Forum Discussion

Nimbostratus

Feb 10, 2016

APM session table - find key based on value workaround?

Hi Trying to build the following logic: On the VS/AP with Network Access resource: User authenticates on the APM table set [ACCESS::session data get "session.user.sessionid"]...

BIG-IP Access Policy Manager (APM)

security

Kai_Wilke

MVP

Feb 10, 2016

Hi Amolari,

I guess a layered

[table]

and

[table -subtable]

approach would be the best choice.

1.) User authenticates on the APM

table set "ID_[ACCESS::session sid]" "" indefinite 84600

2.) User connects with Network Access, I add the assigned IP to the table

table append -mustexist "ID_[ACCESS::session sid]" "[ACCESS::session data get session.assigned.clientip]"
table set -subtable "IP_[ACCESS::session data get session.assigned.clientip]" "[ACCESS::session sid]" "" indefinite 84600

3.) User logs out or session times out

table delete -subtable "IP_[ACCESS::session data get session.assigned.clientip]" [ACCESS::session sid]
table delete "ID_[ACCESS::session sid]"

4.) Check for allowed client IPs

if { [table -keys -count -subtable "IP_[IP::client_addr]"] > 0 } then {
     Allow the request
}

Note: I've added the scenario that a single source IP would initiate multiple APM sessions. (in cause of Proxy/NAT)

Note: I've added a maximum lifetime for the table records to make sure they would getting flushed if something goes wrong...

*Note: What is the purpose of differentiating 1.) and 2.)? After my changes, I don't get the point of the "ID_[ACCESS::session sid]" table, at all?

Note: I'm certain unsure if 4.) covers your use case? But you may elaborate additional requirements on this...

Cheers, Kai

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)