f5xc_cdn_loadbalancer (Resource)
Manages a CDN Load Balancer resource in F5 Distributed Cloud for content delivery and edge caching with load balancing.
~> Note For more information about this resource, please refer to the F5 XC API Documentation.
Example Usage
```terraform
# CDN Loadbalancer Resource Example
# Manages a CDN Load Balancer resource in F5 Distributed Cloud for content delivery and edge caching with load balancing.

terraform {
  required_version = ">= 1.0"

  required_providers {
    f5xc = {
      source  = "f5xc-salesdemos/f5xc"
      version = ">= 0.1.0"
    }
  }
}

# Basic CDN Loadbalancer configuration
resource "f5xc_cdn_loadbalancer" "example" {
  name      = "example-CDN-loadbalancer"
  namespace = "staging"

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }

  annotations = {
    "owner" = "platform-team"
  }

  # CDN Load Balancer configuration
  domains = ["CDN.example.com"]

  # Origin pool
  origin_pool {
    public_name {
      dns_name = "origin.example.com"
    }
    follow_origin_redirect = true
    no_tls {}
  }

  # Cache TTL settings
  cache_ttl_options {
    cache_ttl_default = "1h"
  }

  # HTTP protocol
  https_auto_cert {
    http_redirect = true
  }

  # Add location header
  add_location = true
}
```
Argument Reference
🔶 High Risk Operations — Some operations on this resource have a high danger level. Destructive operations may require confirmation.
~> Dependencies — This resource requires: cdn_origin_pool.
Metadata Argument Reference
• name - Required String
Name of the CDN Load Balancer. Must be unique within the namespace
• namespace - Required String
Namespace where the CDN Load Balancer will be created
• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata
• description - Optional String
Human readable description for the object
• disable - Optional Bool
A value of true will administratively disable the object
• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering
Spec Argument Reference
-> One of the following:
• active_service_policies - Optional Block
Configuration parameter for active service policies
See Active Service Policies below for details.
• no_service_policies - Optional Block
Configuration parameter for no service policies
-> One of the following:
• api_rate_limit - Optional Block
APIRateLimit
See API Rate Limit below for details.
• disable_rate_limit - Optional Block
Configuration parameter for disable rate limit
-> One of the following:
• api_specification - Optional Block
Settings for API specification (API definition, OpenAPI validation, etc.)
-> One of the following:
• app_firewall - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
• blocked_clients - Optional Block
Define rules to block IP Prefixes or AS numbers
• bot_defense - Optional Block
Defines various configuration options for Bot Defense Policy
-> One of the following:
• captcha_challenge - Optional Block
Enables the load balancer to perform a captcha challenge. The captcha challenge is based on Google Recaptcha. With this feature enabled, only clients that pass the captcha challenge will be allowed to complete the HTTP request. When loadbalancer is configured to do Captcha Challenge, it will redirect
• enable_challenge - Optional Block
Configure auto mitigation i.e risk based challenges for malicious users
• js_challenge - Optional Block
Enables the load balancer to perform a client browser compatibility test by redirecting to a page with JavaScript. With this feature enabled, only clients that are capable of executing JavaScript (mostly browsers) will be allowed to complete the HTTP request. When loadbalancer is configured to do
• no_challenge - Optional Block
Configuration parameter for no challenge
-> One of the following:
• client_side_defense - Optional Block
Defines various configuration options for Client-Side Defense Policy
• cors_policy - Optional Block
Cross-Origin Resource Sharing requests configuration specified at Virtual-host or Route level. Route level configuration takes precedence. An example of a cross-origin HTTP request: GET /resources/public-data/ HTTP/1.1 Host: bar.other User-Agent: Mozilla/5.0 (Macintosh; U; Intel macOS X 10.5
• csrf_policy - Optional Block
To mitigate CSRF attacks, the policy checks where a request is coming from to determine if the request’s origin is the same as its destination. The policy relies on two pieces of information used in determining if a request originated from the same host. 1. The origin that caused the user agent to
• custom_cache_rule - Optional Block
Custom Cache Rules. Caching policies for CDN
• data_guard_rules - Optional Block
Data Guard prevents responses from exposing sensitive information by masking the data. The system masks credit card numbers and social security numbers leaked from the application from within the HTTP response with a string of asterisks (*)
• ddos_mitigation_rules - Optional Block
Define manual mitigation rules to block L7 DDOS attacks
• default_cache_action - Optional Block
Default Cache Behaviour. This defines a Default Cache Action
-> One of the following:
• default_sensitive_data_policy - Optional Block
Policy configuration for this feature
• disable_api_definition - Optional Block
Enable this option
-> One of the following:
• disable_api_discovery - Optional Block
Enable this option
• disable_client_side_defense - Optional Block
Enable this option
-> One of the following:
• disable_ip_reputation - Optional Block
Enable this option
-> One of the following:
• disable_malicious_user_detection - Optional Block
Configuration parameter for disable malicious user detection
-> One of the following:
• disable_threat_mesh - Optional Block
Enable this option
• disable_waf - Optional Block
Configuration parameter for disable WAF
• domains - Required List
List of fully qualified domain names. The CDN Distribution will be setup for these FQDN name(s). [This can be a domain or a sub-domain]
• enable_api_discovery - Optional Block
Specifies the settings used for API discovery
• enable_ip_reputation - Optional Block
IP Threat Category List. List of IP threat categories
• enable_malicious_user_detection - Optional Block
Configuration parameter for enable malicious user detection
• enable_threat_mesh - Optional Block
Enable this option
• graphql_rules - Optional Block
GraphQL is a query language and server-side runtime for APIs which provides a complete and understandable description of the data in API. GraphQL gives clients the power to ask for exactly what they need, makes it easier to evolve APIs over time, and enables powerful developer tools. Policy
-> One of the following:
• http - Optional Block
HTTP Choice. Choice for selecting HTTP proxy
• https - Optional Block
Choice for selecting CDN Distribution with bring your own certificates
• https_auto_cert - Optional Block
Choice for selecting HTTPS CDN distribution with bring your own certificates
• jwt_validation - Optional Block
JWT Validation stops JWT replay attacks and JWT tampering by cryptographically verifying incoming JWTs before they are passed to your API origin. JWT Validation will also stop requests with expired tokens or tokens that are not yet valid
-> One of the following:
• l7_ddos_action_block - Optional Block
Enable this option
• l7_ddos_action_default - Optional Block
Enable this option
• l7_ddos_action_js_challenge - Optional Block
Enables the load balancer to perform a client browser compatibility test by redirecting to a page with JavaScript. With this feature enabled, only clients that are capable of executing JavaScript (mostly browsers) will be allowed to complete the HTTP request. When loadbalancer is configured to do
• origin_pool - Optional Block
Configuration parameter for origin pool
• other_settings - Optional Block
Configuration parameter for other settings
• policy_based_challenge - Optional Block
Specifies the settings for policy rule based challenge
• protected_cookies - Optional Block
Allows setting attributes (SameSite, Secure, and HttpOnly) on cookies in responses. Cookie Tampering Protection prevents attackers from modifying the value of session cookies. For Cookie Tampering Protection, enabling a web app firewall (WAF) is a prerequisite
• rate_limit - Optional Block
RateLimitConfigType
• sensitive_data_policy - Optional Block
Policy configuration for this feature
• service_policies_from_namespace - Optional Block
Enable this option
-> One of the following:
• slow_ddos_mitigation - Optional Block
'Slow and low' attacks tie up server resources, leaving none available for servicing requests from actual users
• system_default_timeouts - Optional Block
Configuration parameter for system default timeouts
• timeouts - Optional Block
• trusted_clients - Optional Block
Define rules to skip processing of one or more features such as WAF, Bot Defense etc
-> One of the following:
• user_id_client_ip - Optional Block
Enable this option
• user_identification - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
• waf_exclusion - Optional Block
Configuration parameter for WAF exclusion
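A pre-apply check over `terraform show -json` plan output, added here as an example and not part of the provider's documentation: it flags `f5xc_cdn_loadbalancer` resources whose planned configuration selects the protection-disabling arguments listed above, or the `no_tls` origin setting used in Example Usage. The plan document is constructed, the finding texts are this example's own reading of the argument names, and accepting nested blocks as either lists or objects is an assumption about how the provider encodes them.

```python
import json

RESOURCE_TYPE = "f5xc_cdn_loadbalancer"

# Argument names come from the Spec Argument Reference on this page.
# The explanations are this example's reading of those names (an assumption),
# not text produced by the provider.
WEAKENING_BLOCKS = {
    "http": "distribution is served over plain HTTP",
    "disable_waf": "WAF is disabled",
    "disable_rate_limit": "rate limiting is disabled",
    "no_challenge": "no captcha, JS or policy-based challenge",
    "no_service_policies": "no service policies are applied",
    "disable_ip_reputation": "IP reputation is disabled",
    "disable_malicious_user_detection": "malicious user detection is disabled",
    "disable_threat_mesh": "threat mesh is disabled",
    "disable_client_side_defense": "client-side defense is disabled",
}


def block_set(value):
    """A nested block counts as set when the plan holds an object or a
    non-empty list for it (both encodings are accepted; assumption)."""
    if isinstance(value, dict):
        return True
    if isinstance(value, list):
        return len(value) > 0
    return False


def first_block(value):
    """Return the block body as a dict, whichever encoding the plan uses."""
    if isinstance(value, dict):
        return value
    if isinstance(value, list) and value and isinstance(value[0], dict):
        return value[0]
    return None


def audit_plan(plan):
    """Return (address, argument, reason) tuples for every planned
    f5xc_cdn_loadbalancer that selects a protection-weakening option."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        after = (rc.get("change") or {}).get("after")
        if after is None:  # resource is being destroyed, nothing to audit
            continue
        addr = rc.get("address", "<unknown>")
        for arg, reason in WEAKENING_BLOCKS.items():
            if block_set(after.get(arg)):
                findings.append((addr, arg, reason))
        # Neither a WAF reference nor an explicit opt-out: report the gap.
        if not block_set(after.get("app_firewall")) and not block_set(after.get("disable_waf")):
            findings.append((addr, "app_firewall", "no app_firewall reference in this configuration"))
        origin = first_block(after.get("origin_pool"))
        if origin is not None and block_set(origin.get("no_tls")):
            findings.append((addr, "origin_pool.no_tls", "origin is fetched without TLS"))
    return findings


# Constructed sample plan. The first resource mirrors Example Usage above;
# the other two are hypothetical.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "f5xc_cdn_loadbalancer.example", "type": "f5xc_cdn_loadbalancer",
     "change": {"actions": ["create"], "after": {
       "name": "example-CDN-loadbalancer", "namespace": "staging",
       "domains": ["CDN.example.com"],
       "origin_pool": [{"follow_origin_redirect": true, "no_tls": [{}]}],
       "https_auto_cert": [{"http_redirect": true}],
       "disable_waf": [], "http": []}}},
    {"address": "f5xc_cdn_loadbalancer.legacy", "type": "f5xc_cdn_loadbalancer",
     "change": {"actions": ["update"], "after": {
       "name": "legacy", "namespace": "staging",
       "domains": ["legacy.example.com"],
       "http": {}, "disable_waf": {}, "disable_rate_limit": {},
       "app_firewall": null, "origin_pool": {"no_tls": null}}}},
    {"address": "f5xc_cdn_loadbalancer.retired", "type": "f5xc_cdn_loadbalancer",
     "change": {"actions": ["delete"], "after": null}}
  ]
}
""")

if __name__ == "__main__":
    for address, argument, reason in audit_plan(SAMPLE_PLAN):
        print(f"{address}: {argument}: {reason}")
```
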
Attributes Reference
In addition to all arguments above, the following attributes are exported:
• id - Optional String
Unique identifier for the resource
Active Service Policies
An active_service_policies block supports the following:
• policies - Optional Block
Service Policies is a sequential engine where policies (and rules within the policy) are evaluated one after the other. It’s important to define the correct order (policies evaluated from top to bottom in the list) for service policies, to get the intended result. For each request, its
See Policies below.
Active Service Policies Policies
A policies block (within active_service_policies) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
API Rate Limit
An api_rate_limit block supports the following:
• api_endpoint_rules - Optional Block
Sets of rules for specific endpoints. Order matters because a first-match policy is used. To create a rule that covers a whole domain or a group of endpoints, use the server URL rules above
See API Endpoint Rules below.
• bypass_rate_limiting_rules - Optional Block
Category defines rules per URL or API group. If a request matches any of these rules, rate limiting is skipped
See Bypass Rate Limiting Rules below.
• custom_ip_allowed_list - Optional Block
IP Allowed list using existing ip_prefix_set objects
See Custom IP Allowed List below.
• ip_allowed_list - Optional Block
List of IPv4 prefixes that represent an endpoint
See IP Allowed List below.
• no_ip_allowed_list - Optional Block
Enable this option
• server_url_rules - Optional Block
Set of rules for an entire domain or base path that contains multiple endpoints. Order matters because a first-match policy is used. To also match specific endpoints, use the API endpoint rules set below
See Server URL Rules below.
API Rate Limit API Endpoint Rules
An api_endpoint_rules block (within api_rate_limit) supports the following:
• any_domain - Optional Block
Enable this option
• api_endpoint_method - Optional Block
HTTP method matcher specifies a list of methods to match an input HTTP method. The match is considered successful if the input method is a member of the list. The result of the match based on the method list is inverted if invert_matcher is true
See API Endpoint Method below.
• api_endpoint_path - Optional String
The endpoint (path) of the request
• client_matcher - Optional Block
Client Matcher. Client conditions for matching a rule
See Client Matcher below.
• inline_rate_limiter - Optional Block
Configuration parameter for inline rate limiter
See Inline Rate Limiter below.
• ref_rate_limiter - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Ref Rate Limiter below.
• request_matcher - Optional Block
Configuration parameter for request matcher
See Request Matcher below.
• specific_domain - Optional String
The rule will apply for a specific domain
API Rate Limit API Endpoint Rules API Endpoint Method
Deeply nested Method block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher Asn List
Deeply nested List block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher Asn Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher Asn Matcher Asn Sets
Deeply nested Sets block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher Client Selector
Deeply nested Selector block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher IP Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher IP Matcher Prefix Sets
Deeply nested Sets block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher IP Prefix List
Deeply nested List block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher IP Threat Category List
Deeply nested List block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher TLS Fingerprint Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit API Endpoint Rules Inline Rate Limiter
Deeply nested Limiter block collapsed for readability.
API Rate Limit API Endpoint Rules Inline Rate Limiter Ref User ID
Deeply nested ID block collapsed for readability.
API Rate Limit API Endpoint Rules Ref Rate Limiter
Deeply nested Limiter block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher Cookie Matchers
Deeply nested Matchers block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher Cookie Matchers Item
Deeply nested Item block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher Headers
Deeply nested Headers block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher Headers Item
Deeply nested Item block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher JWT Claims
Deeply nested Claims block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher JWT Claims Item
Deeply nested Item block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher Query Params
Deeply nested Params block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher Query Params Item
Deeply nested Item block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules
A bypass_rate_limiting_rules block (within api_rate_limit) supports the following:
• bypass_rate_limiting_rules - Optional Block
Category defines rules per URL or API group. If a request matches any of these rules, rate limiting is skipped
See Bypass Rate Limiting Rules below.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules
Deeply nested Rules block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules API Endpoint
Deeply nested Endpoint block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules API Groups
Deeply nested Groups block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher Asn List
Deeply nested List block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher Asn Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher Asn Matcher Asn Sets
Deeply nested Sets block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher Client Selector
Deeply nested Selector block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher IP Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher IP Matcher Prefix Sets
Deeply nested Sets block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher IP Prefix List
Deeply nested List block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher IP Threat Category List
Deeply nested List block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher TLS Fingerprint Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher Cookie Matchers
Deeply nested Matchers block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher Cookie Matchers Item
Deeply nested Item block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher Headers
Deeply nested Headers block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher Headers Item
Deeply nested Item block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher JWT Claims
Deeply nested Claims block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher JWT Claims Item
Deeply nested Item block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher Query Params
Deeply nested Params block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher Query Params Item
Deeply nested Item block collapsed for readability.
API Rate Limit Custom IP Allowed List
A custom_ip_allowed_list block (within api_rate_limit) supports the following:
• rate_limiter_allowed_prefixes - Optional Block
References to ip_prefix_set objects. Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting
See Rate Limiter Allowed Prefixes below.
API Rate Limit Custom IP Allowed List Rate Limiter Allowed Prefixes
Deeply nested Prefixes block collapsed for readability.
API Rate Limit IP Allowed List
An ip_allowed_list block (within api_rate_limit) supports the following:
• prefixes - Optional List
List of IPv4 prefixes that represent an endpoint
API Rate Limit Server URL Rules
A server_url_rules block (within api_rate_limit) supports the following:
• any_domain - Optional Block
Enable this option
• api_group - Optional String
API groups derived from API Definition swaggers. For example oas-all-operations including all paths and methods from the swaggers, oas-base-URLs covering all requests under base-paths from the swaggers. Custom groups can be created if user tags paths or operations with ‘x-F5 Distributed
• base_path - Optional String
Prefix of the request path
• client_matcher - Optional Block
Client Matcher. Client conditions for matching a rule
See Client Matcher below.
• inline_rate_limiter - Optional Block
Configuration parameter for inline rate limiter
See Inline Rate Limiter below.
• ref_rate_limiter - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Ref Rate Limiter below.
• request_matcher - Optional Block
Configuration parameter for request matcher
See Request Matcher below.
• specific_domain - Optional String
The rule will apply for a specific domain
API Rate Limit Server URL Rules Client Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher Asn List
Deeply nested List block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher Asn Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher Asn Matcher Asn Sets
Deeply nested Sets block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher Client Selector
Deeply nested Selector block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher IP Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher IP Matcher Prefix Sets
Deeply nested Sets block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher IP Prefix List
Deeply nested List block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher IP Threat Category List
Deeply nested List block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher TLS Fingerprint Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Server URL Rules Inline Rate Limiter
Deeply nested Limiter block collapsed for readability.
API Rate Limit Server URL Rules Inline Rate Limiter Ref User ID
Deeply nested ID block collapsed for readability.
API Rate Limit Server URL Rules Ref Rate Limiter
Deeply nested Limiter block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher Cookie Matchers
Deeply nested Matchers block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher Cookie Matchers Item
Deeply nested Item block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher Headers
Deeply nested Headers block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher Headers Item
Deeply nested Item block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher JWT Claims
Deeply nested Claims block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher JWT Claims Item
Deeply nested Item block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher Query Params
Deeply nested Params block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher Query Params Item
Deeply nested Item block collapsed for readability.
API Specification
An api_specification block supports the following:
• api_definition - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See API Definition below.
• validation_all_spec_endpoints - Optional Block
API Inventory. Settings for API Inventory validation
See Validation All Spec Endpoints below.
• validation_custom_list - Optional Block
Define API groups, base paths, or API endpoints and their OpenAPI validation modes. Any other API-endpoint not listed will act according to ‘Fall Through Mode’
See Validation Custom List below.
• validation_disabled - Optional Block
Enable this option
API Specification API Definition
An api_definition block (within api_specification) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
API Specification Validation All Spec Endpoints
A validation_all_spec_endpoints block (within api_specification) supports the following:
• fall_through_mode - Optional Block
Determine what to do with unprotected endpoints (not in the OpenAPI specification file (a.k.a. Swagger) or doesn’t have a specific rule in custom rules)
See Fall Through Mode below.
• settings - Optional Block
OpenAPI specification validation settings relevant for ‘API Inventory’ enforcement and for ‘Custom list’ enforcement
See Settings below.
• validation_mode - Optional Block
Validation mode of OpenAPI specification. When a validation mismatch occurs on a request to one of the endpoints listed on the OpenAPI specification file (a.k.a. Swagger)
See Validation Mode below.
API Specification Validation All Spec Endpoints Fall Through Mode
Deeply nested Mode block collapsed for readability.
API Specification Validation All Spec Endpoints Fall Through Mode Fall Through Mode Custom
Deeply nested Custom block collapsed for readability.
API Specification Validation All Spec Endpoints Fall Through Mode Fall Through Mode Custom Open API Validation Rules
Deeply nested Rules block collapsed for readability.
API Specification Validation All Spec Endpoints Fall Through Mode Fall Through Mode Custom Open API Validation Rules API Endpoint
Deeply nested Endpoint block collapsed for readability.
API Specification Validation All Spec Endpoints Fall Through Mode Fall Through Mode Custom Open API Validation Rules Metadata
Deeply nested Metadata block collapsed for readability.
API Specification Validation All Spec Endpoints Settings
A settings block (within api_specification.validation_all_spec_endpoints) supports the following:
• oversized_body_fail_validation - Optional Block
Enable this option
• oversized_body_skip_validation - Optional Block
Enable this option
• property_validation_settings_custom - Optional Block
Configuration parameter for property validation settings custom
See Property Validation Settings Custom below.
• property_validation_settings_default - Optional Block
Configuration parameter for property validation settings default
API Specification Validation All Spec Endpoints Settings Property Validation Settings Custom
Deeply nested Custom block collapsed for readability.
API Specification Validation All Spec Endpoints Settings Property Validation Settings Custom Query Parameters
Deeply nested Parameters block collapsed for readability.
API Specification Validation All Spec Endpoints Validation Mode
Deeply nested Mode block collapsed for readability.
API Specification Validation All Spec Endpoints Validation Mode Response Validation Mode Active
Deeply nested Active block collapsed for readability.
API Specification Validation All Spec Endpoints Validation Mode Validation Mode Active
Deeply nested Active block collapsed for readability.
API Specification Validation Custom List
A validation_custom_list block (within api_specification) supports the following:
• fall_through_mode - Optional Block
Determine what to do with unprotected endpoints (endpoints that are not in the OpenAPI specification file (a.k.a. Swagger) or that don’t have a specific rule in custom rules)
See Fall Through Mode below.
• open_api_validation_rules - Optional Block
Validation List
See Open API Validation Rules below.
• settings - Optional Block
OpenAPI specification validation settings relevant for ‘API Inventory’ enforcement and for ‘Custom list’ enforcement
See Settings below.
API Specification Validation Custom List Fall Through Mode
Deeply nested Mode block collapsed for readability.
API Specification Validation Custom List Fall Through Mode Fall Through Mode Custom
Deeply nested Custom block collapsed for readability.
API Specification Validation Custom List Fall Through Mode Fall Through Mode Custom Open API Validation Rules
Deeply nested Rules block collapsed for readability.
API Specification Validation Custom List Fall Through Mode Fall Through Mode Custom Open API Validation Rules API Endpoint
Deeply nested Endpoint block collapsed for readability.
API Specification Validation Custom List Fall Through Mode Fall Through Mode Custom Open API Validation Rules Metadata
Deeply nested Metadata block collapsed for readability.
API Specification Validation Custom List Open API Validation Rules
Deeply nested Rules block collapsed for readability.
API Specification Validation Custom List Open API Validation Rules API Endpoint
Deeply nested Endpoint block collapsed for readability.
API Specification Validation Custom List Open API Validation Rules Metadata
Deeply nested Metadata block collapsed for readability.
API Specification Validation Custom List Open API Validation Rules Validation Mode
Deeply nested Mode block collapsed for readability.
API Specification Validation Custom List Open API Validation Rules Validation Mode Response Validation Mode Active
Deeply nested Active block collapsed for readability.
API Specification Validation Custom List Open API Validation Rules Validation Mode Validation Mode Active
Deeply nested Active block collapsed for readability.
API Specification Validation Custom List Settings
A settings block (within api_specification.validation_custom_list) supports the following:
• oversized_body_fail_validation - Optional Block
Enable this option
• oversized_body_skip_validation - Optional Block
Enable this option
• property_validation_settings_custom - Optional Block
Configuration parameter for property validation settings custom
See Property Validation Settings Custom below.
• property_validation_settings_default - Optional Block
Configuration parameter for property validation settings default
API Specification Validation Custom List Settings Property Validation Settings Custom
Deeply nested Custom block collapsed for readability.
API Specification Validation Custom List Settings Property Validation Settings Custom Query Parameters
Deeply nested Parameters block collapsed for readability.
App Firewall
An app_firewall block supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Blocked Clients
A blocked_clients block supports the following:
• actions - Optional List Defaults to SKIP_PROCESSING_WAF
Possible values are SKIP_PROCESSING_WAF, SKIP_PROCESSING_BOT, SKIP_PROCESSING_MUM, SKIP_PROCESSING_IP_REPUTATION, SKIP_PROCESSING_API_PROTECTION, SKIP_PROCESSING_OAS_VALIDATION, SKIP_PROCESSING_DDOS_PROTECTION, SKIP_PROCESSING_THREAT_MESH, SKIP_PROCESSING_MALWARE_PROTECTION
[Enum: SKIP_PROCESSING_WAF|SKIP_PROCESSING_BOT|SKIP_PROCESSING_MUM|SKIP_PROCESSING_IP_REPUTATION|SKIP_PROCESSING_API_PROTECTION|SKIP_PROCESSING_OAS_VALIDATION|SKIP_PROCESSING_DDOS_PROTECTION|SKIP_PROCESSING_THREAT_MESH|SKIP_PROCESSING_MALWARE_PROTECTION] Actions that should be taken when client identifier matches the rule
• as_number - Optional Number
RFC 6793 defined 4-byte AS number
• bot_skip_processing - Optional Block
Enable this option
• expiration_timestamp - Optional String
Specifies the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is no longer applied
• http_header - Optional Block
Configuration parameter for HTTP header
See HTTP Header below.
• ip_prefix - Optional String
IPv4 prefix string
• ipv6_prefix - Optional String
IPv6 prefix string
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• skip_processing - Optional Block
Enable this option
• user_identifier - Optional String
Identify user based on user identifier. User identifier value needs to be copied from security event
• waf_skip_processing - Optional Block
Enable this option
Blocked Clients HTTP Header
A http_header block (within blocked_clients) supports the following:
• headers - Optional Block
List of HTTP header name and value pairs
See Headers below.
Blocked Clients HTTP Header Headers
A headers block (within blocked_clients.http_header) supports the following:
• exact - Optional String
Header value to match exactly
• invert_match - Optional Bool
Invert the result of the match to detect missing header or non-matching value
• name - Optional String
Name. Name of the header
• presence - Optional Bool
If true, check for presence of header
• regex - Optional String
Regex match of the header value in re2 format
Blocked Clients Metadata
A metadata block (within blocked_clients) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
Bot Defense
A bot_defense block supports the following:
• disable_cors_support - Optional Block
Enable this option
• enable_cors_support - Optional Block
Enable this option
• policy - Optional Block
Defines various configuration options for Bot Defense policy
See Policy below.
• regional_endpoint - Optional String Defaults to AUTO
Possible values are AUTO, US, EU, ASIA
[Enum: AUTO|US|EU|ASIA] Defines a selection for Bot Defense region. AUTO: automatic selection based on client IP address. US: US region. EU: European Union region. ASIA: Asia region
• timeout - Optional Number
The timeout for the inference check, in milliseconds
Bot Defense Policy
A policy block (within bot_defense) supports the following:
• disable_js_insert - Optional Block
Configuration parameter for disable js insert
• disable_mobile_sdk - Optional Block
Enable this option
• JavaScript_mode - Optional String Defaults to ASYNC_JS_NO_CACHING
Possible values are ASYNC_JS_NO_CACHING, ASYNC_JS_CACHING, SYNC_JS_NO_CACHING, SYNC_JS_CACHING
[Enum: ASYNC_JS_NO_CACHING|ASYNC_JS_CACHING|SYNC_JS_NO_CACHING|SYNC_JS_CACHING] Web Client JavaScript Mode. Bot Defense JavaScript for telemetry collection is requested asynchronously, and it is non-cacheable. Bot Defense JavaScript for telemetry collection is requested asynchronously, and it is cacheable. Bot Defense JavaScript for telemetry collection is requested
• js_download_path - Optional String
Customize Bot Defense Client JavaScript path. If not specified, default
• js_insert_all_pages - Optional Block
Insert Bot Defense JavaScript in all pages
See Js Insert All Pages below.
• js_insert_all_pages_except - Optional Block
Insert Bot Defense JavaScript in all pages with the exceptions
See Js Insert All Pages Except below.
• js_insertion_rules - Optional Block
Defines custom JavaScript insertion rules for Bot Defense Policy
See Js Insertion Rules below.
• mobile_sdk_config - Optional Block
Mobile SDK Configuration. Mobile SDK configuration
See Mobile SDK Config below.
• protected_app_endpoints - Optional Block
List of protected endpoints. Limit: Approx ‘128 endpoints per Load Balancer (LB)’ up to 4 LBs, ‘32 endpoints per LB’ after 4 LBs
See Protected App Endpoints below.
Bot Defense Policy Js Insert All Pages
A js_insert_all_pages block (within bot_defense.policy) supports the following:
• JavaScript_location - Optional String Defaults to AFTER_HEAD
Possible values are AFTER_HEAD, AFTER_TITLE_END, BEFORE_SCRIPT
[Enum: AFTER_HEAD|AFTER_TITLE_END|BEFORE_SCRIPT] All inside networks. Insert JavaScript after <HEAD> tag. Insert JavaScript after </title> tag. Insert JavaScript before first <script> tag
Bot Defense Policy Js Insert All Pages Except
Deeply nested Except block collapsed for readability.
Bot Defense Policy Js Insert All Pages Except Exclude List
Deeply nested List block collapsed for readability.
Bot Defense Policy Js Insert All Pages Except Exclude List Domain
Deeply nested Domain block collapsed for readability.
Bot Defense Policy Js Insert All Pages Except Exclude List Metadata
Deeply nested Metadata block collapsed for readability.
Bot Defense Policy Js Insert All Pages Except Exclude List Path
Deeply nested Path block collapsed for readability.
Bot Defense Policy Js Insertion Rules
A js_insertion_rules block (within bot_defense.policy) supports the following:
• exclude_list - Optional Block
Optional JavaScript insertions exclude list of domain and path matchers
See Exclude List below.
• rules - Optional Block
Required list of pages to insert Bot Defense client JavaScript
See Rules below.
Bot Defense Policy Js Insertion Rules Exclude List
Deeply nested List block collapsed for readability.
Bot Defense Policy Js Insertion Rules Exclude List Domain
Deeply nested Domain block collapsed for readability.
Bot Defense Policy Js Insertion Rules Exclude List Metadata
Deeply nested Metadata block collapsed for readability.
Bot Defense Policy Js Insertion Rules Exclude List Path
Deeply nested Path block collapsed for readability.
Bot Defense Policy Js Insertion Rules Rules
A rules block (within bot_defense.policy.js_insertion_rules) supports the following:
• any_domain - Optional Block
Enable this option
• domain - Optional Block
Domain name for routing and identification
See Domain below.
• JavaScript_location - Optional String Defaults to AFTER_HEAD
Possible values are AFTER_HEAD, AFTER_TITLE_END, BEFORE_SCRIPT
[Enum: AFTER_HEAD|AFTER_TITLE_END|BEFORE_SCRIPT] All inside networks. Insert JavaScript after <HEAD> tag. Insert JavaScript after </title> tag. Insert JavaScript before first <script> tag
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• path - Optional Block
Path match of the URI can be a prefix match, an exact match, or a regular expression match
See Path below.
Bot Defense Policy Js Insertion Rules Rules Domain
Deeply nested Domain block collapsed for readability.
Bot Defense Policy Js Insertion Rules Rules Metadata
Deeply nested Metadata block collapsed for readability.
Bot Defense Policy Js Insertion Rules Rules Path
Deeply nested Path block collapsed for readability.
Bot Defense Policy Mobile SDK Config
A mobile_sdk_config block (within bot_defense.policy) supports the following:
• mobile_identifier - Optional Block
Mobile Traffic Identifier. Mobile traffic identifier type
See Mobile Identifier below.
Bot Defense Policy Mobile SDK Config Mobile Identifier
Deeply nested Identifier block collapsed for readability.
Bot Defense Policy Mobile SDK Config Mobile Identifier Headers
Deeply nested Headers block collapsed for readability.
Bot Defense Policy Mobile SDK Config Mobile Identifier Headers Item
Deeply nested Item block collapsed for readability.
Bot Defense Policy Protected App Endpoints
A protected_app_endpoints block (within bot_defense.policy) supports the following:
• allow_good_bots - Optional Block
Configuration parameter for allow good bots
• any_domain - Optional Block
Enable this option
• domain - Optional Block
Domain name for routing and identification
See Domain below.
• flow_label - Optional Block
Bot Defense Flow Label Category allows traffic to be associated with a selected category
See Flow Label below.
• headers - Optional Block
List of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type
See Headers below.
• http_methods - Optional List Defaults to METHOD_ANY
Possible values are METHOD_ANY, METHOD_GET, METHOD_POST, METHOD_PUT, METHOD_PATCH, METHOD_DELETE, METHOD_GET_DOCUMENT
[Enum: METHOD_ANY|METHOD_GET|METHOD_POST|METHOD_PUT|METHOD_PATCH|METHOD_DELETE|METHOD_GET_DOCUMENT] HTTP Methods. List of HTTP methods
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• mitigate_good_bots - Optional Block
Configuration parameter for mitigate good bots
• mitigation - Optional Block
Modify Bot Defense behavior for a matching request
See Mitigation below.
• mobile - Optional Block
Enable this option
• path - Optional Block
Path match of the URI can be a prefix match, an exact match, or a regular expression match
See Path below.
• protocol - Optional String Defaults to BOTH
Possible values are BOTH, HTTP, HTTPS
[Enum: BOTH|HTTP|HTTPS] SchemeType is used to indicate URL scheme. BOTH: URL scheme for HTTPS:// or HTTP://. HTTP: URL scheme HTTP:// only. HTTPS: URL scheme HTTPS:// only
• query_params - Optional Block
List of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query
See Query Params below.
• undefined_flow_label - Optional Block
Enable this option
• web - Optional Block
Enable this option
• web_mobile - Optional Block
Web and Mobile traffic type. Web and Mobile traffic type
See Web Mobile below.
Bot Defense Policy Protected App Endpoints Domain
A domain block (within bot_defense.policy.protected_app_endpoints) supports the following:
• exact_value - Optional String
Exact domain name
• regex_value - Optional String
Regular Expression value for the domain name
• suffix_value - Optional String
Suffix of domain name, e.g. ‘xyz.com’ will match ‘*.xyz.com’ and ‘xyz.com’
Bot Defense Policy Protected App Endpoints Flow Label
Deeply nested Label block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Account Management
Deeply nested Management block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Authentication
Deeply nested Authentication block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Authentication Login
Deeply nested Login block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Authentication Login Transaction Result
Deeply nested Result block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Authentication Login Transaction Result Failure Conditions
Deeply nested Conditions block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Authentication Login Transaction Result Success Conditions
Deeply nested Conditions block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Financial Services
Deeply nested Services block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Flight
Deeply nested Flight block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Profile Management
Deeply nested Management block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Search
Deeply nested Search block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Shopping Gift Cards
Deeply nested Cards block collapsed for readability.
Bot Defense Policy Protected App Endpoints Headers
A headers block (within bot_defense.policy.protected_app_endpoints) supports the following:
• check_not_present - Optional Block
Configuration parameter for check not present
• check_present - Optional Block
Configuration parameter for check present
• invert_matcher - Optional Bool
Invert Header Matcher. Invert the match result
• item - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Item below.
• name - Optional String
Case-insensitive HTTP header name
Bot Defense Policy Protected App Endpoints Headers Item
Deeply nested Item block collapsed for readability.
Bot Defense Policy Protected App Endpoints Metadata
A metadata block (within bot_defense.policy.protected_app_endpoints) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
Bot Defense Policy Protected App Endpoints Mitigation
A mitigation block (within bot_defense.policy.protected_app_endpoints) supports the following:
• block - Optional Block
Block request and respond with custom content
See Block below.
• flag - Optional Block
Select Flag Bot Mitigation Action. Flag mitigation action
See Flag below.
• redirect - Optional Block
Redirect bot mitigation. Redirect request to a custom URI
See Redirect below.
Bot Defense Policy Protected App Endpoints Mitigation Block
Deeply nested Block block collapsed for readability.
Bot Defense Policy Protected App Endpoints Mitigation Flag
Deeply nested Flag block collapsed for readability.
Bot Defense Policy Protected App Endpoints Mitigation Flag Append Headers
Deeply nested Headers block collapsed for readability.
Bot Defense Policy Protected App Endpoints Mitigation Redirect
Deeply nested Redirect block collapsed for readability.
Bot Defense Policy Protected App Endpoints Path
A path block (within bot_defense.policy.protected_app_endpoints) supports the following:
• path - Optional String
Exact path value to match
• prefix - Optional String
Path prefix to match (e.g. the value / will match on all paths)
• regex - Optional String
Regular expression of path match (e.g. the value .* will match on all paths)
Bot Defense Policy Protected App Endpoints Query Params
Deeply nested Params block collapsed for readability.
Bot Defense Policy Protected App Endpoints Query Params Item
Deeply nested Item block collapsed for readability.
Bot Defense Policy Protected App Endpoints Web Mobile
Deeply nested Mobile block collapsed for readability.
Captcha Challenge
A captcha_challenge block supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the load balancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
Client-Side Defense
A client_side_defense block supports the following:
• policy - Optional Block
Defines various configuration options for Client-Side Defense policy
See Policy below.
Client-Side Defense Policy
A policy block (within client_side_defense) supports the following:
• disable_js_insert - Optional Block
Configuration parameter for disable js insert
• js_insert_all_pages - Optional Block
Configuration parameter for js insert all pages
• js_insert_all_pages_except - Optional Block
Insert Client-Side Defense JavaScript in all pages with the exceptions
See Js Insert All Pages Except below.
• js_insertion_rules - Optional Block
Defines custom JavaScript insertion rules for Client-Side Defense Policy
See Js Insertion Rules below.
Client-Side Defense Policy Js Insert All Pages Except
Deeply nested Except block collapsed for readability.
Client-Side Defense Policy Js Insert All Pages Except Exclude List
Deeply nested List block collapsed for readability.
Client-Side Defense Policy Js Insert All Pages Except Exclude List Domain
Deeply nested Domain block collapsed for readability.
Client-Side Defense Policy Js Insert All Pages Except Exclude List Metadata
Deeply nested Metadata block collapsed for readability.
Client-Side Defense Policy Js Insert All Pages Except Exclude List Path
Deeply nested Path block collapsed for readability.
Client-Side Defense Policy Js Insertion Rules
A js_insertion_rules block (within client_side_defense.policy) supports the following:
• exclude_list - Optional Block
Optional JavaScript insertions exclude list of domain and path matchers
See Exclude List below.
• rules - Optional Block
Required list of pages to insert Client-Side Defense client JavaScript
See Rules below.
Client-Side Defense Policy Js Insertion Rules Exclude List
Deeply nested List block collapsed for readability.
Client-Side Defense Policy Js Insertion Rules Exclude List Domain
Deeply nested Domain block collapsed for readability.
Client-Side Defense Policy Js Insertion Rules Exclude List Metadata
Deeply nested Metadata block collapsed for readability.
Client-Side Defense Policy Js Insertion Rules Exclude List Path
Deeply nested Path block collapsed for readability.
Client-Side Defense Policy Js Insertion Rules Rules
Deeply nested Rules block collapsed for readability.
Client-Side Defense Policy Js Insertion Rules Rules Domain
Deeply nested Domain block collapsed for readability.
Client-Side Defense Policy Js Insertion Rules Rules Metadata
Deeply nested Metadata block collapsed for readability.
Client-Side Defense Policy Js Insertion Rules Rules Path
Deeply nested Path block collapsed for readability.
CORS Policy
A cors_policy block supports the following:
• allow_credentials - Optional Bool
Specifies whether the resource allows credentials
• allow_headers - Optional String
Specifies the content for the access-control-allow-headers header
• allow_methods - Optional String
Specifies the content for the access-control-allow-methods header
• allow_origin - Optional List
Specifies the origins that will be allowed to do CORS requests. An origin is allowed if either allow_origin or allow_origin_regex match
• allow_origin_regex - Optional List
Specifies regex patterns that match allowed origins. An origin is allowed if either allow_origin or allow_origin_regex match
• disabled - Optional Bool
Disable the CorsPolicy for a particular route. This is useful when virtual-host has CorsPolicy, but we need to disable it on a specific route. The value of this field is ignored for virtual-host
• expose_headers - Optional String
Specifies the content for the access-control-expose-headers header
• maximum_age - Optional Number
Specifies the content for the access-control-max-age header in seconds. This indicates the maximum number of seconds the results can be cached. A value of -1 will disable caching. Maximum permitted value is 86400 seconds (24 hours)
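The following is an added example, not part of the provider's own documentation, contrasting a permissive cors_policy with a restrictive one using only the arguments listed above. The origins, header names and limits are constructed sample values, and the form in which the platform expects origin values (with or without scheme) is an assumption to check against the F5 XC API documentation.

```hcl
# Goes inside: resource "f5xc_cdn_loadbalancer" "example" { ... }

# Weak (shown commented out): the regex matches every Origin value while
# credentials are allowed, so the policy no longer restricts which sites
# may make credentialed cross-origin requests.
#
# cors_policy {
#   allow_origin_regex = [".*"]
#   allow_credentials  = true
#   allow_methods      = "GET, POST, PUT, DELETE"
#   allow_headers      = "*"
# }

# Restrictive: explicit origins, a tight regex, minimal methods and headers.
cors_policy {
  # Exact origins; constructed sample value.
  allow_origin = ["https://app.example.com"]

  # An origin is allowed if either allow_origin or allow_origin_regex
  # matches, so the regex must be as tight as the exact list. Anchors and
  # escaped dots keep look-alike hosts such as
  # "https://app.example.com.other.test" from matching.
  allow_origin_regex = ["^https://[a-z0-9-]+\\.apps\\.example\\.com$"]

  allow_credentials = true
  allow_methods     = "GET, POST"
  allow_headers     = "Authorization, Content-Type"
  expose_headers    = "X-Request-Id"

  # Preflight cache lifetime in seconds; 86400 is the documented maximum
  # and -1 disables caching.
  maximum_age = 600
}
```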
CSRF Policy
A csrf_policy block supports the following:
• all_load_balancer_domains - Optional Block
Configuration parameter for all load balancer domains
• custom_domain_list - Optional Block
List of domain names used for Host header matching
See Custom Domain List below.
• disabled - Optional Block
Enable this option
CSRF Policy Custom Domain List
A custom_domain_list block (within csrf_policy) supports the following:
• domains - Optional List
List of domain names that will be matched to loadbalancer. These domains are not used for SNI match. Wildcard names are supported in the suffix or prefix form
Custom Cache Rule
A custom_cache_rule block supports the following:
• cdn_cache_rules - Optional Block
Reference to CDN Cache Rule configuration object
See CDN Cache Rules below.
Custom Cache Rule CDN Cache Rules
A cdn_cache_rules block (within custom_cache_rule) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Data Guard Rules
A data_guard_rules block supports the following:
• any_domain - Optional Block
Enable this option
• apply_data_guard - Optional Block
Enable this option
• exact_value - Optional String
Exact domain name
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• path - Optional Block
Path match of the URI can be a prefix match, an exact match, or a regular expression match
See Path below.
• skip_data_guard - Optional Block
Enable this option
• suffix_value - Optional String
Suffix of domain name, e.g. ‘xyz.com’ will match ‘*.xyz.com’ and ‘xyz.com’
Data Guard Rules Metadata
A metadata block (within data_guard_rules) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
Data Guard Rules Path
A path block (within data_guard_rules) supports the following:
• path - Optional String
Exact path value to match
• prefix - Optional String
Path prefix to match (e.g. the value / will match on all paths)
• regex - Optional String
Regular expression of path match (e.g. the value .* will match on all paths)
DDOS Mitigation Rules
A ddos_mitigation_rules block supports the following:
• block - Optional Block
Enable this option
• ddos_client_source - Optional Block
DDOS Client Source Choice. DDOS Mitigation sources to be blocked
See DDOS Client Source below.
• expiration_timestamp - Optional String
The RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is no longer applied
• ip_prefix_list - Optional Block
List of IP Prefix strings to match against
See IP Prefix List below.
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
DDOS Mitigation Rules DDOS Client Source
A ddos_client_source block (within ddos_mitigation_rules) supports the following:
• asn_list - Optional Block
Unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer
See Asn List below.
• country_list - Optional List Defaults to COUNTRY_NONE
Possible values are COUNTRY_NONE, COUNTRY_AD, COUNTRY_AE, COUNTRY_AF, COUNTRY_AG, COUNTRY_AI, COUNTRY_AL, COUNTRY_AM, COUNTRY_AN, COUNTRY_AO, COUNTRY_AQ, COUNTRY_AR, COUNTRY_AS, COUNTRY_AT, COUNTRY_AU, COUNTRY_AW, COUNTRY_AX, COUNTRY_AZ, COUNTRY_BA,
COUNTRY_BB, COUNTRY_BD, COUNTRY_BE, COUNTRY_BF, COUNTRY_BG, COUNTRY_BH, COUNTRY_BI, COUNTRY_BJ, COUNTRY_BL, COUNTRY_BM, COUNTRY_BN, COUNTRY_BO, COUNTRY_BQ, COUNTRY_BR, COUNTRY_BS, COUNTRY_BT, COUNTRY_BV, COUNTRY_BW, COUNTRY_BY, COUNTRY_BZ, COUNTRY_CA, COUNTRY_CC, COUNTRY_CD, COUNTRY_CF, COUNTRY_CG, COUNTRY_CH, COUNTRY_CI, COUNTRY_CK,
COUNTRY_CL, COUNTRY_CM, COUNTRY_CN, COUNTRY_CO, COUNTRY_CR, COUNTRY_CS, COUNTRY_CU, COUNTRY_CV, COUNTRY_CW, COUNTRY_CX, COUNTRY_CY, COUNTRY_CZ, COUNTRY_DE, COUNTRY_DJ, COUNTRY_DK, COUNTRY_DM, COUNTRY_DO, COUNTRY_DZ, COUNTRY_EC, COUNTRY_EE, COUNTRY_EG, COUNTRY_EH, COUNTRY_ER, COUNTRY_ES, COUNTRY_ET, COUNTRY_FI, COUNTRY_FJ, COUNTRY_FK,
COUNTRY_FM, COUNTRY_FO, COUNTRY_FR, COUNTRY_GA, COUNTRY_GB, COUNTRY_GD, COUNTRY_GE, COUNTRY_GF, COUNTRY_GG, COUNTRY_GH, COUNTRY_GI, COUNTRY_GL, COUNTRY_GM, COUNTRY_GN, COUNTRY_GP, COUNTRY_GQ, COUNTRY_GR, COUNTRY_GS, COUNTRY_GT, COUNTRY_GU, COUNTRY_GW, COUNTRY_GY, COUNTRY_HK, COUNTRY_HM, COUNTRY_HN, COUNTRY_HR, COUNTRY_HT, COUNTRY_HU,
COUNTRY_ID, COUNTRY_IE, COUNTRY_IL, COUNTRY_IM, COUNTRY_IN, COUNTRY_IO, COUNTRY_IQ, COUNTRY_IR, COUNTRY_IS, COUNTRY_IT, COUNTRY_JE, COUNTRY_JM, COUNTRY_JO, COUNTRY_JP, COUNTRY_KE, COUNTRY_KG, COUNTRY_KH, COUNTRY_KI, COUNTRY_KM, COUNTRY_KN, COUNTRY_KP, COUNTRY_KR, COUNTRY_KW, COUNTRY_KY, COUNTRY_KZ, COUNTRY_LA, COUNTRY_LB, COUNTRY_LC,
COUNTRY_LI, COUNTRY_LK, COUNTRY_LR, COUNTRY_LS, COUNTRY_LT, COUNTRY_LU, COUNTRY_LV, COUNTRY_LY, COUNTRY_MA, COUNTRY_MC, COUNTRY_MD, COUNTRY_ME, COUNTRY_MF, COUNTRY_MG, COUNTRY_MH, COUNTRY_MK, COUNTRY_ML, COUNTRY_MM, COUNTRY_MN, COUNTRY_MO, COUNTRY_MP, COUNTRY_MQ, COUNTRY_MR, COUNTRY_MS, COUNTRY_MT, COUNTRY_MU, COUNTRY_MV, COUNTRY_MW,
COUNTRY_MX, COUNTRY_MY, COUNTRY_MZ, COUNTRY_NA, COUNTRY_NC, COUNTRY_NE, COUNTRY_NF, COUNTRY_NG, COUNTRY_NI, COUNTRY_NL, COUNTRY_NO, COUNTRY_NP, COUNTRY_NR, COUNTRY_NU, COUNTRY_NZ, COUNTRY_OM, COUNTRY_PA, COUNTRY_PE, COUNTRY_PF, COUNTRY_PG, COUNTRY_PH, COUNTRY_PK, COUNTRY_PL, COUNTRY_PM, COUNTRY_PN, COUNTRY_PR, COUNTRY_PS, COUNTRY_PT,
COUNTRY_PW, COUNTRY_PY, COUNTRY_QA, COUNTRY_RE, COUNTRY_RO, COUNTRY_RS, COUNTRY_RU, COUNTRY_RW, COUNTRY_SA, COUNTRY_SB, COUNTRY_SC, COUNTRY_SD, COUNTRY_SE, COUNTRY_SG, COUNTRY_SH, COUNTRY_SI, COUNTRY_SJ, COUNTRY_SK, COUNTRY_SL, COUNTRY_SM, COUNTRY_SN, COUNTRY_SO, COUNTRY_SR, COUNTRY_SS, COUNTRY_ST, COUNTRY_SV, COUNTRY_SX, COUNTRY_SY,
COUNTRY_SZ, COUNTRY_TC, COUNTRY_TD, COUNTRY_TF, COUNTRY_TG, COUNTRY_TH, COUNTRY_TJ, COUNTRY_TK, COUNTRY_TL, COUNTRY_TM, COUNTRY_TN, COUNTRY_TO, COUNTRY_TR, COUNTRY_TT, COUNTRY_TV, COUNTRY_TW, COUNTRY_TZ, COUNTRY_UA, COUNTRY_UG, COUNTRY_UM, COUNTRY_US, COUNTRY_UY, COUNTRY_UZ, COUNTRY_VA, COUNTRY_VC, COUNTRY_VE, COUNTRY_VG, COUNTRY_VI,
COUNTRY_VN, COUNTRY_VU, COUNTRY_WF, COUNTRY_WS, COUNTRY_XK, COUNTRY_XT, COUNTRY_YE, COUNTRY_YT, COUNTRY_ZA, COUNTRY_ZM, COUNTRY_ZW
Sources that are located in one of the countries in the given list
• ja4_tls_fingerprint_matcher - Optional Block
Extended version of JA3 that includes additional fields for more comprehensive fingerprinting of SSL/TLS clients and potentially has a different structure and length
See Ja4 TLS Fingerprint Matcher below.
• tls_fingerprint_matcher - Optional Block
TLS fingerprint matcher specifies multiple criteria for matching a TLS fingerprint. The set of supported positive match criteria includes a list of known classes of TLS fingerprints and a list of exact values. The match is considered successful if either of these positive criteria is satisfied
See TLS Fingerprint Matcher below.
DDOS Mitigation Rules DDOS Client Source Asn List
Deeply nested List block collapsed for readability.
DDOS Mitigation Rules DDOS Client Source Ja4 TLS Fingerprint Matcher
Deeply nested Matcher block collapsed for readability.
DDOS Mitigation Rules DDOS Client Source TLS Fingerprint Matcher
Deeply nested Matcher block collapsed for readability.
DDOS Mitigation Rules IP Prefix List
An ip_prefix_list block (within ddos_mitigation_rules) supports the following:
• invert_match - Optional Bool
Invert Match Result. Invert the match result
• ip_prefixes - Optional List
IPv4 Prefix List. List of IPv4 prefix strings
DDOS Mitigation Rules Metadata
A metadata block (within ddos_mitigation_rules) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
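As an added example (not taken from the provider's documentation), a ddos_mitigation_rules entry that blocks one source prefix and expires on its own, built only from the arguments listed above. The rule name, prefix and timestamp are constructed placeholders.

```hcl
# Goes inside: resource "f5xc_cdn_loadbalancer" "example" { ... }

# Temporary block of a source range with a built-in expiry, so the rule
# stops applying even if it is never removed from the configuration.
ddos_mitigation_rules {
  metadata {
    # DNS-1035 format: lower-case letters, digits and '-', starting with a
    # letter. Constructed name.
    name             = "block-203-0-113-0-24"
    description_spec = "Temporary block during incident (constructed example)"
  }

  # Mitigation action for sources that match this rule.
  block {}

  ip_prefix_list {
    # 203.0.113.0/24 is an RFC 5737 documentation range, used here as a
    # placeholder for the prefix being mitigated.
    ip_prefixes = ["203.0.113.0/24"]

    # Keep this false for a targeted block. Setting it to true inverts the
    # match result, so the rule would apply to every source outside the
    # listed prefix.
    invert_match = false
  }

  # RFC 3339 timestamp. After this instant the rule still exists in the
  # configuration but is no longer applied, so review expired rules and
  # remove them rather than relying on them.
  expiration_timestamp = "2030-01-01T00:00:00Z"
}
```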
Default Cache Action
A default_cache_action block supports the following:
• cache_disabled - Optional Block
Enable this option
• cache_ttl_default - Optional String
Use Cache TTL Provided by Origin, and set a contingency TTL value in case one is not provided
• cache_ttl_override - Optional String
Always override the Cache TTL provided by Origin
Enable API Discovery
An enable_api_discovery block supports the following:
• api_crawler - Optional Block
API Crawling. API Crawler message
See API Crawler below.
• api_discovery_from_code_scan - Optional Block
Select codebase and Repositories
See API Discovery From Code Scan below.
• custom_api_auth_discovery - Optional Block
API Discovery Advanced Settings. API Discovery Advanced settings
See Custom API Auth Discovery below.
• default_api_auth_discovery - Optional Block
Enable this option
• disable_learn_from_redirect_traffic - Optional Block
Configuration parameter for disable learn from redirect traffic
• discovered_api_settings - Optional Block
Discovered API Settings. Configure Discovered API Settings
See Discovered API Settings below.
• enable_learn_from_redirect_traffic - Optional Block
Configuration parameter for enable learn from redirect traffic
Enable API Discovery API Crawler
An api_crawler block (within enable_api_discovery) supports the following:
• api_crawler_config - Optional Block
Crawler Configure
See API Crawler Config below.
• disable_api_crawler - Optional Block
Enable this option
Enable API Discovery API Crawler API Crawler Config
Deeply nested Config block collapsed for readability.
Enable API Discovery API Crawler API Crawler Config Domains
Deeply nested Domains block collapsed for readability.
Enable API Discovery API Crawler API Crawler Config Domains Simple Login
Deeply nested Login block collapsed for readability.
Enable API Discovery API Crawler API Crawler Config Domains Simple Login Password
Deeply nested Password block collapsed for readability.
Enable API Discovery API Crawler API Crawler Config Domains Simple Login Password Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Enable API Discovery API Crawler API Crawler Config Domains Simple Login Password Clear Secret Info
Deeply nested Info block collapsed for readability.
Enable API Discovery API Discovery From Code Scan
Deeply nested Scan block collapsed for readability.
Enable API Discovery API Discovery From Code Scan codebase Integrations
Deeply nested Integrations block collapsed for readability.
Enable API Discovery API Discovery From Code Scan codebase Integrations codebase Integration
Deeply nested Integration block collapsed for readability.
Enable API Discovery API Discovery From Code Scan codebase Integrations Selected Repos
Deeply nested Repos block collapsed for readability.
Enable API Discovery Custom API Auth Discovery
A custom_api_auth_discovery block (within enable_api_discovery) supports the following:
• api_discovery_ref - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See API Discovery Ref below.
Enable API Discovery Custom API Auth Discovery API Discovery Ref
Deeply nested Ref block collapsed for readability.
Enable API Discovery Discovered API Settings
A discovered_api_settings block (within enable_api_discovery) supports the following:
• purge_duration_for_inactive_discovered_apis - Optional Number
Inactive discovered API will be deleted after configured duration
Enable Challenge
An enable_challenge block supports the following:
• captcha_challenge_parameters - Optional Block
Enables loadbalancer to perform captcha challenge. Captcha challenge will be based on Google Recaptcha. With this feature enabled, only clients that pass the captcha challenge will be allowed to complete the HTTP request. When loadbalancer is configured to do Captcha Challenge, it will redirect
See Captcha Challenge Parameters below.
• default_captcha_challenge_parameters - Optional Block
Configuration parameter for default captcha challenge parameters
• default_js_challenge_parameters - Optional Block
Configuration parameter for default js challenge parameters
• default_mitigation_settings - Optional Block
Enable this option
• js_challenge_parameters - Optional Block
Enables loadbalancer to perform client browser compatibility test by redirecting to a page with JavaScript. With this feature enabled, only clients that are capable of executing JavaScript (mostly browsers) will be allowed to complete the HTTP request. When loadbalancer is configured to do
See Js Challenge Parameters below.
• malicious_user_mitigation - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Malicious User Mitigation below.
Enable Challenge Captcha Challenge Parameters
A captcha_challenge_parameters block (within enable_challenge) supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
Enable Challenge Js Challenge Parameters
A js_challenge_parameters block (within enable_challenge) supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
• js_script_delay - Optional Number
Delay introduced by JavaScript, in milliseconds
Enable Challenge Malicious User Mitigation
A malicious_user_mitigation block (within enable_challenge) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Enable IP Reputation
An enable_ip_reputation block supports the following:
• ip_threat_categories - Optional List Defaults to SPAM_SOURCES
See IP Threat Categories
[Enum: SPAM_SOURCES|WINDOWS_EXPLOITS|WEB_ATTACKS|BOTNETS|SCANNERS|REPUTATION|PHISHING|PROXY|MOBILE_THREATS|TOR_PROXY|DENIAL_OF_SERVICE|NETWORK] If the source IP matches at least one of the enabled IP threat categories, the request will be denied
GraphQL Rules
A graphql_rules block supports the following:
• any_domain - Optional Block
Enable this option
• exact_path - Optional String Defaults to /GraphQL
Specifies the exact path to GraphQL endpoint
• exact_value - Optional String
Exact domain name
• graphql_settings - Optional Block
Configuration parameter for GraphQL settings
See GraphQL Settings below.
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• method_get - Optional Block
Enable this option
• method_post - Optional Block
Configuration parameter for method post
• suffix_value - Optional String
Suffix of domain name, e.g. ‘xyz.com’ will match ‘*.xyz.com’ and ‘xyz.com’
GraphQL Rules GraphQL Settings
A graphql_settings block (within graphql_rules) supports the following:
• disable_introspection - Optional Block
Enable this option
• enable_introspection - Optional Block
Enable this option
• max_batched_queries - Optional Number
Specify maximum number of queries in a single batched request
• max_depth - Optional Number
Specify maximum depth for the GraphQL query
• max_total_length - Optional Number
Specify maximum length in bytes for the GraphQL query
GraphQL Rules Metadata
A metadata block (within graphql_rules) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
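An added example (not from the provider's documentation) of a graphql_rules entry that turns off introspection and bounds query cost, using only the arguments listed in the GraphQL sections above. The domain, path, rule name and numeric limits are assumptions to be tuned against the application's legitimate queries.

```hcl
# Goes inside: resource "f5xc_cdn_loadbalancer" "example" { ... }

graphql_rules {
  metadata {
    # DNS-1035 format name; constructed.
    name             = "graphql-limits"
    description_spec = "Limit GraphQL query cost and hide the schema"
  }

  # Domain and endpoint this rule applies to (constructed sample values).
  # any_domain {} or suffix_value are the other domain matchers listed above.
  exact_value = "cdn.example.com"
  exact_path  = "/graphql"

  # This example matches the endpoint on POST requests.
  method_post {}

  graphql_settings {
    # Schema introspection is useful in development but discloses every
    # type and field to any client, so it is disabled here.
    disable_introspection {}

    # Deeply nested selections make one request disproportionately
    # expensive for the origin to resolve; cap the nesting depth.
    max_depth = 10

    # A batched request carries several queries in one HTTP request, which
    # sidesteps per-request limits; cap how many are accepted.
    max_batched_queries = 5

    # Upper bound on the query length in bytes.
    max_total_length = 4000
  }
}
```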
HTTP
An http block supports the following:
• dns_volterra_managed - Optional Bool
DNS records for domains will be managed automatically by F5 Distributed Cloud. As a prerequisite, the domain must be delegated to F5 Distributed Cloud using Delegated domain feature or a DNS CNAME record should be created in your DNS provider’s portal
• port - Optional Number
HTTP port to listen on
• port_ranges - Optional String
A string containing a comma separated list of port ranges. Each port range consists of a single port or two ports separated by ‘-’
HTTPS
An https block supports the following:
• add_hsts - Optional Bool
Add HTTP Strict-Transport-Security response header
• http_redirect - Optional Bool
HTTP Redirect to HTTPS. Redirect HTTP traffic to HTTPS
• tls_cert_options - Optional Block
Configuration parameter for TLS cert options
See TLS Cert Options below.
HTTPS TLS Cert Options
A tls_cert_options block (within https) supports the following:
• tls_cert_params - Optional Block
Configuration parameter for TLS cert params
See TLS Cert Params below.
• tls_inline_params - Optional Block
Configuration parameter for TLS inline params
See TLS Inline Params below.
HTTPS TLS Cert Options TLS Cert Params
A tls_cert_params block (within https.tls_cert_options) supports the following:
• certificates - Optional Block
Select one or more certificates with any domain names
See Certificates below.
• no_mtls - Optional Block
Enable this option
• tls_config - Optional Block
Defines various options to configure TLS configuration parameters
See TLS Config below.
• use_mtls - Optional Block
Validation context for downstream client TLS connections
See Use mTLS below.
HTTPS TLS Cert Options TLS Cert Params Certificates
Deeply nested Certificates block collapsed for readability.
HTTPS TLS Cert Options TLS Cert Params TLS Config
Deeply nested Config block collapsed for readability.
HTTPS TLS Cert Options TLS Cert Params TLS Config Custom Security
Deeply nested Security block collapsed for readability.
HTTPS TLS Cert Options TLS Cert Params Use mTLS
Deeply nested mTLS block collapsed for readability.
HTTPS TLS Cert Options TLS Cert Params Use mTLS CRL
Deeply nested CRL block collapsed for readability.
HTTPS TLS Cert Options TLS Cert Params Use mTLS Trusted CA
Deeply nested CA block collapsed for readability.
HTTPS TLS Cert Options TLS Cert Params Use mTLS Xfcc Options
Deeply nested Options block collapsed for readability.
HTTPS TLS Cert Options TLS Inline Params
A tls_inline_params block (within https.tls_cert_options) supports the following:
• no_mtls - Optional Block
Enable this option
• tls_certificates - Optional Block
Users can add one or more certificates that share the same set of domains. For example, domain.com and *.domain.com - but use different signature algorithms
See TLS Certificates below.
• tls_config - Optional Block
Defines various options to configure TLS configuration parameters
See TLS Config below.
• use_mtls - Optional Block
Validation context for downstream client TLS connections
See Use mTLS below.
HTTPS TLS Cert Options TLS Inline Params TLS Certificates
Deeply nested Certificates block collapsed for readability.
HTTPS TLS Cert Options TLS Inline Params TLS Certificates Custom Hash Algorithms
Deeply nested Algorithms block collapsed for readability.
HTTPS TLS Cert Options TLS Inline Params TLS Certificates Private Key
Deeply nested Key block collapsed for readability.
HTTPS TLS Cert Options TLS Inline Params TLS Certificates Private Key Blindfold Secret Info
Deeply nested Info block collapsed for readability.
HTTPS TLS Cert Options TLS Inline Params TLS Certificates Private Key Clear Secret Info
Deeply nested Info block collapsed for readability.
HTTPS TLS Cert Options TLS Inline Params TLS Config
Deeply nested Config block collapsed for readability.
HTTPS TLS Cert Options TLS Inline Params TLS Config Custom Security
Deeply nested Security block collapsed for readability.
HTTPS TLS Cert Options TLS Inline Params Use mTLS
Deeply nested mTLS block collapsed for readability.
HTTPS TLS Cert Options TLS Inline Params Use mTLS CRL
Deeply nested CRL block collapsed for readability.
HTTPS TLS Cert Options TLS Inline Params Use mTLS Trusted CA
Deeply nested CA block collapsed for readability.
HTTPS TLS Cert Options TLS Inline Params Use mTLS Xfcc Options
Deeply nested Options block collapsed for readability.
HTTPS Auto Cert
An https_auto_cert block supports the following:
• add_hsts - Optional Bool
Add HTTP Strict-Transport-Security response header
• http_redirect - Optional Bool
HTTP Redirect to HTTPS. Redirect HTTP traffic to HTTPS
• tls_config - Optional Block
Defines various options to configure TLS configuration parameters
See TLS Config below.
HTTPS Auto Cert TLS Config
A tls_config block (within https_auto_cert) supports the following:
• tls_11_plus - Optional Block
Configuration parameter for TLS 11 plus
• tls_12_plus - Optional Block
Configuration parameter for TLS 12 plus
Js Challenge
A js_challenge block supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
• js_script_delay - Optional Number
Delay introduced by JavaScript, in milliseconds
JWT Validation
A jwt_validation block supports the following:
• action - Optional Block
Action
See Action below.
• authorization_server - Optional Block
Reference to Authorization Server object
See Authorization Server below.
• jwks_config - Optional Block
The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details
See Jwks Config below.
• mandatory_claims - Optional Block
Configurable Validation of mandatory Claims
See Mandatory Claims below.
• reserved_claims - Optional Block
Configurable Validation of reserved Claims
See Reserved Claims below.
• target - Optional Block
Define endpoints for which JWT token validation will be performed
See Target below.
• token_location - Optional Block
Configuration parameter for token location
See Token Location below.
JWT Validation Action
An action block (within jwt_validation) supports the following:
• block - Optional Block
Enable this option
• report - Optional Block
Enable this option
JWT Validation Authorization Server
An authorization_server block (within jwt_validation) supports the following:
• authorization_servers - Optional Block
Authorization Servers are configured separately in the ‘Shared Objects’ section of the Web App & API Protection workspace and used to fetch JWKS for JWT validation
See Authorization Servers below.
JWT Validation Authorization Server Authorization Servers
An authorization_servers block (within jwt_validation.authorization_server) supports the following:
• name - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the route’s) name
• namespace - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the route’s) namespace
• tenant - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the route’s) tenant
JWT Validation Jwks Config
A jwks_config block (within jwt_validation) supports the following:
• cleartext - Optional String
The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details
JWT Validation Mandatory Claims
A mandatory_claims block (within jwt_validation) supports the following:
• claim_names - Optional List
Claim Names. Human-readable name for the resource
JWT Validation Reserved Claims
A reserved_claims block (within jwt_validation) supports the following:
• audience - Optional Block
Audiences
See Audience below.
• audience_disable - Optional Block
Configuration parameter for audience disable
• issuer - Optional String
Exact Match
• issuer_disable - Optional Block
Configuration parameter for issuer disable
• validate_period_disable - Optional Block
Configuration parameter for validate period disable
• validate_period_enable - Optional Block
Configuration parameter for validate period enable
JWT Validation Reserved Claims Audience
An audience block (within jwt_validation.reserved_claims) supports the following:
• audiences - Optional List
Values
JWT Validation Target
A target block (within jwt_validation) supports the following:
• all_endpoint - Optional Block
Enable this option
• api_groups - Optional Block
API Groups
See API Groups below.
• base_paths - Optional Block
Base Paths
See Base Paths below.
JWT Validation Target API Groups
An api_groups block (within jwt_validation.target) supports the following:
• api_groups - Optional List
API Groups
JWT Validation Target Base Paths
A base_paths block (within jwt_validation.target) supports the following:
• base_paths - Optional List
Prefix Values
JWT Validation Token Location
A token_location block (within jwt_validation) supports the following:
• bearer_token - Optional Block
Configuration parameter for bearer token
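A configuration sketch that ties the jwt_validation arguments above together, added here as an illustration and not taken from the provider's documentation. It assumes the paired options (block/report, issuer/issuer_disable, audience/audience_disable, validate_period_enable/validate_period_disable) are mutually exclusive choices, and that volterra_trusted_ca verifies the origin against the platform's default CA list; hostnames, issuer, audience, the /api/ prefix and both variables are placeholders.

```hcl
# Added example (not from the provider docs). Hostnames, issuer, audience,
# path prefix and both variables are placeholders.

variable "jwks_cleartext" {
  description = "JWKS from the authorization server, in the encoding jwks_config.cleartext expects"
  type        = string
}

variable "jwt_enforce" {
  description = "false = report validation failures only, true = block failing requests"
  type        = bool
  default     = false
}

resource "f5xc_cdn_loadbalancer" "jwt_protected" {
  name      = "example-cdn-jwt"
  namespace = "staging"
  domains   = ["cdn.example.com"]

  origin_pool {
    public_name {
      dns_name = "origin.example.com"
    }
    use_tls {
      sni = "origin.example.com"
      volterra_trusted_ca {} # assumption: verify against the default CA list
      no_mtls {}
      tls_config {
        default_security {}
      }
    }
  }

  https_auto_cert {
    http_redirect = true
  }

  jwt_validation {
    # Validate only the API prefix; all_endpoint {} would cover every path.
    target {
      base_paths {
        base_paths = ["/api/"]
      }
    }

    token_location {
      bearer_token {}
    }

    # Keys used to verify the token signature.
    jwks_config {
      cleartext = var.jwks_cleartext
    }

    # A valid signature only shows that a key in the JWKS signed the token.
    # Pinning issuer and audience and checking the validity period rejects
    # tokens minted for another service and expired tokens.
    # issuer_disable {}, audience_disable {} and validate_period_disable {}
    # are the options that switch these checks off.
    reserved_claims {
      issuer = "https://idp.example.com/"
      audience {
        audiences = ["cdn.example.com"]
      }
      validate_period_enable {}
    }

    mandatory_claims {
      claim_names = ["sub"]
    }

    # Staged rollout: report {} while tuning, block {} once the reported
    # failures are understood. Exactly one of the two blocks is emitted.
    action {
      dynamic "block" {
        for_each = var.jwt_enforce ? [1] : []
        content {}
      }
      dynamic "report" {
        for_each = var.jwt_enforce ? [] : [1]
        content {}
      }
    }
  }
}
```

Leaving jwt_enforce at its default keeps the load balancer in report mode, so a missing claim or a stale JWKS shows up in reports before it can reject production traffic.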
L7 DDOS Action Js Challenge
An l7_ddos_action_js_challenge block supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
• js_script_delay - Optional Number
Delay introduced by JavaScript, in milliseconds
Origin Pool
An origin_pool block supports the following:
• more_origin_options - Optional Block
Configuration parameter for more origin options
See More Origin Options below.
• no_tls - Optional Block
Enable this option
• origin_request_timeout - Optional String
Configures the time after which a request to the origin will time out waiting for a response
• origin_servers - Optional Block
List of origin servers
See Origin Servers below.
• public_name - Optional Block
Specify origin server with public DNS name
See Public Name below.
• use_tls - Optional Block
TLS Parameters for Origin Servers. Upstream TLS Parameters
See Use TLS below.
Origin Pool More Origin Options
A more_origin_options block (within origin_pool) supports the following:
• enable_byte_range_request - Optional Bool
Choice to enable/disable byte range requests towards origin
• websocket_proxy - Optional Bool
Option to enable proxying of WebSocket connections to the origin server
Origin Pool Origin Servers
An origin_servers block (within origin_pool) supports the following:
• port - Optional Number
Origin Server Port. Port the workload can be reached on
• public_ip - Optional Block
Specify origin server with public IP address
See Public IP below.
• public_name - Optional Block
Specify origin server with public DNS name
See Public Name below.
Origin Pool Origin Servers Public IP
A public_ip block (within origin_pool.origin_servers) supports the following:
• ip - Optional String
Public IPv4. Public IPv4 address
Origin Pool Origin Servers Public Name
A public_name block (within origin_pool.origin_servers) supports the following:
• dns_name - Optional String
DNS Name
• refresh_interval - Optional Number
Interval for DNS refresh in seconds. Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767.
Origin Pool Public Name
A public_name block (within origin_pool) supports the following:
• dns_name - Optional String
DNS Name
• refresh_interval - Optional Number
Interval for DNS refresh in seconds. Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767.
Origin Pool Use TLS
A use_tls block (within origin_pool) supports the following:
• default_session_key_caching - Optional Block
Configuration parameter for default session key caching
• disable_session_key_caching - Optional Block
Configuration parameter for disable session key caching
• disable_sni - Optional Block
Configuration parameter for disable sni
• max_session_keys - Optional Number
Number of session keys that are cached
• no_mtls - Optional Block
Enable this option
• skip_server_verification - Optional Block
Enable this option
• sni - Optional String
SNI value to be used
• tls_config - Optional Block
Defines various options to configure TLS configuration parameters
See TLS Config below.
• use_host_header_as_sni - Optional Block
Enable this option
• use_mtls - Optional Block
mTLS Certificate. mTLS Client Certificate
See Use mTLS below.
• use_mtls_obj - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Use mTLS Obj below.
• use_server_verification - Optional Block
Configuration parameter for use server verification
See Use Server Verification below.
• volterra_trusted_ca - Optional Block
Configuration parameter for volterra trusted CA
Origin Pool Use TLS TLS Config
A tls_config block (within origin_pool.use_tls) supports the following:
• custom_security - Optional Block
Defines TLS protocol config including min/max versions and allowed ciphers
See Custom Security below.
• default_security - Optional Block
Enable this option
• low_security - Optional Block
Enable this option
• medium_security - Optional Block
Enable this option
Origin Pool Use TLS TLS Config Custom Security
Deeply nested Security block collapsed for readability.
Origin Pool Use TLS Use mTLS
A use_mtls block (within origin_pool.use_tls) supports the following:
• tls_certificates - Optional Block
mTLS Client Certificate
See TLS Certificates below.
Origin Pool Use TLS Use mTLS TLS Certificates
Deeply nested Certificates block collapsed for readability.
Origin Pool Use TLS Use mTLS TLS Certificates Custom Hash Algorithms
Deeply nested Algorithms block collapsed for readability.
Origin Pool Use TLS Use mTLS TLS Certificates Private Key
Deeply nested Key block collapsed for readability.
Origin Pool Use TLS Use mTLS TLS Certificates Private Key Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Origin Pool Use TLS Use mTLS TLS Certificates Private Key Clear Secret Info
Deeply nested Info block collapsed for readability.
Origin Pool Use TLS Use mTLS Obj
A use_mtls_obj block (within origin_pool.use_tls) supports the following:
• name - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the route’s) name
• namespace - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the route’s) namespace
• tenant - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the route’s) tenant
Origin Pool Use TLS Use Server Verification
A use_server_verification block (within origin_pool.use_tls) supports the following:
• trusted_ca - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Trusted CA below.
• trusted_ca_url - Optional String
Upload a Root CA Certificate specifically for this Origin Pool for verification of server’s certificate
Origin Pool Use TLS Use Server Verification Trusted CA
Deeply nested CA block collapsed for readability.
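The origin-side use_tls arguments and the client-side https_auto_cert arguments decide whether both legs of a CDN request are actually protected. The two resources below are an added example, not code from the provider's documentation, showing a weak combination beside a hardened one. It assumes that the verification options (skip_server_verification, use_server_verification, volterra_trusted_ca) are mutually exclusive, that volterra_trusted_ca verifies the origin certificate against the platform's default CA list, and that low_security is the most permissive of the preset levels, as its name suggests; names and hostnames are placeholders.

```hcl
# Added example (not from the provider docs). Names and hostnames are placeholders.

# Weak: the origin leg is encrypted but unauthenticated, and clients may
# negotiate TLS 1.1. no_tls {} on the origin_pool would be weaker still
# (plaintext between the CDN edge and the origin).
resource "f5xc_cdn_loadbalancer" "weak_tls" {
  name      = "example-cdn-weak-tls"
  namespace = "staging"
  domains   = ["cdn-weak.example.com"]

  origin_pool {
    public_name {
      dns_name = "origin.example.com"
    }
    use_tls {
      sni = "origin.example.com"
      skip_server_verification {} # origin certificate is not checked
      no_mtls {}
      tls_config {
        low_security {} # assumption: most permissive preset
      }
    }
  }

  https_auto_cert {
    http_redirect = true
    tls_config {
      tls_11_plus {}
    }
  }
}

# Hardened: the origin certificate is verified, the SNI names the origin,
# clients get TLS 1.2 or later, and HSTS keeps browsers on HTTPS.
resource "f5xc_cdn_loadbalancer" "hardened_tls" {
  name      = "example-cdn-hardened-tls"
  namespace = "staging"
  domains   = ["cdn.example.com"]

  origin_pool {
    public_name {
      dns_name = "origin.example.com"
    }
    use_tls {
      sni = "origin.example.com"
      # Assumption: verifies against the platform's default CA list. For an
      # origin certificate issued by a private CA, use_server_verification
      # with trusted_ca or trusted_ca_url is the documented alternative.
      volterra_trusted_ca {}
      no_mtls {}
      tls_config {
        default_security {}
      }
    }
  }

  https_auto_cert {
    add_hsts      = true
    http_redirect = true
    tls_config {
      tls_12_plus {}
    }
  }
}
```

In review, a plan that introduces skip_server_verification, no_tls, low_security or tls_11_plus is worth flagging, since each one weakens a leg of the connection without producing any visible error.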
Other Settings
An other_settings block supports the following:
• add_location - Optional Bool
Add Location. Appends header x-volterra-location = <RE-site-name> in responses
• header_options - Optional Block
Defines various options related to request/response headers
See Header Options below.
• logging_options - Optional Block
Defines various options related to logging
See Logging Options below.
Other Settings Header Options
A header_options block (within other_settings) supports the following:
• request_headers_to_add - Optional Block
Headers are key-value pairs to be added to HTTP request being routed towards upstream. Headers specified at this level are applied after headers from matched Route are applied
See Request Headers To Add below.
• request_headers_to_remove - Optional List
List of keys of Headers to be removed from the HTTP request being sent towards upstream
• response_headers_to_add - Optional Block
Headers are key-value pairs to be added to HTTP response being sent towards downstream. Headers specified at this level are applied after headers from matched Route are applied
See Response Headers To Add below.
• response_headers_to_remove - Optional List
List of keys of Headers to be removed from the HTTP response being sent towards downstream
Other Settings Header Options Request Headers To Add
Deeply nested Add block collapsed for readability.
Other Settings Header Options Request Headers To Add Secret Value
Deeply nested Value block collapsed for readability.
Other Settings Header Options Request Headers To Add Secret Value Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Other Settings Header Options Request Headers To Add Secret Value Clear Secret Info
Deeply nested Info block collapsed for readability.
Other Settings Header Options Response Headers To Add
Deeply nested Add block collapsed for readability.
Other Settings Header Options Response Headers To Add Secret Value
Deeply nested Value block collapsed for readability.
Other Settings Header Options Response Headers To Add Secret Value Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Other Settings Header Options Response Headers To Add Secret Value Clear Secret Info
Deeply nested Info block collapsed for readability.
Other Settings Logging Options
A logging_options block (within other_settings) supports the following:
• client_log_options - Optional Block
Headers to Log. List of headers to Log
See Client Log Options below.
• origin_log_options - Optional Block
Configuration parameter for origin log options
See Origin Log Options below.
Other Settings Logging Options Client Log Options
A client_log_options block (within other_settings.logging_options) supports the following:
• header_list - Optional List
Headers. List of headers
Other Settings Logging Options Origin Log Options
An origin_log_options block (within other_settings.logging_options) supports the following:
• header_list - Optional List
Headers. List of headers
Policy Based Challenge
A policy_based_challenge block supports the following:
• always_enable_captcha_challenge - Optional Block
Configuration parameter for always enable captcha challenge
• always_enable_js_challenge - Optional Block
Configuration parameter for always enable js challenge
• captcha_challenge_parameters - Optional Block
Enables loadbalancer to perform captcha challenge. Captcha challenge will be based on Google Recaptcha. With this feature enabled, only clients that pass the captcha challenge will be allowed to complete the HTTP request. When loadbalancer is configured to do Captcha Challenge, it will redirect
See Captcha Challenge Parameters below.
• default_captcha_challenge_parameters - Optional Block
Configuration parameter for default captcha challenge parameters
• default_js_challenge_parameters - Optional Block
Configuration parameter for default js challenge parameters
• default_mitigation_settings - Optional Block
Enable this option
• default_temporary_blocking_parameters - Optional Block
Enable this option
• js_challenge_parameters - Optional Block
Enables loadbalancer to perform client browser compatibility test by redirecting to a page with JavaScript. With this feature enabled, only clients that are capable of executing JavaScript (mostly browsers) will be allowed to complete the HTTP request. When loadbalancer is configured to do
See Js Challenge Parameters below.
• malicious_user_mitigation - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Malicious User Mitigation below.
• no_challenge - Optional Block
Configuration parameter for no challenge
• rule_list - Optional Block
List of challenge rules to be used in policy based challenge
See Rule List below.
• temporary_user_blocking - Optional Block
Specifies configuration for temporary user blocking resulting from user behavior analysis. When Malicious User Mitigation is enabled from service policy rules, users accessing the application will be analyzed for malicious activity and the configured mitigation actions will be taken on
See Temporary User Blocking below.
Policy Based Challenge Captcha Challenge Parameters
A captcha_challenge_parameters block (within policy_based_challenge) supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
Policy Based Challenge Js Challenge Parameters
A js_challenge_parameters block (within policy_based_challenge) supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
• js_script_delay - Optional Number
Delay introduced by JavaScript, in milliseconds
Policy Based Challenge Malicious User Mitigation
A malicious_user_mitigation block (within policy_based_challenge) supports the following:
• name - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the route’s) name
• namespace - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the route’s) namespace
• tenant - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the route’s) tenant
Policy Based Challenge Rule List
A rule_list block (within policy_based_challenge) supports the following:
• rules - Optional Block
Rules that specify the match conditions and challenge type to be launched. When a challenge type is selected to be always enabled, these rules can be used to disable challenge or launch a different challenge for requests that match the specified conditions
See Rules below.
Policy Based Challenge Rule List Rules
A rules block (within policy_based_challenge.rule_list) supports the following:
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• spec - Optional Block
Challenge Rule consists of an unordered list of predicates and an action. The predicates are evaluated against a set of input fields that are extracted from or derived from an L7 request API. A request API is considered to match the rule if all predicates in the rule evaluate to true for that
See Spec below.
Policy Based Challenge Rule List Rules Metadata
A metadata block (within policy_based_challenge.rule_list.rules) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
Policy Based Challenge Rule List Rules Spec
A spec block (within policy_based_challenge.rule_list.rules) supports the following:
• any_asn - Optional Block
Enable this option
• any_client - Optional Block
Enable this option
• any_ip - Optional Block
Enable this option
• arg_matchers - Optional Block
List of predicates for all POST args that need to be matched. The criteria for matching each arg are described in individual instances of ArgMatcherType. The actual arg values are extracted from the request API as a list of strings for each arg selector name
See Arg Matchers below.
• asn_list - Optional Block
Unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer
See Asn List below.
• asn_matcher - Optional Block
Match any AS number contained in the list of bgp_asn_sets
See Asn Matcher below.
• body_matcher - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Body Matcher below.
• client_selector - Optional Block
Type can be used to establish a ‘selector reference’ from one object (called selector) to a set of other objects (called selectees) based on the value of expressions. A label selector is a label query over a set of resources. An empty label selector matches all objects
See Client Selector below.
• cookie_matchers - Optional Block
List of predicates for all cookies that need to be matched. The criteria for matching each cookie is described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name
See Cookie Matchers below.
• disable_challenge - Optional Block
Configuration parameter for disable challenge
• domain_matcher - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Domain Matcher below.
• enable_captcha_challenge - Optional Block
Configuration parameter for enable captcha challenge
• enable_javascript_challenge - Optional Block
Enable this option
• expiration_timestamp - Optional String
Specifies the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is no longer applied
• headers - Optional Block
List of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type
See Headers below.
• http_method - Optional Block
HTTP method matcher specifies a list of methods to match an input HTTP method. The match is considered successful if the input method is a member of the list. The result of the match based on the method list is inverted if invert_matcher is true
See HTTP Method below.
• ip_matcher - Optional Block
Match any IP prefix contained in the list of ip_prefix_sets. The result of the match is inverted if invert_matcher is true
See IP Matcher below.
• ip_prefix_list - Optional Block
List of IP Prefix strings to match against
See IP Prefix List below.
• path - Optional Block
Path matcher specifies multiple criteria for matching an HTTP path string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of path prefixes, a list of exact path values and a list of regular expressions
See Path below.
• query_params - Optional Block
List of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query
See Query Params below.
• tls_fingerprint_matcher - Optional Block
TLS fingerprint matcher specifies multiple criteria for matching a TLS fingerprint. The set of supported positive match criteria includes a list of known classes of TLS fingerprints and a list of exact values. The match is considered successful if either of these positive criteria are satisfied
See TLS Fingerprint Matcher below.
Policy Based Challenge Rule List Rules Spec Arg Matchers
Deeply nested Matchers block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Arg Matchers Item
Deeply nested Item block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Asn List
Deeply nested List block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Asn Matcher
Deeply nested Matcher block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Asn Matcher Asn Sets
Deeply nested Sets block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Body Matcher
Deeply nested Matcher block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Client Selector
Deeply nested Selector block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Cookie Matchers
Deeply nested Matchers block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Cookie Matchers Item
Deeply nested Item block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Domain Matcher
Deeply nested Matcher block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Headers
Deeply nested Headers block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Headers Item
Deeply nested Item block collapsed for readability.
Policy Based Challenge Rule List Rules Spec HTTP Method
Deeply nested Method block collapsed for readability.
Policy Based Challenge Rule List Rules Spec IP Matcher
Deeply nested Matcher block collapsed for readability.
Policy Based Challenge Rule List Rules Spec IP Matcher Prefix Sets
Deeply nested Sets block collapsed for readability.
Policy Based Challenge Rule List Rules Spec IP Prefix List
Deeply nested List block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Path
Deeply nested Path block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Query Params
Deeply nested Params block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Query Params Item
Deeply nested Item block collapsed for readability.
Policy Based Challenge Rule List Rules Spec TLS Fingerprint Matcher
Deeply nested Matcher block collapsed for readability.
Policy Based Challenge Temporary User Blocking
A temporary_user_blocking block (within policy_based_challenge) supports the following:
• custom_page - Optional String
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in base64 format. You can specify this message as a base64-encoded plain text message, e.g. ‘Blocked.’, or it can be an HTML paragraph or a body string encoded as a base64 string, e.g. ‘<p> Blocked
Protected Cookies
A protected_cookies block supports the following:
• add_httponly - Optional Block
Configuration parameter for add httponly
• add_secure - Optional Block
Enable this option
• disable_tampering_protection - Optional Block
Configuration parameter for disable tampering protection
• enable_tampering_protection - Optional Block
Configuration parameter for enable tampering protection
• ignore_httponly - Optional Block
Configuration parameter for ignore httponly
• ignore_max_age - Optional Block
Configuration parameter for ignore max age
• ignore_samesite - Optional Block
Enable this option
• ignore_secure - Optional Block
Enable this option
• max_age_value - Optional Number
Add max age attribute
• name - Optional String
Cookie Name. Name of the Cookie
• samesite_lax - Optional Block
Enable this option
• samesite_none - Optional Block
Enable this option
• samesite_strict - Optional Block
Enable this option
Rate Limit
A rate_limit block supports the following:
• custom_ip_allowed_list - Optional Block
IP Allowed list using existing ip_prefix_set objects
See Custom IP Allowed List below.
• ip_allowed_list - Optional Block
List of IPv4 prefixes that represent an endpoint
See IP Allowed List below.
• no_ip_allowed_list - Optional Block
Enable this option
• no_policies - Optional Block
Configuration parameter for no policies
• policies - Optional Block
List of rate limiter policies to be applied
See Policies below.
• rate_limiter - Optional Block
Tuple consisting of a rate limit period unit and the total number of allowed requests for that period
See Rate Limiter below.
Rate Limit Custom IP Allowed List
A custom_ip_allowed_list block (within rate_limit) supports the following:
• rate_limiter_allowed_prefixes - Optional Block
References to ip_prefix_set objects. Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting
See Rate Limiter Allowed Prefixes below.
Rate Limit Custom IP Allowed List Rate Limiter Allowed Prefixes
Deeply nested Prefixes block collapsed for readability.
Rate Limit IP Allowed List
An ip_allowed_list block (within rate_limit) supports the following:
• prefixes - Optional List
List of IPv4 prefixes that represent an endpoint
Rate Limit Policies
A policies block (within rate_limit) supports the following:
• policies - Optional Block
Ordered list of rate limiter policies
See Policies below.
Rate Limit Policies Policies
A policies block (within rate_limit.policies) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the route’s) tenant
Rate Limit Rate Limiter
A rate_limiter block (within rate_limit) supports the following:
• action_block - Optional Block
Action where a user is blocked from making further requests after exceeding rate limit threshold
See Action Block below.
• burst_multiplier - Optional Number
The maximum burst of requests to accommodate, expressed as a multiple of the rate
• disabled - Optional Block
Enable this option
• leaky_bucket - Optional Block
Leaky-Bucket is the default rate limiter algorithm for F5
• period_multiplier - Optional Number
Setting, combined with Per Period units, provides a duration
• token_bucket - Optional Block
Token-Bucket is a rate limiter algorithm that is stricter with enforcing limits
• total_number - Optional Number
The total number of allowed requests per rate-limiting period
• unit - Optional String Defaults to SECOND
Possible values are SECOND, MINUTE, HOUR
[Enum: SECOND|MINUTE|HOUR] Unit for the period per which the rate limit is applied. - SECOND: Second Rate limit period unit is seconds - MINUTE: Minute Rate limit period unit is minutes - HOUR: Hour Rate limit period unit is hours - DAY: Day Rate limit period unit is days
Rate Limit Rate Limiter Action Block
An action_block block (within rate_limit.rate_limiter) supports the following:
• hours - Optional Block
Hours. Input Duration Hours
See Hours below.
• minutes - Optional Block
Minutes. Input Duration Minutes
See Minutes below.
• seconds - Optional Block
Seconds. Input Duration Seconds
See Seconds below.
Rate Limit Rate Limiter Action Block Hours
An hours block (within rate_limit.rate_limiter.action_block) supports the following:
• duration - Optional Number
Duration. Configuration parameter for duration
Rate Limit Rate Limiter Action Block Minutes
A minutes block (within rate_limit.rate_limiter.action_block) supports the following:
• duration - Optional Number
Duration. Configuration parameter for duration
Rate Limit Rate Limiter Action Block Seconds
A seconds block (within rate_limit.rate_limiter.action_block) supports the following:
• duration - Optional Number
Duration. Configuration parameter for duration
Sensitive Data Policy
A sensitive_data_policy block supports the following:
• sensitive_data_policy_ref - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Sensitive Data Policy Ref below.
Sensitive Data Policy Sensitive Data Policy Ref
A sensitive_data_policy_ref block (within sensitive_data_policy) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the route’s) tenant
Slow DDOS Mitigation
A slow_ddos_mitigation block supports the following:
• disable_request_timeout - Optional Block
Configuration parameter for disable request timeout
• request_headers_timeout - Optional Number Defaults to 10000
The amount of time, in milliseconds, the client has to send only the headers on the request stream before the stream is cancelled. This setting provides protection against Slowloris attacks
• request_timeout - Optional Number
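An added example (not from the provider's documentation) that combines the rate_limit and slow_ddos_mitigation arguments described above in one resource. All values are constructed, the base arguments follow the page's Example Usage, and treating ip_allowed_list / no_ip_allowed_list / custom_ip_allowed_list and leaky_bucket / token_bucket as mutually exclusive choices is an assumption the page does not state.

```hcl
# Added example: constructed names, prefixes and thresholds.
resource "f5xc_cdn_loadbalancer" "rate_limited" {
  name      = "example-cdn-rate-limited"
  namespace = "staging"
  domains   = ["cdn.example.com"]

  # Origin settings copied from the page's Example Usage.
  origin_pool {
    public_name {
      dns_name = "origin.example.com"
    }
    no_tls {}
  }

  https_auto_cert {
    http_redirect = true
  }

  rate_limit {
    # Exempt only a small, known source range from rate limiting.
    # Every prefix listed here bypasses the limiter entirely, so keep it narrow.
    ip_allowed_list {
      prefixes = ["192.0.2.0/28"] # documentation range, constructed
    }

    # No separate rate limiter policy objects are attached.
    no_policies {}

    rate_limiter {
      # 100 requests per period of 1 MINUTE.
      total_number      = 100
      unit              = "MINUTE"
      period_multiplier = 1

      # Largest burst to accommodate, as a multiple of the rate.
      burst_multiplier = 2

      # The page describes token bucket as the stricter algorithm.
      token_bucket {}

      # Block a user for 10 minutes after the threshold is exceeded.
      action_block {
        minutes {
          duration = 10
        }
      }
    }
  }

  slow_ddos_mitigation {
    # Tighter than the documented default of 10000 for sending request headers.
    request_headers_timeout = 5000
  }
}
```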
Timeouts
A timeouts block supports the following:
• create - Optional String (Defaults to 10 minutes)
Used when creating the resource
• delete - Optional String (Defaults to 10 minutes)
Used when deleting the resource
• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource
• update - Optional String (Defaults to 10 minutes)
Used when updating the resource
Trusted Clients
A trusted_clients block supports the following:
• actions - Optional List Defaults to SKIP_PROCESSING_WAF
Possible values are SKIP_PROCESSING_WAF, SKIP_PROCESSING_BOT, SKIP_PROCESSING_MUM, SKIP_PROCESSING_IP_REPUTATION, SKIP_PROCESSING_API_PROTECTION, SKIP_PROCESSING_OAS_VALIDATION, SKIP_PROCESSING_DDOS_PROTECTION, SKIP_PROCESSING_THREAT_MESH, SKIP_PROCESSING_MALWARE_PROTECTION
[Enum: SKIP_PROCESSING_WAF|SKIP_PROCESSING_BOT|SKIP_PROCESSING_MUM|SKIP_PROCESSING_IP_REPUTATION|SKIP_PROCESSING_API_PROTECTION|SKIP_PROCESSING_OAS_VALIDATION|SKIP_PROCESSING_DDOS_PROTECTION|SKIP_PROCESSING_THREAT_MESH|SKIP_PROCESSING_MALWARE_PROTECTION] Actions that should be taken when client identifier matches the rule
• as_number - Optional Number
RFC 6793 defined 4-byte AS number
• bot_skip_processing - Optional Block
Enable this option
• expiration_timestamp - Optional String
The RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is no longer applied
• http_header - Optional Block
Configuration parameter for HTTP header
See HTTP Header below.
• ip_prefix - Optional String
IPv4 prefix string
• ipv6_prefix - Optional String
IPv6 prefix string
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• skip_processing - Optional Block
Enable this option
• user_identifier - Optional String
Identify user based on user identifier. User identifier value needs to be copied from security event
• waf_skip_processing - Optional Block
Enable this option
Trusted Clients HTTP Header
An http_header block (within trusted_clients) supports the following:
• headers - Optional Block
List of HTTP header name and value pairs
See Headers below.
Trusted Clients HTTP Header Headers
A headers block (within trusted_clients.http_header) supports the following:
• exact - Optional String
Header value to match exactly
• invert_match - Optional Bool
Invert the result of the match to detect missing header or non-matching value
• name - Optional String
Name. Name of the header
• presence - Optional Bool
If true, check for presence of header
• regex - Optional String
Regex match of the header value in re2 format
Trusted Clients Metadata
A metadata block (within trusted_clients) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
User Identification
A user_identification block supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the route’s) tenant
WAF Exclusion
A waf_exclusion block supports the following:
• waf_exclusion_inline_rules - Optional Block
List of WAF exclusion rules that will be applied inline
See WAF Exclusion Inline Rules below.
• waf_exclusion_policy - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See WAF Exclusion Policy below.
WAF Exclusion WAF Exclusion Inline Rules
A waf_exclusion_inline_rules block (within waf_exclusion) supports the following:
• rules - Optional Block
Ordered list of WAF Exclusions specific to this Load Balancer
See Rules below.
WAF Exclusion WAF Exclusion Inline Rules Rules
A rules block (within waf_exclusion.waf_exclusion_inline_rules) supports the following:
• any_domain - Optional Block
Enable this option
• any_path - Optional Block
Enable this option
• app_firewall_detection_control - Optional Block
Define the list of Signature IDs, Violations, Attack Types and Bot Names that should be excluded from triggering on the defined match criteria
See App Firewall Detection Control below.
• exact_value - Optional String
Exact domain name
• expiration_timestamp - Optional String
The RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is no longer applied
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• methods - Optional List Defaults to ANY
See HTTP Methods
Methods. Methods to be matched
• path_prefix - Optional String
Path prefix to match (e.g. The value / will match on all paths)
• path_regex - Optional String
Define the regex for the path. For example, the regex ^/.*$ will match on all paths
• suffix_value - Optional String
Suffix of domain name e.g ‘xyz.com’ will match ‘*.xyz.com’ and ‘xyz.com’
• waf_skip_processing - Optional Block
Enable this option
WAF Exclusion WAF Exclusion Inline Rules Rules App Firewall Detection Control
Deeply nested Control block collapsed for readability.
WAF Exclusion WAF Exclusion Inline Rules Rules App Firewall Detection Control Exclude Attack Type Contexts
Deeply nested Contexts block collapsed for readability.
WAF Exclusion WAF Exclusion Inline Rules Rules App Firewall Detection Control Exclude Bot Name Contexts
Deeply nested Contexts block collapsed for readability.
WAF Exclusion WAF Exclusion Inline Rules Rules App Firewall Detection Control Exclude Signature Contexts
Deeply nested Contexts block collapsed for readability.
WAF Exclusion WAF Exclusion Inline Rules Rules App Firewall Detection Control Exclude Violation Contexts
Deeply nested Contexts block collapsed for readability.
WAF Exclusion WAF Exclusion Inline Rules Rules Metadata
Deeply nested Metadata block collapsed for readability.
WAF Exclusion WAF Exclusion Policy
A waf_exclusion_policy block (within waf_exclusion) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the route’s) tenant
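An added example (not from the provider's documentation) showing a trusted_clients rule and an inline WAF exclusion that are both narrowly scoped and carry an expiration_timestamp, so the bypass stops applying on its own. All names, prefixes, paths and timestamps are constructed, the base arguments follow the page's Example Usage, and using exactly one domain matcher and one path matcher per rule is an assumption the page does not state.

```hcl
# Added example: constructed identifiers and dates.
resource "f5xc_cdn_loadbalancer" "scoped_exceptions" {
  name      = "example-cdn-scoped-exceptions"
  namespace = "staging"
  domains   = ["cdn.example.com"]

  # Origin settings copied from the page's Example Usage.
  origin_pool {
    public_name {
      dns_name = "origin.example.com"
    }
    no_tls {}
  }

  https_auto_cert {
    http_redirect = true
  }

  # Trust a single host, for WAF processing only, until a fixed date.
  trusted_clients {
    metadata {
      name             = "internal-scanner" # DNS-1035 format
      description_spec = "Scheduled scanner host; review before expiry"
    }

    # One /32 rather than a whole range or an AS number.
    ip_prefix = "198.51.100.17/32"

    # Skip only what is needed; the other SKIP_PROCESSING_* values stay enforced.
    actions = ["SKIP_PROCESSING_WAF"]

    # After this RFC 3339 timestamp the rule remains in config but is not applied.
    expiration_timestamp = "2030-01-31T00:00:00Z"
  }

  waf_exclusion {
    waf_exclusion_inline_rules {
      rules {
        # Match one domain, one path prefix and one method
        # instead of any_domain / any_path / methods = ["ANY"].
        exact_value = "cdn.example.com"
        path_prefix = "/api/v1/upload"
        methods     = ["POST"]

        # Same expiry discipline as the trusted client rule.
        expiration_timestamp = "2030-01-31T00:00:00Z"

        waf_skip_processing {}
      }
    }
  }
}
```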
Common Types
The following type definitions are used throughout this resource. See the full definition here rather than repeated inline.
Object Reference
Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.
| Field | Type | Description |
|---|---|---|
| name | String | Name of the referenced object |
| namespace | String | Namespace containing the referenced object |
| tenant | String | Tenant of the referenced object (system-managed) |
Transformers
Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.
| Value | Description |
|---|---|
| LOWER_CASE | Convert to lowercase |
| UPPER_CASE | Convert to uppercase |
| BASE64_DECODE | Decode base64 content |
| NORMALIZE_PATH | Normalize URL path |
| REMOVE_WHITESPACE | Remove whitespace characters |
| URL_DECODE | Decode URL-encoded characters |
| TRIM_LEFT | Trim leading whitespace |
| TRIM_RIGHT | Trim trailing whitespace |
| TRIM | Trim both leading and trailing whitespace |
HTTP Methods
HTTP methods used for request matching.
| Value | Description |
|---|---|
| ANY | Match any HTTP method |
| GET | HTTP GET request |
| HEAD | HTTP HEAD request |
| POST | HTTP POST request |
| PUT | HTTP PUT request |
| DELETE | HTTP DELETE request |
| CONNECT | HTTP CONNECT request |
| OPTIONS | HTTP OPTIONS request |
| TRACE | HTTP TRACE request |
| PATCH | HTTP PATCH request |
| COPY | HTTP COPY request (WebDAV) |
TLS Fingerprints
TLS fingerprint categories for malicious client detection.
| Value | Description |
|---|---|
| TLS_FINGERPRINT_NONE | No fingerprint matching |
| ANY_MALICIOUS_FINGERPRINT | Match any known malicious fingerprint |
| ADWARE | Adware-associated fingerprints |
| DRIDEX | Dridex malware fingerprints |
| GOOTKIT | Gootkit malware fingerprints |
| RANSOMWARE | Ransomware-associated fingerprints |
| TRICKBOT | Trickbot malware fingerprints |
IP Threat Categories
IP address threat categories for security filtering.
| Value | Description |
|---|---|
| SPAM_SOURCES | Known spam sources |
| WINDOWS_EXPLOITS | Windows exploit sources |
| WEB_ATTACKS | Web attack sources |
| BOTNETS | Known botnet IPs |
| SCANNERS | Network scanner IPs |
| REPUTATION | Poor reputation IPs |
| PHISHING | Phishing-related IPs |
| PROXY | Anonymous proxy IPs |
| MOBILE_THREATS | Mobile threat sources |
| TOR_PROXY | Tor exit nodes |
| DENIAL_OF_SERVICE | DoS attack sources |
| NETWORK | Known bad network ranges |
Import
Import is supported using the following syntax:

```shell
# Import using namespace/name format
terraform import f5xc_cdn_loadbalancer.example system/example
```