List Configure HTTP Load Balancer.
```javascript
const url = 'https://example-corp.console.ves.volterra.io/api/v1/api/production/us-east-1/namespaces/default/api/config/namespaces/example/http_loadbalancers';
const options = {method: 'GET', headers: {Authorization: '<Authorization>'}};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}
```

```shell
curl --request GET \
  --url https://example-corp.console.ves.volterra.io/api/v1/api/production/us-east-1/namespaces/default/api/config/namespaces/example/http_loadbalancers \
  --header 'Authorization: <Authorization>'
```

List the set of http_loadbalancer in a namespace.
Authorizations
Parameters
Path Parameters
Namespace: Namespace to scope the listing of http_loadbalancer.
Query Parameters
A LabelSelectorType expression that every item in list response will satisfy.
X-example: ""
Extra fields to return along with summary fields.
X-example: ""
Extra status fields to return along with summary fields.
Responses
A successful response.
This is the output message of ‘List’ RPC.
object
Errors (if any) while listing items from the collection.
Information about an error in an API operation.
object
object
A URL/resource name that uniquely identifies the type of the serialized
protocol buffer message. This string must contain at least
one ”/” character. The last segment of the URL’s path must represent
the fully qualified name of the type (as in
path/google.protobuf.duration). The name should be in a canonical form
(e.g., leading ”.” is not accepted).
In practice, teams usually precompile into the binary all types that they
expect it to use in the context of Any. However, for URLs which use the
scheme HTTP, HTTPS, or no scheme, one can optionally set up a type
server that maps type URLs to message definitions as follows:
- If no scheme is provided, HTTPS is assumed.
- An HTTP GET on the URL must yield a [google.protobuf.type][] value in binary format, or produce an error.
- Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.)
Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com.
Schemes other than HTTP, HTTPS (or the empty scheme) might be
used with implementation specific semantics.
Must be a valid serialized protocol buffer of the above specified type.
A human readable string of the error.
Items represents the collection in response.
By default, a summary of http_loadbalancer is returned in ‘List’. Setting ‘report_fields’ in the ListRequest returns more details for each item.
object
The set of annotations present on this http_loadbalancer.
object
The description set for this http_loadbalancer.
A value of true indicates http_loadbalancer is administratively disabled.
object
object
Service Policies is a sequential engine where policies (and rules within the policy) are evaluated one after the other. It’s important to define the correct order (policies evaluated from top to bottom in the list) for service policies, to get the intended result. For each request, its characteristics are evaluated based on the match criteria in each service policy starting at the top. If there is a match in the current policy, then the policy takes effect, and no more policies are evaluated. Otherwise, the next policy is evaluated. If all policies are evaluated and none match, then the request will be denied by default.
Required: YES.
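The evaluation order described above, as an added example (not F5's code): a first-match, default-deny evaluator plus a check for policies that can never take effect because an earlier policy already covers them. The policy shape (`name`, `action`, `methods`, `pathPrefix`) and the sample policies are constructed for illustration and are not fields of this API.

```javascript
// Added example. Policy objects here are a hypothetical, simplified shape:
//   { name, action: 'allow' | 'deny', methods: [...], pathPrefix }
// An empty methods list means "any method".

// True when the request satisfies the policy's match criteria.
function matches(policy, req) {
  const methodOk =
    policy.methods.length === 0 || policy.methods.includes(req.method);
  return methodOk && req.path.startsWith(policy.pathPrefix);
}

// Top-to-bottom evaluation: the first matching policy takes effect and
// evaluation stops. If nothing matches, the request is denied by default.
function evaluate(policies, req) {
  for (const policy of policies) {
    if (matches(policy, req)) {
      return { action: policy.action, policy: policy.name };
    }
  }
  return { action: 'deny', policy: null };
}

// True when every request that `later` would match is already matched
// by `earlier` (same or broader methods, same or shorter path prefix).
function covers(earlier, later) {
  const methodsCover =
    earlier.methods.length === 0 ||
    (later.methods.length > 0 &&
      later.methods.every((m) => earlier.methods.includes(m)));
  return methodsCover && later.pathPrefix.startsWith(earlier.pathPrefix);
}

// Ordering lint: report policies that can never take effect because a
// policy above them in the list always matches first.
function findShadowed(policies) {
  const findings = [];
  policies.forEach((later, i) => {
    const earlier = policies.slice(0, i).find((p) => covers(p, later));
    if (earlier) findings.push({ shadowed: later.name, by: earlier.name });
  });
  return findings;
}

// Constructed sample policies and request.
const allowApi = { name: 'allow-api', action: 'allow', methods: [], pathPrefix: '/api/' };
const denyAdmin = { name: 'deny-admin', action: 'deny', methods: [], pathPrefix: '/api/admin' };
const adminReq = { method: 'GET', path: '/api/admin/users' };

// Broad allow first: the admin deny is never reached.
console.log(evaluate([allowApi, denyAdmin], adminReq));
console.log(findShadowed([allowApi, denyAdmin]));

// Specific deny first: the intended result.
console.log(evaluate([denyAdmin, allowApi], adminReq));

// No policy matches: default deny.
console.log(evaluate([denyAdmin, allowApi], { method: 'GET', path: '/health' }));
```

Running the lint before pushing a reordered policy list catches the case where a specific deny sits below a broader allow.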
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
X-example: true
Appends header x-F5 Distributed Cloud-location =
object
Where should this load balancer be available
Required: YES.
This defines various options where a Loadbalancer could be advertised.
object
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Exclusive with [port_ranges use_default_port] Port to Listen.
Exclusive with [port use_default_port] A string containing a comma separated list of port ranges. Each port range consists of a single port or two ports separated by ”-”.
object
Use given IP address as VIP on the site.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
object
Exclusive with [default_v6_vip] Use given IPv6 address as VIP on virtual Network.
Exclusive with [default_vip] Use given IPv4 address as VIP on virtual Network.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
Use given IP address as VIP on the site.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
This category defines specific rules per API endpoint. If a request matches any of these rules, the second category rules are skipped.
API Protection Rule for a specific endpoint.
object
object
object
object
object
object
Invert the match result.
List of methods values to match against.
The endpoint (path) of the request. Required: YES.
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
object
A list of references to bgp_asn_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
object
Invert the match result.
A list of references to ip_prefix_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Invert the match result.
List of IPv4 prefix strings.
object
The IP threat categories are obtained from the list and are used to auto-generate equivalent label selection expressions.
Required: YES.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
A list of predicates for all cookies that need to be matched. The criteria for matching each cookie are described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.
A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:
- Presence or absence of the cookie
- At least one of the values for the cookie in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive cookie name. Required: YES.
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claims values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. Note that this feature only works on LBs with JWT Validation feature enabled.
A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:
- Presence or absence of the JWT Claim in the input
- At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
JWT claim name. Required: YES.
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
Exclusive with [any_domain] The rule will apply for a specific domain. For example: api.example.com.
This category includes rules per API group or Server URL. For API groups, refer to API Definition which includes API groups derived from uploaded swaggers.
API Protection Rule for a group or a base URL.
object
object
object
object
object
API groups derived from API Definition swaggers. For example oas-all-operations including all paths and methods from the swaggers, oas-base-URLs covering all requests under base-paths from the swaggers. Custom groups can be created if user tags paths or operations with “x-F5 Distributed Cloud-API-group” extensions inside swaggers.
Prefix of the request path. For example: /v1 Required: YES.
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
object
A list of references to bgp_asn_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
object
Invert the match result.
A list of references to ip_prefix_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Invert the match result.
List of IPv4 prefix strings.
object
The IP threat categories are obtained from the list and are used to auto-generate equivalent label selection expressions.
Required: YES.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
A list of predicates for all cookies that need to be matched. The criteria for matching each cookie are described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.
A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:
- Presence or absence of the cookie
- At least one of the values for the cookie in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive cookie name. Required: YES.
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claims values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. Note that this feature only works on LBs with JWT Validation feature enabled.
A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:
- Presence or absence of the JWT Claim in the input
- At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
JWT claim name. Required: YES.
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
Exclusive with [any_domain] The rule will apply for a specific domain. For example: api.example.com.
object
Sets of rules for specific endpoints. Order matters, as a first-match policy is used. To create a rule that covers a whole domain or a group of endpoints, use the server URL rules above.
object
object
object
Invert the match result.
List of methods values to match against.
The endpoint (path) of the request. Required: YES.
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
object
A list of references to bgp_asn_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
object
Invert the match result.
A list of references to ip_prefix_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Invert the match result.
List of IPv4 prefix strings.
object
The IP threat categories are obtained from the list and are used to auto-generate equivalent label selection expressions.
Required: YES.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. Required: YES.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
A list of predicates for all cookies that need to be matched. The criteria for matching each cookie are described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.
A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:
- Presence or absence of the cookie
- At least one of the values for the cookie in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive cookie name. Required: YES.
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claim values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. Note that this feature only works on LBs with the JWT Validation feature enabled.
A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:
- Presence or absence of the JWT Claim in the input
- At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
JWT claim name. Required: YES.
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
Exclusive with [any_domain] The rule will apply for a specific domain.
object
This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.
object
object
object
object
Methods to be matched.
Path to be matched. Required: YES.
object
Required: YES.
Exclusive with [any_url api_endpoint api_groups] The base path which this validation applies to.
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
object
A list of references to bgp_asn_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then kind will hold the referred object’s kind (e.g. “route”).
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then uid will hold the referred object’s (e.g. Route’s) uid.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
object
Invert the match result.
A list of references to ip_prefix_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then kind will hold the referred object’s kind (e.g. “route”).
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then uid will hold the referred object’s (e.g. Route’s) uid.
object
Invert the match result.
List of IPv4 prefix strings.
object
The IP threat categories are obtained from the list and are used to auto-generate equivalent label selection expressions.
Required: YES.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
object
A list of predicates for all cookies that need to be matched. The criteria for matching each cookie are described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.
A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:
- Presence or absence of the cookie
- At least one of the values for the cookie in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive cookie name. Required: YES.
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claim values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. Note that this feature only works on LBs with the JWT Validation feature enabled.
A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:
- Presence or absence of the JWT Claim in the input
- At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
JWT claim name. Required: YES.
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
Exclusive with [any_domain] The rule will apply for a specific domain. For example: api.example.com.
object
References to ip_prefix_set objects. Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting.
Required: YES.
This type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name.
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name. Required: YES.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
object
List of IPv4 prefixes that represent an endpoint.
object
Set of rules for an entire domain or base path that contains multiple endpoints. Order matters, as it uses a first-match policy. To also match specific endpoints, you can use the API endpoint rules set below.
object
object
API groups derived from API Definition swaggers. For example oas-all-operations including all paths and methods from the swaggers, oas-base-URLs covering all requests under base-paths from the swaggers. Custom groups can be created if user tags paths or operations with “x-F5 Distributed Cloud-API-group” extensions inside swaggers.
Prefix of the request path. Required: YES.
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
object
A list of references to bgp_asn_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then kind will hold the referred object’s kind (e.g. “route”).
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then uid will hold the referred object’s (e.g. Route’s) uid.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
object
Invert the match result.
A list of references to ip_prefix_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then kind will hold the referred object’s kind (e.g. “route”).
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then uid will hold the referred object’s (e.g. Route’s) uid.
object
Invert the match result.
List of IPv4 prefix strings.
object
The IP threat categories are obtained from the list and are used to auto-generate equivalent label selection expressions.
Required: YES.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
object
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name. Required: YES.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. Required: YES.
object
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name. Required: YES.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
object
A list of predicates for all cookies that need to be matched. The criteria for matching each cookie are described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.
A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:
- Presence or absence of the cookie
- At least one of the values for the cookie in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive cookie name. Required: YES.
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claim values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. Note that this feature only works on LBs with the JWT Validation feature enabled.
A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:
- Presence or absence of the JWT Claim in the input
- At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
JWT claim name. Required: YES.
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
Exclusive with [any_domain] The rule will apply for a specific domain.
object
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name. Required: YES.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
object
object
object
object
Required: YES.
Fall Through Rule for a specific endpoint, base-path, or API group.
object
object
object
object
object
Methods to be matched.
Path to be matched. Required: YES.
Exclusive with [api_endpoint base_path] The API group which this validation applies to.
Exclusive with [api_endpoint api_group] The base path which this validation applies to.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
object
object
object
object
object
object
object
object
object
object
object
List of properties of the response to validate according to the OpenAPI specification file (a.k.a. Swagger)
Required: YES.
object
object
object
object
object
List of properties of the request to validate according to the OpenAPI specification file (a.k.a. Swagger)
Required: YES.
object
object
object
object
Required: YES.
Fall Through Rule for a specific endpoint, base-path, or API group.
object
object
object
object
object
Methods to be matched.
Path to be matched. Required: YES.
Exclusive with [api_endpoint base_path] The API group which this validation applies to.
Exclusive with [api_endpoint api_group] The base path which this validation applies to.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
Required: YES.
OpenAPI Validation Rule for a specific endpoint, base-path, or API group.
object
object
object
Methods to be matched.
Path to be matched. Required: YES.
Exclusive with [api_endpoint base_path] The API group which this validation applies to.
Exclusive with [api_endpoint api_group] The base path which this validation applies to.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
Exclusive with [any_domain] The rule will apply for a specific domain.
object
object
object
object
List of properties of the response to validate according to the OpenAPI specification file (a.k.a. Swagger)
Required: YES.
object
object
object
object
object
List of properties of the request to validate according to the OpenAPI specification file (a.k.a. Swagger)
Required: YES.
object
object
object
object
object
object
object
object
object
object
Add x-F5-API-testing-identifier header value to prevent security flags on API testing traffic.
Add and configure testing domains and credentials
Required: YES.
The Domain configuration message.
object
Enable to allow API testing to execute destructive methods. Be cautious, as these can alter or delete data.
Add credentials for API testing to use in the selected environment.
Required: YES.
Configure credential details, including type (e.g., API Key, bearer token) and role.
object
object
object
Required: YES.
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Required: YES.
object
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Required: YES.
Required: YES.
object
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Required: YES.
Enter a unique name for the credentials used in API testing
Required: YES.
object
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Required: YES.
Required: YES.
Specifies how to handle the API response, extracting authentication tokens.
Required: YES.
object
Add your testing environment domain. Be aware that running tests on a production domain can impact live applications, as API testing cannot distinguish between production and testing environments.
Required: YES.
object
object
object
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name. Required: YES.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
object
Auto certificate expiry timestamp.
Issuer of the auto certificate.
Subject of the auto certificate.
DNS Records that are to be added by user in their DNS domain. Currently, this will be populated when auto certificates are desired but DNS delegation is not enabled.
Defines a DNS record.
object
Name of the DNS record.
Type of the DNS record.
DNS record Value.
Define rules to block IP Prefixes or AS numbers.
Simple client source rule specifies the sources to be blocked or trusted (skip WAF)
object
Actions that should be taken when client identifier matches the rule.
Exclusive with [http_header ip_prefix ipv6_prefix user_identifier] RFC 6793 defined 4-byte AS number.
object
The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.
object
List of HTTP header name and value pairs
Required: YES.
Header match is done using the name of the header and its value. The value match is done using one of the following:
- regex match on value
- exact match of value
- presence of header
Header match can also be the inverse of the above, which can be used to check for a missing header or a non-matching value.
object
Exclusive with [presence regex] Header value to match exactly.
Invert the result of the match to detect missing header or non-matching value.
Name of the header. Required: YES.
Exclusive with [exact regex] If true, check for presence of header.
Exclusive with [exact presence] Regex match of the header value in re2 format.
Exclusive with [as_number http_header ipv6_prefix user_identifier] IPv4 prefix string.
Exclusive with [as_number http_header ip_prefix user_identifier] IPv6 prefix string.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [as_number http_header ip_prefix ipv6_prefix] Identify user based on user identifier. User identifier value needs to be copied from security event.
object
object
object
object
object
object
object
Customize the Bot Defense Client JavaScript path. If not specified, the default is /common.js.
object
object
Optional JavaScript insertions exclude list of domain and path matchers.
Define JavaScript insertion exclusion rule.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name, e.g. “xyz.com” will match “*.xyz.com” and “xyz.com”.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. the value / will match on all paths).
Exclusive with [path prefix] Regular expression of path match (e.g. the value .* will match on all paths).
object
Optional JavaScript insertions exclude list of domain and path matchers.
Define JavaScript insertion exclusion rule.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name, e.g. “xyz.com” will match “*.xyz.com” and “xyz.com”.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. the value / will match on all paths).
Exclusive with [path prefix] Regular expression of path match (e.g. the value .* will match on all paths).
Required list of pages to insert Bot Defense client JavaScript.
Required: YES.
This defines a rule for Bot Defense JavaScript insertion.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
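The domain and path matchers shared by the JavaScript insertion and exclusion rules above can be evaluated offline to see which URLs a rule actually covers. This is an added example, not code from the platform: only the six matcher keys come from this page, while the `domain` and `path` wrapper names, whole-string regex matching and plain string-prefix matching are assumptions.

```javascript
// Added example. Matcher keys (exact_value, regex_value, suffix_value,
// path, prefix, regex) are the ones named on this page; the `domain` / `path`
// wrapper names and the anchored regex semantics are assumptions.

const DOMAIN_KEYS = ['exact_value', 'regex_value', 'suffix_value'];
const PATH_KEYS = ['path', 'prefix', 'regex'];

// Return the single key that is set, enforcing the "Exclusive with" rule.
function pickExclusive(matcher, keys, label) {
  const present = keys.filter((k) => matcher[k] !== undefined);
  if (present.length !== 1) {
    throw new Error(`${label}: expected exactly one of ${keys.join(', ')}, got ${present.length}`);
  }
  return present[0];
}

// Assumption: a regular expression must match the whole input.
function fullMatch(pattern, input) {
  return new RegExp(`^(?:${pattern})$`).test(input);
}

function matchDomain(matcher, host) {
  const h = host.toLowerCase().replace(/\.$/, ''); // normalise case and trailing dot
  const key = pickExclusive(matcher, DOMAIN_KEYS, 'domain');
  const value = matcher[key];
  if (key === 'exact_value') return h === value.toLowerCase();
  if (key === 'regex_value') return fullMatch(value, h);
  // suffix_value: "xyz.com" matches "xyz.com" and "*.xyz.com", so the
  // comparison is made on a label boundary, not on a raw string suffix.
  const s = value.toLowerCase();
  return h === s || h.endsWith(`.${s}`);
}

function matchPath(matcher, pathname) {
  const key = pickExclusive(matcher, PATH_KEYS, 'path');
  const value = matcher[key];
  if (key === 'path') return pathname === value;
  if (key === 'prefix') return pathname.startsWith(value); // "/" covers all paths
  return fullMatch(value, pathname); // ".*" covers all paths
}

// True when both the domain and the path matcher of a rule accept the URL.
function ruleMatches(rule, url) {
  const u = new URL(url);
  return matchDomain(rule.domain, u.hostname) && matchPath(rule.path, u.pathname);
}

// Flag exclusion rules that switch JavaScript insertion off more widely
// than intended.
function auditExclusion(rule) {
  const findings = [];
  if (rule.path.prefix === '/' || rule.path.regex === '.*') {
    findings.push('path matcher covers every path');
  }
  const re = rule.domain.regex_value;
  if (re !== undefined && /(^|[^\\])\./.test(re)) {
    findings.push('domain regex has an unescaped "." that matches any character');
  }
  return findings;
}

// Constructed sample rules (not taken from a real tenant).
const EXCLUDE_STATIC = { domain: { suffix_value: 'xyz.com' }, path: { prefix: '/static/' } };
const EXCLUDE_TOO_WIDE = { domain: { regex_value: 'www.xyz.com' }, path: { regex: '.*' } };

for (const rule of [EXCLUDE_STATIC, EXCLUDE_TOO_WIDE]) {
  console.log(JSON.stringify(rule), auditExclusion(rule));
}
```

An exclusion rule that matches more than intended leaves those pages without the Bot Defense or Client-Side Defense script, so audit findings are worth reviewing before a rule is deployed.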
object
object
Headers that can be used to identify mobile traffic.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
List of protected endpoints. Limit: Approx ‘128 endpoints per Load Balancer (LB)’ up to 4 LBs, ‘32 endpoints per LB’ after 4 LBs.
Required: YES.
Application Endpoint.
object
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Failure Conditions.
Bot Defense Transaction Result Condition.
object
A case-insensitive HTTP header name.
A list of regular expressions to match the input against.
Success Conditions.
Bot Defense Transaction Result Condition.
object
A case-insensitive HTTP header name.
A list of regular expressions to match the input against.
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
List of HTTP methods.
Required: YES.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
object
object
Custom body message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a Base64-encoded plain-text message, e.g. “Your request was blocked”, or as an HTML paragraph or body string encoded as a Base64 string, e.g. “<p> Your request was blocked </p>”. The Base64-encoded string for this HTML is “LzxwPiBZb3VyIHJlcXVlc3Qgd2FzIGJsb2NrZWQgPC9wPg==”.
X-displayName: “Body Hash” Represents the corresponding MD5 Hash for the body message.
object
object
A case-insensitive HTTP header name. Required: YES.
A case-insensitive HTTP header name. Required: YES.
object
object
URI location for redirect may be relative or absolute. Required: YES.
object
object
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
object
object
object
The timeout for the inference check, in milliseconds.
object
object
object
object
object
Optional JavaScript insertions exclude list of domain and path matchers.
Define JavaScript insertion exclusion rule.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
Optional JavaScript insertions exclude list of domain and path matchers.
Define JavaScript insertion exclusion rule.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
Required list of pages to insert Bot Defense client JavaScript.
Required: YES.
This defines a rule for Bot Defense JavaScript insertion.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
Headers that can be used to identify mobile traffic.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
Reference to CDN Cache Rule configuration object.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
Exclusive with [cache_disabled cache_ttl_override] Use Cache TTL Provided by Origin, and set a contingency TTL value in case one is not provided.
Exclusive with [cache_disabled cache_ttl_default] Always override the Cache TTL provided by Origin.
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a Base64-encoded plain-text message, e.g. “Please Wait..”, or as an HTML paragraph or body string encoded as a Base64 string, e.g. “<p> Please Wait </p>”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.
object
object
object
object
object
Optional JavaScript insertions exclude list of domain and path matchers.
Define JavaScript insertion exclusion rule.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
Optional JavaScript insertions exclude list of domain and path matchers.
Define JavaScript insertion exclusion rule.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
Required list of pages to insert Client-Side Defense client JavaScript.
Required: YES.
This defines a rule for Client-Side Defense JavaScript insertion.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
object
object
object
object
object
The name of the cookie that will be used to obtain the hash key. If the cookie is not present and TTL below is not set, no hash will be produced. Required: YES.
The name of the path for the cookie. If no path is specified here, no path will be set for the cookie.
object
object
object
If specified, a cookie with the TTL will be generated if the cookie is not present. If the TTL is present and zero, the generated cookie will be a session cookie. TTL value is in milliseconds.
object
Specifies whether the resource allows credentials.
Specifies the content for the access-control-allow-headers header.
Specifies the content for the access-control-allow-methods header.
Specifies the origins that will be allowed to do CORS requests. An origin is allowed if either allow_origin or allow_origin_regex match.
Specifies regex patterns that match allowed origins. An origin is allowed if either allow_origin or allow_origin_regex match.
Disable the CorsPolicy for a particular route. This is useful when virtual-host has CorsPolicy, but we need to disable it on a specific route. The value of this field is ignored for virtual-host.
Specifies the content for the access-control-expose-headers header.
Specifies the content for the access-control-max-age header in seconds. This indicates the maximum number of seconds the results can be cached. A value of -1 will disable caching. Maximum permitted value is 86400 seconds (24 hours).
object
object
object
A list of domain names that will be matched to loadbalancer. These domains are not used for SNI match. Wildcard names are supported in the suffix or prefix form. Required: YES.
object
Data Guard prevents responses from exposing sensitive information by masking the data. The system masks credit card numbers and social security numbers leaked from the application from within the HTTP response with a string of asterisks (*). Note: App Firewall should be enabled, to use Data Guard feature.
Simple Data Guard rule specifies a simple set of match conditions to enable data guard protection.
object
object
object
Exclusive with [any_domain suffix_value] Exact domain name.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
Exclusive with [any_domain exact_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
Define manual mitigation rules to block L7 DDoS attacks.
DDoS Mitigation Rule specifies the sources to be blocked.
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
Sources that are located in one of the countries in the given list.
object
A list of exact JA4 TLS fingerprint to match the input JA4 TLS fingerprint against.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.
object
Invert the match result.
List of IPv4 prefix strings.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
object
object
object
The maximum number of connections that loadbalancer will establish to all hosts in an upstream cluster. In practice this is only applicable to TCP and HTTP/1.1 clusters since HTTP/2 uses a single connection to each host. Remove endpoint out of load balancing decision, if number of connections reach connection limit.
The maximum number of requests that can be outstanding to all hosts in a cluster at any given time. In practice this is applicable to HTTP/2 clusters since HTTP/1.1 clusters are governed by the maximum connections (connection_limit). Remove endpoint out of load balancing decision, if requests exceed this count.
The maximum number of requests that will be queued while waiting for a ready connection pool connection. Since HTTP/2 requests are sent over a single connection, this circuit breaker only comes into play as the initial connection is created, as requests will be multiplexed immediately afterwards. For HTTP/1.1, requests are added to the list of pending requests whenever there aren’t enough upstream connections available to immediately dispatch the request, so this circuit breaker will remain in play for the lifetime of the process. Remove endpoint out of load balancing decision, if pending requests reach pending_request.
The maximum number of retries that can be outstanding to all hosts in a cluster at any given time. Remove endpoint out of load balancing decision, if retries for request exceed this count.
The timeout for new network connections to endpoints in the cluster. This is specified in milliseconds. The default value is 2 seconds.
List of key-value pairs that define the default subset, which is used when the route specifies no metadata or no subset matching the metadata exists.
object
List of subset classes. A subset class is defined using a list of keys. Every unique combination of values of these keys forms a subset within the class.
Required: YES.
Upstream cluster may be configured to divide its endpoints into subsets based on metadata attached to the endpoints. Routes may then specify the metadata that an endpoint must match in order to be selected by the load balancer. List of keys that define a cluster subset. Each endpoint that has a metadata value for all of the keys in the definition is added to that subset. If no endpoint has all the keys, no subsets result from the definition. A single endpoint may appear in multiple subsets if it matches multiple definitions.
object
List of keys that define a cluster subset class. Required: YES.
Enable/disable HTTP2 Protocol for upstream connections.
The idle timeout for upstream connection pool connections. The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. This is specified in milliseconds. The default value is 5 minutes.
object
object
The base time that a host is ejected for. The real time is equal to the base time multiplied by the number of times the host has been ejected. This causes hosts to get ejected for longer periods if they continue to fail. Defaults to 30000ms or 30s. Specified in milliseconds.
If an upstream endpoint returns some number of consecutive 5xx, it will be ejected. Note that in this case a 5xx means an actual 5xx response code, or an event that would cause the HTTP router to return one on the upstream’s behalf (reset, connection failure, etc.). consecutive_5xx indicates the number of consecutive 5xx responses required before a consecutive 5xx ejection occurs. Defaults to 5.
If an upstream endpoint returns some number of consecutive “gateway errors” (502, 503 or 504 status code), it will be ejected. Note that this includes events that would cause the HTTP router to return one of these status codes on the upstream’s behalf (reset, connection failure, etc.). Consecutive_gateway_failure indicates the number of consecutive gateway failures before a consecutive gateway failure ejection occurs. Defaults to 5.
The time interval between ejection analysis sweeps. This can result in both new ejections as well as endpoints being returned to service. Defaults to 10000ms or 10s. Specified in milliseconds.
The maximum % of an upstream cluster that can be ejected due to outlier detection. Defaults to 10% but will eject at least one host regardless of the value.
Exclusive with [no_panic_threshold]
Configure a threshold (percentage of unhealthy endpoints) below which all endpoints will be considered for load balancing ignoring its health status.
object
object
Exclusive with [no_request_limit_per_connection] Sets the maximum number of requests allowed per connection to the origin server. Enter a value >=1 to define the request limit per connection.
object
object
Exclusive with [same_as_endpoint_port] Port used for performing health check.
Reference to healthcheck configuration objects.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
List of origin servers in this pool
Required: YES.
Various options to specify origin server.
object
object
Name of the discovered Classic BIG-IP virtual server to be used as origin. Required: YES.
object
object
object
Consul service name of this origin server will be listed, including cluster-ID. The format is servicename:cluster-ID. Required: YES.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
List of IPv4 prefixes that represent an endpoint.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
Exclusive with [] K8s service name of the origin server will be listed, including the namespace and cluster-ID. For vK8s services, you need to enter a string with the format servicename.namespace:cluster-ID. If the servicename is “frontend”, namespace is “speedtest” and cluster-ID is “prod”, then you will enter “frontend.speedtest:prod”. Both namespace and cluster-ID are optional.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
List of IPv4 prefixes that represent an endpoint.
object
Add Labels for this origin server, these labels can be used to form subset.
object
object
object
Exclusive with [] Private IPv4 address.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
List of IPv4 prefixes that represent an endpoint.
object
DNS Name Required: YES.
object
object
Interval for DNS refresh in seconds. Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
List of IPv4 prefixes that represent an endpoint.
object
Exclusive with [] Public IPv4 address.
object
DNS Name Required: YES.
Interval for DNS refresh in seconds. Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767.
object
Exclusive with [] IPv4 address.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
DNS Name Required: YES.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Exclusive with [automatic_port lb_port] Endpoint service is available on this port.
Exclusive with [default_session_key_caching disable_session_key_caching]
Number of session keys that are cached.
object
object
Exclusive with [disable_sni use_host_header_as_sni] SNI value to be used.
object
object
The TLS listener will only support the specified cipher list. Required: YES.
object
object
object
object
object
MTLS Client Certificate
Required: YES.
Handle to fetch certificate and key.
object
TLS certificate. Certificate or certificate chain in PEM format including the PEM headers. Required: YES.
object
Ordered list of hash algorithms to be used.
Required: YES.
Description for the certificate.
object
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Required: YES.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Exclusive with [trusted_ca] Upload a Root CA Certificate specifically for this Origin Pool for verification of server’s certificate.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
List of Origin Pools.
This defines a combination of origin pool with weight and priority.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Upstream origin pool may be configured to divide its origin servers into subsets based on metadata attached to the origin servers. Routes may then specify the metadata that an endpoint must match in order to be selected by the load balancer.
For origin servers which are discovered in a K8s or Consul cluster, the label of the service is merged with the endpoint’s labels. In case of Consul, the label is derived from the “Tag” field. For labels that are common between the configured endpoint and the discovered service, labels from the discovered service take precedence.
List of key-value pairs that will be used as matching metadata. Only those origin servers of upstream origin pool which match this metadata will be selected for load balancing.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Priority of this origin pool, valid only with multiple origin pools. Value of 0 will make the pool the lowest priority origin pool. Priority of 1 means highest priority and is considered active. When the active origin pool is not available, lower priority origin pools are made active as per the increasing priority.
Weight of this origin pool, valid only with multiple origin pools. Value of 0 will disable the pool.
Origin Pools used when no route is specified (default route)
This defines a combination of origin pool with weight and priority.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Upstream origin pool may be configured to divide its origin servers into subsets based on metadata attached to the origin servers. Routes may then specify the metadata that an endpoint must match in order to be selected by the load balancer.
For origin servers which are discovered in a K8s or Consul cluster, the label of the service is merged with the endpoint’s labels. In case of Consul, the label is derived from the “Tag” field. For labels that are common between the configured endpoint and the discovered service, labels from the discovered service take precedence.
List of key-value pairs that will be used as matching metadata. Only those origin servers of upstream origin pool which match this metadata will be selected for load balancing.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Priority of this origin pool, valid only with multiple origin pools. Value of 0 will make the pool the lowest priority origin pool. Priority of 1 means highest priority and is considered active. When the active origin pool is not available, lower priority origin pools are made active as per the increasing priority.
Weight of this origin pool, valid only with multiple origin pools. Value of 0 will disable the pool.
object
object
object
object
object
object
object
object
object
object
object
object
object
object
DNS information for this virtual host.
A message that contains DNS information for a given IP address.
object
IP address associated with virtual host.
object
A list of Domains (host/authority header) that will be matched to load balancer.
Supported Domains and search order:
- Exact Domain names: www.example.com.
- Domains starting with a Wildcard: *.example.com.
Not supported Domains:
- Just a Wildcard: *
- A Wildcard and TLD with no root Domain: *.com.
- A Wildcard not matching a whole DNS label. E.g. *.example.com and *.bar.example.com are valid Wildcards; however, *bar.example.com, *-bar.example.com, and bar*.example.com are all invalid.
Additional notes: A Wildcard will not match empty string. E.g. *.example.com will match bar.example.com and baz-bar.example.com but not .example.com. The longest Wildcards match first. Only a single virtual host in the entire route configuration can match on *. Also a Domain must be unique across all virtual hosts within an advertise policy.
Domains are also used for SNI matching if the Loadbalancer type is HTTPS. Domains also indicate the list of names for which DNS resolution will be automatically resolved to IP addresses by the system. Required: YES.
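The domain rules above, as an added example that is not F5 code: a validator for domain patterns, a matcher that applies the "exact first, then longest wildcard" order, and a uniqueness check across virtual hosts. All function names are hypothetical, and it assumes a wildcard may cover more than one leading label, which is inferred from the "longest Wildcards match first" note.

```javascript
// Added example, not part of the F5 Distributed Cloud API or SDK.
// One DNS label: letters, digits, inner hyphens, 1 to 63 characters.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

// Returns { ok: true, wildcard, name } or { ok: false, reason }.
function validateDomainPattern(pattern) {
  const p = String(pattern).toLowerCase();
  if (p === '*') return { ok: false, reason: 'bare wildcard' };
  const wildcard = p.startsWith('*.');
  const name = wildcard ? p.slice(2) : p;
  // Any other '*' means the wildcard is not a whole left-most label.
  if (name.includes('*')) {
    return { ok: false, reason: 'wildcard must be the whole left-most label' };
  }
  const labels = name.split('.');
  if (!labels.every((l) => LABEL.test(l))) {
    return { ok: false, reason: 'invalid DNS label' };
  }
  if (wildcard && labels.length < 2) {
    return { ok: false, reason: 'wildcard with a TLD and no root domain' };
  }
  return { ok: true, wildcard, name };
}

// Returns the configured pattern that wins for `host`, or null.
function matchDomain(host, patterns) {
  const h = String(host).toLowerCase();
  const valid = patterns
    .map((p) => ({ pattern: p, ...validateDomainPattern(p) }))
    .filter((v) => v.ok);
  // Exact names are searched before wildcards.
  const exact = valid.find((v) => !v.wildcard && v.name === h);
  if (exact) return exact.pattern;
  // A wildcard needs a non-empty prefix in front of ".name";
  // among the wildcards that match, the longest one wins.
  const wild = valid
    .filter((v) => v.wildcard
      && h.length > v.name.length + 1
      && h.endsWith('.' + v.name))
    .sort((a, b) => b.name.length - a.name.length);
  return wild.length ? wild[0].pattern : null;
}

// virtualHosts: { vhostName: [domain, ...] }. Returns the domains that are
// claimed by more than one virtual host (assumed to share an advertise policy).
function duplicateDomains(virtualHosts) {
  const owners = new Map();
  for (const [vhost, domains] of Object.entries(virtualHosts)) {
    for (const d of domains) {
      const key = d.toLowerCase();
      owners.set(key, [...(owners.get(key) || []), vhost]);
    }
  }
  return [...owners].filter(([, o]) => o.length > 1).map(([d]) => d);
}
```
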
object
object
object
Enter domains and their credentials to allow authenticated API crawling. You can only include domains you own that are associated with this Load Balancer.
Required: YES.
The DomainConfiguration message.
object
Select the domain to execute API Crawling with given credentials.
Required: YES.
object
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Required: YES.
Enter the username to assign credentials for the selected domain to crawl.
object
object
Required: YES.
object
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
Code repository which contains API endpoints.
Required: YES.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
Inactive discovered API will be deleted after configured duration.
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a Base64-encoded plain text message, e.g. “Please Wait..”, or it can be an HTML paragraph or a body string encoded as a Base64 string, e.g. “<p> Please Wait </p>”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.
object
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a Base64-encoded plain text message, e.g. “Please Wait..”, or it can be an HTML paragraph or a body string encoded as a Base64 string, e.g. “<p> Please Wait </p>”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.
Delay introduced by JavaScript, in milliseconds.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
If the source IP matches at least one of the enabled IP threat categories, the request will be denied.
Required: YES.
object
object
object
Define the list of one or more Client IP Headers. Headers will be used in order from top to bottom, meaning if the first header is not present in the request, the system will proceed to check for the second header, and so on, until one of the listed headers is found. If none of the defined headers exist, or the value is not an IP address, then the system will use the source IP of the packet. If multiple defined headers with different names are present in the request, the value of the first header name in the configuration will be used. If multiple defined headers with the same name are present in the request, values of all those headers will be combined. The system will read the right-most IP address from the header if there are multiple IP addresses in the header value. For the X-Forwarded-For header, the system will read the IP address (rightmost - 1) as the client IP. Required: YES.
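A model of the client IP selection described above, as an added example that is not F5 code, useful for checking which address a given header configuration would yield. The function names, the sample header names and the constructed addresses are assumptions; it also assumes that an X-Forwarded-For value with a single entry has no (rightmost - 1) address and so falls back to the source IP, and it uses a simplified IP syntax check.

```javascript
// Added example, not part of the F5 Distributed Cloud API or SDK.
const OCTET = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const IPV4 = new RegExp('^' + OCTET + '(\\.' + OCTET + '){3}$');

// Simplified check: strict IPv4, loose IPv6 (hex digits and at least two colons).
function isIp(value) {
  if (IPV4.test(value)) return true;
  return /^[0-9a-f:]+$/i.test(value) && (value.match(/:/g) || []).length >= 2;
}

// configuredHeaders: header names in configured order (top to bottom).
// requestHeaders: array of [name, value] pairs, so repeated headers survive.
// sourceIp: source IP of the packet.
function resolveClientIp(configuredHeaders, requestHeaders, sourceIp) {
  for (const name of configuredHeaders) {
    const wanted = name.toLowerCase();
    const values = requestHeaders
      .filter(([n]) => n.toLowerCase() === wanted)
      .map(([, v]) => v);
    if (values.length === 0) continue; // header absent: try the next name

    // Repeated headers with the same name are combined into one list.
    const ips = values
      .join(',')
      .split(',')
      .map((s) => s.trim())
      .filter((s) => s !== '');

    // Right-most entry, except X-Forwarded-For which uses (rightmost - 1).
    const index = wanted === 'x-forwarded-for' ? ips.length - 2 : ips.length - 1;
    const candidate = ips[index];
    if (candidate !== undefined && isIp(candidate)) {
      return { ip: candidate, from: name };
    }
    // The first configured header that is present decides. A value that is
    // not an IP address falls back to the source IP, not to the next header.
    return { ip: sourceIp, from: 'source-ip' };
  }
  return { ip: sourceIp, from: 'source-ip' };
}

// Constructed sample request (documentation address ranges only).
const SAMPLE_HEADERS = [
  ['X-Forwarded-For', '198.51.100.7, 203.0.113.9'],
  ['X-Forwarded-For', '192.0.2.10'],
  ['True-Client-IP', '203.0.113.50'],
];
const SAMPLE_SOURCE_IP = '192.0.2.200';
```

With `['X-Forwarded-For']` configured, the sample resolves to `203.0.113.9`: the left-most entry, which is the one a client can set freely, is never the value selected.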
GraphQL is a query language and server-side runtime for APIs which provides a complete and understandable description of the data in API. GraphQL gives clients the power to ask for exactly what they need, makes it easier to evolve APIs over time, and enables powerful developer tools. Policy configuration to analyze GraphQL queries and prevent GraphQL tailored attacks.
This section defines various configuration options for GraphQL inspection.
object
object
Specifies the exact path to GraphQL endpoint. Default value is /graphql. Required: YES.
Exclusive with [any_domain suffix_value] Exact domain name.
object
object
object
Specify maximum number of queries in a single batched request. Required: YES.
Specify maximum depth for the GraphQL query. Required: YES.
Specify maximum length in bytes for the GraphQL query. Required: YES.
Maximum Value Length. Specify maximum value length in bytes for the GraphQL query. Required: YES.
Policy Name. Sets the BD Policy to use.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
object
Exclusive with [any_domain exact_value] Suffix of domain name, e.g. “xyz.com” will match “*.xyz.com” and “xyz.com”.
Internally generated host name to be used for the virtual host.
object
DNS records for domains will be managed automatically by F5 Distributed Cloud. As a prerequisite, the domain must be delegated to F5 Distributed Cloud using Delegated domain feature or a DNS CNAME record should be created in your DNS provider’s portal.
Exclusive with [port_ranges] HTTP port to Listen.
Exclusive with [port] A string containing a comma separated list of port ranges. Each port range consists of a single port or two ports separated by “-”.
object
Add HTTP Strict-Transport-Security response header.
Exclusive with [default_header pass_through server_name] Define the header value for the header name “server”. If header value is already present, it is not overwritten and passed as-is.
object
object
object
The idle timeout for downstream connections. The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. This is specified in milliseconds. The default value is 2 minutes.
object
object
object
object
object
object
object
object
object
object
object
object
object
Redirect HTTP traffic to HTTPS.
object
object
Exclusive with [port_ranges] HTTPS port to Listen.
Exclusive with [port] A string containing a comma separated list of port ranges. Each port range consists of a single port or two ports separated by “-”.
Exclusive with [append_server_name default_header pass_through] Define the header value for the header name “server”. This will overwrite existing values, if any, for the server header.
object
Select one or more certificates with any domain names.
Required: YES.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
The TLS listener will only support the specified cipher list. Required: YES.
object
object
object
object
Client certificate is optional. If the client has provided a certificate, the load balancer will verify it. If certification verification fails, the connection will be terminated. If the client does not provide a certificate, the connection will be accepted.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Exclusive with [trusted_ca] Upload a Root CA Certificate specifically for this Load Balancer.
object
object
X-Forwarded-Client-Cert header elements to be added to requests
Required: YES.
object
object
Users can add one or more certificates that share the same set of domains, for example domain.com and *.domain.com, but use different signature algorithms.
Required: YES.
Handle to fetch certificate and key.
object
TLS certificate. Certificate or certificate chain in PEM format including the PEM headers. Required: YES.
object
Ordered list of hash algorithms to be used.
Required: YES.
Description for the certificate.
object
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Required: YES.
object
object
object
The TLS listener will only support the specified cipher list. Required: YES.
object
object
object
object
Client certificate is optional. If the client has provided a certificate, the load balancer will verify it. If certification verification fails, the connection will be terminated. If the client does not provide a certificate, the connection will be accepted.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Exclusive with [trusted_ca] Upload a Root CA Certificate specifically for this Load Balancer.
object
object
X-Forwarded-Client-Cert header elements to be added to requests
Required: YES.
object
Add HTTP Strict-Transport-Security response header.
Exclusive with [default_header pass_through server_name] Define the header value for the header name “server”. If header value is already present, it is not overwritten and passed as-is.
object
object
object
The idle timeout for downstream connections. The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. This is specified in milliseconds. The default value is 2 minutes.
object
object
object
object
object
object
object
object
object
object
object
object
object
Redirect HTTP traffic to HTTPS.
object
object
object
Exclusive with [port_ranges] HTTPS port to Listen.
Exclusive with [port] A string containing a comma separated list of port ranges. Each port range consists of a single port or two ports separated by “-”.
Exclusive with [append_server_name default_header pass_through] Define the header value for the header name “server”. This will overwrite existing values, if any, for the server header.
object
object
The TLS listener will only support the specified cipher list. Required: YES.
object
object
object
object
Client certificate is optional. If the client has provided a certificate, the load balancer will verify it. If certification verification fails, the connection will be terminated. If the client does not provide a certificate, the connection will be accepted.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Exclusive with [trusted_ca] Upload a Root CA Certificate specifically for this Load Balancer.
object
object
X-Forwarded-Client-Cert header elements to be added to requests
Required: YES.
Internet VIP Info.
Internet VIP Info.
object
Site Name where Internet VIP is installed.
object
Configuration parameter for arn
Human-readable name for the resource
NLB CNAME
NLB Status.
Reason
Target Group Status.
object
Configuration parameter for arn
Listener status.
object
Configuration parameter for arn
TCP/UDP port number (1-65535)
Protocol
Reason
Status
Human-readable name for the resource
Protocol
Reason
Status
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a Base64-encoded plain text message, e.g. “Please Wait..”, or it can be an HTML paragraph or a body string encoded as a Base64 string, e.g. “<p> Please Wait </p>”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.
Delay introduced by JavaScript, in milliseconds.
object
object
object
object
object
The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details.
object
Human-readable name for the resource
object
object
Required: YES.
object
Exclusive with [issuer_disable]
object
object
object
object
object
object
Required: YES.
object
Required: YES.
object
object
object
Authorization Servers are configured separately in the ‘Shared Objects’ section of the Web App & API Protection workspace and used to fetch JWKS for JWT validation.
Required: YES.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a Base64-encoded plain text message, e.g. “Please Wait..”, or it can be an HTML paragraph or a body string encoded as a Base64 string, e.g. “<p> Please Wait </p>”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.
Delay introduced by JavaScript, in milliseconds.
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a Base64-encoded plain text message, e.g. “Please Wait..”, or it can be an HTML paragraph or a body string encoded as a Base64 string, e.g. “<p> Please Wait </p>”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a Base64-encoded plain text message, e.g. “Please Wait..”, or it can be an HTML paragraph or a body string encoded as a Base64 string, e.g. “<p> Please Wait </p>”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.
Delay introduced by JavaScript, in milliseconds.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a Base64-encoded plain text message, e.g. “Please Wait..”, or it can be an HTML paragraph or a body string encoded as a Base64 string, e.g. “<p> Please Wait </p>”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a Base64-encoded plain text message, e.g. “Please Wait..”, or it can be an HTML paragraph or a body string encoded as a Base64 string, e.g. “<p> Please Wait </p>”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.
Delay introduced by JavaScript, in milliseconds.
Exclusive with [default_rps_threshold] Configure custom RPS threshold.
object
object
Configure the match criteria to trigger Malware Protection Scan
Required: YES.
Configure the match criteria to trigger Malware Protection Scan.
object
object
object
object
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name, e.g. “xyz.com” will match “*.xyz.com” and “xyz.com”.
Methods to be matched.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
object
Disable buffering for a particular route. This is useful when virtual-host has buffering, but we need to disable it on a specific route. The value of this field is ignored for virtual-host.
The maximum request size that the filter will buffer before the connection manager will stop buffering and return a RequestEntityTooLarge (413) response.
object
Minimum response length, in bytes, which will trigger compression. The default value is 30.
Set of strings that allows specifying which mime-types yield compression. When this field is not defined, compression will be applied to the following mime-types: “application/javascript”, “application/json”, “application/xhtml+xml”, “image/svg+xml”, “text/css”, “text/html”, “text/plain”, “text/xml”.
If true, disables compression when the response contains an etag header. When it is false, weak etags will be preserved and the ones that require strong validation will be removed.
If true, removes accept-encoding from the request headers before dispatching it to the upstream so that responses do not get compressed before reaching the filter.
Map of integer error codes as keys and string values that can be used to provide custom HTTP pages for each error code. Key of the map can be either response code class or HTTP Error code. Response code classes for the key are configured as follows:
- 3: for 3xx response code class
- 4: for 4xx response code class
- 5: for 5xx response code class
Value of the map is a string which represents custom HTTP responses. Specific response code takes preference when both response code and response code class match for a request.
object
Disable the use of default F5XC error pages.
object
object
The amount of time that a stream can exist without upstream or downstream activity, in milliseconds. The stream is terminated with an HTTP 504 (Gateway Timeout) error code if no upstream response header has been received, otherwise the stream is reset.
The maximum request header size for downstream connections, in KiB. An HTTP 431 (Request Header Fields Too Large) error code is sent for requests that exceed this size.
If multiple load balancers share the same advertise_policy, the highest value configured across all such load balancers is used for all the load balancers in question.
Cookies are key-value pairs to be added to HTTP request being routed towards upstream. Cookies specified at this level are applied after cookies from matched Route are applied.
Cookie name and value for cookie header.
object
Name of the cookie in Cookie header. Required: YES.
Should the value be overwritten? If true, the value is overwritten to existing values. Default value is do not overwrite.
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Required: YES.
Exclusive with [secret_value] Value of the Cookie header.
List of keys of Cookies to be removed from the HTTP request being sent towards upstream.
Headers are key-value pairs to be added to HTTP request being routed towards upstream. Headers specified at this level are applied after headers from matched Route are applied.
An HTTP header is a key-value pair. The name acts as the key of the HTTP header. The value acts as the data/value of the HTTP header. Example HTTP header: Host: user.F5 Distributed cloud.com. In the above example, Host is the name or key of the HTTP header, and user.F5 Distributed cloud.com is the value of the HTTP header.
object
Should the value be appended? If true, the value is appended to existing values. Default value is do not append.
Name of the HTTP header. Required: YES.
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Required: YES.
Exclusive with [secret_value] Value of the HTTP header.
List of keys of Headers to be removed from the HTTP request being sent towards upstream.
Cookies are name-value pairs along with optional attribute parameters to be added to HTTP response being sent towards downstream. Cookies specified at this level are applied after cookies from matched Route are applied.
Cookie name and its attribute values in set-cookie header.
object
Exclusive with [ignore_domain] Add domain attribute.
Exclusive with [ignore_expiry] Add expiry attribute.
object
object
Exclusive with [ignore_path] Add path attribute.
object
object
object
object
object
object
object
object
object
object
Exclusive with [ignore_max_age] Add max age attribute.
Name of the cookie in Cookie header. Required: YES.
Should the value be overwritten? If true, the value is overwritten to existing values. Default value is do not overwrite.
object
object
object
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Required: YES.
Exclusive with [ignore_value secret_value] Value of the Cookie header.
List of name of Cookies to be removed from the HTTP response being sent towards downstream. Entire set-cookie header will be removed.
Headers are key-value pairs to be added to HTTP response being sent towards downstream. Headers specified at this level are applied after headers from matched Route are applied.
An HTTP header is a key-value pair. The name acts as the key of the HTTP header. The value acts as the data/value of the HTTP header. Example HTTP header: Host: user.F5 Distributed cloud.com. In the above example, Host is the name or key of the HTTP header, and user.F5 Distributed cloud.com is the value of the HTTP header.
object
Should the value be appended? If true, the value is appended to existing values. Default value is do not append.
Name of the HTTP header. Required: YES.
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Required: YES.
Exclusive with [secret_value] Value of the HTTP header.
List of keys of Headers to be removed from the HTTP response being sent towards downstream.
Exclusive with [no_request_limit_per_connection] Sets the maximum number of requests a downstream client can send over a single connection to Envoy. Enter a value >=1 to define the request limit per connection.
object
object
object
object
object
Origin Server Subset Rules allow users to define match conditions on Client (IP address, ASN, Country), IP Reputation, Regional Edge names, and Request for subset selection of origin servers. Origin Server Subset is a sequential engine where rules are evaluated one after the other. It’s important to define the correct order for Origin Server Subset to get the intended result; rules are evaluated from top to bottom in the list. When an Origin Server Subset rule is matched, this selection rule takes effect and no more rules are evaluated.
An Origin Server Subset rule specifies a simple set of match conditions to be matched to select a list of origin server key/val pairs.
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
object
A list of references to bgp_asn_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
List of Country Codes.
object
Invert the match result.
A list of references to ip_prefix_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Invert the match result.
List of IPv4 prefix strings.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Add labels to select one or more origin servers. Note: The prerequisite settings to be configured in the origin pool are:
- Add labels to origin servers
- Enable subset load balancing in the Origin Server Subsets section and configure keys in origin server subsets classes
Required: YES.
object
List of RE names for match.
object
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a Base64-encoded plain text message, e.g. “Please Wait..”, or it can be an HTML paragraph or a body string encoded as a Base64 string, e.g. “<p> Please Wait </p>”. The Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.
object
object
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a Base64-encoded plain text message, e.g. “Please Wait..”, or it can be an HTML paragraph or a body string encoded as a Base64 string, e.g. “<p> Please Wait </p>”. The Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.
Delay introduced by Javascript, in milliseconds.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
Rules that specify the match conditions and challenge type to be launched. When a challenge type is selected to be always enabled, these rules can be used to disable challenge or launch a different challenge for requests that match the specified conditions.
Challenge rule.
object
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
object
object
object
A list of predicates for all POST args that need to be matched. The criteria for matching each arg are described in individual instances of ArgMatcherType. The actual arg values are extracted from the request API as a list of strings for each arg selector name. Note that all specified arg matcher predicates must evaluate to true.
An argument matcher specifies the name of a single argument in the body and the criteria to match it. An argument matcher can check for one of the following:
- Presence or absence of the argument
- At least one of the values for the argument in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive JSON path in the HTTP request body. Required: YES.
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
object
A list of references to bgp_asn_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
A list of predicates for all cookies that need to be matched. The criteria for matching each cookie is described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.
A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:
- Presence or absence of the cookie
- At least one of the values for the cookie in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive cookie name. Required: YES.
object
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
object
object
The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
object
Invert the match result.
List of methods values to match against.
object
Invert the match result.
A list of references to ip_prefix_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Invert the match result.
List of IPv4 prefix strings.
object
A list of exact path values to match the input HTTP path against.
Invert the match result.
A list of path prefix values to match the input HTTP path against.
A list of regular expressions to match the input HTTP path against.
A list of path suffix values to match the input HTTP path against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
object
Custom message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a Base64-encoded plain text message, e.g. “Blocked..”, or it can be an HTML paragraph or a body string encoded as a Base64 string, e.g. “<p> Blocked </p>”. The Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.
Allows setting attributes (SameSite, Secure, and HttpOnly) on cookies in responses. Cookie Tampering Protection prevents attackers from modifying the value of session cookies. For Cookie Tampering Protection, enabling a web app firewall (WAF) is a prerequisite. The configured mode of WAF (monitoring or blocking) will be enforced on the request when cookie tampering is identified. Note: We recommend enabling Secure and HttpOnly attributes along with cookie tampering protection.
Set Cookie protection attributes.
object
object
object
object
object
object
object
object
object
Exclusive with [ignore_max_age] Add max age attribute.
Name of the Cookie Required: YES.
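One way to verify the Secure, HttpOnly and SameSite recommendation above from the client side, as an added example (not F5 code): the script parses `Set-Cookie` header values and reports which protected cookies lack those attributes. The header lines and cookie names are constructed samples.

```javascript
// Parse one Set-Cookie header value into its name, value and attributes.
// Attribute names are lower-cased because they are case-insensitive.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf('=');
  if (eq <= 0) return null; // a cookie without a name is ignored
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Report, for each cookie named in protectedNames, which of the three
// protection attributes are absent from the response.
function auditSetCookies(setCookieHeaders, protectedNames) {
  const findings = [];
  for (const raw of setCookieHeaders) {
    const cookie = parseSetCookie(raw);
    if (!cookie || !protectedNames.includes(cookie.name)) continue;
    const missing = [];
    if (!cookie.attrs.secure) missing.push('Secure');
    if (!cookie.attrs.httponly) missing.push('HttpOnly');
    const sameSite = typeof cookie.attrs.samesite === 'string'
      ? cookie.attrs.samesite.toLowerCase()
      : null;
    if (!sameSite) {
      missing.push('SameSite');
    } else if (sameSite === 'none' && !cookie.attrs.secure) {
      // Browsers reject SameSite=None cookies that are not also Secure.
      missing.push('SameSite=None requires Secure');
    }
    if (missing.length > 0) findings.push({ cookie: cookie.name, missing });
  }
  return findings;
}

// Constructed sample: Set-Cookie values as seen in one response.
const SAMPLE_SET_COOKIE = [
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'csrf=def456; Path=/; SameSite=None',
  'theme=dark; Path=/',
];

console.log(JSON.stringify(auditSetCookies(SAMPLE_SET_COOKIE, ['session', 'csrf'])));
```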
object
object
object
object
object
object
References to ip_prefix_set objects. Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting.
Required: YES.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
List of IPv4 prefixes that represent an endpoint.
object
object
object
Ordered list of rate limiter policies.
Required: YES.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
Configuration parameter for duration
object
Configuration parameter for duration
object
Configuration parameter for duration
The maximum burst of requests to accommodate, expressed as a multiple of the rate.
object
object
This setting, combined with Per Period units, provides a duration.
object
The total number of allowed requests per rate-limiting period. Required: YES.
object
Specifies a list of hash policies to use for ring hash load balancing. Each hash policy is evaluated individually and the combined result is used to route the request.
Required: YES.
HashPolicyType specifies the field of the incoming request that will be used for generating hash key. When multiple hash policies are configured, this can also specify if the current hash policy is terminal policy or not.
object
object
object
object
object
object
object
The name of the cookie that will be used to obtain the hash key. If the cookie is not present and the TTL below is not set, no hash will be produced. Required: YES.
The name of the path for the cookie. If no path is specified here, no path will be set for the cookie.
object
object
object
If specified, a cookie with the TTL will be generated if the cookie is not present. If the TTL is present and zero, the generated cookie will be a session cookie. TTL value is in milliseconds.
Exclusive with [cookie source_ip] The name or key of the request header that will be used to obtain the hash key.
Exclusive with [cookie header_name] Hash based on source IP address.
Specifies whether it is a terminal policy.
object
Routes allow users to define match condition on a path and/or HTTP method to either forward matching traffic to origin pool or redirect matching traffic to a different URL or respond directly to matching traffic.
This defines various options to define a route.
object
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
List of (key, value) headers.
Header match is done using the name of the header and its value. The value match is done using one of the following:
- regex match on value
- exact match of value
- presence of header
Header match can also be the inverse of the above, which can be used to check for a missing header or a non-matching value.
object
Exclusive with [presence regex] Header value to match exactly.
Invert the result of the match to detect missing header or non-matching value.
Name of the header Required: YES.
Exclusive with [exact regex] If true, check for presence of header.
Exclusive with [exact presence] Regex match of the header value in re2 format.
object
object
Exclusive with [no_port_match port_ranges] Exact Port to match.
Exclusive with [no_port_match port] Port range to match.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
Response body to send. The currently supported URL scheme is string:///, for which the message should be encoded in Base64 format. The message can be either plain text or HTML, e.g. “<p> Access Denied </p>”. The Base64 encoded string URL for this is string:///PHA+IEFjY2VzcyBEZW5pZWQgPC9wPg==.
Response code to send.
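The string:/// values used for custom messages, response bodies and inline secrets on this page are Base64-encoded, not encrypted, so anyone who can read a configuration can decode them. This added example (not part of the F5 documentation) decodes them strictly and inventories every string:/// value in a configuration object; the object's field names and the secret value are constructed for illustration.

```javascript
const SCHEME = 'string:///';

// Decode a string:/// uri_ref to text. Throws on another scheme, on
// non-canonical Base64, or on bytes that are not valid UTF-8.
function decodeStringUri(uriRef) {
  if (typeof uriRef !== 'string' || !uriRef.startsWith(SCHEME)) {
    throw new Error('unsupported scheme: only string:/// is handled');
  }
  const payload = uriRef.slice(SCHEME.length);
  // Buffer.from(..., 'base64') silently skips invalid characters, so the
  // alphabet, the padding and the round trip are checked explicitly.
  if (payload.length === 0 || payload.length % 4 !== 0 ||
      !/^[A-Za-z0-9+\/]*={0,2}$/.test(payload)) {
    throw new Error('payload is not valid Base64');
  }
  const bytes = Buffer.from(payload, 'base64');
  if (bytes.toString('base64') !== payload) {
    throw new Error('payload is not canonical Base64');
  }
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Build a string:/// uri_ref from plain text or HTML.
function encodeStringUri(text) {
  return SCHEME + Buffer.from(text, 'utf8').toString('base64');
}

// Walk a configuration object and list every string:/// value with its
// JSON path and decoded content, so a reviewer can see which messages
// and inline secrets are readable by anyone with list access.
function inventoryInlineValues(node, path = '$', found = []) {
  if (typeof node === 'string') {
    if (node.startsWith(SCHEME)) {
      let decoded = null;
      let error = null;
      try {
        decoded = decodeStringUri(node);
      } catch (e) {
        error = e.message;
      }
      found.push({ path, decoded, error });
    }
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => inventoryInlineValues(v, `${path}[${i}]`, found));
  } else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      inventoryInlineValues(value, `${path}.${key}`, found);
    }
  }
  return found;
}

// Constructed sample; field names are hypothetical, not the API schema.
const SAMPLE_ITEM = {
  name: 'example-lb',
  custom_message: 'string:///PHA+IFBsZWFzZSBXYWl0IDwvcD4=',
  request_headers: [
    { name: 'x-api-key', secret: { url: 'string:///czNjcjN0LXZhbHVl' } },
  ],
  broken: 'string:///not base64!',
};

console.log(inventoryInlineValues(SAMPLE_ITEM));
```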
object
List of (key, value) headers.
Header match is done using the name of the header and its value. The value match is done using one of the following:
- regex match on value
- exact match of value
- presence of header
Header match can also be the inverse of the above, which can be used to check for a missing header or a non-matching value.
object
Exclusive with [presence regex] Header value to match exactly.
Invert the result of the match to detect missing header or non-matching value.
Name of the header Required: YES.
Exclusive with [exact regex] If true, check for presence of header.
Exclusive with [exact presence] Regex match of the header value in re2 format.
object
object
Exclusive with [no_port_match port_ranges] Exact Port to match.
Exclusive with [no_port_match port] Port range to match.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
Swap host part of incoming URL in redirect URL.
Exclusive with [prefix_rewrite] swap path part of incoming URL in redirect URL.
Exclusive with [path_redirect] In Redirect response, the matched prefix (or path) should be swapped with this value. This option allows redirect URLs be dynamically created based on the request.
Swap protocol part of incoming URL in redirect URL. The protocol can be swapped with either HTTP or HTTPS. When the incoming-proto option is specified, swapping of protocol is not done.
object
Exclusive with [remove_all_params retain_all_params]
The HTTP status code to use in the redirect response.
object
object
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
Select Add item to configure your javascript tag. If adding both Bot Adv and Fraud, the Bot Javascript should be added first.
Required: YES.
JavaScript URL and attributes.
object
Please enter the full URL (include domain and path), or relative path. Required: YES.
Add the tag attributes you want to include in your Javascript tag.
Attribute for JavaScript tag.
object
Add the tag attribute value.
object
Disable buffering for a particular route. This is useful when virtual-host has buffering, but we need to disable it on a specific route. The value of this field is ignored for virtual-host.
The maximum request size that the filter will buffer before the connection manager will stop buffering and return a RequestEntityTooLarge (413) response.
object
object
object
Specifies whether the resource allows credentials.
Specifies the content for the access-control-allow-headers header.
Specifies the content for the access-control-allow-methods header.
Specifies the origins that will be allowed to do CORS requests. An origin is allowed if either allow_origin or allow_origin_regex match.
Specifies regex patterns that match allowed origins. An origin is allowed if either allow_origin or allow_origin_regex match.
Disable the CorsPolicy for a particular route. This is useful when virtual-host has CorsPolicy, but we need to disable it on a specific route. The value of this field is ignored for virtual-host.
Specifies the content for the access-control-expose-headers header.
Specifies the content for the access-control-max-age header in seconds. This indicates the maximum number of seconds the results can be cached. A value of -1 will disable caching. Maximum permitted value is 86400 seconds (24 hours).
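An added example (not F5 code) of auditing a CORS policy against the either-match rule described above: it probes the policy with look-alike origins and reports any that are accepted. `allow_origin` and `allow_origin_regex` are the page's names; `allow_credentials`, treating `*` as match-all, full-string regex matching and the sample policies are assumptions, and JavaScript `RegExp` stands in for the platform's regex engine.

```javascript
// Constructed origins that a policy written for example.com should reject.
const PROBE_ORIGINS = [
  'https://evil.example',
  'https://example.com.evil.example',
  'https://evil-example.com',
  'https://notexample.com',
  'http://app.example.com',
  'null',
];

// Assumption: each pattern must match the whole Origin value.
function compileFullMatch(pattern) {
  return new RegExp(`^(?:${pattern})$`);
}

// An origin is allowed if either allow_origin or allow_origin_regex match.
function isOriginAllowed(policy, origin) {
  const exact = policy.allow_origin || [];
  if (exact.includes('*') || exact.includes(origin)) return true;
  return (policy.allow_origin_regex || []).some((p) => compileFullMatch(p).test(origin));
}

// Probe a policy and summarise what a reviewer needs to look at.
function auditCorsPolicy(policy, probes = PROBE_ORIGINS) {
  const result = { wildcard: false, invalidRegex: [], allowedProbes: [], withCredentials: false };
  result.wildcard = (policy.allow_origin || []).includes('*');

  // Patterns that do not compile are reported instead of aborting the audit.
  const usable = [];
  for (const pattern of policy.allow_origin_regex || []) {
    try {
      compileFullMatch(pattern);
      usable.push(pattern);
    } catch (e) {
      result.invalidRegex.push(pattern);
    }
  }

  const checked = { ...policy, allow_origin_regex: usable };
  result.allowedProbes = probes.filter((origin) => isOriginAllowed(checked, origin));

  // Credentials combined with an over-broad origin match is the case to fix first.
  result.withCredentials = Boolean(policy.allow_credentials) &&
    (result.wildcard || result.allowedProbes.length > 0);
  return result;
}

// Constructed policies: the first leaves the dot unescaped and the
// subdomain part unbounded; the second pins both.
const LOOSE_POLICY = {
  allow_origin: ['https://app.example.com'],
  allow_origin_regex: ['https://.*example.com', '('],
  allow_credentials: true,
};
const TIGHT_POLICY = {
  allow_origin: ['https://app.example.com'],
  allow_origin_regex: ['https://[a-z0-9-]+\\.example\\.com'],
  allow_credentials: true,
};

console.log(auditCorsPolicy(LOOSE_POLICY));
console.log(auditCorsPolicy(TIGHT_POLICY));
```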
object
object
object
A list of domain names that will be matched to loadbalancer. These domains are not used for SNI match. Wildcard names are supported in the suffix or prefix form. Required: YES.
object
object
Disables append of x-F5 Distributed Cloud-location =
object
object
object
object
object
object
object
Upstream origin pool may be configured to divide its origin servers into subsets based on metadata attached to the origin servers. Routes may then specify the metadata that an endpoint must match in order to be selected by the load balancer.
For origin servers which are discovered in a K8s or Consul cluster, the label of the service is merged with the endpoint’s labels. In the case of Consul, the label is derived from the “Tag” field. For labels that are common between the configured endpoint and the discovered service, labels from the discovered service take precedence.
List of key-value pairs that will be used as matching metadata. Only those origin servers of upstream origin pool which match this metadata will be selected for load balancing.
object
object
object
object
object
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name. Required: YES.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
object
Sampled parts per denominator. If denominator was 10000, then value of 5 will be 5 in 10000. Required: YES.
object
Exclusive with [disable_prefix_rewrite regex_rewrite] prefix_rewrite indicates that during forwarding, the matched prefix (or path) should be swapped with its value. When using regex path matching, the entire path (not including the query string) will be swapped with this value.
object
The regular expression used to find portions of a string that should be replaced.
The string that should be substituted into matching portions of the subject string during a substitution operation to produce a new string.
Cookies are key-value pairs to be added to HTTP request being routed towards upstream. Cookies specified at this level are applied after cookies from matched Route are applied.
Cookie name and value for cookie header.
object
Name of the cookie in Cookie header. Required: YES.
Should the value be overwritten? If true, the value is overwritten to existing values. Default value is do not overwrite.
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will GET the secret bytes after Base64 decoding. Required: YES.
Exclusive with [secret_value] Value of the Cookie header.
List of keys of Cookies to be removed from the HTTP request being sent towards upstream.
Headers are key-value pairs to be added to HTTP request being routed towards upstream.
HTTP header is a key-value pair. The name acts as key of HTTP header. The value acts as the data/value of HTTP header. Example HTTP header: Host: user.F5 Distributed cloud.com. In the above example, Host is the name or key of HTTP header, and user.F5 Distributed cloud.com is the value of HTTP header.
object
Should the value be appended? If true, the value is appended to existing values. Default value is do not append.
Name of the HTTP header. Required: YES.
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will GET the secret bytes after Base64 decoding. Required: YES.
Exclusive with [secret_value] Value of the HTTP header.
List of keys of Headers to be removed from the HTTP request being sent towards upstream.
Cookies are name-value pairs along with optional attribute parameters to be added to HTTP response being sent towards downstream. Cookies specified at this level are applied after cookies from matched Route are applied.
Cookie name and its attribute values in set-cookie header.
object
Exclusive with [ignore_domain] Add domain attribute.
Exclusive with [ignore_expiry] Add expiry attribute.
object
object
Exclusive with [ignore_path] Add path attribute.
object
object
object
object
object
object
object
object
object
object
Exclusive with [ignore_max_age] Add max age attribute.
Name of the cookie in Cookie header. Required: YES.
Should the value be overwritten? If true, the value is overwritten to existing values. Default value is do not overwrite.
object
object
object
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will GET the secret bytes after Base64 decoding. Required: YES.
Exclusive with [ignore_value secret_value] Value of the Cookie header.
List of name of Cookies to be removed from the HTTP response being sent towards downstream. Entire set-cookie header will be removed.
Headers are key-value pairs to be added to HTTP response being sent towards downstream.
HTTP header is a key-value pair. The name acts as key of HTTP header. The value acts as the data/value of HTTP header. Example HTTP header: Host: user.F5 Distributed cloud.com. In the above example, Host is the name or key of HTTP header, and user.F5 Distributed cloud.com is the value of HTTP header.
object
Should the value be appended? If true, the value is appended to existing values. Default value is do not append.
Name of the HTTP header. Required: YES.
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will GET the secret bytes after Base64 decoding. Required: YES.
Exclusive with [secret_value] Value of the HTTP header.
List of keys of Headers to be removed from the HTTP response being sent towards downstream.
object
object
object
Specifies the base interval between retries in milliseconds.
Specifies the maximum interval between retries in milliseconds. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval.
Specifies the allowed number of retries. Defaults to 1. Retries can be done any number of times. An exponential back-off algorithm is used between each retry.
Specifies a non-zero timeout per retry attempt. In milliseconds.
HTTP status codes that should trigger a retry in addition to those specified by retry_on.
Specifies the conditions under which retry takes place. Retries can be on different types of condition depending on application requirements. For example, network failure, all 5xx response codes, idempotent 4xx response codes, etc.
The possible values are:
“5xx” : Retry will be done if the upstream server responds with any 5xx response code, or does not respond at all (disconnect/reset/read timeout).
“gateway-error” : Retry will be done only if the upstream server responds with 502, 503 or 504 responses. (Included in 5xx)
“connect-failure” : Retry will be done if the request fails because of a connection failure to the upstream server (connect timeout, etc.). (Included in 5xx)
“refused-stream” : Retry is done if the upstream server resets the stream with a REFUSED_STREAM error code. (Included in 5xx)
“retriable-4xx” : Retry is done if the upstream server responds with a retriable 4xx response code. The only response code in this category is HTTP CONFLICT (409).
“retriable-status-codes” : Retry is done if the upstream server responds with any response code matching one defined in retriable_status_codes field.
“reset” : Retry is done if the upstream server does not respond at all (disconnect/reset/read timeout). Required: YES.
object
Specifies a list of hash policies to use for ring hash load balancing. Each hash policy is evaluated individually and the combined result is used to route the request.
Required: YES.
HashPolicyType specifies the field of the incoming request that will be used for generating hash key. When multiple hash policies are configured, this can also specify if the current hash policy is terminal policy or not.
object
object
object
object
object
object
object
The name of the cookie that will be used to obtain the hash key. If the cookie is not present and TTL below is not set, no hash will be produced. Required: YES.
The name of the path for the cookie. If no path is specified here, no path will be set for the cookie.
object
object
object
If specified, a cookie with the TTL will be generated if the cookie is not present. If the TTL is present and zero, the generated cookie will be a session cookie. TTL value is in milliseconds.
Exclusive with [cookie source_ip] The name or key of the request header that will be used to obtain the hash key.
Exclusive with [cookie header_name] Hash based on source IP address.
Specify if it is a terminal policy.
The timeout for the route including all retries, in milliseconds. Should be set to a high value or 0 (infinite timeout) for server-side streaming.
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name. Required: YES.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
object
Specifies that the HTTP client connection to this route is allowed to upgrade to a WebSocket connection.
object
object
List of (key, value) headers.
Header match is done using the name of the header and its value. The value match is done using one of the following: regex match on value, exact match of value, or presence of header.
Header match can also be the inverse of the above, which can be used to check for a missing header or non-matching value.
object
Exclusive with [presence regex] Header value to match exactly.
Invert the result of the match to detect missing header or non-matching value.
Name of the header. Required: YES.
Exclusive with [exact regex] If true, check for presence of header.
Exclusive with [exact presence] Regex match of the header value in re2 format.
Exclusive with [auto_host_rewrite disable_host_rewrite] Host header will be swapped with this value.
object
object
Exclusive with [no_port_match port_ranges] Exact Port to match.
Exclusive with [no_port_match port] Port range to match.
Origin Pools for this route
Required: YES.
This defines a combination of origin pool with weight and priority.
object
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name. Required: YES.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
Upstream origin pool may be configured to divide its origin servers into subsets based on metadata attached to the origin servers. Routes may then specify the metadata that an endpoint must match in order to be selected by the load balancer.
For origin servers which are discovered in K8s or Consul cluster, the label of the service is merged with endpoint’s labels. In case of Consul, the label is derived from the “Tag” field. For labels that are common between configured endpoint and discovered service, labels from discovered service take precedence.
List of key-value pairs that will be used as matching metadata. Only those origin servers of upstream origin pool which match this metadata will be selected for load balancing.
object
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name. Required: YES.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
Priority of this origin pool, valid only with multiple origin pools. Value of 0 will make the pool the lowest priority origin pool. Priority of 1 means highest priority and is considered active. When active origin pool is not available, lower priority origin pools are made active as per the increasing priority.
Weight of this origin pool, valid only with multiple origin pool. Value of 0 will disable the pool.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
object
Exclusive with [remove_all_params retain_all_params]
object
object
object
object
object
object
Sensitive Data Exposure Rules allows specifying rules to mask sensitive data fields in API responses.
Settings to mask sensitive data in request/response payload.
object
object
Methods to be matched.
Path to be matched. Required: YES.
object
List of JSON Path field values. Use square brackets with an underscore [_] to indicate array elements (e.g., person.emails[_]). To reference JSON keys that contain spaces, enclose the entire path in double quotes. For example: “person.first name”. Required: YES.
object
object
object
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name. Required: YES.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
object
object
object
object
object
object
object
Enter domains and their credentials to allow authenticated API crawling. You can only include domains you own that are associated with this Load Balancer.
Required: YES.
The DomainConfiguration message.
object
Select the domain to execute API Crawling with given credentials.
Required: YES.
object
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will GET the secret bytes after Base64 decoding. Required: YES.
Enter the username to assign credentials for the selected domain to crawl.
object
object
Required: YES.
object
object
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name. Required: YES.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
object
Code repository which contains API endpoints.
Required: YES.
object
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name. Required: YES.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
object
object
object
Inactive discovered API will be deleted after configured duration.
object
object
object
object
The amount of time the client has to send only the headers on the request stream before the stream is cancelled. The default value is 10000 milliseconds. This setting provides protection against Slowloris attacks.
Exclusive with [disable_request_timeout]
object
object
Define rules to skip processing of one or more features such as WAF, Bot Defense, etc. for clients.
Simple client source rule specifies the sources to be blocked or trusted (skip WAF)
object
Actions that should be taken when client identifier matches the rule.
Exclusive with [http_header ip_prefix ipv6_prefix user_identifier] RFC 6793 defined 4-byte AS number.
object
The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.
object
List of HTTP header name and value pairs
Required: YES.
Header match is done using the name of the header and its value. The value match is done using one of the following: regex match on value, exact match of value, or presence of header.
Header match can also be the inverse of the above, which can be used to check for a missing header or non-matching value.
object
Exclusive with [presence regex] Header value to match exactly.
Invert the result of the match to detect missing header or non-matching value.
Name of the header. Required: YES.
Exclusive with [exact regex] If true, check for presence of header.
Exclusive with [exact presence] Regex match of the header value in re2 format.
Exclusive with [as_number http_header ipv6_prefix user_identifier] IPv4 prefix string.
Exclusive with [as_number http_header ip_prefix user_identifier] IPv6 prefix string.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [as_number http_header ip_prefix ipv6_prefix] Identify user based on user identifier. User identifier value needs to be copied from security event.
object
object
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name. Required: YES.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
object
object
An ordered list of WAF Exclusions specific to this Load Balancer.
Simple WAF exclusion rule specifies a simple set of match conditions to be matched to skip a list of WAF detections.
object
object
object
object
Attack Types to be excluded for the defined match criteria.
App Firewall Attack Type context changes to be applied for this request.
object
Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. Wildcard matching can be used by prefixing or suffixing the context name with a wildcard asterisk (*).
Bot Names to be excluded for the defined match criteria.
Specifies bot to be excluded by its name.
object
Required: YES.
Signature IDs to be excluded for the defined match criteria.
App Firewall signature context changes to be applied for this request.
object
Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. Wildcard matching can be used by prefixing or suffixing the context name with a wildcard asterisk (*).
The allowed values for signature ID are 0 and in the range of 200000001-299999999. 0 implies that all signatures will be excluded for the specified context. Required: YES.
Violations to be excluded for the defined match criteria.
App Firewall violation context changes to be applied for this request.
object
Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. Wildcard matching can be used by prefixing or suffixing the context name with a wildcard asterisk (*).
Exclusive with [any_domain suffix_value] Exact domain name.
The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
Methods to be matched.
Exclusive with [any_path path_regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [any_path path_prefix] Define the regex for the path. For example, the regex ^/.*$ will match on all paths.
Exclusive with [any_domain exact_value] Suffix of domain name, e.g. “xyz.com” will match “*.xyz.com” and “xyz.com”.
object
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name. Required: YES.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
The set of labels present on this http_loadbalancer.
object
object
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects.
object
Human readable description for the object.
A value of true will administratively disable the object.
Map of string keys and values that can be used to organize and categorize (scope and select) objects as chosen by the user. Values specified here will be used by selector expression.
object
This is the name of configuration object. It has to be unique within the namespace. It can only be specified during create API and cannot be changed during replace API. The value of name has to follow DNS-1035 format. Required: YES.
This defines the workspace within which the configuration object is to be created. Must be in DNS_LABEL format. For a namespace object itself, namespace value will be "".
The name of this http_loadbalancer.
The namespace this item belongs to.
object
Kind of the view object.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
UID of the view object.
The status reported by different services for this configuration object.
Most recently observed status of object.
object
object
Error message (if any)
Name of the site that reported this status.
object
Cfg version.
CP version.
Error message.
Conditions represent the normalized status values for configuration object.
Conditions are used in the object status to describe the current state of the object, e.g. Ready, Succeeded, etc.
object
Hostname of the instance of the site that sent the status.
Last time the condition was updated.
A human readable string explaining the reason for reaching this condition.
Name of the service that sent the status.
Status of the condition. “Success”: Validation has succeeded. Requested operation was successful. “Failed”: Validation has failed. “Incomplete”: Validation of configuration has failed due to missing configuration. “Installed”: Validation has passed and configuration has been installed in data path or K8s. “Down”: Configuration is operationally down, e.g. down interface. “Disabled”: Configuration is administratively disabled, i.e. objectmetatype.disable = true. “NotApplicable”: Configuration is not applicable, e.g. tenant service_policy_set(s) in system namespace are not applicable on REs.
Type of the condition. “Validation” represents validation of the user-given configuration object. “Operational” represents operational status of a given configuration object.
object
Creation_timestamp is when the status object was created. It is used to find/tie-break for latest status object from same origin.
Class of creator which created this StatusObject. This will be service’s DNS FQDN. This will be set by the system based on client certificate information.
ID of creator which created this StatusObject. This will be a concrete identifier for service (e.g. Identifying the environment also). This will be set by the system based on client certificate information.
Status_id is a field used by the generator to distinguish (if necessary) between two status objects for the same config object from the same site and same service and potentially same daemon (creator-ID).
Uid is the unique in time and space value for a StatusObject.
Origin of this status exchanged by VTRP.
Indicate whether mars deems this object to be stale via graceful restart timer information.
HTTP loadbalancer view object direct reference.
This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference, which builds a group based on labels of selectee objects).
object
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then kind will hold the referred object’s kind (e.g. “route”).
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then uid will hold the referred object’s (e.g. Route’s) uid.
object
Description of error during DNS configuration.
Status of Existing Auto Certificate.
Suggested action for customer on error.
object
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
A value identifying the class of the user or service which created this configuration object.
A value identifying the exact user or service that created this configuration object.
DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.
Populated by the system when a graceful deletion is requested. Read-only.
Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed.
object
Pending is a list of initializers that must execute in order before this object is initialized. When the last pending initializer is removed, and no failing result is set, the initializers struct will be set to nil and the object is considered as initialized and visible to all clients.
Initializer is information about an initializer that has not yet completed.
object
Name of the service that is responsible for initializing this object.
object
Suggested HTTP return code for this status, 0 if not set.
A human-readable description of why this operation is in the “Failure” status. If this value is empty there is no information available.
Status of the operation. One of: “Success” or “Failure”.
Map of string keys and values that can be used to organize and categorize (scope and select) objects as chosen by the operator or software. Values here can be interpreted by software(backend or frontend) to enable certain behavior e.g. Things marked as soft-deleted(restorable).
object
ModificationTimestamp is a timestamp representing the server time when this object was last modified.
Unique index for the object. Some objects need a unique integer index to be allocated for each object type. This field will be populated for all objects that need it and will be zero otherwise.
object
Kind of the view object.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name.
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace.
UID of the view object.
Tenant to which this configuration object belongs. The value for this is found from presented credentials.
Uid is the unique in time and space value for this object. It is generated by the server on successful creation of an object and is not allowed to change on Replace API. The value of is taken from uid field of ObjectMetaType, if provided.
The tenant this item belongs to.
The unique uid of this http_loadbalancer.
Example
{ "errors": [ { "code": "EOK" } ], "items": [ { "get_spec": { "add_location": false, "advertise_custom": { "advertise_where": [ { "site": { "network": "SITE_NETWORK_INSIDE_AND_OUTSIDE" }, "virtual_site": { "network": "SITE_NETWORK_INSIDE_AND_OUTSIDE" }, "virtual_site_with_vip": { "network": "SITE_NETWORK_SPECIFIED_VIP_OUTSIDE" } } ] }, "api_protection_rules": { "api_endpoint_rules": [ { "api_endpoint_method": { "methods": [ "ANY" ] }, "client_matcher": { "ip_threat_category_list": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ] } }, "request_matcher": { "cookie_matchers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "headers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "jwt_claims": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "query_params": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ] } } ], "api_groups_rules": [ { "client_matcher": { "ip_threat_category_list": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ] } }, "request_matcher": { "cookie_matchers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "headers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "jwt_claims": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "query_params": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ] } } ] }, "api_rate_limit": { "api_endpoint_rules": [ { "api_endpoint_method": { "methods": [ "ANY" ] }, "client_matcher": { "ip_threat_category_list": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ] } }, "inline_rate_limiter": { "unit": "SECOND" }, "request_matcher": { "cookie_matchers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "headers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "jwt_claims": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "query_params": [ { "item": { "transformers": [ "LOWER_CASE"
] } } ] } } ], "bypass_rate_limiting_rules": { "bypass_rate_limiting_rules": [ { "api_endpoint": { "methods": [ "ANY" ] }, "client_matcher": { "ip_threat_category_list": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ] } }, "request_matcher": { "cookie_matchers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "headers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "jwt_claims": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "query_params": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ] } } ] }, "server_url_rules": [ { "client_matcher": { "ip_threat_category_list": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ] } }, "inline_rate_limiter": { "unit": "SECOND" }, "request_matcher": { "cookie_matchers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "headers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "jwt_claims": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "query_params": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ] } } ] }, "api_specification": { "validation_all_spec_endpoints": { "fall_through_mode": { "fall_through_mode_custom": { "open_api_validation_rules": [ { "api_endpoint": { "methods": [ "ANY" ] } } ] } }, "validation_mode": { "response_validation_mode_active": { "response_validation_properties": [ "PROPERTY_QUERY_PARAMETERS" ] }, "validation_mode_active": { "request_validation_properties": [ "PROPERTY_QUERY_PARAMETERS" ] } } }, "validation_custom_list": { "fall_through_mode": { "fall_through_mode_custom": { "open_api_validation_rules": [ { "api_endpoint": { "methods": [ "ANY" ] } } ] } }, "open_api_validation_rules": [ { "api_endpoint": { "methods": [ "ANY" ] }, "validation_mode": { "response_validation_mode_active": { "response_validation_properties": [ "PROPERTY_QUERY_PARAMETERS" ] }, "validation_mode_active": { "request_validation_properties": [
"PROPERTY_QUERY_PARAMETERS" ] } } } ] } }, "api_testing": { "domains": [ { "credentials": [ { "login_endpoint": { "method": "ANY" } } ] } ] }, "auto_cert_info": { "auto_cert_state": "AutoCertDisabled" }, "blocked_clients": [ { "actions": [ "SKIP_PROCESSING_WAF" ] } ], "bot_defense": { "policy": { "javascript_mode": "ASYNC_JS_NO_CACHING", "js_insert_all_pages": { "javascript_location": "AFTER_HEAD" }, "js_insert_all_pages_except": { "javascript_location": "AFTER_HEAD" }, "js_insertion_rules": { "rules": [ { "javascript_location": "AFTER_HEAD" } ] }, "mobile_sdk_config": { "mobile_identifier": { "headers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ] } }, "protected_app_endpoints": [ { "flow_label": { "authentication": { "login": { "transaction_result": { "failure_conditions": [ { "status": "EmptyStatusCode" } ], "success_conditions": [ { "status": "EmptyStatusCode" } ] } } } }, "headers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "http_methods": [ "METHOD_ANY" ], "mitigation": { "block": { "status": "EmptyStatusCode" } }, "protocol": "BOTH", "query_params": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "web_mobile": { "mobile_identifier": "HEADERS" } } ] }, "regional_endpoint": "AUTO" }, "bot_defense_advanced": { "js_insert_all_pages": { "javascript_location": "AFTER_HEAD" }, "js_insert_all_pages_except": { "javascript_location": "AFTER_HEAD" }, "js_insertion_rules": { "rules": [ { "javascript_location": "AFTER_HEAD" } ] }, "mobile_sdk_config": { "mobile_identifier": { "headers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ] } } }, "cert_state": "AutoCertDisabled", "ddos_mitigation_rules": [ { "ddos_client_source": { "country_list": [ "COUNTRY_NONE" ], "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ] } } } ], "default_pool": { "advanced_options": { "auto_http_config": {}, "circuit_breaker": { "priority": "DEFAULT" }, "connection_timeout": 0, "default_circuit_breaker": {}, "disable_outlier_detection": {},
"disable_subsets": {}, "http_idle_timeout": 0, "no_panic_threshold": {}, "no_request_limit_per_connection": {} }, "endpoint_selection": "DISTRIBUTED", "healthcheck": [], "loadbalancer_algorithm": "ROUND_ROBIN", "no_tls": {}, "origin_servers": [ { "k8s_service": { "protocol": "PROTOCOL_TCP" } } ], "same_as_endpoint_port": {}, "use_tls": { "default_session_key_caching": {}, "no_mtls": {}, "tls_config": { "custom_security": { "max_version": "TLS_AUTO", "min_version": "TLS_AUTO" } }, "use_host_header_as_sni": {}, "use_mtls": { "tls_certificates": [ { "custom_hash_algorithms": { "hash_algorithms": [ "INVALID_HASH_ALGORITHM" ] } } ] }, "volterra_trusted_ca": {} } }, "default_sensitive_data_policy": {}, "disable_api_definition": {}, "disable_api_discovery": {}, "disable_api_testing": {}, "disable_bot_defense": {}, "disable_ip_reputation": {}, "disable_malicious_user_detection": {}, "disable_malware_protection": {}, "disable_rate_limit": {}, "disable_threat_mesh": {}, "disable_trust_client_ip_headers": {}, "disable_waf": {}, "enable_ip_reputation": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "https": { "tls_cert_params": { "tls_config": { "custom_security": { "max_version": "TLS_AUTO", "min_version": "TLS_AUTO" } }, "use_mtls": { "xfcc_options": { "xfcc_header_elements": [ "XFCC_NONE" ] } } }, "tls_parameters": { "tls_certificates": [ { "custom_hash_algorithms": { "hash_algorithms": [ "INVALID_HASH_ALGORITHM" ] } } ], "tls_config": { "custom_security": { "max_version": "TLS_AUTO", "min_version": "TLS_AUTO" } }, "use_mtls": { "xfcc_options": { "xfcc_header_elements": [ "XFCC_NONE" ] } } } }, "https_auto_cert": { "add_hsts": false, "connection_idle_timeout": 0, "enable_path_normalize": {}, "http_redirect": false, "no_mtls": {}, "tls_config": { "custom_security": { "max_version": "TLS_AUTO", "min_version": "TLS_AUTO" } }, "use_mtls": { "xfcc_options": { "xfcc_header_elements": [ "XFCC_NONE" ] } } }, "internet_vip_info": [ { "site_network_type":
"SITE_NETWORK_INSIDE_AND_OUTSIDE" } ], "l7_ddos_protection": {}, "malware_protection_settings": { "malware_protection_rules": [ { "http_methods": [ "ANY" ] } ] }, "no_challenge": {}, "origin_server_subset_rule_list": { "origin_server_subset_rules": [ { "country_codes": [ "COUNTRY_NONE" ] } ] }, "policy_based_challenge": { "rule_list": { "rules": [ { "spec": { "arg_matchers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "body_matcher": { "transformers": [ "LOWER_CASE" ] }, "cookie_matchers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "headers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "http_method": { "methods": [ "ANY" ] }, "path": { "transformers": [ "LOWER_CASE" ] }, "query_params": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ] } } } ] } }, "rate_limit": { "no_ip_allowed_list": {}, "no_policies": {}, "rate_limiter": { "period_multiplier": 0, "unit": "SECOND" } }, "round_robin": {}, "routes": [ { "direct_response_route": { "http_method": "ANY" }, "redirect_route": { "http_method": "ANY" }, "simple_route": { "advanced_options": { "bot_defense_javascript_injection": { "javascript_location": "AFTER_HEAD", "javascript_tags": [ { "tag_attributes": [ { "javascript_tag": "JS_ATTR_ID" } ] } ] }, "mirror_policy": { "percent": { "denominator": "HUNDRED" } }, "priority": "DEFAULT" }, "http_method": "ANY" } } ], "sensitive_data_disclosure_rules": { "sensitive_data_types_in_response": [ { "api_endpoint": { "methods": [ "ANY" ] } } ] }, "service_policies_from_namespace": {}, "state": "VIRTUAL_HOST_READY", "trusted_clients": [ { "actions": [ "SKIP_PROCESSING_WAF" ] } ], "user_id_client_ip": {}, "waf_exclusion": { "waf_exclusion_inline_rules": { "rules": [ { "app_firewall_detection_control": { "exclude_attack_type_contexts": [ { "context": "CONTEXT_ANY", "exclude_attack_type": "ATTACK_TYPE_NONE" } ], "exclude_signature_contexts": [ { "context": "CONTEXT_ANY" } ],
"exclude_violation_contexts": [ { "context": "CONTEXT_ANY", "exclude_violation": "VIOL_NONE" } ] }, "methods": [ "ANY" ] } ] } } }, "status_set": [ { "cdn_site_status": { "status": "DEPLOYMENT_STATUS_NOT_DEPLOYED" }, "cdn_status": { "deployment_status": "CDN_LB_STATUS_CREATED" }, "metadata": { "publish": "STATUS_DO_NOT_PUBLISH" }, "virtual_host_status": { "renew_certificate_state": "AutoCertDisabled", "state": "VIRTUAL_HOST_READY" } } ] } ]}
Returned when operation is not authorized.
Returned when there is no permission to access resource.
Returned when resource is not found.
Returned when operation on resource is conflicting with current value.
Returned when operation has been rejected as it is happening too frequently.
Returned when server encountered an error in processing API.
Returned when service is unavailable temporarily.
Returned when server timed out processing request.
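A defender-side use of the List response, as an added example that is not part of the original page or the vendor's code: it walks `items[].get_spec` and reports load balancers whose protections are switched off, and refuses to call the audit complete when `errors` reports a partial listing. Assumptions: a present marker key such as `disable_waf` (even as `{}`) means that choice is selected, `EOK` means no error, and each item carries a `uid` field; the sample input is constructed.

```javascript
// Added example: audit a List http_loadbalancers response for disabled protections.
// Assumption: a present marker key (even `{}`) means that choice is selected.
const DISABLE_MARKERS = [
  'disable_waf', 'disable_bot_defense', 'disable_rate_limit',
  'disable_ip_reputation', 'disable_malicious_user_detection',
  'disable_malware_protection', 'disable_api_discovery', 'disable_threat_mesh',
];

function auditLoadBalancers(listResponse) {
  // A partial listing must not pass as a clean audit.
  // Assumption: "EOK" (the code in the page's sample) means "no error".
  const listErrors = (listResponse.errors ?? [])
    .map((e) => e.code)
    .filter((code) => code !== 'EOK');

  const findings = [];
  for (const item of listResponse.items ?? []) {
    const spec = item.get_spec ?? {};
    const issues = DISABLE_MARKERS.filter((key) => key in spec);
    const auto = spec.https_auto_cert;
    if (auto) {
      if (auto.add_hsts === false) issues.push('https_auto_cert.add_hsts=false');
      if (auto.http_redirect === false) issues.push('https_auto_cert.http_redirect=false');
    }
    // Assumption: `no_tls` on the origin pool means origin traffic is not encrypted.
    if (spec.default_pool && 'no_tls' in spec.default_pool) issues.push('default_pool.no_tls');
    // Assumption: each item carries its identifier in a `uid` field.
    if (issues.length > 0) findings.push({ uid: item.uid, issues });
  }
  return { complete: listErrors.length === 0, listErrors, findings };
}

// Constructed sample input (not real tenant data).
const sampleResponse = {
  errors: [{ code: 'EOK' }],
  items: [
    { uid: 'constructed-uid-1',
      get_spec: { disable_waf: {}, disable_rate_limit: {},
        https_auto_cert: { add_hsts: false, http_redirect: true },
        default_pool: { no_tls: {} } } },
    { uid: 'constructed-uid-2',
      get_spec: { https_auto_cert: { add_hsts: true, http_redirect: true },
        default_pool: { use_tls: {} } } },
  ],
};

console.log(JSON.stringify(auditLoadBalancers(sampleResponse), null, 2));
```

Treat `complete: false` as a failed audit run rather than a clean one, since load balancers missing from a partial listing are never inspected.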