Forum Discussion
userID to LeasePool IP Mapping
I know this is a little old, but I believe I've done something similar to you and the way I did this is with an iRule sending data directly to a custom syslog parser on PA.
The main issue I've found is that for whatever reason, you cannot access the VPN client IP via methods I would have thought useful (ACCESS_POLICY_AGENT_EVENT or ACCESS_POLICY_COMPLETED) as it's not available until after these events have been completed.
The only way I'm aware of to do this is referenced in this article:
https://support.f5.com/kb/en-us/solutions/public/12000/700/sol12706.html
Essentially, you need to tie this iRule to your APM VIP:
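when CLIENT_ACCEPTED {
    # Let iRule events fire for APM-internal requests on this VIP
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    # Request made when the VPN tunnel is being set up
    if { [HTTP::uri] starts_with "/myvpn?sess=" } {
        # Wait 5 seconds so the assigned client IP is in the session
        after 5000 {
            set user [ACCESS::session data get "session.logon.last.username"]
            set vpnip [ACCESS::session data get "session.assigned.clientip"]
            # x.x.x.x is the syslog receiver (the PA)
            log x.x.x.x "F5_PA_UID_Event uid:$user vpnip:$vpnip"
        }
    }
}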
With this you can set up a custom syslog parser on your PA(s) and map the user to the VPN assigned IP.
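
Added example, not part of the original post and not F5 or Palo Alto code: Python that parses the F5_PA_UID_Event message the iRule above emits and accepts a user-to-IP mapping only when both fields are present and the address falls inside the lease pool. The pool 10.20.0.0/24, the allowed username characters and the sample syslog lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Anchored match on the message body: F5_PA_UID_Event uid:<user> vpnip:<ip>
# The username character set is an assumption; adjust it to your directory.
EVENT_RE = re.compile(
    r"F5_PA_UID_Event uid:(?P<user>[A-Za-z0-9._@\\-]{1,64}) vpnip:(?P<ip>\S+)$"
)

def parse_uid_event(line, lease_pool):
    """Return (user, ip) for a well-formed event inside the lease pool, else None."""
    m = EVENT_RE.search(line.rstrip())
    if m is None:
        return None  # empty uid or vpnip, trailing fields, or a different message
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None  # vpnip is not an IP address
    if ip not in ipaddress.ip_network(lease_pool):
        return None  # address was not handed out from the VPN lease pool
    return m.group("user"), str(ip)

def build_mappings(lines, lease_pool):
    """Keep the latest user per IP, so a reassigned lease replaces the old owner."""
    mappings = {}
    for line in lines:
        parsed = parse_uid_event(line, lease_pool)
        if parsed is not None:
            user, ip = parsed
            mappings[ip] = user
    return mappings

POOL = "10.20.0.0/24"  # assumed lease pool
PREFIX = "<134>Jan 10 09:15:02 bigip1 tmm[1234]: "  # constructed syslog header
SAMPLE = [  # constructed log lines
    PREFIX + "F5_PA_UID_Event uid:alice vpnip:10.20.0.15",
    PREFIX + "F5_PA_UID_Event uid:bob vpnip:",           # IP not set yet
    PREFIX + "F5_PA_UID_Event uid: vpnip:10.20.0.16",    # username missing
    PREFIX + "F5_PA_UID_Event uid:carol vpnip:192.0.2.9",  # outside the pool
    PREFIX + "F5_PA_UID_Event uid:CORP\\erin vpnip:10.20.0.17",
    PREFIX + "F5_PA_UID_Event uid:dave vpnip:10.20.0.15",  # lease reused
]

if __name__ == "__main__":
    for ip, user in sorted(build_mappings(SAMPLE, POOL).items()):
        print(ip, user)
```

Counting the lines that return None is a quick way to tell whether the 5-second delay in the iRule is long enough for session.assigned.clientip to be populated.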