Professional Documents
Culture Documents
Patents Protection
A10 Networks products including all AX Series products are protected by one or more of the following US patents and patents pending: 20120216266, 20120204236, 20120179770, 20120144015, 20120084419, 20110239289, 20110093522,
20100235880, 20100217819, 20090049537, 20080229418, 20080148357, 20080109887, 20080040789, 20070283429,
20070282855, 20070271598, 20070195792, 20070180101, 8423676, 8387128, 8332925, 8312507, 8291487, 8266235,
8151322, 8079077, 7979585, 7716378, 7675854, 7647635, 7552126
Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas
herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written
consent of A10 Networks, Inc.
Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services,
including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to
verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest
information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10
Networks products and services are subject to A10 Networks standard terms and conditions.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types,
please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10
Networks location, which can be found by visiting www.a10networks.com.
transfer, assign or sublicense its license rights to any other person or entity,
or use the Software on unauthorized or secondhand A10 Networks equipment
b.
make error corrections to or otherwise modify or adapt the Software or create derivative works based upon the Software, or permit third parties to do
the same
3 of 304
d.
b.
c.
THE MAKING AND USE OF ADDITIONAL COPIES IS LIMITED TO NECESSARY BACKUP PURPOSES ONLY.
Term and Termination. This Agreement and the license granted herein shall remain
effective until terminated. All confidentiality obligations of Customer and all limitations of liability and disclaimers and restrictions of warranty shall survive termination
of this Agreement.
Export. Software and Documentation, including technical data, may be subject to
U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such regulations and acknowledges
that it has the responsibility to obtain licenses to export, re-export, or import Software and Documentation.
Trademarks
A10 Networks, A10 Thunder, vThunder, the A10 logo, aACI, aCloud, ACOS, aDCS, aDNS,
aELB, aFleX, aFlow, aGalaxy, aPlatform, aUSG, aVCS, aWAF, aXAPI, IDAccess, IDSENTRIE,
IP to ID, SmartFlow, SoftAX, Unified Service Gateway, Virtual Chassis, VirtualADC, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners.
Patents Protection
A10 Networks products are protected by one or more of the following US patents and patents
pending: 20120216266, 20120204236, 20120179770, 20120144015, 20120084419,
20110239289, 20110093522, 20100235880, 20100217819, 20090049537, 20080229418,
20080148357, 20080109887, 20080040789, 20070283429, 20070282855, 20070271598,
4 of 304
Limited Warranty
Disclaimer of Liabilities. REGARDLESS OF ANY REMEDY SET FORTH FAILS
OF ITS ESSENTIAL PURPOSE OR OTHERWISE, IN NO EVENT WILL A10 NETWORKS OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, PROFIT,
OR LOST OR DAMAGED DATA, BUSINESS INTERRUPTION, LOSS OF CAPITAL,
OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE
DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY OR WHETHER ARISING OUT OF THE USE OF OR INABILITY TO USE
PRODUCT OR OTHERWISE AND EVEN IF A10 NETWORKS OR ITS SUPPLIERS
OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
In no event shall A10 Networks or its suppliers' or licensors' liability to Customer,
whether in contract, (including negligence), breach of warranty, or otherwise, exceed
the price paid by Customer for the Software that gave rise to the claim or if the Software is part of another Product, the price paid for such other Product.
Customer agrees that the limitations of liability and disclaimers set forth herein will
apply regardless of whetherCustomer has accepted the Software or any other product or service delivered by A10 Networks. Customer acknowledges and agrees that
A10 Networks has set its prices and entered into this Agreement in reliance upon the
disclaimers of warranty and the limitations of liability set forth herein, that the same
reflect an allocation of risk between the parties (including the risk that a contract
remedy may fail of its essential purpose and cause consequential loss), and that the
same form an essential basis of the bargain between the parties.
The Warranty and the End User License shall be governed by and construed in
accordance with the laws of the State of California, without reference to or application of choice of law rules or principles. If any portion hereof is found to be void or
unenforceable, the remaining provisions of the Agreement shall remain in full force
and effect. This Agreement constitutes the entire and sole agreement between the
parties with respect to the license of the use of A10 Networks Products unless otherwise supersedes by a written signed agreement.
5 of 304
6 of 304
Corporate Headquarters
A10 Networks, Inc.
3 West Plumeria Dr
San Jose, CA 95134 USA
Tel: +1-408-325-8668 (main)
Tel: +1-888-822-7210 (support toll-free in USA)
Tel: +1-408-325-8676 (support direct dial)
Fax: +1-408-325-8666
www.a10networks.com
7 of 304
As an alternative to saving the output in a log file captured by your terminal emulation application, you can export the output from the CLI using
the following command:
show techsupport export [use-mgmt-port] url
(For syntax information, see the CLI Reference for the software version
you are running.)
8 of 304
FIGURE 1
FIGURE 2
AX 5630
For details about feature support on specific models, see the release notes.
9 of 304
User Documentation
Information is available for ACOS products in the following documents.
These documents are included on the documentation CD shipped with your
product, and also are available on the A10 Networks support site.
Basic Setup
Installation Guides
System Configuration and Administration Guide
Security Guides
Management Access Security Guide
Application Access Management and DDoS Mitigation Guide
Web Application Firewall Guide
References
LOM Reference
GUI Reference
CLI Reference
aFleX Reference
MIB Reference
aXAPI Reference
Make sure to use the basic deployment instructions in the Installation Guide
for your Thunder or AX model, and in the System Configuration and
Administration Guide. Also make sure to set up your devices Lights Out
Management (LOM) interface, if applicable.
Note:
10 of 304
Audience
This document is intended for use by network architects for determining
applicability and planning implementation, and for system administrators
for provision and maintenance of A10 Networks products.
Documentation Updates
Updates to these documents are published periodically to the A10 Networks
support site, on an updated documentation CD (posted as a zip archive). To
access the latest version, please log onto your A10 support account.
http://www.a10networks.com
11 of 304
12 of 304
User Documentation............................................................................................................................. 10
Audience................................................................................................................................................ 11
Documentation Updates ...................................................................................................................... 11
A10 Virtual Application Delivery Community..................................................................................... 11
aFleX Basics
25
Overview................................................................................................................................................ 25
Advantages of Using aFleX Policies ........................................................................................... 26
Example: a Simple aFleX Script .................................................................................................. 26
aFleX Script Editor ........................................................................................................................ 26
aFleX Configuration Prerequisites .............................................................................................. 27
aFleX Processing Order ............................................................................................................... 27
Support for Multiple aFleX Policies on a Single Virtual Port .................................................... 28
When aFleX Policy Changes Take Effect ................................................................................... 29
Maximum Filesize of aFleX Scripts ............................................................................................. 29
Maximum Number of aFleX Scripts ............................................................................................ 30
aFleX Online Help ......................................................................................................................... 30
aFleX Script Rename .................................................................................................................... 32
Copy aFleX Script ......................................................................................................................... 33
aFleX Syntax ......................................................................................................................................... 33
Tcl Symbols ................................................................................................................................... 34
aFleX Context Clientside or Serverside ................................................................................... 35
aFleX Script Components .................................................................................................................... 36
aFleX Events ................................................................................................................................. 36
aFleX Operators ............................................................................................................................ 39
aFleX Commands .......................................................................................................................... 39
Examples ..................................................................................................................................... 40
Command Summary by Type ...................................................................................................... 42
13 of 304
63
Overview ................................................................................................................................................63
aFleX Script Editor ....................................................................................................................... 63
Installing and Starting aFleX Script Editor ................................................................................ 65
aFleX Script Editor Features ....................................................................................................... 66
Editing aFleX Scripts Getting Started ..............................................................................................66
Create an aFleX Script ................................................................................................................. 66
aFleX Templates ......................................................................................................................... 67
Connect to an AX Device aFleX File Transfer ......................................................................... 69
View aFleX Scripts ....................................................................................................................... 69
Menu Functions.....................................................................................................................................71
Overview ....................................................................................................................................... 71
File Functions ............................................................................................................................... 71
Connect AX / Disconnect AX ...................................................................................................... 71
New aFleX .................................................................................................................................. 72
Upload ......................................................................................................................................... 72
Download .................................................................................................................................... 72
Delete Rule ................................................................................................................................. 73
Save ............................................................................................................................................ 73
Import .......................................................................................................................................... 73
Export .......................................................................................................................................... 73
Rename ...................................................................................................................................... 73
Reset ........................................................................................................................................... 74
Exit .............................................................................................................................................. 74
Edit Menu Functions .................................................................................................................... 74
Undo / Redo ................................................................................................................................ 74
Cut / Copy / Paste / Delete .......................................................................................................... 74
Select All ..................................................................................................................................... 74
Search Menu Functions ............................................................................................................... 75
Find / Find Next / Find Previous .................................................................................................. 75
Replace ....................................................................................................................................... 75
Go to Line ................................................................................................................................... 76
View Menu Functions ................................................................................................................... 77
View Line Number ....................................................................................................................... 77
View Indention Guides ................................................................................................................ 77
View Margin ................................................................................................................................ 77
View Fold Margin ........................................................................................................................ 77
View Word Wrap ......................................................................................................................... 77
View White Space ....................................................................................................................... 78
View End of Line ......................................................................................................................... 78
View Book Marks ........................................................................................................................ 78
14 of 304
81
Events
93
15 of 304
Operators
113
16 of 304
Commands
119
17 of 304
18 of 304
19 of 304
IP Commands ......................................................................................................................................199
IP::addr ..................................................................................................................................... 199
IP::client_addr ........................................................................................................................... 200
IP::local_addr ............................................................................................................................ 200
IP::protocol ................................................................................................................................ 201
IP::remote_addr ........................................................................................................................ 202
IP::server_addr ......................................................................................................................... 202
IP::stats ..................................................................................................................................... 203
IP::tos ........................................................................................................................................ 203
IP::ttl .......................................................................................................................................... 204
IP::version ................................................................................................................................. 205
DNS Commands ..................................................................................................................................205
DNS::additional ......................................................................................................................... 205
DNS::answer ............................................................................................................................. 206
DNS::authority ........................................................................................................................... 207
DNS::header ............................................................................................................................. 208
DNS::len .................................................................................................................................... 210
DNS::query ............................................................................................................................... 210
DNS::question ........................................................................................................................... 211
DNS::class ................................................................................................................................ 212
DNS::name ............................................................................................................................... 213
DNS::rdata ................................................................................................................................ 213
DNS::rr ...................................................................................................................................... 214
DNS::ttl ...................................................................................................................................... 215
DNS::type .................................................................................................................................. 215
DNS::return ............................................................................................................................... 216
DNS::cache ............................................................................................................................... 217
DNS::is_dnssec ......................................................................................................................... 218
DNS::opt ................................................................................................................................... 218
DNS Example ............................................................................................................................ 219
SIP Commands ....................................................................................................................................222
SIP::call_id ................................................................................................................................ 222
SIP::from ................................................................................................................................... 222
SIP::header ............................................................................................................................... 222
SIP::header insert ..................................................................................................................... 223
SIP::method .............................................................................................................................. 223
SIP::respond ............................................................................................................................. 224
SIP::response ........................................................................................................................... 224
SIP::to ....................................................................................................................................... 225
SIP::uri ...................................................................................................................................... 225
SIP::via ...................................................................................................................................... 225
SIP Command Examples .......................................................................................................... 227
20 of 304
21 of 304
22 of 304
301
23 of 304
24 of 304
aFleX Basics
Overview
The aFleX scripting language is a powerful inline custom scripting engine
that provides in-depth, granular control of inspection and redirection policies (filter, drop, redirect).
The aFleX scripting language is based on the Tool Command Language
(Tcl) programming standard for simplicity and familiarity.
For an aFleX policy to work, it must be bound to a virtual port on the ACOS
device. Then the aFleX policy can make policy decisions by inspecting the
payload packets from all traffic going through the virtual port.
FIGURE 3
aFleX overview
25 of 304
can be easily converted into aFleX scripts, providing backwards compatibility for customized solutions.
To create an aFleX script in a non-English language (for example, Japanese), save the script in Unicode UTF-8 format. You can use the ACOS
GUI or another editor to create the aFleX file. If you plan to create aFleX
scripts in the ACOS GUI, set the language in the GUI as Unicode (UTF8).
To set the language in the GUI to UTF-8, configure the browser so that
you can view UTF-8 encoding. In Internet Explorer, select
View > Encoding > Unicode.
The A10 aFleX Script Editor does not support UTF-8 format in the current release. Use the ACOS GUI or a third-party editor instead.
26 of 304
continue to redirect traffic to the default server pool (SLB service group)
assigned to the virtual port.
Once an aFleX policy is bound to a virtual port, the policy is triggered
For virtual port type fast-HTTP, aFleX commands that change the HTTP
header or payload are not supported.
27 of 304
Beginning with AX Release 2.7.0, server template limits are applied for
both service-group and server selection. Commands that call for server
selection (i.e., node, pool, persist, etc.) will enforce server template
limits on the selected server. As a result, new connections that match a
persist uie entry may be unable to use the rport and a default server selection will occur instead. To prevent default server selection, use the no
def-selection-if-pref-failed command for the vport.
28 of 304
29 of 304
aFleX help information is available through the CLI only and not accessible from the GUI.
Syntax
From the configuration level of the CLI, use the following commands to
access all aFleX help information:
aflex help
Enter the following command to list the names and descriptions of all aFleX
events, global commands, or operators:
30 of 304
31 of 304
32 of 304
Scripts that contain syntax errors cannot be copied. The CLI console notifies you if copy failure is due to a syntax error.
aFleX Syntax
An aFleX script is a Tcl-like script. Every command call has the following
form: command arg1 arg2 arg3 ...
The aFleX interpreter takes each word of command call and evaluates it.
After evaluation of each word, the first word (command) is considered to be
a function name. The function is executed with the rest of the words as arguments.
If a word is surrounded by curly braces { }, this word is unaffected and
substitution is thus not applicable. Inside the braces, there may be spaces
and carriage returns. The { } may also be nested.
In the following example, notice how the line breaks are placed inside the
{ }.
if {$c
log
} else
log
}
== "Exit"} {
"Bye!"
{
"Rock On!"
33 of 304
Tcl Symbols
The Tcl symbols listed in Table 1 have special meanings.
TABLE 1
Delimiter
$
Description
Variable substitution.
Example: $argv0 could be replaced by /usr/bin/somescript.tcl
Subcommand substitution.
Example: [pwd] could be replaced by /home/joe
Word grouping with substitutions.
{ }
#
;
: :
[ ]
Example: ::foo::bar
34 of 304
text.
Example:
This aFleX script uses the default CLIENT side association to the
REMOTE_ADDR. Because CLIENT_ACCEPTED has a default context of
clientside, the remote_addr field is automatically assigned to clientside.
when CLIENT_ACCEPTED {
if { [IP::addr [IP::remote_addr] equals 10.1.1.80 ]
pool my_pool }
}
} {
To change the default context of any aFleX script, use the clientside or serverside key words.
Example:
This aFleX policy switches the remote_addr field to the clientside from the
default serverside association with the SERVER_CONNECTED event.
when CLIENT_ACCEPTED {
if { [IP::addr [clientside {IP::remote_addr}] equals 10.1.1.80 ] } {
pool my_pool2
}
}
35 of 304
aFleX Events
aFleX scripts are event-driven. The AX device triggers an aFleX policy
based on a specified event. For example, if an aFleX policy is configured to
be triggered by the HTTP_REQUEST event, the ACOS device triggers the
aFleX policy when an HTTP request is received.
Event declarations are made with the when keyword followed by the
event name.
Example:
}
when CLIENT_ACCEPTED {
if { [IP::addr [IP::remote_addr] equals 10.1.1.80 ]
pool my_pool }
}
} {
Event Type
Global
RULE_INIT
Triggered when used in an aFleX policy.
LB_FAILED
Triggered when the ACOS device can not select a node (server) for the incoming request; for
example, if all nodes in the pool are down or all their connection limits have been reached.
LB_SELECTED
Triggered when the system selects a pool member.
36 of 304
Event Type
IP, TCP, UDP
CLIENT_ACCEPTED
Triggered when a client establishes a connection.
CLIENT_DATA
Triggered when a client receives new data while the connection is in collect state.
CLIENT_CLOSED
Triggered when the client-side connection closes.
SERVER_CLOSED
Triggered when the server side connection closes.
SERVER_CONNECTED
Triggered when the AX device establishes a connection with the target node.
SERVER_DATA
Triggered when the AX device has received new data from the target node while the connection is in hold state.
HTTP
HTTP_REQUEST
Triggered when the AX device fully parses a complete client request header.
HTTP_RESPONSE
Triggered when the AX device parses all of the response status and header lines from the
server response.
HTTP_RESPONSE_CONTINUE
Triggered whenever the AX device receives a 100 Continue response from the server.
HTTP_REQUEST_DATA
Triggered whenever the request receives new HTTP content data.
HTTP_RESPONSE_DATA
Triggered whenever the AX device receives new HTTP content data from the response.
HTTP_REQUEST_SEND
Triggered immediately before a request is sent to a server. Server-side event.
RAM Caching
CACHE_REQUEST
Triggered when a VIP receives a request for a cached object.
CACHE_RESPONSE
Triggered immediately prior to sending a cache response.
DNS
DNS_REQUEST
Triggered when the DNS request packet arrives.
DNS_RESPONSE
Triggered when the DNS reply packet arrives.
FIX
FIX_REQUEST
Triggered when the system receives a FIX request.
FIX_RESPONSE
Triggered when the system receives a FIX response.
37 of 304
Event Type
Diameter load
balancing
SSL
CLIENTSSL_CLIENTCERT
Triggered when an SSL client certificate is received.
CLIENTSSL_HANDSHAKE
Triggered when an SSL handshake on the client side is completed.
SERVERSS_HANDSHAKE
Triggered when an SSL handshake on the server side is completed.
SIP
SIP_REQUEST
Triggered when the ACOS system receives a full SIP request header from the client.
SIP_REQUEST_SEND
Triggered when the ACOS system sends the SIP request to the server.
SIP_RESPONSE
Triggered when the ACOS system receives a full SIP response from the server.
DBLB
DB_QUERY
Triggered when the ACOS system receives a full SQL query from the client side.
DB_COMMAND
Triggered when the ACOS system receives an SQL command from the client side.
38 of 304
aFleX Operators
aFleX policies use operators to compare operands in an expression.
Table 3 lists the operators supported in aFleX policies.
TABLE 3
aFleX Operators
Operator Type
Relational
contains
Tests whether one string (string1) contains another string (string2).
ends_with
Tests whether one string (string1) ends with another string (string2).
equals
Tests whether one string equals another string.
matches
Tests whether one string matches another string.
matches_regex
Tests whether one string matches a regular expression.
starts_with
Tests whether one string (string1) starts with another string (string2).
Logical
and
Performs a logical and comparison between two values.
or
Performs a logical or comparison between two values.
not
Performs a logical not on a value.
aFleX Commands
aFleX commands can perform the following types of operations:
Global Performs actions such as selecting a pool (SLB service group)
or node (server).
Query commands:
IP packet header query Returns information from the IP header.
IP, TCP, or UDP packet data query Returns information from the
payload.
HTTP packet header or content query Returns information from
the HTTP header or payload.
Customer Driven Innovation
Doc. No.: D-030-01-00-0007 - aFleX 2.0, ACOS 2.7.1 7/2/2013
39 of 304
content.
HTTP header and content manipulation Changes HTTP headers or
content.
SSL and X.509 query Returns information from or about certificates.
Deep packet inspection Returns strings from packets.
Examples
Example: Pool Selection
This aFleX script uses the if command to determine which pool to send traffic to based on the file type gif or jpg.
when HTTP_REQUEST {
if { [HTTP::uri] ends_with ".gif" } {
pool gif_pool
} elseif { [HTTP::uri] ends_with ".jpg" } {
pool jpg_pool }
}
40 of 304
41 of 304
aFleX Commands
Command
Type
Global
42 of 304
43 of 304
Command
Type
Global
(cont.)
switch
Built-in Tcl command. Evaluates one of several scripts, depending on a given value.
virtual name
Returns the name of the associated virtual server that the connection is flowing through.
when <event_name>
Specify an event in an aFleX script. All aFleX events begin with a when command. You can
specify multiple when commands within a single aFleX script.
44 of 304
Table
Commands
Time
Commands
45 of 304
Command
Type
Link
Commands
Advanced
Encryption
Standard (AES)
Operations
IP Packet
Header Query
46 of 304
Command
Type
TCP Packet
Header and
Content Query
47 of 304
Command
Type
UDP Packet
Header and
Content Query
Statistics
48 of 304
Command
Type
Load Balancing
(LB)
49 of 304
Command
Type
Class Header
and Content
Query
50 of 304
Command
Type
HTTP Packet
Header and
Content Query
51 of 304
Command
Type
HTTP Packet
Header and
Content Query
(cont.)
52 of 304
Command
Type
TCP Header and
Content
Manipulation
HTTP Header
and Content
Manipulation
53 of 304
Command
Type
HTTP Cookie
Manipulation
for Request
Messages
54 of 304
Command
Type
HTTP Cookie
Manipulation
for Response
Messages
55 of 304
Command
Type
HTTP Requests
Compression
URI
encode / decode
URI Return
path / basename
DNS
56 of 304
57 of 304
Command
Type
SIP Header
Query and
Manipulation
58 of 304
Command
Type
SIP Header
Query and
Manipulation
(cont.)
Policy-Based
SLB Query
RAM Caching
Diameter load
balancing
59 of 304
Command
Type
RADIUS
message load
balancing
SSL
60 of 304
Deep packet
inspection
61 of 304
Command
Type
Financial Information
eXchange (FIX)
load balancing
Database Load
Balancing
(DBLB)
Template
Commands
62 of 304
63 of 304
aFleX Script Editor new aFleX name field and template list
Edit Functions
Cut, Copy, Paste, Delete, Select All, Undo, Redo
Search Functions
Find, Find Next, Find Previous, Replace, Go To Line
View Functions
Line Numbers, Indentation Guide, Margin, Fold Margin, Word
Wrap
White Space, End of Line, Bookmarks, Auto Complete, Hot Spots
Status Bar, Output Window
64 of 304
65 of 304
Below the menu and icons, the aFleX Script Editor window has the following main parts:
Menu bar to select menu-based aFleX Script Editor commands
Icon bar to select icon-based aFleX Script Editor commands
Download Files (top-left frame) to access aFleX files on an ACOS
device
Local Files (lower-left frame) to access aFleX files on a workstation
Editor (top-right frame) panel in which to edit aFleX files
Output (lower-right frame) shows the status of file transfers and more
Status bar (bottom bar) shows the current aFleX Script Editor status
66 of 304
aFleX Templates
The aFleX Template window offers a list of aFleX templates. These templates offer pre-configured aFleX command modules required for typical
ACOS applications and are named accordingly. With the addition of parameters for your specific ACOS application, an aFleX policy can be quickly
constructed.
To use a template to create a new aFleX policy, enter a unique name into the
name field of the aFleX Template window, select a template from the list
below the name field, and click the OK button.
67 of 304
68 of 304
69 of 304
70 of 304
Menu Functions
Overview
This section provides a list of all menu items. Detailed descriptions of the
functions follow.
File Menu
The editor includes the following script handling functions in the File menu:
Connect/Disconnect, New aFleX, Upload, Download, Delete aFleX,
Search Menu
Find, Find Next, Find Previous, Replace, Go To Line
View Menu
Line Numbers, Indentation Guides, Margin, Fold Margin, Word Wrap,
White Space, End of Line, Book Marks, Auto Complete, Status Bar,
Output Window
Options Menu
Font, Set Line Number Color, Set Comment Color, Set Text Color, Set
File Functions
Connect AX / Disconnect AX
If you select File > Connect AX, a window pops up and asks you to enter
the hostname or IP address, and admin username and password. After you
click OK, the connection status changes to Connected and all the aFleX
policies on the AX device are automatically shown in the Download Files
71 of 304
New aFleX
File > New aFleX
Note:
aFleX Template. (See Figure 6 on page 67.) After you select a template,
type the new aFleX policy name and click OK. The Local Files window
generates the new file and opens it in the editor frame.
Using the BLANK aFleX Template
You can also create aFleX scripts from the BLANK template. Enter a
unique name for the new aFleX, select the BLANK template from the
list of templates, then click OK. The new aFleX policy is added to the
Local Files list and is opened in the editor frame.
Upload
File > Upload
If you click Upload, the currently selected Local File is uploaded to the AX
device and listed in the AX Files frame. If the AX device is disconnected,
the Upload menu item is disabled.
Download
File > Download
If you click Download and the AX device is disconnected, a window pops
up to ask you to input the hostname or IP address, and username and password, to re-establish the connection to the AX.
If the current status of the AX is Connected, no window will pop up. The
file list in the Local Files frame is updated.
72 of 304
Delete Rule
File > Delete Rule
If no aFleX file is currently selected, nothing is deleted.
If an aFleX file is currently selected within the Local Files frame, the
selected file is deleted from the local workstation, and the next item in the
list is automatically selected.
If an aFleX file is currently selected in the AX Files frame, it is deleted from
the AX file list. If the response message from the AX system indicates success, the file will also be deleted from the Local Files.
Save
File > Save
If a currently selected aFleX file is located in the AX Files frame, it is saved
to the AX device.
If a currently selected aFleX file is located in the Local Files frame, it is
saved to the local workstation.
Import
File > Import
If you click Import, a window pops up where you can select a file and
import it into the aFleX Script Editor. The Local Files frame adds the file
and opens it in the Editor frame.
Export
File > Export
If you click Export, a window pops up where you can select a local path to
which to export the currently selected file.
Rename
File > Rename
If you click Rename, the currently selected aFleX file can be renamed. The
new name should not be equal to the existing name shown in the aFleX
Script Editor, or equal to the name of another file.
73 of 304
Reset
File > Reset
Restores the currently selected file to its state before user modifications.
If the currently selected file is located in the AX Files frame, the Reset command resets it to the initial file state when last downloaded.
If the currently selected file is located in the Local Files frame, it resets to
the initial file state just generated through the New action.
Exit
File > Exit
If you click File > Exit, an alert window pops up.
To exit aFleX Script Editor, click Yes.
To continue working in aFleX Script Editor, click No.
Select All
Edit > Select All
Select Edit > Select All or ctrl+A to select all text in the Editor frame.
74 of 304
The find window will close. If you want to find the next occurrence of the
string, press F3.
To find the previous occurrence of the string, press shift+F3.
FIGURE 11
Replace
Search > Replace
If you select Search > Replace, the Search and Replace window pops up. In
the Search for field, type the string you want to replace. In the Replace with
field, type the new string.
You can click the Next match or the Previous match button to locate another
occurrence of the string to be replaced.
75 of 304
Replace All.
If the term can not be found, an alert indicates that no match could be
found.
FIGURE 12
Go to Line
Search > Go To Line
If you select Go To Line, a window pops up where you can type a line number into the Go To Line field. Click OK to navigate to that line in the currently open file.
76 of 304
View Margin
View > Margin
Use this menu command to display or hide the Editor frame Margin
between the Editor frames Line Numbers column and its Fold Margin column.
77 of 304
78 of 304
My Last Setting
Options > My Last Setting
This menu command restores your last setting from your previous session.
79 of 304
Status Window
When you perform an action such as Download, Upload, Delete, or Reset,
the status bar displays a status message to indicate the result of that action.
80 of 304
Beginning with this release, you do not need to unbind an aFleX script
before renaming it, or rebind it afterward. The ACOS device automatically updates the configuration everywhere the renamed script is used.
For more information, see aFleX Script Rename on page 32.
These scripts are intended for educational purposes to assist new users.
A10 Networks does not guarantee the sample scripts will work in all contexts and is not liable for damages that result from the misapplication of
pre-loaded aFleX scripts.
81 of 304
Column
host_switching
http_payload_re
place
logging_clients
redirect1
redirect2
redirect_rewrite
Description
This aFleX example illustrates the use of Tcl associative
arrays to implement host switching.
Collects the HTTP response and then replaces all instances
of the pattern http:// in the payload with https://.
Logs Client/Server IP/Port information for security when
using Source NAT.
Redirects HTTP requests to an HTTPS URL
Uses HTTP::respond to do a redirect with a cookie set.
Rewrites relative and absolute redirects to absolute HTTPS
redirects.
from the virtual port, then re-add them in the correct order.
82 of 304
1. Log onto the ACOS device through the CLI, with an admin account that
has read-write privileges.
A CLI prompt appears:
ACOS>
Note:
See the A10 Thunder Series and AX Series CLI Reference if you need
information on using the CLI.
2. Access the Privileged EXEC mode:
ACOS>enable
Password:***
ACOS#
83 of 304
no
no
no
no
6. Use the import command to import the aFleX policy (test.afx) onto
the ACOS device and rename it my_aflex:
ACOS(config)#import aflex my_aflex scp://192.168.1.118/aflex/
host_switching.afx
User name []?***
Password []?***
Importing ... Done.
ACOS(config)#
While importing the aFleX policy, the ACOS device checks for syntax
errors. If any syntax errors are found, error messages are displayed. You
can modify an aFleX policy and import it again until it passes the syntax
check.
84 of 304
8. To display the aFleX policy, use the show aflex aflex-name command:
ACOS(config)#show aflex my_aflex
when RULE_INIT {
array set ::SG_ARRAY [list "youtube.com" "sg1" "google.com" "sg2" "zynga.com"
"sg2"]
}
when HTTP_REQUEST {
set host [HTTP::host]
if { [info exists ::SG_ARRAY($host)] } {
log "host $host -> pool $::SG_ARRAY($host)"
pool $::SG_ARRAY($host)
}
}
9. Configure a virtual server and bind the aFleX policy to a virtual port on
the virtual server:
ACOS(config)#slb virtual-server v30 10.10.8.30
ACOS(config-slb virtual server)#port 80 http
ACOS(config-slb virtual server-slb virtua...)#aflex my_aflex
ACOS(config-slb virtual server-slb virtua...)#exit
ACOS(config-slb virtual server)#exit
ACOS(config)#
10. Show the aFleX policy list again to verify that the aFleX policy is now
bound to a virtual port:
ACOS(config)#show aflex
Total aFleX number: 1
Max aFlex file size: 32K
Name
Syntax
Virtual port
-----------------------------------------------------------my_aflex
Check
Yes
85 of 304
86 of 304
Regardless of how an aFleX script is added to the ACOS device, the script
does not take effect until you apply it to a virtual port.
aFleX Configuration
To configure an aFleX policy using the CLI:
1. Enter the following command at the global configuration level of the
CLI:
aflex create aflex-name
The CLI enters the input mode for the script text.
2. Type or copy-and-paste the script. If you type the script, use the Enter
key at the end of each line.
3. To complete the input process, type . (period) on a separate line and
press Enter.
Note:
You do not need to save the configuration (write memory) to save the
aFleX script. The script is automatically added to a persistent data folder
and remains available across reboots.
Syntax Check
After you finish entering the script text, the CLI performs a syntax check
and displays one of the following messages:
aFleX aflex-name created; syntax check passed.
87 of 304
CLI Example
The following commands create an aFleX script named test:
AX(config)#aflex create test
Type in your aFleX script (type . on a line by itself when done)
when CLIENT_ACCEPTED {
if {[IP::addr [IP::client_addr] equals 192.168.217.11/24]} {
node 10.10.10.30 80
}
}
.
aFleX test created; syntax check passed.
AX(config)#
test
Syntax:
Check
Virtual port:
No
Content:
when CLIENT_ACCEPTED {
if {[IP::addr [IP::client_addr] equals 192.168.217.11/24]} {
node 10.10.10.30 80
}
}
88 of 304
..
You can click on the name of an existing aFleX policy to edit it in the
GUI. You can delete an existing aFleX policy by selecting the checkbox
located on the left of its name, then clicking the Delete button.
5. To bind the aFleX policy to a virtual port:
a. Access the configuration settings for the virtual port. You can access
them in either of the following ways:
89 of 304
b.
c.
d.
e.
f.
the virtual server name, select the checkbox next to the port, and
click Edit. (See Figure 15.)
Select Config Mode > Service > SLB > Virtual Service, and
click on the virtual port name.
Next to the aFleX drop-down list, select the Multiple checkbox.
Select an aFleX script from the drop-down list and click Add.
Repeat for the other scripts to add to the virtual port.
The scripts will be processed in the order listed, starting with the
script at the top. To move a script up or down, click on the script
name, then click Move up or Move down.
Click OK.
FIGURE 14
90 of 304
Config Mode > Service > SLB > Virtual Server > Port
91 of 304
92 of 304
Events
The following chapter describes the aFleX events.
Global Events
RULE_INIT
Initializes global system variables. Within an aFleX policy, the RULE_INIT
event can initialize a system variable on a global basis for all aFleX policies,
or exclusively for that particular aFleX policy.
The prefix placed before RULE_INIT specifies whether to initialize the
variable for all aFleX policies, or only the current aFleX policy.
Prefix
Scope
Applies only to the current aFleX policy.
::
::global::
Notes:
Unbinding an aFleX policy will not remove the variable.
In the current release, it is recommended to avoid using the unset
93 of 304
LB_FAILED
This Event is triggered when the ACOS device can not select a node for the
incoming request; for example, if all nodes in the pool are down or all their
connection limits have been reached.
Example:
when LB_FAILED {
pool errorPool
}
Related Information
Available Commands:
LB::reselect, LB::server
LB_SELECTED
Triggered when the system selects a pool member.
Example:
when LB_SELECTED {
if { [IP::addr [IP::remote_addr] equals "10.0.0.1"] } {
snat VIPsnat
}
}
94 of 304
HTTP Events
HTTP_REQUEST
Triggered when the system fully parses a complete client request header
(that is, the method, URI, version, and all headers, not including the body).
Example:
when HTTP_REQUEST {
if { [HTTP::uri] contains "secure"} {
HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}
}
Example:
If a client request URI contains the string "secure", redirect to the client to HTTPS.
when HTTP_REQUEST {
if { [HTTP::uri] contains "secure"} {
HTTP::redirect https://
[HTTP::host][HTTP::uri]
}
}
Example:
If a client request uri contains the string "Webdir", use service group
app-pool. If the request URI contains the string "Docdir", use service
group doc-pool.
when HTTP_REQUEST {
if { [HTTP::uri] contains "Webdir" } {
pool app-pool
} elseif { [HTTP::uri] contains "Docdir" } {
pool doc-pool
}
}
95 of 304
HTTP_REQUEST_DATA
Triggered whenever an HTTP::collect command finishes processing,
after collecting the requested amount of request data.
Example:
when HTTP_REQUEST_DATA {
set rpc_id [findstr [HTTP::payload] Authorization: 14 20]
persist uie $rpc_id
log local0. WE RECORDED $rpc_id AS THE PERSIST VARIABLE
HTTP::release
}
Related Information
Available Commands:
HTTP::fallback, HTTP::host, HTTP::is_keepalive,
HTTP::is_redirect, HTTP::method, HTTP::path,
HTTP::query, HTTP::redirect, HTTP::release,
HTTP::request, HTTP::request_num, HTTP::respond,
HTTP::uri, HTTP::version
96 of 304
HTTP_REQUEST_SEND
Triggered immediately before a request is sent to a server. This is a serverside event.
Example:
when HTTP_REQUEST_SEND {
TCP::collect 12
}
Related Information
Available Commands:
HTTP::header, HTTP::payload, IP::local_addr,
IP::server_addr
HTTP_RESPONSE
Triggered when the system parses all of the response status and header lines
from the server response.
Note:
Example:
when HTTP_RESPONSE {
if { [HTTP::status] contains "404"} {
HTTP::redirect "http://www.siterequest.com/"
}
}
Related Information
Available Commands:
HTTP::cookie, HTTP::header, HTTP::host,
HTTP::is_keepalive, HTTP::is_redirect,
HTTP::payload, HTTP::redirect, HTTP::release,
HTTP::request_num, HTTP::respond, HTTP::retry,
HTTP::status, HTTP::version, IP::local_addr,
IP::server_addr, URI::query
97 of 304
HTTP_RESPONSE_CONTINUE
Triggered whenever the system receives a 100 Continue response from the
server.
Example:
when HTTP_RESPONSE_CONTINUE {
if { [HTTP::version] != 1.1 }
log Buggy server: sent 100-Continue to non-1.1 client!
}
}
HTTP_RESPONSE_DATA
Triggered whenever an HTTP::collect command finishes processing
on the server side of a connection, after collecting the requested amount of
response data. Also triggered if the server closes the connection before the
HTTP:collect command finishes processing.
Example:
when HTTP_RESPONSE_DATA {
regsub "oursite" [HTTP::payload] "oursitedev" fixeddata
log "Replacing payload with fixed data."
HTTP::payload replace 0 $clen $fixeddata
HTTP::release
}
Example:
when HTTP_RESPONSE {
HTTP::collect [HTTP::header Content-Length]
}
when HTTP_RESPONSE_DATA {
set clen [HTTP::payload length]
set newdata "Sorry, This website is
temporarily unavailable."
HTTP::payload replace 0 $clen $newdata
HTTP::respond 200 content [HTTP::payload]
}
Related Information
Available Commands:
HTTP::is_keepalive, HTTP::is_redirect,
HTTP::redirect, HTTP::release, HTTP::request_num,
HTTP::respond, HTTP::retry, HTTP::status,
HTTP::version
98 of 304
Note:
shake is completed.
Example:
when CLIENT_ACCEPTED {
set curtime [TIME::clock seconds]
set formattedtime [clock format $curtime -format {%H:%S} ]
log "the time is: $formattedtime"
}
Example:
when CLIENT_ACCEPTED {
if { [IP::addr [client_addr] == 192.168.217.0/24] } {
discard
log "discard client from 192.168.217.0/24 "
}
}
Related Information
Available Commands:
IP::client_addr, IP::local_addr, IP::protocol,
IP::remote_addr, IP::server_addr, IP::tos, pool,
serverside, TCP::collect
99 of 304
CLIENT_CLOSED
Triggered at the end of any client connection, regardless of protocol.
Example:
when CLIENT_CLOSED {
if { [info exists ::active_clients($client_ip)] } {
incr ::active_clients($client_ip) -1
if { $::active_clients($client_ip) <= 0 } {
unset ::active_clients($client_ip)
}
}
}
Related Information
Available Commands:
IP::local_addr
CLIENT_DATA
Triggered when new data is received from the client while the connection is
in a collect state.
Note:
Example:
when CLIENT_DATA {
if { [UDP::payload 50] contains "XYZ" } {
pool xyz_servers
}
}
100 of 304
when CLIENT_DATA {
log "UDP::payload 12 12 = [UDP::payload 12 12]"
if { [UDP::payload 12 12] contains "abc" } {
pool abc-dns
log " select pool abc-dns"
} elseif { [UDP::payload 12 12] contains "xyz" } {
pool xyz-dns
log " select pool xyz-dns"
}
}
Related Information
Available Commands:
pool
SERVER_CLOSED
Triggered when the server-side connection closes.
Example:
when SERVER_CLOSED {
log local0. "Server [IP::server_addr] has closed the connection"
}
Related Information
Available Commands:
IP::local_addr, IP::server_addr
101 of 304
SERVER_CONNECTED
Triggered when a connection has been established with the target node.
Example:
when CLIENT_ACCEPTED {
set vip [IP::local_addr] : [TCP::local_port]
}
when SERVER_CONNECTED {
set client [IP::client_addr]:[TCP::client_port]
set node [IP::server_addr]:[TCP::server_port]
}
when CLIENT_CLOSED {
# log connection info
log local0.info Client $client -> VIP: $vip -> Node: $node
}
Related Information
Available Commands:
IP::local_addr, IP::server_addr, snatpool
SERVER_DATA
Triggered when new data is received from the target node while the connection is in a hold state.
Note:
For UDP, the SERVER_DATA event is triggered for every packet. For
TCP, you need to issue a TCP::collect.
Example:
when SERVER_DATA {
set payload (TCP::payload)
}
Related Information
Available Commands:
AES::encrypt,AES::key,AES::decrypt,
RADIUS::avp,RADIUS::code,RADIUS::id,
RADIUS::length,TCP::payload, TCP::respond,
UDP::client_port,UDP::local_port,UDP::payload,
UDP::remote_port,UDP::server_port,UDP::respond,
pool, whereis
102 of 304
Related Information
Available Commands:
CACHE::age, CACHE::disable, CACHE::expire,
CACHE::hits
CACHE_RESPONSE
Triggered immediately prior to sending a cache response.
Example:
when CACHE_RESPONSE {
if { $::expired == 1 } {
CACHE::expire
log "cache expire"
set ::expired 0
}
}
Related Information
Available Commands:
CACHE::age, CACHE::disable, CACHE::expire,
CACHE::hits
103 of 304
DNS Events
DNS-related operations use the following events.
DNS_REQUEST
Triggered when the DNS request packet arrives.
Example:
when DNS_REQUEST {
set len [DNS::len]
log dns query pkt len = $len
}
Related Information
Available Commands:
DNS::len, DNS::header, DNS::question, DNS::rr,
DNS::answer, DNS::authority, DNS::additional,
DNS::name, DNS::type, DNS::class, DNS::ttl,
DNS::rdata, DNS::return, DNS::query
DNS_RESPONSE
Triggered when the DNS reply packet arrives.
Example:
when DNS_RESPONSE {
set len [DNS::len]
log dns query pkt len = $len
}
Related Information
Available Commands:
DNS::len, DNS::header, DNS::question, DNS::rr,
DNS::answer, DNS::authority, DNS::additional,
DNS::name, DNS::type, DNS::class, DNS::ttl,
DNS::rdata, DNS::return, DNS::query
104 of 304
FIX Events
Financial Information eXchange (FIX) load balancing uses the following
events.
FIX_REQUEST
Triggered when the system receives a FIX request.
Example:
when FIX_REQUEST {
if { [FIX::sender_compid] eq CLIENT1} {
pool sg2
}
}
Related Information
Available Commands:
FIX::begin_string, FIX::body_length,
FIX::msg_seq_num, FIX::msg_type,
FIX::sender_compid, FIX::target_compid,
FIX::sending_time
FIX_RESPONSE
Triggered when the system receives a FIX response.
Example:
when FIX_RESPONSE {
log [FIX::sender_compid] -> [FIX::target_compid]
}
Related Information
Available Commands:
FIX::begin_string, FIX::body_length,
FIX::msg_seq_num, FIX::msg_type,
FIX::sender_compid, FIX::target_compid,
FIX::sending_time
105 of 304
DIAMETER_REQUEST
Triggered when the system fully parses a complete Diameter request message.
Example:
when DIAMETER_REQUEST {
log "DIAMETER::cmd_code = [DIAMETER::cmd_code]"
}
Related Information
Available Commands:
DIAMETER::app_id, DIAMETER::avp,
DIAMETER::cmd_code, DIAMETER::length,
DIAMETER::version, pool
DIAMETER_ANSWER
Triggered when the system fully parses a complete Diameter answer message.
Example:
when DIAMETER_ANSWER {
log "DIAMETER::cmd_code = [DIAMETER::cmd_code]"
}
Related Information
Available Commands:
DIAMETER::app_id, DIAMETER::avp,
DIAMETER::cmd_code, DIAMETER::length,
DIAMETER::version, pool
106 of 304
DIAMETER_REQUEST_SEND
Triggered immediately before a Diameter request is sent by the ACOS
device.
Example:
when DIAMETER_REQUEST_SEND {
log "DIAMETER::cmd_code = [DIAMETER::cmd_code]"
}
Related Information
Available Commands:
DIAMETER::app_id, DIAMETER::avp,
DIAMETER::cmd_code, DIAMETER::length,
DIAMETER::version
DIAMETER_ANSWER_SEND
Triggered immediately before a Diameter answer is sent.
Example:
when DIAMETER_ANSWER_SEND {
log "DIAMETER::cmd_code = [DIAMETER::cmd_code]"
}
Related Information
Available Commands:
DIAMETER::app_id, DIAMETER::avp,
DIAMETER::cmd_code, DIAMETER::length,
DIAMETER::version
107 of 304
SSL Events
CLIENTSSL_CLIENTCERT
Triggered when the ACOS device receives an SSL client certificate.
Example:
when CLIENTSSL_CLIENTCERT {
set cert [SSL::cert 0]
set subject [X509::subject $cert]
}
Related Information
Available Commands:
SSL::cert, SSL::sessionid, SSL::verify_result,
X509::subject, X509::verify_cert_error_string
CLIENTSSL_HANDSHAKE
Triggered when an SSL handshake on the client side is completed.
Example:
when CLIENTSSL_HANDSHAKE {
set cert [SSL::cert 0]
set subject {X509::subject $cert]
}
Related Information
Available Commands:
SSL::cert, SSL::sessionid, SSL::verify_result,
X509::subject, X509::verify_cert_error_string
SERVERSSL_HANDSHAKE
Triggered when an SSL handshake on the server side is completed.
Note:
108 of 304
The new SSL commands for ACOS 2.7.1 are supported for the
SERVERSSL_HANDSHAKE event only.
Valid Commands
SSL::cert,SSL::sessionid,
SSL::verify_result,X509::subject,
X509::verify_cert_error_string
Required Release: ACOS 2.7.1 or higher
SIP Events
Beginning with AX Release 2.7.0, Session Initiation Protocol (SIP) events
are supported for the following:
SIP Session Initiation Protocol over UDP
SIP-TCP SIP over TCP
SIPS Secure SIP over TLS
Note:
SIP_REQUEST
Triggered when the ACOS system receives a full SIP request header from
the client.
Example:
when SIP_REQUEST {
log sip id: [ SIP::call_id ]
}
Related Information
Available Commands:
SIP::call_id, SIP::from, SIP::header,
SIP::header_insert, SIP::method, SIP::respond,
SIP::response, SIP::to, SIP::uri, SIP::via,
snatpool
109 of 304
SIP_REQUEST_SEND
Triggered when the ACOS system sends the SIP request to the server.
Example:
when SIP_REQUEST_SEND {
log sip method: [ SIP::method ]
}
Related Information
Available Commands:
SIP::call_id, SIP::from, SIP::header,
SIP::header_insert, SIP::method, SIP::respond,
SIP::response, SIP::to, SIP::uri, SIP::via
SIP_RESPONSE
Triggered when the ACOS system receives a full SIP response from the
server.
Example:
when SIP_RESPONSE {
log response code: [SIP::response code]
}
Related Information
Available Commands:
SIP::call_id, SIP::from, SIP::header,
SIP::header_insert, SIP::method, SIP::respond,
SIP::response, SIP::to, SIP::uri, SIP::via,
snatpool
110 of 304
DBLB Events
DB_QUERY
Triggered when the ACOS receives a full SQL query from the client side.
Example:
when DB_QUERY {
set ret [ DB::query ]
log "aflex script got query $ret"
pool mssqlgroup
}
Valid Commands
All
DB_COMMAND
Triggered when the client sends an SQL command.
Example:
when DB_COMMAND {
set ret [ DB::command ]
log "aflex script got command number $ret"
pool mssqlgroup
}
Valid Commands
Al
111 of 304
112 of 304
Operators
The following chapter describes the FleX operators.
Relational Operators
contains
Tests whether one string (string1) contains another string (string2).
Syntax
<string1> contains <string2>
Example:
when HTTP_REQUEST {
if { [HTTP::uri] contains "aol" } {
pool aol_pool
} else {
pool all_pool
}
}
Related Information
Valid Events: All
ends_with
Tests whether one string (string1) ends with another string (string2).
Syntax
<string1> ends_with <string2>
Example:
when HTTP_REQUEST {
set uri [HTTP::uri]
if { $uri ends_with ".gif" } {
pool my_pool
} elseif { $uri ends_with ".jpg" } {
pool your_pool
}
}
113 of 304
equals
Tests whether one string equals another string.
Syntax
<string1> equals <string2>
Example:
when CLIENT_ACCEPTED {
if { [matchclass [IP::remote_addr] equals $::aol] } {
pool aol_pool
} else {
pool all_pool
}
}
Related Information
Valid Events: All
114 of 304
matches
Tests whether one string matches another string.
Syntax
<string1> matches <string2>
Note:
The "matches" operator uses the same comparison as the Tcl "string
match" command, which functions like a cut-down regular expression.
For the two strings to match, their contents must be identical except that the
following special sequences may appear in the pattern:
* Matches any sequence of characters in string, including a null string.
? Matches any single character in string.
[chars] Matches any character in the set given by chars. If a sequence
of the form x-y appears in chars, then any character between x and y,
inclusive, will match. When used with -nocase, the end points of the
range are converted to lower case first. Whereas {[A-z]} matches '_'
when matching case-sensitively ('_' falls between the 'Z' and 'a'), with
-nocase this is considered to be like {[A-Za-z]}. (This is probably what
was meant in the first place).
\x Matches the single character x. This provides a way of avoiding the
Related Information
Valid Events: All
115 of 304
matches_regex
Tests whether one string matches a regular expression.
Syntax
<string1> matches_regex <regex>
<string1> matches_regex <string2>
Tests if string2 is contained within string1.
Example:
when HTTP_REQUEST {
if { [HTTP::host] matches_regex "www\.([\w]*)\.com" } {
pool com_pool
} elseif { [HTTP::host] matches_regex "www\.([\w]*)\.edu" } {
pool edu_pool
}
}
Related Information
Valid Events: All
starts_with
Tests whether one string (string1) starts with another string (string2).
Syntax
<string1> starts_with <string2>
Example:
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/news" } {
pool news_pool
} elseif { [HTTP::uri] starts_with "/sports" } {
pool sports_pool
}
}
Related Information
Valid Events: All
116 of 304
Logical Operators
and
Performs a logical and comparison between two values.
Syntax
<value1> and <value2>
Example:
when HTTP_REQUEST {
if { ([HTTP::uri] starts_with "/abc") and ([HTTP::host] equals "www.company.com") } {
pool pool1
} else {
pool pool2
}
}
Related Information
Valid Events: All
not
Performs a logical not on a value.
Syntax
not <value>
Example:
when HTTP_REQUEST {
if { not ([HTTP::uri] starts_with "/abc") } {
pool pool1
} else {
pool pool2
}
}
Related Information
Valid Events: All
117 of 304
or
Performs a logical or comparison between two values.
Syntax
<value1> or <value2>
Example:
when HTTP_REQUEST {
if { ([HTTP::uri] starts_with "/abc") or ([HTTP::uri] starts_with "/cde") } {
pool pool1
} else {
pool pool2
}
}
Related Information
Valid Events: All
118 of 304
Commands
The following chapter describes the aFleX commands.
GLOBAL Commands
active_members
Returns number of active members in the pool.
Syntax
active_members <pool_name>
Example:
when HTTP_REQUEST {
if {[active_members pool1] >= 5} {
pool big_pool
}
}
Related Information
Valid Events: All
b64decode
Returns the specified string, decoded from base-64. Returns NULL if there
is an error.
Syntax
b64decode <string>
Example:
when HTTP_REQUEST {
set encrypted [HTTP::cookie "EncryptedCookie"]
set decrypted [b64decode $encrypted]
HTTP::cookie insert name "MyCookie" value $decrypted
}
119 of 304
b64encode
Returns the specified string, encoded as base-64. Returns NULL if there is
an error.
Syntax
b64encode <string>
Example:
when HTTP_REQUEST {
set cert [SSL::cert 0]
HTTP::header insert SSLCERT [b64encode $cert]
}
Related Information
Valid Events: All
clientside
Causes the specified aFleX commands to be evaluated under the client-side
context. This command has no effect if the aFleX command is already being
evaluated under the client-side context.
Syntax
clientside {<aFleX commands>}
Example:
when SERVER_CONNECTED {
if { [IP::addr [clientside {IP::remote_addr}] == 10.1.1.80] } {
discard
}
}
Related Information
Valid Events: All
120 of 304
cpu
The cpu usage command returns the average CPU load for the given
interval. All averages are exponential weighted moving averages over the
interval.
Syntax
cpu usage [1sec | 5secs | 15secs | 1min | 5mins |
15mins | all_seconds | all_minutes]
Example:
when HTTP_REQUEST {
if { [cpu usage 5secs] <= 1} {
pool1
} else {
HTTP::redirect "http://anotherpool.com"
}
}
Related Information
Valid Events: All
discard
Causes the current packet or connection (depending on the context of the
event) to be discarded. This statement must be conditionally associated with
an if statement. This command performs the same function as the drop command.
Syntax
discard
Example:
when SERVER_CONNECTED {
if { [IP::addr [clientside {IP::remote_addr}] == 10.1.1.80] } {
discard
}
}
Related Information
Valid Events: All
121 of 304
domain
Parses the specified string as a dotted domain name and returns the last
<count> portions of the domain name.
Syntax
domain <string> <count>
Example:
when HTTP_REQUEST {
if { [HTTP::uri] ends_with "html" } {
pool cache_pool
set key [crc32 [concat [domain [HTTP::host] 2] [HTTP::uri]]]
}
}
Related Information
Valid Events: All
drop
Causes the current packet or connection (depending on the context of the
event) to be discarded. This command must be conditionally associated with
an if command. This command performs the same function as the discard
command.
Syntax
drop
Example:
when SERVER_CONNECTED {
if { [IP::addr [clientside {IP::remote_addr}] drop 10.1.1.80] } {
drop
}
}
Related Information
Valid Events: All
122 of 304
encoding
Convert the character encoding of a payload to the specified encodiing.
Syntax
encoding {convertfrom | convertto} <encoding>
Example:
event
Discontinue evaluating the specified aFleX event, or all aFleX events, on
this connection. However, the aFleX script continues to run.
Syntax
event [<name>] [enable | disable] | [enable all |
disable all]
Example:
when CLIENT_ACCEPTED {
if { [IP::client_addr] equals "10.1.1.1" } {
event HTTP_REQUEST disable
}
}
when HTTP_REQUEST {
log "HTTP Request from [IP::client_addr]"
}
Example:
when HTTP_RESPONSE {
event disable
}
Related Information
Valid Events: All
123 of 304
findstr
Find a string within another string and return the string starting at the offset
specified from the match.
Syntax
findstr <string> <search_string> [<skip_count>
[<terminator>]]
Finds the string <search_string> within <string> and returns a sub-string
based on the <skip_count> and <terminator> from the matched location.
Note the following:
The <terminator> argument may be either a character or length.
If the <skip_count> argument is not specified, it defaults to zero.
If the <terminator> argument is not specified, it defaults to the end of
the string.
This command, without <skip_count> or <terminator>, is equivalent to
Related Information
Valid Events: All
124 of 304
getfield
Splits a string on a character or string, and returns the string corresponding
to the specific field.
Syntax
getfield <string> <split> <field_number>
Example:
To extract only the hostname from the host header (strips any trailing ":###"
port specification)
when HTTP_REQUEST {
[getfield [HTTP::host] ":" 1]
}
To redirect any request for a domain.com host to the same hostname.subdomain @ domain.org (uses a multi-character split string and field_number 1
to extract only those characters in the hostname before the split string.):
when HTTP_REQUEST {
if { [HTTP::host] contains "domain.com"} {
HTTP::redirect https://[getfield [HTTP::host] ".domain.com"
1].domain.org[HTTP::uri]
}
}
Related Information
Valid Events: All
htonl
Convert the unsigned integer from host byte order to network byte order.
Syntax
htonl <hostlong>
125 of 304
Related Information
Valid Events: All
htons
Convert the unsigned short integer from host byte order to network byte
order.
Syntax
htons <hostshort>
Example:
when HTTP_REQUEST {
set hostshort 1234
set netshort [htons $hostshort]
}
Related Information
Valid Events: All
log
Generates and logs the specified message to the Syslog utility. This command works by performing variable expansion on the message as defined
for the HTTP profile Header Insert setting.
Note:
If not used appropriately, the log command can produce large amounts of
output.
Note:
The syslog facility is limited to logging 1024 bytes per request. Longer
strings will be truncated.
Syntax
log [<facility>.<level>] <message>
The facility can be one from "local0" to "local7" (Currently only "local0" is
supported). The level can be a number from 0 to 7, or the corresponding
126 of 304
There is a significant behavioral difference when the optional <facility>.<level> is specified. When aFleX logs messages without the facility
and/or level, they are rate-limited as a class and subsequently logged messages within the rate-limit period may be suppressed even though they are
textually different. However, when the <facility> and/or <level> are specified, the log messages are not rate-limited (though syslog will still perform suppression of repeated duplicates).
Example:
log local0. "Found $isCard $type CC# $card_number"
log local0.0 "Fatal error"
log local0.DEBUG "This is log message from facility local0 and level DEBUG"
Related Information
Valid Events: All
md5
Returns the RSA MD5 Message Digest Algorithm message digest of the
specified string.
Syntax
md5 <string>
Example:
when CLIENT_ACCEPTED {
set value1 [md5 1234567890]
log local0.4 md5 $value1
}
Related Information
Valid Events: All
Required AX Release: 2.4.3 or higher
127 of 304
members
Counts or lists all members in a service group.
Syntax
members [list] <pool>
The list option lists the members. If you omit this option, the command
counts the members.
Example:
when CLIENT_ACCEPTED {
log "members [members list sg1]"
}
Related Information
Valid Events: All
Required AX Release: 2.6.1 or higher
nexthop
Sets the next hop for a connection.
Syntax
nexthop <ipaddr>
Example:
When CLIENT_ACCEPTED {
If {[IP::addr [IP::client_addr] equals 10.0.0.0/8]} {
nexthop 20.20.20.1
} else {
Log use default nexthop
}
}
Related Information
Valid Events: All
128 of 304
For other events, this command overwrites the forward next-hop IP address.
Required AX Release: 2.6 or higher
node
Causes the specified server node (that is, IP address and port number) to be
used directly, thus bypassing any load-balancing.
Syntax
node <addr> [<port>]
Note:
The node command requires that the real server (node) and service port
already be configured. They also must be configured as a member of a
service group.
Note:
Connection limiting and connection rate limiting are not applied to a node
if it is selected by this command.
Example:
when HTTP_REQUEST {
if { [HTTP::uri] ends_with ".gif" } {
node 10.1.2.200 80
}
}
129 of 304
ntohl
Convert the unsigned integer from network byte order to host byte order.
Syntax
ntohl <netlong>
Example:
when HTTP_REQUEST{
set netlong 12345678
set hostlong [ntohl $netlong]
}
Related Information
Valid Events: All
ntohs
Convert the unsigned short integer from network byte order to host byte
order.
Syntax
ntohs <netshort>
Example:
when HTTP_REQUEST {
set netshort 1234
set hostshort [ntohs $netshort]
}
Related Information
Valid Events: All
130 of 304
persist
Set client persistence based on any value you choose.
Note:
Beginning with AX Release 2.7.0, server template limits are applied for
both service-group and server selection. Commands that call for server
selection (i.e., node, pool, persist, etc.) will enforce server template
limits on the selected server. As a result, new connections that match a
persist uie entry may be unable to use the rport and a default server selection will occur instead. To prevent default server selection, use the no
def-selection-if-pref-failed command for the vport.
Syntax
persist uie <string> [<timeout>]
Sets the key for an entry on the persistence table, which maps the client
to an SLB resource (real server, real server port, or service group). If the
persistence table contains the specified key, the ACOS device uses the
SLB resource that key is mapped to in the table. Otherwise, the ACOS
device uses SLB to select a resource and creates a corresponding persistence table entry. The uie option stands for Universal Inspection
Engine, indicating that you can set persistence based on any key.
The <timeout> specifies how many seconds the persistence entry can
remain in the table after the last time traffic from the client is sent to the
server. The default is 1800 seconds. Internally, the timeout is converted
to minutes and is decremented one minute at a time.
persist uie <string> [<timeout>]
[dont_honor_conn_rules]
Ignores server template limits for persistence server selection.
persist add uie <key> [<timeout>]
Adds an entry to the persistence table. This command differs from the
command above in that it does not first check the persistence table for an
existing entry for the key. The persist add form of the command is
useful for setting persistence based on data that is set on the server and is
therefore first observed by the ACOS device in the server response,
rather than in the client request.
131 of 304
traffic contains the specified key value and is sent to the same virtual port and service group (pool).
any service Persist to the same real server, if the traffic contains the specified key value and is sent to the same virtual server, to
any virtual port.
any pool Persist to the same real server, if the traffic contains
the specified key value.
pool <pool-name> Persist to the same real server and port, if
the traffic contains the specified key value and is sent to the same
virtual port and to the specified service group.
132 of 304
Example:
The following script provides the same persistence for a client IP address
accessing one VIP and port:
when HTTP_RESPONSE {
set IP [IP::client_addr]
persist add uie $IP 1800
}
when HTTP_REQUEST {
set IP [IP::client_addr]
persist uie $IP
}
133 of 304
Related Information
Valid Events: All
pool
Causes the system to load balance traffic to the specified pool or pool member.
Note:
Note:
Beginning with AX Release 2.7.0, server template limits are applied for
both service-group and server selection. Commands that call for server
selection (i.e., node, pool, persist, etc.) will enforce server template
limits on the selected server. As a result, new connections that match a
persist uie entry may be unable to use the rport and a default server selection will occur instead. To prevent default server selection, use the no
def-selection-if-pref-failed command for the vport.
Syntax
pool <pool_name>
pool <pool_name> [member <addr> [<port>] ]
pool <pool_name>
134 of 304
Related Information
Valid Events:
CLIENT_ACCEPTED, CLIENT_DATA, HTTP_REQUEST,
HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, LB_FAILED,
NAME_RESOLVED
Events which do not generate an error, but are not likely valid for this command:
HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE,
HTTP_RESPONSE_DATA, LB_SELECTED, SERVER_CLOSED,
SERVER_CONNECTED, SERVER_DATA
use
This command is provided for backwards compatibility. The use statement
must be paired with certain commands such as node, and pool. However,
A10 Networks recommends using the commands node and pool directly.
Syntax
use <object> <object_name>
Example:
when HTTP_REQUEST {
if { [HTTP::uri] contains "aol" } {
use pool aol_pool
} else {
use pool all_pool
}
}
Related Information
Valid Events: All
135 of 304
reject
Causes the connection to be rejected, returning a reset as appropriate for the
protocol.
Syntax
reject
Example:
when SERVER_CONNECTED {
if { [IP::addr [clientside {IP::remote_addr}] equals 10.1.1.80] } {
drop
}
}
Related Information
Valid Events: All
serverside
Causes the specified aFleX command or commands to be evaluated under
the server-side context. This command has no effect if the aFleX policy is
already being evaluated under the server-side context.
Syntax
serverside { <aFleX command> }
Example:
when CLIENT_ACCEPTED {
if {[IP::addr [serverside {IP::remote_addr}] equals 10.1.1.80] } {
discard
}
}
Related Information
Valid Events: All
136 of 304
session
Manage SSL sessions.
Syntax
session add ssl <key> <data> [<timeout>]
session lookup ssl <key>
session delete <mode> <key>
The session add ssl command creates a table to store SSL information. If an
SSL table already exists, the command adds an entry to the table. Generally,
the <key> is the session ID and the data is the SSL verify_result or the SSL
certificate.
The session lookup ssl command Searches the SSL table for information
about the specified key.
The session delete command deletes an SSL entry.
Example:
when CLIENTSSL_HANDSHAKE {
set cert1 [SSL::cert 0]
session add ssl [SSL::sessionid] $cert1 300
}
when
HTTP_REQUEST {
Related Information
Valid Events:
CLIENT_ACCEPTED, HTTP_REQUEST, HTTP_RESPONSE,
CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE
137 of 304
set encode
Set the character encoding for data payloads.
Syntax
set encode "<encoding>"
Example:
Here is an example of an aFleX policy that converts payload data into Japanese encoding Shift_JIS:
when HTTP_RESPONSE {
if { [HTTP::header "Content-Type"] contains "Shift_JIS" } {
set encode "shiftjis"
HTTP::collect
}
}
when HTTP_RESPONSE_DATA {
set hoge [HTTP::payload length]
set payload [encoding convertfrom $encode [HTTP::payload]]
regsub -all "abc" $payload "xyz" newdata
set newdata3 [encoding convertto $encode $newdata]
HTTP::payload replace 0 $hoge $newdata3
HTTP::release
}
Related Information
Valid Events: All
sha1
Returns the Secure Hash Algorithm version 1.0 (SHA1) message digest of
the specified string.
Note:
138 of 304
snatpool
Uses the specified pool of IP addresses as translation addresses to create a
SNAT. The command uses the specified NAT pool instead of the NAT pool
that is already bound to the virtual port in the AX configuration.
Syntax
snatpool <snatpool_name>
The <snatpool_name> option specifies the name of a configured IP
address pool.
snatpool none
The none option disables the SNAT.
Note:
A NAT pool must already be bound to virtual port in the AX configuration. This is the virtual ports default NAT pool.
Note:
The IP type (IPv4 or IPv6) of the pool must be the same as the IP type of
the real servers.
Example:
when CLIENT_ACCEPTED {
if { [IP::addr [IP::local_addr] equals 10.0.0.35] } {
snatpool snat_a
} else {
snatpool snat_b
}
}
Related Information
Valid Events:
CLIENT_ACCEPTED, HTTP_REQUEST, LB_SELECTED
Valid Events added with AX Release 2.7.0:
SIP_REQUEST, SIP_RESPONSE
139 of 304
substr
Returns a sub-string named <string>, based on the values of the
<skip_count> and <terminator> arguments.
Syntax
substr <string> <skip_count> [<terminator>]
Notes
The <skip_count> and <terminator> arguments are used in the same
140 of 304
"x"]"
"gh"]"
4]"
20]"
0]"
switch
Built-in Tcl command. Evaluates one of several scripts, depending on a
given value.
Syntax
switch ?options? string {pattern body ?pattern
body ...?}
Matches its string argument against each of the pattern arguments in order.
As soon as it finds a pattern that matches string, it evaluates the following
body argument by passing it recursively to the Tcl interpreter and returns the
result of that evaluation. If the last pattern argument is "default", then it
matches anything. If no pattern argument matches string and no default is
given, then the command returns an empty string.
If the initial arguments start with "-", then they are treated as options. The
following options are currently supported:
-exact Use exact matching when comparing string to a pattern. This is
the default.
-glob When matching string to the patterns, use glob-style matching
141 of 304
If the result of the switch evaluation is invalid, the script will stop but
no compile error will be displayed. To avoid this, make sure that all possible outcomes are valid, or consider using if ... elseif syntax instead
of switch.
For example, the following script will give a compile error, as expected:
when CLIENT_ACCEPTED {
pool $invalid-pool-name
}
However, the following script will not give a compile error:
when CLIENT_ACCEPTED {
$value = $somevalue
switch $value {
0 {
pool $invalid-pool-name
}
default {
}
}
}
142 of 304
This example will send traffic with host header "www.domain.com" to pool
www, host header "www.domain2.com" will cause header manipulation and
URI rewriting to take place first, and requests with any other host header
will be discarded:
switch [string tolower [HTTP::host]] {
www.domain.com { pool www }
www.domain2.com {
HTTP::header insert Header1 domain2
HTTP::header replace Host www.domain.com
[HTTP::uri] "/domain2[HTTP::uri]"
pool www
}
default { discard }
}
Related Information
Valid Events: All
143 of 304
virtual
Return the name of the associated virtual server that the connection is flowing through.
Syntax
virtual name
Example:
when HTTP_REQUEST {
log local0. "Virtual Server: [virtual name]"
}
Related Information
Valid Events: All
when
Specify an event in an aFleX script. All aFleX events begin with a when
command. You can specify multiple when commands within a single aFleX
script.
Syntax
when <event_name>
Example:
when CLIENT_ACCEPTED {
if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
pool my_pool
}
}
Related Information
Valid Events: All
whereis
Returns geo-location information for a given IP address. The command performs a lookup in the geo-location database in use on the ACOS device. For
example, you can use this command in a script that looks up information in
a geo-location database from a third-party vendor such as MaxMind or
Neustar IP Intelligence.
144 of 304
The following example uses a geo-location database from a thirdparty vendor to look up the location of clients who send requests to a
specific VIP.
To use the geo-location database, you must import it onto the ACOS device
as a comma-separated values (.csv) file, load it to activate it, then use a template to specify the data fields to extract from the database.
This example uses a geo-location database that contains entries in the following format:
"0000000000","0016777215","","","",""
"0016777216","0016777471","AU","AUSTRALIA","OC","OCEANIA"
"0016777472","0016778239","CN","CHINA","AS","ASIA"
"0016778240","0016779263","AU","AUSTRALIA","OC","OCEANIA"
"0016779264","0016781311","CN","CHINA","AS","ASIA"
"0016781312","0016785407","JP","JAPAN","AS","ASIA"
"0016785408","0016793599","CN","CHINA","AS","ASIA"
"0016793600","0016809983","JP","JAPAN","AS","ASIA"
"0016809984","0016842751","TH","THAILAND","AS","ASIA"
...
"3758093312","3758094335","IN","INDIA","AS","ASIA"
"3758094336","3758095359","AU","AUSTRALIA","OC","OCEANIA"
"3758095360","3758095871","CN","CHINA","AS","ASIA"
"3758095872","3758096127","SG","SINGAPORE","AS","ASIA"
"3758096128","3758096383","AU","AUSTRALIA","OC","OCEANIA"
...
Each entry in this database has 6 fields. The aFleX script will use a GSLB
CSV template to look up the data in 4 of the fields:
ip-from, ip-to-mask, country, , , continent
145 of 304
The following steps show the AX configuration required to install the geolocation database and use the aFleX script to look up data in the database.
1. The following command imports a geo-location database file in .csv
format onto the ACOS device:
AX#import geo-location ipligence-lite.csv use-mgmt-port scp://
root@192.168.209.80:/ipligence-lite.csv
Password []********
Importing ...
146 of 304
147 of 304
148 of 304
Note:
For simplicity, the example does not show configuration of the real servers and service group. However, these also are required for a functioning
configuration. Likewise, configuration for network connectivity, such as
use of Network Address Translation (NAT), may be needed in a live network but is not shown here.
Note:
The end command is not part of the VIP configuration. The end command
simply returns the CLI prompt directly to the Privileged EXEC configuration level.
[AFLEX]:geo_test:Continent=ASIA
[AFLEX]:geo_test:Country=CN
[AFLEX]:geo_test:Continent=NORTH AMERICA
[AFLEX]:geo_test:Country=US
[AFLEX]:geo_test:Continent=NORTH AMERICA
[AFLEX]:geo_test:Country=US
Related Information
Valid Events:
CLIENT_ACCEPTED, LB_FAILED, LB_SELECTED,
CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED,
SERVER_CONNECTED, SERVER_DATA, HTTP_REQUEST,
HTTP_REQUEST_DATA, HTTP_REQUEST_SEND,
HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE,
HTTP_RESPONSE_DATA
Required AX Release: 2.7.0 or higher
set
Syntax
set <global_variable> <value>
Sets the <global_variable> to the specified <value>. If the variable does not
exist, this command will create a new variable.
Related Information
Valid Events: All
149 of 304
incre
Syntax
incre <global_variable>
Increments the <global_variable> by a value of 1.
Related Information
Valid Events: All
Required Release: ACOS 2.7.1 or higher
get
Syntax
get <global_variable>
Returns the value of the specified <global_variable>.
Related Information
Valid Events: All
Required Release: ACOS 2.7.1 or higher
unset
Syntax
unset <global_variable>
Deletes the value for the <global_variable>. This command will cause the
specified variable to return an empty string.
Related Information
Valid Events: All
Required Release: ACOS 2.7.1 or higher
150 of 304
array
Syntax
array set <global_array> <key> <value>
Sets the values of one or more elements in the <global_array>.
array size <global_array>
Gets the number of elements in the <global_array>.
array names <global_array>
Returns a list of names for all elements in the <global_array>.
array get <global_array> <key>
Gets a list of all pairs of elements in the <global_array>.
Related Information
Valid Events: All
Required Release: ACOS 2.7.1 or higher
Table Commands
Beginning with ACOS 2.7.1, you can use the following aFleX commands to
manage a table of data entries.
Table Entry Expiration Date
You can configure the <lifetime> and <timeout>
values to
predefine an expiration date for the table entries. The following list defines
conditions for using these options.
Set an Indefinite Expiration Time Use indefinite or indef for the
151 of 304
seconds.
If <lifetime> is not specified, the lifetime is set to indefinite.
Notes
By default, session table entries are synced to the peer unit.
Depending on the aFleX event used in the policy, you can track connec-
period of time, regardless of how many changes or lookups are performed on the entry.
An entry can have both a configured lifetime and timeout. The entry is
removed from the table for whichever expiration time comes first.
table set
Syntax
table
set
<name>
[<lifetime>]]
<key>
<value>
[<timeout>
Sets a key in the table with the specified <value>. Optionally, you can apply
a <timeout> and <lifetime> to the entry.Returns the entrys value after the
set operation is complete. This command adds a key if it does not already
exist.
Related Information
Valid Events: All
Required Release: ACOS 2.7.1 or higher
table add
Syntax
table
add
<name>
[<lifetime>]]
152 of 304
<key>
<value>
[<timeout>
table replace
Syntax
table replace
[<lifetime>]]
<name>
<key>
<value>
[<timeout>
Replaces the value in the table with the specified <key> or <value>. Optionally, you can apply a <timeout> and <lifetime> to the entry. This command
returns the entrys value after completing the replacement. If the specified
key does not exist, no action is taken and an empty string is returned.
Related Information
Valid Events: All
Required Release: ACOS 2.7.1 or higher
table lookup
Syntax
table lookup <name> [-notouch] <key>
Returns the value associated with the specified key. If -notouch is specified,
then any existing entries for the key will not have an updated timestamp.
Related Information
Valid Events: All
Required Release: ACOS 2.7.1 or higher
153 of 304
table incr
Syntax
table incr <name> [-notouch] <key> [<num>]
Increments the value associated with the specified key, in the specified
table. If you do not specify a value for <num>, 1 is used by default. If notouch is specified, then any existing entries for the key will not have an
updated timestamp.
Note:
This command returns the entrys value after the operation is complete. If
the specified key does not exist, then no action is taken.
Related Information
Valid Events: All
Required Release: ACOS 2.7.1 or higher
table append
Syntax
table append <name> [-notouch] <key> <string>
Appends a string to the value associated with the specified key. If
-notouch is specified, then any existing entries for the key will not have
an updated timestamp.
Note:
If the key does not exist, then no action is taken. This command returns
the entrys value after the operation is complete.
Related Information
Valid Events: All
Required Release: ACOS 2.7.1 or higher
table delete
Syntax
table delete <name> <key>|-all
154 of 304
table timeout
Syntax
table timeout <name> [-remaining] <key>
table timeout <name> <key> [<value>]
Returns the timeout for the specified key. Optionally, this command also
sets the timeout for the key. Specify the -remaining option to return the
remaining time before the expiration timeout, instead of the timeout itself.
Note:
This command returns -1 if no timeout is set for the specified key or the
timeout is indefinite.
Related Information
Valid Events: All
Required Release: ACOS 2.7.1 or higher
table lifetime
Syntax
table lifetime <name> [-remaining] <key>
table lifetime <name> <key> [<value>]
Returns the lifetime for the specified key. Optionally, this command also
sets the lifetime for the key. Specify -remaining to return the remaining time
before the expiration lifetime, instead of the lifetime itself.
This command returns -1 if no lifetime is set for the specified key or the
lifetime is indefinite.
155 of 304
table keys
Syntax
table keys <name> [-count|-notouch]
Returns a list of key and value pairs for the specified table. If -notouch is
specified, then existing entries will not have an updated timestamp. If count is specified, then the table entries will not have an updated timestamp
and the command returns the number of keys in the specified table.
Note:
156 of 304
In this example, the aFleX policy blacklists IP addresses for 10 minutes if traffic from the IP address makes more than 100 DNS queries
per second:
when RULE_INIT {
set ::maxquery 100
set ::holdtime 600
}
when CLIENT_ACCEPTED {
set srcip [IP::remote_addr]
if { [table lookup "blacklist" $srcip] != "" } {
drop
log "$srcip is blocked, the packet is dropped."
return
}
set curtime [TIME::clock seconds]
set key "count:$srcip:$curtime"
if { [table lookup tmp_table $srcip] == "" } {
table set tmp_table $srcip 1
log "$srcip's session table is created."
}
set count [table incr tmp_table $srcip]
log "session count=$count"
table lifetime tmp_table $srcip 2
if { $count > $::maxquery } {
table add "blacklist" $srcip "blocked" indef $::holdtime
log "blacklist table is created with $srcip "
table delete tmp_table $srcip
drop
return
}
}
157 of 304
CLASS::exists
Returns a Boolean value that indicates whether the class list exists.
Syntax
CLASS::exists <list-name>
Example:
when HTTP_REQUEST {
log classlist1 exists: [CLASS::exists classlist1]
}
Related Information
Valid Events: All
Required AX Release: 2.7.0 or higher
CLASS::match
Queries class lists to check for matches and returns any component of a
matching entry.
Notes:
Queries to a string class list are case-sensitive. Queries to a DNS class
158 of 304
any way.
Syntax for Class List of Types Other than String
CLASS::match <param> <list-name> [ip | dns]
Returns whether <param> matches an [ip | dns] entry in class list
<list-name>. Omitting the [ip | dns] argument will result in IP entries in the
class list being searched first, followed by DNS entries.
CLASS::match <param> <list-name> <key> [ip | dns]
Returns key of match when <param> matches an [ip | dns] entry in class list
<list-name>. Omitting the [ip | dns] argument will result in IP entries in the
class list being searched first, followed by DNS entries.
CLASS::match <param> <list-name> <lid> [ip | dns]
Returns LID of match (only if configured) when <param> matches an
[ip | dns] entry in classlist <list-name>. Omitting the [ip | dns] argument will
result in IP entries in the class list being searched first, followed by DNS
entries.
Example:
when HTTP_REQUEST {
log Matches: [CLASS::match abcd classlist1]
log Key of Match: [CLASS::match abcd classlist1 key]
log LID of Match: [CLASS::match abcd classlist1 lid]
}
Note:
or
[CLASS::match [IP::client_addr] $classlist ip]
159 of 304
Example 1
when HTTP_REQUEST {
log Matches: [CLASS::match abcd starts_with classlist1]
log Key of Match: [CLASS::match abcd starts_with classlist1 key]
log LID of Match: [CLASS::match abcd starts_with classlist1 lid]
}
Example 2
This example imports the values of a string class list named cs1.
when HTTP_REQUEST {
if {[HTTP::cookie exists cookie-name]}{
set cookie_value [HTTP::cookie cookie-name]
if { $cookie_value != } {
set redirect_url [CLASS::match $cookie_value equals cs1 value]
if { $redirect_url != } {
HTTP::redirect $redirect_url
}
}
}
}
Related Information
Valid Events: All
160 of 304
CLASS::names
Returns a list of class-list names.
Syntax
CLASS::names
Example:
when HTTP_REQUEST {
log "list of class-lists: [CLASS::names]"
}
Related Information
Valid Events: All
Required AX Release: 2.7.0 or higher
CLASS::type
Returns the type of the specified class list.
Syntax
CLASS::type <list-name>
The type value that can be returned by aFleX depends on whether the type
was explicitly specified during class-list configuration.
Explicitly configured: dns, ipv4, ipv6, string
Implicitly configured by the ACOS device based on the class-list
161 of 304
LID Commands
Commands for reading Limit IDs (LIDs).
Note:
Note:
To apply these commands, the LID must be configured and attached to the
same vport as the aFleX policy using the template. If GLID is used, it
must be configured and enabled on the configuration.
LID::conn_limit
Returns a list of conn-limit and LID type, one each for a matching LID
where conn-limit is configured.
Syntax
LID::conn_limit <lid-id>
Example:
when HTTP_REQUEST {
log "glid1 conn-limit: [LID::conn_limit glid1]"
}
Related Information
Valid Events: All
Required AX Release: 2.7.0 or higher
162 of 304
LID::conn_rate_limit
Returns a list of conn-rate-limit values and LID type, one each for a matching LID where conn-rate-limit is configured.
Syntax
LID::conn_rate_limit <param>
Example:
when HTTP_REQUEST {
log "glid1 conn-rate-limit: [LID::conn_rate_limit glid1]"
}
Related Information
Valid Events: All
Required AX Release: 2.7.0 or higher
LID::exists
Returns a Boolean value that indicates whether the specified LID exists.
Syntax
LID::exists <lid-id>
Example:
when HTTP_REQUEST {
log "glid1 exists: [LID::exists glid1]"
}
Related Information
Valid Events: All
Required AX Release: 2.7.0 or higher
163 of 304
LID::nat_pool
Returns a list of string and LID type, one each for a matching LID where
nat-pool is configured.
Syntax
LID::nat_pool <lid-id>
Example:
when HTTP_REQUEST {
log "glid1 nat-pool: [LID::nat_pool glid1]"
}
Related Information
Valid Events: All
Required AX Release: 2.7.0 or higher
LID::request_limit
Returns a list of request-limit and LID type, one each for a matching LID
where request-limit is configured.
Syntax
LID::request_limit <param>
Example:
when HTTP_REQUEST {
log "glid1 request-limit: [LID::request_limit glid1]"
}
Related Information
Valid Events: All
Required AX Release: 2.7.0 or higher
164 of 304
LID::request_rate_limit
Returns a list of request-rate-limit values and LID type, one each for a
matching LID where conn-rate-limit is configured.
Syntax
LID::request_rate_limit <param>
Example:
when HTTP_REQUEST {
log "glid1 request-rate-limit: [LID::request_rate_limit glid1]"
}
Related Information
Valid Events: All
Required AX Release: 2.7.0 or higher
LID::type
Returns a list of LIDs of the specified type.
Syntax
LID::type <param>
Returns a list of LID types, one each for a matching LID. The type can be
one of the following: global, vport-policy, vport-dns, vserver-policy, system
policy
Example:
when HTTP_REQUEST {
log "glid1 type: [LID::type glid1]"
}
Related Information
Valid Events: All
Required AX Release: 2.6.2 or higher
165 of 304
Link Commands
LINK::lasthop
Returns the MAC address of the last hop.
Syntax
LINK::lasthop
Example:
when CLIENT_ACCEPTED {
set sip [IP::addr [IP::remote_addr]]
set lastmac [LINK::lasthop]
session add uie $sip $lastmac 180
}
Related Information
Valid Events: All
Required AX Release: 2.6.1-GR1 or higher
LINK::nexthop
Returns the MAC address of the next hop.
Syntax
LINK::nexthop
Example:
when SERVER_CONNECTED {
set info "ethernet { [LINK::lasthop] -> [LINK::nexthop] tag [LINK::vlan_id] }"
log local0. $info
}
Related Information
Valid Events: All
Required AX Release: 2.6.1-GR1 or higher
166 of 304
LINK::vlan_id
Returns the VLAN tag of the packet.
Note:
Example:
when CLIENT_ACCEPTED {
set info "client { [IP::client_addr]:[TCP::client_port] ->
[IP::local_addr]:[TCP::local_port] }"
append info " ethernet "
append info " { [string range [LINK::lasthop] 0 16] -> [string range [LINK::nexthop]
0 16] "
append info "tag [LINK::vlan_id] }"
log local0. $info
}
Related Information
Valid Events: All
Required AX Release: 2.6.1-GR1 or higher
167 of 304
LB::reselect
Reperforms server selection.
Syntax:
LB::reselect [pool <pool-name> [<member>]]
If you use the command without any of the optional parameters, SLB selects
the next available member (server and port) from the same service group
used for the initial server selection.
To specify the service group to use, use the pool <pool-name> option.
If you also use the <member> option, the specified member is selected
from the specified service group.
Notes:
This command applies to Layer 7 traffic only for HTTP and HTTPS.
Failure to execute this command will not always lead the LB_FAILED
event to be triggered.
Beginning with AX Release 2.7.0, server template limits are applied for
both service-group and server selection. Commands that call for server
selection (i.e., node, pool, persist, etc.) will enforce server template limits on the selected server. As a result, new connections that
match a persist uie entry may be unable to use the rport and a default
server selection will occur instead. To prevent default server selection,
use the no def-selection-if-pref-failed command for the
vport.
Example 1:
In this aFleX policy, the HTTP::retry command retries sending a clients request to a service port that replies with an HTTP 5xx status code. If
the first server continues to reply with a 5xx status code after 3 retries, the
LB::reselect command reassigns the client request to another server.
168 of 304
Example 2:
This aFleX policy is similar to the one above, except the LB::down command in the policy marks the service port down for 30 seconds.
when CLIENT_ACCEPTED {
set retry 0
set max_retry 3
}
when HTTP_REQUEST {
log "In HTTP_REQUEST: $retry"
log "End HTTP_REQUEST"
}
169 of 304
Example 3:
This aFleX policy uses the STATS::get command to retrieve total connection statistics two service groups, then select the service group with
fewer total connections.
After a service group is selected, the policy selects a server from the group.
If a retry occurs, the LB::reselect command selects another server from
the same service group. If the maximum number of retries has already been
reached, the other service group is selected. If both service groups have
reached the maximum number of retries, a third service group is used.
when CLIENT_ACCEPTED {
#set initial retires count equal to 0
set retries 0
# variable for the first time
set first 0
# number of retry per pool
set retry_cnt_per_pool 0
# max. number of retry per pool
set max_retry_per_pool 6
170 of 304
171 of 304
Related Information
Valid Events:
LB_FAILED, LB_SELECTED
LB::server
Returns the results of pool and node selection.
Syntax
LB::server [pool | addr | port]
LB::server returns a Tcl list containing the pool, node, node IP address,
and Layer 4 protocol port selected by SLB. If no server was selected when
the script was executed, or all servers are down, the command returns only
the default pool name.
LB::server pool returns the pool of the currently selected member. If
no server was selected when the script was executed, or all servers are
down, the command returns only the default pool name.
172 of 304
Example:
The following script takes a specified action if all servers in the default pool
are down:
when HTTP_REQUEST {
# Check if the default pool has less than one active member
if { [active_members [LB::server pool]] < 1 } {
[do something]
}
}
173 of 304
Related Information
Valid Events:
LB_SELECTED, LB_FAILED, SERVER_CONNECTED,
LB_SELECTED, LB_FAILED, SERVER_CONNECTED,
HTTP_REQUEST, HTTP_REQUEST_DATA, CLIENT_ACCEPTED
LB::status node
Returns the health check status of a node.
Syntax
LB::status node <ipaddr>
[port <port-num> {tcp | udp}]
If you specify the node IP address only, the Layer 3 health status of the
server is returned. If you also specify a protocol port and its transport protocol, the health status of the port is also returned. If you use the port option,
the port number and the transport protocol (tcp or udp) also are required.
The health status returned by the command is up or down.
Example:
when HTTP_REQUEST {
if { [LB::status node 10.1.100.222 port 7000 tcp] equals "up"} {
log "*** Server 10.1.100.222 port 7000 is UP! ***"
} else {
log "*** Server 10.1.100.222 port 7000
is DOWN! ***"
}
}
Note:
174 of 304
Related Information
Valid Events: All
LB::status pool
Returns the health check status of a pool.
Syntax
LB::status pool <pool_name>
[member <ipaddr> [<port_num>]] [partition shared]
If you specify the pool name only, the health status of the group is returned.
If you also specify a member (node) IP address and, optionally, service port
number, the health status of the specified member or port is returned.
The health status returned by the command is up or down.
Example:
when HTTP_REQUEST {
if { [LB::status pool svcgroup-1 member 10.1.100.222 7000] equals "up"} {
log "member 10.1.100.222 port 7000 of service group svcgroup-1 is UP!"
} else {
log "member 10.1.100.222 port 7000 of service group svcgroup-1 is DOWN!"
}
}
Related Information
Valid Events: All
175 of 304
HTTP Commands
HTTP::close
Inserts a Connection: close header and closes the HTTP connection.
Syntax
HTTP::close
Example:
when HTTP_RESPONSE {
HTTP::version "0.9"
HTTP::close
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_RESPONSE
HTTP::collect
Collects the amount of data that you specify with the <length> argument.
When the system collects the specified amount of HTTP content data, it
triggers
aFleX
event
HTTP_REQUEST_DATA
or
HTTP_RESPONSE_DATA depending on the data coming from.
You can use this command with the HTTP::request or
HTTP::payload <size> command.
Syntax
HTTP::collect
Collects data. Use caution when omitting the value of the content length.
Doing so can stall the connection.
HTTP::collect [<length>]
Collects the amount of data that you specify with the <length> argument.
Use caution when specifying a value larger than the size of the actual
length. Doing so can stall the connection.
Note:
176 of 304
If you specify length 0, the HTTP_RESPONSE_DATA event is not triggered since no data is collected.
Customer Driven Innovation
Doc. No.: D-030-01-00-0007 - aFleX 2.0, ACOS 2.7.1 7/2/2013
device will keep collecting data until one of the following occurs:
1.25 MB of data is collected (This is the maximum amount that can
be collected.)
A zero-size chunk-encoded packet is received
RST is received from the server
FIN is received from the server
Generally, a packet without a Content-Length header will be a chunkencoded packet.
Notes:
The ACOS device buffers the entire payload before replying to the client. If
the object to be collected is very large, performance can be affected.
The HTTP::collect command is not supported if RAM caching is enabled.
If the HTTP::payload replace command is used in the same aFleX policy as
the HTTP::collect command:
For packets that do not contain chuck-encoded data, the ACOS device
first, by removing the chunk header and assembling the packet. The
ACOS device will then replace the content with the new string without
re-chunking the payload. The packet received by the client will not be
chunk-encoded.
In the current release, the HTTP::payload replace command only sup-
ports clear text replacement. If the server response is compressed (transfer-encoded, tar, gz, bz, and so on), this feature will not work properly.
177 of 304
Note:
Example:
when HTTP_RESPONSE {
if {[HTTP::status] == 205}{
HTTP::collect [HTTP::header Content-Length]
}
}
Related Information
Valid Events
HTTP_REQUEST, HTTP_RESPONSE, HTTP_REQUEST_DATA,
HTTP_RESPONSE_DATA
HTTP::cookie
Queries for or manipulates cookies in HTTP requests and responses. This
command replaces the http_cookie command.
Syntax
HTTP::cookie names
HTTP::cookie count
HTTP::cookie [value] <name> [<string>]
HTTP::cookie version <name> [version]
HTTP::cookie path <name> [path]
HTTP::cookie domain <name> [domain]
178 of 304
179 of 304
180 of 304
Related Information
Valid Events:
HTTP_REQUEST, HTTP_RESPONSE
HTTP::fallback
Specifies or overrides the fallback host specified in the HTTP profile.
Syntax
HTTP::fallback <host>
Example:
when LB_FAILED {
HTTP::fallback "http://siteunavailable.mysite.com/"
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_REQUEST_DATA
HTTP::header
Queries for or manipulates an HTTP header.
Syntax
HTTP::header [value] <name>
Returns the value of the HTTP header named <name>. You can omit the
<value> argument if the header name does not collide with any of the subcommands.
HTTP::header names
Returns a list of all the headers present on the request or response.
181 of 304
182 of 304
If there are multiple headers with the same name, the command returns a
list of values for all of the headers. If there is a single value for the HTTP
header, that value will be returned.
Note:
Example:
when HTTP_REQUEST {
if { [HTTP::header "Host"] starts_with "andrew" }
pool andrew_pool
} else {
pool main_pool
}
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_REQUEST_SEND, HTTP_RESPONSE
HTTP::host
Returns the host name (and port, if specified) of the HTTP request. This
command replaces the http_host command.
Syntax
HTTP::host
Example:
when HTTP_REQUEST {
if { [HTTP::uri] contains "secure"} {
HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}
}
183 of 304
HTTP::is_keepalive
Returns a true value if this is a Keep-Alive connection.
Syntax
HTTP::is_keepalive
Example:
when HTTP_RESPONSE {
if {[HTTP::is_keepalive]}{
HTTP::close
}
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE,
HTTP_RESPONSE_DATA
HTTP::is_redirect
Returns a true value if the response is a certain type of redirect.
Syntax
HTTP::is_redirect
Example:
when HTTP_RESPONSE {
if { [HTTP::is_redirect] } {
log local0. "Request redirected."
}
}
184 of 304
HTTP::method
Returns the type of HTTP request method.
Syntax
HTTP::method
Example:
when HTTP_REQUEST {
log local0. "HTTP Method: [HTTP::method]"
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_REQUEST_DATA
HTTP::path
Returns the path part of the HTTP request.
Syntax
HTTP::path [<string>]
Example:
when HTTP_REQUEST {
log local0. "Host - [HTTP::host]"
log local0. "Path - [HTTP::path]"
}
185 of 304
Related Information
Valid Events:
HTTP_REQUEST, HTTP_REQUEST_DATA
HTTP::payload
Queries for or replaces content information. With this command, you can
retrieve content, query for content size, or replace a certain amount of content.
Syntax
HTTP::payload [<size>]
Returns the content that the HTTP::collect command has collected thus far.
If you do not specify a size, the system returns the collected content.
HTTP::payload length
Returns the size of the content that the command has collected thus far, not
including the HTTP headers.
HTTP::payload <offset> <size>
Returns the content that the HTTP::collect command has collected, starting
at <offset> with size equals <size>.
HTTP::payload replace <offset> <size> <string>
Replaces the amount of content that you specified with the <size> argument, starting at <offset> with <string>.
186 of 304
Related Information
Valid Events
HTTP_REQUEST, HTTP_REQUEST_SEND, HTTP_RESPONSE,
HTTP_RESPONSE_DATA
HTTP::query
Returns the query part of the HTTP request.
Syntax
HTTP::query
Example:
when HTTP_REQUEST {
log local0. "http_path [HTTP::path]"
log local0. "http_query [HTTP::query]"
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_REQUEST_DATA
187 of 304
HTTP::redirect
Redirects an HTTP request or response to the specified URL.
Note:
Example:
when HTTP_RESPONSE {
if { [HTTP::status] contains "404"} {
HTTP::redirect "http://www.siterequest.com/"
}
}
Related Information
Valid Events
HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE,
HTTP_RESPONSE_DATA
HTTP::release
Releases the collected data. Unless a subsequent HTTP::collect command was issued, there is no need to use the HTTP::release command
inside of the HTTP_REQUEST_DATA and HTTP_RESPONSE_DATA
events, since in these cases, the data is implicitly released.
Syntax
HTTP::release
Example:
when HTTP_RESPONSE_DATA {
regsub -all "oursite" [HTTP::payload] "oursitedev" newdata
log "Replacing payload with new data."
HTTP::payload replace 0 $clen $newdata
}
188 of 304
HTTP::request
Returns the raw request header string. You can access the request payload
using the HTTP::collect command.
Syntax
HTTP::request
Example:
when HTTP_REQUEST {
# save original request
set req [HTTP::request]
# flag as new request needing lookup
set lookup 1
# inject lookup URI in place of original request
HTTP::uri "/page.aspx?ip=[IP::client_addr]"
# set pool to lookup server pool
pool lookup_server
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_REQUEST_DATA
HTTP::request_num
Returns the number of HTTP requests that a client made on the connection.
Syntax
HTTP::request_num
Example:
when HTTP_REQUEST {
log local0. "Request number [HTTP::request_num]"
}
189 of 304
HTTP::respond
Allows users to generate or rewrite a client request or a server response.
This is a powerful API that allows users to generate or rewrite a client
request or a server response. When the system runs the command on the client side, it sends the response to the client without any load balancing taking
place. If the system runs the command on the server side, the content from
the actual server is discarded and replaced with the information provided to
this API.
Note:
The maximum size response that can be sent using this command is
64 KB.
Note:
Because the system sends the response data immediately after this aFleX
script runs, A10 Networks recommends that you not run any more aFleX
scripts after this API.
Syntax
HTTP::respond <status code>
[content <content Value>]
[<Header name> <Header Value>]+
Example:
To send a redirect with a cookie set.
when HTTP_REQUEST {
set ckname "app"
set ckvalue "893"
set cookie [format "%s=%s; path=/; domain=%s" $ckname $ckvalue
".domain.org"]
HTTP::respond 302 Location "http://www.domain.org" "Set-Cookie" $cookie
}
190 of 304
HTTP::retry
Resends an HTTP request to the server. This command triggers the
HTTP_REQUEST event.
Note:
This command is supported only for virtual port types HTTP and HTTPS.
They are not supported for fast-HTTP or any of the other virtual port
types.
Syntax:
HTTP:retry
Example:
when HTTP_RESPONSE {
if { [HTTP::status] equals "503"} {
HTTP::retry
}
}
Related Information
Valid Events:
HTTP_RESPONSE, HTTP_RESPONSE_DATA
HTTP::status
Returns the response status code.
Syntax
HTTP::status
191 of 304
Related Information
Valid Events:
HTTP_RESPONSE, HTTP_RESPONSE_DATA
HTTP::stream
Replaces the specified string of an HTTP response.
Note:
Example:
when HTTP_RESPONSE {
HTTP::stream replace "abc" "ABC"
HTTP::stream replace "x" "XYZ"
}
Related Information
Valid Events:
HTTP_RESPONSE
192 of 304
HTTP::uri
Returns or sets the URI of the request. This command replaces the
http_uri command.
Syntax
HTTP::uri <string>
The URI string does not include the protocol (http or https) or hostname,
just the path, starting with the slash after the hostname.
HTTP::uri <string>
Changes the URI passed to the server. It should always start with a slash.
Example:
when HTTP_REQUEST {
if { [HTTP::uri] ends_with "cgi" } {
pool cgi_pool
} elseif { [HTTP::uri] starts_with "/abc" } {
pool abc_servers
}
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_REQUEST_DATA
193 of 304
HTTP::version
Returns or sets the HTTP version of the request or response. This command
replaces the http_version command.
Syntax
HTTP::version ["0.9" | "1.0" | "1.1"]
Example:
when HTTP_RESPONSE {
HTTP::version "1.1"
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE,
HTTP_RESPONSE_DATA
194 of 304
Compression Commands
COMPRESS::disable
Disables compression for the current HTTP response.
Syntax
COMPRESS::disable
Example:
when HTTP_RESPONSE {
if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
COMPRESS::disable
}
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_RESPONSE, HTTP_RESPONSE_DATA
COMPRESS::enable
Enables compression for the current HTTP response.
Syntax
COMPRESS::enable
Example:
when HTTP_REQUEST {
if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
COMPRESS::enable
}
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_RESPONSE, HTTP_RESPONSE_DATA
195 of 304
COMPRESS::gzip
Sets the compression level for HTTP compression.
Setting the compression level to a higher value results in more HTTP
compression, at a greater CPU cost. Additional CPU usage can outweigh
the benefit of a higher level. For example, setting compression to level 6
can provide equivalent performance to level 9. For best performance, A10
Networks recommends setting compression to level 1.
Note:
Syntax
COMPRESS::gzip level <level>
The <level> can be 1-9.
Example:
when HTTP_REQUEST {
COMPRESS::gzip level 9
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_RESPONSE, HTTP_RESPONSE_DATA
Required AX Release: 2.7.0 or higher
AES Commands
Commands for performing Advanced Encryption Standard (AES) operations.
AES::decrypt
Decrypts data using an AES key.
Syntax
AES::decrypt <key> <data>
196 of 304
Related Information
Valid Events: All
Required AX Release: 2.7.0 or higher
AES::encrypt
Encrypts data using an AES key.
Syntax
AES::encrypt <key> <data>
Example:
when SERVER_DATA {
set key [AES::key password 256]
set encryptedData [AES::decrypt $key [TCP::payload]]
log local0. "The encrypted data is $encryptedData"
}
Related Information
Valid Events: All
Required AX Release: 2.7.0 or higher
197 of 304
AES::key
Creates a random key to use for encrypting/decrypting data using AES.
The key returned has the following format:
<8-byte-header><16-byte-IV><16/24/32-byte-key>
The 8-byte header is of the form AES xxx where xxx is 128, 192, or 256.
The resulting key file can be 40, 48, or 56 bytes long.
Syntax
AES::key <passphrase> [256 | 192 | 128]
The [256 | 192 | 128] option specifies the key length, in bits. The
default is 128.
Example:
when SERVER_DATA {
set key [AES::key password 256]
set encryptedData [AES::decrypt $key [TCP::payload]]
log local0. "The encrypted data is $encryptedData"
}
Related Information
Valid Events: All
Required AX Release: 2.7.0 or higher
198 of 304
IP Commands
IP::addr
Performs comparison of IP address/subnet/supernet to IP address/subnet/
supernet. Returns 0 if no match, 1 for a match.
Note:
This command does NOT perform a string comparison. To perform a literal string comparison, simply compare the 2 strings with the appropriate
operator (equals, contains, starts_with, and so on) rather than using the
IP::addr comparison.
Syntax
IP::addr <addr1>[/<mask>] equals <addr2>[/<mask>]
IP::addr
Example:
To perform comparison of IP address 10.10.10.1 with subnet 10.0.0.0/8.
(Will return 1, since it is a match.)
[IP::addr 10.10.10.1 equals 10.0.0.0/8]
To perform comparison of client-side IP address with subnet 10.0.0.0/8.
(Will return 1 or 0, depending on client IP address.)
[IP::addr [IP::client_addr] equals 10.0.0.0/8]
To select a specific pool for a specific client IP address.
when CLIENT_ACCEPTED {
if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
pool my_pool
}
}
Related Information
Valid Events: All
199 of 304
IP::client_addr
Returns the client IP address of a connection. This command is equivalent
to the command clientside { IP::remote_addr }.
Syntax
IP::client_addr
Example:
when CLIENT_ACCEPTED {
if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
pool my_pool
}
}
Related Information
Valid Events:
CLIENT_ACCEPTED, CLIENT_CLOSED, HTTP_REQUEST,
HTTP_REQUEST_DATA, HTTP_REQUEST_SEND,
HTTP_RESPONSE, HTTP_RESPONSE_DATA, LB_SELECTED,
SERVER_CONNECTED
IP::local_addr
This command is primarily useful for generic rules that are re-used. Also, it
is useful in reusing the connected endpoint in another statement or to make
routing type decisions. You can also specify the IP::client_addr and
IP::server_addr commands.
Syntax
IP::local_addr
Returns the IP address of the AX being used in the connection. In the clientside context, this is the destination IP address (virtual IP address). In the
serverside context, this is the source IP address (SNAT address if SNAT is
used, else spoofed client IP address).
200 of 304
Related Information
Valid Events:
CLIENT_ACCEPTED, CLIENT_CLOSED, HTTP_REQUEST,
HTTP_REQUEST_DATA, HTTP_REQUEST_SEND,
HTTP_RESPONSE, HTTP_RESPONSE_DATA, LB_SELECTED,
SERVER_CLOSED, SERVER_CONNECTED
IP::protocol
Returns the IP protocol value.
Syntax
IP::protocol
Example:
when CLIENT_ACCEPTED {
if { [IP::protocol] == 6 } {
pool tcp_pool
} else {
pool slow_pool
}
}
Related Information
Valid Events:
CLIENT_ACCEPTED
201 of 304
IP::remote_addr
Returns the IP address of the host on the far end of the connection. In the
clientside context, this is the client IP address. In the serverside context this
is the node IP address. You can also specify the IP::client_addr and
IP::server_addr commands, respectively.
Syntax
IP::remote_addr
Example:
when CLIENT_ACCEPTED {
if { [IP::addr [IP::remote_addr] equals 206.0.0.0/255.0.0.0] } {
pool clients_from_206
} else {
pool other_clients_pool
}
}
when SERVER_CONNECTED {
log local0. "Node IP address is: [IP::remote_addr]"
}
Related Information
Valid Events:
CLIENT_ACCEPTED, CLIENT_CLOSED, HTTP_REQUEST,
HTTP_REQUEST_DATA, HTTP_REQUEST_SEND,
HTTP_RESPONSE, HTTP_RESPONSE_DATA, LB_SELECTED,
SERVER_CLOSED, SERVER_CONNECTED
IP::server_addr
Returns the servers (nodes) IP address, once a serverside connection has
been established. This command is equivalent to the command serverside
{IP::remote_addr}. The command returns 0 if the serverside connection has
not been made.
Syntax
IP::server_addr
Example:
when SERVER_CONNECTED {
log local0. "Node IP address: [IP::server_addr]"
}
202 of 304
IP::stats
Supplies information about the number of packets or bytes being sent or
received in a given connection.
Syntax
IP::stats pkts in
Returns number of packets received
IP::stats pkts out
Returns number of packets sent
IP::stats pkts
Returns a Tcl list of packets in and packets out
IP::stats bytes in
Returns number of bytes received
IP::stats bytes out
Returns number of bytes sent
IP::stats bytes
Returns Tcl list of bytes in and bytes out
Related Information
Valid Events: All
IP::tos
Selects a different pool of servers based on the ToS level within a packet.
The Type of Service (ToS) standard is a means by which network equipment
can identify and treat traffic differently based on an identifier. As traffic
enters the site, the ACOS device can apply a rule that sends the traffic to different pools of servers based on the ToS level within a packet.
Note:
203 of 304
Related Information
Valid Events:
CLIENT_ACCEPTED
IP::ttl
Returns the TTL of the current packet being acted upon.
Syntax
IP::ttl
Example:
when CLIENT_ACCEPTED {
if { [IP::ttl] < 3 } {
drop
}
}
Related Information
Valid Events:
CLIENT_ACCEPTED
204 of 304
IP::version
Returns the version of the current packet being acted upon.
Syntax
IP::version
Example:
when CLIENT_ACCEPTED {
if {[IP::version] eq 6} {
pool ipv6_pool
} else {
pool ipv4_pool
}
}
Related Information
Valid Events:
CLIENT_ACCEPTED
DNS Commands
DNS::additional
Returns, inserts, removes, or clears RRs from the Additional section. With
no arguments, gets a tcl list of RR objects. With an argument, inserts/
removes RR tcl objects in the Additional section or clears all RRs from the
Additional section.
Syntax
DNS::additional [[insert | remove rr_obj] | clear]
Related Information
Valid Events:
DNS_REQUEST, DNS_RESPONSE
Required AX Release: 2.7.0 or higher
205 of 304
DNS::answer
Returns, inserts, removes, or clears RRs from the Answer section. With no
arguments, gets a tcl list of RR objects. With an argument, inserts/removes
RR tcl objects in the Answer section or clears all RRs from the Answer section.
Syntax
DNS::answer [[insert | remove rr_obj] | clear]
Example:
when DNS_RESPONSE {
set rr [DNS::rr google.com 149 IN A 74.125.224.222]
DNS::answer insert $rr
set rrs [DNS::answer]
log "rrs = '$rrs'"
}
Example:
when DNS_RESPONSE {
set rrs [DNS::answer]
set i 0
foreach rr $rrs {
log "i = $i rr = '$rr'"
incr i
}
set rr1 [lindex $rrs 0]
log "remove rr1 = '$rr1'"
DNS::answer remove $rr1
set k 0
foreach rr [DNS::answer] {
log "k = $k rr = '$rr'"
incr k
}
}
Related Information
Valid Events:
DNS_REQUEST, DNS_RESPONSE
Required AX Release: 2.7.0 or higher
206 of 304
DNS::authority
Returns, inserts, removes, or clears RRs from the Authority section. With no
arguments, gets a tcl list of RR objects. With an argument, inserts/removes
RR tcl objects in the Authority section or clears all RRs from the Authority
section.
Syntax
DNS::authority [[insert | remove rr_obj] | clear]
Example:
The following script changes the TTL of all Answer records and adds
a glue record.
when DNS_RESPONSE {
set rrs [DNS::answer]
foreach rr $rrs {
DNS::ttl $rr 1234
}
set new_rr [DNS::rr "webserv1.yahoo.com. 88 IN A 1.2.3.4"]
DNS::additional insert $new_rr
}
Example:
when DNS_RESPONSE {
set rrs [DNS::answer]
set i 0
foreach rr $rrs {
log " i = $i rr ='$rr'"
incr i
}
set rrs2 [DNS::authority]
set j 0
foreach rr2 $rrs2 {
log "j = $j rr2 = '$rr2'"
incr j
}
DNS::authority clear
}
when DNS_RESPONSE {
set rrs2 [DNS::authority]
set rr2 [lindex $rrs2 1]
DNS::authority remove $rr2
}
207 of 304
DNS::header
Gets or sets simple bits or byte fields. Return value is always an integer
except for successful recognition of the rcode or opcode fields, where a
string is returned.
The rcode can be one of the following:
NOERROR
FORMERR
SERVFAIL
NXDOMAIN
NOTIMPL
REFUSED
YXDOMAIN
YXRRSET
NXRRSET
NOTAUTH
NOTZONE
208 of 304
These log statements can be used to see all questions and responses:
when DNS_REQUEST {
# debugging statement see all questions and request details
log local0. "Client: [IP::client_addr] Question:[DNS::question name]
Type:[DNS::question type] Class:[DNS::question class] Origin:[DNS::origin]"
set fqdn [DNS::question name]
}
when DNS_RESPONSE {
# debugging statement to see all questions and response details
log local0. "Request: $fqdn Answer: [DNS::answer] Origin:[DNS::origin] Status:
[DNS::header rcode] Flags: RD [DNS::header rd] RA [DNS::header ra]"
}
Example:
when DNS_REQUEST {
log "query id [DNS::header id] qr: [DNS::header qr] opcode: [DNS::header
opcode]"
}
when DNS_RESPONSE {
log "qr: [DNS::header qr] rcode: [DNS::header rcode] ra: [DNS::header ra]"
}
Related Information
Valid Events:
DNS_REQUEST, DNS_RESPONSE
Required AX Release: 2.7.0 or higher
209 of 304
DNS::len
Returns the DNS packet message length.
Syntax
DNS::len
Example:
when DNS_REQUEST {
set len [DNS::len]
log dns query pkt len = $len
}
Example:
when DNS_RESPONSE {
set len [DNS::len]
log "dns reply pkt len = $len"
}
Related Information
Valid Events:
DNS_REQUEST, DNS_RESPONSE
Required AX Release: 2.7.0 or higher
DNS::query
Returns a tcl list of RR tcl objects lists, one for each section: Answer,
Authority, and Additional.
Constructs and sends a query to the DNS-Express database for a name and
type (IN class only).
Syntax
DNS::query <target> <name> <type> [dnssec]
The <target> can be dnsx.
The <name> is the FQDN (for example, www.example.com).
The <type> specifies the record type (A, AAA, MX, NPTR, and so on).
210 of 304
when DNS_RESPONSE {
set rrsl [DNS::query dnsx nameserver.org SOA]
foreach rrs $rrsl {
foreach rr $rrs {
if { [DNS::type $rr] equals "SOA" } {
DNS::additional insert $rr
}
}
}
}
Related Information
Valid Events:
DNS_REQUEST, DNS_RESPONSE
Required AX Release: 2.7.0 or higher
DNS::question
Gets or sets the question field value.
Note:
211 of 304
Related Information
Valid Events:
DNS_REQUEST, DNS_RESPONSE
Required AX Release: 2.7.0 or higher
DNS::class
Gets or sets the resource record class field (IN, CH, HS, and so on).
Syntax
DNS::class <rr_obj> [value]
Example:
when DNS_RESPONSE {
set rr [DNS::rr google.com 149 IN A 74.125.224.222]
set old_class [DNS::type $rr]
DNS::class $rr "HS"
DNS::answer insert $rr
}
Related Information
Valid Events:
DNS_REQUEST, DNS_RESPONSE
Required AX Release: 2.7.0 or higher
212 of 304
DNS::name
Gets or sets the resource record name field (FQDN); for example,
www.example.com.
Syntax
DNS::name <rr_obj> [value]
Example:
when DNS_RESPONSE {
set rr [DNS::rr google.com 149 IN A 74.125.224.222]
set old_name [DNS::name $rr]
DNS::name $rr "yahoo.com"
DNS::answer insert $rr
}
Related Information
Valid Events:
DNS_REQUEST, DNS_RESPONSE
Required AX Release: 2.7.0 or higher
DNS::rdata
Gets or sets the resource record rdata field.
Syntax
DNS::rdata <rr_obj> [value]
Example:
when DNS_RESPONSE {
set rr [DNS::rr google.com 149 IN A 74.125.224.222]
set old_rdata [DNS::rdata $rr]
DNS::rdata $rr "10.1.1.100"
DNS::answer insert $rr
}
213 of 304
DNS::rr
Creates a new resource record object with the specified attributes or as a
complete string.
Syntax
DNS::rr <name> <type> <class> <ttl> <rdata...> |
<string>>
The <name> is the FQDN (for example, www.example.com).
The <type> specifies the record type (A, AAA, MX, NPTR, and so on).
The <class> specifies the DNS class (IN, CH, HS, and so on).
The <rdata> value depends on the type of RR. For example for an A
record, the <rdata> will be an IP address (X.X.X.X).
Example:
when DNS_RESPONSE {
set rr [DNS::rr www.domain1.com 149 IN A 255.255.255.255]
log rr = $rr
}
when DNS_RESPONSE {
set name [DNS::question name]
set rr1 [DNS::rr $name IN CNAME vip.a10.com]
DNS::answer insert $rr1
}
Related Information
Valid Events:
DNS_REQUEST, DNS_RESPONSE
Required AX Release: 2.7.0 or higher
214 of 304
DNS::ttl
Gets or sets the resource record TTL field.
Syntax
DNS::ttl <rr_obj> [value]
Example:
The following script removes SOA records from the Answer section.
when DNS_RESPONSE {
set rrs [DNS::answer]
foreach rr $rrs {
if { [DNS::type $rr] equals "SOA" } {
DNS::answer remove $rr
}
}
}
Example:
when DNS_RESPONSE {
set rr [DNS::rr google.com 149 IN A 74.125.224.222]
set old_ttl [DNS::type $rr]
DNS::ttl $rr 200
DNS::answer insert $rr
}
Related Information
Valid Events:
DNS_REQUEST, DNS_RESPONSE
Required AX Release: 2.7.0 or higher
DNS::type
Gets or sets the resource record type field (A, AAAA, MX, NPTR, and so
on).
Syntax
DNS::type <rr_obj> [value]
215 of 304
Related Information
Valid Events:
DNS_REQUEST, DNS_RESPONSE
Required AX Release: 2.7.0 or higher
DNS::return
Skips all further processing after tcl execution and sends the DNS packet in
the opposite direction.
Syntax
DNS::return
Example:
when DNS_REQUEST {
if { [DNS::question name] contains "a10.com" } {
DNS::header qr 1
DNS::header ra 1
set name [DNS::question name]
set rr1 [DNS::rr $name 65000 IN CNAME vip.a10.com]
DNS::answer insert $rr1
DNS::return
}
}
Related Information
Valid Events:
DNS_REQUEST, DNS_RESPONSE
Required AX Release: 2.7.0 or higher
216 of 304
DNS::cache
Controls the DNS cache access and update for the current DNS session.
Syntax
DNS::cache <enable | disable>
Enables or disables the DNS cache for the current DNS session.
Note:
This command is only effective when global DNS cache or a DNS cache
template is enabled.
DNS::cache update
Updates the DNS cache with content changed through aFleX.
If a DNSSEC query, bypass the cached response.
Example:
when DNS_REQUEST {
if {[DNS::is_dnssec]} {
log "This is DNSSEC request!"
DNS::cache disable
}
}
Example:
when DNS_RESPONSE {
set rrs [DNS::answer]
DNS::answer remove $rr1
DNS::cache update
}
Related Information
Valid Events:
DNS_REQUEST, DNS_RESPONSE
Required AX Release: 2.7.0 or higher
217 of 304
DNS::is_dnssec
Checks for a DNSSEC query or reply.
Syntax
DNS::is_dnssec
Returns a value of 1 if true, and 0 if false.
Example:
when DNS_REQUEST {
if {[DNS::is_dnssec]} {
log "This is DNSSEC request!"
}
}
Related Information
Valid Events:
DNS_REQUEST, DNS_RESPONSE
Required AX Release: 2.7.0 or higher
DNS::opt
Gets or sets the parameters of a DNS OPT record. If there is no OPT record
in the DNS content, the return value is NULL for get commands.
Syntax
DNS::opt do [value]
Gets or sets the DO value for DNSSEC in an OPT record.
DNS::opt udpsize [value]
Gets or sets the UDP size value in an OPT record.
DNS::opt rcode [value]
Gets or sets the extended RCODE value in an OPT record.
DNS::opt version [value]
Gets or sets the version in an OPT record.
218 of 304
Related Information
Valid Events:
DNS_REQUEST, DNS_RESPONSE
Required AX Release: 2.7.0 or higher
DNS Example
The following script uses some of the DNS commands described above to
perform DNS blackholing of malware sites.
When a user sends a query, the script inspects the destination. The the destination matches a list of well-known malware domains, the script returns the
address of an internal site where remediation, or at least notification, can
take place. In either event, the request is not sent to the malicious destination. The user and organization are protected.
The black-listed domains can be imported into a class list. You can import
black-listed domains from the big list at the following site: mirror1.malwaredomains.com
Here is an example class list:
class-list Blacklist string
str .abbcp.cn type1
str .3dglases-panasonic-tv.com type2
The first field is the domain, and the second field is a type description. The
first will match your traffic, the second is strictly for classification purposes
and can be edited as necessary.
Customer Driven Innovation
Doc. No.: D-030-01-00-0007 - aFleX 2.0, ACOS 2.7.1 7/2/2013
219 of 304
220 of 304
221 of 304
SIP Commands
SIP::call_id
Returns the value of the Call-ID header in a SIP request.
Syntax
SIP::call_id
Example:
SIP::from
Returns the value of the From header in a SIP request.
Syntax
SIP::from
Example:
SIP::header
Returns SIP header header-name.
Syntax
SIP::header [<value>] header-name [<index>]
The <value> option specifies the header value. The <index> option indicates the header to act upon, in cases where there are multiple header levels.
Without the <index> option, the first instance of the header is acted upon by
the aFleX policy.
222 of 304
SIP::header insert
Inserts the specified SIP header-name:header-value pair at position
<index>.
Syntax
SIP::header insert header-name header-value
<index>
If you do not specify the <index>, the header is inserted prior to any preexisting header of the same name and value. If no such header exists, a
via header is inserted at the head of the SIP headers, and others are
inserted at the tail.
Example:
SIP::method
Returns the type of the SIP request method.
Syntax
SIP::method
Example:
223 of 304
SIP::respond
Sends back a response with the specified code, phrase, and headername:header-value pair.
Syntax
SIP::respond code <"phrase" <"header-name"
"header-value">>
Example:
SIP::response
Gets the SIP response code or response phrase, or rewrites the response
code and phrase, if specified.
Syntax
SIP::response code
Gets the SIP response code.
SIP::response phrase
Gets the response phrase.
SIP::response rewrite code <phrase>
Rewrites the response code and phrase, if specified.
Example:
224 of 304
SIP::to
Returns the value of the To header in the SIP request.
Syntax
SIP::to
Example:
SIP::uri
Returns the complete URI of the request.
Syntax
SIP::uri
Example:
SIP::via
Gets SIP via information.
Syntax
SIP::via [<index>]
Gets the information in the SIP via header. If you specify the <index>,
only the information at the specified index level is returned.
SIP::via proto [<index>]
Gets the protocol part of the SIP via at the specified index level. If you
specify the <index>, only the information at the specified index level is
returned.
225 of 304
226 of 304
SIP-REQUEST
*******************"
227 of 304
log "---------------------------------------------------"
228 of 304
229 of 304
Example 3:
when SIP_REQUEST_SEND {
if { [SIP::method] contains "SUBSCRIBE" } {
log "*****************
SIP-REQUEST-SEND
*******************"
230 of 304
log "---------------------------------------------------"
SIP::header insert From "<sip:218@mysip.com>;tag=1043119751"
log "SIP::header insert From index1 [SIP::header From]"
log "SIP::header From [SIP::header From]"
SIP::header insert Via "SIP/2.0/UDP
171.1.1.217:5060;rport;branch=z9hG4bk11229103"
231 of 304
232 of 304
Related Information
Valid Events: All
233 of 304
Related Information
Valid Events:
CACHE_REQUEST, CACHE_RESPONSE
Required AX Release: 2.6.1 or higher
CACHE::disable
Disables caching for the current HTTP request.
Syntax
CACHE::disable
Example:
when HTTP_REQUEST {
if { not ([HTTP::uri] contains "images") } {
CACHE::disable
}
}
234 of 304
CACHE::enable
Forces caching of an object.
Syntax
CACHE::enable [<age>]
The age option specifies how long (in seconds) the object should be
cached. If you do not specify an age, the age specified in the RAM caching
template is used.
Example:
when HTTP_REQUEST {
if { [HTTP::uri] contains "images" } {
CACHE::enable 10000
}
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_RESPONSE, CACHE_REQUEST,
CACHE_RESPONSE
Required AX Release: 2.6.1 or higher
CACHE::expire
Forces a cached object to be revalidated from the server.
Syntax
CACHE::expire
235 of 304
Related Information
Valid Events:
CACHE_REQUEST, CACHE_RESPONSE
Required AX Release: 2.6.1 or higher
CACHE::headers
Returns the HTTP headers of a cached object. The <name>/<value> pairs
are returned in a Tcl list.
Syntax
CACHE::headers
Example:
when CACHE_RESPONSE {
# log all HTTP headers sent in cache response.
log local0. [CACHE::headers]
}
Related Information
Valid Events:
CACHE_REQUEST, CACHE_RESPONSE
Required AX Release: 2.6.1 or higher
236 of 304
CACHE::hits
Returns the number of cache hits for a cached object.
Syntax
CACHE::hits
Example:
when CACHE_REQUEST {
log "[CACHE::hits] cache hits for document at [HTTP::uri]"
}
Related Information
Valid Events:
CACHE_REQUEST, CACHE_RESPONSE
Required AX Release: 2.6.1 or higher
237 of 304
DIAMETER::app_id
Returns the application ID of a Diameter message.
Syntax
DIAMETER::app_id
Example:
when DIAMETER_REQUEST {
log "DIAMETER::app_id = [DIAMETER::app_id]"
}
Related Information
Valid Events:
DIAMETER_REQUEST, DIAMETER_ANSWER,
DIAMETER_REQUEST_SEND, DIAMETER_ANSWER_SEND
DIAMETER::avp
Reads, writes, or deletes AVPs.
Syntax
DIAMETER::avp count
Returns the number of AVPs.
DIAMETER::avp get_ids [<avp_code> | <name>]
Returns a list of the IDs of AVPs with matching <avp_code> or <name>. If
the <avp_code> or <name> is not specified, the IDs of all AVPs are
returned.
Note:
The order of IDs might not be the same as the order of the AVPs in the
packet.
DIAMETER::avp <id> code [name | type]
Returns the numeric AVP code of the AVP with ID <id>. If the [name] is
specified and the AVP is a standard AVP, a user-readable string is returned;
otherwise, an empty string is returned. If [type] is specified, and the AVP is
a standard AVP, its type is returned; otherwise, an empty string is returned.
238 of 304
239 of 304
Example:
when DIAMETER_REQUEST {
set ids [DIAMETER::avp get_ids]
for { set i 0 } { $i < [llength $ids] } { incr i } {
set id [lindex $ids $i]
log
log
log
log
log
log
log
log
"DIAMETER::avp
"DIAMETER::avp
"DIAMETER::avp
"DIAMETER::avp
"DIAMETER::avp
"DIAMETER::avp
"DIAMETER::avp
"DIAMETER::avp
$id
$id
$id
$id
$id
$id
$id
$id
}
}
Example:
when DIAMETER_REQUEST {
set ids [DIAMETER::avp get_ids]
for { set i 0 } { $i < [llength $ids] } { incr i } {
set id [lindex $ids $i]
DIAMETER::avp $id delete
}
}
240 of 304
$newid
$newid
$newid
$newid
$newid
$newid
$newid
$newid
Example:
when DIAMETER_REQUEST_SEND {
set newid [DIAMETER::avp 0 insert 12345 6789 VMP 567 type Unsigned32]
DIAMETER::avp $newid replace value 12345 type Unsigned32 flags VMP 567
log "DIAMETER::avp
log "DIAMETER::avp
log "DIAMETER::avp
log "DIAMETER::avp
log "DIAMETER::avp
Unsigned32]"
}
$newid
$newid
$newid
$newid
$newid
Related Information
Valid Events:
DIAMETER_REQUEST, DIAMETER_ANSWER,
DIAMETER_REQUEST_SEND, DIAMETER_ANSWER_SEND
DIAMETER::cmd_code
Returns the command code, or its name, of a Diameter message. If [name] is
specified, an empty string or one of the following is returned as appropriate:
ASR, ASA, ACR, ACA, CER, CEA, DWR, DWA, DPR, DPA, RAR, RAA,
STR, or STA.
Syntax
DIAMETER::cmd_code [name]
If you use the [name] option, the name is returned,. If you omit the [name]
option, the command code is returned instead.
241 of 304
Example:
when DIAMETER_REQUEST {
log "DIAMETER::cmd_code name = [DIAMETER::cmd_code name]"
}
Related Information
Valid Events:
DIAMETER_REQUEST, DIAMETER_ANSWER,
DIAMETER_REQUEST_SEND, DIAMETER_ANSWER_SEND
DIAMETER::length
Returns the length of a Diameter message.
Syntax
DIAMETER::length
Example:
when DIAMETER_REQUEST {
log "DIAMETER::length = [DIAMETER::length]"
}
Related Information
Valid Events:
DIAMETER_REQUEST, DIAMETER_ANSWER,
DIAMETER_REQUEST_SEND, DIAMETER_ANSWER_SEND
DIAMETER::version
Returns the version of a Diameter message.
Syntax
DIAMETER::version
242 of 304
Related Information
Valid Events:
DIAMETER_REQUEST, DIAMETER_ANSWER,
DIAMETER_REQUEST_SEND, DIAMETER_ANSWER_SEND
243 of 304
RADIUS::code
Returns the RADIUS message code.
Syntax
RADIUS::code
Example:
when CLIENT_DATA {
log "RADIUS code=[RADIUS::code]"
}
Related Information
Valid Events:
CLIENT_DATA, SERVER_DATA
Required AX Release: 2.6.1-GR1 or higher
RADIUS::id
Returns the RADIUS message ID.
Syntax
RADIUS::id
Example:
when CLIENT_DATA {
log "RADIUS id=[RADIUS::id]"
}
244 of 304
RADIUS::length
Returns the RADIUS message length.
Syntax
RADIUS::length
Example:
when CLIENT_DATA {
log "RADIUS message length=[RADIUS::length]"
}
Related Information
Valid Events:
CLIENT_DATA, SERVER_DATA
Required AX Release: 2.6.1-GR1 or higher
SSL Commands
This section describes the SSL commands.
Note:
In AX Release 2.6.1-P2 and later, the SSL::cert command returns certificates in DER format. In previous releases, this command returns certificates in text format.
To return a certificate in text format instead, X509::text on page 261.
To return a certificate in PEM format instead, X509::whole on
page 263.
Note:
ACOS 2.7.1 SSL commands are supported only on HTTP virtual port 80
and are not supported on HTTPS virtual ports or other port numbers. The
SSL commands introduced in releases previous to ACOS 2.7.1 are supported for both HTTP and HTTPS virtual ports.
245 of 304
SSL::cert
Returns the SSL certificate with the specified level in the certificate chain.
The level is 0-based.
Note:
The SSL::cert command returns certificates in DER format. In previous releases, this command returns certificates in text format.
Syntax
SSL::cert <level>
Example:
when CLIENTSSL_CLIENTCERT {
set cert [SSL::cert 0]
session add ssl [SSL::sessionid] $cert
}
when HTTP_REQUEST {
if { [SSL::cert count] > 5 } {
set issuer [SSL::cert issuer 2]
log "issuer $issuer"
} else {
SSL::cert mode request
}
}
Related Information
Valid Events
CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE,
HTTP_REQUEST, HTTP_REQUEST_DATA,
HTTP_REQUEST_SEND, HTTP_RESPONSE,
HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE
246 of 304
SSL::cert count
Returns the number of certificates in the certificate chain.
Syntax
SSL::cert count
Example:
See the example for SSL::cert on page 246.
Related Information
Valid Events: See SSL::cert on page 246.
SSL::cert issuer
Returns the issuer of the certificate with the specified level.
Syntax
SSL::cert issuer <index>
Example:
SSL::cert mode
Sets the certificate mode. This setting overrides the mode setting in the template.
Syntax
SSL::cert mode <request | require | ignore |
auto>
Example:
See the example for SSL::cert on page 246.
Related Information
Valid Events: See SSL::cert on page 246.
Customer Driven Innovation
Doc. No.: D-030-01-00-0007 - aFleX 2.0, ACOS 2.7.1 7/2/2013
247 of 304
SSL::cipher
Returns SSL cipher information.
Syntax
SSL::cipher name
Returns the current SSL cipher name using the format of the OpenSSL
SSL_CIPHER_get_name() function (for example, EDH-RSA-DESCBC3-SHA" or "RC4-MD5).
SSL::cipher version
Returns the current SSL cipher version using the format of the OpenSSL
SSL_CIPHER_get_version() function (for example, SSLv2, SSLv3, or
TLSv1).
SSL::cipher bits
Returns the number of secret bits that the current SSL cipher used, using the
format of the OpenSSL SSL_CIPHER_get_bits() function (for example,
128 or 40).
Example:
when HTTP_REQUEST {
log "[IP::remote_addr]: SSL cipher strength is [SSL::cipher bits]"
# Check encryption strength
if { [SSL::cipher bits] < 128 } {
# Client is using a weak cipher, so redirect to a URL showing a sorry page
HTTP::respond 302 Location "http://10.10.10.10/sorry.html" Cache-Control
No-Cache Pragma No-Cache
} else {
pool web_servers
}
}
Related Information
Valid Events:
CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE,
HTTP_REQUEST, HTTP_REQUEST_DATA,
HTTP_REQUEST_SEND, HTTP_RESPONSE,
HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE
Required AX Release: 2.6.1
248 of 304
SSL::sessionid
Returns the current SSL session ID.
Syntax
SSL::sessionid
Note:
Example:
when CLIENTSSL_HANDSHAKE {
set cert [SSL::cert 0]
session add ssl [SSL::sessionid] $cert 300
}
Related Information
Valid Events
CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE,
HTTP_REQUEST, HTTP_REQUEST_DATA,
HTTP_REQUEST_SEND, HTTP_RESPONSE,
HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE
249 of 304
SSL::verify_result
If <result_code> is not specified, returns the result code of the peer certification verification. If <result_code> is specified, sets the result code of the
peer certification verification.
Syntax
SSL::verify_result [<result_code>]
Example:
when CLIENTSSL_HANDSHAKE {
set result [ X509::verify_cert_error_string [SSL::verify_result]]
log "Result is $result"
}
Related Information
Valid Events
CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE,
HTTP_REQUEST, HTTP_REQUEST_DATA,
HTTP_REQUEST_SEND, HTTP_RESPONSE,
HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE
SSL::disable
Disables SSL on either the client or server side.
Syntax
SSL::disable [clientside | serverside]
Example:
when CLIENT_ACCEPTED {
SSL::disable
SSL::disable serverside
}
Valid Events
HTTP_REQUEST,HTTP_REQUEST_DATA, HTTP_REQUEST_SEND,
CLIENTSSL_CLIENTCERT,CLIENTSSL_HANDSHAKE,
CLIENT_ACCEPTED,SERVER_CONNECTED
Required Release: ACOS 2.7.1 or higher
250 of 304
SSL::enable
Enables SSL for either the client or server side.
Syntax
SSL::enable [clientside | serverside]
Example:
when CLIENT_ACCEPTED {
SSL::enable
SSL::enable serverside
}
Valid Events
HTTP_REQUEST,HTTP_REQUEST_DATA,
HTTP_REQUEST_SEND,CLIENTSSL_CLIENTCERT,
CLIENTSSL_HANDSHAKE,CLIENT_ACCEPTED,
SERVER_CONNECTED
Required Release: ACOS 2.7.1 or higher
SSL::mode
Returns a 1 when SSL is enabled or a 0 when SSL is disabled. This command can apply to either the client or server side.
Note:
The certificate mode, set with the command SSL::cert mode, can override
the mode set in the SSL template.
Syntax
SSL::mode
Example:
when CLIENT_ACCEPTED {
SSL::template t1
}
when HTTP_REQUEST {
log "SSL::mode = [SSL::mode]"
}
251 of 304
SSL::sessionid
Returns the current SSL session ID number.
Syntax
SSL::sessionid
Example:
when CLIENTSSL_HANDSHAKE {
set cert [SSL::cert 0]
session add ssl [SSL::sessionid] $cert 300
}
Valid Events
CLIENTSSL_CLIENTCERT,CLIENTSSL_HANDSHAKE,
HTTP_REQUEST,HTTP_REQUEST_DATA,
HTTP_REQUEST_SEND,HTTP_RESPONSE,
HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE
Required Release: ACOS 2.7.1 or higher
SSL::template
Applies an SSL template to either the client or server side of a connection.
Syntax
SSL::template <templatename>
Applies an SSL template on either the client or server side, depending
on the context of the event.
SSL::template [clientside|serverside]
<templatename>
Applies an SSL template for specifically the client or server side only.
252 of 304
Valid Events
HTTP_REQUEST,HTTP_REQUEST_DATA, HTTP_REQUEST_SEND,
CLIENTSSL_CLIENTCERT,CLIENTSSL_HANDSHAKE,
CLIENT_ACCEPTED,SERVER_CONNECTED,
SERVERSSL_HANDSHAKE, LB_SELECTED
Required Release: ACOS 2.7.1 or higher
SSL::session invalidate
Disables reuse of the SSL Session ID for the client. This command is valid
only after the SSL handshake is complete for the client side of the connection.
Syntax
SSL::session invalidate
Example:
when CLIENT_ACCEPTED {
SSL::template t1
}
when CLIENTSSL_HANDSHAKE {
SSL::session invalidate
}
Valid Events
HTTP_REQUEST,HTTP_REQUEST_DATA, HTTP_REQUEST_SEND,
CLIENTSSL_CLIENTCERT,CLIENTSSL_HANDSHAKE,
CLIENT_ACCEPTED,SERVER_CONNECTED,
SERVERSSL_HANDSHAKE
Required Release: ACOS 2.7.1 or higher
253 of 304
X509 Commands
This section describes the X.509 commands.
Note:
X509::extensions
Returns the X.509 extensions set on the specified X.509 certificate. If an
invalid certificate is supplied, a runtime TCL error is generated.
Note:
Example:
when CLIENTSSL_CLIENTCERT {
set cert [SSL::cert 0]
log local0. "Client cert extensions - [X509::extensions $cert]"
}
254 of 304
Related Information
Valid Events: All
255 of 304
X509::hash
Returns the MD5 (default) or SHA1 hash (fingerprint) of the specified
X.509 certificate.
Note:
when HTTP_REQUEST {
set client_cert [SSL::cert 0]
log local0. "Cert hash - [X509::hash $client_cert]"
set cert_hash [X509::hash $client_cert]
}
Example 2
This example prints a text string of the X509::hash command output.
when CLIENTSSL_CLIENTCERT {
set hash [X509::hash sha1 [SSL::cert 0]]
binary scan $hash H* sha1str
log "X-LB-Cert-Thumbprint: $sha1str
}
Related Information
Valid Events: All
Required AX Release: 2.6.1-P2
X509::issuer
Returns the issuer of the X.509 certificate.
Syntax
X509::issuer
256 of 304
Related Information
Valid Events:
CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE,
HTTP_REQUEST, HTTP_REQUEST_DATA,
HTTP_REQUEST_SEND, HTTP_RESPONSE,
HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE
X509::not_valid_after
Returns the not-valid-after date of an X.509 certificate.
Syntax
X509::not_valid_after
Example:
when CLIENTSSL_HANDSHAKE {
set not_valid_after [X509::not_valid_after [SSL::cert 0]]
log "Not Valid After: $not_valid_after"
}
Related Information
Valid Events:
CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE,
HTTP_REQUEST, HTTP_REQUEST_DATA,
HTTP_REQUEST_SEND, HTTP_RESPONSE,
HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE
257 of 304
X509::not_valid_before
Returns the not-valid-before date of an X.509 certificate.
Syntax
X509::not_valid_before
Example:
when CLIENTSSL_HANDSHAKE {
set not_valid_before [X509::not_valid_before [SSL::cert 0]]
log "Not Valid Before: $not_valid_before"
}
Related Information
Valid Events:
CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE,
HTTP_REQUEST, HTTP_REQUEST_DATA,
HTTP_REQUEST_SEND, HTTP_RESPONSE,
HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE
X509::serial_number
Returns the serial number of an X.509 certificate.
Syntax
X509::serial_number
Example:
when CLIENTSSL_HANDSHAKE {
set serial_number [X509::serial_number [SSL::cert 0]]
log "Serial Number: $serial_number"
}
Related Information
Valid Events:
CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE,
HTTP_REQUEST, HTTP_REQUEST_DATA,
HTTP_REQUEST_SEND, HTTP_RESPONSE,
HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE
258 of 304
X509::signature_algorithm
Returns the signature algorithm of the specified X.509 certificate.
Syntax
X509::signature_algorithm <X509 certificate>
Example:
when LB_SELECTED {
set cert [SSL::cert 0]
log local0. "Cert signature_algorithm - [X509::signature_algorithm $cert]"
}
Related Information
Valid Events: All
X509::subject
Returns the subject of an X.509 certificate.
Syntax
X509::subject
Example:
when CLIENTSSL_HANDSHAKE {
set subject [X509::subject [SSL::cert 0]]
log "subject $subject"
}
Related Information
Valid Events
CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE,
HTTP_REQUEST, HTTP_REQUEST_DATA,
HTTP_REQUEST_SEND, HTTP_RESPONSE,
HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE
259 of 304
X509::subject_public_key
Returns the subjects public key of the specified X.509 certificate.
Syntax
X509::subject_public_key <X509 certificate>
Example:
when CLIENTSSL_CLIENTCERT {
set client_cert [SSL::cert 0]
log local0. "Cert subject - [X509::subject $client_cert]"
log local0. "Cert public key - [X509::subject_public_key $client_cert]"
}
Related Information
Valid Events: All
Required AX Release: 2.6.1-P2
X509::subject_public_key_RSA_bits
Returns the size of the subjects public RSA key of an X.509 certificate.
Note:
This command is only applicable when the public key type is RSA. Otherwise, the command generates an error.
Syntax
X509::subject_public_key_RSA_bits
<X509 certificate>
Example:
when CLIENTSSL_CLIENTCERT {
set client_cert [SSL::cert 0]
log local0. "Cert subject - [X509::subject $client_cert]"
log local0. "Cert public key - [X509::subject_public_key_RSA_bits $client_cert]"
}
Related Information
Valid Events: All
Required AX Release: 2.6.1-P2
260 of 304
X509::subject_public_key_type
Returns the subjects public key type of the specified X.509 certificate. The
returned value can be RSA, DSA, or unknown.
Syntax
X509::subject_public_key_type <X509 certificate>
Example:
when CLIENTSSL_CLIENTCERT {
set client_cert [SSL::cert 0]
log local0. "Cert subject - [X509::subject $client_cert]"
log local0. "Cert public key type - [X509::subject_public_key_type client_cert]"
if { [X509::subject_public_key_type $client_cert] equals "unknown" } {
SSL::verify_result 50
}
set error_code [SSL::verify_result]
log local0. "Cert verify result - [X509::verify_cert_error_string $error_code]"
}
Related Information
Valid Events: All
Required AX Release: 2.6.1-P2
X509::text
Return a certificate in human-readable (text) format.
Syntax
X509::text <X509 certificate>
Example:
when CLIENTSSL_CLIENTCERT {
set client_cert [SSL::cert 0]
set cert_text "[X509::text $client_cert]"
}
Related Information
Valid Events: All
Required AX Release: 2.6.1-P2
261 of 304
X509::verify_cert_error_string
Returns the error string as an OpenSSL X.509 error string.
Syntax
X509::verify_cert_error_string
Example:
when CLIENTSSL_HANDSHAKE {
set result [X509::verify_cert_error_string [SSL::verify_result]]
log "result $result"
}
Related Information
Valid Events
CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE,
HTTP_REQUEST, HTTP_REQUEST_DATA,
HTTP_REQUEST_SEND, HTTP_RESPONSE,
HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE
X509::version
Returns the version number of an X.509 certificate.
Syntax
X509::version
Example:
when CLIENTSSL_HANDSHAKE {
set version [X509::version [SSL::cert 0]]
log "Version Number: $version"
}
Related Information
Valid Events:
CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE,
HTTP_REQUEST, HTTP_REQUEST_DATA,
HTTP_REQUEST_SEND, HTTP_RESPONSE,
HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE
262 of 304
X509::whole
Returns the entire X.509 certificate in PEM format.
Syntax
X509::whole <X509 certificate>
Example:
when CLIENTSSL_CLIENTCERT {
set client_cert [SSL::cert 0]
log local0. "[X509::whole $client_cert]"
}
Example:
when HTTP_REQUEST {
if { [SSL::cert count] > 0 } {
HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" [X509::whole
[SSL::cert 0]]
}
}
Related Information
Valid Events: All
Required AX Release: 2.6.1-P2
263 of 304
STATS Commands
STATS::clear
Clears statistics for a real server (node), virtual server, or service group
(pool).
Syntax Clear Real Server Statistics:
To clear statistics for a real server, use the following command:
STATS::clear server <server-name | ipaddr>
[<port-num> <tcp | udp>]
current-connection | total-connection | request-pkt |
response-pkt
[partition shared]
Example:
when HTTP_REQUEST {
STATS::clear server rs-server-2 80 tcp total-connection
STATS::clear virtual-server vip-1 80 http total-connection
STATS::clear pool sg-tcp80 total-connection
}
Related Information
Valid Events: All
264 of 304
STATS::get
Retrieves statistics for a real server (node), virtual server, or service group
(pool).
Syntax Get Real Server Statistics:
To retrieve statistics from a real server, use the following command:
STATS::get server <server-name | ipaddr>
[<port-num> <tcp | udp>]
current-connection | total-connection | request-pkt |
response-pkt
[partition shared]
The shared partition option applies the command to real servers in the
shared partition. By default, the STATS::get command acts only upon
the real servers located in the Role-Based Administration (RBA) partition
that contains the aFleX policy.
Syntax Get Virtual Server Statistics:
To retrieve statistics from a virtual server, use the following command:
STATS::get virtual-server <vip-name| vipaddr>
[<port-num> <service-type>]
current-connection | total-connection | request-pkt |
response-pkt
[partition shared]
You can specify the virtual server by its name or VIP address (<vip-name>
or <vipaddr>).
265 of 304
Example:
when CLIENT_ACCEPTED {
node 10.10.10.10 80
}
}
266 of 304
TCP Commands
TCP::client_port
Returns the TCP port/service number of the specified client. This command
is equivalent to the command clientside { TCP::remote_port }
and to client_port.
Syntax
TCP::client_port
Example:
when CLIENT_ACCEPTED {
if { [TCP::client_port] > 1000 } {
pool slow_pool
}
else {
pool fast_pool
}
}
Related Information
Valid Events: All
TCP::close
Closes the TCP connection.
Syntax
TCP::close
Example:
when CLIENT_ACCEPTED {
TCP::collect
}
when CLIENT_DATA {
if {[TCP::payload] contains "abc"} {
pool abc_pool
TCP::release
} else {
TCP::close
}
}
267 of 304
TCP::collect
Causes TCP to start collecting the specified amount of content data.
Syntax
TCP::collect <length>
The <length> parameter specifies the minimum number of bytes to collect.
Example:
when CLIENT_ACCEPTED {
TCP::collect 15
}
when CLIENT_DATA {
if { [TCP::payload 15] contains "XYZ" } {
pool xyz_servers
} else {
pool web_servers
}
}
Related Information
Valid Events:
CLIENT_ACCEPTED
Support for Generic TCP Proxy
The generic tcp-proxy service type, new in AX Release 2.6, is also supported in aFleX.
Specifically, you can use the TCP::collect [<length>] command
to collect payload data on a tcp-proxy virtual port.
The script behavior differs slightly depending on whether the <length>
option is used.
TCP::collect <length>
268 of 304
the DATA event. Thus, a TCP release will be performed even if the
script does not contain the TCP::release command.
The collect flag will be disabled following the DATA event. TCP::col-
TCP::collect
If the <length> option is not specified:
DATA event is triggered when first data packet is received.
If the event does not contain the TCP::release command, the
269 of 304
270 of 304
when CLIENT_ACCEPTED {
TCP::collect
}
when CLIENT_DATA {
set tcplen [TCP::payload length]
log "length = ($tcplen)"
if { [TCP::payload ] contains "XYZ" } {
pool xyz_servers
} else {
pool web_servers
}
TCP::release
}
271 of 304
Example:
Collect first 2000 bytes of data and trigger DATA event. To perform
this operation, the script uses the following:
Example:
CLIENT_ACCEPTED event
TCP::release command at the end of CLIENT_DATA event
when CLIENT_ACCEPTED {
TCP::collect 2000
}
when CLIENT_DATA {
set tcplen [TCP::payload length]
log "length = ($tcplen)"
if { [TCP::payload ] contains "XYZ" } {
pool xyz_servers
} else {
pool web_servers
}
TCP::release
}
272 of 304
If the total TCP payload is less than the collect <length>, the ACOS
device will keep waiting for more data from the client, and can not forward to the server as expected. Make sure to specify the correct length
value in the script.
Note:
If the collect <length> is specified, aFleX does not allow TCP::collect to be used again in the DATA event.
Collect the first 3 data packets then forward to the server. To perform
this operation, the script uses the following:
Example:
TCP::local_port
Returns the local TCP port/service number. This command is equivalent to
the variable local_port.
Syntax
TCP::local_port
273 of 304
TCP::mss
Returns the on-wire Maximum Segment Size (MSS) for a TCP connection.
Syntax
TCP::mss
Example:
when CLIENT_ACCEPTED {
log "MSS is [TCP::mss]"
}
TCP::rtt
Returns the smoothed round-trip time (RTT) estimate for a TCP connection.
Syntax
TCP::rtt
Notes:
Divide the returned value by 2 to get the actual round-trip time in milli-
seconds.
The RTT takes some time to converge.
274 of 304
Related Information
Valid Events: All
Required AX Release: 2.7.0 or higher
TCP::offset
Returns the position in the TCP data stream in which the collected TCP data
starts.
Syntax
TCP::offset
Example:
when CLIENT_ACCEPTED {
TCP::collect
}
when CLIENT_DATA {
if {[TCP::offset] > 1000} {
TCP::release
}
}
275 of 304
TCP::payload
Returns the accumulated TCP data content, or replaces collected payload
with the specified data.
Syntax
TCP::payload [<size>]
TCP::payload <offset> <size>
TCP::payload length
TCP::payload [<size>]
Returns the accumulated TCP data content.
TCP::payload <offset> <size>
Returns the accumulated TCP data content start from <offset>.
TCP::payload length
Returns the amount of accumulated TCP data content in bytes.
TCP::payload <offset> <size> <data>
Returns collected payload with the given data.
Note:
Example:
when CLIENT_ACCEPTED {
TCP::collect
}
when CLIENT_DATA {
if { [TCP::payload] contains "flower" } {
pool http-sg2
} else {
pool http-sg3
}
}
Related Information
Valid Events
CLIENT_DATA, SERVER_DATA
276 of 304
TCP::release
Causes TCP to resume processing the connection and flush collected data.
Syntax
TCP::release
Example:
when CLIENT_ACCEPTED {
TCP::collect 1500
}
when CLIENT_DATA {
if {[TCP::offset] > 1000} {
TCP::release
}
}
TCP::remote_port
Returns the remote TCP port/service number.
When used with the clientside command (that is,
clientside TCP::remote_port), the TCP::remote_port command is equivalent to the TCP::client_port command.
When used with the serverside command (that is,
serverside TCP::remote_port), the TCP::remote_port command is equivalent to the TCP::server_port command.
Note:
Example:
when SERVER_CONNECTED {
log "server TCP port = [TCP::remote_port]"
}
277 of 304
TCP::server_port
Returns the TCP port/service number of the specified server. This command
is equivalent to the command serverside { TCP::remote_port }
and to the deprecated variable server_port.
Syntax
TCP::server_port
Example:
when SERVER_CONNECTED {
if { [TCP::server_port] > 1000 } {
pool slow_pool
}
else {
pool fast_pool
}
}
TCP::respond
Sends the specified data directly to the peer. This command can be used to
complete a protocol handshake.
Syntax
TCP::respond <data>
The <data> parameter specifies the data to send to the peer.
Example:
when HTTP_REQUEST {
if {([HTTP::method] eq "POST") && [HTTP::header exists "Expect"] } {
HTTP::header remove "Expect"
TCP::respond "HTTP/1.1 100 Continue\r\n\r\n"
}
}
Example:
278 of 304
The aFleX example below looks for an EHLO <hostname> command and responds with a specific error message. This script intercepts the TCP stream between a webserver that is behind the ACOS
device and an SMTP server that is external to the ACOS device.
Related Information
Valid Events:
CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA,
SERVER_CONNECTED, SERVER_CLOSED, SERVER_DATA
Required AX Release: 2.7.0 or higher
TIME Commands
TIME::clock
Return the system time, in seconds or milliseconds. This command is used
in a SMP environment for high-performance processing.
Note:
Example:
when CLIENT_ACCEPTED {
set curtime [TIME::clock seconds]
set formattedtime [clock format $curtime -format {%H:%S} ]
log "the time is: $formattedtime"
}
Related Information
Valid Events: All
279 of 304
UDP Commands
UDP::client_port
Returns the UDP port/service number of the client system. This command is
equivalent to the command clientside { UDP::remote_port }.
Syntax
UDP::client_port
Example:
when CLIENT_ACCEPTED {
if { [UDP::client_port] equals 80 } {
pool pool-80
}
}
Related Information
Valid Events
CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA,
SERVER_CONNECTED, SERVER_CLOSED, SERVER_DATA
UDP::local_port
Returns the local UDP port/service number.
Syntax
UDP::local_port
Example:
when CLIENT_ACCEPTED {
if {[IP::protocol] == 47 || [TCP::local_port] == 1723} {
# GRE used by MS PPTP server, TCP control channel
pool ms_pptp
} elseif {[IP::protocol] == 50 || [IP::protocol] == 51 || [UDP::local_port]
== 500} {
# AH and ESP used by IPSec, IKE used by IPSec
pool ipsec_pool
} elseif {[IP::protocol] == 115} {
pool l2tp_pool
# L2TP Protocol server
}
}
280 of 304
UDP::payload
Returns the content or length of the current UDP payload.
Syntax
UDP::payload [<size>]
Returns the content of the current UDP payload.
UDP::payload length
Returns the length, in bytes, of the current UDP payload.
UDP::payload <offset> <size>
Returns the content of the current UDP payload from <offset>.
UDP::payload replace <offset> <size> <new_data>
Stating at <offset>, replaces the <size> of the collected payload with
the specified <new_data>.
Note:
Note:
Example:
when CLIENT_ACCEPTED {
TCP::collect
}
when CLIENT_DATA {
if { [UDP::payload 12 20] contains "a10networks" } {
pool dns-sg1
} else {
pool dns-sg2
}
}
281 of 304
In the following example, the payload is emptied and filled with data
from the packetdata string sent to the server
when CLIENT_DATA {
UDP::payload replace 0 [UDP::payload length] ""
# craft a string to hold data, 0x01 0x00 0x00 0x00 0x02 0x00 0x00 0x00 0x03
0x00 0x00 0x00
set packetdata [binary format i1i1i1 1 2 3 ]
UDP::payload replace 0 0 $packetdata
}
Related Information
Valid Events
CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA,
SERVER_CONNECTED, SERVER_CLOSED, SERVER_DATA
UDP::remote_port
Returns the remote UDP port/service number.
Syntax
UDP::remote_port
Example:
when CLIENT_ACCEPTED {
if { [UDP::remote_port] equals 80 } {
pool pool-80
}
}
Related Information
Valid Events:
CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA,
SERVER_CONNECTED, SERVER_CLOSED, SERVER_DATA
UDP::server_port
Returns the UDP port/service number of the server. This command is equivalent to the command serverside { UDP::remote_port }.
282 of 304
Related Information
Valid Events:
CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA,
SERVER_CONNECTED, SERVER_CLOSED, SERVER_DATA
UDP::respond
Sends the specified data directly to the peer. This command can be used to
complete a protocol handshake.
Syntax
UDP::respond <data>
The <data> parameter specifies the data to send to the peer.
Example:
when CLIENT_DATA {
if { [UDP::payload] contains "abc"] } {
UDP::respond "xyz"
}
}
Example:
when CLIENT_DATA {
set payload "Error: Client not allowed."
if { [IP::remote_addr] eq 10.10.10.1 } {
UDP::drop
UDP::respond $payload
}
}
283 of 304
Related Information
Valid Events:
CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA,
SERVER_CONNECTED, SERVER_CLOSED, SERVER_DATA
Required AX Release: 2.7.0 or higher
URI Commands
URI::decode
Returns a decoded version of a given URI.
Syntax
URI::decode <uri>
The following script decodes URI string whoa%20%30%31%32
and writes the decoded string to the log:
Example:
when HTTP_REQUEST {
set d "whoa%20%30%31%32"
set e [URI::decode $d]
log "Decoded string=$e"
}
Example:
The following script decodes the URIs in every HTTP request and
writes both the encoded and decoded strings to the log:
when HTTP_REQUEST {
log "The decoded version of \"[HTTP::query]\" is \"[URI::decode
[HTTP::query]]\""
}
284 of 304
Related Information
Valid Events
HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE,
HTTP_RESPONSE_DATA
URI::encode
Returns an encoded version of a given URI.
Syntax
URI::encode <uri>
The following script encodes URI string this is a test (&*@#\[\])
and writes the encoded string to the log:
Example:
when HTTP_REQUEST {
set a "this is a test (&*@#\[\])"
set b [URI::encode $a]
log "Encoded string=$b"
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE,
HTTP_RESPONSE_DATA
285 of 304
URI::basename
The basename portion of the given URI.
For example, given the URI below:
/path/to/file.ext?=param=value
The command URI::basename returns the following:
file.ext
Syntax
URI::basename <uri>
Example:
when HTTP_REQUEST {
set uri [HTTP::uri]
log "$uri basename=[URI::basename $uri]"
}
Related Information
Valid Events:
HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE,
HTTP_RESPONSE_DATA
URI::path
The path portion of the given URI.
For example, given the URI below:
/path/to/file.ext?=param=value
The command URI::path returns the following:
/path/to/
Syntax:
URI:path <uri>
URI::path <uri> depth
The depth option returns the path depth.
286 of 304
Related Information
Valid Events:
HTTP_REQUEST,HTTP_REQUEST_DATA,HTTP_RESPONSE,
HTTP_RESPONSE_DATA
URI::query
The query string portion of the given URI.
For example, given the URI below:
/path/to/file.ext?=param=value
The command URI::path returns the following:
param=value
Syntax
URI::query <uri>
URI::query <uri> <param>
The <param> option returns the query parameter value corresponding to the
requested parameter name.
Example:
when HTTP_REQUEST {
set query [URI::query [HTTP::uri]]
log local0. "Query portion of uri [HTTP::uri] is $query"
}
Related Information
Valid Events:
HTTP_REQUEST,HTTP_REQUEST_DATA
Required AX Release: 2.7.0 or higher
287 of 304
Related Information
Valid Events:
FIX_REQUEST, FIX_RESPONSE, pool, node
Required AX Release: 2.7.0 or higher
Note:
pool and node commands are only available when the vport is of type
tcp-proxy.
FIX::body_length
Returns the value of the BodyLength tag. The FIX BodyLength tag gives
the message length, in bytes, forward to the CheckSum field. It is always the
second field in the FIX message and is always unencrypted.
Syntax
FIX::body_length
Example:
when FIX_REQUEST {
log local0. "BodyLength=[FIX::body_length] bytes"
}
288 of 304
FIX::msg_seq_num
Returns the integer message sequence number. It is always a positive value.
Syntax
FIX::msg_seq_num
Example:
when FIX_REQUEST {
log local0. "Message Sequence Number=[FIX::msg_seq_num]"
}
Related Information
Valid Events:
FIX_REQUEST, FIX_RESPONSE
Required AX Release: 2.7.0 or higher
FIX::msg_type
Returns the value of the MsgType tag. The MsgType tag defines the message type, which is a string that is one or two characters in length. It is
always the third field in the message and is always unencrypted.
Note:
Example:
when FIX_REQUEST {
log local0. "Message Type=[FIX::msg_type]"
}
289 of 304
FIX::sender_compid
Returns the value of the SenderCompID tag. The SenderCompID is an
assigned string value used to identify the firm sending the FIX message.
Syntax
FIX::sender_compid
Example:
when FIX_REQUEST {
log local0. "SenderCompID=[FIX::sender_compid]"
}
Related Information
Valid Events:
FIX_REQUEST, FIX_RESPONSE
Required AX Release: 2.7.0 or higher
FIX::sending_time
Returns the value of the time of message transmission, always expressed in
UTC time. The time is returned as a string in either of the following formats:
Whole seconds YYYYMMDD-HH:MM:SS
Milliseconds YYYYMMDD-HH:MM:SS.sss
290 of 304
This timestamp is part of the transport level as a field in the StandardHeader and does not represent the time of a related business transaction.
A timestamp for the business transaction is conveyed with the tag 60
TransactTime.
Related Information
Valid Events:
FIX_REQUEST, FIX_RESPONSE
Required AX Release: 2.7.0 or higher
FIX::target_compid
Returns the value of the TargetCompID tag. The TargetCompID is an
assigned string value used to identify the firm receiving the FIX message.
Syntax
FIX::target_compid
Example:
when FIX_REQUEST {
log local0. "TargetCompID=[FIX::target_compid]"
}
Related Information
Valid Events:
FIX_REQUEST, FIX_RESPONSE
Required AX Release: 2.7.0 or higher
291 of 304
Valid Events
DB_QUERY
Required Release: ACOS 2.7.1 or higher
DB::Command
Gets a numeric value that represents the command number. For example,
the MySQL QUIT command has a value of 1.
Example:
when DB_COMMAND {
set ret [ DB::command ]
log "aflex script got command number $ret"
pool mssqlgroup
}
Valid Events
DB_COMMAND
Required Release: ACOS 2.7.1 or higher
292 of 304
Template Commands
The TEMPLATE:: commands enable you to access individual configuration
parameters per template.
The following commands allow you to check the existence of a certain template type on a virtual server. In addition, you can use these commands to
access the individual configuration parameters of a template.
TEMPLATE::exists
Determines if a template is bound to a virtual server.
This command returns a 1 integer value if a template is configured on the
current virtual server or a 0 if the template is not configured on the current
virtual server.
Syntax
TEMPLATE::exists [cache | client_ssl | conn_reuse
| http | server_ssl | tcp | udp]
Checks if the following type of template exists:
cache RAM Caching template
client_ssl Client SSL template
conn_reuse Connection Reuse template
http HTTP template
server_ssl Server SSL template
tcp TCP template
udp UDP template
TEMPLATE::exists persist
[cookie | src_ip | dst_ip | ssl_sid]
Checks if the following type of persistence template exists:
cookie Cookie Persistence
src_ip Source IP Persistence
dst_ip Destination IP Persistence
ssl_sid SSL Session ID Persistence
293 of 304
Example:
when CLIENT_ACCEPTED {
if { [TEMPLATE::exists client_ssl] == 1} {
log "client SSL template enabled on virtual server"
}
}
Example:
when SERVER_CONNECTED {
if { [TEMPLATE::exists server_ssl] == 1} {
log "server SSL profile enabled on virtual server"
}
}
Valid Events
All
Required Release: ACOS 2.7.1 or higher
TEMPLATE::cache
Gets the current value of the parameter for a RAM cache template.
Syntax
TEMPLATE::cache <setting>
Returns the value for the specified <setting> in the assigned RAM
cache template. For <setting>, enter one of the following:
name
accept_reload_req
age
default_policy_nocache
disable_insert_age
disable_insert_via
max_cache_size
max_content_size
min_content_size
294 of 304
Valid Events
All
Required Release: ACOS 2.7.1 or higher
TEMPLATE::client_ssl
Gets the current value of the parameter for the client SSL template.
Syntax
TEMPLATE::client_ssl <setting>
Returns the value for the specified <setting> in the assigned client SSL
template. For <setting>, enter one of the following:
name
ca_cert
cert
chain_cert
cipher
client_certificate
close_notify
crl
key
session_cache_size
ssl_false_start_disable
295 of 304
Example:
when CLIENT_ACCEPTED {
if { [TEMPLATE::exists client_ssl] == 1 } {
log "*** Template client_ssl is configured on vport ***"
log "*** Name: [TEMPLATE::client_ssl name]"
} else {
log "template client_ssl is not configured on vport"
}
Valid Events
All
Required Release: ACOS 2.7.1 or higher
TEMPLATE::conn_reuse
Gets the current value of the parameter for the connection reuse template.
Syntax
TEMPLATE::conn_reuse <setting>
Returns the value for the specified <setting> in the assigned connection
reuse template. For <setting>, enter one of the following:
name
keep_alive_conn
limit_per_server
timeout
Valid Events
All
Required Release: ACOS 2.7.1 or higher
TEMPLATE::http
Gets the current value of the parameter for the HTTP template.
296 of 304
Valid Events
All
Required Release: ACOS 2.7.1 or higher
TEMPLATE::ssl
Gets the current value of the parameter for the server SSL template.
297 of 304
Valid Events
All
Required Release: ACOS 2.7.1 or higher
TEMPLATE::tcp
Gets the current value of the parameter for the TCP template.
Syntax
TEMPLATE::tcp <setting>
Returns the value for the specified <setting> in the assigned TCP
template. For <setting>, enter one of the following:
name
force_delete_timeout
close_idle_timeout
half_close_idle_timeout
idle_timeout
initial_window_size
reset_fwd
reset_rev
Valid Events
All
Required Release: ACOS 2.7.1 or higher
298 of 304
TEMPLATE::udp
Gets the current value of the parameter for the UDP template.
Syntax
TEMPLATE::udp <setting>
Returns the value for the specified <setting> in the assigned UDP
template. For <setting>, enter one of the following:
name
aging
idle_timeout
qos
re_select_if_server_down
stateless_conn_timeout
Valid Events
All
Required Release: ACOS 2.7.1 or higher
299 of 304
300 of 304
Deprecated Commands
Deprecated Command
client_addr
client_port
http_cookie
http_header
http_host
http_method
http_uri
http_version
ip_protocol
ip_tos
local_addr
redirect
remote_addr
server_addr
server_port
use <cmd>
301 of 304
exec
interp
seek
auto_execok
exit
load
socket
auto_import
fblocked
memory
source
auto_load
fconfigure
namespace
tcl_findLibrary
auto_mkindex
fcopy
open
tell
auto_mkindex_old
file
package
unknown
auto_qualify
fileevent
pid
update
auto_reset
filename
pkg::create
uplevel
bgerror
flush
pkg_mkIndex
upvar
cd
gets
proc
vwait
close
glob
pwd
eof
http
rename
302 of 304
303 of 304
Corporate Headquarters
A10 Networks, Inc.
3 West Plumeria Dr.
San Jose, CA 95134 USA
Tel: +1-408-325-8668 (main)
Tel: +1-408-325-8676 (support - worldwide)
Tel: +1-888-822-7210 (support - toll-free in USA)
Fax: +1-408-325-8666
www.a10networks.com
304