Forum Discussion
jsmith294_47458
Nimbostratus
Jun 03, 2010
Pre-Logon Sequence
I have been trying to figure out how to add multiple IP address segment checks to a pre-logon sequence. I currently have a rule in place using session.network.client.ip == "IP address here", but what if I have multiple IP ranges?
11 Replies
- jsmith294_47458
Nimbostratus
I tried your suggestion but now when you log in and it identifies that you have the proper IP address it starts to perform the two original checks I was trying to get around. The outcome I would like to have would be to perform an IP check then file check for local users on specific segments but if the users are connecting remotely from home then they would have been checked for the IP address and discovered not in the accepted list and have to go through additional checks to validate them.
Any help you have, Mike, would be appreciated.
Thanks
- Don_Ryles_52501
Nimbostratus
Hi,
Are you trying to do all of this through the pre-logon sequence or are you using session variables?
Session variable definitions can be very flexible.
Kevin S.
- jsmith294_47458
Nimbostratus
Hey Kevin,
I am trying to perform all this through the Pre-Logon sequence.
- Mike_61719
Cirrus
So this is an option.
Create a sequence and name it "smith's IP check". The IP you will have is session.network.client.ip == "001.001.001.125". Once that is complete, add a new file check from the dropdown menu from the add new action section.
Now under the fallback section you add everyone else or in addition another IP check.
- jsmith294_47458
Nimbostratus
Hello,
I did as you suggested but the login process resorts back to the fallback option. I verified that the following is in place.
session.network.client.ip == "xx.x.x0x.0/24"
OR
session.network.client.ip == "xx.xx.x0.0/24"
If the authenticated user is coming from one of these in theory it should present the login screen, however it resorts to the fallback sequence and proceeds to perform additional checks.
Does the service need to be restarted if you switch sequences?
Thanks
- Mike_61719
Cirrus
Because xx.x.x0x.0/24 is not a valid variable from my understanding.
Add the rule listed below; you will have to manually place the IP ranges or use a three number system.
(session.network.client.ip >= "0XX.0XX.0XX.001"
AND
session.network.client.ip <= "0XX.0XX.0XX.009")
- Mike_61719
Cirrus
Try this instead: session.network.client.ip == "xxx.xxx.x0x.0/24" - Make sure to use the three number system
- jsmith294_47458
Nimbostratus
Hello,
I attempted your suggestion and it still does not seem to work. I wonder if the services need to be restarted. The system has not been restarted in about a year.
Thanks
- Mike_61719
Cirrus
I doubt it, what is the IP address showing in the session variables?
- Mike_61719
Cirrus
Can you post the exact rule you are using? Just hide the IPs with an X
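
An added example, not part of the original thread and not the product's own rule syntax: Python that contrasts the three comparisons discussed above (equality against a CIDR literal, string range comparison with and without zero-padded octets, and real network membership). It assumes, which the thread does not confirm, that the rule engine compares session.network.client.ip as a plain string; the 192.0.2.0/24 and 198.51.100.0/24 ranges and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample ranges (documentation address space), not values from the thread.
ALLOWED_NETWORKS = ["192.0.2.0/24", "198.51.100.0/24"]


def normalize(ip: str) -> ipaddress.IPv4Address:
    """Parse a dotted quad, accepting zero-padded octets such as 192.000.002.009."""
    octets = ip.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() and len(o) <= 3 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    # bytes() raises ValueError for any octet above 255.
    return ipaddress.IPv4Address(bytes(int(o) for o in octets))


def padded(ip: str) -> str:
    """Render an address in the zero-padded 'three number' form."""
    return ".".join(f"{b:03d}" for b in normalize(ip).packed)


def equals_literal(ip: str, literal: str) -> bool:
    """String equality, as an == rule would evaluate it (assumption)."""
    return ip == literal


def in_range_by_string(ip: str, low: str, high: str) -> bool:
    """Lexicographic range test, as a string >= / <= rule would evaluate it (assumption)."""
    return low <= ip <= high


def in_allowed_networks(ip: str, networks=ALLOWED_NETWORKS) -> bool:
    """Numeric membership test against several CIDR ranges."""
    addr = normalize(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


if __name__ == "__main__":
    client = "192.0.2.57"  # constructed client address
    # A host address is never string-equal to a CIDR literal.
    print("== CIDR literal:", equals_literal(client, "192.0.2.0/24"))
    # Unpadded strings mis-order: "57" sorts after "200" character by character.
    print("unpadded range:", in_range_by_string(client, "192.0.2.1", "192.0.2.200"))
    # Zero-padded octets make string order agree with numeric order.
    print("padded range:", in_range_by_string(
        padded(client), padded("192.0.2.1"), padded("192.0.2.200")))
    # Numeric membership handles several ranges and either spelling.
    print("CIDR membership:", in_allowed_networks(client))
```
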