Forum Discussion

Greg_130338's avatar
Icon for Nimbostratus rankNimbostratus
Sep 02, 2015

userID to LeasePool IP Mapping

Hey all, I finally have my SSLVPN route domain working to force all my vpn traffic through our internal network. I am not translating any of the source addresses so each leased address in the lease pool for my vpn clients are visible on the network. My goal now is to configure syslog to point to some of our syslog collectors and associate the authenticated user with the leased address. So far, in reviewing the APM logs, I cannot find one log that contains both the leased address and the userID. I have two separate logs with the info, myuserID being my account and being the leased IP in the pool.


Sep 2 13:12:08 JHHCF5-2 info apd[7160]: 01490007:6: a9dbfe8b: Session variable 'session.logon.last.username' set to 'myuserID'


Sep 2 13:12:28 JHHCF5-2 notice tmm3[13010]: 01490549:5: a9dbfe8b: Assigned PPP Dynamic IPv4: Tunnel Type: VPN_TUNNELTYPE_DTLS NA Resource: /Common/jhhc_test_vpn_ap_na_res Client IP:


Has anyone done this? As an example I would like to integrate it with my palo alto URL filtering engine which can be configured to parse logs to associate userID with source IP.


Any help is appreciated!


5 Replies

  • There is a way to capture the end of session (logout, time-out or other reason) with this irule? I need this so the firewall will release the ip-to-username mapping.


    • BASH1's avatar
      Icon for Nimbostratus rankNimbostratus

      If your Palo is scanning the syslog entries as noted above... you can write a log line entry in the ACCESS_POLICY_COMPLETED event. This will catch the logouts, timeouts, and disconnects (disconnects will hit this event via idle timeout).


      Advantage to using this event is that the APM session variables are still avalible.


      If you are using a sideband to call the Palo's API, you will need to be creative; perhaps write the info to a table and make the API call in a different event. Note: "This event is triggered outside of flow context (similar to RULE_INIT) when a session goes away. The iRule commands which require a flow context (for e.g. TCP, HTTP and SSL commands) can not be used in this event."


  • In Version 12 I don't see the URI "/myvpn?sess=". I see following URI "/isession?sess=".


  • I know this is a little old, but I believe I've done something similar to you and the way I did this is with an iRule sending data directly to a custom syslog parser on PA.

    The main issue I've found is that for whatever reason, you cannot access the VPN client IP via methods I would have thought useful (ACCESS_POLICY_AGENT_EVENT or ACCESS_POLICY_COMPLETED) as it's not available until after these events have been completed.

    The only way I'm aware of to do this is referenced in this article

    Essentially, you need to tie this iRule to your APM VIP:

      ACCESS::restrict_irule_events disable
    when HTTP_REQUEST {
      if { [HTTP::uri] starts_with "/myvpn?sess=" } {
        after 5000 { 
          set user [ACCESS::session data get "session.logon.last.username"]
          set vpnip [ACCESS::session data get "session.assigned.clientip"]
          log x.x.x.x "F5_PA_UID_Event uid:$user vpnip:$vpnip" 

    With this you can setup a custom syslog parser on your PA(s) and map the user to the VPN assigned IP.

  • Hi Greg,


    You best bet on this one is to use the session id (a9dbfe8b) and correlate the two log lines. I'm not sure what collector you are using but I believe most SIEM solutions should provide the ability to index and run reports. If you are just using syslog you could always run a script to parse the logs pull the information and insert it into a database that you can run reports from.