Appendix A: Schema Reference

This page is a reference for the objects you can use in your Declarations for AS3. For more information on BIG-IP objects and terminology, see the BIG-IP documentation at https://support.f5.com/csp/home.

ADC

A declarative configuration for an ADC such as F5 BIG-IP

Properties:

Name (Type) Default Values Description
class (string)
“ADC” Indicates this JSON document is an ADC declaration
Common (object)
Special tenant Common holds objects other tenants can share
constants (object)
Declaration metadata and/or named values for (re-)use by declaration objects
controls (object)
Options to control configuration process
id (string)
format: f5long-id Unique identifier for this declaration (max 255 printable chars with no spaces, quotation marks, angle brackets, nor backslashes)
label (string)
format: f5label Optional friendly name for this declaration
remark (string)
format: f5remark Arbitrary (brief) text pertaining to this declaration (optional)
schemaVersion (string)
“3.8.0”, “3.7.0”, “3.6.0”, “3.5.0”, “3.4.0”, “3.3.0”, “3.2.0”, “3.1.0”, “3.0.0” Version of ADC Declaration schema this declaration uses
scratch (string)
Holds some system data during declaration processing
target (object)
Trusted BIG-IP or SSG target for config when configuring with BIG-IQ
updateMode (string) “selective” “complete”, “selective” When set to ‘selective’ (default) AS3 does not modify Tenants not referenced in the declaration. Otherwise (‘complete’) AS3 removes unreferenced Tenants.

Analytics_Profile

Analytics profile with configurable options

Properties:

Name (Type) Default Values Description
capturedTrafficExternalLogging (boolean) false true, false Specifies that the system captures a portion of the applicaiton traffic which can then be viewed on the System >> Logs >> Captured Transactions screen
capturedTrafficInternalLogging (boolean) false true, false Specifies that the system captures a portion of the application traffic and sends it to a remote server
class (string)
“Analytics_Profile”
collectClientSideStatistics (boolean) false true, false Specifies that the system collects statistics regarding the HTTP request and response times
collectedStatsExternalLogging (boolean) false true, false Specifies that statistics logs are stored on a remote server
collectedStatsInternalLogging (boolean) true true, false Specifies that statistics logs are stored in the system
collectGeo (boolean) false true, false Specifies that the system collects statistics of the names of the countries from which that traffic was sent
collectIp (boolean) false true, false Specifies that the system collects statistics of the IP addresses of where the traffic came from
collectMaxTpsAndThroughput (boolean) false true, false Specifies that the system collects statistics for the maximum number of transactions per second, and the maximum amount of traffic moving through the system, both request and response throughput values
collectMethod (boolean) true true, false Specifies that the system collects statistics about the distribution of HTTP methods found in requests
collectOsAndBrowser (boolean) true true, false Specifies that the system collect statistics about the OSs and Browsers used to send requests
collectPageLoadTime (boolean) false true, false Specifies that the system collects statistics of the round-trip latency between client end-users and the servers
collectResponseCode (boolean) true true, false Specifies that the system collects statistics about the distribution of HTTP response codes returned by the servers
collectSubnet (boolean) false true, false Specifies that the system collects statistics of client subnets
collectUrl (boolean) false true, false Specifies that the system collects statistics of requested URLs
collectUserAgent (boolean) false true, false Specifies that the system collects statistics about browsers used to send traffic
collectUserSession (boolean) false true, false Specifies that the system collects statistics of the number of unique user sessions in the application traffic, as determined by the value of the configured HTTP cookies found in the requests
countriesForStatCollection (array)
Specifies the countries for collecting statistics
externalLoggingPublisher (Pointer_Log_Publisher)
label (Label)
notificationByEmail (boolean) false true, false Specifies that the system sends notifications by e-mail
notificationBySnmp (boolean) false true, false Specifies that the system sends notifications as SNMP traps
notificationBySyslog (boolean) false true, false Specifies that the system sends notifications to the syslog
notificationEmailAddresses (array)
format: email The e-mail addresses of a recipient to whom the system should send email notifications
publishIruleStatistics (boolean) false true, false Specifies that the system collects and displays statistics according to the expressions written in an iRule
remark (Remark)
sessionCookieSecurity (string) “ssl-only” “always-secure”, “never-secure”, “ssl-only” Specify whether to secure session cookies
sessionTimeoutMinutes (integer) 5 [5, 60] The number of minutes of user non-activity ot allow before the system considers the session to be over
subnetsForStatCollection (array)
format: f5ip Specifies the requested subnets for collecting statistics
urlsForStatCollection (array)
Specifies the requested URLs for collecting statistics

Application

Application declaration master schema

Properties:

Name (Type) Default Values Description
class (string)
“Application”
constants (Constants)
enable (boolean) true true, false Application handles traffic only when enabled (default)
label (Label)
remark (Remark)
schemaOverlay (string)
BIG-IQ name for a supplemental validation schema is applied to the Application class definition before the main AS3 schema
serviceMain (reference)
Primary service of the application
template (string)
Each application type has certain required and default elements and selects appropriate setup of various ADC/Security features

Application_Shared

Special application Shared holds objects other applications can share

Properties:

Name (Type) Default Values Description
class (string)
“Application”
constants (Constants)
enable (boolean) true true, false If declared, you must enable the Shared Application
label (Label)
remark (Remark)
schemaOverlay (string)
BIG-IQ name for a supplemental validation schema is applied to the Application class definition before the main AS3 schema
serviceMain (reference)
Primary service of the application
template (string)
“shared” Shared Application template is always generic

AS3

AS3 request body

Properties:

Name (Type) Default Values Description
action (string) “deploy” “deploy”, “dry-run”, “patch”, “redeploy”, “retrieve”, “remove” Indicates desired action: ‘deploy’ means deploy the included declaration to targetHost; ‘dry-run’ does NOT deploy the declaration but does do everything short of changing targetHost’s configuration; ‘patch’ modifies the declaration based on the provided set of commands and then deploys the updated declaration; ‘redeploy’ causes an old declaration from targetHost’s declaration history to be re-deployed (property redeployAge (default 0) selects the old declaration, and note redeployUpdateMode as well); ‘retrieve’ returns a copy of a previously-deployed declaration; ‘remove’ deletes the declaration or declaration component.
class (string)
“AS3” Indicates the structure of this request
declaration (object)
Declaration to deploy to targetHost
historyLimit (number) 4
This value (default 4) limits the number of previously-deployed declarations saved on targetHost for review using GET and for use with POST action=redeploy and redeployAge=N. The limit includes the current and immediately-previous declarations so may not be less than two
logLevel (string) “warning” “emergency”, “alert”, “critical”, “error”, “warning”, “notice”, “info”, “debug” Controls level of detail in logs using RFC 5424 severity levels (default is ‘warning’). Portions of declaration may use different logLevels
patchBody (array)
An array containing the patch operations to apply on the declaration
persist (boolean) true true, false When true (default) make the whole working configuration persistent on targetHost after (and only if) this request deploys any changes. If false, leave the working configuration in memory only (if targetHost restart, you may lose the configuration from memory)
redeployAge (integer) 0 [-infinity, 15] For action=redeploy (only), chooses which old declaration to deploy again. Value 0 (default) means re-deploy the most recent declaration (the one which set the current configuration of targetHost– useful to erase changes introduced by manual configuration). Value 1 means re-deploy the declaration prior to the most-recent one, etc. Note that whenever re-deploying an old declaration causes ADC configuration changes, that declaration becomes the current declaration (age 0) and the ages of all other declarations in the history increase (0 => 1, 1 => 2, u.s.w.)
redeployUpdateMode (string) “original” “original”, “complete”, “selective” Value ‘original’ (default) means re-deploy the chosen declaration using its original updateMode (which if not explicitly specified in that declaration will default to ‘selective’). Otherwise, forces the updateMode for re-deployment to ‘complete’ or ‘selective’ as specified. Remember, ‘selective’ updates do not affect Tenants not explicitly named. To simply roll-back the targetHost configuration to the state it had immediately after deploying some earlier declaration, put ‘complete’ here (that will remove Tenants created later than the redeployAge declaration). To use action=redeploy as a simple roll-back facility, always deploy (updateMode=)complete declarations.
resourceTimeout (integer) 5 [1, 900] Maximum delay allowed while communicating with URL resources (seconds, default 5)
retrieveAge (integer | string) 0 [-infinity, infinity], regex: ^list$ Use this property with action=retrieve. You can usually get a copy of the declaration most recently deployed to targetHost, and often copies of previously-deployed declarations are also available. Value 0 (default) means ‘the last-deployed declaration,’ value 1 means ‘the declaration previous to 0’ and so-forth. To get a list of available declarations, set value ‘list’
syncToGroup (string) “”
Name (like /Common/my_dg) of the config-sync group TO which the system should synchronize the targetHost configuration after (and only if) this request deploys any changes. When empty (default) this request will not affect config-sync at all. Leave undefined or empty whenever you use auto-sync or manage configuration synchronization separately
targetHost (string) “localhost”
Hostname or IP address of ADC to which request applies (default localhost)
targetPassphrase (string)
regex: ^.{0,254}$ Passphrase for targetUsername account. This is generally not required to configure ‘localhost’ and is not required when you populate targetTokens
targetPort (integer) 0 [-infinity, 65535] TCP port number of management service on targetHost; default 0 means auto-discover
targetTimeout (integer) 150 [1, 900] Maximum delay allowed while communicating with targetHost device (seconds, default 150)
targetTokens (object)
One or more HTTP headers (each a property, like ‘X-F5-Auth-Token’: ‘MF6APSRUYKTMSDBEOOEWLCNSO2’) you want to send with queries to the targetHost management service as authentication/authorization tokens
targetUsername (string)
regex: ^[^:]{0,254}$ Username of principal authorized to modify configuration of targetHost (may not include the character ‘:’). NOTE: this is generally not required to configure ‘localhost’ because client authentication and authorization precede invocation of AS3. It is also not required for any targetHost if you populate targetTokens
trace (boolean) false true, false If true, AS3 creates a detailed trace of the configuration process for subsequent analysis (default false). May be overridden on a per-Declaration and/or per-Tenant basis. Warning: trace files may contain sensitive configuration data

Bandwidth_Control_Policy

Create a listener to specify how to handle traffic for policy enforcement

Properties:

Name (Type) Default Values Description
categories (reference)
This specifies the categories under policy. Note: policy need to be enabled as dynamic to configure categories. Up to a maximum of 32 categories can be configured. All the categories under the dynamic policy share the bandwidth as specified for the category, up to a maximum of maxUserBandwidth.
class (string)
“Bandwidth_Control_Policy”
dynamicControlEnabled (boolean) false true, false Specifies whether the policy is a static or dynamic policy. When enabled, the policy is dynamic, and additional settings are available. A dynamic policy enforces the specified maximum user rate and flow fairness for all traffic associated with the policy and for each session. The default is disabled, which indicates a static policy. A static policy enforces the maximum rate for combined traffic and does not guarantee fairness bandwidth for each session.
label (Label)
loggingEnabled (boolean) false true, false Specifies whether the system measures bandwidth on all future instances of this bandwidth control policy. When enabled, the system measures bandwidth and sends it to the log publisher specified by the logPublisher setting. You can override this setting using iRules. For example, if you want measurement on only some instances, keep this setting disabled, and use iRules to enable measurement on specific instances.
logPeriod (integer) 2048 [-infinity, 18446744073709552000] Specifies the frequency, in milliseconds, with which the system generates bandwidth measurement logs
logPublisher (Pointer_Log_Publisher)
markIP (string | integer) “pass-through” “pass-through”, [-infinity, 63] Specifies whether to mark traffic that exceeds the per-user limit by setting a Type of Service (ToS) bit in the IP headers of TCP packets associated with this bandwidth control policy. The default value is “pass-through”, which means there is no change to the ToS bit. To set a ToS bit use a value from 0 to 63. If this setting is specified, the bandwidth policy is not enforced, but rather the packets are marked for a downstream system to process.
markL2 (string | integer) “pass-through” “pass-through”, [-infinity, 7] Specifies whether to mark traffic that exceeds the per-user limit by setting a Quality of Service (QoS) bit in the L2 headers of packets associated with this bandwidth control policy. The default value is “pass-through”, which means there is no change to the QoS bit. To set a QoS bit use a value from 0 to 7. If this setting is specified, the bandwidth policy is not enforced, but rather the packets are marked for a downstream system to process.
maxBandwidth (integer)
[-infinity, 18446744073709552000] Specifies the maximum amount of bandwidth that traffic associated with the bandwidth control policy can use. The range is from 1 Mbps to 320 Gbps (between 1000000 bps and 320000000000 bps.
maxBandwidthUnit (string) “Mbps” “bps”, “Kbps”, “Mbps”, “Gbps” Specifies the units used by the maxBandwidth property
maxUserBandwidth (integer) 0 [-infinity, 18446744073709552000] Specifies the maximum amount of bandwidth that each session associated with the bandwidth control policy can use. The range is from 5 Kbps to 2 Gbps. Note: For FTP traffic, the throughput is roughly half of this setting, because the FTP protocol creates two connections per user: a control connection and a data connection.
maxUserBandwidthUnit (string) “Mbps” “bps”, “Kbps”, “Mbps”, “Gbps” Specifies the units used by the maxUserBandwidth property
maxUserPPS (integer) 0 [-infinity, 18446744073709552000] Specifies the limiter in packets per second that traffic is allowed per instance. It functions as a DoS limiter without fair share allocation. The system applies whichever value is lower, between this value and the specified Maximum Rate Per User. When both values are specified, both must pass for packets to go through. You can specify the rate in packets per second (PPS), kilo packets per second (KPPS), mega packets per second (MPPS), or giga packets per second (GPPS). The default value is 0 (not configured).
maxUserPPSUnit (string) “Mpps” “bpps”, “Kpps”, “Mpps”, “Gpps” Specifies the units used by the maxUserBandwidthPPS property
remark (Remark)

Bandwidth_Control_Policy_Category

Create a listener to specify how to handle traffic for policy enforcement

Properties:

Name (Type) Default Values Description
markIP (string | integer) “pass-through” “pass-through”, [-infinity, 63] Specifies whether to mark traffic that exceeds the per-user limit by setting a Type of Service (ToS) bit in the IP headers of TCP packets associated with this bandwidth control policy. The default value is “pass-through”, which means there is no change to the ToS bit. To set a ToS bit use a value from 0 to 63. If this setting is specified, the bandwidth policy is not enforced, but rather the packets are marked for a downstream system to process.
markL2 (string | integer) “pass-through” “pass-through”, [-infinity, 7] Specifies whether to mark traffic that exceeds the per-user limit by setting a Quality of Service (QoS) bit in the L2 headers of packets associated with this bandwidth control policy. The default value is “pass-through”, which means there is no change to the QoS bit. To set a QoS bit use a value from 0 to 7. If this setting is specified, the bandwidth policy is not enforced, but rather the packets are marked for a downstream system to process.
maxBandwidth (integer)
[-infinity, 18446744073709552000] Specifies the maximum bandwidth that this category of traffic can use when associated with this bandwidth control policy. The range is from 5 kbps to the value set for Maximum Rate Per User.
maxBandwidthUnit (string) “Mbps” “bps”, “Kbps”, “Mbps”, “Gbps”, “%” Specifies the units used by the maxBandwidth property
remark (Remark)

CA_Bundle

Bundle of one or more PKI Certificate-Authority certificates

Properties:

Name (Type) Default Values Description
bundle (reference)
Reference to a CA bundle
class (string)
“CA_Bundle”
label (Label)
remark (Remark)

Certificate

PKI certificate with optional private-key and/or chain, optional OCSP stapler

Properties:

Name (Type) Default Values Description
certificate (reference)
X.509 public-key certificate
chainCA (reference)
Bundle of one or more CA certificates in trust-chain from root CA to certificate (optional)
class (string)
“Certificate”
label (Label)
passphrase (object)
If supplied, used to decrypt privateKey at runtime (optional)
pkcs12 (object)
The pkcs12 value which may be a url to fetch the binary file from or base64 encoded string
pkcs12Options (object)
Options for importing PKCS12 file
privateKey (reference)
Private key matching certificate’s public key (optional)
remark (Remark)
staplerOCSP (object)
AS3 pointer to OCSP Stapler declaration (optional)

Classification_Profile

Configures a classification profile

Properties:

Name (Type) Default Values Description
appDetectionEnabled (boolean) true true, false Enables/disables Application Detection feature
class (string)
“Classification_Profile”
iRuleEventEnabled (boolean) false true, false Enables/disables CLASSIFICATION_DETECTED iRule event generation
label (Label)
logPublisher (Pointer_Log_Publisher)
logUnclassifiedDomain (boolean) false true, false Enables/disables unclassified domain logging
parentProfile (reference) {“bigip”:”/Common/classification”}
Specifies the name of the object to inherit the settings from
preset (reference) {“bigip”:”/Common/ce”}
remark (Remark)
statisticsCollectionEnabled (boolean) false true, false Enables/disables statistics collection
statisticsPublisher (Pointer_Log_Publisher)
urlCategorizationEnabled (boolean) false true, false Enables/disables URL Categorization feature

Controls

Options to control configuration process

Properties:

Name (Type) Default Values Description
class (string) “Controls” “Controls”
fortune (boolean) false true, false If true, AS3 will activate Zoltar mode and read you your fortune
logLevel (string) “error” “emergency”, “alert”, “critical”, “error”, “warning”, “notice”, “info”, “debug” Controls the amount of detail in logs produced while configuring this Tenant (default is whole-declaration Controls/logLevel value)
trace (boolean) false true, false If true, AS3 creates a detailed trace of the configuration process for this Tenant for subsequent analysis (default is whole-declaration Controls/trace value). Warning: trace files may contain sensitive configuration data

Data_Group

Configures a data group object which contains list of data

Properties:

Name (Type) Default Values Description
class (string)
“Data_Group”
dataGroupFile (Pointer_Data_Group_File)
externalFilePath (string)
Specifies the location (URI) from where the records will be copied
ignoreChanges (boolean) false true, false If false (default), the system updates data group in every AS3 declaration deployment. If true, AS3 creates the data group on first deployment, and leaves it untouched afterwards
keyDataType (string)
“integer”, “ip”, “string” Specifies the type of record keys the data group contains. If string, the value will be escaped by default
label (Label)
records (array)
List of records
remark (Remark)
separator (string) “:=”
Specifies the character(s) that separate the record key and value
storageType (string) “internal” “internal”, “external” Toggles whether the data group is internal or external

Data_Group_Records_Base

Configures data group records to store

Properties:

Name (Type) Default Values Description
records (array)
List of records

Data_Group_Records_Integer

A specialization of Data_Group_Records_Base where all items in the records property must be integers.

Properties:

Name (Type) Default Values Description
records (array)
List of records

Data_Group_Records_IP

A specialization of Data_Group_Records_Base where all items in the records property must be IP addresses.

Properties:

Name (Type) Default Values Description
records (array)
List of records

Data_Group_Records_String

A specialization of Data_Group_Records_Base where all items in the records property must be strings.

Properties:

Name (Type) Default Values Description
records (array)
List of records

DNS_Nameserver

Configures a DNS nameserver

Properties:

Name (Type) Default Values Description
address (string) “127.0.0.1” format: f5ip Specifies the IP address on which the DNS nameserver (client) or back-end DNS authoritative server (DNS Express server) listens for DNS messages
class (string)
“DNS_Nameserver”
label (Label)
port (integer) 53 [-infinity, 65535] Specifies the service port on which the DNS nameserver (client) or back-end DNS authoritative server (DNS Express server) listens for DNS messages
remark (Remark)
routeDomain (Pointer_Route_Domain)
tsigKey (Pointer_DNS_TSIG_Key)

DNS_Profile

Configures a Domain Name System (DNS) profile

Properties:

Name (Type) Default Values Description
cache (Pointer_DNS_Cache)
cacheEnabled (boolean) false true, false Specifies whether the system caches DNS responses
class (string)
“DNS_Profile”
dns64AdditionalSectionRewrite (string) “disabled” “disabled”, “v6-only”, “v4-only”, “any” Select an option to allow improved network efficiency for both Unicast and Multicast DNS-SD responses
dns64Mode (string) “disabled” “disabled”, “secondary”, “immediate”, “v4-only” Specifies handling of AAAA and A DNS queries and responses
dns64Prefix (string) “0:0:0:0:0:0:0:0”
Specifies the prefix to use for the IPv6-formatted IP addresses that the system converts to IPv4-formatted IP addresses
dnsExpressEnabled (boolean) true true, false Specifies whether the DNS Express engine is enabled. The DNS Express engine receives zone transfers from the authoritative DNS server for the zone. If the Zone Transfer setting is also enabled on this profile, the DNS Express engine also responds to zone transfer requests made by the nameservers configured as zone transfer clients for the DNS Express zone.
dnssecEnabled (boolean) true true, false Specifies whether the system signs responses with DNSSEC keys and replies to DNSSEC specific queries (e.g., DNSKEY query type)
globalServerLoadBalancingEnabled (boolean) true true, false Specifies whether the system uses Global Traffic Manager to manage the response
hardwareQueryValidationEnabled (boolean) false true, false On supported platforms, indicates whether the hardware will accelerate query validation
hardwareResponseCacheEnabled (boolean) false true, false On supported platforms, indicates whether the hardware will cache responses
label (Label)
localBindServerEnabled (boolean) true true, false Specifies whether the system forwards non-wide IP queries to the local BIND server on the BIG-IP system. For best performance, disable this setting when using a DNS cache.
loggingEnabled (boolean) true true, false Specifies whether to process client-side DNS packets with Recursion Desired set in the header. If set to Disabled, processing of the packet is subject to the unhandled-query-action option.
loggingProfile (Pointer_DNS_Logging_Profile)
parentProfile (reference)
Specifies the name of the object to inherit the settings from
rapidResponseEnabled (boolean) false true, false When enabled, if the query name matches a GTM wide IP name and GTM is enabled on this profile, the DNS query will bypass Rapid Response. Note: This setting is supported only on physical BIG-IP hardware because it needs a High-Speed Bridge (HSB) to work. When using BIG-IP Virtual Edition, however, the system does not prevent you from selecting an action, even though the setting is ignored.
rapidResponseLastAction (string) “drop” “allow”, “drop”, “noerror”, “nxdomain”, “refuse”, “truncate” Specifies what action the system takes when Rapid Response Mode is enabled and the incoming DNS query does not match a DNS Express Zone
recursionDesiredEnabled (boolean) true true, false Specifies whether to process client-side DNS packets with Recursion Desired set in the header. If set to Disabled, processing of the packet is subject to the unhandled-query-action option.
remark (Remark)
securityEnabled (boolean) true true, false Specifies whether DNS firewall capability is enabled.
securityProfile (Pointer_DNS_Security_Profile)
statisticsSampleRate (integer) 0 [-infinity, 4294967295] Sets AVR DNS statistics sampling rate. A value of 0 (zero) means that no query will be sent to the analytics database. A value of 1 means that every query will be sent. A value of n means that every nth query will be sent, and that the analytics database will count that query n times. When sampling rate is greater than one, the statistics will be inaccurate if the traffic volume is low. However, when the traffic volume is high, the system performance will benefit from sampling and the inaccuracy will be negligible. DNS statistics contain query name, query type, virtual server IP and client IP.
unhandledQueryAction (string) “allow” “allow”, “drop”, “hint”, “noerror”, “reject” Specifies whether the system uses the local BIND server on the BIG-IP system
zoneTransferEnabled (boolean) false true, false Specifies whether the system answers zone transfer requests for a DNS zone created on the system. The DNS Express and Zone Transfer settings on a DNS profile affect how the system responds to zone transfer requests.

DNS_TSIG_Key

Configures a TSIG key

Properties:

Name (Type) Default Values Description
algorithm (string)
“hmacmd5”, “hmacsha1”, “hmacsha256” Specifies the algorithm the system uses to authenticate AXFR zone transfer requests as coming from an approved DNS nameserver, or to authenticate AXFR zone transfers as coming from an approved back-end DNS authoritative server. The algorithm involves a cryptographic hash function in combination with a secret, which is specified in the Secret field. The default is HMAC MD5 (the Hash-based Message Authentication Code MD5).
class (string)
“DNS_TSIG_Key”
label (Label)
remark (Remark)
secret (object)
Specifies the secret used with the algorithm in the verification process. The secret must be generated by a third-party tool such as BIND’s keygen utility; the BIG-IP system does not generate the TSIG key secret.

DNS_Zone

Configures a DNS zone

Properties:

Name (Type) Default Values Description
class (string)
“DNS_Zone”
dnsExpress (DNS_Zone_DNS_Express)
label (Label)
remark (Remark)
responsePolicyEnabled (boolean) false true, false Specifies if this is a response policy zone. If this is set to yes, this zone may be assigned as an RPZ to a DNS Cache
serverTsigKey (Pointer_DNS_TSIG_Key)
transferClients (array)
Specifies the DNS nameservers to which the system sends NOTIFY messages. The system allows only the DNS nameservers in the Active column to initiate AXFR zone transfers for this DNS zone.

DNS_Zone_DNS_Express

Configure zone DNS Express settings

Properties:

Name (Type) Default Values Description
allowNotifyFrom (array)
format: f5ip Specifies the IP addresses from which the system accepts NOTIFY messages for this DNS Express zone
enabled (boolean) true true, false Specifies whether DNS Express is enabled to process queries for this zone
nameserver (reference)
Specifies the back-end authoritative DNS server from which the BIG-IP system receives AXFR zone transfers for the DNS Express zone. The options are None and user-defined nameservers.
notifyAction (string)
“consume”, “bypass”, “repeat” Specifies the action the system takes when a NOTIFY message is received for this DNS Express zone. NOTIFY responses are assumed to be sent by the authoritative nameserver for the zone, except when the action is Consume, and then DNS Express generates the response. Note: If a TSIG key is configured for the zone, the signature is only validated for Consume and Repeat actions.
verifyNotifyTsig (boolean) true true, false Specifies whether the system verifies the identity of the authoritative nameserver that sends updated information for this DNS Express zone

DOS_Auto_Blacklist_Settings

Adds the source IP address to the blacklist category assigned to the Denial-of-Service (DoS) vector

Properties:

Name (Type) Default Values Description
attackDetectionTime (integer) 60 [1, 4294967295] Specifies the time in seconds before a vector is blacklisted
category (reference) {“bigip”:”/Common/denial_of_service”}
Specifies the blacklist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and blacklist publisher settings.
categoryDuration (integer) 14400 [60, 4294967295] Specifies the time in seconds before the blacklist entry is removed
enabled (boolean) false true, false Specifies if automatic blacklist management should be used
externalAdvertisementEnabled (boolean) false true, false Specifies that addresses that are identified for blacklisting are advertised to BGP routers, as configured per blacklist category in Blacklist Publisher

DOS_Bad_Actor_Detection_Settings

Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.

Properties:

Name (Type) Default Values Description
enabled (boolean) false true, false Specifies that Bad Actor detection is enabled
sourceDetectionThreshold (integer) 4294967295 [-infinity, 4294967295] Specifies the number of packets per second to identify an IP address as a bad actor. BIG-IP versions below 13.1.0 clamp this value to a maximum of 2147483647
sourceMitigationThreshold (integer) 4294967295 [-infinity, 4294967295] Specifies the rate limit applied to a source IP that is identified as a bad actor. BIG-IP versions below 13.1.0 clamp this value to a maximum of 2147483647

DOS_DNS_Vector

Protocol DNS Denial-of-Service (DoS) vector

Properties:

Name (Type) Default Values Description
autoAttackCeiling (integer) 4294967295 [-infinity, 4294967295] Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to 4294967295.
autoAttackFloor (integer) 100 [-infinity, 4294967295] Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant. BIG-IP versions below 13.1.0 clamp this value to a maximum of 2147483647
autoBlacklistSettings (reference) {}
badActorSettings (reference) {}
rateIncreaseThreshold (integer) 500 [-infinity, 4294967295] Specify percent of rate increase the system must discover in traffic in order to detect this attack. BIG-IP version 13.1.x clamps this value to a maximum of 2147483647
rateLimit (integer) 4294967295 [-infinity, 4294967295] Specify the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit. BIG-IP versions below 13.1.0 clamp this value to a maximum of 2147483647
rateThreshold (integer) 4294967295 [-infinity, 4294967295] Specify how many packets per second the system must discover in traffic in order to detect this attack. BIG-IP versions below 13.1.0 clamp this value to a maximum of 2147483647
simulateAutoThresholdEnabled (boolean) false true, false Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds
state (string) “mitigate” “disabled”, “learn-only”, “detect-only”, “mitigate” Specifies how to enforce protection for that attack type: mitigate (watch, learn, alert, and mitigate), detect-only (watch, learn, and alert), learn-only (collect stats, no mitigation), or Disabled (no stat collection, no mitigation).
thresholdMode (string) “manual” “manual”, “stress-based-mitigation”, “fully-automatic” Specifies how thresholds are set for this vector
type (string)
“a”, “aaaa”, “any”, “axfr”, “cname”, “ixfr”, “mx”, “ns”, “other”, “ptr”, “soa”, “srv”, “txt”, “malformed” Specifies the name of the DoS attack vector whose thresholds you are configuring

DOS_Network_Vector

Network Denial-of-Service (DoS) vector

Properties:

Name (Type) Default Values Description
autoAttackCeiling (integer) 4294967295 [-infinity, 4294967295] Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to 4294967295.
autoAttackFloor (integer) 100 [-infinity, 4294967295] Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant. BIG-IP versions below 13.1.0 clamp this value to a maximum of 2147483647
autoBlacklistSettings (reference) {}
badActorSettings (reference) {}
rateIncreaseThreshold (integer) 500 [-infinity, 4294967295] Specify percent of rate increase the system must discover in traffic in order to detect this attack
rateLimit (integer) 4294967295 [-infinity, 4294967295] Specify the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit. BIG-IP versions below 13.1.0 clamp this value to a maximum of 2147483647
rateThreshold (integer) 4294967295 [-infinity, 4294967295] Specify how many packets per second the system must discover in traffic in order to detect this attack. BIG-IP versions below 13.1.0 clamp this value to a maximum of 2147483647
simulateAutoThresholdEnabled (boolean) false true, false Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds
state (string) “mitigate” “disabled”, “learn-only”, “detect-only”, “mitigate” Specifies how to enforce protection for that attack type: mitigate (watch, learn, alert, and mitigate), detect-only (watch, learn, and alert), learn-only (collect stats, no mitigation), or Disabled (no stat collection, no mitigation).
thresholdMode (string) “manual” “manual”, “stress-based-mitigation”, “fully-automatic” Specifies how thresholds are set for this vector
type (string)
“ext-hdr-too-large”, “hop-cnt-low”, “host-unreachable”, “icmpv4-flood”, “icmpv6-flood”, “icmp-frag”, “ip-frag-flood”, “ip-opt-frames”, “ipv6-ext-hdr-frames”, “ipv6-frag-flood”, “opt-present-with-illegal-len”, “sweep”, “tcp-half-open”, “tcp-opt-overruns-tcp-hdr”, “tcp-psh-flood”, “tcp-rst-flood”, “tcp-syn-flood”, “tcp-synack-flood”, “tcp-syn-oversize”, “tcp-bad-urg”, “tcp-window-size”, “tidcmp”, “too-many-ext-hdrs”, “udp-flood”, “unk-tcp-opt-type” Specifies the name of the DoS attack vector whose thresholds you are configuring

DOS_Profile

Configures a Denial of Service (DOS) profile

Properties:

Name (Type) Default Values Description
application (reference)
Application security sub-profile
applicationWhitelist (reference)
Specifies the IP addresses and subnets whitelist configuration for Application Security (Overrides the global whitelist)
class (string)
“DOS_Profile”
label (Label)
network (reference)
Network security sub-profile
protocolDNS (reference)
DNS protocol security sub-profile
protocolSIP (reference)
SIP protocol security sub-profile
remark (Remark)
whitelist (reference)
Specifies the default whitelist address list for the system to use to determine which IP addresses are legitimate. The system does not examine traffic from the IP addresses in the list when performing DoS prevention.

DOS_Profile_Application

Specifies the conditions for determining that your application is under a DoS attack, and how the system reacts to a suspected attack.

Properties:

Name (Type) Default Values Description
blacklistedGeolocations (array)
Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to block traffic during a DoS attack
botDefense (reference) {}
This feature proactively detects bots and scripts, and prevents them from accessing the site. It may be used to prevent DDoS, Web Scraping, and Brute Force attacks. Enabling this feature requires JavaScript support from the browsers.
botSignatures (reference) {}
This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms
captchaResponse (reference) {}
heavyURLProtection (reference) {}
Configure Heavy URL include list, automatic detection, and exclude list
mobileDefense (reference) {}
This feature detects mobile applications built with the Anti-Bot Mobile SDK and defines how requests from these mobile application clients are handled
profileAcceleration (reference)
Select a TCP fastL4 profile to be used as a fast-path for acceleration
rateBasedDetection (reference) {}
Configures the detection of DoS attacks based on high volume of incoming traffic
recordTraffic (reference) {}
This feature allows automatic recording of traffic during DoS attacks, and storing the recordings as TCP Dump files. The files are placed in the system file path /shared/dosl7/tcpdumps.
remoteTriggeredBlackHoleDuration (integer) 0 [-infinity, 4294967295] Specifies the BGP route advertisment duration in seconds for Remote Triggered Black Hole of attacking IPs. This requires configuration of the Blacklist Publisher, and will function even when the Operation Mode is set to Transparent. A value of 0 disables Remote Triggered Black Hole.
scrubbingDuration (integer) 0 [-infinity, 4294967295] Specifies the BGP route advertisment duration in seconds for Traffic Scrubbing during attacks. This requires configuration of the Scrubber Profile, and will function even when the Operation Mode is set to Transparent. A value of 0 disables Traffic Scrubbing.
singlePageApplicationEnabled (boolean) false true, false Specifies that your website is a Single Page Application, meaning a web application that loads new content without triggering a full page-reload
stressBasedDetection (reference) {}
Configures the detection of DoS attacks based on server stress. The system automatically detects an increase in server stress and mitigates DoS attacks causing it.
triggerIRule (boolean) false true, false Specifies that the system activates an Application DoS iRule event
whitelistedGeolocations (array)
Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to allow traffic during a DoS attack

DOS_Profile_Application_Bot_Defense

We provide defense against bot attacks by detecting and stopping them before the attacks start to grow, by performing the following:

  • The system sends a client-side JavaScript challenge to the browser.
  • If the challenge is met, the system adds a cookie to the second request. This cookie is active until the session ends, and the system does not add any more cookies to further requests during that session.
  • The system drops requests sent by browsers that do not answer the system’s initial JavaScript challenge, assuming they are bots that do not support JavaScript.

Note: This feature requires browsers to allow JavaScript.

Important: The proactive bot defense feature works also in Transparent mode. This means that the system will replace responses with client side JavaScript also in Transparent mode, and if the client cannot run JavaScript, it will not be able to receive the server responses.

Important: If you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL whitelist.

This method is intended to complement, not replace, the other mitigation methods.

Properties:

Name (Type) Default Values Description
blockSuspiscousBrowsers (boolean) true true, false Detect and block requests from highly suspiscious browsers
crossDomainRequests (string) “allow-all” “allow-all”, “validate-bulk”, “validate-upon-request” Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain.
externalDomains (array)
Specifies the external referring domains (that are not part of your website) that are allowed to link to resources in your website. These domains are not protected with proactive bot defense, but the system allows them if they pass the system’s redirect-cookie challenge.
gracePeriod (integer) 300 [-infinity, 4294967295] The length of time (in seconds) before the system blocks suspected bots. The grace period allows web application pages with both HTML and non-HTML (like images, JS, and CSS) to load completely without being blocked. The grace period starts after client validation, a configuration change, or when proactive bot defense is activated as a result of a detected attack or high latency.
issueCaptchaChallenge (boolean) true true, false Issue CAPTCHA challenges to moderately suspiscious browsers
mode (string) “off” “off”, “during-attacks”, “always” Specifies the conditions under which bots are detected and blocked
siteDomains (array)
Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain
urlWhitelist (array)
Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation

DOS_Profile_Application_Bot_Signatures

This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms.

Properties:

Name (Type) Default Values Description
blockedCategories (array)
The system blocks and reports requests that match signatures in this list of categories
checkingEnabled (boolean) false true, false Specifies that the system uses signatures to check whether a bot is benign or malicious
disabledSignatures (array)
A list of signatures that the system ignores when it matches requests with configured bot signatures
reportedCategories (array)
The system logs requests that match signatures in this list of categories and counts them in the DoS reports

DOS_Profile_Application_Captcha

Specifies the text the system sends, during a suspected DoS event, to users after it challenges users with the first CAPTCHA response, and the text the system sends to users after they fail a CAPTCHA response.

Properties:

Name (Type) Default Values Description
failure (string)
regex: .{0,65520} Specifies the content that the system displays to a user after the user fails to correctly answer a CAPTCHA
first (string)
regex: .{0,65520} Specifies the content that the system displays to a user the first time the user is asked to respond to a CAPTCHA

DOS_Profile_Application_Detection_Device

Specifies the criteria that determines when the system treats a device as an attacker

Properties:

Name (Type) Default Values Description
captchaChallengeEnabled (boolean) false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled (boolean) false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps (integer) 5000 [-infinity, 4294967295] Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacaking entity
maximumTps (integer) 200 [-infinity, 4294967295] The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps (integer) 5 [-infinity, 4294967295] Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacaking entity
minimumTps (integer) 40 [-infinity, 4294967295] The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled (boolean) false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies reate limiting to the traffic
rateLimitingMode (string) “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate (integer) 500 [-infinity, 4294967295] The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Detection_Geolocation

Specifies the criteria that determines when the system treats a geolocation as an attacker

Properties:

Name (Type) Default Values Description
captchaChallengeEnabled (boolean) false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled (boolean) false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps (integer) 20000 [-infinity, 4294967295] Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacaking entity
minimumAutoTps (integer) 50 [-infinity, 4294967295] Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacaking entity
minimumShare (integer) 10 [-infinity, 4294967295] The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled (boolean) false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies reate limiting to the traffic
rateLimitingMode (string) “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
shareIncreaseRate (integer) 500 [-infinity, 4294967295] The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Detection_IP

Specifies the criteria that determines when the system treats a source IP address as an attacker

Properties:

Name (Type) Default Values Description
captchaChallengeEnabled (boolean) false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled (boolean) false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps (integer) 5000 [-infinity, 4294967295] Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacaking entity
maximumTps (integer) 200 [-infinity, 4294967295] The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps (integer) 5 [-infinity, 4294967295] Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacaking entity
minimumTps (integer) 40 [-infinity, 4294967295] The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled (boolean) true true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies reate limiting to the traffic
rateLimitingMode (string) “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate (integer) 500 [-infinity, 4294967295] The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Detection_Site

Specifies the criteria that determines when the system treats a site as an attacker

Properties:

Name (Type) Default Values Description
captchaChallengeEnabled (boolean) false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled (boolean) false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps (integer) 20000 [-infinity, 4294967295] Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacaking entity
maximumTps (integer) 10000 [-infinity, 4294967295] The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps (integer) 5 [-infinity, 4294967295] Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacaking entity
minimumTps (integer) 2000 [-infinity, 4294967295] The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled (boolean) false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies reate limiting to the traffic
tpsIncreaseRate (integer) 500 [-infinity, 4294967295] The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Detection_URL

Specifies the criteria that determines when the system treats a URL as an attacker

Properties:

Name (Type) Default Values Description
captchaChallengeEnabled (boolean) false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled (boolean) false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
heavyURLProtectionEnabled (boolean) true true, false Specifies, when enabled, that heavy URL protection should be enabled
maximumAutoTps (integer) 5000 [-infinity, 4294967295] Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacaking entity
maximumTps (integer) 1000 [-infinity, 4294967295] The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps (integer) 5 [-infinity, 4294967295] Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacaking entity
minimumTps (integer) 200 [-infinity, 4294967295] The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled (boolean) true true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies reate limiting to the traffic
tpsIncreaseRate (integer) 500 [-infinity, 4294967295] The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Heavy_URL

Heavy URLs are a small number of site URLs that might consume considerable server resources per request. Heavy URLs respond with low latency most of the time, but may easily reach high latency under specific conditions. Heavy URLs are not necessarily heavy all the time, but are potentially heavy, especially during DoS attacks. It only takes a low rate of requests to heavy URLs in order to cause DoS attacks. When an attack is suspected, the system protects the heavy URLs using the by URL methods that you enabled in TPS-based Detection and Behavioral & Stress-based Detection. If no URL-based methods are enabled there, the system only reports attacks.

Properties:

Name (Type) Default Values Description
automaticDetectionEnabled (boolean) true true, false Mark a URL as heavy if its portion of transactions with latency above the specified threshold is higher than usual for this site
detectionThreshold (integer) 1000 [16, 4294967295] Specifies the latency threshold for automatic heavy URL detection (in milliseconds)
excludeList (array)
URLs that the system should not consider heavy even if the system automatically detects them as being heavy. This list may contain prefix wildcards.
protectList (array)
URLs that you expect to be heavy even if the system does not automatically detect them as being heavy

DOS_Profile_Application_Mobile_Defense

When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK will be detected and handled according to the setting configured here. When disabled, these requests will be handled like any other request, meaning that they may let attacks in or cause false positives. Mobile application traffic will be treated differently than other clients, e.g. browsers, in security policies. For this reason, even when DoS protection is not required in a security policy, you still must set a DoS profile with mobile application protection enabled.

Properties:

Name (Type) Default Values Description
allowAndroidPublishers (array)
Publisher certificates to allow. All others are blocked. An empty list allows all publishers.
allowAndroidRootedDevice (boolean) false true, false Select to allow traffic from rooted Android devices
allowEmulators (boolean) false true, false Select to allow traffic from applications run on emulators
allowIosPackageNames (array)
Package names to allow. All others are blocked. An empty list allows all package names.
allowJailbrokenDevices (boolean) false true, false Select to allow traffic from jailbroken iOS devices
clientSideChallengeMode (string) “pass” “pass”, “challenge” Specifies the action to take when a CAPTCHA or Client Side Integrity challenge needs to be presented
enabled (boolean) false true, false When enabled, requests from mobile applications built with Anti-Bot Mobile SDK will be detected and handled according to the settings below. When disabled, these requests will be handled like any other request which may let attacks in, or cause false positives.

DOS_Profile_Application_Rate_Based_Detection

Configure the system to prevent DoS attacks based on the client side transactions per second(TPS-based detection mode). The system considers traffic to be a DoS attack based on the following calculations:

  • Transaction rate detection interval: The average number of requests per second sent. This is the TPS value that triggered the attack. This number is calculated by the system, by default, every ten seconds.
  • Transaction rate history interval: The average number of requests per second sent. This number is the average number of transactions for the past hour, and it is updated every 10 seconds.

In TPS-based detection mode, if the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the specific percentage configured, the system detects the URL/site to be under attack, or the IP address/geolocation to be attacking. In order to stop the attack, the system blocks some, or all, requests from the detected IP address/geolocation and/to the attacked URL/site, depending on the configuration of the DoS profile.

Properties:

Name (Type) Default Values Description
deEscalationPeriod (integer) 7200 [-infinity, 86400] When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs.
deviceID (reference) {}
escalationPeriod (integer) 120 [1, 3600] Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step.
geolocation (reference) {}
operationMode (string) “off” “off”, “transparent”, “blocking” Specifies how the system reacts when it detects an attack
site (reference) {}
sourceIP (reference) {}
thresholdsMode (string) “manual” “manual”, “automatic” Specifies what type of thresholds to use
url (reference) {}

DOS_Profile_Application_Stress_Based_Detection

Configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds are crossed.

Properties:

Name (Type) Default Values Description
badActor (reference) {}
deEscalationPeriod (integer) 7200 [-infinity, 86400] When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs.
deviceID (reference) {}
escalationPeriod (integer) 120 [1, 3600] Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step.
geolocation (reference) {}
operationMode (string) “off” “off”, “transparent”, “blocking” Specifies how the system reacts when it detects an attack
site (reference) {}
sourceIP (reference) {}
thresholdsMode (string) “manual” “manual”, “automatic” Specifies what type of thresholds to use
url (reference) {}

DOS_Profile_Application_Stress_Based_Detection_Bad_Actor

Specifies properties of Behavioral Detection in Stress-based anomaly.

The following mitigation optoins are available:

  • Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
  • Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the servers health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
  • Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the servers health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.

Properties:

Name (Type) Default Values Description
detectionEnabled (boolean) false true, false Enables traffic behavior, server’s capacity learning, and anomaly detection
mitigationMode (string) “none” “none”, “conservative”, “standard”, “aggressive” Specifies mitigation impact on suspicious bad actors/requests
signatureDetectionEnabled (boolean) false true, false Enables request signature detection
useApprovedSignaturesOnly (boolean) false true, false Limits request signature detection to approved signatures only

DOS_Profile_Application_TCP_Dump

Configure settings to record traffic (perform a TCP dump) when a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.

Properties:

Name (Type) Default Values Description
maximumDuration (integer) 30 [-infinity, 4294967295] Configures the maximum time for each TCP dump recording cycle
maximumSize (integer) 10 [-infinity, 4294967295] Configures the maximum size (in MB) for each TCP dump recording cycle
recordTrafficEnabled (boolean) false true, false Enables the recording of traffic during attacks
repetitionInterval (reference) 120
Allow multiple TCP dumps to be recorded during a single DoS attack

DOS_Profile_Network

No description provided

Properties:

Name (Type) Default Values Description
dynamicSignatures (reference) {}
vectors (array)
A list of configured network DoS vectors

DOS_Profile_Network_Dynamic_Signatures

No description provided

Properties:

Name (Type) Default Values Description
detectionMode (string) “disabled” “disabled”, “learn-only”, “enabled” Select the enforcement state for dynamic signatures. To enable enforcement of dynamic DoS vectors, select enabled. When enforcement is enabled, all thresholds and threshold actions are applied. Select disabled to apply no action or thresholds to dynamic Vectors. Select learn-only to track dynamic vector statistics, without enforcing any thresholds or limits.
mitigationMode (string) “none” “none”, “low”, “medium”, “high” Specify the mitigation sensitivity for dynamic signatures
scrubbingCategory (reference)
Specifies the IP intelligence blacklist category to which scrubbed IPs are sent
scrubbingDuration (integer) 500 [60, 4294967295] Specify the duration in seconds for which an IP address is added to the blacklist category
scrubbingEnabled (boolean) false true, false Specify whether to enable redirection and scrubbing of IP addresses identified by dynamic vectors. This enables handling of the dynamic vector hits by an IP intelligence category.

DOS_Profile_Protocol_DNS

No description provided

Properties:

Name (Type) Default Values Description
vectors (array)
A list of configured DNS DoS vectors

DOS_Profile_Protocol_SIP

No description provided

Properties:

Name (Type) Default Values Description
vectors (array)
A list of configured SIP DoS vectors

DOS_SIP_Vector

Protocol SIP Denial-of-Service (DoS) vector

Properties:

Name (Type) Default Values Description
autoAttackCeiling (integer) 4294967295 [-infinity, 4294967295] Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to 4294967295.
autoAttackFloor (integer) 100 [-infinity, 4294967295] Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant. BIG-IP versions below 13.1.0 clamp this value to a maximum of 2147483647
autoBlacklistSettings (reference) {}
badActorSettings (reference) {}
rateIncreaseThreshold (integer) 500 [-infinity, 4294967295] Specify percent of rate increase the system must discover in traffic in order to detect this attack
rateLimit (integer) 4294967295 [-infinity, 4294967295] Specify the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit. BIG-IP versions below 13.1.0 clamp this value to a maximum of 2147483647
rateThreshold (integer) 4294967295 [-infinity, 4294967295] Specify how many packets per second the system must discover in traffic in order to detect this attack. BIG-IP versions below 13.1.0 clamp this value to a maximum of 2147483647
simulateAutoThresholdEnabled (boolean) false true, false Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds
state (string) “mitigate” “disabled”, “learn-only”, “detect-only”, “mitigate” Specifies how to enforce protection for that attack type: mitigate (watch, learn, alert, and mitigate), detect-only (watch, learn, and alert), learn-only (collect stats, no mitigation), or Disabled (no stat collection, no mitigation).
thresholdMode (string) “manual” “manual”, “stress-based-mitigation”, “fully-automatic” Specifies how thresholds are set for this vector
type (string)
“ack”, “cancel”, “message”, “options”, “prack”, “register”, “bye”, “invite”, “notify”, “other”, “publish”, “subscribe”, “uri-limit”, “malformed” Specifies the name of the DoS attack vector whose thresholds you are configuring

Endpoint_Policy

Policy to manage connections based on metadata and content

Properties:

Name (Type) Default Values Description
class (string)
“Endpoint_Policy”
customStrategy (string | object)
-, - AS3 pointer to custom strategy declaration
label (Label)
remark (Remark)
rules (array)
List of policy rules, order is significant
strategy (string) “best-match” “all-match”, “best-match”, “first-match”, “custom” Rule-matching strategy; value ‘custom’ means AS3 requires a custom strategy (default is best-match)

Endpoint_Policy_Rule

A rule for an Endpoint policy that describes actions to perform on traffic matching given conditions

Properties:

Name (Type) Default Values Description
actions (array)  
Specifies the actions for the rule to execute
conditions (array)  
Specifies the conditions for the rule to apply
name (string)
format: f5name Name of the endpoint policy rule

Endpoint_Strategy

Strategy for evaluation of an Endpoint policy

Properties:

Name (Type) Default Values Description
class (string)
“Endpoint_Strategy”
label (Label)
matchMethod (string)
“all-match”, “best-match”, “first-match” Specifies the match method
operands (array)
Specifies the attribute for the rule to match. Sometimes this represents a specific value (for example, http-method or http-status), but frequently the operand needs a specific Selector to identify an instance (for example, http-header needs a Selectorname parameter).
remark (Remark)

Enforcement_Diameter_Endpoint_Profile

Create a listener to specify how to handle traffic for policy enforcement

Properties:

Name (Type) Default Values Description
class (string)
“Enforcement_Diameter_Endpoint_Profile”
destinationHost (string)
Specifies the destination host name of the PCRF or external policy server, for example, pcrfdest.net.com
destinationRealm (string)
Specifies the realm name or network of the PCRF, for example, net.com
fatalGraceTime (integer) 500 [-infinity, infinity] Specifies the time period in seconds that a diameter (PCRF) connection can be disconnected before the system clears all subscriber session information associated with that diameter endpoint. If the connection is re-established within the fatal grace time period, session information is not cleared. A value of 0 means if the PCRF is disconnected, session information is cleared immediately.
label (Label)
messageMaxRetransmits (integer) 2 [-infinity, infinity] Specifies the maximum number of times that messages can be retransmitted from the BIG-IP system to the PCRF
messageRetransmitDelay (integer) 1500 [-infinity, infinity] Specifies the number of milliseconds to wait before retransmitting unanswered messages in case of failure from the BIG-IP system to the PCRF over the Gx interface
originHost (string)
Specifies the host name of the PCRF or external policy server, for example, pcrf.xnet.com
originRealm (string)
Specifies the realm name or network in which the PCRF resides, for example, xnet.com
parentProfile (reference) {“bigip”:”/Common/diameter-endpoint”}
Specifies the name of the object to inherit the settings from
productName (string) “BIG-IP”
Specifies the value of the string used in the product name attribute value pair (AVP), in capabilities exchange message in the diameter when communicating with the PCRF
protocolProfileGx (reference)
Specifies the protocol profile to be used when you enable subscriber discovery. The PEM protocol profile defines mapping of Diameter Gx AVPs to subscriber ID and other PEM subscriber session attributes.
supportedApps (array)
“Gx”, “Gy”, “Sd” Specifies the diameter endpoint you would like to provision. You can select Gx, Gy or SD. Gx and SD are mutually exclusive.

Enforcement_Format_Script

Specifies a script using TCL syntax that defines a custom format for HSL reporting applied in an enforcement policy rule. The format and fields available differ depending on whether you are using session-based or flow-based reporting in the rule.

Properties:

Name (Type) Default Values Description
class (string)
“Enforcement_Format_Script”
definition (string)
TCL script text
label (Label)
remark (Remark)

Enforcement_Forwarding_Endpoint

Configures an forwarding endpoint to specify PEM policy forwarding actions

Properties:

Name (Type) Default Values Description
addressTranslationEnabled (boolean) false true, false Specifies, when enabled, that the system translates the original destination address of the virtual server. When disabled, specifies that the system uses the address without translation.
class (string)
“Enforcement_Forwarding_Endpoint”
defaultPersistenceType (string) “disabled” “destination-ip”, “disabled”, “hash”, “source-ip” Specifies a persistence method for the pool member selection. If you have multiple pool members and want specific traffic to go to the same pool member, select the appropriate IP address type.
fallbackPersistenceType (string) “disabled” “destination-ip”, “disabled”, “source-ip” Specifies the fallback persistance method that is applied when default persistence fails. If you have multiple pool members and want specific traffic to go to the same pool member, select the appropriate IP address type.
label (Label)
persistenceHashSettings (Enforcement_Forwarding_Endpoint_Hash_Settings)
pool (Pointer_Pool)
portTranslationEnabled (boolean) false true, false Specifies, when enabled, that the system translates the original destination port. When disabled, specifies that the system uses the original destination port without translation.
remark (Remark)
SNATPool (Pointer_SNAT_Pool)
sourcePortAction (string) “preserve” “change”, “preserve”, “preserve-strict” Specifies whether the system preserves the source port of the connection

Enforcement_Forwarding_Endpoint_Hash_Settings

Specifies the settings for the hash persistence method

Properties:

Name (Type) Default Values Description
length (reference) 1024
Specifies the length of the source string used to calculate the hash value
offset (reference) 0
Specifies the offset, in bytes, from start of the source string to calculate the hash value
tclScript (string)
The results from this TCL script are used to calculate the hash value. If no script is specified, the URI is used instead.

Enforcement_Interception_Endpoint

Configures an interception endpoint to clone all traffic

Properties:

Name (Type) Default Values Description
class (string)
“Enforcement_Interception_Endpoint”
label (Label)
persistence (string) “disabled” “destination-ip”, “source-ip”, “disabled” Specifies the persistence that is based on either the source or destination IP addresses only
pool (Pointer_Pool)

Enforcement_Listener

Configures an enforcement data plane listener

Properties:

Name (Type) Default Values Description
class (string)
“Enforcement_Listener”
enforcementProfile (Pointer_Enforcement_Profile)
label (Label)
remark (Remark)
services (array)
A set of virtual servers
subscriberManagementProfile (Pointer_Enforcement_Subscriber_Management_Profile)

Enforcement_Policy

Configures policies for the Policy Enforcement Manager (PEM)

Properties:

Name (Type) Default Values Description
allTransactions (boolean) false true, false Specifies, when set to true, that the system enables policy enforcement for each http transaction. When set to false, the system allows only policy enforcement of the first http transaction.
class (string)
“Enforcement_Policy”
enable (boolean) true true, false Specifies the current status of the policy
label (Label)
remark (Remark)
rules (array)
Enforcement policy rules

Enforcement_Profile

Configures a subscriber policy manager profile

Properties:

Name (Type) Default Values Description
class (string)
“Enforcement_Profile”
connectionOptimizationEnabled (boolean) true true, false Specifies whether connection optimization is enabled or not
connectionOptimizationService (Pointer_Service)
label (Label)
parentProfile (reference) {“bigip”:”/Common/spm”}
Specifies the name of the object to inherit the settings from
policiesGlobalHighPrecedence (array)
Adds, deletes, or replaces a set of the policies
policiesGlobalLowPrecedence (array)
Adds, deletes, or replaces a set of the policies
policiesUnknownSubscribers (array)
Adds, deletes, or replaces a set of the policies
remark (Remark)

Enforcement_Radius_AAA_Profile

Configures a radius AAA profile

Properties:

Name (Type) Default Values Description
class (string)
“Enforcement_Radius_AAA_Profile”
label (Label)
parentProfile (reference) {“bigip”:”/Common/radiusaaa”}
Specifies the name of the object to inherit the settings from
password (object)
The password of the RADIUS AAA profile for RADIUS server authentication
remark (Remark)
retransmissionTimeout (integer)
[-infinity, 60] The number of seconds to wait before resending authentication or accounting transaction messages to the RADIUS server
sharedSecret (object)
Specifies the shared secret of the RADIUS server used for aunthentication or accounting
transactionTimeout (integer)
[5, 300] The number of seconds to wait before resending authentication or accounting transaction messages to the RADIUS server

Enforcement_Rule

A rule to match traffic flows and apply actions

Properties:

Name (Type) Default Values Description
classificationFilters (array)
Classification filters to apply to the traffic
dscpMarkingDownlink (string | integer) “pass-through” “pass-through”, [-infinity, 63] Specifies whether to set DSCP bits in the IP header of outgoing traffic to the subscriber
dscpMarkingUplink (string | integer) “pass-through” “pass-through”, [-infinity, 63] Specifies whether to set DSCP bits in the IP header of outgoing traffic to the network
DTOSTethering (reference) {}
flowInfoFilters (array)
Flow information filters to apply to the traffic
forwarding (Enforcement_Rule_Forwarding)
gateStatusEnabled (boolean) true true, false Specifies, when set to true, that the traffic can pass through the system without being changed. Select false to drop traffic that this rule applies to.
insertContent (Enforcement_Rule_Insert_Content)
interceptionEndpoint (Pointer_Enforcement_Interception_Endpoint)
iRule (Pointer_Enforcement_iRule)
l2MarkingDownlink (string | integer) “pass-through” “pass-through”, [-infinity, 7] Set Layer-2 Quality of Service Marking in downlink traffic that matches a rule. Setting a L2 QoS Marking affects the packet delivery priority. The range is 0 to 7, or pass-through. The default value is pass-through, indicating the L2 QoS Marking of the packet will not be changed when the packet matches the rule.
l2MarkingUplink (string | integer) “pass-through” “pass-through”, [-infinity, 7] Set Layer-2 Quality of Service Marking in uplink traffic that matches a rule. Setting a L2 QoS marking affects the packet delivery priority. The range is 0 to 7, or pass-through. The default value is pass-through, indicating the L2 QoS Marking of the packet will not be changed when the packet matches the rule.
modifyHttpHeader (Enforcement_Rule_Modify_HTTP_Header)
name (string)
The name of the policy rule.
precedence (integer)
[1, 4294967295] Specifies an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence (lower numbers) are evaluated before other rules with lower precedence (higher numbers).
qoeReporting (Enforcement_Rule_Report_Destination_HSL)
qosBandwidthControllerDownlink (Enforcement_Rule_QOS)
qosBandwidthControllerUplink (Enforcement_Rule_QOS)
quota (Enforcement_Rule_Quota)
ranCongestion (Enforcement_Rule_Ran_Congestion)
serviceChain (Pointer_Enforcement_Service_Chain_Endpoint)
tclFilter (string)
Specifies the tcl expression which uses iRule commands to filter the packet. It is a match if tclFilter returns TRUE/1 or nomatch if FALSE/0.
tcpAnalyticsEnabled (boolean) false true, false Specifies the action to enable tcp analytics when the traffic flow matches the rule matching criteria
tcpOptimizationDownlink (Pointer_TCP_Profile)
tcpOptimizationUplink (Pointer_TCP_Profile)
urlCategorizationFilters (array)
URL categorization filters to apply to the traffic
usageReporting (Enforcement_Rule_Usage_Reporting)

Enforcement_Rule_Classification_Filter

Defines the category or application (Layer 7) conditions that the traffic must meet (or not meet) for this enforcement policy rule to apply

Properties:

Name (Type) Default Values Description
application (Pointer_Classification_Application)
category (Pointer_Classification_Category)
invertMatch (boolean) false true, false Specifies that a traffic flow should not match the condition
name (string)
The name of the classification filter.

Enforcement_Rule_DTOS_Tethering

Specifies options for device type, operating system, and tethering detection

Properties:

Name (Type) Default Values Description
detectDtos (boolean) false true, false Specifies the detection of the subscriber’s device and the operating system
detectTethering (boolean) false true, false Specifies if you want to enable detection of tethering
reportDestinationHsl (Enforcement_Rule_Report_Destination_HSL)

Enforcement_Rule_Flow_Filter

Defines the flow conditions (Layer 4) that the traffic must meet (or not meet) for this enforcement policy rule to apply

Properties:

Name (Type) Default Values Description
destinationAddress (string) “0.0.0.0/0”
Matches traffic going to a destination address or network
destinationPort (integer) 0 [-infinity, 65535] Matches traffic headed to a destination port
dscpMarking (reference) “disabled”
Matches incoming traffic based on a value in the DSCP field in the IP header
invertMatch (boolean) false true, false Specifies that a traffic flow should not match the condition
ipAddressType (string) “any” “any”, “ipv4”, “ipv6” Specifies the IP address type that this rule applies to
name (string)
The name of the flow filter.
protocol (string) “any” “any”, “tcp”, “udp” Specifies the protocol of the traffic to which the rule applies
sourceAddress (string) “0.0.0.0/32”
Matches traffic coming from a source address or network
sourcePort (integer) 0 [-infinity, 65535] Matches traffic coming from a source port
sourceVlan (reference)
Matches incoming traffic from a VLAN

Enforcement_Rule_Forwarding

Manages the forwarding action and its attributes

Properties:

Name (Type) Default Values Description
endpoint (Pointer_Enforcement_Forwarding_Endpoint)
fallbackAction (string) “drop” “continue”, “drop” Specifies if the connection can remain unchanged or should be dropped if the forwarding action fails for any reason
icapService (reference)
ICAP service to route to
icapType (string)
“request”, “response”, “both” Specifies the ICAP adaptation type
redirectUrl (string)
Specifies that traffic affected by this rule should be redirected to the specified URL
type (string)
“icap”, “endpoint”, “route-to-network”, “http” Specifies the type of forwarding action

Enforcement_Rule_Forwarding_Endpoint

Specifies that the flow steers to a different destination

Properties:

Name (Type) Default Values Description
endpoint (Pointer_Enforcement_Forwarding_Endpoint)

Enforcement_Rule_Forwarding_HTTP

Specifies that traffic affected by this rule should be redirected to the specified URL

Properties:

Name (Type) Default Values Description
redirectUrl (string)
Specifies that traffic affected by this rule should be redirected to the specified URL

Enforcement_Rule_Forwarding_ICAP

Specifies that the flow forwards to the ICAP virtual server

Properties:

Name (Type) Default Values Description
icapService (reference)
ICAP service to route to
icapType (string)
“request”, “response”, “both” Specifies the ICAP adaptation type

Enforcement_Rule_Forwarding_Route_To_Network

Specifies that the system forwards the flow to the default destination

No properties

Enforcement_Rule_Insert_Content

Specifies the action to insert content into the webpage

Properties:

Name (Type) Default Values Description
duration (integer)
[1, 4294967295] Specifies the periodicity of the insert action in seconds
frequency (string) “always” “always”, “once”, “once-every” Specifies the number of content insertion actions per transaction
position (string) “append” “append”, “prepend” Specifies position with respect to the configured tagName
tagName (string)
Specifies the tag name to which the content is either appended or prepended
valueContent (string)
Specifies the value content to be inserted into the webpage
valueType (string) “string” “string”, “tcl-snippet” Specifies the type of content format used in the valueContent option

Enforcement_Rule_Modify_HTTP_Header

Specifies the action to modify the HTTP header when the traffic flow matches the rule matching criteria

Properties:

Name (Type) Default Values Description
headerName (string)
Specifies the HTTP header name used by the operation option to modify the HTTP header
operation (string)
“insert”, “remove” Specifies the operation used to modify the HTTP header
valueContent (string)
Specifies the HTTP header value content used by the insert operation to modify the HTTP header
valueType (string) “string” “string”, “tcl-snippet” Specifies the type of content format used in the valueContent option

Enforcement_Rule_QOS

Specifies a previously configured bandwidth control policy to apply to traffic that matches this rule

Properties:

Name (Type) Default Values Description
category (string)
Specifies a category of traffic within the bandwidth control policy to which to apply the rule. This option provides more specific rate control to a certain type of traffic. The category must be defined in the selected bandwidth control policy.
policy (Pointer_Bandwidth_Control_Policy)

Enforcement_Rule_Quota

Specify quota management options

Properties:

Name (Type) Default Values Description
ratingGroup (Pointer_Enforcement_Rating_Group)
reportingLevel (string) “rating-group” “rating-group”, “service-id” Specifies the quota reporting level

Enforcement_Rule_Ran_Congestion

Detect congestion in the Radio Access Network

Properties:

Name (Type) Default Values Description
reportDestinationHsl (Enforcement_Rule_Report_Destination_HSL)
threshold (integer) 1000 [-infinity, 2147483647] Specifies lower threshold bandwidth (in kbps) for a sesion to be marked as congested

Enforcement_Rule_Report_Destination_HSL

Specifies report destination and format

Properties:

Name (Type) Default Values Description
formatScript (Pointer_Enforcement_Format_Script)
highSpeedLogPublisher (Pointer_Log_Publisher)

Enforcement_Rule_URL_Categorization_Filter

Defines the category of URL, which provides information about the content type requested by the subscriber

Properties:

Name (Type) Default Values Description
category (reference)
Specifies which type of URL category you want the rule to affect
invertMatch (boolean) false true, false Specifies that a traffic flow should not match the condition
name (string)
The name of the URL categorization filter.

Enforcement_Rule_Usage_Gx

Sends usage monitoring data to a PCRF over a Gx interface

Properties:

Name (Type) Default Values Description
applicationReportingEnabled (boolean) false true, false Report APPLICATION_START and APPLICATION_END Event-Triggers when the application start/stop is detected
monitoringKey (string)
Specifies a string to use for usage monitoring indicating the portion of traffic that is accounted for in this dynamic policy and charging control (PCC) rule

Enforcement_Rule_Usage_Hsl

Sends reporting data to remote HSL servers

Properties:

Name (Type) Default Values Description
flowReportingFields (array)
“application-id”, “destination-ip”, “destination-transport-port”, “downlink-volume”, “flow-end-milli-seconds”, “flow-end-seconds”, “flow-start-milli-seconds”, “flow-start-seconds”, “observation-time-seconds”, “protocol-identifier”, “record-type”, “report-id”, “report-version”, “route-domain”, “source-ip”, “source-transport-port”, “subscriber-id”, “subscriber-id-type”, “timestamp-msec”, “total-transactions”, “uplink-volume”, “url-category-id”, “vlan-id” Specifies the flow fields and their order based on which messages should be published
formatScript (Pointer_Enforcement_Format_Script)
publisher (Pointer_Log_Publisher)
sessionReportingFields (array)
“3gpp-parameters”, “application-id”, “called-station-id”, “calling-station-id”, “concurrent-flows”, “downlink-volume”, “duration-seconds”, “last-record-sent”, “new-flows”, “observation-time-seconds”, “record-reason”, “record-type”, “report-id”, “report-version”, “subscriber-id”, “subscriber-id-type”, “successful-transactions”, “terminated-flows”, “timestamp-msec”, “total-transactions”, “uplink-volume” Specifies the session fields and their order based on which messages should be published
transactionReportingFields (array)
“application-id”, “destination-ip”, “destination-transport-port”, “downlink-volume”, “http-hostname”, “http-hostname-truncated”, “http-response-code”, “http-url”, “http-url-truncated”, “http-user-agent”, “http-user-agent-truncated”, “protocol-identifier”, “record-type”, “report-id”, “report-version”, “route-domain”, “skipped-transactions”, “source-ip”, “source-transport-port”, “subscriber-id”, “subscriber-id-type”, “transaction-classification-result”, “transaction-end-milli-seconds”, “transaction-end-seconds”, “transaction-number”, “transaction-start-milli-seconds”, “transaction-start-seconds”, “uplink-volume”, “url-category-id”, “vlan-id” Specifies the transaction fields and their order based on which messages should be published

Enforcement_Rule_Usage_Radius

Specifies a RADIUS internal virtual server as a reporting destination

Properties:

Name (Type) Default Values Description
radiusAAAService (Pointer_Service)

Enforcement_Rule_Usage_Reporting

Send reporting data concerning traffic affected by this rule to either an external analytics system or to a PCRF over a Gx interface

Properties:

Name (Type) Default Values Description
applicationReportingEnabled (boolean) false true, false Report APPLICATION_START and APPLICATION_END Event-Triggers when the application start/stop is detected
destination (string)
“gx”, “sd”, “hsl”, “radius-accounting” Specifies where to send the usage monitoring data
flowReportingFields (array)
“application-id”, “destination-ip”, “destination-transport-port”, “downlink-volume”, “flow-end-milli-seconds”, “flow-end-seconds”, “flow-start-milli-seconds”, “flow-start-seconds”, “observation-time-seconds”, “protocol-identifier”, “record-type”, “report-id”, “report-version”, “route-domain”, “source-ip”, “source-transport-port”, “subscriber-id”, “subscriber-id-type”, “timestamp-msec”, “total-transactions”, “uplink-volume”, “url-category-id”, “vlan-id” Specifies the flow fields and their order based on which messages should be published
formatScript (Pointer_Enforcement_Format_Script)
granularity (string) “session” “flow”, “session”, “transaction” Specifies the type of reporting will be generated when the policy applies
interval (integer) 0 [-infinity, infinity] Specifies the time interval in seconds the report will be generated. A value of 0 indicates this feature is disabled.
monitoringKey (string)
Specifies a string to use for usage monitoring indicating the portion of traffic that is accounted for in this dynamic policy and charging control (PCC) rule
publisher (Pointer_Log_Publisher)
radiusAAAService (Pointer_Service)
sessionReportingFields (array)
“3gpp-parameters”, “application-id”, “called-station-id”, “calling-station-id”, “concurrent-flows”, “downlink-volume”, “duration-seconds”, “last-record-sent”, “new-flows”, “observation-time-seconds”, “record-reason”, “record-type”, “report-id”, “report-version”, “subscriber-id”, “subscriber-id-type”, “successful-transactions”, “terminated-flows”, “timestamp-msec”, “total-transactions”, “uplink-volume” Specifies the session fields and their order based on which messages should be published
transaction (Enforcement_Rule_Usage_Reporting_Transaction)
transactionReportingFields (array)
“application-id”, “destination-ip”, “destination-transport-port”, “downlink-volume”, “http-hostname”, “http-hostname-truncated”, “http-response-code”, “http-url”, “http-url-truncated”, “http-user-agent”, “http-user-agent-truncated”, “protocol-identifier”, “record-type”, “report-id”, “report-version”, “route-domain”, “skipped-transactions”, “source-ip”, “source-transport-port”, “subscriber-id”, “subscriber-id-type”, “transaction-classification-result”, “transaction-end-milli-seconds”, “transaction-end-seconds”, “transaction-number”, “transaction-start-milli-seconds”, “transaction-start-seconds”, “uplink-volume”, “url-category-id”, “vlan-id” Specifies the transaction fields and their order based on which messages should be published
volume (Enforcement_Rule_Usage_Reporting_Volume)

Enforcement_Rule_Usage_Reporting_Transaction

Specifies policy enforcement configuration on transaction report for each HTTP transaction

Properties:

Name (Type) Default Values Description
hostname (integer) 0 [-infinity, 65535] Specifies the maximum HTTP hostname string length option to include in the HTTP transaction report
uri (integer) 256 [-infinity, 65535] Specifies the maximum HTTP URI string length option to include in the HTTP transaction report
userAgent (integer) 0 [-infinity, 65535] Specifies the maximum HTTP user agent string length to include in the HTTP transaction report

Enforcement_Rule_Usage_Reporting_Volume

Configures volume threshold settings

Properties:

Name (Type) Default Values Description
downlink (integer) 0 [-infinity, infinity] Send reporting data if the number of octets to the client exceeds the threshold. A value of 0 indicates this feature is disabled.
total (integer) 0 [-infinity, infinity] Send reporting data if the total number of octets both to and from the client exceeds the threshold. A value of 0 indicates this feature is disabled.
uplink (integer) 0 [-infinity, infinity] Send reporting data if the number of octets from the client exceeds the threshold. A value of 0 indicates this feature is disabled.

Enforcement_Rule_Usage_Sd

Sends usage monitoring data to a PCRF over a Sd interface

Properties:

Name (Type) Default Values Description
applicationReportingEnabled (boolean) false true, false Report APPLICATION_START and APPLICATION_END Event-Triggers when the application start/stop is detected
monitoringKey (string)
Specifies a string to use for usage monitoring indicating the portion of traffic that is accounted for in this dynamic policy and charging control (PCC) rule

Enforcement_Service_Chain_Endpoint

Configures service chain endpoint definitions for the Policy Enforcement Manager (PEM)

Properties:

Name (Type) Default Values Description
class (string)
“Enforcement_Service_Chain_Endpoint”
label (Label)
remark (Remark)
serviceEndpoints (array)
Specifies a list of forwarding endpoints that define where to send traffic on the way to its final destination. This way, the system can route traffic to other servers that can provide value-added services. Traffic goes to the endpoints in the order in which they are listed.

Enforcement_Service_Chain_Endpoint_Service_Endpoint

Configures an individual service chain endpoint

Properties:

Name (Type) Default Values Description
forwardingEndpoint (Pointer_Enforcement_Forwarding_Endpoint)
internalService (reference)
Specifies the internal ICAP virtual server
internalServiceICAPType (string)
“request”, “response”, “both”, “none” Specifies the ICAP adaptation type. Select “request” to send only HTTP requests to ICAP server. Select “response” to send only HTTP responses to ICAP server. Select “both” to have both requests and responses.
name (string)
Specify the name of the service endpoint where the traffic is going to
serviceOption (string) “mandatory” “mandatory”, “optional” Specifies the service option in case the service endpoint is not accessible through the network, for forwarding endpoint. For ICAP service endpoint, the service endpoint works as a fallback action for non-HTTP traffic. Select “optional” if you want to skip the service endpoint. Select “mandatory” if you want all traffic flows dropped.
sourceVLAN (Pointer_VLAN)
steeringPolicy (Pointer_Enforcement_Policy)

Enforcement_Subscriber_Management_Profile

Configures a subscriber management profile

Properties:

Name (Type) Default Values Description
class (string)
“Enforcement_Subscriber_Management_Profile”
dhcpLeaseQuery (Enforcement_Subscriber_Management_Profile_DHCP)
label (Label)
parentProfile (reference) {“bigip”:”/Common/subscriber-mgmt”}
Specifies the name of the object to inherit the settings from
remark (Remark)
serverSideSessionsEnabled (boolean) true true, false Specifies that the session is created based on server side IP when the server side traffic comes and is enabled

Enforcement_Subscriber_Management_Profile_DHCP

Configures DHCP lease query settings for a subscriber management profile

Properties:

Name (Type) Default Values Description
enabled (boolean) true true, false Specifies that the subscriber management settings use DHCP lease query to communicate with DHCP servers to obtain DHCP lease information for the unknown IP address and creates a new policy enforcement session using the lease information received
service (Pointer_Service)

Enum_Continent_Code_Alpha_2

Enum values for Alpha-2 continent codes based on ISO 3166. Use two dashes (–) if Unknown

Type string with possible values: “–”, “AF”, “AN”, “AS”, “EU”, “NA”, “OC”, “SA”

Enum_Country_Analytics

Enum values for Analytics_Profile

Type string with possible values: “Afghanistan”, “Aland Islands”, “Albania”, “Algeria”, “American Samoa”, “Andorra”, “Angola”, “Anguilla”, “Anonymous Proxy”, “Antarctica”, “Antigua and Barbuda”, “Argentina”, “Armenia”, “Aruba”, “Asia/Pacific Region”, “Australia”, “Austria”, “Azerbaijan”, “Bahamas”, “Bahrain”, “Bangladesh”, “Barbados”, “Belarus”, “Belgium”, “Belize”, “Benin”, “Bermuda”, “Bhutan”, “Bolivia”, “Bonaire, Saint Eustatius and Saba”, “Bosnia and Herzegovina”, “Botswana”, “Bouvet Island”, “Brazil”, “British Indian Ocean Territory”, “Brunei Darussalam”, “Bulgaria”, “Burkina Faso”, “Burundi”, “Cambodia”, “Cameroon”, “Canada”, “Cape Verde”, “Cayman Islands”, “Central African Republic”, “Chad”, “Chile”, “China”, “Christmas Island”, “Cocos (Keeling) Islands”, “Colombia”, “Comoros”, “Congo”, “Congo, The Democratic Republic of the”, “Cook Islands”, “Costa Rica”, “Cote D’Ivoire”, “Croatia”, “Cuba”, “Cyprus”, “Czech Republic”, “Denmark”, “Djibouti”, “Dominica”, “Dominican Republic”, “Ecuador”, “Egypt”, “El Salvador”, “Equatorial Guinea”, “Eritrea”, “Estonia”, “Ethiopia”, “Europe”, “Falkland Islands (Malvinas)”, “Faroe Islands”, “Fiji”, “Finland”, “France”, “France, Metropolitan”, “French Guiana”, “French Polynesia”, “French Southern Territories”, “Gabon”, “Gambia”, “Georgia”, “Germany”, “Ghana”, “Gibraltar”, “Greece”, “Greenland”, “Grenada”, “Guadeloupe”, “Guam”, “Guatemala”, “Guernsey”, “Guinea”, “Guinea-Bissau”, “Guyana”, “Haiti”, “Heard Island and McDonald Islands”, “Holy See (Vatican City State)”, “Honduras”, “Hong Kong”, “Hungary”, “Iceland”, “India”, “Indonesia”, “Iran, Islamic Republic of”, “Iraq”, “Ireland”, “Isle of Man”, “Israel”, “Italy”, “Jamaica”, “Japan”, “Jersey”, “Jordan”, “Kazakhstan”, “Kenya”, “Kiribati”, “Korea, Democratic People’s Republic of”, “Korea, Republic of”, “Kuwait”, “Kyrgyzstan”, “Lao People’s Democratic Republic”, “Latvia”, “Lebanon”, “Lesotho”, “Liberia”, “Libyan Arab Jamahiriya”, “Liechtenstein”, “Lithuania”, “Luxembourg”, “Macau”, “Macedonia”, “Madagascar”, “Malawi”, “Malaysia”, “Maldives”, “Mali”, “Malta”, “Marshall Islands”, “Martinique”, “Mauritania”, “Mauritius”, “Mayotte”, “Mexico”, “Micronesia, Federated States of”, “Moldova, Republic of”, “Monaco”, “Mongolia”, “Montenegro”, “Montserrat”, “Morocco”, “Mozambique”, “Myanmar”, “Namibia”, “Nauru”, “Nepal”, “Netherlands”, “Netherlands Antilles”, “New Caledonia”, “New Zealand”, “Nicaragua”, “Niger”, “Nigeria”, “Niue”, “Norfolk Island”, “Northern Mariana Islands”, “Norway”, “Oman”, “Other”, “Pakistan”, “Palau”, “Palestinian Territory”, “Panama”, “Papua New Guinea”, “Paraguay”, “Peru”, “Philippines”, “Pitcairn Islands”, “Poland”, “Portugal”, “Puerto Rico”, “Qatar”, “Reunion”, “Romania”, “Russian Federation”, “Rwanda”, “Saint Barthelemy”, “Saint Helena”, “Saint Kitts and Nevis”, “Saint Lucia”, “Saint Martin”, “Saint Pierre and Miquelon”, “Saint Vincent and the Grenadines”, “Samoa”, “San Marino”, “Sao Tome and Principe”, “Satellite Provider”, “Saudi Arabia”, “Senegal”, “Serbia”, “Seychelles”, “Sierra Leone”, “Singapore”, “Slovakia”, “Slovenia”, “Solomon Islands”, “Somalia”, “South Africa”, “South Georgia and the South Sandwich Islands”, “Spain”, “Sri Lanka”, “Sudan”, “Suriname”, “Svalbard and Jan Mayen”, “Swaziland”, “Sweden”, “Switzerland”, “Syrian Arab Republic”, “Taiwan”, “Tajikistan”, “Tanzania, United Republic of”, “Thailand”, “Timor-Leste”, “Togo”, “Tokelau”, “Tonga”, “Trinidad and Tobago”, “Tunisia”, “Turkey”, “Turkmenistan”, “Turks and Caicos Islands”, “Tuvalu”, “Uganda”, “Ukraine”, “United Arab Emirates”, “United Kingdom”, “United States”, “United States Minor Outlying Islands”, “Unknown”, “Uruguay”, “Uzbekistan”, “Vanuatu”, “Venezuela”, “Vietnam”, “Virgin Islands, British”, “Virgin Islands, U.S.”, “Wallis and Futuna”, “Western Sahara”, “Yemen”, “Zambia”, “Zimbabwe”

Enum_Country_Code_Alpha_2

Enum values for Alpha-2 country codes based on ISO 3166. Use two dashes (–) if Unknown

Type string with possible values: “–”, “A1”, “A2”, “AD”, “AE”, “AF”, “AG”, “AI”, “AL”, “AM”, “AN”, “AO”, “AP”, “AQ”, “AR”, “AS”, “AT”, “AU”, “AW”, “AX”, “AZ”, “BA”, “BB”, “BD”, “BE”, “BF”, “BG”, “BH”, “BI”, “BJ”, “BL”, “BM”, “BN”, “BO”, “BQ”, “BR”, “BS”, “BT”, “BV”, “BW”, “BY”, “BZ”, “CA”, “CC”, “CD”, “CF”, “CG”, “CH”, “CI”, “CK”, “CL”, “CM”, “CN”, “CO”, “CR”, “CU”, “CV”, “CX”, “CY”, “CZ”, “DE”, “DJ”, “DK”, “DM”, “DO”, “DZ”, “EC”, “EE”, “EG”, “EH”, “ER”, “ES”, “ET”, “EU”, “FI”, “FJ”, “FK”, “FM”, “FO”, “FR”, “FX”, “GA”, “GB”, “GD”, “GE”, “GF”, “GG”, “GH”, “GI”, “GL”, “GM”, “GN”, “GP”, “GQ”, “GR”, “GS”, “GT”, “GU”, “GW”, “GY”, “HK”, “HM”, “HN”, “HR”, “HT”, “HU”, “ID”, “IE”, “IL”, “IM”, “IN”, “IO”, “IQ”, “IR”, “IS”, “IT”, “JE”, “JM”, “JO”, “JP”, “KE”, “KG”, “KH”, “KI”, “KM”, “KN”, “KP”, “KR”, “KW”, “KY”, “KZ”, “LA”, “LB”, “LC”, “LI”, “LK”, “LR”, “LS”, “LT”, “LU”, “LV”, “LY”, “MA”, “MC”, “MD”, “ME”, “MF”, “MG”, “MH”, “MK”, “ML”, “MM”, “MN”, “MO”, “MP”, “MQ”, “MR”, “MS”, “MT”, “MU”, “MV”, “MW”, “MX”, “MY”, “MZ”, “NA”, “NC”, “NE”, “NF”, “NG”, “NI”, “NL”, “NO”, “NP”, “NR”, “NU”, “NZ”, “O1”, “OM”, “PA”, “PE”, “PF”, “PG”, “PH”, “PK”, “PL”, “PM”, “PN”, “PR”, “PS”, “PT”, “PW”, “PY”, “QA”, “RE”, “RO”, “RS”, “RU”, “RW”, “SA”, “SB”, “SC”, “SD”, “SE”, “SG”, “SH”, “SI”, “SJ”, “SK”, “SL”, “SM”, “SN”, “SO”, “SR”, “ST”, “SV”, “SY”, “SZ”, “TC”, “TD”, “TF”, “TG”, “TH”, “TJ”, “TK”, “TL”, “TM”, “TN”, “TO”, “TR”, “TT”, “TV”, “TW”, “TZ”, “UA”, “UG”, “UM”, “US”, “UY”, “UZ”, “VA”, “VC”, “VE”, “VG”, “VI”, “VN”, “VU”, “WF”, “WS”, “YE”, “YT”, “ZA”, “ZM”, “ZW”

Enum_ISP

Enum values for Internet Service Providers (ISP)

Type string with possible values: “AOL”, “BeijingCNC”, “ChinaEducationNetwork”, “ChinaMobilNetwork”, “ChinaRailwayTelcom”, “ChinaTelecom”, “ChinaUnicom”, “CNC”, “Comcast”, “Earthlink”, “ShanghaiCNC”, “ShanghaiTelecom”

Firewall_Address_List

Declares an address-list for use by firewall rules. An address list is a list of IP-address prefixes to compare against the source-IP address and/or destination-IP address in an IP packet

Properties:

Name (Type) Default Values Description
addresses (array)
A list of IPv4 and IPv6 addresses and address ranges. You can specify a network with CIDR slash notation.
addressLists (array)
A list of other address lists (each by AS3 pointer or BIG-IP pathname).
class (string)
“Firewall_Address_List”
fqdns (array)
A list of fully qualified domain names.
geo (array)
A list of geographic locations (for example, US:Washington).
label (Label)
remark (Remark)

Firewall_Policy

Configures firewall policy

Properties:

Name (Type) Default Values Description
class (string)
“Firewall_Policy”
label (Label)
remark (Remark)
rules (array)
-, - A list of firewall policy rules

Firewall_Port_List

Declares a port-list for use by firewall rules. A firewall rule can match a packet’s source port or destination port against one of the ports in a port list, and can take some action (such as ACCEPT or DROP) for a matching packet.

Properties:

Name (Type) Default Values Description
class (string)
“Firewall_Port_List”
label (Label)
portLists (array)
A list of other port lists (each by AS3 pointer or BIG-IP pathname).
ports (array)
[-infinity, infinity] A list of ports and port ranges (for example, 80, “8080-8090”).
remark (Remark)

Firewall_Rule

Declares a network firewall rule.

Properties:

Name (Type) Default Values Description
action (string)
“accept”, “drop” Specifies the action that the firewall rule will take on matching packets.
destination (Firewall_Rule_Destination)
iRule (object)
Specifies the name of the iRule (by AS3 pointer or BIG-IP pathname) that the system will trigger when a packet matches the firewall rule.
iRuleSampleRate (integer)
[-infinity, infinity] Specifies the rate at which the system will trigger the specified iRule when a packet matches this firewall rule. The default value is 1 and causes the system to trigger the iRule for every packet that matches. A value of 0 disables iRule triggering.
label (Label)
loggingEnabled (boolean) false true, false Specifies whether the system enables or disables logging for the firewall rule.
name (string)
The name of the firewall rule.
protocol (string) “any” “any”, “tcp”, “udp” Specifies the protocol to which the firewall rule applies
remark (Remark)
source (Firewall_Rule_Source)

Firewall_Rule_Destination

Declares the packet destinations to which the network firewall rule applies.

Properties:

Name (Type) Default Values Description
addressLists (array)
A list of address lists (each by AS3 pointer or BIG-IP pathname).
portLists (array)
A list of port lists (each by AS3 pointer or BIG-IP pathname).

Firewall_Rule_List

Declares a list of network firewall rules. You can reuse a rule list in multiple firewalls, such as the firewalls for self IPs, routing domains, and the global firewall.

Properties:

Name (Type) Default Values Description
class (string)
“Firewall_Rule_List”
label (Label)
remark (Remark)
rules (array)
A list of network firewall rules.

Firewall_Rule_Source

Declares the packet sources to which the network firewall rule applies.

Properties:

Name (Type) Default Values Description
addressLists (array)
A list of address lists (each by AS3 pointer or BIG-IP pathname).
portLists (array)
A list of port lists (each by AS3 pointer or BIG-IP pathname).

FIX_Profile

Configures a Financial Information eXchange Protocol (FIX) profile

Properties:

Name (Type) Default Values Description
class (string)
“FIX_Profile”
errorAction (string) “dont-forward” “dont-forward”, “drop-connection” Specifies the error handling method
fullLogonParsingEnabled (boolean) true true, false Enables or disables logon message as always fully parsed. Other messages are parsed according to the configuration of Quick Parsing
label (Label)
messageLogPublisher (reference)
Specifies the publisher for message logging
parentProfile (reference) {“bigip”:”/Common/fix”}
Specifies the name of the profile object to inherit the settings from
quickParsingEnabled (boolean) false true, false Enables or disables quick parsing which parses the basic standard fields and validates message length and checksum
remark (Remark)
reportLogPublisher (reference)
Specifies the publisher for error messages and status reports
responseParsingEnabled (boolean) false true, false Enables or disables response parsing which parses the messages from the FIX server. Applies the same parser configuration and error handling at server side as at client side. If not enabled, server side messages are directly passed through
senderTagMappingList (array)
Specifies the mappings between sender ID and tag substitution data group.
statisticsSampleInterval (integer) 20 [10, 4294967295] Specifies the sample interval of the message rate in seconds

GSLB_Data_Center

Declares a GSLB Data Center configuration

Properties:

Name (Type) Default Values Description
class (string)
“GSLB_Data_Center”
contact (string)
Specifies the name of the administrator or the name of the department that manages the data center
enabled (boolean) true true, false Specifies whether the data center is enabled or disabled
label (Label)
location (string)
Specifies the location of the data center
proberFallback (string) “any-available” “any-available”, “inside-datacenter”, “none”, “outside-datacenter”, “pool” Specifies the type of prober to use to monitor servers defined in this data center when the preferred type is not available. The default value is any-available
proberPool (Pointer_GSLB_Prober_Pool)
proberPreferred (string) “inside-datacenter” “inside-datacenter”, “outside-datacenter”, “pool” Specifies the type of prober to use to monitor servers defined in this data center. The default value is inside-data-center. Note: Prober pools are not used by the bigip monitor
remark (Remark)

GSLB_Domain

Configures GSLB (Global Server Load Balancing) settings for a domain.

Properties:

Name (Type) Default Values Description
aliases (array)
List of alternate domain names. Each may include wildcard characters.
class (string)
“GSLB_Domain”
domainName (string)
The name of the domain for the site content you are load balancing. If you have many domains, you can use two different wildcard characters, * and ?, to represent one or more characters in the domain alias, which reduces the number of aliases you have to add to the configuration
enabled (boolean) true true, false When true (default), the system can use the domain and its resources for load balancing requests
label (Label)
lastResortPool (Pointer_GSLB_Pool)
Specifies the pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool
lastResortPoolType (string)
“A”, “AAAA”, “CNAME”, “MX” This is used to specify the type of pool being used for the lastResortPool
poolLbMode (string) “round-robin” “global-availability”, “ratio”, “round-robin”, “topology” Specifies the load balancing method used to select a pool in this domain
pools (array)
Specifies the pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool
poolsCname (array)
Specifies the cname pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool
remark (Remark)
resourceRecordType (string)
“A”, “AAAA”, “CNAME”, “MX” Specifies the type of resource records for this domain

GSLB_Domain_A

Configures GSLB (Global Server Load Balancing) settings for A domain.

Properties:

Name (Type) Default Values Description
aliases (array)
List of alternate domain names. Each may include wildcard characters.
class (string)
“GSLB_Domain”
domainName (string)
The name of the domain for the site content you are load balancing. If you have many domains, you can use two different wildcard characters, * and ?, to represent one or more characters in the domain alias, which reduces the number of aliases you have to add to the configuration
enabled (boolean) true true, false When true (default), the system can use the domain and its resources for load balancing requests
label (Label)
lastResortPool (Pointer_GSLB_Pool)
Specifies the pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool
lastResortPoolType (string)
“A”, “AAAA”, “CNAME”, “MX” This is used to specify the type of pool being used for the lastResortPool
poolLbMode (string) “round-robin” “global-availability”, “ratio”, “round-robin”, “topology” Specifies the load balancing method used to select a pool in this domain
pools (array)
Specifies the pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool
poolsCname (array)
Specifies the cname pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool
remark (Remark)
resourceRecordType (string)
“A”, “AAAA”, “CNAME”, “MX” Specifies the type of resource records for this domain

GSLB_Domain_AAAA

Configures GSLB (Global Server Load Balancing) settings for AAAA domain.

Properties:

Name (Type) Default Values Description
aliases (array)
List of alternate domain names. Each may include wildcard characters.
class (string)
“GSLB_Domain”
domainName (string)
The name of the domain for the site content you are load balancing. If you have many domains, you can use two different wildcard characters, * and ?, to represent one or more characters in the domain alias, which reduces the number of aliases you have to add to the configuration
enabled (boolean) true true, false When true (default), the system can use the domain and its resources for load balancing requests
label (Label)
lastResortPool (Pointer_GSLB_Pool)
Specifies the pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool
lastResortPoolType (string)
“A”, “AAAA”, “CNAME”, “MX” This is used to specify the type of pool being used for the lastResortPool
poolLbMode (string) “round-robin” “global-availability”, “ratio”, “round-robin”, “topology” Specifies the load balancing method used to select a pool in this domain
pools (array)
Specifies the pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool
poolsCname (array)
Specifies the cname pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool
remark (Remark)
resourceRecordType (string)
“A”, “AAAA”, “CNAME”, “MX” Specifies the type of resource records for this domain

GSLB_Domain_CNAME

Configures GSLB (Global Server Load Balancing) settings for CNAME domain.

Properties:

Name (Type) Default Values Description
aliases (array)
List of alternate domain names. Each may include wildcard characters.
class (string)
“GSLB_Domain”
domainName (string)
The name of the domain for the site content you are load balancing. If you have many domains, you can use two different wildcard characters, * and ?, to represent one or more characters in the domain alias, which reduces the number of aliases you have to add to the configuration
enabled (boolean) true true, false When true (default), the system can use the domain and its resources for load balancing requests
label (Label)
lastResortPool (Pointer_GSLB_Pool)
Specifies the pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool
lastResortPoolType (string)
“A”, “AAAA”, “CNAME”, “MX” This is used to specify the type of pool being used for the lastResortPool
poolLbMode (string) “round-robin” “global-availability”, “ratio”, “round-robin”, “topology” Specifies the load balancing method used to select a pool in this domain
pools (array)
Specifies the pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool
poolsCname (array)
Specifies the cname pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool
remark (Remark)
resourceRecordType (string)
“A”, “AAAA”, “CNAME”, “MX” Specifies the type of resource records for this domain

GSLB_Domain_MX

Configures GSLB (Global Server Load Balancing) settings for MX domain.

Properties:

Name (Type) Default Values Description
aliases (array)
List of alternate domain names. Each may include wildcard characters.
class (string)
“GSLB_Domain”
domainName (string)
The name of the domain for the site content you are load balancing. If you have many domains, you can use two different wildcard characters, * and ?, to represent one or more characters in the domain alias, which reduces the number of aliases you have to add to the configuration
enabled (boolean) true true, false When true (default), the system can use the domain and its resources for load balancing requests
label (Label)
lastResortPool (Pointer_GSLB_Pool)
Specifies the pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool
lastResortPoolType (string)
“A”, “AAAA”, “CNAME”, “MX” This is used to specify the type of pool being used for the lastResortPool
poolLbMode (string) “round-robin” “global-availability”, “ratio”, “round-robin”, “topology” Specifies the load balancing method used to select a pool in this domain
pools (array)
Specifies the pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool
poolsCname (array)
Specifies the cname pools that this domain uses for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool
remark (Remark)
resourceRecordType (string)
“A”, “AAAA”, “CNAME”, “MX” Specifies the type of resource records for this domain

GSLB_Monitor

Declares a monitor that verifies the availability and/or performance status of a particular protocol, service or application

Properties:

Name (Type) Default Values Description
ciphers (string) “DEFAULT”
Ciphersuite selection string
class (string)
“GSLB_Monitor”
clientCertificate (string)
AS3 pointer to client Certificate declaration, for TLS authentication (optional)
debugEnabled (boolean) false true, false When enabled, the monitor sends error messages and additional information to a log file created and labeled specifically for this monitor. The default is false (disabled)
ignoreDownResponseEnabled (boolean) false true, false Specifies whether the monitor immediately marks an object down when it receives a down response. If enabled, the monitor ignores the down response for the duration of timeout. The default is false (disabled)
interval (integer) 30 [-infinity, 86399] Specifies, in seconds, the frequency at which the system issues the monitor check when either the resource is down or the status of the resource is unknown
label (Label)
monitorType (string)
“http”, “https”, “gateway-icmp”, “tcp”, “udp” Specifies the type of monitor
probeAttempts (integer) 3 [-infinity, infinity] Specifies the number of times the BIG-IP system attempts to probe the host server, after which the BIG-IP system considers the host server down or unavailable
probeInterval (integer) 1 [-infinity, infinity] Specifies the frequency at which the BIG-IP system probes the host server
probeTimeout (integer) 5 [-infinity, infinity] Specifies the number of seconds after which the system times out the probe request to the system
receive (string) “HTTP/1.”
Specifies the text string that the monitor looks for in the returned resource. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only
remark (Remark)
reverseEnabled (boolean) false true, false When enabled, a successful check marks the monitored object down instead of up. You can use the Reverse mode only if you configure both the send and receive options
send (string) “HEAD / HTTP/1.0rnrn”
Specifies the text string that the monitor sends to the target object. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only
target (string) :
Specifies the IP address and service port of the resource that is the destination of this monitor. Format is ip:port
timeout (integer) 120 [-infinity, 86400] Specifies the number of seconds the target has in which to respond to the monitor request
transparent (boolean) false true, false Enables monitoring of pool members through firewalls. The default value is false (disabled)

GSLB_Monitor_HTTP

Additional Monitor class properties available when monitorType = http

Properties:

Name (Type) Default Values Description
receive (string) “HTTP/1.”
Specifies the text string that the monitor looks for in the returned resource. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only
reverseEnabled (boolean) false true, false When enabled, a successful check marks the monitored object down instead of up. You can use the Reverse mode only if you configure both the send and receive options
send (string) “HEAD / HTTP/1.0rnrn”
Specifies the text string that the monitor sends to the target object. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only

GSLB_Monitor_HTTPS

Additional Monitor class properties available when monitorType = https

Properties:

Name (Type) Default Values Description
ciphers (string) “DEFAULT”
Ciphersuite selection string
clientCertificate (string)
AS3 pointer to client Certificate declaration, for TLS authentication (optional)
receive (string) “HTTP/1.”
Specifies the text string that the monitor looks for in the returned resource. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only
reverseEnabled (boolean) false true, false When enabled, a successful check marks the monitored object down instead of up. You can use the Reverse mode only if you configure both the send and receive options
send (string) “HEAD / HTTP/1.0rnrn”
Specifies the text string that the monitor sends to the target object. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only

GSLB_Monitor_ICMP

Additional Monitor class properties available when monitorType = gateway-icmp

Properties:

Name (Type) Default Values Description
probeAttempts (integer) 3 [-infinity, infinity] Specifies the number of times the BIG-IP system attempts to probe the host server, after which the BIG-IP system considers the host server down or unavailable
probeInterval (integer) 1 [-infinity, infinity] Specifies the frequency at which the BIG-IP system probes the host server

GSLB_Monitor_TCP

Additional Monitor class properties available when monitorType = tcp

Properties:

Name (Type) Default Values Description
receive (string) “”
Specifies the text string that the monitor looks for in the returned resource. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only
reverseEnabled (boolean) false true, false When enabled, a successful check marks the monitored object down instead of up. You can use the Reverse mode only if you configure both the send and receive options
send (string) “”
Specifies the text string that the monitor sends to the target object. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only

GSLB_Monitor_UDP

Additional Monitor class properties available when monitorType = udp

Properties:

Name (Type) Default Values Description
debugEnabled (boolean) false true, false When enabled, the monitor sends error messages and additional information to a log file created and labeled specifically for this monitor. The default is false (disabled)
probeAttempts (integer) 3 [-infinity, infinity] Specifies the number of times the BIG-IP system attempts to probe the host server, after which the BIG-IP system considers the host server down or unavailable
probeInterval (integer) 1 [-infinity, infinity] Specifies the frequency at which the BIG-IP system probes the host server
receive (string) “”
Specifies the text string that the monitor looks for in the returned resource. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only
reverseEnabled (boolean) false true, false When enabled, a successful check marks the monitored object down instead of up. You can use the Reverse mode only if you configure both the send and receive options
send (string) “default send string”
Specifies the text string that the monitor sends to the target object. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only

GSLB_Pool

Declares a pool to use for load balancing

Properties:

Name (Type) Default Values Description
bpsLimit (integer) 0 [-infinity, infinity] The maximum allowable data throughput rate, in bits per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable
bpsLimitEnabled (boolean) false true, false Enables or disables the maximum Bits Per Second (BPS) option for this pool. The default value is false (disabled)
class (string)
“GSLB_Pool”
connectionsLimit (integer) 0 [-infinity, infinity] The number of current connections allowed for the virtual servers in the pool. If the current connections exceed this value, the system marks the pool as unavailable
connectionsLimitEnabled (boolean) false true, false Enables or disables the maximum current connections option for this pool. The default value is false (disabled)
enabled (boolean) true true, false Specifies whether the pool and its resources are available for load balancing
fallbackIP (string)
format: f5ip Specifies the IP address of the server to which the system directs requests when it cannot use one of its pools to do so. Note that the system uses the fallback IP only if you select a Fallback load balancing method
label (Label)
lbModeAlternate (string) “round-robin” “drop-packet”, “fallback-ip”, “global-availability”, “packet-rate”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” Alternate Load Balancing mode
lbModeFallback (string) “return-to-dns” “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” Fallback Load Balancing mode
lbModePreferred (string) “round-robin” “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score” Preferred Load Balancing mode
manualResumeEnabled (boolean) false true, false Specifies, whether you must manually restart a pool member that goes down
maxAnswersReturned (integer) 1 [1, 500] Specifies the maximum number of available virtual servers that the system lists in a response
members (array)
Specifies the members of this pool
monitors (array)
Specifies the health monitors that the system uses to determine whether it can use this pool for load balancing
ppsLimit (integer) 0 [-infinity, infinity] The maximum allowable data transfer rate, in packets per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable
ppsLimitEnabled (boolean) false true, false Enables or disables the maximum Packets Per Second (PPS) option for this pool. The default value is false (disabled)
qosHitRatio (integer) 5 [-infinity, infinity] Assigns a weight to the Hit Ratio performance factor for the Quality of Service dynamic load balancing mode
qosHops (integer) 0 [-infinity, infinity] Assigns a weight to the Hops performance factor for the Quality of Service dynamic load balancing mode
qosKbps (integer) 3 [-infinity, infinity] Assigns a weight to the Kilobytes per Second performance factor for the Quality of Service dynamic load balancing mode
qosLinkCapacity (integer) 30 [-infinity, infinity] Assigns a weight to the Link Capacity performance factor for the Quality of Service dynamic load balancing mode
qosPacketRate (integer) 1 [-infinity, infinity] Assigns a weight to the Packet Rate performance factor for the Quality of Service dynamic load balancing mode
qosRoundTripTime (integer) 50 [-infinity, infinity] Assigns a weight to the Round Trip Time performance factor for the Quality of Service dynamic load balancing mode
qosTopology (integer) 0 [-infinity, infinity] Assigns a weight to the Topology performance factor for the Quality of Service dynamic load balancing mode
qosVirtualServerCapacity (integer) 0 [-infinity, infinity] Assigns a weight to the Virtual Server performance factor for the Quality of Service dynamic load balancing mode
qosVirtualServerScore (integer) 0 [-infinity, infinity] Assigns a weight to the Virtual Server Score performance factor for the Quality of Service dynamic load balancing mode
remark (Remark)
resourceRecordType (string)
“A”, “AAAA”, “CNAME”, “MX” Specifies the type of resource records for this domain
ttl (integer) 30 [-infinity, 4294967295] Specifies the number of seconds that the IP address, once found, is valid. Once the time-to-live (TTL) expires, the client has to request the IP address resolution again
verifyMemberEnabled (boolean) true true, false Specifie that the system verifies the availability of the pool members before sending a connection to those resources

GSLB_Pool_A

Pointer to a Pool A object

Properties:

Name (Type) Default Values Description
bpsLimit (integer) 0 [-infinity, infinity] The maximum allowable data throughput rate, in bits per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable
bpsLimitEnabled (boolean) false true, false Enables or disables the maximum Bits Per Second (BPS) option for this pool. The default value is false (disabled)
class (string)
“GSLB_Pool”
connectionsLimit (integer) 0 [-infinity, infinity] The number of current connections allowed for the virtual servers in the pool. If the current connections exceed this value, the system marks the pool as unavailable
connectionsLimitEnabled (boolean) false true, false Enables or disables the maximum current connections option for this pool. The default value is false (disabled)
enabled (boolean) true true, false Specifies whether the pool and its resources are available for load balancing
fallbackIP (string)
format: f5ip Specifies the IP address of the server to which the system directs requests when it cannot use one of its pools to do so. Note that the system uses the fallback IP only if you select a Fallback load balancing method
label (Label)
lbModeAlternate (string) “round-robin” “drop-packet”, “fallback-ip”, “global-availability”, “packet-rate”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” Alternate Load Balancing mode
lbModeFallback (string) “return-to-dns” “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” Fallback Load Balancing mode
lbModePreferred (string) “round-robin” “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score” Preferred Load Balancing mode
manualResumeEnabled (boolean) false true, false Specifies, whether you must manually restart a pool member that goes down
maxAnswersReturned (integer) 1 [1, 500] Specifies the maximum number of available virtual servers that the system lists in a response
members (array)
Specifies the members of this pool
monitors (array)
Specifies the health monitors that the system uses to determine whether it can use this pool for load balancing
ppsLimit (integer) 0 [-infinity, infinity] The maximum allowable data transfer rate, in packets per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable
ppsLimitEnabled (boolean) false true, false Enables or disables the maximum Packets Per Second (PPS) option for this pool. The default value is false (disabled)
qosHitRatio (integer) 5 [-infinity, infinity] Assigns a weight to the Hit Ratio performance factor for the Quality of Service dynamic load balancing mode
qosHops (integer) 0 [-infinity, infinity] Assigns a weight to the Hops performance factor for the Quality of Service dynamic load balancing mode
qosKbps (integer) 3 [-infinity, infinity] Assigns a weight to the Kilobytes per Second performance factor for the Quality of Service dynamic load balancing mode
qosLinkCapacity (integer) 30 [-infinity, infinity] Assigns a weight to the Link Capacity performance factor for the Quality of Service dynamic load balancing mode
qosPacketRate (integer) 1 [-infinity, infinity] Assigns a weight to the Packet Rate performance factor for the Quality of Service dynamic load balancing mode
qosRoundTripTime (integer) 50 [-infinity, infinity] Assigns a weight to the Round Trip Time performance factor for the Quality of Service dynamic load balancing mode
qosTopology (integer) 0 [-infinity, infinity] Assigns a weight to the Topology performance factor for the Quality of Service dynamic load balancing mode
qosVirtualServerCapacity (integer) 0 [-infinity, infinity] Assigns a weight to the Virtual Server performance factor for the Quality of Service dynamic load balancing mode
qosVirtualServerScore (integer) 0 [-infinity, infinity] Assigns a weight to the Virtual Server Score performance factor for the Quality of Service dynamic load balancing mode
remark (Remark)
resourceRecordType (string)
“A”, “AAAA”, “CNAME”, “MX” Specifies the type of resource records for this domain
ttl (integer) 30 [-infinity, 4294967295] Specifies the number of seconds that the IP address, once found, is valid. Once the time-to-live (TTL) expires, the client has to request the IP address resolution again
verifyMemberEnabled (boolean) true true, false Specifie that the system verifies the availability of the pool members before sending a connection to those resources

GSLB_Pool_AAAA

Pointer to a Pool AAAA object

Properties:

Name (Type) Default Values Description
bpsLimit (integer) 0 [-infinity, infinity] The maximum allowable data throughput rate, in bits per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable
bpsLimitEnabled (boolean) false true, false Enables or disables the maximum Bits Per Second (BPS) option for this pool. The default value is false (disabled)
class (string)
“GSLB_Pool”
connectionsLimit (integer) 0 [-infinity, infinity] The number of current connections allowed for the virtual servers in the pool. If the current connections exceed this value, the system marks the pool as unavailable
connectionsLimitEnabled (boolean) false true, false Enables or disables the maximum current connections option for this pool. The default value is false (disabled)
enabled (boolean) true true, false Specifies whether the pool and its resources are available for load balancing
fallbackIP (string)
format: f5ip Specifies the IP address of the server to which the system directs requests when it cannot use one of its pools to do so. Note that the system uses the fallback IP only if you select a Fallback load balancing method
label (Label)
lbModeAlternate (string) “round-robin” “drop-packet”, “fallback-ip”, “global-availability”, “packet-rate”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” Alternate Load Balancing mode
lbModeFallback (string) “return-to-dns” “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” Fallback Load Balancing mode
lbModePreferred (string) “round-robin” “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score” Preferred Load Balancing mode
manualResumeEnabled (boolean) false true, false Specifies, whether you must manually restart a pool member that goes down
maxAnswersReturned (integer) 1 [1, 500] Specifies the maximum number of available virtual servers that the system lists in a response
members (array)
Specifies the members of this pool
monitors (array)
Specifies the health monitors that the system uses to determine whether it can use this pool for load balancing
ppsLimit (integer) 0 [-infinity, infinity] The maximum allowable data transfer rate, in packets per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable
ppsLimitEnabled (boolean) false true, false Enables or disables the maximum Packets Per Second (PPS) option for this pool. The default value is false (disabled)
qosHitRatio (integer) 5 [-infinity, infinity] Assigns a weight to the Hit Ratio performance factor for the Quality of Service dynamic load balancing mode
qosHops (integer) 0 [-infinity, infinity] Assigns a weight to the Hops performance factor for the Quality of Service dynamic load balancing mode
qosKbps (integer) 3 [-infinity, infinity] Assigns a weight to the Kilobytes per Second performance factor for the Quality of Service dynamic load balancing mode
qosLinkCapacity (integer) 30 [-infinity, infinity] Assigns a weight to the Link Capacity performance factor for the Quality of Service dynamic load balancing mode
qosPacketRate (integer) 1 [-infinity, infinity] Assigns a weight to the Packet Rate performance factor for the Quality of Service dynamic load balancing mode
qosRoundTripTime (integer) 50 [-infinity, infinity] Assigns a weight to the Round Trip Time performance factor for the Quality of Service dynamic load balancing mode
qosTopology (integer) 0 [-infinity, infinity] Assigns a weight to the Topology performance factor for the Quality of Service dynamic load balancing mode
qosVirtualServerCapacity (integer) 0 [-infinity, infinity] Assigns a weight to the Virtual Server performance factor for the Quality of Service dynamic load balancing mode
qosVirtualServerScore (integer) 0 [-infinity, infinity] Assigns a weight to the Virtual Server Score performance factor for the Quality of Service dynamic load balancing mode
remark (Remark)
resourceRecordType (string)
“A”, “AAAA”, “CNAME”, “MX” Specifies the type of resource records for this domain
ttl (integer) 30 [-infinity, 4294967295] Specifies the number of seconds that the IP address, once found, is valid. Once the time-to-live (TTL) expires, the client has to request the IP address resolution again
verifyMemberEnabled (boolean) true true, false Specifie that the system verifies the availability of the pool members before sending a connection to those resources

GSLB_Pool_CNAME

Pointer to a Pool CNAME object

Properties:

Name (Type) Default Values Description
bpsLimit (integer) 0 [-infinity, infinity] The maximum allowable data throughput rate, in bits per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable
bpsLimitEnabled (boolean) false true, false Enables or disables the maximum Bits Per Second (BPS) option for this pool. The default value is false (disabled)
class (string)
“GSLB_Pool”
connectionsLimit (integer) 0 [-infinity, infinity] The number of current connections allowed for the virtual servers in the pool. If the current connections exceed this value, the system marks the pool as unavailable
connectionsLimitEnabled (boolean) false true, false Enables or disables the maximum current connections option for this pool. The default value is false (disabled)
enabled (boolean) true true, false Specifies whether the pool and its resources are available for load balancing
fallbackIP (string)
format: f5ip Specifies the IP address of the server to which the system directs requests when it cannot use one of its pools to do so. Note that the system uses the fallback IP only if you select a Fallback load balancing method
label (Label)
lbModeAlternate (string) “round-robin” “drop-packet”, “fallback-ip”, “global-availability”, “packet-rate”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” Alternate Load Balancing mode
lbModeFallback (string) “return-to-dns” “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” Fallback Load Balancing mode
lbModePreferred (string) “round-robin” “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score” Preferred Load Balancing mode
manualResumeEnabled (boolean) false true, false Specifies, whether you must manually restart a pool member that goes down
maxAnswersReturned (integer) 1 [1, 500] Specifies the maximum number of available virtual servers that the system lists in a response
members (array)
Specifies the members of this pool
monitors (array)
Specifies the health monitors that the system uses to determine whether it can use this pool for load balancing
ppsLimit (integer) 0 [-infinity, infinity] The maximum allowable data transfer rate, in packets per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable
ppsLimitEnabled (boolean) false true, false Enables or disables the maximum Packets Per Second (PPS) option for this pool. The default value is false (disabled)
qosHitRatio (integer) 5 [-infinity, infinity] Assigns a weight to the Hit Ratio performance factor for the Quality of Service dynamic load balancing mode
qosHops (integer) 0 [-infinity, infinity] Assigns a weight to the Hops performance factor for the Quality of Service dynamic load balancing mode
qosKbps (integer) 3 [-infinity, infinity] Assigns a weight to the Kilobytes per Second performance factor for the Quality of Service dynamic load balancing mode
qosLinkCapacity (integer) 30 [-infinity, infinity] Assigns a weight to the Link Capacity performance factor for the Quality of Service dynamic load balancing mode
qosPacketRate (integer) 1 [-infinity, infinity] Assigns a weight to the Packet Rate performance factor for the Quality of Service dynamic load balancing mode
qosRoundTripTime (integer) 50 [-infinity, infinity] Assigns a weight to the Round Trip Time performance factor for the Quality of Service dynamic load balancing mode
qosTopology (integer) 0 [-infinity, infinity] Assigns a weight to the Topology performance factor for the Quality of Service dynamic load balancing mode
qosVirtualServerCapacity (integer) 0 [-infinity, infinity] Assigns a weight to the Virtual Server performance factor for the Quality of Service dynamic load balancing mode
qosVirtualServerScore (integer) 0 [-infinity, infinity] Assigns a weight to the Virtual Server Score performance factor for the Quality of Service dynamic load balancing mode
remark (Remark)
resourceRecordType (string)
“A”, “AAAA”, “CNAME”, “MX” Specifies the type of resource records for this domain
ttl (integer) 30 [-infinity, 4294967295] Specifies the number of seconds that the IP address, once found, is valid. Once the time-to-live (TTL) expires, the client has to request the IP address resolution again
verifyMemberEnabled (boolean) true true, false Specifie that the system verifies the availability of the pool members before sending a connection to those resources

GSLB_Pool_Member_A

Declares member of the GSLB pool

Properties:

Name (Type) Default Values Description
label (Label)
ratio (integer) 1 [-infinity, 65535] Specifies the ratio weight assigned to the pool member. This weight determines the frequency at which the pool member is selected for load balancing
remark (Remark)
server (Pointer_GSLB_Server)
virtualServer (string)
TODO

GSLB_Pool_Member_AAAA

Declares member of the GSLB pool

Properties:

Name (Type) Default Values Description
label (Label)
ratio (integer) 1 [-infinity, 65535] Specifies the ratio weight assigned to the pool member. This weight determines the frequency at which the pool member is selected for load balancing
remark (Remark)
server (Pointer_GSLB_Server)
virtualServer (string)
TODO

GSLB_Pool_Member_CNAME

Declares member of the GSLB pool

Properties:

Name (Type) Default Values Description
domainName (reference)
Specifies the domain name for this pool member
isDomainNameStatic (boolean) false true, false Specifies that the member’s name specifies a static domain name rather than a name linked to a domain defined on the system. This might be required if the target domainName is not owned by the organization or configured on the BIG-IP. One side-effect of using a static target is that the member is always considered available for load balancing. The default is (false) disabled
label (Label)
ratio (integer) 1 [-infinity, 65535] Specifies the ratio weight assigned to the pool member. This weight determines the frequency at which the pool member is selected for load balancing
remark (Remark)

GSLB_Pool_Member_MX

Declares member of the GSLB pool

Properties:

Name (Type) Default Values Description
domainName (reference)
Specifies the domain name for this pool member
label (Label)
priority (integer) 10 [-infinity, 65535] Specifies the MX resource record priority
ratio (integer) 1 [-infinity, 65535] Specifies the ratio weight assigned to the pool member. This weight determines the frequency at which the pool member is selected for load balancing
remark (Remark)

GSLB_Pool_MX

Pointer to a Pool MX object

Properties:

Name (Type) Default Values Description
bpsLimit (integer) 0 [-infinity, infinity] The maximum allowable data throughput rate, in bits per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable
bpsLimitEnabled (boolean) false true, false Enables or disables the maximum Bits Per Second (BPS) option for this pool. The default value is false (disabled)
class (string)
“GSLB_Pool”
connectionsLimit (integer) 0 [-infinity, infinity] The number of current connections allowed for the virtual servers in the pool. If the current connections exceed this value, the system marks the pool as unavailable
connectionsLimitEnabled (boolean) false true, false Enables or disables the maximum current connections option for this pool. The default value is false (disabled)
enabled (boolean) true true, false Specifies whether the pool and its resources are available for load balancing
fallbackIP (string)
format: f5ip Specifies the IP address of the server to which the system directs requests when it cannot use one of its pools to do so. Note that the system uses the fallback IP only if you select a Fallback load balancing method
label (Label)
lbModeAlternate (string) “round-robin” “drop-packet”, “fallback-ip”, “global-availability”, “packet-rate”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” Alternate Load Balancing mode
lbModeFallback (string) “return-to-dns” “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score”, “none” Fallback Load Balancing mode
lbModePreferred (string) “round-robin” “completion-rate”, “cpu”, “drop-packet”, “fallback-ip”, “fewest-hops”, “global-availability”, “kilobytes-per-second”, “least-connections”, “lowest-round-trip-time”, “packet-rate”, “quality-of-service”, “ratio”, “return-to-dns”, “round-robin”, “static-persistence”, “topology”, “virtual-server-capacity”, “virtual-server-score” Preferred Load Balancing mode
manualResumeEnabled (boolean) false true, false Specifies, whether you must manually restart a pool member that goes down
maxAnswersReturned (integer) 1 [1, 500] Specifies the maximum number of available virtual servers that the system lists in a response
members (array)
Specifies the members of this pool
monitors (array)
Specifies the health monitors that the system uses to determine whether it can use this pool for load balancing
ppsLimit (integer) 0 [-infinity, infinity] The maximum allowable data transfer rate, in packets per second, for the virtual servers in the pool. If the network traffic volume exceeds this value, the system marks the pool as unavailable
ppsLimitEnabled (boolean) false true, false Enables or disables the maximum Packets Per Second (PPS) option for this pool. The default value is false (disabled)
qosHitRatio (integer) 5 [-infinity, infinity] Assigns a weight to the Hit Ratio performance factor for the Quality of Service dynamic load balancing mode
qosHops (integer) 0 [-infinity, infinity] Assigns a weight to the Hops performance factor for the Quality of Service dynamic load balancing mode
qosKbps (integer) 3 [-infinity, infinity] Assigns a weight to the Kilobytes per Second performance factor for the Quality of Service dynamic load balancing mode
qosLinkCapacity (integer) 30 [-infinity, infinity] Assigns a weight to the Link Capacity performance factor for the Quality of Service dynamic load balancing mode
qosPacketRate (integer) 1 [-infinity, infinity] Assigns a weight to the Packet Rate performance factor for the Quality of Service dynamic load balancing mode
qosRoundTripTime (integer) 50 [-infinity, infinity] Assigns a weight to the Round Trip Time performance factor for the Quality of Service dynamic load balancing mode
qosTopology (integer) 0 [-infinity, infinity] Assigns a weight to the Topology performance factor for the Quality of Service dynamic load balancing mode
qosVirtualServerCapacity (integer) 0 [-infinity, infinity] Assigns a weight to the Virtual Server performance factor for the Quality of Service dynamic load balancing mode
qosVirtualServerScore (integer) 0 [-infinity, infinity] Assigns a weight to the Virtual Server Score performance factor for the Quality of Service dynamic load balancing mode
remark (Remark)
resourceRecordType (string)
“A”, “AAAA”, “CNAME”, “MX” Specifies the type of resource records for this domain
ttl (integer) 30 [-infinity, 4294967295] Specifies the number of seconds that the IP address, once found, is valid. Once the time-to-live (TTL) expires, the client has to request the IP address resolution again
verifyMemberEnabled (boolean) true true, false Specifie that the system verifies the availability of the pool members before sending a connection to those resources

GSLB_Prober_Pool

Declares a pool of bigip devices that will monitor server resources for health and performance. Note: Prober pools are not used by the bigip monitor

Properties:

Name (Type) Default Values Description
class (string)
“GSLB_Prober_Pool”
enabled (boolean) true true, false Specifies whether this pool is available for conducting probes
label (Label)
lbMode (string)
“global-availability”, “round-robin” Specifies the load balancing mode that the system uses to select the members of this pool
members (array)
Specifies the members of the prober pool

GSLB_Prober_Pool_Member

Declares member of the GSLB prober pool

Properties:

Name (Type) Default Values Description
enabled (boolean) true true, false Specifies whether the server can be used as a member of a prober pool
memberOrder (integer) 0 [-infinity, 65535] Specifies the order in which this server appears in the prober pool

GSLB_Server

Declares a GSLB server object which contains configuration for a load balancer or a host server

Properties:

Name (Type) Default Values Description
bpsLimit (integer) 0 [-infinity, infinity] Specifies the maximum allowable data throughput rate, in bits per second, for the virtual servers on the server. If the network traffic volume exceeds this limit, the system marks the server as unavailable
bpsLimitEnabled (boolean) false true, false Enables or disables the maximum Bits Per Second (BPS) option for the virtual servers on the server. The default value is false (disabled)
class (string)
“GSLB_Server”
connectionsLimit (integer) 0 [-infinity, infinity] The number of current connections allowed for the virtual servers on the server. If the current connections exceed this value, the system marks the server as unavailable
connectionsLimitEnabled (boolean) false true, false Enables or disables the maximum current connections option for the virtual servers on the server. The default value is false (disabled)
cpuUsageLimit (integer)
[-infinity, infinity] Specifies the percent of CPU usage. If percent of CPU usage goes above the limit, the system marks the server as unavailable
cpuUsageLimitEnabled (boolean)
true, false Enables or disables the CPU Usage limit option for this pool. The default value is false (disabled)
dataCenter (Pointer_GSLB_Data_Center)
devices (array)
Specifies the actual device(s) that are represented by this server object
enabled (boolean) true true, false Specifies whether the server is enabled or disabled
label (Label)
memoryLimit (integer)
[-infinity, infinity] Specifies the available memory in kilobytes required by the virtual servers on the server. If available memory falls below this limit, the system marks the server as unavailable
memoryLimitEnabled (boolean)
true, false Enables or disables the maximum Bits Per Second (BPS) option for this pool. The default value is false (disabled)
monitors (array) [object Object]
Specifies the health monitors that the system uses to determine whether it can use this server for load balancing
pathProbeEnabled (boolean)
true, false Specifies whether this BIG-IP device will be used to conduct a path probe before traffic will be delegated to it. The default value is (true) enabled
ppsLimit (integer) 0 [-infinity, infinity] The maximum allowable data transfer rate, in packets per second, for the virtual servers on the server. If the network traffic volume exceeds this value, the system marks the server as unavailable
ppsLimitEnabled (boolean) false true, false Enables or disables the maximum Packets Per Second (PPS) option for the virtual servers on the server. The default value is false (disabled)
proberFallback (string) “inherit” “inherit”, “any-available”, “inside-datacenter”, “none”, “outside-datacenter”, “pool” Specifies the type of prober to use to monitor servers defined in this data center when the preferred type is not available. The default value is any-available
proberPool (Pointer_GSLB_Prober_Pool)
proberPreferred (string) “inherit” “inherit”, “inside-datacenter”, “outside-datacenter”, “pool” Specifies the type of prober to use to monitor servers defined in this data center. The default value is inside-data-center. Note: Prober pools are not used by the bigip monitor
remark (Remark)
serverType (string) “bigip” “bigip”, “generic-host” Specifies the server type. The server type determines the metrics that the system can collect from the server
serviceCheckProbeEnabled (boolean)
true, false Specifies whether this BIG-IP device will be used to conduct a service check probe before traffic will be delegated to it. The default value is (true) enabled
snmpProbeEnabled (boolean)
true, false Specifies whether this BIG-IP device will be used to conduct a SNMP probe before traffic will be delegated to it. The default value is (true) enabled
virtualServers (array)
Specifies the virtual server(s) that are resources on this server object

GSLB_Server_Device

Configures a device for the GSLB Server

Properties:

Name (Type) Default Values Description
address (string)
format: f5ip Specifies an external (public) address for the device. If BIG-IP DNS configuration synchronization is enabled and all existing addresses for a device are being replaced, new addresses should be added and synchronized before old addresses are removed, otherwise the changes may fail to synchronize. Alternatively, the address configuration changes can be performed on each BIG-IP DNS system
addressTranslation (string)
format: f5ip Specifies the internal (private) address that corresponds to the external address
label (Label)
remark (Remark)

GSLB_Topology_Condition

No description provided

Properties:

Name (Type) Default Values Description
matchOperator (string) “equals” “equals”, “not-equals” Specifies the operation to perform a match. Default value is equals (matches)
matchType (string)
“continent”, “country”, “datacenter”, “geoip-isp”, “isp”, “pool”, “region”, “state”, “subnet” Specifies the type/category of match to perform
matchValue (reference)
Specifies the value to match

GSLB_Topology_Record

No description provided

Properties:

Name (Type) Default Values Description
destination (reference)
Specifies where the system directs the incoming DNS request
source (reference)
Specifies the origination section of the topology record, the local DNS
weight (integer) 1 [-infinity, infinity] Specifies the weight for the topology record. The system load balances to the server object and DNS that matches the record with the highest topology weight

GSLB_Topology_Records

Defines GSLB Topology records

Properties:

Name (Type) Default Values Description
class (string)
“GSLB_Topology_Records”
label (Label)
longestMatchEnabled (boolean) true true, false Enables the algorithm that requires the system to evaluate all records in the topology statement and use the record that most completely matches the source IP address of the name resolution request. If true, the order of the records as they appear in the array will not be preserved
records (array)
Specifies the actual device(s) that are represented by this server object

GSLB_Topology_Region

Defines a GSLB Topology region

Properties:

Name (Type) Default Values Description
class (string)
“GSLB_Topology_Region”
label (Label)
members (array)
Configures the list of members for this region
remark (Remark)

GSLB_Virtual_Server

GSLB virtual server

Properties:

Name (Type) Default Values Description
address (string)
format: f5ip Format of address for virtual server (such as IPv4)
addressTranslation (string)
format: f5ip Specifies the public address that this virtual server translates into when the GSLB provider communicates between the network and the Internet. The default value is disabled
addressTranslationPort (integer)
[1, 65535] L4 port for service (like 443 for HTTPS)
enabled (boolean) true true, false Specifies whether the virtual server is enabled or disabled
label (Label)
monitors (array)
Specifies the health monitors that the system uses to determine whether it can use this linked virtual server for load balancing
port (integer)
[1, 65535] L4 port for service (like 443 for HTTPS)
remark (Remark)

HTTP_Compress

HTTP Compression profile with configurable options

Properties:

Name (Type) Default Values Description
allowHTTP10 (boolean) false true, false If true, AS3 may compress HTTP/1.0 responses (default false)
bufferSize (integer) 4096 [256, 32768] Maximum number of response octets to buffer before deciding whether to apply compression (default 4096)
class (string)
“HTTP_Compress”
contentTypeExcludes (array)
regex: ^[^x00-x1fx22x7f-xff]+$ List of response Content-Type values which AS3 should not compress. Values are regular expressions that match Content-Type strings
contentTypeIncludes (array) text/, application/(xml|x-javascript) regex: ^[^x00-x1fx22x7f-xff]+$ List of response Content-Type values which AS3 should compress. Values are regular expressions that match Content-Type strings
cpuSaver (boolean) true true, false If true (default), system will reduce compression rate when CPU utilization exceeds cpuSaverHigh threshold and increase it when CPU utilization falls below cpuSaverLow threshold
cpuSaverHigh (integer) 90 [15, 99] CPU utilization percentage (default 90) above which AS3 should moderate compression
cpuSaverLow (integer) 75 [10, 95] CPU utilization percentage (default 75) below which the system returns compression to normal
gzipLevel (integer) 1 [1, 9] Compression level (default 1); higher values produce greater compression but use more CPU cycles
gzipMemory (integer) 8 [1, 256] Compression memory allocation in kilobytes (default 8), should be a power of two
gzipWindowSize (integer) 16 [1, 128] Compression window size in kilobytes (default 16), should be a power of two
keepAcceptEncoding (boolean) false true, false If true, pool member may compress responses; if false (default) ADC will compress responses. Set to true when pool member stores/caches pre-compressed responses
label (Label)
minimumSize (integer) 1024 [128, 131072] AS3 will not compress responses of fewer octets than this (default 1024)
preferMethod (string) “gzip” “gzip”, “deflate” Select preferred compression method (default gzip, strongly recommended)
remark (Remark)
selective (boolean) false true, false If true, AS3 will only compress a response when an iRule attached to the virtual server requests it (default is false, meaning AS3 will compress responses which meet the criteria in this profile)
uriExcludes (array)
regex: ^[^x00-x1fx7f-xff]+$ List of request URI’s for which AS3 should not compress responses. Values are regular expressions that match request URI strings
uriIncludes (array)
regex: ^[^x00-x1fx7f-xff]+$ List of request URI’s for which AS3 should compress responses. Values are regular expressions that match URI strings
varyHeader (boolean) true true, false If true (default), a Vary header will appear in compressed responses

HTTP_Profile

HTTP profile with configurable options

Properties:

Name (Type) Default Values Description
allowedResponseHeaders (array)
regex: ^[^x00-x20x22:x5cx7f-xff]{1,128}$ By default AS3 passes HTTP headers in responses from pool members to clients unaltered. You may list names of allowed response headers here and AS3 removes any you do not list from responses.
badRequestMessage (string) “<html><head><title>Bad Request</title></head><body><h2>Invalid proxy request</h2></body></html>”
Message returned to client when proxy request is erroneous. May include iRules TCL expressions
badResponseMessage (string) “<html><head><title>Bad Response</title></head><body><h2>Proxy request provoked invalid response</h2></body></html>”
Message returned to client when response to proxy request is erroneous. May include iRules TCL expressions
class (string)
“HTTP_Profile”
connectErrorMessage (string) “<html><head><title>Connection Error</title></head><body><h2>Unable to connect to host in proxy request</h2></body></html>”
Message returned to client when the system cannot establish a proxy connection. May include iRules TCL expressions
cookiePassphrase (object)
Used to create secret key for cookie encryption (when missing, AS3 uses a system-generated key)
defaultConnectAction (string) “deny” “deny”, “allow” By default (value ‘deny’) the system refuses CONNECT requests from clients except when there is a virtual server listening to the tunnelName tunnel to accept and process them (typically to authorize and/or intercept outbound TLS connections). Value ‘allow’ will let clients CONNECT to arbitrary remote services
dnsErrorMessage (string) “<html><head><title>DNS Resolution Error</title></head><body><h2>Cannot resolve hostname in proxy request</h2></body></html>”
Message returned to the client when the system cannot resolve the hostname in the request. May include iRules TCL expressions
doNotProxyHosts (array) none
When a client makes a (proxy-type) request to some host on this list, that request will simply be load-balanced to a pool member (without DNS resolution). This is ineffective for HTTPS requests
encryptCookies (array)
regex: ^[^x00-x20x22=x5cx7f-xff]+$ List cookies to encrypt en-route to the client and decrypt en-route to a pool member
excessClientHeaders (string) “pass-through” “pass-through”, “reject” When a client request violates maxHeaderCount, either switch to pass-through mode (default) or reject the connection
excessServerHeaders (string) “pass-through” “pass-through”, “reject” When a pool member response violates maxHeaderCount, either switch to pass-through mode (default) or reject the connection
fallbackRedirect (string)
Domain name (or IP address) of service (if any) to which AS3 should redirect a request when no pool member is responsive or selected pool member returns a fallbackStatusCode
fallbackStatusCodes (array)
[100, 999] When a pool member responds to a request with one of these HTTP status codes (for example, 500), redirect the client to the fallbackRedirect
hstsIncludeSubdomains (boolean) true true, false If true then HSTS headers (see hstsInsert) will tell clients to apply HSTS settings to the hostnames of this service and all their possible subdomains. Warning: an incorrect value here can make multiple websites unreachable, not just this service
hstsInsert (boolean) false true, false If true, insert HSTS (HTTP Strict Transport Security) headers into responses sent to clients (default false). Warning: misconfiguration of HSTS can make a website unreachable
hstsPeriod (integer) 7862400 [-infinity, 31557600] If hstsInsert is true, this value tells each client how long (in seconds; default 7862400 equals 91 days) to wait before refreshing HSTS settings for this service. Warning: once a client receives erroneous HSTS settings it will ignore any attempt to correct them until this period has expired
hstsPreload (boolean) false true, false If true, include the domain for the web site associated with this HTTP profile in the browser’s preload list. This forces the client to send packets over SSL/TLS.
insertHeader (object)
You may insert one header into each request before AS3 sends it to a pool member. The header value may be a simple string or the result of an iRules TCL expression (for example, [IP::client_addr]). This is the most efficient way to insert a single header; to insert multiple headers use an iRule or an Endpoint policy
ipv6 (boolean) false true, false Specifies the relative order of IPv4 and IPv6 DNS resolutions for URIs. If false (default), then the system performs IPv4 lookup before IPv6.
knownMethods (array) CONNECT, DELETE, GET, HEAD, LOCK, OPTIONS, POST, PROPFIND, PUT, TRACE, UNLOCK regex: ^[A-Z0-9]{1,32}$ List of HTTP request methods AS3 should recognize as normal. Any method not in this list will provoke the ‘unknownMethodAction’ action
label (Label)
maxHeaderCount (integer) 64 [1, 1024] When the number of headers in an incoming HTTP request exceeds this value, discard the request and reset the client connection
maxHeaderSize (integer) 32768 [9, 262144] When the total size in octets of the headers of an incoming HTTP request exceeds this value, discard the request and reset the client connection
maxRequests (integer) 0 [-infinity, 2147483647] When AS3 has processed more than this number of requests through a connection, the system closes it. Default 0 means permit unlimited requests
multiplexTransformations (boolean) true true, false If true (default), AS3 adjusts request headers to work properly when the virtual server uses a Multiplex profile
otherXFF (array)
regex: ^[^x00-x20x22:x5cx7f-xff]{1,128}$ Names of request headers to treat as equivalent to X-Forwarded-For (see trustXFF)
oversizeClientHeaders (string) “pass-through” “pass-through”, “reject” When a client request violates maxHeaderSize, either switch to pass-through mode (default) or reject the connection
oversizeServerHeaders (string) “pass-through” “pass-through”, “reject” When a pool member response violates maxHeaderSize, either switch to pass-through mode (default) or reject the connection
pipelineAction (string) “allow” “allow”, “reject”, “pass-through” Default ‘allow’ means clients may pipeline HTTP/1.1 requests to pool members which support pipelining. Otherwise, ‘reject’ prevents pipelining, and ‘pass-through’ causes the connection to switch to pass-through mode when the system detects pipelining
proxyType (string) “reverse” “reverse”, “transparent”, “explicit” Default value ‘reverse’ is usually appropriate. You may use ‘transparent’ when virtual server will handle a mix of HTTP and non-HTTP traffic. You may use ‘explicit’ when clients will ask ADC to proxy connections to arbitrary remote services
remark (Remark)
requestChunking (string) “preserve” “selective”, “preserve”, “rechunk” Controls handling of HTTP payload chunking in requests from clients (default is ‘preserve’)
resolver (object)
AS3 pointer to DNS resolver used to resolve hostnames in client requests
responseChunking (string) “selective” “selective”, “preserve”, “unchunk”, “rechunk” Controls handling of HTTP payload chunking in responses from pool members (default ‘selective’ adapts to most situations)
rewriteRedirects (string) “none” “none”, “all”, “matching”, “addresses” In selected Location-header values (default none) of redirect responses from pool members, change protocol HTTP to HTTPS before passing redirects to clients
routeDomain (integer) 0 [-infinity, 65535] Proxy requests will leave the ADC from a Self IP in this route domain (default 0)
serverHeaderValue (string) “BigIP”
Server header value to place in responses generated by the ADC itself (not obtained from a pool member)
truncatedRedirects (boolean) false true, false If false (default) elide malformed redirects from pool members, otherwise pass them to client
trustXFF (boolean) false true, false If true, WAF (ASM) and AVR may trust X-Forwarded-For headers found in incoming requests and report statistics using client IP addresses appearing in them (default false). Use this feature only when you control upstream gateway(s)
tunnelName (string) “http-tunnel”
Name of tunnel used for outbound CONNECT requests (default ‘http-tunnel’)
unknownMethodAction (string) “allow” “allow”, “reject”, “pass-through” Default ‘allow’ means clients may make HTTP requests using unknown methods. Otherwise, ‘reject’ means to discard any unknown-method request and reject the client connection, and ‘pass-through’ causes the connection to switch to pass-through mode upon the first unknown-method request
viaHost (string)
Hostname to place in Via header when viaRequest or viaResponse is ‘append’
viaRequest (string) “remove” “append”, “preserve”, “remove” Controls treatment of Via: headers in requests from clients. When set to ‘append’ AS3 requires viaHost
viaResponse (string) “remove” “append”, “preserve”, “remove” Controls treatment of Via: headers in responses from pool members. When set to ‘append’ AS3 requires viaHost
whiteOutHeader (string)
regex: ^[^x00-x20x22:x5cx7f-xff]{1,128}$ You may name one request header you want whited-out of each request before AS3 sends it to a pool member. To remove more than a single named header, use an iRule or an Endpoint policy. (Whiting-out a header leaves its name but replaces its value in the request with space characters (ASCII 0x20) to avoid changing the length of the headers.)
xForwardedFor (boolean) true true, false If true, insert an X-Forwarded-For header carrying the client IP address into each HTTP request sent to a pool member (default false)

HTTP_Profile_Explicit

Extra HTTP profile configurable options when proxyType is ‘explicit’

Properties:

Name (Type) Default Values Description
badRequestMessage (string) “<html><head><title>Bad Request</title></head><body><h2>Invalid proxy request</h2></body></html>”
Message returned to client when proxy request is erroneous. May include iRules TCL expressions
badResponseMessage (string) “<html><head><title>Bad Response</title></head><body><h2>Proxy request provoked invalid response</h2></body></html>”
Message returned to client when response to proxy request is erroneous. May include iRules TCL expressions
connectErrorMessage (string) “<html><head><title>Connection Error</title></head><body><h2>Unable to connect to host in proxy request</h2></body></html>”
Message returned to client when the system cannot establish a proxy connection. May include iRules TCL expressions
defaultConnectAction (string) “deny” “deny”, “allow” By default (value ‘deny’) the system refuses CONNECT requests from clients except when there is a virtual server listening to the tunnelName tunnel to accept and process them (typically to authorize and/or intercept outbound TLS connections). Value ‘allow’ will let clients CONNECT to arbitrary remote services
dnsErrorMessage (string) “<html><head><title>DNS Resolution Error</title></head><body><h2>Cannot resolve hostname in proxy request</h2></body></html>”
Message returned to the client when the system cannot resolve the hostname in the request. May include iRules TCL expressions
doNotProxyHosts (array) none
When a client makes a (proxy-type) request to some host on this list, that request will simply be load-balanced to a pool member (without DNS resolution). This is ineffective for HTTPS requests
ipv6 (boolean) false true, false Specifies the relative order of IPv4 and IPv6 DNS resolutions for URIs. If false (default), then the system performs IPv4 lookup before IPv6.
maxHeaderCount (integer) 64 [1, 1024] When the number of headers in an incoming HTTP request exceeds this value, discard the request and reset the client connection
maxHeaderSize (integer) 32768 [9, 262144] When the total size in octets of the headers of an incoming HTTP request exceeds this value, discard the request and reset the client connection
resolver (object)
AS3 pointer to DNS resolver used to resolve hostnames in client requests
routeDomain (integer) 0 [-infinity, 65535] Proxy requests will leave the ADC from a Self IP in this route domain (default 0)
truncatedRedirects (boolean) false true, false If false (default) elide malformed redirects from pool members, otherwise pass them to client
tunnelName (string) “http-tunnel”
Name of tunnel used for outbound CONNECT requests (default ‘http-tunnel’)

HTTP_Profile_Reverse

Extra HTTP profile configurable options when proxyType is ‘reverse’

Properties:

Name (Type) Default Values Description
maxHeaderCount (integer) 64 [1, 1024] When the number of headers in an incoming HTTP request exceeds this value, discard the request and reset the client connection
maxHeaderSize (integer) 32768 [9, 262144] When the total size in octets of the headers of an incoming HTTP request exceeds this value, discard the request and reset the client connection
truncatedRedirects (boolean) false true, false If false (default) elide malformed redirects from pool members, otherwise pass them to client

HTTP_Profile_Transparent

Extra HTTP profile configurable options when proxyType is ‘transparent’

Properties:

Name (Type) Default Values Description
excessClientHeaders (string) “pass-through” “pass-through”, “reject” When a client request violates maxHeaderCount, either switch to pass-through mode (default) or reject the connection
excessServerHeaders (string) “pass-through” “pass-through”, “reject” When a pool member response violates maxHeaderCount, either switch to pass-through mode (default) or reject the connection
maxHeaderCount (integer) 32 [1, 1024] When the number of headers in a request or response exceeds this value (default 32), take the excessX…Headers action
maxHeaderSize (integer) 16384 [9, 262144] When the total size in octets of the headers of request or response exceeds this value (default 16384), take the oversizeX…Headers action
oversizeClientHeaders (string) “pass-through” “pass-through”, “reject” When a client request violates maxHeaderSize, either switch to pass-through mode (default) or reject the connection
oversizeServerHeaders (string) “pass-through” “pass-through”, “reject” When a pool member response violates maxHeaderSize, either switch to pass-through mode (default) or reject the connection
truncatedRedirects (boolean) true true, false If true (default) pass malformed redirects to client

IP_Other_Profile

Configures a generic IP profile for non-TCP and non-UDP traffic

Properties:

Name (Type) Default Values Description
class (string)
“IP_Other_Profile”
idleTimeout (string | integer) 60 “indefinite”, “immediate”, [-infinity, 4294967295] Specifies the number of seconds a connection can be idle before the connection is eligible for deletion
label (Label)
parentProfile (reference) {“bigip”:”/Common/ipother”}
Specifies the name of the object to inherit the settings from
remark (Remark)

iRule

An iRule

Properties:

Name (Type) Default Values Description
class (string)
“iRule”
expand (boolean) true true, false If true (default), expand backquoted variables in iRule
iRule (reference)
Reference to an iRule
label (Label)
remark (Remark)

JWE

A value in a cryptogram which is a Flattened JWE JSON Serialization object. If ‘miniJWE’ is true then enc=(none|f5sv) only (in JOSE header)

Properties:

Name (Type) Default Values Description
ciphertext (string)
format: f5base64 Put base64url(data_value) here
ignoreChanges (boolean) false true, false If false (default), the system updates the ciphertext in every AS3 declaration deployment. If true, AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards
miniJWE (boolean) true true, false If true (default), object is an f5 mini-JWE
protected (string) “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” format: f5base64 JOSE header: alg=dir, enc=(none|f5sv); default enc=none (encoded default is ‘protected’=’eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, use with secret simply base64url-encoded into ‘ciphertext’). If you see ‘protected’=’eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains base64url-encoded SecureVault cryptogram

L4_Profile

Configures a Fast Layer 4 profile

Properties:

Name (Type) Default Values Description
class (string)
“L4_Profile”
clientTimeout (integer) 30 [-1, 86400] Number of seconds allowed for a client to transmit enough data to select a server when you have late binding enabled. Value -1 means indefinite (not recommended)
idleTimeout (integer) 300 [-infinity, infinity] Number of seconds (default 300; may not be 0) connection may remain idle before it becomes eligible for deletion. Value -1 (not recommended) means infinite
label (Label)
looseClose (boolean) false true, false When true, system closes a loosely-initiated connection when the system receives the first FIN packet from either the client or the server (default false).
looseInitialization (boolean) false true, false When true, system initializes a connection when it receives any TCP packet, rather than requiring a SYN packet for connection initiation (default false).
maxSegmentSize (integer) 0 [-infinity, infinity] Sets MSS advertised to peer. Value 0 (default) will set MSS automatically in proportion to interface MTU. Default 0 is usually the best choice
remark (Remark)
resetOnTimeout (boolean) true true, false If true (default), connections which time out will be reset (that is, the system sends an RST packet to the peer) before the system expunges them
tcpCloseTimeout (integer) 5 [-1, 86400] Specifies an TCP close timeout in seconds. Value -1 means indefinite (not recommended)
tcpHandshakeTimeout (integer) 5 [-1, 86400] Specifies a TCP handshake timeout in seconds. The default value is 5 seconds. Value -1 means indefinite (not recommended)

Log_Destination

Configures a log destination

Properties:

Name (Type) Default Values Description
class (string)
“Log_Destination”
defaultFacility (string) “local0” “local0”, “local1”, “local2”, “local3”, “local4”, “local5”, “local6”, “local7” Specifies the facility given to log messages received that do not already have a facility listed
defaultSeverity (string) “info” “alert”, “crit”, “debug”, “emerg”, “err”, “info”, “notice”, “warn” Specifies the severity given to log messages received that do not already have a severity listed
distribution (string) “adaptive” “adaptive”, “balanced”, “replicated” Specifies the distribution method used to send messages to pool members
format (string) “rfc3164” “legacy-bigip”, “rfc3164”, “rfc5424” Specifies the method to use to format the logs
label (Label)
pool (Pointer_Pool)
protocol (string) “tcp” “tcp”, “udp” Specifies the protocol for the system to use to send logs to the pool
remark (Remark)
remoteHighSpeedLog (object)
Specifies a remote high-speed log destination, which the system uses to forward the logs to a pool of remote log servers
type (string)
“remote-syslog”, “remote-high-speed-log” The type of the log destination

Log_Destination_Remote_High_Speed_Log

Sends received messages to a specified pool

Properties:

Name (Type) Default Values Description
distribution (string) “adaptive” “adaptive”, “balanced”, “replicated” Specifies the distribution method used to send messages to pool members
pool (Pointer_Pool)
protocol (string) “tcp” “tcp”, “udp” Specifies the protocol for the system to use to send logs to the pool

Log_Destination_Remote_Syslog

Configures Remote Syslog destinations to format log messages into Syslog format and forward them to a Remote High-Speed Log destination

Properties:

Name (Type) Default Values Description
defaultFacility (string) “local0” “local0”, “local1”, “local2”, “local3”, “local4”, “local5”, “local6”, “local7” Specifies the facility given to log messages received that do not already have a facility listed
defaultSeverity (string) “info” “alert”, “crit”, “debug”, “emerg”, “err”, “info”, “notice”, “warn” Specifies the severity given to log messages received that do not already have a severity listed
format (string) “rfc3164” “legacy-bigip”, “rfc3164”, “rfc5424” Specifies the method to use to format the logs
remoteHighSpeedLog (object)
Specifies a remote high-speed log destination, which the system uses to forward the logs to a pool of remote log servers

Log_Publisher

Configures lists of destinations for the common logging interface

Properties:

Name (Type) Default Values Description
class (string)
“Log_Publisher”
destinations (array)
specify log destinations for this log publisher to use
label (Label)
remark (Remark)

Metadata

Useful datapoints for tracking, tagging, and organizing declarations.

No properties

Monitor

Declares a (possibly complex) monitor

Properties:

Name (Type) Default Values Description
acceptRCODE (string) “no-error” “anything”, “no-error” Specifies the RCODE required in the response for an up status — Note: This property is available only when monitorType is NOT ‘tcp’
adaptive (boolean) false true, false If true, use adaptive probe timing — Note: This property is available only when monitorType is NOT ‘tcp’
adaptiveDivergenceMilliseconds (integer) 500 [1, 10000] Probe fails if response latency exceeds mean by this number of milliseconds — Note: This property is available only when monitorType is NOT ‘tcp’
adaptiveDivergencePercentage (integer) 100 [1, 500] Probe fails if response latency exceeds mean by this percentage — Note: This property is available only when monitorType is NOT ‘tcp’
adaptiveDivergenceType (string) “relative” “absolute”, “relative” Adaptive divergence, ‘absolute’ selects milliseconds, ‘relative’ (default) selects percentage — Note: This property is available only when monitorType is NOT ‘tcp’
adaptiveLimitMilliseconds (integer) 1000 [1, 10000] Probe fails if response latency exceeds this number of milliseconds — Note: This property is available only when monitorType is NOT ‘tcp’
adaptiveWindow (integer) 180 [60, 1800] Time window over which the system samples latency (seconds) — Note: This property is available only when monitorType is NOT ‘tcp’
answerContains (string) “query-type” “any-type”, “anything”, “query-type” Specifies the type of DNS query that the monitor sends — Note: This property is available only when monitorType is NOT ‘tcp’
arguments (string) “”
Arguments to specified external monitor (will be backquote-expanded)
base (string)
Specifies the location in the LDAP tree from which the monitor starts the health check — Note: This property is available only when monitorType is NOT ‘tcp’
chaseReferrals (boolean) true true, false Specifies, whether, upon receipt of an LDAP referral entry, the referral is followed — Note: This property is available only when monitorType is NOT ‘tcp’
ciphers (string) “DEFAULT”
Ciphersuite selection string — Note: This property is available only when monitorType is NOT ‘tcp’
class (string)
“Monitor”
clientCertificate (string)
AS3 pointer to client Certificate declaration, for TLS authentication (optional) — Note: This property is available only when monitorType is NOT ‘tcp’
codesDown (array)
[-infinity, infinity] List of status codes meaning service is down (0 matches any code) — Note: This property is available only when monitorType is NOT ‘tcp’
codesUp (array)
[-infinity, infinity] List of additional (to all 1/2/3xx) status codes meaning service is up (0 matches any code) — Note: This property is available only when monitorType is NOT ‘tcp’
domain (string) “” format: hostname Mail domain to check, if any (backquote-expanded) — Note: This property is available only when monitorType is NOT ‘tcp’
dscp (integer) 0 [-infinity, 63] Value for IP DSCP (ex-TOS) field (default 0)
expand (boolean) true true, false If true (default), expand backquoted variables in script
filter (string)
Specifies an LDAP key which the monitor searches — Note: This property is available only when monitorType is NOT ‘tcp’
headers (string) “”
SIP headers to send in probes (if any)–separate by newlines (backquote-expanded) — Note: This property is available only when monitorType is NOT ‘tcp’
interval (integer) 5 [-infinity, 3600] Poll interval (seconds)
label (Label)
mandatoryAttributes (boolean) false true, false Specifies whether the target must include attributes in its response to be considered up — Note: This property is available only when monitorType is NOT ‘tcp’
monitorType (string)
“dns”, “external”, “http”, “https”, “icmp”, “ldap”, “radius”, “sip”, “smtp”, “tcp”, “tcp-half-open”, “udp” You may customize each monitor type
nasIpAddress (string)
format: f5ip Specifies the networks access server’s IP address (NAS IP address) for a RADIUS monitor — Note: This property is available only when monitorType is NOT ‘tcp’
passphrase (object)
Passphrase if any for query authentication — Note: This property is available only when monitorType is NOT ‘tcp’
pathname (string)
Full (Linux) pathname of existing external monitor (will be backquote-expanded)
protocol (string) “udp” “sips”, “tcp”, “tls”, “udp” SIP transport protocol — Note: This property is available only when monitorType is NOT ‘tcp’
queryName (string)
Specifies a query name for the monitor to use in a DNS query — Note: This property is available only when monitorType is NOT ‘tcp’
queryType (string) “a” “a”, “aaaa” Specifies the type of DNS query that the monitor sends. — Note: This property is available only when monitorType is NOT ‘tcp’
receive (string)
Mark node up upon receipt of this (backquote-expanded) string — Note: This property is available only when monitorType is NOT ‘tcp’
receiveDown (string) “”
Mark node down upon receipt of this (backquote-expanded) string (optional; must be empty when ‘reverse’ is true) — Note: This property is available only when monitorType is NOT ‘tcp’
remark (Remark)
request (string) “”
SIP request to send in probes (default empty) — Note: This property is available only when monitorType is NOT ‘tcp’
reverse (boolean) false true, false If true, mark node down upon receipt of ‘receive’ string — Note: This property is available only when monitorType is NOT ‘tcp’
script (reference)
Bash(1) script which implements external monitor
secret (object)
Specifies the secret the monitor needs to access the resource — Note: This property is available only when monitorType is NOT ‘tcp’
security (string) “none” “none”, “ssl”, “tls” Specifies the secure protocol type for communications with the target — Note: This property is available only when monitorType is NOT ‘tcp’
send (string)
Send this (backquote-expanded) string to node — Note: This property is available only when monitorType is NOT ‘tcp’
targetAddress (string) “” format: f5ip IP address monitor should probe; if empty (default) then pool member address
targetPort (integer) 0 [-infinity, 65535] L4 port (if any) monitor should probe; if 0 (default) then pool member port
timeout (integer) 16 [-infinity, 900] Time limit for node to respond (seconds)
timeUntilUp (integer) 0 [-infinity, 1800] Delay between successful probe and sending traffic to node (seconds)
transparent (boolean) false true, false If true, treat pool member address as gateway to server (node) (default false) — Note: This property is available only when monitorType is NOT ‘tcp’
upInterval (integer) 0 [-infinity, 3600] Poll interval when service is already up (seconds)
username (string)
Username if any for query authentication — Note: This property is available only when monitorType is NOT ‘tcp’

Monitor_DNS

Additional Monitor class properties available when monitorType = dns

Properties:

Name (Type) Default Values Description
acceptRCODE (string) “no-error” “anything”, “no-error” Specifies the RCODE required in the response for an up status
adaptive (boolean) false true, false If true, use adaptive probe timing
adaptiveDivergenceMilliseconds (integer) 500 [1, 10000] Probe fails if response latency exceeds mean by this number of milliseconds
adaptiveDivergencePercentage (integer) 100 [1, 500] Probe fails if response latency exceeds mean by this percentage
adaptiveDivergenceType (string) “relative” “absolute”, “relative” Adaptive divergence, ‘absolute’ selects milliseconds, ‘relative’ (default) selects percentage
adaptiveLimitMilliseconds (integer) 1000 [1, 10000] Probe fails if response latency exceeds this number of milliseconds
adaptiveWindow (integer) 180 [60, 1800] Time window over which the system samples latency (seconds)
answerContains (string) “query-type” “any-type”, “anything”, “query-type” Specifies the type of DNS query that the monitor sends
queryName (string)
Specifies a query name for the monitor to use in a DNS query
queryType (string) “a” “a”, “aaaa” Specifies the type of DNS query that the monitor sends.
receive (string)
IP address that the monitor uses from the resource records sections of the DNS response
reverse (boolean) false true, false If true, mark node down upon receipt of ‘receive’ string
targetAddress (reference)
transparent (boolean) false true, false If true, treat pool member address as gateway to server (node) (default false)

Monitor_External

Additional Monitor class properties available when monitorType = external

Properties:

Name (Type) Default Values Description
arguments (string) “”
Arguments to specified external monitor (will be backquote-expanded)
expand (boolean) true true, false If true (default), expand backquoted variables in script
pathname (string)
Full (Linux) pathname of existing external monitor (will be backquote-expanded)
script (reference)
Bash(1) script which implements external monitor

Monitor_HTTP

Additional Monitor class properties available when monitorType = http or https

Properties:

Name (Type) Default Values Description
adaptive (boolean) false true, false If true, use adaptive probe timing
adaptiveDivergenceMilliseconds (integer) 500 [1, 10000] Probe fails if response latency exceeds mean by this number of milliseconds
adaptiveDivergencePercentage (integer) 100 [1, 500] Probe fails if response latency exceeds mean by this percentage
adaptiveDivergenceType (string) “relative” “absolute”, “relative” Adaptive divergence, ‘absolute’ selects milliseconds, ‘relative’ (default) selects percentage
adaptiveLimitMilliseconds (integer) 1000 [1, 10000] Probe fails if response latency exceeds this number of milliseconds
adaptiveWindow (integer) 180 [60, 1800] Time window over which the system samples latency (seconds)
dscp (integer) 0 [-infinity, 63] Value for IP DSCP (ex-TOS) field (default 0)
passphrase (object)
Passphrase if any for query authentication
receive (string) “HTTP/1.”
Mark node up upon receipt of this (backquote-expanded) string
receiveDown (string) “”
Mark node down upon receipt of this (backquote-expanded) string (optional; must be empty when ‘reverse’ is true)
reverse (boolean) false true, false If true, mark node down upon receipt of ‘receive’ string
send (string) “HEAD / HTTP/1.0rnrn”
Send this (backquote-expanded) string to query node
transparent (boolean) false true, false If true, treat pool member address as gateway to server (node) (default false)
username (string)
Username if any for query authentication

Monitor_HTTPS

Additional Monitor class properties available when monitorType = https

Properties:

Name (Type) Default Values Description
adaptive (boolean) false true, false If true, use adaptive probe timing
adaptiveDivergenceMilliseconds (integer) 500 [1, 10000] Probe fails if response latency exceeds mean by this number of milliseconds
adaptiveDivergencePercentage (integer) 100 [1, 500] Probe fails if response latency exceeds mean by this percentage
adaptiveDivergenceType (string) “relative” “absolute”, “relative” Adaptive divergence, ‘absolute’ selects milliseconds, ‘relative’ (default) selects percentage
adaptiveLimitMilliseconds (integer) 1000 [1, 10000] Probe fails if response latency exceeds this number of milliseconds
adaptiveWindow (integer) 180 [60, 1800] Time window over which the system samples latency (seconds)
ciphers (string) “DEFAULT”
Ciphersuite selection string
clientCertificate (string)
AS3 pointer to client Certificate declaration, for TLS authentication (optional)
dscp (integer) 0 [-infinity, 63] Value for IP DSCP (ex-TOS) field (default 0)
passphrase (object)
Passphrase if any for query authentication
receive (string) “HTTP/1.”
Mark node up upon receipt of this (backquote-expanded) string
receiveDown (string) “”
Mark node down upon receipt of this (backquote-expanded) string (optional; must be empty when ‘reverse’ is true)
reverse (boolean) false true, false If true, mark node down upon receipt of ‘receive’ string
send (string) “HEAD / HTTP/1.0rnrn”
Send this (backquote-expanded) string to query node
transparent (boolean) false true, false If true, treat pool member address as gateway to server (node) (default false)
username (string)
Username if any for query authentication

Monitor_ICMP

Additional Monitor class properties available when monitorType = icmp

Properties:

Name (Type) Default Values Description
adaptive (boolean) false true, false If true, use adaptive probe timing
adaptiveDivergenceMilliseconds (integer) 500 [1, 10000] Probe fails if response latency exceeds mean by this number of milliseconds
adaptiveDivergencePercentage (integer) 100 [1, 500] Probe fails if response latency exceeds mean by this percentage
adaptiveDivergenceType (string) “relative” “absolute”, “relative” Adaptive divergence, ‘absolute’ selects milliseconds, ‘relative’ (default) selects percentage
adaptiveLimitMilliseconds (integer) 1000 [1, 10000] Probe fails if response latency exceeds this number of milliseconds
adaptiveWindow (integer) 180 [60, 1800] Time window over which the system samples latency (seconds)
transparent (boolean) false true, false If true, treat pool member address as gateway to server (node) (default false)

Monitor_LDAP

Additional Monitor class properties available when monitorType = smtp

Properties:

Name (Type) Default Values Description
base (string)
Specifies the location in the LDAP tree from which the monitor starts the health check
chaseReferrals (boolean) true true, false Specifies, whether, upon receipt of an LDAP referral entry, the referral is followed
filter (string)
Specifies an LDAP key which the monitor searches
mandatoryAttributes (boolean) false true, false Specifies whether the target must include attributes in its response to be considered up
passphrase (object)
Passphrase if any for query authentication
security (string) “none” “none”, “ssl”, “tls” Specifies the secure protocol type for communications with the target
username (string)
Username if any for query authentication

Monitor_RADIUS

Additional Monitor class properties available when monitorType = radius

Properties:

Name (Type) Default Values Description
nasIpAddress (string)
format: f5ip Specifies the networks access server’s IP address (NAS IP address) for a RADIUS monitor
passphrase (object)
Specifies the password, if the monitored target requires authentication
secret (object)
Specifies the secret the monitor needs to access the resource
username (string)
Specifies the user name, if the monitor target requires authentication

Monitor_Send_Recv

Additional Monitor class properties available when monitorType = tcp or udp

Properties:

Name (Type) Default Values Description
adaptive (boolean) false true, false If true, use adaptive probe timing
adaptiveDivergenceMilliseconds (integer) 500 [1, 10000] Probe fails if response latency exceeds mean by this number of milliseconds
adaptiveDivergencePercentage (integer) 100 [1, 500] Probe fails if response latency exceeds mean by this percentage
adaptiveDivergenceType (string) “relative” “absolute”, “relative” Adaptive divergence, ‘absolute’ selects milliseconds, ‘relative’ (default) selects percentage
adaptiveLimitMilliseconds (integer) 1000 [1, 10000] Probe fails if response latency exceeds this number of milliseconds
adaptiveWindow (integer) 180 [60, 1800] Time window over which the system samples latency (seconds)
receive (string)
Mark node up upon receipt of this (backquote-expanded) string
receiveDown (string) “”
Mark node down upon receipt of this (backquote-expanded) string (optional; must be empty when ‘reverse’ is true)
reverse (boolean) false true, false If true, mark node down upon receipt of ‘receive’ string
send (string)
Send this (backquote-expanded) string to node
transparent (boolean) false true, false If true, treat pool member address as gateway to server (node) (default false)

Monitor_SIP

Additional Monitor class properties available when monitorType = sip

Properties:

Name (Type) Default Values Description
ciphers (string) “DEFAULT”
Ciphersuite selection string
clientCertificate (string)
AS3 pointer to client Certificate declaration, for TLS authentication (optional)
codesDown (array)
[-infinity, infinity] List of status codes meaning service is down (0 matches any code)
codesUp (array)
[-infinity, infinity] List of additional (to all 1/2/3xx) status codes meaning service is up (0 matches any code)
headers (string) “”
SIP headers to send in probes (if any)–separate by newlines (backquote-expanded)
protocol (string) “udp” “sips”, “tcp”, “tls”, “udp” SIP transport protocol
request (string) “”
SIP request to send in probes (default empty)

Monitor_SMTP

Additional Monitor class properties available when monitorType = smtp

Properties:

Name (Type) Default Values Description
domain (string) “” format: hostname Mail domain to check, if any (backquote-expanded)

Monitor_TCP_Half_Open

Additional Monitor class properties available when monitorType = tcp-half-open

Properties:

Name (Type) Default Values Description
transparent (boolean) false true, false If true, treat pool member address as gateway to server (node) (default false)

NAT_Policy

Configures network address translation policy

Properties:

Name (Type) Default Values Description
class (string)
“NAT_Policy”
label (Label)
remark (Remark)
rules (array)
A list of NAT rules

NAT_Rule

Network address translation rule

Properties:

Name (Type) Default Values Description
destination (NAT_Rule_Destination)
label (Label)
name (string)
NAT rule name
protocol (string) “any” “any”, “tcp”, “udp” Specifies the IP protocol against which the packet will be compared
remark (Remark)
source (NAT_Rule_Source)
sourceTranslation (object)
AS3 pointer to NAT source translation declaration

NAT_Rule_Destination

Network address translation destination configuration

Properties:

Name (Type) Default Values Description
addressLists (array)
A list of address lists (each by AS3 pointer or BIG-IP pathname)
portLists (array)
A list of port lists (each by AS3 pointer or BIG-IP pathname)

NAT_Rule_Source

Network address translation source configuration

Properties:

Name (Type) Default Values Description
addressLists (array)
A list of address lists (each by AS3 pointer or BIG-IP pathname)
portLists (array)
A list of port lists (each by AS3 pointer or BIG-IP pathname)

NAT_Source_Translation

Configures a Security network address translation source translation object

Properties:

Name (Type) Default Values Description
addresses (array)
Specifies addresses on which source translation is performed
allowEgressInterfaces (array)
Specifies the egress interfaces (tunnels and VLANs) on which source translation is allowed
class (string)
“NAT_Source_Translation”
clientConnectionLimit (integer)
[-infinity, 2147483647] Maximum number of simultaneous translated connections a client or subscriber is allowed to have
disallowEgressInterfaces (array)
Specifies the egress interfaces (tunnels and VLANs) on which source translation is not allowed
hairpinModeEnabled (boolean)
true, false Enables or disables hairpinning for incoming connections to active translation end-points
inboundMode (string)
“endpoint-independent-filtering”, “explicit”, “none” Specifies the persistence settings for NAT translation entries
label (Label)
mapping (NAT_Source_Translation_Mapping)
patMode (string)
“napt”, “deterministic”, “pba” Specifies whether the translation address mapping is performed in Network Address Port Translation mode, Deterministic mode, or in Port Block Allocation mode
portBlockAllocation (NAT_Source_Translation_PortBlockAllocation)
ports (array)
[-infinity, 65535] Specifies source ports and port ranges on which source translation is performed
remark (Remark)
routeAdvertisement (boolean) false true, false Specifies that the traffic is advertised to dynamic routing protocols configured in the route domain
type (string)
“dynamic-pat”, “static-nat”, “static-pat” Specifies the type of source translation item

NAT_Source_Translation_Mapping

Configure the mapping settings for translation entries. It is the preservation of a public-side IP address for a client from session to session. Only available if type is dynamic-pat.

Properties:

Name (Type) Default Values Description
mode (string) “address-pooling-paired” “address-pooling-paired”, “endpoint-independent-mapping”, “none” Specifies the mapping mode for translation entries
timeout (integer) 300 [-infinity, 2147483647] Specifies the timeout (in seconds) for address and port mapping

NAT_Source_Translation_PortBlockAllocation

Configure the port block allocation

Properties:

Name (Type) Default Values Description
blockIdleTimeout (integer) 3600 [-infinity, 2147483647] Specifies the amount of time in seconds that an assigned block of ports remains available when idle before it times out
blockLifetime (integer) 0 [-infinity, 2147483647] Specifies the lifetime in seconds of a block of ports
blockSize (integer) 64 [-infinity, 2147483647] Specifies the nmber of ports per block. Each block is assigned to one client. A client can use all ports in a block multiplied by the number of blocks, up to the connection limit, if one is set
clientBlockLimit (integer) 1 [-infinity, 2147483647] Specifies the number of blocks that can be assigned to a client
zombieTimeout (integer) 0 [-infinity, 2147483647] Specifies the timeout duration for a zombie port block, which is a timed out port block with one or more active connections

Persist

Declares a persistence method

Properties:

Name (Type) Default Values Description
addressMask (string)
format: f5ip Optional mask selects portion of address used by simple persistence (if omitted the system uses all address bits)
alwaysSet (boolean) false true, false If true, set cookie with every HTTP response (default false)
bufferLimit (integer) 0 [-infinity, 65535] Number of octets to buffer while pattern-matching
class (string)
“Persist”
cookieMethod (string) “insert” “insert”, “hash”, “passive”, “rewrite” Selects cookie processing method (default is insert)
cookieName (string) “” regex: ^[0-9A-Za-z.~#$%^&*_-]{0,64}$ Cookie name (for method ‘insert’, default (empty-string) yields system-generated name)
count (integer) 0 [-infinity, 65535] Number of octets in cookie value to hash; 0 (default) means all
duration (integer) 0 [-infinity, 604800] Lifetime of persistence record (seconds, default 0 means indefinite)
encrypt (boolean) false true, false If true, prevent disclosure of (or tampering with) ADC info in cookie (default false, to reduce latency)
endPattern (string) “”
Regular expression which matches end of data to hash; default “” averts matching
hashAlgorithm (string) “default” “carp”, “default” Specifies the algorithm the system uses for hash persistence load balancing. The hash result is the input for the algorithm.
hashCount (integer) 0 [-infinity, 4096] Number of octets in cookie value to hash; 0 (default) means all — Note: This property is available only when cookieMethod is NOT ‘insert’
header (string)
Suggested values include: Call-ID, To, From, SIP-ETag, and Subject
httpOnly (boolean) true true, false If true (default) the system sets the HTTPOnly flag
iRule (string | object)
-, - AS3 pointer to iRule if any (declared separately)
label (Label)
matchAcrossPools (boolean) false true, false Specifies that the system can use any pool that contains this persistence record
matchAcrossVirtualAddresses (boolean) false true, false Specifies that all persistent connections from the same client IP address go to the same node
matchAcrossVirtualPorts (boolean) false true, false Specifies that all persistent connections from a client IP address that go to the same virtual IP address also go to the same node
mirror (boolean) false true, false If true, try to maintain persistence even after HA failover of ADC (default false)
overrideConnectionLimit (boolean) false true, false If true, do not enforce pool member connection limit for persisted connections (default false)
passphrase (object)
Used to create secret key for cookie encryption
persistenceMethod (string)
“cookie”, “destination-address”, “hash”, “msrdp”, “sip-info”, “source-address”, “tls-session-id”, “universal” You may customize each basic persistence method
remark (Remark)
secure (boolean) true true, false If true (default) the system sets the Secure (TLS) flag
sessionBroker (boolean) true true, false If true (default), the system will persist the client to the server chosen by session broker
startAt (integer) 0 [-infinity, 4096] Index of first octet in cookie value to hash — Note: This property is available only when cookieMethod is NOT ‘insert’
startPattern (string) “”
Regular expression which matches start of data to hash; default “” averts matching
ttl (integer) 0 [-infinity, 604800] Requested cookie lifetime (seconds, default 0 means session cookie)

Persist_Addr

Configures an address affinity persistence profile

Properties:

Name (Type) Default Values Description
addressMask (string)
format: f5ip Optional mask selects portion of address used by simple persistence (if omitted the system uses all address bits)
duration (integer) 180 [-infinity, 604800] Lifetime of persistence record (seconds, default 180)
hashAlgorithm (string) “default” “carp”, “default” Specifies the algorithm the system uses for hash persistence load balancing. The hash result is the input for the algorithm.

Persist_Hash

Configures a hash persistence profile

Properties:

Name (Type) Default Values Description
bufferLimit (integer) 0 [-infinity, 65535] Number of octets to buffer while pattern-matching
count (integer) 0 [-infinity, 65535] Number of octets in cookie value to hash; 0 (default) means all
duration (integer) 180 [-infinity, 604800] Lifetime of persistence record (seconds, default 180)
endPattern (string) “”
Regular expression which matches end of data to hash; default “” averts matching
hashAlgorithm (string) “default” “carp”, “default” Specifies the algorithm the system uses for hash persistence load balancing. The hash result is the input for the algorithm.
iRule (string | object)
-, - AS3 pointer to iRule if any (declared separately)
startAt (integer) 0 [-infinity, 65535] Index of first octet in packet to hash
startPattern (string) “”
Regular expression which matches start of data to hash; default “” averts matching

Persist_MSRDP

Configures a Microsoft(r) Remote Display Protocol (MSRDP) persistence profile

Properties:

Name (Type) Default Values Description
duration (integer) 300 [-infinity, 604800] Lifetime of persistence record (seconds, default 300)
sessionBroker (boolean) true true, false If true (default), the system will persist the client to the server chosen by session broker

Persist_SIP

Configures a Session Initiation Protocol (SIP) persistence profile

Properties:

Name (Type) Default Values Description
duration (integer) 180 [-infinity, 604800] Lifetime of persistence record (seconds, default 180)
header (string)
Suggested values include: Call-ID, To, From, SIP-ETag, and Subject

Persist_TLS_Session

Configures a Secure Socket Layer (SSL) persistence profile

Properties:

Name (Type) Default Values Description
duration (integer) 300 [-infinity, 604800] Lifetime of persistence record (seconds, default 300)

Persist_UIE

Configures a universal persistence profile

Properties:

Name (Type) Default Values Description
duration (integer) 180 [-infinity, 604800] Lifetime of persistence record (seconds, default 180)
iRule (string | object)
-, - AS3 pointer to required iRule (declared separately)

Pointer_Analytics_Profile

Reference to a Analytics_Profile

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP Analytics_Profile
use (string)
AS3 pointer to Analytics_Profile declaration

Pointer_Bandwidth_Control_Policy

Reference to a bandwidth control policy

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP bandwidth control policy
use (string)
AS3 pointer to bandwidth control policy declaration

Pointer_Blacklist_Category

Reference to a blacklist category

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP blacklist category

Pointer_Bot_Signature

Reference to a bot signature

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP bot signature

Pointer_Bot_Signature_Category

Reference to a bot signature category

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP bot signature category

Pointer_Classification_Application

Reference to a application classification

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP application classification

Pointer_Classification_Category

Reference to a category classification

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP category classification

Pointer_Classification_Preset

Reference to a classification preset

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP classification preset

Pointer_Classification_Profile

Reference to a classification profile

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP classification profile
use (string)
AS3 pointer to classification profile declaration

Pointer_Data_Group_File

Reference to a Data Group File

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP Data Group File

Pointer_DNS_Cache

Reference to a DNS cache

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP DNS cache

Pointer_DNS_Listener

Reference to a DNS Listener

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP DNS Listener
use (string)
AS3 pointer to DNS Listener declaration

Pointer_DNS_Logging_Profile

Reference to a DNS logging profile

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP DNS logging profile

Pointer_DNS_Nameserver

Reference to a DNS nameserver

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP DNS nameserver
use (string)
AS3 pointer to DNS nameserver declaration

Pointer_DNS_Profile

Reference to a DNS profile

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP DNS profile
use (string)
AS3 pointer to DNS profile declaration

Pointer_DNS_Security_Profile

Reference to a DNS security profile

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP DNS security profile

Pointer_DNS_TSIG_Key

Reference to a DNS TSIG key

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP DNS TSIG key
use (string)
AS3 pointer to DNS TSIG key declaration

Pointer_DNS_Zone

Reference to a DNS zone

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP DNS zone
use (string)
AS3 pointer to DNS zone declaration

Pointer_DOS_Profile

Reference to a DOS Profile

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP DOS Profile
use (string)
AS3 pointer to DOS Profile declaration

Pointer_Endpoint_Policy

Reference to an Endpoint Policy

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP LTM policy

Pointer_Enforcement_Diameter_Endpoint_Profile

Reference to a enforcement profile diameter endpoint

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP enforcement profile diameter endpoint
use (string)
AS3 pointer to enforcement profile diameter endpoint declaration

Pointer_Enforcement_Format_Script

Reference to a format script

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP format script
use (string)
AS3 pointer to format script declaration

Pointer_Enforcement_Forwarding_Endpoint

Reference to a forwarding endpoint

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP forwarding endpoint
use (string)
AS3 pointer to forwarding endpoint declaration

Pointer_Enforcement_Interception_Endpoint

Reference to a interception endpoint

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP interception endpoint
use (string)
AS3 pointer to interception endpoint declaration

Pointer_Enforcement_iRule

Reference to a enforcement iRule

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP PEM iRule

Pointer_Enforcement_Policy

Reference to a enforcement policy

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP PEM policy
use (string)
AS3 pointer to enforcement policy declaration

Pointer_Enforcement_Profile

Reference to a enforcement profile

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP PEM spm policy
use (string)
AS3 pointer to enforcement profile declaration

Pointer_Enforcement_Profile_Gx

Reference to a enforcement profile gx

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP enforcement profile gx

Pointer_Enforcement_Protocol_Profile_Radius

Reference to a radius protocol profile

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP radius protocol profile

Pointer_Enforcement_Radius_AAA_Profile

Reference to a enforcement profile radius aaa

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP enforcement profile radius aaa
use (string)
AS3 pointer to enforcement profile radius aaa declaration

Pointer_Enforcement_Rating_Group

Reference to a quota rating group

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP quota rating group

Pointer_Enforcement_Service_Chain_Endpoint

Reference to a service chain endpoint

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP service chain endpoint
use (string)
AS3 pointer to service chain endpoint declaration

Pointer_Enforcement_Subscriber_Management_Profile

Reference to a enforcement subscriber management profile

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP PEM subscriber-mgmt policy
use (string)
AS3 pointer to enforcement subscriber management profile declaration

Pointer_Firewall_Address_List

Reference to a firewall address list

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP firewall address list
use (string)
AS3 pointer to firewall address list declaration

Pointer_Firewall_Rule_List

Reference to a firewall rule list

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP firewall rule list
use (string)
AS3 pointer to firewall rule list declaration

Pointer_FIX_Profile

Reference to a FIX profile

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP FIX profile
use (string)
AS3 pointer to FIX profile declaration

Pointer_GSLB_Data_Center

Reference to a GSLB data center

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP GSLB data center
use (string)
AS3 pointer to GSLB data center declaration

Pointer_GSLB_Domain_A

Reference to a GSLB domain

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP GSLB domain
use (string)
AS3 pointer to GSLB domain declaration

Pointer_GSLB_Domain_AAAA

Reference to a GSLB domain

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP GSLB domain
use (string)
AS3 pointer to GSLB domain declaration

Pointer_GSLB_Domain_CNAME

Reference to a GSLB domain

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP GSLB domain
use (string)
AS3 pointer to GSLB domain declaration

Pointer_GSLB_Domain_MX

Reference to a GSLB domain

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP GSLB domain
use (string)
AS3 pointer to GSLB domain declaration

Pointer_GSLB_Monitor

Reference to a GSLB monitor

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP GSLB monitor
use (string)
AS3 pointer to GSLB monitor declaration

Pointer_GSLB_Pool

Reference to a GSLB pool

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP GSLB pool
use (string)
AS3 pointer to GSLB pool declaration

Pointer_GSLB_Pool_A

Reference to a GSLB pool A

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP GSLB pool A
use (string)
AS3 pointer to GSLB pool A declaration

Pointer_GSLB_Pool_AAAA

Reference to a GSLB pool AAAA

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP GSLB pool AAAA
use (string)
AS3 pointer to GSLB pool AAAA declaration

Pointer_GSLB_Pool_CNAME

Reference to a GSLB pool CNAME

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP GSLB pool CNAME
use (string)
AS3 pointer to GSLB pool CNAME declaration

Pointer_GSLB_Pool_Member_A

Reference to a GSLB pool member

Properties:

Name (Type) Default Values Description
use (string)
AS3 pointer to GSLB pool member declaration

Pointer_GSLB_Pool_Member_AAAA

Reference to a GSLB pool member

Properties:

Name (Type) Default Values Description
use (string)
AS3 pointer to GSLB pool member declaration

Pointer_GSLB_Pool_Member_CNAME

Reference to a GSLB pool member

Properties:

Name (Type) Default Values Description
use (string)
AS3 pointer to GSLB pool member declaration

Pointer_GSLB_Pool_Member_MX

Reference to a GSLB pool member

Properties:

Name (Type) Default Values Description
use (string)
AS3 pointer to GSLB pool member declaration

Pointer_GSLB_Pool_MX

Reference to a GSLB pool MX

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP GSLB pool MX
use (string)
AS3 pointer to GSLB pool MX declaration

Pointer_GSLB_Prober_Pool

Reference to a GSLB pool

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP GSLB pool
use (string)
AS3 pointer to GSLB pool declaration

Pointer_GSLB_Prober_Pool_Member

Reference to a GSLB pool

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP GSLB pool
use (string)
AS3 pointer to GSLB pool declaration

Pointer_GSLB_Server

Reference to a GSLB server

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP GSLB server
use (string)
AS3 pointer to GSLB server declaration

Pointer_GSLB_Server_Device

Reference to a GSLB server device

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP GSLB server device
use (string)
AS3 pointer to GSLB server device declaration

Pointer_GSLB_Topology_Region

Reference to a GSLB Topology Region

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP GSLB Topology Region
use (string)
AS3 pointer to GSLB Topology Region declaration

Pointer_GSLB_Virtual_Server

Reference to a GSLB virtual server

Properties:

Name (Type) Default Values Description
use (string)
AS3 pointer to GSLB virtual server declaration

Pointer_IP_Other_Profile

Reference to a ipother profile

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP ipother profile
use (string)
AS3 pointer to ipother profile declaration

Pointer_L4_Profile

Reference to a fast L4 profile

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP fast L4 profile
use (string)
AS3 pointer to fast L4 profile declaration

Pointer_Log_Publisher

Reference to a log publisher

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP log publisher
use (string)
AS3 pointer to log publisher declaration

Pointer_Persist

Reference to a persistence profile

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP persistence profile
use (string)
AS3 pointer to persistence profile declaration

Pointer_Pool

Reference to a pool

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP pool
use (string)
AS3 pointer to pool declaration

Pointer_Radius_Profile

Reference to a radius profile

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP radius profile
use (string)
AS3 pointer to radius profile declaration

Pointer_Route_Domain

Reference to a route domain

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP route domain

Pointer_Service

Reference to a service

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP virtual server
use (string)
AS3 pointer to service declaration

Pointer_SNAT_Pool

Reference to a snat pool

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP snat pool
use (string)
AS3 pointer to snat pool declaration

Pointer_SSL_Certificate

Reference to a SSL certificate

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP SSL certificate

Pointer_TCP_Profile

Reference to a TCP profile

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP TCP profile
use (string)
AS3 pointer to TCP profile declaration

Pointer_UDP_Profile

Reference to a UDP profile

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP UDP profile
use (string)
AS3 pointer to UDP profile declaration

Pointer_VLAN

Reference to a VLAN

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP VLAN

Pointer_WAF_Policy

Reference to a WAF policy

Properties:

Name (Type) Default Values Description
bigip (string)
format: f5bigip Pathname of existing BIG-IP WAF policy
use (string)
AS3 pointer to WAF policy declaration

Policy_Action

LTM policy action

Properties:

Name (Type) Default Values Description
enabled (boolean) true true, false Enable encrypted connections to backend servers
event (string) “request” “client-accepted”, “proxy-request”, “request” When to run this event in the request-response cycle
insert (object)
Insert HTTP header into request or response
location (string)
The new URL for which the system will send a redirect response; you can use a Tcl command substitution for this field
policy (Pointer_WAF_Policy)
remove (object)
Remove HTTP header from request or response
replace (object)
Replace HTTP header in request or response
select (reference)
Select appropriate location for forwarding the connection based on specified parameters
type (string)
“httpCookie”, “httpHeader”, “httpRedirect”, “httpUri”, “waf”, “forward”, “drop”, “clientSsl” Selects the LTM policy action this object describes

Policy_Action_Client_SSL

Enable or disable encrypted connections to backend servers

Properties:

Name (Type) Default Values Description
enabled (boolean) true true, false Enable encrypted connections to backend servers
event (string) “client-accepted” “client-accepted”, “proxy-request”, “request”, “proxy-connect”, “proxy-response”, “server-connected” When to run this event in the request-response cycle

Policy_Action_Drop

Reset connection

Properties:

Name (Type) Default Values Description
event (string) “ssl-client-hello” “ssl-client-hello”, “request” When to run this event in the request-response cycle

Policy_Action_Forward

Controls where the system forwards a connection

Properties:

Name (Type) Default Values Description
event (string) “ssl-client-hello” “ssl-client-hello”, “request” When to run this event in the request-response cycle
select (reference)
Select appropriate location for forwarding the connection based on specified parameters

Policy_Action_Forward_Select

Select appropriate location for forwarding the connection based on specified parameters

Properties:

Name (Type) Default Values Description
pool (Pointer_Pool)
service (Pointer_Service)

Policy_Action_HTTP_Header

Modify HTTP header in request or response

Properties:

Name (Type) Default Values Description
event (string) “request” “request”, “response” When to run this event in the request-response cycle
insert (object)
Insert HTTP header into request or response
remove (object)
Remove HTTP header from request or response
replace (object)
Replace HTTP header in request or response

Policy_Action_HTTP_Redirect

Redirect an HTTP request to a different URL

Properties:

Name (Type) Default Values Description
event (string) “proxy-request” “proxy-request”, “request”, “response” When to run this event in the request-response cycle
location (string)
The new URL for which the system will send a redirect response; you can use a Tcl command substitution for this field

Policy_Action_HTTP_URI

Modify the request’s URI, path, or query string

Properties:

Name (Type) Default Values Description
event (string) “request” “request” When to run this event in the request-response cycle
replace (object)
Replace URI, path, or query string in request

Policy_Action_WAF

Control web security

Properties:

Name (Type) Default Values Description
event (string) “request” “client-accepted”, “proxy-request”, “request” When to run this event in the request-response cycle
policy (Pointer_WAF_Policy)

Policy_Compare_Number

Perform a comparison against number values

Properties:

Name (Type) Default Values Description
operand (string) “equals” “equals”, “less”, “greater”, “less-or-equal”, “greater-or-equal” Specifies the comparison that the system should perform with values
values (array)
[-infinity, infinity] A list of numbers to do comparisons against

Policy_Compare_String

Perform a comparison against string values

Properties:

Name (Type) Default Values Description
caseSensitive (boolean) false true, false Specifies if the comparison the system should perform with case sensitivity
operand (string) “equals” “equals”, “starts-with”, “ends-with”, “contains” Specifies the comparison that the system should perform with values
values (array)
A list of strings to do comparisons against

Policy_Condition

LTM policy condition

Properties:

Name (Type) Default Values Description
all (reference)
Match on the full URI
event (string) “request” “request” When to evaluate this condition in the request-response cycle
extension (reference)
Match on the file extension in the URI (e.g. jpg, html, cgi)
host (reference)
Match on the hostname in the URI
index (integer)
[1, infinity] The numeric order of the item whose value you want to use, start at 1; negative values indicate counting right to left
name (string)
Specify the name of the particular query parameter whose value you want to use
normalized (boolean) “false” true, false Normalizes the result to a canonical form to allow consistent comparisons
path (reference)
Match on the URI path
pathSegment (reference)
Match a part of the URI path by a numeric index
port (reference)
Match on the port number in the URI
queryParameter (reference)
Match value of the named query parameter from the query string
queryString (reference)
Match against text in the query string
scheme (reference)
Match on the scheme (e.g. http, https, ftp, file)
type (string)
“httpHeader”, “httpUri”, “httpCookie” Selects the LTM policy condition this object describes
unnamedQueryParameter (reference)
Match the value of a query parameter by a numeric index instead of by name

Policy_Condition_HTTP_Header

Match against any HTTP header

Properties:

Name (Type) Default Values Description
all (reference)
Match on the full HTTP header
event (string) “proxy-request” “proxy-request”, “request”, “proxy-connect”, “proxy-response”, “response” When to evaluate this condition in the request-response cycle
name (string)
Specify the name of the particular HTTP header whose value you want to use

Policy_Condition_HTTP_URI

Inspect the URI on a request and match on various parts or the entire URI

Properties:

Name (Type) Default Values Description
all (reference)
Match on the full URI
event (string) “request” “request” When to evaluate this condition in the request-response cycle
extension (reference)
Match on the file extension in the URI (e.g. jpg, html, cgi)
host (reference)
Match on the hostname in the URI
index (integer)
[1, infinity] The numeric order of the item whose value you want to use, start at 1; negative values indicate counting right to left
name (string)
Specify the name of the particular query parameter whose value you want to use
normalized (boolean) “false” true, false Normalizes the result to a canonical form to allow consistent comparisons
path (reference)
Match on the URI path
pathSegment (reference)
Match a part of the URI path by a numeric index
port (reference)
Match on the port number in the URI
queryParameter (reference)
Match value of the named query parameter from the query string
queryString (reference)
Match against text in the query string
scheme (reference)
Match on the scheme (e.g. http, https, ftp, file)
unnamedQueryParameter (reference)
Match the value of a query parameter by a numeric index instead of by name

Pool

Declares a service pool

Properties:

Name (Type) Default Values Description
class (string)
“Pool”
label (Label)
loadBalancingMode (string) “round-robin” “dynamic-ratio-member”, “dynamic-ratio-node”, “fastest-app-response”, “fastest-node”, “least-connections-member”, “least-connections-node”, “least-sessions”, “observed-member”, “observed-node”, “predictive-member”, “predictive-node”, “ratio-least-connections-member”, “ratio-least-connections-node”, “ratio-member”, “ratio-node”, “ratio-session”, “round-robin”, “weighted-least-connections-member”, “weighted-least-connections-node” Load-balancing mode
members (array)
Set of Pool members
minimumMembersActive (integer) 1 [-infinity, 65535] Pool is down when fewer than this number of members are up
minimumMonitors (integer)
[-infinity, 63] Member is down when fewer than minimum monitors report it healthy
monitors (array)
List of health monitors (each by name or AS3 pointer)
remark (Remark)
reselectTries (integer) 0 [-infinity, 65535] Maximum number of attempts to find a responsive member for a connection
serviceDownAction (string) “none” “drop”, “none”, “reselect”, “reset” Specifies connection handling when member is non-responsive
slowRampTime (integer) 10 [-infinity, 900] AS3 slowly the connection rate to a newly-active member slowly during this interval (seconds)

Pool_Member

Declares a service-pool member

Properties:

Name (Type) Default Values Description
accessKeyId (string)
Information for discovering AWS nodes that are not in the same region as your BigIP (also requires the secretAccessKey field
addressDiscovery (string) “static” “static”, “fqdn”, “aws”, “gce”, “azure”, “consul” Selects how server (node) addresses are discovered
addressFamily (string) “IPv4” “IPv4”, “IPv6” Selects IPv4/6 and DNS A/AAAA RR’s
addressRealm (string)
“public”, “private” Specifies whether to look for public or private ip addresses
adminState (string) “enable” “enable”, “disable”, “offline” Setting adminState to enable will create the node in an operational state. Set to disable to disallow new connections but allow existing connections to drain. Set to offline to force immediate termination of all connections.
apiAccessKey (reference)
Azure registered application API access key (AKA service principal secret). Will be stored in the declaration in an encrypted format.
applicationId (string)
Azure registered application ID (AKA client ID)
autoPopulate (boolean) false true, false If true use multiple server (node) addresses when available, otherwise use only one
bigip (string)
format: f5bigip If defined, pathname of existing BIG-IP node
connectionLimit (integer) 0 [-infinity, 2147483647] Maximum concurrent connections to member
credentialUpdate (boolean) false true, false Specifies whether you are updating your credentials
directoryId (string)
Azure Active Directory ID (AKA tenant ID)
downInterval (integer) 5 [-infinity, infinity] DNS retry interval after resolution failure (seconds)
dynamicRatio (integer) 1 [-infinity, 100] Specifies a range of numbers that you want the system to use in conjunction with the ratio load balancing method
enable (boolean) true true, false Maps to BIG-IP pool member state
encodedCredentials (reference)
Base 64 encoded service account credentials JSON
encodedToken (reference)
Base 64 encoded bearer token to make requests to the Consul API. Will be stored in the declaration in an encrypted format.
externalId (string)
External Id
hostname (string)
format: hostname
minimumMonitors (integer)
[-infinity, 63] Member is down when fewer than minimum monitors report it healthy
monitors (array)
List of monitors (each by name or AS3 pointer)
priorityGroup (integer) 0 [-infinity, 65535] Specifies the priority group within the pool for this pool member
queryInterval (integer) 0 [-infinity, infinity] Normal DNS query interval (seconds, default 0 means RR TTL)
rateLimit (integer) -1 [-1, 2147483647] Value zero prevents use of member
ratio (integer) 1 [-infinity, 100] Specifies the weight of the pool member for load balancing purposes
region (string) “”
Empty string (default) means region in which ADC is running
remark (Remark)
resourceGroup (string)
Azure Resource Group name
roleARN (string)
Assume a role (also requires the externalId field)
secretAccessKey (reference)
Will be stored in the declaration as an encrypted string
serverAddresses (array)
format: f5ip Static IP addresses of servers (nodes)
servicePort (integer)
[-infinity, 65535] Service L4 port (optional port-discovery may override)
shareNodes (boolean) false true, false If enabled, nodes are created in /Common instead of the tenant’s partition
subscriptionId (string)
Azure subscription ID
tagKey (string)
The tag key associated with the node to add to this pool
tagValue (string)
The tag value associated with the node to add to this pool
undetectableAction (string) “remove” “disable”, “remove” Action to take when node cannot be detected
updateInterval (integer) 60 [1, 3600] Server-discovery update interval (seconds)
uri (string)
The location of the node data

Radius_Profile

Configures a RADIUS profile for network traffic load balancing

Properties:

Name (Type) Default Values Description
class (string)
“Radius_Profile”
label (Label)
parentProfile (reference) {“bigip”:”/Common/radiusLB”}
Specifies the name of the object to inherit the settings from
persistAttribute (reference) “none”
Specifies the name of the RADIUS attribute on which traffic persists. Acceptable values are ASCII strings from section 5 of RFC 2865 or numeric codes (1-255). A value of none indicates that persistence is disabled.
protocolProfile (reference) {“bigip”:”/Common/_sys_radius_proto_imsi”}
remark (Remark)
subscriberDiscoveryEnabled (boolean) true true, false Specifies whether to enable PEM subscriber discovery based on the content of RADIUS packets

Secret

A value: (a) in a cryptogram in this object; (b) in a cryptogram elsewhere in this declaration; or (c) available from a URL

Properties:

Name (Type) Default Values Description
allowReuse (boolean)
true, false If true, other declaration objects may reuse this value
ciphertext (string)
format: f5base64 Put base64url(data_value) here
ignoreChanges (boolean) false true, false If false (default), the system updates the ciphertext in every AS3 declaration deployment. If true, AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards
miniJWE (boolean) true true, false If true (default), object is an f5 mini-JWE
protected (string) “eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0” format: f5base64 JOSE header: alg=dir, enc=(none|f5sv); default enc=none (encoded default is ‘protected’=’eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0’, use with secret simply base64url-encoded into ‘ciphertext’). If you see ‘protected’=’eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0’, ‘ciphertext’ contains base64url-encoded SecureVault cryptogram
reuseFrom (string)
AS3 pointer to another JWE cryptogram in this declaration to copy
url (string)
format: url URL from which secret should be fetched

Security_Log_Profile

Configures a Security log profile

Properties:

Name (Type) Default Values Description
botDefense (Security_Log_Profile_Bot_Defense)
class (string)
“Security_Log_Profile”
classification (Security_Log_Profile_Classification)
dosApplication (Security_Log_Profile_Dos_Application)
dosNetwork (Security_Log_Profile_Dos_Network)
ipIntelligence (Security_Log_Profile_Ip_Intelligence)
label (Label)
nat (Security_Log_Profile_Nat)
network (Security_Log_Profile_Network)
protocolDns (Security_Log_Profile_Protocol_Dns)
protocolDnsDos (Security_Log_Profile_Protocol_Dns_Dos)
protocolSip (Security_Log_Profile_Protocol_Sip)
protocolSipDos (Security_Log_Profile_Protocol_Sip_Dos)
protocolTransfer (Security_Log_Profile_Protocol_Transfer)
remark (Remark)
sshProxy (Security_Log_Profile_Ssh_Proxy)

Security_Log_Profile_Bot_Defense

Specifies, when enabled, that the system logs events from the Proactive Bot Defense mechanism. Depending on settings, the system logs Illegal requests, Legal requests and BIGIP Challenges.

Properties:

Name (Type) Default Values Description
localPublisher (reference)
Specifies, when enabled, a Log Publisher to log events to (Note: This publisher should have a single local-database destination)
logBotSignatureMatchedRequests (boolean) false true, false This option enables or disables the logging of reported bot signature requests
logCaptchaChallengedRequests (boolean) false true, false This option enables or disables the logging of captcha challenged requests
logChallengedRequests (boolean) false true, false This option enables or disables the logging of challenged requests
logIllegalRequests (boolean) true true, false This option enables or disables the logging of illegal requests
logLegalRequests (boolean) false true, false This option enables or disables the logging of legal requests
remotePublisher (reference)
Enables selecting a Log Publisher that has Splunk enabled

Security_Log_Profile_Classification

Specifies, when enabled, that the system logs events from the Classification engine.

Properties:

Name (Type) Default Values Description
logAllMatches (boolean) “false” true, false This option enables or disables the logging of all matches
publisher (object)
Specifies where the system sends log messages

Security_Log_Profile_Dos_Application

Specifies, when enabled, that the system logs detected application DoS attacks

Properties:

Name (Type) Default Values Description
localPublisher (object)
Specifies the local log publisher used for Application DoS attacks (Note: This publisher should have a single local-database destination)
remotePublisher (object)
Specifies the remote log publisher used for Application DoS attacks (Note: This publisher should have ArcSight or Splunk destinations)

Security_Log_Profile_Dos_Network

Specifies, when enabled, that the system logs detected network DoS attacks

Properties:

Name (Type) Default Values Description
publisher (object)
Specifies the name of the log publisher used for logging Network DoS events

Security_Log_Profile_Ip_Intelligence

Specifies, when enabled, that the system logs IP Intelligence events

Properties:

Name (Type) Default Values Description
logTranslationFields (boolean) “false” true, false Specifies, when enabled, that the system logs translation values if and when it logs a network firewall event
publisher (object)
Specifies the name of the log publisher used for logging IP Intelligence events
rateLimitAggregate (integer) 4294967295 [-infinity, infinity] Defines a rate limit for all combined IP intelligence log messages per second

Security_Log_Profile_Nat

Specifies, when enabled, that the system logs Firewall NAT events

Properties:

Name (Type) Default Values Description
formatEndInboundSession (Security_Log_Profile_Nat_Storage_Format)
formatEndOutboundSession (Security_Log_Profile_Nat_Storage_Format)
formatErrors (Security_Log_Profile_Nat_Storage_Format)
formatQuotaExceeded (Security_Log_Profile_Nat_Storage_Format)
formatStartInboundSession (Security_Log_Profile_Nat_Storage_Format)
formatStartOutboundSession (Security_Log_Profile_Nat_Storage_Format)
logEndInboundSession (boolean) false true, false Generates event log entries at the end of the incoming connection event for a translated endpoint. Triggered when the system frees the inbound session.
logEndOutboundSession (boolean) false true, false Generates event log entries at end of translation event for a NAT client. Triggered when the system frees the outbound session.
logErrors (boolean) false true, false Generates event log entries when a NAT translation errors occur
logQuotaExceeded (boolean) false true, false Generates event log entries when a NAT client exceeds allocated resources
logStartInboundSession (boolean) false true, false Generates event log entries at the start of the incoming connection event for a translated endpoint. Triggered when the system creates the inbound session.
logStartOutboundSession (boolean) false true, false Generates event log entries at start of the translation event for a NAT client. Triggered when the system creates the outbound session.
logSubscriberId (boolean) false true, false Logs the subscriber ID associated with a subscriber IP address
publisher (object)
Specifies the name of the log publisher used for logging Network Address Translation events
rateLimitAggregate (integer) 4294967295 [-infinity, infinity] This option sets the aggregate rate for all the Firewall NAT log events that the system can log per second
rateLimitEndInboundSession (integer) 4294967295 [-infinity, infinity] This option rate limits the end inbound session log events per second
rateLimitEndOutboundSession (integer) 4294967295 [-infinity, infinity] This option rate limits the end outbound session log events per second
rateLimitErrors (integer) 4294967295 [-infinity, infinity] This option rate limits the errors the system logs per second
rateLimitQuotaExceeded (integer) 4294967295 [-infinity, infinity] This option rate limits the quota exceeded log events per second
rateLimitStartInboundSession (integer) 4294967295 [-infinity, infinity] This option rate limits the start inbound session log events per second
rateLimitStartOutboundSession (integer) 4294967295 [-infinity, infinity] This option rate limits the start outbound session log events per second

Security_Log_Profile_Nat_Storage_Format

Specifies the format type for log messages

Properties:

Name (Type) Default Values Description
delimiter (string) “.”
Specifies a field delimiter in the predefined storage format
fields (array)
“context-name”, “duration”, “route-domain”, “sub-id”, “translated-dest-port”, “translated-src-port”, “dest-ip”, “event-name”, “src-ip”, “timestamp”, “translated-route-domain”, “dest-port”, “protocol”, “src-port”, “translated-dest-ip”, “translated-src-ip” Replaces a set of fields in the predefined storage format

Security_Log_Profile_Network

Specifies, when enabled, that the system logs ACL rule matches, TCP events, and/or TCP/IP errors sent to the network firewall

Properties:

Name (Type) Default Values Description
alwaysLogRegion (boolean) false true, false Specifies, when enabled, that when a geolocation event causes a network firewall event, the system logs the associated IP address
logIpErrors (boolean) false true, false Specifies, when enabled, that the system logs IP error packets
logRuleMatchAccepts (boolean) false true, false Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Accept
logRuleMatchDrops (boolean) false true, false Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Drop
logRuleMatchRejects (boolean) false true, false Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Reject
logTcpErrors (boolean) false true, false Specifies, when enabled, that the system logs TCP error packets
logTcpEvents (boolean) false true, false Specifies, when enabled, that the system logs TCP events (open and close of TCP sessions)
logTranslationFields (boolean) false true, false Specifies, when enabled, that the system logs translation values if and when it logs a network firewall event
publisher (object)
Specifies the name of the log publisher used for logging Network events
rateLimitAggregate (integer) 4294967295 [-infinity, infinity] This option sets the aggregate rate limit that applies to any network logging message
rateLimitIpErrors (integer) 4294967295 [-infinity, infinity] This option enables or disables the logging of IP error packets
rateLimitRuleMatchAccepts (integer) 4294967295 [-infinity, infinity] This option sets rate limits for the logging of packets that match ACL rules configured with action = Accept or action = Accept Decisively
rateLimitRuleMatchDrops (integer) 4294967295 [-infinity, infinity] This option sets rate limits for the logging of packets that match ACL rules configured with action = Accept or action = Accept Decisively
rateLimitRuleMatchRejects (integer) 4294967295 [-infinity, infinity] This option sets rate limits for the logging of packets that match ACL rules configured with action = Reject
rateLimitTcpErrors (integer) 4294967295 [-infinity, infinity] This option sets rate limits for the logging of TCP error packets
rateLimitTcpEvents (integer) 4294967295 [-infinity, infinity] This option sets rate limits for the logging of TCP events on client side
storageFormat (reference)
Specifies the format type for log messages

Security_Log_Profile_Protocol_Dns

Specifies, when enabled, that the system logs DNS security events

Properties:

Name (Type) Default Values Description
logDroppedRequests (boolean) false true, false Specifies, when enabled, that the system logs dropped DNS requests
logFilteredDroppedRequests (boolean) false true, false Specifies, when enabled, that the system logs DNS requests dropped due to DNS query/header-opcode filtering. The system does not log DNS requests dropped due to errors in the way the system processes DNS packets.
logMalformedRequests (boolean) false true, false Specifies, when enabled, that the system logs malformed DNS requests
logMaliciousRequests (boolean) false true, false Specifies, when enabled, that the system logs malicious DNS requests
logRejectedRequests (boolean) false true, false Specifies, when enabled, that the system logs rejected DNS requests
publisher (object)
Specifies the name of the log publisher used for logging DNS security events
storageFormat (reference)
Specifies the format type for log messages

Security_Log_Profile_Protocol_Dns_Dos

Specifies, when enabled, that the system logs detected DNS DoS attacks

Properties:

Name (Type) Default Values Description
publisher (object)
Specifies the name of the log publisher used for logging DNS DoS events

Security_Log_Profile_Protocol_Sip

Specifies, when enabled, that the system logs SIP protocol security events

Properties:

Name (Type) Default Values Description
logDroppedRequests (boolean) false true, false Specifies, when enabled, that the system logs dropped requests
logGlobalFailures (boolean) false true, false Specifies, when enabled, that the system logs global failures
logMalformedRequests (boolean) false true, false Specifies, when enabled, that the system logs malformed requests
logRedirectedResponses (boolean) false true, false Specifies, when enabled, that the system logs redirection responses
logRequestFailures (boolean) false true, false Specifies, when enabled, that the system logs request failures
logServerErrors (boolean) false true, false Specifies, when enabled, that the system logs server errors
publisher (object)
Specifies the name of the log publisher used for logging SIP protocol security events
storageFormat (reference)
Specifies the format type for log messages

Security_Log_Profile_Protocol_Sip_Dos

Specifies, when enabled, that the system logs detected SIP DoS attacks

Properties:

Name (Type) Default Values Description
publisher (object)
Specifies the name of the log publisher used for logging SIP DoS events

Security_Log_Profile_Protocol_Transfer

Specifies, when enabled, that the system logs HTTP, FTP, and SMTP protocol security events

Properties:

Name (Type) Default Values Description
publisher (object)
Specifies where the system sends log messages

Security_Log_Profile_Ssh_Proxy

Specifies, when enabled, that the system logs SSH Proxy events

Properties:

Name (Type) Default Values Description
logAllowedChannelAction (boolean) false true, false Specifies, when enabled, that the system logs allowed channel actions
logClientAuthFail (boolean) false true, false Specifies the name of the log publisher used for logging SSH Proxy events
logClientAuthPartial (boolean) false true, false Specifies, when enabled, that the system logs client auth partial events
logClientAuthSuccess (boolean) false true, false Specifies, when enabled, that the system logs client auth success events
logDisallowedChannelAction (boolean) false true, false Specifies, when enabled, that the system logs disallowed channel actions
logNonSshTraffic (boolean) false true, false Specifies, when enabled, that the system logs non-SSH traffic events
logServerAuthFail (boolean) false true, false Specifies, when enabled, that the system logs server auth failure events
logServerAuthPartial (boolean) false true, false Specifies, when enabled, that the system logs server auth partial events
logServerAuthSuccess (boolean) false true, false Specifies, when enabled, that the system logs server auth failure events
logSshTimeout (boolean) false true, false Specifies, when enabled, that the system logs SSH timeouts
publisher (object)
Specifies the name of the log publisher used for logging SSH Proxy events

Sender_Tag_Mapping

Establishes a mapping between a sender value and data group containing tag substitution values

Properties:

Name (Type) Default Values Description
senderId (string)
Specifies sender ID value
tagDataGroup (object)
-, - Specifies tag substitution data group

Service_Address

Service IP address definition (BIG-IP virtual-address)

Properties:

Name (Type) Default Values Description
arpEnabled (boolean) true true, false If true (default), the system services ARP requests on this address
class (string)
“Service_Address”
icmpEcho (string) “enable” “enable”, “disable”, “selective” If true (default), the system answers ICMP echo requests on this address
label (Label)
remark (Remark)
routeAdvertisement (string) “disable” “enable”, “disable”, “selective”, “always”, “any”, “all” If true, the route is advertised
spanningEnabled (boolean) false true, false Enable all BIG-IP systems in device group to listen for and process traffic on the same virtual address
trafficGroup (string) “default”
Specifies the traffic group which the Service_Address belongs.
virtualAddress (string)
format: f5ip The virtual IP address

Service_Discovery_AWS

No description provided

Properties:

Name (Type) Default Values Description
accessKeyId (string)
Information for discovering AWS nodes that are not in the same region as your BigIP (also requires the secretAccessKey field
addressRealm (string)
“public”, “private” Specifies whether to look for public or private ip addresses
credentialUpdate (boolean) false true, false Specifies whether you are updating your credentials
externalId (string)
External Id
minimumMonitors (reference) 1
region (string) “”
Empty string (default) means region in which ADC is running
roleARN (string)
Assume a role (also requires the externalId field)
secretAccessKey (reference)
Will be stored in the declaration as an encrypted string
tagKey (string)
The tag key associated with the node to add to this pool
tagValue (string)
The tag value associated with the node to add to this pool
undetectableAction (string) “remove” “disable”, “remove” Action to take when node cannot be detected

Service_Discovery_Azure

No description provided

Properties:

Name (Type) Default Values Description
addressRealm (string)
“public”, “private” Specifies whether to look for public or private ip addresses
apiAccessKey (reference)
Azure registered application API access key (AKA service principal secret). Will be stored in the declaration in an encrypted format.
applicationId (string)
Azure registered application ID (AKA client ID)
credentialUpdate (boolean) false true, false Specifies whether you are updating your credentials
directoryId (string)
Azure Active Directory ID (AKA tenant ID)
minimumMonitors (reference) 1
resourceGroup (string)
Azure Resource Group name
subscriptionId (string)
Azure subscription ID
tagKey (string)
The tag key associated with the node to add to this pool
tagValue (string)
The tag value associated with the node to add to this pool
undetectableAction (string) “remove” “disable”, “remove” Action to take when node cannot be detected

Service_Discovery_Consul

No description provided

Properties:

Name (Type) Default Values Description
credentialUpdate (boolean) false true, false Specifies whether you are updating your credentials
encodedToken (reference)
Base 64 encoded bearer token to make requests to the Consul API. Will be stored in the declaration in an encrypted format.
minimumMonitors (reference) 1
undetectableAction (string) “remove” “disable”, “remove” Action to take when node cannot be detected
uri (string)
The location of the node data

Service_Discovery_GCE

No description provided

Properties:

Name (Type) Default Values Description
addressRealm (string)
“public”, “private” Specifies whether to look for public or private ip addresses
credentialUpdate (boolean) false true, false Specifies whether you are updating your credentials
encodedCredentials (reference)
Base 64 encoded service account credentials JSON
minimumMonitors (reference) 1
region (string)
Empty string (default) means region in which ADC is running
tagKey (string)
The tag key associated with the node to add to this pool
tagValue (string)
The tag value associated with the node to add to this pool
undetectableAction (string) “remove” “disable”, “remove” Action to take when node cannot be detected

Service_Generic

Declares a generic virtual server

Properties:

Name (Type) Default Values Description
addressStatus (boolean) true true, false Specifies whether the virtual server will contribute to the operational status of the associated virtual address
allowVlans (array)
Names of existing VLANs to add to this virtual server to allow.
class (string)
“Service_Generic”
enable (boolean) true true, false Virtual server handles traffic only when enabled (default)
fallbackPersistenceMethod (Basic_Persist)
iRules (array)
-, - List iRules for this virtual server (order is significant)
label (Label)
lastHop (string | object) “default” “default”, “auto”, “disable”, - Name of built-in last-hop method or AS3 pointer to last-hop pool (default ‘default’ means use system setting)
layer4 (reference) “any”
The L4 protocol type for this virtual server
maxConnections (integer) 0 [-infinity, infinity] Specifies the maximum number of concurrent connections you want to allow for the virtual server
metadata (Metadata)
mirroring (string) “none” “none”, “L4” Controls connection-mirroring for high-availability
persistenceMethods (array)
List of persistence methods (each by name or AS3 pointer). Element 0 is primary (default) persistence method
policyFirewallEnforced (object)
AS3 pointer to firewall (ASM) policy declaration
policyFirewallStaged (object)
AS3 pointer to firewall (ASM) policy declaration
policyNAT (object)
AS3 pointer to NAT policy declaration
pool (string | object)
-, - AS3 pointer to pool if any (declared separately)
profileClassification (Pointer_Classification_Profile)
profileDiameterEndpoint (Pointer_Enforcement_Diameter_Endpoint_Profile)
profileDNS (Pointer_DNS_Profile)
profileDOS (Pointer_DOS_Profile)
profileEnforcement (Pointer_Enforcement_Profile)
profileFIX (Pointer_FIX_Profile)
profileIPOther (reference) {“bigip”:”/Common/ipother”}
profileL4 (string) “basic” “basic”, - L4 profile; name of built-in or else AS3 pointer
profileSubscriberManagement (Pointer_Enforcement_Subscriber_Management_Profile)
rejectVlans (array)
Names of existing VLANs to add to this virtual server to reject.
remark (Remark)
securityLogProfiles (array)
Specifies the log profile applied to the virtual server
snat (string | object) “auto” “none”, “self”, “auto”, - Name of built-in SNAT method or AS3 pointer to SNAT pool. If ‘self’, the system uses the virtual-server address as SNAT address
translateClientPort (boolean) false true, false If true, hide client’s port number from server (default false)
translateServerAddress (boolean) true true, false If true (default), make server-side connection to server address (otherwise, treat server as gateway to virtual-server address)
translateServerPort (boolean) true true, false If true (default), make server-side connection to server port (otherwise, connect to server on virtual-server port)
virtualAddresses (array)
format: f5ip, format: f5ip, - Virtual server will listen to each IP address in list. To accept connections only from certain subnet(s), replace IP address with array [IP-address, accept-from-subnet]
virtualPort (integer)
[-infinity, 65535] virtual server port

Service_HTTP

HTTP virtual server

Properties:

Name (Type) Default Values Description
addressStatus (boolean) true true, false Specifies whether the virtual server will contribute to the operational status of the associated virtual address
allowVlans (array)
Names of existing VLANs to add to this virtual server to allow.
class (string)
“Service_HTTP”
clientTLS (string | object)
-, - AS3 pointer to TLS Client declaration
enable (boolean) true true, false Virtual server handles traffic only when enabled (default)
fallbackPersistenceMethod (Basic_Persist)
iRules (array)
-, - List iRules for this virtual server (order is significant)
label (Label)
lastHop (string | object) “default” “default”, “auto”, “disable”, - Name of built-in last-hop method or AS3 pointer to last-hop pool (default ‘default’ means use system setting)
layer4 (string) “tcp” “tcp” For TCP virtual server, Layer 4 protocol must be TCP
maxConnections (integer) 0 [-infinity, infinity] Specifies the maximum number of concurrent connections you want to allow for the virtual server
metadata (Metadata)
mirroring (string) “none” “none”, “L4” Controls connection-mirroring for high-availability
persistenceMethods (array) cookie
Default ‘cookie’ is generally good
policyEndpoint (array)
-, - AS3 pointer to Endpoint policy declaration
policyFirewallEnforced (object)
AS3 pointer to firewall (ASM) policy declaration
policyFirewallStaged (object)
AS3 pointer to firewall (ASM) policy declaration
policyIAM (object)
AS3 pointer to IAM (APM) policy declaration
policyNAT (object)
AS3 pointer to NAT policy declaration
policyWAF (Pointer_WAF_Policy)
pool (string | object)
-, - AS3 pointer to pool if any (declared separately)
profileAnalytics (Pointer_Analytics_Profile)
profileClassification (Pointer_Classification_Profile)
profileDiameterEndpoint (Pointer_Enforcement_Diameter_Endpoint_Profile)
profileDNS (Pointer_DNS_Profile)
profileDOS (Pointer_DOS_Profile)
profileEnforcement (Pointer_Enforcement_Profile)
profileFIX (Pointer_FIX_Profile)
profileHTTP (string | object) “basic” “basic”, - HTTP profile; name of built-in or else AS3 pointer
profileHTTPAcceleration (string | object)
“basic”, - Web acceleration profile; name of built-in or else AS3 pointer
profileHTTPCompression (string | object)
“basic”, “wan”, - HTTP compression profile; name of built-in or else AS3 pointer
profileIPOther (Pointer_IP_Other_Profile)
profileMultiplex (string | object)
“basic”, - Multiplex (OneConnect) profile; name of built-in or else AS3 pointer
profileSubscriberManagement (Pointer_Enforcement_Subscriber_Management_Profile)
profileTCP (string | object) “normal” “normal”, “lan”, “wan”, “mobile”, - TCP profile; name of built-in or else AS3 pointer
rejectVlans (array)
Names of existing VLANs to add to this virtual server to reject.
remark (Remark)
securityLogProfiles (array)
Specifies the log profile applied to the virtual server
serverTLS (string | object)
-, - AS3 pointer to TLS Server declaration
snat (string | object) “auto” “none”, “self”, “auto”, - Name of built-in SNAT method or AS3 pointer to SNAT pool. If ‘self’, the system uses the virtual-server address as SNAT address
translateClientPort (boolean) false true, false If true, hide client’s port number from server (default false)
translateServerAddress (boolean) true true, false If true (default), make server-side connection to server address (otherwise, treat server as gateway to virtual-server address)
translateServerPort (boolean) true true, false If true (default), make server-side connection to server port (otherwise, connect to server on virtual-server port)
virtualAddresses (array)
format: f5ip, format: f5ip, - Virtual server will listen to each IP address in list. To accept connections only from certain subnet(s), replace IP address with array [IP-address, accept-from-subnet]
virtualPort (integer) 80 [-infinity, infinity] Default 80 is well-known HTTP port

Service_HTTPS

HTTPS (HTTP+TLS) virtual server

Properties:

Name (Type) Default Values Description
addressStatus (boolean) true true, false Specifies whether the virtual server will contribute to the operational status of the associated virtual address
allowVlans (array)
Names of existing VLANs to add to this virtual server to allow.
class (string)
“Service_HTTPS”
clientTLS (string | object)
-, - AS3 pointer to TLS Client declaration
enable (boolean) true true, false Virtual server handles traffic only when enabled (default)
fallbackPersistenceMethod (Basic_Persist)
iRules (array)
-, - List iRules for this virtual server (order is significant)
label (Label)
lastHop (string | object) “default” “default”, “auto”, “disable”, - Name of built-in last-hop method or AS3 pointer to last-hop pool (default ‘default’ means use system setting)
layer4 (string) “tcp” “tcp” For TCP virtual server, Layer 4 protocol must be TCP
maxConnections (integer) 0 [-infinity, infinity] Specifies the maximum number of concurrent connections you want to allow for the virtual server
metadata (Metadata)
mirroring (string) “none” “none”, “L4” Controls connection-mirroring for high-availability
persistenceMethods (array) cookie
Default ‘cookie’ is generally good
policyEndpoint (array)
-, - AS3 pointer to Endpoint policy declaration
policyFirewallEnforced (object)
AS3 pointer to firewall (ASM) policy declaration
policyFirewallStaged (object)
AS3 pointer to firewall (ASM) policy declaration
policyIAM (object)
AS3 pointer to IAM (APM) policy declaration
policyNAT (object)
AS3 pointer to NAT policy declaration
policyWAF (Pointer_WAF_Policy)
pool (string | object)
-, - AS3 pointer to pool if any (declared separately)
profileAnalytics (Pointer_Analytics_Profile)
profileClassification (Pointer_Classification_Profile)
profileDiameterEndpoint (Pointer_Enforcement_Diameter_Endpoint_Profile)
profileDNS (Pointer_DNS_Profile)
profileDOS (Pointer_DOS_Profile)
profileEnforcement (Pointer_Enforcement_Profile)
profileFIX (Pointer_FIX_Profile)
profileHTTP (string | object) “basic” “basic”, - HTTP profile; name of built-in or else AS3 pointer
profileHTTPAcceleration (string | object)
“basic”, - Web acceleration profile; name of built-in or else AS3 pointer
profileHTTPCompression (string | object)
“basic”, “wan”, - HTTP compression profile; name of built-in or else AS3 pointer
profileIPOther (Pointer_IP_Other_Profile)
profileMultiplex (string | object)
“basic”, - Multiplex (OneConnect) profile; name of built-in or else AS3 pointer
profileSubscriberManagement (Pointer_Enforcement_Subscriber_Management_Profile)
profileTCP (string | object) “normal” “normal”, “lan”, “wan”, “mobile”, - TCP profile; name of built-in or else AS3 pointer
redirect80 (boolean) true true, false If true, AS3 redirects HTTP traffic to any virtualAddress on port 80 to virtualPort
rejectVlans (array)
Names of existing VLANs to add to this virtual server to reject.
remark (Remark)
securityLogProfiles (array)
Specifies the log profile applied to the virtual server
serverTLS (string | object)
-, - AS3 pointer to TLS Server declaration
snat (string | object) “auto” “none”, “self”, “auto”, - Name of built-in SNAT method or AS3 pointer to SNAT pool. If ‘self’, the system uses the virtual-server address as SNAT address
translateClientPort (boolean) false true, false If true, hide client’s port number from server (default false)
translateServerAddress (boolean) true true, false If true (default), make server-side connection to server address (otherwise, treat server as gateway to virtual-server address)
translateServerPort (boolean) true true, false If true (default), make server-side connection to server port (otherwise, connect to server on virtual-server port)
virtualAddresses (array)
format: f5ip, format: f5ip, - Virtual server will listen to each IP address in list. To accept connections only from certain subnet(s), replace IP address with array [IP-address, accept-from-subnet]
virtualPort (integer) 443 [-infinity, infinity] Default 443 is well-known HTTPS port

Service_L4

Declares a L4 (FastL4) virtual server

Properties:

Name (Type) Default Values Description
addressStatus (boolean) true true, false Specifies whether the virtual server will contribute to the operational status of the associated virtual address
allowVlans (array)
Names of existing VLANs to add to this virtual server to allow.
class (string)
“Service_L4”
enable (boolean) true true, false Virtual server handles traffic only when enabled (default)
fallbackPersistenceMethod (Basic_Persist)
iRules (array)
-, - List iRules for this virtual server (order is significant)
label (Label)
lastHop (string | object) “default” “default”, “auto”, “disable”, - Name of built-in last-hop method or AS3 pointer to last-hop pool (default ‘default’ means use system setting)
layer4 (string) “tcp” “any”, “tcp”, “udp”, “3pc”, “a/n”, “ah”, “argus”, “aris”, “ax.25”, “bbn-rcc”, “bna”, “br-sat-mon”, “cbt”, “cftp”, “chaos”, “compaq-peer”, “cphb”, “cpnx”, “crdup”, “crtp”, “dccp”, “dcn”, “ddp”, “ddx”, “dgp”, “dsr”, “egp”, “eigrp”, “emcon”, “encap”, “esp”, “etherip”, “fc”, “fire”, “ggp”, “gmtp”, “gre”, “hip”, “hmp”, “hopopt”, “i-nlsp”, “iatp”, “icmp”, “idpr”, “idpr-cmtp”, “idrp”, “ifmp”, “igmp”, “igp”, “il”, “ip”, “ipcomp”, “ipcv”, “ipencap”, “ipip”, “iplt”, “ippc”, “ipv6”, “ipv6-auth”, “ipv6-crypt”, “ipv6-frag”, “ipv6-icmp”, “ipv6-nonxt”, “ipv6-opts”, “ipv6-route”, “ipx-in-ip”, “irtp”, “isis”, “iso-ip”, “iso-tp4”, “kryptolan”, “l2tp”, “larp”, “leaf-1”, “leaf-2”, “manet”, “merit-inp”, “mfe-nsp”, “micp”, “mobile”, “mpls-in-ip”, “mtp”, “mux”, “narp”, “netblt”, “nsfnet-igp”, “nvp”, “ospf”, “pgm”, “pim”, “pipe”, “pnni”, “prm”, “ptp”, “pup”, “pvp”, “qnx”, “rdp”, “rsvp”, “rsvp-e2e-ignore”, “rvd”, “sat-expak”, “sat-mon”, “scc-sp”, “scps”, “sctp”, “sdrp”, “secure-vmtp”, “shim6”, “skip”, “sm”, “smp”, “snp”, “sprite-rpc”, “sps”, “srp”, “sscopmce”, “st”, “stp”, “sun-nd”, “swipe”, “tcf”, “tlsp”, “tp++”, “trunk-1”, “trunk-2”, “ttp”, “udplite”, “uti”, “vines”, “visa”, “vmtp”, “vrrp”, “wb-expak”, “wb-mon”, “wesp”, “wsn”, “xnet”, “xns-idp”, “xtp” The L4 protocol type for this virtual server
maxConnections (integer) 0 [-infinity, infinity] Specifies the maximum number of concurrent connections you want to allow for the virtual server
metadata (Metadata)
mirroring (string) “none” “none”, “L4” Controls connection-mirroring for high-availability
persistenceMethods (array) source-address
Default ‘source-address’ is generally good
policyFirewallEnforced (object)
AS3 pointer to firewall (ASM) policy declaration
policyFirewallStaged (object)
AS3 pointer to firewall (ASM) policy declaration
policyNAT (object)
AS3 pointer to NAT policy declaration
pool (string | object)
-, - AS3 pointer to pool if any (declared separately)
profileClassification (Pointer_Classification_Profile)
profileDiameterEndpoint (Pointer_Enforcement_Diameter_Endpoint_Profile)
profileDNS (Pointer_DNS_Profile)
profileDOS (Pointer_DOS_Profile)
profileEnforcement (Pointer_Enforcement_Profile)
profileFIX (Pointer_FIX_Profile)
profileIPOther (Pointer_IP_Other_Profile)
profileL4 (string) “basic” “basic”, - L4 profile; name of built-in or else AS3 pointer
profileSubscriberManagement (Pointer_Enforcement_Subscriber_Management_Profile)
rejectVlans (array)
Names of existing VLANs to add to this virtual server to reject.
remark (Remark)
securityLogProfiles (array)
Specifies the log profile applied to the virtual server
snat (string | object) “auto” “none”, “self”, “auto”, - Name of built-in SNAT method or AS3 pointer to SNAT pool. If ‘self’, the system uses the virtual-server address as SNAT address
translateClientPort (boolean) false true, false If true, hide client’s port number from server (default false)
translateServerAddress (boolean) true true, false If true (default), make server-side connection to server address (otherwise, treat server as gateway to virtual-server address)
translateServerPort (boolean) true true, false If true (default), make server-side connection to server port (otherwise, connect to server on virtual-server port)
virtualAddresses (array)
format: f5ip, format: f5ip, - Virtual server will listen to each IP address in list. To accept connections only from certain subnet(s), replace IP address with array [IP-address, accept-from-subnet]
virtualPort (integer)
[-infinity, 65535] virtual server port

Service_TCP

Declares a TCP virtual server (w/optional TLS)

Properties:

Name (Type) Default Values Description
addressStatus (boolean) true true, false Specifies whether the virtual server will contribute to the operational status of the associated virtual address
allowVlans (array)
Names of existing VLANs to add to this virtual server to allow.
class (string)
“Service_TCP”
clientTLS (string | object)
-, - AS3 pointer to TLS Client declaration
enable (boolean) true true, false Virtual server handles traffic only when enabled (default)
fallbackPersistenceMethod (Basic_Persist)
iRules (array)
-, - List iRules for this virtual server (order is significant)
label (Label)
lastHop (string | object) “default” “default”, “auto”, “disable”, - Name of built-in last-hop method or AS3 pointer to last-hop pool (default ‘default’ means use system setting)
layer4 (string) “tcp” “tcp” For TCP virtual server, Layer 4 protocol must be TCP
maxConnections (integer) 0 [-infinity, infinity] Specifies the maximum number of concurrent connections you want to allow for the virtual server
metadata (Metadata)
mirroring (string) “none” “none”, “L4” Controls connection-mirroring for high-availability
persistenceMethods (array) source-address
Default ‘source-address’ is generally good
policyEndpoint (array)
-, - AS3 pointer to Endpoint policy declaration
policyFirewallEnforced (object)
AS3 pointer to firewall (ASM) policy declaration
policyFirewallStaged (object)
AS3 pointer to firewall (ASM) policy declaration
policyNAT (object)
AS3 pointer to NAT policy declaration
pool (string | object)
-, - AS3 pointer to pool if any (declared separately)
profileClassification (Pointer_Classification_Profile)
profileDiameterEndpoint (Pointer_Enforcement_Diameter_Endpoint_Profile)
profileDNS (Pointer_DNS_Profile)
profileDOS (Pointer_DOS_Profile)
profileEnforcement (Pointer_Enforcement_Profile)
profileFIX (Pointer_FIX_Profile)
profileIPOther (Pointer_IP_Other_Profile)
profileSubscriberManagement (Pointer_Enforcement_Subscriber_Management_Profile)
profileTCP (string | object) “normal” “normal”, “lan”, “wan”, “mobile”, - TCP profile; name of built-in or else AS3 pointer
rejectVlans (array)
Names of existing VLANs to add to this virtual server to reject.
remark (Remark)
securityLogProfiles (array)
Specifies the log profile applied to the virtual server
serverTLS (string | object)
-, - AS3 pointer to TLS Server declaration
snat (string | object) “auto” “none”, “self”, “auto”, - Name of built-in SNAT method or AS3 pointer to SNAT pool. If ‘self’, the system uses the virtual-server address as SNAT address
translateClientPort (boolean) false true, false If true, hide client’s port number from server (default false)
translateServerAddress (boolean) true true, false If true (default), make server-side connection to server address (otherwise, treat server as gateway to virtual-server address)
translateServerPort (boolean) true true, false If true (default), make server-side connection to server port (otherwise, connect to server on virtual-server port)
virtualAddresses (array)
format: f5ip, format: f5ip, - Virtual server will listen to each IP address in list. To accept connections only from certain subnet(s), replace IP address with array [IP-address, accept-from-subnet]
virtualPort (integer)
[-infinity, 65535] virtual server TCP port

Service_UDP

Declares a UDP virtual server (w/optional (D)TLS)

Properties:

Name (Type) Default Values Description
addressStatus (boolean) true true, false Specifies whether the virtual server will contribute to the operational status of the associated virtual address
allowVlans (array)
Names of existing VLANs to add to this virtual server to allow.
class (string)
“Service_UDP”
clientTLS (string | object)
-, - AS3 pointer to TLS Client declaration
enable (boolean) true true, false Virtual server handles traffic only when enabled (default)
fallbackPersistenceMethod (Basic_Persist)
iRules (array)
-, - List iRules for this virtual server (order is significant)
label (Label)
lastHop (string | object) “default” “default”, “auto”, “disable”, - Name of built-in last-hop method or AS3 pointer to last-hop pool (default ‘default’ means use system setting)
layer4 (string) “udp” “udp” For UDP virtual server, Layer 4 protocol must be UDP
maxConnections (integer) 0 [-infinity, infinity] Specifies the maximum number of concurrent connections you want to allow for the virtual server
metadata (Metadata)
mirroring (string) “none” “none”, “L4” Controls connection-mirroring for high-availability
persistenceMethods (array) source-address
Default ‘source-address’ is generally good
policyEndpoint (array)
-, - AS3 pointer to Endpoint policy declaration
policyFirewallEnforced (object)
AS3 pointer to firewall (ASM) policy declaration
policyFirewallStaged (object)
AS3 pointer to firewall (ASM) policy declaration
policyNAT (object)
AS3 pointer to NAT policy declaration
pool (string | object)
-, - AS3 pointer to pool if any (declared separately)
profileClassification (Pointer_Classification_Profile)
profileDiameterEndpoint (Pointer_Enforcement_Diameter_Endpoint_Profile)
profileDNS (Pointer_DNS_Profile)
profileDOS (Pointer_DOS_Profile)
profileEnforcement (Pointer_Enforcement_Profile)
profileIPOther (Pointer_IP_Other_Profile)
profileRADIUS (Pointer_Radius_Profile)
profileSubscriberManagement (Pointer_Enforcement_Subscriber_Management_Profile)
profileUDP (string) “normal” “normal”, - UDP profile; name of built-in or else AS3 pointer
rejectVlans (array)
Names of existing VLANs to add to this virtual server to reject.
remark (Remark)
securityLogProfiles (array)
Specifies the log profile applied to the virtual server
serverTLS (string | object)
-, - AS3 pointer to TLS Server declaration
snat (string | object) “auto” “none”, “self”, “auto”, - Name of built-in SNAT method or AS3 pointer to SNAT pool. If ‘self’, the system uses the virtual-server address as SNAT address
translateClientPort (boolean) false true, false If true, hide client’s port number from server (default false)
translateServerAddress (boolean) true true, false If true (default), make server-side connection to server address (otherwise, treat server as gateway to virtual-server address)
translateServerPort (boolean) true true, false If true (default), make server-side connection to server port (otherwise, connect to server on virtual-server port)
virtualAddresses (array)
format: f5ip, format: f5ip, - Virtual server will listen to each IP address in list. To accept connections only from certain subnet(s), replace IP address with array [IP-address, accept-from-subnet]
virtualPort (integer)
[-infinity, 65535] Virtual server UDP port

SNAT_Pool

Declares a list of SNAT addresses

Properties:

Name (Type) Default Values Description
class (string)
“SNAT_Pool”
label (Label)
remark (Remark)
snatAddresses (array)
format: f5ip List of SNAT addresses– may include both IPv4 and IPv6

TCP_Profile

Configures a Transmission Control Protocol (TCP) profile

Properties:

Name (Type) Default Values Description
abc (boolean) true true, false If true (default), AS3 adjusts the congestion window per rfc3465
ackOnPush (boolean) true true, false If true (default), the system immediately acknowledges segments with the PSH flag set
autoProxyBufferSize (boolean) true true, false If true (default), AS3 adjusts the proxy buffer size automatically to optimize throughput
autoReceiveWindowSize (boolean) true true, false If true (default), AS3 adjusts the receive window size automatically to optimize throughput
autoSendBufferSize (boolean) true true, false If true (default), AS3 adjusts the send buffer size automatically to optimize throughput
class (string)
“TCP_Profile”
closeWaitTimeout (integer) 5 [-1, 3600] Number of seconds (default 5) connection will remain in LAST-ACK state before exiting. Value -1 means indefinite, limited by maximum retransmission timeout
congestionControl (string) “woodside” “cdg”, “chd”, “cubic”, “high-speed”, “illinois”, “new-reno”, “none”, “reno”, “scalable”, “vegas”, “westwood”, “woodside” Selects TCP congestion-control algorithm (default ‘woodside’)
congestionMetricsCache (boolean) true true, false If true (default), the system may cache congestion metrics to inform the congestion control algorithm
congestionMetricsCacheTimeout (integer) 0 [-infinity, 1000] Number of seconds for which entries in the congestion metrics cache are valid (default 0 means use system default)
deferredAccept (boolean) false true, false If true, ADC will defer allocating resources to a connection until some payload data has arrived from the client (default false). This may help minimize the impact of certain DoS attacks but adds undesirable latency under normal conditions. Note: ‘deferredAccept’ is incompatible with server-speaks-first application protocols
delayedAcks (boolean) true true, false If true (default), the system may coalesce multiple adjacent ACK responses
delayWindowControl (boolean) false true, false If true, AS3 uses queueing delay as well as packet loss to estimate congestion (default false)
dsack (boolean) false true, false If true, AS3 uses rfc2883 duplicate selective-acknowledgements extension (default false). Do not enable this option unless you are certain all peers support D-SACK
earlyRetransmit (boolean) true true, false If true (default), AS3 uses rfc5827 Early Retransmit recovery
ecn (boolean) true true, false If true (default), AS3 may send explicit congestion notification (ECN) flags (CWR, ECE) to peers
enhancedLossRecovery (boolean) true true, false If true (default), AS3 uses Selective ACK data to increase throughput
fastOpen (boolean) true true, false If true (default), the system can use the TCP Fast Open protocol extension to reduce latency by sending payload data with initial SYN
fastOpenCookieExpiration (integer) 21600 [1, 1000000] Sets maximum lifetime in seconds (default 21600 = six hours) of TCP Fast Open cookies
finWait2Timeout (integer) 300 [-1, 3600] Number of seconds (default 300) connection will remain in LAST-ACK state before closing. Value -1 means indefinite, limited by maximum retransmission timeout
finWaitTimeout (integer) 5 [-1, 3600] Number of seconds (default 5) connection will remain in FIN-WAIT-1 or closing state before exiting. Value -1 means indefinite, limited by maximum retransmission timeout
idleTimeout (integer) 300 [-infinity, infinity] Number of seconds (default 300; may not be 0) connection may remain idle before it becomes eligible for deletion. Value -1 (not recommended) means infinite
initCwnd (integer) 16 [-infinity, 64] Sets the initial congestion-window size (default 16) in multiples of MSS (not in octets)
initRwnd (integer) 16 [-infinity, 64] Sets the initial receive-window size (default 16) in multiples of MSS (not in octets)
ipDfMode (string) “pmtu” “clear”, “pmtu”, “preserve”, “set” Controls DF (Don’t Fragment) flag in outgoing packets. Value ‘pmtu’ (default) sets DF based on IP PMTU value. Value ‘preserve’ copies DF from received packets. Value ‘set’ forces DF true in all outgoing packets. Value ‘clear’ forces DF false in all outgoing packets
ipTosToClient (integer | string) 0 [-infinity, 252], regex: ^(pass-through|mimic)$ Specifies the IP DSCP/TOS value in packets sent to clients (default 0). Numeric values in this property are decimal representations of eight-bit numbers, of which the leftmost six bits are the DSCP per rfc2474 (and the system uses the rightmost two bits for congestion signaling when ‘ecn’ is true). You may have to calculate the value of this property by multiplying a DSCP code, such as CS5+EF = 46, by four to obtain the proper ‘ipTosToClient’ value, such as 184. Value ‘pass-through’ sets DSCP from the initial server-side value. Value ‘mimic’ copies DSCP from the most-recently received server-side packet (allowing DSCP to vary during the life of a connection)
keepAliveInterval (integer) 1800 [1, 86400] Number of seconds (default 1800) between keep-alive probes
label (Label)
limitedTransmit (boolean) true true, false When true (default), the system can use rfc3042 limited transmit recovery scheme
linkQosToClient (integer | string) 0 [-infinity, 7], regex: ^pass-through$ Specifies the Layer-2 QOS code in packets sent to clients (default 0). Ethernet-type networks recognize codes from 0 to 7. Value ‘pass-through’ sets QOS from the initial server-side value
maxRetrans (integer) 8 [-infinity, 12] Sets maximum number of times the system may retransmit a segment (default 8)
maxSegmentSize (integer) 0 [-infinity, infinity] Sets MSS advertised to peer. Value 0 (default) will set MSS automatically in proportion to interface MTU. Default 0 is usually the best choice
md5Signature (boolean) false true, false If true, the system signs TCP headers using MD5 per rfc2385 (default false)
md5SignaturePassphrase (object)
Passphrase from which the system derives the key for MD5 signatures (MACs) when ‘md5signature’ is true
minimumRto (integer) 1000 [1, 5000] Minimum retransmission timeout in milliseconds (default 1000)
mptcp (string) “disable” “disable”, “enable”, “passthrough” Value ‘disable’ (default) excludes use of Multipath TCP (MPTCP) through virtual server. Value ‘enable’ means virtual server will accept and participate in MPTCP connections. Value ‘passthrough’ means MPTCP packets may pass through virtual server
mptcpCsum (boolean) false true, false If true, the system calculates MPTCP checksums (default false)
mptcpCsumVerify (boolean) false true, false If true, the system verifies MPTCP checksums (default false)
mptcpFallback (string) “reset” “accept”, “active-accept”, “reset”, “retransmit” Selects action on fallback from MPTCP to ordinary TCP
mptcpFastJoin (boolean) false true, false If true, the system may send data with MP_JOIN SYN packet, reducing connection latency (default false)
mptcpIdleTimeout (integer) 300 [1, 86400] Number of seconds (default 300) connection may remain idle before it becomes eligible for deletion
mptcpJoinMax (integer) 5 [1, 20] Limit on number of subflows which the system may add to the MPTCP connection (default 5)
mptcpMakeAfterBreak (boolean) false true, false If true, the system can add additional subflows during the ‘mptcpTimeout’ period, even if the ADC is not currently handling an active connection (default false)
mptcpNoJoinDssAck (boolean) false true, false If true, no DSS option will sent with MP_JOIN ACK packet (default false)
mptcpRetransmitMin (integer) 1000 [1, 5000] Minimum value in milliseconds (default 1000) of MPTCP retransmission timer
mptcpRtoMax (integer) 5 [1, 20] Maximum number of retransmission timeouts which may occur before the system declares a subflow dead
mptcpSubflowMax (integer) 6 [1, 20] Maximum number of subflows per connection (default 6)
mptcpTimeout (integer) 3600 [60, 3600] Number of seconds (default 3600) after which the system may expunge an MPTCP session with no active flow
nagle (string) “auto” “disable”, “enable”, “auto” Value ‘enable’ means to use Nagle’s algorithm to minimize the transmission of short TCP segments (note: Nagle’s algorithm yields undesirable results with many application protocols). Value ‘auto’ (default) means the ADC will choose automatically whether to enable Nagle’s algorithm. Value ‘disable’ averts application of Nagle’s algorithm
pktLossIgnoreBurst (integer) 0 [-infinity, 32] Modulates use of congestion control when losing multiple packets. Value 0 (default) means to perform congestion control if any packet loss occurs. Higher values increase tolerance for lost packets before signaling congestion
pktLossIgnoreRate (integer) 0 [-infinity, 1000000] Sets threshold of packet loss rate (lost-packets/million-packets) above which the system performs congestion control. Value 0 (default) means to perform congestion control if any packet loss occurs. Higher values increase tolerance for lost packets before signaling congestion
proxyBufferHigh (integer) 262144 [64, 33554432] The system closes the receive window when the number of octets in proxy buffer rises above this value
proxyBufferLow (integer) 196608 [64, 33554432] The system opens the receive window when the number of octets in proxy buffer falls below this value
proxyMSS (boolean) true true, false If true (default), the MSS value advertised on the server side will match that negotiated with the client, if permitted by MTU and other constraints
proxyOptions (boolean) false true, false If true, TCP options such as timestamp advertised on the server side will match those negotiated with client (default false)
pushFlag (string) “auto” “auto”, “default”, “none”, “one” Controls when ADC sets PSH flag in outbound TCP segments. Limiting the sending of segments with PSH improves performance. Value ‘auto’ (recommended) sets PSH according to a system algorithm optimal in most cases. Value ‘default’ (not recommended) sets the PUSH flag in every segment which happens to empty the send buffer. Value ‘none’ prevents use of the PSH flag, and ‘one’ means the system sets PSH only when FIN is, at the end of a connection
ratePace (boolean) true true, false If true (default), system will automatically pace rate of data transmission to optimize throughput
ratePaceMaxRate (integer) 0 [-infinity, 4294967295] Limit maximum data-transmission rate in octets/second to this value when ‘ratePace’ is true. Default 0 means choose maximum rate automatically
receiveWindowSize (integer) 131072 [64, 33554432] Maximum size of receive window (octets, default 131072)
remark (Remark)
resetOnTimeout (boolean) true true, false If true (default), connections which time out will be reset (that is, the system will send an RST packet to the peer) before the system expunges them. Value false is not recommended
retransmitThreshold (integer) 3 [-infinity, 12] Specifies the number of duplicate ACKs to start fast recovery
selectiveAcks (boolean) true true, false If true (default), the system negotiates rfc2018 Selective Acknowledgements with peers
selectiveNack (boolean) false true, false If true, the system negotiates Selective Negative Acknowledgements with peers (default false)
sendBufferSize (integer) 262144 [64, 33554432] Maximum size of send buffer (octets, default 262144)
slowStart (boolean) true true, false If true (default), AS3 adjusts the initial window size per rfc3390. This generally makes connections start more quickly, NOT more slowly
synCookieEnable (boolean) true true, false If true (default), the system may use SYN cookies to avert connection-table overflow (for example, from DoS attacks)
synCookieWhitelist (boolean) false true, false If true, after a client responds successfully to a SYN cookie challenge, the system accepts additional connection requests from that client without challenge for 30 seconds (default false)
synMaxRetrans (integer) 3 [-infinity, 12] Maximum number of times the system retransmits a SYN when it does not receive a SYN+ACK (default 3)
synRtoBase (integer) 3000 [-infinity, 5000] Number of milliseconds (default 3000) to which the system initially sets the SYN retransmission timer. The system adjusts the timer after each retransmission to implement binary-exponential-backoff
tailLossProbe (boolean) true true, false If true (default), the system uses the Tail Loss Probe scheme to reduce retransmission timeouts
tcpOptions (array)
Selects which TCP Option values the system captures for reference by iRules
timestamps (boolean) true true, false If true (default and recommended), AS3 enables rfc1323 timestamps
timeWaitRecycle (boolean) true true, false If true (default), the system reuses connection resources immediately when it receives a SYN during the TIME-WAIT period
timeWaitTimeout (integer) 2000 [-1, 600000] Number of milliseconds (default 2,000) connection will remain in TIME-WAIT state before closing. Value -1 means indefinite
ttlIPv4 (integer) 255 [1, 255] TTL the system sets in outgoing IPv4 packets
ttlIPv6 (integer) 64 [1, 255] TTL the system sets in outgoing IPv6 packets
ttlMode (string) “proxy” “decrement”, “preserve”, “proxy”, “set” Controls IP TTL in outgoing packets. Value ‘set’ forces TTL to value of property ‘ttlIPv4’ or ‘ttlIPv6’ as appropriate. Value ‘proxy’ (default) forces TTL to the default value for IPv4 or IPv6 as appropriate. Value ‘preserve’ copies TTL from received packet. Value ‘decrement’ sets TTL to one less than received packet’s TTL
verifiedAccept (boolean) false true, false If true, the system must establish a server-side connection before a it accepts a corresponding client-side connection (default false). Value ‘true’ is incompatible with iRules
zeroWindowTimeout (integer) 20000 [-1, 86400000] Number of milliseconds (default 20,000) connection will persist with window-size of zero (effective timeout is value rounded up to the nearest multiple of 5000). Value -1 means indefinite

Tenant

Declares a Tenant

Properties:

Name (Type) Default Values Description
class (string)
“Tenant”
constants (Constants)
controls (Controls)
defaultRouteDomain (integer) 0 [-infinity, 65535] Selects the default route domain for IP traffic to and from this Tenant’s application resources (note: affects declared IP addresses which do not include a %RD route-domain specifier). You must choose an existing route domain–this option cannot create one. Route domain 0 (default) is always available
enable (boolean) true true, false Tenant handles traffic only when enabled (default)
label (Label)
optimisticLockKey (string) “”
When you deploy a declaration with a non-empty ‘key’ value here, that activates an optimistic lock on changes to this Tenant. If the key in your declaration does not match the key AS3 computes for the most-recent previous declaration, then AS3 will NOT update this Tenant and will return an error code. To use optimistic locking, first retrieve a declaration using option ‘opLocks=true’ to get the current per-Tenant keys. Make any changes you desire, then deploy your updated declaration. Deployment of each Tenant with a key will succeed only if that Tenant has not been modified since the time you retrieved the declaration. (To overwrite all previous changes to a Tenant simply do NOT include any opportunistic-lock key for that Tenant when you deploy a declaration. That is the default.) Note that only keys computed by AS3 may be used here– you cannot generate your own.
remark (Remark)
Shared (Application_Shared)
verifiers (object)
Data (in ‘key’:’value’ properties) used to verify automated tests. Ordinary declarations do not need this

TLS_Client

TLS client parameters (connections leaving ADC)

Properties:

Name (Type) Default Values Description
ciphers (string) “DEFAULT”
Ciphersuite selection string
class (string)
“TLS_Client”
clientCertificate (string)
AS3 pointer to client Certificate declaration (optional)
ignoreExpired (boolean) false true, false If false (default) drop connections with expired server certificates
ignoreUntrusted (boolean) false true, false If false (default) drop connections with untrusted server certificates
label (Label)
remark (Remark)
sendSNI (string) “none” format: hostname FQDN to send in SNI (optional)
serverName (string) “none” format: hostname FQDN which server certificate must match (optional)
sessionTickets (boolean) false true, false If false (default) do not use rfc5077 session tickets
trustCA (string)
“generic”, - CA’s trusted to validate server certificate; ‘generic’ (default) or else AS3 pointer to declaration of CA Bundle
validateCertificate (boolean) false true, false If false (default) accept any cert from server, else validate server cert against trusted CA bundle

TLS_Server

TLS server parameters (connections arriving to ADC)

Properties:

Name (Type) Default Values Description
authenticationFrequency (string) “one-time” “one-time”, “every-time” Client certificate authentication frequency
authenticationInviteCA (string | object)
-, - AS3 pointer to declaration of CA Bundle used to invite client certificates
authenticationMode (string) “ignore” “ignore”, “request”, “require” Client certificate authentication mode
authenticationTrustCA (string | object)
-, - AS3 pointer to declaration of CA Bundle used to validate client certificates
certificates (array)
Primary and (optional) additional certificates (order is significant, element 0 is primary cert)
ciphers (string) “DEFAULT”
Ciphersuite selection string
class (string)
“TLS_Server”
label (Label)
remark (Remark)
requireSNI (boolean) false true, false When a client sends no or unknown SNI and Require SNI is false (default), the system uses the primary certificate, otherwise the system rejects the client

UDP_Profile

Configures a User Datagram Protocol (UDP) profile

Properties:

Name (Type) Default Values Description
allowNoPayload (boolean) false true, false When true, forward UDP datagrams with empty payloads (default false)
bufferMaxBytes (integer) 655350 [65535, 16777215] Limit to number of octets which the system may buffer for a UDP flow (default 655350)
bufferMaxPackets (integer) 0 [-infinity, 255] Limit to number of packets which the system may buffer for a UDP flow (default 0)
class (string)
“UDP_Profile”
datagramLoadBalancing (boolean) false true, false When true, process UDP datagrams independently, without recognizing flows (default false)
idleTimeout (integer) 60 [-1, 86400] Number of seconds (default 60) flow may remain idle before it becomes eligible for deletion. Value 0 allows system to recover per-flow resources whenever convenient (always safe with UDP). Value -1 means indefinite (not recommended)
ipDfMode (string) “pmtu” “clear”, “pmtu”, “preserve”, “set” Controls DF (Don’t Fragment) flag in outgoing datagrams. Value ‘pmtu’ (default) sets DF based on IP PMTU value. Value ‘preserve’ copies DF from received datagram. Value ‘set’ forces DF true in all outgoing datagrams. Value ‘clear’ forces DF false in all outgoing datagrams
ipTosToClient (integer | string) 0 [-infinity, 252], regex: ^(pass-through|mimic)$ Specifies the IP TOS/DSCP value in packets sent to clients (default 0). Numeric values in this property are decimal representations of eight-bit numbers, of which the leftmost six bits are the DSCP code per rfc2474 (and the rightmost two bits reserved). You may have to calculate the value of this property by multiplying a DSCP code, such as CS5+EF = 46, by four, to obtain the ‘ipTosToClient’ value, such as 184. Value ‘pass-through’ sets DSCP from the initial server-side value. Value ‘mimic’ copies DSCP from the most-recently received server-side packet (allowing DSCP to vary during the life of a connection)
label (Label)
linkQosToClient (integer | string) 0 [-infinity, 7], regex: ^pass-through$ Specifies the Layer-2 QOS value in packets sent to clients (default 0). Ethernet-type networks recognize numeric codes from 0 to 7. Value ‘pass-through’ sets QOS from the initial server-side value
proxyMSS (boolean) false true, false When true, MSS advertised on the server side will match that negotiated with the client, if permitted by MTU and other constraints (default false)
remark (Remark)
ttlIPv4 (integer) 255 [1, 255] TTL the system sets in outgoing IPv4 datagrams
ttlIPv6 (integer) 64 [1, 255] TTL the system sets in outgoing IPv6 datagrams
ttlMode (string) “proxy” “decrement”, “preserve”, “proxy”, “set” Controls IP TTL in outgoing datagrams. Value ‘set’ forces TTL to value of property ‘ttlIPv4’ or ‘ttlIPv6’ as appropriate. Value ‘proxy’ forces TTL to the default value for IPv4 or IPv6 as appropriate. Value ‘preserve’ copies TTL from received datagram. Value ‘decrement’ sets TTL to one less than received datagrams’s TTL
useChecksum (boolean) false true, false When true, system will validate UDP checksums for IPv4 datagrams (default false). Checksums are always validated for IPv6

WAF_Policy

A Web Application Firewall Policy

Properties:

Name (Type) Default Values Description
class (string)
“WAF_Policy”
file (string)
The absolute file path for the ASM policy stored on the BIG-IP
ignoreChanges (boolean) false true, false If false (default), the system updates the policy in every AS3 declaration deployment. If true, AS3 creates the policy on first deployment, and leaves it untouched afterwards
label (Label)
remark (Remark)
url (string)
The URL to pull the ASM policy from