Forum Discussion
SergeyAU
Altostratus
AltostratusAPM session policy based on IP address datagroup?
Hi everyone
We currently use LTM policy to use datagroup as ACL for virtual server access.
After LTM ACL is accepted, APM policy will create a session etc
But I was thinking to optimize it, so that LTM policy is not executed for every request while APM session is active
So, I am thinking of removing the LTM policy that does IP matching and adding a step in APM per-session policy to do IP matching. Under APM there are 2 areas that can be used - IP subnet matching or ACL matching
We have 100s, if not 1000s of IPs, and not sure if either of the 2 would be able to work with it without reaching limits of sorts. Have a call with F5 support to confirm the limits.
But I wanted to investigate the idea, if its possible to execute a policy/iRule from within APM that would use existing datagroup/external file datagroup to perform the check.
Can anyone assist with a clean way of doing it?
I am thinking having a step to execute iRule that inserts some sort of variable into APM session (say isIPAllowed) and then in the next step check if that isIPAllowed = 1 and branch out from there?
SergeyAUwhile reading various info, I am thinking that I dont need to do anything in the APM to only check for client IP once
Can use ACCESS_SESSION_STARTED iRule instead of the LTM policy CLIENT_ACCEPTED check.
Strange that there is no policy to work with APM...when ACCESS_SESSION_STARTED {
set user_subnet [ACCESS::session data get "session.user.clientip"]
if { ($user_subnet & 0xffffff00) != "192.168.255.0" } {
log local0.notice "Unauthorized subnet"
ACCESS::session remove
}
}
OR
when ACCESS_SESSION_STARTED {
if { [class match [IP::client_addr] eq <datagroup_name>] } {
log local0. "Dropped connection: client IP [IP::client_addr] is restricted."
ACCESS::session remove
drop
}
}