F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

redirect80 virtual server does not inherit properties of parent virtual server #545

Open calman-isu opened 2 years ago

calman-isu commented 2 years ago

Environment

Summary

This seems vaguely similar to #514.

When setting redirect80 to 'true', the resulting port 80 virtual server does not inherit the AFM policy or the security logging profile of the parent VIP. As a result, AFM effectively blocks (and does not log) traffic to port 80.

I am deploying AS3 VSs through Big-IQ, but I suspect the result would be the same when declaring directly to the Big-IP.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration:

    {
    "id": "example.com_HTTPS_443",
    "class": "ADC",
    "controls": {
        "class": "Controls",
        "userAgent": "BIG-IQ/8.1 Configured by API"
    },
    "updateMode": "selective",
    "schemaVersion": "3.22.0",
    "example.com_HTTPS_443": {
        "class": "Tenant",
        "ipv4_vip": {
            "class": "Application",
            "template": "https",
            "TLS_Server": {
                "class": "TLS_Server",
                "cipherGroup": {
                    "bigip": "/Common/test-balanced"
                },
                "certificates": [
                    {
                        "certificate": "/example.com_HTTPS_443/ipv4_vip/Certificate"
                    }
                ],
                "tls1_0Enabled": false,
                "tls1_1Enabled": false,
                "tls1_2Enabled": true,
                "tls1_3Enabled": false,
                "singleUseDhEnabled": true,
                "renegotiationEnabled": true
            },
            "Certificate": {
                "class": "Certificate",
                "chainCA": {
                    "bigip": "/Common/letsencrypt-stg-int-r3.crt"
                },
                "privateKey": {
                    "bigip": "/Common/example.com.key"
                },
                "certificate": {
                    "bigip": "/Common/example.com.crt"
                }
            },
            "serviceMain": {
                "pool": {
                    "use": "/example.com_HTTPS_443/ipv4_vip/example.com_https-443_ipv4_pool"
                },
                "snat": "none",
                "class": "Service_HTTPS",
                "enable": true,
                "clientTLS": {
                    "bigip": "/Common/serverssl-test"
                },
                "mirroring": "none",
                "serverTLS": "/example.com_HTTPS_443/ipv4_vip/TLS_Server",
                "profileTCP": {
                    "egress": {
                        "bigip": "/Common/test-tcp-server"
                    },
                    "ingress": {
                        "bigip": "/Common/test-tcp-client"
                    }
                },
                "redirect80": true,
                "profileHTTP": {
                    "bigip": "/Common/HTTP_X-Forwarded-for"
                },
                "virtualPort": 443,
                "shareAddresses": true,
                "profileAnalytics": {
                    "use": "/example.com_HTTPS_443/ipv4_vip/Analytics_Profile"
                },
                "virtualAddresses": [
                    "10.254.254.254"
                ],
                "persistenceMethods": [],
                "securityLogProfiles": [
                    {
                        "bigip": "/Common/test-network"
                    }
                ],
                "policyFirewallEnforced": {
                    "bigip": "/Common/HIGH-VIP_AFM_POLICY"
                },
                "serviceDownImmediateAction": "none"
            },
            "Analytics_Profile": {
                "class": "Analytics_Profile",
                "collectIp": false,
                "collectGeo": false,
                "collectUrl": false,
                "collectMethod": false,
                "collectUserAgent": false,
                "collectOsAndBrowser": false,
                "collectPageLoadTime": false,
                "collectResponseCode": true,
                "collectClientSideStatistics": true
            },
            "example.com_https-443_ipv4_pool": {
                "class": "Pool",
                "members": [
                    {
                        "ratio": 1,
                        "adminState": "enable",
                        "shareNodes": true,
                        "servicePort": 443,
                        "priorityGroup": 0,
                        "serverAddresses": [
                            "10.250.255.1"
                        ]
                    }
                ],
                "monitors": [
                    {
                        "bigip": "/Common/test-https1.0"
                    }
                ],
                "loadBalancingMode": "round-robin",
                "serviceDownAction": "none"
            }
        }
    }
    }
  2. Observe the resulting virtual server configuration; the port 80 redirect VS has no fw-enforced-policy or security-log-profiles:

    
    ltm virtual /example.com_HTTPS_443/ipv4_vip/serviceMain {
    creation-time 2022-01-12:14:44:03
    description ipv4_vip
    destination 10.254.254.254:https
    fw-enforced-policy HIGH-VIP_AFM_POLICY
    ip-protocol tcp
    last-modified-time 2022-01-12:14:44:03
    mask 255.255.255.255
    partition example.com_HTTPS_443
    pool /example.com_HTTPS_443/ipv4_vip/example.com_https-443_ipv4_pool
    profiles {
        /example.com_HTTPS_443/ipv4_vip/Analytics_Profile { }
        /example.com_HTTPS_443/ipv4_vip/TLS_Server {
            context clientside
        }
        HTTP_X-Forwarded-for { }
        test-tcp-client {
            context clientside
        }
        test-tcp-server {
            context serverside
        }
        serverssl-test {
            context serverside
        }
    }
    security-log-profiles {
        test-network
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 53
    }

    ltm virtual /example.com_HTTPS_443/ipv4_vip/serviceMain-Redirect- {
    creation-time 2022-01-12:14:44:03
    description ipv4_vip
    destination 10.254.254.254:http
    ip-protocol tcp
    last-modified-time 2022-01-12:14:44:03
    mask 255.255.255.255
    partition example.com_HTTPS_443
    profiles {
        http { }
        test-tcp-client {
            context clientside
        }
        test-tcp-server {
            context serverside
        }
    }
    rules {
        _sys_https_redirect
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 54
    }



### Expected Behavior
Ideally, the port 80 VS should inherit all properties of the parent VS, aside from the pool and the iRule. Otherwise, the behavior of the port 80 VS is inconsistent with the behavior of the port 443 VS.

But for the issue in front of me currently, just having the port 80 VS inherit the AFM policy and the security log profiles would help a lot.

### Actual Behavior
The port 80 VS enabled by redirect80 does not inherit the Network Firewall policy or logging profiles of the parent VS.  This has security and compliance implications in my specific case.

I do see, from my examples, that the port 80 VS does inherit the parent TCP profiles.
dstokesf5 commented 2 years ago

Thank you for your feedback. I have added this to our internal product backlog as AUTOTOOL-2962.

sunitharonan commented 2 years ago

Please reach out to us at automation_toolchain_pm@f5.com in order for us to get more information and prioritize. Thanks.

21buckets commented 1 year ago

Hi @dstokesf5 , @sunitharonan

Has there been any progress on AUTOTOOL-2962 ? If it is still in development, would it be possible to have this include the "Description" of the redirect virtual server to be a copy of the main VS's description/remark?

The current behaviour is that the description of the Redirect VS takes the path (application) name of the virtual. I think it would be better for usability if it matched the main VS's description.
