Applies To:
- 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
Configuring PEM with Local Traffic Policies
Overview: Creating local traffic policy rules for PEM
About strategies for local traffic policy matching
all-match strategy starts the actions for all rules in the Rules list that match.
In an all-match strategy, when multiple rules match, but specify conflicting actions, only the action of the best-match rule is implemented. A best-match rule can be the lowest ordinal, the highest priority, or the first rule that matches in the Rules list.
best-match strategy selects and starts the actions of the rule in the Rules list with the best match, as determined by the following factors.
In a best-match strategy, when multiple rules match and specify an action, conflicting or otherwise, only the action of the best-match rule is implemented. A best-match rule can be the lowest ordinal, the highest priority, or the first rule that matches in the Rules list.
first-match strategy starts the actions for the first rule in the Rules list that matches.
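The following added example (not F5 code and not part of the original page) models the three strategies in Python to show which actions take effect when two matching rules specify conflicting actions. The rule and request structures, the action names, and the best-match ranking used here (more conditions, then longer matched values, then lowest ordinal) are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    ordinal: int
    name: str
    conditions: list   # (operand, condition, value) tuples; all must match
    actions: dict      # target -> action, e.g. {"cache": "enable"}

OPS = {
    "ends-with": lambda field, value: field.endswith(value),
    "contains": lambda field, value: value in field,
}

def matches(rule, request):
    return all(OPS[cond](request.get(operand, ""), value)
               for operand, cond, value in rule.conditions)

def best_key(rule):
    # Assumed ranking: more conditions, then longer matched values, then lowest ordinal.
    return (-len(rule.conditions),
            -sum(len(value) for _, _, value in rule.conditions),
            rule.ordinal)

def evaluate(rules, request, strategy):
    """Return the target -> action map that takes effect for this request."""
    hits = [r for r in sorted(rules, key=lambda r: r.ordinal) if matches(r, request)]
    if not hits:
        return {}
    if strategy == "first-match":
        return dict(hits[0].actions)
    ranked = sorted(hits, key=best_key)
    if strategy == "best-match":
        return dict(ranked[0].actions)
    if strategy == "all-match":
        effective = {}
        for rule in reversed(ranked):  # best-ranked rule is applied last, so it wins conflicts
            effective.update(rule.actions)
        return effective
    raise ValueError(f"unknown strategy: {strategy}")

# Constructed sample rules and request; operand values are taken from this page's examples.
RULES = [
    Rule(1, "any-f5-host", [("http-host", "ends-with", "f5.com")],
         {"cache": "disable", "compress": "enable"}),
    Rule(2, "f5-host-with-cipher",
         [("http-host", "ends-with", "f5.com"),
          ("client-ssl-cipher", "contains", "AES128-GCM-SHA256")],
         {"cache": "enable"}),
]
REQUEST = {"http-host": "www.f5.com", "client-ssl-cipher": "ECDHE-RSA-AES128-GCM-SHA256"}
```

With these rules, first-match applies only rule 1, best-match applies only rule 2, and all-match applies both but resolves the conflicting cache action in favor of rule 2.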
About creating custom local traffic policy rules for CE profile
Creating custom local traffic policy for PEM
- On the Main tab, click. For more information about local traffic policies, refer to BIG-IP Local Traffic Manager: Implementations. The Policy List screen opens.
- Click Create. The New Policy List screen opens.
- In the Policy Name field, type a unique name for the policy, for example companyA.
- In the Description field, type descriptive text that identifies the policy definition.
- From the Strategy list, select the action that is executed when there are multiple rules that match.

  | Rule | Description |
  | --- | --- |
  | All | Uses the first or best strategy to resolve the conflict of rule match. |
  | Best | Applies the actions of the rule specified in the list of defined strategies for the associated policy. |
  | First | Applies the actions of only the first rule. This implies that the rule with the lowest ordinal, highest priority or first in the list is executed. |

- From the Type list, select the CE Profile to create a custom signature.
- Click Create Policy to create a policy that manages traffic assigned to a virtual server.
- Click the down arrow for Save Draft. Select Save Draft Policy to save the policy as a draft or Save and Publish policy to publish a policy and assign it to a virtual server. You should be able to create a rule for the Draft Policies list.
- Click the name of the draft policy you just created. The Draft Policy screen opens.
- From the Rules list, select Create. The New Rule screen opens.
- In the Name field, type a unique name for the rule.
- In the Description field, type descriptive text that identifies the rule definition.
- In Match all of the following conditions, click + and specify the conditions. For example, select Client SSL, cipher, contains and type COMPAT:AES128-GCM-SHA256, request.
- In Do the following when the traffic is matched, click + and specify the actions: For example, select Enable, cache, at request.
Creating custom local traffic policy rules for PEM
- On the Main tab, click. The Strategy List screen opens.
- Click Create. The New Strategy List screen opens.
- In the Name field, type a unique name for the strategy definition.
- In the Operands area, define the application traffic to which this rule applies. Specify these values and use default values for the remainder.
- From the Operand list, select http-host.
- From the Event list, select request.
- From the Selector list, select all.
- From the Condition list, select ends-with.
- Type the value; for example, f5.com.
Creating a virtual server for SSL traffic policy enforcement
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- For a network, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
- In the Service Port field, type 443 or select HTTPS from the list.
- From the Configuration list, select Advanced.
- From the Classification list, select Enabled, for the BIG-IP system to enable classification for virtual servers when a policy enforcement listener is created.
- From the Policy Enforcement Profile list, select the name of the policy enforcement profile that you previously created.
- From the Default Persistence Profile list, select ssl. This implements simple persistence, using the default ssl profile.
- In the Policies area, click the Manage button.
- For the Policies setting, from the Available list, select the name of the iRule that you want to assign, and use the buttons to move the name into the Enabled list.