Manual Chapter : Configuring PEM with Local Traffic Policies

Applies To:


BIG-IP LTM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1

BIG-IP PEM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0
Configuring PEM with Local Traffic Policies

Overview: Creating local traffic policy rules for PEM

When you use Policy Enforcement Manager (PEM), you can create a policy and attach it to the traffic policy preset (ce_pem). In the LTM classification profile (classification_pem), the preset should be ce_pem. The virtual server should have a classification profile and an SPM profile.
Local traffic policies can include multiple rules. Each rule defines a signature: it consists of a condition and the actions to perform if the condition holds. Multiple signatures can be assigned to one policy, so you can create a local traffic policy that works with PEM and includes multiple rules that do different things depending on the conditions you set up. In this type of CE policy, each rule can include an application, a category, or both. The application and category can be either custom or predefined applications and categories.

Task Summary

About strategies for local traffic policy matching

Each BIG-IP local traffic policy requires a matching strategy to determine which rule applies if more than one rule matches.
The BIG-IP local traffic policies provide three predefined policy matching strategies: a first-match, best-match, and all-match strategy. Each policy matching strategy prioritizes rules according to the rule's position within the Rules list.
As needed, you can create a user-defined best-match strategy to customize the precedence (order of preference) of added operands and selectors. For example, to meet your preferred operand and selector combinations, you might create a user-defined best-match strategy that changes the precedence of added operands and selectors, compared to the predefined best-match strategy.
In a best-match or first-match strategy, a rule without conditions becomes the default rule, when the rule is the last entry in the Rules list.
Policy matching strategies

all-match strategy: An all-match strategy starts the actions for all rules in the Rules list that match. In an all-match strategy, when multiple rules match but specify conflicting actions, only the action of the best-match rule is implemented. A best-match rule can be the lowest ordinal, the highest priority, or the first rule that matches in the Rules list.

best-match strategy: A best-match strategy selects and starts the actions of the rule in the Rules list with the best match, as determined by the following factors.
  1. A best-match strategy selects the rule with the most conditions, ignoring details about the conditions.
  2. If a rule with the most conditions is not determined, then the best-match strategy selects the rule with the highest priority condition types. The best-match strategy sorts the condition types, highest priority first, comparing one at a time until a higher priority is found. For example, a priority sequence of 0,1,3,4,6 wins over 0,1,3,5,7 because 4 is a higher priority than 5.
  3. If a rule with the highest priority condition types is not determined, then the best-match strategy selects the rule with equal match types over other match types, such as starts-with, ends-with, or contains, and processes according to condition type priority.
  4. If a rule of equal match types is not determined, then the best-match strategy uses an ordinal (the precedence of the operand).
In a best-match strategy, when multiple rules match and specify an action, conflicting or otherwise, only the action of the best-match rule is implemented. A best-match rule can be the lowest ordinal, the highest priority, or the first rule that matches in the Rules list.

first-match strategy: A first-match strategy starts the actions for the first rule in the Rules list that matches.
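To make the precedence rules above concrete, here is an added Python model of the three strategies. It is not F5 code: condition types are represented by their priority numbers, and the rules, priorities and match results in demo() are constructed for illustration.

```python
from dataclasses import dataclass, field
# Condition types are modelled by their priority number (lower = higher priority);
# the manual's example says 0,1,3,4,6 wins over 0,1,3,5,7 because 4 outranks 5.
@dataclass
class Condition:
    priority: int   # condition-type priority
    match: str      # "equals", "starts-with", "ends-with" or "contains"
    matched: bool   # constructed: whether the condition holds for this request

@dataclass
class Rule:
    name: str
    ordinal: int    # position in the Rules list (0 = first)
    conditions: list = field(default_factory=list)

def rule_matches(rule):
    # A rule with no conditions always matches; placed last it is the default rule.
    return all(c.matched for c in rule.conditions)

def best_match_key(rule):
    # Manual's tie-break order: most conditions, then highest-priority condition
    # types compared one at a time, then equal over other match types, then ordinal.
    priorities = sorted(c.priority for c in rule.conditions)
    equals = sum(1 for c in rule.conditions if c.match == "equals")
    return (-len(rule.conditions), priorities, -equals, rule.ordinal)  # smaller is better

def first_match(rules):
    for rule in sorted(rules, key=lambda r: r.ordinal):
        if rule_matches(rule):
            return rule
    return None

def best_match(rules):
    matching = [r for r in rules if rule_matches(r)]
    return min(matching, key=best_match_key) if matching else None

def all_match(rules):
    # Every matching rule fires; on conflicting actions the best-match rule
    # (index 0 of the returned list) is the one whose action is implemented.
    return sorted((r for r in rules if rule_matches(r)), key=best_match_key)

def demo():
    # Constructed rules; priorities and match types are illustrative only.
    a = Rule("five-a", 2, [Condition(p, "contains", True) for p in (0, 1, 3, 4, 6)])
    b = Rule("five-b", 1, [Condition(p, "contains", True) for p in (0, 1, 3, 5, 7)])
    c = Rule("no-match", 0, [Condition(0, "equals", True), Condition(2, "equals", False)])
    default = Rule("default", 3)  # no conditions and last in the list
    rules = [c, b, a, default]
    return {"first": first_match(rules).name, "best": best_match(rules).name,
            "all": [r.name for r in all_match(rules)]}
```

Note that first-match picks five-b because it is earlier in the list, while best-match picks five-a on the priority-sequence tie-break, which is exactly the difference the table describes.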

About creating custom local traffic policy rules for CE profile

Classification signatures are added as rules in the local traffic policy. The classification signatures can be used for many standard categories and applications. In addition, you can create custom categories and applications. When you use Policy Enforcement Manager (PEM), you can create a policy and attach it to the traffic policy preset (ce_pem). In the LTM classification profile (classification_pem), the preset should be ce_pem. The virtual server should have a classification profile and an SPM profile.
Local traffic policies can include multiple rules. Each rule defines a signature: it consists of a condition and the actions to perform if the condition holds. Multiple signatures can be assigned to one policy, so you can create a local traffic policy that works with PEM and includes multiple rules that do different things depending on the conditions you set up. In this type of CE policy, each rule can include an application, a category, or both. The application and category can be either custom or predefined applications and categories.

Task Summary

Creating custom local traffic policy for PEM

Before you modify rules on existing policies, you must set up an application or category (Traffic Intelligence > Classification).
You can add rules to define conditions and run specific actions for different types of application traffic in Policy Enforcement Manager (PEM). For example, if you create an application signature for company A and want to handle traffic from company A's website, you can perform actions such as bandwidth control, or disable Gate status from PEM. This is a rule that can be assigned to an existing policy.
  1. On the Main tab, click Local Traffic > Policies. For more information about local traffic policies, refer to BIG-IP Local Traffic Manager: Implementations.
    The Policy List screen opens.
  2. Click Create.
    The New Policy List screen opens.
  3. In the Policy Name field, type a unique name for the policy, for example companyA.
  4. In the Description field, type descriptive text that identifies the policy definition.
  5. From the Strategy list, select the strategy that determines which actions run when multiple rules match:
    All: Uses the first or best strategy to resolve the conflict of rule match.
    Best: Applies the actions of the rule specified in the list of defined strategies for the associated policy.
    First: Applies the actions of only the first rule. This implies that the rule with the lowest ordinal, highest priority, or first in the list is executed.
  6. From the Type list, select CE Profile to create a custom signature.
  7. Click Create Policy to create a policy that manages traffic assigned to a virtual server.
  8. Click the down arrow for Save Draft. Select Save Draft Policy to save the policy as a draft, or Save and Publish Policy to publish the policy and assign it to a virtual server.
    You can now create a rule for the policy from the Draft Policies list.
  9. Click the name of the draft policy you just created.
    The Draft Policy screen opens.
  10. From the Rules list, select Create.
    The New Rule screen opens.
  11. In the Name field, type a unique name for the rule.
  12. In the Description field, type descriptive text that identifies the rule definition.
  13. In Match all of the following conditions, click + and specify the conditions. For example, select Client SSL, cipher, contains, type COMPAT:AES128-GCM-SHA256, and select request as the event.
  14. Click Add.
  15. In Do the following when the traffic is matched, click + and specify the actions. For example, select Enable, cache, at request.
  16. Click Save.
Now you have added a new rule to the existing policy. When you send traffic that matches the rule you defined, you should be able to see the application or category you configured.

Creating custom local traffic policy rules for PEM

You can create a new strategy for your policy in Policy Enforcement Manager (PEM).
  1. On the Main tab, click Local Traffic > Policies > Strategy List.
    The Strategy List screen opens.
  2. Click Create.
    The New Strategy List screen opens.
  3. In the Name field, type a unique name for the strategy definition.
  4. In the Operands area, define the application traffic to which this rule applies. Specify these values and use default values for the remainder.
    1. From the Operand list, select http-host.
    2. From the Event list, select request.
    3. From the Selector list, select all.
    4. From the Condition list, select ends-with.
    5. Type the value; for example, f5.com.
    6. Click Finished.
Now you have created a strategy list and changed how the system processes the operands by reordering the list of definitions.

Creating a virtual server for SSL traffic policy enforcement

The BIG-IP system allows SSL pass-through mode to collect certificate information. You must define a virtual server that references an SSL pool and classifies SSL traffic for policy enforcement.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For a network, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. From the Configuration list, select Advanced.
  7. From the Classification list, select Enabled, so that the BIG-IP system enables classification for virtual servers when a policy enforcement listener is created.
  8. From the Policy Enforcement Profile list, select the name of the policy enforcement profile that you previously created.
  9. Click Finished.
  10. From the Default Persistence Profile list, select ssl.
    This implements simple persistence, using the default ssl profile.
  11. In the Policies area, click the Manage button.
  12. For the Policies setting, from the Available list, select the name of the iRule that you want to assign, and use the buttons to move the name into the Enabled list.
You have created a virtual server for SSL traffic. The virtual server that references SSL pools appears in the Virtual Servers list.

Associating a published local traffic policy with a virtual server

After you publish a local traffic policy, you associate that published policy with the virtual server created to handle application traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, click Resources.
  4. In the Policies area, click the Manage button.
  5. For the Policies setting, select the local traffic policy you created from the Available list and move it to the Enabled list.
  6. Click Finished.
The published policy is associated with the virtual server.