
Performance by Design

AX Series Advanced Traffic Manager

aFleX Scripting Language Reference


Document No.: D-030-01-00-0007 aFleX Engine Ver. 2.0 6/21/2010

Headquarters
A10 Networks, Inc.
2309 Bering Dr.
San Jose, CA 95131-1125 USA
Tel: +1-408-325-8668 (main)
Tel: +1-408-325-8676 (support - worldwide)
Tel: +1-888-822-7210 (support - toll-free in USA)
Fax: +1-408-325-8666
www.a10networks.com

A10 Networks, Inc. 6/21/2010 - All Rights Reserved

Information in this document is subject to change without notice.

Trademarks: A10 Networks, the A10 logo, ACOS, aFleX, aXAPI, IDaccess, IDsentrie, IP-to-ID, SoftAX, Virtual Chassis, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners.

Patents Protection: A10 Networks products including all AX Series products are protected by one or more of the following US patents and patents pending: 7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789, 20070283429, 20070271598, 20070180101

A10 Networks Inc. software license and end users agreement

Software for all AX Series products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software as confidential information. Anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not:
1) reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means
2) sublicense, rent or lease the Software.

Disclaimer

The information presented in this document describes the specific products noted and does not imply nor grant a guarantee of any technical performance nor does it provide cause for any eventual claims resulting from the use or misuse of the products described herein or errors and/or omissions. A10 Networks, Inc. reserves the right to make technical and other changes to their products and documents at any time and without prior notification. No warranty is expressed or implied; including and not limited to warranties of noninfringement, regarding programs, circuitry, descriptions and illustrations herein.

Environmental Considerations

Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.

Further Information

For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks, Inc. location which can be found by visiting www.a10networks.com.

AX Series - aFleX Scripting Language - Reference


About This Document

Obtaining Technical Assistance


For all customers, partners, resellers, and distributors who hold valid A10 Networks Regular and Technical Support service contracts, the A10 Networks Technical Assistance Center provides support services online and over the phone.

Corporate Headquarters
A10 Networks, Inc.
2309 Bering Dr.
San Jose, CA 95131-1125 USA
Tel: +1-408-325-8668 (main)
Tel: +1-888-822-7210 (support toll-free in USA)
Tel: +1-408-325-8676 (support direct dial)
Fax: +1-408-325-8666
www.a10networks.com

Collecting System Information


The AX device provides a simple method to collect configuration and status information for Technical Support to use when diagnosing system issues. To collect system information, use either of the following methods.

USING THE GUI (RECOMMENDED)


1. Log into the GUI.
2. Select Monitor > System > Logging.
3. On the menu bar, click Show Tech.
4. Click Export. The File Download dialog appears.
5. Click Save. The Save As dialog appears.
6. Navigate to the location where you want to save the file, and click Save.
7. Email the file as an attachment to support@A10Networks.com.


USING THE CLI


1. Log into the CLI.
2. Enable logging in your terminal emulation application, to capture output generated by the CLI.
3. Enter the enable command to access the Privileged EXEC mode of the CLI. Enter your enable password at the Password prompt.
4. Enter the show techsupport command.
5. After the command output finishes, save the output in a file.
6. Email the file as an attachment to support@A10Networks.com.

Note: As an alternative to saving the output in a log file captured by your terminal emulation application, you can export the output from the CLI using the following command:

    show techsupport export [use-mgmt-port] url

(For syntax information, see the AX Series CLI Reference.)

Additional Information Required


In addition to the AX device information gathered using the procedures above, please also provide the following information:
- Windows platform (XP/Vista/Windows)
- Service pack level
- Problem description
- Copy of the aFleX script (if applicable)


About This Document


This document describes the aFleX inline scripting engine and aFleX Policy Editor, used with the A10 Networks AX Series Advanced Traffic Manager.

Note: The commands and options described in this edition are supported with AX Release 2.4.3 or later.

Additional information is available for AX Series systems in the following documents. These documents are included on the documentation CD shipped with your AX Series system, and also are available on the A10 Networks support site:
- AX Series Installation Guide
- AX Series Configuration Guide
- AX Series GUI Reference
- AX Series CLI Reference
- AX Series MIB Reference
- AX Series aXAPI Reference

System Description - The AX Series


FIGURE 1 The AX Series Advanced Traffic Manager

The AX Series is the industry's best performing application acceleration switch that helps organizations scale and maximize application availability through the world's most advanced application delivery platform. The AX Series Advanced Core Operating System (ACOS) accelerates and secures critical business applications, provides the highest performance and reliability, and establishes a new industry-leading price/performance.

For more detailed information, see Introduction on page 13.

Audience
This document is intended for use by system administrators for provision and maintenance of the A10 Networks AX Series; specifically for reference in authoring and implementing aFleX policy scripts and using aFleX Policy Editor.


Contents

Obtaining Technical Assistance
  Collecting System Information
  Additional Information Required

About This Document
  System Description - The AX Series
  Audience

aFleX Basics
  Overview
    Advantages of Using aFleX Policies
    Example: a Simple aFleX Script
    aFleX Policy Editor
    aFleX Configuration Prerequisites
    aFleX Processing Order
    When aFleX Policy Changes Take Effect
    Maximum Filesize of aFleX Scripts
  aFleX Syntax
    Tcl Symbols
    Disabled Tcl Commands
    aFleX Context - Clientside or Serverside
  aFleX Script Components
    aFleX Events
    aFleX Operators
    aFleX Commands
      Examples
    Command Summary by Type

aFleX Policy Editor
  Overview
    aFleX Policy Editor
    Scripting Functions
    Installing and Starting aFleX Policy Editor
    aFleX Policy Editor Features
  Editing aFleX Scripts - Getting Started
    Create an aFleX Script
      aFleX Templates
    Connect to an AX Device - aFleX File Transfer
    View aFleX Scripts
  Menu Functions
    Overview
    File Functions
      Connect AX / Disconnect AX
      New aFleX
      Upload
      Download
      Delete Rule
      Save
      Import
      Export
      Rename
      Reset
      Exit
    Edit Menu Functions
      Undo / Redo
      Cut / Copy / Paste / Delete
      Select All
    Search Menu Functions
      Find / Find Next / Find Previous
      Replace
      Go to Line
    View Menu Functions
      View Line Number
      View Indention Guides
      View Margin
      View Fold Margin
      View Word Wrap
      View White Space
      View End of Line
      View Book Marks
      View Status Bar
      View Output Window
    Options Menu Functions
      Font
      Set Line Number Color
      Set Comment Color
      Set Text Color
      Set Keyword Color
      Set Background Color
      My Last Setting
  Help Menu Functions
    About aFleX Editor
  Other aFleX Policy Editor Functions
    Drag and Drop File Function
    Status Window

Importing and Binding aFleX Scripts
  Using the CLI
  Using the GUI

aFleX Policy Examples
  Simple aFleX Policy
  Redirecting HTTP Requests
  Data Persistence

Command Reference
  Events
    Global Events
      RULE_INIT
    HTTP Events
      HTTP_REQUEST
      HTTP_REQUEST_DATA
      HTTP_REQUEST_SEND
      HTTP_RESPONSE
      HTTP_RESPONSE_CONTINUE
      HTTP_RESPONSE_DATA
    IP, TCP, and UDP Events
      CLIENT_ACCEPTED
      CLIENT_CLOSED
      CLIENT_DATA
      LB_FAILED
      LB_SELECTED
      SERVER_CLOSED
      SERVER_CONNECTED
      SERVER_DATA
    SSL Events
      CLIENTSSL_CLIENTCERT
      CLIENT_HANDSHAKE
  Operators
    Relational Operators
      contains
      ends_with
      equals
      matches
      matches_regex
      starts_with
      switch
    Logical Operators
      and
      not
      or
  Commands
    GLOBAL Commands
      active_members
      b64decode
      b64encode
      clientside
      client_addr
      client_port
      cpu
      detach
      discard
      dnat
      domain
      drop
      encoding
      event
      findstr
      getfield
      htonl
      htons
      http_cookie
      http_header
      http_host
      http_method
      http_uri
      http_version
      ip_protocol
      ip_tos
      local_addr
      log
      md5
      node
      ntohl
      ntohs
      persist
      pool
      redirect
      reject
      remote_addr
      serverside
      server_addr
      server_port
      session
      set encode
      sha1
      snatpool
      substr
      virtual
      when
    LB Commands
      LB::down
      LB::reselect
      LB::status node
      LB::status pool
    HTTP Commands
      HTTP::close
      HTTP::collect
      HTTP::cookie
      HTTP::fallback
      HTTP::header
      HTTP::host
      HTTP::is_keepalive
      HTTP::is_redirect
      HTTP::method
      HTTP::path
      HTTP::payload
      HTTP::query
      HTTP::redirect
      HTTP::release
      HTTP::request
      HTTP::request_num
      HTTP::respond
      HTTP::retry
      HTTP::status

  HTTP::uri
  HTTP::version
IP Commands
  IP::addr
  IP::client_addr
  IP::local_addr
  IP::protocol
  IP::remote_addr
  IP::server_addr
  IP::stats
  IP::tos
  IP::ttl
  IP::version
SIP Commands
  SIP::call_id
  SIP::from
  SIP::header
  SIP::header insert
  SIP::method
  SIP::respond
  SIP::response
  SIP::to
  SIP::uri
  SIP::via
  SIP Command Examples
Policy-Based SLB Commands
  POLICY::bwlist id
SSL and X509 Commands
  SSL::cert
  SSL::cert count
  SSL::cert issuer
  SSL::cert mode
  SSL::sessionid
  SSL::verify_result
  X509::issuer
  X509::not_valid_after
  X509::not_valid_before
  X509::serial_number
  X509::subject
  X509::verify_cert_error_string
  X509::version


STATS Commands
  STATS::clear
  STATS::get
TCP Commands
  TCP::client_port
  TCP::close
  TCP::collect
  TCP::local_port
  TCP::mss
  TCP::offset
  TCP::payload
  TCP::release
  TCP::remote_port
  TCP::server_port
TIME Commands
  TIME::clock
  use
UDP Commands
  UDP::client_port
  UDP::local_port
  UDP::mss
  UDP::payload
  UDP::remote_port
  UDP::server_port



aFleX Basics - Overview

aFleX Basics
Overview
The aFleX scripting language is a powerful inline custom scripting engine that provides in-depth, granular control of inspection and redirection policies (filter, drop, redirect). The aFleX scripting language is based on the Tool Command Language (Tcl) programming standard for simplicity and familiarity.

For an aFleX policy to work, it must be bound to a virtual port on the AX device. Then the aFleX policy can make policy decisions by inspecting the payload packets from all traffic going through the virtual port.

FIGURE 2 aFleX overview


Advantages of Using aFleX Policies


• aFleX policies allow you to exercise more granular control of packet inspection and traffic load balancing.
• aFleX policies can redirect traffic to a group of servers bound to a virtual port, to one specific server in a pool (service group), or to individual ports and URIs on a specific pool member (server).
• aFleX policies provide complete flexibility, supporting both simple and sophisticated content-switching needs.
• aFleX policies can search packet headers or even the actual packet content, and direct packets based on the search results.
• aFleX policies can maintain persistence.
• Tcl scripts created using leading competitors' scripting engines often can be easily converted into aFleX scripts, providing backwards compatibility for customized solutions.

Example: a Simple aFleX Script


    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
            pool my_pool
        }
    }

aFleX Policy Editor


The aFleX Policy Editor makes it easy to write an aFleX script (see "aFleX Policy Editor" on page 39). You also can create aFleX scripts using the AX GUI or a third-party text editor.

Note: To create an aFleX script in a non-English language (for example, Japanese), save the script in Unicode UTF-8 format. You can use the AX GUI or another editor to create the aFleX file. If you plan to create aFleX scripts in the AX GUI, set the language in the GUI as Unicode (UTF-8). To set the language in the GUI to UTF-8, configure the browser so that you can view UTF-8 encoding. In Internet Explorer, select View > Encoding > Unicode.

The A10 aFleX Policy Editor does not support UTF-8 format in the current release. Use the AX GUI or a third-party editor instead.


aFleX Configuration Prerequisites


• For an aFleX policy to take effect, you must bind it to a virtual port on the AX device.
• The virtual port must be processing the application type that the Event Declaration in the aFleX policy is triggering on. Example: If the aFleX policy includes an event declaration for HTTP_REQUEST, then the policy can only bind to a virtual port that can process HTTP traffic. In other words, the virtual port's service type must be fast-http or http.
• If no aFleX policy is assigned to the virtual port, the AX device will continue to redirect traffic to the default server pool (SLB service group) assigned to the virtual port.
• Once an aFleX policy is bound to a virtual port, the policy is triggered whenever the AX device encounters the Event Declaration. Example: If an aFleX policy includes the event declaration CLIENT_ACCEPTED, then the policy is triggered whenever the AX device accepts a client request.

Note: For virtual port type fast-HTTP, aFleX commands that change the HTTP header or payload are not supported.

aFleX Processing Order


Only one aFleX policy can be assigned to a virtual port. aFleX policies have higher priority than most templates, except cookie persistence templates. Here is the complete processing order:

1. Layer 4 server selection
2. Layer 7 server selection - Cookie persistence template
3. Layer 7 server selection - aFleX policy
4. Layer 7 server selection - Other templates
5. Layer 7 server selection - Service group



Example: A virtual port is bound to an aFleX policy and two application templates, a URL switching template and a cookie persistence template. Both the URL switching template and the aFleX policy are applicable to a client's traffic. The URL switching template chooses server "server10", but the aFleX policy chooses another server, "server20". Since the aFleX policy has higher priority, the traffic is directed to server20. However, if the cookie persistence template selects "server30", the traffic ultimately will be directed to server30.

When aFleX Policy Changes Take Effect


aFleX policy changes do not affect traffic that is already active on a virtual port. For example, if you bind an aFleX policy to a virtual port on which some traffic sessions are already active, the aFleX policy does not affect those sessions. The aFleX policy only affects sessions that begin after the aFleX policy is applied to the virtual port. Likewise, if you change an aFleX policy that is already bound to a virtual port, the changes do not apply to sessions that are active when you change the policy. The active sessions are still processed using the aFleX policy as it was before the changes. The policy changes apply only to sessions that begin after the policy changes are saved.

Maximum Filesize of aFleX Scripts


By default, the maximum filesize supported on an AX device for an aFleX script is 32 Kbytes. On the AX device, you can change the maximum script size to 16-256 Kbytes. To change the maximum aFleX file size, use the following command at the global configuration level of the CLI:

    [no] aflex max-filesize KBytes



aFleX Basics - aFleX Syntax

aFleX Syntax
An aFleX script is a Tcl-like script.

Tcl Symbols
The Tcl symbols listed in Table 1 have special meanings.

TABLE 1 Tcl Symbols Supported in aFleX Policies

Delimiter   Description
$           Variable substitution. Example: $argv0 could be replaced by /usr/bin/somescript.tcl
[ ]         Subcommand substitution. Example: [pwd] could be replaced by /home/joe
" "         Word grouping with substitutions. Example: "you are $user" is one word. Substitution still occurs.
{ }         Word grouping without substitutions. Example: {you are $user} is one word. $user is not replaced.
\           Backslash substitution/escape or statement continuation. By default, a statement ends with the end of the line.
#           Comment. This symbol can be used only at the beginning of a statement.
;           Statement separator.
::          Namespace path separator for variables or commands. Example: ::foo::bar

For information about standard Tcl syntax, see the following:
http://tmml.sourceforge.net/doc/tcl/index.html
http://en.wikibooks.org/wiki/Programming:Tcl

Disabled Tcl Commands


For security, the following Tcl commands are disabled in the aFleX syntax. You cannot use these commands in aFleX scripts.

after               exec          interp         seek
auto_execok         exit          load           socket
auto_import         fblocked      memory         source
auto_load           fconfigure    namespace      tcl_findLibrary
auto_mkindex        fcopy         open           tell
auto_mkindex_old    file          package        unknown
auto_qualify        fileevent     pid            update
auto_reset          filename      pkg::create    uplevel
bgerror             flush         pkg_mkIndex    upvar
cd                  gets          proc           vwait
close               glob          pwd
eof                 http          rename
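A pre-deployment check that combines three constraints stated on this page: the maximum script size, the event/service-type binding prerequisite, and the disabled Tcl commands listed above. This is an added example, not A10 tooling: the function name, finding codes, the 1024-byte Kbyte and the rule that every HTTP_* event needs an http or fast-http port are assumptions, and the command matching is a heuristic that prefers false positives over misses.

```python
"""Pre-deployment lint for aFleX scripts (added example, not A10 tooling)."""
import re

# Tcl commands this page lists as disabled in aFleX.
DISABLED_TCL = frozenset("""
after auto_execok auto_import auto_load auto_mkindex auto_mkindex_old
auto_qualify auto_reset bgerror cd close eof exec exit fblocked fconfigure
fcopy file fileevent filename flush gets glob http interp load memory
namespace open package pid pkg::create pkg_mkIndex proc pwd rename seek
socket source tcl_findLibrary tell unknown update uplevel upvar vwait
""".split())

# Service types the page names for a policy that triggers on HTTP_REQUEST.
HTTP_SERVICE_TYPES = frozenset({"http", "fast-http"})

# '#' starts a comment only where a command could start (line start or after ';').
_COMMENT = re.compile(r"(^|;)[ \t]*#.*$", re.MULTILINE)
# First word at a possible command position: line start, or after ';', '[' or '{'.
# Braced text that is really data is also scanned, so false positives are possible.
_COMMAND = re.compile(
    r"(?:^|[;\[{])[ \t]*(?:::)?([A-Za-z_][A-Za-z0-9_:]*)", re.MULTILINE)
_EVENT = re.compile(r"^[ \t]*when[ \t]+([A-Z_]+)", re.MULTILINE)


def _line_of(text, offset):
    """1-based line number of a character offset."""
    return text.count("\n", 0, offset) + 1


def lint_aflex(source, service_type, max_kbytes=32):
    """Return a sorted list of (line, code, detail) findings for one script.

    service_type is the virtual port's service type (for example "http" or
    "tcp"); max_kbytes mirrors the device's `aflex max-filesize` setting.
    Line 0 marks a finding about the file as a whole.
    """
    if not 16 <= max_kbytes <= 256:
        raise ValueError("aflex max-filesize must be 16-256 Kbytes")
    findings = []

    size = len(source.encode("utf-8"))
    if size > max_kbytes * 1024:  # assumption: 1 Kbyte = 1024 bytes
        findings.append((0, "SIZE", f"{size} bytes exceeds {max_kbytes} Kbytes"))

    # Drop comments but keep newlines so reported line numbers stay correct.
    code = _COMMENT.sub(lambda m: m.group(1), source)

    for m in _COMMAND.finditer(code):
        name = m.group(1)  # case-sensitive: HTTP::close is not the Tcl `close`
        if name in DISABLED_TCL:
            findings.append((_line_of(code, m.start(1)), "DISABLED", name))

    events = list(_EVENT.finditer(code))
    if not events:
        findings.append((0, "NO_EVENT", "no `when <EVENT>` declaration found"))
    for m in events:
        event = m.group(1)
        # Assumption: all HTTP_* events share the HTTP_REQUEST prerequisite.
        if event.startswith("HTTP_") and service_type not in HTTP_SERVICE_TYPES:
            findings.append((_line_of(code, m.start(1)), "BIND",
                             f"{event} needs service type http or fast-http, "
                             f"not {service_type}"))
    return sorted(findings)


# Constructed sample: one commented-out exec, two live disabled commands.
SAMPLE_SCRIPT = """\
# old version used [exec date]; exec is disabled
when HTTP_REQUEST {
    if { [HTTP::uri] ends_with ".gif" } {
        set fh [open /tmp/hits w]; close $fh
        pool gif_pool
    }
}
"""

if __name__ == "__main__":
    for line, code_, detail in lint_aflex(SAMPLE_SCRIPT, "tcp"):
        print(f"line {line}: {code_}: {detail}")
```

Running the check before binding a policy catches a script that the device would reject or that would never trigger on the chosen virtual port.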

aFleX Context - Clientside or Serverside


aFleX scripts support context for specifying either client or server side:
• Each event has a default context of either client-side or server-side.
• Key words: clientside or serverside
• Only specify the context keywords if you want to change default context.

Example: This aFleX script uses the default CLIENT side association to the REMOTE_ADDR. Because CLIENT_ACCEPTED has a default context of clientside, the remote_addr field is automatically assigned to clientside.

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals 10.1.1.80 ] } {
            pool my_pool
        }
    }

To change the default context of any aFleX script, use the clientside or serverside key words.

Example: This aFleX policy switches the remote_addr field to the clientside from the default serverside association with the SERVER_CONNECTED event.

    when CLIENT_ACCEPTED {
        if { [IP::addr [clientside {IP::remote_addr}] equals 10.1.1.80 ] } {
            pool my_pool2
        }
    }



aFleX Basics - aFleX Script Components

aFleX Script Components


aFleX scripts consist of the following element types:
• Events
• Operators
• Commands

aFleX Events
aFleX scripts are event-driven. The AX device triggers an aFleX policy based on a specified event. For example, if an aFleX policy is configured to be triggered by the HTTP_REQUEST event, the AX device triggers the aFleX policy when an HTTP request is received. Event declarations are made with the when keyword followed by the event name.

Example:

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals 10.1.1.80 ] } {
            pool my_pool
        }
    }



Table 2 lists the event declarations supported in aFleX policies.

TABLE 2 aFleX Event Declarations

Event Type: Global

RULE_INIT
Triggered when used in an aFleX policy.

Event Type: IP, TCP, UDP

CLIENT_ACCEPTED
Triggered when a client establishes a connection.

CLIENT_DATA
Triggered when a client receives new data while the connection is in collect state.

LB_FAILED
Triggered when the AX device can not select a node (server) for the incoming request; for example, if all nodes in the pool are down or all their connection limits have been reached.

LB_SELECTED
Triggered when the system selects a pool member.

CLIENT_CLOSED
Triggered when the client-side connection closes.

SERVER_CLOSED
Triggered when the server side connection closes.

SERVER_CONNECTED
Triggered when the AX device establishes a connection with the target node.

SERVER_DATA
Triggered when the AX device has received new data from the target node while the connection is in hold state.

Event Type: HTTP

HTTP_REQUEST
Triggered when the AX device fully parses a complete client request header.

HTTP_RESPONSE
Triggered when the AX device parses all of the response status and header lines from the server response.

HTTP_RESPONSE_CONTINUE
Triggered whenever the AX device receives a 100 Continue response from the server.

HTTP_REQUEST_DATA
Triggered whenever the request receives new HTTP content data.

HTTP_RESPONSE_DATA
Triggered whenever the AX device receives new HTTP content data from the response.

HTTP_REQUEST_SEND
Triggered immediately before a request is sent to a server. Server-side event.

Event Type: SSL

CLIENTSSL_CLIENTCERT
Triggered when an SSL client certificate is received.

CLIENTSSL_HANDSHAKE
Triggered when an SSL handshake on the client side is completed.

LB_FAILED
Triggered when the AX device can not select a node (server) for the incoming request; for example, if all nodes in the pool are down or all their connection limits have been reached.

aFleX Operators
aFleX policies use operators to compare operands in an expression. Table 3 lists the operators supported in aFleX policies.

TABLE 3 aFleX Operators

Operator Type: Relational

contains
Tests whether one string (string1) contains another string (string2).

ends_with
Tests whether one string (string1) ends with another string (string2).

equals
Tests whether one string equals another string.

matches
Tests whether one string matches another string.

matches_regex
Tests whether one string matches a regular expression.

starts_with
Tests whether one string (string1) starts with another string (string2).

switch
Built-in Tcl command. Evaluates one of several scripts, depending on a given value.

Operator Type: Logical

and
Performs a logical and comparison between two values.

or
Performs a logical or comparison between two values.

not
Performs a logical not on a value.


aFleX Commands
aFleX commands can perform the following types of operations:
• Global - Performs actions such as selecting a pool (SLB service group) or node (server).
• Query commands:
    • IP packet header query - Returns information from the IP header.
    • IP, TCP, or UDP packet data query - Returns information from the payload.
    • HTTP packet header or content query - Returns information from the HTTP header or payload.
• Header and content manipulation:
    • HTTP cookie manipulation - Changes cookies.
    • TCP header and content manipulation - Changes TCP headers or content.
    • HTTP header and content manipulation - Changes HTTP headers or content.
• SSL and X.509 query - Returns information from or about certificates.
• Deep packet inspection - Returns strings from packets.

Examples
Example: Pool Selection

This aFleX script uses the if command to determine which pool to send traffic to based on the file type gif or jpg.

    when HTTP_REQUEST {
        if { [HTTP::uri] ends_with ".gif" } {
            pool gif_pool
        } elseif { [HTTP::uri] ends_with ".jpg" } {
            pool jpg_pool
        }
    }

Example: Node Selection

This aFleX script uses the node command to select one specific server to send the traffic to.

    when HTTP_REQUEST {
        if { [HTTP::uri] ends_with ".gif" } {
            node 192.168.100.10 80
        }
    }



Example: IP Packet Header Query - IP Address

This example directs traffic from clients in the 192.168.0.0/16 subnet to a special pool, 192.168_pool.

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 192.168.0.0/16] } {
            pool 192.168_pool
        } else {
            pool other_pool
        }
    }

Example: IP Packet Header Query - Protocol Number

This example shows the protocol field being inspected for clientside protocol value of 6.

    when CLIENT_ACCEPTED {
        if { [IP::protocol] == 6 } {
            pool tcp_pool
        } else {
            pool slow_pool
        }
    }

Example: IP Packet Header Query - ToS Level

This example shows the ToS field being inspected for clientside ToS value of 16.

    when CLIENT_ACCEPTED {
        if { [IP::tos] == 16 } {
            pool tos16_pool
        } else {
            pool other_pool
        }
    }

Example: TCP Query

This aFleX script uses the payload field to check for the words XYZ or ABC to properly redirect traffic.

    when CLIENT_DATA {
        if { [TCP::payload] contains "XYZ" } {
            pool xyz_servers
        } elseif { [substr [TCP::payload] 50, 3] == "ABC" } {
            pool abc_servers
        } else {
            pool web_servers
        }
    }

Command Summary by Type


Table 4 lists the aFleX commands according to the types of operations they perform. For more information about the aFleX commands, see "Command Reference" on page 67, where they are listed alphabetically.

TABLE 4 aFleX Commands

Command Type: Global

active_members <pool_name> [partition shared]
    Returns the number of active members in the pool. By default, this command acts upon the service groups (pools) located in the partition that contains the aFleX policy. The partition shared option causes the aFleX policy to act upon service groups in the shared partition instead. This option is useful in aFleX policies that are located in a private partition, when you want the aFleX policy to act upon service groups in the shared partition instead.

b64decode <string>
    Returns the specified string, decoded from base-64. Returns NULL if there is an error.

b64encode <string>
    Returns the specified string, encoded as base-64. Returns NULL if there is an error.

clientside {<aFleX commands>}
    Causes the specified aFleX commands to be evaluated under the client-side context. This command has no effect if the aFleX policy is already being evaluated under the client-side context.

cpu usage [1sec | 5secs | 15secs | 1min | 5mins | 15mins | all_seconds | all_minutes]
    Returns the average CPU load for the given interval. All averages are exponential weighted moving averages over the interval.

detach
    Discontinues evaluating the aFleX event on a connection. However, the aFleX policy continues to run.

discard
    Causes the current packet or connection (depending on the context of the event) to be discarded. This statement must be conditionally associated with an if statement.

dnat {disable | enable}
    Disables or enables destination NAT for the current connection. The command overrides the behavior set by the no-dest-nat CLI command or equivalent GUI option on the virtual port.



domain <string> <count>
    Parses the specified string as a dotted domain name and returns the last <count> portions of the domain name.

drop
    Same as the discard command.

encoding {convertfrom | convertto} <encoding>
    Converts the character encoding of a payload to the specified encoding.

event [<name>] [enable | disable] | [enable all | disable all]
    Discontinues evaluating the specified aFleX event, or all aFleX events, on a connection. However, the aFleX script continues to run.

htonl <hostlong>
    Converts the unsigned integer from host byte order to network byte order.

htons <hostshort>
    Converts the unsigned short integer from host byte order to network byte order.

if { <expression> } {<statement_command>} elseif { <expression> } {<statement_command>}
    Asks a true or false question and, depending on the answer, takes some action.
    Note: The maximum number of if statements that you can nest in an aFleX policy is 100.

log [<facility> <level>] <message>
    Generates and logs the specified message to the Syslog facility. The statement does this by performing variable expansion on the message as defined for the Header Insert HTTP profile attribute. If not used appropriately, a log statement can produce large amounts of output.

md5
    Returns the RSA MD5 Message Digest Algorithm message digest of the specified string.

node <addr> [<port>]
    Causes the identified server node to be used directly, thus bypassing any load-balancing.

ntohl <netlong>
    Converts the unsigned integer from network byte order to host byte order.

ntohs <netshort>
    Converts the unsigned short integer from network byte order to host byte order.

persist uie <string> [<timeout>]
persist add uie <key> [timeout]
persist lookup uie <key> [all | node | port | pool]
persist delete uie <key>
    Configures persistence of clients with SLB resources.



TABLE 4 aFleX Commands (Continued)

Command Type: Global (cont.)

pool <pool_name> [member <addr> [<port>]] [partition shared]
    Causes the AX device to load balance traffic to the named pool. This statement must be conditionally associated with an if statement. Optionally, you can specify a specific pool member to which you want to direct the traffic.
    By default, this command acts upon the service groups (pools) located in the partition that contains the aFleX policy. The partition shared option causes the aFleX policy to act upon service groups in the shared partition instead. This option is useful in aFleX policies that are located in a private partition, when you want the aFleX policy to act upon service groups in the shared partition instead.
reject
    Causes the connection to be rejected, returning a reset as appropriate for the protocol.
return [<expression>]
    Terminates execution of the aFleX event and optionally returns the result of evaluating <expression>.
serverside {<aFleX commands>}
    Causes the specified aFleX commands to be evaluated under the server-side context. This command has no effect if the aFleX policy is already being evaluated under the server-side context.
session add ssl <key> <data> [<timeout>]
    Creates a table to store SSL information. If an SSL table already exists, the command adds an entry to the table. Generally, the <key> is the session ID and the data is the SSL verify_result or the SSL certificate.
session delete ssl <key>
    Deletes an SSL entry.
session lookup ssl <key>
    Searches the SSL table for information about the specified key.
set encode "<encoding>"
    Sets the character encoding for data payloads.
sha1
    Returns the Secure Hash Algorithm version 1.0 (SHA1) message digest of the specified string.
snatpool <snatpool_name>
    Uses the specified pool of IP addresses as translation addresses to create a SNAT.
virtual name
    Returns the name of the associated virtual server that the connection is flowing through.
when <event_name>
    Specifies an event in an aFleX script. All aFleX events begin with a when command. You can specify multiple when commands within a single aFleX script.

Command Type: Time Commands

TIME::clock [seconds | milliseconds]
    Returns the system time, in seconds or milliseconds.



TABLE 4 aFleX Commands (Continued)

Command Type: IP Packet Header Query

IP::addr <addr1>[/<mask>] equals <addr2>[/<mask>]
    Performs comparison of IP address/subnet/supernet to IP address/subnet/supernet. Returns 0 if no match, 1 for a match.
IP::remote_addr
    Returns the remote IP address of a connection.
IP::local_addr
    Returns the local IP address of a connection.
IP::client_addr
    Returns the client IP address of a connection. This command is equivalent to the command clientside { IP::remote_addr }.
IP::server_addr
    Returns the server's IP address. This command is equivalent to the command serverside { IP::remote_addr }.
IP::protocol
    Returns the IP protocol value.
IP::stats {pkts in | pkts out | pkts | bytes in | bytes out | bytes | age}
    Supplies information about the number of packets or bytes being sent or received in a given connection.
IP::tos
    Returns the value of the IP protocol's Type of Service (ToS) field.
IP::ttl
    Returns the TTL of the current packet being acted upon.
IP::version
    Returns the version (e.g., IPv4/IPv6) of the current packet.



TABLE 4 aFleX Commands (Continued)

Command Type: TCP Packet Header and Content Query

TCP::remote_port
    Returns the remote TCP port/service number.
TCP::local_port
    Returns the local TCP port/service number.
TCP::client_port
    Returns the client's TCP port/service number. Equivalent to the command clientside { TCP::remote_port }.
TCP::collect <length>
    Causes TCP to start collecting the specified amount of content data.
TCP::server_port
    Returns the server TCP port/service number. Equivalent to the command serverside { TCP::remote_port }.
TCP::payload [<size>]
    Returns the accumulated TCP data content.
TCP::mss
    Returns the on-wire Maximum Segment Size (MSS) for a TCP connection.
TCP::offset
    Returns the position in the TCP data stream in which the collected TCP data starts.
TCP::release
    Causes TCP to resume processing the connection and flush collected data.

Command Type: UDP Packet Header and Content Query

UDP::remote_port
    Returns the remote UDP port/service number.
UDP::local_port
    Returns the local UDP port/service number.
UDP::client_port
    Returns the client's UDP port/service number.
    Note: This command is equivalent to the command clientside {UDP::remote_port}.
UDP::mss
    Returns the on-wire Maximum Segment Size (MSS) for a UDP connection.
UDP::server_port
    Returns the server UDP port/service number.
    Note: This command is equivalent to the command serverside { UDP::remote_port }.
UDP::payload [<size>]
    Returns the current UDP payload content.
UDP::payload length
    Returns the amount of UDP payload content in bytes.



TABLE 4 aFleX Commands (Continued)

Command Type: Statistics

STATS::get server <server-name | ipaddr> [<port-num> <tcp | udp>] current-connection | total-connection | request-pkt | response-pkt [partition shared]
    Retrieves statistics for a node, virtual server, or pool.
STATS::clear server <server-name | ipaddr> [<port-num> <tcp | udp>] current-connection | total-connection | request-pkt | response-pkt [partition shared]
    Clears statistics for a node, virtual server, or pool.

Command Type: Load Balancing (LB)

LB::down
    Temporarily marks the current real port down for 30 seconds.
LB::reselect [pool <pool-name> [<member>]]
    Reperforms server selection.
LB::status node <ipaddr> [port <port_num> {tcp | udp}]
    Returns the health status of a node.
LB::status pool <pool_name> [member <ipaddr> [<port_num>]] [partition shared]
    Returns the health status of a pool.

Command Type: HTTP Packet Header and Content Query

HTTP::header [value] <name>
    Returns value of the HTTP header named <name>. You can omit the <value> argument if the header name does not collide with any of the subcommands.
HTTP::header names
    Returns a list of all the headers present on the request or response.
HTTP::header count
    Returns the number of HTTP headers present on the request or response.
HTTP::header at <index>
    Returns the HTTP header that the system finds at the zero-based index value.
HTTP::header exists <name>
    Returns true if the named header is present on the request or response.
HTTP::fallback <host>
    Specifies or overrides the fallback host specified in the HTTP profile.
HTTP::host
    Returns the host name (and port, if specified) of the HTTP request.
HTTP::method
    Returns the type of HTTP request method.
HTTP::path [<string>]
    Returns the path part of the HTTP request.
HTTP::status
    Returns the response status code.



TABLE 4 aFleX Commands (Continued)

Command Type: HTTP Packet Header and Content Query (cont.)

HTTP::version ["0.9" | "1.0" | "1.1"]
    Returns the HTTP version of the request or response.
HTTP::uri [<string>]
    Returns the complete URI of the request.
HTTP::query [<string>]
    Returns the query part of the HTTP request.
HTTP::is_redirect
    Returns a true value if the response is a certain type of redirect.
HTTP::is_keepalive
    Returns a true value if this is a Keep-Alive connection.
HTTP::collect [<length>]
    Collects the amount of data that you specify with the [length] argument. When the system collects the specified amount of data, it calls the Tcl event HTTP_REQUEST_DATA or HTTP_RESPONSE_DATA.
    Note: Use great caution when omitting the value of the content length. Even though this is allowed in certain cases, doing so or using a value larger than the size of the actual length can stall the connection.
HTTP::release
    Releases the collected data. There is no need to use the HTTP::release command inside of the HTTP_REQUEST_DATA and HTTP_RESPONSE_DATA events, since in these cases, the data is implicitly released.
HTTP::payload [<size>]
    Returns the content that the HTTP::collect command has collected thus far. If you do not specify a size, the system returns the collected content.
HTTP::payload length
    Returns the size of the content that the command has collected thus far, not including the HTTP headers.
HTTP::payload <offset> <length> <string>
    Replaces the amount of content that you specified with the <length> argument, starting at <offset> with <string>.
HTTP::close
    Inserts a Connection: Close header and closes the HTTP connection.

Command Type: TCP Header and Content Manipulation

TCP::collect <length>
    Causes TCP to start collecting the specified amount of content data.
TCP::release
    Causes TCP to resume processing the connection and to flush collected data.
TCP::payload replace <offset> <length> <data>
    Replaces collected payload with the given data.
TCP::close
    Closes the connection.



TABLE 4 aFleX Commands (Continued)

Command Type: HTTP Header and Content Manipulation

HTTP::header insert ["lws"] <name> <value>
    Inserts the named HTTP header and its value into the end of the HTTP request or response. If you specify "lws", the system adds linear white space to long header values.
HTTP::header insert ["lws"] {n1, v1, n2, v2, n3,v3, }
    Passes a Tcl list to insert into a header. In such cases, the system treats the list as a list of name/value pairs. If you specify "lws", the system adds linear white space to long header values.
HTTP::header [value] <name> <string>
    Sets the value of the named header. If the header is present, the command replaces the header; otherwise, the command adds the header. You can omit the <value> argument if the header name does not collide with any other values.
HTTP::header replace <name> [<string>]
    Replaces the last occurrence of the named header with the string <string>. This command performs a header insertion if the header was not present.
HTTP::header remove <name>
    Removes the last occurrence of the named header from the request or response.
HTTP::redirect <url>
    Redirects a HTTP request or response to the specified URL. Note that this command sends the response to the client immediately. Therefore, you cannot specify this command multiple times in an aFleX, nor can you specify any other commands that modify header or content, after you specify this command.
HTTP::respond <status code> [content <content Value>] [<Header name> <Header Value>]+
    This is a powerful API that allows users to generate or rewrite a client request or a server response. When the system runs the command on the client side, it sends the response to the client without any load balancing taking place. If the system runs the command on the server side, the content from the actual server is discarded and replaced with the information provided to this API.
    Note that because the system sends the response data immediately after this aFleX policy runs, we recommend that you not run any more aFleX policy after this API.
HTTP::header sanitize <header name>+
    Removes all but the headers you specify. The exception to this is some essential HTTP headers.
HTTP::request_num
    Returns the number of HTTP requests that a client made on the connection.



TABLE 4 aFleX Commands (Continued)

Command Type: HTTP Cookie Manipulation for Request Messages

HTTP::cookie names
    Returns the names of all the cookies present in the HTTP header.
HTTP::cookie count
    Returns the number of cookies present in the HTTP header.
HTTP::cookie [value] <name> [string]
    Sets or gets the cookie value of the given name. You can omit the value of this command if the cookie name does not collide with any of the other commands.
HTTP::cookie version <name> [version]
    Sets or gets the version of the cookie.
HTTP::cookie path <name> [path]
    Sets or gets the cookie path.
HTTP::cookie domain <name> [domain]
    Sets or gets the cookie domain.
HTTP::cookie ports <name> [portlist]
    Sets or gets the cookie port lists for V1 cookies.
HTTP::cookie insert <name> <value> [path <path>] [domain <domain>] [version <0 | 1 | 2>]
    Adds or replaces a cookie. The default value for the version is 0.
HTTP::cookie remove <name>
    Removes a cookie.
HTTP::cookie sanitize [attribute]+
    Removes all but the specified attributes from the cookie.
HTTP::cookie exists <name>
    Returns a true value if the cookie exists.



TABLE 4 aFleX Commands (Continued)

Command Type: HTTP Cookie Manipulation for Response Messages

HTTP::cookie names
    Returns the names of all the cookies present in the HTTP header.
HTTP::cookie count
    Returns the number of cookies present in the HTTP header.
HTTP::cookie [value] <name> [string]
    Sets or gets the cookie value of the given name. You can omit the value of this command if the cookie name does not collide with any of the other commands.
HTTP::cookie version <name> [version]
    Sets or gets the version of the cookie.
HTTP::cookie path <name> [path]
    Sets or gets the cookie path.
HTTP::cookie domain <name> [domain]
    Sets or gets the cookie domain.
HTTP::cookie ports <name> [portlist]
    Sets or gets the cookie port lists for Version 1 cookies.
HTTP::cookie insert <name> <value> [path] [domain] [version]
    Adds or replaces a cookie. The default value for the version is 0.
HTTP::cookie remove <name>
    Removes a cookie.
HTTP::cookie maxage <name> [seconds]
    Sets or gets the max-age. Applies to Version 1 cookies only.
HTTP::cookie expires <name> [seconds] [absolute | relative]
    Sets or gets the expires attribute. Applies to Version 0 cookies only. If you specify the absolute argument, the seconds value represents number of seconds since the UNIX epoch (January 1, 1970). The default number of seconds is relative, which is the number of seconds from the current time.
HTTP::cookie comment <name> [comment]
    Sets or gets the cookie comment. Applicable only to Version 1 cookies.
HTTP::cookie secure <name> [enable | disable]
    Sets or gets the secure attribute.
HTTP::cookie commenturl <name> [commenturl]
    Sets or gets the comment URL. Applicable only to Version 1 cookies.
HTTP::cookie discard <name> [enable | disable]
    Sets or gets the discard attribute. Applicable only to Version 1 cookies.
HTTP::cookie sanitize [attribute]+
    Removes from the cookie all but the attributes you specify.
HTTP::cookie exists <name>
    Returns a true value if the cookie exists.



TABLE 4 aFleX Commands (Continued)

Command Type: HTTP Request

HTTP::request
    Returns a raw HTTP request.
HTTP::retry
    Resends an HTTP request to the server.

Command Type: SIP Header Query and Manipulation

SIP::call_id
    Returns the value of the Call-ID header in a SIP request.
SIP::from
    Returns the value of the From header in a SIP request.
SIP::header [<value>] header-name [<index>]
    Returns SIP header header-name. The <value> option specifies the header value. The <index> option indicates the header to act upon, in cases where there are multiple header levels. Without the <index> option, the first instance of the header is acted upon by the aFleX policy.
SIP::method
    Returns the type of the SIP request method.
SIP::respond code <"phrase" <"header-name" "header-value">>
    Sends back a response with the specified code, phrase, and header-name:header-value pair.
SIP::response code
    Gets the SIP response code.
SIP::response phrase
    Gets the response phrase.
SIP::response rewrite code <phrase>
    Rewrites the response code and phrase, if specified.
SIP::to
    Returns the value of the To header in the SIP request.
SIP::uri
    Returns the complete URI of the request.
SIP::via [<index>]
    Gets the information in the SIP via header. If you specify the <index>, only the information at the specified index level is returned.
SIP::via proto [<index>]
    Gets the protocol part of the SIP via at the specified index level. If you specify the <index>, only the information at the specified index level is returned.
SIP::via sent_by [<index>]
    Gets the sent_by part of the SIP via at the specified index level. If you specify the <index>, only the information at the specified index level is returned.
SIP::via received [<index>]
    Gets the retrieved attribute of the SIP via at the specified index level. If you specify the <index>, only the information at the specified index level is returned.



TABLE 4 aFleX Commands (Continued)

Command Type: SIP Header Query and Manipulation (cont.)

SIP::via branch [<index>]
    Gets the branch attribute of the SIP via at the specified index level. If you specify the <index>, only the information at the specified index level is returned.
SIP::via maddr [<index>]
    Gets the maddr attribute of the SIP via at the specified index level.
SIP::via ttl [<index>]
    Gets the TTL attribute of the SIP via at the specified index level. If you specify the <index>, only the information at the specified index level is returned.

Command Type: Policy-Based SLB Query

POLICY::bwlist id <ip> [<bwlist_name>]
    Returns the group ID associated with an IP address in a black/white list.

Command Type: SSL and X.509

SSL::cert <level>
    Returns SSL certificate with the specified level in the certificate chain. Level is 0-based.
SSL::cert count
    Returns the number of certificates in the certificate chain.
SSL::cert issuer <level>
    Returns the issuer of the certificate with the specified level.
SSL::cert mode <request | require | ignore | auto>
    Sets the certificate mode. This setting overrides the mode setting in the template. Only the client side is supported.
SSL::sessionid
    Returns the current SSL session ID.
SSL::verify_result [<result_code>]
    If <result_code> is not specified, returns the result code of the peer certificate verification. If <result_code> is specified, sets the result code.
X509::issuer
    Returns the issuer of the X.509 certificate.
X509::not_valid_after
    Returns the not-valid-after date of an X.509 certificate.
X509::not_valid_before
    Returns the not-valid-before date of an X.509 certificate.
X509::serial_number
    Returns the serial number of an X.509 certificate.
X509::subject
    Returns the subject of the certificate.
X509::verify_cert_error_string <error_code>
    Returns the error string for the specified error code, as an OpenSSL X509 error string.
X509::version
    Returns the version number of an X.509 certificate.



TABLE 4 aFleX Commands (Continued)

Command Type: Deep packet inspection

findstr
    Finds the string <search_string> within <string> and returns a sub-string based on the <skip_count> and <terminator> from the matched location.
substr
    Returns a sub-string of <string> based on the values of <skip_count> and <terminator>.
getfield
    Splits a string on a character, and returns the string corresponding to the specific field.
domain
    Parses the string <string> as a dotted domain name and returns the last <count> portions of the domain name.
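
The policy below is an added example, not taken from the A10 manual, that combines several Table 4 commands into a small hardening policy for an HTTPS virtual server: it limits a path to one subnet with IP::addr, bounds log output with HTTP::request_num, removes every occurrence of a header (HTTP::header remove only removes the last one), and sets the secure attribute on response cookies. It assumes the HTTP_REQUEST and HTTP_RESPONSE events and the standard Tcl built-ins (string, foreach, while, incr) are available; the subnet, path and header names are constructed for illustration.

```tcl
# Added example (not A10's own code). Assumptions: HTTPS virtual server,
# HTTP_REQUEST / HTTP_RESPONSE events, standard Tcl built-ins.
# 192.0.2.0/24, "/admin" and the header names are constructed sample values.

when HTTP_REQUEST {
    # Compare case-insensitively so "/Admin" is treated like "/admin".
    set path [string tolower [HTTP::path]]

    if { [string match "/admin*" $path] } {
        # IP::addr returns 1 for a match and 0 for no match.
        if { ![IP::addr [IP::client_addr] equals 192.0.2.0/24] } {
            # A log statement can produce large amounts of output, so log
            # only the first denied request seen on this connection.
            if { [HTTP::request_num] <= 1 } {
                log "admin path denied for client [IP::client_addr]"
            }
            # HTTP::respond answers the client directly, with no load
            # balancing; nothing else should run in this event afterwards.
            HTTP::respond 403 content "Forbidden" Content-Type "text/plain"
            return
        }
    }
}

when HTTP_RESPONSE {
    # HTTP::header remove deletes only the LAST occurrence of a header,
    # so loop until none is left. The guard bounds the loop.
    foreach hdr {Server X-Powered-By} {
        set guard 0
        while { [HTTP::header exists $hdr] && $guard < 10 } {
            HTTP::header remove $hdr
            incr guard
        }
    }

    # Mark every cookie set by the server as secure so browsers send it
    # back only over TLS.
    foreach name [HTTP::cookie names] {
        HTTP::cookie secure $name enable
    }
}
```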


aFleX Policy Editor


Overview
aFleX Policy Editor is an application that enables you to easily create and edit aFleX scripts. The editor can also retrieve existing aFleX scripts from an AX device as well as save aFleX scripts back to the AX device after editing. aFleX Policy Editor is supported only on Windows platform systems.

aFleX Policy Editor


aFleX Policy Editor provides a separate programming environment for offline development of aFleX policies, is PC-based for easy support, and offers templates to quickly create new scripts. It features the following functions:
Download, Upload, New, Delete, Save, Import, Export, Reset



FIGURE 3 aFleX Policy Editor new aFleX name field and template list

Scripting Functions
Edit Functions: Cut, Copy, Paste, Delete, Select All, Undo, Redo
Search Functions: Find, Find Next, Find Previous, Replace, Go To Line
View Functions: Line Numbers, Indentation Guide, Margin, Fold Margin, Word Wrap, White Space, End of Line, Bookmarks, Auto Complete, Hot Spots, Status Bar, Output Window



FIGURE 4 aFleX Policy Editor main editor screen

Installing and Starting aFleX Policy Editor


aFleX Policy Editor Installation
1. Copy the directory aFleXEditor from the AX Documentation CD to the Program Files directory on a Windows platform PC.
2. You can create a shortcut to aFleX Policy Editor by dragging the existing shortcut from the copied folder to wherever you want the shortcut to be; for example to the taskbar or desktop.
3. Optionally, you can put the directory aFleXEditor wherever you like on any Windows system and modify the shortcut or create a new shortcut accordingly.

To start aFleX Policy Editor: Click on the shortcut to start aFleX Policy Editor.


aFleX Policy Editor Features


Working with aFleX Policy Editor, you can:
- Download aFleX scripts from the AX device.
- Edit scripts and upload them back onto the AX device.
- Create new aFleX scripts.
- Use aFleX Policy Editor templates to simplify script creation.
- Save aFleX scripts to a local workstation. When you exit, the aFleX list in the Local Files frame is saved.

Below the menu and icons, the aFleX Policy Editor window has the following main parts:
- Menu bar to select menu-based aFleX Policy Editor commands
- Icon bar to select icon-based aFleX Policy Editor commands
- Download Files (top-left frame) to access aFleX files on an AX device
- Local Files (lower-left frame) to access aFleX files on a workstation
- Editor (top-right frame) panel in which to edit aFleX files
- Output (lower-right frame) shows the status of file transfers and more
- Status bar (bottom bar) shows the current aFleX Policy Editor status

Editing aFleX Scripts Getting Started


Create an aFleX Script
To begin using aFleX Policy Editor to create an aFleX script, click the New icon or select File > New aFleX. (See Figure 5.) The aFleX Template window appears where you can select from a list of aFleX templates.



FIGURE 5 aFleX Policy Editor main editor screen

aFleX Templates
The aFleX Template window offers a list of aFleX templates. These templates offer pre-configured aFleX command modules required for typical AX Series applications and are named accordingly. With the addition of parameters for your specific AX Series application, an aFleX policy can be quickly constructed. To use a template to create a new aFleX policy, enter a unique name into the name field of the aFleX Template window, select a template from the list below the name field, and click the OK button.



FIGURE 6 aFleX Policy Editor templates

Need a function not shown in the aFleX Templates? You can create a custom aFleX script. Enter a unique name for the new script, select the BLANK template, and then click OK. The new script is added to the Local Files list and is opened in the Editor frame. The new script will be empty because the BLANK template was selected. You can then begin scripting using the aFleX commands. The rest of this chapter explains how to use the editor itself. To better understand templates, open one and look up its commands in the reference chapter: Command Reference on page 67.


Connect to an AX Device aFleX File Transfer


Use aFleX Policy Editor's Connect AX, File Download/Upload, or Import/Export options to transfer aFleX scripts between an AX device and the editor. You must enter the AX hostname or IP address, and admin username and password, to log onto the AX device.
FIGURE 7 Connection to the AX device

View aFleX Scripts


To view scripts in the aFleX Policy Editor, use the File/Download function to access the file within the aFleX Policy Editor.
FIGURE 8 Download aFleX policy from AX device



Downloaded files can be seen in the AX Files list. Click on a file name in the AX Files list to view its contents in the Editor frame.
FIGURE 9 Viewing an aFleX policy in the Editor frame


Menu Functions
Overview
This section provides a list of all menu items. Detailed descriptions of the functions follow.

File Menu
The editor includes the following script handling functions in the File menu:
Connect/Disconnect, New aFleX, Upload, Download, Delete aFleX, Save, Import aFleX, Export aFleX, Rename, Reset, Exit

Edit Menu
Undo, Redo, Cut, Copy, Paste, Delete, Select All

Search Menu
Find, Find Next, Find Previous, Replace, Go To Line

View Menu
Line Numbers, Indentation Guides, Margin, Fold Margin, Word Wrap, White Space, End of Line, Book Marks, Auto Complete, Status Bar, Output Window

Options Menu
Font, Set Line Number Color, Set Comment Color, Set Text Color, Set Keyword Color, Set Background Color, Last Setting

Help Menu
About aFlex Editor

File Functions
Connect AX / Disconnect AX
If you select File > Connect AX, a window pops up and asks you to enter the hostname or IP address, and admin username and password. After you click OK, the connection status changes to Connected and all the aFleX policies on the AX device are automatically shown in the Download Files frame. From this point on, you can manipulate aFleX policies on the AX device. After you are connected, the Connect menu option and button both change to Disconnect. If you select File > Disconnect or click the Disconnect button, all the aFleX policies previously shown in the Download Files frame disappear and the connection status is changed to Disconnected.

New aFleX
File > New aFleX
Note: For information on aFleX scripts and commands, see aFleX Policy Examples on page 63 and Command Reference on page 67.

Using an aFleX Template
If you click the New icon, a window will pop up where you can select an aFleX Template. (See Figure 5 on page 43.) After you select a template, type the new aFleX policy name and click OK. The Local Files window generates the new file and opens it in the editor frame.

Using the BLANK aFleX Template
You can also create aFleX scripts from the BLANK template. Enter a unique name for the new aFleX, select the BLANK template from the list of templates, then click OK. The new aFleX policy is added to the Local Files list and is opened in the editor frame.

Upload
File > Upload
If you click Upload, the currently selected Local File is uploaded to the AX device and listed in the AX Files frame. If the AX device is disconnected, the Upload menu item is disabled.

Download
File > Download
If you click Download and the AX device is disconnected, a window pops up to ask you to input the hostname or IP address, and username and password, to re-establish the connection to the AX. If the current status of the AX is Connected, no window will pop up. The file list in the Local Files frame is updated.


Delete Rule
File > Delete Rule
If no aFleX file is currently selected, nothing is deleted. If an aFleX file is currently selected within the Local Files frame, the selected file is deleted from the local workstation, and the next item in the list is automatically selected. If an aFleX file is currently selected in the AX Files frame, it is deleted from the AX file list. If the response message from the AX system indicates success, the file will also be deleted from the Local Files.

Save
File > Save
If a currently selected aFleX file is located in the AX Files frame, it is saved to the AX device. If a currently selected aFleX file is located in the Local Files frame, it is saved to the local workstation.

Import
File > Import
If you click Import, a window pops up where you can select a file and import it into the aFleX Policy Editor. The Local Files frame adds the file and opens it in the Editor frame.

Export
File > Export
If you click Export, a window pops up where you can select a local path to which to export the currently selected file.

Rename
File > Rename
If you click Rename, the currently selected aFleX file can be renamed. The new name should not be equal to the existing name shown in the aFleX Policy Editor, or equal to the name of another file.


Reset
File > Reset Restores the currently selected file to its state before user modifications. If the currently selected file is located in the AX Files frame, the Reset command resets it to the initial file state when last downloaded. If the currently selected file is located in the Local Files frame, it resets to the initial file state just generated through the New action.

Exit
File > Exit If you click File > Exit, an alert window pops up.
To exit aFleX Policy Editor, click Yes. To continue working in aFleX Policy Editor, click No.

Edit Menu Functions


Undo / Redo
Edit > Undo / Redo The Undo and Redo actions are for undo or redo of changes to text. Standard Windows keyboard shortcuts can also be used for these commands, if the cursor is active within the Editor frame.

Cut / Copy / Paste / Delete


Edit > Cut / Copy / Paste / Delete The Cut, Copy, Paste, and Delete commands are for modifying text. Standard Windows keyboard shortcuts can also be used for these commands, if the cursor is active within the Editor frame.

Select All
Edit > Select All Select Edit > Select All or ctrl+A to select all text in the Editor frame.


Search Menu Functions


Find / Find Next / Find Previous
Search > Find / Find Next / Find Previous If you select Search > Find or press ctrl+F, a Find window pops up. You can type a string of up to 250 characters in the Find what field. Click the Find or Mark All button:

If the term can be found in the text, it will be highlighted.
If the term cannot be found, an alert window will pop up.

The Find window will close. If you want to find the next occurrence of the string, press F3. To find the previous occurrence of the string, press shift+F3.

FIGURE 10 Search > Find

Replace
Search > Replace If you select Search > Replace, the Search and Replace window pops up. In the Search for field, type the string you want to replace. In the Replace with field, type the new string. You can click the Next match or the Previous match button to locate another occurrence of the string to be replaced.

If the string is found, it will be highlighted. Click either Replace or Replace All.
If the term cannot be found, an alert indicates that no match could be found.

FIGURE 11 Search > Replace

Replace options include:

Match case: searches for text in case-sensitive mode.
Match whole word: does not find words where the search string is only part of the word.
Regular expressions: searches for regular expressions (regex) entered into the Search for field.
Replace in selection only: select the search text before starting; replaces only within the selection.

Go to Line
Search > Go To Line If you select Go To Line, a window pops up where you can type a line number into the Go To Line field. Click OK to navigate to that line in the currently open file.

FIGURE 12 Search > Go To Line

View Menu Functions


View Line Number
View > Line Number Use this menu command to display or hide Line Numbers in the editor.

View Indentation Guides


View > Indentation Guides Use this menu command to display or hide the Indentation Guides.

View Margin
View > Margin Use this menu command to display or hide the Editor frame Margin between the Editor frame's Line Numbers column and its Fold Margin column.

View Fold Margin


View > Fold Margin Use this menu command to display or hide the Fold Margin, where the +/- symbols can be used to expand and collapse aFleX events.

View Word Wrap


View > Word Wrap This menu command enables/disables word wrap in the Editor frames.

View White Space


View > White Space This menu command enables/disables marking of white space in the Editor frame.

View End of Line


View > End of Line This menu command enables/disables display of End of Line (LF and CRLF) markers in the Editor frame.

View Book Marks


View > Book Marks This menu command enables/disables bookmarks in the Editor frame. The bookmarks can be displayed only when you update an aFleX policy on the AX device. If an aFleX policy has a syntax error or definition error, the bookmarks indicate the line that contains the error.

View Status Bar


View > Status Bar This menu command enables/disables display of the Editor frame's status bar.

View Output Window


View > Output Window This menu command enables/disables display of the Output frame.


Options Menu Functions


Font
Options > Font This menu command is used to set the font style for the Editor frame text.

Set Line Number Color


Options > Set Line Number Color This menu command is used to set the Editor frame's font color for the line numbers.

Set Comment Color


Options > Set Comment Color This menu command is used to set the Editor frame's font color for comment text.

Set Text Color


Options > Set Text Color This menu command is used to set the Editor frame's font color for the main text.

Set Keyword Color


Options > Set Keyword Color This menu command is used to set the Editor frame's font color for keyword text.

Set Background Color


Options > Set Background Color This menu command is used to set the Editor frame's color for the background.

My Last Setting
Options > My Last Setting This menu command restores your last setting from your previous session.


Help Menu Functions


About aFleX Editor
Help > About aFleX Editor This command displays the aFleX Policy Editor version and contact information.

Other aFleX Policy Editor Functions


Drag and Drop File Function
You can drag-and-drop files between the AX Files frame and the Local Files frame to upload and download.

Download: Dragging a file from the AX Files frame to the Local Files frame is equivalent to using the download command to copy a file from the AX device to the local workstation.

Upload: Dragging a file from the Local Files frame to the AX Files frame is equivalent to using the upload command to copy a file to the AX device from the local workstation.

Status Window
When you perform an action such as Download, Upload, Delete, or Reset, the status bar displays a status message to indicate the result of that action.


Importing and Binding aFleX Scripts


To use an aFleX policy:

1. Create the aFleX policy. You can create the aFleX policy using the aFleX Policy Editor, by typing it into a GUI tab, or using a text editor on a PC.
2. Import the aFleX policy onto the AX device. You can use aFleX Policy Editor, the GUI, or the CLI to import the aFleX policy.
3. Bind the aFleX policy to one or more virtual ports. You can bind the aFleX policy to a virtual port using the GUI or CLI.

The following sections show examples for the CLI and GUI. For information about using the aFleX Policy Editor, see aFleX Policy Editor on page 39.

Using the CLI


1. On a PC that supports TFTP, FTP, SCP or RCP, use any text editor to create an aFleX script and save it locally. Use extension .afx at the end of the file name. Example: /aflex/test.afx
2. On the AX device, use the CLI command import aflex to import the aFleX policy file onto the AX device.
3. Use the CLI command aflex under virtual port configuration to bind it with a virtual port.

CLI Example

This example shows how to import an aFleX policy onto the AX device and bind it to a virtual port. For this example, the following aFleX policy is imported:

when HTTP_REQUEST {
    if {[HTTP::uri] contains "business"} {
        pool http-sg1
    } elseif {[HTTP::uri] contains "sports"} {
        pool http-sg2
    }
}

1. Log onto the AX device through the CLI, with an admin account that has read-write privileges. A CLI prompt appears:

AX>

Note: See the AX Series CLI Reference if you need information on using the CLI.

2. Access the Privileged EXEC mode:

AX>enable
Password:***
AX#

3. Access the configuration mode:

AX#config
AX(config)#

4. Configure nodes (real servers and server ports):

AX(config)#slb server node100 10.10.9.100
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server node101 10.10.9.101
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server node102 10.10.9.102
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server node103 10.10.9.103
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#

5. Configure service groups:

AX(config)#slb service-group http-sg1 tcp
AX(config-slb service group)#member node100:80
AX(config-slb service group)#member node101:80
AX(config-slb service group)#exit
AX(config)#slb service-group http-sg2 tcp
AX(config-slb service group)#member node102:80
AX(config-slb service group)#member node103:80
AX(config-slb service group)#exit
AX(config)#

6. Use the import command to import the aFleX policy (test.afx) onto the AX device and rename it my_aflex:

AX(config)#import aflex my_aflex scp://192.168.1.118/aflex/test.afx
User name []?***
Password []?***
Importing ... Done.
AX(config)#

While importing the aFleX policy, the AX device checks for syntax errors. If any syntax errors are found, error messages are displayed. You can modify an aFleX policy and import it again until it passes the syntax check.

7. Use the show aflex command to list the aFleX policies imported onto the AX device:

AX(config)#show aflex
Total aFleX number: 1
Name            Syntax    Virtual port
------------------------------------------------------------
my_aflex        Check     No

8. To display the aFleX policy, use the show aflex aflex-name command:

AX(config)#show aflex my_aflex
when HTTP_REQUEST {
    if {[HTTP::uri] contains "business"} {
        pool http-sg1
    } elseif {[HTTP::uri] contains "sports"} {
        pool http-sg2
    }
}

9. Configure a virtual server and bind the aFleX policy to a virtual port on the virtual server:

AX(config)#slb virtual-server v30 10.10.8.30
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#aflex my_aflex
AX(config-slb virtual server-slb virtua...)#exit
AX(config-slb virtual server)#exit
AX(config)#

10. Show the aFleX policy list again to verify that the aFleX policy is now bound to a virtual port:

AX(config)#show aflex
Total aFleX number: 1
Name            Syntax    Virtual port
------------------------------------------------------------
my_aflex        Check     Yes

11. Show the running-config:

AX(config)#show running-config
...
slb server node100 10.10.9.100
   port 80 tcp
      no health-check
slb server node101 10.10.9.101
   port 80 tcp
      no health-check
slb server node102 10.10.9.102
   port 80 tcp
      no health-check
slb server node103 10.10.9.103
   port 80 tcp
      no health-check
!
slb service-group http-sg1 tcp
   member node100:80
   member node101:80
slb service-group http-sg2 tcp
   member node102:80
   member node103:80
!
slb virtual-server v30 10.10.8.30
   port 80 http
      aflex my_aflex
!
...
AX(config)#


Using the GUI


1. Select Config > Service > aFleX, then click New. The aFleX tab appears. (See Figure 13.)
2. Enter a name for the aFleX policy in the Name field.
3. Enter the aFleX policy text into the Definition field.
4. Click OK to save the aFleX policy.

Note: You can click on the name of an existing aFleX policy to edit it in the GUI. You can delete an existing aFleX policy by selecting the checkbox located on the left of its name, then clicking the Delete button.

5. To bind the aFleX policy to a virtual port:
   a. Select Config > Service > Server, then select Virtual Server.
   b. Click on a virtual server name or click New to add a new one.
   c. If you are configuring a new virtual server, enter the name and IP address.
   d. Click Port to display the Port tab.
   e. Select a port and click, or click New to add a new port. The Virtual Server Port tab appears.
   f. Select the aFleX policy from the aFleX drop-down list. (See Figure 14.)
   g. Click OK.
   h. Click OK again.

FIGURE 13 Config Mode > Service > aFleX > New

FIGURE 14 Config Mode > Service > Server > Virtual Server > Port

aFleX Policy Examples


This section provides practical examples of aFleX policies based on real world traffic management applications. It is intended to provide an introduction to working with aFleX policies. If you would like additional assistance with scripting in aFleX, contact our support team.

Simple aFleX Policy


The following aFleX script is a simple example.

Example:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::remote_addr] equals 10.1.1.80] } {
        pool my_pool
    }
}

This aFleX policy uses the default CLIENT side association to the REMOTE_ADDR. Because the CLIENT_ACCEPTED event has a default context of clientside, the IP::remote_addr field is automatically assigned to clientside.

Redirecting HTTP Requests


aFleX scripts can be used to redirect HTTP requests to a specific location using the HTTP::redirect command. The target location can be a server name or a URI.

Example: This aFleX script specifies that when the server returns the status "Not Found" (404), the request is redirected to an HTTPS location instead of HTTP.

when HTTP_RESPONSE {
    if { [HTTP::status] contains "404" } {
        HTTP::redirect "https://www.siterequest.com"
    }
}

Example: This aFleX script presents an apology page if a 404 error occurs.

when HTTP_RESPONSE {
    if { [HTTP::status] contains "404" } {
        HTTP::respond 200 content "<html><head><title>Apology Page</title></head><body>We are sorry, but the site you are looking for is temporarily out of service.<br>If you feel you have reached this page in error, please try again.<p></body></html>"
    }
}


Data Persistence
when HTTP_REQUEST {
    if {[HTTP::cookie exists "CustomerIP"] and [HTTP::cookie exists "CustomerPort"]} {
        set cookie_not_exist 0
        # Direct traffic by the cookie
        node [HTTP::cookie "CustomerIP"] [HTTP::cookie "CustomerPort"]
    } else {
        set cookie_not_exist 1
        # Save the cookie path and direct the traffic by URI
        if {[HTTP::uri] contains "/myweb/"} {
            set cookie_path "/myweb"
            pool http-sg1
        } elseif {[HTTP::uri] contains "/myprint/"} {
            set cookie_path "/myprint"
            pool http-sg2
        } else {
            set cookie_path "/unexpected"
            pool http-sg3
        }
    }
}
when HTTP_RESPONSE {
    if {$cookie_not_exist} {
        # Add path to the persistent cookie
        HTTP::cookie insert name "CustomerIP" value [IP::server_addr] path $cookie_path
        HTTP::cookie insert name "CustomerPort" value [TCP::server_port] path $cookie_path
    }
}
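The policy above hands the CustomerIP and CustomerPort cookie values, which the client controls, directly to the node command. The following variant is an added example, not code from the A10 manual: it honors the cookie only when the pair names one of the four real servers from the CLI example (10.10.9.100 to 10.10.9.103, port 80), and otherwise ignores it, selects by URI, and issues a fresh cookie. The allowlist values and the log text are assumptions to adapt to the actual configuration.

```tcl
when HTTP_REQUEST {
    # 1 = no usable cookie, so HTTP_RESPONSE must issue a new one
    set cookie_not_exist 1

    if {[HTTP::cookie exists "CustomerIP"] and [HTTP::cookie exists "CustomerPort"]} {
        set c_ip   [HTTP::cookie "CustomerIP"]
        set c_port [HTTP::cookie "CustomerPort"]

        # Cookie values arrive from the client. Accept the ip:port pair
        # only when it is a configured real server (assumed allowlist,
        # taken from the CLI example). A body of "-" shares the body of
        # the next pattern, so all four entries run the same branch.
        switch -exact -- "${c_ip}:${c_port}" {
            "10.10.9.100:80" -
            "10.10.9.101:80" -
            "10.10.9.102:80" -
            "10.10.9.103:80" {
                set cookie_not_exist 0
                node $c_ip $c_port
            }
            default {
                log "persistence cookie names an unknown server, ignoring it"
            }
        }
    }

    if {$cookie_not_exist} {
        # Missing or rejected cookie: direct the traffic by URI and
        # remember the path for the cookie set in HTTP_RESPONSE
        if {[HTTP::uri] contains "/myweb/"} {
            set cookie_path "/myweb"
            pool http-sg1
        } elseif {[HTTP::uri] contains "/myprint/"} {
            set cookie_path "/myprint"
            pool http-sg2
        } else {
            set cookie_path "/unexpected"
            pool http-sg3
        }
    }
}
when HTTP_RESPONSE {
    if {$cookie_not_exist} {
        # Record the server that was actually selected by the AX device
        HTTP::cookie insert name "CustomerIP" value [IP::server_addr] path $cookie_path
        HTTP::cookie insert name "CustomerPort" value [TCP::server_port] path $cookie_path
    }
}
```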


Command Reference
aFleX scripts consist of three basic elements:

Events
Operators
Commands

These elements are described in detail in subsequent sections.

Events
The following subsections describe the aFleX events.

Global Events
RULE_INIT
Initializes global system variables. Within an aFleX policy, the RULE_INIT event can initialize a system variable on a global basis for all aFleX policies, or exclusively for that particular aFleX policy. The prefix placed before RULE_INIT specifies whether to initialize the variable for all aFleX policies, or only the current aFleX policy.

Prefix        Scope
::            Applies only to the current aFleX policy. This variable cannot be set or read by any other aFleX policies. Once the variable is defined, it can be removed only by an unset command.
::global::    Applies to all aFleX policies. This variable can be set or read by all aFleX policies on the AX device.

Note: Unbinding an aFleX policy will not remove the variable.

Example:
when RULE_INIT {
    # define per-aFleX global variable ::request_count
    # This variable is to count the # of HTTP_REQUEST hits by this aFleX policy
    set ::request_count 0
    # define per-system global variable ::global::ax_request_count
    # This variable is to count the total number of HTTP_REQUEST hits
    # in the AX system
    set ::global::ax_request_count 0
    # Remove per aFleX global variable ::remove_var1
    unset ::remove_var1
}
when HTTP_REQUEST {
    incr ::request_count
    incr ::global::ax_request_count
}

HTTP Events
HTTP_REQUEST
Triggered when the system fully parses a complete client request header (that is, the method, URI, version, and all headers, not including the body).

Example: If a client request URI contains the string "secure", redirect the client to HTTPS.

when HTTP_REQUEST {
    if { [HTTP::uri] contains "secure" } {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
}

Example: If a client request URI contains the string "Webdir", use service group app-pool. If the request URI contains the string "Docdir", use service group doc-pool.

when HTTP_REQUEST {
    if { [HTTP::uri] contains "Webdir" } {
        pool app-pool
    } elseif { [HTTP::uri] contains "Docdir" } {
        pool doc-pool
    }
}

Related Information
Available Commands: HTTP::cookie, HTTP::disable, HTTP::fallback, HTTP::header, HTTP::host, HTTP::is_keepalive, HTTP::is_redirect, HTTP::method, HTTP::path, HTTP::payload, HTTP::query, HTTP::redirect, HTTP::release, HTTP::request, HTTP::request_num, HTTP::respond, HTTP::uri, HTTP::version, pool, URI::query

HTTP_REQUEST_DATA
Triggered whenever an HTTP::collect command finishes processing, after collecting the requested amount of request data.

Related Information
Available Commands: HTTP::fallback, HTTP::host, HTTP::is_keepalive, HTTP::is_redirect, HTTP::method, HTTP::path, HTTP::query, HTTP::redirect, HTTP::release, HTTP::request, HTTP::request_num, HTTP::respond, HTTP::uri, HTTP::version

HTTP_REQUEST_SEND
Triggered immediately before a request is sent to a server. This is a serverside event.

Example:
when HTTP_REQUEST_SEND {
    HTTP::collect 12
}

Related Information
Available Commands: HTTP::header, HTTP::payload, IP::local_addr, IP::server_addr

HTTP_RESPONSE
Triggered when the system parses all of the response status and header lines from the server response.

Note: HTTP_RESPONSE is specific to a SERVER response passing through the load balancer, and is not triggered for locally-generated responses.

Example:
when HTTP_RESPONSE {
    if { [HTTP::status] contains "404" } {
        HTTP::redirect "http://www.siterequest.com/"
    }
}

Related Information
Available Commands: HTTP::cookie, HTTP::header, HTTP::host, HTTP::is_keepalive, HTTP::is_redirect, HTTP::payload, HTTP::redirect, HTTP::release, HTTP::request_num, HTTP::respond, HTTP::retry, HTTP::status, HTTP::version, IP::local_addr, IP::server_addr, URI::query

HTTP_RESPONSE_CONTINUE
Triggered whenever the system receives a 100 Continue response from the server.

HTTP_RESPONSE_DATA
Triggered whenever an HTTP::collect command finishes processing on the server side of a connection, after collecting the requested amount of response data. Also triggered if the server closes the connection before the HTTP::collect command finishes processing.

Example:
when HTTP_RESPONSE_DATA {
    # Length of the collected payload, used as the range to replace
    set clen [HTTP::payload length]
    regsub "oursite" [HTTP::payload] "oursitedev" fixeddata
    log "Replacing payload with fixed data."
    HTTP::payload replace 0 $clen $fixeddata
    HTTP::release
}

Example:
when HTTP_RESPONSE {
    HTTP::collect [HTTP::header Content-Length]
}
when HTTP_RESPONSE_DATA {
    set clen [HTTP::payload length]
    set newdata "Sorry, This website is temporarily unavailable."
    HTTP::payload replace 0 $clen $newdata
    HTTP::respond 200 content [HTTP::payload]
}

Related Information
Available Commands: HTTP::is_keepalive, HTTP::is_redirect, HTTP::redirect, HTTP::release, HTTP::request_num, HTTP::respond, HTTP::retry, HTTP::status, HTTP::version

IP, TCP, and UDP Events


CLIENT_ACCEPTED
Triggered when a client has established a connection.

Note: For UDP (and only UDP), the CLIENT_ACCEPTED event is triggered on the first UDP packet received.

Example:
when CLIENT_ACCEPTED {
    set curtime [TIME::clock seconds]
    set formattedtime [clock format $curtime -format {%H:%S}]
    log "the time is: $formattedtime"
}

Example:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 192.168.217.0/24] } {
        discard
        log "discard client from 192.168.217.0/24"
    }
}

Related Information
Available Commands: IP::client_addr, IP::local_addr, IP::protocol, IP::remote_addr, IP::server_addr, IP::tos, pool, serverside, TCP::collect

CLIENT_CLOSED
This event is triggered at the end of any client connection, regardless of protocol.

Example:
when CLIENT_CLOSED {
    # Assumes client_ip and ::active_clients were set in an earlier event
    # of the same policy (not shown here)
    if { [info exists ::active_clients($client_ip)] } {
        incr ::active_clients($client_ip) -1
        if { $::active_clients($client_ip) <= 0 } {
            unset ::active_clients($client_ip)
        }
    }
}

Related Information
Available Commands: IP::local_addr

CLIENT_DATA
Triggered when new data is received from the client while the connection is in a collect state. Note: For UDP (and only UDP), the CLIENT_DATA event is automatically triggered for each UDP packet received.

Example:
when CLIENT_DATA {
    if { [UDP::payload 50] contains "XYZ" } {
        pool xyz_servers
    }
}

Example: If a DNS request contains "abc", select service group abc-dns. If the request contains "xyz", select service group xyz-dns.

when CLIENT_DATA {
    log "UDP::payload 12 12 = [UDP::payload 12 12]"
    if { [UDP::payload 12 12] contains "abc" } {
        pool abc-dns
        log " select pool abc-dns"
    } elseif { [UDP::payload 12 12] contains "xyz" } {
        pool xyz-dns
        log " select pool xyz-dns"
    }
}

Related Information
Available Commands: pool

LB_FAILED
This event is triggered when the AX device cannot select a node for the incoming request; for example, if all nodes in the pool are down or all their connection limits have been reached.

Example:
when LB_FAILED {
    pool errorPool
}

Related Information
Available Commands: LB::reselect, LB::server


LB_SELECTED
This event is triggered when the system selects a pool member.

Example:
when LB_SELECTED {
    if { [IP::addr [IP::remote_addr] equals "10.0.0.1"] } {
        snat VIPsnat
    }
}

Related Information
Available Commands: IP::local_addr, LB::reselect, LB::server

SERVER_CLOSED
This event is triggered when the server-side connection closes.

Example:
when SERVER_CLOSED {
    log local0. "Server [IP::server_addr] has closed the connection"
}

Related Information
Available Commands: IP::local_addr, IP::server_addr

SERVER_CONNECTED
Triggered when a connection has been established with the target node.

Related Information
Available Commands: IP::local_addr, IP::server_addr

SERVER_DATA
Triggered when new data is received from the target node while the connection is in a hold state.


SSL Events
CLIENTSSL_CLIENTCERT
Triggered when the AX device receives an SSL client certificate.

Example:
when CLIENTSSL_CLIENTCERT {
    set cert [SSL::cert 0]
    set subject [X509::subject $cert]
}

Related Information
Available Commands: SSL::cert, SSL::sessionid, SSL::verify_result, X509::subject, X509::verify_cert_error_string

CLIENTSSL_HANDSHAKE
Triggered when an SSL handshake on the client side is completed.

Example:
when CLIENTSSL_HANDSHAKE {
    set cert [SSL::cert 0]
    set subject [X509::subject $cert]
}

Related Information
Available Commands: SSL::cert, SSL::sessionid, SSL::verify_result, X509::subject, X509::verify_cert_error_string


Operators
The following subsections describe the aFleX operators.

Relational Operators
contains
Tests whether one string (string1) contains another string (string2).

Syntax
<string1> contains <string2>

Example:
when HTTP_REQUEST {
    if { [HTTP::uri] contains "aol" } {
        pool aol_pool
    } else {
        pool all_pool
    }
}

ends_with
Tests whether one string (string1) ends with another string (string2).

Syntax
<string1> ends_with <string2>

Example:
when HTTP_REQUEST {
    set uri [HTTP::uri]
    if { $uri ends_with ".gif" } {
        pool my_pool
    } elseif { $uri ends_with ".jpg" } {
        pool your_pool
    }
}

Related Information
Valid Events: ALL


equals
Tests whether one string equals another string.

Syntax
<string1> equals <string2>

Related Information
Valid Events: ALL

matches
Tests whether one string matches another string.

Syntax
<string1> matches <string2>

Note: The "matches" operator uses the same comparison as the Tcl "string match" command, which functions like a cut-down regular expression. For the two strings to match, their contents must be identical except that the following special sequences may appear in the pattern:

*          Matches any sequence of characters in string, including a null string.
?          Matches any single character in string.
[chars]    Matches any character in the set given by chars. If a sequence of the form x-y appears in chars, then any character between x and y, inclusive, will match. When used with -nocase, the end points of the range are converted to lower case first. Whereas {[A-z]} matches '_' when matching case-sensitively ('_' falls between the 'Z' and 'a'), with -nocase this is considered to be like {[A-Za-z]}. (This is probably what was meant in the first place).
\x         Matches the single character x. This provides a way of avoiding the special interpretation of the characters *?[]\ in a pattern.

Example:
when HTTP_REQUEST {
    if { [HTTP::uri] matches {*\\aol\\[a-z].html} } {
        pool aol_pool
    } else {
        pool all_pool
    }
}

Related Information
Valid Events: ALL

matches_regex
Tests whether one string matches a regular expression.

Syntax
<string1> matches_regex <regex>
<string1> matches_regex <string2>

Tests if string2 is contained within string1.

Example:
when HTTP_REQUEST {
    # The patterns are written in braces so that the backslashes and
    # brackets reach the regular expression engine unchanged
    if { [HTTP::host] matches_regex {www\.([\w]*)\.com} } {
        pool com_pool
    } elseif { [HTTP::host] matches_regex {www\.([\w]*)\.edu} } {
        pool edu_pool
    }
}

Related Information
Valid Events: ALL
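Because matches_regex tests whether the expression is contained anywhere in the string, the patterns in the example above also accept a longer host name that merely includes a matching run. The following is an added example, not code from the A10 manual, that anchors both expressions to the whole Host header and answers locally when neither matches. The pool names come from the example above; the 400 status, the response text and the log text are assumptions modelled on the HTTP::respond apology-page example.

```tcl
when HTTP_REQUEST {
    # ^ and $ bind the expression to the complete header value. Without
    # them, www\.([\w]*)\.com is also found inside a constructed name
    # such as www.shop.com.attacker.example, which would be sent to
    # com_pool. Braces keep \. and \w literal for the regex engine.
    if { [HTTP::host] matches_regex {^www\.\w+\.com$} } {
        pool com_pool
    } elseif { [HTTP::host] matches_regex {^www\.\w+\.edu$} } {
        pool edu_pool
    } else {
        # The Host header is supplied by the client. A value that fails
        # both anchored checks is neither routed to a service group nor
        # echoed back; the AX device answers the request itself.
        log "request with unexpected Host header rejected"
        HTTP::respond 400 content "<html><body>Unknown site.</body></html>"
    }
}
```

Host values that carry a port suffix or a hyphenated label do not match \w+ and take the else branch; widen the expressions deliberately if such names are served.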

starts_with
Tests whether one string (string1) starts with another string (string2).

Syntax
<string1> starts_with <string2>

Example:
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/news" } {
        pool news_pool
    } elseif { [HTTP::uri] starts_with "/sports" } {
        pool sports_pool
    }
}

Related Information
Valid Events: ALL

switch
Built-in TCL command. Evaluates one of several scripts, depending on a given value.

Syntax
switch ?options? string {pattern body ?pattern body ...?}

Matches its string argument against each of the pattern arguments in order. As soon as it finds a pattern that matches string, it evaluates the following body argument by passing it recursively to the Tcl interpreter and returns the result of that evaluation. If the last pattern argument is "default", then it matches anything. If no pattern argument matches string and no default is given, then the command returns an empty string. If the initial arguments start with "-", then they are treated as options. The following options are currently supported:

-exact     Use exact matching when comparing string to a pattern. This is the default.
-glob      When matching string to the patterns, use glob-style matching (the same as implemented by the string match command).
-regexp    When matching string to the patterns, use regular expression matching (the same as implemented by the regexp command).
--         Marks the end of options. The argument following this one will be treated as string even if it starts with a "-".

Two syntaxes are provided for the pattern and body arguments. The first uses a separate argument for each of the patterns and commands; this form is convenient if substitutions are desired on some of the patterns or commands. The second form places all of the patterns and commands together into a single argument; the argument must have proper list structure, with the elements of the list being the patterns and commands. The second form makes it easy to construct multi-line commands, since the braces around the whole list make it unnecessary to include a backslash at the end of each line. Since the pattern arguments are in braces in the second form, no command or variable substitutions are performed on them; this makes the behavior of the second form different than the first form in some cases.

If a body is specified as "-" it means that the body for the next pattern should also be used as the body for this pattern (if the next pattern also has a body of "-" then the body after that is used, and so on). This feature makes it possible to share a single body among several patterns. Example: This example will return 2:
switch abc a - b {format 1} abc {format 2} default {format 3}
This example will return 3:
switch xyz {
    a -
    b {format 1}
    a* {format 2}
    default {format 3}
}

This example will send traffic with host header "www.domain.com" to pool www, host header "www.domain2.com" will cause header manipulation & URI rewriting to take place first, and requests with any other host header will be discarded:
switch [string tolower [HTTP::host]] {
    www.domain.com {
        pool www
    }
    www.domain2.com {
        HTTP::header insert Header1 domain2
        HTTP::header replace Host www.domain.com
        HTTP::uri "/domain2[HTTP::uri]"
        pool www
    }
    default {
        discard
    }
}

Related Information Valid Events: ALL


Logical Operators
and
Performs a logical and comparison between two values. Syntax <value1> and <value2> Example:
when HTTP_REQUEST {
    if { ([HTTP::uri] starts_with "/abc") and ([HTTP::host] equals "www.company.com") } {
        pool pool1
    } else {
        pool pool2
    }
}

Related Information Valid Events: ALL

not
Performs a logical not on a value. Syntax not <value> Example:
when HTTP_REQUEST {
    if { not ([HTTP::uri] starts_with "/abc") } {
        pool pool1
    } else {
        pool pool2
    }
}

Related Information Valid Events: ALL


or
Performs a logical or comparison between two values. Syntax <value1> or <value2> Example:
when HTTP_REQUEST {
    if { ([HTTP::uri] starts_with "/abc") or ([HTTP::uri] starts_with "/cde") } {
        pool pool1
    } else {
        pool pool2
    }
}

Related Information Valid Events: ALL


Commands
The following subsections describe the aFleX commands.

GLOBAL Commands
active_members
Returns number of active members in the pool. Syntax active_members <pool_name> Example:
when HTTP_REQUEST {
    if {[active_members pool1] >= 5} {
        pool big_pool
    }
}

Related Information Valid Events: ALL

b64decode
Returns the specified string, decoded from base-64. Returns NULL if there is an error. Syntax b64decode <string> Example:
when HTTP_REQUEST {
    set encrypted [HTTP::cookie "EncryptedCookie"]
    set decrypted [b64decode $encrypted]
    HTTP::cookie insert name "MyCookie" value $decrypted
}

Related Information Valid Events: ALL


b64encode
Returns the specified string, encoded as base-64. Returns NULL if there is an error. Syntax b64encode <string> Example:
when HTTP_REQUEST {
    set cert [SSL::cert 0]
    HTTP::header insert SSLCERT [b64encode $cert]
}

Related Information Valid Events: ALL

clientside
Causes the specified aFleX commands to be evaluated under the client-side context. This command has no effect if the aFleX command is already being evaluated under the client-side context. Syntax clientside {<aFleX commands>} Example:
when SERVER_CONNECTED {
    if { [IP::addr [clientside {IP::remote_addr}] equals 10.1.1.80] } {
        discard
    }
}

Related Information Valid Events: ALL

client_addr
Returns the client IP address of a connection. This is provided for backward compatibility. A10 Networks recommends using IP::client_addr instead.

Syntax client_addr Related Information Valid Events: See IP::client_addr on page 129.

client_port
Returns the TCP port number/service of the specified client. This is provided for backward compatibility. A10 Networks recommends using TCP::client_port instead. Syntax client_port Related Information Valid Events: See TCP::client_port on page 155.

cpu
The cpu usage command returns the average CPU load for the given interval. All averages are exponential weighted moving averages over the interval. Syntax cpu usage [1sec | 5secs | 15secs | 1min | 5mins | 15mins | all_seconds | all_minutes] Example:
when HTTP_REQUEST {
    if { [cpu usage 5secs] <= 1 } {
        pool pool1
    } else {
        HTTP::redirect "http://anotherpool.com"
    }
}

Related Information Valid Events: ALL


detach
Discontinue evaluating the aFleX event on a connection. The aFleX policy continues to run. Syntax detach

discard
Causes the current packet or connection (depending on the context of the event) to be discarded. This statement must be conditionally associated with an if statement. This command performs the same function as the drop command. Syntax discard Example:
when SERVER_CONNECTED {
    if { [IP::addr [clientside {IP::remote_addr}] equals 10.1.1.80] } {
        discard
    }
}

Related Information Valid Events: ALL

dnat
Disables or enables destination NAT for the current connection. The command overrides the behavior set by the no-dest-nat CLI command or equivalent GUI option on the virtual port. Note: Generally, disabling destination NAT is applicable only to Layer 4 traffic. Disabling destination NAT is applicable to Layer 7 traffic only for service type HTTP, on wildcard VIP used for Transparent Cache Switching (TCS). For an example, see the Service Type HTTP Without URL Switching Rules section in the Transparent Cache Switching chapter of the AX Series Configuration Guide. Syntax dnat {disable | enable}

Example:
when HTTP_REQUEST {
    if { [string length [HTTP::uri]] > 32 and [HTTP::uri] ends_with ".sdp" } {
        dnat enable
        HTTP::uri /post.php?vlink=[HTTP::uri]
        pool sgve1 member 192.168.0.10 8888
    } elseif { [HTTP::uri] contains "watch?" } {
        dnat enable
        HTTP::uri /post.php?vlink=[HTTP::uri]
        pool sgve2 member 192.168.0.10 8888
    } else {
        pool sg-router
    }
}

Related Information Valid Events: HTTP_REQUEST, CLIENT_ACCEPTED

domain
Parses the specified string as a dotted domain name and returns the last <count> portions of the domain name. Syntax domain <string> <count> Related Information Valid Events: ALL

drop
Causes the current packet or connection (depending on the context of the event) to be discarded. This command must be conditionally associated with an if command. This command performs the same function as the discard command. Syntax drop
Example:
when SERVER_CONNECTED {
    if { [IP::addr [clientside {IP::remote_addr}] equals 10.1.1.80] } {
        drop
    }
}

Related Information Valid Events: ALL

encoding
Convert the character encoding of a payload to the specified encoding. Syntax encoding {convertfrom | convertto} <encoding> Example: See set encode on page 102.

event
Discontinue evaluating the specified aFleX event, or all aFleX events, on this connection. However, the aFleX script continues to run. Syntax event [<name>] [enable | disable] | [enable all | disable all] Related Information Valid Events: ALL

findstr
Find a string within another string and return the string starting at the offset specified from the match. Syntax findstr <string> <search_string> [<skip_count> [<terminator>]]

Finds the string <search_string> within <string> and returns a sub-string based on the <skip_count> and <terminator> from the matched location. Note the following:
The <terminator> argument may be either a character or length.
If the <skip_count> argument is not specified, it defaults to zero.
If the <terminator> argument is not specified, it defaults to the end of the string.
This command, without <skip_count> or <terminator>, is equivalent to the following Tcl command: string range <string> [string first <search_string> <string>] end
Example:
when HTTP_REQUEST {
    if { [findstr [HTTP::uri] "type=" 5 "&"] eq "cgi" } {
        pool cgi_servers
    } else {
        pool web_servers
    }
}

Related Information Valid Events: ALL

getfield
Splits a string on a character or string, and returns the string corresponding to the specific field. Syntax getfield <string> <split> <field_number> Example: To extract only the hostname from the host header (strips any trailing ":###" port specification)
when HTTP_REQUEST {
    set hostname [getfield [HTTP::host] ":" 1]
}

To redirect any request for a domain.com host to the same hostname.subdomain @ domain.org (uses a multi-character split string and field_number 1 to extract only those characters in the hostname before the split string.):
when HTTP_REQUEST {
    if { [HTTP::host] contains "domain.com"} {
        HTTP::redirect https://[getfield [HTTP::host] ".domain.com" 1].domain.org[HTTP::uri]
    }
}

Related Information Valid Events: ALL

htonl
Convert the unsigned integer from host byte order to network byte order. Syntax htonl <hostlong> Example:
when HTTP_REQUEST {
    set hostlong 12345678
    set netlong [htonl $hostlong]
}

Related Information Valid Events: ALL

htons
Convert the unsigned short integer from host byte order to network byte order. Syntax htons <hostshort> Example:
when HTTP_REQUEST {
    set hostshort 1234
    set netshort [htons $hostshort]
}

Related Information Valid Events: ALL

http_cookie
Specifies the value in the Cookie: header for the specified cookie name. This is provided for backward-compatibility. A10 Networks recommends using HTTP::cookie instead. Syntax http_cookie <cookie_name> Related Information Valid Events: See HTTP::cookie on page 114.

http_header
Evaluates the string following an HTTP header tag that you specify. This command is provided for backward-compatibility. A10 Networks recommends using HTTP::header instead. Syntax http_header(header_tag_string) Related Information Valid Events: See HTTP::header on page 117.

http_host
Specifies the value in the Host: header of the HTTP request. This is provided for backward-compatibility. A10 Networks recommends using HTTP::host instead. Syntax http_host Related Information Valid Events: See HTTP::host on page 119.


http_method
Specifies the action of the HTTP request. Common values are GET and POST. This command is provided for backward-compatibility. A10 Networks recommends using HTTP::method instead. Syntax http_method Related Information Valid Events: See HTTP::method on page 120.

http_uri
Specifies a URL, but does not include the protocol and the fully qualified domain name (FQDN). For example, if the URL is http://www.mysite.com/buy.asp, then the URI is /buy.asp. This command is provided for backward-compatibility. A10 Networks recommends using HTTP::uri instead. Syntax http_uri Related Information Valid Events: See HTTP::uri on page 127.

http_version
Specifies the HTTP protocol version. Possible values are "HTTP/1.0" or "HTTP/1.1". This is provided for backward compatibility. A10 Networks recommends using HTTP::version instead. Syntax http_version Related Information Valid Events: See HTTP::version on page 128.

ip_protocol
Selects a pool based on an IP protocol number. A10 Networks recommends using IP::protocol instead.

Syntax ip_protocol Related Information Valid Events: See IP::protocol on page 130.

ip_tos
Sends the traffic to a different pool of servers based on the ToS level within a packet. The Type of Service (ToS) standard is a means by which network equipment can identify and treat traffic differently based on an identifier. As traffic enters the site, the AX device can apply a rule that sends the traffic to different pools of servers based on the ToS level within a packet. This is provided for backward-compatibility. A10 Networks recommends using IP::tos instead. Syntax ip_tos Related Information Valid Events: See IP::tos on page 133.

local_addr
Selects a pool based on a client's local IP address. For example, you can load balance traffic based on part of the client's IP address. A10 Networks recommends using IP::local_addr instead. Syntax IP::local_addr Related Information Valid Events: See IP::local_addr on page 129.

log
Generates and logs the specified message to the Syslog utility. This command works by performing variable expansion on the message as defined for the HTTP profile Header Insert setting.

Note: If not used appropriately, the log command can produce large amounts of output. The syslog facility is limited to logging 1024 bytes per request. Longer strings will be truncated.
Syntax log [<facility>.<level>] <message>
The facility can be one from "local0" to "local7" (Currently only "local0" is supported). The level can be a number from 0 to 7, or the corresponding level string, "EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", and "DEBUG".
Note: There is a significant behavioral difference when the optional <facility>.<level> is specified. When aFleX logs messages without the facility and/or level, they are rate-limited as a class and subsequently logged messages within the rate-limit period may be suppressed even though they are textually different. However, when the <facility> and/or <level> are specified, the log messages are not rate-limited (though syslog will still perform suppression of repeated duplicates).
Example:
log local0. "Found $isCard $type CC# $card_number"
log local0.0 "Fatal error"
log local0.DEBUG "This is log message from facility local0 and level DEBUG"

Related Information Valid Events: ALL

md5
Returns the RSA MD5 Message Digest Algorithm message digest of the specified string. Syntax md5 <string> Related Information Valid Events: All


node
Causes the specified server node (that is, IP address and port number) to be used directly, thus bypassing any load-balancing.
Syntax node <addr> [<port>]
Note: The node command requires that the real server (node) and service port already be configured. They also must be configured as a member of a service group.
Note: Connection limiting and connection rate limiting are not applied to a node if it is selected by this command.
Example:
when HTTP_REQUEST {
    if { [HTTP::uri] ends_with ".gif" } {
        node 10.1.2.200 80
    }
}

ntohl
Convert the unsigned integer from network byte order to host byte order. Syntax ntohl <netlong> Example:
when HTTP_REQUEST {
    set netlong 12345678
    set hostlong [ntohl $netlong]
}

Related Information Valid Events: ALL

ntohs
Convert the unsigned short integer from network byte order to host byte order.

Syntax ntohs <netshort> Example:
when HTTP_REQUEST {
    set netshort 1234
    set hostshort [ntohs $netshort]
}

Related Information Valid Events: ALL

persist
Set client persistence based on any value you choose.
Syntax
persist uie <string> [<timeout>]
Sets the key for an entry on the persistence table, which maps the client to an SLB resource (real server, real server port, or service group). If the persistence table contains the specified key, the AX device uses the SLB resource that key is mapped to in the table. Otherwise, the AX device uses SLB to select a resource but does not create a persistence table entry. The uie option stands for Universal Inspection Engine, indicating that you can set persistence based on any key. The <timeout> specifies how many seconds the persistence entry can remain in the table after the last time traffic from the client is sent to the server. The default is 1800 seconds. Internally, the timeout is converted to minutes and is decremented one minute at a time.
persist add uie <key> [timeout]
Adds an entry to the persistence table. This command differs from the command above in that it does not first check the persistence table for an existing entry for the key. The persist add form of the command is useful for setting persistence based on data that is set on the server and is therefore first observed by the AX device in the server response, rather than in the client request.
persist lookup uie <key> [all | node | port | pool]
Performs a lookup in the persistence table for an entry with the specified key:
all Returns all the values listed below. (If you do not specify this option or one of the following options, this is equivalent to specifying all.)
node Returns the real server IP address.
port Returns the real service port number.
pool Returns the pool (service group) name.
persist delete uie <key>
Deletes the persistence table entry for the specified key.
The <key> specifies the data, found within the HTTP header, upon which the persistence is based. The <key> can be specified with one of the following:
<specified-value>
{ <specified-value> [ any service | any pool ] [ pool <pool-name> ] }

Example:
when HTTP_RESPONSE {
    set IP [IP::client_addr]
    persist add uie $IP 1800
}
when HTTP_REQUEST {
    set IP [IP::client_addr]
    persist uie $IP
}

Example:
when HTTP_RESPONSE {
    set IP [IP::client_addr]
    persist add uie { $IP any service } 1800
}
when HTTP_REQUEST {
    set IP [IP::client_addr]
    set p [ persist lookup uie { $IP any service } all ]
    if { $p ne "" } {
        log local0. "Found in persistency-table ([lindex $p 0] [lindex $p 1] [lindex $p 2])"
        node [lindex $p 1] [lindex $p 2]
    }
}

Related Information Valid Events: ALL

pool
Causes the system to load balance traffic to the specified pool or pool member. Note: Pool / member may be selected conditionally. If multiple conditions match, the last match will determine the pool/member to which this traffic is load balanced. Syntax pool <pool_name> pool <pool_name> [member <addr> [<port>] ] pool <pool_name> Example:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        pool my_pool
    }
}

Related Information Valid Events: CLIENT_ACCEPTED, CLIENT_DATA, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, LB_FAILED, NAME_RESOLVED Events which do not generate an error, but are not likely valid for this command: HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA, LB_SELECTED, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA

redirect
Redirects an HTTP request to a specific location. The location can be either a host name or a URI. A10 Networks recommends using HTTP::redirect instead. Syntax redirect [<host_name> | <URI>] Related Information Valid Events: See HTTP::redirect on page 123.

reject
Causes the connection to be rejected, returning a reset as appropriate for the protocol. Syntax reject Example:
when SERVER_CONNECTED {
    if { [IP::addr [clientside {IP::remote_addr}] equals 10.1.1.80] } {
        reject
    }
}

Related Information Valid Events: ALL



remote_addr
Selects a pool based on part of the client's IP address. A10 Networks recommends using IP::remote_addr instead. Syntax remote_addr Related Information Valid Events: See IP::remote_addr on page 131.

serverside
Causes the specified aFleX command or commands to be evaluated under the server-side context. This command has no effect if the aFleX policy is already being evaluated under the server-side context. Syntax serverside { <aFleX command> } Example:
when CLIENT_ACCEPTED {
    if {[IP::addr [serverside {IP::remote_addr}] equals 10.1.1.80] } {
        discard
    }
}

Related Information Valid Events: ALL

server_addr
Returns the IP address of the server. A10 Networks recommends using IP::server_addr instead. Syntax IP::server_addr Related Information Valid Events: See IP::server_addr on page 131.


server_port
Returns the TCP port/service number of the specified server. A10 Networks recommends using TCP::server_port instead. Syntax TCP::server_port Related Information Valid Events: See TCP::server_port on page 159.

session
Manage SSL sessions.
Syntax
session add ssl <key> <data> [<timeout>]
session lookup ssl <key>
session delete <mode> <key>
The session add ssl command creates a table to store SSL information. If an SSL table already exists, the command adds an entry to the table. Generally, the <key> is the session ID and the data is the SSL verify_result or the SSL certificate. The session lookup ssl command searches the SSL table for information about the specified key. The session delete command deletes an SSL entry.
Example:
when CLIENTSSL_HANDSHAKE {
    set cert1 [SSL::cert 0]
    session add ssl [SSL::sessionid] $cert1 300
}
when HTTP_REQUEST {
    set cert2 [session lookup ssl [SSL::sessionid]]
}

Related Information Valid Events: CLIENT_ACCEPTED, HTTP_REQUEST, HTTP_RESPONSE, CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE

set encode
Set the character encoding for data payloads.

Syntax
set encode "<encoding>"

Example: Here is an example of an aFleX policy that converts payload data into Japanese encoding Shift_JIS:
when HTTP_RESPONSE {
    if { [HTTP::header "Content-Type"] contains "Shift_JIS" } {
        set encode "shiftjis"
        HTTP::collect
    }
}
when HTTP_RESPONSE_DATA {
    set hoge [HTTP::payload length]
    set payload [encoding convertfrom $encode [HTTP::payload]]
    regsub -all "abc" $payload "xyz" newdata
    set newdata3 [encoding convertto $encode $newdata]
    HTTP::payload replace 0 $hoge $newdata3
    HTTP::release
}

Related Information Valid Events: The set encode command is valid with all events. The payload replace command (used in the example above) is valid only with the HTTP_RESPONSE_DATA event.

sha1
Returns the Secure Hash Algorithm version 1.0 (SHA1) message digest of the specified string.

Note: If an error occurs, an empty string is returned. Syntax sha1 <string> Related Information Valid Events: All

snatpool
Uses the specified pool of IP addresses as translation addresses to create a SNAT. The command uses the specified NAT pool instead of the NAT pool that is already bound to the virtual port in the AX configuration.
Syntax snatpool <snatpool_name>
The <snatpool_name> option specifies the name of a configured IP address pool.
Note: A NAT pool must already be bound to the virtual port in the AX configuration. This is the virtual port's default NAT pool.
Note: The IP type (IPv4 or IPv6) of the pool must be the same as the IP type of the real servers.
Example:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::local_addr] equals 10.0.0.35] } {
        snatpool snat_a
    } else {
        snatpool snat_b
    }
}

Related Information Valid Events: CLIENT_ACCEPTED, HTTP_REQUEST, LB_SELECTED For Layer 4 virtual ports, the snatpool command must be triggered by a CLIENT_ACCEPTED or LB_SELECTED event. For Layer 7 ports, the snatpool command must be triggered by a HTTP_REQUEST event.


substr
Returns a sub-string of <string>, based on the values of the <skip_count> and <terminator> arguments.
Syntax substr <string> <skip_count> [<terminator>]
Note the following:
The <skip_count> and <terminator> arguments are used in the same way as they are for the findstr command.
The <skip_count> argument is the index into <string> of the first character to be returned, where 0 indicates the first character of <string>.
The <terminator> argument can be either the substring length or the substring terminating string.
If <terminator> is an integer, the returned string will include that many characters, or up to the end of the string, whichever is shorter.
If <terminator> is a string, the returned string will include characters up to but not including the first occurrence of the string.
If <terminator> is a string which does not occur in the search space, from <skip_count> to the end of <string> is returned.
This command is equivalent to the Tcl string range command except that the value of the <terminator> argument may be either a character or a count.
Example:
when HTTP_REQUEST {
    set uri [substr [HTTP::uri] 1 "?"]
    log local0. "Uri Part = $uri"
}
log "[substr "abcdefghijklm" 2 "x"]"
log "[substr "abcdefghijklm" 2 "gh"]"
log "[substr "abcdefghijklm" 2 4]"
log "[substr "abcdefghijklm" 2 20]"
log "[substr "abcdefghijklm" 2 0]"

The above example logs the following:
cdefghijklm
cdef
cdef
cdefghijklm
cdefghijklm
Related Information Valid Events: ALL
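The <skip_count> and <terminator> rules given for findstr and substr can be traced with the following added model, which is not part of the A10 manual and runs in plain tclsh. The proc names and sample URIs are constructed for the example, and the empty result when findstr finds no match is an assumption the manual does not state.

```tcl
# Added model of the substr and findstr rules described in this reference.
# Not A10 code; behaviour in corner cases the manual leaves open is assumed.

proc model_substr {str skip {terminator ""}} {
    # skip is the index of the first character to return.
    set rest [string range $str $skip end]
    if {$terminator eq ""} {
        return $rest
    }
    if {[string is integer -strict $terminator]} {
        # Integer terminator is a length. The manual's own example shows
        # that a length of 0 returns everything up to the end.
        if {$terminator <= 0} {
            return $rest
        }
        return [string range $rest 0 [expr {$terminator - 1}]]
    }
    # String terminator: stop before its first occurrence, if there is one.
    set cut [string first $terminator $rest]
    if {$cut < 0} {
        return $rest
    }
    return [string range $rest 0 [expr {$cut - 1}]]
}

proc model_findstr {str search {skip 0} {terminator ""}} {
    # The first occurrence of the search string decides the result.
    set at [string first $search $str]
    if {$at < 0} {
        return ""    ;# assumption: no match yields an empty string
    }
    return [model_substr [string range $str $at end] $skip $terminator]
}

# Pool choice from the findstr example in this reference.
proc model_route {uri} {
    if {[model_findstr $uri "type=" 5 "&"] eq "cgi"} {
        return cgi_servers
    }
    return web_servers
}

# The five substr calls from the manual's example.
foreach term {"x" "gh" 4 20 0} {
    puts "substr abcdefghijklm 2 $term -> [model_substr abcdefghijklm 2 $term]"
}

# Constructed request URIs.
foreach uri {
    /app?type=cgi&id=7
    /app?id=7&type=html
    /app?subtype=cgi&type=html
    /app
} {
    puts [format "%-28s -> %s" $uri [model_route $uri]]
}
```

In this model the third constructed URI is sent to cgi_servers, because the first "type=" found is the tail of "subtype="; a policy that routes on a parameter value should match the full parameter name, including its leading "?" or "&".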

virtual
Return the name of the associated virtual server that the connection is flowing through. Syntax virtual name Example:
when HTTP_REQUEST {
    log local0. "Virtual Server: [virtual name]"
}

Related Information Valid Events: ALL

when
Specify an event in an aFleX script. All aFleX events begin with a when command. You can specify multiple when commands within a single aFleX script. Syntax when <event_name> Example:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        pool my_pool
    }
}

Related Information Valid Events: ALL


LB Commands
LB::down
Temporarily marks the current real port down for 30 seconds. Syntax: LB::down Valid Events: LB_FAILED, LB_SELECTED Example: See Example 2 in LB::reselect on page 106.

LB::reselect
Reperforms server selection. Syntax: LB::reselect [pool <pool-name> [<member>]] If you use the command without any of the optional parameters, SLB selects the next available member (server and port) from the same service group used for the initial server selection. To specify the service group to use, use the pool <pool-name> option. If you also use the <member> option, the specified member is selected from the specified service group. Note: This command applies to Layer 7 traffic only for HTTP and HTTPS. Valid Events: LB_FAILED, LB_SELECTED Example 1: In this aFleX policy, the HTTP::retry command retries sending a client's request to a service port that replies with an HTTP 5xx status code. If the first server continues to reply with a 5xx status code after 3 retries, the LB::reselect command reassigns the client request to another server.

when CLIENT_ACCEPTED {
    set retry 0
    set max_retry 3
    set reselect 0
}
when LB_SELECTED {
    if { $retry > 0 } {
        LB::reselect
        incr reselect
    }
}
when HTTP_RESPONSE {
    set status [HTTP::status]
    if { $retry < $max_retry } {
        if { $status starts_with "5" } {
            incr retry
            HTTP::retry
        }
    }
}

Example 2: This aFleX policy is similar to the one above, except the LB::down command in the policy marks the service port down for 30 seconds.
when CLIENT_ACCEPTED { set retry 0 set max_retry 3 } when HTTP_REQUEST { log "In HTTP_REQUEST: $retry" log "End HTTP_REQUEST" }

when LB_SELECTED {
    log "In LB_SELECTED: current retry count = $retry"
    if { $retry > 0 } {
        log "In LB_RESLECT"
        LB::down
        LB::reselect
    }
    log "End LB_SELECTED"
}
when HTTP_RESPONSE {
    log "In HTTP_RESPONSE"
    set status [HTTP::status]
    log "1,$status"
    if { $retry < $max_retry } {
        if { $status starts_with "5" } {
            log "2,$status"
            incr retry
            HTTP::retry
        }
    }
    log "End HTTP_RESPONSE"
}

Example 3: This aFleX policy uses the STATS::get command to retrieve total connection statistics for two service groups, then selects the service group with fewer total connections. After a service group is selected, the policy selects a server from the group. If a retry occurs, the LB::reselect command selects another server from the same service group. If the maximum number of retries has already been reached, the other service group is selected. If both service groups have reached the maximum number of retries, a third service group is used.
when CLIENT_ACCEPTED {
    # set initial retries count equal to 0
    set retries 0
    # variable for the first time
    set first 0
    # number of retry per pool
    set retry_cnt_per_pool 0
    # max. number of retry per pool
    set max_retry_per_pool 6

    # number of pool retry
    set num_pool_retry 0
    # max. number of pool to retry
    set max_pool_retry 1
    # Next pool to try
    set next_pool "sg-tcp80-2"
    # Error status code
    set error_code "500"
    # Reselect counter
    set reselect 0
    # Total retry counter
    set retry 0
}
when HTTP_REQUEST {
    # Get service group 1 status
    set group_data_1 [STATS::get pool sg-tcp80-1 total-connection]
    # Get service group 2 status
    set group_data_2 [STATS::get pool sg-tcp80-2 total-connection]
    # Based on the status of each service group, decide which pool the
    # 1st packet should go to.
    if { $first == 0 } {
        if { $group_data_1 > $group_data_2 } {
            pool "sg-tcp80-2"
            set flag "2"
        } else {
            pool "sg-tcp80-1"
            set flag "1"
        }
    }
    log "End HTTP_REQUEST"
}
when LB_SELECTED {
    if { $first == 0 } {
        set first 1
    } elseif { $retries < $max_retry_per_pool } {
        # select next member in the same pool
        LB::reselect
        incr reselect

    } elseif { $num_pool_retry < $max_pool_retry } {
        incr num_pool_retry
        set retries 0
        # select other pool
        if { $flag == "1" } {
            LB::reselect pool sg-tcp80-2
            incr reselect
        } else {
            LB::reselect pool sg-tcp80-1
            incr reselect
        }
    } else {
        set traffic [STATS::get pool sg-tcp80-3 member 20.20.20.37 80 current-connection]
        if { $traffic < 10000 } {
            LB::reselect pool sg-tcp80-3 member 20.20.20.37 80
            incr reselect
        }
    }
}
when HTTP_RESPONSE {
    log "In HTTP_RESPONSE"
    set r_status [HTTP::status]
    if { $r_status starts_with "5" } {
        incr retries
        # reselect next member or another pool
        HTTP::retry
        incr retry
    }
}

LB::status node
Returns the health check status of a node.
Syntax
LB::status node <ipaddr> [port <port-num> {tcp | udp}]
If you specify the node IP address only, the Layer 3 health status of the server is returned. If you also specify a protocol port and its transport protocol, the health status of the port is also returned. If you use the port option, the port number and the transport protocol (tcp or udp) also are required.
The health status returned by the command is Up or Down.

Example:
when HTTP_REQUEST {
    if { [LB::status node 10.1.100.222 port 7000 tcp] == "Up" } {
        log "*** Server 10.1.100.222 port 7000 is UP! ***"
    } else {
        log "*** Server 10.1.100.222 port 7000 is DOWN! ***"
    }
}

Related Information
Valid Events: ALL

LB::status pool
Returns the health check status of a pool.
Syntax
LB::status pool <pool_name> [member <ipaddr> [<port_num>]] [partition shared]
If you specify the pool name only, the health status of the group is returned. If you also specify a member (node) IP address and, optionally, service port number, the health status of the specified member or port is returned.
The health status returned by the command is Up or Down.
Example:
when HTTP_REQUEST {
    if { [LB::status pool svcgroup-1 member 10.1.100.222 7000] == "up" } {
        log "member 10.1.100.222 port 7000 of service group svcgroup-1 is UP!"
    } else {
        log "member 10.1.100.222 port 7000 of service group svcgroup-1 is DOWN!"
    }
}

Related Information
Valid Events: ALL


HTTP Commands
HTTP::close
Inserts a Connection: close header and closes the HTTP connection.
Syntax
HTTP::close
Example:
when HTTP_RESPONSE {
    HTTP::version "0.9"
    HTTP::close
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_RESPONSE

HTTP::collect
Collects the amount of data that you specify with the <length> argument. When the system collects the specified amount of HTTP content data, it triggers the aFleX event HTTP_REQUEST_DATA or HTTP_RESPONSE_DATA, depending on where the data is coming from. You can use this command with the HTTP::request or HTTP::payload <size> command.
Syntax
HTTP::collect
Collects data. Use caution when omitting the value of the content length. Doing so can stall the connection.
HTTP::collect [<length>]
Collects the amount of data that you specify with the <length> argument. Use caution when specifying a value larger than the size of the actual length. Doing so can stall the connection.
Note: If you specify length 0, the HTTP_RESPONSE_DATA event is not triggered since no data is collected.

If the <length> option is not used, the AX device behaves as follows:
- If the packet has an HTTP Content-Length header, the AX device collects as much data as specified by the header, up to the maximum allowed, 1.25 MB.
- If the packet does not have an HTTP Content-Length header, the AX device will keep collecting data until one of the following occurs:
  - 1.25 MB of data is collected (This is the maximum amount that can be collected.)
  - A zero-size chunk-encoded packet is received
  - RST is received from the server
  - FIN is received from the server
  Generally, a packet without a Content-Length header will be a chunk-encoded packet.

Notes:
- The AX device buffers the entire payload before replying to the client. If the object to be collected is very large, performance can be affected.
- The HTTP::collect command is not supported if RAM caching is enabled.
- If the HTTP::payload replace command is used in the same aFleX policy as the HTTP::collect command:
  - For packets that do not contain chunk-encoded data, the AX device will replace the collected data with the specified string.
  - For chunk-encoded packets, the command will de-chunk the packet first, by removing the chunk header and assembling the packet. The AX will then replace the content with the new string. The AX will not rechunk the payload. The packet received by the client will not be chunk-encoded.
  - In the current release, the HTTP::payload replace command only supports clear text replacement. If the server response is compressed (transfer-encoded, tar, gz, bz, and so on), this feature will not work properly.

If the server does use encoded responses, you can work around this by using an aFleX policy to remove the Accept-Encoding header from HTTP requests. For example:
when HTTP_REQUEST {
    if { [HTTP::header exists "Accept-Encoding"] } {
        HTTP::header remove Accept-Encoding
    }
}

Example:
when HTTP_RESPONSE {
    if { [HTTP::status] == 205 } {
        HTTP::collect [HTTP::header Content-Length]
    }
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE, HTTP_RESPONSE_DATA

HTTP::cookie
Queries for or manipulates cookies in HTTP requests and responses. This command replaces the http_cookie command.
Syntax
HTTP::cookie names
HTTP::cookie count
HTTP::cookie [value] <name> [<string>]
HTTP::cookie version <name> [version]
HTTP::cookie path <name> [path]
HTTP::cookie domain <name> [domain]
HTTP::cookie ports <name> [portlist]
HTTP::cookie insert name <name> value <value> [path <path>] [domain <domain>] [version <0 | 1 | 2>]
HTTP::cookie remove <name>
HTTP::cookie sanitize [attribute]+
HTTP::cookie exists <name>
HTTP::cookie maxage <name> [seconds]
HTTP::cookie expires <name> [seconds] [absolute | relative]
HTTP::cookie comment <name> [comment]
HTTP::cookie secure <name> [enable|disable]
HTTP::cookie commenturl <name> [commenturl]
HTTP::cookie discard <name> [enable|disable]

HTTP::cookie names
Returns the names of all the cookies present in the HTTP header.

HTTP::cookie count
Returns the number of cookies present in the HTTP header.

HTTP::cookie [value] <name> [string]
Sets or gets the cookie value of the given name in an HTTP request. You can omit the keyword "value" from this command if the cookie name does not collide with any of the other commands.

HTTP::cookie version <name> [version]
Sets or gets the version of the cookie.

HTTP::cookie path <name> [path]
Sets or gets the cookie path.

HTTP::cookie domain <name> [domain]
Sets or gets the cookie domain.

HTTP::cookie ports <name> [portlist]
Sets or gets the cookie port lists for V1 cookies.

HTTP::cookie insert name <name> value <value> [path <path>] [domain <domain>] [version <0 | 1 | 2>]
Adds or replaces a cookie in an HTTP response. The default value for the version is 0.

HTTP::cookie remove <name>
Removes a cookie.

HTTP::cookie sanitize [attribute]+
Removes all but the specified attributes from the cookie.

HTTP::cookie exists <name>
Returns a true value if the cookie exists.

HTTP::cookie maxage <name> [seconds]
Sets or gets the max-age. Applies to Version 1 cookies only, and applies to response messages only.

HTTP::cookie expires <name> [seconds] [absolute | relative]
Sets or gets the expires attribute. Applies to Version 0 cookies only. If you specify the absolute argument, the seconds value represents number of seconds since the UNIX epoch (January 1, 1970). The default number of seconds is relative, which is the number of seconds from the current time. Applies to response messages only.

HTTP::cookie comment <name> [comment]
Sets or gets the cookie comment. Applicable only to Version 1 cookies, and applies to response messages only.

HTTP::cookie secure <name> [enable | disable]
Sets or gets the value of the secure attribute. Applies to response messages only.

HTTP::cookie commenturl <name> [commenturl]
Sets or gets the comment URL. Applicable only to Version 1 cookies, and applies to response messages only.

HTTP::cookie discard <name> [enable | disable]
Sets or gets the value of the discard attribute. Applicable only to Version 1 cookies, and applies to response messages only.

Example:
when HTTP_REQUEST {
    if { [HTTP::cookie exists "cookie-name"] } {
        set cookie_s [HTTP::cookie "cookie-name"]
        HTTP::cookie remove "cookie-name"
        set cookie_a [HTTP::header cookie]
        HTTP::header replace "cookie" "$cookie_a; WLSID=$cookie_s"
    }
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_RESPONSE


HTTP::fallback
Specifies or overrides the fallback host specified in the HTTP profile.
Syntax
HTTP::fallback <host>
Example:
when LB_FAILED {
    HTTP::fallback "http://siteunavailable.mysite.com/"
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_DATA

HTTP::header
Queries for or manipulates an HTTP header.
Syntax
HTTP::header [value] <name>
Returns the value of the HTTP header named <name>. You can omit the <value> argument if the header name does not collide with any of the subcommands.

HTTP::header names
Returns a list of all the headers present on the request or response.

HTTP::header count
Returns the number of HTTP headers present in the request or response.

HTTP::header at <index>
Returns the HTTP header that the AX device finds at the zero-based index value.

HTTP::header exists <name>
Returns true if the named header is present on the request or response.

HTTP::header insert ["lws"] <name> <value>
Inserts the named HTTP header and its value into the end of the HTTP request or response. If you specify "lws", the AX device adds linear white space to long header values.

HTTP::header insert ["lws"] {n1, v1, n2, v2, n3, v3, }
Passes a Tcl list to insert into a header. In such cases, the AX device treats the list as a list of name/value pairs. If you specify "lws", the AX device adds linear white space to long header values.

HTTP::header [value] <name> <string>
Sets the value of the named header. If the header is present, the command replaces the header; otherwise, the command adds the header. You can omit the <value> argument if the header name does not collide with any other values.

HTTP::header replace <name> [<string>]
Replaces the last occurrence of the named header with the string <string>. This command performs a header insertion if the header was not present.

HTTP::header remove <name>
Removes all headers with the name <name>.

HTTP::header insert_modssl_fields [addr | service]
Inserts the HTTP header field ClientIPAddress or ClientTCPService. Optional arguments for these header fields are addr and service, respectively.

HTTP::header sanitize <header name>+
Removes all but the headers you specify. However, the command does not remove essential HTTP headers.

Example:
when HTTP_REQUEST {
    if { [HTTP::header "Host"] starts_with "andrew" } {
        pool andrew_pool
    } else {
        pool main_pool
    }
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_SEND, HTTP_RESPONSE


HTTP::host
Returns the host name (and port, if specified) of the HTTP request. This command replaces the http_host command.
Syntax
HTTP::host
Example:
when HTTP_REQUEST {
    if { [HTTP::uri] contains "secure" } {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE
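
HTTP::host returns the value the client sent in the Host header, so a redirect built from it is best limited to names the site actually serves. The policy below is an added example, not part of the A10 reference; the host names in allowed_hosts are placeholders, and it assumes the standard Tcl string, split, lindex and lsearch commands are available in the aFleX engine.

```tcl
when HTTP_REQUEST {
    # Placeholder list of host names this virtual port is expected to serve.
    set allowed_hosts {www.example.com webmail.example.com}

    # HTTP::host may carry a port ("host:port"); keep only the name part and
    # lower-case it so the comparison is not defeated by letter case.
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]

    if { [HTTP::uri] contains "secure" } {
        if { [lsearch -exact $allowed_hosts $host] >= 0 } {
            # Known host name: build the redirect from the validated value.
            HTTP::redirect "https://${host}[HTTP::uri]"
        } else {
            # Unknown or missing Host header: answer locally instead of
            # reflecting it into a Location header. Only the client address
            # is logged, not the client-supplied header value.
            log "Unexpected Host header from [IP::client_addr], request rejected"
            HTTP::respond 400 content "Bad Request"
        }
    }
}
```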

HTTP::is_keepalive
Returns a true value if this is a Keep-Alive connection.
Syntax
HTTP::is_keepalive
Example:
when HTTP_RESPONSE {
    if { [HTTP::is_keepalive] } {
        HTTP::close
    }
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE, HTTP_RESPONSE_DATA

HTTP::is_redirect
Returns a true value if the response is a certain type of redirect.

Syntax
HTTP::is_redirect
Example:
when HTTP_RESPONSE {
    if { [HTTP::is_redirect] } {
        log local0. "Request redirected."
    }
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE, HTTP_RESPONSE_DATA

HTTP::method
Returns the type of HTTP request method. This command replaces the http_method command.
Syntax
HTTP::method
Example:
when HTTP_REQUEST {
    log local0. "HTTP Method: [HTTP::method]"
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_DATA

HTTP::path
Returns the path part of the HTTP request.
Syntax
HTTP::path [<string>]

Example:
when HTTP_REQUEST {
    log local0. "Host - [HTTP::host]"
    log local0. "Path - [HTTP::path]"
}

Webmail redirect example: https://webmail.company.com is redirected to https://webmail.company.com/exchange. This is the correct path for exchange. Redirected traffic then passes to the webmail pool.
when HTTP_REQUEST {
    if { [HTTP::path] equals "/" } {
        HTTP::redirect "https://[HTTP::host]/exchange/"
        #log local0. "redirect"
    } else {
        pool pool_webmail
        #log local0. "using pool "
    }
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_DATA

HTTP::payload
Queries for or replaces content information. With this command, you can retrieve content, query for content size, or replace a certain amount of content.
Syntax
HTTP::payload [<size>]
HTTP::payload length
HTTP::payload <offset> <size>
HTTP::payload replace <offset> <size> <data>

HTTP::payload [<size>]
Returns the content that the HTTP::collect command has collected thus far. If you do not specify a size, the system returns the collected content.

HTTP::payload length
Returns the size of the content that the command has collected thus far, not including the HTTP headers.

HTTP::payload <offset> <size>
Returns the content that the HTTP::collect command has collected, starting at <offset> with size equal to <size>.

HTTP::payload replace <offset> <size> <string>
Replaces the amount of content that you specified with the <size> argument, starting at <offset>, with <string>.

Example:
when HTTP_RESPONSE {
    if { [HTTP::status] == 205 } {
        HTTP::collect [HTTP::header Content-Length]
    }
}
when HTTP_RESPONSE_DATA {
    HTTP::respond 200 content [HTTP::payload]
}
when HTTP_RESPONSE_DATA {
    # Size of the collected content, used as the amount to replace
    set clen [HTTP::payload length]
    regsub -all "oursite" [HTTP::payload] "oursitedev" newdata
    log "Replacing payload with new data."
    HTTP::payload replace 0 $clen $newdata
    HTTP::release
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_DATA
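
The HTTP::collect cautions and the HTTP::payload replace behaviour described above, combined into one policy. This is an added example, not code from the A10 reference: the 262144-byte cap is a hypothetical value, and it assumes the standard Tcl string and regsub commands behave in the aFleX engine as they do in Tcl.

```tcl
when HTTP_REQUEST {
    # HTTP::payload replace only supports clear text, so ask the server
    # for an unencoded body by removing Accept-Encoding from the request.
    if { [HTTP::header exists "Accept-Encoding"] } {
        HTTP::header remove "Accept-Encoding"
    }
}

when HTTP_RESPONSE {
    # Hypothetical cap, well below the 1.25 MB collection maximum, so that
    # large objects pass through instead of being buffered in full.
    set max_collect 262144

    # Collect only when the server declares a usable length. Omitting the
    # length, or asking for more than the body holds, can stall the
    # connection; length 0 would never trigger HTTP_RESPONSE_DATA.
    if { [HTTP::header exists "Content-Length"] } {
        set len [HTTP::header "Content-Length"]
        if { [string is integer -strict $len] && $len > 0 && $len <= $max_collect } {
            HTTP::collect $len
        }
    }
}

when HTTP_RESPONSE_DATA {
    # Use the size of what was actually collected as the replace length,
    # not the value the header announced.
    set clen [HTTP::payload length]

    # regsub returns the number of substitutions it made.
    set count [regsub -all "oursite" [HTTP::payload] "oursitedev" newdata]
    if { $count > 0 } {
        log "Replaced $count occurrence(s) in $clen bytes of payload."
        HTTP::payload replace 0 $clen $newdata
    }
    # No HTTP::release here: with no further HTTP::collect issued, the
    # collected data is released implicitly when this event ends.
}
```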

HTTP::query
Returns the query part of the HTTP request.
Syntax
HTTP::query
Example:
when HTTP_REQUEST {
    log local0. "http_path [HTTP::path]"
    log local0. "http_query [HTTP::query]"
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_DATA

HTTP::redirect
Redirects an HTTP request or response to the specified URL.
Note: This command sends the response to the client immediately. Therefore, you cannot specify this command multiple times in an aFleX script, nor can you specify any other commands that modify header or content, after you specify this command.
Syntax
HTTP::redirect <url>
Example:
when HTTP_RESPONSE {
    if { [HTTP::status] contains "404" } {
        HTTP::redirect "http://www.siterequest.com/"
    }
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE, HTTP_RESPONSE_DATA

HTTP::release
Releases the collected data. Unless a subsequent HTTP::collect command was issued, there is no need to use the HTTP::release command inside of the HTTP_REQUEST_DATA and HTTP_RESPONSE_DATA events, since in these cases, the data is implicitly released.
Syntax
HTTP::release

Example:
when HTTP_RESPONSE_DATA {
    # Size of the collected content, used as the amount to replace
    set clen [HTTP::payload length]
    regsub -all "oursite" [HTTP::payload] "oursitedev" newdata
    log "Replacing payload with new data."
    HTTP::payload replace 0 $clen $newdata
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE, HTTP_RESPONSE_DATA

HTTP::request
Returns the raw request header string. You can access the request payload using the HTTP::collect command.
Syntax
HTTP::request
Example:
when HTTP_REQUEST {
    # save original request
    set req [HTTP::request]
    # flag as new request needing lookup
    set lookup 1
    # inject lookup URI in place of original request
    HTTP::uri "/page.aspx?ip=[IP::client_addr]"
    # set pool to lookup server pool
    pool lookup_server
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_DATA

HTTP::request_num
Returns the number of HTTP requests that a client made on the connection.
Syntax
HTTP::request_num

Example:
when HTTP_REQUEST {
    log local0. "Request number [HTTP::request_num]"
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE, HTTP_RESPONSE_DATA

HTTP::respond
This is a powerful API that allows users to generate or rewrite a client request or a server response. When the system runs the command on the client side, it sends the response to the client without any load balancing taking place. If the system runs the command on the server side, the content from the actual server is discarded and replaced with the information provided to this API.
Note: The maximum size response that can be sent using this command is 64 KB. Because the system sends the response data immediately after this aFleX script runs, A10 Networks recommends that you not run any more aFleX scripts after this API.
Syntax
HTTP::respond <status code> [content <content Value>] [<Header name> <Header Value>]+
Example: To send a redirect with a cookie set.
when HTTP_REQUEST {
    set ckname "app"
    set ckvalue "893"
    set cookie [format "%s=%s; path=/; domain=%s" $ckname $ckvalue ".domain.org"]
    HTTP::respond 302 Location "http://www.domain.org" "Set-Cookie" $cookie
}

Or, to send an apology page from within the aFleX policy:
when HTTP_REQUEST {
    HTTP::respond 200 content "<html><head><title>Apology Page</title></head><body>We are sorry, but the site you are looking for is temporarily out of service<br>If you feel you have reached this page in error, please try again.<p></body></html>"
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE, HTTP_RESPONSE_DATA

HTTP::retry
Resends an HTTP request to the server.
Note: This command is supported only for virtual port types HTTP and HTTPS. It is not supported for fast-HTTP or any of the other virtual port types.
Syntax: HTTP::retry
Valid Events: HTTP_RESPONSE, HTTP_RESPONSE_DATA
Example: See the first example in LB::reselect on page 106.

HTTP::status
Returns the response status code.
Syntax
HTTP::status

Example:
when HTTP_RESPONSE {
    if { [HTTP::status] contains "404" } {
        HTTP::redirect "http://www.siterequest.com/"
    }
}

Related Information
Valid Events: HTTP_RESPONSE, HTTP_RESPONSE_DATA

HTTP::uri
Returns or sets the URI of the request. This command replaces the http_uri command.
Syntax
HTTP::uri <string>
The URI string does not include the protocol (http or https) or hostname, just the path, starting with the slash after the hostname.

HTTP::uri <string>
Changes the URI passed to the server. It should always start with a slash.

Example:
when HTTP_REQUEST {
    if { [HTTP::uri] ends_with "cgi" } {
        pool cgi_pool
    } elseif { [HTTP::uri] starts_with "/abc" } {
        pool abc_servers
    }
}

Make the URI path start with /prefix if it doesn't already:
when HTTP_REQUEST {
    if { not ([HTTP::uri] starts_with "/prefix") } {
        HTTP::uri /prefix[HTTP::uri]
    }
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_DATA



HTTP::version
Returns or sets the HTTP version of the request or response. This command replaces the http_version command.
Syntax
HTTP::version ["0.9" | "1.0" | "1.1"]
Example:
when HTTP_RESPONSE {
    HTTP::version "1.1"
}

Related Information
Valid Events: HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE, HTTP_RESPONSE_DATA

IP Commands
IP::addr
Performs comparison of IP address/subnet/supernet to IP address/subnet/supernet. Returns 0 if no match, 1 for a match.
Note: This command does NOT perform a string comparison. To perform a literal string comparison, simply compare the 2 strings with the appropriate operator (equals, contains, starts_with, and so on) rather than using the IP::addr comparison.
Syntax
IP::addr <addr1>[/<mask>] equals <addr2>[/<mask>]
IP::addr
Example:
To perform comparison of IP address 10.10.10.1 with subnet 10.0.0.0/8. (Will return 1, since it is a match.)
[IP::addr 10.10.10.1 equals 10.0.0.0/8]

To perform comparison of client-side IP address with subnet 10.0.0.0/8. (Will return 1 or 0, depending on client IP address.)
[IP::addr [IP::client_addr] equals 10.0.0.0/8]
To select a specific pool for a specific client IP address.
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        pool my_pool
    }
}

Related Information
Valid Events: ALL

IP::client_addr
Returns the client IP address of a connection. This command is equivalent to the command clientside { IP::remote_addr }.
Syntax
IP::client_addr
Example:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        pool my_pool
    }
}

Related Information
Valid Events: CLIENT_ACCEPTED, CLIENT_CLOSED, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_DATA, LB_SELECTED, SERVER_CONNECTED

IP::local_addr
This command is primarily useful for generic rules that are re-used. Also, it is useful in reusing the connected endpoint in another statement or to make routing type decisions. You can also specify the IP::client_addr and IP::server_addr commands.

Syntax
IP::local_addr
Returns the IP address of the AX being used in the connection. In the clientside context, this is the destination IP address (virtual IP address). In the serverside context, this is the source IP address (SNAT address if SNAT is used, else spoofed client IP address).
Example:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::local_addr] equals 172.16.32.2] } {
        pool deprecated_site
    } else {
        pool current_site_pool
    }
}
when SERVER_CONNECTED {
    log local0. "Source IP address for connection to node: [IP::local_addr]"
}

Related Information
Valid Events: CLIENT_ACCEPTED, CLIENT_CLOSED, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_DATA, LB_SELECTED, SERVER_CLOSED, SERVER_CONNECTED

IP::protocol
Returns the IP protocol value.
Syntax
IP::protocol
Example:
when CLIENT_ACCEPTED {
    if { [IP::protocol] == 6 } {
        pool tcp_pool
    } else {
        pool slow_pool
    }
}

Related Information
Valid Events: CLIENT_ACCEPTED

IP::remote_addr
Returns the IP address of the host on the far end of the connection. In the clientside context, this is the client IP address. In the serverside context, this is the node IP address. You can also specify the IP::client_addr and IP::server_addr commands, respectively.
Syntax
IP::remote_addr
Example:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::remote_addr] equals 206.0.0.0/255.0.0.0] } {
        pool clients_from_206
    } else {
        pool other_clients_pool
    }
}
when SERVER_CONNECTED {
    log local0. "Node IP address is: [IP::remote_addr]"
}

Related Information
Valid Events: CLIENT_ACCEPTED, CLIENT_CLOSED, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_DATA, LB_SELECTED, SERVER_CLOSED, SERVER_CONNECTED

IP::server_addr
Returns the server's (node's) IP address, once a serverside connection has been established. This command is equivalent to the command serverside {IP::remote_addr}. The command returns 0 if the serverside connection has not been made.
Syntax
IP::server_addr

Example:
when SERVER_CONNECTED {
    log local0. "Node IP address: [IP::server_addr]"
}

Related Information
Valid Events: HTTP_REQUEST_SEND, HTTP_RESPONSE, LB_SELECTED, SERVER_CLOSED, SERVER_CONNECTED

IP::stats
Supplies information about the number of packets or bytes being sent or received in a given connection.
Syntax
IP::stats pkts in
IP::stats pkts out
IP::stats pkts
IP::stats bytes in
IP::stats bytes out
IP::stats bytes
IP::stats age

IP::stats pkts in
Returns number of packets received

IP::stats pkts out
Returns number of packets sent

IP::stats pkts
Returns a Tcl list of packets in and packets out

IP::stats bytes in
Returns number of bytes received

IP::stats bytes out
Returns number of bytes sent

IP::stats bytes
Returns Tcl list of bytes in and bytes out

Related Information
Valid Events: ALL

IP::tos
Selects a different pool of servers based on the ToS level within a packet. The Type of Service (ToS) standard is a means by which network equipment can identify and treat traffic differently based on an identifier. As traffic enters the site, the AX device can apply a rule that sends the traffic to different pools of servers based on the ToS level within a packet.
Note: This command replaces the ip_tos command.
Syntax
IP::tos
Selects a different pool of servers based on the ToS level within a packet.
Example:
when CLIENT_ACCEPTED {
    if { [IP::tos] == 16 } {
        pool telnet_pool
    } else {
        pool slow_pool
    }
}

Related Information
Valid Events: CLIENT_ACCEPTED

IP::ttl
Returns the TTL of the current packet being acted upon.
Syntax
IP::ttl
Example:
when CLIENT_ACCEPTED {
    if { [IP::ttl] < 3 } {
        drop
    }
}

Related Information
Valid Events: CLIENT_ACCEPTED

IP::version
Returns the version of the current packet being acted upon.
Syntax
IP::version
Example:
when CLIENT_ACCEPTED {
    if { [IP::version] eq 6 } {
        pool ipv6_pool
    } else {
        pool ipv4_pool
    }
}

Related Information
Valid Events: CLIENT_ACCEPTED

SIP Commands
SIP::call_id
Returns the value of the Call-ID header in a SIP request.
Syntax: SIP::call_id
Example: See SIP Command Examples on page 139.
Related Information Valid Events: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE


SIP::from
Returns the value of the From header in a SIP request.
Syntax: SIP::from
Example: See SIP Command Examples on page 139.
Related Information Valid Events: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE

SIP::header
Returns SIP header header-name.
Syntax: SIP::header [<value>] header-name [<index>]
The <value> option specifies the header value. The <index> option indicates the header to act upon, in cases where there are multiple header levels. Without the <index> option, the first instance of the header is acted upon by the aFleX policy.
Example: See SIP Command Examples on page 139.
Related Information Valid Events: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE

SIP::header insert
Inserts the specified SIP header-name:header-value pair at position <index>.
Syntax: SIP::header insert header-name header-value <index>
If you do not specify the <index>, the header is inserted prior to any preexisting header of the same name and value. If no such header exists, a Via header is inserted at the head of the SIP headers, and others are inserted at the tail.
Example: See SIP Command Examples on page 139.
Related Information Valid Events: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE

SIP::method
Returns the type of the SIP request method.
Syntax: SIP::method
Example: See SIP Command Examples on page 139.
Related Information Valid Events: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE

SIP::respond
Sends back a response with the specified code, phrase, and header-name:header-value pair.
Syntax: SIP::respond code <"phrase" <"header-name" "header-value">>
Example: See SIP Command Examples on page 139.
Related Information Valid Events: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE


SIP::response
Gets the SIP response code or response phrase, or rewrites the response code and phrase, if specified.
Syntax:
SIP::response code
    Gets the SIP response code.
SIP::response phrase
    Gets the response phrase.
SIP::response rewrite code <phrase>
    Rewrites the response code and phrase, if specified.
Example: See SIP Command Examples on page 139.
Related Information Valid Events: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE

SIP::to
Returns the value of the To header in the SIP request.
Syntax: SIP::to
Example: See SIP Command Examples on page 139.
Related Information Valid Events: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE

SIP::uri
Returns the complete URI of the request.
Syntax: SIP::uri
Example: See SIP Command Examples on page 139.
Related Information Valid Events: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE

SIP::via
Gets SIP via information.
Syntax:
SIP::via [<index>]
    Gets the information in the SIP via header. If you specify the <index>, only the information at the specified index level is returned.
SIP::via proto [<index>]
    Gets the protocol part of the SIP via at the specified index level. If you specify the <index>, only the information at the specified index level is returned.
SIP::via sent_by [<index>]
    Gets the sent_by part of the SIP via at the specified index level. If you specify the <index>, only the information at the specified index level is returned.
SIP::via received [<index>]
    Gets the received attribute of the SIP via at the specified index level. If you specify the <index>, only the information at the specified index level is returned.
SIP::via branch [<index>]
    Gets the branch attribute of the SIP via at the specified index level. If you specify the <index>, only the information at the specified index level is returned.
SIP::via maddr [<index>]
    Gets the maddr attribute of the SIP via at the specified index level.
SIP::via ttl [<index>]
    Gets the TTL attribute of the SIP via at the specified index level. If you specify the <index>, only the information at the specified index level is returned.
Example: See SIP Command Examples on page 139.
Related Information Valid Events: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE

SIP Command Examples


Example 1:
when SIP_REQUEST {
    if { [SIP::method] contains "SUBSCRIBE" } {
        log "***************** SIP-REQUEST *******************"
        log "SIP::call_id is [SIP::call_id]"
        log "---------------------------------------------------"
        log "SIP::from is [SIP::from]"
        log "---------------------------------------------------"
        log "SIP::header Via [SIP::header Via]"
        log "SIP::header Via value index0 [SIP::header value Via 0]"
        log "SIP::header Via index9 [SIP::header Via 9]"
        log "SIP::header From [SIP::header From]"
        log "SIP::header value From index0 [SIP::header value From 0]"
        log "SIP::header From index9 <not exist> [SIP::header From 9]"
        log "SIP::header To [SIP::header To]"
        log "SIP::header To index0 [SIP::header To 0]"
        log "SIP::header value To index9 <not exist> [SIP::header value To 9]"
        log "SIP::header Call-ID [SIP::header Call-ID]"
        log "SIP::header value Call-ID index0 [SIP::header value Call-ID 0]"
        log "SIP::header value Call-ID index9 <not exist> [SIP::header value Call-ID 9]"
        log "SIP::header CSeq [SIP::header CSeq]"
        log "SIP::header CSeq value index0 [SIP::header value CSeq 0]"
        log "SIP::header CSeq index9 <not exist> [SIP::header CSeq 9]"
        log "SIP::header Contact [SIP::header Contact]"
        log "SIP::header value Contact index0 [SIP::header value Contact 0]"
        log "SIP::header Contact index9 <not exist> [SIP::header Contact 9]"
        log "SIP::header Max-Forwards [SIP::header Max-Forwards]"
        log "SIP::header Event [SIP::header Event]"
        log "SIP::header User-Agent [SIP::header User-Agent]"
        log "SIP::header Expires [SIP::header Expires]"
        log "SIP::header Allow [SIP::header Allow]"
        log "SIP::header Accept [SIP::header Accept]"
        log "SIP::header Content-length [SIP::header Content-length]"
        log "SIP::header abc <not valid header> [SIP::header abc]"
        log "---------------------------------------------------"
        SIP::header remove Via
        log "SIP::header remove Via [SIP::header Via]"
        SIP::header remove From
        log "SIP::header remove From [SIP::header From]"
        log "---------------------------------------------------"
        log "SIP::header Via 0 (request) [SIP::header Via 0]"
        log "SIP::response code [SIP::response code]"
        SIP::header insert Via "SIP/10.0/UDP ss.under.test.com:5070;maddr=3ffe:501:ffff:50::51;ttl=1;branch=z9hG4bK721e418c 4.1" 10
        SIP::header insert event "SIP/2.0/UDP ss.under.test.com:5070;maddr=3ffe:501:ffff:50::51;ttl=1;branch=z9hG4bK721e418c 4.1;received=3ffe:501:ffff:50::50" 1
        # log "Event 0 is [SIP::header event]"
        SIP::header insert From "<sip:218@mysip.com>;tag=1043119751"
        log "SIP::header insert From index1 [SIP::header From]"
        log "SIP::header From [SIP::header From]"
        SIP::header insert Via "SIP/2.0/UDP 171.1.1.217:5060;rport;branch=z9hG4bk11229103"
        log "SIP::header insert Via [SIP::header Via]"
        log "SIP::header From(2) [SIP::header From]"
        log "SIP::header insert xyz index9 [SIP::header insert xyz "x y z" 9]"
        log "---------------------------------------------------"
        log "SIP::method [SIP::method]"
        log "---------------------------------------------------"
        SIP::respond 401 "no way" From "future"
        log "---------------------------------------------------"
        log "SIP::response [SIP::response code]"
        log "SIP::response phrase [SIP::response phrase]"
        SIP::response rewrite 402 "no xxx"
        log "SIP::response rewrite code phrase [SIP::response code]"
        log "---------------------------------------------------"
        log "SIP::to [SIP::to]"
        log "---------------------------------------------------"
        log "SIP::uri [SIP::uri]"
        log "---------------------------------------------------"
        log "SIP::via [SIP::via]"
        log "SIP::via index0 [SIP::via 0]"
        log "SIP::via index9 [SIP::via 9]"
        log "SIP::via proto [SIP::via proto]"
        log "SIP::via proto index0 [SIP::via proto 0]"
        log "SIP::via proto index9 [SIP::via proto 9]"
        log "SIP::via sent_by [SIP::via sent_by]"
        log "SIP::via sent_by index0 [SIP::via sent_by 0]"
        log "SIP::via sent_by index9 [SIP::via sent_by 9]"
        log "SIP::via received [SIP::via received]"
        log "SIP::via received index0 [SIP::via received 0]"
        log "SIP::via received index9 [SIP::via received 9]"
        log "SIP::via branch [SIP::via branch]"
        log "SIP::via branch index0 [SIP::via branch 0]"
        log "SIP::via branch index9 [SIP::via branch 9]"
        log "SIP::via maddr [SIP::via maddr]"
        log "SIP::via maddr index0 [SIP::via maddr 0]"
        log "SIP::via maddr index9 [SIP::via maddr 9]"
        log "SIP::via ttl [SIP::via ttl]"
        log "SIP::via ttl index0 [SIP::via ttl 0]"
        log "SIP::via ttl index9 [SIP::via ttl 9]"
    }
}

Example 2:
when SIP_RESPONSE {
    if { [SIP::response code] equals "401" } {
        SIP::response rewrite 411 Phrase_Unauthorized
        log "SIP::response code [SIP::response code]"
        log "SIP::response phrase [SIP::response phrase]"
    }
    if { [SIP::response code] equals "501" } {
        SIP::response rewrite 511 Phrase_Not_Implemented
        log "SIP::response code [SIP::response code]"
        log "SIP::response phrase [SIP::response phrase]"
    }
    if { [SIP::response code] equals "200" } {
        SIP::response rewrite 210 okok
        log "SIP::response code [SIP::response code]"
        log "SIP::response phrase [SIP::response phrase]"
    }
}

Example 3:
when SIP_REQUEST_SEND {
    if { [SIP::method] contains "SUBSCRIBE" } {
        log "***************** SIP-REQUEST-SEND *******************"
        log "SIP::header Via 1 (request_sent) [SIP::header Via 1]"
        log "SIP::call_id is [SIP::call_id]"
        log "---------------------------------------------------"
        log "SIP::from is [SIP::from]"
        log "---------------------------------------------------"
        log "SIP::header Via [SIP::header Via]"
        log "SIP::header Via value index0 [SIP::header value Via 0]"
        log "SIP::header Via index9 [SIP::header Via 9]"
        log "SIP::header From [SIP::header From]"
        log "SIP::header value From index0 [SIP::header value From 0]"
        log "SIP::header From index9 <not exist> [SIP::header From 9]"
        log "SIP::header To [SIP::header To]"
        log "SIP::header To index0 [SIP::header To 0]"
        log "SIP::header value To index9 <not exist> [SIP::header value To 9]"
        log "SIP::header Call-ID [SIP::header Call-ID]"
        log "SIP::header value Call-ID index0 [SIP::header value Call-ID 0]"
        log "SIP::header value Call-ID index9 <not exist> [SIP::header value Call-ID 9]"
        log "SIP::header CSeq [SIP::header CSeq]"
        log "SIP::header CSeq value index0 [SIP::header value CSeq 0]"
        log "SIP::header CSeq index9 <not exist> [SIP::header CSeq 9]"
        log "SIP::header Contact [SIP::header Contact]"
        log "SIP::header value Contact index0 [SIP::header value Contact 0]"
        log "SIP::header Contact index9 <not exist> [SIP::header Contact 9]"
        log "SIP::header Max-Forwards [SIP::header Max-Forwards]"
        log "SIP::header Event [SIP::header Event]"
        log "SIP::header User-Agent [SIP::header User-Agent]"
        log "SIP::header Expires [SIP::header Expires]"
        log "SIP::header Allow [SIP::header Allow]"
        log "SIP::header Accept [SIP::header Accept]"
        log "SIP::header Content-length [SIP::header Content-length]"
        log "SIP::header abc <not valid header> [SIP::header abc]"
        log "---------------------------------------------------"
        SIP::header remove Via
        log "SIP::header remove Via [SIP::header Via]"
        SIP::header remove From
        log "SIP::header remove From [SIP::header From]"
        SIP::header remove From
        log "SIP::header remove From [SIP::header From]"
        SIP::header remove abc
        log "SIP::header remove index To [SIP::header abc]"
        log "---------------------------------------------------"
        SIP::header insert From "<sip:218@mysip.com>;tag=1043119751"
        log "SIP::header insert From index1 [SIP::header From]"
        log "SIP::header From [SIP::header From]"
        SIP::header insert Via "SIP/2.0/UDP 171.1.1.217:5060;rport;branch=z9hG4bk11229103"
        log "SIP::header insert Via [SIP::header Via]"
        log "SIP::header From(2) [SIP::header From]"
        log "SIP::header insert xyz index9 [SIP::header insert xyz "x y z" 9]"
        log "---------------------------------------------------"
        log "SIP::method [SIP::method]"
        log "---------------------------------------------------"
        SIP::respond 401 "no way" From "future"
        log "---------------------------------------------------"
        log "SIP::response [SIP::response code]"
        log "SIP::response phrase [SIP::response phrase]"
        SIP::response rewrite 402 "no xxx"
        log "SIP::response rewrite code phrase [SIP::response code]"
        log "---------------------------------------------------"
        log "SIP::to [SIP::to]"
        log "---------------------------------------------------"
        log "SIP::uri [SIP::uri]"
        log "---------------------------------------------------"
        log "SIP::via [SIP::via]"
        log "SIP::via index0 [SIP::via 0]"
        log "SIP::via index9 [SIP::via 9]"
        log "SIP::via proto [SIP::via proto]"
        log "SIP::via proto index0 [SIP::via proto 0]"
        log "SIP::via proto index9 [SIP::via proto 9]"
        log "SIP::via sent_by [SIP::via sent_by]"
        log "SIP::via sent_by index0 [SIP::via sent_by 0]"
        log "SIP::via sent_by index9 [SIP::via sent_by 9]"
        log "SIP::via received [SIP::via received]"
        log "SIP::via received index0 [SIP::via received 0]"
        log "SIP::via received index9 [SIP::via received 9]"
        log "SIP::via branch [SIP::via branch]"
        log "SIP::via branch index0 [SIP::via branch 0]"
        log "SIP::via branch index9 [SIP::via branch 9]"
        log "SIP::via maddr [SIP::via maddr]"
        log "SIP::via maddr index0 [SIP::via maddr 0]"
        log "SIP::via maddr index9 [SIP::via maddr 9]"
        log "SIP::via ttl [SIP::via ttl]"
        log "SIP::via ttl index0 [SIP::via ttl 0]"
        log "SIP::via ttl index9 [SIP::via ttl 9]"
    }
}


Policy-Based SLB Commands


POLICY::bwlist id
Returns the group ID associated with an IP address in a black/white list.
Syntax: POLICY::bwlist id <ip> [<bwlist_name>]
Specifying a black/white list name is optional. If you specify a list name, the AX device looks in the specified list. If you do not specify a list name, the AX device looks in the black/white list that is bound to the same virtual port to which the aFleX policy is bound.

Example:
when HTTP_REQUEST {
    set client_addr [IP::client_addr]
    set group_id [ POLICY::bwlist id $client_addr ]
    set bwfile_group_id [ POLICY::bwlist id $client_addr bwfile ]
    if { $group_id equals 10 } {
        pool sg1
    } elseif { $bwfile_group_id equals 20 } {
        pool sg2
    } else {
        reject
    }
}

Related Information Valid Events: All

SSL and X509 Commands


SSL::cert
Returns the SSL certificate with the specified level in the certificate chain. The level is 0-based.
Syntax: SSL::cert <level>

Example:
when CLIENTSSL_CLIENTCERT {
    set cert [SSL::cert 0]
    session add ssl [SSL::sessionid] $cert
}
when HTTP_REQUEST {
    if { [SSL::cert count] > 5 } {
        set issuer [SSL::cert issuer 2]
        log "issuer $issuer"
    } else {
        SSL::cert mode request
    }
}

Related Information Valid Events CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE

SSL::cert count
Returns the number of certificates in the certificate chain.
Syntax: SSL::cert count
Example: See the example for SSL::cert on page 145.
Related Information Valid Events: See SSL::cert on page 145.

SSL::cert issuer
Returns the issuer of the certificate with the specified level.
Syntax: SSL::cert issuer <index>
Example: See the example for SSL::cert on page 145.
Related Information Valid Events: See SSL::cert on page 145.

SSL::cert mode
Sets the certificate mode. This setting overrides the mode setting in the template.
Syntax: SSL::cert mode <request | require | ignore | auto>
Example: See the example for SSL::cert on page 145.
Related Information Valid Events: See SSL::cert on page 145.

SSL::sessionid
Returns the current SSL session ID.
Syntax: SSL::sessionid
Note: Only the client side is supported.

Example:
when CLIENTSSL_HANDSHAKE {
    set cert [SSL::cert 0]
    session add ssl [SSL::sessionid] $cert 300
}

Related Information Valid Events CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE


SSL::verify_result
If <result_code> is not specified, returns the result code of the peer certificate verification. If <result_code> is specified, sets the result code of the peer certificate verification.
Syntax: SSL::verify_result [<result_code>]

Example:
when CLIENTSSL_HANDSHAKE {
    set result [ X509::verify_cert_error_string [SSL::verify_result]]
    log "Result is $result"
}

Related Information Valid Events CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE

X509::issuer
Returns the issuer of the X.509 certificate.
Syntax: X509::issuer

Example:
when CLIENTSSL_HANDSHAKE {
    set issuer [X509::issuer [SSL::cert 0]]
    log "Issuer: $issuer"
}

Related Information Valid Events: CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE

X509::not_valid_after
Returns the not-valid-after date of an X.509 certificate.
Syntax: X509::not_valid_after

Example:
when CLIENTSSL_HANDSHAKE {
    set not_valid_after [X509::not_valid_after [SSL::cert 0]]
    log "Not Valid After: $not_valid_after"
}

Related Information Valid Events: CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE

X509::not_valid_before
Returns the not-valid-before date of an X.509 certificate.
Syntax: X509::not_valid_before

Example:
when CLIENTSSL_HANDSHAKE {
    set not_valid_before [X509::not_valid_before [SSL::cert 0]]
    log "Not Valid Before: $not_valid_before"
}

Related Information Valid Events: CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE


X509::serial_number
Returns the serial number of an X.509 certificate.
Syntax: X509::serial_number

Example:
when CLIENTSSL_HANDSHAKE {
    set serial_number [X509::serial_number [SSL::cert 0]]
    log "Serial Number: $serial_number"
}

Related Information Valid Events: CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE

X509::subject
Returns the subject of an X.509 certificate.
Syntax: X509::subject

Example:
when CLIENTSSL_HANDSHAKE {
    set subject [X509::subject [SSL::cert 0]]
    log "subject $subject"
}

Related Information Valid Events CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE


X509::verify_cert_error_string
Returns the error string as an OpenSSL X.509 error string.
Syntax: X509::verify_cert_error_string <error_code>

Example:
when CLIENTSSL_HANDSHAKE {
    set result [X509::verify_cert_error_string [SSL::verify_result]]
    log "result $result"
}

Related Information Valid Events CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE

X509::version
Returns the version number of an X.509 certificate.
Syntax: X509::version

Example:
when CLIENTSSL_HANDSHAKE {
    set version [X509::version [SSL::cert 0]]
    log "Version Number: $version"
}

Related Information Valid Events: CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE
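
The SSL and X509 examples above only log certificate fields. The following added example (not from the A10 manual) combines them into an enforcement policy that admits a request only when a client certificate was presented, passed verification, and names an expected issuer. Assumptions: the pool name secure_pool and the issuer string are placeholders, SSL::cert count returns 0 when the client sent no certificate, SSL::verify_result carries the OpenSSL result code (0 means no verification error), and reject behaves as in the POLICY::bwlist example.

```tcl
# Added example, not from the A10 manual.
# Placeholders (assumptions): pool "secure_pool" and the issuer string below.
when HTTP_REQUEST {
    set client_addr [IP::client_addr]
    set verify_code [SSL::verify_result]

    if { [SSL::cert count] == 0 } {
        # OpenSSL reports a verify result of 0 (OK) when the peer sent no
        # certificate at all, so a zero result alone does not prove that a
        # certificate was checked. Test the chain length first.
        # Assumption: SSL::cert count returns 0 in that case.
        log "client-cert deny from $client_addr, reason: no certificate presented"
        reject
    } elseif { $verify_code != 0 } {
        # Any non-zero code is a verification failure; log the OpenSSL text.
        log "client-cert deny from $client_addr, reason: [X509::verify_cert_error_string $verify_code]"
        reject
    } else {
        set cert [SSL::cert 0]
        set issuer [X509::issuer $cert]
        # Chain trust was already decided by the verify result. The issuer
        # match only narrows which trusted CA is accepted on this virtual port.
        # Assumption: the issuer is returned as a string containing the CA's CN.
        if { $issuer contains "CN=Example Internal CA" } {
            log "client-cert allow from $client_addr, subject=[X509::subject $cert] serial=[X509::serial_number $cert] not_after=[X509::not_valid_after $cert]"
            pool secure_pool
        } else {
            log "client-cert deny from $client_addr, reason: unexpected issuer $issuer"
            reject
        }
    }
}
```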


STATS Commands
STATS::clear
Clears statistics for a real server (node), virtual server, or service group (pool).
Syntax:
Clear Real Server Statistics: To clear statistics for a real server, use the following command:
STATS::clear server <server-name | ipaddr> [<port-num> <tcp | udp>] current-connection | total-connection | request-pkt | response-pkt [partition shared]

Clear Virtual Server Statistics: To clear statistics for a virtual server, use the following command:
STATS::clear virtual-server <vip-name | vipaddr> [<port-num> <service-type>] current-connection | total-connection | request-pkt | response-pkt [partition shared]

Clear Service Group Statistics: To clear statistics for a service group, use the following command:
STATS::clear pool <pool-name> [member <ipaddr> <port-num>] current-connection | total-connection | request-pkt | response-pkt [partition shared]

Valid Events: All events

Example:
when HTTP_REQUEST {
    STATS::clear server rs-server-2 80 tcp total-connection
    STATS::clear virtual-server vip-1 80 http total-connection
    STATS::clear pool sg-tcp80 total-connection
}


STATS::get
Retrieves statistics for a real server (node), virtual server, or service group (pool).
Syntax:
Get Real Server Statistics: To retrieve statistics from a real server, use the following command:
STATS::get server <server-name | ipaddr> [<port-num> <tcp | udp>] current-connection | total-connection | request-pkt | response-pkt [partition shared]

You can specify the server by its name or IP address (<server-name> or <ipaddr>). Optionally, you can specify an individual port by its port number (0-65535) and Layer 4 protocol (tcp or udp). By default, statistics for all the server's real ports are returned. To specify the types of statistics to return, use one of the following options:
current-connection
total-connection
request-pkt
response-pkt

The shared partition option applies the command to real servers in the shared partition. By default, the STATS::get command acts only upon the real servers located in the Role-Based Administration (RBA) partition that contains the aFleX policy.

Get Virtual Server Statistics: To retrieve statistics from a virtual server, use the following command:
STATS::get virtual-server <vip-name | vipaddr> [<port-num> <service-type>] current-connection | total-connection | request-pkt | response-pkt [partition shared]

You can specify the virtual server by its name or VIP address (<vip-name> or <vipaddr>). Optionally, you can specify an individual port by its port number (0-65535) and service type (tcp, udp, http, https, and so on). By default, statistics for all the virtual server's ports are returned. The other options are the same as those for real servers.

Get Service Group Statistics:
STATS::get pool <pool-name> [member <ipaddr> <port-num>] current-connection | total-connection | request-pkt | response-pkt [partition shared]

Specify the service group by its name (pool-name). Optionally, you can specify an individual member (server and port) by the real server IP address and protocol port number. By default, statistics for all the service group's members are returned. The other options are the same as those for real servers and virtual servers.

Valid Events: All events

Example: The following policy will select a real server based on the current connection counter:
when CLIENT_ACCEPTED {
    set total1 [STATS::get server 10.10.10.10 current-connection]
    set total2 [STATS::get server 10.10.10.20 current-connection]
    if { $total1 > $total2 } {
        node 10.10.10.20 80
    } else {
        node 10.10.10.10 80
    }
}

For another example, see Example 3 in LB::reselect on page 106.


TCP Commands
TCP::client_port
Returns the TCP port/service number of the specified client. This command is equivalent to the command clientside { TCP::remote_port } and to client_port.
Syntax: TCP::client_port

Example:
when CLIENT_ACCEPTED {
    if { [TCP::client_port] > 1000 } {
        pool slow_pool
    } else {
        pool fast_pool
    }
}

Related Information Valid Events: ALL

TCP::close
Closes the TCP connection.
Syntax: TCP::close

Example:
when CLIENT_ACCEPTED {
    TCP::collect
}
when CLIENT_DATA {
    if {[TCP::payload] contains "abc"} {
        pool abc_pool
        TCP::release
    } else {
        TCP::close
    }
}


TCP::collect
Causes TCP to start collecting the specified amount of content data.
Syntax: TCP::collect <length>
The <length> parameter specifies the minimum number of bytes to collect.

Example:
when CLIENT_ACCEPTED {
    TCP::collect 15
}
when CLIENT_DATA {
    if { [TCP::payload 15] contains "XYZ" } {
        pool xyz_servers
    } else {
        pool web_servers
    }
}

Related Information Valid Events: CLIENT_ACCEPTED

TCP::local_port
Returns the local TCP port/service number. This command is equivalent to the variable local_port.
Syntax: TCP::local_port

Example:
when CLIENT_ACCEPTED {
    if {[IP::protocol] == 47 || [TCP::local_port] == 1723} {
        # GRE used by MS PPTP server, TCP control channel
        pool ms_pptp
    } elseif {[IP::protocol] == 50 || [IP::protocol] == 51 || [UDP::local_port] == 500} {
        # AH and ESP used by IPSec, IKE used by IPSec
        pool ipsec_pool
    } elseif {[IP::protocol] == 115} {
        # L2TP Protocol server
        pool l2tp_pool
    }
}

TCP::mss
Returns the on-wire Maximum Segment Size (MSS) for a TCP connection.
Syntax: TCP::mss

Example:
when CLIENT_ACCEPTED {
    log "MSS is [TCP::mss]"
}

TCP::offset
Returns the position in the TCP data stream in which the collected TCP data starts.
Syntax: TCP::offset

Example:
when CLIENT_ACCEPTED {
    TCP::collect
}
when CLIENT_DATA {
    if {[TCP::offset] > 1000} {
        TCP::release
    }
}

TCP::payload
Returns the accumulated TCP data content, or replaces collected payload with the specified data.
Syntax:
TCP::payload [<size>]
TCP::payload <offset> <size>
TCP::payload length

TCP::payload [<size>]
    Returns the accumulated TCP data content.
TCP::payload <offset> <size>
    Returns the accumulated TCP data content starting from <offset>.
TCP::payload length
    Returns the amount of accumulated TCP data content in bytes.

Example:
when CLIENT_ACCEPTED {
    TCP::collect
}
when CLIENT_DATA {
    if { [TCP::payload] contains "flower" } {
        pool http-sg2
    } else {
        pool http-sg3
    }
}

Related Information Valid Events CLIENT_DATA, SERVER_DATA

TCP::release
Causes TCP to resume processing the connection and flush collected data.
Syntax: TCP::release

Example:
when CLIENT_ACCEPTED {
    TCP::collect 1500
}
when CLIENT_DATA {
    if {[TCP::offset] > 1000} {
        TCP::release
    }
}

TCP::remote_port
Returns the remote TCP port/service number. When used with the clientside command (that is, clientside TCP::remote_port), the TCP::remote_port command is equivalent to the TCP::client_port command. When used with the serverside command (that is, serverside TCP::remote_port), the TCP::remote_port command is equivalent to the TCP::server_port command.
Note: This command replaces the remote_port command.
Syntax: TCP::remote_port

Example:
when SERVER_CONNECTED {
    log "server TCP port = [TCP::remote_port]"
}

TCP::server_port
Returns the TCP port/service number of the specified server. This command is equivalent to the command serverside { TCP::remote_port } and to the BIG-IP 4.x variable server_port.
Syntax: TCP::server_port

Example:
when SERVER_CONNECTED {
    if { [TCP::server_port] > 1000 } {
        pool slow_pool
    } else {
        pool fast_pool
    }
}

TIME Commands
TIME::clock
Returns the system time, in seconds or milliseconds.
Syntax: TIME::clock [seconds | milliseconds]

Example:
when CLIENT_ACCEPTED {
    set curtime [TIME::clock seconds]
    set formattedtime [clock format $curtime -format {%H:%S} ]
    log "the time is: $formattedtime"
}

use
This command is provided for backwards compatibility. The use statement must be paired with certain commands such as node and pool. However, A10 Networks recommends using the commands node and pool directly.
Syntax use <object> <object_name>
Example:
when HTTP_REQUEST {
    if { [HTTP::uri] contains "aol" } {
        use pool aol_pool
    } else {
        use pool all_pool
    }
}

Related Information Valid Events: ALL

UDP Commands
UDP::client_port
Returns the UDP port/service number of the client system. This command is equivalent to the command clientside { UDP::remote_port }. Syntax UDP::client_port Example:
when CLIENT_ACCEPTED {
    if { [UDP::client_port] equals 80 } {
        pool pool-80
    }
}

Related Information Valid Events CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CONNECTED, SERVER_CLOSED, SERVER_DATA

UDP::local_port
Returns the local UDP port/service number. Syntax UDP::local_port

Example:
when CLIENT_ACCEPTED {
    if {[IP::protocol] == 47 || [TCP::local_port] == 1723} {
        # GRE used by MS PPTP server, TCP control channel
        pool ms_pptp
    } elseif {[IP::protocol] == 50 || [IP::protocol] == 51 || [UDP::local_port] == 500} {
        # AH and ESP used by IPSec, IKE used by IPSec
        pool ipsec_pool
    } elseif {[IP::protocol] == 115} {
        # L2TP Protocol server
        pool l2tp_pool
    }
}

Related Information Valid Events CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CONNECTED, SERVER_CLOSED, SERVER_DATA

UDP::mss
Returns the on-wire Maximum Segment Size (MSS) for a UDP connection. Syntax UDP::mss Example:
when CLIENT_ACCEPTED {
    log "MSS is [UDP::mss]"
}

Related Information Valid Events CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CONNECTED, SERVER_CLOSED, SERVER_DATA


UDP::payload
Returns the content or length of the current UDP payload.
Syntax
UDP::payload [<size>]
UDP::payload length
UDP::payload offset size

UDP::payload [<size>] Returns the content of the current UDP payload.
UDP::payload length Returns the length, in bytes, of the current UDP payload.
UDP::payload offset size Returns the content of the current UDP payload from <offset>.
Example:
when CLIENT_ACCEPTED {
    TCP::collect
}
when CLIENT_DATA {
    if { [UDP::payload 12 20] contains "a10networks" } {
        pool dns-sg1
    } else {
        pool dns-sg2
    }
}

Related Information Valid Events CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CONNECTED, SERVER_CLOSED, SERVER_DATA
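
The UDP::payload example above reads 20 bytes at offset 12, which is where the question name starts after the 12-byte DNS header. The following Python model is an added example, not A10 code and not part of the original manual; it assumes UDP::payload <offset> <size> returns up to <size> bytes starting at <offset> and that contains is a substring test. The names dns_query, payload_window, select_pool and needle_end are hypothetical, and the queries are constructed samples.

```python
import struct

NEEDLE = b"a10networks"   # string tested by the page's example


def dns_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query datagram (constructed sample input)."""
    # Fixed 12-byte header: id, flags (RD set), QDCOUNT=1, AN/NS/AR counts = 0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label is prefixed by a one-byte length, ended by a zero byte.
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def payload_window(payload, offset, size):
    """Assumed model of UDP::payload <offset> <size>."""
    return payload[offset:offset + size]


def select_pool(payload, offset=12, size=20):
    """Mirror the page's rule: dns-sg1 if the window contains the string."""
    return "dns-sg1" if NEEDLE in payload_window(payload, offset, size) else "dns-sg2"


def needle_end(payload, offset=12):
    """Bytes of window needed to cover the string, or None if absent."""
    pos = payload.find(NEEDLE, offset)
    return None if pos < 0 else pos - offset + len(NEEDLE)


if __name__ == "__main__":
    for name in ("a10networks.com", "www.a10networks.com",
                 "downloads.a10networks.com", "nota10networks.net",
                 "www.example.com"):
        pkt = dns_query(name)
        print(f"{name:28} needs={needle_end(pkt)} pool={select_pool(pkt)}")
```

The query for downloads.a10networks.com falls through to dns-sg2 because the string ends 22 bytes into the name, outside the 20-byte window, while nota10networks.net is sent to dns-sg1 because the test is a plain substring match. A rule that must distinguish domains has to size the window for the longest expected prefix and compare whole labels.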

UDP::remote_port
Returns the remote UDP port/service number. Syntax UDP::remote_port

Example:
when CLIENT_ACCEPTED {
    if { [UDP::remote_port] equals 80 } {
        pool pool-80
    }
}

Related Information Valid Events CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CONNECTED, SERVER_CLOSED, SERVER_DATA

UDP::server_port
Returns the UDP port/service number of the server. This command is equivalent to the command serverside { UDP::remote_port }. Syntax UDP::server_port Example:
when SERVER_CONNECTED {
    if { [UDP::server_port] equals 80 } {
        log "Port 80 was selected"
    }
}

Related Information Valid Events CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CONNECTED, SERVER_CLOSED, SERVER_DATA
