Configuration Resources
Action Program
URI Endpoint: /api/tm/8.3/config/active/action_programs
This is a program or script that can be referenced and used by actions of type 'Program'
Property |
Description |
There are no properties to display for this resource. |
Admin SSL Trusted Certificate
URI Endpoint: /api/tm/8.3/config/active/ssl/admin_cas
The conf/ssl/admin_cas directory contains SSL certificate authority certificates (CAs) and certificate revocation lists (CRLs) which can be used when validating connections made by the admin server for user authentication. CAs and CRLs can be managed under the Catalogs > SSL > Admin CAs and CRLs section of the Admin Server UI or by using functions under the Catalog.SSL.AdminCertificateAuthorities section of the SOAP API and CLI.
Property |
Description |
There are no properties to display for this resource. |
Alerting Action
URI Endpoint: /api/tm/8.3/config/active/actions
A response to an event occurring in your traffic manager. An example of an action might be sending an email or writing a line to a log file.
Property |
Description |
note |
A description of the action. •Type: FreeformString •Required: false •Default value: <none> |
syslog_msg_len_limit |
Maximum length in bytes of a message sent to the remote syslog. Messages longer than this will be truncated before they are sent. •Type: UInt •Required: false •Default value: "2048" |
timeout |
How long the action can run for before it is stopped automatically (set to 0 to disable timeouts). •Type: UInt •Required: false •Default value: "60" |
type |
The action type. •Type: Enum(String) •Required: true •Default value: <none> •Permitted values: "email": E-Mail "log": Log to File "program": Program "soap": SOAP Callback "syslog": Log to Syslog "trap": SNMP Notify or Trap |
verbose |
Enable or disable verbose logging for this action. •Type: Boolean •Required: false •Default value: false |
Properties for the "email" section: |
|
from |
The e-mail address from which messages will appear to originate. •Type: String •Required: false •Default value: "vTM@%hostname%" |
server |
The SMTP server to which messages should be sent. This must be a valid IPv4 address or resolvable hostname (with optional port). •Type: String •Required: false •Default value: <none> |
to |
A set of e-mail addresses to which messages will be sent. •Type: Set(String) •Required: false •Default value: <none> |
Properties for the "log" section: |
|
file |
The full path of the file to log to. The text %zeushome% will be replaced with the location where the software is installed. •Type: String •Required: false •Default value: <none> |
Properties for the "program" section: |
|
arguments |
A table containing arguments and argument values to be passed to the event handling program. •Type: Table •Required: false •Primary key: •name (String): The name of the argument to be passed to the event handling program. (Required) •Sub keys: •value (String): The value of the argument to be passed to the event handling program. (Required) •description (String): A description for the argument provided to the program. |
program |
The program to run. •Type: String •Required: false •Default value: <none> |
Properties for the "soap" section: |
|
additional_data |
Additional information to send with the SOAP call. •Type: String •Required: false •Default value: <none> |
password |
The password for HTTP basic authentication. •Type: Password •Required: false •Default value: <none> |
proxy |
The address of the server implementing the SOAP interface (For example, https://example.com). •Type: String •Required: false •Default value: <none> |
username |
Username for HTTP basic authentication. Leave blank if you do not wish to use authentication. •Type: String •Required: false •Default value: <none> |
Properties for the "syslog" section: |
|
sysloghost |
The host and optional port to send syslog messages to (if empty, messages will be sent to localhost). •Type: String •Required: false •Default value: <none> |
Properties for the "trap" section: |
|
auth_password |
The authentication password for sending a Notify over SNMPv3. Blank to send unauthenticated traps. •Type: Password •Required: false •Default value: <none> |
community |
The community string to use when sending a Trap over SNMPv1 or a Notify over SNMPv2c. •Type: String •Required: false •Default value: <none> |
hash_algorithm |
The hash algorithm for SNMPv3 authentication. •Type: Enum(String) •Required: false •Default value: "md5" •Permitted values: "md5": MD5 "sha1": SHA-1 |
priv_password |
The encryption password to encrypt a Notify message for SNMPv3. Requires that authentication also be configured. Blank to send unencrypted traps. •Type: Password •Required: false •Default value: <none> |
traphost |
The hostname or IPv4 address and optional port number that should receive traps. •Type: String •Required: false •Default value: <none> |
username |
The SNMP username to use to send the Notify over SNMPv3. •Type: String •Required: false •Default value: <none> |
version |
The SNMP version to use to send the Trap/Notify. •Type: Enum(String) •Required: false •Default value: "snmpv1" •Permitted values: "snmpv1": SNMPv1 "snmpv2c": SNMPv2c "snmpv3": SNMPv3 |
Aptimizer Application Scope
URI Endpoint: /api/tm/8.3/config/active/aptimizer/scopes
Application scopes define criteria that match URLs to specific logical web applications hosted by a virtual server.
Property |
Description |
canonical_hostname |
If the hostnames for this scope are aliases of each other, the canonical hostname will be used for requests to the server. •Type: String •Required: false •Default value: <none> |
hostnames |
The hostnames to limit acceleration to. •Type: Set(String) •Required: false •Default value: <none> |
root |
The root path of the application defined by this application scope. •Type: String •Required: false •Default value: "/" |
BGP Neighbor
URI Endpoint: /api/tm/8.3/config/active/bgpneighbors
The conf/bgpneighbors directory contains configuration files for BGP neighbors. The name of a file is the name of the neighbor configuration that it defines. BGP neighbors can be managed under the System > Fault Tolerance > BGP Neighbors section of the Admin UI, or by using functions under the BGPNeighbors section of the SOAP API and CLI.
Property |
Description |
address |
The IP address of the BGP neighbor •Type: String •Required: false •Default value: <none> |
advertisement_interval |
The minimum interval between the sending of BGP routing updates to neighbors. Note that as a result of jitter, as defined for BGP, the interval during which no advertisements are sent will be between 75% and 100% of this value. •Type: UInt •Required: false •Default value: "5" |
as_number |
The AS number for the BGP neighbor •Type: UInt •Required: false •Default value: "65534" |
authentication_password |
The password to be used for authentication of sessions with neighbors •Type: String •Required: false •Default value: <none> |
holdtime |
The period after which the BGP session with the neighbor is deemed to have become idle - and requires re-establishment - if the neighbor falls silent. •Type: UInt •Required: false •Default value: "90" |
keepalive |
The interval at which messages are sent to the BGP neighbor to keep the mutual BGP session established. •Type: UInt •Required: false •Default value: "30" |
machines |
The traffic managers that are to use this neighbor •Type: Set(String) •Required: false •Default value: <none> |
Bandwidth Class
URI Endpoint: /api/tm/8.3/config/active/bandwidth
A Bandwidth class, which can be assigned to a virtual server or pool in order to limit the number of bytes per second used by inbound or outbound traffic.
Property |
Description |
maximum |
The maximum bandwidth to allocate to connections that are associated with this bandwidth class (in kbits/second). •Type: UInt •Required: false •Default value: "10000" |
note |
A description of this bandwidth class. •Type: FreeformString •Required: false •Default value: <none> |
sharing |
The scope of the bandwidth class. •Type: Enum(String) •Required: false •Default value: "cluster" •Permitted values: "cluster": Bandwidth is shared across all traffic managers "connection": Each connection can use the maximum rate "machine": Bandwidth is shared per traffic manager |
Cloud Credentials
URI Endpoint: /api/tm/8.3/config/active/cloud_api_credentials
Cloud credentials used in cloud API calls
Property |
Description |
api_server |
The vCenter server hostname or IP address. •Type: String •Required: false •Default value: <none> |
cloud_api_timeout |
The traffic manager creates and destroys nodes via API calls. This setting specifies (in seconds) how long to wait for such calls to complete. •Type: UInt •Required: false •Default value: "200" |
cred1 |
The first part of the credentials for the cloud user. Typically this is some variation on the username concept. •Type: String •Required: false •Default value: <none> |
cred2 |
The second part of the credentials for the cloud user. Typically this is some variation on the password concept. •Type: Password •Required: false •Default value: <none> |
cred3 |
The third part of the credentials for the cloud user. Typically this is some variation on the authentication token concept. •Type: Password •Required: false •Default value: <none> |
script |
The script to call for communication with the cloud API. •Type: String •Required: false •Default value: <none> |
update_interval |
The traffic manager will periodically check the status of the cloud through an API call. This setting specifies the interval between such updates. •Type: UInt •Required: false •Default value: "30" |
Custom configuration set
URI Endpoint: /api/tm/8.3/config/active/custom
Custom configuration sets store arbitrary named values. These values can be read by SOAP or REST clients.
Property |
Description |
string_lists |
This table contains named lists of strings •Type: Table •Required: false •Primary key: •name (String): Name of list (Required) •Sub keys: •value (List(String)): Named list of user-specified strings. (Required) |
DNS Zone
URI Endpoint: /api/tm/8.3/config/active/dns_server/zones
The conf/dnsserver/zones/ file contains zone metadata
Property |
Description |
origin |
The domain origin of this Zone. •Type: String •Required: true •Default value: <none> |
zonefile |
The Zone File encapsulated by this Zone. •Type: String •Required: true •Default value: <none> |
DNS Zone File
URI Endpoint: /api/tm/8.3/config/active/dns_server/zone_files
The conf/dnsserver/zonefiles/ directory contains files that define DNS zones.
Property |
Description |
There are no properties to display for this resource. |
Event Type
URI Endpoint: /api/tm/8.3/config/active/event_types
Configuration that ties actions to a set of events that trigger them.
Property |
Description |
actions |
The actions triggered by events matching this event type, as a list of action references. •Type: List(Reference(config-event-action)) •Required: false •Default value: <none> |
built_in |
If set to Yes this indicates that this configuration is built-in (provided as part of the software) and must not be deleted or edited. •Type: Boolean •Required: false •Default value: false |
note |
A description of this event type. •Type: FreeformString •Required: false •Default value: <none> |
Properties for the "cloudcredentials" section: |
|
event_tags |
Cloud credentials event tags •Type: List(String) •Required: false •Default value: <none> |
objects |
Cloud credentials object names •Type: List(String) •Required: false •Default value: <none> |
Properties for the "config" section: |
|
event_tags |
Configuration file event tags •Type: List(String) •Required: false •Default value: <none> |
Properties for the "faulttolerance" section: |
|
event_tags |
Fault tolerance event tags •Type: List(String) •Required: false •Default value: <none> |
Properties for the "general" section: |
|
event_tags |
General event tags •Type: List(String) •Required: false •Default value: <none> |
Properties for the "glb" section: |
|
event_tags |
GLB service event tags •Type: List(String) •Required: false •Default value: <none> |
objects |
GLB service object names •Type: List(String) •Required: false •Default value: <none> |
Properties for the "java" section: |
|
event_tags |
Java event tags •Type: List(String) •Required: false •Default value: <none> |
Properties for the "licensekeys" section: |
|
event_tags |
License key event tags •Type: List(String) •Required: false •Default value: <none> |
objects |
License key object names •Type: List(String) •Required: false •Default value: <none> |
Properties for the "locations" section: |
|
event_tags |
Location event tags •Type: List(String) •Required: false •Default value: <none> |
objects |
Location object names •Type: List(String) •Required: false •Default value: <none> |
Properties for the "monitors" section: |
|
event_tags |
Monitor event tags •Type: List(String) •Required: false •Default value: <none> |
objects |
Monitors object names •Type: List(String) •Required: false •Default value: <none> |
Properties for the "pools" section: |
|
event_tags |
Pool key event tags •Type: List(String) •Required: false •Default value: <none> |
objects |
Pool object names •Type: List(String) •Required: false •Default value: <none> |
Properties for the "protection" section: |
|
event_tags |
Service protection class event tags •Type: List(String) •Required: false •Default value: <none> |
objects |
Service protection class object names •Type: List(String) •Required: false •Default value: <none> |
Properties for the "rules" section: |
|
event_tags |
Rule event tags •Type: List(String) •Required: false •Default value: <none> |
objects |
Rule object names •Type: List(String) •Required: false •Default value: <none> |
Properties for the "slm" section: |
|
event_tags |
SLM class event tags •Type: List(String) •Required: false •Default value: <none> |
objects |
SLM class object names •Type: List(String) •Required: false •Default value: <none> |
Properties for the "ssl" section: |
|
event_tags |
SSL event tags •Type: List(String) •Required: false •Default value: <none> |
Properties for the "sslhw" section: |
|
event_tags |
SSL hardware event tags •Type: List(String) •Required: false •Default value: <none> |
Properties for the "trafficscript" section: |
|
event_tags |
TrafficScript event tags •Type: List(String) •Required: false •Default value: <none> |
Properties for the "vservers" section: |
|
event_tags |
Virtual server event tags •Type: List(String) •Required: false •Default value: <none> |
objects |
Virtual server object names •Type: List(String) •Required: false •Default value: <none> |
Properties for the "zxtms" section: |
|
event_tags |
Traffic manager event tags •Type: List(String) •Required: false •Default value: <none> |
objects |
Traffic manager object names •Type: List(String) •Required: false •Default value: <none> |
Extra File
URI Endpoint: /api/tm/8.3/config/active/extra_files
A user-uploaded file. Such files can be used in TrafficScript code using the resource.get function.
Property |
Description |
There are no properties to display for this resource. |
GLB Service
URI Endpoint: /api/tm/8.3/config/active/glb_services
A global load balancing service is used by a virtual server to modify DNS requests in order to load balance data across different GLB locations.
Property |
Description |
algorithm |
Defines the global load balancing algorithm to be used. •Type: Enum(String) •Required: false •Default value: "hybrid" •Permitted values: "chained": Sends traffic to one location at a time until that location fails, at which point the next one in the chain is used. "geo": Distributes traffic based solely on the geographic location of each client. "hybrid": Distributes traffic based on both the load and geographic location. "load": Distributes traffic based on the current load to each location. "round_robin": Distributes traffic by assigning each request to a new location in turn. Over a period of time, all locations will receive the same number of requests. "weighted_random": Distributes traffic in a random way, but according to a weighted policy defined by individual location weights. |
all_monitors_needed |
Do all monitors assigned to a location need to report success in order for it to be considered healthy? •Type: Boolean •Required: false •Default value: true |
autorecovery |
The last location to fail will be available as soon as it recovers. •Type: Boolean •Required: false •Default value: true |
chained_auto_failback |
Enable/Disable automatic failback mode. •Type: Boolean •Required: false •Default value: false |
chained_location_order |
The locations this service operates for and defines the order in which locations fail. •Type: List(String) •Required: false •Default value: <none> |
disable_on_failure |
Locations recovering from a failure will become disabled. •Type: Boolean •Required: false •Default value: false |
dnssec_keys |
A table mapping domains to the private keys that authenticate them •Type: Table •Required: false •Primary key: •domain (String): A domain authenticated by the associated private keys. (Required) •Sub keys: •ssl_key (Set(String)): Private keys that authenticate the associated domain. (Required) |
domains |
The domains shown here should be a list of Fully Qualified Domain Names that you would like to balance globally. Responses from the back end DNS servers for queries that do not match this list will be forwarded to the client unmodified. Note: "*" may be used as a wild card. •Type: Set(String) •Required: false •Default value: <none> |
enabled |
Enable/Disable our response manipulation of DNS. •Type: Boolean •Required: false •Default value: false |
geo_effect |
How much should the locality of visitors affect the choice of location used? This value is a percentage, 0% means that no locality information will be used, and 100% means that locality will always control which location is used. Values between the two extremes will act accordingly. •Type: UInt •Required: false •Default value: "50" |
last_resort_response |
The response to be sent in case there are no locations available. •Type: Set(String) •Required: false •Default value: <none> |
location_draining |
This is the list of locations for which this service is draining. A location that is draining will never serve any of its service IP addresses for this domain. This can be used to take a location off-line. •Type: Set(String) •Required: false •Default value: <none> |
location_settings |
Table containing location specific settings. •Type: Table •Required: false •Primary key: •location (String): Location to which the associated settings apply. (Required) •Sub keys: •weight (UInt): Weight for this location, for use by the weighted random algorithm. •ips (Set(String)): The IP addresses that are present in a location. If the Global Load Balancer decides to direct a DNS query to this location, then it will filter out all IPs that are not in this list. (Required) •monitors (Set(String)): The monitors that are present in a location. |
return_ips_on_fail |
Return all or none of the IPs under complete failure. •Type: Boolean •Required: false •Default value: true |
rules |
Response rules to be applied in the context of the service, in order, comma separated. •Type: List(Reference(config-trafficscript)) •Required: false •Default value: <none> |
ttl |
The TTL for the DNS resource records handled by the GLB service. •Type: Int •Required: false •Default value: "-1" |
Properties for the "log" section: |
|
enabled |
Log connections to this GLB service? •Type: Boolean •Required: false •Default value: false |
filename |
The filename the verbose query information should be logged to. Appliances will ignore this. •Type: String •Required: false •Default value: "%zeushome%/zxtm/log/services/%g.log" |
format |
The format of the log lines. •Type: String •Required: false •Default value: "%t, %s, %l, %q, %g, %n, %d, %a" |
Global Settings
URI Endpoint: /api/tm/8.3/config/active/global_settings
General settings that apply to every machine in the cluster.
Property |
Description |
accepting_delay |
How often, in milliseconds, each traffic manager child process (that isn't listening for new connections) checks to see whether it should start listening for new connections. •Type: UInt •Required: false •Default value: "50" |
afm_enabled |
Whether or not the application firewall is enabled. •Type: Boolean •Required: false •Default value: false |
chunk_size |
The default chunk size for reading/writing requests. •Type: UInt •Required: false •Default value: "16384" |
client_first_opt |
Whether or not your traffic manager should make use of TCP optimisations to defer the processing of new client-first connections until the client has sent some data. •Type: Boolean •Required: false •Default value: false |
cluster_identifier |
Cluster identifier. Generally supplied by Services Director. •Type: String •Required: false •Default value: <none> |
license_servers |
A list of license servers for FLA licensing. A license server should be specified as a <ip/host>:<port> pair. •Type: Set(String) •Required: false •Default value: <none> |
max_fds |
The maximum number of file descriptors that your traffic manager will allocate. •Type: UInt •Required: false •Default value: "1048576" |
max_tcp_buff_mem |
The maximum amount of memory allowed to be used to buffer network data in user space for all TCP connections. Buffered TCP data is either data received from clients that has not yet been sent to pool nodes, or data received from pool nodes that has not yet been sent to clients. This is specified as either a percentage of system RAM, 5% for example, or an absolute size such as 1024MB and 2GB. A numeric value without suffix MB, GB or % defaults to MB. A value of 800 means 800MB. A value of 0 means unlimited. •Type: String •Required: false •Default value: <none> |
monitor_memory_size |
The maximum number of each of nodes, pools or locations that can be monitored. The memory used to store information about nodes, pools and locations is allocated at start-up, so the traffic manager must be restarted after changing this setting. •Type: UInt •Required: false •Default value: "4096" |
rate_class_limit |
The maximum number of Rate classes that can be created. Approximately 100 bytes will be pre-allocated per Rate class. •Type: UInt •Required: false •Default value: "25000" |
shared_pool_size |
The size of the shared memory pool used for shared storage across worker processes (e.g. bandwidth shared data). This is specified as either a percentage of system RAM, 5% for example, or an absolute size such as 10MB. •Type: String •Required: false •Default value: "10MB" |
slm_class_limit |
The maximum number of SLM classes that can be created. Approximately 100 bytes will be pre-allocated per SLM class. •Type: UInt •Required: false •Default value: "1024" |
so_rbuff_size |
The size of the operating system's read buffer. A value of 0 (zero) means to use the OS default; in normal circumstances this is what should be used. •Type: UInt •Required: false •Default value: <none> |
so_wbuff_size |
The size of the operating system's write buffer. A value of 0 (zero) means to use the OS default; in normal circumstances this is what should be used. •Type: UInt •Required: false •Default value: <none> |
socket_optimizations |
Whether or not the traffic manager should use potential network socket optimisations. If set to auto, a decision will be made based on the host platform. •Type: Enum(String) •Required: false •Default value: "auto" •Permitted values: "auto": Decide based on local platform "no": Disable socket optimizations "yes": Enable socket optimizations |
tip_class_limit |
The maximum number of Traffic IP Groups that can be created. •Type: UInt •Required: false •Default value: "10000" |
Properties for the "admin" section: |
|
honor_fallback_scsv |
Whether or not the admin server, the internal control port and the config daemon honor the Fallback SCSV to protect connections against downgrade attacks. •Type: Boolean •Required: false •Default value: true |
ssl3_allow_rehandshake |
Whether or not SSL3/TLS re-handshakes should be supported for admin server and internal connections. •Type: Enum(String) •Required: false •Default value: "rfc5746" •Permitted values: "always": Always allow "never": Never allow "rfc5746": Only if client uses RFC 5746 (Secure Renegotiation Extension) "safe": Allow safe re-handshakes |
ssl3_ciphers |
The SSL ciphers to use for admin server and internal connections. For information on supported ciphers see the online help. •Type: String •Required: false •Default value: <none> |
ssl3_diffie_hellman_key_length |
The length in bits of the Diffie-Hellman key for ciphers that use Diffie-Hellman key agreement for admin server and internal connections. •Type: Enum(UInt) •Required: false •Default value: "dh_2048" •Permitted values: "dh_1024": Use 1024 bit keys for Diffie-Hellman ciphers. "dh_2048": Use 2048 bit keys for Diffie-Hellman ciphers. "dh_3072": Use 3072 bit keys for Diffie-Hellman ciphers. "dh_4096": Use 4096 bit keys for Diffie-Hellman ciphers. |
ssl3_min_rehandshake_interval |
If SSL3/TLS re-handshakes are supported on the admin server, this defines the minimum time interval (in milliseconds) between handshakes on a single SSL3/TLS connection that is permitted. To disable the minimum interval for handshakes the key should be set to the value 0. •Type: UInt •Required: false •Default value: "1000" |
ssl_elliptic_curves |
The SSL elliptic curve preference list for admin and internal connections. The named curves P256, P384 and P521 may be configured. •Type: List(String) •Required: false •Default value: <none> |
ssl_insert_extra_fragment |
Whether or not SSL3 and TLS1 use one-byte fragments as a BEAST countermeasure for admin server and internal connections. •Type: Boolean •Required: false •Default value: false |
ssl_max_handshake_message_size |
The maximum size (in bytes) of SSL handshake messages that the admin server and internal connections will accept. To accept any size of handshake message the key should be set to the value 0. •Type: UInt •Required: false •Default value: "10240" |
ssl_signature_algorithms |
The SSL signature algorithms preference list for admin and internal connections using TLS version 1.2 or higher. For information on supported algorithms see the online help. •Type: String •Required: false •Default value: <none> |
support_ssl3 |
Whether or not SSL3 support is enabled for admin server and internal connections. •Type: Boolean •Required: false •Default value: false |
support_tls1 |
Whether or not TLS1.0 support is enabled for admin server and internal connections. •Type: Boolean •Required: false •Default value: true |
support_tls1_1 |
Whether or not TLS1.1 support is enabled for admin server and internal connections. •Type: Boolean •Required: false •Default value: true |
support_tls1_2 |
Whether or not TLS1.2 support is enabled for admin server and internal connections. •Type: Boolean •Required: false •Default value: true |
support_tls1_3 |
Whether or not TLS1.3 support is enabled for admin server and internal connections. •Type: Boolean •Required: false •Default value: true |
Properties for the "appliance" section: |
|
bootloader_password |
The password used to protect the bootloader. An empty string means there will be no protection. •Type: Password •Required: false •Default value: <none> |
return_path_routing_enabled |
Whether or not the traffic manager will attempt to route response packets back to clients via the same route on which the corresponding request arrived. Note that this applies only to the last hop of the route - the behaviour of upstream routers cannot be altered by the traffic manager. •Type: Boolean •Required: false •Default value: false |
Properties for the "aptimizer" section: |
|
max_dependent_fetch_size |
The maximum size of a dependent resource that can undergo Web Accelerator optimization. Any content larger than this size will not be optimized. Units of KB and MB can be used, no postfix denotes bytes. A value of 0 disables the limit. •Type: String •Required: false •Default value: "2MB" |
max_original_content_buffer_size |
The maximum size of unoptimized content buffered in the traffic manager for a single backend response that is undergoing Web Accelerator optimization. Responses larger than this will not be optimized. Note that if the backend response is compressed then this setting pertains to the compressed size, before Web Accelerator decompresses it. Units of KB and MB can be used, no postfix denotes bytes. Value range is 1 - 128MB. •Type: String •Required: false •Default value: "2MB" |
watchdog_interval |
The period of time (in seconds) after which a previous failure will no longer count towards the watchdog limit. •Type: UInt •Required: false •Default value: "300" |
watchdog_limit |
The maximum number of times the Web Accelerator sub-process will be started or restarted within the interval defined by the aptimizer!watchdog_interval setting. If the process fails this many times, it must be restarted manually from the Diagnose page. Zero means no limit. •Type: UInt •Required: false •Default value: "3" |
Properties for the "auditlog" section: |
|
via_eventd |
Whether to mirror the audit log to EventD. •Type: Boolean •Required: false •Default value: false |
via_syslog |
Whether to output audit log message to the syslog. •Type: Boolean •Required: false •Default value: false |
Properties for the "auth" section: |
|
saml_key_lifetime |
Lifetime in seconds of cryptographic keys used to decrypt SAML SP sessions stored externally (client-side). •Type: UInt •Required: false •Default value: "86400" |
saml_key_rotation_interval |
Rotation interval in seconds for cryptographic keys used to encrypt SAML SP sessions stored externally (client-side). •Type: UInt •Required: false •Default value: "14400" |
Properties for the "autoscaler" section: |
|
verbose |
Whether or not detailed messages about the autoscaler's activity are written to the error log. •Type: Boolean •Required: false •Default value: false |
Properties for the "bgp" section: |
|
as_number |
The number of the BGP AS in which the traffic manager will operate. Must be entered in decimal. •Type: UInt •Required: false •Default value: "65534" |
enabled |
Whether BGP Route Health Injection is enabled •Type: Boolean •Required: false •Default value: false |
Properties for the "cluster_comms" section: |
|
allow_update_default |
The default value of allow_update for new cluster members. If you have cluster members joining from less trusted locations (such as cloud instances) this can be set to false in order to make them effectively "read-only" cluster members. •Type: Boolean •Required: false •Default value: true |
allowed_update_hosts |
The hosts that can contact the internal administration port on each traffic manager. This should be a list containing IP addresses, CIDR IP subnets, and localhost; or it can be set to all to allow any host to connect. •Type: List(String) •Required: false •Default value: "all" |
state_sync_interval |
How often to propagate the session persistence and bandwidth information to other traffic managers in the same cluster. Set this to 0 (zero) to disable propagation. Note that a cluster using "unicast" heartbeat messages cannot turn off these messages. •Type: UInt •Required: false •Default value: "3" |
state_sync_timeout |
The maximum amount of time to wait when propagating session persistence and bandwidth information to other traffic managers in the same cluster. Once this timeout is hit the transfer is aborted and a new connection created. •Type: UInt •Required: false •Default value: "6" |
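Added example (not part of the vendor reference): a Python audit of the "admin" and "cluster_comms" sections documented above, flagging values that weaken the admin server and internal control channel. The input layout {section: {property: value}}, the sample configurations and the pass/fail policy are assumptions of this example; property names, permitted values and defaults are taken from the tables above.

```python
# Added example: audits Global Settings values using the property names and
# defaults documented on this page. The {section: {property: value}} input
# layout and the policy thresholds are assumptions of this example.

ADMIN_DEFAULTS = {
    "honor_fallback_scsv": True,
    "ssl3_allow_rehandshake": "rfc5746",
    "ssl3_diffie_hellman_key_length": "dh_2048",
    "ssl_insert_extra_fragment": False,
    "support_ssl3": False,
    "support_tls1": True,
    "support_tls1_1": True,
    "support_tls1_2": True,
    "support_tls1_3": True,
}
CLUSTER_DEFAULTS = {"allow_update_default": True, "allowed_update_hosts": ["all"]}
MIN_DH_BITS = 2048  # example policy, not a vendor recommendation


def _dh_bits(value):
    """Turn 'dh_2048' (or 2048) into an integer bit length; None if unparseable."""
    try:
        return int(str(value).replace("dh_", ""))
    except ValueError:
        return None


def audit_global_settings(sections):
    """Return a list of (section, key, value, reason) findings.

    Properties missing from the input fall back to the documented defaults,
    so an untouched installation is audited as it would actually run.
    """
    admin = {**ADMIN_DEFAULTS, **sections.get("admin", {})}
    cluster = {**CLUSTER_DEFAULTS, **sections.get("cluster_comms", {})}
    findings = []

    def flag(section, key, value, reason):
        findings.append((section, key, value, reason))

    # Legacy protocol versions on the admin server and internal connections.
    for key, name in (("support_ssl3", "SSL3"), ("support_tls1", "TLS1.0"),
                      ("support_tls1_1", "TLS1.1")):
        if admin[key]:
            flag("admin", key, True, f"{name} is enabled for admin/internal connections")
    if not (admin["support_tls1_2"] or admin["support_tls1_3"]):
        flag("admin", "support_tls1_2", False, "neither TLS1.2 nor TLS1.3 is enabled")

    # Downgrade and renegotiation protections.
    if not admin["honor_fallback_scsv"]:
        flag("admin", "honor_fallback_scsv", False, "Fallback SCSV downgrade protection is off")
    if admin["ssl3_allow_rehandshake"] == "always":
        flag("admin", "ssl3_allow_rehandshake", "always", "re-handshakes allowed unconditionally")

    # Diffie-Hellman key length.
    bits = _dh_bits(admin["ssl3_diffie_hellman_key_length"])
    if bits is None or bits < MIN_DH_BITS:
        flag("admin", "ssl3_diffie_hellman_key_length",
             admin["ssl3_diffie_hellman_key_length"], f"DH key shorter than {MIN_DH_BITS} bits")

    # The BEAST countermeasure only matters while SSL3 or TLS1 is still offered.
    if (admin["support_ssl3"] or admin["support_tls1"]) and not admin["ssl_insert_extra_fragment"]:
        flag("admin", "ssl_insert_extra_fragment", False,
             "SSL3/TLS1 offered without the one-byte fragment BEAST countermeasure")

    # Internal administration port exposure.
    hosts = cluster["allowed_update_hosts"]
    hosts = [hosts] if isinstance(hosts, str) else list(hosts)
    if "all" in hosts:
        flag("cluster_comms", "allowed_update_hosts", hosts,
             "any host may contact the internal administration port")
    return findings


def finding_keys(findings):
    """Findings as sorted 'section!key' strings, the notation this page uses."""
    return sorted(f"{section}!{key}" for section, key, _, _ in findings)


# Constructed sample configurations (not taken from a real system).
SAMPLE_WEAK = {"admin": {"support_ssl3": True, "honor_fallback_scsv": False,
                         "ssl3_allow_rehandshake": "always",
                         "ssl3_diffie_hellman_key_length": "dh_1024"}}
SAMPLE_HARDENED = {"admin": {"support_tls1": False, "support_tls1_1": False},
                   "cluster_comms": {"allowed_update_hosts": ["10.0.0.0/24", "localhost"]}}

if __name__ == "__main__":
    for label, cfg in (("defaults", {}), ("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label)
        for section, key, value, reason in audit_global_settings(cfg):
            print(f"  {section}!{key} = {value!r}: {reason}")
```

Auditing an empty configuration shows what the documented defaults alone leave open.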
Properties for the "connection" section: |
|
idle_connections_max |
The maximum number of unused HTTP keepalive connections with back-end nodes that the traffic manager should maintain for re-use. Setting this to 0 (zero) will cause the traffic manager to auto-size this parameter based on the available number of file-descriptors. •Type: UInt •Required: false •Default value: <none> |
idle_timeout |
How long an unused HTTP keepalive connection should be kept before it is discarded. •Type: UInt •Required: false •Default value: "10" |
listen_queue_size |
The listen queue size for managing incoming connections. It may be necessary to increase the system's listen queue size if this value is altered. If the value is set to 0 then the default system setting will be used. •Type: UInt •Required: false •Default value: <none> |
max_accepting |
Number of processes that should accept new connections. Only this many traffic manager child processes will listen for new connections at any one time. Setting this to 0 (zero) will cause your traffic manager to select an appropriate default value based on the architecture and number of CPUs. •Type: UInt •Required: false •Default value: <none> |
multiple_accept |
Whether or not the traffic manager should try to read multiple new connections each time a new client connects. This can improve performance under some very specific conditions. However, in general it is recommended that this be set to 'false'. •Type: Boolean •Required: false •Default value: false |
udp_read_multiple |
Whether or not the traffic manager should try to read multiple UDP packets from clients each time the kernel reports data received from clients. This can improve performance when there is high UDP traffic throughput from clients to the traffic manager, so in general it is recommended that this be set to 'Yes'. •Type: Boolean •Required: false •Default value: true |
Properties for the "dns" section: |
|
max_ttl |
Maximum Time To Live (expiry time) for entries in the DNS cache. •Type: UInt •Required: false •Default value: "86400" |
min_ttl |
Minimum Time To Live (expiry time) for entries in the DNS cache. •Type: UInt •Required: false •Default value: "86400" |
negative_expiry |
Expiry time for failed lookups in the DNS cache. •Type: UInt •Required: false •Default value: "60" |
size |
Maximum number of entries in the DNS cache. •Type: UInt •Required: false •Default value: "10867" |
timeout |
Timeout for receiving a response from a DNS server. •Type: UInt •Required: false •Default value: "12" |
Properties for the "ec2" section: |
|
access_key_id |
Deprecated: This key is unused. Amazon authentication credentials are now extracted from IAM Roles assigned to an EC2 instance. •Type: String •Required: false •Default value: <none> |
awstool_timeout |
The maximum amount of time requests to the AWS Query API can take before timing out. •Type: UInt •Required: false •Default value: "10" |
metadata_server |
URL for the EC2 metadata server, http://169.254.169.254/latest/meta-data for example. •Type: String •Required: false •Default value: <none> |
query_server |
URL for the Amazon EC2 endpoint, https://ec2.amazonaws.com/ for example. •Type: String •Required: false •Default value: <none> |
secret_access_key |
Deprecated: This key is unused. Amazon authentication credentials are now extracted from IAM Roles assigned to an EC2 instance. •Type: Password •Required: false •Default value: <none> |
verify_query_server_cert |
Whether to verify Amazon EC2 endpoint's certificate using CA(s) present in SSL Certificate Authorities Catalog. •Type: Boolean •Required: false •Default value: false |
Properties for the "eventing" section: |
|
mail_interval |
The minimum length of time that must elapse between alert emails being sent. Where multiple alerts occur inside this timeframe, they will be retained and sent within a single email rather than separately. •Type: UInt •Required: false •Default value: "30" |
max_attempts |
The number of times to attempt to send an alert email before giving up. •Type: UInt •Required: false •Default value: "10" |
Properties for the "fault_tolerance" section: |
|
arp_count |
The number of ARP packets a traffic manager should send when an IP address is raised. •Type: UInt •Required: false •Default value: "10" |
auto_failback |
Whether or not traffic IPs automatically move back to machines that have recovered from a failure and have dropped their traffic IPs. •Type: Boolean •Required: false •Default value: true |
autofailback_delay |
Configure the delay of automatic failback after a previous failover event. This setting has no effect if autofailback is disabled. •Type: UInt •Required: false •Default value: "10" |
child_timeout |
How long the traffic manager should wait for status updates from any of the traffic manager's child processes before assuming one of them is no longer servicing traffic. •Type: UInt •Required: false •Default value: "5" |
frontend_check_ips |
The IP addresses used to check front-end connectivity. The text %gateway% will be replaced with the default gateway on each system. Set this to an empty string if the traffic manager is on an Intranet with no external connectivity. •Type: Set(String) •Required: false •Default value: "%gateway%" |
heartbeat_method |
The method traffic managers should use to exchange cluster heartbeat messages. •Type: Enum(String) •Required: false •Default value: "unicast" •Permitted values: "multicast": multicast "unicast": unicast |
igmp_interval |
The interval between unsolicited periodic IGMP Membership Report messages for Multi-Hosted Traffic IP Groups. •Type: UInt •Required: false •Default value: "30" |
monitor_interval |
The frequency, in milliseconds, that each traffic manager machine should check and announce its connectivity. •Type: UInt •Required: false •Default value: "500" |
monitor_timeout |
How long, in seconds, each traffic manager should wait for a response from its connectivity tests or from other traffic manager machines before registering a failure. •Type: UInt •Required: false •Default value: "5" |
multicast_address |
The multicast address and port to use to exchange cluster heartbeat messages. •Type: String •Required: false •Default value: "239.100.1.1:9090" |
unicast_port |
The unicast UDP port to use to exchange cluster heartbeat messages. •Type: UInt •Required: false •Default value: "9090" |
use_bind_ip |
Whether or not cluster heartbeat messages should only be sent and received over the management network. •Type: Boolean •Required: false •Default value: false |
verbose |
Whether or not a traffic manager should log all connectivity tests. This is very verbose, and should only be used for diagnostic purposes. •Type: Boolean •Required: false •Default value: false |
Properties for the "fips" section: |
|
enabled |
Enable FIPS Mode (requires software restart). •Type: Boolean •Required: false •Default value: false |
Properties for the "ftp" section: |
|
data_bind_low |
Whether or not the traffic manager should permit use of FTP data connection source ports lower than 1024. If No, the traffic manager can completely drop root privileges; if Yes, some or all privileges may be retained in order to bind to low ports. •Type: Boolean •Required: false •Default value: false |
Properties for the "glb" section: |
|
verbose |
Write a message to the logs for every DNS query that is load balanced, showing the source IP address and the chosen datacenter. •Type: Boolean •Required: false •Default value: false |
Properties for the "historical_activity" section: |
|
keep_days |
Number of days to store historical traffic information. If set to 0, the data will be kept indefinitely. •Type: UInt •Required: false •Default value: "90" |
Properties for the "ip" section: |
|
appliance_returnpath |
A table of MAC address/network interface to IP address mappings for each router where return path routing is required. •Type: Table •Required: false •Primary key: •mac (String): The MAC address/network interface of a router the software is connected to. (Required) •Sub keys: •ipv4 (String): The MAC address/network interface to IPv4 address mapping of a router the software is connected to. The value is the IPv4 address, the * (asterisk) in the key name is the MAC address and an optional network interface name, for example, 00:50:56:a6:24:3d or 00:50:56:a6:24:3d#eth0. •ipv6 (String): The MAC address/network interface to IPv6 address mapping of a router the software is connected to. The value is the IPv6 address, the * (asterisk) in the key name is the MAC address and an optional network interface name, for example, 00:50:56:a6:24:3d or 00:50:56:a6:24:3d#eth0. |
Properties for the "java" section: |
|
classpath |
CLASSPATH to use when starting the Java runner. •Type: String •Required: false •Default value: <none> |
command |
Java command to use when starting the Java runner, including any additional options. •Type: String •Required: false •Default value: "java -server" |
enabled |
Whether or not Java support should be enabled. If this is set to No, then your traffic manager will not start any Java processes. Java support is only required if you are using the TrafficScript java.run() function. •Type: Boolean •Required: false •Default value: false |
lib |
Java library directory for additional jar files. The Java runner will load classes from any .jar files stored in this directory, as well as the * jar files and classes stored in traffic manager's catalog. •Type: String •Required: false •Default value: <none> |
max_connections |
Maximum number of simultaneous Java requests. If there are more than this many requests, then further requests will be queued until the earlier requests are completed. This setting is per-CPU, so if your traffic manager is running on a machine with 4 CPU cores, then each core can make this many requests at one time. •Type: UInt •Required: false •Default value: "256" |
session_age |
Default time to keep a Java session. •Type: UInt •Required: false •Default value: "86400" |
Properties for the "kerberos" section: |
|
verbose |
Whether or not a traffic manager should log all Kerberos related activity. This is very verbose, and should only be used for diagnostic purposes. •Type: Boolean •Required: false •Default value: false |
Properties for the "log" section: |
|
error_level |
The minimum severity of events/alerts that should be logged to disk. INFO will log all events; a higher severity setting will log fewer events. More fine-grained control can be achieved using events and actions. •Type: Enum(UInt) •Required: false •Default value: "info" •Permitted values: "fatal": Only fatal errors are logged "info": All events are logged to disk "serious": Only serious errors or worse "warn": Only warnings and errors are logged |
flush_time |
How long to wait before flushing the request log files for each virtual server. •Type: UInt •Required: false •Default value: "5" |
log_file |
The file to log event messages to. •Type: String •Required: false •Default value: "%zeushome%/zxtm/log/errors" |
rate |
The maximum number of connection errors logged per second when connection error reporting is enabled. •Type: UInt •Required: false •Default value: "50" |
reopen |
How long to wait before re-opening request log files. This ensures that log files will be recreated in the case of log rotation. •Type: UInt •Required: false •Default value: "30" |
time |
The minimum time between log messages for log intensive features such as SLM. •Type: UInt •Required: false •Default value: "60" |
Properties for the "log_export" section: |
|
auth_hec_token |
The HTTP Event Collector token to use for HTTP authentication with a Splunk server. •Type: String •Required: false •Default value: <none> |
auth_http |
The HTTP authentication method to use when exporting log entries. •Type: Enum(String) •Required: false •Default value: "none" •Permitted values: "basic": Basic (Username and Password) "none": None "splunk": Splunk (HEC token) |
auth_password |
The password to use for HTTP basic authentication. •Type: Password •Required: false •Default value: <none> |
auth_username |
The username to use for HTTP basic authentication. •Type: String •Required: false •Default value: <none> |
enabled |
Monitor log files and export entries to the configured endpoint. •Type: Boolean •Required: false •Default value: false |
endpoint |
The URL to which log entries should be sent. Entries are sent using HTTP(S) POST requests. •Type: String •Required: false •Default value: <none> |
request_timeout |
The number of seconds after which HTTP requests sent to the configured endpoint will be considered to have failed if no response is received. A value of 0 means that HTTP requests will not time out. •Type: UInt •Required: false •Default value: "30" |
tls_verify |
Whether the server certificate should be verified when connecting to the endpoint. If enabled, server certificates that do not match the server name, are self-signed, have expired, have been revoked, or that are signed by an unknown CA will be rejected. •Type: Boolean •Required: false •Default value: true |
Properties for the "ospfv2" section: |
|
area |
The OSPF area in which the traffic manager will operate. May be entered in decimal or IPv4 address format. •Type: String •Required: false •Default value: "0.0.0.1" |
area_type |
The type of OSPF area in which the traffic manager will operate. This must be the same for all routers in the area, as required by OSPF. •Type: Enum(String) •Required: false •Default value: "normal" •Permitted values: "normal": Normal area "nssa": Not So Stubby Area (RFC3101) "stub": Stub area |
authentication_key_id_a |
OSPFv2 authentication key ID. If set to 0, which is the default value, the key is disabled. •Type: UInt •Required: false •Default value: <none> |
authentication_key_id_b |
OSPFv2 authentication key ID. If set to 0, which is the default value, the key is disabled. •Type: UInt •Required: false •Default value: <none> |
authentication_shared_secret_a |
OSPFv2 authentication shared secret (MD5). If set to blank, which is the default value, the key is disabled. •Type: String •Required: false •Default value: <none> |
authentication_shared_secret_b |
OSPFv2 authentication shared secret (MD5). If set to blank, which is the default value, the key is disabled. •Type: String •Required: false •Default value: <none> |
dead_interval |
The number of seconds before declaring a silent router down. •Type: UInt •Required: false •Default value: "40" |
enabled |
Whether OSPFv2 Route Health Injection is enabled. •Type: Boolean •Required: false •Default value: false |
hello_interval |
The interval at which OSPF "hello" packets are sent to the network. •Type: UInt •Required: false •Default value: "10" |
Properties for the "protection" section: |
|
conncount_size |
The amount of shared memory reserved for an inter-process table of combined connection counts, used by all Service Protection classes that have per_process_connection_count set to No. The amount is specified as an absolute size, e.g. 20MB. •Type: String •Required: false •Default value: "20MB" |
Properties for the "recent_connections" section: |
|
max_per_process |
How many recently closed connections each traffic manager process should save. These saved connections will be shown alongside currently active connections when viewing the Connections page. You should set this value to 0 in a benchmarking or performance-critical environment. •Type: UInt •Required: false •Default value: "500" |
retain_time |
The amount of time for which snapshots will be retained on the Connections page. •Type: UInt •Required: false •Default value: "60" |
snapshot_size |
The maximum number of connections each traffic manager process should show when viewing a snapshot on the Connections page. This value includes both currently active connections and saved connections. If set to 0, all active and saved connections will be displayed on the Connections page. •Type: UInt •Required: false •Default value: "500" |
Properties for the "remote_licensing" section: |
|
comm_channel_enabled |
Whether to create a Communications Channel agent to send and receive messages from the Services Director Registration Server. This will be disabled when performing self-registration with a Services Director which does not support this feature. •Type: Boolean •Required: false •Default value: true |
comm_channel_port |
The port number the Services Director instance is using for access to the traffic manager Communications Channel. •Type: UInt •Required: false •Default value: "8102" |
owner |
The Owner of a Services Director instance, used for self-registration. •Type: String •Required: false •Default value: <none> |
owner_secret |
The secret associated with the Owner. •Type: String •Required: false •Default value: <none> |
policy_id |
The auto-accept Policy ID that this instance should attempt to use. •Type: String •Required: false •Default value: <none> |
registration_server |
A Services Director address for self-registration. A registration server should be specified as a <ip/host>:<port> pair. •Type: String •Required: false •Default value: <none> |
server_certificate |
The certificate of a Services Director instance, used for self-registration. •Type: String •Required: false •Default value: <none> |
Properties for the "rest_api" section: |
|
auth_timeout |
The length of time after a successful request that the authentication of a given username and password will be cached for an IP address. A setting of 0 disables the cache, forcing every REST request to be authenticated, which will adversely affect performance. •Type: UInt •Required: false •Default value: "120" |
enabled |
Whether or not the REST service is enabled. •Type: Boolean •Required: false •Default value: true |
http_max_header_length |
The maximum allowed length in bytes of an HTTP request's headers. •Type: UInt •Required: false •Default value: "4096" |
maxfds |
Maximum number of file descriptors that the REST API will allocate. The REST API must be restarted for a change to this setting to take effect. •Type: UInt •Required: false •Default value: "1048576" |
replicate_absolute |
Configuration changes will be replicated across the cluster after this period of time, regardless of whether additional API requests are being made. •Type: UInt •Required: false •Default value: "20" |
replicate_lull |
Configuration changes made via the REST API will be propagated across the cluster when no further API requests have been made for this period of time. •Type: UInt •Required: false •Default value: "5" |
replicate_timeout |
The period of time after which configuration replication across the cluster will be cancelled if it has not completed. •Type: UInt •Required: false •Default value: "10" |
Properties for the "security" section: |
|
login_banner |
Banner text displayed on the Admin Server login page and before logging in to appliance SSH servers. •Type: FreeformString •Required: false •Default value: <none> |
login_banner_accept |
Whether or not users must explicitly agree to the displayed login_banner text before logging in to the Admin Server. •Type: Boolean •Required: false •Default value: false |
login_delay |
The number of seconds before another login attempt can be made after a failed attempt. •Type: UInt •Required: false •Default value: "4" |
max_login_attempts |
The number of sequential failed login attempts that will cause a user account to be suspended. Setting this to 0 disables this feature. To apply this to users who have never successfully logged in, track_unknown_users must also be enabled. •Type: UInt •Required: false •Default value: <none> |
max_login_external |
Whether or not usernames blocked due to the max_login_attempts limit should also be blocked from authentication against external services (such as LDAP and RADIUS). •Type: Boolean •Required: false •Default value: false |
max_login_suspension_time |
The number of minutes to suspend users who have exceeded the max_login_attempts limit. •Type: UInt •Required: false •Default value: "15" |
password_allow_consecutive_chars |
Whether or not to allow the same character to appear consecutively in passwords. •Type: Boolean •Required: false •Default value: true |
password_changes_per_day |
The maximum number of times a password can be changed in a 24-hour period. Set to 0 to disable this restriction. •Type: UInt •Required: false •Default value: <none> |
password_min_alpha_chars |
Minimum number of alphabetic characters a password must contain. Set to 0 to disable this restriction. •Type: UInt •Required: false •Default value: <none> |
password_min_length |
Minimum number of characters a password must contain. Set to 0 to disable this restriction. •Type: UInt •Required: false •Default value: <none> |
password_min_numeric_chars |
Minimum number of numeric characters a password must contain. Set to 0 to disable this restriction. •Type: UInt •Required: false •Default value: <none> |
password_min_special_chars |
Minimum number of special (non-alphanumeric) characters a password must contain. Set to 0 to disable this restriction. •Type: UInt •Required: false •Default value: <none> |
password_min_uppercase_chars |
Minimum number of uppercase characters a password must contain. Set to 0 to disable this restriction. •Type: UInt •Required: false •Default value: <none> |
password_reuse_after |
The number of times a password must have been changed before it can be reused. Set to 0 to disable this restriction. •Type: UInt •Required: false •Default value: <none> |
post_login_banner |
Banner text to be displayed on the appliance console after login. •Type: String •Required: false •Default value: <none> |
track_unknown_users |
Whether to remember past login attempts from usernames that are not known to exist (should be set to false for an Admin Server accessible from the public Internet). This does not affect the audit log. •Type: Boolean •Required: false •Default value: false |
ui_page_banner |
Banner text to be displayed on all Admin Server pages. •Type: String •Required: false •Default value: <none> |
Properties for the "session" section: |
|
asp_cache_size |
The maximum number of entries in the ASP session persistence cache. This is used for storing session mappings for ASP session persistence. Approximately 100 bytes will be pre-allocated per entry. •Type: UInt •Required: false •Default value: "32768" |
ip_cache_expiry |
IP session persistence cache expiry time in seconds. A session will not be reused if the time since it was last used exceeds this value. 0 indicates no expiry timeout. •Type: UInt •Required: false •Default value: <none> |
ip_cache_size |
The maximum number of entries in the IP session persistence cache. This is used to provide session persistence based on the source IP address. Approximately 100 bytes will be pre-allocated per entry. •Type: UInt •Required: false •Default value: "32768" |
j2ee_cache_expiry |
J2EE session persistence cache expiry time in seconds. A session will not be reused if the time since it was last used exceeds this value. 0 indicates no expiry timeout. •Type: UInt •Required: false •Default value: <none> |
j2ee_cache_size |
The maximum number of entries in the J2EE session persistence cache. This is used for storing session mappings for J2EE session persistence. Approximately 100 bytes will be pre-allocated per entry. •Type: UInt •Required: false •Default value: "32768" |
ssl_cache_size |
The maximum number of entries in the SSL session persistence cache. This is used to provide session persistence based on the SSL session ID. Approximately 200 bytes will be pre-allocated per entry. •Type: UInt •Required: false •Default value: "32768" |
universal_cache_expiry |
Universal session persistence cache expiry time in seconds. A session will not be reused if the time since it was last used exceeds this value. 0 indicates no expiry timeout. •Type: UInt •Required: false •Default value: <none> |
universal_cache_size |
The maximum number of entries in the global universal session persistence cache. This is used for storing session mappings for universal session persistence. Approximately 100 bytes will be pre-allocated per entry. •Type: UInt •Required: false •Default value: "32768" |
Properties for the "snmp" section: |
|
user_counters |
The number of user defined SNMP counters. Approximately 100 bytes will be pre-allocated at start-up per user defined SNMP counter. •Type: UInt •Required: false •Default value: "10" |
Properties for the "soap" section: |
|
idle_minutes |
The number of minutes that the SOAP server should remain idle before exiting. The SOAP server has a short startup delay the first time a SOAP request is made; subsequent SOAP requests don't have this delay. •Type: UInt •Required: false •Default value: "10" |
Properties for the "ssl" section: |
|
allow_rehandshake |
Whether or not SSL/TLS re-handshakes should be supported. Enabling support for re-handshakes can expose services to Man-in-the-Middle attacks. It is recommended that only "safe" handshakes be permitted, or none at all. •Type: Enum(String) •Required: false •Default value: "safe" •Permitted values: "always": Always allow "never": Never allow "rfc5746": Only if client uses RFC 5746 (Secure Renegotiation Extension) "safe": Allow safe re-handshakes |
cache_enabled |
Whether or not the SSL server session cache is enabled, unless overridden by virtual server settings. •Type: Boolean •Required: false •Default value: true |
cache_expiry |
How long the SSL session IDs for SSL decryption should be stored for. •Type: UInt •Required: false •Default value: "1800" |
cache_per_virtualserver |
Whether an SSL session created by a given virtual server can only be resumed by a connection to the same virtual server. •Type: Boolean •Required: false •Default value: true |
cache_size |
How many entries the SSL session ID cache should hold. This cache is used to cache SSL sessions to help speed up SSL handshakes when performing SSL decryption. Each entry will allocate approximately 1.75kB of metadata. •Type: UInt •Required: false •Default value: "6151" |
cipher_suites |
The SSL/TLS cipher suites preference list for SSL/TLS connections, unless overridden by virtual server or pool settings. For information on supported cipher suites see the online help. •Type: String •Required: false •Default value: <none> |
client_cache_enabled |
Whether or not the SSL client cache will be used, unless overridden by pool settings. •Type: Boolean •Required: false •Default value: true |
client_cache_expiry |
How long in seconds SSL sessions should be stored in the client cache for, by default. Servers returning session tickets may also provide a lifetime hint, which will be used if it is less than this value. •Type: UInt •Required: false •Default value: "14400" |
client_cache_size |
How many entries the SSL client session cache should hold, per child. This cache is used to cache SSL sessions to help speed up SSL handshakes when performing SSL encryption. Each entry will require approximately 100 bytes of memory plus space for either an SSL session ID or an SSL session ticket, which may be as small as 16 bytes or may be as large as a few kilobytes, depending upon the server behavior. •Type: UInt •Required: false •Default value: "1024" |
client_cache_tickets_enabled |
Whether or not session tickets, including TLS >= 1.3 PSKs, may be requested and stored in the SSL client cache. •Type: Boolean •Required: false •Default value: true |
crl_mem_size |
How much shared memory to allocate for loading Certificate Revocation Lists. This should be at least 3 times the total size of all CRLs on disk. This is specified as either a percentage of system RAM, 1% for example, or an absolute size such as 10MB. •Type: String •Required: false •Default value: "5MB" |
diffie_hellman_modulus_size |
The size in bits of the modulus for the domain parameters used for cipher suites that use finite field Diffie-Hellman key agreement. •Type: Enum(UInt) •Required: false •Default value: "dh_2048" •Permitted values: "dh_1024": 1024 bit modulus "dh_2048": 2048 bit modulus "dh_3072": 3072 bit modulus "dh_4096": 4096 bit modulus |
elliptic_curves |
The SSL/TLS elliptic curve preference list for SSL/TLS connections using TLS version 1.0 or higher, unless overridden by virtual server or pool settings. For information on supported curves see the online help. •Type: List(String) •Required: false •Default value: <none> |
honor_fallback_scsv |
Whether or not ssl-decrypting Virtual Servers honor the Fallback SCSV to protect connections against downgrade attacks. •Type: Boolean •Required: false •Default value: true |
insert_extra_fragment |
Whether or not SSL3 and TLS1 use one-byte fragments as a BEAST countermeasure. •Type: Boolean •Required: false •Default value: false |
log_keys |
Whether SSL connection key logging should be available via the ssl.sslkeylogline() TrafficScript function. If this setting is disabled then ssl.sslkeylogline() will always return the empty string. •Type: Boolean •Required: false •Default value: false |
max_handshake_message_size |
The maximum size (in bytes) of SSL handshake messages that SSL connections will accept. To accept any size of handshake message the key should be set to the value 0. •Type: UInt •Required: false •Default value: "10240" |
middlebox_compatibility |
Whether or not TLS 1.3 middlebox compatibility mode as described in RFC 8446 appendix D.4 will be used in connections to pool nodes, unless overridden by pool settings. •Type: Boolean •Required: false •Default value: true |
min_rehandshake_interval |
If SSL3/TLS re-handshakes are supported, this defines the minimum time interval (in milliseconds) between handshakes on a single SSL3/TLS connection that is permitted. To disable the minimum interval for handshakes the key should be set to the value 0. •Type: UInt •Required: false •Default value: "1000" |
ocsp_cache_size |
The maximum number of cached client certificate OCSP results stored. This cache is used to speed up OCSP checks against client certificates by caching results. Approximately 1040 bytes are pre-allocated per entry. •Type: UInt •Required: false •Default value: "2048" |
ocsp_stapling_default_refresh_interval |
How long to wait before refreshing requests on behalf of the store of certificate status responses used by OCSP stapling, if we don't have an up-to-date OCSP response. •Type: UInt •Required: false •Default value: "60" |
ocsp_stapling_maximum_refresh_interval |
Maximum time to wait before refreshing requests on behalf of the store of certificate status responses used by OCSP stapling. (0 means no maximum.) •Type: UInt •Required: false •Default value: "864000" |
ocsp_stapling_mem_size |
How much shared memory to allocate for the store of certificate status responses for OCSP stapling. This should be at least 2kB times the number of certificates configured to use OCSP stapling. This is specified as either a percentage of system RAM, 1% for example, or an absolute size such as 10MB. •Type: String •Required: false •Default value: "1MB" |
ocsp_stapling_time_tolerance |
How many seconds to allow the current time to be outside the validity time of an OCSP response before considering it invalid. •Type: UInt •Required: false •Default value: "30" |
ocsp_stapling_verify_response |
Whether the OCSP response signature should be verified before the OCSP response is cached. •Type: Boolean •Required: false •Default value: false |
signature_algorithms |
The SSL/TLS signature algorithms preference list for SSL/TLS connections using TLS version 1.2 or higher, unless overridden by virtual server or pool settings. For information on supported algorithms see the online help. •Type: String •Required: false •Default value: <none> |
support_ssl3 |
Whether or not SSL3 support is enabled. •Type: Boolean •Required: false •Default value: false |
support_tls1 |
Whether or not TLS1.0 support is enabled. •Type: Boolean •Required: false •Default value: true |
support_tls1_1 |
Whether or not TLS1.1 support is enabled. •Type: Boolean •Required: false •Default value: true |
support_tls1_2 |
Whether or not TLS1.2 support is enabled. •Type: Boolean •Required: false •Default value: true |
support_tls1_3 |
Whether or not TLS1.3 support is enabled. •Type: Boolean •Required: false •Default value: true |
tickets_enabled |
Whether or not session tickets will be issued to and accepted from clients that support them, unless overridden by virtual server settings. •Type: Boolean •Required: false •Default value: true |
tickets_reissue_policy |
When an SSL session ticket will be reissued (i.e. when a new ticket will be generated for the same SSL session). •Type: Enum(String) •Required: false •Default value: "never" •Permitted values: "always": always "never": never |
tickets_ticket_expiry |
The length of time for which an SSL session ticket will be accepted by a virtual server after the ticket is created. If a ticket is reissued (if ssl!tickets!reissue_policy is set to 'always') this time starts at the time when the ticket was reissued. •Type: UInt •Required: false •Default value: "14400" |
tickets_ticket_key_expiry |
The length of time for which an auto-generated SSL ticket key will be used to decrypt old session tickets, before being deleted from memory. This setting is ignored if there are any entries in the (REST-only) SSL ticket keys catalog. •Type: UInt •Required: false •Default value: "86400" |
tickets_ticket_key_rotation |
The length of time for which an auto-generated SSL ticket key will be used to encrypt new session tickets, before a new SSL ticket key is generated. The ticket encryption key will be held in memory for ssl!tickets!ticket_key_expiry, so that tickets encrypted using the key can still be decrypted and used. This setting is ignored if there are any entries in the (REST-only) SSL ticket keys catalog. •Type: UInt •Required: false •Default value: "14400" |
tickets_time_tolerance |
How many seconds to allow the current time to be outside the validity time of an SSL ticket before considering it invalid. •Type: UInt •Required: false •Default value: "30" |
validate_server_certificates_catalog |
Whether the traffic manager should validate that SSL server certificates form a matching key pair before the certificate gets used on an SSL decrypting virtual server. •Type: Boolean •Required: false •Default value: true |
Properties for the "ssl_hardware" section: |
|
accel |
Whether or not the SSL hardware is an "accelerator" (faster than software). By default the traffic manager will only use the SSL hardware if a key requires it (i.e. the key is stored on secure hardware and the traffic manager only has a placeholder/identifier key). With this option enabled, your traffic manager will instead try to use hardware for all SSL decrypts. •Type: Boolean •Required: false •Default value: false |
azure_client_id |
The client identifier used when accessing the Microsoft Azure Key Vault. •Type: String •Required: false •Default value: <none> |
azure_client_secret |
The client secret used when accessing the Microsoft Azure Key Vault. •Type: Password •Required: false •Default value: <none> |
azure_vault_url |
The URL for the REST API of the Microsoft Azure Key Vault. •Type: String •Required: false •Default value: <none> |
azure_verify_rest_api_cert |
Whether or not the Azure Key Vault REST API certificate should be verified. •Type: Boolean •Required: false •Default value: true |
driver_pkcs11_debug |
Print verbose information about the PKCS11 hardware security module to the event log. •Type: Boolean •Required: false •Default value: false |
driver_pkcs11_lib |
The location of the PKCS#11 library for your SSL hardware if it is not in a standard location. The traffic manager will search the standard locations by default. •Type: String •Required: false •Default value: <none> |
driver_pkcs11_slot_desc |
The label of the SSL Hardware slot to use. Only required if you have multiple HW accelerator slots. •Type: String •Required: false •Default value: <none> |
driver_pkcs11_slot_type |
The type of SSL hardware slot to use. •Type: Enum(String) •Required: false •Default value: "operator" •Permitted values: "module": Module Protected "operator": Operator Card Set "softcard": Soft Card |
driver_pkcs11_user_pin |
The User PIN for the PKCS token (PKCS#11 devices only). •Type: Password •Required: false •Default value: <none> |
failure_count |
The number of consecutive failures from the SSL hardware that will be tolerated before the traffic manager assumes its session with the device is invalid and tries to log in again. This is necessary when the device reboots following a power failure. •Type: UInt •Required: false •Default value: "5" |
library |
The type of SSL hardware to use. The drivers for the SSL hardware should be installed and accessible to the traffic manager software. •Type: Enum(String) •Required: false •Default value: "none" •Permitted values: "azure": Microsoft Azure Key Vault "none": None "pkcs11": PKCS#11 |
Properties for the "telemetry" section: |
|
enabled |
Allow the reporting of anonymized usage data for product improvement and customer support purposes. •Type: Boolean •Required: false •Default value: true |
Properties for the "trafficscript" section: |
|
data_local_size |
The maximum amount of memory available to store TrafficScript data.local.set() information. This can be specified as a percentage of system RAM, 5% for example; or an absolute size such as 200MB. •Type: String •Required: false •Default value: "5%" |
data_size |
The maximum amount of memory available to store TrafficScript data.set() information. This can be specified as a percentage of system RAM, 5% for example; or an absolute size such as 200MB. •Type: String •Required: false •Default value: "5%" |
execution_time_warning |
Raise an event if a TrafficScript rule runs for more than this number of milliseconds in a single invocation. If you get such events repeatedly, you may want to consider re-working some of your TrafficScript rules. A value of 0 means no warnings will be issued. •Type: UInt •Required: false •Default value: "500" |
max_instr |
The maximum number of instructions a TrafficScript rule will run. A rule will be aborted if it runs more than this number of instructions without yielding, preventing infinite loops. •Type: UInt •Required: false •Default value: "100000" |
memory_warning |
Raise an event if a TrafficScript rule requires more than this amount of buffered network data. If you get such events repeatedly, you may want to consider re-working some of your TrafficScript rules to use less memory or to stream the data that they process rather than storing it all in memory. This setting also limits the amount of data that can be returned by request.GetLine(). •Type: UInt •Required: false •Default value: "1048576" |
regex_cache_size |
The maximum number of regular expressions to cache in TrafficScript. Regular expressions will be compiled in order to speed up their use in the future. •Type: UInt •Required: false •Default value: "57" |
regex_match_limit |
The maximum number of ways TrafficScript will attempt to match a regular expression at each position in the subject string, before it aborts the rule and reports a TrafficScript error. •Type: UInt •Required: false •Default value: "10000000" |
regex_match_warn_percentage |
The percentage of regex_match_limit at which TrafficScript reports a performance warning. •Type: UInt •Required: false •Default value: "5" |
variable_pool_use |
Allow the pool.use and pool.select TrafficScript functions to accept variables instead of requiring literal strings. Enabling this feature has the following effects: 1. Your traffic manager may no longer be able to know whether a pool is in use. 2. Errors for pools that aren't in use will not be hidden. 3. Some settings displayed for a Pool may not be appropriate for the type of traffic being managed. 4. Pool usage information on the pool edit pages and config summary may not be accurate. 5. Monitors will run for all pools (with this option disabled monitors will only run for Pools that are used). •Type: Boolean •Required: false •Default value: false |
Properties for the "transaction_export" section: |
|
enabled |
Export metadata about transactions processed by the traffic manager to an external location. •Type: Boolean •Required: false •Default value: false |
endpoint |
The endpoint to which transaction metadata should be exported. The endpoint is specified as a hostname or IP address with a port. •Type: String •Required: false •Default value: <none> |
tls |
Whether the connection to the specified endpoint should be encrypted. •Type: Boolean •Required: false •Default value: true |
tls_verify |
Whether the server certificate presented by the endpoint should be verified, preventing a connection from being established if the certificate does not match the server name, is self-signed, is expired, is revoked, or has an unknown CA. •Type: Boolean •Required: false •Default value: true |
Properties for the "watchdog" section: |
|
timeout |
The maximum time in seconds a process can fail to update its heartbeat, before the watchdog considers it to have stalled. •Type: UInt •Required: false •Default value: "5" |
Properties for the "web_cache" section: |
|
avg_path_length |
The estimated average length of the path (including query string) for resources being cached. An amount of memory equal to this figure multiplied by max_file_num will be allocated for storing the paths for cache entries. This setting can be increased if your web site makes extensive use of long URLs. •Type: UInt •Required: false •Default value: "512" |
disk |
Whether or not to use a disk-backed (typically SSD) cache. If set to Yes cached web pages will be stored in a file on disk. This enables the traffic manager to use a cache that is larger than available RAM. The size setting should also be adjusted to select a suitable maximum size based on your disk space. Note that the disk caching is optimized for use with SSD storage. •Type: Boolean •Required: false •Default value: false |
disk_dir |
If disk caching is enabled, this sets the directory where the disk cache file will be stored. The traffic manager will create a file called webcache.data in this location. Note that the disk caching is optimized for use with SSD storage. •Type: String •Required: false •Default value: "%zeushome%/zxtm/internal" |
max_file_num |
Maximum number of entries in the cache. Approximately 0.9 KB will be pre-allocated per entry for metadata, this is in addition to the memory reserved for the content cache and for storing the paths of the cached resources. •Type: UInt •Required: false •Default value: "10000" |
max_file_size |
Largest size of a cacheable object in the cache. This is specified as either a percentage of the total cache size, 2% for example, or an absolute size such as 20MB. •Type: String •Required: false •Default value: "2%" |
max_path_length |
The maximum length of the path (including query string) for the resource being cached. If the path exceeds this length then it will not be added to the cache. •Type: UInt •Required: false •Default value: "2048" |
normalize_query |
Enable normalization (lexical ordering of the parameter-assignments) of the query string. •Type: Boolean •Required: false •Default value: true |
size |
The maximum size of the HTTP web page cache. This is specified as either a percentage of system RAM, 20% for example, or an absolute size such as 200MB. •Type: String •Required: false •Default value: "20%" |
verbose |
Add an X-Cache-Info header to every HTTP response, showing whether the request and/or the response was cacheable. •Type: Boolean •Required: false •Default value: false |
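An offline audit of the "ssl", "ssl_hardware" and "transaction_export" properties documented above, added here as an example (it is not code from the product or its documentation). The hardened baseline, the helper names and the {"properties": {section: {key: value}}} layout of the sample document are assumptions; the defaults are the ones listed in the tables above, so a key that is absent from the document is audited at its documented default.

```python
import json
from collections import namedtuple

Rule = namedtuple("Rule", "section key default want reason applies")
Finding = namedtuple("Finding", "section key value source reason")


def setting(props, section, key, default):
    """Effective value of a property: explicit if present, else the documented default."""
    return props.get(section, {}).get(key, default)


def always(props):
    return True


def azure_in_use(props):
    return setting(props, "ssl_hardware", "library", "none") == "azure"


def pkcs11_in_use(props):
    return setting(props, "ssl_hardware", "library", "none") == "pkcs11"


def export_enabled(props):
    return setting(props, "transaction_export", "enabled", False) is True


# Baseline chosen for this example (an assumption, not vendor guidance).
# "default" is the documented default from the page; "want" is the audited value.
RULES = [
    Rule("ssl", "support_ssl3", False, False, "SSL 3.0 is enabled", always),
    Rule("ssl", "support_tls1", True, False, "TLS 1.0 is enabled (deprecated by RFC 8996)", always),
    Rule("ssl", "support_tls1_1", True, False, "TLS 1.1 is enabled (deprecated by RFC 8996)", always),
    Rule("ssl", "ocsp_stapling_verify_response", False, True,
         "OCSP responses are cached without signature verification", always),
    Rule("ssl", "validate_server_certificates_catalog", True, True,
         "certificate/key pair matching is not validated", always),
    Rule("ssl_hardware", "azure_verify_rest_api_cert", True, True,
         "Azure Key Vault REST API certificate is not verified", azure_in_use),
    Rule("ssl_hardware", "driver_pkcs11_debug", False, False,
         "verbose PKCS#11 module information is written to the event log", pkcs11_in_use),
    Rule("transaction_export", "tls", True, True,
         "transaction metadata is exported unencrypted", export_enabled),
    Rule("transaction_export", "tls_verify", True, True,
         "export endpoint certificate is not verified", export_enabled),
]


def audit(document):
    """Return a Finding for every rule whose effective value differs from the baseline."""
    props = document.get("properties", {})
    findings = []
    for rule in RULES:
        if not rule.applies(props):
            continue  # e.g. Azure checks are irrelevant unless library is "azure"
        value = setting(props, rule.section, rule.key, rule.default)
        if value != rule.want:
            explicit = rule.key in props.get(rule.section, {})
            source = "explicit" if explicit else "default"
            findings.append(Finding(rule.section, rule.key, value, source, rule.reason))
    return findings


# Constructed sample document (not captured from a real traffic manager).
SAMPLE = json.loads("""
{
  "properties": {
    "ssl": {"support_tls1": false, "support_tls1_3": true, "tickets_enabled": true},
    "ssl_hardware": {
      "library": "azure",
      "azure_vault_url": "https://vault.example.invalid/",
      "azure_verify_rest_api_cert": false
    },
    "transaction_export": {"enabled": false, "tls_verify": false}
  }
}
""")

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.section}.{f.key} = {f.value!r} ({f.source}): {f.reason}")
```

Conditional rules keep the report quiet about sections that are not in use: the sample's tls_verify value is not reported because transaction export is disabled.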
Kerberos Configuration File
URI Endpoint: /api/tm/8.3/config/active/kerberos/krb5confs
A Kerberos krb5.conf file that provides the raw configuration for a Kerberos principal.
Property |
Description |
There are no properties to display for this resource. |
Kerberos Keytab
URI Endpoint: /api/tm/8.3/config/active/kerberos/keytabs
A Kerberos keytab file contains credentials to authenticate as (a number of) Kerberos principals.
Property |
Description |
There are no properties to display for this resource. |
Kerberos Principal
URI Endpoint: /api/tm/8.3/config/active/kerberos/principals
A Kerberos principal can be used by the traffic manager to participate in a Kerberos realm.
Property |
Description |
kdcs |
A list of <hostname/ip>:<port> pairs for Kerberos key distribution center (KDC) services to be explicitly used for the realm of the principal. If no KDCs are explicitly configured, DNS will be used to discover the KDC(s) to use. •Type: List(String) •Required: false •Default value: <none> |
keytab |
The name of the Kerberos keytab file containing suitable credentials to authenticate as the specified Kerberos principal. •Type: String •Required: true •Default value: <none> |
krb5conf |
The name of an optional Kerberos configuration file (krb5.conf). •Type: String •Required: false •Default value: <none> |
realm |
The Kerberos realm where the principal belongs. •Type: String •Required: false •Default value: <none> |
service |
The service name part of the Kerberos principal name the traffic manager should use to authenticate itself. •Type: String •Required: true •Default value: <none> |
License
URI Endpoint: /api/tm/8.3/config/active/license_keys
A license key is an encoded text file that controls what functionality is available from each traffic manager in the cluster. Every production traffic manager must have a valid license key in order to function; a traffic manager without a license will operate as Community Edition, which provides most of the functionality, but places restrictions on bandwidth and cluster size.
Property |
Description |
There are no properties to display for this resource. |
Location
URI Endpoint: /api/tm/8.3/config/active/locations
These are geographic locations as used by Global Load Balancing services. Such a location may not necessarily contain a traffic manager; instead it could refer to the location of a remote datacenter.
Property |
Description |
id |
The identifier of this location. •Type: UInt •Required: true •Default value: <none> |
latitude |
The latitude of this location. •Type: Float •Required: false •Default value: "0.0" |
longitude |
The longitude of this location. •Type: Float •Required: false •Default value: "0.0" |
note |
A note, used to describe this location. •Type: FreeformString •Required: false •Default value: <none> |
type |
Does this location contain traffic managers and configuration or is it a recipient of GLB requests? •Type: Enum(String) •Required: false •Default value: "config" •Permitted values: "config": Configuration "glb": GLB |
Log Export
URI Endpoint: /api/tm/8.3/config/active/log_export
Definitions of log files which should be exported to the analytics engine
Property |
Description |
appliance_only |
Whether entries from the specified log files should be exported only from appliances. •Type: Boolean •Required: false •Default value: false |
enabled |
Export entries from the log files included in this category. •Type: Boolean •Required: false •Default value: false |
files |
The set of files to export as part of this category, specified as a list of glob patterns. •Type: Set(String) •Required: false •Default value: <none> |
history |
How much historic log activity should be exported. •Type: Enum(String) •Required: false •Default value: "none" •Permitted values: "all": Export all historic entries "none": Do not export any historic entries "recent": Export recent historic entries, according to the 'history_period' setting |
history_period |
The number of days of historic log entries that should be exported. •Type: UInt •Required: false •Default value: "10" |
metadata |
This is table 'metadata' •Type: Table •Required: false •Primary key: •name (String): The name of a metadata item which should be sent to the analytics engine along with entries from these log files. (Required) •Sub keys: •value (String): Additional metadata to include with the log entries when exporting them to the configured endpoint. Metadata can be used by the system that is receiving the exported data to categorise and parse the log entries. (Required) |
note |
A description of this category of log files. •Type: String •Required: false •Default value: <none> |
Monitor
URI Endpoint: /api/tm/8.3/config/active/monitors
Monitors check important remote services are running, by periodically sending them traffic and checking the response is correct. They are used by virtual servers to detect the failure of backend nodes.
Property |
Description |
back_off |
Should the monitor slowly increase the delay after it has failed? •Type: Boolean •Required: false •Default value: true |
delay |
The minimum time between calls to a monitor. •Type: UInt •Required: false •Default value: "3" |
failures |
The number of times in a row that a node must fail execution of the monitor before it is classed as unavailable. •Type: UInt •Required: false •Default value: "3" |
health_only |
Should this monitor only report health (ignore load)? •Type: Boolean •Required: false •Default value: false |
machine |
The machine to monitor. Where relevant, this should be in the form <hostname>:<port>; for "ping" monitors the :<port> part must not be specified. •Type: String •Required: false •Default value: <none> |
note |
A description of the monitor. •Type: FreeformString •Required: false •Default value: <none> |
scope |
A monitor can either monitor each node in the pool separately and disable an individual node if it fails, or it can monitor a specific machine and disable the entire pool if that machine fails. GLB location monitors must monitor a specific machine. •Type: Enum(String) •Required: false •Default value: "pernode" •Permitted values: "pernode": Node: Monitor each node in the pool separately "poolwide": Pool/GLB: Monitor a specified machine |
timeout |
The maximum runtime for an individual instance of the monitor. •Type: UInt •Required: false •Default value: "3" |
type |
The internal monitor implementation of this monitor. •Type: Enum(String) •Required: false •Default value: "ping" •Permitted values: "connect": TCP Connect monitor "http": HTTP monitor "ping": Ping monitor "program": External program monitor "rtsp": RTSP monitor "sip": SIP monitor "tcp_transaction": TCP transaction monitor |
use_ssl |
Whether or not the monitor should connect using SSL. •Type: Boolean •Required: false •Default value: false |
verbose |
Whether or not the monitor should emit verbose logging. This is useful for diagnosing problems. •Type: Boolean •Required: false •Default value: false |
Properties for the "http" section: |
|
authentication |
The HTTP basic-auth <user>:<password> to use for the test HTTP request. •Type: String •Required: false •Default value: <none> |
body_regex |
A regular expression that the HTTP response body must match. If the response body content doesn't matter then set this to .* (match anything). •Type: String •Required: false •Default value: <none> |
host_header |
The host header to use in the test HTTP request. •Type: String •Required: false •Default value: <none> |
path |
The path to use in the test HTTP request. This must be a string beginning with a / (forward slash). •Type: String •Required: false •Default value: "/" |
status_regex |
A regular expression that the HTTP status code must match. If the status code doesn't matter then set this to .* (match anything). •Type: String •Required: false •Default value: "^[234][0-9][0-9]$" |
Properties for the "rtsp" section: |
|
body_regex |
The regular expression that the RTSP response body must match. •Type: String •Required: false •Default value: <none> |
path |
The path to use in the RTSP request (some servers will return 500 Internal Server Error unless this is a valid media file). •Type: String •Required: false •Default value: "/" |
status_regex |
The regular expression that the RTSP response status code must match. •Type: String •Required: false •Default value: "^[234][0-9][0-9]$" |
Properties for the "script" section: |
|
arguments |
A table containing arguments and argument values to be passed to the monitor program. •Type: Table •Required: false •Primary key: •name (String): The name of the argument to be passed to the monitor program. (Required) •Sub keys: •value (String): The value of the argument to be passed to the monitor program. (Required) •description (String): A description for the argument provided to the program. |
program |
The program to run. This must be an executable file, either within the monitor scripts directory or specified as an absolute path to some other location on the filesystem. •Type: String •Required: false •Default value: <none> |
Properties for the "sip" section: |
|
body_regex |
The regular expression that the SIP response body must match. •Type: String •Required: false •Default value: <none> |
status_regex |
The regular expression that the SIP response status code must match. •Type: String •Required: false •Default value: "^[234][0-9][0-9]$" |
transport |
Which transport protocol the SIP monitor will use to query the server. •Type: Enum(String) •Required: false •Default value: "udp" •Permitted values: "tcp": TCP "udp": UDP |
Properties for the "tcp" section: |
|
close_string |
An optional string to write to the server before closing the connection. •Type: String •Required: false •Default value: <none> |
max_response_len |
The maximum amount of data to read back from a server, use 0 for unlimited. Applies to TCP and HTTP monitors. •Type: UInt •Required: false •Default value: "2048" |
response_regex |
A regular expression to match against the response from the server. Applies to TCP monitors only. •Type: String •Required: false •Default value: ".+" |
write_string |
The string to write down the TCP connection. •Type: String •Required: false •Default value: <none> |
Properties for the "udp" section: |
|
accept_all |
If this monitor uses UDP, should it accept responses from any IP and port? •Type: Boolean •Required: false •Default value: false |
Monitor Program
URI Endpoint: /api/tm/8.3/config/active/monitor_scripts
An executable program that can be used by external program monitors to report the health of backend services.
Property |
Description |
There are no properties to display for this resource. |
NAT Configuration
URI Endpoint: /api/tm/8.3/config/active/appliance/nat
The NAT configuration file stores rules controlling NAT on an appliance.
Property |
Description |
many_to_one_all_ports |
This is table 'many_to_one_all_ports' •Type: Table •Required: false •Primary key: •rule_number (String): A unique rule identifier (Required) •Sub keys: •pool (String): Pool of a "many to one overload" type NAT rule. (Required) •tip (String): TIP Group of a "many to one overload" type NAT rule. (Required) |
many_to_one_port_locked |
This is table 'many_to_one_port_locked' •Type: Table •Required: false •Primary key: •rule_number (String): A unique rule identifier (Required) •Sub keys: •pool (String): Pool of a "many to one port locked" type NAT rule. (Required) •port (UInt): Port number of a "many to one port locked" type NAT rule. (Required) •protocol (Enum(String)): Protocol of a "many to one port locked" type NAT rule. (Required) Permitted values: "icmp": ICMP "sctp": SCTP "tcp": TCP "udp": UDP "udplite": UDPLITE •tip (String): TIP Group of a "many to one port locked" type NAT rule. (Required) |
one_to_one |
This is table 'one_to_one' •Type: Table •Required: false •Primary key: •rule_number (String): A unique rule identifier (Required) •Sub keys: •enable_inbound (Boolean): Enabling the inbound part of a "one to one" type NAT rule. (Required) •ip (String): IP Address of a "one to one" type NAT rule. (Required) •tip (String): TIP group of a "one to one" type NAT rule. (Required) |
port_mapping |
This is table 'port_mapping' •Type: Table •Required: false •Primary key: •rule_number (String): A unique rule identifier (Required) •Sub keys: •dport_first (UInt): First port of the dest. port range of a "port mapping" rule. (Required) •dport_last (UInt): Last port of the dest. port range of a "port mapping" rule. (Required) •virtual_server (String): Target Virtual Server of a "port mapping" rule. (Required) |
Pool
URI Endpoint: /api/tm/8.3/config/active/pools
The conf/pools directory contains configuration files for backend node pools. The name of a file is the name of the pool it defines. Pools can be configured under the Services > Pools section of the Admin Server UI or by using functions under the Pool section of the SOAP API and CLI.
Property |
Description |
bandwidth_class |
The Bandwidth Management Class this pool uses, if any. •Type: Reference(config-bandwidth) •Required: false •Default value: <none> |
failure_pool |
If all of the nodes in this pool have failed, then requests can be diverted to another pool. •Type: Reference(config-pool) •Required: false •Default value: <none> |
max_connection_attempts |
The maximum number of nodes to which the traffic manager will attempt to send a request before returning an error to the client. Requests that are non-retryable will be attempted against only one node. Zero signifies no limit. •Type: UInt •Required: false •Default value: <none> |
max_idle_connections_pernode |
The maximum number of unused HTTP keepalive connections that should be maintained to an individual node. Zero signifies no limit. •Type: UInt •Required: false •Default value: "50" |
max_timed_out_connection_attempts |
The maximum number of connection attempts the traffic manager will make where the server fails to respond within the time limit defined by the max_reply_time setting. Zero signifies no limit. •Type: UInt •Required: false •Default value: "2" |
monitors |
The monitors assigned to this pool, used to detect failures in the back end nodes. •Type: Set(Reference(config-monitor)) •Required: false •Default value: <none> |
node_close_with_rst |
Whether or not connections to the back-end nodes should be closed with a RST packet, rather than a FIN packet. This avoids the TIME_WAIT state, which on rare occasions allows wandering duplicate packets to be safely ignored. •Type: Boolean •Required: false •Default value: false |
node_connection_attempts |
The number of times the software will attempt to connect to the same back-end node before marking it as failed. This is only used when passive_monitoring is enabled. •Type: UInt •Required: false •Default value: "3" |
node_delete_behavior |
Specify the deletion behavior for nodes in this pool. •Type: Enum(String) •Required: false •Default value: "immediate" •Permitted values: "drain": Allow existing connections to the node to finish before deletion. "immediate": All connections to the node are closed immediately. |
node_drain_to_delete_timeout |
The maximum time that a node will be allowed to remain in a draining state after it has been deleted. A value of 0 means no maximum time. •Type: UInt •Required: false •Default value: <none> |
nodes_table |
A table of all nodes in this pool. A node should be specified as a <ip>:<port> pair, and has a state, weight and priority. •Type: Table •Required: false •Primary key: •node (String): A node is a combination of an IP address and port (Required) •Sub keys: •priority (UInt): The priority of the node, higher values signify higher priority. If a priority is not specified for a node it is assumed to be 1. •state (Enum(String)): The state of the pool, which can either be Active, Draining or Disabled Permitted values: "active": The node is active. "disabled": The node is disabled. "draining": The node is draining. •weight (Int): Weight for the node. The actual value in isolation does not matter: As long as it is a valid integer 1-100, the per-node weightings are calculated on the relative values between the nodes. •source_ip (String): The source address the Traffic Manager uses to connect to this node. |
note |
A description of the pool. •Type: String •Required: false •Default value: <none> |
passive_monitoring |
Whether or not the software should check that 'real' requests (i.e. not those from monitors) to this pool appear to be working. This should normally be enabled, so that when a node is refusing connections, responding too slowly, or sending back invalid data, it can mark that node as failed, and stop sending requests to it. If this is disabled, you should ensure that suitable health monitors are configured to check your servers instead, otherwise failed requests will not be detected and subsequently retried. •Type: Boolean •Required: false •Default value: true |
persistence_class |
The default Session Persistence class this pool uses, if any. •Type: Reference(config-persistence) •Required: false •Default value: <none> |
transparent |
Whether or not connections to the back-ends appear to originate from the source client IP address. •Type: Boolean •Required: false •Default value: false |
Properties for the "auto_scaling" section: |
|
addnode_delaytime |
The time in seconds from the creation of the node which the traffic manager should wait before adding the node to the autoscaled pool. Set this to allow applications on the newly created node time to initialize before being sent traffic. •Type: UInt •Required: false •Default value: <none> |
cloud_credentials |
The Cloud Credentials object containing authentication credentials to use in cloud API calls. •Type: Reference(cloud-api) •Required: false •Default value: <none> |
cluster |
The ESX host or ESX cluster name to put the new virtual machine instances on. •Type: String •Required: false •Default value: <none> |
data_center |
The name of the logical datacenter on the vCenter server. Virtual machines will be scaled up and down under the datacenter root folder. •Type: String •Required: false •Default value: <none> |
data_store |
The name of the datastore to be used by the newly created virtual machine. •Type: String •Required: false •Default value: <none> |
enabled |
Are the nodes of this pool subject to autoscaling? If yes, nodes will be automatically added and removed from the pool by the chosen autoscaling mechanism. •Type: Boolean •Required: false •Default value: false |
external |
Whether or not autoscaling is being handled by an external system. Set this value to Yes if all aspects of autoscaling are handled by an external system, such as RightScale. If set to No, the traffic manager will determine when to scale the pool and will communicate with the cloud provider to create and destroy nodes as necessary. •Type: Boolean •Required: false •Default value: true |
extraargs |
Any extra arguments to the autoscaling API. Arguments are separated by commas. For example, in the case of EC2, it can take extra parameters for Amazon's RunInstance API, such as DisableApiTermination=false,Placement.Tenancy=default. •Type: String •Required: false •Default value: <none> |
hysteresis |
The time period in seconds for which a change condition must persist before the change is actually instigated. •Type: UInt •Required: false •Default value: "20" |
imageid |
The identifier for the image of the instances to create. •Type: String •Required: false •Default value: <none> |
ips_to_use |
Which type of IP addresses on the node to use. Choose private IPs if the traffic manager is in the same cloud as the nodes, otherwise choose public IPs. •Type: Enum(String) •Required: false •Default value: "publicips" •Permitted values: "private_ips": Private IP addresses "publicips": Public IP addresses |
last_node_idle_time |
The time in seconds for which the last node in an autoscaled pool must have been idle before it is destroyed. This is only relevant if min_nodes is 0. •Type: UInt •Required: false •Default value: "3600" |
max_nodes |
The maximum number of nodes in this autoscaled pool. •Type: UInt •Required: false •Default value: "4" |
min_nodes |
The minimum number of nodes in this autoscaled pool. •Type: UInt •Required: false •Default value: "1" |
name |
The beginning of the name of nodes in the cloud that are part of this autoscaled pool. •Type: String •Required: false •Default value: <none> |
port |
The port number to use for each node in this autoscaled pool. •Type: UInt •Required: false •Default value: "80" |
refractory |
The time period in seconds after the instigation of a re-size during which no further changes will be made to the pool size. •Type: UInt •Required: false •Default value: "180" |
response_time |
The expected response time of the nodes in ms. This time is used as a reference when deciding whether a node's response time is conforming. All responses from all the nodes will be compared to this reference and the percentage of conforming responses is the base for decisions about scaling the pool up or down. •Type: UInt •Required: false •Default value: "1000" |
scale_down_level |
The fraction, in percent, of conforming requests above which the pool size is decreased. If the percentage of conforming requests exceeds this value, the pool is scaled down. •Type: UInt •Required: false •Default value: "95" |
scale_up_level |
The fraction, in percent, of conforming requests below which the pool size is increased. If the percentage of conforming requests drops below this value, the pool is scaled up. •Type: UInt •Required: false •Default value: "40" |
securitygroupids |
List of security group IDs to associate to the new EC2 instance. •Type: Set(String) •Required: false •Default value: <none> |
size_id |
The identifier for the size of the instances to create. •Type: String •Required: false •Default value: <none> |
subnetids |
List of subnet IDs where the new EC2-VPC instance(s) will be launched. Instances will be evenly distributed among the subnets. If the list is empty, instances will be launched inside EC2-Classic. •Type: Set(String) •Required: false •Default value: <none> |
Properties for the "connection" section: |
|
max_connect_time |
How long the pool should wait for a connection to a node to be established before giving up and trying another node. •Type: UInt •Required: false •Default value: "4" |
max_connections_per_node |
The maximum number of concurrent connections allowed to each back-end node in this pool per machine. A value of 0 means unlimited connections. •Type: UInt •Required: false •Default value: <none> |
max_queue_size |
The maximum number of connections that can be queued due to connection limits. A value of 0 means unlimited queue size. •Type: UInt •Required: false •Default value: <none> |
max_reply_time |
How long the pool should wait for a response from the node before either discarding the request or trying another node (retryable requests only). •Type: UInt •Required: false •Default value: "30" |
max_transactions_per_node |
The maximum number of concurrent transactions allowed to each back-end node in this pool per machine. A value of 0 means unlimited transactions. Idle connections kept alive for reuse do not count against this limit. A transaction begins by allocating a connection for sending the request, and ends (for the purposes of queuing) after a complete response has been received from the node. •Type: UInt •Required: false •Default value: <none> |
queue_timeout |
The maximum time to keep a connection queued in seconds. •Type: UInt •Required: false •Default value: "10" |
Properties for the "dns_autoscale" section: |
|
enabled |
When enabled, the Traffic Manager will periodically resolve the hostnames in the "hostnames" list using a DNS query, and use the results to automatically add, remove or update the IP addresses of the nodes in the pool. •Type: Boolean •Required: false •Default value: false |
hostnames |
A list of hostnames which will be used for DNS-derived autoscaling •Type: Set(String) •Required: false •Default value: <none> |
port |
The port number to use for each node when using DNS-derived autoscaling •Type: UInt •Required: false •Default value: "80" |
Properties for the "ftp" section: |
|
support_rfc_2428 |
Whether or not the backend IPv4 nodes understand the EPRT and EPSV command from RFC 2428. It is always assumed that IPv6 nodes support these commands. •Type: Boolean •Required: false •Default value: false |
Properties for the "http" section: |
|
keepalive |
Whether or not the pool should maintain HTTP keepalive connections to the nodes. •Type: Boolean •Required: false •Default value: true |
keepalive_non_idempotent |
Whether or not the pool should maintain HTTP keepalive connections to the nodes for non-idempotent requests. •Type: Boolean •Required: false •Default value: false |
Properties for the "kerberos_protocol_transition" section: |
|
principal |
The Kerberos principal the traffic manager should use when performing Kerberos Protocol Transition. •Type: String •Required: false •Default value: <none> |
target |
The Kerberos principal name of the service this pool targets. •Type: String •Required: false •Default value: <none> |
Properties for the "load_balancing" section: |
|
algorithm |
The load balancing algorithm that this pool uses to distribute load across its nodes. •Type: Enum(String) •Required: false •Default value: "round_robin" •Permitted values: "fastest_response_time": The Response Time algorithm monitors the response times for recent requests to each node. It sends each new request to the node that has recently been responding the most quickly. "least_connections": This algorithm sends each new request to the node with the fewest currently active connections. "perceptive": The Perceptive algorithm uses a combination of response time data and connection counts to predict which node is likely to have the fastest response time for each request. "random": This algorithm chooses a random node for each request. "round_robin": This algorithm distributes traffic by assigning each request to a new node in turn. "weighted_least_connections": This algorithm works in a similar way to the Least Connections algorithm, but assigns more requests to nodes with a greater 'weight'. "weighted_round_robin": Weighted Round Robin works in a similar way to Round Robin, but assigns more requests to nodes with a greater 'weight'. |
priority_enabled |
Enable priority lists. •Type: Boolean •Required: false •Default value: false |
priority_nodes |
Minimum number of highest-priority active nodes. •Type: UInt •Required: false •Default value: "1" |
Properties for the "node" section: |
|
close_on_death |
Close all connections to a node once we detect that it has failed. •Type: Boolean •Required: false •Default value: false |
retry_fail_time |
The amount of time, in seconds, that a traffic manager will wait before re-trying a node that has been marked as failed by passive monitoring. •Type: UInt •Required: false •Default value: "60" |
Properties for the "service_discovery" section: |
|
enabled |
Are the nodes of this pool determined by a Service Discovery plugin? If yes, nodes will be automatically added and removed from the pool by the traffic manager. •Type: Boolean •Required: false •Default value: false |
interval |
The minimum time before rerunning the Service Discovery plugin •Type: UInt •Required: false •Default value: "10" |
plugin |
The plugin script a Service Discovery autoscaled pool should use to retrieve the list of nodes. •Type: String •Required: false •Default value: <none> |
plugin_args |
The arguments for the script specified in "service_discovery!plugin", e.g. a common instance tag, or name of a managed group of cloud instances. •Type: String •Required: false •Default value: <none> |
timeout |
The maximum time a plugin should be allowed to run before timing out. Set to 0 for no timeout. •Type: UInt •Required: false •Default value: <none> |
Properties for the "smtp" section: |
|
send_starttls |
If we are encrypting traffic for an SMTP connection, should we upgrade to SSL using STARTTLS. •Type: Boolean •Required: false •Default value: true |
Properties for the "ssl" section: |
|
cipher_suites |
The SSL/TLS cipher suites to allow for connections to a back-end node. Leaving this empty will make the pool use the globally configured cipher suites, see configuration key ssl!cipher_suites in the Global Settings section of the System tab. See there for how to specify SSL/TLS cipher suites. •Type: String •Required: false •Default value: <none> |
client_auth |
Whether or not a suitable certificate and private key from the SSL Client Certificates catalog should be used if the back-end server requests client authentication. •Type: Boolean •Required: false •Default value: false |
common_name_match |
A list of names against which the 'common name' of the certificate is matched; these names are used in addition to the node's hostname or IP address as specified in the config file or added by the autoscaler process. •Type: Set(String) •Required: false •Default value: <none> |
elliptic_curves |
The SSL elliptic curve preference list for SSL connections from this pool using TLS version 1.0 or higher. Leaving this empty will make the pool use the globally configured preference list. The named curves P256, P384 and P521 may be configured. •Type: List(String) •Required: false •Default value: <none> |
enable |
Whether or not the pool should encrypt data before sending it to a back-end node. •Type: Boolean •Required: false •Default value: false |
enhance |
SSL protocol enhancements allow your traffic manager to prefix each new SSL connection with information about the client. This enables Pulse Secure Virtual Traffic Manager virtual servers referenced by this pool to discover the original client's IP address. Only enable this if you are using nodes for this pool which are Pulse Secure vTMs, whose virtual servers have the ssl_trust_magic setting enabled. •Type: Boolean •Required: false •Default value: false |
middlebox_compatibility |
Whether or not TLS 1.3 middlebox compatibility mode as described in RFC 8446 appendix D.4 will be used in connections to pool nodes. Choosing the global setting means the value of configuration key ssl!middlebox_compatibility from the Global Settings section of the System tab will be enforced. •Type: Enum(String) •Required: false •Default value: "use_default" •Permitted values: "disabled": Disable use of middlebox compatibility "enabled": Enable use of middlebox compatibility "use_default": Use the global setting for use of middlebox compatibility |
send_close_alerts |
Whether or not to send an SSL/TLS "close alert" when initiating a socket disconnection. •Type: Boolean •Required: false •Default value: true |
server_name |
Whether or not the software should use the TLS 1.0 server_name extension, which may help the back-end node provide the correct certificate. Enabling this setting will force the use of at least TLS 1.0. •Type: Boolean •Required: false •Default value: false |
session_cache_enabled |
Whether or not the SSL client cache will be used for this pool. Choosing the global setting means the value of the configuration key ssl!client_cache!enabled from the Global Settings section of the System tab will be enforced. •Type: Enum(String) •Required: false •Default value: "use_default" •Permitted values: "disabled": Disable use of the session cache "enabled": Enable use of the session cache "use_default": Use the global setting for use of the session cache |
session_tickets_enabled |
Whether or not SSL session tickets, including TLS >= 1.3 PSKs, will be used for this pool if the session cache is also enabled. Choosing the global setting means the value of the configuration key ssl!client_cache!tickets_enabled from the Global Settings section of the System tab will be enforced. •Type: Enum(String) •Required: false •Default value: "use_default" •Permitted values: "disabled": Disable use of session tickets "enabled": Enable use of session tickets "use_default": Use the global setting for use of session tickets |
signature_algorithms |
The SSL signature algorithms preference list for SSL connections from this pool using TLS version 1.2 or higher. Leaving this empty will make the pool use the globally configured preference list, signature_algorithms in the ssl section of the global_settings resource. See there and in the online help for how to specify SSL signature algorithms. •Type: String •Required: false •Default value: <none> |
ssl_fixed_client_certificate |
An entry in the SSL client certificates catalog, containing a certificate and private key to be used whenever client authentication is requested. If set, this overrides server request parameters. •Type: String •Required: false •Default value: <none> |
strict_verify |
Whether or not strict certificate verification should be performed. This will turn on checks to disallow server certificates that don't match the server name or a name in the ssl_common_name_match list, are self-signed, expired, revoked, or have an unknown CA. •Type: Boolean •Required: false •Default value: false |
support_ssl3 |
Whether or not SSLv3 is enabled for this pool. Choosing the global setting means the value of the configuration key ssl!support_ssl3 from the Global Settings section of the System tab will be enforced. •Type: Enum(String) •Required: false •Default value: "use_default" •Permitted values: "disabled": Disable SSLv3 "enabled": Enable SSLv3 "use_default": Use the global setting for SSLv3 |
support_tls1 |
Whether or not TLSv1.0 is enabled for this pool. Choosing the global setting means the value of the configuration key ssl!support_tls1 from the Global Settings section of the System tab will be enforced. •Type: Enum(String) •Required: false •Default value: "use_default" •Permitted values: "disabled": Disable TLSv1.0 "enabled": Enable TLSv1.0 "use_default": Use the global setting for TLSv1.0 |
support_tls1_1 |
Whether or not TLSv1.1 is enabled for this pool. Choosing the global setting means the value of the configuration key ssl!support_tls1_1 from the Global Settings section of the System tab will be enforced. •Type: Enum(String) •Required: false •Default value: "use_default" •Permitted values: "disabled": Disable TLSv1.1 "enabled": Enable TLSv1.1 "use_default": Use the global setting for TLSv1.1 |
support_tls1_2 |
Whether or not TLSv1.2 is enabled for this pool. Choosing the global setting means the value of the configuration key ssl!support_tls1_2 from the Global Settings section of the System tab will be enforced. •Type: Enum(String) •Required: false •Default value: "use_default" •Permitted values: "disabled": Disable TLSv1.2 "enabled": Enable TLSv1.2 "use_default": Use the global setting for TLSv1.2 |
support_tls1_3 |
Whether or not TLSv1.3 is enabled for this pool. Choosing the global setting means the value of the configuration key ssl!support_tls1_3 from the Global Settings section of the System tab will be enforced. •Type: Enum(String) •Required: false •Default value: "use_default" •Permitted values: "disabled": Disable TLSv1.3 "enabled": Enable TLSv1.3 "use_default": Use the global setting for TLSv1.3 |
Properties for the "tcp" section: |
|
nagle |
Whether or not Nagle's algorithm should be used for TCP connections to the back-end nodes. •Type: Boolean •Required: false •Default value: true |
Properties for the "udp" section: |
|
accept_from |
The IP addresses and ports from which responses to UDP requests should be accepted. If set to accept responses from a specific set of IP addresses, you will need to enter a CIDR Mask (such as 10.100.0.0/16). •Type: Enum(String) •Required: false •Default value: "dest_only" •Permitted values: "all": Any IP address and any port. "dest_ip_only": Only the IP address to which the request was sent, but from any port. "dest_only": Only the IP address and port to which the request was sent. "ip_mask": Only a specific set of IP addresses, but from any port. |
accept_from_mask |
The CIDR mask that matches IPs we want to receive responses from. •Type: String •Required: false •Default value: <none> |
response_timeout |
The maximum length of time that a node is permitted to take after receiving a UDP request packet before sending a reply packet. Zero indicates that there is no maximum, preventing a node that does not send replies from being presumed to have failed. •Type: UInt •Required: false •Default value: <none> |
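The following audit of a pool's "ssl" section is an added example, not code from the product or its documentation. It assumes a pool is represented as {"properties": {"ssl": {...}}}; the function name, the findings format and the sample data are constructed for illustration, while the keys and defaults are the ones documented above.

```python
# Added example: audit the "ssl" section of one pool against the properties above.
# Assumption: a pool is represented as {"properties": {"ssl": {...}}}.

LEGACY_PROTOCOLS = {
    "support_ssl3": "SSLv3",
    "support_tls1": "TLSv1.0",
    "support_tls1_1": "TLSv1.1",
}

# Defaults as documented on this page for the keys the audit reads.
SSL_DEFAULTS = {
    "enable": False,
    "strict_verify": False,
    "common_name_match": [],
    "support_ssl3": "use_default",
    "support_tls1": "use_default",
    "support_tls1_1": "use_default",
}


def audit_pool_ssl(pool, global_ssl=None):
    """Return (severity, key, message) findings for one pool.

    global_ssl maps the global keys named on the page (for example
    "support_ssl3") to booleans. Keys missing from it cannot be resolved
    and are reported for manual review.
    """
    ssl = dict(SSL_DEFAULTS)
    ssl.update(pool.get("properties", {}).get("ssl", {}))
    global_ssl = global_ssl or {}
    findings = []

    if not ssl["enable"]:
        findings.append(("high", "enable",
                         "data is sent to back-end nodes without encryption"))
        return findings  # the remaining checks only describe encrypted connections

    if not ssl["strict_verify"]:
        findings.append(("high", "strict_verify",
                         "checks for mismatched, self-signed, expired, revoked "
                         "and unknown-CA server certificates are off"))
    elif ssl["common_name_match"]:
        names = ", ".join(sorted(ssl["common_name_match"]))
        findings.append(("info", "common_name_match",
                         f"certificates for these extra names are also accepted: {names}"))

    for key, label in LEGACY_PROTOCOLS.items():
        value = ssl[key]
        if value == "use_default":
            inherited = global_ssl.get(key)
            if inherited is None:
                findings.append(("info", key,
                                 f"{label} follows ssl!{key}, whose value was not supplied"))
                continue
            value = "enabled" if inherited else "disabled"
            origin = "through the global setting"
        else:
            origin = "on this pool"
        if value == "enabled":
            findings.append(("high", key, f"{label} is enabled {origin}"))
    return findings


# Constructed sample input, not taken from a real system.
SAMPLE_POOL = {"properties": {"ssl": {
    "enable": True,
    "support_ssl3": "enabled",
    "common_name_match": ["backend.example.internal"],
}}}
SAMPLE_GLOBAL = {"support_tls1": True, "support_tls1_1": False}

if __name__ == "__main__":
    for finding in audit_pool_ssl(SAMPLE_POOL, SAMPLE_GLOBAL):
        print(" | ".join(finding))
```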
Protection Class
URI Endpoint: /api/tm/8.3/config/active/protection
A protection class specifies the level of protection against network attacks for a virtual server.
Property |
Description |
debug |
Whether or not to output verbose logging. •Type: Boolean •Required: false •Default value: false |
enabled |
Enable or disable this service protection class. •Type: Boolean •Required: false •Default value: true |
log_time |
Log service protection messages at these intervals. If set to 0 no messages will be logged and no alerts will be sent. •Type: UInt •Required: false •Default value: "60" |
note |
A description of the service protection class. •Type: String •Required: false •Default value: <none> |
rule |
A TrafficScript rule that will be run on the connection after the service protection criteria have been evaluated. This rule will be executed prior to normal rules configured for the virtual server. •Type: Reference(config-trafficscript) •Required: false •Default value: <none> |
testing |
Place the service protection class into testing mode. (Log when this class would have dropped a connection, but allow all connections through). •Type: Boolean •Required: false •Default value: false |
Properties for the "access_restriction" section: |
|
allowed |
Always allow access to these IP addresses. This overrides the connection limits for these machines, but does not stop other restrictions such as HTTP validity checks. •Type: Set(String) •Required: false •Default value: <none> |
banned |
Disallow access to these IP addresses. •Type: Set(String) •Required: false •Default value: <none> |
Properties for the "concurrent_connections" section: |
|
max_10_connections |
Additional limit on maximum concurrent connections from the top 10 busiest connecting IP addresses combined. The value should be between 1 and 10 times the max_1_connections limit. (This limit is disabled if per_process_connection_count is No, or max_1_connections is 0, or min_connections is 0.) •Type: UInt •Required: false •Default value: "200" |
max_1_connections |
Maximum concurrent connections each connecting IP address is allowed. Set to 0 to disable this limit. •Type: UInt •Required: false •Default value: "30" |
min_connections |
Entry threshold for the max_10_connections limit: the max_10_connections limit is not applied to connecting IP addresses with this many or fewer concurrent connections. Setting to 0 disables both the max_1_connections and max_10_connections limits, if per_process_connection_count is Yes. (If per_process_connection_count is No, this setting is ignored.) •Type: UInt •Required: false •Default value: "4" |
per_process_connection_count |
Whether concurrent connection counting and limits are per-process. (Each Traffic Manager typically has several processes: one process per available CPU core.) If Yes, a connecting IP address may make that many connections to each process within a Traffic Manager. If No, a connecting IP address may make that many connections to each Traffic Manager as a whole. •Type: Boolean •Required: false •Default value: true |
Properties for the "connection_rate" section: |
|
max_connection_rate |
Maximum number of new connections each connecting IP address is allowed to make in the rate_timer interval. Set to 0 to disable this limit. If applied to an HTTP Virtual Server each request sent on a connection that is kept alive counts as a new connection. The rate limit is per process: each process within a Traffic Manager accepts new connections from the connecting IP address at this rate. (Each Traffic Manager typically has several processes: one process per available CPU core). •Type: UInt •Required: false •Default value: <none> |
rate_timer |
How frequently the max_connection_rate is assessed. For example, a value of 1 (second) will impose a limit of max_connection_rate connections per second; a value of 60 will impose a limit of max_connection_rate connections per minute. The valid range is 1-99999 seconds. •Type: UInt •Required: false •Default value: "60" |
Properties for the "http" section: |
|
check_rfc2396 |
Whether or not requests with poorly-formed URLs should be rejected. This tests URL compliance as defined in RFC2396. Note that enabling this may block some older, non-conforming web browsers. •Type: Boolean •Required: false •Default value: false |
max_body_length |
Maximum permitted length of HTTP request body data, set to 0 to disable the limit. •Type: UInt •Required: false •Default value: <none> |
max_header_length |
Maximum permitted length of a single HTTP request header (key and value), set to 0 to disable the limit. •Type: UInt •Required: false •Default value: <none> |
max_request_length |
Maximum permitted size of all the HTTP request headers, set to 0 to disable the limit. •Type: UInt •Required: false •Default value: <none> |
max_url_length |
Maximum permitted URL length, set to 0 to disable the limit. •Type: UInt •Required: false •Default value: <none> |
reject_binary |
Whether or not URLs and HTTP request headers that contain binary data (after decoding) should be rejected. •Type: Boolean •Required: false •Default value: false |
send_error_page |
This setting tells the traffic manager to send an HTTP error message if a connection fails the service protection tests, instead of just dropping it. Details of which HTTP response will be sent when particular tests fail can be found in the Help section for this page. •Type: Boolean •Required: false •Default value: true |
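The interaction between max_1_connections, max_10_connections, min_connections and per_process_connection_count is easy to misread, so the sketch below resolves which limits a protection class actually has in force. It is an added example, not product code, and it assumes the layout {"properties": {"basic": {...}, "concurrent_connections": {...}, ...}} with the top-level properties in a "basic" section, and that a default of <none> on a numeric limit means 0 (disabled).

```python
# Added example: work out which service protection limits are in force.
# Assumptions: top-level properties live in a "basic" section, and a
# default of <none> on a numeric limit is treated as 0 (limit disabled).

DEFAULTS = {
    "basic": {"enabled": True, "testing": False},
    "concurrent_connections": {
        "max_1_connections": 30,
        "max_10_connections": 200,
        "min_connections": 4,
        "per_process_connection_count": True,
    },
    "connection_rate": {"max_connection_rate": 0, "rate_timer": 60},
    "http": {
        "max_body_length": 0,
        "max_header_length": 0,
        "max_request_length": 0,
        "max_url_length": 0,
    },
}


def _section(protection, name):
    """Merge one supplied section over the documented defaults."""
    merged = dict(DEFAULTS[name])
    supplied = protection.get("properties", {}).get(name, {})
    merged.update({k: v for k, v in supplied.items() if v is not None})
    return merged


def effective_limits(protection):
    basic = _section(protection, "basic")
    cc = _section(protection, "concurrent_connections")
    rate = _section(protection, "connection_rate")
    http = _section(protection, "http")
    warnings = []

    # A disabled class enforces nothing; a class in testing mode only logs.
    if not basic["enabled"]:
        mode = "off"
    elif basic["testing"]:
        mode = "testing"
    else:
        mode = "enforcing"

    per_process = cc["per_process_connection_count"]
    max_1 = cc["max_1_connections"]
    max_10 = cc["max_10_connections"]
    entry = cc["min_connections"]

    # min_connections = 0 switches off both limits, but only when counting
    # is per-process; otherwise min_connections is ignored.
    max_1_on = max_1 != 0 and not (per_process and entry == 0)
    # The top-10 limit additionally requires per-process counting.
    max_10_on = per_process and max_1 != 0 and entry != 0
    if max_10_on and not (max_1 <= max_10 <= 10 * max_1):
        warnings.append("max_10_connections should be between 1 and 10 times "
                        "max_1_connections")

    rate_on = rate["max_connection_rate"] != 0
    if rate_on and not (1 <= rate["rate_timer"] <= 99999):
        warnings.append("rate_timer is outside the valid range 1-99999 seconds")

    return {
        "mode": mode,
        "max_1_connections": max_1 if max_1_on else None,
        "max_10_connections": max_10 if max_10_on else None,
        "connection_rate": (rate["max_connection_rate"], rate["rate_timer"])
        if rate_on else None,
        "http_limits": {k: v for k, v in http.items() if v},
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed input: per-process counting switched off.
    sample = {"properties": {"concurrent_connections": {
        "per_process_connection_count": False}}}
    print(effective_limits(sample))
```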
Pulse Secure Virtual Web Application Firewall
URI Endpoint: /api/tm/8.3/config/active/application_firewall
The conf/zeusafm.conf file contains configuration files for the application firewall. Some keys present in the zeusafm.conf are not documented here. Refer to the Pulse Secure Web Application Firewall documentation for further details. The configuration can be edited under the System > Application Firewall section of the Administration Server or by using functions under the AFM section of the SOAP API and CLI.
Property |
Description |
There are no properties to display for this resource. |
Rate Shaping Class
URI Endpoint: /api/tm/8.3/config/active/rate
A rate shaping class restricts the number of connections being processed by a virtual server at once.
Property |
Description |
max_rate_per_minute |
Requests that are associated with this rate class will be rate-shaped to this many requests per minute, set to 0 to disable the limit. •Type: UInt •Required: false •Default value: <none> |
max_rate_per_second |
Although requests will be rate-shaped to the max_rate_per_minute, the traffic manager will also rate limit per-second. This smooths traffic so that a full minute's traffic will not be serviced in the first second of the minute. Set this to 0 to disable the per-second limit. •Type: UInt •Required: false •Default value: <none> |
note |
A description of the rate class. •Type: FreeformString •Required: false •Default value: <none> |
Rule
URI Endpoint: /api/tm/8.3/config/active/rules
TrafficScript rules allow traffic inspection and modification.
Property |
Description |
There are no properties to display for this resource. |
SLM Class
URI Endpoint: /api/tm/8.3/config/active/service_level_monitors
Service level monitoring is used to produce alerts when an application's performance is degraded. This is done by monitoring the response time of connections to a virtual server.
Property |
Description |
note |
A description for the SLM class. •Type: FreeformString •Required: false •Default value: <none> |
response_time |
Responses that start being sent to the client within this time limit, expressed in milliseconds, are treated as conforming. •Type: UInt •Required: false •Default value: "1000" |
serious_threshold |
When the percentage of conforming responses drops below this level, a serious error level message will be emitted. •Type: UInt •Required: false •Default value: <none> |
warning_threshold |
When the percentage of conforming responses drops below this level, a warning message will be emitted. •Type: UInt •Required: false •Default value: "50" |
SSL Client Key Pair
URI Endpoint: /api/tm/8.3/config/active/ssl/client_keys
SSL Client Certificates are used when connecting to backend nodes that require client certificate authentication.
Property |
Description |
note |
Notes for this certificate •Type: FreeformString •Required: true •Default value: <none> |
private |
Private key for certificate •Type: FreeformString •Required: true •Default value: <none> |
public |
Public certificate •Type: FreeformString •Required: true •Default value: <none> |
request |
Certificate Signing Request for certificate •Type: FreeformString •Required: true •Default value: <none> |
SSL Key Pair
URI Endpoint: /api/tm/8.3/config/active/ssl/server_keys
SSL Server Certificates are presented to clients by virtual servers when SSL decryption is enabled.
Property |
Description |
note |
Notes for this certificate •Type: FreeformString •Required: true •Default value: <none> |
private |
Private key for certificate •Type: FreeformString •Required: true •Default value: <none> |
public |
Public certificate •Type: FreeformString •Required: true •Default value: <none> |
request |
Certificate Signing Request for certificate •Type: FreeformString •Required: true •Default value: <none> |
SSL Ticket Key
URI Endpoint: /api/tm/8.3/config/active/ssl/ticket_keys
Configuration for SSL ticket encryption keys when managed externally via the ssl/ticket_keys REST API endpoints.
Property |
Description |
algorithm |
The algorithm used to encrypt session tickets. The algorithm determines the length of the key that must be provided. •Type: Enum(String) •Required: false •Default value: "aes_256_cbc_hmac_sha256" •Permitted values: "aes_256_cbc_hmac_sha256": AES-256 CBC with HMAC-SHA256. Requires a total of 64 bytes of key material. |
id |
A 16-byte key identifier, with each byte encoded as two hexadecimal digits. Key identifiers are transmitted in plaintext at the beginning of a TLS session ticket, and are used to identify the ticket encryption key that was used to encrypt a ticket. (They correspond to the 'key_name' field in RFC 5077.) They are required to be unique across the set of SSL ticket encryption keys. •Type: String •Required: true •Default value: <none> |
key |
The session ticket encryption key, with each byte encoded as two hexadecimal digits. The required key length is determined by the chosen key algorithm. See the documentation for the 'algorithm' field for more details. •Type: Password •Required: true •Default value: <none> |
validity_end |
The latest time at which this key may be used to encrypt new session tickets. Given as number of seconds since the epoch (1970-01-01T00:00:00Z). •Type: UInt •Required: true •Default value: <none> |
validity_start |
The earliest time at which this key may be used to encrypt new session tickets. Given as number of seconds since the epoch (1970-01-01T00:00:00Z). •Type: UInt •Required: true •Default value: <none> |
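When ticket keys are managed externally, the key set has to satisfy the constraints above before it is uploaded: 16-byte identifiers, 64 bytes of key material for aes_256_cbc_hmac_sha256, unique identifiers and sensible validity windows. The sketch below is an added example, not product code; the function names and the record layout (a dict per key using the property names above) are assumptions, and the messages it produces never include key material.

```python
# Added example: generate and sanity-check externally managed ticket keys.
# Assumption: each key is a dict using the property names documented above.
import re
import secrets

ID_BYTES = 16
KEY_BYTES = {"aes_256_cbc_hmac_sha256": 64}  # total key material per algorithm
_HEX = re.compile(r"(?:[0-9a-fA-F]{2})*")


def new_ticket_key(validity_start, lifetime, algorithm="aes_256_cbc_hmac_sha256"):
    """Build one key record from the OS CSPRNG; times are epoch seconds."""
    return {
        "algorithm": algorithm,
        "id": secrets.token_hex(ID_BYTES),
        "key": secrets.token_hex(KEY_BYTES[algorithm]),
        "validity_start": int(validity_start),
        "validity_end": int(validity_start) + int(lifetime),
    }


def _byte_length(value):
    """Length in bytes of a strict two-digits-per-byte hex string, else None."""
    if not isinstance(value, str) or not _HEX.fullmatch(value):
        return None
    return len(value) // 2


def validate_ticket_keys(keys):
    """Return a list of problems; messages never contain key material."""
    problems = []
    seen = {}
    for index, entry in enumerate(keys):
        algorithm = entry.get("algorithm", "aes_256_cbc_hmac_sha256")
        want = KEY_BYTES.get(algorithm)
        if want is None:
            problems.append(f"key {index}: unknown algorithm {algorithm!r}")
        elif _byte_length(entry.get("key")) != want:
            problems.append(
                f"key {index}: key must be {want} hex-encoded bytes for {algorithm}")
        if _byte_length(entry.get("id")) != ID_BYTES:
            problems.append(f"key {index}: id must be {ID_BYTES} hex-encoded bytes")
        else:
            ident = entry["id"].lower()  # same bytes regardless of hex case
            if ident in seen:
                problems.append(f"key {index}: id duplicates key {seen[ident]}")
            seen.setdefault(ident, index)
        start, end = entry.get("validity_start"), entry.get("validity_end")
        if not (isinstance(start, int) and isinstance(end, int) and 0 <= start < end):
            problems.append(
                f"key {index}: validity_start must be earlier than validity_end")
    return problems


def coverage_gaps(keys):
    """Return (from, to) spans in which no key may encrypt new tickets."""
    gaps = []
    covered_until = None
    for entry in sorted(keys, key=lambda e: e["validity_start"]):
        if covered_until is not None and entry["validity_start"] > covered_until:
            gaps.append((covered_until, entry["validity_start"]))
        covered_until = max(covered_until or 0, entry["validity_end"])
    return gaps


if __name__ == "__main__":
    # Constructed rotation schedule with a deliberate hole before the third key.
    schedule = [new_ticket_key(1000, 3600), new_ticket_key(4600, 3600),
                new_ticket_key(10000, 100)]
    print(validate_ticket_keys(schedule), coverage_gaps(schedule))
```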
SSL Trusted Certificate
URI Endpoint: /api/tm/8.3/config/active/ssl/cas
SSL certificate authority certificates (CAs) and certificate revocation lists (CRLs) can be used when validating server and client certificates.
Property |
Description |
There are no properties to display for this resource. |
Security Settings
URI Endpoint: /api/tm/8.3/config/active/security
Security settings that restrict remote administration for the cluster. Additional security options can be found in Global Settings.
Property |
Description |
access |
Access to the admin server and REST API is restricted by usernames and passwords. You can further restrict access to just trusted IP addresses, CIDR IP subnets or DNS wildcards. These access restrictions are also used when another traffic manager initially joins the cluster; after joining the cluster these restrictions are no longer used. Care must be taken when changing this setting, as it can cause the administration server to become inaccessible. Access to the admin UI will not be affected until it is restarted. •Type: Set(String) •Required: false •Default value: <none> |
Properties for the "ssh_intrusion" section: |
|
bantime |
The amount of time in seconds to ban an offending host for. •Type: UInt •Required: false •Default value: "600" |
blacklist |
The list of hosts to permanently ban, identified by IP address or DNS hostname in a space-separated list. •Type: Set(String) •Required: false •Default value: <none> |
enabled |
Whether or not the SSH Intrusion Prevention tool is enabled. •Type: Boolean •Required: false •Default value: true |
findtime |
The window of time in seconds the maximum number of connection attempts applies to. More than (maxretry) failed attempts in this time span will trigger a ban. •Type: UInt •Required: false •Default value: "600" |
maxretry |
The number of failed connection attempts a host can make before being banned. •Type: UInt •Required: false •Default value: "6" |
whitelist |
The list of hosts to never ban, identified by IP address, DNS hostname or subnet mask, in a space-separated list. •Type: Set(String) •Required: false •Default value: <none> |
Service Discovery Plugins
URI Endpoint: /api/tm/8.3/config/active/servicediscovery
The conf/servicediscovery directory contains plugins for use with Service Discovery for pool nodes.
Property |
Description |
There are no properties to display for this resource. |
Session Persistence Class
URI Endpoint: /api/tm/8.3/config/active/persistence
A session persistence class is used to identify the session a new connection belongs to and deliver it to the same backend node.
Property |
Description |
cookie |
The cookie name to use for tracking session persistence. •Type: String •Required: false •Default value: <none> |
delete |
Whether or not the session should be deleted when a session failure occurs. (Note, setting a failure mode of 'choose a new node' implicitly deletes the session.) •Type: Boolean •Required: false •Default value: true |
failure_mode |
The action the pool should take if the session data is invalid or it cannot contact the node specified by the session. •Type: Enum(String) •Required: false •Default value: "new_node" •Permitted values: "close": Close the connection (using error_file on Virtual Servers > Edit > Protocol Settings) "new_node": Choose a new node to use "url": Redirect the user to a given URL |
note |
A description of the session persistence class. •Type: FreeformString •Required: false •Default value: <none> |
subnet_prefix_length_v4 |
When using IP-based session persistence, ensure all requests from this IPv4 subnet, specified as a prefix length, are sent to the same node. If set to 0, requests from different IPv4 addresses will be load-balanced individually. •Type: Int •Required: false •Default value: <none> |
subnet_prefix_length_v6 |
When using IP-based session persistence, ensure all requests from this IPv6 subnet, specified as a prefix length, are sent to the same node. If set to 0, requests from different IPv6 addresses will be load-balanced individually. •Type: Int •Required: false •Default value: <none> |
transparent_always_set_cookie |
Whether or not the cookie should be inserted in every response sent to the client when using transparent session affinity. If set to No then the cookie is inserted only if the corresponding request did not already contain a matching cookie. •Type: Boolean •Required: false •Default value: false |
transparent_directives |
The cookie directives to include in the cookie sent when using transparent session affinity. If more than one directive is included, the semi-colon separator between them must be included in this string. The semi-colon separator between the cookie value and the first directive should not be included in this string. •Type: String •Required: false •Default value: <none> |
type |
The type of session persistence to use. •Type: Enum(String) •Required: false •Default value: "ip" •Permitted values: "asp": ASP and ASP.NET session persistence "cookie": Monitor application cookies "ip": IP-based persistence "j2ee": J2EE session persistence "named": Named Node session persistence "ssl": SSL Session ID persistence "transparent": Transparent session affinity "universal": Universal session persistence "x_zeus": X-Zeus-Backend cookies |
url |
The redirect URL to send clients to if the session persistence is configured to redirect users when a node dies. •Type: String •Required: false •Default value: <none> |
Traffic IP Group
URI Endpoint: /api/tm/8.3/config/active/traffic_ip_groups
Traffic IP groups are sets of IP addresses that are distributed across a cluster for fault tolerance.
Property |
Description |
enabled |
If set to No, the traffic IP group will be disabled and none of the traffic IP addresses will be raised. •Type: Boolean •Required: false •Default value: true |
hash_source_port |
Whether or not the source port should be taken into account when deciding which traffic manager should handle a request. •Type: Boolean •Required: false •Default value: false |
ip_assignment_mode |
Configure how traffic IPs are assigned to traffic managers in Single-Hosted mode •Type: Enum(String) •Required: false •Default value: "balanced" •Permitted values: "alphabetic": Alphabetical order of traffic manager hostnames "balanced": Approximately balanced between traffic managers |
ip_mapping |
A table assigning traffic IP addresses to machines that should host them. Traffic IP addresses not specified in this table will automatically be assigned to a machine. •Type: Table •Required: false •Primary key: •ip (String): A traffic IP address (from the ipaddresses property). (Required) •Sub keys: •traffic_manager (String): The name of the traffic manager that should host the IP address. (Required) |
ipaddresses |
The IP addresses that belong to the Traffic IP group. •Type: Set(String) •Required: false •Default value: <none> |
keeptogether |
If set to Yes then all the traffic IPs will be raised on a single traffic manager. By default they're distributed across all active traffic managers in the traffic IP group. •Type: Boolean •Required: false •Default value: false |
location |
The location in which the Traffic IP group is based. •Type: Int •Required: false •Default value: <none> |
machines |
The traffic managers that can host the traffic IP group's IP addresses. •Type: Set(Reference(config-tm)) •Required: false •Default value: <none> |
mode |
The method used to distribute traffic IPs across machines in the cluster. If "multihosted" is used then multicast must be set to an appropriate multicast IP address. •Type: Enum(String) •Required: false •Default value: "singlehosted" •Permitted values: "ec2elastic": Use an EC2-Classic Elastic IP address. "ec2vpcelastic": Use an EC2-VPC Elastic IP address. "ec2vpcprivate": Use an EC2-VPC Private IP address. "gceexternal": Use GCE External IP addresses. "multihosted": Raise each address on every machine in the group (Multi-Hosted mode) - IPv4 only "rhi": Use route health injection to route traffic to the active machine - IPv4 only "singlehosted": Raise each address on a single machine (Single-Hosted mode) |
multicast |
The multicast IP address used to duplicate traffic to all traffic managers in the group. •Type: String •Required: false •Default value: <none> |
note |
A note, used to describe this Traffic IP Group •Type: String •Required: false •Default value: <none> |
rhi_bgp_metric_base |
The base BGP routing metric for this Traffic IP group. This is the advertised routing cost for the active traffic manager in the cluster. It can be used to set up inter-cluster failover. •Type: UInt •Required: false •Default value: "10" |
rhi_bgp_passive_metric_offset |
The BGP routing metric offset for this Traffic IP group. This is the difference between the advertised routing cost for the active and passive traffic manager in the cluster. •Type: UInt •Required: false •Default value: "10" |
rhi_ospfv2_metric_base |
The base OSPFv2 routing metric for this Traffic IP group. This is the advertised routing cost for the active traffic manager in the cluster. It can be used to set up inter-cluster failover. •Type: UInt •Required: false •Default value: "10" |
rhi_ospfv2_passive_metric_offset |
The OSPFv2 routing metric offset for this Traffic IP group. This is the difference between the advertised routing cost for the active and passive traffic manager in the cluster. •Type: UInt •Required: false •Default value: "10" |
rhi_protocols |
A list of protocols to be used for RHI. Currently must be 'ospf' or 'bgp' or both. The default, if empty, is 'ospf', which means that it is not possible to specify no protocol. •Type: String •Required: false •Default value: "ospf" |
slaves |
A list of traffic managers that are in 'passive' mode. This means that in a fully working environment, they will not have any traffic IP addresses assigned to them. •Type: Set(Reference(config-tm)) •Required: false •Default value: <none> |
Traffic Manager
URI Endpoint: /api/tm/8.3/config/active/traffic_managers
The conf/zxtms directory contains a configuration file for each traffic manager in your cluster. The name of each file is the hostname of the traffic manager it represents. These files contain host-specific configuration data and on each installation of the software, the conf/../global.cfg file is sym-linked to the host's own configuration in the conf/zxtms directory. The files may contain a variety of configuration options that are configured in various locations under the System section of the Admin Server UI and the System section of the SOAP API and CLI.
Property |
Description |
adminMasterXMLIP |
The Application Firewall master XML IP. •Type: String •Required: false •Default value: "0.0.0.0" |
adminSlaveXMLIP |
The Application Firewall slave XML IP. •Type: String •Required: false •Default value: "0.0.0.0" |
appliance_card |
The table of network cards of a hardware appliance •Type: Table •Required: false •Primary key: •name (String): Network card PCI ID (Required) •Sub keys: •interfaces (List(String)): The order of the interfaces of a network card (Required) •label (String): The labels of the installed network cards |
appliance_sysctl |
Custom kernel parameters applied by the user with the sysctl interface. •Type: Table •Required: false •Primary key: •sysctl (String): The name of the kernel parameter, e.g. net.ipv4.forward (Required) •Sub keys: •description (String): Associated optional description for the sysctl •value (String): The value of the kernel parameter (Required) |
authenticationServerIP |
The Application Firewall Authentication Server IP. •Type: String •Required: false •Default value: "0.0.0.0" |
cloud_platform |
Cloud platform where the traffic manager is running. •Type: String •Required: false •Default value: <none> |
location |
The location that the local traffic manager is in. •Type: String •Required: false •Default value: <none> |
nameip |
Replace Traffic Manager name with an IP address. •Type: String •Required: false •Default value: <none> |
num_aptimizer_threads |
How many worker threads the Web Accelerator process should create to optimise content. By default, one thread will be created for each CPU on the system. •Type: UInt •Required: false •Default value: <none> |
num_children |
The number of worker processes the software will run. By default, one child process will be created for each CPU on the system. You may wish to reduce this to effectively "reserve" CPU(s) for other processes running on the host system. •Type: UInt •Required: false •Default value: <none> |
numberOfCPUs |
The number of Application Firewall decider processes to run. •Type: UInt •Required: false •Default value: <none> |
restServerPort |
The Application Firewall REST Internal API port. This port should not be accessed directly. •Type: UInt •Required: false •Default value: <none> |
trafficip |
A table mapping interfaces to networks, used by the traffic manager to select which interface to raise a Traffic IP on. •Type: Table •Required: false •Primary key: •name (String): A network interface. (Required) •Sub keys: •networks (Set(String)): A set of IP/masks to which the network interface maps. (Required) |
updaterIP |
The Application Firewall Updater IP. •Type: String •Required: false •Default value: "0.0.0.0" |
Properties for the "admin" section: |
|
hsts_enable |
Whether or not HSTS (RFC 6797) is enabled for admin server connections. •Type: Boolean •Required: false •Default value: false |
hsts_max_age |
The number of seconds that the HSTS header field max-age will be set to •Type: UInt •Required: false •Default value: "31536000" |
Properties for the "appliance" section: |
|
disable_kpti |
Whether the traffic manager appliance should run without kernel page table isolation (KPTI). KPTI provides protection to prevent unprivileged software from being potentially able to read arbitrary memory from the kernel (i.e. the Meltdown attack, CVE-2017-5754); however this protection incurs a general system performance penalty. If you are running trusted software on the appliance, and the trade-off between performance at the cost of 'defense in depth' favors the former in your deployment, you may wish to enable this configuration key. If you are unsure, it is recommended that you leave this key disabled, which is also the default. •Type: Boolean •Required: false •Default value: false |
dnscache |
The DNS cache setting the appliance should use and place in /etc/systemd/resolved.conf. •Type: Boolean •Required: false •Default value: true |
dnssec |
The DNSSEC setting the appliance should use and place in /etc/systemd/resolved.conf. •Type: Enum(String) •Required: false •Default value: "no" •Permitted values: "allow_downgrade": Use DNSSEC when available "no": DNSSEC disabled "yes": DNSSEC enabled |
gateway_ipv4 |
The default gateway. •Type: String •Required: false •Default value: <none> |
gateway_ipv6 |
The default IPv6 gateway. •Type: String •Required: false •Default value: <none> |
hostname |
Name (hostname.domainname) of the appliance. •Type: String •Required: false •Default value: <none> |
hosts |
A table of hostname to static ip address mappings, to be placed in the /etc/hosts file. •Type: Table •Required: false •Primary key: •name (String): The name of a host. (Required) •Sub keys: •ip_address (String): The static IP address of the host. (Required) |
if |
A table of network interface specific settings. •Type: Table •Required: false •Primary key: •name (String): A network interface name. (Required) •Sub keys: •autoneg (Boolean): Whether auto-negotiation should be enabled for the interface. •bmode (Enum(String)): The trunking mode used for the interface (only 802.3ad is currently supported). Permitted values: "802_3ad": IEEE 802.3ad "balance_alb": Adaptive Load Balancing •bond (String): The trunk of which the interface should be a member. •duplex (Boolean): Whether full-duplex should be enabled for the interface. •mode (Enum(String)): Set the configuration mode of an interface, the interface name is used in place of the * (asterisk). Permitted values: "dhcp": DHCP "static": Static •mtu (UInt): The maximum transmission unit (MTU) of the interface. •speed (Enum(String)): The speed of the interface. Permitted values: "10": 10Mbs "100": 100Mbs "1000": 1Gbs "10000": 10Gbs "100000": 100Gbs "40000": 40Gbs |
ip |
A table of network interfaces and their network settings. •Type: Table •Required: false •Primary key: •name (String): A network interface name. (Required) •Sub keys: •addr (String): The IP address for the interface. (Required) •isexternal (Boolean): Whether the interface is externally facing. •mask (String): The IP mask (netmask) for the interface. (Required) |
ipmi_lan_access |
Whether IPMI LAN access should be enabled or not. •Type: Boolean •Required: false •Default value: false |
ipmi_lan_addr |
The IP address of the appliance IPMI LAN channel. •Type: String •Required: false •Default value: <none> |
ipmi_lan_gateway |
The default gateway of the IPMI LAN channel. •Type: String •Required: false •Default value: "0.0.0.0" |
ipmi_lan_ipsrc |
The addressing mode in which the IPMI LAN channel operates. •Type: Enum(String) •Required: false •Default value: "static" •Permitted values: "dhcp": Address obtained by DHCP "static": Static IP Address |
ipmi_lan_mask |
Set the IP netmask for the IPMI LAN channel. •Type: String •Required: false •Default value: <none> |
ipv4_forwarding |
Whether or not IPv4 forwarding is enabled. •Type: Boolean •Required: false •Default value: false |
ipv6_forwarding |
Whether or not IPv6 forwarding is enabled. •Type: Boolean •Required: false •Default value: false |
licence_agreed |
Whether or not the license agreement has been accepted. This determines whether or not the Initial Configuration wizard is displayed. •Type: Boolean •Required: false •Default value: false |
manageazureroutes |
Whether or not the software manages the Azure policy routing. •Type: Boolean •Required: false •Default value: true |
manageec2conf |
Whether or not the software manages the EC2 config. •Type: Boolean •Required: false •Default value: true |
managegceroutes |
Whether or not the software manages the GCE routing. •Type: Boolean •Required: false •Default value: true |
manageiptrans |
Whether or not the software manages the IP transparency •Type: Boolean •Required: false •Default value: true |
managereservedports |
Whether or not the software manages the system configuration for reserved ports •Type: Boolean •Required: false •Default value: true |
managereturnpath |
Whether or not the software manages return path routing. If disabled, the appliance won't modify iptables / rules / routes for this feature. •Type: Boolean •Required: false •Default value: true |
manageservices |
Whether or not the software manages the system services •Type: Boolean •Required: false •Default value: true |
managevpcconf |
Whether or not the software manages the EC2-VPC secondary IPs. •Type: Boolean •Required: false •Default value: true |
name_servers |
The IP addresses of the nameservers the appliance should use and place in /etc/systemd/resolved.conf. •Type: Set(String) •Required: false •Default value: <none> |
ntpservers |
The NTP servers the appliance should use to synchronize its clock. •Type: List(String) •Required: false •Default value: "0.zeus.pool.ntp.org 1.zeus.pool.ntp.org 2.zeus.pool.ntp.org 3.zeus.pool.ntp.org" |
routes |
A table of destination IP addresses and routing details to reach them. •Type: Table •Required: false •Primary key: •name (String): A destination IP address. (Required) •Sub keys: •gw (String): The gateway IP to configure for the route. (Required) •if (String): The network interface to configure for the route. (Required) •mask (String): The netmask to apply to the IP address. (Required) |
search_domains |
The search domains the appliance should use and place in /etc/systemd/resolved.conf. •Type: Set(String) •Required: false •Default value: <none> |
ssh_enabled |
Whether or not the SSH server is enabled on the appliance. •Type: Boolean •Required: false •Default value: true |
ssh_password_allowed |
Whether or not the SSH server allows password based login. •Type: Boolean •Required: false •Default value: true |
ssh_port |
The port that the SSH server should listen on. •Type: UInt •Required: false •Default value: "22" |
timezone |
The timezone the appliance should use. This must be a path to a timezone file that exists under /usr/share/zoneinfo/. •Type: String •Required: false •Default value: "US/Pacific" |
vlans |
The VLANs the software should raise. A VLAN should be configured using the format <dev>.<vlanid>, where <dev> is the name of a network device that exists in the host system, eth0.100 for example. •Type: Set(String) •Required: false •Default value: <none> |
Properties for the "cluster_comms" section: |
|
allow_update |
Whether or not this instance of the software can send configuration updates to other members of the cluster. When not clustered this key is ignored. When clustered the value can only be changed by another machine in the cluster that has allow_update set to true. If set to false then it will not be possible to log into the admin server for this instance. •Type: Boolean •Required: false •Default value: true |
bind_ip |
The IP address that the software should bind to for internal administration communications. See also port. If the software is not part of a cluster the default is to use 127.0.0.1 and there should be no reason to touch this setting. If the software is part of a cluster then the default is to listen on all raised IPs, in this case an alternative configuration is to listen on a single IP address. This may be useful if you have a separate management network and wish to restrict control messages to it. It is important to ensure that the allowed_update_hosts (in the Global Settings resource) is compatible with the IP configured here. •Type: String •Required: false •Default value: "*" |
external_ip |
This is the optional external ip of the traffic manager, which is used to circumvent natting when traffic managers in a cluster span different networks. •Type: String •Required: false •Default value: <none> |
port |
The port that the software should listen on for internal administration communications. See also bind_ip. •Type: UInt •Required: false •Default value: "9080" |
Properties for the "ec2" section: |
|
trafficips_public_enis |
List of MAC addresses of interfaces which the traffic manager can use to associate the EC2 elastic IPs (Traffic IPs) to the instance. •Type: Set(String) •Required: false •Default value: <none> |
Properties for the "fault_tolerance" section: |
|
bgp_router_id |
The BGP router id. If set to empty, then the IPv4 address used to communicate with the default IPv4 gateway is used instead. Specifying 0.0.0.0 will stop the traffic manager routing software from running the BGP protocol. •Type: String •Required: false •Default value: <none> |
ospfv2_ip |
The traffic manager's permanent IPv4 address which the routing software will use for peering and transit traffic, and as its OSPF router ID. If set to empty, then the address used to communicate with the default IPv4 gateway is used instead. Specifying 0.0.0.0 will stop the traffic manager routing software from running the OSPF protocol. •Type: String •Required: false •Default value: <none> |
ospfv2_neighbor_addrs |
The IP addresses of routers which are expected to be found as OSPFv2 neighbors of the traffic manager. A warning will be reported if some of the expected routers are not peered, and an error will be reported if none of the expected routers are peered. An empty list disables monitoring. The special value %gateway% is a placeholder for the default gateway. •Type: Set(String) •Required: false •Default value: "%gateway%" |
Properties for the "iptables" section: |
|
config_enabled |
Whether the Traffic Manager should configure the iptables built-in chains to call Traffic Manager defined rules (e.g. the IP transparency chain). This should only be disabled in case of conflict with other software that manages iptables, e.g. firewalls. When disabled, you will need to add rules manually to use these features - see the user manual for details. •Type: Boolean •Required: false •Default value: true |
Properties for the "iptrans" section: |
|
fwmark |
The netfilter forwarding mark to use for IP transparency rules •Type: UInt •Required: false •Default value: "320" |
iptables_enabled |
Whether IP transparency may be used via netfilter/iptables. This requires the iptables socket extension. •Type: Boolean •Required: false •Default value: true |
routing_table |
The special routing table ID to use for IP transparency rules •Type: UInt •Required: false •Default value: "320" |
Properties for the "java" section: |
|
port |
The port the Java Extension handler process should listen on. This port will be bound for localhost communications only. •Type: UInt •Required: false •Default value: "9060" |
Properties for the "remote_licensing" section: |
|
email_address |
The e-mail address sent as part of a remote licensing request. •Type: String •Required: false •Default value: <none> |
message |
A free-text field sent as part of a remote licensing request. •Type: String •Required: false •Default value: <none> |
Properties for the "rest_api" section: |
|
bind_ips |
A list of IP Addresses which the REST API will listen on for connections. The list should contain IP addresses (IPv4 or IPv6) or a single entry containing an asterisk (*). This indicates that the REST API should listen on all IP Addresses. •Type: Set(String) •Required: false •Default value: "*" |
port |
The port on which the REST API should listen for requests. •Type: UInt •Required: false •Default value: "9070" |
Properties for the "snmp" section: |
|
allow |
Restrict which IP addresses can access the SNMP command responder service. The value can be all, localhost, or a list of IP CIDR subnet masks. For example 10.100.0.0/16 would allow connections from any IP address beginning with 10.100. •Type: Set(String) •Required: false •Default value: "all" |
auth_password |
The authentication password. Required (minimum length 8 characters) if security_level includes authentication. •Type: Password •Required: false •Default value: <none> |
bind_ip |
The IP address the SNMP service should bind its listen port to. The value * (asterisk) means SNMP will listen on all IP addresses. •Type: String •Required: false •Default value: "*" |
community |
The community string required for SNMPv1 and SNMPv2c commands. (If empty, all SNMPv1 and SNMPv2c commands will be rejected). •Type: String •Required: false •Default value: "public" |
enabled |
Whether or not the SNMP command responder service should be enabled on this traffic manager. •Type: Boolean •Required: false •Default value: false |
hash_algorithm |
The hash algorithm for authenticated SNMPv3 communications. •Type: Enum(String) •Required: false •Default value: "md5" •Permitted values: "md5": MD5 "sha1": SHA-1 |
port |
The port the SNMP command responder service should listen on. The value default denotes port 161 if the software is running with root privileges, and 1161 otherwise. •Type: String •Required: false •Default value: "default" |
priv_password |
The privacy password. Required (minimum length 8 characters) if security_level includes privacy (message encryption). •Type: Password •Required: false •Default value: <none> |
security_level |
The security level for SNMPv3 communications. •Type: Enum(String) •Required: false •Default value: "noauthnopriv" •Permitted values: "authnopriv": Authentication only "authpriv": Authentication and Privacy "noauthnopriv": No Authentication, No Privacy |
username |
The username required for SNMPv3 commands. (If empty, all SNMPv3 commands will be rejected). •Type: String •Required: false •Default value: <none> |
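The following added example (not part of the product documentation) audits a Traffic Manager resource against the security-relevant defaults listed in the tables above. It assumes the resource is fetched as JSON shaped `{"properties": {"<section>": {...}}}`; the function names and sample inputs are constructed for illustration.

```python
# Defaults copied from the Traffic Manager property tables on this page.
DEFAULTS = {
    "admin": {"hsts_enable": False},
    "appliance": {
        "disable_kpti": False,
        "dnssec": "no",
        "ipmi_lan_access": False,
        "ssh_enabled": True,
        "ssh_password_allowed": True,
    },
    "rest_api": {"bind_ips": ["*"]},
    "snmp": {
        "enabled": False,
        "allow": ["all"],
        "bind_ip": "*",
        "community": "public",
        "hash_algorithm": "md5",
        "security_level": "noauthnopriv",
        "username": "",
    },
}


def effective(resource):
    """Overlay configured properties on the documented defaults.

    Assumption: the body is {"properties": {section: {key: value}}} and
    keys that were never set are simply absent from it.
    """
    props = resource.get("properties", {})
    return {s: {**d, **props.get(s, {})} for s, d in DEFAULTS.items()}


def audit(resource):
    """Return a list of (property, finding) tuples for weak settings."""
    cfg = effective(resource)
    admin, app, rest, snmp = (
        cfg[s] for s in ("admin", "appliance", "rest_api", "snmp")
    )
    out = []

    if not admin["hsts_enable"]:
        out.append(("admin.hsts_enable", "admin server does not send HSTS"))
    if app["disable_kpti"]:
        out.append(("appliance.disable_kpti",
                    "KPTI is off (Meltdown, CVE-2017-5754)"))
    if app["ssh_enabled"] and app["ssh_password_allowed"]:
        out.append(("appliance.ssh_password_allowed",
                    "SSH accepts password logins"))
    if app["ipmi_lan_access"]:
        out.append(("appliance.ipmi_lan_access", "IPMI LAN channel enabled"))
    if app["dnssec"] == "no":
        out.append(("appliance.dnssec", "DNSSEC disabled"))
    if "*" in rest["bind_ips"]:
        out.append(("rest_api.bind_ips", "REST API listens on all addresses"))

    # SNMP settings only matter once the responder is enabled.
    if snmp["enabled"]:
        if "all" in snmp["allow"]:
            out.append(("snmp.allow", "any source address may query SNMP"))
        if snmp["bind_ip"] == "*":
            out.append(("snmp.bind_ip", "SNMP listens on all addresses"))
        # An empty community rejects all SNMPv1/v2c commands.
        if snmp["community"] == "public":
            out.append(("snmp.community", "default community string"))
        elif snmp["community"]:
            out.append(("snmp.community",
                        "SNMPv1/v2c accepted; community is sent in clear"))
        # An empty username rejects all SNMPv3 commands.
        if snmp["username"]:
            level = snmp["security_level"]
            if level == "noauthnopriv":
                out.append(("snmp.security_level",
                            "SNMPv3 without authentication or privacy"))
            elif level == "authnopriv":
                out.append(("snmp.security_level",
                            "SNMPv3 authenticated but not encrypted"))
            if level != "noauthnopriv" and snmp["hash_algorithm"] == "md5":
                out.append(("snmp.hash_algorithm", "SNMPv3 auth uses MD5"))
    return out


# Constructed sample: an operator only switched SNMP on.
SNMP_ONLY = {"properties": {"snmp": {"enabled": True}}}

# Constructed sample: a hardened host (addresses are placeholders).
HARDENED = {"properties": {
    "admin": {"hsts_enable": True},
    "appliance": {"dnssec": "yes", "ssh_password_allowed": False},
    "rest_api": {"bind_ips": ["10.0.0.5"]},
    "snmp": {"enabled": True, "community": "", "username": "monitor",
             "security_level": "authpriv", "hash_algorithm": "sha1",
             "allow": ["10.100.0.0/16"], "bind_ip": "10.0.0.5"},
}}

if __name__ == "__main__":
    for key, msg in audit(SNMP_ONLY):
        print(f"{key}: {msg}")
```

Setting only `enabled` in the "snmp" section leaves the "public" community, `allow` of "all" and a wildcard `bind_ip` in effect, which is why the first sample reports three SNMP findings even though nothing else was changed.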
TrafficScript Authenticator
URI Endpoint: /api/tm/8.3/config/active/rule_authenticators
TrafficScript authenticators define remote authentication services that can be queried via a TrafficScript rule.
Property |
Description |
host |
The hostname or IP address of the remote authenticator. •Type: String •Required: false •Default value: <none> |
note |
A description of the authenticator. •Type: FreeformString •Required: false •Default value: <none> |
port |
The port on which the remote authenticator should be contacted. •Type: UInt •Required: false •Default value: "389" |
Properties for the "ldap" section: |
|
attributes |
A list of attributes to return from the search. If blank, no attributes will be returned. If set to '*' then all user attributes will be returned. •Type: Set(String) •Required: false •Default value: <none> |
bind_dn |
The distinguished name (DN) of the 'bind' user. The traffic manager will connect to the LDAP server as this user when searching for user records. •Type: String •Required: false •Default value: <none> |
bind_password |
The password for the bind user. •Type: Password •Required: false •Default value: <none> |
filter |
The filter used to locate the LDAP record for the user being authenticated. Any occurrences of '%u' in the filter will be replaced by the name of the user being authenticated. •Type: String •Required: false •Default value: <none> |
filter_base_dn |
The base distinguished name (DN) under which user records are located on the server. •Type: String •Required: false •Default value: <none> |
ssl_cert |
The SSL certificate that the traffic manager should use to validate the remote server. If no certificate is specified then no signature validation will be performed. •Type: Reference(config-ssl-cacrl) •Required: false •Default value: <none> |
ssl_enabled |
Whether or not to enable SSL encryption to the LDAP server. •Type: Boolean •Required: false •Default value: false |
ssl_type |
The type of LDAP SSL encryption to use. •Type: Enum(String) •Required: false •Default value: "ldaps" •Permitted values: "ldaps": LDAPS "starttls": Start TLS |
Trusted SAML Identity Provider
URI Endpoint: /api/tm/8.3/config/active/saml/trustedidps
Configuration for SAML IDP trust relationships.
Property |
Description |
add_zlib_header |
Whether or not to add the zlib header when compressing the AuthnRequest •Type: Boolean •Required: false •Default value: false |
certificate |
The certificate used to verify Assertions signed by the identity provider •Type: String •Required: true •Default value: <none> |
entity_id |
The entity id of the IDP •Type: String •Required: true •Default value: <none> |
strict_verify |
Whether or not SAML responses will be verified strictly •Type: Boolean •Required: false •Default value: true |
url |
The IDP URL to which Authentication Requests should be sent •Type: String •Required: true •Default value: <none> |
User Authenticator
URI Endpoint: /api/tm/8.3/config/active/user_authenticators
A user authenticator is used to allow access to the UI and REST API by querying a remote authentication service.
Property |
Description |
description |
A description of the authenticator. •Type: String •Required: false •Default value: <none> |
enabled |
Whether or not this authenticator is enabled. •Type: Boolean •Required: false •Default value: false |
type |
The type and protocol used by this authentication service. •Type: Enum(String) •Required: true •Default value: <none> •Permitted values: "ldap": LDAP "radius": RADIUS "tacacs_plus": TACACS+ |
Properties for the "ldap" section: |
|
base_dn |
The base DN (Distinguished Name) under which directory searches will be applied. The entries for your users should all appear under this DN. An example of a typical base DN is: OU=users, DC=mycompany, DC=local •Type: String •Required: false •Default value: <none> |
bind_dn |
Template to construct the bind DN (Distinguished Name) from the username. The string %u will be replaced by the username. Examples: %[email protected] for Active Directory or cn=%u, dc=mycompany, dc=local for both LDAP and Active Directory. •Type: String •Required: false •Default value: <none> |
dn_method |
The bind DN (Distinguished Name) for a user can either be searched for in the directory using the base distinguished name and filter values, or it can be constructed from the username. •Type: Enum(String) •Required: false •Default value: "none" •Permitted values: "construct": Construct "none": No setting configured "search": Search |
fallback_group |
If the group attribute is not defined, or returns no results for the user logging in, the group named here will be used. If not specified, users will be denied access to the traffic manager if no groups matching a Permission Group can be found for them in the directory. •Type: String •Required: false •Default value: <none> |
filter |
A filter that can be used to extract a unique user record located under the base DN (Distinguished Name). The string %u will be replaced by the username. This filter is used to find a user's bind DN when dn_method is set to "Search", and to extract group information if the group filter is not specified. Examples: sAMAccountName=%u for Active Directory, or uid=%u for some Unix LDAP schemas. •Type: String •Required: false •Default value: <none> |
group_attribute |
The LDAP attribute that gives a user's group. If there are multiple entries for the attribute all will be extracted and they'll be lexicographically sorted, then the first one to match a Permission Group name will be used. •Type: String •Required: false •Default value: <none> |
group_field |
The sub-field of the group attribute that gives a user's group. For example, if group_attribute is memberOf and this retrieves values of the form CN=mygroup, OU=groups, OU=users, DC=mycompany, DC=local you would set group_field to CN. If there are multiple matching fields only the first matching field will be used. •Type: String •Required: false •Default value: <none> |
group_filter |
If the user record returned by filter does not contain the required group information you may specify an alternative group search filter here. This will usually be required if you have Unix/POSIX-style user records. If multiple records are returned the list of group names will be extracted from all of them. The string %u will be replaced by the username. Example: (&(memberUid=%u)(objectClass=posixGroup)) •Type: String •Required: false •Default value: <none> |
port |
The port to connect to the LDAP server on. •Type: UInt •Required: false •Default value: "389" |
search_dn |
The bind DN (Distinguished Name) to use when searching the directory for a user's bind DN. You can leave this blank if it is possible to perform the bind DN search using an anonymous bind. •Type: String •Required: false •Default value: <none> |
search_password |
If binding to the LDAP server using search_dn requires a password, enter it here. •Type: Password •Required: false •Default value: <none> |
server |
The IP or hostname of the LDAP server. •Type: String •Required: false •Default value: <none> |
ssl |
The type of TLS encryption, if any, to use. Usually STARTTLS will be used with port 389, and LDAPS with port 636. A Certificate Authority that the LDAP server's certificate chains back to must be present in the "Admin Certificate Authorities and Certificate Revocation Lists Catalog" under "SSL catalogs", otherwise the connection will fail. •Type: Enum(String) •Required: false •Default value: "none" •Permitted values: "ldaps": LDAPS "none": None "starttls": STARTTLS |
timeout |
Connection timeout in seconds. •Type: UInt •Required: false •Default value: "30" |
Properties for the "radius" section: |
|
fallback_group |
If no group is found using the vendor and group identifiers, or the group found is not valid, the group specified here will be used. •Type: String •Required: false •Default value: <none> |
group_attribute |
The RADIUS identifier for the attribute that specifies an account's group. May be left blank if fallback group is specified. •Type: UInt •Required: false •Default value: "1" |
group_vendor |
The RADIUS identifier for the vendor of the RADIUS attribute that specifies an account's group. Leave blank if using a standard attribute (i.e. for Filter-Id set group_attribute to 11). •Type: UInt •Required: false •Default value: "7146" |
nas_identifier |
This value is sent to the RADIUS server. •Type: String •Required: false •Default value: <none> |
nas_ip_address |
This value is sent to the RADIUS server. If left blank, the address of the interface used to connect to the server will be used. •Type: String •Required: false •Default value: <none> |
port |
The port to connect to the RADIUS server on. •Type: UInt •Required: false •Default value: "1812" |
secret |
Secret key shared with the RADIUS server. •Type: Password •Required: false •Default value: <none> |
server |
The IP or hostname of the RADIUS server. •Type: String •Required: false •Default value: <none> |
timeout |
Connection timeout in seconds. •Type: UInt •Required: false •Default value: "30" |
Properties for the "tacacs_plus" section: |
|
auth_type |
Authentication type to use. •Type: Enum(String) •Required: false •Default value: "pap" •Permitted values: "ascii": ASCII "pap": PAP |
fallback_group |
If group_service is not used, or no group value is provided for the user by the TACACS+ server, the group specified here will be used. If this is not specified, users with no TACACS+ defined group will be denied access. •Type: String •Required: false •Default value: <none> |
group_field |
The TACACS+ "service" field that provides each user's group. •Type: String •Required: false •Default value: "permission-group" |
group_service |
The TACACS+ "service" that provides each user's group field. •Type: String •Required: false •Default value: "zeus" |
port |
The port to connect to the TACACS+ server on. •Type: UInt •Required: false •Default value: "49" |
secret |
Secret key shared with the TACACS+ server. •Type: Password •Required: false •Default value: <none> |
server |
The IP or hostname of the TACACS+ server. •Type: String •Required: false •Default value: <none> |
timeout |
Connection timeout in seconds. •Type: UInt •Required: false •Default value: "30" |
User Group
URI Endpoint: /api/tm/8.3/config/active/user_groups
Permission groups specify permissions for groups of users. These groups can be given read-write or read-only access to different parts of the configuration hierarchy. Each group will contain a table of permissions. Each table entry has a name that corresponds to a part of the configuration hierarchy, and a corresponding access level. The access level may have values of either none, ro (read only, this is the default), or full. Some permissions have sub-permissions; these are denoted by following the parent permission name with a colon (:) followed by the sub-permission name. The built-in admin group has a special permission key of all with the value full. This must not be altered for the admin group, but the key can be used in other group configuration files to change the default permission level for the group.
Property |
Description |
description |
A description for the group. •Type: String •Required: false •Default value: <none> |
password_expire_time |
Members of this group must renew their passwords after this number of days. To disable password expiry for the group set this to 0 (zero). Note that this setting applies only to local users. •Type: UInt •Required: false •Default value: <none> |
permissions |
A table defining which level of permission this group has for specific configuration elements. •Type: Table •Required: false •Primary key: •name (String): Configuration element to which this group has a level of permission. (Required) •Sub keys: •access_level (String): Permission level for the configuration element (none, ro or full) (Required) |
timeout |
Inactive UI sessions will timeout after this number of seconds. To disable inactivity timeouts for the group set this to 0 (zero). •Type: UInt •Required: false •Default value: "30" |
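The permission rules and session settings above can be checked mechanically when reviewing exported group configurations. The following is an added example, not code from the product or its documentation: it assumes each group is a JSON object with its properties under properties.basic and the permissions table as a list of rows, and the permission names "Example_Area" and "Example_Area:Sub" are placeholders.

```python
VALID_LEVELS = ("none", "ro", "full")


def make_group(permissions, timeout, password_expire_time):
    """Build a constructed group record in the assumed JSON layout."""
    return {"properties": {"basic": {
        "permissions": permissions,
        "timeout": timeout,
        "password_expire_time": password_expire_time,
    }}}


# Constructed sample data; group and permission names are placeholders.
SAMPLE_GROUPS = {
    "admin": make_group([{"name": "all", "access_level": "full"}], 30, 90),
    "Auditors": make_group([
        {"name": "all", "access_level": "none"},
        {"name": "Example_Area", "access_level": "ro"},
    ], 30, 90),
    "Operators": make_group([
        {"name": "all", "access_level": "full"},
        {"name": "Example_Area:Sub", "access_level": "rw"},  # not a permitted level
    ], 0, 0),
}


def permission_table(group):
    """Return the permissions table as {name: access_level}."""
    rows = group["properties"]["basic"].get("permissions", [])
    return {row["name"]: row["access_level"] for row in rows}


def effective_access(group, element):
    """Access level a group has for one configuration element.

    An explicit row wins; otherwise the group's "all" row sets the default;
    otherwise the documented default, ro, applies. How an unlisted
    sub-permission relates to its parent is not described on the page, so it
    is treated like any other unlisted name (assumption).
    """
    table = permission_table(group)
    if element in table:
        return table[element]
    return table.get("all", "ro")


def audit_group(name, group):
    """Return a list of review findings for one user group."""
    basic = group["properties"]["basic"]
    table = permission_table(group)
    findings = []
    for element, level in table.items():
        if level not in VALID_LEVELS:
            findings.append(f"{element}: unknown access_level {level!r}")
    default = table.get("all")
    if name == "admin":
        # The admin group's "all" key must not be altered.
        if default != "full":
            findings.append("admin group: 'all' must stay at full")
    elif default == "full":
        findings.append("default access is full via the 'all' key")
    if basic.get("timeout") == 0:
        findings.append("UI inactivity timeout disabled")
    if basic.get("password_expire_time") == 0:
        findings.append("password expiry disabled for local users")
    return findings


def audit_all(groups):
    """Map each group name to its findings, omitting groups with none."""
    report = {name: audit_group(name, g) for name, g in groups.items()}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for group_name, found in audit_all(SAMPLE_GROUPS).items():
        for finding in found:
            print(f"{group_name}: {finding}")
```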
Virtual Server
URI Endpoint: /api/tm/8.3/config/active/virtual_servers
The conf/vservers directory contains configuration files that define virtual servers. The name of a file is the name of the virtual server it defines. Virtual servers can be configured under the Services > Virtual Servers section of the Admin Server UI or by using functions under the VirtualServer section of the SOAP API and CLI.
Property |
Description |
bandwidth_class |
The bandwidth management class that this server should use, if any. •Type: Reference(config-bandwidth) •Required: false •Default value: <none> |
completion_rules |
Rules that are run at the end of a transaction, in order, comma separated. •Type: List(String) •Required: false •Default value: <none> |
connect_timeout |
The time, in seconds, for which an established connection can remain idle waiting for some initial data to be received from the client. The initial data is defined as a complete set of request headers for HTTP, SIP and RTSP services, or the first byte of data for all other services. A value of 0 will disable the timeout. •Type: UInt •Required: false •Default value: "10" |
enabled |
Whether the virtual server is enabled. •Type: Boolean •Required: false •Default value: false |
glb_services |
The associated GLB services for this DNS virtual server. •Type: Set(String) •Required: false •Default value: <none> |
listen_on_any |
Whether to listen on all IP addresses •Type: Boolean •Required: false •Default value: true |
listen_on_hosts |
Hostnames and IP addresses to listen on •Type: Set(String) •Required: false •Default value: <none> |
listen_on_traffic_ips |
Traffic IP Groups to listen on •Type: Set(String) •Required: false •Default value: <none> |
max_concurrent_connections |
The maximum number of concurrent TCP connections that will be handled by this virtual server. If set to a non-zero value, the traffic manager will limit the number of concurrent TCP connections that this virtual server will accept to the value specified. When the limit is reached, new connections to this virtual server will not be accepted. If set to 0 the number of concurrent TCP connections will not be limited. •Type: UInt •Required: false •Default value: <none> |
note |
A description for the virtual server. •Type: FreeformString •Required: false •Default value: <none> |
pool |
The default pool to use for traffic. •Type: Reference(config-pool) •Required: true •Default value: <none> |
port |
The port on which to listen for incoming connections. •Type: UInt •Required: true •Default value: <none> |
protection_class |
The service protection class that should be used to protect this server, if any. •Type: String •Required: false •Default value: <none> |
protocol |
The protocol that the virtual server is using. •Type: Enum(String) •Required: false •Default value: "http" •Permitted values: "client_first": Generic client first "dns": DNS (UDP) "dns_tcp": DNS (TCP) "ftp": FTP "http": HTTP "https": SSL (HTTPS) "imaps": SSL (IMAPS) "imapv2": IMAPv2 "imapv3": IMAPv3 "imapv4": IMAPv4 "ldap": LDAP "ldaps": SSL (LDAPS) "pop3": POP3 "pop3s": SSL (POP3S) "rtsp": RTSP "server_first": Generic server first "siptcp": SIP (TCP) "sipudp": SIP (UDP) "smtp": SMTP "ssl": SSL "stream": Generic streaming "telnet": Telnet "udp": UDP "udpstreaming": UDP - Streaming |
proxy_protocol |
Expect connections to the traffic manager to be prefixed with a PROXY protocol header. If enabled, the information contained in the PROXY header will be available in TrafficScript. Connections that are not prefixed with a valid PROXY protocol header will be discarded. •Type: Boolean •Required: false •Default value: false |
request_rules |
Rules to be applied to incoming requests, in order, comma separated. •Type: List(String) •Required: false •Default value: <none> |
response_rules |
Rules to be applied to responses, in order, comma separated. •Type: List(Reference(config-trafficscript)) •Required: false •Default value: <none> |
slm_class |
The service level monitoring class that this server should use, if any. •Type: Reference(config-slm) •Required: false •Default value: <none> |
ssl_decrypt |
Whether or not the virtual server should decrypt incoming SSL traffic. •Type: Boolean •Required: false •Default value: false |
transparent |
Whether or not bound sockets should be configured for transparent proxying. •Type: Boolean •Required: false •Default value: false |
Properties for the "aptimizer" section: |
|
enabled |
Whether the virtual server should optimize web content. •Type: Boolean •Required: false •Default value: false |
profile |
A table of Aptimizer profiles and the application scopes that apply to them. •Type: Table •Required: false •Primary key: •name (String): The name of an Aptimizer acceleration profile. (Required) •Sub keys: •urls (Set(String)): The application scopes which apply to the acceleration profile. (Required) |
Properties for the "auth" section: |
|
saml_idp |
Name of the Trusted Identity Provider configuration to use. To create Identity Providers, please visit section Trusted Identity Providers •Type: String •Required: false •Default value: <none> |
saml_nameid_format |
The NameID format to request and expect from the identity provider. •Type: Enum(String) •Required: false •Default value: "none" •Permitted values: "emailaddress": emailAddress "none": none "unspecified": unspecified |
saml_sp_acs_url |
The 'Assertion Consumer Service' endpoint for the SAML service provider on this virtual server, i.e. the endpoint to which the identity provider will cause the user agent to send SAML assertions. This should be an HTTPS URL, must be in the same cookie domain as all hostnames used by the end user to access the virtual server (see cookie configuration) and the port must be the port on which this virtual server is listening. It must match the URI placed by the identity provider in the 'Recipient' attribute in the SAML assertion, if present. •Type: String •Required: false •Default value: <none> |
saml_sp_entity_id |
The entity ID to be used by the SAML service provider function on this virtual server. This should usually be a URL, or a URN, however it may be any string. It must match the entity ID placed by the identity provider in the 'Audience' field in the SAML assertion. •Type: String •Required: false •Default value: <none> |
saml_time_tolerance |
Time tolerance on authentication checks. When checking time-stamps and expiry dates against the current time on the system, allow a tolerance of this many seconds. For example, if a SAML response contains a 'NotOnOrAfter' that is 4 seconds in the past according to the local time, and the tolerance is set to 5 seconds, it will still be accepted. This is to prevent a lack of clock synchronization from resulting in rejection of SAML responses. •Type: UInt •Required: false •Default value: "5" |
session_cookie_attributes |
Attributes of cookie used for authentication session. •Type: String •Required: false •Default value: "HttpOnly; SameSite=Strict" |
session_cookie_name |
Name of cookie used for authentication session. •Type: String •Required: false •Default value: "VS_SamlSP_Auth" |
session_log_external_state |
Whether or not to include state of authentication sessions stored encrypted on the client as plaintext in the logs. •Type: Boolean •Required: false •Default value: false |
session_timeout |
Timeout on authentication session. •Type: UInt •Required: false •Default value: "7200" |
type |
Type of authentication to apply to requests to the virtual server. •Type: Enum(String) •Required: false •Default value: "none" •Permitted values: "none": None "saml_sp": SAML Service Provider |
verbose |
Whether or not detailed messages about virtual server authentication should be written to the error log. •Type: Boolean •Required: false •Default value: false |
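The matching rules stated for saml_sp_entity_id, saml_sp_acs_url and saml_time_tolerance, worked through on a constructed assertion. This is an added example, not the traffic manager's own code: it assumes the tolerance is applied to NotBefore as well as NotOnOrAfter, leaves signature verification out of scope, and uses placeholder hostnames.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SCD_PATH = "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData"

# Constructed, unsigned assertion for illustration only.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData
          Recipient="https://vs.example.test:443/saml/consume"
          NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://vs.example.test/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""

# Keys are the "auth" section property names; values are constructed.
SETTINGS = {
    "saml_sp_entity_id": "https://vs.example.test/sp",
    "saml_sp_acs_url": "https://vs.example.test:443/saml/consume",
    "saml_time_tolerance": 5,
}


def parse_ts(value):
    """Parse a UTC SAML timestamp such as 2024-01-01T12:05:00Z."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def check_assertion(xml_text, settings, now):
    """Return the reasons to reject the assertion; an empty list means accept."""
    tolerance = timedelta(seconds=settings["saml_time_tolerance"])
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", NS)
    confirmations = root.findall(SCD_PATH, NS)
    reasons = []

    # Time window checks, widened by the tolerance on both sides.
    timed = ([conditions] if conditions is not None else []) + confirmations
    for elem in timed:
        tag = elem.tag.split("}")[-1]
        not_before = elem.get("NotBefore")
        if not_before and now + tolerance < parse_ts(not_before):
            reasons.append(f"{tag}: not yet valid")
        not_on_or_after = elem.get("NotOnOrAfter")
        if not_on_or_after and now - tolerance >= parse_ts(not_on_or_after):
            reasons.append(f"{tag}: expired")

    # The Audience must match the configured entity ID.
    audiences = []
    if conditions is not None:
        found = conditions.findall("saml:AudienceRestriction/saml:Audience", NS)
        audiences = [(a.text or "").strip() for a in found]
    if settings["saml_sp_entity_id"] not in audiences:
        reasons.append("Audience does not match saml_sp_entity_id")

    # The Recipient, if present, must match the configured ACS URL.
    for scd in confirmations:
        recipient = scd.get("Recipient")
        if recipient is not None and recipient != settings["saml_sp_acs_url"]:
            reasons.append("Recipient does not match saml_sp_acs_url")
    return reasons


if __name__ == "__main__":
    # 4 seconds past NotOnOrAfter with a 5 second tolerance: accepted.
    four_late = datetime(2024, 1, 1, 12, 5, 4, tzinfo=timezone.utc)
    print(check_assertion(SAMPLE_ASSERTION, SETTINGS, four_late))
```

A larger saml_time_tolerance lengthens the period in which an expired assertion is still accepted, so keep it as small as clock synchronization allows.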
Properties for the "connection" section: |
|
keepalive |
Whether or not the virtual server should use keepalive connections with the remote clients. •Type: Boolean •Required: false •Default value: true |
keepalive_timeout |
The length of time that the virtual server should keep an idle keepalive connection before discarding it. A value of 0 (zero) will mean that the keepalives are never closed by the traffic manager. •Type: UInt •Required: false •Default value: "10" |
max_client_buffer |
The amount of memory, in bytes, that the virtual server should use to store data sent by the client through one TCP connection or HTTP/2 stream. Larger values will use more memory, but will minimise the number of read() and write() system calls that the traffic manager must perform. •Type: UInt •Required: false •Default value: "65536" |
max_server_buffer |
The amount of memory, in bytes, that the virtual server should use to store data returned by the server through one TCP connection. Larger values will use more memory, but will minimise the number of read() and write() system calls that the traffic manager must perform. •Type: UInt •Required: false •Default value: "65536" |
max_transaction_duration |
The total amount of time a transaction can take, counted from the first byte being received until the transaction is complete. For HTTP, this can mean all data has been written in both directions, or the connection has been closed; in most other cases it is the same as the connection being closed. The default value of 0 means there is no maximum duration, i.e., transactions can take arbitrarily long if none of the other timeouts occur. •Type: UInt •Required: false •Default value: <none> |
server_first_banner |
If specified, the traffic manager will use the value as the banner to send for server-first protocols such as FTP, POP, SMTP and IMAP. This allows rules to use the first part of the client data (such as the username) to select a pool. The banner should be in the correct format for the protocol, e.g. for FTP it should start with "220 " •Type: String •Required: false •Default value: <none> |
timeout |
A connection should be closed if no additional data has been received for this period of time. A value of 0 (zero) will disable this timeout. •Type: UInt •Required: false •Default value: "300" |
Properties for the "connection_errors" section: |
|
error_file |
The error message to be sent to the client when the traffic manager detects an internal or backend error for the virtual server. •Type: Reference(config-extra-file) •Required: false •Default value: "Default" |
Properties for the "cookie" section: |
|
domain |
The way in which the traffic manager should rewrite the domain portion of any cookies set by a back-end web server. •Type: Enum(UInt) •Required: false •Default value: "no_rewrite" •Permitted values: "no_rewrite": Do not rewrite the domain "set_to_named": Rewrite the domain to the named domain value "set_to_request": Rewrite the domain to the host header of the request |
new_domain |
The domain to use when rewriting a cookie's domain to a named value. •Type: String •Required: false •Default value: <none> |
path_regex |
If you wish to rewrite the path portion of any cookies set by a back-end web server, provide a regular expression to match the path: •Type: String •Required: false •Default value: <none> |
path_replace |
If cookie path regular expression matches, it will be replaced by this substitution. Parameters $1-$9 can be used to represent bracketed parts of the regular expression. •Type: String •Required: false •Default value: <none> |
secure |
Whether or not the traffic manager should modify the "secure" tag of any cookies set by a back-end web server. •Type: Enum(UInt) •Required: false •Default value: "no_modify" •Permitted values: "no_modify": Do not modify the 'secure' tag "set_secure": Set the 'secure' tag "unset_secure": Unset the 'secure' tag |
Properties for the "dns" section: |
|
edns_client_subnet |
Enable/Disable use of EDNS client subnet option •Type: Boolean •Required: false •Default value: true |
edns_udpsize |
EDNS UDP size advertised in responses. •Type: UInt •Required: false •Default value: "4096" |
max_udpsize |
Maximum UDP answer size. •Type: UInt •Required: false •Default value: "4096" |
rrset_order |
Response record ordering. •Type: Enum(String) •Required: false •Default value: "fixed" •Permitted values: "cyclic": Cyclic "fixed": Fixed |
verbose |
Whether or not the DNS Server should emit verbose logging. This is useful for diagnosing problems. •Type: Boolean •Required: false •Default value: false |
zones |
The DNS zones •Type: Set(String) •Required: false •Default value: <none> |
Properties for the "ftp" section: |
|
data_source_port |
The source port to be used for active-mode FTP data connections. If 0, a random high port will be used, otherwise the specified port will be used. If a port below 1024 is required you must first explicitly permit use of low ports with the data_bind_low global setting. •Type: UInt •Required: false •Default value: <none> |
force_client_secure |
Whether or not the virtual server should require that incoming FTP data connections from the client originate from the same IP address as the corresponding client control connection. •Type: Boolean •Required: false •Default value: true |
force_server_secure |
Whether or not the virtual server should require that incoming FTP data connections from the nodes originate from the same IP address as the node. •Type: Boolean •Required: false •Default value: true |
port_range_high |
If non-zero, then this controls the upper bound of the port range to use for FTP data connections. •Type: UInt •Required: false •Default value: <none> |
port_range_low |
If non-zero, then this controls the lower bound of the port range to use for FTP data connections. •Type: UInt •Required: false •Default value: <none> |
ssl_data |
Use SSL on the data connection as well as the control connection (if not enabled it is left to the client and server to negotiate this). •Type: Boolean •Required: false •Default value: true |
Properties for the "gzip" section: |
|
compress_level |
Compression level (1-9, 1=low, 9=high). •Type: UInt •Required: false •Default value: "1" |
enabled |
Compress web pages sent back by the server. •Type: Boolean •Required: false •Default value: false |
etag_rewrite |
How the ETag header should be manipulated when compressing content. •Type: Enum(String) •Required: false •Default value: "wrap" •Permitted values: "delete": Delete the ETag header "ignore": Leave the ETag unchanged "weaken": Change the ETag header to specify a weak match "wrap": Wrap the ETag, and attempt to unwrap safe conditional requests |
include_mime |
MIME types to compress. Complete MIME types can be used, or a type can end in a '*' to match multiple types. •Type: Set(String) •Required: false •Default value: "text/html text/plain" |
max_size |
Maximum document size to compress (0 means unlimited). •Type: UInt •Required: false •Default value: "10000000" |
min_size |
Minimum document size to compress. •Type: UInt •Required: false •Default value: "1000" |
no_size |
Compress documents with no given size. •Type: Boolean •Required: false •Default value: true |
Properties for the "http" section: |
|
add_cluster_ip |
Whether or not the virtual server should add an "X-Cluster-Client-Ip" header to the request that contains the remote client's IP address. •Type: Boolean •Required: false •Default value: true |
add_x_forwarded_for |
Whether or not the virtual server should append the remote client's IP address to the X-Forwarded-For header. If the header does not exist, it will be added. •Type: Boolean •Required: false •Default value: false |
add_x_forwarded_proto |
Whether or not the virtual server should add an "X-Forwarded-Proto" header to the request that contains the original protocol used by the client to connect to the traffic manager. •Type: Boolean •Required: false •Default value: false |
autodetect_upgrade_headers |
Whether the traffic manager should check for HTTP responses that confirm an HTTP connection is transitioning to the WebSockets protocol. If such a response is detected, the traffic manager will cease any protocol-specific processing on the connection and just pass incoming data to the client/server as appropriate. •Type: Boolean •Required: false •Default value: true |
chunk_overhead_forwarding |
Handling of HTTP chunk overhead. When vTM receives data from a server or client that consists purely of protocol overhead (contains no payload), forwarding of such segments is delayed until useful payload data arrives (setting "lazy"). Changing this key to "eager" will make vTM incur the overhead of immediately passing such data on; it should only be used with HTTP peers whose chunk handling requires it. •Type: Enum(String) •Required: false •Default value: "lazy" •Permitted values: "eager": Forward all data, even when no new payload information is available. "lazy": Only forward segments when useful payload data is available. |
location_regex |
If the 'Location' header matches this regular expression, rewrite the header using the 'location_replace' pattern. •Type: String •Required: false •Default value: <none> |
location_replace |
If the 'Location' header matches the 'location_regex' regular expression, rewrite the header with this pattern (parameters such as $1-$9 can be used to match parts of the regular expression): •Type: String •Required: false •Default value: <none> |
location_rewrite |
The action the virtual server should take if the "Location" header does not match the location_regex regular expression. •Type: Enum(UInt) •Required: false •Default value: "if_host_matches" •Permitted values: "always": Rewrite the hostname to the request's "Host" header, and rewrite the protocol and port if necessary; "if_host_matches": Do not rewrite the hostname. Rewrite the protocol and port if the hostname matches the request's "Host" header. "never": Nothing; |
mime_default |
Auto-correct MIME types if the server sends the "default" MIME type for files. •Type: String •Required: false •Default value: "text/plain" |
mime_detect |
Auto-detect MIME types if the server does not provide them. •Type: Boolean •Required: false •Default value: false |
strip_x_forwarded_proto |
Whether or not the virtual server should strip the 'X-Forwarded-Proto' header from incoming requests. •Type: Boolean •Required: false •Default value: true |
Properties for the "http2" section: |
|
connect_timeout |
The time, in seconds, to wait for a request on a new HTTP/2 connection. If no request is received within this time, the connection will be closed. This setting overrides the connect_timeout setting. If set to 0 (zero), the value of connect_timeout will be used instead. •Type: UInt •Required: false •Default value: <none> |
data_frame_size |
This setting controls the preferred frame size used when sending body data to the client. If the client specifies a smaller maximum size than this setting, the client's maximum size will be used. Every data frame sent has at least a 9-byte header, in addition to this frame size, prepended to it. •Type: UInt •Required: false •Default value: "4096" |
enabled |
This setting allows the HTTP/2 protocol to be used by a HTTP virtual server. Unless use of HTTP/2 is negotiated by the client, the virtual server will fall back to HTTP 1.x automatically. •Type: Boolean •Required: false •Default value: true |
header_table_size |
This setting controls the amount of memory allowed for header compression on each HTTP/2 connection. •Type: UInt •Required: false •Default value: "4096" |
headers_index_blacklist |
A list of header names that should never be compressed using indexing. •Type: Set(String) •Required: false •Default value: <none> |
headers_index_default |
The HTTP/2 HPACK compression scheme allows for HTTP headers to be compressed using indexing. Sensitive headers can be marked as "never index", which prevents them from being compressed using indexing. When this setting is Yes, only headers included in http2!headers_index_blacklist are marked as "never index". When this setting is No, all headers will be marked as "never index" unless they are included in http2!headers_index_whitelist. •Type: Boolean •Required: false •Default value: true |
headers_index_whitelist |
A list of header names that can be compressed using indexing when the value of http2!headers_index_default is set to No. •Type: Set(String) •Required: false •Default value: <none> |
headers_size_limit |
The maximum size, in bytes, of decompressed headers for an HTTP/2 request. If the limit is exceeded, the connection on which the request was sent will be dropped. A value of 0 disables the limit check. If a service protection class with http!max_header_length configured is associated with this service then that setting will take precedence. •Type: UInt •Required: false •Default value: "262144" |
http2_client_buffer_multiplier |
The amount of memory, in multiples of the value specified by max_client_buffer, that the virtual server should use to store data sent by a client through a HTTP/2 connection. The value specified can be between 0 and 200. The value of 0 means unlimited. This setting limits buffer size for a HTTP/2 connection and does not affect buffer size for HTTP/1 connections or TCP stream connections. The number of HTTP/2 streams that can be opened in a single HTTP/2 connection is given by the http2!max_concurrent_streams. An overall cap to the amount of memory allocated for buffers for all TCP connections is given by the global max_tcp_buff_mem setting. •Type: UInt •Required: false •Default value: <none> |
http2_server_buffer_multiplier |
The amount of memory, in multiples of the value specified by max_server_buffer, that the virtual server should use to store data sent to a client through a HTTP/2 connection. The value specified can be between 0 and 200. The value of 0 means unlimited. This setting limits buffer size for a HTTP/2 connection and does not affect buffer size for HTTP/1 connections or TCP stream connections. The number of HTTP/2 streams that can be opened in a single HTTP/2 connection is given by the http2!max_concurrent_streams. An overall cap to the amount of memory allocated for buffers for all TCP connections is given by the global max_tcp_buff_mem setting. •Type: UInt •Required: false •Default value: <none> |
idle_timeout_no_streams |
The time, in seconds, to wait for a new HTTP/2 request on a previously used HTTP/2 connection that has no open HTTP/2 streams. If an HTTP/2 request is not received within this time, the connection will be closed. A value of 0 (zero) will disable the timeout. •Type: UInt •Required: false •Default value: "120" |
idle_timeout_open_streams |
The time, in seconds, to wait for data on an idle HTTP/2 connection, which has open streams, when no data has been sent recently (e.g. for long-polled requests). If data is not sent within this time, all open streams and the HTTP/2 connection will be closed. A value of 0 (zero) will disable the timeout. •Type: UInt •Required: false •Default value: "600" |
max_concurrent_streams |
This setting controls the number of streams a client is permitted to open concurrently on a single connection. •Type: UInt •Required: false •Default value: "200" |
max_frame_size |
This setting controls the maximum HTTP/2 frame size clients are permitted to send to the traffic manager. •Type: UInt •Required: false •Default value: "16384" |
max_header_padding |
The maximum size, in bytes, of the random-length padding to add to HTTP/2 header frames. The padding is a random number of zero bytes, up to the maximum specified. •Type: UInt •Required: false •Default value: <none> |
merge_cookie_headers |
Whether Cookie headers received from an HTTP/2 client should be merged into a single Cookie header using RFC6265 rules before forwarding to an HTTP/1.1 server. Some web applications do not handle multiple Cookie headers correctly. •Type: Boolean •Required: false •Default value: true |
stream_window_size |
This setting controls the flow control window for each HTTP/2 stream. This will limit the memory used for buffering when the client is sending body data faster than the pool node is reading it. •Type: UInt •Required: false •Default value: "65535" |
Properties for the "kerberos_protocol_transition" section: |
|
enabled |
Whether or not the virtual server should use Kerberos Protocol Transition. •Type: Boolean •Required: false •Default value: false |
principal |
The Kerberos principal this virtual server should use to perform Kerberos Protocol Transition. •Type: String •Required: false •Default value: <none> |
target |
The Kerberos principal name of the service this virtual server targets. •Type: String •Required: false •Default value: <none> |
Properties for the "log" section: |
|
client_connection_failures |
Should the virtual server log failures occurring on connections to clients. •Type: Boolean •Required: false •Default value: false |
enabled |
Whether or not to log connections to the virtual server to a disk on the file system. •Type: Boolean •Required: false •Default value: false |
filename |
The name of the file in which to store the request logs. The filename can contain macros which will be expanded by the traffic manager to generate the full filename. •Type: String •Required: false •Default value: "%zeushome%/zxtm/log/%v.log" |
format |
The log file format. This specifies the line of text that will be written to the log file when a connection to the traffic manager is completed. Many parameters from the connection can be recorded using macros. •Type: String •Required: false •Default value: "%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"" |
save_all |
Whether to log all connections by default, or log no connections by default. Specific connections can be selected for addition to or exclusion from the log using the TrafficScript function requestlog.include(). •Type: Boolean •Required: false •Default value: true |
server_connection_failures |
Should the virtual server log failures occurring on connections to nodes. •Type: Boolean •Required: false •Default value: false |
session_persistence_verbose |
Should the virtual server log session persistence events. •Type: Boolean •Required: false •Default value: false |
ssl_failures |
Should the virtual server log failures occurring on SSL secure negotiation. •Type: Boolean •Required: false •Default value: false |
ssl_resumption_failures |
Should the virtual server log messages when attempts to resume SSL sessions (either from the session cache or a session ticket) fail. Note that failure to resume an SSL session does not result in the SSL connection being closed, but it does cause a full SSL handshake to take place. •Type: Boolean •Required: false •Default value: false |
Properties for the "recent_connections" section: |
|
enabled |
Whether or not connections handled by this virtual server should be shown on the Activity > Connections page. •Type: Boolean •Required: false •Default value: true |
save_all |
Whether or not all connections handled by this virtual server should be shown on the Connections page. Individual connections can be selectively shown on the Connections page using the recentconns.include() TrafficScript function. •Type: Boolean •Required: false •Default value: false |
Properties for the "request_tracing" section: |
|
enabled |
Record a trace of major connection processing events for each request and response. •Type: Boolean •Required: false •Default value: false |
trace_io |
Include details of individual I/O events in request and response traces. Requires request tracing to be enabled. •Type: Boolean •Required: false •Default value: false |
Properties for the "rtsp" section: |
|
streaming_port_range_high |
If non-zero this controls the upper bound of the port range to use for streaming data connections. •Type: UInt •Required: false •Default value: <none> |
streaming_port_range_low |
If non-zero this controls the lower bound of the port range to use for streaming data connections. •Type: UInt •Required: false •Default value: <none> |
streaming_timeout |
If non-zero, data streams associated with RTSP connections will time out if no data is transmitted for this many seconds. •Type: UInt •Required: false •Default value: "30" |
Properties for the "sip" section: |
|
dangerous_requests |
The action to take when a SIP request with body data arrives that should be routed to an external IP. •Type: Enum(String) •Required: false •Default value: "node" •Permitted values: "forbid": Send a 403 Forbidden response to the client "forward": Forward the request to its target URI (dangerous) "node": Send the request to a back-end node |
follow_route |
Whether the virtual server should follow routing information contained in SIP requests. If set to No, requests will be routed to the chosen back-end node regardless of their URI or Route header. •Type: Boolean •Required: false •Default value: true |
max_connection_mem |
SIP clients can have several pending requests at one time. To protect the traffic manager against DoS attacks, this setting limits the amount of memory each client can use. When the limit is reached new requests will be sent a 413 response. If the value is set to 0 (zero) the memory limit is disabled. •Type: UInt •Required: false •Default value: "65536" |
mode |
The mode that this SIP virtual server should operate in. •Type: Enum(String) •Required: false •Default value: "sip_gateway" •Permitted values: "full_gateway": All SIP requests and responses and all session data will pass through vTM. A port range to use for the session data and a timeout value for inactive data connections can be specified in the additional settings that are displayed when the Full Gateway mode is selected. "route": The first SIP request in a session will pass through vTM, along with its responses, but all future requests that are part of the same session will go directly to the back-end node that was chosen by the traffic manager. "sip_gateway": All SIP requests and responses will pass through the traffic manager. |
rewrite_uri |
Replace the Request-URI of SIP requests with the address of the selected back-end node. •Type: Boolean •Required: false •Default value: false |
streaming_port_range_high |
If non-zero this controls the upper bound of the port range to use for streaming data connections. •Type: UInt •Required: false •Default value: <none> |
streaming_port_range_low |
If non-zero, then this controls the lower bound of the port range to use for streaming data connections. •Type: UInt •Required: false •Default value: <none> |
streaming_timeout |
If non-zero a UDP stream will timeout when no data has been seen within this time. •Type: UInt •Required: false •Default value: "60" |
timeout_messages |
When timing out a SIP transaction, send a 'timed out' response to the client and, in the case of an INVITE transaction, a CANCEL request to the server. •Type: Boolean •Required: false •Default value: true |
transaction_timeout |
The virtual server should discard a SIP transaction when no further messages have been seen within this time. •Type: UInt •Required: false •Default value: "30" |
udp_associate_by_source |
Require that SIP datagrams which are part of the same transaction are received from the same address and port. •Type: Boolean •Required: false •Default value: true |
Properties for the "smtp" section: |
|
expect_starttls |
Whether or not the traffic manager should expect the connection to start off in plain text and then upgrade to SSL using STARTTLS when handling SMTP traffic. •Type: Boolean •Required: false •Default value: true |
Properties for the "ssl" section: |
|
add_http_headers |
Whether or not the virtual server should add HTTP headers to each request to show the SSL connection parameters. •Type: Boolean •Required: false •Default value: false |
ca_sites |
This is table 'ca_sites' •Type: Table •Required: false •Primary key: •host (String): The 'host' key gives the hostname or IP destination address used to match incoming TLS connections to keys of table 'ca_sites'. The host can be a specific DNS name for use with the SNI extension, a specific destination IP address when no SNI matches, or either of those with wildcard */? characters. (Required) •Sub keys: •cert_headers (Enum(String)): Which parts of the client certificate, if any, should be inserted into requests to a back-end node, as header fields. The same fields as for ssl_client_cert_headers are made available, and optionally the base64 encoded certificate itself. (Required) Permitted values: "all": Fields and PEM "none": None "simple": Fields •client_cas (Set(String)): The certificate authorities used to verify client certificates for a particular destination site IP or SNI hostname. The specific site replaces the * (asterisk) in the key name, the value must be a valid file name in the conf/ssl/cas directory. The key can be specified multiple times to cover multiple IP addresses or SNI hostnames. (Required) •request_cert (Enum(UInt)): Whether or not the virtual server should request an identifying certificate from each client connecting to particular destination IP address or SNI hostname. If a client certificate is requested this setting also determines whether the TLS handshake can continue successfully if the client does not present a certificate. (Required) Permitted values: "dont_request": No "request": Yes, allow if absent "require": Yes, deny if absent |
cipher_suites |
The SSL/TLS cipher suites to allow for connections to this virtual server. Leaving this empty will make the virtual server use the globally configured cipher suites, see configuration key ssl!cipher_suites in the Global Settings section of the System tab. See there for how to specify SSL/TLS cipher suites. •Type: String •Required: false •Default value: <none> |
client_cert_cas |
The certificate authorities that this virtual server should trust to validate client certificates. If no certificate authorities are selected, and client certificates are requested, then all client certificates will be accepted. •Type: Set(String) •Required: false •Default value: <none> |
client_cert_headers |
What HTTP headers the virtual server should add to each request to show the data in the client certificate. •Type: Enum(String) •Required: false •Default value: "none" •Permitted values: "all": Certificate fields and certificate text "none": No data "simple": Certificate fields |
elliptic_curves |
The SSL elliptic curve preference list for SSL connections to this virtual server using TLS version 1.0 or higher. Leaving this empty will make the virtual server use the globally configured curve preference list. The named curves P256, P384 and P521 may be configured. •Type: List(String) •Required: false •Default value: <none> |
honor_fallback_scsv |
Whether or not the Fallback SCSV sent by TLS clients is honored by this virtual server. Choosing the global setting means the value of configuration key ssl!honor_fallback_scsv from the Global Settings section of the System tab will be enforced. •Type: Enum(String) •Required: false •Default value: "use_default" •Permitted values: "disabled": Disable Fallback SCSV "enabled": Enable Fallback SCSV "use_default": Use the global setting for Fallback SCSV |
issued_certs_never_expire |
When the virtual server verifies certificates signed by these certificate authorities, it doesn't check the 'not after' date, i.e., they are considered valid even after their expiration date has passed (but not if they have been revoked). •Type: Set(String) •Required: false •Default value: <none> |
issued_certs_never_expire_depth |
This setting gives the number of certificates in a certificate chain beyond those listed as issued_certs_never_expire whose certificate expiry will not be checked. For example "0" will result in the expiry checks being made for certificates issued by issued_certs_never_expire certificates, "1" will result in no expiry checks being performed for the certificates directly issued by issued_certs_never_expire certificates, "2" will avoid checking expiry for certificates issued by certificates issued by the issued_certs_never_expire certificates as well, and so on. •Type: UInt •Required: false •Default value: "1" |
ocsp_enable |
Whether or not the traffic manager should use OCSP to check the revocation status of client certificates. •Type: Boolean •Required: false •Default value: false |
ocsp_issuers |
A table of certificate issuer specific OCSP settings. •Type: Table •Required: false •Primary key: •issuer (String): The name of an issuer (or DEFAULT for default OCSP settings). (Required) •Sub keys: •aia (Boolean): Whether the traffic manager should use AIA information contained in a client certificate to determine which OCSP responder to contact. •nonce (Enum(String)): How to use the OCSP nonce extension, which protects against OCSP replay attacks. Some OCSP servers do not support nonces. Permitted values: "off": No nonce check "on": Use nonce, server does not have to reply with nonce "strict": Use nonce, server must reply with nonce •required (Enum(String)): Whether we should do an OCSP check for this issuer, and whether it is required or optional. Permitted values: "none": None "optional": OCSP check optional "strict": OCSP check required •responder_cert (String): The expected responder certificate. •signer (String): The certificate with which to sign the request, if any. •url (String): Which OCSP responders this virtual server should use to verify client certificates. |
ocsp_max_response_age |
The number of seconds for which an OCSP response is considered valid if it has not yet exceeded the time specified in the 'nextUpdate' field. If set to 0 (zero) then OCSP responses are considered valid until the time specified in their 'nextUpdate' field. •Type: UInt •Required: false •Default value: <none> |
ocsp_stapling |
If OCSP URIs are present in certificates used by this virtual server, then enabling this option will allow the traffic manager to provide OCSP responses for these certificates as part of the handshake, if the client sends a TLS status_request extension in the ClientHello. •Type: Boolean •Required: false •Default value: false |
ocsp_time_tolerance |
The number of seconds outside the permitted range for which the 'thisUpdate' and 'nextUpdate' fields of an OCSP response are still considered valid. •Type: UInt •Required: false •Default value: "30" |
ocsp_timeout |
The number of seconds after which OCSP requests will be timed out. •Type: UInt •Required: false •Default value: "10" |
request_client_cert |
Whether or not the virtual server should request an identifying SSL certificate from each client. •Type: Enum(UInt) •Required: false •Default value: "dont_request" •Permitted values: "dont_request": Do not request a client certificate "request": Request, but do not require a client certificate "require": Require a client certificate |
send_close_alerts |
Whether or not to send an SSL/TLS "close alert" when the traffic manager is initiating an SSL socket disconnection. •Type: Boolean •Required: false •Default value: true |
server_cert_alt_certificates |
The SSL certificates and corresponding private keys. •Type: List(String) •Required: false •Default value: <none> |
server_cert_default |
The default SSL certificate to use for this virtual server. •Type: String •Required: false •Default value: <none> |
server_cert_host_mapping |
Host specific SSL server certificate mappings. •Type: Table •Required: false •Primary key: •host (String): Host which this entry refers to. (Required) •Sub keys: •certificate (String): The SSL server certificate for a particular destination site IP. (Required) •alt_certificates (List(String)): The SSL server certificates for a particular destination site IP. |
session_cache_enabled |
Whether or not use of the session cache is enabled for this virtual server. Choosing the global setting means the value of configuration key ssl!session_cache_enabled from the Global Settings section of the System tab will be enforced. •Type: Enum(String) •Required: false •Default value: "use_default" •Permitted values: "disabled": Disable use of the session cache "enabled": Enable use of the session cache "use_default": Use the global setting for use of the session cache |
session_tickets_enabled |
Whether or not use of session tickets is enabled for this virtual server. Choosing the global setting means the value of configuration key ssl!tickets!enabled from the Global Settings section of the System tab will be enforced. •Type: Enum(String) •Required: false •Default value: "use_default" •Permitted values: "disabled": Disable use of the session tickets "enabled": Enable use of the session tickets "use_default": Use the global setting for use of session tickets |
signature_algorithms |
The SSL signature algorithms preference list for SSL connections to this virtual server using TLS version 1.2 or higher. Leaving this empty will make the virtual server use the globally configured preference list, signature_algorithms in the ssl section of the global_settings resource. See there and in the online help for how to specify SSL signature algorithms. •Type: String •Required: false •Default value: <none> |
support_ssl3 |
Whether or not SSLv3 is enabled for this virtual server. Choosing the global setting means the value of configuration key ssl!support_ssl3 from the Global Settings section of the System tab will be enforced. •Type: Enum(String) •Required: false •Default value: "use_default" •Permitted values: "disabled": Disable SSLv3 "enabled": Enable SSLv3 "use_default": Use the global setting for SSLv3 |
support_tls1 |
Whether or not TLSv1.0 is enabled for this virtual server. Choosing the global setting means the value of configuration key ssl!support_tls1 from the Global Settings section of the System tab will be enforced. •Type: Enum(String) •Required: false •Default value: "use_default" •Permitted values: "disabled": Disable TLSv1.0 "enabled": Enable TLSv1.0 "use_default": Use the global setting for TLSv1.0 |
support_tls1_1 |
Whether or not TLSv1.1 is enabled for this virtual server. Choosing the global setting means the value of configuration key ssl!support_tls1_1 from the Global Settings section of the System tab will be enforced. •Type: Enum(String) •Required: false •Default value: "use_default" •Permitted values: "disabled": Disable TLSv1.1 "enabled": Enable TLSv1.1 "use_default": Use the global setting for TLSv1.1 |
support_tls1_2 |
Whether or not TLSv1.2 is enabled for this virtual server. Choosing the global setting means the value of configuration key ssl!support_tls1_2 from the Global Settings section of the System tab will be enforced. •Type: Enum(String) •Required: false •Default value: "use_default" •Permitted values: "disabled": Disable TLSv1.2 "enabled": Enable TLSv1.2 "use_default": Use the global setting for TLSv1.2 |
support_tls1_3 |
Whether or not TLSv1.3 is enabled for this virtual server. Choosing the global setting means the value of configuration key ssl!support_tls1_3 from the Global Settings section of the System tab will be enforced. •Type: Enum(String) •Required: false •Default value: "use_default" •Permitted values: "disabled": Disable TLSv1.3 "enabled": Enable TLSv1.3 "use_default": Use the global setting for TLSv1.3 |
trust_magic |
If the traffic manager is receiving traffic sent from another traffic manager, then enabling this option will allow it to decode extra information on the true origin of the SSL connection. This information is supplied by the first traffic manager. •Type: Boolean •Required: false •Default value: false |
Properties for the "syslog" section: |
|
enabled |
Whether or not to log connections to the virtual server to a remote syslog host. •Type: Boolean •Required: false •Default value: false |
format |
The log format for the remote syslog. This specifies the line of text that will be sent to the remote syslog when a connection to the traffic manager is completed. Many parameters from the connection can be recorded using macros. •Type: String •Required: false •Default value: "%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"" |
ip_end_point |
The remote host and port (default is 514) to send request log lines to. •Type: String •Required: false •Default value: <none> |
msg_len_limit |
Maximum length in bytes of a message sent to the remote syslog. Messages longer than this will be truncated before they are sent. •Type: UInt •Required: false •Default value: "2048" |
Properties for the "tcp" section: |
|
close_with_rst |
Whether or not connections from clients should be closed with a RST packet, rather than a FIN packet. This avoids the TIME_WAIT state, which on rare occasions allows wandering duplicate packets to be safely ignored. •Type: Boolean •Required: false •Default value: false |
nagle |
Whether or not Nagle's algorithm should be used for TCP connections. •Type: Boolean •Required: false •Default value: false |
proxy_close |
If set to Yes the traffic manager will send the client FIN to the back-end server and wait for a server response instead of closing the connection immediately. This is only necessary for protocols that require half-close support to function correctly, such as "rsh". If the traffic manager is responding to the request itself, setting this key to Yes will cause the traffic manager to continue writing the response even after it has received a FIN from the client. •Type: Boolean •Required: false •Default value: false |
Properties for the "transaction_export" section: |
|
brief |
Whether to export a restricted set of metadata about transactions processed by this virtual server. If enabled, more verbose information such as client and server headers and request tracing events will be omitted from the exported data. •Type: Boolean •Required: false •Default value: false |
enabled |
Export metadata about transactions handled by this service to the globally configured endpoint. Data will be exported only if the global transaction_export!enabled setting is enabled. •Type: Boolean •Required: false •Default value: true |
hi_res |
Whether the transaction processing timeline included in the metadata export is recorded with a high, microsecond, resolution. If set to No, timestamps will be recorded with a resolution of milliseconds. •Type: Boolean •Required: false •Default value: false |
http_header_blacklist |
The set of HTTP header names for which corresponding values should be redacted from the metadata exported by this virtual server. •Type: Set(String) •Required: false •Default value: "Authorization" |
Properties for the "udp" section: |
|
end_point_persistence |
Whether UDP datagrams received from the same IP address and port are sent to the same pool node if they match an existing UDP session. Sessions are defined by the protocol being handled, for example SIP datagrams are grouped based on the value of the Call-ID header. •Type: Boolean •Required: false •Default value: true |
port_smp |
Whether or not UDP datagrams should be distributed across all traffic manager processes, if this behaviour is not normally selected automatically due to other settings. •Type: Boolean •Required: false •Default value: false |
rbuff_size |
If this setting is non-zero, the virtual server will set the socket receive buffer size to this number of bytes. If set, this will override the so_rbuff_size setting. An OS-specified limit on socket buffer sizes such as given by sysctl net.core.rmem_max can be exceeded using this setting. •Type: UInt •Required: false •Default value: <none> |
response_datagrams_expected |
The virtual server should discard any UDP connection and reclaim resources when the node has responded with this number of datagrams. For simple request/response protocols this can be often set to 1. If set to -1, the connection will not be discarded until the timeout is reached. •Type: Int •Required: false •Default value: "1" |
smp_mode |
Whether the traffic manager should try to use SO_REUSEPORT for distributing incoming UDP datagrams across multiple processes (if kernel support is detected) or whether the legacy (pre-20.2) multi-processing mode should be used. •Type: Enum(String) •Required: false •Default value: "auto" •Permitted values: "auto": auto "legacy": legacy |
timeout |
The virtual server should discard any UDP connection and reclaim resources when no further UDP traffic has been seen within this time. •Type: UInt •Required: false •Default value: "7" |
wbuff_size |
If this setting is non-zero, the virtual server will set the socket send buffer size to this number of bytes. If set, this will override the so_wbuff_size setting. An OS-specified limit on socket buffer sizes such as given by sysctl net.core.wmem_max can be exceeded using this setting. •Type: UInt •Required: false •Default value: <none> |
Properties for the "web_cache" section: |
|
control_out |
The "Cache-Control" header to add to every cached HTTP response, no-cache or max-age=600 for example. •Type: String •Required: false •Default value: <none> |
enabled |
If set to Yes the traffic manager will attempt to cache web server responses. •Type: Boolean •Required: false •Default value: false |
error_page_time |
Time period to cache error pages for. •Type: UInt •Required: false •Default value: "30" |
max_time |
Maximum time period to cache web pages for. •Type: UInt •Required: false •Default value: "600" |
refresh_time |
If a cached page is about to expire within this time, the traffic manager will start to forward some new requests on to the web servers. A maximum of one request per second will be forwarded; the remainder will continue to be served from the cache. This prevents "bursts" of traffic to your web servers when an item expires from the cache. Setting this value to 0 will stop the traffic manager updating the cache before it expires. •Type: UInt •Required: false •Default value: "2" |
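The following added example (not vendor code) audits the "ssl", "sip" and "transaction_export" sections of a virtual server against the property semantics and default values documented above. The `{"properties": {...}}` wrapper, the list-of-rows form of the `ocsp_issuers` table and the `global_ssl` argument carrying resolved global `ssl!support_*` values are assumptions; the sample configuration is constructed.

```python
# Added example. Property names, defaults and permitted values come from the
# table above; the JSON wrapper and the global_ssl argument are assumptions.
LEGACY_PROTOCOLS = {"support_ssl3": "SSLv3", "support_tls1": "TLSv1.0",
                    "support_tls1_1": "TLSv1.1"}

# Constructed sample input, not taken from a real deployment.
SAMPLE = {"properties": {
    "ssl": {"request_client_cert": "require", "client_cert_cas": [],
            "support_ssl3": "use_default", "support_tls1": "enabled",
            "support_tls1_1": "disabled", "ocsp_enable": False},
    "sip": {"dangerous_requests": "forward"},
    "transaction_export": {"http_header_blacklist": ["Cookie"]},
}}


def audit_virtual_server(config, global_ssl=None):
    """Return sorted 'section.property: finding' strings for one virtual server."""
    props = config.get("properties", config)
    ssl = props.get("ssl", {})
    sip = props.get("sip", {})
    export = props.get("transaction_export", {})
    global_ssl = global_ssl or {}
    findings = []

    # Legacy protocols: "use_default" defers to the global ssl!support_* key.
    for key, name in LEGACY_PROTOCOLS.items():
        value = ssl.get(key, "use_default")
        if value == "use_default":
            if key not in global_ssl:
                findings.append(f"ssl.{key}: inherits global setting, value not supplied")
                continue
            value = "enabled" if global_ssl[key] else "disabled"
        if value == "enabled":
            findings.append(f"ssl.{key}: {name} is enabled")

    # Client certificate validation only matters when certificates are requested.
    if ssl.get("request_client_cert", "dont_request") != "dont_request":
        if not ssl.get("client_cert_cas"):
            findings.append("ssl.client_cert_cas: empty, all client certificates are accepted")
        if not ssl.get("ocsp_enable", False):
            findings.append("ssl.ocsp_enable: false, revocation is not checked with OCSP")
        else:
            for row in ssl.get("ocsp_issuers", []):
                if row.get("required") in ("none", "optional"):
                    findings.append(f"ssl.ocsp_issuers[{row.get('issuer')}]: check is not strict")
    if ssl.get("issued_certs_never_expire"):
        depth = ssl.get("issued_certs_never_expire_depth", 1)
        findings.append(f"ssl.issued_certs_never_expire: expiry checks relaxed (depth={depth})")
    if ssl.get("trust_magic", False):
        findings.append("ssl.trust_magic: true, origin data from the sender is trusted")

    # "forward" is the value the reference itself marks as dangerous.
    if sip.get("dangerous_requests", "node") == "forward":
        findings.append("sip.dangerous_requests: forward, requests go to their target URI")

    # Full export includes headers; the default redaction list is "Authorization".
    if export.get("enabled", True) and not export.get("brief", False):
        redacted = {h.lower() for h in export.get("http_header_blacklist", ["Authorization"])}
        if "authorization" not in redacted:
            findings.append("transaction_export.http_header_blacklist: Authorization not redacted")
    return sorted(findings)


if __name__ == "__main__":
    for line in audit_virtual_server(SAMPLE, {"support_ssl3": False}):
        print(line)
```

Missing keys are evaluated with their documented defaults, so an empty configuration yields findings only for the protocol settings that inherit an unknown global value.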
Web Accelerator Profile
URI Endpoint: /api/tm/8.3/config/active/aptimizer/profiles
A Web Accelerator profile can be applied to an HTTP virtual server to enable automatic web content optimization.
Property |
Description |
background_after |
If Web Accelerator can finish optimizing the resource within this time limit then serve the optimized content to the client, otherwise complete the optimization in the background and return the original content to the client. If set to 0, Web Accelerator will always wait for the optimization to complete before sending a response to the client. •Type: UInt •Required: false •Default value: <none> |
background_on_additional_resources |
If a web page contains resources that have not yet been optimized, fetch and optimize those resources in the background and send a partially optimized web page to clients until all resources on that page are ready. •Type: Boolean •Required: false •Default value: false |
mode |
Set the Web Accelerator mode to turn acceleration on or off. •Type: Enum(String) •Required: false •Default value: "active" •Permitted values: "active": On - Web Accelerator acceleration is enabled "idle": Off - Acceleration is disabled, but requests for Web Accelerator resources are served "stealth": Stealth - Acceleration is controlled by a cookie |
show_info_bar |
Show the Web Accelerator information bar on optimized web pages. This requires HTML optimization to be enabled in the acceleration settings. •Type: Boolean •Required: false •Default value: false |