Forum Discussion

Check1t_282465
Jul 24, 2017

Utilize iRule to minimize APM usage

I have an Access Profile which is invoked for an application in which a) Checks source IP. If whitelisted subnet, allowed to pass through. Otherwise b) Checks URI. If specified URI requested, c) F5 presents authentication prompt prior to passing through to application.

 

This works fine, but ALL user traffic to the application is requiring an APM license. In order to reduce license impact, is it possible to utilize an iRule that would only invoke the APM when user is coming via non-whitelisted IP subnet and specified URI? If yes, any pointers on how one would write this? For what it's worth, application also has ASM policy.

 

Thank you.

 

1 Reply

  • Hello Check1t,

    Yes, you can reduce the number of sessions consumed by the APM by writing an iRule.

    The iRule can take many forms, but the important thing is to use "ACCESS::disable" and "ACCESS::enable".

    If you don't have many subnets to whitelist, you can do it like this:

    when HTTP_REQUEST {
        # Turn APM off for this request by default
        ACCESS::disable

        if { ([HTTP::uri] starts_with "/admin") && ! ([IP::addr [IP::client_addr] equals 192.168.1.0/24]) && ! ([IP::addr [IP::client_addr] equals 192.168.2.0/24]) } {
            # Only client IPs that are not in subnets 192.168.1.0/24 and 192.168.2.0/24 and are requesting /admin will use APM
            ACCESS::enable
        }
    }
    

    If you have more subnets, you can use a data group for clarity.

    Regards
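
The data group variant mentioned in the reply, as an added example that is not part of the original post. It assumes an address-type data group named `apm_bypass_subnets` (a hypothetical name) holding the whitelisted subnets, and it normalises the path before matching so that mixed-case or percent-encoded spellings of /admin still go through APM.

```tcl
when HTTP_REQUEST {
    # Assumption: apm_bypass_subnets is an address-type data group (hypothetical
    # name) whose records are the whitelisted subnets, e.g. 192.168.1.0/24 and
    # 192.168.2.0/24. class match returns 1 when the client IP falls in any record.
    set trusted [class match [IP::client_addr] equals apm_bypass_subnets]

    # Compare against a normalised path (percent-decoded, lower-cased, no query
    # string) so the authentication decision does not hinge on the exact
    # spelling the client used for the protected URI.
    set path [string tolower [URI::decode [HTTP::path]]]
    set protected [expr { $path starts_with "/admin" }]

    # Set the APM state explicitly on every request, so the decision for this
    # request does not depend on what an earlier request on the same
    # connection set.
    if { $protected && !$trusted } {
        # Non-whitelisted client asking for the protected URI: APM handles it
        ACCESS::enable
    } else {
        # Whitelisted subnet, or a URI that needs no authentication: skip APM
        ACCESS::disable
    }
}
```

With this rule the iRule, not the access policy, decides which requests are authenticated, so changes to the data group or the protected prefix should be reviewed like changes to the access policy itself.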