APM combine check for ldap group plus IP ACL
Hi, A client wishes to create an APM policy that will, amongst other things, do the following - The client has a group of users that have to meet two conditions to access the resource. We need to check in combination that the user is both a member of an AD group and that the group also matches an IP ACL. Can this be done using only APM, and if so, how? Or do we need to combine an IRULE and if so, is there a simple way to do this? (we have 30 groups that need to be matched to ACLs). Thanks, Vered
[APM] The F5 API returned the error BadRequest(400)
Hello Team , We use a tool for whitelisting the URL and IP's and push the configuration to F5 everyday . We have below error on the tool . Can we check anything on the F5 . I did not find any error message on the audit logs . Error : F5 synchronization batch reported an error while managing F5 : SendRequest: The F5 API returned the error BadRequest(400) received from the API: request failed with null exception
[APM] ACL Interest
Hi, I'm integrating VPNSSL F5 by using APM since many week. Our users population are susceptible to use the following elements : Portal Access RDP Access Network Access My questions are about Network Access. Today, I use Network Access to allocate the same IP address inside and outside the entreprise (F5 has in interface in all my entreprise LAN). After that I have as many Forwading VS than Entreprise LAN. On each forwarding IP I've I this irule : when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals 192.168.160.0/255.255.254.0] } { node 192.168.160.1 } else { log local0. "[IP::client_addr] access problem" reject } } This Irule send to gateway 192.168.160.1 if the Network Access IP is in 192.168.160.0/23 range. This system works perfectly but i've questions about that : I've have an ACL that looks like this : Src : 192.168.160.0/23 Destination : 0.0.0.0 Port : Any Allow My firewall are here to do filtering, not APM. Since this morning I realized that if I remove this ACL, nothing change, all works perfectly too. My F5 is not supposed to filter if there is no ACL ? In this case, what is intereset off ACL (only portal mode) ? Thanks a lot for yours answersF5 Dynamic ACL format for AD based attribute
I have reviewed the dynamic acl documentation at: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-implementations-11-5-0/2.html However, acls are not working as I expect them to. Is there a way to debug how APM is parsing the ACLs being returned from LDAP? I can see messages in the debug mode but the page is not producing an ACL deny message: Sep 2 13:09:00 TST-VE-BIGIP debug apd[11021]: 01490000:7: modules/ResourceAssignment/DynamicAcl/DynamicAclAgent.cpp func: "DynamicAclAgentexecuteInstance()" line: 484 Msg: agent_dynamic_acl source session.ad.last.attr.extensionAttribute5: deny https any 10.0.0.0/8 *://*/app1/Engine On the frontend the url is HTTPS, but on the backend it is HTTP over port 443. What I am not certain about is what the target URLs should match. I have implemented this ACL via a statically defined ACL within APM, however I want to evaluate centralizing our ACLs within the LDAP directory where account management and access control occurs. Thank-You.
L7 https ACL with APM SSL VPN not working
Hi, I am building a POC for Client SSl VPN with F5 APM in AWS. Since we are using AWS I would like to use L7 ACLs instead of L4 since IP addresses keep changing in AWS. I got it working for http but not for https. In another post I found this: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-4-0/apm_config_resources.html147209 You can use a Layer 4 or Layer 7 ACL with network access, web applications, or web access management connections, with the following configuration notes. With network access, you can use a Layer 7 ACL that is configured to provide access control for port 80 HTTP connections. However, if you want to provide access control for anything that is not on port 80, you must create a second virtual server, configured with the IP address to which the ACL entry applies, and the default access profile, access. For HTTPS network access connections, you can use Layer 7 ACL entries only if the virtual server has the private key of the backend server. Does that really means I will have to create an additional VS for every single URL I want to access via https and also need the key for that URL? I hope not. Thanks.
L7 https ACL with APM SSL VPN not working
Hi, I am building a POC for Client SSl VPN with F5 APM in AWS. Since we are using AWS I would like to use L7 ACLs instead of L4 since IP addresses keep changing in AWS. I got it working for http but not for https. In another post I found this: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-4-0/apm_config_resources.html147209 You can use a Layer 4 or Layer 7 ACL with network access, web applications, or web access management connections, with the following configuration notes. With network access, you can use a Layer 7 ACL that is configured to provide access control for port 80 HTTP connections. However, if you want to provide access control for anything that is not on port 80, you must create a second virtual server, configured with the IP address to which the ACL entry applies, and the default access profile, access. For HTTPS network access connections, you can use Layer 7 ACL entries only if the virtual server has the private key of the backend server. Does that really means I will have to create an additional VS for every single URL I want to access via https and also need the key for that URL? I hope not. Thanks.APM dynamic ACLs attached to AD or LDAP groups
Hi, I am building a client vpn setup with F5 APM. It's working quite good so far. I have a static ACL configured for now. I would like to use dynamic ACLs in the future so managers can give their Team members access themselves by adding them to specific ldap or AD groups (we use both). My question is, is this even possible? Can I add ACLs to groups? And if yes, how does the F5 then knows which groups it should read ACLs from, since a user could be in different groups. The groups would be preconfigured in LDAP/AD and all ACLs would be configured on the group. e.g. Sales guys need access to specific tools. I would create a group in LDAP/AD for this purpose and add the appropriate ACLs to this group. The manager could then add his Team members to this group and thus the Group members have access to the needed services. But the user could be also in many other groups. I was thinking about some sort of naming convention for the groups. Like acl-sales, acl-internet-access. So the F5 only looks in groups that start with acl-. Hope you understand my question and I have understood dynamic ACLs correctly. Thanks in advance.APM dynamic ACLs attached to AD or LDAP groups
Hi, I am building a client vpn setup with F5 APM. It's working quite good so far. I have a static ACL configured for now. I would like to use dynamic ACLs in the future so managers can give their Team members access themselves by adding them to specific ldap or AD groups (we use both). My question is, is this even possible? Can I add ACLs to groups? And if yes, how does the F5 then knows which groups it should read ACLs from, since a user could be in different groups. The groups would be preconfigured in LDAP/AD and all ACLs would be configured on the group. e.g. Sales guys need access to specific tools. I would create a group in LDAP/AD for this purpose and add the appropriate ACLs to this group. The manager could then add his Team members to this group and thus the Group members have access to the needed services. But the user could be also in many other groups. I was thinking about some sort of naming convention for the groups. Like acl-sales, acl-internet-access. So the F5 only looks in groups that start with acl-. Hope you understand my question and I have understood dynamic ACLs correctly. Thanks in advance.
APM Deny ACL Blocking Portal Access Resources
I hoping this is an easy one.. I have added a deny all ACL to an access policy, ensuring that it is last in the ACL order. However it is blocking portal access resources - with configured resource items. My understanding is that providing the user defined deny ACL is processed after the ACEs that make up the portal access resources, then access to these resources should be permitted. Am I missing something?? Thanks MP
