Forum Discussion
APM ACL what is source for IP evaluated
Hi,
I am struggling to figure out what the basis is for the IP evaluated by, for example, a Static ACL in APM. As far as I understand, ACL objects in the VPE are only evaluated during Access Policy processing (between ACCESS_SESSION_STARTED and ACCESS_POLICY_COMPLETED), but using ACCESS_ACL_ALLOWED (or denied) I can use ACCESS::acl eval to do per-request ACLs. The question is: what is used as the src and dst IP for ACL evaluation? Is it one of the Access Policy variables or the actual IPs based on the flow? I am asking because I would like to create an ACL for a forward proxy VS. In this case I can see the client IP as the src IP, but the dst IP is the VS IP, not the target server IP (the proxy is doing DNS on the HTTP proxy request URI, like GET http://www.site.com/something/index.html HTTP/1.1), so in L3/L4 there is no real dst IP known. My idea was to use the host from the HTTP proxy URI (do a DNS resolve and pass it to an access session variable so the ACL can use it to evaluate), but not knowing whether evaluation is based on session variables makes me wonder if this will work.
Piotr