Forum Discussion

Nfordhk_66801
Jun 15, 2015

iRule using DataGroup to bypass APM Policy

Hi,

We have an APM policy to collect the machine name, set it to our domain, and perform an AD lookup. We have to utilize Datagroups to pre-authorize a few users that do not fall into proper AD groups without moving the computer account.

Our current iRule is below. I've created the data group and specified the machine names. I'm trying to create an iRule that collects the machine name as normal but bypasses the APM posture check if the machine is defined in the data group. If it is not defined, follow the standard policy.

Our APM policy --> Windows Info --> Irule Event --> AD Query --> Allow

when RULE_INIT {
    set static::THIS_DOMAIN ".ourdomain.com"
} ;# end RULE_INIT

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "get_computer_name" } {

        ;# Computer name reported by the Windows Info check, lowercased for comparison
        set computer [string tolower [ACCESS::session data get "session.windows_info_os.last.computer"]]
        foreach x [split $computer "|"] {

            if { $x ends_with $static::THIS_DOMAIN } {
                ;# Keep only the short host name (strip the domain suffix)
                set machinename [lindex [split $x "."] 0]
                ACCESS::session data set session.custom.computer $machinename
                return

            } ;# end if this_domain
        } ;# end foreach computer
    } ;# end if agent_id
} ;# end ACCESS_POLICY_AGENT_EVENT
Hey Nick,

I would add a check in the iRule under the "set machinename" line to query the data group, and if the machine exists there, set another ACCESS::session variable like "session.custom.bypass_adquery". Then, after the iRule Event in the VPE, add an Empty action with branch rules: if the bypass_adquery variable is set, go down that branch to Allow; if it isn't set, they will go to AD Query like normal.

Seth
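One way to implement what Seth describes, as an added example that is not code from either poster: the original iRule extended with a data group lookup on the short machine name, which sets a session variable the VPE can branch on. The data group name "apm_bypass_machines" is an assumption for illustration; it is a string data group whose keys are the lowercase short machine names allowed to skip the AD Query.

```tcl
# Added example, not the original poster's or Seth's code. Assumes a string
# data group named "apm_bypass_machines" (hypothetical name) containing the
# lowercase short machine names that may bypass the AD Query.
when RULE_INIT {
    set static::THIS_DOMAIN ".ourdomain.com"
    set static::BYPASS_DG "apm_bypass_machines"   ;# assumed data group name
}

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "get_computer_name" } { return }

    ;# Default to "not bypassed" so the VPE branch never sees an unset
    ;# variable and a bypass is only ever granted by an explicit match.
    ACCESS::session data set session.custom.bypass_adquery 0

    ;# Computer name reported by the Windows Info check, lowercased for comparison
    set computer [string tolower [ACCESS::session data get "session.windows_info_os.last.computer"]]
    foreach x [split $computer "|"] {
        if { $x ends_with $static::THIS_DOMAIN } {
            ;# Keep only the short host name (strip the domain suffix)
            set machinename [lindex [split $x "."] 0]
            ACCESS::session data set session.custom.computer $machinename

            ;# Exact-match lookup in the data group. The "--" stops a machine
            ;# name beginning with "-" from being parsed as a class option.
            if { [class match -- $machinename equals $static::BYPASS_DG] } {
                ACCESS::session data set session.custom.bypass_adquery 1
                log local0. "APM: $machinename is in $static::BYPASS_DG, skipping AD Query"
            }
            return
        }
    }
}
```

In the VPE, place an Empty action after the iRule Event with a branch rule such as `expr { [mcget {session.custom.bypass_adquery}] == 1 }` leading to Allow, and leave the fallback branch connected to the existing AD Query. One caveat for anyone adopting this: the computer name comes from the client-side Windows Info inspection, so the bypass trusts a client-reported value; any endpoint that reports a listed name skips the AD Query, which is why the default of 0 is set explicitly and the list should stay short.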