mm_pen_242283
Sep 05, 2016

Logical operands within Local Traffic Policy

Hi all.

 

I have a question regarding Local Traffic Policy matching. From the F5 manual I understand that either logical AND or logical OR can be applied when combining rules or conditions within rules. I do need some further elaboration here.

 

Can someone please post an example of such syntax (where to put the OR / AND operand)? Or is there a default between values/conditions/rules?

 

  1. For instance, I want to create a LTP rule, that would hit ASM policy 1 in case "http-host" header matches "site1.com" OR "site2.com".
  2. In second example, I want to create a LTP rule, that would hit ASM policy 2 in case "http-host" header matches "site3.com" AND "user-agent" equals "firefox".

Thank you!!

 

11 Replies

  • Hi,

     

    When you add several conditions, they are combined using a logical AND. When you add several values within one condition, they are combined using a logical OR.

     

    Example:

    1. Rule: Add two values within the condition of http-host equals "site1.com" OR "site2.com".
    2. Rule: Add two conditions. The first checks that the http-host equals "site3.com" and the second condition checks that the user-agent contains "firefox".

     

    Is this clear?

     

    Regards, svs

     

  • SVS, thank you for your quick reply.

     

    Just to clarify. For the 1st scenario, literally site1.com OR site2.com should be put in the ASM >> Rule Properties >> Conditions >> Values field? Attached is an example (the thing is, ASM allows one to put arbitrary match keywords inside "Value" field).

     

     

  • No, absolutely not. You put in two values, each after the other.

     

    1. enter "site1.com" and click "Add".
    2. enter "site2.com" and click "Add".
    3. Click "Add" below, to add the condition.

    Unfortunately I don't have a v11 or v12.0 running at the moment. Otherwise I would take a screenshot of the configuration. In v12.1 this looks completely different.

     

  • I am running 11.6 and honestly I am a bit confused with the GUI when using Local Traffic Policies. So how do you know that in the above example, logical "OR" (|) would be used, as opposed to logical "AND" (&)?

     

    What would be an alternative for scenario 2 (where logical AND was needed; http-host=="site3.com" AND user-agent=="firefox")?

     

  • keep it simple, create a policy and then four rules:

     

    1. rule1 with host header www.abc.com pointing to asm policy1

     

    2. rule2 with host header www.xyz.com pointing to asm policy1

     

    3. rule3 with host header www.site3.com and a second condition the user-agent firefox pointing to asm policy2

     

    4. a default rule if none of the above is matched

     

  • Hello everybody,

     

    About this subject, I have a question. Actually, I must deploy the rules below :

     

    1 - if * ---> action : use Pool-1

     

    2 - if * ---> action : use Pool-2

     

    My difficulty here is how to differentiate the path fd/* and /* ? Because if I don't put the correct condition, I think that the "fd/" would be interpreted as part of the stat '' of the path 1, "/*".

     

    So, I have some examples. Conditions that selects the Pool-1 :

     

     

     

    -----> We have here "fd/", but it doesn't start the path after the url-host, so, it enters in the case of Pool-1.

     

    Conditions that selects the Pool-2 :

     

     

     

     

    Could you please help me with this ? Is the strategy important here ? The rule that treats the "fd" case must come before the general rule "/" ?

     

    Thanks a lot. Best regards.

     

    • svs

      Basically it's up to your policy strategy how the policy matches the rules. If your strategy is "first-match", you only need to make sure that the order of the rules is correct and reflects your needs. So with first-match your rules should look like this:

       

      Rule 1

      Condition 1: Host Header matches

       

      Condition 2: URI starts_with /fd/

       

      Action: Pool2

       

      Rule 2

      Condition 1: Host Header matches

       

      Condition 2: URI starts_with /

       

      Action: Pool1

       

      In this case the rules will be evaluated in order, and the first rule whose conditions match the current connection will be processed.

       

      Maybe it would be simpler to understand Rule 2 as the default rule and not use any conditions. Every policy I create has a default rule at the bottom, without any conditions, that only executes an action.

       

      Hope that helps and makes things more clear.

       

      Greets,

       

      svs
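
The matching behaviour described in svs's replies above (values within one condition are ORed, conditions within one rule are ANDed, and with "first-match" the rule order decides), modelled as a small Python sketch. This is an added example, not part of the thread and not F5 code; the function names, the dictionary layout, the case-insensitive comparison and the sample requests are assumptions made for illustration, and the host condition is left out of the pool rules because its value is not shown in the post.

```python
# Model of Local Traffic Policy matching as described in this thread
# (illustrative only; not F5 code, all names here are hypothetical).

def condition_matches(cond, request):
    """Values inside one condition are ORed together."""
    # Model assumption: comparison is case-insensitive.
    actual = request.get(cond["operand"], "").lower()
    values = [v.lower() for v in cond["values"]]
    if cond["op"] == "equals":
        return actual in values
    if cond["op"] == "contains":
        return any(v in actual for v in values)
    if cond["op"] == "starts_with":
        return any(actual.startswith(v) for v in values)
    raise ValueError("unknown operator: " + cond["op"])

def rule_matches(rule, request):
    """Conditions inside one rule are ANDed; no conditions = default rule."""
    return all(condition_matches(c, request) for c in rule["conditions"])

def first_match(rules, request):
    """first-match strategy: rules are tried in order, the first hit wins."""
    for rule in rules:
        if rule_matches(rule, request):
            return rule["action"]
    return None

def cond(operand, op, *values):
    return {"operand": operand, "op": op, "values": list(values)}

# Constructed policy covering the two scenarios from the original question.
ASM_RULES = [
    {"conditions": [cond("http-host", "equals", "site1.com", "site2.com")],
     "action": "asm-policy-1"},
    {"conditions": [cond("http-host", "equals", "site3.com"),
                    cond("user-agent", "contains", "firefox")],
     "action": "asm-policy-2"},
    {"conditions": [], "action": "default"},
]

# Constructed pool rules for the /fd/ question; the specific rule comes first.
POOL_RULES = [
    {"conditions": [cond("uri", "starts_with", "/fd/")], "action": "Pool2"},
    {"conditions": [cond("uri", "starts_with", "/")], "action": "Pool1"},
]
# Reversed order: "/" matches every path, so the /fd/ rule is never reached.
POOL_RULES_REVERSED = list(reversed(POOL_RULES))
```

With the reversed list, a request for `/fd/index.html` is sent to Pool1, which is the ordering mistake the "first-match" advice guards against.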

       

    • brunocalcado

      Thanks a lot Sven. I will test on Monday. Your solution with the default rule can help me a lot.

       

      Have a nice weekend. BC

       
