APM - Adding a working iRule to an APM iRule event
I have this iRule that works on sending requests to different pools based on URI keywords. It works great, but I am now trying to incorporate it into the APM Access Policy. I am using the iRule editor, but it doesn't like the format of the code. How do I trigger the ACCESS_POLICY_AGENT_EVENT for APM?
Here is the working iRule:
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "/" -
        "/myabc/*" -
        "/claims/*" -
        "/client/*" -
        "/claimsdesktop/*" { pool Pool_new }
        "/services/*" { pool Pool_app }
        "/infoapp/*" { pool Pool_bo }
        default { pool Pool_legacy }
    }
}
This is the ACCESS_POLICY_AGENT_EVENT I am trying to add:
when ACCESS_POLICY_AGENT_EVENT {
if {[ACCESS::policy agent_id] == "decide"} {
- Eric_St__John (Employee): Using the iRule Event object in the VPE. That event will only fire when the connection is running through the policy and reaches the iRule Event object.
- Kyle_S (Nimbostratus): Yes. I am going to use the keyword "decide" as the iRule Event ID. I am going to add the iRule event into the Access Policy, but how do I write the iRule? I can't just put the line "when ACCESS_POLICY_AGENT_EVENT" on top of the existing rule... can I? The editor didn't like that the "when" statement didn't have an action to it.
- Eric_St__John (Employee): You wouldn't be able to use ACCESS_POLICY_AGENT_EVENT to do pool selection based on URI, since that event only fires one time as the policy is being evaluated. Once the allow or deny has occurred, the policy does not run through again.
- Kevin_Stewart (Employee): ACCESS_POLICY_AGENT_EVENT is a regular event, so the following works:
- Kyle_S (Nimbostratus): I thought that I could have used the iRule event before the Allow. I was hoping to complete the Access Policy by having the iRule Event forward the traffic to the appropriate pool. Currently the traffic goes through the APM and gets sent to the Default Pool selected in the Virtual Server resources tab. I have the iRule above working on a different VS directing to different pools by the URI keywords, but I do not have an Access Policy used at this time. The Access Policy would be used for AD_AUTH, Logon page, and SSO credentials. I am a little confused on using the ACCESS_ACL_ALLOWED event. I thought that was to use an L4 or L7 access list for permitting or denying, not directing to a certain pool.
- Kevin_Stewart (Employee): For what it's worth, APM now (11.1 I believe) sports a pool resource assignment in the VPE.
- brad_11480 (Nimbostratus)
I created an iRule and associated it with the virtual server using APM.
when ACCESS_POLICY_AGENT_EVENT {
    set agentid [ACCESS::policy agent_id]
    switch $agentid
    :
    :
}
In the VPE I have constructed a flow that should trigger this iRule more than once with different event agent id's. I have a log local0. and see that the first one works fine, but it doesn't seem to trigger the iRule again when it flows to another iRule item.
Start -> Logon Page -> iRule -> RADIUS Auth -> Success -> iRule Event1
Fallback -> iRule Event2
I get the log for the first iRule but nothing for iRule Event1 or iRule Event2.
What gives?
- brad_11480 (Nimbostratus)
It seems that if it is on the success side of the RADIUS Auth, the iRule triggers. The iRule on the 'fallback' side does not trigger.
- Kevin_Stewart (Employee)
I just tried this on 11.3 HF5 and the iRule event is triggered on the fallback branch. If you put a message box on the fallback branch, do you see that when Radius Auth fails?
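
The split discussed in the thread, as an added example that is not code from any of the posters: one-time logic in ACCESS_POLICY_AGENT_EVENT keyed on the "decide" agent ID, and per-request URI routing in ACCESS_ACL_ALLOWED, the event Kyle_S asks about. Pool names and the agent ID are taken from the original post; the session variable name `session.custom.decide_seen` is an assumption made up for this illustration.

```tcl
# Added illustration, not from the thread.

# Fires once per session, when policy evaluation reaches the iRule Event
# object whose ID is "decide". It does not fire again on later requests,
# so it cannot be used for per-request pool selection.
when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "decide" {
            log local0. "APM iRule Event 'decide' reached"
            # Hypothetical custom session variable, usable later in the
            # policy or in other iRule events for this session.
            ACCESS::session data set session.custom.decide_seen 1
        }
    }
}

# Fires for each request that has already passed the access policy and
# any ACLs. Routing here means only requests from an allowed session
# ever reach the pool-selection logic.
when ACCESS_ACL_ALLOWED {
    switch -glob [string tolower [HTTP::uri]] {
        "/" -
        "/myabc/*" -
        "/claims/*" -
        "/client/*" -
        "/claimsdesktop/*" { pool Pool_new }
        "/services/*" { pool Pool_app }
        "/infoapp/*" { pool Pool_bo }
        default { pool Pool_legacy }
    }
}
```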