For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
Mar 22, 2021

How to make access profile allow non auth'ed people in

Hi   if I have a vs_test   and I apply access profile to vs_test (say ap_test)   and the flow for that is   start -> allow   that still fails   if i want to allow user to b...
ASM Advanced WAF
BIG-IP Access Policy Manager (APM)
security
Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
Mar 23, 2021

Hi,

 

I think you are on the right track. A policy with "Start ---> Allow" will work, everyone will pass without the need to further authenticate.

 

Pay attention, in your example above you are mixing http and https URLs. If your VS is listening on http and you Access Policy has a setting for "Cookie Options: Secure" enabled it won't work with http, only with https.

A cookie with the Secure attribute set is sent to the server only over https.

If you apply an Access Policy with "Cookie Options: Secure" enabled to a http virtual then APM will display a blocked page saying "Access was denied by the access policy."

 

The idea of have a Pre-Request Policy for /secret is also right.

 

KR

Daniel