For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ilija_Stankovsk's avatar
Ilija_Stankovsk
Icon for Nimbostratus rankNimbostratus
Feb 03, 2017

APM ACCESS::acl eval and dynamic ACLs

Can someone please clarify what is the argument type for the "ACCESS::acl eval" command? Does it take:

 

  • Userdefined ACLs
  • Dynamic ACLs

Also, will it accapt F5 ACL syntax as used in definitions for dynamic ACLs? (E.g. {allow http any 1.2.3.4 *} etc.)

 

The use case behind this question is the ability to reload and evaluate complex dynamic ACLs per request in order to apply new ACLs mid session without forcing the user to start a new session.

 

The "ACCESS::acl eval" command is called through the ACCESS_ACL_ALLOWED and ACCESS_ACL_DENIED events for each request.

 

Thank you in advance.

 

application delivery
BIG-IP Access Policy Manager (APM)

1 Reply

  • Ilija_Stankovsk's avatar
    Ilija_Stankovsk
    Icon for Nimbostratus rankNimbostratus
    Aug 10, 2017

    After a ticket with the F5 support team, it turned out that the "ACCESS::acl eval" can be used to re-evaluate static, user defined ACLs and not dynamic ACLs. Hopefully documentation will be updated in the iRule wiki to show that clearly.

     

    Also a feature request was submitted to expand the scope of the "ACCESS::acl eval" command to also work with dynamic ACLs. Will it ever show up in a release? Time will tell.