Forum Discussion
LTM VS inheriting APM VS VPE-Policy issue.
Hello~
I have an LTM and APM combo device and a special scenario.
I want a customer who has logged into the VPN (APM listener) and then accesses the non-APM listener to inherit the APM listener's VPE policy, such as the VPE-assigned ACL.
Configuration list is as follows:
(1) VS_VPN_PORT_443 (APM listener) --- access policy VPE with FULL webtop, local auth and ACL .....
(2) VS_XXX_PORT_ANY (non-APM listener) --- standard type, pool .....
My test result: the VPN login (APM listener) succeeds, and then access to the non-APM listener succeeds, but it is not limited by the VPE ACL.
How do I configure the non-APM listener so that it inherits the APM listener's policy?
Thanks everyone. D.Luo
1 Reply
- Stanislas_Piro2
Cumulonimbus
Hi,
I created this to authenticate users with APM and allow with AFM:
On the APM VS, assign this iRule:

```tcl
when ACCESS_ACL_ALLOWED {
    log local0. "requete de [IP::client_addr]"
    switch [HTTP::path] {
        "/status" {
            # limit to 1 connection per IP address
            set value [table lookup -subtable IPAdmins [IP::client_addr]]
            set lifetime [table lifetime -subtable IPAdmins -remaining [IP::client_addr]]
            # -gmt 1 so the remaining seconds are shown as a plain H:M:S duration, not shifted by the local timezone
            set lifetime_formated [clock format $lifetime -format {%H:%M:%S} -gmt 1]
            if {$lifetime < 1} {
                ACCESS::respond 302 noserver Location "/disconnect"
                return
            }
            ACCESS::respond 200 content " Authenticated You are authenticated successfully : session time remaining : $lifetime_formated Your client IP : [IP::client_addr] Your authorization role : $value " noserver
        }
        "/disconnect" {
            table delete -subtable IPAdmins [IP::client_addr]
            ACCESS::respond 302 noserver Location "/vdesk/hangup.php3"
        }
        default {
            # record client IP -> group(s) for 7200 s idle / 43200 s max lifetime
            table set -subtable IPAdmins [IP::client_addr] [ACCESS::session data get session.localdb.groups] 7200 43200
            ACCESS::respond 302 noserver Location "/status"
        }
    }
}
```

On the routing VS, assign this iRule:

```tcl
when CLIENT_ACCEPTED {
    switch [table lookup -subtable IPAdmins [IP::client_addr]] {
        "Group1" { virtual /Common/VS-GROUP1 }
        "Group2" { virtual /Common/VS-GROUP2 }
        "Group3" { virtual /Common/VS-GROUP3 }
        default { drop }
    }
}
```

Each VS VS-GROUPX is a forwarding VS with a dedicated AFM policy.
If you do not have the AFM module, you can filter in the iRule with a datagroup instead of assigning a VS.
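The datagroup variant of the routing-VS iRule mentioned above, as an added example that is not code from the original reply: it reads the same IPAdmins session subtable the APM listener populates and drops any connection whose destination is outside the group's allowed networks. The datagroup names dg_group_to_acl (string type, mapping group name to the name of an address datagroup) and dg_acl_group1 / dg_acl_group2 (address type, allowed destination networks) are assumptions.

```tcl
# Assumed datagroups (not from the original post):
#   dg_group_to_acl (string):  "Group1" := "dg_acl_group1", "Group2" := "dg_acl_group2"
#   dg_acl_group1, dg_acl_group2 (address): networks each group may reach
when CLIENT_ACCEPTED {
    # Group recorded by the APM listener for this source IP (empty if no login)
    set group [table lookup -subtable IPAdmins [IP::client_addr]]
    if { $group eq "" } {
        # No APM login recorded for this source IP: deny by default
        drop
        return
    }
    # Resolve which address datagroup holds this group's allowed destinations
    set acl [class match -value $group equals dg_group_to_acl]
    if { $acl eq "" } {
        log local0. "no ACL mapping for group $group ([IP::client_addr]); dropping"
        drop
        return
    }
    # Destination must be inside one of the group's allowed networks
    if { ![class match [IP::local_addr] equals $acl] } {
        log local0. "deny [IP::client_addr] ($group) -> [IP::local_addr]"
        drop
        return
    }
    # Allowed: connection proceeds to the VS's normal pool
}
```

Both this and the original approach key authorization on the client IP, so several users behind one NAT address share the first user's entry; the entry also outlives an APM logout unless it is removed explicitly (for example by a table delete in an ACCESS_SESSION_CLOSED event).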