For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Stan_Ward's avatar
Stan_Ward
Icon for Altocumulus rankAltocumulus
Aug 20, 2016

How can I set the route domain in an iRule?

I have an iRule that determines the business unit of a customer based on their login. Presently the rule is called by an APM iRule event, and then looks at the response and sets the RD based on it using a Route Domain Selection Agent. But we have a large and growing number of BUs. Rather than continuously modifying the policy in the VPE, I would like to map the BU name to a route domain read from a data group, and set it in the iRule.

 

I could pass a variable to the RD Selection Agent, but there are other actions occurring within iRules. it would be cleaner if it could be done within the iRule before returning to the policy, rather than bouncing in and out between an iRule and APM policy.

 

BIG-IP Access Policy Manager (APM)
iRules
security

1 Reply

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Aug 22, 2016

    Hi,

    you can try this irule:

    when ACCESS_POLICY_COMPLETED {
   if { ([ACCESS::policy result] equals "allow") } {
      set ou [ACCESS::session data get "session.ad.last.attr.ou"]
      set route_domain [class match -value $ou equals BU_RD_DG]
      ACCESS::session data set "session.network.name" $route_domain
   } 
}

    When using APM with irule, it is better to use events ACCESS_POLICY_COMPLETED and ACCESS_POLICY_STARTED instead of irule policy event.

    in you case, ACCESS_POLICY_COMPLETED is the best event as it raise once at the end of policy evaluation.