Manual Chapter: Common elements for policy enforcement

Applies To: BIG-IP ASM 15.0.0, 14.1.0

Common elements for policy enforcement

  1. On the Main tab, click Security > Application Security > Security Policies.
    The Policies List screen opens.
  2. Click the name of the security policy you want to work on.
    The Policy Summary opens.
  3. From the list, select Advanced.
  4. On the Main tab, click Security > Application Security > Policy > Policy Properties.
    The Policy Properties screen for the currently edited policy opens.
  5. On the Main tab, click Policy Enforcement > Data Plane Listeners.
    The Data Plane Listeners screen opens.
  6. On the Main tab, click Subscriber Management > Control Plane Listeners.
    The Control Plane Listeners page opens.
  7. On the Main tab, click Subscriber Management > Profiles > DHCPv6.
    The DHCPv6 page opens.
  8. On the Main tab, click Subscriber Management > Profiles > RADIUS AAA.
    The Listeners screen opens.
  9. On the Main tab, click Subscriber Management > Control Plane Listeners.
    The Control Plane Listeners screen opens.
  10. On the Main tab, click Traffic Intelligence > Applications > Application List.
    The Applications screen displays a list of the supported classification categories.
  11. On the Main tab, click Traffic Intelligence > Presets.
    The Presets screen displays a list of the supported classification categories.
  12. On the Main tab, click Traffic Intelligence > Categories > Category List.
  13. Click Create.
    The New URL Category screen opens.
  14. On the Main tab, click Traffic Intelligence > Categories > Feed Lists.
    The URL DB feed list screen opens.
  15. Click Create.
    The New Feed List screen opens.
  16. On the Main tab, click Traffic Intelligence > Policies.
    The Policy list opens.
  17. Click Create.
    The New Policy screen opens.
  18. In the Name field, type a unique name for the URL feed list.
  19. In the State field, select Enabled from the drop-down list to enable the feed.
  20. In the Name field, type a unique name for the URL category policy.
  21. In the Description field, type optional descriptive text for the URL feed list.
  22. In the Description field, type optional descriptive text for the URL category policy.
  23. In the Feed List area, select the feed list that you created to attach to the policy.
  24. In the Category ID field, select a category name from the drop-down list.
  25. In the Poll Interval field, type the time interval in hours at which the URL needs to be polled.
  26. In the URL DB Location area, select the appropriate option for the URL DB location.
    • File
      Click the Browse button, and select the customdb file. The customdb file should be present on your machine and not on the BIG-IP system. The customdb file is a CSV file of the format: URL/IPv4 [,cat1] [,cat2]...
      A non-IP URL should have an IANA-registered top level domain. For example, sample lines of a customdb entry are:
        weather.gov, 28678
        pconline.com.cn, 28679
        kannadaprabha.com, 28680
        yandex.ru, 28677, 28676, 28681
        pitt.edu,28682
      Entries in feed lists must consist of all lowercase characters. Also, any entry of the form www.tld or www.domain.com will not match.
    • FTP
      Type the FTP location and the User and Password.
    • HTTP
      Type the HTTP location and the User and Password.
    • HTTPS
      Type the HTTPS location and the User and Password.
  27. Click Finished.
    The Policy Enforcement Manager creates a URL feed list.
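The customdb format and the matching rules from step 26 (one entry per line, "URL/IPv4 [,cat1] [,cat2]...", lowercase only, IANA top level domain, www. entries never match) can be checked before a feed file is uploaded. The validator below is an added example, not F5 code; the KNOWN_TLDS set and the SAMPLE_FEED lines are constructed stand-ins, and a real check would load the current IANA root zone list.

```python
"""Validator for a PEM customdb feed-list file (added example, not F5 code)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed stand-in for the IANA-registered TLD list (assumption).
KNOWN_TLDS = {"gov", "cn", "com", "ru", "edu", "net", "org"}

# One DNS label: lowercase letters, digits and inner hyphens only.
HOST_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


@dataclass
class FeedEntry:
    key: str            # hostname or IPv4 address
    categories: list    # category IDs as integers
    line_no: int


@dataclass
class FeedReport:
    entries: dict = field(default_factory=dict)   # key -> FeedEntry
    errors: list = field(default_factory=list)    # (line_no, message): line rejected
    warnings: list = field(default_factory=list)  # (line_no, message): line kept


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def _check_hostname(host):
    """Return None if the hostname is acceptable, else the reason it is not."""
    if host != host.lower():
        return "entry must be all lowercase"
    labels = host.split(".")
    if len(labels) < 2 or not all(HOST_LABEL.match(label) for label in labels):
        return "not a valid hostname"
    if labels[-1] not in KNOWN_TLDS:
        return "top level domain is not IANA-registered"
    return None


def parse_customdb(text):
    """Parse customdb CSV text into a FeedReport, rejecting malformed lines."""
    report = FeedReport()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        key, cats = fields[0], fields[1:]
        if not _is_ipv4(key):
            reason = _check_hostname(key)
            if reason:
                report.errors.append((line_no, f"{key}: {reason}"))
                continue
            # The manual notes that www.tld / www.domain.com entries never match.
            if key.startswith("www."):
                report.warnings.append((line_no, f"{key}: www. entries do not match"))
        try:
            cat_ids = [int(c) for c in cats]
        except ValueError:
            report.errors.append((line_no, f"{key}: category ids must be integers"))
            continue
        if key in report.entries:
            report.warnings.append((line_no, f"{key}: duplicate entry"))
        report.entries[key] = FeedEntry(key, cat_ids, line_no)
    return report


# Constructed sample: the five lines from the manual plus four edge cases.
SAMPLE_FEED = """weather.gov, 28678
pconline.com.cn, 28679
kannadaprabha.com, 28680
yandex.ru, 28677, 28676, 28681
pitt.edu,28682
www.example.com, 28690
Example.ORG, 28691
10.1.2.3, 28692
foo.invalidtld, 28693
"""

if __name__ == "__main__":
    result = parse_customdb(SAMPLE_FEED)
    for key, entry in result.entries.items():
        print(f"line {entry.line_no}: {key} -> {entry.categories}")
    for line_no, msg in result.errors:
        print(f"ERROR   line {line_no}: {msg}")
    for line_no, msg in result.warnings:
        print(f"WARNING line {line_no}: {msg}")
```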
  28. To view the applications in each category, click the + icon next to the category.
  29. Click Update to save any changes.
  30. From the Subscriber Discovery Virtuals area, select the protocol used to configure the virtual server (RADIUS, DHCPv4, or DHCPv6).
  31. From the Subscriber Discovery Virtuals area, select RADIUS, and click Add.
    The New RADIUS Discovery Virtual screen opens.
  32. From the AAA Virtuals area, click Add.
    The New RADIUS AAA Virtual screen opens.
  33. From the Mode list, select RADIUS from the profiles list, and click Add.
    The New RADIUS Discovery Virtual screen opens.
  34. Select DHCPv4 from the profiles list, and click Add.
    The New DHCPv4 Discovery Virtual screen opens.
  35. Select DHCPv6 from the profiles list, and click Add.
    The New DHCPv6 Discovery Virtual screen opens.
  36. Click Add.
    The New Virtual Group screen opens.
  37. Click Upload.
  38. In the Name field, type a unique name for the listener.
  39. In the Name field, type a unique name for the RADIUS discovery virtual.
  40. In the Name field, type a unique name for the RADIUS AAA virtual.
  41. From the Mode list, select Authentication or Accounting to specify the type of RADIUS virtual you are creating.
  42. For the Secret setting, select the Custom check box to enable this option. Type the shared secret of the RADIUS server used for authentication or accounting.
  43. For the Password setting, select the Custom check box to enable this option. Type the password of the RADIUS AAA profile for RADIUS server authentication.
  44. In the Name Prefix field, type a unique name for the listener.
  45. In the Description field, type a description of the listener.
  46. In the Destination Address field, type the IP address of the virtual server. For example, 10.0.0.1 or 10.0.0.0/24.
    When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    You can use a catch-all virtual server (0.0.0.0) to specify all traffic that is delivered to the BIG-IP system. Configure the source and destination settings in forwarding mode only. In relay mode, the client does not yet have an IP address; the DHCP server provides the client with one.
    The system will create a virtual server using the address or network you specify.
  47. In the Destination Address field, type the IP address of the virtual server. For example, ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64.
    For a DHCPv6 discovery virtual, the source and destination should be any (::/0).
    The system will create a virtual server using the address or network you specify.
  48. For the Service Port setting, type or select the service port for the virtual server.
  49. For the Source setting, type the IP address or network from which the virtual server will accept traffic.
  50. From the VLAN and Tunnel Traffic list, select Enabled on. Then, for the VLANs and Tunnels setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the Available list to the Selected list.
  51. For the DHCP Mode setting, select Relay or Forward to specify the mode in which the DHCP client requests are sent.
  52. For the Pool Member Configuration setting, add the DHCP virtual servers that are to be members of the pool. Type the Member IP Address and Port number, then click Add.
  53. For the Pool Member Configuration setting, add the RADIUS discovery virtual servers that are to be members of the pool. Type the Member IP Address and Port number, then click Add.
  54. For the Pool Member Configuration setting, add the RADIUS AAA virtual servers that are to be members of the pool. Type the Member IP Address and Port number, then click Add.
    You can use port 1812 for RADIUS authentication and port 1813 for RADIUS accounting.
  55. For the Pool Member Configuration setting, add the RADIUS AAA virtual servers that are to be members of the pool. Type the Member IP Address and Port number, then click Add.
  56. From the Subscriber Discovery list, select Enabled. Then, for the Subscriber ID Format setting, select the format you want to implement.
    • MAC Address
      Uses the subscriber's MAC address as the subscriber ID.
    • Relay Agent Option: Suboption ID 1
      Uses the relay agent first option suboption ID.
    • Relay Agent Option: Suboption ID 1 + <Separator> + Suboption ID 2
      Uses the relay agent first and second suboption IDs.
    • MAC Address + <Separator> + Relay Agent Option: Suboption ID 1
      Uses the MAC address and the relay agent first suboption ID.
    • MAC Address + <Separator> + Relay Agent Option: Suboption ID 1 <Separator> + Suboption ID 2
      Uses the relay agent first option suboption ID.
    • TCL Expression
      Uses the TCL expression to format the subscriber ID.
  57. From the Authentication Settings list, select Enabled. Then, select the virtual server name from the Authentication Virtual list. Select the User Name Format you want to implement.
    The User Name Format has the same options as the Subscriber ID Format in the Subscriber Discovery setting.
  58. From the Subscriber Discovery list, select Enabled. Then, for the Subscriber ID Format setting, select the format you want to implement.
    • MAC Address
      Uses the subscriber's MAC address as the subscriber ID.
    • MAC Address + <Separator> + Option 37
      Uses the MAC address and the remote ID relay agent option.
    • MAC Address + <Separator> + Option 37 <Separator> + Option 38
      Uses the MAC address, the remote ID relay agent option, and the subscriber ID option.
    • MAC Address + <Separator> + Option 38
      Uses the MAC address and the subscriber ID option.
    • Option 37
      Uses the remote ID relay agent option.
    • Option 37 <Separator> + Option 38
      Uses the remote ID relay agent option and the subscriber ID option.
    • Option 38
      Uses the subscriber ID option.
    • TCL Expression
      Uses the TCL expression to format the subscriber ID.
  59. From the Authentication Settings list, select Enabled. Then, select the virtual server name from the Authentication Virtual list. Select the User Name Format you want to implement.
    The User Name Format has the same options as the Subscriber ID Format in the Subscriber Discovery setting.
  60. From the Protocol list, select the protocol of the traffic for which to deploy enforcement policies (TCP, UDP, or TCP and UDP).
    The system will create a virtual server for each protocol specified.
  61. To use network address translation, from the Source Address Translation list, select Auto Map.
    The system treats all of the self IP addresses as translation addresses.
  62. For the VLANs and Tunnels setting, move the VLANs and tunnels that you want to monitor from the Available list to the Selected list.
  63. For the Policy setting, move the classification policies from the Available list to the Selected list, to create a new preset.
  64. Click Data Plane.
    The Data Plane screen opens.
  65. Click Add Group.
    The New Virtual Group screen opens.
  66. Subscriber provisioning using RADIUS is enabled by default. If your system is using RADIUS for snooping subscriber identity, you need to specify VLANs and tunnels. If you are not using RADIUS, you need to disable it.
    • For the VLANs and Tunnels setting, move the VLANs and tunnels that you want to monitor for RADIUS traffic from the Available list to the Selected list.
    • If you do not want to use RADIUS, from the Subscriber Identity Collection list, select Disabled.
  67. For subscriber provisioning using RADIUS, ensure that Subscriber Identity Collection is set to RADIUS.
  68. For the VLANs and Tunnels setting, move the VLANs and tunnels that you want to monitor for RADIUS traffic from the Available list to the Selected list.
  69. In the Policy Provisioning area, select enforcement policies to apply to the traffic.
    1. For Global Policy, move policies to apply to all subscribers to High Precedence or Low Precedence.
      For URL categorization to take effect, you need to associate the enforcement policy with a classification profile.
    2. For Unknown Subscriber Policy, move policies to use if the subscriber is unknown to Selected.
    The system applies the global policy to all subscribers in parallel with the subscriber policies, and must be configured with an unknown subscriber policy. High-precedence global policies override conflicting subscriber policies, and low-precedence global policies are overridden by conflicting subscriber policies.
  70. To connect to a PCRF, from the Diameter Endpoint list, select Enabled and select Gx or Sd from the Supported Apps options.
  71. To connect to a PCRF, from the Diameter Endpoint Provisioning list, select Gy from the Supported Apps options.
  72. In the Product Name field, type the product name which is used to communicate with the PCRF.
  73. In the Product Name field, type the product name which is used to communicate with the OCS.
  74. In the Policy Provisioning and Online Charging Virtuals area, click Add.
    The New Configure Diameter Endpoint Provisioning and Online Charging screen opens.
  75. In the Origin Host field, type the fully qualified domain name of the PCRF or external policy server, for example, ocs.xnet.com.
  76. In the Origin Host field, type the fully qualified domain name of the OCS, for example, ocs.xnet.com.
  77. In the Origin Realm field, type the realm name or network in which the PCRF resides, for example, xnet.com.
  78. In the Origin Realm field, type the realm name or network in which the OCS resides, for example, xnet.com.
  79. In the Destination Host field, type the destination host name of the OCS, for example, ocsdest.net.com.
  80. In the Destination Host field, type the destination host name of the PCRF or external policy server, for example, pcrfdest.net.com.
  81. In the Destination Realm field, type the realm name or network of the PCRF, for example, net.com.
  82. In the Destination Realm field, type the realm name or network of the OCS, for example, net.com.
  83. For the Pool Member Configuration setting, add the PCRF servers that are to be members of the Gx endpoint pool. Type the Member IP Address and Port number, then click Add.
  84. For the Pool Member Configuration setting, add the OCS servers that are to be members of the Gy endpoint pool. Type the Member IP Address and Port number, then click Add.
  85. In the Message Retransmit Delay field, type the number of milliseconds to wait before retransmitting unanswered messages in case of failure from the BIG-IP system to the PCRF over the Gx interface. The default value is 1500.
  86. In the Message Retransmit Delay field, type the number of milliseconds to wait before retransmitting unanswered messages in case of failure from the BIG-IP system to the OCS over the Gy interface. The default value is 1500.
  87. In the Message Max Retransmit field, type the maximum number of times that messages can be retransmitted from the BIG-IP system to the PCRF. The default value is 2.
  88. In the Message Max Retransmit field, type the maximum number of times that messages can be retransmitted from the BIG-IP system to the OCS. The default value is 2.
  89. In the Fatal Grace Time field, type the time period in seconds that a Diameter connection can remain disconnected before the system terminates all sessions associated with that Diameter endpoint. The default value is 500.
  90. Click Finished.
    The Policy Enforcement Manager creates a listener.
  91. Click Finished.
    The Policy Enforcement Manager creates a RADIUS virtual server, and displays it in the subscriber discovery list.
  92. Click Finished.
    The Policy Enforcement Manager creates a RADIUS AAA virtual server, and displays it in the authentication virtuals list.
  93. On the Main tab, click Policy Enforcement > Forwarding > Endpoints.
    The Endpoints screen opens.
  94. On the Main tab, click Policy Enforcement > Forwarding > Service Chains.
    The Service Chains screen opens.
  95. On the Main tab, click Policy Enforcement > Policies.
    The Policies screen opens.
  96. Click the name of the enforcement policy you want to add rules to.
    The properties screen for the policy opens.
  97. In the Policy Rules area, click Add.
    The New Rule screen opens.
  98. In the Name field, type a name for the rule.
  99. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. A conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions do not conflict, and so are applied in parallel.
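The precedence semantics described in step 99 (all matching rules run concurrently, a lower precedence number wins only where two matching rules set the same action to different values, and non-conflicting actions from overlapping rules are applied in parallel) are modelled below. This is an added example, not F5 code; the flow tags, rule names and the gate_status/dscp action names are constructed assumptions used to illustrate the search-engine case from the text.

```python
"""Model of PEM enforcement-rule precedence (added example, not F5 code).

Assumptions: a flow is described by a set of classification tags; a rule
matches when all of its criteria tags are present in the flow; matching
rules are processed from the lowest precedence number (highest precedence)
upward, and the first value set for an action wins.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    precedence: int        # 1 is the highest precedence
    criteria: frozenset    # classification tags that must all be present
    actions: dict          # action name -> value (e.g. "gate_status": "disabled")


def matching_rules(rules, flow_tags):
    """Rules whose criteria overlap the flow, ordered by precedence (1 first)."""
    return sorted((r for r in rules if r.criteria <= flow_tags),
                  key=lambda r: r.precedence)


def evaluate(rules, flow_tags):
    """Return (effective, conflicts) for one flow.

    effective maps each action to (winning value, winning rule name).
    conflicts lists (action, overridden rule, winning rule) for every
    matching rule whose value for an action lost to a higher-precedence rule.
    """
    effective = {}
    conflicts = []
    for rule in matching_rules(rules, flow_tags):
        for action, value in rule.actions.items():
            if action not in effective:
                effective[action] = (value, rule.name)
            elif effective[action][0] != value:
                conflicts.append((action, rule.name, effective[action][1]))
    return effective, conflicts


# Constructed policy: the manual's two-rule search-engine example plus a
# DSCP-marking rule whose action does not conflict with the gate rules.
RULES = [
    Rule("block-search", 10, frozenset({"http", "search-engine"}),
         {"gate_status": "disabled"}),
    Rule("allow-http", 11, frozenset({"http"}),
         {"gate_status": "enabled"}),
    Rule("mark-video", 20, frozenset({"http", "video"}),
         {"dscp": 46}),
]

if __name__ == "__main__":
    for tags in (frozenset({"http", "search-engine"}), frozenset({"http", "video"})):
        effective, conflicts = evaluate(RULES, tags)
        print(sorted(tags), "->", effective, "conflicts:", conflicts)
```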
  100. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    TCL filter creation actions should have high precedence.
  101. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
  102. Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule.
  103. Click the Custom tab.
    The Custom Criteria setting opens.
  104. From the Usage Reporting list, select Enabled.
  105. From the QoE Reporting list, select Enabled.
  106. In the QoE Destination setting, from the HSL list, select the name of the publisher that specifies the server or pool of remote HSL servers to send the logs to, and select the format script of the report from the Format Script list.
    If you are using a formatted destination, select the publisher that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.
  107. From the Device and Tethering Detection list, in the Tethering Detection setting, select Enabled.
    If you enable tethering detection, classification is disabled for the policy rule.
  108. From the Device and Tethering Detection list, in the Device Type OS Detection setting, select Enabled.
    If you enable device detection, all the filters are disabled for the policy rule.
    When the custom TACDB file is generated, it is stored at the location /var/local/pem/dtos/.
  109. From the Quota list, select Create.
  110. In the Gate area, for Gate Status, select Enabled.
    Options provide several ways to forward the traffic.
  111. In the Forwarding area, for HTTP Redirect, select Enabled, and type the URL.
  112. From the Forwarding list, select an option where you would like to forward the traffic.
    • Route to Network
      The traffic flow is forwarded to the default destination.
    • Forwarding to Endpoint
      The flow is steered to a different destination, and you can select one of the endpoints.
    • Forward to ICAP Virtual Server
      The flow is forwarded to the ICAP virtual server.
  113. From the Forwarding Fallback Action list, select Drop or Continue to specify whether the connection remains unchanged or is dropped if the forwarding action fails.
  114. From the ICAP Virtual Server list, select an internal virtual server that you have created, or click Create to create a new internal virtual server.
  115. From the ICAP Type list, select an ICAP adaptation type.
    • Select Request to send a portion of the request to the ICAP server.
    • Select Response to receive a portion of the response from the ICAP server.
    • Select Request and Response to have both types of adaptation.
  116. From the Service Chain list, select Create to direct traffic to more than one location (such as value-added services).
  117. For Gate Status, select Enabled.
    If you select Disabled, the corresponding traffic is dropped.
    Forwarding and QoS options are displayed.
  118. From the Modify Header list, select Enabled to modify the HTTP request header.
    More modify header configuration options display.
  119. From the Insert Content list, select Enabled to modify the content insertion.
    The BIG-IP system does not allow matching tags that are inserted, by insert action, on a given flow.
    More content insertion configuration options display.
  120. To insert content, select the action you want to implement.
    • From the Position list, select Before to prepend (opening and closing) the HTTP tag. Specify the tag name from the HTTP Tag list.
    • From the Position list, select After to append (opening and closing) the HTTP tag. Specify the tag name from the HTTP Tag list.
  121. In the Type field, type the string that defines the content, or the TCL script, which can later be attached to a policy enforcement rule. For example:
      HTTP::header replace Server "Nginx"
    There can be two iRule events:
    • PEM_POLICY is triggered when a policy evaluation occurs.
    • RULE_INIT runs the first time the iRule is loaded or has changed.
    The two new PEM iRule commands are PEM::policy initial and PEM::policy name. You can select the Wrap Text check box to wrap the definition text, and select the Extend Text Area check box to increase the field space of format scripts.
  122. From the Frequency list, select a frequency type.
    • Select Always to insert content in each transaction.
    • Select Once to insert content once per action.
    • Select Once Every to insert content once per designated time period, in seconds.
  123. To modify the HTTP request header, select the action you want to implement.
    • Select Insert String Value to insert a string value that you have specified before.
    • Select Insert Value from Script to specify that the BIG-IP system inserts the value received from the TCL expression.
    • Select Remove to remove the string value that you previously created.
  124. To redirect traffic to a URL, for HTTP Redirect, select Enabled, and type the URL.
  125. To direct traffic to a specific location, from the Forwarding list, select an option where you would like to forward the traffic.
  126. To direct traffic to more than one location (such as value-added services), from the Service Chain list, select the name of a service chain that you previously created.
  127. To set DSCP bits on the downlink traffic, for IP Marking (DSCP), select Specify, and type a value between 0 and 63, inclusive.
    The traffic that matches this rule is marked with this value.
  128. To apply rate control to downlink traffic, in the Bandwidth Controller setting, select the name of a bandwidth control policy.
    You can assign any previously created static or dynamic bandwidth control policies. However, F5 does not recommend using the default-bwc-policy, which the system provides, nor the dynamic_spm_bwc_policy, which you can create to enforce dynamic QoS settings provisioned by the PCRF.
    Depending on the bandwidth control policy, PEM restricts bandwidth usage per subscriber, group of subscribers, per application, per network egress link, or any combination of these.
  129. To apply a bandwidth policy for rate control to downlink traffic, in the Bandwidth Controller setting, select the name of a bandwidth control policy.
    You can assign any previously created static or dynamic bandwidth control policies. However, F5 does not recommend using the default-bwc-policy, which the system provides, nor the dynamic_spm_bwc_policy, which you can create to enforce dynamic QoS settings provisioned by the PCRF.
    Depending on the bandwidth control policy, PEM restricts bandwidth usage per subscriber, group of subscribers, per application, per network egress link, or any combination of these.
  130. Use the Reporting, Quota, Forwarding, Modify Header or QoS areas to specify what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic.
    Other tasks describe how to do this in detail.
    If you leave
    Gate Status
    enabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
  131. From the
    Congestion Detection
    list, select
    Enable
    , to congestion detection in the Radio Access Network.
    1. In the
      Threshold
      field, type the lower threshold bandwidth for a session. The default value is
      1000kbs
      .
    2. For
      Destination
      list, select the publisher name from the HSL publisher drop-down list.
    The state of congestion detection is now controlled by policy application, and different subsets of subscribers can have different settings. This enables congestion-detection for specific types of applications as it pairs with specific policy rule conditions.
  132. From the
    Rating group
    list, in the
    Quota
    setting, select the prior configured rating group or create a new rating group. This specifies what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic.
  133. From the
    Gate Status
    list, select
    Disable
    , to block the traffic for a subscriber who is tethering.
    If you disable
    Gate Status
    , the traffic is blocked.
  134. On the Main tab, click
    Policy Enforcement
    Rating Groups
    .
    The Rating Groups List screen opens.
  135. Click
    Create
    .
    The New Rating Group screen opens.
  136. In the
    Name
    field, type a name for the rating group.
  137. In the
    Description
    field, type optional descriptive text for the rating group.
  138. On the Main tab, click
    Policy Enforcement
    Subscribers
    .
    The Subscribers screen opens.
  139. On the Main tab, click
    Policy Enforcement
    Subscribers
    Activity Log
    Configuration
    .
    The Configuration screen opens.
  140. Click
    Create
    .
    The New Subscriber screen opens.
  141. Click
    Create
    .
    The New Application screen opens.
  142. Click
    Create
    .
    The New Presets screen opens.
  143. Select a URL category.
    The URL Properties screen opens.
  144. From the
    Type
    list, select
    Category
    .
  145. From the
    Type
    list, select
    Application
    .
  146. In the
    Name
    field, type a name for the classification category.
  147. In the
    Description
    field, type optional descriptive text for the classification presets.
  148. In the
    Category ID
    field, type an identifier for this category, a unique number.
  149. In the
    Application ID
    field, type an identifier for this application, a unique number in the range between
    8192
    and
    16383
    .
  150. For the
    State
    setting, select the appropriate value from the list.
    • If you want the system to recognize this classification, select
      Enabled
      .
    • If you do not need this classification, select
      Disabled
      .
  151. In the
    iRule Event
    field, select the appropriate setting.
    • To trigger an iRule event for this category of traffic, select
      Enabled
      . You can then create an iRule that performs an action on this type of traffic.
    • If you do not need to trigger an iRule event for this category of traffic, select
      Disabled
      .
    CLASSIFICATION::DETECTED
    is the only event that is supported.
  152. For the
    Application List
    setting, move applications that you want to associate with this category from the
    Unknown
    list to the
    Selected
    list.
    If the applications are not listed yet, you can associate the applications with the category when you create them.
  153. For the
    Policies
    setting, move policies that you want to associate with this category from the
    Disabled
    list to the
    Disabled
    list.
    If the applications are not listed yet, you can associate the applications with the category when you create them.
  154. From the
    Category
    list, select the category into which to place this application.
  155. Click
    Finished
    .
  156. On the Main tab, click
    Policy Enforcement
    Global
    Options
    .
    The Global Options screen opens.
  157. On the Main tab, click
    Policy Enforcement
    Global Options
    TAC DB
    .
    The TAC DB screen opens.
  158. In the Custom TAC DB Configuration area, for the
    Priority
    setting, select
    High
    or
    Low
    from the drop-down menu to specify that if the Custom TAC DB is built-in.
  159. In the TAC DB setting, for the
    Name
    field, type a name for the custom TAC DB.
  160. In the TAC DB setting, for the
    Upload New From
    drop-down menu, select
    File
    to choose a file with TAC code information that is located on your client machine or
    Location
    to set the URL location of the TAC DB. The URL can be, HTTP, HTTPS, FTP, SFTP or file on BIG-IP file system.
    If you choose
    Location
    , additional fields in TAC DB setting appear.
  161. In the TAC DB setting, for the
    Description
    field, type the description for this custom TAC DB.
  162. In the TAC DB setting, for the
    TAC DB Location
    , type the URL location where the TAC DB file is stored.
  163. In the TAC DB setting, for the
    Username
    field, type the username for access to the custom TAC DB information.
  164. In the TAC DB setting, for the
    Password
    field, type the password to access the custom TAC DB information.
  165. In the Sync Mode setting, select
    Automatic
    to automatically upload files from the location, and specify the polling interval (in weeks). Select
    Manual
    to manually synchronize the files.
  166. In the Policy Options area, specify (in seconds) the
    Policy Re-evaluation Interval
    at which the policy re-evaluation is triggered, to evaluate the flow policy again.
    The re-evaluation interval applies only to active flows.
    For example, a subscriber is provisioned over Gx which has a policy to allow Netflix with some bandwidth. The subscriber is able to watch a movie using the Netflix service. However, consider that the PCRF installs a policy for this subscriber to block Netflix over the Gx interface. Then, while the subscriber is viewing the content, the Netflix content is blocked for the subscriber after the configured re-evaluation interval.
  167. In the RADIUS Options area, for the
    Re-Transmit Timeout
    setting, select
    Enabled
    and specify the time in seconds. If you select
    Disabled
    , each RADIUS message is handled as a new message, which might lead to deletion and creation of sessions even though the RADIUS message is a duplicate.
    This is the timeout after which the RADIUS message is considered as a new message, by the BIG-IP system.
  168. In the RADIUS Options area, for the
    Clear Sessions upon NAS Reboot
    setting, select
    Enabled
    to remove all the PEM sessions that are associated with the NAS-IP-Address received in the RADIUS Accounting-On or Accounting-Off request packet.
  169. In the Quota Management Options area, for the
    Default Rating Group
    setting, select
    Create
    to create a new rating group for quota management.
    This takes you to the
    Policy Enforcement
    Rating Groups
    New Rating Group
    screen. Click
    Policy Enforcement
    Options
    to go back to options screen.
  170. In the Statistics Options area, for the
    Analytics Mode
    setting, select
    Enabled
    to use analytics reporting. Select the external logging destination, such as an HSL endpoint, in the
    External Log Publisher
    setting.
    This generates Application Visibility and Reporting (AVR) PEM reports, in a timely manner through graphs.
  171. From the
    Subscriber Aware
    list, select
    Enabled
    to display the statistics per subscriber.
    This generates Application Visibility and Reporting (AVR) PEM reports, in a timely manner through graphs.
  172. For the
    Content Insertion Options
    setting, in the
    Throttling
    fields, type the maximum wait time before Policy Enforcement Manager applies the insert action again on the same subscriber.
    The insert actions do not conflict with each other.
  173. On the Main tab, click
    Policy Enforcement
    Reporting
    .
  174. Click
    Create
    .
    The Format Scripts screen opens.
  175. In the
    Name
    field, type a name for the custom format script.
  176. In the
    Description
    field, type a description of the format script.
  177. In the
    Definition
    field, specify the format script that defines the log messages you want.
    return "( report-id: [PEM::session stats reported dtos report-id], record-type: [PEM::session stats reported dtos record-type], report-version: [PEM::session stats reported dtos report-version], timestamp: [PEM::session stats reported dtos timestamp], timestamp-milliseconds: [PEM::session stats reported dtos timestamp-milliseconds], subscriber-id: [PEM::session stats reported dtos subscriber-id], subscriber-id-type: [PEM::session stats reported dtos subscriber-id-type], subscriber-imeisv: [PEM::session stats reported dtos subscriber-imeisv], device-name: [PEM::session stats reported dtos device-name], device-os: [PEM::session stats reported dtos device-os], user-agent-os: [PEM::session stats reported dtos user-agent-os], tcp-os: [PEM::session stats reported dtos tcp-os], ttl: [PEM::session stats reported dtos ttl], source-port: [PEM::session stats reported dtos source-port], tcp-header-length: [PEM::session stats reported dtos tcp-header-length], tcp-scaling: [PEM::session stats reported dtos tcp-scaling], tcp-window-size: [PEM::session stats reported dtos tcp-window-size], record-reason: [PEM::session stats reported dtos record-reason], operating-system-detected: [PEM::session stats reported dtos operating-system-detected] )"
    The iRule expression is in square brackets. You can select the
    Wrap Text
    check box to wrap the definition text, and select the
    Extend Text Area
    check box to increase the field space of format scripts.
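    The following Python script is an added example, not code from the F5 manual or the product, showing how a log collector can parse the records that the format script above emits (one "key: value" pair per statistic, enclosed in parentheses). The sample record and all of its values are constructed for illustration; the set of keys is the one the format script defines.

```python
import re
from datetime import datetime, timezone

# Constructed sample of one record in the shape the format script emits;
# every value here is made up for illustration.
SAMPLE_RECORD = (
    "( report-id: 42, record-type: session, report-version: 1, "
    "timestamp: 1700000000, timestamp-milliseconds: 1700000000123, "
    "subscriber-id: 262011234567890, subscriber-id-type: IMSI, subscriber-imeisv: , "
    "device-name: , device-os: , user-agent-os: , tcp-os: , ttl: 64, source-port: 51234, "
    "tcp-header-length: 32, tcp-scaling: 7, tcp-window-size: 65535, "
    "record-reason: , operating-system-detected: )"
)

# "key: value" pairs separated by commas; a value runs until the next comma
# or the closing parenthesis, so values may themselves contain colons.
FIELD_RE = re.compile(r"([a-z0-9-]+):\s*([^,)]*)")

# Fields the format script fills from numeric PEM statistics.
INT_FIELDS = {
    "report-id", "report-version", "timestamp", "timestamp-milliseconds", "ttl",
    "source-port", "tcp-header-length", "tcp-scaling", "tcp-window-size",
}


def parse_report(line):
    """Parse one report record into a dict: empty fields become None, numeric fields int."""
    body = line.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("not a PEM report record: missing enclosing parentheses")
    fields = {}
    for key, raw in FIELD_RE.findall(body[1:-1]):
        value = raw.strip() or None
        if value is not None and key in INT_FIELDS:
            try:
                value = int(value)
            except ValueError:
                raise ValueError(f"field {key} should be numeric, got {value!r}")
        fields[key] = value
    # Add a human-readable UTC timestamp alongside the raw epoch seconds.
    if isinstance(fields.get("timestamp"), int):
        fields["timestamp-utc"] = datetime.fromtimestamp(
            fields["timestamp"], tz=timezone.utc).isoformat()
    return fields


def missing_fields(record, required=("subscriber-id", "timestamp", "record-type")):
    """Return the required fields a record lacks, so incomplete records can be flagged before ingestion."""
    return [f for f in required if record.get(f) is None]


if __name__ == "__main__":
    rec = parse_report(SAMPLE_RECORD)
    print(rec["subscriber-id"], rec["timestamp-utc"], "missing:", missing_fields(rec))
```

    The parser keeps subscriber-id as a string because the ID may be an NAI or a private identifier rather than a number; only the statistics the format script reports as counters are converted to integers.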
  178. On the Main tab, click
    Policy Enforcement
    Policies
    iRules
    .
  179. Click
    Create
    .
    The New iRule screen opens.
  180. In the
    Name
    field, type a name for the new iRule.
  181. In the
    Description
    field, type a description of the new iRule.
  182. In the
    iRule Expression
    field, specify the TCL syntax that defines a custom iRule action, which can be later attached to a policy enforcement rule.
    when PEM_POLICY {
        if {[PEM::policy initial]} {
            # Commands to run the first time the policy is evaluated.
        } else {
            # Commands to run during policy re-evaluation.
        }
        # Commands to run during both policy evaluation and re-evaluation.
    }
    There can be two iRule events:
    • PEM_POLICY
      is triggered when a policy evaluation occurs.
    • RULE_INIT
      runs the first time the iRule is loaded or has changed.
    The two new PEM iRule commands are
    PEM::policy initial
    and
    PEM::policy name
    . You can select the
    Wrap Text
    check box to wrap the definition text, and select the
    Extend Text Area
    check box to increase the field space of format scripts.
  183. In the
    iRule Expression
    field, specify the TCL syntax that defines a custom iRule action, which can be later attached to a policy enforcement rule.
    [PEM::session info tethering detected [IP::client_addr]] == 1
    The expression in the example evaluates to true, if a subscriber is tethering. You can select the
    Wrap Text
    check box to wrap the definition text, and select the
    Extend Text Area
    check box to increase the field space of format scripts.
  184. Click
    Finished
    .
    The Policy Enforcement Manager creates a new iRule, and displays the iRule list.
  185. To configure the RADIUS Message, click
    Create & Add RADIUS Message
    .
    The Policy Enforcement Manager creates a new RADIUS message page, where you can configure the AVP List.
  186. In the
    Name
    field, type a name for the service chain.
  187. On the Main tab, click
    Policy Enforcement
    Profiles
    .
    The Policy Enforcement screen opens.
  188. Click
    Create
    .
    The New PEM Profile screen opens.
  189. In the
    Name
    field, type a unique name of the policy enforcement profile.
  190. In the Optimization area, for the
    Connection Optimization
    setting,
    Enabled
    is the default selection. This indicates that the fast PEM optimization is enabled. To change the setting, select the
    Custom
    check box and select
    Disabled
    .
  191. In the
    Allow Reclassification
    list,
    Enabled
    is the default selection.
  192. In the
    Flow Bundling
    list,
    Enabled
    is the default selection.
  193. In the
    Cache Results
    list,
    Enabled
    is the default selection.
  194. In the Optimization area, for the
    Connection Optimization
    setting, select
    Disabled
    . This indicates that the fast PEM optimization is not enabled.
  195. From the
    Fast L4 Virtual Server
    list, select the Fast L4 virtual server previously configured. The Fast L4 virtual server is a server with an HTTP profile, protocol TCP, and protocol profile Fast L4.
  196. Click
    Finished
    .
    The Policy Enforcement Manager creates a policy enforcement profile with Fast L4.
  197. From the PEM profile list, select a Fast L4 profile that you have created, or click
    Create
    to create a new Fast L4 profile.
  198. On the Main tab, click
    Subscriber Management
    Profiles
    Protocol
    RADIUS
    .
    The Configuration screen opens.
  199. Click
    Create
    .
    The New RADIUS Profile screen opens.
  200. In the
    Name
    field, type a unique name for the profile.
  201. In the
    Description
    field, type optional descriptive text for the profile.
  202. From the
    Subscriber ID Type
    list, select the type of identifier that is used when the subscriber session is created.
    Subscriber ID Type options:
    E164: A number that defines the format of an MSISDN international phone number (up to 15 digits).
    NAI: A fully qualified network name that identifies a subscriber and the home network to which the subscriber belongs.
    IMSI: A globally unique code number that identifies a GSM, UMTS, or LTE mobile phone user.
    Private: The subscriber ID type is private for the given deployment.
  203. From the
    Subscriber ID List
    list, in the
    Subscriber ID Name
    setting, type the subscriber ID name.
  204. From the
    Subscriber ID List
    list, in the
    Order
    setting, type the order of RADIUS AVPs when constructing the subscriber ID.
  205. From the
    Subscriber ID List
    list, in the
    RADIUS AVP
    setting, select the value of RADIUS AVP which you have used to create the subscriber ID.
  206. From the
    Subscriber ID List
    list, in the
    Prefix
    setting, type the prefix string to be added to the extracted subscriber ID attribute that is specified in the RADIUS AVP for the subscriber session created.
  207. From the
    Subscriber ID List
    list, in the
    Suffix
    setting, type the suffix string when constructing subscriber ID with the value of the RADIUS AVP.
  208. From the
    Direction
    list, in the
    AVP List
    setting, select
    Any
    ,
    In
    or
    Out
    to process the RADIUS message in both ingress and egress, ingress only, or egress only direction respectively.
  209. From the Message Type list, select the type of the RADIUS message.
    Message Type options:
    Accounting Request Start: The Account Status Type AVP is set to 1 (Start).
    Accounting Request Stop: The Account Status Type AVP is set to 2 (Stop).
    Accounting Request Interim Update: The Account Status Type AVP is set to 3 (Interim-Update).
  210. To apply mapping between RADIUS AVPs and PEM subscriber attributes configure the actions you want to implement.
    • In the
      AVP
      field, type the name of the application service to which the AVP belongs.
    • In the
      Default
      field, type the default value that is used in the subscriber session if the AVP is not present in the RADIUS message.
    • From the
      Ingress
      list, select the
      Import
      option for the RADIUS AVP to be parsed and the value to be stored in the subscriber attribute. The default value is
      None
      .
    • From the
      RADIUS AVP
      list, select the name of the RADIUS AVP. The default value is
      None
      .
    • From the
      Subscriber Attribute
      list, select the name of the subscriber session attribute to be mapped to RADIUS AVP. The default value is
      None
      .
  211. On the Main tab, click
    Subscriber Management
    Profiles
    Protocol
    Gx
    .
    The Configuration screen opens.
  212. Click
    Create
    .
    The New Diameter Profile screen opens.
  213. In the
    Name
    field, type a unique name for the profile.
  214. In the
    Description
    field, type optional descriptive text for the profile.
  215. From the
    Diameter AVP
    list, in the
    Subscriber ID
    setting, select the Diameter AVP.
  216. From the
    Type AVP
    list, in the
    Subscriber ID
    setting, select the AVP in the message that should be matched.
  217. To configure the Diameter Message, click
    Create & Add Diameter Message
    .
    The Policy Enforcement Manager creates a new Diameter protocol profile message.
  218. From the Message Type list, select the message type.
  219. From the
    AVP List
    setting, map Diameter AVPs to subscriber session attributes for a specific Gx message by configuring the following:
    • In the
      AVP Name
      field, type the name of the application service to which the AVP belongs.
    • In the
      Default
      field, type the default value of the Diameter AVP.
    • From the
      Protected Flag
      list, select
      Enabled
      to choose the value of the protected flag in the Diameter AVP when the message is inserted. This flag applies only to Diameter AVPs in outgoing messages.
      The parent AVP inherits flags of child AVPs.
    • From the
      Mandatory Flag
      list, select
      Enabled
      to choose the value of the mandatory flag in the Diameter AVP when the message is inserted. This flag applies only to Diameter AVPs in outgoing messages.
    • From the
      Vendor-Specific Flag
      list, select
      Enabled
      to choose the value of the vendor-specific flag in the Diameter AVP when the message is inserted. This flag applies only to Diameter AVPs in outgoing messages.
    • From the
      Diameter AVP
      list, select the name of a configured diameter AVP. The default value is
      None
      .
    • In the
      Parent Label
      field, type the name of a parent label which groups AVPs that can be combined.
      The AVPs with the same parent-label are combined in the same grouped AVP.
    • From the
      Subscriber Attribute
      list, select the name of a configured subscriber session attribute. The default value is
      None
      .
    • From the
      Include Interim Message
      list, select
      Enabled
      for the AVP to be included in the interim-message (CCR-U only) updates, which are generated if there is any change related to session parameters.
      This flag only applies to Diameter AVP in outgoing message.
    • From the
      Include Reporting Message
      list, select
      Enabled
      for the AVP to be included in the reporting message (CCR-U only) updates, which are generated for reporting usage information.
      This flag only applies to Diameter AVP in outgoing message.
  220. In the
    Name
    field, type a unique name for the profile.
  221. In the
    Description
    field, type optional descriptive text for the profile.
  222. From the
    Import
    list, select
    Enabled
    for the subscriber attribute to be imported (parsed) from the incoming messages. The default value is
    None
    .
  223. From the
    Export
    list, select
    Enabled
    for the subscriber attribute to be exported (inserted) to the outgoing messages. The default value is
    Enabled
    .
  224. From the
    Well Known Attribute ID
    list, select an option for an identifier of a well-known (built-in) subscriber attribute.
    The system provides a special handling for well-known subscriber attributes. Session reporting records have the most well-known attributes by default.
  225. On the Main tab, click
    Subscriber Management
    Profiles
    Protocols
    Subscriber Attributes
    .
    The Subscriber Attributes screen opens.
  226. Click
    Create
    .
    The Subscriber Attribute Properties screen opens.
  227. On the Main tab, click
    Subscriber Management
    Profiles
    Protocols
    RADIUS AVP
    .
    The RADIUS AVP screen opens.
  228. From the
    Data Type
    list, select an option for the data type of the RADIUS AVP.
    Data Type options:
    3GPP RAT Type: The value format to be encoded or decoded as the 3GPP-RAT-Type defined in 3GPP TS 29.061.
    3GPP User Location Information: The value format to be encoded or decoded as the 3GPP-User-Location-Info defined in 3GPP TS 29.061.
    IP Address: The Account Status Type AVP is set to 3 (Interim-Update).
    IPv4 Address: The IPv4 address in network byte order.
    IPv6 Address: The IPv6 address in network byte order.
    Integer: The 32-bit unsigned integer in network byte order.
    Octet: The UTF-8 text [RFC3629], totaling 253 octets or less in length.
    String: The binary data, totaling 253 octets or less in length. This includes the opaque encapsulation of data structures defined outside of RADIUS.
    Time: The 32-bit unsigned value in network byte order and in seconds since 00:00:00 UTC, January 1, 1970.
  229. In the
    Minimum Length
    field, type the minimum data length of the RADIUS AVP. The default value is
    0
    .
  230. In the
    Maximum Length
    field, type the maximum data length of the RADIUS AVP. The default value is
    0
    .
  231. In the
    Vendor ID Length
    field, type the vendor ID of the RADIUS VSA. The default value is
    1045
    .
  232. In the
    Vendor Type
    field, type the vendor type of the RADIUS VSA. The default value is
    20
    .
  233. In the
    Type
    field, type the attribute type code of the RADIUS AVP. The default value is
    26
    .
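    The following Python script is an added example, not code from the F5 manual or the product, that ties steps 203 through 207 (building a subscriber ID from ordered RADIUS AVPs with prefix and suffix strings) to steps 228 through 233 (the RADIUS AVP data types, length limits, Type 26 and vendor fields). It decodes the RFC 2865 attribute layout, including the Vendor-Specific Attribute with its Vendor-Id and vendor type, and interprets values according to the Data Type names listed above. The attribute bytes, the Subscriber ID List entries and the use of the 3GPP vendor ID (IANA enterprise number 10415) with the 3GPP-IMSI vendor type are constructed for illustration, and the script assumes one vendor sub-attribute per VSA and that a Maximum Length of 0 means no upper bound.

```python
import ipaddress
import struct
from datetime import datetime, timezone

RADIUS_VSA_TYPE = 26   # the "Type" default on this page: Vendor-Specific (RFC 2865)
VENDOR_3GPP = 10415    # IANA enterprise number for 3GPP; used here only as the sample vendor ID


def encode_attribute(atype, value, vendor_id=None, vendor_type=None):
    """Build one RFC 2865 attribute (Type, Length, Value). With vendor_id set, wrap value
    as a Vendor-Specific Attribute: Type 26, Vendor-Id, then Vendor-Type/Vendor-Length/data."""
    if vendor_id is not None:
        value = struct.pack("!I", vendor_id) + bytes([vendor_type, len(value) + 2]) + value
        atype = RADIUS_VSA_TYPE
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return bytes([atype, len(value) + 2]) + value


def decode_attributes(data):
    """Walk the attribute TLVs; return (type, vendor_id, vendor_type, value) tuples.
    Standard attributes carry None for the two vendor fields."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        value = data[i + 2:i + alen]
        if atype == RADIUS_VSA_TYPE:
            # Assumption: one vendor sub-attribute per VSA (the common layout).
            if len(value) < 6:
                raise ValueError("VSA too short for Vendor-Id and sub-attribute header")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or vlen != len(value) - 4:
                raise ValueError("bad Vendor-Length")
            out.append((atype, vendor_id, vtype, value[6:]))
        else:
            out.append((atype, None, None, value))
        i += alen
    return out


def decode_value(value, data_type):
    """Interpret raw bytes per the Data Type names used on this page."""
    if data_type == "IPv4 Address":
        return str(ipaddress.IPv4Address(value))
    if data_type == "IPv6 Address":
        return str(ipaddress.IPv6Address(value))
    if data_type == "Integer":
        return struct.unpack("!I", value)[0]
    if data_type == "Time":
        secs = struct.unpack("!I", value)[0]
        return datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()
    if data_type == "Octet":          # UTF-8 text, as the page describes it
        return value.decode("utf-8")
    return value                      # String and the 3GPP types: opaque bytes


def length_ok(value, min_len=0, max_len=0):
    """Apply the Minimum/Maximum Length settings; assumption: a maximum of 0 means unbounded."""
    return len(value) >= min_len and (max_len == 0 or len(value) <= max_len)


def build_subscriber_id(attrs, id_list):
    """Concatenate prefix + AVP value + suffix for each Subscriber ID List entry, in Order.
    Returns None when the message lacks an AVP the ID needs."""
    parts = []
    for entry in sorted(id_list, key=lambda e: e["order"]):
        value = next((v for t, vid, vt, v in attrs if (t, vid, vt) == entry["avp"]), None)
        if value is None:
            return None
        parts.append(entry["prefix"] + value.decode("utf-8") + entry["suffix"])
    return "".join(parts)


# Constructed sample: the attribute section of an Accounting-Request with User-Name (1),
# Framed-IP-Address (8), a 3GPP-IMSI VSA (vendor type 1) and Event-Timestamp (55).
SAMPLE_ATTRIBUTES = b"".join([
    encode_attribute(1, b"alice"),
    encode_attribute(8, ipaddress.IPv4Address("10.0.0.5").packed),
    encode_attribute(RADIUS_VSA_TYPE, b"262011234567890", vendor_id=VENDOR_3GPP, vendor_type=1),
    encode_attribute(55, struct.pack("!I", 1700000000)),
])

# Constructed Subscriber ID List: IMSI first (Order 1), then User-Name (Order 2).
SAMPLE_ID_LIST = [
    {"order": 2, "avp": (1, None, None), "prefix": "/", "suffix": "@pem"},
    {"order": 1, "avp": (RADIUS_VSA_TYPE, VENDOR_3GPP, 1), "prefix": "imsi-", "suffix": ""},
]

if __name__ == "__main__":
    attrs = decode_attributes(SAMPLE_ATTRIBUTES)
    print(build_subscriber_id(attrs, SAMPLE_ID_LIST))   # imsi-262011234567890/alice@pem
```

    The decoder rejects malformed lengths instead of skipping them: a subscriber ID built from a truncated or mis-framed AVP would silently create a session under the wrong identifier, which is the failure the Minimum Length and Maximum Length settings exist to catch.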
  234. On the Main tab, click
    Subscriber Management
    Profiles
    Protocols
    Diameter AVP
    .
    The Diameter AVP screen opens.
  235. Click
    Create
    .
    The Diameter AVP Properties screen opens.
  236. From the
    Parent AVP
    list, select
    None
    , or the name of the parent AVP if this AVP is contained in a grouped AVP.
  237. In the
    AVP Code
    field, type the AVP code of the diameter AVP.
  238. From the
    Data Type
    list, select the data type of the diameter AVP. The default value is
    Octet String
    .
  239. In the
    Length
    field, type the data length of the diameter AVP.
  240. In the
    Vendor ID
    field, type the vendor ID of the diameter Vendor Specific Attribute (VSA).
  241. In the Flow Management Options area, for the
    Terminate On Session Delete
    setting, select
    Enabled
    to terminate flows when the session is deleted. The default value is
    Disabled
    .
  242. Click
    Create
    .
    The New Subscriber Management Profile screen opens.