Update packet filter rule from icall
My Use Case: We have a proxy client installed on our laptops that performs a captive portal test before it will initiate a connection with a proxy server within its list. The test tries to reach out to 2 URLs and if this test succeeds it will try to connect to a proxy server on its list. If the 1st test fails by receiving a reset packet from a firewall, it marks itself as behind a firewall and will initiate a connection with a proxy server on its list.
Going through F5 SSL-VPN using the Edge Client is causing the client to fail (never connect to a proxy server) because APM is performing a 3-way handshake to proxy the traffic and then forwarding the firewall reset packet. So instead of just sending a SYN packet and receiving a RST packet it gets a SYN, SYN-ACK, ACK, RST. The client thinks it's connecting and is expecting the 1st test to complete, but it never does.
The only way around this was to enable Packet Filters on the SSL-VPN vlan to issue resets for the 2 hosts it is trying to reach out to. The problem now is these systems are hosted through Akamai and the IP Addresses change. Even though you can specify host names in the packet filters, it will resolve the name to an IP when applying the rule and keep it, it never refreshes the IP Address.
So I want to create an icall script and handler to detect when someone connects to the SSL-VPN VS and reapply the packet filter to refresh the IP Address. This way we don't have to keep manually reapplying the packet filters.
I can create the icall script but I don't know how to trigger it upon a connection.
My alternative would be to setup a timer handler to reapply the packet filter every hour, but that may not work 100% of the time.
PS We cannot leverage a VS to perform a reset because once you are in the VPN tunnel all other VS are unavailable.
2 Replies
Hi Ryan,
you could try the iRule below...
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/myvpn?sess=" } then {
        ISTATS::set "VPN_Client_Is_Connecting" 1
    }
}

... in combination with an ISTATS-based iCall trigger: https://devcentral.f5.com/articles/icall-triggers-invalidating-cache-from-irules
Note: Keep in mind that the iRule event should implement certain request limiters, so that the iCall script can only be launched every few seconds (e.g. setting/checking a [table] entry with a rather short lifetime).
Cheers, Kai
Hi Ryan,
glad to hear that the ISTATS/iCall approach is working out for you.
A request limiter should be implemented because the "/myvpn?sess=" ISTATS trigger is anonymously accessible. But it's not a big deal to implement such a request limiter.

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/myvpn?sess=" } then {
        # Only fire the ISTATS trigger if no table entry exists yet;
        # the entry is created with a 5 second lifetime, so the iCall
        # script can be launched at most once every 5 seconds.
        if { [table lookup "XX policy string Client_Connected"] eq "" } then {
            table set "XX policy string Client_Connected" "1" indefinite 5
            ISTATS::set "XX policy string Client_Connected" 1
        }
    }
}

Note: The above example will limit the execution of the iCall script to a maximum of once every 5 seconds.
Cheers, Kai