AFM rules filtering based on Active Directory Grouping
Hi all,
I was posed with this question a few days ago. In AFM, we are able to do firewall rules based on VS. Then there is this question: if I wanted to do an AFM policy based on AD grouping, can we do that?
I noticed that when you create the rules for AFM, there is an option to insert an iRule. So technically, we should be able to create an ACL that uses the iRule to do an AD query for the group.
However, I searched through the iRules wiki and couldn't find any syntax that allows checking of AD grouping in iRules. I'd appreciate it if anyone could point me in the right direction.
3 Replies
- Kevin_Stewart
Employee
The basic problem here is the difference between OSI layers 4 and 7. AFM generally operates at layer 4, while any sort of authentication (i.e. AD group information) is going to be queried for/obtained/processed at layer 7. In other words, by the time you've queried AD, an AFM policy has already allowed the traffic to pass. Now you could create a block on subsequent requests, based on AD query status, but you'd have to let the first few L7 transactions happen.
- henry_kay_36032
Nimbostratus
Hi Kevin, thanks for the reply. Yep, I do realize the fundamental problem of this request.
If we approach this with an iRule in a VS: after the AD check, forward the traffic to another VS with the AFM rules in it.
Do you think this is possible? Or I should say practical.
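The two-VS design proposed in this reply, as an added illustration that is not code from the thread or from F5: an iRule on a front-end virtual server reads the AD group list that an APM access policy has already collected, and forwards members of the allowed group to a second virtual server that carries the AFM policy. The session variable name `session.ad.last.attr.memberOf`, the group name `FW-Allowed-Users`, the virtual server name `/Common/vs_internal_afm`, and the use of `virtual` inside `HTTP_REQUEST` are all assumptions for this example and depend on the actual access policy and configuration.

```tcl
# Added example, not from this thread or from F5. Assumptions: an APM access
# policy on this front-end virtual server has already run an AD Query, so the
# user's group list sits in session.ad.last.attr.memberOf (variable name depends
# on the access policy); a second virtual server /Common/vs_internal_afm carries
# the AFM policy; and the AD group FW-Allowed-Users is the one permitted through.
when HTTP_REQUEST {
    # Group list populated by the APM AD Query agent. It is empty until the
    # user has completed the access policy (logon), so let those early
    # requests through untouched for APM to handle.
    set groups [ACCESS::session data get "session.ad.last.attr.memberOf"]
    if { $groups eq "" } {
        return
    }

    # Only members of the assumed FW-Allowed-Users group are handed to the
    # AFM-protected virtual server; everyone else is rejected here at L7.
    if { [string tolower $groups] contains "cn=fw-allowed-users" } {
        virtual /Common/vs_internal_afm
    } else {
        log local0. "AFM forward denied for [IP::client_addr]: not in FW-Allowed-Users"
        HTTP::respond 403 content "Forbidden"
    }
}
```

This keeps the L4/L7 split from the first reply intact: the group decision happens at L7 on the front-end VS, and the AFM policy on `vs_internal_afm` still evaluates the forwarded connection at L4. Binding the internal VS to an address that is not reachable from outside means its AFM rules are only ever reached through the group check, and the `log` line gives a record of denied forwards for review.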
- henry_kay_36032
Nimbostratus
Thanks Kevin, for pointing me in the right direction. The solution that you provided should serve what I am aiming to achieve.
Really grateful for it. :)