Nolan_Jensen
Oct 19, 2021
Solved

APM IP Subnet Match - single IP list

Hello,

I am trying to figure out the best way to reference a single list of IPs in a few different access policies. Having this would allow me to maintain just one subnet match list, and when it is updated all access policies using it would use the new list.

I am using the IP subnet match to identify which machines are on our domain so I can route them to a 401 response and Kerberos auth.

I am running version 14.1.4.4.

Ideal options

  • If there was a way to create a Shared Object list of IPs and then reference that in an access policy to make a branch decision, but that doesn't seem to be possible.
  • Make an access policy decision based on what VLAN the request came from.

Other option

  • I am aware I could do some sort of client-side check to determine if the machine was domain joined, but that seems to cause the users more problems, which I would rather keep behind the scenes.

The only concept I can find to reference a list of IPs would be to use an iRule that references a data group list and then reference that iRule event in each of my access policies. However, I am not really sure how to do that and am not finding much helpful documentation on that process.

Here is what I tried, but it is not sending the ones that match down the correct branch.

Any help someone could provide would be greatly appreciated. Thank you!

when ACCESS_POLICY_AGENT_EVENT {
    if { [class match [IP::client_addr] equals kerberos_apm_subnet_match] } {
        switch [ACCESS::policy item_id] {
            "match" { # the body of this branch was cut off in the original post
            }
        }
    }
}

I did something like this in the access policy; however, it always matched, so my rule must be incorrect.

  • You can create a macro. In the macro, select the server side security and IP subnet match for the user's range. Call that macro in VPE.

    For the other option, an iRule, you can use something like the below:

    when ACCESS_POLICY_AGENT_EVENT {
        if { ([ACCESS::policy agent_id] eq "match") and (class match [IP::client_addr] equals kerberos_apm_subnet_match])}{
            ACCESS::session data set session.custom.ip 0
        } else {
            ACCESS::session data set session.custom.ip 1
        }
    }

    The event ID should be "match" and the expression should be "expr { [mcget {session.custom.ip}] == 0 }" to match the user subnet.

2 Replies


    • Nolan_Jensen

      SanjayP,

      Wow, thank you very much. The iRule and iRule event are working on my first quick pass at testing. I am going to do more testing and will mark this as the answer once I am able to do so.

      Thank you again for your help, I greatly appreciate it!

      Note: for anyone else who comes across this, there is a minor code error in the above iRule, so here is the working one.

      when ACCESS_POLICY_AGENT_EVENT {
          if { ([ACCESS::policy agent_id] eq "match") and [class match [IP::client_addr] equals kerberos_apm_subnet_match] } {
              ACCESS::session data set session.custom.ip 0
          } else {
              ACCESS::session data set session.custom.ip 1
          }
      }
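The full set of pieces that the answer above and the corrected iRule describe, written out as an added example (it is not code from this thread, nor F5's own): the data group that holds the centrally maintained list, the iRule that consults it from an iRule Event agent, and the branch expression for VPE. It keeps the data group name kerberos_apm_subnet_match and the agent ID "match" from the thread, but uses a session variable name of my own, session.custom.domain_subnet, with 1 meaning the client address is in the list (the thread's iRule uses session.custom.ip with 0 for a match), and it adds a log line so a wrong branch decision can be traced in /var/log/ltm. The subnet ranges are constructed sample values.

```tcl
# Added example, not code from the thread. Assumptions: the data group is
# named kerberos_apm_subnet_match, the iRule Event agent in each access
# policy has the ID "match", and the session variable is
# session.custom.domain_subnet (1 = client address is in the list, 0 = not).
#
# The list lives in the data group only, so every policy whose iRule Event
# agent is tagged "match" picks up changes without editing any policy.
# Constructed sample ranges (tmsh); 'create' once, 'modify ... records add'
# whenever the list changes:
#
#   create ltm data-group internal kerberos_apm_subnet_match type ip \
#       records { 10.10.0.0/16 { } 192.0.2.0/24 { } }
#   modify ltm data-group internal kerberos_apm_subnet_match \
#       records add { 198.51.100.0/24 { } }

when ACCESS_POLICY_AGENT_EVENT {
    # Only act for the iRule Event agent with ID "match"; any other iRule
    # Event agents in policies on the same virtual server are left alone.
    if { [ACCESS::policy agent_id] ne "match" } {
        return
    }

    # IP::client_addr is the source address the BIG-IP sees on the TCP
    # connection. Behind a NAT or an upstream proxy every client shares one
    # address, so the list must describe what the BIG-IP actually sees.
    # X-Forwarded-For is set by the client side and is deliberately not used.
    set client [IP::client_addr]

    # With an ip-type data group, "equals" performs subnet containment.
    # -name returns the matching record (the CIDR block) instead of a
    # boolean, which makes the log line useful; "" means no match.
    set matched [class match -name $client equals kerberos_apm_subnet_match]

    if { $matched ne "" } {
        ACCESS::session data set session.custom.domain_subnet 1
        log local0.info "APM subnet match: $client is in $matched"
    } else {
        ACCESS::session data set session.custom.domain_subnet 0
        log local0.info "APM subnet match: $client not in kerberos_apm_subnet_match"
    }
}

# Branch rule on the iRule Event agent in VPE (advanced expression), so
# that matching clients are sent down the 401 / Kerberos branch:
#
#   expr { [mcget {session.custom.domain_subnet}] == 1 }
```

Two points worth checking before relying on this: the source address is only a hint that the machine is on the corporate network, so Kerberos still does the actual authentication on that branch and the fallback branch should still offer a working login; and if any path to this virtual server goes through a SNAT, load balancer or proxy, the log line will show that one shared address rather than the real client, which is the case to look for when every client lands on the same branch.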