Manual Chapter : Configuring PEM with Local Traffic Policies

Applies To:


BIG-IP PEM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Overview: Creating local traffic policy rules for PEM

Classification signatures are added as rules in a local traffic policy. The built-in signatures cover many standard categories and applications, and you can create custom categories and applications as well. When you create a policy enforcement listener, the BIG-IP system automatically creates a local traffic policy and attaches it to the listener's virtual server; when you use Policy Enforcement Manager (PEM), you can also create your own local traffic policy and attach it to a virtual server to which you have added an HTTP profile and a classification profile. The local traffic policy forms the logical link between the local traffic components (virtual server and profiles) and the classification and enforcement policy.

When you create a listener, a local traffic policy is attached to the listener's HTTP virtual server. To classify particular traffic with custom application signatures, add rules to that local traffic policy: a rule whose condition identifies the traffic and whose action assigns it to an application behaves like an application signature. An application signature is a signature that is assigned to an application (for example, HTTP traffic).

Local traffic policies can include multiple rules. Each rule consists of a condition that identifies the traffic and one or more actions that are performed when the condition holds. Because several signatures can be assigned to one policy, a single local traffic policy that works with PEM can classify several kinds of traffic and do different things depending on the conditions you set up. In this type of traffic policy, each rule must include one of these PEM actions:

  • Enable PEM.
  • Attach an application or category ID that you created.
Note: The BIG-IP system does not allow you to attach two classification local traffic policies to the same virtual server.

Task Summary

Modifying local traffic policy rules for PEM

Before you modify rules on existing policies, you must set up an application or category (Policy Enforcement > Classification).
You can add rules that define conditions and run specific actions for different types of application traffic in Policy Enforcement Manager (PEM). For example, if you create an application signature for company A, you can apply actions such as bandwidth control, or disabling the Gate status, to traffic for company A's website from PEM. Such a rule can be added to an existing policy.
  1. On the Main tab, click Local Traffic > Policies. For more information about local traffic policies, refer to BIG-IP Local Traffic Manager: Implementations. The Policy List screen opens.
  2. Click _sys_CEC_video_policy.
    Important: _sys_CEC_video_policy is the default local traffic policy that is important for classification; F5 recommends that you keep the policy.
    The properties screen for the policy opens.
  3. Click Add. The New Rule screen opens.
  4. In the Rule Name field, type a unique name for the rule, for example companyA.
  5. In the Rule properties area, define the application traffic to which this rule applies. Specify these values and use default values for the remainder.
    1. From the Operand list, select http-host.
    2. From the Event list, select request.
    3. From the Selector list, select all.
    4. From the Condition list, select ends-with.
    5. Type the value; for example, companyA.com.
    6. Click Add.
  6. In the Actions setting, define the action to apply to the traffic. Specify these values and use the default values for the remainder:
    1. From the Target list, select pem.
      Note: You can specify the application you created; in this example, it is companyA.
      Event is set to request and Action is set to classify. For Parameters, select application and specify the application /common/companyA; click Add.
    2. In the Actions area, click Add.
  7. Click Finished to add the rule to the local traffic policy.
  8. Verify that the rule is added to the policy (Local Traffic > Policies > _sys_CEC_video_policy) and scroll down to view the list of rules. You should be able to view the rule you just created.
Now you have added a new rule to the existing policy. When you send traffic that matches the rule you defined, you should be able to see the application or category you have configured. You can view the classified traffic, as well (Statistics > Classification > Statistics).

Creating local traffic policy rules for PEM

You can create a new policy with rules in Policy Enforcement Manager (PEM).
  1. On the Main tab, click Local Traffic > Policies.
    Important: _sys_CEC_video_policy is the default local traffic policy that is important for classification; F5 recommends that you keep the policy.
    The Policy List screen opens.
  2. Click Create. The New Policy screen opens.
  3. In the Name field, type a unique name for the policy, for example f5.com.
  4. From the Strategy list, select first-match.
  5. For the Requires setting, select http in the Available list, and move it to the Selected list using the Move button.
  6. For the Controls setting, select classification in the Available list, and move it to the Selected list using the Move button.
  7. Click Finished to add a new policy. The Policy List screen opens.
  8. Click the name of the policy you just created (in this example, f5.com). The properties screen for the policy opens.
  9. Click Add.
  10. In the Rule Name field, type the name f5_web.
  11. In the Rule properties area, define the application traffic to which this rule applies. Specify these values and use default values for the remainder.
    1. From the Operand list, select http-host.
    2. From the Event list, select request.
    3. From the Selector list, select all.
    4. From the Condition list, select ends-with.
    5. Type the value; for example, f5.com.
    6. Click Add.
  12. In the Actions setting, define the action to apply to the traffic. Specify these values and use the default values for the remainder:
    1. From the Target list, select pem.
      Note: You can specify the application created (Policy Enforcement > Classification); in this example, it is f5.
      Event is set to request, Action is set to classify. For Parameters, select application and specify the application /common/f5.
    2. Click Add.
    3. In the Actions area, click Add.
  13. Click Finished to add the rule to the local traffic policy.
  14. Attach the policy to the virtual server: on the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens. Click the HTTP virtual server that you created.
  15. Click Resources. The Resources screen for the virtual server opens.
  16. In the Policies area, click the Manage button. The policy management screen for the virtual server opens.
  17. For the Policies setting, select the new policy that you created, f5.com, from the Available list, and move it to the Enabled list using the Move button.
  18. Click Finished.
Now you have created a new policy with an HTTP-based signature (f5.com). You can view traffic for f5.com (Statistics > Classification > Statistics), and also verify the rule you created by browsing to f5.com through the BIG-IP system.
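The rules in the two procedures above match on the client-supplied Host header, so it is worth checking what a condition such as ends-with companyA.com actually matches before it drives bandwidth control or Gate status. The following Python script is an added example, not part of this manual and not F5 code: it models a first-match local traffic policy with http-host conditions and a pem classify action, evaluated over constructed Host header values. The rule fields (selector, condition, value, application) mirror the GUI settings in the procedures; the case-insensitive comparison, and the treatment of selector all as the full Host value (including any port) versus host as the hostname only, are assumptions of the model that you should confirm against your BIG-IP version.

```python
"""Added example, not F5 code: offline model of a first-match local traffic
policy whose rules classify HTTP requests by Host header for PEM.
Assumptions (not from the manual): case-insensitive string comparison;
selector "all" compares the whole Host value, "host" drops an explicit :port.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One policy rule: an http-host condition plus a pem classify action."""
    name: str
    selector: str     # "all" or "host" (see module docstring for the assumed semantics)
    condition: str    # "ends-with" or "equals"
    value: str
    application: str  # PEM application attached by the classify action, e.g. "/Common/companyA"


def host_subject(host_header: str, selector: str) -> str:
    """Return the part of the Host header the selector compares against."""
    if selector == "host":
        # strip an explicit port such as "www.companyA.com:8080" (IPv6 literals not handled)
        return host_header.rsplit(":", 1)[0]
    if selector == "all":
        return host_header
    raise ValueError(f"unsupported selector {selector!r}")


def matches(rule: Rule, host_header: str) -> bool:
    """Evaluate a single condition; comparison is case-insensitive in this model."""
    subject = host_subject(host_header, rule.selector).lower()
    value = rule.value.lower()
    if rule.condition == "ends-with":
        return subject.endswith(value)
    if rule.condition == "equals":
        return subject == value
    raise ValueError(f"unsupported condition {rule.condition!r}")


def classify(policy: List[Rule], host_header: str) -> Optional[str]:
    """first-match strategy: the first rule whose condition holds supplies the application."""
    for rule in policy:
        if matches(rule, host_header):
            return rule.application
    return None  # no rule matched: PEM sees the request as unclassified


# The loose rule exactly as configured in the procedure above.
LOOSE_POLICY = [
    Rule("companyA", "all", "ends-with", "companyA.com", "/Common/companyA"),
]

# A tighter equivalent: the apex host by equality, subdomains by a dotted suffix.
STRICT_POLICY = [
    Rule("companyA_apex", "host", "equals", "companyA.com", "/Common/companyA"),
    Rule("companyA_sub", "host", "ends-with", ".companyA.com", "/Common/companyA"),
]

# Constructed Host header values for the comparison, not captured traffic.
SAMPLE_HOSTS = [
    "companyA.com",
    "www.companyA.com",
    "www.companyA.com:8080",
    "evilcompanyA.com",      # lookalike domain registered by someone else
    "companyA.com.example",  # suffix spoof in the other direction
]


def compare(hosts: List[str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (host, result under LOOSE_POLICY, result under STRICT_POLICY) per sample."""
    return [(h, classify(LOOSE_POLICY, h), classify(STRICT_POLICY, h)) for h in hosts]


if __name__ == "__main__":
    print(f"{'Host header':<26}{'ends-with companyA.com':<26}apex + .companyA.com")
    for host, loose, strict in compare(SAMPLE_HOSTS):
        print(f"{host:<26}{str(loose):<26}{strict}")
```

Two points the model makes visible. First, a bare ends-with companyA.com also classifies a lookalike such as evilcompanyA.com, and with the all selector it fails to classify a request that carries an explicit port; splitting the rule into equals companyA.com plus ends-with .companyA.com on the host selector closes the lookalike case and tolerates the port. Second, any client can send Host: companyA.com regardless of where the request is really going, so an http-host rule on its own is a weak basis for a classification that receives preferential bandwidth or bypasses a gate.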

Creating a virtual server for SSL traffic policy enforcement

The BIG-IP system can classify SSL traffic in SSL pass-through mode, collecting certificate information from the handshake without terminating the session. To do this, define a virtual server that references the SSL pool and classifies the SSL traffic for policy enforcement.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, select Network, and type 0.0.0.0 in the Address field and 0.0.0.0 in the Mask field.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. From the Configuration list, select Advanced.
  7. From the Classification list, select Enabled, so that the BIG-IP system classifies the traffic on this virtual server. (When you create a policy enforcement listener instead, the system enables classification on the listener's virtual servers for you.)
  8. From the Policy Enforcement Profile list, select the name of the Policy Enforcement Profile that you previously created.
  9. Click Finished. The Virtual Server List screen opens.
  10. Click the name of the virtual server that you just created, and then click Resources.
  11. From the Default Persistence Profile list, select ssl, and click Update. This implements simple persistence, using the default ssl profile.
  12. In the Policies area, click the Manage button.
  13. For the Policies setting, from the Available list, select the name of the local traffic policy that you want to assign, use the buttons to move the name into the Enabled list, and click Finished.
You have created a virtual server for SSL traffic. The virtual server that references the SSL pool appears in the Virtual Servers list.