Enforcing individual APM Policy "In Progress Sessions Limits"

Problem this snippet solves:

Hi Folks,

the iRule below can be used to enforce individual APM Policy "In Progress Sessions Limits" per source IP address.

The iRule make use of 

[class match]
to retrive custom settings for individual client IPs and then uses 
[table]
to count and finally enforce the individual "In Progress Sessions Limits" for APM authentication.

Cheers, Kai

How to use this snippet:

  1. Tweak the provided data-group and RULE_INIT section as needed.
  2. Import the data-group and iRule to your device.
  3. Attach the iRule to your APM enabled Virtual Server.
  4. Open different APM authentication sessions (via InPrivate browsing) to see if the iRule is able to block further APM session creations if the counter is reached.

Code :

ltm data-group internal DG_APM_SESSION_LIMITS {
    records {
        1.1.1.1/32 {
            data 50
        }
        2.2.2.0/24 {
            data 100
        }
    }
    type ip
}
when RULE_INIT {
    set static::inprogress_session_limit 5
    set static::access_policy_timeout 300
}
when ACCESS_SESSION_STARTED {
    log local0.debug "Started"
    if { [set SessionLimit [class lookup "[ACCESS::session data get "session.user.clientip"]" "DG_APM_SESSION_LIMITS"]] eq "" } then {
        set SessionLimit $static::inprogress_session_limit
    }
    if { [table keys -count -subtable "APMSessions_[ACCESS::session data get "session.user.clientip"]"] > $SessionLimit } then {
        ACCESS::respond 200 content "
To many concurrent logon sessions from your IP address
" noserver "Content-Type" "text/html"
        ACCESS::session remove
        log local0.debug "Login from client IP \"[ACCESS::session data get "session.user.clientip"]\" was blocked. Too many inprogress sessions..."
    } else {
        table add -subtable "APMSessions_[ACCESS::session data get "session.user.clientip"]" "[ACCESS::session data get "session.user.sessionid"]" 1 indefinite $static::access_policy_timeout
    }
}
when ACCESS_POLICY_COMPLETED {
    table delete -subtable "APMSessions_[ACCESS::session data get "session.user.clientip"]" "[ACCESS::session data get "session.user.sessionid"]"
}

Tested this on version:

12.0
Updated Jun 06, 2023
Version 2.0
APM
in progress sessions limits
iRules
security

Was this article helpful?

5 Comments

Sort By
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Sep 09, 2016

    Hi,

    this is an interesting irule.

    For better user experience, I should have set an APM session variable in ACCESS_SESSION_STARTED 

    ACCESS::session data set "session.custom.tomanysession" 1

    instead of 

    ACCESS::respond 200 content "To many concurrent logon sessions from your IP address" noserver "Content-Type" "text/html"
ACCESS::session remove

    and added a empty box in VPE with branch with expression 

    expr { [mcget {session.custom.tomanysession}] != 0 }
    to dedicated policy ending with message: 

    To many concurrent logon sessions from your IP address

    with this solution, the response page format is the same as access profile.

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Sep 09, 2016

    Hi Stanislas,

     

    Cool suggestion. I'll definately include this appeoach when I update this post (it has currently some code glitches).

     

    Cheers, Kai

     

  • Sensoo_L_279023's avatar
    Sensoo_L_279023
    Icon for Nimbostratus rankNimbostratus
    May 08, 2017

    Hello,

     

    Is there any way to replace the default value (in rule INIT: set static::inprogress_session_limit 5) on the APM profile?

     

    Else, we have to set the default value (in APM profile) higher than the highest value of the datagroup because the APM profile's feature remains active.

     

    Am i wrong?

     

    Thanks,

     

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    May 09, 2017

    Hi Sensoo L,

     

    you can set the access profile max in progress session to 0 (unlimited)!

     

  • Ali_Khan's avatar
    Ali_Khan
    Icon for Nimbostratus rankNimbostratus
    Oct 18, 2018

    Good Solution,

     

    But in my scenario i am looking to limit 'ESTABLISHED' sessions per IP. Is this possible?