Manual Chapter : Enforcing Policy and Classification on IP Protocols

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1

BIG-IP PEM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0
Manual Chapter

Enforcing Policy and Classification on IP Protocols

About enforcing policy and classification on IP protocols

The BIG-IP system now provides classification and policy enforcement on all non-TCP and non-UDP traffic, which includes IPsec traffic. The Policy Enforcement Manager is able to classify and enforce any action on virtually any type of IP traffic. This enables detection of IPsec, ICMP, GRE, and other IP protocols (especially tunneling) for the service providers. For IPsec, Encapsulating Security Payloads (ESP) and Authentication Headers (AH) protocols are used, in both tunnel and transport modes.
A bottom hudfilter forwards non-TCP and non-UDP traffic for both classification and policy enforcement.
HTTP redirect is not supported. Based on the protocol, not all actions work and some traffic is not steered.
You can use SNAT, only when you forward ICMP and ICMPv6 traffic.

Creating Any IP profiles for PEM

Before you create multiple Any IP profiles, you must create a listener in Policy Enforcement Manager (PEM), which creates a virtual server with Any IP profile.
You can create a new Any IP profile through local traffic management in PEM.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Protocol
    Any IP
    .
    The Any IP screen opens.
  2. Click
    Create
    .
    The New Any IP Profile screen opens.
  3. From the
    Parent Profile
    list, select the default
    ipother
    or any other Any IP profile, from where the new profile can inherit the settings.
    You will see multiple Any IP profiles in the list only if you have created the profiles earlier.
  4. To specify the idle timeout, click
    Custom
    , select
    Specify
    , and type a value (in seconds). The idle time out specifies the number of seconds for which a connection is idle before the connection is eligible for deletion.
  5. Click
    Finished
    .
Now you have created a new Any IP profile. You can view non-TCP and UDP traffic that passes through the BIG-IP system (
Statistics
Classification
Statistics
).

Updating Any IP profile

If you have created other Any IP profile and you want to attach this profile to the Any IP traffic, then you can attach the profile through local traffic management in Policy Enforcement Manager (PEM).
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    Virtual Server List
    .
    The Virtual Server List screen opens.
  2. Select any virtual server.
    The virtual server properties screen opens.
  3. From the
    Protocol
    list, select
    *All Protocols
    .
    Any IP profile settings displays.
  4. From the
    Any IP Profile
    list, select the default setting
    ipother
    , or any other Any IP profile from where the new profile can inherit the settings.
    You will see multiple Any IP profiles from the list only if you have created the profiles earlier.
  5. Click
    Update
    .
Now you have updated the Any IP profile and attached it to the Any IP traffic.

IPOther filter for current PEM actions

The policy actions configured in the Policy Enforcement Manager can support non-TCP and non-UDP traffic flows. This table contains the information that highlights the actions supported for non-TCP and non-UDP traffic.
Action
All non-TCP and non-UDP flows
Forwarding
Only non-tunnel protocols.
ICMP traffic can be steered.
Service-chain
Only non-tunnel protocols.
ICMP traffic can be steered.
Cloning
Yes
BWC (both directions)
Yes
L2 QoS markings (both directions)
Yes
Flow Reporting
Yes
Session Reporting
Yes
Gate status drop
Yes
Quota
Yes
HTTP-redirect
No
Modify HTTP headers
No
iRules
CLIENT_DATA and CLIENT_ACCEPTED iRules only (like UDP filter).