view access policy changes history APM

Question

Hi all ,I'm wondering if there's a way to view changes in access policy because the message "Apply access policy" is always displayed and I can't remember what I did, so I want to see what the changes are before I apply them.Thanks in advance .

mohamed_ahmed_kansoh · Accepted Answer

Hello&nbsp;Mohamed_salah1&nbsp;,&nbsp;I’m not expert with APM , But with my knowledge with ASM you can view the historical changes for each policy.&nbsp;I want only to add :&nbsp;&gt; you can view your changes from /var/log/audit&nbsp;and this KB for more details :&nbsp;https://support.f5.com/csp/article/K09050750&gt; OR Check this KB for Configuration file change Tracking differences :&nbsp;https://support.f5.com/csp/article/K53125560I hope for you to find your optimal solution from one of Community F5 APM experts.&nbsp;my reply just for help or adding a clue for you&nbsp;Regards&nbsp;

kai_wilke · Answer

Hi Mohamed,
the "Apply Access Policy" button is a very often misunderstood concept.
Its probably the name itself which makes it so confusing. A rename to "Invalidate memory cached configuration data in APM related services" would make sense, but may confuse much more people... 😉&nbsp;
Some background information:&nbsp;
Whenever you change APM related configuration data, it will immediatly overwrite your bigip configuration files (change-by-change). And depending on the type of change you've just performed, you may also update/add/remove files in BigIPs Filestore and/or in external directories where APM related services reading their configuration data.
You dont have a "lets say: staged configuration" which replaces at some point a "lets say: master configuration".&nbsp;The&nbsp;"Apply Access Policy" button executes more or less just a partial config reload for a given Access Policy. Instead of clicking on "Apply Access Policy" you could alternatively restart your entire system, the outcome would be the same. The latest configuration would be active and the "Apply Access Policy" message is gone...
How to figure out the changes caused the "Apply Access Policy" message to appear:
BigIP or APM has unfortunately no build-in tool, to analyse historical changes made either directly to a given Access Policy or to referenced configuration items (e.g. AAA objects used by one or more Policies). Both types of changes may cause the&nbsp;the "Apply Access Policy" message to appear.
If you are interested to see which recent APM related changes where made to your unit, you could crawl your BIG-IP Audit Logs or read BIG-IP Change Tracker files for APM related changes:
How to find recent changes to the configuration (f5.com)
Overview of BIG-IP configuration historical change tracking (config_diff) (f5.com)
But those two utilities are most likely very hefty to use. Especially if you reorganize a VPE you may end up with a lot change-by-change outputs without any assistance to understand the big picture of VPE graphical workflow.
Just trust me when I say that you will most likely start to hate those tools, if you have to use them frequently. Implementing good organisational practises how to change and maintain BigIP configurations is probably less time consuming and more effective... 😉
Cheers, Kai

Forum Discussion

view access policy changes history APM

2 Replies

Recent Discussions

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Getting Started with iControl: History

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Change admin account

BIG-IP SSL Cipher History

Overview of API Access Control and implementing API key access control with BIG-IP APM