cancel
Showing results for 
Search instead for 
Did you mean: 

APM IP Subnet Match - single IP list

Nolan_Jensen
Cirrostratus
Cirrostratus

Hello,

 

I am trying to figure out the best way to reference a single list of IP's in a few different access policies. Having this would allow me to just maintain one subnet match list and when updated all access polices using it would be using the new list.

 

I am using the IP subnet match to identify which machines are on our domain so I can route them to a 401 response and kerberos auth.

 

I am running version 14.1.4.4

 

Ideal options

  • If there was a way to create a Shared Object list of IP's then reference that in an access policy to make a branch decision but that doesn't seem to be possible.
  • Make an access policy decision based on what VLAN the request came from

 

Other option

  • I am aware I could do some sort of client side check to determine if machine was domain joined but that seems to cause the users more problems which I would rather be more behind the scenes.

 

Only concept I can find to reference a list of IP's would be to use an iRule that references a data group list then reference that iRule event in each of my access polices. However I am not really sure how to do that and not finding much helpful documentation on that process.

 

Here is what I tried but it is not sending the ones that match down the correct branch.

 

Any help someone could provide would be greatly appreciated. Thank you!

 

when ACCESS_POLICY_AGENT_EVENT { if { [class match [IP::client_addr] equals kerberos_apm_subnet_match] } { switch [ACCESS::policy item_id] {   "match" 

The did something like this in access policy, however it always matched so my rule must be incorrect.

 

 

0691T00000F6BE1QAN.png

0691T00000F6BE6QAN.png

0691T00000F6BEBQA3.png

1 ACCEPTED SOLUTION

SanjayP
MVP
MVP

You can create a macro. In macro, select the server side security and IP subnet match for user's range. Call that macro in VPE.

 

0691T00000F6EczQAF.png 

For other option of iRule, you can use something like below

 

when ACCESS_POLICY_AGENT_EVENT { if { ([ACCESS::policy agent_id] eq "match") and (class match [IP::client_addr] equals kerberos_apm_subnet_match])}{ ACCESS::session data set session.custom.ip 0 } else { ACCESS::session data set session.custom.ip 1 } }

event ID should be "match" and expression should be "expr { [mcget {session.custom.ip}] == 0 }" to match the user subnet

 

 

 

View solution in original post

2 REPLIES 2

SanjayP
MVP
MVP

You can create a macro. In macro, select the server side security and IP subnet match for user's range. Call that macro in VPE.

 

0691T00000F6EczQAF.png 

For other option of iRule, you can use something like below

 

when ACCESS_POLICY_AGENT_EVENT { if { ([ACCESS::policy agent_id] eq "match") and (class match [IP::client_addr] equals kerberos_apm_subnet_match])}{ ACCESS::session data set session.custom.ip 0 } else { ACCESS::session data set session.custom.ip 1 } }

event ID should be "match" and expression should be "expr { [mcget {session.custom.ip}] == 0 }" to match the user subnet

 

 

 

SanjayP,

 

Wow thank you very much the iRule and iRule event is working on my first quick pass at testing. I am going to do more testing and will mark this as answer once I am able to do so.

 

Thank you again for your help I greatly appreciate it!

 

Note: for anyone else who comes across this there is a minor code error in above iRule so here is the working one.

when ACCESS_POLICY_AGENT_EVENT { if { ([ACCESS::policy agent_id] eq "match") and [class match [IP::client_addr] equals kerberos_apm_subnet_match] } { ACCESS::session data set session.custom.ip 0 } else { ACCESS::session data set session.custom.ip 1 } }