[APM] ACL Interest
Hi, I have been integrating F5 SSL VPN using APM for many weeks now.
Our user population is likely to use the following elements:
- Portal Access
- RDP Access
- Network Access
My questions are about Network Access. Today, I use Network Access to allocate the same IP address inside and outside the enterprise (the F5 has an interface in every enterprise LAN).
After that, I have as many forwarding VSs as enterprise LANs. On each forwarding IP I have this iRule:
    when CLIENT_ACCEPTED {
        # Only Network Access clients from the 192.168.160.0/23 pool are forwarded
        if { [IP::addr [IP::client_addr] equals 192.168.160.0/255.255.254.0] } {
            # Send the traffic to the LAN gateway for this range
            node 192.168.160.1
        } else {
            # Anything else is logged and rejected
            log local0. "[IP::client_addr] access problem"
            reject
        }
    }
This iRule sends traffic to the gateway 192.168.160.1 if the Network Access IP is in the 192.168.160.0/23 range.
This system works perfectly, but I have questions about it:
I have an ACL that looks like this:
- Src : 192.168.160.0/23
- Destination : 0.0.0.0
- Port : Any
- Allow
My firewalls are there to do the filtering, not APM.
This morning I realized that if I remove this ACL, nothing changes; everything still works perfectly.
Isn't my F5 supposed to filter when there is no ACL? In that case, what is the interest of ACLs (only portal mode)?
Thanks a lot for your answers.
Stanislas_Piro2 (Cumulonimbus):
If no ACL is assigned to an APM session, nothing is blocked.
The main goal of ACLs is to manage authorization based on the user session (group membership, partners not allowed to reach some networks, ...).
A network firewall will filter based on IP; APM will filter based on multiple criteria. That's why the product is called Access Policy Manager :-)
ACLs can be used for L4 (with Network Access) and/or for L7 (Portal Access, Remote Desktop, App Tunnel).
If an L4 ACL matches an L7 request because the L4 ACL is above the Portal Access ACL with SSO, the action of the L4 ACL will be applied without SSO.
When working with Portal Access, all requests are initiated with the APM IP, so the firewall won't be able to filter which user is allowed to access resources.
If you don't put a default drop ACL with the highest number, a user connected to Portal Access will be allowed by APM to browse all internal resources. If APM has a default drop ACL, it will display a blocking page; if this is done by the firewall, the request will be dropped without a blocking page.
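As an added illustration of the evaluation order described in this answer (a simplified model written for this page, not F5's APM code), the following Python models per-session ACL matching: no assigned ACL means allow, the lowest-ordered matching entry wins, an L4 entry ordered above the Portal Access entry is applied without SSO, and a default drop ordered last produces an APM block page. The entry names, the 10.10.5.0/24 intranet destination and the order numbers are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class AclEntry:
    order: int            # lower order is evaluated first; the "highest number" runs last
    action: str           # "allow" or "reject"
    src: str              # source subnet (client / Network Access IP)
    dst: str              # destination subnet; 0.0.0.0/0 means any
    layer: str = "L4"     # "L4" (Network Access) or "L7" (Portal Access etc.)
    sso: bool = False     # only meaningful on an L7 entry


@dataclass
class Decision:
    action: str
    sso: bool                 # True only when an L7 SSO entry was the match
    matched: Optional[int]    # order of the matching entry, None if none matched


def evaluate(acls, src_ip, dst_ip):
    """First matching entry in ascending order wins. With no ACL assigned to
    the session nothing is blocked, which is the behaviour the poster observed."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for e in sorted(acls, key=lambda e: e.order):
        if src in ip_network(e.src) and dst in ip_network(e.dst):
            # An L4 entry ordered above the L7 entry also catches portal
            # requests, so its action is applied without SSO.
            return Decision(e.action, bool(e.sso and e.layer == "L7"), e.order)
    return Decision("allow", False, None)


def shows_block_page(d):
    """An APM reject shows a block page; a drop on the network firewall would not."""
    return d.action == "reject" and d.matched is not None


# Constructed sample: the poster's allow entry, a Portal Access entry with SSO
# for a hypothetical 10.10.5.0/24 intranet, and a default drop ordered last.
NA_ALLOW = AclEntry(10, "allow", "192.168.160.0/23", "0.0.0.0/0")
PORTAL_SSO = AclEntry(20, "allow", "0.0.0.0/0", "10.10.5.0/24", layer="L7", sso=True)
DEFAULT_DROP = AclEntry(999, "reject", "0.0.0.0/0", "0.0.0.0/0")

if __name__ == "__main__":
    print(evaluate([], "192.168.160.5", "10.10.5.7"))                                   # no ACL: allowed
    print(evaluate([NA_ALLOW, PORTAL_SSO, DEFAULT_DROP], "192.168.160.5", "10.10.5.7"))  # L4 wins, no SSO
    print(evaluate([PORTAL_SSO, DEFAULT_DROP], "192.168.160.5", "10.10.5.7"))            # L7 wins, SSO
    print(evaluate([NA_ALLOW, DEFAULT_DROP], "10.99.0.3", "10.10.5.7"))                  # default drop
```

Reordering PORTAL_SSO below 10 reproduces the answer's SSO-lost case; removing DEFAULT_DROP reproduces the "everything allowed" case the poster saw.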