Forum Discussion

Ryan_M_362715's avatar
Ryan_M_362715
Icon for Altocumulus rankAltocumulus
Jan 11, 2019
Solved

Logging client username and assigned IP on logout

I'm trying to log a user's APM assigned IP and their username upon APM SSLVPN logout (either via timeout or hitting the "disconnect" button). We need both components in a single line. I have attempt...
BIG-IP Access Policy Manager (APM)
security
  • AMiles_377865's avatar
    AMiles_377865
    Jan 11, 2019

    Hello Ryan

     

    Off the top of my head, I think that logout url is a little too late to trigger the iRule based off of an HTTP request. Instead of triggering your irule on solely an HTTP request event, break it up in to two parts. Use an event that triggers during the access session to set the variables (probably either on session start or with an access policy agent event)as you have done above.

     

    You could then keep your http event above, having it function solely to log the information as users disconnect from the VPN (instead of having it set the variables), or you could use an access session ended event to trigger the logging instead of the http request. If you were to implement on an access session end, you wouldn't even need to worry about the url.

     

    At the very least, change where your variables are set to be earlier in the access session. This should give you some broad strokes ideas for troubleshooting.

     

    Feel free to ask if you have any follow-up questions,

     

    Austin

     

AMiles_377865's avatar
AMiles_377865
Icon for Cirrocumulus rankCirrocumulus
Jan 11, 2019

Hello Ryan

 

Off the top of my head, I think that logout url is a little too late to trigger the iRule based off of an HTTP request. Instead of triggering your irule on solely an HTTP request event, break it up in to two parts. Use an event that triggers during the access session to set the variables (probably either on session start or with an access policy agent event)as you have done above.

 

You could then keep your http event above, having it function solely to log the information as users disconnect from the VPN (instead of having it set the variables), or you could use an access session ended event to trigger the logging instead of the http request. If you were to implement on an access session end, you wouldn't even need to worry about the url.

 

At the very least, change where your variables are set to be earlier in the access session. This should give you some broad strokes ideas for troubleshooting.

 

Feel free to ask if you have any follow-up questions,

 

Austin

 

  • Ryan_M_362715's avatar
    Ryan_M_362715
    Icon for Altocumulus rankAltocumulus
    Jan 14, 2019

    Awesome, thanks for pointing me in the right direction! This was actually very simple using the following:

     

    when ACCESS_SESSION_CLOSED {
    log local0. "SESSION_ENDED, User=[ACCESS::session data get session.logon.last.username], IP=[ACCESS::session data get session.assigned.clientip]"
}

    Per the docs for ACCESS_SESSION_CLOSED, this will capture all APM session end reasons (timeout, user initiated, admin initiated, etc) and allows for direct access to the ACCESS::session variables right before they are expunged, so there's no need for a two-part iRule or setting variables.

     

  • AMiles_377865's avatar
    AMiles_377865
    Icon for Cirrocumulus rankCirrocumulus
    Jan 14, 2019

    Well there you go! Glad it worked out!