Here is my irule:
when CLIENT_ACCEPTED {
    # This is required to allow the HTTP_REQUEST event to key off of the APM internal URI
    ACCESS::restrict_irule_events disable
}

when ACCESS_POLICY_COMPLETED {
    # After the VPE policy is completed, check if the user has been denied. A session variable
    # "session.custom.denyreason" is set in the VPE to provide an error code for logging purposes.
    # Note that ACCESS::policy result isn't evaluated in the ACCESS_SESSION_CLOSED event. Placing
    # the logging here removes the need to create a new session variable containing the result.
    if { [ACCESS::policy result] equals "deny" } {
        # Default every logged field to an empty string so the log line still renders
        # when a session variable is absent and the corresponding catch fails
        foreach v {starttime userip username sessionid assignedip assignedresources geolocationcountry
                   platform avstatus fwstatus browser version url macaddr denyreason} {
            set $v ""
        }
        catch {set starttime [ACCESS::session data get "session.user.starttime"]}
        catch {set userip [ACCESS::session data get "session.user.clientip"]}
        catch {set username [ACCESS::session data get "session.logon.last.username"]}
        catch {set sessionid [ACCESS::session data get "session.user.sessionid"]}
        catch {set assignedip [ACCESS::session data get "session.assigned.clientip"]}
        catch {set assignedresources [ACCESS::session data get "session.assigned.na.current"]}
        catch {set geolocationcountry [ACCESS::session data get "session.user.ipgeolocation.country_name"]}
        catch {set platform [ACCESS::session data get "session.client.platform"]}
        catch {set avstatus [ACCESS::session data get "AVcheckFailed"]}
        catch {set fwstatus [ACCESS::session data get "FWcheckFailed"]}
        catch {set browser [ACCESS::session data get "session.client.type"]}
        catch {set version [ACCESS::session data get "session.client.version"]}
        catch {set url [ACCESS::session data get "session.server.network.name"]}
        catch {set macaddr [ACCESS::session data get "session.last.usermac"]}
        catch {set denyreason [ACCESS::session data get "session.custom.denyreason"]}
        # Only format the start time when the session actually carries one
        if { $starttime ne "" } {
            catch {set starttime [clock format $starttime -format {%d %b %Y %T %Z}]}
        }
        log local0. "Denied ($starttime|$assignedresources|$sessionid|$username|$userip|$assignedip|$geolocationcountry|$avstatus|$fwstatus|$platform|$browser|$version|$url|$denyreason|$macaddr)"
    }
}

when HTTP_REQUEST {
    # The "session.assigned.clientip" is assigned after ACCESS_POLICY_COMPLETED and before
    # ACCESS_SESSION_CLOSED. In order to capture it, we key off of an internal URI hit by the
    # client when the VPN is established. We wait a few seconds for the lease pool IP address
    # to be assigned and then log the address here.
    if { [HTTP::uri] starts_with "/myvpn?sess=" } {
        after 5000 {
            # Same defaults as above so a missing variable cannot break the log statement
            foreach v {starttime userip username sessionid assignedip assignedresources geolocationcountry
                       platform avstatus fwstatus browser version url macaddr denyreason} {
                set $v ""
            }
            catch {set starttime [ACCESS::session data get "session.user.starttime"]}
            catch {set userip [ACCESS::session data get "session.user.clientip"]}
            catch {set username [ACCESS::session data get "session.logon.last.username"]}
            catch {set sessionid [ACCESS::session data get "session.user.sessionid"]}
            catch {set assignedip [ACCESS::session data get "session.assigned.clientip"]}
            catch {set assignedresources [ACCESS::session data get "session.assigned.na.current"]}
            catch {set geolocationcountry [ACCESS::session data get "session.user.ipgeolocation.country_name"]}
            catch {set platform [ACCESS::session data get "session.client.platform"]}
            catch {set avstatus [ACCESS::session data get "AVcheckFailed"]}
            catch {set fwstatus [ACCESS::session data get "FWcheckFailed"]}
            catch {set browser [ACCESS::session data get "session.client.type"]}
            catch {set version [ACCESS::session data get "session.client.version"]}
            catch {set url [ACCESS::session data get "session.server.network.name"]}
            catch {set macaddr [ACCESS::session data get "session.last.usermac"]}
            catch {set denyreason [ACCESS::session data get "session.custom.denyreason"]}
            if { $starttime ne "" } {
                catch {set starttime [clock format $starttime -format {%d %b %Y %T %Z}]}
            }
            log local0. "Established ($starttime|$assignedresources|$sessionid|$username|$userip|$assignedip|$geolocationcountry|$avstatus|$fwstatus|$platform|$browser|$version|$url|$denyreason|$macaddr)"
        }
    }
}
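An added example, not part of the post above, showing how a log collector can parse the pipe-delimited "Denied (...)" and "Established (...)" lines this iRule writes to local0 and count repeated denials per user and reason. The field order follows the two log statements in the iRule; the syslog prefix and all sample values are constructed for illustration.

```python
import re
from collections import Counter

# Field order matches the "log local0." statements in the iRule
FIELDS = ("starttime", "assignedresources", "sessionid", "username", "userip",
          "assignedip", "geolocationcountry", "avstatus", "fwstatus", "platform",
          "browser", "version", "url", "denyreason", "macaddr")

# Match the payload regardless of whatever syslog prefix precedes it in /var/log/ltm
LINE_RE = re.compile(r"(Denied|Established) \((.*)\)\s*$")


def parse_apm_log_line(line):
    """Return a dict of the iRule's fields plus 'outcome', or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    outcome, payload = m.group(1), m.group(2)
    # starttime is always first and never contains a pipe; split the remainder from
    # the right so a pipe inside assignedresources cannot shift the later columns
    starttime, _, rest = payload.partition("|")
    tail = rest.rsplit("|", len(FIELDS) - 2)
    if len(tail) != len(FIELDS) - 1:
        return None
    record = dict(zip(FIELDS, [starttime, *tail]))
    record["outcome"] = outcome
    return record


def denials_by_reason(lines):
    """Count denied sessions per (username, denyreason), e.g. to alert on repeat failures."""
    counts = Counter()
    for line in lines:
        rec = parse_apm_log_line(line)
        if rec and rec["outcome"] == "Denied":
            counts[(rec["username"], rec["denyreason"])] += 1
    return counts


# Constructed sample lines in the shape the iRule emits (syslog prefix is illustrative)
SAMPLE_LINES = [
    "Jan 10 09:12:01 bigip1 info tmm[1234]: Rule /Common/apm_log <ACCESS_POLICY_COMPLETED>: "
    "Denied (10 Jan 2024 09:11:55 UTC||a1b2c3d4|jdoe|203.0.113.5||United States|1|0|Windows 10|Edge|6.0|vpn.example.com|AV_FAILED|00:11:22:33:44:55)",
    "Jan 10 09:13:40 bigip1 info tmm[1234]: Rule /Common/apm_log <HTTP_REQUEST>: "
    "Established (10 Jan 2024 09:13:30 UTC|/Common/na_full|e5f6a7b8|asmith|198.51.100.7|10.20.0.15|Canada|0|0|macOS|Edge Client|7.2|vpn.example.com||aa:bb:cc:dd:ee:ff)",
    "Jan 10 09:15:02 bigip1 info tmm[1234]: Rule /Common/apm_log <ACCESS_POLICY_COMPLETED>: "
    "Denied (10 Jan 2024 09:14:58 UTC||c9d0e1f2|jdoe|203.0.113.5||United States|1|0|Windows 10|Edge|6.0|vpn.example.com|AV_FAILED|00:11:22:33:44:55)",
]

if __name__ == "__main__":
    for (user, reason), n in denials_by_reason(SAMPLE_LINES).items():
        print(f"{user}: {n} denial(s), reason={reason}")
```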