userid to ip mapping - F5 APM

Question

I have been wrestling with how I can share user to ip mappings for VPN connections with internal security devices(namely palo alto firewalls).  I found a few great suggestions on here regarding leveraging an irule to accomplish this, and while they appeared to work, adding DTLS broke most of the examples provided. 
reference: https://devcentral.f5.com/questions/userid-to-leasepool-ip-mapping
So I spent some time attempting to figure out how I could accomplish this with DTLS enabled and this is what I came up with:
when CLIENT_ACCEPTED {
  ACCESS::restrict_irule_events disable
  set hsl [HSL::open -proto UDP -pool hsl_pa-uid_pool]
}

when HTTP_REQUEST {

if { [HTTP::uri] starts_with "/vdesk/timeoutagent-i.php" } {
    set vpnip [ACCESS::session data get "session.assigned.clientip"]
    log local0. "timeout beacon received"
    if { $vpnip != "" }{
        set user [ACCESS::session data get "session.logon.last.username"]
        If pa-vpn table entry for ip does not equal the current user we need to update the firewall
        if { [table lookup -notouch "pa-vpn:$vpnip"] != $user } {
            HSL::send $hsl "&lt;190&gt;F5_PA_UID_Event uid:$user vpnip:$vpnip
"
            log local0. "periodic: F5_PA_UID_Event uid:$user vpnip:$vpnip"
            table set "pa-vpn:$vpnip" "$user" "indef" 600
        }    
    }
 }
}

when ACCESS_SESSION_CLOSED {
    set hsl [HSL::open -proto UDP -pool hsl_pa-uid_pool]
    set vpnip [ACCESS::session data get "session.assigned.clientip"]
    if { $vpnip != "" }{
        set user [ACCESS::session data get "session.logon.last.username"]
        HSL::send $hsl "&lt;190&gt;F5_PA_LOGOUT_Event uid:$user vpnip:$vpnip
"
        log local0. "periodic: F5_PA_LOGOUT_Event uid:$user vpnip:$vpnip"
    }
}

My only concern with this implementation is performance impact.   The /vdesk/timeoutagent-i.php happens every 10 seconds or so, which means the set vpnip [ACCESS::session data get "session.assigned.clientip"] and 
[table lookup -notouch "pa-vpn:$vpnip"]  will also occur.
Is my concern warranted? Is there possibly a better implementation out there? Any possible alleys that I might have missed?

jtlampe · Answer

I have been working on the irule as we have been having this issue with Mac users. This is what we came up with that didn't constantly log against the F5. It does still check about every 10 seconds so we are going to be watching our production F5s to ensure we do not start overloading with roughly 5k users a day.
when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable set hsl1 [HSL::open -proto UDP -pool pool_hsl_palo-uid-1]set hsl2 [HSL::open -proto UDP -pool pool_hsl_palo-uid-2] } when HTTP_REQUEST { if { [HTTP::uri] starts_with "/vdesk/timeoutagent-i.php" } { set vpnip [ACCESS::session data get "session.assigned.clientip"] if { $vpnip != "" }{ set user [ACCESS::session data get "session.logon.last.username"]set domain [ACCESS::session data get "session.logon.last.domain"]#if pa-vpn table entry for ip does not equal the current user we need to update the firewall# if { [table lookup -notouch "pa-vpn:$vpnip"] != $user } {HSL::send $hsl1 "&lt;190&gt;F5_PA_UID_Event uid:$domain\$user; vpnip:$vpnip;
"HSL::send $hsl2 "&lt;190&gt;F5_PA_UID_Event uid:$domain\$user; vpnip:$vpnip;
"log local0. "periodic: F5_PA_UID_Event uid:$domain\$user; vpnip:$vpnip;"table set pa-vpn:$vpnip $user 600 } } } } when ACCESS_SESSION_CLOSED { set hsl1 [HSL::open -proto UDP -pool pool_hsl_palo-uid-1]set hsl2 [HSL::open -proto UDP -pool pool_hsl_palo-uid-2] set vpnip [ACCESS::session data get "session.assigned.clientip"] if { $vpnip != "" }{ set user [ACCESS::session data get "session.logon.last.username"]set domain [ACCESS::session data get "session.logon.last.domain"]HSL::send $hsl1 "&lt;190&gt;F5_PA_LOGOUT_Event uid:$domain\$user; vpnip:$vpnip;
"HSL::send $hsl2 "&lt;190&gt;F5_PA_LOGOUT_Event uid:$domain\$user; vpnip:$vpnip;
"log local0. "periodic: F5_PA_LOGOUT_Event uid:$domain\$user; vpnip:$vpnip;" table delete pa-vpn:$vpniptable delete pa-vpn:$user} }

ekaleido · Answer

Mostly unrelated but if the IP and user are tracked on the BigIP, why do you need to track them on the PAN as well? Is this another case of worthless security teams needing to feel valuable? ;)&nbsp;

terrence · Answer

We are a very small networking team and sometimes coordinating access policy requirements across multiple platforms is tedious.  Consolidating access policy to a central point will provide a clearer picture of what is and isn't allowed.  
&nbsp;
Mostly unrelated I find your comment worthless.&nbsp;

lee_sutcliffe · Answer

I wouldn't be overly concerned about performance with this iRule, once every 10 seconds is not a lot but it depends on what else your system is doing. However there are things you can do to make your code more efficient.&nbsp;For example, it's more expensive to set variables using the iRule namespace to make your code more readable. It's more efficient to execute the iRule commands when you need them:&nbsp;if { [HTTP::uri] starts_with "/vdesk/timeoutagent-i.php" } {
     set removed - added directly to 'if'
    log local0. "timeout beacon received"
    if { [ACCESS::session data get "session.assigned.clientip"] != "" }{
    .
    .
    .. etcHave a look here if you're interested in optimization:&nbsp;https://devcentral.f5.com/articles/irules-optimization-101-05-evaluating-irule-performance&nbsp;You could also configure a flag so that logging only happens when the flag is set so to avoid needless logging and computer resource&nbsp;

ryan_m_362715 · Answer

Sorry to bring this thread up from the dead, but I've run into the exact same issue.  Our iRule works perfectly for regular TLS connections, but I'm unable to apply the iRule to the DTLS virtual server due to the fact that I can't apply an HTTP profile to a UDP based server.  I get the following error when trying to apply the iRule:
01071912:3: HTTP_REQUEST event in rule (/Common/VPN_UserID) requires an associated HTTP or FASTHTTP profile on the virtual-server (/Common/VPN-POC-DTLS).

To get around this, I tried using "ACCESS_POLICY_COMPLETED", but receive this:
01071912:3: ACCESS_POLICY_COMPLETED event in rule (/Common/VPN_UserID_DTLS) requires an associated ACCESS profile on the virtual-server (/Common/VPN-POC-DTLS).

Again, I'm unable to associate an access profile to the virtual server due to it being UDP.
Does anyone know if something has changed recently that would disallow this config or am I possibly missing something?  We are running 13.1.1.3.

Forum Discussion

userid to ip mapping - F5 APM

8 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

API Gateway Mapping - Gartner - F5

F5 TIC3.0 Capability Mappings

iRules Heat Map - US Only

F5 Network Map to Json with Python

Bigpipe Mappings