In a previous article, I highlighted a proof-of-concept where we fully automated the deployment of BIG-IP in AWS using the web interfaces of BIG-IP in conjunction with Ansible.  The goal of this article is to focus in more detail on the use of iControlREST within that project, in order to show how it can be extremely useful for automating various aspects of your ITOM workflows.

There are four main workflows we execute in order to configure BIG-IP in AWS and to deploy services.  This breakdown is provided below.

For now, we avoid the discussion about which configuration elements are part of the infrastructure deployment or the application deployment.  This is an important discussion, but one that can only take place after we understand how to provision the elements that will be a part of either workflow. 

For each of these workflows, we have provided the log output which shows REST calls and responses.  To gain from these examples, it is important to understand the following:

  • These iControlREST calls were scraped from an execution of the aws-deployments code where we captured log output. In that project, we have written a custom Ansible module called 'bigip_config' (see /library/bigip_config.py in the project directory on GitHub).  This module is used to provision config objects within TMOS using iControlREST.
  • In order to make it easier to use this 'bigip_config' Ansible module, we aimed to make it idempotent.  This means that we need only identify the resources we wish to create or update, and identify the state of the resource after our module is run.  We don't need to worry about whether the object exists when calling our module, or about the procedural set of calls that should be made in order to get it there.  An example might be: "create iApp service 'my_app' with parameters X, Y, and Z".  We don't care whether 'my_app' already exists.  In order to implement such behavior, the module internally does an HTTP GET against the resource or collection it is modifying. Subsequently, if the resource already exists, a PATCH call is made; otherwise a POST call is made.
  • In many cases in the code, we repeat a call until it returns successfully or returns the state we are expecting.  You can see this in the examples, where the same call seems to be made repeatedly. 
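
The GET-then-PATCH-or-POST decision and the repeat-until-success pattern from the last two points, as an added sketch that is not the project's bigip_config code. FakeBigIP, retry_until and ensure_present are hypothetical names, the device is a constructed in-memory stand-in so the block runs offline, and skipping the PATCH when nothing differs goes one step beyond what the module is described as doing.

```python
import time

FASTL4 = "mgmt/tm/ltm/profile/fastl4"  # collection path as it appears in the log output


class FakeBigIP:
    """Constructed in-memory stand-in for an iControlREST endpoint (not a real client)."""

    def __init__(self, boot_failures=0):
        self.boot_failures = boot_failures  # first N requests fail, like a device still booting
        self.collections = {FASTL4: {"fastL4": {"name": "fastL4", "looseClose": "disabled"}}}
        self.calls = []  # (method, path, body) for every request, including failed ones

    def request(self, method, path, body=None):
        self.calls.append((method, path, body))
        if self.boot_failures > 0:
            self.boot_failures -= 1
            raise ConnectionError("management plane not ready")
        if method == "GET":
            return {"items": list(self.collections.get(path, {}).values())}
        if method == "POST":
            items = self.collections.setdefault(path, {})
            if body["name"] in items:
                raise ValueError("409: object already exists")
            items[body["name"]] = dict(body)
            return items[body["name"]]
        if method == "PATCH":
            collection, _, name = path.rpartition("/")
            items = self.collections.get(collection, {})
            if name not in items:
                raise LookupError("404: object not found")
            items[name].update(body)
            return items[name]
        raise ValueError("unsupported method " + method)


def retry_until(call, attempts, delay, sleep=time.sleep):
    """Repeat call() until it succeeds; re-raise the last error after `attempts` tries."""
    for attempt in range(1, attempts + 1):
        try:
            return call()
        except ConnectionError:
            if attempt == attempts:
                raise
            sleep(delay)


def ensure_present(client, collection, name, desired):
    """Bring `name` in `collection` to `desired`; return (method_used, changed)."""
    items = client.request("GET", collection)["items"]
    current = next((i for i in items if i.get("name") == name), None)
    if current is None:
        # Object is absent: create it with the full desired body.
        client.request("POST", collection, dict(desired, name=name))
        return ("POST", True)
    # Object exists: send only the attributes that differ from the desired state.
    drift = {k: v for k, v in desired.items() if current.get(k) != v}
    if not drift:
        return (None, False)  # already in the desired state, so no write is issued
    client.request("PATCH", collection + "/" + name, drift)
    return ("PATCH", True)


if __name__ == "__main__":
    dev = FakeBigIP(boot_failures=2)
    # Wait for the device: the same GET is repeated until it first succeeds.
    retry_until(lambda: dev.request("GET", "mgmt/tm/sys/db"), attempts=5, delay=0)
    profile = {"looseClose": "enabled", "resetOnTimeout": "disabled",
               "looseInitialization": "enabled"}
    print(ensure_present(dev, FASTL4, "fastL4-route-friendly", profile))  # created
    print(ensure_present(dev, FASTL4, "fastL4-route-friendly", profile))  # unchanged
    for method, path, _ in dev.calls:
        print(method, path)
```

Run against the same desired state twice, the second call issues only the GET, which is what makes a repeated playbook run safe.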

Basic system configuration

  • The examples below show how we are configuring basic device settings with REST.
  • First, because BIG-IP was just started, we wait until the first iCR call, "GET mgmt/tm/sys/db", succeeds before we continue.
  • The final step of the workflow involves provisioning modules on BIG-IP. Note the 30-second wait between provisioning of AVR and ASM reflected in the timestamps.
2015-11-12 09:46:03 : Disabling Setup Utility in GUI
GET mgmt/tm/sys/db ""
2015-11-12 09:46:10 : Disabling Setup Utility in GUI
GET mgmt/tm/sys/db ""
2015-11-12 09:46:17 : Disabling Setup Utility in GUI
GET mgmt/tm/sys/db ""
Method GET mgmt/tm/sys/db returned: {"kind":"tm:sys:db:dbcollectionstate","selfLink":"https://localhost/mgmt/tm/sys/db?ver=11.6.0","items":[....<a whole bunch of database variables>...]}

2015-11-12 09:46:19 : Disabling Setup Utility in GUI
PATCH mgmt/tm/sys/db/setup.run?ver=11.6.0 {"value": "false"}
Method PATCH mgmt/tm/sys/db/setup.run?ver=11.6.0 returned: {"kind":"tm:sys:db:dbstate","name":"setup.run","fullPath":"setup.run","generation":62,"selfLink":"https://localhost/mgmt/tm/sys/db/setup.run?ver=11.6.0","defaultValue":"true","scfConfig":"false","value":"false","valueRange":"false true"}

2015-11-12 09:46:22 : Configuring NTP servers
PATCH mgmt/tm/sys/ntp {"timezone": "America/Los_Angeles", "servers": ["0.pool.ntp.org", "1.pool.ntp.org"]}
Method PATCH mgmt/tm/sys/ntp returned: {"kind":"tm:sys:ntp:ntpstate","selfLink":"https://localhost/mgmt/tm/sys/ntp?ver=11.6.0","servers":["0.pool.ntp.org","1.pool.ntp.org"],"timezone":"America/Los_Angeles","restrictReference":{"link":"https://localhost/mgmt/tm/sys/ntp/restrict?ver=11.6.0","isSubcollection":true}}

2015-11-12 09:46:25 : Configuring syslog logging destinations
PATCH mgmt/tm/sys/syslog {"include": "destination loghost { udp( 10.0.3.32 port (514));};"}
Method PATCH mgmt/tm/sys/syslog returned: {"kind":"tm:sys:syslog:syslogstate","selfLink":"https://localhost/mgmt/tm/sys/syslog?ver=11.6.0","authPrivFrom":"notice","authPrivTo":"emerg","consoleLog":"enabled","cronFrom":"warning","cronTo":"emerg","daemonFrom":"notice","daemonTo":"emerg","include":"destination loghost { udp( 10.0.3.32 port (514));};","isoDate":"disabled","kernFrom":"debug","kernTo":"emerg","local6From":"notice","local6To":"emerg","mailFrom":"notice","mailTo":"emerg","messagesFrom":"notice","messagesTo":"warning","userLogFrom":"notice","userLogTo":"emerg"}

2015-11-12 09:46:28 : Configuring HTTP mgmt access
PATCH mgmt/tm/sys/httpd {"allow": ["ALL"]}
Method PATCH mgmt/tm/sys/httpd returned: {"kind":"tm:sys:httpd:httpdstate","selfLink":"https://localhost/mgmt/tm/sys/httpd?ver=11.6.0","allow":["ALL"],"authName":"BIG-IP","authPamDashboardTimeout":"off","authPamIdleTimeout":1200,"authPamValidateIp":"on","fastcgiTimeout":300,"hostnameLookup":"off","logLevel":"warn","maxClients":10,"redirectHttpToHttps":"disabled","requestBodyMaxTimeout":0,"requestBodyMinRate":500,"requestBodyTimeout":60,"requestHeaderMaxTimeout":40,"requestHeaderMinRate":500,"requestHeaderTimeout":20,"sslCertfile":"/etc/httpd/conf/ssl.crt/server.crt","sslCertkeyfile":"/etc/httpd/conf/ssl.key/server.key","sslCiphersuite":"DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP","sslOcspDefaultResponder":"http://127.0.0.1","sslOcspEnable":"off","sslOcspOverrideResponder":"off","sslOcspResponderTimeout":300,"sslOcspResponseMaxAge":-1,"sslOcspResponseTimeSkew":300,"sslProtocol":"all -SSLv2 -SSLv3","sslVerifyClient":"no","sslVerifyDepth":10}

2015-11-12 09:46:31 : Configuring SSH mgmt access
PATCH mgmt/tm/sys/sshd {"allow": ["ALL"]}
Method PATCH mgmt/tm/sys/sshd returned: {"kind":"tm:sys:sshd:sshdstate","selfLink":"https://localhost/mgmt/tm/sys/sshd?ver=11.6.0","allow":["ALL"],"banner":"disabled","inactivityTimeout":0,"logLevel":"info","login":"enabled"}

2015-11-12 09:46:33 : Configuring SNMP access
PATCH mgmt/tm/sys/snmp {"allowedAddresses": ["172.16.0.0/16"]}
Method PATCH mgmt/tm/sys/snmp returned: {"kind":"tm:sys:snmp:snmpstate","selfLink":"https://localhost/mgmt/tm/sys/snmp?ver=11.6.0","agentAddresses":["tcp6:161","udp6:161"],"agentTrap":"enabled","allowedAddresses":["172.16.0.0/16"],"authTrap":"disabled","bigipTraps":"enabled","l2forwardVlan":"none","loadMax1":12,"loadMax15":12,"loadMax5":12,"sysContact":"Customer Name <admin@customer.com>","sysLocation":"Network Closet 1","sysServices":78,"trapCommunity":"public","trapSource":"none","communitiesReference":{"link":"https://localhost/mgmt/tm/sys/snmp/communities?ver=11.6.0","isSubcollection":true},"diskMonitors":[{"name":"root","partition":"Common","minspace":2000,"minspaceType":"size","path":"/"},{"name":"var","partition":"Common","minspace":10000,"minspaceType":"size","path":"/var"}],"processMonitors":[{"name":"bigd","partition":"Common","maxProcesses":"1","minProcesses":1,"process":"bigd"},{"name":"chmand","partition":"Common","maxProcesses":"1","minProcesses":1,"process":"chmand"},{"name":"httpd","partition":"Common","maxProcesses":"infinity","minProcesses":1,"process":"httpd"},{"name":"mcpd","partition":"Common","maxProcesses":"1","minProcesses":1,"process":"mcpd"},{"name":"sod","partition":"Common","maxProcesses":"1","minProcesses":1,"process":"sod"},{"name":"tmm","partition":"Common","maxProcesses":"infinity","minProcesses":1,"process":"tmm"}],"trapsReference":{"link":"https://localhost/mgmt/tm/sys/snmp/traps?ver=11.6.0","isSubcollection":true},"usersReference":{"link":"https://localhost/mgmt/tm/sys/snmp/users?ver=11.6.0","isSubcollection":true}}

2015-11-12 09:46:36 : Configuring FastL4 profiles ... fastL4-route-friendly
GET mgmt/tm/ltm/profile/fastl4 ""
Method GET mgmt/tm/ltm/profile/fastl4 returned: {"kind":"tm:ltm:profile:fastl4:fastl4collectionstate","selfLink":"https://localhost/mgmt/tm/ltm/profile/fastl4?ver=11.6.0","items":[{"kind":"tm:ltm:profile:fastl4:fastl4state","name":"fastL4","partition":"Common","fullPath":"/Common/fastL4","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/fastl4/~Common~fastL4?ver=11.6.0","clientTimeout":30,"explicitFlowMigration":"disabled","hardwareSynCookie":"enabled","idleTimeout":"300","ipTosToClient":"pass-through","ipTosToServer":"pass-through","keepAliveInterval":"disabled","lateBinding":"disabled","linkQosToClient":"pass-through","linkQosToServer":"pass-through","looseClose":"disabled","looseInitialization":"disabled","mssOverride":0,"priorityToClient":"pass-through","priorityToServer":"pass-through","pvaAcceleration":"full","pvaDynamicClientPackets":1,"pvaDynamicServerPackets":0,"pvaFlowAging":"enabled","pvaFlowEvict":"enabled","pvaOffloadDynamic":"enabled","pvaOffloadState":"embryonic","reassembleFragments":"disabled","receiveWindowSize":0,"resetOnTimeout":"enabled","rttFromClient":"disabled","rttFromServer":"disabled","serverSack":"disabled","serverTimestamp":"disabled","softwareSynCookie":"disabled","synCookieWhitelist":"disabled","tcpCloseTimeout":"5","tcpGenerateIsn":"disabled","tcpHandshakeTimeout":"5","tcpStripSack":"disabled","tcpTimestampMode":"preserve","tcpWscaleMode":"preserve","timeoutRecovery":"disconnect"}]}

2015-11-12 09:46:37 : Configuring FastL4 profiles ... fastL4-route-friendly
POST mgmt/tm/ltm/profile/fastl4 {"looseClose": "enabled", "resetOnTimeout": "disabled", "name": "fastL4-route-friendly", "looseInitialization": "enabled"}
Method POST mgmt/tm/ltm/profile/fastl4 returned: {"kind":"tm:ltm:profile:fastl4:fastl4state","name":"fastL4-route-friendly","fullPath":"fastL4-route-friendly","generation":68,"selfLink":"https://localhost/mgmt/tm/ltm/profile/fastl4/fastL4-route-friendly?ver=11.6.0","clientTimeout":30,"defaultsFrom":"/Common/fastL4","explicitFlowMigration":"disabled","hardwareSynCookie":"enabled","idleTimeout":"300","ipTosToClient":"pass-through","ipTosToServer":"pass-through","keepAliveInterval":"disabled","lateBinding":"disabled","linkQosToClient":"pass-through","linkQosToServer":"pass-through","looseClose":"enabled","looseInitialization":"enabled","mssOverride":0,"priorityToClient":"pass-through","priorityToServer":"pass-through","pvaAcceleration":"full","pvaDynamicClientPackets":1,"pvaDynamicServerPackets":0,"pvaFlowAging":"enabled","pvaFlowEvict":"enabled","pvaOffloadDynamic":"enabled","pvaOffloadState":"embryonic","reassembleFragments":"disabled","receiveWindowSize":0,"resetOnTimeout":"disabled","rttFromClient":"disabled","rttFromServer":"disabled","serverSack":"disabled","serverTimestamp":"disabled","softwareSynCookie":"disabled","synCookieWhitelist":"disabled","tcpCloseTimeout":"5","tcpGenerateIsn":"disabled","tcpHandshakeTimeout":"5","tcpStripSack":"disabled","tcpTimestampMode":"preserve","tcpWscaleMode":"preserve","timeoutRecovery":"disconnect"}

2015-11-12 09:46:39 : Configuring TCP profiles ... ssl-wan-optimized
GET mgmt/tm/ltm/profile/tcp ""
Method GET mgmt/tm/ltm/profile/tcp returned: {"kind":"tm:ltm:profile:tcp:tcpcollectionstate","selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp?ver=11.6.0","items":[{"kind":"tm:ltm:profile:tcp:tcpstate","name":"mptcp-mobile-optimized","partition":"Common","fullPath":"/Common/mptcp-mobile-optimized","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~mptcp-mobile-optimized?ver=11.6.0","abc":"disabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"illinois","defaultsFrom":"/Common/tcp","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"disabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"enabled","finWaitTimeout":5,"hardwareSynCookie":"disabled","idleTimeout":300,"initCwnd":16,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"enabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"enabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":131072,"proxyBufferLow":131072,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"enabled","receiveWindowSize":131072,"resetOnTimeout":"disabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":262144,"slowStart":"enabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"tcp","partition":"Common","fullPath":"/Common/tcp","generation":1,"selfLink":"https://localhos
t/mgmt/tm/ltm/profile/tcp/~Common~tcp?ver=11.6.0","abc":"enabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"enabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":300,"initCwnd":0,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"disabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":49152,"proxyBufferLow":32768,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":65535,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":65535,"slowStart":"enabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"tcp-lan-optimized","partition":"Common","fullPath":"/Common/tcp-lan-optimized","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~tcp-lan-optimized?ver=11.6.0","abc":"enabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"enabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitT
imeout":5,"hardwareSynCookie":"enabled","idleTimeout":300,"initCwnd":0,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"disabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":131072,"proxyBufferLow":98304,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":65535,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":65535,"slowStart":"disabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"tcp-legacy","partition":"Common","fullPath":"/Common/tcp-legacy","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~tcp-legacy?ver=11.6.0","abc":"enabled","ackOnPush":"disabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"enabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":300,"initCwnd":0,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"di
sabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"disabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":16384,"proxyBufferLow":4096,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":32768,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":32768,"slowStart":"enabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"tcp-mobile-optimized","partition":"Common","fullPath":"/Common/tcp-mobile-optimized","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~tcp-mobile-optimized?ver=11.6.0","abc":"disabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"disabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"enabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":300,"initCwnd":16,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"enabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferH
igh":131072,"proxyBufferLow":131072,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":131072,"resetOnTimeout":"disabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":131072,"slowStart":"enabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"tcp-wan-optimized","partition":"Common","fullPath":"/Common/tcp-wan-optimized","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~tcp-wan-optimized?ver=11.6.0","abc":"enabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"enabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":300,"initCwnd":0,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"enabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":131072,"proxyBufferLow":131072,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":65535,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":65535,"slowStart":"enabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,
"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"wam-tcp-lan-optimized","partition":"Common","fullPath":"/Common/wam-tcp-lan-optimized","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~wam-tcp-lan-optimized?ver=11.6.0","abc":"enabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp-lan-optimized","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"enabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":300,"initCwnd":16,"initRwnd":16,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"disabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":131072,"proxyBufferLow":98304,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":65535,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":65535,"slowStart":"enabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"wam-tcp-wan-optimized","partition":"Common","fullPath":"/Common/wam-tcp-wan-optimized","generat
ion":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~wam-tcp-wan-optimized?ver=11.6.0","abc":"enabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp-wan-optimized","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"disabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":600,"initCwnd":10,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"enabled","pktLossIgnoreBurst":8,"pktLossIgnoreRate":10000,"proxyBufferHigh":196608,"proxyBufferLow":131072,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":65535,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"enabled","sendBufferSize":458752,"slowStart":"enabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":300000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"wom-tcp-lan-optimized","partition":"Common","fullPath":"/Common/wom-tcp-lan-optimized","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~wom-tcp-lan-optimized?ver=11.6.0","abc":"enabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"disabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp-lan-optimized","deferredAccept":"disabled"
,"delayWindowControl":"disabled","delayedAcks":"disabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":600,"initCwnd":0,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"enabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":131072,"proxyBufferLow":98304,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":65535,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":65535,"slowStart":"disabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"wom-tcp-wan-optimized","partition":"Common","fullPath":"/Common/wom-tcp-wan-optimized","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~wom-tcp-wan-optimized?ver=11.6.0","abc":"enabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp-wan-optimized","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"disabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":600,"initCwnd":0,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosT
oClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"enabled","pktLossIgnoreBurst":8,"pktLossIgnoreRate":10000,"proxyBufferHigh":196608,"proxyBufferLow":131072,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":458752,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"enabled","sendBufferSize":458752,"slowStart":"disabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":300000}]}

2015-11-12 09:46:39 : Configuring TCP profiles ... ssl-wan-optimized
POST mgmt/tm/ltm/profile/tcp {"ackOnPush": "disabled", "nagle": "disabled", "delayedAcks": "disabled", "name": "tcp-ssl-wan-optimized", "defaultsFrom": "/Common/tcp-wan-optimized"}
Method POST mgmt/tm/ltm/profile/tcp returned: {"kind":"tm:ltm:profile:tcp:tcpstate","name":"tcp-ssl-wan-optimized","fullPath":"tcp-ssl-wan-optimized","generation":69,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/tcp-ssl-wan-optimized?ver=11.6.0","abc":"enabled","ackOnPush":"disabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp-wan-optimized","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"disabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":300,"initCwnd":0,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"disabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":131072,"proxyBufferLow":131072,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":65535,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":65535,"slowStart":"enabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000}

2015-11-12 09:46:41 : Configuring TCP profiles ... ssl-lan-optimized
GET mgmt/tm/ltm/profile/tcp ""
Method GET mgmt/tm/ltm/profile/tcp returned: {"kind":"tm:ltm:profile:tcp:tcpcollectionstate","selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp?ver=11.6.0","items":[{"kind":"tm:ltm:profile:tcp:tcpstate","name":"mptcp-mobile-optimized","partition":"Common","fullPath":"/Common/mptcp-mobile-optimized","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~mptcp-mobile-optimized?ver=11.6.0","abc":"disabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"illinois","defaultsFrom":"/Common/tcp","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"disabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"enabled","finWaitTimeout":5,"hardwareSynCookie":"disabled","idleTimeout":300,"initCwnd":16,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"enabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"enabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":131072,"proxyBufferLow":131072,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"enabled","receiveWindowSize":131072,"resetOnTimeout":"disabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":262144,"slowStart":"enabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"tcp","partition":"Common","fullPath":"/Common/tcp","generation":1,"selfLink":"https://localhos
t/mgmt/tm/ltm/profile/tcp/~Common~tcp?ver=11.6.0","abc":"enabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"enabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":300,"initCwnd":0,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"disabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":49152,"proxyBufferLow":32768,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":65535,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":65535,"slowStart":"enabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"tcp-lan-optimized","partition":"Common","fullPath":"/Common/tcp-lan-optimized","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~tcp-lan-optimized?ver=11.6.0","abc":"enabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"enabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitT
imeout":5,"hardwareSynCookie":"enabled","idleTimeout":300,"initCwnd":0,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"disabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":131072,"proxyBufferLow":98304,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":65535,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":65535,"slowStart":"disabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"tcp-legacy","partition":"Common","fullPath":"/Common/tcp-legacy","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~tcp-legacy?ver=11.6.0","abc":"enabled","ackOnPush":"disabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"enabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":300,"initCwnd":0,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"di
sabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"disabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":16384,"proxyBufferLow":4096,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":32768,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":32768,"slowStart":"enabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"tcp-mobile-optimized","partition":"Common","fullPath":"/Common/tcp-mobile-optimized","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~tcp-mobile-optimized?ver=11.6.0","abc":"disabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"disabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"enabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":300,"initCwnd":16,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"enabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferH
igh":131072,"proxyBufferLow":131072,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":131072,"resetOnTimeout":"disabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":131072,"slowStart":"enabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"tcp-ssl-wan-optimized","partition":"Common","fullPath":"/Common/tcp-ssl-wan-optimized","generation":69,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~tcp-ssl-wan-optimized?ver=11.6.0","abc":"enabled","ackOnPush":"disabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp-wan-optimized","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"disabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":300,"initCwnd":0,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"disabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":131072,"proxyBufferLow":131072,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":65535,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":65535,"slowStart":"enabled","synCookieWhitelist":"disabled","sy
nMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"tcp-wan-optimized","partition":"Common","fullPath":"/Common/tcp-wan-optimized","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~tcp-wan-optimized?ver=11.6.0","abc":"enabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"enabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":300,"initCwnd":0,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"enabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":131072,"proxyBufferLow":131072,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":65535,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":65535,"slowStart":"enabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"wam-tcp-lan-optimized","partition":"Common","fullPath":"/Common/wam-tcp-lan-optimized","gener
ation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~wam-tcp-lan-optimized?ver=11.6.0","abc":"enabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp-lan-optimized","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"enabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":300,"initCwnd":16,"initRwnd":16,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"disabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":131072,"proxyBufferLow":98304,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":65535,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":65535,"slowStart":"enabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"wam-tcp-wan-optimized","partition":"Common","fullPath":"/Common/wam-tcp-wan-optimized","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~wam-tcp-wan-optimized?ver=11.6.0","abc":"enabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp-wan-optimized","deferredAccept":"disabled","de
layWindowControl":"disabled","delayedAcks":"disabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":600,"initCwnd":10,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"enabled","pktLossIgnoreBurst":8,"pktLossIgnoreRate":10000,"proxyBufferHigh":196608,"proxyBufferLow":131072,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":65535,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"enabled","sendBufferSize":458752,"slowStart":"enabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":300000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"wom-tcp-lan-optimized","partition":"Common","fullPath":"/Common/wom-tcp-lan-optimized","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~wom-tcp-lan-optimized?ver=11.6.0","abc":"enabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"disabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp-lan-optimized","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"disabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":600,"initCwnd":0,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQ
osToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"enabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":131072,"proxyBufferLow":98304,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":65535,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":65535,"slowStart":"disabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000},{"kind":"tm:ltm:profile:tcp:tcpstate","name":"wom-tcp-wan-optimized","partition":"Common","fullPath":"/Common/wom-tcp-wan-optimized","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/~Common~wom-tcp-wan-optimized?ver=11.6.0","abc":"enabled","ackOnPush":"enabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp-wan-optimized","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"disabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":600,"initCwnd":0,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbre
ak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"enabled","pktLossIgnoreBurst":8,"pktLossIgnoreRate":10000,"proxyBufferHigh":196608,"proxyBufferLow":131072,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":458752,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"enabled","sendBufferSize":458752,"slowStart":"disabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":300000}]}

2015-11-12 09:46:42 : Configuring TCP profiles ... ssl-lan-optimized
POST mgmt/tm/ltm/profile/tcp {"ackOnPush": "disabled", "nagle": "disabled", "delayedAcks": "disabled", "name": "tcp-ssl-lan-optimized", "defaultsFrom": "/Common/tcp-lan-optimized"}
Method POST mgmt/tm/ltm/profile/tcp returned: {"kind":"tm:ltm:profile:tcp:tcpstate","name":"tcp-ssl-lan-optimized","fullPath":"tcp-ssl-lan-optimized","generation":70,"selfLink":"https://localhost/mgmt/tm/ltm/profile/tcp/tcp-ssl-lan-optimized?ver=11.6.0","abc":"enabled","ackOnPush":"disabled","closeWaitTimeout":5,"cmetricsCache":"enabled","congestionControl":"high-speed","defaultsFrom":"/Common/tcp-lan-optimized","deferredAccept":"disabled","delayWindowControl":"disabled","delayedAcks":"disabled","dsack":"disabled","earlyRetransmit":"disabled","ecn":"disabled","finWaitTimeout":5,"hardwareSynCookie":"enabled","idleTimeout":300,"initCwnd":0,"initRwnd":0,"ipTosToClient":"0","keepAliveInterval":1800,"limitedTransmit":"enabled","linkQosToClient":"0","maxRetrans":8,"maxSegmentSize":1460,"md5Signature":"disabled","minimumRto":0,"mptcp":"disabled","mptcpCsum":"disabled","mptcpCsumVerify":"disabled","mptcpDebug":"disabled","mptcpFallback":"reset","mptcpFastjoin":"disabled","mptcpIdleTimeout":300,"mptcpJoinMax":5,"mptcpMakeafterbreak":"disabled","mptcpNojoindssack":"disabled","mptcpRtomax":5,"mptcpRxmitmin":1000,"mptcpSubflowmax":6,"mptcpTimeout":3600,"nagle":"disabled","pktLossIgnoreBurst":0,"pktLossIgnoreRate":0,"proxyBufferHigh":131072,"proxyBufferLow":98304,"proxyMss":"disabled","proxyOptions":"disabled","ratePace":"disabled","receiveWindowSize":65535,"resetOnTimeout":"enabled","selectiveAcks":"enabled","selectiveNack":"disabled","sendBufferSize":65535,"slowStart":"disabled","synCookieWhitelist":"disabled","synMaxRetrans":3,"synRtoBase":0,"tailLossProbe":"disabled","timeWaitRecycle":"enabled","timeWaitTimeout":2000,"timestamps":"enabled","verifiedAccept":"disabled","zeroWindowTimeout":20000}

2015-11-12 09:46:44 : 
PATCH mgmt/tm/sys/provision/asm {"level": "nominal"}
Method PATCH mgmt/tm/sys/provision/asm returned: {"kind":"tm:sys:provision:provisionstate","name":"asm","fullPath":"asm","generation":71,"selfLink":"https://localhost/mgmt/tm/sys/provision/asm?ver=11.6.0","cpuRatio":0,"diskRatio":0,"level":"nominal","memoryRatio":0}

2015-11-12 09:47:18 : 
PATCH mgmt/tm/sys/provision/avr {"level": "nominal"}
Method PATCH mgmt/tm/sys/provision/avr returned: {"kind":"tm:sys:provision:provisionstate","name":"avr","fullPath":"avr","generation":114,"selfLink":"https://localhost/mgmt/tm/sys/provision/avr?ver=11.6.0","cpuRatio":0,"diskRatio":0,"level":"nominal","memoryRatio":0}

AWS-specific System Configuration

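  • This next workflow is very small and simple. We are adding some variables to global-settings that are needed only because BIG-IP is running in AWS.
  • We've obfuscated the AWS Access Key and Secret Key in the output. Note that the PATCH response echoes both values back, so a raw capture of this call contains each credential twice.
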
2015-11-12 09:48:12 : Adding/updating AWS access and secret keys
PATCH mgmt/tm/sys/global-settings {"awsAccessKey": "...<my access key>...", "awsSecretKey": "...<my secret key>..."}
Method PATCH mgmt/tm/sys/global-settings returned: {"kind":"tm:sys:global-settings:global-settingsstate","selfLink":"https://localhost/mgmt/tm/sys/global-settings?ver=11.6.0","awsAccessKey":"...<my access key>...","awsApiMaxConcurrency":1,"awsSecretKey":"...<my secret key>...","consoleInactivityTimeout":0,"customAddr":"none","failsafeAction":"go-offline-restart-tm","fileLocalPathPrefix":"{/shared/} {/tmp/}","guiSecurityBanner":"enabled","guiSecurityBannerText":"Welcome to the BIG-IP Configuration Utility.\n\nLog in with your username and password using the fields on the left.","guiSetup":"disabled","hostAddrMode":"management","hostname":"ip-172-16-11-77.ec2.internal","lcdDisplay":"enabled","mgmtDhcp":"enabled","netReboot":"disabled","passwordPrompt":"Password","quietBoot":"enabled","usernamePrompt":"Username"}
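
The keys above were obfuscated by hand; the same masking can be applied when the log is written. The following is an added example, not code from the aws-deployments project: a redactor for log lines in the format shown above. The function names, the key list beyond awsAccessKey/awsSecretKey, and the sample values are assumptions constructed for illustration.

```python
import json
import re

# Keys masked wherever they appear. The first two are the fields in the
# global-settings call above; the last two are assumed additions.
SENSITIVE_KEYS = {"awsaccesskey", "awssecretkey", "password", "passphrase"}
MASK = "***REDACTED***"

# The two call shapes in the captured log:
#   PATCH mgmt/tm/sys/global-settings {...}
#   Method PATCH mgmt/tm/sys/global-settings returned: {...}
CALL_RE = re.compile(
    r"^(?P<prefix>(?:Method )?(?:GET|POST|PATCH|PUT|DELETE) \S+(?: returned:)? )"
    r"(?P<body>.*)$",
    re.S,
)

# Fallback for text that is not valid JSON (wrapped or truncated lines):
# "key": "string value", where the closing quote may be missing.
PAIR_RE = re.compile(r'("(?P<key>[^"\\]+)"\s*:\s*)"(?:[^"\\]|\\.?)*(?:"|$)')


def scrub(value):
    """Recursively mask sensitive keys in a decoded JSON value."""
    if isinstance(value, dict):
        return {k: MASK if k.lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value


def scrub_text(text):
    """Mask sensitive string values by pattern when the text cannot be parsed."""
    def repl(match):
        if match.group("key").lower() in SENSITIVE_KEYS:
            return match.group(1) + '"' + MASK + '"'
        return match.group(0)
    return PAIR_RE.sub(repl, text)


def redact_line(line):
    """Redact one log line; request and response bodies are both covered."""
    match = CALL_RE.match(line)
    if not match:
        # Timestamps pass through unchanged; wrapped continuation lines
        # still get the pattern-based scrub.
        return scrub_text(line)
    prefix, body = match.group("prefix"), match.group("body")
    try:
        return prefix + json.dumps(scrub(json.loads(body)))
    except ValueError:
        return prefix + scrub_text(body)


def redact_log(text):
    return "\n".join(redact_line(line) for line in text.splitlines())


# Constructed sample in the page's log format. The key values are placeholders
# and the last line is deliberately truncated mid-value.
SAMPLE_LOG = """\
2015-11-12 09:48:12 : Adding/updating AWS access and secret keys
PATCH mgmt/tm/sys/global-settings {"awsAccessKey": "CONSTRUCTED-ACCESS-KEY", "awsSecretKey": "CONSTRUCTED-SECRET-KEY"}
Method PATCH mgmt/tm/sys/global-settings returned: {"kind":"tm:sys:global-settings:global-settingsstate","awsAccessKey":"CONSTRUCTED-ACCESS-KEY","awsSecretKey":"CONSTRUCTED-SECRET-KEY","passwordPrompt":"Password"}
Method PATCH mgmt/tm/sys/global-settings returned: {"kind":"tm:sys:global-settings:global-settingsstate","awsSecretKey":"CONSTRUCTED-SEC
"""

if __name__ == "__main__":
    print(redact_log(SAMPLE_LOG))
```

Matching on exact key names leaves fields such as passwordPrompt readable, and the fallback keeps a truncated response line from leaking a partial secret.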

Network Attachment

  • Setup of self-IPs, VLANs, and other network-specific configuration is relatively straightforward.

2015-11-12 09:48:15 : Disabling dhcp
PATCH mgmt/tm/sys/db/dhclient.mgmt {"value": "disable"}
Method PATCH mgmt/tm/sys/db/dhclient.mgmt returned: {"kind":"tm:sys:db:dbstate","name":"dhclient.mgmt","fullPath":"dhclient.mgmt","generation":154,"selfLink":"https://localhost/mgmt/tm/sys/db/dhclient.mgmt?ver=11.6.0","defaultValue":"disable","scfConfig":"true","value":"disable","valueRange":"disable enable"}

2015-11-12 09:48:18 : Adding/updating internal vlan
GET mgmt/tm/net/vlan ""
Method GET mgmt/tm/net/vlan returned: {"kind":"tm:net:vlan:vlancollectionstate","selfLink":"https://localhost/mgmt/tm/net/vlan?ver=11.6.0"}

2015-11-12 09:48:19 : Adding/updating internal vlan
POST mgmt/tm/net/vlan {"interfaces": "1.2", "name": "private"}
Method POST mgmt/tm/net/vlan returned: {"kind":"tm:net:vlan:vlanstate","name":"private","fullPath":"private","generation":167,"selfLink":"https://localhost/mgmt/tm/net/vlan/private?ver=11.6.0","autoLasthop":"default","cmpHash":"default","dagRoundRobin":"disabled","dagTunnel":"outer","failsafe":"disabled","failsafeAction":"failover-restart-tm","failsafeTimeout":90,"ifIndex":80,"learning":"enable-forward","mtu":1500,"sflow":{"pollInterval":0,"pollIntervalGlobal":"yes","samplingRate":0,"samplingRateGlobal":"yes"},"sourceChecking":"disabled","tag":4094,"interfacesReference":{"link":"https://localhost/mgmt/tm/net/vlan/~Common~private/interfaces?ver=11.6.0","isSubcollection":true}}

2015-11-12 09:48:21 : Adding/updating external vlan
GET mgmt/tm/net/vlan ""
Method GET mgmt/tm/net/vlan returned: {"kind":"tm:net:vlan:vlancollectionstate","selfLink":"https://localhost/mgmt/tm/net/vlan?ver=11.6.0","items":[{"kind":"tm:net:vlan:vlanstate","name":"private","partition":"Common","fullPath":"/Common/private","generation":167,"selfLink":"https://localhost/mgmt/tm/net/vlan/~Common~private?ver=11.6.0","autoLasthop":"default","cmpHash":"default","dagRoundRobin":"disabled","dagTunnel":"outer","failsafe":"disabled","failsafeAction":"failover-restart-tm","failsafeTimeout":90,"ifIndex":80,"learning":"enable-forward","mtu":1500,"sflow":{"pollInterval":0,"pollIntervalGlobal":"yes","samplingRate":0,"samplingRateGlobal":"yes"},"sourceChecking":"disabled","tag":4094,"interfacesReference":{"link":"https://localhost/mgmt/tm/net/vlan/~Common~private/interfaces?ver=11.6.0","isSubcollection":true}}]}

2015-11-12 09:48:22 : Adding/updating external vlan
POST mgmt/tm/net/vlan {"interfaces": "1.1", "name": "public"}
Method POST mgmt/tm/net/vlan returned: {"kind":"tm:net:vlan:vlanstate","name":"public","fullPath":"public","generation":172,"selfLink":"https://localhost/mgmt/tm/net/vlan/public?ver=11.6.0","autoLasthop":"default","cmpHash":"default","dagRoundRobin":"disabled","dagTunnel":"outer","failsafe":"disabled","failsafeAction":"failover-restart-tm","failsafeTimeout":90,"ifIndex":96,"learning":"enable-forward","mtu":1500,"sflow":{"pollInterval":0,"pollIntervalGlobal":"yes","samplingRate":0,"samplingRateGlobal":"yes"},"sourceChecking":"disabled","tag":4093,"interfacesReference":{"link":"https://localhost/mgmt/tm/net/vlan/~Common~public/interfaces?ver=11.6.0","isSubcollection":true}}

2015-11-12 09:48:24 : Adding/updating internal selfip
GET mgmt/tm/net/self ""
Method GET mgmt/tm/net/self returned: {"kind":"tm:net:self:selfcollectionstate","selfLink":"https://localhost/mgmt/tm/net/self?ver=11.6.0"}

2015-11-12 09:48:24 : Adding/updating internal selfip
POST mgmt/tm/net/self {"allowService": "default", "vlan": "private", "trafficGroup": "traffic-group-local-only", "name": "private", "address": "172.16.12.44/24"}
Method POST mgmt/tm/net/self returned: {"kind":"tm:net:self:selfstate","name":"private","fullPath":"private","generation":177,"selfLink":"https://localhost/mgmt/tm/net/self/private?ver=11.6.0","address":"172.16.12.44/24","floating":"disabled","inheritedTrafficGroup":"false","trafficGroup":"/Common/traffic-group-local-only","unit":0,"vlan":"/Common/private","allowService":["default"]}

2015-11-12 09:48:26 : Adding/updating external selfip
GET mgmt/tm/net/self ""
Method GET mgmt/tm/net/self returned: {"kind":"tm:net:self:selfcollectionstate","selfLink":"https://localhost/mgmt/tm/net/self?ver=11.6.0","items":[{"kind":"tm:net:self:selfstate","name":"private","partition":"Common","fullPath":"/Common/private","generation":177,"selfLink":"https://localhost/mgmt/tm/net/self/~Common~private?ver=11.6.0","address":"172.16.12.44/24","floating":"disabled","inheritedTrafficGroup":"false","trafficGroup":"/Common/traffic-group-local-only","unit":0,"vlan":"/Common/private","allowService":["default"]}]}

2015-11-12 09:48:27 : Adding/updating external selfip
POST mgmt/tm/net/self {"allowService": ["tcp:4353"], "vlan": "public", "trafficGroup": "traffic-group-local-only", "name": "public", "address": "172.16.13.83/24"}
Method POST mgmt/tm/net/self returned: {"kind":"tm:net:self:selfstate","name":"public","fullPath":"public","generation":178,"selfLink":"https://localhost/mgmt/tm/net/self/public?ver=11.6.0","address":"172.16.13.83/24","floating":"disabled","inheritedTrafficGroup":"false","trafficGroup":"/Common/traffic-group-local-only","unit":0,"vlan":"/Common/public","allowService":["tcp:4353"]}

2015-11-12 09:48:29 : Setting default route using default_gateway or gateway_pool
GET /mgmt/tm/net/route ""
Method GET /mgmt/tm/net/route returned: {"kind":"tm:net:route:routecollectionstate","selfLink":"https://localhost/mgmt/tm/net/route?ver=11.6.0"}

2015-11-12 09:48:29 : Setting default route using default_gateway or gateway_pool
POST /mgmt/tm/net/route {"gw": "172.16.13.1", "name": "default_route", "network": "default"}
Method POST /mgmt/tm/net/route returned: {"kind":"tm:net:route:routestate","name":"default_route","fullPath":"default_route","generation":0,"selfLink":"https://localhost/mgmt/tm/net/route/default_route?ver=11.6.0"}
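
The GET-then-POST pairs logged above all follow one rule: look the object up in its collection, then create it or update it. The following is an added example of that decision, not the project's bigip_config module, using trimmed copies of the self-IP responses above. The function names, the skip-when-unchanged step and the value normalisation are assumptions.

```python
def full_path(name, partition="Common"):
    """Partition-qualified form the collection reports, e.g. /Common/private."""
    return name if name.startswith("/") else "/%s/%s" % (partition, name)


def resource_path(collection, name, partition="Common"):
    """Per-object path in the ~Partition~name form used by selfLink."""
    return "%s/%s" % (collection.strip("/"),
                      full_path(name, partition).replace("/", "~"))


def find_existing(collection_response, name, partition="Common"):
    """Return the matching item, or None.

    An empty collection comes back with no "items" key at all, so the key
    must be treated as optional.
    """
    wanted = full_path(name, partition)
    for item in collection_response.get("items", []):
        item_path = item.get("fullPath") or item.get("name", "")
        if full_path(item_path, item.get("partition", partition)) == wanted:
            return item
    return None


def same_value(desired, current, partition="Common"):
    """Compare a requested value with the form BIG-IP echoes back.

    Assumed normalisation, based on the responses above: a scalar may come
    back as a one-element list ("default" -> ["default"]) and an object
    reference comes back partition-qualified ("private" -> "/Common/private").
    """
    if isinstance(current, list) and not isinstance(desired, list):
        desired = [desired]
    if isinstance(desired, str) and isinstance(current, str):
        return desired == current or full_path(desired, partition) == current
    return desired == current


def plan_call(collection, collection_response, desired, partition="Common"):
    """Return (method, path, body) for the next call, or None if in sync."""
    existing = find_existing(collection_response, desired["name"], partition)
    if existing is None:
        return ("POST", collection.strip("/"), desired)
    # Keys the response does not echo (e.g. subcollections) are always sent.
    changes = {
        key: value for key, value in desired.items()
        if key != "name"
        and (key not in existing
             or not same_value(value, existing[key], partition))
    }
    if not changes:
        return None
    return ("PATCH", resource_path(collection, desired["name"], partition),
            changes)


# Trimmed from the log above: the collection before and after 'private' exists.
EMPTY_SELF = {"kind": "tm:net:self:selfcollectionstate"}
POPULATED_SELF = {
    "kind": "tm:net:self:selfcollectionstate",
    "items": [{
        "name": "private", "partition": "Common",
        "fullPath": "/Common/private", "address": "172.16.12.44/24",
        "trafficGroup": "/Common/traffic-group-local-only",
        "vlan": "/Common/private", "allowService": ["default"],
    }],
}
DESIRED_PRIVATE = {
    "allowService": "default", "vlan": "private",
    "trafficGroup": "traffic-group-local-only",
    "name": "private", "address": "172.16.12.44/24",
}

if __name__ == "__main__":
    print(plan_call("mgmt/tm/net/self", EMPTY_SELF, DESIRED_PRIVATE))
    print(plan_call("mgmt/tm/net/self", POPULATED_SELF, DESIRED_PRIVATE))
```

Returning None when nothing differs means a repeated run changes nothing on the device, and any PATCH that is sent carries only the fields that drifted.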

Application Service Provisioning

This workflow is where things really get interesting.  Let's break it down.

  • We are deploying two sets of virtual servers (the pool members are the same, but the VIP is different). 
  • For virtual 1 (VIP = 172.16.13.128), we use an iApp to deploy an HTTPS virtual with an ASM policy. To do so, we:
    • Deploy all resources that are needed to support the iApp deployment:
      • A high-speed logging pool
      • An LTM logging profile (which will send logs to Splunk on port 514)
      • An ASM logging profile (which will send logs to Splunk on port 515)
      • An analytics profile, in case we want to inspect traffic with AVR on-box
      • Base64-encoded images to an iRule data-group
      • iRules to support a sorry page and the analytics profile
      • An ASM policy (we've encoded the XML policy file into base64). Deploying the ASM policy requires first making a new policy via a POST command, then importing the policy over the defaults for the one we have just created.
        • Note that we check the status of the asynchronous REST tasks which are started during the policy 'create' and 'apply' steps.
      • An LTM policy which attaches the ASM policy above using a ruleset. 
    • Deploy the iApp template (look here to understand how we built the JSON payload for the iApp template). 
    • Finally, deploy the iApp service, an instantiation of the template that references all the above content (look here to understand how we built the JSON payload for the iApp service). 
  • For virtual 2 (VIP = 172.16.13.124), just deploy the web server pool, iRule, and virtual server directly (without an iApp).

2015-11-12 09:49:13 : Deploying/updating Webserver Pool
GET mgmt/tm/ltm/pool ""
Method GET mgmt/tm/ltm/pool returned: {"kind":"tm:ltm:pool:poolcollectionstate","selfLink":"https://localhost/mgmt/tm/ltm/pool?ver=11.6.0"}

2015-11-12 09:49:14 : Deploying/updating Webserver Pool
POST mgmt/tm/ltm/pool {"name": "Vip1_pool", "members": [{"description": "Name=/boring_lovelace,ContainerHostname=a0085832ad28,Image=mutzel/all-in-one-hackazon:postinstall", "name": "172.16.14.87:80", "address": "172.16.14.87"}], "monitor": "http"}
Method POST mgmt/tm/ltm/pool returned: {"kind":"tm:ltm:pool:poolstate","name":"Vip1_pool","fullPath":"Vip1_pool","generation":236,"selfLink":"https://localhost/mgmt/tm/ltm/pool/Vip1_pool?ver=11.6.0","allowNat":"yes","allowSnat":"yes","ignorePersistedWeight":"disabled","ipTosToClient":"pass-through","ipTosToServer":"pass-through","linkQosToClient":"pass-through","linkQosToServer":"pass-through","loadBalancingMode":"round-robin","minActiveMembers":0,"minUpMembers":0,"minUpMembersAction":"failover","minUpMembersChecking":"disabled","monitor":"/Common/http ","queueDepthLimit":0,"queueOnConnectionLimit":"disabled","queueTimeLimit":0,"reselectTries":0,"serviceDownAction":"none","slowRampTime":10,"membersReference":{"link":"https://localhost/mgmt/tm/ltm/pool/~Common~Vip1_pool/members?ver=11.6.0","isSubcollection":true}}

2015-11-12 09:49:18 : Deploying/updating High Speed Logging pool to send to Analytics Server
GET mgmt/tm/ltm/pool ""
Method GET mgmt/tm/ltm/pool returned: {"kind":"tm:ltm:pool:poolcollectionstate","selfLink":"https://localhost/mgmt/tm/ltm/pool?ver=11.6.0","items":[{"kind":"tm:ltm:pool:poolstate","name":"Vip1_pool","partition":"Common","fullPath":"/Common/Vip1_pool","generation":236,"selfLink":"https://localhost/mgmt/tm/ltm/pool/~Common~Vip1_pool?ver=11.6.0","allowNat":"yes","allowSnat":"yes","ignorePersistedWeight":"disabled","ipTosToClient":"pass-through","ipTosToServer":"pass-through","linkQosToClient":"pass-through","linkQosToServer":"pass-through","loadBalancingMode":"round-robin","minActiveMembers":0,"minUpMembers":0,"minUpMembersAction":"failover","minUpMembersChecking":"disabled","monitor":"/Common/http ","queueDepthLimit":0,"queueOnConnectionLimit":"disabled","queueTimeLimit":0,"reselectTries":0,"serviceDownAction":"none","slowRampTime":10,"membersReference":{"link":"https://localhost/mgmt/tm/ltm/pool/~Common~Vip1_pool/members?ver=11.6.0","isSubcollection":true}}]}

2015-11-12 09:49:19 : Deploying/updating High Speed Logging pool to send to Analytics Server
POST mgmt/tm/ltm/pool {"name": "syslog_pool", "members": [{"name": "172.16.14.180:514", "address": "172.16.14.180"}], "monitor": "tcp"}
Method POST mgmt/tm/ltm/pool returned: {"kind":"tm:ltm:pool:poolstate","name":"syslog_pool","fullPath":"syslog_pool","generation":239,"selfLink":"https://localhost/mgmt/tm/ltm/pool/syslog_pool?ver=11.6.0","allowNat":"yes","allowSnat":"yes","ignorePersistedWeight":"disabled","ipTosToClient":"pass-through","ipTosToServer":"pass-through","linkQosToClient":"pass-through","linkQosToServer":"pass-through","loadBalancingMode":"round-robin","minActiveMembers":0,"minUpMembers":0,"minUpMembersAction":"failover","minUpMembersChecking":"disabled","monitor":"/Common/tcp ","queueDepthLimit":0,"queueOnConnectionLimit":"disabled","queueTimeLimit":0,"reselectTries":0,"serviceDownAction":"none","slowRampTime":10,"membersReference":{"link":"https://localhost/mgmt/tm/ltm/pool/~Common~syslog_pool/members?ver=11.6.0","isSubcollection":true}}

2015-11-12 09:49:21 : Deploying/updating ASM Logging Profile to send to Remote Analytics Server
GET mgmt/tm/security/log/profile ""
Method GET mgmt/tm/security/log/profile returned: {"kind":"tm:security:log:profile:profilecollectionstate","selfLink":"https://localhost/mgmt/tm/security/log/profile?ver=11.6.0","items":[{"kind":"tm:security:log:profile:profilestate","name":"\"/Common/Log all requests\"","fullPath":"\"/Common/Log all requests\"","generation":1,"selfLink":"https://localhost/mgmt/tm/security/log/profile/%22~Common~Log%20all%20requests%22?ver=11.6.0","description":"Default logging profile for all requests","applicationReference":{"link":"https://localhost/mgmt/tm/security/log/profile/%22~Common~Log%20all%20requests%22/application?ver=11.6.0","isSubcollection":true}},{"kind":"tm:security:log:profile:profilestate","name":"\"/Common/Log illegal requests\"","fullPath":"\"/Common/Log illegal requests\"","generation":1,"selfLink":"https://localhost/mgmt/tm/security/log/profile/%22~Common~Log%20illegal%20requests%22?ver=11.6.0","description":"Default logging profile for illegal requests","applicationReference":{"link":"https://localhost/mgmt/tm/security/log/profile/%22~Common~Log%20illegal%20requests%22/application?ver=11.6.0","isSubcollection":true}},{"kind":"tm:security:log:profile:profilestate","name":"global-network","partition":"Common","fullPath":"/Common/global-network","generation":1,"selfLink":"https://localhost/mgmt/tm/security/log/profile/~Common~global-network?ver=11.6.0","description":"Default logging profile for network events","applicationReference":{"link":"https://localhost/mgmt/tm/security/log/profile/~Common~global-network/application?ver=11.6.0","isSubcollection":true}},{"kind":"tm:security:log:profile:profilestate","name":"local-dos","partition":"Common","fullPath":"/Common/local-dos","generation":1,"selfLink":"https://localhost/mgmt/tm/security/log/profile/~Common~local-dos?ver=11.6.0","description":"Default logging profile for Application DoS attacks","applicationReference":{"link":"https://localhost/mgmt/tm/security/log/profile/~Common~local-dos/application?ver=11.6.0","isSubcollection":true},"dosApplication":[{"name":"local-dos","localPublisher":"/Common/local-db-publisher"}]}]}

2015-11-12 09:49:21 : Deploying/updating ASM Logging Profile to send to Remote Analytics Server
POST mgmt/tm/security/log/profile {"application": [{"guaranteeLogging": "enabled", "guaranteeResponseLogging": "disabled", "logicOperation": "or", "protocol": "tcp", "name": "asm_log_to_splunk", "format": {"fieldDelimiter": ",", "type": "predefined"}, "reportAnomalies": "disabled", "facility": "local0", "partition": "Common", "filter": [{"values": ["all"], "name": "protocol"}, {"values": ["all"], "name": "request-type"}, {"name": "search-all"}], "maximumHeaderSize": "any", "localStorage": "enabled", "maximumQuerySize": "any", "maximumEntryLength": "2k", "servers": [{"name": "172.16.14.180:515"}], "remoteStorage": "splunk", "maximumRequestSize": "any", "responseLogging": "none"}], "name": "asm_log_to_splunk"}
Method POST mgmt/tm/security/log/profile returned: {"kind":"tm:security:log:profile:profilestate","name":"asm_log_to_splunk","fullPath":"asm_log_to_splunk","generation":240,"selfLink":"https://localhost/mgmt/tm/security/log/profile/asm_log_to_splunk?ver=11.6.0","applicationReference":{"link":"https://localhost/mgmt/tm/security/log/profile/~Common~asm_log_to_splunk/application?ver=11.6.0","isSubcollection":true}}

2015-11-12 09:49:23 : Deploying/updating Analytics Profile
GET mgmt/tm/ltm/profile/analytics ""
Method GET mgmt/tm/ltm/profile/analytics returned: {"kind":"tm:ltm:profile:analytics:analyticscollectionstate","selfLink":"https://localhost/mgmt/tm/ltm/profile/analytics?ver=11.6.0","items":[{"kind":"tm:ltm:profile:analytics:analyticsstate","name":"analytics","partition":"Common","fullPath":"/Common/analytics","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/profile/analytics/~Common~analytics?ver=11.6.0","capturedTrafficExternalLogging":"disabled","capturedTrafficInternalLogging":"disabled","collectGeo":"disabled","collectIp":"disabled","collectMaxTpsAndThroughput":"disabled","collectMethods":"enabled","collectPageLoadTime":"disabled","collectResponseCodes":"enabled","collectSubnets":"disabled","collectUrl":"disabled","collectUserAgent":"disabled","collectUserSessions":"disabled","collectedStatsExternalLogging":"disabled","collectedStatsInternalLogging":"enabled","notificationByEmail":"disabled","notificationBySnmp":"disabled","notificationBySyslog":"disabled","publishIruleStatistics":"disabled","sampling":"enabled","sessionCookieSecurity":"ssl-only","sessionTimeoutMinutes":"5","alertsReference":{"link":"https://localhost/mgmt/tm/ltm/profile/analytics/~Common~analytics/alerts?ver=11.6.0","isSubcollection":true},"trafficCaptureReference":{"link":"https://localhost/mgmt/tm/ltm/profile/analytics/~Common~analytics/traffic-capture?ver=11.6.0","isSubcollection":true}}]}

2015-11-12 09:49:24 : Deploying/updating Analytics Profile
POST mgmt/tm/ltm/profile/analytics {"collectPageLoadTime": "enabled", "notificationBySnmp": "disabled", "defaultsFrom": "/Common/analytics", "capturedTrafficInternalLogging": "disabled", "collectResponseCodes": "enabled", "capturedTrafficExternalLogging": "disabled", "collectMethods": "enabled", "collectIp": "enabled", "collectGeo": "enabled", "sessionTimeoutMinutes": "5", "publishIruleStatistics": "disabled", "collectedStatsExternalLogging": "disabled", "notificationBySyslog": "disabled", "collectMaxTpsAndThroughput": "enabled", "sampling": "enabled", "collectUrl": "enabled", "name": "Vip1-demo_analytics", "collectSubnets": "enabled", "collectUserSessions": "enabled", "partition": "Common", "notificationByEmail": "disabled", "collectUserAgent": "enabled", "collectedStatsInternalLogging": "enabled", "sessionCookieSecurity": "ssl-only"}
Method POST mgmt/tm/ltm/profile/analytics returned: {"kind":"tm:ltm:profile:analytics:analyticsstate","name":"Vip1-demo_analytics","partition":"Common","fullPath":"/Common/Vip1-demo_analytics","generation":241,"selfLink":"https://localhost/mgmt/tm/ltm/profile/analytics/~Common~Vip1-demo_analytics?ver=11.6.0","capturedTrafficExternalLogging":"disabled","capturedTrafficInternalLogging":"disabled","collectGeo":"enabled","collectIp":"enabled","collectMaxTpsAndThroughput":"enabled","collectMethods":"enabled","collectPageLoadTime":"enabled","collectResponseCodes":"enabled","collectSubnets":"enabled","collectUrl":"enabled","collectUserAgent":"enabled","collectUserSessions":"enabled","collectedStatsExternalLogging":"disabled","collectedStatsInternalLogging":"enabled","defaultsFrom":"/Common/analytics","notificationByEmail":"disabled","notificationBySnmp":"disabled","notificationBySyslog":"disabled","publishIruleStatistics":"disabled","sampling":"enabled","sessionCookieSecurity":"ssl-only","sessionTimeoutMinutes":"5","alertsReference":{"link":"https://localhost/mgmt/tm/ltm/profile/analytics/~Common~Vip1-demo_analytics/alerts?ver=11.6.0","isSubcollection":true},"trafficCaptureReference":{"link":"https://localhost/mgmt/tm/ltm/profile/analytics/~Common~Vip1-demo_analytics/traffic-capture?ver=11.6.0","isSubcollection":true}}

2015-11-12 09:49:26 : Uploading Datagroup ... background for sorry page
GET mgmt/tm/ltm/data-group/internal ""
Method GET mgmt/tm/ltm/data-group/internal returned: {"kind":"tm:ltm:data-group:internal:internalcollectionstate","selfLink":"https://localhost/mgmt/tm/ltm/data-group/internal?ver=11.6.0","items":[{"kind":"tm:ltm:data-group:internal:internalstate","name":"aol","partition":"Common","fullPath":"/Common/aol","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/data-group/internal/~Common~aol?ver=11.6.0","type":"ip","records":[{"name":"64.12.96.0/19"},{"name":"195.93.16.0/20"},{"name":"195.93.48.0/22"},{"name":"195.93.64.0/19"},{"name":"195.93.96.0/19"},{"name":"198.81.0.0/22"},{"name":"198.81.8.0/23"},{"name":"198.81.16.0/20"},{"name":"202.67.65.128/25"},{"name":"205.188.112.0/20"},{"name":"205.188.146.144/30"},{"name":"205.188.192.0/20"},{"name":"205.188.208.0/23"},{"name":"207.200.112.0/21"}]},{"kind":"tm:ltm:data-group:internal:internalstate","name":"images","partition":"Common","fullPath":"/Common/images","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/data-group/internal/~Common~images?ver=11.6.0","type":"string","records":[{"name":".bmp"},{"name":".gif"},{"name":".jpg"}]},{"kind":"tm:ltm:data-group:internal:internalstate","name":"private_net","partition":"Common","fullPath":"/Common/private_net","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/data-group/internal/~Common~private_net?ver=11.6.0","type":"ip","records":[{"name":"10.0.0.0/8"},{"name":"172.16.0.0/12"},{"name":"192.168.0.0/16"}]}]}

2015-11-12 09:49:26 : Uploading Datagroup ... background for sorry page
POST mgmt/tm/ltm/data-group/internal {"records": [{"name": "...<base64 image>..."}], "type": "string", "name": "background_images"}
Method POST mgmt/tm/ltm/data-group/internal returned: {"kind":"tm:ltm:data-group:internal:internalstate","name":"background_images","fullPath":"background_images","generation":244,"selfLink":"https://localhost/mgmt/tm/ltm/data-group/internal/background_images?ver=11.6.0","type":"string","records":[{"name":"....large base64 image...."}]}

2015-11-12 09:49:29 : Uploading Datagroup ... image for sorry page
GET mgmt/tm/ltm/data-group/internal ""
Method GET mgmt/tm/ltm/data-group/internal returned: {"kind":"tm:ltm:data-group:internal:internalcollectionstate","selfLink":"https://localhost/mgmt/tm/ltm/data-group/internal?ver=11.6.0","items":[{"kind":"tm:ltm:data-group:internal:internalstate","name":"aol","partition":"Common","fullPath":"/Common/aol","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/data-group/internal/~Common~aol?ver=11.6.0","type":"ip","records":[{"name":"64.12.96.0/19"},{"name":"195.93.16.0/20"},{"name":"195.93.48.0/22"},{"name":"195.93.64.0/19"},{"name":"195.93.96.0/19"},{"name":"198.81.0.0/22"},{"name":"198.81.8.0/23"},{"name":"198.81.16.0/20"},{"name":"202.67.65.128/25"},{"name":"205.188.112.0/20"},{"name":"205.188.146.144/30"},{"name":"205.188.192.0/20"},{"name":"205.188.208.0/23"},{"name":"207.200.112.0/21"}]},{"kind":"tm:ltm:data-group:internal:internalstate","name":"background_images","partition":"Common","fullPath":"/Common/background_images","generation":244,"selfLink":"https://localhost/mgmt/tm/ltm/data-group/internal/~Common~background_images?ver=11.6.0","type":"string","records":[{"name":"...<base64 image>..."}]},{"kind":"tm:ltm:data-group:internal:internalstate","name":"images","partition":"Common","fullPath":"/Common/images","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/data-group/internal/~Common~images?ver=11.6.0","type":"string","records":[{"name":".bmp"},{"name":".gif"},{"name":".jpg"}]},{"kind":"tm:ltm:data-group:internal:internalstate","name":"private_net","partition":"Common","fullPath":"/Common/private_net","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/data-group/internal/~Common~private_net?ver=11.6.0","type":"ip","records":[{"name":"10.0.0.0/8"},{"name":"172.16.0.0/12"},{"name":"192.168.0.0/16"}]}]}

2015-11-12 09:49:30 : Uploading Datagroup ... image for sorry page
POST mgmt/tm/ltm/data-group/internal {"records": [{"name": "...<base64 image>..."}], "type": "string", "name": "sorry_images"}
Method POST mgmt/tm/ltm/data-group/internal returned: {"kind":"tm:ltm:data-group:internal:internalstate","name":"sorry_images","fullPath":"sorry_images","generation":245,"selfLink":"https://localhost/mgmt/tm/ltm/data-group/internal/sorry_images?ver=11.6.0","type":"string","records":[{"name":"....base 64 image...."}]}
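
The GET-then-POST pairs logged above all follow one decision: list the collection, look for the object, then create or update it. The sketch below is an added example, not the project's `bigip_config` module; `plan_call` and `resource_path` are hypothetical names, the listing is constructed and abridged from the data-group response above, and it goes one step beyond the logged behaviour by making no call when nothing differs. It matches on partition plus name, because the POST bodies above omit `partition` while the following GET reports the object under `/Common`.

```python
"""Decide between POST, PATCH and no call from a collection GET (added example)."""


def resource_path(item):
    """Relative path of an existing item: its selfLink minus host and ?ver= query."""
    link = item["selfLink"].split("?", 1)[0]
    return link[link.index("mgmt/"):]


def plan_call(collection, listing, desired, default_partition="Common"):
    """Return (method, path, body) needed to reach `desired`, or None if already there.

    Assumption: an object posted without a partition lands in `default_partition`,
    as the background_images entries in the log suggest.
    """
    want = (desired.get("partition", default_partition), desired["name"])
    for item in listing.get("items", []):
        have = (item.get("partition", default_partition), item.get("name"))
        if have != want:
            continue
        # Send only the fields that differ, so a re-run without drift changes nothing.
        diff = {key: value for key, value in desired.items()
                if key not in ("name", "partition") and item.get(key) != value}
        return ("PATCH", resource_path(item), diff) if diff else None
    return ("POST", collection, desired)


COLLECTION = "mgmt/tm/ltm/data-group/internal"

# Constructed sample: two items abridged from the collection GET logged above.
LISTING = {
    "items": [
        {"name": "images", "partition": "Common", "type": "string",
         "selfLink": "https://localhost/mgmt/tm/ltm/data-group/internal/~Common~images?ver=11.6.0",
         "records": [{"name": ".bmp"}, {"name": ".gif"}, {"name": ".jpg"}]},
        {"name": "background_images", "partition": "Common", "type": "string",
         "selfLink": "https://localhost/mgmt/tm/ltm/data-group/internal/~Common~background_images?ver=11.6.0",
         "records": [{"name": "CONSTRUCTED_BASE64"}]},
    ]
}

if __name__ == "__main__":
    new = {"name": "sorry_images", "type": "string", "records": [{"name": "CONSTRUCTED_BASE64"}]}
    print(plan_call(COLLECTION, LISTING, new))
```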

2015-11-12 09:49:32 : Uploading iRules ... sorry_page_rule
GET mgmt/tm/ltm/rule ""
Method GET mgmt/tm/ltm/rule returned: {"kind":"tm:ltm:rule:rulecollectionstate","selfLink":"https://localhost/mgmt/tm/ltm/rule?ver=11.6.0","items":[<a whole bunch of irules>]}

2015-11-12 09:49:33 : Uploading iRules ... sorry_page_rule
POST mgmt/tm/ltm/rule {"apiAnonymous": "when HTTP_REQUEST {\n  set VSPool [LB::server pool]\n  if { [active_members $VSPool] < 1 } {\n    log local0. \"Client [IP::client_addr] requested [HTTP::uri] no active nodes available...\"\n    if { [HTTP::uri] ends_with \"sorry.png\" } {\n      HTTP::respond 200 content [b64decode [class element -name 0 sorry_images]] \"Content-Type\" \"image/png\"\n    } else {\n      if { [HTTP::uri] ends_with \"background.png\" } {\n        HTTP::respond 200 content [b64decode [class element -name 0 background_images]] \"Content-Type\" \"image/png\"\n      } else {\n        HTTP::respond 200 content \"<!DOCTYPE HTML PUBLIC \\\"-//W3C//DTD XHTML 1.0 Transitional//EN\\\" \\\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\\\">\n<html xml:lang=\\\"en\\\" xmlns=\\\"http://www.w3.org/1999/xhtml\\\" lang=\\\"en\\\"><head>\n\n    <meta http-equiv=\\\"Content-Type\\\" content=\\\"text/html; charset=UTF-8\\\">\n    <title>Oouchhh!</title>\n\n\n<style type=\\\"text/css\\\">\nbody {\n    background: #f7f4f1 url(background.png) repeat top left;\n}\n\n#MainContent {\n    background: url(sorry.png) no-repeat top right;\n    height: 500px;\n    font-family: Verdana, Helvetica, Arial, sans;\n    font-size: 14px;\n    color: #625746;\n    position: absolute;\n    top: 100px;\n    left: 80px;\n    width: 800px;\n}\n\n#MainContent p {\n    width: 450px;\n}\n\na {\n    color:#60A2B9;\n}\na:hover {\n    text-decoration: none;\n}\n</style>\n</head><body>\n    <div id=\\\"MainContent\\\">\n        <p><strong>Ouchhhhh! Snap! Something went terribly wrong!!!</strong></p>\n        <p>In the mean while, go <a href=\\\"http://www.funnyordie.com\\\">here</a> to entertain yourself while we figure out what just happened :-)</p>\n\n        <p>Wish us luck!</p>\n    </div>\n</body></html>\"\n      }\n    }\n  }\n}", "name": "irule_sorry_page"}
Method POST mgmt/tm/ltm/rule returned: {"kind":"tm:ltm:rule:rulestate","name":"irule_sorry_page","fullPath":"irule_sorry_page","generation":246,"selfLink":"https://localhost/mgmt/tm/ltm/rule/irule_sorry_page?ver=11.6.0","apiAnonymous":"when HTTP_REQUEST {\n  set VSPool [LB::server pool]\n  if { [active_members $VSPool] < 1 } {\n    log local0. \"Client [IP::client_addr] requested [HTTP::uri] no active nodes available...\"\n    if { [HTTP::uri] ends_with \"sorry.png\" } {\n      HTTP::respond 200 content [b64decode [class element -name 0 sorry_images]] \"Content-Type\" \"image/png\"\n    } else {\n      if { [HTTP::uri] ends_with \"background.png\" } {\n        HTTP::respond 200 content [b64decode [class element -name 0 background_images]] \"Content-Type\" \"image/png\"\n      } else {\n        HTTP::respond 200 content \"<!DOCTYPE HTML PUBLIC \\\"-//W3C//DTD XHTML 1.0 Transitional//EN\\\" \\\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\\\">\n<html xml:lang=\\\"en\\\" xmlns=\\\"http://www.w3.org/1999/xhtml\\\" lang=\\\"en\\\"><head>\n\n    <meta http-equiv=\\\"Content-Type\\\" content=\\\"text/html; charset=UTF-8\\\">\n    <title>Oouchhh!</title>\n\n\n<style type=\\\"text/css\\\">\nbody {\n    background: #f7f4f1 url(background.png) repeat top left;\n}\n\n#MainContent {\n    background: url(sorry.png) no-repeat top right;\n    height: 500px;\n    font-family: Verdana, Helvetica, Arial, sans;\n    font-size: 14px;\n    color: #625746;\n    position: absolute;\n    top: 100px;\n    left: 80px;\n    width: 800px;\n}\n\n#MainContent p {\n    width: 450px;\n}\n\na {\n    color:#60A2B9;\n}\na:hover {\n    text-decoration: none;\n}\n</style>\n</head><body>\n    <div id=\\\"MainContent\\\">\n        <p><strong>Ouchhhhh! Snap! 
Something went terribly wrong!!!</strong></p>\n        <p>In the mean while, go <a href=\\\"http://www.funnyordie.com\\\">here</a> to entertain yourself while we figure out what just happened :-)</p>\n\n        <p>Wish us luck!</p>\n    </div>\n</body></html>\"\n      }\n    }\n  }\n}"}

2015-11-12 09:49:35 : Uploading iRules ... demo_analytics_rule
GET mgmt/tm/ltm/rule ""
Method GET mgmt/tm/ltm/rule returned: {"kind":"tm:ltm:rule:rulecollectionstate","selfLink":"https://localhost/mgmt/tm/ltm/rule?ver=11.6.0","items":[<a whole bunch of irules>]}

2015-11-12 09:49:36 : Uploading iRules ... demo_analytics_rule
POST mgmt/tm/ltm/rule {"apiAnonymous": "when CLIENT_ACCEPTED {\n    set client [IP::client_addr]\n}\n\nwhen HTTP_REQUEST {\n    set vhost [HTTP::host]:[TCP::local_port]\n    set url [HTTP::uri]\n    set method [HTTP::method]\n    set http_version [HTTP::version]\n    set user_agent [HTTP::header \"User-Agent\"]\n    set tcp_start_time [clock clicks -milliseconds]\n    set req_start_time [clock format [clock seconds] -format \"%Y/%m/%d %H:%M:%S\"]\n    set req_elapsed_time 0\n    set virtual_server [LB::server]\n\n    if { [HTTP::header Content-Length] > 0 } then {\n        set req_length [HTTP::header \"Content-Length\"]\n        if {$req_length > 4000000} then {\n            set $req_length 4000000\n        }\n        HTTP::collect $req_length\n    } else {\n        set req_length 0\n    }\n\n    if { [HTTP::header \"Referer\"] ne \"\" } then {\n        set referer [HTTP::header \"Referer\"]\n    } else {\n        set referer -\n    }\n}\n\nwhen HTTP_REQUEST_DATA {\n    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]\n    HTTP::release\n}\n\nwhen HTTP_RESPONSE {\n    set hsl [HSL::open -proto TCP -pool syslog_pool]\n    set resp_start_time [clock format [clock seconds] -format \"%Y/%m/%d %H:%M:%S\"]\n    set node [IP::server_addr]:[TCP::server_port]\n    set status [HTTP::status]\n    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]\n\n    if { [HTTP::header Content-Length] > 0 } then {\n        set response_length [HTTP::header \"Content-Length\"]\n    } else {\n        set response_length 0\n    }\n\n    HSL::send $hsl \"<190>|$vhost|device_product=Splunk Web Access iRule|$client|$method|\\\"$url\\\"|HTTP/$http_version|$user_agent|\\\"$referer\\\"|$req_start_time|$req_length|$req_elapsed_time|$node|$status|$resp_start_time|$response_length|$virtual_server\\r\\n\"\n}", "name": "irule_demo_analytics"}
Method POST mgmt/tm/ltm/rule returned: {"kind":"tm:ltm:rule:rulestate","name":"irule_demo_analytics","fullPath":"irule_demo_analytics","generation":249,"selfLink":"https://localhost/mgmt/tm/ltm/rule/irule_demo_analytics?ver=11.6.0","apiAnonymous":"when CLIENT_ACCEPTED {\n    set client [IP::client_addr]\n}\n\nwhen HTTP_REQUEST {\n    set vhost [HTTP::host]:[TCP::local_port]\n    set url [HTTP::uri]\n    set method [HTTP::method]\n    set http_version [HTTP::version]\n    set user_agent [HTTP::header \"User-Agent\"]\n    set tcp_start_time [clock clicks -milliseconds]\n    set req_start_time [clock format [clock seconds] -format \"%Y/%m/%d %H:%M:%S\"]\n    set req_elapsed_time 0\n    set virtual_server [LB::server]\n\n    if { [HTTP::header Content-Length] > 0 } then {\n        set req_length [HTTP::header \"Content-Length\"]\n        if {$req_length > 4000000} then {\n            set $req_length 4000000\n        }\n        HTTP::collect $req_length\n    } else {\n        set req_length 0\n    }\n\n    if { [HTTP::header \"Referer\"] ne \"\" } then {\n        set referer [HTTP::header \"Referer\"]\n    } else {\n        set referer -\n    }\n}\n\nwhen HTTP_REQUEST_DATA {\n    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]\n    HTTP::release\n}\n\nwhen HTTP_RESPONSE {\n    set hsl [HSL::open -proto TCP -pool syslog_pool]\n    set resp_start_time [clock format [clock seconds] -format \"%Y/%m/%d %H:%M:%S\"]\n    set node [IP::server_addr]:[TCP::server_port]\n    set status [HTTP::status]\n    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]\n\n    if { [HTTP::header Content-Length] > 0 } then {\n        set response_length [HTTP::header \"Content-Length\"]\n    } else {\n        set response_length 0\n    }\n\n    HSL::send $hsl \"<190>|$vhost|device_product=Splunk Web Access 
iRule|$client|$method|\\\"$url\\\"|HTTP/$http_version|$user_agent|\\\"$referer\\\"|$req_start_time|$req_length|$req_elapsed_time|$node|$status|$resp_start_time|$response_length|$virtual_server\\r\\n\"\n}"}

2015-11-12 09:49:38 : Create the ASM policy
GET mgmt/tm/asm/policies ""
Method GET mgmt/tm/asm/policies returned: {"selfLink":"https://localhost/mgmt/tm/asm/policies","kind":"tm:asm:policies:policycollectionstate","totalItems":0,"items":[]}

2015-11-12 09:49:39 : Create the ASM policy
POST mgmt/tm/asm/policies {"caseInsensitive": true, "name": "linux_high-Vip1", "applicationLanguage": "utf-8"}
Method POST mgmt/tm/asm/policies returned: {"historyRevisionReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/history-revisions","isSubCollection":true},"responsePageReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/response-pages","isSubCollection":true},"policyBuilderReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/policy-builder"},"vulnerabilityAssessmentReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/vulnerability-assessment"},"cookieReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/cookies","isSubCollection":true},"blockingSettingReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/blocking-settings","isSubCollection":true},"hostNameReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/host-names","isSubCollection":true},"selfLink":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg","versionDeviceName":"ip-172-16-11-77.ec2.internal","dataGuardReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/data-guard"},"stagingSettings":{"signatureStaging":true,"enforcementReadinessPeriod":7},"signatureReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/signatures","isSubCollection":true},"filetypeReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/filetypes","isSubCollection":true},"createdDatetime":"2015-11-12T17:49:39Z","modifierName":"","manualVirtualServers":[],"id":"qnU5A8PUMuPurLRLUt8VHg","versionDatetime":"2015-11-12T17:49:43Z","geolocationEnforcementReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/geolocation-enforcement"},"subPath":"/Common","sessionTrackingStatusReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/session-tracking-statuses","isSubCollection":true},"versionLastChange":" 
Security Policy /Common/linux_high-Vip1 [add]: Encoding Selected was set to true.\nApplication Language was set to utf-8.\nCase Sensitivity was set to Case Insensitive. { audit: username = rest_admin, client IP = 50.206.82.175 }","active":false,"name":"linux_high-Vip1","caseInsensitive":true,"loginPageReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/login-pages","isSubCollection":true},"fullPath":"/Common/linux_high-Vip1","description":"","trustXff":false,"policyBuilderEnabled":false,"IpIntelligenceReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/ip-intelligence"},"attributes":{"pathParameterHandling":"as-parameters","triggerAsmIruleEvent":"disabled","maskCreditCardNumbersInRequest":true,"inspectHttpUploads":false,"maximumHttpHeaderLength":"8192","maximumCookieHeaderLength":"8192","useDynamicSessionIdInUrl":false},"partition":"Common","xmlProfileReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/xml-profiles","isSubCollection":true},"sessionTrackingReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/session-tracking"},"csrfProtectionReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/csrf-protection"},"methodReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/methods","isSubCollection":true},"vulnerabilityReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/vulnerabilities","isSubCollection":true},"redirectionProtectionReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/redirection-protection"},"customXffHeaders":[],"creatorName":"rest_admin","kind":"tm:asm:policies:policystate","urlReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/urls","isSubCollection":true},"virtualServers":[],"headerReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/headers","isSubCollection
":true},"protocolIndependent":false,"xmlValidationFileReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/xml-validation-files","isSubCollection":true},"lastUpdateMicros":0,"signatureSetReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/signature-sets","isSubCollection":true},"jsonProfileReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/json-profiles","isSubCollection":true},"parameterReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/parameters","isSubCollection":true},"allowedResponseCodes":[400,401,404,407,417,503],"bruteForceAttackPreventionReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/brute-force-attack-preventions","isSubCollection":true},"applicationLanguage":"utf-8","enforcementMode":"transparent","loginEnforcementReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/login-enforcement"},"characterSetReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/character-sets","isSubCollection":true},"extractionReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/extractions","isSubCollection":true},"isModified":false,"navigationParameterReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/navigation-parameters","isSubCollection":true},"gwtProfileReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/gwt-profiles","isSubCollection":true},"sensitiveParameterReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/sensitive-parameters","isSubCollection":true},"whitelistIpReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg/whitelist-ips","isSubCollection":true},"versionPolicyName":"/Common/linux_high-Vip1"}

2015-11-12 09:49:53 : Import our policy over the one existing above 
POST mgmt/tm/asm/tasks/import-policy {"policyReference": {"link": "https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg"}, "isBase64": true, "file": "...<base64 policy file>...","lastUpdateMicros":1.447350597e+15,"selfLink":"https://localhost/mgmt/tm/asm/tasks/import-policy/hP37L9EM650WeWKkgX7law","kind":"tm:asm:tasks:import-policy:import-policy-taskstate","policyReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg"},"startTime":"2015-11-12T17:49:57Z","id":"hP37L9EM650WeWKkgX7law"}

2015-11-12 09:50:00 : Determine whether the asm policy import task is complete
GET mgmt/tm/asm/tasks/import-policy/hP37L9EM650WeWKkgX7law ""
Method GET mgmt/tm/asm/tasks/import-policy/hP37L9EM650WeWKkgX7law returned: {"isBase64":true,"status":"STARTED","file":"...<base64 policy file>...","lastUpdateMicros":1.447350597e+15,"selfLink":"https://localhost/mgmt/tm/asm/tasks/import-policy/hP37L9EM650WeWKkgX7law","kind":"tm:asm:tasks:import-policy:import-policy-taskstate","policyReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg"},"startTime":"2015-11-12T17:49:57Z","id":"hP37L9EM650WeWKkgX7law"}

2015-11-12 09:50:05 : Determine whether the asm policy import task is complete
GET mgmt/tm/asm/tasks/import-policy/hP37L9EM650WeWKkgX7law ""
Method GET mgmt/tm/asm/tasks/import-policy/hP37L9EM650WeWKkgX7law returned: {"isBase64":true,"status":"COMPLETED","file":"...<base64 policy file>...","lastUpdateMicros":1.447350605e+15,"selfLink":"https://localhost/mgmt/tm/asm/tasks/import-policy/hP37L9EM650WeWKkgX7law","kind":"tm:asm:tasks:import-policy:import-policy-taskstate","policyReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg"},"endTime":"2015-11-12T17:50:05Z","startTime":"2015-11-12T17:49:57Z","id":"hP37L9EM650WeWKkgX7law","result":{"policyReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg"},"message":"Security policy version information will be ignored, since the file has been modified since it was exported.\nSignature Set linux-high (previously used in this security policy) was added to this system.\nThe operation was completed successfully. The security policy name is '/Common/linux_high-Vip1'."}}

2015-11-12 09:50:08 : Apply the ASM policy
POST mgmt/tm/asm/tasks/apply-policy {"policyReference": {"link": "https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg"}}
Method POST mgmt/tm/asm/tasks/apply-policy returned: {"selfLink":"https://localhost/mgmt/tm/asm/tasks/apply-policy/38B8slfPm1_lBBRG1STNeg","kind":"tm:asm:tasks:apply-policy:apply-policy-taskstate","policyReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg"},"status":"NEW","lastUpdateMicros":1.447350608e+15,"startTime":"2015-11-12T17:50:08Z","id":"38B8slfPm1_lBBRG1STNeg"}

2015-11-12 09:50:10 : Determine whether the asm policy apply task is complete
GET mgmt/tm/asm/tasks/apply-policy/38B8slfPm1_lBBRG1STNeg ""
Method GET mgmt/tm/asm/tasks/apply-policy/38B8slfPm1_lBBRG1STNeg returned: {"selfLink":"https://localhost/mgmt/tm/asm/tasks/apply-policy/38B8slfPm1_lBBRG1STNeg","kind":"tm:asm:tasks:apply-policy:apply-policy-taskstate","policyReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg"},"status":"STARTED","lastUpdateMicros":1.447350608e+15,"startTime":"2015-11-12T17:50:08Z","id":"38B8slfPm1_lBBRG1STNeg"}

2015-11-12 09:50:14 : Determine whether the asm policy apply task is complete
GET mgmt/tm/asm/tasks/apply-policy/38B8slfPm1_lBBRG1STNeg ""
Method GET mgmt/tm/asm/tasks/apply-policy/38B8slfPm1_lBBRG1STNeg returned: {"selfLink":"https://localhost/mgmt/tm/asm/tasks/apply-policy/38B8slfPm1_lBBRG1STNeg","kind":"tm:asm:tasks:apply-policy:apply-policy-taskstate","policyReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg"},"status":"STARTED","lastUpdateMicros":1.447350608e+15,"startTime":"2015-11-12T17:50:08Z","id":"38B8slfPm1_lBBRG1STNeg"}

2015-11-12 09:50:18 : Determine whether the asm policy apply task is complete
GET mgmt/tm/asm/tasks/apply-policy/38B8slfPm1_lBBRG1STNeg ""
Method GET mgmt/tm/asm/tasks/apply-policy/38B8slfPm1_lBBRG1STNeg returned: {"status":"COMPLETED","lastUpdateMicros":1.447350616e+15,"selfLink":"https://localhost/mgmt/tm/asm/tasks/apply-policy/38B8slfPm1_lBBRG1STNeg","kind":"tm:asm:tasks:apply-policy:apply-policy-taskstate","policyReference":{"link":"https://localhost/mgmt/tm/asm/policies/qnU5A8PUMuPurLRLUt8VHg"},"endTime":"2015-11-12T17:50:16Z","startTime":"2015-11-12T17:50:08Z","id":"38B8slfPm1_lBBRG1STNeg"}
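
The import-policy and apply-policy exchanges above are asynchronous: the POST returns a task id, and the caller polls the task until its status is `COMPLETED`. The following is an added example of that loop, not code from the aws-deployments project; `run_asm_task`, `Replay` and the sample ids are hypothetical, the responses are constructed, and it assumes that any status other than the `NEW`, `STARTED` and `COMPLETED` seen in the log means the task failed. It also checks that the task still refers to the policy that was submitted and gives up after a timeout instead of polling forever.

```python
"""Poll an ASM task (import-policy / apply-policy) until it finishes (added example)."""
import time

IN_PROGRESS = {"NEW", "STARTED"}  # states the log shows before completion
DONE = "COMPLETED"


class TaskError(RuntimeError):
    """Raised when a task fails, times out, or refers to an unexpected policy."""


def run_asm_task(call, collection, body, interval=4.0, timeout=120.0,
                 sleep=time.sleep, clock=time.monotonic):
    """POST a task to `collection`, then GET it until its status is COMPLETED.

    `call(method, path, body)` is a hypothetical transport returning parsed JSON.
    Returns (final_task, statuses_seen).
    """
    wanted = body["policyReference"]["link"]
    created = call("POST", collection, body)
    path = "%s/%s" % (collection, created["id"])
    seen = [created.get("status", "NEW")]
    deadline = clock() + timeout
    while True:
        task = call("GET", path, None)
        status = task.get("status")
        seen.append(status)
        # The completed task must be about the policy we asked for.
        if task.get("policyReference", {}).get("link") != wanted:
            raise TaskError("task %s refers to a different policy" % path)
        if status == DONE:
            return task, seen
        if status not in IN_PROGRESS:
            raise TaskError("task %s ended with status %r" % (path, status))
        if clock() >= deadline:
            raise TaskError("task %s still %s after %ss" % (path, status, timeout))
        sleep(interval)


class Replay:
    """Stand-in transport: replays canned responses and checks the call order."""

    def __init__(self, script):
        self.script = list(script)
        self.calls = []

    def __call__(self, method, path, body):
        exp_method, exp_path, response = self.script.pop(0)
        if (method, path) != (exp_method, exp_path):
            raise AssertionError("unexpected call %s %s" % (method, path))
        self.calls.append((method, path))
        return response


# Constructed placeholders, shaped like the values in the log above.
POLICY = "https://localhost/mgmt/tm/asm/policies/EXAMPLE_POLICY_ID"
APPLY = "mgmt/tm/asm/tasks/apply-policy"
TASK_ID = "EXAMPLE_TASK_ID"


def sample_task(status, policy=POLICY):
    """Build an abridged task document with the fields the loop reads."""
    return {"id": TASK_ID, "status": status, "policyReference": {"link": policy}}


def apply_policy_demo(statuses):
    """Replay one POST followed by one GET per remaining status."""
    script = [("POST", APPLY, sample_task(statuses[0]))]
    script += [("GET", APPLY + "/" + TASK_ID, sample_task(s)) for s in statuses[1:]]
    replay = Replay(script)
    final, seen = run_asm_task(replay, APPLY, {"policyReference": {"link": POLICY}},
                               sleep=lambda seconds: None)
    return final, seen, replay.calls


if __name__ == "__main__":
    print(apply_policy_demo(["NEW", "STARTED", "STARTED", "COMPLETED"])[1])
```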

2015-11-12 09:50:20 : Create an LTM policy for use with by iApp which associates the ASM policy
GET mgmt/tm/ltm/policy ""
Method GET mgmt/tm/ltm/policy returned: {"kind":"tm:ltm:policy:policycollectionstate","selfLink":"https://localhost/mgmt/tm/ltm/policy?ver=11.6.0","items":[{"kind":"tm:ltm:policy:policystate","name":"_sys_CEC_SSL_client_policy","partition":"Common","fullPath":"/Common/_sys_CEC_SSL_client_policy","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/policy/~Common~_sys_CEC_SSL_client_policy?ver=11.6.0","controls":["classification"],"hints":["no-write","no-delete","no-exclusion"],"requires":["ssl-persistence"],"strategy":"/Common/first-match","rulesReference":{"link":"https://localhost/mgmt/tm/ltm/policy/~Common~_sys_CEC_SSL_client_policy/rules?ver=11.6.0","isSubcollection":true}},{"kind":"tm:ltm:policy:policystate","name":"_sys_CEC_SSL_server_policy","partition":"Common","fullPath":"/Common/_sys_CEC_SSL_server_policy","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/policy/~Common~_sys_CEC_SSL_server_policy?ver=11.6.0","controls":["classification"],"hints":["no-write","no-delete","no-exclusion"],"requires":["ssl-persistence"],"strategy":"/Common/first-match","rulesReference":{"link":"https://localhost/mgmt/tm/ltm/policy/~Common~_sys_CEC_SSL_server_policy/rules?ver=11.6.0","isSubcollection":true}},{"kind":"tm:ltm:policy:policystate","name":"_sys_CEC_video_policy","partition":"Common","fullPath":"/Common/_sys_CEC_video_policy","generation":1,"selfLink":"https://localhost/mgmt/tm/ltm/policy/~Common~_sys_CEC_video_policy?ver=11.6.0","controls":["classification"],"hints":["no-write","no-delete","no-exclusion"],"requires":["http"],"strategy":"/Common/first-match","rulesReference":{"link":"https://localhost/mgmt/tm/ltm/policy/~Common~_sys_CEC_video_policy/rules?ver=11.6.0","isSubcollection":true}}]}

2015-11-12 09:50:23 : Create an LTM policy for use with by iApp which associates the ASM policy
POST mgmt/tm/ltm/policy {"name": "ltm_policy_w_asm_linux_high-Vip1", "rules": [{"ordinal": 1, "conditions": [], "name": "rule-1", "actions": [{"status": 0, "enable": true, "name": "0", "request": true, "vlanId": 0, "code": 0, "policy": "/Common/linux_high-Vip1", "port": 0, "asm": true}]}], "partition": "Common", "controls": ["asm"], "strategy": "/Common/first-match", "requires": ["http"]}
Method POST mgmt/tm/ltm/policy returned: {"kind":"tm:ltm:policy:policystate","name":"ltm_policy_w_asm_linux_high-Vip1","partition":"Common","fullPath":"/Common/ltm_policy_w_asm_linux_high-Vip1","generation":318,"selfLink":"https://localhost/mgmt/tm/ltm/policy/~Common~ltm_policy_w_asm_linux_high-Vip1?ver=11.6.0","controls":["asm"],"requires":["http"],"strategy":"/Common/first-match","rulesReference":{"link":"https://localhost/mgmt/tm/ltm/policy/~Common~ltm_policy_w_asm_linux_high-Vip1/rules?ver=11.6.0","isSubcollection":true}}

2015-11-12 09:50:25 : Deploy the iApp template, since we are not using a default iApp on box
GET mgmt/tm/sys/application/template ""
Method GET mgmt/tm/sys/application/template returned: {"kind":"tm:sys:application:template:templatecollectionstate","selfLink":"https://localhost/mgmt/tm/sys/application/template?ver=11.6.0","items":[...<list of iApp templates on the box>...]}

2015-11-12 09:50:26 : Deploy the iApp template, since we are not using a default iApp on box
POST mgmt/tm/sys/application/template {"name": "f5.http.backport.1.1.2", "actions": [{"implementation": "package require iapp 1.1.2\niapp::template start\n\nset DEFAULT_ANSWER    /#default#\nset DO_NOT_USE_ANSWER /#do_not_use#\nset CREATE_NEW_ANSWER /#create_new#\n\nproc v11_4_main {} {\n    package require iapp 1.1.2\n    set app $tmsh::app_name\n    set is_v11_4 [expr {[iapp::tmos_version >= 11.4]}]\n    set is_v11_5 [expr {[iapp::tmos_version >= 11.5]}]\n    set is_v11_6 [expr {[iapp::tmos_version >= 11.6]}]\n    set lb_lcm_licensed [expr {[string first ltm_lb_least_conn [tmsh::show sys license detail]] != -1}]\n    set cookie_licensed [expr {[string first ltm_persist_cookie [tmsh::show sys license detail]] != -1}]\n    set is_admin 1\n    set use_apm  [expr {[iapp::get_provisioned apm] && [iapp::is ::apm__use_apm yes]}]\n    set asm_security_logging \"\"\n\n    # CLIENT-SIDE VLAN SELECTION\n    set advanced [expr { [iapp::is ::ssl_encryption_questions__advanced yes] \\\n                 || [iapp::is ::ssl_encryption_questions__legacy_advanced yes]}]\n    set select_vlans [iapp::is ::net__vlan_mode enabled disabled]\n\n    # array keys: $advanced,$select_vlans\n    array set vlan_arr {\n        1,1 { vlans-$::net__vlan_mode vlans replace-all-with \\{ $::net__client_vlan \\} }\n        *   { vlans-disabled vlans none }\n    }\n\n    # SNATPOOL PARAMETERS\n    set do_snat      [expr { [iapp::is ::net__same_subnet  yes] \\\n                     || ![iapp::is ::net__route_to_bigip yes] || !$advanced}]\n    set do_automap   [expr { [iapp::is ::net__snat_type automap] || !$advanced}]\n    set new_snatpool [iapp::is ::net__snatpool $::CREATE_NEW_ANSWER]\n\n    # array keys: $do_snat,$do_automap,$new_snatpool\n    array set snatpool_arr {\n        1,1,1 { snat automap }\n        1,1,0 { snat automap }\n        1,0,1 { snatpool [iapp::conf create ltm snatpool ${app}_snatpool \\\n                members replace-all-with \\{ [string map \\\n                {\"addr \" \"\" 
\\{ \"\" \\} \"\"} $::net__snatpool_members] \\} ]}\n        1,0,0 { snatpool $::net__snatpool }\n        *     { snat none }\n    }\n\n    # CLIENT TCP OPTIMIZATION PROFILE\n    # In order to show the correct recommendation per the chosen topology,\n    # the presentation of client tcp optimization has a split presentation.\n    # Only one of tcp_lan_opt or tcp_wan_opt contains the user's selection.\n    # This statement identifies whether the user has selected the recommended\n    # option from this split presentation.\n\n    # array keys: $::net__client_mode,$::net__server_mode\n    array set best_tcp_profile {\n        lan,lan    tcp-lan-optimized\n        lan,wan    tcp-lan-optimized\n        wan,lan    tcp-wan-optimized\n        wan,wan    tcp-wan-optimized\n        lan,tunnel wom-tcp-lan-optimized\n        *          wom-tcp-wan-optimized\n    }\n\n    set new_client_tcp [expr { !$advanced || ( \\\n                       [iapp::is ::net__client_mode lan] ? \\\n                       [iapp::is ::client__tcp_lan_opt $::CREATE_NEW_ANSWER] : \\\n                       [iapp::is ::client__tcp_wan_opt $::CREATE_NEW_ANSWER] )}]\n\n    # array keys: $new_client_tcp,$::net__client_mode\n    array set client_tcp_arr {\n        0,lan    $::client__tcp_lan_opt\n        0,wan    $::client__tcp_wan_opt\n        0,tunnel $::client__tcp_wan_opt\n        *        { [iapp::conf create ltm profile tcp ${app}_[iapp::substa \\\n                   best_tcp_profile($::net__client_mode,$::net__server_mode)] \\\n                   defaults-from [iapp::substa \\\n                   best_tcp_profile($::net__client_mode,$::net__server_mode)] \\\n                 ]}\n    }\n\n\n    # SERVER TCP OPTIMIZATION PROFILE\n    # See above comments regarding the client tcp optimization array.\n    set new_server_tcp [expr { !$advanced || ( \\\n                       [iapp::is ::net__server_mode lan] ? 
\\\n                       [iapp::is ::server__tcp_lan_opt $::CREATE_NEW_ANSWER] : \\\n                       [iapp::is ::server__tcp_wan_opt $::CREATE_NEW_ANSWER] )}]\n\n    # array keys: $new_server_tcp,$::net__server_mode\n    array set server_tcp_arr {\n        0,lan    $::server__tcp_lan_opt\n        0,wan    $::server__tcp_wan_opt\n        0,tunnel $::server__tcp_wan_opt\n        *        { [iapp::conf create ltm profile tcp ${app}_[iapp::substa \\\n                   best_tcp_profile($::net__server_mode,$::net__client_mode)] \\\n                   defaults-from [iapp::substa \\\n                   best_tcp_profile($::net__server_mode,$::net__client_mode)] \\\n                    ]}\n    }\n\n    # CLIENT SSL\n    set do_client_ssl [iapp::is ::ssl__mode client_ssl client_ssl_server_ssl]\n    set ssl_pass_thru [iapp::is ::ssl__mode pass_thru]\n\n    set new_client_ssl [expr { !$advanced || [iapp::is \\\n                       ::ssl__client_ssl_profile $::CREATE_NEW_ANSWER] }]\n    set do_chain_cert  [expr { $advanced && \\\n                       [info exists ::ssl__use_chain_cert] && \\\n                       ![iapp::is ::ssl__use_chain_cert $::DO_NOT_USE_ANSWER] }]\n    set cssl_cmd \\\n        \"ltm profile client-ssl ${app}_client-ssl defaults-from clientssl\"\n\n    # array keys: $do_client_ssl,$new_client_ssl,$do_chain_cert\n    array set client_ssl_arr {\n        1,1,1 { [iapp::conf create $cssl_cmd key $::ssl__key cert $::ssl__cert \\\n              chain $::ssl__use_chain_cert] \\{ context clientside \\} }\n        1,1,0 { [iapp::conf create $cssl_cmd key $::ssl__key cert $::ssl__cert \\\n              chain none] \\{ context clientside \\} }\n        1,0,1 { $::ssl__client_ssl_profile \\{ context clientside \\} }\n        1,0,0 { $::ssl__client_ssl_profile \\{ context clientside \\} }\n        *     {}\n    }\n\n    # SERVER SSL PROFILE\n    set do_server_ssl [iapp::is ::ssl__mode server_ssl client_ssl_server_ssl]\n    set default_server [expr { 
!$advanced || \\\n                       [iapp::is ::ssl__server_ssl_profile $::DEFAULT_ANSWER] }]\n\n    # array keys: $do_server_ssl,$default_server\n    array set server_ssl_arr {\n        1,1 { [iapp::conf create ltm profile server-ssl ${app}_server-ssl \\\n              defaults-from serverssl] \\{ context serverside \\} }\n        1,0 { $::ssl__server_ssl_profile \\{ context serverside \\} }\n        *   {}\n    }\n\n    set apm_profiles \"\"\n\n    # HTTP PROFILE\n    set new_http [expr { !$advanced || \\\n                 [iapp::is ::pool__http $::CREATE_NEW_ANSWER] }]\n    set xff_cmd  [expr { (!$advanced || [iapp::is ::pool__xff yes]) \\\n                 ? \"insert-xforwarded-for enabled\" \\\n                 : \"insert-xforwarded-for disabled\" }]\n\n    # array keys: $ssl_pass_thru,$new_http,$do_client_ssl\n    array set http_arr {\n        0,0,0 { $::pool__http }\n        0,0,1 { $::pool__http }\n        0,1,0 { [iapp::conf create ltm profile http ${app}_http \\\n                 defaults-from http  \\\n                 redirect-rewrite none $xff_cmd] }\n        0,1,1 { [iapp::conf create ltm profile http ${app}_http \\\n                 defaults-from http   \\\n                 redirect-rewrite matching $xff_cmd] }\n        *     { }\n    }\n\n    # COMPRESSION PROFILE\n    set do_compress  [expr { !$ssl_pass_thru && \\\n        [info exists ::client__http_compression] && \\\n        ![iapp::is ::client__http_compression $::DO_NOT_USE_ANSWER] }]\n    set new_compress [iapp::is ::client__http_compression $::CREATE_NEW_ANSWER]\n\n    # array keys: $do_compress,$new_compress\n    array set compress_arr {\n        1,1 { [iapp::conf create ltm profile http-compression \\\n              ${app}_wan-optimized-compression \\\n              defaults-from wan-optimized-compression \\\n              content-type-include replace-all-with \\{ $::HTTP_CONTENT_TYPES \\} \\\n              ] }\n        1,0 { $::client__http_compression }\n        *   {}\n    }\n\n    
# AAM APPLICATION\n    # The purpose of the embedded string map is to remove the table column names\n    set perf_monitor  [iapp::is ::client__enable_perf_monitor yes]\n    set wam_cmd \"wam application ${app}_aam hosts replace-all-with \\{ \\\n             [string map {\"name \" \"\"} [join [join [expr { [info exists \\\n             ::pool__hosts] ? \"$::pool__hosts\" : \"\"}]]]] \\}\"\n\n    # array keys: $advanced,$perf_monitor,$ssl_pass_thru\n    # \"do_configure_wa\" need not be keyed here since this is called from\n    # caching_arr, which is already keyed on \"do_configure_wa\".\n    array set wam_arr {\n        1,1,0 { [iapp::conf create $wam_cmd policy \\\"$::client__policy\\\" \\\n                 info-header $::client__x_wa_info_header \\\n                 perf-monitor enabled \\\n                 perf-monitor-data-retention-period \\\n                 $::client__data_retention_period] }\n        1,0,0 { [iapp::conf create $wam_cmd policy \\\"$::client__policy\\\" \\\n                 info-header $::client__x_wa_info_header \\\n                 perf-monitor disabled \\\n                 perf-monitor-data-retention-period 0] }\n        0,1,0 { [iapp::conf create $wam_cmd \\\n                 policy \\\"/Common/Generic Policy - Enhanced\\\" \\\n                 info-header none \\\n                 perf-monitor enabled \\\n                 perf-monitor-data-retention-period \\\n                 $::client__data_retention_period] }\n        0,0,0 { [iapp::conf create $wam_cmd \\\n                 policy \\\"/Common/Generic Policy - Enhanced\\\" \\\n                 info-header none \\\n                 perf-monitor disabled \\\n                 perf-monitor-data-retention-period 0] }\n        *     {}\n    }\n\n    # CACHING PROFILE\n    set do_configure_wa [expr { !$ssl_pass_thru && [iapp::get_provisioned am] && \\\n        [iapp::is ::client__use_wa yes] }]\n    set do_caching [expr { !$ssl_pass_thru && ($do_configure_wa || \\\n        ![iapp::is 
::client__standard_caching_without_wa $::DO_NOT_USE_ANSWER])}]\n    set new_caching [expr { !$advanced || \\\n        ($do_configure_wa && \\\n        [iapp::is ::client__standard_caching_with_wa $::CREATE_NEW_ANSWER]) || \\\n        (!$do_configure_wa && \\\n        [iapp::is ::client__standard_caching_without_wa $::CREATE_NEW_ANSWER])}]\n\n    # array keys: $do_caching,$new_caching,$do_configure_wa\n    array set caching_arr {\n        1,1,1 { [iapp::conf create ltm profile web-acceleration \\\n              ${app}_optimized-acceleration \\\n              defaults-from optimized-acceleration  \\\n              applications replace-all-with \\{ [iapp::substa \\\n              wam_arr($advanced,$perf_monitor,$ssl_pass_thru)] \\}] }\n        1,1,0 { [iapp::conf create ltm profile web-acceleration \\\n              ${app}_optimized-caching defaults-from optimized-caching \\\n              applications none cache-size 10  \\\n              cache-object-max-size 2000000] }\n        1,0,1 $::client__standard_caching_with_wa\n        1,0,0 $::client__standard_caching_without_wa\n        *     {}\n    }\n\n    # ONECONNECT PROFILE\n    set do_oneconnect  [expr { !$ssl_pass_thru && (!$advanced || \\\n                       ![iapp::is ::server__oneconnect $::DO_NOT_USE_ANSWER])}]\n    set new_oneconnect [expr { !$advanced || \\\n                       [iapp::is ::server__oneconnect $::CREATE_NEW_ANSWER] }]\n    set one_cmd \"ltm profile one-connect ${app}_oneconnect \\\n                 defaults-from oneconnect source-mask\"\n\n    # array keys: $do_oneconnect,$new_oneconnect,$do_snat\n    array set oneconnect_arr {\n        1,1,1 { [iapp::conf create $one_cmd 255.255.255.255] }\n        1,1,0 { [iapp::conf create $one_cmd 0.0.0.0] }\n        1,0,1 $::server__oneconnect\n        1,0,0 $::server__oneconnect\n        *     {}\n    }\n\n    # NTLM PROFILE\n    # array keys: $do_oneconnect,$advanced\n    array set ntlm_arr {\n        1,1  $::server__ntlm\n        *    
/#do_not_use#\n    }\n\n    # Note: app-service is forced. See BZ448758.\n    # array keys: $is_admin,$ntlm_arr($do_oneconnect,$advanced)\n    array set ntlm_cmd {\n        0,/#create_new# { [error \"Non-admin user cannot create an NTLM profile\"] }\n        1,/#create_new# { [iapp::conf create ltm profile \\\n                          ntlm [tmsh::pwd]/${app}_ntlm \\\n                          defaults-from ntlm \\\n                          app-service $app] }\n        0,/#do_not_use# { }\n        1,/#do_not_use# { }\n        *               { [iapp::substa ntlm_arr($do_oneconnect,$advanced)] }\n}\n    # PERSISTENCE\n    set discourage_persist [iapp::is ::ssl_encryption_questions__version 2013]\n\n    # array keys: $discourage_persist,$advanced,$ssl_pass_thru,$cookie_licensed\n    array set persist_arr {\n        0,0,0,0 /#source#\n        0,0,0,1 /#cookie#\n        0,0,1,0 /#source#\n        0,0,1,1 /#source#\n        0,1,0,0 $::pool__persist\n        0,1,0,1 $::pool__persist\n        0,1,1,0 $::pool__pass_thru_persist\n        0,1,1,1 $::pool__pass_thru_persist\n        1,1,0,0 $::pool__discourage_persist\n        1,1,0,1 $::pool__discourage_persist\n        1,1,1,0 $::pool__pass_thru_discourage_persist\n        1,1,1,1 $::pool__pass_thru_discourage_persist\n        *       /#do_not_use#\n    }\n\n    array set persist_cmd {\n        /#cookie#     { persist replace-all-with \\{ \\\n                        [iapp::conf create $cookie_cmd] \\}\\\n                        fallback-persistence [iapp::conf create $source_cmd] }\n        /#source#     { persist replace-all-with \\{ \\\n                        [iapp::conf create $source_cmd] \\}\\\n                        fallback-persistence none }\n        /#do_not_use# { persist none \\\n                        fallback-persistence none }\n        *             { persist replace-all-with \\{ [iapp::substa \\\n        persist_arr($discourage_persist,$advanced,$ssl_pass_thru,$cookie_licensed)] \\} \\\n                   
     fallback-persistence none }\n    }\n\n    set cookie_cmd \"ltm persistence cookie ${app}_cookie-persistence \"\n    set cm_sync_status_details [lindex [tmsh::get_status cm sync-status] 0]\n    set cm_sync_status [tmsh::get_field_value $cm_sync_status_details status]\n    set mirror_action  [expr { $cm_sync_status eq \"Standalone\" && [iapp::is \\\n                       ::pool__mirror enabled] ? \"enabled\" : \"disabled\" }]\n    set source_cmd     \"ltm persistence source-addr \\\n                       ${app}_source-addr-persistence mirror $mirror_action\"\n\n    # ISESSION\n    set do_isession   [expr { [iapp::is ::net__server_mode tunnel]\n                      && [iapp::get_provisioned am] }]\n    set new_isession  [iapp::is ::client__isession_profile $::CREATE_NEW_ANSWER]\n\n    # array keys: $do_isession,$advanced,$new_isession\n    array set isession_arr {\n        1,1,1 { [iapp::conf create wom profile isession ${app}_isession \\\n              data-encryption $::client__isession__encryption \\\n              compression $::client__isession__compression \\\n              deduplication $::client__isession__deduplication] \\\n              \\{ context serverside \\} }\n        1,1,0 { $::client__isession_profile \\{ context serverside \\} }\n        1,0,1 { /Common/isession \\{ context serverside \\} }\n        1,0,0 { /Common/isession \\{ context serverside \\} }\n        *     {}\n    }\n\n    # IRULES\n    set stats_irule {\nwhen HTTP_REQUEST {\n  set reqtime [clock clicks]\n}\nwhen HTTP_RESPONSE {\n  ISTATS::set \"sys.application.service <APP> string app-rtt\" [expr {[clock clicks] - $reqtime}]\n  ISTATS::set \"sys.application.service <APP> string tcp-rtt\" [TCP::rtt]\n}\n    }\n\n    set irule_names [expr { !$ssl_pass_thru && [iapp::is ::rtt_stats enabled] \\\n        ? 
[iapp::conf create ltm rule ${app}_stats_irule \\\n          [string map \"<APP> [tmsh::pwd]/$app\" $stats_irule]] : \"\" }]\n\n    append irule_names [expr { $advanced && [info exists ::irules__irules] \\\n        ? \" $::irules__irules\" : \"\" }]\n\n    # array key: [llength $irule_names]\n    array set irule_arr {\n        0 { rules none }\n        * { rules \\{ $irule_names \\} }\n    }\n\n    if { [info exists ::pool__port_secure] } {\n        set redirect_rule [string map [list _PORT $::pool__port_secure] {\nwhen HTTP_REQUEST {\n    HTTP::redirect https://[getfield [HTTP::host] : 1]:_PORT[HTTP::uri]\n}}]\n    }\n\n    # array keys: $::pool__port_secure\n    array set redirect_irule {\n        443  { _sys_https_redirect }\n        *    { [iapp::conf create ltm rule ${app}_https_redirect $redirect_rule] }\n    }\n\n    # ASM PROFILE\n    # extra info exists test benefits BIG-IQ apps that bypass presentation\n    set do_asm [expr { [iapp::get_provisioned asm] && \\\n        $is_v11_4 && \\\n        !$ssl_pass_thru && ![iapp::is ::asm__use_asm $::DO_NOT_USE_ANSWER] }]\n    set asm_security_logging [expr { $do_asm &&  [info exists ::asm__security_logging] &&  ![iapp::is ::asm__security_logging $::DO_NOT_USE_ANSWER]  ? 
\"\\\"$::asm__security_logging\\\"\" : \"\" }]\n\n    # array key: $is_v11_4,$do_asm\n    array set asm_policy {\n        1,1 { policies replace-all-with { $::asm__use_asm } }\n        1,0 { policies none }\n        *   { }\n    }\n\n    # FIREWALL (AFM) POLICY\n    # beware: syntactically correct AFM commands fail when AFM is not provisioned\n    # extra info exists test benefits BIG-IQ apps that bypass presentation\n\n    set afm_allowed [expr { $is_v11_4 && $is_admin && [iapp::get_provisioned afm] }]\n\n    set do_firewall [expr { $afm_allowed && [info exists ::afm__policy] && \\\n        ![iapp::is ::afm__policy $::DO_NOT_USE_ANSWER] }]\n    set new_firewall [iapp::is ::afm__policy $::DEFAULT_ANSWER]\n    set do_ip_intel [expr { $do_firewall && [iapp::is ::afm__restrict_by_reputation \"warn\" \"reject\" \"select\"] }]\n    set new_ip_intel [iapp::is ::afm__restrict_by_reputation \"warn\" \"reject\"]\n\n    set staging_policy [expr { $do_firewall && \\\n        ![iapp::is ::afm__staging_policy $::DO_NOT_USE_ANSWER] \\\n        ? \"$::afm__staging_policy\" : \"none\" }]\n\n    set afm_security_logging [expr { $do_firewall && \\\n        ![iapp::is ::afm__security_logging $::DO_NOT_USE_ANSWER] \\\n        ? \"\\\"$::afm__security_logging\\\"\" : \"\" }]\n    set security_logging [expr { $is_admin \\\n        ? 
\"security-log-profiles replace-all-with \\{ $asm_security_logging $afm_security_logging \\}\" : \"\" }]\n\n    set do_dos_security [expr { $afm_allowed && $advanced && \\\n        ![iapp::is ::afm__dos_security_profile $::DO_NOT_USE_ANSWER] }]\n    set do_protocol_security [expr { $afm_allowed && $advanced && \\\n        ![iapp::is ::afm__protocol_security_profile $::DO_NOT_USE_ANSWER] }]\n\n    # array key: $afm_allowed,$do_firewall,$new_firewall\n    array set firewall_arr {\n        1,1,1 { fw-enforced-policy \\\n                [iapp::conf create security firewall policy ${app}_firewall \\\n                rules replace-all-with \\{ \\\n                  acceptPackets \\{ \\\n                    action accept \\\n                    log no \\\n                    ip-protocol tcp \\\n                    status enabled \\\n                    source \\{ [iapp::substa afm_restrict($::afm__restrict_by_addr)] \\}\\} \\\n                  dropPackets \\{ \\\n                    action drop \\\n                    log yes \\\n                    ip-protocol tcp \\\n                    status enabled \\\n                    source \\{ addresses replace-all-with \\{ any/any \\}\\} \\\n                  \\}\\}] \\\n                fw-staged-policy [subst $staging_policy] }\n        1,1,0 { fw-enforced-policy $::afm__policy \\\n                fw-staged-policy [subst $staging_policy] }\n        1,0,1 { fw-enforced-policy none \\\n                fw-staged-policy none }\n        1,0,0 { fw-enforced-policy none \\\n                fw-staged-policy none }\n        *     { }\n    }\n\n    # array key: $::afm__restrict_by_addr\n    array set afm_restrict {\n        /#create_new# {addresses replace-all-with \\{ $::afm__allowed_addr \\}}\n        /#do_not_use# {addresses replace-all-with \\{ any/any \\}}\n        *         {address-lists replace-all-with \\{ $::afm__restrict_by_addr \\}}\n    }\n\n    # ip-intelligence was a profile in 11.4, is a policy in 11.5\n    # array 
keys:\n    # $afm_allowed,$do_ip_intel,$new_ip_intel,$is_v11_5,policy/profile\n    array set ip_intelligence_arr {\n        1,1,1,0,profile { [iapp::conf create security ip-intelligence \\\n             profile           ${app}_ip_intelligence \\\n             defaults-from     ip-intelligence \\\n             botnets           $::afm__restrict_by_reputation \\\n             denial-of-service $::afm__restrict_by_reputation \\\n             infected-sources  $::afm__restrict_by_reputation \\\n             phishing          $::afm__restrict_by_reputation \\\n             proxy             $::afm__restrict_by_reputation \\\n             scanners          $::afm__restrict_by_reputation \\\n             spam-sources      $::afm__restrict_by_reputation \\\n             web-attacks       $::afm__restrict_by_reputation \\\n             windows-exploits  $::afm__restrict_by_reputation] }\n        1,0,0,1,policy { ip-intelligence-policy none }\n        1,0,1,1,policy { ip-intelligence-policy none }\n        1,1,0,1,policy { ip-intelligence-policy $::afm__ip_intelligence_policy }\n        1,1,1,1,policy { \\\n             ip-intelligence-policy [iapp::conf create security ip-intelligence \\\n             policy             ${app}_ip_intelligence \\\n             default-action     $action($::afm__restrict_by_reputation) \\\n             blacklist-categories replace-all-with \\{ \\\n                 botnets \\{ action use-policy-setting \\} \\\n                 cloud_provider_networks \\{ action use-policy-setting \\} \\\n                 denial_of_service \\{ action use-policy-setting \\} \\\n                 illegal_websites \\{ action use-policy-setting \\} \\\n                 infected_sources \\{ action use-policy-setting \\} \\\n                 phishing \\{ action use-policy-setting \\} \\\n                 proxy \\{ action use-policy-setting \\} \\\n                 scanners \\{ action use-policy-setting \\} \\\n                 spam_sources \\{ action 
use-policy-setting \\} \\\n                 web_attacks \\{ action use-policy-setting \\} \\\n                 windows_exploits \\{ action use-policy-setting \\}\\}] }\n        *    { }\n    }\n\n    # array key: $::afm__restrict_by_reputation\n    array set action {\n        accept { accept default-log-blacklist-hit-only no }\n        reject { drop   default-log-blacklist-hit-only yes }\n        warn   { accept default-log-blacklist-hit-only yes }\n    }\n\n    # ANALYTICS (AVR) PROFILE\n    # extra info exists test benefits BIG-IQ apps that bypass presentation\n    set do_analytics  [expr { $advanced && [iapp::get_provisioned avr] \\\n        && !$ssl_pass_thru && [info exists ::stats__analytics] && \\\n        ![iapp::is ::stats__analytics $::DO_NOT_USE_ANSWER] }]\n    set new_analytics [iapp::is ::stats__analytics $::CREATE_NEW_ANSWER]\n\n    # array keys: $do_analytics,$new_analytics\n    array set analytics_arr {\n        1,1 { [iapp::conf create ltm profile analytics ${app}_analytics \\\n            defaults-from analytics] }\n        1,0 $::stats__analytics\n        *   {}\n    }\n\n    # REQUEST LOGGING\n    # extra info exists test benefits BIG-IQ apps that bypass presentation\n    set do_logging [expr { $advanced && !$ssl_pass_thru && \\\n                   [info exists ::stats__request_logging] && \\\n                   ![iapp::is ::stats__request_logging $::DO_NOT_USE_ANSWER] }]\n\n    # array keys: $do_logging\n    array set logging_arr {\n        1 { $::stats__request_logging }\n        0 {}\n    }\n\n    # MONITOR SEND STRING\n    # only the first FQDN in the hosts table is used for monitoring\n    set hostname   [lindex [join [join [expr { [info exists ::pool__hosts] \\\n                   ? 
\"$::pool__hosts\" : \"\" }]]] 1]\n    set http10     [expr {$advanced && [iapp::is ::monitor__http_version http10]}]\n    set http_post  [expr {$advanced && [iapp::is ::monitor__http_method POST]}]\n    set ntlm_creds 0\n\n    # array keys: $http10,$http_post,$ntlm_creds\n    array set send_string_arr {\n        1,1,1 { 'POST $::monitor__uri HTTP/1.0\\\\r\\\\nContent-Length: [string length $::monitor__post_body]\\\\r\\\\nConnection: Keep-Alive\\\\r\\\\n\\\\r\\\\n$::monitor__post_body' }\n        1,1,0 { 'POST $::monitor__uri HTTP/1.0\\\\r\\\\nContent-Length: [string length $::monitor__post_body]\\\\r\\\\n\\\\r\\\\n$::monitor__post_body' }\n        1,0,1 { 'GET $::monitor__uri HTTP/1.0\\\\r\\\\nConnection: Keep-Alive\\\\r\\\\n\\\\r\\\\n' }\n        1,0,0 { 'GET $::monitor__uri HTTP/1.0\\\\r\\\\n\\\\r\\\\n' }\n        0,1,1 { 'POST $::monitor__uri HTTP/1.1\\\\r\\\\nHost: $hostname\\\\r\\\\nContent-Length: [string length $::monitor__post_body]\\\\r\\\\n$::monitor__post_body' }\n        0,1,0 { 'POST $::monitor__uri HTTP/1.1\\\\r\\\\nHost: $hostname\\\\r\\\\nContent-Length: [string length $::monitor__post_body]\\\\r\\\\nConnection: Close\\\\r\\\\n\\\\r\\\\n$::monitor__post_body' }\n        0,0,1 { 'GET $::monitor__uri HTTP/1.1\\\\r\\\\nHost: $hostname\\\\r\\\\n' }\n        *     { 'GET $::monitor__uri HTTP/1.1\\\\r\\\\nHost: $hostname\\\\r\\\\nConnection: Close\\\\r\\\\n\\\\r\\\\n'}\n    }\n\n    # MONITOR\n    set new_pool [expr {( $::net__server_mode ne \"tunnel\" && \\\n                 [iapp::is ::pool__pool_to_use $::CREATE_NEW_ANSWER] ) || \\\n                        ( $::net__server_mode eq \"tunnel\" && \\\n                 [iapp::is ::pool__pool_to_use_wom $::CREATE_NEW_ANSWER] )}]\n    set new_monitor   [iapp::is ::monitor__monitor $::CREATE_NEW_ANSWER]\n    set http_or_https [expr { $do_server_ssl || $ssl_pass_thru ?{https}:{http} }]\n\n    # array keys: $new_pool,$new_monitor,$advanced\n    array set monitor_arr {\n        1,1,1 { monitor [iapp::conf 
create ltm monitor $http_or_https \\\n              ${app}_${http_or_https}_monitor \\\n              defaults-from $http_or_https \\\n              interval $::monitor__frequency \\\n              timeout [expr { $::monitor__frequency * 3 + 1 } ] \\\n              [expr { [iapp::is ::monitor__anonymous \"no\"] || \\\n                      [iapp::is ::monitor__credentials \"basic\"] || \\\n                      [iapp::is ::monitor__credentials \"ntlm\"] ? \\\n              \"username $::monitor__user \\\n               password [iapp::make_safe_password $::monitor__passwd]\" : \"\" }] \\\n              send [iapp::substa send_string_arr($http10,$http_post,$ntlm_creds)]\\\n              recv '$::monitor__response'] }\n        1,1,0 { monitor [iapp::conf create ltm monitor $http_or_https \\\n              ${app}_${http_or_https}_monitor \\\n              defaults-from $http_or_https \\\n              interval 30 \\\n              timeout 91 \\\n              send [iapp::substa send_string_arr($http10,$http_post,$ntlm_creds)]\\\n              recv '$::monitor__response'] }\n        1,0,1 { monitor $::monitor__monitor }\n        1,0,0 { monitor $::monitor__monitor }\n        *     { monitor none }\n    }\n\n    # GENERAL POOL PARAMETERS 1\n    set do_slow_ramp [iapp::is ::server__use_slow_ramp yes]\n    set do_pga       [iapp::is ::pool__use_pga yes]\n\n    # array keys: $advanced,$do_slow_ramp,$do_pga\n    array set pool_ramp_pga_arr {\n        1,1,1 { slow-ramp-time $::server__slow_ramp_setvalue \\\n              min-active-members $::pool__min_active_members }\n        1,1,0 { slow-ramp-time $::server__slow_ramp_setvalue \\\n              min-active-members 0 }\n        1,0,1 { slow-ramp-time 10 \\\n              min-active-members $::pool__min_active_members }\n        1,0,0 { slow-ramp-time 10 min-active-members 0 }\n        *     { slow-ramp-time 300 min-active-members 0 }\n    }\n\n    # GENERAL POOL PARAMETERS 2\n    set tcp_queuing [iapp::is 
::server__tcp_req_queueing yes]\n\n    # array keys: $advanced,$lb_lcm_licensed,$tcp_queuing\n    array set pool_lb_queue_arr {\n        1,1,1 { load-balancing-mode $::pool__lb_method \\\n                queue-on-connection-limit enabled \\\n                queue-depth-limit $::server__tcp_queue_length \\\n                queue-time-limit  $::server__tcp_queue_timeout }\n        1,0,1 { load-balancing-mode $::pool__lb_method \\\n                queue-on-connection-limit enabled \\\n                queue-depth-limit $::server__tcp_queue_length \\\n                queue-time-limit  $::server__tcp_queue_timeout }\n        1,1,0 { load-balancing-mode $::pool__lb_method \\\n                queue-on-connection-limit disabled }\n        1,0,0 { load-balancing-mode $::pool__lb_method \\\n                queue-on-connection-limit disabled }\n        0,0,1 { load-balancing-mode round-robin \\\n                queue-on-connection-limit disabled }\n        0,0,0 { load-balancing-mode round-robin \\\n                queue-on-connection-limit disabled }\n        *     { load-balancing-mode least-connections-member \\\n                queue-on-connection-limit disabled }\n    }\n\n    # POOL\n    set no_pool [expr {( $::net__server_mode ne \"tunnel\" && \\\n                [iapp::is ::pool__pool_to_use $::DO_NOT_USE_ANSWER] ) || \\\n                       ( $::net__server_mode eq \"tunnel\" && \\\n                [iapp::is ::pool__pool_to_use_wom $::DO_NOT_USE_ANSWER] )}]\n\n    # array keys: $new_pool,$no_pool\n    array set pool_arr {\n        1,0 { [iapp::conf create ltm pool ${app}_pool \\\n              [iapp::substa pool_ramp_pga_arr($advanced,$do_slow_ramp,$do_pga)] \\\n              [iapp::substa pool_lb_queue_arr($advanced,$lb_lcm_licensed,$tcp_queuing)] \\\n              [iapp::substa monitor_arr($new_pool,$new_monitor,$advanced)] \\\n              [iapp::pool_members $::pool__members]] \\\n              translate-address enabled }\n        0,0 { [expr { 
$::net__server_mode ne \"tunnel\" ? \\\n              $::pool__pool_to_use : $::pool__pool_to_use_wom }] \\\n              translate-address enabled }\n        *   { none translate-address disabled }\n    }\n\n    # VIRTUAL SERVERS\n    set secure_client [expr { $do_client_ssl || $ssl_pass_thru }]\n    set do_redirect [expr { [iapp::is ::pool__redirect_to_https yes] || \\\n             !$advanced}]\n    set mask [expr { $advanced && $::pool__mask ne \"\" \\\n             ? $::pool__mask : [iapp::destination -mask $::pool__addr] }]\n\n    # array keys: $secure_client,$do_redirect\n    array set vs_arr {\n        1,1 { [iapp::conf create ltm virtual ${app}_vs \\\n            destination [iapp::destination $::pool__addr $::pool__port_secure] \\\n            mask $mask \\\n            $vs_params \\\n            ip-protocol tcp \\\n            mirror $mirror_action \\\n            profiles replace-all-with \\{ $vs_profiles \\}] \\\n            \\\n            [iapp::conf create ltm virtual ${app}_redir_vs \\\n            destination [iapp::destination $::pool__addr [expr {[info exists \\\n            ::pool__redirect_port] ? 
$::pool__redirect_port : 80}]] \\\n            mask $mask \\\n            $redir_vs_params \\\n            ip-protocol tcp \\\n            mirror $mirror_action \\\n            profiles replace-all-with \\{ $tcp_profiles http \\} \\\n            rules \\{ [iapp::substa redirect_irule($::pool__port_secure)] \\}]}\n        1,0 { [iapp::conf create ltm virtual ${app}_vs \\\n            destination [iapp::destination $::pool__addr $::pool__port_secure] \\\n            mask $mask \\\n            $vs_params \\\n            ip-protocol tcp \\\n            mirror $mirror_action \\\n            profiles replace-all-with \\{ $vs_profiles \\}] }\n        *   { [iapp::conf create ltm virtual ${app}_vs \\\n            destination [iapp::destination $::pool__addr $::pool__port] \\\n            mask $mask \\\n            $vs_params \\\n            ip-protocol tcp \\\n            mirror $mirror_action \\\n            profiles replace-all-with \\{ $vs_profiles \\}] }\n    }\n\n    # MAIN\n    # Array contents (including TCL code) are evaluated during the\n    # assignments below. TMSH parameters and profile names are collected\n    # for use in subsequent calls including the creation of the virtual\n    # server(s). Many parameters are shared between the redirect virtual\n    # server and the main virtual server. 
This builds the redirect\n    # parameters first, then re-uses them when constructing the main\n    # virtual parameter list.\n    set redir_vs_params \\\n    \"[iapp::substa vlan_arr($advanced,$select_vlans)] \\\n     [iapp::substa snatpool_arr($do_snat,$do_automap,$new_snatpool)] \\\n     [iapp::substa firewall_arr($afm_allowed,$do_firewall,$new_firewall)] \\\n     [iapp::substa \\\n     ip_intelligence_arr($afm_allowed,$do_ip_intel,$new_ip_intel,$is_v11_5,policy)]\"\n\n    set vs_params \"$redir_vs_params $security_logging \\\n        [iapp::substa persist_cmd([iapp::substa \\\n        persist_arr($discourage_persist,$advanced,$ssl_pass_thru,$cookie_licensed)])] \\\n        pool [set pool_name [iapp::substa pool_arr($new_pool,$no_pool)]] \\\n        [iapp::substa irule_arr([llength $irule_names])] \\\n        [iapp::substa asm_policy($is_v11_4,$do_asm)]\"\n\n    # TMSH syntax dictates that a profile may only be mentioned once.\n    # If the same profile is used in 2 contexts, then specify \"context all\".\n    set client_tcp [iapp::substa \\\n        client_tcp_arr($new_client_tcp,$::net__client_mode)]\n    set server_tcp [iapp::substa \\\n        server_tcp_arr($new_server_tcp,$::net__server_mode)]\n\n    if { $client_tcp eq $server_tcp } {\n        set tcp_profiles \"$client_tcp \\{ context all \\} \"\n    } else {\n        set tcp_profiles \"$client_tcp \\{ context clientside \\} \\\n                               $server_tcp \\{ context serverside \\} \"\n    }\n\n    # Order is important to the \"context clientside\" and \"context serverside\"\n    # parameters, so those parameters without context must come after those\n    # with context. 
For example, HTTP must come after TCP and SSL.\n    set http_name [iapp::substa http_arr($ssl_pass_thru,$new_http,$do_client_ssl)]\n\n    set vs_profiles \"[iapp::substa \\\n            client_ssl_arr($do_client_ssl,$new_client_ssl,$do_chain_cert)] \\\n        [iapp::substa server_ssl_arr($do_server_ssl,$default_server)] \\\n        [iapp::substa isession_arr($do_isession,$advanced,$new_isession)] \\\n        $tcp_profiles $http_name \\\n        [iapp::substa ip_intelligence_arr($afm_allowed,$do_ip_intel,$new_ip_intel,$is_v11_5,profile)] \\\n        [expr { $do_dos_security ? \"$::afm__dos_security_profile\" : \"\" }] \\\n        [expr { $do_protocol_security ? \"$::afm__protocol_security_profile\" : \"\" }] \\\n        [iapp::substa compress_arr($do_compress,$new_compress)] \\\n        [iapp::substa \\\n            caching_arr($do_caching,$new_caching,$do_configure_wa)] \\\n        [iapp::substa \\\n            oneconnect_arr($do_oneconnect,$new_oneconnect,$do_snat)]  \\\n        [iapp::substa ntlm_cmd($is_admin,[iapp::substa ntlm_arr($do_oneconnect,$advanced)])] \\\n        [iapp::substa analytics_arr($do_analytics,$new_analytics)]  \\\n        [expr { $do_asm && $is_v11_4 ? \"websecurity \" : \"\" }] \\\n        [iapp::substa logging_arr($do_logging)] \\\n        $apm_profiles\"\n\n    set vs_name [iapp::substa vs_arr($secure_client,$do_redirect)]\n\n    if { [iapp::is ::app_stats enabled] } {\n        # START EMBEDDED ICALL SCRIPT\n        set icall_script_tmpl {\n\n            set app APP\n            set folder FOLDER\n            tmsh::cd $folder\n\n            set aso             \"sys.application.service ${folder}/$app\"\n            set virtual_path    \"ltm virtual VS\"\n            set http_path       \"ltm profile http HTTP\"\n            set pool_path       \"ltm pool POOL\"\n\n            # these lists represent strings taken from \"show ... 
field-fmt\"\n            set http_stats { get-reqs number-reqs post-reqs resp-5xx-cnt }\n            set virtual_stats {\n                clientside.bits-in clientside.bits-out clientside.cur-conns\n                clientside.max-conns clientside.pkts-in clientside.pkts-out\n                clientside.tot-conns status.availability-state status.enabled-state\n                status.status-reason\n            }\n            set pool_stats {\n                active-member-cnt serverside.bits-in serverside.bits-out\n                serverside.cur-conns serverside.max-conns serverside.pkts-in\n                serverside.pkts-out serverside.tot-conns\n            }\n\n            if { [catch {\n                # loop over each type of object we want to look at, building the name\n                # of the path and the stats for it as needed\n                foreach type { HTYPE virtual PTYPE } {\n                    # making this its own variable made the Tcl validator stop throwing\n                    # a warning - though it _should_ be fine to move it inline w/its use\n                    set path [set ${type}_path]\n                    set objs [tmsh::get_status $path raw]\n                    if { [llength $objs] == 0 } {\n                        puts \"no object found for: $type\"\n                        continue\n                    }\n                    set obj [lindex $objs 0]\n                    foreach stat [set ${type}_stats] {\n                        set value [tmsh::get_field_value $obj $stat]\n                        # associate the iStat with the app service\n                        istats::set \"$aso string $stat\" $value\n                    }\n                }\n\n                # Set an additional iStat for the size of the pool, updated on\n                # each iCall iteration in case the size of an external pool changes.\n                # Check first that the pool is configured with at least one member.\n                set pool_size 0\n       
         if { \"POOL\" ne \"none\" && [string first \"members\" [tmsh::list $pool_path]] != -1 } {\n                    set pools [tmsh::get_config $pool_path]\n                    if { [llength $pools] == 1 } {\n                        set pool [lindex $pools 0]\n                        set pool_size [llength [tmsh::get_field_value $pool members]]\n                    }\n                }\n                istats::set \"$aso string total-member-cnt\" $pool_size\n            } err] } {\n                istats::set \"$aso string app_stats.publish\" \"Failure in iCall script ${folder}/publish_stats while collecting application statistics: $err\"\n            } else {\n                istats::set \"$aso string app_stats.publish\" \"Published\"\n            }\n        }; # END EMBEDDED ICALL SCRIPT\n\n        # used to fill in variables within iCall script\n        set script_map [list    APP         $tmsh::app_name \\\n                                FOLDER      [tmsh::pwd] \\\n                                VS          [lindex $vs_name 0] \\\n                                HTTP        [lindex $http_name 0] \\\n                                POOL        [lindex $pool_name 0] \\\n            HTYPE       [expr { $ssl_pass_thru ? {} : {http} }] \\\n            PTYPE       [expr { $no_pool ? {} : {pool} }]] \n\n        set icall_script_src [string map $script_map $icall_script_tmpl]\n        iapp::conf create sys icall script publish_stats \\\n            definition \\{ $icall_script_src \\}\n        iapp::conf create sys icall handler periodic publish_stats \\\n            interval 60 script publish_stats\n        set aso \"sys.application.service ${app}.app/$app\"\n        catch { exec istats set \"$aso string app_stats.publish\" \"Starting\" } err\n    }\n}\n\n# This array customizes the assignment of old variables to the vx and tx arrays,\n# which are used to construct the new variables in tmsh. 
Since the old variable\n# name is almost always used during this assignment, \"##\" may be used as an\n# abbreviation. The assignment of ssl_encryption_questions__legacy_advanced\n# is long, but it merely sets the new template context to \"basic\" or \"advanced\"\n# based on the complexity of the user's application.\narray set upgrade_var_arr {\n    ::ssl_encryption_questions__offload_ssl { \\\n         [set vx(offload_history) ##] \\\n         [set vx(ssl_encryption_questions__offload_ssl) \"legacy\"] \\\n         [set vx(ssl_encryption_questions__legacy_advanced) [expr { \\\n           ( ![iapp::get_provisioned avr] || \\\n             [iapp::is ::analytics__add_analytics {No}] ) && \\\n             [iapp::is ::basic__snat              {No}]   && \\\n             [iapp::is ::basic__need_snatpool     {No}]   && \\\n             [iapp::is ::basic__using_ntlm        {No}]   && \\\n             [iapp::is ::server_pools__tcp_request_queuing_enable_question \\\n                                                  {No}]   && \\\n           ( [iapp::is ::server_pools__create_new_monitor {Use Monitor...}] || \\\n           ( [string equal -length 3 $::server_pools__monitor_send   {GET}] && \\\n             [iapp::is ::server_pools__monitor_http_version  {Version 1.0}] )) \\\n             ?no:yes}]]}\n    ::ssl_encryption_questions__offload_ssl_1    {[set vx(ssl__mode)        ##]}\n    ::ssl_encryption_questions__offload_ssl_2    {[set vx(ssl__mode)        ##]}\n    ::ssl_encryption_questions__cert             {[set vx(ssl__cert)        ##]}\n    ::ssl_encryption_questions__key              {[set vx(ssl__key)         ##]}\n    ::analytics__add_analytics                   {[set vx(stats__analytics) \\\n        [expr { ## eq {No} ? {No} : \\\n        [expr { $::analytics__create_new_analytics eq {Yes} ? 
{Yes} : \\\n        $::analytics__analytics_profile }] }] ]}\n    ::basic__addr                       {[set vx(pool__addr)                ##]}\n    ::basic__port                       {[set vx(pool__port)                ##]}\n    ::basic__secure_port                {[set vx(pool__port_secure)         ##]}\n    ::basic__create_redir               {[set vx(pool__redirect_to_https)   ##]}\n    ::basic__redir_port                 {[set vx(pool__redirect_port)       ##]}\n    ::basic__snat                       {[set vx(net__same_subnet)          ##]}\n    ::basic__need_snatpool              {[set vx(net__snat_type)            ##]\\\n                                         [set vx(net__snatpool)             ##]}\n    ::basic__snatpool_members           {[set tx(net__snatpool_members)     ##]}\n    ::basic__using_ntlm                 {[set vx(server__ntlm)              ##]}\n    ::server_pools__create_new_pool     {[set vx(pool__pool_to_use)         ##]}\n    ::server_pools__lb_method_choice    {[set vx(pool__lb_method)           ##]}\n    ::server_pools__tcp_request_queuing_enable_question \\\n                                        {[set vx(server__tcp_req_queueing)  ##]}\n    ::server_pools__tcp_request_queue_length \\\n                                        {[set vx(server__tcp_queue_length)  ##]}\n    ::server_pools__tcp_request_queue_timeout \\\n                                        {[set vx(server__tcp_queue_timeout) ##]}\n    ::server_pools__create_new_monitor  {[set vx(monitor__monitor) \\\n     [expr { ## eq {Use Monitor...} ?$::server_pools__reuse_monitor_name:## }]]}\n    ::server_pools__servers             {[set tx(pool__members)             ##]}\n    ::server_pools__monitor_interval    {[set vx(monitor__frequency)        ##]}\n    ::server_pools__monitor_send  {[set vx(monitor__http_method) [lindex ## 0]]\\\n                                   [set vx(monitor__uri)     [lrange ## 1 end]]}\n    ::server_pools__monitor_http_version    {[set 
vx(monitor__http_version) ##]}\n    ::server_pools__monitor_dns_name { \\\n                                   [set tx(pool__hosts) [subst {{ name ## }}] ]}\n    ::server_pools__monitor_recv        {[set vx(monitor__response)         ##]}\n    ::optimizations__lan_or_wan         {[set vx(net__client_mode)          ##]\\\n                                         [set vx(client__tcp_lan_opt)       ##]\\\n                                         [set vx(client__tcp_wan_opt)       ##]\\\n                                         [set vx(client__http_compression)  ##]}\n    ::optimizations__use_wa { \\\n                     [expr { [iapp::get_provisioned am]  \\\n                     ? [set vx(client__use_wa) ##] : { }}]\\\n                     [set vx(client__standard_caching_with_wa)              ##]\\\n                     [set vx(client__standard_caching_without_wa)           ##]}\n    ::optimizations__x_wa_info_header {[set vx(client__x_wa_info_header)    ##]}\n    ::optimizations__perf_monitor     {[set vx(client__enable_perf_monitor) ##]}\n    ::optimizations__policy           {[set vx(client__policy)              ##]}\n    ::optimizations__use_asm          {[expr { [iapp::get_provisioned asm] && \\\n                                       ![iapp::get_provisioned am] \\\n                                       ? 
[set vx(asm__use_asm) ##] : { }}]}\n    ::optimizations__use_wa_or_asm    { \\\n          [set vx(client__use_wa) \\\n              [expr { [iapp::get_provisioned am] && [iapp::get_provisioned asm]\\\n             && [iapp::is ::optimizations__use_wa_or_asm \"Use WAM\"] ?yes:no }]]\\\n          [set vx(client__standard_caching_with_wa) \\\n              [expr { [iapp::get_provisioned am] && [iapp::get_provisioned asm]\\\n             && [iapp::is ::optimizations__use_wa_or_asm \"Use WAM\"] ?yes:no }]]\\\n          [set vx(client__standard_caching_without_wa) \\\n              [expr { [iapp::get_provisioned am] && [iapp::get_provisioned asm]\\\n             && [iapp::is ::optimizations__use_wa_or_asm \"Use WAM\"] ?yes:no }]]\\\n          [set vx(asm__use_asm) \\\n              [expr { [iapp::get_provisioned am] && [iapp::get_provisioned asm]\\\n             && [iapp::is ::optimizations__use_wa_or_asm \"Use ASM\"] ?yes:no }]]}\n    ::optimizations__language         {[set vx(asm__language)               ##]}\n}\n\n# Two types of translation are supported in this array. If the key is literal,\n# then the translation is applied to all ASO variables. 
If the key is a variable\n# name, then the translation is applied only to that variable.\n\narray set upgrade_trans_arr [subst {\n    {Create New Pool}     $CREATE_NEW_ANSWER\n    {Create New Monitor}  $CREATE_NEW_ANSWER\n    {Use Default Profile} $::DEFAULT_ANSWER\n    Yes                   yes\n    No                    no\n    enabled               yes\n    disabled              no\n    {Version 1.0}         http10\n    {Version 1.1}         http11\n    LAN                   lan\n    WAN                   wan\n    offload_history {\n        Yes  Yes\n        No   No\n    }\n    net__snat_type {\n        Yes  snatpool\n        No   automap\n    }\n    net__need_snatpool {\n        Yes  $CREATE_NEW_ANSWER\n        No   no\n    }\n    ssl__mode {\n        Yes  client_ssl\n        No   no_ssl\n    }\n    server__ntlm {\n        Yes  /Common/ntlm\n        No   $DO_NOT_USE_ANSWER\n    }\n    monitor__response {\n        none { }\n    }\n    stats__analytics {\n        Yes  $CREATE_NEW_ANSWER\n        No   $DO_NOT_USE_ANSWER\n    }\n}]\n\narray set downgrade_tbl_arr {\n    ::pool__members         server_pools__servers\n    ::pool__hosts           optimizations__hosts\n    ::net__snatpool_members basic__snatpool_members\n}\n\n# ABOUT LEGACY MODE, UPGRADE, AND DOWNGRADE\n#\n# The variable ::ssl_encryption_questions__offload_ssl is inherited from the\n# v11.3 F5.HTTP template and is used to determine whether a template originated\n# in a prior release. The purpose is to maintain the user's original selections\n# while making the legacy option unavailable for new applications.\n#\n# Values of ::ssl_encryption_questions__offload_ssl:\n#     - does not exist => template in v11.4 mode\n#     - \"Yes\" or \"No\" => template in v11.3 mode\n#     - \"legacy\" => template created v11.3, now in v11.4 mode\n#\n# The variable ssl_encryption_questions__advanced allows the user to select\n# the complexity of the options presented in the template. 
If the template\n# was originally created pre v11.3, then a different choice variable is used\n# which provides the additional option of returning to the legacy mode.\n#\n# Values of ::ssl_encryption_questions__advanced:\n#     - \"yes\" => v11.4 advanced configuration mode\n#     - \"no\" => v11.4 basic configuration mode\n#\n# Values of ::ssl_encryption_questions__legacy_advanced:\n#     - \"yes\" => v11.4 advanced configuration mode\n#     - \"no\" => v11.4 basic configuration mode\n#     - \"legacy\" => v11.4 user chooses to return to v11.3 view.\n#       This option is not available to virgin v11.4 applications.\n#\n# When a user upgrades this template from v11.3 to v11.4 mode, the value\n# of ::ssl_encryption_questions__offload_ssl is stored in ::offload_history.\n# This value is recovered if the user later opts to return to v11.3 mode.\n\nset do_v11_3  [expr { [iapp::is ssl_encryption_questions__offload_ssl Yes] \\\n                   || [iapp::is ssl_encryption_questions__offload_ssl No] }]\nset upgrade   [iapp::is ssl_encryption_questions__upgrade Yes]\nset downgrade [iapp::is ssl_encryption_questions__legacy_advanced legacy]\n\n# array keys: $do_v11_3,$upgrade,$downgrade\narray set main {\n    0,0,0 { [v11_4_main] }\n    0,1,0 { [v11_4_main] }\n    0,1,1 { [iapp::downgrade_template ssl_encryption_questions__offload_ssl \\\n             ssl_encryption_questions__upgrade downgrade_tbl_arr] }\n    0,0,1 { [iapp::downgrade_template ssl_encryption_questions__offload_ssl \\\n             ssl_encryption_questions__upgrade downgrade_tbl_arr] }\n    1,1,0 { [iapp::upgrade_template upgrade_var_arr upgrade_trans_arr] }\n    1,1,1 { [iapp::upgrade_template upgrade_var_arr upgrade_trans_arr] }\n    *     { [package require iapp::legacy 1.0.0] \\\n            [tmsh::include \"f5.app_utils\"] \\\n            [iapp::legacy::http::configure_http_deployment \"\"] }\n}\n\niapp::substa main($do_v11_3,$upgrade,$downgrade)\niapp::template stop", "roleAcl": ["admin", "manager", 
"resource-admin"], "presentation": "include \"/Common/f5.apl_common\"\n\nsection intro {\n\n        # APL choice values may be set even if the optional\n        # clause is not true. This trick is useful for setting\n        # values that APL otherwise would not have access to.\n        # Here, system provisioning values are recalled, and later\n        # used to customize messages displayed within the template.\n        optional ( \"HIDE\" == \"THIS\" ) {\n            choice am_provisioned tcl {\n                package require iapp 1.1.2\n                return [expr {[iapp::get_provisioned am] ? \"yes\" : \"no\"}]\n            }\n            choice apm_provisioned tcl {\n                package require iapp 1.1.2\n                return [expr {[iapp::get_provisioned apm] ? \"yes\" : \"no\"}]\n            }\n            choice asm_provisioned tcl {\n                package require iapp 1.1.2\n                return [expr {[iapp::get_provisioned asm] ? \"yes\" : \"no\"}]\n            }\n            choice asm_policy tcl {\n                 package require iapp 1.1.2\n                 return [expr {[iapp::get_items -nocomplain -filter controls =~ asm ltm policy] ne \"\" ? \"yes\" : \"no\"}]\n            }\n            choice afm_allowed tcl {\n                package require iapp 1.1.2\n                return [expr { [iapp::get_provisioned afm] ? \"yes\" : \"no\"}]\n            }\n            choice analytics_provisioned tcl {\n                package require iapp 1.1.2\n                return [expr {[iapp::get_provisioned avr] ? \"yes\" : \"no\"}]\n            }\n            choice is_admin tcl {\n                package require iapp 1.1.2\n                return yes\n            }\n            choice is_v11_4 tcl {\n                package require iapp 1.1.2\n                return [expr {[iapp::tmos_version >= 11.4] ? 
\"yes\" : \"no\"}]\n            }\n            choice is_v11_6 tcl {\n                package require iapp 1.1.2\n                return [expr {[iapp::tmos_version >= 11.6] ? \"yes\" : \"no\"}]\n            }\n        }\n\n        message hello\n        message check_for_updates\n\n        optional ( am_provisioned == \"no\" ) {\n            message am_not_provisioned\n        }\n        optional ( analytics_provisioned == \"no\" ) {\n            message analytics_not_provisioned\n        }\n        optional ( asm_provisioned == \"no\" ) {\n            message asm_not_provisioned\n        }\n\n    }\n\n    section ssl_encryption_questions {\n\n        # If this variable is present, then the user is re-parenting from\n        # a v11.3 or earlier template. This condition causes the system\n        # to display the old template along with an offer to upgrade.\n        optional ( \"HIDE\" == \"THIS\" ) {\n            choice offload_ssl default \"no_legacy\" { \"Yes\", \"No\", \"legacy\", \"no_legacy\" }\n        }\n\n        # For v11.3 applications\n        optional ( offload_ssl == \"Yes\" || offload_ssl == \"No\" ) {\n            message deprecated\n\n            choice upgrade default \"No\" display \"small\"\n\n            message gap_1 \"\"\n            message gap_2 \"\"\n            message section_head \"\"\n        }\n        optional ( offload_ssl == \"Yes\" ) {\n            choice offload_ssl_1 default \"Yes\"\n        }\n        optional ( offload_ssl == \"No\" ) {\n            choice offload_ssl_2 default \"No\"\n        }\n        optional ((ssl_encryption_questions.offload_ssl == \"Yes\"\n                && ssl_encryption_questions.offload_ssl_1 == \"Yes\" )\n                || (ssl_encryption_questions.offload_ssl == \"No\"\n                && ssl_encryption_questions.offload_ssl_2 == \"Yes\" )) {\n\n            choice cert default \"/Common/default.crt\" display \"xxlarge\" tcl {\n                package require iapp 1.1.2\n                set 
::choices [iapp::get_items -norecursive -filter NAME !~ ca-bundle.crt|f5-irule.crt sys file ssl-cert]\n                return $::choices\n            }\n\n            choice key default \"/Common/default.key\" display \"xxlarge\" tcl {\n                package require iapp 1.1.2\n                set ::choices [iapp::get_items -norecursive sys file ssl-key]\n                return $::choices\n            }\n        }\n\n        # For v11.4 applications\n        optional ( offload_ssl == \"legacy\" || offload_ssl == \"no_legacy\" ) {\n\n            choice help display \"xxlarge\" default \"hide\"\n            optional ( help == \"max\" ) {\n                message help_max\n            }\n            optional ( offload_ssl == \"legacy\" ) {\n                choice legacy_advanced display \"xxlarge\" default \"no\"\n                optional ( legacy_advanced == \"legacy\" ) {\n                    message legacy_warning\n                }\n            }\n            optional ( offload_ssl == \"no_legacy\" ) {\n                choice advanced display \"xxlarge\" default \"no\"\n                optional ( help == \"max\" ) {\n                    message conf_mode_max\n                }\n\n            }\n        }\n    }\n\n    # For post-v11.4 applications\n    optional ( ssl_encryption_questions.offload_ssl == \"legacy\"\n             || ssl_encryption_questions.offload_ssl == \"no_legacy\" ) {\n\n        section net {\n            choice client_mode display \"xxlarge\" default \"wan\" tcl {\n\n                package require iapp 1.1.2\n                set rval \"Local area network  (LAN)\\tlan\\nWide area network  (WAN)\\twan\\n\"\n                if { [iapp::get_provisioned am] } {\n                    append rval \"WAN through another BIG-IP system\\ttunnel\\n\"\n                }\n\n                return $rval\n            }\n\n            optional ( ssl_encryption_questions.help == \"max\" ) {\n                message client_mode_max\n            }\n            
optional ( client_mode == \"tunnel\" ) {\n                message tunnel_max1\n                message tunnel_max2\n            }\n            optional ( ssl_encryption_questions.legacy_advanced == \"yes\"\n                    || ssl_encryption_questions.advanced == \"yes\" ) {\n                choice vlan_mode display \"xxlarge\" default \"enabled\"\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                    message vlan_max\n                }\n                optional ( vlan_mode != \"all\" ) {\n                    multichoice client_vlan default tcl {\n                        package require iapp 1.1.2\n                        set ::choices [iapp::get_items net vlan]\n                        return $::choices\n                    } tcl {\n                        package require iapp 1.1.2\n                        set ::choices [iapp::get_items net vlan]\n                        return $::choices\n                    }\n                    optional ( vlan_mode == \"disabled\" ) {\n                        message disabled_vlan_max\n                    }\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message client_vlan_max\n                    }\n                }\n            }\n\n            choice server_mode display \"xxlarge\" default \"lan\" tcl {\n\n                package require iapp 1.1.2\n                set rval \"Local area network  (LAN)\\tlan\\nWide area network  (WAN)\\twan\\n\"\n                if { [iapp::get_provisioned am] } {\n                    append rval \"WAN through another BIG-IP system\\ttunnel\\n\"\n                }\n                return $rval\n            }\n            optional ( ssl_encryption_questions.help == \"max\" ) {\n                message server_mode_max\n            }\n            optional ( server_mode == \"tunnel\" ) {\n                message tunnel_max3\n                message tunnel_max4\n            }\n\n            optional 
( ssl_encryption_questions.legacy_advanced != \"no\"\n                    || ssl_encryption_questions.advanced == \"yes\" ) {\n                choice same_subnet display \"xxlarge\" default \"no\"\n\n\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                    message subnet_1_max\n                    message subnet_2_max\n                    message subnet_3_max\n                }\n\n                optional ( same_subnet == \"no\" ) {\n                    choice route_to_bigip display \"xxlarge\" default \"no\"\n\n\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message def_rt_1_max\n                        message def_rt_2_max\n                        message def_rt_3_max\n                    }\n                }\n\n                optional ( same_subnet == \"yes\"\n                         ||  ( same_subnet == \"no\"\n                          && route_to_bigip == \"no\" )) {\n                    choice snat_type display \"xxlarge\" default \"automap\"\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message snat_max\n                    }\n                    optional ( snat_type == \"snatpool\" ) {\n                        choice snatpool display \"xxlarge\" default \"/#create_new#\" tcl {\n                            package require iapp 1.1.2\n                            set ::choices \"Create a new SNAT pool\\t/#create_new#\\n[iapp::get_items ltm snatpool]\"\n                            return $::choices\n                        }\n                        optional ( ssl_encryption_questions.help == \"max\" ) {\n                            message snatpool_max\n                        }\n\n\n                        optional ( snatpool == \"/#create_new#\" ) {\n                            table snatpool_members {\n                                string addr required validator \"IpAddress\"\n                              
      display \"xlarge\"\n                            }\n\n\n                            optional ( ssl_encryption_questions.help == \"max\" ) {\n                                message snatpool_members_max\n                            }\n                        }\n\n                    }\n\n                }\n            }\n        }\n\n        section ssl {\n\n                choice mode display \"xxlarge\" default \"no_ssl\"\n\n            optional ( ssl_encryption_questions.help == \"max\" ) {\n                message mode_1_max\n                message mode_2_max\n                message mode_3_max\n                message mode_7_max\n                message mode_4_max\n                message mode_5_max\n                message mode_6_max\n            }\n\n            optional ( mode == \"client_ssl\" || mode == \"client_ssl_server_ssl\"  ) {\n                optional ( ssl_encryption_questions.legacy_advanced == \"yes\"\n                        || ssl_encryption_questions.advanced == \"yes\" ) {\n                    choice client_ssl_profile display \"xxlarge\"\n                        default \"/#create_new#\" tcl {\n                        package require iapp 1.1.2\n                        set ::choices \"Create a new Client SSL profile\\t/#create_new#\\n[iapp::get_items ltm profile client-ssl]\"\n                        return $::choices\n                    }\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message client_ssl_profile_max\n                    }\n                }\n                optional (( ssl_encryption_questions.legacy_advanced == \"no\"\n                         && ssl_encryption_questions.advanced == \"no\" )\n                         || client_ssl_profile == \"/#create_new#\" ) {\n                    choice cert default \"/Common/default.crt\" display \"xxlarge\" tcl {\n                        package require iapp 1.1.2\n                        set ::choices [iapp::get_items 
-norecursive -filter NAME !~ ca-bundle.crt|f5-irule.crt sys file ssl-cert]\n                        return $::choices\n                    }\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message cert_max\n                        message cert1_max\n                    }\n                    choice key default \"/Common/default.key\" display \"xxlarge\" tcl {\n                        package require iapp 1.1.2\n                        set ::choices [iapp::get_items -norecursive sys file ssl-key]\n                        return $::choices\n                    }\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message key_max\n                    }\n                    optional ( cert == \"/Common/default.crt\"\n                            || key == \"/Common/default.key\" ) {\n                        message ssl_warn_1\n\n                    }\n\n                    optional ( ssl_encryption_questions.legacy_advanced == \"yes\"\n                            || ssl_encryption_questions.advanced == \"yes\" ) {\n                        choice use_chain_cert display \"xxlarge\"\n                                default \"/#do_not_use#\" tcl {\n                            package require iapp 1.1.2\n                            set ::choices \"Do not use an intermediate certificate\\t/#do_not_use#\\n[iapp::get_items -norecursive sys file ssl-cert]\"\n                            return $::choices\n                        }\n\n\n                        optional ( ssl_encryption_questions.help == \"max\" ) {\n                            message use_chain_cert_1_max\n                            message use_chain_cert_2_max\n                        }\n                    }\n                }\n            }\n\n\n            optional ( mode == \"server_ssl\" || mode == \"client_ssl_server_ssl\" ) {\n                choice server_ssl_profile display \"xxlarge\" default 
\"/#default#\" tcl {\n                    package require iapp 1.1.2\n                    set ::choices \"Create a new Server SSL profile based on serverssl (recommended)\\t/#default#\\n[iapp::get_items ltm profile server-ssl]\"\n                    return $::choices\n                }\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                    message server_ssl_profile_max\n                }\n            }\n        }\n\n        optional ( intro.asm_provisioned == \"yes\" && intro.is_v11_4 == \"yes\" && ( ssl.mode != \"pass_thru\"  )) {\n                section asm {\n                    choice use_asm default \"/#do_not_use#\" display \"xxlarge\" tcl {\n                        package require iapp 1.1.2\n                        set ::choices \"Do not use Application Security Manager\\t/#do_not_use#\\n[iapp::get_items -nocomplain -filter controls =~ asm ltm policy]\"\n                        return $::choices\n                    }\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message asm_1_max \"The BIG-IP Application Security Manager (ASM) module is an advanced web application firewall that significantly reduces and mitigates the risk of loss or damage to data, intellectual property, and web applications. BIG-IP ASM can help secure your web deployment.\"\n                    }\n                    optional ( use_asm != \"/#do_not_use#\" ) {\n                        optional ( ssl_encryption_questions.help == \"max\" ) {\n                            message asm_2_max \"If you choose to use ASM, the iApp template assigns the ASM-enabled LTM policy you select here to the BIG-IP HTTP virtual server.  
You must have correctly configured an ASM policy appropriate for your application, and an LTM policy with ASM rules enabled, before it will appear in this list.\"\n                        }\n\n                        optional ( intro.is_admin == \"yes\" ) {\n                            choice security_logging default \"/#do_not_use#\" display \"xxlarge\" tcl {\n\n                                # Menu should display all log profiles with \"network none\".\n                                # iapp::get_items will not filter security log profiles,\n                                # so the filter has been written inline here.\n                                set ::choices \"Do not use a logging profile\\t/#do_not_use#\\n\"\n                                if { [catch {\n                                    set profile_list [tmsh::list security log profile all-properties recursive]\n                                } err] } {\n                                    set profile_list \" \"\n                                }\n                                array set profiles  [string map {\"security log profile\" \"\"} $profile_list]\n                                foreach name [array names profiles] {\n                                    array set subprofile $profiles($name)\n                                    if { [info exists subprofile(application)] &&  $subprofile(application) != \"none\" } {\n                                        append ::choices \"$name\\n\"\n                                    }\n                                }\n                                return $::choices\n                            }\n                            optional ( ssl_encryption_questions.help == \"max\" ) {\n                                message security_logging_max\n                            }\n                        }\n                    }\n                    optional ( intro.asm_policy == \"no\" )  {\n                         message asm_3_warning \"You have ASM 
provisioned, but no ASM-enabled policies exist on this system.  You must create at least one ASM policy before you can deploy ASM for this application.\"\n                    }\n                }\n           }\n\n        optional ( intro.afm_allowed == \"yes\" && intro.is_admin == \"yes\" && intro.is_v11_4 == \"yes\" ) {\n            section afm {\n                choice policy default \"/#do_not_use#\" display \"xxlarge\" tcl {\n                    package require iapp 1.1.2\n                    set ::choices \"Yes, use network firewall and IP Intelligence\\t/#default#\\nNo, do not use network firewall or IP Intelligence\\t/#do_not_use#\\n[iapp::get_items -nocomplain security firewall policy]\"\n                    return $::choices\n                }\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                    message policy_max\n                }\n                optional ( policy == \"/#default#\" ) {\n\n                    choice restrict_by_addr default \"/#do_not_use#\" display \"xxlarge\" tcl {\n                        package require iapp 1.1.2\n                        set ::choices \"No, do not forbid client addresses (allow all)\\t/#do_not_use#\\nYes, forbid specific client addresses\\t/#create_new#\\n[iapp::get_items -nocomplain security firewall address-list]\"\n                        return $::choices\n                    }\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message restrict_max\n                    }\n                    optional ( restrict_by_addr == \"/#create_new#\" ) {\n                        string allowed_addr display \"xxlarge\" required\n                        optional ( ssl_encryption_questions.help == \"max\" ) {\n                            message allowed_addr_max\n                        }\n                    }\n                }\n                optional ( policy != \"/#do_not_use#\" ) {\n                    choice 
restrict_by_reputation default \"accept\" display \"xxlarge\" tcl {\n                        package require iapp 1.1.2\n                        set choices \"Accept all connections and log nothing\\taccept\\nReject connections from IP addresses with poor reputations\\treject\\nAccept all connections but log those from suspicious networks\\twarn\"\n                        if { [iapp::tmos_version >= 11.5] } {\n                            append choices \"\\nSelect an IP Intelligence policy\\tselect\"\n                        }\n                        return $choices\n                    }\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message restrict_by_reputation_max\n                    }\n                    optional ( ssl_encryption_questions.help == \"max\" && restrict_by_reputation != \"accept\" ) {\n                        message restrict_by_reputation_log\n                    }\n                    optional ( restrict_by_reputation == \"select\" ) {\n                        choice ip_intelligence_policy display \"xxlarge\" tcl {\n                            package require iapp 1.1.2\n                            set ::choices \"[iapp::get_items -nocomplain security ip-intelligence policy]\"\n                            return $::choices\n                        }\n\t\t\t\t\t\toptional ( ssl_encryption_questions.help == \"max\" ) {\n\t\t\t\t\t\t\tmessage ip_intelligence_policy_max\n\t\t\t\t\t\t}\n                    }\n                    message restrict_by_reputation_warn\n\n                    choice staging_policy default \"/#do_not_use#\" display \"xxlarge\" tcl {\n                        package require iapp 1.1.2\n                        set ::choices \"Do not apply a staging policy\\t/#do_not_use#\\n[iapp::get_items -nocomplain security firewall policy]\"\n                        return $::choices\n                    }\n                    message staging_policy1_max\n\n                    
optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message staging_policy_max\n                    }\n                    choice security_logging default \"/#do_not_use#\" display \"xxlarge\" tcl {\n\n                        # Menu should display all log profiles with \"network none\".\n                        # iapp::get_items will not filter security log profiles,\n                        # so the filter has been written inline here.\n                        set ::choices \"Do not use a logging profile\\t/#do_not_use#\\n\"\n                        if { [catch {\n                            set profile_list [tmsh::list security log profile all-properties recursive]\n                        } err] } {\n                            set profile_list \" \"\n                        }\n                        array set profiles \\\n                            [string map {\"security log profile\" \"\"} $profile_list]\n                        foreach name [array names profiles] {\n                            array set subprofile $profiles($name)\n                            if { [info exists subprofile(network)] && \\\n                                $subprofile(network) != \"none\" } {\n                                append ::choices \"$name\\n\"\n                            }\n                        }\n                        return $::choices\n                    }\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message security_logging_max\n                        message security_logging1_max\n                    }\n                }\n                optional ( ssl_encryption_questions.legacy_advanced == \"yes\"\n                        || ssl_encryption_questions.advanced == \"yes\" ) {\n                    choice dos_security_profile default \"/#do_not_use#\" display \"xxlarge\" tcl {\n                        package require iapp 1.1.2\n                        set ::choices \"Do 
not use a DoS profile\\t/#do_not_use#\\n[iapp::get_items -nocomplain security dos profile]\"\n                        return $::choices\n                    }\n\t\t\t\t\toptional ( ssl_encryption_questions.help == \"max\" ) {\n                        message dos_security_profile_max\n                    }\n                    choice protocol_security_profile default \"/#do_not_use#\" display \"xxlarge\" tcl {\n                        package require iapp 1.1.2\n                        set ::choices \"Do not use an HTTP protocol security profile\\t/#do_not_use#\\n[iapp::get_items -nocomplain security http profile]\"\n                        return $::choices\n                    }\n\t\t\t\t\toptional ( ssl_encryption_questions.help == \"max\" ) {\n                        message protocol_security_profile_max\n                    }\n                }\n            }\n        }\n        section pool {\n            string addr display \"xxlarge\" required validator \"IpAddress\"\n            optional ( ssl_encryption_questions.help == \"max\" ) {\n                message addr_max\n            }\n            optional ( ssl_encryption_questions.legacy_advanced == \"yes\"\n                    || ssl_encryption_questions.advanced == \"yes\" ) {\n                string mask display \"xxlarge\" validator \"IpAddress\"\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                    message mask_max\n                }\n            }\n\n            optional ( ssl.mode != \"client_ssl\" && ssl.mode != \"pass_thru\"\n                && ssl.mode != \"client_ssl_server_ssl\" ) {\n                string port display \"medium\" validator \"PortNumber\"\n                    default \"80\" required\n            }\n            optional ( ssl.mode == \"client_ssl\" || ssl.mode == \"pass_thru\"\n                || ssl.mode == \"client_ssl_server_ssl\" ) {\n                string port_secure display \"medium\" validator \"PortNumber\"\n                    
default \"443\" required\n            }\n            optional ( ssl_encryption_questions.help == \"max\" ) {\n                message port_max\n            }\n\n            optional ( ssl_encryption_questions.legacy_advanced == \"yes\"\n                    || ssl_encryption_questions.advanced == \"yes\" ) {\n                optional ( \"HIDE\" == \"THIS\" ) {\n                    choice is_ha tcl {\n                        set sync_status [lindex [tmsh::get_status cm sync-status] 0]\n                        set status [tmsh::get_field_value $sync_status status]\n                        return $status\n                    }\n                }\n\n                optional ( is_ha != \"Standalone\" ) {\n                    choice mirror display \"xxlarge\" default \"disabled\"\n\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message mirror_max\n                    }\n                }\n            }\n\n            table hosts {\n                string name required validator \"FQDN\" display \"xlarge\"\n            }\n            optional ( ssl_encryption_questions.help == \"max\" ) {\n                message fqdn_max\n            }\n\n            optional (( ssl_encryption_questions.legacy_advanced == \"yes\"\n                     || ssl_encryption_questions.advanced == \"yes\" )\n                     && ( ssl.mode == \"client_ssl\"\n                     || ssl.mode == \"client_ssl_server_ssl\"\n                     || ssl.mode == \"pass_thru\" )) {\n\n                choice redirect_to_https display \"xxlarge\" default \"yes\"\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message redirect_max\n                    }\n                optional ( redirect_to_https == \"yes\" ) {\n                    string redirect_port display \"medium\"\n                        validator \"PortNumber\" default \"80\"\n                    optional ( ssl_encryption_questions.help == 
\"max\" ) {\n                        message redirect_port_max\n                    }\n                }\n            }\n\n            optional ( ssl_encryption_questions.legacy_advanced == \"yes\"\n                    || ssl_encryption_questions.advanced == \"yes\" ) {\n\n                optional ( ssl.mode != \"pass_thru\"  ) {\n                    choice http display \"xxlarge\" default \"/#create_new#\" tcl {\n                        package require iapp 1.1.2\n                        set ::choices \"Create a new HTTP profile (recommended)\\t/#create_new#\\n[iapp::get_items ltm profile http]\"\n                        return $::choices\n                    }\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message http_max\n                    }\n\n                    optional ( http == \"/#create_new#\" ) {\n                        choice xff display \"xxlarge\" default \"yes\"\n                        optional ( ssl_encryption_questions.help == \"max\" ) {\n                            message xff_max\n                        }\n                    }\n                }\n\n                optional ( ssl.mode != \"pass_thru\" ) {\n                    choice persist display \"xxlarge\" default \"/#cookie#\" tcl {\n                        package require iapp 1.1.2\n                        if { [iapp::get_items -exists -local -norecursive ltm persistence cookie /Common/cookie] } {\n                            set ::choices \"Use cookie persistence (recommended)\\t/#cookie#\\nUse source address persistence\\t/#source#\\nDo not use persistence\\t/#do_not_use#\\n[iapp::get_items ltm persistence cookie]\"\n                        } else {\n                            set ::choices \"Use source address persistence\\t/#source#\\nDo not use persistence\\t/#do_not_use#\"\n                        }\n                        append ::choices \"\\n[iapp::get_items ltm persistence source-addr]\\n[iapp::get_items ltm 
persistence ssl]\\n[iapp::get_items ltm persistence universal]\"\n                        return $::choices\n                    }\n                }\n                optional ( ssl.mode == \"pass_thru\" ) {\n                    choice pass_thru_persist display \"xxlarge\" default \"/#source#\" tcl {\n                        package require iapp 1.1.2\n                        set ::choices \"Use source address persistence\\t/#source#\\nDo not use persistence\\t/#do_not_use#\\n[iapp::get_items ltm persistence source-addr]\\n[iapp::get_items ltm persistence ssl]\"\n                        return $::choices\n                    }\n                }\n\n                optional ( ssl_encryption_questions.help == \"max\" && ssl.mode != \"pass_thru\" ) {\n                    message persist_max\n                }\n                optional ( ssl_encryption_questions.help == \"max\" && ssl.mode == \"pass_thru\" ) {\n                        message pass_thru_persist_max\n                    }\n            }\n\n            optional ( net.server_mode != \"tunnel\" ) {\n                choice pool_to_use display \"xxlarge\" default \"/#create_new#\" tcl {\n                    package require iapp 1.1.2\n                    set ::choices \"Create a new pool\\t/#create_new#\\nDo not use a pool\\t/#do_not_use#\\n[iapp::get_items ltm pool]\"\n                    return $::choices\n                }\n            }\n            optional ( net.server_mode == \"tunnel\" ) {\n                choice pool_to_use_wom display \"xxlarge\" default \"/#do_not_use#\" tcl {\n                    package require iapp 1.1.2\n                    set ::choices \"Create a new pool\\t/#create_new#\\nDo not use a pool\\t/#do_not_use#\\n[iapp::get_items ltm pool]\"\n                    return $::choices\n                }\n            }\n\n\n        optional ( ssl_encryption_questions.help == \"max\" ) {\n            message pool_max\n        }\n\n        optional (( net.server_mode != \"tunnel\" && 
pool_to_use == \"/#create_new#\" )\n        || ( net.server_mode == \"tunnel\" && pool_to_use_wom == \"/#create_new#\" )) {\n            optional ( ssl_encryption_questions.legacy_advanced == \"yes\"\n                    || ssl_encryption_questions.advanced == \"yes\" ) {\n                lb_method lb_method\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                    message lb_method_max\n                }\n\n                choice use_pga default \"no\" display \"xxlarge\"\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message pga_max\n                }\n                optional ( use_pga == \"yes\" ) {\n                    string min_active_members display \"medium\" default \"0\"\n                        required validator \"NonNegativeNumber\"\n                        optional ( ssl_encryption_questions.help == \"max\" ) {\n                            message min_active_members_max\n                        }\n                    }\n            }\n\n            table members {\n                editchoice addr display \"large\" tcl {\n                    package require iapp 1.1.2\n                    set ::choices [iapp::get_items ltm node]\n                    return $::choices\n                }\n\n                optional ( ssl.mode == \"client_ssl\"\n                         || ssl.mode == \"no_ssl\" ) {\n                    string port display \"small\" required default \"80\"\n                        validator \"PortNumber\"\n                }\n                optional ( ssl.mode == \"server_ssl\"\n                         || ssl.mode == \"client_ssl_server_ssl\"\n                         || ssl.mode == \"pass_thru\" ) {\n                    string port_secure display \"small\" required\n                        default \"443\" validator \"PortNumber\"\n                }\n\n\n                string connection_limit display \"small\" required\n                        
default \"0\" validator \"NonNegativeNumber\"\n                optional ( lb_method == \"ratio-member\"\n                        || lb_method == \"ratio-node\"\n                        || lb_method == \"ratio-session\"\n                        || lb_method == \"ratio-least-connections-member\"\n                        || lb_method == \"ratio-least-connections-node\"\n                        || lb_method == \"dynamic-ratio-member\"\n                        || lb_method == \"dynamic-ratio-node\" ) {\n                    string ratio default \"1\" validator \"NonNegativeNumber\"\n                        display \"small\"\n                }\n\n                optional (( ssl_encryption_questions.legacy_advanced == \"yes\"\n                        || ssl_encryption_questions.advanced == \"yes\" )\n                        && use_pga == \"yes\" ) {\n                    string priority default \"0\" required\n                        validator \"NonNegativeNumber\" display \"small\"\n                }\n            }\n            optional ( ssl_encryption_questions.help == \"max\" ) {\n                message members_max\n            }\n        }\n    }\n\n    optional (( ssl_encryption_questions.legacy_advanced == \"yes\"\n            || ssl_encryption_questions.advanced == \"yes\" )\n            || ( ssl.mode != \"pass_thru\"  )) {\n        section client {\n            optional ( ssl.mode != \"pass_thru\"  ) {\n                optional ( intro.am_provisioned == \"yes\" ) {\n                    # If the template user decides to use AAM, the Web\n                    # Acceleration question in the Virtual Server  ( basic )\n                    # section are modified to disallow \"Do not use\" as an option.\n                    choice use_wa default \"yes\" display \"xxlarge\"\n\n                    optional ( ssl_encryption_questions.help == \"max\" && intro.am_provisioned == \"yes\" ) {\n                        message standard_caching_with_wa_max\n                    }\n   
             }\n                optional ( ssl_encryption_questions.legacy_advanced == \"yes\"\n                        || ssl_encryption_questions.advanced == \"yes\" ) {\n                    # If the template user elects to use AAM in the\n                    # preceding section, the user must *not* be presented with\n                    # an option for \"Do not use a Web Acceleration profile\" here.\n\n                    optional ( intro.am_provisioned == \"yes\"\n                             && use_wa == \"yes\" ) {\n\n                        choice standard_caching_with_wa display \"xxlarge\"\n                                 default \"/#create_new#\" tcl {\n                            package require iapp 1.1.2\n                            set ::choices \"Create a profile based on optimized-acceleration (recommended)\\t/#create_new#\\n[iapp::get_items -filter applications ne none ltm profile web-acceleration]\"\n                            return $::choices\n                        }\n                        optional ( standard_caching_with_wa != \"/#create_new#\" &&\n                                ssl_encryption_questions.help == \"max\" ) {\n                            message standard_caching_with_wa_not_default_max\n                        }\n\n                        optional ( ssl_encryption_questions.help == \"max\" ) {\n                            message about_custom_caching_max_1\n                        }\n                        optional ( ssl_encryption_questions.help == \"max\" && use_wa == \"yes\") {\n                            message about_custom_caching_max_2\n                        }\n                    }\n\n                    optional ( intro.am_provisioned == \"no\" || use_wa != \"yes\" ) {\n                        choice standard_caching_without_wa display \"xxlarge\" default \"/#create_new#\" tcl {\n                            package require iapp 1.1.2\n                            set prof_list [iapp::get_items -filter 
applications eq none -list ltm profile web-acceleration]\n                            set purge_item [lsearch $prof_list \"/Common/optimized-acceleration\"]\n                            if { $purge_item != -1 } {\n                                set prof_list [lreplace $prof_list $purge_item $purge_item]\n                            }\n                            set ::choices \"Create a profile based on optimized-caching (recommended)\\t/#create_new#\\nDo not use caching\\t/#do_not_use#\\n[join $prof_list \\n]\"\n                            return $::choices\n                        }\n                        optional ( ssl_encryption_questions.help == \"max\" ) {\n                            message about_custom_caching_max_1a\n                            message about_custom_caching_max_3\n                        }\n                    }\n                }\n\n                optional ( intro.am_provisioned == \"yes\" && ( ssl.mode != \"pass_thru\"  )) {\n                    optional ( use_wa == \"yes\" && (\n                               ( ssl_encryption_questions.legacy_advanced == \"no\"\n                               && ssl_encryption_questions.advanced == \"no\" )\n                          || ( ( ssl_encryption_questions.legacy_advanced == \"yes\"\n                               || ssl_encryption_questions.advanced == \"yes\" )\n                             && standard_caching_with_wa == \"/#create_new#\" )) ) {\n                        optional ( ssl_encryption_questions.legacy_advanced == \"yes\"\n                                || ssl_encryption_questions.advanced == \"yes\" ) {\n                            choice x_wa_info_header default \"none\" display \"xxlarge\"\n\n\n                            optional ( ssl_encryption_questions.help == \"max\" ) {\n                                message x_wa_info_max\n                            }\n\n                            choice enable_perf_monitor display \"xxlarge\" default \"no\"\n\n                    
        optional ( ssl_encryption_questions.help == \"max\" ) {\n                                message enable_perf_monitor_max\n                            }\n\n                            optional ( enable_perf_monitor == \"yes\" ) {\n                                string data_retention_period default \"30\" required\n                                    validator \"NonNegativeNumber\" display \"medium\"\n                            }\n\n                            optional ( use_wa == \"yes\" ) {\n                                choice policy display \"xxlarge\"\n                                        default \"/Common/Generic Policy - Enhanced\" tcl {\n                                    package require iapp 1.1.2\n                                    set ::choices \"/Common/Generic Policy - Complete\\n/Common/Generic Policy - Enhanced\\n/Common/Generic Policy - Extension Based\\n/Common/Generic Policy - Fundamental\\n[string map {\"\\\"\" \"\"} [iapp::get_items -nocomplain -norecursive -filter predefined == no wam policy predefined]]\"\n                                    return $::choices\n                                }\n                            }\n\n\n                            optional ( ssl_encryption_questions.help == \"max\" ) {\n                                optional ( policy == \"/Common/Generic Policy - Complete\" ) {\n                                    message policy_complete_about_max\n                                }\n\n                                optional ( policy == \"/Common/Generic Policy - Enhanced\" ) {\n                                    message policy_enhanced_about_max\n                                }\n\n                                optional ( policy == \"/Common/Generic Policy - Extension Based\" ) {\n                                    message policy_extension_about_max\n                                }\n\n                                optional ( policy == \"/Common/Generic Policy - Fundamental\" ) {\n            
                        message policy_fundamental_about_max\n                                }\n\n                            }\n                        }\n                    }\n                }\n\n                choice http_compression display \"xxlarge\" default \"/#create_new#\" tcl {\n                    package require iapp 1.1.2\n                    set ::choices \"Create a profile based on wan-optimized-compression (recommended)\\t/#create_new#\\nDo not compress HTTP responses\\t/#do_not_use#\\n[iapp::get_items ltm profile http-compression]\"\n                    return $::choices\n                }\n\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                    message comp_max\n                    message comp1_max\n                }\n            }\n\n            optional ( ssl_encryption_questions.legacy_advanced == \"yes\"\n                    || ssl_encryption_questions.advanced == \"yes\" ) {\n                optional ( net.client_mode == \"lan\" ) {\n                    choice tcp_lan_opt display \"xxlarge\" default \"/#create_new#\" tcl {\n                        package require iapp 1.1.2\n                        set ::choices \"Create a profile based on tcp-lan-optimized (recommended)\\t/#create_new#\\n[iapp::get_items ltm profile tcp]\"\n                        return $::choices\n                    }\n                }\n\n                optional ( net.client_mode != \"lan\" ) {\n                    choice tcp_wan_opt display \"xxlarge\" default \"/#create_new#\" tcl {\n                        package require iapp 1.1.2\n                        set ::choices \"Create a profile based on tcp-wan-optimized (recommended)\\t/#create_new#\\n[iapp::get_items ltm profile tcp]\"\n                        return $::choices\n                    }\n                }\n\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                    message tcp_max\n                }\n                optional ( 
net.server_mode == \"tunnel\"\n                    && intro.am_provisioned == \"yes\" ) {\n                    choice isession_profile display \"xxlarge\" default \"/Common/isession\" tcl {\n                        package require iapp 1.1.2\n                        set ::choices \"New iSession profile\\t/#create_new#\\n[iapp::get_items -nocomplain wom profile isession]\"\n                        return $::choices\n                    }\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message isession_profile_max\n                    }\n                    optional ( isession_profile == \"/#create_new#\" ) {\n                        row isession {\n                            choice encryption default \"disabled\" display \"small\"\n                                { \"Yes\" => \"enabled\", \"No\" => \"disabled\" }\n                            choice compression default \"enabled\" display \"small\"\n                                { \"Yes\" => \"enabled\", \"No\" => \"disabled\" }\n                            choice deduplication default \"enabled\" display \"small\"\n                                { \"Yes\" => \"enabled\", \"No\" => \"disabled\" }\n                        }\n                        optional ( ssl_encryption_questions.help == \"max\" ) {\n                            message isession_max\n                        }\n                    }\n                }\n            }\n        }\n    }\n\n    optional ( ssl_encryption_questions.legacy_advanced == \"yes\"\n            || ssl_encryption_questions.advanced == \"yes\" ) {\n        section server {\n            optional ( ssl.mode != \"pass_thru\"  ) {\n                choice oneconnect display \"xxlarge\" default \"/#create_new#\" tcl {\n                    package require iapp 1.1.2\n                    set ::choices \"Create a profile based on the oneconnect parent (recommended)\\t/#create_new#\\nDo not use 
OneConnect\\t/#do_not_use#\\n[iapp::get_items ltm profile one-connect]\"\n                    return $::choices\n                }\n\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                    message oc_max\n                }\n\n            optional ( oneconnect != \"/#do_not_use#\" ) {\n                choice ntlm display \"xxlarge\" default \"/#do_not_use#\" tcl {\n                    package require iapp 1.1.2\n                    set ::choices \"Create an NTLM profile\\t/#create_new#\\nDo not use NTLM  (recommended)\\t/#do_not_use#\\n[iapp::get_items ltm profile ntlm]\"\n                    return $::choices\n                }\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                    message ntlm_max\n                }\n            }\n\n            }\n\n            optional ( net.server_mode == \"lan\" ) {\n                choice tcp_lan_opt display \"xxlarge\" default \"/#create_new#\" tcl {\n                    package require iapp 1.1.2\n                    set ::choices \"Create a profile based on tcp-lan-optimized (recommended)\\t/#create_new#\\n[iapp::get_items ltm profile tcp]\"\n                    return $::choices\n                }\n            }\n\n            optional ( net.server_mode != \"lan\" ) {\n                choice tcp_wan_opt display \"xxlarge\" default \"/#create_new#\" tcl {\n                    package require iapp 1.1.2\n                    set ::choices \"Create a profile based on tcp-wan-optimized (recommended)\\t/#create_new#\\n[iapp::get_items ltm profile tcp]\"\n                    return $::choices\n                }\n            }\n\n            optional ( ssl_encryption_questions.help == \"max\" ) {\n                message tcp_max\n            }\n\n            choice tcp_req_queueing display \"xxlarge\" default \"no\"\n            optional ( ssl_encryption_questions.help == \"max\" ) {\n                message tcp_request_queue_2_max\n            }\n       
     optional ( tcp_req_queueing == \"yes\" ) {\n            message tcp_request_queue_1_max\n            string tcp_queue_length display \"medium\"\n                validator \"NonNegativeNumber\" required\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                    message tcp_queue_length_max\n                }\n            string tcp_queue_timeout display \"medium\"\n                validator \"NonNegativeNumber\" required\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                    message tcp_queue_timeout_max\n                }\n            }\n\n            optional ( pool.pool_to_use == \"/#create_new#\" ) {\n                choice use_slow_ramp default \"yes\" display \"xxlarge\"\n                optional ( use_slow_ramp == \"yes\" ) {\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message slow_ramp_max\n                    }\n\n                    string slow_ramp_setvalue display \"medium\"\n                        default \"300\" required validator \"NonNegativeNumber\"\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message slow_ramp_setvalue_max\n                    }\n                }\n            }\n        }\n    }\n\n    optional (( net.server_mode != \"tunnel\" && pool.pool_to_use == \"/#create_new#\" )\n    || ( net.server_mode == \"tunnel\" && pool.pool_to_use_wom == \"/#create_new#\" )) {\n        section monitor {\n\n            choice monitor display \"xxlarge\" default \"/#create_new#\" tcl {\n                package require iapp 1.1.2\n                set ::choices \"Create a new health monitor\\t/#create_new#\\n[iapp::get_items ltm monitor http]\\n[iapp::get_items ltm monitor https]\\n[iapp::get_items -filter NAME != \"external\" ltm monitor external]\"\n                return $::choices\n            }\n\n            optional ( ssl_encryption_questions.help == 
\"max\" ) {\n                message monitor_max\n            }\n\n            optional ( monitor == \"/#create_new#\" ) {\n\n                optional ( ssl_encryption_questions.legacy_advanced == \"yes\"\n                        || ssl_encryption_questions.advanced == \"yes\" ) {\n                    string frequency display \"medium\" required default \"30\"\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message freq_max\n                    }\n                    choice http_method display \"xxlarge\" default \"GET\"\n                        { \"GET\", \"POST\" }\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message method_max\n                    }\n                }\n\n                string uri display \"xxlarge\" required default \"/\"\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                    message uri_max\n                }\n\n                optional ( ssl_encryption_questions.legacy_advanced == \"yes\"\n                        || ssl_encryption_questions.advanced == \"yes\" ) {\n                    choice http_version display \"xxlarge\" default \"http11\"\n\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message version_max\n                    }\n\n\n                    optional ( http_method == \"POST\" ) {\n                        string post_body display \"xxlarge\" required\n\n                        optional ( ssl_encryption_questions.help == \"max\" ) {\n                            message body_max\n                        }\n                    }\n                }\n                string response display \"xxlarge\"\n\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                    message response_max\n                }\n\n                optional ( ssl_encryption_questions.legacy_advanced == \"yes\"\n                
        || ssl_encryption_questions.advanced == \"yes\" ) {\n\n                    choice anonymous display \"xxlarge\" default \"yes\"\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message anonymous_max\n                    }\n                    optional ( anonymous == \"no\" ) {\n                        string user required display \"xxlarge\"\n                        optional ( ssl_encryption_questions.help == \"max\" ) {\n                            message user_max\n                        }\n                        password passwd required display \"xxlarge\"\n                        optional ( ssl_encryption_questions.help == \"max\" ) {\n                            message passwd_max\n                        }\n                    }\n\n                }\n            }\n        }\n    }\n\n    optional ( ssl_encryption_questions.legacy_advanced == \"yes\"\n            || ssl_encryption_questions.advanced == \"yes\" ) {\n        section irules {\n        message note\n            optional ( ssl_encryption_questions.help == \"max\" ) {\n                message irule_2_max\n                message irule_3_max\n            }\n\n            multichoice irules display \"xlarge\" tcl {\n                package require iapp 1.1.2\n                set ::choices [iapp::get_items -filter NAME !~ \"^_sys\" ltm rule]\n                return $::choices\n            }\n        }\n\n        optional ( ssl.mode != \"pass_thru\"  ) {\n            section stats {\n                optional ( intro.analytics_provisioned == \"yes\" ) {\n                    choice analytics display \"xxlarge\" default \"/#do_not_use#\" tcl {\n                        package require iapp 1.1.2\n                        set ::choices \"Do not enable Application Visibility Reporting\\t/#do_not_use#\\nCreate a profile based on analytics\\t/#create_new#\\n[iapp::get_items -nocomplain ltm profile analytics]\"\n                        return 
$::choices\n                    }\n                    message avr_1_max\n                    optional ( ssl_encryption_questions.help == \"max\" ) {\n                        message avr_2_max\n                        message avr_3_max\n                    }\n                }\n\n                choice request_logging display \"xxlarge\" default \"/#do_not_use#\" tcl {\n                    package require iapp 1.1.2\n                    set ::choices \"Do not enable HTTP request logging\\t/#do_not_use#\\n[iapp::get_items ltm profile request-log]\"\n                    return $::choices\n                }\n\n                optional ( ssl_encryption_questions.help == \"max\" ) {\n                    message req_log_max\n                }\n            }\n        }\n    }\n\n    optional ( ssl_encryption_questions.help == \"max\" ) {\n        section extra {\n            message dns\n            message web_servers\n            optional (( ssl.mode == \"client_ssl\"\n                     || ssl.mode == \"client_ssl_server_ssl\" )\n                     && ( ssl.cert == \"/Common/default.crt\"\n                     || ssl.cert == \"/Common/ca-bundle.crt\"\n                     || ssl.cert == \"/Common/f5-irule.crt\"\n                     || ssl.key == \"/Common/default.key\" )) {\n                message critical\n            }\n        }\n    }\n}\n\n# Legacy template rendering continues here.\n\noptional ( ssl_encryption_questions.offload_ssl == \"Yes\"\n        || ssl_encryption_questions.offload_ssl == \"No\" ) {\n    optional ( intro.analytics_provisioned == \"yes\" ) {\n        section analytics {\n            choice add_analytics default \"No\" display \"small\"\n            optional ( add_analytics == \"Yes\" ) {\n                message about_analytics_profiles\n                choice create_new_analytics default \"Select a Custom Profile\" display \"xlarge\"\n                optional ( create_new_analytics == \"Select a Custom Profile\" ) {\n                   
 choice analytics_profile display \"xlarge\" tcl {\n                        package require iapp 1.1.2\n                        set ::choices [iapp::get_items -nocomplain ltm profile analytics]\n                        return $::choices\n                    }\n                }\n            }\n        }\n    }\n\n    section basic {\n        string addr required validator \"IpAddress\"\n        optional ((ssl_encryption_questions.offload_ssl == \"Yes\"\n                && ssl_encryption_questions.offload_ssl_1 == \"No\" )\n                || (ssl_encryption_questions.offload_ssl == \"No\"\n                && ssl_encryption_questions.offload_ssl_2 == \"No\" )) {\n            string port default \"80\" required validator \"PortNumber\" display \"small\"\n        }\n        optional ((ssl_encryption_questions.offload_ssl == \"Yes\"\n                && ssl_encryption_questions.offload_ssl_1 == \"Yes\" )\n                || (ssl_encryption_questions.offload_ssl == \"No\"\n                && ssl_encryption_questions.offload_ssl_2 == \"Yes\" )) {\n            string secure_port default \"443\" required validator \"PortNumber\" display \"small\"\n\n            choice create_redir default \"Yes\" display \"small\"\n            optional ( create_redir == \"Yes\" ) {\n                string redir_port default \"80\" required validator \"PortNumber\" display \"small\"\n            }\n        }\n\n        choice snat default \"No\" display \"small\"\n        optional ( snat == \"No\" ) {\n            choice need_snatpool default \"No\" display \"small\"\n            optional ( need_snatpool == \"Yes\" ) {\n                table snatpool_members {\n                    string addr required validator \"IpAddress\"\n                }\n            }\n        }\nchoice using_ntlm default \"No\" display \"small\"\n    }\n\n    section server_pools {\n        choice create_new_pool default \"Create New Pool\" display \"large\"\n        optional ( create_new_pool == \"Create New Pool\" 
) {\n            lb_method lb_method_choice\n            table servers {\n                string addr required validator \"IpAddress\"\n                string port default \"80\" required validator \"PortNumber\"\n                    display \"small\"\n                string connection_limit default \"0\" required\n                    validator \"NonNegativeNumber\" display \"small\"\n                optional ( lb_method_choice == \"ratio-member\" ||\n                           lb_method_choice == \"ratio-node\" ||\n                           lb_method_choice == \"ratio-session\" ||\n                           lb_method_choice == \"ratio-least-connections-member\" ||\n                           lb_method_choice == \"ratio-least-connections-node\" ||\n                           lb_method_choice == \"dynamic-ratio-member\" ||\n                           lb_method_choice == \"dynamic-ratio-node\" ) {\n                    string ratio default \"1\" validator \"NonNegativeNumber\"\n                        display \"small\"\n                }\n            }\n\n            choice tcp_request_queuing_enable_question default \"No\" display \"small\"\n            optional ( tcp_request_queuing_enable_question == \"Yes\" ) {\n                message note\n\n                string tcp_request_queue_length required\n                    validator \"NonNegativeNumber\" display \"small\"\n                string tcp_request_queue_timeout required\n                    validator \"NonNegativeNumber\" display \"small\"\n            }\n\n            choice create_new_monitor default \"Create New Monitor\" display \"xlarge\"\n            optional ( create_new_monitor == \"Create New Monitor\" ) {\n                string monitor_interval default \"30\" required\n                    validator \"NonNegativeNumber\" display \"small\"\n\n                string monitor_send default \"GET /\" required display \"xlarge\"\n\n                choice monitor_http_version default \"Version 1.0\"\n   
             optional ( monitor_http_version == \"Version 1.1\" ) {\n                    string monitor_dns_name required validator \"FQDN\"\n                        display \"large\"\n                }\n\n                string monitor_recv display \"xlarge\"\n            }\n\n            optional ( create_new_monitor == \"Use Monitor...\" ) {\n                choice reuse_monitor_name display \"xlarge\" tcl {\n                    package require iapp 1.1.2\n                    set ::choices \"[iapp::get_items ltm monitor http]\\n[iapp::get_items ltm monitor https]\"\n                    return $::choices\n                }\n            }\n        }\n\n        optional ( create_new_pool == \"Use Pool...\" ) {\n            choice reuse_pool_name display \"xlarge\" tcl {\n                package require iapp 1.1.2\n                set ::choices [iapp::get_items ltm pool]\n                return $::choices\n            }\n        }\n    }\n\n    section optimizations {\n        choice lan_or_wan default \"WAN\"\n\n        optional ( intro.am_provisioned == \"yes\" ) {\n            choice use_wa default \"No\" display \"small\"\n            optional ( use_wa == \"Yes\" ) {\n                table hosts {\n                    string host required validator \"FQDN\" display \"xlarge\"\n                }\n\n                choice x_wa_info_header default \"None\"\n                choice perf_monitor default \"disabled\"\n                optional ( perf_monitor == \"enabled\" ) {\n                    string data_retention_period default \"30\" required\n                        validator \"NonNegativeNumber\"\n                }\n\n                choice policy display \"xlarge\"\n                        default \"/Common/Generic Policy - Enhanced\" tcl {\n                    package require iapp 1.1.2\n                    set ::choices \"/Common/Generic Policy - Complete\\n/Common/Generic Policy - Enhanced\\n/Common/Generic Policy - Extension Based\\n/Common/Generic Policy 
- Fundamental\\n[iapp::get_items -nocomplain -norecursive -filter predefined == no wam policy predefined]\"\n                    return $::choices\n                }\n            }\n        }\n\n    }\n}\n\ntext {\n    intro \"Welcome to the iApp template for web applications\"\n\n    intro.hello \"Introduction\" \"Configure security, high availability, and acceleration for web applications. This template supports basic web services. For detailed information and configuration assistance, see http://www.f5.com/pdf/deployment-guides/iapp-http-dg.pdf.\"\n\n    intro.check_for_updates \"Check for Updates\" \"Check for new versions of this template on the AskF5 Knowledge Base website (http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13422.html).\"\n\n    intro.am_not_provisioned \"Additional features available\" \"This system is not currently provisioned to run the BIG-IP Application Acceleration Manager (AAM). Provisioning AAM provides acceleration and optimization for your web applications.\"\n\n    intro.analytics_not_provisioned \"Additional features available\" \"The system is not currently provisioned to run the BIG-IP Application Visibility Reporting Module (AVR). Activating this module provides rich application statistics and reporting for your deployment.\"\n\n    ssl_encryption_questions \"Template Options\"\n\n    ssl_encryption_questions.help \"Do you want to see inline help?\" {\n\n            \"Yes, show inline help\" => \"max\",\n            \"No, do not show inline help\" => \"hide\"\n    }\n\n    ssl_encryption_questions.help_max \"\" \"Inline help is available to provide contextual descriptions to aid in the completion of this configuration.  Select to show or hide the inline help in this template. Important notes and warnings are always visible, no matter which selection you make here. 
\"\n\n    ssl_encryption_questions.legacy_advanced \"Which configuration mode do you want to use?\" {\n\n            \"Basic - Use F5's recommended settings\" => \"no\",\n            \"Advanced - Configure advanced options\" => \"yes\",\n            \"Legacy - Return to the deprecated template\" => \"legacy\"\n\n    }\n\n    ssl_encryption_questions.legacy_warning \"NOTE\" \"Downgrading to the legacy template will temporarily take your application offline and return all non-table entries to their pre-upgrade values. Any changes made after the upgrade will be lost. To complete the downgrade, click Finished, then Reconfigure, then Finished.\"\n\n    ssl_encryption_questions.advanced \"Which configuration mode do you want to use?\" {\n            \"Basic - Use F5's recommended settings\" => \"no\",\n            \"Advanced - Configure advanced options\" => \"yes\"\n    }\n\n    ssl_encryption_questions.conf_mode_max \"\" \"This template supports basic and advanced configurations modes. Basic mode exposes the most commonly used settings, and automatically configures the rest of the options based on F5's recommended settings.  Advanced mode allows you to review and change all settings. If you are unsure, select Basic.\"\n\n    net \"Network\"\n\n    net.client_mode \"What type of network connects clients to the BIG-IP system?\"\n    net.client_mode_max \"\" \"Select the type of network that connects the clients to the BIG-IP system. 
This is used to determine the client-side TCP optimizations the system uses (in the case of WAN or LAN), or if the system will use an iSession tunnel (in the case of WAN through another BIG-IP system).\"\n    net.vlan_mode \"Do you want to restrict client traffic to specific VLANs?\" {\n        \"Enable traffic on all VLANs and Tunnels\" => \"all\",\n        \"Yes, enable traffic only on the VLANs I specify\" => \"enabled\",\n        \"Yes, disable traffic only on the VLANs I specify\" => \"disabled\"\n    }\n\n    net.vlan_max \"\" \"You can optionally configure the BIG-IP system to accept or deny client traffic from specific VLANs you have configured. If you leave the default, the BIG-IP system accepts traffic from all VLANs configured on the system. If you select to enable or disable traffic on specific VLANs, you must specify the VLANs in the next question. The VLAN objects must already be configured on this BIG-IP system before you can select them.\"\n\n    net.client_vlan \"On which VLANs should traffic be enabled or disabled?\"\n\n    net.client_vlan_max \"\" \"Because you selected you want to enable or disable traffic on specific VLANs in the previous question, use this section to specify the VLANs. By default, all VLANs on the BIG-IP system appear in the Selected box. Click any applicable VLANs and then use the Move buttons (<<) and (>>) to adjust list membership. The Selected box lists the VLANs and tunnels that are specifically enabled or disabled.\"\n\n    net.disabled_vlan_max \"WARNING\" \"By default, all VLANs on the box are in the Selected list.  Because you selected to disable client traffic from specific VLANs, if you do not move any of the VLANs to the Options list, traffic will be denied from ALL VLANs, and this configuration will not pass any traffic.\"\n\n    net.server_mode \"What type of network connects servers to the BIG-IP system?\"\n    net.server_mode_max \"\" \"Select the type of network that connects the servers to the BIG-IP system. 
This is used to determine the server-side TCP optimizations the system uses (in the case of WAN or LAN), or if the system will use an iSession tunnel (in the case of WAN through another BIG-IP system).\"\n\n    net.tunnel_max1 \"NOTE\" \"Selecting 'WAN Network through another BIG-IP system' enables this iApp to create a secure and optimized iSession tunnel between this BIG-IP system and the remote BIG-IP system. Note that iSession tunnels are a shared BIG-IP system resource. And once configured, the settings in the iSession profile may overrule certain iApp encryption settings in order to avoid conflicts with the iSession tunnel encryption settings.\"\n\n    net.tunnel_max2 \"IMPORTANT\" \"To use this feature, you must have Local Endpoint and Listener objects created on both BIG-IP systems. See the deployment guide or BIG-IP documentation for information on creating these objects.\"\n\n    net.tunnel_max3 \"NOTE\" \"Selecting 'WAN Network through another BIG-IP system' enables this iApp to create a secure and optimized iSession tunnel between this BIG-IP system and the remote BIG-IP system. Note that iSession tunnels are a shared BIG-IP system resource. And once configured, the settings in the iSession profile may overrule certain iApp encryption settings in order to avoid conflicts with the iSession tunnel encryption settings.\"\n\n    net.tunnel_max4 \"IMPORTANT\" \"To use this feature, you must have Local Endpoint and Listener objects created on both BIG-IP systems. 
See the deployment guide or BIG-IP documentation for information on creating these objects.\"\n\n    net.same_subnet \"Where will the virtual servers be in relation to the web servers?\" {\n        \"BIG-IP virtual server IP and web servers are on different subnets\" => \"no\",\n        \"BIG-IP virtual server IP and web servers are on the same subnet\"   => \"yes\"\n    }\n\n    net.subnet_1_max \"\" \"It is important to ensure that responses to client requests made using the BIG-IP virtual server address are returned through the BIG-IP system. If the client receives a response directly from the web server, the connection is dropped. The way the BIG-IP system handles this depends on your network topology.\"\n\n    net.subnet_2_max \"\" \"For environments in which the virtual server IP address is on a subnet different from the web servers, select BIG-IP virtual server IP and the web servers are on different subnets.\"\n\n    net.subnet_3_max \"\" \"For environments in which the virtual server IP address provided is on the same subnet as the web servers in the associated pool, select BIG-IP virtual server IP and the web servers are on the same subnet. This enables Secure Network Address Translation (SNAT Auto Map). 
This configuration results in the BIG-IP system replacing the client IP address of an incoming connection with its self IP address  (using floating addresses when available), ensuring the server response returns through the BIG-IP system.\"\n\n\n    net.route_to_bigip \"How have you configured routing on your web servers?\" {\n        \"Servers have a route to clients through the BIG-IP system\"           => \"yes\",\n        \"Servers do not have a route to clients through the BIG-IP system\"    => \"no\"\n    }\n\n    net.def_rt_1_max \"\" \"For environments in which the virtual server IP is on a subnet different from the web servers, information regarding the IP setting of the web servers is required to ensure the correct BIG-IP system configuration.\"\n\n    net.def_rt_2_max \"\" \"If the web servers use the BIG-IP system as their default gateway, select Web servers have a route for clients through the BIG-IP system. In this scenario, no configuration is needed to support your environment to ensure correct server response handling.\"\n\n    net.def_rt_3_max \"\" \"If the web servers do not have a route through the BIG-IP system, select Web servers do not have a route for clients through the BIG-IP system. This enables Secure Network Address Translation  (SNAT Auto Map). This configuration results in the BIG-IP system replacing the client IP address of an incoming connection with its self IP address (using floating addresses when available) ensuring the server response returns through the BIG-IP system. 
\"\n\n    net.snat_type \"How many connections do you expect to each web server?\" {\n                  \"Fewer than 64,000 concurrent connections\" => \"automap\",\n                  \"More than 64,000 concurrent connections\" => \"snatpool\"\n    }\n\n    net.snat_max \"\" \"For environments with fewer than 64,000 concurrent connections per server, the BIG-IP system enables SNAT Auto Map, which uses a unique IP:port combination for each client request it sends to the web server. For environments with more than 64,000 concurrent connections per web server, the BIG-IP system enables a SNAT pool, and additional IP addresses are reserved to ensure the system has enough unique combinations. If the system exhausts all combinations, new client connections are refused until one is available.\"\n\n    net.snatpool \"Create a new SNAT pool or use an existing one?\"\n    net.snatpool_max \"\" \"Choose whether you want the iApp template to create a new SNAT Pool for this implementation. If you have already created a custom SNAT Pool, you can select it from the list.\"\n\n    net.snatpool_members \"What are the IP addresses you want to use for the SNAT pool?\"\n\n    net.snatpool_members.addr \"IP\"\n\n    net.snatpool_members_max \"\" \"Type the IP addresses you want to use for the SNAT Pool.  
These addresses should be available IP addresses, not the self IP address(es) of the BIG-IP system.\"\n\n\n    ssl \"SSL Encryption\"\n\n    ssl.mode \"How should the BIG-IP system handle SSL traffic?\" {\n        \"Terminate SSL from clients, plaintext to servers (SSL offload)\"         => \"client_ssl\",\n        \"Terminate SSL from clients, re-encrypt to servers (SSL bridging)\"\n                                                 => \"client_ssl_server_ssl\",\n        \"Encrypted traffic is forwarded without decryption (SSL pass-through)\"\n                                                 => \"pass_thru\",\n        \"Plaintext to and from clients, encrypt to servers\"         => \"server_ssl\",\n        \"Plaintext to and from both clients and servers\"            => \"no_ssl\"\n    }\n\n    ssl.mode_1_max \"\" \"SSL is a cryptographic protocol used to secure client to server communications. Select how you want the BIG-IP system to handle encrypted traffic. For encryption between client and BIG-IP system:\"\n\n    ssl.mode_2_max \"\" \"If your application requires encryption and session persistence (which ensures requests from a single user are always distributed to the server on which they started) , we recommend you configure the BIG-IP system for terminating SSL for client requests. This allows the system to more accurately persist connections based on granular protocol or application-specific variables.\"\n\n    ssl.mode_3_max \"\" \"If security requirements do not allow the BIG-IP system to decrypt client connections, select to re-encrypt to the web servers. With this selection the system will use SSL ID or Client/Server IP to enforce session persistence. 
Because these parameters are less granular, using them may result in inconsistent distribution of client requests.\"\n\n    ssl.mode_4_max \"\" \"Encryption between BIG-IP system and web servers:\"\n\n    ssl.mode_5_max \"\" \"Encryption and decryption of SSL is computationally intensive and consumes server CPU resources. In environments that do not require encryption between the BIG-IP system and the web servers, select SSL Offload to terminate the SSL session from the client at the BIG-IP system and provide clear text communication from the BIG-IP system to the web servers.\"\n\n    ssl.mode_6_max \"\" \"For environments that require encryption between the BIG-IP system and the web servers, select SSL re-encryption to terminate the SSL session from the client at the BIG-IP system and re-encrypt it for communication between the BIG-IP system and the web servers.\"\n\n    ssl.mode_7_max \"\" \"If you do not want the BIG-IP system to do anything with encrypted traffic and simply send it to the web servers, select SSL pass-through. This differs from SSL re-encryption because the system is not decrypting and re-encrypting the traffic, only sending the traffic through without modification. \"\n\n    ssl.cert \"Which SSL certificate do you want to use?\"\n    ssl.cert_max \"\" \"To establish encrypted communication, a client and server negotiate security parameters that are used for the session. As part of this handshake, a certificate is provided by the server to the client to identify itself. The client can then validate the certificate with an authority for authenticity before sending data. When the BIG-IP system is decrypting communication between the client and server, an SSL certificate and key pair for each fully-qualified DNS name related to this application instance must be configured on the system.\"\n    ssl.cert1_max \"\" \"Select the SSL certificate you imported for this deployment.  
Importing certificates and keys is not a part of this template, see System > File Management > SSL Certificate List. To select any new certificates and keys you import, you need to restart or reconfigure this template.\"\n\n    ssl.key \"Which SSL private key do you want to use?\"\n    ssl.key_max \"\" \"Select the associated SSL key you imported.\"\n\n    ssl.use_chain_cert \"Which intermediate certificate do you want to use?\"\n    ssl.use_chain_cert_1_max \"\" \"Intermediate certificates, also called intermediate certificate chains or chain certificates, are used to help systems which depend on SSL certificates for peer identification. These certificates are intended to create a chain of trust between the CA that signed the certificate and the CA that is already trusted by the recipient of the certificate. This allows the recipient to verify the validity of the certificates presented, even when the signing CA is unknown.\"\n\n    ssl.use_chain_cert_2_max \"\" \"Intermediate certificates must be created or imported onto this BIG-IP system prior to running this iApp. See http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13302.html for help on creating an intermediate certificate chain.\"\n\n    ssl.ssl_warn_1 \"WARNING:\" \"The BIG-IP system's default certificate and key are not secure. For proper security, acquire a certificate and key from a trusted certificate authority, and then import it onto the BIG-IP system.\"\n\n    ssl.client_ssl_profile \"Which Client SSL profile do you want to use?\"\n    ssl.client_ssl_profile_max \"\" \"If you have already created an Client SSL profile that includes the appropriate certificate and key, you can select it from the list.  Otherwise, the iApp creates a new Client SSL profile. \"\n\n    ssl.server_ssl_profile \"Which Server SSL profile do you want to use?\"\n    ssl.server_ssl_profile_max \"\" \"If you have already created an Server SSL profile on this BIG-IP system, you can select it from the list. 
Otherwise, the iApp creates a new Server SSL profile.\"\n\n    intro.asm_not_provisioned \"Additional features available\" \"This system is not currently provisioned to run the BIG-IP Application Security Module (ASM). Provisioning ASM can help to secure your web applications.\"\n    asm \"Application Security Manager (BIG-IP ASM)\"\n    asm.use_asm \"Do you want to deploy BIG-IP Application Security Manager?\"\n    asm.asm_1_max \"\"\n    asm.asm_2_max \"\"\n    asm.asm_3_warning \"WARNING:\"\n    asm.security_logging \"Which logging profile would you like to use?\"\n    asm.security_logging_max \"\" \"The logging profile enables you to log detailed information about BIG-IP ASM events and store those logs on the BIG-IP system or a remote logging server (syslog or Splunk). If you want to use a logging profile, we recommend creating one outside this template. Only logging profiles with Application Security enabled appear in the list.\"\n\n\n    afm \"Advanced Firewall Manager (BIG-IP AFM)\"\n    afm.policy \"Do you want to use AFM network firewall and IP Intelligence to protect your application?\"\n    afm.policy_max \"\" \"BIG-IP Advanced Firewall Manager (AFM) is a high-performance, stateful, full-proxy network firewall designed to guard data centers against incoming threats that enter the network on the most widely deployed protocols.  BIG-IP AFM must be fully licensed and provisioned to use this functionality. If you have already created an AFM Network Firewall Policy on this BIG-IP system for this implementation, you can select it from the list.\"\n    afm.restrict_by_addr \"Do you want to forbid access to your application from specific networks or IP addresses?\"\n    afm.restrict_max \"\" \"You can use the BIG-IP AFM to restrict access to your application by either IP address or network address. 
If enabled, the system will only allow access to the virtual server from the address(es) you specify.\"\n    afm.allowed_addr \"What IP or network addresses should be allowed to access your application?\"\n    afm.allowed_addr_max \"\" \"Specify the IP or network address that should have access to the application.  You can use a single IP address, a list of IP addresses separated by spaces, a range of IP addresses separated by a dash (for example 192.0.2.10-192.0.2.100), a single network address, such as 192.0.2.200/24, or any combination of these.\"\n    afm.restrict_by_reputation \"How should the system control connections from networks suspected of malicious activity?\"\n    afm.restrict_by_reputation_max \"\" \"The BIG-IP AFM uses an IP intelligence database to categorize IP addresses coming into the system. Select the way you want the system to handle possibly malicious networks with a poor reputation score.\"\n    afm.restrict_by_reputation_log \"\" \"By default, IP Intelligence events are logged to Security > Event Logs > Network > IP Intelligence.  For the best performance, F5 recommends creating a remote logging profile to log IP Intelligence events. \"\n    afm.restrict_by_reputation_warn \"IMPORTANT\" \"You must have an active IP Intelligence license for IP reputation-based access control to function correctly. \"\n    afm.ip_intelligence_policy \"Which IP Intelligence policy do you want to use?\"\n\tafm.ip_intelligence_policy_max \"\" \"Select the custom IP intelligence policy you created for this implementation.\"\n    afm.staging_policy \"Would you like to stage a policy for testing purposes?\"\n    afm.staging_policy_max \"\" \"A staged policy allows you to evaluate the effect a policy has on traffic by analyzing the system logs, without actually modifying traffic based on the firewall rules.  You must already have a policy on the system in order to select it from the list.  
For specific information on creating a staging policy, see the AFM documentation.\"\n    afm.staging_policy1_max \"CRITICAL\" \"A policy in Staging mode does not block any traffic, and only logs what would be blocked if the policy were placed into production.\"\n    afm.security_logging \"Which logging profile would you like to use?\"\n    afm.security_logging_max \"\" \"The logging profile enables you to log detailed information about BIG-IP system Network Firewall events and store those logs on the BIG-IP system or a remote logging server (syslog or Splunk). If you want to use a logging profile, we recommend creating one outside this template. Only logging profiles with Network Firewall enabled appear in the list. \"\n    afm.security_logging1_max \"\" \"If you are also using BIG-IP ASM, and the logging profile you created has both Application Security and Network Firewall enabled in the same profile, you must also select that profile here. See the BIG-IP AFM documentation for specific information on Logging profiles.\"\n    afm.dos_security_profile \"Which Denial-of-Service profile do you want to use?\"\n\tafm.dos_security_profile_max \"\" \"The Denial-of-Service (DoS) profile can enable Layer 7 application DoS protection of HTTP traffic and Layer 7 DoS protection for SIP and DNS traffic. The iApp template does not create a DoS profile, if you want to use this functionality, you must create a custom DoS Profile outside the template.\"\n    afm.protocol_security_profile \"Which HTTP protocol security profile do you want to use?\"\n\tafm.protocol_security_profile_max \"\" \"The HTTP protocol security profile consists of many different security checks for the various components of HTTP traffic. 
The iApp template does not create a HTTP Security profile, if you want to use this functionality, you must create a custom HTTP Security profile outside the template.\"\n\n    pool \"Virtual Server and Pools\"\n    pool.addr \"What IP address do you want to use for the virtual server?\"\n    pool.addr_max \"\" \"This IP address, combined with the port you specify below, becomes the BIG-IP virtual server address and port, which clients use to access the application. The system intercepts requests to this IP:Port and distributes them to the web servers.\"\n    pool.mask \"If using a network virtual address, what is the IP mask?\"\n    pool.mask_max \"\" \"If you specified a network address for the virtual server (allowing the virtual server to handle multiple IP addresses), you must enter the full network mask that represents the address range. If you specified a single address for the virtual server, you may leave this field blank.\"\n    pool.port \"What port do you want to use for the virtual server?\"\n    pool.port_max \"\" \"Specify the service port you want to use for the virtual server. 
The default value displayed here is based your answer to the question asking how the system should handle SSL traffic.\"\n    pool.mirror \"Do you want to enable connection and persistence mirroring?\" {\n        \"Do not enable connection/persistence mirroring\" => \"disabled\",\n        \"Enable connection/persistence mirroring\"        => \"enabled\"\n    }\n    pool.port_secure \"What port do you want to use for the virtual server?\"\n    pool.hosts \"What FQDNs will clients use to access the servers?\"\n    pool.hosts.name \"Host\"\n\n    pool.redirect_to_https \"Do you want to redirect inbound HTTP traffic to HTTPS?\" {\n        \"Redirect HTTP to HTTPS\"        => \"yes\",\n        \"Do not redirect HTTP to HTTPS\" => \"no\"\n    }\n\n    pool.mirror_max \"\" \"Connection and persistence mirroring allows you to configure the BIG-IP system to duplicate connection and persistence information to the standby unit of a redundant pair. This setting provides higher reliability, but might affect system performance. For more information, see http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13478.html\"\n\n    pool.redirect_port \"From which port should HTTP traffic be redirected?\"\n\n    pool.redirect_max \"\" \"It is common for users to mistakenly attempt insecure access  (HTTP)  to a secure application  (HTTPS). The BIG-IP system can automatically redirect these connections to use an encrypted connection.\"\n\n    pool.redirect_port_max \"\" \"Specify the port from which you want users redirected.  The most common port for HTTP is 80.\"\n\n\n    pool.fqdn_max \"\" \"Clients can use the FQDN (Fully Qualified Domain Name) you enter here to access the web servers. 
For each FQDN, your DNS administrator must configure a DNS entry  that resolves to the IP address you entered for the BIG-IP virtual server.\"\n\n    pool.http \"Which HTTP profile do you want to use?\"\n    pool.http_max \"\" \"The HTTP profile contains settings that tell the BIG-IP system how to handle the HTTP protocol. If you have created a custom HTTP profile for this application, you can select it from the list.\"\n\n    pool.xff \"Should the BIG-IP system insert the X-Forwarded-For header?\" {\n             \"Insert X-Forwarded-For HTTP header\"        => \"yes\",\n             \"Do not insert X-Forwarded-For HTTP header\" => \"no\"\n    }\n\n    pool.xff_max \"\" \"If you choose to insert the X-Forwarded-For header, the BIG-IP system inserts the original client IP address in the HTTP header for logging purposes. Additional configuration may be required on the web server to log the value of the X-Forwarded-For header.\"\n\n    pool.persist \"Which persistence profile do you want to use?\"\n\n    pool.pass_thru_persist \"Which persistence profile do you want to use?\"\n\n    pool.pass_thru_persist_max \"\" \"With persistence, the BIG-IP system tracks and stores session data, such as the specific pool member that serviced a client request. For SSL pass-through, the F5 recommended method is source address persistence, where the source address of the client is used for persistence. You can also choose not to use persistence, or to select a custom persistence profile you have already created.\"\n\n    pool.persist_max \"\" \"With persistence, the BIG-IP system tracks and stores session data, such as the specific pool member that serviced a client request. The F5 recommended method is Cookie persistence, which inserts a cookie in the HTTP header of a client request after an initial load balancing decision is made. The BIG-IP system uses this cookie to direct all subsequent requests from a given client to the same web server in the configured pool.  
An alternative method is source address persistence, where the source address of the client is used for persistence. You can also choose not to use persistence, or to select a custom persistence profile you have already created. \"\n\n    pool.pool_to_use \"Do you want to create a new pool or use an existing one?\"\n    pool.pool_to_use_wom \"Do you want to create a new pool or use an existing one?\"\n    pool.pool_max \"\" \"A load balancing pool is a logical set of devices, such as web servers, grouped together to receive and process traffic. When clients attempt to access the application via the BIG-IP virtual server, the BIG-IP system distributes requests to any of the servers that are members of that pool.\"\n\n    pool.members \"Which web servers should be included in this pool?\"\n    pool.members_max \"\" \"Specify the IP address(es) of your web servers. If you have existing nodes on this BIG-IP system, you can select them from the list, otherwise type the addresses. Click Add to include additional servers.\"\n    pool.members.addr \"Node/IP address\"\n    pool.members.port \"Port\"\n    pool.members.port_secure \"Port\"\n    pool.members.connection_limit \"Connection limit\"\n    pool.members.ratio \"Ratio\"\n    pool.members.priority \"Priority\"\n    pool.lb_method \"Which load balancing method do you want to use?\"\n    pool.lb_method_max \"\" \"A load balancing method is an algorithm that the BIG-IP system uses to select a pool member for processing a request. F5 recommends the Least Connections load balancing method, where new connections are routed to the node that has the least number of current connections. 
This is ideal for environments in which pool members have similar performance and capacity capabilities.\"\n\n    pool.use_pga \"Do you want to give priority to specific groups of servers?\" {\n                 \"Do not use Priority Group Activation (recommended)\" => \"no\",\n                 \"Use Priority Group Activation\"        => \"yes\"\n    }\n\n    pool.pga_max \"\" \"Priority Group Activation allows you to segment your servers into priority groups.  With Priority Group Activation, the BIG-IP system load balances traffic according to the priority number you assign to the pool members. A higher number indicates higher priority. Traffic is only sent to the servers with the highest priority, unless the number of available servers in that priority group falls below the value you specify as the minimum. The BIG-IP system then sends traffic to the group of servers with the next highest priority, and so on. See the BIG-IP documentation for more details.\"\n\n    pool.min_active_members \"What is the minimum number of active members in a group?\"\n    pool.min_active_members_max \"\" \"Specify the minimum number of servers which must be available before the system sends traffic to servers with a lower priority.\"\n\n    client \"Delivery Optimization\"\n    client.use_wa \"Use the BIG-IP Application Acceleration Manager?\" {\n                  \"Yes, use BIG-IP AAM (recommended)\" => \"yes\",\n                  \"No, do not use BIG-IP AAM\" => \"no\"\n    }\n    client.x_wa_info_header \"Do you want to insert the X-WA-Info header?\" {\n        \"Do not insert the header (recommended)\"   => \"none\",\n        \"Insert the Standard header\" => \"standard\",\n        \"Insert the Debug header\"    => \"debug\"\n    }\n    client.x_wa_info_max \"\" \"By default, the AAM X-WA-info header is not included in the response from the BIG-IP system. This header is useful for debugging AAM behavior. 
If you choose to enable this header, you have two options, Standard and Debug. In Standard mode, the BIG-IP system  inserts an HTTP header that includes numeric codes which indicate if and how each object was cached. In Debug mode, the BIG-IP system includes additional information which may help for extended troubleshooting.\"\n    client.enable_perf_monitor \"Do you want to use the legacy AAM performance monitor?\" {\n         \"Do not enable the legacy performance monitor (recommended)\" => \"no\",\n         \"Enable the legacy performance monitor\"        => \"yes\"\n    }\n    client.enable_perf_monitor_max \"\" \"Enabling the legacy AAM performance monitor can adversely affect system performance. This monitor is primarily used for legacy AAM performance monitoring and debugging purposes. The BIG-IP Dashboard provides performance graphs and statistics related to AAM.\"\n    client.data_retention_period \"For how many days should the BIG-IP system retain the data?\"\n    client.policy \"Which acceleration policy do you want to use?\"\n    client.policy_complete_about_max \"\" \"In this predefined acceleration policy, HTML pages are cached and Intelligent Browser Referencing is enabled.\"\n    client.policy_enhanced_about_max \"\" \"In this predefined acceleration policy, HTML pages are cached and Intelligent Browser Referencing is enabled for includes.\"\n    client.policy_extension_about_max \"\" \"This predefined acceleration policy is ideal for High Performance policy for Ecommerce applications that use File Extensions instead of mime-types. 
This application policy is ideal if response-based matching is not required.\"\n    client.policy_fundamental_about_max \"\" \"In this predefined acceleration policy, HTML pages are always proxied and Intelligent Browser Referencing is disabled.\"\n\n    client.http_compression \"Which compression profile do you want to use?\"\n    client.standard_caching_with_wa \"Which Web Acceleration profile do you want to use for caching?\"\n    client.standard_caching_with_wa_max \"\" \"You can use the BIG-IP Application Acceleration Manager (AAM, formerly WebAccelerator) to accelerate your application traffic.\"\n    client.standard_caching_with_wa_not_default_max \"\" \"You have selected a BIG-IP AAM enabled Web Acceleration profile with an AAM application already attached, so an AAM application will not be created by this template. If you would rather have this template produce the AAM application, then choose 'Use F5's recommended Web Acceleration profile' above.\"\n    client.standard_caching_without_wa \"Which Web Acceleration profile do you want to use for caching?\"\n    client.about_custom_caching_max_1 \"\" \"Caching is the local storage of data for re-use. Once an item is cached on the BIG-IP system, subsequent requests for the same data are served from local storage. This can improve client request response times and improve server scalability by reducing load associated with processing subsequent requests.\"\n    client.about_custom_caching_max_1a \"\" \"Caching is the local storage of data for re-use. Once an item is cached on the BIG-IP system, subsequent requests for the same data are served from local storage. 
This can improve client request response times and improve server scalability by reducing load associated with processing subsequent requests.\"\n\n    client.about_custom_caching_max_2 \"\" \"If you want to select a custom Web Acceleration profile for caching you have already created, it must have an AAM application enabled, otherwise it does not appear in the list of caching profiles. If you want access to all Web Acceleration profiles on the box, then you must choose No to the use BIG-IP AAM question. Use a custom Web Acceleration profile only if you need to define specific URIs that should or should not be cached. \"\n    client.about_custom_caching_max_3 \"\" \"Use a custom Web Acceleration profile only if you need to define specific URIs that should or should not be cached.\"\n\n    client.tcp_lan_opt \"How do you want to optimize client-side connections?\"\n    client.tcp_wan_opt \"How do you want to optimize client-side connections?\"\n    client.comp_max \"\" \"Compression improves performance and end user experience for Web applications that suffer from WAN latency and throughput bottlenecks. Compression reduces the amount of traffic sent to the client to complete a transaction. \"\n    client.comp1_max \"\" \"To select a profile from the list, it must already be present on the BIG-IP system. Creating a custom profile is not a part of this template; see Local Traffic >> Profiles : Services : HTTP Compression to create an HTTP Compression profile. 
To select any new profiles you create, you need to restart or reconfigure this template.\"\n\n    client.tcp_max \"\" \"The client-side TCP profile optimizes the communication between the BIG-IP system and the client by controlling the behavior of the traffic which results in higher transfer rates, improved connection reliability and increased bandwidth efficiency.\"\n\n    client.isession_profile \"Create a new iSession tunnel profile or use an existing one?\"\n    client.isession_profile_max \"\" \"The iSession profile contains the settings for the secure and optimized tunnel between this BIG-IP system and the remote BIG-IP system. Remember that iSession tunnels are a shared BIG-IP system resource. And once configured, the settings in the iSession profile may overrule certain iApp encryption settings in order to avoid conflicts with the iSession tunnel encryption settings. F5 recommends using the default 'isession' profile, unless you have already created one on this system. The iApp can also create a new iSession profile.\"\n\n    client.isession \"Which iSession features do you want to use?\"\n    client.isession_max \"\" \"The three major options of the iSession profile are WAN encryption, Adaptive Compression, and Deduplication.  WAN encryption specifies whether the traffic on the outbound connection is encrypted. Adaptive Compression selects and adjusts the optimal compression algorithm for the current traffic, based on link speed. 
Deduplication specifies whether the system optimizes traffic using symmetric data deduplication (locating byte patterns that were previously sent over the WAN, and replacing them with references).\"\n\n    client.isession.encryption \"WAN encryption\"\n    client.isession.compression \"Adaptive Compression\"\n    client.isession.deduplication \"Deduplication\"\n\n        server \"Server Offload\"\n    server.oneconnect \"Which OneConnect profile do you want to use?\"\n    server.oc_max \"\" \"OneConnect  (connection pooling or multiplexing)  improves server scalability by reducing load associated with concurrent connections and connection rate to web servers. When enabled, the BIG-IP system maintains one connection to each web server which is used to send requests from multiple clients.\"\n\n    server.ntlm \"Which NTLM profile do you want to use?\"\n    server.ntlm_max \"\" \"In environments that use the NTLM security protocol with OneConnect, an NTLM profile is also required. This profile ensures a connection between the BIG-IP system and an application server is established and reused on a per-user basis, eliminating the possibility that user data is incorrectly accessible.\"\n\n    server.tcp_lan_opt \"How do you want to optimize server-side connections?\"\n    server.tcp_wan_opt \"How do you want to optimize server-side connections?\"\n    server.tcp_max \"\" \"The server-side TCP profile optimizes the communication between the BIG-IP system and the server by controlling the behavior of the traffic which results in higher transfer rates, improved connection reliability and increased bandwidth efficiency.\"\n\n    server.tcp_req_queueing \"Should the BIG-IP system queue TCP requests?\" {\n                        \"Yes, enable TCP request queuing\" => \"yes\",\n                        \"No, do not enable TCP request queuing  (recommended) \" => \"no\"\n                    }\n\n    server.tcp_queue_length \"What is the maximum number of TCP requests for the 
queue?\"\n\n    server.tcp_queue_length_max \"\" \"Specify a number for the length of the queue.  You should not use a value of '0', which indicates an unlimited queue length, and is only constrained by available memory.\"\n\n    server.tcp_queue_timeout \"How many milliseconds should requests stay in the queue?\"\n\n    server.tcp_queue_timeout_max \"\" \"Specify a number of milliseconds that requests should remain in the queue before timing out.\"\n\n    server.tcp_request_queue_1_max \"WARNING\" \"Improper use or misconfiguration of TCP Request Queuing/Connection Limits can result in unwanted application behavior and poor performance of your BIG-IP system. For this reason we recommended you verify these settings impact prior to deployment in a production environment. You MUST add a Connection Limit to your pool members for TCP Request Queuing.\"\n\n    server.tcp_request_queue_2_max \"\" \"TCP request queuing provides the ability to queue connection requests that exceed the capacity of connections for a pool, pool member, or node, as determined by the connection limit. If you enable TCP request queuing, you must specify a queue length and timeout for queued requests based on server capability, load, and need for shared resources.\"\n\n    server.use_slow_ramp \"Use a Slow Ramp time for newly added servers?\" {\n                        \"Yes, use Slow Ramp  (recommended) \" => \"yes\",\n                        \"No, do not use Slow Ramp\" => \"no\"\n                    }\n\n    server.slow_ramp_max \"\" \"With Slow Ramp, the BIG-IP system gradually adds connections to a newly-enabled or newly-added HTTP server over a time period you specify, rather than sending a full proportion of the traffic immediately. Slow Ramp is essential when using load balancing methods like Least Connections, as the BIG-IP system would otherwise send all new connections to a new server immediately, potentially overwhelming that server. 
The time period you select for Slow Ramp is highly dependent on the speed of your server hardware and the behavior of your web services.\"\n\n    server.slow_ramp_setvalue \"How many seconds should Slow Ramp time last?\"\n    server.slow_ramp_setvalue_max \"\" \"Specify the duration (in seconds) for Slow Ramp time (the amount of time the system sends less traffic to a newly-enabled pool member). The default setting of 300 seconds  (5 minutes) is very conservative in most cases. \"\n\n    monitor \"Application Health\"\n    monitor.monitor_max \"\" \"Monitors are used to determine the health of the application on each web server. If an application instance does not respond or responds incorrectly, the system will cease to send client requests to that web server. The system will continue to monitor the instance and will begin sending requests once the application responds correctly.\"\n\n    monitor.monitor \"Create a new health monitor or use an existing one?\"\n    monitor.http_method \"What type of HTTP request should be sent to the servers?\"\n    monitor.uri \"What HTTP URI should be sent to the servers?\"\n\n    monitor.http_version \"Which HTTP version do your servers expect clients to use?\" {\n                                \"HTTP/1.0\" => \"http10\",\n                                \"HTTP/1.1\" => \"http11\"\n    }\n    monitor.version_max \"\" \"The HTTP version can be customized so it matches what a typical client would be using, in order to detect failures in the most meaningful way. HTTP/1.0 and HTTP/1.1 are the most common.  HTTP/1.0 is more simple, while HTTP/1.1 offers more features.\"\n\n    monitor.frequency \"How many seconds should pass between health checks?\"\n    monitor.freq_max \"\" \"This is the duration, in seconds, of a single monitor cycle. 
At this interval, the system checks the health of the application instance on each web server configured in the web server pool.\"\n\n    monitor.response \"What is the expected response to the HTTP request?\"\n    monitor.method_max \"\" \"The HTTP request type determines which HTTP method the monitor sends to the web server. GET is the most common request type for web applications.\"\n\n    monitor.uri_max \"\" \"The HTTP URI is used to specify the resource on the web server for a given request. This parameter can be customized to request a specific part of an application, which can indicate the health of the application on a granular level.\"\n\n\n    monitor.post_body \"What HTTP POST body do you want to use for this monitor?\"\n    monitor.body_max \"\" \"POST requests require an HTTP POST body to send to the web server.\"\n\n    monitor.response_max \"\" \"When the HTTP response arrives for a monitor request, its contents are searched for the value specified here. If it is not found, the monitoring attempt fails.\"\n\n    monitor.anonymous \"Should the health monitor require credentials?\"\n        { \"No, allow anonymous access\" => \"yes\", \"Yes, require credentials\" => \"no\" }\n    monitor.anonymous_max \"\" \"You can configure system to attempt to authenticate to the <APP_LABEL> implementation as a part of the health monitor. If you choose to require credentials, we recommend you create a user account specifically for this health monitor which has no other privileges, and has a password set to never expire.\"\n\n    monitor.user \"What user name should the monitor use?\"\n    monitor.user_max \"\" \"Specify the user name for the account you want to use as a part of the health monitor.\"\n    monitor.passwd \"What is the associated password?\"\n    monitor.passwd_max \"\" \"Specify the associated password. 
The password for this account should be set to never expire, otherwise servers could be improperly marked as unavailable when the password expires.\"\n\n    irules \"iRules\"\n    irules.irules \"Do you want to add any custom iRules to this configuration?\"\n    irules.note \"WARNING:\" \"Improper use or misconfigurations of an iRule can result in unwanted application behavior and poor performance of your BIG-IP system. For this reason we recommended you verify the impact of an iRule prior to deployment in a production environment.\"\n    irules.irule_2_max \"\" \"The BIG-IP system supports a scripting language to allow an administrator to instruct the system to intercept, inspect, transform, direct and track inbound or outbound application traffic. An iRule contains the set of instructions the system uses to process data flowing through it, either in the header or payload of a packet.\"\n\n\n    irules.irule_3_max \"\" \"Correct event priority is critical when assigning multiple iRules. For more information about iRule event priority, see https://devcentral.f5.com/wiki/iRules.priority.ashx\"\n\n    stats \"Statistics and Logging\"\n    stats.analytics \"Do you want to enable Analytics for application statistics?\"\n    stats.request_logging \"Which HTTP request logging profile do you want to use?\"\n    stats.avr_1_max \"IMPORTANT\" \"Enabling Analytics may affect overall system performance.  If you choose to enable Analytics, we recommend gathering statistics for a set time period, such as one week, and then re-entering this template and disabling Analytics while you process the data.\"\n    stats.avr_2_max \"\" \"The Application Visibility Reporting  (AVR)  module allows you to view statistics specific to your web application. \"\n    stats.avr_3_max \"\" \"While this template includes a default Analytics profile, for full functionality and flexibility, we recommend you create a custom Analytics profile for this application service. 
Creating a custom profile is not a part of this template; see Local Traffic >> Profiles : Analytics. Once you have created an Analytics profile, you can select it from the list below. To select any new profiles you create, you need to restart or reconfigure this template.\"\n\n\n    stats.req_log_max \"\" \"HTTP request logging enables customizable log messages to be sent to a syslog server for each HTTP request processed by this application. Successful usage of this feature requires creation and association of a request logging profile. Creating a request logging profile is not a part of this template. See Local Traffic>>Profiles: Other: Request Logging.  To select any new profiles you create, you need to restart or reconfigure this template. The performance impact of using this feature should be thoroughly tested in a staging environment prior to enabling it on a production deployment.\"\n\n    extra \"Additional Steps\"\n    extra.dns \"DNS\" \"You must configure a DNS entry for each fully qualified host name that the clients use to access the web servers.  Each DNS record must resolve to the IP address you configured for the BIG-IP virtual server defined in the High Availability section.\"\n    extra.web_servers \"Web servers\" \"Depending on your web service and application software, you may have to perform additional steps on your web application to enable SSL Offloading. If you are performing SSL offload on the BIG-IP system, you may need to configure your web servers not to expect SSL to avoid redirect loops and needless redirects. Also, the web server software may need to be configured to handle any HTTP/1.1 Host headers you specified during monitor creation.\"\n    extra.critical \"Default SSL certificate and key\" \"You have selected a default BIG-IP certificate and/or key. 
This application service configuration is incomplete and will not be secure until you import and assign a trusted certificate and key that are valid for all fully qualified domain names used to access the application. See Local Traffic >> SSL Certificate List for importing certificates and keys. To select any new certificates and keys you import, you need to restart or reconfigure this template.\"\n\n# For v11.3 applications\n    ssl_encryption_questions.deprecated \"PLEASE UPGRADE\" \"This template has been deprecated. It is highly recommended that you upgrade this deployment to the current template version. To upgrade, choose Yes below. Note that this process will temporarily take your application offline.\"\n    ssl_encryption_questions.upgrade \"Do you want to upgrade this template?\"\n        { \"Yes\" => \"Yes\", \"No\"  => \"No\" }\n    ssl_encryption_questions.gap_1 \" \"\n    ssl_encryption_questions.gap_2 \" \"\n    ssl_encryption_questions.section_head \"SSL Encryption Questions\"\n    ssl_encryption_questions.offload_ssl_1 \"Do you want the BIG-IP system to offload SSL processing from the web servers?\"\n        { \"Yes\" => \"Yes\", \"No\"  => \"No\" }\n    ssl_encryption_questions.offload_ssl_2 \"Do you want the BIG-IP system to offload SSL processing from the web servers?\"\n        { \"Yes\" => \"Yes\", \"No\"  => \"No\" }\n    ssl_encryption_questions.cert \"Which certificate do you want the BIG-IP system to use to authenticate the server? (You may need to import a certificate before deploying this Template.)\"\n    ssl_encryption_questions.key \"Which key do you want the BIG-IP system to use for encryption? (You may need to import a key before deploying this Template.)\"\n\n    analytics \"Analytics\"\n    analytics.add_analytics \"Do you want to enable Analytics so that you can view application statistics? 
(This may affect system performance.)\"\n        { \"Yes\" => \"Yes\", \"No\"  => \"No\" }\n    analytics.about_analytics_profiles \"About creating your own Analytics profiles:\" \"For full functionality and flexibility, we recommend that you create a custom Analytics profile for each iApp under Local Traffic > Profiles > Analytics. Once you have created an Analytics profile, you will be able to select it from the list below.\"\n    analytics.create_new_analytics \"Do you want to use a default Analytics profile or select a custom profile?\" {\n        \"Select a Custom Profile\" => \"Select a Custom Profile\",\n        \"Use Default Profile\" => \"Use Default Profile\"\n    }\n    analytics.analytics_profile \"Which Analytics profile do you want to use?\"\n\n    basic \"Virtual Server Questions\"\n    basic.addr \"What IP address do you want to use for this virtual server?\"\n    basic.port \"What port do you want to use for this virtual server?\"\n    basic.secure_port \"What port do you want to use for this virtual server?\"\n    basic.create_redir \"Do you want to redirect traffic that comes in as HTTP to HTTPS?\"\n        { \"Yes\" => \"Yes\", \"No\"  => \"No\" }\n    basic.redir_port \"What port do you want to use for the redirect virtual server?\"\n    basic.snat \"Do the web servers have a route back to application clients via this BIG-IP system?\"\n        { \"Yes\" => \"Yes\", \"No\"  => \"No\" }\n    basic.need_snatpool \"Will you have more than 64,000 connections at one time? If so, you will need to enter at least one IP address for each 64,000 connections. \"\n        { \"Yes\" => \"Yes\", \"No\"  => \"No\" }\n    basic.snatpool_members \"Enter IP addresses that can be used for a SNAT pool. 
Enter one IP address for each 64,000 connections \"\n    basic.snatpool_members.addr \"Address: \"\n\n    basic.using_ntlm \"Are the web servers configured to use NTLM authentication?\"\n        { \"Yes\" => \"Yes\", \"No\"  => \"No\" }\n\n\n    server_pools \"HTTP Server Pool, Load Balancing, and Service Monitor Questions\"\n    server_pools.create_new_pool \"Do you want to create a new pool or use an existing one?\" {\n        \"Create New Pool\" => \"Create New Pool\",\n        \"Use Pool...\" => \"Use Pool...\"\n    }\n    server_pools.lb_method_choice \"Which load balancing method do you want to use?\"\n    server_pools.servers \"Which servers do you want this virtual server to reference? (The virtual server will not be available until at least one server is added.)\"\n    server_pools.servers.addr \"Address\"\n    server_pools.servers.port \"Port\"\n    server_pools.servers.ratio \"Ratio\"\n    server_pools.servers.connection_limit \"Connection Limit\"\n    server_pools.tcp_request_queuing_enable_question \"Do you want the BIG-IP system to queue TCP requests?\"\n        { \"Yes\" => \"Yes\", \"No\"  => \"No\" }\n    server_pools.note \"NOTE:\" \"TCP request queuing requires you to have a Connection Limit on your pool members.\"\n    server_pools.tcp_request_queue_length \"Specify the TCP request queue length. Choose 0 for unlimited.\"\n    server_pools.tcp_request_queue_timeout \"Specify a timeout for TCP request queuing in milliseconds. Choose 0 for unlimited.\"\n    server_pools.reuse_pool_name \"Choose a pool from the list of available pools.\"\n    server_pools.create_new_monitor \"Do you want to create a new health monitor or use an existing one?\" {\n        \"Create New Monitor\" => \"Create New Monitor\",\n        \"Use Monitor...\" => \"Use Monitor...\"\n    }\n    server_pools.monitor_interval \"How often (in seconds) do you want the BIG-IP system to check on the health of each web server? 
\"\n    server_pools.monitor_send \"What HTTP request should be sent to check the health of each web server?\"\n\n    server_pools.monitor_http_version \"What HTTP version do your web servers expect clients to use?\"\n        { \"Version 1.0\", \"Version 1.1\" }\n\n    server_pools.monitor_dns_name \"What fully qualified DNS name are HTTP 1.1 clients expected to use to access the web servers?\"\n    server_pools.monitor_recv \"What string can the BIG-IP system expect to see within the health check response for the server to be considered healthy?\"\n    server_pools.reuse_monitor_name \"Choose a monitor from the list of available monitors.\"\n\n\n    optimizations \"Protocol Optimization Questions\"\n    optimizations.lan_or_wan \"Will clients be connecting to this virtual server primarily over a LAN or a WAN?\" {\n        \"WAN\" => \"WAN\",\n        \"LAN\" => \"LAN\"\n    }\n\n    optimizations.use_wa \"Do you want to use the BIG-IP AAM module to accelerate your traffic?\"\n        { \"Yes\" => \"Yes\", \"No\"  => \"No\" }\n    optimizations.hosts \"What fully qualified DNS names will your end users use to access the web Virtual Server (e.g., site.f5.com).\"\n    optimizations.hosts.host \"Host\"\n    optimizations.policy \"Select the AAM policy to use.\"\n    optimizations.x_wa_info_header \"Do you want to insert the X-WA-Info Header?\" {\n        \"None\" => \"none\",\n        \"Standard\" => \"standard\",\n        \"Debug\" => \"debug\"\n    }\n    optimizations.perf_monitor \"Do you want to enable the AAM performance monitor?\" {\n        \"Enabled\" => \"enabled\",\n        \"Disabled\" => \"disabled\"\n    }\n    optimizations.data_retention_period \"How many days to you want to keep AAM performance data?\"\n\n}", "name": "definition", "htmlHelp": "<p><strong>web iApp Template</strong></p>\n\n<p>This template creates a complete configuration optimized for managing web traffic. 
<br>Before you start: </p>\n<ul>\n    <li>All of the help for this iApp template is found inline. Select <b>Yes, show inline help</b> from the inline help question.</li>\n    <li>For a complete walkthrough of this web iApp, as well as detailed information and help, see http://www.f5.com/pdf/deployment-guides/iapp-http-dg.pdf</li>\n    <li>Check System :: Resource Provisioning to ensure that LTM (Local Traffic Manager) is provisioned.</li>\n    <li>Set up VLANs and Self IP addresses on the networks you use for client-side and server-side traffic.</li>\n    <li>If configuring SSL Offload on the BIG-IP system, before running the iApp, import the proper SSL certificate(s) that corresponds to the DNS names used by the clients.</li>\n    <li>If you plan to use the iApp to deploy any of the optional modules, the modules must be fully licensed and provisioned before running the iApp.</li>\n</ul>"}], "totalSigningStatus": "not-all-signed", "ignoreVerification": "false", "requiresBigipVersionMin": "11.6.0", "verificationStatus": "none"}
Method POST mgmt/tm/sys/application/template returned: {"kind":"tm:sys:application:template:templatestate","name":"f5.http.backport.1.1.2","fullPath":"f5.http.backport.1.1.2","generation":321,"selfLink":"https://localhost/mgmt/tm/sys/application/template/f5.http.backport.1.1.2?ver=11.6.0","ignoreVerification":"false","requiresBigipVersionMin":"11.6.0","totalSigningStatus":"not-all-signed","verificationStatus":"none","actionsReference":{"link":"https://localhost/mgmt/tm/sys/application/template/~Common~f5.http.backport.1.1.2/actions?ver=11.6.0","isSubcollection":true}}

2015-11-12 09:50:30 : Deploy the iApp service from the f5 http backport template
GET mgmt/tm/sys/application/service ""
Method GET mgmt/tm/sys/application/service returned: {"kind":"tm:sys:application:service:servicecollectionstate","selfLink":"https://localhost/mgmt/tm/sys/application/service?ver=11.6.0"}

2015-11-12 09:50:30 : Deploy the iApp service from the f5 http backport template
POST mgmt/tm/sys/application/service {"tables": [{"name": "basic__snatpool_members"}, {"name": "net__snatpool_members"}, {"name": "optimizations__hosts"}, {"columnNames": ["name"], "rows": [{"row": ["demo.example.com"]}], "name": "pool__hosts"}, {"name": "pool__members"}, {"name": "server_pools__servers"}], "templateModified": "no", "name": "Vip1_iApp", "strictUpdates": "enabled", "partition": "Common", "lists": [{"encrypted": "no", "name": "irules__irules", "value": ["/Common/irule_demo_analytics", "/Common/irule_sorry_page"]}], "inheritedDevicegroup": "true", "template": "/Common/f5.http.backport.1.1.2", "variables": [{"encrypted": "no", "name": "asm__security_logging", "value": "asm_log_to_splunk"}, {"encrypted": "no", "name": "asm__use_asm", "value": "/Common/ltm_policy_w_asm_linux_high-Vip1"}, {"encrypted": "no", "name": "client__http_compression", "value": "/#do_not_use#"}, {"encrypted": "no", "name": "client__standard_caching_without_wa", "value": "/#do_not_use#"}, {"encrypted": "no", "name": "client__tcp_wan_opt", "value": "/Common/tcp-ssl-wan-optimized"}, {"encrypted": "no", "name": "net__client_mode", "value": "wan"}, {"encrypted": "no", "name": "net__route_to_bigip", "value": "no"}, {"encrypted": "no", "name": "net__same_subnet", "value": "no"}, {"encrypted": "no", "name": "net__server_mode", "value": "lan"}, {"encrypted": "no", "name": "net__snat_type", "value": "automap"}, {"encrypted": "no", "name": "net__vlan_mode", "value": "all"}, {"encrypted": "no", "name": "pool__addr", "value": "172.16.13.144"}, {"encrypted": "no", "name": "pool__http", "value": "/#create_new#"}, {"encrypted": "no", "name": "pool__mask", "value": ""}, {"encrypted": "no", "name": "pool__persist", "value": "/#cookie#"}, {"encrypted": "no", "name": "pool__pool_to_use", "value": "/Common/Vip1_pool"}, {"encrypted": "no", "name": "pool__port_secure", "value": "443"}, {"encrypted": "no", "name": "pool__redirect_port", "value": "80"}, {"encrypted": "no", "name": 
"pool__redirect_to_https", "value": "yes"}, {"encrypted": "no", "name": "pool__xff", "value": "yes"}, {"encrypted": "no", "name": "server__oneconnect", "value": "/#do_not_use#"}, {"encrypted": "no", "name": "server__tcp_lan_opt", "value": "/Common/tcp-wan-optimized"}, {"encrypted": "no", "name": "server__tcp_req_queueing", "value": "no"}, {"encrypted": "no", "name": "ssl__cert", "value": "/Common/default.crt"}, {"encrypted": "no", "name": "ssl__client_ssl_profile", "value": "/#create_new#"}, {"encrypted": "no", "name": "ssl__key", "value": "/Common/default.key"}, {"encrypted": "no", "name": "ssl__mode", "value": "client_ssl"}, {"encrypted": "no", "name": "ssl__use_chain_cert", "value": "/#do_not_use#"}, {"encrypted": "no", "name": "ssl_encryption_questions__advanced", "value": "yes"}, {"encrypted": "no", "name": "ssl_encryption_questions__help", "value": "hide"}, {"encrypted": "no", "name": "stats__analytics", "value": "/Common/Vip1-demo_analytics"}, {"encrypted": "no", "name": "stats__request_logging", "value": "/#do_not_use#"}], "inheritedTrafficGroup": "true"}
Method POST mgmt/tm/sys/application/service returned: {"kind":"tm:sys:application:service:servicestate","name":"Vip1_iApp","partition":"Common","subPath":"Vip1_iApp.app","fullPath":"/Common/Vip1_iApp.app/Vip1_iApp","generation":323,"selfLink":"https://localhost/mgmt/tm/sys/application/service/~Common~Vip1_iApp.app~Vip1_iApp?ver=11.6.0","deviceGroup":"none","inheritedDevicegroup":"true","inheritedTrafficGroup":"true","strictUpdates":"enabled","template":"/Common/f5.http.backport.1.1.2","templateModified":"no","trafficGroup":"/Common/traffic-group-1","lists":[{"name":"irules__irules","encrypted":"no","value":["/Common/irule_demo_analytics","/Common/irule_sorry_page"]}],"tables":[{"name":"basic__snatpool_members"},{"name":"net__snatpool_members"},{"name":"optimizations__hosts"},{"name":"pool__hosts","columnNames":["name"],"rows":[{"row":["demo.example.com"]}]},{"name":"pool__members"},{"name":"server_pools__servers"}],"variables":[{"name":"asm__security_logging","encrypted":"no","value":"asm_log_to_splunk"},{"name":"asm__use_asm","encrypted":"no","value":"/Common/ltm_policy_w_asm_linux_high-Vip1"},{"name":"client__http_compression","encrypted":"no","value":"/#do_not_use#"},{"name":"client__standard_caching_without_wa","encrypted":"no","value":"/#do_not_use#"},{"name":"client__tcp_wan_opt","encrypted":"no","value":"/Common/tcp-ssl-wan-optimized"},{"name":"net__client_mode","encrypted":"no","value":"wan"},{"name":"net__route_to_bigip","encrypted":"no","value":"no"},{"name":"net__same_subnet","encrypted":"no","value":"no"},{"name":"net__server_mode","encrypted":"no","value":"lan"},{"name":"net__snat_type","encrypted":"no","value":"automap"},{"name":"net__vlan_mode","encrypted":"no","value":"all"},{"name":"pool__addr","encrypted":"no","value":"172.16.13.144"},{"name":"pool__http","encrypted":"no","value":"/#create_new#"},{"name":"pool__mask","encrypted":"no","value":"none"},{"name":"pool__persist","encrypted":"no","value":"/#cookie#"},{"name":"pool__pool_to_use","encrypted
":"no","value":"/Common/Vip1_pool"},{"name":"pool__port_secure","encrypted":"no","value":"443"},{"name":"pool__redirect_port","encrypted":"no","value":"80"},{"name":"pool__redirect_to_https","encrypted":"no","value":"yes"},{"name":"pool__xff","encrypted":"no","value":"yes"},{"name":"server__oneconnect","encrypted":"no","value":"/#do_not_use#"},{"name":"server__tcp_lan_opt","encrypted":"no","value":"/Common/tcp-wan-optimized"},{"name":"server__tcp_req_queueing","encrypted":"no","value":"no"},{"name":"ssl__cert","encrypted":"no","value":"/Common/default.crt"},{"name":"ssl__client_ssl_profile","encrypted":"no","value":"/#create_new#"},{"name":"ssl__key","encrypted":"no","value":"/Common/default.key"},{"name":"ssl__mode","encrypted":"no","value":"client_ssl"},{"name":"ssl__use_chain_cert","encrypted":"no","value":"/#do_not_use#"},{"name":"ssl_encryption_questions__advanced","encrypted":"no","value":"yes"},{"name":"ssl_encryption_questions__help","encrypted":"no","value":"hide"},{"name":"stats__analytics","encrypted":"no","value":"/Common/Vip1-demo_analytics"},{"name":"stats__request_logging","encrypted":"no","value":"/#do_not_use#"}]}

2015-11-12 09:51:37 : Deploying/updating webserver pool
GET mgmt/tm/ltm/pool ""
Method GET mgmt/tm/ltm/pool returned: {"kind":"tm:ltm:pool:poolcollectionstate","selfLink":"https://localhost/mgmt/tm/ltm/pool?ver=11.6.0","items":[{"kind":"tm:ltm:pool:poolstate","name":"Vip1_pool","partition":"Common","fullPath":"/Common/Vip1_pool","generation":236,"selfLink":"https://localhost/mgmt/tm/ltm/pool/~Common~Vip1_pool?ver=11.6.0","allowNat":"yes","allowSnat":"yes","ignorePersistedWeight":"disabled","ipTosToClient":"pass-through","ipTosToServer":"pass-through","linkQosToClient":"pass-through","linkQosToServer":"pass-through","loadBalancingMode":"round-robin","minActiveMembers":0,"minUpMembers":0,"minUpMembersAction":"failover","minUpMembersChecking":"disabled","monitor":"/Common/http ","queueDepthLimit":0,"queueOnConnectionLimit":"disabled","queueTimeLimit":0,"reselectTries":0,"serviceDownAction":"none","slowRampTime":10,"membersReference":{"link":"https://localhost/mgmt/tm/ltm/pool/~Common~Vip1_pool/members?ver=11.6.0","isSubcollection":true}},{"kind":"tm:ltm:pool:poolstate","name":"syslog_pool","partition":"Common","fullPath":"/Common/syslog_pool","generation":239,"selfLink":"https://localhost/mgmt/tm/ltm/pool/~Common~syslog_pool?ver=11.6.0","allowNat":"yes","allowSnat":"yes","ignorePersistedWeight":"disabled","ipTosToClient":"pass-through","ipTosToServer":"pass-through","linkQosToClient":"pass-through","linkQosToServer":"pass-through","loadBalancingMode":"round-robin","minActiveMembers":0,"minUpMembers":0,"minUpMembersAction":"failover","minUpMembersChecking":"disabled","monitor":"/Common/tcp ","queueDepthLimit":0,"queueOnConnectionLimit":"disabled","queueTimeLimit":0,"reselectTries":0,"serviceDownAction":"none","slowRampTime":10,"membersReference":{"link":"https://localhost/mgmt/tm/ltm/pool/~Common~syslog_pool/members?ver=11.6.0","isSubcollection":true}}]}

2015-11-12 09:51:37 : Deploying/updating webserver pool
POST mgmt/tm/ltm/pool {"name": "Vip2_pool", "members": [{"description": "Name=/boring_lovelace,ContainerHostname=a0085832ad28,Image=mutzel/all-in-one-hackazon:postinstall", "name": "172.16.14.87:80", "address": "172.16.14.87"}], "monitor": "http"}
Method POST mgmt/tm/ltm/pool returned: {"kind":"tm:ltm:pool:poolstate","name":"Vip2_pool","fullPath":"Vip2_pool","generation":352,"selfLink":"https://localhost/mgmt/tm/ltm/pool/Vip2_pool?ver=11.6.0","allowNat":"yes","allowSnat":"yes","ignorePersistedWeight":"disabled","ipTosToClient":"pass-through","ipTosToServer":"pass-through","linkQosToClient":"pass-through","linkQosToServer":"pass-through","loadBalancingMode":"round-robin","minActiveMembers":0,"minUpMembers":0,"minUpMembersAction":"failover","minUpMembersChecking":"disabled","monitor":"/Common/http ","queueDepthLimit":0,"queueOnConnectionLimit":"disabled","queueTimeLimit":0,"reselectTries":0,"serviceDownAction":"none","slowRampTime":10,"membersReference":{"link":"https://localhost/mgmt/tm/ltm/pool/~Common~Vip2_pool/members?ver=11.6.0","isSubcollection":true}}

2015-11-12 09:51:39 : Uploading iRules ... irule_random_snat
GET mgmt/tm/ltm/rule ""
Method GET mgmt/tm/ltm/rule returned: {"kind":"tm:ltm:rule:rulecollectionstate","selfLink":"https://localhost/mgmt/tm/ltm/rule?ver=11.6.0","items":[...<list of irules on the box>...]}

2015-11-12 09:51:40 : Uploading iRules ... irule_random_snat
POST mgmt/tm/ltm/rule {"apiAnonymous": "when RULE_INIT {\n    expr srand(\"[clock clicks]\")\n    set static::TARGET_VIP \"/Common/Vip1_iApp.app/Vip1_iApp_vs\"\n}\nwhen CLIENT_ACCEPTED {\n\n    set a [expr int(223*rand())]\n    set b [expr int(255*rand())]\n    set c [expr int(255*rand())]\n    set d [expr int(255*rand())]\n\n    while { $a == 192 || $a == 172 || $a == 10 } {\n        #log local0. \"changing first octet from $a\"\n        set a [expr int(223*rand())]\n    }\n    #log local0. $a.$b.$c.$d\n    snat $a.$b.$c.$d\n\n    virtual $static::TARGET_VIP\n}", "name": "irule_random_snat"}
Method POST mgmt/tm/ltm/rule returned: {"kind":"tm:ltm:rule:rulestate","name":"irule_random_snat","fullPath":"irule_random_snat","generation":354,"selfLink":"https://localhost/mgmt/tm/ltm/rule/irule_random_snat?ver=11.6.0","apiAnonymous":"when RULE_INIT {\n    expr srand(\"[clock clicks]\")\n    set static::TARGET_VIP \"/Common/Vip1_iApp.app/Vip1_iApp_vs\"\n}\nwhen CLIENT_ACCEPTED {\n\n    set a [expr int(223*rand())]\n    set b [expr int(255*rand())]\n    set c [expr int(255*rand())]\n    set d [expr int(255*rand())]\n\n    while { $a == 192 || $a == 172 || $a == 10 } {\n        #log local0. \"changing first octet from $a\"\n        set a [expr int(223*rand())]\n    }\n    #log local0. $a.$b.$c.$d\n    snat $a.$b.$c.$d\n\n    virtual $static::TARGET_VIP\n}"}

2015-11-12 09:51:42 : Setup the HTTP virtual server
GET mgmt/tm/ltm/virtual ""
Method GET mgmt/tm/ltm/virtual returned: {"kind":"tm:ltm:virtual:virtualcollectionstate","selfLink":"https://localhost/mgmt/tm/ltm/virtual?ver=11.6.0","items":[{"kind":"tm:ltm:virtual:virtualstate","name":"Vip1_iApp_redir_vs","partition":"Common","subPath":"Vip1_iApp.app","fullPath":"/Common/Vip1_iApp.app/Vip1_iApp_redir_vs","generation":323,"selfLink":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_redir_vs?ver=11.6.0","addressStatus":"yes","appService":"/Common/Vip1_iApp.app/Vip1_iApp","autoLasthop":"default","cmpEnabled":"yes","connectionLimit":0,"destination":"/Common/172.16.13.144:80","enabled":true,"gtmScore":0,"ipProtocol":"tcp","mask":"255.255.255.255","mirror":"disabled","mobileAppTunnel":"disabled","nat64":"disabled","rateLimit":"disabled","rateLimitDstMask":0,"rateLimitMode":"object","rateLimitSrcMask":0,"source":"0.0.0.0/0","sourceAddressTranslation":{"type":"automap"},"sourcePort":"preserve","synCookieStatus":"not-activated","translateAddress":"enabled","translatePort":"enabled","vlansDisabled":true,"vsIndex":3,"rules":["/Common/_sys_https_redirect"],"policiesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_redir_vs/policies?ver=11.6.0","isSubcollection":true},"profilesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_redir_vs/profiles?ver=11.6.0","isSubcollection":true}},{"kind":"tm:ltm:virtual:virtualstate","name":"Vip1_iApp_vs","partition":"Common","subPath":"Vip1_iApp.app","fullPath":"/Common/Vip1_iApp.app/Vip1_iApp_vs","generation":323,"selfLink":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_vs?ver=11.6.0","addressStatus":"yes","appService":"/Common/Vip1_iApp.app/Vip1_iApp","autoLasthop":"default","cmpEnabled":"yes","connectionLimit":0,"destination":"/Common/172.16.13.144:443","enabled":true,"fallbackPersistence":"/Common/Vip1_iApp.app/Vip1_iApp_source-addr-persistence","gtmScore":0,"ipProtocol":"tcp","mask":"255.255.255.
255","mirror":"disabled","mobileAppTunnel":"disabled","nat64":"disabled","pool":"/Common/Vip1_pool","rateLimit":"disabled","rateLimitDstMask":0,"rateLimitMode":"object","rateLimitSrcMask":0,"source":"0.0.0.0/0","sourceAddressTranslation":{"type":"automap"},"sourcePort":"preserve","synCookieStatus":"not-activated","translateAddress":"enabled","translatePort":"enabled","vlansDisabled":true,"vsIndex":2,"rules":["/Common/irule_demo_analytics","/Common/irule_sorry_page"],"securityLogProfiles":["/Common/asm_log_to_splunk"],"persist":[{"name":"Vip1_iApp_cookie-persistence","partition":"Common","subPath":"Vip1_iApp.app","tmDefault":"yes"}],"policiesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_vs/policies?ver=11.6.0","isSubcollection":true},"profilesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_vs/profiles?ver=11.6.0","isSubcollection":true}}]}

2015-11-12 09:51:43 : Setup the HTTP virtual server
POST mgmt/tm/ltm/virtual {"name": "Vip2_http", "rules": ["/Common/irule_random_snat"], "translateAddress": "enabled", "destination": "/Common/172.16.13.145:80", "mask": "255.255.255.255", "sourceAddressTranslation": {"type": "automap"}, "profiles": [{"name": "http"}, {"name": "tcp-wan-optimized", "context": "clientside"}, {"name": "tcp-lan-optimized", "context": "serverside"}], "translatePort": "enabled", "ipProtocol": "tcp", "pool": "/Common/Vip2_pool"}
Method POST mgmt/tm/ltm/virtual returned: {"kind":"tm:ltm:virtual:virtualstate","name":"Vip2_http","fullPath":"Vip2_http","generation":355,"selfLink":"https://localhost/mgmt/tm/ltm/virtual/Vip2_http?ver=11.6.0","addressStatus":"yes","autoLasthop":"default","cmpEnabled":"yes","connectionLimit":0,"destination":"/Common/172.16.13.145:80","enabled":true,"gtmScore":0,"ipProtocol":"tcp","mask":"255.255.255.255","mirror":"disabled","mobileAppTunnel":"disabled","nat64":"disabled","pool":"/Common/Vip2_pool","rateLimit":"disabled","rateLimitDstMask":0,"rateLimitMode":"object","rateLimitSrcMask":0,"source":"0.0.0.0/0","sourceAddressTranslation":{"type":"automap"},"sourcePort":"preserve","synCookieStatus":"not-activated","translateAddress":"enabled","translatePort":"enabled","vlansDisabled":true,"vsIndex":4,"rules":["/Common/irule_random_snat"],"policiesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip2_http/policies?ver=11.6.0","isSubcollection":true},"profilesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip2_http/profiles?ver=11.6.0","isSubcollection":true}}

2015-11-12 09:51:45 : Setup the HTTPS virtual server
GET mgmt/tm/ltm/virtual ""
Method GET mgmt/tm/ltm/virtual returned: {"kind":"tm:ltm:virtual:virtualcollectionstate","selfLink":"https://localhost/mgmt/tm/ltm/virtual?ver=11.6.0","items":[{"kind":"tm:ltm:virtual:virtualstate","name":"Vip1_iApp_redir_vs","partition":"Common","subPath":"Vip1_iApp.app","fullPath":"/Common/Vip1_iApp.app/Vip1_iApp_redir_vs","generation":323,"selfLink":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_redir_vs?ver=11.6.0","addressStatus":"yes","appService":"/Common/Vip1_iApp.app/Vip1_iApp","autoLasthop":"default","cmpEnabled":"yes","connectionLimit":0,"destination":"/Common/172.16.13.144:80","enabled":true,"gtmScore":0,"ipProtocol":"tcp","mask":"255.255.255.255","mirror":"disabled","mobileAppTunnel":"disabled","nat64":"disabled","rateLimit":"disabled","rateLimitDstMask":0,"rateLimitMode":"object","rateLimitSrcMask":0,"source":"0.0.0.0/0","sourceAddressTranslation":{"type":"automap"},"sourcePort":"preserve","synCookieStatus":"not-activated","translateAddress":"enabled","translatePort":"enabled","vlansDisabled":true,"vsIndex":3,"rules":["/Common/_sys_https_redirect"],"policiesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_redir_vs/policies?ver=11.6.0","isSubcollection":true},"profilesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_redir_vs/profiles?ver=11.6.0","isSubcollection":true}},{"kind":"tm:ltm:virtual:virtualstate","name":"Vip1_iApp_vs","partition":"Common","subPath":"Vip1_iApp.app","fullPath":"/Common/Vip1_iApp.app/Vip1_iApp_vs","generation":323,"selfLink":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_vs?ver=11.6.0","addressStatus":"yes","appService":"/Common/Vip1_iApp.app/Vip1_iApp","autoLasthop":"default","cmpEnabled":"yes","connectionLimit":0,"destination":"/Common/172.16.13.144:443","enabled":true,"fallbackPersistence":"/Common/Vip1_iApp.app/Vip1_iApp_source-addr-persistence","gtmScore":0,"ipProtocol":"tcp","mask":"255.255.255.
255","mirror":"disabled","mobileAppTunnel":"disabled","nat64":"disabled","pool":"/Common/Vip1_pool","rateLimit":"disabled","rateLimitDstMask":0,"rateLimitMode":"object","rateLimitSrcMask":0,"source":"0.0.0.0/0","sourceAddressTranslation":{"type":"automap"},"sourcePort":"preserve","synCookieStatus":"not-activated","translateAddress":"enabled","translatePort":"enabled","vlansDisabled":true,"vsIndex":2,"rules":["/Common/irule_demo_analytics","/Common/irule_sorry_page"],"securityLogProfiles":["/Common/asm_log_to_splunk"],"persist":[{"name":"Vip1_iApp_cookie-persistence","partition":"Common","subPath":"Vip1_iApp.app","tmDefault":"yes"}],"policiesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_vs/policies?ver=11.6.0","isSubcollection":true},"profilesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_vs/profiles?ver=11.6.0","isSubcollection":true}},{"kind":"tm:ltm:virtual:virtualstate","name":"Vip2_http","partition":"Common","fullPath":"/Common/Vip2_http","generation":355,"selfLink":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip2_http?ver=11.6.0","addressStatus":"yes","autoLasthop":"default","cmpEnabled":"yes","connectionLimit":0,"destination":"/Common/172.16.13.145:80","enabled":true,"gtmScore":0,"ipProtocol":"tcp","mask":"255.255.255.255","mirror":"disabled","mobileAppTunnel":"disabled","nat64":"disabled","pool":"/Common/Vip2_pool","rateLimit":"disabled","rateLimitDstMask":0,"rateLimitMode":"object","rateLimitSrcMask":0,"source":"0.0.0.0/0","sourceAddressTranslation":{"type":"automap"},"sourcePort":"preserve","synCookieStatus":"not-activated","translateAddress":"enabled","translatePort":"enabled","vlansDisabled":true,"vsIndex":4,"rules":["/Common/irule_random_snat"],"policiesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip2_http/policies?ver=11.6.0","isSubcollection":true},"profilesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip2_http/profiles?v
er=11.6.0","isSubcollection":true}}]}

2015-11-12 09:51:45 : Setup the HTTPS virtual server
POST mgmt/tm/ltm/virtual {"name": "Vip2_https", "rules": ["/Common/irule_random_snat"], "translateAddress": "enabled", "destination": "/Common/172.16.13.145:443", "mask": "255.255.255.255", "sourceAddressTranslation": {"type": "automap"}, "profiles": [{"name": "tcp-ssl-wan-optimized", "context": "clientside"}, {"name": "tcp-ssl-lan-optimized", "context": "serverside"}], "translatePort": "enabled", "ipProtocol": "tcp", "pool": "/Common/Vip2_pool"}
Method POST mgmt/tm/ltm/virtual returned: {"kind":"tm:ltm:virtual:virtualstate","name":"Vip2_https","fullPath":"Vip2_https","generation":356,"selfLink":"https://localhost/mgmt/tm/ltm/virtual/Vip2_https?ver=11.6.0","addressStatus":"yes","autoLasthop":"default","cmpEnabled":"yes","connectionLimit":0,"destination":"/Common/172.16.13.145:443","enabled":true,"gtmScore":0,"ipProtocol":"tcp","mask":"255.255.255.255","mirror":"disabled","mobileAppTunnel":"disabled","nat64":"disabled","pool":"/Common/Vip2_pool","rateLimit":"disabled","rateLimitDstMask":0,"rateLimitMode":"object","rateLimitSrcMask":0,"source":"0.0.0.0/0","sourceAddressTranslation":{"type":"automap"},"sourcePort":"preserve","synCookieStatus":"not-activated","translateAddress":"enabled","translatePort":"enabled","vlansDisabled":true,"vsIndex":5,"rules":["/Common/irule_random_snat"],"policiesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip2_https/policies?ver=11.6.0","isSubcollection":true},"profilesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip2_https/profiles?ver=11.6.0","isSubcollection":true}}

2015-11-12 09:51:47 : 
GET mgmt/tm/ltm/virtual ""
Method GET mgmt/tm/ltm/virtual returned: {"kind":"tm:ltm:virtual:virtualcollectionstate","selfLink":"https://localhost/mgmt/tm/ltm/virtual?ver=11.6.0","items":[{"kind":"tm:ltm:virtual:virtualstate","name":"Vip1_iApp_redir_vs","partition":"Common","subPath":"Vip1_iApp.app","fullPath":"/Common/Vip1_iApp.app/Vip1_iApp_redir_vs","generation":323,"selfLink":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_redir_vs?ver=11.6.0","addressStatus":"yes","appService":"/Common/Vip1_iApp.app/Vip1_iApp","autoLasthop":"default","cmpEnabled":"yes","connectionLimit":0,"destination":"/Common/172.16.13.144:80","enabled":true,"gtmScore":0,"ipProtocol":"tcp","mask":"255.255.255.255","mirror":"disabled","mobileAppTunnel":"disabled","nat64":"disabled","rateLimit":"disabled","rateLimitDstMask":0,"rateLimitMode":"object","rateLimitSrcMask":0,"source":"0.0.0.0/0","sourceAddressTranslation":{"type":"automap"},"sourcePort":"preserve","synCookieStatus":"not-activated","translateAddress":"enabled","translatePort":"enabled","vlansDisabled":true,"vsIndex":3,"rules":["/Common/_sys_https_redirect"],"policiesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_redir_vs/policies?ver=11.6.0","isSubcollection":true},"profilesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_redir_vs/profiles?ver=11.6.0","isSubcollection":true}},{"kind":"tm:ltm:virtual:virtualstate","name":"Vip1_iApp_vs","partition":"Common","subPath":"Vip1_iApp.app","fullPath":"/Common/Vip1_iApp.app/Vip1_iApp_vs","generation":323,"selfLink":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_vs?ver=11.6.0","addressStatus":"yes","appService":"/Common/Vip1_iApp.app/Vip1_iApp","autoLasthop":"default","cmpEnabled":"yes","connectionLimit":0,"destination":"/Common/172.16.13.144:443","enabled":true,"fallbackPersistence":"/Common/Vip1_iApp.app/Vip1_iApp_source-addr-persistence","gtmScore":0,"ipProtocol":"tcp","mask":"255.255.255.
255","mirror":"disabled","mobileAppTunnel":"disabled","nat64":"disabled","pool":"/Common/Vip1_pool","rateLimit":"disabled","rateLimitDstMask":0,"rateLimitMode":"object","rateLimitSrcMask":0,"source":"0.0.0.0/0","sourceAddressTranslation":{"type":"automap"},"sourcePort":"preserve","synCookieStatus":"not-activated","translateAddress":"enabled","translatePort":"enabled","vlansDisabled":true,"vsIndex":2,"rules":["/Common/irule_demo_analytics","/Common/irule_sorry_page"],"securityLogProfiles":["/Common/asm_log_to_splunk"],"persist":[{"name":"Vip1_iApp_cookie-persistence","partition":"Common","subPath":"Vip1_iApp.app","tmDefault":"yes"}],"policiesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_vs/policies?ver=11.6.0","isSubcollection":true},"profilesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip1_iApp.app~Vip1_iApp_vs/profiles?ver=11.6.0","isSubcollection":true}},{"kind":"tm:ltm:virtual:virtualstate","name":"Vip2_http","partition":"Common","fullPath":"/Common/Vip2_http","generation":355,"selfLink":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip2_http?ver=11.6.0","addressStatus":"yes","autoLasthop":"default","cmpEnabled":"yes","connectionLimit":0,"destination":"/Common/172.16.13.145:80","enabled":true,"gtmScore":0,"ipProtocol":"tcp","mask":"255.255.255.255","mirror":"disabled","mobileAppTunnel":"disabled","nat64":"disabled","pool":"/Common/Vip2_pool","rateLimit":"disabled","rateLimitDstMask":0,"rateLimitMode":"object","rateLimitSrcMask":0,"source":"0.0.0.0/0","sourceAddressTranslation":{"type":"automap"},"sourcePort":"preserve","synCookieStatus":"not-activated","translateAddress":"enabled","translatePort":"enabled","vlansDisabled":true,"vsIndex":4,"rules":["/Common/irule_random_snat"],"policiesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip2_http/policies?ver=11.6.0","isSubcollection":true},"profilesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip2_http/profiles?v
er=11.6.0","isSubcollection":true}},{"kind":"tm:ltm:virtual:virtualstate","name":"Vip2_https","partition":"Common","fullPath":"/Common/Vip2_https","generation":356,"selfLink":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip2_https?ver=11.6.0","addressStatus":"yes","autoLasthop":"default","cmpEnabled":"yes","connectionLimit":0,"destination":"/Common/172.16.13.145:443","enabled":true,"gtmScore":0,"ipProtocol":"tcp","mask":"255.255.255.255","mirror":"disabled","mobileAppTunnel":"disabled","nat64":"disabled","pool":"/Common/Vip2_pool","rateLimit":"disabled","rateLimitDstMask":0,"rateLimitMode":"object","rateLimitSrcMask":0,"source":"0.0.0.0/0","sourceAddressTranslation":{"type":"automap"},"sourcePort":"preserve","synCookieStatus":"not-activated","translateAddress":"enabled","translatePort":"enabled","vlansDisabled":true,"vsIndex":5,"rules":["/Common/irule_random_snat"],"policiesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip2_https/policies?ver=11.6.0","isSubcollection":true},"profilesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~Vip2_https/profiles?ver=11.6.0","isSubcollection":true}}]}

 

Deploying an iApp template using iControlREST

Because it may not be obvious how we deploy iApp templates using iControlREST, we break the process down in more detail here.

First, note that there is no 'import' action we can invoke via REST that mirrors the import action in the Configuration Utility (GUI). This means that we need to create the JSON payload containing the iApp and POST it.
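The cleanup steps listed in this section, written as an added Python example (not code from the aws-deployments project). The function name, the exception class and the sample values are constructed for illustration, and applying the same field list to each action item is an assumption; the check for a missing 'items' array covers a GET made without expandSubcollections=true.

```python
import copy
import json

# Fields the article says to remove before the template is POSTed back.
EXTRANEOUS_FIELDS = (
    "verificationStatus", "totalSigningStatus", "selfLink",
    "partition", "kind", "generation", "fullPath",
)


class TemplateExportError(ValueError):
    """The GET response cannot be turned into a POST body."""


def build_template_post_body(exported):
    """Convert a GET .../sys/application/template/<name> response into the
    body for POST mgmt/tm/sys/application/template. The input is not modified."""
    ref = exported.get("actionsReference")
    if not isinstance(ref, dict) or not isinstance(ref.get("items"), list):
        # Without expandSubcollections=true the reference carries only a
        # 'link', so the template code itself is missing from the export.
        raise TemplateExportError(
            "actionsReference has no 'items'; repeat the GET with "
            "expandSubcollections=true")
    if not ref["items"]:
        raise TemplateExportError("template export contains no actions")

    body = copy.deepcopy(exported)
    actions = body.pop("actionsReference")["items"]
    for field in EXTRANEOUS_FIELDS:
        body.pop(field, None)
    for action in actions:
        # Assumption: the same extraneous fields are dropped per action.
        for field in EXTRANEOUS_FIELDS:
            action.pop(field, None)
        if not action.get("name"):
            raise TemplateExportError("action without a 'name'")
    body["actions"] = actions
    return body


# Constructed sample shaped like the response shown in this section; the
# action bodies are placeholders, not real template code.
_BASE = "https://localhost/mgmt/tm/sys/application/template/"
SAMPLE_EXPORT = {
    "actionsReference": {
        "isSubcollection": True,
        "items": [{
            "fullPath": "definition",
            "generation": 4672,
            "htmlHelp": "<constructed help text>",
            "implementation": "<constructed implementation>",
            "kind": "tm:sys:application:template:actions:actionsstate",
            "name": "definition",
            "presentation": "<constructed presentation>",
            "roleAcl": ["admin", "manager", "resource-admin"],
            "selfLink": _BASE + "~Common~f5.http.backport.1.1.2/actions/definition?ver=11.6.0",
        }],
        "link": _BASE + "~Common~f5.http.backport.1.1.2/actions?ver=11.6.0",
    },
    "fullPath": "/Common/f5.http.backport.1.1.2",
    "generation": 4672,
    "ignoreVerification": "false",
    "kind": "tm:sys:application:template:templatestate",
    "name": "f5.http.backport.1.1.2",
    "partition": "Common",
    "requiresBigipVersionMin": "11.6.0",
    "selfLink": _BASE + "~Common~f5.http.backport.1.1.2?expandSubcollections=true&ver=11.6.0",
    "totalSigningStatus": "not-all-signed",
    "verificationStatus": "none",
}

# Constructed sample of the same template fetched without
# expandSubcollections=true: the sub-collection is only a link.
SAMPLE_UNEXPANDED = dict(
    SAMPLE_EXPORT,
    actionsReference={
        "isSubcollection": True,
        "link": _BASE + "~Common~f5.http.backport.1.1.2/actions?ver=11.6.0",
    },
)

if __name__ == "__main__":
    print(json.dumps(build_template_post_body(SAMPLE_EXPORT),
                     indent=2, sort_keys=True))
```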

Given an iApp template, like those found on DevCentral, here are the steps to create the JSON body.

 

  1. On a pre-existing BIG-IP install (or one you have created in your build process for your code):
    1. Import the iApp template in the Configuration Utility in the 'Common' partition
    2. Do an HTTP GET to retrieve the iApp template payload. Make sure that you pass expandSubcollections=true as a query parameter, as we want to include the contents of the 'actionsReference' sub-collection.
      1. curl -sku <user>:<password> -X GET "https://<management ip>/mgmt/tm/sys/application/template/~Common~<name of your iApp>?expandSubcollections=true"
    3. You should get something back that looks like the following (which is the payload for the f5.http backport iApp).  I have truncated the 'implementation', 'presentation' and 'htmlHelp' actions:
      1. {
            "actionsReference": {
                "isSubcollection": true,
                "items": [
                    {
                        "fullPath": "definition",
                        "generation": 4672,
                        "htmlHelp": "....",
                        "implementation": "...",
                        "kind": "tm:sys:application:template:actions:actionsstate",
                        "name": "definition",
                        "presentation": "...",
                        "roleAcl": [
                            "admin",
                            "manager",
                            "resource-admin"
                        ],
                        "selfLink": "https://localhost/mgmt/tm/sys/application/template/~Common~f5.http.backport.1.1.2/actions/definition?ver=11.6.0"
                    }
                ],
                "link": "https://localhost/mgmt/tm/sys/application/template/~Common~f5.http.backport.1.1.2/actions?ver=11.6.0"
            },
            "fullPath": "/Common/f5.http.backport.1.1.2",
            "generation": 4672,
            "ignoreVerification": "false",
            "kind": "tm:sys:application:template:templatestate",
            "name": "f5.http.backport.1.1.2",
            "partition": "Common",
            "requiresBigipVersionMin": "11.6.0",
            "selfLink": "https://localhost/mgmt/tm/sys/application/template/~Common~f5.http.backport.1.1.2?expandSubcollections=true&ver=11.6.0",
            "totalSigningStatus": "not-all-signed",
            "verificationStatus": "none"
        }
      2. Before we can POST this payload back to any BIG-IP, we need to clean up a few things:
        1. Remove any of the extraneous fields including 'verificationStatus', 'totalSigningStatus', 'selfLink', 'partition', 'kind', 'generation', 'fullPath'.
        2. Make a new top-level key in the payload called 'actions'.  The value for this key should be everything in the 'items' array under the top-level key 'actionsReference'.  Finally, delete the 'actionsReference' key/value pair from the JSON body. The final JSON payload should look like:
          1. {
              "actions": [
                {
                  "htmlHelp": "....",
                  "implementation": "...",
                  "name": "definition",
                  "presentation": "...",
                  "roleAcl": [
                    "admin",
                    "manager",
                    "resource-admin"
                  ]
                }
              ],
              "ignoreVerification": "false",
              "name": "f5.http.backport.1.1.2",
              "requiresBigipVersionMin": "11.6.0",
              "totalSigningStatus": "not-all-signed"
            }
      3. Finally, we can use this to deploy an iApp template on BIG-IP.  In the example below, the iApp_template.json file is formatted like the above. I have also attached it to this page for inspection. 
        1. curl -sku rest_admin:<obfuscated> -H "Content-type: application/json" -X POST -d@./iApp_template.json https://52.23.149.16/mgmt/tm/sys/application/template

Before you go POSTing iApps to any old version of TMOS, be aware that there are still some remaining issues you might have to solve.  Some of the official iApps found on DevCentral are prepended with a TCL library that defines functions used within the iApp.  The iApp solutions team made this design decision so that newer iApps will work against older versions of TMOS.  For example, see the 'F5 HTTP' template, which starts with the library definition on line 0: "cli script f5.iapp.1.3.0.cli {....".  When you export the iApp template to JSON using REST as we have documented above, this library will not be included in the payload. Because newer versions of BIG-IP (11.6) might already include a version of this 'iApp' library, you can work around this issue by updating the function references to use the existing library on-box.  Here are the high-level steps:

  1. Download the iApp from DevCentral.
  2. Change the function references to leverage the library that is installed on your BIG-IP.  See an example of this by comparing the F5 HTTP template on the codeshare with the one attached to this page. 
    1. You'll probably have to do some "find and replace" like the following:
    2. f5.iapp.1.3.0.cli:iapp_get_provisioned -> iapp::get_provisioned
    3. There may be some references to functions that do not exist yet.  These will have to be dealt with on a case-by-case basis. 
  3. Upload the iApp to BIG-IP and export it as we documented above.

Deploying an iApp service using iControlREST

Fortunately, using iControlREST to manage instances of iApps (also known as iApp services) is much easier than managing templates.  The high-level steps are similar: 

  1. Deploy an iApp service via the Configuration Utility.
  2. Do an HTTP GET to acquire the JSON representation (notice the URL formatting!).
    1. curl -sku <user>:<password> -X GET https://<management ip>/mgmt/tm/sys/application/service/~Common~<your iapp name>.app~<your iapp name> 
  3. Depending on the variables presented by the iApp template, the JSON payload for the iApp service might look something like:
    1.  {
          "deviceGroup": "none",
          "fullPath": "/Common/Vip1_iApp.app/Vip1_iApp",
          "generation": 4674,
          "inheritedDevicegroup": "true",
          "inheritedTrafficGroup": "true",
          "kind": "tm:sys:application:service:servicestate",
          "lists": [
              {
                  "encrypted": "no",
                  "name": "irules__irules",
                  "value": [
                      "/Common/irule_demo_analytics",
                      "/Common/irule_sorry_page"
                  ]
              }
          ],
          "name": "Vip1_iApp",
          "partition": "Common",
          "selfLink": "https://localhost/mgmt/tm/sys/application/service/~Common~Vip1_iApp.app~Vip1_iApp?ver=11.6.0",
          "strictUpdates": "enabled",
          "subPath": "Vip1_iApp.app",
          "tables": [
              {
                  "name": "basic__snatpool_members"
              },
              {
                  "name": "net__snatpool_members"
              },
              {
                  "name": "optimizations__hosts"
              },
              {
                  "columnNames": [
                      "name"
                  ],
                  "name": "pool__hosts",
                  "rows": [
                      {
                          "row": [
                              "demo.example.com"
                          ]
                      }
                  ]
              },
              {
                  "name": "pool__members"
              },
              {
                  "name": "server_pools__servers"
              }
          ],
          "template": "/Common/f5.http.backport.1.1.2",
          "templateModified": "yes",
          "trafficGroup": "/Common/traffic-group-1",
          "variables": [
              {
                  "encrypted": "no",
                  "name": "asm__security_logging",
                  "value": "asm_log_to_splunk"
              },
              {
                  "encrypted": "no",
                  "name": "asm__use_asm",
                  "value": "/Common/ltm_policy_w_asm_linux_high-Vip1"
              },
              {
                  "encrypted": "no",
                  "name": "client__http_compression",
                  "value": "/#do_not_use#"
              },
              {
                  "encrypted": "no",
                  "name": "client__standard_caching_without_wa",
                  "value": "/#do_not_use#"
              },
              {
                  "encrypted": "no",
                  "name": "client__tcp_wan_opt",
                  "value": "/Common/tcp-ssl-wan-optimized"
              },
              {
                  "encrypted": "no",
                  "name": "net__client_mode",
                  "value": "wan"
              },
              {
                  "encrypted": "no",
                  "name": "net__route_to_bigip",
                  "value": "no"
              },
              {
                  "encrypted": "no",
                  "name": "net__same_subnet",
                  "value": "no"
              },
              {
                  "encrypted": "no",
                  "name": "net__server_mode",
                  "value": "lan"
              },
              {
                  "encrypted": "no",
                  "name": "net__snat_type",
                  "value": "automap"
              },
              {
                  "encrypted": "no",
                  "name": "net__vlan_mode",
                  "value": "all"
              },
              {
                  "encrypted": "no",
                  "name": "pool__addr",
                  "value": "172.16.13.128"
              },
              {
                  "encrypted": "no",
                  "name": "pool__http",
                  "value": "/#create_new#"
              },
              {
                  "encrypted": "no",
                  "name": "pool__mask",
                  "value": "none"
              },
              {
                  "encrypted": "no",
                  "name": "pool__persist",
                  "value": "/#cookie#"
              },
              {
                  "encrypted": "no",
                  "name": "pool__pool_to_use",
                  "value": "/Common/Vip1_pool"
              },
              {
                  "encrypted": "no",
                  "name": "pool__port_secure",
                  "value": "443"
              },
              {
                  "encrypted": "no",
                  "name": "pool__redirect_port",
                  "value": "80"
              },
              {
                  "encrypted": "no",
                  "name": "pool__redirect_to_https",
                  "value": "yes"
              },
              {
                  "encrypted": "no",
                  "name": "pool__xff",
                  "value": "yes"
              },
              {
                  "encrypted": "no",
                  "name": "server__oneconnect",
                  "value": "/#do_not_use#"
              },
              {
                  "encrypted": "no",
                  "name": "server__tcp_lan_opt",
                  "value": "/Common/tcp-wan-optimized"
              },
              {
                  "encrypted": "no",
                  "name": "server__tcp_req_queueing",
                  "value": "no"
              },
              {
                  "encrypted": "no",
                  "name": "ssl__cert",
                  "value": "/Common/default.crt"
              },
              {
                  "encrypted": "no",
                  "name": "ssl__client_ssl_profile",
                  "value": "/#create_new#"
              },
              {
                  "encrypted": "no",
                  "name": "ssl__key",
                  "value": "/Common/default.key"
              },
              {
                  "encrypted": "no",
                  "name": "ssl__mode",
                  "value": "client_ssl"
              },
              {
                  "encrypted": "no",
                  "name": "ssl__use_chain_cert",
                  "value": "/#do_not_use#"
              },
              {
                  "encrypted": "no",
                  "name": "ssl_encryption_questions__advanced",
                  "value": "yes"
              },
              {
                  "encrypted": "no",
                  "name": "ssl_encryption_questions__help",
                  "value": "hide"
              },
              {
                  "encrypted": "no",
                  "name": "stats__analytics",
                  "value": "/Common/Vip1-demo_analytics"
              },
              {
                  "encrypted": "no",
                  "name": "stats__request_logging",
                  "value": "/#do_not_use#"
              }
          ]
      }
  4. As earlier, remove the fields that don't make sense to re-post. This includes 'deviceGroup', 'fullPath', 'generation', 'kind', 'partition', 'selfLink', and 'subPath'.
  5. You can now use this JSON body with updates to the variable values as needed.  
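
The two clean-up procedures above (template export and service export) written out in Python, as an added example that is not code from this article or its project; the function names and sample dictionaries are constructed here. It follows the written removal lists, so 'totalSigningStatus' is dropped, and it rejects a template export made without expandSubcollections=true or an override for a variable the service does not have.

```python
import copy

# Read-only fields the article lists for removal before re-posting.
TEMPLATE_STRIP = {"verificationStatus", "totalSigningStatus", "selfLink",
                  "partition", "kind", "generation", "fullPath"}
SERVICE_STRIP = {"deviceGroup", "fullPath", "generation", "kind",
                 "partition", "selfLink", "subPath"}

def template_post_body(export):
    """Convert a GET of sys/application/template/<name> into a POST body."""
    ref = export.get("actionsReference", {})
    if "items" not in ref:
        # Without expandSubcollections=true only a link comes back: no actions.
        raise ValueError("re-run the GET with expandSubcollections=true")
    drop = TEMPLATE_STRIP | {"actionsReference"}
    body = {k: v for k, v in export.items() if k not in drop}
    body["actions"] = [{k: v for k, v in item.items() if k not in drop}
                       for item in ref["items"]]
    return body

def service_post_body(export, overrides=None):
    """Clean a GET of an iApp service and apply new variable values."""
    body = copy.deepcopy({k: v for k, v in export.items()
                          if k not in SERVICE_STRIP})
    pending = dict(overrides or {})
    for var in body.get("variables", []):
        if var["name"] in pending:
            var["value"] = pending.pop(var["name"])
    if pending:  # a misspelled variable name must not be silently ignored
        raise KeyError("unknown iApp variables: %s" % sorted(pending))
    return body

# Constructed samples, abbreviated from the payloads shown above.
SAMPLE_TEMPLATE = {
    "actionsReference": {"isSubcollection": True, "items": [{
        "fullPath": "definition", "generation": 4672, "name": "definition",
        "implementation": "...", "presentation": "...", "htmlHelp": "....",
        "roleAcl": ["admin", "manager", "resource-admin"]}]},
    "fullPath": "/Common/f5.http.backport.1.1.2", "generation": 4672,
    "name": "f5.http.backport.1.1.2", "partition": "Common",
    "ignoreVerification": "false", "verificationStatus": "none"}
SAMPLE_SERVICE = {
    "name": "Vip1_iApp", "partition": "Common", "subPath": "Vip1_iApp.app",
    "template": "/Common/f5.http.backport.1.1.2", "variables": [
        {"encrypted": "no", "name": "pool__addr", "value": "172.16.13.128"}]}

if __name__ == "__main__":
    print(template_post_body(SAMPLE_TEMPLATE))
    print(service_post_body(SAMPLE_SERVICE, {"pool__addr": "172.16.13.129"}))
```

Serialize the returned dictionary with json.dumps() to produce the file passed to curl with -d@.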

Example python code for deploying iApp Templates

In addition to the above procedures, we'd like to point you to some Python examples which show how to push iApp templates using REST. Hitesh Patel, another monster F5er, has put together the following code:

https://github.com/0xHiteshPatel/appsvcs_integration_iapp/tree/80cc40dcf85e352a25c7ec44d9e4dcc253e51e69/scripts

In his words: "that's 152 lines of awesome right there".

His examples run against 11.5.x, 11.6.x and 12.0. 

Debugging

When trying to create or update an instance of an iApp via REST, you will get error messages in the HTTP response if your POST is unsuccessful.  In addition to the HTTP payload in the response, the following debug steps can be helpful:

1) Set the scriptd log level to debug:

modify sys scriptd log-level debug

2) Look at the TMSH output from the iApp printed to /var/log/scriptd.out.  Typically the last line will show the error that has occurred.

In closing

The above examples should bring you one step closer to automating the delivery of advanced network services for your applications.  We're looking forward to doing future posts on how to automate your deployment.  Finally, if you haven't checked out the Application Services Integration iApp, also by Hitesh, you should probably do so now: https://github.com/0xHiteshPatel/appsvcs_integration_iapp.

Cheers!