Manual Chapter: Configuring PEM with Local Traffic Policies
Applies To:
BIG-IP LTM
- 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1
BIG-IP PEM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0
Overview: Creating local traffic policy rules for PEM
When you use Policy Enforcement Manager™ (PEM™), you can create a local traffic policy and attach it to the traffic policy preset ce_pem. In the LTM classification profile (classification_pem), the preset should be ce_pem. The virtual server should have both a classification profile and an SPM profile.
Local traffic policies can include multiple rules. Each rule defines a signature and consists of a condition together with the actions to perform when that condition holds. Multiple signatures can be assigned to one policy, so you can create a local traffic policy that works with PEM and includes multiple rules that do different things depending on the conditions you set up. In this type of CE policy, each rule can include an application, a category, or both; each can be either a custom or a predefined application or category.
Task Summary
About strategies for local traffic policy matching
Each BIG-IP local traffic policy requires a matching strategy to
determine which rule applies if more than one rule matches.
The BIG-IP local traffic policies provide three predefined policy matching strategies: a
first-match, best-match, and all-match strategy. Each policy matching strategy prioritizes rules
according to the rule's position within the Rules list.
As needed, you can create a user-defined best-match strategy to customize the precedence (order
of preference) of added operands and selectors. For example, to meet your preferred operand and
selector combinations, you might create a user-defined best-match strategy that changes the
precedence of added operands and selectors, compared to the predefined best-match strategy.
In a best-match or first-match strategy, a rule without conditions becomes the default rule when it is the last entry in the Rules list.
Matching strategy | Description
---|---
all-match strategy | An all-match strategy starts the actions for all rules in the Rules list that match. In an all-match strategy, when multiple rules match but specify conflicting actions, only the action of the best-match rule is implemented. A best-match rule can be the lowest ordinal, the highest priority, or the first rule that matches in the Rules list.
best-match strategy | A best-match strategy selects and starts the actions of the rule in the Rules list with the best match, as determined by the following factors. In a best-match strategy, when multiple rules match and specify an action, conflicting or otherwise, only the action of the best-match rule is implemented. A best-match rule can be the lowest ordinal, the highest priority, or the first rule that matches in the Rules list.
first-match strategy | A first-match strategy starts the actions for the first rule in the Rules list that matches.
About creating custom local traffic policy rules for CE profile
Classification signatures are added as rules in the local traffic policy.
The classification signatures can be used for many standard categories and applications. In addition, you can create custom categories and applications.
Task Summary
Creating custom local traffic policy for PEM
Before you modify rules on existing policies, you must set up an application or category. You can add rules to define conditions and run specific actions for different types of application traffic in Policy Enforcement Manager (PEM). For example, if you create an application signature for company A and want to send traffic from company A's website, you can perform actions such as bandwidth control and disabling Gate status from PEM. This is a rule that can be assigned to an existing policy.
- On the Main tab, click. The Policy List screen opens. For more information about local traffic policies, refer to BIG-IP Local Traffic Manager: Implementations.
- Click Create. The New Policy List screen opens.
- In the Policy Name field, type a unique name for the policy, for example companyA.
- In the Description field, type descriptive text that identifies the policy definition.
- From the Strategy list, select the action that is executed when there are multiple rules that match.
  - All: Uses the first or best strategy to resolve the conflict of rule match.
  - Best: Applies the actions of the rule specified in the list of defined strategies for the associated policy.
  - First: Applies the actions of only the first rule. This implies that the rule with the lowest ordinal, highest priority, or first in the list is executed.
- From the Type list, select CE Profile to create a custom signature.
- Click Create Policy to create a policy that manages traffic assigned to a virtual server.
- Click the down arrow for Save Draft. Select Save Draft Policy to save the policy as a draft, or Save and Publish Policy to publish the policy and assign it to a virtual server. You can now create a rule for the policy in the Draft Policies list.
- Click the name of the draft policy you just created. The Draft Policy screen opens.
- From the Rules list, select Create. The New Rule screen opens.
- In the Name field, type a unique name for the rule.
- In the Description field, type descriptive text that identifies the rule definition.
- In Match all of the following conditions, click + and specify the conditions. For example, select Client SSL, cipher, contains, type COMPAT:AES128-GCM-SHA256, and select request.
- Click Add.
- In Do the following when the traffic is matched, click + and specify the actions. For example, select Enable, cache, at request.
- Click Save.
Now you have added a new rule to the existing policy. When you send traffic that
matches the rule you defined, you should be able to see the application or category you
have configured.
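To make the Strategy choice in the procedure above and the three strategies in the matching-strategy table concrete, here is an added toy model; it is not F5 code and not how TMOS evaluates policies. The operand precedence list, the request dictionary and the sample rules are all constructed, echoing the Client SSL cipher condition and cache action used in the steps.

```python
# Added illustration, not F5 code: a toy model of the three predefined
# BIG-IP local traffic policy strategies. The operand precedence list stands
# in for a user-defined best-match strategy (an assumption, not F5's format).
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    conditions: list    # (operand, predicate) pairs; empty = no conditions
    actions: dict       # target -> value, e.g. {"cache": "enable"}

def matches(rule, request):
    return all(test(request) for _, test in rule.conditions)

def first_match(rules, request):
    # Only the first matching rule, in Rules-list order, runs.
    return next((r for r in rules if matches(r, request)), None)

def best_match(rules, request, precedence):
    # Rank matching rules by their highest-precedence operand (lower index
    # wins); Rules-list position breaks ties. A rule without conditions is
    # the default and wins only when no rule with conditions matched.
    def rank(r):
        return min((precedence.index(op) for op, _ in r.conditions
                    if op in precedence), default=len(precedence))
    hits = [r for r in rules if matches(r, request)]
    specific = [r for r in hits if r.conditions]
    return min(specific, key=rank) if specific else (hits[-1] if hits else None)

def all_match(rules, request, precedence):
    # All matching rules act; on a conflicting target the best-match value wins.
    merged = {}
    for r in rules:
        if matches(r, request):
            merged.update(r.actions)
    best = best_match(rules, request, precedence)
    if best:
        merged.update(best.actions)
    return merged

# Constructed sample rules echoing the chapter's example condition and action.
PRECEDENCE = ["http-host", "client-ssl-cipher"]
RULES = [
    Rule("cipher-rule", [("client-ssl-cipher",
         lambda q: "COMPAT:AES128-GCM-SHA256" in q["cipher"])], {"cache": "enable"}),
    Rule("host-rule", [("http-host", lambda q: q["host"].endswith("f5.com"))],
         {"cache": "disable", "log": "on"}),
    Rule("default", [], {"cache": "disable"}),
]
```

Note that with these sample rules the same request yields three different outcomes depending on the strategy, which is why the Strategy setting deserves attention when a policy carries more than one rule.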
Creating custom local traffic policy rules for PEM
You can create a new strategy for your policy in Policy Enforcement Manager (PEM).
- On the Main tab, click. The Strategy List screen opens.
- Click Create. The New Strategy List screen opens.
- In the Name field, type a unique name for the strategy definition.
- In the Operands area, define the application traffic to which this rule applies. Specify these values and use default values for the remainder.
  - From the Operand list, select http-host.
  - From the Event list, select request.
  - From the Selector list, select all.
  - From the Condition list, select ends-with.
  - Type the value; for example, f5.com.
- Click Finished.
Now you have created a strategy list and changed how the system processes the
operands by reordering the list of definitions.
Creating a virtual server for SSL traffic policy enforcement
The BIG-IP system allows SSL pass-through mode to collect certificate information. You have to define a virtual server that references an SSL pool and classifies SSL traffic for policy enforcement.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- For a network, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
- In the Service Port field, type 443 or select HTTPS from the list.
- From the Configuration list, select Advanced.
- From the Classification list, select Enabled so that the BIG-IP system enables classification for virtual servers when a policy enforcement listener is created.
- From the Policy Enforcement Profile list, select the name of the policy enforcement profile that you previously created.
- Click Finished.
- From the Default Persistence Profile list, select ssl. This implements simple persistence, using the default ssl profile.
- In the Policies area, click the Manage button.
- For the Policies setting, from the Available list, select the name of the iRule that you want to assign, and use the buttons to move the name into the Enabled list.
You have created a virtual server for SSL traffic. The virtual server that
references SSL pools appears in the Virtual Servers list.
Associating a published local traffic policy with a virtual server
After you publish a local traffic policy, you associate that published policy with the virtual server created to handle application traffic.
- On the Main tab, click. The Virtual Server List screen opens.
- Click the name of the virtual server you want to modify.
- On the menu bar, click Resources.
- In the Policies area, click the Manage button.
- For the Policies setting, select the local traffic policy you created from the Available list and move it to the Enabled list.
- Click Finished.
The published policy is associated with the virtual server.