Manual Chapter : Enforcing Policy and Classification on IP Protocols

Applies To:


BIG-IP PEM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

About enforcing policy and classification on IP protocols

The BIG-IP system now provides classification and policy enforcement on all non-TCP and non-UDP traffic, which includes IPsec traffic. The Policy Enforcement Manager can classify, and enforce any action on, virtually any type of IP traffic. This enables service providers to detect IPsec, ICMP, GRE, and other IP protocols (especially tunneling protocols). For IPsec, both the Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols are supported, in both tunnel and transport modes.

A bottom hudfilter forwards non-TCP and non-UDP traffic for both classification and policy enforcement.

Note: HTTP redirect is not supported. Depending on the protocol, not all actions work, and some traffic is not steered.
Important: You can use SNAT only when you forward ICMP and ICMPv6 traffic.

Creating Any IP profiles for PEM

Before you create multiple Any IP profiles, you must create a listener in Policy Enforcement Manager (PEM), which creates a virtual server with an Any IP profile.
You can create a new Any IP profile through local traffic management in PEM.
  1. On the Main tab, click Local Traffic > Profiles > Any IP. The Any IP screen opens.
  2. Click Create. The New Any IP Profile screen opens.
  3. From the Parent Profile list, select the default ipother profile, or any other Any IP profile from which the new profile should inherit its settings.
    Note:
    You will see multiple Any IP profiles in the list only if you have created the profiles earlier.
  4. To specify the idle timeout, click Customize, select Specify, and type a value (in seconds). The idle timeout is the number of seconds a connection must be idle before it becomes eligible for deletion.
  5. Click Finished.
Now you have created a new Any IP profile. You can view the non-TCP and non-UDP traffic that passes through the BIG-IP system (Statistics > Classification > Statistics).

Updating Any IP profile

If you have created another Any IP profile and want to attach it to the Any IP traffic, you can attach the profile through local traffic management in Policy Enforcement Manager (PEM).
  1. On the Main tab, click Local Traffic > Virtual Servers > Virtual Server List. The Virtual Server List screen opens.
  2. Select a virtual server. The virtual server's properties screen opens.
  3. From the Protocol list, select *All Protocols. The Any IP Profile setting is displayed.
  4. From the Any IP Profile list, select the default ipother profile, or any other Any IP profile that you want to attach.
    Note:
    You will see multiple Any IP profiles from the list only if you have created the profiles earlier.
  5. Click Update.
Now you have updated the Any IP profile and attached it to the Any IP traffic.

IPOther filter for current PEM actions

The policy actions configured in the Policy Enforcement Manager can support non-TCP and non-UDP traffic flows. The following table lists which actions are supported for non-TCP and non-UDP traffic.

Action                             All non-TCP and non-UDP flows
Forwarding                         Only non-tunnel protocols. Note: ICMP traffic can be steered.
Service-chain                      Only non-tunnel protocols. Note: ICMP traffic can be steered.
Cloning                            Yes
BWC (both directions)              Yes
L2 QoS markings (both directions)  Yes
Flow Reporting                     Yes
Session Reporting                  Yes
Gate status drop                   Yes
Quota                              Yes
HTTP-redirect                      No
Modify HTTP headers                No
iRules                             CLIENT_DATA and CLIENT_ACCEPTED iRules only (like the UDP filter).
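To make the classification this chapter describes concrete, here is an added example (not BIG-IP or F5 code) that parses constructed IPv4 packets, names the IP protocol, separates non-TCP/UDP flows from TCP/UDP, flags encapsulation protocols such as GRE and IP-in-IP, and, for IPsec, reports tunnel versus transport mode where the outer packet makes that visible (AH exposes its Next Header field; ESP does not). The forwarding_applies helper mirrors the "Only non-tunnel protocols" rows of the table above. The protocol-number map, the choice of which protocols count as "tunnel protocols", and all sample packets are assumptions constructed for this example; it covers IPv4 only.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# IANA IP protocol numbers relevant to this chapter (constructed lookup for
# this example; it is not a BIG-IP data structure).
PROTO_NAMES = {
    1: "ICMP", 4: "IPv4-in-IPv4", 6: "TCP", 17: "UDP", 41: "IPv6-in-IPv4",
    47: "GRE", 50: "ESP", 51: "AH", 58: "ICMPv6",
}
# Protocols whose purpose is to carry another IP packet. Assumption: these are
# what the actions table means by "tunnel protocols".
TUNNEL_PROTOS = {4, 41, 47}


@dataclass
class Classification:
    protocol: int
    name: str
    non_tcp_udp: bool           # True for everything that is not TCP or UDP
    tunnel: bool                # True for encapsulation protocols (GRE, IP-in-IP)
    ipsec_mode: Optional[str]   # "tunnel", "transport", "unknown", or None


def parse_ipv4(pkt: bytes) -> Tuple[int, str, str, bytes]:
    """Return (protocol, src, dst, payload) from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return proto, src, dst, pkt[ihl:]


def classify(pkt: bytes) -> Classification:
    proto, _src, _dst, payload = parse_ipv4(pkt)
    name = PROTO_NAMES.get(proto, f"IP protocol {proto}")
    tunnel = proto in TUNNEL_PROTOS
    mode = None
    if proto == 51:
        # AH is authenticated but not encrypted, so its Next Header field is
        # readable: an inner IP header (4 or 41) means tunnel mode.
        nh = payload[0] if payload else None
        if nh in (4, 41):
            mode = "tunnel"
        elif nh is not None:
            mode = "transport"
        else:
            mode = "unknown"
    elif proto == 50:
        # ESP keeps Next Header inside the encrypted trailer, so tunnel vs
        # transport cannot be told from the outer packet alone.
        mode = "unknown"
    return Classification(proto, name, proto not in (6, 17), tunnel, mode)


def forwarding_applies(c: Classification) -> bool:
    """Mirror the table: Forwarding / Service-chain apply to non-TCP/UDP flows
    only for non-tunnel protocols (ICMP included)."""
    return c.non_tcp_udp and not c.tunnel


# ---- constructed sample packets -------------------------------------------
def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_ipv4(proto: int, payload: bytes, src: str = "10.0.0.1",
               dst: str = "10.0.0.2") -> bytes:
    # Header checksum is left as 0; the classifier does not verify it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, _ip(src), _ip(dst))
    return hdr + payload


AH_FIXED = b"\x04\x00\x00" + b"\x00\x00\x02\x00" + b"\x00\x00\x00\x01" + b"\xbb" * 12
SAMPLES = {
    "icmp_echo":    build_ipv4(1, b"\x08\x00\x00\x00\x00\x01\x00\x01"),
    "gre":          build_ipv4(47, b"\x00\x00\x08\x00" + b"\x45" + b"\x00" * 19),
    "esp":          build_ipv4(50, b"\x00\x00\x01\x00" + b"\x00\x00\x00\x01" + b"\xaa" * 16),
    # AH layout: Next Header, Payload Len, Reserved(2), SPI(4), Seq(4), ICV(12)
    "ah_transport": build_ipv4(51, b"\x06" + AH_FIXED),   # next header = TCP
    "ah_tunnel":    build_ipv4(51, b"\x04" + AH_FIXED),   # next header = IPv4
    "tcp_syn":      build_ipv4(6, b"\x00" * 20),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        c = classify(pkt)
        print(f"{label:13} {c.name:13} nonTCP/UDP={str(c.non_tcp_udp):5} "
              f"tunnel={str(c.tunnel):5} ipsec={c.ipsec_mode} "
              f"forwarding={forwarding_applies(c)}")
```

Running the block prints one line per sample; the ICMP packet is the only one that is both non-TCP/UDP and eligible for forwarding, GRE is excluded as a tunnel protocol, and the two AH packets differ only in their Next Header byte, which is exactly what separates tunnel mode from transport mode for AH.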