Session size garbage after an AD query, can I remove them?
Hello community, I'm using our BigIP as an IDP and we have about 20 federations to date. They all share the same VP and iRule. One of the federations needs to know, if somebody logs in and they are a manager, how many employees they have. I have found that this generates a lot of session variables, and I worry that I will exhaust the cache. So I wonder if there is any way to discard these session variables or mark them as garbage or something, because while it might be okay with these leftovers for managers with five employees, it's not okay for managers with five hundred! I'm curious if there is any way to discard these variables to exclude from the session?

This is what I do: I use the following LDAP filter to get all enabled users that have them in the manager attribute:

    (&(manager=CN=%{session.logon.last.username},OU=Users,OU=Organization,DC=Corp,DC=net)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

The filter works fine. To not make the query too expensive, I tried limiting the query to only the "c" attribute (country), which contains two letters only. However, dn is included and I can't change that, so I removed the "c" attribute.

This generates session output like this:

    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn CN=Tobias Anderson,OU=Users,OU=Organization,DC=Corp,DC=net
    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.1 CN=Philippe Hudson,OU=Users,OU=Organization,DC=Corp,DC=net
    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.2 CN=Jonas Gabriel,OU=Users,OU=Organization,DC=Corp,DC=net
    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.3 CN=Ted Miles,OU=Users,OU=Organization,DC=Corp,DC=net
    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.4 CN=Lars Hedin,OU=Users,OU=Organization,DC=Corp,DC=net
    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.5 CN=Tomas Jeffrey,OU=Users,OU=Organization,DC=Corp,DC=net
    ...

Now, I only care about how many employees they have, not who they are. As it stands now, we'll be populating a custom attribute in AD with this information instead, but I'm curious because we might end up with similar applications in the near future that may produce unwanted variables. Surely there must be some garbage collection functions or unset functions to tidy up our sessions? How would you guys implement this? Any ideas?

348 Views, 0 likes, 1 Comment

can't get APM to assign my variables
Hello, I've got to commit username as domain\username to a HTML5/RDP Gateway (Remote Spark) but I can't get it to work. I've got in my Policy, which is used for other Portal Access, a "Variable Assign" where I define the domain:

    session.logon.last.domain = bvk

I tried to add a new entry:

    session.logon.last.username = { "bvk\\[mcget {session.logon.last.username}]" }

but I can't see these variables in the session. All the other things in the Policy are working (Portal Access, Remote Desktop). Does somebody have an idea? Thanks a lot.

edit: working on Version 13

236 Views, 0 likes, 4 Comments

Stop processing iRule by referencing a variable
I've set a variable in an iRule named "stop_rule_processing" and its value is set to 1 if a particular iRule has a hit:

    priority 300
    when HTTP_REQUEST {
        if { [string tolower [HTTP::path]] starts_with "/staging" } {
            if { !([matchclass [IP::client_addr] equals IP_private_access])} {
                log local0. "Source address [IP::client_addr] not from Private pool, session discarded"
            } {
                discard
                set stop_rule_processing 1
            }
        }
    }

The other iRule checks if that variable is set to 1, and if it is I want to use "event disable" to stop rule processing immediately:

    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::path]] {
            "/staging*" {
                log local0. "PreProd URL detected from [IP::client_addr] , sending to preprod pool"
                pool PL-staging-pool
            }
            "/production*" {
                log local0. "Prod URL detected [IP::client_addr] , sending to prod pool"
                pool PL-production-pool
            }
        }
    }

However, I don't know how to check that variable at the beginning of the second rule. I've tried to use multiple syntax versions of the "if" command but can't get the syntax right.

738 Views, 0 likes, 10 Comments

Logging Variables
I have an iRule which performs the following:

1. Read the contents of the XML through an XML profile
2. Sets the variable 'id' to $XML::values($I)
3. If the value equals an entry in the data group, sends the traffic to pool_A
4. Else, sends the traffic to pool_B
5. Logs the variable 'id' and the pool member the traffic was sent to

This is the iRule:

    when XML_CONTENT_BASED_ROUTING {
        for {set i 0} { $i < $XML::count } {incr i} {
            set id $XML::values($i)
            if { ([matchclass $XML::values($i) equals DataGroup_by_Org])} {
                pool pool_A
            } else {
                pool pool_B
            }
        }
    }
    when LB_SELECTED {
        log local0. "3189: orgName $id sent to [LB::server addr]"
    }

I am having an issue with the logging portion. When I look at the log entry, the variable can't be read. This is the entry in the logs:

    Dec 15 14:39:09 local/tmm1 err tmm1[21886]: 01220001:3: TCL error: Routing_by_Org - can't read "id": no such variable while executing "log local0. "3189: orgName $id sent to [LB::server addr]""

1.3K Views, 0 likes, 8 Comments

SWG iRule reading session variable
We are using Secure Web Gateway as a forward proxy server. One of the iRules we have in place is passing data to another iRule via the Query String in the URL, which is causing problems. I'm trying to change this so that the variables we need to send are saved in session variables instead, but have only had partial success, I was hoping someone could shed some light on where I'm going wrong.

The first iRule is successfully storing the data into session variables:

    set host [HTTP::host]
    set uri [HTTP::uri]
    if {[ACCESS::session data get session.custom.initialhost] != "$host"} {
        ACCESS::session data set session.custom.initialhost "$host"
        ACCESS::session data set session.custom.initialurl "$uri"
    }

But the second iRule doesn't seem to be reading the data from these variables. I changed the lines:

    set uri_list [split [HTTP::uri] &]
    set new_uri [join [lrange $uri_list 3 end] "/"]
    set full_redirect "[lindex $uri_list 1]://[lindex $uri_list 2]/$new_uri"
    HTTP::redirect "$full_redirect"

to

    set uri_list [split [HTTP::uri] &]
    set new_uri [join [lrange $uri_list 3 end] "/"]
    set full_redirect "[ACCESS::session data get server.network.protocol]://[ACCESS::session data get session.custom.initialhost][ACCESS::session data get session.custom.initialurl]"
    HTTP::redirect "$full_redirect"

but it doesn't seem to have made any difference, the second iRule is still using the variables from the Query String rather than the session variables.

I had planned to tidy up the now unnecessary lines of code (i.e. to read the Query String data) after confirming the rule was working as expected. To troubleshoot, I did remove the extra lines including changing the first rule to not add the values to the Query String. The second iRule just behaved as if it had been passed blank variables. I even attempted to add extra plain text to the end of the set full_redirect string, but it didn't appear, almost as if the changes to the iRule hadn't been saved.

Is there something wrong with my code, or is there something wrong on the F5 causing it to fail to read the variables, or to execute the old (cached?) version of the iRule instead? Many thanks

473 Views, 0 likes, 0 Comments

Is there a list of ALL possible APM session variables available?
Hi guys, I am wondering, is there a list of all possible APM session variables available somewhere? I realized that dumping session.* through VPE Logging box does not actually show all session variables, although one would expect that. Or, for example, dumping session.user.* does not display session.user.ipgeolocation.country_code in APM log file. It does so only when I explicitly define this variable in the VPE Logging box.

There are a few lists on the AskF5 website, but none of them looks to be complete, many variables I know of are missing in those lists. I am about to create some customized reporting based on session variables and I would like to know all variables I can work with. If you have any idea, please let me know. Thanks a lot!

576 Views, 0 likes, 3 Comments

Custom session variable for filtered memberOf AD attribute
Can someone give me a pointer as to the best way to create a custom session variable that returns all AD groups that start with a certain string? I'm not sure if the best way to do it is with an LDAP query or with a TCL expression. We have some particular groups that all start with F5- and I'd like to only return those groups as a session variable.

783 Views, 0 likes, 6 Comments

APM version 12 (12.1.1) Session Variables
I'm having trouble finding some detailed documentation about session variables pertaining to version 12.

Example for version 10: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_sessionvars.html

Closest thing I have found for version 12.1.1: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-visual-policy-editor-12-1-0/6.html

Specifically, what I would like to know more about are the AV checks and the various session variables and their detailed explanations of what each variable is used for and their possible return values. Has anyone ever come across a document for this type of thing?

245 Views, 0 likes, 1 Comment

APM session variables in Advanced Customisation PHP files
Hi, Do you know, is it somehow possible to work with APM session variables in APM Advanced Customisation's PHP files and vice versa? Let's say:

- There are 3 different virtual servers - each VS uses different VIP with different URL (customerX.company.com)
- There is just 1 single APM policy used by all 3 VS

Now I would like to customise the logon page for each customer via Advanced Customisation (the basic customisation within VPE policy is not enough in this case). Let's say I am updating the header.inc file in Advanced Customisation and would like to do some simple if/else statement based on URL (if URL contains customer1 do this, if URL contains customer2 do that, etc.).

What set of variables is available for Advanced Customisation files? Is the URL also stored in some of the $GLOBALS[] variables? Can I get the content of Session Variables inside header.inc? Thanks for any tips/tricks :-)

195 Views, 0 likes, 0 Comments

Comparison with PHP Session Variable
Hi I have created a custom login screen and need the screen layout to be different depending on the URI. To do this I have created a PHP variable and set it to '%{session.server.landinguri}'. Based on this variable I want to build the logic to display the relevant screen design. In theory this should work but the variable does not convert to a string. If I echo the variable, it outputs the correct uri but if you try to do a comparison or any string function on the variable it does not work.

For example, if I have the following url: http://test.com/a

    $t = '%{session.server.landinguri}';
    echo $t;

The output is /a which is correct. By this logic the following code should output /a

    if ($t == '/a') {
        echo "URI = /a";
    } else {
        echo "error";
    }

But it does not output /a

Another example is:

    $t = '%{session.server.landinguri}';
    $t2 = substr($t, 1);
    echo $t;
    echo $t2;

This should output:

    /a
    a

but it outputs:

    /a
    {session.server.landinguri}

I have searched the forums and found a similar post. The solution was to use javascript and not PHP. Unfortunately for this problem I need to use PHP and not Javascript. If you have any suggestions on how to handle the URI or to make use of session variables to build the logic it would be appreciated. Thanks

453 Views, 0 likes, 1 Comment