Using Conditions in Rules
When selecting a new rule Condition, we recommend you follow these tips:
- When you select Client IP Geolocation or Server IP Geolocation, select either Country Code, Country Name, Continent, or State from the first dropdown list. Select is or is not from the second dropdown list. Next, select either Static Value or Datagroup from the third dropdown list. If you select Static Value, the name or abbreviation you enter (for example, US) must consist of letters only (a-z, A-Z); digits are not allowed. If you select Datagroup, select an option from the list.
- When you select Category Lookup (HTTP Connect) condition, also add the L7 Protocol Lookup (TCP) condition.
- When you select L7 Protocol Lookup (UDP) condition, do not add the Category Lookup (SNI), Category Lookup (HTTP Connect), SSL Check, or URL Match conditions.
- For Client IP Subnet Match or Server IP Subnet Match, select the is or is not match condition for an IP subnet match.
- For Client Port Match or Server Port Match, select either Static Value/Datagroup or Range from the Value Source list. If you select Static Value/Datagroup, select the is or is not match condition and then type to add ports or select them from the list. If you select Range, enter the ‘From’ port number (1-65535) first and then the ‘To’ port number (2-65535).
- When you select URL Match, select the is or is not match condition and then select a condition value and enter a pattern. The available condition values are: Equals, SubString, Prefix Match, Suffix Match, Glob Match. Once a pattern is entered, you must click that condition value to add it to the list.
- For IP Protocol, select the is or is not match condition, and then select either TCP or UDP as condition value.
- For L7 Protocol Lookup (either TCP or UDP), select the is or is not match condition, and then type to add protocols or select them from the list. You can add as many protocols as needed to the selected condition. For TCP, the available protocols are DNS, FTP, FTPS, HTTP, HTTP CONNECT, HTTP2, HTTPS, IMAP, IMAPS, POP3, POP3S, SMTP, SMTPS, SSH, telnet. For UDP, you may select from QUIC and DNS.
- If you use “SSL Proxy Action: Bypass” with the Server Name (TLS Client Hello) condition, and the rule precedes other conditions that require a server-side SSL connection, the SSL Bypass action is taken immediately, without triggering a server-side handshake. Because no server-side handshake occurs, SSL Orchestrator/BIG-IP never receives the server certificate and therefore does not validate the Server Name in the TLS Client Hello against the server certificate's Subject CN or SAN; the bypass decision rests entirely on a name supplied by the client. Choose Static Value or Datagroup from the drop-down. If you choose Static Value, select the match condition from the drop-down next to it and enter the server name. If you choose Datagroup, select the match condition and the datagroup name from the drop-down fields.
- To allow SSL traffic to bypass without triggering the TLS handshake, you can select “SSL Proxy Action: Bypass (Client Hello)” for all conditions except Category Lookup (All) and Server Certificate (*). Configuring a rule with Allow for Bypass (Client Hello) enables the Bypass on SSL Client Hello setting in the SSL Bypass Set action in the deployed policy. If a rule contains an SSL condition with “SSL Proxy Action: Bypass”, no subsequent rule can have Bypass on SSL Client Hello enabled.
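The following is an added example and is not part of the F5 documentation or of the SSL Orchestrator product code. It models the URL Match condition values listed above (Equals, SubString, Prefix Match, Suffix Match, Glob Match) together with the is / is not selector, and runs them over a few constructed URLs to show how the choice of match type decides whether a lookalike host is caught. The exact semantics the product applies are assumed here: SubString is plain containment and Glob Match is modelled with Python's fnmatch, where `*` also crosses `/`.

```python
"""Added example (not F5 code): model of the URL Match condition values and the
is / is not selector, run over constructed URLs. Semantics are assumed."""
import fnmatch
from typing import Callable, Dict, List

# Assumed semantics for each condition value the page names but does not define.
MATCHERS: Dict[str, Callable[[str, str], bool]] = {
    "Equals":       lambda url, pat: url == pat,
    "SubString":    lambda url, pat: pat in url,
    "Prefix Match": lambda url, pat: url.startswith(pat),
    "Suffix Match": lambda url, pat: url.endswith(pat),
    "Glob Match":   lambda url, pat: fnmatch.fnmatchcase(url, pat),  # '*' also crosses '/'
}


def url_match(url: str, match_type: str, pattern: str, negate: bool = False) -> bool:
    """Evaluate one URL Match condition; negate=True models the 'is not' selector."""
    hit = MATCHERS[match_type](url, pattern)
    return (not hit) if negate else hit


def matching_urls(urls: List[str], match_type: str, pattern: str,
                  negate: bool = False) -> List[str]:
    """Return the URLs from `urls` that satisfy the condition, in input order."""
    return [u for u in urls if url_match(u, match_type, pattern, negate)]


# Constructed sample traffic: an intranet host, and a lookalike host that embeds
# the intranet name as a prefix of a longer attacker-controlled domain.
SAMPLE_URLS = [
    "https://intranet.example.com/",
    "https://intranet.example.com/reports/q1.pdf",
    "https://intranet.example.com.attacker.test/login",
    "https://cdn.example.com/assets/app.js",
]

if __name__ == "__main__":
    for match_type, pattern in [
        ("SubString", "intranet.example.com"),            # also catches the lookalike
        ("Prefix Match", "https://intranet.example.com/"),  # trailing '/' excludes it
        ("Suffix Match", ".pdf"),
        ("Glob Match", "https://*.example.com/*"),
    ]:
        print(f"{match_type:13} {pattern!r:40} -> {matching_urls(SAMPLE_URLS, match_type, pattern)}")
```

The practical point is the second pair: a SubString pattern of `intranet.example.com` matches the attacker-controlled lookalike, while a Prefix Match pattern that includes the scheme and the trailing `/` does not.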
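The following is an added example and is not part of the F5 documentation or of SSL Orchestrator itself. It illustrates the caveat in the Server Name (TLS Client Hello) bullet above: the script parses the server_name (SNI) extension out of a TLS ClientHello and then checks that name against the Subject CN and SAN entries of a server certificate, which is the consistency check the product skips when a rule bypasses on the Client Hello, since no server-side handshake (and so no server certificate) is ever seen. The ClientHello bytes and the certificate names are constructed inline so it runs offline; the name comparison follows the RFC 6125 DNS-ID rules as an assumption about how such a check would be done, not a description of BIG-IP internals.

```python
"""Added example (not F5 code): extract the SNI from a TLS ClientHello and compare it
with a server certificate's CN/SAN names. Inputs are constructed inline."""
import struct
from typing import List, Optional

SNI_EXTENSION_TYPE = 0x0000
HOST_NAME_TYPE = 0x00


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one server_name entry.
    Only the SNI is meaningful; random, cipher suite and compression are placeholders."""
    name = server_name.encode("ascii")
    entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    extensions = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                 # client_version, random
            + b"\x00"                               # session_id length 0
            + b"\x00\x02\x13\x01"                   # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                           # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's server_name extension, or None.
    Truncated or non-ClientHello input yields None rather than an exception."""
    try:
        if record[0] != 0x16:                                   # not a handshake record
            return None
        handshake = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if handshake[0] != 0x01:                                # not a ClientHello
            return None
        body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
        pos = 2 + 32                                            # skip client_version, random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos + 2 > len(body):
            return None                                         # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            lpos = 2                                            # skip ServerNameList length
            while lpos + 3 <= len(data):
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                if name_type == HOST_NAME_TYPE:
                    return data[lpos + 3:lpos + 3 + name_len].decode("ascii", "replace")
                lpos += 3 + name_len
        return None
    except (IndexError, struct.error):
        return None


def name_matches(sni: str, cert_name: str) -> bool:
    """Case-insensitive DNS-ID comparison in the RFC 6125 style: exact label match, or a
    leading '*' that stands for exactly one label and leaves at least two fixed labels."""
    s = sni.lower().rstrip(".").split(".")
    c = cert_name.lower().rstrip(".").split(".")
    if len(s) != len(c):
        return False
    if c[0] == "*":
        return len(c) >= 3 and s[1:] == c[1:]
    return s == c


def sni_consistent_with_certificate(client_hello: bytes, subject_cn: str,
                                    sans: List[str]) -> bool:
    """The check that is skipped under Bypass (Client Hello): does the name the client
    asked for appear on the certificate the server actually presented?"""
    sni = extract_sni(client_hello)
    if sni is None:
        return False
    return any(name_matches(sni, n) for n in [subject_cn, *sans])


if __name__ == "__main__":
    # Constructed scenario: the client claims an allow-listed name in its Client Hello,
    # but the server it connects to presents a certificate for a different domain.
    hello = build_client_hello("allowed.example.com")
    print("SNI in ClientHello:", extract_sni(hello))
    print("consistent with served certificate:",
          sni_consistent_with_certificate(hello, "blocked.example.net", ["*.example.net"]))
```

A policy that bypasses on the Client Hello acts on the value `extract_sni` returns and never reaches `sni_consistent_with_certificate`; anything the client can put in that field, it can use to select the bypass path.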
Note: A URLF license is not required to use Custom Categories when creating a new URL category.
Note: When you use SSL Orchestrator to provision and deploy an L3 Outbound or L3 Explicit Proxy configuration, and then use BIG-IP Access to configure a custom category, the custom category is supported for the hostname only (with no URLDB or SWG). Therefore, configure the URL with the hostname only (for example, http://www.f5.com/). If a full URL is configured (http://www.f5.com/services/), the category lookup returns the uncategorized category (id# 153).