iRule ACCESS_ACL_ALLOWED VS APM Per-request Policy to insert APM variables in HTTP headers
Hi, When I need to insert APM session variable in a HTTP header, I use irule like the following : when CLIENT_ACCEPTED { set APMusername "" } when ACCESS_ACL_ALLOWED { if {$APMusername equals ""} { set APMusername [ACCESS::session data get session.logon.last.username] } HTTP::header insert "USER" $APMusername } But during Agility 2017 labs, we configured header insertion in Per-request policy which seems to be more integrated. F5 communicates on performance improvement using LTM Policies instead of iRules. is there such improvement using Per-request policy? Is Per-request policy not using more memory than a simple iRule?
APM Gating Criteria sub-routines
Does anyone have real-world examples of using the new per-request policies in APM 12.1? https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-implementations-12-1-0/7.html The docs are terse on how the gating criteria work, is there anything that I need to perform in the main access policy?
Can the access policy variable session.logon.last.password be passed to a per-request policy subroutine?
Can the access policy variable session.logon.last.password be passed to a per-request policy subroutine? Version 13.1.0 I am attempting to pass the username and password from the Access Policy to the Per-Request-Policy subroutine for use after URL branching, without adding another logon prompt. Similar to this thread but without the OTP logon prompt. https://devcentral.f5.com/questions/is-accessing-session-variables-from-per-request-subroutine-possible-58789 The mentioned thread solution works. It creates a logon prompt for the OTP as the password. This is still a prompt for a user to enter a "password" although it is an OTP. I can successfully pass the user name but not the originating session.logon.last.password from the access-policy. After the user logs on the site, I want to enable Radius MFA Push for specific URL paths. The user is already logged on the access policy. I don't feel they need another logon prompt during the per-request policy. I have tried many methods without success (per-request policy; subroutine, subroutine macro, access policy; decrypt password). Either I haven't found the right combination or it doesn't work this way. Am I missing something? mcget -secure {session.logon.last.password} https://devcentral.f5.com/questions/how-can-i-see-a-password-session-variable-47462 mcget {session.logon.last.password} subsession.logon.last.password I am also trying other avenues such as using iRule LX to submit the request to the MFA API. I was just hoping radius would be an easier route.
Per-Request subroutine loop setup?
Hello All, I am trying to figure out how to configure a RADIUS authentication subroutine in a per request policy so the user can have more then one attempt to enter a one time password. The default gives them just one attempt then they need to close the session and start over. I am running 13.1.0.7 and understand that the setting I need is under the "Subroutine Settings / Rename" button. The issue is when I try to modify this subroutine settings I keep getting this error message. I have attempted selecting a bunch of different things for the Gating Criteria but nothing works it always has same error message. Thanks for your help! I have also tried to use AD Auth as a test and I get a similar error saying that can't be found as well. Here is my Per-Request policy in case it might help figure out why I am getting this error.
Copy a branch of Per-request Policy
hi all! is there a way to copy a branch in a per request policy then paste it to another branch? i think that this can be done if the branch is already configured as a macro but in our scenario, all branches are configured manually. is there a way to do this or the only way is to configure it manually? Thank you.Where is the APM/SWG Assign URL Filter action?
Where is the APM/SWG Assign URL Filter action within the VPE for per-request policies? I have a URL filter defined, but all the manual says is "To put a URL filter into effect, you must assign it in a per-request policy. A per-request policy runs each time a URL request is made." I may be blind, but I'm not seeing URL Filter under the Assignments tab (or any other) when editing the per-request policy. (v12.1.1).
