Forum Discussion

Evan_Champion_1's avatar
Evan_Champion_1
Icon for Cirrus rankCirrus
Aug 25, 2016

APM set network access resource variable from iRule

I am trying to set network access resources variables relating to split tunneling via an iRule. Is this possible and if so can you explain how to achieve?

I have set network access resource variables in VPE by adding a variable assignment like:

config.connectivity_resource_network_access..split_tunneling = expr { 0 }

(and I am aware of how the value 

0
gets actually set as
"0"
).

When I try to set this via an iRule like:

ACCESS::session data set config.connectivity_resource_network_access..split_tunneling "0"

the config variable is not set, and I don't achieve no split tunneling. I have verified that the iRule is actually executed. I have tried setting in an iRule event (ACCESS_POLICY_AGENT_EVENT) and also in ACCESS_POLICY_COMPLETED, just in case.

The reason why I want to do this is because I have lots of network access resources and don't want to have to make a separate no-split tunnel versions of them. When you set in VPE using a variable assign you have to specify the exact network resource to change. Instead I wanted to get the assigned network access resource from session.assigned.resources.na, and then set the split tunnelling-related variables for the assigned resource.

Thank you!

Evan

BIG-IP Access Policy Manager (APM)
iRules
security

2 Replies

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Aug 25, 2016

    Hi,

    Did you try to insert an expression in the variable name? I never tried it, update this thread if it works.

    config.connectivity_resource_network_access.[mcget {session.assigned.resources.na}].split_tunneling = expr { 0 }
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Aug 26, 2016

    Hi,

    you need to define 2 variables:

    [stanislas@F5adm:Active:Standalone] ~  sessiondump --allkeys | grep -i split
14780e3f.config.connectivity_resource_network_access./Common/myna.client.SplitTunneling 36 2
14780e3f.config.connectivity_resource_network_access./Common/myna.split_tunneling 36 0

    The following irule write variables as expected:

    when ACCESS_POLICY_COMPLETED {
    if { [ACCESS::policy result] equals "allow" } {
        foreach naprofile [ACCESS::session data get session.assigned.resources.na] {
            ACCESS::session data set "config.connectivity_resource_network_access.$naprofile.split_tunneling" "0"
            ACCESS::session data set "config.connectivity_resource_network_access.$naprofile.client.SplitTunneling" "2"
        }
    }
}