f5xc_service_policy_rule Resource - terraform-provider-f5xc

f5xc_service_policy_rule (Resource)

Manages service_policy_rule creates a new object in the storage backend for metadata.namespace. in F5 Distributed Cloud.

~> Note For more information about this resource, please refer to the F5 XC API Documentation.

Example Usage

# Service Policy Rule Resource Example
# Manages service_policy_rule creates a new object in the storage backend for metadata.namespace. in F5 Distributed Cloud.

terraform {
  required_version = ">= 1.0"

  required_providers {
    f5xc = {
      source  = "f5xc-salesdemos/f5xc"
      version = ">= 0.1.0"
    }
  }
}

# Basic Service Policy Rule configuration
resource "f5xc_service_policy_rule" "example" {
  name      = "example-service-policy-rule"
  namespace = "staging"

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }

  annotations = {
    "owner" = "platform-team"
  }

  # Resource-specific configuration
  # [OneOf: any_asn, asn_list, asn_matcher] Enable this option
  any_asn {
    # Configure any_asn settings
  }
  # [OneOf: any_client, client_name, client_name_matcher, cli...
  any_client {
    # Configure any_client settings
  }
  # [OneOf: any_ip, ip_matcher, ip_prefix_list] Enable this o...
  any_ip {
    # Configure any_ip settings
  }
}

# The following optional fields have server-applied defaults and can be omitted:
# - port_matcher

Argument Reference

🔶 High Risk Operations — Some operations on this resource have high danger level. Destructive operations may require confirmation.

Metadata Argument Reference

• name - Required String
Name of the Service Policy Rule. Must be unique within the namespace

• namespace - Required String
Namespace where the Service Policy Rule will be created

• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata

• description - Optional String
Human readable description for the object

• disable - Optional Bool
A value of true will administratively disable the object

• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering

Spec Argument Reference

• action - Optional String Defaults to DENY
Possible values are DENY, ALLOW, NEXT_POLICY
[Enum: DENY|ALLOW|NEXT_POLICY] The rule action determines the disposition of the input request API. If a policy matches a rule with an ALLOW action, the processing of the request proceeds forward. If it matches a rule with a DENY action, the processing of the request is terminated and an appropriate message/code returned to

-> One of the following: • any_asn - Optional Block
Enable this option

• asn_list - Optional Block
Unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer
See Asn List below for details.

• asn_matcher - Optional Block
Match any AS number contained in the list of bgp_asn_sets
See Asn Matcher below for details.

-> One of the following: • any_client - Optional Block
Enable this option

• client_name - Optional String
The expected name of the client invoking the request API. The predicate evaluates to true if any of the actual names is the same as the expected client name

• client_name_matcher - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Client Name Matcher below for details.

• client_selector - Optional Block
Type can be used to establish a ‘selector reference’ from one object(called selector) to a set of other objects(called selectees) based on the value of expressions. A label selector is a label query over a set of resources. An empty label selector matches all objects
See Client Selector below for details.

• ip_threat_category_list - Optional Block
IP Threat Category List Type. List of IP threat categories
See IP Threat Category List below for details.

-> One of the following: • any_ip - Optional Block
Enable this option

• ip_matcher - Optional Block
Match any IP prefix contained in the list of ip_prefix_sets. The result of the match is inverted if invert_matcher is true
See IP Matcher below for details.

• ip_prefix_list - Optional Block
List of IP Prefix strings to match against
See IP Prefix List below for details.

• api_group_matcher - Optional Block
Matcher specifies a list of values for matching an input string. The match is considered successful if the input value is present in the list. The result of the match is inverted if invert_matcher is true
See API Group Matcher below for details.

• arg_matchers - Optional Block
List of predicates for all POST args that need to be matched. The criteria for matching each arg are described in individual instances of ArgMatcherType. The actual arg values are extracted from the request API as a list of strings for each arg selector name
See Arg Matchers below for details.

• body_matcher - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Body Matcher below for details.

• bot_action - Optional Block
Modify Bot protection behavior for a matching request. The modification could be to entirely skip Bot processing
See Bot Action below for details.

• cookie_matchers - Optional Block
List of predicates for all cookies that need to be matched. The criteria for matching each cookie is described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name
See Cookie Matchers below for details.

• domain_matcher - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Domain Matcher below for details.

• expiration_timestamp - Optional String
Specifies expiration_timestamp the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore

• headers - Optional Block
List of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type
See Headers below for details.

• http_method - Optional Block
HTTP method matcher specifies a list of methods to match an input HTTP method. The match is considered successful if the input method is a member of the list. The result of the match based on the method list is inverted if invert_matcher is true
See HTTP Method below for details.

-> One of the following: • ja4_tls_fingerprint - Optional Block
Extended version of JA3 that includes additional fields for more comprehensive fingerprinting of SSL/TLS clients and potentially has a different structure and length
See Ja4 TLS Fingerprint below for details.

• tls_fingerprint_matcher - Optional Block
TLS fingerprint matcher specifies multiple criteria for matching a TLS fingerprint. The set of supported positive match criteria includes a list of known classes of TLS fingerprints and a list of exact values. The match is considered successful if either of these positive criteria are satisfied

• jwt_claims - Optional Block
List of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claims values are extracted from the JWT payload as a list of strings
See JWT Claims below for details.

• label_matcher - Optional Block
Label matcher specifies a list of label keys whose values need to match for source/client and destination/server. Note that the actual label values are not specified and do not matter. This allows an ability to scope grouping by the label key name
See Label Matcher below for details.

• mum_action - Optional Block
Modify behavior for a matching request. The modification could be to entirely skip processing
See Mum Action below for details.

• path - Optional Block
Path matcher specifies multiple criteria for matching an HTTP path string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of path prefixes, a list of exact path values and a list of regular expressions
See Path below for details.

• port_matcher - Optional Block
Port matcher specifies a list of port ranges as match criteria. The match is considered successful if the input port falls within any of the port ranges. The result of the match is inverted if invert_matcher is true. Server applies default when omitted
See Port Matcher below for details.

• query_params - Optional Block
List of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query
See Query Params below for details.

• request_constraints - Optional Block
Configuration parameter for request constraints
See Request Constraints below for details.

• segment_policy - Optional Block
Configure source and destination segment for policy

• timeouts - Optional Block

• waf_action - Optional Block
Modify App Firewall behavior for a matching request. The modification could either be to entirely skip firewall processing or to customize the firewall rules to be applied as defined by App Firewall Rule Control settings

Attributes Reference

In addition to all arguments above, the following attributes are exported:

• id - Optional String
Unique identifier for the resource

---

API Group Matcher

An api_group_matcher block supports the following:

• invert_matcher - Optional Bool
Invert String Matcher. Invert the match result

• match - Optional List
List of exact values to match the input against

Arg Matchers

An arg_matchers block supports the following:

• check_not_present - Optional Block
Configuration parameter for check not present

• check_present - Optional Block
Configuration parameter for check present

• invert_matcher - Optional Bool
Invert Matcher. Invert Match of the expression defined

• item - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Item below.

• name - Optional String
Case-sensitive JSON path in the HTTP request body

Arg Matchers Item

An item block (within arg_matchers) supports the following:

• exact_values - Optional List
List of exact values to match the input against

• regex_values - Optional List
List of regular expressions to match the input against

• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching

Asn List

An asn_list block supports the following:

• as_numbers - Optional List
Unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer

Asn Matcher

An asn_matcher block supports the following:

• asn_sets - Optional Block
List of references to bgp_asn_set objects
See Asn Sets below.

Asn Matcher Asn Sets

An asn_sets block (within asn_matcher) supports the following:

• kind - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. ‘route’)

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

• uid - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid

Body Matcher

A body_matcher block supports the following:

• exact_values - Optional List
List of exact values to match the input against

• regex_values - Optional List
List of regular expressions to match the input against

• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching

Bot Action

A bot_action block supports the following:

• bot_skip_processing - Optional Block
Enable this option

• none - Optional Block
Enable this option

Client Name Matcher

A client_name_matcher block supports the following:

• exact_values - Optional List
List of exact values to match the input against

• regex_values - Optional List
List of regular expressions to match the input against

Client Selector

A client_selector block supports the following:

• expressions - Optional List
Expressions contains the Kubernetes style label expression for selections

Cookie Matchers

A cookie_matchers block supports the following:

• check_not_present - Optional Block
Configuration parameter for check not present

• check_present - Optional Block
Configuration parameter for check present

• invert_matcher - Optional Bool
Invert Matcher. Invert Match of the expression defined

• item - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Item below.

• name - Optional String
Case-sensitive cookie name

Cookie Matchers Item

An item block (within cookie_matchers) supports the following:

• exact_values - Optional List
List of exact values to match the input against

• regex_values - Optional List
List of regular expressions to match the input against

• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching

Domain Matcher

A domain_matcher block supports the following:

• exact_values - Optional List
List of exact values to match the input against

• regex_values - Optional List
List of regular expressions to match the input against

Headers

A headers block supports the following:

• check_not_present - Optional Block
Configuration parameter for check not present

• check_present - Optional Block
Configuration parameter for check present

• invert_matcher - Optional Bool
Invert Header Matcher. Invert the match result

• item - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Item below.

• name - Optional String
Case-insensitive HTTP header name

Headers Item

An item block (within headers) supports the following:

• exact_values - Optional List
List of exact values to match the input against

• regex_values - Optional List
List of regular expressions to match the input against

• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching

HTTP Method

A http_method block supports the following:

• invert_matcher - Optional Bool
Invert Method Matcher. Invert the match result

• methods - Optional List Defaults to ANY
See HTTP Methods
List of methods values to match against

IP Matcher

An ip_matcher block supports the following:

• invert_matcher - Optional Bool
Invert IP Matcher. Invert the match result

• prefix_sets - Optional Block
List of references to ip_prefix_set objects
See Prefix Sets below.

IP Matcher Prefix Sets

A prefix_sets block (within ip_matcher) supports the following:

• kind - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. ‘route’)

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

• uid - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid

IP Prefix List

An ip_prefix_list block supports the following:

• invert_match - Optional Bool
Invert Match Result. Invert the match result

• ip_prefixes - Optional List
IPv4 Prefix List. List of IPv4 prefix strings

IP Threat Category List

An ip_threat_category_list block supports the following:

• ip_threat_categories - Optional List Defaults to SPAM_SOURCES
See IP Threat Categories
[Enum: SPAM_SOURCES|WINDOWS_EXPLOITS|WEB_ATTACKS|BOTNETS|SCANNERS|REPUTATION|PHISHING|PROXY|MOBILE_THREATS|TOR_PROXY|DENIAL_OF_SERVICE|NETWORK] The IP threat categories is obtained from the list and is used to auto-generate equivalent label selection expressions

Ja4 TLS Fingerprint

A ja4_tls_fingerprint block supports the following:

• exact_values - Optional List
List of exact JA4 TLS fingerprint to match the input JA4 TLS fingerprint against

JWT Claims

A jwt_claims block supports the following:

• check_not_present - Optional Block
Configuration parameter for check not present

• check_present - Optional Block
Configuration parameter for check present

• invert_matcher - Optional Bool
Invert Matcher. Invert the match result

• item - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Item below.

• name - Optional String
JWT Claim Name. JWT claim name

JWT Claims Item

An item block (within jwt_claims) supports the following:

• exact_values - Optional List
List of exact values to match the input against

• regex_values - Optional List
List of regular expressions to match the input against

• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching

Label Matcher

A label_matcher block supports the following:

• keys - Optional List
The list of label key names that have to match

Mum Action

A mum_action block supports the following:

• default - Optional Block
Enable this option

• skip_processing - Optional Block
Enable this option

Path

A path block supports the following:

• exact_values - Optional List
List of exact path values to match the input HTTP path against

• invert_matcher - Optional Bool
Invert Path Matcher. Invert the match result

• prefix_values - Optional List
List of path prefix values to match the input HTTP path against

• regex_values - Optional List
List of regular expressions to match the input HTTP path against

• suffix_values - Optional List
List of path suffix values to match the input HTTP path against

• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching

Port Matcher

A port_matcher block supports the following:

• invert_matcher - Optional Bool
Invert Port Matcher. Invert the match result

• ports - Optional List
List of strings, each of which is a single port value or a tuple of start and end port values separated by ’-’. The start and end values are considered to be part of the range

Query Params

A query_params block supports the following:

• check_not_present - Optional Block
Configuration parameter for check not present

• check_present - Optional Block
Configuration parameter for check present

• invert_matcher - Optional Bool
Invert Query Parameter Matcher. Invert the match result

• item - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Item below.

• key - Optional String
Case-sensitive HTTP query parameter name

Query Params Item

An item block (within query_params) supports the following:

• exact_values - Optional List
List of exact values to match the input against

• regex_values - Optional List
List of regular expressions to match the input against

• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching

Request Constraints

A request_constraints block supports the following:

• max_cookie_count_exceeds - Optional Number
Match on the Count for all Cookies that exceed this value

• max_cookie_count_none - Optional Block
Configuration parameter for max cookie count none

• max_cookie_key_size_exceeds - Optional Number

• max_cookie_key_size_none - Optional Block
Configuration parameter for max cookie key size none

• max_cookie_value_size_exceeds - Optional Number

• max_cookie_value_size_none - Optional Block
Configuration parameter for max cookie value size none

• max_header_count_exceeds - Optional Number
Match on the Count for all Headers that exceed this value

• max_header_count_none - Optional Block
Configuration parameter for max header count none

• max_header_key_size_exceeds - Optional Number

• max_header_key_size_none - Optional Block
Configuration parameter for max header key size none

• max_header_value_size_exceeds - Optional Number

• max_header_value_size_none - Optional Block
Configuration parameter for max header value size none

• max_parameter_count_exceeds - Optional Number

• max_parameter_count_none - Optional Block
Configuration parameter for max parameter count none

• max_parameter_name_size_exceeds - Optional Number

• max_parameter_name_size_none - Optional Block
Enable this option

• max_parameter_value_size_exceeds - Optional Number

• max_parameter_value_size_none - Optional Block
Configuration parameter for max parameter value size none

• max_query_size_exceeds - Optional Number
Match on the URL Query Size that exceed this value

• max_query_size_none - Optional Block
Configuration parameter for max query size none

• max_request_line_size_exceeds - Optional Number

• max_request_line_size_none - Optional Block
Configuration parameter for max request line size none

• max_request_size_exceeds - Optional Number
Match on the Request Size that exceed this value

• max_request_size_none - Optional Block
Configuration parameter for max request size none

• max_url_size_exceeds - Optional Number
Match on the URL Size that exceed this value

• max_url_size_none - Optional Block
Enable this option

Segment Policy

A segment_policy block supports the following:

• dst_any - Optional Block
Enable this option

• dst_segments - Optional Block
X-displayName: ‘Segment List’ List of references to Segments
See Dst Segments below.

• intra_segment - Optional Block
Configuration parameter for intra segment

• src_any - Optional Block
Enable this option

• src_segments - Optional Block
X-displayName: ‘Segment List’ List of references to Segments
See Src Segments below.

Segment Policy Dst Segments

A dst_segments block (within segment_policy) supports the following:

• segments - Optional Block
X-displayName: ‘Segments’Select list of segments
See Segments below.

Segment Policy Dst Segments Segments

A segments block (within segment_policy.dst_segments) supports the following:

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

Segment Policy Src Segments

A src_segments block (within segment_policy) supports the following:

• segments - Optional Block
X-displayName: ‘Segments’Select list of segments
See Segments below.

Segment Policy Src Segments Segments

A segments block (within segment_policy.src_segments) supports the following:

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

Timeouts

A timeouts block supports the following:

• create - Optional String (Defaults to 10 minutes)
Used when creating the resource

• delete - Optional String (Defaults to 10 minutes)
Used when deleting the resource

• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource

• update - Optional String (Defaults to 10 minutes)
Used when updating the resource

TLS Fingerprint Matcher

A tls_fingerprint_matcher block supports the following:

• classes - Optional List Defaults to TLS_FINGERPRINT_NONE
See TLS Fingerprints
[Enum: TLS_FINGERPRINT_NONE|ANY_MALICIOUS_FINGERPRINT|ADWARE|ADWIND|DRIDEX|GOOTKIT|GOZI|JBIFROST|QUAKBOT|RANSOMWARE|TROLDESH|TOFSEE|TORRENTLOCKER|TRICKBOT] List of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against

• exact_values - Optional List
List of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against

• excluded_values - Optional List
List of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher

WAF Action

A waf_action block supports the following:

• app_firewall_detection_control - Optional Block
Define the list of Signature IDs, Violations, Attack Types and Bot Names that should be excluded from triggering on the defined match criteria
See App Firewall Detection Control below.

• none - Optional Block
Enable this option

• waf_skip_processing - Optional Block
Enable this option

WAF Action App Firewall Detection Control

An app_firewall_detection_control block (within waf_action) supports the following:

• exclude_attack_type_contexts - Optional Block
Attack Types to be excluded for the defined match criteria
See Exclude Attack Type Contexts below.

• exclude_bot_name_contexts - Optional Block
Bot Names to be excluded for the defined match criteria
See Exclude Bot Name Contexts below.

• exclude_signature_contexts - Optional Block
Signature IDs to be excluded for the defined match criteria
See Exclude Signature Contexts below.

• exclude_violation_contexts - Optional Block
Violations to be excluded for the defined match criteria
See Exclude Violation Contexts below.

WAF Action App Firewall Detection Control Exclude Attack Type Contexts

Deeply nested Contexts block collapsed for readability.

WAF Action App Firewall Detection Control Exclude Bot Name Contexts

Deeply nested Contexts block collapsed for readability.

WAF Action App Firewall Detection Control Exclude Signature Contexts

Deeply nested Contexts block collapsed for readability.

WAF Action App Firewall Detection Control Exclude Violation Contexts

Deeply nested Contexts block collapsed for readability.

---

Common Types

The following type definitions are used throughout this resource. See the full definition here rather than repeated inline.

Object Reference {#common-object-reference}

Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.

Field	Type	Description
name	String	Name of the referenced object
namespace	String	Namespace containing the referenced object
tenant	String	Tenant of the referenced object (system-managed)

Transformers {#common-transformers}

Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.

Value	Description
LOWER_CASE	Convert to lowercase
UPPER_CASE	Convert to uppercase
BASE64_DECODE	Decodebase64 content
NORMALIZE_PATH	Normalize URL path
REMOVE_WHITESPACE	Remove whitespace characters
URL_DECODE	Decode URL-encoded characters
TRIM_LEFT	Trim leading whitespace
TRIM_RIGHT	Trim trailing whitespace
TRIM	Trim both leading and trailing whitespace

HTTP Methods {#common-http-methods}

HTTP methods used for request matching.

Value	Description
ANY	Match any HTTP method
GET	HTTP GET request
HEAD	HTTP HEAD request
POST	HTTP POST request
PUT	HTTP PUT request
DELETE	HTTP DELETE request
CONNECT	HTTP CONNECT request
OPTIONS	HTTP OPTIONS request
TRACE	HTTP TRACE request
PATCH	HTTP PATCH request
COPY	HTTP COPY request (WebDAV)

TLS Fingerprints {#common-tls-fingerprints}

TLS fingerprint categories for malicious client detection.

Value	Description
TLS_FINGERPRINT_NONE	No fingerprint matching
ANY_MALICIOUS_FINGERPRINT	Match any known malicious fingerprint
ADWARE	Adware-associated fingerprints
DRIDEX	Dridex malware fingerprints
GOOTKIT	Gootkit malware fingerprints
RANSOMWARE	Ransomware-associated fingerprints
TRICKBOT	Trickbot malware fingerprints

IP Threat Categories {#common-ip-threat-categories}

IP address threat categories for security filtering.

Value	Description
SPAM_SOURCES	Known spam sources
WINDOWS_EXPLOITS	Windows exploit sources
WEB_ATTACKS	Web attack sources
BOTNETS	Known botnet IPs
SCANNERS	Network scanner IPs
REPUTATION	Poor reputation IPs
PHISHING	Phishing-related IPs
PROXY	Anonymous proxy IPs
MOBILE_THREATS	Mobile threat sources
TOR_PROXY	Tor exit nodes
DENIAL_OF_SERVICE	DoS attack sources
NETWORK	Known bad network ranges

Import

Import is supported using the following syntax:

# Import using namespace/name format
terraform import f5xc_service_policy_rule.example system/example