LTM policies only works with http profile?
Hi all, Today I found a limit when needed the following config: A tcp-only service on one VS which does listen to any. About 60 tcp-only listener ports which should be load balanced to two backends. We need to monitor each of the tcp-ports of the backends, therefore we need about 60 pools for this. I created the following objects: 1 VS ANY TCP listener 60 pools, one for each tcp listener with two backend members. 1 LTM policy with 60 rules like the following: rule_AQ { actions { 0 { forward select pool /Common/pool_AQ_8137 } } conditions { 0 { tcp port values { 8137 } } } } When I try to add the LTM policy to the VS I get the error: 010716d9:3: Virtual server /Common/AQ-domain.com_any requires a profile of type http for ltm policy /Common/pol_AQ_8137. Since this config would be used as a tcp-only service, I cannot add a http profile to the VS. So are LTM policies only usable for HTTP traffic? Thanks, Peter
Redirect base on source IP Address for Virtual Server - Local Traffic Policy
Is it possible to have a local traffic policy to redirect traffic based on source ip address. Here's what I've setup but I don't get any hits on the policy Policy Name: Redirect-Traffic Strategy: Execute first matching rule Rule1 Rule Name: Match-Server1 Match all of the following conditions: TCP address matches any of 10.1.1.1 at request time (apply to traffic on remote side of external interface Forward traffic to node 10.2.2.1 Rule2 Rule Name: Match-Server1 Match all of the following conditions: TCP address matches any of 10.1.1.2 at request time (apply to traffic on remote side of external interface Forward traffic to node 10.2.2.2 ` I've generated traffic from both sources but the traffic policy never applies to Rule1 Here's an output of show ltm policy in tmsh `----------------------------------------------------- | Rule Action Invoked Succeeded ----------------------------------------------------- | Match-Server1 0 [forward select] 0 0 | Match-Server2 0 [forward select] 118 118 Is the remote side of external interface - the source client IP address (cs-client-addr)?
Configuring LTM policies with request and response conditions
BIG IP VERSION 13.1.0.6 Afternoon. The following LTM policy exists to insert security headers into responses when missing. The LTM policy is attached to a VS which performs virtual hosting using another LTM policy to switch the back-end pools depending on incoming header. A new requirement to remove the X-Content-Type-Options nosniff header for specific sites hosted on this virtual server exists and the LTM policy was adjusted as below to include a request condition against the host isnot header, this however has resulted in unexpected behaviour where-by the header is no longer inserted regardless of whatever site is being requested. Any ideas? Code ltm policy pol-tp-http-header-apply-security-controls-inc-exclusions { description "Edit headers on response to enable security controls" last-modified 2019-01-10:14:09:44 requires { http } rules { rl-tp-header-insert-x-content-type-options { actions { 0 { http-header response insert name X-Content-Type-Options value nosniff } } conditions { 0 { http-host host not values { site1.example.com site2.example.com } } 1 { http-header response name X-Content-Type-Options not values { nosniff } } } description "Insert the x-content-type-options header set to no sniff" ordinal 2 }
LTM Policy with HTTP_REQUEST and HTTP_PROXY_REQUEST
Hello, I try to create ltm Policy Rule to forward traffic to different virtual IP with check http host. BIG IP version: 13.1.08 I created a first Policy with two rules: Policy name: TEST2 First Rule to match HTTP PROXY REQUEST And When attempting to create a second rule to match HTTP REQUEST , the system displays an error message that appears similar to the following example: An error occurred: transaction failed:010716e2:3: Policy '//Drafts/', rule ''; an action precedes its conditions. The same configuration with an irule works. Thank you for your return. Guillaume
URL Rewrite using local traffic policy
I am looking to use a local traffic policy instead of a iRule (if possible). We want to rewrite the URI portion of incoming requests as they are presented to the inside web host. Outside: https://www.domain.com/something/prod/something/something Inside: https://www.domain.com/something/something I see the action when creating a policy to REPLACE a portion of the URI. I set it to match "/prod" and replace "" blank field. I also tried to match "/something/prod" and replace with "/something". Neither option seems to work. Is this the correct way to handle this? What is the best way to see how it is getting rewritten if you do not have direct access to web server? Thanks!Traffic policies and iControl REST - Behavior changes 11.5.3 -> 12.1.2?
Hi, We've been using iControl REST on 11.5.3 to create and modify traffic policies for some time now. Now we are begining to prepare for 12.1.2. Traffic Policies have gone through a improvment in the GUI, including the way published policies are changed and how policies are created (activated/published). My question is: Does the changes have implications for our use of REST iControl API to create/modify traffic policies? Do we have to change the way we are using the API when we move to 12.1.2? Regards Terje Gravvold
