Terry_77423, Jul 26, 2017
userid to ip mapping - F5 APM
I have been wrestling with how I can share user to IP mappings for VPN connections with internal security devices (namely Palo Alto firewalls). I found a few great suggestions on here regarding leveraging an iRule to accomplish this, and while they appeared to work, adding DTLS broke most of the examples provided.
reference: https://devcentral.f5.com/questions/userid-to-leasepool-ip-mapping
So I spent some time attempting to figure out how I could accomplish this with DTLS enabled and this is what I came up with:
    when CLIENT_ACCEPTED {
        # Allow ACCESS:: commands in events where APM would otherwise restrict them
        ACCESS::restrict_irule_events disable
        # High-speed logging handle toward the collector that feeds the firewall
        set hsl [HSL::open -proto UDP -pool hsl_pa-uid_pool]
    }
    when HTTP_REQUEST {
        # The client beacon hits this URI periodically while the VPN session is up
        if { [HTTP::uri] starts_with "/vdesk/timeoutagent-i.php" } {
            set vpnip [ACCESS::session data get "session.assigned.clientip"]
            log local0. "timeout beacon received"
            if { $vpnip != "" } {
                set user [ACCESS::session data get "session.logon.last.username"]
                # If the pa-vpn table entry for this IP does not equal the current user we need to update the firewall
                if { [table lookup -notouch "pa-vpn:$vpnip"] != $user } {
                    HSL::send $hsl "<190>F5_PA_UID_Event uid:$user vpnip:$vpnip\n"
                    log local0. "periodic: F5_PA_UID_Event uid:$user vpnip:$vpnip"
                    # Remember the mapping for 600 seconds so repeat beacons do not resend it
                    table set "pa-vpn:$vpnip" "$user" "indef" 600
                }
            }
        }
    }
    when ACCESS_SESSION_CLOSED {
        set hsl [HSL::open -proto UDP -pool hsl_pa-uid_pool]
        set vpnip [ACCESS::session data get "session.assigned.clientip"]
        if { $vpnip != "" } {
            set user [ACCESS::session data get "session.logon.last.username"]
            HSL::send $hsl "<190>F5_PA_LOGOUT_Event uid:$user vpnip:$vpnip\n"
            log local0. "periodic: F5_PA_LOGOUT_Event uid:$user vpnip:$vpnip"
        }
    }
My only concern with this implementation is performance impact. The /vdesk/timeoutagent-i.php request happens every 10 seconds or so, which means the set vpnip [ACCESS::session data get "session.assigned.clientip"] and [table lookup -notouch "pa-vpn:$vpnip"] calls will also occur at that rate.
Is my concern warranted? Is there possibly a better implementation out there? Any possible alleys that I might have missed?
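As an added example (not from the original post or from F5), a small Python consumer for the HSL lines the iRule above emits: it parses F5_PA_UID_Event / F5_PA_LOGOUT_Event, ignores the repeats the periodic beacon produces, and honours a logout only if the address still belongs to that user, which matters once lease-pool addresses get reused. The message format is assumed from the post; the sample lines are constructed.

```python
import re

# Constructed sample of the HSL lines the iRule above emits (format assumed from the post).
SAMPLE_LINES = [
    "<190>F5_PA_UID_Event uid:alice vpnip:10.10.0.5",
    "<190>F5_PA_UID_Event uid:alice vpnip:10.10.0.5",   # repeat from the periodic beacon
    "<190>F5_PA_UID_Event uid:bob vpnip:10.10.0.6",
    "<190>F5_PA_LOGOUT_Event uid:alice vpnip:10.10.0.5",
    "<190>F5_PA_UID_Event uid:carol vpnip:10.10.0.6",   # lease-pool IP reassigned to carol
    "<190>F5_PA_LOGOUT_Event uid:bob vpnip:10.10.0.6",  # late logout for the previous holder
    "not an F5 event",
]

EVENT_RE = re.compile(
    r"^<\d{1,3}>F5_PA_(?P<kind>UID|LOGOUT)_Event uid:(?P<uid>\S+) vpnip:(?P<ip>\S+)$")

def parse_event(line):
    """Return (kind, uid, ip) for a well-formed event line, else None."""
    m = EVENT_RE.match(line.strip())
    return (m.group("kind"), m.group("uid"), m.group("ip")) if m else None

class UserIpMap:
    """The ip -> user table a consumer keeps from the F5 events."""
    def __init__(self):
        self.by_ip = {}

    def apply(self, line):
        """Apply one line; return True only when the mapping actually changed."""
        ev = parse_event(line)
        if ev is None:
            return False
        kind, uid, ip = ev
        if kind == "UID":
            if self.by_ip.get(ip) == uid:
                return False  # beacon repeat of a mapping we already hold
            self.by_ip[ip] = uid
            return True
        # LOGOUT: clear the entry only if it still names this user, so a late
        # logout for a previous lease holder cannot strip the current user's mapping.
        if self.by_ip.get(ip) == uid:
            del self.by_ip[ip]
            return True
        return False

def replay(lines):
    """Feed lines in order; return (final mapping, number of effective changes)."""
    table = UserIpMap()
    changes = sum(1 for line in lines if table.apply(line))
    return dict(table.by_ip), changes
```

Replaying SAMPLE_LINES leaves only 10.10.0.6 mapped to carol, with four effective changes out of seven input lines.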