F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP Access Policy Manager: Secure Web Gateway
  3. Common Elements for Profiles Tasks
Manual Chapter : Common Elements for Profiles Tasks

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 14.0.1, 14.0.0
Manual Chapter

Common Elements for Profiles Tasks

  1. On the Main tab, click
    Local Traffic
    Profiles
    .
  2. On the menu bar, expand or click a profile category and choose the type of profile you want to create.
  3. In the name column, click the system-supplied
    dns
     profile.
    The DNS properties list screen opens.
  4. In the name column, click the system-supplied
    dns
     profile.
    The DNS properties list screen opens.
  5. From the
    Response Cache
     list, select
    Enabled
    .
  6. In the Hardware Acceleration area, from the
    Protocol Validation
     list, select
    Enabled
    .
  7. Click
    Update
    .
  8. On the Main tab, click
    Local Traffic
    Profiles
    Databases
    MS SQL
    .
    The MS SQL Profiles list screen opens.
  9. On the Main tab, click
    Security
    Event Logs
    Logging Profiles
    .
    The Logging Profiles list screen opens.
  10. On the Main tab, click
    Local Traffic
    Profiles
    Services
    HTTP
    .
    The HTTP profile list screen opens.
  11. On the Main tab, click
    Local Traffic
    Profiles
    Services
    SMTPS
    .
    The SMTPS profile list screen opens.
  12. On the Main tab, click
    Local Traffic
    Profiles
    Services
    Rewrite
    .
    The Rewrite profile list appears.
  13. On the Main tab, click
    Local Traffic
    Profiles
    Services
    HTTP Compression
    .
    The HTTP Compression profile list screen opens.
  14. On the Main tab, click
    Acceleration
    Profiles
    HTTP Compression
    .
    The HTTP Compression profile list screen opens.
  15. On the Main tab, click
    Local Traffic
    Profiles
    Services
    Web Acceleration
    .
    The Web Acceleration profile list screen opens.
  16. On the Main tab, click
    Local Traffic
    Profiles
    Services
    FTP
    .
    The FTP profile list screen opens.
  17. On the Main tab, click
    Local Traffic
    Profiles
    Services
    DNS
    .
    The DNS profile list screen opens.
  18. On the Main tab, click
    DNS
    Delivery
    Profiles
    DNS
    .
    The DNS profile list screen opens.
  19. On the Main tab, click
    DNS
    Delivery
    Profiles
    DNS
     or
    Local Traffic
    Profiles
    Services
    DNS
    .
    The DNS profile list screen opens.
  20. On the Main tab, click
    DNS
    Delivery
    Profiles
    DNS
    .
    The DNS list screen opens.
  21. In the Name column, click the name of the profile you want to modify.
  22. On the Main tab, click
    Local Traffic
    Profiles
    Services
    IIOP
    .
    The IIOP profile list screen opens.
  23. On the Main tab, click
    Local Traffic
    Profiles
    Services
    RTSP
    .
    The RTSP profile list screen opens.
  24. On the Main tab, click
    Local Traffic
    Profiles
    Services
    Diameter
    .
    The Diameter profile list screen opens.
  25. On the Main tab, click
    Local Traffic
    Profiles
    Services
    RADIUS
    .
    The RADIUS profile list screen opens.
  26. On the Main tab, click
    Local Traffic
    Profiles
    Services
    SMTP
    .
    The SMTP profile list screen opens.
  27. On the Main tab, click
    Local Traffic
    Profiles
    Services
    iSession
    .
    The iSession profile list screen opens.
  28. On the Main tab, click
    Local Traffic
    Profiles
    Services
    CIFS
    .
    The Profiles list screen opens.
  29. On the Main tab, click
    Local Traffic
    Profiles
    Services
    MAPI
    .
    The MAPI profile list screen opens.
  30. On the Main tab, click
    Local Traffic
    Profiles
    Services
    XML
    .
    The XML profile list screen opens.
  31. On the Main tab, click
    Local Traffic
    Profiles
    Services
    HTTP/2
    .
    The HTTP/2 profile list screen opens.
  32. On the Main tab, click
    Acceleration
    Profiles
    HTTP/2
    .
    The HTTP/2 profile list screen opens.
  33. On the Main tab, click
    Local Traffic
    Profiles
    Services
    SPDY
    .
    The SPDY profile list screen opens.
  34. On the Main tab, click
    Acceleration
    Profiles
    SPDY
    .
    The SPDY profile list screen opens.
  35. On the Main tab, click
    Local Traffic
    Profiles
    Services
    FIX
    .
    The FIX profile list screen opens.
  36. On the Main tab, click
    Local Traffic
    Profiles
    Services
    IPsecALG
    .
    The IPsecALG profile list screen opens.
  37. On the Main tab, click
    Local Traffic
    Profiles
    Persistence
    .
    The Persistence profile list screen opens.
  38. In the Name column, click the name of the relevant persistence profile.
  39. For the
    Mirror Persistence
     setting, select the check box.
  40. On the Main tab, click
    Local Traffic
    Profiles
    Protocol
    Fast L4
    .
    The Fast L4 screen opens.
  41. On the Main tab, click
    Local Traffic
    Profiles
    Protocol
    Fast HTTP
    .
    The Fast HTTP profile list screen opens.
  42. On the Main tab, click
    Local Traffic
    Profiles
    Protocol
    HTTP Class
    .
    The HTTP Class profile list screen opens.
  43. On the Main tab, click
    Local Traffic
    Profiles
    Protocol
    TCP
    .
    The TCP profile list screen opens.
  44. On the Main tab, click
    Local Traffic
    Profiles
    Services
    SIP (legacy)
    .
    The SIP profile list screen opens.
  45. On the Main tab, click
    Local Traffic
    Profiles
    Protocol
    UDP
    .
    The UDP profile list screen opens.
  46. On the Main tab, click
    Local Traffic
    Profiles
    Protocol
    SCTP
    .
    The SCTP profile list screen opens.
  47. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Client
    .
    The Client SSL profile list screen opens.
  48. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Server
    .
    The Server SSL profile list screen opens.
  49. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Client
     or
    Local Traffic
    Profiles
    SSL
    Server
    .
    The Client SSL or Server SSL profile list screen opens.
  50. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    OCSP Stapling
    .
    The OCSP Stapling list screen opens.
  51. Scroll down to
    Handshake Timeout
     and select the
    Custom
     check box.
    Additional settings become available.
  52. To limit the timeout to a number of seconds, select
    Specify
     from the list, and type the required number in the
    seconds
     field.
    In the list, the value
    Indefinite
     specifies that the system continue trying to establish a connection for an unlimited time. If you select
    Indefinite
    , the
    seconds
     field is no longer available.
  53. On the Main tab, click
    Local Traffic
    Profiles
    Authentication
    Profiles
    .
    The Profiles list screen opens.
  54. On the Main tab, click
    Local Traffic
    Profiles
    Other
    Request Logging
    .
    The Request Logging profile list screen opens.
  55. On the Main tab, click
    Local Traffic
    Profiles
    Other
    DNS Logging
    .
    The DNS Logging profile list screen opens.
  56. On the Main tab, click
    DNS
    Delivery
    Profiles
    Other
    DNS Logging
    .
    The DNS Logging profile list screen opens.
  57. On the Main tab, click
    DNS
    Delivery
    Profiles
    Other
    DNS Logging
     or
    Local Traffic
    Profiles
    Other
    DNS Logging
    .
    The DNS Logging profile list screen opens.
  58. On the Main tab, click
    Local Traffic
    Profiles
    Other
    OneConnect
    .
    The OneConnect profile list screen opens.
  59. On the Main tab, click
    Local Traffic
    Profiles
    Other
    SplitSession Client
    .
    The SplitSession Client profile list screen opens.
  60. On the Main tab, click
    Local Traffic
    Profiles
    Other
    SplitSession Server
    .
    The SplitSession Server profile list screen opens.
  61. On the Main tab, click
    Local Traffic
    Profiles
    Other
    HTTP Proxy Connect
    .
    The
    HTTP Proxy Connect
     profile list screen opens.
  62. On the Main tab, click
    Local Traffic
    Profiles
    Services
    Client LDAP
    .
    The Client LDAP list screen opens.
  63. On the Main tab, click
    Local Traffic
    Profiles
    Services
    Server LDAP
    .
    The Server LDAP list screen opens.
  64. On the Main tab, click
    Local Traffic
    Profiles
    Analytics
    HTTP Analytics
    .
    If
    Analytics
     is not listed, this indicates that Application Visibility and Reporting (AVR) is not provisioned, or you do not have rights to create profiles.
    The HTTP Analytics screen opens.
  65. In the Logging and Reporting area, select the
    AVR Statistics Sample Rate
     check box.
    The
    Enabled 1/ 1 queries sampled
     field displays.
  66. In the
    Enabled 1/ 1 queries sample
     field, change the
    1
     to the number of queries from which the system takes one sample.
    0
    No DNS requests are stored in the Analytics database.
    1
    All DNS requests are stored in the Analytics database.
    n>1
    Every nth DNS request is stored in the Analytics database.
  67. For the
    Statistics Logging Type
     setting, click
    External
    .
  68. From the
    Publisher
     list, select the publisher that contains the destination to which you want the BIG-IP system to send the statistics.
  69. For the
    Statistics Logging Type
     setting, verify that
    Internal
     is selected. If it is not, select it.
    Selecting
    Internal
     causes the system to store statistics locally, and you can view the charts on the system by starting at the Main tab, and clicking
    Statistics
    Analytics
    .
  70. For the
    Transaction Sampling Ratio
     setting, specify whether the system learns information from every transaction (specify
    all
    ), or performs traffic sampling (specify
    1 of every n
     transactions).
    A high sampling rate (such as
    99
    ) results in less precise statistical data but improves system performance. Adjust the sampling ratio according to expected TPS and quantity of entities.
    You can change this setting only on the default Analytics profile.
  71. In the Associated Virtual Servers area, specify the virtual servers for which to capture application statistics:
    1. For the
      Virtual Servers
       setting, click
      Add
      .
    2. From the Select Virtual Server popup that opens, select the virtual servers to include and then click
      Done
      .
    Only virtual servers previously configured with an HTTP profile display in the list (because the data being collected applies to HTTP traffic). Also, you can assign only one HTTP Analytics profile to a virtual server; therefore, the list displays only virtual servers that have not been assigned an Analytics profile.
    Special considerations apply if using Analytics on a BIG-IP system with both Application Security Manager and Access Policy Manager, where security settings (in Portal Access webtop or an iRule) redirect traffic from one virtual server to another. In this case, you need to attach the HTTP Analytics profile to the second virtual server to ensure that the charts show accurate statistics.
  72. Specify the virtual servers for which to capture traffic:
    1. In the
      Virtual Servers
       setting, click
      Add
      .
    2. From the Select Virtual Server list that displays, select the virtual servers and click
      Done
      .
    Only previously configured virtual servers display in the list.
  73. In the Statistics Gathering Configuration area, for
    Collected Metrics
    , select additional statistics you want the system to collect from the requests:
    Option
    Description
    Max TPS and Throughput
    Collects and logs statistics regarding the maximum number of transactions occurring per second (TPS) and the amount of traffic moving through the system.
    Maximum request and response throughput is collected and recorded separately. Each value is then displayed separately when you drill down into details of Transaction Outcomes (
    Statistics
    Analytics
    Overview
    ).
    HTTP Timing (RTT, TTFB, Duration)
    Collects and logs statistics regarding the HTTP request and response times, including round-trip time, time to first byte and overall transaction duration time.
    Page Load Time
    Collects and logs statistics regarding the time it takes an application user to get a complete response from the application, including network latency and completed page processing.
    End-user response times and latencies can vary significantly based on geographic location and connection types.
    User Sessions
    Collects and logs statistics regarding the number of unique user sessions. For
    Timeout
    , select the allowed minutes of user inactivity before the system considers the session to be over.
    For
    Cookie Secure Attribute
    , specify whether to secure session cookies:
    • Always
      , the secure attribute is always added to the session cookie.
    • Never
      , the secure attribute is never added to the session cookie.
    • Only SSL
      , the secure attribute is added to the session cookie only when the virtual server has a client SSL profile (the default value).
    By default, the system collects many metrics, including TPS, throughput, server latency, response time, network latency. You can select the metrics here, in addition to the ones already collected, once the Analytics profile is attached to one or more virtual servers.
  74. In the Statistics Gathering Configuration area, for
    Collected Entities
    , select additional entities to collect statistics for each request.
    By default, the system collects many entity statistics, including virtual servers, pool members, browser names, operating system, and so on. You can select the ones here in addition to the ones already collected once the Analytics profile is attached to one or more virtual servers.
    When you select
    URLs
    ,
    Countries
    ,
    Client IP Addresses
     or
    Client Subnets
     you have additional options configure specific statistics filtering options.
    Option
    Description
    URLs
    Saves the URLs that were requested.
    Countries
    Saves the name of the country where the request came from, and is based on the client IP address criteria.
    Client IP Addresses
    Saves the IP address where the request originated. The address saved also depends on whether the request has an XFF (X-forwarded-for) header and whether the HTTP profile accepts XFF headers.
    Client Subnets
    Saves statistics for predefined client subnets. Client subnets can be added in the Subnets area of the default HTTP Analytics profile.
    Response Codes
    Saves HTTP response codes that the server returned in response to requests.
    User Agents
    Saves information about browsers making the request.
    Methods
    Saves HTTP methods in requests.
    OS and Browsers
    Saves information about the operating system and browser making the request.
  75. In the Statistics Gathering Configuration area, for
    Collect URLs
    , you can configure whether the system collects traffic from all or from specific URLs.
    1. Select
      All
       to collect traffic from all URLs.
      By default, the system collects traffic from all URLs, when you select
      URLs
       from the
      Collected Entities
       list.
    2. Select
      Only
       to collect traffic from specific URLs.
    3. Specify the URLs for which to capture traffic and click
      Add
      . You can add up to 10 URLs to the list.
      If you select
      Only
       and leave the list empty, the system collects traffic data from all URLs.
  76. In the Statistics Gathering Configuration area, for
    Collect Countries
    , you can configure whether the system collects traffic from all or from specific countries.
    1. Select
      All
       to collect traffic from all countries.
      By default, the system collects traffic from all countries, when you select
      Countries
       from the
      Collected Entities
       list.
    2. Select
      Only
       to collect traffic from specific countries.
    3. Specify the countries for which to capture traffic. Select from the Available Countries list and use the arrow keys to move each country to the Selected Countries list. You can add up to 10 countries to the Selected list.
      If you select
      Only
       and leave the list empty, the system collects traffic data from all countries.
  77. In the Statistics Gathering Configuration area, for
    Collect Client IP Addresses
    , you can configure whether the system collects traffic from all or from specific client IPs.
    1. Select
      All
       to collect traffic from all client IP addresses.
      By default, the system collects traffic from all client IPs, when you select
      Client IP Addresses
       from the
      Collected Entities
       list.
    2. Select
      Only
       to collect traffic from specific client IP addresses.
    3. Specify the client IP addresses for which to capture traffic and click
      Add
      . You can add up to client IP addresses to the list.
      If you select
      Only
       and leave the list empty, the system collects traffic data from all client IP addresses.
  78. In the Statistics Gathering Configuration area, for
    Collect Client Subnets
    , you can configure whether the system collects traffic from all or from specific client subnet IPs.
    1. Select
      All
       to collect traffic from all subnets.
      By default, the system collects traffic from all subnets, when you select
      Client Subnets
       from the
      Collected Entities
       list.
    2. Select
      Only
       to collect traffic from specific subnets.
    3. Specify the subnet IPs for which to capture traffic and click
      Add
      . You can add up to 10 subnet IPs to the list.
      You can filter the listed subnets by one type of IP protocol. Adding both IPv4 and IPv6 protocols results in an error.
      If you select
      Only
       and leave the list empty, the system collects traffic data from all subnets.
  79. If one of the
    Traffic Capturing Logging Type
     check boxes is selected, in the Capture Filter area, adjust the settings to specify criteria to determine what application traffic to capture.
    You can use the captured information for troubleshooting purposes.
  80. If you want the system to send email notifications, review the
    SMTP Configuration
     field to ensure that a configuration is specified and not the value
    None
    .
    You can configure SMTP only in the default Analytics profile. If it is not configured, you can save the profile and edit the default profile where you can select an existing SMTP configuration or create a new one. (If you click the
    analytics
     link without saving the new profile you are working on, you will lose the unsaved changes.)
  81. For the
    Notification Type
     setting, select how you want the system to send alerts and notifications.
    Syslog
    Select
    Syslog
     if you want the system to send notification and alert messages to the local log system. You can view the messages on the
    System
    Logs
    Local Traffic
     screen.
    SNMP
    Select
    SNMP
     if you want the system to send notification and alert messages as SNMP traps. You can create the trap by clicking
    Configuration can be found here
     (
    System
    SNMP
    Traps
    Destination
    ). Enabling SNMP automatically sets up Syslog notifications, too.
    E-mail
    Select
    E-mail
     if you want the system to send notification and alert messages to email addresses. Type each email address in the
    Notification E-Mails
     field, and click
    Add
     to create the list. This option requires that the default analytics profile includes an SMTP configuration.
    When you select a notification type, the screen displays the Alerts and Notifications Configuration area, where you can indicate the criteria for alerts and notifications.
  82. Click
    Create
    .
    The Create New Logging Profile screen opens.
  83. Click
    Create New Profile
    .
    The Create New Profile Rewrite pop-up screen opens.
  84. Click
    Create
    .
    The New Authentication Profile screen opens.
  85. Click
    Create
    .
    The New Fast L4 profile screen opens.
  86. Click
    Create
    .
    The New DNS Profile screen opens.
  87. Click
    Create
    .
    The New DNS Logging profile screen opens.
  88. Click
    Create
    .
    The New HTTP Compression profile screen opens.
  89. Click
    Create
    .
    The New Diameter profile screen opens.
  90. Click
    Create
    .
    The New HTTP Profile screen opens.
  91. Click
    Create
    .
    The New FTP Profile screen opens.
  92. Click
    Create
    .
    The New SCTP Profile screen opens.
  93. Click
    Create
    .
    The New SMTP Profile screen opens.
  94. Click
    Create
    .
    The New SMTPS Profile screen opens.
  95. Click
    Create
    .
    The New HTTP Class Profile screen opens.
  96. Click
    Create
    .
    The New Web Acceleration Profile screen opens.
  97. Click
    Create
    .
    The New HTTP Analytics profile screen opens.
  98. Click
    Create
    .
    The New Server SSL Profile screen opens.
  99. Click
    Create
    .
    The New Client SSL Profile screen opens.
  100. Click
    Create
    .
    The New Client LDAP Profile screen opens.
  101. Click
    Create
    .
    The New Server LDAP Profile screen opens.
  102. Click
    Create
    .
    The New Request Logging Profile screen opens.
  103. Click
    Create
    .
    The New Persistence Profile screen opens.
  104. Click
    Create
    .
    The New HTTP/2 Profile screen opens.
  105. Click
    Create
    .
    The New SPDY Profile screen opens.
  106. Click
    Create
    .
    The New FIX Profile screen opens.
  107. Click
    Create
    .
    The New GTP Profile screen opens.
  108. Click
    Create
    .
    The New OneConnect Profile screen opens.
  109. Click
    Create
    .
    The New MS SQL Profile screen opens.
  110. Click
    Create
    .
    The New SplitSession Client Profile screen opens.
  111. Click
    Create
    .
    The New SplitSession Server Profile screen opens.
  112. Click
    Create
    .
    The New HTTP Proxy Connect Profile screen opens.
  113. Click
    Create
    .
    The new OCSP Stapling Profile screen opens.
  114. Click
    Create
    .
  115. Click
    Finished
    .
  116. Click
    Update
    .
  117. Click
    Delete
    .
  118. Click the name of a profile.
  119. In the
    Name
     field, type a unique name for the profile.
  120. From the
    Parent Profile
     list, retain the default value,
    clientldap
    .
  121. From the
    Parent Profile
     list, retain the default value,
    serverldap
    .
  122. From the
    Parent Profile
     list, retain the default value or select another existing profile of the same type.
  123. From the
    Parent Profile
     list, select the profile from which you want to inherit settings.
    The default profile is often used as the parent profile.
    The new profile inherits the values from the parent profile. If the parent is changed, the inherited values in the new profile also change.
  124. On the Main tab, click
    Local Traffic
    Profiles
    Message Routing
    SIP
    .
    The SIP transport config list screen opens.
  125. On the menu bar, click
    Router Profiles
    .
    The Router Profiles list screen opens.
  126. Click
    Create
    .
    The New SIP Router Profile screen opens.
  127. In the
    Name
     field, type a unique name for the SIP router profile.
  128. From the
    Operation Mode
     list, select
    Load Balancing
    .
  129. In the
    Maximum Pending Messages
     field, type ...
  130. In the
    Maximum Pending Bytes
     field, type ...
  131. For the
    Static Routes
     setting, move routes that define how the BIG-IP system load balances SIP traffic from the
    Available
     list to the
    Selected
     list.
  132. In the
    Transaction Timeout (seconds)
     field, type the number of seconds...
  133. On the menu bar, click
    Session Profiles
    .
    The Session Profiles list screen opens.
  134. Click
    Create
    .
    The New SIP Session Profile screen opens.
  135. In the
    Name
     field, type a unique name for the SIP session profile.
  136. In the
    Maximum Message Size (bytes)
     field, type ...
  137. In the
    Maximum Message Header Count
     field, type ...
  138. In the
    Custom Via
     field, type ...
  139. From the
    Persist Key
     list, select the value the system uses for persistence of a SIP session. The options are:
    Option
    Description
    Call-ID
    The system uses the value in the Call-ID header field in the SIP message.
    Custom
    The system uses the value of a custom key specified in an iRule.
    Src-Addr
    The system uses the originating IP address in the SIP message.
  140. From the
    Persist Type
     list, select one of these options:
    Option
    Description
    Session
    Persistence is enabled.
    None
    Persistence is disabled.
  141. In the
    Persist Timeout (seconds)
     field, type the number of seconds before a SIP session persistence record expires.
  142. In the
    Profile Name
     field, type a unique name for the Analytics profile.
  143. In the General Properties area, name the profile
    dns_express
    .
  144. In the General Properties area, name the profile
    dns_zxfr_dnssec
    .
  145. In the General Properties area, name the profile
    dns_zxfr
    .
  146. In the
    Profile Name
     field, type a unique name for the Security Logging Profile.
  147. In the
    Profile Name
     field, type a unique name for the profile.
  148. In the General Properties area, from the
    Parent Profile
     list, accept the default
    dns
     profile.
  149. On the Main tab, click
    Local Traffic
    Profiles
    Services
    DHCPv4
    .
  150. On the Main tab, click
    Local Traffic
    Profiles
    Services
    DHCPv6
    .
  151. On the Main tab, click
    Local Traffic
    Profiles
    Policy Enforcement
    RADIUS AAA
    .
  152. Click
    Create
    .
    The New DHCPv4 Profile screen opens.
  153. Click
    Create
    .
    The New DHCPv6 Profile screen opens.
  154. Click
    Create
    .
    The New Radius Profile screen opens.
  155. In the
    Name
     field, type a unique name for the profile.
  156. From the
    Parent Profile
     list, select the default
    dhcpv4
     profile.
  157. From the
    Parent Profile
     list, select the default
    dhcpv6
     profile.
  158. From the
    Parent Profile
     list, select the default
    radiusaaa
     profile.
  159. Select the
    Custom
     check box.
  160. In the Protocol and Proxy Settings Features area, make a selection from the
    DHCP Mode
     list.
    Option
    Description
    Relay
    When in relay mode, a virtual server relays Dynamic Host Control Protocol (DHCP) client requests and applies unicast IP addresses as the relayed message destination.
    Forward
    When in forward mode, a virtual server forwards Dynamic Host Control Protocol (DHCP), and does not modify, client requests for an IP address to one or more DHCP servers.
  161. For the
    Idle Timeout
     setting, type the number of seconds that a BIG-IP DHCP connection is idle before the connection is eligible for deletion.
  162. For the
    Max Hops
     setting, select the
    Custom
     check box to enable this option. Type the maximum expected number of relay agents that the messages should pass through, before reaching the DHCPv4 server.
  163. For the
    Default TTL
     setting, select the
    Custom
     check box to enable this option. Type the time to live (TTL) value that you want to set for each outgoing DHCP packet.
  164. For the
    TTL Decrement Amount
     setting, select the
    Custom
     check box to enable this option. Type the amount that the DHCP virtual will use to decrement the TTL for each outgoing DHCP packet.
  165. For the
    Default Lease Time
     setting, select the
    Custom
     check box to enable this option. Type the time, in seconds, of the default value of the DHCPv4 lease time.
  166. For the
    Transaction Timeout
     setting, select the
    Custom
     check box to enable this option. Type the number of seconds, taken to internally process the messages.
  167. For the
    Transaction Timeout
     setting, select the
    Custom
     check box to enable this option. Type the number, in seconds, of the time taken for server to respond.
  168. If you want the DHCP module to insert option 82, for the
    Insert Relay Agent ID (Option 82)
     setting, select the
    Custom
     check box.
  169. If you want the DHCP module to insert option 37, for the
    Insert Remote ID (Option 37)
     setting, select the
    Custom
     check box .
  170. If you want the DHCP module to insert option 38, for the
    Insert Remote ID (Option 38)
     setting, select the
    Custom
     check box to enable this option .
  171. If you want the DHCP relay agent to remove option 82 from the server to client traffic, for the
    Remove Relay Agent ID From Client Messages
     setting, select the
    Custom
     check box to enable this option.
  172. If you want the DHCP relay agent to remove option 37 from the server to client traffic, for the
    Remove Subscriber Agent ID From Client Messages
     setting, select the
    Custom
     check box.
  173. If you want the DHCP module to remove option 38 from the server to client traffic, for the
    Remove Relay Agent ID From Client Messages
     setting, select the
    Custom
     check box.
  174. From the
    Subscriber Discovery
     list, select
    Enabled
    . Then, for the
    Subscriber ID Format
     setting, select the format you want to implement.
    Format
    Description
    MAC Address
    Uses the subscriber ID as the MAC address through which the subscriber ID goes through.
    Relay Agent Option: Suboption ID 1
    Uses the relay agent first option suboption ID.
    Relay Agent Option: Suboption ID 1 + <Separator> + Suboption ID 2
    Uses the relay agent first and second suboption IDs.
    MAC Address + <Separator> + Relay Agent Option: Suboption ID 1
    Uses the MAC Address and the relay agent first suboption ID.
    MAC Address + <Separator> + Relay Agent Option: Suboption ID 1 <Separator> + Suboption ID 2
    Uses the relay agent first option suboption ID.
    TCL Expression
    Uses the TCL expression to format the subscriber ID.
  175. From the
    Authentication Settings
     list, select
    Enabled
    . Then, select the virtual server name from the
    Authentication Virtual
     list. Select the
    User Name Format
     you want to implement.
    The
    User Name Format
     has the same options as the
    Subscriber ID Format
    , in the Subscriber Discovery setting.
  176. From the
    Subscriber Discovery
     list, select
    Enabled
    . Then, for the
    Subscriber ID Format
     setting, select the format you want to implement.
    Format
    Description
    MAC Address
    Uses the subscriber ID as the MAC address through which the subscriber ID goes through.
    MAC Address + <Separator> + Option 37
    Uses the MAC address and the remote ID relay agent option.
    MAC Address + <Separator>+ Option 37 <Separator> + Option 38
    Uses the MAC address, the remote ID relay agent option and the subscriber ID option.
    MAC Address + <Separator> + Option 38
    Uses the MAC address and the subscriber ID option.
    Option 37
    Uses the remote ID relay agent option.
    Option 37 <Separator> + Option 38:
    Uses the remote ID relay agent option and the subscriber ID option.
    Option 38
    Uses the subscriber ID option.
    TCL Expression
    Uses the TCL expression to format the subscriber ID.
  177. From the
    Authentication Settings
     list, select
    Enabled
    . Then, select the virtual server name from the
    Authentication Virtual
     list. Select the
    User Name Format
     you want to implement.
    The
    User Name Format
     has the same options as the
    Subscriber ID Format
    , in the Subscriber Discovery setting.
  178. For the
    Secret
     setting, select the
    Custom
     check box to enable this option. Type the shared secret of the RADIUS server used for authentication.
  179. For the
    Password
     setting, select the
    Custom
     check box to enable this option. Type the password of the RADIUS AAA profile for RADIUS server authentication.
  180. For the
    Retransmission Timeout
     setting, select the
    Custom
     check box to enable this option. Type the number of seconds to wait before resending authentication or accounting messages to the RADIUS server.
  181. From the
    Parent Profile
     list, select the default
    ftp
     profile.
  182. From the
    Parent Profile
     list, select a parent profile.
  183. For the
    Inherit Parent Profile
     setting, select the check box.
    This optimizes data channel traffic.
  184. Select the
    Custom
     check box.
  185. If you want to disable IPv6 translation, in the Settings area, clear the
    Translate Extended
     check box.
  186. Retain the
    Data Port
     setting default value of
    20
    .
  187. To enable FTP security checks, select the
    Protocol Security
     check box.
    The Protocol Security tab opens.
  188. In the
    Out Streams
     field, type a value for the number of outbound streams.
    Ensure that this value equals the value requested by the servers when the server-side connection is established.
    A value of
    2
    , or greater, enables SCTP multistreaming functionality.
  189. In the
    In Streams
     field, type a value for the number of inbound streams.
    Ensure that this value equals the value requested by the servers when the server-side connection is established.
    A value of
    2
    , or greater, enables SCTP multistreaming functionality.
  190. Configure the client-side multihoming settings.
    1. From the
      Client Side Multi-homing
       list, select
      Enabled
       to enable SCTP multihoming for clients.
      When enabled, this setting enables SCTP clients to connect to a virtual server over multiple IP interfaces.
      The
      Secondary Addresses
       setting appears.
    2. For the
      Secondary Addresses
       setting, in the
      Destination Address
       field, type a valid destination address for any virtual server that uses this SCTP profile.
    3. Click
      Add
      .
      Repeat the addition of each destination address that you want to provide to SCTP clients.
  191. From the
    Server Side Multi-homing
     list, select
    Enabled
     to enable SCTP multihoming for servers.
  192. From the
    Parent Profile
     list, select the existing SMTP profile from which you want the new profile to inherit settings. The default is
    smtp
    .
  193. Select the
    Protocol Security
     check box to enable SMTP security checks.
  194. From the
    Parent Profile
     list, select a profile from which the new profile inherits properties.
  195. For the
    Parent Profile
     setting, confirm that
    ssl
     appears.
  196. Select the
    Custom
     check box.
  197. Select the
    Custom
     check box.
  198. Select the
    Custom
     check box.
  199. Next to
    Settings
    , select the
    Custom
     check box.
  200. Next to
    Log Settings
    , select the
    Custom
     check box.
  201. From the
    Configuration
     list, select
    Advanced
    .
  202. Select the
    Custom
     check box.
    The settings become available for change.
  203. Next to Client Authentication, select the
    Custom
     check box.
    The settings become available.
  204. From the
    Certificate
     list, select the name of an SSL certificate on the BIG-IP system.
    If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
  205. From the
    Key
     list, select the name of an SSL key on the BIG-IP system.
    If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
  206. In the
    Pass Phrase
     field, select a pass phrase that enables access to the certificate/key pair on the BIG-IP system.
  207. From the
    Chain
     list, select the name of an SSL chain on the BIG-IP system.
  208. Select the
    Custom
     check box for
    Server Authentication
    .
  209. Modify the settings, as required.
  210. Modify other settings, as required.
  211. Configure all other profile settings as needed.
  212. For the
    Proxy SSL
     setting, select the check box.
  213. Select the
    Custom
     check box for the Request Settings area.
  214. Select the
    Custom
     check box for the Response Settings area.
  215. Select the check box for the applicable profile.
  216. In the
    Profile Name
     field, type a unique name for the MS SQL profile, for example,
    mssql_user_access
    .
  217. In the
    Profile Name
     field, type a unique name for the MS SQL profile, for example,
    mssql_command_access
    .
  218. From the
    Read/Write Split
     list, select
    By Command
    .
  219. From the
    Read/Write Split
     list, select
    By User
    .
  220. From the
    Read Pool
     list, select the pool of MS SQL database servers to which the system sends read-only requests.
  221. From the
    Write Pool
     list, select the pool of MS SQL database servers to which the system sends write requests.
  222. In the
    Write Persist Timer
     field, type the number of milliseconds, after a connection has switched to the write pool, that the connection continues to persist to the write pool.
    Use the value
    -1
     to persist the connection to the write pool for the duration of the connection.
    If you set this to a value other than
    -1
    , the value must be greater than the amount of time required for the primary and secondary database servers to synchronize with one another.
  223. From the
    Users Can Write By Default
     list, select
    Yes
     to give write access to all users, except those in the
    Read-Only Users
     list.
  224. From the
    Users Can Write By Default
     list, select
    No
     to give write access only to users in the
    Write-Enabled Users
     list.
  225. In the
    Read-Only Users
     area, add users to whom you want to provide read-only access to the database.
  226. In the
    Write-Enabled Users
     area, add users to whom you want to provide write access to the database.
  227. In the DNS Traffic area, from the
    DNS Security
     list, select
    Enabled
    .
  228. In the DNS Traffic area, from the
    DNS Security Profile Name
     list, select the name of the DNS firewall profile.
  229. In the Denial of Service Protection area, from the
    Rapid Response Mode
     list, select
    Disabled
    , until a DNS flood attack occurs. At that time, enable this setting, and select an action from the
    Rapid Response Last Action
     list.
    When you enable this setting, all other DNS features are disabled, except DNS Express.
  230. In the Denial of Service Protection area, from the
    Rapid Response Mode
     list, select
    Enabled
    .
    Enable this setting after a DNS flood attack occurs. When you enable it, all other DNS features are disabled, except for DNS Express and global server load balancing (GSLB), unless the
    Rapid Response Last Action
     is set to
    Allow
    .
  231. In the Denial of Service Protection area, from the
    Rapid Response Last Action
     list, select an option to protect your network:
    Option
    Description
    Allow
    BIG-IP system sends non-matching DNS queries along the regular packet processing path
    Drop
    BIG-IP system drops the message without sending a response to the client. This is the default value.
    No Error
    BIG-IP system returns NOERROR response to the client..
    NX Domain
    BIG-IP system returns non-existent name response to the client.
    Refuse
    BIG-IP system returns REFUSED response to the client.
    Truncate
    BIG-IP system truncates the response to the client.
  232. In the DNS Features area, from the
    GSLB
     list, accept the default value
    Enabled
    .
  233. In the DNS Features area, from the
    GSLB
     list, select
    Disabled
    .
  234. In the DNS Features area, from the
    DNS IPv6 to IPv4
     list, select how you want the system to handle IPv6 to IPv4 address mapping in DNS queries and responses.
    Option
    Description
    Disabled
    The BIG-IP system does not map IPv4 addresses to IPv6 addresses.
    Immediate
    The BIG-IP system receives an AAAA query and forwards the query to a DNS server. The BIG-IP system then forwards the first good response from the DNS server to the client. If the system receives an A response first, it appends a 96-bit prefix to the record and forwards it to the client. If the system receives an AAAA response first, it simply forwards the response to the client. The system disregards the second response from the DNS server.
    Secondary
    The BIG-IP system receives an AAAA query and forwards the query to a DNS server. Only if the server fails to return a response does the BIG-IP system send an A query. If the BIG-IP system receives an A response, it appends a 96-bit user-configured prefix to the record and forwards it to the client.
    v4 Only
    The BIG-IP system receives an AAAA query, but forwards an A query to a DNS server. After receiving an A response from the server, the BIG-IP system appends a 96-bit user-configured prefix to the record and forwards it to the client.
    Select this option only if you know that all your DNS servers are IPv4 only servers.
    If you selected
    Immediate
    ,
    Secondary
    , or
    V4 Only
     two new fields display.
  235. From the
    DNS IPv6 to IPv4
     list, specify how you want the system to handle IPv6 to IPv4 address mapping in DNS queries and responses.
    Option
    Description
    Disabled
    The BIG-IP system does not map IPv4 addresses to IPv6 addresses.
    Immediate
    The BIG-IP system receives an AAAA query and forwards the query to a DNS server. The BIG-IP system then forwards the first good response from the DNS server to the client. If the system receives an A response first, it appends a 96-bit prefix to the record and forwards it to the client. If the system receives an AAAA response first, it simply forwards the response to the client. The system disregards the second response from the DNS server.
    Secondary
    The BIG-IP system receives an AAAA query and forwards the query to a DNS server. Only if the server fails to return a response does the BIG-IP system send an A query. If the BIG-IP system receives an A response, it appends a 96-bit user-configured prefix to the record and forwards it to the client.
    v4 Only
    The BIG-IP system receives an AAAA query, but forwards an A query to a DNS server. After receiving an A response from the server, the BIG-IP system appends a 96-bit user-configured prefix to the record and forwards it to the client.
    Select this option only if you know that all your DNS servers are IPv4 only servers.
    If you selected
    Immediate
    ,
    Secondary
    , or
    V4 Only
    , two new fields display.
  236. In the DNS Features area, in the
    IPv6 to IPv4 Prefix
     field, specify the prefix the BIG-IP system appends to all A query responses to an IPv6 request.
  237. In the
    IPv6 to IPv4 Prefix
     field, specify the prefix the BIG-IP system appends to all A query responses to an IPv6 request.
  238. In the DNS Features area, from the
    IPv6 to IPv4 Additional Section Rewrite
     list, select an option to allow improved network efficiency for both Unicast and Multicast DNS-SD responses.
    Option
    Description
    Disabled
    The BIG-IP system does not perform additional rewrite.
    v4 Only
    The BIG-IP system accepts only A records. The system appends the 96-bit user-configured prefix to a record and returns an IPv6 response to the client.
    v6 Only
    The BIG-IP system accepts only AAAA records and returns an IPv6 response to the client.
    Any
    The BIG-IP system accepts and returns both A and AAAA records. If the DNS server returns an A record in the Additional section of a DNS message, the BIG-IP system appends the 96-bit user-configured prefix to the record and returns an IPv6 response to the client.
  239. From the
    IPv6 to IPv4 Additional Section Rewrite
     list, select an option to allow improved network efficiency for both Unicast and Multicast DNS-SD responses.
    Option
    Description
    Disabled
    The BIG-IP system does not perform additional rewrite.
    v4 Only
    The BIG-IP system accepts only A records. The system appends the 96-bit user-configured prefix to a record and returns an IPv6 response to the client.
    v6 Only
    The BIG-IP system accepts only AAAA records and returns an IPv6 response to the client.
    Any
    The BIG-IP system accepts and returns both A and AAAA records. If the DNS server returns an A record in the Additional section of a DNS message, the BIG-IP system appends the 96-bit user-configured prefix to the record and returns an IPv6 response to the client.
  240. In the DNS Features area, from the
    DNS Express
     list, retain the default value
    Enabled
    .
  241. In the DNS Features area, from the
    DNS Express
     list, select
    Disabled
    .
  242. In the DNS Features area, from the
    DNSSEC
     list, select
    Enabled
    .
  243. In the DNS Features area, from the
    DNSSEC
     list, select
    Disabled
    .
  244. In the DNS Traffic area, from the
    Zone Transfer
     list, select
    Enabled
    .
  245. In the DNS Features area, from the
    Unhandled Query Actions
     list, select how you want the BIG-IP system to handle a query that is not for a wide IP or DNS Express zone.
    Option
    Description
    Allow
    The BIG-IP system forwards the query to a DNS server or a member of a pool of DNS servers. Note that if the pool is not associated with a listener and the
    Use BIND Server on BIG-IP
     option is set to
    enabled
    , queries are forwarded to the local BIND server. (Allow is the default value.)
    Drop
    The BIG-IP system does not respond to the query.
    Reject
    The BIG-IP system returns the query with the REFUSED return code.
    Hint
    The BIG-IP system returns the query with a list of root name servers.
    No Error
    The BIG-IP system returns the query with the NOERROR return code.
  246. In the DNS Features area, from the
    Unhandled Query Actions
     list, select
    Allow
    .
    The BIG-IP system forwards zone transfer requests to a DNS server or a member of a pool of DNS servers.
  247. In the DNS Features area, from the
    Use BIND Server on BIG-IP
     list, select
    Enabled
    .
    Enable this setting only when you want the system to forward non-wide IP queries to the local BIND server on BIG-IP DNS.
  248. From the
    Use BIND Server on BIG-IP
     list, select
    Enabled
    .
    Enable this setting only when you want the system to forward non-wide IP queries to the local BIND server on BIG-IP DNS.
  249. In the DNS Features area, from the
    Use BIND Server on BIG-IP
     list, select
    Disabled
    .
  250. In the DNS Features area, make a selection from the
    Use BIND Server on BIG-IP
     list.
    Option
    Description
    Enabled
    Enable this setting only when you want the system to forward non-wide IP queries to the local BIND server on the BIG-IP DNS.
    Disabled
    Disable this setting when you want the system to forward non-wide IP queries to a DNS server behind BIG-IP DNS.
  251. In the DNS Features area, make a selection from the
    Recursion Desired
     list.
    Option
    Description
    Enabled
    BIG-IP accepts DNS queries with the recursion bit set.
    Disabled
    BIG-IP does not accept DNS queries with the recursion bit set. When you configure BIG-IP to be an authoritative nameserver for an external web site, disable this option as a security measure to prevent denial of service attacks.
  252. In the DNS Features area, make a selection from the
    DNS Cache
     list.
    When you enable the
    DNS Cache
     option, you must also select a name from the
    DNS Cache Name
     list.
    Option
    Description
    Enabled
    Enable this setting when you want to cache the DNS responses handled by the virtual servers associated with this profile.
    Disabled
    Disable this setting when you want to debug the system. When you disable this setting, the profile retains the association with the DNS cache in the
    DNS Cache Name
     field, but the system does not cache DNS responses.
  253. From the
    Rate Limiting
     list, select
    Enabled
    .
    When you enable this setting, you must also select a profile from the
    Rate Limiting Profile
     list.
  254. From the
    Rate Limiting Profile
     list, select a profile based on your rate limited license.
  255. In the DNS Features area, from the
    DNS Cache
     list, select
    Enabled
    .
    When you enable the
    DNS Cache
     option, you must also select a DNS cache from the
    DNS Cache Name
     list.
  256. In the DNS Features area, from the
    DNS Cache
     list, select
    Disabled
    .
  257. In the DNS Features area, from the
    DNS Cache Name
     list, select the DNS cache that you want to associate with this profile.
    You can associate a DNS cache with a profile, even when the
    DNS Cache
     option, is
    Disabled
    .
  258. In the Logging and Reporting area, from the
    Logging
     list, select
    Enabled
    .
  259. In the Logging and Reporting area, from the
    Logging
     list, select
    Disabled
    .
  260. In the Logging and Reporting area, from the
    Profile
     list, select a custom DNS Logging profile.
  261. In the Log Settings area, from the
    Logging Profile
     list, select a custom Logging profile.
  262. In the DNS Security area, from the
    Publisher
     list, select a destination to which the BIG-IP system sends DNS log entries.
  263. From the
    Log Publisher
     list, select a destination to which the BIG-IP system sends log entries.
    You can specify publishers for other DoS types in the same profile, for example, for DNS, Network, or Application DoS Protection.
  264. If you want the BIG-IP system to log all DNS queries, for the
    Log Queries
     setting, ensure that the
    Enabled
     check box is selected.
  265. If you want the BIG-IP system to log all DNS responses, for the
    Log Responses
     setting, select the
    Enabled
     check box.
  266. If you want the BIG-IP system to include the query ID sent by the client in the log messages, for the
    Include Query ID
     setting, select the
    Enabled
     check box.
  267. For
    Actions
    , select the
    Custom
     check box.
    The settings in the
    Actions
     area become available for configuring.
  268. From the
    Hosts
     list, select and configure one of the following options, as applicable:
    • Match All
    • Match Only
  269. From the
    URI Paths
     list, select and configure one of the following options, as applicable:
    • Match All
    • Match Only
  270. From the
    Headers
     list, select and configure one of the following options, as applicable:
    • Match All
    • Match Only
  271. From the
    Cookies
     list, select and configure one of the following options, as applicable:
    • Match All
    • Match Only
  272. From the
    Send To
     list, select and configure one of the following options, as applicable:
    • None
    • Pool
    • Redirect to
  273. From the
    Application Acceleration Manager
     list, select
    Accelerate
    .
    Configuring the
    HTTP Class
     profile to accelerate traffic with the Application Acceleration Manager overrides
    Web Acceleration
     profile settings on the virtual server.
  274. In the
    WebAccelerator
     list, select
    Bypass
    .
    Configuring the
    HTTP Class
     profile to bypass the
    Web Application
     application overrides
    Web Acceleration
     profile settings on the virtual server.
  275. From the
    Parent Profile
     list, select one of the following profiles:
    • httpcompression
      .
    • wan-optimized-compression
      .
  276. From the
    HTTP Compression Profile
     list, select one of the following profiles:
    • httpcompression
    • wan-optimized-compression
    • A customized profile
  277. For the
    File Types
     setting, specify whether you want to create a list of allowed or disallowed file types:
    • To create a list of file types that are permitted in requests, select
      Define Allowed
      .
    • To create a list of file types not permitted, select
      Define Disallowed
      .
  278. For the
    File Types
     setting, specify the file types to allow or disallow in a request:
    • Select file types from the
      Available
       list, and move them to the
      Allowed
       or
      Disallowed
       list.
    • Add a new file type: type the name in the
      File Type
       field, click
      Add
       to add it to the
      Available
       list, and move it to the list.
    If the profile is case-sensitive, the file types are case-sensitive. For example,
    jsp
     and
    JSP
    > will be treated as separate file types.
  279. From the
    Web Acceleration Profile
     list, select one of the following profiles:
    • optimized-acceleration
    • optimized-caching
    • webacceleration
    • A customized profile
  280. From the
    Web Acceleration Profile
     list, select one of the following profiles with an enabled application:
    • optimized-acceleration
    • optimized-caching
    • webacceleration
    • A customized profile
  281. From the
    Request Logging
     list, select
    Enabled
    .
  282. In the
    Template
     field, type the request logging parameters for the entries that you want to include in the log file.
  283. From the
    HSL Protocol
     list, select a high-speed logging protocol.
  284. From the
    Pool Name
     list, select the pool that includes the log server as a pool member.
  285. You can also configure the error response settings.
    1. From the
      Respond On Error
       list, select
      Enabled
      .
    2. In the
      Error Response
       field, type the error response strings that you want to include in the log file.
      These strings must be well-formed for the protocol serving the strings.
    3. Select the
      Close On Error
       check box to drop the request and close the connection if logging fails.
  286. You can also configure the logging request errors settings.
    1. From the
      Log Logging Errors
       list, select
      Enabled
      .
    2. In the
      Error Template
       field, type the request logging parameters for the entries that you want to include in the log file.
    3. From the
      HSL Error Protocol
       list, select a high-speed logging error protocol.
    4. From the
      Error Pool Name
       list, select a pool that includes the node for the error logging server as a pool member.
  287. From the
    HSL Pool
     list, select the name of the remote pool of servers to which you want the BIG-IP system to send DNS log entries.
  288. In the Response Settings area, from the
    Response Logging
     list, select
    Enabled
    .
  289. Select the
    Log By Default
     check box.
    The
    Log By Default
     check box is selected by default.
  290. In the
    Template
     field, type the response logging parameters for the entries that you want to include in the log file.
  291. From the
    HSL Protocol
     list, select a high-speed logging protocol.
  292. From the
    Pool Name
     list, select the pool that includes the node log server as a pool member.
  293. Configure the logging request error settings.
    1. From the
      Log Logging Errors
       list, select
      Enabled
      .
    2. In the
      Error Template
       field, type the response logging parameters for the entries that you want to include in the log file.
    3. From the
      HSL Error Protocol
       list, select a high-speed logging error protocol.
    4. From the
      Error Pool Name
       list, select a pool that includes the node for the error log server as a pool member.
  294. For the
    WA Applications
     setting, select an application in the
    Available
     list and click
    Enable
    .
    The application is listed in the
    Enabled
     list.
  295. For the
    WA Applications
     setting, select an application in the
    Enabled
     list and click
    Disable
    .
    The Application Acceleration Manager application is listed in the
    Disabled
     list.
  296. On the Main tab, click
    Local Traffic
    Profiles
    Classification
    .
    The Classification screen opens.
  297. Scroll down to the Enforcement area.
  298. From the
    Allow Truncated Redirect
     list, select
    Enabled
     to forward HTTP traffic with missing trailing carriage returns to the client.
  299. In the
    Maximum Header Size
     field, type a size, in bytes, for the maximum acceptable size of a header.
  300. From the
    Oversize Client Header
     list, select
    Pass Through
     to pass through traffic to the server when the
    Maximum Header Size
     value is exceeded by the client.
  301. From the
    Oversize Server Header
     list, select
    Pass Through
     to pass through traffic to the client when the
    Maximum Header Size
     value is exceeded by the server.
  302. In the
    Maximum Header Count
     field, type a maximum number of headers for the system to support.
  303. From the
    Excess Client Headers
     list, select
    Pass Through
     to pass through traffic to the server when the
    Maximum Header Count
     value is exceeded by the client.
  304. From the
    Excess Server Headers
     list, select
    Pass Through
     to pass through traffic to the client when the
    Maximum Header Count
     is exceeded by the server.
  305. From the
    Pipeline Action
     list, select one of the following settings.
    Allow
    Default. Enables clients to make requests, even when prior requests have not received a response. Destination servers must include support for pipelining.
    Reject
    Rejects the request.
    Pass Through
    Provides identical functionality as the
    Allow
     setting, until a pipelined request is received, whereupon pass-through functionality becomes active. This setting works around clients and servers that break standard HTTP request-response connection handling.
  306. From the
    Unknown Method
     list, select one of the following settings.
    Allow
    Default. Allows the HTTP filter to process an unknown HTTP method.
    Reject
    Rejects HTTP traffic that includes an unknown HTTP method.
    Pass Through
    Passes through HTTP traffic that includes an unknown HTTP method.
  307. Configure the list of known methods in the
    Known Method
     list.
    Add a method to the
    Enabled Methods
     list.
    1. In the
      Add user defined method
       field, type the name of a method.
    2. Click
      Add
      . The method appears in the
      Enabled Methods
       list.
    Delete a method from the
    Enabled Methods
     list.
    1. Select a method in the
      Enabled Methods
       list.
    2. Click
      Delete
      .
    If you delete a known method from the
    Enabled Methods
     list, the BIG-IP system applies the
    Unknown Method
     setting to manage that traffic.
    Deleting a standard method, such as
    HEAD
     or
    CONNECT
    , causes BIG-IP functionality that depends on detecting that method to fail to work correctly.
  308. From the
    Polling Interval
     list, select
    Specify
    , and type the maximum interval in seconds between polling by the s Flow agent of this profile.
  309. From the
    Sampling Rate
     list, select
    Specify
    , and type the ratio of packets observed at the virtual server associated with this profile to the samples you want the BIG-IP system to generate.
    For example, a sampling rate of 2000 specifies that one sample will be randomly generated for every 2000 packets observed.
  310. Select the
    Protocol Security
     check box.
  311. In the HTTP, FTP, and SMTP Security area, from the
    Publisher
     list, select the publisher that the BIG-IP system uses to log HTTP, FTP, and SMTP Security events.
  312. In the HTTP, FTP, and SMTP Security area, from the
    Publisher
     list, select
    local-db-publisher
    .
  313. In the DNS Security area, from the
    Publisher
     list, select the publisher that the BIG-IP system uses to log DNS Security events.
  314. In the DNS Security area, from the
    Publisher
     list, select
    local-db-publisher
    .
  315. Select the
    Log Dropped Requests
     check box, to enable the BIG-IP system to log dropped DNS requests.
  316. Select the
    Log Filtered Dropped Requests
     check box, to enable the BIG-IP system to log DNS requests dropped due to DNS query/header-opcode filtering.
    The system does not log DNS requests that are dropped due to errors in the way the system processes DNS packets.
  317. Select the
    Log Malformed Requests
     check box to enable the BIG-IP system to log malformed DNS requests.
  318. Select the
    Log Rejected Requests
     check box to enable the BIG-IP system to log rejected DNS requests.
  319. Select the
    Log Malicious Requests
     check box to enable the BIG-IP system to log malicious DNS requests.
  320. From the
    Storage Format
     list, select how the BIG-IP system formats the log.
    Option
    Description
    None
    Specifies the default format type in which the BIG-IP system logs messages to a remote Syslog server, for example:
    "management_ip_address","bigip_hostname","context_type","context_name","src_ip","dest_ip","src_port","dest_port","vlan","protocol","route_domain","acl_rule_name","action","drop_reason
    Field-List
    Allows you to:
    • Select, from a list, the fields to be included in the log.
    • Specify the order the fields display in the log.
    • Specify the delimiter that separates the content in the log. The default delimiter is the comma character.
    User-Defined
    Allows you to:
    • Select, from a list, the fields to be included in the log.
    • Cut and paste, in a string of text, the order the fields display in the log.
  321. Select the
    Network Firewall
     check box.
  322. In the Network Firewall area, from the
    Publisher
     list, select the publisher the BIG-IP system uses to log Network Firewall events.
  323. In the Network Firewall area, from the
    Publisher
     list, select the IPFIX publisher the BIG-IP system uses to log Network Firewall events.
  324. Select
    Blocked Logging
     to guarantee logging of firewall events when logging traffic load is heavy, even to the detriment of system performance.
  325. Set an
    Aggregate Rate Limit
     to define a rate limit for all combined network firewall log messages per second.
    Beyond this rate limit, log messages are not logged.
    Rate Limits are calculated per-second per TMM. Each TMM throttles as needed independently of other TMMs.
  326. In the Network Firewall area, from the
    Publisher
     list, select
    local-db-publisher
    .
  327. For the
    Log Rule Matches
     setting, select how the BIG-IP system logs packets that match ACL rules. You can select any or all of the options.
    Option
    Enables or disables logging of packets that match ACL rules configured with:
    Accept
    action=Accept
    Drop
    action=Drop
    Reject
    action=Reject
    When an option is selected, you can configure a rate limit for log messages of that type.
  328. Select the
    Log IP Errors
     check box, to enable logging of IP error packets.
    When this setting is enabled, you can configure a rate limit for log messages of this type.
  329. Select the
    Log TCP Errors
     check box, to enable logging of TCP error packets.
    When this is enabled, you can configure a rate limit for log messages of this type.
  330. Select the
    Log TCP Events
     check box, to enable logging of open and close of TCP sessions.
    When this is enabled, you can configure a rate limit for log messages of this type.
  331. In the IP Intelligence area, from the
    Publisher
     list, select the publisher that the BIG-IP system uses to log source IP addresses, which are identified and configured for logging by an IP Intelligence policy.
    The IP Address Intelligence feature must be enabled and licensed.
  332. Set an
    Aggregate Rate Limit
     to define a rate limit for all combined IP Intelligence log messages per second.
    Beyond this rate limit, log messages are not logged.
    Rate Limits are calculated per-second per TMM. Each TMM throttles as needed independently of other TMMs.
  333. In the IP Intelligence area, from the
    Publisher
     list, select
    local-db-publisher
    .
    The IP Address Intelligence feature must be enabled and licensed.
  334. Enable the
    Log Translation Fields
     setting to log both the original IP address and the NAT-translated IP address for Network Firewall log events.
  335. Enable the
    Always Log Region
     setting to log the geographic location when a geolocation event causes a network firewall event.
  336. Enable the
    Log Translation Fields
     setting to log both the original IP address and the NAT-translated IP address for IP Intelligence log events.
  337. Enable the
    Log Geolocation IP Address
     setting to specify that when a geolocation event causes a network firewall action, the associated IP address is logged.
  338. In the Traffic Statistics area, from the
    Publisher
     list, select
    local-db-publisher
    .
  339. In the Traffic Statistics area, from the
    Publisher
     list, select the publisher that the BIG-IP system uses to log traffic statistics.
  340. For the
    Log Timer Events
     setting, enable
    Active Flows
     to log the number of active flows each second.
  341. For the
    Log Timer Events
     setting, enable
    Reaped Flows
    to log the number of reaped flows, or connections that are not established because of system resource usage levels.
  342. For the
    Log Timer Events
     setting, enable
    Missed Flows
     to log the number of packets that were dropped because of a flow table miss. A flow table miss occurs when a TCP non-SYN packet does not match an existing flow.
  343. For the
    Log Timer Events
     setting, enable
    SYN Cookie (White-listed Clients)
     to log the number of SYN cookie clients whitelisted each second.
  344. In the Logging Profile Properties, select the
    DoS Protection
     check box.
    The DoS Protection tab opens.
  345. In the DNS DoS Protection area, from the
    Publisher
     list, select the publisher that the BIG-IP system uses to log DNS DoS events.
    You can specify publishers for other DoS types in the same profile, for example, for SIP or Application DoS Protection.
  346. In the SIP DoS Protection area, from the
    Publisher
     list, select the publisher that the BIG-IP system uses to log SIP DoS events.
    You can specify publishers for other DoS types in the same profile, for example, for DNS or Application DoS Protection.
  347. On the Main tab, click
    Local Traffic
    Profiles
    Services
    ICAP
    .
  348. Click
    Create
    .
  349. On the right side of the screen, select the
    Custom
     check box.
  350. On the right side of the screen, select the
    Custom
     check box.
  351. In the
    Name
     field, type a unique name for the profile.
  352. For the
    Parent Profile
     setting, retain the default value,
    icap
    .
  353. In the
    URI
     field, type a URI in this format:
    icap://hostname:port/path
    .
    For example, using macro expansion, you can set the
    URI
     value to: 
     icap://${SERVER_IP}:${SERVER_PORT}/virusScan
    .
  354. In the
    URI
     field, type a URI in this format:
    icap://hostname:port/path
    .
    For example, using macro expansion, you can set the
    URI
     value to: 
     icap://${SERVER_IP}:${SERVER_PORT}/videoOptimization
  355. In the
    Preview Length
     field, type a length or retain the default value
    0
    .
    This value defines the amount of the HTTP request or response that the BIG-IP system offers to the ICAP server when sending the request or response to the server for adaptation. This value should not exceed the length of the preview that the ICAP server has indicated it will accept.
  356. In the
    Header From
     field, type a value for the
    From:
     ICAP header.
  357. In the
    Host
     field, type a value for the
    Host:
     ICAP header.
  358. In the
    Referer
     field, type a value for the
    Referer:
     ICAP header.
  359. In the
    User Agent
     field, type a value for the
    User-Agent:
     ICAP header.
  360. Click
    Finished
    .
  361. On the Main tab, click
    Local Traffic
    Profiles
    Services
    Request Adapt
    .
  362. Click
    Create
    .
  363. On the right-side of the screen, clear the
    Custom
     check box.
  364. In the
    Name
     field, type a unique name for the profile.
  365. For the
    Parent Profile
     setting, retain the default value,
    requestadapt
    .
  366. For the
    Enabled
     setting, retain the default value,
    Enabled
    .
    When you set this value to
    Enabled
    , the BIG-IP system forwards HTTP requests to the specified internal virtual server for adaptation.
  367. From the
    Internal Virtual Name
     list, select the name of the internal virtual server that you previously created for forwarding HTTP requests to the pool of iCAP servers.
  368. In the
    Preview Size
     field, type a numeric value.
    This specifies the maximum size of the preview buffer. This buffer holds a copy of the HTTP request header and the data sent to the internal virtual server, in case the adaptation server reports that no adaptation is needed. Setting the preview size to
    0
     disables buffering of the request and should only be done if the adaptation server always returns a modified HTTP request or the original HTTP request.
  369. In the
    Timeout
     field, type a numeric value, in seconds.
    If the internal virtual server does not return a result within the specified time, a timeout error occurs. To disable the timeout, use the value
    0
    .
  370. From the
    Service Down Action
     list, select an action for the BIG-IP system to take if the internal virtual server returns an error:
    • Select
      Ignore
       to instruct the BIG-IP system to ignore the error and send the unmodified HTTP request to an HTTP server in the HTTP server pool.
    • Select
      Drop
       to instruct the BIG-IP system to drop the connection.
    • Select
      Reset
       to instruct the BIG-IP system to reset the connection.
  371. On the Main tab, click
    Local Traffic
    Profiles
    Services
    Response Adapt
    .
  372. Click
    Create
    .
  373. On the right-side of the screen, select the
    Custom
     check box.
  374. In the
    Name
     field, type a unique name for the profile.
  375. For the
    Parent Profile
     setting, retain the default value,
    responseadapt
    .
  376. For the
    Enabled
     setting, retain the default value,
    Enabled
    .
    When you set this value to
    Enabled
    , the BIG-IP system forwards HTTP responses to the specified internal virtual server for adaptation.
  377. From the
    Internal Virtual Name
     list, select the name of the internal virtual server that you previously created for forwarding HTTP responses to the pool of iCAP servers.
  378. In the
    Preview Size
     field, type a numeric value.
    This specifies the maximum size of the preview buffer. This buffer holds a copy of the HTTP response header and the data sent to the internal virtual server, in case the adaptation server reports that no adaptation is needed. Setting the preview size to
    0
     disables buffering of the response and should only be done if the adaptation server always returns a modified HTTP response or the original HTTP response.
  379. In the
    Timeout
     field, type a numeric value.
    If the internal virtual server does not return a result within the specified time, a timeout error occurs. To disable the timeout, use the value
    0
    .
  380. From the
    Service Down Action
     list, select an action for the BIG-IP system to take if the internal virtual server returns an error:
    • Select
      Ignore
       to instruct the BIG-IP system to ignore the error and send the unmodified HTTP response to an HTTP server in the HTTP server pool.
    • Select
      Drop
       to instruct the BIG-IP system to drop the connection.
    • Select
      Reset
       to instruct the BIG-IP system to reset the connection.
  381. Set the
    PVA Acceleration
     field to
    Guaranteed
    .
  382. Select the
    Loose Close
     check box only for a one-arm virtual server configuration.
  383. Set the
    TCP Close Timeout
     setting, according to the type of traffic that the virtual server will process.
  384. If you plan to use
    Late Binding
     and either of the
    Loose Initiation
     and
    Loose Close
     check boxes are enabled, clear them both.
    The
    Late Binding
     feature examines the first few packets in the FIX stream, and the
    Loose Initiation
     feature makes it possible to skip those packets without any examination.
  385. The
    Late Binding
     feature makes it possible to choose a server pool based on data in the FIX header. An iRule in the virtual server parses the FIX header and selects the server pool. Select the check box to enable
    Late Binding
    .
    1. You can allow the iRule to explicitly determine when the flow is released from Layer 7 down to Layer 4. The iRule code can then perform additional computation before binding the connection to Layer 4. Enable this by selecting the
      Explicit Flow Migration
       check box. When this feature is enabled, the flow is not released to Layer 4 until the iRule invokes the
      BIGTCP::release_flow
       command.
      By default, this is disabled and the flow drops down to Layer 4 immediately after the connection to the server is established.
    2. Use the
      Client Timeout
       field to determine how much time to allow for any client to send the first 2144 bytes of Layer 7information. In normal cases, this amount of data arrives immediately.
    3. From the
      Timeout Recovery
       list, select an action that the profile should take in case of timeout. Select
      Disconnect
       to drop the connection summarily, or select
      Fallback
       to process the packet without parsing the Layer 7 fields. The fallback option sends any timed-out connection to the Virtual Server's default pool.
  386. For the
    Session Ticket
     setting, select or clear the check box:
    • Selecting the check box causes the BIG-IP system to use session tickets as a way to improve SSL performance.
    • Clearing the check box prevents the BIG-IP system from using session tickets.
  387. In the
    Profile Name
     field, type a name, such as
    my_rewrite_profile
    .
  388. From the
    Rewrite Mode
     list, select
    URI Translation
    .
  389. From the
    Parent Profile
     list, select
    rewrite
    .
  390. On the left pane, click
    Settings
    .
    A list of request and response settings appears on the Settings tab.
  391. In the Settings box, select or clear the appropriate check boxes.
    Using the check boxes, you can rewrite and insert headers into HTTP requests, as well as rewrite headers and content in HTTP responses.
  392. On the left pane, click
    URI Rules
    .
    An empty text box appears for displaying client-server URI mappings that you specify.
  393. In the URI Rules box, click
    Add
    .
    This displays the Create New Rewrite URI box.
  394. From the
    URI Type
     list, select a URI type.
  395. Click
    Update
    .
  396. Click
    Add
    .
  397. Click
    Add
     again.
  398. From the
    Rule Type
     list, select
    Both
    .
  399. In the
    Client URI
     box, type a client path, such as
    /sales/
    .
  400. In the
    Server URI
     box, type a server URI, such as
    http://appserver1.siterequest.com/sales/
    .
    You must include a scheme in the server URI that you specify.
    An example of a scheme is
    http
    .
  401. In the
    Client URI
     field, type a client path, such as
    /marketing/
    .
  402. In the
    Server URI
     field, type a server URI, such as
    http://appserver2.siterequest.com/marketing/
    .
    You must include a scheme in the server URI that you specify.
    An example of a scheme is
    http
    .
  403. Click
    OK
    .
    This displays a mapping of the specified client path to the associated server scheme, host, and path.
  404. In the
    Server URI
     field, type a server URI, such as
    http://appserver2.siterequest.com/sales/
    .
  405. Click
    OK
    .
  406. In the
    Name
     column, locate the Rewrite profile that you created previously and select the adjacent check box.
  407. Click the
    Edit
     button.
  408. On the Settings tab, .
    A list of settings appears.
  409. On the Main tab, click
    Local Traffic
    Profiles
    Content
    HTML
    .
  410. In the
    Profile Name
     field, type a name, such as
    my_html_profile
    .
  411. From the
    Parent Profile
     list, select
    /Common/html
    .
  412. On the left pane, click
    HTML Rules
    .
  413. Click the
    Create New
     button.
  414. Click the
    Create New Profile
     button.
  415. On the
    Create New
     button, click the right arrow.
  416. Select
    Remove Tag
    .
    The Create New Remove Tag Rule box appears.
  417. In the
    Rule Name
     field, type a name, such as
    my_remove_img_tag_rule
    .
  418. Optionally, in the
    Description
     field, type a description of the rule, such as
    Removes the img tag with the src attribute
    .
  419. On the left pane, click
    Content Settings
    .
    This displays the Content Selection Type box.
  420. In the
    Type
     box, specify the type of content you want the HTML rule to act on.
    A typical type of content to specify is
    text/html
    .
  421. On the left pane, click
    Match Settings
    .
  422. In the
    Match Tag Name
     field, type the name of the tag that you want to remove from the HTML content.
    An example of a tag to specify is the HTML
    img
     tag.
  423. In the
    Match Attribute Name
     field, type the name of the attribute associated with the tag that you specified for removal.
    An example of an attribute to specify is the
    src
     attribute for the
    img
     tag.
  424. In the
    Available Rules
     list, locate the HTML rule that you want to enable, and select the adjacent check box.
  425. Using the Move button, move the selected HTML rule to the
    Selected Rules
     list.
  426. If the access policy uses On-Demand certificate authentication, perform these substeps:
    1. From the
      Configuration
       list, select
      Advanced
      .
      Additional settings display.
    2. Select the
      Custom
       check box for
      Configuration
      .
      The settings become available.
    3. In the
      Ciphers
       field, type the name of a NATIVE cipher.
      The list of supported NATIVE ciphers includes these:
      • RC4-MD5
      • RC4-SHA
      • AES128-SHA
      • AES256-SHA
      • DES-CBC3-SHA
      • DES-CBC-SHA
      • EXP1024-RC4-MD5
      • EXP1024-RC4-SHA
      • EXP1024-DES-CBC-SHA
      • EXP-RC4-MD5
      • EXP-DES-CBC-SHA
      • NULL-MD5
      • NULL-SHA
  427. Scroll down to the Client Authentication area.
  428. From the
    SSL Forward Proxy
     list, select
    Enabled
    .
  429. In the SSL Forward Proxy area, select the
    Custom
     check box.
  430. From the
    SSL Forward Proxy Bypass
     list, select
    Enabled
    .
    When assigned to a virtual server, a client SSL profile and a server SSL profile both must specify the same value for this setting. You cannot change this setting in either profile while assigned to a virtual server. To change the
    SSL Forward Proxy Bypass
     setting, you can create new profiles and add them to the virtual server, or detach the profiles from the virtual server, update them, and assign them to the virtual server again.
    Additional settings display.
  431. From the
    Bypass Default Action
     list, select
    Intercept
     or
    Bypass
    .
    The default action applies to addresses and hostnames that do not match any entry specified in the lists that you specify. The system matches traffic first against destination IP address lists, then source IP address lists, and lastly, hostname lists. Within these, the default action also specifies whether to search the intercept list or the bypass list first.
    If you select
    Bypass
     and do not specify any additional settings, you introduce a security risk to your system.
  432. If you want to cache certificates by IP address and port number, select the
    Cache Certificate by Addr-Port
     check box.
  433. From the
    Report Log Publisher
     list, select the publisher for error messages and status reports.
  434. From the
    Message Log Publisher
     list, select the publisher for message logging.
  435. In the
    Rate Sample Interval
     field, type the sample interval, in seconds, for the message rate.
  436. From the
    Error Action
     list, select one of the following settings.
    • Don't Forward
       (default) to drop a message with errors and not forward it.
    • Drop Connection
       to disconnect the connection.
  437. Select the
    Quick Parsing
     check box to parse the basic standard fields, and validate the message length and checksum.
  438. Select the
    Response Parsing
     check box to parse the messages from the FIX server, applying the same parser configuration and error handling for the server as for the client.
  439. Select the
    Fully Parse Logon Message
     check box to fully parse the logon message, instead of using quick parsing.
  440. From the
    Sender and Tag Substitution Data Group Mapping
     list, select one of the following settings.
    Setting
    Description
    Not Configured
     (default)
    Disables the tag substitution map between sender ID and tag substitution data group.
    Specify
    Provides the
    Mapping List
     settings for you to configure as required.
    1. In the
      Sender
       field, type a sender ID that represents the identity of the firm sending the message.
      Example:
      client1
    2. In the
      Data Group
       field, type a tag substitution data group.
      Example:
      FIX_tag_map
    3. Click
      Add
      .
  441. Configure the
    Mapping List
     settings, as required.
    1. In the
      Sender
       field, type a sender ID that represents the identity of the firm sending the message.
    2. In the
      Data Group
       field, type a tag substitution data group.
    3. Click
      Add
      .
  442. In the
    Ingress Maximum
     field, type the maximum number of messages that can be held in the GTP ingress queue.
  443. From the
    STARTTLS Activation Mode
     list, select
    Require
    .
  444. From the
    STARTTLS Activation Mode
     list, select a value:
    Value
    Description
    Allow
    This value activates STARTTLS encryption for any client-side traffic that allows, but does not require, STARTTLS encryption.
    Require
    This value activates STARTTLS encryption for any client-side traffic that requires STARTTLS encryption. All messages sent to the BIG-IP system prior to STARTTLS activation are rejected with a message stating that a stronger authentication mechanism is required.
    None
    This value refrains from activating STARTTLS encryption for client-side traffic. Note if you select this value, that you optionally can create an iRule that identifies client-side traffic that requires STARTTLS encryption and then dynamically activates STARTTLS for that particular traffic.
  445. From the
    STARTTLS Activation Mode
     list, select a value:
    Value
    Description
    Allow
    This value activates STARTTLS encryption for server-side traffic that allows, but does not require, STARTTLS encryption. In this case, the BIG-IP system only activates STARTTLS for server-side traffic when the BIG-IP system has activated STARTTLS on the client side and the client has acknowledged the activation.
    Require
    This value activates STARTTLS encryption for any server-side traffic that requires STARTTLS encryption. In this case, the BIG-IP system activates STARTTLS when a successful connection is made.
    None
    This value refrains from activating STARTTLS encryption for server-side traffic. Note that if you select this value, you can optionally create an iRule that identifies server-side traffic that requires STARTTLS encryption and then dynamically activates STARTTLS for that particular traffic.
  446. Using the
    Certificate Key Chain
     setting, specify both an ECDSA and an RSA certificate key chain:
    1. From the
      Certificate
       list, select the name of a certificate with a key of type ECDSA.
    2. From the
      Key
       list, select the name of an ECDSA key.
    3. From the
      Chain
       list, select the chain that you want to include in the certificate key chain.
    4. Click
      Add
      .
    5. Repeat this process and specify an RSA certificate key chain.
  447. For the
    Certificate Key Chain
     setting, click
    Add
    .
    1. From the
      Certificate
       list, select a certificate name.
      This is the name of a certificate that you installed on the BIG-IP system. If you have not generated a certificate request nor installed a certificate on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing certificate named
      default
      .
      If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    2. From the
      Key
       list, select the name of the key associated with the certificate specified in the previous step.
      This is the name of a key that you installed on the BIG-IP system. If you have not installed a key on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing key named
      default
      .
      If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    3. From the
      Chain
       list, select the chain that you want to include in the certificate key chain.
      A certificate chain can contain either a series of public key certificates in Privacy Enhanced Mail (PEM) format or a series of one or more PEM files. A certificate chain can contain certificates for Intermediate certificate Authorities (CAs).
      The default self-signed certificate and the default CA bundle certificate are not appropriate for use as a certificate chain.
    4. For the
      Passphrase
       field, type a string that enables access to SSL certificate/key pairs that are stored on the BIG-IP system with password protection.
      This setting is optional. For added security, the BIG-IP system automatically encrypts the pass phrase itself. This pass phrase encryption process is invisible to BIG-IP system administrative users.
    5. Click
      Add
      .
  448. For the
    Certificate Key Chain
     setting, click
    Add
    .
    1. From the
      Certificate
       list, select the name of a certificate with a key of type ECDSA.
      This is the name of a certificate that you installed on the BIG-IP system. If you have not generated a certificate request nor installed a certificate on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing certificate named
      default
      .
      If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    2. From the
      Key
       list, select the name of an ECDSA key.
      This is the name of a key that you installed on the BIG-IP system. If you have not installed a key on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing key named
      default
      .
      If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    3. From the
      Chain
       list, select the chain that you want to include in the certificate key chain.
      A certificate chain can contain either a series of public key certificates in Privacy Enhanced Mail (PEM) format or a series of one or more PEM files. A certificate chain can contain certificates for Intermediate certificate Authorities (CAs).
      The default self-signed certificate and the default CA bundle certificate are not appropriate for use as a certificate chain.
    4. For the
      Passphrase
       field, type a string that enables access to SSL certificate/key pairs that are stored on the BIG-IP system with password protection.
      This setting is optional. For added security, the BIG-IP system automatically encrypts the pass phrase itself. This pass phrase encryption process is invisible to BIG-IP system administrative users.
    5. Click
      Add
      .
  449. Click
    Add
     and repeat the process for all certificate key chains that you want to specify. At a minimum, you must specify an RSA certificate key chain.
    Sample configuration with three key types specified
    Sample configuration with three key types specified
    The result is that all specified key chains appear in the text box.
  450. For the
    OCSP Stapling
     setting, select the check box.
    This setting is optional. To enable OCSP stapling, you must first create an OCSP Stapling profile.
  451. Using the
    Certificate Key Chain
     setting, specify a certificate key chain:
    1. From the
      Certificate
       list, select a certificate name.
      This is the name of an RSA certificate that you installed on the BIG-IP system. If you have not generated a certificate request nor installed a certificate on the BIG-IP system, you can specify the name of an existing certificate,
      default
      .
    2. From the
      Key
       list, select a key name.
      This is the name of an RSA key that you installed on the BIG-IP system. If you have not installed a key on the BIG-IP system, you can specify the name of an existing key,
      default
      .
    3. From the
      Chain
       list, select the chain that you want to include in the certificate key chain.
      A certificate chain can contain either a series of public key certificates in Privacy Enhanced Mail (PEM) format or a series of one or more PEM files. A certificate chain can contain certificates for Intermediate certificate Authorities (CAs).
      The default self-signed certificate and the default CA bundle certificate are not appropriate for use as a certificate chain.
    4. For the
      Passphrase
       field, type a string that enables access to the SSL certificate/key pair.
      This setting is optional. For added security, the BIG-IP system automatically encrypts the pass phrase itself. This pass phrase encryption process is invisible to BIG-IP system administrative users.
    5. Click
      Add
      .
      The result is that the specified key chain appears in the text box.
  452. From the
    Configuration
     list, select
    Advanced
    .
  453. For the
    Ciphers
     setting, click
    Cipher Group
    , and from the list, choose a cipher group.
  454. For the
    Ciphers
     setting, specify a cipher group or cipher string by choosing one of these options.
    If you specified an ECDSA certificate key chain in the
    Certificate Key Chain
     setting, you must include the cipher string
    ECDHE_ECDSA
     in the cipher group or cipher string that you specify in the
    Ciphers
     setting. (At a minimum, you should specify a cipher group or string such as
    DEFAULT:ECDHE_ECDSA
    .) This is necessary to ensure successful cipher negotiation when the BIG-IP system is offered an ECDSA-based certificate only.
    Option
    Description
    Cipher Group
    Select an existing cipher group from the list when you want to use a system-defined or custom cipher group to define the ciphers that the BIG-IP system uses for negotiating SSL connections. Here's an example of the
    Ciphers
     setting where we've selected a custom cipher group that we created earlier.
    Cipher String
    Type a cipher string in the box if you want to manually specify a cipher string instead of selecting a cipher group. For security and performance reasons, consider following these recommendations:
    • Always append ciphers to the
      DEFAULT
       cipher string.
    • Type a cipher string that includes the ECC key type, because its shorter length speeds up encryption and decryption while still offering virtually the same level of security.
    • Disable ADH ciphers but also include the keyword
      HIGH
      . To do this, just include both
      !ADH
       and
      :HIGH
       in your cipher string.
    • For AES, DES, and RC4 encryption types, make sure you specify the DHE key exchange method. DHE uses
      Forward Privacy
      , which creates a key that it throws away after each session so that the same session key never gets used twice. When you use DHE, make sure that the SSL private key isn't being shared with a monitoring system or a security device like an intrusion detection or prevention system. Also, diagnostic tools like
      ssldump
       won't work when you're using Forward Secrecy.
    • Disable EXPORT ciphers by including
      !EXPORT
       in the cipher string.
    • If you can live with removing support for the SSLv3 protocol version, do it. This protocol version is not secure. Simply include
      :!SSLv3
       in any cipher string you type.
    Here's an example of the
    Ciphers
     setting where we have opted to manually type the cipher string
    DEFAULT:ECDHE-RSA-AES-128-GCM-SHA256:!ADH:!EXPORT:HIGH
    :
  455. For the
    Ciphers
     setting, click
    Cipher Group
     and from the list, select a custom cipher group.
    This shows a custom cipher group selected for the
    Ciphers
     setting:
  456. For the
    Ciphers
     setting, click
    Cipher Group
     and from the list, select a cipher group.
  457. To specify DHE ciphers:
    1. From the
      Configuration
       list, select
      Advanced
      .
    2. For the
      Ciphers
       setting, click
      Cipher String
       and type
      DHE:DHE_DSS
      .
  458. To specify ECDHE ciphers:
    1. From the
      Configuration
       list, select
      Advanced
      .
    2. In the
      Ciphers
       field, type
      ECDHE
      .
  459. Configure all profile settings as needed.
  460. Click
    Finished
    .
  461. From the
    Persistence Type
     list, select
    SSL
    .
  462. Configure settings as needed.
  463. From the
    General Properties
     list, select
    Advanced
    .
  464. In the
    Name
     field, type a unique name for the OCSP stapling profile.
  465. In the
    Proxy Server Pool/DNS Resolver
     field, select the proxy server pool/DNS resolver used for fetching the OCSP response.
  466. For the
    Use Proxy Server
     check box, select one of the following options:
    Option
    Description
    Select
    If you want the BIG-IP system to use the
    Proxy Server Pool
    . Use when there are one or more servers that can proxy an HTTP request to an external server and fetch the response.
    Clear (default)
    If you want to use the
    DNS Resolver
    . Use when the OCSP responder can be reached on one of the BIG-IP interfaces.
  467. In the
    Trusted Certificate Authorities
     field, select the name of the file containing a trusted Certificate Authority (CA) certificate used to sign the responder's certificate.
  468. In the
    Trusted Responders
     field, select the name of a certificate to use to verify the response from the OCSP responder.
  469. In the
    Responder URL
     field, type the name of a URL that will override the OCSP responder URL obtained from the certificate's AIA extension. This must be an HTTP or HTTPS-based URL.
  470. In the
    Signer Certificate
     field, select a certificate corresponding to the key used for signing the OCSP request.
  471. In the
    Signer Key
     field, select a key to use to sign an OCSP request.
  472. In the
    Signer Key Passphrase
     field, type the passphrase of the key used to sign an OCSP request.
  473. In the
    Sign Hash
     field, select the hash algorithm used to sign an OCSP request. The default is
    SHA256
    .
    This is not the algorithm used in the certificate itself. It is what the OCSP responder will use when validating the request.
  474. In the
    Timeout
     field, type a time interval for the BIG-IP system to wait before dropping the connection to the OCSP responder.
  475. In the
    Clock Skew
     field, type a value for the maximum tolerable absolute difference between the clocks of the responder and the BIG-IP system.
  476. In the
    Status Age
     field, type a value for the maximum allowed lag time in the OCSP response that the BIG-IP system accepts. If you type
    0
    , the validation is skipped. The default value is
    86400
    .
  477. In the
    Cache Timeout
     field, select a value that specifies the lifetime of the OCSP response. The default is
    Indefinite
    , indicating that the response validity period takes precedence.
  478. In the
    Cache Error Timeout
     field, type a value for how long a BIG-IP system will cache an error response.
  479. In the
    Options
     field, if necessary, select the
    Strict Responder Certificate Checking
     check box for the system to check the responder's certificate for the OCSP signing extension.
  480. Click
    Create
    .
    The New SIP Profile screen opens.
  481. Select the
    SIP Firewall
     check box.
    When enabled, the SIP Security settings configured in the protection profile apply to the protected object that use this profile.
  482. If you want to enable optional subscriber ID logging:
    1. Select the
      Network Address Translation
       check box.
    2. Then in the Network Address Translation area, select the
      Log Subscriber ID
       check box.
    3. Click
      Network Firewall
      .
  483. In the Logging Profile Properties area, select the
    Network Firewall
     check box.
  484. Select the
    Network Firewall
     check box.
  485. On the Main tab, click
    Local Traffic
    Profiles
    Message Routing
    MQTT
    .
    The MQTT list screen opens.
  486. Click
    Create
    .
    The New MQTT Session profile screen opens.
  487. In the
    Name
     field, type a unique name for the MQTT session profile.
  488. From the
    Parent Profile
    list, select a profile from which the new profile inherits properties.
  489. From the
    Parent Profile
    ,
    Client ID Prefix
    , and
    Keepalive Interval
     lists, retain the default settings.
  490. For the
    Keepalive Interval
     setting, retain the default, or type a value for the
    MQTT CONNECT
     message on the server-side connection.
    The default is
    60
     seconds.
  491. Click
    Transport Config
    .
    The Transport Config list screen opens.
  492. Click
    Peers
    .
    The Peers list screen opens.
  493. Click
    Static Routes
    .
    The Static Routes list screen opens.
  494. On the menu bar, click
    Router Profiles
    .
    The Router Profiles list screen opens.
  495. Click
    Create
    .
    The New Transport Config screen opens.
  496. Click
    Create
    .
    The New Peer screen opens.
  497. Click
    Create
    .
    The New Route screen opens.
  498. Click
    Create
    .
    The New MQTT Router Profile screen opens.
  499. In the
    Name
     field, type a unique name for the Transport Config profile.
  500. In the
    Name
     field, type a unique name for the Peer profile.
  501. In the
    Name
     field, type a unique name for the Route profile.
  502. In the
    Name
     field, type a unique name for the Router profile.
  503. For the
    Profiles
     setting, select the profile(s) you want from the
    Available
     list, and move it to the
    Selected
     field.
  504. In the Settings area, for the
    Client ID Prefix
     field, type a prefix to add to the
    client-id
     for the server-side connection.
  505. For the
    iRules
     setting, select the name of the server-side iRule from the
    Available
     list, and move it to the
    Selected
     list.
  506. If you want to use peered client-side and server-side connections, select the
    Peered Session Mode
     check box.
    The default is not to use peered connection (the checkbox is cleared); the BIG-IP system uses the MQTT message routing.
  507. In the
    Proxy Topic Prefix
     field, type a prefix to add to the MQTT topics sent on the server-side connection.
  508. From the
    Client Will Handling Mode
     list:
    • To disable forwarding of the client will message, select
      Ignore
      .
    • To control the
      will
       action for the ungraceful shutdown of the client-side connection, retain the default.
    The default is
    Send-Local-Copy
    .
  509. From the
    Server Will Handling Mode
     list:
    • To exclude the server side connection, select
      Ignore
      .
    • To control the
      will
       action for the ungraceful shutdown of the server-side connection, retain the default.
    The default is
    Copy-From-Client
    .
  510. Retain the default settings for the remaining settings in the Configuration area.
  511. From the
    Pool
     list, select the name of the pool you created previously.
  512. From the
    Transport Config
     list, select the name of the Transport Config you created previously.
  513. From the
    Virtual Server
     list, select the name of the virtual server you created previously.
  514. From the
    Peer
     list, select the name of a peer you created previously.
  515. From the
    Static Route
     list, select the name of a static route you created previously.
  516. Click
    Finished
    .
    The screen refreshes, and you see the new Transport Config profile in the Transport Config list.
  517. Click
    Finished
    .
    The screen refreshes, and you see the new MQTT session profile in the MQTT list.
  518. Click
    Finished
    .
    The screen refreshes, and you see the new Peer profile in the Peers list.
  519. Click
    Finished
    .
    The screen refreshes, and you see the new Route profile in the Static Routes list.
  520. Click
    Finished
    .
    The screen refreshes, and you see the new Route profile in the Static Routes list.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information