Manual Chapter : Common Elements for Profiles Tasks

Applies To:

  • BIG-IP DNS 15.0.0
  • BIG-IP Analytics 15.0.0
  • BIG-IP AFM 15.0.0
  • BIG-IP PEM 15.0.0
  • BIG-IP ASM 15.0.0
  • BIG-IP AAM 15.0.0
  • BIG-IP APM 15.0.0
  • BIG-IP LTM 15.0.0

  1. On the Main tab, click Local Traffic > Profiles.
  2. On the menu bar, expand or click a profile category and choose the type of profile you want to create.
  3. In the Name column, click the system-supplied dns profile.
    The DNS properties list screen opens.
  5. From the Response Cache list, select Enabled.
  6. In the Hardware Acceleration area, from the Protocol Validation list, select Enabled.
  7. Click Update.
  8. On the Main tab, click Local Traffic > Profiles > Databases > MS SQL.
    The MS SQL Profiles list screen opens.
  9. On the Main tab, click Security > Event Logs > Logging Profiles.
    The Logging Profiles list screen opens.
  10. On the Main tab, click Local Traffic > Profiles > Services > HTTP.
    The HTTP profile list screen opens.
  11. On the Main tab, click Local Traffic > Profiles > Services > SMTPS.
    The SMTPS profile list screen opens.
  12. On the Main tab, click Local Traffic > Profiles > Services > Rewrite.
    The Rewrite profile list appears.
  13. On the Main tab, click Local Traffic > Profiles > Services > HTTP Compression.
    The HTTP Compression profile list screen opens.
  14. On the Main tab, click Acceleration > Profiles > HTTP Compression.
    The HTTP Compression profile list screen opens.
  15. On the Main tab, click Local Traffic > Profiles > Services > Web Acceleration.
    The Web Acceleration profile list screen opens.
  16. On the Main tab, click Local Traffic > Profiles > Services > FTP.
    The FTP profile list screen opens.
  17. On the Main tab, click Local Traffic > Profiles > Services > DNS.
    The DNS profile list screen opens.
  18. On the Main tab, click DNS > Delivery > Profiles > DNS.
    The DNS profile list screen opens.
  19. On the Main tab, click DNS > Delivery > Profiles > DNS or Local Traffic > Profiles > Services > DNS.
    The DNS profile list screen opens.
  20. On the Main tab, click DNS > Delivery > Profiles > DNS.
    The DNS list screen opens.
  21. In the Name column, click the name of the profile you want to modify.
  22. On the Main tab, click Local Traffic > Profiles > Services > IIOP.
    The IIOP profile list screen opens.
  23. On the Main tab, click Local Traffic > Profiles > Services > RTSP.
    The RTSP profile list screen opens.
  24. On the Main tab, click Local Traffic > Profiles > Services > Diameter.
    The Diameter profile list screen opens.
  25. On the Main tab, click Local Traffic > Profiles > Services > RADIUS.
    The RADIUS profile list screen opens.
  26. On the Main tab, click Local Traffic > Profiles > Services > SMTP.
    The SMTP profile list screen opens.
  27. On the Main tab, click Local Traffic > Profiles > Services > iSession.
    The iSession profile list screen opens.
  28. On the Main tab, click Local Traffic > Profiles > Services > CIFS.
    The Profiles list screen opens.
  29. On the Main tab, click Local Traffic > Profiles > Services > MAPI.
    The MAPI profile list screen opens.
  30. On the Main tab, click Local Traffic > Profiles > Services > XML.
    The XML profile list screen opens.
  31. On the Main tab, click Local Traffic > Profiles > Services > HTTP/2.
    The HTTP/2 profile list screen opens.
  32. On the Main tab, click Acceleration > Profiles > HTTP/2.
    The HTTP/2 profile list screen opens.
  33. On the Main tab, click Local Traffic > Profiles > Services > SPDY.
    The SPDY profile list screen opens.
  34. On the Main tab, click Acceleration > Profiles > SPDY.
    The SPDY profile list screen opens.
  35. On the Main tab, click Local Traffic > Profiles > Services > FIX.
    The FIX profile list screen opens.
  36. On the Main tab, click Local Traffic > Profiles > Services > IPsecALG.
    The IPsecALG profile list screen opens.
  37. On the Main tab, click Local Traffic > Profiles > Persistence.
    The Persistence profile list screen opens.
  38. In the Name column, click the name of the relevant persistence profile.
  39. For the Mirror Persistence setting, select the check box.
  40. On the Main tab, click Local Traffic > Profiles > Protocol > Fast L4.
    The Fast L4 screen opens.
  41. On the Main tab, click Local Traffic > Profiles > Protocol > Fast HTTP.
    The Fast HTTP profile list screen opens.
  42. On the Main tab, click Local Traffic > Profiles > Protocol > HTTP Class.
    The HTTP Class profile list screen opens.
  43. On the Main tab, click Local Traffic > Profiles > Protocol > TCP.
    The TCP profile list screen opens.
  44. On the Main tab, click Local Traffic > Profiles > Services > SIP (legacy).
    The SIP profile list screen opens.
  45. On the Main tab, click Local Traffic > Profiles > Protocol > UDP.
    The UDP profile list screen opens.
  46. On the Main tab, click Local Traffic > Profiles > Protocol > SCTP.
    The SCTP profile list screen opens.
  47. On the Main tab, click Local Traffic > Profiles > SSL > Client.
    The Client SSL profile list screen opens.
  48. On the Main tab, click Local Traffic > Profiles > SSL > Server.
    The Server SSL profile list screen opens.
  49. On the Main tab, click Local Traffic > Profiles > SSL > Client or Local Traffic > Profiles > SSL > Server.
    The Client SSL or Server SSL profile list screen opens.
  50. On the Main tab, click Local Traffic > Profiles > SSL > OCSP Stapling.
    The OCSP Stapling list screen opens.
  51. Scroll down to Handshake Timeout and select the Custom check box.
    Additional settings become available.
  52. To limit the timeout to a number of seconds, select Specify from the list, and type the required number in the seconds field.
    In the list, the value Indefinite specifies that the system continue trying to establish a connection for an unlimited time. If you select Indefinite, the seconds field is no longer available.
  53. On the Main tab, click Local Traffic > Profiles > Authentication > Profiles.
    The Profiles list screen opens.
  54. On the Main tab, click Local Traffic > Profiles > Other > Request Logging.
    The Request Logging profile list screen opens.
  55. On the Main tab, click Local Traffic > Profiles > Other > DNS Logging.
    The DNS Logging profile list screen opens.
  56. On the Main tab, click DNS > Delivery > Profiles > Other > DNS Logging.
    The DNS Logging profile list screen opens.
  57. On the Main tab, click DNS > Delivery > Profiles > Other > DNS Logging or Local Traffic > Profiles > Other > DNS Logging.
    The DNS Logging profile list screen opens.
  58. On the Main tab, click Local Traffic > Profiles > Other > OneConnect.
    The OneConnect profile list screen opens.
  59. On the Main tab, click Local Traffic > Profiles > Other > SplitSession Client.
    The SplitSession Client profile list screen opens.
  60. On the Main tab, click Local Traffic > Profiles > Other > SplitSession Server.
    The SplitSession Server profile list screen opens.
  61. On the Main tab, click Local Traffic > Profiles > Other > HTTP Proxy Connect.
    The HTTP Proxy Connect profile list screen opens.
  62. On the Main tab, click Local Traffic > Profiles > Services > Client LDAP.
    The Client LDAP list screen opens.
  63. On the Main tab, click Local Traffic > Profiles > Services > Server LDAP.
    The Server LDAP list screen opens.
  64. On the Main tab, click Local Traffic > Profiles > Analytics > HTTP Analytics.
    If Analytics is not listed, this indicates that Application Visibility and Reporting (AVR) is not provisioned, or you do not have rights to create profiles.
    The HTTP Analytics screen opens.
  65. In the Logging and Reporting area, select the AVR Statistics Sample Rate check box.
    The Enabled 1/ 1 queries sampled field displays.
  66. In the Enabled 1/ 1 queries sampled field, change the 1 to the number of queries from which the system takes one sample.
    • 0: No DNS requests are stored in the Analytics database.
    • 1: All DNS requests are stored in the Analytics database.
    • n>1: Every nth DNS request is stored in the Analytics database.
  67. For the Statistics Logging Type setting, click External.
  68. From the Publisher list, select the publisher that contains the destination to which you want the BIG-IP system to send the statistics.
  69. For the Statistics Logging Type setting, verify that Internal is selected. If it is not, select it.
    Selecting Internal causes the system to store statistics locally, and you can view the charts on the system by starting at the Main tab and clicking Statistics > Analytics.
  70. For the Transaction Sampling Ratio setting, specify whether the system learns information from every transaction (specify all), or performs traffic sampling (specify 1 of every n transactions).
    A high sampling rate (such as 99) results in less precise statistical data but improves system performance. Adjust the sampling ratio according to expected TPS and quantity of entities.
    You can change this setting only on the default Analytics profile.
  71. In the Associated Virtual Servers area, specify the virtual servers for which to capture application statistics:
    1. For the Virtual Servers setting, click Add.
    2. From the Select Virtual Server popup that opens, select the virtual servers to include and then click Done.
    Only virtual servers previously configured with an HTTP profile display in the list (because the data being collected applies to HTTP traffic). Also, you can assign only one HTTP Analytics profile to a virtual server; therefore, the list displays only virtual servers that have not been assigned an Analytics profile.
    Special considerations apply if using Analytics on a BIG-IP system with both Application Security Manager and Access Policy Manager, where security settings (in Portal Access webtop or an iRule) redirect traffic from one virtual server to another. In this case, you need to attach the HTTP Analytics profile to the second virtual server to ensure that the charts show accurate statistics.
  72. Specify the virtual servers for which to capture traffic:
    1. In the Virtual Servers setting, click Add.
    2. From the Select Virtual Server list that displays, select the virtual servers and click Done.
    Only previously configured virtual servers display in the list.
  73. In the Statistics Gathering Configuration area, for Collected Metrics, select additional statistics you want the system to collect from the requests:
    • Max TPS and Throughput: Collects and logs statistics regarding the maximum number of transactions occurring per second (TPS) and the amount of traffic moving through the system. Maximum request and response throughput is collected and recorded separately. Each value is then displayed separately when you drill down into details of Transaction Outcomes (Statistics > Analytics > Overview).
    • HTTP Timing (RTT, TTFB, Duration): Collects and logs statistics regarding the HTTP request and response times, including round-trip time, time to first byte and overall transaction duration time.
    • Page Load Time: Collects and logs statistics regarding the time it takes an application user to get a complete response from the application, including network latency and completed page processing. End-user response times and latencies can vary significantly based on geographic location and connection types.
    • User Sessions: Collects and logs statistics regarding the number of unique user sessions. For Timeout, select the allowed minutes of user inactivity before the system considers the session to be over. For Cookie Secure Attribute, specify whether to secure session cookies:
      • Always: the secure attribute is always added to the session cookie.
      • Never: the secure attribute is never added to the session cookie.
      • Only SSL: the secure attribute is added to the session cookie only when the virtual server has a client SSL profile (the default value).
    By default, the system collects many metrics, including TPS, throughput, server latency, response time, and network latency. You can select the metrics here, in addition to the ones already collected, once the Analytics profile is attached to one or more virtual servers.
  74. In the Statistics Gathering Configuration area, for Collected Entities, select additional entities to collect statistics for each request.
    By default, the system collects many entity statistics, including virtual servers, pool members, browser names, operating system, and so on. You can select the ones here in addition to the ones already collected once the Analytics profile is attached to one or more virtual servers.
    When you select URLs, Countries, Client IP Addresses or Client Subnets, you have additional options to configure specific statistics filtering.
    • URLs: Saves the URLs that were requested.
    • Countries: Saves the name of the country where the request came from, based on the client IP address.
    • Client IP Addresses: Saves the IP address where the request originated. The address saved also depends on whether the request has an XFF (X-Forwarded-For) header and whether the HTTP profile accepts XFF headers.
    • Client Subnets: Saves statistics for predefined client subnets. Client subnets can be added in the Subnets area of the default HTTP Analytics profile.
    • Response Codes: Saves HTTP response codes that the server returned in response to requests.
    • User Agents: Saves information about browsers making the request.
    • Methods: Saves HTTP methods in requests.
    • OS and Browsers: Saves information about the operating system and browser making the request.
  75. In the Statistics Gathering Configuration area, for Collect URLs, you can configure whether the system collects traffic from all or from specific URLs.
    1. Select All to collect traffic from all URLs.
      By default, the system collects traffic from all URLs when you select URLs from the Collected Entities list.
    2. Select Only to collect traffic from specific URLs.
    3. Specify the URLs for which to capture traffic and click Add. You can add up to 10 URLs to the list.
      If you select Only and leave the list empty, the system collects traffic data from all URLs.
  76. In the Statistics Gathering Configuration area, for Collect Countries, you can configure whether the system collects traffic from all or from specific countries.
    1. Select All to collect traffic from all countries.
      By default, the system collects traffic from all countries when you select Countries from the Collected Entities list.
    2. Select Only to collect traffic from specific countries.
    3. Specify the countries for which to capture traffic. Select from the Available Countries list and use the arrow keys to move each country to the Selected Countries list. You can add up to 10 countries to the Selected list.
      If you select Only and leave the list empty, the system collects traffic data from all countries.
  77. In the Statistics Gathering Configuration area, for Collect Client IP Addresses, you can configure whether the system collects traffic from all or from specific client IPs.
    1. Select All to collect traffic from all client IP addresses.
      By default, the system collects traffic from all client IPs when you select Client IP Addresses from the Collected Entities list.
    2. Select Only to collect traffic from specific client IP addresses.
    3. Specify the client IP addresses for which to capture traffic and click Add. You can add up to client IP addresses to the list.
      If you select Only and leave the list empty, the system collects traffic data from all client IP addresses.
  78. In the Statistics Gathering Configuration area, for Collect Client Subnets, you can configure whether the system collects traffic from all or from specific client subnet IPs.
    1. Select All to collect traffic from all subnets.
      By default, the system collects traffic from all subnets when you select Client Subnets from the Collected Entities list.
    2. Select Only to collect traffic from specific subnets.
    3. Specify the subnet IPs for which to capture traffic and click Add. You can add up to 10 subnet IPs to the list.
      You can filter the listed subnets by one type of IP protocol. Adding both IPv4 and IPv6 protocols results in an error.
      If you select Only and leave the list empty, the system collects traffic data from all subnets.
  79. If one of the Traffic Capturing Logging Type check boxes is selected, in the Capture Filter area, adjust the settings to specify criteria to determine what application traffic to capture.
    You can use the captured information for troubleshooting purposes.
  80. If you want the system to send email notifications, review the SMTP Configuration field to ensure that a configuration is specified and not the value None.
    You can configure SMTP only in the default Analytics profile. If it is not configured, you can save the profile and edit the default profile where you can select an existing SMTP configuration or create a new one. (If you click the analytics link without saving the new profile you are working on, you will lose the unsaved changes.)
  81. For the Notification Type setting, select how you want the system to send alerts and notifications.
    • Syslog: Select Syslog if you want the system to send notification and alert messages to the local log system. You can view the messages on the System > Logs > Local Traffic screen.
    • SNMP: Select SNMP if you want the system to send notification and alert messages as SNMP traps. You can create the trap by clicking Configuration can be found here (System > SNMP > Traps > Destination). Enabling SNMP automatically sets up Syslog notifications, too.
    • E-mail: Select E-mail if you want the system to send notification and alert messages to email addresses. Type each email address in the Notification E-Mails field, and click Add to create the list. This option requires that the default analytics profile includes an SMTP configuration.
    When you select a notification type, the screen displays the Alerts and Notifications Configuration area, where you can indicate the criteria for alerts and notifications.
  82. Click Create.
    The Create New Logging Profile screen opens.
  83. Click Create New Profile.
    The Create New Profile Rewrite pop-up screen opens.
  84. Click Create.
    The New Authentication Profile screen opens.
  85. Click Create.
    The New Fast L4 profile screen opens.
  86. Click Create.
    The New DNS Profile screen opens.
  87. Click Create.
    The New DNS Logging profile screen opens.
  88. Click Create.
    The New HTTP Compression profile screen opens.
  89. Click Create.
    The New Diameter profile screen opens.
  90. Click Create.
    The New HTTP Profile screen opens.
  91. Click Create.
    The New FTP Profile screen opens.
  92. Click Create.
    The New SCTP Profile screen opens.
  93. Click Create.
    The New SMTP Profile screen opens.
  94. Click Create.
    The New SMTPS Profile screen opens.
  95. Click Create.
    The New HTTP Class Profile screen opens.
  96. Click Create.
    The New Web Acceleration Profile screen opens.
  97. Click Create.
    The New HTTP Analytics profile screen opens.
  98. Click Create.
    The New Server SSL Profile screen opens.
  99. Click Create.
    The New Client SSL Profile screen opens.
  100. Click Create.
    The New Client LDAP Profile screen opens.
  101. Click Create.
    The New Server LDAP Profile screen opens.
  102. Click Create.
    The New Request Logging Profile screen opens.
  103. Click Create.
    The New Persistence Profile screen opens.
  104. Click Create.
    The New HTTP/2 Profile screen opens.
  105. Click Create.
    The New SPDY Profile screen opens.
  106. Click Create.
    The New FIX Profile screen opens.
  107. Click Create.
    The New GTP Profile screen opens.
  108. Click Create.
    The New OneConnect Profile screen opens.
  109. Click Create.
    The New MS SQL Profile screen opens.
  110. Click Create.
    The New SplitSession Client Profile screen opens.
  111. Click Create.
    The New SplitSession Server Profile screen opens.
  112. Click Create.
    The New HTTP Proxy Connect Profile screen opens.
  113. Click Create.
    The new OCSP Stapling Profile screen opens.
  114. Click Create.
  115. Click Finished.
  116. Click Update.
  117. Click Delete.
  118. Click the name of a profile.
  119. In the Name field, type a unique name for the profile.
  120. From the Parent Profile list, retain the default value, clientldap.
  121. From the Parent Profile list, retain the default value, serverldap.
  122. From the Parent Profile list, retain the default value or select another existing profile of the same type.
  123. From the Parent Profile list, select the profile from which you want to inherit settings.
    The default profile is often used as the parent profile.
    The new profile inherits the values from the parent profile. If the parent is changed, the inherited values in the new profile also change.
  124. On the Main tab, click Local Traffic > Profiles > Message Routing > SIP.
    The SIP transport config list screen opens.
  125. On the menu bar, click Router Profiles.
    The Router Profiles list screen opens.
  126. Click Create.
    The New SIP Router Profile screen opens.
  127. In the Name field, type a unique name for the SIP router profile.
  128. From the Operation Mode list, select Load Balancing.
  129. In the Maximum Pending Messages field, type ...
  130. In the Maximum Pending Bytes field, type ...
  131. For the Static Routes setting, move routes that define how the BIG-IP system load balances SIP traffic from the Available list to the Selected list.
  132. In the Transaction Timeout (seconds) field, type the number of seconds...
  133. On the menu bar, click Session Profiles.
    The Session Profiles list screen opens.
  134. Click Create.
    The New SIP Session Profile screen opens.
  135. In the Name field, type a unique name for the SIP session profile.
  136. In the Maximum Message Size (bytes) field, type ...
  137. In the Maximum Message Header Count field, type ...
  138. In the Custom Via field, type ...
  139. From the Persist Key list, select the value the system uses for persistence of a SIP session. The options are:
    • Call-ID: The system uses the value in the Call-ID header field in the SIP message.
    • Custom: The system uses the value of a custom key specified in an iRule.
    • Src-Addr: The system uses the originating IP address in the SIP message.
  140. From the Persist Type list, select one of these options:
    • Session: Persistence is enabled.
    • None: Persistence is disabled.
  141. In the Persist Timeout (seconds) field, type the number of seconds before a SIP session persistence record expires.
  142. In the Profile Name field, type a unique name for the Analytics profile.
  143. In the General Properties area, name the profile dns_express.
  144. In the General Properties area, name the profile dns_zxfr_dnssec.
  145. In the General Properties area, name the profile dns_zxfr.
  146. In the Profile Name field, type a unique name for the Security Logging Profile.
  147. In the Profile Name field, type a unique name for the profile.
  148. In the General Properties area, from the Parent Profile list, accept the default dns profile.
  149. On the Main tab, click Local Traffic > Profiles > Services > DHCPv4.
  150. On the Main tab, click Local Traffic > Profiles > Services > DHCPv6.
  151. On the Main tab, click Local Traffic > Profiles > Policy Enforcement > RADIUS AAA.
  152. Click Create.
    The New DHCPv4 Profile screen opens.
  153. Click Create.
    The New DHCPv6 Profile screen opens.
  154. Click Create.
    The New Radius Profile screen opens.
  155. In the Name field, type a unique name for the profile.
  156. From the Parent Profile list, select the default dhcpv4 profile.
  157. From the Parent Profile list, select the default dhcpv6 profile.
  158. From the Parent Profile list, select the default radiusaaa profile.
  159. Select the Custom check box.
  160. In the Protocol and Proxy Settings Features area, make a selection from the DHCP Mode list.
    • Relay: When in relay mode, a virtual server relays Dynamic Host Configuration Protocol (DHCP) client requests and applies unicast IP addresses as the relayed message destination.
    • Forward: When in forward mode, a virtual server forwards DHCP client requests for an IP address, without modifying them, to one or more DHCP servers.
  161. For the Idle Timeout setting, type the number of seconds that a BIG-IP DHCP connection is idle before the connection is eligible for deletion.
  162. For the Max Hops setting, select the Custom check box to enable this option. Type the maximum expected number of relay agents that the messages should pass through before reaching the DHCPv4 server.
  163. For the Default TTL setting, select the Custom check box to enable this option. Type the time to live (TTL) value that you want to set for each outgoing DHCP packet.
  164. For the TTL Decrement Amount setting, select the Custom check box to enable this option. Type the amount by which the DHCP virtual server decrements the TTL of each outgoing DHCP packet.
  165. For the Default Lease Time setting, select the Custom check box to enable this option. Type the default DHCPv4 lease time, in seconds.
  166. For the Transaction Timeout setting, select the Custom check box to enable this option. Type the number of seconds taken to internally process the messages.
  167. For the Transaction Timeout setting, select the Custom check box to enable this option. Type the time, in seconds, allowed for the server to respond.
  168. If you want the DHCP module to insert option 82, for the Insert Relay Agent ID (Option 82) setting, select the Custom check box.
  169. If you want the DHCP module to insert option 37, for the Insert Remote ID (Option 37) setting, select the Custom check box.
  170. If you want the DHCP module to insert option 38, for the Insert Remote ID (Option 38) setting, select the Custom check box to enable this option.
  171. If you want the DHCP relay agent to remove option 82 from the server-to-client traffic, for the Remove Relay Agent ID From Client Messages setting, select the Custom check box to enable this option.
  172. If you want the DHCP relay agent to remove option 37 from the server-to-client traffic, for the Remove Subscriber Agent ID From Client Messages setting, select the Custom check box.
  173. If you want the DHCP module to remove option 38 from the server-to-client traffic, for the Remove Relay Agent ID From Client Messages setting, select the Custom check box.
  174. From the
    Subscriber Discovery
    list, select
    Enabled
    . Then, for the
    Subscriber ID Format
    setting, select the format you want to implement.
    Format
    Description
    MAC Address
    Uses the subscriber ID as the MAC address through which the subscriber ID goes through.
    Relay Agent Option: Suboption ID 1
    Uses the relay agent first option suboption ID.
    Relay Agent Option: Suboption ID 1 + <Separator> + Suboption ID 2
    Uses the relay agent first and second suboption IDs.
    MAC Address + <Separator> + Relay Agent Option: Suboption ID 1
    Uses the MAC Address and the relay agent first suboption ID.
    MAC Address + <Separator> + Relay Agent Option: Suboption ID 1 <Separator> + Suboption ID 2
    Uses the relay agent first option suboption ID.
    TCL Expression
    Uses the TCL expression to format the subscriber ID.
  175. From the
    Authentication Settings
    list, select
    Enabled
    . Then, select the virtual server name from the
    Authentication Virtual
    list. Select the
    User Name Format
    you want to implement.
    The
    User Name Format
    has the same options as the
    Subscriber ID Format
    , in the Subscriber Discovery setting.
  176. From the
    Subscriber Discovery
    list, select
    Enabled
    . Then, for the
    Subscriber ID Format
    setting, select the format you want to implement.
    Format
    Description
    MAC Address
    Uses the subscriber ID as the MAC address through which the subscriber ID goes through.
    MAC Address + <Separator> + Option 37
    Uses the MAC address and the remote ID relay agent option.
    MAC Address + <Separator>+ Option 37 <Separator> + Option 38
    Uses the MAC address, the remote ID relay agent option and the subscriber ID option.
    MAC Address + <Separator> + Option 38
    Uses the MAC address and the subscriber ID option.
    Option 37
    Uses the remote ID relay agent option.
    Option 37 + <Separator> + Option 38
    Uses the remote ID relay agent option and the subscriber ID option.
    Option 38
    Uses the subscriber ID option.
    TCL Expression
    Uses the TCL expression to format the subscriber ID.
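The two Subscriber ID Format tables above (DHCPv4 relay agent option 82 suboptions in step 174, DHCPv6 options 37 and 38 in step 176) describe how the subscriber ID is assembled from relay-supplied fields. The following Python is an added illustration, not F5 code and not how the BIG-IP system implements the setting: it parses the option bytes with the layouts from RFC 3046 (option 82: 1-byte code, 1-byte length), RFC 8415 (DHCPv6: 2-byte code, 2-byte length), RFC 4649 (option 37 carries a 4-byte enterprise number before the remote-id) and RFC 4580 (option 38), then joins the chosen components with a separator. The short format keys ("mac+sub1+sub2", "mac+opt37+opt38"), the "-" separator and the sample option bytes are assumptions constructed for the example. Relay-supplied values are opaque, untrusted bytes, so the example renders anything that is not printable ASCII as hex rather than decoding it blindly.

```python
import struct
from typing import Dict


def parse_option82(data: bytes) -> Dict[int, bytes]:
    """Parse DHCPv4 option 82 (Relay Agent Information) into {suboption code: value}.
    Suboption layout per RFC 3046: 1-byte code, 1-byte length, value."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated option 82 suboption header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option 82 suboption length exceeds option data")
        subs[code] = value
        i += 2 + length
    return subs


def parse_dhcpv6_options(data: bytes) -> Dict[int, bytes]:
    """Parse a DHCPv6 option list into {option code: value}.
    Option layout per RFC 8415: 2-byte code, 2-byte length, value (network byte order)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        if i + 4 > len(data):
            raise ValueError("truncated DHCPv6 option header")
        code, length = struct.unpack("!HH", data[i:i + 4])
        value = data[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError("DHCPv6 option length exceeds option data")
        opts[code] = value
        i += 4 + length
    return opts


def _printable(value: bytes) -> str:
    # Relay-supplied identifiers are untrusted opaque bytes: keep printable ASCII,
    # otherwise fall back to a hex rendering so the ID never contains raw control bytes.
    if value and all(32 <= b < 127 for b in value):
        return value.decode("ascii")
    return value.hex()


def dhcpv4_fields(mac: str, option82: bytes) -> Dict[str, str]:
    """Components available to the DHCPv4 formats: MAC, suboption 1 (circuit ID), suboption 2 (remote ID)."""
    subs = parse_option82(option82)
    return {"mac": mac,
            "sub1": _printable(subs.get(1, b"")),
            "sub2": _printable(subs.get(2, b""))}


def dhcpv6_fields(mac: str, options: bytes) -> Dict[str, str]:
    """Components available to the DHCPv6 formats: MAC, option 37 (remote ID), option 38 (subscriber ID)."""
    opts = parse_dhcpv6_options(options)
    remote_id = opts.get(37, b"")[4:]  # RFC 4649: 4-byte enterprise number precedes the remote-id
    return {"mac": mac,
            "opt37": _printable(remote_id),
            "opt38": _printable(opts.get(38, b""))}


def format_subscriber_id(fmt: str, fields: Dict[str, str], sep: str = "-") -> str:
    """Join the named components with the separator.
    fmt is an assumed shorthand for the table rows, e.g. "mac+sub1+sub2" or "mac+opt37+opt38"."""
    return sep.join(fields[name] for name in fmt.split("+"))


# Constructed sample input (not captured traffic): option 82 with circuit ID "eth01"
# and a 6-byte binary remote ID; DHCPv6 option 37 (enterprise 9, remote-id "relayA") and option 38 "sub1".
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_OPTION82 = bytes([1, 5]) + b"eth01" + bytes([2, 6]) + bytes.fromhex("0a1b2c3d4e5f")
SAMPLE_DHCPV6_OPTIONS = (struct.pack("!HH", 37, 10) + b"\x00\x00\x00\x09relayA"
                         + struct.pack("!HH", 38, 4) + b"sub1")

if __name__ == "__main__":
    print(format_subscriber_id("mac+sub1+sub2", dhcpv4_fields(SAMPLE_MAC, SAMPLE_OPTION82)))
    print(format_subscriber_id("mac+opt37+opt38", dhcpv6_fields(SAMPLE_MAC, SAMPLE_DHCPV6_OPTIONS)))
```

A missing suboption or option yields an empty component rather than an error, which mirrors the fact that not every relay populates both fields; a truncated or over-long length field raises, because a subscriber ID built from a partially parsed option would silently attribute traffic to the wrong subscriber.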
  177. From the
    Authentication Settings
    list, select
    Enabled
    . Then, select the virtual server name from the
    Authentication Virtual
    list. Select the
    User Name Format
    you want to implement.
    The
    User Name Format
    has the same options as the
    Subscriber ID Format
    , in the Subscriber Discovery setting.
  178. For the
    Secret
    setting, select the
    Custom
    check box to enable this option. Type the shared secret of the RADIUS server used for authentication.
  179. For the
    Password
    setting, select the
    Custom
    check box to enable this option. Type the password of the RADIUS AAA profile for RADIUS server authentication.
  180. For the
    Retransmission Timeout
    setting, select the
    Custom
    check box to enable this option. Type the number of seconds to wait before resending authentication or accounting messages to the RADIUS server.
  181. From the
    Parent Profile
    list, select the default
    ftp
    profile.
  182. From the
    Parent Profile
    list, select a parent profile.
  183. For the
    Inherit Parent Profile
    setting, select the check box.
    This optimizes data channel traffic.
  184. Select the
    Custom
    check box.
  185. If you want to disable IPv6 translation, in the Settings area, clear the
    Translate Extended
    check box.
  186. Retain the
    Data Port
    setting default value of
    20
    .
  187. To enable FTP security checks, select the
    Protocol Security
    check box.
    The Protocol Security tab opens.
  188. In the
    Out Streams
    field, type a value for the number of outbound streams.
    Ensure that this value equals the value requested by the servers when the server-side connection is established.
    A value of
    2
    , or greater, enables SCTP multistreaming functionality.
  189. In the
    In Streams
    field, type a value for the number of inbound streams.
    Ensure that this value equals the value requested by the servers when the server-side connection is established.
    A value of
    2
    , or greater, enables SCTP multistreaming functionality.
  190. Configure the client-side multihoming settings.
    1. From the
      Client Side Multi-homing
      list, select
      Enabled
      to enable SCTP multihoming for clients.
      When enabled, this setting enables SCTP clients to connect to a virtual server over multiple IP interfaces.
      The
      Secondary Addresses
      setting appears.
    2. For the
      Secondary Addresses
      setting, in the
      Destination Address
      field, type a valid destination address for any virtual server that uses this SCTP profile.
    3. Click
      Add
      .
      Repeat the addition of each destination address that you want to provide to SCTP clients.
  191. From the
    Server Side Multi-homing
    list, select
    Enabled
    to enable SCTP multihoming for servers.
  192. From the
    Parent Profile
    list, select the existing SMTP profile from which you want the new profile to inherit settings. The default is
    smtp
    .
  193. Select the
    Protocol Security
    check box to enable SMTP security checks.
  194. From the
    Parent Profile
    list, select a profile from which the new profile inherits properties.
  195. For the
    Parent Profile
    setting, confirm that
    ssl
    appears.
  196. Select the
    Custom
    check box.
  197. Select the
    Custom
    check box.
  198. Select the
    Custom
    check box.
  199. Next to
    Settings
    , select the
    Custom
    check box.
  200. Next to
    Log Settings
    , select the
    Custom
    check box.
  201. From the
    Configuration
    list, select
    Advanced
    .
  202. Select the
    Custom
    check box.
    The settings become available for change.
  203. Next to Client Authentication, select the
    Custom
    check box.
    The settings become available.
  204. From the
    Certificate
    list, select the name of an SSL certificate on the BIG-IP system.
    If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
  205. From the
    Key
    list, select the name of an SSL key on the BIG-IP system.
    If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
  206. In the
    Pass Phrase
    field, type the pass phrase that enables access to the certificate/key pair on the BIG-IP system.
  207. From the
    Chain
    list, select the name of an SSL chain on the BIG-IP system.
  208. Select the
    Custom
    check box for
    Server Authentication
    .
  209. Modify the settings, as required.
  210. Modify other settings, as required.
  211. Configure all other profile settings as needed.
  212. For the
    Proxy SSL
    setting, select the check box.
  213. Select the
    Custom
    check box for the Request Settings area.
  214. Select the
    Custom
    check box for the Response Settings area.
  215. Select the check box for the applicable profile.
  216. In the
    Profile Name
    field, type a unique name for the MS SQL profile, for example,
    mssql_user_access
    .
  217. In the
    Profile Name
    field, type a unique name for the MS SQL profile, for example,
    mssql_command_access
    .
  218. From the
    Read/Write Split
    list, select
    By Command
    .
  219. From the
    Read/Write Split
    list, select
    By User
    .
  220. From the
    Read Pool
    list, select the pool of MS SQL database servers to which the system sends read-only requests.
  221. From the
    Write Pool
    list, select the pool of MS SQL database servers to which the system sends write requests.
  222. In the
    Write Persist Timer
    field, type the number of milliseconds, after a connection has switched to the write pool, that the connection continues to persist to the write pool.
    Use the value
    -1
    to persist the connection to the write pool for the duration of the connection.
    If you set this to a value other than
    -1
    , the value must be greater than the amount of time required for the primary and secondary database servers to synchronize with one another.
  223. From the
    Users Can Write By Default
    list, select
    Yes
    to give write access to all users, except those in the
    Read-Only Users
    list.
  224. From the
    Users Can Write By Default
    list, select
    No
    to give write access only to users in the
    Write-Enabled Users
    list.
  225. In the
    Read-Only Users
    area, add users to whom you want to provide read-only access to the database.
  226. In the
    Write-Enabled Users
    area, add users to whom you want to provide write access to the database.
  227. In the DNS Traffic area, from the
    DNS Security
    list, select
    Enabled
    .
  228. In the DNS Traffic area, from the
    DNS Security Profile Name
    list, select the name of the DNS firewall profile.
  229. In the Denial of Service Protection area, from the
    Rapid Response Mode
    list, select
    Disabled
    , until a DNS flood attack occurs. At that time, enable this setting, and select an action from the
    Rapid Response Last Action
    list.
    When you enable this setting, all other DNS features are disabled, except DNS Express.
  230. In the Denial of Service Protection area, from the
    Rapid Response Mode
    list, select
    Enabled
    .
    Enable this setting after a DNS flood attack occurs. When you enable it, all other DNS features are disabled, except for DNS Express and global server load balancing (GSLB), unless the
    Rapid Response Last Action
    is set to
    Allow
    .
  231. In the Denial of Service Protection area, from the
    Rapid Response Last Action
    list, select an option to protect your network:
    Option
    Description
    Allow
    BIG-IP system sends non-matching DNS queries along the regular packet processing path
    Drop
    BIG-IP system drops the message without sending a response to the client. This is the default value.
    No Error
    BIG-IP system returns NOERROR response to the client.
    NX Domain
    BIG-IP system returns non-existent name response to the client.
    Refuse
    BIG-IP system returns REFUSED response to the client.
    Truncate
    BIG-IP system truncates the response to the client.
  232. In the DNS Features area, from the
    GSLB
    list, accept the default value
    Enabled
    .
  233. In the DNS Features area, from the
    GSLB
    list, select
    Disabled
    .
  234. In the DNS Features area, from the
    DNS IPv6 to IPv4
    list, select how you want the system to handle IPv6 to IPv4 address mapping in DNS queries and responses.
    Option
    Description
    Disabled
    The BIG-IP system does not map IPv4 addresses to IPv6 addresses.
    Immediate
    The BIG-IP system receives an AAAA query and forwards the query to a DNS server. The BIG-IP system then forwards the first good response from the DNS server to the client. If the system receives an A response first, it appends a 96-bit prefix to the record and forwards it to the client. If the system receives an AAAA response first, it simply forwards the response to the client. The system disregards the second response from the DNS server.
    Secondary
    The BIG-IP system receives an AAAA query and forwards the query to a DNS server. Only if the server fails to return a response does the BIG-IP system send an A query. If the BIG-IP system receives an A response, it appends a 96-bit user-configured prefix to the record and forwards it to the client.
    v4 Only
    The BIG-IP system receives an AAAA query, but forwards an A query to a DNS server. After receiving an A response from the server, the BIG-IP system appends a 96-bit user-configured prefix to the record and forwards it to the client.
    Select this option only if you know that all your DNS servers are IPv4-only servers.
    If you selected
    Immediate
    ,
    Secondary
    , or
    v4 Only
    , two new fields display.
  235. From the
    DNS IPv6 to IPv4
    list, specify how you want the system to handle IPv6 to IPv4 address mapping in DNS queries and responses.
    Option
    Description
    Disabled
    The BIG-IP system does not map IPv4 addresses to IPv6 addresses.
    Immediate
    The BIG-IP system receives an AAAA query and forwards the query to a DNS server. The BIG-IP system then forwards the first good response from the DNS server to the client. If the system receives an A response first, it appends a 96-bit prefix to the record and forwards it to the client. If the system receives an AAAA response first, it simply forwards the response to the client. The system disregards the second response from the DNS server.
    Secondary
    The BIG-IP system receives an AAAA query and forwards the query to a DNS server. Only if the server fails to return a response does the BIG-IP system send an A query. If the BIG-IP system receives an A response, it appends a 96-bit user-configured prefix to the record and forwards it to the client.
    v4 Only
    The BIG-IP system receives an AAAA query, but forwards an A query to a DNS server. After receiving an A response from the server, the BIG-IP system appends a 96-bit user-configured prefix to the record and forwards it to the client.
    Select this option only if you know that all your DNS servers are IPv4-only servers.
    If you selected
    Immediate
    ,
    Secondary
    , or
    v4 Only
    , two new fields display.
  236. In the DNS Features area, in the
    IPv6 to IPv4 Prefix
    field, specify the prefix the BIG-IP system appends to all A query responses to an IPv6 request.
  237. In the
    IPv6 to IPv4 Prefix
    field, specify the prefix the BIG-IP system appends to all A query responses to an IPv6 request.
  238. In the DNS Features area, from the
    IPv6 to IPv4 Additional Section Rewrite
    list, select an option to allow improved network efficiency for both Unicast and Multicast DNS-SD responses.
    Option
    Description
    Disabled
    The BIG-IP system does not perform additional rewrite.
    v4 Only
    The BIG-IP system accepts only A records. The system appends the 96-bit user-configured prefix to a record and returns an IPv6 response to the client.
    v6 Only
    The BIG-IP system accepts only AAAA records and returns an IPv6 response to the client.
    Any
    The BIG-IP system accepts and returns both A and AAAA records. If the DNS server returns an A record in the Additional section of a DNS message, the BIG-IP system appends the 96-bit user-configured prefix to the record and returns an IPv6 response to the client.
  239. From the
    IPv6 to IPv4 Additional Section Rewrite
    list, select an option to allow improved network efficiency for both Unicast and Multicast DNS-SD responses.
    Option
    Description
    Disabled
    The BIG-IP system does not perform additional rewrite.
    v4 Only
    The BIG-IP system accepts only A records. The system appends the 96-bit user-configured prefix to a record and returns an IPv6 response to the client.
    v6 Only
    The BIG-IP system accepts only AAAA records and returns an IPv6 response to the client.
    Any
    The BIG-IP system accepts and returns both A and AAAA records. If the DNS server returns an A record in the Additional section of a DNS message, the BIG-IP system appends the 96-bit user-configured prefix to the record and returns an IPv6 response to the client.
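Steps 234 through 239 describe the DNS IPv6 to IPv4 mapping modes, the 96-bit prefix, and the Additional Section Rewrite options. The Python below is an added model of that behaviour, not F5 code and not the BIG-IP implementation: it embeds an IPv4 address in the low 32 bits of a /96 prefix (the "96-bit user-configured prefix" the tables refer to), then plays each mode over constructed upstream responses. The dictionary shape of the upstream responses, the `first` argument that stands in for "whichever response arrives first" in Immediate mode, and the sample addresses and prefix are assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def synthesize_aaaa(ipv4: str, prefix: str) -> str:
    """Return the IPv6 address formed by appending the 96-bit prefix to an IPv4 address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 96:
        raise ValueError("IPv6 to IPv4 prefix must be a /96 (96-bit) prefix")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | v4))


def resolve_aaaa(mode: str, upstream: Dict[str, Optional[str]], prefix: str,
                 first: str = "AAAA") -> Optional[str]:
    """Model the DNS IPv6 to IPv4 option for one AAAA query from a client.

    upstream maps "A" / "AAAA" to the rdata the DNS server would return, or None
    when the server does not answer that query. `first` names which of the two
    responses reaches the system first (only meaningful for Immediate)."""
    if mode == "Disabled":
        # No mapping: the client gets only what the server returns for AAAA.
        return upstream.get("AAAA")
    if mode == "Immediate":
        # Both queries go out; the first good response wins and the second is discarded.
        order = [first, "A" if first == "AAAA" else "AAAA"]
        for rrtype in order:
            rdata = upstream.get(rrtype)
            if rdata is not None:
                return rdata if rrtype == "AAAA" else synthesize_aaaa(rdata, prefix)
        return None
    if mode == "Secondary":
        # Only if the AAAA query gets no response is an A query sent.
        if upstream.get("AAAA") is not None:
            return upstream["AAAA"]
        a = upstream.get("A")
        return synthesize_aaaa(a, prefix) if a is not None else None
    if mode == "v4 Only":
        # The AAAA query is never forwarded; an A query is sent instead.
        a = upstream.get("A")
        return synthesize_aaaa(a, prefix) if a is not None else None
    raise ValueError(f"unknown DNS IPv6 to IPv4 mode {mode!r}")


def rewrite_additional(mode: str, records: List[Tuple[str, str]], prefix: str) -> List[Tuple[str, str]]:
    """Model IPv6 to IPv4 Additional Section Rewrite over (rrtype, rdata) records."""
    out: List[Tuple[str, str]] = []
    for rrtype, rdata in records:
        if mode == "Disabled":
            out.append((rrtype, rdata))
        elif mode == "v4 Only":
            if rrtype == "A":
                out.append(("AAAA", synthesize_aaaa(rdata, prefix)))
        elif mode == "v6 Only":
            if rrtype == "AAAA":
                out.append((rrtype, rdata))
        elif mode == "Any":
            if rrtype == "A":
                out.append(("AAAA", synthesize_aaaa(rdata, prefix)))
            else:
                out.append((rrtype, rdata))
        else:
            raise ValueError(f"unknown Additional Section Rewrite mode {mode!r}")
    return out


# Constructed sample data (documentation address ranges, not real servers).
SAMPLE_PREFIX = "64:ff9b::/96"
SAMPLE_UPSTREAM = {"A": "192.0.2.10", "AAAA": "2001:db8::1"}
SAMPLE_ADDITIONAL = [("A", "198.51.100.7"), ("AAAA", "2001:db8::7")]

if __name__ == "__main__":
    for mode in ("Disabled", "Immediate", "Secondary", "v4 Only"):
        print(mode, resolve_aaaa(mode, SAMPLE_UPSTREAM, SAMPLE_PREFIX, first="A"))
    for mode in ("Disabled", "v4 Only", "v6 Only", "Any"):
        print(mode, rewrite_additional(mode, SAMPLE_ADDITIONAL, SAMPLE_PREFIX))
```

The model makes the operational difference between the modes concrete: with Immediate and an IPv4-only server, the synthesized answer depends on which response arrives first, whereas Secondary always prefers a native AAAA answer and v4 Only never asks for one. A prefix that is not a /96 is rejected up front, since a wrong prefix length would silently produce unroutable synthesized addresses.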
  240. In the DNS Features area, from the
    DNS Express
    list, retain the default value
    Enabled
    .
  241. In the DNS Features area, from the
    DNS Express
    list, select
    Disabled
    .
  242. In the DNS Features area, from the
    DNSSEC
    list, select
    Enabled
    .
  243. In the DNS Features area, from the
    DNSSEC
    list, select
    Disabled
    .
  244. In the DNS Traffic area, from the
    Zone Transfer
    list, select
    Enabled
    .
  245. In the DNS Features area, from the
    Unhandled Query Actions
    list, select how you want the BIG-IP system to handle a query that is not for a wide IP or DNS Express zone.
    Option
    Description
    Allow
    The BIG-IP system forwards the query to a DNS server or a member of a pool of DNS servers. Note that if the pool is not associated with a listener and the
    Use BIND Server on BIG-IP
    option is set to
    enabled
    , queries are forwarded to the local BIND server. (Allow is the default value.)
    Drop
    The BIG-IP system does not respond to the query.
    Reject
    The BIG-IP system returns the query with the REFUSED return code.
    Hint
    The BIG-IP system returns the query with a list of root name servers.
    No Error
    The BIG-IP system returns the query with the NOERROR return code.
  246. In the DNS Features area, from the
    Unhandled Query Actions
    list, select
    Allow
    .
    The BIG-IP system forwards zone transfer requests to a DNS server or a member of a pool of DNS servers.
  247. In the DNS Features area, from the
    Use BIND Server on BIG-IP
    list, select
    Enabled
    .
    Enable this setting only when you want the system to forward non-wide IP queries to the local BIND server on BIG-IP DNS.
  248. From the
    Use BIND Server on BIG-IP
    list, select
    Enabled
    .
    Enable this setting only when you want the system to forward non-wide IP queries to the local BIND server on BIG-IP DNS.
  249. In the DNS Features area, from the
    Use BIND Server on BIG-IP
    list, select
    Disabled
    .
  250. In the DNS Features area, make a selection from the
    Use BIND Server on BIG-IP
    list.
    Option
    Description
    Enabled
    Enable this setting only when you want the system to forward non-wide IP queries to the local BIND server on the BIG-IP DNS.
    Disabled
    Disable this setting when you want the system to forward non-wide IP queries to a DNS server behind BIG-IP DNS.
  251. In the DNS Features area, make a selection from the
    Recursion Desired
    list.
    Option
    Description
    Enabled
    BIG-IP accepts DNS queries with the recursion bit set.
    Disabled
    BIG-IP does not accept DNS queries with the recursion bit set. When you configure BIG-IP to be an authoritative nameserver for an external web site, disable this option as a security measure to prevent denial of service attacks.
  252. In the DNS Features area, make a selection from the
    DNS Cache
    list.
    When you enable the
    DNS Cache
    option, you must also select a name from the
    DNS Cache Name
    list.
    Option
    Description
    Enabled
    Enable this setting when you want to cache the DNS responses handled by the virtual servers associated with this profile.
    Disabled
    Disable this setting when you want to debug the system. When you disable this setting, the profile retains the association with the DNS cache in the
    DNS Cache Name
    field, but the system does not cache DNS responses.
  253. From the
    Rate Limiting
    list, select
    Enabled
    .
    When you enable this setting, you must also select a profile from the
    Rate Limiting Profile
    list.
  254. From the
    Rate Limiting Profile
    list, select a profile based on your rate limited license.
  255. In the DNS Features area, from the
    DNS Cache
    list, select
    Enabled
    .
    When you enable the
    DNS Cache
    option, you must also select a DNS cache from the
    DNS Cache Name
    list.
  256. In the DNS Features area, from the
    DNS Cache
    list, select
    Disabled
    .
  257. In the DNS Features area, from the
    DNS Cache Name
    list, select the DNS cache that you want to associate with this profile.
    You can associate a DNS cache with a profile, even when the
    DNS Cache
    option is
    Disabled
    .
  258. In the Logging and Reporting area, from the
    Logging
    list, select
    Enabled
    .
  259. In the Logging and Reporting area, from the
    Logging
    list, select
    Disabled
    .
  260. In the Logging and Reporting area, from the
    Profile
    list, select a custom DNS Logging profile.
  261. In the Log Settings area, from the
    Logging Profile
    list, select a custom Logging profile.
  262. In the DNS Security area, from the
    Publisher
    list, select a destination to which the BIG-IP system sends DNS log entries.
  263. From the
    Log Publisher
    list, select a destination to which the BIG-IP system sends log entries.
    You can specify publishers for other DoS types in the same profile, for example, for DNS, Network, or Application DoS Protection.
  264. If you want the BIG-IP system to log all DNS queries, for the
    Log Queries
    setting, ensure that the
    Enabled
    check box is selected.
  265. If you want the BIG-IP system to log all DNS responses, for the
    Log Responses
    setting, select the
    Enabled
    check box.
  266. If you want the BIG-IP system to include the query ID sent by the client in the log messages, for the
    Include Query ID
    setting, select the
    Enabled
    check box.
  267. For
    Actions
    , select the
    Custom
    check box.
    The settings in the
    Actions
    area become available for configuring.
  268. From the
    Hosts
    list, select and configure one of the following options, as applicable:
    • Match All
    • Match Only
  269. From the
    URI Paths
    list, select and configure one of the following options, as applicable:
    • Match All
    • Match Only
  270. From the
    Headers
    list, select and configure one of the following options, as applicable:
    • Match All
    • Match Only
  271. From the
    Cookies
    list, select and configure one of the following options, as applicable:
    • Match All
    • Match Only
  272. From the
    Send To
    list, select and configure one of the following options, as applicable:
    • None
    • Pool
    • Redirect to
  273. From the
    Application Acceleration Manager
    list, select
    Accelerate
    .
    Configuring the
    HTTP Class
    profile to accelerate traffic with the Application Acceleration Manager overrides
    Web Acceleration
    profile settings on the virtual server.
  274. In the
    WebAccelerator
    list, select
    Bypass
    .
    Configuring the
    HTTP Class
    profile to bypass the
    Web Application
    application overrides
    Web Acceleration
    profile settings on the virtual server.
  275. From the
    Parent Profile
    list, select one of the following profiles:
    • httpcompression
    • wan-optimized-compression
  276. From the
    HTTP Compression Profile
    list, select one of the following profiles:
    • httpcompression
    • wan-optimized-compression
    • A customized profile
  277. For the
    File Types
    setting, specify whether you want to create a list of allowed or disallowed file types:
    • To create a list of file types that are permitted in requests, select
      Define Allowed
      .
    • To create a list of file types not permitted, select
      Define Disallowed
      .
  278. For the
    File Types
    setting, specify the file types to allow or disallow in a request:
    • Select file types from the
      Available
      list, and move them to the
      Allowed
      or
      Disallowed
      list.
    • Add a new file type: type the name in the
      File Type
      field, click
      Add
      to add it to the
      Available
      list, and move it to the list.
    If the profile is case-sensitive, the file types are case-sensitive. For example,
    jsp
    and
    JSP
    will be treated as separate file types.
  279. From the
    Web Acceleration Profile
    list, select one of the following profiles:
    • optimized-acceleration
    • optimized-caching
    • webacceleration
    • A customized profile
  280. From the
    Web Acceleration Profile
    list, select one of the following profiles with an enabled application:
    • optimized-acceleration
    • optimized-caching
    • webacceleration
    • A customized profile
  281. From the
    Request Logging
    list, select
    Enabled
    .
  282. In the
    Template
    field, type the request logging parameters for the entries that you want to include in the log file.
  283. From the
    HSL Protocol
    list, select a high-speed logging protocol.
  284. From the
    Pool Name
    list, select the pool that includes the log server as a pool member.
  285. You can also configure the error response settings.
    1. From the
      Respond On Error
      list, select
      Enabled
      .
    2. In the
      Error Response
      field, type the error response strings that you want to include in the log file.
      These strings must be well-formed for the protocol serving the strings.
    3. Select the
      Close On Error
      check box to drop the request and close the connection if logging fails.
  286. You can also configure the logging request errors settings.
    1. From the
      Log Logging Errors
      list, select
      Enabled
      .
    2. In the
      Error Template
      field, type the request logging parameters for the entries that you want to include in the log file.
    3. From the
      HSL Error Protocol
      list, select a high-speed logging error protocol.
    4. From the
      Error Pool Name
      list, select a pool that includes the node for the error logging server as a pool member.
  287. From the
    HSL Pool
    list, select the name of the remote pool of servers to which you want the BIG-IP system to send DNS log entries.
  288. In the Response Settings area, from the
    Response Logging
    list, select
    Enabled
    .
  289. Select the
    Log By Default
    check box.
    The
    Log By Default
    check box is selected by default.
  290. In the
    Template
    field, type the response logging parameters for the entries that you want to include in the log file.
  291. From the
    HSL Protocol
    list, select a high-speed logging protocol.
  292. From the
    Pool Name
    list, select the pool that includes the node log server as a pool member.
  293. Configure the logging request error settings.
    1. From the
      Log Logging Errors
      list, select
      Enabled
      .
    2. In the
      Error Template
      field, type the response logging parameters for the entries that you want to include in the log file.
    3. From the
      HSL Error Protocol
      list, select a high-speed logging error protocol.
    4. From the
      Error Pool Name
      list, select a pool that includes the node for the error log server as a pool member.
  294. For the
    WA Applications
    setting, select an application in the
    Available
    list and click
    Enable
    .
    The application is listed in the
    Enabled
    list.
  295. For the
    WA Applications
    setting, select an application in the
    Enabled
    list and click
    Disable
    .
    The Application Acceleration Manager application is listed in the
    Disabled
    list.
  296. On the Main tab, click
    Local Traffic
    Profiles
    Classification
    .
    The Classification screen opens.
  297. Scroll down to the Enforcement area.
  298. From the
    Allow Truncated Redirect
    list, select
    Enabled
    to forward HTTP traffic with missing trailing carriage returns to the client.
  299. In the
    Maximum Header Size
    field, type a size, in bytes, for the maximum acceptable size of a header.
  300. From the
    Oversize Client Header
    list, select
    Pass Through
    to pass through traffic to the server when the
    Maximum Header Size
    value is exceeded by the client.
  301. From the
    Oversize Server Header
    list, select
    Pass Through
    to pass through traffic to the client when the
    Maximum Header Size
    value is exceeded by the server.
  302. In the
    Maximum Header Count
    field, type a maximum number of headers for the system to support.
  303. From the
    Excess Client Headers
    list, select
    Pass Through
    to pass through traffic to the server when the
    Maximum Header Count
    value is exceeded by the client.
  304. From the
    Excess Server Headers
    list, select
    Pass Through
    to pass through traffic to the client when the
    Maximum Header Count
    is exceeded by the server.
  305. From the
    Pipeline Action
    list, select one of the following settings.
    Allow
    Default. Enables clients to make requests, even when prior requests have not received a response. Destination servers must include support for pipelining.
    Reject
    Rejects the request.
    Pass Through
    Provides identical functionality as the
    Allow
    setting, until a pipelined request is received, whereupon pass-through functionality becomes active. This setting works around clients and servers that break standard HTTP request-response connection handling.
  306. From the
    Unknown Method
    list, select one of the following settings.
    Allow
    Default. Allows the HTTP filter to process an unknown HTTP method.
    Reject
    Rejects HTTP traffic that includes an unknown HTTP method.
    Pass Through
    Passes through HTTP traffic that includes an unknown HTTP method.
  307. Configure the list of known methods in the
    Known Method
    list.
    Add a method to the
    Enabled Methods
    list.
    1. In the
      Add user defined method
      field, type the name of a method.
    2. Click
      Add
      . The method appears in the
      Enabled Methods
      list.
    Delete a method from the
    Enabled Methods
    list.
    1. Select a method in the
      Enabled Methods
      list.
    2. Click
      Delete
      .
    If you delete a known method from the
    Enabled Methods
    list, the BIG-IP system applies the
    Unknown Method
    setting to manage that traffic.
    Deleting a standard method, such as
    HEAD
    or
    CONNECT
    , causes BIG-IP functionality that depends on detecting that method to fail to work correctly.
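Steps 299 through 307 define how the HTTP profile enforces header size, header count and the known-method list, and what happens when a request exceeds a limit or uses a method that is not in the Enabled Methods list. The following Python is an added example of that decision logic, not F5 code and not the BIG-IP implementation: it parses a raw request head and returns the verdict the configured actions would produce. It assumes Maximum Header Size is measured per header line in bytes, that the oversize and excess actions are "Reject" or "Pass Through", that the Unknown Method actions are "Allow", "Reject" or "Pass Through", and that the default known-method list is the usual set of standard HTTP methods; the sample requests are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed default known-method list (the page names HEAD and CONNECT as examples of standard methods).
DEFAULT_KNOWN_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"]

# Stricter actions win when several checks fire on one request.
_ACTION_RANK = {"Allow": 0, "Pass Through": 1, "Reject": 2}


@dataclass
class EnforcementPolicy:
    """Subset of the HTTP profile Enforcement settings modelled here (values are assumed defaults)."""
    max_header_size: int = 32768          # Maximum Header Size, bytes per header line
    max_header_count: int = 64            # Maximum Header Count
    oversize_client_header: str = "Reject"    # Oversize Client Header: "Reject" or "Pass Through"
    excess_client_headers: str = "Reject"     # Excess Client Headers: "Reject" or "Pass Through"
    unknown_method: str = "Allow"             # Unknown Method: "Allow", "Reject" or "Pass Through"
    known_methods: List[str] = field(default_factory=lambda: list(DEFAULT_KNOWN_METHODS))


def parse_request_head(raw: bytes) -> Tuple[str, List[bytes]]:
    """Split a raw request into (method, header lines); the body after the blank line is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    return method, lines[1:]


def evaluate_request(raw: bytes, policy: EnforcementPolicy) -> Tuple[str, List[str]]:
    """Return (verdict, findings) for a client request under the policy.

    verdict is "Allow", "Reject" or "Pass Through"; findings lists every check that fired,
    which is what a detection engineer would want logged even when the verdict is Allow."""
    method, headers = parse_request_head(raw)
    verdict = "Allow"
    findings: List[str] = []

    def apply(action: str, why: str) -> None:
        nonlocal verdict
        findings.append(why)
        if _ACTION_RANK[action] > _ACTION_RANK[verdict]:
            verdict = action

    # Deleting a method from Enabled Methods makes the Unknown Method setting govern it.
    if method not in policy.known_methods:
        apply(policy.unknown_method, f"unknown method {method}")

    if len(headers) > policy.max_header_count:
        apply(policy.excess_client_headers,
              f"{len(headers)} headers exceed Maximum Header Count {policy.max_header_count}")

    for line in headers:
        if len(line) > policy.max_header_size:
            apply(policy.oversize_client_header,
                  f"header of {len(line)} bytes exceeds Maximum Header Size {policy.max_header_size}")
            break

    return verdict, findings


# Constructed sample requests (not captured traffic).
SAMPLE_OK = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: x\r\n\r\n"
SAMPLE_MANY_HEADERS = (b"GET / HTTP/1.1\r\n"
                       + b"".join(b"X-H%d: v\r\n" % i for i in range(70)) + b"\r\n")
SAMPLE_BIG_HEADER = b"GET / HTTP/1.1\r\nX-Big: " + b"a" * 40000 + b"\r\n\r\n"
SAMPLE_HEAD = b"HEAD / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    policy = EnforcementPolicy()
    for name, req in [("ok", SAMPLE_OK), ("many", SAMPLE_MANY_HEADERS),
                      ("big", SAMPLE_BIG_HEADER), ("head", SAMPLE_HEAD)]:
        print(name, evaluate_request(req, policy))
```

The last check in the tests shows the caveat from step 307 in action: once HEAD is removed from the known-method list, a plain HEAD request is handled by the Unknown Method setting, so with that setting at Reject the request is refused even though the method is standard.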
  308. From the
    Polling Interval
    list, select
    Specify
    , and type the maximum interval in seconds between polling by the sFlow agent of this profile.
  309. From the
    Sampling Rate
    list, select
    Specify
    , and type the ratio of packets observed at the virtual server associated with this profile to the samples you want the BIG-IP system to generate.
    For example, a sampling rate of 2000 specifies that one sample will be randomly generated for every 2000 packets observed.
  310. Select the
    Protocol Security
    check box.
  311. In the HTTP, FTP, and SMTP Security area, from the
    Publisher
    list, select the publisher that the BIG-IP system uses to log HTTP, FTP, and SMTP Security events.
  312. In the HTTP, FTP, and SMTP Security area, from the
    Publisher
    list, select
    local-db-publisher
    .
  313. In the DNS Security area, from the
    Publisher
    list, select the publisher that the BIG-IP system uses to log DNS Security events.
  314. In the DNS Security area, from the
    Publisher
    list, select
    local-db-publisher
    .
  315. Select the
    Log Dropped Requests
    check box, to enable the BIG-IP system to log dropped DNS requests.
  316. Select the
    Log Filtered Dropped Requests
    check box, to enable the BIG-IP system to log DNS requests dropped due to DNS query/header-opcode filtering.
    The system does not log DNS requests that are dropped due to errors in the way the system processes DNS packets.
  317. Select the
    Log Malformed Requests
    check box to enable the BIG-IP system to log malformed DNS requests.
  318. Select the
    Log Rejected Requests
    check box to enable the BIG-IP system to log rejected DNS requests.
  319. Select the
    Log Malicious Requests
    check box to enable the BIG-IP system to log malicious DNS requests.
  320. From the
    Storage Format
    list, select how the BIG-IP system formats the log.
    Option
    Description
    None
    Specifies the default format type in which the BIG-IP system logs messages to a remote Syslog server, for example:
    "management_ip_address","bigip_hostname","context_type","context_name","src_ip","dest_ip","src_port","dest_port","vlan","protocol","route_domain","acl_rule_name","action","drop_reason
    Field-List
    Allows you to:
    • Select, from a list, the fields to be included in the log.
    • Specify the order the fields display in the log.
    • Specify the delimiter that separates the content in the log. The default delimiter is the comma character.
    User-Defined
    Allows you to:
    • Select, from a list, the fields to be included in the log.
    • Cut and paste, in a string of text, the order the fields display in the log.
  321. Select the
    Network Firewall
    check box.
  322. In the Network Firewall area, from the
    Publisher
    list, select the publisher the BIG-IP system uses to log Network Firewall events.
  323. In the Network Firewall area, from the
    Publisher
    list, select the IPFIX publisher the BIG-IP system uses to log Network Firewall events.
  324. Select
    Blocked Logging
    to guarantee logging of firewall events when logging traffic load is heavy, even to the detriment of system performance.
  325. Set an
    Aggregate Rate Limit
    to define a rate limit for all combined network firewall log messages per second.
    Beyond this rate limit, log messages are not logged.
    Rate Limits are calculated per-second per TMM. Each TMM throttles as needed independently of other TMMs.
  326. In the Network Firewall area, from the
    Publisher
    list, select
    local-db-publisher
    .
  327. For the
    Log Rule Matches
    setting, select how the BIG-IP system logs packets that match ACL rules. You can select any or all of the options.
    Option
    Enables or disables logging of packets that match ACL rules configured with:
    Accept
    action=Accept
    Drop
    action=Drop
    Reject
    action=Reject
    When an option is selected, you can configure a rate limit for log messages of that type.
  328. Select the
    Log IP Errors
    check box, to enable logging of IP error packets.
    When this setting is enabled, you can configure a rate limit for log messages of this type.
  329. Select the
    Log TCP Errors
    check box, to enable logging of TCP error packets.
    When this is enabled, you can configure a rate limit for log messages of this type.
  330. Select the
    Log TCP Events
    check box, to enable logging of open and close of TCP sessions.
    When this is enabled, you can configure a rate limit for log messages of this type.
  331. In the IP Intelligence area, from the
    Publisher
    list, select the publisher that the BIG-IP system uses to log source IP addresses, which are identified and configured for logging by an IP Intelligence policy.
    The IP Address Intelligence feature must be enabled and licensed.
  332. Set an
    Aggregate Rate Limit
    to define a rate limit for all combined IP Intelligence log messages per second.
    Beyond this rate limit, log messages are not logged.
    Rate Limits are calculated per-second per TMM. Each TMM throttles as needed independently of other TMMs.
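The per-TMM, per-second accounting described for the Network Firewall limit in step 325 and for the IP Intelligence limit in step 332 is easy to misread as a box-wide cap. The following model is an added illustration, not BIG-IP code; event tuples, the TMM count and all function names are constructed assumptions. It shows that a limit of N can still let a multi-TMM system emit up to N times the TMM count per second, which matters when sizing a remote log collector.

```python
"""Constructed model of an Aggregate Rate Limit applied per TMM per second.

Assumptions of this example (not BIG-IP internals): an event is a
(timestamp_seconds, tmm_id, message) tuple, and each TMM keeps its own
counter for each whole-second window and throttles independently.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Event = Tuple[float, int, str]


def apply_aggregate_rate_limit(events: Iterable[Event],
                               limit_per_second: int) -> Tuple[List[Event], List[Event]]:
    """Return (logged, suppressed) after applying the limit per TMM per second."""
    # key: (tmm_id, whole second) -> messages already logged in that window
    counters: Dict[Tuple[int, int], int] = defaultdict(int)
    logged: List[Event] = []
    suppressed: List[Event] = []
    for ts, tmm, msg in sorted(events, key=lambda e: e[0]):
        window = (tmm, int(ts))
        if counters[window] < limit_per_second:
            counters[window] += 1
            logged.append((ts, tmm, msg))
        else:
            # beyond the limit, messages of this type are not logged
            suppressed.append((ts, tmm, msg))
    return logged, suppressed


def worst_case_box_rate(limit_per_second: int, tmm_count: int) -> int:
    """Upper bound on messages per second the whole system can emit,
    because every TMM throttles on its own counter."""
    return limit_per_second * tmm_count


def sample_events() -> List[Event]:
    """Constructed burst: five events per TMM on two TMMs inside the same
    second, then one more event on TMM 0 in the following second."""
    events: List[Event] = []
    for tmm in (0, 1):
        for i in range(5):
            events.append((10.0 + i * 0.1, tmm, f"fw drop tmm{tmm} #{i}"))
    events.append((11.2, 0, "fw drop tmm0 next-second"))
    return events


if __name__ == "__main__":
    logged, suppressed = apply_aggregate_rate_limit(sample_events(), limit_per_second=3)
    print(f"{len(logged)} logged, {len(suppressed)} suppressed")
    print("worst case for 8 TMMs at limit 100/s:", worst_case_box_rate(100, 8))
```

With a limit of 3, each TMM logs three of its five burst events and suppresses two, and the single event in the next second is logged again because the window has rolled over.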
  333. In the IP Intelligence area, from the
    Publisher
    list, select
    local-db-publisher
    .
    The IP Address Intelligence feature must be enabled and licensed.
  334. Enable the
    Log Translation Fields
    setting to log both the original IP address and the NAT-translated IP address for Network Firewall log events.
  335. Enable the
    Always Log Region
    setting to log the geographic location when a geolocation event causes a network firewall event.
  336. Enable the
    Log Translation Fields
    setting to log both the original IP address and the NAT-translated IP address for IP Intelligence log events.
  337. Enable the
    Log Geolocation IP Address
    setting to specify that when a geolocation event causes a network firewall action, the associated IP address is logged.
  338. In the Traffic Statistics area, from the
    Publisher
    list, select
    local-db-publisher
    .
  339. In the Traffic Statistics area, from the
    Publisher
    list, select the publisher that the BIG-IP system uses to log traffic statistics.
  340. For the
    Log Timer Events
    setting, enable
    Active Flows
    to log the number of active flows each second.
  341. For the
    Log Timer Events
    setting, enable
    Reaped Flows
    to log the number of reaped flows, or connections that are not established because of system resource usage levels.
  342. For the
    Log Timer Events
    setting, enable
    Missed Flows
    to log the number of packets that were dropped because of a flow table miss. A flow table miss occurs when a TCP non-SYN packet does not match an existing flow.
  343. For the
    Log Timer Events
    setting, enable
    SYN Cookie (White-listed Clients)
    to log the number of SYN cookie clients whitelisted each second.
  344. In the Logging Profile Properties, select the
    DoS Protection
    check box.
    The DoS Protection tab opens.
  345. In the DNS DoS Protection area, from the
    Publisher
    list, select the publisher that the BIG-IP system uses to log DNS DoS events.
    You can specify publishers for other DoS types in the same profile, for example, for SIP or Application DoS Protection.
  346. In the SIP DoS Protection area, from the
    Publisher
    list, select the publisher that the BIG-IP system uses to log SIP DoS events.
    You can specify publishers for other DoS types in the same profile, for example, for DNS or Application DoS Protection.
  347. On the Main tab, click
    Local Traffic
    Profiles
    Services
    ICAP
    .
  348. Click
    Create
    .
  349. On the right side of the screen, select the
    Custom
    check box.
  350. On the right side of the screen, select the
    Custom
    check box.
  351. In the
    Name
    field, type a unique name for the profile.
  352. For the
    Parent Profile
    setting, retain the default value,
    icap
    .
  353. In the
    URI
    field, type a URI in this format:
    icap://hostname:port/path
    .
    For example, using macro expansion, you can set the
    URI
    value to:
    icap://${SERVER_IP}:${SERVER_PORT}/virusScan
    .
  354. In the
    URI
    field, type a URI in this format:
    icap://hostname:port/path
    .
    For example, using macro expansion, you can set the
    URI
    value to:
    icap://${SERVER_IP}:${SERVER_PORT}/videoOptimization
    .
  355. In the
    Preview Length
    field, type a length or retain the default value
    0
    .
    This value defines the amount of the HTTP request or response that the BIG-IP system offers to the ICAP server when sending the request or response to the server for adaptation. This value should not exceed the length of the preview that the ICAP server has indicated it will accept.
  356. In the
    Header From
    field, type a value for the
    From:
    ICAP header.
  357. In the
    Host
    field, type a value for the
    Host:
    ICAP header.
  358. In the
    Referer
    field, type a value for the
    Referer:
    ICAP header.
  359. In the
    User Agent
    field, type a value for the
    User-Agent:
    ICAP header.
  360. Click
    Finished
    .
  361. On the Main tab, click
    Local Traffic
    Profiles
    Services
    Request Adapt
    .
  362. Click
    Create
    .
  363. On the right side of the screen, clear the
    Custom
    check box.
  364. In the
    Name
    field, type a unique name for the profile.
  365. For the
    Parent Profile
    setting, retain the default value,
    requestadapt
    .
  366. For the
    Enabled
    setting, retain the default value,
    Enabled
    .
    When you set this value to
    Enabled
    , the BIG-IP system forwards HTTP requests to the specified internal virtual server for adaptation.
  367. From the
    Internal Virtual Name
    list, select the name of the internal virtual server that you previously created for forwarding HTTP requests to the pool of ICAP servers.
  368. In the
    Preview Size
    field, type a numeric value.
    This specifies the maximum size of the preview buffer. This buffer holds a copy of the HTTP request header and the data sent to the internal virtual server, in case the adaptation server reports that no adaptation is needed. Setting the preview size to
    0
    disables buffering of the request and should only be done if the adaptation server always returns a modified HTTP request or the original HTTP request.
  369. In the
    Timeout
    field, type a numeric value, in seconds.
    If the internal virtual server does not return a result within the specified time, a timeout error occurs. To disable the timeout, use the value
    0
    .
  370. From the
    Service Down Action
    list, select an action for the BIG-IP system to take if the internal virtual server returns an error:
    • Select
      Ignore
      to instruct the BIG-IP system to ignore the error and send the unmodified HTTP request to an HTTP server in the HTTP server pool.
    • Select
      Drop
      to instruct the BIG-IP system to drop the connection.
    • Select
      Reset
      to instruct the BIG-IP system to reset the connection.
  371. On the Main tab, click
    Local Traffic
    Profiles
    Services
    Response Adapt
    .
  372. Click
    Create
    .
  373. On the right side of the screen, select the
    Custom
    check box.
  374. In the
    Name
    field, type a unique name for the profile.
  375. For the
    Parent Profile
    setting, retain the default value,
    responseadapt
    .
  376. For the
    Enabled
    setting, retain the default value,
    Enabled
    .
    When you set this value to
    Enabled
    , the BIG-IP system forwards HTTP responses to the specified internal virtual server for adaptation.
  377. From the
    Internal Virtual Name
    list, select the name of the internal virtual server that you previously created for forwarding HTTP responses to the pool of ICAP servers.
  378. In the
    Preview Size
    field, type a numeric value.
    This specifies the maximum size of the preview buffer. This buffer holds a copy of the HTTP response header and the data sent to the internal virtual server, in case the adaptation server reports that no adaptation is needed. Setting the preview size to
    0
    disables buffering of the response and should only be done if the adaptation server always returns a modified HTTP response or the original HTTP response.
  379. In the
    Timeout
    field, type a numeric value.
    If the internal virtual server does not return a result within the specified time, a timeout error occurs. To disable the timeout, use the value
    0
    .
  380. From the
    Service Down Action
    list, select an action for the BIG-IP system to take if the internal virtual server returns an error:
    • Select
      Ignore
      to instruct the BIG-IP system to ignore the error and send the unmodified HTTP response to an HTTP server in the HTTP server pool.
    • Select
      Drop
      to instruct the BIG-IP system to drop the connection.
    • Select
      Reset
      to instruct the BIG-IP system to reset the connection.
  381. Set the
    PVA Acceleration
    field to
    Guaranteed
    .
  382. Select the
    Loose Close
    check box only for a one-arm virtual server configuration.
  383. Set the
    TCP Close Timeout
    setting, according to the type of traffic that the virtual server will process.
  384. If you plan to use
    Late Binding
    and either of the
    Loose Initiation
    and
    Loose Close
    check boxes are enabled, clear them both.
    The
    Late Binding
    feature examines the first few packets in the FIX stream, and the
    Loose Initiation
    feature makes it possible to skip those packets without any examination.
  385. The
    Late Binding
    feature makes it possible to choose a server pool based on data in the FIX header. An iRule in the virtual server parses the FIX header and selects the server pool. Select the check box to enable
    Late Binding
    .
    1. You can allow the iRule to explicitly determine when the flow is released from Layer 7 down to Layer 4. The iRule code can then perform additional computation before binding the connection to Layer 4. Enable this by selecting the
      Explicit Flow Migration
      check box. When this feature is enabled, the flow is not released to Layer 4 until the iRule invokes the
      BIGTCP::release_flow
      command.
      By default, this is disabled and the flow drops down to Layer 4 immediately after the connection to the server is established.
    2. Use the
      Client Timeout
      field to determine how much time to allow for any client to send the first 2144 bytes of Layer 7 information. In normal cases, this amount of data arrives immediately.
    3. From the
      Timeout Recovery
      list, select an action that the profile should take in case of timeout. Select
      Disconnect
      to drop the connection summarily, or select
      Fallback
      to process the packet without parsing the Layer 7 fields. The fallback option sends any timed-out connection to the Virtual Server's default pool.
  386. For the
    Session Ticket
    setting, select or clear the check box:
    • Selecting the check box causes the BIG-IP system to use session tickets as a way to improve SSL performance.
    • Clearing the check box prevents the BIG-IP system from using session tickets.
  387. In the
    Profile Name
    field, type a name, such as
    my_rewrite_profile
    .
  388. From the
    Rewrite Mode
    list, select
    URI Translation
    .
  389. From the
    Parent Profile
    list, select
    rewrite
    .
  390. On the left pane, click
    Settings
    .
    A list of request and response settings appears on the Settings tab.
  391. In the Settings box, select or clear the appropriate check boxes.
    Using the check boxes, you can rewrite and insert headers into HTTP requests, as well as rewrite headers and content in HTTP responses.
  392. On the left pane, click
    URI Rules
    .
    An empty text box appears for displaying client-server URI mappings that you specify.
  393. In the URI Rules box, click
    Add
    .
    This displays the Create New Rewrite URI box.
  394. From the
    URI Type
    list, select a URI type.
  395. Click
    Update
    .
  396. Click
    Add
    .
  397. Click
    Add
    again.
  398. From the
    Rule Type
    list, select
    Both
    .
  399. In the
    Client URI
    box, type a client path, such as
    /sales/
    .
  400. In the
    Server URI
    box, type a server URI, such as
    http://appserver1.siterequest.com/sales/
    .
    You must include a scheme in the server URI that you specify.
    An example of a scheme is
    http
    .
  401. In the
    Client URI
    field, type a client path, such as
    /marketing/
    .
  402. In the
    Server URI
    field, type a server URI, such as
    http://appserver2.siterequest.com/marketing/
    .
    You must include a scheme in the server URI that you specify.
    An example of a scheme is
    http
    .
  403. Click
    OK
    .
    This displays a mapping of the specified client path to the associated server scheme, host, and path.
  404. In the
    Server URI
    field, type a server URI, such as
    http://appserver2.siterequest.com/sales/
    .
  405. Click
    OK
    .
  406. In the
    Name
    column, locate the Rewrite profile that you created previously and select the adjacent check box.
  407. Click the
    Edit
    button.
  408. On the Settings tab, .
    A list of settings appears.
  409. On the Main tab, click
    Local Traffic
    Profiles
    Content
    HTML
    .
  410. In the
    Profile Name
    field, type a name, such as
    my_html_profile
    .
  411. From the
    Parent Profile
    list, select
    /Common/html
    .
  412. On the left pane, click
    HTML Rules
    .
  413. Click the
    Create New
    button.
  414. Click the
    Create New Profile
    button.
  415. On the
    Create New
    button, click the right arrow.
  416. Select
    Remove Tag
    .
    The Create New Remove Tag Rule box appears.
  417. In the
    Rule Name
    field, type a name, such as
    my_remove_img_tag_rule
    .
  418. Optionally, in the
    Description
    field, type a description of the rule, such as
    Removes the img tag with the src attribute
    .
  419. On the left pane, click
    Content Settings
    .
    This displays the Content Selection Type box.
  420. In the
    Type
    box, specify the type of content you want the HTML rule to act on.
    A typical type of content to specify is
    text/html
    .
  421. On the left pane, click
    Match Settings
    .
  422. In the
    Match Tag Name
    field, type the name of the tag that you want to remove from the HTML content.
    An example of a tag to specify is the HTML
    img
    tag.
  423. In the
    Match Attribute Name
    field, type the name of the attribute associated with the tag that you specified for removal.
    An example of an attribute to specify is the
    src
    attribute for the
    img
    tag.
  424. In the
    Available Rules
    list, locate the HTML rule that you want to enable, and select the adjacent check box.
  425. Using the Move button, move the selected HTML rule to the
    Selected Rules
    list.
  426. If the access policy uses On-Demand certificate authentication, perform these substeps:
    1. From the
      Configuration
      list, select
      Advanced
      .
      Additional settings display.
    2. Select the
      Custom
      check box for
      Configuration
      .
      The settings become available.
    3. In the
      Ciphers
      field, type the name of a NATIVE cipher.
      The list of supported NATIVE ciphers includes these:
      • RC4-MD5
      • RC4-SHA
      • AES128-SHA
      • AES256-SHA
      • DES-CBC3-SHA
      • DES-CBC-SHA
      • EXP1024-RC4-MD5
      • EXP1024-RC4-SHA
      • EXP1024-DES-CBC-SHA
      • EXP-RC4-MD5
      • EXP-DES-CBC-SHA
      • NULL-MD5
      • NULL-SHA
  427. Scroll down to the Client Authentication area.
  428. From the
    SSL Forward Proxy
    list, select
    Enabled
    .
  429. In the SSL Forward Proxy area, select the
    Custom
    check box.
  430. From the
    SSL Forward Proxy Bypass
    list, select
    Enabled
    .
    When assigned to a virtual server, a client SSL profile and a server SSL profile both must specify the same value for this setting. You cannot change this setting in either profile while assigned to a virtual server. To change the
    SSL Forward Proxy Bypass
    setting, you can create new profiles and add them to the virtual server, or detach the profiles from the virtual server, update them, and assign them to the virtual server again.
    Additional settings display.
  431. From the
    Bypass Default Action
    list, select
    Intercept
    or
    Bypass
    .
    The default action applies to addresses and hostnames that do not match any entry specified in the lists that you specify. The system matches traffic first against destination IP address lists, then source IP address lists, and lastly, hostname lists. Within these, the default action also specifies whether to search the intercept list or the bypass list first.
    If you select
    Bypass
    and do not specify any additional settings, you introduce a security risk to your system.
  432. If you want to cache certificates by IP address and port number, select the
    Cache Certificate by Addr-Port
    check box.
  433. From the
    Report Log Publisher
    list, select the publisher for error messages and status reports.
  434. From the
    Message Log Publisher
    list, select the publisher for message logging.
  435. In the
    Rate Sample Interval
    field, type the sample interval, in seconds, for the message rate.
  436. From the
    Error Action
    list, select one of the following settings.
    • Don't Forward
      (default) to drop a message with errors and not forward it.
    • Drop Connection
      to disconnect the connection.
  437. Select the
    Quick Parsing
    check box to parse the basic standard fields, and validate the message length and checksum.
  438. Select the
    Response Parsing
    check box to parse the messages from the FIX server, applying the same parser configuration and error handling for the server as for the client.
  439. Select the
    Fully Parse Logon Message
    check box to fully parse the logon message, instead of using quick parsing.
  440. From the
    Sender and Tag Substitution Data Group Mapping
    list, select one of the following settings.
    Setting
    Description
    Not Configured
    (default)
    Disables the tag substitution map between sender ID and tag substitution data group.
    Specify
    Provides the
    Mapping List
    settings for you to configure as required.
    1. In the
      Sender
      field, type a sender ID that represents the identity of the firm sending the message.
      Example:
      client1
    2. In the
      Data Group
      field, type a tag substitution data group.
      Example:
      FIX_tag_map
    3. Click
      Add
      .
  441. Configure the
    Mapping List
    settings, as required.
    1. In the
      Sender
      field, type a sender ID that represents the identity of the firm sending the message.
    2. In the
      Data Group
      field, type a tag substitution data group.
    3. Click
      Add
      .
  442. In the
    Ingress Maximum
    field, type the maximum number of messages that can be held in the GTP ingress queue.
  443. From the
    STARTTLS Activation Mode
    list, select
    Require
    .
  444. From the
    STARTTLS Activation Mode
    list, select a value:
    Value
    Description
    Allow
    This value activates STARTTLS encryption for any client-side traffic that allows, but does not require, STARTTLS encryption.
    Require
    This value activates STARTTLS encryption for any client-side traffic that requires STARTTLS encryption. All messages sent to the BIG-IP system prior to STARTTLS activation are rejected with a message stating that a stronger authentication mechanism is required.
    None
    This value refrains from activating STARTTLS encryption for client-side traffic. Note that if you select this value, you can optionally create an iRule that identifies client-side traffic that requires STARTTLS encryption and then dynamically activates STARTTLS for that particular traffic.
  445. From the
    STARTTLS Activation Mode
    list, select a value:
    Value
    Description
    Allow
    This value activates STARTTLS encryption for server-side traffic that allows, but does not require, STARTTLS encryption. In this case, the BIG-IP system only activates STARTTLS for server-side traffic when the BIG-IP system has activated STARTTLS on the client side and the client has acknowledged the activation.
    Require
    This value activates STARTTLS encryption for any server-side traffic that requires STARTTLS encryption. In this case, the BIG-IP system activates STARTTLS when a successful connection is made.
    None
    This value refrains from activating STARTTLS encryption for server-side traffic. Note that if you select this value, you can optionally create an iRule that identifies server-side traffic that requires STARTTLS encryption and then dynamically activates STARTTLS for that particular traffic.
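The practical difference between the three client-side activation modes in step 444 is what happens to a client that tries to submit mail before it has issued STARTTLS. The model below is an added illustration, not BIG-IP code: the set of commands treated as acceptable before activation, the outcome labels and the rejection text are assumptions of the example (the page only says that such messages are rejected with a message stating that a stronger authentication mechanism is required).

```python
"""Constructed model of the client-side STARTTLS Activation Mode values
(Allow, Require, None). Added illustration; not BIG-IP code or output.
"""
from typing import List, Tuple

# Commands a client may legitimately send before STARTTLS (assumption of the model)
PRE_TLS_OK = {"EHLO", "HELO", "STARTTLS", "NOOP", "QUIT"}
# Constructed rejection text; the real BIG-IP wording is not shown on the page
REJECT_TEXT = "530 a stronger authentication mechanism is required"
TLS_ACTIVATED = "220 STARTTLS activated"


def _verb(line: str) -> str:
    """First word of an SMTP command line, upper-cased; empty for a blank line."""
    parts = line.split()
    return parts[0].upper() if parts else ""


def handle_session(mode: str, commands: List[str]) -> List[Tuple[str, str]]:
    """Replay one client session under a mode and return (command, outcome) pairs."""
    if mode not in ("Allow", "Require", "None"):
        raise ValueError(f"unknown STARTTLS Activation Mode: {mode}")
    tls_active = False
    results: List[Tuple[str, str]] = []
    for line in commands:
        verb = _verb(line)
        if tls_active:
            # everything after activation travels inside TLS
            results.append((line, "accepted (encrypted)"))
        elif verb == "STARTTLS":
            if mode == "None":
                # None: the system does not activate STARTTLS itself
                results.append((line, "not activated (mode None)"))
            else:
                # Allow and Require both activate when the client asks
                tls_active = True
                results.append((line, TLS_ACTIVATED))
        elif mode == "Require" and verb not in PRE_TLS_OK:
            # Require: anything sent before activation is refused
            results.append((line, REJECT_TEXT))
        else:
            results.append((line, "accepted (plaintext)"))
    return results


def plaintext_exposure(mode: str, commands: List[str]) -> List[str]:
    """Commands beyond the pre-TLS handshake set that would cross the wire in cleartext."""
    return [cmd for cmd, outcome in handle_session(mode, commands)
            if outcome == "accepted (plaintext)" and _verb(cmd) not in PRE_TLS_OK]


# Constructed session: the client tries to submit mail before, then after, STARTTLS
SAMPLE_SESSION = [
    "EHLO client.example.test",
    "MAIL FROM:<alice@example.test>",
    "STARTTLS",
    "EHLO client.example.test",
    "MAIL FROM:<alice@example.test>",
]

if __name__ == "__main__":
    for mode in ("Allow", "Require", "None"):
        print(mode, "->", plaintext_exposure(mode, SAMPLE_SESSION))
```

Run against the constructed session, Require is the only mode with no cleartext exposure: the early MAIL FROM is refused, and everything after STARTTLS is encrypted. Allow leaks the one MAIL FROM the client sent before upgrading, and None leaks both, which is the case the page suggests covering with an iRule.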
  446. Using the
    Certificate Key Chain
    setting, specify both an ECDSA and an RSA certificate key chain:
    1. From the
      Certificate
      list, select the name of a certificate with a key of type ECDSA.
    2. From the
      Key
      list, select the name of an ECDSA key.
    3. From the
      Chain
      list, select the chain that you want to include in the certificate key chain.
    4. Click
      Add
      .
    5. Repeat this process and specify an RSA certificate key chain.
  447. For the
    Certificate Key Chain
    setting, click
    Add
    .
    1. From the
      Certificate
      list, select a certificate name.
      This is the name of a certificate that you installed on the BIG-IP system. If you have neither generated a certificate request nor installed a certificate on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing certificate named
      default
      .
      If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    2. From the
      Key
      list, select the name of the key associated with the certificate specified in the previous step.
      This is the name of a key that you installed on the BIG-IP system. If you have not installed a key on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing key named
      default
      .
      If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    3. From the
      Chain
      list, select the chain that you want to include in the certificate key chain.
      A certificate chain can contain either a series of public key certificates in Privacy Enhanced Mail (PEM) format or a series of one or more PEM files. A certificate chain can contain certificates for intermediate Certificate Authorities (CAs).
      The default self-signed certificate and the default CA bundle certificate are not appropriate for use as a certificate chain.
    4. For the
      Passphrase
      field, type a string that enables access to SSL certificate/key pairs that are stored on the BIG-IP system with password protection.
      This setting is optional. For added security, the BIG-IP system automatically encrypts the pass phrase itself. This pass phrase encryption process is invisible to BIG-IP system administrative users.
    5. Click
      Add
      .
  448. For the
    Certificate Key Chain
    setting, click
    Add
    .
    1. From the
      Certificate
      list, select the name of a certificate with a key of type ECDSA.
      This is the name of a certificate that you installed on the BIG-IP system. If you have neither generated a certificate request nor installed a certificate on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing certificate named
      default
      .
      If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    2. From the
      Key
      list, select the name of an ECDSA key.
      This is the name of a key that you installed on the BIG-IP system. If you have not installed a key on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing key named
      default
      .
      If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    3. From the
      Chain
      list, select the chain that you want to include in the certificate key chain.
      A certificate chain can contain either a series of public key certificates in Privacy Enhanced Mail (PEM) format or a series of one or more PEM files. A certificate chain can contain certificates for intermediate Certificate Authorities (CAs).
      The default self-signed certificate and the default CA bundle certificate are not appropriate for use as a certificate chain.
    4. For the
      Passphrase
      field, type a string that enables access to SSL certificate/key pairs that are stored on the BIG-IP system with password protection.
      This setting is optional. For added security, the BIG-IP system automatically encrypts the pass phrase itself. This pass phrase encryption process is invisible to BIG-IP system administrative users.
    5. Click
      Add
      .
  449. Click
    Add
    and repeat the process for all certificate key chains that you want to specify. At a minimum, you must specify an RSA certificate key chain.
    Sample configuration with three key types specified
    The result is that all specified key chains appear in the text box.
  450. For the
    OCSP Stapling
    setting, select the check box.
    This setting is optional. To enable OCSP stapling, you must first create an OCSP Stapling profile.
  451. Using the
    Certificate Key Chain
    setting, specify a certificate key chain:
    1. From the
      Certificate
      list, select a certificate name.
      This is the name of an RSA certificate that you installed on the BIG-IP system. If you have neither generated a certificate request nor installed a certificate on the BIG-IP system, you can specify the name of an existing certificate,
      default
      .
    2. From the
      Key
      list, select a key name.
      This is the name of an RSA key that you installed on the BIG-IP system. If you have not installed a key on the BIG-IP system, you can specify the name of an existing key,
      default
      .
    3. From the
      Chain
      list, select the chain that you want to include in the certificate key chain.
      A certificate chain can contain either a series of public key certificates in Privacy Enhanced Mail (PEM) format or a series of one or more PEM files. A certificate chain can contain certificates for intermediate Certificate Authorities (CAs).
      The default self-signed certificate and the default CA bundle certificate are not appropriate for use as a certificate chain.
    4. For the
      Passphrase
      field, type a string that enables access to the SSL certificate/key pair.
      This setting is optional. For added security, the BIG-IP system automatically encrypts the pass phrase itself. This pass phrase encryption process is invisible to BIG-IP system administrative users.
    5. Click
      Add
      .
      The result is that the specified key chain appears in the text box.
  452. From the
    Configuration
    list, select
    Advanced
    .
  453. For the
    Ciphers
    setting, click
    Cipher Group
    , and from the list, choose a cipher group.
  454. For the
    Ciphers
    setting, specify a cipher group or cipher string by choosing one of these options.
    If you specified an ECDSA certificate key chain in the
    Certificate Key Chain
    setting, you must include the cipher string
    ECDHE_ECDSA
    in the cipher group or cipher string that you specify in the
    Ciphers
    setting. (At a minimum, you should specify a cipher group or string such as
    DEFAULT:ECDHE_ECDSA
    .) This is necessary to ensure successful cipher negotiation when the BIG-IP system is offered an ECDSA-based certificate only.
    Option
    Description
    Cipher Group
    Select an existing cipher group from the list when you want to use a system-defined or custom cipher group to define the ciphers that the BIG-IP system uses for negotiating SSL connections. Here's an example of the
    Ciphers
    setting where we've selected a custom cipher group that we created earlier.
    Cipher String
    Type a cipher string in the box if you want to manually specify a cipher string instead of selecting a cipher group. For security and performance reasons, consider following these recommendations:
    • Always append ciphers to the
      DEFAULT
      cipher string.
    • Type a cipher string that includes the ECC key type, because its shorter length speeds up encryption and decryption while still offering virtually the same level of security.
    • Disable ADH ciphers but also include the keyword
      HIGH
      . To do this, just include both
      !ADH
      and
      :HIGH
      in your cipher string.
    • For AES, DES, and RC4 encryption types, make sure you specify the DHE key exchange method. DHE uses
      Forward Secrecy
      , which creates a key that it throws away after each session so that the same session key never gets used twice. When you use DHE, make sure that the SSL private key isn't being shared with a monitoring system or a security device like an intrusion detection or prevention system. Also, diagnostic tools like
      ssldump
      won't work when you're using Forward Secrecy.
    • Disable EXPORT ciphers by including
      !EXPORT
      in the cipher string.
    • If you can remove support for the SSLv3 protocol version, do it; SSLv3 is not secure. Include
      :!SSLv3
      in any cipher string you type.
    Here's an example of the
    Ciphers
    setting where we have opted to manually type the cipher string
    DEFAULT:ECDHE-RSA-AES128-GCM-SHA256:!ADH:!EXPORT:HIGH
    :
  455. For the
    Ciphers
    setting, click
    Cipher Group
    and from the list, select a custom cipher group.
    This shows a custom cipher group selected for the
    Ciphers
    setting:
  456. For the
    Ciphers
    setting, click
    Cipher Group
    and from the list, select a cipher group.
  457. To specify DHE ciphers:
    1. From the
      Configuration
      list, select
      Advanced
      .
    2. For the
      Ciphers
      setting, click
      Cipher String
      and type
      DHE:DHE_DSS
      .
  458. To specify ECDHE ciphers:
    1. From the
      Configuration
      list, select
      Advanced
      .
    2. In the
      Ciphers
      field, type
      ECDHE
      .
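    The recommendations for typed cipher strings above are easy to get subtly wrong, so here is an added example (not F5 code) that checks a cipher string against them before it goes into a profile. It assumes the keyword grammar the text uses: colon-separated entries, a plain entry includes a suite or keyword, and a leading "!" excludes it permanently; it also flags the consequence of that permanence, namely that naming a cipher again after its own "!" does nothing.

```python
"""Policy checks for a BIG-IP style cipher string, encoding the
recommendations above. Added example, not F5 code. Assumed grammar (as
the text uses it): entries are colon-separated; an entry names a cipher
suite or keyword to include; a leading "!" excludes it permanently."""

# Bulk ciphers the text says must be paired with a DHE (or ECDHE) key exchange.
BULK_NEEDING_DHE = ("AES", "DES", "RC4")
FORWARD_SECRET_KX = ("DHE", "ECDHE")


def parse_entries(cipher_string):
    """Split a cipher string into (is_excluded, name) pairs, in order."""
    entries = []
    for raw in cipher_string.split(":"):
        raw = raw.strip()
        if raw:
            entries.append((raw.startswith("!"), raw.lstrip("!")))
    return entries


def audit_cipher_string(cipher_string):
    """Return the recommendations the string does not follow (an empty
    list means it follows all of them)."""
    entries = parse_entries(cipher_string)
    included = [name for is_excl, name in entries if not is_excl]
    excluded = {name for is_excl, name in entries if is_excl}
    findings = []

    if not included or included[0] != "DEFAULT":
        findings.append("start from DEFAULT and append ciphers to it")
    if not any(n.startswith("ECDHE") or "ECDSA" in n for n in included):
        findings.append("include an ECC key type such as ECDHE_ECDSA or an ECDHE-* suite")
    if "ADH" not in excluded:
        findings.append("disable anonymous DH with !ADH")
    if "HIGH" not in included:
        findings.append("include the HIGH keyword")
    if "EXPORT" not in excluded:
        findings.append("disable export-grade suites with !EXPORT")
    if "SSLv3" not in excluded:
        findings.append("disable SSLv3 with !SSLv3")

    # Static-RSA (or static DH/ECDH) suites for these bulk ciphers have no forward secrecy.
    for name in included:
        if any(b in name for b in BULK_NEEDING_DHE) and not name.startswith(FORWARD_SECRET_KX):
            findings.append(f"{name}: specify DHE or ECDHE key exchange for AES/DES/RC4 suites")

    # "!" is permanent: naming the same cipher again later in the string has no effect.
    seen_excluded = set()
    for is_excl, name in entries:
        if is_excl:
            seen_excluded.add(name)
        elif name in seen_excluded:
            findings.append(f"{name} appears after !{name} and has no effect")
    return findings


if __name__ == "__main__":
    for s in ("DEFAULT:ECDHE-RSA-AES128-GCM-SHA256:!ADH:!EXPORT:HIGH",
              "AES128-SHA:RC4-SHA"):
        print(s, "->", audit_cipher_string(s) or "ok")
```

    This is a static check only. On the BIG-IP itself, `tmm --clientciphers 'DEFAULT:...'` lists the suites a string actually expands to; run both before committing a string to a profile.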
  459. Configure all profile settings as needed.
  460. Click
    Finished
    .
  461. From the
    Persistence Type
    list, select
    SSL
    .
  462. Configure settings as needed.
  463. From the
    General Properties
    list, select
    Advanced
    .
  464. In the
    Name
    field, type a unique name for the OCSP stapling profile.
  465. In the
    Proxy Server Pool/DNS Resolver
    field, select the proxy server pool/DNS resolver used for fetching the OCSP response.
  466. For the
    Use Proxy Server
    check box, select one of the following options:
    Option
    Description
    Select
    If you want the BIG-IP system to use the
    Proxy Server Pool
    . Use when there are one or more servers that can proxy an HTTP request to an external server and fetch the response.
    Clear (default)
    If you want to use the
    DNS Resolver
    . Use when the OCSP responder can be reached on one of the BIG-IP interfaces.
  467. In the
    Trusted Certificate Authorities
    field, select the name of the file containing a trusted Certificate Authority (CA) certificate used to sign the responder's certificate.
  468. In the
    Trusted Responders
    field, select the name of a certificate to use to verify the response from the OCSP responder.
  469. In the
    Responder URL
    field, type the URL to use instead of the OCSP responder URL obtained from the certificate's AIA extension. This must be an HTTP or HTTPS URL.
  470. In the
    Signer Certificate
    field, select a certificate corresponding to the key used for signing the OCSP request.
  471. In the
    Signer Key
    field, select a key to use to sign an OCSP request.
  472. In the
    Signer Key Passphrase
    field, type the passphrase of the key used to sign an OCSP request.
  473. In the
    Sign Hash
    field, select the hash algorithm used to sign an OCSP request. The default is
    SHA256
    .
    This is the hash for the request signature, not the algorithm used in the certificate itself; the OCSP responder uses it to verify the signed request.
  474. In the
    Timeout
    field, type a time interval for the BIG-IP system to wait before dropping the connection to the OCSP responder.
  475. In the
    Clock Skew
    field, type a value for the maximum tolerable absolute difference between the clocks of the responder and the BIG-IP system.
  476. In the
    Status Age
    field, type the maximum age, in seconds, of an OCSP response that the BIG-IP system accepts. If you type
    0
    , the age check is skipped and a response is accepted however old it is, provided it is otherwise valid. The default value is
    86400
    .
  477. In the
    Cache Timeout
    field, select a value that specifies the lifetime of the OCSP response. The default is
    Indefinite
    , indicating that the response validity period takes precedence.
  478. In the
    Cache Error Timeout
    field, type a value for how long a BIG-IP system will cache an error response.
  479. In the
    Options
    field, if necessary, select the
    Strict Responder Certificate Checking
    check box for the system to check the responder's certificate for the OCSP signing extension.
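    The Clock Skew, Status Age and Cache Timeout settings above interact, and the effect of a 0 Status Age is easy to underestimate. The following is an added example, not BIG-IP code, that shows how a fetched OCSP response is judged under those settings. The accept/reject rules follow OpenSSL's OCSP_check_validity(), which these settings mirror; treating Status Age 0 as "skip the age check" follows the text. All timestamps are constructed.

```python
"""How the Clock Skew, Status Age and Cache Timeout settings decide whether
a fetched OCSP response is accepted and for how long it is cached.
Added example, not BIG-IP code: the accept/reject rules follow OpenSSL's
OCSP_check_validity(); a Status Age of 0 skips the age check as the
profile documentation states. Timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class OcspTimes:
    this_update: datetime            # thisUpdate from the OCSP response
    next_update: Optional[datetime]  # nextUpdate; may be absent


def check_validity(resp, now, clock_skew=300, status_age=86400):
    """Return (accepted, reason). clock_skew and status_age are in seconds."""
    skew = timedelta(seconds=clock_skew)
    if resp.this_update > now + skew:
        return False, "thisUpdate is in the future beyond the Clock Skew tolerance"
    if status_age > 0 and resp.this_update < now - skew - timedelta(seconds=status_age):
        return False, "response is older than Status Age allows"
    if resp.next_update is not None:
        if resp.next_update < resp.this_update:
            return False, "nextUpdate precedes thisUpdate (malformed response)"
        if resp.next_update < now - skew:
            return False, "response has expired (nextUpdate is in the past)"
    return True, "ok"


def cache_lifetime(resp, now, cache_timeout=None):
    """Seconds an accepted response may be served from cache. cache_timeout
    None stands for Indefinite: the response's own validity period governs."""
    remaining = None
    if resp.next_update is not None:
        remaining = max(0, int((resp.next_update - now).total_seconds()))
    if cache_timeout is None:
        return remaining
    return cache_timeout if remaining is None else min(cache_timeout, remaining)


if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    stale = OcspTimes(now - timedelta(days=2), now + timedelta(hours=1))
    print(check_validity(stale, now))                # rejected: older than Status Age
    print(check_validity(stale, now, status_age=0))  # accepted: age check skipped
```

    To confirm that a virtual server actually staples a response once the profile is attached, connect with `openssl s_client -connect HOST:443 -servername HOST -status </dev/null` (HOST being your virtual server's name) and look for "OCSP Response Status: successful" in the output.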
  480. Click
    Create
    .
    The New SIP Profile screen opens.
  481. Select the
    SIP Firewall
    check box.
    When enabled, the SIP Security settings configured in the protection profile apply to the protected objects that use this profile.
  482. If you want to enable optional subscriber ID logging:
    1. Select the
      Network Address Translation
      check box.
    2. Then in the Network Address Translation area, select the
      Log Subscriber ID
      check box.
    3. Click
      Network Firewall
      .
  483. In the Logging Profile Properties area, select the
    Network Firewall
    check box.
  484. Select the
    Network Firewall
    check box.
  485. On the Main tab, click
    Local Traffic
    Profiles
    Message Routing
    MQTT
    .
    The MQTT list screen opens.
  486. Click
    Create
    .
    The New MQTT Session profile screen opens.
  487. In the
    Name
    field, type a unique name for the MQTT session profile.
  488. From the
    Parent Profile
    list, select a profile from which the new profile inherits properties.
  489. From the
    Parent Profile
    ,
    Client ID Prefix
    , and
    Keepalive Interval
    lists, retain the default settings.
  490. For the
    Keepalive Interval
    setting, retain the default, or type the keepalive interval, in seconds, that the BIG-IP system sends in the
    MQTT CONNECT
    message on the server-side connection.
    The default is
    60
    seconds.
  491. Click
    Transport Config
    .
    The Transport Config list screen opens.
  492. Click
    Peers
    .
    The Peers list screen opens.
  493. Click
    Static Routes
    .
    The Static Routes list screen opens.
  494. On the menu bar, click
    Router Profiles
    .
    The Router Profiles list screen opens.
  495. Click
    Create
    .
    The New Transport Config screen opens.
  496. Click
    Create
    .
    The New Peer screen opens.
  497. Click
    Create
    .
    The New Route screen opens.
  498. Click
    Create
    .
    The New MQTT Router Profile screen opens.
  499. In the
    Name
    field, type a unique name for the Transport Config profile.
  500. In the
    Name
    field, type a unique name for the Peer profile.
  501. In the
    Name
    field, type a unique name for the Route profile.
  502. In the
    Name
    field, type a unique name for the Router profile.
  503. For the
    Profiles
    setting, select the profile(s) you want from the
    Available
    list, and move them to the
    Selected
    list.
  504. In the Settings area, for the
    Client ID Prefix
    field, type a prefix to add to the
    client-id
    for the server-side connection.
  505. For the
    iRules
    setting, select the name of the server-side iRule from the
    Available
    list, and move it to the
    Selected
    list.
  506. If you want to use peered client-side and server-side connections, select the
    Peered Session Mode
    check box.
    By default the check box is cleared and connections are not peered; the BIG-IP system uses MQTT message routing instead.
  507. In the
    Proxy Topic Prefix
    field, type a prefix to add to the MQTT topics sent on the server-side connection.
  508. From the
    Client Will Handling Mode
    list:
    • To disable forwarding of the client will message, select
      Ignore
      .
    • To control the
      will
      action for the ungraceful shutdown of the client-side connection, retain the default.
    The default is
    Send-Local-Copy
    .
  509. From the
    Server Will Handling Mode
    list:
    • To exclude the server-side connection from will handling, select
      Ignore
      .
    • To control the
      will
      action for the ungraceful shutdown of the server-side connection, retain the default.
    The default is
    Copy-From-Client
    .
  510. Retain the default settings for the remaining settings in the Configuration area.
  511. From the
    Pool
    list, select the name of the pool you created previously.
  512. From the
    Transport Config
    list, select the name of the Transport Config you created previously.
  513. From the
    Virtual Server
    list, select the name of the virtual server you created previously.
  514. From the
    Peer
    list, select the name of a peer you created previously.
  515. From the
    Static Route
    list, select the name of a static route you created previously.
  516. Click
    Finished
    .
    The screen refreshes, and you see the new Transport Config profile in the Transport Config list.
  517. Click
    Finished
    .
    The screen refreshes, and you see the new MQTT session profile in the MQTT list.
  518. Click
    Finished
    .
    The screen refreshes, and you see the new Peer profile in the Peers list.
  519. Click
    Finished
    .
    The screen refreshes, and you see the new Route profile in the Static Routes list.
  520. Click
    Finished
    .
    The screen refreshes, and you see the new Router profile in the Router Profiles list.
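    The MQTT session profile steps above (Client ID Prefix, Keepalive Interval, Proxy Topic Prefix, Server Will Handling Mode) each change specific bytes on the server-side connection. Here is an added example, not BIG-IP code, with a minimal MQTT 3.1.1 encoder/decoder that applies those settings to a client's CONNECT and PUBLISH packets so the rewrite is visible. Treating Copy-From-Client as "copy the client's will into the server-side CONNECT" and Ignore as "send no will on the server side" is our reading of the two modes as described above; the packets are constructed.

```python
"""Server-side rewriting of MQTT 3.1.1 CONNECT and PUBLISH packets in the
manner of an MQTT session profile: Client ID Prefix, Keepalive Interval,
Proxy Topic Prefix and Server Will Handling Mode. Added example with a
hand-rolled encoder/decoder; not BIG-IP code."""
import struct


def _enc_len(n):
    # MQTT "remaining length": 7 data bits per byte, high bit means more follows.
    out = bytearray()
    while True:
        n, b = divmod(n, 128)
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _dec_len(buf, i):
    value, mult = 0, 1
    while True:
        b = buf[i]
        i += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, i
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")


def _s(text):                      # length-prefixed UTF-8 string
    data = text.encode()
    return struct.pack("!H", len(data)) + data


def _rs(buf, i):                   # read a length-prefixed string at offset i
    (n,) = struct.unpack_from("!H", buf, i)
    return buf[i + 2:i + 2 + n].decode(), i + 2 + n


def build_connect(client_id, keepalive=60, will=None, clean_session=True):
    """CONNECT packet. will = (topic, message) with QoS 0, or None."""
    flags = 0x02 if clean_session else 0x00
    payload = _s(client_id)
    if will:
        flags |= 0x04                          # Will Flag
        payload += _s(will[0]) + _s(will[1])
    body = _s("MQTT") + bytes([0x04, flags]) + struct.pack("!H", keepalive) + payload
    return b"\x10" + _enc_len(len(body)) + body


def parse_connect(pkt):
    if pkt[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    _, i = _dec_len(pkt, 1)
    proto, i = _rs(pkt, i)
    level, flags = pkt[i], pkt[i + 1]
    if proto != "MQTT" or level != 4:
        raise ValueError("not MQTT 3.1.1")
    (keepalive,) = struct.unpack_from("!H", pkt, i + 2)
    client_id, i = _rs(pkt, i + 4)
    will = None
    if flags & 0x04:
        topic, i = _rs(pkt, i)
        msg, i = _rs(pkt, i)
        will = (topic, msg)
    return {"client_id": client_id, "keepalive": keepalive, "will": will}


def build_publish(topic, payload, qos=0, packet_id=1):
    body = _s(topic)
    if qos:
        body += struct.pack("!H", packet_id)   # packet identifier only for QoS 1/2
    return bytes([0x30 | (qos << 1)]) + _enc_len(len(body + payload)) + body + payload


def parse_publish(pkt):
    if (pkt[0] & 0xF0) != 0x30:
        raise ValueError("not a PUBLISH packet")
    qos = (pkt[0] >> 1) & 0x03
    n, i = _dec_len(pkt, 1)
    end = i + n
    topic, i = _rs(pkt, i)
    if qos:
        i += 2
    return {"topic": topic, "qos": qos, "payload": pkt[i:end]}


def rewrite_connect(client_pkt, client_id_prefix, keepalive, server_will_mode="Copy-From-Client"):
    """Server-side CONNECT: prefixed client-id, the profile's keepalive, and the
    client's will copied (Copy-From-Client) or dropped (Ignore)."""
    c = parse_connect(client_pkt)
    will = c["will"] if server_will_mode == "Copy-From-Client" else None
    return build_connect(client_id_prefix + c["client_id"], keepalive, will)


def rewrite_publish(client_pkt, topic_prefix):
    """Server-side PUBLISH with the Proxy Topic Prefix applied."""
    p = parse_publish(client_pkt)
    return build_publish(topic_prefix + p["topic"], p["payload"], p["qos"])
```

    Comparing `parse_connect(client)` with `parse_connect(rewrite_connect(client, ...))` shows exactly what the broker sees: only the client identifier, keepalive and will differ, which is also what to look for in a packet capture on the server side when a profile does not behave as expected.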