Forum Discussion

Nfordhk_66801's avatar
Nfordhk_66801
Icon for Nimbostratus rankNimbostratus
Jun 15, 2015

iRule using DataGroup to bypass APM Policy

Hi,

We have an APM policy to collect the machine name, set it to our domain, and perform an AD lookup. We have to utilize Datagroups to pre-authorize a few users that do not fall into proper AD groups without moving the computer account.

Our current iRule is below. I've created the datagroup and specified the machine names. I'm trying to create an irule that collects the machine name like normal but, bypasses the APM posture check if defined. If not defined, follow standard policy.

Our APM policy --> Windows Info --> Irule Event --> AD Query --> Allow

when RULE_INIT {
 set static::THIS_DOMAIN ".ourdomain.com"
} end rule_init

when ACCESS_POLICY_AGENT_EVENT {
if { [ACCESS::policy agent_id] eq "get_computer_name" } {

set computer [string tolower [ACCESS::session data get "session.windows_info_os.last.computer"]]
foreach x [split $computer "|"] {

  if { $x ends_with $static::THIS_DOMAIN } {
    set machinename [lindex [split $x "."] 0]
    ACCESS::session data set session.custom.computer $machinename
    return

    } end if this_domain
  } end set computer
 } end ACCESS::policy agent_id
} end access policy agent event
APM
application delivery
data group
devops
irule
iRules
security

1 Reply

Sort By
  • Seth_Cooper's avatar
    Seth_Cooper
    Icon for Employee rankEmployee
    Jun 15, 2015

    Hey Nick,

     

    I would add a check in the iRule under the "set machinename" to query the data group and if it exists then set another ACCESS::session variable like "session.custom.bypass_adquery" then after the iRule event in the VPE have an empty action with branch rules that if the bypass_adquery variable is set then you go down that branch to allow. If it isn't set then they will go to AD Query like normal.

     

    Seth