Enforcing individual APM Policy "In Progress Sessions Limits"
Problem this snippet solves:
Hi Folks,
the iRule below can be used to enforce individual APM Policy "In Progress Sessions Limits" per source IP address.
The iRule makes use of [class match] to retrieve custom settings for individual client IPs and then uses [table] to count and finally enforce the individual "In Progress Sessions Limits" for APM authentication.
Cheers, Kai
How to use this snippet:
- Tweak the provided data-group and RULE_INIT section as needed.
- Import the data-group and iRule to your device.
- Attach the iRule to your APM enabled Virtual Server.
- Open different APM authentication sessions (via InPrivate browsing) to see if the iRule is able to block further APM session creations if the counter is reached.
Code :
```
ltm data-group internal DG_APM_SESSION_LIMITS {
    records {
        1.1.1.1/32 {
            data 50
        }
        2.2.2.0/24 {
            data 100
        }
    }
    type ip
}

when RULE_INIT {
    # Default limit for client IPs without a record in DG_APM_SESSION_LIMITS
    set static::inprogress_session_limit 5
    # Lifetime (in seconds) of a counter entry for a session that never completes
    set static::access_policy_timeout 300
}
when ACCESS_SESSION_STARTED {
    log local0.debug "Started"
    # Use the individual limit from the data-group, or fall back to the default
    if { [set SessionLimit [class lookup "[ACCESS::session data get "session.user.clientip"]" "DG_APM_SESSION_LIMITS"]] eq "" } then {
        set SessionLimit $static::inprogress_session_limit
    }
    # The current session is not in the subtable yet, so >= caps the
    # in-progress sessions per client IP at exactly $SessionLimit
    if { [table keys -count -subtable "APMSessions_[ACCESS::session data get "session.user.clientip"]"] >= $SessionLimit } then {
        ACCESS::respond 200 content "Too many concurrent logon sessions from your IP address" noserver "Content-Type" "text/html"
        ACCESS::session remove
        log local0.debug "Login from client IP \"[ACCESS::session data get "session.user.clientip"]\" was blocked. Too many inprogress sessions..."
    } else {
        # Count this session; the entry expires after the access policy timeout
        table add -subtable "APMSessions_[ACCESS::session data get "session.user.clientip"]" "[ACCESS::session data get "session.user.sessionid"]" 1 indefinite $static::access_policy_timeout
    }
}
when ACCESS_POLICY_COMPLETED {
    # The policy has finished, so the session is no longer "in progress"
    table delete -subtable "APMSessions_[ACCESS::session data get "session.user.clientip"]" "[ACCESS::session data get "session.user.sessionid"]"
}
```
Tested this on version:
12.0
Updated Jun 06, 2023
Version 2.0
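To check the result of the last usage step from the log side, the following added example (not part of the original snippet) counts the iRule's "was blocked" debug messages per client IP and shows which limit from the data-group applied to each. The sample log lines, their syslog prefix and the rule name are constructed, and picking the most specific matching record is an assumption about how the data-group lookup behaves.

```python
import ipaddress
import re
from collections import Counter

# Limits copied from the page's data-group and RULE_INIT section.
DG_APM_SESSION_LIMITS = {"1.1.1.1/32": 50, "2.2.2.0/24": 100}
DEFAULT_LIMIT = 5

# Message text the iRule logs when it rejects a session.
BLOCKED_RE = re.compile(
    r'Login from client IP "(?P<ip>[^"]+)" was blocked\. Too many inprogress sessions')

# Constructed sample lines; syslog prefix and rule name are assumptions.
_PREFIX = "Jun  6 10:15:0{} bigip1 debug tmm[12345]: Rule /Common/apm_limit <ACCESS_SESSION_STARTED>: "
_BLOCKED = 'Login from client IP "{}" was blocked. Too many inprogress sessions...'
SAMPLE_LOG = [
    _PREFIX.format(1) + "Started",
    _PREFIX.format(1) + _BLOCKED.format("203.0.113.7"),
    _PREFIX.format(2) + _BLOCKED.format("2.2.2.40"),
    _PREFIX.format(3) + _BLOCKED.format("203.0.113.7"),
    _PREFIX.format(4) + "Started",
    _PREFIX.format(5) + _BLOCKED.format("203.0.113.7"),
]

def limit_for(ip):
    """Limit of the most specific matching record (assumed), else the default."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(n), v) for n, v in DG_APM_SESSION_LIMITS.items()]
    hits = [(net.prefixlen, v) for net, v in nets if addr in net]
    return max(hits)[1] if hits else DEFAULT_LIMIT

def blocked_report(lines):
    """Return [(ip, blocked_count, applied_limit)], most-blocked first."""
    counts = Counter()
    for line in lines:
        m = BLOCKED_RE.search(line)
        if not m:
            continue
        try:
            ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # skip entries whose client IP field is not a valid address
        counts[m.group("ip")] += 1
    return [(ip, n, limit_for(ip)) for ip, n in counts.most_common()]

if __name__ == "__main__":
    for ip, n, limit in blocked_report(SAMPLE_LOG):
        print(f"{ip}: blocked {n}x (limit {limit})")
```

A client that appears here repeatedly with the default limit is a candidate for its own data-group record, or for a closer look at why it opens so many unfinished logon sessions.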