Manual Chapter : Using Conditions in Rules

Applies To:

F5 SSL Orchestrator

  • 17.1.0

Using Conditions in Rules

When selecting a new rule Condition, we recommend you follow these tips:
  • When you select Client IP Geolocation or Server IP Geolocation, select either Country Code, Country Name, Continent, or State from the first dropdown list. Select is or is not from the second dropdown list. Next, select either Static Value or Datagroup from the third dropdown list. If you select Static Value, the name or abbreviation you enter (for example, US) must consist of letters (a-z, A-Z); number combinations are not allowed. If you select Datagroup, select an option from the list.
  • When you select the Category Lookup (HTTP Connect) condition, also add the L7 Protocol Lookup (TCP) condition.
  • When you select the L7 Protocol Lookup (UDP) condition, do not add the Category Lookup (SNI), Category Lookup (HTTP Connect), SSL Check, or URL Match conditions.
  • For Client IP Subnet Match or Server IP Subnet Match, select the is or is not match condition for an IP subnet match.
  • For Client Port Match or Server Port Match, select either Static Value/Datagroup or Range from the Value Source list. If you select Static Value/Datagroup, select the is or is not match condition and then type to add Ports or select from the list. If you select Range, enter the 'From' port number (between 1-65535) first and then enter the 'To' port number (between 2-65535) second.
  • When you select URL Match, select the is or is not match condition and then select a condition value and enter a pattern. The available condition values are: Equals, SubString, Prefix Match, Suffix Match, and Glob Match. Once a pattern is entered, you must click that condition value to add it to the list.
  • For IP Protocol, select the is or is not match condition, and then select either TCP or UDP as the condition value.
  • For L7 Protocol Lookup (either TCP or UDP), select the is or is not match condition, and then type to add protocols or select from the list. You may click as many different protocols as needed to add them to the selected condition. For TCP, the available protocols are DNS, FTP, FTPS, HTTP, HTTP CONNECT, HTTP2, HTTPS, IMAP, IMAPS, POP3, POP3S, SMTP, SMTPS, SSH, and telnet. For UDP, you may select from QUIC and DNS.
  • If you decide to use "SSL Proxy Action: Bypass" for the Server Name (TLS Client Hello) condition, and the rule precedes other conditions that require a server-side SSL connection, then the SSL Bypass action is taken immediately without triggering a server-side handshake. In such cases, SSL Orchestrator/BIG-IP will not validate the Server Name in the TLS Client Hello against the Server Certificate Subject CN or SAN. Choose Static Value or Datagroup from the drop-down. If you choose Static Value, select the match condition from the drop-down next to it and enter the server name. If you choose Datagroup, select the match condition and datagroup name from the drop-down fields.
  • To allow SSL traffic to bypass without triggering the TLS handshake, you can now select "SSL Proxy Action: Bypass (Client Hello)" for all conditions except Category Lookup (All) and Server Certificate (*). Configuring a rule with Allow for Bypass (Client Hello) enables the Bypass on SSL Client Hello setting in the SSL Bypass Set action in the deployed policy. If a rule contains an SSL condition with "SSL Proxy Action: Bypass", no subsequent rule can have Bypass on SSL Client Hello enabled.
A URLF license is not required to use Custom Categories when creating a new URL category.
When you use SSL Orchestrator to provision and deploy an L3 Outbound or L3 Explicit Proxy configuration, and then use BIG-IP Access to configure a custom category, the custom category is supported for the hostname only (with no URLDB or SWG). Therefore, configure the URL with the hostname only (for example, http://www.f5.com/). If a full URL is configured instead (http://www.f5.com/services/), the category lookup will result in an uncategorized category (id# 153).
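The following is an added example, not F5 code, that models offline the rule-condition behaviour described above: the five URL Match condition values, the Port Match static and Range value sources with the documented 'From' and 'To' bounds, the letters-only check for a Geolocation Static Value, and a lint for custom-category URLs that flags entries carrying a path (which the chapter says would resolve to the uncategorized category). The Equals, SubString, Prefix Match and Suffix Match semantics follow the plain meaning of their names; treating Glob Match as a shell-style wildcard, requiring 'From' to be strictly less than 'To', and allowing spaces in a multi-word country name are assumptions about the product's behaviour, labelled as such in the code. It is useful for reviewing a policy's rule values before they are entered in the GUI, since a mis-typed pattern or an out-of-range port silently changes what traffic a bypass or intercept rule covers.

```python
"""Offline checker for SSL Orchestrator-style rule condition values.
Added example; not F5 code. Assumptions are marked in comments."""
from fnmatch import fnmatchcase
from urllib.parse import urlparse

URL_MATCH_MODES = ("Equals", "SubString", "Prefix Match", "Suffix Match", "Glob Match")


def url_match(url, mode, pattern, negate=False):
    """Evaluate one URL Match condition value; negate=True models 'is not'."""
    if mode == "Equals":
        hit = url == pattern
    elif mode == "SubString":
        hit = pattern in url
    elif mode == "Prefix Match":
        hit = url.startswith(pattern)
    elif mode == "Suffix Match":
        hit = url.endswith(pattern)
    elif mode == "Glob Match":
        # Assumption: Glob Match behaves like a shell-style wildcard (* and ?).
        hit = fnmatchcase(url, pattern)
    else:
        raise ValueError(f"unknown URL Match condition value: {mode!r}")
    return (not hit) if negate else hit


def validate_port_range(port_from, port_to):
    """Documented bounds: 'From' is 1-65535 and 'To' is 2-65535.
    Assumption: 'From' must be strictly less than 'To'."""
    return 1 <= port_from <= 65535 and 2 <= port_to <= 65535 and port_from < port_to


def port_match(port, static_ports=None, port_range=None, negate=False):
    """Port Match with either Static Value/Datagroup (a set of ports) or Range."""
    if static_ports is not None:
        hit = port in set(static_ports)
    elif port_range is not None:
        low, high = port_range
        if not validate_port_range(low, high):
            raise ValueError(f"invalid port range {low}-{high}")
        hit = low <= port <= high
    else:
        raise ValueError("port_match needs static_ports or port_range")
    return (not hit) if negate else hit


def validate_geo_static_value(value):
    """Geolocation Static Value: letters a-z/A-Z only, no number combinations.
    Assumption: spaces are tolerated so multi-word Country Names can be entered."""
    if not value or any(ch.isdigit() for ch in value):
        return False
    return all(ch.isascii() and (ch.isalpha() or ch == " ") for ch in value)


def custom_category_lint(url):
    """Custom categories (L3 Outbound / L3 Explicit Proxy with BIG-IP Access)
    match on hostname only. Returns (ok, hostname_only_form); ok is False when
    the entry carries a path, query or fragment that would leave it uncategorized."""
    parts = urlparse(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    hostname_only = f"{parts.scheme}://{parts.hostname}/"
    ok = parts.path in ("", "/") and not parts.query and not parts.fragment
    return ok, hostname_only


if __name__ == "__main__":
    # Constructed sample values for a quick self-check of the rules above.
    sample_url = "http://www.f5.com/services/"
    for mode, pattern in [("Equals", "http://www.f5.com/"),
                          ("Prefix Match", "http://www.f5.com/"),
                          ("Glob Match", "http://*.f5.com/*")]:
        print(f"{mode:13s} {pattern!r:28s} -> {url_match(sample_url, mode, pattern)}")
    print("port 8080 in 1024-65535 ->", port_match(8080, port_range=(1024, 65535)))
    print("geo value 'U5' valid ->", validate_geo_static_value("U5"))
    for entry in ("http://www.f5.com/", sample_url):
        print(f"custom category {entry!r} ->", custom_category_lint(entry))
```

Run it as a script to see the sample evaluations, or import it and call `custom_category_lint` over an exported list of category entries to find the ones that need to be trimmed to their hostname form.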