A10 Thunder AX 271-P1 aFleX Ref-2013.07.02 PDF

aFleXScriptingLanguageReference
A10 Thunder Series and AX Series

Document No.: D-030-01-00-0007
aFleX Engine Ver. 2.0 7/2/2013
Note: This edition applies to ACOS 2.7.1.
2013 A10 Networks, Inc. - All Rights Reserved
Information in this document is subject to change without notice.

Trademarks
A10 Networks, A10 Thunder, vThunder, the A10 logo, aACI, aCloud, ACOS, aDCS, aDNS, aELB, aFleX, aFlow, aGalaxy,
aPlatform, aUSG, aVCS, aWAF, aXAPI, IDAccess, IDSENTRIE, IP to ID, SmartFlow, SoftAX, Thunder, Unified Service
Gateway, Virtual Chassis, VirtualADC, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All
other trademarks are property of their respective owners.
Patents Protection
A10 Networks products including all AX Series products are protected by one or more of the following US patents and patents pending: 20120216266, 20120204236, 20120179770, 20120144015, 20120084419, 20110239289, 20110093522,
20100235880, 20100217819, 20090049537, 20080229418, 20080148357, 20080109887, 20080040789, 20070283429,
20070282855, 20070271598, 20070195792, 20070180101, 8423676, 8387128, 8332925, 8312507, 8291487, 8266235,
8151322, 8079077, 7979585, 7716378, 7675854, 7647635, 7552126
Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas
herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written
consent of A10 Networks, Inc.
A10 Networks Inc. Software License and End User Agreement

Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees
to treat Software as confidential information.
Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA),
provided later in this document or available separately. Customer shall not:
1) reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means
2) sublicense, rent or lease the Software.
Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services,
including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to
verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest
information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10
Networks products and services are subject to A10 Networks standard terms and conditions.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types,
please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10
Networks location, which can be found by visiting www.a10networks.com.
A10 Thunder Series and AX Series aFleX Reference

End User License Agreement

IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. DOWNLOADING, INSTALLING OR USING A10 NETWORKS OR A10
NETWORKS PRODUCTS, OR SUPPLIED SOFTWARE CONSTITUTES ACCEPTANCE OF THIS AGREEMENT.
A10 NETWORKS IS WILLING TO LICENSE THE PRODUCT TO YOU ONLY UPON
THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS
LICENSE AGREEMENT. BY DOWNLOADING OR INSTALLING THE SOFTWARE,
OR USING THE EQUIPMENT THAT CONTAINS THIS SOFTWARE, YOU ARE
BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT
(COLLECTIVELY, "CUSTOMER") TO THIS AGREEMENT. IF YOU DO NOT
AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, THEN A10 NETWORKS
IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.
The following terms of this End User License Agreement ("Agreement") govern Customer's access and use of the Software, except to the extent there is a separate
signed agreement between Customer and A10 Networks governing Customer's use
of the Software
License. Conditioned upon compliance with the terms and conditions of this Agreement, A10 Networks Inc. or its subsidiary licensing the Software instead of A10 Networks Inc. ("A10 Networks"), grants to Customer a nonexclusive and
nontransferable license to use for Customer's business purposes the Software and
the Documentation for which Customer has paid all required fees. "Documentation"
means written information (whether contained in user or technical manuals, training
materials, specifications or otherwise) specifically pertaining to the product or products and made available by A10 Networks in any manner (including on CD-Rom, or
on-line).
Unless otherwise expressly provided in the Documentation, Customer shall use the
Software solely as embedded in or for execution on A10 Networks equipment owned
or leased by Customer and used for Customer's business purposes.
General Limitations. This is a license, not a transfer of title, to the Software and
Documentation, and A10 Networks retains ownership of all copies of the Software
and Documentation. Customer acknowledges that the Software and Documentation
contain trade secrets of A10 Networks, its suppliers or licensors, including but not
limited to the specific internal design and structure of individual programs and associated interface information. Accordingly, except as otherwise expressly provided
under this Agreement, Customer shall have no right, and Customer specifically
agrees not to:
a.
transfer, assign or sublicense its license rights to any other person or entity,
or use the Software on unauthorized or secondhand A10 Networks equipment
b.
make error corrections to or otherwise modify or adapt the Software or create derivative works based upon the Software, or permit third parties to do
the same
Customer Driven Innovation

Doc. No.: D-030-01-00-0007 - aFleX 2.0, ACOS 2.7.1 7/2/2013
3 of 304

c.
reverse engineer or decompile, decrypt, disassemble or otherwise reduce

the Software to human readable form, except to the extent otherwise
expressly permitted under applicable law notwithstanding this restriction
d.
disclose, provide, or otherwise make available trade secrets contained

within the Software and Documentation in any form to any third party without the prior written consent of A10 Networks. Customer shall implement
reasonable security measures to protect such trade secrets.
Software, Upgrades and Additional Products or Copies. For purposes of this

Agreement, "Software" and Products shall include (and the terms and conditions of
this Agreement shall apply to) computer programs, including firmware and hardware, as provided to Customer by A10 Networks or an authorized A10 Networks
reseller, and any upgrades, updates, bug fixes or modified versions thereto (collectively, "Upgrades") or backup copies of the Software licensed or provided to Customer by A10 Networks or an authorized A10 Networks reseller.
OTHER PROVISIONS OF THIS AGREEMENT:
a.
CUSTOMER HAS NO LICENSE OR RIGHT TO USE ANY ADDITIONAL

COPIES OR UPGRADES UNLESS CUSTOMER, AT THE TIME OF
ACQUIRING SUCH COPY OR UPGRADE, ALREADY HOLDS A VALID
LICENSE TO THE ORIGINAL SOFTWARE AND HAS PAID THE APPLICABLE FEE FOR THE UPGRADE OR ADDITIONAL COPIES
b.
USE OF UPGRADES IS LIMITED TO A10 NETWORKS EQUIPMENT FOR

WHICH CUSTOMER IS THE ORIGINAL END USER PURCHASER OR
LEASEE OR WHO OTHERWISE HOLDS A VALID LICENSE TO USE THE
SOFTWARE WHICH IS BEING UPGRADED
c.
THE MAKING AND USE OF ADDITIONAL COPIES IS LIMITED TO NECESSARY BACKUP PURPOSES ONLY.
Term and Termination. This Agreement and the license granted herein shall remain
effective until terminated. All confidentiality obligations of Customer and all limitations of liability and disclaimers and restrictions of warranty shall survive termination
of this Agreement.
Export. Software and Documentation, including technical data, may be subject to
U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such regulations and acknowledges
that it has the responsibility to obtain licenses to export, re-export, or import Software and Documentation.
Trademarks
A10 Networks, A10 Thunder, vThunder, the A10 logo, aACI, aCloud, ACOS, aDCS, aDNS,
aELB, aFleX, aFlow, aGalaxy, aPlatform, aUSG, aVCS, aWAF, aXAPI, IDAccess, IDSENTRIE,
IP to ID, SmartFlow, SoftAX, Unified Service Gateway, Virtual Chassis, VirtualADC, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners.
Patents Protection
A10 Networks products are protected by one or more of the following US patents and patents
pending: 20120216266, 20120204236, 20120179770, 20120144015, 20120084419,
20110239289, 20110093522, 20100235880, 20100217819, 20090049537, 20080229418,
20080148357, 20080109887, 20080040789, 20070283429, 20070282855, 20070271598,
4 of 304


20070195792, 20070180101, 8423676, 8387128, 8332925, 8312507, 8291487, 8266235,
8151322, 8079077, 7979585, 7716378, 7675854, 7647635, 7552126
Limited Warranty
Disclaimer of Liabilities. REGARDLESS OF ANY REMEDY SET FORTH FAILS
OF ITS ESSENTIAL PURPOSE OR OTHERWISE, IN NO EVENT WILL A10 NETWORKS OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, PROFIT,
OR LOST OR DAMAGED DATA, BUSINESS INTERRUPTION, LOSS OF CAPITAL,
OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE
DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY OR WHETHER ARISING OUT OF THE USE OF OR INABILITY TO USE
PRODUCT OR OTHERWISE AND EVEN IF A10 NETWORKS OR ITS SUPPLIERS
OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
In no event shall A10 Networks or its suppliers' or licensors' liability to Customer,
whether in contract, (including negligence), breach of warranty, or otherwise, exceed
the price paid by Customer for the Software that gave rise to the claim or if the Software is part of another Product, the price paid for such other Product.
Customer agrees that the limitations of liability and disclaimers set forth herein will
apply regardless of whetherCustomer has accepted the Software or any other product or service delivered by A10 Networks. Customer acknowledges and agrees that
A10 Networks has set its prices and entered into this Agreement in reliance upon the
disclaimers of warranty and the limitations of liability set forth herein, that the same
reflect an allocation of risk between the parties (including the risk that a contract
remedy may fail of its essential purpose and cause consequential loss), and that the
same form an essential basis of the bargain between the parties.
The Warranty and the End User License shall be governed by and construed in
accordance with the laws of the State of California, without reference to or application of choice of law rules or principles. If any portion hereof is found to be void or
unenforceable, the remaining provisions of the Agreement shall remain in full force
and effect. This Agreement constitutes the entire and sole agreement between the
parties with respect to the license of the use of A10 Networks Products unless otherwise supersedes by a written signed agreement.

5 of 304

6 of 304


Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid A10
Networks Regular and Technical Support service contracts, the A10 Networks Technical Assistance Center provides support services online and
over the phone.
Corporate Headquarters
A10 Networks, Inc.
3 West Plumeria Dr
San Jose, CA 95134 USA
Tel: +1-408-325-8668 (main)
Tel: +1-888-822-7210 (support toll-free in USA)
Tel: +1-408-325-8676 (support direct dial)
Fax: +1-408-325-8666
www.a10networks.com
Collecting System Information

Your A10 Networks device provides a simple method to collect configuration and status information for Technical Support to use when diagnosing
system issues.
To collect system information, use either of the following methods.
USING THE GUI (RECOMMENDED)

1. Log into the GUI.
2. On the main page (Monitor Mode > Overview > Summary), click
. This option downloads a text log file.
3. Email the file as an attachment to support@a10networks.com.

7 of 304

USING THE CLI

1. Log into the CLI.
2. Enable logging in your terminal emulation application, to capture output generated by the CLI.
3. Enter the enable command to access the Privileged EXEC mode of the
CLI. Enter your enable password at the Password prompt.
4. Enter the show techsupport command.
5. After the command output finishes, save the output in a text file.
6. Email the file as an attachment to support@a10networks.com.
Note:
As an alternative to saving the output in a log file captured by your terminal emulation application, you can export the output from the CLI using
the following command:
show techsupport export [use-mgmt-port] url
(For syntax information, see the CLI Reference for the software version
you are running.)
Additional Information Required

In addition to the ACOS device information gathered using the procedures
above, please also provide the following information:
Windows platform (XP/Vista/Windows)
Service pack level
Problem description
Copy of the aFleX script (if applicable)
8 of 304


About This Document
About This Document

This document describes features of the A10 Networks Advanced Core
Operating System (ACOS). These features are supported on the following
product lines:
A10 ThunderTM Series Unified Application Service Gateway
AX Series Advanced Traffic Manager / Application Delivery Controller.
FIGURE 1
A10 Thunder 6430
FIGURE 2
AX 5630
For details about feature support on specific models, see the release notes.

9 of 304

About This Document
User Documentation
Information is available for ACOS products in the following documents.
These documents are included on the documentation CD shipped with your
product, and also are available on the A10 Networks support site.
Basic Setup
Installation Guides
System Configuration and Administration Guide
Security Guides
Management Access Security Guide
Application Access Management and DDoS Mitigation Guide
Web Application Firewall Guide
Application Delivery Guides

Application Delivery and Server Load Balancing Guide
Global Server Load Balancing Guide
References
LOM Reference
GUI Reference
CLI Reference
aFleX Reference
MIB Reference
aXAPI Reference
Make sure to use the basic deployment instructions in the Installation Guide
for your Thunder or AX model, and in the System Configuration and
Administration Guide. Also make sure to set up your devices Lights Out
Management (LOM) interface, if applicable.
Note:
10 of 304
Some guides include GUI configuration examples. In these examples,

some GUI pages may have new options that are not shown in the example
screen images. In these cases, the new options are not applicable to the
examples. For information about any option in the GUI, see the GUI Reference or the GUI online help.


About This Document
Audience
This document is intended for use by network architects for determining
applicability and planning implementation, and for system administrators
for provision and maintenance of A10 Networks products.
Documentation Updates
Updates to these documents are published periodically to the A10 Networks
support site, on an updated documentation CD (posted as a zip archive). To
access the latest version, please log onto your A10 support account.
http://www.a10networks.com
A10 Virtual Application Delivery Community

You can use your A10 support login to access the A10 Virtual Application
Delivery Community (VirtualADC). The VirtualADC is an interactive
forum where you can find detailed information from product specialists.
You also can ask questions and leave comments. To access the VirtualADC,
navigate here:
http://www.a10networks.com/adc/

11 of 304

About This Document
12 of 304


Contents
Collecting System Information.............................................................................................................. 7

Additional Information Required........................................................................................................... 8
About This Document
User Documentation............................................................................................................................. 10
Audience................................................................................................................................................ 11
Documentation Updates ...................................................................................................................... 11
A10 Virtual Application Delivery Community..................................................................................... 11
aFleX Basics
25
Overview................................................................................................................................................ 25
Advantages of Using aFleX Policies ........................................................................................... 26
Example: a Simple aFleX Script .................................................................................................. 26
aFleX Script Editor ........................................................................................................................ 26
aFleX Configuration Prerequisites .............................................................................................. 27
aFleX Processing Order ............................................................................................................... 27
Support for Multiple aFleX Policies on a Single Virtual Port .................................................... 28
When aFleX Policy Changes Take Effect ................................................................................... 29
Maximum Filesize of aFleX Scripts ............................................................................................. 29
Maximum Number of aFleX Scripts ............................................................................................ 30
aFleX Online Help ......................................................................................................................... 30
aFleX Script Rename .................................................................................................................... 32
Copy aFleX Script ......................................................................................................................... 33
aFleX Syntax ......................................................................................................................................... 33
Tcl Symbols ................................................................................................................................... 34
aFleX Context Clientside or Serverside ................................................................................... 35
aFleX Script Components .................................................................................................................... 36
aFleX Events ................................................................................................................................. 36
aFleX Operators ............................................................................................................................ 39
aFleX Commands .......................................................................................................................... 39
Examples ..................................................................................................................................... 40
Command Summary by Type ...................................................................................................... 42

13 of 304

Contents
aFleX Script Editor
63
Overview ................................................................................................................................................63
aFleX Script Editor ....................................................................................................................... 63
Installing and Starting aFleX Script Editor ................................................................................ 65
aFleX Script Editor Features ....................................................................................................... 66
Editing aFleX Scripts Getting Started ..............................................................................................66
Create an aFleX Script ................................................................................................................. 66
aFleX Templates ......................................................................................................................... 67
Connect to an AX Device aFleX File Transfer ......................................................................... 69
View aFleX Scripts ....................................................................................................................... 69
Menu Functions.....................................................................................................................................71
Overview ....................................................................................................................................... 71
File Functions ............................................................................................................................... 71
Connect AX / Disconnect AX ...................................................................................................... 71
New aFleX .................................................................................................................................. 72
Upload ......................................................................................................................................... 72
Download .................................................................................................................................... 72
Delete Rule ................................................................................................................................. 73
Save ............................................................................................................................................ 73
Import .......................................................................................................................................... 73
Export .......................................................................................................................................... 73
Rename ...................................................................................................................................... 73
Reset ........................................................................................................................................... 74
Exit .............................................................................................................................................. 74
Edit Menu Functions .................................................................................................................... 74
Undo / Redo ................................................................................................................................ 74
Cut / Copy / Paste / Delete .......................................................................................................... 74
Select All ..................................................................................................................................... 74
Search Menu Functions ............................................................................................................... 75
Find / Find Next / Find Previous .................................................................................................. 75
Replace ....................................................................................................................................... 75
Go to Line ................................................................................................................................... 76
View Menu Functions ................................................................................................................... 77
View Line Number ....................................................................................................................... 77
View Indention Guides ................................................................................................................ 77
View Margin ................................................................................................................................ 77
View Fold Margin ........................................................................................................................ 77
View Word Wrap ......................................................................................................................... 77
View White Space ....................................................................................................................... 78
View End of Line ......................................................................................................................... 78
View Book Marks ........................................................................................................................ 78
14 of 304


Contents
View Status Bar ........................................................................................................................... 78

View Output Window ................................................................................................................... 78
Options Menu Functions .............................................................................................................. 79
Font ............................................................................................................................................. 79
Set Line Number Color ................................................................................................................ 79
Set Comment Color ..................................................................................................................... 79
Set Text Color ............................................................................................................................. 79
Set Keyword Color ...................................................................................................................... 79
Set Background Color ................................................................................................................. 79
My Last Setting ............................................................................................................................ 79
Help Menu Functions ........................................................................................................................... 80
About aFleX Editor ....................................................................................................................... 80
Other aFleX Script Editor Functions................................................................................................... 80
Drag and Drop File Function ....................................................................................................... 80
Status Window .............................................................................................................................. 80
Applying aFleX Scripts To Virtual Ports
81
Pre-Loaded aFleX Scripts .................................................................................................................... 81

Using the CLIUsing an Imported aFleX Script................................................................................ 82
Using the CLICreating an aFleX Script in the CLI .......................................................................... 86
aFleX Configuration ...................................................................................................................... 87
Syntax Check .............................................................................................................................. 87
Cancelling the aFleX Input Session ............................................................................................ 87
CLI Example ................................................................................................................................ 88
Troubleshooting aFleX Syntax Errors ........................................................................................ 88
Using the GUI ........................................................................................................................................ 89
Events
93
Global Events ................................................................................................................................ 93

RULE_INIT .................................................................................................................................. 93
LB_FAILED ................................................................................................................................. 94
LB_SELECTED ........................................................................................................................... 94
HTTP Events .................................................................................................................................. 95
HTTP_REQUEST ........................................................................................................................ 95
HTTP_REQUEST_DATA ............................................................................................................ 96
HTTP_REQUEST_SEND ............................................................................................................ 97
HTTP_RESPONSE ..................................................................................................................... 97
HTTP_RESPONSE_CONTINUE ................................................................................................ 98
HTTP_RESPONSE_DATA ......................................................................................................... 98

15 of 304

Contents
IP, TCP, and UDP Events ............................................................................................................. 99

CLIENT_ACCEPTED .................................................................................................................. 99
CLIENT_CLOSED ..................................................................................................................... 100
CLIENT_DATA .......................................................................................................................... 100
SERVER_CLOSED ................................................................................................................... 101
SERVER_CONNECTED ........................................................................................................... 102
SERVER_DATA ........................................................................................................................ 102
RAM Caching Events ................................................................................................................. 103
CACHE_REQUEST .................................................................................................................. 103
CACHE_RESPONSE ................................................................................................................ 103
DNS Events ................................................................................................................................. 104
DNS_REQUEST ....................................................................................................................... 104
DNS_RESPONSE ..................................................................................................................... 104
FIX Events ................................................................................................................................... 105
FIX_REQUEST ......................................................................................................................... 105
FIX_RESPONSE ....................................................................................................................... 105
Diameter Load Balancing Events ............................................................................................. 106
DIAMETER_REQUEST ............................................................................................................ 106
DIAMETER_ANSWER .............................................................................................................. 106
DIAMETER_REQUEST_SEND ................................................................................................ 107
DIAMETER_ANSWER_SEND .................................................................................................. 107
SSL Events .................................................................................................................................. 108
CLIENTSSL_CLIENTCERT ...................................................................................................... 108
CLIENTSSL_HANDSHAKE ...................................................................................................... 108
SERVERSSL_HANDSHAKE .................................................................................................... 108
SIP Events ................................................................................................................................... 109
SIP_REQUEST ......................................................................................................................... 109
SIP_REQUEST_SEND ............................................................................................................. 110
SIP_RESPONSE ...................................................................................................................... 110
DBLB Events ............................................................................................................................... 111
DB_QUERY .............................................................................................................................. 111
DB_COMMAND ........................................................................................................................ 111
Operators
113
Relational Operators .................................................................................................................. 113

contains ..................................................................................................................................... 113
ends_with .................................................................................................................................. 113
equals ....................................................................................................................................... 114
matches .................................................................................................................................... 115
matches_regex ......................................................................................................................... 116
starts_with ................................................................................................................................. 116
16 of 304


Contents
Logical Operators ....................................................................................................................... 117

and ............................................................................................................................................ 117
not ............................................................................................................................................. 117
or ............................................................................................................................................... 118
Commands
119
GLOBAL Commands .......................................................................................................................... 119

active_members ........................................................................................................................ 119
b64decode ................................................................................................................................. 119
b64encode ................................................................................................................................. 120
clientside ................................................................................................................................... 120
cpu ............................................................................................................................................. 121
discard ....................................................................................................................................... 121
domain ....................................................................................................................................... 122
drop ........................................................................................................................................... 122
encoding .................................................................................................................................... 123
event .......................................................................................................................................... 123
findstr ......................................................................................................................................... 124
getfield ....................................................................................................................................... 125
htonl ........................................................................................................................................... 125
htons .......................................................................................................................................... 126
log .............................................................................................................................................. 126
md5 ........................................................................................................................................... 127
members ................................................................................................................................... 128
nexthop ...................................................................................................................................... 128
node .......................................................................................................................................... 129
ntohl ........................................................................................................................................... 130
ntohs .......................................................................................................................................... 130
persist ........................................................................................................................................ 131
pool ............................................................................................................................................ 134
use ............................................................................................................................................. 135
reject .......................................................................................................................................... 136
serverside .................................................................................................................................. 136
session ...................................................................................................................................... 137
set encode ................................................................................................................................. 138
sha1 ........................................................................................................................................... 138
snatpool ..................................................................................................................................... 139
substr ......................................................................................................................................... 140
switch ........................................................................................................................................ 141
virtual ......................................................................................................................................... 144
when .......................................................................................................................................... 144
whereis ...................................................................................................................................... 144

17 of 304

Contents
Global Variable Commands ....................................................................................................... 149

set ............................................................................................................................................. 149
incre .......................................................................................................................................... 150
get ............................................................................................................................................. 150
unset ......................................................................................................................................... 150
array .......................................................................................................................................... 151
Table Commands.................................................................................................................................151
table set .................................................................................................................................... 152
table add ................................................................................................................................... 152
table replace ............................................................................................................................. 153
table lookup ............................................................................................................................... 153
table incr ................................................................................................................................... 154
table append ............................................................................................................................. 154
table delete ............................................................................................................................... 154
table timeout ............................................................................................................................. 155
table lifetime .............................................................................................................................. 155
table keys .................................................................................................................................. 156
Class List Commands.........................................................................................................................158
CLASS::exists ........................................................................................................................... 158
CLASS::match .......................................................................................................................... 158
CLASS::names ......................................................................................................................... 161
CLASS::type ............................................................................................................................. 161
LID Commands ....................................................................................................................................162
LID::conn_limit .......................................................................................................................... 162
LID::conn_rate_limit .................................................................................................................. 163
LID::exists ................................................................................................................................. 163
LID::nat_pool ............................................................................................................................. 164
LID::request_limit ...................................................................................................................... 164
LID::request_rate_limit .............................................................................................................. 165
LID::type .................................................................................................................................... 165
Link Commands ..................................................................................................................................166
LINK::lasthop ............................................................................................................................ 166
LINK::nexthop ........................................................................................................................... 166
LINK::vlan_id ............................................................................................................................. 167
18 of 304


Contents
Load-balancing (LB) Commands ...................................................................................................... 167

LB::down ................................................................................................................................... 167
LB::reselect ............................................................................................................................... 168
LB::server .................................................................................................................................. 172
LB::status node ......................................................................................................................... 174
LB::status pool ........................................................................................................................... 175
HTTP Commands................................................................................................................................ 176
HTTP::close ............................................................................................................................... 176
HTTP::collect ............................................................................................................................. 176
HTTP::cookie ............................................................................................................................. 178
HTTP::fallback ........................................................................................................................... 181
HTTP::header ............................................................................................................................ 181
HTTP::host ................................................................................................................................ 183
HTTP::is_keepalive ................................................................................................................... 184
HTTP::is_redirect ...................................................................................................................... 184
HTTP::method ........................................................................................................................... 185
HTTP::path ................................................................................................................................ 185
HTTP::payload .......................................................................................................................... 186
HTTP::query .............................................................................................................................. 187
HTTP::redirect ........................................................................................................................... 188
HTTP::release ........................................................................................................................... 188
HTTP::request ........................................................................................................................... 189
HTTP::request_num .................................................................................................................. 189
HTTP::respond .......................................................................................................................... 190
HTTP::retry ................................................................................................................................ 191
HTTP::status ............................................................................................................................. 191
HTTP::stream ............................................................................................................................ 192
HTTP::uri ................................................................................................................................... 193
HTTP::version ........................................................................................................................... 194
Compression Commands .................................................................................................................. 195
COMPRESS::disable ................................................................................................................ 195
COMPRESS::enable ................................................................................................................. 195
COMPRESS::gzip ..................................................................................................................... 196
AES Commands.................................................................................................................................. 196
AES::decrypt ............................................................................................................................. 196
AES::encrypt ............................................................................................................................. 197
AES::key .................................................................................................................................... 198

19 of 304

Contents
IP Commands ......................................................................................................................................199
IP::addr ..................................................................................................................................... 199
IP::client_addr ........................................................................................................................... 200
IP::local_addr ............................................................................................................................ 200
IP::protocol ................................................................................................................................ 201
IP::remote_addr ........................................................................................................................ 202
IP::server_addr ......................................................................................................................... 202
IP::stats ..................................................................................................................................... 203
IP::tos ........................................................................................................................................ 203
IP::ttl .......................................................................................................................................... 204
IP::version ................................................................................................................................. 205
DNS Commands ..................................................................................................................................205
DNS::additional ......................................................................................................................... 205
DNS::answer ............................................................................................................................. 206
DNS::authority ........................................................................................................................... 207
DNS::header ............................................................................................................................. 208
DNS::len .................................................................................................................................... 210
DNS::query ............................................................................................................................... 210
DNS::question ........................................................................................................................... 211
DNS::class ................................................................................................................................ 212
DNS::name ............................................................................................................................... 213
DNS::rdata ................................................................................................................................ 213
DNS::rr ...................................................................................................................................... 214
DNS::ttl ...................................................................................................................................... 215
DNS::type .................................................................................................................................. 215
DNS::return ............................................................................................................................... 216
DNS::cache ............................................................................................................................... 217
DNS::is_dnssec ......................................................................................................................... 218
DNS::opt ................................................................................................................................... 218
DNS Example ............................................................................................................................ 219
SIP Commands ....................................................................................................................................222
SIP::call_id ................................................................................................................................ 222
SIP::from ................................................................................................................................... 222
SIP::header ............................................................................................................................... 222
SIP::header insert ..................................................................................................................... 223
SIP::method .............................................................................................................................. 223
SIP::respond ............................................................................................................................. 224
SIP::response ........................................................................................................................... 224
SIP::to ....................................................................................................................................... 225
SIP::uri ...................................................................................................................................... 225
SIP::via ...................................................................................................................................... 225
SIP Command Examples .......................................................................................................... 227
20 of 304


Contents
Policy-Based SLB Commands .......................................................................................................... 233

POLICY::bwlist id ...................................................................................................................... 233
RAM Caching Commands.................................................................................................................. 234
CACHE::age .............................................................................................................................. 234
CACHE::disable ........................................................................................................................ 234
CACHE::enable ......................................................................................................................... 235
CACHE::expire .......................................................................................................................... 235
CACHE::headers ....................................................................................................................... 236
CACHE::hits .............................................................................................................................. 237
Diameter Load Balancing Commands .............................................................................................. 238
DIAMETER::app_id ................................................................................................................... 238
DIAMETER::avp ........................................................................................................................ 238
DIAMETER::cmd_code ............................................................................................................. 241
DIAMETER::length .................................................................................................................... 242
DIAMETER::version .................................................................................................................. 242
RADIUS Message Load-balancing Commands................................................................................ 243
RADIUS::avp ............................................................................................................................. 243
RADIUS::code ........................................................................................................................... 244
RADIUS::id ................................................................................................................................ 244
RADIUS::length ......................................................................................................................... 245
SSL Commands .................................................................................................................................. 245
SSL::cert .................................................................................................................................... 246
SSL::cert count .......................................................................................................................... 247
SSL::cert issuer ......................................................................................................................... 247
SSL::cert mode .......................................................................................................................... 247
SSL::cipher ................................................................................................................................ 248
SSL::sessionid ........................................................................................................................... 249
SSL::verify_result ...................................................................................................................... 250
SSL::disable .............................................................................................................................. 250
SSL::enable ............................................................................................................................... 251
SSL::mode ................................................................................................................................. 251
SSL::sessionid ........................................................................................................................... 252
SSL::template ............................................................................................................................ 252
SSL::session invalidate ............................................................................................................. 253

21 of 304

Contents
X509 Commands .................................................................................................................................254

X509::extensions ...................................................................................................................... 254
X509::hash ................................................................................................................................ 256
X509::issuer .............................................................................................................................. 256
X509::not_valid_after ................................................................................................................ 257
X509::not_valid_before ............................................................................................................. 258
X509::serial_number ................................................................................................................. 258
X509::signature_algorithm ........................................................................................................ 259
X509::subject ............................................................................................................................ 259
X509::subject_public_key ......................................................................................................... 260
X509::subject_public_key_RSA_bits ........................................................................................ 260
X509::subject_public_key_type ................................................................................................. 261
X509::text .................................................................................................................................. 261
X509::verify_cert_error_string ................................................................................................... 262
X509::version ............................................................................................................................ 262
X509::whole .............................................................................................................................. 263
STATS Commands...............................................................................................................................264
STATS::clear ............................................................................................................................. 264
STATS::get ............................................................................................................................... 265
TCP Commands...................................................................................................................................267
TCP::client_port ........................................................................................................................ 267
TCP::close ................................................................................................................................ 267
TCP::collect ............................................................................................................................... 268
TCP::local_port ......................................................................................................................... 273
TCP::mss .................................................................................................................................. 274
TCP::rtt ...................................................................................................................................... 274
TCP::offset ................................................................................................................................ 275
TCP::payload ............................................................................................................................ 276
TCP::release ............................................................................................................................. 277
TCP::remote_port ...................................................................................................................... 277
TCP::server_port ....................................................................................................................... 278
TCP::respond ............................................................................................................................ 278
TIME Commands .................................................................................................................................279
TIME::clock ............................................................................................................................... 279
22 of 304


Contents
UDP Commands.................................................................................................................................. 280

UDP::client_port ........................................................................................................................ 280
UDP::local_port ......................................................................................................................... 280
UDP::payload ............................................................................................................................ 281
UDP::remote_port ..................................................................................................................... 282
UDP::server_port ....................................................................................................................... 282
UDP::respond ............................................................................................................................ 283
URI Commands................................................................................................................................... 284
URI::decode .............................................................................................................................. 284
URI::encode .............................................................................................................................. 285
URI::basename ......................................................................................................................... 286
URI::path ................................................................................................................................... 286
URI::query ................................................................................................................................. 287
Financial Information eXchange Commands................................................................................... 288
FIX::begin_string ....................................................................................................................... 288
FIX::body_length ....................................................................................................................... 288
FIX::msg_seq_num ................................................................................................................... 289
FIX::msg_type ........................................................................................................................... 289
FIX::sender_compid .................................................................................................................. 290
FIX::sending_time ..................................................................................................................... 290
FIX::target_compid .................................................................................................................... 291
Database Load Balancing (DBLB) Commands ................................................................................ 292
DB::Query .................................................................................................................................. 292
DB::Command ........................................................................................................................... 292
Template Commands.......................................................................................................................... 293
TEMPLATE::exists .................................................................................................................... 293
TEMPLATE::cache .................................................................................................................... 294
TEMPLATE::client_ssl ............................................................................................................... 295
TEMPLATE::conn_reuse ........................................................................................................... 296
TEMPLATE::http ....................................................................................................................... 296
TEMPLATE::ssl ......................................................................................................................... 297
TEMPLATE::tcp ......................................................................................................................... 298
TEMPLATE::udp ....................................................................................................................... 299
Deprecated and Disabled Commands
301
Deprecated Commands .............................................................................................................. 301

Disabled Tcl Commands ............................................................................................................ 302

23 of 304

Contents
24 of 304


aFleX Basics
aFleX Basics
Overview
The aFleX scripting language is a powerful inline custom scripting engine
that provides in-depth, granular control of inspection and redirection policies (filter, drop, redirect).
The aFleX scripting language is based on the Tool Command Language
(Tcl) programming standard for simplicity and familiarity.
For an aFleX policy to work, it must be bound to a virtual port on the ACOS
device. Then the aFleX policy can make policy decisions by inspecting the
payload packets from all traffic going through the virtual port.
FIGURE 3
aFleX overview

25 of 304

aFleX Basics
Advantages of Using aFleX Policies

aFleX policies allow you to exercise more granular control of packet
inspection and traffic load balancing.
aFleX policies can redirect traffic to a group of servers bound to a vir-
tual port, to one specific server in a pool (service group), or to individual

ports and URIs on a specific pool member (server).
aFleX policies provide complete flexibility, supporting both simple and
sophisticated content-switching needs.

aFleX policies can search packet headers or even the actual packet con-
tent, and direct packets based on the search results.

aFleX policies can maintain persistence
Tcl scripts created using leading competitors scripting engines often
can be easily converted into aFleX scripts, providing backwards compatibility for customized solutions.
Example: a Simple aFleX Script

when CLIENT_ACCEPTED {
if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
pool my_pool
}
}
aFleX Script Editor

The aFleX Script Editor makes it easy to write an aFleX script (see aFleX
Script Editor on page 63). You also can create aFleX scripts using the
ACOS GUI GUI or CLI, or a third-party text editor.
Note:
To create an aFleX script in a non-English language (for example, Japanese), save the script in Unicode UTF-8 format. You can use the ACOS
GUI or another editor to create the aFleX file. If you plan to create aFleX
scripts in the ACOS GUI, set the language in the GUI as Unicode (UTF8).
To set the language in the GUI to UTF-8, configure the browser so that
you can view UTF-8 encoding. In Internet Explorer, select
View > Encoding > Unicode.
The A10 aFleX Script Editor does not support UTF-8 format in the current release. Use the ACOS GUI or a third-party editor instead.
26 of 304


aFleX Basics
aFleX Configuration Prerequisites

For an aFleX policy to take effect, you must bind it to a virtual port on
the ACOS device.

The virtual port must be processing the application type that the Event
Declaration in the aFleX policy is triggering on.

Example:
If the aFleX policy includes an event declaration for HTTP_REQUEST,
then the policy can only bind to the virtual port that can process HTTP
traffic. In other words, the virtual ports service type must be fast-http or
http.
If no aFleX policy is assigned to the virtual port, the AX device will
continue to redirect traffic to the default server pool (SLB service group)
assigned to the virtual port.
Once an aFleX policy is bound to a virtual port, the policy is triggered
whenever the AX device encounters the Event Declaration.

Example:
If an aFleX policy includes the event declaration
CLIENT_ACCEPTED, then the policy is triggered whenever the AX
device accepts a client request.
Note:
For virtual port type fast-HTTP, aFleX commands that change the HTTP
header or payload are not supported.
aFleX Processing Order

aFleX policies have higher priority than most templates, except cookie persistence templates. Here is the complete SLB processing order for virtual
port traffic.
Packet Processing Order for Layer 4 Virtual Ports
For Layer 4 virtual ports (TCP, UDP, or Others), template parameters are
processed in the following order:
1. DNS template
2. Policy template
3. All other types of templates

27 of 304

aFleX Basics
Packet Processing Order for Layer 7 Virtual Ports
For Layer 7 virtual ports (for example: HTTP), template parameters are processed in the following order:
1. Layer 4 packet processing (described above in Packet Processing
Order for Layer 4 Virtual Ports on page 27)
2. Layer 7 server selection:
a. Cookie persistence template
b. aFleX policy (script)
c. All other types of templates
Example:
A virtual port is bound to an aFleX policy and two application templates, a
URL switching template and a cookie persistence template.
Both the URL switching template and the aFleX policy are applicable to a
clients traffic. The URL switching template chooses server server10, but
the aFleX policy chooses another server, server20. Since the aFleX policy
has higher priority, the traffic is directed to server20. However, if the cookie
persistence template selects server30, the traffic ultimately will be directed
to server30.
Note:
Beginning with AX Release 2.7.0, server template limits are applied for
both service-group and server selection. Commands that call for server
selection (i.e., node, pool, persist, etc.) will enforce server template
limits on the selected server. As a result, new connections that match a
persist uie entry may be unable to use the rport and a default server selection will occur instead. To prevent default server selection, use the no
def-selection-if-pref-failed command for the vport.
Support for Multiple aFleX Policies on a Single Virtual Port

You can bind up to 8 aFleX scripts to be bound to a single virtual port.
When multiple aFleX scripts are bound to a virtual port, the scripts are processed from the top down, beginning with the first script bound to the virtual port and ending with the last script bound to the virtual port.
The multiple scripts are processed exactly as if they were concatenated
together into a single aFleX script. Multiple events of the same type are executed sequentially (top to bottom), as though they were all in the same
script.
28 of 304


aFleX Basics
When aFleX Policy Changes Take Effect

aFleX policy changes do not affect traffic that is already active on a virtual
port.
For example, if you bind an aFleX policy to a virtual port on which some
traffic sessions are already active, the aFleX policy does not affect those
sessions. The aFleX policy only affects sessions that begin after the aFleX
policy is applied to the virtual port.
Likewise, if you change an aFleX policy that is already bound to a virtual
port, the changes do not apply to sessions that are active when you change
the policy. The active sessions are still processed using the aFleX policy as
it was before the changes. The policy changes apply only to sessions that
begin after the policy changes are saved.
Maximum Filesize of aFleX Scripts

By default, the maximum filesize supported on an AX device for an aFleX
script is 32 Kbytes. On the ACOS device, you can change the maximum
script size, to 16-256 Kbytes.
If Role-Based Administration (RBA) is configured on the device, the maximum applies to the shared partition and all private partitions.
Note:
In AX releases earlier than 2.4.3-P2, the maximum supported filesize is

128 K.
USING THE GUI

1. Select Config Mode > Service > SLB > Global.
2. Edit the number in the Maximum Size aFleX field. You can specify
16-256.
3. Click OK.
USING THE CLI

To change the maximum aFleX file size, use the following command at the
global configuration level of the CLI:
[no] aflex max-filesize KBytes

29 of 304

aFleX Basics
Maximum Number of aFleX Scripts

By default, the ACOS device can have a maximum of 1024 aFleX scripts.
If Role-Based Administration (RBA) is configured on the device, each private partition can have 32 aFleX scripts by default. Partition admins can
change the maximum number of aFleX scripts allowed in a partition, to
1-128.
USING THE GUI

1. Select Config Mode > System > Admin.
2. On the menu bar, select Partition.
3. Select the partition. (Click the checkbox next to the partition name.)
4. Edit the number in the Max aFleX File field. You can specify 1-128.
5. Click OK.
USING THE CLI

Use the following command at the global configuration level of the CLI:
[no] partition partition-name max-aflex-file num
You can specify 1-128.
aFleX Online Help

Beginning with AX Release 2.7.0, you can access aFleX help information
through the ACOS CLI.
Note:
aFleX help information is available through the CLI only and not accessible from the GUI.
Syntax
From the configuration level of the CLI, use the following commands to
access all aFleX help information:
aflex help
Enter the following command to list the names and descriptions of all aFleX
events, global commands, or operators:
30 of 304


aFleX Basics
aflex help [events |global | operators] [string]
Optionally, use the string option to display all aFleX events or commands
that match the specified string:
To display the full length description of a command, enter the specific command name for string.
Output Examples
This example displays help information for aFleX TIME commands:
AX2500(config)#aflex help time
TIME::clock seconds
- Returns the current time in the unit of seconds. The function is used in SMP
environment for high-performance processing.
TIME::clock milliseconds
- Returns the current time in the unit of milliseconds. The function is used
in SMP environment for high-performance processing. Note: The lowest resolution
of the timer is 4 milliseconds.
The following example displays help information for POLICY::bwlist:

AX2500(config)#aflex help policy::bwlist
POLICY::bwlist id <ip> [<bwlist_name>]
- Returns the group id of the specified ip address on the black-white list.
If the bwlist_name is not specified, the binded bwlist on the vport is used.

31 of 304

aFleX Basics
aFleX Script Rename

Beginning with this release, you do not need to unbind an aFleX script
before renaming it, and rebind it afterward. The ACOS device automatically
updates the configuration everywhere the renamed script is applied.
USING THE GUI

1. Navigate to Config Mode > Service > aFleX. The list of configured
aFleX scripts appears.
2. Click on the aFleX name to display the configuration page for it.
3. Edit the name in the Name field.
4. Click OK.
The list of aFleX scripts reappears, showing the new name. The GUI also
automatically updates the aFleX name everywhere the script is used. For
example, if the script is already bound to a virtual port, the scripts name is
automatically updated in the virtual ports configuration. You do not need to
manually update the virtual port configuration.
USING THE CLI

To rename an aFleX script on the ACOS device, use the following command at the global configuration level of the CLI:
aflex rename old-name new-name
32 of 304


aFleX Basics
Copy aFleX Script

Beginning with AX Release 2.7.0, you have the ability to easily copy an
existing aFleX script to a new file name.
USING THE GUI

The current release does not support this option using the GUI.
USING THE CLI

From the configuration level of the CLI, use the following command:
aflex copy script-name destination-script-name
Note:
Scripts that contain syntax errors cannot be copied. The CLI console notifies you if copy failure is due to a syntax error.
aFleX Syntax
An aFleX script is a Tcl-like script. Every command call has the following
form: command arg1 arg2 arg3 ...
The aFleX interpreter takes each word of command call and evaluates it.
After evaluation of each word, the first word (command) is considered to be
a function name. The function is executed with the rest of the words as arguments.
If a word is surrounded by curly braces { }, this word is unaffected and
substitution is thus not applicable. Inside the braces, there may be spaces
and carriage returns. The { } may also be nested.
In the following example, notice how the line breaks are placed inside the
{ }.
if {$c
log
} else
log
}
== "Exit"} {
"Bye!"
{
"Rock On!"

33 of 304

aFleX Basics
The aFleX interpreter sees this script as 5 words:
1. 'if' is the first word. There is nothing to be evaluated.
2. '$c == "Exit"' is the second word. Because of the surrounding curly
braces, there is no further evaluation on this word.
3. 'log "Bye!"' is the third word. For the same reason as the second
word, no further evaluation is needed.
4. 'else' is the fourth word. There is nothing to be evaluated.
5. 'log "Rock On!"' is the fifth word. No further evaluation is needed.
The first word, 'if', is taken as the command and this command is executed
with the 4 following words as parameters. Later, the condition '$c ==
"Exit"' is evaluated, during the execution of the if command.
Tcl Symbols
The Tcl symbols listed in Table 1 have special meanings.
TABLE 1
Tcl Symbols Supported in aFleX Policies
Delimiter
$
Description
Variable substitution.
Example: $argv0 could be replaced by /usr/bin/somescript.tcl
Subcommand substitution.
Example: [pwd] could be replaced by /home/joe
Word grouping with substitutions.
{ }
Example "you are $user" is one word. Substitution still occurs.

Word grouping without substitutions.
Example: {you are $user} is one word. $user is not replaced.

Backslash substitution/escape or statement continuation.
#
;
: :
By default, a statement ends with the end of the line.

Comment. This symbol can be used only at the beginning of a statement.
Statement separator.
Namespace path separator for variables or commands.
[ ]
Example: ::foo::bar
For information about standard Tcl syntax, see the following:

http://en.wikibooks.org/wiki/Programming:Tcl
Note:
34 of 304
Also see Deprecated and Disabled Commands on page 301.


aFleX Basics
aFleX Context Clientside or Serverside

aFleX scripts support context for specifying either client or server side:
Each event has a default context of either client-side or server-side.
Key words: clientside or serverside
Only specify the context keywords if you want to change default con-
text.
Example:
This aFleX script uses the default CLIENT side association to the
REMOTE_ADDR. Because CLIENT_ACCEPTED has a default context of
clientside, the remote_addr field is automatically assigned to clientside.
if { [IP::addr [IP::remote_addr] equals 10.1.1.80 ]
pool my_pool }
}
} {
To change the default context of any aFleX script, use the clientside or serverside key words.
Example:
This aFleX policy switches the remote_addr field to the clientside from the
default serverside association with the SERVER_CONNECTED event.
if { [IP::addr [clientside {IP::remote_addr}] equals 10.1.1.80 ] } {
pool my_pool2
}
}

35 of 304

aFleX Basics
aFleX Script Components

aFleX scripts consist of the following element types:
Events
Operators
Commands
aFleX Events
aFleX scripts are event-driven. The AX device triggers an aFleX policy
based on a specified event. For example, if an aFleX policy is configured to
be triggered by the HTTP_REQUEST event, the ACOS device triggers the
aFleX policy when an HTTP request is received.
Event declarations are made with the when keyword followed by the
event name.
Example:
}
if { [IP::addr [IP::remote_addr] equals 10.1.1.80 ]
pool my_pool }
}
} {
Table 2 lists the event declarations supported in aFleX policies.

TABLE 2
aFleX Event Declarations
Event Type
Global
Event Name and Description
RULE_INIT
Triggered when used in an aFleX policy.
LB_FAILED
Triggered when the ACOS device can not select a node (server) for the incoming request; for
example, if all nodes in the pool are down or all their connection limits have been reached.
LB_SELECTED
Triggered when the system selects a pool member.
36 of 304


aFleX Basics
TABLE 2
aFleX Event Declarations (Continued)
Event Type
IP, TCP, UDP
CLIENT_ACCEPTED
Triggered when a client establishes a connection.
CLIENT_DATA
Triggered when a client receives new data while the connection is in collect state.
CLIENT_CLOSED
Triggered when the client-side connection closes.
SERVER_CLOSED
Triggered when the server side connection closes.
SERVER_CONNECTED
Triggered when the AX device establishes a connection with the target node.
SERVER_DATA
Triggered when the AX device has received new data from the target node while the connection is in hold state.
HTTP
HTTP_REQUEST
Triggered when the AX device fully parses a complete client request header.
HTTP_RESPONSE
Triggered when the AX device parses all of the response status and header lines from the
server response.
HTTP_RESPONSE_CONTINUE
Triggered whenever the AX device receives a 100 Continue response from the server.
HTTP_REQUEST_DATA
Triggered whenever the request receives new HTTP content data.
HTTP_RESPONSE_DATA
Triggered whenever the AX device receives new HTTP content data from the response.
HTTP_REQUEST_SEND
Triggered immediately before a request is sent to a server. Server-side event.
RAM Caching
CACHE_REQUEST
Triggered when a VIP receives a request for a cached object.
CACHE_RESPONSE
Triggered immediately prior to sending a cache response.
DNS
DNS_REQUEST
Triggered when the DNS request packet arrives.
DNS_RESPONSE
Triggered when the DNS reply packet arrives.
FIX
FIX_REQUEST
Triggered when the system receives a FIX request.
FIX_RESPONSE
Triggered when the system receives a FIX response.

37 of 304

aFleX Basics
TABLE 2
aFleX Event Declarations (Continued)
Event Type
Diameter load
balancing

DIAMETER_REQUEST
Triggered when the system fully parses a complete Diameter request message.
DIAMETER_ANSWER
Triggered when the system fully parses a complete Diameter answer message.
DIAMETER_REQUEST_SEND
Triggered immediately before a Diameter request is sent by the ACOS device.
DIAMETER_ANSWER_SEND
Triggered immediately before a Diameter answer is sent by the ACOS device.
SSL
CLIENTSSL_CLIENTCERT
Triggered when an SSL client certificate is received.
CLIENTSSL_HANDSHAKE
Triggered when an SSL handshake on the client side is completed.
SERVERSS_HANDSHAKE
Triggered when an SSL handshake on the server side is completed.
SIP
SIP_REQUEST
Triggered when the ACOS system receives a full SIP request header from the client.
SIP_REQUEST_SEND
Triggered when the ACOS system sends the SIP request to the server.
SIP_RESPONSE
Triggered when the ACOS system receives a full SIP response from the server.
DBLB
DB_QUERY
Triggered when the ACOS system receives a full SQL query from the client side.
DB_COMMAND
Triggered when the ACOS system receives an SQL command from the client side.
38 of 304


aFleX Basics
aFleX Operators
aFleX policies use operators to compare operands in an expression.
Table 3 lists the operators supported in aFleX policies.
TABLE 3
aFleX Operators
Operator Type
Relational
Operator Name and Description
contains
Tests whether one string (string1) contains another string (string2).
ends_with
Tests whether one string (string1) ends with another string (string2).
equals
Tests whether one string equals another string.
matches
Tests whether one string matches another string.
matches_regex
Tests whether one string matches a regular expression.
starts_with
Tests whether one string (string1) starts with another string (string2).
Logical
and
Performs a logical and comparison between two values.
or
Performs a logical or comparison between two values.
not
Performs a logical not on a value.
aFleX Commands
aFleX commands can perform the following types of operations:
Global Performs actions such as selecting a pool (SLB service group)
or node (server).
Query commands:
IP packet header query Returns information from the IP header.
IP, TCP, or UDP packet data query Returns information from the
payload.
HTTP packet header or content query Returns information from
the HTTP header or payload.
39 of 304

aFleX Basics
Header and content manipulation:
HTTP cookie manipulation Changes cookies.
TCP header and content manipulation Changes TCP headers or
content.
HTTP header and content manipulation Changes HTTP headers or
content.
SSL and X.509 query Returns information from or about certificates.
Deep packet inspection Returns strings from packets.
Examples
Example: Pool Selection
This aFleX script uses the if command to determine which pool to send traffic to based on the file type gif or jpg.
when HTTP_REQUEST {
if { [HTTP::uri] ends_with ".gif" } {
pool gif_pool
} elseif { [HTTP::uri] ends_with ".jpg" } {
pool jpg_pool }
}
Example: Node Selection

This aFleX script uses the node command to select one specific server to send
the traffic to.
when HTTP_REQUEST {
node 192.168.100.10 80
}
}
Example: IP Packet Header Query IP Address

This example shows that the traffic from client in 192.168.0.0/16 subnet
direct to a special pool 192.168_pool.
if { [IP::addr [IP::client_addr] equals 192.168.0.0/16] } {
pool 192.168_pool
} else {
pool other_pool
}
}
40 of 304


aFleX Basics
Example: IP Packet Header Query Protocol Number
This example shows the protocol field being inspected for clientside protocol value of 6.
when CLIENT_ACCEPTED{
if { [IP::protocol] == 6 } {
pool tcp_pool
} else {
pool slow_pool
}
}
}
Example: IP Packet Header Query ToS Level

This example shows the ToS field being inspected for clientside ToS value
of 16.
if { [IP::tos] == 16 } {
pool tos16_pool
} else {
pool other_pool
}}
Example: TCP Query

This aFleX script uses the payload field to check for the words XYZ or
ABC to properly redirect traffic.
when CLIENT_DATA {
if { [TCP::payload] contains "XYZ" } {
pool xyz_servers
} elseif { [substr[TCP::payload] 50, 3] =="ABC" } {
pool abc_servers
} else {
pool web_servers
}
}

41 of 304

aFleX Basics
Command Summary by Type

Table 4 lists the aFleX commands according to the types of operations they
perform. For more information about the aFleX commands, see Commands on page 119, where they are listed alphabetically.
TABLE 4
aFleX Commands
Command
Type
Global
42 of 304
Command Name and Description

active_members <pool_name> [partition shared]
Returns the number of active members in the pool. By default, this command acts upon the
service groups (pools) located in the partition that contains the aFleX policy. The partition
shared option causes the aFleX policy to act upon service groups in the shared partition
instead. This option is useful in aFleX policies that are located in a private partition, when you
want the aFleX policy to act upon service groups in the shared partition instead.
b64decode <string>
Returns the specified string, decoded from base-64. Returns NULL if there is an error.
b64encode <string>
Returns the specified string, encoded as base-64. Returns NULL if there is an error.
clientside {<aFleX commands>}
Causes the specified aFleX commands to be evaluated under the client-side context. This command has no effect if the aFleX policy is already being evaluated under the client-side context.
cpu usage [1sec | 5secs | 15secs | 1min | 5mins | 15mins |
all_seconds | all_minutes]
Returns the average CPU load for the given interval. All averages are exponential weighted
moving averages over the interval.
discard
Causes the current packet or connection (depending on the context of the event) to be discarded. This statement must be conditionally associated with an if statement.


aFleX Basics
TABLE 4
Command
Type
Global
(cont.)
aFleX Commands (Continued)

domain <string> <count>
Parses the specified string as a dotted domain name and returns the last <count> portions of
the domain name.
drop
Same as the discard command.
encoding {convertfrom | convertto} <encoding>
Converts the character encoding of a payload to the specified encodiing.
event [<name>] [enable | disable] | [enable all | disable all]
Discontinues evaluating the specified aFleX event, or all aFleX events, on a connection. However, the aFleX script continues to run.
htonl <hostlong>
Converts the unsigned integer from host byte order to network byte order.
htons <hostshort>
Converts the unsigned short integer from host byte order to network byte order.
if { <expression> } {<statement_command>}
elseif { <expression> } {<statement_command>}
Asks a true or false question and, depending on the answer, takes some action.
Note: The maximum number of if statements that you can nest in an aFleX policy is 100.
log [<facility> <level>} <message>
Generates and logs the specified message to the Syslog facility. The statement does this by
performing variable expansion on the message as defined for the Header Insert HTTP profile
attribute. If not used appropriately, a log statement can produce large amounts of output.
md5
Returns the RSA MD5 Message Digest Algorithm message digest of the specified string.
members
Counts or lists all members in a service group.
nexthop
Sets the next hop for a connection.
node <addr> [<port>]
Causes the identified server node to be used directly, thus bypassing any load-balancing.
ntohl <netlong>
Converts the unsigned integer from network byte order to host byte order.
ntohs <netshort>
Converts the unsigned short integer from network byte order to host byte order.
persist uie <string> [<timeout>]
persist add uie <key> [timeout]
persist lookup uie <key> [all | node | port | pool]
persist delete uie <key>
persist size uie [global]
Configures persistence of clients with SLB resources.

43 of 304

aFleX Basics
TABLE 4
Command
Type
Global
(cont.)

pool <pool_name> [member <addr> [<port>]]
[partition shared]
Causes the ACOS device to load balance traffic to the named pool. This statement must be
conditionally associated with an if statement. Optionally, you can specify a specific pool member to which you want to direct the traffic.
By default, this command acts upon the service groups (pools) located in the partition that contains the aFleX policy. The partition shared option causes the aFleX policy to act upon
service groups in the shared partition instead. This option is useful in aFleX policies that are
located in a private partition, when you want the aFleX policy to act upon service groups in the
shared partition instead.
reject
Causes the connection to be rejected, returning a reset as appropriate for the protocol.
return [<expression>]
Terminates execution of the aFleX event and optionally return the result of evaluating
<expression>.
serverside {<aFleX commands>}
Causes the specified aFleX commands to be evaluated under the server-side context. This
command has no effect if the aFleX policy is already being evaluated under the server-side
context.
session add ssl <key> <data> [<timeout>]
Creates a table to store SSL information. If an SSL table already exists, the command adds an
entry to the table. Generally, the <key> is the session ID and the data is the SSL verify_result
or the SSL certificate.
session delete ssl <key>
Deletes an SSL entry.
session lookup ssl <key>
Searches the SSL table for information about the specified key.
set encode "<encoding>"
Sets the character encoding for data payloads.
sha1
Returns the Secure Hash Algorithm version 1.0 (SHA1) message digest of the specified string.
snatpool <snatpool_name>
Uses the specified pool of IP addresses as translation addresses to create a SNAT.
substr <string> <skip_count> [<terminator>]
Returns a sub-string named <string>, based on the values of the <skip_count> and <terminator> arguments.
switch
Built-in Tcl command. Evaluates one of several scripts, depending on a given value.
virtual name
Returns the name of the associated virtual server that the connection is flowing through.
when <event_name>
Specify an event in an aFleX script. All aFleX events begin with a when command. You can
specify multiple when commands within a single aFleX script.
44 of 304


aFleX Basics
TABLE 4
Command
Type
Global
(cont.)
Table
Commands
Time
Commands

whereis <ipaddr>
Returns geo-location information for a given IP address.
set <global_variable> <value>
Sets the <global_variable> to the specified <value>. If the variable does not exist, this command will create a new variable.
incre <global_variable>
Increments the <global_variable> by a value of 1.
get <global_variable>
Returns the value of the specified <global_variable>.
unset <global_variable>
Deletes the value for the <global_variable>.
array <global_array>
Sets or returns elements in a global array.
table set <name> <key> <value>
Sets a <value> in the table for the existing <key>.
table add <name> <key> <value>
Adds a <value> to the table for the specified <key>. If the key already exists, a key is not
inserted and the existing value is returned.
table replace <name> <key> <value>
Replaces the value in the table with the specified <key> or <value>.
table lookup <name> [-notouch] <key>
Returns the value associated with the specified key.
table incr [-notouch] <key> [<num>]
Increments the value associated with the specified key. If you do not specify a value for
<num>, 1 is used by default.
table append <name> [-notouch] <key> <string>
Appends a string to the value associated with the specified key.
table delete <name> <key>|-all
Deletes the <key> or value pair with the specified key. If -all is specified in addition to a
table name, all keys and value pairs for that table are deleted.
table timeout <name> <key> [<value>]
Returns the timeout for the specified key.
table timeout <name> [-remaining] <key>
Returns the remaining time before the expiration timeout, instead of the timeout itself.
table lifetime <name> <key> [<value>]
Returns the lifetime for the specified key.
table lifetime <name> [-remaining] <key>
Returns the remaining time before the expired lifetime, instead of the total lifetime.
table keys <name> [-count|-notouch]
Returns a list of keys in the specified table.
TIME::clock [seconds | milliseconds]
Returns the system time, in seconds or milliseconds.

45 of 304

aFleX Basics
TABLE 4
Command
Type
Link
Commands
Advanced
Encryption
Standard (AES)
Operations
IP Packet
Header Query
46 of 304

LINK::lasthop
Returns the MAC address of the last hop.
LINK::nexthop
Returns the MAC address of the next hop.
LINK::vlan_id
Returns the VLAN tag of the packet.
AES::decrypt <key> <data>
Decrypts data using an AES key.
AES::encrypt <key> <data>
Encrypts data using an AES key.
AES::key <passphrase> [256 | 192 | 128]
Creates a random key of length 256, 192, or 128 bits (default) to use for encrypting/decrypting
data using AES.
IP::addr <addr1>[/<mask>] equals <addr2>[/<mask>]
Performs comparison of IP address/subnet/supernet to IP address/subnet/supernet. Returns 0 if
no match, 1 for a match.
IP::remote_addr
Returns the remote IP address of a connection.
IP::local_addr
Returns the local IP address of a connection.
IP::client_addr
Returns the client IP address of a connection. This command is equivalent to the command clientside { IP::remote_addr }.
IP::server_addr
Returns the servers IP address. This command is equivalent to the command serverside
{ IP::remote_addr }.
IP::protocol
Returns the IP protocol value.
IP::stats {pkts in | pkts out | pkts | bytes in | bytes out |
bytes | age}
Supplies information about the number of packets or bytes being sent or received in a given
connection.
IP::tos
Returns the value of the IP protocols Type of Service (ToS) field.
IP::ttl
Returns the TTL of the current packet being acted upon.
IP::version
Return the version (e.g., IPv4/IPv6) of the current packet.


aFleX Basics
TABLE 4
Command
Type
TCP Packet
Header and
Content Query

TCP::remote_port
Returns the remote TCP port/service number.
TCP::local_port
Returns the local TCP port/service number.
TCP::client_port
Returns the clients TCP port/service number. Equivalent to the command clientside
{ TCP::remote_port }.
TCP::collect <length>
Causes TCP to start collecting the specified amount of content data.
TCP::server_port
Returns the server TCP port/service number. Equivalent to the command serverside
{ TCP::remote_port }.
TCP::payload [<size>]
Returns the accumulated TCP data content.
TCP::mss
Returns the on-wire Maximum Segment Size (MSS) for a TCP connection.
TCP::offset
Returns the position in the TCP data stream in which the collected TCP data starts.
TCP::release
Causes TCP to resume processing the connection and flush collected data.
TCP::respond <data>
Sends the specified data directly to the peer. This command can be used to complete a protocol
handshake.
TCP::rtt
Returns the smoothed round-trip time (RTT) estimate for a TCP connection.

47 of 304

aFleX Basics
TABLE 4
Command
Type
UDP Packet
Header and
Content Query

UDP::remote_port
Returns the remotes UDP port/service number.
UDP::local_port
Returns the local UDP port/service number.
UDP::client_port
Returns the clients UDP port/service number.
Note: This command is equivalent to the command
clientside {UDP::remote_port}.
UDP::server_port
Returns the server UDP port/service number.
Statistics
48 of 304
Note: This command is equivalent to the command serverside

{ UDP::remote_port }.
UDP::respond <data>
Sends the specified data directly to the peer. This command can be used to complete a protocol
handshake.
UDP::payload [<size>]
Returns the current UDP payload content.
UDP::payload length
Returns the amount of UDP payload content in bytes.
UDP::payload <offset> <size>
Returns the content of the current UDP payload from <offset>.
UDP::payload <offset> <size> <new_data>
Stating at <offset>, replaces the <size> of the collected payload with the specified
<new_data>.
STATS::get server <server-name | ipaddr>
[<port-num> <tcp | udp>]
current-connection | total-connection | request-pkt |
response-pkt
[partition shared]
Retrieves statistics for a node, virtual server, or pool.
STATS::clear server <server-name | ipaddr>
response-pkt
[partition shared]
Clears statistics for a node, virtual server, or pool.


aFleX Basics
TABLE 4
Command
Type
Load Balancing
(LB)
LID Header and

Content Query

LB::down
Temporarily marks the current real port down for 30 seconds.
LB::reselect [pool <pool-name> [<member>]]
Reperforms server selection.
LB::server [pool | addr | port]
Returns the result of pool and node selection.
LB::status node <ipaddr> [port <port_num> {tcp | udp}]
Returns the health status of a node.
LB::status pool <pool_name> [member <ipaddr> [<port_num>]]
[partition shared]
Returns the health status of a pool.
LID::conn_limit <lid-id>
Returns a list of conn-limit and LID type, one each for a matching LID where conn-limit is
configured.
LID::conn_rate_limit <param>
Returns a list of conn-rate-limit values and LID type, one each for a matching LID where
conn-rate-limit is configured.
LID::exists <lid-id>
Returns a Boolean value that indicates whether the specified LID exists.
LID::nat_pool <lid-id>
Returns a list of string and LID type, one each for a matching LID where nat-pool is configured.
LID::request_limit <param>
Returns a list of request-limit and LID type, one each for a matching LID where request-limit
is configured.
LID::request_rate_limit <param>
Returns a list of list request-rate limit values and LID type, one each for a matching LID where
conn-rate limit is configured.
LID::type <param>
Returns a list of LIDs of the specified type.

49 of 304

aFleX Basics
TABLE 4
Command
Type
Class Header
and Content
Query

CLASS::exists <list-name>
Returns a Boolean value that indicates whether the class list exists.
CLASS::match <param> <list-name> [ip | dns]
Returns whether <param> matches an [ip | dns] entry in class list <list-name>.
CLASS::match <param> <list-name> <key> [ip | dns]
Returns key of match when <param> matches an [ip | dns] entry in class list <list-name>.
CLASS::match <param> <list-name> <lid> [ip | dns]
Returns LID of match (only if configured) when <param> matches an [ip | dns] entry in
classlist <list-name>.
CLASS::match <param> <operator> <list-name>
Returns whether <param> matches an entry in class list <classname>..
CLASS::match <param> <operator> <list-name> <key>
Returns key of match when <param> matches an entry in class list <list-name>.
CLASS::match <param> <operator> <list-name> <lid>
Returns LID of match when <param> matches an entry in class list <list-name>.
CLASS::match <param> <operator> <list-name> <value>
Returns LID of match when <param> matches an entry in class list <list-name>.
CLASS::names
Returns a list of class-list names.
CLASS::type <list-name>
Returns the type of the specified class list.
50 of 304


aFleX Basics
TABLE 4
Command
Type
HTTP Packet
Header and
Content Query

HTTP::header [value] <name>
Returns value of the HTTP header named <name>. You can omit the <value> argument if the
header name does not collide with any of the subcommands.
HTTP::header names
Returns a list of all the headers present on the request or response.
HTTP::header count
Returns the number of HTTP headers present on the request or response.
HTTP::header at <index>
Returns the HTTP header that the system finds at the zero-based index value.
HTTP::header exists <name>
Returns true if the named header is present on the request or response.
HTTP::header at <index> [nvp]
Returns the HTTP header that the ACOS device finds at the zero-based index value. The nvp
option returns the entire header as a name-value-pair (NVP).
HTTP::header values <name>
Returns value(s) of the HTTP header named <name>.
HTTP::fallback <host>
Specifies or overrides the fallback host specified in the HTTP profile.
HTTP::host
Returns the host name (and port, if specified) of the HTTP request.
HTTP::method
Returns the type of HTTP request method.
HTTP::path [<string>]
Returns the path part of the HTTP request.

51 of 304

aFleX Basics
TABLE 4
Command
Type
HTTP Packet
Header and
Content Query
(cont.)

HTTP::status
Returns the response status code.
HTTP::version ["0.9" | "1.0" | "1.1"]
Returns the HTTP version of the request or response.
HTTP::stream replace <old-string> <new-string>
Returns the string in an HTTP response.
HTTP::uri [<string>]
Returns the complete URI of the request.
HTTP::query [<string>]
Returns the query part of the HTTP request.
HTTP::is_redirect
Returns a true value if the response is a certain type of redirect.
HTTP::is_keepalive
Returns a true value if this is a Keep-Alive connection.
HTTP::collect [<length>]
Collects the amount of data that you specify with the [length] argument. When the system
collects the specified amount of data, it calls the Tcl event HTTP_REQUEST_DATA or
HTTP_RESPONSE_DATA.
Note: Use great caution when omitting the value of the content length. Even though this is
allowed in certain cases; doing so or using a value larger than the size of the actual length can
stall the connection.
HTTP::release
Releases the collected data. There is no need to use the HTTP::release command inside of the
HTTP_REQUEST_DATA and HTTP_RESPONSE_DATA events, since in these cases, the
data is implicitly released.
HTTP::payload [<size>]
Returns the content that the HTTP::collect command has collected thus far. If you do not
specify a size, the system returns the collected content.
HTTP::payload length
Returns the size of the content that the command has collected thus far, not including the
HTTP headers.
HTTP::payload <offset> <length> <string>
Replaces the amount of content that you specified with the <length> argument, starting at
<offset> with <string>.
HTTP::close
Inserts a Connection: Close header and close the HTTP connection.
52 of 304


aFleX Basics
TABLE 4
Command
Type
TCP Header and
Content
Manipulation
HTTP Header
and Content
Manipulation

TCP::release
Causes TCP to resume processing the connection and to flush collected data.
TCP::payload replace <offset> <length><data>
Replaces collected payload with the given data.
TCP::close
Closes the connection.
HTTP::header insert ["lws"] <name> <value>
Inserts the named HTTP header and its value into the end of the HTTP request or response. If
you specify "lws", the system adds linear white space to long header values.
HTTP::header insert ["lws"] {n1, v1, n2, v2, n3,v3, }
Passes a Tcl list to insert into a header. In such cases, the system treats the list as a list of name/
value pairs. If you specify "lws", the system adds linear white space to long header values.
HTTP::header [value] <name> <string>
Sets the value of the named header. If the header is present, the command replaces the header;
otherwise, the command adds the header. You can omit the <value> argument if the header
name does not collide with any other values.
HTTP::header replace <name> [<string>]
Replaces the last occurrence of the named header with the string <string>. This command performs a header insertion if the header was not present.
HTTP::header remove <name>
Removes the last occurrence of the named header from the request or response.
HTTP::redirect <url>
Redirects a HTTP request or response to the specified URL. Note that this command sends the
response to the client immediately. Therefore, you cannot specify this command multiple
times in an aFleX, nor can you specify any other commands that modify header or content,
after you specify this command.
HTTP::respond <status code> [content <content Value>]
[<Header name> <Header Value>]+
This is a powerful API that allows users to generate or rewrite a client request or a server
response. When the system runs the command on the client side, it sends the response to the
client without any load balancing taking place. If the system runs the command on the server
side, the content from the actual server is discarded and replaced with the information provided to this API. Note that because the system sends the response data immediately after this
aFleX policy runs, we recommend that you not run any more aFleX policy after this API.
HTTP::header sanitize <header name>+
Removes all but the headers you specify. The exception to this is some essential HTTP headers.
HTTP::request_num
Returns the number of HTTP requests that a client made on the connection.

53 of 304

aFleX Basics
TABLE 4
Command
Type
HTTP Cookie
Manipulation
for Request
Messages
54 of 304

HTTP::cookie names
Returns the names of all the cookies present in the HTTP header.
HTTP::cookie count
Returns the number of cookies present in the HTTP header.
HTTP::cookie [value] <name> [string]
Sets or gets the cookie value of the given name. You can omit the value of this command if the
cookie name does not collide with any of the other commands.
HTTP::cookie version <name> [version]
Sets or gets the version of the cookie.
HTTP::cookie path <name> [path]
Sets or gets the cookie path.
HTTP::cookie domain <name> [domain]
Sets or gets the cookie domain.
HTTP::cookie ports <name> [portlist]
Sets or gets the cookie port lists for V1 cookies.
HTTP::cookie insert <name> <value> [path<path>]
[domain <domain>] [version <0 | 1 | 2>]
Adds or replaces a cookie. The default value for the version is 0.
HTTP::cookie remove <name>
Removes a cookie.
HTTP::cookie sanitize [attribute]+
Removes all but the specified attributes from the cookie.
HTTP::cookie exists <name>
Returns a true value if the cookie exists.


aFleX Basics
TABLE 4
Command
Type
HTTP Cookie
Manipulation
for Response
Messages

HTTP::cookie names
HTTP::cookie count
Sets or gets the cookie value of the given name. You can omit the value of this command if the
cookie name does not collide with any of the other commands.
Sets/Gets the cookie domain.
Sets/Gets the cookie port lists for Version 1 cookies.
HTTP::cookie insert <name> <value> [path] [domain]
[version]
Adds or replaces a cookie. The default value for the version is 0. cookies.
Removes a cookie.
HTTP::cookie maxage <name> [seconds]
Sets or gets the max-age. Applies to Version 1 cookies only.
HTTP::cookie expires <name> [seconds]
[absolute | relative]
Sets or gets the expires attribute. Applies to Version 0 cookies only. If you specify the absolute
argument, the seconds value represents number of seconds since the UNIX epoch (January 1,
1970). The default number of seconds is relative, which is the number of seconds from the current time.
HTTP::cookie comment <name> [comment]
Sets or gets the cookie comment. Applicable only to Version 1 cookies.
HTTP::cookie secure <name> [enable | disable]
Sets or gets the secure attribute.
HTTP::cookie commenturl <name> [commenturl]
Sets or gets the comment URL. Applicable only to Version 1 cookies.
HTTP::cookie discard <name> [enable | disable]
Sets or gets the discard attribute. Applicable only to Version 1 cookies.
Removes from the cookie all but the attributes you specify.

55 of 304

aFleX Basics
TABLE 4
Command
Type
HTTP Requests
Compression
URI
encode / decode
URI Return
path / basename
DNS
56 of 304

HTTP::request
Returns a raw HTTP request.
HTTP::retry
Resends an HTTP request to the server.
COMPRESS::disable
Disables compression for the current HTTP response.
COMPRESS::enable
Enables compression for the current HTTP response.
COMPRESS::gzip
Sets the compression level for HTTP compression.
URI::decode
Returns a decoded version of a given URI.
URI::encode
Returns an encoded version of a given URI.
URI::basename <uri>
Returns the basename portion of the given URI.
URI::path <uri>
Returns the path portion of the given URI.
DNS::additional [[insert | remove rr_obj] | clear]
Returns, inserts, removes, or clears RRs from the Additional section.
DNS::answer [[insert | remove rr_obj] | clear]
Returns, inserts, removes, or clears RRs from the Answer section.
DNS::authority [[insert | remove rr_obj] | clear]
Returns, inserts, removes, or clears RRs from the Authority section.
HTTP::header <id | qr | opcode | aa | tc | rd | ra | ad | cd |
rcode | qdcount | ancount | nscount | arcount> [value]
Gets or sets simple bits or byte fields.
DNS::len
Returns the DNS packet message length.
DNS::return
Skips all further processing after tcl execution and sends the DNS packet in the opposite
direction.
DNS::query <target> <name> <type> [dnssec]
Returns a tcl list of RR tcl objects lists, one for each section: Answer, Authority, and
Additional.
DNS::question <name | type | class> [value]
Gets or sets the question field value.


aFleX Basics
TABLE 4
Command
Type
DNS

DNS::class <rr_obj> [value]
Gets or sets the resource record class field.
DNS::name <rr_obj> [value]
Gets or sets the resource record name field (FQDN).
DNS::rdata <rr_obj> [value]
Gets or sets the resource record rdata field.
DNS::rr <name> <type> <class> <ttl> <rdata...> | <string>>
Creates a new resource record object with the specified attributes or as a complete string.
DNS::ttl <rr_obj> [value]
Gets or sets the resource record TTL field.
DNS::type <rr_obj> [value]
Gets or sets the resource record type field.
DNS::cache <enable | disable>
Enables or disables the DNS cache for the current DNS session.
DNS::cache update
Updates the DNS cache with content changed through aFleX.
DNS::is_dnssec
Checks the DNSSEC query or reply.
DNS::opt <do | udpsize | rcode | version> [value]
Gets or sets the parameters of a DNS OPT record.

57 of 304

aFleX Basics
TABLE 4
Command
Type
SIP Header
Query and
Manipulation
58 of 304

SIP::call_id
Returns the value of the Call-ID header in a SIP request.
SIP::header
Returns the value of the From header in a SIP request.
SIP::header [<value>] header-name [<index>]
Returns SIP header header-name. The <value> option specifies the header value. The
<index> option indicates the header to act upon, in cases where there are multiple header levels. Without the <index> option, the first instance of the header is acted upon by the aFleX policy.
SIP::method
Returns the type of the SIP request method.
SIP::respond code <"phrase" <"header-name" "header-value">>
Sends back a response with the specified code, phrase, and header-name:header-value pair.
SIP::response code
Gets the SIP response code.
SIP::response phrase
Gets the response phrase.
SIP::response rewrite code <phrase>
Rewrites the response code and phrase, if specified.
SIP::to
Returns the value of the To header in the SIP request.
SIP::uri
SIP::via [<index>]
Gets the information in the SIP via header. If you specify the <index>, only the information
at the specified index level is returned.
SIP::via proto [<index>]
Gets the protocol part of the SIP via at the specified index level. If you specify the <index>,
only the information at the specified index level is returned.
SIP::via sent_by [<index>]
Gets the sent_by part of the SIP via at the specified index level. If you specify the <index>,


aFleX Basics
TABLE 4
Command
Type
SIP Header
Query and
Manipulation
(cont.)
Policy-Based
SLB Query
RAM Caching
Diameter load
balancing

SIP::via received [<index>]
Gets the retrieved attribute of the SIP via at the specified index level. If you specify the
<index>, only the information at the specified index level is returned.
SIP::via branch [<index>]
Gets the branch attribute of the SIP via at the specified index level. If you specify the <index>,
SIP::via maddr [<index>]
Gets the maccadr attribute of the SIP via at the specified index level.
SIP::via ttl [<index>]
Gets the TTL attribute of the SIP via at the specified index level. If you specify the <index>,
POLICY::bwlist id id <ip> [<bwlist_name>]
Returns the group ID associated with an IP address in a black/white list.
CACHE::age
Returns the age of a cached object. The age is the number of seconds the object has been in the
cache.
CACHE::disable
Disables caching for the current HTTP request
CACHE::enable [<age>]
Forces caching of an object.
CACHE::expire aFleX Script Editor
Forces a cached object to be revalidated from the server.
CACHE::headers
Returns the HTTP headers of a cached object.
CACHE::hits
Returns the number of cache hits for a cached object.
DIAMETER::app_id
Returns the application ID in a Diameter message.
DIAMETER::avp <options>
Reads, writes, or deletes AVPs.
DIAMETER::cmd_code [name]
Returns the command code, or its name, of a Diameter message.
DIAMETER::length
Returns the length of a Diameter message.
DIAMETER::version
Returns the version of a Diameter message.

59 of 304

aFleX Basics
TABLE 4
Command
Type
RADIUS
message load
balancing
SSL

RADIUS::avp [<attr>]
Returns RADIUS attribute-value pairs (AVPs).
RADIUS::code
Returns the RADIUS message code.
RADIUS::id
Returns the RADIUS message ID.
RADIUS::length
Returns the RADIUS message length.
SSL::cert <level>
Returns SSL certificate with the specified level in the certificate chain. Level is 0-based.
SSL::cert count
Returns the number of certificates in the certificate chain.
SSL::cert issuer <level>
Returns the issuer of the certificate with the specified level.
SSL::cert mode <request | require | ignore | auto>
Sets the certificate mode. This setting overrides the mode setting in the template.
Only the client side is supported.
SSL::cipher {name | version | bits}
Returns SSL cipher information.
SSL::sessionid
Returns the current SSL session ID.
SSL::verify_result [<result_code>]
If <result_code> is not specified, returns the result code of the peer certificate verification. If
<result_code> is specified, sets the result code.
SSL::disable [clientside | serverside]
Disables SSL on either the client or server side.
SSL::enable [clientside | serverside]
Enables SSL on either the client or server side.
SSL::mode
Returns a 1 when SSL is enabled or a 0 when SSL is disabled.
SSL::sessionid
Returns the current SSL session ID number.
SSL::template [clientside | serverside] <templatename>
Applies an SSL template for specifically the client or server side.
SSL::session invalidate
Disables reuse of the SSL Session ID for the client.
60 of 304


aFleX Basics
TABLE 4
Command
Type
X.509
Deep packet
inspection

X509::extensions <X509 certificate>
Returns the X.509 extensions set on the specified X.509 certificate.
X509::hash <X509 certificate>
Returns the MD5 or sh1 hash (fingerprint) of the specified X.509 certificate.
X509::issuer
Returns the issuer of the X.509 certificate.
X509::not_valid_after
Returns the not-valid-after date of an X.509 certificate.
X509::not_valid_before
Returns the not-valid-before date of an X.509 certificate.
X509::serial_number
Returns the serial number of an X.509 certificate.
X509::signature_algorithm <X509 certificate>
Returns the signature algorithm of the specified X.509 certificate.
X509::subject
Returns the subject of the certificate.
X509::subject_public_key <X509 certificate>
Returns the subjects public key of the specified X.509 certificate.
X509::subject_public_key_RSA_bits <X509 certificate>
Returns the size of the subjects public RSA key of an X.509 certificate.
X509::subject_public_key_type <X509 certificate>
Returns the subjects public key type of the specified X.509 certificate. The returned value can
be RSA, DSA, or unknown.
X509::text
Return a certificate in human-readable (text) format.
X509::verify_cert_error_string
Returns the error string for the specified error code, as an OpenSSL X509 error string.
HTTP::version
Returns the version number of an X.509 certificate.
X509::whole <X509 certificate>
findstr
Finds the string <search_string> within <string> and returns a sub-string based on the
<skip_count> and <terminator> from the matched location.
substr
Returns a sub-string <string> based on the values of <skip_count> and <terminator>.
getfield
Splits a string on a character, and returns the string corresponding to the specific field.
domain
Parses the string <string> as a dotted domain name and return the last <count> portions of the
domain name.

61 of 304

aFleX Basics
TABLE 4
Command
Type
Financial Information
eXchange (FIX)
load balancing
Database Load
Balancing
(DBLB)
Template
Commands

FIX::begin_string
Returns the value of the BeginString tag.
FIX::body_length
Returns the value of the BodyLength tag.
FIX::msg_seq_num
Returns the integer message sequence number.
FIX::msg_type
Returns the value of the MsgType tag. The MsgType tag defines the message type, which is a
string that is one or two characters in length. It is always the third field in the message and is
always unencrypted.
FIX::sender_compid
Returns the value of the SenderCompID tag.
FIX::target_compid
Returns the value of the TargetCompID tag.
FIX::sending_time
Returns the value of the time of message transmission, always expressed in UTC time.
DB::Query
Gets a string that holds the entire SQL query which was sent by the client.
DB::Command
Gets a numeric value that represents the command number.
TEMPLATE::exists type
Determines if a template of the specified type is bound to a virtual server.
TEMPLATE::cache <setting>
Returns the value for the specified <setting>
TEMPLATE::client_ssl <setting>
TEMPLATE::conn_reuse <setting>
TEMPLATE::http <setting>
TEMPLATE::ssl <setting>
TEMPLATE::tcp <setting>
TEMPLATE::udp <setting>
62 of 304
in the assigned RAM cache template.

in the assigned client SSL template.
in the assigned connection reuse template.
in the assigned HTTP template.
in the assigned server SSL template.
in the assigned TCP template.
in the assigned UDP template.


aFleX Script Editor
aFleX Script Editor

Overview
aFleX Script Editor is an application that enables you to easily create and
edit aFleX scripts. The editor also retrieves existing aFleX scripts from an
AX device as well as saves aFleX scripts back to the AX device after editing. aFleX Script Editor is supported only on Windows platform systems.
aFleX Script Editor

aFleX Script Editor provides a separate programming environment for offline development of aFleX policies and is PC-based for easy support.
aFleX Script Editor also provides templates to quickly create new scripts,
and features the following functions:
Download
Upload
New
Delete
Save
Import
Export
Reset

63 of 304

aFleX Script Editor
FIGURE 4
aFleX Script Editor new aFleX name field and template list
Edit Functions
Cut, Copy, Paste, Delete, Select All, Undo, Redo
Search Functions
Find, Find Next, Find Previous, Replace, Go To Line
View Functions
Line Numbers, Indentation Guide, Margin, Fold Margin, Word
Wrap
White Space, End of Line, Bookmarks, Auto Complete, Hot Spots
Status Bar, Output Window
64 of 304


aFleX Script Editor
FIGURE 5
aFleX Script Editor main editor screen
Installing and Starting aFleX Script Editor

aFleX Script Editor Installation
1. Copy the directory aFleXEditor from the A10 Thunder Series/AX
Series Documentation CD to the Program Files directory on a Windows platform PC.
2. You can create a shortcut to aFleX Script Editor by dragging the existing
shortcut from the copied folder to wherever you want the shortcut to be;
for example to the taskbar or desktop.
3. Optionally, you can put the directory aFleXEditor wherever you like
on any Windows system and modify the shortcut or create a new shortcut accordingly.
To start aFleX Script Editor: Click on the shortcut to start aFleX Script
Editor.

65 of 304

aFleX Script Editor
aFleX Script Editor Features

Working with aFleX Script Editor, you can:
Download aFleX scripts from the ACOS device.
Edit scripts and upload them back onto the ACOS device.
Create new aFleX scripts.
Use aFleX Script Editor templates to simplify script creation.
Save aFleX scripts to a local workstation.
When you exit, the aFleX list in the Local Files frame is saved.
Below the menu and icons, the aFleX Script Editor window has the following main parts:
Menu bar to select menu-based aFleX Script Editor commands
Icon bar to select icon-based aFleX Script Editor commands
Download Files (top-left frame) to access aFleX files on an ACOS
device
Local Files (lower-left frame) to access aFleX files on a workstation
Editor (top-right frame) panel in which to edit aFleX files
Output (lower-right frame) shows the status of file transfers and more
Status bar (bottom bar) shows the current aFleX Script Editor status
Editing aFleX Scripts Getting Started

Create an aFleX Script
To begin using aFleX Script Editor to create an aFleX script, click the New
icon or select File > New aFleX. (See Figure 6.)
The aFleX Template window appears where you can select from a list of
aFleX templates.
66 of 304


aFleX Script Editor
FIGURE 6
aFleX Script Editor main editor screen
aFleX Templates
The aFleX Template window offers a list of aFleX templates. These templates offer pre-configured aFleX command modules required for typical
ACOS applications and are named accordingly. With the addition of parameters for your specific ACOS application, an aFleX policy can be quickly
constructed.
To use a template to create a new aFleX policy, enter a unique name into the
name field of the aFleX Template window, select a template from the list
below the name field, and click the OK button.

67 of 304

aFleX Script Editor
FIGURE 7
aFleX Script Editor templates
Need a function not shown in the aFleX Templates?

You can create a custom aFleX script. Enter a unique name for the new
script, select the BLANK template, and then click OK. The new script is
added to the Local Files list and is opened in the Editor frame. The new
script will be empty because the BLANK template was selected. You can
then begin scripting using the aFleX commands.
The rest of this chapter explains how to use the editor itself.
To better understand templates, open one and look up its commands in the
reference chapter: Commands on page 119.
68 of 304


aFleX Script Editor
Connect to an AX Device aFleX File Transfer

Use aFleX Script Editors Connect AX, File Download/Upload, or Import/
Export options to transfer aFleX scripts between an AX device and the editor. You must enter the AX hostname or IP address, and admin username
and password, to log onto the AX device.
FIGURE 8
Connection to the ACOS device
View aFleX Scripts

To view scripts in the aFleX Script Editor, use the File/Download function
to access the file within the aFleX Script Editor.
FIGURE 9
Download aFleX policy from AX device

69 of 304

aFleX Script Editor
Downloaded files can be seen in the AX Files list. Click on a file name in
the AX Files list to view its contents in the Editor frame.
FIGURE 10
70 of 304
Viewing an aFleX policy in the Editor frame


aFleX Script Editor
Menu Functions
Overview
This section provides a list of all menu items. Detailed descriptions of the
functions follow.
File Menu
The editor includes the following script handling functions in the File menu:
Connect/Disconnect, New aFleX, Upload, Download, Delete aFleX,
Save, Import aFleX, Export aFleX, Rename, Reset, Exit

Edit Menu
Undo, Redo, Cut, Copy, Paste, Delete, Select All
Search Menu
Find, Find Next, Find Previous, Replace, Go To Line
View Menu
Line Numbers, Indentation Guides, Margin, Fold Margin, Word Wrap,
White Space, End of Line, Book Marks, Auto Complete, Status Bar,
Output Window
Options Menu
Font, Set Line Number Color, Set Comment Color, Set Text Color, Set
Keyword Color, Set Background Color, Last Setting

Help Menu
About aFlex Editor
File Functions
Connect AX / Disconnect AX
If you select File > Connect AX, a window pops up and asks you to enter
the hostname or IP address, and admin username and password. After you
click OK, the connection status changes to Connected and all the aFleX
policies on the AX device are automatically shown in the Download Files

71 of 304

aFleX Script Editor
frame. From this point on, you can manipulate aFleX policies on the AX
device.
After you are connected, the Connect menu option and button both change
to Disconnect. If you select File > Disconnect or click the Disconnect button, all the aFleX policies previously shown in the Download Files frame
disappear and the connection status is changed to Disconnected.
New aFleX
File > New aFleX
Note:
For information on aFleX scripts and commands, see the Commands on

page 119.
Using an aFleX Template
If you click the New icon, a window will pop up where you can select an
aFleX Template. (See Figure 6 on page 67.) After you select a template,
type the new aFleX policy name and click OK. The Local Files window
generates the new file and opens it in the editor frame.
Using the BLANK aFleX Template
You can also create aFleX scripts from the BLANK template. Enter a
unique name for the new aFleX, select the BLANK template from the
list of templates, then click OK. The new aFleX policy is added to the
Local Files list and is opened in the editor frame.
Upload
File > Upload
If you click Upload, the currently selected Local File is uploaded to the AX
device and listed in the AX Files frame. If the AX device is disconnected,
the Upload menu item is disabled.
Download
File > Download
If you click Download and the AX device is disconnected, a window pops
up to ask you to input the hostname or IP address, and username and password, to re-establish the connection to the AX.
If the current status of the AX is Connected, no window will pop up. The
file list in the Local Files frame is updated.
72 of 304


aFleX Script Editor
Delete Rule
File > Delete Rule
If no aFleX file is currently selected, nothing is deleted.
If an aFleX file is currently selected within the Local Files frame, the
selected file is deleted from the local workstation, and the next item in the
list is automatically selected.
If an aFleX file is currently selected in the AX Files frame, it is deleted from
the AX file list. If the response message from the AX system indicates success, the file will also be deleted from the Local Files.
Save
File > Save
If a currently selected aFleX file is located in the AX Files frame, it is saved
to the AX device.
If a currently selected aFleX file is located in the Local Files frame, it is
saved to the local workstation.
Import
File > Import
If you click Import, a window pops up where you can select a file and
import it into the aFleX Script Editor. The Local Files frame adds the file
and opens it in the Editor frame.
Export
File > Export
If you click Export, a window pops up where you can select a local path to
which to export the currently selected file.
Rename
File > Rename
If you click Rename, the currently selected aFleX file can be renamed. The
new name should not be equal to the existing name shown in the aFleX
Script Editor, or equal to the name of another file.

73 of 304

aFleX Script Editor
Reset
File > Reset
Restores the currently selected file to its state before user modifications.
If the currently selected file is located in the AX Files frame, the Reset command resets it to the initial file state when last downloaded.
If the currently selected file is located in the Local Files frame, it resets to
the initial file state just generated through the New action.
Exit
File > Exit
If you click File > Exit, an alert window pops up.
To exit aFleX Script Editor, click Yes.
To continue working in aFleX Script Editor, click No.
Edit Menu Functions

Undo / Redo
Edit > Undo / Redo
The Undo and Redo actions are for undo or redo of changes to text. Standard Windows keyboard shortcuts can also be used for these commands, if
the cursor is active within the Editor frame.
Cut / Copy / Paste / Delete

Edit > Cut / Copy / Paste / Delete
The Cut, Copy, Paste, and Delete commands are for modifying text. Standard Windows keyboard shortcuts can also be used for these commands, if
the cursor is active within the Editor frame.
Select All
Edit > Select All
Select Edit > Select All or ctrl+A to select all text in the Editor frame.
74 of 304


aFleX Script Editor
Search Menu Functions

Find / Find Next / Find Previous
Search > Find / Find Next / Find Previous
If you select Search > Find or press ctrl+F, a Find window pops up. You can
type a string of up to 250 characters in the Find what field. Click the Find or
Mark All button:
If the term can be found in the text, it will be highlighted.
If the term can not be found, an alert window will pop up.
The find window will close. If you want to find the next occurrence of the
string, press F3.
To find the previous occurrence of the string, press shift+F3.
FIGURE 11
Search > Find
Replace
Search > Replace
If you select Search > Replace, the Search and Replace window pops up. In
the Search for field, type the string you want to replace. In the Replace with
field, type the new string.
You can click the Next match or the Previous match button to locate another
occurrence of the string to be replaced.

75 of 304

aFleX Script Editor
If the string is found, it will be highlighted. Click either Replace or
Replace All.
If the term can not be found, an alert indicates that no match could be
found.
FIGURE 12
Search > Replace
Replaces options include:

Match case searches for text in case-sensitive mode.
Match whole word does not find words where the search string is only
part of the word.

Regular expressions searches for regular expressions (regex) entered
into the Search for field.

Replace in selection only select search text before starting, replaces
only within the selection.
Go to Line
Search > Go To Line
If you select Go To Line, a window pops up where you can type a line number into the Go To Line field. Click OK to navigate to that line in the currently open file.
76 of 304


aFleX Script Editor
FIGURE 13
Search > Go To Line
View Menu Functions

View Line Number
View > Line Number
Use this menu command to display or hide Line Numbers in the editor.
View Indention Guides

View > Indentation Guides
Use this menu command to display or hide the Indentation Guides.
View Margin
View > Margin
Use this menu command to display or hide the Editor frame Margin
between the Editor frames Line Numbers column and its Fold Margin column.
View Fold Margin

View > Fold Margin
Use this menu command to display or hide the Fold Margin where the +/symbols can be use to expand and collapse aFleX events.
View Word Wrap

View > Word Wrap
This menu command enables/disables word wrap in the Editor frames.
77 of 304

aFleX Script Editor
View White Space

View > White Space
This menu command enables/disables marking of white space in the Editor
frame.
View End of Line

View > End of Line
This menu command enables/disables display of End of Line (LF and
CRLF) markers in the Editor frame.
View Book Marks

View > Book Marks
This menu command enables/disables bookmarks in the Editor frame.
The bookmarks can be displayed only when you update an aFleX policy on
the AX device. If an aFleX policy has a syntax error or definition error, the
bookmarks indicate the line that contains the error.
View Status Bar

View > Status Bar
This menu command enables/disables display of the Editor frames status
bar.
View Output Window

View > Output Window
This menu command enables/disables display of the Output frame.
78 of 304


aFleX Script Editor
Options Menu Functions

Font
Options > Font
This menu command is used to set the font style for the Editor frame text.
Set Line Number Color

Options > Set Line Number Color
This menu command is used to set the Editor frames font color for the line numbers.
Set Comment Color

Options > Set Comment Color
This menu command is used to set the Editor frames font color for comment text.
Set Text Color

Options > Set Text Color
This menu command is used to set the Editor frames font color for the main text.
Set Keyword Color

Options > Set Keyword Color
This menu command is used to set the Editor frames font color for keyword text.
Set Background Color

Options > Set Background Color
This menu command is used to set the Editor frames color for the background.
My Last Setting
Options > My Last Setting
This menu command restores your last setting from your previous session.

79 of 304

aFleX Script Editor
Help Menu Functions

About aFleX Editor
Help > About aFleX Editor
This command displays the aFleX Script Editor version and contact information.
Other aFleX Script Editor Functions

Drag and Drop File Function
You can drag-and-drop files between the AX Files frame and the Local Files
frame to upload and download.
Download
Dragging a file from the AX Files frame to the Local Files frame is equivalent to using the download command to copy a file from the AX device to
the local workstation.
Upload
Dragging a file from the Local Files frame to the AX Files frame is equivalent to using the upload command to copy a file to the AX device from the
local workstation.
Status Window
When you perform an action such as Download, Upload, Delete, or Reset,
the status bar displays a status message to indicate the result of that action.
80 of 304



To use an aFleX policy:
1. Create the aFleX policy. You can create the aFleX policy using the
aFleX Script Editor, by typing it into a GUI tab or CLI session, or using
a text editor on a PC.
2. Import the aFleX policy onto the ACOS device. You can use aFleX
Script Editor, the GUI, or the CLI to import the aFleX policy.
3. Bind the aFleX policy to one or more virtual ports. You can bind the
aFleX policy to a virtual port using the GUI or CLI.
The following sections show examples for the CLI and GUI. For information about using the aFleX Script Editor, see aFleX Script Editor on
page 63.
Note:
Beginning with this release, you do not need to unbind an aFleX script
before renaming it, or rebind it afterward. The ACOS device automatically updates the configuration everywhere the renamed script is used.
For more information, see aFleX Script Rename on page 32.
Pre-Loaded aFleX Scripts

Beginning with AX Release 2.7.0, sample aFleX scripts are pre-loaded onto
the ACOS device. This allows you to immediately apply aFleX scripts and
build from the provided code.
Note:
These scripts are intended for educational purposes to assist new users.
A10 Networks does not guarantee the sample scripts will work in all contexts and is not liable for damages that result from the misapplication of
pre-loaded aFleX scripts.

81 of 304

See Table 5 for a list of pre-loaded aFleX scripts.
TABLE 5
Pre-Loaded aFleX Scripts
Column
host_switching
http_payload_re
place
logging_clients
redirect1
redirect2
redirect_rewrite
Description
This aFleX example illustrates the use of Tcl associative
arrays to implement host switching.
Collects the HTTP response and then replaces all instances
of the pattern http:// in the payload with https://.
Logs Client/Server IP/Port information for security when
using Source NAT.
Redirects HTTP requests to an HTTPS URL
Uses HTTP::respond to do a redirect with a cookie set.
Rewrites relative and absolute redirects to absolute HTTPS
redirects.
Using the CLIUsing an Imported aFleX Script

1. On a PC that supports TFTP, FTP, SCP, SFTP, or RCP, use any text editor to create an aFleX script and save it locally. Use extension .afx at
the end of the file name. Example: /aflex/test.afx
2. On the ACOS device, use the CLI command import aflex to import the
aFleX policy file onto the ACOS device.
3. Use the following command at the configuration level for the virtual
port to bind the aFleX script to the virtual port:
aflex aflex-name
You can specify one script with the command. Repeat the command for
each additional script to add.
The scripts will be processed in the order you add them, starting with the
first script you add. To re-order the scripts, do either of the following:
Use the GUI. (See Using the GUI on page 89.)
In the CLI, use the no aflex aflex-name command to remove the scripts
from the virtual port, then re-add them in the correct order.
82 of 304


CLI Example
This example shows how to import an aFleX policy onto the ACOS device
and bind it to a virtual port. For this example, the following aFleX policy is
imported:
when RULE_INIT {
array set ::SG_ARRAY [list "youtube.com" "sg1" "google.com" "sg2" "zynga.com"
"sg2"]
}
when HTTP_REQUEST {
set host [HTTP::host]
if { [info exists ::SG_ARRAY($host)] } {
log "host $host -> pool $::SG_ARRAY($host)"
pool $::SG_ARRAY($host)
}
}
1. Log onto the ACOS device through the CLI, with an admin account that
has read-write privileges.
A CLI prompt appears:
ACOS>
Note:
See the A10 Thunder Series and AX Series CLI Reference if you need
information on using the CLI.
2. Access the Privileged EXEC mode:
ACOS>enable
Password:***
ACOS#
3. Access the configuration mode:

ACOS#config
ACOS(config)#

83 of 304

4. Configure nodes (real servers and server ports):
ACOS(config)#slb
ACOS(config-real
ACOS(config-real
ACOS(config-real
ACOS(config-real
ACOS(config)#slb
ACOS(config-real
ACOS(config-real
ACOS(config-real
ACOS(config-real
ACOS(config)#slb
ACOS(config-real
ACOS(config-real
ACOS(config-real
ACOS(config-real
ACOS(config)#slb
ACOS(config-real
ACOS(config-real
ACOS(config-real
ACOS(config-real
ACOS(config)#
server node100 10.10.9.100

server)#port 80 tcp
server-node port)#health-check
server-node port)#exit
server)#exit
server node101 10.10.9.101
server)#port 80 tcp
server)#exit
server node102 10.10.9.102
server)#port 80 tcp
server)#exit
server node103 10.10.9.103
server)#port 80 tcp
server)#exit
no
no
no
no
5. Configure service groups:

ACOS(config)#slb service-group http-sg1 tcp
ACOS(config-slb service group)#member node100:80
ACOS(config-slb service group)#exit
ACOS(config)#slb service-group http-sg2 tcp
ACOS(config-slb service group)#exit
ACOS(config)#
6. Use the import command to import the aFleX policy (test.afx) onto
the ACOS device and rename it my_aflex:
ACOS(config)#import aflex my_aflex scp://192.168.1.118/aflex/
host_switching.afx
User name []?***
Password []?***
Importing ... Done.
ACOS(config)#
While importing the aFleX policy, the ACOS device checks for syntax
errors. If any syntax errors are found, error messages are displayed. You
can modify an aFleX policy and import it again until it passes the syntax
check.
84 of 304


7. Use the show aflex command to list the aFleX policies imported onto
the ACOS device:
ACOS(config)#show aflex
Total aFleX number: 1
Max aFlex file size: 32K
Name
Syntax
Virtual port
-----------------------------------------------------------my_aflex
Check
No
8. To display the aFleX policy, use the show aflex aflex-name command:
ACOS(config)#show aflex my_aflex
when RULE_INIT {
array set ::SG_ARRAY [list "youtube.com" "sg1" "google.com" "sg2" "zynga.com"
"sg2"]
}
when HTTP_REQUEST {
set host [HTTP::host]
if { [info exists ::SG_ARRAY($host)] } {
log "host $host -> pool $::SG_ARRAY($host)"
pool $::SG_ARRAY($host)
}
}
9. Configure a virtual server and bind the aFleX policy to a virtual port on
the virtual server:
ACOS(config)#slb virtual-server v30 10.10.8.30
ACOS(config-slb virtual server)#port 80 http
ACOS(config-slb virtual server-slb virtua...)#aflex my_aflex
ACOS(config-slb virtual server-slb virtua...)#exit
ACOS(config-slb virtual server)#exit
ACOS(config)#
10. Show the aFleX policy list again to verify that the aFleX policy is now
bound to a virtual port:
ACOS(config)#show aflex
Total aFleX number: 1
Max aFlex file size: 32K
Name
Syntax
Virtual port
-----------------------------------------------------------my_aflex
Check
Yes

85 of 304

11. Show the running-config:
ACOS(config)#show running-config
...
slb server node100 10.10.9.100
port 80 tcp
health-check no
port 80 tcp
health-check no
port 80 tcp
health-check no
port 80 tcp
health-check no
!
slb service-group http-sg1 tcp
member node100:80
member node101:80
slb service-group http-sg2 tcp
member node102:80
member node103:80
!
slb virtual-server v30 10.10.8.30
port 80 http
aflex my_aflex
!
...
ACOS(config)#
Using the CLICreating an aFleX Script in the CLI

Beginning in AX Release 2.6.1, you can create aFleX policies using the
CLI. This feature is especially useful for quickly typing or copy-and-pasting
short aFleX scripts.
Note:
86 of 304
Regardless of how an aFleX script is added to the ACOS device, the script
does not take effect until you apply it to a virtual port.


aFleX Configuration
To configure an aFleX policy using the CLI:
1. Enter the following command at the global configuration level of the
CLI:
aflex create aflex-name
The CLI enters the input mode for the script text.
2. Type or copy-and-paste the script. If you type the script, use the Enter
key at the end of each line.
3. To complete the input process, type . (period) on a separate line and
press Enter.
Note:
You do not need to save the configuration (write memory) to save the
aFleX script. The script is automatically added to a persistent data folder
and remains available across reboots.
Syntax Check
After you finish entering the script text, the CLI performs a syntax check
and displays one of the following messages:
aFleX aflex-name created; syntax check passed.
Indicates the syntax is valid.

aFleX aflex-name created; syntax check failed.
Indicates the syntax is not valid. In this case, see Troubleshooting

aFleX Syntax Errors on page 88.
This aFleX already exists. Indicates that another aFleX
script with the same name is already on the ACOS device.

The same name can be used in different Role-Based Administration
(RBA) partitions but must be unique within a given partition.
Cancelling the aFleX Input Session

To cancel an aFleX script input session before you finish entering the script
text, use Ctrl+C. In this case, none of the script is saved.

87 of 304

CLI Example
The following commands create an aFleX script named test:
AX(config)#aflex create test
Type in your aFleX script (type . on a line by itself when done)
if {[IP::addr [IP::client_addr] equals 192.168.217.11/24]} {
node 10.10.10.30 80
}
}
.
aFleX test created; syntax check passed.
AX(config)#
The following command verifies the script information:

AX(config)#show aflex test
Name:
test
Syntax:
Check
Virtual port:
No
Content:
if {[IP::addr [IP::client_addr] equals 192.168.217.11/24]} {
node 10.10.10.30 80
}
}
The following commands apply the aFleX script to a virtual port:

ACOS(config)#slb virtual-server vip1 10.10.10.100
ACOS(config-slb virtual server)#port 80 http
ACOS(config-slb virtual server-slb virtua...)#aflex test
Troubleshooting aFleX Syntax Errors

After you finish entering the text for an aFleX script, the CLI automatically
performs a syntax check. If the check fails, the following message is displayed:
aFleX aflex-name created; syntax check failed.
In this case, you can fix the script in either of the following ways.
88 of 304


USING THE CLI

1. At the global configuration level, use the aflex check aflex-name command to display syntax error information.
2. Use the aflex delete aflex-name command to delete the script.
3. Use the aflex create aflex-name command to reenter the script. (See
aFleX Configuration on page 87.)
USING THE GUI

Use the GUI to display and edit the script:
1. Select Config Mode > Service > aFleX. The aFleX script table appears.
2. Click on the aFleX name to display the configuration page for the script.
3. Edit the script text.
4. Click OK.
5. The aFleX script table reappears. If the script still contains syntax errors,
the errors are displayed above the table.
Using the GUI

1. Select Config Mode > Service > aFleX
The aFleX tab appears. (See Figure 14.)
..
2. Enter a name for the aFleX policy in the Name field.

3. Enter the aFleX policy text into the Definition field.
4. Click OK to save the aFleX policy.
Note:
You can click on the name of an existing aFleX policy to edit it in the
GUI. You can delete an existing aFleX policy by selecting the checkbox
located on the left of its name, then clicking the Delete button.
5. To bind the aFleX policy to a virtual port:
a. Access the configuration settings for the virtual port. You can access
them in either of the following ways:

89 of 304

Select Config Mode > Service > SLB > Virtual Server, click on
b.
c.
d.
e.
f.
the virtual server name, select the checkbox next to the port, and
click Edit. (See Figure 15.)
Select Config Mode > Service > SLB > Virtual Service, and
click on the virtual port name.
Next to the aFleX drop-down list, select the Multiple checkbox.
Select an aFleX script from the drop-down list and click Add.
Repeat for the other scripts to add to the virtual port.
The scripts will be processed in the order listed, starting with the
script at the top. To move a script up or down, click on the script
name, then click Move up or Move down.
Click OK.
FIGURE 14
90 of 304
Config Mode > Service > aFleX > New


FIGURE 15
Config Mode > Service > SLB > Virtual Server > Port

91 of 304

92 of 304


Events -
Events
The following chapter describes the aFleX events.
Global Events
RULE_INIT
Initializes global system variables. Within an aFleX policy, the RULE_INIT
event can initialize a system variable on a global basis for all aFleX policies,
or exclusively for that particular aFleX policy.
The prefix placed before RULE_INIT specifies whether to initialize the
variable for all aFleX policies, or only the current aFleX policy.
Prefix
Scope
Applies only to the current aFleX policy.
::
This variable cannot be set or read by any other

aFleX policies. Once the variable is defined, it can
be removed only by an unset command.
::global::
Applies to all aFleX policies. This variable can be

set or read by all aFleX policies on the ACOS
device.
Notes:
Unbinding an aFleX policy will not remove the variable.
In the current release, it is recommended to avoid using the unset
command to unset global variables. Doing so may cause a problem.

93 of 304

Events Example:
when RULE_INIT {
# define per-aFleX global variable ::request_count
# This variable is to count the # of HTTP_REQUEST hits by this aFleX policy
set ::request_count 0
# define per-system global variable ::global::ax_request_count
# This variable is to count the total number of HTTP_REQUEST hits
# in the ACOS system
set ::global::ax_request_count 0
}
when HTTP_REQUEST {
incr ::request_count
incr ::global::ax_request_count
}
LB_FAILED
This Event is triggered when the ACOS device can not select a node for the
incoming request; for example, if all nodes in the pool are down or all their
connection limits have been reached.
Example:
when LB_FAILED {
pool errorPool
}
Related Information
Available Commands:
LB::reselect, LB::server
LB_SELECTED
Triggered when the system selects a pool member.
Example:
when LB_SELECTED {
if { [IP::addr [IP::remote_addr] equals "10.0.0.1"] } {
snat VIPsnat
}
}
94 of 304


Events Related Information
Available Commands:
IP::local_addr, LB::reselect, LB::server
HTTP Events
HTTP_REQUEST
Triggered when the system fully parses a complete client request header
(that is, the method, URI, version, and all headers, not including the body).
Example:
when HTTP_REQUEST {
if { [HTTP::uri] contains "secure"} {
HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}
}
Example:
If a client request URI contains the string "secure", redirect to the client to HTTPS.
when HTTP_REQUEST {
HTTP::redirect https://
[HTTP::host][HTTP::uri]
}
}
Example:
If a client request uri contains the string "Webdir", use service group
app-pool. If the request URI contains the string "Docdir", use service
group doc-pool.
when HTTP_REQUEST {
if { [HTTP::uri] contains "Webdir" } {
pool app-pool
} elseif { [HTTP::uri] contains "Docdir" } {
pool doc-pool
}
}

95 of 304

Events Related Information
Available Commands:
HTTP::cookie, HTTP::disable, HTTP::fallback,
HTTP::header, HTTP::host, HTTP::is_keepalive,
HTTP::is_redirect, HTTP::method, HTTP::path,
HTTP::payload, HTTP::query, HTTP::redirect,
HTTP::release, HTTP::request, HTTP::request_num,
HTTP::respond, HTTP::uri, HTTP::version, pool,
snat, URI::basename, URI::compare, URI::decode,
URI::encode, URI::host, URI::path, URI::port,
URI::protocol, URI::query
HTTP_REQUEST_DATA
Triggered whenever an HTTP::collect command finishes processing,
after collecting the requested amount of request data.
Example:
when HTTP_REQUEST_DATA {
set rpc_id [findstr [HTTP::payload] Authorization: 14 20]
persist uie $rpc_id
log local0. WE RECORDED $rpc_id AS THE PERSIST VARIABLE
HTTP::release
}
Related Information
Available Commands:
HTTP::fallback, HTTP::host, HTTP::is_keepalive,
HTTP::is_redirect, HTTP::method, HTTP::path,
HTTP::query, HTTP::redirect, HTTP::release,
HTTP::request, HTTP::request_num, HTTP::respond,
HTTP::uri, HTTP::version
96 of 304


Events -
HTTP_REQUEST_SEND
Triggered immediately before a request is sent to a server. This is a serverside event.
Example:
when HTTP_REQUEST_SEND {
TCP::collect 12
}
Related Information
Available Commands:
HTTP::header, HTTP::payload, IP::local_addr,
IP::server_addr
HTTP_RESPONSE
Triggered when the system parses all of the response status and header lines
from the server response.
Note:
HTTP_RESPONSE is specific to a SERVER response passing through

the load balancer, and is not triggered for locally-generated responses.
Example:
when HTTP_RESPONSE {
if { [HTTP::status] contains "404"} {
HTTP::redirect "http://www.siterequest.com/"
}
}
Related Information
Available Commands:
HTTP::cookie, HTTP::header, HTTP::host,
HTTP::is_keepalive, HTTP::is_redirect,
HTTP::payload, HTTP::redirect, HTTP::release,
HTTP::request_num, HTTP::respond, HTTP::retry,
HTTP::status, HTTP::version, IP::local_addr,
IP::server_addr, URI::query

97 of 304

Events -
HTTP_RESPONSE_CONTINUE
Triggered whenever the system receives a 100 Continue response from the
server.
Example:
when HTTP_RESPONSE_CONTINUE {
if { [HTTP::version] != 1.1 }
log Buggy server: sent 100-Continue to non-1.1 client!
}
}
HTTP_RESPONSE_DATA
Triggered whenever an HTTP::collect command finishes processing
on the server side of a connection, after collecting the requested amount of
response data. Also triggered if the server closes the connection before the
HTTP:collect command finishes processing.
Example:
when HTTP_RESPONSE_DATA {
regsub "oursite" [HTTP::payload] "oursitedev" fixeddata
log "Replacing payload with fixed data."
HTTP::payload replace 0 $clen $fixeddata
HTTP::release
}
Example:
HTTP::collect [HTTP::header Content-Length]
}
set clen [HTTP::payload length]
set newdata "Sorry, This website is
temporarily unavailable."
HTTP::payload replace 0 $clen $newdata
HTTP::respond 200 content [HTTP::payload]
}
Related Information
Available Commands:
HTTP::is_keepalive, HTTP::is_redirect,
HTTP::redirect, HTTP::release, HTTP::request_num,
HTTP::respond, HTTP::retry, HTTP::status,
HTTP::version
98 of 304


Events -
IP, TCP, and UDP Events

CLIENT_ACCEPTED
Triggered when a client has established a connection.
Note:
For UDP (and only UDP), the CLIENT_ACCEPTED event is triggered

on the first UDP packet received.
Note:
For TCP, the CLIENT_ACCEPTED event is triggered as follows:

For L4, without syn-cookie, it is triggered on the first packet.
For L4 with syn-cookie, and L7, it is triggered when a TCP hand-
shake is completed.
Example:
set curtime [TIME::clock seconds]
set formattedtime [clock format $curtime -format {%H:%S} ]
log "the time is: $formattedtime"
}
Example:
if { [IP::addr [client_addr] == 192.168.217.0/24] } {
discard
log "discard client from 192.168.217.0/24 "
}
}
Related Information
Available Commands:
IP::client_addr, IP::local_addr, IP::protocol,
IP::remote_addr, IP::server_addr, IP::tos, pool,
serverside, TCP::collect

99 of 304

Events -
CLIENT_CLOSED
Triggered at the end of any client connection, regardless of protocol.
Example:
when CLIENT_CLOSED {
if { [info exists ::active_clients($client_ip)] } {
incr ::active_clients($client_ip) -1
if { $::active_clients($client_ip) <= 0 } {
unset ::active_clients($client_ip)
}
}
}
Related Information
Available Commands:
IP::local_addr
CLIENT_DATA
Triggered when new data is received from the client while the connection is
in a collect state.
Note:
For UDP (and only UDP), the CLIENT_DATA event is automatically

triggered for each UDP packet received.
Example:
when CLIENT_DATA {
if { [UDP::payload 50] contains "XYZ" } {
pool xyz_servers
}
}
100 of 304


Events Example:
If a DNS request contains "abc", select service group abc-dns. If the

request contains "xyz", select service group xyz-dns.
when CLIENT_DATA {
log "UDP::payload 12 12 = [UDP::payload 12 12]"
if { [UDP::payload 12 12] contains "abc" } {
pool abc-dns
log " select pool abc-dns"
} elseif { [UDP::payload 12 12] contains "xyz" } {
pool xyz-dns
log " select pool xyz-dns"
}
}
Related Information
Available Commands:
pool
SERVER_CLOSED
Triggered when the server-side connection closes.
Example:
when SERVER_CLOSED {
log local0. "Server [IP::server_addr] has closed the connection"
}
Related Information
Available Commands:
IP::local_addr, IP::server_addr

101 of 304

Events -
SERVER_CONNECTED
Triggered when a connection has been established with the target node.
Example:
set vip [IP::local_addr] : [TCP::local_port]
}
when SERVER_CONNECTED {
set client [IP::client_addr]:[TCP::client_port]
set node [IP::server_addr]:[TCP::server_port]
}
when CLIENT_CLOSED {
# log connection info
log local0.info Client $client -> VIP: $vip -> Node: $node
}
Related Information
Available Commands:
IP::local_addr, IP::server_addr, snatpool
SERVER_DATA
Triggered when new data is received from the target node while the connection is in a hold state.
Note:
For UDP, the SERVER_DATA event is triggered for every packet. For
TCP, you need to issue a TCP::collect.
Example:
when SERVER_DATA {
set payload (TCP::payload)
}
Related Information
Available Commands:
AES::encrypt,AES::key,AES::decrypt,
RADIUS::avp,RADIUS::code,RADIUS::id,
RADIUS::length,TCP::payload, TCP::respond,
UDP::client_port,UDP::local_port,UDP::payload,
UDP::remote_port,UDP::server_port,UDP::respond,
pool, whereis
102 of 304


Events -
RAM Caching Events

CACHE_REQUEST
Triggered when a VIP receives a request for a cached object.
Example:
when CACHE_REQUEST {
if { [CACHE::age] > 60 } {
CACHE::expire
log local0. "Expiring content: Age > 60 seconds"
}
}
Related Information
Available Commands:
CACHE::age, CACHE::disable, CACHE::expire,
CACHE::hits
CACHE_RESPONSE
Triggered immediately prior to sending a cache response.
Example:
when CACHE_RESPONSE {
if { $::expired == 1 } {
CACHE::expire
log "cache expire"
set ::expired 0
}
}
Related Information
Available Commands:
CACHE::age, CACHE::disable, CACHE::expire,
CACHE::hits

103 of 304

Events -
DNS Events
DNS-related operations use the following events.
DNS_REQUEST
Triggered when the DNS request packet arrives.
Example:
when DNS_REQUEST {
set len [DNS::len]
log dns query pkt len = $len
}
Related Information
Available Commands:
DNS::len, DNS::header, DNS::question, DNS::rr,
DNS::answer, DNS::authority, DNS::additional,
DNS::name, DNS::type, DNS::class, DNS::ttl,
DNS::rdata, DNS::return, DNS::query
DNS_RESPONSE
Triggered when the DNS reply packet arrives.
Example:
when DNS_RESPONSE {
set len [DNS::len]
}
Related Information
Available Commands:
DNS::len, DNS::header, DNS::question, DNS::rr,
DNS::answer, DNS::authority, DNS::additional,
DNS::name, DNS::type, DNS::class, DNS::ttl,
DNS::rdata, DNS::return, DNS::query
104 of 304


Events -
FIX Events
Financial Information eXchange (FIX) load balancing uses the following
events.
FIX_REQUEST
Triggered when the system receives a FIX request.
Example:
when FIX_REQUEST {
if { [FIX::sender_compid] eq CLIENT1} {
pool sg2
}
}
Related Information
Available Commands:
FIX::begin_string, FIX::body_length,
FIX::msg_seq_num, FIX::msg_type,
FIX::sender_compid, FIX::target_compid,
FIX::sending_time
FIX_RESPONSE
Triggered when the system receives a FIX response.
Example:
when FIX_RESPONSE {
log [FIX::sender_compid] -> [FIX::target_compid]
}
Related Information
Available Commands:
FIX::begin_string, FIX::body_length,
FIX::msg_seq_num, FIX::msg_type,
FIX::sender_compid, FIX::target_compid,
FIX::sending_time

105 of 304

Events -
Diameter Load Balancing Events

Diameter load balancing uses the following events.
DIAMETER_REQUEST
Triggered when the system fully parses a complete Diameter request message.
Example:
when DIAMETER_REQUEST {
log "DIAMETER::cmd_code = [DIAMETER::cmd_code]"
}
Related Information
Available Commands:
DIAMETER::app_id, DIAMETER::avp,
DIAMETER::cmd_code, DIAMETER::length,
DIAMETER::version, pool
DIAMETER_ANSWER
Triggered when the system fully parses a complete Diameter answer message.
Example:
when DIAMETER_ANSWER {
}
Related Information
Available Commands:
DIAMETER::version, pool
106 of 304


Events -
DIAMETER_REQUEST_SEND
Triggered immediately before a Diameter request is sent by the ACOS
device.
Example:
when DIAMETER_REQUEST_SEND {
}
Related Information
Available Commands:
DIAMETER::version
DIAMETER_ANSWER_SEND
Triggered immediately before a Diameter answer is sent.
Example:
when DIAMETER_ANSWER_SEND {
}
Related Information
Available Commands:
DIAMETER::version

107 of 304

Events -
SSL Events
CLIENTSSL_CLIENTCERT
Triggered when the ACOS device receives an SSL client certificate.
Example:
when CLIENTSSL_CLIENTCERT {
set cert [SSL::cert 0]
set subject [X509::subject $cert]
}
Related Information
Available Commands:
SSL::cert, SSL::sessionid, SSL::verify_result,
X509::subject, X509::verify_cert_error_string
CLIENTSSL_HANDSHAKE
Triggered when an SSL handshake on the client side is completed.
Example:
when CLIENTSSL_HANDSHAKE {
set subject {X509::subject $cert]
}
Related Information
Available Commands:
SSL::cert, SSL::sessionid, SSL::verify_result,
X509::subject, X509::verify_cert_error_string
SERVERSSL_HANDSHAKE
Triggered when an SSL handshake on the server side is completed.
Note:
108 of 304
The new SSL commands for ACOS 2.7.1 are supported for the
SERVERSSL_HANDSHAKE event only.


Events Example:
when SERVERSSL_HANDSHAKE {
set subject {X509::subject $cert]
}
Valid Commands
SSL::cert,SSL::sessionid,
SSL::verify_result,X509::subject,
Required Release: ACOS 2.7.1 or higher
SIP Events
Beginning with AX Release 2.7.0, Session Initiation Protocol (SIP) events
are supported for the following:
SIP Session Initiation Protocol over UDP
SIP-TCP SIP over TCP
SIPS Secure SIP over TLS
Note:
For previous releases, only SIP over UDP is supported.
SIP_REQUEST
Triggered when the ACOS system receives a full SIP request header from
the client.
Example:
when SIP_REQUEST {
log sip id: [ SIP::call_id ]
}
Related Information
Available Commands:
SIP::call_id, SIP::from, SIP::header,
SIP::header_insert, SIP::method, SIP::respond,
SIP::response, SIP::to, SIP::uri, SIP::via,
snatpool

109 of 304

Events -
SIP_REQUEST_SEND
Triggered when the ACOS system sends the SIP request to the server.
Example:
when SIP_REQUEST_SEND {
log sip method: [ SIP::method ]
}
Related Information
Available Commands:
SIP::response, SIP::to, SIP::uri, SIP::via
SIP_RESPONSE
Triggered when the ACOS system receives a full SIP response from the
server.
Example:
when SIP_RESPONSE {
log response code: [SIP::response code]
}
Related Information
Available Commands:
SIP::response, SIP::to, SIP::uri, SIP::via,
snatpool
110 of 304


Events -
DBLB Events
DB_QUERY
Triggered when the ACOS receives a full SQL query from the client side.
Example:
when DB_QUERY {
set ret [ DB::query ]
log "aflex script got query $ret"
pool mssqlgroup
}
Valid Commands
All
DB_COMMAND
Triggered when the client sends an SQL command.
Example:
when DB_COMMAND {
set ret [ DB::command ]
log "aflex script got command number $ret"
pool mssqlgroup
}
Valid Commands
Al

111 of 304

Events -
112 of 304


Operators -
Operators
The following chapter describes the FleX operators.
Relational Operators
contains
Tests whether one string (string1) contains another string (string2).
Syntax
<string1> contains <string2>
Example:
when HTTP_REQUEST {
if { [HTTP::uri] contains "aol" } {
pool aol_pool
} else {
pool all_pool
}
}
Related Information
Valid Events: All
ends_with
Tests whether one string (string1) ends with another string (string2).
Syntax
<string1> ends_with <string2>
Example:
when HTTP_REQUEST {
set uri [HTTP::uri]
if { $uri ends_with ".gif" } {
pool my_pool
} elseif { $uri ends_with ".jpg" } {
pool your_pool
}
}

113 of 304

Operators Related Information
Valid Events: All
equals
Tests whether one string equals another string.
Syntax
<string1> equals <string2>
Example:
if { [matchclass [IP::remote_addr] equals $::aol] } {
pool aol_pool
} else {
pool all_pool
}
}
Related Information
Valid Events: All
114 of 304


Operators -
matches
Tests whether one string matches another string.
Syntax
<string1> matches <string2>
Note:
The "matches" operator uses the same comparison as the Tcl "string
match" command, which functions like a cut-down regular expression.
For the two strings to match, their contents must be identical except that the
following special sequences may appear in the pattern:
* Matches any sequence of characters in string, including a null string.
? Matches any single character in string.
[chars] Matches any character in the set given by chars. If a sequence
of the form x-y appears in chars, then any character between x and y,
inclusive, will match. When used with -nocase, the end points of the
range are converted to lower case first. Whereas {[A-z]} matches '_'
when matching case-sensitively ('_' falls between the 'Z' and 'a'), with
-nocase this is considered to be like {[A-Za-z]}. (This is probably what
was meant in the first place).
\x Matches the single character x. This provides a way of avoiding the
special interpretation of the characters *?[]\ in a pattern.

Example:
when HTTP_REQUEST {
if { [HTTP::uri] matches {*\\aol\\[a-z].html} } {
pool aol_pool
} else {
pool all_pool
}
}
Related Information
Valid Events: All

115 of 304

Operators -
matches_regex
Tests whether one string matches a regular expression.
Syntax
<string1> matches_regex <regex>
<string1> matches_regex <string2>
Tests if string2 is contained within string1.
Example:
when HTTP_REQUEST {
if { [HTTP::host] matches_regex "www\.([\w]*)\.com" } {
pool com_pool
} elseif { [HTTP::host] matches_regex "www\.([\w]*)\.edu" } {
pool edu_pool
}
}
Related Information
Valid Events: All
starts_with
Tests whether one string (string1) starts with another string (string2).
Syntax
<string1> starts_with <string2>
Example:
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/news" } {
pool news_pool
} elseif { [HTTP::uri] starts_with "/sports" } {
pool sports_pool
}
}
Related Information
Valid Events: All
116 of 304


Operators -
Logical Operators
and
Performs a logical and comparison between two values.
Syntax
<value1> and <value2>
Example:
when HTTP_REQUEST {
if { ([HTTP::uri] starts_with "/abc") and ([HTTP::host] equals "www.company.com") } {
pool pool1
} else {
pool pool2
}
}
Related Information
Valid Events: All
not
Performs a logical not on a value.
Syntax
not <value>
Example:
when HTTP_REQUEST {
if { not ([HTTP::uri] starts_with "/abc") } {
pool pool1
} else {
pool pool2
}
}
Related Information
Valid Events: All

117 of 304

Operators -
or
Performs a logical or comparison between two values.
Syntax
<value1> or <value2>
Example:
when HTTP_REQUEST {
if { ([HTTP::uri] starts_with "/abc") or ([HTTP::uri] starts_with "/cde") } {
pool pool1
} else {
pool pool2
}
}
Related Information
Valid Events: All
118 of 304


Commands - GLOBAL Commands
Commands
The following chapter describes the aFleX commands.
GLOBAL Commands
active_members
Returns number of active members in the pool.
Syntax
active_members <pool_name>
Example:
when HTTP_REQUEST {
if {[active_members pool1] >= 5} {
pool big_pool
}
}
Related Information
Valid Events: All
b64decode
Returns the specified string, decoded from base-64. Returns NULL if there
is an error.
Syntax
b64decode <string>
Example:
when HTTP_REQUEST {
set encrypted [HTTP::cookie "EncryptedCookie"]
set decrypted [b64decode $encrypted]
HTTP::cookie insert name "MyCookie" value $decrypted
}

119 of 304

Related Information
Valid Events: All
b64encode
Returns the specified string, encoded as base-64. Returns NULL if there is
an error.
Syntax
b64encode <string>
Example:
when HTTP_REQUEST {
HTTP::header insert SSLCERT [b64encode $cert]
}
Related Information
Valid Events: All
clientside
Causes the specified aFleX commands to be evaluated under the client-side
context. This command has no effect if the aFleX command is already being
evaluated under the client-side context.
Syntax
clientside {<aFleX commands>}
Example:
if { [IP::addr [clientside {IP::remote_addr}] == 10.1.1.80] } {
discard
}
}
Related Information
Valid Events: All
120 of 304


cpu
The cpu usage command returns the average CPU load for the given
interval. All averages are exponential weighted moving averages over the
interval.
Syntax
cpu usage [1sec | 5secs | 15secs | 1min | 5mins |
15mins | all_seconds | all_minutes]
Example:
when HTTP_REQUEST {
if { [cpu usage 5secs] <= 1} {
pool1
} else {
HTTP::redirect "http://anotherpool.com"
}
}
Related Information
Valid Events: All
discard
Causes the current packet or connection (depending on the context of the
event) to be discarded. This statement must be conditionally associated with
an if statement. This command performs the same function as the drop command.
Syntax
discard
Example:
if { [IP::addr [clientside {IP::remote_addr}] == 10.1.1.80] } {
discard
}
}
Related Information
Valid Events: All

121 of 304

domain
Parses the specified string as a dotted domain name and returns the last
<count> portions of the domain name.
Syntax
domain <string> <count>
Example:
when HTTP_REQUEST {
if { [HTTP::uri] ends_with "html" } {
pool cache_pool
set key [crc32 [concat [domain [HTTP::host] 2] [HTTP::uri]]]
}
}
Related Information
Valid Events: All
drop
Causes the current packet or connection (depending on the context of the
event) to be discarded. This command must be conditionally associated with
an if command. This command performs the same function as the discard
command.
Syntax
drop
Example:
if { [IP::addr [clientside {IP::remote_addr}] drop 10.1.1.80] } {
drop
}
}
Related Information
Valid Events: All
122 of 304


encoding
Convert the character encoding of a payload to the specified encodiing.
Syntax
encoding {convertfrom | convertto} <encoding>
Example:
See set encode on page 138.
event
Discontinue evaluating the specified aFleX event, or all aFleX events, on
this connection. However, the aFleX script continues to run.
Syntax
event [<name>] [enable | disable] | [enable all |
disable all]
Example:
if { [IP::client_addr] equals "10.1.1.1" } {
event HTTP_REQUEST disable
}
}
when HTTP_REQUEST {
log "HTTP Request from [IP::client_addr]"
}
Example:
event disable
}
Related Information
Valid Events: All

123 of 304

findstr
Find a string within another string and return the string starting at the offset
specified from the match.
Syntax
findstr <string> <search_string> [<skip_count>
[<terminator>]]
Finds the string <search_string> within <string> and returns a sub-string
based on the <skip_count> and <terminator> from the matched location.
Note the following:
The <terminator> argument may be either a character or length.
If the <skip_count> argument is not specified, it defaults to zero.
If the <terminator> argument is not specified, it defaults to the end of
the string.
This command, without <skip_count> or <terminator>, is equivalent to
the following Tcl command:

string range <string> [string first <string>
<search_string>] end
Example:
when HTTP_REQUEST {
if { [findstr [HTTP::uri] "type=" 5 "&"] eq "cgi" } {
pool cgi_servers
} else {
pool web_servers
}
}
Related Information
Valid Events: All
124 of 304


getfield
Splits a string on a character or string, and returns the string corresponding
to the specific field.
Syntax
getfield <string> <split> <field_number>
Example:
To extract only the hostname from the host header (strips any trailing ":###"
port specification)
when HTTP_REQUEST {
[getfield [HTTP::host] ":" 1]
}
To redirect any request for a domain.com host to the same hostname.subdomain @ domain.org (uses a multi-character split string and field_number 1
to extract only those characters in the hostname before the split string.):
when HTTP_REQUEST {
if { [HTTP::host] contains "domain.com"} {
HTTP::redirect https://[getfield [HTTP::host] ".domain.com"
1].domain.org[HTTP::uri]
}
}
Related Information
Valid Events: All
htonl
Convert the unsigned integer from host byte order to network byte order.
Syntax
htonl <hostlong>

125 of 304

Example:
when HTTP_REQUEST {
set hostlong 12345678
set netlong [htonl $hostlong]
}
Related Information
Valid Events: All
htons
Convert the unsigned short integer from host byte order to network byte
order.
Syntax
htons <hostshort>
Example:
when HTTP_REQUEST {
set hostshort 1234
set netshort [htons $hostshort]
}
Related Information
Valid Events: All
log
Generates and logs the specified message to the Syslog utility. This command works by performing variable expansion on the message as defined
for the HTTP profile Header Insert setting.
Note:
If not used appropriately, the log command can produce large amounts of
output.
Note:
The syslog facility is limited to logging 1024 bytes per request. Longer
strings will be truncated.
Syntax
log [<facility>.<level>] <message>
The facility can be one from "local0" to "local7" (Currently only "local0" is
supported). The level can be a number from 0 to 7, or the corresponding
126 of 304


level string, "EMERG", "ALERT", "CRIT", "ERR", "WARNING",
"NOTICE", "INFO", and "DEBUG".
Note:
There is a significant behavioral difference when the optional <facility>.<level> is specified. When aFleX logs messages without the facility
and/or level, they are rate-limited as a class and subsequently logged messages within the rate-limit period may be suppressed even though they are
textually different. However, when the <facility> and/or <level> are specified, the log messages are not rate-limited (though syslog will still perform suppression of repeated duplicates).
Example:
log local0. "Found $isCard $type CC# $card_number"
log local0.0 "Fatal error"
log local0.DEBUG "This is log message from facility local0 and level DEBUG"
Related Information
Valid Events: All
md5
Returns the RSA MD5 Message Digest Algorithm message digest of the
specified string.
Syntax
md5 <string>
Example:
set value1 [md5 1234567890]
log local0.4 md5 $value1
}
Related Information
Valid Events: All
Required AX Release: 2.4.3 or higher

127 of 304

members
Counts or lists all members in a service group.
Syntax
members [list] <pool>
The list option lists the members. If you omit this option, the command
counts the members.
Example:
log "members [members list sg1]"
}
Related Information
Valid Events: All
nexthop
Sets the next hop for a connection.
Syntax
nexthop <ipaddr>
Example:
When CLIENT_ACCEPTED {
If {[IP::addr [IP::client_addr] equals 10.0.0.0/8]} {
nexthop 20.20.20.1
} else {
Log use default nexthop
}
}
Related Information
Valid Events: All
128 of 304


For the following events, this command overwrites the default reverse nexthop IP address:
EVENT_HTTP_RESPONSE
EVENT_HTTP_RESPONSE_CONTINUE
EVENT_HTTP_RESPONSE_DATA
EVENT_SERVER_CONNECTED
EVENT_SERVER_DATA
For other events, this command overwrites the forward next-hop IP address.
Required AX Release: 2.6 or higher
node
Causes the specified server node (that is, IP address and port number) to be
used directly, thus bypassing any load-balancing.
Syntax
node <addr> [<port>]
Note:
The node command requires that the real server (node) and service port
already be configured. They also must be configured as a member of a
service group.
Note:
Connection limiting and connection rate limiting are not applied to a node
if it is selected by this command.
Example:
when HTTP_REQUEST {
node 10.1.2.200 80
}
}

129 of 304

ntohl
Convert the unsigned integer from network byte order to host byte order.
Syntax
ntohl <netlong>
Example:
when HTTP_REQUEST{
set netlong 12345678
set hostlong [ntohl $netlong]
}
Related Information
Valid Events: All
ntohs
Convert the unsigned short integer from network byte order to host byte
order.
Syntax
ntohs <netshort>
Example:
when HTTP_REQUEST {
set netshort 1234
set hostshort [ntohs $netshort]
}
Related Information
Valid Events: All
130 of 304


persist
Set client persistence based on any value you choose.
Note:
Syntax
Sets the key for an entry on the persistence table, which maps the client
to an SLB resource (real server, real server port, or service group). If the
persistence table contains the specified key, the ACOS device uses the
SLB resource that key is mapped to in the table. Otherwise, the ACOS
device uses SLB to select a resource and creates a corresponding persistence table entry. The uie option stands for Universal Inspection
Engine, indicating that you can set persistence based on any key.
The <timeout> specifies how many seconds the persistence entry can
remain in the table after the last time traffic from the client is sent to the
server. The default is 1800 seconds. Internally, the timeout is converted
to minutes and is decremented one minute at a time.
[dont_honor_conn_rules]
Ignores server template limits for persistence server selection.
persist add uie <key> [<timeout>]
Adds an entry to the persistence table. This command differs from the
command above in that it does not first check the persistence table for an
existing entry for the key. The persist add form of the command is
useful for setting persistence based on data that is set on the server and is
therefore first observed by the ACOS device in the server response,
rather than in the client request.

131 of 304

persist lookup uie <key>
[all | node | port | pool]
Performs a lookup in the persistence table for an entry with the specified
key:
all Returns all the values listed below. (If you do not specify this
option or one of the following options, this is equivalent to specifying all.
node Returns the real server IP address.
port Returns the real service port number.
pool Returns the pool (service group) name.
persist delete uie <key>
Deletes the persistence table entry for the specified key.
<key> Syntax
The <key> specifies the data upon which the persistence is based. The
<key> can be specified with one of the following options:
<specified-value>
Persist to the same real server and port, if the traffic contains the specified
key value and is sent to the same virtual port.
{<specified-value>
[any virtual | any service | any pool]
[pool <pool-name>]}
The options provide the following behavior:
<specified-value> Key value.
any virtual Persist to the same real server and port, if the
traffic contains the specified key value and is sent to the same virtual port and service group (pool).
any service Persist to the same real server, if the traffic contains the specified key value and is sent to the same virtual server, to
any virtual port.
any pool Persist to the same real server, if the traffic contains
the specified key value.
pool <pool-name> Persist to the same real server and port, if
the traffic contains the specified key value and is sent to the same
virtual port and to the specified service group.
132 of 304


Displaying Persistent Sessions
To display the persistent sessions managed by this aFleX command, use the
following command in the CLI:
show session persist uie
Example:
The following script provides persistence on a VIP on any port.
set IP [IP::client_addr]
persist add uie { $IP any virtual } 1800
}
when HTTP_REQUEST {
set p [ persist lookup uie { $IP any service } all ]
if { $p ne "" } {
log local0. "Found in persistency-table ([lindex $p 0] [lindex
$p 1] [lindex $p 2])"
node [lindex $p 1] [lindex $p 2]
}
}
Example:
The following script provides the same persistence for a client IP address
accessing one VIP and port:
persist add uie $IP 1800
}
when HTTP_REQUEST {
persist uie $IP
}

133 of 304

Example:
The following script provides the same persistence for a client IP address
accessing any VIP and any port:
persist add uie { $IP any service } 1800
}
when HTTP_REQUEST {
set p [ persist lookup uie { $IP any service } all ]
if { $p ne "" } {
log local0. "Found in persistency-table ([lindex $p 0] [lindex
$p 1] [lindex $p 2])"
node [lindex $p 1] [lindex $p 2]
}
}
Related Information
Valid Events: All
pool
Causes the system to load balance traffic to the specified pool or pool member.
Note:
Pool / member may be selected conditionally. If multiple conditions

match, the last match will determine the pool/member to which this traffic
is load balanced.
Note:
Syntax
pool <pool_name>
pool <pool_name> [member <addr> [<port>] ]
pool <pool_name>
134 of 304


Example:
pool my_pool
}
}
Related Information
Valid Events:
CLIENT_ACCEPTED, CLIENT_DATA, HTTP_REQUEST,
HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, LB_FAILED,
NAME_RESOLVED
Events which do not generate an error, but are not likely valid for this command:
HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE,
HTTP_RESPONSE_DATA, LB_SELECTED, SERVER_CLOSED,
SERVER_CONNECTED, SERVER_DATA
use
This command is provided for backwards compatibility. The use statement
must be paired with certain commands such as node, and pool. However,
A10 Networks recommends using the commands node and pool directly.
Syntax
use <object> <object_name>
Example:
when HTTP_REQUEST {
if { [HTTP::uri] contains "aol" } {
use pool aol_pool
} else {
use pool all_pool
}
}
Related Information
Valid Events: All

135 of 304

reject
Causes the connection to be rejected, returning a reset as appropriate for the
protocol.
Syntax
reject
Example:
if { [IP::addr [clientside {IP::remote_addr}] equals 10.1.1.80] } {
drop
}
}
Related Information
Valid Events: All
serverside
Causes the specified aFleX command or commands to be evaluated under
the server-side context. This command has no effect if the aFleX policy is
already being evaluated under the server-side context.
Syntax
serverside { <aFleX command> }
Example:
if {[IP::addr [serverside {IP::remote_addr}] equals 10.1.1.80] } {
discard
}
}
Related Information
Valid Events: All
136 of 304


session
Manage SSL sessions.
Syntax
session add ssl <key> <data> [<timeout>]
session lookup ssl <key>
session delete <mode> <key>
The session add ssl command creates a table to store SSL information. If an
SSL table already exists, the command adds an entry to the table. Generally,
the <key> is the session ID and the data is the SSL verify_result or the SSL
certificate.
The session lookup ssl command Searches the SSL table for information
about the specified key.
The session delete command deletes an SSL entry.
Example:
set cert1 [SSL::cert 0]
session add ssl [SSL::sessionid] $cert1 300
}
when
HTTP_REQUEST {
set cert2 [session lookup ssl [SSL::sessionid]]

}
Related Information
Valid Events:
CLIENT_ACCEPTED, HTTP_REQUEST, HTTP_RESPONSE,
CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE

137 of 304

set encode
Set the character encoding for data payloads.
Syntax
set encode "<encoding>"
Example:
Here is an example of an aFleX policy that converts payload data into Japanese encoding Shift_JIS:
if { [HTTP::header "Content-Type"] contains "Shift_JIS" } {
set encode "shiftjis"
HTTP::collect
}
}
set hoge [HTTP::payload length]
set payload [encoding convertfrom $encode [HTTP::payload]]
regsub -all "abc" $payload "xyz" newdata
set newdata3 [encoding convertto $encode $newdata]
HTTP::payload replace 0 $hoge $newdata3
HTTP::release
}
Related Information
Valid Events: All
sha1
Returns the Secure Hash Algorithm version 1.0 (SHA1) message digest of
the specified string.
Note:
If an error occurs, an empty string is returned.

Syntax
sha1 <string>
138 of 304


Related Information
Valid Events: All
snatpool
Uses the specified pool of IP addresses as translation addresses to create a
SNAT. The command uses the specified NAT pool instead of the NAT pool
that is already bound to the virtual port in the AX configuration.
Syntax
snatpool <snatpool_name>
The <snatpool_name> option specifies the name of a configured IP
address pool.
snatpool none
The none option disables the SNAT.
Note:
A NAT pool must already be bound to virtual port in the AX configuration. This is the virtual ports default NAT pool.
Note:
The IP type (IPv4 or IPv6) of the pool must be the same as the IP type of
the real servers.
Example:
if { [IP::addr [IP::local_addr] equals 10.0.0.35] } {
snatpool snat_a
} else {
snatpool snat_b
}
}
Related Information
Valid Events:
CLIENT_ACCEPTED, HTTP_REQUEST, LB_SELECTED
Valid Events added with AX Release 2.7.0:
SIP_REQUEST, SIP_RESPONSE

139 of 304

Note:
For Layer 4 virtual ports, the snatpool command must be triggered by

a CLIENT_ACCEPTED or LB_SELECTED event. For Layer 7 ports, the
snatpool command must be triggered by a HTTP_REQUEST event.
substr
Returns a sub-string named <string>, based on the values of the
<skip_count> and <terminator> arguments.
Syntax
substr <string> <skip_count> [<terminator>]
Notes
The <skip_count> and <terminator> arguments are used in the same
way as they are for the findstr command.

The <skip_count> argument is the index into <string> of the first char-
acter to be returned, where 0 indicates the first character of <string>.

The <terminator> argument can be either the substring length or the sub-
string terminating string.

If <terminator> is an integer, the returned string will include that many
characters, or up to the end of the string, whichever is shorter.

If <terminator> is a string, the returned string will include characters up
to but not including the first occurrence of the string.

If <terminator> is a string which does not occur in the search space,
from <skip_count> to the end of <string> is returned.

This command is equivalent to the Tcl string range command except that
the value of the <terminator> argument may be either a character or a

count.
140 of 304


Example:
when HTTP_REQUEST {
set uri [substr $uri 1 "?"]
log local0. "Uri Part = $uri"
}
log "[substr "abcdefghijklm" 2
"x"]"
"gh"]"
4]"
20]"
0]"
The above example logs the following:

cdefghijklm
cdef
cdef
cdefghijklm
cdefghijklm
Related Information
Valid Events: All
switch
Built-in Tcl command. Evaluates one of several scripts, depending on a
given value.
Syntax
switch ?options? string {pattern body ?pattern
body ...?}
Matches its string argument against each of the pattern arguments in order.
As soon as it finds a pattern that matches string, it evaluates the following
body argument by passing it recursively to the Tcl interpreter and returns the
result of that evaluation. If the last pattern argument is "default", then it
matches anything. If no pattern argument matches string and no default is
given, then the command returns an empty string.
If the initial arguments start with "-", then they are treated as options. The
following options are currently supported:
-exact Use exact matching when comparing string to a pattern. This is
the default.
-glob When matching string to the patterns, use glob-style matching
(the same as implemented by the string match command).

141 of 304

-regexp When matching string to the patterns, use regular expression
matching (the same as implemented by the regexp command).

-- Marks the end of options. The argument following this one will be
treated as string even if it starts with a "-".

Two syntaxes are provided for the pattern and body arguments.
The first uses a separate argument for each of the patterns and commands;
this form is convenient if substitutions are desired on some of the patterns or
commands.
The second form places all of the patterns and commands together into a
single argument; the argument must have proper list structure, with the elements of the list being the patterns and commands. The second form makes
it easy to construct multi-line commands, since the braces around the whole
list make it unnecessary to include a backslash at the end of each line. Since
the pattern arguments are in braces in the second form, no command or variable substitutions are performed on them; this makes the behavior of the
second form different than the first form in some cases.
If a body is specified as "-" it means that the body for the next pattern
should also be used as the body for this pattern (if the next pattern also has a
body of "-" then the body after that is used, and so on). This feature makes it
possible to share a single body among several patterns.
Note:
If the result of the switch evaluation is invalid, the script will stop but
no compile error will be displayed. To avoid this, make sure that all possible outcomes are valid, or consider using if ... elseif syntax instead
of switch.
For example, the following script will give a compile error, as expected:
pool $invalid-pool-name
}
However, the following script will not give a compile error:
$value = $somevalue
switch $value {
0 {
pool $invalid-pool-name
}
default {
}
}
}
142 of 304


Example:
This example will return 2:
switch abc a - b {format 1} abc {format 2} default {format 3}
This example will return 3:

switch xyz {
a
b
{format 1}
a*
{format 2}
default
{format 3}
}
This example will send traffic with host header "www.domain.com" to pool
www, host header "www.domain2.com" will cause header manipulation and
URI rewriting to take place first, and requests with any other host header
will be discarded:
switch [string tolower [HTTP::host]] {
www.domain.com { pool www }
www.domain2.com {
HTTP::header insert Header1 domain2
HTTP::header replace Host www.domain.com
[HTTP::uri] "/domain2[HTTP::uri]"
pool www
}
default { discard }
}
Related Information
Valid Events: All

143 of 304

virtual
Return the name of the associated virtual server that the connection is flowing through.
Syntax
virtual name
Example:
when HTTP_REQUEST {
log local0. "Virtual Server: [virtual name]"
}
Related Information
Valid Events: All
when
Specify an event in an aFleX script. All aFleX events begin with a when
command. You can specify multiple when commands within a single aFleX
script.
Syntax
when <event_name>
Example:
pool my_pool
}
}
Related Information
Valid Events: All
whereis
Returns geo-location information for a given IP address. The command performs a lookup in the geo-location database in use on the ACOS device. For
example, you can use this command in a script that looks up information in
a geo-location database from a third-party vendor such as MaxMind or
Neustar IP Intelligence.
144 of 304


Syntax
whereis <ipaddr>
Example:
The following example uses a geo-location database from a thirdparty vendor to look up the location of clients who send requests to a
specific VIP.
To use the geo-location database, you must import it onto the ACOS device
as a comma-separated values (.csv) file, load it to activate it, then use a template to specify the data fields to extract from the database.
This example uses a geo-location database that contains entries in the following format:
"0000000000","0016777215","","","",""
"0016777216","0016777471","AU","AUSTRALIA","OC","OCEANIA"
"0016777472","0016778239","CN","CHINA","AS","ASIA"
"0016779264","0016781311","CN","CHINA","AS","ASIA"
"0016781312","0016785407","JP","JAPAN","AS","ASIA"
"0016785408","0016793599","CN","CHINA","AS","ASIA"
"0016793600","0016809983","JP","JAPAN","AS","ASIA"
"0016809984","0016842751","TH","THAILAND","AS","ASIA"
...
"3758093312","3758094335","IN","INDIA","AS","ASIA"
"3758095360","3758095871","CN","CHINA","AS","ASIA"
"3758095872","3758096127","SG","SINGAPORE","AS","ASIA"
...
Each entry in this database has 6 fields. The aFleX script will use a GSLB
CSV template to look up the data in 4 of the fields:
ip-from, ip-to-mask, country, , , continent

145 of 304

This example uses the following aFleX script to perform lookups in the
database:
log "Country=[lindex [whereis 74.125.224.35] 0]"
log "Continent=[lindex [whereis 74.125.224.35] 1]"
}
The following steps show the AX configuration required to install the geolocation database and use the aFleX script to look up data in the database.
1. The following command imports a geo-location database file in .csv
format onto the ACOS device:
AX#import geo-location ipligence-lite.csv use-mgmt-port scp://
root@192.168.209.80:/ipligence-lite.csv
Password []********
Importing ...
2. The following commands change the CLI to the global configuration

level, and configure a template for extracting data from the geo-location
database:
AX#config
AX(config)#gslb template csv geo-lookup
AX(config-gslb template csv)#field 1 ip-from
AX(config-gslb template csv)#field 2 ip-to-mask
AX(config-gslb template csv)#field 6 continent
AX(config-gslb template csv)#field 3 country
AX(config-gslb template csv)#exit
146 of 304


3. The following commands load the geo-location database (the .csv file)
to activate it, and verify that it is loaded and activated:
AX(config)#gslb geo-location load ipligence-lite.csv geo-lookup
AX(config)#show gslb geo-location file
Per = Percentage of loading, Err/W = Error or Warning
T = T(Template)/B(Built-in)
Filename
T Template
Per Lines
Success Err/W
-------------------------------------------------------------------------------iana*
B
100% 77
77
0
ipligence-lite.csv
T test
100% 191805
191805
4
4. The following command texts the database by looking up the location

information for a client IP address:
AX(config)#show gslb geo-location ip 74.125.224.33
Last = Last Matched Client, Hits = Count of Client matched
T = Type, Sub = Count of Sub Geo-location
G(global)/P(policy), S(sub)/R(sub range)
M(manually config)/B(built-in)
Global
Name
From
To
Last
Hits
Sub T
-------------------------------------------------------------------------------NORTH AMERICA 74.124.206.88
74.126.95.255
0
17821GR
.US

147 of 304

5. The following command adds the aFleX script to the ACOS device. In
this example, the script is copied-and-pasted into the CLI. Alternatively,
the script can be configured elsewhere and then imported as a file.
AX(config)#aflex create geo-lookup-script
Type in your aFleX script (type . on a line by itself when done)
}
.
aFleX geo-lookup-script created; syntax check passed.
6. The following commands bind the aFleX script to a virtual port.

AX(config)#slb virtual-server vip-L7-25-130 10.10.10.130
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#aflex geo-lookup-script
AX(config-slb vserver-vport)#end
148 of 304
Note:
For simplicity, the example does not show configuration of the real servers and service group. However, these also are required for a functioning
configuration. Likewise, configuration for network connectivity, such as
use of Network Address Translation (NAT), may be needed in a live network but is not shown here.
Note:
The end command is not part of the VIP configuration. The end command
simply returns the CLI prompt directly to the Privileged EXEC configuration level.


7. After some traffic is sent to the VIP, the ACOS log lists the geo-location
information for the client:
ACOS#show log
Log Buffer: 30000
May 15 2012 04:15:37 Info
[AFLEX]:geo_test:Continent=ASIA
May 15 2012 04:15:37 Info
[AFLEX]:geo_test:Country=CN
May 15 2012 04:15:37 Info
[AFLEX]:geo_test:Continent=NORTH AMERICA
May 15 2012 04:15:37 Info
[AFLEX]:geo_test:Country=US
May 15 2012 04:15:37 Info
[AFLEX]:geo_test:Continent=NORTH AMERICA
May 15 2012 04:15:37 Info
[AFLEX]:geo_test:Country=US
Related Information
Valid Events:
CLIENT_ACCEPTED, LB_FAILED, LB_SELECTED,
CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED,
SERVER_CONNECTED, SERVER_DATA, HTTP_REQUEST,
HTTP_REQUEST_DATA, HTTP_REQUEST_SEND,
HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE,
HTTP_RESPONSE_DATA
Global Variable Commands

Beginning with ACOS 2.7.1, you can use the following operators to quickly
modify global variables across multiple parameters.
set
Syntax
set <global_variable> <value>
Sets the <global_variable> to the specified <value>. If the variable does not
exist, this command will create a new variable.
Related Information
Valid Events: All

149 of 304

incre
Syntax
incre <global_variable>
Increments the <global_variable> by a value of 1.
Related Information
Valid Events: All
get
Syntax
get <global_variable>
Returns the value of the specified <global_variable>.
Related Information
Valid Events: All
unset
Syntax
unset <global_variable>
Deletes the value for the <global_variable>. This command will cause the
specified variable to return an empty string.
Related Information
Valid Events: All
150 of 304


Commands - Table Commands
array
Syntax
array set <global_array> <key> <value>
Sets the values of one or more elements in the <global_array>.
array size <global_array>
Gets the number of elements in the <global_array>.
array names <global_array>
Returns a list of names for all elements in the <global_array>.
array get <global_array> <key>
Gets a list of all pairs of elements in the <global_array>.
Related Information
Valid Events: All
Table Commands
Beginning with ACOS 2.7.1, you can use the following aFleX commands to
manage a table of data entries.
Table Entry Expiration Date
You can configure the <lifetime> and <timeout>
values to
predefine an expiration date for the table entries. The following list defines
conditions for using these options.
Set an Indefinite Expiration Time Use indefinite or indef for the
<timeout> or <lifetime> parameters to allow an entry to remain

in the table indefinitely. These entries will not expire and can only be
removed from the table explicitly or when the ACOS device is rebooted.
Apply Existing Configuration Specify the <lifetime> or
<timeout> as 0 to use existing configuration. For new entries, this

will set the <lifetime> or <timeout> to the default values.

151 of 304

Default Values
If <timeout> is not specified, the timeout is set to the default of 180
seconds.
If <lifetime> is not specified, the lifetime is set to indefinite.
Notes
By default, session table entries are synced to the peer unit.
Depending on the aFleX event used in the policy, you can track connec-
tions or requests. The CLIENT_CONNECTED event represents TCP

connections, whereas the HTTP_REQUEST event represents every
individual request.
The <lifetime> option sets the entry to expire after the specified
period of time, regardless of how many changes or lookups are performed on the entry.
An entry can have both a configured lifetime and timeout. The entry is
removed from the table for whichever expiration time comes first.
table set
Syntax
table
set
<name>
[<lifetime>]]
<key>
<value>
[<timeout>
Sets a key in the table with the specified <value>. Optionally, you can apply
a <timeout> and <lifetime> to the entry.Returns the entrys value after the
set operation is complete. This command adds a key if it does not already
exist.
Related Information
Valid Events: All
table add
Syntax
table
add
<name>
[<lifetime>]]
152 of 304
<key>
<value>
[<timeout>


Adds a key to the table with the specified <key> number and associated
<value>. Optionally, you can apply a <timeout> and <lifetime> to the entry.
If the key already exists, a key is not inserted and the existing value is
returned.
Related Information
Valid Events: All
table replace
Syntax
table replace
[<lifetime>]]
<name>
<key>
<value>
[<timeout>
Replaces the value in the table with the specified <key> or <value>. Optionally, you can apply a <timeout> and <lifetime> to the entry. This command
returns the entrys value after completing the replacement. If the specified
key does not exist, no action is taken and an empty string is returned.
Related Information
Valid Events: All
table lookup
Syntax
table lookup <name> [-notouch] <key>
Returns the value associated with the specified key. If -notouch is specified,
then any existing entries for the key will not have an updated timestamp.
Related Information
Valid Events: All

153 of 304

table incr
Syntax
table incr <name> [-notouch] <key> [<num>]
Increments the value associated with the specified key, in the specified
table. If you do not specify a value for <num>, 1 is used by default. If notouch is specified, then any existing entries for the key will not have an
updated timestamp.
Note:
This command returns the entrys value after the operation is complete. If
the specified key does not exist, then no action is taken.
Related Information
Valid Events: All
table append
Syntax
table append <name> [-notouch] <key> <string>
Appends a string to the value associated with the specified key. If
-notouch is specified, then any existing entries for the key will not have
an updated timestamp.
Note:
If the key does not exist, then no action is taken. This command returns
the entrys value after the operation is complete.
Related Information
Valid Events: All
table delete
Syntax
table delete <name> <key>|-all
154 of 304


Deletes the <key> or value pair with the specified key. If -all is specified in addition to a table name, all keys and value pairs for that table are
deleted.
Related Information
Valid Events: All
table timeout
Syntax
table timeout <name> [-remaining] <key>
table timeout <name> <key> [<value>]
Returns the timeout for the specified key. Optionally, this command also
sets the timeout for the key. Specify the -remaining option to return the
remaining time before the expiration timeout, instead of the timeout itself.
Note:
This command returns -1 if no timeout is set for the specified key or the
timeout is indefinite.
Related Information
Valid Events: All
table lifetime
Syntax
table lifetime <name> [-remaining] <key>
table lifetime <name> <key> [<value>]
Returns the lifetime for the specified key. Optionally, this command also
sets the lifetime for the key. Specify -remaining to return the remaining time
before the expiration lifetime, instead of the lifetime itself.
This command returns -1 if no lifetime is set for the specified key or the
lifetime is indefinite.

155 of 304

Related Information
Valid Events: All
table keys
Syntax
table keys <name> [-count|-notouch]
Returns a list of key and value pairs for the specified table. If -notouch is
specified, then existing entries will not have an updated timestamp. If count is specified, then the table entries will not have an updated timestamp
and the command returns the number of keys in the specified table.
Note:
A10 Networks does not recommend using this command frequently in an

aFleX policy. The table keys command provides useful debugging capabilities, but can lower system performance when used repeatedly.
Related Information
Valid Events: All
156 of 304


Example:
In this example, the aFleX policy blacklists IP addresses for 10 minutes if traffic from the IP address makes more than 100 DNS queries
per second:
when RULE_INIT {
set ::maxquery 100
set ::holdtime 600
}
set srcip [IP::remote_addr]
if { [table lookup "blacklist" $srcip] != "" } {
drop
log "$srcip is blocked, the packet is dropped."
return
}
set key "count:$srcip:$curtime"
if { [table lookup tmp_table $srcip] == "" } {
table set tmp_table $srcip 1
log "$srcip's session table is created."
}
set count [table incr tmp_table $srcip]
log "session count=$count"
table lifetime tmp_table $srcip 2
if { $count > $::maxquery } {
table add "blacklist" $srcip "blocked" indef $::holdtime
log "blacklist table is created with $srcip "
table delete tmp_table $srcip
drop
return
}
}

157 of 304

Commands - Class List Commands
Class List Commands

Notes:
The class-list must be configured and attached to the same vport as the
aFleX script using a policy template.

Class list commands require the LID to be defined in the configuration,
either globally or on the virtual-server or virtual port.

Multiple LID definitions may be available for a non-global LID. This
includes a LID in a policy template bound to a virtual port, a LID in a

DNS template bound to a virtual port, a LID in a policy template bound
to a virtual server, and a LID configured in a system-wide policy template. For more information, see LID Commands on page 162.
CLASS::exists
Returns a Boolean value that indicates whether the class list exists.
Syntax
CLASS::exists <list-name>
Example:
when HTTP_REQUEST {
log classlist1 exists: [CLASS::exists classlist1]
}
Related Information
Valid Events: All
CLASS::match
Queries class lists to check for matches and returns any component of a
matching entry.
Notes:
Queries to a string class list are case-sensitive. Queries to a DNS class
list gives no respect to character case.

In this release, string class lists can be referenced by name and exter-
nally modified. (See Example 2 on page 160.)
158 of 304


Class commands read class lists only and do not modify the entries in
any way.
Syntax for Class List of Types Other than String
CLASS::match <param> <list-name> [ip | dns]
Returns whether <param> matches an [ip | dns] entry in class list
<list-name>. Omitting the [ip | dns] argument will result in IP entries in the
class list being searched first, followed by DNS entries.
CLASS::match <param> <list-name> <key> [ip | dns]
Returns key of match when <param> matches an [ip | dns] entry in class list
<list-name>. Omitting the [ip | dns] argument will result in IP entries in the
class list being searched first, followed by DNS entries.
CLASS::match <param> <list-name> <lid> [ip | dns]
Returns LID of match (only if configured) when <param> matches an
[ip | dns] entry in classlist <list-name>. Omitting the [ip | dns] argument will
result in IP entries in the class list being searched first, followed by DNS
entries.
Example:
when HTTP_REQUEST {
log Matches: [CLASS::match abcd classlist1]
log Key of Match: [CLASS::match abcd classlist1 key]
log LID of Match: [CLASS::match abcd classlist1 lid]
}
Note:
To perform a comparison of IP address 10.10.10.1 with a list of addresses

in a class list, use either of the following lines of syntax:
[CLASS::match 10.10.10.1 $classlist ip]
or
[CLASS::match [IP::client_addr] $classlist ip]
Use of IP::addr is not necessary if the CLASS::match command is used to

perform address-to-address comparison.
Syntax for Class Lists of Type String
Returns whether <param> matches an entry in class list <classname>.
CLASS::match <param> <operator> <list-name> <key>
Returns key of match when <param> matches an entry in class list
<list-name>.

159 of 304

CLASS::match <param> <operator> <list-name> <lid>
Returns LID of match when <param> matches an entry in class list
<list-name>.
<value>
Returns value of match when <param> matches an entry in class list
<list-name>.
The <operator> can be any of the following: starts_with, ends_with, contains, equals
Note:
Beginning with AX Release 2.7.0, the maximum number of string entries

for a class list depends on the total available system memory of the ACOS
device.
Memory Size 80GB or greater 64K entries
Memory Size 7GB or less 4K entries
Example 1
when HTTP_REQUEST {
log Matches: [CLASS::match abcd starts_with classlist1]
log Key of Match: [CLASS::match abcd starts_with classlist1 key]
log LID of Match: [CLASS::match abcd starts_with classlist1 lid]
}
Example 2
This example imports the values of a string class list named cs1.
when HTTP_REQUEST {
if {[HTTP::cookie exists cookie-name]}{
set cookie_value [HTTP::cookie cookie-name]
if { $cookie_value != } {
set redirect_url [CLASS::match $cookie_value equals cs1 value]
if { $redirect_url != } {
HTTP::redirect $redirect_url
}
}
}
}
Related Information
Valid Events: All
160 of 304


CLASS::names
Returns a list of class-list names.
Syntax
CLASS::names
Example:
when HTTP_REQUEST {
log "list of class-lists: [CLASS::names]"
}
Related Information
Valid Events: All
CLASS::type
Returns the type of the specified class list.
Syntax
CLASS::type <list-name>
The type value that can be returned by aFleX depends on whether the type
was explicitly specified during class-list configuration.
Explicitly configured: dns, ipv4, ipv6, string
Implicitly configured by the ACOS device based on the class-list
entries: [], [dns], [ipv4], [ipv6], [dns, ipv4], [dns, ipv6]

If the type is a pair of empty brackets ( [] ), the class list does not contain
any entries.
Example:
when HTTP_REQUEST {
log "classlist1 type: [CLASS::type classlist1]"
}

161 of 304

Commands - LID Commands
Related Information
Valid Events: All
LID Commands
Commands for reading Limit IDs (LIDs).
Note:
Multiple LID definitions may be available for a non-global LID. This

includes a LID in a policy template bound to a virtual port, a LID in DNS
template bound to a virtual port, a LID in a policy template bound to a virtual server, and a LID configured in a system-wide policy template.
Note:
To apply these commands, the LID must be configured and attached to the
same vport as the aFleX policy using the template. If GLID is used, it
must be configured and enabled on the configuration.
LID::conn_limit
Returns a list of conn-limit and LID type, one each for a matching LID
where conn-limit is configured.
Syntax
LID::conn_limit <lid-id>
Example:
when HTTP_REQUEST {
log "glid1 conn-limit: [LID::conn_limit glid1]"
}
Related Information
Valid Events: All
162 of 304


LID::conn_rate_limit
Returns a list of conn-rate-limit values and LID type, one each for a matching LID where conn-rate-limit is configured.
Syntax
LID::conn_rate_limit <param>
Example:
when HTTP_REQUEST {
log "glid1 conn-rate-limit: [LID::conn_rate_limit glid1]"
}
Related Information
Valid Events: All
LID::exists
Returns a Boolean value that indicates whether the specified LID exists.
Syntax
LID::exists <lid-id>
Example:
when HTTP_REQUEST {
log "glid1 exists: [LID::exists glid1]"
}
Related Information
Valid Events: All

163 of 304

LID::nat_pool
Returns a list of string and LID type, one each for a matching LID where
nat-pool is configured.
Syntax
LID::nat_pool <lid-id>
Example:
when HTTP_REQUEST {
log "glid1 nat-pool: [LID::nat_pool glid1]"
}
Related Information
Valid Events: All
LID::request_limit
Returns a list of request-limit and LID type, one each for a matching LID
where request-limit is configured.
Syntax
LID::request_limit <param>
Example:
when HTTP_REQUEST {
log "glid1 request-limit: [LID::request_limit glid1]"
}
Related Information
Valid Events: All
164 of 304


LID::request_rate_limit
Returns a list of request-rate-limit values and LID type, one each for a
matching LID where conn-rate-limit is configured.
Syntax
LID::request_rate_limit <param>
Example:
when HTTP_REQUEST {
log "glid1 request-rate-limit: [LID::request_rate_limit glid1]"
}
Related Information
Valid Events: All
LID::type
Returns a list of LIDs of the specified type.
Syntax
LID::type <param>
Returns a list of LID types, one each for a matching LID. The type can be
one of the following: global, vport-policy, vport-dns, vserver-policy, system
policy
Example:
when HTTP_REQUEST {
log "glid1 type: [LID::type glid1]"
}
Related Information
Valid Events: All

165 of 304

Commands - Link Commands
Link Commands
LINK::lasthop
Returns the MAC address of the last hop.
Syntax
LINK::lasthop
Example:
set sip [IP::addr [IP::remote_addr]]
set lastmac [LINK::lasthop]
session add uie $sip $lastmac 180
}
Related Information
Valid Events: All
Required AX Release: 2.6.1-GR1 or higher
LINK::nexthop
Returns the MAC address of the next hop.
Syntax
LINK::nexthop
Example:
set info "ethernet { [LINK::lasthop] -> [LINK::nexthop] tag [LINK::vlan_id] }"
log local0. $info
}
Related Information
Valid Events: All
166 of 304


Commands - Load-balancing (LB) Commands
LINK::vlan_id
Returns the VLAN tag of the packet.
Note:
In some cases, the VLAN ID may be unavailable. In these cases a value of

0 will be returned.
Syntax
LINK::vlan_id
Example:
set info "client { [IP::client_addr]:[TCP::client_port] ->
[IP::local_addr]:[TCP::local_port] }"
append info " ethernet "
append info " { [string range [LINK::lasthop] 0 16] -> [string range [LINK::nexthop]
0 16] "
append info "tag [LINK::vlan_id] }"
log local0. $info
}
Related Information
Valid Events: All
Load-balancing (LB) Commands

LB::down
Temporarily marks the current real port down for 30 seconds.
Syntax:
LB::down
Example:
See Example 2 in LB::reselect on page 168.
Related Information
Valid Events:
LB_FAILED, LB_SELECTED

167 of 304

LB::reselect
Reperforms server selection.
Syntax:
LB::reselect [pool <pool-name> [<member>]]
If you use the command without any of the optional parameters, SLB selects
the next available member (server and port) from the same service group
used for the initial server selection.
To specify the service group to use, use the pool <pool-name> option.
If you also use the <member> option, the specified member is selected
from the specified service group.
Notes:
This command applies to Layer 7 traffic only for HTTP and HTTPS.
Failure to execute this command will not always lead the LB_FAILED
event to be triggered.
selection (i.e., node, pool, persist, etc.) will enforce server template limits on the selected server. As a result, new connections that
match a persist uie entry may be unable to use the rport and a default
server selection will occur instead. To prevent default server selection,
use the no def-selection-if-pref-failed command for the
vport.
Example 1:
In this aFleX policy, the HTTP::retry command retries sending a clients request to a service port that replies with an HTTP 5xx status code. If
the first server continues to reply with a 5xx status code after 3 retries, the
LB::reselect command reassigns the client request to another server.
168 of 304


set retry 0
set max_retry 3
set reselect 0
}
when LB_SELECTED {
if { $retry > 0 } {
LB::reselect
incr reselect
}
}
set status [HTTP::status]
if { $retry < $max_retry } {
if { $status starts_with "5" } {
incr retry
HTTP::retry
}
}
}
Example 2:
This aFleX policy is similar to the one above, except the LB::down command in the policy marks the service port down for 30 seconds.
set retry 0
set max_retry 3
}
when HTTP_REQUEST {
log "In HTTP_REQUEST: $retry"
log "End HTTP_REQUEST"
}

169 of 304

when LB_SELECTED {
log "In LB_SELECTED: current retry count = $retry"
if { $retry > 0 } {
log "In LB_RESLECT"
LB::down
LB::reselect
}
log "End LB_SELECTED"
}
log "In HTTP_RESPONSE"
set status [HTTP::status]
log "1,$status"
if { $retry < $max_retry } {
if { $status starts_with "5" } {
log "2,$status"
incr retry
HTTP::retry
}
}
log "End HTTP_RESPONSE"
}
Example 3:
This aFleX policy uses the STATS::get command to retrieve total connection statistics two service groups, then select the service group with
fewer total connections.
After a service group is selected, the policy selects a server from the group.
If a retry occurs, the LB::reselect command selects another server from
the same service group. If the maximum number of retries has already been
reached, the other service group is selected. If both service groups have
reached the maximum number of retries, a third service group is used.
#set initial retires count equal to 0
set retries 0
# variable for the first time
set first 0
# number of retry per pool
set retry_cnt_per_pool 0
# max. number of retry per pool
set max_retry_per_pool 6
170 of 304


# number of pool retry
set num_pool_retry 0
# max. number of pool to retry
set max_pool_retry 1
# Next pool to try
set next_pool "sg-tcp80-2"
# Error status code
set error_code "500"
# Reselect counter
set reselect 0
# Total retry counter
set retry 0
}
when HTTP_REQUEST {
# Get service group 1 status
set group_data_1 [STATS::get pool sg-tcp80-1 total-connection]
# Get service group 1 status
set group_data_2 [STATS::get pool sg-tcp80-2 total-connection]
#Based on the status of each service group to decide which pool the 1st packet should
#go to.
if { $first == 0 } {
if {$group_data_1 > $group_data_2} {
pool "sg-tcp80-2"
set flag "2"
} else {
pool "sg-tcp80-1"
set flag "1"
}
}
log "End HTTP_REQUEST"
}
when LB_SELECTED {
if { $first == 0} {
set first 1
} elseif { $retries < $max_retry_per_pool} {
# select next member in the same pool
LB::reselect
incr reselect
} elseif { $num_pool_retry < $max_pool_retry } {
incr num_pool_retry
set retries 0
# select other pool

171 of 304

if {$flag equals "1"} {
LB::reselect pool sg-tcp80-2
incr reselect
} else {
LB::reselect pool sg-tcp80-1
incr reselect
}
} else {
set traffic [STATS::get pool sg-tcp80-3 member 20.20.20.37 80 current-connection]
if {$traffic < 10000} {
LB::reselect pool sg-tcp80-3 member 20.20.20.37 80
incr reselect
}
}
}
log "In HTTP_RESPONSE"
set r_status [HTTP::status]
if { $r_status starts_with "5" } {
incr retries
# reselect next member or another pool
HTTP::retry
incr retry
}
}
Related Information
Valid Events:
LB_FAILED, LB_SELECTED
LB::server
Returns the results of pool and node selection.
Syntax
LB::server [pool | addr | port]
LB::server returns a Tcl list containing the pool, node, node IP address,
and Layer 4 protocol port selected by SLB. If no server was selected when
the script was executed, or all servers are down, the command returns only
the default pool name.
LB::server pool returns the pool of the currently selected member. If
no server was selected when the script was executed, or all servers are
down, the command returns only the default pool name.
172 of 304


LB::server addr returns the IP address of the currently selected pool
member. If no server was selected when the script was executed, or all servers are down, the command returns null.
LB::server port returns the port of the currently selected pool member. If no server was selected when the script was executed, or all servers
are down, the command returns null.
LB::server name returns the name of the currently selected pool member. If no server was selected when the script was executed, or all servers
are down, the command returns null. This command is available beginning
with AX Release 2.6.2.
Example:
The following script replaces the Host header with a header that contains
the backend servers hostname:
when LB_SELECTED {
switch [LB::server addr] {
"10.0.2.18" {
HTTP::header replace Host server1.example.com
}
"10.0.2.19" {
HTTP::header replace Host server2.example.com
}
}
}
Example:
The following script takes a specified action if all servers in the default pool
are down:
when HTTP_REQUEST {
# Check if the default pool has less than one active member
if { [active_members [LB::server pool]] < 1 } {
[do something]
}
}

173 of 304

Example:
The following script will return the name of the default pool because server
selection has not taken place yet.
# Save the name of the VIP's default pool
set default_pool [LB::server pool]
}
Related Information
Valid Events:
LB_SELECTED, LB_FAILED, SERVER_CONNECTED,
LB_SELECTED, LB_FAILED, SERVER_CONNECTED,
HTTP_REQUEST, HTTP_REQUEST_DATA, CLIENT_ACCEPTED
LB::status node
Returns the health check status of a node.
Syntax
LB::status node <ipaddr>
[port <port-num> {tcp | udp}]
If you specify the node IP address only, the Layer 3 health status of the
server is returned. If you also specify a protocol port and its transport protocol, the health status of the port is also returned. If you use the port option,
the port number and the transport protocol (tcp or udp) also are required.
The health status returned by the command is up or down.
Example:
when HTTP_REQUEST {
if { [LB::status node 10.1.100.222 port 7000 tcp] equals "up"} {
log "*** Server 10.1.100.222 port 7000 is UP! ***"
} else {
log "*** Server 10.1.100.222 port 7000
is DOWN! ***"
}
}
Note:
174 of 304
In AX Release 2.4.3-P2 and later, this command supports using a variable

for the protocol port number. For example, the following is valid:


Example:
set server_ip "192.168.12.101"
set server_port "80"
if { [LB::status node $server_ip port $server_port tcp] equals "up" }
Related Information
Valid Events: All
LB::status pool
Returns the health check status of a pool.
Syntax
LB::status pool <pool_name>
[member <ipaddr> [<port_num>]] [partition shared]
If you specify the pool name only, the health status of the group is returned.
If you also specify a member (node) IP address and, optionally, service port
number, the health status of the specified member or port is returned.
The health status returned by the command is up or down.
Example:
when HTTP_REQUEST {
if { [LB::status pool svcgroup-1 member 10.1.100.222 7000] equals "up"} {
log "member 10.1.100.222 port 7000 of service group svcgroup-1 is UP!"
} else {
log "member 10.1.100.222 port 7000 of service group svcgroup-1 is DOWN!"
}
}
Related Information
Valid Events: All

175 of 304

Commands - HTTP Commands
HTTP Commands
HTTP::close
Inserts a Connection: close header and closes the HTTP connection.
Syntax
HTTP::close
Example:
HTTP::version "0.9"
HTTP::close
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_RESPONSE
HTTP::collect
Collects the amount of data that you specify with the <length> argument.
When the system collects the specified amount of HTTP content data, it
triggers
aFleX
event
HTTP_REQUEST_DATA
or
HTTP_RESPONSE_DATA depending on the data coming from.
You can use this command with the HTTP::request or
HTTP::payload <size> command.
Syntax
HTTP::collect
Collects data. Use caution when omitting the value of the content length.
Doing so can stall the connection.
HTTP::collect [<length>]
Collects the amount of data that you specify with the <length> argument.
Use caution when specifying a value larger than the size of the actual
length. Doing so can stall the connection.
Note:
176 of 304
If you specify length 0, the HTTP_RESPONSE_DATA event is not triggered since no data is collected.

If the <length> option is not used, the ACOS device behaves as follows:
If the packet has an HTTP Content-Length header, the ACOS device
collects as much data as specified by the header, up to the maximum

allowed, 1.25 MB.
If the packet does not have an HTTP Content-Length header, the ACOS
device will keep collecting data until one of the following occurs:
1.25 MB of data is collected (This is the maximum amount that can
be collected.)
A zero-size chunk-encoded packet is received
RST is received from the server
FIN is received from the server
Generally, a packet without a Content-Length header will be a chunkencoded packet.
Notes:
The ACOS device buffers the entire payload before replying to the client. If
the object to be collected is very large, performance can be affected.
The HTTP::collect command is not supported if RAM caching is enabled.
If the HTTP::payload replace command is used in the same aFleX policy as
the HTTP::collect command:
For packets that do not contain chuck-encoded data, the ACOS device
will replace the collected data with the specified string.

For chunk-encoded packets, the command will de-chunk the packet
first, by removing the chunk header and assembling the packet. The
ACOS device will then replace the content with the new string without
re-chunking the payload. The packet received by the client will not be
chunk-encoded.
In the current release, the HTTP::payload replace command only sup-
ports clear text replacement. If the server response is compressed (transfer-encoded, tar, gz, bz, and so on), this feature will not work properly.

177 of 304

If the server does use encoded responses, you can work around this by
using an aFleX policy to remove the Accept-Encoding header from
HTTP requests. For example:
when HTTP_REQUEST {
if { [HTTP::header exist "Accept-Encoding"] }
HTTP::header remove Accept-Encoding

}
}
Note:
Chunk-encoded responses are supported with this command only in AX

Release 2.4.2-P2 or later. Previous to this releases, the command was not
supported for responses that were not chunk encoded and also did not
have a Content-Length header.
The command supports compression only in AX Release 2.4.1 or later.
Example:
if {[HTTP::status] == 205}{
}
}
Related Information
Valid Events
HTTP_REQUEST, HTTP_RESPONSE, HTTP_REQUEST_DATA,
HTTP_RESPONSE_DATA
HTTP::cookie
Queries for or manipulates cookies in HTTP requests and responses. This
command replaces the http_cookie command.
Syntax
HTTP::cookie names
HTTP::cookie count
HTTP::cookie [value] <name> [<string>]
178 of 304


HTTP::cookie insert name <name> value <value>
[path <path>] [domain <domain>]
[version <0 | 1 | 2>]
HTTP::cookie secure <name> [enable|disable]
HTTP::cookie discard <name> [enable|disable]
HTTP::cookie names
HTTP::cookie count
Sets or gets the cookie value of the given name in an HTTP request. You
can omit the keyword "value" from this command if the cookie name does
not collide with any of the other commands.
Sets or gets the cookie domain.
Sets or gets the cookie port lists for V1 cookies.
HTTP::cookie insert name <name> value <value>
[path <path>] [domain <domain>]
[version <0 | 1 | 2>]
Adds or replaces a cookie in an HTTP response. The default value for the
version is 0.
179 of 304

Removes a cookie.
Removes all but the specified attributes from the cookie.
Sets or gets the max-age. Applies to Version 1 cookies only, and applies to
response messages only.
Sets or gets the expires attribute. Applies to Version 0 cookies only. If you
specify the absolute argument, the seconds value represents number of seconds since the UNIX epoch (January 1, 1970). The default number of seconds is relative, which is the number of seconds from the current time.
Applies to response messages only.
Sets or gets the cookie comment. Applicable only to Version 1 cookies, and
applies to response messages only.
HTTP::cookie secure <name> [enable | disable]
Sets or gets the value of the secure attribute. Applies to response messages
only.
Sets or gets the comment URL. Applicable only to Version 1 cookies, and
applies to response messages only.
HTTP::cookie discard <name> [enable | disable]
Sets or gets the value of the discard attribute. Applicable only to Version 2
cookies, and applies to response messages only.
Note:
180 of 304
When both HTTP::cookie and HTTP::header commands modify the same

header, changes made by the HTTP::header command are discarded.


Example:
when HTTP_REQUEST {
if { [HTTP::cookie exists "cookie-name"] } {
set cookie_s [HTTP::cookie "cookie-name"]
HTTP::cookie remove "cookie-name"
HTTP::cookie insert name WLSID value $cookie_s
}
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_RESPONSE
HTTP::fallback
Specifies or overrides the fallback host specified in the HTTP profile.
Syntax
HTTP::fallback <host>
Example:
when LB_FAILED {
HTTP::fallback "http://siteunavailable.mysite.com/"
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_REQUEST_DATA
HTTP::header
Queries for or manipulates an HTTP header.
Syntax
HTTP::header [value] <name>
Returns the value of the HTTP header named <name>. You can omit the
<value> argument if the header name does not collide with any of the subcommands.
HTTP::header names
Returns a list of all the headers present on the request or response.

181 of 304

HTTP::header count
Returns the number of HTTP headers present in the request or response.
HTTP::header at <index>
Returns the HTTP header that the ACOS device finds at the zero-based
index value.
HTTP::header exists <name>
Returns true if the named header is present on the request or response.
HTTP::header insert ["lws"] <name> <value>
Inserts the named HTTP header and its value into the end of the HTTP
request or response. If you specify "lws", the ACOS device adds linear
white space to long header values.
HTTP::header insert ["lws"]
{n1, v1, n2, v2, n3, v3, }
Passes a Tcl list to insert into a header. In such cases, the ACOS device
treats the list as a list of name/value pairs. If you specify "lws", the ACOS
device adds linear white space to long header values.
HTTP::header [value] <name> <string>
Sets the value of the named header. If the header is present, the command
replaces the header; otherwise, the command adds the header. You can omit
the <value> argument if the header name does not collide with any other
values.
HTTP::header replace <name> [<string>]
Replaces the last occurrence of the named header with the string <string>.
This command performs a header insertion if the header was not present.
HTTP::header remove <name>
Removes all headers names with the name <name>.
HTTP::header insert_modssl_fields
[addr | service]
Inserts the HTTP header field ClientIPAddress or ClientTCPService.
Optional arguments for these header fields are addr and service, respectively.
HTTP::header sanitize <header name>+
Removes all but the headers you specify. However, the command does not
remove essential HTTP headers.
This release supports the following new options for the HTTP::header command:
HTTP::header at <index> [nvp]
182 of 304


Returns the HTTP header that the ACOS device finds in at the zero-based
index value. The nvp option returns the entire header as a name-value-pair
(NVP).
HTTP::header values <name>
Returns value(s) of the HTTP header named <name>.
Note:
If there are multiple headers with the same name, the command returns a
list of values for all of the headers. If there is a single value for the HTTP
header, that value will be returned.
Note:
When both HTTP::cookie and HTTP::header commands modify the same

header, changes made by the HTTP::header command are discarded.
Example:
when HTTP_REQUEST {
if { [HTTP::header "Host"] starts_with "andrew" }
pool andrew_pool
} else {
pool main_pool
}
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_REQUEST_SEND, HTTP_RESPONSE
HTTP::host
Returns the host name (and port, if specified) of the HTTP request. This
command replaces the http_host command.
Syntax
HTTP::host
Example:
when HTTP_REQUEST {
HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}
}

183 of 304

Related Information
Valid Events:
HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE
HTTP::is_keepalive
Returns a true value if this is a Keep-Alive connection.
Syntax
HTTP::is_keepalive
Example:
if {[HTTP::is_keepalive]}{
HTTP::close
}
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE,
HTTP_RESPONSE_DATA
HTTP::is_redirect
Returns a true value if the response is a certain type of redirect.
Syntax
HTTP::is_redirect
Example:
if { [HTTP::is_redirect] } {
log local0. "Request redirected."
}
}
184 of 304


Related Information
Valid Events:
HTTP_RESPONSE_DATA
HTTP::method
Returns the type of HTTP request method.
Syntax
HTTP::method
Example:
when HTTP_REQUEST {
log local0. "HTTP Method: [HTTP::method]"
}
Related Information
Valid Events:
HTTP::path
Returns the path part of the HTTP request.
Syntax
HTTP::path [<string>]
Example:
when HTTP_REQUEST {
log local0. "Host - [HTTP::host]"
log local0. "Path - [HTTP::path]"
}
Webmail redirect example:

https://webmail.company.com is redirected to
https://webmail.company.com/exchange.

185 of 304

This is the correct path for exchange. Redirected traffic then passes to the
webmail pool.
when HTTP_REQUEST {
if { [HTTP::path] equals "/" } {
HTTP::redirect "https://[HTTP::host]/exchange/"
#log local0. "redirect"
} else {
pool pool_webmail
#log local0. "using pool "
}
}
Related Information
Valid Events:
HTTP::payload
Queries for or replaces content information. With this command, you can
retrieve content, query for content size, or replace a certain amount of content.
Syntax
HTTP::payload [<size>]
Returns the content that the HTTP::collect command has collected thus far.
If you do not specify a size, the system returns the collected content.
HTTP::payload length
Returns the size of the content that the command has collected thus far, not
including the HTTP headers.
HTTP::payload <offset> <size>
Returns the content that the HTTP::collect command has collected, starting
at <offset> with size equals <size>.
HTTP::payload replace <offset> <size> <string>
Replaces the amount of content that you specified with the <size> argument, starting at <offset> with <string>.
186 of 304


Example:
if {[HTTP::status] == 205}{
}
}
HTTP::respond 200 content [HTTP::payload]
}
regsub -all "oursite" [HTTP::payload] "oursitedev" newdata
log "Replacing payload with new data."
HTTP::release
}
Related Information
Valid Events
HTTP_REQUEST, HTTP_REQUEST_SEND, HTTP_RESPONSE,
HTTP_RESPONSE_DATA
HTTP::query
Returns the query part of the HTTP request.
Syntax
HTTP::query
Example:
when HTTP_REQUEST {
log local0. "http_path [HTTP::path]"
log local0. "http_query [HTTP::query]"
}
Related Information
Valid Events:

187 of 304

HTTP::redirect
Redirects an HTTP request or response to the specified URL.
Note:
This command sends the response to the client immediately. Therefore,

you cannot specify this command multiple times in an aFleX script, nor
can you specify any other commands that modify header or content, after
you specify this command.
Syntax
HTTP::redirect <url>
Example:
}
}
Related Information
Valid Events
HTTP_RESPONSE_DATA
HTTP::release
Releases the collected data. Unless a subsequent HTTP::collect command was issued, there is no need to use the HTTP::release command
inside of the HTTP_REQUEST_DATA and HTTP_RESPONSE_DATA
events, since in these cases, the data is implicitly released.
Syntax
HTTP::release
Example:
regsub -all "oursite" [HTTP::payload] "oursitedev" newdata
log "Replacing payload with new data."
}
188 of 304


Related Information
Valid Events
HTTP_RESPONSE_DATA
HTTP::request
Returns the raw request header string. You can access the request payload
using the HTTP::collect command.
Syntax
HTTP::request
Example:
when HTTP_REQUEST {
# save original request
set req [HTTP::request]
# flag as new request needing lookup
set lookup 1
# inject lookup URI in place of original request
HTTP::uri "/page.aspx?ip=[IP::client_addr]"
# set pool to lookup server pool
pool lookup_server
}
Related Information
Valid Events:
HTTP::request_num
Returns the number of HTTP requests that a client made on the connection.
Syntax
HTTP::request_num
Example:
when HTTP_REQUEST {
log local0. "Request number [HTTP::request_num]"
}

189 of 304

Related Information
Valid Events:
HTTP_RESPONSE_DATA
HTTP::respond
Allows users to generate or rewrite a client request or a server response.
This is a powerful API that allows users to generate or rewrite a client
request or a server response. When the system runs the command on the client side, it sends the response to the client without any load balancing taking
place. If the system runs the command on the server side, the content from
the actual server is discarded and replaced with the information provided to
this API.
Note:
The maximum size response that can be sent using this command is
64 KB.
Note:
Because the system sends the response data immediately after this aFleX
script runs, A10 Networks recommends that you not run any more aFleX
scripts after this API.
Syntax
HTTP::respond <status code>
[content <content Value>]
[<Header name> <Header Value>]+
Example:
To send a redirect with a cookie set.
when HTTP_REQUEST {
set ckname "app"
set ckvalue "893"
set cookie [format "%s=%s; path=/; domain=%s" $ckname $ckvalue
".domain.org"]
HTTP::respond 302 Location "http://www.domain.org" "Set-Cookie" $cookie
}
Or to send an apology page from with in the aFleX.

when HTTP_REQUEST {
HTTP::respond 200 content "<html><head><title>Apology Page</title></
head><body>We are sorry, but the site you are looking for is temporarily out of
service<br>If you feel you have reached this page in error, please try
again.<p></body></html>"
}
190 of 304


Related Information
Valid Events
HTTP_RESPONSE_DATA, LB_FAILED
Note:
The LB_FAILED event is supported for this command in AX Release

2.6.1-GR1 or higher.
HTTP::retry
Resends an HTTP request to the server. This command triggers the
HTTP_REQUEST event.
Note:
This command is supported only for virtual port types HTTP and HTTPS.
They are not supported for fast-HTTP or any of the other virtual port
types.
Syntax:
HTTP:retry
Example:
if { [HTTP::status] equals "503"} {
HTTP::retry
}
}
Related Information
Valid Events:
HTTP_RESPONSE, HTTP_RESPONSE_DATA
HTTP::status
Returns the response status code.
Syntax
HTTP::status

191 of 304

Example:
}
}
Related Information
Valid Events:
HTTP_RESPONSE, HTTP_RESPONSE_DATA
HTTP::stream
Replaces the specified string of an HTTP response.
Note:
In the current release, this command can perform up to 32 instances of

multiple string replacements.
Output Format
The content returned by the server can be of either a content-length or chunked header format. Regardless of whether the response from the server has a
content-length or chunk-encoded header, the response format after string
replacement is always chunk-encoded (a Transfer-Encoding: chunked
header).
Syntax
HTTP::stream replace <old_string> <new_string>
Example:
HTTP::stream replace "abc" "ABC"
HTTP::stream replace "x" "XYZ"
}
Related Information
Valid Events:
HTTP_RESPONSE
192 of 304


HTTP::uri
Returns or sets the URI of the request. This command replaces the
http_uri command.
Syntax
HTTP::uri <string>
The URI string does not include the protocol (http or https) or hostname,
just the path, starting with the slash after the hostname.
HTTP::uri <string>
Changes the URI passed to the server. It should always start with a slash.
Example:
when HTTP_REQUEST {
if { [HTTP::uri] ends_with "cgi" } {
pool cgi_pool
} elseif { [HTTP::uri] starts_with "/abc" } {
pool abc_servers
}
}
Make uri path start with /prefix if it doesn't already

when HTTP_REQUEST {
if { not ([HTTP::uri] starts_with "/prefix") } {
HTTP::uri /prefix[HTTP::uri]
}
}
Related Information
Valid Events:

193 of 304

HTTP::version
Returns or sets the HTTP version of the request or response. This command
replaces the http_version command.
Syntax
HTTP::version ["0.9" | "1.0" | "1.1"]
Example:
HTTP::version "1.1"
}
Related Information
Valid Events:
HTTP_RESPONSE_DATA
194 of 304


Commands - Compression Commands
Compression Commands
COMPRESS::disable
Disables compression for the current HTTP response.
Syntax
COMPRESS::disable
Example:
COMPRESS::disable
}
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_RESPONSE, HTTP_RESPONSE_DATA
COMPRESS::enable
Enables compression for the current HTTP response.
Syntax
COMPRESS::enable
Example:
when HTTP_REQUEST {
COMPRESS::enable
}
}
Related Information
Valid Events:

195 of 304

Commands - AES Commands
COMPRESS::gzip
Sets the compression level for HTTP compression.
Setting the compression level to a higher value results in more HTTP
compression, at a greater CPU cost. Additional CPU usage can outweigh
the benefit of a higher level. For example, setting compression to level 6
can provide equivalent performance to level 9. For best performance, A10
Networks recommends setting compression to level 1.
Note:
Syntax
COMPRESS::gzip level <level>
The <level> can be 1-9.
Example:
when HTTP_REQUEST {
COMPRESS::gzip level 9
}
Related Information
Valid Events:
AES Commands
Commands for performing Advanced Encryption Standard (AES) operations.
AES::decrypt
Decrypts data using an AES key.
Syntax
AES::decrypt <key> <data>
196 of 304


Example:
when HTTP_REQUEST {
set key [AES::key password 256]
set decryptedData [AES::decrypt $key $encryptedData]
log local0. "The decrypted data is $decryptedData"
}
Related Information
Valid Events: All
AES::encrypt
Encrypts data using an AES key.
Syntax
AES::encrypt <key> <data>
Example:
when SERVER_DATA {
set encryptedData [AES::decrypt $key [TCP::payload]]
log local0. "The encrypted data is $encryptedData"
}
Related Information
Valid Events: All

197 of 304

AES::key
Creates a random key to use for encrypting/decrypting data using AES.
The key returned has the following format:
<8-byte-header><16-byte-IV><16/24/32-byte-key>
The 8-byte header is of the form AES xxx where xxx is 128, 192, or 256.
The resulting key file can be 40, 48, or 56 bytes long.
Syntax
AES::key <passphrase> [256 | 192 | 128]
The [256 | 192 | 128] option specifies the key length, in bits. The
default is 128.
Example:
when SERVER_DATA {
set encryptedData [AES::decrypt $key [TCP::payload]]
log local0. "The encrypted data is $encryptedData"
}
Related Information
Valid Events: All
198 of 304


Commands - IP Commands
IP Commands
IP::addr
Performs comparison of IP address/subnet/supernet to IP address/subnet/
supernet. Returns 0 if no match, 1 for a match.
Note:
This command does NOT perform a string comparison. To perform a literal string comparison, simply compare the 2 strings with the appropriate
operator (equals, contains, starts_with, and so on) rather than using the
IP::addr comparison.
Syntax
IP::addr <addr1>[/<mask>] equals <addr2>[/<mask>]
IP::addr
Example:
To perform comparison of IP address 10.10.10.1 with subnet 10.0.0.0/8.
(Will return 1, since it is a match.)
[IP::addr 10.10.10.1 equals 10.0.0.0/8]
To perform comparison of client-side IP address with subnet 10.0.0.0/8.
(Will return 1 or 0, depending on client IP address.)
[IP::addr [IP::client_addr] equals 10.0.0.0/8]
To select a specific pool for a specific client IP address.
pool my_pool
}
}
Related Information
Valid Events: All

199 of 304

IP::client_addr
Returns the client IP address of a connection. This command is equivalent
to the command clientside { IP::remote_addr }.
Syntax
IP::client_addr
Example:
pool my_pool
}
}
Related Information
Valid Events:
CLIENT_ACCEPTED, CLIENT_CLOSED, HTTP_REQUEST,
HTTP_RESPONSE, HTTP_RESPONSE_DATA, LB_SELECTED,
SERVER_CONNECTED
IP::local_addr
This command is primarily useful for generic rules that are re-used. Also, it
is useful in reusing the connected endpoint in another statement or to make
routing type decisions. You can also specify the IP::client_addr and
IP::server_addr commands.
Syntax
IP::local_addr
Returns the IP address of the AX being used in the connection. In the clientside context, this is the destination IP address (virtual IP address). In the
serverside context, this is the source IP address (SNAT address if SNAT is
used, else spoofed client IP address).
200 of 304


Example:
if { [IP::addr [IP::local_addr] equals 172.16.32.2] } {
pool deprecated_site
} else {
pool current_site_pool
}
}
log local0. "Source IP address for connection to node: [IP::local_addr]"
}
Related Information
Valid Events:
SERVER_CLOSED, SERVER_CONNECTED
IP::protocol
Returns the IP protocol value.
Syntax
IP::protocol
Example:
if { [IP::protocol] == 6 } {
pool tcp_pool
} else {
pool slow_pool
}
}
Related Information
Valid Events:
CLIENT_ACCEPTED

201 of 304

IP::remote_addr
Returns the IP address of the host on the far end of the connection. In the
clientside context, this is the client IP address. In the serverside context this
is the node IP address. You can also specify the IP::client_addr and
IP::server_addr commands, respectively.
Syntax
IP::remote_addr
Example:
if { [IP::addr [IP::remote_addr] equals 206.0.0.0/255.0.0.0] } {
pool clients_from_206
} else {
pool other_clients_pool
}
}
log local0. "Node IP address is: [IP::remote_addr]"
}
Related Information
Valid Events:
IP::server_addr
Returns the servers (nodes) IP address, once a serverside connection has
been established. This command is equivalent to the command serverside
{IP::remote_addr}. The command returns 0 if the serverside connection has
not been made.
Syntax
IP::server_addr
Example:
log local0. "Node IP address: [IP::server_addr]"
}
202 of 304


Related Information
Valid Events:
HTTP_REQUEST_SEND, HTTP_RESPONSE, LB_SELECTED,
IP::stats
Supplies information about the number of packets or bytes being sent or
received in a given connection.
Syntax
IP::stats pkts in
Returns number of packets received
IP::stats pkts out
Returns number of packets sent
IP::stats pkts
Returns a Tcl list of packets in and packets out
IP::stats bytes in
Returns number of bytes received
IP::stats bytes out
Returns number of bytes sent
IP::stats bytes
Returns Tcl list of bytes in and bytes out
Related Information
Valid Events: All
IP::tos
Selects a different pool of servers based on the ToS level within a packet.
The Type of Service (ToS) standard is a means by which network equipment
can identify and treat traffic differently based on an identifier. As traffic
enters the site, the ACOS device can apply a rule that sends the traffic to different pools of servers based on the ToS level within a packet.
Note:
This command replaces the ip_tos command.

203 of 304

Syntax
IP::tos
Selects a different pool of servers based on the ToS level within a packet.
Example:
if { [IP::tos] == 16 } {
pool telnet_pool
} else {
pool slow_pool
}
}
Related Information
Valid Events:
CLIENT_ACCEPTED
IP::ttl
Returns the TTL of the current packet being acted upon.
Syntax
IP::ttl
Example:
if { [IP::ttl] < 3 } {
drop
}
}
Related Information
Valid Events:
CLIENT_ACCEPTED
204 of 304


Commands - DNS Commands
IP::version
Returns the version of the current packet being acted upon.
Syntax
IP::version
Example:
if {[IP::version] eq 6} {
pool ipv6_pool
} else {
pool ipv4_pool
}
}
Related Information
Valid Events:
CLIENT_ACCEPTED
DNS Commands
DNS::additional
Returns, inserts, removes, or clears RRs from the Additional section. With
no arguments, gets a tcl list of RR objects. With an argument, inserts/
removes RR tcl objects in the Additional section or clears all RRs from the
Additional section.
Syntax
DNS::additional [[insert | remove rr_obj] | clear]
Related Information
Valid Events:
DNS_REQUEST, DNS_RESPONSE

205 of 304

DNS::answer
Returns, inserts, removes, or clears RRs from the Answer section. With no
arguments, gets a tcl list of RR objects. With an argument, inserts/removes
RR tcl objects in the Answer section or clears all RRs from the Answer section.
Syntax
DNS::answer [[insert | remove rr_obj] | clear]
Example:
when DNS_RESPONSE {
set rr [DNS::rr google.com 149 IN A 74.125.224.222]
DNS::answer insert $rr
set rrs [DNS::answer]
log "rrs = '$rrs'"
}
Example:
when DNS_RESPONSE {
set i 0
foreach rr $rrs {
log "i = $i rr = '$rr'"
incr i
}
set rr1 [lindex $rrs 0]
log "remove rr1 = '$rr1'"
DNS::answer remove $rr1
set k 0
foreach rr [DNS::answer] {
log "k = $k rr = '$rr'"
incr k
}
}
Related Information
Valid Events:
206 of 304


DNS::authority
Returns, inserts, removes, or clears RRs from the Authority section. With no
arguments, gets a tcl list of RR objects. With an argument, inserts/removes
RR tcl objects in the Authority section or clears all RRs from the Authority
section.
Syntax
DNS::authority [[insert | remove rr_obj] | clear]
Example:
The following script changes the TTL of all Answer records and adds
a glue record.
when DNS_RESPONSE {
foreach rr $rrs {
DNS::ttl $rr 1234
}
set new_rr [DNS::rr "webserv1.yahoo.com. 88 IN A 1.2.3.4"]
DNS::additional insert $new_rr
}
Example:
when DNS_RESPONSE {
set i 0
foreach rr $rrs {
log " i = $i rr ='$rr'"
incr i
}
set rrs2 [DNS::authority]
set j 0
foreach rr2 $rrs2 {
log "j = $j rr2 = '$rr2'"
incr j
}
DNS::authority clear
}
when DNS_RESPONSE {
set rrs2 [DNS::authority]
set rr2 [lindex $rrs2 1]
DNS::authority remove $rr2
}

207 of 304

Related Information
Valid Events:
DNS::header
Gets or sets simple bits or byte fields. Return value is always an integer
except for successful recognition of the rcode or opcode fields, where a
string is returned.
The rcode can be one of the following:
NOERROR
FORMERR
SERVFAIL
NXDOMAIN
NOTIMPL
REFUSED
YXDOMAIN
YXRRSET
NXRRSET
NOTAUTH
NOTZONE
The opcode can be one of the following:

QUERY
IQUERY
STATUS
NOTIFY
UPDATE
208 of 304


Syntax
DNS::header
<id | qr | opcode | aa | tc | rd | ra | ad | cd |
rcode> [value]
Returns a read-only value.
DNS::header
<qdcount | ancount | nscount | arcount> [value]
Example:
These log statements can be used to see all questions and responses:
when DNS_REQUEST {
# debugging statement see all questions and request details
log local0. "Client: [IP::client_addr] Question:[DNS::question name]
Type:[DNS::question type] Class:[DNS::question class] Origin:[DNS::origin]"
set fqdn [DNS::question name]
}
when DNS_RESPONSE {
# debugging statement to see all questions and response details
log local0. "Request: $fqdn Answer: [DNS::answer] Origin:[DNS::origin] Status:
[DNS::header rcode] Flags: RD [DNS::header rd] RA [DNS::header ra]"
}
Example:
when DNS_REQUEST {
log "query id [DNS::header id] qr: [DNS::header qr] opcode: [DNS::header
opcode]"
}
when DNS_RESPONSE {
log "qr: [DNS::header qr] rcode: [DNS::header rcode] ra: [DNS::header ra]"
}
Related Information
Valid Events:

209 of 304

DNS::len
Returns the DNS packet message length.
Syntax
DNS::len
Example:
when DNS_REQUEST {
set len [DNS::len]
}
Example:
when DNS_RESPONSE {
set len [DNS::len]
log "dns reply pkt len = $len"
}
Related Information
Valid Events:
DNS::query
Returns a tcl list of RR tcl objects lists, one for each section: Answer,
Authority, and Additional.
Constructs and sends a query to the DNS-Express database for a name and
type (IN class only).
Syntax
DNS::query <target> <name> <type> [dnssec]
The <target> can be dnsx.
The <name> is the FQDN (for example, www.example.com).
The <type> specifies the record type (A, AAA, MX, NPTR, and so on).
210 of 304


The dnssec option gets DNSSEC data.
Example:
The following script inserts a DNS Express response.
when DNS_RESPONSE {
set rrsl [DNS::query dnsx nameserver.org SOA]
foreach rrs $rrsl {
foreach rr $rrs {
if { [DNS::type $rr] equals "SOA" } {
DNS::additional insert $rr
}
}
}
}
Related Information
Valid Events:
DNS::question
Gets or sets the question field value.
Note:
A question RR has no rdata and only requests with qdcount == 1 are

accepted. The return types for name, type, and class are all strings. Type
returns/accepts any of the valid DNS types defined in the RFCs. The class
returns/accepts IN, CH, and HS.
Syntax
DNS::question <name | type | class> [value]

211 of 304

Example:
when DNS_REQUEST {
if {[DNS::question name] contains www.domain1.com}{
log query name: [DNS::question name]
DNS::question name www.domain2.com
}
}
when DNS_RESPONSE {
if {[DNS::question name] contains www.domain2.com}{
log response query name: [DNS::question name]
DNS::question name www.domain1.com
}
}
Related Information
Valid Events:
DNS::class
Gets or sets the resource record class field (IN, CH, HS, and so on).
Syntax
DNS::class <rr_obj> [value]
Example:
when DNS_RESPONSE {
set old_class [DNS::type $rr]
DNS::class $rr "HS"
}
Related Information
Valid Events:
212 of 304


DNS::name
Gets or sets the resource record name field (FQDN); for example,
www.example.com.
Syntax
DNS::name <rr_obj> [value]
Example:
when DNS_RESPONSE {
set old_name [DNS::name $rr]
DNS::name $rr "yahoo.com"
}
Related Information
Valid Events:
DNS::rdata
Gets or sets the resource record rdata field.
Syntax
DNS::rdata <rr_obj> [value]
Example:
when DNS_RESPONSE {
set old_rdata [DNS::rdata $rr]
DNS::rdata $rr "10.1.1.100"
}

213 of 304

Related Information
Valid Events:
DNS::rr
Creates a new resource record object with the specified attributes or as a
complete string.
Syntax
DNS::rr <name> <type> <class> <ttl> <rdata...> |
<string>>
The <name> is the FQDN (for example, www.example.com).
The <type> specifies the record type (A, AAA, MX, NPTR, and so on).
The <class> specifies the DNS class (IN, CH, HS, and so on).
The <rdata> value depends on the type of RR. For example for an A
record, the <rdata> will be an IP address (X.X.X.X).
Example:
when DNS_RESPONSE {
set rr [DNS::rr www.domain1.com 149 IN A 255.255.255.255]
log rr = $rr
}
when DNS_RESPONSE {
set name [DNS::question name]
set rr1 [DNS::rr $name IN CNAME vip.a10.com]
DNS::answer insert $rr1
}
Related Information
Valid Events:
214 of 304


DNS::ttl
Gets or sets the resource record TTL field.
Syntax
DNS::ttl <rr_obj> [value]
Example:
The following script removes SOA records from the Answer section.
when DNS_RESPONSE {
foreach rr $rrs {
if { [DNS::type $rr] equals "SOA" } {
DNS::answer remove $rr
}
}
}
Example:
when DNS_RESPONSE {
set old_ttl [DNS::type $rr]
DNS::ttl $rr 200
}
Related Information
Valid Events:
DNS::type
Gets or sets the resource record type field (A, AAAA, MX, NPTR, and so
on).
Syntax
DNS::type <rr_obj> [value]

215 of 304

Example:
when DNS_RESPONSE {
set old_type [DNS::type $rr]
DNS::type $rr "CNAME"
}
Related Information
Valid Events:
DNS::return
Skips all further processing after tcl execution and sends the DNS packet in
the opposite direction.
Syntax
DNS::return
Example:
when DNS_REQUEST {
if { [DNS::question name] contains "a10.com" } {
DNS::header qr 1
DNS::header ra 1
set name [DNS::question name]
set rr1 [DNS::rr $name 65000 IN CNAME vip.a10.com]
DNS::answer insert $rr1
DNS::return
}
}
Related Information
Valid Events:
216 of 304


DNS::cache
Controls the DNS cache access and update for the current DNS session.
Syntax
DNS::cache <enable | disable>
Enables or disables the DNS cache for the current DNS session.
Note:
This command is only effective when global DNS cache or a DNS cache
template is enabled.
DNS::cache update
Updates the DNS cache with content changed through aFleX.
If a DNSSEC query, bypass the cached response.
Example:
when DNS_REQUEST {
if {[DNS::is_dnssec]} {
log "This is DNSSEC request!"
DNS::cache disable
}
}
Update the DNS cache with an aFleX change.
Example:
when DNS_RESPONSE {
DNS::answer remove $rr1
DNS::cache update
}
Related Information
Valid Events:

217 of 304

DNS::is_dnssec
Checks for a DNSSEC query or reply.
Syntax
DNS::is_dnssec
Returns a value of 1 if true, and 0 if false.
Example:
when DNS_REQUEST {
}
}
Related Information
Valid Events:
DNS::opt
Gets or sets the parameters of a DNS OPT record. If there is no OPT record
in the DNS content, the return value is NULL for get commands.
Syntax
DNS::opt do [value]
Gets or sets the DO value for DNSSEC in an OPT record.
DNS::opt udpsize [value]
Gets or sets the UDP size value in an OPT record.
DNS::opt rcode [value]
Gets or sets the extended RCODE value in an OPT record.
DNS::opt version [value]
Gets or sets the version in an OPT record.
218 of 304


Example:
when DNS_REQUEST {
log "The UDP bufsize = [DNS::opt udpsize]"
}
}
when DNS_RESPONSE {
if {[DNS::opt do]} {
DNS::opt udpsize 8196
}
}
Related Information
Valid Events:
DNS Example
The following script uses some of the DNS commands described above to
perform DNS blackholing of malware sites.
When a user sends a query, the script inspects the destination. The the destination matches a list of well-known malware domains, the script returns the
address of an internal site where remediation, or at least notification, can
take place. In either event, the request is not sent to the malicious destination. The user and organization are protected.
The black-listed domains can be imported into a class list. You can import
black-listed domains from the big list at the following site: mirror1.malwaredomains.com
Here is an example class list:
class-list Blacklist string
str .abbcp.cn type1
str .3dglases-panasonic-tv.com type2
The first field is the domain, and the second field is a type description. The
first will match your traffic, the second is strictly for classification purposes
and can be edited as necessary.
219 of 304

when RULE_INIT {
# Set IPV4 address that is returned for Blacklist matches for A records
set static::BL_reply_IPV4 "10.10.20.50"
# Set TTL used for all Blacklisted replies
set static::BL_ttl "300"
}
when DNS_REQUEST {
# BL_Match is used to track when a Query matches the blacklist
# (always set to 0 or false at beginning of the DNS request)
set BL_Match 0
# BL_Type is used to track why this FQDN was added to the BL_Class
set BL_Type ""
# When FQDN from DNS Query is checked against the Blacklist class
# the FQDN must start with a period. This ensures we match a FQDN and
# all names to the left of it. Prevents malware from dynamically
# prepending characters to the domain name to bypass exact matches
if {!([DNS::question name] equals ".")} {
set fqdn .[DNS::question name]
}
if { [CLASS::match $fqdn ends_with Blacklist] } {
# Client made a DNS request for a Blacklisted site.
set BL_Match 1
set BL_Type [CLASS::match $fqdn ends_with Blacklist value]
# Prevent processing by listener's pool. (To ensure we don't request
# a prohibited site and allow their server to track the source IP)
DNS::return
}
}
when DNS_RESPONSE {
if { $BL_Match } {
# This DNS request was for a Blackhole FQDN. Take different actions based on the
request type.
switch [DNS::question type] {
"A"
{
# Clear out any DNS responses and insert the custom response. RA header =
recursive answer
DNS::answer clear
DNS::answer insert "[DNS::question name]. $static::BL_ttl [DNS::question
class] [DNS::question type] $static::BL_reply_IPV4"
DNS::header ra "1"
220 of 304


# log example:
#
Blacklist: 10.1.1.148#4902 requested foo.com query type: A class IN Aresponse: 10.1.1.60
log -noname local0. "Blacklist: [IP::client_addr]#[UDP::client_port]
requested [DNS::question name] query type: [DNS::question type] class [DNS::question
class] A-response: $static::BL_reply_IPV4 BH type: $BL_Type"
}
"AAAA"
{
# Code to handle IPv6 in a similar manner omitted for clarity
...
}
default {
# For other record types, e.g. MX, NS, TXT, etc, provide a blank NOERROR
response
DNS::last_act reject
# log example:
#
Blacklist: 10.1.1.148#4902 requested foo.com query type: A class IN
unable to respond
log -noname local0. "Blackhole: [IP::client_addr]#[UDP::client_port]
requested [DNS::question name] query type: [DNS::question type] class [DNS::question
class] unable to respond BH type: $BL_Type"
}
}
}
}

221 of 304

Commands - SIP Commands
SIP Commands
SIP::call_id
Returns the value of the Call-ID header in a SIP request.
Syntax
SIP::call_id
Example:
See SIP Command Examples on page 227.

Related Information
Valid Events:
SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE
SIP::from
Returns the value of the From header in a SIP request.
Syntax
SIP::from
Example:

Related Information
Valid Events:
SIP::header
Returns SIP header header-name.
Syntax
SIP::header [<value>] header-name [<index>]
The <value> option specifies the header value. The <index> option indicates the header to act upon, in cases where there are multiple header levels.
Without the <index> option, the first instance of the header is acted upon by
the aFleX policy.
222 of 304


Example:

Related Information
Valid Events:
SIP::header insert
Inserts the specified SIP header-name:header-value pair at position
<index>.
Syntax
SIP::header insert header-name header-value
<index>
If you do not specify the <index>, the header is inserted prior to any preexisting header of the same name and value. If no such header exists, a
via header is inserted at the head of the SIP headers, and others are
inserted at the tail.
Example:

Related Information
Valid Events:
SIP::method
Returns the type of the SIP request method.
Syntax
SIP::method
Example:

Related Information
Valid Events:

223 of 304

SIP::respond
Sends back a response with the specified code, phrase, and headername:header-value pair.
Syntax
SIP::respond code <"phrase" <"header-name"
"header-value">>
Example:

Related Information
Valid Events:
SIP::response
Gets the SIP response code or response phrase, or rewrites the response
code and phrase, if specified.
Syntax
SIP::response code
Gets the SIP response code.
SIP::response phrase
Gets the response phrase.
SIP::response rewrite code <phrase>
Rewrites the response code and phrase, if specified.
Example:

Related Information
Valid Events:
224 of 304


SIP::to
Returns the value of the To header in the SIP request.
Syntax
SIP::to
Example:

Related Information
Valid Events:
SIP::uri
Syntax
SIP::uri
Example:

Related Information
Valid Events:
SIP::via
Gets SIP via information.
Syntax
SIP::via [<index>]
Gets the information in the SIP via header. If you specify the <index>,
SIP::via proto [<index>]
Gets the protocol part of the SIP via at the specified index level. If you
specify the <index>, only the information at the specified index level is
returned.

225 of 304

SIP::via sent_by [<index>]
Gets the sent_by part of the SIP via at the specified index level. If you
returned.
SIP::via received [<index>]
Gets the retrieved attribute of the SIP via at the specified index level. If
you specify the <index>, only the information at the specified index
level is returned.
SIP::via branch [<index>]
Gets the branch attribute of the SIP via at the specified index level. If
you specify the <index>, only the information at the specified index
level is returned.
SIP::via maddr [<index>]
Gets the maccadr attribute of the SIP via at the specified index level.
SIP::via ttl [<index>]
Gets the TTL attribute of the SIP via at the specified index level. If you
returned.
Example:

Related Information
Valid Events:
226 of 304


SIP Command Examples

Example 1:
when SIP_REQUEST {
if { [SIP::method] contains "SUBSCRIBE" } {
log "*****************
SIP-REQUEST
*******************"
log "SIP::call_id is [SIP::call_id]"

log "---------------------------------------------------"
log "SIP::from is [SIP::from]"
log "---------------------------------------------------"
log "SIP::header Via [SIP::header Via]"
log "SIP::header Via value index0 [SIP::header value Via 0]"
log "SIP::header Via index9 [SIP::header Via 9]"
log "SIP::header From [SIP::header From]"
log "SIP::header value From index0 [SIP::header value From 0]"
log "SIP::header From index9 <not exist> [SIP::header From 9]"
log "SIP::header To [SIP::header To]"
log "SIP::header To index0 [SIP::header To 0]"
log "SIP::header value To index9 <not exist> [SIP::header value To 9]"
log "SIP::header Call-ID [SIP::header Call-ID]"
log "SIP::header value Call-ID index0 [SIP::header value Call-ID 0]"
log "SIP::header value Call-ID index9 <not exist> [SIP::header value CallID 9]"
log "SIP::header CSeq [SIP::header CSeq]"
log "SIP::header CSeq value index0 [SIP::header value CSeq 0]"
log "SIP::header CSeq index9 <not exist> [SIP::header CSeq 9]"
log "SIP::header Contact [SIP::header Contact]"
log "SIP::header value Contact index0 [SIP::header value Contact 0]"
log "SIP::header Contact index9 <not exist> [SIP::header Contact 9]"
log "SIP::header Max-Forwards [SIP::header Max-Forwards]"
log "SIP::header Event [SIP::header Event]"
log "SIP::header User-Agent [SIP::header User-Agent]"
log "SIP::header Expires [SIP::header Expires]"
log "SIP::header Allow [SIP::header Allow]"
log "SIP::header Accept [SIP::header Accept]"
log "SIP::header Content-length [SIP::header Content-length]"

227 of 304

log "SIP::header abc <not valid header> [SIP::header abc]"
log "---------------------------------------------------"
SIP::header remove Via
log "SIP::header remove Via [SIP::header Via]"
SIP::header remove From
log "SIP::header remove From [SIP::header From]"
log "---------------------------------------------------"
log "SIP::header Via 0 (request) [SIP::header Via 0]"

log "SIP::response code [SIP::response code]"
SIP::header insert Via "SIP/10.0/UDP
ss.under.test.com:5070;maddr=3ffe:501:ffff:50::51;ttl=1;branch=z9hG4bK721e418c
4.1" 10
SIP::header insert event "SIP/2.0/UDP

ss.under.test.com:5070;maddr=3ffe:501:ffff:50::51;ttl=1;branch=z9hG4bK721e418c
4.1;received=3ffe:501:ffff:50::50" 1 #
log "Event 0 is [SIP::header
event]"
SIP::header insert From "<sip:218@mysip.com>;tag=1043119751"
log "SIP::header insert From index1 [SIP::header From]"
171.1.1.217:5060;rport;branch=z9hG4bk11229103"
log "SIP::header insert Via [SIP::header Via]"
log "SIP::header From(2) [SIP::header From]"
log "SIP::header insert xyz index9 [SIP::header insert xyz "x y z" 9]"
log "---------------------------------------------------"
log "SIP::method [SIP::method]"
log "---------------------------------------------------"
SIP::respond 401 "no way" From "future"
log "---------------------------------------------------"
log "SIP::response [SIP::response code]"
log "SIP::response phase [SIP::response phrase]"
228 of 304


SIP::response rewrite 402 "no xxx"
log "SIP::response rewrite code phrase [SIP::response code]"
log "---------------------------------------------------"
log "SIP::to [SIP::to]"
log "---------------------------------------------------"
log "SIP::uri [SIP::uri]"
log "---------------------------------------------------"
log "SIP::via [SIP::via]"
log "SIP::via index0 [SIP::via 0]"
log "SIP::via proto [SIP::via proto]"
log "SIP::via proto index0 [SIP::via proto 0]"
log "SIP::via sent_by [SIP::via sent_by]"
log "SIP::via sent_by index0 [SIP::via sent_by 0]"
log "SIP::via received [SIP::via received]"
log "SIP::via received index0 [SIP::via received 0]"
log "SIP::via branch [SIP::via branch]"
log "SIP::via branch index0 [SIP::via branch 0]"
log "SIP::via maddr [SIP::via maddr]"
log "SIP::via maddr index0 [SIP::via maddr 0]"
log "SIP::via ttl [SIP::via ttl]"
log "SIP::via ttl index0 [SIP::via ttl 0]"
}
}

229 of 304

Example 2:
when SIP_RESPONSE {
if { [SIP::response code] equals "401" } {
SIP::response rewrite 411 Phrase_Unauthorized
log "SIP::response phrase [SIP::response phrase]"}
SIP::response rewrite 511 Phrase_Not_Implemented
SIP::response rewrite 210 okok
}
Example 3:
when SIP_REQUEST_SEND {
if { [SIP::method] contains "SUBSCRIBE" } {
log "*****************
SIP-REQUEST-SEND
*******************"
log "SIP::header Via 1 (request_sent) [SIP::header Via 1]"
log "SIP::call_id is [SIP::call_id]"

log "---------------------------------------------------"
log "SIP::from is [SIP::from]"
log "---------------------------------------------------"
log "SIP::header Via [SIP::header Via]"
log "SIP::header Via value index0 [SIP::header value Via 0]"
log "SIP::header Via index9 [SIP::header Via 9]"
log "SIP::header value From index0 [SIP::header value From 0]"
log "SIP::header From index9 <not exist> [SIP::header From 9]"
log "SIP::header To [SIP::header To]"
log "SIP::header To index0 [SIP::header To 0]"
230 of 304


log "SIP::header value To index9 <not exist> [SIP::header value To 9]"
log "SIP::header Call-ID [SIP::header Call-ID]"
log "SIP::header value Call-ID index0 [SIP::header value Call-ID 0]"
log "SIP::header value Call-ID index9 <not exist> [SIP::header value CallID 9]"
log "SIP::header CSeq [SIP::header CSeq]"
log "SIP::header CSeq value index0 [SIP::header value CSeq 0]"
log "SIP::header CSeq index9 <not exist> [SIP::header CSeq 9]"
log "SIP::header Contact [SIP::header Contact]"
log "SIP::header value Contact index0 [SIP::header value Contact 0]"
log "SIP::header Contact index9 <not exist> [SIP::header Contact 9]"
log "SIP::header Max-Forwards [SIP::header Max-Forwards]"
log "SIP::header Event [SIP::header Event]"
log "SIP::header User-Agent [SIP::header User-Agent]"
log "SIP::header Expires [SIP::header Expires]"
log "SIP::header Allow [SIP::header Allow]"
log "SIP::header Accept [SIP::header Accept]"
log "SIP::header Content-length [SIP::header Content-length]"
log "SIP::header abc <not valid header> [SIP::header abc]"
log "---------------------------------------------------"
SIP::header remove Via
log "SIP::header remove Via [SIP::header Via]"

SIP::header remove abc
log "SIP::header remove index To [SIP::header abc]"
log "---------------------------------------------------"
SIP::header insert From "<sip:218@mysip.com>;tag=1043119751"
log "SIP::header insert From index1 [SIP::header From]"
171.1.1.217:5060;rport;branch=z9hG4bk11229103"

231 of 304

log "SIP::header insert Via [SIP::header Via]"
log "SIP::header From(2) [SIP::header From]"
log "SIP::header insert xyz index9 [SIP::header insert xyz "x y z" 9]"
log "---------------------------------------------------"
log "SIP::method [SIP::method]"
log "---------------------------------------------------"
SIP::respond 401 "no way" From "future"
log "---------------------------------------------------"
log "SIP::response [SIP::response code]"
log "SIP::response phase [SIP::response phrase]"
SIP::response rewrite 402 "no xxx"
log "SIP::response rewrite code phrase [SIP::response code]"
log "---------------------------------------------------"
log "SIP::to [SIP::to]"
log "---------------------------------------------------"
log "SIP::uri [SIP::uri]"
log "---------------------------------------------------"
log "SIP::via [SIP::via]"
log "SIP::via proto [SIP::via proto]"
log "SIP::via sent_by [SIP::via sent_by]"
log "SIP::via received [SIP::via received]"
log "SIP::via branch [SIP::via branch]"
log "SIP::via maddr [SIP::via maddr]"
log "SIP::via ttl [SIP::via ttl]"
}
}
232 of 304


Commands - Policy-Based SLB Commands
Policy-Based SLB Commands

POLICY::bwlist id
Returns the group ID associated with an IP address in a black/white list.
Syntax
POLICY::bwlist id <ip> [<bwlist_name>]
Specifying a black/white list name is optional. If you specify a list name, the
ACOS device looks in the specified list. If you do not specify a list name,
the ACOS device looks in the black/white list that is bound to the same virtual port to which the aFleX policy is bound.
Example:
when HTTP_REQUEST {
set client_addr [IP::client_addr]
set group_id [ POLICY::bwlist id $client_addr ]
set bwfile_group_id [ POLICY::bwlist id $client_addr bwfile ]
if { $group_id equals 10 } {
pool sg1
} elseif { $bwfile_group_id equals 20 } {
pool sg2
} else {
reject
}
}
Related Information
Valid Events: All

233 of 304

Commands - RAM Caching Commands
RAM Caching Commands

CACHE::age
Returns the age of a cached object. The age is the number of seconds the
object has been in the cache.
Syntax
CACHE::age
Example:
if { [CACHE::age] > 60 } {
CACHE::expire
log local0. "Expiring content: Age > 60 seconds"
}
}
Related Information
Valid Events:
CACHE_REQUEST, CACHE_RESPONSE
CACHE::disable
Disables caching for the current HTTP request.
Syntax
CACHE::disable
Example:
when HTTP_REQUEST {
if { not ([HTTP::uri] contains "images") } {
CACHE::disable
}
}
234 of 304


Related Information
Valid Events:
HTTP_REQUEST, HTTP_RESPONSE, CACHE_REQUEST,
CACHE_RESPONSE
CACHE::enable
Forces caching of an object.
Syntax
CACHE::enable [<age>]
The age option specifies how long (in seconds) the object should be
cached. If you do not specify an age, the age specified in the RAM caching
template is used.
Example:
when HTTP_REQUEST {
if { [HTTP::uri] contains "images" } {
CACHE::enable 10000
}
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_RESPONSE, CACHE_REQUEST,
CACHE_RESPONSE
CACHE::expire
Forces a cached object to be revalidated from the server.
Syntax
CACHE::expire

235 of 304

Example:
if { $expired equals 1 } {
CACHE::expire
log "cache expire"
}
}
Related Information
Valid Events:
CACHE::headers
Returns the HTTP headers of a cached object. The <name>/<value> pairs
are returned in a Tcl list.
Syntax
CACHE::headers
Example:
# log all HTTP headers sent in cache response.
log local0. [CACHE::headers]
}
Related Information
Valid Events:
236 of 304


CACHE::hits
Returns the number of cache hits for a cached object.
Syntax
CACHE::hits
Example:
log "[CACHE::hits] cache hits for document at [HTTP::uri]"
}
Related Information
Valid Events:

237 of 304

Commands - Diameter Load Balancing Commands
Diameter Load Balancing Commands

Diameter load balancing uses the following commands.
DIAMETER::app_id
Returns the application ID of a Diameter message.
Syntax
DIAMETER::app_id
Example:
log "DIAMETER::app_id = [DIAMETER::app_id]"
}
Related Information
Valid Events:
DIAMETER_REQUEST, DIAMETER_ANSWER,
DIAMETER_REQUEST_SEND, DIAMETER_ANSWER_SEND
DIAMETER::avp
Reads, writes, or deletes AVPs.
Syntax
DIAMETER::avp count
Returns the number of AVPs.
DIAMETER::avp get_ids [<avp_code> | <name>]
Returns a list of the IDs of AVPs with matching <avp_code> or <name>. If
the <avp_code> or <name> is not specified, the IDs of all AVPs are
returned.
Note:
The order of IDs might not be the same as the order of the AVPs in the
packet.
DIAMETER::avp <id> code [name | type]
Returns the numeric AVP code of the AVP with ID <id>. If the [name] is
specified and the AVP is a standard AVP, a user-readable string is returned;
otherwise, an empty string is returned. If [type] is specified, and the AVP is
a standard AVP, its type is returned; otherwise, an empty string is returned.
238 of 304


DIAMETER::avp <id> index
Returns the index value within the packet of the AVP with ID <id>.
DIAMETER::avp <id> flags
Returns flags of the AVP with ID <id>, in the following format:
{V|-}{M|-}{P|-}
DIAMETER::avp <id> length
Returns the length of the AVP with ID <id>.
DIAMETER::avp <id> vendor_id
Returns the vendor_id of the AVP with ID <id>, if the AVP has the V flag
specified; otherwise, an empty string is returned.
DIAMETER::avp <id> value [<type>]
Returns the value of the AVP with ID <id>. If the specified <type> is
Unsigned32, Unsigned64, Integer32, Integer64, Address, or OctetString, the
value is interpreted accordingly, if it does not conflict with the AVP (example: for an Integer32 AVP Unsigned64 cannot be returned). For AVPs of
type DiameterIdentity, Grouped, Time, DiamURI, Enumerated, or
UTF8String, a byte array is returned.
DIAMETER::avp <id> delete
Deletes the AVP with ID <id>.
Note:
Once an AVP is deleted, it can not be accessed thereafter.

DIAMETER::avp [index] insert [<avp_code> |
<name>] <value> <flags> [<vendor_id>] [type
<type>]
Inserts an AVP with the specified attributes. If [index] is specified, the AVP
is inserted at that position in the packet. The [index] value must be between
0 and number of AVPs in the packet. Further, a packet can contain a maximum of 64 AVPs at any stage. If [index] is not specified, the AVP is
appended to the packet. This command also returns the ID of the inserted
AVP. If the <avp_code> is non-standard, the value is inserted as OctetString.
DIAMETER::avp <id> replace [value <value> [type
<type>]] [flags <flags> [<vendor_id>]]
Replaces the value or flags (and vendor_id if flags includes "V") or AVP at
ID <id>. The <type> can only be one of the following: Unsigned32,
Unsigned64, Integer32, Integer64, Address, or OctetString.

239 of 304

Example:
log "Number of AVPs = [DIAMETER::avp count]"
log "Ids of all AVPs = [DIAMETER::avp get_ids]"
log "Ids of AVPs of code 257 = [DIAMETER::avp get_ids 257]"
log "Ids of Session-Id AVPs = [DIAMETER::avp get_ids Session-Id]"
}
Example:
set ids [DIAMETER::avp get_ids]
for { set i 0 } { $i < [llength $ids] } { incr i } {
set id [lindex $ids $i]
log
log
log
log
log
log
log
log
"DIAMETER::avp
"DIAMETER::avp
"DIAMETER::avp
"DIAMETER::avp
"DIAMETER::avp
"DIAMETER::avp
"DIAMETER::avp
"DIAMETER::avp
$id
$id
$id
$id
$id
$id
$id
$id
code = [DIAMETER::avp $id code]"

code name = [DIAMETER::avp $id code name]"
code type = [DIAMETER::avp $id code type]"
index = [DIAMETER::avp $id index]"
flags = [DIAMETER::avp $id flags]"
length = [DIAMETER::avp $id length]"
vendor_id = [DIAMETER::avp $id vendor_id]"
value = [DIAMETER::avp $id value]"
}
}
Example:
set ids [DIAMETER::avp get_ids]
for { set i 0 } { $i < [llength $ids] } { incr i } {
set id [lindex $ids $i]
DIAMETER::avp $id delete
}
}
240 of 304


Example:
set newid [DIAMETER::avp insert 12345 6789 VMP 567 type Unsigned32]
log "DIAMETER::avp
log "DIAMETER::avp
log "DIAMETER::avp
log "DIAMETER::avp
log "DIAMETER::avp
log "DIAMETER::avp
log "DIAMETER::avp
log "DIAMETER::avp
Unsigned32]"
}
$newid
$newid
$newid
$newid
$newid
$newid
$newid
$newid
code = [DIAMETER::avp $newid code]"

code name = [DIAMETER::avp $newid code name]"
code type = [DIAMETER::avp $newid code type]"
index = [DIAMETER::avp $newid index]"
flags = [DIAMETER::avp $newid flags]"
length = [DIAMETER::avp $newid length]"
vendor_id = [DIAMETER::avp $newid vendor_id]"
value Unsigned32 = [DIAMETER::avp $newid value
Example:
set newid [DIAMETER::avp 0 insert 12345 6789 VMP 567 type Unsigned32]
DIAMETER::avp $newid replace value 12345 type Unsigned32 flags VMP 567
log "DIAMETER::avp
log "DIAMETER::avp
log "DIAMETER::avp
log "DIAMETER::avp
log "DIAMETER::avp
Unsigned32]"
}
$newid
$newid
$newid
$newid
$newid
index = [DIAMETER::avp $newid index]"

flags = [DIAMETER::avp $newid flags]"
length = [DIAMETER::avp $newid length]"
vendor_id = [DIAMETER::avp $newid vendor_id]"
value Unsigned32 = [DIAMETER::avp $newid value
Related Information
Valid Events:
DIAMETER::cmd_code
Returns the command code, or its name, of a Diameter message. If [name] is
specified, an empty string or one of the following is returned as appropriate:
ASR, ASA, ACR, ACA, CER, CEA, DWR, DWA, DPR, DPA, RAR, RAA,
STR, or STA.
Syntax
DIAMETER::cmd_code [name]
If you use the [name] option, the name is returned,. If you omit the [name]
option, the command code is returned instead.

241 of 304

Example:
}
Example:
log "DIAMETER::cmd_code name = [DIAMETER::cmd_code name]"
}
Related Information
Valid Events:
DIAMETER::length
Returns the length of a Diameter message.
Syntax
DIAMETER::length
Example:
log "DIAMETER::length = [DIAMETER::length]"
}
Related Information
Valid Events:
DIAMETER::version
Returns the version of a Diameter message.
Syntax
DIAMETER::version
242 of 304


Commands - RADIUS Message Load-balancing Commands
Example:
log "DIAMETER::version = [DIAMETER::version]"
}
Related Information
Valid Events:
RADIUS Message Load-balancing Commands

RADIUS::avp
Returns RADIUS attribute-value pairs (AVPs).
The virtual port that uses this FleX command should be bound to UDP port
1812.
Syntax
RADIUS::avp [<attr>]
Returns a list of AVPs in the message as {attr, len, value} tuples.
The <attr> option specifies a RADIUS attribute, 1-255 (RFC 2865). If
you use the <attr> option, only the AVP for the specified attribute is
returned. If you omit this option, the AVPs for all the attributes are returned.
Example:
when CLIENT_DATA {
set type [RADIUS::avp 40]
switch $type {
1 2 {
if { [active_members radius_test_pool] > 0 } {
pool radius_test_pool
}
}
default {
drop
}
}
}

243 of 304

Commands - RADIUS Message Load-balancing Commands
Related Information
Valid Events:
CLIENT_DATA, SERVER_DATA
RADIUS::code
Returns the RADIUS message code.
Syntax
RADIUS::code
Example:
when CLIENT_DATA {
log "RADIUS code=[RADIUS::code]"
}
Related Information
Valid Events:
RADIUS::id
Returns the RADIUS message ID.
Syntax
RADIUS::id
Example:
when CLIENT_DATA {
log "RADIUS id=[RADIUS::id]"
}
244 of 304


Commands - SSL Commands
Related Information
Valid Events:
RADIUS::length
Returns the RADIUS message length.
Syntax
RADIUS::length
Example:
when CLIENT_DATA {
log "RADIUS message length=[RADIUS::length]"
}
Related Information
Valid Events:
SSL Commands
This section describes the SSL commands.
Note:
In AX Release 2.6.1-P2 and later, the SSL::cert command returns certificates in DER format. In previous releases, this command returns certificates in text format.
To return a certificate in text format instead, X509::text on page 261.
To return a certificate in PEM format instead, X509::whole on
page 263.
Note:
ACOS 2.7.1 SSL commands are supported only on HTTP virtual port 80
and are not supported on HTTPS virtual ports or other port numbers. The
SSL commands introduced in releases previous to ACOS 2.7.1 are supported for both HTTP and HTTPS virtual ports.

245 of 304

SSL::cert
Returns the SSL certificate with the specified level in the certificate chain.
The level is 0-based.
Note:
The SSL::cert command returns certificates in DER format. In previous releases, this command returns certificates in text format.
Syntax
SSL::cert <level>
Example:
session add ssl [SSL::sessionid] $cert
}
when HTTP_REQUEST {
if { [SSL::cert count] > 5 } {
set issuer [SSL::cert issuer 2]
log "issuer $issuer"
} else {
SSL::cert mode request
}
}
Related Information
Valid Events
CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE,
HTTP_REQUEST, HTTP_REQUEST_DATA,
HTTP_REQUEST_SEND, HTTP_RESPONSE,
HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE
246 of 304


SSL::cert count
Returns the number of certificates in the certificate chain.
Syntax
SSL::cert count
Example:
See the example for SSL::cert on page 246.
Related Information
Valid Events: See SSL::cert on page 246.
SSL::cert issuer
Returns the issuer of the certificate with the specified level.
Syntax
SSL::cert issuer <index>
Example:

Related Information
SSL::cert mode
Sets the certificate mode. This setting overrides the mode setting in the template.
Syntax
SSL::cert mode <request | require | ignore |
auto>
Example:
Related Information
247 of 304

SSL::cipher
Returns SSL cipher information.
Syntax
SSL::cipher name
Returns the current SSL cipher name using the format of the OpenSSL
SSL_CIPHER_get_name() function (for example, EDH-RSA-DESCBC3-SHA" or "RC4-MD5).
SSL::cipher version
Returns the current SSL cipher version using the format of the OpenSSL
SSL_CIPHER_get_version() function (for example, SSLv2, SSLv3, or
TLSv1).
SSL::cipher bits
Returns the number of secret bits that the current SSL cipher used, using the
format of the OpenSSL SSL_CIPHER_get_bits() function (for example,
128 or 40).
Example:
The following script checks the encryption strength and redirects to a

sorry page if the encryption is too weak.
when HTTP_REQUEST {
log "[IP::remote_addr]: SSL cipher strength is [SSL::cipher bits]"
# Check encryption strength
if { [SSL::cipher bits] < 128 } {
# Client is using a weak cipher, so redirect to a URL showing a sorry page
HTTP::respond 302 Location "http://10.10.10.10/sorry.html" Cache-Control
No-Cache Pragma No-Cache
} else {
pool web_servers
}
}
Related Information
Valid Events:
Required AX Release: 2.6.1
248 of 304


SSL::sessionid
Returns the current SSL session ID.
Syntax
SSL::sessionid
Note:
Only the client side is supported.
Example:
session add ssl [SSL::sessionid] $cert 300
}
Related Information
Valid Events

249 of 304

SSL::verify_result
If <result_code> is not specified, returns the result code of the peer certification verification. If <result_code> is specified, sets the result code of the
peer certification verification.
Syntax
SSL::verify_result [<result_code>]
Example:
set result [ X509::verify_cert_error_string [SSL::verify_result]]
log "Result is $result"
}
Related Information
Valid Events
SSL::disable
Disables SSL on either the client or server side.
Syntax
SSL::disable [clientside | serverside]
Example:
SSL::disable
SSL::disable serverside
}
Valid Events
HTTP_REQUEST,HTTP_REQUEST_DATA, HTTP_REQUEST_SEND,
CLIENTSSL_CLIENTCERT,CLIENTSSL_HANDSHAKE,
CLIENT_ACCEPTED,SERVER_CONNECTED
250 of 304


SSL::enable
Enables SSL for either the client or server side.
Syntax
SSL::enable [clientside | serverside]
Example:
SSL::enable
SSL::enable serverside
}
Valid Events
HTTP_REQUEST,HTTP_REQUEST_DATA,
HTTP_REQUEST_SEND,CLIENTSSL_CLIENTCERT,
CLIENTSSL_HANDSHAKE,CLIENT_ACCEPTED,
SERVER_CONNECTED
SSL::mode
Returns a 1 when SSL is enabled or a 0 when SSL is disabled. This command can apply to either the client or server side.
Note:
The certificate mode, set with the command SSL::cert mode, can override
the mode set in the SSL template.
Syntax
SSL::mode
Example:
SSL::template t1
}
when HTTP_REQUEST {
log "SSL::mode = [SSL::mode]"
}

251 of 304

Valid Events
CLIENT_ACCEPTED,SERVER_CONNECTED,
SERVERSSL_HANDSHAKE
SSL::sessionid
Returns the current SSL session ID number.
Syntax
SSL::sessionid
Example:
session add ssl [SSL::sessionid] $cert 300
}
Valid Events
HTTP_REQUEST,HTTP_REQUEST_DATA,
HTTP_REQUEST_SEND,HTTP_RESPONSE,
SSL::template
Applies an SSL template to either the client or server side of a connection.
Syntax
SSL::template <templatename>
Applies an SSL template on either the client or server side, depending
on the context of the event.
SSL::template [clientside|serverside]
<templatename>
Applies an SSL template for specifically the client or server side only.
252 of 304


Example:
SSL::template t1
SSL::template serverside t2
}
Valid Events
SERVERSSL_HANDSHAKE, LB_SELECTED
Disables reuse of the SSL Session ID for the client. This command is valid
only after the SSL handshake is complete for the client side of the connection.
Syntax
Example:
SSL::template t1
}
}
Valid Events
SERVERSSL_HANDSHAKE

253 of 304

Commands - X509 Commands
X509 Commands
This section describes the X.509 commands.
Note:
In previous releases, these commands accepted certificates only in text

format. The following X.509 commands now also accept certificates in
Distinguished Encoding Rules (DER) format as input.
X509::extensions
Returns the X.509 extensions set on the specified X.509 certificate. If an
invalid certificate is supplied, a runtime TCL error is generated.
Note:
In previous releases, the X509::extensions command returns binary

extension values as text and displays . to represent unprintable characters. In AX Release 2.7.0, X509::extensions returns a binary Byte
array to preserver all information. See the Sample Output example below.
Syntax
X509::extensions <X509-certificate>
Example:
log local0. "Client cert extensions - [X509::extensions $cert]"
}
254 of 304


Sample Output
AX3200(config-slb vserver-vport)#sh aflex ex1
Name:
ex1
Syntax:
Check
Virtual port:
Bind
vip-L7-25-130: 443
Statistics:
Event CLIENTSSL_CLIENTCERT execute 1 times (0 failures, 0 aborts)
Content:
set hash [X509::hash sha1 [SSL::cert 0]]
binary scan $hash H* sha1str
log "Cert-Thumbprint: $sha1str"
set ext [X509::extensions $cert]
regexp {.*X509v3 Extended Key Usage: \n\s*([^\n]*)\n.*} $ext -> eku
log "Cert-EKU-List: $eku"
}
AX3200(config-slb vserver-vport)#sh log
Log Buffer: 30000
Sep 04 2012 01:35:41 Info
[AFLEX]:ex1:Cert-EKU-List: TLS Web Server
Authentication, TLS Web Client Authentication
Sep 04 2012 01:35:41 Info
[AFLEX]:ex1:Cert-Thumbprint:
5fe2bf860badc8b588ee7f20d04309343f4ecb46
Sample Output (with Extended Key Usage)
Oct 22 2011 05:13:32 Info
[AFLEX]:extensions=X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
Related Information
Valid Events: All

255 of 304

X509::hash
Returns the MD5 (default) or SHA1 hash (fingerprint) of the specified
X.509 certificate.
Note:
Beginning with AX Release 2.7.0, X509::hash no longer returns a text

string but the actual hash value as a Byte array. To return a text string, use
the binary scan command. See Example 2 below.
Syntax
X509::hash [md5|sha1] <X509 certificate>
Example 1
when HTTP_REQUEST {
set client_cert [SSL::cert 0]
log local0. "Cert hash - [X509::hash $client_cert]"
set cert_hash [X509::hash $client_cert]
}
Example 2
This example prints a text string of the X509::hash command output.
set hash [X509::hash sha1 [SSL::cert 0]]
binary scan $hash H* sha1str
log "X-LB-Cert-Thumbprint: $sha1str
}
Related Information
Valid Events: All
Required AX Release: 2.6.1-P2
X509::issuer
Returns the issuer of the X.509 certificate.
Syntax
X509::issuer
256 of 304


Example:
set issuer [X509::issuer [SSL::cert 0]]
log "Issuer: $issuer"
}
Related Information
Valid Events:
Returns the not-valid-after date of an X.509 certificate.
Syntax
Example:
set not_valid_after [X509::not_valid_after [SSL::cert 0]]
log "Not Valid After: $not_valid_after"
}
Related Information
Valid Events:

257 of 304

Returns the not-valid-before date of an X.509 certificate.
Syntax
Example:
set not_valid_before [X509::not_valid_before [SSL::cert 0]]
log "Not Valid Before: $not_valid_before"
}
Related Information
Valid Events:
X509::serial_number
Returns the serial number of an X.509 certificate.
Syntax
X509::serial_number
Example:
set serial_number [X509::serial_number [SSL::cert 0]]
log "Serial Number: $serial_number"
}
Related Information
Valid Events:
258 of 304


X509::signature_algorithm
Returns the signature algorithm of the specified X.509 certificate.
Syntax
X509::signature_algorithm <X509 certificate>
Example:
when LB_SELECTED {
log local0. "Cert signature_algorithm - [X509::signature_algorithm $cert]"
}
Related Information
Valid Events: All
X509::subject
Returns the subject of an X.509 certificate.
Syntax
X509::subject
Example:
set subject [X509::subject [SSL::cert 0]]
log "subject $subject"
}
Related Information
Valid Events

259 of 304

X509::subject_public_key
Returns the subjects public key of the specified X.509 certificate.
Syntax
X509::subject_public_key <X509 certificate>
Example:
log local0. "Cert subject - [X509::subject $client_cert]"
log local0. "Cert public key - [X509::subject_public_key $client_cert]"
}
Related Information
Valid Events: All
X509::subject_public_key_RSA_bits
Returns the size of the subjects public RSA key of an X.509 certificate.
Note:
This command is only applicable when the public key type is RSA. Otherwise, the command generates an error.
Syntax
X509::subject_public_key_RSA_bits
<X509 certificate>
Example:
log local0. "Cert public key - [X509::subject_public_key_RSA_bits $client_cert]"
}
Related Information
Valid Events: All
260 of 304


X509::subject_public_key_type
Returns the subjects public key type of the specified X.509 certificate. The
returned value can be RSA, DSA, or unknown.
Syntax
X509::subject_public_key_type <X509 certificate>
Example:
log local0. "Cert public key type - [X509::subject_public_key_type client_cert]"
if { [X509::subject_public_key_type $client_cert] equals "unknown" } {
SSL::verify_result 50
}
set error_code [SSL::verify_result]
log local0. "Cert verify result - [X509::verify_cert_error_string $error_code]"
}
Related Information
Valid Events: All
X509::text
Syntax
X509::text <X509 certificate>
Example:
set cert_text "[X509::text $client_cert]"
}
Related Information
Valid Events: All

261 of 304

Returns the error string as an OpenSSL X.509 error string.
Syntax
Example:
set result [X509::verify_cert_error_string [SSL::verify_result]]
log "result $result"
}
Related Information
Valid Events
X509::version
Returns the version number of an X.509 certificate.
Syntax
X509::version
Example:
set version [X509::version [SSL::cert 0]]
log "Version Number: $version"
}
Related Information
Valid Events:
262 of 304


X509::whole
Returns the entire X.509 certificate in PEM format.
Syntax
X509::whole <X509 certificate>
Example:
log local0. "[X509::whole $client_cert]"
}
Example:
when HTTP_REQUEST {
if { [SSL::cert count] > 0 } {
HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" [X509::whole
[SSL::cert 0]]
}
}
Related Information
Valid Events: All

263 of 304

Commands - STATS Commands
STATS Commands
STATS::clear
Clears statistics for a real server (node), virtual server, or service group
(pool).
Syntax Clear Real Server Statistics:
To clear statistics for a real server, use the following command:
STATS::clear server <server-name | ipaddr>
response-pkt
[partition shared]
Syntax Clear Virtual Server Statistics:

To clear statistics for a virtual server, use the following command:
STATS::clear virtual-server <vip-name| vipaddr>
[<port-num> <service-type>]
response-pkt
[partition shared]
Syntax Clear Service Group Statistics:

To clear statistics for a service group, use the following command:
STATS::clear pool <pool-name>
[member <ipaddr> <port-num>]
response-pkt
[partition shared]
Example:
when HTTP_REQUEST {
STATS::clear server rs-server-2 80 tcp total-connection
STATS::clear virtual-server vip-1 80 http total-connection
STATS::clear pool sg-tcp80 total-connection
}
Related Information
Valid Events: All
264 of 304


STATS::get
Retrieves statistics for a real server (node), virtual server, or service group
(pool).
Syntax Get Real Server Statistics:
To retrieve statistics from a real server, use the following command:
STATS::get server <server-name | ipaddr>
response-pkt
[partition shared]
You can specify the server by its name or IP address (<server-name> or

<ipaddr>).
Optionally, you can specify an individual port by its port number (0-65535)
and Layer 4 protocol (tcp or udp). By default, statistics for all the servers
real ports are returned.
To specify the types of statistics to return, use one of the following options:
current-connection
total-connection
request-pkt
response-pkt
The shared partition option applies the command to real servers in the
shared partition. By default, the STATS::get command acts only upon
the real servers located in the Role-Based Administration (RBA) partition
that contains the aFleX policy.
Syntax Get Virtual Server Statistics:
To retrieve statistics from a virtual server, use the following command:
STATS::get virtual-server <vip-name| vipaddr>
[<port-num> <service-type>]
response-pkt
[partition shared]
You can specify the virtual server by its name or VIP address (<vip-name>
or <vipaddr>).

265 of 304

Optionally, you can specify an individual port by its port number (0-65535)
and service type (tcp, udp, http, https, and so on). By default, statistics for
all the virtual servers ports are returned.
The other options are the same as those for real servers.
Syntax Get Service Group Statistics:
STATS::get pool <pool-name>
[member <ipaddr> <port-num>]
response-pkt
[partition shared]
Specify the service group by its name (pool-name).

Optionally, you can specify an individual member (server and port) by the
real server IP address and protocol port number. By default, statistics for all
the service groups members are returned.
The other options are the same as those for real servers and virtual servers.
The following policy will select a real server based on the current
connection counter:
Example:
set total1 [STATS::get server 10.10.10.10 current-connection]

set total2 [STATS::get server 10.10.10.20 current-connection]
if { $total1 > $total2 } {
node 10.10.10.20 80
} else
node 10.10.10.10 80
}
}
For another example, see Example 3 in LB::reselect on page 168.

Related Information
Valid Events: All
266 of 304


Commands - TCP Commands
TCP Commands
TCP::client_port
Returns the TCP port/service number of the specified client. This command
is equivalent to the command clientside { TCP::remote_port }
and to client_port.
Syntax
TCP::client_port
Example:
if { [TCP::client_port] > 1000 } {
pool slow_pool
}
else {
pool fast_pool
}
}
Related Information
Valid Events: All
TCP::close
Closes the TCP connection.
Syntax
TCP::close
Example:
TCP::collect
}
when CLIENT_DATA {
if {[TCP::payload] contains "abc"} {
pool abc_pool
TCP::release
} else {
TCP::close
}
}

267 of 304

TCP::collect
Syntax
The <length> parameter specifies the minimum number of bytes to collect.
Example:
TCP::collect 15
}
when CLIENT_DATA {
if { [TCP::payload 15] contains "XYZ" } {
pool xyz_servers
} else {
pool web_servers
}
}
Related Information
Valid Events:
CLIENT_ACCEPTED
Support for Generic TCP Proxy
The generic tcp-proxy service type, new in AX Release 2.6, is also supported in aFleX.
Specifically, you can use the TCP::collect [<length>] command
to collect payload data on a tcp-proxy virtual port.
The script behavior differs slightly depending on whether the <length>
option is used.
268 of 304


If the <length> option is specified:
DATA event is triggered only when more than the specified number of
data packets are collected.

Script is implicitly forced to release data and forward data packet after
the DATA event. Thus, a TCP release will be performed even if the
script does not contain the TCP::release command.
The collect flag will be disabled following the DATA event. TCP::col-
lect is not allowed again in the DATA event.

Example:
TCP::collect 1000
}
when CLIENT_DATA {
set tcplen [TCP::payload length]
log "length = ($tcplen)"
pool xyz_servers
} else {
pool web_servers
}
TCP::release
}
TCP::collect
If the <length> option is not specified:
DATA event is triggered when first data packet is received.
If the event does not contain the TCP::release command, the
ACOS device will buffer the data instead of forwarding it.

To keep collecting the next packet, the script must contain another
TCP::collect command after the TCP::release command.

If the DATA event does not have a TCP::collect command, the col-
lect flag will be disabled and no incoming packets will be collected.

269 of 304

Example:
TCP::collect
}
when CLIENT_DATA {
pool xyz_servers
} else {
pool web_servers
}
TCP::release
TCP::collect
}
Server Selection Behavior if TCP::collect [<length>] Command

Is Not Used with Generic TCP-Proxy Traffic
For generic TCP-proxy traffic, if the TCP::collect [<length>]
command is not used, the ACOS device performs server selection after the
client session is established, and sends a SYN to the server:
1. Client sends SYN.
2. AX sends SYN-ACK.
3. Client sends ACK.
4. After receiving the ACK from the client, AX device selects a real server
and sends a SYN to the server.
5. The session flow continues with the selected server.
If the TCP::collect command is used in the CLIENT_ACCEPTED
event, the ACOS device can not initiate connection with a back-end server
following the client ACK.
270 of 304


In this case, the ACOS device waits until the aFleX collect operation is finished and the CLIENT_DATA event is triggered. Only after the collect is
finished, the ACOS device selects a real server and forwards the data.
1. Client sends SYN.
2. ACOS sends SYN-ACK.
3. Client sends ACK.
4. Client data push.
If collect operation is finished, trigger CLIENT_DATA event and
select server to establish connection.

If collect operation is not finished (collect length is specified), keep
buffering client data and forward it to the server only when the collect operation is finished.
Additional Generic TCP-Proxy Examples
The following event types are supported for this use of the command:
CLIENT_ACCEPTED
CLIENT_DATA
SERVER_CONNECTED
SERVER_DATA
Here are some examples.

Example:
Only collect first data packet and trigger DATA event.
TCP::collect
}
when CLIENT_DATA {
if { [TCP::payload ] contains "XYZ" } {
pool xyz_servers
} else {
pool web_servers
}
TCP::release
}

271 of 304

Collect and trigger DATA event for every TCP data packet. To perform this operation, the script uses the following:
Example:
TCP::collect command in CLIENT_ACCEPTED event

TCP::release command at the end of the CLIENT_DATA event
TCP::collect command in the CLIENT_DATA event, enable the
collect flag for the next data packet

TCP::collect
}
when CLIENT_DATA {
pool xyz_servers
} else {
pool web_servers
}
TCP::release
TCP::collect
}
Collect first 2000 bytes of data and trigger DATA event. To perform
this operation, the script uses the following:
Example:
TCP::collect command with <length> option in
CLIENT_ACCEPTED event
TCP::release command at the end of CLIENT_DATA event
TCP::collect 2000
}
when CLIENT_DATA {
pool xyz_servers
} else {
pool web_servers
}
TCP::release
}
272 of 304


Note:
If the total TCP payload is less than the collect <length>, the ACOS
device will keep waiting for more data from the client, and can not forward to the server as expected. Make sure to specify the correct length
value in the script.
Note:
If the collect <length> is specified, aFleX does not allow TCP::collect to be used again in the DATA event.
Collect the first 3 data packets then forward to the server. To perform
this operation, the script uses the following:
Example:
TCP::collect command in CLIENT_ACCEPTED event

In the CLIENT_DATA event, TCP::release is executed only if the
number of collected packets is greater than 3.

TCP::collect
Set packet_count 0
}
when CLIENT_DATA {
set packet_count [expr $packet_count + 1]
if { $packet_count >= 3 }

pool xyz_servers
} else {
pool web_servers
}
TCP::release
}
}
TCP::local_port
Returns the local TCP port/service number. This command is equivalent to
the variable local_port.
Syntax
TCP::local_port

273 of 304

Example:
if {[IP::protocol] == 47 || [TCP::local_port] == 1723} {
# GRE used by MS PPTP server, TCP control channel
pool ms_pptp
} elseif {[IP::protocol] == 50 || [IP::protocol] == 51 || [UDP::local_port]
== 500} {
# AH and ESP used by IPSec, IKE used by IPSec
pool ipsec_pool
} elseif {[IP::protocol] == 115} {
pool l2tp_pool
# L2TP Protocol server
}
}
TCP::mss
Returns the on-wire Maximum Segment Size (MSS) for a TCP connection.
Syntax
TCP::mss
Example:
log "MSS is [TCP::mss]"
}
TCP::rtt
Returns the smoothed round-trip time (RTT) estimate for a TCP connection.
Syntax
TCP::rtt
Notes:
Divide the returned value by 2 to get the actual round-trip time in milli-
seconds.
The RTT takes some time to converge.
274 of 304


Example:
clientside { set rtt [TCP::rtt] }
if {$rtt < 1600 } {
log "Don't compress rtt=$rtt"
COMPRESS::disable
}
else {
log "compress rtt=$rtt"
COMPRESS::enable
COMPRESS::gzip level 9
}
}
Related Information
Valid Events: All
TCP::offset
Returns the position in the TCP data stream in which the collected TCP data
starts.
Syntax
TCP::offset
Example:
TCP::collect
}
when CLIENT_DATA {
if {[TCP::offset] > 1000} {
TCP::release
}
}

275 of 304

TCP::payload
Returns the accumulated TCP data content, or replaces collected payload
with the specified data.
Syntax
TCP::payload <offset> <size>
TCP::payload length
Returns the accumulated TCP data content.
TCP::payload <offset> <size>
Returns the accumulated TCP data content start from <offset>.
TCP::payload length
Returns the amount of accumulated TCP data content in bytes.
TCP::payload <offset> <size> <data>
Returns collected payload with the given data.
Note:
This command is supported for the TCP-proxy vport only.
Example:
TCP::collect
}
when CLIENT_DATA {
if { [TCP::payload] contains "flower" } {
pool http-sg2
} else {
pool http-sg3
}
}
Related Information
Valid Events
276 of 304


TCP::release
Causes TCP to resume processing the connection and flush collected data.
Syntax
TCP::release
Example:
TCP::collect 1500
}
when CLIENT_DATA {
if {[TCP::offset] > 1000} {
TCP::release
}
}
TCP::remote_port
Returns the remote TCP port/service number.
When used with the clientside command (that is,
clientside TCP::remote_port), the TCP::remote_port command is equivalent to the TCP::client_port command.
When used with the serverside command (that is,
serverside TCP::remote_port), the TCP::remote_port command is equivalent to the TCP::server_port command.
Note:
This command replaces the remote_port command.

Syntax
TCP::remote_port
Example:
log "server TCP port = [TCP::remote_port]"
}

277 of 304

TCP::server_port
Returns the TCP port/service number of the specified server. This command
is equivalent to the command serverside { TCP::remote_port }
and to the deprecated variable server_port.
Syntax
TCP::server_port
Example:
if { [TCP::server_port] > 1000 } {
pool slow_pool
}
else {
pool fast_pool
}
}
TCP::respond
Sends the specified data directly to the peer. This command can be used to
complete a protocol handshake.
Syntax
TCP::respond <data>
The <data> parameter specifies the data to send to the peer.
Example:
when HTTP_REQUEST {
if {([HTTP::method] eq "POST") && [HTTP::header exists "Expect"] } {
HTTP::header remove "Expect"
TCP::respond "HTTP/1.1 100 Continue\r\n\r\n"
}
}
Example:
278 of 304
The aFleX example below looks for an EHLO <hostname> command and responds with a specific error message. This script intercepts the TCP stream between a webserver that is behind the ACOS
device and an SMTP server that is external to the ACOS device.


Commands - TIME Commands
clientside { TCP::collect 4 }
}
when CLIENT_DATA {
if { [TCP::payload] starts_with "EHLO" } {
TCP::respond "500 5.3.3 Unrecognized command\r\n"
TCP::payload replace 0 [TCP::payload length] ""
}
TCP::release
}
Related Information
Valid Events:
CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA,
SERVER_CONNECTED, SERVER_CLOSED, SERVER_DATA
TIME Commands
TIME::clock
Return the system time, in seconds or milliseconds. This command is used
in a SMP environment for high-performance processing.
Note:
The lowest resolution of the timer is 4 milliseconds.

Syntax
TIME::clock [seconds | milliseconds]
Example:
set formattedtime [clock format $curtime -format {%H:%S} ]
log "the time is: $formattedtime"
}
Related Information
Valid Events: All

279 of 304

Commands - UDP Commands
UDP Commands
UDP::client_port
Returns the UDP port/service number of the client system. This command is
equivalent to the command clientside { UDP::remote_port }.
Syntax
UDP::client_port
Example:
if { [UDP::client_port] equals 80 } {
pool pool-80
}
}
Related Information
Valid Events
UDP::local_port
Returns the local UDP port/service number.
Syntax
UDP::local_port
Example:
if {[IP::protocol] == 47 || [TCP::local_port] == 1723} {
# GRE used by MS PPTP server, TCP control channel
pool ms_pptp
} elseif {[IP::protocol] == 50 || [IP::protocol] == 51 || [UDP::local_port]
== 500} {
# AH and ESP used by IPSec, IKE used by IPSec
pool ipsec_pool
} elseif {[IP::protocol] == 115} {
pool l2tp_pool
# L2TP Protocol server
}
}
280 of 304


Related Information
Valid Events:
UDP::payload
Returns the content or length of the current UDP payload.
Syntax
UDP::payload [<size>]
Returns the content of the current UDP payload.
UDP::payload length
Returns the length, in bytes, of the current UDP payload.
UDP::payload <offset> <size>
Returns the content of the current UDP payload from <offset>.
UDP::payload replace <offset> <size> <new_data>
Stating at <offset>, replaces the <size> of the collected payload with
the specified <new_data>.
Note:
The <size> variable is supported only in AX Release 2.4.2 and later.
Note:
The <new_data> variable is supported only in ACOS 2.7.1 and later.
Example:
TCP::collect
}
when CLIENT_DATA {
if { [UDP::payload 12 20] contains "a10networks" } {
pool dns-sg1
} else {
pool dns-sg2
}
}

281 of 304

Example:
In the following example, the payload is emptied and filled with data
from the packetdata string sent to the server
when CLIENT_DATA {
UDP::payload replace 0 [UDP::payload length] ""
# craft a string to hold data, 0x01 0x00 0x00 0x00 0x02 0x00 0x00 0x00 0x03
0x00 0x00 0x00
set packetdata [binary format i1i1i1 1 2 3 ]
UDP::payload replace 0 0 $packetdata
}
Related Information
Valid Events
UDP::remote_port
Returns the remote UDP port/service number.
Syntax
UDP::remote_port
Example:
if { [UDP::remote_port] equals 80 } {
pool pool-80
}
}
Related Information
Valid Events:
UDP::server_port
Returns the UDP port/service number of the server. This command is equivalent to the command serverside { UDP::remote_port }.
282 of 304


Syntax
UDP::server_port
Example:
if { [UDP::server_port] equals 80 } {
log "Port 80 was selected"
}
}
Related Information
Valid Events:
UDP::respond
Sends the specified data directly to the peer. This command can be used to
complete a protocol handshake.
Syntax
UDP::respond <data>
The <data> parameter specifies the data to send to the peer.
Example:
when CLIENT_DATA {
if { [UDP::payload] contains "abc"] } {
UDP::respond "xyz"
}
}
Example:
when CLIENT_DATA {
set payload "Error: Client not allowed."
if { [IP::remote_addr] eq 10.10.10.1 } {
UDP::drop
UDP::respond $payload
}
}

283 of 304

Commands - URI Commands
Example:
set packet [binary format S {0x0000}]
UDP::respond $packet
}
Related Information
Valid Events:
URI Commands
URI::decode
Returns a decoded version of a given URI.
Syntax
URI::decode <uri>
The following script decodes URI string whoa%20%30%31%32
and writes the decoded string to the log:
Example:
when HTTP_REQUEST {
set d "whoa%20%30%31%32"
set e [URI::decode $d]
log "Decoded string=$e"
}
In this example, the following message appears in the system log:

Apr 18 2011 08:22:05 Info
Example:
[AFLEX]:Decoded string=whoa 012
The following script decodes the URIs in every HTTP request and
writes both the encoded and decoded strings to the log:
when HTTP_REQUEST {
log "The decoded version of \"[HTTP::query]\" is \"[URI::decode
[HTTP::query]]\""
}
284 of 304


In this example, the following message appears in the system log when the
ACOS device receives an HTTP request for URI whoa%20%30%31%32:
Apr 18 2011 08:22:05 Info
[AFLEX]:The decoded version of
"whoa%20%30%31%32" is "whoa 012"
Related Information
Valid Events
HTTP_RESPONSE_DATA
URI::encode
Returns an encoded version of a given URI.
Syntax
URI::encode <uri>
The following script encodes URI string this is a test (&*@#\[\])
and writes the encoded string to the log:
Example:
when HTTP_REQUEST {
set a "this is a test (&*@#\[\])"
set b [URI::encode $a]
log "Encoded string=$b"
}
In this example, the following message appears in the system log:

Apr 18 2011 08:22:05 Info
[AFLEX]:Encoded string=
this+is+a+test+%28%26%2a%40%23%5b%5d%29
Related Information
Valid Events:
HTTP_RESPONSE_DATA

285 of 304

URI::basename
The basename portion of the given URI.
For example, given the URI below:
/path/to/file.ext?=param=value
The command URI::basename returns the following:
file.ext
Syntax
URI::basename <uri>
Example:
when HTTP_REQUEST {
set uri [HTTP::uri]
log "$uri basename=[URI::basename $uri]"
}
Related Information
Valid Events:
HTTP_RESPONSE_DATA
URI::path
The path portion of the given URI.
The command URI::path returns the following:
/path/to/
Syntax:
URI:path <uri>
URI::path <uri> depth
The depth option returns the path depth.
286 of 304


Example:
when HTTP_REQUEST {
set uri [HTTP::uri]
log "$uri path=[URI::path $uri] depth=[URI::path $uri depth]"
}
Related Information
Valid Events:
HTTP_REQUEST,HTTP_REQUEST_DATA,HTTP_RESPONSE,
HTTP_RESPONSE_DATA
URI::query
The query string portion of the given URI.
The command URI::path returns the following:
param=value
Syntax
URI::query <uri>
URI::query <uri> <param>
The <param> option returns the query parameter value corresponding to the
requested parameter name.
Example:
when HTTP_REQUEST {
set query [URI::query [HTTP::uri]]
log local0. "Query portion of uri [HTTP::uri] is $query"
}
Related Information
Valid Events:
HTTP_REQUEST,HTTP_REQUEST_DATA

287 of 304

Commands - Financial Information eXchange Commands
Financial Information eXchange Commands

FIX::begin_string
Returns the value of the BeginString tag. The BeginString tag identifies the
beginning of a new FIX message and the FIX protocol version. It is always
the first field in the message and is always unencrypted.
Syntax
FIX::begin_string
Example:
when FIX_REQUEST {
log local0. "BeginString=[FIX::begin_string]"
}
Related Information
Valid Events:
FIX_REQUEST, FIX_RESPONSE, pool, node
Note:
pool and node commands are only available when the vport is of type
tcp-proxy.
FIX::body_length
Returns the value of the BodyLength tag. The FIX BodyLength tag gives
the message length, in bytes, forward to the CheckSum field. It is always the
second field in the FIX message and is always unencrypted.
Syntax
FIX::body_length
Example:
when FIX_REQUEST {
log local0. "BodyLength=[FIX::body_length] bytes"
}
288 of 304


Related Information
Valid Events:
FIX_REQUEST, FIX_RESPONSE
FIX::msg_seq_num
Returns the integer message sequence number. It is always a positive value.
Syntax
FIX::msg_seq_num
Example:
when FIX_REQUEST {
log local0. "Message Sequence Number=[FIX::msg_seq_num]"
}
Related Information
Valid Events:
FIX::msg_type
Returns the value of the MsgType tag. The MsgType tag defines the message type, which is a string that is one or two characters in length. It is
always the third field in the message and is always unencrypted.
Note:
A U as the first character in the MsgType field (examples: U, U2, and

so on) indicates that the message format is privately defined between the
sender and receiver.
Syntax
FIX::msg_type
Example:
when FIX_REQUEST {
log local0. "Message Type=[FIX::msg_type]"
}

289 of 304

Related Information
Valid Events:
FIX::sender_compid
Returns the value of the SenderCompID tag. The SenderCompID is an
assigned string value used to identify the firm sending the FIX message.
Syntax
FIX::sender_compid
Example:
when FIX_REQUEST {
log local0. "SenderCompID=[FIX::sender_compid]"
}
Related Information
Valid Events:
FIX::sending_time
Returns the value of the time of message transmission, always expressed in
UTC time. The time is returned as a string in either of the following formats:
Whole seconds YYYYMMDD-HH:MM:SS
Milliseconds YYYYMMDD-HH:MM:SS.sss
The colons, dash, and period are required.

Note:
290 of 304
This timestamp is part of the transport level as a field in the StandardHeader and does not represent the time of a related business transaction.
A timestamp for the business transaction is conveyed with the tag 60
TransactTime.


Syntax
FIX::sending_time
Example:
when FIX_REQUEST {
log local0. "SendingTime=[FIX::sending_time]"
}
Related Information
Valid Events:
FIX::target_compid
Returns the value of the TargetCompID tag. The TargetCompID is an
assigned string value used to identify the firm receiving the FIX message.
Syntax
FIX::target_compid
Example:
when FIX_REQUEST {
log local0. "TargetCompID=[FIX::target_compid]"
}
Related Information
Valid Events:

291 of 304

Commands - Database Load Balancing (DBLB) Commands
Database Load Balancing (DBLB) Commands

DB::Query
Gets a string that holds the entire SQL query which was sent by the client.
Example:
when DB_QUERY {
set ret [ DB::query ]
log "aflex script got query $ret"
pool mssqlgroup
}
Valid Events
DB_QUERY
DB::Command
Gets a numeric value that represents the command number. For example,
the MySQL QUIT command has a value of 1.
Example:
when DB_COMMAND {
set ret [ DB::command ]
log "aflex script got command number $ret"
pool mssqlgroup
}
Valid Events
DB_COMMAND
292 of 304


Commands - Template Commands
Template Commands
The TEMPLATE:: commands enable you to access individual configuration
parameters per template.
The following commands allow you to check the existence of a certain template type on a virtual server. In addition, you can use these commands to
access the individual configuration parameters of a template.
TEMPLATE::exists
Determines if a template is bound to a virtual server.
This command returns a 1 integer value if a template is configured on the
current virtual server or a 0 if the template is not configured on the current
virtual server.
Syntax
TEMPLATE::exists [cache | client_ssl | conn_reuse
| http | server_ssl | tcp | udp]
Checks if the following type of template exists:
cache RAM Caching template
client_ssl Client SSL template
conn_reuse Connection Reuse template
http HTTP template
server_ssl Server SSL template
tcp TCP template
udp UDP template
TEMPLATE::exists persist
[cookie | src_ip | dst_ip | ssl_sid]
Checks if the following type of persistence template exists:
cookie Cookie Persistence
src_ip Source IP Persistence
dst_ip Destination IP Persistence
ssl_sid SSL Session ID Persistence

293 of 304

The following policy checks if a Client SSL template is applied to the
virtual server. If so, the command returns a 1 value, which triggers
ACOS to create a log message that a client SSL template is enabled.
Example:
if { [TEMPLATE::exists client_ssl] == 1} {
log "client SSL template enabled on virtual server"
}
}
Example:
if { [TEMPLATE::exists server_ssl] == 1} {
log "server SSL profile enabled on virtual server"
}
}
Valid Events
All
TEMPLATE::cache
Gets the current value of the parameter for a RAM cache template.
Syntax
TEMPLATE::cache <setting>
Returns the value for the specified <setting> in the assigned RAM
cache template. For <setting>, enter one of the following:
name
accept_reload_req
age
default_policy_nocache
disable_insert_age
disable_insert_via
max_cache_size
max_content_size
min_content_size
294 of 304


policy
remove_cookies
replacement_policy
verify_host
Valid Events
All
TEMPLATE::client_ssl
Gets the current value of the parameter for the client SSL template.
Syntax
TEMPLATE::client_ssl <setting>
Returns the value for the specified <setting> in the assigned client SSL
template. For <setting>, enter one of the following:
name
ca_cert
cert
chain_cert
cipher
client_certificate
close_notify
crl
key
session_cache_size
ssl_false_start_disable

295 of 304

The following example checks if a client-side SSL template exists on
the virtual port and logs the template name if the SSL template is
found.
Example:
if { [TEMPLATE::exists client_ssl] == 1 } {
log "*** Template client_ssl is configured on vport ***"
log "*** Name: [TEMPLATE::client_ssl name]"
} else {
log "template client_ssl is not configured on vport"
}
Valid Events
All
TEMPLATE::conn_reuse
Gets the current value of the parameter for the connection reuse template.
Syntax
TEMPLATE::conn_reuse <setting>
Returns the value for the specified <setting> in the assigned connection
reuse template. For <setting>, enter one of the following:
name
keep_alive_conn
limit_per_server
timeout
Valid Events
All
TEMPLATE::http
Gets the current value of the parameter for the HTTP template.
296 of 304


Syntax
TEMPLATE::http <setting>
Returns the value for the specified <setting> in the assigned HTTP
name
compress_level
compress_content_type_excludes
compress_uri_excludes
compress_enable
compress_min_size
compress_content_type
failover_url
host_switching
insert_client_ip
log_retry
redirect_rewrite
request_header_erase
reuqest_header_insert
response_header_erase
response_header_insert
retry_on_5xx
retry_on_5xx_per_req
strict_transaction_switch
term_11client_hdr_client_close
url_hash_persist
url_switching
Valid Events
All
TEMPLATE::ssl
Gets the current value of the parameter for the server SSL template.

297 of 304

Syntax
TEMPLATE::server_ssl <setting>
Returns the value for the specified <setting> in the assigned server SSL
name
ca_cert
cert
cipher
close_notify
key
version
Valid Events
All
TEMPLATE::tcp
Gets the current value of the parameter for the TCP template.
Syntax
TEMPLATE::tcp <setting>
Returns the value for the specified <setting> in the assigned TCP
name
force_delete_timeout
close_idle_timeout
half_close_idle_timeout
idle_timeout
initial_window_size
reset_fwd
reset_rev
Valid Events
All
298 of 304


TEMPLATE::udp
Gets the current value of the parameter for the UDP template.
Syntax
TEMPLATE::udp <setting>
Returns the value for the specified <setting> in the assigned UDP
name
aging
idle_timeout
qos
re_select_if_server_down
stateless_conn_timeout
Valid Events
All

299 of 304

300 of 304



Deprecated Commands
The global commands listed in Table 6 are deprecated. It is recommended
not to use these commands. Instead, please use the recommended equivalent
commands.
TABLE 6
Deprecated Commands
Deprecated Command
client_addr
client_port
http_cookie
http_header
http_host
http_method
http_uri
http_version
ip_protocol
ip_tos
local_addr
redirect
remote_addr
server_addr
server_port
use <cmd>
Recommended Equivalent Command

IP::client_addr
TCP::client_port
or
UDP::client_port
HTTP::cookie
HTTP::header
HTTP::host
HTTP::method
HTTP::uri
HTTP::version
IP::protocol
IP::tos
IP::local_addr
HTTP::redirect
IP::remote_addr
IP::server_addr
TCP::server_port
or
UDP::server_port
<cmd>
This represents any valid and supported aFleX command. Please avoid use of use in front of any command.

301 of 304

Disabled Tcl Commands

For security, the following Tcl commands are disabled in the aFleX syntax.
You cannot use these commands in aFleX scripts.
after
exec
interp
seek
auto_execok
exit
load
socket
auto_import
fblocked
memory
source
auto_load
fconfigure
namespace
tcl_findLibrary
auto_mkindex
fcopy
open
tell
auto_mkindex_old
file
package
unknown
auto_qualify
fileevent
pid
update
auto_reset
filename
pkg::create
uplevel
bgerror
flush
pkg_mkIndex
upvar
cd
gets
proc
vwait
close
glob
pwd
eof
http
rename
302 of 304


303 of 304
Corporate Headquarters
A10 Networks, Inc.
3 West Plumeria Dr.
San Jose, CA 95134 USA
Tel: +1-408-325-8668 (main)
Tel: +1-408-325-8676 (support - worldwide)
Tel: +1-888-822-7210 (support - toll-free in USA)
Fax: +1-408-325-8666
www.a10networks.com
2013 A10 Networks Corporation. All rights reserved.
304

A10 Thunder AX 271-P1 aFleX Ref-2013.07.02 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

A10 Thunder AX 271-P1 aFleX Ref-2013.07.02 PDF

Uploaded by

Copyright:

Available Formats

aFleXScriptingLanguageReference

A10 Thunder Series and AX Series

Note: This edition applies to ACOS 2.7.1.

2013 A10 Networks, Inc. - All Rights Reserved

Information in this document is subject to change without notice.

A10 Networks Inc. Software License and End User Agreement

A10 Thunder Series and AX Series aFleX Reference

End User License Agreement

Customer Driven Innovation

A10 Thunder Series and AX Series aFleX Reference

reverse engineer or decompile, decrypt, disassemble or otherwise reduce

disclose, provide, or otherwise make available trade secrets contained

Software, Upgrades and Additional Products or Copies. For purposes of this

CUSTOMER HAS NO LICENSE OR RIGHT TO USE ANY ADDITIONAL

USE OF UPGRADES IS LIMITED TO A10 NETWORKS EQUIPMENT FOR

Customer Driven Innovation

A10 Thunder Series and AX Series aFleX Reference

Customer Driven Innovation

A10 Thunder Series and AX Series aFleX Reference

Customer Driven Innovation

A10 Thunder Series and AX Series aFleX Reference

Obtaining Technical Assistance

Collecting System Information

USING THE GUI (RECOMMENDED)

Customer Driven Innovation

A10 Thunder Series and AX Series aFleX Reference

USING THE CLI

Additional Information Required

Customer Driven Innovation

A10 Thunder Series and AX Series aFleX Reference

About This Document

A10 Thunder 6430

Customer Driven Innovation

A10 Thunder Series and AX Series aFleX Reference

Application Delivery Guides

Some guides include GUI configuration examples. In these examples,

Customer Driven Innovation

A10 Thunder Series and AX Series aFleX Reference

A10 Virtual Application Delivery Community

Customer Driven Innovation

A10 Thunder Series and AX Series aFleX Reference

Customer Driven Innovation

A10 Thunder Series and AX Series aFleX Reference

End User License Agreement

Obtaining Technical Assistance

Collecting System Information.............................................................................................................. 7

About This Document

Customer Driven Innovation

A10 Thunder Series and AX Series aFleX Reference

aFleX Script Editor

Customer Driven Innovation

A10 Thunder Series and AX Series aFleX Reference

View Status Bar ........................................................................................................................... 78

Applying aFleX Scripts To Virtual Ports

Pre-Loaded aFleX Scripts .................................................................................................................... 81

Global Events ................................................................................................................................ 93

Customer Driven Innovation

A10 Thunder Series and AX Series aFleX Reference

IP, TCP, and UDP Events ............................................................................................................. 99

Relational Operators .................................................................................................................. 113

Customer Driven Innovation

A10 Thunder Series and AX Series aFleX Reference

Logical Operators ....................................................................................................................... 117