Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

sachin_80710's avatar
sachin_80710
Icon for Nimbostratus rankNimbostratus
Feb 07, 2015

SWG iRule per-packet policy

Hello,   I'm working on SWG and would like to configure/assign different per-request policy as per client request. - If request is from IP address A or IP address B then use per-request policy A ...
BIG-IP Access Policy Manager (APM)
deployment
security
Michael_Koyfma1's avatar
Michael_Koyfma1
Icon for Cirrus rankCirrus
Feb 07, 2015

You can do it with an iRule. It is not possible use iRules to switch PRPs, but you can create source Ip-based branches within a single per-request policy. In the Per-Request Policy, you can create an Empty action, and assign a branch to it with the following check:

 

expr { [IP::addr [mcget {session.user.clientip}] equals "10.0.0.0/8"] }

 

That branch will hit if the IP address comes from 10.0.0.0/8 subnet. There is an IP Subnet Match action the main access policy that is unfortunately not available in Per request access policy - so you need to create it manually.

 

sachin_80710's avatar
sachin_80710
Icon for Nimbostratus rankNimbostratus
Feb 07, 2015
Thanks Michael, good I don't need irule. But as per SWG 11.6 implementation guide page 53 under Session variables for use in a per-requestpolicy. There they mentioned only 4 session that can be used in PRP.