For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

SergeyAU's avatar
SergeyAU
Icon for Altostratus rankAltostratus
Mar 13, 2024

APM session policy based on IP address datagroup?

Hi everyone We currently use LTM policy to use datagroup as ACL for virtual server access. After LTM ACL is accepted, APM policy will create a session etc But I was thinking to optimize it, so tha...
BIG-IP Access Policy Manager (APM)
datagroup
per session policy
SergeyAU's avatar
SergeyAU
Icon for Altostratus rankAltostratus
Mar 13, 2024

while reading various info, I am thinking that I dont need to do anything in the APM to only check for client IP once

Can use ACCESS_SESSION_STARTED iRule instead of the LTM policy CLIENT_ACCEPTED check.
Strange that there is no policy to work with APM...

 

when ACCESS_SESSION_STARTED {

set user_subnet [ACCESS::session data get "session.user.clientip"]

if { ($user_subnet & 0xffffff00) != "192.168.255.0" } {

log local0.notice "Unauthorized subnet"

ACCESS::session remove

}

}

OR

when ACCESS_SESSION_STARTED {
if { [class match [IP::client_addr] eq <datagroup_name>] } {
log local0. "Dropped connection: client IP [IP::client_addr] is restricted."
ACCESS::session remove
drop
}
}