Forum Discussion

Bartek's avatar
Bartek
Icon for Cirrus rankCirrus
Jul 12, 2019

remove "requires { http ssl-persistance }" from policy

Whenever I create a policy it adds it's own, default configuration snippets in the config. The one that gives me trouble is: requires { http ssl-persistence } When the policy is created, but only...
  • Bartek's avatar
    Jul 14, 2019

    OK, so i actually got it, and learned a ton about policies in the process.

     

    The most important thing is that the policy assumes http event if not told otherwise. In this case adding an "ssl-client-hello" after forward action changed this assumption to ssl event. This is also true for actions that (according to specs) have nothing to do with http - I guess something that F5 overooked.

     

    But wait, there is more - there is no way at all to add the ssl-client-hello while preparing the policy in GUI. You need to prepare it as far as possible and edit or modify the policy in TMSH (the latter is more elegant, but edit is easier and also does the job) to add the ssl-client_hello action. This automatically removes http from aspect and leaves just the desired ssl-persistence which in result allows to remove unwanted http profile from VIP.