Forum Discussion
Lucas_Thompson_
Nov 17, 2015 - Historic F5 Account
We generally recommend avoiding iRules for simple situations like this where VPE rules can be used to have the same functionality. The main reasons are:
- APMD/APD maintains a cache of user session variables to avoid calls to/from TMM's sessiondb where the variables are stored. These calls occur over a socket interface and are slower than APD/APMD using its cache directly. When you update session variables inside an iRule during Access Policy evaluation, you are basically forcing a cache flush because APMD/APD can't know what "ACCESS::session data" you're using. "ACCESS::session data" operates on sessiondb directly, and not the sessvar cache.
- APM has a function to import and export Access Profiles. These do NOT include external iRules. So, if you implement part of your session logic in iRules and part in Access Policy, then the whole policy is not included in import/export.
The Variable Assign already has predefined settings for max session timeout and idle timeout, so you can just use those. You can also add an "empty" action and define branch rules with whatever Tcl you want. Instead of being executed by TMM, these are executed directly in APD/APMD and DO use the cache.
The other advantage is that the policy can be clearly visualized for reports to managers, execs, whatever. And it makes supporting the whole solution much easier.