Overview¶

Modes¶

The iApp supports multiple modes of operation:

Mode	Description
Standalone	Deployment driven by BIG-IP via GUI or API (SOAP/REST
F5 iWorkflow	Deployment driven by the F5’s iWorkflow product (Service Catalog/REST Proxy)
Cisco APIC	Deployment driven by L4-7 Service Graphs via the iWorkflow Dynamic Device Package and Cisco Systems APIC Controller
VMware NSX	Deployment driven by L4-7 Service Insertion via iWorkflow from VMware NSX

Features¶

Deployment Control¶

Strict Updates setting Control
Automated Statistics Handler Creation
Deployment mode override
Route Domain support
ASM/APM Policy Redeployment Control
- Preserve on-box policy (allow out-of-band policy updates)
- Enforce template policy (overwrite local changes)
Deployment Log Level Control

L4-7 Helpers¶

Statistics:
- TLS/SSL
- HTTP
- Virtual Server/Pool
HTTP/HTTPS ADC:
- Full HTTP/L7 Policy Creation (e.g. URI/Header/etc based routing, HTTP Request Manipulation)
- X-Forwarded-For Header Insertion
- HTTP->HTTPS Redirect creation
- TLS/SSL Easy Cipher String
L4 Security:
- L4 Firewall Policy Support
- Dynamic IP Blacklisting/IP Intelligence (BIG-IP subscription required)
- Static Blacklist Source Address List
- Static Allowed Source Address List
HTTP/HTTPS L7 Security:
- HTTP Strict Transport Security Header Insertion
- Web Application Firewall (ASM) policy bundling and deployment from URL
- Identity and Access Management (APM) policy bundling deployment from URL

Custom Extensions¶

Extensibility through custom TCL scripting
- See Custom Extensions for more info

Virtual Address Options¶

Route Advertisement Control
Advanced Option Support
- Access to any TMSH configurable attribute

Virtual Server Options¶

Multiple listeners:
- IPv4 & IPv6 Address and L4 Port
  - Remove SSL/TLS profile(s) (Client, Server, Both)
  - Destinations:
    - Pools (template created and existing pools on system)
    - Create additional HTTP->HTTPS Redirect
Administrative Attributes:
- Name
- Description
L3/4 Functionality:
- IPv4 & IPv6
- Types:
  - Standard
  - Performance/FastL4
  - Forwarding (L2/IP)
  - Internal
  - IP
- Network Mask
- Port
- Protocol (tcp/udp)
- L4 Protocol Profiles (Server/Client-side)
  - Access to any TMSH configurable attribute via ‘create’ syntax
- SNAT
  - Automap
  - Pre-existing SNAT Pool
  - Dynamic SNAT Pool creation
  - Dynamic SNAT Pool referencing (Cisco APIC specific)
- Connection Limits
- Dynamic IP Blacklist/IP Intelligence Profiles
- Source Port Behavior
- Connection Mirroring
- Advanced Option Support
  - Access to any TMSH configurable attribute
L4-7 Functionality:
- iRules:
  - Reference pre-existing iRules (ordering preserved)
  - Bundled iRule support
  - Dynamically load from URL
    Required URLs
    
    Optional URLs - allow deployment to succeed if iRule does not exist on remote server
  - Advanced Profile Support
    - Reference any pre-existing policy on the device
- SSL/TLS:
  - Dynamically created Client-SSL profiles
    Reference pre-existing static Cert/Key
    
    ‘auto’ mode to dynamically link pre-existing Cert/Key pair
    
    Load cert/key from URL
  - Certificate Chain/Bundle
  - Cipher String
  - Advanced Option Support
    - Access to any TMSH configurable Client-SSL profile attribute
- Profiles with create syntax support:
  - L4 Protocol (tcp/udp/fastL4)
  - HTTP
  - OneConnect
  - Compression
  - Request Logging
  - Server-SSL
  - Client-SSL
  - Default/Fallback Persistence
- Profiles without create syntax support:
  - Pre-existing Client-SSL
  - Analytics
  - Security Logging
  - DoS Protection
  - Access Specific (APM):
    - Access Profile
    - Connectivity Profile
    - Per-Request Profile

Pool Options¶

Create multiple pools
Advanced Option Support
- Access to any TMSH configurable attribute
Administrative Attributes:
- Name
- Description
Health Monitor(s) w/ Minimum # monitors
Load Balancing Method
Dynamic Member Update Defaults (Port)
Members
- Addressing
  - IPv4 & IPv6
  - Existing Node
  - Node Creation with Custom Name
  - FQDN Lookup
- Port
- Connection Limit
- Ratio
- Priority Groups
- Administrative State
- Advanced Option Support
  - Access to any TMSH configurable attribute

Health Monitors¶

Multiple monitor support
Create custom health monitors
- Advanced Option Support
  - Access to any TMSH configurable attribute
Reference existing health monitors

Helper Scripts¶

import_template_bigip.py: Create/update iApp template
import_cery_key.py: Create/update SSL/TLS Cert/Key on BIG-IP
deploy_iapp_bigip.py: Deploy iApp Service on BIG-IP
delete_iapp_bigip.py: Delete iApp Service on BIG-IP

User Guide¶

This guide will walk you through the functionality of the App Services Integration iApp template. The guide is built in a lab format and assumes the user has access to a suitable lab environment.

For access to evaluation licenses please contact your F5 Account Team.

F5 products are also available on the following public cloud providers:

Amazon AWS
Microsoft Azure

Note

Please enter all input values EXACTLY as defined in this guide. Deviation from the guide will result in failures in later labs. This includes preserving the case-sensitivity of input values.

Getting Started¶

In this section we will review the assumptions this document makes for the lab environment. We will then install the App Services Integration iApp template on your BIG-IP system.

Lab Environment¶

This guide assumes the following devices are available in your lab environment:

Minimum 1 x F5 BIG-IP (Version Info)
1 x Windows/Linux/Mac OS Host
- Python >= 2.7
- Web Browser (Google Chrome is recommended)

To complete the labs that demonstrate loading of resources by URL in iRule & WAF/IAM Policies you will need:

1 x HTTP Web Server
remote_url_files.tar.gz extracted to the public root of the web server

Pre-built Lab Environment¶

If you are using a pre-built lab environment please assume the following:

Base Networking is configured
BIG-IP Devices Licensed/Activated
BIG-IP Active/Standy Cluster with Auto-sync
- BIGIP_A is the Active Device
- Cluster is synced
All actions will be performed on BIGIP_A
All configured virtual servers are accessible by IP from your jump host

VLAN	VLAN Tag	CIDR Block
Management	1	10.1.1.0/24
Internal	10	10.1.10.0/24
External	20	10.1.20.0/24

Device	IP’s	Credentials
BIG-IP A	Management: 10.1.1.1 Internal: 10.1.10.1/24 Internal (Float): 10.1.10.3/24 External: 10.1.20.1/24	admin/admin root/default
BIG-IP B	Management: 10.1.1.2 Internal: 10.1.10.2/24 Internal (Float): 10.1.10.3/24 External: 10.1.20.2/24	admin/admin root/default
Windows Jump Host	Management: 10.1.1.4 External: 10.1.20.250/24	user/user
Linux Webserver	Management: 10.1.1.5 Internal: 10.1.10.100-103/24 Services: HTTP/HTTPS/SSH	user/user root/default

Obtain and Import the Pre-built Template¶

Obtain the Pre-built Template¶

Right-click here and save version 2.1dev(001)_001 of the template to your system.

Import the Template¶

Open a web browser and navigate to https://<BIG-IP Management IP>. You may be prompted with an SSL/TLS security warning. It is safe to bypass this warning in this case.

Note

Template installation is possible via API and included scripts. These methods are covered in subsequent labs
Authenticate to the BIG-IP system with an admin user (default is admin/admin)
On the navigation menu on the left of the screen click iApps -> Templates
Click the ‘Import...’ button on the top right of the screen
Click the ‘Choose File’ button
Find the .tmpl file saved previously and double click it
Click the ‘Upload’ button

You should now see a template beginning with the name ‘appsvcs_integration’ at the top of the template list

Note

iApp templates are part of the BIG-IP config; as a result they will be synchronized across BIG-IP clusters that have config synchronization enabled

ADC/LTM Functionality¶

This module will focus specifically on BIG-IP LTM and provide the foundation for an operational model for both F5 deployment automation and Service Insertion with third party solutions (Cisco APIC, VMware NSX, AWS, etc). The solutions detailed here can be used independent of any third party products and are intended to show how deployment-centric automation can be achieved using existing F5 iApp technology. It is important to note that the Application Services iApp does not deploy any L1-3 connectivity config to the device. This is done by design because the expectation is that L1-3 config is performed by the user or by a third party system prior to L4-7 Application Service deployment.

To simplify this and future tasks when deploying an iApp from the BIG-IP GUI we will present the various field values in a table. To complete the task please enter/modify all values included in the table. If a specific value is not specified please do not modify the default value. You can also use the Find feature (Ctrl+F) of the web browser to find fields using the Field Name.

Deploy Basic HTTP ADC Service¶

Note

It is recommended you review the Indexes in APL Tables section the of Reference Guide before continuing

Open an SSH connection to your BIG-IP device: ssh root@<management ip>
Execute the following command to monitor the iApp deployment log: tail -f /var/tmp/scriptd.out
Open a web browser window and navigate to https://<BIG-IP Management IP>
Click iApps -> Application Services
Click the ‘Create...’ button

Populate the following values in the form:

Field Name	Value
Name	Lab2.1
Template	appsvcs_integration_v2.1dev_001
Virtual Server: Address	10.1.20.11
Virtual Server: Port	80
Pool: Pool Table	Row 1: Index: 0 Monitor(s): 0
Pool: Members	Row 1: Pool Idx: 0 IP/Node Name: 10.1.10.100 Port: 80 Row 2: Pool Idx: 0 IP/Node Name: 10.1.10.101 Port: 80
Monitor: Monitor Table	Row 1: Index: 0 Name: /Common/http
Virtual Server: Client-side L4 Protocol Profile	/Common/tcp-wan-optimized
Virtual Server: Server-side L4 Protocol Profile	/Common/tcp-lan-optimized
Virtual Server: HTTP Profile	/Common/http

Click the ‘Finished’ button to deploy the template
Review the deployed configuration using the iApp Components view
Review the deployment log in your SSH window
Click the ‘Reconfigure’ button
Add a new Pool Member to the Pool: Members table
Field Name Value
Pool: Members
Row 3:

Pool Idx: 0

IP/Node Name: 10.1.10.102

Port: 80
Click the ‘Finished’ button and review the config changes

Note

Redeployment of iApp templates makes use of underlying mechanism in the BIG-IP platform that allows safe changes to the configuration without interrupting existing user traffic.

Deploy Basic HTTPS ADC Service¶

Note

From this point on the guide will use an abbreviated version of the previous instructions. Please complete the initial deployment of each task as instructed. You are then free to modify values and experiment as needed.

Deploy HTTPS Service (auto-created Client-SSL profile and SNAT pool)¶

Create a new deployment with the following values:

Field Name	Value
Name	Lab2.2
Template	appsvcs_integration_v2.1dev_001
Virtual Server: Address	10.1.20.12
Virtual Server: Port	443
Pool: Pool Table	Row 1: Index: 0 Monitor(s): 0
Pool: Members	Row 1: Pool Idx: 0 IP/Node Name: 10.1.10.100 Port: 80 Row 2: Pool Idx: 0 IP/Node Name: 10.1.10.101 Port: 80
Monitor: Monitor Table	Row 1: Index: 0 Name: /Common/http
Virtual Server: Client-side L4 Protocol Profile	/Common/tcp-wan-optimized
Virtual Server: Server-side L4 Protocol Profile	/Common/tcp-lan-optimized
Virtual Server: HTTP Profile	/Common/http
Virtual Server: SNAT Configuration	`create:10.1.10.250,10.1.10.251` Note This is the first example of the Advanced Options & Create String Syntax. This value will create a SNAT pool with two IPs in it.
Virtual Server: Client SSL Certificate	/Common/default.crt
Virtual Server: Client SSL Key	/Common/default.key
Virtual Server: Client SSL Certificate Chain	/Common/ca-bundle.crt

Review the deployed configuration using the iApp Components view and deployment log
- The deployment used the default SSL key/cert pair on the device. In a real world deployment you would import your cert/key pair into the Common partition and reference the name(s) in the Virtual Server: Client SSL Certificate and Virtual Server: Client SSL Key fields.
- A port 80 -> 443 redirect was created automatically due to a L4-7 Functionality feature of the iApp. We will review this functionality in subsequent labs
- After about 1 minute click the ‘Properties’ button. Notice all the statistics we are now tracking. This is another L4-7 feature we will review later.

Note

You can also use the value ‘auto’ in the ‘Virtual Server: Client SSL Certificate’ and ‘Virtual Server: Client SSL Key’ fields. The behavior for ‘auto’ is to look for a Certificate and/or Key on the system with the same name and the name for the iApp deployment. For example, in this lab the system would look for ‘/Common/Lab2.2.crt’ and/or ‘/Common/Lab2.2.key’. This feature is included to allow for automated deployment when a separate process is used to populate Crypto objects (ie. Network HSM, Scripting, PKI solutions, etc.)

Modify to reference an existing Client-SSL profile¶

Click iApps -> Application Services -> Lab2.2 -> Reconfigure
Modify the following values and click ‘Finished’:

Field Name Value

Virtual Server: Client SSL Profile /Common/clientssl

Virtual Server: Client SSL Certificate <remove the value>

Virtual Server: Client SSL Key <remove the value>
Review the deployed config. It should now reference the /Common/clientssl profile. The previously created client-ssl profile was automatically removed.

Note

iApp deployments create non-shared objects under an Application Service Object (ASO). As a result all configuration is contained within the ASO. Modifications of one ASO does not impact any other deployments. Deletion of the deployment results in the deletion of the ASO and all objects under it.

Deploy Generic TCP SLB Service¶

Create a new deployment with the following values:

Field Name	Value
Name	Lab2.3
Template	appsvcs_integration_v2.1dev_001
Virtual Server: Address	10.1.20.13
Virtual Server: Port	245
Pool: Pool Table	Row 1: Index: 0 Monitor(s): 0
Pool: Members	Row 1: Pool Idx: 0 IP/Node Name: 10.1.10.100 Port: 245 Row 2: Pool Idx: 0 IP/Node Name: 10.1.10.101 Port: 245
Monitor: Monitor Table	Row 1: Index: 0 Name: /Common/tcp
Virtual Server: Client-side L4 Protocol Profile	/Common/tcp-wan-optimized
Virtual Server: Server-side L4 Protocol Profile	/Common/tcp-lan-optimized
Virtual Server: Default Persistence Profile	/Common/source_addr

Note

The health monitors will fail because the backend pool member is not listening on TCP/245. This is normal and can be ignored.

Review the deployed config and deployment log

Deploy Generic UDP SLB Service¶

Create a new deployment with the following values:

Field Name	Value
Name	Lab2.4
Template	appsvcs_integration_v2.1dev_001
Virtual Server: Address	10.1.20.14
Virtual Server: Port	245
Pool: Pool Table	Row 1: Index: 0 Monitor(s): 0
Pool: Members	Row 1: Pool Idx: 0 IP/Node Name: 10.1.10.100 Port: 245 Row 2: Pool Idx: 0 IP/Node Name: 10.1.10.101 Port: 245
Monitor: Monitor Table	Row 1: Index: 0 Name: /Common/udp
Virtual Server: IP Protocol	udp
Virtual Server: Client-side L4 Protocol Profile	/Common/udp
Virtual Server: Server-side L4 Protocol Profile	/Common/udp
Virtual Server: Default Persistence Profile	/Common/source_addr

Note

The health monitors will fail because the backend pool member is not listening on UDP/245. This is normal and can be ignored.

Review the deployed config and deployment log

Advanced Options & Create String Syntax¶

The BIG-IP platform allows very fine-grained control of options for L4-7 protocol profiles (ex: TCP, UDP, HTTP, Compression, etc.) and options for Virtual Servers and Pools. To expose the ability to customize these options we use a syntax that can be expressed using the APL String field. The create syntax can be used with specific Profiles, while the option syntax is used with the Virtual Server and Pool objects. This syntax is defined as a string in the following format:

Create String¶

Description

A custom TMOS profile will be created with the specified options. Options are validated at run-time with the underlying TMOS version. Use of this format allows exposure of fine-grained options without exposing each option as a field in the APL Presentation Layer. The following profiles support the this syntax:

Client/Server-side L4 Protocol (tcp, udp)

Server SSL

Client SSL

HTTP

OneConnect

Compression

Request Logging

Persistence (Default & Fallback)

Syntax create:type=<profile type>;<tmsh_option_name>=<tmsh_option_value>[;<tmsh_option_name>=<tmsh_option_value>]

Example create:type=tcp;nagle=disabled;proxy-low-buffer=10000;defaults-from=/Common/tcp

Advanced Options String¶

Description

The object will be created with the specified TMOS options. Options are validated at run-time with the underlying TMOS version. Use of this format allows exposure of fine-grained options without exposing each option as a field in the APL Presentation Layer. The following object types support the this syntax:

Virtual Servers

Pools

Auto-create Client-SSL Profiles

Syntax <tmsh_option_name>=<tmsh_option_value>[;<tmsh_option_name>=<tmsh_option_value>]

Example slow-ramp-time=300;min-up-members=1

Deploy HTTPS ADC Service with Customizations¶

We will deploy a virtual server with the following customizations:

Virtual Server:
- Disable port translation
- Enable rate limiting with 100 connections/sec allowed
- Add a stats profile
- Add a gtm-score attribute
Monitors:
- Use the existing default HTTP monitor
- Create a new custom HTTP monitor
- Create a new custom TCP monitor
Pool:
- Configure a slow ramp time
- Set the minimum members to ‘1’
- Associate three monitors with a minimum of 1 monitor passing
SSL/TLS:
- Create Client-SSL with Secure Renegotiation option set to ‘request’
- (optional) Load Certificate, Key and Certificate Bundle from remote URL resource
Customized Profiles:
- Client-side TCP: Nagle disabled
- OneConnect: Change source-mask
- Compression: Adjust cpu-saver attributes
- HTTP: Response Header “Server” set to “Lab2_6”
- HTTP: X-Forwarded-For Header inserted
- Persistence (Default): Cookie based persistence using ‘MyCookie’
- Persistence (Secondary): IP Source Address persistence with a custom timeout

Create a new deployment with the following values:

Field Name	Value
Name	Lab2.6
Template	appsvcs_integration_v2.1dev_001
Virtual Server: Address	10.1.20.16
Virtual Server: Port	443
Pool: Pool Table	Row 1: Index: 0 Monitor(s): `0,1,2;2` Note Documentation of this syntax is available here Adv Options: `slow-ramp-time=345;min-up-members=1`
Pool: Members	Row 1: Pool Idx: 0 IP/Node Name: 10.1.10.100 Port: 80 Row 2: Pool Idx: 0 IP/Node Name: 10.1.10.101 Port: 80
Monitor: Monitor Table	Row 1: Index: 0 Name: /Common/http Row 2: Index: 1 Type: http Options: `send=GET /test HTTP/1.0;recv=OK` Row 3: Index: 2 Type: tcp Options: `timeout=3600`
Virtual Server: Client-side L4 Protocol Profile	create:type=tcp;nagle=disabled;defaults-from=/Common/tcp-wan-optimized
Virtual Server: Server-side L4 Protocol Profile	/Common/tcp-lan-optimized
Virtual Server: HTTP Profile	create:server-agent-name=Lab2_6;insert-xforwarded-for=enabled;defaults-from=/Common/http
Virtual Server: OneConnect Profile	create:source-mask=255.255.0.0;defaults-from=/Common/oneconnect
Virtual Server: Compression Profile	create:cpu-saver=enabled;cpu-saver-high=90;defaults-from=/Common/httpcompression
Virtual Server: Default Persistence Profile	create:type=cookie;cookie-name=MyCookie
Virtual Server: Fallback Persistence Profile	create:type=source-addr;timeout=300
Virtual Server: Client SSL Certificate	/Common/default.crt
Virtual Server: Client SSL Key	/Common/default.key
Virtual Server: Client SSL Certificate Chain	/Common/ca-bundle.crt
Virtual Server: Client SSL Advanced Options	secure-renegotiation=request
Virtual Server: Advanced Options	gtm-score=50;rate-limit=100
Virtual Server: Advanced Profiles	/Common/stats

Review the deployed config and deployment log

SSL/TLS Resource Deployment via URL¶

We will now modify the deployment to dynamically load SSL/TLS resources from a remote server. This functionality allows users to integrate App Services Integration iApp deployments with third party PKI solutions. Additionally the variable substitution functionality described in Dynamic Loading from URL is also available.

Note

To complete this lab you must have a web server configured as detailed in the Lab Environment

Warning

Loading SSL/TLS Keys from remote URLs is dependent on proper security of the PKI infrastructure.

Warning

Re-deployment of the iApp results in the remote resources being reloaded from the remote server automatically.

Click iApps -> Application Services -> Lab2.6 -> Reconfigure

Modify the following values and click ‘Finished’:

Field Name	Value
Virtual Server: Client SSL Certificate	url=https://10.1.1.5/appsvcs/default.crt
Virtual Server: Client SSL Key	url=https://10.1.1.5/appsvcs/default.key
Virtual Server: Client SSL Certificate Chain	url=https://10.1.1.5/appsvcs/bundle.crt

Review the deployed config and deployment log
- Notice that the previously deployed resources have been replaced by ones loaded dynamically from the specified URLs

Mulitple Pools & Listeners¶

In order to support more complex ADC configurations this template includes the ability to create multiple pools and/or listeners as part of a single deployment.

Important

When creating multiple listeners the protocol and profile configuration will be duplicated. The only exception to this rule is the option to exclude SSL/TLS specific profiles.

Deploy HTTP Service on Multiple TCP Ports¶

In this lab we will deploy a HTTP Service that listens on TCP/80 and TCP/8080

Create a new deployment with the following values:

Field Name	Value
Name	Lab2.7
Template	appsvcs_integration_v2.1dev_001
Virtual Server: Address	10.1.20.171
Virtual Server: Port	80
Pool: Pool Table	Row 1: Index: 0 Monitor(s): 0
Pool: Members	Row 1: Pool Idx: 0 IP/Node Name: 10.1.10.100 Port: 80 Row 2: Pool Idx: 0 IP/Node Name: 10.1.10.101 Port: 80
Monitor: Monitor Table	Row 1: Index: 0 Name: /Common/http
Virtual Server: Additional Listeners	Row 1: Listener: 10.1.20.171:8080 Destination: default Note Specifying ‘default’ as the destination for the TCP/8080 listener sets the pool index by reading the value of the Virtual Server: Default Pool Index field. The default value of this field is ‘0’ resulting in the listener sending traffic to the pool with Index 0 in the Pool table.
Virtual Server: Client-side L4 Protocol Profile	/Common/tcp-wan-optimized
Virtual Server: Server-side L4 Protocol Profile	/Common/tcp-lan-optimized
Virtual Server: HTTP Profile	/Common/http

Review the deployed config and deployment log
- Notice that two listeners were created.

Modify HTTP Service on Multiple TCP Ports¶

In this lab we will modify the service deployed above and create two pools. We will then route traffic destined to TCP/8080 to the newly created pool.

Click iApps -> Application Services -> Lab2.7 -> Reconfigure

Modify the following values and click ‘Finished’:

Field Name	Value
Pool: Pool Table	Row 1: Index: 0 Monitor(s): 0 Row 2: Index: 1 Monitor(s): 0
Pool: Members	Row 1: Pool Idx: 0 IP/Node Name: 10.1.10.100 Port: 80 Row 2: Pool Idx: 0 IP/Node Name: 10.1.10.101 Port: 80 Row 3: Pool Idx: 1 IP/Node Name: 10.1.10.102 Port: 80 Row 4: Pool Idx: 1 IP/Node Name: 10.1.10.103 Port: 80
Monitor: Monitor Table	Row 1: Index: 0 Name: /Common/http
Virtual Server: Additional Listeners	Row 1: Listener: 10.1.20.171:8080 Destination: 1

Review the deployed config and deployment log
- Notice that there are now two pools
- Notice that the listeners now route traffic to different pools

Deploy Complex IPv4/v6 HTTP/HTTPS Service¶

In this lab we will deploy a complex service that consists of the following:

2 Pools
- Pool 0: Members listen on TCP/80 (HTTP)
- Pool 1: Members listen on TCP/443 (HTTPS)
5 Listeners
- 10.1.20.172:443 -> Pool 1
- 10.1.20.172:80 -> Pool 0
- 10.1.20.173:80 -> HTTP Redirect
- 10.1.20.173:443 -> Pool 0
- 2001:f5f5:1::17.443 -> Pool 1
- 2001:f5f5:1::17.80 -> HTTP Redirect

All HTTPS traffic will be decrypted and then re-encrypted towards Pool 1.

Click iApps -> Application Services -> Lab2.7 -> Reconfigure

Modify the following values and click ‘Finished’:

Field Name	Value
Virtual Server: Address	10.1.20.172
Virtual Server: Port	443
Virtual Server: Default Pool Index	1
Pool: Pool Table	Row 1: Index: 0 Monitor(s): 0 Row 2: Index: 1 Monitor(s): 1
Pool: Members	Row 1: Pool Idx: 0 IP/Node Name: 10.1.10.100 Port: 80 Row 2: Pool Idx: 0 IP/Node Name: 10.1.10.101 Port: 80 Row 3: Pool Idx: 1 IP/Node Name: 10.1.10.102 Port: 443 Row 4: Pool Idx: 1 IP/Node Name: 10.1.10.103 Port: 443
Monitor: Monitor Table	Row 1: Index: 0 Name: /Common/http Row 2: Index: 1 Name: /Common/https
Virtual Server: Additional Listeners	Row 1: Listener: 10.1.20.172:80 Destination: 0;nossl Row 2: Listener: 10.1.20.173:80 Destination: redirect Row 3: Listener: 10.1.20.173:443 Destination: 0;noserverssl Row 4: Listener: 2001:f5f5:1::17.443 Destination: default Row 5: Listener: 2001:f5f5:1::17.80 Destination: 1;noclientssl
Virtual Server: Client-side L4 Protocol Profile	/Common/tcp-wan-optimized
Virtual Server: Server-side L4 Protocol Profile	/Common/tcp-lan-optimized
Virtual Server: HTTP Profile	/Common/http
Virtual Server: Server SSL Profile	/Common/serverssl
Virtual Server: Client SSL Profile	/Common/clientssl

Review the deployed config and deployment log

L7 HTTP Policies¶

To enable advanced ADC functionality this iApp template includes the ability to fully create and manipulate LTM Local Traffic Policies. The policies allow various routing and manipulation operations of HTTP/HTTPS requests. In this lab we will cover some common use cases for Local Traffic Policies.

HTTP URI/Host Based Routing¶

In this lab we will create a deployment that implements routing based on the HTTP URI or Host Header to one of four pools:

HTTP Host equals www.example1.com
- HTTP URI starts with /pool0/ -> Pool 0
- HTTP URI starts with /pool1/ -> Pool 1
HTTP Host equals www.example2.com
- HTTP URI starts with /pool2/ -> Pool 2
- HTTP URI starts with /pool3/ -> Pool 3

Create a new deployment with the following values:

Field Name	Value
Name	Lab2.8
Template	appsvcs_integration_v2.1dev_001
Virtual Server: Address	10.1.20.18
Virtual Server: Port	80
Pool: Pool Table	Row 1: Index: 0 Monitor(s): 0 Row 2: Index: 1 Monitor(s): 0 Row 3: Index: 2 Monitor(s): 0 Row 4: Index: 3 Monitor(s): 0
Pool: Members	Row 1: Pool Idx: 0 IP/Node Name: 10.1.10.100 Port: 80 Row 2: Pool Idx: 1 IP/Node Name: 10.1.10.101 Port: 80 Row 3: Pool Idx: 2 IP/Node Name: 10.1.10.102 Port: 80 Row 4: Pool Idx: 3 IP/Node Name: 10.1.10.103 Port: 80
Monitor: Monitor Table	Row 1: Index: 0 Name: /Common/http
Virtual Server: Client-side L4 Protocol Profile	/Common/tcp-wan-optimized
Virtual Server: Server-side L4 Protocol Profile	/Common/tcp-lan-optimized
Virtual Server: HTTP Profile	/Common/http
L7 Policy: Rules: Matching	Row 1: Group: 0 Operand: http-host/request/host Condition: equals Value: www.example1.com Row 2: Group: 0 Operand: http-uri/request/path Condition: starts-with Value: /pool0/ Row 3: Group: 1 Operand: http-host/request/host Condition: equals Value: www.example1.com Row 4: Group: 1 Operand: http-uri/request/path Condition: starts-with Value: /pool1/ Row 5: Group: 2 Operand: http-host/request/host Condition: equals Value: www.example2.com Row 6: Group: 2 Operand: http-uri/request/path Condition: starts-with Value: /pool2/ Row 7: Group: 3 Operand: http-host/request/host Condition: equals Value: www.example2.com Row 8: Group: 3 Operand: http-uri/request/path Condition: starts-with Value: /pool3/
L7 Policy: Rules: Action	Row 1: Group: 0 Target: forward/request/select/pool Parameter: pool:0 Row 2: Group: 1 Target: forward/request/select/pool Parameter: pool:1 Row 3: Group: 2 Target: forward/request/select/pool Parameter: pool:2 Row 4: Group: 3 Target: forward/request/select/pool Parameter: pool:3

Review the deployed policy by clicking on the Lab2.8_l7policy object in the component view.
- Review the rules that were created by the iApp template

HTTP Cookie/Header Manipulation¶

We will now modify the existing deployment to perform some Header and Cookie manipulations.

Click iApps -> Application Services -> Lab2.8 -> Reconfigure

Modify the following values and click ‘Finished’:

Field Name	Value
L7 Policy: Rules: Action	Row 5: Group: 0 Target: http-header/request/insert/name,value Parameter: X-My-Header,Lab2.8 Row 6: Group: 1 Target: http-cookie/request/insert/name,value Parameter: MyCookie,Lab2.8 Row 7: Group: 2 Target: http-header/request/remove/name Parameter: User-Agent Row 8: Group: 3 Target: http-header/response/replace/name,value Parameter: Server,GoAway

Review the deployed policy by clicking on the Lab2.8_l7policy object in the component view.
- Review the updated actions in the existing rules.

HTTP Redirects¶

Finally, we will modify the existing deployment to issue an HTTP redirect for any traffic that does not specfically match the rules we created in the first step of this lab.

Click iApps -> Application Services -> Lab2.8 -> Reconfigure

Modify the following values and click ‘Finished’:

Field Name	Value
L7 Policy: Rules: Matching	Row 9: Group: default
L7 Policy: Rules: Action	Row 9: Group: default Target: http-reply/request/redirect/location Parameter: http://www.example3.com

Review the deployed policy by clicking on the Lab2.8_l7policy object in the component view.
- Review the updated rules in the policy.

L4-7 Helpers¶

This lab will review some of the basic L4-7 functionality included with the App Services Integration iApp template. The goal is to add options that not only provide convenience to users if the system is already licensed for them. Where possible you will see that the L4-7 feature has an ‘auto’ setting. The auto setting tries to programmatically determine whether the feature should be enabled or disabled.

Note

All L4-7 Helpers will check to determine if the required BIG-IP module is provisioned (enabled) on the system. If a module is not enabled the specific helper will be ignored.

For example the ‘HTTP: Security: Create HTTP(80)->HTTPS(443) Redirect’ helper will automatically create the redirect virtual server if a Client-SSL profile was created or configured. It will also modify it’s behavior to be compatible with features such as the ‘HTTP: Security: Enable HTTP Strict Transport Security’ option. The HSTS specification requires that redirects are a ‘301’ redirect rather than the ‘302’ that is used as the system default. The redirect feature will automatically take this into account and configure properly in either case.

Statistics Helpers¶

To start we will review the statistics features that were deployed in Labs 2.1, 2.2 & 2.3. Please repeat the following steps for each of the lab.

Navigate to the iApp properties page by clicking iApps -> Application Services -> Lab2.<X> -> Properties
Review the ‘User-defined Application Service Statistics’ section to see which stats were enabled during deployment
Review the deployed iCall handler and script to see the mechanism used to collect the stats:
- Open an SSH session to your BIG-IP
- Execute the following tmsh command to view the iCall handler:
  tmsh list sys icall handler periodic Lab2.<X>.app/publish_stats
- Execute the following tmsh command to view the iCall stats collector script:
  tmsh list sys icall script Lab2.<X>.app/publish_stats
- Look for the ‘set http_enabled’ and ‘set ssl_enabled’ TCL code near the top of the script. Notice how they change depending on the type of virtual server deployed in the lab?

Base statistics are deployed for all virtual servers and controlled by the iApp: Statistics Handler Creation option in the template. The protocol specific statistics are controlled by the protocol relevant options in the L4-7 Application Functionality section of the template. The ‘auto’ setting in the L4-7 section will automatically expose the statistics in configured protocol profiles (HTTP, SSL) via iStats to Northbound systems (iWorkflow, APIC, etc.)

HTTP/HTTPS Helpers¶

For this section we will review HTTP/HTTPS specific L4-7 features. The specific features and their ‘auto’ behavior are detailed below. Please review the table and then review the configuration deployed for Lab 2.1 and 2.2 to see how the configuration was deployed.

L4-7 Functionality Name Description ‘auto’ behavior

HTTP: Insert X-Forwarded-For Header Sets the insert-xforwarded-for option in the HTTP profile to enabled Enabled when SNAT is configured and a HTTP profile is present

HTTP: Security: Create HTTP(80)->HTTPS(443) Redirect Creates a port 80->443 redirect virtual server on the specified Listener IPs. Default is to create a 302 redirect. Modified by HSTS feature to a 301 if HSTS is enabled. Enabled when a Client-SSL profile is configured and Virtual Server: Port is 443

TLS/SSL: Easy Cipher String Allows user to select from a predefined set of TLS/SSL cipher strings and set those in the Client-SSLprofile No auto option

HTTP: Security: Enable HTTP Strict Transport Security Configures insertion of the ‘Strict-Transport-Security’ HTTP header. Options include the ability to specify any combination of the preload and includeSubDomains options. No auto option

L4 Firewall & IP Blacklist Helpers¶

Note

L4 Firewall functionality is provided by the Advanced Firewall Manager (AFM) BIG-IP module.

Note

IP Blacklist functionality is provided by an IP Intelligence (IPI) subscription

If licensed the App Services Integration iApp template can automatically enable L4 Firewall and IP Blacklist functionality. The specific features and their ‘auto’ behavior are detailed below. Please review the table and then review the configuration deployed for Lab 2.1 and 2.2 to see how the configuration was deployed. You can also modify your existing deployments for Lab 2.1 and 2.2 using the ‘Reconfigure’ option to experiment with this feature.

L4-7 Functionality Name Description ‘auto’ behavior

Security: Firewall: Configure L4 Firewall Policy
Configures an AFM policy in the Virtual Server context. Refer to the field reference for details.

When IPI is enabled with this option the Virtual Server: IP Blacklist Profile option is modified to achieve the intended config. IPI can also be configured independently using the option in the Virtual Server section
If AFM is provisioned the auto option will use the ‘base+ip_blacklist_block’ option

Security: Firewall: Static Blacklisted Addresses A table of Source IP CIDR blocks that will be blocked via an address list at the beginning of the base AFM policy N/A

Security: Firewall: Static Allowed Source Addresses A table of CIDR blocks that will be added as allowed source addresses in the base AFM policy. Note the default is to allow all addresses (0.0.0.0/0) N/A

iRule & WAF/IAM Policies¶

Building a Custom Template¶

Note

To fully understand this module of the lab it is recommended that you review the Resource Bundling & L4-7 Policies section of the Reference Guide.

In order to use Bundling and Custom Extensions functionality the App Services Integration iApp template needs to be custom built with the resources that you wish to include.

To build the template your system must meet the following requirements:

Windows/Mac/Linux OS
Python >= 2.7

Additionally, if you would like to build the documentation the following python packages are required:

sphinx
sphinx_rtd_theme

Download and Build the Template¶

To build the template complete these tasks:

Download the source tree archive:
- https://www.github.com/0xHiteshPatel/appsvcs_integration_iapp/archive/develop.zip
Extract the archive on your local system
Run python build.py -nd -a custom using a shell/command line in the extracted source directory

Note

Notice the -nd -a custom flag to the build script. This flag disables building the documentation tree. Running python build.py --help will show you other options available during the build process.
You should now have a file named appsvcs_integration_v2.1dev-001_001_custom.tmpl in the source directory

Bundling Resources with a Custom Template¶

In this lab we will rebuild the custom template and add some bundled resources. This method of bundling allows a user to package specific resources with the template itself allowing a full L4-7 service deployment without interaction with any other systems. URL based resources are also available and will be covered in subsequent labs.

Note

The ASM and APM policies used below were exported from a running BIG-IP system.

Open the source directory that was created in the previous lab
Open the ‘bundled’ directory. Notice the three directories that exist there.
We will now populate the directories with sample resources that included with the App Services Integration iApp test framework. Copy the follow files (paths relative to the root of the source tree):
- test/bundled.test/irules/* -> bundled/irules/
- test/bundled.test/asm_policies/* -> bundled/asm_policies/
- test/bundled.test/apl_policies/* -> bundled/apm_policies/

Run build.py -nd -a custom using a shell/command line. Take note of the output form the build script. You should see the copied files are now being packaged into the template:

$ ./build.py -nd -a custom
Appending "custom" to template name
Generating APL...
Assembling main template...
Building bundled resources:
 Adding iRules (bundled/irules/*.irule)...
 Adding ASM policies (bundled/asm_policies/*.xml)...
 Adding APM policies (bundled/apm_policies/*.tar.gz)...
 Processing file: bundled/irules/bundle1.irule
 Processing file: bundled/irules/bundle2.irule
 Processing file: bundled/asm_policies/asm_example1.xml
 Processing file: bundled/asm_policies/asm_example2.xml
 Processing file: bundled/apm_policies/test_11_5.conf.tar.gz
  Found BIG-IP Version: 11.5
 Processing file: bundled/apm_policies/test_11_6.conf.tar.gz
  Found BIG-IP Version: 11.6
 Processing file: bundled/apm_policies/test_12_0.conf.tar.gz
  Found BIG-IP Version: 12.0
 Processing file: bundled/apm_policies/test_12_1.conf.tar.gz
  Found BIG-IP Version: 12.1

You should now have a file named appsvcs_integration_v2.1dev-001_001_custom.tmpl in the source directory
Import this template into your BIG-IP system using the procedure described in Import the Template

iRule Deployment¶

In this lab we will show how to deploy iRule resources with a deployment.

iRule Deployment via Bundled Resource¶

Click iApps -> Application Services
Click the ‘Create...’ button

Populate the following values in the form:

Field Name	Value
Name	Lab3.2
Template	appsvcs_integration_v2.1dev_001_custom
Virtual Server: Address	10.1.20.32
Virtual Server: Port	80
Pool: Pool Table	Row 1: Index: 0 Monitor(s): 0
Pool: Members	Row 1: Pool Idx: 0 IP/Node Name: 10.1.10.100 Port: 80 Row 2: Pool Idx: 0 IP/Node Name: 10.1.10.101 Port: 80
Monitor: Monitor Table	Row 1: Index: 0 Name: /Common/http
Virtual Server: Client-side L4 Protocol Profile	/Common/tcp-wan-optimized
Virtual Server: Server-side L4 Protocol Profile	/Common/tcp-lan-optimized
Virtual Server: HTTP Profile	/Common/http
Virtual Server: Bundled Items	Row 1: Resource: irule:bundle2 Row 2: Resource: irule:bundle1 Note Be sure to preserve the order shown above. iRules are ordered resources and the ordering below is specifically designed to show that this ordering is preserved.

Click the ‘Finished’ button to deploy the template
Review the deployed configuration using the iApp Components view
- Notice that iRule resources were automatically created and attached to the virtual server.
Click Local Traffic -> Virtual Server List. Click the ‘Edit...’ link next to the ‘Lab3.2_default_vs_80’ object.
Notice the order of the deployed iRules was preserved during the deployment.

iRule Deployment via URL¶

Note

To complete this lab you must have a web server configured as detailed in the Lab Environment

The second method of resource deployment is via a URL that dynamically loads the resource at runtime. This functionality is fully documented in the Dynamic Loading from URL section of the Reference Guide.

Note

If you specify a hostname in a URL please be sure to configure DNS resolution on the BIG-IP system

Click iApps -> Application Services -> Lab3.2 -> Reconfigure

Modify the following values and click ‘Finished’:

Field Name	Value
Virtual Server: Bundled Items	Row 3: Resource: `irule:urloptional=http://<web server IP>/appsvcs/remote_1_optional.irule` Row 4: Resource: `irule:url=http://<web server IP>/appsvcs/remote_1.irule`

Review the deployed config and deployment log
- Notice that there are now three iRules tied to the Virtual Server
- The ‘urloptional’ resource does not exist on the remote server therefore the template skipped deployment of that iRule resource.

WAF/ASM Policy Deployment¶

In this lab we will deploy a Web Application Firewall policies that can be used by Application Security Manager. Be sure to review the following documentation before continuing:

WAF Policy Deployment via Bundled Resource¶

Create a new deployment with the following values:

Field Name	Value
Name	Lab3.3
Template	appsvcs_integration_v2.1dev_001_custom
Virtual Server: Address	10.1.20.33
Virtual Server: Port	80
Pool: Pool Table	Row 1: Index: 0 Monitor(s): 0
Pool: Members	Row 1: Pool Idx: 0 IP/Node Name: 10.1.10.100 Port: 80 Row 2: Pool Idx: 0 IP/Node Name: 10.1.10.101 Port: 80
Monitor: Monitor Table	Row 1: Index: 0 Name: /Common/http
Virtual Server: Client-side L4 Protocol Profile	/Common/tcp-wan-optimized
Virtual Server: Server-side L4 Protocol Profile	/Common/tcp-lan-optimized
Virtual Server: HTTP Profile	/Common/http
Virtual Server: Bundled Items	Row 1: Resource: asm:asm_example1 Row 2: Resource: asm:asm_example2
L7 Policy: Rules: Matching	Row 1: Group: 0 Operand: http-host/request/host Condition: equals Value: www.example1.com Row 2: Group: 1 Operand: http-host/request/host Condition: equals Value: www.example2.com Row 3: Group: default
L7 Policy: Rules: Action	Row 1: Group: 0 Target: asm/request/enable/policy Parameter: bundled:asm_example1 Row 2: Group: 1 Target: asm/request/enable/policy Parameter: bundled:asm_example2 Row 3: Group: default Target: forward/request/reset

Click the ‘Finished’ button to deploy the template and monitor the deployment log
The initial objects in the Components view does not represent the final state of the deployment as detailed in Execution Flow
Monitor the deployment log and wait for the postdeploy_final process to complete
Review the deployed configuration using the iApp Components view
Review the L7 policy that was created

WAF Policy Deployment via URL¶

Click iApps -> Application Services -> Lab3.3 -> Reconfigure

Modify the following values and click ‘Finished’:

Field Name	Value
Virtual Server: Bundled Items	Row 3: Resource: `asm:url=http://<web server IP>/appsvcs/remote_asm1.xml`
L7 Policy: Rules: Matching	Row 3: Group: 2 Operand: http-host/request/host Condition: equals Value: www.example3.com Row 4: Group: default
L7 Policy: Rules: Action	Row 3: Group: 2 Target: asm/request/enable/policy Parameter: bundled:remote_asm1 Row 4: Group: default Target: forward/request/reset

Click the ‘Finished’ button to deploy the template and monitor the deployment log
Monitor the deployment log and wait for the postdeploy_final process to complete
Review the deployed configuration using the iApp Components view
Review the L7 policy that was created

IAM/APM Policy Deployment¶

In this lab we will deploy a Identity and Access Management policy that can be used by Access Policy Manager. Be sure to review the following documentation before continuing:

IAM Policy Deployment via Bundled Resource¶

Create a new deployment with the following values:

Field Name	Value
Name	Lab3.4
Template	appsvcs_integration_v2.1dev_001_custom
Virtual Server: Address	10.1.20.34
Virtual Server: Port	80
Pool: Pool Table	Row 1: Index: 0 Monitor(s): 0
Pool: Members	Row 1: Pool Idx: 0 IP/Node Name: 10.1.10.100 Port: 80 Row 2: Pool Idx: 0 IP/Node Name: 10.1.10.101 Port: 80
Monitor: Monitor Table	Row 1: Index: 0 Name: /Common/http
Virtual Server: Client-side L4 Protocol Profile	/Common/tcp-wan-optimized
Virtual Server: Server-side L4 Protocol Profile	/Common/tcp-lan-optimized
Virtual Server: HTTP Profile	/Common/http
Virtual Server: Access Profile	`use-bundled`
Virtual Server: Bundled Items	Row 1: Resource: <select the resource from the dropdown that begins with ‘apm:’ that matches the BIG-IP version you are using>

Click the ‘Finished’ button to deploy the template and monitor the deployment log
The initial objects in the Components view does not represent the final state of the deployment as detailed in Execution Flow
Monitor the deployment log and wait for the postdeploy_final process to complete
Review the deployed configuration using the iApp Components view
- Notice the APM policy was deployed and linked to the Virtual Server with an object name of ‘bundled_apm_policy’

IAM Policy Deployment via URL¶

Note

As mentioned previously only one APM policy can be deployed at a time. We will replace the policy deployed previously with one loaded from a URL.

Click iApps -> Application Services -> Lab3.4 -> Reconfigure

Modify the following values and click ‘Finished’:

Field Name	Value
Virtual Server: Bundled Items	Row 1: Resource: <select the appropriate item from below> 11.5: `apm:url=http://<web server IP>/appsvcs/remote_apm_11_5.conf.tar.gz` 11.6: `apm:url=http://<web server IP>/appsvcs/remote_apm_11_6.conf.tar.gz` 12.0: `apm:url=http://<web server IP>/appsvcs/remote_apm_12_0.conf.tar.gz` 12.1: `apm:url=http://<web server IP>/appsvcs/remote_apm_12_1.conf.tar.gz`

Click the ‘Finished’ button to deploy the template and monitor the deployment log
Monitor the deployment log and wait for the postdeploy_final process to complete
Review the deployed configuration using the iApp Components view
Review the deployed configuration using the iApp Components view
- Notice the APM policy was deployed and linked to the Virtual Server with an object name of ‘bundled_apm_policy’

iApp/Policy Redeployment Behaviour¶

The App Services Integration iApp template includes the ability to control what action is taken with policies upon an iApp re-deployment event. This functionality applies specifically to ASM and APM policies and controls two specific categories of behaviour:

The action the template will take with the policy object upon re-deployment. This action controls whether the source-of-truth for the policy is the current config on the BIG-IP device or the policy bundled/loaded in the template.
- preserve: The policy on the device will be preserved. This option allows direct policy manipulation on the the device or by third party systems
- redeploy: The policy bundled in the template will be re-deployed, overwriting any local changes
Whether user traffic is allowed through the virtual server during re-deployment
- bypass: User traffic will bypass all policies during redeployment
- block: The virtual server will be marked down resulting in no user traffic transiting the virtual server

The available options are:

Option Name	Description
preserve-bypass	Source-of-truth: BIG-IP Device Traffic: Allowed during re-deployment
preserve-block	Source-of-truth: BIG-IP Device Traffic: Blocked during re-deployment
redeploy-bypass	Source-of-truth: iApp template Traffic: Allowed during re-deployment
redeploy-block	Source-of-truth: iApp template Traffic: Blocked during re-deployment

The behaviour can be controlled independently using these fields:

ASM: iApp: ASM: Deployment Mode
APM: iApp: APM: Deployment Mode

Advanced Functionality¶

Multi-Tier Deployments¶

By default the App Services Integration iApp template deploys a configuration that automatically creates at least one Virtual Server associated with 0 or more pools. In advanced use cases it may be required to create a de-coupled or multi-tier deployment that allows the user to create Pools and Virtual Server objects as separate iApp deployments.

This functionality is useful when L7 policies or iRules are used to route traffic in multi-tenant environments that want to expose a service on a minimal number of client facing IP addresses. The advantage of creating a multi-tier deployment is the ability to add tenant Pool resources without having to centralize the config in a single iApp deployment

In this lab we will create a two tier deployment that consists of the following:

Tier 1:
- HTTP Virtual Server with a L7 Policy:
  - URI ‘/tenant1/’ -> Tenant 1, Pool 0
  - URI ‘/tenant2/’ -> Tenant 2, Pool 0
Tier 2:
- Tenant 1: 1 Pool with HTTP members
- Tenant 2: 1 Pool with HTTP members

This lab will consist of 3 seperate iApp deployments. Two for the Pool objects and one for the Virtual Server.

Create Tenant 1 Pool¶

Create a new deployment with the following values:

Field Name	Value
Name	Lab4.1_tenant1
Template	appsvcs_integration_v2.1dev_001
Virtual Server: Address	255.255.255.254 Note This special value is used to skip Virtual Server creation
Virtual Server: Port	80
Pool: Pool Table	Row 1: Index: 0 Monitor(s): 0
Pool: Members	Row 1: Pool Idx: 0 IP/Node Name: 10.1.10.100 Port: 80 Row 2: Pool Idx: 0 IP/Node Name: 10.1.10.101 Port: 80
Monitor: Monitor Table	Row 1: Index: 0 Name: /Common/http

Review the deployment. Notice that only a pool object was created.

Create Tenant 2 Pool¶

Create a new deployment with the following values:

Field Name	Value
Name	Lab4.1_tenant2
Template	appsvcs_integration_v2.1dev_001
Virtual Server: Address	255.255.255.254 Note This special value is used to skip Virtual Server creation
Virtual Server: Port	80
Pool: Pool Table	Row 1: Index: 0 Monitor(s): 0
Pool: Members	Row 1: Pool Idx: 0 IP/Node Name: 10.1.10.103 Port: 80 Row 2: Pool Idx: 0 IP/Node Name: 10.1.10.104 Port: 80
Monitor: Monitor Table	Row 1: Index: 0 Name: /Common/http

Review the deployment. Notice that only a pool object was created.

Create Virtual Server¶

Create a new deployment with the following values:

Field Name	Value
Name	Lab4.1_virtual
Template	appsvcs_integration_v2.1dev_001
Virtual Server: Address	10.1.20.41
Virtual Server: Port	80
Virtual Server: Default Pool Index	<remove the default value>
Pool: Pool Table	Row 1: <remove the default row that is shown>
Pool: Members	Row 1: <remove the default row that is shown>
Monitor: Monitor Table	Row 1: <remove the default row that is shown>
Virtual Server: Client-side L4 Protocol Profile	/Common/tcp-wan-optimized
Virtual Server: Server-side L4 Protocol Profile	/Common/tcp-lan-optimized
Virtual Server: HTTP Profile	/Common/http
L7 Policy: Rules: Matching	Row 1: Group: 0 Operand: http-uri/request/path Condition: starts-with Value: /tenant1/ Row 2: Group: 1 Operand: http-uri/request/path Condition: starts-with Value: /tenant2/
L7 Policy: Rules: Action	Row 1: Group: 0 Target: forward/request/select/pool Parameter: /Common/Lab4.1_tenant1.app/Lab4.1_tenant1_pool_0 Row 2: Group: 1 Target: forward/request/select/pool Parameter: /Common/Lab4.1_tenant2.app/Lab4.1_tenant2_pool_0

Click the ‘Finished’ button to deploy the template
Review the deployed configuration using the iApp Components view
Review the L7 policy deployed by the template and notice that the previously created pools are referenced

Helper Scripts¶

The App Services Integration iApp package includes helper scripts that aid the user with various automation tasks. The scripts are located in the scripts directory.

import_template_bigip.py¶

This script uses the F5 BIG-IP iControl REST API to import an iApp template. It supports setting multiple options as shown built-in --help output.

The script supports:

Creating a new template that does not exist on the target system
Modifying an existing template if the -o option is specified

We require that the implementation, presentation, HTML Help and macro definitions of the iApp template be in different files. By default it will look in the current working directory for the following files:

Default Filename Description Required CLI Argument

iapp.tcl Implementation Layer TCL Code Yes -i

iapp.apl Presentation Layer TCL Code Yes -a

iapp.html HTML Based Help No -n

iapp.macro iApp Macro Definition No -m

Different filenames can be specified using the corresponding CLI arguments in the table above

By default the script will automatically save the system config. This behaviour can be disabled by using the -d option.

If you are specifying the require TMOS modules please format as a comma separated list of module names such as:

ltm,gtm,asm,afm

For further options please run the script with the --help argument

import_cert_key.py¶

This script uses the F5 BIG-IP iControl REST API to import a cert/key pair. It supports setting multiple options as shown built-in --help output.

The script supports:

Importing cert/key objects
Overwriting an existing object (-o option)

Example:

python import_cert_key.py -P Common -c example.crt -k exmaple.key <BIG-IP mgmt IP> example

The preceding command will create the following objects:

/Common/example.crt:
	The cert contained in the example.crt file
/Common/example.key:
	The key contained in the example.key file

For further options please run the script with the --help argument

deploy_iapp_bigip.py¶

This script uses the F5 BIG-IP iControl REST API to create a specific instance of an iApp deployment.

The script supports:

Deployment/Redeployment of an iApp using JSON template files
Hierarchical definition of a deployment using multiple JSON files
- A JSON template can specify a ‘parent’ file to inherit properties from
- No limit to the number of levels of inheritance
Automatic selection of the latest version of the appsvcs_integration_iapp
Specification of partition, traffic-group, device-group and other global items

Sample template files are included in the deploy_iapp_samples directory that implement a three-level hierarchy and deploy a HTTPS or HTTP virtual server using the App Services Integration iApp template. The following table describes the contents of the sample files:

sample_defaults.json: Default values for all the fields contained in the iApp
- sample_https.json: Default values for a HTTPS service (parent: sample_defaults.json)
  - sample_myhttps.json: Top level definition of the service (parent: sample_https.json)
- sample_http.json: Default values for a HTTP service (parent: sample_defaults.json)
  - sample_myhttp.json: Top level definition of the service (parent: sample_http.json)

To deploy the sample_myhttps.json template a command like this can be used:

cd deploy_iapp_samples
python ../deploy_iapp_bigip.py -u <username> -p <password> <BIG-IP mgmt IP> sample_myhttps.json

By default the script will automatically save the system config. This behaviour can be disabled by using the -d option.

For further options please run the script with the --help argument

delete_iapp_bigip.py¶

This script uses the F5 BIG-IP iControl REST API to delete a specific instance of an iApp deployment.

The script supports:

Specification of the BIG-IP partition (-P option; default is Common)
Script-friendly operation to suppress delete confirmation (-n option)

To delete the an iApp deployment named my_http a command like this can be used:

python delete_iapp_bigip.py -u <username> -p <password> <BIG-IP mgmt IP> my_http

By default the script will automatically save the system config. This behaviour can be disabled by using the -d option.

For further options please run the script with the --help argument

Test Cases¶

The App Services Integration iApp package includes a comprehensive test framework that uses the deploy_iapp_bigip.py helper script to test the functionality of the template.

The use cases are contained within the test directory of the source tree. The .json files within this directory represent the input variables used to test the specific use case.

Users of the App Services Integration iApp template can refer to the test case JSON files as the authoritative source for implemented functionality. The Presentation Layer Reference also includes links to each test case that references a particular input variable. By examining the test case templates a user can determine additional functionality that is available but has not been covered in a specific lab.

Developers interested in running the test framework would use the run_tests.py script. The script can be run with the --help option to obtain more information.

To run the complete test framework the following prerequisite steps are required:

Note

The test script currently requires unix-style utilities (scp/ssh). Linux and Mac OS have these utilities installed or available. To run the test framework on a Windows system please install Cygwin.

Provision your BIG-IP device with the following modules in at a ‘nominal’ level:
- LTM
- APM
- ASM
- AFM
Configure NTP and DNS servers on the BIG-IP system. DNS servers should be able to resolve internet host names.
Untar remote_url_files.tar.gz to the root of a webserver.
Provide the IP address of the server to run_tests.py with the -b <IP Address> option.
Build the template using the command python build.py -nd -b test/bundled.test
Upload the template to the BIG-IP (deploy_iapp_bigip.py can be used)
Monitor the deployment log on BIG-IP using tail –f /var/tmp/scriptd.out

Custom Extensions¶

To address the need for site-specific extensions the App Services Integration iApp has been designed to allow inclusion of custom code. Custom extensions have full access to the runtime environment of the implementation layer allowing both addition of new functionality, or modification of existing functionality. There are 6 specific points at which a user can execute custom code:

The start of the deployment
Before creation of the pools
- Before creation of each pool
- After creation of each pool
After creation of the pools
Before creation of the virtual servers
- Before creation of each virtual server
- After creation of each virtual server
After creation of the virtual servers
At the end of the deployment

While custom extensions have full access to all variable values passed from the presentation layer during deployment, any new functionality that requires user input should utilize the fields in the ‘Custom Extensions’ section. Three Extension fields are provided with the base template for this purpose. This lab will walk through some of the included Custom Extension samples to provide a general overview of the functionality. Custom Extensions are contained in the custom_extensions.tcl file. This file is automatically included into the template when it is built via the build scripts.

Review the comments in the custom_extensions.tcl file to see how it is structured.
Monitor the deployment log and modify one of your existing deployments to include the string custom_example=1 in the Extensions: Field 1. Do you see the log messages that are generated in the deployment log?

Reference Guide¶

Design Methodology & Goals¶

Goals¶

The high level goals for this project are as follows:

Enable utilization of the full F5 L4-7 feature set while masking complexity from NorthBound systems

Cover the most common deployment use cases as standard, community supported, features

Provide simple extension mechanisms for customization that may be required in your environment

Minimize (over time) changes to the NorthBound API Data Model

Normalize F5 specific configuration as much as possible between all integrations

Rapidly deliver new features and functionality

Support a broad range of F5 BIG-IP software releases

iApp Basics & Constraints¶

Note

For full documentation on iApp’s please refer to the F5 DevCentral iApp Wiki This documentation is limited to explaining how we utilize the iApp infrastructure with this particular project.

Basic Terms¶

Term	Definition
iApp template	A file (.tmpl extension) that contains the tmsh importable definition of an iApp. The template contains the implementation and presentation layers along with other settings
Presentation layer	The APL definition of the user interface and API data model for the iApp template
Implementation layer	The TCL based tmsh script that actually processes input defined in the presentation layer and deploys a configuration on the BIG-IP device
[North/South]bound	The direction of API calls in an implementation. Northbound generally implies integration with another system or product through a standardized API (REST, SOAP, etc). Southbound generally implies vendor specific integration through open or non-standards based APIs
BIG-IP	The data plane element that executes the implementation layer code of an iApp template and deploys a config to process network traffic
iWorkflow	The optional control plane element that interacts with and manipulates the presentation layer of an iApp

Presentation Layer Contraints¶

To provide the broadest compatibility with third-party systems we implement a very simple presentation layer. Advanced TCL-based programmatic logic in the presentation layer is not implemented by this iApp (even though APL supports this). The reasoning behind this is that there is no reliable, standard way to execute logical arguments in third party systems. Some simple use cases are implemented (e.g. auto-population of a dropdown), however, these are only useful when the iApp Presentation Layer is rendered via the BIG-IP GUI. As a result all functionality implemented is required to function correctly without this programmatic logic.

Implementation Layer Constraints¶

Within the implementation layer we have a lot more flexibility in how features are implemented. Generally, anything is possible, however we take care to implement features in a manner that can work with all possible integrations.

All deployments are fully Partition and Route-Domain aware to enable full multi-tenancy. When running in Standalone mode users may choose to simply use the Common partition and route-domain 0 to achieve a non-multi-tenant config, however, the implementation of all features should enable multi-tenancy by default.

Furthermore, all implementation layer code must be compatible with all modes unless specifically enabled only for a particular mode and documented clearly. Introduction of additional presentation layer fields for mode-specific options should be avoided to maintain the simplest possible user and API interface.

Versioning¶

To integrate in the most flexible manner with other systems we have to implement versioning in a flexible manner. The version number of the template needs to convey three pieces of information:

Implementation Major Version	The major functionality and modes implemented by the template
Implementation Minor Version	The minor revision of the template. Allows hotfixes, field-level option additions and custom extension changes without impacting northbound systems
Presentation Version	The version of the presentation layer data model that is exposed via a northbound API

Additionally we have to also create a unique object name for the template that is used within BIG-IP and iWorkflow while maintaining support for previous versions of the template.

Assuming the following:

impl_major = 0.1

impl_minor = 002

pres_rev = 003

We substitute into this format:

Template Version: v<impl_major>(<impl_minor>)_<pres_rev>
BIG-IP/IQ Template Name: appsvcs_integration_v<impl_major>_<pres_rev>

Resulting in:

Template Version: v0.1(002)_003
BIG-IP/IQ Template Name: appsvcs_integration_v0.1_003

While this scheme is somewhat complex, we have little choice in the matter, because most northbound integrations require that we maintain a consistent copy of the template for each service deployment instance throughout the entire automation/orchestration stack. This versioning system allows use to maintain full compatibility for existing service deployment, while still providing a mechanism to deploy new/hotfix versions of the template without service impacting outages at the data plane layer for existing service deployments.

Data Model¶

Presentation Layer Structure¶

The Presentation Layer implemented using APL by this templates consists of three major components:

Type	Description
Section	A specific section that contains various value fields. Serves as base for REST API attribute names
Value Field	A particular value field that accepts user input
Text String	The text description used by the GUI

To form the TCL variable names used in the Implementation Layer you combine the Section name and Value Field name with two underscores (“__”). For example, given a Section name of “mysection” and a Value Field name of “myfield” the corresponding TCL variable name would be “$mysection__myfield”.

APL Data Types¶

APL provides a set of field types that are used for data input to an iApp template. These fields types behave differently based on a GUI or API interaction with the system. This section details how the various field types used in this iApp template can be leveraged via a GUI or API based interaction.

Field Type

Description

GUI/REST API Representation

String

Used for arbitrary string input. Built-in validators may be used but are only used by the GUI.

GUI:

REST API:

{
  "variables":[
      {
              "name":"iapp__strictUpdates",
              "value":"enabled"
      },
      {
              "name":"iapp__appStats",
              "value":"enabled"
      }
  ]
}

Table

Used for input of table based data. Arbitrary input field types are specified as columns within the table. User input is accomplished by sending a set of rows that maps to the input fields specified as columns. Tables cannot be nested.

GUI:

REST API:

{
  "tables":[
      {
              "columnNames":[ "Integer", "String1", "String2" ],
              "rows":[
              { "row":[ "0", "abc", "xyz" ] },
              { "row":[ "1", "ABC", "XYZ" ] }
              ],
              "name":"example__table1"
      },
      {
              "columnNames":[ "Integer", "String1", "String2" ],
              "rows":[
              { "row":[ "0", "abc", "xyz" ] },
              { "row":[ "1", "ABC", "XYZ" ] }
              ],
              "name":"example__table2"
      }
  ]
}

List/Multi Choice

Used for input of an ordered list of arbitrary strings. GUI representation is displayed and a fixed set of options, however, API representation allows for arbitrary input.

GUI:

REST API:

{
        "lists": [
                {
                        "encrypted": "no",
                        "name": "example__list1",
                        "value": [ "value 1", "value 2" ]
                }
        ]
}

Template Specific Data Model/Syntax¶

The formats described in this section are implemented specifically by this template only. The items specified in this section extend APL data types to add additional functionality.

Indexes in APL Tables¶

Index columns are used by various APL Tables in this template to provide a consistent method to access and reference specific table rows in other parts of the presentation layer. This consistency is required because the order of rows cannot be guaranteed to remain consistent in an orchestration/automation toolchain. Throughout the Presentation Layer of the template the value of the Index field is used to provide a ‘hard’ link to a specific item within a table.

As an example, when creating LTM Pools and Monitors, we use the Pool__Pools and Monitor__Monitors tables. Each row in the Monitor__Monitors table creates a specific monitor on the system. To reference a particular Monitor to use for the Pool we use the Index of the row in the Monitor__Monitors table. To implement the following:

2 LTM Pools
- 1st pool uses a TCP & HTTP monitor
- 2nd pool uses a TCP monitor
2 LTM Monitors
- HTTP
- TCP

We would use the following tables (JSON format):

{
   "tables":[
                {
                "name":"monitor__Monitors",
                "columnNames": ["Index", "Name", "Type", "Options"],
                "rows" : [
                { "row": [ "0", "/Common/tcp", "none", "none" ] },
                { "row": [ "1", "/Common/http", "none", "none" ] }
                ]
        },
        {
                "name":"pool__Pools",
                "columnNames": [ "Index", "Name", "Description", "LbMethod", "Monitor", "AdvOptions" ],
                "rows" : [
                { "row": [ "0", "pool_0", "", "round-robin", "0,1", "none"] },
                { "row": [ "1", "pool_1", "", "round-robin", "0", "none"] },
                ]
        }
    ]
}

Advanced Options & Create String Syntax¶

The BIG-IP platform allows very fine-grained control of options for L4-7 protocol profiles (ex: TCP, UDP, HTTP, Compression, etc.) and options for Virtual Servers and Pools. To expose the ability to customize these options we use a syntax that can be expressed using the APL String field. The create syntax can be used with specific Profiles, while the option syntax is used with the Virtual Server and Pool objects. This syntax is defined as a string in the following format:

Create String¶

Description

A custom TMOS profile will be created with the specified options. Options are validated at run-time with the underlying TMOS version. Use of this format allows exposure of fine-grained options without exposing each option as a field in the APL Presentation Layer. The following profiles support the this syntax:

Client/Server-side L4 Protocol (tcp, udp)

Server SSL

Client SSL

HTTP

OneConnect

Compression

Request Logging

Persistence (Default & Fallback)

Syntax create:type=<profile type>;<tmsh_option_name>=<tmsh_option_value>[;<tmsh_option_name>=<tmsh_option_value>]

Example create:type=tcp;nagle=disabled;proxy-low-buffer=10000;defaults-from=/Common/tcp

Advanced Options String¶

Description

The object will be created with the specified TMOS options. Options are validated at run-time with the underlying TMOS version. Use of this format allows exposure of fine-grained options without exposing each option as a field in the APL Presentation Layer. The following object types support the this syntax:

Virtual Servers

Pools

Auto-create Client-SSL Profiles

Syntax <tmsh_option_name>=<tmsh_option_value>[;<tmsh_option_name>=<tmsh_option_value>]

Example slow-ramp-time=300;min-up-members=1

Additional Syntaxes¶

Various fields use specific syntaxes to expose functionality. If applicable, the format of these fields are documented in the specific entry for the field/table/column in question in the Presentation Layer Reference

Logging & Debugging¶

Log File¶

The iApp/iCall framework on TMOS logs to the file /var/tmp/scriptd.out on the BIG-IP system. It is recommended that this log be reviewed in the case a deployment fails.

Log Levels¶

The App Services iApp template implements a granular logging system that can be controlled by:

An integer specified in the iapp__logLevel field.
Setting the scriptd log-level in TMOS to ‘debug’ (useful if inputs can’t be modified)
- Silently sets iapp__logLevel to ‘10’
- TMSH Command: tmsh modify sys scriptd log-level debug

Log levels are specified as an integer in the range 0-10 with numerically higher log levels including all messages from lower levels:

Log Level	Description
0	start/stop messages only
1	all TMSH commands
2	inputs & global state information
3	unused
4	unused
5	object creation details
6	custom extensions
7	execution debug
8	unused
9	cached state debug
10	utility function debug

For troubleshooting purposes it is required that a log with a log level set to ‘10’ be provided.

Execution Flow¶

Overview¶

This iApp template uses a multi-stage execution flow to allow full deployment of services available on the BIG-IP platform. The number of stages used vary based on the specific features utilized during a particular deployment.

Each stage executes sequentially after the previous stage completes in the following order:

Implementation Layer TCL code
postdeploy_bundler iCall script to handle L4-7 policy deployment
postdeploy_final iCall script to handle deferred TMSH commands

Step 2 above is only executed if deployment of a L4-7 service policy is required. For more details on L4-7 policies see Resource Bundling & L4-7 Policies

Implementation Layer¶

The Implementation Layer consists of TCL code that executes sequentially and adheres to the underlying ordering required by the BIG-IP platform. The overall flow is as follows:

Template startup (determine mode, debug level, input fix-up, etc)
SSL/TLS Profile Creation
Monitors
Pools
L7 Policy Creation (may be deferred to postdeploy_final)
Virtual Servers
1. Bundled iRules (see: Resource Bundling & L4-7 Policies)
2. Profile Processing
3. SNAT
4. SSL/TLS Profiles
5. Policies
6. Additional Listeners
Statistics Handlers
Virtual Address Options
1. Route Advertisement
2. Advanced Options
postdeploy_bundler handler creation (only required for WAF/IAM policies)
postdeploy_final handler creation

postdeploy_bundler¶

The postdeploy_bundler iCall script is scheduled for execution by the Implementation Layer as required. The primary purpose of this script is to create L4-7 policy elements (Resource Bundling & L4-7 Policies) and associate those policies with any required Virtual Servers. Execution can be tracked via the mechanisms detailed in Logging & Debugging or via specific iStat keys that are populated at each step of execution of the script. The iStat keys are tied to the Application Service Object (ASO) that is created by the iApp framework for each deployment. The iStat keys created are:

Key Name	Possible States
deploy.postdeploy_bundler	ASM_IN_PROGRESS ASM_COMPLETE APM_IN_PROGRESS APM_COMPLETE DEFERRED_CMDS_IN_PROGRESS DEFERRED_CMDS_COMPLETE FINISHED
deploy.postdeploy_bundler.asm.<policy name>	DEPLOY_IN_PROGRESS DEPLOY_COMPLETE
deploy.postdeploy_bundler.apm.<policy name>	DEPLOY_IN_PROGRESS DEPLOY_COMPLETE

The final action of the postdeploy_bundler script is to create an iCall handler that executes the postdeploy_final script.

postdeploy_final¶

The postdeploy_final iCall script is scheduled for execution by either the Implementation Layer or the postdeploy_bundler script. The purpose of this script is to execute any final commands that have been deferred to this stage. Additionally this script populates iStat keys that should be used to determine success or failure of the deployment. The iStat keys created are:

Key Name	Possible States
deploy.postdeploy_final	STARTED DEFERRED_CMDS_IN_PROGRESS DEFERRED_CMDS_COMPLETE FINISHED_<epoch timestamp>

Determining Success/Failure of Deployment¶

To determine overall success of a deployment the upstream system should NOT rely on the state returned via the GUI or API on the initial creation of the deployment. Rather, the deploy.postdeploy_final iStat key should be queried for the FINISHED_<epoch timestamp> state. A reference implementation of this mechanism can be found in the deploy_iapp_bigip.py helper script. The mechanism implemented performs the following:

Capture current start epoch time from deployment system
Determine polling interval and max number of polls
Loop until max number of polls
1. Send REST POST to retrieve deploy.postdeploy_final iStat key
2. Check if returned state starts with FINISHED_
  1. Check if timestamp returned in state is greater than start time
    
    Return success
1. Sleep until next polling interval
Return failure

Resource Bundling & L4-7 Policies¶

This template implements a generic mechanism that allows various system resources to be ‘bundled’ within the template and/or loading dynamically from a URL. This mechanism allows users to deploy the following types of resources:

Packaged within template:
- iRules
- ASM (Web Application Firewall) Policies
- APM (Identity & Access Management) Policies
Dynamically loaded from URL:
- iRules
- ASM Policies
- APM Policies
- SSL/TLS Objects:
  Certificates
  
  Keys
  
  Certificate Chain/Bundle

The two methods detailed below are NOT mutually exclusive and may be used together without issue.

Bundling¶

Bundling resources with the template allows a user to create packaged templates for specific use cases. Because resources are packaged as part of the template this mechanism is appropriate for environments that properly version control the template itself and do not need the ability to load resources dynamically at runtime.

For a step-by-step walk through on this process please refer to Building a Custom Template. The following steps are required to use this functionality:

Download the source tree for the iApp
Install required packages on the build system
Place resources in the appropriate location under the bundled/ directory
Build the template using the command python build.py -nd -a <optional name>
Upload the resulting template to the BIG-IP system

Bundled items will now be available to select for deployment via the vs__BundledItems table.

Row in this table are specified using a <type>:<name> format. Examples are:

irule:my_irule
asm:my_asm_policy
apm:my_apm_policy

With the exception of APM policies multiple resources of each type can be deployed with each deployment by adding rows to the table.

Dynamic Loading from URL¶

Dynamic loading of resources allows for a more flexible approach to automated deployment in Continuous Integration/Continuous Deployment environments. This mechanism allows URLs to be specified for resources that are then loaded at runtime from the BIG-IP system. To accomplish this the vs__BundledItems table is used with a special syntax that specifies the URL of the resource to load:

Syntax	Description
`irule:url=<url>`	An iRule resource. The file MUST exist on the remote server
`irule:urloptional=<url>`	An OPTIONAL iRule resource. The deployment will continue even if the resource does not exist on the remote server
`asm:url=<url>`	An ASM Policy resource. The file MUST exist on the remote server
`apm:url=<url>`	An APM Policy resource. The file MUST exist on the remote server. Only one APM resource is supported.

Note

This feature requires network connectivity from the BIG-IP system to the server hosting the remote resources.

Variable substitution is available within the URL string to allow runtime specification of URL components. The variables currently supported are:

Variable	Description
%APP_NAME%	The name of the iApp deployment
%APP_PATH%	The path of the iApp deployment
%PARTITION%	The name of the BIG-IP partition used for deployment
%VS_NAME%	The value of the vs__Name field
%VS_DESCR%	The value of the vs__Description field
%EXT1%	The value of the extensions__Field1 field
%EXT2%	The value of the extensions__Field2 field
%EXT3%	The value of the extensions__Field3 field

For example, if the name of our iApp deployment was my_http_app providing:

irule:url=https://git.company.com/infra/adc/%APP_NAME%/default_irule.irule

Would result in a URL of:

https://git.company.com/infra/adc/my_http_app/default_irule.irule

The same constraints mentioned in Item Bundling apply when loading multiple resources via URLs

Referencing Bundled Policies¶

In the case of ASM and APM policies, the mechanism used by the postdeploy_bundler only CREATES the resources on the system. To utilize the resource you must cross-reference it in the appropriate presentation layer fields.

APM Policy¶

To use a policy deployed via the bundler you must specify the value use-bundled in the vs__ProfileAccess field.

The postdeploy_bundler will then associate the APM policy with the Virtual Server automatically.

An example is provided in IAM/APM Policy Deployment

ASM Policies¶

To use an ASM policy deployed via the bundler you must create a L7 policy that references the resource name as a target. The format for the name is bundled:<resource name> and it must be specified as a value for a Parameter in the L7 Policy Action table. An example of this can be found in WAF/ASM Policy Deployment

Presentation Layer Reference¶

Section: iapp¶

Field: iapp__strictUpdates¶

Display Name	iApp: Strict Updates
Description	Control Strict Updates mode
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	boolean
Default	enabled
Min. Version	0.3_001
Examples	include_defaults.json

Field: iapp__appStats¶

Display Name	iApp: Statistics Handler Creation
Description	Control whether Virtual Server/Pool statistics handlers are created in Standalone or iWorkflow mode
Modes	Standalone, iWorkflow
Type	boolean
Default	enabled
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_ipforward.json \| test_vs_ipforward_emptypool.json

Field: iapp__mode¶

Display Name	iApp: Mode
Description	The mode to use during deployment. The default setting of auto determines the mode automatically.
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default	auto
Min. Version	0.3_013
Examples	include_defaults.json

Field: iapp__logLevel¶

Display Name	iApp: Log Level
Description	The log level to use during deployment. 0=silent, 10=most verbose
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default	7
Min. Version	2.0_001
Examples	include_defaults.json

Field: iapp__routeDomain¶

Display Name	iApp: Route Domain
Description	The route domain to use during deployment. Setting to ‘auto’ determines the Route Domain automatically using the partition default-route-domain. In APIC mode we determine the RD from the config since it doesn’t set default-route-domain
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default	auto
Min. Version	0.3_013
Examples	include_defaults.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_tcp_rd_auto.json \| test_vs_standard_tcp_rd_nonauto.json

Field: iapp__asmDeployMode¶

Display Name	iApp: ASM: Deployment Mode
Description	The behaviour to take on iApp (re)deployment for ASM policies. The ‘redeploy’ options will replace the existing policy with the one packaged in the template. The ‘preserve’ options keep the existing policy. The ‘block’ modifier to both preserve and redeploy marks the deployed virtual server down to prevent traffic from reaching pool members until policy deployment is complete. The ‘bypass’ modifier does not change the virtual server state, however, could cause traffic to bypass the policy until deployment completes.
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	choice
Default	preserve-bypass
Min. Version	2.0_001
Choices	preserve-bypass, preserve-block, redeploy-bypass, redeploy-block
Examples	include_defaults.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json \| test_vs_standard_https_bundle_asm_redeploy.json \| test_vs_standard_https_bundle_asm_redeploy_2.json

Field: iapp__apmDeployMode¶

Display Name	iApp: APM: Deployment Mode
Description	The behaviour to take on iApp (re)deployment for an APM policy. The ‘redeploy’ options will replace the existing policy with the one packaged in the template. The ‘preserve’ options keep the existing policy. The ‘block’ modifier to both preserve and redeploy marks the deployed virtual server down to prevent traffic from reaching pool members until policy deployment is complete. The ‘bypass’ modifier does not change the virtual server state, however, could cause traffic to bypass the policy until deployment completes.
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	choice
Default	preserve-bypass
Min. Version	2.0_001
Choices	preserve-bypass, preserve-block, redeploy-bypass, redeploy-block
Examples	include_defaults.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json

Section: pool¶

Field: pool__addr¶

Display Name	Virtual Server: Address
Description	The destination address of the Virtual Server. Specifying a value of ‘255.255.255.254’ will skip Virtual Server creation.
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default
Min. Version	0.3_001
Examples	include_defaults.json \| test_monitors.json \| test_monitors_noindex.json \| test_pools.json \| test_pools_2.json \| test_pools_3.json \| test_pools_noindex.json \| test_vs_fasthttp_tcp.json \| test_vs_fastl4_tcp.json \| test_vs_fastl4_udp.json \| test_vs_ipforward.json \| test_vs_ipforward_emptypool.json \| test_vs_ipother.json \| test_vs_sctp.json \| test_vs_standard_http.json \| test_vs_standard_http_afm.json \| test_vs_standard_http_autoxff.json \| test_vs_standard_http_bundle_irule.json \| test_vs_standard_http_ipv6.json \| test_vs_standard_http_options.json \| test_vs_standard_http_options_2.json \| test_vs_standard_https.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json \| test_vs_standard_https_bundle_asm_redeploy.json \| test_vs_standard_https_bundle_asm_redeploy_2.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_l7policy.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json \| test_vs_standard_tcp.json \| test_vs_standard_tcp_afm.json \| test_vs_standard_tcp_options.json \| test_vs_standard_tcp_rd_auto.json \| test_vs_standard_tcp_rd_nonauto.json \| test_vs_standard_tcp_routeadv_all.json \| test_vs_standard_tcp_routeadv_always.json \| test_vs_standard_tcp_routeadv_any.json \| test_vs_standard_tcp_virt_addr_options.json \| test_vs_standard_udp.json \| test_vs_standard_udp_afm.json

Field: pool__mask¶

Display Name	Virtual Server: Mask
Description	The destination network mask of the Virtual Server
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default	255.255.255.255
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_standard_http_ipv6.json

Field: pool__port¶

Display Name	Virtual Server: Port
Description	The L4 port the Virtual Server listens on. ‘*’ is supported
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default
Min. Version	0.3_001
Examples	include_defaults.json \| test_monitors.json \| test_monitors_noindex.json \| test_pools.json \| test_pools_2.json \| test_pools_3.json \| test_pools_noindex.json \| test_vs_fasthttp_tcp.json \| test_vs_fastl4_tcp.json \| test_vs_fastl4_udp.json \| test_vs_ipforward.json \| test_vs_ipforward_emptypool.json \| test_vs_ipother.json \| test_vs_sctp.json \| test_vs_standard_http.json \| test_vs_standard_http_afm.json \| test_vs_standard_http_autoxff.json \| test_vs_standard_http_bundle_irule.json \| test_vs_standard_http_ipv6.json \| test_vs_standard_http_options.json \| test_vs_standard_http_options_2.json \| test_vs_standard_https.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json \| test_vs_standard_https_bundle_asm_redeploy.json \| test_vs_standard_https_bundle_asm_redeploy_2.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_l7policy.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json \| test_vs_standard_tcp.json \| test_vs_standard_tcp_afm.json \| test_vs_standard_tcp_options.json \| test_vs_standard_tcp_rd_auto.json \| test_vs_standard_tcp_rd_nonauto.json \| test_vs_standard_tcp_routeadv_all.json \| test_vs_standard_tcp_routeadv_always.json \| test_vs_standard_tcp_routeadv_any.json \| test_vs_standard_tcp_virt_addr_options.json \| test_vs_standard_udp.json \| test_vs_standard_udp_afm.json

Field: pool__DefaultPoolIndex¶

Display Name	Virtual Server: Default Pool Index
Description	The index of the pool to use as the default pool for the Virtual Server
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default	0
Min. Version	2.0_001
Examples	include_defaults.json \| test_monitors.json \| test_monitors_noindex.json \| test_pools.json \| test_pools_2.json \| test_pools_3.json \| test_pools_noindex.json \| test_vs_fasthttp_tcp.json \| test_vs_fastl4_tcp.json \| test_vs_fastl4_udp.json \| test_vs_ipforward.json \| test_vs_ipforward_emptypool.json \| test_vs_ipother.json \| test_vs_sctp.json \| test_vs_standard_http.json \| test_vs_standard_http_afm.json \| test_vs_standard_http_autoxff.json \| test_vs_standard_http_bundle_irule.json \| test_vs_standard_http_ipv6.json \| test_vs_standard_http_options.json \| test_vs_standard_http_options_2.json \| test_vs_standard_https.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json \| test_vs_standard_https_bundle_asm_redeploy.json \| test_vs_standard_https_bundle_asm_redeploy_2.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_l7policy.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json \| test_vs_standard_tcp.json \| test_vs_standard_tcp_afm.json \| test_vs_standard_tcp_options.json \| test_vs_standard_tcp_rd_auto.json \| test_vs_standard_tcp_rd_nonauto.json \| test_vs_standard_tcp_routeadv_all.json \| test_vs_standard_tcp_routeadv_always.json \| test_vs_standard_tcp_routeadv_any.json \| test_vs_standard_tcp_virt_addr_options.json \| test_vs_standard_udp.json \| test_vs_standard_udp_afm.json

Table: pool__Pools¶

The pools to create. Note that pool index must be >0 and sequential.

Column Details

Index

Display Name:	Index:
Description:	The Pool Index of this Pool
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:	0
Min. Version:	2.0_001

Name

Display Name:	Name:
Description:	The Name of this Pool
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:
Min. Version:	2.0_001

Description

Display Name:	Description:
Description:	The Description of this Pool
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:
Min. Version:	2.0_001

LbMethod

Display Name:	LB Method:
Description:	The pool Load Balancing Method
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	choice
Default:	round-robin
Min. Version:	2.0_001
Choices:	dynamic-ratio-member, dynamic-ratio-node, fastest-app-response, fastest-node, least-connections-member, least-connections-node, least-sessions, observed-member, observed-node, predictive-member, predictive-node, round-robin, ratio-member, ratio-node, ratio-session, ratio-least-connections-member, ratio-least-connections-node, weighted-least-connections-member

Monitor

Display Name:	Monitor(s):
Description:	The pool monitor(s) and minimum number of monitors that have to pass can be specified using a string of the format ‘[<monitor index>[,<monitor index>][;<minimum # healthy>]]’. For example ‘0,1,2;2’ would associate the monitors with indexes 0, 1 and 2 and require at least 2 pass. If no value is specified no monitor is associated with the pool
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:
Min. Version:	2.0_001

AdvOptions

Display Name:	Adv Options:
Description:	The options to set in the created Pool. Options can be specified using the format: <tmsh_option_name>=<tmsh_option_value>[,<tmsh_option_name>=<tmsh_option_value>]
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:
Min. Version:	0.3_012

Field: pool__MemberDefaultPort¶

Display Name	Pool: Member Default Port
Description	The L4 port to used when a pool member is added via a Dynamic Endpoint Insertion notication from Cisco APIC
Modes	Cisco APIC
Type	string
Default
Min. Version	0.3_001
Examples	include_defaults.json \| test_pools_2.json \| test_pools_3.json \| test_pools_noindex.json

Table: pool__Members¶

The configuration for Pool Members within the Pool.

Column Details

Index

Display Name:	Pool Idx:
Description:	The Index cross-reference of the Pool in the Pools table this Member is a part of
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:	0
Min. Version:	2.0_001

IPAddress

Display Name:	IP/Node Name:
Description:	IP Address OR Node Name of the Pool Member
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	editchoice
Default:
Min. Version:	0.3_001

Port

Display Name:	Port:
Description:	L4 port of the Pool Member
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:	80
Min. Version:	0.3_001

ConnectionLimit

Display Name:	Connection Limit:
Description:	The Connection Limit for the Pool Member. ‘0’ denotes unlimited connections
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:	0
Min. Version:	0.3_001

Ratio

Display Name:	Ratio:
Description:	The Ratio weight for the Pool Member. Used with ‘ratio’ based Load Balancing Methods
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:	1
Min. Version:	0.3_001

PriorityGroup

Display Name:	Priority Group:
Description:	The Priority Group for the Pool Member.
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:	0
Min. Version:	1.0_002

State

Display Name:	State:
Description:	The administrative state of the Pool Member upon creation
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	choice
Default:	enabled
Min. Version:	0.3_001
Choices:	enabled, drain-disabled, disabled

AdvOptions

Display Name:	Adv Options:
Description:	The Advanced Options for the Pool Member.
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:
Min. Version:	2.0_001

Section: monitor¶

Table: monitor__Monitors¶

The monitors to create/associate. Note that monitor index must be >0 and sequential.

Column Details

Index

Display Name:	Index:
Description:	The Index of this Monitor
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:	0
Min. Version:	2.0_001

Name

Display Name:	Name:
Description:	The Name of the Monitor to create or associate. To associate an existing monitor specify the full path to the existing monitor object (e.g. ‘/Common/http’)
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:
Min. Version:	2.0_001

Type

Display Name:	Type:
Description:	The Type of this Monitor. To determine the available types on a BIG-IP system execute ‘tmsh create ltm monitor ?’ from the CLI
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:
Min. Version:	2.0_001

Options

Display Name:	Options:
Description:	The options to set in the created Monitor. Options can be specified using the format: <tmsh_option_name>=<tmsh_option_value>[,<tmsh_option_name>=<tmsh_option_value>]
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:
Min. Version:	2.0_001

Section: vs¶

Table: vs__Listeners¶

A list of additional IPv4/IPv6 listeners to create. All listeners will be configured identically except if flags are specified in the Destination column modifying specific profiles.

Column Details

Listener

Display Name:	Listener:
Description:	Listener to create in <address>:<port> format
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:
Min. Version:	2.0_001

Destination

Display Name:	Destination
Description:	The destination for traffic bound for this listener in the format (default\|<pool index>\|redirect\|<TMOS pool object path>)[;(nossl\|noclientssl\|noserverssl)]. If no value or the keyword ‘default’ is specified the default pool index will be used.
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:
Min. Version:	2.0_001

Examples include_defaults.json | test_vs_standard_https_multi_listeners.json

Field: vs__Name¶

Display Name	Virtual Server: Name
Description	The name of the Virtual Server. If no value is specified the name will be set to <iapp_name>_vs
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_fasthttp_tcp.json \| test_vs_fastl4_tcp.json \| test_vs_fastl4_udp.json \| test_vs_ipforward.json \| test_vs_ipforward_emptypool.json \| test_vs_ipother.json \| test_vs_sctp.json \| test_vs_standard_http.json \| test_vs_standard_http_afm.json \| test_vs_standard_http_autoxff.json \| test_vs_standard_http_bundle_irule.json \| test_vs_standard_http_ipv6.json \| test_vs_standard_http_options.json \| test_vs_standard_http_options_2.json \| test_vs_standard_https.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json \| test_vs_standard_https_bundle_asm_redeploy.json \| test_vs_standard_https_bundle_asm_redeploy_2.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_l7policy.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json \| test_vs_standard_tcp.json \| test_vs_standard_tcp_afm.json \| test_vs_standard_tcp_options.json \| test_vs_standard_tcp_rd_auto.json \| test_vs_standard_tcp_rd_nonauto.json \| test_vs_standard_tcp_routeadv_all.json \| test_vs_standard_tcp_routeadv_always.json \| test_vs_standard_tcp_routeadv_any.json \| test_vs_standard_tcp_virt_addr_options.json \| test_vs_standard_udp.json \| test_vs_standard_udp_afm.json

Field: vs__Description¶

Display Name	Virtual Server: Description
Description	The description string configured in the Virtual Server
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_fasthttp_tcp.json \| test_vs_fastl4_tcp.json \| test_vs_fastl4_udp.json \| test_vs_ipforward.json \| test_vs_ipforward_emptypool.json \| test_vs_ipother.json \| test_vs_sctp.json \| test_vs_standard_http.json \| test_vs_standard_http_afm.json \| test_vs_standard_http_autoxff.json \| test_vs_standard_http_bundle_irule.json \| test_vs_standard_http_ipv6.json \| test_vs_standard_http_options.json \| test_vs_standard_http_options_2.json \| test_vs_standard_https.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json \| test_vs_standard_https_bundle_asm_redeploy.json \| test_vs_standard_https_bundle_asm_redeploy_2.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_l7policy.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json \| test_vs_standard_tcp.json \| test_vs_standard_tcp_afm.json \| test_vs_standard_tcp_options.json \| test_vs_standard_tcp_rd_auto.json \| test_vs_standard_tcp_rd_nonauto.json \| test_vs_standard_tcp_routeadv_all.json \| test_vs_standard_tcp_routeadv_always.json \| test_vs_standard_tcp_routeadv_any.json \| test_vs_standard_tcp_virt_addr_options.json \| test_vs_standard_udp.json \| test_vs_standard_udp_afm.json

Field: vs__RouteAdv¶

Display Name	Virtual Server: Route Advertisement
Description	Control the route-advertisement behaviour setting of the associated Virtual Address object. Routing protocol configuration must be completed on the device manually.
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	choice
Default	disabled
Min. Version	2.0_001
Choices	disabled, all_vs, any_vs, always
Examples	include_defaults.json \| test_vs_standard_tcp_routeadv_all.json \| test_vs_standard_tcp_routeadv_always.json \| test_vs_standard_tcp_routeadv_any.json

Field: vs__SourceAddress¶

Display Name	Virtual Server: Source Address
Description	The source address filter for the Virtual Server
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default	0.0.0.0/0
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_standard_http_ipv6.json \| test_vs_standard_tcp_options.json

Field: vs__IpProtocol¶

Display Name	Virtual Server: IP Protocol
Description	The IP Protocol of the Virtual Server (e.g. tcp, udp)
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default	tcp
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_fasthttp_tcp.json \| test_vs_fastl4_tcp.json \| test_vs_fastl4_udp.json \| test_vs_ipforward.json \| test_vs_ipforward_emptypool.json \| test_vs_ipother.json \| test_vs_sctp.json \| test_vs_standard_http.json \| test_vs_standard_http_afm.json \| test_vs_standard_http_autoxff.json \| test_vs_standard_http_bundle_irule.json \| test_vs_standard_http_ipv6.json \| test_vs_standard_http_options.json \| test_vs_standard_http_options_2.json \| test_vs_standard_https.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json \| test_vs_standard_https_bundle_asm_redeploy.json \| test_vs_standard_https_bundle_asm_redeploy_2.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_l7policy.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json \| test_vs_standard_tcp.json \| test_vs_standard_tcp_afm.json \| test_vs_standard_tcp_options.json \| test_vs_standard_tcp_rd_auto.json \| test_vs_standard_tcp_rd_nonauto.json \| test_vs_standard_tcp_routeadv_all.json \| test_vs_standard_tcp_routeadv_always.json \| test_vs_standard_tcp_routeadv_any.json \| test_vs_standard_tcp_virt_addr_options.json \| test_vs_standard_udp.json \| test_vs_standard_udp_afm.json

Field: vs__ConnectionLimit¶

Display Name	Virtual Server: Virtual Server Connection Limit (0=unlimited)
Description	The connection limit for the virtual server. A value of ‘0’ means no limit
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default	0
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_standard_tcp_options.json

Field: vs__ProfileClientProtocol¶

Display Name	Virtual Server: Client-side L4 Protocol Profile
Description	The client-side protocol profile. This field supports the ‘create:’ format for customization
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_fasthttp_tcp.json \| test_vs_fastl4_tcp.json \| test_vs_fastl4_udp.json \| test_vs_ipforward.json \| test_vs_ipforward_emptypool.json \| test_vs_ipother.json \| test_vs_sctp.json \| test_vs_standard_tcp_options.json \| test_vs_standard_udp.json \| test_vs_standard_udp_afm.json

Field: vs__ProfileServerProtocol¶

Display Name	Virtual Server: Server-side L4 Protocol Profile
Description	The server-side protocol profile. This field supports the ‘create:’ format for customization
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_fasthttp_tcp.json \| test_vs_fastl4_tcp.json \| test_vs_fastl4_udp.json \| test_vs_ipforward.json \| test_vs_ipforward_emptypool.json \| test_vs_ipother.json \| test_vs_sctp.json \| test_vs_standard_tcp_options.json \| test_vs_standard_udp.json \| test_vs_standard_udp_afm.json

Field: vs__ProfileHTTP¶

Display Name	Virtual Server: HTTP Profile
Description	The HTTP protocol profile. This field supports the ‘create:’ format for customization
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_standard_http.json \| test_vs_standard_http_afm.json \| test_vs_standard_http_autoxff.json \| test_vs_standard_http_bundle_irule.json \| test_vs_standard_http_ipv6.json \| test_vs_standard_http_options.json \| test_vs_standard_http_options_2.json \| test_vs_standard_https.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json \| test_vs_standard_https_bundle_asm_redeploy.json \| test_vs_standard_https_bundle_asm_redeploy_2.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_l7policy.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json

Field: vs__ProfileOneConnect¶

Display Name	Virtual Server: OneConnect Profile
Description	The oneconnect profile. This field supports the ‘create:’ format for customization
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_standard_http.json \| test_vs_standard_http_afm.json \| test_vs_standard_http_autoxff.json \| test_vs_standard_http_bundle_irule.json \| test_vs_standard_http_ipv6.json \| test_vs_standard_http_options.json \| test_vs_standard_http_options_2.json \| test_vs_standard_https.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json \| test_vs_standard_https_bundle_asm_redeploy.json \| test_vs_standard_https_bundle_asm_redeploy_2.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_l7policy.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json

Field: vs__ProfileCompression¶

Display Name	Virtual Server: Compression Profile
Description	The compression profile. This field supports the ‘create:’ format for customization
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_005
Examples	include_defaults.json \| test_vs_standard_http.json \| test_vs_standard_http_afm.json \| test_vs_standard_http_autoxff.json \| test_vs_standard_http_bundle_irule.json \| test_vs_standard_http_ipv6.json \| test_vs_standard_http_options.json \| test_vs_standard_http_options_2.json \| test_vs_standard_https.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json \| test_vs_standard_https_bundle_asm_redeploy.json \| test_vs_standard_https_bundle_asm_redeploy_2.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_l7policy.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json

Field: vs__ProfileAnalytics¶

Display Name	Virtual Server: Analytics Profile
Description	The analytics profile
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default
Min. Version	0.3_005
Examples	include_defaults.json

Field: vs__ProfileRequestLogging¶

Display Name	Virtual Server: Request Logging Profile
Description	The request logging profile. This field supports the ‘create:’ format for customization
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_005
Examples	include_defaults.json

Field: vs__ProfileDefaultPersist¶

Display Name	Virtual Server: Default Persistence Profile
Description	The default persistence profile. This field supports the ‘create:’ format for customization. A key of ‘type’ specifying the persisence type to create must be specified (ex: create:type=cookie;...)
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_standard_http.json \| test_vs_standard_http_afm.json \| test_vs_standard_http_bundle_irule.json \| test_vs_standard_http_ipv6.json \| test_vs_standard_http_options.json \| test_vs_standard_http_options_2.json \| test_vs_standard_https.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json \| test_vs_standard_https_bundle_asm_redeploy.json \| test_vs_standard_https_bundle_asm_redeploy_2.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_l7policy.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json \| test_vs_standard_tcp_options.json

Field: vs__ProfileFallbackPersist¶

Display Name	Virtual Server: Fallback Persistence Profile
Description	The fallback persistence profile. This field supports the ‘create:’ format for customization. A key of ‘type’ specifying the persisence type to create must be specified (ex: create:type=cookie;...)
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_standard_http.json \| test_vs_standard_http_afm.json \| test_vs_standard_http_bundle_irule.json \| test_vs_standard_http_ipv6.json \| test_vs_standard_http_options.json \| test_vs_standard_http_options_2.json \| test_vs_standard_https.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json \| test_vs_standard_https_bundle_asm_redeploy.json \| test_vs_standard_https_bundle_asm_redeploy_2.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_l7policy.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json

Field: vs__SNATConfig¶

Display Name	Virtual Server: SNAT Configuration (enter SNAT pool name, ‘automap’ or leave blank to disable SNAT)
Description	The SNAT option to use. Specifiy ‘automap’,’/Common/<existing_snat_pool_name>’,’partition-default’,’create:<ip1,>....<ipX>’. The partition-default option references a SNAT pool created by Cisco APIC as part of the APIC partition
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default	automap
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_fasthttp_tcp.json \| test_vs_fastl4_tcp.json \| test_vs_fastl4_udp.json \| test_vs_ipforward.json \| test_vs_ipforward_emptypool.json \| test_vs_ipother.json \| test_vs_sctp.json \| test_vs_standard_http.json \| test_vs_standard_http_afm.json \| test_vs_standard_http_autoxff.json \| test_vs_standard_http_bundle_irule.json \| test_vs_standard_http_ipv6.json \| test_vs_standard_http_options.json \| test_vs_standard_http_options_2.json \| test_vs_standard_https.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json \| test_vs_standard_https_bundle_asm_redeploy.json \| test_vs_standard_https_bundle_asm_redeploy_2.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_l7policy.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json \| test_vs_standard_tcp.json \| test_vs_standard_tcp_afm.json \| test_vs_standard_tcp_options.json \| test_vs_standard_tcp_rd_auto.json \| test_vs_standard_tcp_rd_nonauto.json \| test_vs_standard_tcp_routeadv_all.json \| test_vs_standard_tcp_routeadv_always.json \| test_vs_standard_tcp_routeadv_any.json \| test_vs_standard_tcp_virt_addr_options.json \| test_vs_standard_udp.json \| test_vs_standard_udp_afm.json

Field: vs__ProfileServerSSL¶

Display Name	Virtual Server: Server SSL Profile
Description	The server-ssl profile. This field supports the ‘create:’ format for customization
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_005
Examples	include_defaults.json \| test_vs_standard_https.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json

Field: vs__ProfileClientSSL¶

Display Name	Virtual Server: Client SSL Profile
Description	The path to an existing Client-SSL profile. If specified this value overrides Client-SSL profile creation
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_standard_https.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json \| test_vs_standard_https_bundle_asm_redeploy.json \| test_vs_standard_https_bundle_asm_redeploy_2.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_l7policy.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json

Field: vs__ProfileClientSSLCert¶

Display Name	Virtual Server: Client SSL Certificate
Description	The path to an existing SSL Certificate. If the word ‘auto’ is specfied the value /Common/<iapp_name>.crt will be substituted. This field also supports the url=<url> format to load a PEM encoded resources.
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_standard_https.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json \| test_vs_standard_https_bundle_asm_redeploy.json \| test_vs_standard_https_bundle_asm_redeploy_2.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_l7policy.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json

Field: vs__ProfileClientSSLKey¶

Display Name	Virtual Server: Client SSL Key
Description	The path to an existing SSL Key. If the word ‘auto’ is specfied the value /Common/<iapp_name>.key will be substituted. This field also supports the url=<url> format to load a PEM encoded resources.
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_standard_https.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json \| test_vs_standard_https_bundle_asm_redeploy.json \| test_vs_standard_https_bundle_asm_redeploy_2.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_l7policy.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json

Field: vs__ProfileClientSSLChain¶

Display Name	Virtual Server: Client SSL Certificate Chain
Description	The path to the SSL Certicate Chain bundle. This field also supports the url=<url> format to load a PEM encoded resources.
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_standard_https.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json

Field: vs__ProfileClientSSLCipherString¶

Display Name	Virtual Server: Client SSL Cipher String
Description	The SSL Cipher String
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default	DEFAULT
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_standard_https.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json

Field: vs__ProfileClientSSLAdvOptions¶

Display Name	Virtual Server: Client SSL Advanced Options
Description	The options to set in the created Client-SSL profile. Options can be specified using the format: <tmsh_option_name>=<tmsh_option_value>[,<tmsh_option_name>=<tmsh_option_value>]
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default
Min. Version	0.3_010
Examples	include_defaults.json \| test_vs_standard_https.json \| test_vs_standard_https_create.json \| test_vs_standard_https_create_url.json \| test_vs_standard_https_features.json \| test_vs_standard_https_multi_listeners.json \| test_vs_standard_https_serverssl.json \| test_vs_standard_https_serverssl_create.json

Field: vs__ProfileSecurityLogProfiles¶

Display Name	Virtual Server: Security Logging Profiles
Description	A comma seperated list of existing security logging profiles
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_008
Examples	include_defaults.json

Field: vs__ProfileSecurityIPBlacklist¶

Display Name	Virtual Server: IP Blacklist Profile
Description	Configuration for the IP Intelligence Dynamic IP Blacklist. An existing subscription is required for this feature. A pre-exsiting policy may be specified by entering it’s full path (ex: /Common/my_ipi_policy)
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default	none
Min. Version	0.3_015
Choices	none, enabled-block, enabled-log
Examples	include_defaults.json

Field: vs__ProfileSecurityDoS¶

Display Name	Virtual Server: Security: DoS Profile
Description	The DoS Protection Policy to configure
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_016
Examples	include_defaults.json

Field: vs__ProfileAccess¶

Display Name	Virtual Server: Access Profile
Description	The APM Access Policy to configure. To automatically associate a bundled APM policy after deployment use the value ‘use-bundled’
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_011
Examples	include_defaults.json \| test_vs_standard_https_bundle_all_preserve.json \| test_vs_standard_https_bundle_all_preserve_2.json \| test_vs_standard_https_bundle_all_redeploy.json \| test_vs_standard_https_bundle_all_redeploy_2.json \| test_vs_standard_https_bundle_all_url.json \| test_vs_standard_https_bundle_apm_preserve.json \| test_vs_standard_https_bundle_apm_preserve_2.json \| test_vs_standard_https_bundle_apm_redeploy.json \| test_vs_standard_https_bundle_apm_redeploy_2.json

Field: vs__ProfileConnectivity¶

Display Name	Virtual Server: Connectivity Profile
Description	The APM Connectivity Policy to configure
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_011
Examples	include_defaults.json

Field: vs__ProfilePerRequest¶

Display Name	Virtual Server: Per-Request Profile
Description	The APM Per-Request Policy to configure
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default
Min. Version	0.3_011
Examples	include_defaults.json

Field: vs__OptionSourcePort¶

Display Name	Virtual Server: Source Port Behavior
Description	The source port translation behavior
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	choice
Default	preserve
Min. Version	0.3_001
Choices	preserve, preserve-strict, change
Examples	include_defaults.json \| test_vs_standard_tcp_options.json

Field: vs__OptionConnectionMirroring¶

Display Name	Virtual Server: Connection Mirroring
Description	The connection mirroring behavior
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	boolean
Default	disabled
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_standard_tcp_options.json

Field: vs__Irules¶

Display Name	Virtual Server: iRules (to specify multiple iRules seperate with a comma ex: irule1,irule2,irule3)
Description	A comma seperated list of existing iRules to attach to the virtual server. Ordering is preserved.
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default
Min. Version	0.3_001
Examples	include_defaults.json \| test_vs_standard_http_options.json \| test_vs_standard_http_options_2.json

Table: vs__BundledItems¶

The bundled resources to deploy. See bundled/README for more info.

Column Details

Resource

Display Name:	Resource:
Description:	The bundled items to deploy. See bundled/README for more info.
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	editchoice
Default:
Min. Version:	2.0_001
Choices:	no bundled items

Examples include_defaults.json | test_vs_standard_http_bundle_irule.json | test_vs_standard_https_bundle_all_preserve.json | test_vs_standard_https_bundle_all_preserve_2.json | test_vs_standard_https_bundle_all_redeploy.json | test_vs_standard_https_bundle_all_redeploy_2.json | test_vs_standard_https_bundle_all_url.json | test_vs_standard_https_bundle_apm_preserve.json | test_vs_standard_https_bundle_apm_preserve_2.json | test_vs_standard_https_bundle_apm_redeploy.json | test_vs_standard_https_bundle_apm_redeploy_2.json | test_vs_standard_https_bundle_asm_preserve.json | test_vs_standard_https_bundle_asm_preserve_2.json | test_vs_standard_https_bundle_asm_redeploy.json | test_vs_standard_https_bundle_asm_redeploy_2.json

Field: vs__AdvOptions¶

Display Name	Virtual Server: Advanced Options
Description	The options to set in the created Virtual Server. Options can be specified using the format: <tmsh_option_name>=<tmsh_option_value>[,<tmsh_option_name>=<tmsh_option_value>]
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default
Min. Version	0.3_010
Examples	include_defaults.json \| test_vs_fasthttp_tcp.json \| test_vs_fastl4_tcp.json \| test_vs_fastl4_udp.json \| test_vs_ipforward.json \| test_vs_ipforward_emptypool.json \| test_vs_ipother.json \| test_vs_sctp.json \| test_vs_standard_tcp_options.json

Field: vs__AdvProfiles¶

Display Name	Virtual Server: Advanced Profiles
Description	A comma-seperated list of profiles to link to the Virtual Server: <profile_name>[,<profile_name>]
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default
Min. Version	0.3_010
Examples	include_defaults.json

Field: vs__AdvPolicies¶

Display Name	Virtual Server: Advanced Policies
Description	A comma-seperated list of policies to link to the Virtual Server: <policy_name>[,<policy_name>]
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default
Min. Version	2.0_001
Examples	include_defaults.json

Field: vs__VirtualAddrAdvOptions¶

Display Name	Virtual Address: Advanced Options
Description	The options to set in the global Virtual Address object. Options can be specified using the format: <tmsh_option_name>=<tmsh_option_value>[,<tmsh_option_name>=<tmsh_option_value>]
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default
Min. Version	2.0_001
Examples	include_defaults.json \| test_vs_standard_tcp_virt_addr_options.json

Section: l7policy¶

Field: l7policy__strategy¶

Display Name	L7 Policy: Match Strategy
Description	The Matching Strategy to use for the L7 Policy
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default	/Common/first-match
Min. Version	2.0_001
Choices	/Common/first-match, /Common/best-match, /Common/all-match
Examples	include_defaults.json

Field: l7policy__defaultASM¶

Display Name	L7 Policy: Default ASM Policy
Description	The default ASM policy to use for the L7 Policy. Specifying a value of ‘bypass’ will set all actions to bypass ASM processing unless a explicit ASM Action Target is specified
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default	bypass
Min. Version	2.0_001
Examples	include_defaults.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json

Field: l7policy__defaultL7DOS¶

Display Name	L7 Policy: Default L7 DoS Policy
Description	The default L7 DoS policy to use for the L7 Policy. Specifying a value of ‘bypass’ will set all actions to bypass ASM processing unless a explicit L7 DoS Action Target is specified
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default	bypass
Min. Version	2.0_001
Examples	include_defaults.json \| test_vs_standard_https_bundle_asm_preserve.json \| test_vs_standard_https_bundle_asm_preserve_2.json

Table: l7policy__rulesMatch¶

The L7 policy Matching ruleset to configure.

Column Details

Group

Display Name:	Group:
Description:	The group for this match rule. The corresponding action is configured by specifying a matching action with the same group(s). Multiple rows with the same group may be specified to create multiple match conditions.
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:
Min. Version:	2.0_001

Operand

Display Name:	Operand:
Description:	The specific operand to use for a policy match.
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	editchoice
Default:
Min. Version:	2.0_001
Choices:	client-ssl/request/cipher, client-ssl/request/cipher-bits, client-ssl/request/protocol, client-ssl/response/cipher, client-ssl/response/cipher-bits, client-ssl/response/protocol, http-basic-auth/request/username, http-basic-auth/request/password, http-cookie/request/all/name/<name>, http-header/request/all/name/<name>, http-header/request/all/name/<name>, http-host/request/all, http-host/request/host, http-host/request/port, http-method/request/all, http-referer/request/all, http-referer/request/extension, http-referer/request/host, http-referer/request/path, http-referer/request/path-segment/index/<index>, http-referer/request/port, http-referer/request/query-parameter/name/<name>, http-referer/request/scheme, http-referer/request/unnamed-query-parameter/index/<index>, http-set-cookie/response/domain/name/<name>, http-set-cookie/response/expiry/name/<name>, http-set-cookie/response/path/name/<name>, http-set-cookie/response/value/name/<name>, http-set-cookie/response/version/name/<name>, http-status/response/all, http-status/response/code, http-status/response/text, http-uri/request/all, http-uri/request/extension, http-uri/request/host, http-uri/request/path, http-uri/request/path-segment/index/<index>, http-uri/request/port, http-uri/request/query-parameter/name/<name>, http-uri/request/scheme, http-uri/request/unnamed-query-parameter/index/<index>, http-version/request/all, http-version/request/major, http-version/request/minor, http-version/request/protocol, http-version/response/all, http-version/response/major, http-version/response/minor, http-version/response/protocol, ssl-cert/ssl-server-handshake/common-name/index/<index>, ssl-extension/ssl-client-hello/alpn, ssl-extension/ssl-client-hello/npn, ssl-extension/ssl-client-hello/server-name, ssl-extension/ssl-server-hello/alpn, ssl-extension/ssl-server-hello/npn, ssl-extension/ssl-server-hello/server-name, tcp/request/mss/internal, tcp/request/port/internal, tcp/request/port/local, tcp/request/route-domain/internal, tcp/request/rtt/internal, tcp/request/vlan/internal, tcp/request/vlan-id/internal

Negate

Display Name:	Negate:
Description:	Reverses the meaning of the operation (for example, enabling Negate and specifying https as the starts-with value resolves to true if the header does not start with https).
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	choice
Default:	no
Min. Version:	2.0_001
Choices:	no, yes

Condition

Display Name:	Condition:
Description:	Specifies a conditions to use for matching.
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	choice
Default:
Min. Version:	2.0_001
Choices:	equals, starts-with, ends-with, contains, greater, greater-or-equal, less, less-or-equal

Value

Display Name:	Value:
Description:	Specifies a list of values the operand is matched against. To specify multiple values seperate with a ‘;’
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:
Min. Version:	2.0_001

CaseSensitive

Display Name:	Case Sensitive:
Description:	Specifies a list of values the operand is matched against. To specify multiple values seperate with a ‘;’
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	choice
Default:	no
Min. Version:	2.0_001
Choices:	no, yes

Missing

Display Name:	Missing:
Description:	Indicates whether a value can be missing.
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	choice
Default:	no
Min. Version:	2.0_001
Choices:	no, yes

Examples include_defaults.json | test_vs_standard_https_bundle_all_preserve.json | test_vs_standard_https_bundle_all_preserve_2.json | test_vs_standard_https_bundle_all_redeploy.json | test_vs_standard_https_bundle_all_redeploy_2.json | test_vs_standard_https_bundle_all_url.json | test_vs_standard_https_bundle_asm_preserve.json | test_vs_standard_https_bundle_asm_preserve_2.json | test_vs_standard_https_bundle_asm_redeploy.json | test_vs_standard_https_bundle_asm_redeploy_2.json | test_vs_standard_https_l7policy.json

Table: l7policy__rulesAction¶

The L7 policy Action ruleset actions to configure

Column Details

Group

Display Name:	Group:
Description:	The group for this action rule. Multiple rows with the same group may be specified to create multiple action targets
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:
Min. Version:	2.0_001

Target

Display Name:	Target:
Description:	The specific target to use for a policy match.
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	editchoice
Default:
Min. Version:	2.0_001
Choices:	asm/request/enable/policy, asm/request/disable, cache/request/enable/pin, cache/request/disable, cache/response/enable/pin, cache/respones/disable, compress/request/enable, compress/request/disable, compress/response/enable, compress/response/disable, decompress/request/enable, decompress/request/disable, decompress/response/enable, decompress/response/disable, forward/request/reset, forward/request/select/clone-pool, forward/request/select/member, forward/request/select/nexthop, forward/request/select/node, forward/request/select/pool, forward/request/select/rateclass, forward/request/select/snat, forward/request/select/snatpool, forward/request/select/vlan, forward/request/select/vlan-id, http/request/enable, http/request/disable, http-cookie/request/insert/name,value, http-cookie/request/remove/name, http-header/request/insert/name,value, http-header/request/remove/name, http-header/request/replace/name,value, http-header/response/insert/name,value, http-header/response/remove/name, http-header/response/replace/name,value, http-host/request/replace/value, http-referer/request/insert/value, http-referer/request/remove, http-referer/request/replace/value, http-reply/request/redirect/location, http-reply/response/redirect/location, http-set-cookie/response/insert/name,domain,path,value, http-set-cookie/response/remove/name, http-uri/response/replace/path,query-string,value, l7dos/request/enable/from-profile, l7dos/request/disable, log/request/write/message, log/response/write/message, request-adapt/request/enable/internal-virtual-server, request-adapt/request/disable, request-adapt/response/enable/internal-virtual-server, request-adapt/response/disable, response-adapt/request/enable/internal-virtual-server, response-adapt/request/disable, response-adapt/response/enable/internal-virtual-server, request-adapt/response/disable, server-ssl/request/enable, server-ssl/request/disable, tcl/request/set-variable/name,expression, tcl/response/set-variable/name,expression, tcl/ssl-client-hello/set-variable/name,expression, tcl/ssl-server-handshake/set-variable/name,expression, tcl/ssl-server-hello/set-variable/name,expression, tcp-nagle/request/enable, tcp-nagle/request/disable

Parameter

Display Name:	Parameter:
Description:	Specifies the value for the action. Possible values depend on the target. Multiple values can be entered by seperating with a ‘;’. To reference a bundled policy item for use with a supported target use the format ‘bundled:<bundled item name>’
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:
Min. Version:	2.0_001

Examples include_defaults.json | test_vs_standard_https_bundle_all_preserve.json | test_vs_standard_https_bundle_all_preserve_2.json | test_vs_standard_https_bundle_all_redeploy.json | test_vs_standard_https_bundle_all_redeploy_2.json | test_vs_standard_https_bundle_all_url.json | test_vs_standard_https_bundle_asm_preserve.json | test_vs_standard_https_bundle_asm_preserve_2.json | test_vs_standard_https_bundle_asm_redeploy.json | test_vs_standard_https_bundle_asm_redeploy_2.json | test_vs_standard_https_l7policy.json

Section: feature¶

Field: feature__statsTLS¶

Display Name	TLS/SSL: Stats Reporting
Description	TLS/SSL Statistics reporting. The auto option will enable this feature if a client-ssl profile is attached, otherwise disable
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	choice
Default	auto
Min. Version	0.3_006
Choices	auto, enabled, disabled
Examples	include_defaults.json

Field: feature__statsHTTP¶

Display Name	HTTP: Stats Reporting
Description	HTTP Statistics reporting. The auto option will enable this feature if a http profile is attached, otherwise disable
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	choice
Default	auto
Min. Version	0.3_006
Choices	auto, enabled, disabled
Examples	include_defaults.json

Field: feature__insertXForwardedFor¶

Display Name	HTTP: Insert X-Forwarded-For Header
Description	Insert the X-Forwarded-For header. The auto option will enable this feature if a HTTP profile and SNAT is configured, otherwise disable
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	choice
Default	auto
Min. Version	0.3_005
Choices	auto, enabled, disabled
Examples	include_defaults.json \| test_vs_standard_https_features.json

Field: feature__redirectToHTTPS¶

Display Name	HTTP: Security: Create HTTP(80)->HTTPS(443) Redirect
Description	Create a virtual service on TCP/80 that performs a 302 HTTP redirect to TCP/443 on the same IP address. The auto option will enable this feature if a HTTP profile is configured and the TCP port is 443, otherwise disable
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	choice
Default	auto
Min. Version	0.3_001
Choices	auto, enabled, disabled
Examples	include_defaults.json \| test_vs_standard_https_features.json \| test_vs_standard_https_multi_listeners.json

Field: feature__sslEasyCipher¶

Display Name	TLS/SSL: Easy Cipher String (overrides VS section setting)
Description	Easily configure TLS/SSL Cipher Strings. This setting overrides the value in the Virtual Server section
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	choice
Default	disabled
Min. Version	0.3_007
Choices	compatible, medium, high, tls_1.2, tls_1.1+1.2, disabled
Examples	include_defaults.json \| test_vs_standard_https_features.json

Field: feature__securityEnableHSTS¶

Display Name	HTTP: Security: Enable HTTP Strict Transport Security (only valid if ClientSSL is configured)
Description	Enabled insertion of the Strict-Transport-Security HTTP header. The preload and subdomain options can be omitted or included based on this selection. This setting also modifies creation of the HTTP->HTTPS redirect option to perform a 301 HTTP redirect. The max-age parameter can be specified by appending ‘;max-age=<value>’
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	editchoice
Default	disabled
Min. Version	0.3_001
Choices	disabled, enabled, enabled-preload, enabled-subdomain, enabled-preload-subdomain
Examples	include_defaults.json \| test_vs_standard_https_features.json \| test_vs_standard_https_multi_listeners.json

Field: feature__easyL4Firewall¶

Display Name	Security: Firewall: Configure L4 Firewall Policy
Description	Configure a AFM L4 Firewall policy. The ‘base’ option creates a policy that allows traffic to the Virtual Server with optional Blacklist and Source addresses specified in the following fields. The base+ip_blacklist options also configure an IP Intelligence Blacklist policy in either blocking or logging mode. The auto mode is equivalent to the base+ip_blacklist_block option with the exception that if a user-specfic IPI policy is specified it will be preserved
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	choice
Default	auto
Min. Version	0.3_008
Choices	auto, base, base+ip_blacklist_block, base+ip_blacklist_log, disabled
Examples	include_defaults.json \| test_vs_standard_http_afm.json \| test_vs_standard_https_features.json \| test_vs_standard_tcp_afm.json \| test_vs_standard_udp_afm.json

Table: feature__easyL4FirewallBlacklist¶

A list of CIDR formatted blacklisted IP/Network ranges. Packets sourced from these networks will be dropped

Column Details

CIDRRange

Display Name:	CIDR Block:
Description:	CIDR Range
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:
Min. Version:	0.3_008

Examples include_defaults.json | test_vs_standard_http_afm.json | test_vs_standard_tcp_afm.json | test_vs_standard_udp_afm.json

Table: feature__easyL4FirewallSourceList¶

A list of CIDR formatted allowed IP/Network ranges. Packets sourced from these networks will be allowed

Column Details

CIDRRange

Display Name:	CIDR Block:
Description:	CIDR Range
Modes:	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type:	string
Default:	0.0.0.0/0
Min. Version:	0.3_008

Examples include_defaults.json | test_vs_standard_http_afm.json | test_vs_standard_tcp_afm.json | test_vs_standard_udp_afm.json

Section: extensions¶

Field: extensions__Field1¶

Display Name	Extensions: Field 1
Description	Extensions: Field 1
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default
Min. Version	0.3_001
Examples	include_defaults.json

Field: extensions__Field2¶

Display Name	Extensions: Field 2
Description	Extensions: Field 2
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default
Min. Version	0.3_001
Examples	include_defaults.json

Field: extensions__Field3¶

Display Name	Extensions: Field 3
Description	Extensions: Field 3
Modes	Standalone, iWorkflow, Cisco APIC, VMware NSX
Type	string
Default
Min. Version	0.3_001
Examples	include_defaults.json

App Services Integration iApp¶

Release Version: 2.1dev(001)_001

Introduction¶

The purpose of this project is to provide an iApp template that can be used to automate and orchestrate Layer 4-7 applications service deployments using F5 Networks BIG-IP/iWorkflow Products. Additionally, this template serves as a common integration point for third party SDN/NFV/Automation/Orchestration products.

Support¶

Please use GitHub Issues to report any bugs or feature requests. This project is Community Supported.

Tested Versions¶

We currently test against the following versions of the F5 BIG-IP TMOS:

11.5.3 HF2 Build: 2.0.196
11.5.4 HF2 Build: 2.0.291
11.6.0 HF8 Build: 8.0.482
11.6.1 HF1 Build: 1.0.326
12.0.0 HF4 Build: 4.0.674
12.1.0 HF2 Build: 2.0.1468
12.1.1 HF1 Build: 1.0.196

Getting Started¶

To get started head over to the User Guide. Advanced users should also read the Reference Guide