Forum Discussion
Raymond_Feng_97
Jul 20, 2006 (Historic F5 Account)
How to persist clients when using BIG-IP to load balance FirePass
There are two problems when using BIG-IP to load balance FirePass:
1> For ADSL clients, when the user logs on to the FirePass, his ADSL line drops and reconnects, so the client IP address has changed...
Nat_Thirasuttakorn
Employee
Dec 09, 2006
My friend from Australia gave me feedback to enhance this iRule (he did the iRule for F/P SSL offload quite some time ago but did not post it to the forum).
I modified my iRule as below.
You may add
    if { $sid == "" } {
        set sid [findstr [HTTP::uri] "S=" 2 "&"]
    }
to support cookie-less clients.
Regarding how to configure it... BIG-IP is very flexible; there are multiple options you can use...
I chose this way for my iRule:
- I don't configure any persistence profile
- I add persistence by source IP as an alternative persist if the sid is not detected
- source IP persistence will be added to the table by the iRule
* I have not tested it much... so please feel free to give feedback if you find any error...
Nat
==============================================================
when SERVER_CONNECTED {
    persist add source_addr [IP::client_addr] $::tmout2
}
when RULE_INIT {
    # uie persist table timeout
    # may adjust as appropriate
    set ::tmout 3600
    # separate timeout for source ip persistence
    # assume that if sid is not available, source ip is acceptable
    set ::tmout2 600
}
when CLIENT_ACCEPTED {
    # per-connection flag; a plain "set" in RULE_INIT is not visible
    # to the other events, so it is initialised here instead
    set ssl_handshake 0
}
when CLIENTSSL_HANDSHAKE {
    set ssl_handshake 1
}
when CLIENTSSL_CLIENTCERT {
    set ssl_handshake 1
}
when HTTP_REQUEST {
    set http_disable 0
    set sid [HTTP::cookie "MRHSession"]
    # to support cookie-less clients
    if { $sid == "" } {
        set sid [findstr [HTTP::uri] "S=" 2 "&"]
    }
    if { $ssl_handshake == 1 } {
        HTTP::header replace "BIGIP" "on"
        HTTP::header replace "BIGIP_SSL_CIPHER" "[SSL::cipher name]"
        HTTP::header replace "BIGIP_SSL_CIPHER_USEKEYSIZE" "[SSL::cipher bits]"
        HTTP::header replace "BIGIP_SSL_PROTOCOL" "[SSL::cipher version]"
        set ssl_handshake 0
    }
    if { [HTTP::uri] starts_with "/myvpn" } {
        # 2 additional lines
        # to detect the session id from ssl vpn traffic:
        # it has no cookie, but there is a session id at the
        # beginning of the session (which is ppp)
        set sid [findstr [HTTP::uri] "sess=" 5 "&"]
        set http_disable 1
    }
    if { [HTTP::uri] starts_with "/tunnel" } {
        # 2 additional lines, same reason as /myvpn
        set sid [findstr [HTTP::uri] "sess=" 5 "&"]
        set http_disable 1
    }
    if { $sid != "" } {
        persist uie $sid $::tmout
    } else {
        persist source_addr [IP::client_addr] $::tmout2
    }
}
when HTTP_REQUEST_SEND {
    if { $http_disable != 0 } {
        HTTP::disable
    }
}
# these lines of the iRule are added to create the uie persist table
when HTTP_RESPONSE {
    set sid [HTTP::cookie "MRHSession"]
    if { $sid != "" && $sid != "deleted" } {
        persist add uie $sid $::tmout
    }
    # even if the client does not support cookies,
    # firepass will send out the set-cookie header anyway,
    # so this would support cookie-less clients
}
==============================================================
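An added example, not code from either post and not F5's own: a Python model of the key-selection order in the HTTP_REQUEST and HTTP_RESPONSE events above, so the fallback chain (MRHSession cookie, then the S= URI parameter, then sess= on /myvpn and /tunnel, else source address) and the two timeouts can be checked offline before the iRule is put in front of real FirePass traffic. The findstr semantics (skip count after the match, stop at the terminator or end of string, empty string on no match) are assumed from the iRule command's documented behaviour, and the persistence table is a toy model with an injectable clock; in this model a session id that the FirePass never issued has no table entry and simply routes to the default node.

```python
# Added example (not from the forum post): model of the iRule's persistence logic.
import time
from typing import Optional

TMOUT = 3600   # $::tmout  : uie (session id) persistence timeout, seconds
TMOUT2 = 600   # $::tmout2 : source-address fallback timeout, seconds


def findstr(s: str, search: str, skip: int = 0, terminator: Optional[str] = None) -> str:
    """Assumed model of the iRule ``findstr`` command: the substring that starts
    ``skip`` characters after the first match of ``search`` and ends before
    ``terminator`` (or at end of string). Returns "" when there is no match."""
    i = s.find(search)
    if i < 0:
        return ""
    start = i + skip
    if terminator is None:
        return s[start:]
    end = s.find(terminator, start)
    return s[start:] if end < 0 else s[start:end]


def select_persist_key(uri: str, cookies: dict, client_ip: str):
    """Mirror the HTTP_REQUEST event: returns (mode, key, timeout, http_disable).

    Precedence as in the iRule: MRHSession cookie, then the S= query parameter
    for cookie-less clients, then sess= on the /myvpn and /tunnel (PPP) paths,
    otherwise fall back to the client source address."""
    http_disable = False
    sid = cookies.get("MRHSession", "")
    if sid == "":
        sid = findstr(uri, "S=", 2, "&")
    if uri.startswith("/myvpn") or uri.startswith("/tunnel"):
        sid = findstr(uri, "sess=", 5, "&")
        http_disable = True   # HTTP_REQUEST_SEND would then call HTTP::disable
    if sid != "":
        return ("uie", sid, TMOUT, http_disable)
    return ("source_addr", client_ip, TMOUT2, http_disable)


class ManualClock:
    """Constructed clock so expiry can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class PersistTable:
    """Toy persistence table keyed by (mode, key) with per-entry expiry."""
    def __init__(self, clock=time.monotonic) -> None:
        self.clock = clock
        self.entries = {}

    def add(self, mode: str, key: str, node: str, timeout: int) -> None:
        self.entries[(mode, key)] = (node, self.clock() + timeout)

    def lookup(self, mode: str, key: str) -> Optional[str]:
        entry = self.entries.get((mode, key))
        if entry is None:
            return None
        node, expires = entry
        if self.clock() >= expires:
            del self.entries[(mode, key)]   # expired: behave as if absent
            return None
        return node


def on_server_connected(table: PersistTable, client_ip: str, node: str) -> None:
    """Mirror SERVER_CONNECTED: source-address record with the short timeout."""
    table.add("source_addr", client_ip, node, TMOUT2)


def on_response(table: PersistTable, set_cookie_sid: str, node: str) -> bool:
    """Mirror HTTP_RESPONSE: record the FirePass-issued MRHSession value,
    ignoring an empty value and the "deleted" logout cookie. True if added."""
    if set_cookie_sid != "" and set_cookie_sid != "deleted":
        table.add("uie", set_cookie_sid, node, TMOUT)
        return True
    return False


def route(table: PersistTable, uri: str, cookies: dict, client_ip: str, default_node: str) -> str:
    """Pick the node a request would stick to, or the default when no record exists."""
    mode, key, _timeout, _disable = select_persist_key(uri, cookies, client_ip)
    node = table.lookup(mode, key)
    return node if node is not None else default_node


if __name__ == "__main__":
    clk = ManualClock()
    table = PersistTable(clock=clk)
    on_response(table, "abc123", "firepass-1")          # constructed session id
    print(route(table, "/index.php3", {"MRHSession": "abc123"}, "10.0.0.5", "firepass-2"))
    print(select_persist_key("/myvpn?sess=p9&x=1", {}, "10.0.0.5"))
```

The useful checks are the ones the iRule comments promise: a cookie-less client carrying S= in the URI gets the same uie key a cookie would, the /myvpn and /tunnel paths switch to sess= and disable HTTP processing, and the uie record outlives the source-address record (3600 s versus 600 s), which is what keeps a reconnected ADSL client on the same FirePass after its address changes.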