Forum Discussion

Janek_42109
Aug 21, 2015

APM - hostname evaluation and client authentication

Hello All,

 

I built a policy in which, depending on the hostname requested by the client, a client certificate is required or not.

 

This is the view of my policy :

 

 

The two boxes "Hostname 2 ways" and "Hostname 1 way" are empty boxes. Within each box is the following expression:

 

"Hostname 2 ways" : Expression: expr { [mcget {session.network.name}] contains "foo" and contains "test.com"}

 

"Hostname 1 way" : Expression: expr { [mcget {session.network.name}] contains "bar" and contains "test.com"}

 

During the test, I have an error message saying that the session couldn't be established.

 

In the APM report I have the following information:

 

Access policy result: Logon_Deny

 

Rule evaluation failed with error: syntax error in expression " [mcget {session.network.name}] cont

 

Does someone have an idea of what I'm doing wrong?

 

Thank you for your help

 

5 Replies

  • Hi,

    expr { [mcget {session.network.name}] contains "foo" and contains "test.com"}
    

    is not a good expression

    expr { ([mcget {session.network.name}] contains "foo") && ([mcget {session.network.name}] contains "test.com")}
    

    If the domain is test.com, it's better to use ends_with instead of contains.

    Why do you create 2 boxes for hostname check? You can create a second branch in the first box?

  • Hello Stanislas,

     

    Thank you for your reply

     

    I don't have the error message anymore, but it's still not working as I wish, so I will follow your advice about using only one box for hostname check to simplify the policy.

     

  • Hi Stanislas,

     

    For the expression

     

    expr { [mcget {session.client.hostname}] contains "HTPA387" }

     

    If I want to allow multiple hostnames, for which adding additional branches is not efficient, how can I just add the list of hostnames?

     

    • youssef1

      Hi,

       

      If you want to add a list of hostnames, you can do this:

       

      expr { [mcget {session.client.hostname}] contains "HTPA387" || [mcget {session.client.hostname}] contains "hostname2" || [mcget {session.client.hostname}] contains "hostname3" }

       

      Regards
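
Added example, not part of the thread and not F5 code: a stand-alone tclsh script comparing the substring checks discussed above with a domain-anchored check and an exact-match hostname list, since a substring test also accepts names that merely embed the expected value. The procs has_substr, in_domain and host_allowed are hypothetical helpers, mcget is stubbed, and every hostname in the loops is a constructed sample.

```tcl
# Added example for tclsh; not APM policy code. In APM, mcget reads the
# session variable; here it is stubbed so the logic runs stand-alone.
array set session_vars {}
proc mcget {name} {
    global session_vars
    return $session_vars($name)
}

# Substring test, equivalent in effect to the thread's "contains".
proc has_substr {value needle} {
    return [expr {[string first $needle $value] >= 0}]
}

# Domain test on a label boundary: the domain itself or a name ending in ".domain".
proc in_domain {host domain} {
    set host [string tolower $host]
    set suffix ".[string tolower $domain]"
    if {$host eq [string range $suffix 1 end]} { return 1 }
    set start [expr {[string length $host] - [string length $suffix]}]
    return [expr {$start >= 0 && [string range $host $start end] eq $suffix}]
}

# Exact, case-insensitive membership in a list of client hostnames.
proc host_allowed {host allowlist} {
    set wanted [string tolower $host]
    return [expr {[lsearch -exact [string tolower $allowlist] $wanted] >= 0}]
}

# Constructed sample values, not taken from the thread's environment.
foreach name {foo.test.com foo.test.com.example.net bar.test.com} {
    set session_vars(session.network.name) $name
    set v [mcget session.network.name]
    set loose  [expr {[has_substr $v "foo"] && [has_substr $v "test.com"]}]
    set strict [expr {[has_substr $v "foo"] && [in_domain $v "test.com"]}]
    puts [format "%-28s contains-only=%d  domain-anchored=%d" $v $loose $strict]
}

set allowlist {HTPA387 hostname2 hostname3}
foreach name {HTPA387 htpa387 HTPA3870 hostname9} {
    set session_vars(session.client.hostname) $name
    set v [mcget session.client.hostname]
    puts [format "%-10s contains=%d  exact-list=%d" $v \
        [has_substr $v "HTPA387"] [host_allowed $v $allowlist]]
}
```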