acceleration profile with configurable options
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
agingRate (integer) | 9 | [0, 10] | Rate at which a cache entry ages |
cacheSize (integer) | 100 | [0, 4294967295] | The maximum size (in megabytes) for the cache. |
class (string) | “HTTP_Acceleration_Profile” | ||
ignoreHeaders (string) | “all” | “none”, “max-age”, “all” | Which cache disabling headers will be ignored by the system |
insertAgeHeaderEnabled (boolean) | true | true, false | Age and date headers are inserted into the response when enabled |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
maximumAge (integer) | 3600 | [0, 4294967295] | How long (in seconds) the system will consider the cached content valid |
maximumEntries (integer) | 10000 | [0, 4294967295] | The maximum number of entries that can reside in the cache |
maximumObjectSize (integer) | 50000 | [0, 4294967295] | The largest object (in bytes) that the system will cache |
metadataMaxSize (integer) | 25 | [0, 4294967295] | The maximum size (in megabytes) of the metadata cache |
minimumObjectSize (integer) | 500 | [0, 4294967295] | The smallest object (in bytes) that the system will cache |
parentProfile (Pointer_HTTP_Acceleration_Profile) | {“bigip”:”/Common/webacceleration”} | The profile that this profile inherits values from | |
uriExcludeList (array<string>) | A list of URIs that will be excluded from the cache | ||
uriIncludeList (array<string>) | A list of URIs that will be cacheable | ||
uriIncludeOverrideList (array<string>) | A list of URIs that should be cached even though they may normally not be due to existing constraints | ||
uriPinnedList (array<string>) | A list of URIs that are kept in the cache regardless of maxAge or expiry settings |
HTTP_Compress¶
HTTP Compression profile with configurable options
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowHTTP10 (boolean) | false | true, false | Specifies whether to forward HTTP 1.0 requests/responses (default false) |
bufferSize (integer) | 4096 | [256, 4294967295] | Maximum number of response octets to buffer before deciding whether to apply compression (default 4096) |
class (string) | “HTTP_Compress” | ||
contentTypeExcludes (array<string>) | regex: ^[^\x00-\x1f\x22\x7f-\xff]+$ | List of response Content-Type values which BIG-IP AS3 should not compress. Values are regular expressions that match Content-Type strings | |
contentTypeIncludes (array<string>) | text/, application/(xml|x-javascript) | regex: ^[^\x00-\x1f\x22\x7f-\xff]+$ | List of response Content-Type values which BIG-IP AS3 should compress. Values are regular expressions that match Content-Type strings |
cpuSaver (boolean) | true | true, false | If true (default), system will reduce compression rate when CPU utilization exceeds cpuSaverHigh threshold and increase it when CPU utilization falls below cpuSaverLow threshold |
cpuSaverHigh (integer) | 90 | [15, 99] | CPU utilization percentage (default 90) above which BIG-IP AS3 should moderate compression |
cpuSaverLow (integer) | 75 | [10, 95] | CPU utilization percentage (default 75) below which the system returns compression to normal |
gzipLevel (integer) | 1 | [1, 9] | Compression level (default 1); higher values produce greater compression but use more CPU cycles |
gzipMemory (integer) | 8 | [1, 256] | Compression memory allocation in kilobytes (default 8), should be a power of two |
gzipWindowSize (integer) | 16 | [1, 128] | Compression window size in kilobytes (default 16), should be a power of two |
keepAcceptEncoding (boolean) | false | true, false | Specifies that the system does not remove the Accept-Encoding header from an HTTP request (default false) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
minimumSize (integer) | 1024 | [128, 131072] | BIG-IP AS3 will not compress responses of fewer octets than this (default 1024) |
preferMethod (string) | “gzip” | “gzip”, “deflate” | Select preferred compression method (default gzip, strongly recommended) |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
selective (boolean) | false | true, false | If true, BIG-IP AS3 will only compress a response when an iRule attached to the virtual server requests it (default is false, meaning BIG-IP AS3 will compress responses which meet the criteria in this profile) |
uriExcludes (array<string>) | regex: ^[^\x00-\x1f\x7f-\xff]+$ | List of request URIs for which BIG-IP AS3 should not compress responses. Values are regular expressions that match request URI strings | |
uriIncludes (array<string>) | regex: ^[^\x00-\x1f\x7f-\xff]+$ | List of request URIs for which BIG-IP AS3 should compress responses. Values are regular expressions that match URI strings | |
varyHeader (boolean) | true | true, false | If true (default), a Vary header will appear in compressed responses |
HTTP_Profile¶
HTTP profile with configurable options
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowBlankSpaceAfterHeaderName (boolean) | false | true, false | Specifies whether to allow blank space in an HTTP header between the header name and the separator colon in an HTTP request or response. Requires TMOS version 16.1 or newer. |
allowedResponseHeaders (array<string>) | regex: ^[^\x00-\x20\x22:\x5c\x7f-\xff]+$ | By default BIG-IP AS3 passes HTTP headers in responses from pool members to clients unaltered. You may list names of allowed response headers here and BIG-IP AS3 removes any you do not list from responses. | |
badRequestMessage (string) | “<html><head><title>Bad Request</title></head><body><h2>Invalid proxy request</h2></body></html>” | Message returned to client when proxy request is erroneous. May include iRules TCL expressions | |
badResponseMessage (string) | “<html><head><title>Bad Response</title></head><body><h2>Proxy request provoked invalid response</h2></body></html>” | Message returned to client when proxy request is erroneous. May include iRules TCL expressions | |
class (string) | “HTTP_Profile” | ||
connectErrorMessage (string) | “<html><head><title>Connection Error</title></head><body><h2>Unable to connect to host in proxy request</h2></body></html>” | Message returned to client when the system cannot establish a proxy connection. May include iRules TCL expressions | |
cookiePassphrase (HTTP_Profile_cookiePassphrase) | Used to create secret key for cookie encryption (when missing, BIG-IP AS3 uses a system-generated key) | ||
defaultConnectAction (string) | “deny” | “deny”, “allow” | By default (value ‘deny’) the system refuses CONNECT requests from clients except when there is a virtual server listening to the tunnelName tunnel to accept and process them (typically to authorize and/or intercept outbound TLS connections). Value ‘allow’ will let clients CONNECT to arbitrary remote services |
dnsErrorMessage (string) | “<html><head><title>DNS Resolution Error</title></head><body><h2>Cannot resolve hostname in proxy request</h2></body></html>” | Message returned to the client when the system cannot resolve the hostname in the request. May include iRules TCL expressions | |
doNotProxyHosts (array<string>) | none | When a client makes a (proxy-type) request to some host on this list, that request will simply be load-balanced to a pool member (without DNS resolution). This is ineffective for HTTPS requests | |
encryptCookies (array<string>) | regex: ^[^\x00-\x20\x22=\x5c\x7f-\xff]+$ | List cookies to encrypt en-route to the client and decrypt en-route to a pool member | |
enforceRFCCompliance (boolean) | false | true, false | BIG-IP LTM performs basic RFC compliance checks as described in the latest RFC for the HTTP protocol. If a client request fails these checks, then the connection is reset. Requires TMOS version 15.0 or newer. |
excessClientHeaders (string) | “pass-through” | “pass-through”, “reject” | When a client request violates maxHeaderCount, either switch to pass-through mode (default) or reject the connection |
excessServerHeaders (string) | “pass-through” | “pass-through”, “reject” | When a pool member response violates maxHeaderCount, either switch to pass-through mode (default) or reject the connection |
fallbackRedirect (string) | Domain name (or IP address) of service (if any) to which BIG-IP AS3 should redirect a request when no pool member is responsive or selected pool member returns a fallbackStatusCode | ||
fallbackStatusCodes (array<integer>) | [100, 999] | When a pool member responds to a request with one of these HTTP status codes (for example, 500), redirect the client to the fallbackRedirect | |
hstsIncludeSubdomains (boolean) | true | true, false | If true then HSTS headers (see hstsInsert) will tell clients to apply HSTS settings to the hostnames of this service and all their possible subdomains. Warning: an incorrect value here can make multiple websites unreachable, not just this service |
hstsInsert (boolean) | false | true, false | If true, insert HSTS (HTTP Strict Transport Security) headers into responses sent to clients (default false). Warning: misconfiguration of HSTS can make a website unreachable |
hstsPeriod (integer) | 7862400 | [0, 4294967295] | If hstsInsert is true, this value tells each client how long (in seconds; default 7862400 equals 91 days) to wait before refreshing HSTS settings for this service. Warning: once a client receives erroneous HSTS settings it will ignore any attempt to correct them until this period has expired |
hstsPreload (boolean) | false | true, false | If true, include the domain for the web site associated with this HTTP profile in the browser’s preload list. This forces the client to send packets over SSL/TLS. |
insertHeader (HTTP_Profile_insertHeader) | You may insert one header into each request before BIG-IP AS3 sends it to a pool member. The header value may be a simple string or the result of an iRules TCL expression (for example, [IP::client_addr]). This is the most efficient way to insert a single header; to insert multiple headers use an iRule or an Endpoint policy | ||
ipv6 (boolean) | false | true, false | Specifies the relative order of IPv4 and IPv6 DNS resolutions for URIs. If false (default), then the system performs IPv4 lookup before IPv6. |
knownMethods (array<string>) | CONNECT, DELETE, GET, HEAD, LOCK, OPTIONS, POST, PROPFIND, PUT, TRACE, UNLOCK | regex: ^[A-Z0-9]+$ | List of HTTP request methods BIG-IP AS3 should recognize as normal. Any method not in this list will provoke the ‘unknownMethodAction’ action |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
maxHeaderCount (integer) | 64 | [1, 1024] | When the number of headers in an incoming HTTP request exceeds this value, discard the request and reset the client connection |
maxHeaderSize (integer) | 32768 | [9, 262144] | When the total size in octets of the headers of an incoming HTTP request exceeds this value, discard the request and reset the client connection |
maxRequests (integer) | 0 | [0, 2147483647] | When BIG-IP AS3 has processed more than this number of requests through a connection, the system closes it. Default 0 means permit unlimited requests |
multiplexStatusReuse (string) | “200 206” | regex: ^([24]\d\d\s?)+$ | Specifies what status codes will reuse connections from Multiplex. Default value is 200 206. |
multiplexTransformations (boolean) | true | true, false | If true (default), BIG-IP AS3 adjusts request headers to work properly when the virtual server uses a Multiplex profile |
otherXFF (array<string>) | regex: ^[^\x00-\x20\x22:\x5c\x7f-\xff]+$ | Names of request headers to treat as equivalent to X-Forwarded-For (see trustXFF) | |
oversizeClientHeaders (string) | “pass-through” | “pass-through”, “reject” | When a client request violates maxHeaderSize, either switch to pass-through mode (default) or reject the connection |
oversizeServerHeaders (string) | “pass-through” | “pass-through”, “reject” | When a pool member response violates maxHeaderSize, either switch to pass-through mode (default) or reject the connection |
pipelineAction (string) | “allow” | “allow”, “reject”, “pass-through” | Default ‘allow’ means clients may pipeline HTTP/1.1 requests to pool members which support pipelining. Otherwise, ‘reject’ prevents pipelining, and ‘pass-through’ causes the connection to switch to pass-through mode when the system detects pipelining |
profileWebSocket (Pointer_WebSocket_Profile) | Deprecated. Specifies the WebSocket profile that will be used on Services alongside this HTTP profile. When the ‘profileWebSocket’ property is used on a Service, it will supersede this property. | ||
proxyConnectEnabled (boolean) | false | true, false | Determines if a proxy connection profile will be created |
proxyType (string) | “reverse” | “reverse”, “transparent”, “explicit” | Default value ‘reverse’ is usually appropriate. You may use ‘transparent’ when virtual server will handle a mix of HTTP and non-HTTP traffic. You may use ‘explicit’ when clients will ask ADC to proxy connections to arbitrary remote services |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
requestChunking (string) | “preserve” | “selective”, “preserve”, “rechunk”, “sustain” | Controls handling of HTTP payload chunking in requests from clients (default is ‘preserve’). Note: ‘selective’ and ‘preserve’ will be translated to ‘sustain’ when TMOS version is 15.0 or newer and ‘sustain’ will be translated to ‘preserve’ on older TMOS versions. |
resolver (HTTP_Profile_resolver) | BIG-IP AS3 pointer to DNS resolver used to resolve hostnames in client requests | ||
responseChunking (string) | “selective” | “selective”, “preserve”, “unchunk”, “rechunk”, “sustain” | Controls handling of HTTP payload chunking in responses from pool members (default ‘selective’ adapts to most situations). Note: ‘selective’ and ‘preserve’ will be translated to ‘sustain’ when TMOS version is 15.0 or newer and ‘sustain’ will be translated to ‘selective’ on older TMOS versions. |
rewriteRedirects (string) | “none” | “none”, “all”, “matching”, “addresses” | In selected Location-header values (default none) of redirect responses from pool members, change protocol HTTP to HTTPS before passing redirects to clients |
routeDomain (integer | string) | 0 | Proxy requests will leave the ADC from a Self IP in this route domain (default 0) | |
serverHeaderValue (string) | “BigIP” | Server header value to place in responses generated by the ADC itself (not obtained from a pool member) | |
truncatedRedirects (boolean) | false | true, false | If false (default) elide malformed redirects from pool members, otherwise pass them to client |
trustXFF (boolean) | false | true, false | If true, WAF (ASM) and AVR may trust X-Forwarded-For headers found in incoming requests and report statistics using client IP addresses appearing in them (default false). Use this feature only when you control upstream gateway(s) |
tunnelName (string) | “http-tunnel” | Name of tunnel used for outbound CONNECT requests | |
unknownMethodAction (string) | “allow” | “allow”, “reject”, “pass-through” | Default ‘allow’ means clients may make HTTP requests using unknown methods. Otherwise, ‘reject’ means to discard any unknown-method request and reject the client connection, and ‘pass-through’ causes the connection to switch to pass-through mode upon the first unknown-method request |
viaHost (string) | Hostname to place in Via header when viaRequest or viaResponse is ‘append’ | ||
viaRequest (string) | “remove” | “append”, “preserve”, “remove” | Controls treatment of Via: headers in requests from clients. When set to ‘append’ BIG-IP AS3 requires viaHost |
viaResponse (string) | “remove” | “append”, “preserve”, “remove” | Controls treatment of Via: headers in responses from pool members. When set to ‘append’ BIG-IP AS3 requires viaHost |
webSocketMasking (string) | “unmask” | “preserve”, “remask”, “selective”, “unmask” | Deprecated. WebSocket stream data is always masked from client to ADC and from ADC to server. Default value ‘unmask’ makes stream data passing through visible to ADC security policy and/or iRules attached to the service. ‘selective’ unmasks stream data only when a security policy is attached. ‘preserve’ passes data through masked (unreadable by security policy). ‘remask’ causes different masking keys to be used on client and server sides. When specified the property ‘profileWebSocket’ supersedes this property. |
webSocketsEnabled (boolean) | false | true, false | Deprecated. When true, allow clients to initiate WebSocket connections (default false). When specified the property ‘profileWebSocket’ supersedes this property. |
whiteOutHeader (string) | regex: ^[^\x00-\x20\x22:\x5c\x7f-\xff]+$ | You may name one request header you want whited-out of each request before BIG-IP AS3 sends it to a pool member. To remove more than a single named header, use an iRule or an Endpoint policy. (Whiting-out a header leaves its name but replaces its value in the request with space characters (ASCII 0x20) to avoid changing the length of the headers.) | |
xForwardedFor (boolean) | true | true, false | If true, insert an X-Forwarded-For header carrying the client IP address into each HTTP request sent to a pool member (default true) |
HTTP_Profile_cookiePassphrase
HTTP_Profile cookiePassphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the ‘protected’ property empty or do not modify the default value. The ‘protected’ property is a marker: changing it from the default indicates that your secrets have been encrypted with SecureVault. For example, the default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (the encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, used with the secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
HTTP_Profile_insertHeader
HTTP_Profile insertHeader possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (string) | regex: ^[^\x00-\x20\x22:\x5c\x7f-\xff]+$ | Name of the HTTP header to insert | |
value (string) | regex: ^[^\x00-\x1f\x7f-\xff]*$ | Value of the HTTP header to insert |
HTTP_Profile_resolver
HTTP_Profile resolver possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP net DNS resolver |
HTTP_Profile_Explicit
Extra HTTP profile configurable options when proxyType is ‘explicit’
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
badRequestMessage (string) | “<html><head><title>Bad Request</title></head><body><h2>Invalid proxy request</h2></body></html>” | Message returned to client when proxy request is erroneous. May include iRules TCL expressions | |
badResponseMessage (string) | “<html><head><title>Bad Response</title></head><body><h2>Proxy request provoked invalid response</h2></body></html>” | Message returned to client when proxy request is erroneous. May include iRules TCL expressions | |
connectErrorMessage (string) | “<html><head><title>Connection Error</title></head><body><h2>Unable to connect to host in proxy request</h2></body></html>” | Message returned to client when the system cannot establish a proxy connection. May include iRules TCL expressions | |
defaultConnectAction (string) | “deny” | “deny”, “allow” | By default (value ‘deny’) the system refuses CONNECT requests from clients except when there is a virtual server listening to the tunnelName tunnel to accept and process them (typically to authorize and/or intercept outbound TLS connections). Value ‘allow’ will let clients CONNECT to arbitrary remote services |
dnsErrorMessage (string) | “<html><head><title>DNS Resolution Error</title></head><body><h2>Cannot resolve hostname in proxy request</h2></body></html>” | Message returned to the client when the system cannot resolve the hostname in the request. May include iRules TCL expressions | |
doNotProxyHosts (array<string>) | none | When a client makes a (proxy-type) request to some host on this list, that request will simply be load-balanced to a pool member (without DNS resolution). This is ineffective for HTTPS requests | |
ipv6 (boolean) | false | true, false | Specifies the relative order of IPv4 and IPv6 DNS resolutions for URIs. If false (default), then the system performs IPv4 lookup before IPv6. |
maxHeaderCount (integer) | 64 | [1, 1024] | When the number of headers in an incoming HTTP request exceeds this value, discard the request and reset the client connection |
maxHeaderSize (integer) | 32768 | [9, 262144] | When the total size in octets of the headers of an incoming HTTP request exceeds this value, discard the request and reset the client connection |
resolver (HTTP_Profile_Explicit_resolver) | BIG-IP AS3 pointer to DNS resolver used to resolve hostnames in client requests | ||
routeDomain (integer | string) | 0 | Proxy requests will leave the ADC from a Self IP in this route domain (default 0) | |
truncatedRedirects (boolean) | false | true, false | If false (default) elide malformed redirects from pool members, otherwise pass them to client |
tunnelName (string) | “http-tunnel” | Name of tunnel used for outbound CONNECT requests |
HTTP_Profile_Explicit_resolver
HTTP_Profile_Explicit resolver possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP net DNS resolver |
HTTP_Profile_Reverse
Extra HTTP profile configurable options when proxyType is ‘reverse’
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
maxHeaderCount (integer) | 64 | [1, 1024] | When the number of headers in an incoming HTTP request exceeds this value, discard the request and reset the client connection |
maxHeaderSize (integer) | 32768 | [9, 262144] | When the total size in octets of the headers of an incoming HTTP request exceeds this value, discard the request and reset the client connection |
truncatedRedirects (boolean) | false | true, false | If false (default) elide malformed redirects from pool members, otherwise pass them to client |
HTTP_Profile_Transparent
Extra HTTP profile configurable options when proxyType is ‘transparent’
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
excessClientHeaders (string) | “pass-through” | “pass-through”, “reject” | When a client request violates maxHeaderCount, either switch to pass-through mode (default) or reject the connection |
excessServerHeaders (string) | “pass-through” | “pass-through”, “reject” | When a pool member response violates maxHeaderCount, either switch to pass-through mode (default) or reject the connection |
maxHeaderCount (integer) | 32 | [1, 1024] | When the number of headers in a request or response exceeds this value (default 32), take the excessX…Headers action |
maxHeaderSize (integer) | 16384 | [9, 262144] | When the total size in octets of the headers of request or response exceeds this value (default 16384), take the oversizeX…Headers action |
oversizeClientHeaders (string) | “pass-through” | “pass-through”, “reject” | When a client request violates maxHeaderSize, either switch to pass-through mode (default) or reject the connection |
oversizeServerHeaders (string) | “pass-through” | “pass-through”, “reject” | When a pool member response violates maxHeaderSize, either switch to pass-through mode (default) or reject the connection |
truncatedRedirects (boolean) | true | true, false | If true (default) pass malformed redirects to client |
HTTP2_Profile
Profile to enable HTTP2
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
activationMode (string) | “alpn” | “alpn”, “always” | This setting specifies the condition that will cause the BIG-IP system to handle an incoming connection as an HTTP/2 connection. |
class (string) | “HTTP2_Profile” | ||
concurrentStreamsPerConnection (integer) | 10 | [1, 256] | The number of concurrent connections to allow on a single HTTP/2 connection. |
connectionIdleTimeout (integer) | 300 | [1, 4294967295] | The number of seconds that an HTTP/2 connection is left open idly before it is closed. |
enforceTlsRequirements (boolean) | true | true, false | Enable or disable enforcement of TLS requirements. |
frameSize (integer) | 2048 | [1024, 16384] | The size of the data frames, in bytes, that the HTTP/2 protocol sends to the client. |
headerTableSize (integer) | 4096 | [0, 65535] | The size of the header table, in KB, for the HTTP headers that the HTTP/2 protocol compresses to save bandwidth. |
includeContentLength (boolean) | false | true, false | Enable to include content-length in HTTP/2 headers. |
insertHeader (boolean) | false | true, false | This setting specifies whether the BIG-IP system should add an HTTP header to the HTTP request to show that the request was received over HTTP/2. |
insertHeaderName (string) | “X-HTTP2” | This setting specifies the name of the header that the BIG-IP system will add to the HTTP request when the Insert Header is enabled. | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
receiveWindow (integer) | 32 | [16, 128] | The flow-control size for upload streams, in KB. |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
writeSize (integer) | 16384 | [2048, 32768] | The total size of combined data frames, in bytes, that the HTTP/2 protocol sends in a single write function. |
ICAP_Profile
Configures an ICAP profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “ICAP_Profile” | ||
fromHeader (string) | Specifies the ‘From’ attribute to use in the ICAP header | ||
hostHeader (string) | Specifies the ‘Host’ attribute to use in the ICAP header | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
previewLength (integer) | 0 | [0, 4294967295] | Specifies the length of the preview in the transaction |
refererHeader (string) | Specifies the ‘Referer’ attribute to use in the ICAP header | ||
uri (string) | Specifies the absolute URI that contains both the complete hostname and the path of the resource to use in the ICAP header. Macro expansion is supported for all attribute values in the ICAP header (e.g. icap://${SERVER_IP}:${SERVER_PORT}/videoOptimization) | ||
userAgentHeader (string) | Specifies the ‘User-Agent’ attribute to use in the ICAP header |
Idle_Timeout_Policy
Destination port based idle timeout policy
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Idle_Timeout_Policy” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
rules (array<Idle_Timeout_Rule>) | List of idle timeout rules |
Idle_Timeout_Rule
Idle timeout rule
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
destinationPorts (array<integer | string>) | [-infinity, infinity] | List of ports, port ranges (for example, 80, “8080-8090”), or “all-other”. | |
idleTimeout (integer | string) | “unspecified” | [-infinity, infinity] | Idle timeout in seconds |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
name (string) | regex: ^[A-Za-z_][0-9A-Za-z_/-]*$ | Idle timeout rule name | |
protocol (string) | “all-other” | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
iFile
An iFile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “iFile” | ||
iFile (F5string | reference) | Reference to an iFile | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
Include
Defines inclusion of one part of the schema into another
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
include (string | array<string>) | Keyword to allow for inclusion of one part of the declaration into another |
IP_Other_Profile
Configures a generic IP profile for non-TCP and non-UDP traffic
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “IP_Other_Profile” | ||
idleTimeout (integer | integer | string) | 60 | [0, 4294967295], “indefinite”, “immediate” | Specifies the number of seconds a connection can be idle before the connection is eligible for deletion |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
parentProfile (Pointer_IP_Other_Profile) | {"bigip":"/Common/ipother"} | Specifies the name of the object to inherit the settings from | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
IRule
iRule definition with configurable options
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “iRule” | ||
expand (boolean) | true | true, false | If true (default), expand backquoted variables in iRule |
iRule (IRule_Core) | |||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
JWE
A value in a cryptogram which is a Flattened JWE JSON Serialization object. If ‘miniJWE’ is true then enc=(none|f5sv) only (in JOSE header)
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the ‘protected’ property empty or do not modify the default value. The ‘protected’ property is a marker: changing it from the default indicates that your secrets have been encrypted with SecureVault. For example, the default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (the encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, used with the secret simply base64url-encoded into ‘ciphertext’). |
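The ‘protected’ marker described for JWE and HTTP_Profile_cookiePassphrase can be checked mechanically before a declaration is committed or deployed. The following is an added example, not F5 code: it walks a declaration, decodes each ‘protected’ JOSE header, and reports whether the secret is only base64url-encoded (enc=none) or a SecureVault cryptogram (enc=f5sv). The function names, the sample declaration and its tenant, application and profile names are constructed for illustration.

```python
import base64
import json

# Default marker from the schema table; decodes to {"alg":"dir","enc":"none"}.
DEFAULT_PROTECTED = "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
# Marker the table gives for a SecureVault cryptogram; decodes to enc "f5sv".
SECUREVAULT_PROTECTED = "eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0"


def b64url_encode(raw):
    """Encode bytes as unpadded base64url, the form JOSE values use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Decode base64url text that may lack '=' padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def classify_jwe(obj):
    """Classify one JWE-style object by its 'protected' header.

    Returns 'encoded-only' (secret recoverable by anyone who can read the
    declaration), 'securevault', or 'invalid: <reason>'.
    """
    # An absent or empty 'protected' means the schema default, enc=none.
    protected = obj.get("protected") or DEFAULT_PROTECTED
    try:
        header = json.loads(b64url_decode(protected))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "invalid: protected is not base64url-encoded JSON"
    if not isinstance(header, dict):
        return "invalid: JOSE header is not an object"
    if header.get("alg") != "dir":
        return "invalid: alg must be dir"
    enc = header.get("enc", "none")
    if enc == "none":
        return "encoded-only"
    if enc == "f5sv":
        return "securevault"
    return "invalid: enc=%r is not none or f5sv" % (enc,)


def find_jwe_objects(node, path=""):
    """Yield (path, object) for every dict that has a 'ciphertext' property."""
    if isinstance(node, dict):
        if "ciphertext" in node:
            yield path, node
        for key, value in node.items():
            yield from find_jwe_objects(value, path + "/" + key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_jwe_objects(value, "%s/%d" % (path, index))


def audit(declaration):
    """Map each JWE object's path to its classification; secrets are never returned."""
    return {p: classify_jwe(o) for p, o in find_jwe_objects(declaration)}


# Constructed sample declaration; all names and secret values are made up.
SAMPLE = {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "Sample_Tenant": {
        "class": "Tenant",
        "Sample_App": {
            "class": "Application",
            "profileA": {  # default marker: secret is only encoded
                "class": "HTTP_Profile",
                "cookiePassphrase": {
                    "ciphertext": b64url_encode(b"constructed-secret"),
                    "protected": DEFAULT_PROTECTED,
                },
            },
            "profileB": {  # SecureVault marker with a placeholder cryptogram
                "class": "HTTP_Profile",
                "cookiePassphrase": {
                    "ciphertext": "PLACEHOLDER_CRYPTOGRAM",
                    "protected": SECUREVAULT_PROTECTED,
                },
            },
            "profileC": {  # 'protected' omitted: the default (enc=none) applies
                "class": "HTTP_Profile",
                "cookiePassphrase": {
                    "ciphertext": b64url_encode(b"another-constructed-secret"),
                },
            },
        },
    },
}

if __name__ == "__main__":
    for jwe_path, verdict in sorted(audit(SAMPLE).items()):
        print(jwe_path, "->", verdict)
```

Any path reported as encoded-only holds a secret that a reader of the declaration file can recover, so such declarations need the same access controls as the secrets themselves.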
L4_Profile
Configures a Fast Layer 4 profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “L4_Profile” | ||
clientTimeout (integer) | 30 | [-1, 86400] | Number of seconds allowed for a client to transmit enough data to select a server when you have late binding enabled. Value -1 means indefinite (not recommended) |
idleTimeout (integer) | 300 | [-infinity, infinity] | Number of seconds (default 300; may not be 0) connection may remain idle before it becomes eligible for deletion. Value -1 (not recommended) means infinite |
keepAliveInterval (integer) | 0 | [0, 4294967295] | Number of seconds between keep-alive probes. A value of 0 seconds disables the feature. |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
looseClose (Property_Loose_Close) | false | ||
looseInitialization (Property_Loose_Initialization) | false | ||
maxSegmentSize (integer) | 0 | [-infinity, infinity] | Sets MSS advertised to peer. Value 0 (default) will set MSS automatically in proportion to interface MTU. Default 0 is usually the best choice |
pvaAcceleration (Property_PVA_Acceleration) | “full” | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
resetOnTimeout (Property_Reset_On_Timeout) | true | ||
synCookieAllowlist (boolean) | false | true, false | Specifies whether or not to use a SYN Cookie Allowlist when doing software SYN Cookies. This means not doing a SYN Cookie for the same src IP address if it has been done already in the previous tm.flowstate.timeout (30) seconds. The default value is disabled. |
synCookieEnable (boolean) | true | true, false | Enables syn-cookies capability on this virtual server. If true (default), the system may use SYN cookies to avert connection-table overflow (for example, from DoS attacks) |
tcpCloseTimeout (Property_TCP_Close_Timeout) | 5 | ||
tcpHandshakeTimeout (Property_TCP_Handshake_Timeout) | 5 |
Log_Destination
Configures a log destination
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | format: f5ip | Specifies the IP address that will receive messages from the specified local Log Destination | |
class (string) | “Log_Destination” | ||
defaultFacility (string) | “local0” | “local0”, “local1”, “local2”, “local3”, “local4”, “local5”, “local6”, “local7” | Specifies the facility given to log messages received that do not already have a facility listed |
defaultSeverity (string) | “info” | “alert”, “crit”, “debug”, “emerg”, “err”, “info”, “notice”, “warn” | Specifies the severity given to log messages received that do not already have a severity listed |
distribution (string) | “adaptive” | “adaptive”, “balanced”, “replicated” | Specifies the distribution method used to send messages to pool members |
format (string) | “rfc3164” | “legacy-bigip”, “rfc3164”, “rfc5424” | Specifies the method to use to format the logs |
forwardTo (Pointer_Log_Destination) | Specifies the log destination to which logs are forwarded | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
pool (Pointer_Pool) | |||
port (integer) | [0, 65535] | Specifies the port of the IP address that will receive messages from the specified local Log Destination | |
protocol (string) | “tcp” | “tcp”, “udp” | Specifies the protocol for the system to use to send logs to the specified location |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
remoteHighSpeedLog (Pointer_BIGIP_Or_Use | Log_Destination_remoteHighSpeedLog) | Specifies a remote high-speed log destination, which the system uses to forward the logs to a pool of remote log servers | ||
type (string) | “management-port”, “remote-high-speed-log”, “remote-syslog”, “splunk” | The type of the log destination |
Log_Destination_remoteHighSpeedLog
Log_Destination remoteHighSpeedLog possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | Path to BIG-IP object | ||
use (Property_Use) |
Log_Destination_Management_Port
Sends received messages to a specified IP address and port through the management interface
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | format: f5ip | Specifies the IP address that will receive messages from the specified local Log Destination | |
port (integer) | [0, 65535] | Specifies the port of the IP address that will receive messages from the specified local Log Destination | |
protocol (string) | “tcp” | “tcp”, “udp” | Specifies the protocol for the system to use to send logs to the specified location |
Log_Destination_Remote_High_Speed_Log
Sends received messages to a specified pool
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
distribution (string) | “adaptive” | “adaptive”, “balanced”, “replicated” | Specifies the distribution method used to send messages to pool members |
pool (Pointer_Pool) | |||
protocol (string) | “tcp” | “tcp”, “udp” | Specifies the protocol for the system to use to send logs to the pool |
Log_Destination_Remote_Syslog
Configures Remote Syslog destinations to format log messages into Syslog format and forward them to a Remote High-Speed Log destination
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
defaultFacility (string) | “local0” | “local0”, “local1”, “local2”, “local3”, “local4”, “local5”, “local6”, “local7” | Specifies the facility given to log messages received that do not already have a facility listed |
defaultSeverity (string) | “info” | “alert”, “crit”, “debug”, “emerg”, “err”, “info”, “notice”, “warn” | Specifies the severity given to log messages received that do not already have a severity listed |
format (string) | “rfc3164” | “legacy-bigip”, “rfc3164”, “rfc5424” | Specifies the method to use to format the logs |
remoteHighSpeedLog (Pointer_BIGIP_Or_Use | Log_Destination_Remote_Syslog_remoteHighSpeedLog) | Specifies a remote high-speed log destination, which the system uses to forward the logs to a pool of remote log servers |
Log_Destination_Remote_Syslog_remoteHighSpeedLog
Log_Destination_Remote_Syslog remoteHighSpeedLog possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | Path to BIG-IP object | ||
use (Property_Use) |
Log_Destination_Splunk
Configures Splunk formatting destinations to format incoming log messages into Splunk format
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
forwardTo (Pointer_Log_Destination) | Specifies the log destination to which logs are forwarded |
Log_Publisher
Configures lists of destinations for the common logging interface
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Log_Publisher” | ||
destinations (array<Pointer_Log_Destination>) | Specifies log destinations for this log publisher to use | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
Monitor
Declares a (possibly complex) monitor
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
acceptRCODE (string) | “no-error” | “anything”, “no-error” | Specifies the RCODE required in the response for an up status |
adaptive (boolean) | false | true, false | If true, use adaptive probe timing |
adaptiveDivergenceMilliseconds (integer) | 500 | [1, 10000] | Probe fails if response latency exceeds mean by this number of milliseconds |
adaptiveDivergencePercentage (integer) | 100 | [1, 500] | Probe fails if response latency exceeds mean by this percentage |
adaptiveDivergenceType (string) | “relative” | “absolute”, “relative” | Adaptive divergence, ‘absolute’ selects milliseconds, ‘relative’ (default) selects percentage |
adaptiveLimitMilliseconds (integer) | 1000 | [1, 10000] | Probe fails if response latency exceeds this number of milliseconds |
adaptiveWindow (integer) | 180 | [60, 1800] | Time window over which the system samples latency (seconds) |
answerContains (string) | “query-type” | “any-type”, “anything”, “query-type” | Specifies the type of DNS query that the monitor sends |
arguments (string) | “” | Arguments to specified external monitor (will be backquote-expanded) | |
base (string) | Specifies the location in the LDAP tree from which the monitor starts the health check | ||
chaseReferrals (boolean) | true | true, false | Specifies whether, upon receipt of an LDAP referral entry, the referral is followed |
ciphers (string) | “DEFAULT” | Ciphersuite selection string | |
class (string) | “Monitor” | ||
clientCertificate (string) | BIG-IP AS3 pointer to client Certificate declaration, for TLS authentication (optional) | ||
clientTLS (Pointer_TLS_Client) | BIG-IP AS3 pointer to client TLS Profile | ||
codesDown (array<integer>) | [0, infinity] | List of status codes meaning service is down (0 matches any code) | |
codesUp (array<integer>) | [0, infinity] | List of additional (to all 1/2/3xx) status codes meaning service is up (0 matches any code) | |
count (integer) | 0 | [0, 2147483647] | Number of monitor probes after which the connection to the database will be terminated. Count value of zero indicates that the connection will never be terminated. |
database (string) | The name of the database with which the monitor attempts to communicate. | ||
domain (string) | “” | format: hostname | Mail domain to check, if any (backquote-expanded) |
dscp (integer) | 0 | [0, 63] | Value for IP DSCP (ex-TOS) field (default 0) |
environmentVariables (Monitor_environmentVariables) | {} | Specifies user defined command line parameters that the external program requires. | |
expand (boolean) | true | true, false | If true (default), expand backquoted variables in script |
failureInterval (integer) | 30 | [2, 1000] | Specifies an interval, in seconds. If the number of failures specified in the failures option occurs within this interval, the system marks the pool member as being unavailable. |
failures (integer) | 3 | [0, 1000] | Specifies the number of failures that the system allows to occur, within the time period specified in the failureInterval property, before marking a pool member unavailable. The multiple tmm processes use a per-process number to calculate failures, depending on the specified load. For example, for the Round Robin load balancing method, if there are N tmm processes and M pool members, and the Failures property is set to L, then up to N*M*L+1 failures can occur before the system marks the node as down. Specifying a value of 0 disables this option. A failure can be either a failure to connect or a failure of the pool member to respond within the time specified in the responseTime property. |
filename (string) | Specifies the full path and file name of the file that the system attempts to download. The health check is successful if the system can download the file. | ||
filter (string) | Specifies an LDAP key which the monitor searches | ||
headers (string) | “” | SIP headers to send in probes (if any); separate by newlines (backquote-expanded) | |
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
mandatoryAttributes (boolean) | false | true, false | Specifies whether the target must include attributes in its response to be considered up |
mode (string) | “passive” | “passive”, “port” | Specifies the data transfer process (DTP) mode. The default value is passive. |
monitorType (string) | “dns”, “external”, “ftp”, “http”, “https”, “http2”, “icmp”, “inband”, “ldap”, “mysql”, “postgresql”, “radius”, “sip”, “smtp”, “tcp”, “tcp-half-open”, “udp” | Specifies the type of monitor | |
nasIpAddress (string) | format: f5ip | Specifies the network access server’s IP address (NAS IP address) for a RADIUS monitor | |
passphrase (Monitor_passphrase) | Passphrase if any for query authentication | ||
pathname (string) | Tmsh object path name of an imported existing external monitor (e.g. /Common/arg_example) | ||
protocol (string) | “udp” | “sips”, “tcp”, “tls”, “udp” | SIP transport protocol |
queryName (string) | Specifies a query name for the monitor to use in a DNS query | ||
queryType (string) | “a” | “a”, “aaaa” | Specifies the type of DNS query that the monitor sends. |
receive (string) | IP address that the monitor uses from the resource records sections of the DNS response | ||
receiveColumn (integer) | [1, 4096] | Specifies the column in the database where the system expects the specified Receive String to be located. Specify this property only if you configure the Send and Receive properties. | |
receiveDown (string) | “” | Mark node down upon receipt of this (backquote-expanded) string (optional; must be empty when ‘reverse’ is true) | |
receiveRow (integer) | [1, 65535] | Specifies the row in the database where the system expects the specified Receive String to be located. Specify this property only if you configure the Send and Receive properties. | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
request (string) | “” | SIP request to send in probes (default empty) | |
responseTime (integer) | 10 | [0, 5000] | Specifies an amount of time, in seconds. If the pool member does not respond with data after the specified amount of time has passed, the number of failures in this interval increments by 1. Specifying a value of 0 disables this option. |
retryTime (integer) | 300 | [0, 5000] | Specifies the amount of time in seconds after the pool member has been marked unavailable before the system retries to connect to the pool member. Specifying a value of 0 disables this option. |
reverse (boolean) | false | true, false | If true, mark node down upon receipt of ‘receive’ string |
script (F5_String | reference | reference) | Bash(1) script which implements external monitor | ||
secret (Monitor_secret) | Specifies the secret the monitor needs to access the resource | ||
security (string) | “none” | “none”, “ssl”, “tls” | Specifies the secure protocol type for communications with the target |
send (string) | “HEAD / HTTP/1.0\r\n\r\n” | Send this (backquote-expanded) string to query node | |
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
transparent (boolean) | false | true, false | If true, treat pool member address as gateway to server (node) (default false) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
username (string) | Username if any for query authentication |
Monitor_passphrase¶
Monitor passphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the property protected empty or not modify the default value. This property protected is a marker. Changing this value from the default indicates that your secrets have been encrypted with SecureVault. E.g. default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, use with secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
Monitor_secret¶
Monitor secret possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the property protected empty or not modify the default value. This property protected is a marker. Changing this value from the default indicates that your secrets have been encrypted with SecureVault. E.g. default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, use with secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
Monitor_DNS¶
Additional Monitor class properties available when monitorType = dns
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
acceptRCODE (string) | “no-error” | “anything”, “no-error” | Specifies the RCODE required in the response for an up status |
adaptive (boolean) | false | true, false | If true, use adaptive probe timing |
adaptiveDivergenceMilliseconds (integer) | 500 | [1, 10000] | Probe fails if response latency exceeds mean by this number of milliseconds |
adaptiveDivergencePercentage (integer) | 100 | [1, 500] | Probe fails if response latency exceeds mean by this percentage |
adaptiveDivergenceType (string) | “relative” | “absolute”, “relative” | Adaptive divergence, ‘absolute’ selects milliseconds, ‘relative’ (default) selects percentage |
adaptiveLimitMilliseconds (integer) | 1000 | [1, 10000] | Probe fails if response latency exceeds this number of milliseconds |
adaptiveWindow (integer) | 180 | [60, 1800] | Time window over which the system samples latency (seconds) |
answerContains (string) | “query-type” | “any-type”, “anything”, “query-type” | Specifies the type of DNS query that the monitor sends |
class (string) | “Monitor” | ||
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
monitorType (string) | Specifies the type of monitor | ||
queryName (string) | Specifies a query name for the monitor to use in a DNS query | ||
queryType (string) | “a” | “a”, “aaaa” | Specifies the type of DNS query that the monitor sends. |
receive (string) | IP address that the monitor uses from the resource records sections of the DNS response | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
reverse (boolean) | false | true, false | If true, mark node down upon receipt of ‘receive’ string |
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
transparent (boolean) | false | true, false | If true, treat pool member address as gateway to server (node) (default false) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
Monitor_External¶
Monitor External definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
arguments (string) | “” | Arguments to specified external monitor (will be backquote-expanded) | |
class (string) | “Monitor” | ||
environmentVariables (Monitor_External_environmentVariables) | {} | Specifies user defined command line parameters that the external program requires. | |
expand (boolean) | true | true, false | If true (default), expand backquoted variables in script |
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
monitorType (string) | Specifies the type of monitor | ||
pathname (string) | Tmsh object path name of an imported existing external monitor (e.g. /Common/arg_example) | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
script (F5_String | reference | reference) | Bash(1) script which implements external monitor | ||
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
Monitor_FTP¶
Monitor FTP definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Monitor” | ||
filename (string) | Specifies the full path and file name of the file that the system attempts to download. The health check is successful if the system can download the file. | ||
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
mode (string) | “passive” | “passive”, “port” | Specifies the data transfer process (DTP) mode. The default value is passive. |
monitorType (string) | Specifies the type of monitor | ||
passphrase (Monitor_FTP_passphrase) | Passphrase if any for query authentication | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
username (string) | Username if any for query authentication |
Monitor_FTP_passphrase¶
Monitor_FTP passphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the property protected empty or not modify the default value. This property protected is a marker. Changing this value from the default indicates that your secrets have been encrypted with SecureVault. E.g. default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, use with secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
Monitor_HTTP¶
Monitor HTTP definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
adaptive (boolean) | false | true, false | If true, use adaptive probe timing |
adaptiveDivergenceMilliseconds (integer) | 500 | [1, 10000] | Probe fails if response latency exceeds mean by this number of milliseconds |
adaptiveDivergencePercentage (integer) | 100 | [1, 500] | Probe fails if response latency exceeds mean by this percentage |
adaptiveDivergenceType (string) | “relative” | “absolute”, “relative” | Adaptive divergence, ‘absolute’ selects milliseconds, ‘relative’ (default) selects percentage |
adaptiveLimitMilliseconds (integer) | 1000 | [1, 10000] | Probe fails if response latency exceeds this number of milliseconds |
adaptiveWindow (integer) | 180 | [1, 1800] | Time window over which the system samples latency (seconds) |
class (string) | “Monitor” | ||
dscp (integer) | 0 | [0, 63] | Value for IP DSCP (ex-TOS) field (default 0) |
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
monitorType (string) | Specifies the type of monitor | ||
passphrase (Property_Passphrase | Monitor_HTTP_passphrase) | |||
receive (string) | “HTTP/1.” | Mark node up upon receipt of this (backquote-expanded) string | |
receiveDown (string) | “” | Mark node down upon receipt of this (backquote-expanded) string (optional; must be empty when ‘reverse’ is true) | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
reverse (boolean) | false | true, false | If true, mark node down upon receipt of ‘receive’ string |
send (string) | “HEAD / HTTP/1.0\r\n\r\n” | Send this (backquote-expanded) string to query node | |
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
transparent (boolean) | false | true, false | If true, treat pool member address as gateway to server (node) (default false) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
username (string) | Username if any for query authentication |
Monitor_HTTP_passphrase¶
Monitor_HTTP passphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | true, false | If true, other declaration objects may reuse this value | |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the property protected empty or not modify the default value. This property protected is a marker. Changing this value from the default indicates that your secrets have been encrypted with SecureVault. E.g. default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, use with secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
Monitor_HTTP2¶
Monitor HTTP2 definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
adaptive (boolean) | false | true, false | If true, use adaptive probe timing |
adaptiveDivergenceMilliseconds (integer) | 500 | [1, 10000] | Probe fails if response latency exceeds mean by this number of milliseconds |
adaptiveDivergencePercentage (integer) | 100 | [1, 500] | Probe fails if response latency exceeds mean by this percentage |
adaptiveDivergenceType (string) | “relative” | “absolute”, “relative” | Adaptive divergence, ‘absolute’ selects milliseconds, ‘relative’ (default) selects percentage |
adaptiveLimitMilliseconds (integer) | 1000 | [1, 10000] | Probe fails if response latency exceeds this number of milliseconds |
adaptiveWindow (integer) | 180 | [1, 1800] | Time window over which the system samples latency (seconds) |
class (string) | “Monitor” | ||
clientTLS (Monitor_HTTP2_clientTLS) | BIG-IP AS3 pointer to client TLS Profile | ||
dscp (integer) | 0 | [0, 63] | Value for IP DSCP (ex-TOS) field (default 0) |
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
monitorType (string) | Specifies the type of monitor | ||
passphrase (Property_Passphrase | Monitor_HTTP2_passphrase) | |||
receive (string) | “HTTP/2.” | Mark node up upon receipt of this (backquote-expanded) string | |
receiveDown (string) | “” | Mark node down upon receipt of this (backquote-expanded) string (optional; must be empty when ‘reverse’ is true) | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
reverse (boolean) | false | true, false | If true, mark node down upon receipt of ‘receive’ string |
send (string) | “GET /\r\n\r\n” | Send this (backquote-expanded) string to query node | |
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
transparent (boolean) | false | true, false | If true, treat pool member address as gateway to server (node) (default false) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
username (string) | Username if any for query authentication |
Monitor_HTTP2_clientTLS¶
Monitor_HTTP2 clientTLS possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP TLS Client | |
use (string) | AS3 pointer to TLS Client declaration |
Monitor_HTTP2_passphrase¶
Monitor_HTTP2 passphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | true, false | If true, other declaration objects may reuse this value | |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the property protected empty or not modify the default value. This property protected is a marker. Changing this value from the default indicates that your secrets have been encrypted with SecureVault. E.g. default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, use with secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
Monitor_HTTPS¶
Monitor HTTPS definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
adaptive (boolean) | false | true, false | If true, use adaptive probe timing |
adaptiveDivergenceMilliseconds (integer) | 500 | [1, 10000] | Probe fails if response latency exceeds mean by this number of milliseconds |
adaptiveDivergencePercentage (integer) | 100 | [1, 500] | Probe fails if response latency exceeds mean by this percentage |
adaptiveDivergenceType (string) | “relative” | “absolute”, “relative” | Adaptive divergence, ‘absolute’ selects milliseconds, ‘relative’ (default) selects percentage |
adaptiveLimitMilliseconds (integer) | 1000 | [1, 10000] | Probe fails if response latency exceeds this number of milliseconds |
adaptiveWindow (integer) | 180 | [1, 1800] | Time window over which the system samples latency (seconds) |
ciphers (string) | “DEFAULT” | Ciphersuite selection string | |
class (string) | “Monitor” | ||
clientCertificate (string) | BIG-IP AS3 pointer to client Certificate declaration, for TLS authentication (optional) | ||
clientTLS (Pointer_TLS_Client) | BIG-IP AS3 pointer to client TLS Profile | ||
dscp (integer) | 0 | [0, 63] | Value for IP DSCP (ex-TOS) field (default 0) |
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
monitorType (string) | Specifies the type of monitor | ||
passphrase (Property_Passphrase | Monitor_HTTPS_passphrase) | |||
receive (string) | “HTTP/1.” | Mark node up upon receipt of this (backquote-expanded) string | |
receiveDown (string) | “” | Mark node down upon receipt of this (backquote-expanded) string (optional; must be empty when ‘reverse’ is true) | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
reverse (boolean) | false | true, false | If true, mark node down upon receipt of ‘receive’ string |
send (string) | “HEAD / HTTP/1.0\r\n\r\n” | Send this (backquote-expanded) string to query node | |
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
transparent (boolean) | false | true, false | If true, treat pool member address as gateway to server (node) (default false) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
username (string) | Username if any for query authentication |
Monitor_HTTPS_passphrase¶
Monitor_HTTPS passphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | true, false | If true, other declaration objects may reuse this value | |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the property protected empty or not modify the default value. This property protected is a marker. Changing this value from the default indicates that your secrets have been encrypted with SecureVault. E.g. default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, use with secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
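The `protected` and `ciphertext` rows in the passphrase and secret tables above describe a JOSE header whose `enc` value says whether the secret is a SecureVault cryptogram (`f5sv`) or only base64url-encoded (`none`). The following Python check is an added example, not part of the AS3 documentation or F5's code: it walks a declaration and reports which case each secret is in. The sample declaration, its tenant, application and monitor names, and all function names are constructed for illustration.

```python
import base64
import json

# Default 'protected' value from the schema tables: {"alg":"dir","enc":"none"}
DEFAULT_PROTECTED = "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
# Marker value the tables give for SecureVault: {"alg":"dir","enc":"f5sv"}
SECUREVAULT_PROTECTED = "eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0"


def b64url_decode(value):
    """Decode base64url text whose '=' padding has been stripped."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def b64url_encode(raw):
    """Encode bytes as unpadded base64url, the form 'ciphertext' expects."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jose_header(protected):
    """Return the JOSE header; an empty or missing value means the default."""
    return json.loads(b64url_decode(protected or DEFAULT_PROTECTED))


def classify(secret_obj):
    """Map one passphrase/secret object to a protection status."""
    try:
        header = jose_header(secret_obj.get("protected"))
    except (ValueError, TypeError):  # bad base64, bad UTF-8, bad JSON, non-string
        return "unparseable-header"
    if not isinstance(header, dict):
        return "unparseable-header"
    enc = header.get("enc")
    if enc == "f5sv":
        return "securevault"      # ciphertext is a SecureVault cryptogram
    if enc == "none":
        return "encoded-only"     # ciphertext is just base64url(secret)
    return "unknown-enc"


def find_secrets(node, path=""):
    """Yield (path, status) for every object that carries a 'ciphertext'."""
    if isinstance(node, dict):
        if "ciphertext" in node:
            yield path, classify(node)
        for key, value in node.items():
            yield from find_secrets(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_secrets(value, f"{path}/{index}")


def audit(declaration):
    """Return the list of (path, status) findings for a parsed declaration."""
    return list(find_secrets(declaration))


# Constructed declaration fragment (not deployable as-is); secrets are dummies.
SAMPLE_DECLARATION = {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "Sample_Tenant": {
        "class": "Tenant",
        "Sample_App": {
            "class": "Application",
            "https_monitor": {
                "class": "Monitor",
                "monitorType": "https",
                "username": "probe",
                # No 'protected' given, so the default enc=none header applies.
                "passphrase": {
                    "ciphertext": b64url_encode(b"constructed-passphrase"),
                },
            },
            "ldap_monitor": {
                "class": "Monitor",
                "monitorType": "ldap",
                "username": "probe",
                "passphrase": {
                    "ciphertext": b64url_encode(b"constructed-not-a-real-cryptogram"),
                    "protected": SECUREVAULT_PROTECTED,
                },
            },
        },
    },
}

if __name__ == "__main__":
    for path, status in audit(SAMPLE_DECLARATION):
        print(f"{status:18} {path}")
```

Entries reported as `encoded-only` hold a secret that anyone with read access to the declaration file can decode, so declarations containing them need the same handling as plaintext credentials.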
Monitor_ICMP¶
Monitor ICMP definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
adaptive (boolean) | false | true, false | If true, use adaptive probe timing |
adaptiveDivergenceMilliseconds (integer) | 500 | [1, 10000] | Probe fails if response latency exceeds mean by this number of milliseconds |
adaptiveDivergencePercentage (integer) | 100 | [1, 500] | Probe fails if response latency exceeds mean by this percentage |
adaptiveDivergenceType (string) | “relative” | “absolute”, “relative” | Adaptive divergence, ‘absolute’ selects milliseconds, ‘relative’ (default) selects percentage |
adaptiveLimitMilliseconds (integer) | 1000 | [1, 10000] | Probe fails if response latency exceeds this number of milliseconds |
adaptiveWindow (integer) | 180 | [5, 1800] | Time window over which the system samples latency (seconds) |
class (string) | “Monitor” | ||
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
monitorType (string) | Specifies the type of monitor | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
transparent (boolean) | false | true, false | If true, treat pool member address as gateway to server (node) (default false) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
Monitor_Inband¶
Monitor Inband definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Monitor” | ||
failureInterval (integer) | 30 | [2, 1000] | Specifies an interval, in seconds. If the number of failures specified in the failures option occurs within this interval, the system marks the pool member as being unavailable. |
failures (integer) | 3 | [0, 1000] | Specifies the number of failures that the system allows to occur, within the time period specified in the failureInterval property, before marking a pool member unavailable. The multiple tmm processes use a per-process number to calculate failures, depending on the specified load. For example, for the Round Robin load balancing method, if there are N tmm processes and M pool members, and the Failures property is set to L, then up to N*M*L+1 failures can occur before the system marks the node as down. Specifying a value of 0 disables this option. A failure can be either a failure to connect or a failure of the pool member to respond within the time specified in the responseTime property. |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
monitorType (string) | Specifies the type of monitor | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
responseTime (integer) | 10 | [0, 5000] | Specifies an amount of time, in seconds. If the pool member does not respond with data after the specified amount of time has passed, the number of failures in this interval increments by 1. Specifying a value of 0 disables this option. |
retryTime (integer) | 300 | [0, 5000] | Specifies the amount of time in seconds after the pool member has been marked unavailable before the system retries to connect to the pool member. Specifying a value of 0 disables this option. |
Monitor_LDAP¶
Monitor LDAP definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
base (string) | Specifies the location in the LDAP tree from which the monitor starts the health check | ||
chaseReferrals (boolean) | true | true, false | Specifies whether the referral is followed upon receipt of an LDAP referral entry |
class (string) | “Monitor” | ||
filter (string) | Specifies an LDAP key which the monitor searches | ||
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
mandatoryAttributes (boolean) | false | true, false | Specifies whether the target must include attributes in its response to be considered up |
monitorType (string) | Specifies the type of monitor | ||
passphrase (Monitor_LDAP_passphrase) | Passphrase if any for query authentication | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
security (string) | “none” | “none”, “ssl”, “tls” | Specifies the secure protocol type for communications with the target |
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
username (string) | Username if any for query authentication |
Monitor_LDAP_passphrase¶
Monitor_LDAP passphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the ‘protected’ property empty or keep the default value. This property is a marker: changing it from the default indicates that your secrets have been encrypted with SecureVault. For example, the default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (the encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, used with the secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
Monitor_MySQL¶
Monitor MySQL definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Monitor” | ||
count (integer) | 0 | [0, 2147483647] | Number of monitor probes after which the connection to the database will be terminated. Count value of zero indicates that the connection will never be terminated. |
database (string) | The name of the database with which the monitor attempts to communicate. | ||
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
monitorType (string) | Specifies the type of monitor | ||
passphrase (Monitor_MySQL_passphrase) | Passphrase if any for query authentication | ||
receive (string) | Mark node up upon receipt of this (backquote-expanded) string | ||
receiveColumn (integer) | [1, 4096] | Specifies the column in the database where the system expects the specified Receive String to be located. Specify this property only if you configure the Send and Receive properties. | |
receiveRow (integer) | [1, 65535] | Specifies the row in the database where the system expects the specified Receive String to be located. Specify this property only if you configure the Send and Receive properties. | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
send (string) | Send this (backquote-expanded) string to query node | ||
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
username (string) | Username if any for query authentication |
Monitor_MySQL_passphrase¶
Monitor_MySQL passphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the ‘protected’ property empty or keep the default value. This property is a marker: changing it from the default indicates that your secrets have been encrypted with SecureVault. For example, the default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (the encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, used with the secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
Monitor_PostgreSQL¶
Monitor PostgreSQL definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Monitor” | ||
count (integer) | 0 | [0, 2147483647] | Number of monitor probes after which the connection to the database will be terminated. Count value of zero indicates that the connection will never be terminated. |
database (string) | The name of the database with which the monitor attempts to communicate. | ||
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
monitorType (string) | Specifies the type of monitor | ||
passphrase (Monitor_PostgreSQL_passphrase) | Passphrase if any for query authentication | ||
receive (string) | Mark node up upon receipt of this (backquote-expanded) string | ||
receiveColumn (integer) | [1, 1600] | Specifies the column in the database where the system expects the specified Receive String to be located. Specify this property only if you configure the Send and Receive properties. | |
receiveRow (integer) | [1, 4294967294] | Specifies the row in the database where the system expects the specified Receive String to be located. Specify this property only if you configure the Send and Receive properties. | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
send (string) | Send this (backquote-expanded) string to query node | ||
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
username (string) | Username if any for query authentication |
Monitor_PostgreSQL_passphrase¶
Monitor_PostgreSQL passphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the ‘protected’ property empty or keep the default value. This property is a marker: changing it from the default indicates that your secrets have been encrypted with SecureVault. For example, the default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (the encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, used with the secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
Monitor_RADIUS¶
Monitor RADIUS definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Monitor” | ||
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
monitorType (string) | Specifies the type of monitor | ||
nasIpAddress (string) | format: f5ip | Specifies the network access server’s IP address (NAS IP address) for a RADIUS monitor | |
passphrase (Monitor_RADIUS_passphrase) | Passphrase if any for query authentication | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
secret (Monitor_RADIUS_secret) | Specifies the secret the monitor needs to access the resource | ||
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
username (string) | Specifies the user name, if the monitor target requires authentication |
Monitor_RADIUS_passphrase¶
Monitor_RADIUS passphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the ‘protected’ property empty or keep the default value. This property is a marker: changing it from the default indicates that your secrets have been encrypted with SecureVault. For example, the default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (the encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, used with the secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
Monitor_RADIUS_secret¶
Monitor_RADIUS secret possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the ‘protected’ property empty or keep the default value. This property is a marker: changing it from the default indicates that your secrets have been encrypted with SecureVault. For example, the default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (the encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, used with the secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
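The ‘protected’ marker described in the passphrase and secret objects above (Monitor_LDAP_passphrase, Monitor_MySQL_passphrase, Monitor_PostgreSQL_passphrase, Monitor_RADIUS_passphrase and Monitor_RADIUS_secret) can be checked mechanically before a declaration is stored or shared. The Python below is an added example, not part of the F5 documentation or of BIG-IP AS3: it decodes each secret's JOSE header and reports which secrets are only base64url-encoded (enc=none) and which are SecureVault cryptograms (enc=f5sv). The sample declaration, its object names and the status labels are constructed for illustration.

```python
"""Audit an AS3 declaration for secrets that are base64url-encoded but not encrypted."""
import base64
import json

# Default 'protected' value, taken from the schema tables above.
DEFAULT_PROTECTED = "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"


def b64url_decode(text):
    """Decode unpadded base64url, the encoding used by 'protected' and 'ciphertext'."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def read_header(protected):
    """Return the JOSE header dict carried in 'protected', or None if it is malformed."""
    try:
        header = json.loads(b64url_decode(protected))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return header if isinstance(header, dict) else None


def classify(secret):
    """Classify one object that carries a 'ciphertext' property (labels are this example's own)."""
    if secret.get("miniJWE", True) is False:
        return "not-mini-jwe"
    # An empty or absent 'protected' means the schema default applies.
    protected = secret.get("protected") or DEFAULT_PROTECTED
    header = read_header(protected) if isinstance(protected, str) else None
    if header is None or header.get("alg") != "dir":
        return "unrecognised-header"
    enc = header.get("enc", "none")
    if enc == "none":
        return "encoded-only"   # ciphertext is base64url(secret): reversible by any reader
    if enc == "f5sv":
        return "securevault"    # ciphertext is a SecureVault cryptogram
    return "unrecognised-header"


def audit(node, path="", findings=None):
    """Walk a declaration and return [(json_pointer, status)] for every secret object."""
    if findings is None:
        findings = []
    if isinstance(node, dict):
        if "ciphertext" in node:
            findings.append((path or "/", classify(node)))
        for key, value in node.items():
            audit(value, f"{path}/{key}", findings)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            audit(value, f"{path}/{index}", findings)
    return findings


def sample_declaration():
    """Constructed declaration; tenant, application and monitor names are illustrative."""
    encoded = base64.urlsafe_b64encode(b"constructed-example").rstrip(b"=").decode()
    return {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "Sample_Tenant": {
            "class": "Tenant",
            "Sample_App": {
                "class": "Application",
                "ldap_monitor": {
                    "class": "Monitor",
                    "monitorType": "ldap",
                    "username": "probe",
                    "passphrase": {"ciphertext": encoded},
                },
                "radius_monitor": {
                    "class": "Monitor",
                    "monitorType": "radius",
                    "passphrase": {"ciphertext": encoded, "protected": DEFAULT_PROTECTED},
                    "secret": {
                        "ciphertext": "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CRYPTOGRAM",
                        "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0",
                    },
                },
                "mysql_monitor": {
                    "class": "Monitor",
                    "monitorType": "mysql",
                    "passphrase": {"ciphertext": encoded, "protected": "not-a-header"},
                },
            },
        },
    }


if __name__ == "__main__":
    # Only the location and status are printed; the secret itself is never echoed.
    for pointer, status in audit(sample_declaration()):
        print(f"{status:20} {pointer}")
```

Treat every "encoded-only" finding as a plaintext credential wherever the declaration is stored, logged or committed.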
Monitor_SIP¶
Monitor SIP definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
ciphers (string) | “DEFAULT” | Ciphersuite selection string | |
class (string) | “Monitor” | ||
clientCertificate (string) | BIG-IP AS3 pointer to client Certificate declaration, for TLS authentication (optional) | ||
codesDown (array<integer>) | [0, infinity] | List of status codes meaning service is down (0 matches any code) | |
codesUp (array<integer>) | [0, infinity] | List of additional (to all 1/2/3xx) status codes meaning service is up (0 matches any code) | |
headers (string) | “” | SIP headers to send in probes (if any), separated by newlines (backquote-expanded) | |
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
monitorType (string) | Specifies the type of monitor | ||
protocol (string) | “udp” | “sips”, “tcp”, “tls”, “udp” | SIP transport protocol |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
request (string) | “” | SIP request to send in probes (default empty) | |
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
Monitor_SMTP¶
Monitor SMTP definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Monitor” | ||
domain (string) | “” | format: hostname | Mail domain to check, if any (backquote-expanded) |
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
monitorType (string) | Specifies the type of monitor | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
Monitor_TCP¶
Monitor TCP definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
adaptive (boolean) | false | true, false | If true, use adaptive probe timing |
adaptiveDivergenceMilliseconds (integer) | 500 | [1, 10000] | Probe fails if response latency exceeds mean by this number of milliseconds |
adaptiveDivergencePercentage (integer) | 100 | [1, 500] | Probe fails if response latency exceeds mean by this percentage |
adaptiveDivergenceType (string) | “relative” | “absolute”, “relative” | Adaptive divergence, ‘absolute’ selects milliseconds, ‘relative’ (default) selects percentage |
adaptiveLimitMilliseconds (integer) | 1000 | [1, 10000] | Probe fails if response latency exceeds this number of milliseconds |
adaptiveWindow (integer) | 180 | [5, 1800] | Time window over which the system samples latency (seconds) |
class (string) | “Monitor” | ||
dscp (integer) | 0 | [0, 63] | Value for IP DSCP (ex-TOS) field (default 0) |
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
monitorType (string) | Specifies the type of monitor | ||
receive (string) | “none” | Mark node up upon receipt of this (backquote-expanded) string | |
receiveDown (string) | “” | Mark node down upon receipt of this (backquote-expanded) string (optional; must be empty when ‘reverse’ is true) | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
reverse (boolean) | false | true, false | If true, mark node down upon receipt of ‘receive’ string |
send (string) | “none” | Send this (backquote-expanded) string to query node | |
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
transparent (boolean) | false | true, false | If true, treat pool member address as gateway to server (node) (default false) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
Monitor_TCP_Half_Open¶
Monitor properties available when monitorType = tcp-half-open
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Monitor” | ||
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
monitorType (string) | Specifies the type of monitor | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
transparent (boolean) | false | true, false | If true, treat pool member address as gateway to server (node) (default false) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
Monitor_UDP¶
Monitor UDP definition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
adaptive (boolean) | false | true, false | If true, use adaptive probe timing |
adaptiveDivergenceMilliseconds (integer) | 500 | [1, 10000] | Probe fails if response latency exceeds mean by this number of milliseconds |
adaptiveDivergencePercentage (integer) | 100 | [1, 500] | Probe fails if response latency exceeds mean by this percentage |
adaptiveDivergenceType (string) | “relative” | “absolute”, “relative” | Adaptive divergence, ‘absolute’ selects milliseconds, ‘relative’ (default) selects percentage |
adaptiveLimitMilliseconds (integer) | 1000 | [1, 10000] | Probe fails if response latency exceeds this number of milliseconds |
adaptiveWindow (integer) | 180 | [60, 1800] | Time window over which the system samples latency (seconds) |
class (string) | “Monitor” | ||
interval (integer) | 5 | [0, 3600] | Poll interval (seconds) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
monitorType (string) | Specifies the type of monitor | ||
receive (string) | “none” | Mark node up upon receipt of this (backquote-expanded) string | |
receiveDown (string) | “” | Mark node down upon receipt of this (backquote-expanded) string (optional; must be empty when ‘reverse’ is true) | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
reverse (boolean) | false | true, false | If true, mark node down upon receipt of ‘receive’ string |
send (string) | “default send string” | Send this (backquote-expanded) string to node | |
targetAddress (string) | “” | format: f5ip | IP address monitor should probe; if empty (default) then pool member address |
targetPort (integer) | 0 | [0, 65535] | L4 port (if any) monitor should probe; if 0 (default) then pool member port |
timeout (integer) | 16 | [0, 900] | Time limit for node to respond (seconds) |
timeUntilUp (integer) | 0 | [0, 1800] | Delay between successful probe and sending traffic to node (seconds) |
transparent (boolean) | false | true, false | If true, treat pool member address as gateway to server (node) (default false) |
upInterval (integer) | 0 | [0, 3600] | Poll interval when service is already up (seconds) |
Multiplex_Profile¶
Multiplex (OneConnect) profile with configurable options
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Multiplex_Profile” | ||
connectionLimitEnforcement (string) | “none” | “none”, “idle”, “strict” | When the limit is ‘none’, simultaneous in-flight requests and responses over TCP connections to a pool member are counted toward the limit. When the limit is ‘idle’, idle connections will be dropped as the TCP connection limit is reached. When the limit is ‘strict’, idle connections will prevent new TCP connections from being made until they expire (not recommended). |
idleTimeoutOverride (integer) | 0 | [0, infinity] | Specifies the number of seconds that a connection is idle before the connection flow is eligible for deletion. |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
maxConnectionAge (integer) | 86400 | [0, infinity] | Specifies the maximum age, in number of seconds, of a connection in the connection reuse pool. |
maxConnectionReuse (integer) | 1000 | [0, infinity] | Specifies the maximum number of times that a server connection can be reused. |
maxConnections (integer) | 10000 | [0, infinity] | Specifies the maximum number of connections that the system holds in the connection reuse pool. |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
sharePools (boolean) | false | true, false | Indicates that TCP connections for the current pool may be shared among similar virtual servers using the same pool. |
sourceMask (string) | format: f5ip | Idle connection re-use applies to connections whose source address matches this mask |
NAT_Policy¶
Configures network address translation policy
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “NAT_Policy” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
rules (array<NAT_Rule>) | A list of NAT rules |
NAT_Rule¶
Network address translation rule
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
destination (NAT_Rule_Destination) | |||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
name (string) | NAT rule name | ||
protocol (string) | “any” | “any”, “tcp”, “udp” | Specifies the IP protocol against which the packet will be compared |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
securityLogProfile (Pointer_Security_Log_Profile) | |||
source (NAT_Rule_Source) | |||
sourceTranslation (Pointer_NAT_Source_Translation) |
NAT_Rule_Destination¶
Network address translation destination configuration
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressLists (array<Pointer_Firewall_Address_List>) | A list of address lists (each by BIG-IP AS3 pointer or BIG-IP pathname) | ||
portLists (array<NAT_Rule_Destination_portLists>) | A list of port lists (each by BIG-IP AS3 pointer or BIG-IP pathname) |
NAT_Rule_Destination_portLists¶
NAT_Rule_Destination portLists possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP firewall port list | |
use (string) | BIG-IP AS3 pointer to firewall port list declaration |
NAT_Rule_Source¶
Network address translation source configuration
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressLists (array<Pointer_Firewall_Address_List>) | A list of address lists (each by BIG-IP AS3 pointer or BIG-IP pathname) | ||
portLists (array<NAT_Rule_Source_portLists>) | A list of port lists (each by BIG-IP AS3 pointer or BIG-IP pathname) |
NAT_Rule_Source_portLists¶
NAT_Rule_Source portLists possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP firewall port list | |
use (string) | BIG-IP AS3 pointer to firewall port list declaration |
NAT_Source_Translation¶
Configures a Security network address translation source translation object
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addresses (array<string>) | Specifies addresses on which source translation is performed | ||
allowEgressInterfaces (array<Pointer_Tunnel>) | Specifies the egress interfaces (tunnels and VLANs) on which source translation is allowed | ||
class (string) | “NAT_Source_Translation” | ||
clientConnectionLimit (integer) | [0, 2147483647] | Maximum number of simultaneous translated connections a client or subscriber is allowed to have | |
disallowEgressInterfaces (array<Pointer_Tunnel>) | Specifies the egress interfaces (tunnels and VLANs) on which source translation is not allowed | ||
excludeAddresses (array<string | Pointer_Firewall_Address_List>) | Specifies the set of addresses excluded from the translation IP addresses available in the pool. This property is available on BIG-IP 14.1 and above. | ||
hairpinModeEnabled (boolean) | true, false | Enables or disables hairpinning for incoming connections to active translation end-points | |
inboundMode (string) | “endpoint-independent-filtering”, “explicit”, “none” | Specifies the persistence settings for NAT translation entries | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
mapping (NAT_Source_Translation_Mapping) | |||
patMode (string) | “napt”, “deterministic”, “pba” | Specifies whether the translation address mapping is performed in Network Address Port Translation mode, Deterministic mode, or in Port Block Allocation mode | |
portBlockAllocation (NAT_Source_Translation_PortBlockAllocation) | |||
ports (array<integer | string>) | [0, 65535] | Specifies source ports and port ranges on which source translation is performed | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
routeAdvertisement (boolean) | false | true, false | Specifies that the traffic is advertised to dynamic routing protocols configured in the route domain |
type (string) | “dynamic-pat”, “static-nat”, “static-pat” | Specifies the type of source translation item |
NAT_Source_Translation_Mapping¶
Configures the mapping settings for translation entries. Mapping is the preservation of a public-side IP address for a client from session to session. Only available if type is dynamic-pat.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
mode (string) | “address-pooling-paired” | “address-pooling-paired”, “endpoint-independent-mapping”, “none” | Specifies the mapping mode for translation entries |
timeout (integer) | 300 | [0, 2147483647] | Specifies the timeout (in seconds) for address and port mapping |
NAT_Source_Translation_PortBlockAllocation¶
Configure the port block allocation
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
blockIdleTimeout (integer) | 3600 | [0, 2147483647] | Specifies the amount of time in seconds that an assigned block of ports remains available when idle before it times out |
blockLifetime (integer) | 0 | [0, 2147483647] | Specifies the lifetime in seconds of a block of ports |
blockSize (integer) | 64 | [0, 2147483647] | Specifies the number of ports per block. Each block is assigned to one client. A client can use all ports in a block multiplied by the number of blocks, up to the connection limit, if one is set |
clientBlockLimit (integer) | 1 | [0, 2147483647] | Specifies the number of blocks that can be assigned to a client |
zombieTimeout (integer) | 0 | [0, 2147483647] | Specifies the timeout duration for a zombie port block, which is a timed out port block with one or more active connections |
Net_Address_List¶
You can use the address-list component to define reusable lists of addresses. This property requires a BIG-IP version of 14.1 or higher.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addresses (array<string>) | A list of IPv4 and IPv6 addresses and address ranges. You can specify a network with CIDR slash notation. | ||
addressLists (array<Pointer_Net_Address_List>) | A list of other address lists (each by BIG-IP AS3 pointer or BIG-IP pathname). | ||
class (string) | “Net_Address_List” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
Net_Port_List¶
You can use the port-list component to define reusable lists of ports. This property requires a BIG-IP version of 14.1 or higher.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Net_Port_List” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
portLists (array<Pointer_Net_Port_List>) | A list of other port lists (each by BIG-IP AS3 pointer or BIG-IP pathname). | ||
ports (array<integer | string>) | [-infinity, infinity] | A list of ports and port ranges (for example, 80, “8080-8090”). | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
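The label and remark rows that recur throughout this reference can be checked as follows. This is an added example, not F5's code: it uses the two patterns with their \x escapes written out in full, shows that a remark can pass validation while still containing HTML markup, and escapes it on output. The function names and the sample string are assumptions made for the illustration.

```python
import html
import re

# Patterns from the 'label' and 'remark' rows, with the \x escapes written out.
LABEL_RE = re.compile(r"^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$")
REMARK_RE = re.compile(r"^[^\x00-\x1f\x22\x5c\x7f]*$")
MAX_LEN = 64  # both descriptions say "Allows 0-64 chars"

# Constructed sample remark: valid per the schema, yet it carries markup.
SAMPLE_REMARK = "<b>owner</b> & 'netops'"


def is_valid(kind, text):
    """Check a label or remark against the schema pattern and length limit.

    fullmatch() is used on purpose: with match(), Python's '$' also matches
    just before a trailing newline, so "text\\n" would slip through.
    """
    pattern = LABEL_RE if kind == "label" else REMARK_RE
    return len(text) <= MAX_LEN and pattern.fullmatch(text) is not None


def render_remark(text):
    """Return an HTML table cell for a remark, escaped for safe display."""
    if not is_valid("remark", text):
        raise ValueError("remark fails the schema pattern or length limit")
    # Schema validation does not remove <, >, & or ', so escape on output.
    return "<td>" + html.escape(text, quote=True) + "</td>"


if __name__ == "__main__":
    print("valid remark:", is_valid("remark", SAMPLE_REMARK))
    print("valid label: ", is_valid("label", SAMPLE_REMARK))
    print(render_remark(SAMPLE_REMARK))
```

Any tool that displays remark values (inventory pages, change reports) needs the output-encoding step; the schema pattern alone does not provide it.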
Per_Request_Access_Policy¶
Configures a Per Flow Request Access Policy
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Per_Request_Access_Policy” | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the profile in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the profile on first deployment, and leaves it untouched afterwards |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
url (Resource_URL) | The URL to pull the policy from |
Persist¶
Declares a persistence method
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressMask (string) | format: f5ip | Optional mask selects portion of address used by simple persistence (if omitted the system uses all address bits) | |
alwaysSet (boolean) | false | true, false | If true, set cookie with every HTTP response (default false) |
bufferLimit (integer) | 0 | [0, 65535] | Number of octets to buffer while pattern-matching |
class (string) | “Persist” | ||
cookieMethod (string) | “insert” | “insert”, “hash”, “passive”, “rewrite” | Selects cookie processing method (default is insert) |
cookieName (string) | “” | regex: ^[0-9A-Za-z.~#$%^&*_-]*$ | Cookie name (for method ‘insert’, default (empty-string) yields system-generated name) |
count (integer) | 0 | [0, 65535] | Number of octets in cookie value to hash; 0 (default) means all |
duration (integer) | 0 | [0, 604800] | Lifetime of persistence record (seconds, default 0 means indefinite) |
encrypt (boolean) | false | true, false | If true, prevent disclosure of (or tampering with) ADC info in cookie (default false, to reduce latency) |
endPattern (string) | “” | Regular expression which matches end of data to hash; default “” averts matching | |
hashAlgorithm (string) | “default” | “carp”, “default” | Specifies the algorithm the system uses for hash persistence load balancing. The hash result is the input for the algorithm. |
hashCount (integer) | 0 | [0, 4096] | Number of octets in cookie value to hash; 0 (default) means all — Note: This property is available only when cookieMethod is NOT ‘insert’ — |
header (string) | Suggested values include: Call-ID, To, From, SIP-ETag, and Subject | ||
httpOnly (boolean) | true | true, false | If true (default) the system sets the HTTPOnly flag |
iRule (string | Persist_iRule) | -, - | BIG-IP AS3 pointer to iRule if any (declared separately) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
matchAcrossPools (boolean) | false | true, false | Specifies that the system can use any pool that contains this persistence record |
matchAcrossVirtualAddresses (boolean) | false | true, false | Specifies that all persistent connections from the same client IP address go to the same node |
matchAcrossVirtualPorts (boolean) | false | true, false | Specifies that all persistent connections from a client IP address that go to the same virtual IP address also go to the same node |
mirror (boolean) | false | true, false | If true, try to maintain persistence even after HA failover of ADC (default false) |
overrideConnectionLimit (boolean) | false | true, false | If true, do not enforce pool member connection limit for persisted connections (default false) |
passphrase (Persist_passphrase) | Used to create secret key for cookie encryption | ||
persistenceMethod (string) | “cookie”, “destination-address”, “hash”, “msrdp”, “sip-info”, “source-address”, “tls-session-id”, “universal” | You may customize each basic persistence method | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
secure (boolean) | true | true, false | If true (default) the system sets the Secure (TLS) flag |
sessionBroker (boolean) | true | true, false | If true (default), the system will persist the client to the server chosen by session broker |
startAt (integer) | 0 | [0, 4096] | Index of first octet in cookie value to hash — Note: This property is available only when cookieMethod is NOT ‘insert’ — |
startPattern (string) | “” | Regular expression which matches start of data to hash; default “” averts matching | |
ttl (integer) | 0 | [0, 604800] | Requested cookie lifetime (seconds, default 0 means session cookie) |
Persist_iRule¶
Persist iRule possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP iRule | |
use (string) | BIG-IP AS3 pointer to iRule (declared separately) |
Persist_passphrase¶
Persist passphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends that you leave the protected property empty or keep the default value. The protected property is a marker: changing it from the default indicates that your secrets have been encrypted with SecureVault. For example, the default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (the encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’; use it with the secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
Persist_Addr¶
Configures an address affinity persistence profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressMask (string) | format: f5ip | Optional mask selects portion of address used by simple persistence (if omitted the system uses all address bits) | |
duration (integer) | 180 | [0, 604800] | Lifetime of persistence record (seconds, default 180) |
hashAlgorithm (string) | “default” | “carp”, “default” | Specifies the algorithm the system uses for hash persistence load balancing. The hash result is the input for the algorithm. |
Persist_Cookie¶
Configures a cookie persistence profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
alwaysSet (boolean) | false | true, false | If true, set cookie with every HTTP response (default false) |
cookieMethod (string) | “insert” | “insert”, “hash”, “passive”, “rewrite” | Selects cookie processing method (default is insert) |
cookieName (string) | “” | regex: ^[0-9A-Za-z.~#$%^&*_-]*$ | Cookie name (for method ‘insert’, default (empty-string) yields system-generated name) |
duration (integer) | 0 | [0, 604800] | Lifetime of persistence record (seconds, default 0 means indefinite) |
encrypt (boolean) | false | true, false | If true, prevent disclosure of (or tampering with) ADC info in cookie (default false, to reduce latency) |
hashCount (integer) | 0 | [0, 4096] | Number of octets in cookie value to hash; 0 (default) means all — Note: This property is available only when cookieMethod is NOT ‘insert’ — |
httpOnly (boolean) | true | true, false | If true (default) the system sets the HTTPOnly flag |
passphrase (Persist_Cookie_passphrase) | Used to create secret key for cookie encryption | ||
secure (boolean) | true | true, false | If true (default) the system sets the Secure (TLS) flag |
startAt (integer) | 0 | [0, 4096] | Index of first octet in cookie value to hash — Note: This property is available only when cookieMethod is NOT ‘insert’ — |
ttl (integer) | 0 | [0, 604800] | Requested cookie lifetime (seconds, default 0 means session cookie) |
Persist_Cookie_passphrase¶
Persist_Cookie passphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends that you leave the protected property empty or keep the default value. The protected property is a marker: changing it from the default indicates that your secrets have been encrypted with SecureVault. For example, the default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (the encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’; use it with the secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
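The Persist, Persist_passphrase and Persist_Cookie_passphrase tables above can be turned into a review check for declarations kept in source control. This is an added example, not F5's code: it walks a declaration, flags cookie persistence objects whose encrypt, httpOnly or secure settings are off, and decodes each passphrase's protected marker to tell a SecureVault cryptogram (enc=f5sv) from a secret that is only base64url-encoded (enc=none). The sample declaration, object names, function names and finding codes are assumptions made for the illustration.

```python
import base64
import json

# Default marker from the 'protected' row: JOSE header with enc=none.
DEFAULT_PROTECTED = "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"

# Constructed sample declaration; ciphertext values are placeholders.
SAMPLE_DECLARATION = {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "Example_Tenant": {
        "class": "Tenant",
        "Example_App": {
            "class": "Application",
            "weak_cookie": {
                "class": "Persist",
                "persistenceMethod": "cookie",
                "httpOnly": False,  # 'encrypt' omitted, so the default (false) applies
            },
            "plain_passphrase": {
                "class": "Persist",
                "persistenceMethod": "cookie",
                "encrypt": True,
                "passphrase": {
                    "ciphertext": "Y29uc3RydWN0ZWQtc2FtcGxl",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",
                },
            },
            "vaulted_cookie": {
                "class": "Persist",
                "persistenceMethod": "cookie",
                "encrypt": True,
                "passphrase": {
                    "ciphertext": "constructed-placeholder-cryptogram",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0",
                },
            },
            "source_addr": {"class": "Persist", "persistenceMethod": "source-address"},
        },
    },
}


def decode_protected(marker):
    """Decode a 'protected' marker: base64url JSON with the padding stripped."""
    padded = marker + "=" * (-len(marker) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def passphrase_findings(passphrase):
    """Classify how the inline secret of a passphrase object is stored."""
    if "ciphertext" not in passphrase:
        return []  # secret comes from 'url' or 'reuseFrom'; nothing inline to judge
    try:
        header = decode_protected(passphrase.get("protected") or DEFAULT_PROTECTED)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return ["passphrase-bad-header"]
    if not isinstance(header, dict):
        return ["passphrase-bad-header"]
    enc = header.get("enc", "none")  # the page gives enc=none as the default
    if enc == "none":
        return ["passphrase-base64-only"]  # ciphertext is merely encoded
    if enc == "f5sv":
        return []  # SecureVault cryptogram
    return ["passphrase-unknown-enc"]


def cookie_findings(obj):
    """Findings for one object; empty unless it is cookie persistence."""
    if obj.get("class") != "Persist" or obj.get("persistenceMethod") != "cookie":
        return []
    findings = []
    if not obj.get("encrypt", False):  # schema default: false
        findings.append("encrypt-off")
    if not obj.get("httpOnly", True):  # schema default: true
        findings.append("httponly-off")
    if not obj.get("secure", True):  # schema default: true
        findings.append("secure-off")
    if isinstance(obj.get("passphrase"), dict):
        findings += passphrase_findings(obj["passphrase"])
    return findings


def audit(node, path=""):
    """Walk a declaration and return (path, finding) pairs in document order."""
    findings = []
    if isinstance(node, dict):
        findings += [(path, code) for code in cookie_findings(node)]
        for key, child in node.items():
            findings += audit(child, f"{path}/{key}")
    elif isinstance(node, list):
        for index, child in enumerate(node):
            findings += audit(child, f"{path}/{index}")
    return findings


if __name__ == "__main__":
    for where, code in audit(SAMPLE_DECLARATION):
        print(f"{where}: {code}")
```

A passphrase-base64-only finding means anyone who can read the declaration can recover the secret by decoding ciphertext, so such files need the same handling as plaintext credentials.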
Persist_Hash¶
Configures a hash persistence profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bufferLimit (integer) | 0 | [0, 65535] | Number of octets to buffer while pattern-matching |
count (integer) | 0 | [0, 65535] | Number of octets in cookie value to hash; 0 (default) means all |
duration (integer) | 180 | [0, 604800] | Lifetime of persistence record (seconds, default 180) |
endPattern (string) | “” | Regular expression which matches end of data to hash; default “” averts matching | |
hashAlgorithm (string) | “default” | “carp”, “default” | Specifies the algorithm the system uses for hash persistence load balancing. The hash result is the input for the algorithm. |
iRule (string | Persist_Hash_iRule) | -, - | BIG-IP AS3 pointer to iRule if any (declared separately) | |
startAt (integer) | 0 | [0, 65535] | Index of first octet in packet to hash |
startPattern (string) | “” | Regular expression which matches start of data to hash; default “” averts matching |
Persist_Hash_iRule¶
Persist_Hash iRule possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP iRule | |
use (string) | BIG-IP AS3 pointer to iRule (declared separately) |
Persist_MSRDP¶
Configures a Microsoft(r) Remote Display Protocol (MSRDP) persistence profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
duration (integer) | 300 | [0, 604800] | Lifetime of persistence record (seconds, default 300) |
sessionBroker (boolean) | true | true, false | If true (default), the system will persist the client to the server chosen by session broker |
Persist_SIP¶
Configures a Session Initiation Protocol (SIP) persistence profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
duration (integer) | 180 | [0, 604800] | Lifetime of persistence record (seconds, default 180) |
header (string) | Suggested values include: Call-ID, To, From, SIP-ETag, and Subject |
Persist_TLS_Session¶
Configures a Secure Socket Layer (SSL) persistence profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
duration (integer) | 300 | [0, 604800] | Lifetime of persistence record (seconds, default 300) |
Persist_UIE¶
Configures a universal persistence profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
duration (integer) | 180 | [0, 604800] | Lifetime of persistence record (seconds, default 180) |
iRule (string | Persist_UIE_iRule) | -, - | BIG-IP AS3 pointer to required iRule (declared separately) |
Persist_UIE_iRule¶
Persist_UIE iRule possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP iRule |
Ping_Access_Agent_Properties¶
Ping access agent properties used for ping access
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Ping_Access_Agent_Properties” | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ping access agent properties in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the properties on first deployment, and leaves them untouched afterwards |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
propertiesData (F5string) | |||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
Ping_Access_Profile¶
Ping access profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Ping_Access_Profile” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
pingAccessProperties (Ping_Access_Profile_pingAccessProperties) | Specifies the name of the Ping Access Properties (by BIG-IP AS3 pointer or BIG-IP pathname) | ||
pool (Ping_Access_Profile_pool) | Specifies the name of the Pool (by BIG-IP AS3 pointer or BIG-IP pathname) | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
serversslProfile (Ping_Access_Profile_serversslProfile) | Specifies the name of the server ssl profile (by BIG-IP AS3 pointer or BIG-IP pathname) | ||
useHTTPS (boolean) | false | true, false | If true, use the server SSL profile; otherwise ignore it |
Ping_Access_Profile_pingAccessProperties¶
Ping_Access_Profile pingAccessProperties possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Ping Access Properties | |
use (string) | BIG-IP AS3 pointer to Ping Access Properties |
Ping_Access_Profile_pool¶
Ping_Access_Profile pool possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Pool | |
use (string) | BIG-IP AS3 pointer to Pool declaration |
Ping_Access_Profile_serversslProfile¶
Ping_Access_Profile serversslProfile possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP server ssl profile | |
use (string) | BIG-IP AS3 pointer to server ssl profile |
Pointer_Access_Profile¶
Reference to an Access Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Access Profile | |
use (string) | AS3 pointer to Access Profile declaration |
Pointer_Access_Profile_Ping¶
Reference to an Access Profile Ping
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Access Profile Ping | |
use (string) | AS3 pointer to Access Profile Ping declaration |
Pointer_Address_Discovery¶
Reference to an Address Discovery
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
use (string) | AS3 pointer to Address Discovery declaration |
Pointer_Address_List¶
Reference to a firewall address list or net address list
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP firewall address list or net address list | |
use (string) | AS3 pointer to firewall address list or net address list declaration |
Pointer_ALG_Log_Profile¶
Reference to an application layer gateway log profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP application layer gateway log profile | |
use (string) | AS3 pointer to application layer gateway log profile declaration |
Pointer_Analytics_Profile¶
Reference to an Analytics_Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Analytics_Profile | |
use (string) | AS3 pointer to Analytics_Profile declaration |
Pointer_Analytics_TCP_Profile¶
Reference to an Analytics_TCP_Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Analytics_TCP_Profile | |
use (string) | AS3 pointer to Analytics_TCP_Profile declaration |
Pointer_API_Protection_Profile¶
Reference to an API_Protection_Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP API_Protection_Profile |
Pointer_Bandwidth_Control_Policy¶
Reference to a bandwidth control policy
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP bandwidth control policy | |
use (string) | AS3 pointer to bandwidth control policy declaration |
Pointer_BIGIP¶
Reference for a BIG-IP object
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | Path to BIG-IP object |
Pointer_BIGIP_Or_Use¶
Reference for a BIG-IP or Use object
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | Path to BIG-IP object | ||
use (Property_Use) |
Pointer_Bot_Defense_Profile¶
Reference to a bot defense profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP bot defense profile |
Pointer_Bot_Signature¶
Reference to a bot signature
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP bot signature |
Pointer_Bot_Signature_Category¶
Reference to a bot signature category
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP bot signature category |
Pointer_CA_Bundle¶
Reference to a Ca Bundle
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Ca Bundle | |
use (Property_Use | reference) |
Pointer_Certificate_Validator_OCSP¶
Reference to an OCSP Cert Validator
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP OCSP Cert Validator | |
use (string) | BIG-IP AS3 pointer to OCSP Cert Validator declaration |
Pointer_Cipher_Group¶
Reference to a cipher group
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP cipher group | |
use (string) | AS3 pointer to cipher group declaration |
Pointer_Cipher_Rule¶
Reference to a cipher rule
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP cipher rule | |
use (string) | AS3 pointer to cipher rule declaration |
Pointer_Classification_Application¶
Reference to an application classification
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP application classification |
Pointer_Classification_Category¶
Reference to a category classification
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP category classification |
Pointer_Classification_Preset¶
Reference to a classification preset
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP classification preset |
Pointer_Classification_Profile¶
Reference to a classification profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP classification profile | |
use (string) | AS3 pointer to classification profile declaration |
Pointer_Connectivity_Profile¶
Reference to a Connectivity Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Connectivity Profile |
Pointer_Data_Group¶
Reference to a Data Group
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Data Group | |
use (string) | AS3 pointer to Data Group declaration |
Pointer_Data_Group_File¶
Reference to a Data Group File
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Data Group File |
Pointer_Denylist_Category¶
Reference to a denylist category
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP denylist category |
Pointer_DNS_Cache¶
Reference to a DNS cache
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP DNS cache | |
use (string) | AS3 pointer to DNS cache declaration |
Pointer_DNS_Listener¶
Reference to a DNS Listener
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP DNS Listener | |
use (string) | AS3 pointer to DNS Listener declaration |
Pointer_DNS_Logging_Profile¶
Reference to a DNS logging profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP DNS logging profile | |
use (string) | AS3 pointer to DNS logging profile declaration |
Pointer_DNS_Nameserver¶
Reference to a DNS nameserver
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP DNS nameserver | |
use (string) | AS3 pointer to DNS nameserver declaration |
Pointer_DNS_Profile¶
Reference to a DNS profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP DNS profile | |
use (string) | AS3 pointer to DNS profile declaration |
Pointer_DNS_Resolver¶
Reference to a DNS resolver
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP DNS resolver |
Pointer_DNS_Security_Profile¶
Reference to a DNS security profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP DNS security profile |
Pointer_DNS_TSIG_Key¶
Reference to a DNS TSIG key
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP DNS TSIG key | |
use (string) | AS3 pointer to DNS TSIG key declaration |
Pointer_DNS_Zone¶
Reference to a DNS zone
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP DNS zone | |
use (string) | AS3 pointer to DNS zone declaration |
Pointer_DOS_Profile¶
Reference to a DOS Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP DOS Profile | |
use (string) | AS3 pointer to DOS Profile declaration |
Pointer_Endpoint_Policy¶
No description provided
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP endpoint policy | |
use (string) | AS3 pointer to endpoint policy declaration |
Pointer_Enforcement_Diameter_Endpoint_Profile¶
Reference to an enforcement profile diameter endpoint
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP enforcement profile diameter endpoint | |
use (string) | AS3 pointer to enforcement profile diameter endpoint declaration |
Pointer_Enforcement_Format_Script¶
Reference to a format script
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP format script | |
use (string) | AS3 pointer to format script declaration |
Pointer_Enforcement_Forwarding_Endpoint¶
Reference to a forwarding endpoint
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP forwarding endpoint | |
use (string) | AS3 pointer to forwarding endpoint declaration |
Pointer_Enforcement_Interception_Endpoint¶
Reference to an interception endpoint
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP interception endpoint | |
use (string) | AS3 pointer to interception endpoint declaration |
Pointer_Enforcement_iRule¶
Reference to an enforcement iRule
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP PEM iRule | |
use (string) | AS3 pointer to enforcement iRule declaration |
Pointer_Enforcement_Policy¶
Reference to an enforcement policy
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP PEM policy | |
use (string) | AS3 pointer to enforcement policy declaration |
Pointer_Enforcement_Profile¶
Reference to an enforcement profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP PEM spm policy | |
use (string) | AS3 pointer to enforcement profile declaration |
Pointer_Enforcement_Profile_Gx¶
Reference to an enforcement profile gx
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP enforcement profile gx |
Pointer_Enforcement_Protocol_Profile_Radius¶
Reference to a radius protocol profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP radius protocol profile |
Pointer_Enforcement_Radius_AAA_Profile¶
Reference to an enforcement profile radius aaa
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP enforcement profile radius aaa | |
use (string) | AS3 pointer to enforcement profile radius aaa declaration |
Pointer_Enforcement_Rating_Group¶
Reference to a quota rating group
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP quota rating group |
Pointer_Enforcement_Service_Chain_Endpoint¶
Reference to a service chain endpoint
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP service chain endpoint | |
use (string) | AS3 pointer to service chain endpoint declaration |
Pointer_Enforcement_Subscriber_Management_Profile¶
Reference to an enforcement subscriber management profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP PEM subscriber-mgmt policy | |
use (string) | AS3 pointer to enforcement subscriber management profile declaration |
Pointer_Existing_TLS_Client_Profile¶
Reference to a TLS Client profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP TLS Client profile |
Pointer_Existing_TLS_Server_Profile¶
Reference to a TLS Server profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP TLS Server profile |
Pointer_F5_String_Or_BIGIP¶
Reference for a property or BIG-IP object
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
base64 (Property_Base64) | |||
bigip (string) | Path to BIG-IP object | ||
copyFrom (Pointer_Copy_From) | |||
text (Property_Text) | |||
url (Resource_URL) |
Pointer_Firewall_Address_List¶
Reference to a firewall address list
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP firewall address list | |
use (string) | AS3 pointer to firewall address list declaration |
Pointer_Firewall_Policy¶
Reference to a firewall (AFM) policy
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP firewall (AFM) policy | |
use (string) | AS3 pointer to firewall (AFM) policy declaration |
Pointer_Firewall_Port_List¶
Reference to a firewall port list
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
use (string) | AS3 pointer to firewall port list declaration |
Pointer_Firewall_Rule_List¶
Reference to a firewall rule list
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP firewall rule list | |
use (string) | AS3 pointer to firewall rule list declaration |
Pointer_FIX_Profile¶
Reference to a FIX profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP FIX profile | |
use (string) | AS3 pointer to FIX profile declaration |
Pointer_FPS_Profile¶
Reference to an FPS Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP FPS Profile |
Pointer_FTP_Profile¶
Reference to an FTP protocol profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP FTP protocol profile | |
use (string) | AS3 pointer to FTP protocol profile declaration |
Pointer_GSLB_Data_Center¶
Reference to a GSLB data center
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GSLB data center | |
use (string) | AS3 pointer to GSLB data center declaration |
Pointer_GSLB_Domain_A¶
Reference to a GSLB domain
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GSLB domain | |
use (string) | AS3 pointer to GSLB domain declaration |
Pointer_GSLB_Domain_AAAA¶
Reference to a GSLB domain
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GSLB domain | |
use (string) | AS3 pointer to GSLB domain declaration |
Pointer_GSLB_Domain_CNAME¶
Reference to a GSLB domain
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GSLB domain | |
use (string) | AS3 pointer to GSLB domain declaration |
Pointer_GSLB_Domain_MX¶
Reference to a GSLB domain
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GSLB domain | |
use (string) | AS3 pointer to GSLB domain declaration |
Pointer_GSLB_Domain_NAPTR¶
Reference to a GSLB domain
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GSLB domain | |
use (string) | AS3 pointer to GSLB domain declaration |
Pointer_GSLB_Monitor¶
Reference to a GSLB monitor
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GSLB monitor | |
use (string) | AS3 pointer to GSLB monitor declaration |
Pointer_GSLB_Pool¶
Reference to a GSLB pool
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GSLB pool | |
use (string) | AS3 pointer to GSLB pool declaration |
Pointer_GSLB_Prober_Pool¶
Reference to a GSLB pool
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GSLB pool | |
use (string) | AS3 pointer to GSLB pool declaration |
Pointer_GSLB_Server¶
Reference to a GSLB server
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GSLB server | |
use (string) | AS3 pointer to GSLB server declaration |
Pointer_GSLB_Server_Device¶
Reference to a GSLB server device
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GSLB server device | |
use (string) | AS3 pointer to GSLB server device declaration |
Pointer_GSLB_Topology_Region¶
Reference to a GSLB Topology Region
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP GSLB Topology Region | |
use (string) | AS3 pointer to GSLB Topology Region declaration |
Pointer_GSLB_Virtual_Server¶
Reference to a GSLB virtual server
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
use (string) | AS3 pointer to GSLB virtual server declaration |
Pointer_HTML_Profile¶
Reference to an HTML_Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP HTML_Profile | |
use (string) | AS3 pointer to HTML_Profile declaration |
Pointer_HTML_Rule¶
Reference to an HTML_Rule
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP HTML_Rule | |
use (string) | AS3 pointer to HTML_Rule declaration |
Pointer_HTTP_Acceleration_Profile¶
Reference to an HTTP Acceleration Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP HTTP Acceleration Profile | |
use (string) | AS3 pointer to HTTP Acceleration Profile declaration |
Pointer_HTTP_Profile¶
Reference to an HTTP Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | Path to BIG-IP object | ||
use (Property_Use) |
Pointer_HTTP2_Profile¶
Reference to an HTTP/2 Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP HTTP/2 Profile | |
use (string) | AS3 pointer to HTTP/2 Profile declaration |
Pointer_ICAP_Profile¶
Reference to an ICAP Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP ICAP Profile | |
use (string) | AS3 pointer to ICAP Profile declaration |
Pointer_Idle_Timeout_Policy¶
Reference to an idle timeout policy
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP idle timeout policy | |
use (string) | AS3 pointer to idle timeout policy declaration |
Pointer_ILX_Profile¶
Reference to an iRules LX Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP iRules LX Profile |
Pointer_Integrated_Bot_Defense_Profile¶
Reference to an Integrated Bot Defense Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Integrated Bot Defense Profile |
Pointer_IP_Intelligence_Policy¶
Reference to an IP Intelligence Policy
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP IP Intelligence Policy |
Pointer_IP_Other_Profile¶
Reference to an ipother profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP ipother profile | |
use (string) | AS3 pointer to ipother profile declaration |
Pointer_L4_Profile¶
Reference to a fast L4 profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | Path to BIG-IP object | ||
use (Property_Use) |
Pointer_Log_Destination¶
Reference to a log destination
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | Path to BIG-IP object | ||
use (Property_Use) |
Pointer_Log_Publisher¶
Reference to a log publisher
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | Path to BIG-IP object | ||
use (Property_Use) |
Pointer_Monitor¶
Name or path to monitor
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP monitor | |
use (Property_Use | string) |
Pointer_Multiplex_Profile¶
Reference to a Multiplex profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Multiplex profile | |
use (string) | AS3 pointer to Multiplex profile declaration |
Pointer_NAT_Source_Translation¶
Reference to a NAT Source Translation
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP NAT Source Translation | |
use (string) | AS3 pointer to NAT Source Translation declaration |
Pointer_Net_Address_List¶
Reference to a net address list
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP net address list | |
use (string) | AS3 pointer to net address list declaration |
Pointer_Net_Port_List¶
Reference to a net port list
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP net port list | |
use (string) | AS3 pointer to net port list declaration |
Pointer_NTLM_Profile¶
Reference to an NT LAN Manager profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP NT LAN Manager profile |
Pointer_Per_Request_Access_Policy¶
Reference to a Per Request Access Policy
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Per Request Access Policy | |
use (string) | AS3 pointer to Per Request Access Policy declaration |
Pointer_Persist¶
Reference to a persistence profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP persistence profile | |
use (string) | AS3 pointer to persistence profile declaration |
Pointer_Persist_Profile¶
Reference to a Persist Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Persist Profile | |
use (string) | AS3 pointer to Persist Profile declaration |
Pointer_Pool¶
Reference to a pool
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | Path to BIG-IP object | ||
use (Property_Use) |
Pointer_Port_List¶
Reference to a firewall port list or net port list
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP firewall port list or net port list | |
use (string) | AS3 pointer to firewall port list or net port list declaration |
Pointer_PPTP_Profile¶
Reference to a PPTP_Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP PPTP_Profile |
Pointer_Protocol_Inspection_Profile¶
Reference to a Protocol Inspection Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Protocol Inspection Profile | |
use (string) | AS3 pointer to Protocol Inspection Profile declaration |
Pointer_Radius_Profile¶
Reference to a radius profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP radius profile | |
use (string) | AS3 pointer to radius profile declaration |
Pointer_Request_Adapt_Profile¶
Reference to a Request Adapt Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Request Adapt Profile | |
use (string) | AS3 pointer to Request Adapt Profile declaration |
Pointer_Response_Adapt_Profile¶
Reference to a Response Adapt Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Response Adapt Profile | |
use (string) | AS3 pointer to Response Adapt Profile declaration |
Pointer_Rewrite_Profile¶
Reference to a Rewrite Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Rewrite Profile | |
use (string) | AS3 pointer to Rewrite Profile declaration |
Pointer_Route_Domain¶
Reference to a route domain
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP route domain |
Pointer_RTSP_Profile¶
Reference to a Real Time Streaming Protocol Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Real Time Streaming Protocol Profile | |
use (string) | AS3 pointer to Real Time Streaming Protocol Profile declaration |
Pointer_SCTP_Profile¶
Reference to an SCTP Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP SCTP Profile |
Pointer_Security_Log_Profile¶
Reference to a Security Log Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Security Log Profile | |
use (string) | AS3 pointer to Security Log Profile declaration |
Pointer_Service¶
Reference to a service
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP virtual server | |
use (string) | AS3 pointer to service declaration |
Pointer_Service_Address¶
Reference to a Service Address
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Service Address | |
use (string) | AS3 pointer to Service Address declaration |
Pointer_SIP_Profile¶
Reference to a SIP profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP SIP profile |
Pointer_SNAT_Pool¶
Reference to a snat pool
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP snat pool | |
use (string) | AS3 pointer to snat pool declaration |
Pointer_SNAT_Translation¶
Reference to a snat translation
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP snat translation | |
use (string) | AS3 pointer to snat translation declaration |
Pointer_SOCKS_Profile¶
Reference to a SOCKS profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP SOCKS profile | |
use (string) | AS3 pointer to SOCKS profile declaration |
Pointer_SSH_Proxy_Profile¶
Reference to an SSH proxy profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP SSH proxy profile | |
use (string) | AS3 pointer to SSH proxy profile declaration |
Pointer_SSL_Certificate¶
Reference to an SSL certificate
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP SSL certificate | |
use (string) | BIG-IP AS3 pointer to SSL certificate declaration |
Pointer_SSL_CRL_File¶
Reference to an SSL CRL file
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP SSL CRL file |
Pointer_Statistics_Profile¶
Reference to a Statistics Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Statistics Profile | |
use (string) | AS3 pointer to Statistics Profile declaration |
Pointer_Stream_Profile¶
Reference to a stream profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP stream profile | |
use (string) | AS3 pointer to stream profile declaration |
Pointer_System_All¶
All system reference pointers valid for the runtime (bigip, cm, etc.)
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | Path to BIG-IP object |
Pointer_System_All_Or_F5_String¶
System reference pointers (all valid for the runtime) or F5 string
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
base64 (Property_Base64) | |||
bigip (string) | Path to BIG-IP object | ||
copyFrom (Pointer_Copy_From) | |||
text (Property_Text) | |||
url (Resource_URL) |
Pointer_TCP_Profile¶
Reference to a TCP profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP TCP profile | |
use (string) | AS3 pointer to TCP profile declaration |
Pointer_TFTP_Profile¶
Reference to a TFTP profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP TFTP profile | |
use (string) | AS3 pointer to TFTP profile declaration |
Pointer_TLS_Client¶
Reference to a TLS Client
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP TLS Client | |
use (string) | AS3 pointer to TLS Client declaration |
Pointer_TLS_Server¶
Reference to a TLS Server
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP TLS Server | |
use (string) | AS3 pointer to TLS Server declaration |
Pointer_Traffic_Log_Profile¶
Reference to a traffic log profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP Request Logging Profile | |
use (string) | AS3 pointer to traffic log profile declaration |
Pointer_Tunnel¶
Reference to a network tunnel
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP network tunnel |
Pointer_UDP_Profile¶
Reference to a UDP profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP UDP profile | |
use (string) | AS3 pointer to UDP profile declaration |
Pointer_Use¶
Reference for use property
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
use (Property_Use) |
Pointer_VDI_Profile¶
Reference to a VDI profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP VDI profile |
Pointer_VLAN¶
Reference to a VLAN
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP VLAN |
Pointer_WAF_Policy¶
Reference to a WAF policy
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP WAF policy | |
use (string) | AS3 pointer to WAF policy declaration |
Pointer_WebSocket_Profile¶
Reference to a WebSocket Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP WebSocket Profile | |
use (string) | AS3 pointer to WebSocket Profile declaration |
Policy_Action¶
LTM policy action
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
carp (Policy_Action_carp) | Persist the connection using Cache Array Routing Protocol (CARP) algorithm | ||
code (integer) | [300, 399] | HTTP status code for the redirect. Note: code is only supported in TMOS version 14.0+. | |
cookieHash (Policy_Action_cookieHash) | Persist the connection using cookie hash | ||
cookieInsert (Policy_Action_cookieInsert) | Persist the connection using cookie insertion | ||
cookiePassive (Policy_Action_cookiePassive) | Persist the connection using cookie passive | ||
cookieRewrite (Policy_Action_cookieRewrite) | Persist the connection using cookie rewrite | ||
destinationAddress (Policy_Action_destinationAddress) | Persist the connection based on the destination IP address | ||
disable (Policy_Action_disable) | Disable persistence. When specifying, set this property to an empty object (disable: {}). | ||
enabled (boolean) | true | true, false | Enable BIG-IP’s HTTP filter processing |
event (string) | “request” | “client-accepted”, “proxy-request”, “request”, “response”, “server-connected” | When to run this event in the request-response cycle |
hash (Policy_Action_hash) | Persist the connection using the hash of a key | ||
insert (Policy_Action_insert) | Insert HTTP header into request or response | ||
location (string) | The new URL for which the system will send a redirect response; you can use a Tcl command substitution for this field | ||
policy (Pointer_WAF_Policy) | |||
profile (Pointer_Bot_Defense_Profile) | |||
remove (Policy_Action_remove) | Remove HTTP header from request or response | ||
replace (Policy_Action_replace) | Replace HTTP header in request or response | ||
select (Policy_Action_Forward_Select) | Select appropriate location for forwarding the connection based on specified parameters | ||
setVariable (Policy_Action_setVariable) | Set a Tcl variable in the runtime environment | ||
sourceAddress (Policy_Action_sourceAddress) | Persist the connection based on the source IP address | ||
type (string) | “http”, “httpCookie”, “httpHeader”, “httpRedirect”, “httpUri”, “botDefense”, “waf”, “forward”, “drop”, “clientSsl”, “persist”, “tcl”, “log” | Selects the LTM policy action this object describes | |
universal (Policy_Action_universal) | Persist the connection using a user-defined key | ||
write (Policy_Action_write) | Write a message to the system log files |
Policy_Action_carp¶
Policy_Action carp possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
key (string) | The key to use. Tcl command substitution is allowed | ||
timeout (integer) | [0, 65535] | Timeout value in seconds |
Policy_Action_cookieHash¶
Policy_Action cookieHash possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
length (integer) | [0, 65535] | Substring length | |
name (string) | Name of cookie | ||
offset (integer) | [0, 65535] | Offset into hash | |
timeout (integer) | [0, 65535] | Timeout value in seconds |
Policy_Action_cookieInsert¶
Policy_Action cookieInsert possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
expiry (string) | Expiration duration expressed as [Nd][HH:MM[:SS]] | ||
name (string) | Name of cookie |
Policy_Action_cookiePassive¶
Policy_Action cookiePassive possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (string) | Name of cookie |
Policy_Action_cookieRewrite¶
Policy_Action cookieRewrite possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
expiry (string) | Expiration duration expressed as [Nd][HH:MM[:SS]] | ||
name (string) | Name of cookie |
Policy_Action_destinationAddress¶
Policy_Action destinationAddress possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
netmask (string) | format: f5ip | Network mask | |
timeout (integer) | [0, 65535] | Timeout value in seconds |
Policy_Action_hash¶
Policy_Action hash possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
key (string) | The key to use. Tcl command substitution is allowed | ||
timeout (integer) | [0, 65535] | Timeout value in seconds |
Policy_Action_insert¶
Policy_Action insert possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (string) | Name of HTTP header | ||
value (string) | New value for HTTP header; you can use a Tcl command substitution for this field |
Policy_Action_remove¶
Policy_Action remove possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (string) | Name of HTTP header |
Policy_Action_replace¶
Policy_Action replace possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (string) | Name of HTTP header | ||
value (string) | New value for HTTP header; you can use a Tcl command substitution for this field |
Policy_Action_setVariable¶
Policy_Action setVariable possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
expression (string) | Tcl expression to evaluate | ||
name (string) | Name of variable |
Policy_Action_sourceAddress¶
Policy_Action sourceAddress possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
netmask (string) | format: f5ip | Network mask | |
timeout (integer) | [0, 65535] | Timeout value in seconds |
Policy_Action_universal¶
Policy_Action universal possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
key (string) | The key to use. Tcl command substitution is allowed | ||
timeout (integer) | [0, 65535] | Timeout value in seconds |
Policy_Action_write¶
Policy_Action write possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
facility (string) | “local0” | “authpriv”, “cron”, “daemon”, “ftp”, “kern”, “local0”, “local1”, “local2”, “local3”, “local4”, “local5”, “local6”, “local7”, “lpr”, “mail”, “news”, “security”, “user”, “uucp” | Standard syslog facility associated with the message |
ipAddress (string) | format: f5ip | The IP address of the remote syslog server | |
message (string) | The message to write to the system log. Can also be a Tcl command substitution | ||
port (integer) | 0 | [0, 65535] | The port number of the remote syslog server |
priority (string) | “info” | “crit”, “debug”, “error”, “info”, “notice”, “warning” | Standard syslog priority associated with the message |
Policy_Action_Bot_Defense¶
Enable or disable Unified Bot Defense processing
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
event (string) | “request” | “client-accepted”, “proxy-request”, “request” | When to run this event in the request-response cycle |
profile (Pointer_Bot_Defense_Profile) |
Policy_Action_Client_SSL¶
Enable or disable encrypted connections to backend servers
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
enabled (boolean) | true | true, false | Enable encrypted connections to backend servers |
event (string) | “client-accepted” | “client-accepted”, “proxy-request”, “request”, “proxy-connect”, “proxy-response”, “server-connected” | When to run this event in the request-response cycle |
Policy_Action_Drop¶
Reset connection
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
event (string) | “ssl-client-hello” | “proxy-request”, “request”, “ssl-client-hello”, “client-accepted” | When to run this event in the request-response cycle |
Policy_Action_Forward¶
Controls where the system forwards a connection
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
event (string) | “ssl-client-hello” | “client-accepted”, “ssl-client-hello”, “request” | When to run this event in the request-response cycle |
select (Policy_Action_Forward_Select) | Select appropriate location for forwarding the connection based on specified parameters |
Policy_Action_Forward_Select¶
Select appropriate location for forwarding the connection based on specified parameters
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
pool (Pointer_Pool) | |||
service (Pointer_Service) | |||
snat (string) | “disable”, “automap” | Controls SNAT Automap |
Policy_Action_HTTP¶
Provides the ability to enable or disable BIG-IP’s HTTP filter processing
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
enabled (boolean) | true | true, false | Enable BIG-IP’s HTTP filter processing |
event (string) | “request” | “client-accepted”, “proxy-request”, “request”, “response”, “server-connected” | When to run this event in the request-response cycle |
Policy_Action_HTTP_Cookie¶
Modify the request’s “Cookie:” header
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
event (string) | “request” | “request” | When to run this event in the request-response cycle |
insert (Policy_Action_HTTP_Cookie_insert) | Insert HTTP “Cookie:” header into request | ||
remove (Policy_Action_HTTP_Cookie_remove) | Remove HTTP “Cookie:” header from request |
Policy_Action_HTTP_Cookie_insert¶
Policy_Action_HTTP_Cookie insert possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (string) | Name of HTTP cookie | ||
value (string) | New value for HTTP cookie; you can use a Tcl command substitution for this field |
Policy_Action_HTTP_Cookie_remove¶
Policy_Action_HTTP_Cookie remove possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (string) | Name of HTTP cookie |
Policy_Action_HTTP_Header¶
Modify HTTP header in request or response
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
event (string) | “request” | “request”, “response” | When to run this event in the request-response cycle |
insert (Policy_Action_HTTP_Header_insert) | Insert HTTP header into request or response | ||
remove (Policy_Action_HTTP_Header_remove) | Remove HTTP header from request or response | ||
replace (Policy_Action_HTTP_Header_replace) | Replace HTTP header in request or response |
Policy_Action_HTTP_Header_insert¶
Policy_Action_HTTP_Header insert possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (string) | Name of HTTP header | ||
value (string) | New value for HTTP header; you can use a Tcl command substitution for this field |
Policy_Action_HTTP_Header_remove¶
Policy_Action_HTTP_Header remove possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (string) | Name of HTTP header |
Policy_Action_HTTP_Header_replace¶
Policy_Action_HTTP_Header replace possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (string) | Name of HTTP header | ||
value (string) | New value for HTTP header; you can use a Tcl command substitution for this field |
Policy_Action_HTTP_Redirect¶
Redirect an HTTP request to a different URL
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
code (integer) | [300, 399] | HTTP status code for the redirect. Note: code is only supported in TMOS version 14.0+. | |
event (string) | “proxy-request” | “proxy-request”, “request”, “response” | When to run this event in the request-response cycle |
location (string) | The new URL for which the system will send a redirect response; you can use a Tcl command substitution for this field |
Policy_Action_HTTP_URI¶
Modify the request’s URI, path, or query string
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
event (string) | “request” | “request” | When to run this event in the request-response cycle |
replace (Policy_Action_HTTP_URI_replace) | Replace URI, path, or query string in request |
Policy_Action_HTTP_URI_replace¶
Policy_Action_HTTP_URI replace possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
path (string) | New value for path; you can use a Tcl command substitution for this field | ||
queryString (string) | New value for query string; you can use a Tcl command substitution for this field | ||
value (string) | New value for URI; you can use a Tcl command substitution for this field |
Policy_Action_Log¶
Writes messages to local or remote system log
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
event (string) | “ssl-client-hello” | “classification-detected”, “client-accepted”, “proxy-connect”, “proxy-request”, “proxy-response”, “request”, “response”, “server-connected”, “ssl-client-hello”, “ssl-client-serverhello-send”, “ssl-server-handshake”, “ssl-server-hello”, “ws-request”, “ws-response” | When to run this event in the request-response cycle |
write (Policy_Action_Log_write) | Write a message to the system log files |
Policy_Action_Log_write¶
Policy_Action_Log write possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
facility (string) | “local0” | “authpriv”, “cron”, “daemon”, “ftp”, “kern”, “local0”, “local1”, “local2”, “local3”, “local4”, “local5”, “local6”, “local7”, “lpr”, “mail”, “news”, “security”, “user”, “uucp” | Standard syslog facility associated with the message |
ipAddress (string) | format: f5ip | The IP address of the remote syslog server | |
message (string) | The message to write to the system log. Can also be a Tcl command substitution | ||
port (integer) | 0 | [0, 65535] | The port number of the remote syslog server |
priority (string) | “info” | “crit”, “debug”, “error”, “info”, “notice”, “warning” | Standard syslog priority associated with the message |
Policy_Action_Persist¶
Control over how a connection is persisted
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
carp (Policy_Action_Persist_carp) | Persist the connection using Cache Array Routing Protocol (CARP) algorithm | ||
cookieHash (Policy_Action_Persist_cookieHash) | Persist the connection using cookie hash | ||
cookieInsert (Policy_Action_Persist_cookieInsert) | Persist the connection using cookie insertion | ||
cookiePassive (Policy_Action_Persist_cookiePassive) | Persist the connection using cookie passive | ||
cookieRewrite (Policy_Action_Persist_cookieRewrite) | Persist the connection using cookie rewrite | ||
destinationAddress (Policy_Action_Persist_destinationAddress) | Persist the connection based on the destination IP address | ||
disable (Policy_Action_Persist_disable) | Disable persistence. When specifying set this property to an empty object (disable: {}). | ||
event (string) | “client-accepted” | “client-accepted”, “proxy-request”, “request” | When to run this event in the request-response cycle |
hash (Policy_Action_Persist_hash) | Persist the connection using the hash of a key | ||
sourceAddress (Policy_Action_Persist_sourceAddress) | Persist the connection based on the source IP address | ||
universal (Policy_Action_Persist_universal) | Persist the connection using a user-defined key |
Policy_Action_Persist_carp¶
Policy_Action_Persist carp possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
key (string) | The key to use. Tcl command substitution is allowed | ||
timeout (integer) | [0, 65535] | Timeout value in seconds |
Policy_Action_Persist_cookieHash¶
Policy_Action_Persist cookieHash possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
length (integer) | [0, 65535] | Substring length | |
name (string) | Name of cookie | ||
offset (integer) | [0, 65535] | Offset into hash | |
timeout (integer) | [0, 65535] | Timeout value in seconds |
Policy_Action_Persist_cookieInsert¶
Policy_Action_Persist cookieInsert possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
expiry (string) | Expiration duration expressed as [Nd][HH:MM[:SS]] | ||
name (string) | Name of cookie |
Policy_Action_Persist_cookiePassive¶
Policy_Action_Persist cookiePassive possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (string) | Name of cookie |
Policy_Action_Persist_cookieRewrite¶
Policy_Action_Persist cookieRewrite possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
expiry (string) | Expiration duration expressed as [Nd][HH:MM[:SS]] | ||
name (string) | Name of cookie |
Policy_Action_Persist_destinationAddress¶
Policy_Action_Persist destinationAddress possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
netmask (string) | format: f5ip | Network mask | |
timeout (integer) | [0, 65535] | Timeout value in seconds |
Policy_Action_Persist_hash¶
Policy_Action_Persist hash possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
key (string) | The key to use. Tcl command substitution is allowed | ||
timeout (integer) | [0, 65535] | Timeout value in seconds |
Policy_Action_Persist_sourceAddress¶
Policy_Action_Persist sourceAddress possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
netmask (string) | format: f5ip | Network mask | |
timeout (integer) | [0, 65535] | Timeout value in seconds |
Policy_Action_Persist_universal¶
Policy_Action_Persist universal possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
key (string) | The key to use. Tcl command substitution is allowed | ||
timeout (integer) | [0, 65535] | Timeout value in seconds |
Policy_Action_TCL¶
Set a Tcl variable in runtime environment
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
event (string) | “request” | “proxy-request”, “request”, “response”, “ssl-client-hello”, “ssl-server-hello”, “ssl-server-handshake” | When to run this event in the request-response cycle |
setVariable (Policy_Action_TCL_setVariable) | Set a Tcl variable in the runtime environment |
Policy_Action_TCL_setVariable¶
Policy_Action_TCL setVariable possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
expression (string) | Tcl expression to evaluate | ||
name (string) | Name of variable |
Policy_Action_WAF¶
Control web security
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
event (string) | “request” | “client-accepted”, “proxy-request”, “request” | When to run this event in the request-response cycle |
policy (Pointer_WAF_Policy) |
Policy_Compare_Number¶
Perform a comparison against number values
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
datagroup (Datagroup_Value) | Reference to a data-group containing the values | ||
operand (string) | “equals” | “equals”, “does-not-equal”, “less”, “greater”, “less-or-equal”, “greater-or-equal” | Specifies the comparison the system should perform with values |
values (array<integer>) | [-infinity, infinity] | A list of numbers to do comparisons against |
Policy_Compare_String¶
Perform a comparison against string values
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
caseSensitive (boolean) | false | true, false | Specifies whether the system should perform the comparison with case sensitivity |
datagroup (Datagroup_Value) | Reference to a data-group containing the values | ||
operand (string) | “equals” | “equals”, “does-not-equal”, “starts-with”, “does-not-start-with”, “ends-with”, “does-not-end-with”, “contains”, “does-not-contain”, “exists”, “does-not-exist” | Specifies the comparison the system should perform with values. The operands exists and does-not-exist do not accept values and are available on BIG-IP 15.0 and above. |
values (array<string>) | A list of strings to do comparisons against |
Policy_Condition¶
LTM policy condition
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (Policy_Match_String) | Specify the address to use | ||
all (Policy_Compare_String) | Match on the full URI | ||
alpn (Policy_Compare_String) | Server name indication | ||
code (Policy_Compare_Number) | Match against the numeric HTTP response status code | ||
continent (Policy_Match_String) | Two-character continent code: AF, AN, AS, OC, EU, NA, SA | ||
countryCode (Policy_Match_String) | Two-character country code as defined in ISO-3166-2 | ||
countryName (Policy_Match_String) | Full name of country | ||
event (string) | “request” | “proxy-request”, “request” | When to evaluate this condition in the request-response cycle |
extension (Policy_Compare_String) | Match on the file extension in the URI (e.g. jpg, html, cgi) | ||
host (Policy_Compare_String) | Match on the hostname in the URI | ||
index (integer) | [1, infinity] | The numeric order of the item whose value you want to use, start at 1; negative values indicate counting right to left | |
isp (Policy_Match_String) | Internet Service Provider associated with address | ||
name (string) | Specify the name of the particular query parameter whose value you want to use | ||
normalized (boolean) | false | true, false | Normalizes the result to a canonical form to allow consistent comparisons |
npn (Policy_Compare_String) | Server name indication | ||
org (Policy_Match_String) | Organization associated with address | ||
path (Policy_Compare_String) | Match on the URI path | ||
pathSegment (Policy_Compare_String) | Match a part of the URI path by a numeric index | ||
port (Policy_Compare_Number) | Match on the port number in the URI | ||
queryParameter (Policy_Compare_String) | Match value of the named query parameter from the query string | ||
queryString (Policy_Compare_String) | Match against text in the query string | ||
regionCode (Policy_Match_String) | Abbreviation of State, Province, or country-specific region | ||
regionName (Policy_Match_String) | Full name of State, Province, or country-specific region | ||
scheme (Policy_Compare_String) | Match on the scheme (e.g. http, https, ftp, file) | ||
serverName (Policy_Compare_String) | Server name indication | ||
text (Policy_Compare_String) | Match against HTTP response status string, e.g. ‘Authentication Required’ | ||
type (string) | “geoip”, “httpCookie”, “httpHeader”, “httpHost”, “httpMethod”, “httpStatus”, “httpUri”, “sslExtension”, “tcp” | Selects the LTM policy condition this object describes | |
unnamedQueryParameter (Policy_Compare_String) | Match the value of a query parameter by a numeric index instead of by name |
Policy_Condition_GeoIP¶
Match against specific GeoIP properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
continent (Policy_Match_String) | Two-character continent code: AF, AN, AS, OC, EU, NA, SA | ||
countryCode (Policy_Match_String) | Two-character country code as defined in ISO-3166-2 | ||
countryName (Policy_Match_String) | Full name of country | ||
event (string) | “request” | “request”, “response”, “client-accepted”, “proxy-connect”, “proxy-request”, “proxy-response”, “server-connected”, “ssl-client-hello”, “ssl-client-serverhello-send”, “ssl-server-handshake”, “ssl-server-hello” | When to evaluate this condition in the request-response cycle |
isp (Policy_Match_String) | Internet Service Provider associated with address | ||
org (Policy_Match_String) | Organization associated with address | ||
regionCode (Policy_Match_String) | Abbreviation of State, Province, or country-specific region | ||
regionName (Policy_Match_String) | Full name of State, Province, or country-specific region |
Policy_Condition_HTTP_Cookie¶
Inspect an HTTP request Cookie: header
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
all (Policy_Compare_String) | Match on the full HTTP cookie | ||
event (string) | “proxy-request” | “proxy-request”, “request”, “proxy-connect” | When to evaluate this condition in the request-response cycle |
name (string) | Specify the name of the particular HTTP cookie whose value you want to use |
Policy_Condition_HTTP_Header¶
Match against any HTTP header
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
all (Policy_Compare_String) | Match on the full HTTP header | ||
event (string) | “proxy-request” | “proxy-request”, “request”, “proxy-connect”, “proxy-response”, “response” | When to evaluate this condition in the request-response cycle |
name (string) | Specify the name of the particular HTTP header whose value you want to use |
Policy_Condition_HTTP_Host¶
Match against an HTTP request’s Host header
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
all (Policy_Compare_String) | Match against the full string of the Host header | ||
event (string) | “proxy-request” | “proxy-request”, “request”, “proxy-connect” | When to evaluate this condition in the request-response cycle |
host (Policy_Compare_String) | Match against the host of the Host header | ||
port (Policy_Compare_Number) | Match against the port of the Host header |
Policy_Condition_HTTP_Method¶
Match against any HTTP method
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
all (Policy_Compare_String) | Match on the full HTTP method | ||
event (string) | “proxy-request” | “proxy-request”, “request” | When to evaluate this condition in the request-response cycle |
Policy_Condition_HTTP_Status¶
Match against an HTTP response’s status
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
all (Policy_Compare_String) | Match against the full HTTP status response, including both code and text | ||
code (Policy_Compare_Number) | Match against the numeric HTTP response status code | ||
event (string) | “proxy-response” | “proxy-response”, “response” | When to evaluate this condition in the request-response cycle |
text (Policy_Compare_String) | Match against HTTP response status string, e.g. ‘Authentication Required’ |
Policy_Condition_HTTP_URI¶
Inspect the URI on a request and match on various parts or the entire URI
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
all (Policy_Compare_String) | Match on the full URI | ||
event (string) | “request” | “proxy-request”, “request” | When to evaluate this condition in the request-response cycle |
extension (Policy_Compare_String) | Match on the file extension in the URI (e.g. jpg, html, cgi) | ||
host (Policy_Compare_String) | Match on the hostname in the URI | ||
index (integer) | [1, infinity] | The numeric order of the item whose value you want to use, start at 1; negative values indicate counting right to left | |
name (string) | Specify the name of the particular query parameter whose value you want to use | ||
normalized (boolean) | false | true, false | Normalizes the result to a canonical form to allow consistent comparisons |
path (Policy_Compare_String) | Match on the URI path | ||
pathSegment (Policy_Compare_String) | Match a part of the URI path by a numeric index | ||
port (Policy_Compare_Number) | Match on the port number in the URI | ||
queryParameter (Policy_Compare_String) | Match value of the named query parameter from the query string | ||
queryString (Policy_Compare_String) | Match against text in the query string | ||
scheme (Policy_Compare_String) | Match on the scheme (e.g. http, https, ftp, file) | ||
unnamedQueryParameter (Policy_Compare_String) | Match the value of a query parameter by a numeric index instead of by name |
Policy_Condition_SSL_Extension¶
Inspect SSL extensions being negotiated during HELLO phase
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
alpn (Policy_Compare_String) | Server name indication | ||
event (string) | “ssl-client-hello” | “ssl-client-hello”, “ssl-server-hello” | When to evaluate this condition in the request-response cycle |
index (integer) | 0 | [1, infinity] | The numeric order of the item whose value you want to use, start at 1; negative values indicate counting right to left |
npn (Policy_Compare_String) | Server name indication | ||
serverName (Policy_Compare_String) | Server name indication |
Policy_Condition_TCP¶
Match against specific TCP properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (Policy_Match_String) | Specify the address to use | ||
event (string) | “request” | “request”, “response”, “classification-detected”, “client-accepted”, “proxy-connect”, “proxy-request”, “proxy-response”, “server-connected”, “ssl-client-hello”, “ssl-client-serverhello-send”, “ssl-server-handshake”, “ssl-server-hello”, “ws-request”, “ws-response” | When to evaluate this condition in the request-response cycle |
port (Policy_Compare_Number) | Specify the port to use |
Policy_Match_String¶
Perform a comparison that either matches or does-not-match
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
datagroup (Datagroup_Value) | Reference to a data-group containing the values | ||
operand (string) | “matches” | “matches”, “does-not-match” | Specifies the comparison |
values (array<string>) | A list of strings to compare against |
Pool¶
Declares a service pool
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowNATEnabled (boolean) | true | true, false | If true (default), NATs are automatically enabled for any connections using this pool. |
allowSNATEnabled (boolean) | true | true, false | If true (default), SNATs are automatically enabled for any connections using this pool. |
class (string) | “Pool” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
loadBalancingMode (string) | “round-robin” | “dynamic-ratio-member”, “dynamic-ratio-node”, “fastest-app-response”, “fastest-node”, “least-connections-member”, “least-connections-node”, “least-sessions”, “observed-member”, “observed-node”, “predictive-member”, “predictive-node”, “ratio-least-connections-member”, “ratio-least-connections-node”, “ratio-member”, “ratio-node”, “ratio-session”, “round-robin”, “weighted-least-connections-member”, “weighted-least-connections-node” | Load-balancing mode |
members (array<Pool_Member>) | Set of Pool members | ||
metadata (Metadata) | |||
minimumMembersActive (integer) | 1 | [0, 65535] | Pool is down when fewer than this number of members are up |
minimumMonitors (string | integer) | Member is down when fewer than minimum monitors report it healthy. Specify ‘all’ to require all monitors to be up. | ||
monitors (array<reference>) | List of health monitors (each by name or BIG-IP AS3 pointer) | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
reselectTries (integer) | 0 | [0, 65535] | Maximum number of attempts to find a responsive member for a connection |
serviceDownAction (string) | “none” | “drop”, “none”, “reselect”, “reset” | Specifies connection handling when member is non-responsive |
slowRampTime (integer) | 10 | [0, 900] | BIG-IP AS3 slowly ramps up the connection rate to a newly-active member during this interval (seconds) |
Pool_Member¶
Declares a service-pool member
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
accessKeyId (string) | Information for discovering AWS nodes that are not in the same region as your BIG-IP (also requires the secretAccessKey field) | ||
addressDiscovery (string | Pool_Member_addressDiscovery | string | Pointer_Address_Discovery) | “static” | “static”, “fqdn”, “event”, “aws”, “gce”, “azure”, “consul” | Selects how server (node) addresses are discovered |
addressFamily (string) | “IPv4” | “IPv4”, “IPv6” | Selects IPv4/6 and DNS A/AAAA RR’s |
addressRealm (string) | “private” | “public”, “private” | Specifies whether to look for public or private IP addresses |
adminState (string) | “enable” | “enable”, “disable”, “offline” | Setting adminState to enable will create the node in an operational state. Set to disable to disallow new connections but allow existing connections to drain. Set to offline to force immediate termination of all connections. |
apiAccessKey (string | Secret) | Azure registered application API access key (AKA service principal secret). Will be stored in the declaration in an encrypted format. | ||
applicationId (string) | Azure registered application ID (AKA client ID) | ||
autoPopulate (boolean) | false | true, false | If true use multiple server (node) addresses when available, otherwise use only one |
bigip (string) | format: f5bigip | If defined, pathname of existing BIG-IP node | |
connectionLimit (integer) | 0 | [0, 2147483647] | Maximum concurrent connections to member |
credentialUpdate (boolean) | false | true, false | Specifies whether you are updating your credentials |
directoryId (string) | Azure Active Directory ID (AKA tenant ID) | ||
downInterval (integer) | 5 | [0, infinity] | DNS retry interval after resolution failure (seconds) |
dynamicRatio (integer) | 1 | [0, 100] | Specifies a range of numbers that you want the system to use in conjunction with the ratio load balancing method |
enable (boolean) | true | true, false | Maps to BIG-IP pool member state |
encodedCredentials (string | Secret) | Base 64 encoded service account credentials JSON | ||
encodedToken (string | Secret) | Base 64 encoded bearer token to make requests to the Consul API. Will be stored in the declaration in an encrypted format. | ||
environment (string) | “Azure” | Azure environment name. Required if environment should not be determined by instance metadata. | |
externalId (string) | External Id | ||
fqdnPrefix (string) | “” | String to prepend onto the hostname to create the node name | |
hostname (string) | format: hostname | ||
jmesPathQuery (string) | Custom JMESPath Query | ||
metadata (Metadata) | |||
minimumMonitors (string | integer) | Member is down when fewer than minimum monitors report it healthy | ||
monitors (array<reference>) | List of monitors (each by name or BIG-IP AS3 pointer) | ||
priorityGroup (integer) | 0 | [0, 65535] | Specifies the priority group within the pool for this pool member |
projectId (string) | For Google Cloud Engine (GCE) only: The ID of the project in which the members are located | ||
queryInterval (integer) | 0 | [0, infinity] | Normal DNS query interval (seconds, default 0 means RR TTL) |
rateLimit (integer) | -1 | [-1, 2147483647] | Value zero prevents use of member |
ratio (integer) | 1 | [0, 100] | Specifies the weight of the pool member for load balancing purposes |
region (string) | “” | Empty string (default) means region in which ADC is running | |
rejectUnauthorized (boolean) | true | true, false | If true, the server certificate is verified against the list of supplied/default CAs when making requests to the Consul API. |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
resourceGroup (string) | Azure Resource Group name | ||
resourceId (string) | ID of resource to find nodes by. | ||
resourceType (string) | “tag”, “scaleSet” | Type of resource identified by resourceId. This can be used in place of tagKey/tagValue. | |
roleARN (string) | Assume a role (also requires the externalId field) | ||
routeDomain (integer) | [0, 65534] | The Route Domain to use for the pool member | |
secretAccessKey (string | Secret) | Will be stored in the declaration as an encrypted string | ||
serverAddresses (array<string>) | format: f5ip | Static IP addresses of servers (nodes). Shorthand for ‘servers’ where you only want to specify the address property. | |
servers (array<Pool_Member_servers>) | Same as serverAddresses, but allowing for further specification of each node. | ||
servicePort (integer) | [0, 65535] | Service L4 port (optional port-discovery may override) | |
shareNodes (boolean) | false | true, false | If enabled, nodes are created in /Common instead of the tenant’s partition |
subscriptionId (string) | Azure subscription ID | ||
tagKey (string) | The tag key associated with the node to add to this pool | ||
tagValue (string) | The tag value associated with the node to add to this pool | ||
trustCA (Pointer_CA_Bundle) | CA Bundle to validate server certificates | ||
undetectableAction (string) | “remove” | “disable”, “remove” | Action to take when node cannot be detected |
updateInterval (integer) | 60 | [1, 3600] | Server-discovery update interval (seconds) |
uri (string) | The location of the node data | ||
useManagedIdentity (boolean) | false | true, false | Use Azure managed identity rather than directoryId, applicationId, and apiAccessKey |
Pool_Member_addressDiscovery¶
Pool_Member addressDiscovery possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
use (string) | AS3 pointer to Address Discovery declaration |
Pool_Member_servers¶
Pool_Member servers possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | format: f5ip | Static IP address for this server (node) | |
name (string) | regex: ^[A-Za-z][0-9A-Za-z_.-]*$ |
Property_Loose_Close¶
When true, system closes a loosely-initiated connection when the system receives the first FIN packet from either the client or the server
No properties
Property_Loose_Initialization¶
When true, system initializes a connection when it receives any TCP packet, rather than requiring a SYN packet for connection initiation
No properties
Property_Passphrase¶
A passphrase (passphrase property)
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | true, false | If true, other declaration objects may reuse this value | |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the protected property empty or do not modify the default value. The protected property is a marker: a value changed from the default indicates that your secrets have been encrypted with SecureVault. For example, the default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (the encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, used with the secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
Property_PVA_Acceleration¶
Specifies the preferred acceleration mode for the Packet Velocity ASIC (PVA) if the platform supports PVA acceleration. Full - Specifies the system applies full PVA acceleration when possible. Partial - Specifies the system applies partial PVA acceleration. None - Specifies the system does not use PVA acceleration. Dedicated - Unconditionally enables ePVA acceleration for all TCP FastL4 connections. Inactive, but established connections are not removed from the ePVA to guarantee low latency forwarding for future packets.
Type string with possible values: “full”, “partial”, “none”, “dedicated”
Property_TCP_Close_Timeout¶
Specifies a TCP close timeout in seconds. Value -1 means indefinite (not recommended)
No properties
Property_TCP_Handshake_Timeout¶
Specifies a TCP handshake timeout in seconds. Value -1 means indefinite (not recommended)
No properties
Protocol_Inspection_Profile¶
Protocol Inspection Profile used for configurable BIG-IP AFM intrusion prevention
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
autoAddNewInspections (boolean) | false | true, false | Specifies whether new inspections delivered via IPS IM package will be automatically added to this profile |
autoPublish (boolean) | false | true, false | Specifies whether the inspections will be automatically updated to the suggested action after the staging period |
class (string) | “Protocol_Inspection_Profile” | ||
collectAVRStats (boolean) | true | true, false | If true, AVR will collect data from the intrusion prevention profile |
defaultFromProfile (string) | Specifies the parent profile. If specified, the new profile will be cloned from the parent | ||
enableComplianceChecks (boolean) | true | true, false | Specifies whether the compliance checks will be enabled for this profile |
enableSignatureChecks (boolean) | true | true, false | Specifies whether the signature checks will be enabled for this profile |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
services (array<Protocol_Inspection_Profile_services>) | Specifies the services and service checks for this profile |
Protocol_Inspection_Profile_services¶
Protocol_Inspection_Profile services possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
compliance (array<Protocol_Inspection_Profile_Service_Compliance_Check>) | A list of compliance checks to attach to the Protocol Inspection Profile | ||
ports (array<integer>) | [0, 65535] | List of ports to attach to the service. | |
signature (array<Protocol_Inspection_Profile_Service_Signature_Check>) | A list of signature checks to attach to the Protocol Inspection Profile | ||
type (string) | “boxp”, “coap”, “dhcp”, “diameter”, “dns”, “ftp”, “gtp”, “http”, “imap”, “ipsec”, “irc”, “mqtt”, “mysql”, “netbios_ns”, “netbios_ssn”, “nntp”, “oracle”, “other”, “pfcp”, “pop3”, “radius”, “rdp”, “rmi”, “rsh”, “sip”, “smtp”, “snmp”, “ssh”, “ssl”, “sunrpc”, “telnet”, “tftp”, “thrift”, “wins” | The name of the service type |
Protocol_Inspection_Profile_Service_Compliance_Check¶
Defines a compliance check to attach to the Protocol Inspection Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
action (string) | “accept” | “accept”, “drop”, “reject” | Which action to perform on traffic matching the check |
check (string) | The name of the check | ||
log (boolean) | true | true, false | Specifies whether to log the check |
value (string) | Value to use for the check. If a check accepts enumerable values, these should be delimited by spaces. |
Protocol_Inspection_Profile_Service_Signature_Check¶
Defines a signature check to attach to the Protocol Inspection Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
action (string) | “accept” | “accept”, “drop”, “reject” | Which action to perform on traffic matching the check |
check (string) | The name of the check | ||
log (boolean) | true | true, false | Specifies whether to log the check |
Radius_Profile¶
Configures a RADIUS profile for network traffic load balancing
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Radius_Profile” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
parentProfile (Pointer_Radius_Profile) | {“bigip”:”/Common/radiusLB”} | Specifies the name of the object to inherit the settings from | |
persistAttribute (integer | string) | “none” | Specifies the name of the RADIUS attribute on which traffic persists. Acceptable values are ASCII strings from section 5 of RFC 2865 or numeric codes (1-255). A value of none indicates that persistence is disabled. | |
protocolProfile (reference | Pointer_Enforcement_Protocol_Profile_Radius) | {“bigip”:”/Common/_sys_radius_proto_imsi”} | Specifies PEM protocol profile that defines mapping of RADIUS AVPs to subscriber ID and other PEM subscriber session attributes | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
subscriberDiscoveryEnabled (boolean) | true | true, false | Specifies whether to enable PEM subscriber discovery based on the content of RADIUS packets |
Resource_URL¶
The URL for a required resource
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
authentication (Basic_Auth | Bearer_Token) | Authentication to the remote source | ||
ignoreChanges (boolean) | false | true, false | If false (default), the URL will be fetched in each BIG-IP AS3 declaration deployment. If true, the resource will be created on the first deployment, but not on additional deployments |
skipCertificateCheck (boolean) | false | true, false | Skip verification of SSL certificates (default false) |
url (string) | format: uri | URL from which to retrieve value |
Rewrite_Profile¶
Configures a rewrite profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bypassList (array<string>) | List of URIs that are bypassed in a web page when a rewrite mode of portal is used | ||
certificate (string) | BIG-IP AS3 pointer to client Certificate declaration (optional) | ||
class (string) | “Rewrite_Profile” | ||
clientCachingType (string) | “cache-css-js” | “cache-all”, “cache-css-js”, “cache-img-css-js”, “no-cache” | The type of client caching used |
javaCaFile (Pointer_CA_Bundle) | {“bigip”:”/Common/ca-bundle.crt”} | The CA Bundle used to verify Java applets signature certificates | |
javaSignKeyPassphrase (Rewrite_Profile_javaSignKeyPassphrase) | Passphrase if any for query authentication | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
locationSpecificEnabled (boolean) | false | true, false | Specifies if this contains an attribute with values specific to the location that the BIG-IP device resides |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
requestSettings (Rewrite_Profile_Request_Settings) | {} | The request settings used for uri-translation | |
responseSettings (Rewrite_Profile_Response_Settings) | {} | The response settings used for uri-translation | |
rewriteList (array<string>) | List of URIs that are rewritten inside a web page when a rewrite mode of portal is used | ||
rewriteMode (string) | “portal” | “portal”, “uri-translation” | The mode of rewriting that is used. uri-translation is a rules-based rewrite mode. portal is for use with Portal Access |
setCookieRules (array<Rewrite_Profile_Set_Cookie_Rule>) | The rules for rewriting HTTP Set-Cookie headers. Used with a rewrite mode of uri-translation | ||
splitTunnelingEnabled (boolean) | false | true, false | Determines if the profile provides for split tunneling |
uriRules (array<Rewrite_Profile_Uri_Rule>) | The rules for rewriting request and response headers and response bodies. Used with a rewrite mode of uri-translation |
Rewrite_Profile_javaSignKeyPassphrase¶
Rewrite_Profile javaSignKeyPassphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the protected property empty or not modify the default value. The protected property is a marker: changing this value from the default indicates that your secrets have been encrypted with SecureVault. For example, the default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see 'protected'='eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0', 'ciphertext' contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (the encoded default is 'protected'='eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0', used with the secret simply base64url-encoded into 'ciphertext'). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
Rewrite_Profile_Request_Settings¶
Request settings for Rewrite_Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
insertXforwardedForEnabled (boolean) | true | true, false | Determines if X-Forwarded-For header |
insertXforwardedHostEnabled (boolean) | false | true, false | Determines if X-Forwarded-Proto header |
insertXforwardedProtoEnabled (boolean) | false | true, false | Determines if X-Forwarded-Host header |
rewriteHeadersEnabled (boolean) | true | true, false | Determines if request headers are rewritten |
Rewrite_Profile_Response_Settings¶
Response settings for Rewrite_Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
rewriteContentEnabled (boolean) | true | true, false | Determines if response content should be rewritten |
rewriteHeadersEnabled (boolean) | true | true, false | Determines if response headers should be rewritten |
Rewrite_Profile_Set_Cookie_Rule¶
A Set-Cookie rule
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
client (Rewrite_Profile_Set_Cookie_Rule_client) | The client domain and path | ||
server (Rewrite_Profile_Set_Cookie_Rule_server) | The server domain and path |
Rewrite_Profile_Set_Cookie_Rule_client¶
Rewrite_Profile_Set_Cookie_Rule client possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
domain (string) | The domain of the client | ||
path (string) | The path of the client. Must be an absolute directory path |
Rewrite_Profile_Set_Cookie_Rule_server¶
Rewrite_Profile_Set_Cookie_Rule server possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
domain (string) | The domain of the server | ||
path (string) | The path of the server. Must be an absolute directory path |
Rewrite_Profile_Uri_Rule¶
A URI rule
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
client (Rewrite_Profile_Uri_Rule_client) | The client URI | ||
server (Rewrite_Profile_Uri_Rule_server) | The server URI | ||
type (string) | “both” | “both”, “request”, “response” | The type of rule. request will affect request headers only, response will affect response headers and bodies, and both will do request and response |
Rewrite_Profile_Uri_Rule_client¶
Rewrite_Profile_Uri_Rule client possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
host (string) | The host of the client URI | ||
path (string) | The path of the client URI. Must be an absolute directory path | ||
port (string) | The port of the client URI | ||
scheme (string) | The scheme of the client URI |
Rewrite_Profile_Uri_Rule_server¶
Rewrite_Profile_Uri_Rule server possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
host (string) | The host of the server URI | ||
path (string) | The path of the server URI. Must be an absolute directory path | ||
port (string) | The port of the server URI | ||
scheme (string) | The scheme of the server URI |
RTSP_Profile¶
Real Time Streaming Protocol Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
algLogProfile (reference | Pointer_ALG_Log_Profile) | ALG log profile pointer | ||
checkSource (boolean) | true | true, false | When true the system uses the source attribute in the transport header to establish the target address of the RTP stream, and before the response is forwarded to the client, updates the value of the source attribute to be the virtual address of the BIG-IP system. When false the system does not change the source attribute. |
class (string) | “RTSP_Profile” | ||
idleTimeout (integer | integer | string) | 300 | [0, 4294967295], “indefinite”, “immediate” | The number of seconds that a Real-time Transport Protocol (RTP) connection is idle before the connection is eligible for deletion |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
logPublisher (reference | Pointer_Log_Publisher) | Log publisher pointer | ||
maxHeaderSize (integer) | 4096 | [0, 4294967295] | The largest RTSP request or response header, in bytes, that the RTSP filter accepts before dropping the connection |
maxQueuedData (integer) | 32768 | [0, 4294967295] | The maximum amount of data, in bytes, that the RTSP filter buffers before dropping the connection |
multicastRedirect (boolean) | false | true, false | When enabled, if you are using multicast streams, specifies that the client has permission to supply a different destination IP address for the streamed data |
proxy (string) | “none” | “external”, “internal”, “none” | Specifies whether the RTSP profile is associated with an RTSP proxy configuration |
proxyHeader (string) | When set, specifies the name of the header in the RTSP proxy configuration that is passed from the client-side virtual server to the server-side virtual server. Note that the name of the header must begin with X-. To use the proxyHeader option, you must specify a value for the proxy option. Note that the system removes this header from the request prior to sending the request to the server for processing. | ||
realHTTPPersistence (boolean) | true | true, false | When enabled specifies that the system automatically persists Real Networks-tunneled RTSP data over HTTP, which is over the RTSP port. When disabled, a user can override the default behavior with an iRule. |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
RTCPPort (integer) | 0 | [0, 65535] | The number of the port to use for the Real Time Control Protocol (RTCP) service. RTCP allows monitoring of real-time data delivery. |
RTPPort (integer) | 0 | [0, 65535] | The number of the port to use for the RTP service |
sessionReconnect (boolean) | false | true, false | When enabled specifies that the system persists a resumed control connection to the correct server. Typical clients do not support this behavior. |
unicastRedirect (boolean) | false | true, false | When enabled specifies that the client can select the destination port for the streamed data. The destination address for the data is the source of the request. |
Secret¶
A value: (a) in a cryptogram in this object; (b) in a cryptogram elsewhere in this declaration; or (c) available from a URL
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | true, false | If true, other declaration objects may reuse this value | |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the protected property empty or not modify the default value. The protected property is a marker: changing this value from the default indicates that your secrets have been encrypted with SecureVault. For example, the default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see 'protected'='eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0', 'ciphertext' contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (the encoded default is 'protected'='eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0', used with the secret simply base64url-encoded into 'ciphertext'). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
Secret_Resource_URL¶
Describes the URL to remote resource and optional parameters
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
skipCertificateCheck (boolean) | false | true, false | Skip verification of SSL certificates (default false) |
url (string) | format: uri | URL from which to retrieve value |
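Property_Passphrase, Rewrite_Profile_javaSignKeyPassphrase and Secret share the mini-JWE layout described above, and Secret_Resource_URL carries skipCertificateCheck. The following added example (not part of the F5 documentation or the AS3 code base) audits a declaration before deployment for secrets whose protected header says enc=none, meaning ciphertext is only base64url-encoded, and for URL fetches with certificate verification turned off. The sample declaration, its tenant and object names, the URL, the finding codes and the function names are constructed for illustration.

```python
import base64
import binascii
import json

# Default marker from the schema table: base64url of {"alg":"dir","enc":"none"}
DEFAULT_PROTECTED = "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
# Marker the table gives for a SecureVault cryptogram: {"alg":"dir","enc":"f5sv"}
SECUREVAULT_PROTECTED = "eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0"


def b64url_decode(text):
    """Decode unpadded base64url, as used for 'protected' and 'ciphertext'."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_protected(protected):
    """Return the JOSE header as a dict; empty or missing means the default."""
    return json.loads(b64url_decode(protected or DEFAULT_PROTECTED))


def check_secret(secret, path):
    """Classify one mini-JWE object by its protected header."""
    try:
        header = decode_protected(secret.get("protected"))
    except (ValueError, TypeError, binascii.Error):
        return [(path, "BAD_PROTECTED_HEADER")]
    if not isinstance(header, dict) or header.get("alg") != "dir":
        return [(path, "BAD_PROTECTED_HEADER")]
    enc = header.get("enc", "none")  # the table states default enc=none
    if enc == "f5sv":
        return []  # ciphertext is a SecureVault cryptogram
    if enc == "none":
        # Anyone who can read the declaration can decode this value.
        return [(path, "ENCODED_ONLY")]
    return [(path, "UNKNOWN_ENC")]


def audit(node, path=""):
    """Walk a declaration and return (json-pointer-style path, finding code) pairs."""
    findings = []
    if isinstance(node, dict):
        if node.get("skipCertificateCheck") is True:
            findings.append((path, "TLS_VERIFY_DISABLED"))
        # Assumption: objects with miniJWE set to false are not mini-JWEs
        # and are left to other checks.
        if "ciphertext" in node and node.get("miniJWE", True):
            findings.extend(check_secret(node, path))
        for key, value in node.items():
            findings.extend(audit(value, f"{path}/{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            findings.extend(audit(value, f"{path}/{index}"))
    return findings


# Constructed sample declaration; none of these values come from a real system.
SAMPLE = {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "Tenant1": {
        "class": "Tenant",
        "App1": {
            "class": "Application",
            "rewriteA": {
                "class": "Rewrite_Profile",
                "javaSignKeyPassphrase": {
                    "ciphertext": b64url_encode(b"constructed-passphrase"),
                    "protected": DEFAULT_PROTECTED,
                },
            },
            "rewriteB": {
                "class": "Rewrite_Profile",
                "javaSignKeyPassphrase": {
                    # Opaque placeholder standing in for a SecureVault cryptogram
                    "ciphertext": b64url_encode(b"placeholder-cryptogram"),
                    "protected": SECUREVAULT_PROTECTED,
                },
            },
            "rewriteC": {
                "class": "Rewrite_Profile",
                "javaSignKeyPassphrase": {
                    "url": {
                        "url": "https://secrets.example.com/java-sign-key",
                        "skipCertificateCheck": True,
                    }
                },
            },
        },
    },
}

if __name__ == "__main__":
    for location, code in audit(SAMPLE):
        print(f"{code:22} {location}")
```

The audit reports locations and finding codes only; it never prints the decoded secret.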
Security_Log_Profile¶
Configures a Security log profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
application (Security_Log_Profile_Application) | |||
botDefense (Security_Log_Profile_Bot_Defense) | |||
class (string) | “Security_Log_Profile” | ||
classification (Security_Log_Profile_Classification) | |||
dosApplication (Security_Log_Profile_Dos_Application) | |||
dosNetwork (Security_Log_Profile_Dos_Network) | |||
ipIntelligence (Security_Log_Profile_Ip_Intelligence) | |||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
nat (Security_Log_Profile_Nat) | |||
network (Security_Log_Profile_Network) | |||
protocolDns (Security_Log_Profile_Protocol_Dns) | |||
protocolDnsDos (Security_Log_Profile_Protocol_Dns_Dos) | |||
protocolInspection (Security_Log_Profile_Protocol_Inspection) | |||
protocolSip (Security_Log_Profile_Protocol_Sip) | |||
protocolSipDos (Security_Log_Profile_Protocol_Sip_Dos) | |||
protocolTransfer (Security_Log_Profile_Protocol_Transfer) | |||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
sshProxy (Security_Log_Profile_Ssh_Proxy) |
Security_Log_Profile_Application¶
When enabled, specifies the system logs events from applications.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
facility (string) | “local0” | “local0”, “local1”, “local2”, “local3”, “local4”, “local5”, “local6”, “local7” | Specifies the facility category of the logged traffic |
guaranteeLoggingEnabled (boolean) | false | true, false | Indicates whether to guarantee local logging |
guaranteeResponseLoggingEnabled (boolean) | false | true, false | Indicates whether to guarantee local response logging. guaranteeLoggingEnabled must be true and responseLogging must be illegal or all |
localStorage (boolean) | true | true, false | Enables or disables local storage |
maxEntryLength (string) | “2k” | “1k”, “2k”, “10k”, “64k” | Specifies the maximum entry length |
maxHeaderSize (integer) | [1, 2048] | Specifies the maximum headers size | |
maxQuerySize (integer) | [1, 2048] | Specifies the maximum query string size | |
maxRequestSize (integer) | [1, 2048] | Specifies the maximum request size | |
protocol (string) | “tcp” | “udp”, “tcp”, “tcp-rfc3195” | Specifies the protocol supported by the remote server |
remoteStorage (string) | “remote”, “splunk”, “arcsight”, “bigiq” | Specifies a remote storage type | |
reportAnomaliesEnabled (boolean) | false | true, false | Indicates whether to report detected anomalies |
responseLogging (string) | “none” | “none”, “illegal”, “all” | Specifies a response logging type |
servers (array<Security_Log_Profile_Application_servers>) | Adds, deletes, or replaces a set of remote servers | ||
storageFilter (Security_Log_Profile_Application_storageFilter) | {} | Adds, deletes, or replaces a set of request filters | |
storageFormat (string | Security_Log_Profile_Application_storageFormat) | Specifies a storage format |
Security_Log_Profile_Application_servers¶
Security_Log_Profile_Application servers possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | The IP address | ||
port (string) | The service port |
Security_Log_Profile_Application_storageFilter¶
Security_Log_Profile_Application storageFilter possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
httpMethods (array<string>) | “ACL”, “BDELETE”, “BMOVE”, “BPROPFIND”, “BPROPPATCH”, “CHECKIN”, “CHECKOUT”, “CONNECT”, “COPY”, “DELETE”, “GET”, “HEAD”, “LINK”, “LOCK”, “MERGE”, “MKCOL”, “MKWORKSPACE”, “MOVE”, “NOTIFY”, “OPTIONS”, “PATCH”, “POLL”, “POST”, “PROPFIND”, “PROPPATCH”, “PUT”, “REPORT”, “RPC_IN_DATA”, “RPC_OUT_DATA”, “SEARCH”, “SUBSCRIBE”, “TRACE”, “TRACK”, “UNLINK”, “UNLOCK”, “UNSUBSCRIBE”, “VERSION_CONTROL”, “X-MS-ENUMATTS” | Specifies whether request logging is dependent on the HTTP methods | |
logicalOperation (string) | “or” | “and”, “or” | Specifies the logical operation on associated filters |
loginResults (array<string>) | “login-result-successful”, “login-result-failed”, “login-result-unknown” | Specifies whether the request logging is dependent on the login results | |
protocols (array<string>) | “http”, “https”, “ws”, “wss” | Specifies if request logging is dependent on the protocols | |
requestContains (object) | Specifies whether the request logging is dependent on a specific string and where to look for that string | ||
requestType (string) | “illegal” | “all”, “illegal”, “illegal-including-staged-signatures” | Specifies which kind of requests the system or server will log |
responseCodes (array<string>) | “100”, “101”, “102”, “200”, “201”, “202”, “203”, “204”, “205”, “206”, “207”, “300”, “301”, “302”, “303”, “304”, “305”, “306”, “307”, “400”, “401”, “402”, “403”, “404”, “405”, “406”, “407”, “408”, “409”, “410”, “411”, “412”, “413”, “414”, “415”, “416”, “417”, “422”, “423”, “424”, “500”, “501”, “502”, “503”, “504”, “505”, “507”, “510” | Specifies whether request logging is dependent on the response status codes |
Security_Log_Profile_Application_storageFormat¶
Security_Log_Profile_Application storageFormat possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
delimiter (string) | “,” | Specifies a delimiter when predefined storage format | |
fields (array<string>) | “attack_type”, “avr_id”, “blocking_exception_reason”, “captcha_result”, “client_type”, “date_time”, “dest_ip”, “dest_port”, “device_id”, “fragment”, “geo_location”, “headers”, “http_class_name”, “ip_address_intelligence”, “ip_client”, “ip_with_route_domain”, “is_truncated”, “logic_result”, “management_ip_address”, “management_ip_address_2”, “method”, “mobile_application_name”, “mobile_application_version”, “password”, “policy_apply_date”, “policy_name”, “protocol”, “query_string”, “request”, “request_status”, “response”, “response_code”, “route_domain”, “salt”, “session_id”, “severity”, “sig_ids”, “sig_names”, “sig_set_names”, “slot_number”, “src_port”, “staged_sig_names”, “staged_sig_set_names”, “staged_threat_campaign_names”, “sub_violations”, “support_id”, “threat_campaign_names”, “unit_hostname”, “uri”, “username”, “violation_details”, “violation_rating”, “violations”, “virus_name”, “websocket_direction”, “websocket_message_type”, “x_forwarded_for_header_value” | Replaces a set of fields when predefined storage format. Order is important - the server will display the selected items in the log sequentially according to this |
Security_Log_Profile_Bot_Defense¶
Specifies, when enabled, the system logs events from the Proactive Bot Defense mechanism.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
localPublisher (Pointer_Log_Publisher) | Specifies, when enabled, a Log Publisher to log events to (Note: This publisher should have a single local-database destination) | ||
logAlarm (boolean) | false | true, false | This option enables or disables the logging of requests with alarm mitigation. This property is available on BIGIP 14.1 and above. |
logBlock (boolean) | false | true, false | This option enables or disables the logging of requests with block mitigation. This property is available on BIGIP 14.1 and above. |
logBotSignatureMatchedRequests (boolean) | false | true, false | This option enables or disables the logging of reported bot signature requests |
logBrowser (boolean) | false | true, false | This option enables or disables the logging of requests with browser classification. This property is available on BIGIP 14.1 and above. |
logBrowserVerificationAction (boolean) | false | true, false | This option enables or disables the logging of requests by browser verification action. This property is available on BIGIP 14.1 and above. |
logCaptcha (boolean) | false | true, false | This option enables or disables the logging of requests with captcha mitigation. This property is available on BIGIP 14.1 and above. |
logCaptchaChallengedRequests (boolean) | false | true, false | This option enables or disables the logging of captcha challenged requests |
logChallengedRequests (boolean) | false | true, false | This option enables or disables the logging of challenged requests |
logChallengeFailureRequest (boolean) | false | true, false | This option enables or disables the logging of requests by challenge failure. This property is available on BIGIP 15.0 and above. |
logDeviceIdCollectionRequest (boolean) | false | true, false | This option enables or disables the logging of requests by device ID collection. This property is available on BIGIP 14.1 and above. |
logHoneyPotPage (boolean) | false | true, false | This option enables or disables the logging of requests with honey pot page mitigation. This property is available on BIGIP 15.0 and above. |
logIllegalRequests (boolean) | true | true, false | This option enables or disables the logging of illegal requests |
logLegalRequests (boolean) | false | true, false | This option enables or disables the logging of legal requests |
logMaliciousBot (boolean) | false | true, false | This option enables or disables the logging of requests with malicious bot classification. This property is available on BIGIP 14.1 and above. |
logMobileApplication (boolean) | false | true, false | This option enables or disables the logging of requests with mobile application classification. This property is available on BIGIP 14.1 and above. |
logNone (boolean) | false | true, false | This option enables or disables the logging of requests with no mitigation. This property is available on BIGIP 14.1 and above. |
logRateLimit (boolean) | false | true, false | This option enables or disables the logging of requests with rate limit mitigation. This property is available on BIGIP 14.1 and above. |
logRedirectToPool (boolean) | false | true, false | This option enables or disables the logging of requests with redirect to pool mitigation. This property is available on BIGIP 15.0 and above. |
logSuspiciousBrowser (boolean) | false | true, false | This option enables or disables the logging of requests with suspicious browser classification. This property is available on BIGIP 14.1 and above. |
logTcpReset (boolean) | false | true, false | This option enables or disables the logging of requests with TCP reset mitigation. This property is available on BIGIP 14.1 and above. |
logTrustedBot (boolean) | false | true, false | This option enables or disables the logging of requests with trusted bot classification. This property is available on BIGIP 14.1 and above. |
logUnknown (boolean) | true | true, false | This option enables or disables the logging of requests with unknown classification. This property is available on BIGIP 14.1 and above. |
logUntrustedBot (boolean) | false | true, false | This option enables or disables the logging of requests with untrusted bot classification. This property is available on BIGIP 14.1 and above. |
remotePublisher (Pointer_Log_Publisher) | Enables selecting a Log Publisher that has Splunk enabled |
Security_Log_Profile_Classification¶
Specifies, when enabled, that the system logs events from the Classification engine.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
logAllMatches (boolean) | false | true, false | This option enables or disables the logging of all matches |
publisher (Security_Log_Profile_Classification_publisher) | Specifies where the system sends log messages |
Security_Log_Profile_Classification_publisher¶
Security_Log_Profile_Classification publisher possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP log publisher | |
use (string) | BIG-IP AS3 pointer to log publisher declaration |
Security_Log_Profile_Dos_Application¶
Specifies, when enabled, that the system logs detected application DoS attacks
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
localPublisher (Security_Log_Profile_Dos_Application_localPublisher) | Specifies the local log publisher used for Application DoS attacks (Note: This publisher should have a single local-database destination) | ||
remotePublisher (Security_Log_Profile_Dos_Application_remotePublisher) | Specifies the remote log publisher used for Application DoS attacks (Note: This publisher should have ArcSight or Splunk destinations) |
Security_Log_Profile_Dos_Application_localPublisher¶
Security_Log_Profile_Dos_Application localPublisher possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP log publisher | |
use (string) | BIG-IP AS3 pointer to log publisher declaration |
Security_Log_Profile_Dos_Application_remotePublisher¶
Security_Log_Profile_Dos_Application remotePublisher possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP log publisher | |
use (string) | BIG-IP AS3 pointer to log publisher declaration |
Security_Log_Profile_Dos_Network¶
Specifies, when enabled, that the system logs detected network DoS attacks
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
publisher (Security_Log_Profile_Dos_Network_publisher) | Specifies the name of the log publisher used for logging Network DoS events |
Security_Log_Profile_Dos_Network_publisher¶
Security_Log_Profile_Dos_Network publisher possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP log publisher | |
use (string) | BIG-IP AS3 pointer to log publisher declaration |
Security_Log_Profile_Ip_Intelligence¶
Specifies, when enabled, that the system logs IP Intelligence events
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
logTranslationFields (boolean) | false | true, false | Specifies, when enabled, that the system logs translation values if and when it logs a network firewall event |
publisher (Security_Log_Profile_Ip_Intelligence_publisher) | Specifies the name of the log publisher used for logging IP Intelligence events | ||
rateLimitAggregate (integer) | 4294967295 | [-infinity, infinity] | Defines a rate limit for all combined IP intelligence log messages per second |
Security_Log_Profile_Ip_Intelligence_publisher¶
Security_Log_Profile_Ip_Intelligence publisher possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP log publisher | |
use (string) | BIG-IP AS3 pointer to log publisher declaration |
Security_Log_Profile_Nat¶
Specifies, when enabled, that the system logs Firewall NAT events
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
formatEndInboundSession (Security_Log_Profile_Nat_Storage_Format) | |||
formatEndOutboundSession (Security_Log_Profile_Nat_Storage_Format) | |||
formatErrors (Security_Log_Profile_Nat_Storage_Format) | |||
formatQuotaExceeded (Security_Log_Profile_Nat_Storage_Format) | |||
formatStartInboundSession (Security_Log_Profile_Nat_Storage_Format) | |||
formatStartOutboundSession (Security_Log_Profile_Nat_Storage_Format) | |||
logEndInboundSession (boolean) | false | true, false | Generates event log entries at the end of the incoming connection event for a translated endpoint. Triggered when the system frees the inbound session. |
logEndOutboundSession (boolean) | false | true, false | Generates event log entries at end of translation event for a NAT client. Triggered when the system frees the outbound session. |
logEndOutboundSessionDestination (boolean) | false | true, false | Include destination address and port with log entry for the end of the translation event for a NAT client. This is applicable only if lsn-legacy-mode is enabled |
logErrors (boolean) | false | true, false | Generates event log entries when NAT translation errors occur |
logQuotaExceeded (boolean) | false | true, false | Generates event log entries when a NAT client exceeds allocated resources |
logStartInboundSession (boolean) | false | true, false | Generates event log entries at the start of the incoming connection event for a translated endpoint. Triggered when the system creates the inbound session. |
logStartOutboundSession (boolean) | false | true, false | Generates event log entries at start of the translation event for a NAT client. Triggered when the system creates the outbound session. |
logStartOutboundSessionDestination (boolean) | false | true, false | Include destination address and port with log entry for the start of the translation event for a NAT client. This is applicable only if lsn-legacy-mode is enabled |
logSubscriberId (boolean) | false | true, false | Logs the subscriber ID associated with a subscriber IP address |
lsnLegacyMode (boolean) | false | true, false | This option specifies whether translation events (and other NAT events) are logged in existing CGNAT/LSN formats (for backward compatibility with LSN events). |
publisher (Security_Log_Profile_Nat_publisher) | Specifies the name of the log publisher used for logging Network Address Translation events | ||
rateLimitAggregate (integer) | 4294967295 | [-infinity, infinity] | This option sets the aggregate rate for all the Firewall NAT log events that the system can log per second |
rateLimitEndInboundSession (integer) | 4294967295 | [-infinity, infinity] | This option rate limits the end inbound session log events per second |
rateLimitEndOutboundSession (integer) | 4294967295 | [-infinity, infinity] | This option rate limits the end outbound session log events per second |
rateLimitErrors (integer) | 4294967295 | [-infinity, infinity] | This option rate limits the errors the system logs per second |
rateLimitQuotaExceeded (integer) | 4294967295 | [-infinity, infinity] | This option rate limits the quota exceeded log events per second |
rateLimitStartInboundSession (integer) | 4294967295 | [-infinity, infinity] | This option rate limits the start inbound session log events per second |
rateLimitStartOutboundSession (integer) | 4294967295 | [-infinity, infinity] | This option rate limits the start outbound session log events per second |
Security_Log_Profile_Nat_publisher¶
Security_Log_Profile_Nat publisher possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP log publisher | |
use (string) | BIG-IP AS3 pointer to log publisher declaration |
Security_Log_Profile_Nat_Storage_Format¶
Specifies the format type for log messages
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
delimiter (string) | “.” | Specifies a field delimiter in the predefined storage format | |
fields (array<string>) | “context-name”, “duration”, “route-domain”, “sub-id”, “translated-dest-port”, “translated-src-port”, “dest-ip”, “event-name”, “src-ip”, “timestamp”, “translated-route-domain”, “dest-port”, “protocol”, “src-port”, “translated-dest-ip”, “translated-src-ip” | Replaces a set of fields in the predefined storage format |
Security_Log_Profile_Network¶
Specifies, when enabled, that the system logs ACL rule matches, TCP events, and/or TCP/IP errors sent to the network firewall
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
alwaysLogRegion (boolean) | false | true, false | Specifies, when enabled, that when a geolocation event causes a network firewall event, the system logs the associated IP address |
logIpErrors (boolean) | false | true, false | Specifies, when enabled, that the system logs IP error packets |
logRuleMatchAccepts (boolean) | false | true, false | Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Accept |
logRuleMatchDrops (boolean) | false | true, false | Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Drop |
logRuleMatchRejects (boolean) | false | true, false | Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Reject |
logTcpErrors (boolean) | false | true, false | Specifies, when enabled, that the system logs TCP error packets |
logTcpEvents (boolean) | false | true, false | Specifies, when enabled, that the system logs TCP events (open and close of TCP sessions) |
logTranslationFields (boolean) | false | true, false | Specifies, when enabled, that the system logs translation values if and when it logs a network firewall event |
publisher (Security_Log_Profile_Network_publisher) | Specifies the name of the log publisher used for logging Network events | ||
rateLimitAggregate (integer) | 4294967295 | [-infinity, infinity] | This option sets the aggregate rate limit that applies to any network logging message |
rateLimitIpErrors (integer) | 4294967295 | [-infinity, infinity] | This option enables or disables the logging of IP error packets |
rateLimitRuleMatchAccepts (integer) | 4294967295 | [-infinity, infinity] | This option sets rate limits for the logging of packets that match ACL rules configured with action = Accept or action = Accept Decisively |
rateLimitRuleMatchDrops (integer) | 4294967295 | [-infinity, infinity] | This option sets rate limits for the logging of packets that match ACL rules configured with action = Accept or action = Accept Decisively |
rateLimitRuleMatchRejects (integer) | 4294967295 | [-infinity, infinity] | This option sets rate limits for the logging of packets that match ACL rules configured with action = Reject |
rateLimitTcpErrors (integer) | 4294967295 | [-infinity, infinity] | This option sets rate limits for the logging of TCP error packets |
rateLimitTcpEvents (integer) | 4294967295 | [-infinity, infinity] | This option sets rate limits for the logging of TCP events on client side |
storageFormat (string | Security_Log_Profile_Network_storageFormat) | Specifies the format type for log messages. If it is a string it is user-defined |
Security_Log_Profile_Network_publisher¶
Security_Log_Profile_Network publisher possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP log publisher | |
use (string) | BIG-IP AS3 pointer to log publisher declaration |
Security_Log_Profile_Network_storageFormat¶
Security_Log_Profile_Network storageFormat possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
delimiter (string) | “.” | Specifies a field delimiter in the predefined storage format | |
fields (array<string>) | “acl-policy-name”, “acl-policy-type”, “acl-rule-name”, “action”, “bigip-hostname”, “context-name”, “context-type”, “date-time”, “dest-ip”, “dest-port”, “drop-reason”, “management-ip-address”, “protocol”, “route-domain”, “sa-translation-pool”, “sa-translation-type”, “src-ip”, “src-port”, “translated-dest-ip”, “translated-dest-port”, “translated-ip-protocol”, “translated-route-domain”, “translated-src-ip”, “translated-src-port”, “translated-vlan”, “vlan” | Replaces a set of fields in the predefined storage format |
Security_Log_Profile_Protocol_Dns¶
Specifies, when enabled, that the system logs DNS security events
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
logDroppedRequests (boolean) | false | true, false | Specifies, when enabled, that the system logs dropped DNS requests |
logFilteredDroppedRequests (boolean) | false | true, false | Specifies, when enabled, that the system logs DNS requests dropped due to DNS query/header-opcode filtering. The system does not log DNS requests dropped due to errors in the way the system processes DNS packets. |
logMalformedRequests (boolean) | false | true, false | Specifies, when enabled, that the system logs malformed DNS requests |
logMaliciousRequests (boolean) | false | true, false | Specifies, when enabled, that the system logs malicious DNS requests |
logRejectedRequests (boolean) | false | true, false | Specifies, when enabled, that the system logs rejected DNS requests |
publisher (Security_Log_Profile_Protocol_Dns_publisher) | Specifies the name of the log publisher used for logging DNS security events | ||
storageFormat (string | Security_Log_Profile_Protocol_Dns_storageFormat) | Specifies the format type for log messages |
Security_Log_Profile_Protocol_Dns_publisher¶
Security_Log_Profile_Protocol_Dns publisher possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP log publisher | |
use (string) | BIG-IP AS3 pointer to log publisher declaration |
Security_Log_Profile_Protocol_Dns_storageFormat¶
Security_Log_Profile_Protocol_Dns storageFormat possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
delimiter (string) | “.” | Specifies a field delimiter in the predefined storage format | |
fields (array<string>) | “action”, “attack-type”, “context-name”, “date-time”, “dest-ip”, “dest-port”, “dns-query-name”, “dns-query-type”, “src-ip”, “src-port”, “vlan”, “route-domain” | Replaces a set of fields in the predefined storage format |
Security_Log_Profile_Protocol_Dns_Dos¶
Specifies, when enabled, that the system logs detected DNS DoS attacks
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
publisher (Security_Log_Profile_Protocol_Dns_Dos_publisher) | Specifies the name of the log publisher used for logging DNS DoS events |
Security_Log_Profile_Protocol_Dns_Dos_publisher¶
Security_Log_Profile_Protocol_Dns_Dos publisher possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP log publisher | |
use (string) | BIG-IP AS3 pointer to log publisher declaration |
Security_Log_Profile_Protocol_Inspection¶
Specifies, when enabled, that the system logs events from the Protocol Inspection engine
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
logPacketPayloadEnabled (boolean) | false | true, false | Enable logging of the packet payload for Protocol Inspection events |
publisher (Pointer_Log_Publisher) |
Security_Log_Profile_Protocol_Sip¶
Specifies, when enabled, that the system logs SIP protocol security events
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
logDroppedRequests (boolean) | false | true, false | Specifies, when enabled, that the system logs dropped requests |
logGlobalFailures (boolean) | false | true, false | Specifies, when enabled, that the system logs global failures |
logMalformedRequests (boolean) | false | true, false | Specifies, when enabled, that the system logs malformed requests |
logRedirectedResponses (boolean) | false | true, false | Specifies, when enabled, that the system logs redirection responses |
logRequestFailures (boolean) | false | true, false | Specifies, when enabled, that the system logs request failures |
logServerErrors (boolean) | false | true, false | Specifies, when enabled, that the system logs server errors |
publisher (Security_Log_Profile_Protocol_Sip_publisher) | Specifies the name of the log publisher used for logging SIP protocol security events | ||
storageFormat (string | Security_Log_Profile_Protocol_Sip_storageFormat) | Specifies the format type for log messages |
Security_Log_Profile_Protocol_Sip_publisher¶
Security_Log_Profile_Protocol_Sip publisher possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP log publisher | |
use (string) | BIG-IP AS3 pointer to log publisher declaration |
Security_Log_Profile_Protocol_Sip_storageFormat¶
Security_Log_Profile_Protocol_Sip storageFormat possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
delimiter (string) | “.” | Specifies a field delimiter in the predefined storage format | |
fields (array<string>) | “action”, “context-name”, “date-time”, “dest-ip”, “dest-port”, “sip-method-type”, “sip-caller”, “sip-callee”, “src-ip”, “src-port”, “vlan”, “route-domain” | Replaces a set of fields in the predefined storage format |
Security_Log_Profile_Protocol_Sip_Dos¶
Specifies, when enabled, that the system logs detected SIP DoS attacks
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
publisher (Security_Log_Profile_Protocol_Sip_Dos_publisher) | Specifies the name of the log publisher used for logging SIP DoS events |
Security_Log_Profile_Protocol_Sip_Dos_publisher¶
Security_Log_Profile_Protocol_Sip_Dos publisher possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP log publisher | |
use (string) | BIG-IP AS3 pointer to log publisher declaration |
Security_Log_Profile_Protocol_Transfer¶
Specifies, when enabled, that the system logs HTTP, FTP, and SMTP protocol security events
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
publisher (Security_Log_Profile_Protocol_Transfer_publisher) | Specifies where the system sends log messages |
Security_Log_Profile_Protocol_Transfer_publisher¶
Security_Log_Profile_Protocol_Transfer publisher possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP log publisher | |
use (string) | BIG-IP AS3 pointer to log publisher declaration |
Security_Log_Profile_Ssh_Proxy¶
Specifies, when enabled, that the system logs SSH Proxy events
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
logAllowedChannelAction (boolean) | false | true, false | Specifies, when enabled, that the system logs allowed channel actions |
logClientAuthFail (boolean) | false | true, false | Specifies the name of the log publisher used for logging SSH Proxy events |
logClientAuthPartial (boolean) | false | true, false | Specifies, when enabled, that the system logs client auth partial events |
logClientAuthSuccess (boolean) | false | true, false | Specifies, when enabled, that the system logs client auth success events |
logDisallowedChannelAction (boolean) | false | true, false | Specifies, when enabled, that the system logs disallowed channel actions |
logNonSshTraffic (boolean) | false | true, false | Specifies, when enabled, that the system logs non-SSH traffic events |
logServerAuthFail (boolean) | false | true, false | Specifies, when enabled, that the system logs server auth failure events |
logServerAuthPartial (boolean) | false | true, false | Specifies, when enabled, that the system logs server auth partial events |
logServerAuthSuccess (boolean) | false | true, false | Specifies, when enabled, that the system logs server auth failure events |
logSshTimeout (boolean) | false | true, false | Specifies, when enabled, that the system logs SSH timeouts |
publisher (Security_Log_Profile_Ssh_Proxy_publisher) | Specifies the name of the log publisher used for logging SSH Proxy events |
Security_Log_Profile_Ssh_Proxy_publisher¶
Security_Log_Profile_Ssh_Proxy publisher possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP log publisher | |
use (string) | BIG-IP AS3 pointer to log publisher declaration |
Sender_Tag_Mapping¶
Establishes a mapping between a sender value and data group containing tag substitution values
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
senderId (string) | Specifies sender ID value | ||
tagDataGroup (Sender_Tag_Mapping_tagDataGroup) | -, - | Specifies tag substitution data group |
Sender_Tag_Mapping_tagDataGroup¶
Sender_Tag_Mapping tagDataGroup possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP data group | |
isExternal (reference) | |||
use (string) | BIG-IP AS3 pointer to data group if any (declared separately) |
Service_Address¶
Service IP address definition (BIG-IP virtual-address). NOTE: When BIG-IP AS3 creates a Service_Address, it is placed in /tenant/serviceAddress (and not /tenant/app/serviceAddress) on the BIG-IP system.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
arpEnabled (boolean) | true | true, false | If true (default), the system services ARP requests on this address |
autoDelete (boolean) | true | true, false | If this is true, MCPD deletes the virtual address if it is not linked to any virtual. This option applies only to the Common Tenant. |
class (string) | “Service_Address” | ||
icmpEcho (string) | “enable” | “enable”, “disable”, “selective” | If true (default), the system answers ICMP echo requests on this address |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
routeAdvertisement (string) | “disable” | “enable”, “disable”, “selective”, “always”, “any”, “all” | If true, the route is advertised |
serverScope (string) | “any” | “any”, “all”, “none” | Specifies when the virtual address is considered available. When a virtual address is available and Route Advertisement is enabled or selective, the BIG-IP system advertises the route for the virtual address. The default value is ‘any’. ‘any’ When any virtual server is available: Advertises the route when any virtual server is available. ‘all’ When all virtual servers are available: Advertises the route when all virtual servers are available. ‘none’ Always advertises the route regardless of the virtual servers available. |
spanningEnabled (boolean) | false | true, false | Enable all BIG-IP systems in device group to listen for and process traffic on the same virtual address |
trafficGroup (string) | “default” | Specifies the traffic group to which the Service_Address belongs. | |
virtualAddress (string) | format: f5ip | The virtual IP address. Defaults to mask /32. |
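The label and remark rows above differ in what they exclude: label rejects `<`, `>` and `&`, while remark does not, which is why the remark description warns about XSS. The following is an added example, not part of the AS3 documentation; it uses the two patterns from the table with their hex escapes written with backslashes, and the function names and sample objects are constructed here. It walks a parsed declaration, reports values the schema would reject, and flags remark values that are schema-valid but must be HTML-escaped before display.

```javascript
// Patterns from the label and remark rows, hex escapes written with backslashes.
const LABEL_RE = /^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$/;
const REMARK_RE = /^[^\x00-\x1f\x22\x5c\x7f]*$/;
const MAX_LEN = 64; // both descriptions say "Allows 0-64 chars"

const EXCLUDED = 'contains a character the schema excludes';
const TOO_LONG = 'longer than 64 chars';
const NEEDS_ESCAPE = 'schema-valid but HTML-significant; escape before rendering';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', "'": '&#39;', '"': '&quot;' };

// Escape a remark (or any other text) for insertion into HTML element content.
function escapeHtml(text) {
  return String(text).replace(/[&<>'"]/g, (ch) => HTML_ESCAPES[ch]);
}

// Return the list of problems for one label or remark value.
function checkField(property, value) {
  const problems = [];
  if (value.length > MAX_LEN) problems.push(TOO_LONG);
  const pattern = property === 'label' ? LABEL_RE : REMARK_RE;
  if (!pattern.test(value)) {
    problems.push(EXCLUDED);
  } else if (property === 'remark' && /[&<>']/.test(value)) {
    // remark allows markup characters that label forbids.
    problems.push(NEEDS_ESCAPE);
  }
  return problems;
}

// Walk any parsed JSON value and collect findings for every label/remark string.
function auditDeclaration(node, path = '') {
  const findings = [];
  if (node === null || typeof node !== 'object') return findings;
  for (const [key, value] of Object.entries(node)) {
    const here = `${path}/${key}`;
    if ((key === 'label' || key === 'remark') && typeof value === 'string') {
      for (const problem of checkField(key, value)) {
        findings.push({ path: here, problem });
      }
    } else {
      findings.push(...auditDeclaration(value, here));
    }
  }
  return findings;
}

// Constructed sample: three Service_Address objects with documentation addresses.
const sample = {
  vipA: { class: 'Service_Address', virtualAddress: '192.0.2.10',
          label: 'front door', remark: 'owner: netops' },
  vipB: { class: 'Service_Address', virtualAddress: '192.0.2.11',
          label: 'web<1>', remark: '<b>netops</b> & sec' },
  vipC: { class: 'Service_Address', virtualAddress: '192.0.2.12',
          remark: 'path C:\\temp' },
};

for (const f of auditDeclaration(sample)) {
  console.log(`${f.path}: ${f.problem}`);
}
```

Any tool that displays remark text in a web page should pass it through an escaper such as `escapeHtml` rather than rely on the schema pattern.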
Service_Discovery_AWS¶
Service Discovery properties for Amazon Web Services (AWS)
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
accessKeyId (string) | Information for discovering AWS nodes that are not in the same region as your BIG-IP (also requires the secretAccessKey field) | ||
addressRealm (string) | “private” | “public”, “private” | Specifies whether to look for public or private IP addresses |
credentialUpdate (boolean) | false | true, false | Specifies whether you are updating your credentials |
externalId (string) | External Id | ||
minimumMonitors (integer) | 1 | [-infinity, infinity] | |
region (string) | “” | Empty string (default) means region in which ADC is running | |
roleARN (string) | Assume a role (also requires the externalId field) | ||
secretAccessKey (string | Secret) | Will be stored in the declaration as an encrypted string | ||
tagKey (string) | The tag key associated with the node to add to this pool | ||
tagValue (string) | The tag value associated with the node to add to this pool | ||
undetectableAction (string) | “remove” | “disable”, “remove” | Action to take when node cannot be detected |
Service_Discovery_Azure¶
Service Discovery properties for Azure
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressRealm (string) | “private” | “public”, “private” | Specifies whether to look for public or private IP addresses |
apiAccessKey (string | Secret) | Azure registered application API access key (AKA service principal secret). Will be stored in the declaration in an encrypted format. | ||
applicationId (string) | Azure registered application ID (AKA client ID) | ||
credentialUpdate (boolean) | false | true, false | Specifies whether you are updating your credentials |
directoryId (string) | Azure Active Directory ID (AKA tenant ID) | ||
environment (string) | “Azure” | Azure environment name. Required if environment should not be determined by instance metadata. | |
minimumMonitors (integer) | 1 | [-infinity, infinity] | |
resourceGroup (string) | Azure Resource Group name | ||
resourceId (string) | ID of resource to find nodes by. | ||
resourceType (string) | “tag”, “scaleSet” | Type of resource identified by resourceId. This can be used in place of tagKey/tagValue. | |
subscriptionId (string) | Azure subscription ID | ||
tagKey (string) | The tag key associated with the node to add to this pool | ||
tagValue (string) | The tag value associated with the node to add to this pool | ||
undetectableAction (string) | “remove” | “disable”, “remove” | Action to take when node cannot be detected |
useManagedIdentity (boolean) | false | true, false | Use Azure managed identity rather than directoryId, applicationId, and apiAccessKey |
Service_Discovery_Consul¶
Service Discovery properties for Consul
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressRealm (string) | “private” | “public”, “private” | Specifies whether to look for public or private IP addresses |
credentialUpdate (boolean) | false | true, false | Specifies whether you are updating your credentials |
encodedToken (string | Secret) | Base 64 encoded bearer token to make requests to the Consul API. Will be stored in the declaration in an encrypted format. | ||
jmesPathQuery (string) | Custom JMESPath Query | ||
minimumMonitors (integer) | 1 | [-infinity, infinity] | |
rejectUnauthorized (boolean) | true | true, false | If true, the server certificate is verified against the list of supplied/default CAs when making requests to the Consul API. |
trustCA (Pointer_CA_Bundle) | CA Bundle to validate server certificates | ||
undetectableAction (string) | “remove” | “disable”, “remove” | Action to take when node cannot be detected |
uri (string) | The location of the node data |
Service_Discovery_GCE¶
Service Discovery properties for Google Compute Engine (GCE)
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressRealm (string) | “private” | “public”, “private” | Specifies whether to look for public or private IP addresses |
credentialUpdate (boolean) | false | true, false | Specifies whether you are updating your credentials |
encodedCredentials (string | Secret) | Base 64 encoded service account credentials JSON | ||
minimumMonitors (integer) | 1 | [-infinity, infinity] | |
projectId (string) | For Google Cloud Engine (GCE) only: The ID of the project in which the members are located | ||
region (string) | Empty string (default) means region in which ADC is running | ||
tagKey (string) | The tag key associated with the node to add to this pool | ||
tagValue (string) | The tag value associated with the node to add to this pool | ||
undetectableAction (string) | “remove” | “disable”, “remove” | Action to take when node cannot be detected |
Service_Forwarding¶
Attributes of a forwarding virtual server. ARP and ICMP Echo will be disabled on virtualAddresses by default.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressStatus (boolean) | true | true, false | Specifies whether the virtual server will contribute to the operational status of the associated virtual address |
adminState (string) | “enable” | “enable”, “disable” | Specifies the state of the Service. When set to disable the Service no longer accepts new connection requests, but will allow current connections to finish processing before going to a down state. |
allowVlans (array<reference>) | Names of existing VLANs to add to this virtual server to allow. | ||
class (string) | “Service_Forwarding” | ||
clonePools (Clone_Pools) | |||
enable (boolean) | true | true, false | Virtual server handles traffic only when enabled (default) |
forwardingType (string) | “ip”, “l2” | Controls whether the forwarding service uses IP or L2 forwarding | |
httpMrfRoutingEnabled (boolean) | false | true, false | Specifies whether to use the HTTP message routing framework (MRF) functionality. This property is available on BIG-IP 14.1 and above. |
include (string | array<string>) | Keyword to allow for inclusion of one part of the declaration into another | ||
ipIntelligencePolicy (reference | Pointer_IP_Intelligence_Policy) | |||
iRules (array<string | Service_Forwarding_iRules>) | -, - | List iRules for this virtual server (order is significant) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
lastHop (string | Service_Forwarding_lastHop) | “default” | “default”, “auto”, “disable”, - | Name of built-in last-hop method or BIG-IP AS3 pointer to last-hop pool (default ‘default’ means use system setting) |
layer4 (string) | “any” | Layer 4 protocol | |
maxConnections (integer) | 0 | [0, infinity] | Specifies the maximum number of concurrent connections you want to allow for the virtual server |
maximumBandwidth (integer | string) | Specifies the maximum bandwidth allowed, in Mbps. | ||
metadata (Metadata) | |||
mirroring (string) | “none” | “none”, “L4” | Controls connection-mirroring for high-availability |
nat64Enabled (boolean) | false | true, false | If true, translate IPv6 traffic into IPv4 (default false) |
policyBandwidthControl (Pointer_Bandwidth_Control_Policy) | BIG-IP AS3 pointer to Bandwidth Control Policy (policy must be static) | ||
policyFirewallEnforced (reference | Pointer_Firewall_Policy) | |||
policyFirewallStaged (reference | Pointer_Firewall_Policy) | |||
policyIdleTimeout (Pointer_Idle_Timeout_Policy) | |||
policyNAT (Service_Forwarding_policyNAT) | BIG-IP AS3 pointer to NAT policy declaration | ||
profileClassification (Pointer_Classification_Profile) | |||
profileEnforcement (Pointer_Enforcement_Profile) | |||
profileIntegratedBotDefense (Pointer_Integrated_Bot_Defense_Profile) | BIG-IP AS3 pointer to an Integrated Bot Defense Profile. These are only supported in tmos version 17.0+. | ||
profileL4 (string | Pointer_L4_Profile) | “basic”, - | L4 profile; name of built-in or else BIG-IP AS3 pointer | |
profileStatistics (Pointer_Statistics_Profile) | |||
profileSubscriberManagement (Pointer_Enforcement_Subscriber_Management_Profile) | |||
rateLimit (integer) | 0 | [0, infinity] | Specifies the maximum number of connections per second allowed for a virtual server |
rejectVlans (array<reference>) | Names of existing VLANs to add to this virtual server to reject. | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
securityLogProfiles (array<Service_Forwarding_securityLogProfiles>) | Specifies the log profile applied to the virtual server | ||
serviceDownImmediateAction (string) | “none” | “none”, “drop”, “reset” | Specifies the immediate action the BIG-IP system should respond with upon the receipt of the initial client’s SYN packet if the availability status of the virtual server is Offline or Unavailable. This is supported for the virtual server of Standard type and TCP protocol. The default value is none. |
shareAddresses (boolean) | false | true, false | A user set boolean that indicates whether the virtualAddresses should be added to or checked for /Common instead of the tenant. This value defaults to false, and so will put the virtualAddresses into their tenant. |
snat (string | Service_Forwarding_snat) | “auto” | “none”, “self”, “auto”, - | Name of built-in SNAT method or BIG-IP AS3 pointer to SNAT pool. If ‘self’, the system uses the virtual-server address as SNAT address |
translateClientPort (boolean | string) | false | true, false | If true, hide client’s port number from server. A value of true is the same as the string ‘change’ while a value of false is the same as the string ‘preserve’. The value ‘preserve-strict’ is the only other allowed value for a string |
translateServerAddress (boolean) | false | true, false | |
translateServerPort (boolean) | false | true, false | |
virtualAddresses (array<string> | Pointer_Address_List | reference) | Accepts either an array or a reference to an Address_List which contains destination addresses to which this virtual will listen. To accept connections only from certain subnet(s), replace IP address in the provided array with array [IP-address, accept-from-subnet]. If you do this, you cannot also include the sourceAddress property. IP address in the provided array can also be replaced by a reference to a Service_Address. A reference to an Address_List is only supported on BIG-IP 14.1 and later. If an Address_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. |
Service_Forwarding_iRules
Service_Forwarding iRules possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP iRule | |
use (string) | BIG-IP AS3 pointer to iRule (declared separately) |
Service_Forwarding_lastHop
Service_Forwarding lastHop possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP pool | |
use (string) | BIG-IP AS3 pointer to last-hop pool declaration |
Service_Forwarding_policyNAT
Service_Forwarding policyNAT possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP NAT policy | |
use (string) | BIG-IP AS3 pointer to NAT policy declaration |
Service_Forwarding_securityLogProfiles
Service_Forwarding securityLogProfiles possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP security log profile | |
use (string) | BIG-IP AS3 pointer to security log profile declaration |
Service_Forwarding_snat
Service_Forwarding snat possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP SNAT pool | |
use (string) | BIG-IP AS3 pointer to SNAT pool declaration |
Service_Generic
Declares an ‘Any IP’ (IPOther) virtual server
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressStatus (boolean) | true | true, false | Specifies whether the virtual server will contribute to the operational status of the associated virtual address |
adminState (string) | “enable” | “enable”, “disable” | Specifies the state of the Service. When set to disable the Service no longer accepts new connection requests, but will allow current connections to finish processing before going to a down state. |
allowVlans (array<reference>) | Names of existing VLANs to add to this virtual server to allow. | ||
class (string) | “Service_Generic” | ||
clonePools (Clone_Pools) | |||
enable (boolean) | true | true, false | Virtual server handles traffic only when enabled (default) |
fallbackPersistenceMethod (Basic_Persist) | |||
httpMrfRoutingEnabled (boolean) | false | true, false | Specifies whether to use the HTTP message routing framework (MRF) functionality. This property is available on BIG-IP 14.1 and above. |
include (string | array<string>) | Keyword to allow for inclusion of one part of the declaration into another | ||
ipIntelligencePolicy (reference | Pointer_IP_Intelligence_Policy) | |||
iRules (array<string | Service_Generic_iRules>) | -, - | List iRules for this virtual server (order is significant) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
lastHop (string | Service_Generic_lastHop) | “default” | “default”, “auto”, “disable”, - | Name of built-in last-hop method or BIG-IP AS3 pointer to last-hop pool (default ‘default’ means use system setting) |
layer4 (string) | “any” | The L4 protocol type for this virtual server | |
maxConnections (integer) | 0 | [0, infinity] | Specifies the maximum number of concurrent connections you want to allow for the virtual server |
maximumBandwidth (integer | string) | Specifies the maximum bandwidth allowed, in Mbps. | ||
metadata (Metadata) | |||
mirroring (string) | “none” | “none”, “L4” | Controls connection-mirroring for high-availability |
nat64Enabled (boolean) | false | true, false | If true, translate IPv6 traffic into IPv4 (default false) |
persistenceMethods (array<Basic_Persist>) | List of persistence methods (each by name or BIG-IP AS3 pointer). Element 0 is primary (default) persistence method. Use ‘persistenceMethods: []’ for no persistence. | ||
policyBandwidthControl (Pointer_Bandwidth_Control_Policy) | BIG-IP AS3 pointer to Bandwidth Control Policy (policy must be static) | ||
policyFirewallEnforced (reference | Pointer_Firewall_Policy) | |||
policyFirewallStaged (reference | Pointer_Firewall_Policy) | |||
policyIdleTimeout (Pointer_Idle_Timeout_Policy) | |||
policyNAT (Service_Generic_policyNAT) | BIG-IP AS3 pointer to NAT policy declaration | ||
pool (string | Service_Generic_pool) | -, - | BIG-IP AS3 pointer to pool if any (declared separately) | |
profileAnalyticsTcp (Pointer_Analytics_TCP_Profile) | |||
profileClassification (Pointer_Classification_Profile) | |||
profileDiameterEndpoint (Pointer_Enforcement_Diameter_Endpoint_Profile) | |||
profileDNS (Pointer_DNS_Profile) | |||
profileEnforcement (Pointer_Enforcement_Profile) | |||
profileFIX (Pointer_FIX_Profile) | |||
profileIntegratedBotDefense (Pointer_Integrated_Bot_Defense_Profile) | BIG-IP AS3 pointer to an Integrated Bot Defense Profile. These are only supported in TMOS version 17.0+. | ||
profileIPOther (Pointer_IP_Other_Profile) | {"bigip":"/Common/ipother"} | ||
profileL4 (string | Pointer_L4_Profile) | “basic” | “basic”, - | L4 profile; name of built-in or else BIG-IP AS3 pointer |
profileProtocolInspection (reference | Pointer_Protocol_Inspection_Profile) | BIG-IP AS3 pointer to Protocol Inspection Profile declaration | ||
profileRewrite (Pointer_Rewrite_Profile) | |||
profileStatistics (Pointer_Statistics_Profile) | |||
profileSubscriberManagement (Pointer_Enforcement_Subscriber_Management_Profile) | |||
profileTrafficLog (Pointer_Traffic_Log_Profile) | |||
rateLimit (integer) | 0 | [0, infinity] | Specifies the maximum number of connections per second allowed for a virtual server |
rejectVlans (array<reference>) | Names of existing VLANs to add to this virtual server to reject. | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
securityLogProfiles (array<Service_Generic_securityLogProfiles>) | Specifies the log profile applied to the virtual server | ||
serviceDownImmediateAction (string) | “none” | “none”, “drop”, “reset” | Specifies the immediate action the BIG-IP system should respond with upon the receipt of the initial client’s SYN packet if the availability status of the virtual server is Offline or Unavailable. This is supported for the virtual server of Standard type and TCP protocol. The default value is none. |
shareAddresses (boolean) | false | true, false | A user-set boolean that indicates whether the virtualAddresses should be added to, or checked for in, /Common instead of the tenant. The default is false, which places the virtualAddresses in their tenant. |
snat (string | Service_Generic_snat) | “auto” | “none”, “self”, “auto”, - | Name of built-in SNAT method or BIG-IP AS3 pointer to SNAT pool. If ‘self’, the system uses the virtual-server address as SNAT address |
sourceAddress (string | Pointer_Address_List | reference) | Accepts either a string or a reference to an Address_List which contains source addresses from which this virtual will listen. A reference to an Address_List is only supported on BIG-IP 14.1 and later. If an Address_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. If you also include the virtualAddresses property, those addresses cannot include the accept-from-subnet field. | ||
translateClientPort (boolean | string) | false | true, false | If true, hide client’s port number from server. A value of true is the same as the string ‘change’ while a value of false is the same as the string ‘preserve’. The value ‘preserve-strict’ is the only other allowed value for a string |
translateServerAddress (boolean) | true | true, false | If true (default), make server-side connection to server address (otherwise, treat server as gateway to virtual-server address) |
translateServerPort (boolean) | true | true, false | If true (default), make server-side connection to server port (otherwise, connect to server on virtual-server port) |
virtualAddresses (array<string> | Pointer_Address_List | reference) | Accepts either an array or a reference to an Address_List which contains destination addresses to which this virtual will listen. To accept connections only from certain subnet(s), replace IP address in the provided array with array [IP-address, accept-from-subnet]. If you do this, you cannot also include the sourceAddress property. IP address in the provided array can also be replaced by a reference to a Service_Address. A reference to an Address_List is only supported on BIG-IP 14.1 and later. If an Address_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. | ||
virtualPort (integer | Pointer_Port_List | reference) | Accepts either an integer or a reference to a Firewall_Port_List that contains the ports on which to listen. Firewall_Port_List is only supported on BIG-IP 14.1 and later. If a Firewall_Port_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. |
Service_Generic_iRules
Service_Generic iRules possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP iRule | |
use (string) | BIG-IP AS3 pointer to iRule (declared separately) |
Service_Generic_lastHop
Service_Generic lastHop possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP pool | |
use (string) | BIG-IP AS3 pointer to last-hop pool declaration |
Service_Generic_policyNAT
Service_Generic policyNAT possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP NAT policy | |
use (string) | BIG-IP AS3 pointer to NAT policy declaration |
Service_Generic_pool
Service_Generic pool possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP pool | |
use (string) | BIG-IP AS3 pointer to pool if any (declared separately) |
Service_Generic_securityLogProfiles
Service_Generic securityLogProfiles possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP security log profile | |
use (string) | BIG-IP AS3 pointer to security log profile declaration |
Service_Generic_snat
Service_Generic snat possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP SNAT pool | |
use (string) | BIG-IP AS3 pointer to SNAT pool declaration |
Service_HTTP
HTTP virtual server
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressStatus (boolean) | true | true, false | Specifies whether the virtual server will contribute to the operational status of the associated virtual address |
adminState (string) | “enable” | “enable”, “disable” | Specifies the state of the Service. When set to disable the Service no longer accepts new connection requests, but will allow current connections to finish processing before going to a down state. |
allowVlans (array<reference>) | Names of existing VLANs to add to this virtual server to allow. | ||
class (string) | “Service_HTTP” | ||
clientTLS (string) | -, -, - | BIG-IP AS3 pointer to TLS Client declaration | |
clonePools (Clone_Pools) | |||
enable (boolean) | true | true, false | Virtual server handles traffic only when enabled (default) |
fallbackPersistenceMethod (Basic_Persist) | |||
httpMrfRoutingEnabled (boolean) | false | true, false | Specifies whether to use the HTTP message routing framework (MRF) functionality. This property is available on BIG-IP 14.1 and above. |
include (string | array<string>) | Keyword to allow for inclusion of one part of the declaration into another | ||
ipIntelligencePolicy (reference | Pointer_IP_Intelligence_Policy) | |||
iRules (array<string | Service_HTTP_iRules>) | -, - | List iRules for this virtual server (order is significant) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
lastHop (string | Service_HTTP_lastHop) | “default” | “default”, “auto”, “disable”, - | Name of built-in last-hop method or BIG-IP AS3 pointer to last-hop pool (default ‘default’ means use system setting) |
layer4 (string) | “tcp” | “tcp” | For TCP virtual server, Layer 4 protocol must be TCP |
maxConnections (integer) | 0 | [0, infinity] | Specifies the maximum number of concurrent connections you want to allow for the virtual server |
maximumBandwidth (integer | string) | Specifies the maximum bandwidth allowed, in Mbps. | ||
metadata (Metadata) | |||
mirroring (string) | “none” | “none”, “L4” | Controls connection-mirroring for high-availability |
nat64Enabled (boolean) | false | true, false | If true, translate IPv6 traffic into IPv4 (default false) |
persistenceMethods (array<Basic_Persist>) | cookie | Default ‘cookie’ is generally good. Use ‘persistenceMethods: []’ for no persistence. | |
policyBandwidthControl (Pointer_Bandwidth_Control_Policy) | BIG-IP AS3 pointer to Bandwidth Control Policy (policy must be static) | ||
policyEndpoint (array | Pointer_Endpoint_Policy) | -, - | BIG-IP AS3 pointer to Endpoint policy declaration | |
policyFirewallEnforced (reference | Pointer_Firewall_Policy) | |||
policyFirewallStaged (reference | Pointer_Firewall_Policy) | |||
policyIAM (reference | Pointer_Access_Profile) | BIG-IP AS3 pointer to IAM (APM) policy declaration | ||
policyIdleTimeout (Pointer_Idle_Timeout_Policy) | |||
policyNAT (Service_HTTP_policyNAT) | BIG-IP AS3 pointer to NAT policy declaration | ||
policyPerRequestAccess (reference | Pointer_Per_Request_Access_Policy) | |||
policyWAF (Pointer_WAF_Policy) | |||
pool (string | Service_HTTP_pool) | -, - | BIG-IP AS3 pointer to pool if any (declared separately) | |
profileAccess (reference | Pointer_Access_Profile) | |||
profileAnalytics (Pointer_Analytics_Profile) | |||
profileAnalyticsTcp (Pointer_Analytics_TCP_Profile) | |||
profileApiProtection (reference | Pointer_API_Protection_Profile) | API protection profile to attach to service. This property is available on BIG-IP 14.1 and above. | ||
profileBotDefense (Pointer_Bot_Defense_Profile) | Attaches a Bot Defense profile to the service. This property is available on BIG-IP 14.1 and above. | ||
profileClassification (Pointer_Classification_Profile) | |||
profileConnectivity (reference | Pointer_Connectivity_Profile) | |||
profileDiameterEndpoint (Pointer_Enforcement_Diameter_Endpoint_Profile) | |||
profileDNS (Pointer_DNS_Profile) | |||
profileDOS (Pointer_DOS_Profile) | |||
profileEnforcement (Pointer_Enforcement_Profile) | |||
profileFIX (Pointer_FIX_Profile) | |||
profileFPS (reference | Pointer_FPS_Profile) | FPS Profile to attach to service | ||
profileHTML (Pointer_HTML_Profile) | |||
profileHTTP (string | Pointer_HTTP_Profile) | “basic” | HTTP profile; name of built-in or else BIG-IP AS3 pointer | |
profileHTTPAcceleration (string | Pointer_HTTP_Acceleration_Profile) | “basic”, - | Web acceleration profile; name of built-in or else BIG-IP AS3 pointer | |
profileHTTPCompression (string | Service_HTTP_profileHTTPCompression) | “basic”, “wan”, - | HTTP compression profile; name of built-in or else BIG-IP AS3 pointer | |
profileIntegratedBotDefense (Pointer_Integrated_Bot_Defense_Profile) | BIG-IP AS3 pointer to an Integrated Bot Defense Profile. These are only supported in TMOS version 17.0+. | ||
profileIPOther (Pointer_IP_Other_Profile) | |||
profileMultiplex (string | Pointer_Multiplex_Profile) | “basic”, - | Multiplex (OneConnect) profile; name of built-in or else BIG-IP AS3 pointer | |
profileNTLM (Pointer_NTLM_Profile) | |||
profilePingAccess (reference | Pointer_Access_Profile_Ping) | |||
profileProtocolInspection (reference | Pointer_Protocol_Inspection_Profile) | BIG-IP AS3 pointer to Protocol Inspection Profile declaration | ||
profileRequestAdapt (Pointer_Request_Adapt_Profile) | |||
profileResponseAdapt (Pointer_Response_Adapt_Profile) | |||
profileRewrite (Pointer_Rewrite_Profile) | |||
profileSSHProxy (Pointer_SSH_Proxy_Profile) | |||
profileStatistics (Pointer_Statistics_Profile) | |||
profileStream (Pointer_Stream_Profile) | |||
profileSubscriberManagement (Pointer_Enforcement_Subscriber_Management_Profile) | |||
profileTCP (string | Service_HTTP_profileTCP) | “normal” | “normal”, “lan”, “wan”, “mobile”, - | TCP profile; name of built-in or else BIG-IP AS3 pointer |
profileTrafficLog (Pointer_Traffic_Log_Profile) | |||
profileVdi (reference | Pointer_VDI_Profile) | VDI profile to attach to service. | ||
profileWebSocket (Pointer_WebSocket_Profile) | Attaches a WebSocket profile to the Service. | ||
rateLimit (integer) | 0 | [0, infinity] | Specifies the maximum number of connections per second allowed for a virtual server |
rejectVlans (array<reference>) | Names of existing VLANs to add to this virtual server to reject. | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
securityLogProfiles (array<Service_HTTP_securityLogProfiles>) | Specifies the log profile applied to the virtual server | ||
serverTLS (string) | -, -, - | BIG-IP AS3 pointer to TLS Server declaration | |
serviceDownImmediateAction (string) | “none” | “none”, “drop”, “reset” | Specifies the immediate action the BIG-IP system should respond with upon the receipt of the initial client’s SYN packet if the availability status of the virtual server is Offline or Unavailable. This is supported for the virtual server of Standard type and TCP protocol. The default value is none. |
shareAddresses (boolean) | false | true, false | A user-set boolean that indicates whether the virtualAddresses should be added to, or checked for in, /Common instead of the tenant. The default is false, which places the virtualAddresses in their tenant. |
snat (string | Service_HTTP_snat) | “auto” | “none”, “self”, “auto”, - | Name of built-in SNAT method or BIG-IP AS3 pointer to SNAT pool. If ‘self’, the system uses the virtual-server address as SNAT address |
sourceAddress (string | Pointer_Address_List | reference) | Accepts either a string or a reference to an Address_List which contains source addresses from which this virtual will listen. A reference to an Address_List is only supported on BIG-IP 14.1 and later. If an Address_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. If you also include the virtualAddresses property, those addresses cannot include the accept-from-subnet field. | ||
translateClientPort (boolean | string) | false | true, false | If true, hide client’s port number from server. A value of true is the same as the string ‘change’ while a value of false is the same as the string ‘preserve’. The value ‘preserve-strict’ is the only other allowed value for a string |
translateServerAddress (boolean) | true | true, false | If true (default), make server-side connection to server address (otherwise, treat server as gateway to virtual-server address) |
translateServerPort (boolean) | true | true, false | If true (default), make server-side connection to server port (otherwise, connect to server on virtual-server port) |
virtualAddresses (array<string> | Pointer_Address_List | reference) | Accepts either an array or a reference to an Address_List which contains destination addresses to which this virtual will listen. To accept connections only from certain subnet(s), replace IP address in the provided array with array [IP-address, accept-from-subnet]. If you do this, you cannot also include the sourceAddress property. IP address in the provided array can also be replaced by a reference to a Service_Address. A reference to an Address_List is only supported on BIG-IP 14.1 and later. If an Address_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. | ||
virtualPort (integer | Pointer_Port_List | reference) | 80 | Default 80 is well-known HTTP port. Accepts either an integer or a reference to a Firewall_Port_List that contains the ports on which to listen. Firewall_Port_List is only supported on BIG-IP 14.1 and later. If a Firewall_Port_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. | |
virtualType (string) | “standard” | “standard”, “internal” | Type of the virtual |
Service_HTTP_iRules
Service_HTTP iRules possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP iRule | |
use (string) | BIG-IP AS3 pointer to iRule (declared separately) |
Service_HTTP_lastHop
Service_HTTP lastHop possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP pool | |
use (string) | BIG-IP AS3 pointer to last-hop pool declaration |
Service_HTTP_policyNAT
Service_HTTP policyNAT possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP NAT policy | |
use (string) | BIG-IP AS3 pointer to NAT policy declaration |
Service_HTTP_pool
Service_HTTP pool possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP pool | |
use (string) | BIG-IP AS3 pointer to pool if any (declared separately) |
Service_HTTP_profileHTTPCompression
Service_HTTP profileHTTPCompression possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP HTTP compression profile | |
use (string) | BIG-IP AS3 pointer to HTTP compression profile declaration |
Service_HTTP_profileTCP
Service_HTTP profileTCP possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP TCP profile for both ingress and egress | |
egress (string | object) | “normal”, “lan”, “wan”, “mobile”, - | Egress (server-side context) TCP profile | |
ingress (string | object) | “normal”, “lan”, “wan”, “mobile”, - | Ingress (client-side context) TCP profile | |
use (string) | BIG-IP AS3 pointer to TCP profile declaration for ingress and egress |
Service_HTTP_securityLogProfiles
Service_HTTP securityLogProfiles possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP security log profile | |
use (string) | BIG-IP AS3 pointer to security log profile declaration |
Service_HTTP_snat
Service_HTTP snat possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP SNAT pool | |
use (string) | BIG-IP AS3 pointer to SNAT pool declaration |
Service_HTTPS
HTTPS (HTTP+TLS) virtual server
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressStatus (boolean) | true | true, false | Specifies whether the virtual server will contribute to the operational status of the associated virtual address |
adminState (string) | “enable” | “enable”, “disable” | Specifies the state of the Service. When set to disable the Service no longer accepts new connection requests, but will allow current connections to finish processing before going to a down state. |
allowVlans (array<reference>) | Names of existing VLANs to add to this virtual server to allow. | ||
class (string) | “Service_HTTPS” | ||
clientTLS (string) | -, -, - | BIG-IP AS3 pointer to TLS Client declaration | |
clonePools (Clone_Pools) | |||
enable (boolean) | true | true, false | Virtual server handles traffic only when enabled (default) |
fallbackPersistenceMethod (Basic_Persist) | |||
httpMrfRoutingEnabled (boolean) | false | true, false | Specifies whether to use the HTTP message routing framework (MRF) functionality. This property is available on BIG-IP 14.1 and above. |
include (string | array<string>) | Keyword to allow for inclusion of one part of the declaration into another | ||
ipIntelligencePolicy (reference | Pointer_IP_Intelligence_Policy) | |||
iRules (array<string | Service_HTTPS_iRules>) | -, - | List iRules for this virtual server (order is significant) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
lastHop (string | Service_HTTPS_lastHop) | “default” | “default”, “auto”, “disable”, - | Name of built-in last-hop method or BIG-IP AS3 pointer to last-hop pool (default ‘default’ means use system setting) |
layer4 (string) | “tcp” | “tcp” | For TCP virtual server, Layer 4 protocol must be TCP |
maxConnections (integer) | 0 | [0, infinity] | Specifies the maximum number of concurrent connections you want to allow for the virtual server |
maximumBandwidth (integer | string) | Specifies the maximum bandwidth allowed, in Mbps. | ||
metadata (Metadata) | |||
mirroring (string) | “none” | “none”, “L4” | Controls connection-mirroring for high-availability |
nat64Enabled (boolean) | false | true, false | If true, translate IPv6 traffic into IPv4 (default false) |
persistenceMethods (array<Basic_Persist>) | cookie | Default ‘cookie’ is generally good. Use ‘persistenceMethods: []’ for no persistence. | |
policyBandwidthControl (Pointer_Bandwidth_Control_Policy) | BIG-IP AS3 pointer to Bandwidth Control Policy (policy must be static) | ||
policyEndpoint (array | Pointer_Endpoint_Policy) | -, - | BIG-IP AS3 pointer to Endpoint policy declaration | |
policyFirewallEnforced (reference | Pointer_Firewall_Policy) | |||
policyFirewallStaged (reference | Pointer_Firewall_Policy) | |||
policyIAM (reference | Pointer_Access_Profile) | BIG-IP AS3 pointer to IAM (APM) policy declaration | ||
policyIdleTimeout (Pointer_Idle_Timeout_Policy) | |||
policyNAT (Service_HTTPS_policyNAT) | BIG-IP AS3 pointer to NAT policy declaration | ||
policyPerRequestAccess (reference | Pointer_Per_Request_Access_Policy) | |||
policyWAF (Pointer_WAF_Policy) | |||
pool (string | Service_HTTPS_pool) | -, - | BIG-IP AS3 pointer to pool if any (declared separately) | |
profileAccess (reference | Pointer_Access_Profile) | |||
profileAnalytics (Pointer_Analytics_Profile) | |||
profileAnalyticsTcp (Pointer_Analytics_TCP_Profile) | |||
profileApiProtection (reference | Pointer_API_Protection_Profile) | API protection profile to attach to service. This property is available on BIG-IP 14.1 and above. | ||
profileBotDefense (Pointer_Bot_Defense_Profile) | Attaches a Bot Defense profile to the service. This property is available on BIG-IP 14.1 and above. | ||
profileClassification (Pointer_Classification_Profile) | |||
profileConnectivity (reference | Pointer_Connectivity_Profile) | |||
profileDiameterEndpoint (Pointer_Enforcement_Diameter_Endpoint_Profile) | |||
profileDNS (Pointer_DNS_Profile) | |||
profileDOS (Pointer_DOS_Profile) | |||
profileEnforcement (Pointer_Enforcement_Profile) | |||
profileFIX (Pointer_FIX_Profile) | |||
profileFPS (reference | Pointer_FPS_Profile) | FPS Profile to attach to service | ||
profileHTML (Pointer_HTML_Profile) | |||
profileHTTP (string | Pointer_HTTP_Profile) | “basic” | HTTP profile; name of built-in or else BIG-IP AS3 pointer | |
profileHTTP2 (string | Service_HTTPS_profileHTTP2) | HTTP/2 profile; name of built-in or else BIG-IP AS3 pointer | ||
profileHTTPAcceleration (string | Pointer_HTTP_Acceleration_Profile) | “basic”, - | Web acceleration profile; name of built-in or else BIG-IP AS3 pointer | |
profileHTTPCompression (string | Service_HTTPS_profileHTTPCompression) | “basic”, “wan”, - | HTTP compression profile; name of built-in or else BIG-IP AS3 pointer | |
profileIntegratedBotDefense (Pointer_Integrated_Bot_Defense_Profile) | BIG-IP AS3 pointer to an Integrated Bot Defense Profile. These are only supported in TMOS version 17.0+. | ||
profileIPOther (Pointer_IP_Other_Profile) | |||
profileMultiplex (string | Pointer_Multiplex_Profile) | “basic”, - | Multiplex (OneConnect) profile; name of built-in or else BIG-IP AS3 pointer | |
profileNTLM (Pointer_NTLM_Profile) | |||
profilePingAccess (reference | Pointer_Access_Profile_Ping) | |||
profileProtocolInspection (reference | Pointer_Protocol_Inspection_Profile) | BIG-IP AS3 pointer to Protocol Inspection Profile declaration | ||
profileRequestAdapt (Pointer_Request_Adapt_Profile) | |||
profileResponseAdapt (Pointer_Response_Adapt_Profile) | |||
profileRewrite (Pointer_Rewrite_Profile) | |||
profileSSHProxy (Pointer_SSH_Proxy_Profile) | |||
profileStatistics (Pointer_Statistics_Profile) | |||
profileStream (Pointer_Stream_Profile) | |||
profileSubscriberManagement (Pointer_Enforcement_Subscriber_Management_Profile) | |||
profileTCP (string | Service_HTTPS_profileTCP) | “normal” | “normal”, “lan”, “wan”, “mobile”, - | TCP profile; name of built-in or else BIG-IP AS3 pointer |
profileTrafficLog (Pointer_Traffic_Log_Profile) | |||
profileVdi (reference | Pointer_VDI_Profile) | VDI profile to attach to service. | ||
profileWebSocket (Pointer_WebSocket_Profile) | Attaches a WebSocket profile to the Service. | ||
rateLimit (integer) | 0 | [0, infinity] | Specifies the maximum number of connections per second allowed for a virtual server |
redirect80 (boolean) | true | true, false | If true, BIG-IP AS3 redirects HTTP traffic to any virtualAddress on port 80 to virtualPort |
rejectVlans (array<reference>) | Names of existing VLANs to add to this virtual server to reject. | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
securityLogProfiles (array<Service_HTTPS_securityLogProfiles>) | Specifies the log profile applied to the virtual server | ||
serverTLS (string) | -, -, - | BIG-IP AS3 pointer to TLS Server declaration | |
serviceDownImmediateAction (string) | “none” | “none”, “drop”, “reset” | Specifies the immediate action the BIG-IP system should respond with upon the receipt of the initial client’s SYN packet if the availability status of the virtual server is Offline or Unavailable. This is supported for the virtual server of Standard type and TCP protocol. The default value is none. |
shareAddresses (boolean) | false | true, false | A user-set boolean that indicates whether the virtualAddresses should be added to, or checked for in, /Common instead of the tenant. The default is false, which places the virtualAddresses in their tenant. |
snat (string | Service_HTTPS_snat) | “auto” | “none”, “self”, “auto”, - | Name of built-in SNAT method or BIG-IP AS3 pointer to SNAT pool. If ‘self’, the system uses the virtual-server address as SNAT address |
sourceAddress (string | Pointer_Address_List | reference) | Accepts either a string or a reference to an Address_List which contains source addresses from which this virtual will listen. A reference to an Address_List is only supported on BIG-IP 14.1 and later. If an Address_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. If you also include the virtualAddresses property, those addresses cannot include the accept-from-subnet field. | ||
translateClientPort (boolean | string) | false | true, false | If true, hide client’s port number from server. A value of true is the same as the string ‘change’ while a value of false is the same as the string ‘preserve’. The value ‘preserve-strict’ is the only other allowed value for a string |
translateServerAddress (boolean) | true | true, false | If true (default), make server-side connection to server address (otherwise, treat server as gateway to virtual-server address) |
translateServerPort (boolean) | true | true, false | If true (default), make server-side connection to server port (otherwise, connect to server on virtual-server port) |
virtualAddresses (array<string> | Pointer_Address_List | reference) | Accepts either an array or a reference to an Address_List which contains destination addresses to which this virtual will listen. To accept connections only from certain subnet(s), replace IP address in the provided array with array [IP-address, accept-from-subnet]. If you do this, you cannot also include the sourceAddress property. IP address in the provided array can also be replaced by a reference to a Service_Address. A reference to an Address_List is only supported on BIG-IP 14.1 and later. If an Address_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. | ||
virtualPort (integer | Pointer_Port_List | reference) | 443 | Default 443 is well-known HTTPS port. Accepts either an integer or a reference to a Firewall_Port_List that contains the ports on which to listen. Firewall_Port_List is only supported on BIG-IP 14.1 and later. If a Firewall_Port_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. | |
virtualType (string) | “standard” | “standard”, “internal” | Type of the virtual |
Service_HTTPS_iRules¶
Service_HTTPS iRules possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP iRule | |
use (string) | BIG-IP AS3 pointer to iRule (declared separately) |
Service_HTTPS_lastHop¶
Service_HTTPS lastHop possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP pool | |
use (string) | BIG-IP AS3 pointer to last-hop pool declaration |
Service_HTTPS_policyNAT¶
Service_HTTPS policyNAT possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP NAT policy | |
use (string) | BIG-IP AS3 pointer to NAT policy declaration |
Service_HTTPS_pool¶
Service_HTTPS pool possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP pool | |
use (string) | BIG-IP AS3 pointer to pool if any (declared separately) |
Service_HTTPS_profileHTTP2¶
Service_HTTPS profileHTTP2 possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP HTTP/2 Profile | |
egress (object) | Egress (server-side context) HTTP/2 profile. This property is available on BIG-IP 14.1 and above. Note: Ingress and Egress profiles should not be the same. | ||
ingress (object) | Ingress (client-side context) HTTP/2 profile. This property is available on BIG-IP 14.1 and above. Note: Ingress and Egress profiles should not be the same. | ||
use (string) | AS3 pointer to HTTP/2 Profile declaration |
Service_HTTPS_profileHTTPCompression¶
Service_HTTPS profileHTTPCompression possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP HTTP compression profile | |
use (string) | BIG-IP AS3 pointer to HTTP compression profile declaration |
Service_HTTPS_profileTCP¶
Service_HTTPS profileTCP possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP TCP profile for both ingress and egress | |
egress (string | object) | “normal”, “lan”, “wan”, “mobile”, - | Egress (server-side context) TCP profile | |
ingress (string | object) | “normal”, “lan”, “wan”, “mobile”, - | Ingress (client-side context) TCP profile | |
use (string) | BIG-IP AS3 pointer to TCP profile declaration for ingress and egress |
Service_HTTPS_securityLogProfiles¶
Service_HTTPS securityLogProfiles possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP security log profile | |
use (string) | BIG-IP AS3 pointer to security log profile declaration |
Service_HTTPS_snat¶
Service_HTTPS snat possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP SNAT pool | |
use (string) | BIG-IP AS3 pointer to SNAT pool declaration |
Service_L4¶
Declares a L4 (FastL4) virtual server
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressStatus (boolean) | true | true, false | Specifies whether the virtual server will contribute to the operational status of the associated virtual address |
adminState (string) | “enable” | “enable”, “disable” | Specifies the state of the Service. When set to disable the Service no longer accepts new connection requests, but will allow current connections to finish processing before going to a down state. |
allowVlans (array<reference>) | Names of existing VLANs to add to this virtual server to allow. | ||
class (string) | “Service_L4” | ||
clonePools (Clone_Pools) | |||
enable (boolean) | true | true, false | Virtual server handles traffic only when enabled (default) |
fallbackPersistenceMethod (Basic_Persist) | |||
httpMrfRoutingEnabled (boolean) | false | true, false | Specifies whether to use the HTTP message routing framework (MRF) functionality. This property is available on BIG-IP 14.1 and above. |
include (string | array<string>) | Keyword to allow for inclusion of one part of the declaration into another | ||
ipIntelligencePolicy (reference | Pointer_IP_Intelligence_Policy) | |||
iRules (array<string | Service_L4_iRules>) | -, - | List iRules for this virtual server (order is significant) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
lastHop (string | Service_L4_lastHop) | “default” | “default”, “auto”, “disable”, - | Name of built-in last-hop method or BIG-IP AS3 pointer to last-hop pool (default ‘default’ means use system setting) |
layer4 (string) | “tcp” | “any”, “tcp”, “udp”, “3pc”, “a/n”, “ah”, “argus”, “aris”, “ax.25”, “bbn-rcc”, “bna”, “br-sat-mon”, “cbt”, “cftp”, “chaos”, “compaq-peer”, “cphb”, “cpnx”, “crdup”, “crtp”, “dccp”, “dcn”, “ddp”, “ddx”, “dgp”, “dsr”, “egp”, “eigrp”, “emcon”, “encap”, “esp”, “etherip”, “fc”, “fire”, “ggp”, “gmtp”, “gre”, “hip”, “hmp”, “hopopt”, “i-nlsp”, “iatp”, “icmp”, “idpr”, “idpr-cmtp”, “idrp”, “ifmp”, “igmp”, “igp”, “il”, “ip”, “ipcomp”, “ipcv”, “ipencap”, “ipip”, “iplt”, “ippc”, “ipv6”, “ipv6-auth”, “ipv6-crypt”, “ipv6-frag”, “ipv6-icmp”, “ipv6-nonxt”, “ipv6-opts”, “ipv6-route”, “ipx-in-ip”, “irtp”, “isis”, “iso-ip”, “iso-tp4”, “kryptolan”, “l2tp”, “larp”, “leaf-1”, “leaf-2”, “manet”, “merit-inp”, “mfe-nsp”, “micp”, “mobile”, “mpls-in-ip”, “mtp”, “mux”, “narp”, “netblt”, “nsfnet-igp”, “nvp”, “ospf”, “pgm”, “pim”, “pipe”, “pnni”, “prm”, “ptp”, “pup”, “pvp”, “qnx”, “rdp”, “rsvp”, “rsvp-e2e-ignore”, “rvd”, “sat-expak”, “sat-mon”, “scc-sp”, “scps”, “sctp”, “sdrp”, “secure-vmtp”, “shim6”, “skip”, “sm”, “smp”, “snp”, “sprite-rpc”, “sps”, “srp”, “sscopmce”, “st”, “stp”, “sun-nd”, “swipe”, “tcf”, “tlsp”, “tp++”, “trunk-1”, “trunk-2”, “ttp”, “udplite”, “uti”, “vines”, “visa”, “vmtp”, “vrrp”, “wb-expak”, “wb-mon”, “wesp”, “wsn”, “xnet”, “xns-idp”, “xtp” | The L4 protocol type for this virtual server |
maxConnections (integer) | 0 | [0, infinity] | Specifies the maximum number of concurrent connections you want to allow for the virtual server |
maximumBandwidth (integer | string) | Specifies the maximum bandwidth allowed, in Mbps. | ||
metadata (Metadata) | |||
mirroring (string) | “none” | “none”, “L4” | Controls connection-mirroring for high-availability |
nat64Enabled (boolean) | false | true, false | If true, translate IPv6 traffic into IPv4 (default false) |
persistenceMethods (array<Basic_Persist>) | source-address | Default ‘source-address’ is generally good. Use ‘persistenceMethods: []’ for no persistence. | |
policyBandwidthControl (Pointer_Bandwidth_Control_Policy) | BIG-IP AS3 pointer to Bandwidth Control Policy (policy must be static) | ||
policyFirewallEnforced (reference | Pointer_Firewall_Policy) | |||
policyFirewallStaged (reference | Pointer_Firewall_Policy) | |||
policyIdleTimeout (Pointer_Idle_Timeout_Policy) | |||
policyNAT (Service_L4_policyNAT) | BIG-IP AS3 pointer to NAT policy declaration | ||
pool (string | Service_L4_pool) | -, - | BIG-IP AS3 pointer to pool if any (declared separately) | |
profileAnalyticsTcp (Pointer_Analytics_TCP_Profile) | |||
profileClassification (Pointer_Classification_Profile) | |||
profileDiameterEndpoint (Pointer_Enforcement_Diameter_Endpoint_Profile) | |||
profileDNS (Pointer_DNS_Profile) | |||
profileEnforcement (Pointer_Enforcement_Profile) | |||
profileFIX (Pointer_FIX_Profile) | |||
profileIntegratedBotDefense (Pointer_Integrated_Bot_Defense_Profile) | BIG-IP AS3 pointer to an Integrated Bot Defense Profile. These are only supported in TMOS version 17.0+. | ||
profileIPOther (Pointer_IP_Other_Profile) | |||
profileL4 (string | Pointer_L4_Profile) | “basic” | “basic”, - | L4 profile; name of built-in or else BIG-IP AS3 pointer |
profileProtocolInspection (reference | Pointer_Protocol_Inspection_Profile) | BIG-IP AS3 pointer to Protocol Inspection Profile declaration | ||
profileRewrite (Pointer_Rewrite_Profile) | |||
profileStatistics (Pointer_Statistics_Profile) | |||
profileSubscriberManagement (Pointer_Enforcement_Subscriber_Management_Profile) | |||
profileTrafficLog (Pointer_Traffic_Log_Profile) | |||
rateLimit (integer) | 0 | [0, infinity] | Specifies the maximum number of connections per second allowed for a virtual server |
rejectVlans (array<reference>) | Names of existing VLANs to add to this virtual server to reject. | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
securityLogProfiles (array<Service_L4_securityLogProfiles>) | Specifies the log profile applied to the virtual server | ||
serviceDownImmediateAction (string) | “none” | “none”, “drop”, “reset” | Specifies the immediate action the BIG-IP system should respond with upon the receipt of the initial client’s SYN packet if the availability status of the virtual server is Offline or Unavailable. This is supported for the virtual server of Standard type and TCP protocol. The default value is none. |
shareAddresses (boolean) | false | true, false | A user-set boolean that indicates whether the virtualAddresses should be added to or checked for in /Common instead of the tenant. This value defaults to false, which puts the virtualAddresses into their tenant. |
snat (string | Service_L4_snat) | “auto” | “none”, “self”, “auto”, - | Name of built-in SNAT method or BIG-IP AS3 pointer to SNAT pool. If ‘self’, the system uses the virtual-server address as SNAT address |
sourceAddress (string | Pointer_Address_List | reference) | Accepts either a string or a reference to an Address_List which contains source addresses from which this virtual will listen. A reference to an Address_List is only supported on BIG-IP 14.1 and later. If an Address_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. If you also include the virtualAddresses property, those addresses cannot include the accept-from-subnet field. | ||
translateClientPort (boolean | string) | false | true, false | If true, hide client’s port number from server. A value of true is the same as the string ‘change’ while a value of false is the same as the string ‘preserve’. The value ‘preserve-strict’ is the only other allowed value for a string |
translateServerAddress (boolean) | true | true, false | If true (default), make server-side connection to server address (otherwise, treat server as gateway to virtual-server address) |
translateServerPort (boolean) | true | true, false | If true (default), make server-side connection to server port (otherwise, connect to server on virtual-server port) |
virtualAddresses (array<string> | Pointer_Address_List | reference) | Accepts either an array or a reference to an Address_List which contains destination addresses to which this virtual will listen. To accept connections only from certain subnet(s), replace IP address in the provided array with array [IP-address, accept-from-subnet]. If you do this, you cannot also include the sourceAddress property. IP address in the provided array can also be replaced by a reference to a Service_Address. A reference to an Address_List is only supported on BIG-IP 14.1 and later. If an Address_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. | ||
virtualPort (integer | Pointer_Port_List | reference) | Accepts either an integer or a reference to a Firewall_Port_List that contains the ports on which to listen. Firewall_Port_List is only supported on BIG-IP 14.1 and later. If a Firewall_Port_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. |
Service_L4_iRules¶
Service_L4 iRules possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP iRule | |
use (string) | BIG-IP AS3 pointer to iRule (declared separately) |
Service_L4_lastHop¶
Service_L4 lastHop possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP pool | |
use (string) | BIG-IP AS3 pointer to last-hop pool declaration |
Service_L4_policyNAT¶
Service_L4 policyNAT possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP NAT policy | |
use (string) | BIG-IP AS3 pointer to NAT policy declaration |
Service_L4_pool¶
Service_L4 pool possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP pool | |
use (string) | BIG-IP AS3 pointer to pool if any (declared separately) |
Service_L4_securityLogProfiles¶
Service_L4 securityLogProfiles possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP security log profile | |
use (string) | BIG-IP AS3 pointer to security log profile declaration |
Service_L4_snat¶
Service_L4 snat possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP SNAT pool | |
use (string) | BIG-IP AS3 pointer to SNAT pool declaration |
Service_SCTP¶
Declares a SCTP virtual server
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressStatus (boolean) | true | true, false | Specifies whether the virtual server will contribute to the operational status of the associated virtual address |
adminState (string) | “enable” | “enable”, “disable” | Specifies the state of the Service. When set to disable the Service no longer accepts new connection requests, but will allow current connections to finish processing before going to a down state. |
allowVlans (array<reference>) | Names of existing VLANs to add to this virtual server to allow. | ||
class (string) | “Service_SCTP” | ||
clonePools (Clone_Pools) | |||
enable (boolean) | true | true, false | Virtual server handles traffic only when enabled (default) |
fallbackPersistenceMethod (Basic_Persist) | |||
httpMrfRoutingEnabled (boolean) | false | true, false | Specifies whether to use the HTTP message routing framework (MRF) functionality. This property is available on BIG-IP 14.1 and above. |
include (string | array<string>) | Keyword to allow for inclusion of one part of the declaration into another | ||
ipIntelligencePolicy (reference | Pointer_IP_Intelligence_Policy) | |||
iRules (array<string | Service_SCTP_iRules>) | -, - | List iRules for this virtual server (order is significant) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
lastHop (string | Service_SCTP_lastHop) | “default” | “default”, “auto”, “disable”, - | Name of built-in last-hop method or BIG-IP AS3 pointer to last-hop pool (default ‘default’ means use system setting) |
layer4 (string) | “sctp” | “sctp” | For SCTP virtual server, Layer 4 protocol must be SCTP |
maxConnections (integer) | 0 | [0, infinity] | Specifies the maximum number of concurrent connections you want to allow for the virtual server |
maximumBandwidth (integer | string) | Specifies the maximum bandwidth allowed, in Mbps. | ||
metadata (Metadata) | |||
mirroring (string) | “none” | “none”, “L4” | Controls connection-mirroring for high-availability |
nat64Enabled (boolean) | false | true, false | If true, translate IPv6 traffic into IPv4 (default false) |
persistenceMethods (array<Basic_Persist>) | List of persistence methods (each by name or BIG-IP AS3 pointer). Element 0 is primary (default) persistence method. Use ‘persistenceMethods: []’ for no persistence. | ||
policyBandwidthControl (Pointer_Bandwidth_Control_Policy) | BIG-IP AS3 pointer to Bandwidth Control Policy (policy must be static) | ||
policyFirewallEnforced (reference | Pointer_Firewall_Policy) | |||
policyFirewallStaged (reference | Pointer_Firewall_Policy) | |||
policyIdleTimeout (Pointer_Idle_Timeout_Policy) | |||
policyNAT (Service_SCTP_policyNAT) | BIG-IP AS3 pointer to NAT policy declaration | ||
pool (string | Service_SCTP_pool) | -, - | BIG-IP AS3 pointer to pool if any (declared separately) | |
profileClassification (Pointer_Classification_Profile) | |||
profileDiameterEndpoint (Pointer_Enforcement_Diameter_Endpoint_Profile) | |||
profileDNS (Pointer_DNS_Profile) | |||
profileEnforcement (Pointer_Enforcement_Profile) | |||
profileIntegratedBotDefense (Pointer_Integrated_Bot_Defense_Profile) | BIG-IP AS3 pointer to an Integrated Bot Defense Profile. These are only supported in TMOS version 17.0+. | ||
profileIPOther (Pointer_IP_Other_Profile) | |||
profileProtocolInspection (reference | Pointer_Protocol_Inspection_Profile) | BIG-IP AS3 pointer to Protocol Inspection Profile declaration | ||
profileRewrite (Pointer_Rewrite_Profile) | |||
profileSCTP (Pointer_SCTP_Profile) | |||
profileStatistics (Pointer_Statistics_Profile) | |||
profileSubscriberManagement (Pointer_Enforcement_Subscriber_Management_Profile) | |||
profileTrafficLog (Pointer_Traffic_Log_Profile) | |||
rateLimit (integer) | 0 | [0, infinity] | Specifies the maximum number of connections per second allowed for a virtual server |
rejectVlans (array<reference>) | Names of existing VLANs to add to this virtual server to reject. | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
securityLogProfiles (array<Service_SCTP_securityLogProfiles>) | Specifies the log profile applied to the virtual server | ||
serviceDownImmediateAction (string) | “none” | “none”, “drop”, “reset” | Specifies the immediate action the BIG-IP system should respond with upon the receipt of the initial client’s SYN packet if the availability status of the virtual server is Offline or Unavailable. This is supported for the virtual server of Standard type and TCP protocol. The default value is none. |
shareAddresses (boolean) | false | true, false | A user-set boolean that indicates whether the virtualAddresses should be added to or checked for in /Common instead of the tenant. This value defaults to false, which puts the virtualAddresses into their tenant. |
snat (string | Service_SCTP_snat) | “auto” | “none”, “self”, “auto”, - | Name of built-in SNAT method or BIG-IP AS3 pointer to SNAT pool. If ‘self’, the system uses the virtual-server address as SNAT address |
sourceAddress (string | Pointer_Address_List | reference) | Accepts either a string or a reference to an Address_List which contains source addresses from which this virtual will listen. A reference to an Address_List is only supported on BIG-IP 14.1 and later. If an Address_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. If you also include the virtualAddresses property, those addresses cannot include the accept-from-subnet field. | ||
translateClientPort (boolean | string) | false | true, false | If true, hide client’s port number from server. A value of true is the same as the string ‘change’ while a value of false is the same as the string ‘preserve’. The value ‘preserve-strict’ is the only other allowed value for a string |
translateServerAddress (boolean) | true | true, false | If true (default), make server-side connection to server address (otherwise, treat server as gateway to virtual-server address) |
translateServerPort (boolean) | true | true, false | If true (default), make server-side connection to server port (otherwise, connect to server on virtual-server port) |
virtualAddresses (array<string> | Pointer_Address_List | reference) | Accepts either an array or a reference to an Address_List which contains destination addresses to which this virtual will listen. To accept connections only from certain subnet(s), replace IP address in the provided array with array [IP-address, accept-from-subnet]. If you do this, you cannot also include the sourceAddress property. IP address in the provided array can also be replaced by a reference to a Service_Address. A reference to an Address_List is only supported on BIG-IP 14.1 and later. If an Address_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. | ||
virtualPort (integer | Pointer_Port_List | reference) | Accepts either an integer or a reference to a Firewall_Port_List that contains the ports on which to listen. Firewall_Port_List is only supported on BIG-IP 14.1 and later. If a Firewall_Port_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. |
Service_SCTP_iRules¶
Service_SCTP iRules possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP iRule | |
use (string) | BIG-IP AS3 pointer to iRule (declared separately) |
Service_SCTP_lastHop¶
Service_SCTP lastHop possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP pool | |
use (string) | BIG-IP AS3 pointer to last-hop pool declaration |
Service_SCTP_policyNAT¶
Service_SCTP policyNAT possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP NAT policy | |
use (string) | BIG-IP AS3 pointer to NAT policy declaration |
Service_SCTP_pool¶
Service_SCTP pool possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP pool | |
use (string) | BIG-IP AS3 pointer to pool if any (declared separately) |
Service_SCTP_securityLogProfiles¶
Service_SCTP securityLogProfiles possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP security log profile | |
use (string) | BIG-IP AS3 pointer to security log profile declaration |
Service_SCTP_snat¶
Service_SCTP snat possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP SNAT pool | |
use (string) | BIG-IP AS3 pointer to SNAT pool declaration |
Service_TCP¶
Declares a TCP virtual server (w/optional TLS)
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressStatus (boolean) | true | true, false | Specifies whether the virtual server will contribute to the operational status of the associated virtual address |
adminState (string) | “enable” | “enable”, “disable” | Specifies the state of the Service. When set to disable the Service no longer accepts new connection requests, but will allow current connections to finish processing before going to a down state. |
allowVlans (array<reference>) | Names of existing VLANs to add to this virtual server to allow. | ||
class (string) | “Service_TCP” | ||
clientTLS (string) | -, -, - | BIG-IP AS3 pointer to TLS Client declaration | |
clonePools (Clone_Pools) | |||
enable (boolean) | true | true, false | Virtual server handles traffic only when enabled (default) |
fallbackPersistenceMethod (Basic_Persist) | |||
httpMrfRoutingEnabled (boolean) | false | true, false | Specifies whether to use the HTTP message routing framework (MRF) functionality. This property is available on BIG-IP 14.1 and above. |
include (string | array<string>) | Keyword to allow for inclusion of one part of the declaration into another | ||
ipIntelligencePolicy (reference | Pointer_IP_Intelligence_Policy) | |||
iRules (array<string | Service_TCP_iRules>) | -, - | List iRules for this virtual server (order is significant) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
lastHop (string | Service_TCP_lastHop) | “default” | “default”, “auto”, “disable”, - | Name of built-in last-hop method or BIG-IP AS3 pointer to last-hop pool (default ‘default’ means use system setting) |
layer4 (string) | “tcp” | “tcp” | For TCP virtual server, Layer 4 protocol must be TCP |
maxConnections (integer) | 0 | [0, infinity] | Specifies the maximum number of concurrent connections you want to allow for the virtual server |
maximumBandwidth (integer | string) | Specifies the maximum bandwidth allowed, in Mbps. | ||
metadata (Metadata) | |||
mirroring (string) | “none” | “none”, “L4” | Controls connection-mirroring for high-availability |
mqttEnabled (boolean) | false | true, false | Attaches the MQTT profile /Common/mqtt. MQTT profiles have no configurable properties. |
nat64Enabled (boolean) | false | true, false | If true, translate IPv6 traffic into IPv4 (default false) |
persistenceMethods (array<Basic_Persist>) | source-address | Default ‘source-address’ is generally good. Use ‘persistenceMethods: []’ for no persistence. | |
policyBandwidthControl (Pointer_Bandwidth_Control_Policy) | BIG-IP AS3 pointer to Bandwidth Control Policy (policy must be static) | ||
policyEndpoint (array | Pointer_Endpoint_Policy) | -, - | BIG-IP AS3 pointer to Endpoint policy declaration | |
policyFirewallEnforced (reference | Pointer_Firewall_Policy) | |||
policyFirewallStaged (reference | Pointer_Firewall_Policy) | |||
policyIdleTimeout (Pointer_Idle_Timeout_Policy) | |||
policyNAT (Service_TCP_policyNAT) | BIG-IP AS3 pointer to NAT policy declaration | ||
pool (string | Service_TCP_pool) | -, - | BIG-IP AS3 pointer to pool if any (declared separately) | |
profileAnalyticsTcp (Pointer_Analytics_TCP_Profile) | |||
profileClassification (Pointer_Classification_Profile) | |||
profileDiameterEndpoint (Pointer_Enforcement_Diameter_Endpoint_Profile) | |||
profileDNS (Pointer_DNS_Profile) | |||
profileEnforcement (Pointer_Enforcement_Profile) | |||
profileFIX (Pointer_FIX_Profile) | |||
profileFTP (Pointer_FTP_Profile) | |||
profileICAP (Pointer_ICAP_Profile) | |||
profileILX (Pointer_ILX_Profile) | |||
profileIntegratedBotDefense (Pointer_Integrated_Bot_Defense_Profile) | BIG-IP AS3 pointer to an Integrated Bot Defense Profile. These are only supported in TMOS version 17.0+. | ||
profileIPOther (Pointer_IP_Other_Profile) | |||
profilePPTP (Pointer_PPTP_Profile) | |||
profileProtocolInspection (reference | Pointer_Protocol_Inspection_Profile) | BIG-IP AS3 pointer to Protocol Inspection Profile declaration | ||
profileRewrite (Pointer_Rewrite_Profile) | |||
profileRTSP (Pointer_RTSP_Profile) | |||
profileSIP (Pointer_SIP_Profile) | |||
profileSOCKS (Pointer_SOCKS_Profile) | |||
profileSSHProxy (Pointer_SSH_Proxy_Profile) | |||
profileStatistics (Pointer_Statistics_Profile) | |||
profileStream (Pointer_Stream_Profile) | |||
profileSubscriberManagement (Pointer_Enforcement_Subscriber_Management_Profile) | |||
profileTCP (string | Service_TCP_profileTCP) | “normal” | “normal”, “lan”, “wan”, “mobile”, - | TCP profile; name of built-in or else BIG-IP AS3 pointer |
profileTrafficLog (Pointer_Traffic_Log_Profile) | |||
rateLimit (integer) | 0 | [0, infinity] | Specifies the maximum number of connections per second allowed for a virtual server |
rejectVlans (array<reference>) | Names of existing VLANs to add to this virtual server to reject. | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
securityLogProfiles (array<Service_TCP_securityLogProfiles>) | Specifies the log profile applied to the virtual server | ||
serverTLS (string) | -, -, - | BIG-IP AS3 pointer to TLS Server declaration | |
serviceDownImmediateAction (string) | “none” | “none”, “drop”, “reset” | Specifies the immediate action the BIG-IP system should respond with upon the receipt of the initial client’s SYN packet if the availability status of the virtual server is Offline or Unavailable. This is supported for the virtual server of Standard type and TCP protocol. The default value is none. |
shareAddresses (boolean) | false | true, false | A user-set boolean that indicates whether the virtualAddresses should be added to or checked for in /Common instead of the tenant. This value defaults to false, which puts the virtualAddresses into their tenant. |
snat (string | Service_TCP_snat) | “auto” | “none”, “self”, “auto”, - | Name of built-in SNAT method or BIG-IP AS3 pointer to SNAT pool. If ‘self’, the system uses the virtual-server address as SNAT address |
sourceAddress (string | Pointer_Address_List | reference) | Accepts either a string or a reference to an Address_List which contains source addresses from which this virtual will listen. A reference to an Address_List is only supported on BIG-IP 14.1 and later. If an Address_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. If you also include the virtualAddresses property, those addresses cannot include the accept-from-subnet field. | ||
translateClientPort (boolean | string) | false | true, false | If true, hide client’s port number from server. A value of true is the same as the string ‘change’ while a value of false is the same as the string ‘preserve’. The value ‘preserve-strict’ is the only other allowed value for a string |
translateServerAddress (boolean) | true | true, false | If true (default), make server-side connection to server address (otherwise, treat server as gateway to virtual-server address) |
translateServerPort (boolean) | true | true, false | If true (default), make server-side connection to server port (otherwise, connect to server on virtual-server port) |
virtualAddresses (array<string> | Pointer_Address_List | reference) | Accepts either an array or a reference to an Address_List which contains destination addresses to which this virtual will listen. To accept connections only from certain subnet(s), replace IP address in the provided array with array [IP-address, accept-from-subnet]. If you do this, you cannot also include the sourceAddress property. IP address in the provided array can also be replaced by a reference to a Service_Address. A reference to an Address_List is only supported on BIG-IP 14.1 and later. If an Address_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. | ||
virtualPort (integer | Pointer_Port_List | reference) | Accepts either an integer or a reference to a Firewall_Port_List that contains the ports on which to listen. Firewall_Port_List is only supported on BIG-IP 14.1 and later. If a Firewall_Port_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. | ||
virtualType (string) | “standard” | “standard”, “internal” | Type of the virtual |
Service_TCP_iRules
Service_TCP iRules possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP iRule | |
use (string) | BIG-IP AS3 pointer to iRule (declared separately) |
Service_TCP_lastHop
Service_TCP lastHop possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP pool | |
use (string) | BIG-IP AS3 pointer to last-hop pool declaration |
Service_TCP_policyNAT
Service_TCP policyNAT possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP NAT policy | |
use (string) | BIG-IP AS3 pointer to NAT policy declaration |
Service_TCP_pool
Service_TCP pool possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP pool | |
use (string) | BIG-IP AS3 pointer to pool if any (declared separately) |
Service_TCP_profileTCP
Service_TCP profileTCP possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP TCP profile for both ingress and egress | |
egress (string | object) | “normal”, “lan”, “wan”, “mobile”, - | Egress (server-side context) TCP profile | |
ingress (string | object) | “normal”, “lan”, “wan”, “mobile”, - | Ingress (client-side context) TCP profile | |
use (string) | BIG-IP AS3 pointer to TCP profile declaration for ingress and egress |
Service_TCP_securityLogProfiles
Service_TCP securityLogProfiles possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP security log profile | |
use (string) | BIG-IP AS3 pointer to security log profile declaration |
Service_TCP_snat
Service_TCP snat possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP SNAT pool | |
use (string) | BIG-IP AS3 pointer to SNAT pool declaration |
Service_UDP
Declares a UDP virtual server (with optional (D)TLS)
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressStatus (boolean) | true | true, false | Specifies whether the virtual server will contribute to the operational status of the associated virtual address |
adminState (string) | “enable” | “enable”, “disable” | Specifies the state of the Service. When set to disable the Service no longer accepts new connection requests, but will allow current connections to finish processing before going to a down state. |
allowVlans (array<reference>) | Names of existing VLANs to add to this virtual server to allow. | ||
class (string) | “Service_UDP” | ||
clientTLS (string) | -, -, - | BIG-IP AS3 pointer to TLS Client declaration | |
clonePools (Clone_Pools) | |||
enable (boolean) | true | true, false | Virtual server handles traffic only when enabled (default) |
fallbackPersistenceMethod (Basic_Persist) | |||
httpMrfRoutingEnabled (boolean) | false | true, false | Specifies whether to use the HTTP message routing framework (MRF) functionality. This property is available on BIG-IP 14.1 and above. |
include (string | array<string>) | Keyword to allow for inclusion of one part of the declaration into another | ||
ipIntelligencePolicy (reference | Pointer_IP_Intelligence_Policy) | |||
iRules (array<string | Service_UDP_iRules>) | -, - | List iRules for this virtual server (order is significant) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
lastHop (string | Service_UDP_lastHop) | “default” | “default”, “auto”, “disable”, - | Name of built-in last-hop method or BIG-IP AS3 pointer to last-hop pool (default ‘default’ means use system setting) |
layer4 (string) | “udp” | “udp” | For UDP virtual server, Layer 4 protocol must be UDP |
maxConnections (integer) | 0 | [0, infinity] | Specifies the maximum number of concurrent connections you want to allow for the virtual server |
maximumBandwidth (integer | string) | Specifies the maximum bandwidth allowed, in Mbps. | ||
metadata (Metadata) | |||
mirroring (string) | “none” | “none”, “L4” | Controls connection-mirroring for high-availability |
nat64Enabled (boolean) | false | true, false | If true, translate IPv6 traffic into IPv4 (default false) |
persistenceMethods (array<Basic_Persist>) | source-address | Default ‘source-address’ is generally good. Use ‘persistenceMethods: []’ for no persistence. | |
policyBandwidthControl (Pointer_Bandwidth_Control_Policy) | BIG-IP AS3 pointer to Bandwidth Control Policy (policy must be static) | ||
policyEndpoint (array | Pointer_Endpoint_Policy) | -, - | BIG-IP AS3 pointer to Endpoint policy declaration | |
policyFirewallEnforced (reference | Pointer_Firewall_Policy) | |||
policyFirewallStaged (reference | Pointer_Firewall_Policy) | |||
policyIdleTimeout (Pointer_Idle_Timeout_Policy) | |||
policyNAT (Service_UDP_policyNAT) | BIG-IP AS3 pointer to NAT policy declaration | ||
pool (string | Service_UDP_pool) | -, - | BIG-IP AS3 pointer to pool if any (declared separately) | |
profileClassification (Pointer_Classification_Profile) | |||
profileDiameterEndpoint (Pointer_Enforcement_Diameter_Endpoint_Profile) | |||
profileDNS (Pointer_DNS_Profile) | |||
profileEnforcement (Pointer_Enforcement_Profile) | |||
profileIntegratedBotDefense (Pointer_Integrated_Bot_Defense_Profile) | BIG-IP AS3 pointer to an Integrated Bot Defense Profile. These are only supported in TMOS version 17.0+. | ||
profileIPOther (Pointer_IP_Other_Profile) | |||
profileProtocolInspection (reference | Pointer_Protocol_Inspection_Profile) | BIG-IP AS3 pointer to Protocol Inspection Profile declaration | ||
profileRADIUS (Pointer_Radius_Profile) | |||
profileRewrite (Pointer_Rewrite_Profile) | |||
profileSIP (Pointer_SIP_Profile) | |||
profileStatistics (Pointer_Statistics_Profile) | |||
profileSubscriberManagement (Pointer_Enforcement_Subscriber_Management_Profile) | |||
profileTFTP (Pointer_TFTP_Profile) | |||
profileTrafficLog (Pointer_Traffic_Log_Profile) | |||
profileUDP (string) | “normal” | “normal”, - | UDP profile; name of built-in or else BIG-IP AS3 pointer |
rateLimit (integer) | 0 | [0, infinity] | Specifies the maximum number of connections per second allowed for a virtual server |
rejectVlans (array<reference>) | Names of existing VLANs to add to this virtual server to reject. | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
securityLogProfiles (array<Service_UDP_securityLogProfiles>) | Specifies the log profile applied to the virtual server | ||
serverTLS (string) | -, -, - | BIG-IP AS3 pointer to TLS Server declaration | |
serviceDownImmediateAction (string) | “none” | “none”, “drop”, “reset” | Specifies the immediate action the BIG-IP system should respond with upon the receipt of the initial client’s SYN packet if the availability status of the virtual server is Offline or Unavailable. This is supported for the virtual server of Standard type and TCP protocol. The default value is none. |
shareAddresses (boolean) | false | true, false | A user set boolean that indicates whether the virtualAddresses should be added to or checked for /Common instead of the tenant. This value defaults to false, and so will put the virtualAddresses into their tenant. |
snat (string | Service_UDP_snat) | “auto” | “none”, “self”, “auto”, - | Name of built-in SNAT method or BIG-IP AS3 pointer to SNAT pool. If ‘self’, the system uses the virtual-server address as SNAT address |
sourceAddress (string | Pointer_Address_List | reference) | Accepts either a string or a reference to an Address_List which contains source addresses from which this virtual will listen. A reference to an Address_List is only supported on BIG-IP 14.1 and later. If an Address_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. If you also include the virtualAddresses property, those addresses cannot include the accept-from-subnet field. | ||
translateClientPort (boolean | string) | false | true, false | If true, hide client’s port number from server. A value of true is the same as the string ‘change’ while a value of false is the same as the string ‘preserve’. The value ‘preserve-strict’ is the only other allowed value for a string |
translateServerAddress (boolean) | true | true, false | If true (default), make server-side connection to server address (otherwise, treat server as gateway to virtual-server address) |
translateServerPort (boolean) | true | true, false | If true (default), make server-side connection to server port (otherwise, connect to server on virtual-server port) |
virtualAddresses (array<string> | Pointer_Address_List | reference) | Accepts either an array or a reference to an Address_List which contains destination addresses to which this virtual will listen. To accept connections only from certain subnet(s), replace IP address in the provided array with array [IP-address, accept-from-subnet]. If you do this, you cannot also include the sourceAddress property. IP address in the provided array can also be replaced by a reference to a Service_Address. A reference to an Address_List is only supported on BIG-IP 14.1 and later. If an Address_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. | ||
virtualPort (integer | Pointer_Port_List | reference) | Accepts either an integer or a reference to a Firewall_Port_List that contains the ports on which to listen. Firewall_Port_List is only supported on BIG-IP 14.1 and later. If a Firewall_Port_List is provided, BIG-IP AS3 will create a traffic-matching-criteria for the virtual. | ||
virtualType (string) | “standard” | “standard”, “internal”, “stateless” | Type of the virtual |
Service_UDP_iRules
Service_UDP iRules possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP iRule | |
use (string) | BIG-IP AS3 pointer to iRule (declared separately) |
Service_UDP_lastHop
Service_UDP lastHop possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP pool | |
use (string) | BIG-IP AS3 pointer to last-hop pool declaration |
Service_UDP_policyNAT
Service_UDP policyNAT possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP NAT policy | |
use (string) | BIG-IP AS3 pointer to NAT policy declaration |
Service_UDP_pool
Service_UDP pool possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP pool | |
use (string) | BIG-IP AS3 pointer to pool if any (declared separately) |
Service_UDP_securityLogProfiles
Service_UDP securityLogProfiles possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP security log profile | |
use (string) | BIG-IP AS3 pointer to security log profile declaration |
Service_UDP_snat
Service_UDP snat possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP SNAT pool | |
use (string) | BIG-IP AS3 pointer to SNAT pool declaration |
SIP_Profile
Configures a profile you can use to manage Session Initiation Protocol (SIP) traffic.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “SIP_Profile” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
SNAT_Pool
SNAT pool
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “SNAT_Pool” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
snatAddresses (array<string>) | format: f5ip | List of SNAT addresses; may include both IPv4 and IPv6 |
SNAT_Translation
Configures explicit secure network address translation (SNAT) address
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | format: f5ip | The IP address of the SNAT translation | |
adminState (string) | “enable” | “enable”, “disable” | Specifies the state of the SNAT translation |
arpEnabled (boolean) | true | true, false | Specifies that the NAT sends ARP requests |
class (string) | “SNAT_Translation” | ||
ipIdleTimeout (integer | string) | “indefinite” | Specifies time in seconds that connections to an IP address initiated using a SNAT address are allowed to remain idle before being automatically disconnected. Specifying ‘indefinite’ prevents the connection from timing out. | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
maxConnections (integer) | 0 | [0, 4294967295] | Specifies a limit on the number of connections a translation address must reach before it no longer initiates a connection. A value of 0 indicates the setting is disabled. |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
tcpIdleTimeout (integer | string) | “indefinite” | Specifies time in seconds that TCP connections initiated using a SNAT address are allowed to remain idle before being automatically disconnected. Specifying ‘indefinite’ prevents the connection from timing out. | |
trafficGroup (string) | “default” | Specifies the traffic group which the SNAT_Translation belongs | |
udpIdleTimeout (integer | string) | “indefinite” | Specifies time in seconds that UDP connections initiated using a SNAT address are allowed to remain idle before being automatically disconnected. Specifying ‘indefinite’ prevents the connection from timing out. |
SOCKS_Profile
Configures a SOCKS (Socket Secure) profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “SOCKS_Profile” | ||
defaultConnectAction (string) | “deny” | “deny”, “allow” | Specifies the behavior of the proxy service for connect requests. If set to ‘deny’, connect requests will only be honored if there is another virtual server listening for the requested outbound connection. If set to ‘allow’, the outbound connection will be made regardless of other virtual servers. |
ipv6First (boolean) | false | true, false | Specifies the relative order of IPv4 and IPv6 DNS resolutions for URIs. If false (default), then the system performs IPv4 lookup before IPv6. |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
protocolVersions (array<string>) | socks4, socks4a, socks5 | “socks4”, “socks4a”, “socks5” | Specifies the SOCKS protocol versions that are supported |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
resolver (SOCKS_Profile_resolver) | BIG-IP AS3 pointer to DNS resolver used to resolve hostnames in connect requests | ||
routeDomain (integer | string) | 0 | The route domain that will be used for outbound connect requests | |
tunnelName (string) | “socks-tunnel” | Name of tunnel used for outbound connect requests |
SOCKS_Profile_resolver
SOCKS_Profile resolver possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP net DNS resolver |
SSH_Proxy_Profile
SSH Profile used for SSH security
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “SSH_Proxy_Profile” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
sshProfileAuthInfo (array<SSH_Proxy_Profile_Auth_Info_Collection>) | Specifies the authentication info of public and private keys for this profile | ||
sshProfileDefaultActions (SSH_Proxy_Profile_Default_Action_Collection) | {} | Specifies the default action values | |
sshProfileRuleSet (array<SSH_Proxy_Profile_Rule_Collection>) | The profile’s collection of rules, each rule holds a set of actions | ||
timeout (integer) | 0 | [-infinity, infinity] | User defined timeout value |
SSH_Proxy_Profile_Auth_Info_Collection
A collection of authentication info of public and private keys
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (string) | The name of this set of Authorized Info | ||
proxyClientAuth (SSH_Proxy_Profile_Proxy_Auth_Info) | |||
proxyServerAuth (SSH_Proxy_Profile_Proxy_Auth_Info) | |||
realServerAuth (SSH_Proxy_Profile_Real_Server_Auth_Info) |
SSH_Proxy_Profile_Default_Action
The action an SSH Profile will take. The default value is ‘allow’.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
control (string) | “allow” | “allow”, “disallow”, “terminate”, “unspecified” | Indicates the specific action to take |
log (boolean) | false | true, false | Indicates if a log will be created when the action is taken. The default value is false. |
SSH_Proxy_Profile_Default_Action_Collection
A collection of actions for the SSH Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
agentAction (SSH_Proxy_Profile_Default_Action) | {} | ||
localForwardAction (SSH_Proxy_Profile_Default_Action) | {} | ||
name (string) | The name of this set of actions | ||
otherAction (SSH_Proxy_Profile_Default_Action) | {} | ||
remoteForwardAction (SSH_Proxy_Profile_Default_Action) | {} | ||
rexecAction (SSH_Proxy_Profile_Default_Action) | {} | ||
scpDownAction (SSH_Proxy_Profile_Default_Action) | {} | ||
scpUpAction (SSH_Proxy_Profile_Default_Action) | {} | ||
sftpDownAction (SSH_Proxy_Profile_Default_Action) | {} | ||
sftpUpAction (SSH_Proxy_Profile_Default_Action) | {} | ||
shellAction (SSH_Proxy_Profile_Default_Action) | {} | ||
subSystemAction (SSH_Proxy_Profile_Default_Action) | {} | ||
x11ForwardAction (SSH_Proxy_Profile_Default_Action) | {} |
SSH_Proxy_Profile_Proxy_Auth_Info
The keys used to authenticate SSH connections between the BIG-IP and external sources
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
privateKey (SSH_Proxy_Profile_Proxy_Auth_Info_privateKey) | The private key of the authentication algorithm (rsa, dss, etc…) | ||
publicKey (string) | The public key of the authentication algorithm (rsa, dss, etc…) |
SSH_Proxy_Profile_Proxy_Auth_Info_privateKey
SSH_Proxy_Profile_Proxy_Auth_Info privateKey possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends you leave the ‘protected’ property empty or do not modify the default value. The ‘protected’ property is a marker: a value other than the default indicates that your secrets have been encrypted with SecureVault. For example, the default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (the encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’; use it with the secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
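The ‘protected’ marker described in the table above can be checked mechanically before a declaration is stored or shared. The following Python sketch is an added example, not F5 or BIG-IP AS3 code: it decodes each mini-JWE ‘protected’ header in a parsed declaration and reports which ‘ciphertext’ values are only base64url-encoded (enc=none) rather than SecureVault cryptograms (enc=f5sv). The tenant, application and object names, the key material, and the helper names are constructed for illustration.

```python
import base64
import json

# Values taken from the 'protected' row of the schema table.
DEFAULT_PROTECTED = "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"    # {"alg":"dir","enc":"none"}
SECUREVAULT_PROTECTED = "eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0"  # {"alg":"dir","enc":"f5sv"}


def b64url_encode(data):
    """Encode bytes as unpadded base64url (used here only to build sample data)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(value):
    """Decode unpadded base64url, the encoding used by the mini-JWE fields."""
    return base64.urlsafe_b64decode((value + "=" * (-len(value) % 4)).encode("ascii"))


def classify_protected(protected):
    """Return 'none', 'f5sv' or 'invalid' for a mini-JWE 'protected' value.

    A missing or empty value falls back to the schema default (enc=none).
    """
    if protected is not None and not isinstance(protected, str):
        return "invalid"
    try:
        header = json.loads(b64url_decode(protected or DEFAULT_PROTECTED))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return "invalid"
    if not isinstance(header, dict) or header.get("alg") != "dir":
        return "invalid"
    enc = header.get("enc", "none")
    return enc if enc in ("none", "f5sv") else "invalid"


def audit_secrets(node, path="declaration"):
    """Walk a parsed declaration and report every object carrying 'ciphertext'."""
    findings = []
    if isinstance(node, dict):
        if isinstance(node.get("ciphertext"), str):
            enc = classify_protected(node.get("protected"))
            findings.append({"path": path, "enc": enc, "encrypted": enc == "f5sv"})
        for key, child in node.items():
            findings.extend(audit_secrets(child, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            findings.extend(audit_secrets(child, f"{path}[{index}]"))
    return findings


def secrets_needing_review(declaration):
    """Paths whose secret is readable by anyone holding the declaration,
    or whose 'protected' header could not be interpreted."""
    return [f["path"] for f in audit_secrets(declaration) if not f["encrypted"]]


def _key(ciphertext_source, protected=None):
    """Build a constructed privateKey object for the sample declaration."""
    obj = {"ciphertext": b64url_encode(ciphertext_source)}
    if protected is not None:
        obj["protected"] = protected
    return obj


# Constructed sample declaration; none of the key material is real.
SAMPLE_DECLARATION = {
    "class": "ADC",
    "Example_Tenant": {
        "class": "Tenant",
        "Example_App": {
            "class": "Application",
            "sshProxy": {
                "class": "SSH_Proxy_Profile",
                "sshProfileAuthInfo": [
                    {"name": "authInfoPlain", "proxyServerAuth": {
                        "publicKey": "constructed-public-key",
                        "privateKey": _key(b"constructed-private-key", DEFAULT_PROTECTED)}},
                    {"name": "authInfoVault", "proxyServerAuth": {
                        "publicKey": "constructed-public-key",
                        "privateKey": _key(b"constructed-opaque-cryptogram", SECUREVAULT_PROTECTED)}},
                    {"name": "authInfoDefault", "proxyClientAuth": {
                        "publicKey": "constructed-public-key",
                        "privateKey": _key(b"constructed-private-key")}},
                    {"name": "authInfoBroken", "proxyClientAuth": {
                        "publicKey": "constructed-public-key",
                        "privateKey": _key(b"constructed-private-key", "AAAA")}},
                ],
            },
        },
    },
}

if __name__ == "__main__":
    for finding in audit_secrets(SAMPLE_DECLARATION):
        print(f"{finding['enc']:8} {finding['path']}")
```

An enc=none finding means the secret can be recovered by base64url-decoding ‘ciphertext’, so such declarations need the same handling as plaintext credentials.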
SSH_Proxy_Profile_Real_Server_Auth_Info
Public key that can be used to authenticate real host server to the proxy
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
publicKey (string) | The public key of the authentication algorithm (rsa, dss, etc…) |
SSH_Proxy_Profile_Rule_Action
The action an SSH Profile Rule will take. The default value is ‘unspecified’.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
control (string) | “unspecified” | “allow”, “disallow”, “terminate”, “unspecified” | Indicates the specific action to take |
log (boolean) | false | true, false | Indicates if a log will be created when the action is taken. The default value is false. |
SSH_Proxy_Profile_Rule_Action_Collection
A collection of actions for the SSH Profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
agentAction (SSH_Proxy_Profile_Rule_Action) | {} | ||
localForwardAction (SSH_Proxy_Profile_Rule_Action) | {} | ||
name (string) | The name of this set of actions | ||
otherAction (SSH_Proxy_Profile_Rule_Action) | {} | ||
remoteForwardAction (SSH_Proxy_Profile_Rule_Action) | {} | ||
rexecAction (SSH_Proxy_Profile_Rule_Action) | {} | ||
scpDownAction (SSH_Proxy_Profile_Rule_Action) | {} | ||
scpUpAction (SSH_Proxy_Profile_Rule_Action) | {} | ||
sftpDownAction (SSH_Proxy_Profile_Rule_Action) | {} | ||
sftpUpAction (SSH_Proxy_Profile_Rule_Action) | {} | ||
shellAction (SSH_Proxy_Profile_Rule_Action) | {} | ||
subSystemAction (SSH_Proxy_Profile_Rule_Action) | {} | ||
x11ForwardAction (SSH_Proxy_Profile_Rule_Action) | {} |
SSH_Proxy_Profile_Rule_Collection
User defined rule
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (string) | The name of this set of rules | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
sshProfileIdGroups (array<string>) | Specifies the rule groups identity | ||
sshProfileIdUsers (array<string>) | Specifies the rule users identity | ||
sshProfileRuleActions (SSH_Proxy_Profile_Rule_Action_Collection) | {} | The sets of actions in the rule |
Statistics_Profile
User-defined statistics fields. This object assigns field names for up to 32 fields. You can then use these field names from an iRule to record values.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
^field(3[0-2]|[1-2][0-9]|[1-9])$ (string) | This regular expression represents 32 field properties named ‘field1’ through ‘field32’. | ||
class (string) | “Statistics_Profile” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
Stream_Profile
Configures a Stream profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
chunkingEnabled (boolean) | false | true, false | Specifies that incoming data should be parsed in chunks |
chunkSize (integer) | 4096 | [1024, 65535] | The maximum size that a parsed chunk can be |
class (string) | “Stream_Profile” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
parentProfile (Pointer_Stream_Profile) | {“bigip”:”/Common/stream”} | Specifies the profile that this profile will inherit values from | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
source (string) | Specifies the string to rewrite | ||
target (string) | Specifies the new string that will replace the source string |
TCP_Profile
Configures a Transmission Control Protocol (TCP) profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
abc (boolean) | true | true, false | If true (default), BIG-IP AS3 adjusts the congestion window per rfc3465 |
ackOnPush (boolean) | true | true, false | If true (default), the system immediately acknowledges segments with the PSH flag set |
autoProxyBufferSize (boolean) | true | true, false | If true (default), BIG-IP AS3 adjusts the proxy buffer size automatically to optimize throughput |
autoReceiveWindowSize (boolean) | true | true, false | If true (default), BIG-IP AS3 adjusts the receive window size automatically to optimize throughput |
autoSendBufferSize (boolean) | true | true, false | If true (default), BIG-IP AS3 adjusts the send buffer size automatically to optimize throughput |
class (string) | “TCP_Profile” | ||
closeWaitTimeout (integer) | 5 | [-1, 3600] | Number of seconds (default 5) connection will remain in LAST-ACK state before exiting. Value -1 means indefinite, limited by maximum retransmission timeout |
congestionControl (string) | “woodside” | “bbr”, “cdg”, “chd”, “cubic”, “high-speed”, “illinois”, “new-reno”, “none”, “reno”, “scalable”, “vegas”, “westwood”, “woodside” | Selects TCP congestion-control algorithm (default ‘woodside’). The bbr option is available on BIG-IP 14.1 and above. |
congestionMetricsCache (boolean) | true | true, false | If true (default), the system may cache congestion metrics to inform the congestion control algorithm |
congestionMetricsCacheTimeout (integer) | 0 | [0, 1000] | Number of seconds for which entries in the congestion metrics cache are valid (default 0 means use system default) |
deferredAccept (boolean) | false | true, false | If true, ADC will defer allocating resources to a connection until some payload data has arrived from the client (default false). This may help minimize the impact of certain DoS attacks but adds undesirable latency under normal conditions. Note: ‘deferredAccept’ is incompatible with server-speaks-first application protocols |
delayedAcks (boolean) | true | true, false | If true (default), the system may coalesce multiple adjacent ACK responses |
delayWindowControl (boolean) | false | true, false | If true, BIG-IP AS3 uses queueing delay as well as packet loss to estimate congestion (default false) |
dsack (boolean) | false | true, false | If true, BIG-IP AS3 uses rfc2883 duplicate selective-acknowledgements extension (default false). Do not enable this option unless you are certain all peers support D-SACK |
earlyRetransmit (boolean) | true | true, false | If true (default), BIG-IP AS3 uses rfc5827 Early Retransmit recovery |
ecn (boolean) | true | true, false | If true (default), BIG-IP AS3 may send explicit congestion notification (ECN) flags (CWR, ECE) to peers |
enhancedLossRecovery (boolean) | true | true, false | If true (default), BIG-IP AS3 uses Selective ACK data to increase throughput |
fastOpen (boolean) | true | true, false | If true (default), the system can use the TCP Fast Open protocol extension to reduce latency by sending payload data with initial SYN |
fastOpenCookieExpiration (integer) | 21600 | [1, 1000000] | Sets maximum lifetime in seconds (default 21600 = six hours) of TCP Fast Open cookies |
finWait2Timeout (integer) | 300 | [-1, 3600] | Number of seconds (default 300) connection will remain in LAST-ACK state before closing. Value -1 means indefinite, limited by maximum retransmission timeout |
finWaitTimeout (integer) | 5 | [-1, 3600] | Number of seconds (default 5) connection will remain in FIN-WAIT-1 or closing state before exiting. Value -1 means indefinite, limited by maximum retransmission timeout |
idleTimeout (integer) | 300 | [-infinity, infinity] | Number of seconds (default 300; may not be 0) connection may remain idle before it becomes eligible for deletion. Value -1 (not recommended) means infinite |
initCwnd (integer) | 16 | [0, 64] | Sets the initial congestion-window size (default 16) in multiples of MSS (not in octets) |
initRwnd (integer) | 16 | [0, 64] | Sets the initial receive-window size (default 16) in multiples of MSS (not in octets) |
ipDfMode (string) | “pmtu” | “clear”, “pmtu”, “preserve”, “set” | Controls DF (Don’t Fragment) flag in outgoing packets. Value ‘pmtu’ (default) sets DF based on IP PMTU value. Value ‘preserve’ copies DF from received packets. Value ‘set’ forces DF true in all outgoing packets. Value ‘clear’ forces DF false in all outgoing packets |
ipTosToClient (integer | string) | 0 | Specifies the IP DSCP/TOS value in packets sent to clients (default 0). Numeric values in this property are decimal representations of eight-bit numbers, of which the leftmost six bits are the DSCP per rfc2474 (and the system uses the rightmost two bits for congestion signaling when ‘ecn’ is true). You may have to calculate the value of this property by multiplying a DSCP code, such as CS5+EF = 46, by four to obtain the proper ‘ipTosToClient’ value, such as 184. Value ‘pass-through’ sets DSCP from the initial server-side value. Value ‘mimic’ copies DSCP from the most-recently received server-side packet (allowing DSCP to vary during the life of a connection) | |
keepAliveInterval (integer) | 1800 | [1, 86400] | Number of seconds (default 1800) between keep-alive probes |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
limitedTransmit (boolean) | true | true, false | When true (default), the system can use rfc3042 limited transmit recovery scheme |
linkQosToClient (integer | string) | 0 | Specifies the Layer-2 QOS code in packets sent to clients (default 0). Ethernet-type networks recognize codes from 0 to 7. Value ‘pass-through’ sets QOS from the initial server-side value | |
maxRetrans (integer) | 8 | [0, 12] | Sets maximum number of times the system may retransmit a segment (default 8) |
maxSegmentSize (integer) | 0 | [-infinity, infinity] | Sets MSS advertised to peer. Value 0 (default) will set MSS automatically in proportion to interface MTU. Default 0 is usually the best choice |
md5Signature (boolean) | false | true, false | If true, the system signs TCP headers using MD5 per rfc2385 (default false) |
md5SignaturePassphrase (TCP_Profile_md5SignaturePassphrase) | Passphrase from which the system derives the key for MD5 signatures (MACs) when ‘md5Signature’ is true | ||
minimumRto (integer) | 1000 | [1, 5000] | Minimum retransmission timeout in milliseconds (default 1000) |
mptcp (string) | “disable” | “disable”, “enable”, “passthrough” | Value ‘disable’ (default) excludes use of Multipath TCP (MPTCP) through virtual server. Value ‘enable’ means virtual server will accept and participate in MPTCP connections. Value ‘passthrough’ means MPTCP packets may pass through virtual server |
mptcpCsum (boolean) | false | true, false | If true, the system calculates MPTCP checksums (default false) |
mptcpCsumVerify (boolean) | false | true, false | If true, the system verifies MPTCP checksums (default false) |
mptcpFallback (string) | “reset” | “accept”, “active-accept”, “reset”, “retransmit” | Selects action on fallback from MPTCP to ordinary TCP |
mptcpFastJoin (boolean) | false | true, false | If true, the system may send data with MP_JOIN SYN packet, reducing connection latency (default false) |
mptcpIdleTimeout (integer) | 300 | [1, 86400] | Number of seconds (default 300) connection may remain idle before it becomes eligible for deletion |
mptcpJoinMax (integer) | 5 | [1, 20] | Limit on number of subflows which the system may add to the MPTCP connection (default 5) |
mptcpMakeAfterBreak (boolean) | false | true, false | If true, the system can add additional subflows during the ‘mptcpTimeout’ period, even if the ADC is not currently handling an active connection (default false) |
mptcpNoJoinDssAck (boolean) | false | true, false | If true, no DSS option will be sent with MP_JOIN ACK packet (default false) |
mptcpRetransmitMin (integer) | 1000 | [1, 5000] | Minimum value in milliseconds (default 1000) of MPTCP retransmission timer |
mptcpRtoMax (integer) | 5 | [1, 20] | Maximum number of retransmission timeouts which may occur before the system declares a subflow dead |
mptcpSubflowMax (integer) | 6 | [1, 20] | Maximum number of subflows per connection (default 6) |
mptcpTimeout (integer) | 3600 | [60, 3600] | Number of seconds (default 3600) after which the system may expunge an MPTCP session with no active flow |
nagle (string) | “auto” | “disable”, “enable”, “auto” | Value ‘enable’ means to use Nagle’s algorithm to minimize the transmission of short TCP segments (note: Nagle’s algorithm yields undesirable results with many application protocols). Value ‘auto’ (default) means the ADC will choose automatically whether to enable Nagle’s algorithm. Value ‘disable’ averts application of Nagle’s algorithm |
pktLossIgnoreBurst (integer) | 0 | [0, 32] | Modulates use of congestion control when losing multiple packets. Value 0 (default) means to perform congestion control if any packet loss occurs. Higher values increase tolerance for lost packets before signaling congestion |
pktLossIgnoreRate (integer) | 0 | [0, 1000000] | Sets threshold of packet loss rate (lost-packets/million-packets) above which the system performs congestion control. Value 0 (default) means to perform congestion control if any packet loss occurs. Higher values increase tolerance for lost packets before signaling congestion |
proxyBufferHigh (integer) | 262144 | [64, 33554432] | The system closes the receive window when the number of octets in proxy buffer rises above this value |
proxyBufferLow (integer) | 196608 | [64, 33554432] | The system opens the receive window when the number of octets in proxy buffer falls below this value |
proxyMSS (boolean) | true | true, false | If true (default), the MSS value advertised on the server side will match that negotiated with the client, if permitted by MTU and other constraints |
proxyOptions (boolean) | false | true, false | If true, TCP options such as timestamp advertised on the server side will match those negotiated with client (default false) |
pushFlag (string) | “auto” | “auto”, “default”, “none”, “one” | Controls when ADC sets PSH flag in outbound TCP segments. Limiting the sending of segments with PSH improves performance. Value ‘auto’ (recommended) sets PSH according to a system algorithm optimal in most cases. Value ‘default’ (not recommended) sets the PUSH flag in every segment which happens to empty the send buffer. Value ‘none’ prevents use of the PSH flag, and ‘one’ means the system sets PSH only when FIN is, at the end of a connection |
ratePace (boolean) | true | true, false | If true (default), system will automatically pace rate of data transmission to optimize throughput |
ratePaceMaxRate (integer) | 0 | [0, 4294967295] | Limit maximum data-transmission rate in octets/second to this value when ‘ratePace’ is true. Default 0 means choose maximum rate automatically |
receiveWindowSize (integer) | 131072 | [64, 33554432] | Maximum size of receive window (octets, default 131072) |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
resetOnTimeout (boolean) | true | true, false | If true (default), connections which time out will be reset (that is, the system will send an RST packet to the peer) before the system expunges them. Value false is not recommended |
retransmitThreshold (integer) | 3 | [0, 12] | Specifies the number of duplicate ACKs to start fast recovery |
selectiveAcks (boolean) | true | true, false | If true (default), the system negotiates rfc2018 Selective Acknowledgements with peers |
selectiveNack (boolean) | false | true, false | If true, the system negotiates Selective Negative Acknowledgements with peers (default false) |
sendBufferSize (integer) | 262144 | [64, 33554432] | Maximum size of send buffer (octets, default 262144) |
slowStart (boolean) | true | true, false | If true (default), BIG-IP AS3 adjusts the initial window size per rfc3390. This generally makes connections start more quickly, NOT more slowly |
synCookieAllowlist (boolean) | true, false | If true, after a client responds successfully to a SYN cookie challenge, the system accepts additional connection requests from that client without challenge for 30 seconds. | |
synCookieEnable (boolean) | true | true, false | If true (default), the system may use SYN cookies to avert connection-table overflow (for example, from DoS attacks) |
synCookieWhitelist (boolean) | false | true, false | Deprecated. Replaced with functionally equivalent synCookieAllowlist. If true, after a client responds successfully to a SYN cookie challenge, the system accepts additional connection requests from that client without challenge for 30 seconds. |
synMaxRetrans (integer) | 3 | [0, 12] | Maximum number of times the system retransmits a SYN when it does not receive a SYN+ACK (default 3) |
synRtoBase (integer) | 3000 | [0, 5000] | Number of milliseconds (default 3000) to which the system initially sets the SYN retransmission timer. The system adjusts the timer after each retransmission to implement binary-exponential-backoff |
tailLossProbe (boolean) | true | true, false | If true (default), the system uses the Tail Loss Probe scheme to reduce retransmission timeouts |
tcpOptions (array<TCP_Profile_tcpOptions>) | Selects which TCP Option values the system captures for reference by iRules | ||
timestamps (boolean) | true | true, false | If true (default and recommended), BIG-IP AS3 enables rfc1323 timestamps |
timeWaitRecycle (boolean) | true | true, false | If true (default), the system reuses connection resources immediately when it receives a SYN during the TIME-WAIT period |
timeWaitTimeout (integer) | 2000 | [-1, 600000] | Number of milliseconds (default 2,000) connection will remain in TIME-WAIT state before closing. Value -1 means indefinite |
ttlIPv4 (integer) | 255 | [1, 255] | TTL the system sets in outgoing IPv4 packets |
ttlIPv6 (integer) | 64 | [1, 255] | TTL the system sets in outgoing IPv6 packets |
ttlMode (string) | “proxy” | “decrement”, “preserve”, “proxy”, “set” | Controls IP TTL in outgoing packets. Value ‘set’ forces TTL to value of property ‘ttlIPv4’ or ‘ttlIPv6’ as appropriate. Value ‘proxy’ (default) forces TTL to the default value for IPv4 or IPv6 as appropriate. Value ‘preserve’ copies TTL from received packet. Value ‘decrement’ sets TTL to one less than received packet’s TTL |
verifiedAccept (boolean) | false | true, false | If true, the system must establish a server-side connection before it accepts a corresponding client-side connection (default false). Value ‘true’ is incompatible with iRules |
zeroWindowTimeout (integer) | 20000 | [-1, 86400000] | Number of milliseconds (default 20,000) connection will persist with window-size of zero (effective timeout is value rounded up to the nearest multiple of 5000). Value -1 means indefinite |
TCP_Profile_md5SignaturePassphrase¶
TCP_Profile md5SignaturePassphrase possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowReuse (boolean) | false | true, false | If true, other declaration objects may reuse this value |
ciphertext (string) | Put base64url(data_value) here | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the ciphertext in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards |
miniJWE (boolean) | true | true, false | If true (default), object is an f5 mini-JWE |
protected (string) | “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” | NOTE: F5 recommends that you leave the ‘protected’ property empty or do not modify the default value. The ‘protected’ property is a marker: changing this value from the default indicates that your secrets have been encrypted with SecureVault. For example, the default value eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0 becomes eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0. If you see ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains a base64url-encoded SecureVault cryptogram. JOSE header: alg=dir, enc=(none|f5sv); default enc=none (the encoded default is ‘protected’=‘eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’; use it with the secret simply base64url-encoded into ‘ciphertext’). | |
reuseFrom (string) | BIG-IP AS3 pointer to another JWE cryptogram in this declaration to copy | ||
url (Secret_Resource_URL) | URL from which secret should be fetched |
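
The following Python sketch is an added example, not part of the F5 reference. It decodes the ‘protected’ JOSE header of every mini-JWE object in a declaration and reports secrets that are only base64url-encoded (enc=none), which anyone able to read the declaration can recover. The sample declaration, its object names and the passphrase are constructed for illustration.

```python
import base64
import json

# 'protected' values quoted in the table above.
PROTECTED_PLAIN = "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"        # enc=none (default)
PROTECTED_SECUREVAULT = "eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0"  # enc=f5sv


def b64url_decode(text):
    """Decode base64url, restoring the '=' padding that JOSE encoding strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data):
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_header(protected):
    """Return the JOSE header carried in a 'protected' value as a dict."""
    return json.loads(b64url_decode(protected))


def classify_secret(obj):
    """Return (enc, plaintext) for one mini-JWE object.

    plaintext is the recovered secret when enc=none, and None when the
    ciphertext is a SecureVault cryptogram (enc=f5sv).
    """
    # An empty or missing 'protected' means the default header (enc=none).
    header = decode_header(obj.get("protected") or PROTECTED_PLAIN)
    if header.get("alg") != "dir":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    enc = header.get("enc", "none")
    if enc == "none":
        return enc, b64url_decode(obj["ciphertext"]).decode("utf-8")
    if enc == "f5sv":
        return enc, None
    raise ValueError(f"unexpected enc: {enc!r}")


def find_secrets(node, path=""):
    """Yield (path, enc, plaintext) for every mini-JWE object in a declaration."""
    if isinstance(node, dict):
        # miniJWE defaults to true, so objects that omit it are still mini-JWEs.
        if "ciphertext" in node and node.get("miniJWE", True):
            enc, plaintext = classify_secret(node)
            yield path, enc, plaintext
        for key, value in node.items():
            yield from find_secrets(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_secrets(value, f"{path}/{index}")


# Constructed declaration fragment: tenant, application, profile names and
# both secret values are made up for this example.
SAMPLE_DECLARATION = {
    "class": "ADC",
    "Tenant1": {
        "class": "Tenant",
        "App1": {
            "class": "Application",
            "tcpPlain": {
                "class": "TCP_Profile",
                "md5Signature": True,
                "md5SignaturePassphrase": {
                    # No 'protected': default header, secret is only encoded.
                    "ciphertext": b64url_encode(b"constructed-passphrase"),
                },
            },
            "tcpVault": {
                "class": "TCP_Profile",
                "md5Signature": True,
                "md5SignaturePassphrase": {
                    "protected": PROTECTED_SECUREVAULT,
                    "ciphertext": "PLACEHOLDER_SECUREVAULT_CRYPTOGRAM",
                },
            },
        },
    },
}

if __name__ == "__main__":
    for path, enc, plaintext in find_secrets(SAMPLE_DECLARATION):
        state = "recoverable from the declaration" if enc == "none" else "SecureVault cryptogram"
        print(f"{path}: enc={enc} ({state})")
```

Declarations whose secrets report enc=none deserve the same handling as any file containing cleartext credentials: restricted storage, no commits to shared repositories, and rotation if exposed.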
TCP_Profile_tcpOptions¶
TCP_Profile tcpOptions possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
option (integer) | [0, 255] | Specifies the TCP option to capture | |
when (string) | “first”, “last” | Specifies when to capture the TCP option |
Tenant¶
Declares a Tenant
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Tenant” | ||
constants (Constants) | |||
controls (Controls) | |||
defaultRouteDomain (integer) | 0 | [0, 65535] | Using the route-domain ID, this property selects the default route domain for IP traffic to and from this Tenant’s application resources (note: affects declared IP addresses which do not include a %RD route-domain specifier). You must choose an existing route domain–this option cannot create one. Route domain 0 (default) is always available |
enable (boolean) | true | true, false | Tenant handles traffic only when enabled (default) |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
optimisticLockKey (string) | “” | Note: The optimisticLockKey does NOT work when using per-app. When you deploy a declaration with a non-empty ‘key’ value here, that activates an optimistic lock on changes to this Tenant. If the key in your declaration does not match the key BIG-IP AS3 computes for the most-recent previous declaration, then BIG-IP AS3 will NOT update this Tenant and will return an error code. To use optimistic locking, first retrieve a declaration using option ‘showHash=true’ to get the current per-Tenant keys. Make any changes you desire, then deploy your updated declaration. Deployment of each Tenant with a key will succeed only if that Tenant has not been modified since the time you retrieved the declaration. (To overwrite all previous changes to a Tenant simply do NOT include any optimistic-lock key for that Tenant when you deploy a declaration. That is the default.) Note that only keys computed by BIG-IP AS3 may be used here; you cannot generate your own. If ‘showHash=true’ is used on a POST, the optimisticLockKey is shown as part of the output (this helps to avoid the need to do a GET request). | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
Shared (Application_Shared) | |||
useCommonRouteDomainTenant (boolean) | true | true, false | Used to ascertain whether a Route Domain has been created within a custom partition/Tenant or within the /Common partition. |
verifiers (Tenant_verifiers) | Data (in ‘key’:’value’ properties) used to verify automated tests. Ordinary declarations do not need this |
TFTP_Profile¶
Trivial File Transfer Protocol (TFTP) profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
algLogProfile (reference | Pointer_ALG_Log_Profile) | ALG log profile pointer | ||
class (string) | “TFTP_Profile” | ||
idleTimeout (integer | integer | string) | 30 | [0, 4294967295], “indefinite” | Specifies an idle timeout in seconds. This setting specifies the number of seconds that a connection is idle before the connection is eligible for deletion. |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
logPublisher (reference | Pointer_Log_Publisher) | Log publisher pointer | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
TLS_Client¶
TLS client parameters (connections leaving ADC)
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
alertTimeout (integer | string) | “indefinite” | Specifies the duration of time, in seconds, for the system to try to close an SSL connection before resetting the connection. The default is ‘indefinite’. You can also specify ‘immediate’, or an integer. | |
allowExpiredCRL (boolean) | false | true, false | Specifies if the CRL can be used even if it has expired |
authenticationDepth (integer) | 9 | [1, 15] | Sets the client certificate chain maximum traversal depth. This must be 0 (infinite) or between 1 and 15 inclusive. The default value is 9 |
authenticationFrequency (string) | “one-time” | “one-time”, “every-time” | Client certificate authentication frequency |
c3dCertificateAuthority (string) | Pointer to a Certificate class which specifies the Certificate Authority values for C3D | ||
c3dCertificateExtensions (array<string>) | basic-constraints, extended-key-usage, key-usage, subject-alternative-name | “basic-constraints”, “extended-key-usage”, “key-usage”, “subject-alternative-name” | Specifies the custom extension OID of the client certificates to be included in the generated certificates using SSL C3D |
c3dCertificateLifespan (integer) | 24 | [0, 8760] | Specifies the lifespan of the certificate generated using the SSL client certificate constrained delegation |
c3dEnabled (boolean) | false | true, false | Enables or disables SSL Client certificate constrained delegation (C3D). Using C3D eliminates the need for requiring users to provide credentials twice for certain authentication actions |
cacheTimeout (integer) | 3600 | [0, 86400] | Sets the cache timeout (in seconds) |
cipherGroup (Pointer_Cipher_Group) | Pointer to a cipherGroup. cipherGroup and ciphers are mutually exclusive, only use one. | ||
ciphers (string) | Ciphersuite selection string. ciphers and cipherGroup are mutually exclusive, only use one. | ||
class (string) | “TLS_Client” | ||
clientCertificate (string) | BIG-IP AS3 pointer to client Certificate declaration (optional) | ||
crlFile (Pointer_SSL_CRL_File) | Specifies the name of a file containing a list of revoked client certificates | ||
dataZeroRoundTripTime (boolean) | false | true, false | Specifies if TLSv1.3 should send 0-RTT early data when available. |
dtls1_2Enabled (boolean) | true | true, false | Allows the DTLS 1.2 protocol. |
dtlsEnabled (boolean) | true | true, false | Allows the DTLS protocol. |
forwardProxyBypassEnabled (boolean) | false | true, false | Enables or disables (default) SSL forward proxy bypass |
forwardProxyEnabled (boolean) | false | true, false | Enables or disables (default) SSL forward proxy |
handshakeTimeout (integer | string) | 10 | Specifies the handshake timeout in seconds. | |
ignoreExpired (boolean) | false | true, false | If false (default) drop connections with expired server certificates |
ignoreUntrusted (boolean) | false | true, false | If false (default) drop connections with untrusted server certificates |
insertEmptyFragmentsEnabled (boolean) | false | true, false | Enables a countermeasure against an SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. These ciphers cannot be handled by certain broken SSL implementations. |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
ldapStartTLS (string) | “none”, “allow”, “require” | Creates a client LDAP profile with the specified activation mode STARTTLS. | |
proxySslEnabled (boolean) | false | true, false | When enabled, further modification of application traffic within an SSL tunnel is allowed while still allowing the server to perform necessary authorization, authentication, and auditing steps. Requires a corresponding TLS_Server with this enabled to perform transparent SSL decryption. |
proxySslPassthroughEnabled (boolean) | false | true, false | When enabled, allows Proxy SSL to pass the traffic through when the ciphersuite negotiated between the client and server is not supported. Requires a corresponding TLS_Server with this enabled to perform transparent SSL decryption. |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
renegotiatePeriod (integer | string) | “indefinite” | Specifies the number of seconds from the initial connect time after which the system renegotiates an SSL session. The default value is indefinite, which means that you do not want the system to renegotiate SSL sessions. | |
renegotiateSize (integer | string) | “indefinite” | Specifies a throughput size, in megabytes, of SSL renegotiation. This option forces the traffic management system to renegotiate an SSL session based on the size, in megabytes, of application data that is transmitted over the secure channel. The default value is indefinite, which specifies that you do not want a throughput size. | |
renegotiationEnabled (boolean) | true | true, false | Controls on a per-connection basis how the system responds to mid-stream SSL reconnection requests. |
requireSNI (boolean) | false | true, false | When a client sends no or unknown SNI and Require SNI is false (default), the system uses the primary certificate, otherwise the system rejects the client |
retainCertificateEnabled (boolean) | true | true, false | When enabled, server certificate is retained in SSL session. |
secureRenegotiation (string) | “require-strict” | “request”, “require”, “require-strict” | Specifies the secure renegotiation mode. When set to require, any connection to an unpatched server will be aborted. For TLS_Client, require and require-strict are the same. When set to request, connections to unpatched servers will be permitted. Setting to request is not recommended as it is subject to active man-in-the-middle attacks. |
sendSNI (string) | “none” | format: hostname | FQDN to send in SNI (optional) |
serverName (string) | “none” | format: hostname | FQDN which server certificate must match (optional) |
sessionTickets (boolean) | false | true, false | If false (default) do not use rfc5077 session tickets |
singleUseDhEnabled (boolean) | false | true, false | Creates a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using strong primes (for example, when using DSA-parameters). If strong primes were used, it is not strictly necessary to generate a new DH key during each handshake, but F5 Networks recommends it. Enable the Single DH Use option whenever temporary or ephemeral DH parameters are used. |
sniDefault (boolean) | false | true, false | When true, this profile is the default SSL profile when a client connection does not specify a known server name, or does not specify any server name at all. When you have two or more TLS_Server certificates but no sniDefault is set, the first certificate is set as sniDefault by default. Otherwise, you can manually set any one of these certificates as the default by setting sniDefault = true. The default value is false |
ssl3Enabled (boolean) | true | true, false | Allow SSL v3 protocol |
sslEnabled (boolean) | true | true, false | Allow SSL protocol |
sslSignHash (string) | “any” | “any”, “sha1”, “sha256”, “sha384” | Specifies SSL sign hash algorithm which is used to sign and verify SSL Server Key Exchange and Certificate Verify messages for the specified SSL profiles. |
tls1_0Enabled (boolean) | true | true, false | Allow TLS 1.0 Ciphers. |
tls1_1Enabled (boolean) | true | true, false | Allow TLS 1.1 Ciphers. |
tls1_2Enabled (boolean) | true | true, false | Allow TLS 1.2 Ciphers. |
tls1_3Enabled (boolean) | false | true, false | Allow TLS 1.3 Ciphers. Note: tls1_3Enabled is only supported in tmos version 14.0+. |
trustCA (string) | “generic”, “none”, - | CA’s trusted to validate server certificate; ‘generic’ (default) or else BIG-IP AS3 pointer to declaration of CA Bundle | |
uncleanShutdownEnabled (boolean) | true | true, false | When enabled, the profile performs unclean shutdowns of all SSL connections, which means the underlying TCP connections are closed without exchanging the required SSL shutdown alerts. |
validateCertificate (boolean) | false | true, false | If false (default) accept any cert from server, else validate server cert against trusted CA bundle |
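
As an added example (not part of the F5 reference), the Python sketch below applies the defaults from the TLS_Client table to each TLS_Client object in a declaration and lists the effective settings a reviewer would want justified, noting whether each one was declared or inherited from a default. The sample declaration and its object names are constructed, and the choice of which properties to flag is this example's own.

```python
# Defaults copied from the TLS_Client table above; a property omitted from
# a declaration takes the value listed here.
TLS_CLIENT_DEFAULTS = {
    "validateCertificate": False,
    "ignoreExpired": False,
    "ignoreUntrusted": False,
    "allowExpiredCRL": False,
    "serverName": "none",
    "secureRenegotiation": "require-strict",
    "ssl3Enabled": True,
    "tls1_0Enabled": True,
    "tls1_1Enabled": True,
}

# (property, predicate on the effective value, reason). The selection of
# checks is an assumption of this example, not an F5 recommendation list.
CHECKS = [
    ("validateCertificate", lambda v: v is False, "any server certificate is accepted"),
    ("ignoreExpired", lambda v: v is True, "expired server certificates are accepted"),
    ("ignoreUntrusted", lambda v: v is True, "untrusted server certificates are accepted"),
    ("allowExpiredCRL", lambda v: v is True, "an expired CRL is still used"),
    ("secureRenegotiation", lambda v: v == "request",
     "connections to unpatched servers are permitted"),
    ("ssl3Enabled", lambda v: v is True, "SSL v3 is allowed"),
    ("tls1_0Enabled", lambda v: v is True, "TLS 1.0 is allowed"),
    ("tls1_1Enabled", lambda v: v is True, "TLS 1.1 is allowed"),
]


def audit_tls_client(props):
    """Return [(property, 'declared' | 'default', reason)] for one TLS_Client."""
    effective = {**TLS_CLIENT_DEFAULTS, **props}
    findings = []
    for name, is_weak, reason in CHECKS:
        if is_weak(effective[name]):
            source = "declared" if name in props else "default"
            findings.append((name, source, reason))
    # Validation without serverName leaves no FQDN for the certificate to match.
    if effective["validateCertificate"] and effective["serverName"] == "none":
        source = "declared" if "serverName" in props else "default"
        findings.append(("serverName", source,
                         "no FQDN is set for the server certificate to match"))
    return findings


def audit_declaration(node, path=""):
    """Map the path of every TLS_Client object in a declaration to its findings."""
    results = {}
    if isinstance(node, dict):
        if node.get("class") == "TLS_Client":
            results[path] = audit_tls_client(node)
        for key, value in node.items():
            results.update(audit_declaration(value, f"{path}/{key}"))
    return results


# Constructed declaration fragment: all names and the hostname are made up.
SAMPLE_DECLARATION = {
    "class": "ADC",
    "Tenant1": {
        "class": "Tenant",
        "App1": {
            "class": "Application",
            # Relies entirely on the table defaults.
            "legacyClient": {"class": "TLS_Client"},
            # Overrides every default that the checks above flag.
            "hardenedClient": {
                "class": "TLS_Client",
                "validateCertificate": True,
                "trustCA": "generic",
                "serverName": "backend.example.com",
                "ssl3Enabled": False,
                "tls1_0Enabled": False,
                "tls1_1Enabled": False,
            },
        },
    },
}

if __name__ == "__main__":
    for path, findings in audit_declaration(SAMPLE_DECLARATION).items():
        print(path, "OK" if not findings else "")
        for name, source, reason in findings:
            print(f"  {name} ({source}): {reason}")
```

A TLS_Client declared with only its class inherits validateCertificate=false and the legacy protocol switches set to true, so the absence of a property is itself worth reviewing.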
TLS_Server¶
TLS server parameters (connections arriving to ADC)
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
alertTimeout (integer | string) | “indefinite” | Specifies the duration of time, in seconds, for the system to try to close an SSL connection before resetting the connection. The default is ‘indefinite’. You can also specify ‘immediate’, or an integer. | |
allowDynamicRecordSizing (boolean) | false | true, false | Enables or disables dynamic application record sizing. |
allowExpiredCRL (boolean) | false | true, false | Specifies if the CRL can be used even if it has expired |
authenticationDepth (integer) | 9 | [1, 15] | Sets the server certificate chain maximum traversal depth. This must be 0 (infinite) or between 1 and 15 inclusive. The default value is 9 |
authenticationFrequency (string) | “one-time” | “one-time”, “every-time” | Server certificate authentication frequency |
authenticationInviteCA (string | TLS_Server_authenticationInviteCA) | -, - | BIG-IP AS3 pointer to declaration of CA Bundle used to invite client certificates | |
authenticationMode (string) | “ignore” | “ignore”, “request”, “require” | Client certificate authentication mode |
authenticationTrustCA (string | TLS_Server_authenticationTrustCA) | -, - | BIG-IP AS3 pointer to declaration of CA Bundle used to validate client certificates | |
c3dEnabled (boolean) | false | true, false | Enables or disables SSL Client Certificate Constrained Delegation (C3D). The default is false |
c3dOCSP (Pointer_Certificate_Validator_OCSP) | Specifies SSL Client Certificate Constrained Delegation (C3D) OCSP object that the BIG-IP SSL should use to connect to the OCSP responder and check the client certificate status | ||
c3dOCSPUnknownStatusAction (string) | “drop” | “drop”, “ignore” | Specifies the BIG-IP action when the OCSP returns unknown status. The default is drop |
cacheCertificateEnabled (boolean) | false | true, false | Enables or disables (default) caching certificates by IP address and port number |
cacheTimeout (integer) | 3600 | [0, 86400] | Sets the cache timeout (in seconds) |
certificateExtensions (array<string>) | “authority-key-identifier”, “basic-constraints”, “certificate-policies”, “crl-distribution-points”, “extended-key-usage”, “fresh-crl”, “issuer-alternative-name”, “key-usage”, “subject-alternative-name”, “subject-directory-attribute”, “subject-key-identifier” | Specifies the extensions of the web server certificates to be included in the generated certificates using SSL Forward Proxy. | |
certificates (array<TLS_Server_certificates>) | Primary and (optional) additional certificates (order is significant, element 0 is primary cert) | ||
cipherGroup (Pointer_Cipher_Group) | Pointer to a cipherGroup. cipherGroup and ciphers are mutually exclusive, only use one. | ||
ciphers (string) | Ciphersuite selection string. ciphers and cipherGroup are mutually exclusive, only use one. | ||
class (string) | “TLS_Server” | ||
crlFile (Pointer_SSL_CRL_File) | Specifies the name of a file containing a list of revoked client certificates | ||
dataZeroRoundTripTime (string) | “disabled” | “disabled”, “enabled-with-anti-replay”, “enabled-no-anti-replay” | Specifies if TLSv1.3 should accept 0-RTT with early data, with or without anti-replay. To protect against packet replay, F5 recommends that you enable anti-replay. The default value is disabled, which means TLSv1.3 will discard any early data. |
dtls1_2Enabled (boolean) | true | true, false | Allows the DTLS 1.2 protocol. |
dtlsEnabled (boolean) | true | true, false | Allows the DTLS protocol. |
forwardProxyBypassAllowlist (Pointer_Data_Group) | Specifies the data group name of hostname allowlist when both SSL forwardProxyEnabled & forwardProxyBypassEnabled features are set to true. | ||
forwardProxyBypassEnabled (boolean) | false | true, false | Enables or disables (default) SSL forward proxy bypass |
forwardProxyEnabled (boolean) | false | true, false | Enables or disables (default) SSL forward proxy |
handshakeTimeout (integer | string) | 10 | Specifies the handshake timeout in seconds. | |
insertEmptyFragmentsEnabled (boolean) | false | true, false | Enables a countermeasure against an SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. These ciphers cannot be handled by certain broken SSL implementations. |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
ldapStartTLS (string) | “none”, “allow”, “require” | Creates a client LDAP profile with the specified activation mode STARTTLS. | |
namingScheme (string) | “numbered” | “numbered”, “certificate” | Scheme to use when naming generated tmsh configuration |
nonSslConnectionsEnabled (boolean) | false | true, false | Specifies if non-SSL connections are allowed. |
notifyCertStatusToVirtualServer (boolean) | false | true, false | Specifies whether to enable certificate status to virtual server. |
proxySslEnabled (boolean) | false | true, false | When enabled, further modification of application traffic within an SSL tunnel is allowed while still allowing the server to perform necessary authorization, authentication, and auditing steps. Requires a corresponding TLS_Client with this enabled to perform transparent SSL decryption. |
proxySslPassthroughEnabled (boolean) | false | true, false | When enabled, allows Proxy SSL to pass the traffic through when the ciphersuite negotiated between the client and server is not supported. Requires a corresponding TLS_Client with this enabled to perform transparent SSL decryption. |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
renegotiateMaxRecordDelay (integer | string) | “indefinite” | Specifies the maximum number of SSL records that the traffic management system can receive before it renegotiates an SSL session. After the system receives this number of SSL records, it closes the connection. This setting applies to client profiles only. | |
renegotiatePeriod (integer | string) | “indefinite” | Specifies the number of seconds required to renegotiate an SSL session. | |
renegotiateSize (integer | string) | “indefinite” | Specifies the size of the application data, in megabytes, that is transmitted over the secure channel. If the size of the data is higher than this value, the traffic management system must renegotiate the SSL session. | |
renegotiationEnabled (boolean) | true | true, false | Controls on a per-connection basis how the system responds to mid-stream SSL reconnection requests. |
requireSNI (boolean) | false | true, false | When a client sends no SNI or an unknown SNI and Require SNI is false (default), the system uses the primary certificate; otherwise the system rejects the client |
retainCertificateEnabled (boolean) | true | true, false | When enabled, server certificate is retained in SSL session. |
secureRenegotiation (string) | “require” | “request”, “require”, “require-strict” | Specifies the secure renegotiation mode. When set to require, any client attempting to renegotiate that does not support secure renegotiation will have its connection aborted. When set to require-strict, any client attempting to connect that does not support secure renegotiation will have its initial handshake denied. When set to request, unpatched clients will be permitted to renegotiate. Setting to request is not recommended as it is subject to active man-in-the-middle attacks. |
singleUseDhEnabled (boolean) | false | true, false | Creates a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks when the DH parameters were not generated using strong primes (for example, when using DSA parameters). If strong primes were used, it is not strictly necessary to generate a new DH key during each handshake, but F5 Networks recommends it. Enable the Single DH Use option whenever temporary or ephemeral DH parameters are used. |
smtpsStartTLS (string) | “none”, “allow”, “require” | Creates an SMTPS profile with the specified STARTTLS activation mode. Because the HTTP profile is not compatible with SMTPS, use with Service_TCP instead of Service_HTTPS. Also incompatible with ldapStartTLS. Use only one of the two. | |
ssl3Enabled (boolean) | true | true, false | Allow SSL v3 protocol |
sslEnabled (boolean) | true | true, false | Allow SSL protocol |
sslSignHash (string) | “any” | “any”, “sha1”, “sha256”, “sha384” | Specifies SSL sign hash algorithm which is used to sign and verify SSL Server Key Exchange and Certificate Verify messages for the specified SSL profiles. |
staplerOCSPEnabled (boolean) | false | true, false | Specifies whether to enable OCSP stapling |
tls1_0Enabled (boolean) | true | true, false | Allow TLS 1.0 Protocol. |
tls1_1Enabled (boolean) | true | true, false | Allow TLS 1.1 Protocol. |
tls1_2Enabled (boolean) | true | true, false | Allow TLS 1.2 Protocol. |
tls1_3Enabled (boolean) | false | true, false | Allow TLS 1.3 Protocol. Note: tls1_3Enabled is only supported in tmos version 14.0+. |
uncleanShutdownEnabled (boolean) | true | true, false | When enabled, the profile performs unclean shutdowns of all SSL connections, which means the underlying TCP connections are closed without exchanging the required SSL shutdown alerts. |
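
An added example (not F5's code) of auditing a declaration against the protocol and renegotiation properties in the table above: it applies the documented defaults to each object of class TLS_Server and reports settings worth reviewing, noting whether each comes from an explicit value or from an omitted property. The class name TLS_Server, the sample declaration, and the choice to flag SSL v3, TLS 1.0 and TLS 1.1 are assumptions of this example.

```python
import json

# Defaults as listed in the table above. The class name "TLS_Server" is an
# assumption: the table's heading lies outside this part of the page.
DEFAULTS = {"ssl3Enabled": True, "tls1_0Enabled": True, "tls1_1Enabled": True,
            "secureRenegotiation": "require", "singleUseDhEnabled": False,
            "nonSslConnectionsEnabled": False}

# (property, value to flag, reason). Flagging SSL v3 / TLS 1.0 / TLS 1.1 is
# this example's policy; the other reasons paraphrase the descriptions above.
WEAK = [
    ("ssl3Enabled", True, "SSL v3 is allowed"),
    ("tls1_0Enabled", True, "TLS 1.0 is allowed"),
    ("tls1_1Enabled", True, "TLS 1.1 is allowed"),
    ("secureRenegotiation", "request", "unpatched clients may renegotiate"),
    ("singleUseDhEnabled", False, "no new DH key per handshake"),
    ("nonSslConnectionsEnabled", True, "non-SSL connections are allowed"),
]

def audit(node, path=""):
    """Return (path, property, 'explicit'|'default', reason) per weak setting."""
    findings = []
    if not isinstance(node, dict):
        return findings
    if node.get("class") == "TLS_Server":
        effective = {**DEFAULTS, **node}  # omitted properties use the defaults
        for prop, weak, why in WEAK:
            if effective[prop] == weak:
                origin = "explicit" if prop in node else "default"
                findings.append((path, prop, origin, why))
    for key, child in node.items():
        findings += audit(child, f"{path}/{key}")
    return findings

# Constructed sample declaration; all object names are made up.
SAMPLE = json.loads("""
{"class": "ADC", "Tenant1": {"class": "Tenant", "App1": {"class": "Application",
  "legacy_tls": {"class": "TLS_Server", "secureRenegotiation": "request"},
  "hardened_tls": {"class": "TLS_Server", "ssl3Enabled": false,
    "tls1_0Enabled": false, "tls1_1Enabled": false, "tls1_3Enabled": true,
    "singleUseDhEnabled": true, "secureRenegotiation": "require-strict"}}}}
""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```

Four of the five findings for `legacy_tls` are reported as `default`: they come from properties the declaration never mentions, which is why the audit merges the schema defaults before checking.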
TLS_Server_authenticationInviteCA
TLS_Server authenticationInviteCA possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP CA bundle |
TLS_Server_authenticationTrustCA
TLS_Server authenticationTrustCA possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigip (string) | format: f5bigip | Pathname of existing BIG-IP CA bundle |
TLS_Server_certificates
TLS_Server certificates possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
certificate (string) | BIG-IP AS3 pointer to Certificate declaration | ||
enabled (boolean) | true | true, false | Enables SSL processing |
matchToSNI (string) | If value is FQDN (wildcard okay), ignore all names in certificate and select this cert when SNI matches value (or by default) | ||
proxyCertificate (string) | BIG-IP AS3 pointer to Certificate declaration for SSL forward proxy | ||
sniDefault (boolean) | false | true, false | When true, this profile is the default SSL profile when a client connection does not specify a known server name, or does not specify any server name at all. The default value is false |
Traffic_Log_Profile
A traffic log profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Traffic_Log_Profile” | ||
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
parentProfile (Pointer_Traffic_Log_Profile) | {"bigip":"/Common/request-log"} | Specifies the name of the object to inherit the settings from | |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
requestSettings (Traffic_Log_Profile_Request_Settings) | {} | The request settings for the profile | |
responseSettings (Traffic_Log_Profile_Response_Settings) | {} | The response settings for the profile |
Traffic_Log_Profile_Request_Settings
A traffic log profile's request settings
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
proxyCloseOnErrorEnabled (boolean) | false | true, false | Specifies, if enabled, that the logging profile will close the connection after sending its proxy-response |
proxyRespondOnLoggingErrorEnabled (boolean) | false | true, false | Specifies that the logging profile respond directly if the logging fails |
proxyResponse (string) | Specifies the response to send on logging errors | ||
requestEnabled (boolean) | false | true, false | Enables or disables logging before the response is returned to the client |
requestErrorLoggingEnabled (boolean) | false | true, false | Enable secondary logging if insufficient bandwidth for primary. Best used to send an alert to a separate destination |
requestErrorPool (Pointer_Pool) | Specifies the name of the pool from which to select log servers | ||
requestErrorProtocol (string) | “mds-udp” | “mds-tcp”, “mds-udp” | Specifies the HighSpeedLogging protocol to use when logging |
requestErrorTemplate (string) | Template to use when generating log messages | ||
requestPool (Pointer_Pool) | Specifies the name of the pool from which to select log servers | ||
requestProtocol (string) | “mds-udp” | “mds-tcp”, “mds-udp” | Specifies the HighSpeedLogging protocol to use when logging |
requestTemplate (string) | Template to use when generating log messages |
Traffic_Log_Profile_Response_Settings
A traffic log profile's response settings
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
byDefaultEnabled (boolean) | true | true, false | Default response action and if response logging can be overridden by iRule |
responseEnabled (boolean) | false | true, false | Enables or disables logging before the response is returned to the client |
responseErrorLoggingEnabled (boolean) | false | true, false | Enable secondary logging if insufficient bandwidth for primary. Best used to send an alert to a separate destination |
responseErrorPool (Pointer_Pool) | Specifies the name of the pool from which to select log servers | ||
responseErrorProtocol (string) | “mds-udp” | “mds-tcp”, “mds-udp” | Specifies the HighSpeedLogging protocol to use when logging |
responseErrorTemplate (string) | Template to use when generating log messages | ||
responsePool (Pointer_Pool) | Specifies the name of the pool from which to select log servers | ||
responseProtocol (string) | “mds-udp” | “mds-tcp”, “mds-udp” | Specifies the HighSpeedLogging protocol to use when logging |
responseTemplate (string) | Template to use when generating log messages |
UDP_Profile
Configures a User Datagram Protocol (UDP) profile
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowNoPayload (boolean) | false | true, false | When true, forward UDP datagrams with empty payloads (default false) |
bufferMaxBytes (integer) | 655350 | [65535, 16777215] | Limit to number of octets which the system may buffer for a UDP flow (default 655350) |
bufferMaxPackets (integer) | 0 | [0, 255] | Limit to number of packets which the system may buffer for a UDP flow (default 0) |
class (string) | “UDP_Profile” | ||
datagramLoadBalancing (boolean) | false | true, false | When true, process UDP datagrams independently, without recognizing flows (default false) |
idleTimeout (integer) | 60 | [-1, 86400] | Number of seconds (default 60) flow may remain idle before it becomes eligible for deletion. Value 0 allows system to recover per-flow resources whenever convenient (always safe with UDP). Value -1 means indefinite (not recommended) |
ipDfMode (string) | “pmtu” | “clear”, “pmtu”, “preserve”, “set” | Controls DF (Don’t Fragment) flag in outgoing datagrams. Value ‘pmtu’ (default) sets DF based on IP PMTU value. Value ‘preserve’ copies DF from received datagram. Value ‘set’ forces DF true in all outgoing datagrams. Value ‘clear’ forces DF false in all outgoing datagrams |
ipTosToClient (integer | string) | 0 | Specifies the IP TOS/DSCP value in packets sent to clients (default 0). Numeric values in this property are decimal representations of eight-bit numbers, of which the leftmost six bits are the DSCP code per rfc2474 (and the rightmost two bits reserved). You may have to calculate the value of this property by multiplying a DSCP code, such as CS5+EF = 46, by four, to obtain the ‘ipTosToClient’ value, such as 184. Value ‘pass-through’ sets DSCP from the initial server-side value. Value ‘mimic’ copies DSCP from the most-recently received server-side packet (allowing DSCP to vary during the life of a connection) | |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
linkQosToClient (integer | string) | 0 | Specifies the Layer-2 QOS value in packets sent to clients (default 0). Ethernet-type networks recognize numeric codes from 0 to 7. Value ‘pass-through’ sets QOS from the initial server-side value | |
proxyMSS (boolean) | false | true, false | When true, MSS advertised on the server side will match that negotiated with the client, if permitted by MTU and other constraints (default false) |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
ttlIPv4 (integer) | 255 | [1, 255] | TTL the system sets in outgoing IPv4 datagrams |
ttlIPv6 (integer) | 64 | [1, 255] | TTL the system sets in outgoing IPv6 datagrams |
ttlMode (string) | “proxy” | “decrement”, “preserve”, “proxy”, “set” | Controls IP TTL in outgoing datagrams. Value ‘set’ forces TTL to value of property ‘ttlIPv4’ or ‘ttlIPv6’ as appropriate. Value ‘proxy’ forces TTL to the default value for IPv4 or IPv6 as appropriate. Value ‘preserve’ copies TTL from received datagram. Value ‘decrement’ sets TTL to one less than received datagram’s TTL |
useChecksum (boolean) | false | true, false | When true, system will validate UDP checksums for IPv4 datagrams (default false). Checksums are always validated for IPv6 |
WAF_Policy
A Web Application Firewall Policy. Supports both traditional and advanced WAF policies. Advanced WAF policies require TMOS version 16.0 or newer.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “WAF_Policy” | ||
disabledSignatures (array<integer>) | [200000000, 399999999] | Disable various attack signatures by ID. Ignored on Advanced WAF policies | |
enforcementMode (string) | “blocking”, “transparent” | Overrides the enforcement mode setting of the WAF policy. Ignored on Advanced WAF policies | |
expand (array<string>) | Performs AS3 string expansion on specified values within the WAF Policy. WAF Policies that are not in JSON format will be ignored | ||
file (string) | The absolute file path for the ASM policy stored on the BIG-IP | ||
ignoreChanges (boolean) | false | true, false | If false (default), the system updates the policy in every BIG-IP AS3 declaration deployment. If true, BIG-IP AS3 creates the policy on first deployment, and leaves it untouched afterwards |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
policy (F5string | reference | reference) | Reference to a WAF Policy | ||
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
serverTechnologies (array<string>) | Define server technologies for the WAF Policy, such as Java Servlets or Apache Struts. Ignored on Advanced WAF policies | ||
url (Resource_URL) | The URL to pull the ASM policy from |
WebSocket_Profile
WebSocket profile with configurable options
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “WebSocket_Profile” | ||
compression (boolean) | true | true, false | Available when TMOS version is 16.1 or newer and used when compressMode is ‘typed’. Specifies whether compression will be negotiated with the endpoint. |
compressMode (string) | “preserved” | “preserved”, “typed” | Available when TMOS version is 16.1 or newer. Specifies the mode that controls what compression operations are performed. Setting ‘masking’ to ‘preserve’ and ‘compressMode’ to ‘typed’ will not be allowed because it results in an invalid configuration. |
label (string) | regex: ^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$ | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
masking (string) | “selective” | “preserve”, “unmask”, “remask”, “selective” | Specifies the masking operation for WebSocket frames |
maximumWindowSize (integer) | 10 | [8, 15] | Available when TMOS version is 16.1 or newer and used when compressMode is ‘typed’. Specifies the maximum sliding window for compression negotiated with the endpoint. |
noDelay (boolean) | true | true, false | Available when TMOS version is 16.1 or newer and used when compressMode is ‘typed’. Specifies whether data should be buffered for efficient compression, or compressed without delay. |
remark (string) | regex: ^[^\x00-\x1f\x22\x5c\x7f]*$ | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |