For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

sachin_80710's avatar
sachin_80710
Icon for Nimbostratus rankNimbostratus
Feb 07, 2015

SWG iRule per-packet policy

Hello,

 

I'm working on SWG and would like to configure/assign different per-request policy as per client request. - If request is from IP address A or IP address B then use per-request policy A or Per-request policy B, we need to configure dynamic per-request policy.

 

Is it possible to achieve this using iRule in APM access policy?

 

Thanks, Sachin

 

BIG-IP Access Policy Manager (APM)
deployment
security

7 Replies

  • Michael_Koyfma1's avatar
    Michael_Koyfma1
    Icon for Cirrus rankCirrus
    Feb 07, 2015

    You can do it with an iRule. It is not possible use iRules to switch PRPs, but you can create source Ip-based branches within a single per-request policy. In the Per-Request Policy, you can create an Empty action, and assign a branch to it with the following check:

     

    expr { [IP::addr [mcget {session.user.clientip}] equals "10.0.0.0/8"] }

     

    That branch will hit if the IP address comes from 10.0.0.0/8 subnet. There is an IP Subnet Match action the main access policy that is unfortunately not available in Per request access policy - so you need to create it manually.

     

    • sachin_80710's avatar
      sachin_80710
      Icon for Nimbostratus rankNimbostratus
      Feb 08, 2015
      Thanks Michael, good I don't need irule. But as per SWG 11.6 implementation guide page 53 under Session variables for use in a per-requestpolicy. There they mentioned only 4 session that can be used in PRP.
  • Michael_Koyfman's avatar
    Michael_Koyfman
    Icon for Cirrocumulus rankCirrocumulus
    Feb 07, 2015

    You can do it with an iRule. It is not possible use iRules to switch PRPs, but you can create source Ip-based branches within a single per-request policy. In the Per-Request Policy, you can create an Empty action, and assign a branch to it with the following check:

     

    expr { [IP::addr [mcget {session.user.clientip}] equals "10.0.0.0/8"] }

     

    That branch will hit if the IP address comes from 10.0.0.0/8 subnet. There is an IP Subnet Match action the main access policy that is unfortunately not available in Per request access policy - so you need to create it manually.

     

    • sachin_80710's avatar
      sachin_80710
      Icon for Nimbostratus rankNimbostratus
      Feb 08, 2015
      Thanks Michael, good I don't need irule. But as per SWG 11.6 implementation guide page 53 under Session variables for use in a per-requestpolicy. There they mentioned only 4 session that can be used in PRP.