Forum Discussion

Piotr_Lewandows
Altostratus
Apr 26, 2016

APM ACL what is source for IP evaluated

Hi,

 

I am struggling to figure out what the base is for the IP evaluated by, for example, a Static ACL in APM. As far as I understand, ACL objects in the VPE are only evaluated during Access Policy processing (between ACCESS_SESSION_STARTED and ACCESS_POLICY_COMPLETED), but using ACCESS_ACL_ALLOWED (or denied) I can use ACCESS::acl eval to do per-request ACLs. The question is: what is used as the src and dst IP for ACL evaluation? Is it one of the Access Policy variables or the actual IPs based on the flow? I am asking because I would like to create an ACL for a forward proxy VS. In this case I can see the client IP as the src IP, but the dst IP is the VS IP, not the target server IP (the proxy does DNS on the HTTP proxy request URI, like GET http://www.site.com/something/index.html HTTP/1.1), so at L3/L4 there is no real dst IP known. My idea was to use the host from the HTTP proxy URI (do a DNS resolve and pass it to an access session variable so the ACL can use it for evaluation), but not knowing whether evaluation is based on session variables makes me wonder if this will work.

 

Piotr

 

3 Replies

  • Lucas_Thompson_
    Historic F5 Account

    ACLs can operate in Network Access or App Tunnel or LTM+APM or Portal Access mode. Some of these modes have a source/dest IP and sometimes it's not really relevant.

     

    ACL evaluation comes after ACCESS_POLICY_COMPLETED. Between ACCESS_SESSION_STARTED and ACCESS_POLICY_COMPLETED, iRule flows are actually triggered from Client -> APM Renderer, so the source/dest won't make a lot of sense there. After the Access Policy is done, and the session is in the "Allow" state, then all assigned ACLs are processed as normal.

     

    What exactly are you trying to ACL? It's pretty flexible, there should be no need to come up with any funny tricks like DNS lookups, etc.

     


  • Well, I tried to set, for example, a Static ACL object in the VPE based on the dst IP of a host on the Internet (I am talking about an SWG-Explicit type Access Profile). Any IPs set as dst in the ACL are ignored, which is quite logical, as the info about the target host is actually inside HTTP in the request line (as in my original post, it's like GET http://www.site.com/something/index.html HTTP/1.1). At the L4 level the connection looks like client IP:port -> VS IP:port (this VS is working as an explicit proxy). If I set a src IP in the ACL it's evaluated correctly: a given client IP is blocked or allowed.

     

    So again the problem is with enforcing the real dst of the proxy request, which is not known at the L4 level. I would also like to do that not only when the Access Policy is processed but for each request. As far as I know that is only possible using ACCESS_ACL_ALLOWED, which is the only iRule event fired for each request after the policy was evaluated, using ACCESS::acl eval.

     

    Based on my test, ACLs in the Access Policy are not working per request (unlike a Per-Request Policy, which works for each request, but I am not aware of any iRule event fired by a Per-Request Policy :-().

     

    To be honest my setup is a bit non-standard. I am actually using a VS with a standard http profile (reverse-proxy, not explicit type).

     

    This is another approach to proxy chaining: I need to pass the request to an upstream explicit proxy. I already tried the approach with HTTP::proxy disable for a VS with an HTTP profile of type explicit, but now I would like to try the opposite approach. But ACLs in this case are ignoring the real destination IP. That's why I wonder if any Access Session variable is used for ACL evaluation; if so, I could just do a DNS resolve per request and update the session variable used for ACL evaluation.

     

    Of course maybe it's dead end and there is better way?

     

    The ultimate goal is to create L4 rules (like AFM) that work for proxy-type HTTP requests. In this case AFM rules can only see the client IP but not the real destination IP, which is the explicit proxy VS IP.

     

    So I wonder if using APM ACLs could be the solution?

     

    Piotr
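
The check Piotr is after (take the destination from the proxy request line rather than the L4 flow, resolve it, and apply an ordered src/dst/port rule set to the resolved address) as an added example in plain Python. This is not an iRule and not F5 APM or AFM code; it only models the evaluation. The resolver table and the ACL are constructed for the example, and the request lines are made up; nothing here touches the network.

```python
"""Model of an ACL keyed on the real destination of an explicit-proxy request.

Added example, not F5 code: the resolver table, the ACL and the request
lines below are constructed so the evaluation can be run offline.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS (assumption: these records are invented).
# A name may resolve to several addresses, including a mix of public and
# RFC 1918 ones, which the evaluation has to handle.
RESOLVER = {
    "www.site.com": ["203.0.113.10"],
    "intranet.example": ["10.0.0.5", "10.0.0.6"],
    "mirror.example": ["198.51.100.7", "10.0.0.9"],
}

# Constructed static ACL: (action, src, dst, dst_port or None for any port).
# Evaluated in order, first match wins, anything unmatched is denied.
ACL = [
    ("deny", "0.0.0.0/0", "10.0.0.0/8", None),     # never proxy into internal space
    ("allow", "192.0.2.0/24", "0.0.0.0/0", 80),    # trusted client range to HTTP
    ("allow", "192.0.2.0/24", "0.0.0.0/0", 443),   # ...and to HTTPS (CONNECT)
]


def parse_request_target(request_line):
    """Return (host, port) named by an explicit-proxy request line.

    Accepts absolute-form targets (GET http://host/path HTTP/1.1) and the
    authority-form used by CONNECT (CONNECT host:443 HTTP/1.1).  Origin-form
    requests (GET /path HTTP/1.1) carry no destination and are rejected.
    """
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    method, target, _version = parts
    if method.upper() == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port: %r" % target)
        return host, int(port)
    url = urlsplit(target)
    if url.scheme not in ("http", "https") or not url.hostname:
        raise ValueError("not an absolute-form proxy request: %r" % target)
    return url.hostname, url.port or (443 if url.scheme == "https" else 80)


def match_acl(src, dst, port, acl=ACL):
    """First-match evaluation of the ordered ACL; unmatched traffic is denied."""
    for action, src_net, dst_net, rule_port in acl:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and (rule_port is None or rule_port == port)):
            return action
    return "deny"


def evaluate(src_ip, request_line, resolver=RESOLVER, acl=ACL):
    """Decide allow/deny for one proxy request and return (verdict, reason).

    The L4 flow only shows client -> proxy VS, so the destination is taken
    from the request target and resolved.  Every resolved address is checked
    and one denied address denies the whole request, so a name with an
    internal record hidden among public ones cannot slip through.
    """
    try:
        host, port = parse_request_target(request_line)
    except ValueError as exc:
        return "deny", str(exc)
    addrs = resolver.get(host.lower())
    if not addrs:
        return "deny", "unresolved host %s" % host
    src = ipaddress.ip_address(src_ip)
    for addr in addrs:
        action = match_acl(src, ipaddress.ip_address(addr), port, acl)
        if action != "allow":
            return "deny", "%s -> %s:%d (%s)" % (src_ip, addr, port, action)
    return "allow", "%s -> %s:%d via %s" % (src_ip, ",".join(addrs), port, host)


if __name__ == "__main__":
    for src, line in [
        ("192.0.2.10", "GET http://www.site.com/something/index.html HTTP/1.1"),
        ("192.0.2.10", "GET http://intranet.example/ HTTP/1.1"),
        ("192.0.2.10", "CONNECT mirror.example:443 HTTP/1.1"),
        ("198.51.100.200", "GET http://www.site.com/ HTTP/1.1"),
        ("192.0.2.10", "GET /something/index.html HTTP/1.1"),
    ]:
        print(src, line, "->", evaluate(src, line))
```

Two points worth carrying over to a real deployment. First, the ACL is keyed on every address the name resolves to, not just the first, because a name that returns one internal record alongside public ones would otherwise pass on the public record and the proxy might then connect to the internal one. Second, resolving once for the check and again for the actual connection leaves a window in which the answers can differ, so whatever enforces the rule should also pin the upstream connection to the address it checked.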