Manual Chapter : Configuring PEM with Local Traffic Policies

Applies To:

BIG-IP PEM

  • 13.0.1, 13.0.0

Overview: Creating local traffic policy rules for PEM

When you use Policy Enforcement Manager™ (PEM™), you can create a policy and attach it to traffic policy presets (ce_pem). In the LTM classification profile (classification_pem), the preset should be ce_pem. The virtual server should have a classification profile and an SPM profile.

Local traffic policies can include multiple rules. Each rule defines the signature and consists of a condition. Actions are to be performed if the condition holds. Multiple signatures can be assigned to one policy, so you can create a local traffic policy that works with PEM and includes multiple rules that do different things depending on the conditions you set up. In this type of CE policy, each rule can include an application or category or both. The application and category can either be custom or defined applications and categories.

About strategies for local traffic policy matching

Each BIG-IP® local traffic policy requires a matching strategy to determine which rule applies if more than one rule matches.

The BIG-IP local traffic policies provide three predefined policy matching strategies: a first-match, best-match, and all-match strategy. Each policy matching strategy prioritizes rules according to the rule's position within the Rules list.

As needed, you can create a user-defined best-match strategy to customize the precedence (order of preference) of added operands and selectors. For example, to meet your preferred operand and selector combinations, you might create a user-defined best-match strategy that changes the precedence of added operands and selectors, compared to the predefined best-match strategy.

Note: In a best-match or first-match strategy, a rule without conditions becomes the default rule, when the rule is the last entry in the Rules list.
Table 1. Policy matching strategies

all-match strategy
  An all-match strategy starts the actions for all rules in the Rules list that match.
  Note: In an all-match strategy, when multiple rules match, but specify conflicting actions, only the action of the best-match rule is implemented. A best-match rule can be the lowest ordinal, the highest priority, or the first rule that matches in the Rules list.

best-match strategy
  A best-match strategy selects and starts the actions of the rule in the Rules list with the best match, as determined by the following factors.
    1. A best-match strategy selects the rule with the most conditions, ignoring details about the conditions.
    2. If a rule with the most conditions is not determined, then the best-match strategy selects the rule with the highest priority condition types. The best-match strategy sorts the condition types, highest priority first, comparing one at a time until a higher priority is found. For example, a priority sequence of 0,1,3,4,6 wins over 0,1,3,5,7 because 4 is a higher priority than 5.
    3. If a rule with the highest priority condition types is not determined, then the best-match strategy selects the rule with equal match types over other match types, such as starts-with, ends-with, or contains, and processes according to condition type priority.
    4. If a rule of equal match types is not determined, then the best-match strategy uses an ordinal (the precedence of the operand).
  Note: In a best-match strategy, when multiple rules match and specify an action, conflicting or otherwise, only the action of the best-match rule is implemented. A best-match rule can be the lowest ordinal, the highest priority, or the first rule that matches in the Rules list.

first-match strategy
  A first-match strategy starts the actions for the first rule in the Rules list that matches.
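The three strategies in Table 1, and the four best-match tie-break factors, are easier to reason about when you can run them against a set of rules and see which actions fire. The following Python simulation is an added example written for this chapter; it is not F5 code and does not talk to a BIG-IP system. The operand names, the operand precedence order (which on a real system comes from the strategy's operand list, predefined or user-defined as described above), the use of the rule's position in the Rules list as the final ordinal tie-break, and the sample rules and request context are all constructed for the demonstration.

```python
"""Simulation of BIG-IP local traffic policy matching strategies (added example).

Not F5 code. Models the first-match, best-match and all-match strategies of
Table 1, including the four best-match factors and the "best rule wins on a
conflicting action" behaviour of all-match. Operand names, the precedence
order and the sample rules below are constructed for the demo.
"""
from dataclasses import dataclass

# Constructed operand precedence: list position = condition-type priority,
# lower wins. A user-defined strategy would reorder this list.
DEFAULT_PRECEDENCE = ["http-host", "http-uri", "client-ssl-cipher",
                      "classification-app", "classification-category", "tcp-port"]

# Factor 3: an equality match outranks the substring-style match types.
MATCH_TYPE_RANK = {"equals": 0, "starts-with": 1, "ends-with": 1, "contains": 1}


@dataclass(frozen=True)
class Condition:
    operand: str   # e.g. "http-host"
    match: str     # "equals", "starts-with", "ends-with" or "contains"
    value: str

    def holds(self, ctx):
        actual = ctx.get(self.operand)
        if actual is None:
            return False
        if self.match == "equals":
            return actual == self.value
        if self.match == "starts-with":
            return actual.startswith(self.value)
        if self.match == "ends-with":
            return actual.endswith(self.value)
        if self.match == "contains":
            return self.value in actual
        raise ValueError(f"unknown match type {self.match!r}")


@dataclass
class Rule:
    name: str
    conditions: tuple   # empty tuple = no conditions (a default rule)
    actions: dict       # action name -> setting, e.g. {"bandwidth": "gold"}

    def matches(self, ctx):
        return all(c.holds(ctx) for c in self.conditions)


def _priority(operand, precedence):
    return precedence.index(operand) if operand in precedence else len(precedence)


def best_match_key(rule, ordinal, precedence):
    """Sort key for the four best-match factors; the smallest key is the best rule."""
    ordered = sorted(rule.conditions, key=lambda c: _priority(c.operand, precedence))
    return (
        -len(rule.conditions),                                # 1: most conditions
        [_priority(c.operand, precedence) for c in ordered],  # 2: [0,1,3,4,6] beats [0,1,3,5,7]
        [MATCH_TYPE_RANK[c.match] for c in ordered],          # 3: equals beats starts/ends/contains
        ordinal,                                              # 4: Rules-list position (assumed tie-break)
    )


def evaluate(rules, ctx, strategy, precedence=DEFAULT_PRECEDENCE):
    """Return (names of rules whose actions fire, merged actions) for a strategy."""
    matched = [(i, r) for i, r in enumerate(rules) if r.matches(ctx)]
    if not matched:
        return [], {}
    key = lambda ir: best_match_key(ir[1], ir[0], precedence)
    if strategy == "first-match":
        chosen = [matched[0]]
    elif strategy == "best-match":
        chosen = [min(matched, key=key)]
    elif strategy == "all-match":
        # Every matching rule fires; apply the worst rule first so that, on a
        # conflicting action, the best-match rule's setting is the one kept.
        chosen = sorted(matched, key=key, reverse=True)
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    actions = {}
    for _, rule in chosen:
        actions.update(rule.actions)
    chosen_ids = {i for i, _ in chosen}
    return [r.name for i, r in matched if i in chosen_ids], actions


# Constructed Rules list; the last rule has no conditions, so under first-match
# and best-match it acts as the default rule (Note under Table 1).
RULES = [
    Rule("host-f5", (Condition("http-host", "ends-with", "f5.com"),), {"bandwidth": "gold"}),
    Rule("video-f5", (Condition("classification-category", "equals", "video"),
                      Condition("http-host", "ends-with", "f5.com")),
         {"bandwidth": "silver", "cache": "enable"}),
    Rule("api-uri", (Condition("http-uri", "starts-with", "/api"),), {"cache": "disable", "log": "on"}),
    Rule("default", (), {"bandwidth": "bronze"}),
]

# Constructed request context that the conditions are evaluated against.
SAMPLE_CTX = {"http-host": "www.f5.com", "http-uri": "/api/v1/items",
              "classification-category": "video"}

if __name__ == "__main__":
    for strategy in ("first-match", "best-match", "all-match"):
        print(strategy, evaluate(RULES, SAMPLE_CTX, strategy))
```

With the sample context all four rules match: first-match fires only host-f5, best-match fires only video-f5 (it has the most conditions), and all-match fires every rule but resolves the conflicting bandwidth and cache settings in favour of video-f5 while still keeping api-uri's non-conflicting log action. Reordering DEFAULT_PRECEDENCE is the equivalent of the user-defined strategy described above and changes only factor 2 and factor 3 comparisons.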

About creating custom local traffic policy rules for CE profile

Classification signatures are added as rules in the local traffic policy. The classification signatures can be used for many standard categories and applications. In addition, you can create custom categories and applications. When you use Policy Enforcement Manager™ (PEM™), you can create a policy and attach it to traffic policy presets (ce_pem). In the LTM profiles classification (classification_pem), the preset should be ce_pem. The virtual server should have classification profile and SPM profile.

Creating custom local traffic policy for PEM

Before you modify rules on existing policies, you must set up an application or category ( Traffic Intelligence > Classification ).
You can add rules to define conditions and run specific actions for different types of application traffic in Policy Enforcement Manager™ (PEM™). For example, if you create an application signature for company A and want to handle traffic from company A's website, you can perform actions such as bandwidth control or disabling Gate status from PEM. This is a rule that can be assigned to an existing policy.
  1. On the Main tab, click Local Traffic > Policies .
    For more information about local traffic policies, refer to BIG-IP® Local Traffic Manager™: Implementations.
    The Policy List screen opens.
  2. Click Create.
    The New Policy List screen opens.
  3. In the Policy Name field, type a unique name for the policy, for example companyA.
  4. In the Description field, type descriptive text that identifies the policy definition.
  5. From the Strategy list, select the action that is executed when there are multiple rules that match.
    Strategy  Description
    All       Uses the first or best strategy to resolve the conflict of rule match.
    Best      Applies the actions of the rule specified in the list of defined strategies for the associated policy.
    First     Applies the actions of only the first rule. This implies that the rule with the lowest ordinal, highest priority or first in the list is executed.
  6. From the Type list, select the Traffic Policy to create a custom signature.
  7. Click Create Policy to create a policy that manages traffic assigned to a virtual server.
  8. Click the down arrow for Save Draft. Select Save Draft Policy to save the policy as a draft or Save and Publish policy to publish a policy and assign it to a virtual server.
    You should be able to create a rule for the Draft Policies list.
  9. Click the name of the draft policy you just created.
    The Draft Policy screen opens.
  10. From the Rules list, select Create.
    The New Rule screen opens.
  11. In the Name field, type a unique name for the rule.
  12. In the Description field, type descriptive text that identifies the rule definition.
  13. In Match all of the following conditions, click + and specify the conditions.
    For example, select Client SSL, cipher, contains, type COMPAT:AES128-GCM-SHA256, and select request.
  14. Click Add.
  15. In Do the following when the traffic is matched, click + and specify the actions:
    For example, select Enable, cache, at request.
  16. Click Save.
Now you have added a new rule to the existing policy. When you send traffic that matches the rule you defined, you should be able to see the application or category you have configured.

Creating custom local traffic policy rules for PEM

You can create a new strategy for your policy in Policy Enforcement Manager™ (PEM™).
  1. On the Main tab, click Local Traffic > Policies > Strategy List .
    The Strategy List screen opens.
  2. Click Create.
    The New Strategy List screen opens.
  3. In the Name field, type a unique name for the strategy definition.
  4. In the Operands area, define the application traffic to which this rule applies. Specify these values and use default values for the remainder.
    1. From the Operand list, select http-host.
    2. From the Event list, select request.
    3. From the Selector list, select all.
    4. From the Condition list, select ends-with.
    5. Type the value; for example, f5.com.
    6. Click Finished.
Now you have created a strategy list and changed how the system processes the operands by reordering the list of definitions.

Creating a virtual server for SSL traffic policy enforcement

The BIG-IP® system allows SSL pass-through mode to collect certificate information. You have to define a virtual server that references an SSL pool and classifies SSL traffic for policy enforcement.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For a network, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. From the Configuration list, select Advanced.
  7. From the Classification list, select Enabled, for the BIG-IP system to enable classification for virtual servers when a policy enforcement listener is created.
  8. From the Policy Enforcement Profile list, select the name of the policy enforcement profile that you previously created.
  9. Click Finished.
  10. From the Default Persistence Profile list, select ssl.
    This implements simple persistence, using the default ssl profile.
  11. In the Policies area, click the Manage button.
  12. For the Policies setting, from the Available list, select the name of the iRule that you want to assign, and use the buttons to move the name into the Enabled list.
You have created a virtual server for SSL traffic. The virtual server that references SSL pools appears in the Virtual Servers list.

Associating a published local traffic policy with a virtual server

After you publish a local traffic policy, you associate that published policy with the virtual server created to handle application traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, click Resources.
  4. In the Policies area, click the Manage button.
  5. For the Policies setting, select the local traffic policy you created from the Available list and move it to the Enabled list.
  6. Click Finished.
The published policy is associated with the virtual server.

Creating custom local traffic policy for PEM

Before you modify rules on existing policies, you must set up an application or category ( Traffic Intelligence > Classification ).
You can add rules to define conditions and run specific actions for different types of application traffic in Policy Enforcement Manager™ (PEM™). For example, if you create an application signature for company A and want to handle traffic from company A's website, you can perform actions such as bandwidth control or disabling Gate status from PEM. This is a rule that can be assigned to an existing policy.
  1. On the Main tab, click Local Traffic > Policies .
    For more information about local traffic policies, refer to BIG-IP® Local Traffic Manager™: Implementations.
    The Policy List screen opens.
  2. Click Create.
    The New Policy List screen opens.
  3. In the Policy Name field, type a unique name for the policy, for example companyA.
  4. In the Description field, type descriptive text that identifies the policy definition.
  5. From the Strategy list, select the action that is executed when there are multiple rules that match.
    Strategy  Description
    All       Uses the first or best strategy to resolve the conflict of rule match.
    Best      Applies the actions of the rule specified in the list of defined strategies for the associated policy.
    First     Applies the actions of only the first rule. This implies that the rule with the lowest ordinal, highest priority or first in the list is executed.
  6. From the Type list, select the CE Profile to create a custom signature.
  7. Click Create Policy to create a policy that manages traffic assigned to a virtual server.
  8. Click the down arrow for Save Draft. Select Save Draft Policy to save the policy as a draft or Save and Publish policy to publish a policy and assign it to a virtual server.
    You should be able to create a rule for the Draft Policies list.
  9. Click the name of the draft policy you just created.
    The Draft Policy screen opens.
  10. From the Rules list, select Create.
    The New Rule screen opens.
  11. In the Name field, type a unique name for the rule.
  12. In the Description field, type descriptive text that identifies the rule definition.
  13. In Match all of the following conditions, click + and specify the conditions.
    For example, select Client SSL, cipher, contains, type COMPAT:AES128-GCM-SHA256, and select request.
  14. Click Add.
  15. In Do the following when the traffic is matched, click + and specify the actions:
    For example, select Enable, cache, at request.
  16. Click Save.
Now you have added a new rule to the existing policy. When you send traffic that matches the rule you defined, you should be able to see the application or category you have configured.