Forum Discussion

SergeyAU
Mar 13, 2024

APM session policy based on IP address datagroup?

Hi everyone

We currently use LTM policy to use datagroup as ACL for virtual server access.
After the LTM ACL is accepted, the APM policy will create a session, etc.

But I was thinking of optimizing it, so that the LTM policy is not executed for every request while an APM session is active.

So, I am thinking of removing the LTM policy that does IP matching and adding a step in the APM per-session policy to do IP matching. Under APM there are 2 areas that can be used - IP subnet matching or ACL matching.

We have 100s, if not 1000s, of IPs, and I'm not sure if either of the 2 would be able to work with it without reaching limits of some sort. I have a call with F5 support to confirm the limits.

But I wanted to investigate the idea, if it's possible to execute a policy/iRule from within APM that would use the existing datagroup/external file datagroup to perform the check.

Can anyone assist with a clean way of doing it?
I am thinking of having a step that executes an iRule that inserts some sort of variable into the APM session (say isIPAllowed) and then, in the next step, checks if that isIPAllowed = 1 and branches out from there?

  • While reading various info, I am thinking that I don't need to do anything in the APM to only check for the client IP once.

    Can use an ACCESS_SESSION_STARTED iRule instead of the LTM policy CLIENT_ACCEPTED check.
    Strange that there is no policy to work with APM...


    when ACCESS_SESSION_STARTED {
        # session.user.clientip holds the client IP of the APM session being created
        set user_ip [ACCESS::session data get "session.user.clientip"]
        # Compare against the /24 with IP::addr; a bitwise "&" on an IP string
        # is not valid inside a Tcl expr, so the mask is applied by IP::addr
        if { ![IP::addr $user_ip equals 192.168.255.0/24] } {
            log local0.notice "Unauthorized subnet for client $user_ip"
            # Tear down the session that was just started
            ACCESS::session remove
        }
    }

    OR

    when ACCESS_SESSION_STARTED {
        # <datagroup_name> is a placeholder for an address-type data group of restricted IPs;
        # "equals" (not "eq") gives subnet-aware matching against address data groups
        if { [class match [IP::client_addr] equals <datagroup_name>] } {
            log local0. "Dropped connection: client IP [IP::client_addr] is restricted."
            ACCESS::session remove
            drop
        }
    }
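The variant the original question describes (an iRule step that writes a session variable, followed by a branch on it in the next policy step), as an added example that is not part of the original post. It assumes an address-type data group named allowed_client_ips used as an allowlist and an "iRule Event" agent in the per-session policy whose ID is check_client_ip; both names are hypothetical.

```tcl
# Added example, not from the original post.
# Assumptions (hypothetical names): an address data group "allowed_client_ips"
# holding the permitted client IPs/subnets, and an APM per-session policy that
# contains an "iRule Event" agent with ID "check_client_ip".
when ACCESS_POLICY_AGENT_EVENT {
    # Only act for our agent; other iRule Event agents in the policy share this event
    if { [ACCESS::policy agent_id] eq "check_client_ip" } {
        set client_ip [IP::client_addr]
        # "equals" does subnet matching for address-type data groups,
        # so entries like 10.0.0.0/8 match as well as single hosts
        if { [class match $client_ip equals allowed_client_ips] } {
            ACCESS::session data set session.custom.isIPAllowed 1
        } else {
            # Default-deny: record the decision for the policy and log it for review
            ACCESS::session data set session.custom.isIPAllowed 0
            log local0.notice "APM: client $client_ip not in allowed_client_ips"
        }
    }
}

# In the Visual Policy Editor, the branch rule on the agent that follows the
# iRule Event agent (for example an Empty agent) can then be:
#   expr { [mcget {session.custom.isIPAllowed}] == 1 }
# Route the "Allowed" branch to authentication and the fallback branch to Deny,
# so an unset variable also ends in Deny.
```

Because the check runs once, inside the per-session policy, an established session is not re-evaluated on every request; the data group is consulted only while the session is being built.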