APM Dynamic ACL assignment from AD

In my experience it needs to be a single line entry, not multi-line to work. You also can't put spaces between the rules. When you format it like this, does it load? What kind of error do you get if it doesn't? What does the APM log look like for the session? Also, you can look at the built acl with sessiondump -list

{ allow tcp any 10.100.32.15:3389 }{ allow tcp any 10.100.32.15:80 }{ allow tcp any 10.100.32.15:443 }{ allow udp any 10.100.1.84:53 }{ allow udp any 10.100.1.85:53 }{ deny ip any any }

Hi Brad,

Thanks for chiming in. I tried a single line acl, but it still didn't work. The other thing I did see is that I had a mistake above; "deny" should be reject or discard. So I did change deny to reject, but that didn't do it either.

Should the acl be in straight ASCII? Because what I see in the log is HEX encoded and I'm not sure what that's about.

The ACL looks like this:

8e132485.session.ad.last.attr.info 394 0x7b20616c6c6f772074637020616e792031302e3130302e33322e31353a33333839207d0a7b20616c6c6f772074637020616e792031302e3130302e33322e31353a3830207d0a7b20616c6c6f772074637020616e792031302e3130302e33322e31353a343433207d0a7b20616c6c6f772075647020616e792031302e3130302e312e38343a3533207d0a7b20616c6c6f772075647020616e792031302e3130302e312e38353a3533207d0a7b2072656a65637420697020616e7920616e7920616e79207d

If you were to decode it, you'd get the acl. I thought it would be something you could easily read. I might just delete it and drop it in again with less ACEs for testing. Any other thoughts?

Thanks, Mike

Hey there,

So for anyone who tried this, Brad is right. The ACL must be a single string with all the ACEs concatenated together. In my case, I had to clear out the AD attribute and paste the properly formatted ACL for it to work.

Thanks for the tips Brad!

BTW, F5 should consider documenting things like that!

Cheers, Mike