Forum Discussion
APM session table - find key based on value workaround?
Hi
Trying to build the following logic:
On the VS/AP with Network Access resource:
- User authenticates on the APM
    table set [ACCESS::session data get "session.user.sessionid"] "" (in event ACCESS_POLICY_COMPLETED)
- User connects with Network Access, I add the assigned IP to the table
    table append -mustexist [ACCESS::session data get "session.user.sessionid"] [ACCESS::session data get session.assigned.clientip] (event HTTP_REQUEST, if URI starts with "/myvpn?sess=")
- User logs out or session times out
    table delete [ACCESS::session data get "session.user.sessionid"] (in event ACCESS_SESSION_CLOSED)
The user then connects to VS/AP on the same cluster but I should bypass authentication for him ("usability" argued) because he comes from NA and already authenticated. Access should be logged.
On other VS/AP I would like to call an iRule (through the VPE), if client source IP is in the NA_pool range, I verify the sessionID of his NA session based on his client_ip and log it.
Issue: no way to lookup table's key based on the value.
Table will remain small with max 500 rows.
Glad for any input.
1 Reply
Hi Amolari,
I guess a layered [table] and [table -subtable] approach would be the best choice.

1.) User authenticates on the APM
    table set "ID_[ACCESS::session sid]" "" indefinite 84600

2.) User connects with Network Access, I add the assigned IP to the table
    table append -mustexist "ID_[ACCESS::session sid]" "[ACCESS::session data get session.assigned.clientip]"
    table set -subtable "IP_[ACCESS::session data get session.assigned.clientip]" "[ACCESS::session sid]" "" indefinite 84600

3.) User logs out or session times out
    table delete -subtable "IP_[ACCESS::session data get session.assigned.clientip]" [ACCESS::session sid]
    table delete "ID_[ACCESS::session sid]"

4.) Check for allowed client IPs
    if { [table keys -subtable "IP_[IP::client_addr]" -count] > 0 } then {
        # Allow the request
    }

Note: I've added the scenario that a single source IP would initiate multiple APM sessions. (in case of Proxy/NAT)
Note: I've added a maximum lifetime for the table records to make sure they would get flushed if something goes wrong...
Note: What is the purpose of differentiating 1.) and 2.)? After my changes, I don't get the point of the "ID_[ACCESS::session sid]" table, at all?
Note: I'm unsure if 4.) covers your use case? But you may elaborate additional requirements on this...
Cheers, Kai
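The reverse lookup the question asks for (session ID from client IP, then log it), built on the "IP_<address>" subtable from the reply above. This is an added example, not code from either poster: the agent ID "na_lookup" and the session.custom.* variable names are assumptions, and refusing the shortcut when the lookup is not unambiguous is a design choice made here.

```tcl
# Added example. Assumes the VPE has an "iRule Event" agent whose ID is
# "na_lookup" (hypothetical) on the second VS/AP, and that the
# "IP_<address>" subtables are filled as in steps 2.) and 3.) of the reply.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "na_lookup" } { return }

    set ip [IP::client_addr]
    set live [list]

    # The keys of subtable IP_<ip> are the session IDs recorded for this address.
    foreach sid [table keys -subtable "IP_$ip" -notouch] {
        if { [ACCESS::session exists -state_allow -sid $sid] } {
            lappend live $sid
        } else {
            # The NA session is gone but its mapping survived (missed
            # ACCESS_SESSION_CLOSED, lease pool address reused, ...).
            # Drop it so the address alone never vouches for anyone.
            table delete -subtable "IP_$ip" $sid
            log local0.notice "NA lookup: removed stale mapping $ip -> $sid"
        }
    }

    if { [llength $live] == 1 } {
        set na_sid [lindex $live 0]
        set user [ACCESS::session data get -sid $na_sid "session.logon.last.username"]
        # session.custom.* names are hypothetical; the VPE branches on them.
        ACCESS::session data set "session.custom.na_sid" $na_sid
        ACCESS::session data set "session.custom.na_user" $user
        log local0.info "NA lookup: $ip belongs to NA session $na_sid (user $user)"
    } else {
        # Zero or several live sessions behind one address: leave the
        # variable empty so the policy falls through to normal authentication.
        ACCESS::session data set "session.custom.na_sid" ""
        log local0.warning "NA lookup: $ip maps to [llength $live] live sessions, no bypass"
    }
}
```

In the VPE, the branch after the iRule Event agent would test whether session.custom.na_sid is non-empty; every decision, including refusals, is written to the local0 log.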