Applies To:

Show Versions Show Versions

Manual Chapter: Configuration Guide for BIG-IP Local Traffic Management: 5 - Understanding Profiles
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>


5

Understanding Profiles


Introducing profiles

The BIG-IP® local traffic management system can manage application-specific network traffic in a variety of ways, depending on the protocols and services being used. For example, you can configure the BIG-IP system to compress HTTP response data, or you can configure the system to authenticate SSL client certificates before passing requests on to a target server.

For each type of traffic that you want to manage, the BIG-IP system contains configuration tools that you can use to intelligently control the behavior of that traffic. These tools are called profiles. A profile is a system-supplied configuration tool that enhances your capabilities for managing application-specific traffic. More specifically, a profile is an object that contains user-configurable settings, with default values, for controlling the behavior of a particular type of network traffic, such as HTTP connections. After configuring a profile, you associate the profile with a virtual server. The virtual server then processes traffic according to the values specified in the profile. Using profiles enhances your control over managing network traffic, and makes traffic-management tasks easier and more efficient.

You can associate multiple profiles with a single virtual server. For example, you can associate a TCP profile, an SSL profile, and an HTTP profile with the same virtual server.

Profile types

The BIG-IP system provides several types of profiles. While some profile types correspond to specific protocols, such as HTTP, SSL, and FTP, other profiles pertain to traffic behaviors applicable to multiple protocols. Examples of these are connection persistence profiles and authentication profiles. Table 5.1 lists the available profile types, with descriptions.

 

Table 5.1 Available profile types on the BIG-IP system
Profile Type
Description
Services profiles
HTTP
Defines the behavior of HTTP traffic.
FTP
Defines the behavior of FTP traffic.
Persistence profiles
Cookie
Implements session persistence using HTTP cookies.
Destination Address Affinity
Implements session persistence based on the destination IP address specified in the header of a client request. Also known as sticky persistence.
Hash
Implements session persistence in a way similar to universal persistence, except that the BIG-IP system uses a hash for finding a persistence entry.
Microsoft® Remote Desktop
Implements session persistence for Microsoft® Remote Desktop Protocol sessions.
SIP
Implements session persistence for connections using Session Initiation Protocol Call-ID.
Source Address Affinity
Implements session persistence based on the source IP address specified in the header of a client request. Also known as simple persistence.
SSL
Implements session persistence for non-terminated SSL sessions, using the session ID.
Universal
Implements session persistence using the BIG-IP system's Universal Inspection Engine (UIE).
Protocol profiles
Fast L4
Defines the behavior of Layer 4 IP traffic.
Fast HTTP
Improves the speed at which a virtual server processes traffic.
TCP
Defines the behavior of TCP traffic.
UDP
Defines the behavior of UDP traffic.
SSL profiles
Client
Defines the behavior of client-side SSL traffic. See also Persistence Profiles.
Server
Defines the behavior of server-side SSL traffic. See also Persistence Profiles.
Authentication profiles
LDAP
Allows the BIG-IP system to authenticate traffic based on authentication data stored on a remote Lightweight Directory Access Protocol (LDAP) server.
RADIUS
Allows the BIG-IP system to authenticate traffic based on authentication data stored on a remote RADIUS server.
TACACS+
Allows the BIG-IP system to authenticate traffic based on authentication data stored on a remote TACACS+ server.
SSL Client Certificate LDAP
Allows the BIG-IP system to control a client's access to server resources based on data stored on a remote LDAP server. Client authorization credentials are based on SSL certificates, as well as defined user groups and roles.
SSL OCSP
Allows the BIG-IP system to check on the revocation status of a client certificate using data stored on a remote Online Certificate Status Protocol (OCSP) server. Client credentials are based on SSL certificates.
Other profiles
OneConnect
Enables client requests to reuse server-side connections. The ability for the BIG-IP system to reuse server-side connections is known as Connection PoolingTM.
Statistics
Provides user-defined statistical counters.
Stream
Searches for and replaces strings within a data stream, such as a TCP connection.

 

Default profiles

The BIG-IP system includes one or more default profiles for each profile type listed in Table 5.1 . A default profile is a system-supplied profile that contains default values for its settings. An example of a default profile is the http default profile. You can use a default profile in several ways:

  • You can use a default profile as is.
    You simply configure your virtual server to reference the default profile.
  • You can modify the default profile settings (not recommended).
    When you modify a default profile, you lose the original default profile settings. Thus, any custom profiles you create in the future that are based on that default profile inherit the modified settings.
  • You can create a custom profile, based on the default profile (recommended).
    This allows you to preserve the default profile, and instead configure personalized settings in the custom profile. Custom profiles inherit some of the setting values of a parent profile that you specify. After creating a custom profile, you can configure your virtual server to reference the custom profile instead of the default profile. For more information on custom profiles, see Custom and parent profiles , following.
Note

You can modify a default profile, but you cannot create or delete a default profile.

Custom and parent profiles

A custom profile is a profile that is derived from a parent profile that you specify. A parent profile is a profile from which your custom profile inherits its settings and their default values.

When creating a custom profile, you have the option of changing one or more setting values that the profile inherited from the parent profile. In this way, you can pick and choose which setting values you would like to change and which ones you would like to retain. An advantage to creating a custom profile is that by doing so, you preserve the setting values of the parent profile.

Note

If you do not specify a parent profile when you create a custom profile, the BIG-IP system automatically assigns a related default profile as the parent profile. For example, if you create a custom HTTP type of profile, the default parent profile is the default profile http.

Using the default profile as the parent profile

A typical profile that you can specify as a parent profile when you create a custom profile is a default profile. For example, if you create a custom TCP-type profile called my_tcp_profile, you can use the default profile tcp as the parent profile. In this case, the BIG-IP system automatically creates the profile my_tcp_profile so that it contains the same settings and default values as the default profile tcp. The new custom profile thus inherits its settings and values from its parent profile. You can then retain or change the inherited setting values in the custom profile to suit your needs.

Using a custom profile as the parent profile

When creating a custom profile, you can specify another custom profile, rather than the default profile, as the parent profile. The only restriction is that the custom profile that you specify as the parent must be of the same profile type as the profile you are deriving from the parent. Once you have created the new custom profile, its settings and default values are automatically inherited from the custom profile that you specified as the parent.

For example, if you create a profile called my_tcp_profile2, you can specify the custom profile my_tcp_profile as its parent. The result is that the default setting values of profile my_tcp_profile2 are those of its parent profile my_tcp_profile.

If you subsequently modify the settings of the parent profile (my_tcp_profile), the BIG-IP system automatically propagates those changes to the new custom profile.

For example, if you create the custom profile my_tcp_profile and use it as a parent profile to create the custom profile my_tcp_profile2, any changes you make later to the parent profile my_tcp_profile are automatically propagated to profile my_tcp_profile2. Conversely, if you modify any of the settings in the new custom profile (in our example, my_tcp_profile2), the new custom profile does not inherit values from the parent profile for those particular settings that you modified.

Summarizing profiles

Profiles are a configuration tool that you can use to affect the behavior of certain types of network traffic. By default, the BIG-IP system provides you with a set of profiles that you can use as is. These profiles contain various settings that define the behavior of different types of traffic. Profiles also give you a way to enable connection and session persistence, and to manage client application authentication. Once you have assigned a profile to a virtual server, the BIG-IP system manages any traffic that corresponds to that profile type according to the settings defined in that profile.

There are two possible types of profiles: default profiles, which the BIG-IP system supplies, and custom profiles, which you typically create.

To help you better manage HTTP and TCP traffic specifically, the BIG-IP system includes a set of F5-created custom profiles. These profiles contain recommended configurations that you would most likely want to use. By using these profiles, you do not need to create them yourself.

Default profiles are useful when the values contained in them are sufficient for your needs. Custom profiles are useful when you want your values to differ from those contained in the default profile. To ease your task of configuring and maintaining profiles, the BIG-IP system ensures that a custom profile automatically inherits settings and values from a parent profile.

When you create profiles to manage a type of network traffic, you can use them in the following ways:

  • You do not need to take any action to use the default profiles that are enabled by default. The BIG-IP system uses them to automatically direct the corresponding traffic types according to the values specified in the those profiles.
  • You can create a custom profile, using the default profile as the parent profile, modifying some or all of the values defined in that profile.
  • You can create a custom profile to use as a parent profile for other custom profiles.

Creating and modifying profiles

As described in the previous section, profiles are a configuration tool to help you manage your application traffic. To make use of profiles, you can either use the default profiles that the BIG-IP system provides, or you can create your own custom profiles. You can also modify existing profiles as needed.

More specifically, you can:

  • Use a default profile as is.
  • Modify a default profile.
  • Create a custom profile.
  • Modify a custom profile.

The following sections contain the procedures for creating and modifying profiles. To understand individual profile settings and their effect on different types of traffic, see either the remainder of this chapter, or one of the following chapters:

For background information on default and custom profiles, see Introducing profiles .

Using a default profile as is

The BIG-IP system provides a default profile that you can use as is for each type of traffic. A default profile includes default values for any of the properties and settings related to managing that type of traffic. To implement a default profile, you simply assign the profile to a virtual server, using the Configuration utility. You are not required to configure the setting values. For more information, see Implementing a profile .

For information on creating or modifying a virtual server, see Chapter 2, Configuring Virtual Servers .

Modifying a default profile

Using the Configuration utility, you can modify the values of a default profile. We do not recommend this. Although modifying a default profile appears to be simpler and quicker than creating a custom profile, be aware that in so doing, you lose the original values. If you want to reset the profile back to its original state, you must do this manually by modifying the settings of the default profile again to specify the original values. (To find the original default values, see the relevant profile chapter in this guide, or see the online help.)

Modifying and implementing a default profile is a two-step process:

  • First, you must modify the settings of the default profile, using the Configuration utility. For more information, see To modify a default profile , following.
  • Second, you must associate that profile with a virtual server. For information on associating a profile with a virtual server, see Implementing a profile .

To modify a default profile

  1. On the Main tab, expand Local Traffic, and click Profiles.
    The HTTP Profiles screen opens.
  2. Select the default profile that you want to modify:
    • If you are modifying the http profile, click the name http.
      This displays the properties and settings of the default http profile.
    • If you are modifying a default profile other than the http profile, click the appropriate profile menu on the menu bar and choose a profile type. Then click a profile name.
      This displays the properties and settings of that default profile.
  3. Modify the settings to suit your needs.
  4. Click Update.

Creating a custom profile

If you do not want to use a default profile as is or change its settings, you can create a custom profile. Creating a custom profile and associating it with a virtual server allows you to implement your own specific set of traffic-management policies.

When you create a custom profile, the profile is a child profile and automatically inherits the setting values of a parent profile that you specify. However, you can change any of the values in the child profile to better suit your needs. If you do not specify a parent profile, the BIG-IP system uses the default profile that matches the type of profile you are creating. For background information on custom profiles and inheritance of setting values, see Custom and parent profiles .

Implementing a custom profile is a two-step process:

  • First, you must create the custom profile, using the Configuration utility. For more information, see To create a custom profile .
  • Second, you must associate that profile with a virtual server. For information on associating a profile with a virtual server, see Implementing a profile .
Important

Within the Configuration utility, each profile creation screen contains a check box to the right of each profile setting. When you check a box for a setting and then specify a value for that setting, the profile then retains that value, even if you change the corresponding value in the parent profile later. Thus, checking the box for a setting ensures that the parent profile never overwrites that value through inheritance.

To create a custom profile

  1. On the Main tab, expand Local Traffic, and click Profiles.
    The Profiles screen opens and, by default, displays a list of any existing HTTP profiles.
  2. Select the type of profile you want to create:
    • If you are creating an HTTP type of profile, proceed to step 3.
    • If you are creating another type of profile, click a profile category on the menu bar and choose a profile type. Then proceed to step 3.
  3. On the right side of the screen, click Create.
    This displays the screen to create a new profile.
  4. In the Name box, type a unique name for your profile.
  5. For the Parent Profile setting, select a profile from the list.
    You can select either the default profile or another custom profile.
  6. Specify, modify, or retain values for all settings:
    • If you want to specify or modify a value, locate the setting, click the box in the Custom column on the right side of the screen, and then type or modify a value.
    • If you want to retain a value inherited from the parent profile, leave the setting as is. Do not check the box in the Custom column.
  7. Click Finished.

Tip


An alternative way to access the New Profile screen in the Configuration utility is to locate the Main tab, expand Local Traffic, click the Create button adjacent to the Profiles menu item, and select a profile type.

Modifying a custom profile

Once you have created a custom profile, you can use the Configuration utility to adjust the settings of your custom profile later if necessary. If you have already associated the profile with a virtual server, you do not need to perform that task again.

Important

Within the Configuration utility, each profile creation screen contains a check box to the right of each profile setting. When you check a box for a setting and then specify a value for that setting, the profile then retains that value, even if you change the corresponding value in the parent profile later. Thus, checking the box for a setting ensures that the parent profile never overwrites that value through inheritance.

To modify custom profile settings

  1. On the Main tab, expand Local Traffic, and click Profiles.
    The HTTP Profiles screen opens.
  2. Point to the menu for the type of profile you want to modify (Services, Persistence, Protocols, SSL, or Authentication) and choose a profile type.
    This displays a list of existing profiles of that type.
  3. In the Name column, click the name of the profile you want to modify.
    This displays the settings and values for that profile.
  4. Modify or retain values for all settings:
    • If you want to modify a value, locate the setting, click the box in the Custom column on the right side of the screen, and then modify the value.
    • If you want to retain a value inherited from the parent profile, leave the setting as is. Do not check the box in the Custom column.
    • If you want to reset a value back to the parent profile value, clear the check box in the Custom column on the right side of the screen.
  5. Click the Update button.

Viewing and deleting profiles

You can use the Configuration utility to view a list of profiles or delete a profile from the system.

Viewing a list of profiles

You can view a list of existing profiles. When you display a list of profiles, the Configuration utility displays the following information about each profile:

  • Profile name
  • Type of profile (persistence and authentication profiles only)
  • Parent profile

Use the following procedure to view a list of profiles defined on the BIG-IP system.

Tip


When listing existing profiles, you can use the Search box that appears directly above the profile list. With the Search box, you can specify a string to filter the list, thereby showing only those objects that match the string. The default setting is an asterisk (*), which means show all objects.

To view a list of profiles

  1. On the Main tab, expand Local Traffic, and click Profiles.
    The HTTP Profiles screen opens.
  2. If you want to list profiles other than HTTP profiles, complete steps 3 and 4.
  3. On the menu bar, click the category of profile you want to view. For example, if you want to view a list of TCP profiles, click Protocol.
  4. From the menu, choose a profile type.
    The list screen opens for that profile type.

Deleting a profile

You can delete any existing profile except a default profile.

To delete a profile

  1. Display the pertinent list of profiles, using the previous procedure.
  2. Click the Select box to the left of the custom profile that you want to delete.
  3. Click Delete.
    A confirmation screen appears.
  4. Click Delete.

Implementing a profile

Once you have created a profile for a specific type of traffic, you implement the profile by associating that profile with one or more virtual servers.

You associate a profile with a virtual server by configuring the virtual server to reference the profile. Whenever the virtual server receives that type of traffic, the BIG-IP system applies the profile settings to that traffic, thereby controlling its behavior. Thus, profiles not only define capabilities per network traffic type, but also ensure that those capabilities are available for a virtual server.

To assign a profile to a virtual server

  1. On the Main tab, expand Local Traffic, and click Virtual Servers.
    The Virtual Servers screen opens.
  2. In the Name column, click a virtual server name.
    This displays the properties and settings for that virtual server.
  3. Locate the setting for the type of profile you want to assign and select the name of a default or custom profile.
  4. At the bottom of the screen, click Update.
Note

You can also assign a profile to a virtual server at the time that you create the virtual server.

Because certain kinds of traffic use multiple protocols and services, users often create multiple profiles and associate them with a single virtual server.

For example, a client application might use the TCP, SSL, and HTTP protocols and services to send a request. This type of traffic would therefore require three profiles, based on the three profile types TCP, Client SSL, and HTTP.

Each virtual server lists the names of the profiles currently associated with that virtual server. You can add or remove profiles from the profile list, using the Configuration utility.

The BIG-IP system has specific requirements regarding the combinations of profile types allowed for a given virtual server. Table 5.2 shows the specific combinations of profile types that you can configure on a virtual server.

Table 5.2 Profile combinations that the BIG-IP system allows and disallows
Profile Type
Prerequisite
Profiles
Incompatible Profiles
Protocol profiles
Fast L4
None
All
Fast HTTP
None
All
TCP
None
UDP, Fast L4, Fast L7
UDP
None
TCP, Fast L4, Fast L7
Services profiles
HTTP
TCP
FTP
FTP
TCP
HTTP, CLient SSL or Server SSL
SSL profiles
Client SSL
TCP
FTP
Server SSL
TCP
FTP
Persistence profiles
Cookie
HTTP
N/A
Destination Address Affinity
Any
None
Hash
Fast L4, TCP, UDP
N/A
MSRDP
TCP
N/A
SIP
TCP or UDP
FTP
Source Address Affinity
Any
None
SSL
TCP
FTP
Universal
None
N/A
Authentication profiles
LDAP
TCP
N/A
RADIUS
TCP
N/A
TACACS+
TCP
N/A
SSL Client Certificate LDAP
TCP
N/A
OCSP
TCP
N/A
Other profiles
OneConnect
TCP
N/A
Statistics
TCP
N/A
Stream
TCP
Fast L4, UDP

 

In directing traffic, if a virtual server requires a specific type of profile that does not appear in its profile list, the BIG-IP system uses the relevant default profile, automatically adding the profile to the profile list. For example, if a client application sends traffic over TCP, SSL, and HTTP, and you have assigned SSL and HTTP profiles only, the BIG-IP system automatically adds the default profile tcp to its profile list.

At a minimum, a virtual server must reference a profile, and that profile must be associated with a UDP, Fast L4, Fast HTTP, or TCP profile type. Thus, if you have not associated a profile with the virtual server, the BIG-IP system adds a UDP, Fast L4, Fast HTTP, or TCP default profile to the profile list.

The default profile that the BIG-IP system chooses depends on the configuration of the virtual server's protocol setting. If the protocol setting is set to UDP, the BIG-IP system adds the udp profile to its profile list. If the protocol setting is set to anything other than UDP, the BIG-IP system adds the Fast L4 profile to its profile list.

For more information

For information on configuring specific types of profiles, see the following chapters:




Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)