Forum Discussion

Blue_whale
Apr 24, 2023

Need help understanding the iRule - APM

Hi Team,

Can you please help me understand the iRule configured under the VIP in APM (remote access VPN)?

What exactly will this iRule check?

when ACCESS_PER_REQUEST_AGENT_EVENT {
    # Only act when the per-request policy's iRule Event agent carries this ID
    if { [ACCESS::perflow get {perflow.irule_agent_id}] eq "VPN_CATEGORY2ROLE_LOOKUP" } {

        # in v13+: replace with ACCESS::perflow set {perflow.scratchpad} and replace the Per-Request-Policy VPE variable with {perflow.scratchpad}
        # ACCESS::session data set {session.custom.cg_allow_access_to_url} "0"
        # Default to "0" (deny); the per-request policy branches on this value afterwards
        ACCESS::perflow set {perflow.scratchpad} "0"
        # Roles are expected as a pipe-delimited string such as "|role1|role2|"
        set user_roles [ACCESS::session data get {session.cg.user.roles}]
        # Look up the SWG category (or categories) of the requested URL.
        # Tcl requires the opening brace on the same line as foreach/if.
        foreach category [CATEGORY::lookup [ACCESS::perflow get {perflow.category_lookup.result.url}] -display custom] {
            # loop through matched categories
            if { $user_roles contains "|$category|" } {
                # users roles contain the allowed role
                # ACCESS::session data set {session.custom.cg_allow_access_to_url} "1"
                ACCESS::perflow set {perflow.scratchpad} "1"
                break
            }
        }
    }
}

3 Replies

  • Hello,

    I would like to suggest this here.

    This iRule is used in the context of a remote access VPN in the APM module of the F5 BIG-IP system. The purpose of the iRule is to check if a user attempting to access a certain URL is allowed based on their role and the category of the URL.

    The iRule is triggered on the "ACCESS_PER_REQUEST_AGENT_EVENT" event. It checks if the value of a per-flow data variable called "perflow.irule_agent_id" is set to "VPN_CATEGORY2ROLE_LOOKUP". If it is, the iRule continues to execute, otherwise it does nothing.

    The iRule then sets a per-flow data variable called "perflow.scratchpad" to "0". This variable will be used later to determine if the user is allowed to access the URL. The iRule then gets the user's roles from a session data variable called "session.cg.user.roles".

    Next, the iRule loops through the categories that are returned by a call to the "CATEGORY::lookup" command, which takes the URL being accessed as an argument. The "CATEGORY::lookup" command is used to match the URL to a category.

    For each category that is returned, the iRule checks if the user's roles include the allowed role for that category. If they do, the iRule sets "perflow.scratchpad" to "1" and breaks out of the loop. If they don't, the iRule continues to the next category.

    At the end of the iRule, the value of "perflow.scratchpad" is checked. If it is set to "1", the user is allowed to access the URL. If it is set to "0", the user is not allowed to access the URL. Hope it is useful for you.

  • During the per-request access policy execution, iRule event agent is executed and ACCESS_POLICY_PER_AGENT_EVENT is raised in iRules inside TMM.

    when ACCESS_PER_REQUEST_AGENT_EVENT {

    The next line looks to see if the iRule Agent ID, which is set in the irule_agent_id variable, equals the text string.

    if { [ACCESS::perflow get {perflow.irule_agent_id}] eq "VPN_CATEGORY2ROLE_LOOKUP" } {

    If it does match, first set the scratchpad variable to "0".

    ACCESS::perflow set {perflow.scratchpad} "0"

    Then, retrieve a list of the user roles from the session.cg.user.roles variable.

    set user_roles [ACCESS::session data get {session.cg.user.roles}]

    Next, lookup the destination URL's category in SWG. The list of categories supported is available in the UI under “Secure Web Gateway” in the APM section. Examples of categories include Sports, Shopping, etc. The response is a list of category names. Most input URLs result in a single category but some will return more than one. Additionally, a result of “199” indicating a recommendation to scan the response can also be returned.

    foreach category [CATEGORY::lookup [ACCESS::perflow get {perflow.category_lookup.result.url}] -display custom] {

    If the user's roles match a category, set the scratchpad variable to "1" and stop processing the iRule.

    if { $user_roles contains "|$category|" } {
    ACCESS::perflow set {perflow.scratchpad} "1"
    break
    }
    }
    }
    }

    The significance of these variables is heavily dependent on the APM policy, but the next step would be to see what the APM policy does with the scratchpad variable value after the iRule is processed. The iRule itself does not directly modify any aspect of the connection.
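The decision the iRule makes, modelled as stand-alone Python added here (not F5 or iRule code): CATEGORY::lookup and the perflow store are replaced by constructed inputs so the role-to-category matching, including the pipe-delimiter detail of the `contains` check, can be run offline.

```python
# Added model of the iRule's role/category decision. Stand-alone Python,
# not F5 APM/iRule code; CATEGORY::lookup and the perflow store are replaced
# by constructed data so the decision logic can be exercised offline.

# Constructed stand-in for CATEGORY::lookup: URL -> list of category names.
# "199" mirrors the SWG "scan recommended" result mentioned in the reply above;
# note the iRule treats it like any other category name.
CATEGORY_TABLE = {
    "https://scores.example/nba": ["Sports"],
    "https://shop.example/cart": ["Shopping", "199"],
    "https://intranet.example/hr": ["Business"],
}


def category_lookup(url):
    """Stand-in for [CATEGORY::lookup $url -display custom]."""
    return CATEGORY_TABLE.get(url, [])


def scratchpad_for(user_roles, url):
    """Return the perflow.scratchpad value the iRule would leave behind.

    Mirrors the iRule: start at "0", loop over the URL's categories, and set
    "1" on the first category whose delimited form "|<category>|" is a
    substring of the session's role string (session.cg.user.roles).
    """
    scratchpad = "0"
    for category in category_lookup(url):
        # Tcl: $user_roles contains "|$category|" (plain substring test)
        if f"|{category}|" in user_roles:
            scratchpad = "1"
            break  # first matching category wins
    return scratchpad


def allowed(user_roles, url):
    """True when the policy would see scratchpad == "1" for this request."""
    return scratchpad_for(user_roles, url) == "1"


if __name__ == "__main__":
    roles = "|Sports|Shopping|"
    for url in CATEGORY_TABLE:
        print(url, "->", "allow" if allowed(roles, url) else "deny")
    # Edge case: without leading/trailing "|" in the role string the first
    # and last roles never match, so the request is denied.
    print(allowed("Sports|Shopping", "https://scores.example/nba"))
```

The delimiters are what keep "|Sport|" from matching the "Sports" category, so the role string written into session.cg.user.roles must carry the leading and trailing pipes for the check to behave as intended.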