Forum Discussion
Need help in understand the irule - APM
Hi Team ,
Can you please help me understand the irule configured under the VIP in APM ( remote access VPN).
What exactly this irule will check ?
when ACCESS_PER_REQUEST_AGENT_EVENT {
if { [ACCESS::perflow get {perflow.irule_agent_id}] eq "VPN_CATEGORY2ROLE_LOOKUP" } {
# in v13+: replace with ACCESS::perflow set {perflow.scratchpad} and replace the Per-Request-Policy VPE variable with {perflow.scratchpad}
# ACCESS::session data set {session.custom.cg_allow_access_to_url} "0"
ACCESS::perflow set {perflow.scratchpad} "0"
set user_roles [ACCESS::session data get {session.cg.user.roles}]
foreach category [CATEGORY::lookup [ACCESS::perflow get {perflow.category_lookup.result.url}] -display custom]
{
# loop through matched categories
if {$user_roles contains "|$category|"}
{
# users roles contain the allowed role
# ACCESS::session data set {session.custom.cg_allow_access_to_url} "1"
ACCESS::perflow set {perflow.scratchpad} "1"
break
}
}
}
}
- robert205Nimbostratus
Hello,
I would like to suggest you here
This iRule is used in the context of a remote access VPN in the APM module of the F5 BIG-IP system. The purpose of the iRule is to check if a user attempting to access a certain URL is allowed based on their role and the category of the URL.
The iRule is triggered on the "ACCESS_PER_REQUEST_AGENT_EVENT" event. It checks if the value of a per-flow data variable called "perflow.irule_agent_id" is set to "VPN_CATEGORY2ROLE_LOOKUP". If it is, the iRule continues to execute, otherwise it does nothing.
The iRule then sets a per-flow data variable called "perflow.scratchpad" to "0". This variable will be used later to determine if the user is allowed to access the URL. The iRule then gets the user's roles from a session data variable called "session.cg.user.roles".
Next, the iRule loops through the categories that are returned by a call to the "CATEGORY::lookup" command, which takes the URL being accessed as an argument. The "CATEGORY::lookup" command is used to match the URL to a category.
For each category that is returned, the iRule checks if the user's roles include the allowed role for that category. If they do, the iRule sets "perflow.scratchpad" to "1" and breaks out of the loop. If they don't, the iRule continues to the next category.
At the end of the iRule, the value of "perflow.scratchpad" is checked. If it is set to "1", the user is allowed to access the URL. If it is set to "0", the user is not allowed to access the URL. hope so it is useful for you .
- Blue_whaleCirrocumulus
thank you very much robert205
- G-RobEmployee
During the per-request access policy execution, iRule event agent is executed and ACCESS_POLICY_PER_AGENT_EVENT is raised in iRules inside TMM.
when ACCESS_PER_REQUEST_AGENT_EVENT {
The next line looks to see if the iRule Agent ID, which is set in the irule_agent_id variable, equals the text string.
if { [ACCESS::perflow get {perflow.irule_agent_id}] eq "VPN_CATEGORY2ROLE_LOOKUP" } {
If it does match, first set the scratchpad variable to "0".
ACCESS::perflow set {perflow.scratchpad} "0"
Then, retrieve a list of the user roles from the session.cg.user.roles variable.
set user_roles [ACCESS::session data get {session.cg.user.roles}]
Next, lookup the destination URL's category in SWG. The list of categories supported is available in the UI under “Secure Web Gateway” in the APM section. Examples of categories include Sports, Shopping, etc. The response is a list of category names. Most input URLs result in a single category but some will return more than one. Additionally, a result of “199” indicating a recommendation to scan the response can also be returned.
foreach category [CATEGORY::lookup [ACCESS::perflow get {perflow.category_lookup.result.url}] -display custom]
{If the user's role matches the a category, set the scratchpad variable to "1" and stop processing the iRule.
if {$user_roles contains "|$category|"}
{
ACCESS::perflow set {perflow.scratchpad} "1"
break
}
}
}
}The significance of these variables is heavily dependent on the APM policy, but the next step would be to see what the APM policies does with the scratchpad variable value after the iRule is processed. The iRule itself is not modifying any aspect of the connection itself directly.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com