Forum Discussion
LTM VS inheritance APM VS VPE-Policy issue.
Hello~
I have an LTM/APM combo device and a special scenario.
I hope that after a customer logs in to the VPN (APM listener), access through the non-APM listener can inherit the APM listener's VPE policy, such as the VPE-assigned ACL.
The configuration is as follows:
(1) VS_VPN_PORT_443 (APM listener) --- access policy VPE associated with a full webtop, local auth and ACL .....
(2) VS_XXX_PORT_ANY (non-APM listener) --- standard type, pool .....
In my test, the VPN login (APM listener) succeeds, but access through the non-APM listener is not limited by the VPE ACL.
How do I configure the non-APM listener so that it inherits the APM listener's policy?
Thanks everyone. D.Luo
- Stanislas_Piro2 (Cumulonimbus)
Hi,
I created this to authenticate users with APM and allow them with AFM:
On the APM VS, assign this iRule:
when ACCESS_ACL_ALLOWED {
    log local0. "requete de [IP::client_addr]"
    switch [HTTP::path] {
        "/status" {
            # limit to 1 connection per IP address
            set value [table lookup -subtable IPAdmins [IP::client_addr]]
            set lifetime [table lifetime -subtable IPAdmins -remaining [IP::client_addr]]
            if { $lifetime eq "" || $lifetime < 1 } {
                # no entry (or an expired one) for this client IP: send it to the disconnect handler
                # and stop here so a second response is not sent below
                ACCESS::respond 302 noserver Location "/disconnect"
                return
            }
            # format the remaining seconds as HH:MM:SS (-gmt so the local timezone does not shift the value)
            set lifetime_formated [clock format $lifetime -format {%H:%M:%S} -gmt 1]
            ACCESS::respond 200 content "Authenticated. You are authenticated successfully: session time remaining: $lifetime_formated. Your client IP: [IP::client_addr]. Your authorization role: $value" noserver
        }
        "/disconnect" {
            # drop the table entry, then end the APM session
            table delete -subtable IPAdmins [IP::client_addr]
            ACCESS::respond 302 noserver Location "/vdesk/hangup.php3"
        }
        default {
            # record the user's local-DB groups under the client IP: 7200 s idle timeout, 43200 s lifetime
            table set -subtable IPAdmins [IP::client_addr] [ACCESS::session data get session.localdb.groups] 7200 43200
            ACCESS::respond 302 noserver Location "/status"
        }
    }
}
On the routing VS, assign this iRule:
when CLIENT_ACCEPTED {
    # route by the group recorded at APM login; unknown or unauthenticated source IPs are dropped
    switch [table lookup -subtable IPAdmins [IP::client_addr]] {
        "Group1" { virtual /Common/VS-GROUP1 }
        "Group2" { virtual /Common/VS-GROUP2 }
        "Group3" { virtual /Common/VS-GROUP3 }
        default { drop }
    }
}
Each VS VS-GROUPX is a forwarding VS with a dedicated AFM policy.
If you do not have the AFM module, you can filter in the iRule with a data group instead of assigning a VS.
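The data-group variant mentioned in the last line, as an added example that is not part of the original answer: it assumes an address-type data group named dg_group_dst (hypothetical name) keyed by destination network with the permitted group name as the value, and reuses the IPAdmins subtable populated by the APM-VS iRule above.

```tcl
# Added example (not from the original post): routing-VS iRule that filters with a
# data group instead of handing the connection to a per-group forwarding VS.
# Assumed data group "dg_group_dst" (address type), hypothetical entries such as:
#   10.10.1.0/24 := "Group1"
#   10.10.2.0/24 := "Group2"
# The IPAdmins subtable is the one written by the APM-VS iRule at login.
when CLIENT_ACCEPTED {
    # Groups recorded at login. Treated as a Tcl list so a user in several local
    # groups still matches; a single group name is a one-element list.
    # The lookup also refreshes the entry's idle timeout for an active user.
    set roles [table lookup -subtable IPAdmins [IP::client_addr]]
    if { $roles eq "" } {
        # No APM session recorded for this source IP: refuse the connection.
        log local0. "deny [IP::client_addr] -> [IP::local_addr] (no APM session)"
        drop
        return
    }
    # Which group may reach this destination network? For an address-type data
    # group, "equals" performs a subnet match; "" means no rule, so deny.
    set allowed [class match -value [IP::local_addr] equals dg_group_dst]
    if { $allowed eq "" || [lsearch -exact $roles $allowed] < 0 } {
        log local0. "deny [IP::client_addr] ($roles) -> [IP::local_addr] (requires $allowed)"
        drop
        return
    }
    log local0. "allow [IP::client_addr] ($roles) -> [IP::local_addr]"
}
```

Because the table is keyed by client IP, clients behind a shared NAT address share one entry; keep that in mind when choosing the timeout values.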