Forum Discussion

Cirrostratus

Oct 19, 2021

APM IP Subnet Match - single IP list

Hello, I am trying to figure out the best way to reference a single list of IP's in a few different access policies. Having this would allow me to just maintain one subnet match list and when upd...

application delivery

BIG-IP Access Policy Manager (APM)

iRules

spalande
Oct 21, 2021
You can create a macro. In macro, select the server side security and IP subnet match for user's range. Call that macro in VPE.

For other option of iRule, you can use something like below

when ACCESS_POLICY_AGENT_EVENT { if { ([ACCESS::policy agent_id] eq "match") and (class match [IP::client_addr] equals kerberos_apm_subnet_match])}{ ACCESS::session data set session.custom.ip 0 } else { ACCESS::session data set session.custom.ip 1 } }

event ID should be "match" and expression should be "expr { [mcget {session.custom.ip}] == 0 }" to match the user subnet

spalande

Nacreous

Oct 21, 2021

You can create a macro. In macro, select the server side security and IP subnet match for user's range. Call that macro in VPE.

For other option of iRule, you can use something like below

when ACCESS_POLICY_AGENT_EVENT {
    if { ([ACCESS::policy agent_id] eq "match") and (class match [IP::client_addr] equals kerberos_apm_subnet_match])}{
    ACCESS::session data set session.custom.ip 0
 	} else {
	ACCESS::session data set session.custom.ip 1
	}
 }

event ID should be "match" and expression should be "expr { [mcget {session.custom.ip}] == 0 }" to match the user subnet

Nolan_Jensen
Cirrostratus
Oct 21, 2021
SanjayP,

Wow thank you very much the iRule and iRule event is working on my first quick pass at testing. I am going to do more testing and will mark this as answer once I am able to do so.

Thank you again for your help I greatly appreciate it!

Note: for anyone else who comes across this there is a minor code error in above iRule so here is the working one.
when ACCESS_POLICY_AGENT_EVENT { if { ([ACCESS::policy agent_id] eq "match") and [class match [IP::client_addr] equals kerberos_apm_subnet_match] } { ACCESS::session data set session.custom.ip 0 } else { ACCESS::session data set session.custom.ip 1 } }

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

APM IP Subnet Match - single IP list

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

Brute Force protection for single parameter like OTP

single slot multiple core vs multiple slot single core

Remove subnet from NAT pools without any impact

No matches under XML_CONTENT_BASED_ROUTING

Multiple SNAT pools under a single VIP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS