
Forum Discussion

williamc_154806
Nimbostratus
Sep 20, 2014

Apply Access Policy Update Automatically after a failover.

Hi, is there a way to set an iRule or some other option which will automatically apply an access policy update, either based on a time interval or a set time, or preferably apply an access policy update if the APM status changes from standby to active (i.e. when a failover occurs)?

We have an issue where the webtop icons (items like portal link icons, RDP desktop icons, host files) disappear if a failover occurs, and the only way to bring these icons back is to apply an update to our access policy (so our access policy is correct; it's just that the F5 device doesn't apply the access policy during the failover).

By automating the access policy update, even if a failover occurs and the icons disappear, the policy will update and refresh itself to display the icons again.

Wondering if this is possible? Thanks.

Running: 11.5.1 HF4 APM

 

4 Replies

  • I don't believe iRules can apply policies or are HA status aware. If you want to do something like this, you will probably have to write a shell script that checks for failovers and then applies it.

     

  • You can't, but your behaviour is not normal. You should see your icons after the failover. Icons are stored on the BIG-IP and the configuration file (the policy) references these icons. I do not understand why you have to apply to make them visible.

     

  • Well, so technically you can update an access policy from a TMSH command:

    tmsh modify apm profile access [policy name] generation-action increment
    

    But as Matthieu declares, you have a bigger problem if icons are disappearing on failover.
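Putting the two suggestions above together (a script that notices the failover, and the tmsh generation-action increment command), here is an added example that is not from the original thread, from F5 or from any of the posters: a POSIX sh watcher that polls tmsh show sys failover and re-applies the policy only on the standby-to-active transition, so a unit that is simply running as active is left alone. The wording of the tmsh show sys failover output ("Failover active ..." / "Failover standby ..."), the policy name /Common/my_apm_policy, the state file path and the poll interval are assumptions; check them on your own unit before relying on this.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): re-apply an APM access policy
# when this BIG-IP goes from standby to active.
# Assumptions: `tmsh show sys failover` prints a line containing "Failover active"
# or "Failover standby"; the policy name, state file and interval below are
# placeholders to adjust.

POLICY_NAME="${POLICY_NAME:-/Common/my_apm_policy}"   # assumed policy name
POLL_SECONDS="${POLL_SECONDS:-5}"                      # assumed poll interval
STATE_FILE="${STATE_FILE:-/var/tmp/apm_last_failover_state}"

# Reduce the text of `tmsh show sys failover` to one of: active, standby, unknown.
# Anything unexpected (empty output, tmsh error) maps to "unknown" so that a
# transient tmsh failure never looks like a state change.
parse_failover_state() {
    case "$1" in
        *"Failover active"*)  echo active ;;
        *"Failover standby"*) echo standby ;;
        *)                    echo unknown ;;
    esac
}

# Decide what to do given the previous and current state. Only the
# standby -> active transition triggers a re-apply; starting the watcher on an
# already-active unit (prev=unknown) does nothing, and active -> active is a no-op.
decide_action() {
    prev="$1"
    cur="$2"
    if [ "$cur" = active ] && [ "$prev" = standby ]; then
        echo apply
    else
        echo none
    fi
}

# The command from the reply above: bump the policy generation so APM re-applies it.
apply_policy() {
    tmsh modify apm profile access "$1" generation-action increment
}

# Read the live state from tmsh (only called from the loop, never in tests).
read_failover_state() {
    parse_failover_state "$(tmsh show sys failover 2>/dev/null)"
}

# Poll forever, remembering the last state across restarts in STATE_FILE so a
# watcher restarted on a standby unit still catches the next failover.
monitor_loop() {
    prev=$(cat "$STATE_FILE" 2>/dev/null || echo unknown)
    while :; do
        cur=$(read_failover_state)
        if [ "$(decide_action "$prev" "$cur")" = apply ]; then
            logger -t apm-reapply "failover ${prev}->${cur}: applying ${POLICY_NAME}"
            apply_policy "$POLICY_NAME"
        fi
        echo "$cur" > "$STATE_FILE"
        prev="$cur"
        sleep "$POLL_SECONDS"
    done
}

# Only enter the loop when invoked as `sh apm_reapply.sh run`, so the helper
# functions can be sourced and exercised without touching tmsh.
if [ "${1:-}" = run ]; then
    monitor_loop
fi
```

Start it with `sh apm_reapply.sh run` from something that keeps it alive across reboots (a cron @reboot entry, for example), and keep the script and STATE_FILE writable only by the account that runs it, since whatever can edit them can trigger tmsh policy changes. If your version supports F5's failover hook scripts (/config/failover/active is the usual path; confirm this in F5's documentation for your release), calling apply_policy from that hook avoids polling entirely. Either way this is a workaround: as the reply above notes, icons vanishing on failover points at a problem worth raising with F5 support rather than papering over.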

  • As per the other thread, we see a similar issue.

    Interested to know if you see the partial failure. So some users work, some don't, which seems very odd. It can't be session specific as it persists for that user, but it can't be simply the policy either, as some users work and some don't. Wondering if it is something silly like the ordering of Active Directory group information, but I can't see what this has to do with failover.