f5xc_http_loadbalancer (Resource)
Manages an HTTP Load Balancer resource in F5 Distributed Cloud for load balancing HTTP/HTTPS traffic with advanced routing and security.
~> Note For more information about this resource, please refer to the F5 XC API Documentation.
Example Usage
```hcl
# HTTP Loadbalancer Resource Example
# Manages an HTTP Load Balancer resource in F5 Distributed Cloud for load balancing HTTP/HTTPS traffic with advanced routing and security.

terraform {
  required_version = ">= 1.0"

  required_providers {
    f5xc = {
      source  = "f5xc-salesdemos/f5xc"
      version = ">= 0.1.0"
    }
  }
}

# Basic HTTP Loadbalancer configuration
resource "f5xc_http_loadbalancer" "example" {
  name      = "example-http-loadbalancer"
  namespace = "staging"

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }

  annotations = {
    "owner" = "platform-team"
  }

  // Choice arguments that the Argument Reference documents as blocks are set with an empty block.

  // One of the arguments from this list "advertise_custom advertise_on_public advertise_on_public_default_vip do_not_advertise" must be set
  advertise_on_public_default_vip {}

  // One of the arguments from this list "api_specification disable_api_definition" must be set
  disable_api_definition {}

  // One of the arguments from this list "disable_api_discovery enable_api_discovery" must be set
  enable_api_discovery {
    // One of the arguments from this list "api_discovery_from_code_scan api_discovery_from_discovered_schema api_discovery_from_live_traffic" must be set
    api_discovery_from_live_traffic {}

    discovered_api_settings {
      purge_duration_for_inactive_discovered_apis = "30"
    }

    // One of the arguments from this list "disable_learn_from_redirect_traffic enable_learn_from_redirect_traffic" must be set
    disable_learn_from_redirect_traffic = true
  }

  // One of the arguments from this list "api_testing disable_api_testing" must be set
  disable_api_testing {}

  // One of the arguments from this list "captcha_challenge enable_challenge js_challenge no_challenge policy_based_challenge" must be set
  js_challenge {
    cookie_expiry   = 3600
    custom_page     = ""
    js_script_delay = 5000
  }

  domains = ["app.example.com", "www.example.com"]

  // One of the arguments from this list "cookie_stickiness least_active random ring_hash round_robin source_ip_stickiness" must be set
  round_robin {}

  // One of the arguments from this list "http https https_auto_cert" must be set
  https_auto_cert {
    http_redirect = true
    add_hsts      = true

    // One of the arguments from this list "default_header no_headers server_name" must be set
    default_header {}

    tls_config {
      // One of the arguments from this list "custom_security default_security low_security medium_security" must be set
      default_security {}
    }

    // One of the arguments from this list "no_mtls use_mtls" must be set
    no_mtls {}
  }

  // One of the arguments from this list "disable_malicious_user_detection enable_malicious_user_detection" must be set
  enable_malicious_user_detection {}

  // One of the arguments from this list "disable_malware_protection malware_protection_settings" must be set
  disable_malware_protection {}

  // One of the arguments from this list "api_rate_limit disable_rate_limit rate_limit" must be set
  rate_limit {
    rate_limiter {
      name      = "example-rate-limiter"
      namespace = "staging"
    }
    no_ip_allowed_list {}
  }

  // One of the arguments from this list "default_sensitive_data_policy sensitive_data_policy" must be set
  default_sensitive_data_policy {}

  // One of the arguments from this list "active_service_policies no_service_policies service_policies_from_namespace" must be set
  active_service_policies {
    policies {
      name      = "example-service-policy"
      namespace = "staging"
    }
  }

  // One of the arguments from this list "disable_threat_mesh enable_threat_mesh" must be set
  enable_threat_mesh {}

  // One of the arguments from this list "disable_trust_client_ip_headers enable_trust_client_ip_headers" must be set
  disable_trust_client_ip_headers {}

  // One of the arguments from this list "user_id_client_ip user_identification" must be set
  user_identification {
    name      = "example-user-identification"
    namespace = "staging"
  }

  // One of the arguments from this list "app_firewall disable_waf" must be set
  app_firewall {
    name      = "example-app-firewall"
    namespace = "staging"
  }

  // One of the arguments from this list "bot_defense bot_defense_advanced disable_bot_defense" must be set
  bot_defense {
    policy {
      // One of the arguments from this list "js_download_path js_insert_all_pages js_insert_all_pages_except" must be set
      js_insert_all_pages {
        javascript_location = "AFTER_HEAD"
      }

      // One of the arguments from this list "disable_mobile_sdk enable_mobile_sdk" must be set
      disable_mobile_sdk {}
    }
    regional_endpoint = "US"
    timeout           = 1000
  }

  // Default route pools configuration
  default_route_pools {
    pool {
      name      = "example-origin-pool"
      namespace = "staging"
    }
    weight   = 1
    priority = 1
  }
}

# The following optional fields have server-applied defaults and can be omitted:
# - add_location
# - endpoint_selection
# - loadbalancer_algorithm
# - healthcheck
# - no_tls
# - same_as_endpoint_port
# - default_sensitive_data_policy
# - disable_api_definition
# - disable_api_discovery
# - disable_api_testing
# - disable_malware_protection
# - disable_rate_limit
# - disable_threat_mesh
# - disable_trust_client_ip_headers
# - l7_ddos_protection
# - round_robin
# - service_policies_from_namespace
# - user_id_client_ip
```
Verified Configuration Examples
These configurations are extracted from acceptance tests verified against the live F5 XC API.
Conflict Protocol
```hcl
resource "f5xc_http_loadbalancer" "test" {
  name      = "example"
  namespace = "system"
  domains   = ["test.example.com"]

  # Both http and https_auto_cert are set here; they belong to the same
  # one-of group ("http https https_auto_cert").
  http {
    port = 80
  }

  https_auto_cert {
    add_hsts = false
    no_mtls {}
    default_header {}
    enable_path_normalize {}
    non_default_loadbalancer {}
  }

  advertise_on_public_default_vip {}
}
```
Do Not Advertise
```hcl
resource "f5xc_http_loadbalancer" "test" {
  name      = "example"
  namespace = "system"
  domains   = ["test.example.com"]

  http {
    port = 80
  }

  do_not_advertise {}
}
```
Https Auto Cert
```hcl
resource "f5xc_http_loadbalancer" "test" {
  name      = "example"
  namespace = "system"

  domains = ["test.example.com"]

  https_auto_cert {
    add_hsts = false
    no_mtls {}
    default_header {}
    enable_path_normalize {}
    non_default_loadbalancer {}
  }

  advertise_on_public_default_vip {}
}
```
Ip Reputation
```hcl
resource "f5xc_http_loadbalancer" "test" {
  name      = "example"
  namespace = "system"
  domains   = ["test.example.com"]

  http {
    port = 80
  }

  enable_ip_reputation {}

  advertise_on_public_default_vip {}
}
```
Js Challenge
```hcl
resource "f5xc_http_loadbalancer" "test" {
  name      = "example"
  namespace = "system"
  domains   = ["test.example.com"]

  http {
    port = 80
  }

  js_challenge {
    js_script_delay = 5000
    cookie_expiry   = 3600
  }

  advertise_on_public_default_vip {}
}
```
Labels Update
```hcl
resource "f5xc_http_loadbalancer" "test" {
  name      = "example"
  namespace = "system"

  labels = {
    environment = "example-value"
    managed_by  = "terraform"
  }

  domains = ["test.example.com"]

  http {
    port = 80
  }

  advertise_on_public_default_vip {}
}
```
Least Active
```hcl
resource "f5xc_http_loadbalancer" "test" {
  name      = "example"
  namespace = "system"
  domains   = ["test.example.com"]

  http {
    port = 80
  }

  least_active {}

  advertise_on_public_default_vip {}
}
```
Security Stack
```hcl
resource "f5xc_healthcheck" "test" {
  name      = "example"
  namespace = "system"

  healthy_threshold   = 3
  unhealthy_threshold = 1
  timeout             = 3
  interval            = 15

  http_health_check {
    path        = "/health"
    host_header = "example.com"
  }
}

resource "f5xc_origin_pool" "test" {
  name      = "example"
  namespace = "system"
  port      = 443

  origin_servers {
    labels {}
    public_name {
      dns_name = "example.com"
    }
  }

  healthcheck {
    name      = f5xc_healthcheck.test.name
    namespace = "system"
  }

  no_tls {}
  same_as_endpoint_port {}
}

resource "f5xc_app_firewall" "test" {
  name      = "example"
  namespace = "system"

  default_detection_settings {}
  allow_all_response_codes {}
  blocking {}
  use_default_blocking_page {}
  default_bot_setting {}
  default_anonymization {}
}

resource "f5xc_http_loadbalancer" "test" {
  name      = "example"
  namespace = "system"

  domains = ["test.example.com"]

  http {
    port = 80
  }

  default_route_pools {
    pool {
      name      = f5xc_origin_pool.test.name
      namespace = "system"
    }
    weight   = 1
    priority = 1
  }

  app_firewall {
    name      = f5xc_app_firewall.test.name
    namespace = "system"
  }

  enable_malicious_user_detection {}
  enable_threat_mesh {}

  advertise_on_public_default_vip {}
}
```
Source Ip Stickiness
```hcl
resource "f5xc_http_loadbalancer" "test" {
  name      = "example"
  namespace = "system"
  domains   = ["test.example.com"]

  http {
    port = 80
  }

  source_ip_stickiness {}

  advertise_on_public_default_vip {}
}
```
User Identification
```hcl
resource "f5xc_user_identification" "test" {
  name      = "example"
  namespace = "system"

  rules {
    client_ip {}
  }
}

resource "f5xc_http_loadbalancer" "test" {
  name      = "example"
  namespace = "system"
  domains   = ["test.example.com"]

  http {
    port = 80
  }

  user_identification {
    name      = f5xc_user_identification.test.name
    namespace = "system"
  }

  advertise_on_public_default_vip {}
}
```
With Domains
```hcl
resource "f5xc_http_loadbalancer" "test" {
  name      = "example"
  namespace = "system"

  labels = {
    environment = "test"
  }

  domains = [
    "app.example.com",
    "api.example.com"
  ]

  http {
    port = 80
  }

  advertise_on_public_default_vip {}
}
```
With Labels
```hcl
resource "f5xc_http_loadbalancer" "test" {
  name      = "example"
  namespace = "system"

  labels = {
    environment = "test"
    team        = "platform"
    managed_by  = "terraform"
  }

  domains = ["test.example.com"]

  http {
    port = 80
  }

  advertise_on_public_default_vip {}
}
```
With Origin Pool
```hcl
resource "f5xc_origin_pool" "test" {
  name      = "example"
  namespace = "system"
  port      = 443

  origin_servers {
    labels {}
    public_name {
      dns_name = "example.com"
    }
  }

  no_tls {}
  same_as_endpoint_port {}
}

resource "f5xc_http_loadbalancer" "test" {
  name      = "example"
  namespace = "system"

  domains = ["test.example.com"]

  http {
    port = 80
  }

  default_route_pools {
    pool {
      name      = f5xc_origin_pool.test.name
      namespace = "system"
    }
    weight   = 1
    priority = 1
  }

  advertise_on_public_default_vip {}
}
```
With Rate Limit
```hcl
resource "f5xc_http_loadbalancer" "test" {
  name      = "example"
  namespace = "system"
  domains   = ["test.example.com"]

  http {
    port = 80
  }

  rate_limit {
    rate_limiter {
      total_number     = 100
      unit             = "MINUTE"
      burst_multiplier = 10
    }
    no_ip_allowed_list {}
  }

  advertise_on_public_default_vip {}
}
```
With Waf
```hcl
resource "f5xc_app_firewall" "test" {
  name      = "example"
  namespace = "system"

  default_detection_settings {}
  allow_all_response_codes {}
  blocking {}
  use_default_blocking_page {}
  default_bot_setting {}
  default_anonymization {}
}

resource "f5xc_http_loadbalancer" "test" {
  name      = "example"
  namespace = "system"

  domains = ["test.example.com"]

  http {
    port = 80
  }

  app_firewall {
    name      = f5xc_app_firewall.test.name
    namespace = "system"
  }

  advertise_on_public_default_vip {}
}
```
Argument Reference
🔶 High Risk Operations — Some operations on this resource have a high danger level. Destructive operations may require confirmation.
~> Dependencies — This resource requires: origin_pool.
Minimum Configuration
Required fields:
• name
• namespace
• domains
Example (API format):
```yaml
apiVersion: v1
kind: http_loadbalancer
metadata:
  name: example-app
  namespace: default
spec:
  domains:
    - example.com
  https_auto_cert:
    port: 443
    tls_config:
      default_security: {}
  advertise_on_public_default_vip: {}
  routes:
    - prefix: "/"
      origin_pool:
        pool_name: backend-pool
```
Metadata Argument Reference
• name - Required String
Name of the HTTP Load Balancer. Must be unique within the namespace
• namespace - Required String
Namespace where the HTTP Load Balancer will be created
• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata
• description - Optional String
Human readable description for the object
• disable - Optional Bool
A value of true will administratively disable the object
• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering
Spec Argument Reference
-> One of the following:
• active_service_policies - Optional Block
Configuration parameter for active service policies
See Active Service Policies below for details.
• no_service_policies - Optional Block
Configuration parameter for no service policies
• add_location - Optional Bool Defaults to false
Add Location. X-example: true Appends header x-F5 Distributed Cloud-location = <RE-site-name> in responses. This configuration is ignored on CE sites. Server applies default when omitted
-> One of the following:
• advertise_custom - Optional Block
Defines a way to advertise a VIP on specific sites
See Advertise Custom below for details.
• advertise_on_public - Optional Block
Defines a way to advertise a load balancer on public. If optional public_ip is provided, it will only be advertised on RE sites where that public_ip is available
See Advertise On Public below for details.
• advertise_on_public_default_vip - Optional Block
Enable this option
• api_protection_rules - Optional Block
API Protection Rules. API Protection Rules
See API Protection Rules below for details.
-> One of the following:
• api_rate_limit - Optional Block
APIRateLimit
• disable_rate_limit - Optional Block Defaults to map[]
Configuration parameter for disable rate limit. Server applies default when omitted
-> One of the following:
• api_specification - Optional Block
Settings for API specification (API definition, OpenAPI validation, etc.)
-> One of the following:
• api_testing - Optional Block
API Testing
-> One of the following:
• app_firewall - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
• blocked_clients - Optional Block
Define rules to block IP Prefixes or AS numbers
-> One of the following:
• bot_defense - Optional Block
Defines various configuration options for Bot Defense Policy
• bot_defense_advanced - Optional Block
Configuration parameter for bot defense advanced
-> One of the following:
• caching_policy - Optional Block
Policy configuration for this feature
-> One of the following:
• captcha_challenge - Optional Block
Enables loadbalancer to perform captcha challenge. Captcha challenge will be based on Google reCAPTCHA. With this feature enabled, only clients that pass the captcha challenge will be allowed to complete the HTTP request. When loadbalancer is configured to do Captcha Challenge, it will redirect
• enable_challenge - Optional Block
Configure auto mitigation i.e risk based challenges for malicious users
• js_challenge - Optional Block
Enables loadbalancer to perform client browser compatibility test by redirecting to a page with JavaScript. With this feature enabled, only clients that are capable of executing JavaScript(mostly browsers) will be allowed to complete the HTTP request. When loadbalancer is configured to do
• no_challenge - Optional Block Defaults to map[]
Configuration parameter for no challenge. Server applies default when omitted
-> One of the following:
• client_side_defense - Optional Block
Defines various configuration options for Client-Side Defense Policy
-> One of the following:
• cookie_stickiness - Optional Block
Two types of cookie affinity: 1. Passive. Takes a cookie that’s present in the cookies header and hashes on its value. 2. Generated. Generates and sets a cookie with an expiration (TTL) on the first request from the client in its response to the client, based on the endpoint the request gets
• least_active - Optional Block
Enable this option
• random - Optional Block
Enable this option
• ring_hash - Optional Block
Hash Policy List. List of hash policy rules
• round_robin - Optional Block Defaults to map[]
Configuration parameter for round robin. Server applies default when omitted
• cors_policy - Optional Block
Cross-Origin Resource Sharing requests configuration specified at Virtual-host or Route level. Route level configuration takes precedence. An example of a cross-origin HTTP request: GET /resources/public-data/ HTTP/1.1 Host: bar.other User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5
• csrf_policy - Optional Block
To mitigate CSRF attacks, the policy checks where a request is coming from to determine if the request’s origin is the same as its destination. The policy relies on two pieces of information used in determining if a request originated from the same host. 1. The origin that caused the user agent to
• data_guard_rules - Optional Block
Data Guard prevents responses from exposing sensitive information by masking the data. The system masks credit card numbers and social security numbers leaked from the application from within the HTTP response with a string of asterisks (*)
• ddos_mitigation_rules - Optional Block
Define manual mitigation rules to block L7 DDOS attacks
-> One of the following:
• default_pool - Optional Block
Configuration parameter for default pool
• default_pool_list - Optional Block
Origin Pool List Type. List of Origin Pools
• default_route_pools - Optional Block
Origin Pools used when no route is specified (default route)
-> One of the following:
• default_sensitive_data_policy - Optional Block Defaults to map[]
Policy configuration for this feature. Server applies default when omitted
• disable_api_definition - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted
-> One of the following:
• disable_api_discovery - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted
• disable_api_testing - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted
• disable_bot_defense - Optional Block
Configuration parameter for disable bot defense
• disable_caching - Optional Block
Configuration parameter for disable caching
• disable_client_side_defense - Optional Block
Enable this option
-> One of the following:
• disable_ip_reputation - Optional Block
Enable this option
-> One of the following:
• disable_malicious_user_detection - Optional Block Defaults to map[]
Configuration parameter for disable malicious user detection. Server applies default when omitted
-> One of the following:
• disable_malware_protection - Optional Block Defaults to map[]
Configuration parameter for disable malware protection. Server applies default when omitted
-> One of the following:
• disable_threat_mesh - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted
-> One of the following:
• disable_trust_client_ip_headers - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted
• disable_waf - Optional Block Defaults to map[]
Configuration parameter for disable WAF. Server applies default when omitted
• do_not_advertise - Optional Block
Configuration parameter for do not advertise
• domains - Required List
List of Domains (host/authority header) that will be matched to load balancer. Supported Domains and search order: 1. Exact Domain names: www.example.com. 2
• enable_api_discovery - Optional Block
Specifies the settings used for API discovery
• enable_ip_reputation - Optional Block
IP Threat Category List. List of IP threat categories
• enable_malicious_user_detection - Optional Block
Configuration parameter for enable malicious user detection
• enable_threat_mesh - Optional Block
Enable this option
• enable_trust_client_ip_headers - Optional Block
Trust Client IP Headers List. List of Client IP Headers
• graphql_rules - Optional Block
GraphQL is a query language and server-side runtime for APIs which provides a complete and understandable description of the data in API. GraphQL gives clients the power to ask for exactly what they need, makes it easier to evolve APIs over time, and enables powerful developer tools. Policy
-> One of the following:
• http - Optional Block
HTTP Choice. Choice for selecting HTTP proxy
• https - Optional Block
Choice for selecting HTTP proxy with bring your own certificates
• https_auto_cert - Optional Block
Choice for selecting HTTP proxy with bring your own certificates
• jwt_validation - Optional Block
JWT Validation stops JWT replay attacks and JWT tampering by cryptographically verifying incoming JWTs before they are passed to your API origin. JWT Validation will also stop requests with expired tokens or tokens that are not yet valid
-> One of the following:
• l7_ddos_action_block - Optional Block
Enable this option
• l7_ddos_action_default - Optional Block
Enable this option
• l7_ddos_action_js_challenge - Optional Block
Enables loadbalancer to perform client browser compatibility test by redirecting to a page with JavaScript. With this feature enabled, only clients that are capable of executing JavaScript (mostly browsers) will be allowed to complete the HTTP request. When loadbalancer is configured to do
• l7_ddos_protection - Optional Block Defaults to map[]
L7 DDOS protection is critical for safeguarding web applications, APIs, and services that are exposed to the internet from sophisticated, volumetric, application-level threats. Configure actions, thresholds and policies to apply during L7 DDOS attack. Server applies default when omitted
• malware_protection_settings - Optional Block
Malware Protection protects Web Apps and APIs, from malicious file uploads by scanning files in real-time
• more_option - Optional Block
Defines various options to define a route
-> One of the following:
• multi_lb_app - Optional Block
Configuration parameter for multi LB app
• single_lb_app - Optional Block
Specific settings for Machine learning analysis on this HTTP LB, independently from other LBs
• origin_server_subset_rule_list - Optional Block
Origin Server Subset Rule List Type. List of Origin Pools
• policy_based_challenge - Optional Block
Specifies the settings for policy rule based challenge
• protected_cookies - Optional Block
Allows setting attributes (SameSite, Secure, and HttpOnly) on cookies in responses. Cookie Tampering Protection prevents attackers from modifying the value of session cookies. For Cookie Tampering Protection, enabling a web app firewall (WAF) is a prerequisite
• rate_limit - Optional Block
RateLimitConfigType
• routes - Optional Block
Routes allow users to define match condition on a path and/or HTTP method to either forward matching traffic to origin pool or redirect matching traffic to a different URL or respond directly to matching traffic
• sensitive_data_disclosure_rules - Optional Block
Sensitive Data Exposure Rules allows specifying rules to mask sensitive data fields in API responses
• sensitive_data_policy - Optional Block
Policy configuration for this feature
• service_policies_from_namespace - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted
-> One of the following:
• slow_ddos_mitigation - Optional Block
’Slow and low’ attacks tie up server resources, leaving none available for servicing requests from actual users
• source_ip_stickiness - Optional Block
Enable this option
• system_default_timeouts - Optional Block
Configuration parameter for system default timeouts
• timeouts - Optional Block
• trusted_clients - Optional Block
Define rules to skip processing of one or more features such as WAF, Bot Defense etc
-> One of the following:
• user_id_client_ip - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted
• user_identification - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
• waf_exclusion - Optional Block
Configuration parameter for WAF exclusion
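The one-of groups and server-applied defaults listed above, turned into a pre-apply review check (an added example, not part of the provider or its documentation). It reads `terraform show -json` plan output, assumes a configured block appears as a non-null, non-empty value under `change.after`, and runs on a constructed sample plan; the group labels are names chosen for this example.

```python
"""Review check for f5xc_http_loadbalancer resources in a Terraform plan.

Added example, not provider code. Input is the JSON printed by
`terraform show -json <planfile>`.
"""
import json

RESOURCE_TYPE = "f5xc_http_loadbalancer"

# group -> (one-of members, server default when the group is omitted,
#           members that leave the control inactive).
# Member names and defaults are the ones listed on this page; the group
# labels ("listener", "waf", ...) are hypothetical names for this example.
GROUPS = {
    "listener": (("http", "https", "https_auto_cert"), None, ("http",)),
    "advertise": (("advertise_custom", "advertise_on_public",
                   "advertise_on_public_default_vip", "do_not_advertise"),
                  None, ()),
    "waf": (("app_firewall", "disable_waf"), "disable_waf", ("disable_waf",)),
    "rate_limit": (("api_rate_limit", "disable_rate_limit", "rate_limit"),
                   "disable_rate_limit", ("disable_rate_limit",)),
    "challenge": (("captcha_challenge", "enable_challenge", "js_challenge",
                   "no_challenge", "policy_based_challenge"),
                  "no_challenge", ("no_challenge",)),
    "malicious_user": (("disable_malicious_user_detection",
                        "enable_malicious_user_detection"),
                       "disable_malicious_user_detection",
                       ("disable_malicious_user_detection",)),
    "malware": (("disable_malware_protection", "malware_protection_settings"),
                "disable_malware_protection", ("disable_malware_protection",)),
    "threat_mesh": (("disable_threat_mesh", "enable_threat_mesh"),
                    "disable_threat_mesh", ("disable_threat_mesh",)),
}


def is_set(value):
    """Assumption: a configured block is any non-null, non-empty value
    (object, non-empty list or true); null, [] and false mean 'not set'."""
    return value is not None and value is not False and value != []


def audit_lb(after):
    """Return (kind, group, detail) findings for one planned load balancer."""
    findings = []
    for group, (members, default, inactive) in GROUPS.items():
        chosen = [m for m in members if is_set(after.get(m))]
        if len(chosen) > 1:  # two members of one group, as in "Conflict Protocol"
            findings.append(("conflict", group, "+".join(chosen)))
            continue
        if chosen:
            effective, origin = chosen[0], "explicit"
        elif default:  # omitted: the server fills in the documented default
            effective, origin = default, "server default"
        else:
            findings.append(("unset", group, "no choice and no documented default"))
            continue
        if effective in inactive:
            findings.append(("off", group, f"{effective} ({origin})"))
    return findings


def audit_plan(plan):
    """Map resource address -> findings for every planned HTTP load balancer."""
    report = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        after = (rc.get("change") or {}).get("after")
        if after is None:  # resource is being destroyed
            continue
        report[rc["address"]] = audit_lb(after)
    return report


# Constructed sample plan: "conflict" mirrors the Conflict Protocol example,
# "stack" sets most protections explicitly.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "f5xc_http_loadbalancer.conflict",
   "type": "f5xc_http_loadbalancer",
   "change": {"after": {
     "name": "example", "namespace": "system",
     "domains": ["test.example.com"],
     "http": {"port": 80},
     "https_auto_cert": {"add_hsts": false},
     "advertise_on_public_default_vip": {}}}},
  {"address": "f5xc_http_loadbalancer.stack",
   "type": "f5xc_http_loadbalancer",
   "change": {"after": {
     "name": "example", "namespace": "system",
     "domains": ["test.example.com"],
     "https_auto_cert": {"add_hsts": true},
     "advertise_on_public_default_vip": {},
     "app_firewall": {"name": "example", "namespace": "system"},
     "disable_waf": null,
     "rate_limit": {"rate_limiter": {"total_number": 100, "unit": "MINUTE"}},
     "js_challenge": {"js_script_delay": 5000, "cookie_expiry": 3600},
     "enable_malicious_user_detection": {},
     "enable_threat_mesh": {},
     "malware_protection_settings": null}}},
  {"address": "f5xc_origin_pool.test", "type": "f5xc_origin_pool",
   "change": {"after": {"name": "example", "port": 443}}}
]}
""")

if __name__ == "__main__":
    for address, findings in audit_plan(SAMPLE_PLAN).items():
        for kind, group, detail in findings:
            print(f"{address}: {kind:8} {group:15} {detail}")
```

An `off` finding marked `server default` is the case worth reviewing first: nothing in the configuration mentions the control, so it does not show up in a diff of the HCL.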
Attributes Reference
In addition to all arguments above, the following attributes are exported:
• id - Optional String
Unique identifier for the resource
Active Service Policies
An active_service_policies block supports the following:
• policies - Optional Block
Service Policies is a sequential engine where policies (and rules within the policy) are evaluated one after the other. It’s important to define the correct order (policies evaluated from top to bottom in the list) for service policies, to get the intended result. For each request, its
See Policies below.
Active Service Policies Policies
A policies block (within active_service_policies) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
Advertise Custom
An advertise_custom block supports the following:
• advertise_where - Optional Block
Where should this load balancer be available
See Advertise Where below.
Advertise Custom Advertise Where
An advertise_where block (within advertise_custom) supports the following:
• advertise_on_public - Optional Block
Defines a way to advertise a load balancer on public. If optional public_ip is provided, it will only be advertised on RE sites where that public_ip is available
See Advertise On Public below.
• port - Optional Number
Port to Listen
• port_ranges - Optional String
A string containing a comma separated list of port ranges. Each port range consists of a single port or two ports separated by ’-’
• site - Optional Block
Defines a reference to a CE site along with network type and an optional IP address where a load balancer could be advertised
See Site below.
• use_default_port - Optional Block
Enable this option
• virtual_network - Optional Block
Parameters to advertise on a given virtual network
See Virtual Network below.
• virtual_site - Optional Block
Defines a reference to a customer site virtual site along with network type where a load balancer could be advertised
See Virtual Site below.
• virtual_site_with_vip - Optional Block
Defines a reference to a customer site virtual site along with network type and IP where a load balancer could be advertised
See Virtual Site With VIP below.
• vk8s_service - Optional Block
Defines a reference to a RE site or virtual site where a load balancer could be advertised in the vK8s service network
See Vk8s Service below.
Advertise Custom Advertise Where Advertise On Public
An advertise_on_public block (within advertise_custom.advertise_where) supports the following:
• public_ip - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Public IP below.
Advertise Custom Advertise Where Advertise On Public Public IP
Deeply nested IP block collapsed for readability.
Advertise Custom Advertise Where Site
A site block (within advertise_custom.advertise_where) supports the following:
• ip - Optional String
Use given IP address as VIP on the site
• network - Optional String Defaults to SITE_NETWORK_INSIDE_AND_OUTSIDE
Possible values are SITE_NETWORK_INSIDE_AND_OUTSIDE, SITE_NETWORK_INSIDE, SITE_NETWORK_OUTSIDE, SITE_NETWORK_SERVICE, SITE_NETWORK_OUTSIDE_WITH_INTERNET_VIP, SITE_NETWORK_INSIDE_AND_OUTSIDE_WITH_INTERNET_VIP, SITE_NETWORK_IP_FABRIC
[Enum: SITE_NETWORK_INSIDE_AND_OUTSIDE|SITE_NETWORK_INSIDE|SITE_NETWORK_OUTSIDE|SITE_NETWORK_SERVICE|SITE_NETWORK_OUTSIDE_WITH_INTERNET_VIP|SITE_NETWORK_INSIDE_AND_OUTSIDE_WITH_INTERNET_VIP|SITE_NETWORK_IP_FABRIC] Defines network types to be used on site. All inside and outside networks. All inside and outside networks with internet VIP support. All inside networks
• site - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Site below.
Advertise Custom Advertise Where Site Site
A site block (within advertise_custom.advertise_where.site) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
Advertise Custom Advertise Where Virtual Network
A virtual_network block (within advertise_custom.advertise_where) supports the following:
• default_v6_vip - Optional Block
Enable this option
• default_vip - Optional Block
Enable this option
• specific_v6_vip - Optional String
Use given IPv6 address as VIP on virtual Network
• specific_vip - Optional String
Use given IPv4 address as VIP on virtual Network
• virtual_network - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Virtual Network below.
Advertise Custom Advertise Where Virtual Network Virtual Network
Deeply nested Network block collapsed for readability.
Advertise Custom Advertise Where Virtual Site
A virtual_site block (within advertise_custom.advertise_where) supports the following:
• network - Optional String Defaults to SITE_NETWORK_INSIDE_AND_OUTSIDE
Possible values are SITE_NETWORK_INSIDE_AND_OUTSIDE, SITE_NETWORK_INSIDE, SITE_NETWORK_OUTSIDE, SITE_NETWORK_SERVICE, SITE_NETWORK_OUTSIDE_WITH_INTERNET_VIP, SITE_NETWORK_INSIDE_AND_OUTSIDE_WITH_INTERNET_VIP, SITE_NETWORK_IP_FABRIC
[Enum: SITE_NETWORK_INSIDE_AND_OUTSIDE|SITE_NETWORK_INSIDE|SITE_NETWORK_OUTSIDE|SITE_NETWORK_SERVICE|SITE_NETWORK_OUTSIDE_WITH_INTERNET_VIP|SITE_NETWORK_INSIDE_AND_OUTSIDE_WITH_INTERNET_VIP|SITE_NETWORK_IP_FABRIC] Defines network types to be used on site. All inside and outside networks. All inside and outside networks with internet VIP support. All inside networks
• virtual_site - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Virtual Site below.
Advertise Custom Advertise Where Virtual Site Virtual Site
Deeply nested Site block collapsed for readability.
Advertise Custom Advertise Where Virtual Site With VIP
Deeply nested VIP block collapsed for readability.
Advertise Custom Advertise Where Virtual Site With VIP Virtual Site
Section titled “Advertise Custom Advertise Where Virtual Site With VIP Virtual Site”Deeply nested Site block collapsed for readability.
Advertise Custom Advertise Where Vk8s Service
Section titled “Advertise Custom Advertise Where Vk8s Service”A vk8s_service block (within advertise_custom.advertise_where) supports the following:
• site - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Site below.
• virtual_site - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Virtual Site below.
Advertise Custom Advertise Where Vk8s Service Site
A site block (within advertise_custom.advertise_where.vk8s_service) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
Advertise Custom Advertise Where Vk8s Service Virtual Site
Deeply nested Site block collapsed for readability.
Advertise On Public
An advertise_on_public block supports the following:
• public_ip - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Public IP below.
Advertise On Public Public IP
A public_ip block (within advertise_on_public) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
API Protection Rules
An api_protection_rules block supports the following:
• api_endpoint_rules - Optional Block
Category defines specific rules per API endpoints. If request matches any of these rules, skipping second category rules
See API Endpoint Rules below.
• api_groups_rules - Optional Block
Category includes rules per API group or Server URL. For API groups, refer to API Definition which includes API groups derived from uploaded swaggers
See API Groups Rules below.
API Protection Rules API Endpoint Rules
An api_endpoint_rules block (within api_protection_rules) supports the following:
• action - Optional Block
The action to take if the input request matches the rule
See Action below.
• any_domain - Optional Block
Enable this option
• api_endpoint_method - Optional Block
HTTP method matcher specifies a list of methods to match an input HTTP method. The match is considered successful if the input method is a member of the list. The result of the match based on the method list is inverted if invert_matcher is true
See API Endpoint Method below.
• api_endpoint_path - Optional String
The endpoint (path) of the request
• client_matcher - Optional Block
Client Matcher. Client conditions for matching a rule
See Client Matcher below.
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• request_matcher - Optional Block
Configuration parameter for request matcher
See Request Matcher below.
• specific_domain - Optional String
The rule will apply for a specific domain. For
API Protection Rules API Endpoint Rules Action
An action block (within api_protection_rules.api_endpoint_rules) supports the following:
• allow - Optional Block
Enable this option
• deny - Optional Block
Enable this option
API Protection Rules API Endpoint Rules API Endpoint Method
Deeply nested Method block collapsed for readability.
API Protection Rules API Endpoint Rules Client Matcher
Deeply nested Matcher block collapsed for readability.
API Protection Rules API Endpoint Rules Client Matcher Asn List
Deeply nested List block collapsed for readability.
API Protection Rules API Endpoint Rules Client Matcher Asn Matcher
Deeply nested Matcher block collapsed for readability.
API Protection Rules API Endpoint Rules Client Matcher Asn Matcher Asn Sets
Deeply nested Sets block collapsed for readability.
API Protection Rules API Endpoint Rules Client Matcher Client Selector
Deeply nested Selector block collapsed for readability.
API Protection Rules API Endpoint Rules Client Matcher IP Matcher
Deeply nested Matcher block collapsed for readability.
API Protection Rules API Endpoint Rules Client Matcher IP Matcher Prefix Sets
Deeply nested Sets block collapsed for readability.
API Protection Rules API Endpoint Rules Client Matcher IP Prefix List
Deeply nested List block collapsed for readability.
API Protection Rules API Endpoint Rules Client Matcher IP Threat Category List
Deeply nested List block collapsed for readability.
API Protection Rules API Endpoint Rules Client Matcher TLS Fingerprint Matcher
Deeply nested Matcher block collapsed for readability.
API Protection Rules API Endpoint Rules Metadata
A metadata block (within api_protection_rules.api_endpoint_rules) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
API Protection Rules API Endpoint Rules Request Matcher
Deeply nested Matcher block collapsed for readability.
API Protection Rules API Endpoint Rules Request Matcher Cookie Matchers
Deeply nested Matchers block collapsed for readability.
API Protection Rules API Endpoint Rules Request Matcher Cookie Matchers Item
Deeply nested Item block collapsed for readability.
API Protection Rules API Endpoint Rules Request Matcher Headers
Deeply nested Headers block collapsed for readability.
API Protection Rules API Endpoint Rules Request Matcher Headers Item
Deeply nested Item block collapsed for readability.
API Protection Rules API Endpoint Rules Request Matcher JWT Claims
Deeply nested Claims block collapsed for readability.
API Protection Rules API Endpoint Rules Request Matcher JWT Claims Item
Deeply nested Item block collapsed for readability.
API Protection Rules API Endpoint Rules Request Matcher Query Params
Deeply nested Params block collapsed for readability.
API Protection Rules API Endpoint Rules Request Matcher Query Params Item
Deeply nested Item block collapsed for readability.
API Protection Rules API Groups Rules
An api_groups_rules block (within api_protection_rules) supports the following:
• action - Optional Block
The action to take if the input request matches the rule
See Action below.
• any_domain - Optional Block
Enable this option
• api_group - Optional String
API groups derived from API Definition swaggers. For example oas-all-operations including all paths and methods from the swaggers, oas-base-URLs covering all requests under base-paths from the swaggers. Custom groups can be created if user tags paths or operations with ‘x-F5 Distributed
• base_path - Optional String
Base Path. Prefix of the request path. For example: /v1
• client_matcher - Optional Block
Client Matcher. Client conditions for matching a rule
See Client Matcher below.
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• request_matcher - Optional Block
Configuration parameter for request matcher
See Request Matcher below.
• specific_domain - Optional String
The rule will apply for a specific domain. For
API Protection Rules API Groups Rules Action
An action block (within api_protection_rules.api_groups_rules) supports the following:
• allow - Optional Block
Enable this option
• deny - Optional Block
Enable this option
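The fragment below is an added example, not taken from this page or from the provider's own samples. It shows how the two rule categories interact: a request that matches an endpoint rule skips the group rules, so a narrow deny takes effect ahead of a broader allow. The resource name, domain and paths are constructed, and the resource's other required arguments (see Example Usage) are omitted.

```hcl
# Added example: fragment of an f5xc_http_loadbalancer resource.
# Names, domain and paths are constructed for illustration; the
# resource's other required arguments are omitted from this fragment.
resource "f5xc_http_loadbalancer" "api" {
  name      = "example-api-lb"
  namespace = "staging"

  api_protection_rules {
    # First category: rules per API endpoint. A request that matches
    # one of these skips the second category (api_groups_rules).
    api_endpoint_rules {
      metadata {
        name             = "deny-admin-export" # must follow DNS-1035 format
        description_spec = "Block the export endpoint on the public API domain"
      }

      specific_domain   = "api.example.com"
      api_endpoint_path = "/v1/admin/export"

      # api_endpoint_method, client_matcher and request_matcher are left
      # unset here; their nested arguments are collapsed on this page.

      action {
        deny {}
      }
    }

    # Second category: rules per API group or base path. Evaluated only
    # when no endpoint rule above matched the request.
    api_groups_rules {
      metadata {
        name             = "allow-v1"
        description_spec = "Allow remaining requests under the /v1 base path"
      }

      any_domain {}
      base_path = "/v1"

      action {
        allow {}
      }
    }
  }
}
```

When reviewing a plan, check that every broad allow in api_groups_rules has the endpoint-level denies it depends on in api_endpoint_rules, since removing an endpoint rule silently hands that path to the group rule.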
API Protection Rules API Groups Rules Client Matcher
Deeply nested Matcher block collapsed for readability.
API Protection Rules API Groups Rules Client Matcher Asn List
Deeply nested List block collapsed for readability.
API Protection Rules API Groups Rules Client Matcher Asn Matcher
Deeply nested Matcher block collapsed for readability.
API Protection Rules API Groups Rules Client Matcher Asn Matcher Asn Sets
Deeply nested Sets block collapsed for readability.
API Protection Rules API Groups Rules Client Matcher Client Selector
Deeply nested Selector block collapsed for readability.
API Protection Rules API Groups Rules Client Matcher IP Matcher
Deeply nested Matcher block collapsed for readability.
API Protection Rules API Groups Rules Client Matcher IP Matcher Prefix Sets
Deeply nested Sets block collapsed for readability.
API Protection Rules API Groups Rules Client Matcher IP Prefix List
Deeply nested List block collapsed for readability.
API Protection Rules API Groups Rules Client Matcher IP Threat Category List
Deeply nested List block collapsed for readability.
API Protection Rules API Groups Rules Client Matcher TLS Fingerprint Matcher
Deeply nested Matcher block collapsed for readability.
API Protection Rules API Groups Rules Metadata
A metadata block (within api_protection_rules.api_groups_rules) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
API Protection Rules API Groups Rules Request Matcher
Deeply nested Matcher block collapsed for readability.
API Protection Rules API Groups Rules Request Matcher Cookie Matchers
Deeply nested Matchers block collapsed for readability.
API Protection Rules API Groups Rules Request Matcher Cookie Matchers Item
Deeply nested Item block collapsed for readability.
API Protection Rules API Groups Rules Request Matcher Headers
Deeply nested Headers block collapsed for readability.
API Protection Rules API Groups Rules Request Matcher Headers Item
Deeply nested Item block collapsed for readability.
API Protection Rules API Groups Rules Request Matcher JWT Claims
Deeply nested Claims block collapsed for readability.
API Protection Rules API Groups Rules Request Matcher JWT Claims Item
Deeply nested Item block collapsed for readability.
API Protection Rules API Groups Rules Request Matcher Query Params
Deeply nested Params block collapsed for readability.
API Protection Rules API Groups Rules Request Matcher Query Params Item
Deeply nested Item block collapsed for readability.
API Rate Limit
An api_rate_limit block supports the following:
• api_endpoint_rules - Optional Block
Sets of rules for specific endpoints. Order matters, as a first-match policy is used. To create a rule that covers a whole domain or a group of endpoints, use the server URL rules above
See API Endpoint Rules below.
• bypass_rate_limiting_rules - Optional Block
Category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting
See Bypass Rate Limiting Rules below.
• custom_ip_allowed_list - Optional Block
IP Allowed list using existing ip_prefix_set objects
See Custom IP Allowed List below.
• ip_allowed_list - Optional Block
List of IPv4 prefixes that represent an endpoint
See IP Allowed List below.
• no_ip_allowed_list - Optional Block
Enable this option
• server_url_rules - Optional Block
Set of rules for an entire domain or base path that contains multiple endpoints. Order matters, as a first-match policy is used. To also match specific endpoints, use the API endpoint rules set below
See Server URL Rules below.
API Rate Limit API Endpoint Rules
An api_endpoint_rules block (within api_rate_limit) supports the following:
• any_domain - Optional Block
Enable this option
• api_endpoint_method - Optional Block
HTTP method matcher specifies a list of methods to match an input HTTP method. The match is considered successful if the input method is a member of the list. The result of the match based on the method list is inverted if invert_matcher is true
See API Endpoint Method below.
• api_endpoint_path - Optional String
The endpoint (path) of the request
• client_matcher - Optional Block
Client Matcher. Client conditions for matching a rule
See Client Matcher below.
• inline_rate_limiter - Optional Block
Configuration parameter for inline rate limiter
See Inline Rate Limiter below.
• ref_rate_limiter - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Ref Rate Limiter below.
• request_matcher - Optional Block
Configuration parameter for request matcher
See Request Matcher below.
• specific_domain - Optional String
The rule will apply for a specific domain
API Rate Limit API Endpoint Rules API Endpoint Method
Deeply nested Method block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher Asn List
Deeply nested List block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher Asn Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher Asn Matcher Asn Sets
Deeply nested Sets block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher Client Selector
Deeply nested Selector block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher IP Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher IP Matcher Prefix Sets
Deeply nested Sets block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher IP Prefix List
Deeply nested List block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher IP Threat Category List
Deeply nested List block collapsed for readability.
API Rate Limit API Endpoint Rules Client Matcher TLS Fingerprint Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit API Endpoint Rules Inline Rate Limiter
Deeply nested Limiter block collapsed for readability.
API Rate Limit API Endpoint Rules Inline Rate Limiter Ref User ID
Deeply nested ID block collapsed for readability.
API Rate Limit API Endpoint Rules Ref Rate Limiter
Deeply nested Limiter block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher Cookie Matchers
Deeply nested Matchers block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher Cookie Matchers Item
Deeply nested Item block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher Headers
Deeply nested Headers block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher Headers Item
Deeply nested Item block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher JWT Claims
Deeply nested Claims block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher JWT Claims Item
Deeply nested Item block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher Query Params
Deeply nested Params block collapsed for readability.
API Rate Limit API Endpoint Rules Request Matcher Query Params Item
Deeply nested Item block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules
A bypass_rate_limiting_rules block (within api_rate_limit) supports the following:
• bypass_rate_limiting_rules - Optional Block
Category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting
See Bypass Rate Limiting Rules below.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules
Deeply nested Rules block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules API Endpoint
Deeply nested Endpoint block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules API Groups
Deeply nested Groups block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher Asn List
Deeply nested List block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher Asn Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher Asn Matcher Asn Sets
Deeply nested Sets block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher Client Selector
Deeply nested Selector block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher IP Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher IP Matcher Prefix Sets
Deeply nested Sets block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher IP Prefix List
Deeply nested List block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher IP Threat Category List
Deeply nested List block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Client Matcher TLS Fingerprint Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher Cookie Matchers
Deeply nested Matchers block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher Cookie Matchers Item
Deeply nested Item block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher Headers
Deeply nested Headers block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher Headers Item
Deeply nested Item block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher JWT Claims
Deeply nested Claims block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher JWT Claims Item
Deeply nested Item block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher Query Params
Deeply nested Params block collapsed for readability.
API Rate Limit Bypass Rate Limiting Rules Bypass Rate Limiting Rules Request Matcher Query Params Item
Deeply nested Item block collapsed for readability.
API Rate Limit Custom IP Allowed List
A custom_ip_allowed_list block (within api_rate_limit) supports the following:
• rate_limiter_allowed_prefixes - Optional Block
References to ip_prefix_set objects. Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting
See Rate Limiter Allowed Prefixes below.
API Rate Limit Custom IP Allowed List Rate Limiter Allowed Prefixes
Deeply nested Prefixes block collapsed for readability.
API Rate Limit IP Allowed List
An ip_allowed_list block (within api_rate_limit) supports the following:
• prefixes - Optional List
List of IPv4 prefixes that represent an endpoint
API Rate Limit Server URL Rules
A server_url_rules block (within api_rate_limit) supports the following:
• any_domain - Optional Block
Enable this option
• api_group - Optional String
API groups derived from API Definition swaggers. For example oas-all-operations including all paths and methods from the swaggers, oas-base-URLs covering all requests under base-paths from the swaggers. Custom groups can be created if user tags paths or operations with ‘x-F5 Distributed
• base_path - Optional String
Prefix of the request path
• client_matcher - Optional Block
Client Matcher. Client conditions for matching a rule
See Client Matcher below.
• inline_rate_limiter - Optional Block
Configuration parameter for inline rate limiter
See Inline Rate Limiter below.
• ref_rate_limiter - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Ref Rate Limiter below.
• request_matcher - Optional Block
Configuration parameter for request matcher
See Request Matcher below.
• specific_domain - Optional String
The rule will apply for a specific domain
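The fragment below is an added example, not taken from this page or from the provider's own samples. It illustrates the first-match policy of server_url_rules by placing the narrower base path ahead of the broader one. The names and paths are constructed, the resource's other required arguments are omitted, and the name and namespace arguments inside ref_rate_limiter are an assumption based on the other reference blocks documented on this page, because that block is collapsed here.

```hcl
# Added example: fragment of an f5xc_http_loadbalancer resource.
# Names and paths are constructed; the resource's other required
# arguments are omitted from this fragment.
resource "f5xc_http_loadbalancer" "api" {
  name      = "example-api-lb"
  namespace = "staging"

  api_rate_limit {
    # No source prefixes are exempted from rate limiting.
    no_ip_allowed_list {}

    # Rules are evaluated in order and the first match is used.
    # base_path is a prefix of the request path, so "/v1" also covers
    # "/v1/payments". The narrower rule therefore has to come first.
    server_url_rules {
      any_domain {}
      base_path = "/v1/payments"

      # Assumption: reference blocks take name/namespace (and optionally
      # tenant), as the site and public_ip blocks on this page do.
      # "payments-strict" is a hypothetical rate limiter object.
      ref_rate_limiter {
        name      = "payments-strict"
        namespace = "staging"
      }
    }

    # Broader rule: reached only by requests under /v1 that did not
    # match the rule above. If this block were listed first, requests
    # to /v1/payments would match it and the stricter limiter would
    # never be applied.
    server_url_rules {
      any_domain {}
      base_path = "/v1"

      # "v1-default" is a hypothetical rate limiter object.
      ref_rate_limiter {
        name      = "v1-default"
        namespace = "staging"
      }
    }
  }
}
```

In code review, treat a reordering of server_url_rules or api_endpoint_rules blocks as a behaviour change, not a cosmetic one, because block order decides which limiter a request receives.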
API Rate Limit Server URL Rules Client Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher Asn List
Deeply nested List block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher Asn Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher Asn Matcher Asn Sets
Deeply nested Sets block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher Client Selector
Deeply nested Selector block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher IP Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher IP Matcher Prefix Sets
Deeply nested Sets block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher IP Prefix List
Deeply nested List block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher IP Threat Category List
Deeply nested List block collapsed for readability.
API Rate Limit Server URL Rules Client Matcher TLS Fingerprint Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Server URL Rules Inline Rate Limiter
Deeply nested Limiter block collapsed for readability.
API Rate Limit Server URL Rules Inline Rate Limiter Ref User ID
Deeply nested ID block collapsed for readability.
API Rate Limit Server URL Rules Ref Rate Limiter
Deeply nested Limiter block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher
Deeply nested Matcher block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher Cookie Matchers
Deeply nested Matchers block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher Cookie Matchers Item
Deeply nested Item block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher Headers
Deeply nested Headers block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher Headers Item
Deeply nested Item block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher JWT Claims
Deeply nested Claims block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher JWT Claims Item
Deeply nested Item block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher Query Params
Deeply nested Params block collapsed for readability.
API Rate Limit Server URL Rules Request Matcher Query Params Item
Deeply nested Item block collapsed for readability.
API Specification
An api_specification block supports the following:
• api_definition - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See API Definition below.
• validation_all_spec_endpoints - Optional Block
API Inventory. Settings for API Inventory validation
See Validation All Spec Endpoints below.
• validation_custom_list - Optional Block
Define API groups, base paths, or API endpoints and their OpenAPI validation modes. Any other API-endpoint not listed will act according to ‘Fall Through Mode’
See Validation Custom List below.
• validation_disabled - Optional Block
Enable this option
API Specification API Definition
An api_definition block (within api_specification) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
API Specification Validation All Spec Endpoints
A validation_all_spec_endpoints block (within api_specification) supports the following:
• fall_through_mode - Optional Block
Determine what to do with unprotected endpoints (not in the OpenAPI specification file (a.k.a. Swagger) or doesn’t have a specific rule in custom rules)
See Fall Through Mode below.
• settings - Optional Block
OpenAPI specification validation settings relevant for ‘API Inventory’ enforcement and for ‘Custom list’ enforcement
See Settings below.
• validation_mode - Optional Block
Validation mode of OpenAPI specification. When a validation mismatch occurs on a request to one of the endpoints listed on the OpenAPI specification file (a.k.a. Swagger)
See Validation Mode below.
API Specification Validation All Spec Endpoints Fall Through Mode
Deeply nested Mode block collapsed for readability.
API Specification Validation All Spec Endpoints Fall Through Mode Fall Through Mode Custom
Deeply nested Custom block collapsed for readability.
API Specification Validation All Spec Endpoints Fall Through Mode Fall Through Mode Custom Open API Validation Rules
Deeply nested Rules block collapsed for readability.
API Specification Validation All Spec Endpoints Fall Through Mode Fall Through Mode Custom Open API Validation Rules API Endpoint
Deeply nested Endpoint block collapsed for readability.
API Specification Validation All Spec Endpoints Fall Through Mode Fall Through Mode Custom Open API Validation Rules Metadata
Deeply nested Metadata block collapsed for readability.
API Specification Validation All Spec Endpoints Settings
A settings block (within api_specification.validation_all_spec_endpoints) supports the following:
• oversized_body_fail_validation - Optional Block
Enable this option
• oversized_body_skip_validation - Optional Block
Enable this option
• property_validation_settings_custom - Optional Block
Configuration parameter for property validation settings custom
See Property Validation Settings Custom below.
• property_validation_settings_default - Optional Block
Configuration parameter for property validation settings default
API Specification Validation All Spec Endpoints Settings Property Validation Settings Custom
Deeply nested Custom block collapsed for readability.
API Specification Validation All Spec Endpoints Settings Property Validation Settings Custom Query Parameters
Deeply nested Parameters block collapsed for readability.
API Specification Validation All Spec Endpoints Validation Mode
Deeply nested Mode block collapsed for readability.
API Specification Validation All Spec Endpoints Validation Mode Response Validation Mode Active
Deeply nested Active block collapsed for readability.
API Specification Validation All Spec Endpoints Validation Mode Validation Mode Active
Deeply nested Active block collapsed for readability.
API Specification Validation Custom List
A validation_custom_list block (within api_specification) supports the following:
• fall_through_mode - Optional Block
Determine what to do with unprotected endpoints (not in the OpenAPI specification file (a.k.a. Swagger) or doesn’t have a specific rule in custom rules)
See Fall Through Mode below.
• open_api_validation_rules - Optional Block
Validation List
See Open API Validation Rules below.
• settings - Optional Block
OpenAPI specification validation settings relevant for ‘API Inventory’ enforcement and for ‘Custom list’ enforcement
See Settings below.
API Specification Validation Custom List Fall Through Mode
Deeply nested Mode block collapsed for readability.
API Specification Validation Custom List Fall Through Mode Fall Through Mode Custom
Deeply nested Custom block collapsed for readability.
API Specification Validation Custom List Fall Through Mode Fall Through Mode Custom Open API Validation Rules
Deeply nested Rules block collapsed for readability.
API Specification Validation Custom List Fall Through Mode Fall Through Mode Custom Open API Validation Rules API Endpoint
Deeply nested Endpoint block collapsed for readability.
API Specification Validation Custom List Fall Through Mode Fall Through Mode Custom Open API Validation Rules Metadata
Deeply nested Metadata block collapsed for readability.
API Specification Validation Custom List Open API Validation Rules
Deeply nested Rules block collapsed for readability.
API Specification Validation Custom List Open API Validation Rules API Endpoint
Deeply nested Endpoint block collapsed for readability.
API Specification Validation Custom List Open API Validation Rules Metadata
Deeply nested Metadata block collapsed for readability.
API Specification Validation Custom List Open API Validation Rules Validation Mode
Deeply nested Mode block collapsed for readability.
API Specification Validation Custom List Open API Validation Rules Validation Mode Response Validation Mode Active
Deeply nested Active block collapsed for readability.
API Specification Validation Custom List Open API Validation Rules Validation Mode Validation Mode Active
Deeply nested Active block collapsed for readability.
API Specification Validation Custom List Settings
A settings block (within api_specification.validation_custom_list) supports the following:
• oversized_body_fail_validation - Optional Block
Enable this option
• oversized_body_skip_validation - Optional Block
Enable this option
• property_validation_settings_custom - Optional Block
Configuration parameter for property validation settings custom
See Property Validation Settings Custom below.
• property_validation_settings_default - Optional Block
Configuration parameter for property validation settings default
API Specification Validation Custom List Settings Property Validation Settings Custom
Deeply nested Custom block collapsed for readability.
API Specification Validation Custom List Settings Property Validation Settings Custom Query Parameters
Deeply nested Parameters block collapsed for readability.
API Testing
An api_testing block supports the following:
• custom_header_value - Optional String
Add x-F5-API-testing-identifier header value to prevent security flags on API testing traffic
• domains - Optional Block
Add and configure testing domains and credentials
See Domains below.
• every_day - Optional Block
Enable this option
• every_month - Optional Block
Configuration parameter for every month
• every_week - Optional Block
Enable this option
API Testing Domains
A domains block (within api_testing) supports the following:
• allow_destructive_methods - Optional Bool
Enable to allow API test to execute destructive methods. Be cautious as these can alter or delete data
• credentials - Optional Block
Add credentials for API testing to use in the selected environment
See Credentials below.
• domain - Optional String
Add your testing environment domain. Be aware that running tests on a production domain can impact live applications, as API testing cannot distinguish between production and testing environments
API Testing Domains Credentials
A credentials block (within api_testing.domains) supports the following:
• admin - Optional Block
Enable this option
• api_key - Optional Block
API Key
See API Key below.
• basic_auth - Optional Block
Basic Authentication
See Basic Auth below.
• bearer_token - Optional Block
Configuration parameter for bearer token
See Bearer Token below.
• credential_name - Optional String
Enter a unique name for the credentials used in API testing
• login_endpoint - Optional Block
Login Endpoint
See Login Endpoint below.
• standard - Optional Block
Enable this option
API Testing Domains Credentials API Key
An api_key block (within api_testing.domains.credentials) supports the following:
• key - Optional String
Key
• value - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Value below.
API Testing Domains Credentials API Key Value
A value block (within api_testing.domains.credentials.api_key) supports the following:
• blindfold_secret_info - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.
• clear_secret_info - Optional Block
ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.
API Testing Domains Credentials API Key Value Blindfold Secret Info
Deeply nested Info block collapsed for readability.
API Testing Domains Credentials API Key Value Clear Secret Info
Deeply nested Info block collapsed for readability.
API Testing Domains Credentials Basic Auth
A basic_auth block (within api_testing.domains.credentials) supports the following:
• password - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Password below.
• user - Optional String
User
API Testing Domains Credentials Basic Auth Password
A password block (within api_testing.domains.credentials.basic_auth) supports the following:
• blindfold_secret_info - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.
• clear_secret_info - Optional Block
ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.
API Testing Domains Credentials Basic Auth Password Blindfold Secret Info
Deeply nested Info block collapsed for readability.
API Testing Domains Credentials Basic Auth Password Clear Secret Info
Deeply nested Info block collapsed for readability.
API Testing Domains Credentials Bearer Token
A bearer_token block (within api_testing.domains.credentials) supports the following:
• token - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Token below.
API Testing Domains Credentials Bearer Token Token
A token block (within api_testing.domains.credentials.bearer_token) supports the following:
• blindfold_secret_info - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.
• clear_secret_info - Optional Block
ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.
API Testing Domains Credentials Bearer Token Token Blindfold Secret Info
Deeply nested Info block collapsed for readability.
API Testing Domains Credentials Bearer Token Token Clear Secret Info
Deeply nested Info block collapsed for readability.
API Testing Domains Credentials Login Endpoint
A login_endpoint block (within api_testing.domains.credentials) supports the following:
• json_payload - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See JSON Payload below.
• method - Optional String Defaults to ANY
See HTTP Methods
Specifies the HTTP method used to access a resource. Any HTTP Method
• path - Optional String
Path
• token_response_key - Optional String
Specifies the key name used to extract the authentication token from the login response, such as token or access_token
API Testing Domains Credentials Login Endpoint JSON Payload
Deeply nested Payload block collapsed for readability.
API Testing Domains Credentials Login Endpoint JSON Payload Blindfold Secret Info
Deeply nested Info block collapsed for readability.
API Testing Domains Credentials Login Endpoint JSON Payload Clear Secret Info
Deeply nested Info block collapsed for readability.
App Firewall
An app_firewall block supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
Blocked Clients
A blocked_clients block supports the following:
• actions - Optional List Defaults to SKIP_PROCESSING_WAF
Possible values are SKIP_PROCESSING_WAF, SKIP_PROCESSING_BOT, SKIP_PROCESSING_MUM, SKIP_PROCESSING_IP_REPUTATION, SKIP_PROCESSING_API_PROTECTION, SKIP_PROCESSING_OAS_VALIDATION, SKIP_PROCESSING_DDOS_PROTECTION, SKIP_PROCESSING_THREAT_MESH, SKIP_PROCESSING_MALWARE_PROTECTION
[Enum: SKIP_PROCESSING_WAF|SKIP_PROCESSING_BOT|SKIP_PROCESSING_MUM|SKIP_PROCESSING_IP_REPUTATION|SKIP_PROCESSING_API_PROTECTION|SKIP_PROCESSING_OAS_VALIDATION|SKIP_PROCESSING_DDOS_PROTECTION|SKIP_PROCESSING_THREAT_MESH|SKIP_PROCESSING_MALWARE_PROTECTION] Actions that should be taken when client identifier matches the rule
• as_number - Optional Number
RFC 6793 defined 4-byte AS number
• bot_skip_processing - Optional Block
Enable this option
• expiration_timestamp - Optional String
The RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore
• http_header - Optional Block
Configuration parameter for HTTP header
See HTTP Header below.
• ip_prefix - Optional String
IPv4 prefix string
• ipv6_prefix - Optional String
IPv6 prefix string
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• skip_processing - Optional Block
Enable this option
• user_identifier - Optional String
Identify user based on user identifier. User identifier value needs to be copied from security event
• waf_skip_processing - Optional Block
Enable this option
Blocked Clients HTTP Header
A http_header block (within blocked_clients) supports the following:
• headers - Optional Block
List of HTTP header name and value pairs
See Headers below.
Blocked Clients HTTP Header Headers
A headers block (within blocked_clients.http_header) supports the following:
• exact - Optional String
Header value to match exactly
• invert_match - Optional Bool
Invert the result of the match to detect missing header or non-matching value
• name - Optional String
Name. Name of the header
• presence - Optional Bool
If true, check for presence of header
• regex - Optional String
Regex match of the header value in re2 format
Blocked Clients Metadata
A metadata block (within blocked_clients) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
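An added example (not part of the provider documentation or the provider's code): a Python check over `terraform show -json` output that flags three settings described in the API Testing and Blocked Clients sections above: `allow_destructive_methods` enabled, a credential stored through `clear_secret_info`, and a `blocked_clients` rule whose `expiration_timestamp` has passed and is therefore no longer applied. The finding codes, the constructed sample plan, and the object/list encoding of nested blocks are assumptions.

```python
"""Lint f5xc_http_loadbalancer resources in `terraform show -json` output."""
import json
import sys
from datetime import datetime, timezone

RESOURCE_TYPE = "f5xc_http_loadbalancer"
# Credential block -> nested block holding its secret (names from the schema above).
SECRET_HOLDERS = {"api_key": "value", "basic_auth": "password",
                  "bearer_token": "token", "login_endpoint": "json_payload"}


def blocks(value):
    """Normalize a nested block to a list of dicts.

    Assumption: the JSON encodes a nested block as an object, a list of
    objects, or null/[] when unset, depending on how the provider declares it.
    """
    if isinstance(value, dict):
        return [value]
    if isinstance(value, list):
        return [v for v in value if isinstance(v, dict)]
    return []


def parse_rfc3339(text):
    """Return an aware datetime, or None if the text has no valid time or offset."""
    text = str(text).strip()
    if text[-1:] in ("Z", "z"):
        text = text[:-1] + "+00:00"
    try:
        parsed = datetime.fromisoformat(text)
    except ValueError:
        return None
    return parsed if parsed.tzinfo else None


def iter_resources(module):
    """Yield load balancer resources from a module and its child modules."""
    for res in module.get("resources", []):
        if res.get("type") == RESOURCE_TYPE:
            yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def lint(doc, now=None):
    """Return (address, finding code, attribute path) tuples; codes are hypothetical."""
    now = now or datetime.now(timezone.utc)
    root = (doc.get("planned_values") or doc.get("values") or {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        addr, values = res.get("address", "?"), res.get("values") or {}
        for testing in blocks(values.get("api_testing")):
            for d, dom in enumerate(blocks(testing.get("domains"))):
                where = f"api_testing.domains[{d}]"
                if dom.get("allow_destructive_methods") is True:
                    findings.append((addr, "DESTRUCTIVE_METHODS", where))
                for c, cred in enumerate(blocks(dom.get("credentials"))):
                    for holder, secret in SECRET_HOLDERS.items():
                        for h in blocks(cred.get(holder)):
                            for s in blocks(h.get(secret)):
                                # Present block = secret kept unencrypted in config.
                                if blocks(s.get("clear_secret_info")):
                                    findings.append((addr, "CLEAR_SECRET",
                                        f"{where}.credentials[{c}].{holder}.{secret}"))
        for b, rule in enumerate(blocks(values.get("blocked_clients"))):
            stamp = rule.get("expiration_timestamp")
            if not stamp:
                continue  # no expiry set on this rule
            expires = parse_rfc3339(stamp)
            if expires is None:
                findings.append((addr, "BAD_TIMESTAMP", f"blocked_clients[{b}]"))
            elif expires <= now:
                # Rule still exists in the configuration but is no longer applied.
                findings.append((addr, "EXPIRED_BLOCK_RULE", f"blocked_clients[{b}]"))
    return findings


# Constructed sample; attributes inside the secret-info blocks are elided
# because this page does not list them.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [{
    "address": "f5xc_http_loadbalancer.example",
    "type": "f5xc_http_loadbalancer",
    "values": {
        "api_testing": [{"domains": [{
            "domain": "staging.example.com",
            "allow_destructive_methods": True,
            "credentials": [
                {"credential_name": "basic",
                 "basic_auth": [{"user": "tester",
                                 "password": [{"clear_secret_info": [{}]}]}]},
                {"credential_name": "bearer",
                 "bearer_token": [{"token": [{"blindfold_secret_info": [{}]}]}]},
            ]}]}],
        "blocked_clients": [
            {"ip_prefix": "192.0.2.0/24", "expiration_timestamp": "2024-06-30T00:00:00Z"},
            {"ip_prefix": "198.51.100.7/32", "expiration_timestamp": "2030-01-01T00:00:00+00:00"},
            {"as_number": 64500, "expiration_timestamp": None},
        ]}}]}}}

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for addr, code, path in lint(doc):
        print(f"{addr}: {code} at {path}")
```

Run it with the path to a JSON file produced by `terraform show -json`; with no argument it lints the constructed sample.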
Bot Defense
A bot_defense block supports the following:
• disable_cors_support - Optional Block
Enable this option
• enable_cors_support - Optional Block
Enable this option
• policy - Optional Block
Defines various configuration options for Bot Defense policy
See Policy below.
• regional_endpoint - Optional String Defaults to AUTO
Possible values are AUTO, US, EU, ASIA
[Enum: AUTO|US|EU|ASIA] Defines a selection for Bot Defense region - AUTO: Automatic selection based on client IP address - US: US region - EU: European Union region - ASIA: Asia region
• timeout - Optional Number
The timeout for the inference check, in milliseconds
Bot Defense Policy
A policy block (within bot_defense) supports the following:
• disable_js_insert - Optional Block
Configuration parameter for disable js insert
• disable_mobile_sdk - Optional Block
Enable this option
• JavaScript_mode - Optional String Defaults to ASYNC_JS_NO_CACHING
Possible values are ASYNC_JS_NO_CACHING, ASYNC_JS_CACHING, SYNC_JS_NO_CACHING, SYNC_JS_CACHING
[Enum: ASYNC_JS_NO_CACHING|ASYNC_JS_CACHING|SYNC_JS_NO_CACHING|SYNC_JS_CACHING] Web Client JavaScript Mode. Bot Defense JavaScript for telemetry collection is requested asynchronously, and it is non-cacheable. Bot Defense JavaScript for telemetry collection is requested asynchronously, and it is cacheable. Bot Defense JavaScript for telemetry collection is requested
• js_download_path - Optional String
Customize Bot Defense Client JavaScript path. If not specified, default
• js_insert_all_pages - Optional Block
Insert Bot Defense JavaScript in all pages
See Js Insert All Pages below.
• js_insert_all_pages_except - Optional Block
Insert Bot Defense JavaScript in all pages with the exceptions
See Js Insert All Pages Except below.
• js_insertion_rules - Optional Block
Defines custom JavaScript insertion rules for Bot Defense Policy
See Js Insertion Rules below.
• mobile_sdk_config - Optional Block
Mobile SDK Configuration. Mobile SDK configuration
See Mobile SDK Config below.
• protected_app_endpoints - Optional Block
List of protected endpoints. Limit: Approx ‘128 endpoints per Load Balancer (LB)’ up to 4 LBs, ‘32 endpoints per LB’ after 4 LBs
See Protected App Endpoints below.
Bot Defense Policy Js Insert All Pages
A js_insert_all_pages block (within bot_defense.policy) supports the following:
• JavaScript_location - Optional String Defaults to AFTER_HEAD
Possible values are AFTER_HEAD, AFTER_TITLE_END, BEFORE_SCRIPT
[Enum: AFTER_HEAD|AFTER_TITLE_END|BEFORE_SCRIPT] All inside networks. Insert JavaScript after <HEAD> tag. Insert JavaScript after </title> tag. Insert JavaScript before first <script> tag
Bot Defense Policy Js Insert All Pages Except
Deeply nested Except block collapsed for readability.
Bot Defense Policy Js Insert All Pages Except Exclude List
Deeply nested List block collapsed for readability.
Bot Defense Policy Js Insert All Pages Except Exclude List Domain
Deeply nested Domain block collapsed for readability.
Bot Defense Policy Js Insert All Pages Except Exclude List Metadata
Deeply nested Metadata block collapsed for readability.
Bot Defense Policy Js Insert All Pages Except Exclude List Path
Deeply nested Path block collapsed for readability.
Bot Defense Policy Js Insertion Rules
A js_insertion_rules block (within bot_defense.policy) supports the following:
• exclude_list - Optional Block
Optional JavaScript insertions exclude list of domain and path matchers
See Exclude List below.
• rules - Optional Block
Required list of pages to insert Bot Defense client JavaScript
See Rules below.
Bot Defense Policy Js Insertion Rules Exclude List
Deeply nested List block collapsed for readability.
Bot Defense Policy Js Insertion Rules Exclude List Domain
Deeply nested Domain block collapsed for readability.
Bot Defense Policy Js Insertion Rules Exclude List Metadata
Deeply nested Metadata block collapsed for readability.
Bot Defense Policy Js Insertion Rules Exclude List Path
Deeply nested Path block collapsed for readability.
Bot Defense Policy Js Insertion Rules Rules
A rules block (within bot_defense.policy.js_insertion_rules) supports the following:
• any_domain - Optional Block
Enable this option
• domain - Optional Block
Domain name for routing and identification
See Domain below.
• JavaScript_location - Optional String Defaults to AFTER_HEAD
Possible values are AFTER_HEAD, AFTER_TITLE_END, BEFORE_SCRIPT
[Enum: AFTER_HEAD|AFTER_TITLE_END|BEFORE_SCRIPT] All inside networks. Insert JavaScript after <HEAD> tag. Insert JavaScript after </title> tag. Insert JavaScript before first <script> tag
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• path - Optional Block
Path match of the URI can be a prefix match, an exact match, or a regular expression match
See Path below.
Bot Defense Policy Js Insertion Rules Rules Domain
Deeply nested Domain block collapsed for readability.
Bot Defense Policy Js Insertion Rules Rules Metadata
Deeply nested Metadata block collapsed for readability.
Bot Defense Policy Js Insertion Rules Rules Path
Deeply nested Path block collapsed for readability.
Bot Defense Policy Mobile SDK Config
A mobile_sdk_config block (within bot_defense.policy) supports the following:
• mobile_identifier - Optional Block
Mobile Traffic Identifier. Mobile traffic identifier type
See Mobile Identifier below.
Bot Defense Policy Mobile SDK Config Mobile Identifier
Deeply nested Identifier block collapsed for readability.
Bot Defense Policy Mobile SDK Config Mobile Identifier Headers
Deeply nested Headers block collapsed for readability.
Bot Defense Policy Mobile SDK Config Mobile Identifier Headers Item
Deeply nested Item block collapsed for readability.
Bot Defense Policy Protected App Endpoints
A protected_app_endpoints block (within bot_defense.policy) supports the following:
• allow_good_bots - Optional Block
Configuration parameter for allow good bots
• any_domain - Optional Block
Enable this option
• domain - Optional Block
Domain name for routing and identification
See Domain below.
• flow_label - Optional Block
Bot Defense Flow Label Category allows to associate traffic with selected category
See Flow Label below.
• headers - Optional Block
List of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type
See Headers below.
• http_methods - Optional List Defaults to METHOD_ANY
Possible values are METHOD_ANY, METHOD_GET, METHOD_POST, METHOD_PUT, METHOD_PATCH, METHOD_DELETE, METHOD_GET_DOCUMENT
[Enum: METHOD_ANY|METHOD_GET|METHOD_POST|METHOD_PUT|METHOD_PATCH|METHOD_DELETE|METHOD_GET_DOCUMENT] HTTP Methods. List of HTTP methods
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• mitigate_good_bots - Optional Block
Configuration parameter for mitigate good bots
• mitigation - Optional Block
Modify Bot Defense behavior for a matching request
See Mitigation below.
• mobile - Optional Block
Enable this option
• path - Optional Block
Path match of the URI can be a prefix match, an exact match, or a regular expression match
See Path below.
• protocol - Optional String Defaults to BOTH
Possible values are BOTH, HTTP, HTTPS
[Enum: BOTH|HTTP|HTTPS] SchemeType is used to indicate URL scheme. - BOTH: BOTH URL scheme for HTTPS:// or HTTP://. - HTTP: HTTP URL scheme HTTP:// only. - HTTPS: HTTPS URL scheme HTTPS:// only
• query_params - Optional Block
List of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query
See Query Params below.
• undefined_flow_label - Optional Block
Enable this option
• web - Optional Block
Enable this option
• web_mobile - Optional Block
Web and Mobile traffic type
See Web Mobile below.
Bot Defense Policy Protected App Endpoints Domain
A domain block (within bot_defense.policy.protected_app_endpoints) supports the following:
• exact_value - Optional String
Exact domain name
• regex_value - Optional String
Regular Expression value for the domain name
• suffix_value - Optional String
Suffix of domain name, e.g. ‘xyz.com’ will match ‘*.xyz.com’ and ‘xyz.com’
Bot Defense Policy Protected App Endpoints Flow Label
Deeply nested Label block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Account Management
Deeply nested Management block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Authentication
Deeply nested Authentication block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Authentication Login
Deeply nested Login block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Authentication Login Transaction Result
Deeply nested Result block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Authentication Login Transaction Result Failure Conditions
Deeply nested Conditions block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Authentication Login Transaction Result Success Conditions
Deeply nested Conditions block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Financial Services
Deeply nested Services block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Flight
Deeply nested Flight block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Profile Management
Deeply nested Management block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Search
Deeply nested Search block collapsed for readability.
Bot Defense Policy Protected App Endpoints Flow Label Shopping Gift Cards
Deeply nested Cards block collapsed for readability.
Bot Defense Policy Protected App Endpoints Headers
A headers block (within bot_defense.policy.protected_app_endpoints) supports the following:
• check_not_present - Optional Block
Configuration parameter for check not present
• check_present - Optional Block
Configuration parameter for check present
• invert_matcher - Optional Bool
Invert Header Matcher. Invert the match result
• item - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Item below.
• name - Optional String
Case-insensitive HTTP header name
Bot Defense Policy Protected App Endpoints Headers Item
Deeply nested Item block collapsed for readability.
Bot Defense Policy Protected App Endpoints Metadata
A metadata block (within bot_defense.policy.protected_app_endpoints) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
Bot Defense Policy Protected App Endpoints Mitigation
A mitigation block (within bot_defense.policy.protected_app_endpoints) supports the following:
• block - Optional Block
Block request and respond with custom content
See Block below.
• flag - Optional Block
Flag mitigation action
See Flag below.
• none - Optional Block
Enable this option
• redirect - Optional Block
Redirect request to a custom URI
See Redirect below.
Bot Defense Policy Protected App Endpoints Mitigation Block
Deeply nested Block block collapsed for readability.
Bot Defense Policy Protected App Endpoints Mitigation Flag
Deeply nested Flag block collapsed for readability.
Bot Defense Policy Protected App Endpoints Mitigation Flag Append Headers
Deeply nested Headers block collapsed for readability.
Bot Defense Policy Protected App Endpoints Mitigation Redirect
Deeply nested Redirect block collapsed for readability.
Bot Defense Policy Protected App Endpoints Path
A path block (within bot_defense.policy.protected_app_endpoints) supports the following:
• path - Optional String
Exact path value to match
• prefix - Optional String
Path prefix to match (e.g. the value / will match on all paths)
• regex - Optional String
Regular expression of path match (e.g. the value .* will match on all paths)
Bot Defense Policy Protected App Endpoints Query Params
Deeply nested Params block collapsed for readability.
Bot Defense Policy Protected App Endpoints Query Params Item
Deeply nested Item block collapsed for readability.
Bot Defense Policy Protected App Endpoints Web Mobile
Deeply nested Mobile block collapsed for readability.
Bot Defense Advanced
A bot_defense_advanced block supports the following:
• disable_js_insert - Optional Block
Configuration parameter for disable js insert
• disable_mobile_sdk - Optional Block
Enable this option
• js_insert_all_pages - Optional Block
Insert Bot Defense JavaScript in all pages
See Js Insert All Pages below.
• js_insert_all_pages_except - Optional Block
Insert Bot Defense JavaScript in all pages with the exceptions
See Js Insert All Pages Except below.
• js_insertion_rules - Optional Block
Defines custom JavaScript insertion rules for Bot Defense Policy
See Js Insertion Rules below.
• mobile - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Mobile below.
• mobile_sdk_config - Optional Block
Mobile Request Identifier Headers
See Mobile SDK Config below.
• web - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Web below.
Bot Defense Advanced Js Insert All Pages
A js_insert_all_pages block (within bot_defense_advanced) supports the following:
• javascript_location - Optional String Defaults to AFTER_HEAD
Possible values are AFTER_HEAD, AFTER_TITLE_END, BEFORE_SCRIPT
[Enum: AFTER_HEAD|AFTER_TITLE_END|BEFORE_SCRIPT] All inside networks. Insert JavaScript after <HEAD> tag. Insert JavaScript after </title> tag. Insert JavaScript before first <script> tag
Bot Defense Advanced Js Insert All Pages Except
Deeply nested Except block collapsed for readability.
Bot Defense Advanced Js Insert All Pages Except Exclude List
Deeply nested List block collapsed for readability.
Bot Defense Advanced Js Insert All Pages Except Exclude List Domain
Deeply nested Domain block collapsed for readability.
Bot Defense Advanced Js Insert All Pages Except Exclude List Metadata
Deeply nested Metadata block collapsed for readability.
Bot Defense Advanced Js Insert All Pages Except Exclude List Path
Deeply nested Path block collapsed for readability.
Bot Defense Advanced Js Insertion Rules
A js_insertion_rules block (within bot_defense_advanced) supports the following:
• exclude_list - Optional Block
Optional JavaScript insertions exclude list of domain and path matchers
See Exclude List below.
• rules - Optional Block
Required list of pages to insert Bot Defense client JavaScript
See Rules below.
Bot Defense Advanced Js Insertion Rules Exclude List
Deeply nested List block collapsed for readability.
Bot Defense Advanced Js Insertion Rules Exclude List Domain
Deeply nested Domain block collapsed for readability.
Bot Defense Advanced Js Insertion Rules Exclude List Metadata
Deeply nested Metadata block collapsed for readability.
Bot Defense Advanced Js Insertion Rules Exclude List Path
Deeply nested Path block collapsed for readability.
Bot Defense Advanced Js Insertion Rules Rules
A rules block (within bot_defense_advanced.js_insertion_rules) supports the following:
• any_domain - Optional Block
Enable this option
• domain - Optional Block
Domain name for routing and identification
See Domain below.
• javascript_location - Optional String Defaults to AFTER_HEAD
Possible values are AFTER_HEAD, AFTER_TITLE_END, BEFORE_SCRIPT
[Enum: AFTER_HEAD|AFTER_TITLE_END|BEFORE_SCRIPT] All inside networks. Insert JavaScript after <HEAD> tag. Insert JavaScript after </title> tag. Insert JavaScript before first <script> tag
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• path - Optional Block
Path match of the URI can be a prefix match, an exact match, or a regular expression match
See Path below.
Bot Defense Advanced Js Insertion Rules Rules Domain
Deeply nested Domain block collapsed for readability.
Bot Defense Advanced Js Insertion Rules Rules Metadata
Deeply nested Metadata block collapsed for readability.
Bot Defense Advanced Js Insertion Rules Rules Path
Deeply nested Path block collapsed for readability.
Bot Defense Advanced Mobile
A mobile block (within bot_defense_advanced) supports the following:
• name - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. route’s) name
• namespace - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. route’s) namespace
• tenant - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. route’s) tenant
Bot Defense Advanced Mobile SDK Config
A mobile_sdk_config block (within bot_defense_advanced) supports the following:
• mobile_identifier - Optional Block
Mobile Traffic Identifier. Mobile traffic identifier type
See Mobile Identifier below.
Bot Defense Advanced Mobile SDK Config Mobile Identifier
Deeply nested Identifier block collapsed for readability.
Bot Defense Advanced Mobile SDK Config Mobile Identifier Headers
Deeply nested Headers block collapsed for readability.
Bot Defense Advanced Mobile SDK Config Mobile Identifier Headers Item
Deeply nested Item block collapsed for readability.
Bot Defense Advanced Web
A web block (within bot_defense_advanced) supports the following:
• name - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. route’s) name
• namespace - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. route’s) namespace
• tenant - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. route’s) tenant
Caching Policy
A caching_policy block supports the following:
• custom_cache_rule - Optional Block
Custom Cache Rules. Caching policies for CDN
See Custom Cache Rule below.
• default_cache_action - Optional Block
Default Cache Behaviour. This defines a Default Cache Action
See Default Cache Action below.
Caching Policy Custom Cache Rule
A custom_cache_rule block (within caching_policy) supports the following:
• cdn_cache_rules - Optional Block
Reference to CDN Cache Rule configuration object
See CDN Cache Rules below.
Caching Policy Custom Cache Rule CDN Cache Rules
Deeply nested Rules block collapsed for readability.
Caching Policy Default Cache Action
A default_cache_action block (within caching_policy) supports the following:
• cache_disabled - Optional Block
Enable this option
• cache_ttl_default - Optional String
Use the cache TTL provided by the origin, and set a contingency TTL value in case one is not provided
• cache_ttl_override - Optional String
Always override the Cache TTL provided by Origin
Captcha Challenge
A captcha_challenge block supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. Currently the only supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
Client-Side Defense
A client_side_defense block supports the following:
• policy - Optional Block
Defines various configuration options for Client-Side Defense policy
See Policy below.
Client-Side Defense Policy
A policy block (within client_side_defense) supports the following:
• disable_js_insert - Optional Block
Configuration parameter for disable js insert
• js_insert_all_pages - Optional Block
Configuration parameter for js insert all pages
• js_insert_all_pages_except - Optional Block
Insert Client-Side Defense JavaScript in all pages with the exceptions
See Js Insert All Pages Except below.
• js_insertion_rules - Optional Block
Defines custom JavaScript insertion rules for Client-Side Defense Policy
See Js Insertion Rules below.
Client-Side Defense Policy Js Insert All Pages Except
Deeply nested Except block collapsed for readability.
Client-Side Defense Policy Js Insert All Pages Except Exclude List
Deeply nested List block collapsed for readability.
Client-Side Defense Policy Js Insert All Pages Except Exclude List Domain
Deeply nested Domain block collapsed for readability.
Client-Side Defense Policy Js Insert All Pages Except Exclude List Metadata
Deeply nested Metadata block collapsed for readability.
Client-Side Defense Policy Js Insert All Pages Except Exclude List Path
Deeply nested Path block collapsed for readability.
Client-Side Defense Policy Js Insertion Rules
A js_insertion_rules block (within client_side_defense.policy) supports the following:
• exclude_list - Optional Block
Optional JavaScript insertions exclude list of domain and path matchers
See Exclude List below.
• rules - Optional Block
Required list of pages to insert Client-Side Defense client JavaScript
See Rules below.
Client-Side Defense Policy Js Insertion Rules Exclude List
Deeply nested List block collapsed for readability.
Client-Side Defense Policy Js Insertion Rules Exclude List Domain
Deeply nested Domain block collapsed for readability.
Client-Side Defense Policy Js Insertion Rules Exclude List Metadata
Deeply nested Metadata block collapsed for readability.
Client-Side Defense Policy Js Insertion Rules Exclude List Path
Deeply nested Path block collapsed for readability.
Client-Side Defense Policy Js Insertion Rules Rules
Deeply nested Rules block collapsed for readability.
Client-Side Defense Policy Js Insertion Rules Rules Domain
Deeply nested Domain block collapsed for readability.
Client-Side Defense Policy Js Insertion Rules Rules Metadata
Deeply nested Metadata block collapsed for readability.
Client-Side Defense Policy Js Insertion Rules Rules Path
Deeply nested Path block collapsed for readability.
Cookie Stickiness
A cookie_stickiness block supports the following:
• add_httponly - Optional Block
Configuration parameter for add httponly
• add_secure - Optional Block
Enable this option
• ignore_httponly - Optional Block
Configuration parameter for ignore httponly
• ignore_samesite - Optional Block
Enable this option
• ignore_secure - Optional Block
Enable this option
• name - Optional String
The name of the cookie that will be used to obtain the hash key. If the cookie is not present and TTL below is not set, no hash will be produced
• path - Optional String
The name of the path for the cookie. If no path is specified here, no path will be set for the cookie
• samesite_lax - Optional Block
Enable this option
• samesite_none - Optional Block
Enable this option
• samesite_strict - Optional Block
Enable this option
• ttl - Optional Number
If specified, a cookie with the TTL will be generated if the cookie is not present. If the TTL is present and zero, the generated cookie will be a session cookie. TTL value is in milliseconds
CORS Policy
A cors_policy block supports the following:
• allow_credentials - Optional Bool
Specifies whether the resource allows credentials
• allow_headers - Optional String
Specifies the content for the access-control-allow-headers header
• allow_methods - Optional String
Specifies the content for the access-control-allow-methods header
• allow_origin - Optional List
Specifies the origins that will be allowed to do CORS requests. An origin is allowed if either allow_origin or allow_origin_regex match
• allow_origin_regex - Optional List
Specifies regex patterns that match allowed origins. An origin is allowed if either allow_origin or allow_origin_regex match
• disabled - Optional Bool
Disable the CorsPolicy for a particular route. This is useful when virtual-host has CorsPolicy, but we need to disable it on a specific route. The value of this field is ignored for virtual-host
• expose_headers - Optional String
Specifies the content for the access-control-expose-headers header
• maximum_age - Optional Number
Specifies the content for the access-control-max-age header in seconds. This indicates the maximum number of seconds the results can be cached. A value of -1 will disable caching. Maximum permitted value is 86400 seconds (24 hours)
CSRF Policy
A csrf_policy block supports the following:
• all_load_balancer_domains - Optional Block
Configuration parameter for all load balancer domains
• custom_domain_list - Optional Block
List of domain names used for Host header matching
See Custom Domain List below.
• disabled - Optional Block
Enable this option
CSRF Policy Custom Domain List
A custom_domain_list block (within csrf_policy) supports the following:
• domains - Optional List
List of domain names that will be matched to loadbalancer. These domains are not used for SNI match. Wildcard names are supported in the suffix or prefix form
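The following fragment is an added example, not taken from the provider documentation: it combines the cookie_stickiness, cors_policy and csrf_policy arguments listed above into one restrictive configuration for the body of an f5xc_http_loadbalancer resource. All hostnames, the cookie name and the numeric values are constructed, and it assumes that allow_origin entries are compared against the full Origin header and that only one flag is set from each add_*/ignore_* and samesite_* group.

```hcl
# Added example: fragment for the body of an f5xc_http_loadbalancer resource.
# Hostnames, cookie name and numeric values are constructed for illustration.

# Affinity cookie restricted to TLS, hidden from page scripts and
# not attached to cross-site requests.
cookie_stickiness {
  name = "lb-affinity" # constructed cookie name
  path = "/"
  ttl  = 3600000 # milliseconds (1 hour); cookie is generated when absent

  add_secure {}
  add_httponly {}
  samesite_strict {}
}

# Credentialed CORS limited to named origins.
cors_policy {
  allow_credentials = true
  allow_origin      = ["https://app.example.com"]

  # An origin is allowed if EITHER allow_origin or allow_origin_regex matches,
  # so the regex has to be as tight as the exact list: anchored at both ends,
  # literal dots escaped, no catch-all such as ".*".
  allow_origin_regex = ["^https://[a-z0-9-]+\\.app\\.example\\.com$"]

  allow_methods = "GET, POST"
  allow_headers = "content-type, authorization"
  maximum_age   = 600 # seconds; the documented maximum is 86400
}

# CSRF policy enabled with an explicit domain list instead of "disabled".
csrf_policy {
  custom_domain_list {
    domains = ["app.example.com", "admin.app.example.com"]
  }
}
```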
Data Guard Rules
A data_guard_rules block supports the following:
• any_domain - Optional Block
Enable this option
• apply_data_guard - Optional Block
Enable this option
• exact_value - Optional String
Exact domain name
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• path - Optional Block
Path match of the URI can be a prefix match, an exact match, or a regular expression match
See Path below.
• skip_data_guard - Optional Block
Enable this option
• suffix_value - Optional String
Suffix of domain name, e.g. ‘xyz.com’ will match ‘*.xyz.com’ and ‘xyz.com’
Data Guard Rules Metadata
A metadata block (within data_guard_rules) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
Data Guard Rules Path
A path block (within data_guard_rules) supports the following:
• path - Optional String
Exact path value to match
• prefix - Optional String
Path prefix to match (e.g. the value / will match on all paths)
• regex - Optional String
Regular expression of path match (e.g. the value .* will match on all paths)
DDOS Mitigation Rules
A ddos_mitigation_rules block supports the following:
• block - Optional Block
Enable this option
• ddos_client_source - Optional Block
DDOS Client Source Choice. DDOS Mitigation sources to be blocked
See DDOS Client Source below.
• expiration_timestamp - Optional String
Specifies the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is no longer applied
• ip_prefix_list - Optional Block
List of IP Prefix strings to match against
See IP Prefix List below.
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
DDOS Mitigation Rules DDOS Client Source
A ddos_client_source block (within ddos_mitigation_rules) supports the following:
• asn_list - Optional Block
Unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer
See Asn List below.
• country_list - Optional List Defaults to COUNTRY_NONE
Possible values are COUNTRY_NONE, COUNTRY_AD, COUNTRY_AE, COUNTRY_AF, COUNTRY_AG, COUNTRY_AI, COUNTRY_AL, COUNTRY_AM, COUNTRY_AN, COUNTRY_AO, COUNTRY_AQ, COUNTRY_AR, COUNTRY_AS, COUNTRY_AT, COUNTRY_AU, COUNTRY_AW, COUNTRY_AX, COUNTRY_AZ, COUNTRY_BA,
COUNTRY_BB, COUNTRY_BD, COUNTRY_BE, COUNTRY_BF, COUNTRY_BG, COUNTRY_BH, COUNTRY_BI, COUNTRY_BJ, COUNTRY_BL, COUNTRY_BM, COUNTRY_BN, COUNTRY_BO, COUNTRY_BQ, COUNTRY_BR, COUNTRY_BS, COUNTRY_BT, COUNTRY_BV, COUNTRY_BW, COUNTRY_BY, COUNTRY_BZ, COUNTRY_CA, COUNTRY_CC, COUNTRY_CD, COUNTRY_CF, COUNTRY_CG, COUNTRY_CH, COUNTRY_CI, COUNTRY_CK,
COUNTRY_CL, COUNTRY_CM, COUNTRY_CN, COUNTRY_CO, COUNTRY_CR, COUNTRY_CS, COUNTRY_CU, COUNTRY_CV, COUNTRY_CW, COUNTRY_CX, COUNTRY_CY, COUNTRY_CZ, COUNTRY_DE, COUNTRY_DJ, COUNTRY_DK, COUNTRY_DM, COUNTRY_DO, COUNTRY_DZ, COUNTRY_EC, COUNTRY_EE, COUNTRY_EG, COUNTRY_EH, COUNTRY_ER, COUNTRY_ES, COUNTRY_ET, COUNTRY_FI, COUNTRY_FJ, COUNTRY_FK,
COUNTRY_FM, COUNTRY_FO, COUNTRY_FR, COUNTRY_GA, COUNTRY_GB, COUNTRY_GD, COUNTRY_GE, COUNTRY_GF, COUNTRY_GG, COUNTRY_GH, COUNTRY_GI, COUNTRY_GL, COUNTRY_GM, COUNTRY_GN, COUNTRY_GP, COUNTRY_GQ, COUNTRY_GR, COUNTRY_GS, COUNTRY_GT, COUNTRY_GU, COUNTRY_GW, COUNTRY_GY, COUNTRY_HK, COUNTRY_HM, COUNTRY_HN, COUNTRY_HR, COUNTRY_HT, COUNTRY_HU,
COUNTRY_ID, COUNTRY_IE, COUNTRY_IL, COUNTRY_IM, COUNTRY_IN, COUNTRY_IO, COUNTRY_IQ, COUNTRY_IR, COUNTRY_IS, COUNTRY_IT, COUNTRY_JE, COUNTRY_JM, COUNTRY_JO, COUNTRY_JP, COUNTRY_KE, COUNTRY_KG, COUNTRY_KH, COUNTRY_KI, COUNTRY_KM, COUNTRY_KN, COUNTRY_KP, COUNTRY_KR, COUNTRY_KW, COUNTRY_KY, COUNTRY_KZ, COUNTRY_LA, COUNTRY_LB, COUNTRY_LC,
COUNTRY_LI, COUNTRY_LK, COUNTRY_LR, COUNTRY_LS, COUNTRY_LT, COUNTRY_LU, COUNTRY_LV, COUNTRY_LY, COUNTRY_MA, COUNTRY_MC, COUNTRY_MD, COUNTRY_ME, COUNTRY_MF, COUNTRY_MG, COUNTRY_MH, COUNTRY_MK, COUNTRY_ML, COUNTRY_MM, COUNTRY_MN, COUNTRY_MO, COUNTRY_MP, COUNTRY_MQ, COUNTRY_MR, COUNTRY_MS, COUNTRY_MT, COUNTRY_MU, COUNTRY_MV, COUNTRY_MW,
COUNTRY_MX, COUNTRY_MY, COUNTRY_MZ, COUNTRY_NA, COUNTRY_NC, COUNTRY_NE, COUNTRY_NF, COUNTRY_NG, COUNTRY_NI, COUNTRY_NL, COUNTRY_NO, COUNTRY_NP, COUNTRY_NR, COUNTRY_NU, COUNTRY_NZ, COUNTRY_OM, COUNTRY_PA, COUNTRY_PE, COUNTRY_PF, COUNTRY_PG, COUNTRY_PH, COUNTRY_PK, COUNTRY_PL, COUNTRY_PM, COUNTRY_PN, COUNTRY_PR, COUNTRY_PS, COUNTRY_PT,
COUNTRY_PW, COUNTRY_PY, COUNTRY_QA, COUNTRY_RE, COUNTRY_RO, COUNTRY_RS, COUNTRY_RU, COUNTRY_RW, COUNTRY_SA, COUNTRY_SB, COUNTRY_SC, COUNTRY_SD, COUNTRY_SE, COUNTRY_SG, COUNTRY_SH, COUNTRY_SI, COUNTRY_SJ, COUNTRY_SK, COUNTRY_SL, COUNTRY_SM, COUNTRY_SN, COUNTRY_SO, COUNTRY_SR, COUNTRY_SS, COUNTRY_ST, COUNTRY_SV, COUNTRY_SX, COUNTRY_SY,
COUNTRY_SZ, COUNTRY_TC, COUNTRY_TD, COUNTRY_TF, COUNTRY_TG, COUNTRY_TH, COUNTRY_TJ, COUNTRY_TK, COUNTRY_TL, COUNTRY_TM, COUNTRY_TN, COUNTRY_TO, COUNTRY_TR, COUNTRY_TT, COUNTRY_TV, COUNTRY_TW, COUNTRY_TZ, COUNTRY_UA, COUNTRY_UG, COUNTRY_UM, COUNTRY_US, COUNTRY_UY, COUNTRY_UZ, COUNTRY_VA, COUNTRY_VC, COUNTRY_VE, COUNTRY_VG, COUNTRY_VI,
COUNTRY_VN, COUNTRY_VU, COUNTRY_WF, COUNTRY_WS, COUNTRY_XK, COUNTRY_XT, COUNTRY_YE, COUNTRY_YT, COUNTRY_ZA, COUNTRY_ZM, COUNTRY_ZW
Sources that are located in one of the countries in the given list
• ja4_tls_fingerprint_matcher - Optional Block
Extended version of JA3 that includes additional fields for more comprehensive fingerprinting of SSL/TLS clients and potentially has a different structure and length
See Ja4 TLS Fingerprint Matcher below.
• tls_fingerprint_matcher - Optional Block
TLS fingerprint matcher specifies multiple criteria for matching a TLS fingerprint. The set of supported positive match criteria includes a list of known classes of TLS fingerprints and a list of exact values. The match is considered successful if either of these positive criteria is satisfied
See TLS Fingerprint Matcher below.
DDOS Mitigation Rules DDOS Client Source Asn List
Deeply nested List block collapsed for readability.
DDOS Mitigation Rules DDOS Client Source Ja4 TLS Fingerprint Matcher
Deeply nested Matcher block collapsed for readability.
DDOS Mitigation Rules DDOS Client Source TLS Fingerprint Matcher
Deeply nested Matcher block collapsed for readability.
DDOS Mitigation Rules IP Prefix List
An ip_prefix_list block (within ddos_mitigation_rules) supports the following:
• invert_match - Optional Bool
Invert Match Result. Invert the match result
• ip_prefixes - Optional List
IPv4 Prefix List. List of IPv4 prefix strings
DDOS Mitigation Rules Metadata
A metadata block (within ddos_mitigation_rules) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
Default Pool
A default_pool block supports the following:
• advanced_options - Optional Block
Configure advanced options for origin pool
See Advanced Options below.
• automatic_port - Optional Block
Enable this option
• endpoint_selection - Optional String Defaults to DISTRIBUTED
Possible values are DISTRIBUTED, LOCAL_ONLY, LOCAL_PREFERRED
[Enum: DISTRIBUTED|LOCAL_ONLY|LOCAL_PREFERRED] Policy for selection of endpoints from local site/remote site/both. Consider both remote and local endpoints for load balancing. LOCAL_ONLY: Consider only local endpoints for load balancing. Enable this policy to load balance ONLY among locally discovered endpoints. Prefer the local endpoints for.. Server applies default when omitted
• health_check_port - Optional Number
Port used for performing health check
• healthcheck - Optional Block Defaults to []
Reference to healthcheck configuration objects. Server applies default when omitted
See Healthcheck below.
• lb_port - Optional Block
Enable this option
• loadbalancer_algorithm - Optional String Defaults to ROUND_ROBIN
Possible values are ROUND_ROBIN, LEAST_REQUEST, RING_HASH, RANDOM, LB_OVERRIDE
[Enum: ROUND_ROBIN|LEAST_REQUEST|RING_HASH|RANDOM|LB_OVERRIDE] Different load balancing algorithms supported. When a connection to an endpoint in an upstream cluster is required, the load balancer uses loadbalancer_algorithm to determine which host is selected. - ROUND_ROBIN: ROUND_ROBIN Policy in which each healthy/available upstream endpoint is selected in.. Server applies default when omitted
• no_tls - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted
• origin_servers - Optional Block
List of origin servers in this pool
See Origin Servers below.
• port - Optional Number
Endpoint service is available on this port. Recommended: 443
• same_as_endpoint_port - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted
• upstream_conn_pool_reuse_type - Optional Block
Select upstream connection pool reuse state for every downstream connection. This configuration choice is for HTTP(S) LB only
See Upstream Conn Pool Reuse Type below.
• use_tls - Optional Block
TLS Parameters for Origin Servers. Upstream TLS Parameters
See Use TLS below.
• view_internal - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See View Internal below.
Default Pool Advanced Options
An advanced_options block (within default_pool) supports the following:
• auto_http_config - Optional Block
Enable this option
• circuit_breaker - Optional Block
CircuitBreaker provides a mechanism for watching failures in upstream connections or requests and, if the failures reach a certain threshold, automatically failing subsequent requests, which allows back pressure to be applied on downstream quickly
See Circuit Breaker below.
• connection_timeout - Optional Number Defaults to 2 Specified in milliseconds
The timeout for new network connections to endpoints in the cluster. The seconds
• default_circuit_breaker - Optional Block
Configuration parameter for default circuit breaker
• disable_circuit_breaker - Optional Block
Configuration parameter for disable circuit breaker
• disable_lb_source_ip_persistance - Optional Block
Enable this option
• disable_outlier_detection - Optional Block
Configuration parameter for disable outlier detection
• disable_proxy_protocol - Optional Block
Configuration parameter for disable proxy protocol
• disable_subsets - Optional Block
Configuration parameter for disable subsets
• enable_lb_source_ip_persistance - Optional Block
Enable this option
• enable_subsets - Optional Block
Configure subset options for origin pool
See Enable Subsets below.
• http1_config - Optional Block
HTTP/1.1 protocol options for upstream connections
See Http1 Config below.
• http2_options - Optional Block
HTTP/2 protocol options for upstream connections
See Http2 Options below.
• http_idle_timeout - Optional Number
The idle timeout for upstream connection pool connections. The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed
• max_requests_per_connection - Optional Number
Sets the maximum number of requests allowed per connection to the origin server. Enter a value >=1 to define the request limit per connection
• no_panic_threshold - Optional Block
Configuration parameter for no panic threshold
• no_request_limit_per_connection - Optional Block
Configuration parameter for no request limit per connection
• outlier_detection - Optional Block
Outlier detection and ejection is the process of dynamically determining whether some number of hosts in an upstream cluster are performing unlike the others and removing them from the healthy load balancing set. Outlier detection is a form of passive health checking. Algorithm 1
See Outlier Detection below.
• panic_threshold - Optional Number
Configure a threshold (percentage of unhealthy endpoints) below which all endpoints will be considered for load balancing ignoring their health status
• proxy_protocol_v1 - Optional Block
Configuration parameter for proxy protocol v1
• proxy_protocol_v2 - Optional Block
Configuration parameter for proxy protocol v2
Default Pool Advanced Options Circuit Breaker
A circuit_breaker block (within default_pool.advanced_options) supports the following:
• connection_limit - Optional Number
The maximum number of connections that loadbalancer will establish to all hosts in an upstream cluster. In practice this is only applicable to TCP and HTTP/1.1 clusters since HTTP/2 uses a single connection to each host. Remove endpoint out of load balancing decision, if number of connections
• max_requests - Optional Number
The maximum number of requests that can be outstanding to all hosts in a cluster at any given time. In practice this is applicable to HTTP/2 clusters since HTTP/1.1 clusters are governed by the maximum connections (connection_limit). Remove endpoint out of load balancing decision, if requests
• pending_requests - Optional Number
The maximum number of requests that will be queued while waiting for a ready connection pool connection. Since HTTP/2 requests are sent over a single connection, this circuit breaker only comes into play as the initial connection is created, as requests will be multiplexed immediately
• priority - Optional String Defaults to DEFAULT
Possible values are DEFAULT, HIGH
[Enum: DEFAULT|HIGH] Priority routing for each request. Different connection pools are used based on the priority selected for the request. Also, circuit-breaker configuration at destination cluster is chosen based on selected priority
• retries - Optional Number
The maximum number of retries that can be outstanding to all hosts in a cluster at any given time. Remove endpoint out of load balancing decision, if retries for request exceed this count
Default Pool Advanced Options Enable Subsets
An enable_subsets block (within default_pool.advanced_options) supports the following:
• any_endpoint - Optional Block
Enable this option
• default_subset - Optional Block
Configuration parameter for default subset
See Default Subset below.
• endpoint_subsets - Optional Block
List of subset classes. A subset class is defined using a list of keys. Every unique combination of values of these keys forms a subset within the class
See Endpoint Subsets below.
• fail_request - Optional Block
Configuration parameter for fail request
Default Pool Advanced Options Enable Subsets Default Subset
Deeply nested Subset block collapsed for readability.
Default Pool Advanced Options Enable Subsets Endpoint Subsets
Deeply nested Subsets block collapsed for readability.
Default Pool Advanced Options Http1 Config
A http1_config block (within default_pool.advanced_options) supports the following:
• header_transformation - Optional Block
Header transformation options for HTTP/1.1 request/response headers
See Header Transformation below.
Default Pool Advanced Options Http1 Config Header Transformation
Deeply nested Transformation block collapsed for readability.
Default Pool Advanced Options Http2 Options
A http2_options block (within default_pool.advanced_options) supports the following:
• enabled - Optional Bool
Enable/disable HTTP2 Protocol for upstream connections
Default Pool Advanced Options Outlier Detection
An outlier_detection block (within default_pool.advanced_options) supports the following:
• base_ejection_time - Optional Number
The base time that a host is ejected for. The real time is equal to the base time multiplied by the number of times the host has been ejected. This causes hosts to get ejected for longer periods if they continue to fail
• consecutive_5xx - Optional Number
If an upstream endpoint returns some number of consecutive 5xx, it will be ejected. Note that in this case a 5xx means an actual 5xx response code, or an event that would cause the HTTP router to return one on the upstream’s behalf (reset, connection failure, etc.). consecutive_5xx indicates the
• consecutive_gateway_failure - Optional Number
If an upstream endpoint returns some number of consecutive “gateway errors” (502, 503 or 504 status code), it will be ejected. Note that this includes events that would cause the HTTP router to return one of these status codes on the upstream’s behalf (reset, connection failure, etc.)
• interval - Optional Number Defaults to 10000ms
The time interval between ejection analysis sweeps. This can result in both new ejections as well as endpoints being returned to service
• max_ejection_percent - Optional Number Defaults to 10%
The maximum % of an upstream cluster that can be ejected due to outlier detection, but at least one host will be ejected regardless of the value
Default Pool Healthcheck
A healthcheck block (within default_pool) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Default Pool Origin Servers
An origin_servers block (within default_pool) supports the following:
• cbip_service - Optional Block
Specify origin server with Classic BIG-IP Service (Virtual Server)
See Cbip Service below.
• consul_service - Optional Block
Specify origin server with HashiCorp Consul service name and site information
See Consul Service below.
• custom_endpoint_object - Optional Block
Specify origin server with a reference to endpoint object
See Custom Endpoint Object below.
• k8s_service - Optional Block
Specify origin server with K8S service name and site information
See K8S Service below.
• labels - Optional Block
Add labels for this origin server; these labels can be used to form subsets
• private_ip - Optional Block
Specify origin server with private or public IP address and site information
See Private IP below.
• private_name - Optional Block
Specify origin server with private or public DNS name and site information
See Private Name below.
• public_ip - Optional Block
Specify origin server with public IP address
See Public IP below.
• public_name - Optional Block
Specify origin server with public DNS name
See Public Name below.
• vn_private_ip - Optional Block
Specify origin server with IP on Virtual Network
See Vn Private IP below.
• vn_private_name - Optional Block
Specify origin server with DNS name on Virtual Network
See Vn Private Name below.
Default Pool Origin Servers Cbip Service
A cbip_service block (within default_pool.origin_servers) supports the following:
• service_name - Optional String
Name of the discovered Classic BIG-IP virtual server to be used as origin
Default Pool Origin Servers Consul Service
A consul_service block (within default_pool.origin_servers) supports the following:
• inside_network - Optional Block
Configuration parameter for inside network
• outside_network - Optional Block
Configuration parameter for outside network
• service_name - Optional String
Consul service name of this origin server will be listed, including cluster-ID. The format is servicename:cluster-ID
• site_locator - Optional Block
Message defines a reference to a site or virtual site object
See Site Locator below.
• snat_pool - Optional Block
SNAT Pool. SNAT Pool configuration
See Snat Pool below.
Default Pool Origin Servers Consul Service Site Locator
Deeply nested Locator block collapsed for readability.
Default Pool Origin Servers Consul Service Site Locator Site
Deeply nested Site block collapsed for readability.
Default Pool Origin Servers Consul Service Site Locator Virtual Site
Deeply nested Site block collapsed for readability.
Default Pool Origin Servers Consul Service Snat Pool
Deeply nested Pool block collapsed for readability.
Default Pool Origin Servers Consul Service Snat Pool Snat Pool
Deeply nested Pool block collapsed for readability.
Default Pool Origin Servers Custom Endpoint Object
A custom_endpoint_object block (within default_pool.origin_servers) supports the following:
• endpoint - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Endpoint below.
Default Pool Origin Servers Custom Endpoint Object Endpoint
Deeply nested Endpoint block collapsed for readability.
Default Pool Origin Servers K8S Service
A k8s_service block (within default_pool.origin_servers) supports the following:
• inside_network - Optional Block
Configuration parameter for inside network
• outside_network - Optional Block
Configuration parameter for outside network
• protocol - Optional String Defaults to PROTOCOL_TCP
Possible values are PROTOCOL_TCP, PROTOCOL_UDP
[Enum: PROTOCOL_TCP|PROTOCOL_UDP] Type of protocol - PROTOCOL_TCP: TCP - PROTOCOL_UDP: UDP
• service_name - Optional String
K8S service name of the origin server will be listed, including the namespace and cluster-ID. For vK8s services, you need to enter a string with the format servicename.namespace:cluster-ID. If the servicename is ‘frontend’, namespace is ‘speedtest’ and cluster-ID is ‘prod’
• site_locator - Optional Block
Message defines a reference to a site or virtual site object
See Site Locator below.
• snat_pool - Optional Block
SNAT Pool. SNAT Pool configuration
See Snat Pool below.
• vk8s_networks - Optional Block
Configuration parameter for vk8s networks
Default Pool Origin Servers K8S Service Site Locator
Deeply nested Locator block collapsed for readability.
Default Pool Origin Servers K8S Service Site Locator Site
Deeply nested Site block collapsed for readability.
Default Pool Origin Servers K8S Service Site Locator Virtual Site
Deeply nested Site block collapsed for readability.
Default Pool Origin Servers K8S Service Snat Pool
Deeply nested Pool block collapsed for readability.
Default Pool Origin Servers K8S Service Snat Pool Snat Pool
Deeply nested Pool block collapsed for readability.
Default Pool Origin Servers Private IP
A private_ip block (within default_pool.origin_servers) supports the following:
• inside_network - Optional Block
Configuration parameter for inside network
• ip - Optional String
IP. Private IPv4 address
• outside_network - Optional Block
Configuration parameter for outside network
• segment - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Segment below.
• site_locator - Optional Block
Message defines a reference to a site or virtual site object
See Site Locator below.
• snat_pool - Optional Block
SNAT Pool. SNAT Pool configuration
See Snat Pool below.
Default Pool Origin Servers Private IP Segment
A segment block (within default_pool.origin_servers.private_ip) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Default Pool Origin Servers Private IP Site Locator
Deeply nested Locator block collapsed for readability.
Default Pool Origin Servers Private IP Site Locator Site
Deeply nested Site block collapsed for readability.
Default Pool Origin Servers Private IP Site Locator Virtual Site
Deeply nested Site block collapsed for readability.
Default Pool Origin Servers Private IP Snat Pool
Deeply nested Pool block collapsed for readability.
Default Pool Origin Servers Private IP Snat Pool Snat Pool
Deeply nested Pool block collapsed for readability.
Default Pool Origin Servers Private Name
A private_name block (within default_pool.origin_servers) supports the following:
• dns_name - Optional String
DNS Name. DNS Name
• inside_network - Optional Block
Configuration parameter for inside network
• outside_network - Optional Block
Configuration parameter for outside network
• refresh_interval - Optional Number
Interval for DNS refresh in seconds. Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767.
• segment - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Segment below.
• site_locator - Optional Block
Message defines a reference to a site or virtual site object
See Site Locator below.
• snat_pool - Optional Block
SNAT Pool. SNAT Pool configuration
See Snat Pool below.
Default Pool Origin Servers Private Name Segment
A segment block (within default_pool.origin_servers.private_name) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Default Pool Origin Servers Private Name Site Locator
Deeply nested Locator block collapsed for readability.
Default Pool Origin Servers Private Name Site Locator Site
Deeply nested Site block collapsed for readability.
Default Pool Origin Servers Private Name Site Locator Virtual Site
Deeply nested Site block collapsed for readability.
Default Pool Origin Servers Private Name Snat Pool
Deeply nested Pool block collapsed for readability.
Default Pool Origin Servers Private Name Snat Pool Snat Pool
Deeply nested Pool block collapsed for readability.
Default Pool Origin Servers Public IP
A public_ip block (within default_pool.origin_servers) supports the following:
• ip - Optional String
Public IPv4. Public IPv4 address
Default Pool Origin Servers Public Name
A public_name block (within default_pool.origin_servers) supports the following:
• dns_name - Optional String
DNS Name. DNS Name
• refresh_interval - Optional Number
Interval for DNS refresh in seconds. Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767.
Default Pool Origin Servers Vn Private IP
A vn_private_ip block (within default_pool.origin_servers) supports the following:
• ip - Optional String
IPv4. IPv4 address
• virtual_network - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Virtual Network below.
Default Pool Origin Servers Vn Private IP Virtual Network
Deeply nested Network block collapsed for readability.
Default Pool Origin Servers Vn Private Name
A vn_private_name block (within default_pool.origin_servers) supports the following:
• dns_name - Optional String
DNS Name. DNS Name
• private_network - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Private Network below.
Default Pool Origin Servers Vn Private Name Private Network
Deeply nested Network block collapsed for readability.
Default Pool Upstream Conn Pool Reuse Type
An upstream_conn_pool_reuse_type block (within default_pool) supports the following:
• disable_conn_pool_reuse - Optional Block
Configuration parameter for disable conn pool reuse
• enable_conn_pool_reuse - Optional Block
Configuration parameter for enable conn pool reuse
Default Pool Use TLS
A use_tls block (within default_pool) supports the following:
• default_session_key_caching - Optional Block
Configuration parameter for default session key caching
• disable_session_key_caching - Optional Block
Configuration parameter for disable session key caching
• disable_sni - Optional Block
Configuration parameter for disable sni
• max_session_keys - Optional Number
Number of session keys that are cached
• no_mtls - Optional Block
Enable this option
• skip_server_verification - Optional Block
Enable this option
• sni - Optional String
SNI value to be used
• tls_config - Optional Block
Defines various options to configure TLS configuration parameters
See TLS Config below.
• use_host_header_as_sni - Optional Block
Enable this option
• use_mtls - Optional Block
mTLS Certificate. mTLS Client Certificate
See Use mTLS below.
• use_mtls_obj - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Use mTLS Obj below.
• use_server_verification - Optional Block
Configuration parameter for use server verification
See Use Server Verification below.
• volterra_trusted_ca - Optional Block
Configuration parameter for volterra trusted CA
Default Pool Use TLS TLS Config
A tls_config block (within default_pool.use_tls) supports the following:
• custom_security - Optional Block
Defines TLS protocol config including min/max versions and allowed ciphers
See Custom Security below.
• default_security - Optional Block
Enable this option
• low_security - Optional Block
Enable this option
• medium_security - Optional Block
Enable this option
Default Pool Use TLS TLS Config Custom Security
Deeply nested Security block collapsed for readability.
Default Pool Use TLS Use mTLS
A use_mtls block (within default_pool.use_tls) supports the following:
• tls_certificates - Optional Block
mTLS Client Certificate. mTLS Client Certificate
See TLS Certificates below.
Default Pool Use TLS Use mTLS TLS Certificates
Deeply nested Certificates block collapsed for readability.
Default Pool Use TLS Use mTLS TLS Certificates Custom Hash Algorithms
Deeply nested Algorithms block collapsed for readability.
Default Pool Use TLS Use mTLS TLS Certificates Private Key
Deeply nested Key block collapsed for readability.
Default Pool Use TLS Use mTLS TLS Certificates Private Key Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Default Pool Use TLS Use mTLS TLS Certificates Private Key Clear Secret Info
Deeply nested Info block collapsed for readability.
Default Pool Use TLS Use mTLS Obj
A use_mtls_obj block (within default_pool.use_tls) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Default Pool Use TLS Use Server Verification
A use_server_verification block (within default_pool.use_tls) supports the following:
• trusted_ca - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Trusted CA below.
• trusted_ca_url - Optional String
Upload a Root CA Certificate specifically for this Origin Pool for verification of server’s certificate
Default Pool Use TLS Use Server Verification Trusted CA
Deeply nested CA block collapsed for readability.
Default Pool View Internal
A view_internal block (within default_pool) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Default Pool List
A default_pool_list block supports the following:
• pools - Optional Block
Origin Pools. List of Origin Pools
See Pools below.
Default Pool List Pools
A pools block (within default_pool_list) supports the following:
• cluster - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Cluster below.
• endpoint_subsets - Optional Block
Upstream origin pool may be configured to divide its origin servers into subsets based on metadata attached to the origin servers. Routes may then specify the metadata that an endpoint must match in order to be selected by the load balancer. For origin servers which are discovered in K8S or Consul
• pool - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Pool below.
• priority - Optional Number
Priority of this origin pool, valid only with multiple origin pools. A value of 0 makes the pool the lowest priority origin pool. A priority of 1 means highest priority and is considered active. When the active origin pool is not available, lower priority origin pools are made active as per the
• weight - Optional Number
Weight of this origin pool, valid only with multiple origin pool. Value of 0 will disable the pool
Default Pool List Pools Cluster
A cluster block (within default_pool_list.pools) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
Default Pool List Pools Pool
A pool block (within default_pool_list.pools) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
Default Route Pools
A default_route_pools block supports the following:
• cluster - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Cluster below.
• endpoint_subsets - Optional Block
Upstream origin pool may be configured to divide its origin servers into subsets based on metadata attached to the origin servers. Routes may then specify the metadata that an endpoint must match in order to be selected by the load balancer. For origin servers which are discovered in K8S or Consul
• pool - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Pool below.
• priority - Optional Number
Priority of this origin pool, valid only with multiple origin pools. A value of 0 makes the pool the lowest priority origin pool. A priority of 1 means highest priority and is considered active. When the active origin pool is not available, lower priority origin pools are made active as per the
• weight - Optional Number
Weight of this origin pool, valid only with multiple origin pool. Value of 0 will disable the pool
Default Route Pools Cluster
A cluster block (within default_route_pools) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
Default Route Pools Pool
A pool block (within default_route_pools) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
Enable API Discovery
An enable_api_discovery block supports the following:
• api_crawler - Optional Block
API Crawling. API Crawler message
See API Crawler below.
• api_discovery_from_code_scan - Optional Block
Select codebase and Repositories
See API Discovery From Code Scan below.
• custom_api_auth_discovery - Optional Block
API Discovery Advanced Settings. API Discovery Advanced settings
See Custom API Auth Discovery below.
• default_api_auth_discovery - Optional Block
Enable this option
• disable_learn_from_redirect_traffic - Optional Block
Configuration parameter for disable learn from redirect traffic
• discovered_api_settings - Optional Block
Discovered API Settings. Configure Discovered API Settings
See Discovered API Settings below.
• enable_learn_from_redirect_traffic - Optional Block
Configuration parameter for enable learn from redirect traffic
Enable API Discovery API Crawler
An api_crawler block (within enable_api_discovery) supports the following:
• api_crawler_config - Optional Block
Crawler Configure
See API Crawler Config below.
• disable_api_crawler - Optional Block
Enable this option
Enable API Discovery API Crawler API Crawler Config
Deeply nested Config block collapsed for readability.
Enable API Discovery API Crawler API Crawler Config Domains
Deeply nested Domains block collapsed for readability.
Enable API Discovery API Crawler API Crawler Config Domains Simple Login
Deeply nested Login block collapsed for readability.
Enable API Discovery API Crawler API Crawler Config Domains Simple Login Password
Deeply nested Password block collapsed for readability.
Enable API Discovery API Crawler API Crawler Config Domains Simple Login Password Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Enable API Discovery API Crawler API Crawler Config Domains Simple Login Password Clear Secret Info
Deeply nested Info block collapsed for readability.
Enable API Discovery API Discovery From Code Scan
Deeply nested Scan block collapsed for readability.
Enable API Discovery API Discovery From Code Scan codebase Integrations
Deeply nested Integrations block collapsed for readability.
Enable API Discovery API Discovery From Code Scan codebase Integrations codebase Integration
Deeply nested Integration block collapsed for readability.
Enable API Discovery API Discovery From Code Scan codebase Integrations Selected Repos
Deeply nested Repos block collapsed for readability.
Enable API Discovery Custom API Auth Discovery
A custom_api_auth_discovery block (within enable_api_discovery) supports the following:
• api_discovery_ref - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See API Discovery Ref below.
Enable API Discovery Custom API Auth Discovery API Discovery Ref
Deeply nested Ref block collapsed for readability.
Enable API Discovery Discovered API Settings
A discovered_api_settings block (within enable_api_discovery) supports the following:
• purge_duration_for_inactive_discovered_apis - Optional Number
Inactive discovered API will be deleted after configured duration
Enable Challenge
An enable_challenge block supports the following:
• captcha_challenge_parameters - Optional Block
Enables loadbalancer to perform captcha challenge. Captcha challenge will be based on Google Recaptcha. With this feature enabled, only clients that pass the captcha challenge will be allowed to complete the HTTP request. When loadbalancer is configured to do Captcha Challenge, it will redirect
See Captcha Challenge Parameters below.
• default_captcha_challenge_parameters - Optional Block
Configuration parameter for default captcha challenge parameters
• default_js_challenge_parameters - Optional Block
Configuration parameter for default js challenge parameters
• default_mitigation_settings - Optional Block
Enable this option
• js_challenge_parameters - Optional Block
Enables loadbalancer to perform client browser compatibility test by redirecting to a page with JavaScript. With this feature enabled, only clients that are capable of executing JavaScript (mostly browsers) will be allowed to complete the HTTP request. When loadbalancer is configured to do
See Js Challenge Parameters below.
• malicious_user_mitigation - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Malicious User Mitigation below.
Enable Challenge Captcha Challenge Parameters
A captcha_challenge_parameters block (within enable_challenge) supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The only currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
Enable Challenge Js Challenge Parameters
A js_challenge_parameters block (within enable_challenge) supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The only currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
• js_script_delay - Optional Number
Delay introduced by JavaScript, in milliseconds
Enable Challenge Malicious User Mitigation
A malicious_user_mitigation block (within enable_challenge) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
Enable IP Reputation
An enable_ip_reputation block supports the following:
• ip_threat_categories - Optional List Defaults to SPAM_SOURCES
See IP Threat Categories
[Enum: SPAM_SOURCES|WINDOWS_EXPLOITS|WEB_ATTACKS|BOTNETS|SCANNERS|REPUTATION|PHISHING|PROXY|MOBILE_THREATS|TOR_PROXY|DENIAL_OF_SERVICE|NETWORK] If the source IP matches at least one of the enabled IP threat categories, the request will be denied
Enable Trust Client IP Headers
An enable_trust_client_ip_headers block supports the following:
• client_ip_headers - Optional List
Define the list of one or more Client IP Headers. Headers will be used in order from top to bottom, meaning if the first header is not present in the request, the system will proceed to check for the second header, and so on, until one of the listed headers is found. If none of the defined
GraphQL Rules
A graphql_rules block supports the following:
• any_domain - Optional Block
Enable this option
• exact_path - Optional String Defaults to /GraphQL
Specifies the exact path to GraphQL endpoint
• exact_value - Optional String
Exact domain name
• graphql_settings - Optional Block
GraphQL configuration
See GraphQL Settings below.
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• method_get - Optional Block
Enable this option
• method_post - Optional Block
Configuration parameter for method post
• suffix_value - Optional String
Suffix of domain name e.g ‘xyz.com’ will match ‘*.xyz.com’ and ‘xyz.com’
GraphQL Rules GraphQL Settings
A graphql_settings block (within graphql_rules) supports the following:
• disable_introspection - Optional Block
Enable this option
• enable_introspection - Optional Block
Enable this option
• max_batched_queries - Optional Number
Specify maximum number of queries in a single batched request
• max_depth - Optional Number
Specify maximum depth for the GraphQL query
• max_total_length - Optional Number
Specify maximum length in bytes for the GraphQL query
• max_value_length - Optional Number
Specify maximum value length in bytes for the GraphQL query
• policy_name - Optional String
Sets the BD Policy to use
GraphQL Rules Metadata
A metadata block (within graphql_rules) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
An http block supports the following:
• dns_volterra_managed - Optional Bool
DNS records for domains will be managed automatically by F5 Distributed Cloud. As a prerequisite, the domain must be delegated to F5 Distributed Cloud using Delegated domain feature or a DNS CNAME record should be created in your DNS provider’s portal
• port - Optional Number
HTTP port to Listen
• port_ranges - Optional String
A string containing a comma separated list of port ranges. Each port range consists of a single port or two ports separated by '-'
An https block supports the following:
• add_hsts - Optional Bool
Add HTTP Strict-Transport-Security response header
• append_server_name - Optional String
Define the header value for the header name “server”. If header value is already present, it is not overwritten and passed as-is
• coalescing_options - Optional Block
TLS connection coalescing configuration (not compatible with mTLS)
See Coalescing Options below.
• connection_idle_timeout - Optional Number
The idle timeout for downstream connections. The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed
• default_header - Optional Block
Configuration parameter for default header
• default_loadbalancer - Optional Block
Configuration parameter for default loadbalancer
• disable_path_normalize - Optional Block
Enable this option
• enable_path_normalize - Optional Block
Enable this option
• http_protocol_options - Optional Block
HTTP protocol configuration OPTIONS for downstream connections
See HTTP Protocol Options below.
• http_redirect - Optional Bool
HTTP Redirect to HTTPS. Redirect HTTP traffic to HTTPS
• non_default_loadbalancer - Optional Block
Configuration parameter for non default loadbalancer
• pass_through - Optional Block
Configuration parameter for pass through
• port - Optional Number
HTTPS port to Listen
• port_ranges - Optional String
A string containing a comma separated list of port ranges. Each port range consists of a single port or two ports separated by ’-’
• server_name - Optional String
Define the header value for the header name “server”. This will overwrite existing values, if any, for the server header
• tls_cert_params - Optional Block
Configuration parameter for TLS cert params
See TLS Cert Params below.
• tls_parameters - Optional Block
Configuration parameter for TLS parameters
See TLS Parameters below.
HTTPS Coalescing Options
A coalescing_options block (within https) supports the following:
• default_coalescing - Optional Block
Configuration parameter for default coalescing
• strict_coalescing - Optional Block
Configuration parameter for strict coalescing
HTTPS HTTP Protocol Options
An http_protocol_options block (within https) supports the following:
• http_protocol_enable_v1_only - Optional Block
HTTP/1.1 Protocol OPTIONS for downstream connections
See HTTP Protocol Enable V1 Only below.
• http_protocol_enable_v1_v2 - Optional Block
Configuration parameter for HTTP protocol enable v1 v2
• http_protocol_enable_v2_only - Optional Block
Configuration parameter for HTTP protocol enable v2 only
HTTPS HTTP Protocol Options HTTP Protocol Enable V1 Only
Deeply nested Only block collapsed for readability.
HTTPS HTTP Protocol Options HTTP Protocol Enable V1 Only Header Transformation
Deeply nested Transformation block collapsed for readability.
HTTPS TLS Cert Params
A tls_cert_params block (within https) supports the following:
• certificates - Optional Block
Select one or more certificates with any domain names
See Certificates below.
• no_mtls - Optional Block
Enable this option
• tls_config - Optional Block
Defines various OPTIONS to configure TLS configuration parameters
See TLS Config below.
• use_mtls - Optional Block
Validation context for downstream client TLS connections
See Use mTLS below.
HTTPS TLS Cert Params Certificates
A certificates block (within https.tls_cert_params) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
HTTPS TLS Cert Params TLS Config
A tls_config block (within https.tls_cert_params) supports the following:
• custom_security - Optional Block
Defines TLS protocol config including min/max versions and allowed ciphers
See Custom Security below.
• default_security - Optional Block
Enable this option
• low_security - Optional Block
Enable this option
• medium_security - Optional Block
Enable this option
HTTPS TLS Cert Params TLS Config Custom Security
Deeply nested Security block collapsed for readability.
HTTPS TLS Cert Params Use mTLS
A use_mtls block (within https.tls_cert_params) supports the following:
• client_certificate_optional - Optional Bool
Client certificate is optional. If the client has provided a certificate, the load balancer will verify it. If certification verification fails, the connection will be terminated
• crl - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See CRL below.
• no_crl - Optional Block
Enable this option
• trusted_ca - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Trusted CA below.
• trusted_ca_url - Optional String
Upload a Root CA Certificate specifically for this Load Balancer
• xfcc_disabled - Optional Block
Enable this option
• xfcc_options - Optional Block
X-Forwarded-Client-Cert header elements to be added to requests
See Xfcc Options below.
HTTPS TLS Cert Params Use mTLS CRL
A crl block (within https.tls_cert_params.use_mtls) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
HTTPS TLS Cert Params Use mTLS Trusted CA
Deeply nested CA block collapsed for readability.
HTTPS TLS Cert Params Use mTLS Xfcc Options
Deeply nested Options block collapsed for readability.
HTTPS TLS Parameters
A tls_parameters block (within https) supports the following:
• no_mtls - Optional Block
Enable this option
• tls_certificates - Optional Block
Users can add one or more certificates that share the same set of domains. For example, domain.com and *.domain.com - but use different signature algorithms
See TLS Certificates below.
• tls_config - Optional Block
Defines various OPTIONS to configure TLS configuration parameters
See TLS Config below.
• use_mtls - Optional Block
Validation context for downstream client TLS connections
See Use mTLS below.
HTTPS TLS Parameters TLS Certificates
A tls_certificates block (within https.tls_parameters) supports the following:
• certificate_url - Optional String
TLS certificate. Certificate or certificate chain in PEM format including the PEM headers
• custom_hash_algorithms - Optional Block
Specifies the hash algorithms to be used
See Custom Hash Algorithms below.
• description_spec - Optional String
Description. Description for the certificate
• disable_ocsp_stapling - Optional Block
Configuration parameter for disable OCSP stapling
• private_key - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Private Key below.
• use_system_defaults - Optional Block
Configuration parameter for use system defaults
HTTPS TLS Parameters TLS Certificates Custom Hash Algorithms
Deeply nested Algorithms block collapsed for readability.
HTTPS TLS Parameters TLS Certificates Private Key
A private_key block (within https.tls_parameters.tls_certificates) supports the following:
• blindfold_secret_info - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.
• clear_secret_info - Optional Block
ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.
HTTPS TLS Parameters TLS Certificates Private Key Blindfold Secret Info
Deeply nested Info block collapsed for readability.
HTTPS TLS Parameters TLS Certificates Private Key Clear Secret Info
Deeply nested Info block collapsed for readability.
HTTPS TLS Parameters TLS Config
A tls_config block (within https.tls_parameters) supports the following:
• custom_security - Optional Block
Defines TLS protocol config including min/max versions and allowed ciphers
See Custom Security below.
• default_security - Optional Block
Enable this option
• low_security - Optional Block
Enable this option
• medium_security - Optional Block
Enable this option
HTTPS TLS Parameters TLS Config Custom Security
A custom_security block (within https.tls_parameters.tls_config) supports the following:
• cipher_suites - Optional List
The TLS listener will only support the specified cipher list
• max_version - Optional String Defaults to TLS_AUTO
Possible values are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
[Enum: TLS_AUTO|TLSv1_0|TLSv1_1|TLSv1_2|TLSv1_3] TlsProtocol is the enumeration of supported TLS versions. F5 Distributed Cloud will choose the optimal TLS version
• min_version - Optional String Defaults to TLS_AUTO
Possible values are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
[Enum: TLS_AUTO|TLSv1_0|TLSv1_1|TLSv1_2|TLSv1_3] TlsProtocol is the enumeration of supported TLS versions. F5 Distributed Cloud will choose the optimal TLS version
HTTPS TLS Parameters Use mTLS
A use_mtls block (within https.tls_parameters) supports the following:
• client_certificate_optional - Optional Bool
Client certificate is optional. If the client has provided a certificate, the load balancer will verify it. If certification verification fails, the connection will be terminated
• crl - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See CRL below.
• no_crl - Optional Block
Enable this option
• trusted_ca - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Trusted CA below.
• trusted_ca_url - Optional String
Upload a Root CA Certificate specifically for this Load Balancer
• xfcc_disabled - Optional Block
Enable this option
• xfcc_options - Optional Block
X-Forwarded-Client-Cert header elements to be added to requests
See Xfcc Options below.
HTTPS TLS Parameters Use mTLS CRL
A crl block (within https.tls_parameters.use_mtls) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
HTTPS TLS Parameters Use mTLS Trusted CA
A trusted_ca block (within https.tls_parameters.use_mtls) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
HTTPS TLS Parameters Use mTLS Xfcc Options
An xfcc_options block (within https.tls_parameters.use_mtls) supports the following:
• xfcc_header_elements - Optional List Defaults to XFCC_NONE
Possible values are XFCC_NONE, XFCC_CERT, XFCC_CHAIN, XFCC_SUBJECT, XFCC_URI, XFCC_DNS
[Enum: XFCC_NONE|XFCC_CERT|XFCC_CHAIN|XFCC_SUBJECT|XFCC_URI|XFCC_DNS] X-Forwarded-Client-Cert header elements to be added to requests
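A policy check over the TLS, mTLS and private-key settings documented above, written as an added example; it is not part of the provider or its documentation. It assumes the resource's attribute values have been exported as JSON (for instance with `terraform show -json`) with nested blocks represented as lists of objects or single objects; the thresholds (a TLSv1_2 floor, review of low_security and medium_security, a CRL reference for mTLS) are this example's own policy, and both sample inputs are constructed.

```python
TLS_ORDER = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]  # enum values from this page
MIN_ACCEPTED = "TLSv1_2"                              # example policy, not a provider rule
REVIEW_PRESETS = ("low_security", "medium_security")  # example policy: flag for review


def blocks(value):
    """Return a nested block as a list of dicts.

    Assumption: in the exported JSON a block may be a list of objects, a single
    object, or null/absent; an empty but selected block appears as [{}] or {}.
    """
    if isinstance(value, dict):
        return [value]
    if isinstance(value, list):
        return [item for item in value if isinstance(item, dict)]
    return []


def below_floor(version):
    """True when an explicit TLS version sorts below MIN_ACCEPTED."""
    return version in TLS_ORDER and TLS_ORDER.index(version) < TLS_ORDER.index(MIN_ACCEPTED)


def check_tls_config(tls_config, path):
    findings = []
    for preset in REVIEW_PRESETS:
        if blocks(tls_config.get(preset)):
            findings.append((f"{path}.{preset}", "preset needs review under this policy"))
    for custom in blocks(tls_config.get("custom_security")):
        base = f"{path}.custom_security"
        min_version = custom.get("min_version") or "TLS_AUTO"  # documented default
        max_version = custom.get("max_version") or "TLS_AUTO"  # documented default
        if min_version == "TLS_AUTO":
            findings.append((f"{base}.min_version", "floor not pinned (TLS_AUTO)"))
        elif below_floor(min_version):
            findings.append((f"{base}.min_version", f"{min_version} is below {MIN_ACCEPTED}"))
        if below_floor(max_version):
            findings.append((f"{base}.max_version", f"ceiling {max_version} is below {MIN_ACCEPTED}"))
    return findings


def check_use_mtls(use_mtls, path):
    findings = []
    if use_mtls.get("client_certificate_optional") is True:
        findings.append((f"{path}.client_certificate_optional",
                         "clients without a certificate are not rejected at the TLS layer"))
    if blocks(use_mtls.get("no_crl")) and not blocks(use_mtls.get("crl")):
        findings.append((f"{path}.no_crl", "no CRL referenced for client certificates"))
    return findings


def check_tls_params(params, path):
    """Lint one block that carries tls_config, use_mtls and/or tls_certificates."""
    findings = []
    for cfg in blocks(params.get("tls_config")):
        findings += check_tls_config(cfg, f"{path}.tls_config")
    for mtls in blocks(params.get("use_mtls")):
        findings += check_use_mtls(mtls, f"{path}.use_mtls")
    for cert in blocks(params.get("tls_certificates")):
        for key in blocks(cert.get("private_key")):
            if blocks(key.get("clear_secret_info")):
                findings.append((f"{path}.tls_certificates.private_key.clear_secret_info",
                                 "private key supplied as an unencrypted secret"))
    return findings


def lint_loadbalancer(values):
    """Return (attribute_path, message) findings for one f5xc_http_loadbalancer."""
    findings = []
    for https in blocks(values.get("https")):
        for name in ("tls_parameters", "tls_cert_params"):
            for params in blocks(https.get(name)):
                findings += check_tls_params(params, f"https.{name}")
    for auto in blocks(values.get("https_auto_cert")):
        findings += check_tls_params(auto, "https_auto_cert")
    return findings


# Constructed input: weak settings. Inner fields of collapsed blocks are omitted.
SAMPLE_WEAK = {"https": [{"tls_parameters": [{
    "tls_config": [{"custom_security": [{"min_version": "TLSv1_0", "max_version": "TLS_AUTO"}],
                    "default_security": [], "low_security": [], "medium_security": []}],
    "use_mtls": [{"client_certificate_optional": True, "no_crl": [{}], "crl": []}],
    "tls_certificates": [{"private_key": [{"clear_secret_info": [{}],
                                           "blindfold_secret_info": []}]}],
}]}]}

# Constructed input: the same listener with the findings addressed.
SAMPLE_HARDENED = {"https": [{"tls_parameters": [{
    "tls_config": [{"custom_security": [{"min_version": "TLSv1_2", "max_version": "TLSv1_3"}]}],
    "use_mtls": [{"client_certificate_optional": False, "no_crl": [],
                  "crl": [{"name": "example-client-crl", "namespace": "staging"}]}],
    "tls_certificates": [{"private_key": [{"clear_secret_info": [],
                                           "blindfold_secret_info": [{}]}]}],
}]}]}

if __name__ == "__main__":
    for path, message in lint_loadbalancer(SAMPLE_WEAK):
        print(f"{path}: {message}")
```
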
HTTPS Auto Cert
An https_auto_cert block supports the following:
• add_hsts - Optional Bool
Add HTTP Strict-Transport-Security response header
• append_server_name - Optional String
Define the header value for the header name “server”. If header value is already present, it is not overwritten and passed as-is
• coalescing_options - Optional Block
TLS connection coalescing configuration (not compatible with mTLS)
See Coalescing Options below.
• connection_idle_timeout - Optional Number
The idle timeout for downstream connections. The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed
• default_header - Optional Block
Configuration parameter for default header
• default_loadbalancer - Optional Block
Configuration parameter for default loadbalancer
• disable_path_normalize - Optional Block
Enable this option
• enable_path_normalize - Optional Block
Enable this option
• http_protocol_options - Optional Block
HTTP protocol configuration OPTIONS for downstream connections
See HTTP Protocol Options below.
• http_redirect - Optional Bool
HTTP Redirect to HTTPS. Redirect HTTP traffic to HTTPS
• no_mtls - Optional Block
Enable this option
• non_default_loadbalancer - Optional Block
Configuration parameter for non default loadbalancer
• pass_through - Optional Block
Configuration parameter for pass through
• port - Optional Number
HTTPS port to Listen
• port_ranges - Optional String
A string containing a comma separated list of port ranges. Each port range consists of a single port or two ports separated by ’-’
• server_name - Optional String
Define the header value for the header name “server”. This will overwrite existing values, if any, for the server header
• tls_config - Optional Block
Defines various options to configure TLS configuration parameters
See TLS Config below.
• use_mtls - Optional Block
Validation context for downstream client TLS connections
See Use mTLS below.
HTTPS Auto Cert Coalescing Options
A coalescing_options block (within https_auto_cert) supports the following:
• default_coalescing - Optional Block
Configuration parameter for default coalescing
• strict_coalescing - Optional Block
Configuration parameter for strict coalescing
HTTPS Auto Cert HTTP Protocol Options
A http_protocol_options block (within https_auto_cert) supports the following:
• http_protocol_enable_v1_only - Optional Block
HTTP/1.1 Protocol options for downstream connections
See HTTP Protocol Enable V1 Only below.
• http_protocol_enable_v1_v2 - Optional Block
Configuration parameter for HTTP protocol enable v1 v2
• http_protocol_enable_v2_only - Optional Block
Configuration parameter for HTTP protocol enable v2 only
HTTPS Auto Cert HTTP Protocol Options HTTP Protocol Enable V1 Only
Deeply nested Only block collapsed for readability.
HTTPS Auto Cert HTTP Protocol Options HTTP Protocol Enable V1 Only Header Transformation
Deeply nested Transformation block collapsed for readability.
HTTPS Auto Cert TLS Config
A tls_config block (within https_auto_cert) supports the following:
• custom_security - Optional Block
Defines TLS protocol config including min/max versions and allowed ciphers
See Custom Security below.
• default_security - Optional Block
Enable this option
• low_security - Optional Block
Enable this option
• medium_security - Optional Block
Enable this option
HTTPS Auto Cert TLS Config Custom Security
A custom_security block (within https_auto_cert.tls_config) supports the following:
• cipher_suites - Optional List
The TLS listener will only support the specified cipher list
• max_version - Optional String Defaults to TLS_AUTO
Possible values are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
[Enum: TLS_AUTO|TLSv1_0|TLSv1_1|TLSv1_2|TLSv1_3] TlsProtocol is enumeration of supported TLS versions F5 Distributed Cloud will choose the optimal TLS version
• min_version - Optional String Defaults to TLS_AUTO
Possible values are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
[Enum: TLS_AUTO|TLSv1_0|TLSv1_1|TLSv1_2|TLSv1_3] TlsProtocol is enumeration of supported TLS versions F5 Distributed Cloud will choose the optimal TLS version
HTTPS Auto Cert Use mTLS
A use_mtls block (within https_auto_cert) supports the following:
• client_certificate_optional - Optional Bool
Client certificate is optional. If the client has provided a certificate, the load balancer will verify it. If certification verification fails, the connection will be terminated
• crl - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See CRL below.
• no_crl - Optional Block
Enable this option
• trusted_ca - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Trusted CA below.
• trusted_ca_url - Optional String
Upload a Root CA Certificate specifically for this Load Balancer
• xfcc_disabled - Optional Block
Enable this option
• xfcc_options - Optional Block
X-Forwarded-Client-Cert header elements to be added to requests
See Xfcc Options below.
HTTPS Auto Cert Use mTLS CRL
A crl block (within https_auto_cert.use_mtls) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
HTTPS Auto Cert Use mTLS Trusted CA
A trusted_ca block (within https_auto_cert.use_mtls) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
HTTPS Auto Cert Use mTLS Xfcc Options
A xfcc_options block (within https_auto_cert.use_mtls) supports the following:
• xfcc_header_elements - Optional List Defaults to XFCC_NONE
Possible values are XFCC_NONE, XFCC_CERT, XFCC_CHAIN, XFCC_SUBJECT, XFCC_URI, XFCC_DNS
[Enum: XFCC_NONE|XFCC_CERT|XFCC_CHAIN|XFCC_SUBJECT|XFCC_URI|XFCC_DNS] X-Forwarded-Client-Cert header elements to be added to requests
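The fragment below is an added example, not taken from the provider's own documentation. It combines the https_auto_cert arguments listed above into a listener that pins the TLS version range and requires a verified client certificate. The object names, the namespace, and the use of empty `{}` blocks for option-style arguments are assumptions, and the other resource arguments from Example Usage are omitted.

```hcl
resource "f5xc_http_loadbalancer" "mtls_example" {
  name      = "example-mtls-loadbalancer"
  namespace = "staging"

  # Remaining arguments (advertise_*, API discovery, and so on) as in
  # Example Usage; they are omitted from this fragment.

  https_auto_cert {
    http_redirect = true # redirect HTTP traffic to HTTPS
    add_hsts      = true # add the Strict-Transport-Security response header

    # coalescing_options is deliberately not set: the reference above marks
    # TLS connection coalescing as not compatible with mTLS.

    tls_config {
      # The tls_config block lists four alternatives: default_security,
      # low_security, medium_security and custom_security. custom_security
      # is the one that lets the version range be stated explicitly.
      custom_security {
        min_version = "TLSv1_2" # refuse TLSv1_0 and TLSv1_1 handshakes
        max_version = "TLSv1_3"
        # cipher_suites is optional and left unset here; accepted cipher
        # names are not listed on this page.
      }
    }

    use_mtls {
      # false: a client certificate must be presented and must verify.
      client_certificate_optional = false

      # Reference to a CA object (tenant/namespace/name form).
      # "client-root-ca" is a constructed name. trusted_ca_url is the
      # listed alternative for a CA uploaded for this load balancer only.
      trusted_ca {
        name      = "client-root-ca"
        namespace = "staging"
      }

      # Revocation checking through a referenced CRL object (constructed
      # name). no_crl is the listed alternative.
      crl {
        name      = "client-crl"
        namespace = "staging"
      }

      # Forward selected certificate fields to the origin in the
      # X-Forwarded-Client-Cert header. Values come from the enum above.
      xfcc_options {
        xfcc_header_elements = ["XFCC_SUBJECT", "XFCC_URI"]
      }
    }
  }
}
```

An origin that makes authorization decisions from X-Forwarded-Client-Cert should accept that header only on connections coming from the load balancer.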
Js Challenge
A js_challenge block supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
• js_script_delay - Optional Number
Delay introduced by JavaScript, in milliseconds
JWT Validation
A jwt_validation block supports the following:
• action - Optional Block
Action. X-displayName: ‘Action’
See Action below.
• authorization_server - Optional Block
Reference to Authorization Server object
See Authorization Server below.
• jwks_config - Optional Block
The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details
See Jwks Config below.
• mandatory_claims - Optional Block
Configurable Validation of mandatory Claims
See Mandatory Claims below.
• reserved_claims - Optional Block
Configurable Validation of reserved Claims
See Reserved Claims below.
• target - Optional Block
Define endpoints for which JWT token validation will be performed
See Target below.
• token_location - Optional Block
Configuration parameter for token location
See Token Location below.
JWT Validation Action
An action block (within jwt_validation) supports the following:
• block - Optional Block
Enable this option
• report - Optional Block
Enable this option
JWT Validation Authorization Server
An authorization_server block (within jwt_validation) supports the following:
• authorization_servers - Optional Block
Authorization Servers are configured separately in the ‘Shared Objects’ section of the Web App & API Protection workspace and used to fetch JWKS for JWT validation
See Authorization Servers below.
JWT Validation Authorization Server Authorization Servers
An authorization_servers block (within jwt_validation.authorization_server) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
JWT Validation Jwks Config
A jwks_config block (within jwt_validation) supports the following:
• cleartext - Optional String
The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details
JWT Validation Mandatory Claims
A mandatory_claims block (within jwt_validation) supports the following:
• claim_names - Optional List
Claim Names. Human-readable name for the resource
JWT Validation Reserved Claims
A reserved_claims block (within jwt_validation) supports the following:
• audience - Optional Block
Audiences
See Audience below.
• audience_disable - Optional Block
Configuration parameter for audience disable
• issuer - Optional String
Exact Match
• issuer_disable - Optional Block
Configuration parameter for issuer disable
• validate_period_disable - Optional Block
Configuration parameter for validate period disable
• validate_period_enable - Optional Block
Configuration parameter for validate period enable
JWT Validation Reserved Claims Audience
An audience block (within jwt_validation.reserved_claims) supports the following:
• audiences - Optional List
Values
JWT Validation Target
A target block (within jwt_validation) supports the following:
• all_endpoint - Optional Block
Enable this option
• api_groups - Optional Block
API Groups
See API Groups below.
• base_paths - Optional Block
Base Paths
See Base Paths below.
JWT Validation Target API Groups
An api_groups block (within jwt_validation.target) supports the following:
• api_groups - Optional List
API Groups
JWT Validation Target Base Paths
A base_paths block (within jwt_validation.target) supports the following:
• base_paths - Optional List
Prefix Values
JWT Validation Token Location
A token_location block (within jwt_validation) supports the following:
• bearer_token - Optional Block
Configuration parameter for bearer token
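The fragment below is an added example, not the provider's own: it assembles the jwt_validation blocks listed above into a policy that checks issuer, audience, validity period and required claims rather than the signature alone. The issuer URL, audience, claim names, base path and the `jwks_cleartext` variable are constructed values, the empty `{}` block syntax is an assumption, and the other resource arguments from Example Usage are omitted.

```hcl
# JWKS (RFC 7517) supplied from outside the configuration. The encoding
# the API expects for this string is not stated on this page.
variable "jwks_cleartext" {
  description = "JWKS used to verify tokens issued by the authorization server"
  type        = string
}

resource "f5xc_http_loadbalancer" "jwt_example" {
  name      = "example-jwt-loadbalancer"
  namespace = "staging"

  # Remaining arguments as in Example Usage; omitted from this fragment.

  jwt_validation {
    # The action block lists two choices: block and report. By their names
    # (an assumption, the page gives no description) block enforces the
    # result and report only records it.
    action {
      block {}
    }

    # Keys used for signature verification. authorization_server is the
    # listed alternative that references a shared Authorization Server
    # object used to fetch the JWKS.
    jwks_config {
      cleartext = var.jwks_cleartext
    }

    reserved_claims {
      # Exact-match issuer check. issuer_disable is the listed opt-out.
      issuer = "https://idp.example.com/"

      # Accepted audience values. audience_disable is the listed opt-out.
      audience {
        audiences = ["orders-api"]
      }

      # Validity period check. validate_period_disable is the listed opt-out.
      validate_period_enable {}
    }

    # Claims that must be present in every token.
    mandatory_claims {
      claim_names = ["sub", "scope"]
    }

    # Validate only under this path prefix. all_endpoint and api_groups
    # are the other listed targets.
    target {
      base_paths {
        base_paths = ["/api/"]
      }
    }

    # Read the token as a bearer token.
    token_location {
      bearer_token {}
    }
  }
}
```

When reviewing an existing configuration, the presence of `issuer_disable`, `audience_disable` or `validate_period_disable` is worth flagging, since each switches off one of the reserved-claim checks.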
L7 DDOS Action Js Challenge
A l7_ddos_action_js_challenge block supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
• js_script_delay - Optional Number
Delay introduced by JavaScript, in milliseconds
L7 DDOS Protection
A l7_ddos_protection block supports the following:
• clientside_action_captcha_challenge - Optional Block
Enables loadbalancer to perform captcha challenge. Captcha challenge will be based on Google Recaptcha. With this feature enabled, only clients that pass the captcha challenge will be allowed to complete the HTTP request. When loadbalancer is configured to do Captcha Challenge, it will redirect
See client-side Action Captcha Challenge below.
• clientside_action_js_challenge - Optional Block
Enables loadbalancer to perform client browser compatibility test by redirecting to a page with JavaScript. With this feature enabled, only clients that are capable of executing JavaScript (mostly browsers) will be allowed to complete the HTTP request. When loadbalancer is configured to do
See client-side Action Js Challenge below.
• clientside_action_none - Optional Block
Enable this option
• ddos_policy_custom - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See DDOS Policy Custom below.
• ddos_policy_none - Optional Block
Configuration parameter for DDOS policy none
• default_rps_threshold - Optional Block
Configuration parameter for default rps threshold
• mitigation_block - Optional Block
Enable this option
• mitigation_captcha_challenge - Optional Block
Enables loadbalancer to perform captcha challenge. Captcha challenge will be based on Google Recaptcha. With this feature enabled, only clients that pass the captcha challenge will be allowed to complete the HTTP request. When loadbalancer is configured to do Captcha Challenge, it will redirect
See Mitigation Captcha Challenge below.
• mitigation_js_challenge - Optional Block
Enables loadbalancer to perform client browser compatibility test by redirecting to a page with JavaScript. With this feature enabled, only clients that are capable of executing JavaScript (mostly browsers) will be allowed to complete the HTTP request. When loadbalancer is configured to do
See Mitigation Js Challenge below.
• rps_threshold - Optional Number
Configure custom RPS threshold
L7 DDOS Protection client-side Action Captcha Challenge
A clientside_action_captcha_challenge block (within l7_ddos_protection) supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
L7 DDOS Protection client-side Action Js Challenge
A clientside_action_js_challenge block (within l7_ddos_protection) supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
• js_script_delay - Optional Number
Delay introduced by JavaScript, in milliseconds
L7 DDOS Protection DDOS Policy Custom
A ddos_policy_custom block (within l7_ddos_protection) supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
L7 DDOS Protection Mitigation Captcha Challenge
A mitigation_captcha_challenge block (within l7_ddos_protection) supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
L7 DDOS Protection Mitigation Js Challenge
A mitigation_js_challenge block (within l7_ddos_protection) supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
• js_script_delay - Optional Number
Delay introduced by JavaScript, in milliseconds
Malware Protection Settings
A malware_protection_settings block supports the following:
• malware_protection_rules - Optional Block
Configure the match criteria to trigger Malware Protection Scan
See Malware Protection Rules below.
Malware Protection Settings Malware Protection Rules
A malware_protection_rules block (within malware_protection_settings) supports the following:
• action - Optional Block
Action. X-displayName: ‘Action’
See Action below.
• domain - Optional Block
Domain name for routing and identification
See Domain below.
• http_methods - Optional List Defaults to ANY
See HTTP Methods
HTTP Methods. Methods to be matched
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• path - Optional Block
Path match of the URI can be a prefix match, an exact match, or a regular expression match
See Path below.
Malware Protection Settings Malware Protection Rules Action
An action block (within malware_protection_settings.malware_protection_rules) supports the following:
• block - Optional Block
Enable this option
• report - Optional Block
Enable this option
Malware Protection Settings Malware Protection Rules Domain
A domain block (within malware_protection_settings.malware_protection_rules) supports the following:
• any_domain - Optional Block
Enable this option
• domain - Optional Block
Domain name for routing and identification
See Domain below.
Malware Protection Settings Malware Protection Rules Domain Domain
Deeply nested Domain block collapsed for readability.
Malware Protection Settings Malware Protection Rules Metadata
A metadata block (within malware_protection_settings.malware_protection_rules) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
Malware Protection Settings Malware Protection Rules Path
A path block (within malware_protection_settings.malware_protection_rules) supports the following:
• path - Optional String
Exact path value to match
• prefix - Optional String
Path prefix to match (e.g. The value / will match on all paths)
• regex - Optional String
Regular expression of path match (e.g. The value .* will match on all paths)
More Option
A more_option block supports the following:
• buffer_policy - Optional Block
Some upstream applications are not capable of handling streamed data. This config enables buffering the entire request before sending to upstream application. We can specify the maximum buffer size and buffer interval with this config
See Buffer Policy below.
• compression_params - Optional Block
Enables loadbalancer to compress dispatched data from an upstream service upon client request. The content is compressed and then sent to the client with the appropriate headers if either response and request allow. Only GZIP compression is supported
See Compression Params below.
• custom_errors - Optional Block
Map of integer error codes as keys and string values that can be used to provide custom HTTP pages for each error code. The key of the map can be either a response code class or an HTTP error code. Response code classes are configured as keys as follows: 3 for the 3xx response code class, 4 for 4xx
• disable_default_error_pages - Optional Bool
Disable the use of default F5XC error pages
• disable_path_normalize - Optional Block
Enable this option
• enable_path_normalize - Optional Block
Enable this option
• idle_timeout - Optional Number
The amount of time that a stream can exist without upstream or downstream activity, in milliseconds. The stream is terminated with an HTTP 504 (Gateway Timeout) error code if no upstream response header has been received, otherwise the stream is reset
• max_request_header_size - Optional Number
The maximum request header size for downstream connections, in KiB. An HTTP 431 (Request Header Fields Too Large) error code is sent for requests that exceed this size. If multiple load balancers share the same advertise_policy, the highest value configured across all such load balancers is used
• max_requests_per_connection - Optional Number
Sets the maximum number of requests a downstream client can send over a single connection to Envoy. Enter a value >=1 to define the request limit per connection
• no_request_limit_per_connection - Optional Block
Configuration parameter for no request limit per connection
• request_cookies_to_add - Optional Block
Cookies are key-value pairs to be added to HTTP request being routed towards upstream. Cookies specified at this level are applied after cookies from matched Route are applied
See Request Cookies To Add below.
• request_cookies_to_remove - Optional List
List of keys of Cookies to be removed from the HTTP request being sent towards upstream
• request_headers_to_add - Optional Block
Headers are key-value pairs to be added to HTTP request being routed towards upstream. Headers specified at this level are applied after headers from matched Route are applied
See Request Headers To Add below.
• request_headers_to_remove - Optional List
List of keys of Headers to be removed from the HTTP request being sent towards upstream
• response_cookies_to_add - Optional Block
Cookies are name-value pairs along with optional attribute parameters to be added to HTTP response being sent towards downstream. Cookies specified at this level are applied after cookies from matched Route are applied
See Response Cookies To Add below.
• response_cookies_to_remove - Optional List
List of names of cookies to be removed from the HTTP response being sent towards downstream. The entire set-cookie header will be removed
• response_headers_to_add - Optional Block
Headers are key-value pairs to be added to HTTP response being sent towards downstream. Headers specified at this level are applied after headers from matched Route are applied
See Response Headers To Add below.
• response_headers_to_remove - Optional List
List of keys of Headers to be removed from the HTTP response being sent towards downstream
More Option Buffer Policy
A buffer_policy block (within more_option) supports the following:
• disabled - Optional Bool
Disable buffering for a particular route. This is useful when virtual-host has buffering, but we need to disable it on a specific route. The value of this field is ignored for virtual-host
• max_request_bytes - Optional Number
The maximum request size that the filter will buffer before the connection manager will stop buffering and return a RequestEntityTooLarge (413) response
More Option Compression Params
A compression_params block (within more_option) supports the following:
• content_length - Optional Number Defaults to 30
Minimum response length, in bytes, which will trigger compression. The
• content_type - Optional List
Set of strings that allows specifying which mime-types yield compression. When this field is not defined, compression will be applied to the following mime-types: ‘application/javascript’, ‘application/json’, ‘application/xhtml+xml’, ‘image/svg+xml’, ‘text/css’, ‘text/html’, ‘text/plain’, ‘text/xml’
• disable_on_etag_header - Optional Bool
If true, disables compression when the response contains an etag header. When it is false, weak etags will be preserved and the ones that require strong validation will be removed
• remove_accept_encoding_header - Optional Bool
If true, removes accept-encoding from the request headers before dispatching it to the upstream so that responses do not get compressed before reaching the filter
More Option Request Cookies To Add
A request_cookies_to_add block (within more_option) supports the following:
• name - Optional String
Name of the cookie in Cookie header
• overwrite - Optional Bool
Should the value be overwritten? If true, the value is overwritten to existing values. The default is do not overwrite
• secret_value - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Secret Value below.
• value - Optional String
Value of the Cookie header
More Option Request Cookies To Add Secret Value
Deeply nested Value block collapsed for readability.
More Option Request Cookies To Add Secret Value Blindfold Secret Info
Deeply nested Info block collapsed for readability.
More Option Request Cookies To Add Secret Value Clear Secret Info
Deeply nested Info block collapsed for readability.
More Option Request Headers To Add
A request_headers_to_add block (within more_option) supports the following:
• append - Optional Bool
Should the value be appended? If true, the value is appended to existing values. The default is do not append
• name - Optional String
Name. Name of the HTTP header
• secret_value - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Secret Value below.
• value - Optional String
Value of the HTTP header
More Option Request Headers To Add Secret Value
Deeply nested Value block collapsed for readability.
More Option Request Headers To Add Secret Value Blindfold Secret Info
Deeply nested Info block collapsed for readability.
More Option Request Headers To Add Secret Value Clear Secret Info
Deeply nested Info block collapsed for readability.
More Option Response Cookies To Add
A response_cookies_to_add block (within more_option) supports the following:
• add_domain - Optional String
Add domain attribute
• add_expiry - Optional String
Add expiry attribute
• add_httponly - Optional Block
Configuration parameter for add httponly
• add_partitioned - Optional Block
Configuration parameter for add partitioned
• add_path - Optional String
Add path attribute
• add_secure - Optional Block
Enable this option
• ignore_domain - Optional Block
Configuration parameter for ignore domain
• ignore_expiry - Optional Block
Configuration parameter for ignore expiry
• ignore_httponly - Optional Block
Configuration parameter for ignore httponly
• ignore_max_age - Optional Block
Configuration parameter for ignore max age
• ignore_partitioned - Optional Block
Configuration parameter for ignore partitioned
• ignore_path - Optional Block
Enable this option
• ignore_samesite - Optional Block
Enable this option
• ignore_secure - Optional Block
Enable this option
• ignore_value - Optional Block
Configuration parameter for ignore value
• max_age_value - Optional Number
Add max age attribute
• name - Optional String
Name of the cookie in Cookie header
• overwrite - Optional Bool
Should the value be overwritten? If true, the value is overwritten to existing values. The default is do not overwrite
• samesite_lax - Optional Block
Enable this option
• samesite_none - Optional Block
Enable this option
• samesite_strict - Optional Block
Enable this option
• secret_value - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Secret Value below.
• value - Optional String
Value of the Cookie header
More Option Response Cookies To Add Secret Value
Deeply nested Value block collapsed for readability.
More Option Response Cookies To Add Secret Value Blindfold Secret Info
Deeply nested Info block collapsed for readability.
More Option Response Cookies To Add Secret Value Clear Secret Info
Deeply nested Info block collapsed for readability.
More Option Response Headers To Add
A response_headers_to_add block (within more_option) supports the following:
• append - Optional Bool
Should the value be appended? If true, the value is appended to existing values. The default is do not append
• name - Optional String
Name. Name of the HTTP header
• secret_value - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Secret Value below.
• value - Optional String
Value of the HTTP header
More Option Response Headers To Add Secret Value
Deeply nested Value block collapsed for readability.
More Option Response Headers To Add Secret Value Blindfold Secret Info
Deeply nested Info block collapsed for readability.
More Option Response Headers To Add Secret Value Clear Secret Info
Deeply nested Info block collapsed for readability.
Origin Server Subset Rule List
An origin_server_subset_rule_list block supports the following:
• origin_server_subset_rules - Optional Block
Origin Server Subset Rules allow users to define match condition on Client (IP address, ASN, Country), IP Reputation, Regional Edge names, Request for subset selection of origin servers. Origin Server Subset is a sequential engine where rules are evaluated one after the other. It’s important to
See Origin Server Subset Rules below.
Origin Server Subset Rule List Origin Server Subset Rules
Deeply nested Rules block collapsed for readability.
Origin Server Subset Rule List Origin Server Subset Rules Asn List
Deeply nested List block collapsed for readability.
Origin Server Subset Rule List Origin Server Subset Rules Asn Matcher
Deeply nested Matcher block collapsed for readability.
Origin Server Subset Rule List Origin Server Subset Rules Asn Matcher Asn Sets
Deeply nested Sets block collapsed for readability.
Origin Server Subset Rule List Origin Server Subset Rules Client Selector
Deeply nested Selector block collapsed for readability.
Origin Server Subset Rule List Origin Server Subset Rules IP Matcher
Deeply nested Matcher block collapsed for readability.
Origin Server Subset Rule List Origin Server Subset Rules IP Matcher Prefix Sets
Deeply nested Sets block collapsed for readability.
Origin Server Subset Rule List Origin Server Subset Rules IP Prefix List
Deeply nested List block collapsed for readability.
Origin Server Subset Rule List Origin Server Subset Rules Metadata
Deeply nested Metadata block collapsed for readability.
Policy Based Challenge
A policy_based_challenge block supports the following:
• always_enable_captcha_challenge - Optional Block
Configuration parameter for always enable captcha challenge
• always_enable_js_challenge - Optional Block
Configuration parameter for always enable js challenge
• captcha_challenge_parameters - Optional Block
Enables loadbalancer to perform captcha challenge. Captcha challenge will be based on Google Recaptcha. With this feature enabled, only clients that pass the captcha challenge will be allowed to complete the HTTP request. When loadbalancer is configured to do Captcha Challenge, it will redirect
See Captcha Challenge Parameters below.
• default_captcha_challenge_parameters - Optional Block
Configuration parameter for default captcha challenge parameters
• default_js_challenge_parameters - Optional Block
Configuration parameter for default js challenge parameters
• default_mitigation_settings - Optional Block
Enable this option
• default_temporary_blocking_parameters - Optional Block
Enable this option
• js_challenge_parameters - Optional Block
Enables loadbalancer to perform client browser compatibility test by redirecting to a page with JavaScript. With this feature enabled, only clients that are capable of executing JavaScript (mostly browsers) will be allowed to complete the HTTP request. When loadbalancer is configured to do
See Js Challenge Parameters below.
• malicious_user_mitigation - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Malicious User Mitigation below.
• no_challenge - Optional Block
Configuration parameter for no challenge
• rule_list - Optional Block
List of challenge rules to be used in policy based challenge
See Rule List below.
• temporary_user_blocking - Optional Block
Specifies configuration for temporary user blocking resulting from user behavior analysis. When Malicious User Mitigation is enabled from service policy rules, users accessing the application will be analyzed for malicious activity and the configured mitigation actions will be taken on
See Temporary User Blocking below.
Policy Based Challenge Captcha Challenge Parameters
A captcha_challenge_parameters block (within policy_based_challenge) supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
Policy Based Challenge Js Challenge Parameters
A js_challenge_parameters block (within policy_based_challenge) supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in base64 format
• js_script_delay - Optional Number
Delay introduced by JavaScript, in milliseconds
Policy Based Challenge Malicious User Mitigation
A malicious_user_mitigation block (within policy_based_challenge) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route) then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route) then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route) then tenant will hold the referred object’s (e.g. Route’s) tenant
Policy Based Challenge Rule List
A rule_list block (within policy_based_challenge) supports the following:
• rules - Optional Block
Rules that specify the match conditions and challenge type to be launched. When a challenge type is selected to be always enabled, these rules can be used to disable challenge or launch a different challenge for requests that match the specified conditions
See Rules below.
Policy Based Challenge Rule List Rules
A rules block (within policy_based_challenge.rule_list) supports the following:
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• spec - Optional Block
Challenge Rule consists of an unordered list of predicates and an action. The predicates are evaluated against a set of input fields that are extracted from or derived from an L7 request API. A request API is considered to match the rule if all predicates in the rule evaluate to true for that
See Spec below.
Policy Based Challenge Rule List Rules Metadata
A metadata block (within policy_based_challenge.rule_list.rules) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
Policy Based Challenge Rule List Rules Spec
A spec block (within policy_based_challenge.rule_list.rules) supports the following:
• any_asn - Optional Block
Enable this option
• any_client - Optional Block
Enable this option
• any_ip - Optional Block
Enable this option
• arg_matchers - Optional Block
List of predicates for all POST args that need to be matched. The criteria for matching each arg are described in individual instances of ArgMatcherType. The actual arg values are extracted from the request API as a list of strings for each arg selector name
See Arg Matchers below.
• asn_list - Optional Block
Unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer
See Asn List below.
• asn_matcher - Optional Block
Match any AS number contained in the list of bgp_asn_sets
See Asn Matcher below.
• body_matcher - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Body Matcher below.
• client_selector - Optional Block
Type can be used to establish a ‘selector reference’ from one object (called selector) to a set of other objects (called selectees) based on the value of expressions. A label selector is a label query over a set of resources. An empty label selector matches all objects
See Client Selector below.
• cookie_matchers - Optional Block
List of predicates for all cookies that need to be matched. The criteria for matching each cookie are described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name
See Cookie Matchers below.
• disable_challenge - Optional Block
Configuration parameter for disable challenge
• domain_matcher - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Domain Matcher below.
• enable_captcha_challenge - Optional Block
Configuration parameter for enable captcha challenge
• enable_javascript_challenge - Optional Block
Enable this option
• expiration_timestamp - Optional String
Specifies the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore
• headers - Optional Block
List of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type
See Headers below.
• http_method - Optional Block
HTTP method matcher specifies a list of methods to match an input HTTP method. The match is considered successful if the input method is a member of the list. The result of the match based on the method list is inverted if invert_matcher is true
See HTTP Method below.
• ip_matcher - Optional Block
Match any IP prefix contained in the list of ip_prefix_sets. The result of the match is inverted if invert_matcher is true
See IP Matcher below.
• ip_prefix_list - Optional Block
List of IP Prefix strings to match against
See IP Prefix List below.
• path - Optional Block
Path matcher specifies multiple criteria for matching an HTTP path string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of path prefixes, a list of exact path values and a list of regular expressions
See Path below.
• query_params - Optional Block
List of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query
See Query Params below.
• tls_fingerprint_matcher - Optional Block
TLS fingerprint matcher specifies multiple criteria for matching a TLS fingerprint. The set of supported positive match criteria includes a list of known classes of TLS fingerprints and a list of exact values. The match is considered successful if either of these positive criteria is satisfied
See TLS Fingerprint Matcher below.
Policy Based Challenge Rule List Rules Spec Arg Matchers
Deeply nested Matchers block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Arg Matchers Item
Deeply nested Item block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Asn List
Deeply nested List block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Asn Matcher
Deeply nested Matcher block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Asn Matcher Asn Sets
Deeply nested Sets block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Body Matcher
Deeply nested Matcher block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Client Selector
Deeply nested Selector block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Cookie Matchers
Deeply nested Matchers block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Cookie Matchers Item
Deeply nested Item block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Domain Matcher
Deeply nested Matcher block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Headers
Deeply nested Headers block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Headers Item
Deeply nested Item block collapsed for readability.
Policy Based Challenge Rule List Rules Spec HTTP Method
Deeply nested Method block collapsed for readability.
Policy Based Challenge Rule List Rules Spec IP Matcher
Deeply nested Matcher block collapsed for readability.
Policy Based Challenge Rule List Rules Spec IP Matcher Prefix Sets
Deeply nested Sets block collapsed for readability.
Policy Based Challenge Rule List Rules Spec IP Prefix List
Deeply nested List block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Path
Deeply nested Path block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Query Params
Deeply nested Params block collapsed for readability.
Policy Based Challenge Rule List Rules Spec Query Params Item
Deeply nested Item block collapsed for readability.
Policy Based Challenge Rule List Rules Spec TLS Fingerprint Matcher
Deeply nested Matcher block collapsed for readability.
Policy Based Challenge Temporary User Blocking
A temporary_user_blocking block (within policy_based_challenge) supports the following:
• custom_page - Optional String
Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in base64 format. You can specify this message as a base64 encoded plain text message, e.g. ‘Blocked.’, or it can be an HTML paragraph or a body string encoded as a base64 string, e.g. ‘<p> Blocked
Protected Cookies
A protected_cookies block supports the following:
• add_httponly - Optional Block
Configuration parameter for add httponly
• add_secure - Optional Block
Enable this option
• disable_tampering_protection - Optional Block
Configuration parameter for disable tampering protection
• enable_tampering_protection - Optional Block
Configuration parameter for enable tampering protection
• ignore_httponly - Optional Block
Configuration parameter for ignore httponly
• ignore_max_age - Optional Block
Configuration parameter for ignore max age
• ignore_samesite - Optional Block
Enable this option
• ignore_secure - Optional Block
Enable this option
• max_age_value - Optional Number
Add max age attribute
• name - Optional String
Cookie Name. Name of the Cookie
• samesite_lax - Optional Block
Enable this option
• samesite_none - Optional Block
Enable this option
• samesite_strict - Optional Block
Enable this option
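A protected_cookies configuration built only from the attributes listed above, as an added example that is not taken from the provider's own documentation. The cookie names are hypothetical, the empty-block form for the option blocks follows `api_discovery_from_live_traffic {}` in Example Usage and is an assumption for these attributes, and the effect noted for each ignore_* option is assumed from its name.

```hcl
resource "f5xc_http_loadbalancer" "example" {
  # name, namespace and the other required arguments from Example Usage
  # are omitted; only the protected_cookies blocks are shown.

  # Session cookie (hypothetical name): the load balancer adds the
  # attributes the origin may have left out.
  protected_cookies {
    name = "session_id"

    add_secure {}                  # Secure: cookie is only sent over HTTPS
    add_httponly {}                # HttpOnly: not readable from page scripts
    samesite_strict {}             # SameSite=Strict: not sent cross-site
    enable_tampering_protection {} # tampering protection on for this cookie
    max_age_value = 3600           # Max-Age attribute (seconds in the cookie spec)
  }

  # Preference cookie (hypothetical name): assumed to keep whatever
  # attributes the origin set, with tampering protection off.
  protected_cookies {
    name = "ui_theme"

    ignore_secure {}
    ignore_httponly {}
    ignore_samesite {}
    ignore_max_age {}
    disable_tampering_protection {}
  }
}
```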
Rate Limit
A rate_limit block supports the following:
• custom_ip_allowed_list - Optional Block
IP Allowed list using existing ip_prefix_set objects
See Custom IP Allowed List below.
• ip_allowed_list - Optional Block
List of IPv4 prefixes that represent an endpoint
See IP Allowed List below.
• no_ip_allowed_list - Optional Block
Enable this option
• no_policies - Optional Block
Configuration parameter for no policies
• policies - Optional Block
List of rate limiter policies to be applied
See Policies below.
• rate_limiter - Optional Block
Tuple consisting of a rate limit period unit and the total number of allowed requests for that period
See Rate Limiter below.
Rate Limit Custom IP Allowed List
A custom_ip_allowed_list block (within rate_limit) supports the following:
• rate_limiter_allowed_prefixes - Optional Block
References to ip_prefix_set objects. Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting
See Rate Limiter Allowed Prefixes below.
Rate Limit Custom IP Allowed List Rate Limiter Allowed Prefixes
Deeply nested Prefixes block collapsed for readability.
Rate Limit IP Allowed List
An ip_allowed_list block (within rate_limit) supports the following:
• prefixes - Optional List
List of IPv4 prefixes that represent an endpoint
Rate Limit Policies
A policies block (within rate_limit) supports the following:
• policies - Optional Block
Ordered list of rate limiter policies
See Policies below.
Rate Limit Policies Policies
A policies block (within rate_limit.policies) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route) then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route) then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route) then tenant will hold the referred object’s (e.g. Route’s) tenant
Rate Limit Rate Limiter
A rate_limiter block (within rate_limit) supports the following:
• action_block - Optional Block
Action where a user is blocked from making further requests after exceeding rate limit threshold
See Action Block below.
• burst_multiplier - Optional Number
The maximum burst of requests to accommodate, expressed as a multiple of the rate
• disabled - Optional Block
Enable this option
• leaky_bucket - Optional Block
Leaky-Bucket is the default rate limiter algorithm for F5
• period_multiplier - Optional Number
Setting, combined with Per Period units, provides a duration
• token_bucket - Optional Block
Token-Bucket is a rate limiter algorithm that is stricter with enforcing limits
• total_number - Optional Number
The total number of allowed requests per rate-limiting period
• unit - Optional String Defaults to SECOND
Possible values are SECOND, MINUTE, HOUR, DAY
Unit for the period per which the rate limit is applied.
- SECOND: Rate limit period unit is seconds
- MINUTE: Rate limit period unit is minutes
- HOUR: Rate limit period unit is hours
- DAY: Rate limit period unit is days
Rate Limit Rate Limiter Action Block
An action_block block (within rate_limit.rate_limiter) supports the following:
• hours - Optional Block
Input Duration Hours
See Hours below.
• minutes - Optional Block
Input Duration Minutes
See Minutes below.
• seconds - Optional Block
Input Duration Seconds
See Seconds below.
Rate Limit Rate Limiter Action Block Hours
An hours block (within rate_limit.rate_limiter.action_block) supports the following:
• duration - Optional Number
Duration. Configuration parameter for duration
Rate Limit Rate Limiter Action Block Minutes
A minutes block (within rate_limit.rate_limiter.action_block) supports the following:
• duration - Optional Number
Duration. Configuration parameter for duration
Rate Limit Rate Limiter Action Block Seconds
A seconds block (within rate_limit.rate_limiter.action_block) supports the following:
• duration - Optional Number
Duration. Configuration parameter for duration
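How the rate_limit attributes above fit together in one block, as an added example that is not taken from the provider's own documentation. The numbers are constructed, the empty-block form for the option blocks follows `api_discovery_from_live_traffic {}` in Example Usage and is an assumption here, and treating each pair of alternatives (for instance token_bucket and leaky_bucket) as mutually exclusive is also an assumption.

```hcl
resource "f5xc_http_loadbalancer" "example" {
  # name, namespace and the other required arguments from Example Usage
  # are omitted; only the rate_limit block is shown.

  rate_limit {
    # Alternatives to the two lines below are ip_allowed_list /
    # custom_ip_allowed_list and policies.
    no_ip_allowed_list {} # no source prefixes are exempt from the limit
    no_policies {}        # no rate limiter policy objects are referenced

    rate_limiter {
      # Period = period_multiplier x unit, so this is
      # 100 requests per 1 minute.
      total_number      = 100
      unit              = "MINUTE" # SECOND, MINUTE, HOUR or DAY
      period_multiplier = 1

      # Largest burst to accommodate, as a multiple of the rate.
      burst_multiplier = 2

      # Stricter of the two algorithms; leaky_bucket is the default.
      token_bucket {}

      # Block the user for 5 minutes once the threshold is exceeded.
      # The alternative duration blocks are hours and seconds, and
      # disabled is the alternative to action_block.
      action_block {
        minutes {
          duration = 5
        }
      }
    }
  }
}
```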
Ring Hash
A ring_hash block supports the following:
• hash_policy - Optional Block
Specifies a list of hash policies to use for ring hash load balancing. Each hash policy is evaluated individually and the combined result is used to route the request
See Hash Policy below.
Ring Hash Hash Policy
A hash_policy block (within ring_hash) supports the following:
• cookie - Optional Block
Two types of cookie affinity: 1. Passive. Takes a cookie that’s present in the cookies header and hashes on its value. 2. Generated. Generates and sets a cookie with an expiration (TTL) on the first request from the client in its response to the client, based on the endpoint the request gets
See Cookie below.
• header_name - Optional String
The name or key of the request header that will be used to obtain the hash key
• source_ip - Optional Bool
Hash based on source IP address
• terminal - Optional Bool
Terminal. Specify if it is a terminal policy
Ring Hash Hash Policy Cookie
A cookie block (within ring_hash.hash_policy) supports the following:
• add_httponly - Optional Block
Configuration parameter for add httponly
• add_secure - Optional Block
Enable this option
• ignore_httponly - Optional Block
Configuration parameter for ignore httponly
• ignore_samesite - Optional Block
Enable this option
• ignore_secure - Optional Block
Enable this option
• name - Optional String
The name of the cookie that will be used to obtain the hash key. If the cookie is not present and TTL below is not set, no hash will be produced
• path - Optional String
The name of the path for the cookie. If no path is specified here, no path will be set for the cookie
• samesite_lax - Optional Block
Enable this option
• samesite_none - Optional Block
Enable this option
• samesite_strict - Optional Block
Enable this option
• ttl - Optional Number
If specified, a cookie with the TTL will be generated if the cookie is not present. If the TTL is present and zero, the generated cookie will be a session cookie. TTL value is in milliseconds
Routes
A routes block supports the following:
• custom_route_object - Optional Block
Custom route uses a route object created outside of this view
See Custom Route Object below.
• direct_response_route - Optional Block
Direct response route matches on path, incoming header, incoming port and/or HTTP method and responds directly to the matching traffic
See Direct Response Route below.
• redirect_route - Optional Block
Redirect route matches on path, incoming header, incoming port and/or HTTP method and redirects the matching traffic to a different URL
See Redirect Route below.
• route_state_disabled - Optional Block
Enable this option
• route_state_enabled - Optional Block
Enable this option
• simple_route - Optional Block
Simple route matches on path, incoming header, incoming port and/or HTTP method and forwards the matching traffic to the associated pools
See Simple Route below.
Routes Custom Route Object
A custom_route_object block (within routes) supports the following:
• caching_disable - Optional Block
Configuration parameter for caching disable
• caching_inherit - Optional Block
Configuration parameter for caching inherit
• route_ref - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Route Ref below.
Routes Custom Route Object Route Ref
A route_ref block (within routes.custom_route_object) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route) then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route) then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route) then tenant will hold the referred object’s (e.g. Route’s) tenant
Routes Direct Response Route
A direct_response_route block (within routes) supports the following:
• headers - Optional Block
Headers. List of (key, value) headers
See Headers below.
• http_method - Optional String Defaults to ANY
See HTTP Methods
Specifies the HTTP method used to access a resource. Any HTTP Method
• incoming_port - Optional Block
Port match of the request can be a range or a specific port
See Incoming Port below.
• path - Optional Block
Path match of the URI can be a prefix match, an exact match or a regular expression match
See Path below.
• route_direct_response - Optional Block
Send this direct response in case of route match action is direct response
See Route Direct Response below.
Routes Direct Response Route Headers
A headers block (within routes.direct_response_route) supports the following:
• exact - Optional String
Header value to match exactly
• invert_match - Optional Bool
Invert the result of the match to detect missing header or non-matching value
• name - Optional String
Name. Name of the header
• presence - Optional Bool
If true, check for presence of header
• regex - Optional String
Regex match of the header value in re2 format
Routes Direct Response Route Incoming Port
An incoming_port block (within routes.direct_response_route) supports the following:
• no_port_match - Optional Block
Enable this option
• port - Optional Number
Exact Port to match
• port_ranges - Optional String
Port range to match
Routes Direct Response Route Path
A path block (within routes.direct_response_route) supports the following:
• path - Optional String
Exact path value to match
• prefix - Optional String
Path prefix to match (e.g. The value / will match on all paths)
• regex - Optional String
Regular expression of path match (e.g. The value .* will match on all paths)
Routes Direct Response Route Route Direct Response
A route_direct_response block (within routes.direct_response_route) supports the following:
• response_body_encoded - Optional String
Response body to send. The only URL scheme currently supported is string:///, for which the message should be encoded in base64 format. The message can be either plain text or HTML
• response_code - Optional Number
Response Code. Response code to send
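A direct_response_route that answers a path prefix with a fixed 403 body, showing the string:/// plus base64 encoding that response_body_encoded expects; this is an added example, not taken from the provider's own documentation. The path, the body text and the local name are constructed, and the empty-block form of no_port_match follows `api_discovery_from_live_traffic {}` in Example Usage and is an assumption here.

```hcl
locals {
  # Constructed sample body; plain text and HTML are both accepted.
  forbidden_body = "<p>This path is not served from the public load balancer.</p>"
}

resource "f5xc_http_loadbalancer" "example" {
  # name, namespace and the other required arguments from Example Usage
  # are omitted; only the routes block is shown.

  routes {
    direct_response_route {
      http_method = "ANY" # the documented default, stated explicitly

      path {
        prefix = "/admin" # hypothetical path; a prefix also covers /admin/...
      }

      incoming_port {
        no_port_match {} # do not restrict the match to a port
      }

      route_direct_response {
        response_code = 403

        # Terraform's base64encode() produces the base64 text; the
        # string:/// scheme prefix is added in front of it.
        response_body_encoded = "string:///${base64encode(local.forbidden_body)}"
      }
    }
  }
}
```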
Routes Redirect Route
A redirect_route block (within routes) supports the following:
• headers - Optional Block
Headers. List of (key, value) headers
See Headers below.
• http_method - Optional String Defaults to ANY
See HTTP Methods
Specifies the HTTP method used to access a resource. Any HTTP Method
• incoming_port - Optional Block
Port match of the request can be a range or a specific port
See Incoming Port below.
• path - Optional Block
Path match of the URI can be a prefix match, an exact match or a regular expression match
See Path below.
• route_redirect - Optional Block
Route redirect parameters when match action is redirect
See Route Redirect below.
Routes Redirect Route Headers
A headers block (within routes.redirect_route) supports the following:
• exact - Optional String
Header value to match exactly
• invert_match - Optional Bool
Invert the result of the match to detect missing header or non-matching value
• name - Optional String
Name. Name of the header
• presence - Optional Bool
If true, check for presence of header
• regex - Optional String
Regex match of the header value in re2 format
Routes Redirect Route Incoming Port
An incoming_port block (within routes.redirect_route) supports the following:
• no_port_match - Optional Block
Enable this option
• port - Optional Number
Exact Port to match
• port_ranges - Optional String
Port range to match
Routes Redirect Route Path
A path block (within routes.redirect_route) supports the following:
• path - Optional String
Exact path value to match
• prefix - Optional String
Path prefix to match (e.g. The value / will match on all paths)
• regex - Optional String
Regular expression of path match (e.g. The value .* will match on all paths)
Routes Redirect Route Route Redirect
A route_redirect block (within routes.redirect_route) supports the following:
• host_redirect - Optional String
Swap host part of incoming URL in redirect URL
• path_redirect - Optional String
Swap path part of incoming URL in redirect URL
• prefix_rewrite - Optional String
In Redirect response, the matched prefix (or path) should be swapped with this value. This option allows redirect URLs to be dynamically created based on the request
• proto_redirect - Optional String
Swap protocol part of incoming URL in redirect URL. The protocol can be swapped with either HTTP or HTTPS. When incoming-proto option is specified, swapping of protocol is not done
• remove_all_params - Optional Block
Configuration parameter for remove all params
• replace_params - Optional String
• response_code - Optional Number
The HTTP status code to use in the redirect response
• retain_all_params - Optional Block
Configuration parameter for retain all params
Routes Simple Route
A simple_route block (within routes) supports the following:
• advanced_options - Optional Block
Configure advanced options for route like path rewrite, hash policy, etc
See Advanced Options below.
• auto_host_rewrite - Optional Block
Enable this option
• caching_disable - Optional Block
Configuration parameter for caching disable
• caching_inherit - Optional Block
Configuration parameter for caching inherit
• disable_host_rewrite - Optional Block
Enable this option
• headers - Optional Block
Headers. List of (key, value) headers
See Headers below.
• host_rewrite - Optional String
Host header will be swapped with this value
• http_method - Optional String Defaults to ANY
See HTTP Methods
Specifies the HTTP method used to access a resource. Any HTTP Method
• incoming_port - Optional Block
Port match of the request can be a range or a specific port
See Incoming Port below.
• origin_pools - Optional Block
Origin Pools for this route
See Origin Pools below.
• path - Optional Block
Path match of the URI can be either prefix match, exact match, or regular expression match
See Path below.
• query_params - Optional Block
Handling of incoming query parameters in simple route
See Query Params below.
Routes Simple Route Advanced Options
An advanced_options block (within routes.simple_route) supports the following:
• app_firewall - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See App Firewall below.
• bot_defense_javascript_injection - Optional Block
Bot Defense JavaScript Injection Configuration for inline bot defense deployments
See Bot Defense JavaScript Injection below.
• buffer_policy - Optional Block
Some upstream applications are not capable of handling streamed data. This config enables buffering the entire request before sending to upstream application. We can specify the maximum buffer size and buffer interval with this config
See Buffer Policy below.
• common_buffering - Optional Block
Configuration parameter for common buffering
• common_hash_policy - Optional Block
Policy configuration for this feature
• cors_policy - Optional Block
Cross-Origin Resource Sharing requests configuration specified at Virtual-host or Route level. Route level configuration takes precedence. An example of a cross-origin HTTP request GET /resources/public-data/ HTTP/1.1 Host: bar.other User-Agent: Mozilla/5.0 (Macintosh; U; Intel macOS X 10.5
See CORS Policy below.
• csrf_policy - Optional Block
To mitigate CSRF attacks, the policy checks where a request is coming from to determine if the request’s origin is the same as its destination. The policy relies on two pieces of information used in determining if a request originated from the same host. 1. The origin that caused the user agent to
See CSRF Policy below.
• default_retry_policy - Optional Block
Policy configuration for this feature
• disable_location_add - Optional Bool
Disables append of x-F5 Distributed Cloud-location = <RE-site-name> at route level, if it is configured at virtual-host level. This configuration is ignored on CE sites
• disable_mirroring - Optional Block
Configuration parameter for disable mirroring
• disable_prefix_rewrite - Optional Block
Configuration parameter for disable prefix rewrite
• disable_spdy - Optional Block
Configuration parameter for disable spdy
• disable_waf - Optional Block
Configuration parameter for disable WAF
• disable_web_socket_config - Optional Block
Enable this option
• do_not_retract_cluster - Optional Block
Enable this option
• enable_spdy - Optional Block
Configuration parameter for enable spdy
• endpoint_subsets - Optional Block
Upstream origin pool may be configured to divide its origin servers into subsets based on metadata attached to the origin servers. Routes may then specify the metadata that an endpoint must match in order to be selected by the load balancer. For origin servers which are discovered in K8S or Consul
• inherited_bot_defense_javascript_injection - Optional Block
Enable this option
• inherited_waf - Optional Block
Configuration parameter for inherited WAF
• inherited_waf_exclusion - Optional Block
Configuration parameter for inherited WAF exclusion
• mirror_policy - Optional Block
MirrorPolicy is used for shadowing traffic from one origin pool to another. The approach used is ‘fire and forget’, meaning it will not wait for the shadow origin pool to respond before returning the response from the primary origin pool. All normal statistics are collected for the shadow origin
See Mirror Policy below.
• no_retry_policy - Optional Block
Policy configuration for this feature
• prefix_rewrite - Optional String
prefix_rewrite indicates that during forwarding, the matched prefix (or path) should be swapped with its value. When using regex path matching, the entire path (not including the query string) will be swapped with this value
• priority - Optional String Defaults to DEFAULT
Possible values are DEFAULT, HIGH
[Enum: DEFAULT|HIGH] Priority routing for each request. Different connection pools are used based on the priority selected for the request. Also, circuit-breaker configuration at destination cluster is chosen based on selected priority
• regex_rewrite - Optional Block
RegexMatchRewrite describes how to match a string and then produce a new string using a regular expression and a substitution string
See Regex Rewrite below.
• request_cookies_to_add - Optional Block
Cookies are key-value pairs to be added to HTTP request being routed towards upstream. Cookies specified at this level are applied after cookies from matched Route are applied
See Request Cookies To Add below.
• request_cookies_to_remove - Optional List
List of keys of Cookies to be removed from the HTTP request being sent towards upstream
• request_headers_to_add - Optional Block
Headers are key-value pairs to be added to HTTP request being routed towards upstream
See Request Headers To Add below.
• request_headers_to_remove - Optional List
List of keys of Headers to be removed from the HTTP request being sent towards upstream
• response_cookies_to_add - Optional Block
Cookies are name-value pairs along with optional attribute parameters to be added to HTTP response being sent towards downstream. Cookies specified at this level are applied after cookies from matched Route are applied
See Response Cookies To Add below.
• response_cookies_to_remove - Optional List
List of name of Cookies to be removed from the HTTP response being sent towards downstream. Entire set-cookie header will be removed
• response_headers_to_add - Optional Block
Headers are key-value pairs to be added to HTTP response being sent towards downstream
See Response Headers To Add below.
• response_headers_to_remove - Optional List
List of keys of Headers to be removed from the HTTP response being sent towards downstream
• retract_cluster - Optional Block
Enable this option
• retry_policy - Optional Block
Retry policy configuration for route destination
See Retry Policy below.
• specific_hash_policy - Optional Block
Policy configuration for this feature
See Specific Hash Policy below.
• timeout - Optional Number
The timeout for the route including all retries, in milliseconds. Should be set to a high value or 0 (infinite timeout) for server-side streaming
• waf_exclusion_policy - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See WAF Exclusion Policy below.
• web_socket_config - Optional Block
Configuration to allow WebSocket. Request headers of such an upgrade look like: ‘connection’: ‘Upgrade’, ‘upgrade’: ‘WebSocket’. With configuration to allow WebSocket upgrade, ADC will produce the following response: ‘HTTP/1.1 101 Switching Protocols’, ‘Upgrade’: ‘WebSocket’, ‘Connection’: ‘Upgrade’
See Web Socket Config below.
Routes Simple Route Advanced Options App Firewall
An app_firewall block (within routes.simple_route.advanced_options) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Routes Simple Route Advanced Options Bot Defense JavaScript Injection
Deeply nested Injection block collapsed for readability.
Routes Simple Route Advanced Options Bot Defense JavaScript Injection JavaScript Tags
Deeply nested Tags block collapsed for readability.
Routes Simple Route Advanced Options Bot Defense JavaScript Injection JavaScript Tags Tag Attributes
Deeply nested Attributes block collapsed for readability.
Routes Simple Route Advanced Options Buffer Policy
A buffer_policy block (within routes.simple_route.advanced_options) supports the following:
• disabled - Optional Bool
Disable buffering for a particular route. This is useful when virtual-host has buffering, but we need to disable it on a specific route. The value of this field is ignored for virtual-host
• max_request_bytes - Optional Number
The maximum request size that the filter will buffer before the connection manager will stop buffering and return a RequestEntityTooLarge (413) response
Routes Simple Route Advanced Options CORS Policy
A cors_policy block (within routes.simple_route.advanced_options) supports the following:
• allow_credentials - Optional Bool
Specifies whether the resource allows credentials
• allow_headers - Optional String
Specifies the content for the access-control-allow-headers header
• allow_methods - Optional String
Specifies the content for the access-control-allow-methods header
• allow_origin - Optional List
Specifies the origins that will be allowed to do CORS requests. An origin is allowed if either allow_origin or allow_origin_regex match
• allow_origin_regex - Optional List
Specifies regex patterns that match allowed origins. An origin is allowed if either allow_origin or allow_origin_regex match
• disabled - Optional Bool
Disable the CorsPolicy for a particular route. This is useful when virtual-host has CorsPolicy, but we need to disable it on a specific route. The value of this field is ignored for virtual-host
• expose_headers - Optional String
Specifies the content for the access-control-expose-headers header
• maximum_age - Optional Number
Specifies the content for the access-control-max-age header in seconds. This indicates the maximum number of seconds the results can be cached A value of -1 will disable caching. Maximum permitted value is 86400 seconds (24 hours)
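A route-level cors_policy built only from the arguments listed above, with an overly permissive variant kept in comments for contrast. This is an added example, not taken from the provider's documentation; the path, pool name, origins and header names are constructed, the origin value format (scheme included) is an assumption, and the resource's other required arguments are omitted.

```hcl
# Added example: fragment of an f5xc_http_loadbalancer resource.
# Constructed values: the /api/ path, "example-api-pool", the
# app.example.com origins and the header names.
resource "f5xc_http_loadbalancer" "example" {
  # ... name, namespace and the other required arguments omitted ...

  routes {
    simple_route {
      path {
        prefix = "/api/"
      }

      origin_pools {
        pool {
          name      = "example-api-pool"
          namespace = "staging"
        }
      }

      advanced_options {
        # Overly permissive, shown for contrast only: the regex matches
        # every origin while credentialed requests are allowed.
        #
        # cors_policy {
        #   allow_origin_regex = [".*"]
        #   allow_credentials  = true
        # }

        # Restricted: one exact origin plus an anchored pattern for its
        # subdomains. An origin is allowed if either list matches, so both
        # lists need to be tight.
        cors_policy {
          # Assumption: origins are written with their scheme, as in the
          # Origin request header.
          allow_origin       = ["https://app.example.com"]
          allow_origin_regex = ["^https://[a-z0-9-]+\\.app\\.example\\.com$"]
          allow_credentials  = true
          allow_methods      = "GET, POST"
          allow_headers      = "content-type, authorization"
          expose_headers     = "x-request-id"
          maximum_age        = 600 # seconds; -1 disables caching, maximum 86400
        }
      }
    }
  }
}
```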
Routes Simple Route Advanced Options CSRF Policy
A csrf_policy block (within routes.simple_route.advanced_options) supports the following:
• all_load_balancer_domains - Optional Block
Configuration parameter for all load balancer domains
• custom_domain_list - Optional Block
List of domain names used for Host header matching
See Custom Domain List below.
• disabled - Optional Block
Enable this option
Routes Simple Route Advanced Options CSRF Policy Custom Domain List
Deeply nested List block collapsed for readability.
Routes Simple Route Advanced Options Mirror Policy
A mirror_policy block (within routes.simple_route.advanced_options) supports the following:
• origin_pool - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Origin Pool below.
• percent - Optional Block
Fraction used where sampling percentages are needed. Example sampled requests
See Percent below.
Routes Simple Route Advanced Options Mirror Policy Origin Pool
Deeply nested Pool block collapsed for readability.
Routes Simple Route Advanced Options Mirror Policy Percent
Deeply nested Percent block collapsed for readability.
Routes Simple Route Advanced Options Regex Rewrite
A regex_rewrite block (within routes.simple_route.advanced_options) supports the following:
• pattern - Optional String
The regular expression used to find portions of a string that should be replaced
• substitution - Optional String
The string that should be substituted into matching portions of the subject string during a substitution operation to produce a new string
Routes Simple Route Advanced Options Request Cookies To Add
Deeply nested Add block collapsed for readability.
Routes Simple Route Advanced Options Request Cookies To Add Secret Value
Deeply nested Value block collapsed for readability.
Routes Simple Route Advanced Options Request Cookies To Add Secret Value Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Routes Simple Route Advanced Options Request Cookies To Add Secret Value Clear Secret Info
Deeply nested Info block collapsed for readability.
Routes Simple Route Advanced Options Request Headers To Add
Deeply nested Add block collapsed for readability.
Routes Simple Route Advanced Options Request Headers To Add Secret Value
Deeply nested Value block collapsed for readability.
Routes Simple Route Advanced Options Request Headers To Add Secret Value Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Routes Simple Route Advanced Options Request Headers To Add Secret Value Clear Secret Info
Deeply nested Info block collapsed for readability.
Routes Simple Route Advanced Options Response Cookies To Add
Deeply nested Add block collapsed for readability.
Routes Simple Route Advanced Options Response Cookies To Add Secret Value
Deeply nested Value block collapsed for readability.
Routes Simple Route Advanced Options Response Cookies To Add Secret Value Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Routes Simple Route Advanced Options Response Cookies To Add Secret Value Clear Secret Info
Deeply nested Info block collapsed for readability.
Routes Simple Route Advanced Options Response Headers To Add
Deeply nested Add block collapsed for readability.
Routes Simple Route Advanced Options Response Headers To Add Secret Value
Deeply nested Value block collapsed for readability.
Routes Simple Route Advanced Options Response Headers To Add Secret Value Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Routes Simple Route Advanced Options Response Headers To Add Secret Value Clear Secret Info
Deeply nested Info block collapsed for readability.
Routes Simple Route Advanced Options Retry Policy
A retry_policy block (within routes.simple_route.advanced_options) supports the following:
• back_off - Optional Block
Specifies parameters that control retry back off
See Back Off below.
• num_retries - Optional Number Defaults to 1
Specifies the allowed number of retries. Retries can be done any number of times. An exponential back-off algorithm is used between each retry
• per_try_timeout - Optional Number
Specifies a non-zero timeout per retry attempt. In milliseconds
• retriable_status_codes - Optional List
HTTP status codes that should trigger a retry in addition to those specified by retry_on
• retry_condition - Optional List
Specifies the conditions under which retry takes place. Retries can be on different types of condition depending on application requirements. For example, network failure, all 5xx response codes, idempotent 4xx response codes, etc The possible values are ‘5xx’ : Retry will be done if the
Routes Simple Route Advanced Options Retry Policy Back Off
Deeply nested Off block collapsed for readability.
Routes Simple Route Advanced Options Specific Hash Policy
Deeply nested Policy block collapsed for readability.
Routes Simple Route Advanced Options Specific Hash Policy Hash Policy
Deeply nested Policy block collapsed for readability.
Routes Simple Route Advanced Options Specific Hash Policy Hash Policy Cookie
Deeply nested Cookie block collapsed for readability.
Routes Simple Route Advanced Options WAF Exclusion Policy
Deeply nested Policy block collapsed for readability.
Routes Simple Route Advanced Options Web Socket Config
Deeply nested Config block collapsed for readability.
Routes Simple Route Headers
A headers block (within routes.simple_route) supports the following:
• exact - Optional String
Header value to match exactly
• invert_match - Optional Bool
Invert the result of the match to detect missing header or non-matching value
• name - Optional String
Name. Name of the header
• presence - Optional Bool
If true, check for presence of header
• regex - Optional String
Regex match of the header value in re2 format
Routes Simple Route Incoming Port
An incoming_port block (within routes.simple_route) supports the following:
• no_port_match - Optional Block
Enable this option
• port - Optional Number
Exact Port to match
• port_ranges - Optional String
Port range to match
Routes Simple Route Origin Pools
An origin_pools block (within routes.simple_route) supports the following:
• cluster - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Cluster below.
• endpoint_subsets - Optional Block
Upstream origin pool may be configured to divide its origin servers into subsets based on metadata attached to the origin servers. Routes may then specify the metadata that an endpoint must match in order to be selected by the load balancer For origin servers which are discovered in K8S or Consul
• pool - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Pool below.
• priority - Optional Number
Priority of this origin pool, valid only with multiple origin pools. Value of 0 will make the pool the lowest priority origin pool. Priority of 1 means highest priority and is considered active. When active origin pool is not available, lower priority origin pools are made active as per the
• weight - Optional Number
Weight of this origin pool, valid only with multiple origin pools. Value of 0 will disable the pool
Routes Simple Route Origin Pools Cluster
A cluster block (within routes.simple_route.origin_pools) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Routes Simple Route Origin Pools Pool
A pool block (within routes.simple_route.origin_pools) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Routes Simple Route Path
A path block (within routes.simple_route) supports the following:
• path - Optional String
Exact path value to match
• prefix - Optional String
Path prefix to match (e.g. The value / will match on all paths)
• regex - Optional String
Regular expression of path match (e.g. The value .* will match on all paths)
Routes Simple Route Query Params
A query_params block (within routes.simple_route) supports the following:
• remove_all_params - Optional Block
Configuration parameter for remove all params
• replace_params - Optional String
• retain_all_params - Optional Block
Configuration parameter for retain all params
Sensitive Data Disclosure Rules
A sensitive_data_disclosure_rules block supports the following:
• sensitive_data_types_in_response - Optional Block
Sensitive Data Exposure Rules allows specifying rules to mask sensitive data fields in API responses
See Sensitive Data Types In Response below.
Sensitive Data Disclosure Rules Sensitive Data Types In Response
Deeply nested Response block collapsed for readability.
Sensitive Data Disclosure Rules Sensitive Data Types In Response API Endpoint
Deeply nested Endpoint block collapsed for readability.
Sensitive Data Disclosure Rules Sensitive Data Types In Response Body
Deeply nested Body block collapsed for readability.
Sensitive Data Policy
A sensitive_data_policy block supports the following:
• sensitive_data_policy_ref - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Sensitive Data Policy Ref below.
Sensitive Data Policy Sensitive Data Policy Ref
A sensitive_data_policy_ref block (within sensitive_data_policy) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Single LB App
A single_lb_app block supports the following:
• disable_discovery - Optional Block
Configuration parameter for disable discovery
• disable_malicious_user_detection - Optional Block
Configuration parameter for disable malicious user detection
• enable_discovery - Optional Block
Specifies the settings used for API discovery
See Enable Discovery below.
• enable_malicious_user_detection - Optional Block
Configuration parameter for enable malicious user detection
Single LB App Enable Discovery
An enable_discovery block (within single_lb_app) supports the following:
• api_crawler - Optional Block
API Crawling. API Crawler message
See API Crawler below.
• api_discovery_from_code_scan - Optional Block
Select codebase and Repositories
See API Discovery From Code Scan below.
• custom_api_auth_discovery - Optional Block
API Discovery Advanced Settings. API Discovery Advanced settings
See Custom API Auth Discovery below.
• default_api_auth_discovery - Optional Block
Enable this option
• disable_learn_from_redirect_traffic - Optional Block
Configuration parameter for disable learn from redirect traffic
• discovered_api_settings - Optional Block
Discovered API Settings. Configure Discovered API Settings
See Discovered API Settings below.
• enable_learn_from_redirect_traffic - Optional Block
Configuration parameter for enable learn from redirect traffic
Single LB App Enable Discovery API Crawler
An api_crawler block (within single_lb_app.enable_discovery) supports the following:
• api_crawler_config - Optional Block
Crawler Configure
See API Crawler Config below.
• disable_api_crawler - Optional Block
Enable this option
Single LB App Enable Discovery API Crawler API Crawler Config
Deeply nested Config block collapsed for readability.
Single LB App Enable Discovery API Crawler API Crawler Config Domains
Deeply nested Domains block collapsed for readability.
Single LB App Enable Discovery API Crawler API Crawler Config Domains Simple Login
Deeply nested Login block collapsed for readability.
Single LB App Enable Discovery API Crawler API Crawler Config Domains Simple Login Password
Deeply nested Password block collapsed for readability.
Single LB App Enable Discovery API Crawler API Crawler Config Domains Simple Login Password Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Single LB App Enable Discovery API Crawler API Crawler Config Domains Simple Login Password Clear Secret Info
Deeply nested Info block collapsed for readability.
Single LB App Enable Discovery API Discovery From Code Scan
Deeply nested Scan block collapsed for readability.
Single LB App Enable Discovery API Discovery From Code Scan Codebase Integrations
Deeply nested Integrations block collapsed for readability.
Single LB App Enable Discovery API Discovery From Code Scan Codebase Integrations Codebase Integration
Deeply nested Integration block collapsed for readability.
Single LB App Enable Discovery API Discovery From Code Scan Codebase Integrations Selected Repos
Deeply nested Repos block collapsed for readability.
Single LB App Enable Discovery Custom API Auth Discovery
Deeply nested Discovery block collapsed for readability.
Single LB App Enable Discovery Custom API Auth Discovery API Discovery Ref
Deeply nested Ref block collapsed for readability.
Single LB App Enable Discovery Discovered API Settings
Deeply nested Settings block collapsed for readability.
Slow DDOS Mitigation
A slow_ddos_mitigation block supports the following:
• disable_request_timeout - Optional Block
Configuration parameter for disable request timeout
• request_headers_timeout - Optional Number Defaults to 10000
The amount of time the client has to send only the headers on the request stream before the stream is cancelled. Specified in milliseconds. This setting provides protection against Slowloris attacks
• request_timeout - Optional Number
Timeouts
A timeouts block supports the following:
• create - Optional String (Defaults to 10 minutes)
Used when creating the resource
• delete - Optional String (Defaults to 10 minutes)
Used when deleting the resource
• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource
• update - Optional String (Defaults to 10 minutes)
Used when updating the resource
Trusted Clients
A trusted_clients block supports the following:
• actions - Optional List Defaults to SKIP_PROCESSING_WAF
Possible values are SKIP_PROCESSING_WAF, SKIP_PROCESSING_BOT, SKIP_PROCESSING_MUM, SKIP_PROCESSING_IP_REPUTATION, SKIP_PROCESSING_API_PROTECTION, SKIP_PROCESSING_OAS_VALIDATION, SKIP_PROCESSING_DDOS_PROTECTION, SKIP_PROCESSING_THREAT_MESH, SKIP_PROCESSING_MALWARE_PROTECTION
[Enum: SKIP_PROCESSING_WAF|SKIP_PROCESSING_BOT|SKIP_PROCESSING_MUM|SKIP_PROCESSING_IP_REPUTATION|SKIP_PROCESSING_API_PROTECTION|SKIP_PROCESSING_OAS_VALIDATION|SKIP_PROCESSING_DDOS_PROTECTION|SKIP_PROCESSING_THREAT_MESH|SKIP_PROCESSING_MALWARE_PROTECTION] Actions that should be taken when client identifier matches the rule
• as_number - Optional Number
RFC 6793 defined 4-byte AS number
• bot_skip_processing - Optional Block
Enable this option
• expiration_timestamp - Optional String
Specifies the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore
• http_header - Optional Block
Configuration parameter for HTTP header
See HTTP Header below.
• ip_prefix - Optional String
IPv4 prefix string
• ipv6_prefix - Optional String
IPv6 prefix string
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• skip_processing - Optional Block
Enable this option
• user_identifier - Optional String
Identify user based on user identifier. User identifier value needs to be copied from security event
• waf_skip_processing - Optional Block
Enable this option
Trusted Clients HTTP Header
A http_header block (within trusted_clients) supports the following:
• headers - Optional Block
List of HTTP header name and value pairs
See Headers below.
Trusted Clients HTTP Header Headers
A headers block (within trusted_clients.http_header) supports the following:
• exact - Optional String
Header value to match exactly
• invert_match - Optional Bool
Invert the result of the match to detect missing header or non-matching value
• name - Optional String
Name of the header
• presence - Optional Bool
If true, check for presence of header
• regex - Optional String
Regex match of the header value in re2 format
Trusted Clients Metadata
A metadata block (within trusted_clients) supports the following:
• description_spec - Optional String
Human-readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
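An added example, not taken from the provider's own documentation, of a trusted_clients rule kept narrow using only the arguments listed above: one source address, one skipped protection, and an expiry. The resource name, address, timestamp and metadata values are constructed placeholders, and the other load balancer arguments are omitted.

```hcl
resource "f5xc_http_loadbalancer" "example" {
  name      = "example-http-loadbalancer"
  namespace = "staging"

  # ... remaining load balancer arguments omitted ...

  # Weak form to avoid: a whole range, several protections skipped, no expiry.
  #   ip_prefix = "203.0.113.0/24"
  #   actions   = ["SKIP_PROCESSING_WAF", "SKIP_PROCESSING_BOT", "SKIP_PROCESSING_IP_REPUTATION"]

  # Narrow form: requests from a trusted client skip the listed protections,
  # so match as little as possible and let the rule lapse on its own.
  trusted_clients {
    # Single host (constructed address from the 203.0.113.0/24 documentation range)
    ip_prefix = "203.0.113.10/32"

    # Only the WAF is skipped; every other SKIP_PROCESSING_* value is left out
    actions = ["SKIP_PROCESSING_WAF"]

    # RFC 3339 timestamp (constructed). After this time the rule remains in the
    # configuration but is no longer applied.
    expiration_timestamp = "2030-01-31T00:00:00Z"

    metadata {
      name             = "scanner-waf-skip" # must follow DNS-1035 format
      description_spec = "Internal vulnerability scanner, time-boxed WAF skip"
    }
  }
}
```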
User Identification
A user_identification block supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the route’s) tenant
WAF Exclusion
A waf_exclusion block supports the following:
• waf_exclusion_inline_rules - Optional Block
List of WAF exclusion rules that will be applied inline
See WAF Exclusion Inline Rules below.
• waf_exclusion_policy - Optional Block
Establishes a direct reference from one object (the referrer) to another (the referred). The reference takes the form tenant/namespace/name
See WAF Exclusion Policy below.
WAF Exclusion WAF Exclusion Inline Rules
A waf_exclusion_inline_rules block (within waf_exclusion) supports the following:
• rules - Optional Block
Ordered list of WAF Exclusions specific to this Load Balancer
See Rules below.
WAF Exclusion WAF Exclusion Inline Rules Rules
A rules block (within waf_exclusion.waf_exclusion_inline_rules) supports the following:
• any_domain - Optional Block
Enable this option
• any_path - Optional Block
Enable this option
• app_firewall_detection_control - Optional Block
Define the list of Signature IDs, Violations, Attack Types and Bot Names that should be excluded from triggering on the defined match criteria
See App Firewall Detection Control below.
• exact_value - Optional String
Exact domain name
• expiration_timestamp - Optional String
The RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is no longer applied
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by the user during create
See Metadata below.
• methods - Optional List Defaults to ANY
Methods to be matched
See HTTP Methods below.
• path_prefix - Optional String
Path prefix to match (e.g. the value / will match on all paths)
• path_regex - Optional String
Define the regex for the path. For example, the regex ^/.*$ will match on all paths
• suffix_value - Optional String
Suffix of domain name, e.g. ‘xyz.com’ will match ‘*.xyz.com’ and ‘xyz.com’
• waf_skip_processing - Optional Block
Enable this option
WAF Exclusion WAF Exclusion Inline Rules Rules App Firewall Detection Control
Deeply nested Control block collapsed for readability.
WAF Exclusion WAF Exclusion Inline Rules Rules App Firewall Detection Control Exclude Attack Type Contexts
Deeply nested Contexts block collapsed for readability.
WAF Exclusion WAF Exclusion Inline Rules Rules App Firewall Detection Control Exclude Bot Name Contexts
Deeply nested Contexts block collapsed for readability.
WAF Exclusion WAF Exclusion Inline Rules Rules App Firewall Detection Control Exclude Signature Contexts
Deeply nested Contexts block collapsed for readability.
WAF Exclusion WAF Exclusion Inline Rules Rules App Firewall Detection Control Exclude Violation Contexts
Deeply nested Contexts block collapsed for readability.
WAF Exclusion WAF Exclusion Inline Rules Rules Metadata
Deeply nested Metadata block collapsed for readability.
WAF Exclusion WAF Exclusion Policy
A waf_exclusion_policy block (within waf_exclusion) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the route’s) tenant
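An added example, not from the provider's own documentation, of an inline WAF exclusion limited to one domain, one path prefix and one method, with an expiry, built only from the rules arguments listed above. The domain, path, timestamp and metadata values are constructed placeholders; the nested arguments of app_firewall_detection_control are collapsed on this page, so the example uses waf_skip_processing instead.

```hcl
resource "f5xc_http_loadbalancer" "example" {
  name      = "example-http-loadbalancer"
  namespace = "staging"

  # ... remaining load balancer arguments omitted ...

  waf_exclusion {
    waf_exclusion_inline_rules {
      # Rules form an ordered list; this is a single, tightly matched entry.
      rules {
        metadata {
          name             = "upload-waf-exclusion" # must follow DNS-1035 format
          description_spec = "False positives on file upload, pending signature tuning"
        }

        # Domain match: one exact host rather than any_domain or suffix_value
        exact_value = "app.example.com"

        # Path match: a specific prefix. path_prefix = "/" or any_path would
        # extend the exclusion to every path on the host.
        path_prefix = "/api/v1/upload"

        # Method match: the default is ANY, so state the method explicitly
        methods = ["POST"]

        # Skips the WAF for every request that matches the criteria above.
        # app_firewall_detection_control is the narrower alternative: it excludes
        # only listed signature IDs, violations, attack types and bot names.
        waf_skip_processing {}

        # RFC 3339 timestamp (constructed). After this time the rule remains in
        # the configuration but is no longer applied.
        expiration_timestamp = "2030-01-31T00:00:00Z"
      }
    }
  }
}
```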
Common Types
The following type definitions are used throughout this resource. They are defined in full here rather than repeated inline.
Object Reference
Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.
| Field | Type | Description |
|---|---|---|
| name | String | Name of the referenced object |
| namespace | String | Namespace containing the referenced object |
| tenant | String | Tenant of the referenced object (system-managed) |
Transformers
Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.
| Value | Description |
|---|---|
| LOWER_CASE | Convert to lowercase |
| UPPER_CASE | Convert to uppercase |
| BASE64_DECODE | Decode base64 content |
| NORMALIZE_PATH | Normalize URL path |
| REMOVE_WHITESPACE | Remove whitespace characters |
| URL_DECODE | Decode URL-encoded characters |
| TRIM_LEFT | Trim leading whitespace |
| TRIM_RIGHT | Trim trailing whitespace |
| TRIM | Trim both leading and trailing whitespace |
HTTP Methods
HTTP methods used for request matching.
| Value | Description |
|---|---|
| ANY | Match any HTTP method |
| GET | HTTP GET request |
| HEAD | HTTP HEAD request |
| POST | HTTP POST request |
| PUT | HTTP PUT request |
| DELETE | HTTP DELETE request |
| CONNECT | HTTP CONNECT request |
| OPTIONS | HTTP OPTIONS request |
| TRACE | HTTP TRACE request |
| PATCH | HTTP PATCH request |
| COPY | HTTP COPY request (WebDAV) |
TLS Fingerprints
TLS fingerprint categories for malicious client detection.
| Value | Description |
|---|---|
| TLS_FINGERPRINT_NONE | No fingerprint matching |
| ANY_MALICIOUS_FINGERPRINT | Match any known malicious fingerprint |
| ADWARE | Adware-associated fingerprints |
| DRIDEX | Dridex malware fingerprints |
| GOOTKIT | Gootkit malware fingerprints |
| RANSOMWARE | Ransomware-associated fingerprints |
| TRICKBOT | Trickbot malware fingerprints |
IP Threat Categories
IP address threat categories for security filtering.
| Value | Description |
|---|---|
| SPAM_SOURCES | Known spam sources |
| WINDOWS_EXPLOITS | Windows exploit sources |
| WEB_ATTACKS | Web attack sources |
| BOTNETS | Known botnet IPs |
| SCANNERS | Network scanner IPs |
| REPUTATION | Poor reputation IPs |
| PHISHING | Phishing-related IPs |
| PROXY | Anonymous proxy IPs |
| MOBILE_THREATS | Mobile threat sources |
| TOR_PROXY | Tor exit nodes |
| DENIAL_OF_SERVICE | DoS attack sources |
| NETWORK | Known bad network ranges |
NETWORK | Known bad network ranges |
Import
Import is supported using the following syntax:

```shell
# Import using namespace/name format
terraform import f5xc_http_loadbalancer.example system/example
```