APM - hostname evaluation and client authentication

Question

Hello All,&nbsp;
I build a policy that depending of the hostname requested by the client, a client certificate is require or not.&nbsp;
This is the view of my policy :&nbsp;
&nbsp;
The two boxes "Hostname 2 ways" and "Hostname 1 way" are empty box.
Within the box the following expression :&nbsp;
"Hostname 2 ways" : Expression: expr { [mcget {session.network.name}] contains "foo" and contains "test.com"}&nbsp;
"Hostname 1 way" : Expression: expr { [mcget {session.network.name}] contains "bar" and contains "test.com"}&nbsp;
During the test, i have an error message saying that the session couldn't be established.&nbsp;
On the APM report i have the following information :&nbsp;
Access policy result: Logon_Deny&nbsp;
Rule evaluation failed with error: syntax error in expression " [mcget {session.network.name}] cont&nbsp;
Is someone have an idea of what i'm doing wrong ?&nbsp;
Thank you for your help&nbsp;

stanislas_piro2 · Answer

Hi,
expr { [mcget {session.network.name}] contains "foo" and contains "test.com"}

is not a good expression
expr { ([mcget {session.network.name}] contains "foo") &amp;&amp; ([mcget {session.network.name}] contains "test.com")}

if the domain is test.com, it's better to use ends_with instead of contains
Why do you create 2 boxes for hostname check? you can create a second branch in the first box?

janek_42109 · Answer

Hello Stanislas,&nbsp;
Thank you for your reply&nbsp;
I don't have the error message anymore, but it's still not working as i wish, so i will follow your advice about using only one box for hostname check to simplify the policy.&nbsp;

jkreyes_313300 · Answer

Hi Stanislas,&nbsp;
For the expression &nbsp;
expr { [mcget {session.client.hostname}] contains "HTPA387" }&nbsp;
If i want to allow multiple hostnames, which adding additional branches are not efficient, how can i just add the list of hostnames?&nbsp;

youssef1 · Answer

Hi,&nbsp;
If you want to add add list of hostname, you can do this:&nbsp;
expr { [mcget {session.client.hostname}] contains "HTPA387" || [mcget {session.client.hostname}] contains "hostname2" || [mcget {session.client.hostname}] contains "hostname3" }&nbsp;
Regards&nbsp;

jkreyes_313300 · Answer

Thanks a lot.&nbsp;

Forum Discussion

APM - hostname evaluation and client authentication

5 Replies

Bram - January 2026 Featured Member

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

2026 301a exam

How can I measure Advanced WAF (ASM) throughput on a running BIG-IP VE (per VIP / per policy)?

Question about adding VEs to existing physical appliance device group without ASM licenses

What is the best practice for migrating from iseries to rseries?

BIG-IP i11000 – License compatibility with TMOS versions above 14.1.2 and Web GUI inaccessible

Related Content

Intermediate iRules: Evaluating Performance

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

iControl REST Authentication Token Management

Doing mTLS Authentication per URL

F5 Distributed Cloud Network Firewall Rule Evaluation and Packet Flow

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS