For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

HTTP Event Order -- Access Policy Manager

Early last year I blogged an update to the iRules HTTP event order that F5er John Alam put together. John is back with another update to the drawing, this time, however, including the access policy m...
Published Jun 26, 2012
Version 1.0
BIG-IP Access Policy Manager (APM)
iRules
security
JRahm's avatar
Icon for Admin rankAdmin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
View Profile
JRahm's avatar
Icon for Admin rankAdmin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
View Profile
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
May 03, 2017

Hi Jason,

It's really a great drawing which helped me to understand how APM work and to write my own irules.

I have some comments about it :

  1. ACCESS_ACL_DENIED doesn't lead to 
    Respond with session terminaison page
    but to 
    Respond with denial page
  2. I don't understand 
    VPE Allow condition
    . If VPE is not allowed after ACCESS_POLICY_COMPLETED, session is removed so this condition is always true as only valid session are going there.
  3. As René already said, 
    ACL Defined
    and 
    Evaluate ACL
    must be merge into one with 
    Denied by ACL
    , if not denied, ACCESS_ACL_ALLOWED is evaluated even if no ACL is defined.
  4. ACCESS_POLICY_AGENT_EVENT may loop to 
    VPE calls irule Event
    as VPE can raise this event multiple times
  5. ACCESS_SESSION_CLOSED is triggered outside of flow context. it doesn't lead to 
    Respond with session terminaison page
  6. if 
    Valid existing session
    and URI equals APM logout URI (/vdesk/hangup.php3 or /vdesk/my.logout.php3) --> leads to ACCESS_SESSION_CLOSED

Do you agree with these comments? If I am right, is it possible to update the drawing?