Need help in understanding the iRule - APM
During the per-request access policy execution, iRule event agent is executed and ACCESS_POLICY_PER_AGENT_EVENT is raised in iRules inside TMM.
when ACCESS_PER_REQUEST_AGENT_EVENT {
The next line looks to see if the iRule Agent ID, which is set in the irule_agent_id variable, equals the text string.
if { [ACCESS::perflow get {perflow.irule_agent_id}] eq "VPN_CATEGORY2ROLE_LOOKUP" } {
If it does match, first set the scratchpad variable to "0".
ACCESS::perflow set {perflow.scratchpad} "0"
Then, retrieve a list of the user roles from the session.cg.user.roles variable.
set user_roles [ACCESS::session data get {session.cg.user.roles}]
Next, look up the destination URL's category in SWG. The list of categories supported is available in the UI under “Secure Web Gateway” in the APM section. Examples of categories include Sports, Shopping, etc. The response is a list of category names. Most input URLs result in a single category but some will return more than one. Additionally, a result of “199” indicating a recommendation to scan the response can also be returned.
foreach category [CATEGORY::lookup [ACCESS::perflow get {perflow.category_lookup.result.url}] -display custom] {
If the user's role matches a category, set the scratchpad variable to "1" and stop processing the iRule.
if {$user_roles contains "|$category|"} {
ACCESS::perflow set {perflow.scratchpad} "1"
break
}
}
}
}
The significance of these variables is heavily dependent on the APM policy, but the next step would be to see what the APM policy does with the scratchpad variable value after the iRule is processed. The iRule itself is not modifying any aspect of the connection itself directly.
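
The matching logic of the iRule above, modelled in Python as an added example (not part of the original post and not F5 code), to show which value perflow.scratchpad ends with for different role strings. It assumes session.cg.user.roles holds role names wrapped in `|` delimiters, which the page does not state; the function names and all role and category values are constructed for illustration.

```python
# Added illustration: a Python model of the iRule's role/category check.
# Function names are hypothetical; role and category values are constructed.

def irule_contains(haystack: str, needle: str) -> bool:
    """Model of the iRule `contains` operator: a plain substring test."""
    return needle in haystack


def scratchpad_for(user_roles: str, categories: list[str]) -> str:
    """Return the perflow.scratchpad value the iRule leaves behind."""
    scratchpad = "0"                 # set first, so "no match" leaves "0"
    for category in categories:     # the lookup can return several names
        if irule_contains(user_roles, f"|{category}|"):
            scratchpad = "1"
            break                    # first matching category is enough
    return scratchpad


def undelimited_scratchpad_for(user_roles: str, categories: list[str]) -> str:
    """Same loop without the pipe wrapping, for comparison only."""
    for category in categories:
        if irule_contains(user_roles, category):
            return "1"
    return "0"


def demo() -> dict[str, str]:
    roles = "|Sports|Online Shopping|"          # constructed role string
    return {
        # Single category that is also a role.
        "exact": scratchpad_for(roles, ["Sports"]),
        # Several categories returned, second one matches.
        "multi": scratchpad_for(roles, ["News", "Online Shopping"]),
        # "Shopping" is only part of a role name: delimiters reject it.
        "partial": scratchpad_for(roles, ["Shopping"]),
        # Without delimiters the same partial name would be accepted.
        "partial_undelimited": undelimited_scratchpad_for(roles, ["Shopping"]),
        # Role string lacking the outer pipes never matches its edge roles.
        "no_outer_pipes": scratchpad_for("Sports|Online Shopping", ["Sports"]),
        # The "199" result matches only if a role is literally named 199.
        "scan_hint": scratchpad_for(roles, ["199"]),
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case:22} scratchpad={value}")
```

The "no_outer_pipes" case is the one to check when the scratchpad unexpectedly stays "0": the comparison only works if the role variable carries a leading and trailing `|`.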