How to set different inactivity and Max session timeouts for the users in the different AD group

Question

Hi friends , 
I am new to f5 Apms -irules in particular , I would like some hands on my scenario . We have got multiple clients whose session MAX &amp; Inactivity timeouts needs to be different from one another .&nbsp;
The resource assignment for the clients are based on the AD group. I've manged to put together a irule and decided to call this irule in the APM Policy just after ad query .&nbsp;
I wonder whether this irule script is correct ? and on the apm policy editor , when i select irule-event there is an field where i need to type in Custom-iRule-Event-Agent- ID which is i believe is the irule name !!!&nbsp;
when ACCESS_POLICY_AGENT_EVENT { 
set AdGroup [ACCESS::session data get "session.ad.$name.attr.group.$attr_name"] 
switch -exact "$AdGroup" {
 Standard_SSL_Users 
 {
  ACCESS::session data set session.inactivity_timeout 150 
  ACCESS::session data set session.max_session_timeout 200 }{ log local0.notice "Inactivity and Max timeout set" } } }&nbsp;

michael_jenkins · Answer

When using an ACCESS_POLICY_AGENT_EVENT, you'll want to check the [ACCESS::policy agent_id], which is the value that you set in the iRule Event object in the VPE. You'll also need to associate the iRule with your VS. The code you have now would run any time an iRule event from the VPE is used because it's not checking to make sure on that specific one should run.
So your iRule might look something like this (notice the agent_id check, and the value should be the same as the iRule Event one). The code is a little different than yours, but I copied the idea from an iRule I'm using.
&nbsp;
when ACCESS_POLICY_AGENT_EVENT { 
     check for policy agent_id 
    if { [ACCESS::policy agent_id] eq "set_timeout_values" } {
        switch -glob [ACCESS::session data get "session.ad.last.attr.memberof"] {
            "*CN=Standard_SSL_Users*" {
                ACCESS::session data set session.inactivity_timeout 150 
                ACCESS::session data set session.max_session_timeout 200
                log local0.notice "Inactivity and Max timeout set" 
            }
        }
    }
}

&nbsp;
Hope this helps.

sab · Answer

Thanks for the quick reply , let me try this and come back ,.... if i have multiple AD-group/clients which needs different timeout settings , then the irule will look like this:-
&nbsp;
when ACCESS_POLICY_AGENT_EVENT { 
if { [ACCESS::policy agent_id1] eq "set_timeout_values" } {
    switch -glob [ACCESS::session data get "session.ad.last.attr.memberof"] {
        "*CN=Standard_SSL_Users*" {
            ACCESS::session data set session.inactivity_timeout 150 
            ACCESS::session data set session.max_session_timeout 200
            log local0.notice "Inactivity and Max timeout set" 
        }

if { [ACCESS::policy agent_id2] eq "set_timeout_values" } {
    switch -glob [ACCESS::session data get "session.ad.last.attr.memberof"] {
        "*CN= SSL_Users2*" {
            ACCESS::session data set session.inactivity_timeout 600 
            ACCESS::session data set session.max_session_timeout 200
            log local0.notice "Inactivity and Max timeout set" 
        }

if { [ACCESS::policy agent_id3] eq "set_timeout_values" } {
    switch -glob [ACCESS::session data get "session.ad.last.attr.memberof"] {
        "*CN= SSL_Users3*" {
            ACCESS::session data set session.inactivity_timeout 600 
            ACCESS::session data set session.max_session_timeout 200
            log local0.notice "Inactivity and Max timeout set" 
        }

} } } } } } }

&nbsp;

michael_jenkins · Answer

You would do something like this, just adding other criteria to the switch statement.
&nbsp;
when ACCESS_POLICY_AGENT_EVENT { 
     check for policy agent_id 
    if { [ACCESS::policy agent_id] eq "set_timeout_values" } {
        switch -glob [ACCESS::session data get "session.ad.last.attr.memberof"] {
            "*CN=Standard_SSL_Users*" {
                ACCESS::session data set session.inactivity_timeout 150 
                ACCESS::session data set session.max_session_timeout 200
                log local0.notice "Inactivity and Max timeout set (1)" 
            }
            "*CN=SSL_Users_2*" {
                ACCESS::session data set session.inactivity_timeout 200
                ACCESS::session data set session.max_session_timeout 300
                log local0.notice "Inactivity and Max timeout set (2)" 
            }
            "*CN=SSL_Users_3*" {
                ACCESS::session data set session.inactivity_timeout 300
                ACCESS::session data set session.max_session_timeout 400
                log local0.notice "Inactivity and Max timeout set (3)" 
            }
        }
    }
}

&nbsp;

lucas_thompson_ · Answer

We generally recommend avoiding irules for simple situations like this where VPE rules can be used to have the same functionality. The main reasons are:&nbsp;
APMD/APD maintains a cache of user session variables to avoid calls to/from TMM's sessiondb where the variables are stored. These calls occur over a socket interface and are slower than APD/APMD using its cache directly. When you update session variables inside an irule during Access Policy evaluation, you are basically forcing a cache flush because APMD/APD can't know what "ACCESS::session data" you're using. "ACCESS::session data" operates on sessiondb directly, and not the sessvar cache.APM has a function to import and export Access Profiles. These do NOT include external irules. So, if you implement part of your session logic in irules and part in Access Policy, then the whole policy is not included in import/export.
The Variable Assign already has predefined settings for max session timeout and idle timeout, so you can just use those. You can also add an "empty" action and define branch rules with whatever TCL you want. Instead of being executed by TMM, these are executed directly in APD/APMD and DO use the cache. &nbsp;
The other advantage is that the policy can be clearly visualized for reports to managers, execs, whatever. And it makes supporting the whole solution much easier.&nbsp;

lucas_thompson_ · Answer

We generally recommend avoiding irules for simple situations like this where VPE rules can be used to have the same functionality. The main reasons are:&nbsp;
APMD/APD maintains a cache of user session variables to avoid calls to/from TMM's sessiondb where the variables are stored. These calls occur over a socket interface and are slower than APD/APMD using its cache directly. When you update session variables inside an irule during Access Policy evaluation, you are basically forcing a cache flush because APMD/APD can't know what "ACCESS::session data" you're using. "ACCESS::session data" operates on sessiondb directly, and not the sessvar cache.APM has a function to import and export Access Profiles. These do NOT include external irules. So, if you implement part of your session logic in irules and part in Access Policy, then the whole policy is not included in import/export.
The Variable Assign already has predefined settings for max session timeout and idle timeout, so you can just use those. You can also add an "empty" action and define branch rules with whatever TCL you want. Instead of being executed by TMM, these are executed directly in APD/APMD and DO use the cache. &nbsp;
The other advantage is that the policy can be clearly visualized for reports to managers, execs, whatever. And it makes supporting the whole solution much easier.&nbsp;

Forum Discussion

How to set different inactivity and Max session timeouts for the users in the different AD group

5 Replies

Recent Discussions

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Advise on setting up IRULE

Related Content

Copper SFP Differences

Different policies same destination and pool

Http monitor on different port

Disable vip that is listening on different ports

gtm sync group different software version