Different Prelogin Inspection

Posted By mironduplessis on 6/15/2006 4:05 PM

 

 

Hi,

 

 

Does anyone know if it is possible to create different prelogin

 

inspections based on a user landing on a different URI, or a single prelogin inspection that runs different scans based on

 

a different landing URI or destination IP address.

 

 

Miron,

 

 

Absolutely. If you haven't received an answer yet, or figured it out, here's how you can do it (assuming that you've already built your custom URI landing pages, so they exist):

 

 

1) Create a new blank sequence and open it for editing in the visual policy editor.

 

 

2) Add a new inspection first that does not use one of the built-in inspectors, insert a new rule, and name it accordingly.

 

 

3) For the rule, you'll want to take advantage of the session.network.server.land_uri user variable, documented here:

 

 

http://devcentral.f5.com/Wiki/default.aspx/FirePass/EndPointSecuritySessionVariables.html

 

 

You will set its evaluation value to the name of your URI, such as "students" or "teachers"

 

 

4) Then you can push all of your existing eps checks after this very first check. So when a user logs in, the eps checks will be determined by their landing URI. Your results for this rule won't be "Allow Login" or "Deny Login", but instead will start sub-groups with your complete eps checks for your various groups.

 

 

Another helpful tip is to enable variable logging for all users, which dumps all eps variables to the logs on successful login. This is documented in the help. WARNING, it will fill up your logs if you leave it on forever.

 

 

Good luck!

 

 

rcrawley