
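Replace HTTP Load Balancer.

The sample request body below lists every field of the schema with placeholder values, including alternatives that appear to be mutually exclusive (for example `allow` and `deny` in the same `action`, or `default_security` next to `low_security`). Treat it as a field reference, not a configuration to send as-is: keep only the options you intend to set. Judging by their names, entries such as `disable_waf`, `skip_server_verification`, `low_security` and `clear_secret_info` select the less protective alternative, so review them in particular before reusing any part of the sample.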

PUT
/api/config/namespaces/{metadata.namespace}/http_loadbalancers/{metadata.name}
curl --request PUT \
--url https://example-corp.console.ves.volterra.io/api/v1/api/production/us-east-1/namespaces/default/api/config/namespaces/example/http_loadbalancers/example \
--header 'Authorization: <Authorization>' \
--header 'Content-Type: application/json' \
--data '{ "metadata": { "annotations": {}, "description": "example", "disable": true, "labels": {}, "name": "example", "namespace": "example" }, "spec": { "active_service_policies": { "policies": [ { "name": "example", "namespace": "example" } ] }, "add_location": false, "advertise_custom": { "advertise_where": [ { "advertise_on_public": { "public_ip": { "name": "example", "namespace": "example" } }, "port": 1, "port_ranges": "example", "site": { "ip": "example", "network": "SITE_NETWORK_INSIDE_AND_OUTSIDE", "site": { "name": "example", "namespace": "example" } }, "use_default_port": {}, "virtual_network": { "default_v6_vip": {}, "default_vip": {}, "specific_v6_vip": "example", "specific_vip": "example", "virtual_network": { "name": "example", "namespace": "example" } }, "virtual_site": { "network": "SITE_NETWORK_INSIDE_AND_OUTSIDE", "virtual_site": { "name": "example", "namespace": "example" } }, "virtual_site_with_vip": { "ip": "example", "network": "SITE_NETWORK_SPECIFIED_VIP_OUTSIDE", "virtual_site": { "name": "example", "namespace": "example" } }, "vk8s_service": { "site": { "name": "example", "namespace": "example" }, "virtual_site": { "name": "example", "namespace": "example" } } } ] }, "advertise_on_public": { "public_ip": { "name": "example", "namespace": "example" } }, "advertise_on_public_default_vip": {}, "api_protection_rules": { "api_endpoint_rules": [ { "action": { "allow": {}, "deny": {} }, "any_domain": {}, "api_endpoint_method": { "invert_matcher": true, "methods": [ "ANY" ] }, "api_endpoint_path": "example", "client_matcher": { "any_client": {}, "any_ip": {}, "asn_list": { "as_numbers": [ 1 ] }, "asn_matcher": { "asn_sets": [ { "name": "example", "namespace": "example" } ] }, "client_selector": { "expressions": [ "example" ] }, "ip_matcher": { "invert_matcher": true, "prefix_sets": [ { "name": "example", "namespace": "example" } ] }, "ip_prefix_list": { "invert_match": true, "ip_prefixes": [ "example" ] }, "ip_threat_category_list": { 
"ip_threat_categories": [ "SPAM_SOURCES" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ], "exact_values": [ "example" ], "excluded_values": [ "example" ] } }, "metadata": { "description": "example", "name": "example" }, "request_matcher": { "cookie_matchers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "headers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "jwt_claims": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "query_params": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "key": "example" } ] }, "specific_domain": "example" } ], "api_groups_rules": [ { "action": { "allow": {}, "deny": {} }, "any_domain": {}, "api_group": "example", "base_path": "example", "client_matcher": { "any_client": {}, "any_ip": {}, "asn_list": { "as_numbers": [ 1 ] }, "asn_matcher": { "asn_sets": [ { "name": "example", "namespace": "example" } ] }, "client_selector": { "expressions": [ "example" ] }, "ip_matcher": { "invert_matcher": true, "prefix_sets": [ { "name": "example", "namespace": "example" } ] }, "ip_prefix_list": { "invert_match": true, "ip_prefixes": [ "example" ] }, "ip_threat_category_list": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ], "exact_values": [ "example" ], "excluded_values": [ "example" ] } }, "metadata": { "description": "example", "name": "example" }, 
"request_matcher": { "cookie_matchers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "headers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "jwt_claims": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "query_params": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "key": "example" } ] }, "specific_domain": "example" } ] }, "api_rate_limit": { "api_endpoint_rules": [ { "any_domain": {}, "api_endpoint_method": { "invert_matcher": true, "methods": [ "ANY" ] }, "api_endpoint_path": "example", "client_matcher": { "any_client": {}, "any_ip": {}, "asn_list": { "as_numbers": [ 1 ] }, "asn_matcher": { "asn_sets": [ { "name": "example", "namespace": "example" } ] }, "client_selector": { "expressions": [ "example" ] }, "ip_matcher": { "invert_matcher": true, "prefix_sets": [ { "name": "example", "namespace": "example" } ] }, "ip_prefix_list": { "invert_match": true, "ip_prefixes": [ "example" ] }, "ip_threat_category_list": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ], "exact_values": [ "example" ], "excluded_values": [ "example" ] } }, "inline_rate_limiter": { "ref_user_id": { "name": "example", "namespace": "example" }, "threshold": 1, "unit": "SECOND", "use_http_lb_user_id": {} }, "ref_rate_limiter": { "name": "example", "namespace": "example" }, "request_matcher": { "cookie_matchers": [ { 
"check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "headers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "jwt_claims": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "query_params": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "key": "example" } ] }, "specific_domain": "example" } ], "bypass_rate_limiting_rules": { "bypass_rate_limiting_rules": [ { "any_domain": {}, "any_url": {}, "api_endpoint": { "methods": [ "ANY" ], "path": "example" }, "api_groups": { "api_groups": [ "example" ] }, "base_path": "example", "client_matcher": { "any_client": {}, "any_ip": {}, "asn_list": { "as_numbers": [ 1 ] }, "asn_matcher": { "asn_sets": [ { "name": "example", "namespace": "example" } ] }, "client_selector": { "expressions": [ "example" ] }, "ip_matcher": { "invert_matcher": true, "prefix_sets": [ { "name": "example", "namespace": "example" } ] }, "ip_prefix_list": { "invert_match": true, "ip_prefixes": [ "example" ] }, "ip_threat_category_list": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ], "exact_values": [ "example" ], "excluded_values": [ "example" ] } }, "request_matcher": { "cookie_matchers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "headers": [ 
{ "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "jwt_claims": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "query_params": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "key": "example" } ] }, "specific_domain": "example" } ] }, "custom_ip_allowed_list": { "rate_limiter_allowed_prefixes": [ { "name": "example", "namespace": "example" } ] }, "ip_allowed_list": { "prefixes": [ "example" ] }, "no_ip_allowed_list": {}, "server_url_rules": [ { "any_domain": {}, "api_group": "example", "base_path": "example", "client_matcher": { "any_client": {}, "any_ip": {}, "asn_list": { "as_numbers": [ 1 ] }, "asn_matcher": { "asn_sets": [ { "name": "example", "namespace": "example" } ] }, "client_selector": { "expressions": [ "example" ] }, "ip_matcher": { "invert_matcher": true, "prefix_sets": [ { "name": "example", "namespace": "example" } ] }, "ip_prefix_list": { "invert_match": true, "ip_prefixes": [ "example" ] }, "ip_threat_category_list": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ], "exact_values": [ "example" ], "excluded_values": [ "example" ] } }, "inline_rate_limiter": { "ref_user_id": { "name": "example", "namespace": "example" }, "threshold": 1, "unit": "SECOND", "use_http_lb_user_id": {} }, "ref_rate_limiter": { "name": "example", "namespace": "example" }, "request_matcher": { "cookie_matchers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ 
"LOWER_CASE" ] }, "name": "example" } ], "headers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "jwt_claims": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "query_params": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "key": "example" } ] }, "specific_domain": "example" } ] }, "api_specification": { "api_definition": { "name": "example", "namespace": "example" }, "validation_all_spec_endpoints": { "fall_through_mode": { "fall_through_mode_allow": {}, "fall_through_mode_custom": { "open_api_validation_rules": [ { "action_block": {}, "action_report": {}, "action_skip": {}, "api_endpoint": { "methods": [ "ANY" ], "path": "example" }, "api_group": "example", "base_path": "example", "metadata": { "description": "example", "name": "example" } } ] } }, "settings": { "oversized_body_fail_validation": {}, "oversized_body_skip_validation": {}, "property_validation_settings_custom": { "queryParameters": { "allow_additional_parameters": {}, "disallow_additional_parameters": {} } }, "property_validation_settings_default": {} }, "validation_mode": { "response_validation_mode_active": { "enforcement_block": {}, "enforcement_report": {}, "response_validation_properties": [ "PROPERTY_QUERY_PARAMETERS" ] }, "skip_response_validation": {}, "skip_validation": {}, "validation_mode_active": { "enforcement_block": {}, "enforcement_report": {}, "request_validation_properties": [ "PROPERTY_QUERY_PARAMETERS" ] } } }, "validation_custom_list": { "fall_through_mode": { "fall_through_mode_allow": {}, "fall_through_mode_custom": { 
"open_api_validation_rules": [ { "action_block": {}, "action_report": {}, "action_skip": {}, "api_endpoint": { "methods": [ "ANY" ], "path": "example" }, "api_group": "example", "base_path": "example", "metadata": { "description": "example", "name": "example" } } ] } }, "open_api_validation_rules": [ { "any_domain": {}, "api_endpoint": { "methods": [ "ANY" ], "path": "example" }, "api_group": "example", "base_path": "example", "metadata": { "description": "example", "name": "example" }, "specific_domain": "example", "validation_mode": { "response_validation_mode_active": { "enforcement_block": {}, "enforcement_report": {}, "response_validation_properties": [ "PROPERTY_QUERY_PARAMETERS" ] }, "skip_response_validation": {}, "skip_validation": {}, "validation_mode_active": { "enforcement_block": {}, "enforcement_report": {}, "request_validation_properties": [ "PROPERTY_QUERY_PARAMETERS" ] } } } ], "settings": { "oversized_body_fail_validation": {}, "oversized_body_skip_validation": {}, "property_validation_settings_custom": { "queryParameters": { "allow_additional_parameters": {}, "disallow_additional_parameters": {} } }, "property_validation_settings_default": {} } }, "validation_disabled": {} }, "api_testing": { "custom_header_value": "example", "domains": [ { "allow_destructive_methods": true, "credentials": [ { "admin": {}, "api_key": { "key": "example", "value": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } } }, "basic_auth": { "password": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "user": "example" }, "bearer_token": { "token": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { 
"provider": "example", "url": "https://example.com" } } }, "credential_name": "example", "login_endpoint": { "json_payload": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "method": "ANY", "path": "example", "token_response_key": "example" }, "standard": {} } ], "domain": "example" } ], "every_day": {}, "every_month": {}, "every_week": {} }, "app_firewall": { "name": "example", "namespace": "example" }, "blocked_clients": [ { "actions": [ "SKIP_PROCESSING_WAF" ], "as_number": 1, "bot_skip_processing": {}, "expiration_timestamp": "2026-04-15T12:00:00Z", "http_header": { "headers": [ { "exact": "example", "invert_match": true, "name": "example", "presence": true, "regex": "example" } ] }, "ip_prefix": "example", "ipv6_prefix": "example", "metadata": { "description": "example", "name": "example" }, "skip_processing": {}, "user_identifier": "example", "waf_skip_processing": {} } ], "bot_defense": { "disable_cors_support": {}, "enable_cors_support": {}, "policy": { "disable_js_insert": {}, "disable_mobile_sdk": {}, "javascript_mode": "ASYNC_JS_NO_CACHING", "js_download_path": "example", "js_insert_all_pages": { "javascript_location": "AFTER_HEAD" }, "js_insert_all_pages_except": { "exclude_list": [ { "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" } } ], "javascript_location": "AFTER_HEAD" }, "js_insertion_rules": { "exclude_list": [ { "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" } } ], "rules": [ { "any_domain": {}, "domain": { 
"exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "javascript_location": "AFTER_HEAD", "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" } } ] }, "mobile_sdk_config": { "mobile_identifier": { "headers": [ { "check_not_present": {}, "check_present": {}, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ] } }, "protected_app_endpoints": [ { "allow_good_bots": {}, "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "flow_label": { "account_management": { "create": {}, "password_reset": {} }, "authentication": { "login": { "disable_transaction_result": {}, "transaction_result": { "failure_conditions": [ { "name": "example", "regex_values": [ "example" ], "status": "EmptyStatusCode" } ], "success_conditions": [ { "name": "example", "regex_values": [ "example" ], "status": "EmptyStatusCode" } ] } }, "login_mfa": {}, "login_partner": {}, "logout": {}, "token_refresh": {} }, "financial_services": { "apply": {}, "money_transfer": {} }, "flight": { "checkin": {} }, "profile_management": { "create": {}, "update": {}, "view": {} }, "search": { "flight_search": {}, "product_search": {}, "reservation_search": {}, "room_search": {} }, "shopping_gift_cards": { "gift_card_make_purchase_with_gift_card": {}, "gift_card_validation": {}, "shop_add_to_cart": {}, "shop_checkout": {}, "shop_choose_seat": {}, "shop_enter_drawing_submission": {}, "shop_make_payment": {}, "shop_order": {}, "shop_price_inquiry": {}, "shop_promo_code_validation": {}, "shop_purchase_gift_card": {}, "shop_update_quantity": {} } }, "headers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "http_methods": [ 
"METHOD_ANY" ], "metadata": { "description": "example", "name": "example" }, "mitigate_good_bots": {}, "mitigation": { "block": { "body": "example", "status": "EmptyStatusCode", "body_hash": "example" }, "flag": { "append_headers": { "auto_type_header_name": "example", "inference_header_name": "example" }, "no_headers": {} }, "redirect": { "uri": "example" }, "none": {} }, "mobile": {}, "path": { "path": "example", "prefix": "example", "regex": "example" }, "protocol": "BOTH", "query_params": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "key": "example" } ], "undefined_flow_label": {}, "web": {}, "web_mobile": { "mobile_identifier": "HEADERS" } } ] }, "regional_endpoint": "AUTO", "timeout": 1 }, "bot_defense_advanced": { "disable_js_insert": {}, "disable_mobile_sdk": {}, "js_insert_all_pages": { "javascript_location": "AFTER_HEAD" }, "js_insert_all_pages_except": { "exclude_list": [ { "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" } } ], "javascript_location": "AFTER_HEAD" }, "js_insertion_rules": { "exclude_list": [ { "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" } } ], "rules": [ { "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "javascript_location": "AFTER_HEAD", "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" } } ] }, "mobile": { "name": "example", "namespace": "example" }, "mobile_sdk_config": { 
"mobile_identifier": { "headers": [ { "check_not_present": {}, "check_present": {}, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ] } }, "web": { "name": "example", "namespace": "example" } }, "caching_policy": { "custom_cache_rule": { "cdn_cache_rules": [ { "name": "example", "namespace": "example" } ] }, "default_cache_action": { "cache_disabled": {}, "cache_ttl_default": "example", "cache_ttl_override": "example" } }, "captcha_challenge": { "cookie_expiry": 1, "custom_page": "example" }, "client_side_defense": { "policy": { "disable_js_insert": {}, "js_insert_all_pages": {}, "js_insert_all_pages_except": { "exclude_list": [ { "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" } } ] }, "js_insertion_rules": { "exclude_list": [ { "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" } } ], "rules": [ { "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" } } ] } } }, "cookie_stickiness": { "add_httponly": {}, "add_secure": {}, "ignore_httponly": {}, "ignore_samesite": {}, "ignore_secure": {}, "name": "example", "path": "example", "samesite_lax": {}, "samesite_none": {}, "samesite_strict": {}, "ttl": 1 }, "cors_policy": { "allow_credentials": true, "allow_headers": "example", "allow_methods": "example", "allow_origin": [ "example" ], "allow_origin_regex": [ "example" ], "disabled": true, "expose_headers": "example", "maximum_age": 
1 }, "csrf_policy": { "all_load_balancer_domains": {}, "custom_domain_list": { "domains": [ "example" ] }, "disabled": {} }, "data_guard_rules": [ { "any_domain": {}, "apply_data_guard": {}, "exact_value": "example", "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" }, "skip_data_guard": {}, "suffix_value": "example" } ], "ddos_mitigation_rules": [ { "block": {}, "ddos_client_source": { "asn_list": { "as_numbers": [ 1 ] }, "country_list": [ "COUNTRY_NONE" ], "ja4_tls_fingerprint_matcher": { "exact_values": [ "example" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ], "exact_values": [ "example" ], "excluded_values": [ "example" ] } }, "expiration_timestamp": "2026-04-15T12:00:00Z", "ip_prefix_list": { "invert_match": true, "ip_prefixes": [ "example" ] }, "metadata": { "description": "example", "name": "example" } } ], "default_pool": { "advanced_options": { "auto_http_config": {}, "circuit_breaker": { "connection_limit": 1, "max_requests": 1, "pending_requests": 1, "priority": "DEFAULT", "retries": 1 }, "connection_timeout": 0, "default_circuit_breaker": {}, "disable_circuit_breaker": {}, "disable_lb_source_ip_persistance": {}, "disable_outlier_detection": {}, "disable_proxy_protocol": {}, "disable_subsets": {}, "enable_lb_source_ip_persistance": {}, "enable_subsets": { "any_endpoint": {}, "default_subset": { "default_subset": {} }, "endpoint_subsets": [ { "keys": [ "example" ] } ], "fail_request": {} }, "http1_config": { "header_transformation": { "default_header_transformation": {}, "legacy_header_transformation": {}, "preserve_case_header_transformation": {}, "proper_case_header_transformation": {} } }, "http2_options": { "enabled": true }, "http_idle_timeout": 0, "no_panic_threshold": {}, "outlier_detection": { "base_ejection_time": 1, "consecutive_5xx": 1, "consecutive_gateway_failure": 1, "interval": 1, "max_ejection_percent": 1 }, "panic_threshold": 1, 
"proxy_protocol_v1": {}, "proxy_protocol_v2": {}, "max_requests_per_connection": 1, "no_request_limit_per_connection": {} }, "automatic_port": {}, "endpoint_selection": "DISTRIBUTED", "health_check_port": 1, "healthcheck": [], "lb_port": {}, "loadbalancer_algorithm": "ROUND_ROBIN", "no_tls": {}, "origin_servers": [ { "cbip_service": { "service_name": "example" }, "consul_service": { "inside_network": {}, "outside_network": {}, "service_name": "example", "site_locator": { "site": { "name": "example", "namespace": "example" }, "virtual_site": { "name": "example", "namespace": "example" } }, "snat_pool": { "no_snat_pool": {}, "snat_pool": { "prefixes": [ "example" ] } } }, "custom_endpoint_object": { "endpoint": { "name": "example", "namespace": "example" } }, "k8s_service": { "inside_network": {}, "outside_network": {}, "protocol": "PROTOCOL_TCP", "service_name": "example", "site_locator": { "site": { "name": "example", "namespace": "example" }, "virtual_site": { "name": "example", "namespace": "example" } }, "snat_pool": { "no_snat_pool": {}, "snat_pool": { "prefixes": [ "example" ] } }, "vk8s_networks": {} }, "labels": {}, "private_ip": { "inside_network": {}, "ip": "example", "outside_network": {}, "segment": { "name": "example", "namespace": "example" }, "site_locator": { "site": { "name": "example", "namespace": "example" }, "virtual_site": { "name": "example", "namespace": "example" } }, "snat_pool": { "no_snat_pool": {}, "snat_pool": { "prefixes": [ "example" ] } } }, "private_name": { "dns_name": "example", "inside_network": {}, "outside_network": {}, "refresh_interval": 1, "segment": { "name": "example", "namespace": "example" }, "site_locator": { "site": { "name": "example", "namespace": "example" }, "virtual_site": { "name": "example", "namespace": "example" } }, "snat_pool": { "no_snat_pool": {}, "snat_pool": { "prefixes": [ "example" ] } } }, "public_ip": { "ip": "example" }, "public_name": { "dns_name": "example", "refresh_interval": 1 }, 
"vn_private_ip": { "ip": "example", "virtual_network": { "name": "example", "namespace": "example" } }, "vn_private_name": { "dns_name": "example", "private_network": { "name": "example", "namespace": "example" } } } ], "port": 1, "same_as_endpoint_port": {}, "upstream_conn_pool_reuse_type": { "disable_conn_pool_reuse": {}, "enable_conn_pool_reuse": {} }, "use_tls": { "default_session_key_caching": {}, "disable_session_key_caching": {}, "disable_sni": {}, "max_session_keys": 1, "no_mtls": {}, "skip_server_verification": {}, "sni": "example", "tls_config": { "custom_security": { "cipher_suites": [ "example" ], "max_version": "TLS_AUTO", "min_version": "TLS_AUTO" }, "default_security": {}, "low_security": {}, "medium_security": {} }, "use_host_header_as_sni": {}, "use_mtls": { "tls_certificates": [ { "certificate_url": "example", "custom_hash_algorithms": { "hash_algorithms": [ "INVALID_HASH_ALGORITHM" ] }, "description": "example", "disable_ocsp_stapling": {}, "private_key": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "use_system_defaults": {} } ] }, "use_mtls_obj": { "name": "example", "namespace": "example" }, "use_server_verification": { "trusted_ca": { "name": "example", "namespace": "example" }, "trusted_ca_url": "example" }, "volterra_trusted_ca": {} }, "view_internal": { "name": "example", "namespace": "example" } }, "default_pool_list": { "pools": [ { "cluster": { "name": "example", "namespace": "example" }, "endpoint_subsets": {}, "pool": { "name": "example", "namespace": "example" }, "priority": 1, "weight": 1 } ] }, "default_route_pools": [ { "cluster": { "name": "example", "namespace": "example" }, "endpoint_subsets": {}, "pool": { "name": "example", "namespace": "example" }, "priority": 1, "weight": 1 } ], "default_sensitive_data_policy": {}, "disable_api_definition": {}, "disable_api_discovery": {}, 
"disable_api_testing": {}, "disable_bot_defense": {}, "disable_caching": {}, "disable_client_side_defense": {}, "disable_ip_reputation": {}, "disable_malicious_user_detection": {}, "disable_malware_protection": {}, "disable_rate_limit": {}, "disable_threat_mesh": {}, "disable_trust_client_ip_headers": {}, "disable_waf": {}, "do_not_advertise": {}, "domains": [ "example" ], "enable_api_discovery": { "api_crawler": { "api_crawler_config": { "domains": [ { "domain": "example", "simple_login": { "password": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "user": "example" } } ] }, "disable_api_crawler": {} }, "api_discovery_from_code_scan": { "code_base_integrations": [ { "all_repos": {}, "code_base_integration": { "name": "example", "namespace": "example" }, "selected_repos": { "api_code_repo": [ "example" ] } } ] }, "custom_api_auth_discovery": { "api_discovery_ref": { "name": "example", "namespace": "example" } }, "default_api_auth_discovery": {}, "disable_learn_from_redirect_traffic": {}, "discovered_api_settings": { "purge_duration_for_inactive_discovered_apis": 1 }, "enable_learn_from_redirect_traffic": {} }, "enable_challenge": { "captcha_challenge_parameters": { "cookie_expiry": 1, "custom_page": "example" }, "default_captcha_challenge_parameters": {}, "default_js_challenge_parameters": {}, "default_mitigation_settings": {}, "js_challenge_parameters": { "cookie_expiry": 1, "custom_page": "example", "js_script_delay": 1 }, "malicious_user_mitigation": { "name": "example", "namespace": "example" } }, "enable_ip_reputation": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "enable_malicious_user_detection": {}, "enable_threat_mesh": {}, "enable_trust_client_ip_headers": { "client_ip_headers": [ "example" ] }, "graphql_rules": [ { "any_domain": {}, "exact_path": "example", "exact_value": "example", "graphql_settings": { 
"disable_introspection": {}, "enable_introspection": {}, "max_batched_queries": 1, "max_depth": 1, "max_total_length": 1, "max_value_length": 1, "policy_name": "example" }, "metadata": { "description": "example", "name": "example" }, "method_get": {}, "method_post": {}, "suffix_value": "example" } ], "http": { "dns_volterra_managed": true, "port": 1, "port_ranges": "example" }, "https": { "add_hsts": true, "append_server_name": "example", "coalescing_options": { "default_coalescing": {}, "strict_coalescing": {} }, "connection_idle_timeout": 1, "default_header": {}, "default_loadbalancer": {}, "disable_path_normalize": {}, "enable_path_normalize": {}, "http_protocol_options": { "http_protocol_enable_v1_only": { "header_transformation": { "default_header_transformation": {}, "legacy_header_transformation": {}, "preserve_case_header_transformation": {}, "proper_case_header_transformation": {} } }, "http_protocol_enable_v1_v2": {}, "http_protocol_enable_v2_only": {} }, "http_redirect": true, "non_default_loadbalancer": {}, "pass_through": {}, "port": 1, "port_ranges": "example", "server_name": "example", "tls_cert_params": { "certificates": [ { "name": "example", "namespace": "example" } ], "no_mtls": {}, "tls_config": { "custom_security": { "cipher_suites": [ "example" ], "max_version": "TLS_AUTO", "min_version": "TLS_AUTO" }, "default_security": {}, "low_security": {}, "medium_security": {} }, "use_mtls": { "client_certificate_optional": true, "crl": { "name": "example", "namespace": "example" }, "no_crl": {}, "trusted_ca": { "name": "example", "namespace": "example" }, "trusted_ca_url": "example", "xfcc_disabled": {}, "xfcc_options": { "xfcc_header_elements": [ "XFCC_NONE" ] } } }, "tls_parameters": { "no_mtls": {}, "tls_certificates": [ { "certificate_url": "example", "custom_hash_algorithms": { "hash_algorithms": [ "INVALID_HASH_ALGORITHM" ] }, "description": "example", "disable_ocsp_stapling": {}, "private_key": { "blindfold_secret_info": { "decryption_provider": 
"example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "use_system_defaults": {} } ], "tls_config": { "custom_security": { "cipher_suites": [ "example" ], "max_version": "TLS_AUTO", "min_version": "TLS_AUTO" }, "default_security": {}, "low_security": {}, "medium_security": {} }, "use_mtls": { "client_certificate_optional": true, "crl": { "name": "example", "namespace": "example" }, "no_crl": {}, "trusted_ca": { "name": "example", "namespace": "example" }, "trusted_ca_url": "example", "xfcc_disabled": {}, "xfcc_options": { "xfcc_header_elements": [ "XFCC_NONE" ] } } } }, "https_auto_cert": { "add_hsts": false, "append_server_name": "example", "coalescing_options": { "default_coalescing": {}, "strict_coalescing": {} }, "connection_idle_timeout": 0, "default_header": {}, "default_loadbalancer": {}, "disable_path_normalize": {}, "enable_path_normalize": {}, "http_protocol_options": { "http_protocol_enable_v1_only": { "header_transformation": { "default_header_transformation": {}, "legacy_header_transformation": {}, "preserve_case_header_transformation": {}, "proper_case_header_transformation": {} } }, "http_protocol_enable_v1_v2": {}, "http_protocol_enable_v2_only": {} }, "http_redirect": false, "no_mtls": {}, "non_default_loadbalancer": {}, "pass_through": {}, "port": 1, "port_ranges": "example", "server_name": "example", "tls_config": { "custom_security": { "cipher_suites": [ "example" ], "max_version": "TLS_AUTO", "min_version": "TLS_AUTO" }, "default_security": {}, "low_security": {}, "medium_security": {} }, "use_mtls": { "client_certificate_optional": true, "crl": { "name": "example", "namespace": "example" }, "no_crl": {}, "trusted_ca": { "name": "example", "namespace": "example" }, "trusted_ca_url": "example", "xfcc_disabled": {}, "xfcc_options": { "xfcc_header_elements": [ "XFCC_NONE" ] } } }, "js_challenge": { "cookie_expiry": 1, "custom_page": "example", 
"js_script_delay": 1 }, "jwt_validation": { "action": { "block": {}, "report": {} }, "jwks_config": { "cleartext": "example" }, "mandatory_claims": { "claim_names": [ "example" ] }, "reserved_claims": { "audience": { "audiences": [ "example" ] }, "audience_disable": {}, "issuer": "example", "issuer_disable": {}, "validate_period_disable": {}, "validate_period_enable": {} }, "target": { "all_endpoint": {}, "api_groups": { "api_groups": [ "example" ] }, "base_paths": { "base_paths": [ "example" ] } }, "token_location": { "bearer_token": {} }, "authorization_server": { "authorization_servers": [ { "name": "example", "namespace": "example" } ] } }, "l7_ddos_action_block": {}, "l7_ddos_action_default": {}, "l7_ddos_action_js_challenge": { "cookie_expiry": 1, "custom_page": "example", "js_script_delay": 1 }, "l7_ddos_protection": {}, "least_active": {}, "malware_protection_settings": { "malware_protection_rules": [ { "action": { "block": {}, "report": {} }, "domain": { "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" } }, "http_methods": [ "ANY" ], "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" } } ] }, "more_option": { "buffer_policy": { "disabled": true, "max_request_bytes": 1 }, "compression_params": { "content_length": 1, "content_type": [ "example" ], "disable_on_etag_header": true, "remove_accept_encoding_header": true }, "custom_errors": {}, "disable_default_error_pages": true, "disable_path_normalize": {}, "enable_path_normalize": {}, "idle_timeout": 1, "max_request_header_size": 1, "request_cookies_to_add": [ { "name": "example", "overwrite": true, "secret_value": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "value": "example" } ], "request_cookies_to_remove": [ "example" 
], "request_headers_to_add": [ { "append": true, "name": "example", "secret_value": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "value": "example" } ], "request_headers_to_remove": [ "example" ], "response_cookies_to_add": [ { "add_domain": "example", "add_expiry": "example", "add_httponly": {}, "add_partitioned": {}, "add_path": "example", "add_secure": {}, "ignore_domain": {}, "ignore_expiry": {}, "ignore_httponly": {}, "ignore_max_age": {}, "ignore_partitioned": {}, "ignore_path": {}, "ignore_samesite": {}, "ignore_secure": {}, "ignore_value": {}, "max_age_value": 1, "name": "example", "overwrite": true, "samesite_lax": {}, "samesite_none": {}, "samesite_strict": {}, "secret_value": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "value": "example" } ], "response_cookies_to_remove": [ "example" ], "response_headers_to_add": [ { "append": true, "name": "example", "secret_value": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "value": "example" } ], "response_headers_to_remove": [ "example" ], "max_requests_per_connection": 1, "no_request_limit_per_connection": {} }, "multi_lb_app": {}, "no_challenge": {}, "no_service_policies": {}, "origin_server_subset_rule_list": { "origin_server_subset_rules": [ { "any_asn": {}, "any_ip": {}, "asn_list": { "as_numbers": [ 1 ] }, "asn_matcher": { "asn_sets": [ { "name": "example", "namespace": "example" } ] }, "client_selector": { "expressions": [ "example" ] }, "country_codes": [ "COUNTRY_NONE" ], "ip_matcher": { "invert_matcher": true, "prefix_sets": [ { "name": "example", 
"namespace": "example" } ] }, "ip_prefix_list": { "invert_match": true, "ip_prefixes": [ "example" ] }, "metadata": { "description": "example", "name": "example" }, "none": {}, "origin_server_subsets_action": {}, "re_name_list": [ "example" ] } ] }, "policy_based_challenge": { "always_enable_captcha_challenge": {}, "always_enable_js_challenge": {}, "captcha_challenge_parameters": { "cookie_expiry": 1, "custom_page": "example" }, "default_captcha_challenge_parameters": {}, "default_js_challenge_parameters": {}, "default_mitigation_settings": {}, "default_temporary_blocking_parameters": {}, "js_challenge_parameters": { "cookie_expiry": 1, "custom_page": "example", "js_script_delay": 1 }, "malicious_user_mitigation": { "name": "example", "namespace": "example" }, "no_challenge": {}, "rule_list": { "rules": [ { "metadata": { "description": "example", "name": "example" }, "spec": { "any_asn": {}, "any_client": {}, "any_ip": {}, "arg_matchers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "asn_list": { "as_numbers": [ 1 ] }, "asn_matcher": { "asn_sets": [ { "name": "example", "namespace": "example" } ] }, "body_matcher": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "client_selector": { "expressions": [ "example" ] }, "cookie_matchers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "disable_challenge": {}, "domain_matcher": { "exact_values": [ "example" ], "regex_values": [ "example" ] }, "enable_captcha_challenge": {}, "enable_javascript_challenge": {}, "expiration_timestamp": "2026-04-15T12:00:00Z", "headers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { 
"exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "http_method": { "invert_matcher": true, "methods": [ "ANY" ] }, "ip_matcher": { "invert_matcher": true, "prefix_sets": [ { "name": "example", "namespace": "example" } ] }, "ip_prefix_list": { "invert_match": true, "ip_prefixes": [ "example" ] }, "path": { "exact_values": [ "example" ], "invert_matcher": true, "prefix_values": [ "example" ], "regex_values": [ "example" ], "suffix_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "query_params": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "key": "example" } ], "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ], "exact_values": [ "example" ], "excluded_values": [ "example" ] } } } ] }, "temporary_user_blocking": { "custom_page": "example" } }, "protected_cookies": [ { "add_httponly": {}, "add_secure": {}, "disable_tampering_protection": {}, "enable_tampering_protection": {}, "ignore_httponly": {}, "ignore_max_age": {}, "ignore_samesite": {}, "ignore_secure": {}, "max_age_value": 1, "name": "example", "samesite_lax": {}, "samesite_none": {}, "samesite_strict": {} } ], "random": {}, "rate_limit": { "custom_ip_allowed_list": { "rate_limiter_allowed_prefixes": [ { "name": "example", "namespace": "example" } ] }, "ip_allowed_list": { "prefixes": [ "example" ] }, "no_ip_allowed_list": {}, "no_policies": {}, "policies": { "policies": [ { "name": "example", "namespace": "example" } ] }, "rate_limiter": { "action_block": { "hours": { "duration": 1 }, "minutes": { "duration": 1 }, "seconds": { "duration": 1 } }, "burst_multiplier": 1, "disabled": {}, "leaky_bucket": {}, "period_multiplier": 0, "token_bucket": {}, "total_number": 1, "unit": "SECOND" } }, "ring_hash": { "hash_policy": [ { "cookie": { "add_httponly": {}, "add_secure": {}, 
"ignore_httponly": {}, "ignore_samesite": {}, "ignore_secure": {}, "name": "example", "path": "example", "samesite_lax": {}, "samesite_none": {}, "samesite_strict": {}, "ttl": 1 }, "header_name": "example", "source_ip": true, "terminal": true } ] }, "round_robin": {}, "routes": [ { "custom_route_object": { "route_ref": { "name": "example", "namespace": "example" }, "caching_disable": {}, "caching_inherit": {} }, "direct_response_route": { "headers": [ { "exact": "example", "invert_match": true, "name": "example", "presence": true, "regex": "example" } ], "http_method": "ANY", "incoming_port": { "no_port_match": {}, "port": 1, "port_ranges": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" }, "route_direct_response": { "response_body_encoded": "example", "response_code": 1 } }, "redirect_route": { "headers": [ { "exact": "example", "invert_match": true, "name": "example", "presence": true, "regex": "example" } ], "http_method": "ANY", "incoming_port": { "no_port_match": {}, "port": 1, "port_ranges": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" }, "route_redirect": { "host_redirect": "example", "path_redirect": "example", "prefix_rewrite": "example", "proto_redirect": "example", "remove_all_params": {}, "replace_params": "example", "response_code": 1, "retain_all_params": {} } }, "simple_route": { "advanced_options": { "app_firewall": { "name": "example", "namespace": "example" }, "bot_defense_javascript_injection": { "javascript_location": "AFTER_HEAD", "javascript_tags": [ { "javascript_url": "example", "tag_attributes": [ { "javascript_tag": "JS_ATTR_ID", "tag_value": "example" } ] } ] }, "buffer_policy": { "disabled": true, "max_request_bytes": 1 }, "common_buffering": {}, "common_hash_policy": {}, "cors_policy": { "allow_credentials": true, "allow_headers": "example", "allow_methods": "example", "allow_origin": [ "example" ], "allow_origin_regex": [ "example" ], "disabled": true, 
"expose_headers": "example", "maximum_age": 1 }, "csrf_policy": { "all_load_balancer_domains": {}, "custom_domain_list": { "domains": [ "example" ] }, "disabled": {} }, "default_retry_policy": {}, "disable_location_add": true, "disable_mirroring": {}, "disable_prefix_rewrite": {}, "disable_spdy": {}, "disable_waf": {}, "disable_web_socket_config": {}, "do_not_retract_cluster": {}, "enable_spdy": {}, "endpoint_subsets": {}, "inherited_bot_defense_javascript_injection": {}, "inherited_waf": {}, "inherited_waf_exclusion": {}, "mirror_policy": { "origin_pool": { "name": "example", "namespace": "example" }, "percent": { "denominator": "HUNDRED", "numerator": 1 } }, "no_retry_policy": {}, "prefix_rewrite": "example", "priority": "DEFAULT", "regex_rewrite": { "pattern": "example", "substitution": "example" }, "request_cookies_to_add": [ { "name": "example", "overwrite": true, "secret_value": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "value": "example" } ], "request_cookies_to_remove": [ "example" ], "request_headers_to_add": [ { "append": true, "name": "example", "secret_value": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "value": "example" } ], "request_headers_to_remove": [ "example" ], "response_cookies_to_add": [ { "add_domain": "example", "add_expiry": "example", "add_httponly": {}, "add_partitioned": {}, "add_path": "example", "add_secure": {}, "ignore_domain": {}, "ignore_expiry": {}, "ignore_httponly": {}, "ignore_max_age": {}, "ignore_partitioned": {}, "ignore_path": {}, "ignore_samesite": {}, "ignore_secure": {}, "ignore_value": {}, "max_age_value": 1, "name": "example", "overwrite": true, "samesite_lax": {}, "samesite_none": {}, "samesite_strict": {}, 
"secret_value": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "value": "example" } ], "response_cookies_to_remove": [ "example" ], "response_headers_to_add": [ { "append": true, "name": "example", "secret_value": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "value": "example" } ], "response_headers_to_remove": [ "example" ], "retract_cluster": {}, "retry_policy": { "back_off": { "base_interval": 1, "max_interval": 1 }, "num_retries": 1, "per_try_timeout": 1, "retriable_status_codes": [ 1 ], "retry_condition": [ "example" ] }, "specific_hash_policy": { "hash_policy": [ { "cookie": { "add_httponly": {}, "add_secure": {}, "ignore_httponly": {}, "ignore_samesite": {}, "ignore_secure": {}, "name": "example", "path": "example", "samesite_lax": {}, "samesite_none": {}, "samesite_strict": {}, "ttl": 1 }, "header_name": "example", "source_ip": true, "terminal": true } ] }, "timeout": 1, "waf_exclusion_policy": { "name": "example", "namespace": "example" }, "web_socket_config": { "use_websocket": true } }, "auto_host_rewrite": {}, "disable_host_rewrite": {}, "headers": [ { "exact": "example", "invert_match": true, "name": "example", "presence": true, "regex": "example" } ], "host_rewrite": "example", "http_method": "ANY", "incoming_port": { "no_port_match": {}, "port": 1, "port_ranges": "example" }, "origin_pools": [ { "cluster": { "name": "example", "namespace": "example" }, "endpoint_subsets": {}, "pool": { "name": "example", "namespace": "example" }, "priority": 1, "weight": 1 } ], "path": { "path": "example", "prefix": "example", "regex": "example" }, "query_params": { "remove_all_params": {}, "replace_params": "example", "retain_all_params": {} }, "caching_disable": {}, 
"caching_inherit": {} }, "route_state_disabled": {}, "route_state_enabled": {} } ], "sensitive_data_disclosure_rules": { "sensitive_data_types_in_response": [ { "api_endpoint": { "methods": [ "ANY" ], "path": "example" }, "body": { "fields": [ "example" ] }, "mask": {}, "report": {} } ] }, "sensitive_data_policy": { "sensitive_data_policy_ref": { "name": "example", "namespace": "example" } }, "service_policies_from_namespace": {}, "single_lb_app": { "disable_discovery": {}, "disable_malicious_user_detection": {}, "enable_discovery": { "api_crawler": { "api_crawler_config": { "domains": [ { "domain": "example", "simple_login": { "password": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "user": "example" } } ] }, "disable_api_crawler": {} }, "api_discovery_from_code_scan": { "code_base_integrations": [ { "all_repos": {}, "code_base_integration": { "name": "example", "namespace": "example" }, "selected_repos": { "api_code_repo": [ "example" ] } } ] }, "custom_api_auth_discovery": { "api_discovery_ref": { "name": "example", "namespace": "example" } }, "default_api_auth_discovery": {}, "disable_learn_from_redirect_traffic": {}, "discovered_api_settings": { "purge_duration_for_inactive_discovered_apis": 1 }, "enable_learn_from_redirect_traffic": {} }, "enable_malicious_user_detection": {} }, "slow_ddos_mitigation": { "disable_request_timeout": {}, "request_headers_timeout": 1, "request_timeout": 1 }, "source_ip_stickiness": {}, "system_default_timeouts": {}, "trusted_clients": [ { "actions": [ "SKIP_PROCESSING_WAF" ], "as_number": 1, "bot_skip_processing": {}, "expiration_timestamp": "2026-04-15T12:00:00Z", "http_header": { "headers": [ { "exact": "example", "invert_match": true, "name": "example", "presence": true, "regex": "example" } ] }, "ip_prefix": "example", "ipv6_prefix": "example", "metadata": { "description": 
"example", "name": "example" }, "skip_processing": {}, "user_identifier": "example", "waf_skip_processing": {} } ], "user_id_client_ip": {}, "user_identification": { "name": "example", "namespace": "example" }, "waf_exclusion": { "waf_exclusion_inline_rules": { "rules": [ { "any_domain": {}, "any_path": {}, "app_firewall_detection_control": { "exclude_attack_type_contexts": [ { "context": "CONTEXT_ANY", "context_name": "example", "exclude_attack_type": "ATTACK_TYPE_NONE" } ], "exclude_bot_name_contexts": [ { "bot_name": "example" } ], "exclude_signature_contexts": [ { "context": "CONTEXT_ANY", "context_name": "example", "signature_id": 1 } ], "exclude_violation_contexts": [ { "context": "CONTEXT_ANY", "context_name": "example", "exclude_violation": "VIOL_NONE" } ] }, "exact_value": "example", "expiration_timestamp": "2026-04-15T12:00:00Z", "metadata": { "description": "example", "name": "example" }, "methods": [ "ANY" ], "path_prefix": "example", "path_regex": "example", "suffix_value": "example", "waf_skip_processing": {} } ] }, "waf_exclusion_policy": { "name": "example", "namespace": "example" } } } }'

Shape of the HTTP load balancer specification.

Examples of this operation.

metadata.namespace
required
string

Namespace. This defines the workspace within which the configuration object is to be created. Must be in DNS_LABEL format. For a namespace object itself, the namespace value will be "".

metadata.name
required
string

Name The configuration object to be replaced will be looked up by name.

Media type: application/json
ReplaceRequest is used to replace contents of a http_loadbalancer

This is the input message of the ‘Replace’ RPC.

object
metadata
object
annotations
annotations

Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects.

object
description
description

Human readable description for the object.

string
>= 21 characters <= 1200 characters
disable
disable

A value of true will administratively disable the object.

boolean format: boolean
labels
labels

Map of string keys and values that can be used to organize and categorize (scope and select) objects as chosen by the user. Values specified here will be used by selector expression.

object
name
name

This is the name of the configuration object. It has to be unique within the namespace. It can only be specified in the create API call and cannot be changed by the replace API call. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 6 characters <= 1024 characters
namespace
namespace

This defines the workspace within which the configuration object is to be created. Must be in DNS_LABEL format. For a namespace object itself, the namespace value will be "".

string
>= 6 characters <= 1024 characters
spec
object
active_service_policies
object
policies
policies

Service Policies is a sequential engine where policies (and the rules within each policy) are evaluated one after the other. It is important to define the correct order for service policies (they are evaluated from top to bottom in the list) to get the intended result. For each request, its characteristics are evaluated against the match criteria in each service policy, starting at the top. If there is a match in the current policy, that policy takes effect and no more policies are evaluated. Otherwise, the next policy is evaluated. If all policies are evaluated and none match, the request is denied by default.

Required: YES.

Array<object>
>= 1 items <= 16 items
ObjectRefType

This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.

object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
add_location

Example: true. Appends the header x-volterra-location = <RE-site-name> to responses. This configuration is ignored on CE sites.

boolean format: boolean
advertise_custom
object
advertise_where
Advertise Where

Where should this load balancer be available

Required: YES.

Array<object>
>= 1 items <= 32 items
WhereType

This defines the various options for where a load balancer can be advertised.

object
advertise_on_public
object
public_ip
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
port
Port to listen

Exclusive with [port_ranges, use_default_port]. Port to listen on.

integer format: int64
>= 1 <= 65535
port_ranges
Port ranges to listen

Exclusive with [port, use_default_port]. A string containing a comma-separated list of port ranges. Each port range consists of a single port or two ports separated by "-".

string
>= 1 characters <= 512 characters
site
object
ip
IP address on the site

Use given IP address as VIP on the site.

string
<= 1024 characters
network
string
default: SITE_NETWORK_INSIDE_AND_OUTSIDE
Allowed values: SITE_NETWORK_INSIDE_AND_OUTSIDE SITE_NETWORK_INSIDE SITE_NETWORK_OUTSIDE SITE_NETWORK_SERVICE SITE_NETWORK_OUTSIDE_WITH_INTERNET_VIP SITE_NETWORK_INSIDE_AND_OUTSIDE_WITH_INTERNET_VIP SITE_NETWORK_IP_FABRIC
site
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
use_default_port
object
virtual_network
object
default_v6_vip
object
default_vip
object
specific_v6_vip
Specific V6 VIP

Exclusive with [default_v6_vip] Use given IPv6 address as VIP on virtual Network.

string
<= 1024 characters
specific_vip
Specific VIP

Exclusive with [default_vip] Use given IPv4 address as VIP on virtual Network.

string
<= 1024 characters
virtual_network
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
virtual_site
object
network
string
default: SITE_NETWORK_INSIDE_AND_OUTSIDE
Allowed values: SITE_NETWORK_INSIDE_AND_OUTSIDE SITE_NETWORK_INSIDE SITE_NETWORK_OUTSIDE SITE_NETWORK_SERVICE SITE_NETWORK_OUTSIDE_WITH_INTERNET_VIP SITE_NETWORK_INSIDE_AND_OUTSIDE_WITH_INTERNET_VIP SITE_NETWORK_IP_FABRIC
virtual_site
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
virtual_site_with_vip
object
ip
IP address on the site

Use given IP address as VIP on the site.

string
<= 1024 characters
network
string
default: SITE_NETWORK_SPECIFIED_VIP_OUTSIDE
Allowed values: SITE_NETWORK_SPECIFIED_VIP_OUTSIDE SITE_NETWORK_SPECIFIED_VIP_INSIDE
virtual_site
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
vk8s_service
object
site
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
virtual_site
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
advertise_on_public
object
public_ip
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
advertise_on_public_default_vip
object
api_protection_rules
object
api_endpoint_rules
api_endpoint_rules

This category defines specific rules per API endpoint. If a request matches any of these rules, the second category of rules is skipped.

Array<object>
<= 20 items
API Endpoint Protection Rule

API Protection Rule for a specific endpoint.

object
action
object
allow
object
deny
object
any_domain
object
api_endpoint_method
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
methods
methods

List of methods values to match against.

Array<string>
<= 16 items
Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY
api_endpoint_path
api endpoint path

The endpoint (path) of the request. Required: YES.

string
<= 1024 characters
client_matcher
object
any_client
object
any_ip
object
asn_list
object
as_numbers
as numbers

An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.

Array<integer>
>= 1 items <= 16 items
asn_matcher
object
asn_sets
asn_sets

A list of references to bgp_asn_set objects.

Required: YES.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
client_selector
object
expressions
expressions

Expressions contains the Kubernetes style label expression for selections. Required: YES.

Array<string>
<= 1 items
ip_matcher
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
prefix_sets
prefix_sets

A list of references to ip_prefix_set objects.

Required: YES.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
ip_prefix_list
object
invert_match
invert_matcher

Invert the match result.

boolean format: boolean
ip_prefixes
ip prefixes

List of IPv4 prefix strings.

Array<string>
<= 128 items
ip_threat_category_list
object
ip_threat_categories
IP Threat Categories

The IP threat categories are obtained from the list and are used to auto-generate equivalent label selection expressions.

Required: YES.

Array<string>
<= 32 items
Allowed values: SPAM_SOURCES WINDOWS_EXPLOITS WEB_ATTACKS BOTNETS SCANNERS REPUTATION PHISHING PROXY MOBILE_THREATS TOR_PROXY DENIAL_OF_SERVICE NETWORK
tls_fingerprint_matcher
object
classes
classes

A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.

Array<string>
<= 16 items
Allowed values: TLS_FINGERPRINT_NONE ANY_MALICIOUS_FINGERPRINT ADWARE ADWIND DRIDEX GOOTKIT GOZI JBIFROST QUAKBOT RANSOMWARE TROLDESH TOFSEE TORRENTLOCKER TRICKBOT
exact_values
exact values

A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.

Array<string>
<= 16 items
excluded_values
excluded values

A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.

Array<string>
<= 32 items
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
request_matcher
object
cookie_matchers
cookie matchers

A list of predicates for all cookies that need to be matched. The criteria for matching each cookie are described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.

Array<object>
<= 16 items
CookieMatcherType

A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:

  • Presence or absence of the cookie
  • At least one of the values for the cookie in the request satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert Match of the expression defined.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-sensitive cookie name. Required: YES.

string
>= 6 characters <= 256 characters
headers
headers

A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.

Array<object>
<= 16 items
HeaderMatcherType

A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:

  • Presence or absence of the header in the input
  • At least one of the values for the header in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-insensitive HTTP header name. Required: YES.

string
>= 6 characters <= 256 characters
jwt_claims
JWT claims

A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claims values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. Note that this feature only works on LBs with JWT Validation feature enabled.

Array<object>
<= 16 items
JWTClaimMatcherType

A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:

  • Presence or absence of the JWT Claim in the input
  • At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

JWT claim name. Required: YES.

string
>= 6 characters <= 256 characters
query_params
query params

A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.

Array<object>
<= 16 items
QueryParameterMatcherType

A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:

  • Presence or absence of the query parameter in the input
  • At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
key
key

A case-sensitive HTTP query parameter name. Required: YES.

string
>= 7 characters <= 256 characters
specific_domain
domain

Exclusive with [any_domain]. The rule will apply to a specific domain. For example: api.example.com.

string
<= 128 characters
api_groups_rules
api_groups_rules

This category includes rules per API group or Server URL. For API groups, refer to API Definition which includes API groups derived from uploaded swaggers.

Array<object>
<= 20 items
API Group Protection Rule

API Protection Rule for a group or a base URL.

object
action
object
allow
object
deny
object
any_domain
object
api_group
api_group

API groups derived from API Definition swaggers. For example oas-all-operations including all paths and methods from the swaggers, oas-base-URLs covering all requests under base-paths from the swaggers. Custom groups can be created if user tags paths or operations with “x-F5 Distributed Cloud-API-group” extensions inside swaggers.

string
<= 128 characters
base_path
base path

Prefix of the request path. For example: /v1. Required: YES.

string
<= 128 characters
client_matcher
object
any_client
object
any_ip
object
asn_list
object
as_numbers
as numbers

An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.

Array<integer>
>= 1 items <= 16 items
asn_matcher
object
asn_sets
asn_sets

A list of references to bgp_asn_set objects.

Required: YES.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
client_selector
object
expressions
expressions

Expressions contains the Kubernetes style label expression for selections. Required: YES.

Array<string>
<= 1 items
ip_matcher
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
prefix_sets
prefix_sets

A list of references to ip_prefix_set objects.

Required: YES.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
ip_prefix_list
object
invert_match
invert_matcher

Invert the match result.

boolean format: boolean
ip_prefixes
ip prefixes

List of IPv4 prefix strings.

Array<string>
<= 128 items
ip_threat_category_list
object
ip_threat_categories
IP Threat Categories

The IP threat categories are obtained from the list and are used to auto-generate equivalent label selection expressions.

Required: YES.

Array<string>
<= 32 items
Allowed values: SPAM_SOURCES WINDOWS_EXPLOITS WEB_ATTACKS BOTNETS SCANNERS REPUTATION PHISHING PROXY MOBILE_THREATS TOR_PROXY DENIAL_OF_SERVICE NETWORK
tls_fingerprint_matcher
object
classes
classes

A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.

Array<string>
<= 16 items
Allowed values: TLS_FINGERPRINT_NONE ANY_MALICIOUS_FINGERPRINT ADWARE ADWIND DRIDEX GOOTKIT GOZI JBIFROST QUAKBOT RANSOMWARE TROLDESH TOFSEE TORRENTLOCKER TRICKBOT
exact_values
exact values

A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.

Array<string>
<= 16 items
excluded_values
excluded values

A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.

Array<string>
<= 32 items
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
request_matcher
object
cookie_matchers
cookie matchers

A list of predicates for all cookies that need to be matched. The criteria for matching each cookie are described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.

Array<object>
<= 16 items
CookieMatcherType

A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:

  • Presence or absence of the cookie
  • At least one of the values for the cookie in the request satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert Match of the expression defined.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-sensitive cookie name. Required: YES.

string
>= 6 characters <= 256 characters
headers
headers

A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.

Array<object>
<= 16 items
HeaderMatcherType

A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:

  • Presence or absence of the header in the input
  • At least one of the values for the header in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-insensitive HTTP header name. Required: YES.

string
>= 6 characters <= 256 characters
jwt_claims
JWT claims

A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claims values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. Note that this feature only works on LBs with JWT Validation feature enabled.

Array<object>
<= 16 items
JWTClaimMatcherType

A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:

  • Presence or absence of the JWT Claim in the input
  • At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

JWT claim name. Required: YES.

string
>= 6 characters <= 256 characters
query_params
query params

A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.

Array<object>
<= 16 items
QueryParameterMatcherType

A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:

  • Presence or absence of the query parameter in the input
  • At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
key
key

A case-sensitive HTTP query parameter name. Required: YES.

string
>= 7 characters <= 256 characters
specific_domain
domain

Exclusive with [any_domain]. The rule will apply to a specific domain. For example: api.example.com.

string
<= 128 characters
api_rate_limit
object
api_endpoint_rules
api_endpoint_policy

Sets of rules for specific endpoints. Order matters, because a first-match policy is used. To create a rule that covers a whole domain or a group of endpoints, please use the server URL rules above.

Array<object>
<= 20 items
ApiEndpointRule
object
any_domain
object
api_endpoint_method
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
methods
methods

List of methods values to match against.

Array<string>
<= 16 items
Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY
api_endpoint_path
api endpoint path

The endpoint (path) of the request. Required: YES.

string
<= 1024 characters
client_matcher
object
any_client
object
any_ip
object
asn_list
object
as_numbers
as numbers

An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.

Array<integer>
>= 1 items <= 16 items
asn_matcher
object
asn_sets
asn_sets

A list of references to bgp_asn_set objects.

Required: YES.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
client_selector
object
expressions
expressions

Expressions contains the Kubernetes style label expression for selections. Required: YES.

Array<string>
<= 1 items
ip_matcher
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
prefix_sets
prefix_sets

A list of references to ip_prefix_set objects.

Required: YES.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
ip_prefix_list
object
invert_match
invert_matcher

Invert the match result.

boolean format: boolean
ip_prefixes
ip prefixes

List of IPv4 prefix strings.

Array<string>
<= 128 items
ip_threat_category_list
object
ip_threat_categories
IP Threat Categories

The IP threat categories are obtained from the list and are used to auto-generate equivalent label selection expressions.

Required: YES.

Array<string>
<= 32 items
Allowed values: SPAM_SOURCES WINDOWS_EXPLOITS WEB_ATTACKS BOTNETS SCANNERS REPUTATION PHISHING PROXY MOBILE_THREATS TOR_PROXY DENIAL_OF_SERVICE NETWORK
tls_fingerprint_matcher
object
classes
classes

A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.

Array<string>
<= 16 items
Allowed values: TLS_FINGERPRINT_NONE ANY_MALICIOUS_FINGERPRINT ADWARE ADWIND DRIDEX GOOTKIT GOZI JBIFROST QUAKBOT RANSOMWARE TROLDESH TOFSEE TORRENTLOCKER TRICKBOT
exact_values
exact values

A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.

Array<string>
<= 16 items
excluded_values
excluded values

A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.

Array<string>
<= 32 items
inline_rate_limiter
object
ref_user_id
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
threshold
threshold

The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. Required: YES.

integer format: int64
unit
string
default: SECOND
Allowed values: SECOND MINUTE HOUR DAY
use_http_lb_user_id
object
ref_rate_limiter
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
request_matcher
object
cookie_matchers
cookie matchers

A list of predicates for all cookies that need to be matched. The criteria for matching each cookie are described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.

Array<object>
<= 16 items
CookieMatcherType

A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:

  • Presence or absence of the cookie
  • At least one of the values for the cookie in the request satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert Match of the expression defined.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-sensitive cookie name. Required: YES.

string
>= 6 characters <= 256 characters
headers
headers

A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.

Array<object>
<= 16 items
HeaderMatcherType

A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:

  • Presence or absence of the header in the input
  • At least one of the values for the header in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-insensitive HTTP header name. Required: YES.

string
>= 6 characters <= 256 characters
jwt_claims
JWT claims

A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claim values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. This feature works only on LBs that have the JWT Validation feature enabled.

Array<object>
<= 16 items
JWTClaimMatcherType

A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:

  • Presence or absence of the JWT Claim in the input
  • At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

JWT claim name. Required: YES.

string
>= 6 characters <= 256 characters
query_params
query params

A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.

Array<object>
<= 16 items
QueryParameterMatcherType

A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:

  • Presence or absence of the query parameter in the input
  • At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
key
key

A case-sensitive HTTP query parameter name. Required: YES.

string
>= 7 characters <= 256 characters
specific_domain
domain

Exclusive with [any_domain]. The rule applies to a specific domain.

string
<= 128 characters
bypass_rate_limiting_rules
object
bypass_rate_limiting_rules
bypass_rate_limiting_policy

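This category defines rules per URL or API group. If a request matches any of these rules, rate limiting is skipped for that request. Because each rule can also match on client-supplied values (headers, cookies, query parameters), keep bypass rules as narrow as possible so that they exempt only the intended traffic.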

Array<object>
<= 20 items
BypassRateLimitingRule
object
any_domain
object
any_url
object
api_endpoint
object
methods
Methods

Methods to be matched.

Array<string>
<= 16 items
Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY
path
Path

Path to be matched. Required: YES.

string
<= 1024 characters
api_groups
object
api_groups
api group

Required: YES.

Array<string>
<= 32 items
base_path
base path

Exclusive with [any_url api_endpoint api_groups]. The base path to which this validation applies.

string
<= 128 characters
client_matcher
object
any_client
object
any_ip
object
asn_list
object
as_numbers
as numbers

An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.

Array<integer>
>= 1 items <= 16 items
asn_matcher
object
asn_sets
asn_sets

A list of references to bgp_asn_set objects.

Required: YES.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
client_selector
object
expressions
expressions

Expressions contains the Kubernetes style label expression for selections. Required: YES.

Array<string>
<= 1 items
ip_matcher
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
prefix_sets
prefix_sets

A list of references to ip_prefix_set objects.

Required: YES.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
ip_prefix_list
object
invert_match
invert_matcher

Invert the match result.

boolean format: boolean
ip_prefixes
ip prefixes

List of IPv4 prefix strings.

Array<string>
<= 128 items
ip_threat_category_list
object
ip_threat_categories
IP Threat Categories

The IP threat categories are obtained from the list and are used to auto-generate equivalent label selection expressions.

Required: YES.

Array<string>
<= 32 items
Allowed values: SPAM_SOURCES WINDOWS_EXPLOITS WEB_ATTACKS BOTNETS SCANNERS REPUTATION PHISHING PROXY MOBILE_THREATS TOR_PROXY DENIAL_OF_SERVICE NETWORK
tls_fingerprint_matcher
object
classes
classes

A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.

Array<string>
<= 16 items
Allowed values: TLS_FINGERPRINT_NONE ANY_MALICIOUS_FINGERPRINT ADWARE ADWIND DRIDEX GOOTKIT GOZI JBIFROST QUAKBOT RANSOMWARE TROLDESH TOFSEE TORRENTLOCKER TRICKBOT
exact_values
exact values

A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.

Array<string>
<= 16 items
excluded_values
excluded values

A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.

Array<string>
<= 32 items
request_matcher
object
cookie_matchers
cookie matchers

A list of predicates for all cookies that need to be matched. The criteria for matching each cookie are described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.

Array<object>
<= 16 items
CookieMatcherType

A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:

  • Presence or absence of the cookie
  • At least one of the values for the cookie in the request satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert Match of the expression defined.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-sensitive cookie name. Required: YES.

string
>= 6 characters <= 256 characters
headers
headers

A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.

Array<object>
<= 16 items
HeaderMatcherType

A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:

  • Presence or absence of the header in the input
  • At least one of the values for the header in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-insensitive HTTP header name. Required: YES.

string
>= 6 characters <= 256 characters
jwt_claims
JWT claims

A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claim values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. This feature works only on LBs that have the JWT Validation feature enabled.

Array<object>
<= 16 items
JWTClaimMatcherType

A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:

  • Presence or absence of the JWT Claim in the input
  • At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

JWT claim name. Required: YES.

string
>= 6 characters <= 256 characters
query_params
query params

A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.

Array<object>
<= 16 items
QueryParameterMatcherType

A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:

  • Presence or absence of the query parameter in the input
  • At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
key
key

A case-sensitive HTTP query parameter name. Required: YES.

string
>= 7 characters <= 256 characters
specific_domain
domain

Exclusive with [any_domain]. The rule applies to a specific domain. For example: api.example.com.

string
<= 128 characters
custom_ip_allowed_list
object
rate_limiter_allowed_prefixes
rate_limiter_allowed_prefixes

References to ip_prefix_set objects. Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting.

Required: YES.

Array<object>
>= 1 items <= 4 items
ObjectRefType

This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.

object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
ip_allowed_list
object
prefixes
ipv4 prefix list

List of IPv4 prefixes that represent an endpoint.

Array<string>
<= 128 items
no_ip_allowed_list
object
server_url_rules
server_url_policy

Set of rules for an entire domain or a base path that contains multiple endpoints. Order matters, as a first-match policy is used. To also match specific endpoints, use the API endpoint rules set below.

Array<object>
<= 20 items
ServerUrlRule
object
any_domain
object
api_group
api_group

API groups derived from API Definition swaggers. For example oas-all-operations including all paths and methods from the swaggers, oas-base-URLs covering all requests under base-paths from the swaggers. Custom groups can be created if user tags paths or operations with “x-F5 Distributed Cloud-API-group” extensions inside swaggers.

string
<= 128 characters
base_path
base path

Prefix of the request path. Required: YES.

string
<= 128 characters
client_matcher
object
any_client
object
any_ip
object
asn_list
object
as_numbers
as numbers

An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.

Array<integer>
>= 1 items <= 16 items
asn_matcher
object
asn_sets
asn_sets

A list of references to bgp_asn_set objects.

Required: YES.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
client_selector
object
expressions
expressions

Expressions contains the Kubernetes style label expression for selections. Required: YES.

Array<string>
<= 1 items
ip_matcher
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
prefix_sets
prefix_sets

A list of references to ip_prefix_set objects.

Required: YES.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
ip_prefix_list
object
invert_match
invert_matcher

Invert the match result.

boolean format: boolean
ip_prefixes
ip prefixes

List of IPv4 prefix strings.

Array<string>
<= 128 items
ip_threat_category_list
object
ip_threat_categories
IP Threat Categories

The IP threat categories are obtained from the list and are used to auto-generate equivalent label selection expressions.

Required: YES.

Array<string>
<= 32 items
Allowed values: SPAM_SOURCES WINDOWS_EXPLOITS WEB_ATTACKS BOTNETS SCANNERS REPUTATION PHISHING PROXY MOBILE_THREATS TOR_PROXY DENIAL_OF_SERVICE NETWORK
tls_fingerprint_matcher
object
classes
classes

A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.

Array<string>
<= 16 items
Allowed values: TLS_FINGERPRINT_NONE ANY_MALICIOUS_FINGERPRINT ADWARE ADWIND DRIDEX GOOTKIT GOZI JBIFROST QUAKBOT RANSOMWARE TROLDESH TOFSEE TORRENTLOCKER TRICKBOT
exact_values
exact values

A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.

Array<string>
<= 16 items
excluded_values
excluded values

A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.

Array<string>
<= 32 items
inline_rate_limiter
object
ref_user_id
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
threshold
threshold

The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. Required: YES.

integer format: int64
unit
string
default: SECOND
Allowed values: SECOND MINUTE HOUR DAY
use_http_lb_user_id
object
ref_rate_limiter
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
request_matcher
object
cookie_matchers
cookie matchers

A list of predicates for all cookies that need to be matched. The criteria for matching each cookie are described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.

Array<object>
<= 16 items
CookieMatcherType

A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:

  • Presence or absence of the cookie
  • At least one of the values for the cookie in the request satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert Match of the expression defined.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-sensitive cookie name. Required: YES.

string
>= 6 characters <= 256 characters
headers
headers

A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.

Array<object>
<= 16 items
HeaderMatcherType

A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:

  • Presence or absence of the header in the input
  • At least one of the values for the header in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-insensitive HTTP header name. Required: YES.

string
>= 6 characters <= 256 characters
jwt_claims
JWT claims

A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claim values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. This feature works only on LBs that have the JWT Validation feature enabled.

Array<object>
<= 16 items
JWTClaimMatcherType

A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:

  • Presence or absence of the JWT Claim in the input
  • At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

JWT claim name. Required: YES.

string
>= 6 characters <= 256 characters
query_params
query params

A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.

Array<object>
<= 16 items
QueryParameterMatcherType

A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:

  • Presence or absence of the query parameter in the input
  • At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
key
key

A case-sensitive HTTP query parameter name. Required: YES.

string
>= 7 characters <= 256 characters
specific_domain
domain

Exclusive with [any_domain]. The rule applies to a specific domain.

string
<= 128 characters
api_specification
object
api_definition
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
validation_all_spec_endpoints
object
fall_through_mode
object
fall_through_mode_allow
object
fall_through_mode_custom
object
open_api_validation_rules
Custom Fall Through Rule List

Required: YES.

Array<object>
<= 15 items
Fall Through Rule

Fall Through Rule for a specific endpoint, base-path, or API group.

object
action_block
object
action_report
object
action_skip
object
api_endpoint
object
methods
Methods

Methods to be matched.

Array<string>
<= 16 items
Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY
path
Path

Path to be matched. Required: YES.

string
<= 1024 characters
api_group
api_group

Exclusive with [api_endpoint base_path] The API group which this validation applies to.

string
<= 128 characters
base_path
base path

Exclusive with [api_endpoint api_group] The base path which this validation applies to.

string
<= 128 characters
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
settings
object
oversized_body_fail_validation
object
oversized_body_skip_validation
object
property_validation_settings_custom
object
queryParameters
object
allow_additional_parameters
object
disallow_additional_parameters
object
property_validation_settings_default
object
validation_mode
object
response_validation_mode_active
object
enforcement_block
object
enforcement_report
object
response_validation_properties
Response Validation Properties

List of properties of the response to validate according to the OpenAPI specification file (a.k.a. Swagger)

Required: YES.

Array<string>
>= 1 items
Allowed values: PROPERTY_QUERY_PARAMETERS PROPERTY_PATH_PARAMETERS PROPERTY_CONTENT_TYPE PROPERTY_COOKIE_PARAMETERS PROPERTY_HTTP_HEADERS PROPERTY_HTTP_BODY PROPERTY_SECURITY_SCHEMA PROPERTY_RESPONSE_CODE
skip_response_validation
object
skip_validation
object
validation_mode_active
object
enforcement_block
object
enforcement_report
object
request_validation_properties
Request Validation Properties

List of properties of the request to validate according to the OpenAPI specification file (a.k.a. Swagger)

Required: YES.

Array<string>
>= 1 items
Allowed values: PROPERTY_QUERY_PARAMETERS PROPERTY_PATH_PARAMETERS PROPERTY_CONTENT_TYPE PROPERTY_COOKIE_PARAMETERS PROPERTY_HTTP_HEADERS PROPERTY_HTTP_BODY PROPERTY_SECURITY_SCHEMA PROPERTY_RESPONSE_CODE
validation_custom_list
object
fall_through_mode
object
fall_through_mode_allow
object
fall_through_mode_custom
object
open_api_validation_rules
Custom Fall Through Rule List

Required: YES.

Array<object>
<= 15 items
Fall Through Rule

Fall Through Rule for a specific endpoint, base-path, or API group.

object
action_block
object
action_report
object
action_skip
object
api_endpoint
object
methods
Methods

Methods to be matched.

Array<string>
<= 16 items
Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY
path
Path

Path to be matched. Required: YES.

string
<= 1024 characters
api_group
api_group

Exclusive with [api_endpoint base_path] The API group which this validation applies to.

string
<= 128 characters
base_path
base path

Exclusive with [api_endpoint api_group] The base path which this validation applies to.

string
<= 128 characters
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
open_api_validation_rules
Validation List

Required: YES.

Array<object>
<= 15 items
OpenAPI Validation Rule

OpenAPI Validation Rule for a specific endpoint, base-path, or API group.

object
any_domain
object
api_endpoint
object
methods
Methods

Methods to be matched.

Array<string>
<= 16 items
Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY
path
Path

Path to be matched. Required: YES.

string
<= 1024 characters
api_group
api_group

Exclusive with [api_endpoint base_path] The API group which this validation applies to.

string
<= 128 characters
base_path
base path

Exclusive with [api_endpoint api_group] The base path which this validation applies to.

string
<= 128 characters
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
specific_domain
domain

Exclusive with [any_domain] The rule will apply for a specific domain.

string
<= 128 characters
validation_mode
object
response_validation_mode_active
object
enforcement_block
object
enforcement_report
object
response_validation_properties
Response Validation Properties

List of properties of the response to validate according to the OpenAPI specification file (a.k.a. Swagger)

Required: YES.

Array<string>
>= 1 items
Allowed values: PROPERTY_QUERY_PARAMETERS PROPERTY_PATH_PARAMETERS PROPERTY_CONTENT_TYPE PROPERTY_COOKIE_PARAMETERS PROPERTY_HTTP_HEADERS PROPERTY_HTTP_BODY PROPERTY_SECURITY_SCHEMA PROPERTY_RESPONSE_CODE
skip_response_validation
object
skip_validation
object
validation_mode_active
object
enforcement_block
object
enforcement_report
object
request_validation_properties
Request Validation Properties

List of properties of the request to validate according to the OpenAPI specification file (a.k.a. Swagger)

Required: YES.

Array<string>
>= 1 items
Allowed values: PROPERTY_QUERY_PARAMETERS PROPERTY_PATH_PARAMETERS PROPERTY_CONTENT_TYPE PROPERTY_COOKIE_PARAMETERS PROPERTY_HTTP_HEADERS PROPERTY_HTTP_BODY PROPERTY_SECURITY_SCHEMA PROPERTY_RESPONSE_CODE
settings
object
oversized_body_fail_validation
object
oversized_body_skip_validation
object
property_validation_settings_custom
object
queryParameters
object
allow_additional_parameters
object
disallow_additional_parameters
object
property_validation_settings_default
object
validation_disabled
object
api_testing
object
custom_header_value
Custom Header Value

Add x-F5-API-testing-identifier header value to prevent security flags on API testing traffic. Because traffic carrying this value is not flagged, treat the value as sensitive.

string
<= 128 characters
domains
Domain Configuration

Add and configure testing domains and credentials

Required: YES.

Array<object>
<= 32 items
Configured API Domains

The Domain configuration message.

object
allow_destructive_methods
Destructive Methods

Enable to allow the API test to execute destructive methods. Be cautious, as these can alter or delete data.

boolean format: boolean
credentials
The Domain credentials

Add credentials for API testing to use in the selected environment.

Required: YES.

Array<object>
Credentials

Configure credential details, including type (e.g., API Key, bearer token) and role.

object
admin
object
api_key
object
key
Api Key

Required: YES.

string
>= 7 characters <= 128 characters
value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

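URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Base64 is an encoding, not encryption, so a secret supplied this way is only as protected as the configuration that holds it. Required: YES.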

string format: uri
<= 131072 characters
basic_auth
object
password
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

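URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Base64 is an encoding, not encryption, so a secret supplied this way is only as protected as the configuration that holds it. Required: YES.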

string format: uri
<= 131072 characters
user
The custom domain user authentication

Required: YES.

string
<= 64 characters
bearer_token
object
token
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

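URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Base64 is an encoding, not encryption, so a secret supplied this way is only as protected as the configuration that holds it. Required: YES.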

string format: uri
<= 131072 characters
credential_name
Credential Name

Enter a unique name for the credentials used in API testing

Required: YES.

string
<= 64 characters
login_endpoint
object
json_payload
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to get encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

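URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Base64 is an encoding, not encryption, so a secret supplied this way is only as protected as the configuration that holds it. Required: YES.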

string format: uri
<= 131072 characters
method
string
default: ANY
Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY
path
Login Endpoint Path

Required: YES.

string
<= 1024 characters
token_response_key
Token Response Key

Specifies how to handle the API response, extracting authentication tokens.

Required: YES.

string
<= 1024 characters
standard
object
domain
Domain

Add your testing environment domain. Be aware that running tests on a production domain can impact live applications, as API testing cannot distinguish between production and testing environments.

Required: YES.

string format: hostname
>= 26 characters <= 256 characters
every_day
object
every_month
object
every_week
object
app_firewall
object
name
name

When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name will hold the referred object’s (e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace will hold the referred object’s (e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant will hold the referred object’s (e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
blocked_clients

Define rules to block IP Prefixes or AS numbers.

Array<object>
<= 256 items
SimpleClientSrcRule

Simple client source rule specifies the sources to be blocked or trusted (skip WAF)

object
actions
actions

Actions that should be taken when client identifier matches the rule.

Array<string>
<= 10 items
Allowed values: SKIP_PROCESSING_WAF SKIP_PROCESSING_BOT SKIP_PROCESSING_MUM SKIP_PROCESSING_IP_REPUTATION SKIP_PROCESSING_API_PROTECTION SKIP_PROCESSING_OAS_VALIDATION SKIP_PROCESSING_DDOS_PROTECTION SKIP_PROCESSING_THREAT_MESH SKIP_PROCESSING_MALWARE_PROTECTION
as_number
as number

Exclusive with [http_header ip_prefix ipv6_prefix user_identifier] RFC 6793 defined 4-byte AS number.

integer format: int64
bot_skip_processing
object
expiration_timestamp
expiration timestamp

The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.

string format: date-time
<= 1024 characters
http_header
object
headers
headers

List of HTTP header name and value pairs

Required: YES.

Array<object>
<= 16 items
HeaderMatcherType

Header match is done using the name of the header and its value. The value match is done using one of the following: regex match on value, exact match of value, or presence of header.

Header match can also be the inverse of the above, which can be used to check for a missing header or a non-matching value.

object
exact
exact

Exclusive with [presence regex] Header value to match exactly.

string
<= 256 characters
invert_match
invert_match

Invert the result of the match to detect missing header or non-matching value.

boolean format: boolean
name
name

Name of the header. Required: YES.

string
>= 1 characters <= 256 characters
presence
presence

Exclusive with [exact regex] If true, check for presence of header.

boolean format: boolean
regex
regex

Exclusive with [exact presence] Regex match of the header value in re2 format.

string
<= 256 characters
ip_prefix
ip prefix

Exclusive with [as_number http_header ipv6_prefix user_identifier] IPv4 prefix string.

string
<= 1024 characters
ipv6_prefix
ipv6 prefix

Exclusive with [as_number http_header ip_prefix user_identifier] IPv6 prefix string.

string
<= 1024 characters
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
skip_processing
object
user_identifier
user identifier

Exclusive with [as_number http_header ip_prefix ipv6_prefix] Identify user based on user identifier. User identifier value needs to be copied from security event.

string
<= 256 characters
waf_skip_processing
object
bot_defense
object
disable_cors_support
object
enable_cors_support
object
policy
object
disable_js_insert
object
disable_mobile_sdk
object
javascript_mode
string
default: ASYNC_JS_NO_CACHING
Allowed values: ASYNC_JS_NO_CACHING ASYNC_JS_CACHING SYNC_JS_NO_CACHING SYNC_JS_CACHING
js_download_path
js_download_path

Customize Bot Defense Client JavaScript path. If not specified, the default is /common.js.

string
<= 1024 characters
js_insert_all_pages
object
javascript_location
string
default: AFTER_HEAD
Allowed values: AFTER_HEAD AFTER_TITLE_END BEFORE_SCRIPT
js_insert_all_pages_except
object
exclude_list
exclude_list

Optional JavaScript insertions exclude list of domain and path matchers.

Array<object>
<= 128 items
ShapeJavaScriptExclusionRule

Define JavaScript insertion exclusion rule.

object
any_domain
object
domain
object
exact_value
exact value

Exclusive with [regex_value suffix_value] Exact domain name.

string
>= 1 characters <= 256 characters
regex_value
regex values of Domains

Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.

string
>= 1 characters <= 256 characters
suffix_value
suffix value

Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”

string
>= 1 characters <= 256 characters
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
path
object
path
exact

Exclusive with [prefix regex] Exact path value to match.

string
<= 256 characters
prefix
prefix

Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)

string
<= 256 characters
regex
regex

Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)

string
>= 1 characters <= 256 characters
javascript_location
string
default: AFTER_HEAD
Allowed values: AFTER_HEAD AFTER_TITLE_END BEFORE_SCRIPT
js_insertion_rules
object
exclude_list
exclude_list

Optional JavaScript insertions exclude list of domain and path matchers.

Array<object>
<= 128 items
ShapeJavaScriptExclusionRule

Define JavaScript insertion exclusion rule.

object
any_domain
object
domain
object
exact_value
exact value

Exclusive with [regex_value suffix_value] Exact domain name.

string
>= 1 characters <= 256 characters
regex_value
regex values of Domains

Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.

string
>= 1 characters <= 256 characters
suffix_value
suffix value

Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”

string
>= 1 characters <= 256 characters
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
path
object
path
exact

Exclusive with [prefix regex] Exact path value to match.

string
<= 256 characters
prefix
prefix

Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)

string
<= 256 characters
regex
regex

Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)

string
>= 1 characters <= 256 characters
rules
rules

Required list of pages to insert Bot Defense client JavaScript.

Required: YES.

Array<object>
>= 1 items <= 128 items
ShapeJavaScriptInsertionRule

This defines a rule for Bot Defense JavaScript insertion.

object
any_domain
object
domain
object
exact_value
exact value

Exclusive with [regex_value suffix_value] Exact domain name.

string
>= 1 characters <= 256 characters
regex_value
regex values of Domains

Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.

string
>= 1 characters <= 256 characters
suffix_value
suffix value

Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”

string
>= 1 characters <= 256 characters
javascript_location
string
default: AFTER_HEAD
Allowed values: AFTER_HEAD AFTER_TITLE_END BEFORE_SCRIPT
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
path
object
path
exact

Exclusive with [prefix regex] Exact path value to match.

string
<= 256 characters
prefix
prefix

Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)

string
<= 256 characters
regex
regex

Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)

string
>= 1 characters <= 256 characters
mobile_sdk_config
object
mobile_identifier
object
headers
Mobile headers

Headers that can be used to identify mobile traffic.

Array<object>
<= 32 items
HeaderMatcherTypeBasic

A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:

  • Presence or absence of the header in the input
  • At least one of the values for the header in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-insensitive HTTP header name. Required: YES.

string
>= 6 characters <= 256 characters
protected_app_endpoints
AppEndpointType

List of protected endpoints. Limit: Approx ‘128 endpoints per Load Balancer (LB)’ up to 4 LBs, ‘32 endpoints per LB’ after 4 LBs.

Required: YES.

Array<object>
>= 1 items <= 128 items
AppEndpointType

Application Endpoint.

object
allow_good_bots
object
any_domain
object
domain
object
exact_value
exact value

Exclusive with [regex_value suffix_value] Exact domain name.

string
>= 1 characters <= 256 characters
regex_value
regex values of Domains

Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.

string
>= 1 characters <= 256 characters
suffix_value
suffix value

Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”

string
>= 1 characters <= 256 characters
flow_label
object
account_management
object
create
object
password_reset
object
authentication
object
login
object
disable_transaction_result
object
transaction_result
object
failure_conditions
Failure Conditions

Failure Conditions.

Array<object>
<= 3 items
BotDefenseTransactionResultCondition

Bot Defense Transaction Result Condition.

object
name
name

A case-insensitive HTTP header name.

string
>= 6 characters <= 256 characters
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
status
string
default: EmptyStatusCode
Allowed values: EmptyStatusCode Continue OK Created Accepted NonAuthoritativeInformation NoContent ResetContent PartialContent MultiStatus AlreadyReported IMUsed MultipleChoices MovedPermanently Found SeeOther NotModified UseProxy TemporaryRedirect PermanentRedirect BadRequest Unauthorized PaymentRequired Forbidden NotFound MethodNotAllowed NotAcceptable ProxyAuthenticationRequired RequestTimeout Conflict Gone LengthRequired PreconditionFailed PayloadTooLarge URITooLong UnsupportedMediaType RangeNotSatisfiable ExpectationFailed MisdirectedRequest UnprocessableEntity Locked FailedDependency UpgradeRequired PreconditionRequired TooManyRequests RequestHeaderFieldsTooLarge InternalServerError NotImplemented BadGateway ServiceUnavailable GatewayTimeout HTTPVersionNotSupported VariantAlsoNegotiates InsufficientStorage LoopDetected NotExtended NetworkAuthenticationRequired
success_conditions
Success Conditions

Success Conditions.

Array<object>
<= 3 items
BotDefenseTransactionResultCondition

Bot Defense Transaction Result Condition.

object
name
name

A case-insensitive HTTP header name.

string
>= 6 characters <= 256 characters
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
status
string
default: EmptyStatusCode
Allowed values: EmptyStatusCode Continue OK Created Accepted NonAuthoritativeInformation NoContent ResetContent PartialContent MultiStatus AlreadyReported IMUsed MultipleChoices MovedPermanently Found SeeOther NotModified UseProxy TemporaryRedirect PermanentRedirect BadRequest Unauthorized PaymentRequired Forbidden NotFound MethodNotAllowed NotAcceptable ProxyAuthenticationRequired RequestTimeout Conflict Gone LengthRequired PreconditionFailed PayloadTooLarge URITooLong UnsupportedMediaType RangeNotSatisfiable ExpectationFailed MisdirectedRequest UnprocessableEntity Locked FailedDependency UpgradeRequired PreconditionRequired TooManyRequests RequestHeaderFieldsTooLarge InternalServerError NotImplemented BadGateway ServiceUnavailable GatewayTimeout HTTPVersionNotSupported VariantAlsoNegotiates InsufficientStorage LoopDetected NotExtended NetworkAuthenticationRequired
login_mfa
object
login_partner
object
logout
object
token_refresh
object
financial_services
object
apply
object
money_transfer
object
flight
object
checkin
object
profile_management
object
create
object
update
object
view
object
search
object
flight_search
object
product_search
object
reservation_search
object
room_search
object
shopping_gift_cards
object
gift_card_make_purchase_with_gift_card
object
gift_card_validation
object
shop_add_to_cart
object
shop_checkout
object
shop_choose_seat
object
shop_enter_drawing_submission
object
shop_make_payment
object
shop_order
object
shop_price_inquiry
object
shop_promo_code_validation
object
shop_purchase_gift_card
object
shop_update_quantity
object
headers
headers

A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.

Array<object>
<= 16 items
HeaderMatcherType

A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:

  • Presence or absence of the header in the input
  • At least one of the values for the header in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-insensitive HTTP header name. Required: YES.

string
>= 6 characters <= 256 characters
http_methods
HTTP Methods

List of HTTP methods.

Required: YES.

Array<string>
>= 1 items <= 5 items
Allowed values: METHOD_ANY METHOD_GET METHOD_POST METHOD_PUT METHOD_PATCH METHOD_DELETE METHOD_GET_DOCUMENT
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
mitigate_good_bots
object
mitigation
object
block
object
body
body

Custom body message is of type uri_ref. The currently supported URL scheme is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a Base64-encoded plain-text message, e.g. “Your request was blocked”, or it can be an HTML paragraph or a body string encoded as a Base64 string, e.g. “<p> Your request was blocked </p>”. Base64 encoded string for this HTML is “LzxwPiBZb3VyIHJlcXVlc3Qgd2FzIGJsb2NrZWQgPC9wPg==”

string
<= 4096 characters
status
string
default: EmptyStatusCode
Allowed values: EmptyStatusCode Continue OK Created Accepted NonAuthoritativeInformation NoContent ResetContent PartialContent MultiStatus AlreadyReported IMUsed MultipleChoices MovedPermanently Found SeeOther NotModified UseProxy TemporaryRedirect PermanentRedirect BadRequest Unauthorized PaymentRequired Forbidden NotFound MethodNotAllowed NotAcceptable ProxyAuthenticationRequired RequestTimeout Conflict Gone LengthRequired PreconditionFailed PayloadTooLarge URITooLong UnsupportedMediaType RangeNotSatisfiable ExpectationFailed MisdirectedRequest UnprocessableEntity Locked FailedDependency UpgradeRequired PreconditionRequired TooManyRequests RequestHeaderFieldsTooLarge InternalServerError NotImplemented BadGateway ServiceUnavailable GatewayTimeout HTTPVersionNotSupported VariantAlsoNegotiates InsufficientStorage LoopDetected NotExtended NetworkAuthenticationRequired
body_hash
body_hash

Body Hash: represents the corresponding MD5 hash for the body message.

string
<= 1024 characters
flag
object
append_headers
object
auto_type_header_name
auto_type_header_name

A case-insensitive HTTP header name. Required: YES.

string
<= 256 characters
inference_header_name
inference_header_name

A case-insensitive HTTP header name. Required: YES.

string
<= 256 characters
no_headers
object
redirect
object
uri
URI

URI location for redirect may be relative or absolute. Required: YES.

string
<= 1024 characters
none
object
mobile
object
path
object
path
exact

Exclusive with [prefix regex] Exact path value to match.

string
<= 256 characters
prefix
prefix

Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)

string
<= 256 characters
regex
regex

Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)

string
>= 1 characters <= 256 characters
protocol
string
default: BOTH
Allowed values: BOTH HTTP HTTPS
query_params
query params

A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.

Array<object>
<= 16 items
QueryParameterMatcherType

A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:

  • Presence or absence of the query parameter in the input
  • At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
key
key

A case-sensitive HTTP query parameter name. Required: YES.

string
>= 7 characters <= 256 characters
undefined_flow_label
object
web
object
web_mobile
object
mobile_identifier
string
default: HEADERS
Allowed values: HEADERS
regional_endpoint
string
default: AUTO
Allowed values: AUTO US EU ASIA
timeout
timeout

The timeout for the inference check, in milliseconds.

integer format: int64
bot_defense_advanced
object
disable_js_insert
object
disable_mobile_sdk
object
js_insert_all_pages
object
javascript_location
string
default: AFTER_HEAD
Allowed values: AFTER_HEAD AFTER_TITLE_END BEFORE_SCRIPT
js_insert_all_pages_except
object
exclude_list
exclude_list

Optional JavaScript insertions exclude list of domain and path matchers.

Array<object>
<= 128 items
ShapeJavaScriptExclusionRule

Define JavaScript insertion exclusion rule.

object
any_domain
object
domain
object
exact_value
exact value

Exclusive with [regex_value suffix_value] Exact domain name.

string
>= 1 characters <= 256 characters
regex_value
regex values of Domains

Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.

string
>= 1 characters <= 256 characters
suffix_value
suffix value

Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”

string
>= 1 characters <= 256 characters
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
path
object
path
exact

Exclusive with [prefix regex] Exact path value to match.

string
<= 256 characters
prefix
prefix

Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)

string
<= 256 characters
regex
regex

Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)

string
>= 1 characters <= 256 characters
javascript_location
string
default: AFTER_HEAD
Allowed values: AFTER_HEAD AFTER_TITLE_END BEFORE_SCRIPT
js_insertion_rules
object
exclude_list
exclude_list

Optional JavaScript insertions exclude list of domain and path matchers.

Array<object>
<= 128 items
ShapeJavaScriptExclusionRule

Define JavaScript insertion exclusion rule.

object
any_domain
object
domain
object
exact_value
exact value

Exclusive with [regex_value suffix_value] Exact domain name.

string
>= 1 characters <= 256 characters
regex_value
regex values of Domains

Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.

string
>= 1 characters <= 256 characters
suffix_value
suffix value

Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”

string
>= 1 characters <= 256 characters
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
path
object
path
exact

Exclusive with [prefix regex] Exact path value to match.

string
<= 256 characters
prefix
prefix

Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)

string
<= 256 characters
regex
regex

Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)

string
>= 1 characters <= 256 characters
rules
rules

Required list of pages to insert Bot Defense client JavaScript.

Required: YES.

Array<object>
>= 1 items <= 128 items
ShapeJavaScriptInsertionRule

This defines a rule for Bot Defense JavaScript insertion.

object
any_domain
object
domain
object
exact_value
exact value

Exclusive with [regex_value suffix_value] Exact domain name.

string
>= 1 characters <= 256 characters
regex_value
regex values of Domains

Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.

string
>= 1 characters <= 256 characters
suffix_value
suffix value

Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”

string
>= 1 characters <= 256 characters
javascript_location
string
default: AFTER_HEAD
Allowed values: AFTER_HEAD AFTER_TITLE_END BEFORE_SCRIPT
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
path
object
path
exact

Exclusive with [prefix regex] Exact path value to match.

string
<= 256 characters
prefix
prefix

Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)

string
<= 256 characters
regex
regex

Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)

string
>= 1 characters <= 256 characters
mobile
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
mobile_sdk_config
object
mobile_identifier
object
headers
Mobile headers

Headers that can be used to identify mobile traffic.

Array<object>
<= 32 items
HeaderMatcherTypeBasic

A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:

  • Presence or absence of the header in the input
  • At least one of the values for the header in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-insensitive HTTP header name. Required: YES.

string
>= 6 characters <= 256 characters
web
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
caching_policy
object
custom_cache_rule
object
cdn_cache_rules
cdn_cache_rule

Reference to CDN Cache Rule configuration object.

Array<object>
ObjectRefType

This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.

object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
default_cache_action
object
cache_disabled
object
cache_ttl_default
Use Cache TTL Provided by Origin

Exclusive with [cache_disabled cache_ttl_override] Use Cache TTL Provided by Origin, and set a contingency TTL value in case one is not provided.

string
<= 1024 characters
cache_ttl_override
Override Cache TTL Provided by Origin

Exclusive with [cache_disabled cache_ttl_default] Always override the Cache TTL provided by Origin.

string
<= 1024 characters
captcha_challenge
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a base64-encoded plain text message, e.g. “Please Wait..”, or it can be an HTML paragraph or a body string encoded as a base64 string, e.g. “<p> Please Wait </p>”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”

string
<= 65536 characters
client_side_defense
object
policy
object
disable_js_insert
object
js_insert_all_pages
object
js_insert_all_pages_except
object
exclude_list
exclude_list

Optional JavaScript insertions exclude list of domain and path matchers.

Array<object>
<= 128 items
ShapeJavaScriptExclusionRule

Define JavaScript insertion exclusion rule.

object
any_domain
object
domain
object
exact_value
exact value

Exclusive with [regex_value suffix_value] Exact domain name.

string
>= 1 characters <= 256 characters
regex_value
regex values of Domains

Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.

string
>= 1 characters <= 256 characters
suffix_value
suffix value

Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”

string
>= 1 characters <= 256 characters
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
path
object
path
exact

Exclusive with [prefix regex] Exact path value to match.

string
<= 256 characters
prefix
prefix

Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)

string
<= 256 characters
regex
regex

Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)

string
>= 1 characters <= 256 characters
js_insertion_rules
object
exclude_list
exclude_list

Optional JavaScript insertions exclude list of domain and path matchers.

Array<object>
<= 128 items
ShapeJavaScriptExclusionRule

Define JavaScript insertion exclusion rule.

object
any_domain
object
domain
object
exact_value
exact value

Exclusive with [regex_value suffix_value] Exact domain name.

string
>= 1 characters <= 256 characters
regex_value
regex values of Domains

Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.

string
>= 1 characters <= 256 characters
suffix_value
suffix value

Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”

string
>= 1 characters <= 256 characters
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
path
object
path
exact

Exclusive with [prefix regex] Exact path value to match.

string
<= 256 characters
prefix
prefix

Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)

string
<= 256 characters
regex
regex

Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)

string
>= 1 characters <= 256 characters
rules
rules

Required list of pages to insert Client-Side Defense client JavaScript.

Required: YES.

Array<object>
>= 1 items <= 128 items
CSDJavaScriptInsertionRule

This defines a rule for Client-Side Defense JavaScript insertion.

object
any_domain
object
domain
object
exact_value
exact value

Exclusive with [regex_value suffix_value] Exact domain name.

string
>= 1 characters <= 256 characters
regex_value
regex values of Domains

Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.

string
>= 1 characters <= 256 characters
suffix_value
suffix value

Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”

string
>= 1 characters <= 256 characters
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
path
object
path
exact

Exclusive with [prefix regex] Exact path value to match.

string
<= 256 characters
prefix
prefix

Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)

string
<= 256 characters
regex
regex

Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)

string
>= 1 characters <= 256 characters
cookie_stickiness
object
add_httponly
object
add_secure
object
ignore_httponly
object
ignore_samesite
object
ignore_secure
object
name
name

The name of the cookie that will be used to obtain the hash key. If the cookie is not present and TTL below is not set, no hash will be produced. Required: YES.

string
>= 1 characters <= 256 characters
path
path

The name of the path for the cookie. If no path is specified here, no path will be set for the cookie.

string
<= 1024 characters
samesite_lax
object
samesite_none
object
samesite_strict
object
ttl
ttl

If specified, a cookie with the TTL will be generated if the cookie is not present. If the TTL is present and zero, the generated cookie will be a session cookie. TTL value is in milliseconds.

integer format: int64
cors_policy
object
allow_credentials
allow_credentials

Specifies whether the resource allows credentials.

boolean format: boolean
allow_headers
allow_headers

Specifies the content for the access-control-allow-headers header.

string
<= 1024 characters
allow_methods
allow_methods

Specifies the content for the access-control-allow-methods header.

string
<= 1024 characters
allow_origin
allow_origin

Specifies the origins that will be allowed to do CORS requests. An origin is allowed if either allow_origin or allow_origin_regex match.

Array<string>
<= 128 items
allow_origin_regex
allow_origin_regex

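Specifies regex patterns that match allowed origins. An origin is allowed if either allow_origin or allow_origin_regex matches. Because any origin that matches a pattern is allowed, keep each pattern as narrow as the intended set of origins, particularly when allow_credentials is enabled.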

Array<string>
<= 16 items
disabled
disabled

Disable the CorsPolicy for a particular route. This is useful when virtual-host has CorsPolicy, but we need to disable it on a specific route. The value of this field is ignored for virtual-host.

boolean format: boolean
expose_headers
expose_headers

Specifies the content for the access-control-expose-headers header.

string
<= 1024 characters
maximum_age
maximum_age

Specifies the content for the access-control-max-age header in seconds. This indicates the maximum number of seconds the results can be cached. A value of -1 will disable caching. Maximum permitted value is 86400 seconds (24 hours).

integer format: int32
csrf_policy
object
all_load_balancer_domains
object
custom_domain_list
object
domains
Domains

A list of domain names that will be matched to loadbalancer. These domains are not used for SNI match. Wildcard names are supported in the suffix or prefix form. Required: YES.

Array<string>
>= 1 items <= 32 items
disabled
object
data_guard_rules

Data Guard prevents responses from exposing sensitive information by masking the data. The system masks credit card numbers and social security numbers leaked from the application within the HTTP response with a string of asterisks (*). Note: App Firewall should be enabled to use the Data Guard feature.

Array<object>
<= 64 items
SimpleDataGuardRule

Simple Data Guard rule specifies a simple set of match conditions to enable data guard protection.

object
any_domain
object
apply_data_guard
object
exact_value
exact value

Exclusive with [any_domain suffix_value] Exact domain name.

string
>= 1 characters <= 256 characters
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
path
object
path
exact

Exclusive with [prefix regex] Exact path value to match.

string
<= 256 characters
prefix
prefix

Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)

string
<= 256 characters
regex
regex

Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)

string
>= 1 characters <= 256 characters
skip_data_guard
object
suffix_value
suffix value

Exclusive with [any_domain exact_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”

string
>= 1 characters <= 256 characters
ddos_mitigation_rules

Define manual mitigation rules to block L7 DDoS attacks.

Array<object>
<= 256 items
DDoSMitigationRule

DDoS Mitigation Rule specifies the sources to be blocked.

object
block
object
ddos_client_source
object
asn_list
object
as_numbers
as numbers

An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.

Array<integer>
>= 1 items <= 16 items
country_list
country_list

Sources that are located in one of the countries in the given list.

Array<string>
<= 64 items
Allowed values: COUNTRY_NONE COUNTRY_AD COUNTRY_AE COUNTRY_AF COUNTRY_AG COUNTRY_AI COUNTRY_AL COUNTRY_AM COUNTRY_AN COUNTRY_AO COUNTRY_AQ COUNTRY_AR COUNTRY_AS COUNTRY_AT COUNTRY_AU COUNTRY_AW COUNTRY_AX COUNTRY_AZ COUNTRY_BA COUNTRY_BB COUNTRY_BD COUNTRY_BE COUNTRY_BF COUNTRY_BG COUNTRY_BH COUNTRY_BI COUNTRY_BJ COUNTRY_BL COUNTRY_BM COUNTRY_BN COUNTRY_BO COUNTRY_BQ COUNTRY_BR COUNTRY_BS COUNTRY_BT COUNTRY_BV COUNTRY_BW COUNTRY_BY COUNTRY_BZ COUNTRY_CA COUNTRY_CC COUNTRY_CD COUNTRY_CF COUNTRY_CG COUNTRY_CH COUNTRY_CI COUNTRY_CK COUNTRY_CL COUNTRY_CM COUNTRY_CN COUNTRY_CO COUNTRY_CR COUNTRY_CS COUNTRY_CU COUNTRY_CV COUNTRY_CW COUNTRY_CX COUNTRY_CY COUNTRY_CZ COUNTRY_DE COUNTRY_DJ COUNTRY_DK COUNTRY_DM COUNTRY_DO COUNTRY_DZ COUNTRY_EC COUNTRY_EE COUNTRY_EG COUNTRY_EH COUNTRY_ER COUNTRY_ES COUNTRY_ET COUNTRY_FI COUNTRY_FJ COUNTRY_FK COUNTRY_FM COUNTRY_FO COUNTRY_FR COUNTRY_GA COUNTRY_GB COUNTRY_GD COUNTRY_GE COUNTRY_GF COUNTRY_GG COUNTRY_GH COUNTRY_GI COUNTRY_GL COUNTRY_GM COUNTRY_GN COUNTRY_GP COUNTRY_GQ COUNTRY_GR COUNTRY_GS COUNTRY_GT COUNTRY_GU COUNTRY_GW COUNTRY_GY COUNTRY_HK COUNTRY_HM COUNTRY_HN COUNTRY_HR COUNTRY_HT COUNTRY_HU COUNTRY_ID COUNTRY_IE COUNTRY_IL COUNTRY_IM COUNTRY_IN COUNTRY_IO COUNTRY_IQ COUNTRY_IR COUNTRY_IS COUNTRY_IT COUNTRY_JE COUNTRY_JM COUNTRY_JO COUNTRY_JP COUNTRY_KE COUNTRY_KG COUNTRY_KH COUNTRY_KI COUNTRY_KM COUNTRY_KN COUNTRY_KP COUNTRY_KR COUNTRY_KW COUNTRY_KY COUNTRY_KZ COUNTRY_LA COUNTRY_LB COUNTRY_LC COUNTRY_LI COUNTRY_LK COUNTRY_LR COUNTRY_LS COUNTRY_LT COUNTRY_LU COUNTRY_LV COUNTRY_LY COUNTRY_MA COUNTRY_MC COUNTRY_MD COUNTRY_ME COUNTRY_MF COUNTRY_MG COUNTRY_MH COUNTRY_MK COUNTRY_ML COUNTRY_MM COUNTRY_MN COUNTRY_MO COUNTRY_MP COUNTRY_MQ COUNTRY_MR COUNTRY_MS COUNTRY_MT COUNTRY_MU COUNTRY_MV COUNTRY_MW COUNTRY_MX COUNTRY_MY COUNTRY_MZ COUNTRY_NA COUNTRY_NC COUNTRY_NE COUNTRY_NF COUNTRY_NG COUNTRY_NI COUNTRY_NL COUNTRY_NO COUNTRY_NP COUNTRY_NR COUNTRY_NU COUNTRY_NZ COUNTRY_OM COUNTRY_PA COUNTRY_PE COUNTRY_PF COUNTRY_PG COUNTRY_PH 
COUNTRY_PK COUNTRY_PL COUNTRY_PM COUNTRY_PN COUNTRY_PR COUNTRY_PS COUNTRY_PT COUNTRY_PW COUNTRY_PY COUNTRY_QA COUNTRY_RE COUNTRY_RO COUNTRY_RS COUNTRY_RU COUNTRY_RW COUNTRY_SA COUNTRY_SB COUNTRY_SC COUNTRY_SD COUNTRY_SE COUNTRY_SG COUNTRY_SH COUNTRY_SI COUNTRY_SJ COUNTRY_SK COUNTRY_SL COUNTRY_SM COUNTRY_SN COUNTRY_SO COUNTRY_SR COUNTRY_SS COUNTRY_ST COUNTRY_SV COUNTRY_SX COUNTRY_SY COUNTRY_SZ COUNTRY_TC COUNTRY_TD COUNTRY_TF COUNTRY_TG COUNTRY_TH COUNTRY_TJ COUNTRY_TK COUNTRY_TL COUNTRY_TM COUNTRY_TN COUNTRY_TO COUNTRY_TR COUNTRY_TT COUNTRY_TV COUNTRY_TW COUNTRY_TZ COUNTRY_UA COUNTRY_UG COUNTRY_UM COUNTRY_US COUNTRY_UY COUNTRY_UZ COUNTRY_VA COUNTRY_VC COUNTRY_VE COUNTRY_VG COUNTRY_VI COUNTRY_VN COUNTRY_VU COUNTRY_WF COUNTRY_WS COUNTRY_XK COUNTRY_XT COUNTRY_YE COUNTRY_YT COUNTRY_ZA COUNTRY_ZM COUNTRY_ZW
ja4_tls_fingerprint_matcher
object
exact_values
exact values

A list of exact JA4 TLS fingerprints to match the input JA4 TLS fingerprint against.

Array<string>
<= 16 items
tls_fingerprint_matcher
object
classes
classes

A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.

Array<string>
<= 16 items
Allowed values: TLS_FINGERPRINT_NONE ANY_MALICIOUS_FINGERPRINT ADWARE ADWIND DRIDEX GOOTKIT GOZI JBIFROST QUAKBOT RANSOMWARE TROLDESH TOFSEE TORRENTLOCKER TRICKBOT
exact_values
exact values

A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.

Array<string>
<= 16 items
excluded_values
excluded values

A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.

Array<string>
<= 32 items
expiration_timestamp
expiration timestamp

The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.

string format: date-time
<= 1024 characters
ip_prefix_list
object
invert_match
invert_matcher

Invert the match result.

boolean format: boolean
ip_prefixes
ip prefixes

List of IPv4 prefix strings.

Array<string>
<= 128 items
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
default_pool
object
advanced_options
object
auto_http_config
object
circuit_breaker
object
connection_limit
connection_limit

The maximum number of connections that the loadbalancer will establish to all hosts in an upstream cluster. In practice this is only applicable to TCP and HTTP/1.1 clusters since HTTP/2 uses a single connection to each host. An endpoint is removed from load balancing decisions if the number of connections reaches the connection limit.

integer format: int64
max_requests
max_requests

The maximum number of requests that can be outstanding to all hosts in a cluster at any given time. In practice this is applicable to HTTP/2 clusters since HTTP/1.1 clusters are governed by the maximum connections (connection_limit). An endpoint is removed from load balancing decisions if requests exceed this count.

integer format: int64
pending_requests
pending_requests

The maximum number of requests that will be queued while waiting for a ready connection pool connection. Since HTTP/2 requests are sent over a single connection, this circuit breaker only comes into play as the initial connection is created, as requests will be multiplexed immediately afterwards. For HTTP/1.1, requests are added to the list of pending requests whenever there aren’t enough upstream connections available to immediately dispatch the request, so this circuit breaker will remain in play for the lifetime of the process. An endpoint is removed from load balancing decisions if pending requests reach the pending_requests limit.

integer format: int64
priority
string
default: DEFAULT
Allowed values: DEFAULT HIGH
retries
retries

The maximum number of retries that can be outstanding to all hosts in a cluster at any given time. An endpoint is removed from load balancing decisions if retries for requests exceed this count.

integer format: int64
connection_timeout
connection_timeout

The timeout for new network connections to endpoints in the cluster. This is specified in milliseconds. The default value is 2 seconds.

integer format: int64
0
default_circuit_breaker
object
disable_circuit_breaker
object
disable_lb_source_ip_persistance
object
disable_outlier_detection
object
disable_proxy_protocol
object
disable_subsets
object
enable_lb_source_ip_persistance
object
enable_subsets
object
any_endpoint
object
default_subset
object
default_subset
default_subset

List of key-value pairs that define the default subset, which is used when the route specifies no metadata or no subset matching the metadata exists.

object
endpoint_subsets
Origin Server Subsets Classes

List of subset classes. A subset class is defined using a list of keys. Every unique combination of values of these keys forms a subset within the class.

Required: YES.

Array<object>
<= 32 items
EndpointSubsetSelectorType

Upstream cluster may be configured to divide its endpoints into subsets based on metadata attached to the endpoints. Routes may then specify the metadata that an endpoint must match in order to be selected by the load balancer. List of keys that define a cluster subset. Each endpoint that has a metadata value for all of the keys in the definition is added to that subset. If no endpoint has all the keys, no subsets result from the definition. A single endpoint may appear in multiple subsets if it matches multiple definitions.

object
keys
keys

List of keys that define a cluster subset class. Required: YES.

Array<string>
<= 16 items
fail_request
object
http1_config
object
header_transformation
object
default_header_transformation
object
legacy_header_transformation
object
preserve_case_header_transformation
object
proper_case_header_transformation
object
http2_options
object
enabled
enabled

Enable/disable HTTP2 Protocol for upstream connections.

boolean format: boolean
http_idle_timeout
http_idle_timeout

The idle timeout for upstream connection pool connections. The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. This is specified in milliseconds. The default value is 5 minutes.

integer format: int64
0
no_panic_threshold
object
outlier_detection
object
base_ejection_time
base_ejection_time

The base time that a host is ejected for. The real time is equal to the base time multiplied by the number of times the host has been ejected. This causes hosts to get ejected for longer periods if they continue to fail. Defaults to 30000ms or 30s. Specified in milliseconds.

integer format: int64
consecutive_5xx
consecutive_5xx

If an upstream endpoint returns some number of consecutive 5xx, it will be ejected. Note that in this case a 5xx means an actual 5xx response code, or an event that would cause the HTTP router to return one on the upstream’s behalf (reset, connection failure, etc.). consecutive_5xx indicates the number of consecutive 5xx responses required before a consecutive 5xx ejection occurs. Defaults to 5.

integer format: int64
consecutive_gateway_failure
consecutive_gateway_failure

If an upstream endpoint returns some number of consecutive “gateway errors” (502, 503 or 504 status code), it will be ejected. Note that this includes events that would cause the HTTP router to return one of these status codes on the upstream’s behalf (reset, connection failure, etc.). Consecutive_gateway_failure indicates the number of consecutive gateway failures before a consecutive gateway failure ejection occurs. Defaults to 5.

integer format: int64
interval
interval

The time interval between ejection analysis sweeps. This can result in both new ejections as well as endpoints being returned to service. Defaults to 10000ms or 10s. Specified in milliseconds.

integer format: int64
max_ejection_percent
max_ejection_percent

The maximum % of an upstream cluster that can be ejected due to outlier detection. Defaults to 10% but will eject at least one host regardless of the value.

integer format: int64
panic_threshold
Panic threshold

Exclusive with [no_panic_threshold]

Configure a threshold (percentage of unhealthy endpoints) below which all endpoints will be considered for load balancing, ignoring their health status.

integer format: int64
proxy_protocol_v1
object
proxy_protocol_v2
object
max_requests_per_connection
Maximum Requests Per Connection

Exclusive with [no_request_limit_per_connection] Sets the maximum number of requests allowed per connection to the origin server. Enter a value >=1 to define the request limit per connection.

integer format: int64
no_request_limit_per_connection
object
automatic_port
object
endpoint_selection
string
default: DISTRIBUTED
Allowed values: DISTRIBUTED LOCAL_ONLY LOCAL_PREFERRED
health_check_port
Health check port

Exclusive with [same_as_endpoint_port] Port used for performing health check.

integer format: int64
healthcheck
Health Check

Reference to healthcheck configuration objects.

Array<object>
default: <= 4 items
ObjectRefType

This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.

object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
lb_port
object
loadbalancer_algorithm
string
default: ROUND_ROBIN
Allowed values: ROUND_ROBIN LEAST_REQUEST RING_HASH RANDOM LB_OVERRIDE
no_tls
object
origin_servers
List of Origin Servers

List of origin servers in this pool

Required: YES.

Array<object>
>= 1 items <= 32 items
OriginServerType

Various options to specify origin server.

object
cbip_service
object
service_name
Service Name

Name of the discovered Classic BIG-IP virtual server to be used as origin. Required: YES.

string
<= 1024 characters
consul_service
object
inside_network
object
outside_network
object
service_name
Service Name

Consul service name of this origin server will be listed, including cluster-ID. The format is servicename:cluster-ID. Required: YES.

string
<= 1024 characters
site_locator
object
site
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
virtual_site
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
snat_pool
object
no_snat_pool
object
snat_pool
object
prefixes
ipv4 prefix list

List of IPv4 prefixes that represent an endpoint.

Array<string>
<= 128 items
custom_endpoint_object
object
endpoint
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
k8s_service
object
inside_network
object
outside_network
object
protocol
string
default: PROTOCOL_TCP
Allowed values: PROTOCOL_TCP PROTOCOL_UDP
service_name
Service Name

Exclusive with [] K8s service name of the origin server will be listed, including the namespace and cluster-ID. For vK8s services, you need to enter a string with the format servicename.namespace:cluster-ID. If the servicename is “frontend”, namespace is “speedtest” and cluster-ID is “prod”, then you will enter “frontend.speedtest:prod”. Both namespace and cluster-ID are optional.

string
<= 1024 characters
site_locator
object
site
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
virtual_site
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
snat_pool
object
no_snat_pool
object
snat_pool
object
prefixes
ipv4 prefix list

List of IPv4 prefixes that represent an endpoint.

Array<string>
<= 128 items
vk8s_networks
object
labels
Origin Server Labels

Add Labels for this origin server, these labels can be used to form subset.

object
private_ip
object
inside_network
object
ip
IP

Exclusive with [] Private IPv4 address.

string
<= 1024 characters
outside_network
object
segment
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
site_locator
object
site
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
virtual_site
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
snat_pool
object
no_snat_pool
object
snat_pool
object
prefixes
ipv4 prefix list

List of IPv4 prefixes that represent an endpoint.

Array<string>
<= 128 items
private_name
object
dns_name
DNS name

DNS Name Required: YES.

string
<= 1024 characters
inside_network
object
outside_network
object
refresh_interval
refresh_interval

Interval for DNS refresh in seconds. Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767.

integer format: int64
segment
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
site_locator
object
site
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
virtual_site
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
snat_pool
object
no_snat_pool
object
snat_pool
object
prefixes
ipv4 prefix list

List of IPv4 prefixes that represent an endpoint.

Array<string>
<= 128 items
public_ip
object
ip
IP

Exclusive with [] Public IPv4 address.

string
<= 1024 characters
public_name
object
dns_name
DNS name

DNS Name Required: YES.

string
>= 1 characters <= 256 characters
refresh_interval
refresh_interval

Interval for DNS refresh in seconds. Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767.

integer format: int64
vn_private_ip
object
ip
IPV4

Exclusive with [] IPv4 address.

string
<= 1024 characters
virtual_network
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
vn_private_name
object
dns_name
DNS name

DNS Name Required: YES.

string
<= 1024 characters
private_network
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
port
Port

Exclusive with [automatic_port lb_port] Endpoint service is available on this port.

integer format: int64
>= 1 <= 65535
same_as_endpoint_port
object
upstream_conn_pool_reuse_type
object
disable_conn_pool_reuse
object
enable_conn_pool_reuse
object
use_tls
object
default_session_key_caching
object
disable_session_key_caching
object
disable_sni
object
max_session_keys
Max Session Keys Cached

Exclusive with [default_session_key_caching disable_session_key_caching]

Number of session keys that are cached.

integer format: int64
no_mtls
object
skip_server_verification
object
sni
sni

Exclusive with [disable_sni use_host_header_as_sni] SNI value to be used.

string
<= 256 characters
tls_config
object
custom_security
object
cipher_suites
cipher_suites

The TLS listener will only support the specified cipher list. Required: YES.

Array<string>
max_version
string
default: TLS_AUTO
Allowed values: TLS_AUTO TLSv1_0 TLSv1_1 TLSv1_2 TLSv1_3
min_version
string
default: TLS_AUTO
Allowed values: TLS_AUTO TLSv1_0 TLSv1_1 TLSv1_2 TLSv1_3
default_security
object
low_security
object
medium_security
object
use_host_header_as_sni
object
use_mtls
object
tls_certificates
mTLS certificate

MTLS Client Certificate

Required: YES.

Array<object>
>= 1 items <= 1 items
TlsCertificateType

Handle to fetch certificate and key.

object
certificate_url
certificate_url

TLS certificate. Certificate or certificate chain in PEM format including the PEM headers. Required: YES.

string
>= 1 characters <= 131072 characters
custom_hash_algorithms
object
hash_algorithms
Hash Algorithms

Ordered list of hash algorithms to be used.

Required: YES.

Array<string>
>= 1 items <= 4 items
Allowed values: INVALID_HASH_ALGORITHM SHA256 SHA1
description
description

Description for the certificate.

string
>= 21 characters <= 1024 characters
disable_ocsp_stapling
object
private_key
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be in URL format for the string:/// scheme, or it can be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

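URL of the secret. The only URL scheme currently supported is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will GET the secret bytes after Base64 decoding. Base64 is an encoding, not encryption, so it does not protect a secret supplied this way. Required: YES.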

string format: uri
<= 131072 characters
use_system_defaults
object
use_mtls_obj
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
use_server_verification
object
trusted_ca
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
trusted_ca_url
trusted_ca_url

Exclusive with [trusted_ca] Upload a Root CA Certificate specifically for this Origin Pool for verification of server’s certificate.

string
>= 1 characters <= 131072 characters
volterra_trusted_ca
object
view_internal
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
default_pool_list
object
pools
Pools

List of Origin Pools.

Array<object>
<= 8 items
OriginPoolWithWeight

This defines a combination of origin pool with weight and priority.

object
cluster
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
endpoint_subsets
Origin Servers Subset

Upstream origin pool may be configured to divide its origin servers into subsets based on metadata attached to the origin servers. Routes may then specify the metadata that an endpoint must match in order to be selected by the load balancer.

For origin servers which are discovered in a K8s or Consul cluster, the label of the service is merged with the endpoint’s labels. In the case of Consul, the label is derived from the “Tag” field. For labels that are common between the configured endpoint and the discovered service, labels from the discovered service take precedence.

List of key-value pairs that will be used as matching metadata. Only those origin servers of upstream origin pool which match this metadata will be selected for load balancing.

object
pool
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
priority
Priority

Priority of this origin pool, valid only with multiple origin pools. A value of 0 makes the pool the lowest-priority origin pool. A priority of 1 means highest priority and is considered active. When the active origin pool is not available, lower-priority origin pools are made active as per the increasing priority.

integer format: int64
weight
Weight

Weight of this origin pool, valid only with multiple origin pool. Value of 0 will disable the pool.

integer format: int64
default_route_pools

Origin Pools used when no route is specified (default route)

Array<object>
<= 8 items
OriginPoolWithWeight

This defines a combination of origin pool with weight and priority.

object
cluster
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
endpoint_subsets
Origin Servers Subset

Upstream origin pool may be configured to divide its origin servers into subsets based on metadata attached to the origin servers. Routes may then specify the metadata that an endpoint must match in order to be selected by the load balancer.

For origin servers which are discovered in a K8s or Consul cluster, the label of the service is merged with the endpoint’s labels. In the case of Consul, the label is derived from the “Tag” field. For labels that are common between the configured endpoint and the discovered service, labels from the discovered service take precedence.

List of key-value pairs that will be used as matching metadata. Only those origin servers of upstream origin pool which match this metadata will be selected for load balancing.

object
pool
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
priority
Priority

Priority of this origin pool, valid only with multiple origin pools. A value of 0 makes the pool the lowest-priority origin pool. A priority of 1 means highest priority and is considered active. When the active origin pool is not available, lower-priority origin pools are made active as per the increasing priority.

integer format: int64
weight
Weight

Weight of this origin pool, valid only with multiple origin pool. Value of 0 will disable the pool.

integer format: int64
default_sensitive_data_policy
object
disable_api_definition
object
disable_api_discovery
object
disable_api_testing
object
disable_bot_defense
object
disable_caching
object
disable_client_side_defense
object
disable_ip_reputation
object
disable_malicious_user_detection
object
disable_malware_protection
object
disable_rate_limit
object
disable_threat_mesh
object
disable_trust_client_ip_headers
object
disable_waf
object
do_not_advertise
object
domains

A list of Domains (host/authority header) that will be matched to load balancer.

Supported Domains and search order:

  1. Exact Domain names: www.example.com.
  2. Domains starting with a Wildcard: *.example.com.

Not supported Domains:

  • Just a Wildcard: *
  • A Wildcard and TLD with no root Domain: *.com.
  • A Wildcard not matching a whole DNS label. E.g. *.example.com and *.bar.example.com are valid Wildcards; however, *bar.example.com, *-bar.example.com, and bar*.example.com are all invalid.

Additional notes: A Wildcard will not match empty string. E.g. *.example.com will match bar.example.com and baz-bar.example.com but not .example.com. The longest Wildcards match first. Only a single virtual host in the entire route configuration can match on *. Also a Domain must be unique across all virtual hosts within an advertise policy.

Domains are also used for SNI matching if the Loadbalancer type is HTTPS. Domains also indicate the list of names for which DNS resolution will be automatically resolved to IP addresses by the system. Required: YES.

Array<string>
>= 1 items <= 32 items
enable_api_discovery
object
api_crawler
object
api_crawler_config
object
domains
Configured API Domains

Enter domains and their credentials to allow authenticated API crawling. You can only include domains you own that are associated with this Load Balancer.

Required: YES.

Array<object>
<= 32 items
Configured API Domains

The DomainConfiguration message.

object
domain
Custom domain to crawl

Select the domain to execute API Crawling with given credentials.

Required: YES.

string format: hostname
>= 26 characters <= 256 characters
simple_login
object
password
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be in URL format for the string:/// scheme, or it can be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

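URL of the secret. The only URL scheme currently supported is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will GET the secret bytes after Base64 decoding. Base64 is an encoding, not encryption, so it does not protect a secret supplied this way. Required: YES.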

string format: uri
<= 131072 characters
user
The custom domain user authentication

Enter the username to assign credentials for the selected domain to crawl.

string
<= 64 characters
disable_api_crawler
object
api_discovery_from_code_scan
object
code_base_integrations
Code Base Integrations

Required: YES.

Array<object>
<= 5 items
Code Base Integration
object
all_repos
object
code_base_integration
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
selected_repos
object
api_code_repo
API Code Repository

Code repository which contain API endpoints

Required: YES.

Array<string>
custom_api_auth_discovery
object
api_discovery_ref
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
default_api_auth_discovery
object
disable_learn_from_redirect_traffic
object
discovered_api_settings
object
purge_duration_for_inactive_discovered_apis
purge_duration_for_inactive_discovered_apis

Inactive discovered API will be deleted after configured duration.

integer format: int64
enable_learn_from_redirect_traffic
object
enable_challenge
object
captcha_challenge_parameters
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a Base64-encoded plain text message, e.g. “Please Wait..”, or as an HTML paragraph or a body string encoded as a Base64 string, e.g. “<p> Please Wait </p>”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.

string
<= 65536 characters
default_captcha_challenge_parameters
object
default_js_challenge_parameters
object
default_mitigation_settings
object
js_challenge_parameters
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a Base64-encoded plain text message, e.g. “Please Wait..”, or as an HTML paragraph or a body string encoded as a Base64 string, e.g. “<p> Please Wait </p>”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.

string
<= 65536 characters
js_script_delay
js_script_delay

Delay introduced by Javascript, in milliseconds.

integer format: int64
malicious_user_mitigation
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
enable_ip_reputation
object
ip_threat_categories
IP Threat Categories

If the source IP matches at least one of the enabled IP threat categories, the request will be denied.

Required: YES.

Array<string>
<= 32 items
Allowed values: SPAM_SOURCES WINDOWS_EXPLOITS WEB_ATTACKS BOTNETS SCANNERS REPUTATION PHISHING PROXY MOBILE_THREATS TOR_PROXY DENIAL_OF_SERVICE NETWORK
enable_malicious_user_detection
object
enable_threat_mesh
object
enable_trust_client_ip_headers
object
client_ip_headers
Client IP Headers

Define the list of one or more Client IP Headers. Headers will be used in order from top to bottom, meaning if the first header is not present in the request, the system will proceed to check for the second header, and so on, until one of the listed headers is found. If none of the defined headers exist, or the value is not an IP address, then the system will use the source IP of the packet. If multiple defined headers with different names are present in the request, the value of the first header name in the configuration will be used. If multiple defined headers with the same name are present in the request, values of all those headers will be combined. The system will read the right-most IP address from the header if there are multiple IP addresses in the header value. For the X-Forwarded-For header, the system will read the IP address at position (rightmost - 1) as the client IP. Any client can set these headers, so list only headers that a trusted proxy in front of the load balancer sets or overwrites. Required: YES.

Array<string>
>= 1 items <= 5 items
graphql_rules

GraphQL is a query language and server-side runtime for APIs which provides a complete and understandable description of the data in API. GraphQL gives clients the power to ask for exactly what they need, makes it easier to evolve APIs over time, and enables powerful developer tools. Policy configuration to analyze GraphQL queries and prevent GraphQL tailored attacks.

Array<object>
<= 64 items
GraphQL Rule

This section defines various configuration OPTIONS for GraphQL inspection.

object
any_domain
object
exact_path
Path

Specifies the exact path to GraphQL endpoint. Default value is /graphql. Required: YES.

string
<= 256 characters
exact_value
exact value

Exclusive with [any_domain suffix_value] Exact domain name.

string
>= 1 characters <= 256 characters
graphql_settings
object
disable_introspection
object
enable_introspection
object
max_batched_queries
Max Batched Queries

Specify maximum number of queries in a single batched request. Required: YES.

integer format: int64
max_depth
Max Depth

Specify maximum depth for the GraphQL query. Required: YES.

integer format: int64
max_total_length
Max Total Length

Specify maximum length in bytes for the GraphQL query. Required: YES.

integer format: int64
max_value_length
Max Value Length

Specify maximum value length in bytes for the GraphQL query. Required: YES.

integer format: int64
policy_name
Set BD Policy name

Sets the BD Policy to use.

string
<= 1024 characters
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
method_get
object
method_post
object
suffix_value
suffix value

Exclusive with [any_domain exact_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”

string
>= 1 characters <= 256 characters
http
object
dns_volterra_managed
Manage DNS Domain

DNS records for domains will be managed automatically by F5 Distributed Cloud. As a prerequisite, the domain must be delegated to F5 Distributed Cloud using Delegated domain feature or a DNS CNAME record should be created in your DNS provider’s portal.

boolean format: boolean
port
HTTP port to listen

Exclusive with [port_ranges] HTTP port to Listen.

integer format: int64
>= 1 <= 65535
port_ranges
Port_ranges

Exclusive with [port] A string containing a comma-separated list of port ranges. Each port range consists of a single port or two ports separated by "-".

string
>= 1 characters <= 512 characters
https
object
add_hsts
Add HSTS

Add HTTP Strict-Transport-Security response header.

boolean format: boolean
append_server_name
append_server_name

Exclusive with [default_header pass_through server_name] Define the header value for the header name “server”. If header value is already present, it is not overwritten and passed as-is.

string
<= 8096 characters
coalescing_options
object
default_coalescing
object
strict_coalescing
object
connection_idle_timeout
Connection Idle Timeout

The idle timeout for downstream connections. The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. This is specified in milliseconds. The default value is 2 minutes.

integer format: int64
default_header
object
default_loadbalancer
object
disable_path_normalize
object
enable_path_normalize
object
http_protocol_options
object
http_protocol_enable_v1_only
object
header_transformation
object
default_header_transformation
object
legacy_header_transformation
object
preserve_case_header_transformation
object
proper_case_header_transformation
object
http_protocol_enable_v1_v2
object
http_protocol_enable_v2_only
object
http_redirect
HTTP Redirect

Redirect HTTP traffic to HTTPS.

boolean format: boolean
non_default_loadbalancer
object
pass_through
object
port
HTTPS port to listen

Exclusive with [port_ranges] HTTPS port to Listen.

integer format: int64
>= 1 <= 65535
port_ranges
Port_ranges

Exclusive with [port] A string containing a comma-separated list of port ranges. Each port range consists of a single port or two ports separated by "-".

string
>= 1 characters <= 512 characters
server_name
server_name

Exclusive with [append_server_name default_header pass_through] Define the header value for the header name “server”. This will overwrite existing values, if any, for the server header.

string
<= 8096 characters
tls_cert_params
object
certificates
certificates

Select one or more certificates with any domain names.

Required: YES.

Array<object>
<= 32 items
ObjectRefType

This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.

object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
no_mtls
object
tls_config
object
custom_security
object
cipher_suites
cipher_suites

The TLS listener will only support the specified cipher list. Required: YES.

Array<string>
max_version
string
default: TLS_AUTO
Allowed values: TLS_AUTO TLSv1_0 TLSv1_1 TLSv1_2 TLSv1_3
min_version
string
default: TLS_AUTO
Allowed values: TLS_AUTO TLSv1_0 TLSv1_1 TLSv1_2 TLSv1_3
default_security
object
low_security
object
medium_security
object
use_mtls
object
client_certificate_optional
client_certificate_optional

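Client certificate is optional. If the client has provided a certificate, the load balancer will verify it. If certificate verification fails, the connection will be terminated. If the client does not provide a certificate, the connection will be accepted. A connection accepted without a certificate carries no verified client identity, so services behind the load balancer should not assume that every request was authenticated by mTLS.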

boolean format: boolean
crl
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
no_crl
object
trusted_ca
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
trusted_ca_url
trusted_ca_url

Exclusive with [trusted_ca] Upload a Root CA Certificate specifically for this Load Balancer.

string
>= 1 characters <= 131072 characters
xfcc_disabled
object
xfcc_options
object
xfcc_header_elements
XFCC Header

X-Forwarded-Client-Cert header elements to be added to requests

Required: YES.

Array<string>
Allowed values: XFCC_NONE XFCC_CERT XFCC_CHAIN XFCC_SUBJECT XFCC_URI XFCC_DNS
tls_parameters
object
no_mtls
object
tls_certificates
tls_certificates

Users can add one or more certificates that share the same set of domains (for example, domain.com and *.domain.com) but use different signature algorithms.

Required: YES.

Array<object>
>= 1 items <= 16 items
TlsCertificateType

Handle to fetch certificate and key.

object
certificate_url
certificate_url

TLS certificate. Certificate or certificate chain in PEM format including the PEM headers. Required: YES.

string
>= 1 characters <= 131072 characters
custom_hash_algorithms
object
hash_algorithms
Hash Algorithms

Ordered list of hash algorithms to be used.

Required: YES.

Array<string>
>= 1 items <= 4 items
Allowed values: INVALID_HASH_ALGORITHM SHA256 SHA1
description
description

Description for the certificate.

string
>= 21 characters <= 1024 characters
disable_ocsp_stapling
object
private_key
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be a URL in the string:/// format, or it can be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store from which to get the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store from which to get the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

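URL of the secret. The only URL scheme currently supported is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Base64 is an encoding, not encryption: anyone who can read this field can recover the secret, so treat configuration that contains it as sensitive. Required: YES.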

string format: uri
<= 131072 characters
use_system_defaults
object
tls_config
object
custom_security
object
cipher_suites
cipher_suites

The TLS listener will only support the specified cipher list. Required: YES.

Array<string>
max_version
string
default: TLS_AUTO
Allowed values: TLS_AUTO TLSv1_0 TLSv1_1 TLSv1_2 TLSv1_3
min_version
string
default: TLS_AUTO
Allowed values: TLS_AUTO TLSv1_0 TLSv1_1 TLSv1_2 TLSv1_3
default_security
object
low_security
object
medium_security
object
use_mtls
object
client_certificate_optional
client_certificate_optional

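Client certificate is optional. If the client has provided a certificate, the load balancer will verify it. If certificate verification fails, the connection will be terminated. If the client does not provide a certificate, the connection will be accepted. A connection accepted without a certificate carries no verified client identity, so services behind the load balancer should not assume that every request was authenticated by mTLS.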

boolean format: boolean
crl
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
no_crl
object
trusted_ca
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
trusted_ca_url
trusted_ca_url

Exclusive with [trusted_ca] Upload a Root CA Certificate specifically for this Load Balancer.

string
>= 1 characters <= 131072 characters
xfcc_disabled
object
xfcc_options
object
xfcc_header_elements
XFCC Header

X-Forwarded-Client-Cert header elements to be added to requests

Required: YES.

Array<string>
Allowed values: XFCC_NONE XFCC_CERT XFCC_CHAIN XFCC_SUBJECT XFCC_URI XFCC_DNS
https_auto_cert
object
add_hsts
Add HSTS

Add HTTP Strict-Transport-Security response header.

boolean format: boolean
append_server_name
append_server_name

Exclusive with [default_header pass_through server_name] Define the header value for the header name “server”. If header value is already present, it is not overwritten and passed as-is.

string
<= 8096 characters
coalescing_options
object
default_coalescing
object
strict_coalescing
object
connection_idle_timeout
Connection Idle Timeout

The idle timeout for downstream connections. The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. This is specified in milliseconds. The default value is 2 minutes.

integer format: int64
0
default_header
object
default_loadbalancer
object
disable_path_normalize
object
enable_path_normalize
object
http_protocol_options
object
http_protocol_enable_v1_only
object
header_transformation
object
default_header_transformation
object
legacy_header_transformation
object
preserve_case_header_transformation
object
proper_case_header_transformation
object
http_protocol_enable_v1_v2
object
http_protocol_enable_v2_only
object
http_redirect
HTTP Redirect

Redirect HTTP traffic to HTTPS.

boolean format: boolean
no_mtls
object
non_default_loadbalancer
object
pass_through
object
port
HTTPS port to listen

Exclusive with [port_ranges] HTTPS port to Listen.

integer format: int64
>= 1 <= 65535
port_ranges
Port_ranges

Exclusive with [port] A string containing a comma-separated list of port ranges. Each port range consists of a single port or two ports separated by "-".

string
>= 1 characters <= 512 characters
server_name
server_name

Exclusive with [append_server_name default_header pass_through] Define the header value for the header name “server”. This will overwrite existing values, if any, for the server header.

string
<= 8096 characters
tls_config
object
custom_security
object
cipher_suites
cipher_suites

The TLS listener will only support the specified cipher list. Required: YES.

Array<string>
max_version
string
default: TLS_AUTO
Allowed values: TLS_AUTO TLSv1_0 TLSv1_1 TLSv1_2 TLSv1_3
min_version
string
default: TLS_AUTO
Allowed values: TLS_AUTO TLSv1_0 TLSv1_1 TLSv1_2 TLSv1_3
default_security
object
low_security
object
medium_security
object
use_mtls
object
client_certificate_optional
client_certificate_optional

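Client certificate is optional. If the client has provided a certificate, the load balancer will verify it. If certificate verification fails, the connection will be terminated. If the client does not provide a certificate, the connection will be accepted. A connection accepted without a certificate carries no verified client identity, so services behind the load balancer should not assume that every request was authenticated by mTLS.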

boolean format: boolean
crl
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
no_crl
object
trusted_ca
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
trusted_ca_url
trusted_ca_url

Exclusive with [trusted_ca] Upload a Root CA Certificate specifically for this Load Balancer.

string
>= 1 characters <= 131072 characters
xfcc_disabled
object
xfcc_options
object
xfcc_header_elements
XFCC Header

X-Forwarded-Client-Cert header elements to be added to requests

Required: YES.

Array<string>
Allowed values: XFCC_NONE XFCC_CERT XFCC_CHAIN XFCC_SUBJECT XFCC_URI XFCC_DNS
js_challenge
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a base64-encoded plain-text message, e.g. “Please Wait..”, or as an HTML paragraph or body string encoded as base64, e.g. “&lt;p&gt; Please Wait &lt;/p&gt;”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.

string
<= 65536 characters
js_script_delay
js_script_delay

Delay introduced by Javascript, in milliseconds.

integer format: int64
jwt_validation
object
action
object
block
object
report
object
jwks_config
object
cleartext
cleartext

The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details.

string
<= 1024 characters
mandatory_claims
object
claim_names
Claim names

Human-readable name for the resource

Array<string>
<= 16 items
reserved_claims
object
audience
object
audiences
audiences

Required: YES.

Array<string>
>= 1 items <= 16 items
audience_disable
object
issuer
issuer

Exclusive with [issuer_disable]

string
<= 1024 characters
issuer_disable
object
validate_period_disable
object
validate_period_enable
object
target
object
all_endpoint
object
api_groups
object
api_groups
api group

Required: YES.

Array<string>
<= 32 items
base_paths
object
base_paths
base_paths

Required: YES.

Array<string>
<= 16 items
token_location
object
bearer_token
object
authorization_server
object
authorization_servers
authorization_server_name

Authorization Servers are configured separately in the ‘Shared Objects’ section of the Web App & API Protection workspace and used to fetch JWKS for JWT validation.

Required: YES.

Array<object>
ObjectRefType

This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.

object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
l7_ddos_action_block
object
l7_ddos_action_default
object
l7_ddos_action_js_challenge
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a base64-encoded plain-text message, e.g. “Please Wait..”, or as an HTML paragraph or body string encoded as base64, e.g. “&lt;p&gt; Please Wait &lt;/p&gt;”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.

string
<= 65536 characters
js_script_delay
js_script_delay

Delay introduced by Javascript, in milliseconds.

integer format: int64
l7_ddos_protection
object
clientside_action_captcha_challenge
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a base64-encoded plain-text message, e.g. “Please Wait..”, or as an HTML paragraph or body string encoded as base64, e.g. “&lt;p&gt; Please Wait &lt;/p&gt;”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.

string
<= 65536 characters
clientside_action_js_challenge
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a base64-encoded plain-text message, e.g. “Please Wait..”, or as an HTML paragraph or body string encoded as base64, e.g. “&lt;p&gt; Please Wait &lt;/p&gt;”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.

string
<= 65536 characters
js_script_delay
js_script_delay

Delay introduced by Javascript, in milliseconds.

integer format: int64
clientside_action_none
object
ddos_policy_custom
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
ddos_policy_none
object
default_rps_threshold
object
mitigation_block
object
mitigation_captcha_challenge
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a base64-encoded plain-text message, e.g. “Please Wait..”, or as an HTML paragraph or body string encoded as base64, e.g. “&lt;p&gt; Please Wait &lt;/p&gt;”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.

string
<= 65536 characters
mitigation_js_challenge
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as a base64-encoded plain-text message, e.g. “Please Wait..”, or as an HTML paragraph or body string encoded as base64, e.g. “&lt;p&gt; Please Wait &lt;/p&gt;”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.

string
<= 65536 characters
js_script_delay
js_script_delay

Delay introduced by Javascript, in milliseconds.

integer format: int64
rps_threshold
Custom RPS Threshold

Exclusive with [default_rps_threshold] Configure custom RPS threshold.

integer format: int64
least_active
object
malware_protection_settings
object
malware_protection_rules
rules

Configure the match criteria to trigger Malware Protection Scan

Required: YES.

Array<object>
>= 1 items <= 32 items
MalwareProtectionRule

Configure the match criteria to trigger Malware Protection Scan.

object
action
object
block
object
report
object
domain
object
any_domain
object
domain
object
exact_value
exact value

Exclusive with [regex_value suffix_value] Exact domain name.

string
>= 1 characters <= 256 characters
regex_value
regex values of Domains

Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.

string
>= 1 characters <= 256 characters
suffix_value
suffix value

Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”

string
>= 1 characters <= 256 characters
http_methods
HTTP Methods

Methods to be matched.

Array<string>
Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
path
object
path
exact

Exclusive with [prefix regex] Exact path value to match.

string
<= 256 characters
prefix
prefix

Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)

string
<= 256 characters
regex
regex

Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)

string
>= 1 characters <= 256 characters
more_option
object
buffer_policy
object
disabled
disable

Disable buffering for a particular route. This is useful when virtual-host has buffering, but we need to disable it on a specific route. The value of this field is ignored for virtual-host.

boolean format: boolean
max_request_bytes
max_request_bytes

The maximum request size that the filter will buffer before the connection manager will stop buffering and return a RequestEntityTooLarge (413) response.

integer format: int64
compression_params
object
content_length
content_length

Minimum response length, in bytes, which will trigger compression. The default value is 30.

integer format: int64
content_type
content_type

Set of strings that specifies which mime-types yield compression. When this field is not defined, compression will be applied to the following mime-types: “application/javascript”, “application/json”, “application/xhtml+xml”, “image/svg+xml”, “text/css”, “text/html”, “text/plain”, “text/xml”.

Array<string>
<= 50 items
disable_on_etag_header
disable_on_etag_header

If true, disables compression when the response contains an etag header. When it is false, weak etags will be preserved and the ones that require strong validation will be removed.

boolean format: boolean
remove_accept_encoding_header
remove_accept_encoding_header

If true, removes accept-encoding from the request headers before dispatching it to the upstream so that responses do not get compressed before reaching the filter.

boolean format: boolean
custom_errors
Custom Errors

Map of integer error codes as keys and string values that can be used to provide custom HTTP pages for each error code. The key of the map can be either a response code class or an HTTP error code. Response code classes for the key are configured as follows: 3 for the 3xx response code class, 4 for the 4xx response code class, 5 for the 5xx response code class. The value of the map is a string which represents the custom HTTP response. A specific response code takes preference when both the response code and the response code class match for a request.

object
disable_default_error_pages
Disable the use of default F5XC error pages

Disable the use of default F5XC error pages.

boolean format: boolean
disable_path_normalize
object
enable_path_normalize
object
idle_timeout
Idle timeout

The amount of time that a stream can exist without upstream or downstream activity, in milliseconds. The stream is terminated with a HTTP 504 (Gateway Timeout) error code if no upstream response header has been received, otherwise the stream is reset.

integer format: int64
max_request_header_size
Maximum request header size

The maximum request header size for downstream connections, in KiB. A HTTP 431 (Request Header Fields Too Large) error code is sent for requests that exceed this size.

If multiple load balancers share the same advertise_policy, the highest value configured across all such load balancers is used for all the load balancers in question.

integer format: int64
request_cookies_to_add
Cookies to add in request

Cookies are key-value pairs to be added to HTTP request being routed towards upstream. Cookies specified at this level are applied after cookies from matched Route are applied.

Array<object>
<= 32 items
CookieValueOption

Cookie name and value for cookie header.

object
name
name

Name of the cookie in Cookie header. Required: YES.

string
>= 6 characters <= 256 characters
overwrite
overwrite

Should the value be overwritten? If true, the value is overwritten to existing values. Default value is do not overwrite.

boolean format: boolean
secret_value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be a URL in the string:/// format, or it can be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store from which to get the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store from which to get the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

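URL of the secret. The only URL scheme currently supported is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Base64 is an encoding, not encryption: anyone who can read this field can recover the secret, so treat configuration that contains it as sensitive. Required: YES.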

string format: uri
<= 131072 characters
value
value

Exclusive with [secret_value] Value of the Cookie header.

string
>= 3 characters <= 8096 characters
request_cookies_to_remove
Cookies to be removed from request

List of keys of Cookies to be removed from the HTTP request being sent towards upstream.

Array<string>
<= 32 items
request_headers_to_add
Headers to add in request

Headers are key-value pairs to be added to HTTP request being routed towards upstream. Headers specified at this level are applied after headers from matched Route are applied.

Array<object>
<= 32 items
HeaderManipulationOptionType

An HTTP header is a key-value pair. The name acts as the key of the HTTP header, and the value acts as the data/value of the HTTP header. Example HTTP header: Host: user.F5 Distributed cloud.com. In this example, Host is the name or key of the HTTP header, and user.F5 Distributed cloud.com is the value of the HTTP header.

object
append
append

Should the value be appended? If true, the value is appended to existing values. Default value is do not append.

boolean format: boolean
name
name

Name of the HTTP header. Required: YES.

string
>= 6 characters <= 256 characters
secret_value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be a URL in the string:/// format, or it can be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store from which to get the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store from which to get the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

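URL of the secret. The only URL scheme currently supported is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will get the secret bytes after Base64 decoding. Base64 is an encoding, not encryption: anyone who can read this field can recover the secret, so treat configuration that contains it as sensitive. Required: YES.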

string format: uri
<= 131072 characters
value
value

Exclusive with [secret_value] Value of the HTTP header.

string
>= 3 characters <= 8096 characters
request_headers_to_remove
Header to be removed from request

List of keys of Headers to be removed from the HTTP request being sent towards upstream.

Array<string>
<= 32 items
response_cookies_to_add
Cookies to add in set-cookie header in response

Cookies are name-value pairs along with optional attribute parameters to be added to HTTP response being sent towards downstream. Cookies specified at this level are applied after cookies from matched Route are applied.

Array<object>
<= 32 items
SetCookieValueOption

Cookie name and its attribute values in set-cookie header.

object
add_domain
add_domain

Exclusive with [ignore_domain] Add domain attribute.

string
>= 1 characters <= 256 characters
add_expiry
add_expiry

Exclusive with [ignore_expiry] Add expiry attribute.

string
<= 256 characters
add_httponly
object
add_partitioned
object
add_path
add_path

Exclusive with [ignore_path] Add path attribute.

string
<= 256 characters
add_secure
object
ignore_domain
object
ignore_expiry
object
ignore_httponly
object
ignore_max_age
object
ignore_partitioned
object
ignore_path
object
ignore_samesite
object
ignore_secure
object
ignore_value
object
max_age_value
add_max_age

Exclusive with [ignore_max_age] Add max age attribute.

integer format: int32
name
name

Name of the cookie in Cookie header. Required: YES.

string
>= 6 characters <= 256 characters
overwrite
overwrite

Should the value be overwritten? If true, the existing value is overwritten. The default is not to overwrite.

boolean format: boolean
samesite_lax
object
samesite_none
object
samesite_strict
object
secret_value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be in URL format for string:///, or it can be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store from which to get the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store from which to get the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. The only URL scheme currently supported is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format; when asked for this secret, the caller gets the secret bytes after Base64 decoding. Base64 is an encoding, not encryption, so the secret is not protected by this encoding. Required: YES.

string format: uri
<= 131072 characters
value
value

Exclusive with [ignore_value secret_value] Value of the Cookie header.

string
>= 3 characters <= 8096 characters
response_cookies_to_remove
Cookies to be removed from response

List of names of cookies to be removed from the HTTP response being sent towards downstream. The entire set-cookie header will be removed.

Array<string>
<= 32 items
response_headers_to_add
Headers to add in response

Headers are key-value pairs to be added to HTTP response being sent towards downstream. Headers specified at this level are applied after headers from matched Route are applied.

Array<object>
<= 32 items
HeaderManipulationOptionType

An HTTP header is a key-value pair. The name acts as the key of the HTTP header, and the value acts as its data/value. Example HTTP header: Host: user.F5 Distributed cloud.com. In this example, Host is the name or key of the HTTP header, and user.F5 Distributed cloud.com is the value of the HTTP header.

object
append
append

Should the value be appended? If true, the value is appended to existing values. Default value is do not append.

boolean format: boolean
name
name

Name of the HTTP header. Required: YES.

string
>= 6 characters <= 256 characters
secret_value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be in URL format for string:///, or it can be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store from which to get the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store from which to get the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. The only URL scheme currently supported is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format; when asked for this secret, the caller gets the secret bytes after Base64 decoding. Base64 is an encoding, not encryption, so the secret is not protected by this encoding. Required: YES.

string format: uri
<= 131072 characters
value
value

Exclusive with [secret_value] Value of the HTTP header.

string
>= 3 characters <= 8096 characters
response_headers_to_remove
Header to be removed from response

List of keys of Headers to be removed from the HTTP response being sent towards downstream.

Array<string>
<= 32 items
max_requests_per_connection
Maximum Requests Per Connection

Exclusive with [no_request_limit_per_connection] Sets the maximum number of requests a downstream client can send over a single connection to Envoy. Enter a value >=1 to define the request limit per connection.

integer format: int64
no_request_limit_per_connection
object
multi_lb_app
object
no_challenge
object
no_service_policies
object
origin_server_subset_rule_list
object
origin_server_subset_rules
Origin Server Subset

Origin Server Subset Rules allow users to define match conditions on Client (IP address, ASN, Country), IP Reputation, Regional Edge names, and Request for subset selection of origin servers. Origin Server Subset is a sequential engine where rules are evaluated one after the other. It is important to define the correct order for Origin Server Subset to get the intended result: rules are evaluated from top to bottom in the list. When an Origin Server Subset rule is matched, that selection rule takes effect and no more rules are evaluated.

Array<object>
<= 64 items
OriginServerSubsetRule

An Origin Server Subset rule specifies a simple set of match conditions to be matched to select a list of origin server key/value pairs.

object
any_asn
object
any_ip
object
asn_list
object
as_numbers
as numbers

An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.

Array<integer>
>= 1 items <= 16 items
asn_matcher
object
asn_sets
asn_sets

A list of references to bgp_asn_set objects.

Required: YES.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
client_selector
object
expressions
expressions

Expressions contains the Kubernetes style label expression for selections. Required: YES.

Array<string>
<= 1 items
country_codes
country codes

List of Country Codes.

Array<string>
<= 64 items
Allowed values: COUNTRY_NONE COUNTRY_AD COUNTRY_AE COUNTRY_AF COUNTRY_AG COUNTRY_AI COUNTRY_AL COUNTRY_AM COUNTRY_AN COUNTRY_AO COUNTRY_AQ COUNTRY_AR COUNTRY_AS COUNTRY_AT COUNTRY_AU COUNTRY_AW COUNTRY_AX COUNTRY_AZ COUNTRY_BA COUNTRY_BB COUNTRY_BD COUNTRY_BE COUNTRY_BF COUNTRY_BG COUNTRY_BH COUNTRY_BI COUNTRY_BJ COUNTRY_BL COUNTRY_BM COUNTRY_BN COUNTRY_BO COUNTRY_BQ COUNTRY_BR COUNTRY_BS COUNTRY_BT COUNTRY_BV COUNTRY_BW COUNTRY_BY COUNTRY_BZ COUNTRY_CA COUNTRY_CC COUNTRY_CD COUNTRY_CF COUNTRY_CG COUNTRY_CH COUNTRY_CI COUNTRY_CK COUNTRY_CL COUNTRY_CM COUNTRY_CN COUNTRY_CO COUNTRY_CR COUNTRY_CS COUNTRY_CU COUNTRY_CV COUNTRY_CW COUNTRY_CX COUNTRY_CY COUNTRY_CZ COUNTRY_DE COUNTRY_DJ COUNTRY_DK COUNTRY_DM COUNTRY_DO COUNTRY_DZ COUNTRY_EC COUNTRY_EE COUNTRY_EG COUNTRY_EH COUNTRY_ER COUNTRY_ES COUNTRY_ET COUNTRY_FI COUNTRY_FJ COUNTRY_FK COUNTRY_FM COUNTRY_FO COUNTRY_FR COUNTRY_GA COUNTRY_GB COUNTRY_GD COUNTRY_GE COUNTRY_GF COUNTRY_GG COUNTRY_GH COUNTRY_GI COUNTRY_GL COUNTRY_GM COUNTRY_GN COUNTRY_GP COUNTRY_GQ COUNTRY_GR COUNTRY_GS COUNTRY_GT COUNTRY_GU COUNTRY_GW COUNTRY_GY COUNTRY_HK COUNTRY_HM COUNTRY_HN COUNTRY_HR COUNTRY_HT COUNTRY_HU COUNTRY_ID COUNTRY_IE COUNTRY_IL COUNTRY_IM COUNTRY_IN COUNTRY_IO COUNTRY_IQ COUNTRY_IR COUNTRY_IS COUNTRY_IT COUNTRY_JE COUNTRY_JM COUNTRY_JO COUNTRY_JP COUNTRY_KE COUNTRY_KG COUNTRY_KH COUNTRY_KI COUNTRY_KM COUNTRY_KN COUNTRY_KP COUNTRY_KR COUNTRY_KW COUNTRY_KY COUNTRY_KZ COUNTRY_LA COUNTRY_LB COUNTRY_LC COUNTRY_LI COUNTRY_LK COUNTRY_LR COUNTRY_LS COUNTRY_LT COUNTRY_LU COUNTRY_LV COUNTRY_LY COUNTRY_MA COUNTRY_MC COUNTRY_MD COUNTRY_ME COUNTRY_MF COUNTRY_MG COUNTRY_MH COUNTRY_MK COUNTRY_ML COUNTRY_MM COUNTRY_MN COUNTRY_MO COUNTRY_MP COUNTRY_MQ COUNTRY_MR COUNTRY_MS COUNTRY_MT COUNTRY_MU COUNTRY_MV COUNTRY_MW COUNTRY_MX COUNTRY_MY COUNTRY_MZ COUNTRY_NA COUNTRY_NC COUNTRY_NE COUNTRY_NF COUNTRY_NG COUNTRY_NI COUNTRY_NL COUNTRY_NO COUNTRY_NP COUNTRY_NR COUNTRY_NU COUNTRY_NZ COUNTRY_OM COUNTRY_PA COUNTRY_PE COUNTRY_PF COUNTRY_PG COUNTRY_PH 
COUNTRY_PK COUNTRY_PL COUNTRY_PM COUNTRY_PN COUNTRY_PR COUNTRY_PS COUNTRY_PT COUNTRY_PW COUNTRY_PY COUNTRY_QA COUNTRY_RE COUNTRY_RO COUNTRY_RS COUNTRY_RU COUNTRY_RW COUNTRY_SA COUNTRY_SB COUNTRY_SC COUNTRY_SD COUNTRY_SE COUNTRY_SG COUNTRY_SH COUNTRY_SI COUNTRY_SJ COUNTRY_SK COUNTRY_SL COUNTRY_SM COUNTRY_SN COUNTRY_SO COUNTRY_SR COUNTRY_SS COUNTRY_ST COUNTRY_SV COUNTRY_SX COUNTRY_SY COUNTRY_SZ COUNTRY_TC COUNTRY_TD COUNTRY_TF COUNTRY_TG COUNTRY_TH COUNTRY_TJ COUNTRY_TK COUNTRY_TL COUNTRY_TM COUNTRY_TN COUNTRY_TO COUNTRY_TR COUNTRY_TT COUNTRY_TV COUNTRY_TW COUNTRY_TZ COUNTRY_UA COUNTRY_UG COUNTRY_UM COUNTRY_US COUNTRY_UY COUNTRY_UZ COUNTRY_VA COUNTRY_VC COUNTRY_VE COUNTRY_VG COUNTRY_VI COUNTRY_VN COUNTRY_VU COUNTRY_WF COUNTRY_WS COUNTRY_XK COUNTRY_XT COUNTRY_YE COUNTRY_YT COUNTRY_ZA COUNTRY_ZM COUNTRY_ZW
ip_matcher
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
prefix_sets
prefix_sets

A list of references to ip_prefix_set objects.

Required: YES.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
ip_prefix_list
object
invert_match
invert_matcher

Invert the match result.

boolean format: boolean
ip_prefixes
ip prefixes

List of IPv4 prefix strings.

Array<string>
<= 128 items
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
none
object
origin_server_subsets_action
Origin Server Labels Action

Add labels to select one or more origin servers. Note: The pre-requisite settings to be configured in the origin pool are:

  1. Add labels to origin servers
  2. Enable subset load balancing in the Origin Server Subsets section and configure keys in origin server subsets classes.

Required: YES.
object
re_name_list
RE Name list

List of RE names for match.

Array<string>
<= 32 items
policy_based_challenge
object
always_enable_captcha_challenge
object
always_enable_js_challenge
object
captcha_challenge_parameters
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as Base64-encoded plain text, e.g. “Please Wait..”, or as an HTML paragraph or body string encoded as Base64, e.g. “<p> Please Wait </p>”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.

string
<= 65536 characters
default_captcha_challenge_parameters
object
default_js_challenge_parameters
object
default_mitigation_settings
object
default_temporary_blocking_parameters
object
js_challenge_parameters
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as Base64-encoded plain text, e.g. “Please Wait..”, or as an HTML paragraph or body string encoded as Base64, e.g. “<p> Please Wait </p>”. The Base64-encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.

string
<= 65536 characters
js_script_delay
js_script_delay

Delay introduced by Javascript, in milliseconds.

integer format: int64
malicious_user_mitigation
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
no_challenge
object
rule_list
object
rules
Rules

Rules that specify the match conditions and challenge type to be launched. When a challenge type is selected to be always enabled, these rules can be used to disable challenge or launch a different challenge for requests that match the specified conditions.

Array<object>
<= 64 items
Challenge Rule

Challenge rule.

object
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
spec
object
any_asn
object
any_client
object
any_ip
object
arg_matchers

A list of predicates for all POST args that need to be matched. The criteria for matching each arg are described in individual instances of ArgMatcherType. The actual arg values are extracted from the request API as a list of strings for each arg selector name. Note that all specified arg matcher predicates must evaluate to true.

Array<object>
<= 16 items
ArgMatcherType

An argument matcher specifies the name of a single argument in the body and the criteria to match it. An argument matcher can check for one of the following:

  • Presence or absence of the argument
  • At least one of the values for the argument in the request satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert Match of the expression defined.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-sensitive JSON path in the HTTP request body. Required: YES.

string
>= 6 characters <= 256 characters
asn_list
object
as_numbers
as numbers

An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.

Array<integer>
>= 1 items <= 16 items
asn_matcher
object
asn_sets
asn_sets

A list of references to bgp_asn_set objects.

Required: YES.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
body_matcher
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
client_selector
object
expressions
expressions

Expressions contains the Kubernetes style label expression for selections. Required: YES.

Array<string>
<= 1 items
cookie_matchers

A list of predicates for all cookies that need to be matched. The criteria for matching each cookie is described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.

Array<object>
<= 16 items
CookieMatcherType

A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:

  • Presence or absence of the cookie
  • At least one of the values for the cookie in the request satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert Match of the expression defined.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-sensitive cookie name. Required: YES.

string
>= 6 characters <= 256 characters
disable_challenge
object
domain_matcher
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
enable_captcha_challenge
object
enable_javascript_challenge
object
expiration_timestamp

The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.

string format: date-time
<= 1024 characters
headers

A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.

Array<object>
<= 16 items
HeaderMatcherType

A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:

  • Presence or absence of the header in the input
  • At least one of the values for the header in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-insensitive HTTP header name. Required: YES.

string
>= 6 characters <= 256 characters
http_method
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
methods
methods

List of method values to match against.

Array<string>
<= 16 items
Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY
ip_matcher
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
prefix_sets
prefix_sets

A list of references to ip_prefix_set objects.

Required: YES.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
ip_prefix_list
object
invert_match
invert_matcher

Invert the match result.

boolean format: boolean
ip_prefixes
ip prefixes

List of IPv4 prefix strings.

Array<string>
<= 128 items
path
object
exact_values
exact values

A list of exact path values to match the input HTTP path against.

Array<string>
<= 16 items
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
prefix_values
prefix values

A list of path prefix values to match the input HTTP path against.

Array<string>
<= 16 items
regex_values
regex values

A list of regular expressions to match the input HTTP path against.

Array<string>
<= 16 items
suffix_values
Suffix values

A list of path suffix values to match the input HTTP path against.

Array<string>
<= 64 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
query_params

A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.

Array<object>
<= 16 items
QueryParameterMatcherType

A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:

  • Presence or absence of the query parameter in the input
  • At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
key
key

A case-sensitive HTTP query parameter name. Required: YES.

string
>= 7 characters <= 256 characters
tls_fingerprint_matcher
object
classes
classes

A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.

Array<string>
<= 16 items
Allowed values: TLS_FINGERPRINT_NONE ANY_MALICIOUS_FINGERPRINT ADWARE ADWIND DRIDEX GOOTKIT GOZI JBIFROST QUAKBOT RANSOMWARE TROLDESH TOFSEE TORRENTLOCKER TRICKBOT
exact_values
exact values

A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.

Array<string>
<= 16 items
excluded_values
excluded values

A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.

Array<string>
<= 32 items
temporary_user_blocking
object
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be encoded in Base64 format. You can specify this message as Base64-encoded plain text, e.g. “Blocked..”, or as an HTML paragraph or body string encoded as Base64, e.g. “<p> Blocked </p>”. The Base64-encoded string given for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”; note that this value decodes to “<p> Please Wait </p>”, not to the Blocked example.

string
<= 65536 characters
protected_cookies

Allows setting attributes (SameSite, Secure, and HttpOnly) on cookies in responses. Cookie Tampering Protection prevents attackers from modifying the value of session cookies. For Cookie Tampering Protection, enabling a web app firewall (WAF) is a prerequisite. The configured mode of WAF (monitoring or blocking) will be enforced on the request when cookie tampering is identified. Note: We recommend enabling Secure and HttpOnly attributes along with cookie tampering protection.

Array<object>
<= 16 items
CookieManipulationOptionType

Set Cookie protection attributes.

object
add_httponly
object
add_secure
object
disable_tampering_protection
object
enable_tampering_protection
object
ignore_httponly
object
ignore_max_age
object
ignore_samesite
object
ignore_secure
object
max_age_value
add_max_age

Exclusive with [ignore_max_age] Add max age attribute.

integer format: int32
name
name

Name of the cookie. Required: YES.

string
>= 6 characters <= 256 characters
samesite_lax
object
samesite_none
object
samesite_strict
object
random
object
rate_limit
object
custom_ip_allowed_list
object
rate_limiter_allowed_prefixes
rate_limiter_allowed_prefixes

References to ip_prefix_set objects. Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting.

Required: YES.

Array<object>
>= 1 items <= 4 items
ObjectRefType

This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.

object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
ip_allowed_list
object
prefixes
ipv4 prefix list

List of IPv4 prefixes that represent an endpoint.

Array<string>
<= 128 items
no_ip_allowed_list
object
no_policies
object
policies
object
policies
Rate Limiter Policies

Ordered list of rate limiter policies.

Required: YES.

Array<object>
<= 16 items
ObjectRefType

This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.

object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
rate_limiter
object
action_block
object
hours
object
duration
Duration

Configuration parameter for duration

integer format: int64
minutes
object
duration
Duration

Configuration parameter for duration

integer format: int64
seconds
object
duration
Duration

Configuration parameter for duration

integer format: int64
burst_multiplier
burst_multiplier

The maximum burst of requests to accommodate, expressed as a multiple of the rate.

integer format: int64
disabled
object
leaky_bucket
object
period_multiplier
period_multiplier

This setting, combined with Per Period units, provides a duration.

integer format: int64
0
token_bucket
object
total_number
total_number

The total number of allowed requests per rate-limiting period. Required: YES.

integer format: int64
unit
string
default: SECOND
Allowed values: SECOND MINUTE HOUR DAY
ring_hash
object
hash_policy
hash_policy

Specifies a list of hash policies to use for ring hash load balancing. Each hash policy is evaluated individually and the combined result is used to route the request

Required: YES.

Array<object>
<= 8 items
HashPolicyType

HashPolicyType specifies the field of the incoming request that will be used for generating hash key. When multiple hash policies are configured, this can also specify if the current hash policy is terminal policy or not.

object
cookie
object
add_httponly
object
add_secure
object
ignore_httponly
object
ignore_samesite
object
ignore_secure
object
name
name

The name of the cookie that will be used to obtain the hash key. If the cookie is not present and TTL below is not set, no hash will be produced Required: YES.

string
>= 1 characters <= 256 characters
path
path

The name of the path for the cookie. If no path is specified here, no path will be set for the cookie.

string
<= 1024 characters
samesite_lax
object
samesite_none
object
samesite_strict
object
ttl
ttl

If specified, a cookie with the TTL will be generated if the cookie is not present. If the TTL is present and zero, the generated cookie will be a session cookie. TTL value is in milliseconds.

integer format: int64
header_name
Header

Exclusive with [cookie source_ip] The name or key of the request header that will be used to obtain the hash key.

string
>= 1 characters <= 256 characters
source_ip
Source IP

Exclusive with [cookie header_name] Hash based on source IP address.

boolean format: boolean
terminal
terminal

Specifies whether this is a terminal policy.

boolean format: boolean
round_robin
object
routes

Routes allow users to define match condition on a path and/or HTTP method to either forward matching traffic to origin pool or redirect matching traffic to a different URL or respond directly to matching traffic.

Array<object>
<= 256 items
RouteType

This defines various OPTIONS to define a route.

object
custom_route_object
object
route_ref
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
caching_disable
object
caching_inherit
object
direct_response_route
object
headers
headers

List of (key, value) headers.

Array<object>
<= 16 items
HeaderMatcherType

Header match is done using the name of the header and its value. The value match is done using one of the following: regex match on value, exact match of value, or presence of header.

Header match can also be the inverse of the above, which can be used to check for a missing header or a non-matching value.

object
exact
exact

Exclusive with [presence regex] Header value to match exactly.

string
<= 256 characters
invert_match
invert_match

Invert the result of the match to detect missing header or non-matching value.

boolean format: boolean
name
name

Name of the header Required: YES.

string
>= 1 characters <= 256 characters
presence
presence

Exclusive with [exact regex] If true, check for presence of header.

boolean format: boolean
regex
regex

Exclusive with [exact presence] Regex match of the header value in re2 format.

string
<= 256 characters
http_method
string
default: ANY
Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY
incoming_port
object
no_port_match
object
port
port

Exclusive with [no_port_match port_ranges] Exact Port to match.

integer format: int64
>= 1 <= 65535
port_ranges
port_range

Exclusive with [no_port_match port] Port range to match.

string
>= 1 characters <= 32 characters
path
object
path
exact

Exclusive with [prefix regex] Exact path value to match.

string
<= 256 characters
prefix
prefix

Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)

string
<= 256 characters
regex
regex

Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)

string
>= 1 characters <= 256 characters
route_direct_response
object
response_body_encoded
response_body

Response body to send. The only URL scheme currently supported is string:///, for which the message must be encoded in Base64 format. The message can be either plain text or HTML, e.g. `<p> Access Denied </p>`. The Base64 encoded string URL for this example is string:///PHA+IEFjY2VzcyBEZW5pZWQgPC9wPg==.

string
<= 65536 characters
response_code
response_code

Response code to send.

integer format: int64
redirect_route
object
headers
headers

List of (key, value) headers.

Array<object>
<= 16 items
HeaderMatcherType

Header match is done using the name of the header and its value. The value match is done using one of the following: regex match on value, exact match of value, or presence of header.

Header match can also be the inverse of the above, which can be used to check for a missing header or a non-matching value.

object
exact
exact

Exclusive with [presence regex] Header value to match exactly.

string
<= 256 characters
invert_match
invert_match

Invert the result of the match to detect missing header or non-matching value.

boolean format: boolean
name
name

Name of the header Required: YES.

string
>= 1 characters <= 256 characters
presence
presence

Exclusive with [exact regex] If true, check for presence of header.

boolean format: boolean
regex
regex

Exclusive with [exact presence] Regex match of the header value in re2 format.

string
<= 256 characters
http_method
string
default: ANY
Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY
incoming_port
object
no_port_match
object
port
port

Exclusive with [no_port_match port_ranges] Exact Port to match.

integer format: int64
>= 1 <= 65535
port_ranges
port_range

Exclusive with [no_port_match port] Port range to match.

string
>= 1 characters <= 32 characters
path
object
path
exact

Exclusive with [prefix regex] Exact path value to match.

string
<= 256 characters
prefix
prefix

Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)

string
<= 256 characters
regex
regex

Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)

string
>= 1 characters <= 256 characters
route_redirect
object
host_redirect
host_redirect

Swap host part of incoming URL in redirect URL.

string
<= 1024 characters
path_redirect
path_redirect

Exclusive with [prefix_rewrite] swap path part of incoming URL in redirect URL.

string
<= 256 characters
prefix_rewrite
prefix_rewrite

Exclusive with [path_redirect] In Redirect response, the matched prefix (or path) should be swapped with this value. This option allows redirect URLs be dynamically created based on the request.

string
<= 256 characters
proto_redirect
proto_redirect

Swap the protocol part of the incoming URL in the redirect URL. The protocol can be swapped with either HTTP or HTTPS. When the incoming-proto option is specified, swapping of protocol is not done.

string
<= 1024 characters
remove_all_params
object
replace_params
Replace All Params

Exclusive with [remove_all_params retain_all_params]

string
>= 1 characters <= 256 characters
response_code
response_code

The HTTP status code to use in the redirect response.

integer format: int64
retain_all_params
object
simple_route
object
advanced_options
object
app_firewall
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
bot_defense_javascript_injection
object
javascript_location
string
default: AFTER_HEAD
Allowed values: AFTER_HEAD AFTER_TITLE_END BEFORE_SCRIPT
javascript_tags
javascript_tags

Select Add item to configure your javascript tag. If adding both Bot Adv and Fraud, the Bot Javascript should be added first.

Required: YES.

Array<object>
>= 1 items <= 5 items
JavaScriptTag

JavaScript URL and attributes.

object
javascript_url
JavaScriptURL

Please enter the full URL (include domain and path), or relative path. Required: YES.

string
>= 1 characters <= 2048 characters
tag_attributes
TagAttributes

Add the tag attributes you want to include in your Javascript tag.

Array<object>
<= 9 items
TagAttribute

Attribute for JavaScript tag.

object
javascript_tag
string
default: JS_ATTR_ID
Allowed values: JS_ATTR_ID JS_ATTR_CID JS_ATTR_CN JS_ATTR_API_DOMAIN JS_ATTR_API_URL JS_ATTR_API_PATH JS_ATTR_ASYNC JS_ATTR_DEFER
tag_value
TagValue

Add the tag attribute value.

string
<= 1024 characters
buffer_policy
object
disabled
disable

Disable buffering for a particular route. This is useful when virtual-host has buffering, but we need to disable it on a specific route. The value of this field is ignored for virtual-host.

boolean format: boolean
max_request_bytes
max_request_bytes

The maximum request size that the filter will buffer before the connection manager will stop buffering and return a RequestEntityTooLarge (413) response.

integer format: int64
common_buffering
object
common_hash_policy
object
cors_policy
object
allow_credentials
allow_credentials

Specifies whether the resource allows credentials.

boolean format: boolean
allow_headers
allow_headers

Specifies the content for the access-control-allow-headers header.

string
<= 1024 characters
allow_methods
allow_methods

Specifies the content for the access-control-allow-methods header.

string
<= 1024 characters
allow_origin
allow_origin

Specifies the origins that will be allowed to do CORS requests. An origin is allowed if either allow_origin or allow_origin_regex match.

Array<string>
<= 128 items
allow_origin_regex
allow_origin_regex

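Specifies regex patterns that match allowed origins. An origin is allowed if either allow_origin or allow_origin_regex match. Keep each pattern as narrow as the application allows: any origin that matches is permitted to make CORS requests, which matters most when allow_credentials is true.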

Array<string>
<= 16 items
disabled
disabled

Disable the CorsPolicy for a particular route. This is useful when virtual-host has CorsPolicy, but we need to disable it on a specific route. The value of this field is ignored for virtual-host.

boolean format: boolean
expose_headers
expose_headers

Specifies the content for the access-control-expose-headers header.

string
<= 1024 characters
maximum_age
maximum_age

Specifies the content for the access-control-max-age header in seconds. This indicates the maximum number of seconds the results can be cached. A value of -1 will disable caching. Maximum permitted value is 86400 seconds (24 hours).

integer format: int32
csrf_policy
object
all_load_balancer_domains
object
custom_domain_list
object
domains
Domains

A list of domain names that will be matched to loadbalancer. These domains are not used for SNI match. Wildcard names are supported in the suffix or prefix form. Required: YES.

Array<string>
>= 1 items <= 32 items
disabled
object
default_retry_policy
object
disable_location_add
disable_location_add

Disables append of x-F5 Distributed Cloud-location = at route level, if it is configured at virtual-host level. This configuration is ignored on CE sites.

boolean format: boolean
disable_mirroring
object
disable_prefix_rewrite
object
disable_spdy
object
disable_waf
object
disable_web_socket_config
object
do_not_retract_cluster
object
enable_spdy
object
endpoint_subsets
Origin Servers Subset

Upstream origin pool may be configured to divide its origin servers into subsets based on metadata attached to the origin servers. Routes may then specify the metadata that an endpoint must match in order to be selected by the load balancer.

For origin servers which are discovered in a K8s or Consul cluster, the label of the service is merged with the endpoint’s labels. In case of Consul, the label is derived from the “Tag” field. For labels that are common between the configured endpoint and the discovered service, labels from the discovered service take precedence.

List of key-value pairs that will be used as matching metadata. Only those origin servers of upstream origin pool which match this metadata will be selected for load balancing.

object
inherited_bot_defense_javascript_injection
object
inherited_waf
object
inherited_waf_exclusion
object
mirror_policy
object
origin_pool
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
percent
object
denominator
string
default: HUNDRED
Allowed values: HUNDRED TEN_THOUSAND MILLION
numerator
numerator

Sampled parts per denominator. If denominator was 10000, then value of 5 will be 5 in 10000 Required: YES.

integer format: int64
no_retry_policy
object
prefix_rewrite
prefix_rewrite

Exclusive with [disable_prefix_rewrite regex_rewrite] prefix_rewrite indicates that during forwarding, the matched prefix (or path) should be swapped with its value. When using regex path matching, the entire path (not including the query string) will be swapped with this value.

string
<= 256 characters
priority
string
default: DEFAULT
Allowed values: DEFAULT HIGH
regex_rewrite
object
pattern
Pattern

The regular expression used to find portions of a string that should be replaced.

string
>= 1 characters <= 256 characters
substitution
Substitution

The string that should be substituted into matching portions of the subject string during a substitution operation to produce a new string.

string
<= 256 characters
request_cookies_to_add
Cookies to add in request

Cookies are key-value pairs to be added to HTTP request being routed towards upstream. Cookies specified at this level are applied after cookies from matched Route are applied.

Array<object>
<= 32 items
CookieValueOption

Cookie name and value for cookie header.

object
name
name

Name of the cookie in Cookie header. Required: YES.

string
>= 6 characters <= 256 characters
overwrite
overwrite

Should the value be overwritten? If true, the value is overwritten to existing values. Default value is do not overwrite.

boolean format: boolean
secret_value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

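URL of the secret. The only URL scheme currently supported is string:///. For the string:/// scheme, the secret must be encoded in Base64 format; when asked for this secret, the caller will get the secret bytes after Base64 decoding. Base64 is an encoding, not encryption, so a secret supplied this way can be read by anyone who can read this configuration. Required: YES.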

string format: uri
<= 131072 characters
value
value

Exclusive with [secret_value] Value of the Cookie header.

string
>= 3 characters <= 8096 characters
request_cookies_to_remove
Cookies to be removed from request

List of keys of Cookies to be removed from the HTTP request being sent towards upstream.

Array<string>
<= 32 items
request_headers_to_add
Headers to add in request

Headers are key-value pairs to be added to HTTP request being routed towards upstream.

Array<object>
<= 32 items
HeaderManipulationOptionType

An HTTP header is a key-value pair. The name acts as the key of the HTTP header, and the value acts as its data/value. Example HTTP header: Host: user.F5 Distributed cloud.com. In this example, Host is the name or key of the HTTP header, and user.F5 Distributed cloud.com is its value.

object
append
append

Should the value be appended? If true, the value is appended to existing values. Default value is do not append.

boolean format: boolean
name
name

Name of the HTTP header. Required: YES.

string
>= 6 characters <= 256 characters
secret_value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

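URL of the secret. The only URL scheme currently supported is string:///. For the string:/// scheme, the secret must be encoded in Base64 format; when asked for this secret, the caller will get the secret bytes after Base64 decoding. Base64 is an encoding, not encryption, so a secret supplied this way can be read by anyone who can read this configuration. Required: YES.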

string format: uri
<= 131072 characters
value
value

Exclusive with [secret_value] Value of the HTTP header.

string
>= 3 characters <= 8096 characters
request_headers_to_remove
Header to be removed from request

List of keys of Headers to be removed from the HTTP request being sent towards upstream.

Array<string>
<= 32 items
response_cookies_to_add
Cookies to add in set-cookie header in response

Cookies are name-value pairs along with optional attribute parameters to be added to HTTP response being sent towards downstream. Cookies specified at this level are applied after cookies from matched Route are applied.

Array<object>
<= 32 items
SetCookieValueOption

Cookie name and its attribute values in set-cookie header.

object
add_domain
add_domain

Exclusive with [ignore_domain] Add domain attribute.

string
>= 1 characters <= 256 characters
add_expiry
add_expiry

Exclusive with [ignore_expiry] Add expiry attribute.

string
<= 256 characters
add_httponly
object
add_partitioned
object
add_path
add_path

Exclusive with [ignore_path] Add path attribute.

string
<= 256 characters
add_secure
object
ignore_domain
object
ignore_expiry
object
ignore_httponly
object
ignore_max_age
object
ignore_partitioned
object
ignore_path
object
ignore_samesite
object
ignore_secure
object
ignore_value
object
max_age_value
add_max_age

Exclusive with [ignore_max_age] Add max age attribute.

integer format: int32
name
name

Name of the cookie in Cookie header. Required: YES.

string
>= 6 characters <= 256 characters
overwrite
overwrite

Should the value be overwritten? If true, the value is overwritten to existing values. Default value is do not overwrite.

boolean format: boolean
samesite_lax
object
samesite_none
object
samesite_strict
object
secret_value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

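URL of the secret. The only URL scheme currently supported is string:///. For the string:/// scheme, the secret must be encoded in Base64 format; when asked for this secret, the caller will get the secret bytes after Base64 decoding. Base64 is an encoding, not encryption, so a secret supplied this way can be read by anyone who can read this configuration. Required: YES.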

string format: uri
<= 131072 characters
value
value

Exclusive with [ignore_value secret_value] Value of the Cookie header.

string
>= 3 characters <= 8096 characters
response_cookies_to_remove
Cookies to be removed from response

List of name of Cookies to be removed from the HTTP response being sent towards downstream. Entire set-cookie header will be removed.

Array<string>
<= 32 items
response_headers_to_add
Headers to add in response

Headers are key-value pairs to be added to HTTP response being sent towards downstream.

Array<object>
<= 32 items
HeaderManipulationOptionType

An HTTP header is a key-value pair. The name acts as the key of the HTTP header, and the value acts as its data/value. Example HTTP header: Host: user.F5 Distributed cloud.com. In this example, Host is the name or key of the HTTP header, and user.F5 Distributed cloud.com is its value.

object
append
append

Should the value be appended? If true, the value is appended to existing values. Default value is do not append.

boolean format: boolean
name
name

Name of the HTTP header. Required: YES.

string
>= 6 characters <= 256 characters
secret_value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

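URL of the secret. The only URL scheme currently supported is string:///. For the string:/// scheme, the secret must be encoded in Base64 format; when asked for this secret, the caller will get the secret bytes after Base64 decoding. Base64 is an encoding, not encryption, so a secret supplied this way can be read by anyone who can read this configuration. Required: YES.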

string format: uri
<= 131072 characters
value
value

Exclusive with [secret_value] Value of the HTTP header.

string
>= 3 characters <= 8096 characters
response_headers_to_remove
Header to be removed from response

List of keys of Headers to be removed from the HTTP response being sent towards downstream.

Array<string>
<= 32 items
retract_cluster
object
retry_policy
object
back_off
object
base_interval
base_interval

Specifies the base interval between retries in milliseconds.

integer format: int64
max_interval
max_interval

Specifies the maximum interval between retries in milliseconds. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval.

integer format: int64
num_retries
num_retries

Specifies the allowed number of retries. Defaults to 1. Retries can be done any number of times. An exponential back-off algorithm is used between each retry.

integer format: int64
per_try_timeout
per_try_timeout

Specifies a non-zero timeout per retry attempt. In milliseconds.

integer format: int64
retriable_status_codes
Retriable status Code

HTTP status codes that should trigger a retry in addition to those specified by retry_on.

Array<integer>
<= 16 items
retry_condition
retry_condition

Specifies the conditions under which retry takes place. Retries can be on different types of condition depending on application requirements. For example, network failure, all 5xx response codes, idempotent 4xx response codes, etc

The possible values are

“5xx” : Retry will be done if the upstream server responds with any 5xx response code, or does not respond at all (disconnect/reset/read timeout).

“gateway-error” : Retry will be done only if the upstream server responds with 502, 503 or 504 responses (Included in 5xx)

“connect-failure” : Retry will be done if the request fails because of a connection failure to the upstream server (connect timeout, etc.). (Included in 5xx)

“refused-stream” : Retry is done if the upstream server resets the stream with a REFUSED_STREAM error code (Included in 5xx)

“retriable-4xx” : Retry is done if the upstream server responds with a retriable 4xx response code. The only response code in this category is HTTP CONFLICT (409)

“retriable-status-codes” : Retry is done if the upstream server responds with any response code matching one defined in retriable_status_codes field

“reset” : Retry is done if the upstream server does not respond at all (disconnect/reset/read timeout.) Required: YES.

Array<string>
>= 1 items <= 7 items
specific_hash_policy
object
hash_policy
hash_policy

Specifies a list of hash policies to use for ring hash load balancing. Each hash policy is evaluated individually and the combined result is used to route the request

Required: YES.

Array<object>
<= 8 items
HashPolicyType

HashPolicyType specifies the field of the incoming request that will be used for generating hash key. When multiple hash policies are configured, this can also specify if the current hash policy is terminal policy or not.

object
cookie
object
add_httponly
object
add_secure
object
ignore_httponly
object
ignore_samesite
object
ignore_secure
object
name
name

The name of the cookie that will be used to obtain the hash key. If the cookie is not present and TTL below is not set, no hash will be produced Required: YES.

string
>= 1 characters <= 256 characters
path
path

The name of the path for the cookie. If no path is specified here, no path will be set for the cookie.

string
<= 1024 characters
samesite_lax
object
samesite_none
object
samesite_strict
object
ttl
ttl

If specified, a cookie with the TTL will be generated if the cookie is not present. If the TTL is present and zero, the generated cookie will be a session cookie. TTL value is in milliseconds.

integer format: int64
header_name
Header

Exclusive with [cookie source_ip] The name or key of the request header that will be used to obtain the hash key.

string
>= 1 characters <= 256 characters
source_ip
Source IP

Exclusive with [cookie header_name] Hash based on source IP address.

boolean format: boolean
terminal
terminal

Specifies whether this is a terminal policy.

boolean format: boolean
timeout
timeout

The timeout for the route including all retries, in milliseconds. Should be set to a high value or 0 (infinite timeout) for server-side streaming.

integer format: int64
waf_exclusion_policy
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
web_socket_config
object
use_websocket
use_websocket

Specifies that the HTTP client connection to this route is allowed to upgrade to a WebSocket connection.

boolean format: boolean
auto_host_rewrite
object
disable_host_rewrite
object
headers
headers

List of (key, value) headers.

Array<object>
<= 16 items
HeaderMatcherType

Header match is done using the name of the header and its value. The value match is done using one of the following: regex match on the value, exact match of the value, or presence of the header.

Header match can also be the inverse of the above, which can be used to check for a missing header or a non-matching value.

object
exact
exact

Exclusive with [presence regex] Header value to match exactly.

string
<= 256 characters
invert_match
invert_match

Invert the result of the match to detect missing header or non-matching value.

boolean format: boolean
name
name

Name of the header Required: YES.

string
>= 1 characters <= 256 characters
presence
presence

Exclusive with [exact regex] If true, check for presence of header.

boolean format: boolean
regex
regex

Exclusive with [exact presence] Regex match of the header value in re2 format.

string
<= 256 characters
host_rewrite
HostRewrite

Exclusive with [auto_host_rewrite disable_host_rewrite] Host header will be swapped with this value.

string
<= 1024 characters
http_method
string
default: ANY
Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY
incoming_port
object
no_port_match
object
port
port

Exclusive with [no_port_match port_ranges] Exact Port to match.

integer format: int64
>= 1 <= 65535
port_ranges
port_range

Exclusive with [no_port_match port] Port range to match.

string
>= 1 characters <= 32 characters
origin_pools
Origin Pools

Origin Pools for this route

Required: YES.

Array<object>
>= 1 items <= 16 items
OriginPoolWithWeight

This defines a combination of origin pool with weight and priority.

object
cluster
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
endpoint_subsets
Origin Servers Subset

Upstream origin pool may be configured to divide its origin servers into subsets based on metadata attached to the origin servers. Routes may then specify the metadata that an endpoint must match in order to be selected by the load balancer.

For origin servers which are discovered in K8s or Consul cluster, the label of the service is merged with endpoint’s labels. In case of Consul, the label is derived from the “Tag” field. For labels that are common between configured endpoint and discovered service, labels from discovered service takes precedence.

List of key-value pairs that will be used as matching metadata. Only those origin servers of upstream origin pool which match this metadata will be selected for load balancing.

object
pool
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
priority
Priority

Priority of this origin pool, valid only with multiple origin pools. A value of 0 makes the pool the lowest-priority origin pool. A priority of 1 means highest priority and is considered active. When the active origin pool is not available, lower-priority origin pools are made active as per the increasing priority.

integer format: int64
weight
Weight

Weight of this origin pool, valid only with multiple origin pool. Value of 0 will disable the pool.

integer format: int64
path
object
path
exact

Exclusive with [prefix regex] Exact path value to match.

string
<= 256 characters
prefix
prefix

Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)

string
<= 256 characters
regex
regex

Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)

string
>= 1 characters <= 256 characters
query_params
object
remove_all_params
object
replace_params
Replace All Params

Exclusive with [remove_all_params retain_all_params]

string
>= 1 characters <= 256 characters
retain_all_params
object
caching_disable
object
caching_inherit
object
route_state_disabled
object
route_state_enabled
object
sensitive_data_disclosure_rules
object
sensitive_data_types_in_response
Sensitive Data Exposure Rules

Sensitive Data Exposure Rules allows specifying rules to mask sensitive data fields in API responses.

Array<object>
<= 100 items
Sensitive Data Types

Settings to mask sensitive data in request/response payload.

object
api_endpoint
object
methods
Methods

Methods to be matched.

Array<string>
<= 16 items
Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY
path
Path

Path to be matched Required: YES.

string
<= 1024 characters
body
object
fields
Field Values

List of JSON Path field values. Use square brackets with an underscore [_] to indicate array elements (e.g., person.emails[_]). To reference JSON keys that contain spaces, enclose the entire path in double quotes. For example: “person.first name”. Required: YES.

Array<string>
>= 1 items <= 16 items
mask
object
report
object
sensitive_data_policy
object
sensitive_data_policy_ref
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
service_policies_from_namespace
object
single_lb_app
object
disable_discovery
object
disable_malicious_user_detection
object
enable_discovery
object
api_crawler
object
api_crawler_config
object
domains
Configured API Domains

Enter domains and their credentials to allow authenticated API crawling. You can only include domains you own that are associated with this Load Balancer.

Required: YES.

Array<object>
<= 32 items
Configured API Domains

The DomainConfiguration message.

object
domain
Custom domain to crawl

Select the domain to execute API Crawling with given credentials.

Required: YES.

string format: hostname
>= 26 characters <= 256 characters
simple_login
object
password
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It could be in URL format for string:///, or it could be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret needs to be encoded in Base64 format. When asked for this secret, the caller will GET the secret bytes after Base64 decoding. Base64 is an encoding, not encryption, so it does not by itself protect the secret. Required: YES.

string format: uri
<= 131072 characters
user
The custom domain user authentication

Enter the username to assign credentials for the selected domain to crawl.

string
<= 64 characters
disable_api_crawler
object
api_discovery_from_code_scan
object
code_base_integrations
Code Base Integrations

Required: YES.

Array<object>
<= 5 items
Code Base Integration
object
all_repos
object
code_base_integration
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
selected_repos
object
api_code_repo
API Code Repository

Code repository which contain API endpoints

Required: YES.

Array<string>
custom_api_auth_discovery
object
api_discovery_ref
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
default_api_auth_discovery
object
disable_learn_from_redirect_traffic
object
discovered_api_settings
object
purge_duration_for_inactive_discovered_apis
purge_duration_for_inactive_discovered_apis

Inactive discovered API will be deleted after configured duration.

integer format: int64
enable_learn_from_redirect_traffic
object
enable_malicious_user_detection
object
slow_ddos_mitigation
object
disable_request_timeout
object
request_headers_timeout
Request Headers Timeout

The amount of time the client has to send only the headers on the request stream before the stream is cancelled. The default value is 10000 milliseconds. This setting provides protection against Slowloris attacks.

integer format: int64
request_timeout
Custom Timeout

Exclusive with [disable_request_timeout]

integer format: int64
source_ip_stickiness
object
system_default_timeouts
object
trusted_clients

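Define rules to skip processing of one or more features, such as WAF, Bot Defense, etc., for clients. A client that matches a rule bypasses every protection listed in that rule's actions, so keep the match criteria as narrow as possible; an http_header match is satisfied by any client that sends the matching header.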

Array<object>
<= 256 items
SimpleClientSrcRule

Simple client source rule specifies the sources to be blocked or trusted (skip WAF)

object
actions
actions

Actions that should be taken when client identifier matches the rule.

Array<string>
<= 10 items
Allowed values: SKIP_PROCESSING_WAF SKIP_PROCESSING_BOT SKIP_PROCESSING_MUM SKIP_PROCESSING_IP_REPUTATION SKIP_PROCESSING_API_PROTECTION SKIP_PROCESSING_OAS_VALIDATION SKIP_PROCESSING_DDOS_PROTECTION SKIP_PROCESSING_THREAT_MESH SKIP_PROCESSING_MALWARE_PROTECTION
as_number
as number

Exclusive with [http_header ip_prefix ipv6_prefix user_identifier] RFC 6793 defined 4-byte AS number.

integer format: int64
bot_skip_processing
object
expiration_timestamp
expiration timestamp

The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.

string format: date-time
<= 1024 characters
http_header
object
headers
headers

List of HTTP header name and value pairs

Required: YES.

Array<object>
<= 16 items
HeaderMatcherType

Header match is done using the name of the header and its value. The value match is done using one of the following: regex match on the value, exact match of the value, or presence of the header.

Header match can also be the inverse of the above, which can be used to check for a missing header or a non-matching value.

object
exact
exact

Exclusive with [presence regex] Header value to match exactly.

string
<= 256 characters
invert_match
invert_match

Invert the result of the match to detect missing header or non-matching value.

boolean format: boolean
name
name

Name of the header Required: YES.

string
>= 1 characters <= 256 characters
presence
presence

Exclusive with [exact regex] If true, check for presence of header.

boolean format: boolean
regex
regex

Exclusive with [exact presence] Regex match of the header value in re2 format.

string
<= 256 characters
ip_prefix
ip prefix

Exclusive with [as_number http_header ipv6_prefix user_identifier] IPv4 prefix string.

string
<= 1024 characters
ipv6_prefix
ipv6 prefix

Exclusive with [as_number http_header ip_prefix user_identifier] IPv6 prefix string.

string
<= 1024 characters
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
skip_processing
object
user_identifier
user identifier

Exclusive with [as_number http_header ip_prefix ipv6_prefix] Identify user based on user identifier. User identifier value needs to be copied from security event.

string
<= 256 characters
waf_skip_processing
object
user_id_client_ip
object
user_identification
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters
waf_exclusion
object
waf_exclusion_inline_rules
object
rules
List of WAF Exclusion Rules

An ordered list of WAF Exclusions specific to this Load Balancer.

Array<object>
<= 256 items
SimpleWafExclusionRule

Simple WAF exclusion rule specifies a simple set of match conditions to be matched to skip a list of WAF detections.

object
any_domain
object
any_path
object
app_firewall_detection_control
object
exclude_attack_type_contexts
Exclude Attack Types Contexts

Attack Types to be excluded for the defined match criteria.

Array<object>
<= 64 items
App Firewall Attack Type Context

App Firewall Attack Type context changes to be applied for this request.

object
context
string
default: CONTEXT_ANY
Allowed values: CONTEXT_ANY CONTEXT_BODY CONTEXT_REQUEST CONTEXT_RESPONSE CONTEXT_PARAMETER CONTEXT_HEADER CONTEXT_COOKIE CONTEXT_URL CONTEXT_URI
context_name
Context Name

Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. Wildcard matching can be used by prefixing or suffixing the context name with a wildcard asterisk (*).

string
<= 128 characters
exclude_attack_type
string
default: ATTACK_TYPE_NONE
Allowed values: ATTACK_TYPE_NONE ATTACK_TYPE_NON_BROWSER_CLIENT ATTACK_TYPE_OTHER_APPLICATION_ATTACKS ATTACK_TYPE_TROJAN_BACKDOOR_SPYWARE ATTACK_TYPE_DETECTION_EVASION ATTACK_TYPE_VULNERABILITY_SCAN ATTACK_TYPE_ABUSE_OF_FUNCTIONALITY ATTACK_TYPE_AUTHENTICATION_AUTHORIZATION_ATTACKS ATTACK_TYPE_BUFFER_OVERFLOW ATTACK_TYPE_PREDICTABLE_RESOURCE_LOCATION ATTACK_TYPE_INFORMATION_LEAKAGE ATTACK_TYPE_DIRECTORY_INDEXING ATTACK_TYPE_PATH_TRAVERSAL ATTACK_TYPE_XPATH_INJECTION ATTACK_TYPE_LDAP_INJECTION ATTACK_TYPE_SERVER_SIDE_CODE_INJECTION ATTACK_TYPE_COMMAND_EXECUTION ATTACK_TYPE_SQL_INJECTION ATTACK_TYPE_CROSS_SITE_SCRIPTING ATTACK_TYPE_DENIAL_OF_SERVICE ATTACK_TYPE_HTTP_PARSER_ATTACK ATTACK_TYPE_SESSION_HIJACKING ATTACK_TYPE_HTTP_RESPONSE_SPLITTING ATTACK_TYPE_FORCEFUL_BROWSING ATTACK_TYPE_REMOTE_FILE_INCLUDE ATTACK_TYPE_MALICIOUS_FILE_UPLOAD ATTACK_TYPE_GRAPHQL_PARSER_ATTACK
exclude_bot_name_contexts
Exclude Bot Names Contexts

Bot Names to be excluded for the defined match criteria.

Array<object>
<= 64 items
Bot Name Context

Specifies bot to be excluded by its name.

object
bot_name
BotName

Required: YES.

string
<= 1024 characters
exclude_signature_contexts
Exclude Signature Contexts

Signature IDs to be excluded for the defined match criteria.

Array<object>
<= 1024 items
App Firewall Signature Context

App Firewall signature context changes to be applied for this request.

object
context
string
default: CONTEXT_ANY
Allowed values: CONTEXT_ANY CONTEXT_BODY CONTEXT_REQUEST CONTEXT_RESPONSE CONTEXT_PARAMETER CONTEXT_HEADER CONTEXT_COOKIE CONTEXT_URL CONTEXT_URI
context_name
Context Name

Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. Wildcard matching can be used by prefixing or suffixing the context name with a wildcard asterisk (*).

string
<= 128 characters
signature_id
SignatureID

The allowed values for signature ID are 0 and in the range of 200000001-299999999. 0 implies that all signatures will be excluded for the specified context. Required: YES.

integer format: int64
exclude_violation_contexts
Exclude Violation Contexts

Violations to be excluded for the defined match criteria.

Array<object>
<= 64 items
App Firewall Violation Context

App Firewall violation context changes to be applied for this request.

object
context
string
default: CONTEXT_ANY
Allowed values: CONTEXT_ANY CONTEXT_BODY CONTEXT_REQUEST CONTEXT_RESPONSE CONTEXT_PARAMETER CONTEXT_HEADER CONTEXT_COOKIE CONTEXT_URL CONTEXT_URI
context_name
Context Name

Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. Wildcard matching can be used by prefixing or suffixing the context name with a wildcard asterisk (*).

string
<= 128 characters
exclude_violation
string
default: VIOL_NONE
Allowed values: VIOL_NONE VIOL_FILETYPE VIOL_METHOD VIOL_MANDATORY_HEADER VIOL_HTTP_RESPONSE_STATUS VIOL_REQUEST_MAX_LENGTH VIOL_FILE_UPLOAD VIOL_FILE_UPLOAD_IN_BODY VIOL_XML_MALFORMED VIOL_JSON_MALFORMED VIOL_ASM_COOKIE_MODIFIED VIOL_HTTP_PROTOCOL_MULTIPLE_HOST_HEADERS VIOL_HTTP_PROTOCOL_BAD_HOST_HEADER_VALUE VIOL_HTTP_PROTOCOL_UNPARSABLE_REQUEST_CONTENT VIOL_HTTP_PROTOCOL_NULL_IN_REQUEST VIOL_HTTP_PROTOCOL_BAD_HTTP_VERSION VIOL_HTTP_PROTOCOL_CRLF_CHARACTERS_BEFORE_REQUEST_START VIOL_HTTP_PROTOCOL_NO_HOST_HEADER_IN_HTTP_1_1_REQUEST VIOL_HTTP_PROTOCOL_BAD_MULTIPART_PARAMETERS_PARSING VIOL_HTTP_PROTOCOL_SEVERAL_CONTENT_LENGTH_HEADERS VIOL_HTTP_PROTOCOL_CONTENT_LENGTH_SHOULD_BE_A_POSITIVE_NUMBER VIOL_EVASION_DIRECTORY_TRAVERSALS VIOL_MALFORMED_REQUEST VIOL_EVASION_MULTIPLE_DECODING VIOL_DATA_GUARD VIOL_EVASION_APACHE_WHITESPACE VIOL_COOKIE_MODIFIED VIOL_EVASION_IIS_UNICODE_CODEPOINTS VIOL_EVASION_IIS_BACKSLASHES VIOL_EVASION_PERCENT_U_DECODING VIOL_EVASION_BARE_BYTE_DECODING VIOL_EVASION_BAD_UNESCAPE VIOL_HTTP_PROTOCOL_BAD_MULTIPART_FORMDATA_REQUEST_PARSING VIOL_HTTP_PROTOCOL_BODY_IN_GET_OR_HEAD_REQUEST VIOL_HTTP_PROTOCOL_HIGH_ASCII_CHARACTERS_IN_HEADERS VIOL_ENCODING VIOL_COOKIE_MALFORMED VIOL_GRAPHQL_FORMAT VIOL_GRAPHQL_MALFORMED VIOL_GRAPHQL_INTROSPECTION_QUERY
exact_value
exact value

Exclusive with [any_domain suffix_value] Exact domain name.

string
>= 1 characters <= 256 characters
expiration_timestamp
expiration timestamp

The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.

string format: date-time
<= 1024 characters
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
methods
Methods

Methods to be matched.

Array<string>
<= 16 items
Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY
path_prefix
prefix

Exclusive with [any_path path_regex] Path prefix to match (e.g. The value / will match on all paths)

string
<= 256 characters
path_regex
Path Regex

Exclusive with [any_path path_prefix] Define the regex for the path. For example, the regex ^/.*$ will match on all paths.

string
<= 256 characters
suffix_value
suffix value

Exclusive with [any_domain exact_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”

string
>= 1 characters <= 256 characters
waf_skip_processing
object
waf_exclusion_policy
object
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string
>= 1 characters <= 128 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 64 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 64 characters

A successful response.

Media type: application/json
object
Example (generated)
{}

Returned when operation is not authorized.

Media type: application/json
string format: string
Example (generated)
example

Returned when there is no permission to access resource.

Media type: application/json
string format: string
Example (generated)
example

Returned when resource is not found.

Media type: application/json
string format: string
Example (generated)
example

Returned when operation on resource is conflicting with current value.

Media type: application/json
string format: string
Example (generated)
example

Returned when operation has been rejected as it is happening too frequently.

Media type: application/json
string format: string
Example (generated)
example

Returned when server encountered an error in processing API.

Media type: application/json
string format: string
Example (generated)
example

Returned when service is unavailable temporarily.

Media type: application/json
string format: string
Example (generated)
example

Returned when server timed out processing request.

Media type: application/json
string format: string
Example (generated)
example