Manual Chapter : Configuring Intelligent Traffic Steering

Applies To:

BIG-IP PEM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Overview: Configuring intelligent traffic steering

You can use the Policy Enforcement Manager to set up the BIG-IP system to classify and intelligently steer traffic on the network. The system automatically sets up virtual servers for TCP and UDP traffic so that the BIG-IP system can classify the traffic and direct it to one or more steering endpoints based on traffic characteristics.

What is traffic steering?

Policy Enforcement Manager provides the ability to intelligently steer traffic based on policy decisions made using classification criteria, URL category, flow information, or custom criteria (iRule events). Steering, also called traffic forwarding, can help you police, control, and optimize traffic. You can forward a particular type of traffic to a pool of one or more servers designed to handle that type of traffic, or to a location closer to clients requesting a service. For example, you can send HTTP video traffic to a pool of video delivery optimization servers. You can have one policy option to classify each transaction, which allows transaction-aware steering. This ability to classify traffic for every transaction is called transactional policy enforcement. Classification per transaction is for HTTP traffic only.

You set up steering by creating an enforcement policy that defines the traffic that you want to send to a particular location or endpoint. Rules in the enforcement policy specify conditions that the traffic must match, and actions for what to do with that traffic. One of the actions you can take is to forward the traffic to a particular endpoint, called a forwarding endpoint.

You can create listeners to set up virtual servers and associate the enforcement policies with the traffic that is sent to them. The system also creates a Policy Enforcement profile that specifies the enforcement policy that the system uses, among other uses, for traffic steering.

Creating a pool

You can create a pool of servers that you can group together to receive and process traffic.
  1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
  2. Click Create. The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add each resource that you want to include in the pool:
    1. Type an IP address in the Address field.
    2. Type a port number in the Service Port field, or select a service name from the list.
    3. To specify a priority group, type a priority number in the Priority Group Activation field.
    4. Click Add.
  5. Click Finished.
The new pool appears in the Pools list.

Creating forwarding endpoints

Before you can create an endpoint, you need to create a pool that specifies where you want to direct the classified traffic.
To set up traffic steering, you need to create a forwarding endpoint, which specifies where to send the traffic. If you are configuring w-steering or service chains, you need to create multiple endpoints.
  1. On the Main tab, click Policy Enforcement > Forwarding > Endpoints. The Endpoints screen opens.
  2. Click Create. The New Endpoint screen opens.
  3. In the Name field, type a name for the endpoint.
  4. From the Pool list, select the pool to which you want to steer a particular type of traffic, for example, in a policy rule.
  5. If you want to translate the destination address of the virtual server to that of the pool, from the Address Translation list, select Enabled. Otherwise, leave this setting disabled.
  6. If you want to translate the original destination port to another port, from the Port Translation list, select Enabled. Otherwise, leave this setting disabled.
  7. From the Source Port list, select the appropriate option for the source port of the connection.
    • Preserve: Maintains the value configured for the source port, unless the source port from a particular SNAT is already in use.
    • Preserve Strict: Maintains the value configured for the source port. If the port is in use, the system does not process the connection. Use this setting only when (1) the port is configured for UDP traffic; (2) the system is configured for nPath routing or running in transparent mode; or (3) a one-to-one relationship exists between virtual IP addresses and node addresses, or clustered multi-processing (CMP) is disabled.
    • Change: Specifies that the system changes the source port.
  8. To specify a SNAT pool for address translation, from the SNAT Pool list, select the name of an existing SNAT pool. The steering endpoint uses the SNAT pool to implement selective and intelligent SNATs.
  9. If you have multiple pool members and want specific traffic to go to the same pool member every time, from the Persistence list, select the appropriate IP address type:
    • Source Address: Map the source IP address to a specific pool member so that subsequent traffic from this address is directed to the same pool member.
    • Destination Address: Map the destination IP address to a specific pool member so that subsequent traffic from this address is directed to the same pool member.
    If you do not need to maintain persistence, leave Persistence set to Disabled, the default value.
  10. Click Finished.
You can direct traffic to the endpoint you created in the policy rules of an enforcement policy.

Creating an enforcement policy

If you want to classify and intelligently steer traffic, you need to create an enforcement policy. The policy describes what to do with specific traffic, and how to treat the traffic.
  1. On the Main tab, click Policy Enforcement > Policies. The Policies screen opens.
  2. Click Create. The New Policy screen opens.
  3. In the Name field, type a name for the policy.
    Tip: When creating policies you plan to apply globally or to unknown subscribers, it is a good idea to include the word global or unknown in the policy name to distinguish these from other subscriber policies.
  4. From the Transactional list, select Enabled if you want the BIG-IP system to allow policy enforcement on each HTTP transaction.
  5. Click Finished.
    Important: System performance is significantly affected, depending on the complexity of the classification and the type of policy action.
    The new enforcement policy is added to the policy list.
Now you must add rules to the enforcement policy to define traffic filters and actions.

Creating custom action policies

In an enforcement policy, custom action can be defined by a Policy Enforcement Manager (PEM) iRule.
  1. On the Main tab, click Policy Enforcement > Policies > iRules.
  2. Click Create. The New iRule screen opens.
  3. In the Name field, type a name for the new iRule.
  4. In the Description field, type a description of the new iRule.
  5. In the Definition field, specify the Tcl syntax that defines a custom iRule action, which can later be attached to a policy enforcement rule.
        when PEM_POLICY {
            if {[PEM::policy initial]} {
                # Commands to run the first time the policy is evaluated.
            } else {
                # Commands to run during policy re-evaluation.
            }
            # Commands to run during both policy evaluation and re-evaluation.
        }
    There can be two iRule events:
    • PEM_POLICY is triggered when a policy evaluation occurs.
    • RULE_INIT runs the first time the iRule is loaded or has changed.
    The two new PEM iRule commands are PEM::policy initial and PEM::policy name. You can select the Wrap Text check box to wrap the definition text, and select the Extend Text Area check box to increase the field space of format scripts.
  6. Click Finished. The Policy Enforcement Manager creates a new iRule, and displays the iRule list.
  7. To attach a custom action to a specific iRule, follow these steps:
    1. Click Policy Enforcement > Policies.
    2. Select a policy name.
    3. Click a policy rule.
    4. From the Custom Action list, select an iRule that you created.
  8. Click Update.
You have created a custom action in a policy, using iRules.
Note: The iRule actions are executed at the end of all the other policy actions.

Adding rules to an enforcement policy

Before you can add rules to an enforcement policy, you need to create the policy, then reopen it.
You add rules to an enforcement policy to select the traffic you want to affect, and the actions to take. A rule associates an action with a specific type of traffic. So you can, for example, add a rule to select all audio-video traffic and send it to a pool of servers that are optimized to handle that type of traffic.
  1. On the Main tab, click Policy Enforcement > Policies. The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
  3. In the Policy Rules area, click Add. The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    Tip: All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. A conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule).
  6. Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule. Other tasks describe how to do this in detail.
  7. From the Modify Header list, select Enabled to modify the HTTP request header. More modify header configuration options display.
  8. Use the Reporting, Quota, Forwarding, Modify Header or QoS areas to specify what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic. Other tasks describe how to do this in detail. If you leave Gate Status enabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
  9. Click Finished.
  10. Repeat steps 3-8 to create as many rules as needed to handle the traffic you are interested in.
The enforcement policy includes the rules with the conditions and actions you added.
Now you need to associate the enforcement policy with the virtual server (or servers) to which traffic is directed.

Creating a rule using classification criteria

You can use Layer 7 classification criteria to define conditions that the traffic must meet (or not meet) for an enforcement policy rule to apply.
  1. On the Main tab, click Policy Enforcement > Policies. The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
  3. In the Policy Rules area, click Add. The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    Tip: All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. A conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule).
  6. On the Classification tab, in the Classification setting, specify Layer 7 matching criteria for the rule:
    1. From the Match Criteria list, select whether you want to perform actions on traffic that matches (select Match), or does not match (select No Match) the criteria specified.
    2. From the Category list, select the type of traffic this rule applies to, or select Any for all traffic.
    3. Some categories have specific applications associated with them. If this one does, from the Application list select the application this rule applies to, or select Any for all traffic in this category.
    4. Click Add to add this match criteria to the classification. Add as many matching criteria as are relevant to this rule.
  7. Use the Reporting, Quota, Forwarding, Modify Header or QoS areas to specify what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic. Other tasks describe how to do this in detail. If you leave Gate Status enabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
  8. Click Finished.
You have created a rule that applies to traffic based on classification criteria.

Creating a rule using URL categorization

You have the ability to enforce policies that are configured as part of the subscriber profile, based on the URL category type. Use Layer 7 criteria to define conditions that the traffic must meet (or not meet) for an enforcement policy rule to apply.
  1. On the Main tab, click Policy Enforcement > Policies. The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
  3. In the Policy Rules area, click Add. The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    Tip: All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. A conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule).
  6. On the URL tab, in the URL setting, specify Layer 7 matching criteria for the rule:
    1. From the Match Criteria list, select whether you want to perform actions on traffic that matches (select Match), or does not match (select No Match) the criteria specified.
    2. From the URL Category list, select the type of traffic this rule applies to.
    3. Click Add to add this match criteria to the classification. Add as many matching criteria as are relevant to this rule.
  7. Use the Reporting, Quota, Forwarding, Modify Header or QoS areas to specify what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic. Other tasks describe how to do this in detail. If you leave Gate Status enabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
  8. Click Finished.
You have created a rule that applies to traffic based on URL Category.

Modifying iRule event for URL categories

On the BIG-IP system, you can modify iRules Event settings for URL categories.
  1. On the Main tab, click Policy Enforcement > Classification. The Classification screen opens showing a list of the supported classification categories.
  2. Select a URL category. The URL Properties screen opens.
  3. In the Description field, type optional descriptive text for the category.
  4. In the iRule Event field, select the appropriate setting.
    • To trigger an iRule event for this category of traffic, select Enabled. You can then create an iRule that performs an action on this type of traffic.
    • If you do not need to trigger an iRule event for this category of traffic, select Disabled.
    Note: CLASSIFICATION::DETECTED is the only event that is supported.
You have modified an iRule event setting for an existing URL category.

Creating a rule using flow conditions

You can use flow information to define conditions that the traffic must meet (or not meet) for an enforcement policy rule to apply.
  1. On the Main tab, click Policy Enforcement > Policies. The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
  3. In the Policy Rules area, click Add. The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    Tip: All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. A conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule).
  6. On the Flow tab, in the Flow setting, specify Layer 4 conditions that the traffic must meet (or not meet) for this rule to apply.
    • Match: Select whether you want to perform actions on traffic that matches (select Match) or does not match (select No Match) the criteria specified.
    • DSCP Marking: To match incoming traffic based on a DSCP value, type an integer from 0 to 63.
    • Protocol: To specify the applicable traffic by protocol, select UDP, TCP, or leave the default value of Any.
    • Source Address/Mask: To match incoming traffic based on the address or network it is coming from, type the source IP address/netmask of the network you want the rule to affect. The default value is 0.0.0.0/32.
    • Source Port: To match incoming traffic based on the port it is coming from, type the port number you want the rule to affect. The default value (empty) matches traffic from all ports.
    • Source VLAN: To match incoming traffic based on the VLAN, select a previously configured VLAN.
    • Destination Address/Mask: To match traffic based on the address or network it is directed to, type the source IP address/netmask of the network you want the rule to affect. The default value is 0.0.0.0/32.
    • Destination Port: To match incoming traffic based on the port it is directed to, type the port number you want the rule to affect. The default value (empty) matches traffic headed to all ports.
    1. Click Add to add this match criteria to the classification.
      Tip: F5 recommends that you keep the matching criteria in a rule simple, adding more rules to specify additional conditions rather than including too many in one rule.
  7. Use the Reporting, Quota, Forwarding, Modify Header or QoS areas to specify what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic. Other tasks describe how to do this in detail. If you leave Gate Status enabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
  8. Click Finished.
You have created a rule that classifies traffic.
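
The flow conditions above and the precedence tip repeated in each rule task can be checked offline before a policy goes live. The following Python sketch is an added example, not F5 code or a BIG-IP API: it models Match/No Match flow rules and reports which rule wins when two applicable rules set the same action differently. The rule names, action keys, and addresses are constructed, and treating an unset address as "any" and merging non-conflicting actions are assumptions of this sketch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    protocol: str            # "TCP" or "UDP"
    src: str
    src_port: int
    dst: str
    dst_port: int
    dscp: int = 0


@dataclass
class Rule:
    name: str
    precedence: int                  # 1 is the highest precedence
    actions: dict                    # illustrative keys, e.g. {"gate": "disabled"}
    match: bool = True               # True = Match, False = No Match
    protocol: str = "Any"
    src_net: Optional[str] = None    # None = field left unset (assumed: any address)
    dst_net: Optional[str] = None
    src_port: Optional[int] = None   # empty matches all ports
    dst_port: Optional[int] = None
    dscp: Optional[int] = None

    def __post_init__(self):
        if self.dscp is not None and not 0 <= self.dscp <= 63:
            raise ValueError(f"{self.name}: DSCP must be an integer from 0 to 63")


def criteria_hit(rule: Rule, flow: Flow) -> bool:
    """True when every Layer 4 condition set on the rule holds for the flow."""
    return all((
        rule.protocol in ("Any", flow.protocol),
        rule.src_net is None or ip_address(flow.src) in ip_network(rule.src_net),
        rule.dst_net is None or ip_address(flow.dst) in ip_network(rule.dst_net),
        rule.src_port in (None, flow.src_port),
        rule.dst_port in (None, flow.dst_port),
        rule.dscp in (None, flow.dscp),
    ))


def rule_applies(rule: Rule, flow: Flow) -> bool:
    """Apply the Match / No Match selector to the criteria result."""
    hit = criteria_hit(rule, flow)
    return hit if rule.match else not hit


def evaluate(rules, flow):
    """Return (effective_actions, conflicts) for one flow.

    Every applicable rule contributes its actions. When two rules set the
    same action to different values, the lower precedence number wins and
    the pair is reported as (action, winning_rule, overridden_rule).
    Rules with equal precedence keep their list order (the page does not
    define a tie-break).
    """
    effective, conflicts = {}, []
    applicable = sorted((r for r in rules if rule_applies(r, flow)),
                        key=lambda r: r.precedence)
    for rule in applicable:
        for action, value in rule.actions.items():
            if action not in effective:
                effective[action] = (value, rule.name)
            elif effective[action][0] != value:
                conflicts.append((action, effective[action][1], rule.name))
    return {a: v for a, (v, _) in effective.items()}, conflicts


# Constructed sample policy, mirroring the tip: precedence 10 disables the
# gate for one destination network, precedence 11 enables it for web traffic.
RULES = [
    Rule("block-search", 10, {"gate": "disabled"},
         dst_net="203.0.113.0/24", dst_port=80),
    Rule("allow-web", 11, {"gate": "enabled", "dscp_marking": 46},
         protocol="TCP", dst_port=80),
    Rule("outside-subscribers", 20, {"forwarding": "endpoint-b"},
         match=False, src_net="10.0.0.0/8"),
]

if __name__ == "__main__":
    flow = Flow("TCP", "10.1.2.3", 40000, "203.0.113.10", 80)
    print(evaluate(RULES, flow))
```

A non-empty conflict list identifies rule pairs with overlapping criteria, which are the ones to review when a Gate Status of Disabled could override an intended allow.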

Creating a rule for forwarding traffic

You can create a rule that forwards traffic to an endpoint. For example, you might want to direct video traffic to a server that is optimized for video viewing.
  1. On the Main tab, click Policy Enforcement > Policies. The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
  3. In the Policy Rules area, click Add. The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    Tip: All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. A conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule).
  6. Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule. Other tasks describe how to do this in detail.
  7. In the Gate area, for Gate Status, select Enabled. Options provide several ways to forward the traffic.
    • To redirect traffic to a URL, for HTTP Redirect, select Enabled, and type the URL.
    • To direct traffic to a specific location, from the Forwarding list, select an option for where you would like to forward the traffic.
      • If you select Route to Network then the traffic flow is forwarded to the default destination.
      • If you select Forwarding to Endpoint, the flow is steered to a different destination and you can select one of the endpoints.
      • If you select Forward to ICAP virtual Server, the flow is forwarded to the ICAP virtual server.
    • To direct traffic to more than one location (such as value-added services), from the Service Chain list, select the name of a service chain that you previously created.
  8. Click Finished.
You have created a rule that forwards traffic.

Creating a rule for QoS

Before you can create a rule for Quality of Service (QoS), you need to create a bandwidth controller to use rate control.
You can create a rule that results in a QoS action such as DSCP marking, link QoS, or rate limiting.
Note: In the mobile market, uplink and downlink are sometimes known as forward and reverse, respectively.
  1. On the Main tab, click Policy Enforcement > Policies. The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
  3. In the Policy Rules area, click Add. The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    Tip: All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. A conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule).
  6. Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule. Other tasks describe how to do this in detail.
  7. For Gate Status, select Enabled. If you select Disabled, then the corresponding traffic will be dropped. Forwarding and QoS options are displayed.
  8. To set DSCP bits on the downlink traffic, for IP Marking (DSCP), select Specify, and type a value between 0 and 63, inclusive. The traffic that matches this rule is marked with this value.
  9. To set DSCP bits on the uplink traffic, for IP Marking (DSCP), select Specify, and type a value between 0 and 63, inclusive. The traffic that matches this rule is marked with this value.
  10. To set a Layer 2 Quality of Service (QoS) level in downlink packets, for L2 Marking (802.1p), select Specify, and type a value between 0 and 7, inclusive. Setting a QoS level affects the packet delivery priority.
  11. To set a Layer 2 Quality of Service (QoS) level in uplink packets, for L2 Marking (802.1p), select Specify, and type a value between 0 and 7, inclusive. Setting a QoS level affects the packet delivery priority.
  12. To apply rate control to downlink traffic, in the Bandwidth Controller setting, select the name of a bandwidth control policy.
    Note: You can assign any previously created static or dynamic bandwidth control policies. However, F5 does not recommend using the default-bwc-policy, which the system provides, nor the dynamic_spm_bwc_policy, which you can create to enforce dynamic QoS settings provisioned by the PCRF.
    Depending on the bandwidth control policy, PEM restricts bandwidth usage per subscriber, group of subscribers, per application, per network egress link, or any combination of these.
  13. To apply rate control to uplink traffic and per category of application, in the Bandwidth Controller setting, select the name of a bandwidth control policy.
    Note: You can assign any previously created static or dynamic bandwidth control policies. However, we do not recommend using the default-bwc-policy, which the system provides, nor the dynamic_spm_bwc_policy, which you can create for communicating with the PCRF.
    Depending on the bandwidth control policy, PEM restricts bandwidth usage per subscriber, group of subscribers, per application, per network egress link, per category of applications or any combination of these.
  14. Click Finished.
You have created a rule that manages QoS traffic.

Creating a listener

If you want to steer specific traffic, or otherwise regulate certain types of traffic, you need to have developed enforcement policies. If using a Gx interface to a PCRF, you need to create a listener that connects to a PCRF.
You can create listeners that specify how to handle traffic for policy enforcement. Creating a listener does preliminary setup on the BIG-IP system for application visibility, intelligent steering, bandwidth management, and reporting.
  1. On the Main tab, click Policy Enforcement > Listeners. The Listeners screen opens.
  2. Click Create. The New Listener screen opens.
  3. In the Name field, type a unique name for the listener.
  4. For the Destination setting, select Host or Network, and type the IP address or network and netmask to use.
    Tip: You can use a catch-all virtual server (0.0.0.0) to specify all traffic that is routed to the BIG-IP system.
    The system will create a virtual server using the address or network you specify.
  5. For the Service Port setting, type or select the service port for the virtual server.
  6. Subscriber provisioning using RADIUS is enabled by default. If your system is using RADIUS for snooping subscriber identity, you need to specify VLANs and tunnels. If you are not using RADIUS, you need to disable it.
    • For the VLANs and Tunnels setting, move the VLANs and tunnels that you want to monitor for RADIUS traffic from the Available list to the Selected list.
    • If you do not want to use RADIUS, from the Subscriber Identity Collection list, select Disabled.
  7. In the Policy Provisioning area, select enforcement policies to apply to the traffic.
    1. For Global Policy, move policies to apply to all subscribers to High Precedence or Low Precedence.
      Note: For URL categorization to take effect, you need to associate the enforcement policy with a classification profile.
    2. For Unknown Subscriber Policy, move policies to use if the subscriber is unknown to Selected.
    The system applies the global policy to all subscribers in parallel with the subscriber policies, and it must be configured with an unknown subscriber policy. High-precedence global policies override conflicting subscriber policies, and low-precedence policies are overridden by conflicting subscriber policies.
  8. Click Finished. The Policy Enforcement Manager creates a listener, and displays the listener list.
When you create a listener, the Policy Enforcement Manager also creates virtual servers for each type of traffic (TCP, UDP, or both and IP), and a virtual server for HTTP traffic. The system sets up classification and assigns the appropriate policy enforcement profile to the virtual servers. If you are connecting to a RADIUS authentication server, a virtual server for RADIUS is also added.
Now you can send traffic through the network. As network traffic moves through the BIG-IP system, the system classifies the traffic, and if you have developed policies, the system performs the actions specified by the enforcement policy rules.