For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

TedSmith_143757's avatar
TedSmith_143757
Icon for Nimbostratus rankNimbostratus
Apr 02, 2014

Forward to VS based on URI? - firepass to APM migration

Hi, we are currently migrating from Firepass to APM, currently we have a load of URI's that people connect to on the firepass and get various policies applied and customisation depending on which one they connect to.

 

I was wondering if it is possible to use an iRule in APM to forward requests to a VS with a sepecific access policy assosiated with it. I know you can have a uri check in the VPE but I think that the policy could start to get very large if we have say 20 braches coming off the URI check with a separate logon page and resource assign on each (although I guess we could have each branch going to a macro and leep it tidy that way). I think it would be neater to have one access policy per uri.

 

Does anyone out there do something in a similar way?

 

Many thanks

 

application delivery
BIG-IP Access Policy Manager (APM)
devops
iRules
security

6 Replies

  • John_Alam_45640's avatar
    John_Alam_45640
    Historic F5 Account
    Apr 02, 2014

    Yes, we do that often.

    Use the HTTP_REQUEST event on the front virtual server.

    when HTTP_REQUEST {
  switch -glob [HTTP::uri] {
      "abc*" { virtual abc }
      "def*  { virtual def }
      default { HTTP::respond 200 content "You are in the wrong place." }
  }
}

    HTH

    • TedSmith_143757's avatar
      TedSmith_143757
      Icon for Nimbostratus rankNimbostratus
      Apr 03, 2014
      John, I have got this to work, however it appears that when I connect to the virtual server with the APM access policy associated it changes to uri to be /my.policy and I get the 'you are in the wrong place message' Any ideas?
  • TedSmith_143757's avatar
    TedSmith_143757
    Icon for Nimbostratus rankNimbostratus
    Apr 02, 2014

    OK thanks, so if I can get this to work, it should save me from using up lots of public IP's, I can have 1 x external IP and people will get the policy they need based in the uri they enter?

     

    I will give it a go Thanks

     

    • Mike_Maher's avatar
      Mike_Maher
      Icon for Nimbostratus rankNimbostratus
      Apr 02, 2014
      What version are you running? If you are using 11.4.x code, I would wonder if Local Traffic policy might be an option for you?
  • TedSmith_143757's avatar
    TedSmith_143757
    Icon for Nimbostratus rankNimbostratus
    Apr 03, 2014

    Hi, we are running 11.4.1, I will have a look at local traffic policy if that will achieve the same goal. We will only be buying a license for APM though so not sure how many LTM options we will have? May need to speak to my reseller.

     

    • Mike_Maher's avatar
      Mike_Maher
      Icon for Nimbostratus rankNimbostratus
      Apr 21, 2014
      So I have a device that is only ASM licensed and there are still a lot of options to utilize in Local Traffic policy even without LTM licensing. It looks to me a lot of HTTP functionality that you had to do in a iRule in previous version can now be accomplished in LT policy with rules