slb template policy

Configure a template of Policy-Based SLB (PBSLB) settings.

policy Specification

Type                 Collection
Object Key(s)        name
Collection Name      policy-list
Collection URI       /axapi/v3/slb/template/policy/
Element Name         policy
Element URI          /axapi/v3/slb/template/policy/{name}
Element Attributes   policy_attributes
Schema               policy schema

Operations Allowed:

Operation        Method   URI                                     Payload
Create Object    POST     /axapi/v3/slb/template/policy/          policy Attributes
Create List      POST     /axapi/v3/slb/template/policy/          policy Attributes
Get Object       GET      /axapi/v3/slb/template/policy/{name}    policy Attributes
Get List         GET      /axapi/v3/slb/template/policy/          policy-list
Modify Object    POST     /axapi/v3/slb/template/policy/{name}    policy Attributes
Replace Object   PUT      /axapi/v3/slb/template/policy/{name}    policy Attributes
Replace List     PUT      /axapi/v3/slb/template/policy/          policy-list
Delete Object    DELETE   /axapi/v3/slb/template/policy/{name}    policy Attributes

policy-list

policy-list is a JSON List of policy Attributes

policy-list : [

policy Attributes

bw-list-id

Description: bw-list-id is a JSON List. Please see below for bw-list-id.

Type: List

bw-list-name

Description: Specifies the action to take for clients in the black/white list:

  • id - Group ID in the black/white list.
  • service-group-name - Sends clients to the SLB service group associated with this group ID on the ACOS device.
  • drop - Drops connections for IP addresses that are in the specified group.
  • reset - Resets connections for IP addresses that are in the specified group.
  • logging - [minutes] [ fail ] – Enables logging. The minutes option specifies how often messages can be generated. This option reduces overhead caused by frequent recurring messages.

Type: string

Format: string-rlx

class-list

Description: class-list is a JSON Block. Please see below for class-list.

Type: Object

Reference Object: /axapi/v3/slb/template/policy/{name}/class-list

forward-policy

Description: forward-policy is a JSON Block. Please see below for forward-policy.

Type: Object

Reference Object: /axapi/v3/slb/template/policy/{name}/forward-policy

full-domain-tree

Description: Share counters between geo-location and sub regions

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

interval

Description: Specifies the log interval in minutes.

Type: number

Range: 1-255

name

Description: Name of the template.

Type: string

Format: string-rlx

Required: Yes

over-limit

Description: Specifies the action to take for traffic that is over the limit.

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

over-limit-lockup

Description: Continues to apply the over-limit action to all new connection attempts from the client, for the specified number of minutes.

Type: number

Range: 1-127

over-limit-logging

Description: Generates a log message when traffic goes over the limit.

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

over-limit-reset

Description: Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit.

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

overlap

Description: Enables overlap matching mode. If there are overlapping addresses in the black/white-list, use this option to enable the ACOS device to find the most precise match.

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

sampling-enable

Description: sampling-enable is a JSON List. Please see below for sampling-enable.

Type: List

share

Description: Include all virtual servers and virtual ports that use the template. This causes the following counters to be shared:

  • Permit
  • Deny
  • Connection number
  • Connection limit

Note: A10 Networks recommends you enable or disable this option before enabling GSLB. Changing the state of this option while GSLB is running can cause the related statistics counters to be incorrect.

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

timeout

Description: Specifies the number of minutes dynamic black/white-list client entries can remain idle before aging out.

Type: number

Range: 1-127

Default: 5

use-destination-ip

Description: Matches black/white list entries based on the client’s destination IP address, instead of matching by client source address. By default, matching is based on the client’s source IP address. Generally, this option is applicable when wildcard VIPs are used.

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

user-tag

Description: Customized tag

Type: string

Format: string-rlx

uuid

Description: uuid of the object

Type: string

forward-policy

Specification
Type object

action-list

Description: action-list is a JSON List. Please see below for forward-policy.action-list.

Type: List

Reference Object: /axapi/v3/slb/template/policy/{name}/forward-policy/action/{name}

filtering

Description: filtering is a JSON List. Please see below for forward-policy.filtering.

Type: List

no-client-conn-reuse

Description: Inspects only the first request of a connection

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

source-list

Description: source-list is a JSON List. Please see below for forward-policy.source-list.

Type: List

Reference Object: /axapi/v3/slb/template/policy/{name}/forward-policy/source/{name}

uuid

Description: uuid of the object

Type: string

forward-policy.action-list

Specification
Type list
Block object keys

action1

Description: ‘forward-to-internet’: Forward request to Internet; ‘forward-to-service-group’: Forward request to service group; ‘drop’: Drop request;

Type: string

Supported Values: forward-to-internet, forward-to-service-group, drop

drop-message

Description: Drop message sent to the client as a web page (HTML tags are included, and quotation marks are required for white space)

Type: string

Format: string-rlx

Mutual Exclusion: drop-message and drop-redirect-url are mutually exclusive

drop-redirect-url

Description: Specify URL to which client request is redirected upon being dropped

Type: string

Format: string-rlx

Mutual Exclusion: drop-redirect-url and drop-message are mutually exclusive

fake-sg

Description: service group to forward the packets to Internet

Type: string

fall-back

Description: Fallback service group for Internet

Type: string

fall-back-snat

Description: Source NAT pool or pool group for fallback server

Type: string

forward-snat

Description: Source NAT pool or pool group

Type: string

http-status-code

Description: ‘301’: Moved permanently; ‘302’: Found;

Type: string

Supported Values: 301, 302

Default: 302

log

Description: enable logging

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

name

Description: Action policy name

Type: string

Required: Yes

proxy-chaining

Description: Enable proxy chaining feature

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

real-sg

Description: service group to forward the packets

Type: string

sampling-enable

Description: sampling-enable is a JSON List. Please see below for sampling-enable.

Type: List

user-tag

Description: Customized tag

Type: string

Format: string-rlx

uuid

Description: uuid of the object

Type: string

forward-policy.action-list.sampling-enable

Specification
Type list
Block object keys

counters1

Description: ‘all’: all; ‘hits’: Number of requests matching this destination rule;

Type: string

Supported Values: all, hits

forward-policy.filtering

Specification
Type list
Block object keys

ssli-url-filtering

Description: ‘bypassed-sni-disable’: Disable SNI filtering for bypassed URLs (enabled by default); ‘intercepted-sni-enable’: Enable SNI filtering for intercepted URLs (disabled by default); ‘intercepted-http-disable’: Disable HTTP (host/URL) filtering for intercepted URLs (enabled by default); ‘no-sni-allow’: Allow connection if SNI filtering is enabled and SNI header is not present (Drop by default);

Type: string

Supported Values: bypassed-sni-disable, intercepted-sni-enable, intercepted-http-disable, no-sni-allow

forward-policy.source-list

Specification
Type list
Block object keys

class-list-next

Description: Class List Name

Type: string

Reference Object: /axapi/v3/class-list

destination

Description: destination is a JSON Block. Please see below for forward-policy.source-list.destination.

Type: Object

Reference Object: /axapi/v3/slb/template/policy/{name}/forward-policy/source/{name}/destination

match-any

Description: Match any source

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: match-any and match-class-list are mutually exclusive

match-class-list

Description: Class List Name

Type: string

Mutual Exclusion: match-class-list and match-any are mutually exclusive

Reference Object: /axapi/v3/class-list

name

Description: source destination match rule name

Type: string

Required: Yes

operation

Description: ‘or’: Logical OR on source class list;

Type: string

Supported Values: or

sampling-enable

Description: sampling-enable is a JSON List. Please see below for sampling-enable.

Type: List

user-tag

Description: Customized tag

Type: string

Format: string-rlx

uuid

Description: uuid of the object

Type: string

forward-policy.source-list.destination

Specification
Type object

any

Description: any is a JSON Block. Please see below for forward-policy.source-list.destination.any.

Type: Object

Reference Object: /axapi/v3/slb/template/policy/{name}/forward-policy/source/{name}/destination/any

class-list-list

Description: class-list-list is a JSON List. Please see below for forward-policy.source-list.destination.class-list-list.

Type: List

Reference Object: /axapi/v3/slb/template/policy/{name}/forward-policy/source/{name}/destination/class-list/{dest-class-list}

web-category-list-list

Description: web-category-list-list is a JSON List. Please see below for forward-policy.source-list.destination.web-category-list-list.

Type: List

Reference Object: /axapi/v3/slb/template/policy/{name}/forward-policy/source/{name}/destination/web-category-list/{web-category-list}

forward-policy.source-list.destination.class-list-list

Specification
Type list
Block object keys

action

Description: Action to be performed

Type: string

dest-class-list

Description: Destination Class List Name

Type: string

Reference Object: /axapi/v3/class-list

priority

Description: Priority value of the action (the higher the number, the higher the priority)

Type: number

Range: 1-1024

sampling-enable

Description: sampling-enable is a JSON List. Please see below for sampling-enable.

Type: List

type

Description: ‘host’: Match hostname; ‘url’: match URL;

Type: string

Supported Values: host, url

uuid

Description: uuid of the object

Type: string

forward-policy.source-list.destination.class-list-list.sampling-enable

Specification
Type list
Block object keys

counters1

Description: ‘all’: all; ‘hits’: Number of requests matching this destination rule;

Type: string

Supported Values: all, hits

forward-policy.source-list.destination.web-category-list-list

Specification
Type list
Block object keys

action

Description: Action to be performed

Type: string

priority

Description: Priority value of the action (the higher the number, the higher the priority)

Type: number

Range: 1-1024

sampling-enable

Description: sampling-enable is a JSON List. Please see below for sampling-enable.

Type: List

type

Description: ‘host’: Match hostname; ‘url’: match URL;

Type: string

Supported Values: host, url

uuid

Description: uuid of the object

Type: string

web-category-list

Description: Destination Class List Name

Type: string

Format: string-rlx

Reference Object: /axapi/v3/web-category/category-list

forward-policy.source-list.destination.web-category-list-list.sampling-enable

Specification
Type list
Block object keys

counters1

Description: ‘all’: all; ‘hits’: Number of requests matching this destination rule;

Type: string

Supported Values: all, hits

forward-policy.source-list.destination.any

Specification
Type object

action

Description: Action to be performed

Type: string

sampling-enable

Description: sampling-enable is a JSON List. Please see below for sampling-enable.

Type: List

uuid

Description: uuid of the object

Type: string

forward-policy.source-list.destination.any.sampling-enable

Specification
Type list
Block object keys

counters1

Description: ‘all’: all; ‘hits’: Number of requests matching this destination rule;

Type: string

Supported Values: all, hits

forward-policy.source-list.sampling-enable

Specification
Type list
Block object keys

counters1

Description: ‘all’: all; ‘hits’: Number of requests matching this source rule; ‘destination-match-not-found’: Number of requests without matching destination rule; ‘no-host-info’: Failed to parse ip or host information from request;

Type: string

Supported Values: all, hits, destination-match-not-found, no-host-info

class-list

Specification
Type object

client-ip-l3-dest

Description: Use destination IP as client IP address

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: client-ip-l3-dest and client-ip-l7-header are mutually exclusive

client-ip-l7-header

Description: Extract client IP address from L7 header

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: client-ip-l7-header and client-ip-l3-dest are mutually exclusive

header-name

Description: Specify L7 header name

Type: string

lid-list

Description: lid-list is a JSON List. Please see below for class-list.lid-list.

Type: List

Reference Object: /axapi/v3/slb/template/policy/{name}/class-list/lid/{lidnum}

name

Description: Class list name or geo-location-class-list name

Type: string

Format: string-rlx

Required: Yes

uuid

Description: uuid of the object

Type: string

class-list.lid-list

Specification
Type list
Block object keys

action-value

Description: ‘forward’: Forward the traffic even if it exceeds the limit; ‘reset’: Reset the connection when it exceeds the limit;

Type: string

Supported Values: forward, reset

bw-per

Description: Per (Specify interval in number of 100ms)

Type: number

Range: 1-65535

bw-rate-limit

Description: Specify bandwidth rate limit (Bandwidth rate limit in bytes)

Type: number

Range: 1-2147483647

conn-limit

Description: Connection limit

Type: number

Range: 0-1048575

conn-per

Description: Per (Specify interval in number of 100ms)

Type: number

Range: 1-65535

conn-rate-limit

Description: Specify connection rate limit

Type: number

Range: 1-2147483647

dns64

Description: dns64 is a JSON Block. Please see below for class-list.lid-list.dns64.

Type: Object

interval

Description: Specify log interval in minutes; by default the system logs every over-limit instance

Type: number

Range: 1-255

lidnum

Description: Specify a limit ID

Type: number

Range: 1-31

lockout

Description: Don’t accept any new connection for a certain time (Lockout duration in minutes)

Type: number

Range: 1-1023

log

Description: Log a message

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

over-limit-action

Description: Set action when the limit is exceeded

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

request-limit

Description: Request limit (Specify request limit)

Type: number

Range: 1-1048575

request-per

Description: Per (Specify interval in number of 100ms)

Type: number

Range: 1-65535

request-rate-limit

Description: Request rate limit (Specify request rate limit)

Type: number

Range: 1-4294967295

response-code-rate-limit

Description: response-code-rate-limit is a JSON List. Please see below for class-list.lid-list.response-code-rate-limit.

Type: List

user-tag

Description: Customized tag

Type: string

Format: string-rlx

uuid

Description: uuid of the object

Type: string

class-list.lid-list.dns64

Specification
Type object

disable

Description: Disable

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

exclusive-answer

Description: Exclusive Answer in DNS Response

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

prefix

Description: IPv6 prefix

Type: string

Format: ipv6-address-plen

class-list.lid-list.response-code-rate-limit

Specification
Type list
Block object keys

code-range-end

Description: server response code range end

Type: number

Range: 100-600

code-range-start

Description: server response code range start

Type: number

Range: 100-600

period

Description: seconds

Type: number

Range: 1-127

threshold

Description: Number of times the response code is received

Type: number

Range: 1-15

bw-list-id

Specification
Type list
Block object keys

action-interval

Description: Specify logging interval in minutes (default is 3)

Type: number

Range: 0-60

Default: 3

bw-list-action

Description: ‘drop’: drop the packet; ‘reset’: Send reset back;

Type: string

Supported Values: drop, reset

Mutual Exclusion: bw-list-action and service-group are mutually exclusive

fail

Description: Only log unsuccessful connections

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

id

Description: Specify id that maps to service group (The id number)

Type: number

Range: 0-31

logging-drp-rst

Description: Configure PBSLB logging

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

pbslb-interval

Description: Specify logging interval in minutes

Type: number

Range: 0-60

Default: 3

pbslb-logging

Description: Configure PBSLB logging

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

service-group

Description: Specify a service group (Specify the service group name)

Type: string

Format: string-rlx

Mutual Exclusion: service-group and bw-list-action are mutually exclusive

Reference Object: /axapi/v3/slb/service-group

sampling-enable

Specification
Type list
Block object keys

counters1

Description: ‘all’: all; ‘fwd-policy-dns-unresolved’: Forward-policy unresolved DNS queries; ‘fwd-policy-dns-outstanding’: Forward-policy current DNS outstanding requests; ‘fwd-policy-snat-fail’: Forward-policy source-nat translation failure; ‘fwd-policy-hits’: Number of forward-policy requests for this policy template; ‘fwd-policy-forward-to-internet’: Number of forward-policy requests forwarded to internet; ‘fwd-policy-forward-to-service-group’: Number of forward-policy requests forwarded to service group; ‘fwd-policy-policy-drop’: Number of forward-policy requests dropped; ‘fwd-policy-source-match-not-found’: Forward-policy requests without matching source rule; ‘exp_client_hello_not_found’: Expected Client HELLO requests not found;

Type: string

Supported Values: all, fwd-policy-dns-unresolved, fwd-policy-dns-outstanding, fwd-policy-snat-fail, fwd-policy-hits, fwd-policy-forward-to-internet, fwd-policy-forward-to-service-group, fwd-policy-policy-drop, fwd-policy-source-match-not-found, exp_client_hello_not_found
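
The following is an added example, not part of the A10 documentation: a Python lint that checks one policy Attributes object offline against the ranges, supported values and Mutual Exclusion pairs listed above, before it is sent to /axapi/v3/slb/template/policy/. The names lint_policy, RANGES, ACTIONS and MUTEX and the SAMPLE payload are assumptions made for illustration; the attribute keys are the ones documented on this page.

```python
# Added example: offline lint of a policy-template payload; it never contacts a device.
RANGES = {"interval": (1, 255), "over-limit-lockup": (1, 127), "timeout": (1, 127)}
ACTIONS = {"forward-to-internet", "forward-to-service-group", "drop"}
MUTEX = {  # the page's "Mutual Exclusion" pairs, keyed by the block they live in
    "bw-list-id": ("bw-list-action", "service-group"),
    "action-list": ("drop-message", "drop-redirect-url"),
    "source-list": ("match-any", "match-class-list"),
    "class-list": ("client-ip-l3-dest", "client-ip-l7-header"),
}

def _is_set(obj, key):
    return obj.get(key) not in (None, False, 0)  # present and not false/0

def _mutex(block, obj, where, out):
    a, b = MUTEX[block]
    if _is_set(obj, a) and _is_set(obj, b):
        out.append(f"{where}: {a} and {b} are mutually exclusive")

def lint_policy(policy):
    """Return a list of findings for one 'policy Attributes' object."""
    out = []
    if not policy.get("name"):
        out.append("name: required")
    for key, (lo, hi) in RANGES.items():
        if key in policy and not lo <= policy[key] <= hi:
            out.append(f"{key}: {policy[key]} outside {lo}-{hi}")
    for i, entry in enumerate(policy.get("bw-list-id", [])):
        _mutex("bw-list-id", entry, f"bw-list-id[{i}]", out)
        if not 0 <= entry.get("id", 0) <= 31:
            out.append(f"bw-list-id[{i}]: id outside 0-31")
    if "class-list" in policy:
        _mutex("class-list", policy["class-list"], "class-list", out)
    fwd = policy.get("forward-policy", {})
    for act in fwd.get("action-list", []):
        where = f"action {act.get('name')!r}"
        _mutex("action-list", act, where, out)
        if act.get("action1", "drop") not in ACTIONS:
            out.append(f"{where}: unsupported action1 {act['action1']!r}")
    for src in fwd.get("source-list", []):
        _mutex("source-list", src, f"source {src.get('name')!r}", out)
    for flt in fwd.get("filtering", []):
        # Not an error, but worth a reviewer's eye: the default is to drop.
        if flt.get("ssli-url-filtering") == "no-sni-allow":
            out.append("review: no-sni-allow admits connections with no SNI")
    return out

SAMPLE = {  # constructed payload for illustration, not taken from the page
    "name": "pbslb-edge", "timeout": 200,
    "bw-list-id": [{"id": 2, "service-group": "sg-web", "bw-list-action": "drop"}],
    "forward-policy": {
        "action-list": [{"name": "deny", "action1": "drop", "drop-message": "blocked",
                         "drop-redirect-url": "https://example.invalid/blocked"}],
        "filtering": [{"ssli-url-filtering": "no-sni-allow"}],
    },
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE):
        print(finding)
```

Running the lint in a change-review step catches conflicting attributes before the device rejects or silently resolves them, and surfaces the no-sni-allow setting for explicit sign-off.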

stats data

Counter                               Size   Description
fwd-policy-dns-unresolved             8      Forward-policy unresolved DNS queries
fwd-policy-hits                       8      Number of forward-policy requests for this policy template
fwd-policy-policy-drop                8      Number of forward-policy requests dropped
fwd-policy-forward-to-service-group   8      Number of forward-policy requests forwarded to service group
fwd-policy-forward-to-internet        8      Number of forward-policy requests forwarded to internet
fwd-policy-dns-outstanding            8      Forward-policy current DNS outstanding requests
fwd-policy-source-match-not-found     8      Forward-policy requests without matching source rule
fwd-policy-snat-fail                  8      Forward-policy source-nat translation failure
exp_client_hello_not_found            8      Expected Client HELLO requests not found