Forum Discussion

boneyard
Nov 09, 2013

controlling APM access policy from iRule

I'm trying to influence the access policy to use a different path through the VPE based on a variable set in an iRule with ACCESS::session data set. The VPE has an element with some branch rules and expressions like expr { [mcget {session.tst.choice}] == 1 }.

It seems you can only successfully use this by setting the variable with ACCESS::session data set during the handling of HTTP_REQUEST on /my.policy (this was enabled with ACCESS::restrict_irule_events disable in CLIENT_ACCEPTED).

Is that correct, or am I missing something?

8 Replies

  • There are actually a few places you can set an access policy variable.

    • The HTTP_REQUEST event - while this is certainly one place you can set an access session variable, you have to be careful when you set it. As you found out, you had to wait for the client to request /my.policy because there's no access session token prior to this request.

    • The ACCESS_SESSION_STARTED event - this event fires, as the name implies, at the beginning of the session, and unlike the HTTP_REQUEST event, is guaranteed to be inside the access session.

    • A standard variable assignment agent in the visual policy.

    • The ACCESS_POLICY_AGENT_EVENT - assuming you have an iRule event agent in the visual policy BEFORE the agent that needs to do the evaluation, this is a great way to drop into an iRule during policy evaluation to do something crafty, and then proceed. If you have multiple iRule event agents in the visual policy, make sure they all have different ID values, and then you can evaluate the ACCESS::policy agent_id value in this event to fire different code at different points in the visual policy from within the same event. Example:

      when ACCESS_POLICY_AGENT_EVENT {
          switch [ACCESS::policy agent_id] {
              "TAG_ID_1" {
                  # do something here
                  ACCESS::session data set session.custom.foo "bar"
              }
              "TAG_ID_2" {
                  # do something here
                  if { [ACCESS::session data get session.custom.foo] equals "bar" } {
                      ACCESS::session data set session.custom.hello "world"
                  }
              }
          }
      }
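    Added example (not code from the reply above or from the original poster): the second option in that list, ACCESS_SESSION_STARTED, used to set the very variable the original poster's VPE branch rule tests, so it already exists when the policy evaluates instead of depending on the /my.policy request timing. The 10.0.0.0/8 selection criterion is a constructed example, and ACCESS_POLICY_COMPLETED is used only to leave an audit record of the branch value and the policy outcome.

    ```tcl
    when ACCESS_SESSION_STARTED {
        # The access session token exists at this point, so the value is in place
        # before the VPE evaluates: expr { [mcget {session.tst.choice}] == 1 }
        # Constructed criterion: clients on 10.0.0.0/8 take branch 1, all others 0.
        if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
            ACCESS::session data set session.tst.choice 1
        } else {
            ACCESS::session data set session.tst.choice 0
        }
    }

    when ACCESS_POLICY_COMPLETED {
        # Audit trail: which branch value this session used and how the policy ended
        log local0.info "APM session [ACCESS::session data get session.user.sessionid] from [IP::client_addr]: tst.choice=[ACCESS::session data get session.tst.choice] result=[ACCESS::policy result]"
    }
    ```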
      
  • Thanks (as always) Kevin, your pointers got me where I wanted to be, working perfectly now.

     

  • Sab

    Hi friends, I am new to F5 APM, and to iRules in particular. I would like some help with my scenario. We have multiple clients whose session max and inactivity timeouts need to be different from one another.

    The resource assignment for the clients is based on the AD group. I've managed to put together an iRule and decided to call this iRule in the APM policy just after the AD query.

    I wonder whether this iRule script is correct? And in the APM policy editor, when I select iRule Event there is a field where I need to type in a Custom iRule Event Agent ID, which I believe is the iRule name!

    when ACCESS_POLICY_AGENT_EVENT {
        # NOTE: $name and $attr_name are not defined anywhere in this snippet;
        # they stand for the AD query name and the group attribute name
        set AdGroup [ACCESS::session data get "session.ad.$name.attr.group.$attr_name"]
        switch -exact -- "$AdGroup" {
            Standard_SSL_Users {
                ACCESS::session data set session.inactivity_timeout 150
                ACCESS::session data set session.max_session_timeout 200
                log local0.notice "Inactivity and Max timeout set"
            }
        }
    }

     


  • Try this iRule instead; you must map ActivityTimeout as the Agent ID within the VPE. You also must attach the iRule to the virtual in the normal fashion.

     

    when ACCESS_POLICY_AGENT_EVENT { 
        switch [ACCESS::policy agent_id] {
            "ActivityTimeout" {
                switch -glob [ACCESS::session data get "session.ad.last.attr.memberOf"] { 
                    "*Standard_SSL_Users*" { 
                        ACCESS::session data set session.inactivity_timeout 150
                        ACCESS::session data set session.max_session_timeout 200
                        log -noname accesscontrol.local1.notice "01490000:7: [ACCESS::session data get "session.user.sessionid"]: [IP::client_addr]:[TCP::client_port]: --- Inactivity and Max timeout set ---"
                    }
                }
            }
        }
    }
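    Added example (not the code from the reply above, nor Sab's): the same ActivityTimeout agent generalized to several AD groups with an ordered group-to-timeout map, first match wins, and an explicit default for users in none of the listed groups. The agent ID ActivityTimeout, the memberOf attribute and the Standard_SSL_Users values come from the thread; the other group names and the default timeouts are constructed.

    ```tcl
    when ACCESS_POLICY_AGENT_EVENT {
        # Only act for the iRule Event agent whose ID is ActivityTimeout
        if { [ACCESS::policy agent_id] ne "ActivityTimeout" } { return }

        # Constructed map: memberOf glob pattern -> {inactivity max} in seconds.
        # Order matters: a user in several groups gets the FIRST matching entry,
        # so list the most restrictive (or most privileged) groups first.
        set timeout_map {
            "*Admin_Users*"        {300 600}
            "*Standard_SSL_Users*" {150 200}
            "*Contractors*"        {60  120}
        }

        # Constructed defaults applied when no group matches
        set inactivity  900
        set max_timeout 3600
        set matched     "default"

        set member_of [ACCESS::session data get "session.ad.last.attr.memberOf"]
        foreach {pattern timeouts} $timeout_map {
            if { [string match $pattern $member_of] } {
                set inactivity  [lindex $timeouts 0]
                set max_timeout [lindex $timeouts 1]
                set matched     $pattern
                break
            }
        }

        ACCESS::session data set session.inactivity_timeout $inactivity
        ACCESS::session data set session.max_session_timeout $max_timeout
        log -noname accesscontrol.local1.notice "01490000:7: [ACCESS::session data get "session.user.sessionid"]: [IP::client_addr]:[TCP::client_port]: timeouts inactivity=$inactivity max=$max_timeout rule=$matched"
    }
    ```

    The log line records which map entry was applied, which makes a user landing on the wrong timeout (for example through an unexpected group membership) visible in the APM logs.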
    

     

  • Sab

    Thanks for the reply. Does the same rule apply even when multiple AD groups/clients need different timeout settings? I attached a copy of the policy ...

     
