diff --git a/SUPPORT.md b/SUPPORT.md
index 283c7a37..ddbf8dae 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -20,9 +20,9 @@ Currently supported versions:
 
 | Software Version | Release Type | First Customer Ship | End of Support |
 |------------------|---------------|---------------------|-----------------|
-| AS 3.2.0 | Feature | 06-Jul-2018 | 06-Oct-2018 |
 | AS 3.3.0 | Feature | 06-Aug-2018 | 06-Nov-2018 |
 | AS 3.4.0 | Feature | 05-Sep-2018 | 05-Dec-2018 |
+| AS 3.5.0 | Feature | 02-Oct-2018 | 02-Jan-2019 |
 
 Versions no longer supported:
 
@@ -30,5 +30,6 @@ Versions no longer supported:
 |------------------|---------------|---------------------|-----------------|
 | AS 3.0.0 | Feature | 30-Apr-2018 | 30-Jul-2018 |
 | AS 3.1.0 | Feature | 05-Jun-2018 | 05-Sep-2018 |
+| AS 3.2.0 | Feature | 06-Jul-2018 | 06-Oct-2018 |
 
 See the [Release notes](https://github.com/F5Networks/f5-appsvcs-extension/releases) and [AS3 documentation](https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3/) for new features and issues resolved for each release.
diff --git a/dist/f5-appsvcs-3.4.0-2.noarch.rpm.sha256 b/dist/f5-appsvcs-3.4.0-2.noarch.rpm.sha256
deleted file mode 100644
index 6a596726..00000000
--- a/dist/f5-appsvcs-3.4.0-2.noarch.rpm.sha256
+++ /dev/null
@@ -1 +0,0 @@
-15cfb892c1d56eddff21ade327d7c19f5ed4f846e06b59f880a9ba4e0ac787eb f5-appsvcs-3.4.0-2.noarch.rpm
diff --git a/dist/f5-appsvcs-3.4.0-2.noarch.rpm b/dist/f5-appsvcs-3.5.0-3.noarch.rpm
similarity index 86%
rename from dist/f5-appsvcs-3.4.0-2.noarch.rpm
rename to dist/f5-appsvcs-3.5.0-3.noarch.rpm
index a2e025e9..10e271c6 100644
Binary files a/dist/f5-appsvcs-3.4.0-2.noarch.rpm and b/dist/f5-appsvcs-3.5.0-3.noarch.rpm differ
diff --git a/dist/f5-appsvcs-3.5.0-3.noarch.rpm.sha256 b/dist/f5-appsvcs-3.5.0-3.noarch.rpm.sha256
new file mode 100644
index 00000000..eb8f4780
--- /dev/null
+++ b/dist/f5-appsvcs-3.5.0-3.noarch.rpm.sha256
@@ -0,0 +1 @@
+404036142583eac53d140b44608e3631ed6f979901401ad09340f4c142657fc3
\ No newline at end of file
diff --git a/schema/adc-schema-3.5.0-3.json b/schema/adc-schema-3.5.0-3.json
new file mode 100644
index 00000000..a5bc7833
--- /dev/null
+++ b/schema/adc-schema-3.5.0-3.json
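Review bot: The single added line of dist/f5-appsvcs-3.5.0-3.noarch.rpm.sha256 carries only the digest, whereas the 3.4.0 checksum file removed in this same commit held the digest followed by the RPM file name. In that form the new file cannot be passed to `sha256sum -c` as-is, so anyone verifying the package has to compare the hash by hand. I would keep the earlier layout, `404036142583eac53d140b44608e3631ed6f979901401ad09340f4c142657fc3  f5-appsvcs-3.5.0-3.noarch.rpm`, and end the file with a newline, since the hunk is marked `\ No newline at end of file`. Because the checksum is committed beside the binary it describes, it presumably protects against a corrupted download rather than a modified repository; a detached signature over the RPM would be the place to add stronger assurance if that is intended.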
@@ -0,0 +1,14734 @@ +{ + "$id": "urn:uuid:f83d84a1-b27b-441a-ae32-314b3de3315a", + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "ADC Declaration", + "description": "A declarative configuration for an ADC such as F5 BIG-IP", + "type": "object", + "properties": { + "class": { + "title": "Class", + "description": "Indicates this JSON document is an ADC declaration", + "type": "string", + "const": "ADC" + }, + "updateMode": { + "title": "Update mode", + "description": "When set to 'selective' (default) AS3 does not modify Tenants not referenced in the declaration. Otherwise ('complete') AS3 removes unreferenced Tenants.", + "type": "string", + "enum": [ + "complete", + "selective" + ], + "default": "selective" + }, + "schemaVersion": { + "title": "Schema version", + "description": "Version of ADC Declaration schema this declaration uses", + "type": "string", + "$comment": "IMPORTANT: In enum array, please put current schema version first, oldest-supported version last. Keep enum array sorted most-recent-first.", + "enum": [ + "3.5.0", + "3.4.0", + "3.3.0", + "3.2.0", + "3.1.0", + "3.0.0" + ] + }, + "id": { + "title": "Declaration ID", + "description": "Unique identifier for this declaration (max 255 printable chars with no spaces, quotation marks, angle brackets, nor backslashes)", + "type": "string", + "minLength": 1, + "format": "f5long-id" + }, + "label": { + "title": "Label", + "description": "Optional friendly name for this declaration", + "type": "string", + "format": "f5label" + }, + "remark": { + "title": "Remark", + "description": "Arbitrary (brief) text pertaining to this declaration (optional)", + "type": "string", + "format": "f5remark" + }, + "constants": { + "title": "Constants", + "description": "Declaration metadata and/or named values for (re-)use by declaration objects", + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "Constants", + "default": "Constants" + }, + "version": { + 
"title": "Declaration version", + "description": "Version number of declaration; update when you change contents but not ID (optional but recommended)", + "type": [ + "number", + "string" + ] + }, + "timestamp": { + "title": "Declaration timestamp", + "description": "Date+time (this version of) declaration was created (optional but recommended)", + "type": "string", + "format": "date-time" + } + }, + "additionalProperties": { + "type": [ + "boolean", + "integer", + "number", + "string", + "array", + "object" + ], + "if": { + "type": "object", + "required": [ + "protected", + "ciphertext" + ] + }, + "then": { + "properties": { + "allowReuse": { + "title": "Allow reuse", + "description": "If true (default), different declaration objects may reuse a cryptogram, WHICH MAY POSE A SECURITY RISK!", + "type": "boolean", + "default": true + } + }, + "additionalProperties": false, + "if": true, + "then": { + "$ref": "#/definitions/JWE" + } + } + }, + "propertyNames": { + "pattern": "^[A-Za-z][0-9A-Za-z_]{0,47}$" + } + }, + "Common": { + "title": "Common tenant", + "description": "Special tenant Common holds objects other tenants can share", + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "Tenant", + "default": "Tenant" + }, + "label": { + "$ref": "#/definitions/Label" + }, + "remark": { + "$ref": "#/definitions/Remark" + }, + "verifiers": { + "title": "Verifiers", + "description": "Data (in 'key':'value' properties) used to verify automated tests. 
Ordinary declarations do not need this", + "type": "object" + }, + "enable": { + "title": "Enable", + "description": "If declared, you must enable the Common tenant", + "type": "boolean", + "const": true + }, + "Shared": { + "$ref": "#/definitions/Application_Shared" + }, + "constants": { + "$ref": "#/definitions/Constants" + }, + "controls": { + "$ref": "#/definitions/Controls" + } + }, + "additionalProperties": false + }, + "controls": { + "title": "Controls", + "description": "Options to control configuration process", + "type": "object", + "$comment": "archiveId and archiveTimestamp reserved for future use.", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "Controls", + "default": "Controls" + }, + "logLevel": { + "title": "Log level", + "description": "Controls the amount of detail in logs produced by the configuration process using RFC 5424 severity levels (default is 'error'). May be overridden on a per-Tenant basis", + "type": "string", + "enum": [ + "emergency", + "alert", + "critical", + "error", + "warning", + "notice", + "info", + "debug" + ], + "default": "error" + }, + "trace": { + "title": "Trace", + "description": "If true, AS3 creates a detailed trace of the configuration process for subsequent analysis (default false). May be overridden on a per-Tenant basis. Warning: trace files may contain sensitive configuration data", + "type": "boolean", + "default": false + }, + "archiveId": { + "title": "Archive ID", + "description": "Read-only property present when you GET a declaration from configuration system. Archived versions of declaration are identified by a combination of 'id' and 'archiveId'", + "type": [ + "number", + "string" + ], + "readOnly": true + }, + "archiveTimestamp": { + "title": "Archive timestamp", + "description": "Read-only property present when you GET a declaration from configuration system. 
Indicates when this version (see archiveId) of declaration was archived", + "type": "string", + "format": "date-time", + "readOnly": true + } + }, + "additionalProperties": false + }, + "scratch": { + "title": "f5 scratch", + "description": "Holds some system data during declaration processing", + "type": "string", + "readOnly": true + } + }, + "additionalProperties": { + "$ref": "#/definitions/Tenant" + }, + "propertyNames": { + "pattern": "^[A-Za-z][0-9A-Za-z_]{0,47}$" + }, + "required": [ + "class", + "schemaVersion", + "id" + ], + "definitions": { + "Tenant": { + "title": "Tenant", + "description": "Declares a Tenant", + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "Tenant" + }, + "label": { + "$ref": "#/definitions/Label" + }, + "remark": { + "$ref": "#/definitions/Remark" + }, + "verifiers": { + "title": "Verifiers", + "description": "Data (in 'key':'value' properties) used to verify automated tests. Ordinary declarations do not need this", + "type": "object" + }, + "enable": { + "title": "Enable", + "description": "Tenant handles traffic only when enabled (default)", + "type": "boolean", + "default": true + }, + "defaultRouteDomain": { + "title": "Default route domain", + "description": "Selects the default route domain for IP traffic to and from this Tenant's application resources (note: affects declared IP addresses which do not include a %RD route-domain specifier). You must choose an existing route domain--this option cannot create one. 
Route domain 0 (default) is always available", + "type": "integer", + "minimum": 0, + "maximum": 65535, + "default": 0, + "f5bigComponent": "query net route-domain" + }, + "targetDevice": { + "title": "Target Device", + "description": "BIG-IP or SSG target for config when configuring with BIG-IQ", + "type": "string" + }, + "Shared": { + "$ref": "#/definitions/Application_Shared" + }, + "constants": { + "$ref": "#/definitions/Constants" + }, + "controls": { + "$ref": "#/definitions/Controls" + } + }, + "additionalProperties": { + "$ref": "#/definitions/Application" + }, + "propertyNames": { + "pattern": "^[A-Za-z][0-9A-Za-z_]{0,47}$" + }, + "required": [ + "class" + ] + }, + "Application_Shared": { + "title": "Shared Application", + "description": "Special application Shared holds objects other applications can share", + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "Application" + }, + "template": { + "title": "Template Name", + "description": "Shared Application template is always generic", + "type": "string", + "const": "shared" + }, + "enable": { + "title": "Enable", + "description": "If declared, you must enable the Shared Application", + "type": "boolean", + "const": true, + "default": true + } + }, + "if": true, + "then": { + "$ref": "#/definitions/Application" + }, + "required": [ + "class", + "template" + ] + }, + "Application": { + "title": "Application", + "description": "Application declaration master schema", + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "Application" + }, + "label": { + "$ref": "#/definitions/Label" + }, + "remark": { + "$ref": "#/definitions/Remark" + }, + "template": { + "title": "Template Name", + "description": "Each application type has certain required and default elements and selects appropriate setup of various ADC/Security features", + "type": "string" + }, + "enable": { + "title": "Enable", + "description": 
"Application handles traffic only when enabled (default)", + "type": "boolean", + "default": true + }, + "constants": { + "$ref": "#/definitions/Constants" + }, + "serviceMain": { + "description": "Primary service of the application" + } + }, + "additionalProperties": { + "properties": { + "class": { + "type": "string", + "enum": [ + "Service_HTTP", + "Service_HTTPS", + "Service_TCP", + "Service_UDP", + "Service_L4", + "Service_Generic", + "Service_Address", + "SNAT_Pool", + "iRule", + "WAF_Policy", + "Persist", + "Pool", + "Monitor", + "TLS_Server", + "TLS_Client", + "Certificate", + "CA_Bundle", + "FIX_Profile", + "HTTP_Profile", + "HTTP_Compress", + "TCP_Profile", + "UDP_Profile", + "L4_Profile", + "Classification_Profile", + "Radius_Profile", + "IP_Other_Profile", + "Firewall_Address_List", + "Firewall_Port_List", + "Firewall_Rule_List", + "Firewall_Policy", + "NAT_Policy", + "NAT_Source_Translation", + "Data_Group", + "DNS_Profile", + "DNS_TSIG_Key", + "DNS_Zone", + "DNS_Nameserver", + "Security_Log_Profile", + "Log_Publisher", + "Log_Destination", + "Endpoint_Policy", + "Endpoint_Strategy", + "Bandwidth_Control_Policy", + "Enforcement_Policy", + "Enforcement_Diameter_Endpoint_Profile", + "Enforcement_Radius_AAA_Profile", + "Enforcement_Profile", + "Enforcement_Subscriber_Management_Profile", + "Enforcement_Listener", + "Enforcement_Interception_Endpoint", + "Enforcement_Format_Script", + "Enforcement_Forwarding_Endpoint", + "Enforcement_Service_Chain_Endpoint" + ] + } + }, + "allOf": [ + { + "if": { + "properties": { + "class": { + "const": "Service_HTTP" + } + } + }, + "then": { + "$ref": "#/definitions/Service_HTTP" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Service_HTTPS" + } + } + }, + "then": { + "$ref": "#/definitions/Service_HTTPS" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Service_TCP" + } + } + }, + "then": { + "$ref": "#/definitions/Service_TCP" + } + }, + { + "if": { + "properties": { + "class": { + 
"const": "Service_UDP" + } + } + }, + "then": { + "$ref": "#/definitions/Service_UDP" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Service_L4" + } + } + }, + "then": { + "$ref": "#/definitions/Service_L4" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Service_Generic" + } + } + }, + "then": { + "$ref": "#/definitions/Service_Generic" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Service_Address" + } + } + }, + "then": { + "$ref": "#/definitions/Service_Address" + } + }, + { + "if": { + "properties": { + "class": { + "const": "SNAT_Pool" + } + } + }, + "then": { + "$ref": "#/definitions/SNAT_Pool" + } + }, + { + "if": { + "properties": { + "class": { + "const": "iRule" + } + } + }, + "then": { + "$ref": "#/definitions/iRule" + } + }, + { + "if": { + "properties": { + "class": { + "const": "WAF_Policy" + } + } + }, + "then": { + "$ref": "#/definitions/WAF_Policy" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Persist" + } + } + }, + "then": { + "$ref": "#/definitions/Persist" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Pool" + } + } + }, + "then": { + "$ref": "#/definitions/Pool" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Monitor" + } + } + }, + "then": { + "$ref": "#/definitions/Monitor" + } + }, + { + "if": { + "properties": { + "class": { + "const": "TLS_Server" + } + } + }, + "then": { + "$ref": "#/definitions/TLS_Server" + } + }, + { + "if": { + "properties": { + "class": { + "const": "TLS_Client" + } + } + }, + "then": { + "$ref": "#/definitions/TLS_Client" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Certificate" + } + } + }, + "then": { + "$ref": "#/definitions/Certificate" + } + }, + { + "if": { + "properties": { + "class": { + "const": "CA_Bundle" + } + } + }, + "then": { + "$ref": "#/definitions/CA_Bundle" + } + }, + { + "if": { + "properties": { + "class": { + "const": "FIX_Profile" + } + } + }, + "then": { + 
"$ref": "#/definitions/FIX_Profile" + } + }, + { + "if": { + "properties": { + "class": { + "const": "HTTP_Profile" + } + } + }, + "then": { + "$ref": "#/definitions/HTTP_Profile" + } + }, + { + "if": { + "properties": { + "class": { + "const": "HTTP_Compress" + } + } + }, + "then": { + "$ref": "#/definitions/HTTP_Compress" + } + }, + { + "if": { + "properties": { + "class": { + "const": "TCP_Profile" + } + } + }, + "then": { + "$ref": "#/definitions/TCP_Profile" + } + }, + { + "if": { + "properties": { + "class": { + "const": "UDP_Profile" + } + } + }, + "then": { + "$ref": "#/definitions/UDP_Profile" + } + }, + { + "if": { + "properties": { + "class": { + "const": "L4_Profile" + } + } + }, + "then": { + "$ref": "#/definitions/L4_Profile" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Classification_Profile" + } + } + }, + "then": { + "$ref": "#/definitions/Classification_Profile" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Radius_Profile" + } + } + }, + "then": { + "$ref": "#/definitions/Radius_Profile" + } + }, + { + "if": { + "properties": { + "class": { + "const": "IP_Other_Profile" + } + } + }, + "then": { + "$ref": "#/definitions/IP_Other_Profile" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Firewall_Address_List" + } + } + }, + "then": { + "$ref": "#/definitions/Firewall_Address_List" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Firewall_Port_List" + } + } + }, + "then": { + "$ref": "#/definitions/Firewall_Port_List" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Firewall_Rule_List" + } + } + }, + "then": { + "$ref": "#/definitions/Firewall_Rule_List" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Firewall_Policy" + } + } + }, + "then": { + "$ref": "#/definitions/Firewall_Policy" + } + }, + { + "if": { + "properties": { + "class": { + "const": "NAT_Policy" + } + } + }, + "then": { + "$ref": "#/definitions/NAT_Policy" + } + }, + { + "if": 
{ + "properties": { + "class": { + "const": "NAT_Source_Translation" + } + } + }, + "then": { + "$ref": "#/definitions/NAT_Source_Translation" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Data_Group" + } + } + }, + "then": { + "$ref": "#/definitions/Data_Group" + } + }, + { + "if": { + "properties": { + "class": { + "const": "DNS_Profile" + } + } + }, + "then": { + "$ref": "#/definitions/DNS_Profile" + } + }, + { + "if": { + "properties": { + "class": { + "const": "DNS_TSIG_Key" + } + } + }, + "then": { + "$ref": "#/definitions/DNS_TSIG_Key" + } + }, + { + "if": { + "properties": { + "class": { + "const": "DNS_Zone" + } + } + }, + "then": { + "$ref": "#/definitions/DNS_Zone" + } + }, + { + "if": { + "properties": { + "class": { + "const": "DNS_Nameserver" + } + } + }, + "then": { + "$ref": "#/definitions/DNS_Nameserver" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Security_Log_Profile" + } + } + }, + "then": { + "$ref": "#/definitions/Security_Log_Profile" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Log_Publisher" + } + } + }, + "then": { + "$ref": "#/definitions/Log_Publisher" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Log_Destination" + } + } + }, + "then": { + "$ref": "#/definitions/Log_Destination" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Endpoint_Policy" + } + } + }, + "then": { + "$ref": "#/definitions/Endpoint_Policy" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Endpoint_Strategy" + } + } + }, + "then": { + "$ref": "#/definitions/Endpoint_Strategy" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Bandwidth_Control_Policy" + } + } + }, + "then": { + "$ref": "#/definitions/Bandwidth_Control_Policy" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Enforcement_Policy" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Policy" + } + }, + { + "if": { + "properties": { + "class": { + 
"const": "Enforcement_Diameter_Endpoint_Profile" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Diameter_Endpoint_Profile" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Enforcement_Radius_AAA_Profile" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Radius_AAA_Profile" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Enforcement_Profile" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Profile" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Enforcement_Subscriber_Management_Profile" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Subscriber_Management_Profile" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Enforcement_Listener" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Listener" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Enforcement_Interception_Endpoint" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Interception_Endpoint" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Enforcement_Format_Script" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Format_Script" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Enforcement_Forwarding_Endpoint" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Forwarding_Endpoint" + } + }, + { + "if": { + "properties": { + "class": { + "const": "Enforcement_Service_Chain_Endpoint" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Service_Chain_Endpoint" + } + } + ] + }, + "propertyNames": { + "pattern": "^[A-Za-z][0-9A-Za-z_]{0,47}$" + }, + "allOf": [ + { + "if": { + "properties": { + "template": { + "const": "https" + } + } + }, + "then": { + "$ref": "#/definitions/Template_https" + } + }, + { + "if": { + "properties": { + "template": { + "const": "http" + } + } + }, + "then": { + "$ref": "#/definitions/Template_http" + } + }, + { + "if": { + "properties": { + "template": { + 
"const": "tcp" + } + } + }, + "then": { + "$ref": "#/definitions/Template_tcp" + } + }, + { + "if": { + "properties": { + "template": { + "const": "udp" + } + } + }, + "then": { + "$ref": "#/definitions/Template_udp" + } + }, + { + "if": { + "properties": { + "template": { + "const": "l4" + } + } + }, + "then": { + "$ref": "#/definitions/Template_l4" + } + }, + { + "if": { + "properties": { + "template": { + "const": "generic" + } + } + }, + "then": { + "$ref": "#/definitions/Template_generic" + } + } + ], + "required": [ + "class", + "template" + ] + }, + "Template_https": { + "title": "HTTPS application", + "description": "Declares an HTTPS application", + "properties": { + "serviceMain": { + "$ref": "#/definitions/Service_HTTPS" + } + }, + "required": [ + "serviceMain" + ] + }, + "Template_http": { + "title": "HTTP application", + "description": "Declares an HTTP application", + "properties": { + "serviceMain": { + "$ref": "#/definitions/Service_HTTP" + } + }, + "required": [ + "serviceMain" + ] + }, + "Template_tcp": { + "title": "TCP application", + "description": "Declares a TCP application", + "properties": { + "serviceMain": { + "$ref": "#/definitions/Service_TCP" + } + }, + "required": [ + "serviceMain" + ] + }, + "Template_udp": { + "title": "UDP application", + "description": "Declares a UDP application", + "properties": { + "serviceMain": { + "$ref": "#/definitions/Service_UDP" + } + }, + "required": [ + "serviceMain" + ] + }, + "Template_l4": { + "title": "L4 application", + "description": "Declares a L4 application", + "properties": { + "serviceMain": { + "$ref": "#/definitions/Service_L4" + } + }, + "required": [ + "serviceMain" + ] + }, + "Template_generic": { + "title": "Generic application", + "description": "Declares a generic application", + "properties": { + "template": { + "title": "Template Name", + "description": "In addition to 'generic' and 'shared' other values may appear here for extensibility", + "type": "string" + }, + "serviceMain": { 
+ "$ref": "#/definitions/Service_Generic" + } + } + }, + "Service_HTTP": { + "title": "HTTP virtual server", + "description": "HTTP virtual server", + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "Service_HTTP" + }, + "virtualPort": { + "title": "Virtual server TCP port", + "description": "Default 80 is well-known HTTP port", + "type": "integer", + "default": 80 + } + }, + "if": true, + "then": { + "$ref": "#/definitions/Service_HTTP_Core" + }, + "dependencies": { + "serverTLS": { + "not": {} + } + }, + "required": [ + "class" + ] + }, + "Service_HTTPS": { + "title": "HTTPS virtual server", + "description": "HTTPS (HTTP+TLS) virtual server", + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "Service_HTTPS" + }, + "virtualPort": { + "title": "Virtual server TCP port", + "description": "Default 443 is well-known HTTPS port", + "type": "integer", + "default": 443 + }, + "redirect80": { + "title": "Redirect HTTP", + "description": "If true, AS3 redirects HTTP traffic to any virtualAddress on port 80 to virtualPort", + "type": "boolean", + "default": true + } + }, + "if": true, + "then": { + "$ref": "#/definitions/Service_HTTP_Core" + }, + "dependencies": { + "serverTLS": { + "properties": { + "serverTLS": { + "minLength": 1 + } + } + } + }, + "required": [ + "class", + "serverTLS" + ] + }, + "Service_HTTP_Core": { + "title": "HTTP VS core", + "description": "Core attributes of HTTP(S) virtual server", + "properties": { + "persistenceMethods": { + "title": "Persistence methods", + "description": "Default 'cookie' is generally good", + "type": "array", + "items": { + "$ref": "#/definitions/Basic_Persist" + }, + "default": [ + "cookie" + ] + }, + "profileHTTP": { + "title": "HTTP profile", + "description": "HTTP profile; name of built-in or else AS3 pointer", + "if": { + "not": { + "type": "object" + } + }, + "then": { + "type": "string", + "enum": [ + "basic" + ] + 
}, + "else": { + "type": "object", + "properties": { + "use": { + "title": "Use", + "description": "AS3 pointer to HTTP profile declaration", + "type": "string", + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "HTTP_Profile" + } + }, + "required": [ + "class" + ] + } + }, + "bigip": { + "title": "BIG-IP HTTP profile", + "description": "Pathname of existing BIG-IP HTTP profile", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "minProperties": 1, + "maxProperties": 1, + "f5bigComponent": "query ltm profile http" + }, + "default": "basic" + }, + "profileHTTPCompression": { + "title": "HTTP compression profile", + "description": "HTTP compression profile; name of built-in or else AS3 pointer", + "if": { + "not": { + "type": "object" + } + }, + "then": { + "type": "string", + "enum": [ + "basic", + "wan" + ] + }, + "else": { + "type": "object", + "properties": { + "use": { + "title": "Use", + "description": "AS3 pointer to HTTP compression profile declaration", + "type": "string", + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "HTTP_Compress" + } + }, + "required": [ + "class" + ] + } + }, + "bigip": { + "title": "BIG-IP HTTP compression profile", + "description": "Pathname of existing BIG-IP HTTP compression profile", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "minProperties": 1, + "maxProperties": 1, + "f5bigComponent": "query ltm profile http-compression" + } + }, + "profileHTTPAcceleration": { + "title": "Web acceleration profile", + "description": "Web acceleration profile; name of built-in or else AS3 pointer", + "if": { + "not": { + "type": "object" + } + }, + "then": { + "type": "string", + "enum": [ + "basic" + ] + }, + "else": { + "type": "object", + "properties": { + "bigip": { + "title": "BIG-IP web acceleration profile", + "description": "Pathname of existing BIG-IP HTTP compression profile", + "type": "string", + 
"format": "f5bigip" + } + }, + "additionalProperties": false, + "minProperties": 1, + "maxProperties": 1, + "f5bigComponent": "query ltm profile web-acceleration" + } + }, + "profileMultiplex": { + "title": "Multiplex profile", + "description": "Multiplex (OneConnect) profile; name of built-in or else AS3 pointer", + "if": { + "not": { + "type": "object" + } + }, + "then": { + "type": "string", + "enum": [ + "basic" + ] + }, + "else": { + "type": "object", + "properties": { + "bigip": { + "title": "BIG-IP OneConnect profile", + "description": "Pathname of existing BIG-IP OneConnect profile", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "minProperties": 1, + "maxProperties": 1, + "f5bigComponent": "query ltm profile one-connect" + } + }, + "policyWAF": { + "title": "WAF policy", + "description": "AS3 pointer to WAF (ASM) policy declaration", + "f5modules": [ + "asm" + ], + "type": "object", + "properties": { + "bigip": { + "title": "BIG-IP WAF policy", + "description": "Pathname of existing BIG-IP WAF (ASM) policy", + "type": "string", + "format": "f5bigip" + }, + "use": { + "title": "Use", + "description": "AS3 pointer to WAF policy declaration", + "type": "string", + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "WAF_Policy" + } + }, + "required": [ + "class" + ] + } + } + }, + "additionalProperties": false, + "oneOf": [ + { + "required": [ + "bigip" + ] + }, + { + "required": [ + "use" + ] + } + ], + "f5bigComponent": "asm policy" + }, + "policyIAM": { + "title": "IAM policy", + "description": "AS3 pointer to IAM (APM) policy declaration", + "type": "object", + "properties": { + "bigip": { + "title": "BIG-IP IAM policy", + "description": "Pathname of existing BIG-IP IAM (APM) policy", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "required": [ + "bigip" + ], + "f5bigComponent": "query apm profile access" + } + }, + "if": true, + "then": { + "$ref": 
"#/definitions/Service_TCP_Core" + }, + "required": [ + "class" + ] + }, + "Service_TCP": { + "title": "TCP virtual server", + "description": "Declares a TCP virtual server (w/optional TLS)", + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "Service_TCP" + }, + "persistenceMethods": { + "title": "Persistence methods", + "description": "Default 'source-address' is generally good", + "type": "array", + "items": { + "$ref": "#/definitions/Basic_Persist" + }, + "default": [ + "source-address" + ] + } + }, + "if": true, + "then": { + "$ref": "#/definitions/Service_TCP_Core" + }, + "required": [ + "class" + ] + }, + "Service_TCP_Core": { + "title": "Service_TCP core", + "description": "Core attributes of TCP virtual server", + "type": "object", + "properties": { + "virtualPort": { + "title": "virtual server TCP port", + "description": "virtual server TCP port", + "type": "integer", + "minimum": 0, + "maximum": 65535 + }, + "layer4": { + "title": "L4 protocol", + "description": "For TCP virtual server, Layer 4 protocol must be TCP", + "type": "string", + "const": "tcp", + "default": "tcp" + }, + "profileFIX": { + "$ref": "#/definitions/Pointer_FIX_Profile" + }, + "profileTCP": { + "f5tcpProfile": true, + "title": "TCP profile", + "description": "TCP profile; name of built-in or else AS3 pointer", + "if": { + "not": { + "type": "object" + } + }, + "then": { + "type": "string", + "enum": [ + "normal", + "lan", + "wan", + "mobile" + ] + }, + "else": { + "type": "object", + "properties": { + "use": { + "title": "Use", + "description": "AS3 pointer to TCP profile declaration for ingress and egress", + "type": "string", + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "TCP_Profile" + } + }, + "required": [ + "class" + ] + } + }, + "bigip": { + "title": "BIG-IP TCP profile", + "description": "Pathname of existing BIG-IP TCP profile for both ingress and egress", + "type": "string", + "format": 
"f5bigip" + }, + "ingress": { + "title": "Ingress profile", + "description": "Ingress (client-side context) TCP profile", + "if": { + "not": { + "type": "object" + } + }, + "then": { + "type": "string", + "enum": [ + "normal", + "lan", + "wan", + "mobile" + ], + "default": "normal" + }, + "else": { + "type": "object", + "properties": { + "use": { + "title": "Use", + "description": "AS3 pointer to TCP profile declaration for incoming connections", + "type": "string", + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "TCP_Profile" + } + }, + "required": [ + "class" + ] + } + }, + "bigip": { + "title": "BIG-IP TCP profile", + "description": "Pathname of existing BIG-IP TCP profile in client-side context", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "minProperties": 1, + "maxProperties": 1 + } + }, + "egress": { + "title": "Egress TCP profile", + "description": "Egress (server-side context) TCP profile", + "if": { + "not": { + "type": "object" + } + }, + "then": { + "type": "string", + "enum": [ + "normal", + "lan", + "wan", + "mobile" + ], + "default": "normal" + }, + "else": { + "type": "object", + "properties": { + "use": { + "title": "Use", + "description": "AS3 pointer to TCP profile declaration for outgoing connections", + "type": "string", + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "TCP_Profile" + } + }, + "required": [ + "class" + ] + } + }, + "bigip": { + "title": "BIG-IP server-side TCP profile", + "description": "Pathname of existing BIG-IP TCP profile in server-side context", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "minProperties": 1, + "maxProperties": 1 + } + } + }, + "additionalProperties": false, + "dependencies": { + "use": { + "minProperties": 1, + "maxProperties": 1 + }, + "bigip": { + "minProperties": 1, + "maxProperties": 1 + }, + "ingress": { + "minProperties": 2, + "maxProperties": 2 + }, + 
"egress": { + "minProperties": 2, + "maxProperties": 2 + } + }, + "f5bigComponent": "query ltm profile tcp" + }, + "default": "normal" + }, + "serverTLS": { + "title": "TLS server", + "description": "AS3 pointer to TLS Server declaration", + "if": { + "type": "string" + }, + "then": { + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "TLS_Server" + } + }, + "required": [ + "class" + ] + } + }, + "else": { + "type": "object", + "properties": { + "bigip": { + "title": "BIG-IP client SSL profile", + "description": "Pathname of existing BIG-IP Client SSL profile", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "required": [ + "bigip" + ], + "f5bigComponent": "query ltm profile client-ssl" + } + }, + "clientTLS": { + "title": "TLS client", + "description": "AS3 pointer to TLS Client declaration", + "if": { + "type": "string" + }, + "then": { + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "TLS_Client" + } + }, + "required": [ + "class" + ] + } + }, + "else": { + "type": "object", + "properties": { + "bigip": { + "title": "BIG-IP server SSL profile", + "description": "Pathname of existing BIG-IP Server SSL profile", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "required": [ + "bigip" + ], + "f5bigComponent": "query ltm profile server-ssl" + } + }, + "policyEndpoint": { + "title": "Endpoint policy", + "description": "AS3 pointer to Endpoint policy declaration", + "if": { + "type": "string" + }, + "then": { + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "Endpoint_Policy" + } + }, + "required": [ + "class" + ] + } + }, + "else": { + "type": "object", + "properties": { + "bigip": { + "title": "BIG-IP Endpoint policy", + "description": "Pathname of existing BIG-IP LTM policy", + "type": "string", + "format": "f5bigip" + } + }, + "required": [ + "bigip" + ], + "f5bigComponent": "query ltm policy" + } + } + }, + 
"if": true, + "then": { + "$ref": "#/definitions/Service_Core" + }, + "required": [ + "virtualPort" + ] + }, + "Service_UDP": { + "title": "UDP virtual server", + "description": "Declares a UDP virtual server (w/optional (D)TLS)", + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "Service_UDP" + }, + "persistenceMethods": { + "title": "Persistence methods", + "description": "Default 'source-address' is generally good", + "type": "array", + "items": { + "$ref": "#/definitions/Basic_Persist" + }, + "default": [ + "source-address" + ] + } + }, + "if": true, + "then": { + "$ref": "#/definitions/Service_UDP_Core" + }, + "required": [ + "class" + ] + }, + "Service_UDP_Core": { + "title": "Service_UDP core", + "description": "Core attributes of UDP virtual server", + "type": "object", + "properties": { + "virtualPort": { + "title": "Virtual server UDP port", + "description": "Virtual server UDP port", + "type": "integer", + "minimum": 0, + "maximum": 65535 + }, + "layer4": { + "title": "L4 protocol", + "description": "For UDP virtual server, Layer 4 protocol must be UDP", + "type": "string", + "const": "udp", + "default": "udp" + }, + "profileUDP": { + "title": "UDP profile", + "description": "UDP profile; name of built-in or else AS3 pointer", + "if": { + "not": { + "type": "object" + } + }, + "then": { + "type": "string", + "enum": [ + "normal" + ] + }, + "else": { + "properties": { + "use": { + "title": "Use", + "description": "AS3 pointer to UDP profile declaration", + "type": "string", + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "UDP_Profile" + } + }, + "required": [ + "class" + ] + } + }, + "bigip": { + "title": "BIG-IP UDP profile", + "description": "Pathname of existing BIG-IP UDP profile", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "minProperties": 1, + "maxProperties": 1, + "f5bigComponent": "query ltm profile udp" + }, + "default": 
"normal" + }, + "serverTLS": { + "title": "TLS server", + "description": "AS3 pointer to TLS Server declaration", + "if": { + "type": "string" + }, + "then": { + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "TLS_Server" + } + }, + "required": [ + "class" + ] + } + }, + "else": { + "type": "object", + "properties": { + "bigip": { + "title": "BIG-IP client SSL profile", + "description": "Pathname of existing BIG-IP Client SSL profile", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "required": [ + "bigip" + ], + "f5bigComponent": "query ltm profile client-ssl" + } + }, + "clientTLS": { + "title": "TLS client", + "description": "AS3 pointer to TLS Client declaration", + "if": { + "type": "string" + }, + "then": { + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "TLS_Client" + } + }, + "required": [ + "class" + ] + } + }, + "else": { + "type": "object", + "properties": { + "bigip": { + "title": "BIG-IP server SSL profile", + "description": "Pathname of existing BIG-IP Server SSL profile", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "required": [ + "bigip" + ], + "f5bigComponent": "query ltm profile server-ssl" + } + }, + "policyEndpoint": { + "title": "Endpoint policy", + "description": "AS3 pointer to Endpoint policy declaration", + "type": "object", + "properties": { + "bigip": { + "title": "BIG-IP Endpoint policy", + "description": "Pathname of existing BIG-IP LTM policy", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "required": [ + "bigip" + ], + "f5bigComponent": "query ltm policy" + }, + "profileRADIUS": { + "$ref": "#/definitions/Pointer_Radius_Profile" + } + }, + "if": true, + "then": { + "$ref": "#/definitions/Service_Core" + }, + "required": [ + "virtualPort" + ] + }, + "Service_L4": { + "title": "L4 virtual server", + "description": "Declares a L4 (FastL4) virtual server", + 
"type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "Service_L4" + }, + "persistenceMethods": { + "title": "Persistence methods", + "description": "Default 'source-address' is generally good", + "type": "array", + "items": { + "$ref": "#/definitions/Basic_Persist" + }, + "default": [ + "source-address" + ] + } + }, + "if": true, + "then": { + "$ref": "#/definitions/Service_L4_Core" + }, + "required": [ + "class" + ] + }, + "Service_Generic": { + "description": "Declares a generic virtual server", + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "Service_Generic" + }, + "layer4": { + "title": "L4 protocol", + "description": "The L4 protocol type for this virtual server", + "default": "any" + }, + "profileIPOther": { + "allOf": [ + { + "$ref": "#/definitions/Pointer_IP_Other_Profile" + } + ], + "default": { + "bigip": "/Common/ipother" + } + } + }, + "allOf": [ + { + "$ref": "#/definitions/Service_L4_Core" + } + ], + "required": [ + "class" + ] + }, + "Service_L4_Core": { + "title": "Service_L4 core", + "description": "Core attributes of L4 virtual server", + "type": "object", + "properties": { + "virtualPort": { + "title": "virtual server TCP port", + "description": "virtual server port", + "type": "integer", + "minimum": 0, + "maximum": 65535 + }, + "layer4": { + "title": "L4 protocol", + "description": "The L4 protocol type for this virtual server", + "type": "string", + "enum": [ + "any", + "tcp", + "udp", + "3pc", + "a/n", + "ah", + "argus", + "aris", + "ax.25", + "bbn-rcc", + "bna", + "br-sat-mon", + "cbt", + "cftp", + "chaos", + "compaq-peer", + "cphb", + "cpnx", + "crdup", + "crtp", + "dccp", + "dcn", + "ddp", + "ddx", + "dgp", + "dsr", + "egp", + "eigrp", + "emcon", + "encap", + "esp", + "etherip", + "fc", + "fire", + "ggp", + "gmtp", + "gre", + "hip", + "hmp", + "hopopt", + "i-nlsp", + "iatp", + "icmp", + "idpr", + "idpr-cmtp", + "idrp", + "ifmp", + "igmp", 
+ "igp", + "il", + "ip", + "ipcomp", + "ipcv", + "ipencap", + "ipip", + "iplt", + "ippc", + "ipv6", + "ipv6-auth", + "ipv6-crypt", + "ipv6-frag", + "ipv6-icmp", + "ipv6-nonxt", + "ipv6-opts", + "ipv6-route", + "ipx-in-ip", + "irtp", + "isis", + "iso-ip", + "iso-tp4", + "kryptolan", + "l2tp", + "larp", + "leaf-1", + "leaf-2", + "manet", + "merit-inp", + "mfe-nsp", + "micp", + "mobile", + "mpls-in-ip", + "mtp", + "mux", + "narp", + "netblt", + "nsfnet-igp", + "nvp", + "ospf", + "pgm", + "pim", + "pipe", + "pnni", + "prm", + "ptp", + "pup", + "pvp", + "qnx", + "rdp", + "rsvp", + "rsvp-e2e-ignore", + "rvd", + "sat-expak", + "sat-mon", + "scc-sp", + "scps", + "sctp", + "sdrp", + "secure-vmtp", + "shim6", + "skip", + "sm", + "smp", + "snp", + "sprite-rpc", + "sps", + "srp", + "sscopmce", + "st", + "stp", + "sun-nd", + "swipe", + "tcf", + "tlsp", + "tp++", + "trunk-1", + "trunk-2", + "ttp", + "udplite", + "uti", + "vines", + "visa", + "vmtp", + "vrrp", + "wb-expak", + "wb-mon", + "wesp", + "wsn", + "xnet", + "xns-idp", + "xtp" + ], + "default": "tcp" + }, + "profileFIX": { + "$ref": "#/definitions/Pointer_FIX_Profile" + }, + "profileL4": { + "title": "L4 profile", + "description": "L4 profile; name of built-in or else AS3 pointer", + "if": { + "not": { + "type": "object" + } + }, + "then": { + "type": "string", + "enum": [ + "basic" + ] + }, + "else": { + "type": "object", + "properties": { + "use": { + "title": "Use", + "description": "AS3 pointer to L4 profile declaration", + "type": "string", + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "L4_Profile" + } + }, + "required": [ + "class" + ] + } + }, + "bigip": { + "title": "BIG-IP FastL4 profile", + "description": "Pathname of existing BIG-IP FastL4 profile", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "dependencies": { + "use": { + "minProperties": 1, + "maxProperties": 1 + }, + "bigip": { + "minProperties": 1, + "maxProperties": 1 + } + }, + 
"f5bigComponent": "query ltm profile fastl4" + }, + "default": "basic" + } + }, + "if": true, + "then": { + "$ref": "#/definitions/Service_Core" + }, + "required": [ + "virtualPort" + ] + }, + "Service_Core": { + "title": "Virtual-server core", + "description": "Core attributes of a virtual server", + "type": "object", + "properties": { + "label": { + "$ref": "#/definitions/Label" + }, + "remark": { + "$ref": "#/definitions/Remark" + }, + "virtualAddresses": { + "title": "Virtual addresses", + "description": "Virtual server will listen to each IP address in list. To accept connections only from certain subnet(s), replace IP address with array [IP-address, accept-from-subnet]", + "type": "array", + "items": { + "if": { + "type": "string" + }, + "then": { + "format": "f5ip" + }, + "else": { + "if": { + "type": "array" + }, + "then": { + "type": "array", + "items": { + "title": "Virtual address", + "type": "string", + "format": "f5ip" + }, + "minItems": 2, + "maxItems": 2, + "uniqueItems": true + }, + "else": { + "type": "object", + "properties": { + "use": { + "title": "Use", + "definition": "AS3 pointer to Service_Address declaration", + "type": "string", + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "Service_Address" + } + }, + "required": [ + "class" + ] + } + } + }, + "minProperties": 1, + "maxProperties": 1 + } + } + }, + "minItems": 1, + "uniqueItems": true + }, + "enable": { + "title": "Enable", + "description": "Virtual server handles traffic only when enabled (default)", + "type": "boolean", + "default": true + }, + "maxConnections": { + "title": "Maximum connections", + "description": "Specifies the maximum number of concurrent connections you want to allow for the virtual server", + "type": "integer", + "minimum": 0, + "default": 0 + }, + "snat": { + "title": "SNAT", + "description": "Name of built-in SNAT method or AS3 pointer to SNAT pool. 
If 'self', the system uses the virtual-server address as SNAT address",
+ "if": {
+ "not": {
+ "type": "object"
+ }
+ },
+ "then": {
+ "type": "string",
+ "enum": [
+ "none",
+ "self",
+ "auto"
+ ]
+ },
+ "else": {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "definition": "AS3 pointer to SNAT pool declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "SNAT_Pool"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP SNAT pool",
+ "description": "Pathname of existing BIG-IP SNAT pool",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minimumProperties": 1,
+ "maximumProperties": 1,
+ "f5bigComponent": "query ltm snatpool"
+ },
+ "default": "auto"
+ },
+ "iRules": {
+ "title": "iRules",
+ "description": "List iRules for this virtual server (order is significant)",
+ "type": "array",
+ "items": {
+ "title": "iRule",
+ "description": "AS3 pointer to iRule (declared separately)",
+ "if": {
+ "type": "string"
+ },
+ "then": {
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "iRule"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "else": {
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "title": "BIG-IP iRule",
+ "description": "Pathname of existing BIG-IP iRule",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "bigip"
+ ],
+ "f5bigComponent": "query ltm rule"
+ }
+ },
+ "minItems": 1,
+ "$comment": "uniqueItems: true"
+ },
+ "pool": {
+ "title": "Pool",
+ "description": "AS3 pointer to pool if any (declared separately)",
+ "if": {
+ "type": "string"
+ },
+ "then": {
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Pool"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "else": {
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "title": "BIG-IP pool",
+ "description": "Pathname of existing BIG-IP pool",
+ "type": "string",
+
"format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "bigip"
+ ],
+ "f5bigComponent": "query ltm pool"
+ }
+ },
+ "addressStatus": {
+ "title": "Address status",
+ "description": "Specifies whether the virtual server will contribute to the operational status of the associated virtual address",
+ "type": "boolean",
+ "default": true
+ },
+ "mirroring": {
+ "title": "Mirroring",
+ "description": "Controls connection-mirroring for high-availability",
+ "type": "string",
+ "enum": [
+ "none",
+ "L4"
+ ],
+ "default": "none"
+ },
+ "policyFirewallEnforced": {
+ "title": "Firewall policy",
+ "description": "AS3 pointer to firewall (ASM) policy declaration",
+ "f5modules": [
+ "afm"
+ ],
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "title": "BIG-IP firewall policy",
+ "description": "Pathname of existing BIG-IP firewall policy",
+ "type": "string",
+ "format": "f5bigip"
+ },
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to firewall policy declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Firewall_Policy"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query security firewall policy"
+ },
+ "policyFirewallStaged": {
+ "title": "Firewall policy",
+ "description": "AS3 pointer to firewall (ASM) policy declaration",
+ "f5modules": [
+ "afm"
+ ],
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "title": "BIG-IP firewall policy",
+ "description": "Pathname of existing BIG-IP firewall policy",
+ "type": "string",
+ "format": "f5bigip"
+ },
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to firewall policy declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Firewall_Policy"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+
"maxProperties": 1,
+ "f5bigComponent": "query security firewall policy"
+ },
+ "policyNAT": {
+ "description": "AS3 pointer to NAT policy declaration",
+ "f5modules": [
+ "afm"
+ ],
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "title": "BIG-IP NAT policy",
+ "description": "Pathname of existing BIG-IP NAT policy",
+ "type": "string",
+ "format": "f5bigip"
+ },
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to NAT policy declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "NAT_Policy"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query security nat policy"
+ },
+ "lastHop": {
+ "title": "Last hop",
+ "description": "Name of built-in last-hop method or AS3 pointer to last-hop pool (default 'default' means use system setting)",
+ "if": {
+ "not": {
+ "type": "object"
+ }
+ },
+ "then": {
+ "type": "string",
+ "enum": [
+ "default",
+ "auto",
+ "disable"
+ ]
+ },
+ "else": {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "definition": "AS3 pointer to last-hop pool declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Pool"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP last-hop pool",
+ "description": "Pathname of existing BIG-IP pool",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minimumProperties": 1,
+ "maximumProperties": 1,
+ "f5bigComponent": "query ltm pool"
+ },
+ "default": "default"
+ },
+ "translateClientPort": {
+ "title": "Translate client port",
+ "description": "If true, hide client's port number from server (default false)",
+ "type": "boolean",
+ "default": false
+ },
+ "translateServerAddress": {
+ "title": "Translate server address",
+ "description": "If true (default), make server-side connection to server address
(otherwise, treat server as gateway to virtual-server address)",
+ "type": "boolean",
+ "default": true
+ },
+ "translateServerPort": {
+ "title": "Translate server port",
+ "description": "If true (default), make server-side connection to server port (otherwise, connect to server on virtual-server port)",
+ "type": "boolean",
+ "default": true
+ },
+ "persistenceMethods": {
+ "title": "Persistence method(s)",
+ "description": "List of persistence methods (each by name or AS3 pointer). Element 0 is primary (default) persistence method",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/Basic_Persist"
+ },
+ "minItems": 0,
+ "$comment": "uniqueItems: true"
+ },
+ "fallbackPersistenceMethod": {
+ "$ref": "#/definitions/Basic_Persist"
+ },
+ "allowVlans": {
+ "title": "VLAN list to allow",
+ "description": "Names of existing VLANs to add to this virtual server to allow.",
+ "type": "array",
+ "items": {
+ "bigip": {
+ "title": "BIG-IP VLAN",
+ "description": "Pathname of existing BIG-IP VLAN",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ }
+ },
+ "rejectVlans": {
+ "title": "VLAN list to reject",
+ "description": "Names of existing VLANs to add to this virtual server to reject.",
+ "type": "array",
+ "items": {
+ "bigip": {
+ "title": "BIG-IP VLAN",
+ "description": "Pathname of existing BIG-IP VLAN",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ }
+ },
+ "securityLogProfiles": {
+ "title": "Security Log Profiles",
+ "description": "Specifies the log profile applied to the virtual server",
+ "type": "array",
+ "f5modules": [
+ "afm",
+ "asm"
+ ],
+ "items": {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to security log profile declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Security_Log_Profile"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP security log profile",
+ "description": "Pathname of existing BIG-IP
security log profile",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query security log profile"
+ }
+ },
+ "profileDiameterEndpoint": {
+ "$ref": "#/definitions/Pointer_Enforcement_Diameter_Endpoint_Profile"
+ },
+ "profileEnforcement": {
+ "$ref": "#/definitions/Pointer_Enforcement_Profile"
+ },
+ "profileSubscriberManagement": {
+ "$ref": "#/definitions/Pointer_Enforcement_Subscriber_Management_Profile"
+ },
+ "profileIPOther": {
+ "$ref": "#/definitions/Pointer_IP_Other_Profile"
+ },
+ "profileClassification": {
+ "$ref": "#/definitions/Pointer_Classification_Profile"
+ },
+ "profileDNS": {
+ "$ref": "#/definitions/Pointer_DNS_Profile"
+ }
+ },
+ "if": {
+ "properties": {
+ "allowVlans": {}
+ },
+ "required": [
+ "allowVlans"
+ ]
+ },
+ "then": {
+ "not": {
+ "properties": {
+ "rejectVlans": {}
+ },
+ "required": [
+ "rejectVlans"
+ ]
+ }
+ },
+ "dependencies": {
+ "fallbackPersistenceMethod": [
+ "persistenceMethods"
+ ]
+ },
+ "required": [
+ "virtualAddresses"
+ ]
+ },
+ "Service_Address": {
+ "title": "Service address",
+ "description": "Service IP address definition (BIG-IP virtual-address)",
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Service_Address"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "virtualAddress": {
+ "title": "Virtual address",
+ "description": "The virtual IP address",
+ "type": "string",
+ "format": "f5ip"
+ },
+ "arpEnabled": {
+ "title": "Enable ARP",
+ "description": "If true (default), the system services ARP requests on this address",
+ "type": "boolean",
+ "default": true
+ },
+ "icmpEcho": {
+ "title": "Enable ICMP echo",
+ "description": "If true (default), the system answers ICMP echo requests on this address",
+ "type": "string",
+ "enum": [
+ "enable",
+ "disable",
+ "selective"
+ ],
+ "default":
"enable"
+ },
+ "spanningEnabled": {
+ "title": "Enable spanning",
+ "description": "Enable all BIG-IP systems in device group to listen for and process traffic on the same virtual address",
+ "type": "boolean",
+ "default": false
+ }
+ },
+ "dependencies": {
+ "arpEnabled": {
+ "$comment": "Only 1 of 2 can be true.",
+ "if": {
+ "properties": {
+ "arpEnabled": {
+ "const": true
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "spanningEnabled": {
+ "const": false
+ }
+ }
+ }
+ }
+ },
+ "required": [
+ "virtualAddress"
+ ],
+ "additionalProperties": false
+ },
+ "SNAT_Pool": {
+ "title": "SNAT pool",
+ "description": "Declares a list of SNAT addresses",
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "SNAT_Pool"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "snatAddresses": {
+ "title": "SNAT addresses",
+ "description": "List of SNAT addresses-- may include both IPv4 and IPv6",
+ "type": "array",
+ "items": {
+ "title": "SNAT address",
+ "type": "string",
+ "format": "f5ip"
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "class",
+ "snatAddresses"
+ ]
+ },
+ "iRule": {
+ "title": "iRule",
+ "description": "An iRule",
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "iRule"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "expand": {
+ "title": "Expand",
+ "description": "If true (default), expand backquoted variables in iRule",
+ "type": "boolean",
+ "default": true
+ },
+ "iRule": {
+ "description": "Reference to an iRule",
+ "if": true,
+ "then": {
+ "$ref": "#/definitions/F5string"
+ },
+ "f5fetch": "string",
+ "f5expand": {
+ "when": "1/expand"
+ }
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "class",
+ "iRule"
+ ]
+ },
+ "WAF_Policy": {
+ "title": "WAF Policy",
+
"description": "A Web Application Firewall Policy",
+ "type": "object",
+ "f5modules": [
+ "asm"
+ ],
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "WAF_Policy"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "url": {
+ "title": "URL",
+ "description": "The URL to pull the ASM policy from",
+ "type": "string",
+ "minLength": 3,
+ "f5expand": true
+ },
+ "file": {
+ "title": "File",
+ "description": "The absolute file path for the ASM policy stored on the BIG-IP",
+ "type": "string",
+ "minLength": 3,
+ "f5expand": true
+ },
+ "ignoreChanges": {
+ "title": "Ignore changes",
+ "description": "If false (default), the system updates the policy in every AS3 declaration deployment. If true, AS3 creates the policy on first deployment, and leaves it untouched afterwards",
+ "type": "boolean",
+ "default": false
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "class"
+ ],
+ "oneOf": [
+ {
+ "required": [
+ "url"
+ ]
+ },
+ {
+ "required": [
+ "file"
+ ]
+ }
+ ]
+ },
+ "Basic_Persist": {
+ "title": "Basic Persist",
+ "description": "Holds name of simple persistence method or AS3 pointer to persistence method",
+ "if": {
+ "type": "string"
+ },
+ "then": {
+ "enum": [
+ "cookie",
+ "destination-address",
+ "msrdp",
+ "source-address",
+ "tls-session-id"
+ ]
+ },
+ "else": {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to persistence method declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Persist"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP persistence profile",
+ "description": "Pathname of existing BIG-IP persistence profile",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minimumProperties": 1,
+ "maximumProperties": 1,
+ "f5bigComponent": "probe ltm persistence dest-addr"
+ }
+
},
+ "Persist": {
+ "title": "Persistence method",
+ "description": "Declares a persistence method",
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Persist"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "persistenceMethod": {
+ "title": "Persistence method",
+ "description": "You may customize each basic persistence method",
+ "type": "string",
+ "enum": [
+ "cookie",
+ "destination-address",
+ "hash",
+ "msrdp",
+ "sip-info",
+ "source-address",
+ "tls-session-id",
+ "universal"
+ ]
+ },
+ "matchAcrossPools": {
+ "title": "Match across pools",
+ "description": "Specifies that the system can use any pool that contains this persistence record",
+ "type": "boolean",
+ "default": false
+ },
+ "matchAcrossVirtualPorts": {
+ "title": "Match across virtual ports",
+ "description": "Specifies that all persistent connections from a client IP address that go to the same virtual IP address also go to the same node",
+ "type": "boolean",
+ "default": false
+ },
+ "matchAcrossVirtualAddresses": {
+ "title": "Match across virtual addresses",
+ "description": "Specifies that all persistent connections from the same client IP address go to the same node",
+ "type": "boolean",
+ "default": false
+ },
+ "mirror": {
+ "title": "Mirror",
+ "description": "If true, try to maintain persistence even after HA failover of ADC (default false)",
+ "type": "boolean",
+ "default": false
+ },
+ "overrideConnectionLimit": {
+ "title": "Override connection limit",
+ "description": "If true, do not enforce pool member connection limit for persisted connections (default false)",
+ "type": "boolean",
+ "default": false
+ }
+ },
+ "if": {
+ "properties": {
+ "persistenceMethod": {
+ "const": "cookie"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Persist_Cookie"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "persistenceMethod": {
+ "enum": [
+ "destination-address",
+
"source-address"
+ ]
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Persist_Addr"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "persistenceMethod": {
+ "const": "hash"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Persist_Hash"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "persistenceMethod": {
+ "const": "msrdp"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Persist_MSRDP"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "persistenceMethod": {
+ "const": "sip-info"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Persist_SIP"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "persistenceMethod": {
+ "const": "tls-session-id"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Persist_TLS_Session"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "persistenceMethod": {
+ "const": "universal"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Persist_UIE"
+ },
+ "else": {
+ "$comment": "Unrecognized persistenceMethod.",
+ "not": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "dependencies": {
+ "use": {
+ "not": {}
+ },
+ "bigip": {
+ "not": {}
+ }
+ },
+ "required": [
+ "class",
+ "persistenceMethod"
+ ]
+ },
+ "Persist_Addr": {
+ "title": "Address persistence",
+ "description": "Configures an address affinity persistence profile",
+ "properties": {
+ "duration": {
+ "title": "Duration",
+ "description": "Lifetime of persistence record (seconds, default 180)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 604800,
+ "default": 180
+ },
+ "hashAlgorithm": {
+ "title": "Hash algorithm",
+ "description": "Specifies the algorithm the system uses for hash persistence load balancing.
The hash result is the input for the algorithm.",
+ "type": "string",
+ "enum": [
+ "carp",
+ "default"
+ ],
+ "default": "default"
+ },
+ "addressMask": {
+ "title": "Address mask",
+ "description": "Optional mask selects portion of address used by simple persistence (if omitted the system uses all address bits)",
+ "type": "string",
+ "format": "f5ip"
+ }
+ }
+ },
+ "Persist_Cookie": {
+ "title": "Cookie persistence",
+ "description": "Configures a cookie persistence profile",
+ "properties": {
+ "duration": {
+ "title": "Duration",
+ "description": "Lifetime of persistence record (seconds, default 0 means indefinite)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 604800,
+ "default": 0
+ },
+ "cookieMethod": {
+ "title": "Method",
+ "description": "Selects cookie processing method (default is insert)",
+ "type": "string",
+ "enum": [
+ "insert",
+ "hash",
+ "passive",
+ "rewrite"
+ ],
+ "default": "insert"
+ },
+ "cookieName": {
+ "title": "Cookie name",
+ "description": "Cookie name (for method 'insert', default (empty-string) yields system-generated name)",
+ "type": "string",
+ "pattern": "^[0-9A-Za-z.~#$%^&*_-]{0,64}$",
+ "default": ""
+ }
+ },
+ "if": {
+ "properties": {
+ "cookieMethod": {
+ "const": "insert"
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "ttl": {
+ "title": "TTL",
+ "description": "Requested cookie lifetime (seconds, default 0 means session cookie)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 604800,
+ "default": 0
+ },
+ "httpOnly": {
+ "title": "HTTP only flag",
+ "description": "If true (default) the system sets the HTTPOnly flag",
+ "type": "boolean",
+ "default": true
+ },
+ "secure": {
+ "title": "Secure flag",
+ "description": "If true (default) the system sets the Secure (TLS) flag",
+ "type": "boolean",
+ "default": true
+ },
+ "alwaysSet": {
+ "title": "Always set",
+ "description": "If true, set cookie with every HTTP response (default false)",
+ "type": "boolean",
+ "default": false
+ },
+ "encrypt": {
+ "title":
"Encrypt cookie",
+ "description": "If true, prevent disclosure of (or tampering with) ADC info in cookie (default false, to reduce latency)",
+ "type": "boolean",
+ "default": false
+ },
+ "passphrase": {
+ "title": "Passphrase",
+ "description": "Used to create secret key for cookie encryption",
+ "type": "object",
+ "properties": {
+ "allowReuse": {
+ "description": "If true, other declaration objects may reuse this value",
+ "type": "boolean",
+ "default": false
+ }
+ },
+ "if": true,
+ "then": {
+ "$ref": "#/definitions/Secret"
+ },
+ "f5fetch": "object",
+ "f5secret": true
+ }
+ },
+ "if": {
+ "properties": {
+ "encrypt": {
+ "const": true
+ }
+ }
+ },
+ "then": {
+ "required": [
+ "passphrase"
+ ]
+ }
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "cookieMethod": {
+ "const": "hash"
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "cookieName": {
+ "minLength": 1
+ },
+ "startAt": {
+ "title": "Start at",
+ "description": "Index of first octet in cookie value to hash",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 4096,
+ "default": 0
+ },
+ "hashCount": {
+ "title": "Hash count",
+ "description": "Number of octets in cookie value to hash; 0 (default) means all",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 4096,
+ "default": 0
+ }
+ }
+ },
+ "else": {
+ "$comment": "No extra properties for passive or rewrite."
+ }
+ }
+ },
+ "Persist_Hash": {
+ "title": "Hash persistence",
+ "description": "Configures a hash persistence profile",
+ "properties": {
+ "duration": {
+ "title": "Duration",
+ "description": "Lifetime of persistence record (seconds, default 180)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 604800,
+ "default": 180
+ },
+ "hashAlgorithm": {
+ "title": "Hash algorithm",
+ "description": "Specifies the algorithm the system uses for hash persistence load balancing.
The hash result is the input for the algorithm.",
+ "type": "string",
+ "enum": [
+ "carp",
+ "default"
+ ],
+ "default": "default"
+ },
+ "startAt": {
+ "title": "Start at",
+ "description": "Index of first octet in packet to hash",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 65535,
+ "default": 0
+ },
+ "count": {
+ "title": "Hash count",
+ "description": "Number of octets in cookie value to hash; 0 (default) means all",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 65535,
+ "default": 0
+ },
+ "startPattern": {
+ "title": "Start pattern",
+ "description": "Regular expression which matches start of data to hash; default \"\" averts matching",
+ "type": "string",
+ "default": ""
+ },
+ "endPattern": {
+ "title": "End pattern",
+ "description": "Regular expression which matches end of data to hash; default \"\" averts matching",
+ "type": "string",
+ "default": ""
+ },
+ "bufferLimit": {
+ "title": "Buffer limit",
+ "description": "Number of octets to buffer while pattern-matching",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 65535,
+ "default": 0
+ },
+ "iRule": {
+ "title": "iRule",
+ "description": "AS3 pointer to iRule if any (declared separately)",
+ "if": {
+ "type": "string"
+ },
+ "then": {
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "iRule"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "else": {
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "title": "BIG-IP iRule",
+ "description": "Pathname of existing BIG-IP iRule",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "bigip"
+ ],
+ "f5bigComponent": "query ltm rule"
+ }
+ }
+ }
+ },
+ "Persist_MSRDP": {
+ "title": "MSRDP persistence",
+ "description": "Configures a Microsoft(r) Remote Display Protocol (MSRDP) persistence profile",
+ "properties": {
+ "duration": {
+ "title": "Duration",
+ "description": "Lifetime of persistence record (seconds, default 300)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 604800,
+ "default": 300
+ },
+ "sessionBroker": {
+ "title": "Session broker",
+ "description": "If true (default), the system will persist the client to the server chosen by session broker",
+ "type": "boolean",
+ "default": true
+ }
+ }
+ },
+ "Persist_SIP": {
+ "title": "SIP info persistence",
+ "description": "Configures a Session Initiation Protocol (SIP) persistence profile",
+ "properties": {
+ "duration": {
+ "title": "Duration",
+ "description": "Lifetime of persistence record (seconds, default 180)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 604800,
+ "default": 180
+ },
+ "header": {
+ "title": "SIP header",
+ "description": "Suggested values include: Call-ID, To, From, SIP-ETag, and Subject",
+ "type": "string",
+ "minLength": 1
+ }
+ },
+ "required": [
+ "header"
+ ]
+ },
+ "Persist_TLS_Session": {
+ "title": "TLS session persistence",
+ "description": "Configures a Secure Socket Layer (SSL) persistence profile",
+ "properties": {
+ "duration": {
+ "title": "Duration",
+ "description": "Lifetime of persistence record (seconds, default 300)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 604800,
+ "default": 300
+ }
+ }
+ },
+ "Persist_UIE": {
+ "title": "Universal persistence",
+ "description": "Configures a universal persistence profile",
+ "properties": {
+ "duration": {
+ "title": "Duration",
+ "description": "Lifetime of persistence record (seconds, default 180)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 604800,
+ "default": 180
+ },
+ "iRule": {
+ "title": "iRule",
+ "description": "AS3 pointer to required iRule (declared separately)",
+ "if": {
+ "type": "string"
+ },
+ "then": {
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "iRule"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "else": {
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "title": "BIG-IP iRule",
+ "description": "Pathname of existing BIG-IP iRule",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+
"additionalProperties": false,
+ "required": [
+ "bigip"
+ ],
+ "f5bigComponent": "query ltm rule"
+ }
+ }
+ },
+ "required": [
+ "iRule"
+ ]
+ },
+ "Pool": {
+ "title": "pool",
+ "description": "Declares a service pool",
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Pool"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "loadBalancingMode": {
+ "title": "LB mode",
+ "description": "Load-balancing mode",
+ "type": "string",
+ "enum": [
+ "dynamic-ratio-member",
+ "dynamic-ratio-node",
+ "fastest-app-response",
+ "fastest-node",
+ "least-connections-member",
+ "least-connections-node",
+ "least-sessions",
+ "observed-member",
+ "observed-node",
+ "predictive-member",
+ "predictive-node",
+ "ratio-least-connections-member",
+ "ratio-least-connections-node",
+ "ratio-member",
+ "ratio-node",
+ "ratio-session",
+ "round-robin",
+ "weighted-least-connections-member",
+ "weighted-least-connections-node"
+ ],
+ "default": "round-robin"
+ },
+ "minimumMembersActive": {
+ "title": "Minimum active",
+ "description": "Pool is down when fewer than this number of members are up",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 65535,
+ "default": 1
+ },
+ "monitors": {
+ "title": "Monitors",
+ "description": "List of health monitors (each by name or AS3 pointer)",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/Basic_Monitor"
+ },
+ "minItems": 1,
+ "$comment": "uniqueItems: true"
+ },
+ "minimumMonitors": {
+ "title": "Minimum monitors",
+ "description": "Member is down when fewer than minimum monitors report it healthy",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 63
+ },
+ "members": {
+ "title": "Members",
+ "description": "Set of Pool members",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/Pool_Member"
+ },
+ "minItems": 1,
+ "$comment": "uniqueItems: true",
+ "f5node": true
+ },
+ "reselectTries": {
+ "title": "Reselect tries",
+
"description": "Maximum number of attempts to find a responsive member for a connection",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 65535,
+ "default": 0
+ },
+ "serviceDownAction": {
+ "title": "Service-down action",
+ "description": "Specifies connection handling when member is non-responsive",
+ "type": "string",
+ "enum": [
+ "drop",
+ "none",
+ "reselect",
+ "reset"
+ ],
+ "default": "none"
+ },
+ "slowRampTime": {
+ "title": "Slow ramp time",
+ "description": "AS3 slowly the connection rate to a newly-active member slowly during this interval (seconds)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 900,
+ "default": 10
+ }
+ },
+ "additionalProperties": false,
+ "if": {
+ "required": [
+ "monitors"
+ ]
+ },
+ "then": {
+ "properties": {
+ "minimumMonitors": {
+ "default": 1
+ }
+ }
+ },
+ "required": [
+ "class"
+ ]
+ },
+ "Pool_Member": {
+ "title": "Pool member",
+ "description": "Declares a service-pool member",
+ "type": "object",
+ "properties": {
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "servicePort": {
+ "title": "Service port",
+ "description": "Service L4 port (optional port-discovery may override)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 65535
+ },
+ "bigip": {
+ "title": "BIG-IP node",
+ "description": "If defined, pathname of existing BIG-IP node",
+ "type": "string",
+ "format": "f5bigip"
+ },
+ "enable": {
+ "description": "Maps to BIG-IP pool member state",
+ "type": "boolean",
+ "default": true
+ },
+ "connectionLimit": {
+ "title": "Connection limit",
+ "description": "Maximum concurrent connections to member",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 2147483647,
+ "default": 0
+ },
+ "rateLimit": {
+ "title": "Rate limit",
+ "description": "Value zero prevents use of member",
+ "type": "integer",
+ "minimum": -1,
+ "maximum": 2147483647,
+ "default": -1
+ },
+ "dynamicRatio": {
+ "title": "Dynamic ratio",
+ "description": "Specifies a range of numbers that you want the system to use in
conjunction with the ratio load balancing method",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 100,
+ "default": 1
+ },
+ "ratio": {
+ "title": "Ratio",
+ "description": "Specifies the weight of the pool member for load balancing purposes",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 100,
+ "default": 1
+ },
+ "priorityGroup": {
+ "title": "Priority group",
+ "description": "Specifies the priority group within the pool for this pool member",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 65535,
+ "default": 0
+ },
+ "monitors": {
+ "title": "Monitors",
+ "description": "List of monitors (each by name or AS3 pointer)",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/Basic_Monitor"
+ },
+ "minItems": 1,
+ "$comment": "uniqueItems: true"
+ },
+ "minimumMonitors": {
+ "title": "Minimum monitors",
+ "description": "Member is down when fewer than minimum monitors report it healthy",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 63
+ },
+ "adminState": {
+ "title": "Administration State",
+ "description": "Setting adminState to enable will create the node in an operational state. Set to disable to disallow new connections but allow existing connections to drain.
Set to offline to force immediate termination of all connections.",
+ "type": "string",
+ "enum": [
+ "enable",
+ "disable",
+ "offline"
+ ],
+ "default": "enable"
+ },
+ "addressDiscovery": {
+ "title": "Address discovery",
+ "description": "Selects how server (node) addresses are discovered",
+ "type": "string",
+ "enum": [
+ "static",
+ "fqdn",
+ "aws",
+ "gce",
+ "azure"
+ ],
+ "default": "static"
+ }
+ },
+ "f5bigComponent": "query ltm node",
+ "dependencies": {
+ "addressDiscovery": {
+ "not": {
+ "required": [
+ "bigip"
+ ]
+ }
+ }
+ },
+ "required": [
+ "servicePort"
+ ],
+ "allOf": [
+ {
+ "if": {
+ "required": [
+ "bigip"
+ ]
+ },
+ "then": {
+ "if": {
+ "required": [
+ "monitors"
+ ]
+ },
+ "then": {
+ "properties": {
+ "minimumMonitors": {
+ "default": 1
+ }
+ }
+ }
+ }
+ },
+ {
+ "if": {
+ "properties": {
+ "addressDiscovery": {
+ "enum": [
+ "fqdn",
+ "aws",
+ "azure",
+ "gce"
+ ]
+ }
+ }
+ },
+ "then": {
+ "updateInterval": {
+ "title": "Update interval",
+ "description": "Server-discovery update interval (seconds)",
+ "type": "integer",
+ "minimum": 1,
+ "maximum": 3600,
+ "default": 60
+ }
+ }
+ },
+ {
+ "if": {
+ "properties": {
+ "addressDiscovery": {
+ "enum": [
+ "aws",
+ "azure",
+ "gce"
+ ]
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "tagKey": {
+ "title": "Tag key",
+ "type": "string",
+ "minLength": 1,
+ "description": "The tag key associated with the node to add to this pool"
+ },
+ "tagValue": {
+ "title": "Tag value",
+ "type": "string",
+ "minLength": 1,
+ "description": "The tag value associated with the node to add to this pool"
+ },
+ "addressRealm": {
+ "title": "Address realm",
+ "type": "string",
+ "enum": [
+ "public",
+ "private"
+ ],
+ "description": "Specifies whether to look for public or private ip addresses"
+ },
+ "credentialUpdate": {
+ "title": "Credential Update",
+ "type": "boolean",
+ "description": "Specifies whether you are updating your credentials",
+ "default": false
+ }
+ },
+ "required": [
+ "tagKey",
+
"tagValue",
+ "addressRealm"
+ ]
+ }
+ },
+ {
+ "if": {
+ "properties": {
+ "addressDiscovery": {
+ "const": "static"
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "serverAddresses": {
+ "title": "Server addresses",
+ "description": "Static IP addresses of servers (nodes)",
+ "type": "array",
+ "items": {
+ "title": "Server address",
+ "type": "string",
+ "format": "f5ip"
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ },
+ "": {
+ "not": {
+ "type": "string"
+ }
+ }
+ },
+ "if": {
+ "required": [
+ "monitors"
+ ]
+ },
+ "then": {
+ "properties": {
+ "minimumMonitors": {
+ "default": 1
+ }
+ }
+ },
+ "required": [
+ "serverAddresses"
+ ]
+ }
+ },
+ {
+ "if": {
+ "properties": {
+ "addressDiscovery": {
+ "const": "fqdn"
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "hostname": {
+ "title": "Hostname",
+ "type": "string",
+ "format": "hostname"
+ },
+ "addressFamily": {
+ "title": "Address family",
+ "description": "Selects IPv4/6 and DNS A/AAAA RR's",
+ "type": "string",
+ "enum": [
+ "IPv4",
+ "IPv6"
+ ],
+ "default": "IPv4"
+ },
+ "autoPopulate": {
+ "title": "Auto-populate",
+ "description": "If true use multiple server (node) addresses when available, otherwise use only one",
+ "type": "boolean",
+ "default": false
+ },
+ "queryInterval": {
+ "title": "Query interval",
+ "description": "Normal DNS query interval (seconds, default 0 means RR TTL)",
+ "type": "integer",
+ "minimum": 0,
+ "default": 0
+ },
+ "downInterval": {
+ "title": "Down interval",
+ "description": "DNS retry interval after resolution failure (seconds)",
+ "type": "integer",
+ "minimum": 0,
+ "default": 5
+ }
+ },
+ "if": {
+ "required": [
+ "monitors"
+ ]
+ },
+ "then": {
+ "properties": {
+ "minimumMonitors": {
+ "default": 1
+ }
+ }
+ },
+ "required": [
+ "hostname"
+ ]
+ }
+ },
+ {
+ "if": {
+ "properties": {
+ "addressDiscovery": {
+ "const": "aws"
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "region": {
+ "title": "AWS region",
+ "description": "Empty string (default) means region in which
ADC is running",
+ "type": "string",
+ "default": ""
+ },
+ "roleARN": {
+ "title": "Role Amazon Resource Name",
+ "description": "Assume a role (also requires the externalId field)",
+ "type": "string",
+ "minLength": 1
+ },
+ "externalId": {
+ "title": "External Id",
+ "description": "External Id",
+ "type": "string",
+ "minLength": 1
+ },
+ "accessKeyId": {
+ "title": "Access Key Id",
+ "description": "Information for discovering AWS nodes that are not in the same region as your BigIP (also requires the secretAccessKey field",
+ "type": "string",
+ "minLength": 1
+ },
+ "secretAccessKey": {
+ "title": "Secret Access Key",
+ "description": "Will be stored in the declaration as an encrypted string",
+ "type": "string",
+ "minLength": 1,
+ "cloudLibsEncrypt": true
+ }
+ },
+ "dependencies": {
+ "roleARN": {
+ "required": [
+ "externalId"
+ ]
+ },
+ "externalId": {
+ "required": [
+ "roleARN"
+ ]
+ },
+ "accessKeyId": {
+ "required": [
+ "secretAccessKey"
+ ]
+ },
+ "secretAccessKey": {
+ "required": [
+ "accessKeyId"
+ ]
+ }
+ },
+ "if": {
+ "required": [
+ "monitors"
+ ]
+ },
+ "then": {
+ "properties": {
+ "minimumMonitors": {
+ "default": 1
+ }
+ }
+ },
+ "required": [
+ "region"
+ ]
+ }
+ },
+ {
+ "if": {
+ "properties": {
+ "addressDiscovery": {
+ "const": "azure"
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "resourceGroup": {
+ "title": "Resource group",
+ "description": "Azure Resource Group name",
+ "type": "string"
+ },
+ "subscriptionId": {
+ "title": "Subscription ID",
+ "description": "Azure subscription ID",
+ "type": "string"
+ },
+ "directoryId": {
+ "title": "(Azure) Directory ID",
+ "description": "Azure Active Directory ID (AKA tenant ID)",
+ "type": "string"
+ },
+ "applicationId": {
+ "title": "(Azure) Application ID",
+ "description": "Azure registered application ID (AKA client ID)",
+ "type": "string"
+ },
+ "apiAccessKey": {
+ "title": "Azure API access key",
+ "description": "Azure registered application API access key (AKA service
principal secret). Will be stored in the declaration in an encrypted format.",
+ "type": "string",
+ "minLength": 1,
+ "cloudLibsEncrypt": true
+ }
+ },
+ "if": {
+ "required": [
+ "monitors"
+ ]
+ },
+ "then": {
+ "properties": {
+ "minimumMonitors": {
+ "default": 1
+ }
+ }
+ },
+ "required": [
+ "resourceGroup",
+ "subscriptionId",
+ "directoryId",
+ "applicationId",
+ "apiAccessKey"
+ ]
+ }
+ },
+ {
+ "if": {
+ "properties": {
+ "addressDiscovery": {
+ "const": "gce"
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "region": {
+ "title": "GCE region",
+ "description": "Empty string (default) means region in which ADC is running",
+ "type": "string"
+ },
+ "encodedCredentials": {
+ "title": "Encoded Service Account Credentials",
+ "description": "Base 64 encoded service account credentials JSON",
+ "type": "string",
+ "minLength": 1,
+ "cloudLibsEncrypt": true
+ }
+ },
+ "if": {
+ "required": [
+ "monitors"
+ ]
+ },
+ "then": {
+ "properties": {
+ "minimumMonitors": {
+ "default": 1
+ }
+ }
+ },
+ "required": [
+ "region"
+ ]
+ }
+ }
+ ]
+ },
+ "Basic_Monitor": {
+ "title": "Basic Monitor",
+ "description": "Holds name of simple monitor or AS3 pointer to a monitor declaration",
+ "if": {
+ "type": "string"
+ },
+ "then": {
+ "enum": [
+ "http",
+ "https",
+ "icmp",
+ "tcp-half-open",
+ "tcp"
+ ]
+ },
+ "else": {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to monitor declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Monitor"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP monitor",
+ "description": "Pathname of existing BIG-IP monitor",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minimumProperties": 1,
+ "maximumProperties": 1,
+ "f5bigComponent": "probe ltm monitor icmp"
+ }
+ },
+ "Monitor": {
+ "title": "Monitor",
+ "description": "Declares a (possibly complex) monitor",
+
"type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Monitor"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "monitorType": {
+ "title": "Monitor type",
+ "description": "You may customize each monitor type",
+ "type": "string",
+ "enum": [
+ "external",
+ "http",
+ "https",
+ "icmp",
+ "sip",
+ "smtp",
+ "tcp",
+ "tcp-half-open",
+ "udp"
+ ]
+ },
+ "targetAddress": {
+ "title": "Address",
+ "description": "IP address monitor should probe; if empty (default) then pool member address",
+ "type": "string",
+ "format": "f5ip",
+ "default": ""
+ },
+ "interval": {
+ "title": "Interval",
+ "description": "Poll interval (seconds)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 3600,
+ "default": 5
+ },
+ "upInterval": {
+ "title": "Up-Interval",
+ "description": "Poll interval when service is already up (seconds)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 3600,
+ "default": 0
+ },
+ "timeUntilUp": {
+ "title": "Time until up",
+ "description": "Delay between successful probe and sending traffic to node (seconds)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 1800,
+ "default": 0
+ },
+ "timeout": {
+ "title": "Timeout",
+ "description": "Time limit for node to respond (seconds)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 900,
+ "default": 16
+ }
+ },
+ "if": {
+ "properties": {
+ "monitorType": {
+ "const": "icmp"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Monitor_ICMP"
+ },
+ "else": {
+ "properties": {
+ "targetPort": {
+ "title": "Port",
+ "description": "L4 port (if any) monitor should probe; if 0 (default) then pool member port",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 65535,
+ "default": 0
+ }
+ },
+ "if": {
+ "properties": {
+ "monitorType": {
+ "const": "http"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Monitor_HTTP"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "monitorType": {
+ "const": "https"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Monitor_HTTPS"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "monitorType": {
+ "const": "external"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Monitor_External"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "monitorType": {
+ "const": "tcp"
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "dscp": {
+ "title": "IP DSCP",
+ "description": "Value for IP DSCP (ex-TOS) field (default 0)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 63,
+ "default": 0
+ }
+ },
+ "if": true,
+ "then": {
+ "$ref": "#/definitions/Monitor_Send_Recv"
+ }
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "monitorType": {
+ "const": "udp"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Monitor_Send_Recv"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "monitorType": {
+ "const": "smtp"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Monitor_SMTP"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "monitorType": {
+ "const": "sip"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Monitor_SIP"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "monitorType": {
+ "const": "tcp-half-open"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Monitor_TCP_Half_Open"
+ },
+ "else": {
+ "$comment": "Unrecognized monitorType.",
+ "not": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "required": [
+ "class",
+ "monitorType"
+ ]
+ },
+ "Monitor_May_Adapt": {
+ "description": "Additional Monitor class properties available when monitorType = http, https, tcp, udp, or icmp",
+ "properties": {
+ "adaptive": {
+ "title": "Adaptive",
+ "description": "If true, use adaptive probe timing",
+ "type": "boolean",
+ "default": false
+ },
+ "adaptiveDivergenceType": {
+ "title": "Adaptive divergence type",
+ "description": "Adaptive divergence, 'absolute' selects milliseconds, 'relative' (default) selects percentage",
+ "type": "string",
+ "enum": [
+ "absolute",
+ "relative"
+ ],
+ "default": "relative"
+ },
+ "adaptiveDivergenceMilliseconds": {
+ "title": "Adaptive divergence
msec",
+ "description": "Probe fails if response latency exceeds mean by this number of milliseconds",
+ "type": "integer",
+ "minimum": 1,
+ "maximum": 10000,
+ "default": 500
+ },
+ "adaptiveDivergencePercentage": {
+ "title": "Adaptive divergence percent",
+ "description": "Probe fails if response latency exceeds mean by this percentage",
+ "type": "integer",
+ "minimum": 1,
+ "maximum": 500,
+ "default": 100
+ },
+ "adaptiveLimitMilliseconds": {
+ "title": "Adaptive limit msec",
+ "description": "Probe fails if response latency exceeds this number of milliseconds",
+ "type": "integer",
+ "minimum": 1,
+ "maximum": 10000,
+ "default": 1000
+ },
+ "adaptiveWindow": {
+ "title": "Adaptive window",
+ "description": "Time window over which the system samples latency (seconds)",
+ "type": "integer",
+ "minimum": 60,
+ "maximum": 1800,
+ "default": 180
+ }
+ }
+ },
+ "Monitor_External": {
+ "description": "Additional Monitor class properties available when monitorType = external",
+ "properties": {
+ "command": {
+ "title": "Command",
+ "description": "Full (Linux) pathname of command (will be backquote-expanded)",
+ "type": "string",
+ "minLength": 2,
+ "f5expand": true
+ },
+ "arguments": {
+ "title": "Arguments",
+ "description": "Arguments to specified command (will be backquote-expanded)",
+ "type": "string",
+ "default": "",
+ "f5expand": true
+ }
+ },
+ "required": [
+ "command"
+ ]
+ },
+ "Monitor_HTTP": {
+ "description": "Additional Monitor class properties available when monitorType = http or https",
+ "properties": {
+ "send": {
+ "title": "Send",
+ "description": "Send this (backquote-expanded) string to query node",
+ "type": "string",
+ "default": "HEAD / HTTP/1.0\\r\\n\\r\\n",
+ "f5expand": true
+ },
+ "receive": {
+ "title": "Receive = up",
+ "description": "Mark node up upon receipt of this (backquote-expanded) string",
+ "type": "string",
+ "default": "HTTP/1.",
+ "f5expand": true
+ },
+ "receiveDown": {
+ "title": "Receive = down",
+ "description":
"Mark node down upon receipt of this (backquote-expanded) string (optional; must be empty when 'reverse' is true)",
+ "type": "string",
+ "default": "",
+ "f5expand": true
+ },
+ "reverse": {
+ "title": "Reverse",
+ "description": "If true, mark node down upon receipt of 'receive' string",
+ "type": "boolean",
+ "default": false
+ },
+ "username": {
+ "title": "Username",
+ "description": "Username if any for query authentication",
+ "type": "string"
+ },
+ "passphrase": {
+ "title": "Passphrase",
+ "description": "Passphrase if any for query authentication",
+ "type": "object",
+ "properties": {
+ "allowReuse": {
+ "description": "If true, other declaration objects may reuse this value",
+ "type": "boolean",
+ "default": false
+ }
+ },
+ "if": true,
+ "then": {
+ "$ref": "#/definitions/Secret"
+ },
+ "f5fetch": "object",
+ "f5secret": true
+ },
+ "transparent": {
+ "title": "Transparent",
+ "description": "If true, treat pool member address as gateway to server (node) (default false)",
+ "type": "boolean",
+ "default": false
+ },
+ "dscp": {
+ "title": "IP DSCP",
+ "description": "Value for IP DSCP (ex-TOS) field (default 0)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 63,
+ "default": 0
+ }
+ },
+ "if": true,
+ "then": {
+ "$ref": "#/definitions/Monitor_May_Adapt"
+ },
+ "dependencies": {
+ "reverse": {
+ "if": {
+ "properties": {
+ "reverse": {
+ "const": true
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "receiveDown": {
+ "const": ""
+ }
+ }
+ }
+ }
+ }
+ },
+ "Monitor_HTTPS": {
+ "description": "Additional Monitor class properties available when monitorType = https",
+ "properties": {
+ "ciphers": {
+ "title": "Ciphers",
+ "description": "Ciphersuite selection string",
+ "type": "string",
+ "default": "DEFAULT"
+ },
+ "clientCertificate": {
+ "title": "Client certificate",
+ "description": "AS3 pointer to client Certificate declaration, for TLS authentication (optional)",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+
"class": {
+ "const": "Certificate"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ }
+ },
+ "if": true,
+ "then": {
+ "$ref": "#/definitions/Monitor_HTTP"
+ }
+ },
+ "Monitor_ICMP": {
+ "description": "Additional Monitor class properties available when monitorType = icmp",
+ "properties": {
+ "transparent": {
+ "title": "Transparent",
+ "description": "If true, treat pool member address as gateway to server (node) (default false)",
+ "type": "boolean",
+ "default": false
+ }
+ },
+ "if": true,
+ "then": {
+ "$ref": "#/definitions/Monitor_May_Adapt"
+ }
+ },
+ "Monitor_SIP": {
+ "description": "Additional Monitor class properties available when monitorType = sip",
+ "properties": {
+ "protocol": {
+ "title": "Protocol",
+ "description": "SIP transport protocol",
+ "type": "string",
+ "enum": [
+ "sips",
+ "tcp",
+ "tls",
+ "udp"
+ ],
+ "default": "udp"
+ },
+ "request": {
+ "title": "Request",
+ "description": "SIP request to send in probes (default empty)",
+ "type": "string",
+ "default": ""
+ },
+ "headers": {
+ "title": "Headers",
+ "description": "SIP headers to send in probes (if any)--separate by newlines (backquote-expanded)",
+ "type": "string",
+ "default": "",
+ "f5expand": true
+ },
+ "codesUp": {
+ "title": "Codes = up",
+ "description": "List of additional (to all 1/2/3xx) status codes meaning service is up (0 matches any code)",
+ "type": "array",
+ "items": {
+ "title": "Code = up",
+ "type": "integer",
+ "minimum": 0
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ },
+ "codesDown": {
+ "title": "Codes = down",
+ "description": "List of status codes meaning service is down (0 matches any code)",
+ "type": "array",
+ "items": {
+ "title": "Code = down",
+ "type": "integer",
+ "minimum": 0
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ },
+ "ciphers": {
+ "title": "Ciphers",
+ "description": "Ciphersuite selection string",
+ "type": "string",
+ "default": "DEFAULT"
+ },
+ "clientCertificate": {
+ "title": "Client certificate",
+ "description": "AS3 pointer
to client Certificate declaration, for TLS authentication (optional)",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Certificate"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ }
+ },
+ "dependencies": {
+ "clientCertificate": {
+ "properties": {
+ "protocol": {
+ "enum": [
+ "sips",
+ "tls"
+ ]
+ }
+ }
+ }
+ }
+ },
+ "Monitor_SMTP": {
+ "description": "Additional Monitor class properties available when monitorType = smtp",
+ "properties": {
+ "domain": {
+ "title": "Domain",
+ "description": "Mail domain to check, if any (backquote-expanded)",
+ "type": "string",
+ "format": "hostname",
+ "default": "",
+ "f5expand": true
+ }
+ }
+ },
+ "Monitor_Send_Recv": {
+ "description": "Additional Monitor class properties available when monitorType = tcp or udp",
+ "properties": {
+ "send": {
+ "title": "Send",
+ "description": "Send this (backquote-expanded) string to node",
+ "type": "string",
+ "f5expand": true
+ },
+ "receive": {
+ "title": "Receive = up",
+ "description": "Mark node up upon receipt of this (backquote-expanded) string",
+ "type": "string",
+ "f5expand": true
+ },
+ "receiveDown": {
+ "title": "Receive = down",
+ "description": "Mark node down upon receipt of this (backquote-expanded) string (optional; must be empty when 'reverse' is true)",
+ "type": "string",
+ "default": "",
+ "f5expand": true
+ },
+ "reverse": {
+ "title": "Reverse",
+ "description": "If true, mark node down upon receipt of 'receive' string",
+ "type": "boolean",
+ "default": false
+ },
+ "transparent": {
+ "title": "Transparent",
+ "description": "If true, treat pool member address as gateway to server (node) (default false)",
+ "type": "boolean",
+ "default": false
+ }
+ },
+ "if": true,
+ "then": {
+ "$ref": "#/definitions/Monitor_May_Adapt"
+ },
+ "dependencies": {
+ "reverse": {
+ "if": {
+ "properties": {
+ "reverse": {
+ "const": true
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "receiveDown": {
+ "const": ""
+ }
+ }
+ }
+ }
+
},
+ "required": [
+ "send",
+ "receive"
+ ]
+ },
+ "Monitor_TCP_Half_Open": {
+ "description": "Additional Monitor class properties available when monitorType = tcp-half-open",
+ "properties": {
+ "transparent": {
+ "title": "Transparent",
+ "description": "If true, treat pool member address as gateway to server (node) (default false)",
+ "type": "boolean",
+ "default": false
+ }
+ }
+ },
+ "TLS_Server": {
+ "title": "TLS Server",
+ "description": "TLS server parameters (connections arriving to ADC)",
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "TLS_Server"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "requireSNI": {
+ "title": "Require SNI",
+ "description": "When a client sends no or unknown SNI and Require SNI is false (default), the system uses the primary certificate, otherwise the system rejects the client",
+ "type": "boolean",
+ "default": false
+ },
+ "certificates": {
+ "title": "Certificates",
+ "description": "Primary and (optional) additional certificates (order is significant, element 0 is primary cert)",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "matchToSNI": {
+ "title": "Match to SNI",
+ "description": "If value is FQDN (wildcard okay), ignore all names in certificate and select this cert when SNI matches value (or by default)",
+ "type": "string"
+ },
+ "certificate": {
+ "title": "Certificate",
+ "description": "AS3 pointer to Certificate declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Certificate"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "certificate"
+ ]
+ },
+ "minItems": 1,
+ "$comment": "uniqueItems: true"
+ },
+ "ciphers": {
+ "title": "Ciphers",
+ "description": "Ciphersuite selection string",
+ "type": "string",
+ "default": "DEFAULT"
+ },
+ "authenticationMode":
{
+ "title": "Authentication mode",
+ "description": "Client certificate authentication mode",
+ "type": "string",
+ "enum": [
+ "ignore",
+ "request",
+ "require"
+ ],
+ "default": "ignore"
+ },
+ "authenticationFrequency": {
+ "title": "Authentication frequency",
+ "description": "Client certificate authentication frequency",
+ "type": "string",
+ "enum": [
+ "one-time",
+ "every-time"
+ ],
+ "default": "one-time"
+ },
+ "authenticationTrustCA": {
+ "title": "Authentication trust CA",
+ "description": "AS3 pointer to declaration of CA Bundle used to validate client certificates",
+ "if": {
+ "type": "string"
+ },
+ "then": {
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "CA_Bundle"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "else": {
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "title": "BIG-IP CA bundle",
+ "description": "Pathname of existing BIG-IP CA bundle",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "bigip"
+ ],
+ "f5bigComponent": "query sys file ssl-cert"
+ }
+ },
+ "authenticationInviteCA": {
+ "title": "Authentication invite CA",
+ "description": "AS3 pointer to declaration of CA Bundle used to invite client certificates",
+ "if": {
+ "type": "string"
+ },
+ "then": {
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "CA_Bundle"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "else": {
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "title": "BIG-IP CA bundle",
+ "description": "Pathname of existing BIG-IP CA bundle",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "bigip"
+ ],
+ "f5bigComponent": "query sys file ssl-cert"
+ }
+ }
+ },
+ "additionalProperties": false,
+ "if": {
+ "properties": {
+ "authenticationMode": {
+ "enum": [
+ "request",
+ "require"
+ ]
+ }
+ }
+ },
+ "then": {
+ "required": [
+ "authenticationTrustCA"
+ ]
+ },
+ "required": [
+ "class",
+ "certificates" + ] + }, + "TLS_Client": { + "title": "TLS Client", + "description": "TLS client parameters (connections leaving ADC)", + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "TLS_Client" + }, + "label": { + "$ref": "#/definitions/Label" + }, + "remark": { + "$ref": "#/definitions/Remark" + }, + "sendSNI": { + "title": "Send SNI", + "description": "FQDN to send in SNI (optional)", + "type": "string", + "format": "hostname", + "default": "none" + }, + "ciphers": { + "title": "Ciphers", + "description": "Ciphersuite selection string", + "type": "string", + "default": "DEFAULT" + }, + "serverName": { + "title": "Server name", + "description": "FQDN which server certificate must match (optional)", + "type": "string", + "format": "hostname", + "default": "none" + }, + "validateCertificate": { + "title": "Validate certificate", + "description": "If false (default) accept any cert from server, else validate server cert against trusted CA bundle", + "type": "boolean", + "default": false + }, + "trustCA": { + "title": "Trusted CA bundle", + "description": "CA's trusted to validate server certificate; 'generic' (default) or else AS3 pointer to declaration of CA Bundle", + "if": { + "not": { + "type": "object" + } + }, + "then": { + "type": "string", + "enum": [ + "generic" + ], + "default": "generic" + }, + "else": { + "properties": { + "use": { + "title": "Use", + "description": "AS3 pointer to declaration of CA bundle", + "type": "string", + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "CA_Bundle" + } + }, + "required": [ + "class" + ] + } + }, + "bigip": { + "title": "BIG-IP CA bundle", + "description": "Pathname of existing BIG-IP CA bundle", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "minimumProperties": 1, + "maximumProperties": 1, + "f5bigComponent": "query sys file ssl-cert" + } + }, + "ignoreExpired": { + "title": "Ignored 
expired", + "description": "If false (default) drop connections with expired server certificates", + "type": "boolean", + "default": false + }, + "ignoreUntrusted": { + "title": "Ignored untrusted", + "description": "If false (default) drop connections with untrusted server certificates", + "type": "boolean", + "default": false + }, + "sessionTickets": { + "title": "Session tickets", + "description": "If false (default) do not use rfc5077 session tickets", + "type": "boolean", + "default": false + }, + "clientCertificate": { + "title": "Client certificate", + "description": "AS3 pointer to client Certificate declaration (optional)", + "type": "string", + "f5pointsTo": { + "properties": { + "class": { + "const": "Certificate" + } + }, + "required": [ + "class" + ] + } + } + }, + "additionalProperties": false, + "required": [ + "class" + ] + }, + "Certificate": { + "title": "Certificate", + "description": "PKI certificate with optional private-key and/or chain, optional OCSP stapler", + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "Certificate" + }, + "label": { + "$ref": "#/definitions/Label" + }, + "remark": { + "$ref": "#/definitions/Remark" + }, + "pkcs12": { + "title": "PKCS#12 certificate+key", + "description": "PKCS#12 (.p12/.pfx) blob containing both certificate and private key", + "if": true, + "then": { + "$ref": "#/definitions/F5string" + }, + "f5fetch": "binary" + }, + "certificate": { + "title": "Certificate", + "description": "X.509 public-key certificate", + "if": true, + "then": { + "$ref": "#/definitions/F5string" + }, + "f5fetch": "pki-cert", + "f5bigComponent": "query sys file ssl-cert" + }, + "privateKey": { + "title": "Private key", + "description": "Private key matching certificate's public key (optional)", + "if": true, + "then": { + "$ref": "#/definitions/F5string" + }, + "f5fetch": "pki-key", + "f5bigComponent": "query sys file ssl-key" + }, + "passphrase": { + "title": "Passphrase", + 
"description": "If supplied, used to decrypt privateKey at runtime (optional)", + "type": "object", + "properties": { + "allowReuse": { + "description": "If true, other declaration objects may reuse this value", + "type": "boolean", + "default": false + } + }, + "if": true, + "then": { + "$ref": "#/definitions/Secret" + }, + "f5fetch": "object", + "f5secret": true + }, + "chainCA": { + "title": "CA chain", + "description": "Bundle of one or more CA certificates in trust-chain from root CA to certificate (optional)", + "if": true, + "then": { + "$ref": "#/definitions/F5string" + }, + "f5fetch": "pki-bundle", + "f5bigComponent": "query sys file ssl-cert" + }, + "staplerOCSP": { + "title": "OCSP Stapler", + "description": "AS3 pointer to OCSP Stapler declaration (optional)", + "type": "object", + "properties": { + "bigip": { + "title": "BIG-IP OCSP stapling params", + "description": "Pathname of existing BIG-IP OCSP stapling parameters", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "required": [ + "bigip" + ], + "f5bigComponent": "query ltm profile ocsp-stapling-params" + } + }, + "additionalProperties": false, + "if": { + "required": [ + "pkcs12" + ] + }, + "then": { + "dependencies": { + "certificate": { + "not": {} + }, + "privateKey": { + "not": {} + } + } + }, + "else": { + "required": [ + "certificate" + ], + "not": { + "required": [ + "pkcs12" + ] + } + }, + "required": [ + "class" + ] + }, + "CA_Bundle": { + "title": "CA Bundle", + "description": "Bundle of one or more PKI Certificate-Authority certificates", + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "CA_Bundle" + }, + "label": { + "$ref": "#/definitions/Label" + }, + "remark": { + "$ref": "#/definitions/Remark" + }, + "bundle": { + "description": "Reference to a CA bundle", + "if": true, + "then": { + "$ref": "#/definitions/F5string" + }, + "f5fetch": "pki-cert", + "f5bigComponent": "query sys file ssl-cert" + 
} + }, + "additionalProperties": false, + "required": [ + "class", + "bundle" + ] + }, + "Sender_Tag_Mapping": { + "title": "Sender and Tag Data Group Mapping", + "description": "Establishes a mapping between a sender value and data group containing tag substitution values", + "type": "object", + "properties": { + "senderId": { + "title": "Sender ID", + "description": "Specifies sender ID value", + "type": "string" + }, + "tagDataGroup": { + "description": "Specifies tag substitution data group", + "type": "object", + "properties": { + "use": { + "title": "Use", + "description": "AS3 pointer to data group if any (declared separately)", + "type": "string", + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "Data_Group" + } + }, + "required": [ + "class" + ] + } + }, + "bigip": { + "title": "BIG-IP data group", + "description": "Pathname of existing BIG-IP data group", + "type": "string", + "format": "f5bigip" + } + }, + "dependencies": { + "bigip": { + "properties": { + "isExternal": { + "title": "External data group", + "description": "Toggles whether existing data group is internal or external", + "type": "boolean", + "default": false + } + } + } + }, + "if": { + "properties": { + "isExternal": { + "const": true + } + } + }, + "then": { + "f5bigComponent": "query ltm data-group external" + }, + "else": { + "f5bigComponent": "query ltm data-group internal" + }, + "minProperties": 1, + "maxProperties": 2 + } + }, + "additionalProperties": false, + "required": [ + "senderId", + "tagDataGroup" + ] + }, + "FIX_Profile": { + "title": "FIX Profile", + "type": "object", + "description": "Configures a Financial Information eXchange Protocol (FIX) profile", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "FIX_Profile" + }, + "label": { + "$ref": "#/definitions/Label" + }, + "remark": { + "$ref": "#/definitions/Remark" + }, + "parentProfile": { + "description": "Specifies the name of the profile object to inherit 
the settings from", + "allOf": [ + { + "$ref": "#/definitions/Pointer_FIX_Profile" + } + ], + "default": { + "bigip": "/Common/fix" + } + }, + "errorAction": { + "title": "Error Action", + "description": "Specifies the error handling method", + "type": "string", + "enum": [ + "dont-forward", + "drop-connection" + ], + "default": "dont-forward" + }, + "fullLogonParsingEnabled": { + "title": " Fully Parse Logon Message", + "description": "Enables or disables logon message as always fully parsed. Other messages are parsed according to the configuration of Quick Parsing", + "type": "boolean", + "default": true + }, + "messageLogPublisher": { + "title": "Message Log Publisher", + "description": "Specifies the publisher for message logging", + "allOf": [ + { + "$ref": "#/definitions/Pointer_Log_Publisher" + } + ] + }, + "reportLogPublisher": { + "description": "Specifies the publisher for error messages and status reports", + "allOf": [ + { + "$ref": "#/definitions/Pointer_Log_Publisher" + } + ] + }, + "quickParsingEnabled": { + "title": "Quick Parsing", + "description": "Enables or disables quick parsing which parses the basic standard fields and validates message length and checksum", + "type": "boolean", + "default": false + }, + "responseParsingEnabled": { + "title": "Response Parsing", + "description": "Enables or disables response parsing which parses the messages from the FIX server. Applies the same parser configuration and error handling at server side as at client side. 
If not enabled, server side messages are directly passed through", + "type": "boolean", + "default": false + }, + "statisticsSampleInterval": { + "title": "Statistics Sample Interval", + "description": "Specifies the sample interval of the message rate in seconds", + "type": "integer", + "default": 20, + "minimum": 10, + "maximum": 4294967295 + }, + "senderTagMappingList": { + "title": "Sender and Tag Substitution Mapping", + "description": "Specifies the mappings between sender ID and tag substitution data group.", + "type": "array", + "items": { + "$ref": "#/definitions/Sender_Tag_Mapping" + } + } + }, + "additionalProperties": false, + "required": [ + "class" + ] + }, + "HTTP_Profile": { + "title": "HTTP Profile", + "type": "object", + "description": "HTTP profile with configurable options", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "HTTP_Profile" + }, + "label": { + "$ref": "#/definitions/Label" + }, + "remark": { + "$ref": "#/definitions/Remark" + }, + "proxyType": { + "title": "Proxy type", + "description": "Default value 'reverse' is usually appropriate. You may use 'transparent' when virtual server will handle a mix of HTTP and non-HTTP traffic. 
You may use 'explicit' when clients will ask ADC to proxy connections to arbitrary remote services", + "type": "string", + "enum": [ + "reverse", + "transparent", + "explicit" + ], + "default": "reverse" + }, + "encryptCookies": { + "title": "Encrypt cookies", + "description": "List cookies to encrypt en-route to the client and decrypt en-route to a pool member", + "type": "array", + "items": { + "title": "Cookie name", + "type": "string", + "pattern": "^[^\\x00-\\x20\\x22=\\x5c\\x7f-\\xff]+$" + }, + "minItems": 1, + "uniqueItems": true + }, + "cookiePassphrase": { + "title": "Cookie encryption passphrase", + "description": "Used to create secret key for cookie encryption (when missing, AS3 uses a system-generated key)", + "type": "object", + "properties": { + "allowReuse": { + "description": "If true, other declaration objects may reuse this value", + "type": "boolean", + "default": false + } + }, + "if": true, + "then": { + "$ref": "#/definitions/Secret" + }, + "f5fetch": "object", + "f5secret": true + }, + "fallbackRedirect": { + "title": "Fallback Redirect", + "description": "Domain name (or IP address) of service (if any) to which AS3 should redirect a request when no pool member is responsive or selected pool member returns a fallbackStatusCode", + "type": "string", + "minLength": 1, + "anyOf": [ + { + "format": "hostname" + }, + { + "format": "f5ip" + } + ] + }, + "fallbackStatusCodes": { + "title": "Fallback status codes", + "description": "When a pool member responds to a request with one of these HTTP status codes (for example, 500), redirect the client to the fallbackRedirect", + "type": "array", + "items": { + "title": "Status code", + "type": "integer", + "minimum": 100, + "maximum": 999 + }, + "minItems": 1, + "uniqueItems": true + }, + "requestChunking": { + "title": "Request chunking", + "description": "Controls handling of HTTP payload chunking in requests from clients (default is 'preserve')", + "type": "string", + "enum": [ + "selective", + 
"preserve", + "rechunk" + ], + "default": "preserve" + }, + "responseChunking": { + "title": "Response chunking", + "description": "Controls handling of HTTP payload chunking in responses from pool members (default 'selective' adapts to most situations)", + "type": "string", + "enum": [ + "selective", + "preserve", + "unchunk", + "rechunk" + ], + "default": "selective" + }, + "rewriteRedirects": { + "title": "Rewrite redirects", + "description": "In selected Location-header values (default none) of redirect responses from pool members, change protocol HTTP to HTTPS before passing redirects to clients", + "type": "string", + "enum": [ + "none", + "all", + "matching", + "addresses" + ], + "default": "none" + }, + "multiplexTransformations": { + "title": "Multiplex transformations", + "description": "If true (default), AS3 adjusts request headers to work properly when the virtual server uses a Multiplex profile", + "type": "boolean", + "default": true + }, + "insertHeader": { + "title": "Insert header", + "description": "You may insert one header into each request before AS3 sends it to a pool member. The header value may be a simple string or the result of an iRules TCL expression (for example, [IP::client_addr]). This is the most efficient way to insert a single header; to insert multiple headers use an iRule or an Endpoint policy", + "type": "object", + "properties": { + "name": { + "title": "Header name", + "description": "Name of the HTTP header to insert", + "type": "string", + "pattern": "^[^\\x00-\\x20\\x22:\\x5c\\x7f-\\xff]{1,128}$" + }, + "value": { + "title": "Header value", + "description": "May contain iRules TCL expression", + "type": "string", + "pattern": "^[^\\x00-\\x1f\\x7f-\\xff]*$" + } + }, + "additionalProperties": false + }, + "whiteOutHeader": { + "title": "White-out header", + "description": "You may name one request header you want whited-out of each request before AS3 sends it to a pool member. 
To remove more than a single named header, use an iRule or an Endpoint policy. (Whiting-out a header leaves its name but replaces its value in the request with space characters (ASCII 0x20) to avoid changing the length of the headers.)", + "type": "string", + "pattern": "^[^\\x00-\\x20\\x22:\\x5c\\x7f-\\xff]{1,128}$" + }, + "allowedResponseHeaders": { + "title": "Allow response headers", + "description": "By default AS3 passes HTTP headers in responses from pool members to clients unaltered. You may list names of allowed response headers here and AS3 removes any you do not list from responses.", + "type": "array", + "items": { + "title": "Allowed header", + "type": "string", + "pattern": "^[^\\x00-\\x20\\x22:\\x5c\\x7f-\\xff]{1,128}$" + }, + "minItems": 1, + "uniqueItems": true + }, + "xForwardedFor": { + "title": "Insert X-Forwarded-For", + "description": "If true, insert an X-Forwarded-For header carrying the client IP address into each HTTP request sent to a pool member (default false)", + "type": "boolean", + "default": true + }, + "trustXFF": { + "title": "Trust X-Forwarded-For", + "description": "If true, WAF (ASM) and AVR may trust X-Forwarded-For headers found in incoming requests and report statistics using client IP addresses appearing in them (default false). Use this feature only when you control upstream gateway(s)", + "type": "boolean", + "default": false + }, + "otherXFF": { + "title": "Other XFF headers", + "description": "Names of request headers to treat as equivalent to X-Forwarded-For (see trustXFF)", + "type": "array", + "items": { + "title": "Header name", + "type": "string", + "minLength": 1, + "pattern": "^[^\\x00-\\x20\\x22:\\x5c\\x7f-\\xff]{1,128}$" + }, + "minItems": 1, + "uniqueItems": true + }, + "hstsInsert": { + "title": "Insert HSTS headers", + "description": "If true, insert HSTS (HTTP Strict Transport Security) headers into responses sent to clients (default false). 
Warning: misconfiguration of HSTS can make a website unreachable", + "type": "boolean", + "default": false + }, + "hstsPeriod": { + "title": "Period of HSTS", + "description": "If hstsInsert is true, this value tells each client how long (in seconds; default 7862400 equals 91 days) to wait before refreshing HSTS settings for this service. Warning: once a client receives erroneous HSTS settings it will ignore any attempt to correct them until this period has expired", + "type": "integer", + "minimum": 0, + "maximum": 31557600, + "default": 7862400 + }, + "hstsIncludeSubdomains": { + "title": "Include subdomains in HSTS", + "description": "If true then HSTS headers (see hstsInsert) will tell clients to apply HSTS settings to the hostnames of this service and all their possible subdomains. Warning: an incorrect value here can make multiple websites unreachable, not just this service", + "type": "boolean", + "default": true + }, + "hstsPreload": { + "title": "Include domain in preload list", + "description": "If true, include the domain for the web site associated with this HTTP profile in the browser's preload list. This forces the client to send packets over SSL/TLS.", + "type": "boolean", + "default": false + }, + "viaRequest": { + "title": "Via request control", + "description": "Controls treatment of Via: headers in requests from clients. When set to 'append' AS3 requires viaHost", + "type": "string", + "enum": [ + "append", + "preserve", + "remove" + ], + "default": "remove" + }, + "viaResponse": { + "title": "Via response control", + "description": "Controls treatment of Via: headers in responses from pool members. 
When set to 'append' AS3 requires viaHost", + "type": "string", + "enum": [ + "append", + "preserve", + "remove" + ], + "default": "remove" + }, + "viaHost": { + "title": "Via hostname", + "description": "Hostname to place in Via header when viaRequest or viaResponse is 'append'", + "type": "string", + "minLength": 1, + "anyOf": [ + { + "format": "hostname" + }, + { + "format": "f5ip" + } + ] + }, + "serverHeaderValue": { + "title": "Server header value", + "description": "Server header value to place in responses generated by the ADC itself (not obtained from a pool member)", + "type": "string", + "default": "BigIP" + }, + "knownMethods": { + "title": "Known methods", + "description": "List of HTTP request methods AS3 should recognize as normal. Any method not in this list will provoke the 'unknownMethodAction' action", + "type": "array", + "items": { + "title": "HTTP method", + "type": "string", + "pattern": "^[A-Z0-9]{1,32}$" + }, + "minItems": 0, + "uniqueItems": true, + "default": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "LOCK", + "OPTIONS", + "POST", + "PROPFIND", + "PUT", + "TRACE", + "UNLOCK" + ] + }, + "unknownMethodAction": { + "title": "Unknown method action", + "description": "Default 'allow' means clients may make HTTP requests using unknown methods. Otherwise, 'reject' means to discard any unknown-method request and reject the client connection, and 'pass-through' causes the connection to switch to pass-through mode upon the first unknown-method request", + "type": "string", + "enum": [ + "allow", + "reject", + "pass-through" + ], + "default": "allow" + }, + "maxRequests": { + "title": "Maximum requests per connection", + "description": "When AS3 has processed more than this number of requests through a connection, the system closes it. 
Default 0 means permit unlimited requests", + "type": "integer", + "minimum": 0, + "maximum": 2147483647, + "default": 0 + }, + "pipelineAction": { + "title": "Pipeline action", + "description": "Default 'allow' means clients may pipeline HTTP/1.1 requests to pool members which support pipelining. Otherwise, 'reject' prevents pipelining, and 'pass-through' causes the connection to switch to pass-through mode when the system detects pipelining", + "type": "string", + "enum": [ + "allow", + "reject", + "pass-through" + ], + "default": "allow" + } + }, + "if": { + "properties": { + "proxyType": { + "const": "reverse" + } + } + }, + "then": { + "$ref": "#/definitions/HTTP_Profile_Reverse" + }, + "else": { + "if": { + "properties": { + "proxyType": { + "const": "transparent" + } + } + }, + "then": { + "$ref": "#/definitions/HTTP_Profile_Transparent" + }, + "else": { + "if": { + "properties": { + "proxyType": { + "const": "explicit" + } + } + }, + "then": { + "$ref": "#/definitions/HTTP_Profile_Explicit" + } + } + }, + "dependencies": { + "cookiePassphrase": { + "required": [ + "encryptCookies" + ] + }, + "fallbackStatusCodes": { + "required": [ + "fallbackRedirect" + ] + }, + "viaRequest": { + "if": { + "properties": { + "viaRequest": { + "const": "append" + } + } + }, + "then": { + "required": [ + "viaHost" + ] + } + }, + "viaResponse": { + "if": { + "properties": { + "viaResponse": { + "const": "append" + } + } + }, + "then": { + "required": [ + "viaHost" + ] + } + }, + "proxyType": { + "if": { + "properties": { + "proxyType": { + "not": { + "const": "transparent" + } + } + } + }, + "then": { + "not": { + "anyOf": [ + { + "required": [ + "excessClientHeaders" + ] + }, + { + "required": [ + "excessServerHeaders" + ] + }, + { + "required": [ + "oversizeClientHeaders" + ] + }, + { + "required": [ + "oversizeServerHeaders" + ] + } + ] + } + }, + "else": { + "if": { + "properties": { + "proxyType": { + "not": { + "const": "explicit" + } + } + } + }, + "then": { + "not": { 
+ "anyOf": [ + { + "required": [ + "resolver" + ] + }, + { + "required": [ + "doNotProxyHosts" + ] + }, + { + "required": [ + "tunnelName" + ] + }, + { + "required": [ + "defaultConnectAction" + ] + }, + { + "required": [ + "routeDomain" + ] + }, + { + "required": [ + "connectErrorMessage" + ] + }, + { + "required": [ + "dnsErrorMessage" + ] + }, + { + "required": [ + "badRequestMessage" + ] + }, + { + "required": [ + "badResponseMessage" + ] + }, + { + "required": [ + "ipv6" + ] + } + ] + } + } + } + } + }, + "required": [ + "class" + ] + }, + "HTTP_Profile_Reverse": { + "title": "HTTP Profile Reverse", + "type": "object", + "description": "Extra HTTP profile configurable options when proxyType is 'reverse'", + "properties": { + "maxHeaderCount": { + "title": "Maximum header count", + "description": "When the number of headers in an incoming HTTP request exceeds this value, discard the request and reset the client connection", + "type": "integer", + "minimum": 1, + "maximum": 1024, + "default": 64 + }, + "maxHeaderSize": { + "title": "Maximum header size", + "description": "When the total size in octets of the headers of an incoming HTTP request exceeds this value, discard the request and reset the client connection", + "type": "integer", + "minimum": 9, + "maximum": 262144, + "default": 32768 + }, + "truncatedRedirects": { + "title": "Truncated redirects", + "description": "If false (default) elide malformed redirects from pool members, otherwise pass them to client", + "type": "boolean", + "default": false + } + } + }, + "HTTP_Profile_Transparent": { + "title": "HTTP Profile Transparent", + "type": "object", + "description": "Extra HTTP profile configurable options when proxyType is 'transparent'", + "properties": { + "maxHeaderCount": { + "title": "Maximum header count", + "description": "When the number of headers in a request or response exceeds this value (default 32), take the excessX...Headers action", + "type": "integer", + "minimum": 1, + "maximum": 
1024, + "default": 32 + }, + "maxHeaderSize": { + "title": "Maximum header size", + "description": "When the total size in octets of the headers of request or response exceeds this value (default 16384), take the oversizeX...Headers action", + "type": "integer", + "minimum": 9, + "maximum": 262144, + "default": 16384 + }, + "excessClientHeaders": { + "title": "Excess client headers action", + "description": "When a client request violates maxHeaderCount, either switch to pass-through mode (default) or reject the connection", + "type": "string", + "enum": [ + "pass-through", + "reject" + ], + "default": "pass-through" + }, + "excessServerHeaders": { + "title": "Excess server headers action", + "description": "When a pool member response violates maxHeaderCount, either switch to pass-through mode (default) or reject the connection", + "type": "string", + "enum": [ + "pass-through", + "reject" + ], + "default": "pass-through" + }, + "oversizeClientHeaders": { + "title": "Oversize client headers action", + "description": "When a client request violates maxHeaderSize, either switch to pass-through mode (default) or reject the connection", + "type": "string", + "enum": [ + "pass-through", + "reject" + ], + "default": "pass-through" + }, + "oversizeServerHeaders": { + "title": "Oversize server headers action", + "description": "When a pool member response violates maxHeaderSize, either switch to pass-through mode (default) or reject the connection", + "type": "string", + "enum": [ + "pass-through", + "reject" + ], + "default": "pass-through" + }, + "truncatedRedirects": { + "title": "Truncated redirects", + "description": "If true (default) pass malformed redirects to client", + "type": "boolean", + "default": true + } + } + }, + "HTTP_Profile_Explicit": { + "title": "HTTP Profile Explicit", + "type": "object", + "description": "Extra HTTP profile configurable options when proxyType is 'explicit'", + "properties": { + "maxHeaderCount": { + "title": "Maximum header count", 
+ "description": "When the number of headers in an incoming HTTP request exceeds this value, discard the request and reset the client connection", + "type": "integer", + "minimum": 1, + "maximum": 1024, + "default": 64 + }, + "maxHeaderSize": { + "title": "Maximum header size", + "description": "When the total size in octets of the headers of an incoming HTTP request exceeds this value, discard the request and reset the client connection", + "type": "integer", + "minimum": 9, + "maximum": 262144, + "default": 32768 + }, + "truncatedRedirects": { + "title": "Truncated redirects", + "description": "If false (default) elide malformed redirects from pool members, otherwise pass them to client", + "type": "boolean", + "default": false + }, + "resolver": { + "title": "DNS resolver", + "description": "AS3 pointer to DNS resolver used to resolve hostnames in client requests", + "type": "object", + "properties": { + "bigip": { + "title": "BIG-IP resolver", + "description": "Pathname of existing BIG-IP net DNS resolver", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "required": [ + "bigip" + ], + "f5bigComponent": "query net dns-resolver" + }, + "doNotProxyHosts": { + "title": "Do-not-proxy hosts", + "description": "When a client makes a (proxy-type) request to some host on this list, that request will simply be load-balanced to a pool member (without DNS resolution). 
This is ineffective for HTTPS requests", + "type": "array", + "items": { + "title": "host", + "type": "string", + "anyOf": [ + { + "format": "hostname" + }, + { + "format": "f5ip" + } + ] + }, + "default": [ + "none" + ], + "minItems": 1, + "uniqueItems": true + }, + "tunnelName": { + "title": "Tunnel name", + "description": "Name of tunnel used for outbound CONNECT requests (default 'http-tunnel')", + "type": "string", + "minLength": 1, + "maxLength": 63, + "default": "http-tunnel", + "f5bigComponent": "query net tunnels tunnel" + }, + "defaultConnectAction": { + "title": "Default CONNECT action", + "description": "By default (value 'deny') the system refuses CONNECT requests from clients except when there is a virtual server listening to the tunnelName tunnel to accept and process them (typically to authorize and/or intercept outbound TLS connections). Value 'allow' will let clients CONNECT to arbitrary remote services", + "type": "string", + "enum": [ + "deny", + "allow" + ], + "default": "deny" + }, + "routeDomain": { + "title": "Exit route domain", + "description": "Proxy requests will leave the ADC from a Self IP in this route domain (default 0)", + "type": "integer", + "minimum": 0, + "maximum": 65535, + "default": 0, + "f5bigComponent": "query net route-domain" + }, + "connectErrorMessage": { + "title": "Connect-error message", + "description": "Message returned to client when the system cannot establish a proxy connection. May include iRules TCL expressions", + "type": "string", + "maxLength": 65279, + "default": "Connection Error

Unable to connect to host in proxy request

" + }, + "dnsErrorMessage": { + "title": "DNS-error message", + "description": "Message returned to the client when the system cannot resolve the hostname in the request. May include iRules TCL expressions", + "type": "string", + "maxLength": 65279, + "default": "DNS Resolution Error

Cannot resolve hostname in proxy request

" + }, + "badRequestMessage": { + "title": "Bad-request message", + "description": "Message returned to client when proxy request is erroneous. May include iRules TCL expressions", + "type": "string", + "maxLength": 65279, + "default": "Bad Request

Invalid proxy request

" + }, + "badResponseMessage": { + "title": "Bad-response message", + "description": "Message returned to client when response to proxy request is erroneous. May include iRules TCL expressions", + "type": "string", + "maxLength": 65279, + "default": "Bad Response

Proxy request provoked invalid response

" + }, + "ipv6": { + "title": "IPv6 first priority", + "description": "Specifies the relative order of IPv4 and IPv6 DNS resolutions for URIs. If false (default), then the system performs IPv4 lookup before IPv6.", + "type": "boolean", + "default": false + } + } + }, + "HTTP_Compress": { + "title": "HTTP Compression profile", + "type": "object", + "description": "HTTP Compression profile with configurable options", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "HTTP_Compress" + }, + "label": { + "$ref": "#/definitions/Label" + }, + "remark": { + "$ref": "#/definitions/Remark" + }, + "allowHTTP10": { + "title": "Allow HTTP/1.0", + "description": "If true, AS3 may compress HTTP/1.0 responses (default false)", + "type": "boolean", + "default": false + }, + "bufferSize": { + "title": "Buffer size", + "description": "Maximum number of response octets to buffer before deciding whether to apply compression (default 4096)", + "type": "integer", + "minimum": 256, + "maximum": 32768, + "default": 4096 + }, + "contentTypeExcludes": { + "title": "Content-Type exclude list", + "description": "List of response Content-Type values which AS3 should not compress. Values are regular expressions that match Content-Type strings", + "type": "array", + "items": { + "title": "Content-Type regex", + "type": "string", + "pattern": "^[^\\x00-\\x1f\\x22\\x7f-\\xff]+$" + }, + "minItems": 1, + "uniqueItems": true + }, + "contentTypeIncludes": { + "title": "Content-Type include list", + "description": "List of response Content-Type values which AS3 should compress. 
Values are regular expressions that match Content-Type strings", + "type": "array", + "items": { + "title": "Content-Type regex", + "type": "string", + "pattern": "^[^\\x00-\\x1f\\x22\\x7f-\\xff]+$" + }, + "minItems": 1, + "uniqueItems": true, + "default": [ + "text/", + "application/(xml|x-javascript)" + ] + }, + "uriExcludes": { + "title": "URI exclude list", + "description": "List of request URI's for which AS3 should not compress responses. Values are regular expressions that match request URI strings", + "type": "array", + "items": { + "title": "URI regex", + "type": "string", + "pattern": "^[^\\x00-\\x1f\\x7f-\\xff]+$" + }, + "minItems": 1, + "uniqueItems": true + }, + "uriIncludes": { + "title": "URI include list", + "description": "List of request URI's for which AS3 should compress responses. Values are regular expressions that match URI strings", + "type": "array", + "items": { + "title": "URI regex", + "type": "string", + "pattern": "^[^\\x00-\\x1f\\x7f-\\xff]+$" + }, + "minItems": 1, + "uniqueItems": true + }, + "cpuSaver": { + "title": "CPU saver", + "description": "If true (default), system will reduce compression rate when CPU utilization exceeds cpuSaverHigh threshold and increase it when CPU utilization falls below cpuSaverLow threshold", + "type": "boolean", + "default": true + }, + "cpuSaverHigh": { + "title": "CPU-saver %high", + "description": "CPU utilization percentage (default 90) above which AS3 should moderate compression", + "type": "integer", + "minimum": 15, + "maximum": 99, + "default": 90 + }, + "cpuSaverLow": { + "title": "CPU-saver %low", + "description": "CPU utilization percentage (default 75) below which the system returns compression to normal", + "type": "integer", + "minimum": 10, + "maximum": 95, + "default": 75 + }, + "minimumSize": { + "title": "Minimum size to compress", + "description": "AS3 will not compress responses of fewer octets than this (default 1024)", + "type": "integer", + "minimum": 128, + "maximum": 131072, + 
"default": 1024 + }, + "preferMethod": { + "title": "Prefer method", + "description": "Select preferred compression method (default gzip, strongly recommended)", + "type": "string", + "enum": [ + "gzip", + "deflate" + ], + "default": "gzip" + }, + "gzipLevel": { + "title": "GZIP level", + "description": "Compression level (default 1); higher values produce greater compression but use more CPU cycles", + "type": "integer", + "minimum": 1, + "maximum": 9, + "default": 1 + }, + "gzipMemory": { + "title": "GZIP memory level", + "description": "Compression memory allocation in kilobytes (default 8), should be a power of two", + "type": "integer", + "minimum": 1, + "maximum": 256, + "default": 8 + }, + "gzipWindowSize": { + "title": "GZIP window size", + "description": "Compression window size in kilobytes (default 16), should be a power of two", + "type": "integer", + "minimum": 1, + "maximum": 128, + "default": 16 + }, + "keepAcceptEncoding": { + "title": "Keep Accept-Encoding header", + "description": "If true, pool member may compress responses; if false (default) ADC will compress responses. Set to true when pool member stores/caches pre-compressed responses", + "type": "boolean", + "default": false + }, + "selective": { + "title": "Selective mode", + "description": "If true, AS3 will only compress a response when an iRule attached to the virtual server requests it (default is false, meaning AS3 will compress responses which meet the criteria in this profile)", + "type": "boolean", + "default": false + }, + "varyHeader": { + "title": "Vary header", + "description": "If true (default), a Vary header will appear in compressed responses", + "type": "boolean", + "default": true + } + }, + "additionalProperties": false, + "required": [ + "class" + ] + }, + "TCP_Profile": { + "title": "TCP Profile", + "description": "Configures a Transmission Control Protocol (TCP) profile", + "type": "object", + "$comment": "Configures TCP settings. 
When deployed on BIG-IP, defaults match f5-tcp-progressive.", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "TCP_Profile" + }, + "label": { + "$ref": "#/definitions/Label" + }, + "remark": { + "$ref": "#/definitions/Remark" + }, + "abc": { + "title": "Appropriate Byte Counting", + "description": "If true (default), AS3 adjusts the congestion window per rfc3465", + "type": "boolean", + "default": true + }, + "ackOnPush": { + "title": "ACK on PSH", + "description": "If true (default), the system immediately acknowledges segments with the PSH flag set", + "type": "boolean", + "default": true + }, + "autoProxyBufferSize": { + "title": "Automatic proxy-buffer size", + "description": "If true (default), AS3 adjusts the proxy buffer size automatically to optimize throughput", + "type": "boolean", + "default": true + }, + "autoReceiveWindowSize": { + "title": "Automatic receive-window size", + "description": "If true (default), AS3 adjusts the receive window size automatically to optimize throughput", + "type": "boolean", + "default": true + }, + "autoSendBufferSize": { + "title": "Automatic send-buffer size", + "description": "If true (default), AS3 adjusts the send buffer size automatically to optimize throughput", + "type": "boolean", + "default": true + }, + "closeWaitTimeout": { + "title": "Close-wait timeout", + "description": "Number of seconds (default 5) connection will remain in LAST-ACK state before exiting. 
Value -1 means indefinite, limited by maximum retransmission timeout", + "type": "integer", + "minimum": -1, + "maximum": 3600, + "default": 5 + }, + "congestionControl": { + "title": "Congestion-control algorithm", + "description": "Selects TCP congestion-control algorithm (default 'woodside')", + "type": "string", + "enum": [ + "cdg", + "chd", + "cubic", + "high-speed", + "illinois", + "new-reno", + "none", + "reno", + "scalable", + "vegas", + "westwood", + "woodside" + ], + "default": "woodside" + }, + "congestionMetricsCache": { + "title": "Congestion metrics cache", + "description": "If true (default), the system may cache congestion metrics to inform the congestion control algorithm", + "type": "boolean", + "default": true + }, + "congestionMetricsCacheTimeout": { + "title": "Congestion metrics cache timeout", + "description": "Number of seconds for which entries in the congestion metrics cache are valid (default 0 means use system default)", + "type": "integer", + "minimum": 0, + "maximum": 1000, + "default": 0 + }, + "deferredAccept": { + "title": "Deferred accept", + "description": "If true, ADC will defer allocating resources to a connection until some payload data has arrived from the client (default false). This may help minimize the impact of certain DoS attacks but adds undesirable latency under normal conditions. 
Note: 'deferredAccept' is incompatible with server-speaks-first application protocols", + "type": "boolean", + "default": false + }, + "delayedAcks": { + "title": "Delayed ACKs", + "description": "If true (default), the system may coalesce multiple adjacent ACK responses", + "type": "boolean", + "default": true + }, + "delayWindowControl": { + "title": "Delay-window control", + "description": "If true, AS3 uses queueing delay as well as packet loss to estimate congestion (default false)", + "type": "boolean", + "default": false + }, + "dsack": { + "title": "Use D-SACK", + "description": "If true, AS3 uses rfc2883 duplicate selective-acknowledgements extension (default false). Do not enable this option unless you are certain all peers support D-SACK", + "type": "boolean", + "default": false + }, + "earlyRetransmit": { + "title": "Early retransmit", + "description": "If true (default), AS3 uses rfc5827 Early Retransmit recovery", + "type": "boolean", + "default": true + }, + "ecn": { + "title": "Explicit congestion notification", + "description": "If true (default), AS3 may send explicit congestion notification (ECN) flags (CWR, ECE) to peers", + "type": "boolean", + "default": true + }, + "enhancedLossRecovery": { + "title": "Enhanced loss recovery", + "description": "If true (default), AS3 uses Selective ACK data to increase throughput", + "type": "boolean", + "default": true + }, + "fastOpen": { + "title": "Fast-open", + "description": "If true (default), the system can use the TCP Fast Open protocol extension to reduce latency by sending payload data with initial SYN", + "type": "boolean", + "default": true + }, + "fastOpenCookieExpiration": { + "title": "Fast-open cookie expiration", + "description": "Sets maximum lifetime in seconds (default 21600 = six hours) of TCP Fast Open cookies", + "type": "integer", + "minimum": 1, + "maximum": 1000000, + "default": 21600 + }, + "finWaitTimeout": { + "title": "FIN-WAIT timeout", + "description": "Number of seconds 
(default 5) connection will remain in FIN-WAIT-1 or closing state before exiting. Value -1 means indefinite, limited by maximum retransmission timeout", + "type": "integer", + "minimum": -1, + "maximum": 3600, + "default": 5 + }, + "finWait2Timeout": { + "title": "FIN-WAIT-2 timeout", + "description": "Number of seconds (default 300) connection will remain in LAST-ACK state before closing. Value -1 means indefinite, limited by maximum retransmission timeout", + "type": "integer", + "minimum": -1, + "maximum": 3600, + "default": 300 + }, + "idleTimeout": { + "title": "Idle timeout", + "description": "Number of seconds (default 300; may not be 0) connection may remain idle before it becomes eligible for deletion. Value -1 (not recommended) means infinite", + "type": "integer", + "anyOf": [ + { + "minimum": 1, + "maximum": 86400 + }, + { + "const": -1 + } + ], + "default": 300 + }, + "initCwnd": { + "title": "Initial congestion-window size", + "description": "Sets the initial congestion-window size (default 16) in multiples of MSS (not in octets)", + "type": "integer", + "minimum": 0, + "maximum": 64, + "default": 16 + }, + "initRwnd": { + "title": "Initial receive-window size", + "description": "Sets the initial receive-window size (default 16) in multiples of MSS (not in octets)", + "type": "integer", + "minimum": 0, + "maximum": 64, + "default": 16 + }, + "ipDfMode": { + "title": "IP DF mode", + "description": "Controls DF (Don't Fragment) flag in outgoing packets. Value 'pmtu' (default) sets DF based on IP PMTU value. Value 'preserve' copies DF from received packets. Value 'set' forces DF true in all outgoing packets. Value 'clear' forces DF false in all outgoing packets", + "type": "string", + "enum": [ + "clear", + "pmtu", + "preserve", + "set" + ], + "default": "pmtu" + }, + "ipTosToClient": { + "title": "IP DSCP (TOS) to client", + "description": "Specifies the IP DSCP/TOS value in packets sent to clients (default 0). 
Numeric values in this property are decimal representations of eight-bit numbers, of which the leftmost six bits are the DSCP per rfc2474 (and the system uses the rightmost two bits for congestion signaling when 'ecn' is true). You may have to calculate the value of this property by multiplying a DSCP code, such as CS5+EF = 46, by four to obtain the proper 'ipTosToClient' value, such as 184. Value 'pass-through' sets DSCP from the initial server-side value. Value 'mimic' copies DSCP from the most-recently received server-side packet (allowing DSCP to vary during the life of a connection)", + "type": [ + "integer", + "string" + ], + "minimum": 0, + "maximum": 252, + "multipleOf": 4, + "pattern": "^(pass-through|mimic)$", + "default": 0 + }, + "keepAliveInterval": { + "title": "Keep-alive interval", + "description": "Number of seconds (default 1800) between keep-alive probes", + "type": "integer", + "minimum": 1, + "maximum": 86400, + "default": 1800 + }, + "limitedTransmit": { + "title": "Limited transmit recovery", + "description": "When true (default), the system can use rfc3042 limited transmit recovery scheme", + "type": "boolean", + "default": true + }, + "linkQosToClient": { + "title": "Link QOS to client", + "description": "Specifies the Layer-2 QOS code in packets sent to clients (default 0). Ethernet-type networks recognize codes from 0 to 7. Value 'pass-through' sets QOS from the initial server-side value", + "type": [ + "integer", + "string" + ], + "minimum": 0, + "maximum": 7, + "pattern": "^pass-through$", + "default": 0 + }, + "maxRetrans": { + "title": "Maximum segment retransmissions", + "description": "Sets maximum number of times the system may retransmit a segment (default 8)", + "type": "integer", + "minimum": 0, + "maximum": 12, + "default": 8 + }, + "maxSegmentSize": { + "title": "MSS", + "description": "Sets MSS advertised to peer. Value 0 (default) will set MSS automatically in proportion to interface MTU. 
Default 0 is usually the best choice", + "type": "integer", + "anyOf": [ + { + "minimum": 28, + "maximum": 8960 + }, + { + "const": 0 + } + ], + "default": 0 + }, + "md5Signature": { + "title": "MD5 signatures", + "description": "If true, the system signs TCP headers using MD5 per rfc2385 (default false)", + "type": "boolean", + "default": false + }, + "md5SignaturePassphrase": { + "title": "MD5 passphrase", + "description": "Passphrase from which the system derives the key for MD5 signatures (MACs) when 'md5signature' is true", + "type": "object", + "properties": { + "allowReuse": { + "description": "If true, other declaration objects may reuse this value", + "type": "boolean", + "default": false + } + }, + "if": true, + "then": { + "$ref": "#/definitions/Secret" + }, + "f5fetch": "object", + "f5secret": true + }, + "minimumRto": { + "title": "Minimum retransmission timeout", + "description": "Minimum retransmission timeout in milliseconds (default 1000)", + "type": "integer", + "minimum": 1, + "maximum": 5000, + "default": 1000 + }, + "mptcp": { + "title": "Multipath TCP (MPTCP)", + "description": "Value 'disable' (default) excludes use of Multipath TCP (MPTCP) through virtual server. Value 'enable' means virtual server will accept and participate in MPTCP connections. 
Value 'passthrough' means MPTCP packets may pass through virtual server", + "type": "string", + "enum": [ + "disable", + "enable", + "passthrough" + ], + "default": "disable" + }, + "mptcpCsum": { + "title": "MPTCP checksums", + "description": "If true, the system calculates MPTCP checksums (default false)", + "type": "boolean", + "default": false + }, + "mptcpCsumVerify": { + "title": "MPTCP checksum verify", + "description": "If true, the system verifies MPTCP checksums (default false)", + "type": "boolean", + "default": false + }, + "mptcpFallback": { + "title": "MPTCP fallback action", + "description": "Selects action on fallback from MPTCP to ordinary TCP", + "type": "string", + "enum": [ + "accept", + "active-accept", + "reset", + "retransmit" + ], + "default": "reset" + }, + "mptcpFastJoin": { + "title": "MPTCP fast join", + "description": "If true, the system may send data with MP_JOIN SYN packet, reducing connection latency (default false)", + "type": "boolean", + "default": false + }, + "mptcpIdleTimeout": { + "title": "Idle timeout", + "description": "Number of seconds (default 300) connection may remain idle before it becomes eligible for deletion", + "type": "integer", + "minimum": 1, + "maximum": 86400, + "default": 300 + }, + "mptcpJoinMax": { + "title": "MPTCP join maximum", + "description": "Limit on number of subflows which the system may add to the MPTCP connection (default 5)", + "type": "integer", + "minimum": 1, + "maximum": 20, + "default": 5 + }, + "mptcpMakeAfterBreak": { + "title": "MPTCP make-after-break", + "description": "If true, the system can add additional subflows during the 'mptcpTimeout' period, even if the ADC is not currently handling an active connection (default false)", + "type": "boolean", + "default": false + }, + "mptcpNoJoinDssAck": { + "title": "MPTCP fast join", + "description": "If true, no DSS option will sent with MP_JOIN ACK packet (default false)", + "type": "boolean", + "default": false + }, + "mptcpRtoMax": { + 
"title": "MPTCP RTO maximum", + "description": "Maximum number of retransmission timeouts which may occur before the system declares a subflow dead", + "type": "integer", + "minimum": 1, + "maximum": 20, + "default": 5 + }, + "mptcpRetransmitMin": { + "title": "MPTCP retransmit timer", + "description": "Minimum value in milliseconds (default 1000) of MPTCP retransmission timer", + "type": "integer", + "minimum": 1, + "maximum": 5000, + "default": 1000 + }, + "mptcpSubflowMax": { + "title": "MPTCP subflow maximum", + "description": "Maximum number of subflows per connection (default 6)", + "type": "integer", + "minimum": 1, + "maximum": 20, + "default": 6 + }, + "mptcpTimeout": { + "title": "MPTCP timeout", + "description": "Number of seconds (default 3600) after which the system may expunge an MPTCP session with no active flow", + "type": "integer", + "minimum": 60, + "maximum": 3600, + "default": 3600 + }, + "nagle": { + "title": "Nagle's algorithm", + "description": "Value 'enable' means to use Nagle's algorithm to minimize the transmission of short TCP segments (note: Nagle's algorithm yields undesirable results with many application protocols). Value 'auto' (default) means the ADC will choose automatically whether to enable Nagle's algorithm. Value 'disable' averts application of Nagle's algorithm", + "type": "string", + "enum": [ + "disable", + "enable", + "auto" + ], + "default": "auto" + }, + "pktLossIgnoreBurst": { + "title": "Packet loss ignore burst", + "description": "Modulates use of congestion control when losing multiple packets. Value 0 (default) means to perform congestion control if any packet loss occurs. 
Higher values increase tolerance for lost packets before signaling congestion", + "type": "integer", + "minimum": 0, + "maximum": 32, + "default": 0 + }, + "pktLossIgnoreRate": { + "title": "Packet loss ignore rate", + "description": "Sets threshold of packet loss rate (lost-packets/million-packets) above which the system performs congestion control. Value 0 (default) means to perform congestion control if any packet loss occurs. Higher values increase tolerance for lost packets before signaling congestion", + "type": "integer", + "minimum": 0, + "maximum": 1000000, + "default": 0 + }, + "proxyBufferHigh": { + "title": "Proxy-buffer high", + "description": "The system closes the receive window when the number of octets in proxy buffer rises above this value", + "type": "integer", + "minimum": 64, + "maximum": 33554432, + "default": 262144 + }, + "proxyBufferLow": { + "title": "Proxy-buffer low", + "description": "The system opens the receive window when the number of octets in proxy buffer falls below this value", + "type": "integer", + "minimum": 64, + "maximum": 33554432, + "default": 196608 + }, + "proxyMSS": { + "title": "Proxy MSS", + "description": "If true (default), the MSS value advertised on the server side will match that negotiated with the client, if permitted by MTU and other constraints", + "type": "boolean", + "default": true + }, + "proxyOptions": { + "title": "Proxy options", + "description": "If true, TCP options such as timestamp advertised on the server side will match those negotiated with client (default false)", + "type": "boolean", + "default": false + }, + "pushFlag": { + "title": "PuSH flag control", + "description": "Controls when ADC sets PSH flag in outbound TCP segments. Limiting the sending of segments with PSH improves performance. Value 'auto' (recommended) sets PSH according to a system algorithm optimal in most cases. Value 'default' (not recommended) sets the PUSH flag in every segment which happens to empty the send buffer. 
Value 'none' prevents use of the PSH flag, and 'one' means the system sets PSH only when FIN is, at the end of a connection", + "type": "string", + "enum": [ + "auto", + "default", + "none", + "one" + ], + "default": "auto" + }, + "ratePace": { + "title": "Rate pace", + "description": "If true (default), system will automatically pace rate of data transmission to optimize throughput", + "type": "boolean", + "default": true + }, + "ratePaceMaxRate": { + "title": "Rate pace maximum rate", + "description": "Limit maximum data-transmission rate in octets/second to this value when 'ratePace' is true. Default 0 means choose maximum rate automatically", + "type": "integer", + "minimum": 0, + "maximum": 4294967295, + "$comment": "maximum in future: 137438953472", + "default": 0 + }, + "receiveWindowSize": { + "title": "Receive-window size", + "description": "Maximum size of receive window (octets, default 131072)", + "type": "integer", + "minimum": 64, + "maximum": 33554432, + "default": 131072 + }, + "resetOnTimeout": { + "title": "Reset on timeout", + "description": "If true (default), connections which time out will be reset (that is, the system will send an RST packet to the peer) before the system expunges them. 
Value false is not recommended", + "type": "boolean", + "default": true + }, + "retransmitThreshold": { + "title": "Retransmit threshold", + "description": "Specifies the number of duplicate ACKs to start fast recovery", + "type": "integer", + "minimum": 0, + "maximum": 12, + "default": 3 + }, + "selectiveAcks": { + "title": "Selective ACKs", + "description": "If true (default), the system negotiates rfc2018 Selective Acknowledgements with peers", + "type": "boolean", + "default": true + }, + "selectiveNack": { + "title": "Selective NAK", + "description": "If true, the system negotiates Selective Negative Acknowledgements with peers (default false)", + "type": "boolean", + "default": false + }, + "sendBufferSize": { + "title": "Send-buffer size", + "description": "Maximum size of send buffer (octets, default 262144)", + "type": "integer", + "minimum": 64, + "maximum": 33554432, + "default": 262144 + }, + "slowStart": { + "title": "Slow-start", + "description": "If true (default), AS3 adjusts the initial window size per rfc3390. 
This generally makes connections start more quickly, NOT more slowly", + "type": "boolean", + "default": true + }, + "synCookieEnable": { + "title": "SYN cookie enable", + "description": "If true (default), the system may use SYN cookies to avert connection-table overflow (for example, from DoS attacks)", + "type": "boolean", + "default": true + }, + "synCookieWhitelist": { + "title": "SYN cookie whitelist", + "description": "If true, after a client responds successfully to a SYN cookie challenge, the system accepts additional connection requests from that client without challenge for 30 seconds (default false)", + "type": "boolean", + "default": false + }, + "synMaxRetrans": { + "title": "Maximum SYN retransmissions", + "description": "Maximum number of times the system retransmits a SYN when it does not receive a SYN+ACK (default 3)", + "type": "integer", + "minimum": 0, + "maximum": 12, + "default": 3 + }, + "synRtoBase": { + "title": "SYN RTO base", + "description": "Number of milliseconds (default 3000) to which the system initially sets the SYN retransmission timer. 
The system adjusts the timer after each retransmission to implement binary-exponential-backoff", + "type": "integer", + "minimum": 0, + "maximum": 5000, + "default": 3000 + }, + "tailLossProbe": { + "title": "Tail loss probe", + "description": "If true (default), the system uses the Tail Loss Probe scheme to reduce retransmission timeouts", + "type": "boolean", + "default": true + }, + "tcpOptions": { + "title": "TCP options capture for iRules", + "description": "Selects which TCP Option values the system captures for reference by iRules", + "type": "array", + "items": { + "title": "Option", + "type": "object", + "properties": { + "option": { + "title": "Number", + "description": "Specifies the TCP option to capture", + "type": "integer", + "minimum": 0, + "maximum": 255 + }, + "when": { + "title": "When seen", + "description": "Specifies when to capture the TCP option", + "type": "string", + "enum": [ + "first", + "last" + ] + } + }, + "additionalProperties": false + }, + "minItems": 1, + "maxItems": 255, + "$comment": "uniqueItems: true" + }, + "timestamps": { + "title": "Timestamps", + "description": "If true (default and recommended), AS3 enables rfc1323 timestamps", + "type": "boolean", + "default": true + }, + "timeWaitRecycle": { + "title": "TIME-WAIT recycle", + "description": "If true (default), the system reuses connection resources immediately when it receives a SYN during the TIME-WAIT period", + "type": "boolean", + "default": true + }, + "timeWaitTimeout": { + "title": "Time-wait timeout", + "description": "Number of milliseconds (default 2,000) connection will remain in TIME-WAIT state before closing. Value -1 means indefinite", + "type": "integer", + "minimum": -1, + "maximum": 600000, + "default": 2000 + }, + "ttlMode": { + "title": "TTL mode", + "description": "Controls IP TTL in outgoing packets. Value 'set' forces TTL to value of property 'ttlIPv4' or 'ttlIPv6' as appropriate. 
Value 'proxy' (default) forces TTL to the default value for IPv4 or IPv6 as appropriate. Value 'preserve' copies TTL from received packet. Value 'decrement' sets TTL to one less than received packet's TTL", + "type": "string", + "enum": [ + "decrement", + "preserve", + "proxy", + "set" + ], + "default": "proxy" + }, + "ttlIPv4": { + "title": "TTL for IPv4", + "description": "TTL the system sets in outgoing IPv4 packets", + "type": "integer", + "minimum": 1, + "maximum": 255, + "default": 255 + }, + "ttlIPv6": { + "title": "TTL for IPv6", + "description": "TTL the system sets in outgoing IPv6 packets", + "type": "integer", + "minimum": 1, + "maximum": 255, + "default": 64 + }, + "verifiedAccept": { + "title": "Verified accept", + "description": "If true, the system must establish a server-side connection before a it accepts a corresponding client-side connection (default false). Value 'true' is incompatible with iRules", + "type": "boolean", + "default": false + }, + "zeroWindowTimeout": { + "title": "Zero-window timeout", + "description": "Number of milliseconds (default 20,000) connection will persist with window-size of zero (effective timeout is value rounded up to the nearest multiple of 5000). 
Value -1 means indefinite", + "type": "integer", + "minimum": -1, + "maximum": 86400000, + "default": 20000 + } + }, + "additionalProperties": false, + "required": [ + "class" + ] + }, + "UDP_Profile": { + "title": "UDP Profile", + "description": "Configures a User Datagram Protocol (UDP) profile", + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "UDP_Profile" + }, + "label": { + "$ref": "#/definitions/Label" + }, + "remark": { + "$ref": "#/definitions/Remark" + }, + "allowNoPayload": { + "title": "Allow empty payload", + "description": "When true, forward UDP datagrams with empty payloads (default false)", + "type": "boolean", + "default": false + }, + "bufferMaxBytes": { + "title": "Buffer maximum-bytes", + "description": "Limit to number of octets which the system may buffer for a UDP flow (default 655350)", + "type": "integer", + "minimum": 65535, + "maximum": 16777215, + "default": 655350 + }, + "bufferMaxPackets": { + "title": "Buffer maximum-packets", + "description": "Limit to number of packets which the system may buffer for a UDP flow (default 0)", + "type": "integer", + "minimum": 0, + "maximum": 255, + "default": 0 + }, + "datagramLoadBalancing": { + "title": "Datagram load-balancing", + "description": "When true, process UDP datagrams independently, without recognizing flows (default false)", + "type": "boolean", + "default": false + }, + "idleTimeout": { + "title": "Idle timeout", + "description": "Number of seconds (default 60) flow may remain idle before it becomes eligible for deletion. Value 0 allows system to recover per-flow resources whenever convenient (always safe with UDP). Value -1 means indefinite (not recommended)", + "type": "integer", + "minimum": -1, + "maximum": 86400, + "default": 60 + }, + "ipDfMode": { + "title": "IP DF mode", + "description": "Controls DF (Don't Fragment) flag in outgoing datagrams. Value 'pmtu' (default) sets DF based on IP PMTU value. 
Value 'preserve' copies DF from received datagram. Value 'set' forces DF true in all outgoing datagrams. Value 'clear' forces DF false in all outgoing datagrams", + "type": "string", + "enum": [ + "clear", + "pmtu", + "preserve", + "set" + ], + "default": "pmtu" + }, + "ipTosToClient": { + "title": "IP TOS/DSCP to client", + "description": "Specifies the IP TOS/DSCP value in packets sent to clients (default 0). Numeric values in this property are decimal representations of eight-bit numbers, of which the leftmost six bits are the DSCP code per rfc2474 (and the rightmost two bits reserved). You may have to calculate the value of this property by multiplying a DSCP code, such as CS5+EF = 46, by four, to obtain the 'ipTosToClient' value, such as 184. Value 'pass-through' sets DSCP from the initial server-side value. Value 'mimic' copies DSCP from the most-recently received server-side packet (allowing DSCP to vary during the life of a connection)", + "type": [ + "integer", + "string" + ], + "minimum": 0, + "maximum": 252, + "multipleOf": 4, + "pattern": "^(pass-through|mimic)$", + "default": 0 + }, + "linkQosToClient": { + "title": "Link QOS to client", + "description": "Specifies the Layer-2 QOS value in packets sent to clients (default 0). Ethernet-type networks recognize numeric codes from 0 to 7. Value 'pass-through' sets QOS from the initial server-side value", + "type": [ + "integer", + "string" + ], + "minimum": 0, + "maximum": 7, + "pattern": "^pass-through$", + "default": 0 + }, + "proxyMSS": { + "title": "Proxy MSS", + "description": "When true, MSS advertised on the server side will match that negotiated with the client, if permitted by MTU and other constraints (default false)", + "type": "boolean", + "default": false + }, + "ttlMode": { + "title": "TTL mode", + "description": "Controls IP TTL in outgoing datagrams. Value 'set' forces TTL to value of property 'ttlIPv4' or 'ttlIPv6' as appropriate. 
Value 'proxy' forces TTL to the default value for IPv4 or IPv6 as appropriate. Value 'preserve' copies TTL from received datagram. Value 'decrement' sets TTL to one less than received datagrams's TTL", + "type": "string", + "enum": [ + "decrement", + "preserve", + "proxy", + "set" + ], + "default": "proxy" + }, + "ttlIPv4": { + "title": "TTL for IPv4", + "description": "TTL the system sets in outgoing IPv4 datagrams", + "type": "integer", + "minimum": 1, + "maximum": 255, + "default": 255 + }, + "ttlIPv6": { + "title": "TTL for IPv6", + "description": "TTL the system sets in outgoing IPv6 datagrams", + "type": "integer", + "minimum": 1, + "maximum": 255, + "default": 64 + }, + "useChecksum": { + "title": "Use checksum", + "description": "When true, system will validate UDP checksums for IPv4 datagrams (default false). Checksums are always validated for IPv6", + "type": "boolean", + "default": false + } + }, + "additionalProperties": false, + "required": [ + "class" + ] + }, + "L4_Profile": { + "title": "L4 (FastL4) Profile", + "description": "Configures a Fast Layer 4 profile", + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "L4_Profile" + }, + "label": { + "$ref": "#/definitions/Label" + }, + "remark": { + "$ref": "#/definitions/Remark" + }, + "clientTimeout": { + "title": "Client timeout", + "description": "Number of seconds allowed for a client to transmit enough data to select a server when you have late binding enabled. Value -1 means indefinite (not recommended)", + "type": "integer", + "minimum": -1, + "maximum": 86400, + "default": 30 + }, + "idleTimeout": { + "title": "Idle timeout", + "description": "Number of seconds (default 300; may not be 0) connection may remain idle before it becomes eligible for deletion. 
Value -1 (not recommended) means infinite", + "type": "integer", + "anyOf": [ + { + "minimum": 1, + "maximum": 86400 + }, + { + "const": -1 + } + ], + "default": 300 + }, + "looseClose": { + "title": "Loose close", + "description": "When true, system closes a loosely-initiated connection when the system receives the first FIN packet from either the client or the server (default false).", + "type": "boolean", + "default": false + }, + "looseInitialization": { + "title": "Loose initialization", + "description": "When true, system initializes a connection when it receives any TCP packet, rather than requiring a SYN packet for connection initiation (default false).", + "type": "boolean", + "default": false + }, + "maxSegmentSize": { + "title": "MSS", + "description": "Sets MSS advertised to peer. Value 0 (default) will set MSS automatically in proportion to interface MTU. Default 0 is usually the best choice", + "type": "integer", + "anyOf": [ + { + "minimum": 256, + "maximum": 9162 + }, + { + "const": 0 + } + ], + "default": 0 + }, + "resetOnTimeout": { + "title": "Reset on timeout", + "description": "If true (default), connections which time out will be reset (that is, the system sends an RST packet to the peer) before the system expunges them", + "type": "boolean", + "default": true + }, + "tcpCloseTimeout": { + "title": "TCP Close timeout", + "description": "Specifies an TCP close timeout in seconds. Value -1 means indefinite (not recommended)", + "type": "integer", + "minimum": -1, + "maximum": 86400, + "default": 5 + }, + "tcpHandshakeTimeout": { + "title": "TCP Handshake timeout", + "description": "Specifies a TCP handshake timeout in seconds. The default value is 5 seconds. 
Value -1 means indefinite (not recommended)", + "type": "integer", + "minimum": -1, + "maximum": 86400, + "default": 5 + } + }, + "additionalProperties": false, + "required": [ + "class" + ] + }, + "Classification_Profile": { + "description": "Configures a classification profile", + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "Classification_Profile" + }, + "label": { + "$ref": "#/definitions/Label" + }, + "remark": { + "$ref": "#/definitions/Remark" + }, + "parentProfile": { + "description": "Specifies the name of the object to inherit the settings from", + "allOf": [ + { + "$ref": "#/definitions/Pointer_Classification_Profile" + } + ], + "default": { + "bigip": "/Common/classification" + } + }, + "appDetectionEnabled": { + "description": "Enables/disables Application Detection feature", + "type": "boolean", + "default": true + }, + "urlCategorizationEnabled": { + "description": "Enables/disables URL Categorization feature", + "type": "boolean", + "default": false + }, + "iRuleEventEnabled": { + "description": "Enables/disables CLASSIFICATION_DETECTED iRule event generation", + "type": "boolean", + "default": false + }, + "logPublisher": { + "$ref": "#/definitions/Pointer_Log_Publisher" + }, + "logUnclassifiedDomain": { + "description": "Enables/disables unclassified domain logging", + "type": "boolean", + "default": false + }, + "preset": { + "allOf": [ + { + "$ref": "#/definitions/Pointer_Classification_Preset" + } + ], + "default": { + "bigip": "/Common/ce" + } + }, + "statisticsCollectionEnabled": { + "description": "Enables/disables statistics collection", + "type": "boolean", + "default": false + }, + "statisticsPublisher": { + "$ref": "#/definitions/Pointer_Log_Publisher" + } + }, + "additionalProperties": false, + "required": [ + "class" + ] + }, + "Radius_Profile": { + "description": "Configures a RADIUS profile for network traffic load balancing", + "type": "object", + "properties": { + "class": { + 
"title": "Class",
+ "type": "string",
+ "const": "Radius_Profile"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "parentProfile": {
+ "description": "Specifies the name of the object to inherit the settings from",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Pointer_Radius_Profile"
+ }
+ ],
+ "default": {
+ "bigip": "/Common/radiusLB"
+ }
+ },
+ "persistAttribute": {
+ "description": "Specifies the name of the RADIUS attribute on which traffic persists. Acceptable values are ASCII strings from section 5 of RFC 2865 or numeric codes (1-255). A value of none indicates that persistence is disabled.",
+ "oneOf": [
+ {
+ "type": "integer",
+ "minimum": 1,
+ "maximum": 255
+ },
+ {
+ "type": "string",
+ "enum": [
+ "none",
+ "User-Name",
+ "User-Password",
+ "NAS-IP-Address",
+ "NAS-Port",
+ "Service-Type",
+ "Framed-Protocol",
+ "Framed-IP-Address",
+ "Framed-IP-Netmask",
+ "Framed-Routing",
+ "Filter-Id",
+ "Framed-MTU",
+ "Framed-Compression",
+ "Login-IP-Host",
+ "Login-Service",
+ "Login-TCP-Port",
+ "Reply-Message",
+ "Callback-Number",
+ "Callback-Id",
+ "Framed-Route",
+ "Framed-IPX-Network",
+ "State",
+ "Class",
+ "Vendor-Specific",
+ "Session-Timeout",
+ "Idle-Timeout",
+ "Termination-Action",
+ "Called-Station-Id",
+ "Calling-Station-Id",
+ "NAS-Identifier",
+ "Proxy-State",
+ "Login-LAT-Service",
+ "Login-LAT-Node",
+ "Login-LAT-Group",
+ "Framed-AppleTalk-Link",
+ "Framed-AppleTalk-Network",
+ "Framed-AppleTalk-Zone",
+ "CHAP-Challenge",
+ "NAS-Port-Type",
+ "Port-Limit",
+ "Login-LAT-Port"
+ ]
+ }
+ ],
+ "default": "none"
+ },
+ "protocolProfile": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/Pointer_Enforcement_Protocol_Profile_Radius"
+ }
+ ],
+ "default": {
+ "bigip": "/Common/_sys_radius_proto_imsi"
+ }
+ },
+ "subscriberDiscoveryEnabled": {
+ "description": "Specifies whether to enable PEM subscriber discovery based on the content of RADIUS packets",
+ "type": "boolean",
+ "default": true
+ } +
},
+ "required": [
+ "class"
+ ],
+ "additionalProperties": false
+ },
+ "IP_Other_Profile": {
+ "description": "Configures a generic IP profile for non-TCP and non-UDP traffic",
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "IP_Other_Profile"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "parentProfile": {
+ "description": "Specifies the name of the object to inherit the settings from",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Pointer_IP_Other_Profile"
+ }
+ ],
+ "default": {
+ "bigip": "/Common/ipother"
+ }
+ },
+ "idleTimeout": {
+ "description": "Specifies the number of seconds a connection can be idle before the connection is eligible for deletion",
+ "$comment": "It might be possible to specify a value of 0 and remove the immediate option",
+ "if": {
+ "type": "string"
+ },
+ "then": {
+ "enum": [
+ "indefinite",
+ "immediate"
+ ]
+ },
+ "else": {
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 4294967295
+ },
+ "default": 60
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "class"
+ ]
+ },
+ "Constants": {
+ "title": "Constants",
+ "description": "Named values for (re-)use by declaration objects",
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Constants"
+ }
+ },
+ "additionalProperties": {
+ "type": [
+ "boolean",
+ "integer",
+ "number",
+ "string",
+ "array",
+ "object"
+ ],
+ "if": {
+ "type": "object",
+ "required": [
+ "protected",
+ "ciphertext"
+ ]
+ },
+ "then": {
+ "properties": {
+ "allowReuse": {
+ "title": "Allow reuse",
+ "description": "If true (default), cryptogram may be reused by different declaration objects, WHICH MAY POSE A SECURITY RISK!",
+ "type": "boolean",
+ "default": true
+ }
+ },
+ "if": true,
+ "then": {
+ "$ref": "#/definitions/JWE"
+ }
+ }
+ },
+ "propertyNames": {
+ "pattern": "^[A-Za-z][0-9A-Za-z_]{0,47}$"
+ },
+ "required": [
+ "class" +
]
+ },
+ "Label": {
+ "title": "Label",
+ "description": "Optional friendly name for this object",
+ "type": "string",
+ "format": "f5label"
+ },
+ "Remark": {
+ "title": "Remark",
+ "description": "Arbitrary (brief) text pertaining to this object (optional)",
+ "type": "string",
+ "format": "f5remark"
+ },
+ "F5string": {
+ "title": "String value",
+ "description": "String value optionally in base64 or from URL or AS3 pointer",
+ "if": {
+ "not": {
+ "type": "object"
+ }
+ },
+ "then": {
+ "type": "string"
+ },
+ "else": {
+ "$comment": "May add 'cryptogram' in future.",
+ "properties": {
+ "base64": {
+ "title": "Base64",
+ "description": "Base64-encoded value (in JSON string)",
+ "type": "string",
+ "format": "f5base64"
+ },
+ "text": {
+ "title": "Text",
+ "description": "UTF-8 text (in JSON string)",
+ "type": "string"
+ },
+ "url": {
+ "title": "URL",
+ "description": "URL from which to retrieve value",
+ "type": "string",
+ "minLength": 3,
+ "f5expand": true
+ },
+ "copyFrom": {
+ "title": "Copy from",
+ "description": "AS3 pointer to declaration object/property from which to copy value",
+ "type": "string",
+ "format": "f5pointer"
+ },
+ "bigip": {
+ "title": "BIG-IP component pathname",
+ "description": "Pathname of existing BIG-IP component",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minimumProperties": 1,
+ "maximumProperties": 1
+ }
+ },
+ "Secret": {
+ "title": "Secret value",
+ "description": "A value: (a) in a cryptogram in this object; (b) in a cryptogram elsewhere in this declaration; or (c) available from a URL",
+ "type": "object",
+ "properties": {
+ "allowReuse": {
+ "title": "Allow reuse",
+ "description": "If true, other declaration objects may reuse this value",
+ "type": "boolean"
+ },
+ "reuseFrom": {
+ "title": "Reuse from",
+ "description": "AS3 pointer to another JWE cryptogram in this declaration to copy",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "type": "object", +
"required": [
+ "ciphertext"
+ ]
+ }
+ },
+ "url": {
+ "title": "URL",
+ "description": "URL from which secret should be fetched",
+ "type": "string",
+ "format": "url",
+ "f5expand": true
+ }
+ },
+ "oneOf": [
+ {
+ "required": [
+ "ciphertext"
+ ]
+ },
+ {
+ "required": [
+ "reuseFrom"
+ ]
+ },
+ {
+ "required": [
+ "url"
+ ]
+ }
+ ],
+ "if": {
+ "required": [
+ "ciphertext"
+ ]
+ },
+ "then": {
+ "$ref": "#/definitions/JWE"
+ }
+ },
+ "JWE": {
+ "title": "JWE cryptogram",
+ "description": "A value in a cryptogram which is a Flattened JWE JSON Serialization object. If 'miniJWE' is true then enc=(none|f5sv) only (in JOSE header)",
+ "type": "object",
+ "properties": {
+ "miniJWE": {
+ "title": "Mini JWE",
+ "description": "If true (default), object is an f5 mini-JWE",
+ "type": "boolean",
+ "default": true
+ },
+ "protected": {
+ "title": "JOSE header",
+ "description": "JOSE header: alg=dir, enc=(none|f5sv); default enc=none (encoded default is 'protected'='eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0', use with secret simply base64url-encoded into 'ciphertext'). If you see 'protected'='eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0', 'ciphertext' contains base64url-encoded SecureVault cryptogram",
+ "type": "string",
+ "minLength": 2,
+ "format": "f5base64",
+ "default": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
+ },
+ "ciphertext": {
+ "title": "Ciphertext",
+ "description": "Put base64url(data_value) here",
+ "type": "string",
+ "minLength": 2,
+ "format": "f5base64"
+ },
+ "ignoreChanges": {
+ "title": "Ignore changes",
+ "description": "If false (default), the system updates the ciphertext in every AS3 declaration deployment.
If true, AS3 creates the ciphertext on first deployment, and leaves it untouched afterwards",
+ "type": "boolean",
+ "default": false
+ }
+ },
+ "required": [
+ "protected"
+ ]
+ },
+ "Controls": {
+ "title": "Controls",
+ "description": "Options to control configuration process",
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Controls",
+ "default": "Controls"
+ },
+ "logLevel": {
+ "title": "Log level",
+ "description": "Controls the amount of detail in logs produced while configuring this Tenant (default is whole-declaration Controls/logLevel value)",
+ "type": "string",
+ "enum": [
+ "emergency",
+ "alert",
+ "critical",
+ "error",
+ "warning",
+ "notice",
+ "info",
+ "debug"
+ ],
+ "default": "error"
+ },
+ "trace": {
+ "title": "Trace",
+ "description": "If true, AS3 creates a detailed trace of the configuration process for this Tenant for subsequent analysis (default is whole-declaration Controls/trace value). Warning: trace files may contain sensitive configuration data",
+ "type": "boolean",
+ "default": false
+ },
+ "fortune": {
+ "title": "Fortune",
+ "description": "If true, AS3 will activate Zoltar mode and read you your fortune",
+ "type": "boolean",
+ "default": false
+ }
+ },
+ "additionalProperties": false
+ },
+ "Firewall_Address_List": {
+ "title": "Firewall Address List",
+ "description": "Declares an address-list for use by firewall rules. An address list is a list of IP-address prefixes to compare against the source-IP address and/or destination-IP address in an IP packet",
+ "type": "object",
+ "f5modules": [
+ "afm",
+ "asm"
+ ],
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Firewall_Address_List"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "addresses": {
+ "type": "array",
+ "description": "A list of IPv4 and IPv6 addresses and address ranges.
You can specify a network with CIDR slash notation.",
+ "items": {
+ "type": "string"
+ },
+ "minItems": 1
+ },
+ "fqdns": {
+ "type": "array",
+ "description": "A list of fully qualified domain names.",
+ "items": {
+ "type": "string"
+ },
+ "minItems": 1
+ },
+ "geo": {
+ "type": "array",
+ "description": "A list of geographic locations (for example, US:Washington).",
+ "items": {
+ "type": "string"
+ },
+ "minItems": 1
+ },
+ "addressLists": {
+ "type": "array",
+ "description": "A list of other address lists (each by AS3 pointer or BIG-IP pathname).",
+ "items": {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to firewall address list declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Firewall_Address_List"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP Firewall Address List",
+ "description": "Pathname of existing BIG-IP firewall address list",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query security firewall address-list"
+ },
+ "minItems": 1
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "class"
+ ],
+ "anyOf": [
+ {
+ "required": [
+ "addresses"
+ ]
+ },
+ {
+ "required": [
+ "fqdns"
+ ]
+ },
+ {
+ "required": [
+ "geo"
+ ]
+ },
+ {
+ "required": [
+ "addressLists"
+ ]
+ }
+ ]
+ },
+ "Firewall_Port_List": {
+ "title": "Firewall Port List",
+ "description": "Declares a port-list for use by firewall rules.
A firewall rule can match a packet's source port or destination port against one of the ports in a port list, and can take some action (such as ACCEPT or DROP) for a matching packet.",
+ "type": "object",
+ "f5modules": [
+ "afm"
+ ],
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Firewall_Port_List"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "ports": {
+ "type": "array",
+ "description": "A list of ports and port ranges (for example, 80, \"8080-8090\").",
+ "items": {
+ "type": [
+ "integer",
+ "string"
+ ]
+ },
+ "minItems": 1
+ },
+ "portLists": {
+ "type": "array",
+ "description": "A list of other port lists (each by AS3 pointer or BIG-IP pathname).",
+ "items": {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to firewall port list declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Firewall_Port_List"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP Firewall Port List",
+ "description": "Pathname of existing BIG-IP firewall port list",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query security firewall port-list"
+ },
+ "minItems": 1
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "class"
+ ],
+ "anyOf": [
+ {
+ "required": [
+ "ports"
+ ]
+ },
+ {
+ "required": [
+ "portLists"
+ ]
+ }
+ ]
+ },
+ "Firewall_Rule_List": {
+ "title": "Firewall Rule List",
+ "description": "Declares a list of network firewall rules.
You can reuse a rule list in multiple firewalls, such as the firewalls for self IPs, routing domains, and the global firewall.",
+ "type": "object",
+ "f5modules": [
+ "afm"
+ ],
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Firewall_Rule_List"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "rules": {
+ "type": "array",
+ "description": "A list of network firewall rules.",
+ "items": {
+ "$ref": "#/definitions/Firewall_Rule"
+ }
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "class"
+ ]
+ },
+ "Firewall_Rule": {
+ "title": "Firewall Rule",
+ "description": "Declares a network firewall rule.",
+ "type": "object",
+ "properties": {
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "name": {
+ "type": "string",
+ "description": "The name of the firewall rule."
+ },
+ "action": {
+ "type": "string",
+ "description": "Specifies the action that the firewall rule will take on matching packets.",
+ "enum": [
+ "accept",
+ "drop"
+ ]
+ },
+ "protocol": {
+ "type": "string",
+ "description": "Specifies the protocol to which the firewall rule applies",
+ "enum": [
+ "any",
+ "tcp",
+ "udp"
+ ],
+ "default": "any"
+ },
+ "source": {
+ "$ref": "#/definitions/Firewall_Rule_Source"
+ },
+ "destination": {
+ "$ref": "#/definitions/Firewall_Rule_Destination"
+ },
+ "loggingEnabled": {
+ "type": "boolean",
+ "description": "Specifies whether the system enables or disables logging for the firewall rule.",
+ "default": false
+ },
+ "iRule": {
+ "type": "object",
+ "description": "Specifies the name of the iRule (by AS3 pointer or BIG-IP pathname) that the system will trigger when a packet matches the firewall rule.",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to iRule declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "iRule" +
}
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP iRule",
+ "description": "Pathname of existing BIG-IP iRule",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm rule"
+ },
+ "iRuleSampleRate": {
+ "type": "integer",
+ "description": "Specifies the rate at which the system will trigger the specified iRule when a packet matches this firewall rule. The default value is 1 and causes the system to trigger the iRule for every packet that matches. A value of 0 disables iRule triggering."
+ }
+ },
+ "additionalProperties": false,
+ "dependencies": {
+ "iRuleSampleRate": [
+ "iRule"
+ ]
+ },
+ "required": [
+ "name",
+ "action"
+ ]
+ },
+ "Firewall_Rule_Source": {
+ "title": "Firewall Rule Source",
+ "description": "Declares the packet sources to which the network firewall rule applies.",
+ "type": "object",
+ "properties": {
+ "addressLists": {
+ "type": "array",
+ "description": "A list of address lists (each by AS3 pointer or BIG-IP pathname).",
+ "items": {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to firewall address list declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Firewall_Address_List"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP Firewall Address List",
+ "description": "Pathname of existing BIG-IP firewall address list",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query security firewall address-list"
+ },
+ "minItems": 0
+ },
+ "portLists": {
+ "type": "array",
+ "description": "A list of port lists (each by AS3 pointer or BIG-IP pathname).",
+ "items": {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to firewall port
list declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Firewall_Port_List"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP Firewall Port List",
+ "description": "Pathname of existing BIG-IP firewall port list",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query security firewall port-list"
+ },
+ "minItems": 0
+ }
+ },
+ "additionalProperties": false
+ },
+ "Firewall_Rule_Destination": {
+ "title": "Firewall Rule Destination",
+ "description": "Declares the packet destinations to which the network firewall rule applies.",
+ "type": "object",
+ "properties": {
+ "addressLists": {
+ "type": "array",
+ "description": "A list of address lists (each by AS3 pointer or BIG-IP pathname).",
+ "items": {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to firewall address list declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Firewall_Address_List"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP Firewall Address List",
+ "description": "Pathname of existing BIG-IP firewall address list",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query security firewall address-list"
+ },
+ "minItems": 0
+ },
+ "portLists": {
+ "type": "array",
+ "description": "A list of port lists (each by AS3 pointer or BIG-IP pathname).",
+ "items": {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to firewall port list declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Firewall_Port_List"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": { +
"title": "BIG-IP Firewall Port List",
+ "description": "Pathname of existing BIG-IP firewall port list",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query security firewall port-list"
+ },
+ "minItems": 0
+ }
+ },
+ "additionalProperties": false
+ },
+ "Firewall_Policy": {
+ "title": "Firewall Policy",
+ "description": "Configures firewall policy",
+ "type": "object",
+ "f5modules": [
+ "afm"
+ ],
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Firewall_Policy"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "rules": {
+ "description": "A list of firewall policy rules",
+ "type": "array",
+ "items": {
+ "oneOf": [
+ {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to Firewall Rule List declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Firewall_Rule_List"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP Firewall Rule List",
+ "description": "Pathname of existing BIG-IP Firewall Rule List",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query security firewall rule-list"
+ },
+ {
+ "$ref": "#/definitions/Firewall_Rule"
+ }
+ ]
+ }
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "class",
+ "rules"
+ ]
+ },
+ "NAT_Policy": {
+ "description": "Configures network address translation policy",
+ "type": "object",
+ "f5modules": [
+ "afm"
+ ],
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "NAT_Policy"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "rules": {
+ "description": "A list of NAT rules",
+ "type": "array",
+ "items":
{
+ "$ref": "#/definitions/NAT_Rule"
+ }
+ }
+ },
+ "required": [
+ "class"
+ ],
+ "additionalProperties": false
+ },
+ "NAT_Rule": {
+ "description": "Network address translation rule",
+ "type": "object",
+ "properties": {
+ "name": {
+ "description": "NAT rule name",
+ "type": "string"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "source": {
+ "$ref": "#/definitions/NAT_Rule_Source"
+ },
+ "destination": {
+ "$ref": "#/definitions/NAT_Rule_Destination"
+ },
+ "protocol": {
+ "description": "Specifies the IP protocol against which the packet will be compared",
+ "type": "string",
+ "enum": [
+ "any",
+ "tcp",
+ "udp"
+ ],
+ "default": "any"
+ },
+ "sourceTranslation": {
+ "description": "AS3 pointer to NAT source translation declaration",
+ "type": "object",
+ "f5modules": [
+ "afm"
+ ],
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to NAT source translation declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "NAT_Source_Translation"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP NAT Source Translation",
+ "description": "Pathname of existing BIG-IP NAT Source Translation",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query security nat source-translation"
+ }
+ },
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false
+ },
+ "NAT_Rule_Destination": {
+ "description": "Network address translation destination configuration",
+ "type": "object",
+ "properties": {
+ "addressLists": {
+ "description": "A list of address lists (each by AS3 pointer or BIG-IP pathname)",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to firewall address list declaration",
+ "type": "string",
+ "minLength": 1, +
"f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Firewall_Address_List"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP Firewall Address List",
+ "description": "Pathname of existing BIG-IP firewall address list",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query security firewall address-list"
+ }
+ },
+ "portLists": {
+ "description": "A list of port lists (each by AS3 pointer or BIG-IP pathname)",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to firewall port list declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Firewall_Port_List"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP Firewall Port List",
+ "description": "Pathname of existing BIG-IP firewall port list",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query security firewall port-list"
+ }
+ }
+ },
+ "required": [],
+ "additionalProperties": false
+ },
+ "NAT_Rule_Source": {
+ "description": "Network address translation source configuration",
+ "type": "object",
+ "properties": {
+ "addressLists": {
+ "description": "A list of address lists (each by AS3 pointer or BIG-IP pathname)",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to firewall address list declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Firewall_Address_List"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP Firewall Address List",
+ "description": "Pathname of existing BIG-IP firewall address list",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query security firewall address-list"
+ }
+ },
+ "portLists": {
+ "description": "A list of port lists (each by AS3 pointer or BIG-IP pathname)",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to firewall port list declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Firewall_Port_List"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP Firewall Port List",
+ "description": "Pathname of existing BIG-IP firewall port list",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query security firewall port-list"
+ }
+ }
+ },
+ "required": [],
+ "additionalProperties": false
+ },
+ "NAT_Source_Translation": {
+ "description": "Configures a Security network address translation source translation object",
+ "type": "object",
+ "f5modules": [
+ "afm"
+ ],
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "NAT_Source_Translation"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "addresses": {
+ "description": "Specifies addresses on which source translation is performed",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "allowEgressInterfaces": {
+ "description": "Specifies the egress interfaces (tunnels and VLANs) on which source translation is allowed",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "title": "BIG-IP Firewall Address List",
+ "description": "Pathname of existing BIG-IP firewall address list",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "bigip"
+ ],
+ "oneOf": [
+ {
+ "f5bigComponent": "query net
tunnels endpoint"
+ },
+ {
+ "f5bigComponent": "query net tunnels etherip"
+ },
+ {
+ "f5bigComponent": "query net tunnels fec"
+ },
+ {
+ "f5bigComponent": "query net tunnels fec-stat"
+ },
+ {
+ "f5bigComponent": "query net tunnels geneve"
+ },
+ {
+ "f5bigComponent": "query net tunnels gre"
+ },
+ {
+ "f5bigComponent": "query net tunnels ipip"
+ },
+ {
+ "f5bigComponent": "query net tunnels ipsec"
+ },
+ {
+ "f5bigComponent": "query net tunnels lw4o6"
+ },
+ {
+ "f5bigComponent": "query net tunnels map"
+ },
+ {
+ "f5bigComponent": "query net tunnels ppp"
+ },
+ {
+ "f5bigComponent": "query net tunnels tcp-forward"
+ },
+ {
+ "f5bigComponent": "query net tunnels tunnel"
+ },
+ {
+ "f5bigComponent": "query net tunnels v6rd"
+ },
+ {
+ "f5bigComponent": "query net tunnels vxlan"
+ },
+ {
+ "f5bigComponent": "query net tunnels wccp"
+ },
+ {
+ "f5bigComponent": "query net vlan"
+ }
+ ]
+ }
+ },
+ "clientConnectionLimit": {
+ "description": "Maximum number of simultaneous translated connections a client or subscriber is allowed to have",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 2147483647
+ },
+ "disallowEgressInterfaces": {
+ "description": "Specifies the egress interfaces (tunnels and VLANs) on which source translation is not allowed",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "title": "BIG-IP Firewall Address List",
+ "description": "Pathname of existing BIG-IP firewall address list",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "bigip"
+ ],
+ "oneOf": [
+ {
+ "f5bigComponent": "query net tunnels endpoint"
+ },
+ {
+ "f5bigComponent": "query net tunnels etherip"
+ },
+ {
+ "f5bigComponent": "query net tunnels fec"
+ },
+ {
+ "f5bigComponent": "query net tunnels fec-stat"
+ },
+ {
+ "f5bigComponent": "query net tunnels geneve"
+ },
+ {
+ "f5bigComponent": "query net tunnels gre"
+ },
+ {
+ "f5bigComponent": "query net tunnels ipip"
+ },
+ { +
"f5bigComponent": "query net tunnels ipsec"
+ },
+ {
+ "f5bigComponent": "query net tunnels lw4o6"
+ },
+ {
+ "f5bigComponent": "query net tunnels map"
+ },
+ {
+ "f5bigComponent": "query net tunnels ppp"
+ },
+ {
+ "f5bigComponent": "query net tunnels tcp-forward"
+ },
+ {
+ "f5bigComponent": "query net tunnels tunnel"
+ },
+ {
+ "f5bigComponent": "query net tunnels v6rd"
+ },
+ {
+ "f5bigComponent": "query net tunnels vxlan"
+ },
+ {
+ "f5bigComponent": "query net tunnels wccp"
+ },
+ {
+ "f5bigComponent": "query net vlan"
+ }
+ ]
+ }
+ },
+ "hairpinModeEnabled": {
+ "type": "boolean",
+ "description": "Enables or disables hairpinning for incoming connections to active translation end-points"
+ },
+ "inboundMode": {
+ "description": "Specifies the persistence settings for NAT translation entries",
+ "type": "string",
+ "enum": [
+ "endpoint-independent-filtering",
+ "explicit",
+ "none"
+ ]
+ },
+ "mapping": {
+ "$ref": "#/definitions/NAT_Source_Translation_Mapping"
+ },
+ "patMode": {
+ "description": "Specifies whether the translation address mapping is performed in Network Address Port Translation mode, Deterministic mode, or in Port Block Allocation mode",
+ "type": "string",
+ "enum": [
+ "napt",
+ "deterministic",
+ "pba"
+ ]
+ },
+ "portBlockAllocation": {
+ "$ref": "#/definitions/NAT_Source_Translation_PortBlockAllocation"
+ },
+ "ports": {
+ "description": "Specifies source ports and port ranges on which source translation is performed",
+ "type": "array",
+ "items": {
+ "type": [
+ "integer",
+ "string"
+ ],
+ "minimum": 0,
+ "maximum": 65535
+ }
+ },
+ "routeAdvertisement": {
+ "type": "boolean",
+ "description": "Specifies that the traffic is advertised to dynamic routing protocols configured in the route domain",
+ "default": false
+ },
+ "type": {
+ "description": "Specifies the type of source translation item",
+ "type": "string",
+ "enum": [
+ "dynamic-pat",
+ "static-nat",
+ "static-pat"
+ ]
+ }
+ },
+ "dependencies": {
+ "clientConnectionLimit":
{
+ "properties": {
+ "type": {
+ "const": "dynamic-pat"
+ }
+ }
+ },
+ "hairpinModeEnabled": {
+ "properties": {
+ "type": {
+ "const": "dynamic-pat"
+ }
+ }
+ },
+ "inboundMode": {
+ "properties": {
+ "type": {
+ "const": "dynamic-pat"
+ }
+ }
+ },
+ "mapping": {
+ "properties": {
+ "type": {
+ "const": "dynamic-pat"
+ }
+ }
+ },
+ "patMode": {
+ "properties": {
+ "type": {
+ "const": "dynamic-pat"
+ }
+ }
+ },
+ "portBlockAllocation": {
+ "properties": {
+ "type": {
+ "const": "dynamic-pat"
+ },
+ "patMode": {
+ "const": "pba"
+ }
+ }
+ },
+ "ports": {
+ "properties": {
+ "type": {
+ "enum": [
+ "static-pat",
+ "dynamic-pat"
+ ]
+ }
+ }
+ }
+ },
+ "if": {
+ "properties": {
+ "allowEgressInterfaces": {}
+ },
+ "required": [
+ "allowEgressInterfaces"
+ ]
+ },
+ "then": {
+ "not": {
+ "properties": {
+ "disallowEgressInterfaces": {}
+ },
+ "required": [
+ "disallowEgressInterfaces"
+ ]
+ }
+ },
+ "required": [
+ "type"
+ ],
+ "additionalProperties": false
+ },
+ "NAT_Source_Translation_Mapping": {
+ "description": "Configure the mapping settings for translation entries. It is the preservation of a public-side IP address for a client from session to session.
Only available if type is dynamic-pat.",
+ "type": "object",
+ "properties": {
+ "mode": {
+ "description": "Specifies the mapping mode for translation entries",
+ "type": "string",
+ "enum": [
+ "address-pooling-paired",
+ "endpoint-independent-mapping",
+ "none"
+ ],
+ "default": "address-pooling-paired"
+ },
+ "timeout": {
+ "description": "Specifies the timeout (in seconds) for address and port mapping",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 2147483647,
+ "default": 300
+ }
+ },
+ "required": [],
+ "additionalProperties": false
+ },
+ "NAT_Source_Translation_PortBlockAllocation": {
+ "description": "Configure the port block allocation",
+ "type": "object",
+ "properties": {
+ "blockIdleTimeout": {
+ "description": "Specifies the amount of time in seconds that an assigned block of ports remains available when idle before it times out",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 2147483647,
+ "default": 3600
+ },
+ "blockLifetime": {
+ "description": "Specifies the lifetime in seconds of a block of ports",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 2147483647,
+ "default": 0
+ },
+ "blockSize": {
+ "description": "Specifies the nmber of ports per block. Each block is assigned to one client. 
A client can use all ports in a block multiplied by the number of blocks, up to the connection limit, if one is set",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 2147483647,
+ "default": 64
+ },
+ "clientBlockLimit": {
+ "description": "Specifies the number of blocks that can be assigned to a client",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 2147483647,
+ "default": 1
+ },
+ "zombieTimeout": {
+ "description": "Specifies the timeout duration for a zombie port block, which is a timed out port block with one or more active connections",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 2147483647,
+ "default": 0
+ }
+ },
+ "required": [],
+ "additionalProperties": false
+ },
+ "Data_Group": {
+ "title": "Data Group",
+ "description": "Configures a data group object which contains list of data",
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Data_Group"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "storageType": {
+ "title": "Storage Type",
+ "description": "Toggles whether the data group is internal or external",
+ "type": "string",
+ "enum": [
+ "internal",
+ "external"
+ ],
+ "default": "internal"
+ },
+ "keyDataType": {
+ "title": "Data Type",
+ "description": "Specifies the type of record keys the data group contains. 
If string, the value will be escaped by default",
+ "type": "string",
+ "enum": [
+ "integer",
+ "ip",
+ "string"
+ ]
+ }
+ },
+ "if": {
+ "properties": {
+ "storageType": {
+ "const": "internal"
+ }
+ }
+ },
+ "then": {
+ "allOf": [
+ {
+ "if": {
+ "properties": {
+ "keyDataType": {
+ "const": "string"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Data_Group_Records_String"
+ }
+ },
+ {
+ "if": {
+ "properties": {
+ "keyDataType": {
+ "const": "integer"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Data_Group_Records_Integer"
+ }
+ },
+ {
+ "if": {
+ "properties": {
+ "keyDataType": {
+ "const": "ip"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Data_Group_Records_IP"
+ }
+ }
+ ],
+ "required": [
+ "class",
+ "keyDataType",
+ "records"
+ ]
+ },
+ "else": {
+ "properties": {
+ "externalFilePath": {
+ "title": "External File Path",
+ "description": "Specifies the location (URI) from where the records will be copied",
+ "type": "string",
+ "f5expand": true
+ },
+ "separator": {
+ "title": "Record Key Value Separator",
+ "description": "Specifies the character(s) that separate the record key and value",
+ "type": "string",
+ "default": ":="
+ },
+ "ignoreChanges": {
+ "title": "Ignore changes",
+ "description": "If false (default), the system updates data group in every AS3 declaration deployment. 
If true, AS3 creates the data group on first deployment, and leaves it untouched afterwards",
+ "type": "boolean",
+ "default": false
+ },
+ "dataGroupFile": {
+ "$ref": "#/definitions/Pointer_Data_Group_File"
+ }
+ },
+ "oneOf": [
+ {
+ "required": [
+ "class",
+ "keyDataType",
+ "externalFilePath"
+ ]
+ },
+ {
+ "required": [
+ "class",
+ "keyDataType",
+ "dataGroupFile"
+ ]
+ }
+ ],
+ "not": {
+ "required": [
+ "externalFilePath",
+ "dataGroupFile"
+ ]
+ }
+ }
+ },
+ "Data_Group_Records_Base": {
+ "title": "Data Group - Records",
+ "description": "Configures data group records to store",
+ "type": "object",
+ "records": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "description": "A record object to store",
+ "properties": {
+ "value": {
+ "title": "Record value",
+ "description": "Value to store",
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "Data_Group_Records_String": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/Data_Group_Records_Base"
+ },
+ {
+ "dependencies": {
+ "records": {
+ "items": {
+ "properties": {
+ "key": {
+ "title": "Record Key",
+ "description": "Record Identifier",
+ "type": "string"
+ }
+ },
+ "required": [
+ "key"
+ ]
+ }
+ }
+ }
+ }
+ ]
+ },
+ "Data_Group_Records_Integer": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/Data_Group_Records_Base"
+ },
+ {
+ "dependencies": {
+ "records": {
+ "items": {
+ "properties": {
+ "key": {
+ "title": "Record Key",
+ "description": "Record Identifier",
+ "type": "integer"
+ }
+ },
+ "required": [
+ "key"
+ ]
+ }
+ }
+ }
+ }
+ ]
+ },
+ "Data_Group_Records_IP": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/Data_Group_Records_Base"
+ },
+ {
+ "dependencies": {
+ "records": {
+ "items": {
+ "properties": {
+ "key": {
+ "title": "Record Key",
+ "description": "Record Identifier - string can be ip address or ip address with netmask (if not provided, default is /32)",
+ "type": "string",
+ "format": "f5ip"
+ }
+ },
+ "required": [
+ "key"
+ ]
+ }
+ }
+ }
+ }
+ ]
+ },
+ "DNS_Profile": {
+ "description": 
"Configures a Domain Name System (DNS) profile",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "DNS_Profile"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "parentProfile": {
+ "description": "Specifies the name of the object to inherit the settings from",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Pointer_DNS_Profile"
+ },
+ {
+ "default": {
+ "bigip": "/Common/dns"
+ }
+ }
+ ]
+ },
+ "rapidResponseEnabled": {
+ "description": "When enabled, if the query name matches a GTM wide IP name and GTM is enabled on this profile, the DNS query will bypass Rapid Response. Note: This setting is supported only on physical BIG-IP hardware because it needs a High-Speed Bridge (HSB) to work. When using BIG-IP Virtual Edition, however, the system does not prevent you from selecting an action, even though the setting is ignored.",
+ "type": "boolean",
+ "default": false
+ },
+ "rapidResponseLastAction": {
+ "description": "Specifies what action the system takes when Rapid Response Mode is enabled and the incoming DNS query does not match a DNS Express Zone",
+ "type": "string",
+ "enum": [
+ "allow",
+ "drop",
+ "noerror",
+ "nxdomain",
+ "refuse",
+ "truncate"
+ ],
+ "default": "drop"
+ },
+ "hardwareQueryValidationEnabled": {
+ "description": "On supported platforms, indicates whether the hardware will accelerate query validation",
+ "type": "boolean",
+ "default": false
+ },
+ "hardwareResponseCacheEnabled": {
+ "description": "On supported platforms, indicates whether the hardware will cache responses",
+ "type": "boolean",
+ "default": false
+ },
+ "dnssecEnabled": {
+ "description": "Specifies whether the system signs responses with DNSSEC keys and replies to DNSSEC specific queries (e.g., DNSKEY query type)",
+ "type": "boolean",
+ "default": true
+ },
+ "globalServerLoadBalancingEnabled": {
+ "description": "Specifies whether the system uses Global Traffic Manager to manage the 
response",
+ "type": "boolean",
+ "default": true
+ },
+ "dnsExpressEnabled": {
+ "description": "Specifies whether the DNS Express engine is enabled. The DNS Express engine receives zone transfers from the authoritative DNS server for the zone. If the Zone Transfer setting is also enabled on this profile, the DNS Express engine also responds to zone transfer requests made by the nameservers configured as zone transfer clients for the DNS Express zone. ",
+ "type": "boolean",
+ "default": true
+ },
+ "cacheEnabled": {
+ "description": "Specifies whether the system caches DNS responses",
+ "type": "boolean",
+ "default": false
+ },
+ "cache": {
+ "$ref": "#/definitions/Pointer_DNS_Cache"
+ },
+ "dns64Mode": {
+ "description": "Specifies handling of AAAA and A DNS queries and responses",
+ "type": "string",
+ "enum": [
+ "disabled",
+ "secondary",
+ "immediate",
+ "v4-only"
+ ],
+ "default": "disabled"
+ },
+ "dns64Prefix": {
+ "description": "Specifies the prefix to use for the IPv6-formatted IP addresses that the system converts to IPv4-formatted IP addresses",
+ "type": "string",
+ "default": "0:0:0:0:0:0:0:0"
+ },
+ "dns64AdditionalSectionRewrite": {
+ "description": "Select an option to allow improved network efficiency for both Unicast and Multicast DNS-SD responses",
+ "type": "string",
+ "enum": [
+ "disabled",
+ "v6-only",
+ "v4-only",
+ "any"
+ ],
+ "default": "disabled"
+ },
+ "unhandledQueryAction": {
+ "description": "Specifies whether the system uses the local BIND server on the BIG-IP system",
+ "type": "string",
+ "enum": [
+ "allow",
+ "drop",
+ "hint",
+ "noerror",
+ "reject"
+ ],
+ "default": "allow"
+ },
+ "localBindServerEnabled": {
+ "description": "Specifies whether the system forwards non-wide IP queries to the local BIND server on the BIG-IP system. 
For best performance, disable this setting when using a DNS cache.",
+ "type": "boolean",
+ "default": true
+ },
+ "zoneTransferEnabled": {
+ "description": "Specifies whether the system answers zone transfer requests for a DNS zone created on the system. The DNS Express and Zone Transfer settings on a DNS profile affect how the system responds to zone transfer requests. ",
+ "type": "boolean",
+ "default": false
+ },
+ "recursionDesiredEnabled": {
+ "description": "Specifies whether to process client-side DNS packets with Recursion Desired set in the header. If set to Disabled, processing of the packet is subject to the unhandled-query-action option.",
+ "type": "boolean",
+ "default": true
+ },
+ "securityEnabled": {
+ "description": "Specifies whether DNS firewall capability is enabled.",
+ "type": "boolean",
+ "default": true
+ },
+ "securityProfile": {
+ "$ref": "#/definitions/Pointer_DNS_Security_Profile"
+ },
+ "loggingEnabled": {
+ "description": "Specifies whether to process client-side DNS packets with Recursion Desired set in the header. If set to Disabled, processing of the packet is subject to the unhandled-query-action option.",
+ "type": "boolean",
+ "default": true
+ },
+ "loggingProfile": {
+ "$ref": "#/definitions/Pointer_DNS_Logging_Profile"
+ },
+ "statisticsSampleRate": {
+ "description": "Sets AVR DNS statistics sampling rate. A value of 0 (zero) means that no query will be sent to the analytics database. A value of 1 means that every query will be sent. A value of n means that every nth query will be sent, and that the analytics database will count that query n times. When sampling rate is greater than one, the statistics will be inaccurate if the traffic volume is low. However, when the traffic volume is high, the system performance will benefit from sampling and the inaccuracy will be negligible. DNS statistics contain query name, query type, virtual server IP and client IP. 
",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 4294967295,
+ "default": 0
+ }
+ },
+ "required": [
+ "class"
+ ],
+ "additionalProperties": false
+ },
+ "DNS_TSIG_Key": {
+ "description": "Configures a TSIG key",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "DNS_TSIG_Key"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "algorithm": {
+ "description": "Specifies the algorithm the system uses to authenticate AXFR zone transfer requests as coming from an approved DNS nameserver, or to authenticate AXFR zone transfers as coming from an approved back-end DNS authoritative server. The algorithm involves a cryptographic hash function in combination with a secret, which is specified in the Secret field. The default is HMAC MD5 (the Hash-based Message Authentication Code MD5).",
+ "type": "string",
+ "enum": [
+ "hmacmd5",
+ "hmacsha1",
+ "hmacsha256"
+ ]
+ },
+ "secret": {
+ "description": "Specifies the secret used with the algorithm in the verification process. 
The secret must be generated by a third-party tool such as BIND's keygen utility; the BIG-IP system does not generate the TSIG key secret.",
+ "type": "object",
+ "properties": {
+ "allowReuse": {
+ "description": "If true, other declaration objects may reuse this value",
+ "type": "boolean",
+ "default": false
+ }
+ },
+ "if": true,
+ "then": {
+ "$ref": "#/definitions/Secret"
+ },
+ "f5fetch": "object",
+ "f5secret": true
+ }
+ },
+ "required": [
+ "class",
+ "secret"
+ ],
+ "additionalProperties": false
+ },
+ "DNS_Zone": {
+ "description": "Configures a DNS zone",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "DNS_Zone"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "dnsExpress": {
+ "$ref": "#/definitions/DNS_Zone_DNS_Express"
+ },
+ "responsePolicyEnabled": {
+ "description": "Specifies if this is a response policy zone. If this is set to yes, this zone may be assigned as an RPZ to a DNS Cache",
+ "type": "boolean",
+ "default": false
+ },
+ "serverTsigKey": {
+ "$ref": "#/definitions/Pointer_DNS_TSIG_Key"
+ },
+ "transferClients": {
+ "description": "Specifies the DNS nameservers to which the system sends NOTIFY messages. The system allows only the DNS nameservers in the Active column to initiate AXFR zone transfers for this DNS zone.",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/Pointer_DNS_Nameserver"
+ }
+ }
+ },
+ "required": [
+ "class"
+ ],
+ "additionalProperties": false
+ },
+ "DNS_Zone_DNS_Express": {
+ "description": "Configure zone DNS Express settings",
+ "properties": {
+ "enabled": {
+ "description": "Specifies whether DNS Express is enabled to process queries for this zone",
+ "type": "boolean",
+ "default": true
+ },
+ "nameserver": {
+ "description": "Specifies the back-end authoritative DNS server from which the BIG-IP system receives AXFR zone transfers for the DNS Express zone. 
The options are None and user-defined nameservers.",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Pointer_DNS_Nameserver"
+ }
+ ]
+ },
+ "notifyAction": {
+ "description": "Specifies the action the system takes when a NOTIFY message is received for this DNS Express zone. NOTIFY responses are assumed to be sent by the authoritative nameserver for the zone, except when the action is Consume, and then DNS Express generates the response. Note: If a TSIG key is configured for the zone, the signature is only validated for Consume and Repeat actions.",
+ "type": "string",
+ "enum": [
+ "consume",
+ "bypass",
+ "repeat"
+ ]
+ },
+ "allowNotifyFrom": {
+ "description": "Specifies the IP addresses from which the system accepts NOTIFY messages for this DNS Express zone",
+ "type": "array",
+ "items": {
+ "type": "string",
+ "format": "f5ip"
+ }
+ },
+ "verifyNotifyTsig": {
+ "description": "Specifies whether the system verifies the identity of the authoritative nameserver that sends updated information for this DNS Express zone",
+ "type": "boolean",
+ "default": true
+ }
+ },
+ "required": [
+ "nameserver"
+ ],
+ "additionalProperties": false
+ },
+ "DNS_Nameserver": {
+ "description": "Configures a DNS nameserver",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "DNS_Nameserver"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "address": {
+ "description": "Specifies the IP address on which the DNS nameserver (client) or back-end DNS authoritative server (DNS Express server) listens for DNS messages",
+ "type": "string",
+ "default": "127.0.0.1",
+ "format": "f5ip"
+ },
+ "port": {
+ "description": "Specifies the service port on which the DNS nameserver (client) or back-end DNS authoritative server (DNS Express server) listens for DNS messages",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 65535,
+ "default": 53
+ },
+ "routeDomain": {
+ "$ref": 
"#/definitions/Pointer_Route_Domain"
+ },
+ "tsigKey": {
+ "$ref": "#/definitions/Pointer_DNS_TSIG_Key"
+ }
+ },
+ "required": [
+ "class"
+ ],
+ "additionalProperties": false
+ },
+ "Security_Log_Profile": {
+ "type": "object",
+ "title": "Security Log Profile",
+ "description": "Configures a Security log profile",
+ "f5modules": [
+ "afm",
+ "asm"
+ ],
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Security_Log_Profile"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "botDefense": {
+ "$ref": "#/definitions/Security_Log_Profile_Bot_Defense"
+ },
+ "classification": {
+ "$ref": "#/definitions/Security_Log_Profile_Classification"
+ },
+ "dosApplication": {
+ "$ref": "#/definitions/Security_Log_Profile_Dos_Application"
+ },
+ "dosNetwork": {
+ "$ref": "#/definitions/Security_Log_Profile_Dos_Network"
+ },
+ "ipIntelligence": {
+ "$ref": "#/definitions/Security_Log_Profile_Ip_Intelligence"
+ },
+ "nat": {
+ "$ref": "#/definitions/Security_Log_Profile_Nat"
+ },
+ "network": {
+ "$ref": "#/definitions/Security_Log_Profile_Network"
+ },
+ "protocolDns": {
+ "$ref": "#/definitions/Security_Log_Profile_Protocol_Dns"
+ },
+ "protocolDnsDos": {
+ "$ref": "#/definitions/Security_Log_Profile_Protocol_Dns_Dos"
+ },
+ "protocolSip": {
+ "$ref": "#/definitions/Security_Log_Profile_Protocol_Sip"
+ },
+ "protocolSipDos": {
+ "$ref": "#/definitions/Security_Log_Profile_Protocol_Sip_Dos"
+ },
+ "protocolTransfer": {
+ "$ref": "#/definitions/Security_Log_Profile_Protocol_Transfer"
+ },
+ "sshProxy": {
+ "$ref": "#/definitions/Security_Log_Profile_Ssh_Proxy"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ },
+ "Security_Log_Profile_Bot_Defense": {
+ "title": "Bot Defense Log Profile",
+ "description": "Specifies, when enabled, that the system logs events from the Proactive Bot Defense mechanism. 
Depending on settings, the system logs Illegal requests, Legal requests and BIGIP Challenges.",
+ "f5modules": [
+ "asm"
+ ],
+ "properties": {
+ "localPublisher": {
+ "description": "Specifies, when enabled, a Log Publisher to log events to (Note: This publisher should have a single local-database destination)",
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to log publisher declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Log_Publisher"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP log publisher",
+ "description": "Pathname of existing BIG-IP log publisher",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query sys log-config publisher"
+ },
+ "remotePublisher": {
+ "description": "Enables selecting a Log Publisher that has Splunk enabled",
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to log publisher declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Log_Publisher"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP log publisher",
+ "description": "Pathname of existing BIG-IP log publisher",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query sys log-config publisher"
+ },
+ "logBotSignatureMatchedRequests": {
+ "description": "This option enables or disables the logging of reported bot signature requests",
+ "type": "boolean",
+ "default": false
+ },
+ "logCaptchaChallengedRequests": {
+ "description": "This option enables or disables the logging of captcha challenged requests",
+ "type": "boolean",
+ "default": false
+ },
+ "logChallengedRequests": {
+ "description": "This 
option enables or disables the logging of challenged requests",
+ "type": "boolean",
+ "default": false
+ },
+ "logIllegalRequests": {
+ "description": "This option enables or disables the logging of illegal requests",
+ "type": "boolean",
+ "default": true
+ },
+ "logLegalRequests": {
+ "description": "This option enables or disables the logging of legal requests",
+ "type": "boolean",
+ "default": false
+ }
+ },
+ "additionalProperties": false
+ },
+ "Security_Log_Profile_Classification": {
+ "f5modules": [
+ "afm"
+ ],
+ "title": "Classification Log Profile",
+ "description": "Specifies, when enabled, that the system logs events from the Classification engine.",
+ "properties": {
+ "publisher": {
+ "description": "Specifies where the system sends log messages",
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to log publisher declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Log_Publisher"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP log publisher",
+ "description": "Pathname of existing BIG-IP log publisher",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query sys log-config publisher"
+ },
+ "logAllMatches": {
+ "description": "This option enables or disables the logging of all matches",
+ "type": "boolean",
+ "default": "false"
+ }
+ },
+ "additionalProperties": false
+ },
+ "Security_Log_Profile_Dos_Application": {
+ "title": "DoS Application Log Profile",
+ "description": "Specifies, when enabled, that the system logs detected application DoS attacks",
+ "f5modules": [
+ "asm"
+ ],
+ "properties": {
+ "localPublisher": {
+ "description": "Specifies the local log publisher used for Application DoS attacks (Note: This publisher should have a single local-database destination)",
+ "type": "object",
+ "properties": { 
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to log publisher declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Log_Publisher"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP log publisher",
+ "description": "Pathname of existing BIG-IP log publisher",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query sys log-config publisher"
+ },
+ "remotePublisher": {
+ "description": "Specifies the remote log publisher used for Application DoS attacks (Note: This publisher should have ArcSight or Splunk destinations)",
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to log publisher declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Log_Publisher"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP log publisher",
+ "description": "Pathname of existing BIG-IP log publisher",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query sys log-config publisher"
+ }
+ },
+ "additionalProperties": false
+ },
+ "Security_Log_Profile_Dos_Network": {
+ "f5modules": [
+ "afm",
+ "dos",
+ "em"
+ ],
+ "title": "DoS Network Log Profile",
+ "description": "Specifies, when enabled, that the system logs detected network DoS attacks",
+ "properties": {
+ "publisher": {
+ "description": "Specifies the name of the log publisher used for logging Network DoS events",
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to log publisher declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Log_Publisher"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ 
"bigip": {
+ "title": "BIG-IP log publisher",
+ "description": "Pathname of existing BIG-IP log publisher",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query sys log-config publisher"
+ }
+ },
+ "additionalProperties": false
+ },
+ "Security_Log_Profile_Nat": {
+ "f5modules": [
+ "afm"
+ ],
+ "title": "Network Address Translation Log Profile",
+ "description": "Specifies, when enabled, that the system logs Firewall NAT events",
+ "properties": {
+ "publisher": {
+ "description": "Specifies the name of the log publisher used for logging Network Address Translation events",
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to log publisher declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Log_Publisher"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP log publisher",
+ "description": "Pathname of existing BIG-IP log publisher",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query sys log-config publisher"
+ },
+ "logErrors": {
+ "description": "Generates event log entries when a NAT translation errors occur",
+ "type": "boolean",
+ "default": false
+ },
+ "logSubscriberId": {
+ "description": "Logs the subscriber ID associated with a subscriber IP address",
+ "type": "boolean",
+ "default": false
+ },
+ "logQuotaExceeded": {
+ "description": "Generates event log entries when a NAT client exceeds allocated resources",
+ "type": "boolean",
+ "default": false
+ },
+ "logStartInboundSession": {
+ "description": "Generates event log entries at the start of the incoming connection event for a translated endpoint. 
Triggered when the system creates the inbound session.",
+ "type": "boolean",
+ "default": false
+ },
+ "logEndInboundSession": {
+ "description": "Generates event log entries at the end of the incoming connection event for a translated endpoint. Triggered when the system frees the inbound session.",
+ "type": "boolean",
+ "default": false
+ },
+ "logStartOutboundSession": {
+ "description": "Generates event log entries at start of the translation event for a NAT client. Triggered when the system creates the outbound session.",
+ "type": "boolean",
+ "default": false
+ },
+ "logEndOutboundSession": {
+ "description": "Generates event log entries at end of translation event for a NAT client. Triggered when the system frees the outbound session.",
+ "type": "boolean",
+ "default": false
+ },
+ "rateLimitAggregate": {
+ "description": " This option sets the aggregate rate for all the Firewall NAT log events that the system can log per second",
+ "type": "integer",
+ "default": 4294967295
+ },
+ "rateLimitErrors": {
+ "description": "This option rate limits the errors the system logs per second",
+ "type": "integer",
+ "default": 4294967295
+ },
+ "rateLimitQuotaExceeded": {
+ "description": "This option rate limits the quota exceeded log events per second",
+ "type": "integer",
+ "default": 4294967295
+ },
+ "rateLimitStartInboundSession": {
+ "description": "This option rate limits the start inbound session log events per second",
+ "type": "integer",
+ "default": 4294967295
+ },
+ "rateLimitEndInboundSession": {
+ "description": "This option rate limits the end inbound session log events per second",
+ "type": "integer",
+ "default": 4294967295
+ },
+ "rateLimitStartOutboundSession": {
+ "description": "This option rate limits the start outbound session log events per second",
+ "type": "integer",
+ "default": 4294967295
+ },
+ "rateLimitEndOutboundSession": {
+ "description": "This option rate limits the end outbound session log events per second",
+ "type": 
"integer",
+ "default": 4294967295
+ },
+ "formatErrors": {
+ "$ref": "#/definitions/Security_Log_Profile_Nat_Storage_Format"
+ },
+ "formatQuotaExceeded": {
+ "$ref": "#/definitions/Security_Log_Profile_Nat_Storage_Format"
+ },
+ "formatStartInboundSession": {
+ "$ref": "#/definitions/Security_Log_Profile_Nat_Storage_Format"
+ },
+ "formatEndInboundSession": {
+ "$ref": "#/definitions/Security_Log_Profile_Nat_Storage_Format"
+ },
+ "formatStartOutboundSession": {
+ "$ref": "#/definitions/Security_Log_Profile_Nat_Storage_Format"
+ },
+ "formatEndOutboundSession": {
+ "$ref": "#/definitions/Security_Log_Profile_Nat_Storage_Format"
+ }
+ },
+ "required": [
+ "publisher"
+ ],
+ "additionalProperties": false
+ },
+ "Security_Log_Profile_Nat_Storage_Format": {
+ "description": "Specifies the format type for log messages",
+ "anyOf": [
+ {
+ "type": "string",
+ "minLength": 1
+ },
+ {
+ "type": "object",
+ "properties": {
+ "fields": {
+ "description": "Replaces a set of fields in the predefined storage format",
+ "type": "array",
+ "items": {
+ "type": "string",
+ "enum": [
+ "context-name",
+ "duration",
+ "route-domain",
+ "sub-id",
+ "translated-dest-port",
+ "translated-src-port",
+ "dest-ip",
+ "event-name",
+ "src-ip",
+ "timestamp",
+ "translated-route-domain",
+ "dest-port",
+ "protocol",
+ "src-port",
+ "translated-dest-ip",
+ "translated-src-ip"
+ ]
+ }
+ },
+ "delimiter": {
+ "description": "Specifies a field delimiter in the predefined storage format",
+ "type": "string",
+ "default": "." 
+ }
+ },
+ "required": [
+ "fields"
+ ],
+ "additionalProperties": false
+ }
+ ]
+ },
+ "Security_Log_Profile_Network": {
+ "f5modules": [
+ "afm",
+ "em"
+ ],
+ "title": "Network Log Profile",
+ "description": "Specifies, when enabled, that the system logs ACL rule matches, TCP events, and/or TCP/IP errors sent to the network firewall",
+ "properties": {
+ "publisher": {
+ "description": "Specifies the name of the log publisher used for logging Network events",
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to log publisher declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Log_Publisher"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP log publisher",
+ "description": "Pathname of existing BIG-IP log publisher",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query sys log-config publisher"
+ },
+ "logRuleMatchAccepts": {
+ "description": "Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Accept",
+ "type": "boolean",
+ "default": false
+ },
+ "logRuleMatchDrops": {
+ "description": "Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Drop",
+ "type": "boolean",
+ "default": false
+ },
+ "logRuleMatchRejects": {
+ "description": "Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Reject",
+ "type": "boolean",
+ "default": false
+ },
+ "logIpErrors": {
+ "description": "Specifies, when enabled, that the system logs IP error packets",
+ "type": "boolean",
+ "default": false
+ },
+ "logTcpErrors": {
+ "description": "Specifies, when enabled, that the system logs TCP error packets",
+ "type": "boolean",
+ "default": false
+ },
+ "logTcpEvents": {
+ "description": "Specifies, when 
enabled, that the system logs TCP events (open and close of TCP sessions)",
+ "type": "boolean",
+ "default": false
+ },
+ "logTranslationFields": {
+ "description": "Specifies, when enabled, that the system logs translation values if and when it logs a network firewall event",
+ "type": "boolean",
+ "default": false
+ },
+ "alwaysLogRegion": {
+ "description": "Specifies, when enabled, that when a geolocation event causes a network firewall event, the system logs the associated IP address",
+ "type": "boolean",
+ "default": false
+ },
+ "rateLimitRuleMatchAccepts": {
+ "description": "This option sets rate limits for the logging of packets that match ACL rules configured with action = Accept or action = Accept Decisively",
+ "type": "integer",
+ "default": 4294967295
+ },
+ "rateLimitRuleMatchDrops": {
+ "description": "This option sets rate limits for the logging of packets that match ACL rules configured with action = Accept or action = Accept Decisively",
+ "type": "integer",
+ "default": 4294967295
+ },
+ "rateLimitRuleMatchRejects": {
+ "description": "This option sets rate limits for the logging of packets that match ACL rules configured with action = Reject",
+ "type": "integer",
+ "default": 4294967295
+ },
+ "rateLimitIpErrors": {
+ "description": "This option enables or disables the logging of IP error packets",
+ "type": "integer",
+ "default": 4294967295
+ },
+ "rateLimitTcpErrors": {
+ "description": "This option sets rate limits for the logging of TCP error packets",
+ "type": "integer",
+ "default": 4294967295
+ },
+ "rateLimitTcpEvents": {
+ "description": "This option sets rate limits for the logging of TCP events on client side",
+ "type": "integer",
+ "default": 4294967295
+ },
+ "rateLimitAggregate": {
+ "description": "This option sets the aggregate rate limit that applies to any network logging message",
+ "type": "integer",
+ "default": 4294967295
+ },
+ "storageFormat": {
+ "description": "Specifies the format type for log messages",
+ 
"anyOf": [ + { + "type": "string", + "minLength": 1 + }, + { + "type": "object", + "properties": { + "fields": { + "description": "Replaces a set of fields in the predefined storage format", + "type": "array", + "items": { + "type": "string", + "enum": [ + "acl-policy-name", + "acl-policy-type", + "acl-rule-name", + "action", + "bigip-hostname", + "context-name", + "context-type", + "date-time", + "dest-ip", + "dest-port", + "drop-reason", + "management-ip-address", + "protocol", + "route-domain", + "sa-translation-pool", + "sa-translation-type", + "src-ip", + "src-port", + "translated-dest-ip", + "translated-dest-port", + "translated-ip-protocol", + "translated-route-domain", + "translated-src-ip", + "translated-src-port", + "translated-vlan", + "vlan" + ] + } + }, + "delimiter": { + "description": "Specifies a field delimiter in the predefined storage format", + "type": "string", + "default": "." + } + }, + "required": [ + "fields" + ], + "additionalProperties": false + } + ] + } + }, + "additionalProperties": false + }, + "Security_Log_Profile_Ip_Intelligence": { + "title": "IP Intelligence Log Profile", + "description": "Specifies, when enabled, that the system logs IP Intelligence events", + "properties": { + "publisher": { + "description": "Specifies the name of the log publisher used for logging IP Intelligence events", + "type": "object", + "properties": { + "use": { + "title": "Use", + "description": "AS3 pointer to log publisher declaration", + "type": "string", + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "Log_Publisher" + } + }, + "required": [ + "class" + ] + } + }, + "bigip": { + "title": "BIG-IP log publisher", + "description": "Pathname of existing BIG-IP log publisher", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "minProperties": 1, + "maxProperties": 1, + "f5bigComponent": "query sys log-config publisher" + }, + "logTranslationFields": { + "description": "Specifies, when 
enabled, that the system logs translation values if and when it logs a network firewall event", + "type": "boolean", + "default": "false" + }, + "rateLimitAggregate": { + "description": "Defines a rate limit for all combined IP intelligence log messages per second", + "type": "integer", + "default": 4294967295 + } + }, + "additionalProperties": false + }, + "Security_Log_Profile_Protocol_Dns": { + "f5modules": [ + "afm", + "em" + ], + "title": "Protocol DNS Log Profile", + "description": "Specifies, when enabled, that the system logs DNS security events", + "properties": { + "publisher": { + "description": "Specifies the name of the log publisher used for logging DNS security events", + "type": "object", + "properties": { + "use": { + "title": "Use", + "description": "AS3 pointer to log publisher declaration", + "type": "string", + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "const": "Log_Publisher" + } + }, + "required": [ + "class" + ] + } + }, + "bigip": { + "title": "BIG-IP log publisher", + "description": "Pathname of existing BIG-IP log publisher", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "minProperties": 1, + "maxProperties": 1, + "f5bigComponent": "query sys log-config publisher" + }, + "logDroppedRequests": { + "description": "Specifies, when enabled, that the system logs dropped DNS requests", + "type": "boolean", + "default": false + }, + "logFilteredDroppedRequests": { + "description": "Specifies, when enabled, that the system logs DNS requests dropped due to DNS query/header-opcode filtering. 
The system does not log DNS requests dropped due to errors in the way the system processes DNS packets.", + "type": "boolean", + "default": false + }, + "logMalformedRequests": { + "description": "Specifies, when enabled, that the system logs malformed DNS requests", + "type": "boolean", + "default": false + }, + "logRejectedRequests": { + "description": "Specifies, when enabled, that the system logs rejected DNS requests", + "type": "boolean", + "default": false + }, + "logMaliciousRequests": { + "description": "Specifies, when enabled, that the system logs malicious DNS requests", + "type": "boolean", + "default": false + }, + "storageFormat": { + "description": "Specifies the format type for log messages", + "anyOf": [ + { + "type": "string", + "minLength": 1 + }, + { + "type": "object", + "properties": { + "fields": { + "description": "Replaces a set of fields in the predefined storage format", + "type": "array", + "items": { + "type": "string", + "enum": [ + "action", + "attack-type", + "context-name", + "date-time", + "dest-ip", + "dest-port", + "dns-query-name", + "dns-query-type", + "src-ip", + "src-port", + "vlan", + "route-domain" + ] + } + }, + "delimiter": { + "description": "Specifies a field delimiter in the predefined storage format", + "type": "string", + "default": "." 
+ }
+ },
+ "required": [
+ "fields"
+ ],
+ "additionalProperties": false
+ }
+ ]
+ }
+ },
+ "additionalProperties": false
+ },
+ "Security_Log_Profile_Protocol_Sip_Dos": {
+ "f5modules": [
+ "afm",
+ "em"
+ ],
+ "title": "Protocol SIP DoS Log Profile",
+ "description": "Specifies, when enabled, that the system logs detected SIP DoS attacks",
+ "properties": {
+ "publisher": {
+ "description": "Specifies the name of the log publisher used for logging SIP DoS events",
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to log publisher declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Log_Publisher"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP log publisher",
+ "description": "Pathname of existing BIG-IP log publisher",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query sys log-config publisher"
+ }
+ },
+ "additionalProperties": false
+ },
+ "Security_Log_Profile_Protocol_Sip": {
+ "f5modules": [
+ "afm",
+ "em"
+ ],
+ "title": "Protocol SIP Log Profile",
+ "description": "Specifies, when enabled, that the system logs SIP protocol security events",
+ "properties": {
+ "publisher": {
+ "description": "Specifies the name of the log publisher used for logging SIP protocol security events",
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to log publisher declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Log_Publisher"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP log publisher",
+ "description": "Pathname of existing BIG-IP log publisher",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query sys log-config publisher"
+ },
+ "logDroppedRequests": {
+ "description": "Specifies, when enabled, that the system logs dropped requests",
+ "type": "boolean",
+ "default": false
+ },
+ "logGlobalFailures": {
+ "description": "Specifies, when enabled, that the system logs global failures",
+ "type": "boolean",
+ "default": false
+ },
+ "logMalformedRequests": {
+ "description": "Specifies, when enabled, that the system logs malformed requests",
+ "type": "boolean",
+ "default": false
+ },
+ "logRedirectedResponses": {
+ "description": "Specifies, when enabled, that the system logs redirection responses",
+ "type": "boolean",
+ "default": false
+ },
+ "logRequestFailures": {
+ "description": "Specifies, when enabled, that the system logs request failures",
+ "type": "boolean",
+ "default": false
+ },
+ "logServerErrors": {
+ "description": "Specifies, when enabled, that the system logs server errors",
+ "type": "boolean",
+ "default": false
+ },
+ "storageFormat": {
+ "description": "Specifies the format type for log messages",
+ "anyOf": [
+ {
+ "type": "string",
+ "minLength": 1
+ },
+ {
+ "type": "object",
+ "properties": {
+ "fields": {
+ "description": "Replaces a set of fields in the predefined storage format",
+ "type": "array",
+ "items": {
+ "type": "string",
+ "enum": [
+ "action",
+ "context-name",
+ "date-time",
+ "dest-ip",
+ "dest-port",
+ "sip-method-type",
+ "sip-caller",
+ "sip-callee",
+ "src-ip",
+ "src-port",
+ "vlan",
+ "route-domain"
+ ]
+ }
+ },
+ "delimiter": {
+ "description": "Specifies a field delimiter in the predefined storage format",
+ "type": "string",
+ "default": "."
+ }
+ },
+ "required": [
+ "fields"
+ ],
+ "additionalProperties": false
+ }
+ ]
+ }
+ },
+ "additionalProperties": false
+ },
+ "Security_Log_Profile_Protocol_Dns_Dos": {
+ "f5modules": [
+ "afm",
+ "em"
+ ],
+ "title": "Protocol DNS DoS Log Profile",
+ "description": "Specifies, when enabled, that the system logs detected DNS DoS attacks",
+ "properties": {
+ "publisher": {
+ "description": "Specifies the name of the log publisher used for logging DNS DoS events",
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to log publisher declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Log_Publisher"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP log publisher",
+ "description": "Pathname of existing BIG-IP log publisher",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query sys log-config publisher"
+ }
+ },
+ "additionalProperties": false
+ },
+ "Security_Log_Profile_Protocol_Transfer": {
+ "title": "Protocol Transfer Log Profile",
+ "description": "Specifies, when enabled, that the system logs HTTP, FTP, and SMTP protocol security events",
+ "properties": {
+ "publisher": {
+ "description": "Specifies where the system sends log messages",
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to log publisher declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Log_Publisher"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP log publisher",
+ "description": "Pathname of existing BIG-IP log publisher",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query sys log-config publisher"
+ }
+ },
+ "additionalProperties": false
+ },
+ "Security_Log_Profile_Ssh_Proxy": {
+ "f5modules": [
+ "afm",
+ "em"
+ ],
+ "title": "SSH Proxy Security Log Profile",
+ "description": "Specifies, when enabled, that the system logs SSH Proxy events",
+ "properties": {
+ "publisher": {
+ "description": "Specifies the name of the log publisher used for logging SSH Proxy events",
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to log publisher declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Log_Publisher"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP log publisher",
+ "description": "Pathname of existing BIG-IP log publisher",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query sys log-config publisher"
+ },
+ "logClientAuthFail": {
+ "description": "Specifies the name of the log publisher used for logging SSH Proxy events",
+ "type": "boolean",
+ "default": false
+ },
+ "logClientAuthSuccess": {
+ "description": "Specifies, when enabled, that the system logs client auth success events",
+ "type": "boolean",
+ "default": false
+ },
+ "logClientAuthPartial": {
+ "description": "Specifies, when enabled, that the system logs client auth partial events",
+ "type": "boolean",
+ "default": false
+ },
+ "logServerAuthFail": {
+ "description": "Specifies, when enabled, that the system logs server auth failure events",
+ "type": "boolean",
+ "default": false
+ },
+ "logServerAuthSuccess": {
+ "description": "Specifies, when enabled, that the system logs server auth failure events",
+ "type": "boolean",
+ "default": false
+ },
+ "logServerAuthPartial": {
+ "description": "Specifies, when enabled, that the system logs server auth partial events",
+ "type": "boolean",
+ "default": false
+ },
+ "logDisallowedChannelAction": {
+ "description": "Specifies, when enabled, that the system logs disallowed channel actions",
+ "type": "boolean",
+ "default": false
+ },
+ "logAllowedChannelAction": {
+ "description": "Specifies, when enabled, that the system logs allowed channel actions",
+ "type": "boolean",
+ "default": false
+ },
+ "logSshTimeout": {
+ "description": "Specifies, when enabled, that the system logs SSH timeouts",
+ "type": "boolean",
+ "default": false
+ },
+ "logNonSshTraffic": {
+ "description": "Specifies, when enabled, that the system logs non-SSH traffic events",
+ "type": "boolean",
+ "default": false
+ }
+ },
+ "additionalProperties": false
+ },
+ "Log_Publisher": {
+ "title": "Log Publisher",
+ "description": "Configures lists of destinations for the common logging interface",
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Log_Publisher"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "destinations": {
+ "description": "specify log destinations for this log publisher to use",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to log destination declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Log_Destination"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP remote high speed log",
+ "description": "Pathname of existing BIG-IP log destination",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "anyOf": [
+ {
+ "f5bigComponent": "query sys log-config destination alertd"
+ },
+ {
+ "f5bigComponent": "query sys log-config destination arcsight"
+ },
+ {
+ "f5bigComponent": "query sys log-config destination ipfix"
+ },
+ {
+ "f5bigComponent": "query sys log-config destination local-database"
+ },
+ {
+ "f5bigComponent": "query sys log-config destination local-syslog"
+ },
+ {
+ "f5bigComponent": "query sys log-config destination management-port"
+ },
+ {
+ "f5bigComponent": "query sys log-config destination remote-high-speed-log"
+ },
+ {
+ "f5bigComponent": "query sys log-config destination remote-syslog"
+ },
+ {
+ "f5bigComponent": "query sys log-config destination splunk"
+ }
+ ]
+ }
+ }
+ },
+ "required": [
+ "class",
+ "destinations"
+ ]
+ },
+ "Log_Destination": {
+ "title": "Log Destination",
+ "description": "Configures a log destination",
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Log_Destination"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "type": {
+ "description": "The type of the log destination",
+ "type": "string",
+ "enum": [
+ "remote-syslog",
+ "remote-high-speed-log"
+ ]
+ }
+ },
+ "required": [
+ "class",
+ "type"
+ ],
+ "if": {
+ "properties": {
+ "type": {
+ "const": "remote-syslog"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Log_Destination_Remote_Syslog"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "type": {
+ "const": "remote-high-speed-log"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Log_Destination_Remote_High_Speed_Log"
+ }
+ }
+ },
+ "Log_Destination_Remote_Syslog": {
+ "description": "Configures Remote Syslog destinations to format log messages into Syslog format and forward them to a Remote High-Speed Log destination",
+ "type": "object",
+ "properties": {
+ "format": {
+ "description": "Specifies the method to use to format the logs",
+ "type": "string",
+ "enum": [
+ "legacy-bigip",
+ "rfc3164",
+ "rfc5424"
+ ],
+ "default": "rfc3164"
+ },
+ "defaultFacility": {
+ "description": "Specifies the facility given to log messages received that do not already have a facility listed",
+ "type": "string",
+ "enum": [
+ "local0",
+ "local1",
+ "local2",
+ "local3",
+ "local4",
+ "local5",
+ "local6",
+ "local7"
+ ],
+ "default": "local0"
+ },
+ "defaultSeverity": {
+ "description": "Specifies the severity given to log messages received that do not already have a severity listed",
+ "type": "string",
+ "enum": [
+ "alert",
+ "crit",
+ "debug",
+ "emerg",
+ "err",
+ "info",
+ "notice",
+ "warn"
+ ],
+ "default": "info"
+ },
+ "remoteHighSpeedLog": {
+ "description": "Specifies a remote high-speed log destination, which the system uses to forward the logs to a pool of remote log servers",
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to remote high speed log declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Log_Destination"
+ },
+ "type": {
+ "const": "remote-high-speed-log"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP remote high speed log",
+ "description": "Pathname of existing BIG-IP remote high speed log",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query sys log-config destination remote-high-speed-log"
+ }
+ },
+ "required": [
+ "remoteHighSpeedLog"
+ ]
+ },
+ "Log_Destination_Remote_High_Speed_Log": {
+ "description": "Sends received messages to a specified pool",
+ "type": "object",
+ "properties": {
+ "distribution": {
+ "description": "Specifies the distribution method used to send messages to pool members",
+ "type": "string",
+ "enum": [
+ "adaptive",
+ "balanced",
+ "replicated"
+ ],
+ "default": "adaptive"
+ },
+ "protocol": {
+ "description": "Specifies the protocol for the system to use to send logs to the pool",
+ "type": "string",
+ "enum": [
+ "tcp",
+ "udp"
+ ],
+ "default": "tcp"
+ },
+ "pool": {
+ "description": "AS3 pointer to pool if any (declared separately)",
+ "title": "Pool",
+ "type": "object",
+ "properties": {
+ "use": {
+ "title": "Use",
+ "description": "AS3 pointer to pool declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Pool"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "title": "BIG-IP pool",
+ "description": "Pathname of existing BIG-IP pool",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm pool"
+ }
+ },
+ "required": [
+ "pool"
+ ]
+ },
+ "Endpoint_Policy_Rule": {
+ "title": "Rule",
+ "type": "object",
+ "properties": {
+ "name": {
+ "title": "Name",
+ "description": "Name of the endpoint policy rule",
+ "type": "string",
+ "format": "f5name"
+ },
+ "conditions": {
+ "title": "Conditions",
+ "description": "Specifies the conditions for the rule to apply",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/Policy_Condition"
+ },
+ "default": []
+ },
+ "actions": {
+ "title": "Actions",
+ "description": "Specifies the actions for the rule to execute",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/Policy_Action"
+ },
+ "default": []
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "name"
+ ]
+ },
+ "Endpoint_Policy": {
+ "title": "Endpoint policy",
+ "description": "Policy to manage connections based on metadata and content",
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Endpoint_Policy"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "rules": {
+ "title": "Rules",
+ "description": "List of policy rules, order is significant",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/Endpoint_Policy_Rule"
+ },
+ "minItems": 1
+ },
+ "strategy": {
+ "title": "Strategy",
+ "description": "Rule-matching strategy; value 'custom' means AS3 requires a custom strategy (default is best-match)",
+ "type": "string",
+ "enum": [
+ "all-match",
+ "best-match",
+ "first-match",
+ "custom"
+ ],
+ "default": "best-match"
+ },
+ "customStrategy": {
+ "title": "Custom strategy",
+ "description": "AS3 pointer to custom strategy declaration",
+ "if": {
+ "type": "string"
+ },
+ "then": {
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "const": "Endpoint_Strategy"
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "else": {
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "title": "BIG-IP LTM strategy",
+ "description": "Pathname of existing BIG-IP LTM strategy",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "required": [
+ "bigip"
+ ],
+ "f5bigComponent": "query ltm policy-strategy"
+ }
+ }
+ },
+ "additionalProperties": false,
+ "if": {
+ "properties": {
+ "strategy": {
+ "const": "custom"
+ }
+ }
+ },
+ "then": {
+ "required": [
+ "customStrategy"
+ ]
+ },
+ "required": [
+ "class"
+ ]
+ },
+ "Endpoint_Strategy": {
+ "title": "Endpoint strategy",
+ "description": "Strategy for evaluation of an Endpoint policy",
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Endpoint_Strategy"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "matchMethod": {
+ "title": "Match method",
+ "description": "Specifies the match method",
+ "type": "string",
+ "enum": [
+ "all-match",
+ "best-match",
+ "first-match"
+ ]
+ },
+ "operands": {
+ "title": "Operands",
+ "description": "Specifies the attribute for the rule to match. Sometimes this represents a specific value (for example, http-method or http-status), but frequently the operand needs a specific Selector to identify an instance (for example, http-header needs a Selectorname parameter).",
+ "type": "array",
+ "items": {
+ "title": "Operand",
+ "type": "string"
+ },
+ "minItems": 1
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "class",
+ "matchMethod"
+ ]
+ },
+ "Policy_Action": {
+ "type": "object",
+ "description": "LTM policy action",
+ "properties": {
+ "type": {
+ "description": "Selects the LTM policy action this object describes",
+ "type": "string",
+ "enum": [
+ "httpRedirect",
+ "waf",
+ "forward",
+ "drop"
+ ]
+ }
+ },
+ "if": {
+ "properties": {
+ "type": {
+ "const": "waf"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Policy_Action_WAF"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "type": {
+ "const": "forward"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Policy_Action_Forward"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "type": {
+ "const": "drop"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Policy_Action_Drop"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "type": {
+ "const": "httpRedirect"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Policy_Action_HTTP_Redirect"
+ }
+ }
+ }
+ },
+ "required": [
+ "type"
+ ]
+ },
+ "Policy_Action_WAF": {
+ "type": "object",
+ "description": "Control web security",
+ "properties": {
+ "event": {
+ "type": "string",
+ "description": "When to run this event in the request-response cycle",
+ "enum": [
+ "client-accepted",
+ "proxy-request",
+ "request"
+ ],
+ "default": "request"
+ },
+ "policy": {
+ "$ref": "#/definitions/Pointer_WAF_Policy"
+ }
+ },
+ "required": [
+ "policy"
+ ]
+ },
+ "Policy_Action_Drop": {
+ "type": "object",
+ "description": "Reset connection",
+ "properties": {
+ "event": {
+ "type": "string",
+ "description": "When to run this event in the request-response cycle",
+ "enum": [
+ "ssl-client-hello",
+ "request"
+ ],
+ "default": "ssl-client-hello"
+ }
+ }
+ },
+ "Policy_Action_Forward_Select": {
+ "description": "Select appropriate location for forwarding the connection based on specified parameters",
+ "type": "object",
+ "oneOf": [
+ {
+ "properties": {
+ "pool": {
+ "$ref": "#/definitions/Pointer_Pool"
+ }
+ },
+ "required": [
+ "pool"
+ ]
+ },
+ {
+ "properties": {
+ "service": {
+ "$ref": "#/definitions/Pointer_Service"
+ }
+ },
+ "required": [
+ "service"
+ ]
+ }
+ ]
+ },
+ "Policy_Action_Forward": {
+ "description": "Controls where the system forwards a connection",
+ "type": "object",
+ "allOf": [
+ {
+ "properties": {
+ "event": {
+ "type": "string",
+ "description": "When to run this event in the request-response cycle",
+ "enum": [
+ "ssl-client-hello",
+ "request"
+ ],
+ "default": "ssl-client-hello"
+ }
+ }
+ },
+ {
+ "oneOf": [
+ {
+ "properties": {
+ "select": {
+ "description": "Select appropriate location for forwarding the connection based on specified parameters",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Policy_Action_Forward_Select"
+ }
+ ]
+ }
+ },
+ "required": [
+ "select"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "Policy_Action_HTTP_Redirect": {
+ "type": "object",
+ "description": "Redirect an HTTP request to a different URL",
+ "properties": {
+ "event": {
+ "type": "string",
+ "description": "When to run this event in the request-response cycle",
+ "enum": [
+ "proxy-request",
+ "request",
+ "response"
+ ],
+ "default": "proxy-request"
+ },
+ "location": {
+ "description": "The new URL for which the system will send a redirect response; you can use a Tcl command substitution for this field",
+ "type": "string"
+ }
+ },
+ "required": [
+ "location"
+ ]
+ },
+ "Policy_Condition": {
+ "type": "object",
+ "description": "LTM policy condition",
+ "properties": {
+ "type": {
+ "description": "Selects the LTM policy condition this object describes",
+ "type": "string",
+ "enum": [
+ "httpHeader",
+ "httpUri"
+ ]
+ }
+ },
+ "if": {
+ "properties": {
+ "type": {
+ "const": "httpUri"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Policy_Condition_HTTP_URI"
+ },
+ "else": {
+ "if": {
+ "properties": {
+ "type": {
+ "const": "httpHeader"
+ }
+ }
+ },
+ "then": {
+ "$ref": "#/definitions/Policy_Condition_HTTP_Header"
+ }
+ },
+ "required": [
+ "type"
+ ]
+ },
+ "Policy_Condition_HTTP_URI": {
+ "description": "Inspect the URI on a request and match on various parts or the entire URI",
+ "type": "object",
+ "allOf": [
+ {
+ "properties": {
+ "event": {
+ "description": "When to evaluate this condition in the request-response cycle",
+ "type": "string",
+ "enum": [
+ "request"
+ ],
+ "default": "request"
+ }
+ }
+ },
+ {
+ "oneOf": [
+ {
+ "properties": {
+ "path": {
+ "description": "Match on the URI path",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Policy_Compare_String"
+ }
+ ]
+ },
+ "normalized": {
+ "description": "Normalizes the result to a canonical form to allow consistent comparisons",
+ "type": "boolean",
+ "default": "false"
+ }
+ },
+ "required": [
+ "path"
+ ]
+ },
+ {
+ "properties": {
+ "scheme": {
+ "description": "Match on the scheme (e.g. http, https, ftp, file)",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Policy_Compare_String"
+ }
+ ]
+ },
+ "normalized": {
+ "description": "Normalizes the result to a canonical form to allow consistent comparisons",
+ "type": "boolean",
+ "default": "false"
+ }
+ },
+ "required": [
+ "scheme"
+ ]
+ },
+ {
+ "properties": {
+ "host": {
+ "description": "Match on the hostname in the URI",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Policy_Compare_String"
+ }
+ ]
+ },
+ "normalized": {
+ "description": "Normalizes the result to a canonical form to allow consistent comparisons",
+ "type": "boolean",
+ "default": "false"
+ }
+ },
+ "required": [
+ "host"
+ ]
+ },
+ {
+ "properties": {
+ "port": {
+ "description": "Match on the port number in the URI",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Policy_Compare_Number"
+ }
+ ]
+ },
+ "normalized": {
+ "description": "Normalizes the result to a canonical form to allow consistent comparisons",
+ "type": "boolean",
+ "default": "false"
+ }
+ },
+ "required": [
+ "port"
+ ]
+ },
+ {
+ "properties": {
+ "extension": {
+ "description": "Match on the file extension in the URI (e.g. jpg, html, cgi)",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Policy_Compare_String"
+ }
+ ]
+ },
+ "normalized": {
+ "description": "Normalizes the result to a canonical form to allow consistent comparisons",
+ "type": "boolean",
+ "default": "false"
+ }
+ },
+ "required": [
+ "extension"
+ ]
+ },
+ {
+ "properties": {
+ "queryString": {
+ "description": "Match against text in the query string",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Policy_Compare_String"
+ }
+ ]
+ },
+ "normalized": {
+ "description": "Normalizes the result to a canonical form to allow consistent comparisons",
+ "type": "boolean",
+ "default": "false"
+ }
+ },
+ "required": [
+ "queryString"
+ ]
+ },
+ {
+ "properties": {
+ "queryParameter": {
+ "description": "Match value of the named query parameter from the query string",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Policy_Compare_String"
+ }
+ ]
+ },
+ "name": {
+ "description": "Specify the name of the particular query parameter whose value you want to use",
+ "type": "string"
+ },
+ "normalized": {
+ "description": "Normalizes the result to a canonical form to allow consistent comparisons",
+ "type": "boolean",
+ "default": "false"
+ }
+ },
+ "required": [
+ "queryParameter",
+ "name"
+ ]
+ },
+ {
+ "properties": {
+ "unnamedQueryParameter": {
+ "description": "Match the value of a query parameter by a numeric index instead of by name",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Policy_Compare_String"
+ }
+ ]
+ },
+ "index": {
+ "description": "The numeric order of the item whose value you want to use, start at 1; negative values indicate counting right to left",
+ "type": "integer",
+ "minimum": 1
+ },
+ "normalized": {
+ "description": "Normalizes the result to a canonical form to allow consistent comparisons",
+ "type": "boolean",
+ "default": "false"
+ }
+ },
+ "required": [
+ "unnamedQueryParameter",
+ "index"
+ ]
+ },
+ {
+ "properties": {
+ "pathSegment": {
+ "description": "Match a part of the URI path by a numeric index",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Policy_Compare_String"
+ }
+ ]
+ },
+ "index": {
+ "description": "The numeric order of the item whose value you want to use, start at 1; negative values indicate counting right to left",
+ "type": "integer",
+ "minimum": 1
+ },
+ "normalized": {
+ "description": "Normalizes the result to a canonical form to allow consistent comparisons",
+ "type": "boolean",
+ "default": "false"
+ }
+ },
+ "required": [
+ "pathSegment",
+ "index"
+ ]
+ },
+ {
+ "properties": {
+ "all": {
+ "description": "Match on the full URI",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Policy_Compare_String"
+ }
+ ]
+ },
+ "normalized": {
+ "description": "Normalizes the result to a canonical form to allow consistent comparisons",
+ "type": "boolean",
+ "default": "false"
+ }
+ },
+ "required": [
+ "all"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "Policy_Condition_HTTP_Header": {
+ "description": "Match against any HTTP header",
+ "type": "object",
+ "allOf": [
+ {
+ "properties": {
+ "event": {
+ "description": "When to evaluate this condition in the request-response cycle",
+ "type": "string",
+ "enum": [
+ "proxy-request",
+ "request",
+ "proxy-connect",
+ "proxy-response",
+ "response"
+ ],
+ "default": "proxy-request"
+ }
+ }
+ },
+ {
+ "oneOf": [
+ {
+ "properties": {
+ "all": {
+ "description": "Match on the full HTTP header",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Policy_Compare_String"
+ }
+ ]
+ },
+ "name": {
+ "description": "Specify the name of the particular HTTP header whose value you want to use",
+ "type": "string"
+ }
+ },
+ "required": [
+ "all"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "Policy_Compare_String": {
+ "description": "Perform a comparison against string values",
+ "type": "object",
+ "properties": {
+ "operand": {
+ "description": "Specifies the comparison that the system should perform with values",
+ "type": "string",
+ "enum": [
+ "equals",
+ "starts-with",
+ "ends-with",
+ "contains"
+ ],
+ "default": "equals"
+ },
+ "values": {
+ "description": "A list of strings to do comparisons against",
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "minItems": 1
+ },
+ "caseSensitive": {
+ "description": "Specifies if the comparison the system should perform with case sensitivity",
+ "type": "boolean",
+ "default": false
+ }
+ },
+ "required": [
+ "values"
+ ],
+ "additionalProperties": false
+ },
+ "Policy_Compare_Number": {
+ "description": "Perform a comparison against number values",
+ "type": "object",
+ "properties": {
+ "operand": {
+ "description": "Specifies the comparison that the system should perform with values",
+ "type": "string",
+ "enum": [
+ "equals",
+ "less",
+ "greater",
+ "less-or-equal",
+ "greater-or-equal"
+ ],
+ "default": "equals"
+ },
+ "values": {
+ "description": "A list of numbers to do comparisons against",
+ "type": "array",
+ "items": {
+ "type": "integer"
+ },
+ "minItems": 1
+ }
+ },
+ "required": [
+ "values"
+ ],
+ "additionalProperties": false
+ },
+ "Bandwidth_Control_Policy": {
+ "description": "Create a listener to specify how to handle traffic for policy enforcement",
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Bandwidth_Control_Policy"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "dynamicControlEnabled": {
+ "description": "Specifies whether the policy is a static or dynamic policy. When enabled, the policy is dynamic, and additional settings are available. A dynamic policy enforces the specified maximum user rate and flow fairness for all traffic associated with the policy and for each session. The default is disabled, which indicates a static policy. A static policy enforces the maximum rate for combined traffic and does not guarantee fairness bandwidth for each session.",
+ "type": "boolean",
+ "default": false
+ },
+ "maxBandwidth": {
+ "description": "Specifies the maximum amount of bandwidth that traffic associated with the bandwidth control policy can use. The range is from 1 Mbps to 320 Gbps (between 1000000 bps and 320000000000 bps.",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 18446744073709552000
+ },
+ "maxBandwidthUnit": {
+ "description": "Specifies the units used by the maxBandwidth property",
+ "type": "string",
+ "enum": [
+ "bps",
+ "Kbps",
+ "Mbps",
+ "Gbps"
+ ],
+ "default": "Mbps"
+ },
+ "maxUserBandwidth": {
+ "description": "Specifies the maximum amount of bandwidth that each session associated with the bandwidth control policy can use. The range is from 5 Kbps to 2 Gbps. Note: For FTP traffic, the throughput is roughly half of this setting, because the FTP protocol creates two connections per user: a control connection and a data connection.",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 18446744073709552000,
+ "default": 0
+ },
+ "maxUserBandwidthUnit": {
+ "description": "Specifies the units used by the maxUserBandwidth property",
+ "type": "string",
+ "enum": [
+ "bps",
+ "Kbps",
+ "Mbps",
+ "Gbps"
+ ],
+ "default": "Mbps"
+ },
+ "maxUserPPS": {
+ "description": "Specifies the limiter in packets per second that traffic is allowed per instance. It functions as a DoS limiter without fair share allocation. The system applies whichever value is lower, between this value and the specified Maximum Rate Per User. When both values are specified, both must pass for packets to go through. You can specify the rate in packets per second (PPS), kilo packets per second (KPPS), mega packets per second (MPPS), or giga packets per second (GPPS). 
The default value is 0 (not configured).", + "type": "integer", + "minimum": 0, + "maximum": 18446744073709552000, + "default": 0 + }, + "maxUserPPSUnit": { + "description": "Specifies the units used by the maxUserBandwidthPPS property", + "type": "string", + "enum": [ + "bpps", + "Kpps", + "Mpps", + "Gpps" + ], + "default": "Mpps" + }, + "loggingEnabled": { + "description": "Specifies whether the system measures bandwidth on all future instances of this bandwidth control policy. When enabled, the system measures bandwidth and sends it to the log publisher specified by the logPublisher setting. You can override this setting using iRules. For example, if you want measurement on only some instances, keep this setting disabled, and use iRules to enable measurement on specific instances.", + "type": "boolean", + "default": false + }, + "logPublisher": { + "$ref": "#/definitions/Pointer_Log_Publisher" + }, + "logPeriod": { + "description": "Specifies the frequency, in milliseconds, with which the system generates bandwidth measurement logs", + "type": "integer", + "minimum": 0, + "maximum": 18446744073709552000, + "default": 2048 + }, + "markIP": { + "description": "Specifies whether to mark traffic that exceeds the per-user limit by setting a Type of Service (ToS) bit in the IP headers of TCP packets associated with this bandwidth control policy. The default value is \"pass-through\", which means there is no change to the ToS bit. To set a ToS bit use a value from 0 to 63. 
If this setting is specified, the bandwidth policy is not enforced, but rather the packets are marked for a downstream system to process.", + "if": { + "type": "string" + }, + "then": { + "const": "pass-through" + }, + "else": { + "type": "integer", + "minimum": 0, + "maximum": 63 + }, + "default": "pass-through" + }, + "markL2": { + "description": "Specifies whether to mark traffic that exceeds the per-user limit by setting a Quality of Service (QoS) bit in the L2 headers of packets associated with this bandwidth control policy. The default value is \"pass-through\", which means there is no change to the QoS bit. To set a QoS bit use a value from 0 to 7. If this setting is specified, the bandwidth policy is not enforced, but rather the packets are marked for a downstream system to process.", + "if": { + "type": "string" + }, + "then": { + "const": "pass-through" + }, + "else": { + "type": "integer", + "minimum": 0, + "maximum": 7 + }, + "default": "pass-through" + }, + "categories": { + "description": "This specifies the categories under policy. Note: policy need to be enabled as dynamic to configure categories. Up to a maximum of 32 categories can be configured. 
All the categories under the dynamic policy share the bandwidth as specified for the category, up to a maximum of maxUserBandwidth.", + "additionalProperties": { + "$ref": "#/definitions/Bandwidth_Control_Policy_Category" + } + } + }, + "required": [ + "class", + "maxBandwidth" + ], + "if": { + "properties": { + "dynamicControlEnabled": { + "const": true + } + } + }, + "then": { + "required": [ + "maxUserBandwidth" + ] + }, + "additionalProperties": false + }, + "Bandwidth_Control_Policy_Category": { + "description": "Create a listener to specify how to handle traffic for policy enforcement", + "type": "object", + "properties": { + "remark": { + "$ref": "#/definitions/Remark" + }, + "maxBandwidth": { + "description": "Specifies the maximum bandwidth that this category of traffic can use when associated with this bandwidth control policy. The range is from 5 kbps to the value set for Maximum Rate Per User.", + "type": "integer", + "minimum": 0, + "maximum": 18446744073709552000 + }, + "maxBandwidthUnit": { + "description": "Specifies the units used by the maxBandwidth property", + "type": "string", + "enum": [ + "bps", + "Kbps", + "Mbps", + "Gbps", + "%" + ], + "default": "Mbps" + }, + "markIP": { + "description": "Specifies whether to mark traffic that exceeds the per-user limit by setting a Type of Service (ToS) bit in the IP headers of TCP packets associated with this bandwidth control policy. The default value is \"pass-through\", which means there is no change to the ToS bit. To set a ToS bit use a value from 0 to 63. 
If this setting is specified, the bandwidth policy is not enforced, but rather the packets are marked for a downstream system to process.", + "if": { + "type": "string" + }, + "then": { + "const": "pass-through" + }, + "else": { + "type": "integer", + "minimum": 0, + "maximum": 63 + }, + "default": "pass-through" + }, + "markL2": { + "description": "Specifies whether to mark traffic that exceeds the per-user limit by setting a Quality of Service (QoS) bit in the L2 headers of packets associated with this bandwidth control policy. The default value is \"pass-through\", which means there is no change to the QoS bit. To set a QoS bit use a value from 0 to 7. If this setting is specified, the bandwidth policy is not enforced, but rather the packets are marked for a downstream system to process.", + "if": { + "type": "string" + }, + "then": { + "const": "pass-through" + }, + "else": { + "type": "integer", + "minimum": 0, + "maximum": 7 + }, + "default": "pass-through" + } + }, + "required": [ + "maxBandwidth" + ], + "additionalProperties": false + }, + "Enforcement_Policy": { + "description": "Configures policies for the Policy Enforcement Manager (PEM)", + "f5modules": [ + "pem" + ], + "type": "object", + "properties": { + "class": { + "title": "Class", + "type": "string", + "const": "Enforcement_Policy" + }, + "label": { + "$ref": "#/definitions/Label" + }, + "remark": { + "$ref": "#/definitions/Remark" + }, + "enable": { + "description": "Specifies the current status of the policy", + "type": "boolean", + "default": true + }, + "allTransactions": { + "description": "Specifies, when set to true, that the system enables policy enforcement for each http transaction. 
When set to false, the system allows only policy enforcement of the first http transaction.", + "type": "boolean", + "default": false + }, + "rules": { + "description": "Enforcement policy rules", + "type": "array", + "items": { + "$ref": "#/definitions/Enforcement_Rule" + } + } + }, + "required": [ + "class" + ], + "additionalProperties": false + }, + "Enforcement_Rule": { + "description": "A rule to match traffic flows and apply actions", + "type": "object", + "properties": { + "dscpMarkingDownlink": { + "description": "Specifies whether to set DSCP bits in the IP header of outgoing traffic to the subscriber", + "if": { + "type": "string" + }, + "then": { + "const": "pass-through" + }, + "else": { + "type": "integer", + "minimum": 0, + "maximum": 63 + }, + "default": "pass-through" + }, + "dscpMarkingUplink": { + "description": "Specifies whether to set DSCP bits in the IP header of outgoing traffic to the network", + "if": { + "type": "string" + }, + "then": { + "const": "pass-through" + }, + "else": { + "type": "integer", + "minimum": 0, + "maximum": 63 + }, + "default": "pass-through" + }, + "gateStatusEnabled": { + "description": "Specifies, when set to true, that the traffic can pass through the system without being changed. Select false to drop traffic that this rule applies to.", + "type": "boolean", + "default": true + }, + "interceptionEndpoint": { + "$ref": "#/definitions/Pointer_Enforcement_Interception_Endpoint" + }, + "iRule": { + "$ref": "#/definitions/Pointer_Enforcement_iRule" + }, + "l2MarkingDownlink": { + "description": "Set Layer-2 Quality of Service Marking in downlink traffic that matches a rule. Setting a L2 QoS Marking affects the packet delivery priority. The range is 0 to 7, or pass-through. 
The default value is pass-through, indicating the L2 QoS Marking of the packet will not be changed when the packet matches the rule.", + "if": { + "type": "string" + }, + "then": { + "const": "pass-through" + }, + "else": { + "type": "integer", + "minimum": 0, + "maximum": 7 + }, + "default": "pass-through" + }, + "l2MarkingUplink": { + "description": "Set Layer-2 Quality of Service Marking in uplink traffic that matches a rule. Setting a L2 QoS marking affects the packet delivery priority. The range is 0 to 7, or pass-through. The default value is pass-through, indicating the L2 QoS Marking of the packet will not be changed when the packet matches the rule.", + "if": { + "type": "string" + }, + "then": { + "const": "pass-through" + }, + "else": { + "type": "integer", + "minimum": 0, + "maximum": 7 + }, + "default": "pass-through" + }, + "name": { + "description": "The name of the policy rule.", + "type": "string" + }, + "precedence": { + "description": "Specifies an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence (lower numbers) are evaluated before other rules with lower precedence (higher numbers).", + "type": "integer", + "minimum": 1, + "maximum": 4294967295 + }, + "qosBandwidthControllerUplink": { + "$ref": "#/definitions/Enforcement_Rule_QOS" + }, + "qosBandwidthControllerDownlink": { + "$ref": "#/definitions/Enforcement_Rule_QOS" + }, + "serviceChain": { + "$ref": "#/definitions/Pointer_Enforcement_Service_Chain_Endpoint" + }, + "tclFilter": { + "description": "Specifies the tcl expression which uses iRule commands to filter the packet. 
It is a match if tclFilter returns TRUE/1 or nomatch if FALSE/0.", + "type": "string" + }, + "tcpAnalyticsEnabled": { + "description": "Specifies the action to enable tcp analytics when the traffic flow matches the rule matching criteria", + "type": "boolean", + "default": false + }, + "tcpOptimizationDownlink": { + "$ref": "#/definitions/Pointer_TCP_Profile" + }, + "tcpOptimizationUplink": { + "$ref": "#/definitions/Pointer_TCP_Profile" + }, + "classificationFilters": { + "description": "Classification filters to apply to the traffic", + "type": "array", + "items": { + "$ref": "#/definitions/Enforcement_Rule_Classification_Filter" + } + }, + "DTOSTethering": { + "allOf": [ + { + "$ref": "#/definitions/Enforcement_Rule_DTOS_Tethering" + } + ], + "default": {} + }, + "flowInfoFilters": { + "description": "Flow information filters to apply to the traffic", + "type": "array", + "items": { + "$ref": "#/definitions/Enforcement_Rule_Flow_Filter" + } + }, + "forwarding": { + "$ref": "#/definitions/Enforcement_Rule_Forwarding" + }, + "insertContent": { + "$ref": "#/definitions/Enforcement_Rule_Insert_Content" + }, + "modifyHttpHeader": { + "$ref": "#/definitions/Enforcement_Rule_Modify_HTTP_Header" + }, + "qoeReporting": { + "$ref": "#/definitions/Enforcement_Rule_Report_Destination_HSL" + }, + "quota": { + "$ref": "#/definitions/Enforcement_Rule_Quota" + }, + "ranCongestion": { + "$ref": "#/definitions/Enforcement_Rule_Ran_Congestion" + }, + "usageReporting": { + "$ref": "#/definitions/Enforcement_Rule_Usage_Reporting" + }, + "urlCategorizationFilters": { + "description": "URL categorization filters to apply to the traffic", + "type": "array", + "items": { + "$ref": "#/definitions/Enforcement_Rule_URL_Categorization_Filter" + } + } + }, + "required": [ + "name", + "precedence" + ], + "additionalProperties": false + }, + "Enforcement_Rule_QOS": { + "description": "Specifies a previously configured bandwidth control policy to apply to traffic that matches this rule", + 
"type": "object", + "properties": { + "policy": { + "$ref": "#/definitions/Pointer_Bandwidth_Control_Policy" + }, + "category": { + "description": "Specifies a category of traffic within the bandwidth control policy to which to apply the rule. This option provides more specific rate control to a certain type of traffic. The category must be defined in the selected bandwidth control policy.", + "type": "string" + } + }, + "required": [ + "policy" + ], + "additionalProperties": false + }, + "Enforcement_Rule_DTOS_Tethering": { + "description": "Specifies options for device type, operating system, and tethering detection", + "properties": { + "detectDtos": { + "description": "Specifies the detection of the subscriber's device and the operating system", + "type": "boolean", + "default": false + }, + "detectTethering": { + "description": "Specifies if you want to enable detection of tethering", + "type": "boolean", + "default": false + }, + "reportDestinationHsl": { + "$ref": "#/definitions/Enforcement_Rule_Report_Destination_HSL" + } + }, + "required": [], + "additionalProperties": false + }, + "Enforcement_Rule_Report_Destination_HSL": { + "description": "Specifies report destination and format", + "properties": { + "highSpeedLogPublisher": { + "$ref": "#/definitions/Pointer_Log_Publisher" + }, + "formatScript": { + "$ref": "#/definitions/Pointer_Enforcement_Format_Script" + } + }, + "required": [], + "additionalProperties": false + }, + "Enforcement_Rule_Forwarding_ICAP": { + "description": "Specifies that the flow forwards to the ICAP virtual server", + "properties": { + "icapType": { + "description": "Specifies the ICAP adaptation type", + "type": "string", + "enum": [ + "request", + "response", + "both" + ] + }, + "icapService": { + "description": "ICAP service to route to", + "allOf": [ + { + "$ref": "#/definitions/Pointer_Service" + } + ] + } + }, + "required": [ + "icapType", + "icapService" + ] + }, + "Enforcement_Rule_Forwarding_Endpoint": { + "description": 
"Specifies that the flow steers to a different destination", + "properties": { + "endpoint": { + "$ref": "#/definitions/Pointer_Enforcement_Forwarding_Endpoint" + } + }, + "required": [ + "endpoint" + ] + }, + "Enforcement_Rule_Forwarding_Route_To_Network": { + "description": "Specifies that the system forwards the flow to the default destination", + "properties": {}, + "required": [] + }, + "Enforcement_Rule_Forwarding_HTTP": { + "description": "Specifies that traffic affected by this rule should be redirected to the specified URL", + "properties": { + "redirectUrl": { + "description": "Specifies that traffic affected by this rule should be redirected to the specified URL", + "type": "string" + } + }, + "required": [ + "redirectUrl" + ] + }, + "Enforcement_Rule_Forwarding": { + "description": "Manages the forwarding action and its attributes", + "properties": { + "type": { + "description": "Specifies the type of forwarding action", + "type": "string", + "enum": [ + "icap", + "endpoint", + "route-to-network", + "http" + ] + }, + "fallbackAction": { + "description": "Specifies if the connection can remain unchanged or should be dropped if the forwarding action fails for any reason", + "type": "string", + "enum": [ + "continue", + "drop" + ], + "default": "drop" + } + }, + "allOf": [ + { + "if": { + "properties": { + "type": { + "const": "icap" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Rule_Forwarding_ICAP" + } + }, + { + "if": { + "properties": { + "type": { + "const": "endpoint" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Rule_Forwarding_Endpoint" + } + }, + { + "if": { + "properties": { + "type": { + "const": "route-to-network" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Rule_Forwarding_Route_To_Network" + } + }, + { + "if": { + "properties": { + "type": { + "const": "http" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Rule_Forwarding_HTTP" + } + } + ], + "required": [ + "type" + ] + }, + 
"Enforcement_Rule_Insert_Content": { + "description": "Specifies the action to insert content into the webpage", + "properties": { + "duration": { + "description": "Specifies the periodicity of the insert action in seconds", + "type": "integer", + "minimum": 1, + "maximum": 4294967295 + }, + "frequency": { + "description": "Specifies the number of content insertion actions per transaction", + "type": "string", + "enum": [ + "always", + "once", + "once-every" + ], + "default": "always" + }, + "position": { + "description": "Specifies position with respect to the configured tagName", + "type": "string", + "enum": [ + "append", + "prepend" + ], + "default": "append" + }, + "tagName": { + "description": "Specifies the tag name to which the content is either appended or prepended", + "type": "string" + }, + "valueContent": { + "description": "Specifies the value content to be inserted into the webpage", + "type": "string" + }, + "valueType": { + "description": "Specifies the type of content format used in the valueContent option", + "type": "string", + "enum": [ + "string", + "tcl-snippet" + ], + "default": "string" + } + }, + "if": { + "properties": { + "frequency": { + "const": "once-every" + } + } + }, + "then": { + "required": [ + "duration" + ] + }, + "dependencies": { + "duration": { + "properties": { + "frequency": { + "const": "once-every" + } + } + }, + "tagName": { + "required": [ + "valueContent" + ] + }, + "valueContent": { + "required": [ + "tagName" + ] + } + }, + "required": [], + "additionalProperties": false + }, + "Enforcement_Rule_Modify_HTTP_Header": { + "description": "Specifies the action to modify the HTTP header when the traffic flow matches the rule matching criteria", + "properties": { + "headerName": { + "description": "Specifies the HTTP header name used by the operation option to modify the HTTP header", + "type": "string" + }, + "operation": { + "description": "Specifies the operation used to modify the HTTP header", + "type": "string", + 
"enum": [ + "insert", + "remove" + ] + }, + "valueContent": { + "description": "Specifies the HTTP header value content used by the insert operation to modify the HTTP header", + "type": "string" + }, + "valueType": { + "description": "Specifies the type of content format used in the valueContent option", + "type": "string", + "enum": [ + "string", + "tcl-snippet" + ], + "default": "string" + } + }, + "dependencies": { + "valueContent": { + "properties": { + "operation": { + "const": "insert" + } + } + }, + "valueType": { + "properties": { + "operation": { + "const": "insert" + } + } + } + }, + "if": { + "properties": { + "operation": { + "const": "insert" + } + } + }, + "then": { + "required": [ + "valueContent" + ] + }, + "required": [ + "headerName", + "operation" + ], + "additionalProperties": false + }, + "Enforcement_Rule_Quota": { + "description": "Specify quota management options", + "properties": { + "ratingGroup": { + "$ref": "#/definitions/Pointer_Enforcement_Rating_Group" + }, + "reportingLevel": { + "description": "Specifies the quota reporting level", + "type": "string", + "enum": [ + "rating-group", + "service-id" + ], + "default": "rating-group" + } + }, + "dependencies": { + "ratingGroup": { + "properties": { + "reportingLevel": { + "const": "rating-group" + } + } + } + }, + "required": [], + "additionalProperties": false + }, + "Enforcement_Rule_Ran_Congestion": { + "description": "Detect congestion in the Radio Access Network", + "properties": { + "threshold": { + "description": "Specifies lower threshold bandwidth (in kbps) for a sesion to be marked as congested", + "type": "integer", + "minimum": 0, + "maximum": 2147483647, + "default": 1000 + }, + "reportDestinationHsl": { + "$ref": "#/definitions/Enforcement_Rule_Report_Destination_HSL" + } + }, + "required": [], + "additionalProperties": false + }, + "Enforcement_Rule_Usage_Reporting": { + "description": "Send reporting data concerning traffic affected by this rule to either an external 
analytics system or to a PCRF over a Gx interface", + "properties": { + "destination": { + "description": "Specifies where to send the usage monitoring data", + "type": "string", + "enum": [ + "gx", + "sd", + "hsl", + "radius-accounting" + ] + }, + "granularity": { + "description": "Specifies the type of reporting will be generated when the policy applies", + "type": "string", + "enum": [ + "flow", + "session", + "transaction" + ], + "default": "session" + }, + "interval": { + "description": "Specifies the time interval in seconds the report will be generated. A value of 0 indicates this feature is disabled.", + "type": "integer", + "minimum": 0, + "default": 0 + }, + "volume": { + "$ref": "#/definitions/Enforcement_Rule_Usage_Reporting_Volume" + }, + "transaction": { + "$ref": "#/definitions/Enforcement_Rule_Usage_Reporting_Transaction" + } + }, + "allOf": [ + { + "if": { + "properties": { + "destination": { + "const": "gx" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Rule_Usage_Gx" + } + }, + { + "if": { + "properties": { + "destination": { + "const": "sd" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Rule_Usage_Sd" + } + }, + { + "if": { + "properties": { + "destination": { + "const": "hsl" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Rule_Usage_Hsl" + } + }, + { + "if": { + "properties": { + "destination": { + "const": "radius-accounting" + } + } + }, + "then": { + "$ref": "#/definitions/Enforcement_Rule_Usage_Radius" + } + }, + { + "if": { + "properties": { + "destination": { + "enum": [ + "gx", + "sd", + "radius-accounting" + ] + } + } + }, + "then": { + "properties": { + "granularity": { + "const": "session" + } + } + } + }, + { + "if": { + "properties": { + "destination": { + "enum": [ + "gx", + "sd" + ] + } + } + }, + "then": { + "properties": { + "interval": { + "const": 0 + } + } + } + }, + { + "if": { + "properties": { + "destination": { + "enum": [ + "hsl", + "radius-accounting" + ] + }, + 
"granularity": { + "enum": [ + "flow", + "session" + ] + } + } + }, + "then": { + "anyOf": [ + { + "properties": { + "interval": { + "minimum": 1 + } + }, + "required": [ + "interval" + ] + }, + { + "required": [ + "volume" + ] + } + ] + } + }, + { + "if": { + "properties": { + "destination": { + "const": "hsl" + }, + "granularity": { + "const": "transaction" + } + } + }, + "then": { + "properties": { + "interval": { + "const": 0 + } + } + } + } + ], + "dependencies": { + "transaction": { + "properties": { + "granularity": { + "const": "transaction" + } + } + } + }, + "required": [ + "destination" + ] + }, + "Enforcement_Rule_Usage_Reporting_Volume": { + "description": "Configures volume threshold settings", + "properties": { + "downlink": { + "description": "Send reporting data if the number of octets to the client exceeds the threshold. A value of 0 indicates this feature is disabled.", + "type": "integer", + "minimum": 0, + "default": 0 + }, + "total": { + "description": "Send reporting data if the total number of octets both to and from the client exceeds the threshold. A value of 0 indicates this feature is disabled.", + "type": "integer", + "minimum": 0, + "default": 0 + }, + "uplink": { + "description": "Send reporting data if the number of octets from the client exceeds the threshold. 
A value of 0 indicates this feature is disabled.", + "type": "integer", + "minimum": 0, + "default": 0 + } + }, + "required": [], + "additionalProperties": false + }, + "Enforcement_Rule_Usage_Reporting_Transaction": { + "description": "Specifies policy enforcement configuration on transaction report for each HTTP transaction", + "properties": { + "hostname": { + "description": "Specifies the maximum HTTP hostname string length option to include in the HTTP transaction report", + "type": "integer", + "minimum": 0, + "maximum": 65535, + "default": 0 + }, + "uri": { + "description": "Specifies the maximum HTTP URI string length option to include in the HTTP transaction report", + "type": "integer", + "minimum": 0, + "maximum": 65535, + "default": 256 + }, + "userAgent": { + "description": "Specifies the maximum HTTP user agent string length to include in the HTTP transaction report", + "type": "integer", + "minimum": 0, + "maximum": 65535, + "default": 0 + } + }, + "required": [], + "additionalProperties": false + }, + "Enforcement_Rule_Usage_Gx": { + "description": "Sends usage monitoring data to a PCRF over a Gx interface", + "properties": { + "applicationReportingEnabled": { + "description": "Report APPLICATION_START and APPLICATION_END Event-Triggers when the application start/stop is detected", + "type": "boolean", + "default": false + }, + "monitoringKey": { + "description": "Specifies a string to use for usage monitoring indicating the portion of traffic that is accounted for in this dynamic policy and charging control (PCC) rule", + "type": "string" + } + }, + "required": [] + }, + "Enforcement_Rule_Usage_Sd": { + "description": "Sends usage monitoring data to a PCRF over a Sd interface", + "properties": { + "applicationReportingEnabled": { + "description": "Report APPLICATION_START and APPLICATION_END Event-Triggers when the application start/stop is detected", + "type": "boolean", + "default": false + }, + "monitoringKey": { + "description": "Specifies a 
string to use for usage monitoring indicating the portion of traffic that is accounted for in this dynamic policy and charging control (PCC) rule", + "type": "string" + } + }, + "required": [ + "monitoringKey" + ] + }, + "Enforcement_Rule_Usage_Hsl": { + "description": "Sends reporting data to remote HSL servers", + "properties": { + "publisher": { + "$ref": "#/definitions/Pointer_Log_Publisher" + }, + "formatScript": { + "$ref": "#/definitions/Pointer_Enforcement_Format_Script" + }, + "sessionReportingFields": { + "description": "Specifies the session fields and their order based on which messages should be published", + "type": "array", + "items": { + "type": "string", + "enum": [ + "3gpp-parameters", + "application-id", + "called-station-id", + "calling-station-id", + "concurrent-flows", + "downlink-volume", + "duration-seconds", + "last-record-sent", + "new-flows", + "observation-time-seconds", + "record-reason", + "record-type", + "report-id", + "report-version", + "subscriber-id", + "subscriber-id-type", + "successful-transactions", + "terminated-flows", + "timestamp-msec", + "total-transactions", + "uplink-volume" + ] + } + }, + "flowReportingFields": { + "description": "Specifies the flow fields and their order based on which messages should be published", + "type": "array", + "items": { + "type": "string", + "enum": [ + "application-id", + "destination-ip", + "destination-transport-port", + "downlink-volume", + "flow-end-milli-seconds", + "flow-end-seconds", + "flow-start-milli-seconds", + "flow-start-seconds", + "observation-time-seconds", + "protocol-identifier", + "record-type", + "report-id", + "report-version", + "route-domain", + "source-ip", + "source-transport-port", + "subscriber-id", + "subscriber-id-type", + "timestamp-msec", + "total-transactions", + "uplink-volume", + "url-category-id", + "vlan-id" + ] + } + }, + "transactionReportingFields": { + "description": "Specifies the transaction fields and their order based on which messages should be 
published", + "type": "array", + "items": { + "type": "string", + "enum": [ + "application-id", + "destination-ip", + "destination-transport-port", + "downlink-volume", + "http-hostname", + "http-hostname-truncated", + "http-response-code", + "http-url", + "http-url-truncated", + "http-user-agent", + "http-user-agent-truncated", + "protocol-identifier", + "record-type", + "report-id", + "report-version", + "route-domain", + "skipped-transactions", + "source-ip", + "source-transport-port", + "subscriber-id", + "subscriber-id-type", + "transaction-classification-result", + "transaction-end-milli-seconds", + "transaction-end-seconds", + "transaction-number", + "transaction-start-milli-seconds", + "transaction-start-seconds", + "uplink-volume", + "url-category-id", + "vlan-id" + ] + } + } + }, + "required": [ + "publisher" + ] + }, + "Enforcement_Rule_Usage_Radius": { + "description": "Specifies a RADIUS internal virtual server as a reporting destination", + "properties": { + "radiusAAAService": { + "$ref": "#/definitions/Pointer_Service" + } + }, + "required": [ + "radiusAAAService" + ] + }, + "Enforcement_Rule_Classification_Filter": { + "description": "Defines the category or application (Layer 7) conditions that the traffic must meet (or not meet) for this enforcement policy rule to apply", + "properties": { + "application": { + "$ref": "#/definitions/Pointer_Classification_Application" + }, + "category": { + "$ref": "#/definitions/Pointer_Classification_Category" + }, + "invertMatch": { + "description": "Specifies that a traffic flow should not match the condition", + "type": "boolean", + "default": false + }, + "name": { + "description": "The name of the classification filter.", + "type": "string" + } + }, + "required": [ + "name" + ], + "oneOf": [ + { + "required": [ + "application" + ] + }, + { + "required": [ + "category" + ] + } + ], + "additionalProperties": false + }, + "Enforcement_Rule_URL_Categorization_Filter": { + "description": "Defines the category 
of URL, which provides information about the content type requested by the subscriber",
+ "properties": {
+ "category": {
+ "description": "Specifies which type of URL category you want the rule to affect",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Pointer_Classification_Category"
+ }
+ ]
+ },
+ "invertMatch": {
+ "description": "Specifies that a traffic flow should not match the condition",
+ "type": "boolean",
+ "default": false
+ },
+ "name": {
+ "description": "The name of the URL categorization filter.",
+ "type": "string"
+ }
+ },
+ "required": [
+ "name",
+ "category"
+ ],
+ "additionalProperties": false
+ },
+ "Enforcement_Rule_Flow_Filter": {
+ "description": "Defines the flow conditions (Layer 4) that the traffic must meet (or not meet) for this enforcement policy rule to apply",
+ "properties": {
+ "name": {
+ "description": "The name of the flow filter.",
+ "type": "string"
+ },
+ "invertMatch": {
+ "description": "Specifies that a traffic flow should not match the condition",
+ "type": "boolean",
+ "default": false
+ },
+ "dscpMarking": {
+ "description": "Matches incoming traffic based on a value in the DSCP field in the IP header",
+ "oneOf": [
+ {
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 63
+ },
+ {
+ "type": "string",
+ "const": "disabled"
+ }
+ ],
+ "default": "disabled"
+ },
+ "destinationAddress": {
+ "description": "Matches traffic going to a destination address or network",
+ "type": "string",
+ "default": "0.0.0.0/0"
+ },
+ "destinationPort": {
+ "description": "Matches traffic headed to a destination port",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 65535,
+ "default": 0
+ },
+ "sourceVlan": {
+ "description": "Matches incoming traffic from a VLAN",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Pointer_VLAN"
+ }
+ ]
+ },
+ "sourceAddress": {
+ "description": "Matches traffic coming from a source address or network",
+ "type": "string",
+ "default": "0.0.0.0/32"
+ },
+ "sourcePort": {
+ "description": "Matches traffic coming from 
a source port",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 65535,
+ "default": 0
+ },
+ "protocol": {
+ "description": "Specifies the protocol of the traffic to which the rule applies",
+ "type": "string",
+ "enum": [
+ "any",
+ "tcp",
+ "udp"
+ ],
+ "default": "any"
+ },
+ "ipAddressType": {
+ "description": "Specifies the IP address type that this rule applies to",
+ "type": "string",
+ "enum": [
+ "any",
+ "ipv4",
+ "ipv6"
+ ],
+ "default": "any"
+ }
+ },
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false
+ },
+ "Enforcement_Diameter_Endpoint_Profile": {
+ "description": "Create a listener to specify how to handle traffic for policy enforcement",
+ "f5modules": [
+ "pem"
+ ],
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Enforcement_Diameter_Endpoint_Profile"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "parentProfile": {
+ "description": "Specifies the name of the object to inherit the settings from",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Pointer_Enforcement_Diameter_Endpoint_Profile"
+ }
+ ],
+ "default": {
+ "bigip": "/Common/diameter-endpoint"
+ }
+ },
+ "destinationHost": {
+ "description": "Specifies the destination host name of the PCRF or external policy server, for example, pcrfdest.net.com",
+ "type": "string"
+ },
+ "destinationRealm": {
+ "description": "Specifies the realm name or network of the PCRF, for example, net.com",
+ "type": "string"
+ },
+ "fatalGraceTime": {
+ "description": "Specifies the time period in seconds that a diameter (PCRF) connection can be disconnected before the system clears all subscriber session information associated with that diameter endpoint. If the connection is re-established within the fatal grace time period, session information is not cleared. 
A value of 0 means if the PCRF is disconnected, session information is cleared immediately.",
+ "type": "integer",
+ "minimum": 0,
+ "default": 500
+ },
+ "messageMaxRetransmits": {
+ "description": "Specifies the maximum number of times that messages can be retransmitted from the BIG-IP system to the PCRF",
+ "type": "integer",
+ "minimum": 0,
+ "default": 2
+ },
+ "messageRetransmitDelay": {
+ "description": "Specifies the number of milliseconds to wait before retransmitting unanswered messages in case of failure from the BIG-IP system to the PCRF over the Gx interface",
+ "type": "integer",
+ "minimum": 0,
+ "default": 1500
+ },
+ "originHost": {
+ "description": "Specifies the host name of the PCRF or external policy server, for example, pcrf.xnet.com",
+ "type": "string"
+ },
+ "originRealm": {
+ "description": "Specifies the realm name or network in which the PCRF resides, for example, xnet.com",
+ "type": "string"
+ },
+ "protocolProfileGx": {
+ "description": "Specifies the protocol profile to be used when you enable subscriber discovery. The PEM protocol profile defines mapping of Diameter Gx AVPs to subscriber ID and other PEM subscriber session attributes.",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Pointer_Enforcement_Profile_Gx"
+ }
+ ]
+ },
+ "productName": {
+ "description": "Specifies the value of the string used in the product name attribute value pair (AVP), in capabilities exchange message in the diameter when communicating with the PCRF",
+ "type": "string",
+ "default": "BIG-IP"
+ },
+ "supportedApps": {
+ "description": "Specifies the diameter endpoint you would like to provision. You can select Gx, Gy or SD. 
Gx and SD are mutually exclusive.",
+ "type": "array",
+ "items": {
+ "type": "string",
+ "enum": [
+ "Gx",
+ "Gy",
+ "Sd"
+ ]
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ }
+ },
+ "required": [
+ "class",
+ "supportedApps"
+ ],
+ "additionalProperties": false
+ },
+ "Enforcement_Radius_AAA_Profile": {
+ "description": "Configures a radius AAA profile",
+ "f5modules": [
+ "pem"
+ ],
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Enforcement_Radius_AAA_Profile"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "parentProfile": {
+ "description": "Specifies the name of the object to inherit the settings from",
+ "allof": [
+ {
+ "$ref": "#/definitions/Pointer_Enforcement_Radius_AAA_Profile"
+ }
+ ],
+ "default": {
+ "bigip": "/Common/radiusaaa"
+ }
+ },
+ "retransmissionTimeout": {
+ "description": "The number of seconds to wait before resending authentication or accounting transaction messages to the RADIUS server",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 60
+ },
+ "sharedSecret": {
+ "description": "Specifies the shared secret of the RADIUS server used for aunthentication or accounting",
+ "type": "object",
+ "properties": {
+ "allowReuse": {
+ "description": "If true, other declaration objects may reuse this value",
+ "type": "boolean",
+ "default": false
+ }
+ },
+ "if": true,
+ "then": {
+ "$ref": "#/definitions/Secret"
+ },
+ "f5fetch": "object",
+ "f5secret": true
+ },
+ "password": {
+ "description": "The password of the RADIUS AAA profile for RADIUS server authentication",
+ "type": "object",
+ "properties": {
+ "allowReuse": {
+ "description": "If true, other declaration objects may reuse this value",
+ "type": "boolean",
+ "default": false
+ }
+ },
+ "if": true,
+ "then": {
+ "$ref": "#/definitions/Secret"
+ },
+ "f5fetch": "object",
+ "f5secret": true
+ },
+ "transactionTimeout": {
+ "description": "The number of seconds to wait 
before resending authentication or accounting transaction messages to the RADIUS server",
+ "type": "integer",
+ "minimum": 5,
+ "maximum": 300
+ }
+ },
+ "required": [
+ "class"
+ ],
+ "additionalProperties": false
+ },
+ "Enforcement_Profile": {
+ "description": "Configures a subscriber policy manager profile",
+ "f5modules": [
+ "pem"
+ ],
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Enforcement_Profile"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "parentProfile": {
+ "description": "Specifies the name of the object to inherit the settings from",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Pointer_Enforcement_Profile"
+ }
+ ],
+ "default": {
+ "bigip": "/Common/spm"
+ }
+ },
+ "policiesGlobalHighPrecedence": {
+ "description": "Adds, deletes, or replaces a set of the policies",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/Pointer_Enforcement_Policy"
+ }
+ },
+ "policiesGlobalLowPrecedence": {
+ "description": "Adds, deletes, or replaces a set of the policies",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/Pointer_Enforcement_Policy"
+ }
+ },
+ "policiesUnknownSubscribers": {
+ "description": "Adds, deletes, or replaces a set of the policies",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/Pointer_Enforcement_Policy"
+ }
+ },
+ "connectionOptimizationEnabled": {
+ "description": "Specifies whether connection optimization is enabled or not",
+ "type": "boolean",
+ "default": true
+ },
+ "connectionOptimizationService": {
+ "$ref": "#/definitions/Pointer_Service"
+ }
+ },
+ "required": [
+ "class"
+ ],
+ "additionalProperties": false
+ },
+ "Enforcement_Subscriber_Management_Profile": {
+ "description": "Configures a subscriber management profile",
+ "f5modules": [
+ "pem"
+ ],
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": 
"Enforcement_Subscriber_Management_Profile"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "parentProfile": {
+ "description": "Specifies the name of the object to inherit the settings from",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Pointer_Enforcement_Subscriber_Management_Profile"
+ }
+ ],
+ "default": {
+ "bigip": "/Common/subscriber-mgmt"
+ }
+ },
+ "dhcpLeaseQuery": {
+ "$ref": "#/definitions/Enforcement_Subscriber_Management_Profile_DHCP"
+ },
+ "serverSideSessionsEnabled": {
+ "description": "Specifies that the session is created based on server side IP when the server side traffic comes and is enabled",
+ "type": "boolean",
+ "default": true
+ }
+ },
+ "required": [
+ "class"
+ ],
+ "additionalProperties": false
+ },
+ "Enforcement_Subscriber_Management_Profile_DHCP": {
+ "description": "Configures DHCP lease query settings for a subscriber management profile",
+ "f5modules": [
+ "pem"
+ ],
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "description": "Specifies that the subscriber management settings use DHCP lease query to communicate with DHCP servers to obtain DHCP lease information for the unknown IP address and creates a new policy enforcement session using the lease information received",
+ "type": "boolean",
+ "default": true
+ },
+ "service": {
+ "$ref": "#/definitions/Pointer_Service"
+ }
+ },
+ "required": [
+ "service"
+ ],
+ "additionalProperties": false
+ },
+ "Enforcement_Listener": {
+ "description": "Configures an enforcement data plane listener",
+ "f5modules": [
+ "pem"
+ ],
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Enforcement_Listener"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "enforcementProfile": {
+ "$ref": "#/definitions/Pointer_Enforcement_Profile"
+ },
+ "subscriberManagementProfile": {
+ "$ref": 
"#/definitions/Pointer_Enforcement_Subscriber_Management_Profile"
+ },
+ "services": {
+ "description": "A set of virtual servers",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/Pointer_Service"
+ },
+ "minItems": 1
+ }
+ },
+ "required": [
+ "class",
+ "enforcementProfile",
+ "services"
+ ],
+ "additionalProperties": false
+ },
+ "Enforcement_Interception_Endpoint": {
+ "description": "Configures an interception endpoint to clone all traffic",
+ "f5modules": [
+ "pem"
+ ],
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Enforcement_Interception_Endpoint"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "persistence": {
+ "description": "Specifies the persistence that is based on either the source or destination IP addresses only",
+ "type": "string",
+ "enum": [
+ "destination-ip",
+ "source-ip",
+ "disabled"
+ ],
+ "default": "disabled"
+ },
+ "pool": {
+ "$ref": "#/definitions/Pointer_Pool"
+ }
+ },
+ "required": [
+ "class",
+ "pool"
+ ],
+ "additionalProperties": false
+ },
+ "Enforcement_Format_Script": {
+ "description": "Specifies a script using TCL syntax that defines a custom format for HSL reporting applied in an enforcement policy rule. 
The format and fields available differ depending on whether you are using session-based or flow-based reporting in the rule.",
+ "f5modules": [
+ "pem"
+ ],
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Enforcement_Format_Script"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "definition": {
+ "description": "TCL script text",
+ "type": "string"
+ }
+ },
+ "required": [
+ "class"
+ ],
+ "additionalProperties": false
+ },
+ "Enforcement_Forwarding_Endpoint": {
+ "description": "Configures an forwarding endpoint to specify PEM policy forwarding actions",
+ "f5modules": [
+ "pem"
+ ],
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Enforcement_Forwarding_Endpoint"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "pool": {
+ "$ref": "#/definitions/Pointer_Pool"
+ },
+ "SNATPool": {
+ "$ref": "#/definitions/Pointer_SNAT_Pool"
+ },
+ "sourcePortAction": {
+ "description": "Specifies whether the system preserves the source port of the connection",
+ "type": "string",
+ "enum": [
+ "change",
+ "preserve",
+ "preserve-strict"
+ ],
+ "default": "preserve"
+ },
+ "addressTranslationEnabled": {
+ "description": "Specifies, when enabled, that the system translates the original destination address of the virtual server. When disabled, specifies that the system uses the address without translation.",
+ "type": "boolean",
+ "default": false
+ },
+ "portTranslationEnabled": {
+ "description": "Specifies, when enabled, that the system translates the original destination port. When disabled, specifies that the system uses the original destination port without translation.",
+ "type": "boolean",
+ "default": false
+ },
+ "defaultPersistenceType": {
+ "description": "Specifies a persistence method for the pool member selection. 
If you have multiple pool members and want specific traffic to go to the same pool member, select the appropriate IP address type.",
+ "type": "string",
+ "enum": [
+ "destination-ip",
+ "disabled",
+ "hash",
+ "source-ip"
+ ],
+ "default": "disabled"
+ },
+ "fallbackPersistenceType": {
+ "description": "Specifies the fallback persistance method that is applied when default persistence fails. If you have multiple pool members and want specific traffic to go to the same pool member, select the appropriate IP address type.",
+ "type": "string",
+ "enum": [
+ "destination-ip",
+ "disabled",
+ "source-ip"
+ ],
+ "default": "disabled"
+ },
+ "persistenceHashSettings": {
+ "$ref": "#/definitions/Enforcement_Forwarding_Endpoint_Hash_Settings"
+ }
+ },
+ "required": [
+ "class",
+ "pool"
+ ],
+ "additionalProperties": false
+ },
+ "Enforcement_Forwarding_Endpoint_Hash_Settings": {
+ "description": "Specifies the settings for the hash persistence method",
+ "type": "object",
+ "properties": {
+ "length": {
+ "description": "Specifies the length of the source string used to calculate the hash value",
+ "minimum": 0,
+ "maximum": 4294967295,
+ "default": 1024
+ },
+ "offset": {
+ "description": "Specifies the offset, in bytes, from start of the source string to calculate the hash value",
+ "minimum": 0,
+ "maximum": 4294967295,
+ "default": 0
+ },
+ "tclScript": {
+ "description": "The results from this TCL script are used to calculate the hash value. 
If no script is specified, the URI is used instead.",
+ "type": "string"
+ }
+ },
+ "required": [],
+ "additionalProperties": false
+ },
+ "Enforcement_Service_Chain_Endpoint": {
+ "description": "Configures service chain endpoint definitions for the Policy Enforcement Manager (PEM)",
+ "type": "object",
+ "properties": {
+ "class": {
+ "title": "Class",
+ "type": "string",
+ "const": "Enforcement_Service_Chain_Endpoint"
+ },
+ "label": {
+ "$ref": "#/definitions/Label"
+ },
+ "remark": {
+ "$ref": "#/definitions/Remark"
+ },
+ "serviceEndpoints": {
+ "description": "Specifies a list of forwarding endpoints that define where to send traffic on the way to its final destination. This way, the system can route traffic to other servers that can provide value-added services. Traffic goes to the endpoints in the order in which they are listed.",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/Enforcement_Service_Chain_Endpoint_Service_Endpoint"
+ }
+ }
+ },
+ "required": [
+ "class"
+ ],
+ "additionalProperties": false
+ },
+ "Enforcement_Service_Chain_Endpoint_Service_Endpoint": {
+ "description": "Configures an individual service chain endpoint",
+ "type": "object",
+ "properties": {
+ "name": {
+ "description": "Specify the name of the service endpoint where the traffic is going to",
+ "type": "string"
+ },
+ "forwardingEndpoint": {
+ "$ref": "#/definitions/Pointer_Enforcement_Forwarding_Endpoint"
+ },
+ "sourceVLAN": {
+ "$ref": "#/definitions/Pointer_VLAN"
+ },
+ "serviceOption": {
+ "description": "Specifies the service option in case the service endpoint is not accessible through the network, for forwarding endpoint. For ICAP service endpoint, the service endpoint works as a fallback action for non-HTTP traffic. Select \"optional\" if you want to skip the service endpoint. 
Select \"mandatory\" if you want all traffic flows dropped.",
+ "type": "string",
+ "enum": [
+ "mandatory",
+ "optional"
+ ],
+ "default": "mandatory"
+ },
+ "internalService": {
+ "description": "Specifies the internal ICAP virtual server",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Pointer_Service"
+ }
+ ]
+ },
+ "internalServiceICAPType": {
+ "description": "Specifies the ICAP adaptation type. Select \"request\" to send only HTTP requests to ICAP server. Select \"response\" to send only HTTP responses to ICAP server. Select \"both\" to have both requests and responses.",
+ "type": "string",
+ "enum": [
+ "request",
+ "response",
+ "both",
+ "none"
+ ]
+ },
+ "steeringPolicy": {
+ "$ref": "#/definitions/Pointer_Enforcement_Policy"
+ }
+ },
+ "dependencies": {
+ "internalServiceICAPType": [
+ "internalService"
+ ]
+ },
+ "required": [
+ "sourceVLAN"
+ ],
+ "additionalProperties": false
+ },
+ "Pointer_Bandwidth_Control_Policy": {
+ "description": "Reference to a bandwidth control policy",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to bandwidth control policy declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "Bandwidth_Control_Policy"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP bandwidth control policy",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query net bwc policy"
+ },
+ "Pointer_Classification_Application": {
+ "description": "Reference to a application classification",
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "description": "Pathname of existing BIG-IP application classification",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm classification application"
+ },
+ 
"Pointer_Classification_Category": {
+ "description": "Reference to a category classification",
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "description": "Pathname of existing BIG-IP category classification",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm classification category"
+ },
+ "Pointer_Classification_Preset": {
+ "description": "Reference to a classification preset",
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "description": "Pathname of existing BIG-IP classification preset",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm classification ce"
+ },
+ "Pointer_Classification_Profile": {
+ "description": "Reference to a classification profile",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to classification profile declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "Classification_Profile"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP classification profile",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm profile classification"
+ },
+ "Pointer_DNS_Cache": {
+ "description": "Reference to a DNS cache",
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "description": "Pathname of existing BIG-IP DNS cache",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm dns cache resolver"
+ },
+ "Pointer_Data_Group_File": {
+ "description": "Reference to a Data Group File",
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "description": "Pathname of 
existing BIG-IP Data Group File",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query sys file data-group"
+ },
+ "Pointer_DNS_Listener": {
+ "description": "Reference to a DNS Listener",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to DNS Listener declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "DNS_Listener"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP DNS Listener",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query gtm listener"
+ },
+ "Pointer_DNS_Logging_Profile": {
+ "description": "Reference to a DNS logging profile",
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "description": "Pathname of existing BIG-IP DNS logging profile",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm profile dns-logging"
+ },
+ "Pointer_DNS_Nameserver": {
+ "description": "Reference to a DNS nameserver",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to DNS nameserver declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "DNS_Nameserver"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP DNS nameserver",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm dns nameserver"
+ },
+ "Pointer_DNS_Profile": {
+ "description": "Reference to a DNS profile",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to DNS profile 
declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "DNS_Profile"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP DNS profile",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm profile dns"
+ },
+ "Pointer_DNS_Security_Profile": {
+ "description": "Reference to a DNS security profile",
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "description": "Pathname of existing BIG-IP DNS security profile",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query security dns profile"
+ },
+ "Pointer_DNS_TSIG_Key": {
+ "description": "Reference to a DNS TSIG key",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to DNS TSIG key declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "DNS_TSIG_Key"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP DNS TSIG key",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm dns tsig-key"
+ },
+ "Pointer_DNS_Zone": {
+ "description": "Reference to a DNS zone",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to DNS zone declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "DNS_Zone"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP DNS zone",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm dns 
zone"
+ },
+ "Pointer_Enforcement_Format_Script": {
+ "description": "Reference to a format script",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to format script declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "Enforcement_Format_Script"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP format script",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query pem reporting format-script"
+ },
+ "Pointer_Enforcement_Forwarding_Endpoint": {
+ "description": "Reference to a forwarding endpoint",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to forwarding endpoint declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "Enforcement_Forwarding_Endpoint"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP forwarding endpoint",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query pem forwarding-endpoint"
+ },
+ "Pointer_Enforcement_Interception_Endpoint": {
+ "description": "Reference to a interception endpoint",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to interception endpoint declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "Enforcement_Interception_Endpoint"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP interception endpoint",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query pem 
interception-endpoint"
+ },
+ "Pointer_Enforcement_iRule": {
+ "description": "Reference to a enforcement iRule",
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "description": "Pathname of existing BIG-IP PEM iRule",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query pem irule"
+ },
+ "Pointer_Enforcement_Policy": {
+ "description": "Reference to a enforcement policy",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to enforcement policy declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "Enforcement_Policy"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP PEM policy",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query pem policy"
+ },
+ "Pointer_Enforcement_Diameter_Endpoint_Profile": {
+ "description": "Reference to a enforcement profile diameter endpoint",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to enforcement profile diameter endpoint declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "Enforcement_Diameter_Endpoint_Profile"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP enforcement profile diameter endpoint",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query pem profile diameter-endpoint"
+ },
+ "Pointer_Enforcement_Profile_Gx": {
+ "description": "Reference to a enforcement profile gx",
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "description": "Pathname of existing BIG-IP enforcement profile gx",
+ "type": "string",
+ 
"format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query pem protocol profile gx"
+ },
+ "Pointer_Enforcement_Radius_AAA_Profile": {
+ "description": "Reference to a enforcement profile radius aaa",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to enforcement profile radius aaa declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "Enforcement_Radius_AAA_Profile"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP enforcement profile radius aaa",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query pem profile radius-aaa"
+ },
+ "Pointer_Enforcement_Profile": {
+ "description": "Reference to a enforcement profile",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to enforcement profile declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "Enforcement_Profile"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP PEM spm policy",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query pem profile spm"
+ },
+ "Pointer_Enforcement_Rating_Group": {
+ "description": "Reference to a quota rating group",
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "description": "Pathname of existing BIG-IP quota rating group",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query pem quota-mgmt rating-group"
+ },
+ "Pointer_Enforcement_Service_Chain_Endpoint": {
+ "description": "Reference to a service chain 
endpoint",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to service chain endpoint declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "Enforcement_Service_Chain_Endpoint"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP service chain endpoint",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query pem service-chain-endpoint"
+ },
+ "Pointer_Enforcement_Subscriber_Management_Profile": {
+ "description": "Reference to a enforcement subscriber management profile",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to enforcement subscriber management profile declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "Enforcement_Subscriber_Management_Profile"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP PEM subscriber-mgmt policy",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query pem profile subscriber-mgmt"
+ },
+ "Pointer_Enforcement_Protocol_Profile_Radius": {
+ "description": "Reference to a radius protocol profile",
+ "type": "object",
+ "properties": {
+ "bigip": {
+ "description": "Pathname of existing BIG-IP radius protocol profile",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query pem protocol profile radius"
+ },
+ "Pointer_IP_Other_Profile": {
+ "description": "Reference to a ipother profile",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to ipother profile declaration",
+ "type": "string",
+ "minLength": 1,
+ 
"f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "IP_Other_Profile"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP ipother profile",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm profile ipother"
+ },
+ "Pointer_Log_Publisher": {
+ "description": "Reference to a log publisher",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to log publisher declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "Log_Publisher"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP log publisher",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query sys log-config publisher"
+ },
+ "Pointer_Radius_Profile": {
+ "description": "Reference to a radius profile",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to radius profile declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "Radius_Profile"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP radius profile",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm profile radius"
+ },
+ "Pointer_Persist": {
+ "description": "Reference to a persistence profile",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to persistence profile declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "Persist"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ 
"description": "Pathname of existing BIG-IP persistence profile",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm persistence"
+ },
+ "Pointer_Pool": {
+ "description": "Reference to a pool",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to pool declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "Pool"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP pool",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm pool"
+ },
+ "Pointer_FIX_Profile": {
+ "description": "Reference to a FIX profile",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to FIX profile declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "FIX_Profile"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP FIX profile",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm profile fix"
+ },
+ "Pointer_TCP_Profile": {
+ "description": "Reference to a TCP profile",
+ "type": "object",
+ "properties": {
+ "use": {
+ "description": "AS3 pointer to TCP profile declaration",
+ "type": "string",
+ "minLength": 1,
+ "f5pointsTo": {
+ "properties": {
+ "class": {
+ "enum": [
+ "TCP_Profile"
+ ]
+ }
+ },
+ "required": [
+ "class"
+ ]
+ }
+ },
+ "bigip": {
+ "description": "Pathname of existing BIG-IP TCP profile",
+ "type": "string",
+ "format": "f5bigip"
+ }
+ },
+ "additionalProperties": false,
+ "minProperties": 1,
+ "maxProperties": 1,
+ "f5bigComponent": "query ltm profile tcp"
+ },
+ 
"Pointer_Route_Domain": { + "description": "Reference to a route domain", + "type": "object", + "properties": { + "bigip": { + "description": "Pathname of existing BIG-IP route domain", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "minProperties": 1, + "maxProperties": 1, + "f5bigComponent": "query net route-domain" + }, + "Pointer_SNAT_Pool": { + "description": "Reference to a snat pool", + "type": "object", + "properties": { + "use": { + "description": "AS3 pointer to snat pool declaration", + "type": "string", + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "enum": [ + "SNAT_Pool" + ] + } + }, + "required": [ + "class" + ] + } + }, + "bigip": { + "description": "Pathname of existing BIG-IP snat pool", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "minProperties": 1, + "maxProperties": 1, + "f5bigComponent": "query ltm snatpool" + }, + "Pointer_Service": { + "description": "Reference to a service", + "type": "object", + "properties": { + "use": { + "description": "AS3 pointer to service declaration", + "type": "string", + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "enum": [ + "Service_HTTPS", + "Service_HTTP", + "Service_TCP", + "Service_UDP", + "Service_L4", + "Service_Generic" + ] + } + }, + "required": [ + "class" + ] + } + }, + "bigip": { + "description": "Pathname of existing BIG-IP virtual server", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "minProperties": 1, + "maxProperties": 1, + "f5bigComponent": "query ltm virtual" + }, + "Pointer_UDP_Profile": { + "description": "Reference to a UDP profile", + "type": "object", + "properties": { + "use": { + "description": "AS3 pointer to UDP profile declaration", + "type": "string", + "minLength": 1, + "f5pointsTo": { + "properties": { + "class": { + "enum": [ + "UDP_Profile" + ] + } + }, + "required": [ + "class" + ] + } + }, + "bigip": { + 
"description": "Pathname of existing BIG-IP UDP profile", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "minProperties": 1, + "maxProperties": 1, + "f5bigComponent": "query ltm profile udp" + }, + "Pointer_VLAN": { + "description": "Reference to a VLAN", + "type": "object", + "properties": { + "bigip": { + "description": "Pathname of existing BIG-IP VLAN", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "minProperties": 1, + "maxProperties": 1, + "f5bigComponent": "query net vlan" + }, + "Pointer_WAF_Policy": { + "description": "Reference to a WAF policy", + "type": "object", + "properties": { + "bigip": { + "description": "Pathname of existing BIG-IP WAF policy", + "type": "string", + "format": "f5bigip" + } + }, + "additionalProperties": false, + "minProperties": 1, + "maxProperties": 1, + "f5bigComponent": "query asm policy" + } + } +} \ No newline at end of file diff --git a/schema/as3-request-schema-3.5.0-3.json b/schema/as3-request-schema-3.5.0-3.json new file mode 100644 index 00000000..2353be22 --- /dev/null +++ b/schema/as3-request-schema-3.5.0-3.json 
@@ -0,0 +1,159 @@
+{
+ "$id": "urn:uuid:85626792-9ee7-46bb-8fc8-4ba708cfdc1d",
+ "$schema": "http://json-schema.org/draft-07/schema#",
+
+ "title": "AS3 Request",
+ "description": "AS3 request body",
+ "type": "object",
+
+ "properties": {
+ "class": {
+ "title": "Class",
+ "description": "Indicates the structure of this request",
+ "type": "string",
+ "enum": [ "AS3" ]
+ },
+ "action": {
+ "title": "Action",
+ "description": "Indicates desired action: 'deploy' means deploy the included declaration to targetHost; 'dry-run' does NOT deploy the declaration but does do everything short of changing targetHost's configuration; 'patch' modifies the declaration based on the provided set of commands and then deploys the updated declaration; 'redeploy' causes an old declaration from targetHost's declaration history to be re-deployed (property redeployAge (default 0) selects the old declaration, and note redeployUpdateMode as well); 'retrieve' returns a copy of a previously-deployed declaration; 'remove' deletes the declaration or declaration component." ,
+ "type": "string",
+ "enum": [ "deploy", "dry-run", "patch", "redeploy", "retrieve", "remove" ],
+ "default": "deploy"
+ },
+ "redeployAge": {
+ "title": "Redeploy age",
+ "description": "For action=redeploy (only), chooses which old declaration to deploy again. Value 0 (default) means re-deploy the most recent declaration (the one which set the current configuration of targetHost-- useful to erase changes introduced by manual configuration). Value 1 means re-deploy the declaration prior to the most-recent one, etc. Note that whenever re-deploying an old declaration causes ADC configuration changes, that declaration becomes the current declaration (age 0) and the ages of all other declarations in the history increase (0 => 1, 1 => 2, u.s.w.)",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 15,
+ "default": 0
+ },
+ "redeployUpdateMode": {
+ "title": "Redeploy update mode",
+ "description": "Value 'original' (default) means re-deploy the chosen declaration using its original updateMode (which if not explicitly specified in that declaration will default to 'selective'). Otherwise, forces the updateMode for re-deployment to 'complete' or 'selective' as specified. Remember, 'selective' updates do not affect Tenants not explicitly named. To simply roll-back the targetHost configuration to the state it had immediately after deploying some earlier declaration, put 'complete' here (that will remove Tenants created later than the redeployAge declaration). To use action=redeploy as a simple roll-back facility, always deploy (updateMode=)complete declarations.",
+ "type": "string",
+ "enum": [ "original", "complete", "selective" ],
+ "default": "original"
+ },
+ "persist": {
+ "title": "Persist on device",
+ "description": "When true (default) make the whole working configuration persistent on targetHost after (and only if) this request deploys any changes. If false, leave the working configuration in memory only (if targetHost restart, you may lose the configuration from memory)",
+ "type": "boolean",
+ "default": true
+ },
+ "syncToGroup": {
+ "title": "Sync to device group",
+ "description": "Name (like /Common/my_dg) of the config-sync group TO which the system should synchronize the targetHost configuration after (and only if) this request deploys any changes. When empty (default) this request will not affect config-sync at all. Leave undefined or empty whenever you use auto-sync or manage configuration synchronization separately",
+ "type": "string",
+ "default": ""
+ },
+ "historyLimit": {
+ "title": "History limit",
+ "description": "This value (default 4) limits the number of previously-deployed declarations saved on targetHost for review using GET and for use with POST action=redeploy and redeployAge=N. The limit includes the current and immediately-previous declarations so may not be less than two",
+ "type": "number",
+ "minimum": 2,
+ "maximum": 15,
+ "default": 4
+ },
+
+ "logLevel": {
+ "title": "Log level",
+ "description": "Controls level of detail in logs using RFC 5424 severity levels (default is 'warning'). Portions of declaration may use different logLevels",
+ "type": "string",
+ "enum": [
+ "emergency", "alert", "critical", "error",
+ "warning", "notice", "info", "debug"
+ ],
+ "default": "warning"
+ },
+ "trace": {
+ "title": "Trace",
+ "description": "If true, AS3 creates a detailed trace of the configuration process for subsequent analysis (default false). May be overridden on a per-Declaration and/or per-Tenant basis. Warning: trace files may contain sensitive configuration data",
+ "type": "boolean",
+ "default": false
+ },
+ "retrieveAge": {
+ "title": "Retrieve age",
+ "description": "Use this property with action=retrieve. You can usually get a copy of the declaration most recently deployed to targetHost, and often copies of previously-deployed declarations are also available. Value 0 (default) means 'the last-deployed declaration,' value 1 means 'the declaration previous to 0' and so-forth. To get a list of available declarations, set value 'list'",
+ "type": [ "integer", "string" ],
+ "minimum": 0,
+ "pattern": "^list$",
+ "default": 0
+ },
+ "targetHost": {
+ "title": "Target host",
+ "description": "Hostname or IP address of ADC to which request applies (default localhost)",
+ "type": "string",
+ "anyOf": [
+ { "format": "hostname" },
+ { "format": "f5ip" }
+ ],
+ "default": "localhost"
+ },
+ "targetPort": {
+ "title": "Target port",
+ "description": "TCP port number of management service on targetHost; default 0 means auto-discover",
+ "type": "integer",
+ "minimum": 0,
+ "maximum": 65535,
+ "default": 0
+ },
+ "targetUsername": {
+ "title": "Target username",
+ "description": "Username of principal authorized to modify configuration of targetHost (may not include the character ':'). NOTE: this is generally not required to configure 'localhost' because client authentication and authorization precede invocation of AS3. It is also not required for any targetHost if you populate targetTokens",
+ "type": "string",
+ "pattern": "^[^:]{0,254}$"
+ },
+ "targetPassphrase": {
+ "title": "Target passphrase",
+ "description": "Passphrase for targetUsername account. This is generally not required to configure 'localhost' and is not required when you populate targetTokens",
+ "type": "string",
+ "pattern": "^.{0,254}$"
+ },
+ "targetTokens": {
+ "title": "Target tokens",
+ "description": "One or more HTTP headers (each a property, like 'X-F5-Auth-Token': 'MF6APSRUYKTMSDBEOOEWLCNSO2') you want to send with queries to the targetHost management service as authentication/authorization tokens",
+ "type": "object",
+ "patternProperties": {
+ "^[^\\x00-\\x20:\\x7f-\\xff]{1,254}$": {
+ "title": "HTTP header",
+ "type": "string",
+ "pattern": "^[^\\x00-\\x1f\\x7f-\\xff]{0,8192}$"
+ }
+ },
+ "additionalProperties": false
+ },
+ "targetTimeout": {
+ "title": "Target timeout",
+ "description": "Maximum delay allowed while communicating with targetHost device (seconds, default 150)",
+ "type": "integer",
+ "minimum": 1,
+ "maximum": 900,
+ "default": 150
+ },
+ "resourceTimeout": {
+ "title": "Resource timeout",
+ "description": "Maximum delay allowed while communicating with URL resources (seconds, default 5)",
+ "type": "integer",
+ "minimum": 1,
+ "maximum": 900,
+ "default": 5
+ },
+
+ "declaration": {
+ "title": "Declaration",
+ "description": "Declaration to deploy to targetHost",
+ "type": "object",
+ "$comment": "See adc-schema.json"
+ },
+
+ "patchBody": {
+ "title": "Patch Body",
+ "description": "An array containing the patch operations to apply on the declaration",
+ "type": "array",
+ "$comment": "Refer to docs for additional information on patch request syntax"
+ }
+ },
+
+ "required": [ "class" ]
+}
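Review bot: The top-level request object declares `properties` and `required` but no `additionalProperties`, so a misspelled key validates and the property's documented default applies instead. With `"default": "deploy"` on `action`, a request that mistypes the `action` key while intending `dry-run` would pass this schema and, if defaults are applied as described, change targetHost. Unless unknown keys are rejected somewhere outside this schema (not visible here), I would add `"additionalProperties": false` next to `"required": [ "class" ]`, as the `targetTokens` object already does. Separately, `historyLimit` is `"type": "number"` while the other bounded counts here (`redeployAge`, `targetTimeout`) are `integer`; `"type": "integer"` would reject values such as 2.5.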