session variables
14 Topics

Logging Variables

I have an iRule which performs the following:

1. Read the contents of the XML through an XML profile
2. Sets the variable 'id' to $XML::values($i)
3. If the value equals an entry in the data group, sends the traffic to pool_A
4. Else, sends the traffic to pool_B
5. Logs the variable 'id' and the pool member the traffic was sent to

This is the iRule:

    when XML_CONTENT_BASED_ROUTING {
        for {set i 0} { $i < $XML::count } {incr i} {
            set id $XML::values($i)
            if { ([matchclass $XML::values($i) equals DataGroup_by_Org]) } {
                pool pool_A
            } else {
                pool pool_B
            }
        }
    }
    when LB_SELECTED {
        log local0. "3189: orgName $id sent to [LB::server addr]"
    }

I am having an issue with the logging portion. When I look at the log entry, the variable can't be read. This is the entry in the logs:

    Dec 15 14:39:09 local/tmm1 err tmm1[21886]: 01220001:3: TCL error: Routing_by_Org - can't read "id": no such variable while executing "log local0. "3189: orgName $id sent to [LB::server addr]""

APM Cookbook: Dynamic APM Variables
Introduction

In this article we’ll discuss how to set a variable dynamically. The most common use case is setting something like a role attribute to use in SAML. We’ll use the example of setting a SAML attribute named “role” based on group membership. You need to set the value of “role” to either “managers”, “finance”, or “users”, depending on group membership. The trick is that you can only send one value even if the user is a member of multiple groups. You have a hierarchical preference: first “managers”, then “finance”, and everyone else gets the role “users”.

You could do this in an iRule or in a TCL expression in the Variable Assign object. However, I like to leverage the Visual Policy Editor GUI wherever possible so that I can quickly examine a policy flow and determine what’s happening without reading code, and most importantly, so that those who come after me don’t have to decipher what I was doing.

Macros Are Your Friend

We’ll assume you’ve already got a policy with a logon page, AD Auth, AD Query, and resource assignment for the SAML resource. We will create a macro named “Role Variable Setting” to perform this action after the AD Query. It goes after the AD Query because first we need to collect the group information. Here’s what the policy will look like with the piece we’re adding.

We want to create our flow in a macro because otherwise it could clutter up the policy itself; imagine twenty different conditions and all the branches you'd have. The macro can have all those branches exit to one place, making it all much cleaner and simpler to maintain. To create the macro you click “Add New Macro” inside the Visual Policy Editor (VPE). You should use the “empty template” and name it something relevant to you; I’ve obviously named mine “Role Variable Setting”. After building it out, here’s what my macro looks like when completed.

Setting the Conditions

We will start by building this section of the macro. First I added an “empty” object from the general purpose tab. I named it “Empty (Group Check)”. Go to the Branch Rules tab and add rules as appropriate. Below is my complete macro. Notice the arrows on the right hand side of the branch rules list: you can reorder for preference, with the most preferred at the top. Remember how we said preference went to the managers role, then finance, and finally everyone else (fallback).

Your branch rules could be based on conditions like geolocation, landing URI, and many more. You can also go to the Advanced tab and modify the TCL expression to meet your needs if the simple GUI builder doesn’t meet them. The branch rule will be used if it resolves to “true”, and you can create complex logical statements with AND/OR even using the GUI.

To build those branch rules I went into the Empty object and selected the Branch Rules tab. Then Add Branch Rule, selected the Simple tab, Add Expression, then AD Query, then User is a Member Of and entered the full DN path as you can see here, then Add Expression and Finished. This uses the data from our AD Query earlier in the policy flow.

Setting the Variable

Now we have three branches out of the Empty object and need to do something on them. We'll be building this section of the macro now. On each branch I added a Variable Assign from the Assignment tab to set my custom variable. Here’s what it looks like inside the Variable Assign objects. I got that by clicking Add New Entry and then inputting the values as you can see below. Now that I have my macro complete, all I need to do is add it from the Macros tab into the policy after the AD Query.

Using the Variable

Now to use that dynamically set variable I simply need to call %{session.custom.role} within APM, or if I need it in an iRule I can use [ACCESS::session data get session.custom.role], or if I need it in a TCL expression such as a branch rule I can use [mcget {session.custom.role}]. Here is an example where I’m using it as the value for a SAML attribute named “role”.

Custom session variable for filtered memberOf AD attribute
Can someone give me a pointer as to the best way to create a custom session variable that returns all AD groups that start with a certain string? I'm not sure if the best way to do it is with an LDAP query or with a TCL expression. We have some particular groups that all start with F5- and I'd like to only return those groups as a session variable.

Stop processing iRule by referencing a variable
I've set a variable in an iRule named "stop_rule_processing" and its value is set to 1 if a particular iRule has a hit:

    priority 300
    when HTTP_REQUEST {
        if { [string tolower [HTTP::path]] starts_with "/staging" } {
            if { !([matchclass [IP::client_addr] equals IP_private_access]) } {
                log local0. "Source address [IP::client_addr] not from Private pool, session discarded"
                discard
                set stop_rule_processing 1
            }
        }
    }

The other iRule checks if that variable is set to 1, and if it is I want to use "event disable" to stop rule processing immediately:

    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::path]] {
            "/staging*" {
                log local0. "PreProd URL detected from [IP::client_addr] , sending to preprod pool"
                pool PL-staging-pool
            }
            "/production*" {
                log local0. "Prod URL detected [IP::client_addr] , sending to prod pool"
                pool PL-production-pool
            }
        }
    }

However I don't know how to check that variable at the beginning of the second rule. I've tried to use multiple syntax versions of the "if" command but can't get the syntax right.

Is there a list of ALL possible APM session variables available?
Hi guys, I am wondering, is there a list of all possible APM session variables available somewhere? I realized that dumping session.* through the VPE Logging box does not actually show all session variables, although one would expect that. Or, for example, dumping session.user.* does not display session.user.ipgeolocation.country_code in the APM log file. It does so only when I explicitly define this variable in the VPE Logging box. There are a few lists on the AskF5 website, but none of them looks to be complete; many variables I know of are missing from those lists. I am about to create some customized reporting based on session variables and I would like to know all the variables I can work with. If you have any idea, please let me know. Thanks a lot!

APM Session Variable Not Being Cached
F5 Big-IP LTM 11.4.1 HF7, APM

The objective was to create an access policy that inspects client certificates for a specific certificate and grants access to resources based on that inspection. I created an access policy that consisted of:

* ClientOS rule - to ensure only iOS, Windows and MacOS devices are granted access
* Client Inspection rule - to ensure the device is presenting an approved certificate
* Logging rule - to log the client certificate Common Name value presented
* Message Box rule - to show the end user the client certificate Common Name value presented

Because the default Client Inspection rule only checks whether the client certificate is 'valid', I updated the expression syntax to read:

    expr { [mcget {session.ssl.cert.cn}] == "clientcertcommonname" }

There is no issue with the ClientOS rule; however, the Client Inspection rule fails. Additionally the Logging and Message Box rules do not show the client certificate Common Name value. The Logging rule expression syntax is:

    Your session client cert Common Name is %{session.ssl.cert.cn}.

The Message Box rule expression syntax is:

    Your session client cert Common Name is %{session.ssl.cert.cn}.

I believe the issue is that the session variable session.ssl.cert.cn is not capturing the client certificate Common Name value but I don't know why. Any suggestions/recommendations will be appreciated. Thanks.

SAML session variables in APM: how to dump them?
Hello, I need to print a list of all APM session variables related to SAML as IdP. I have a working configured APM as an IdP and at some point I would like to access the content of the variable session.saml.last.assertion. How do I access all the variables? Thanks, Paolo

SWG iRule reading session variable
We are using Secure Web Gateway as a forward proxy server. One of the iRules we have in place is passing data to another iRule via the Query String in the URL, which is causing problems. I'm trying to change this so that the variables we need to send are saved in session variables instead, but have only had partial success. I was hoping someone could shed some light on where I'm going wrong.

The first iRule is successfully storing the data into session variables:

    set host [HTTP::host]
    set uri [HTTP::uri]
    if { [ACCESS::session data get session.custom.initialhost] != "$host" } {
        ACCESS::session data set session.custom.initialhost "$host"
        ACCESS::session data set session.custom.initialurl "$uri"
    }

But the second iRule doesn't seem to be reading the data from these variables. I changed the lines:

    set uri_list [split [HTTP::uri] &]
    set new_uri [join [lrange $uri_list 3 end] "/"]
    set full_redirect "[lindex $uri_list 1]://[lindex $uri_list 2]/$new_uri"
    HTTP::redirect "$full_redirect"

to

    set uri_list [split [HTTP::uri] &]
    set new_uri [join [lrange $uri_list 3 end] "/"]
    set full_redirect "[ACCESS::session data get server.network.protocol]://[ACCESS::session data get session.custom.initialhost][ACCESS::session data get session.custom.initialurl]"
    HTTP::redirect "$full_redirect"

but it doesn't seem to have made any difference; the second iRule is still using the variables from the Query String rather than the session variables. I had planned to tidy up the now unnecessary lines of code (i.e. to read the Query String data) after confirming the rule was working as expected. To troubleshoot, I did remove the extra lines, including changing the first rule to not add the values to the Query String. The second iRule just behaved as if it had been passed blank variables. I even attempted to add extra plain text to the end of the set full_redirect string, but it didn't appear, almost as if the changes to the iRule hadn't been saved.

Is there something wrong with my code, or is there something wrong on the F5 causing it to fail to read the variables, or to execute the old (cached?) version of the iRule instead? Many thanks

Comparison with PHP Session Variable
Hi, I have created a custom login screen and need the screen layout to be different depending on the URI. To do this I have created a PHP variable and set it to '%{session.server.landinguri}'. Based on this variable I want to build the logic to display the relevant screen design. In theory this should work but the variable does not convert to a string. If I echo the variable, it outputs the correct URI, but if you try to do a comparison or any string function on the variable it does not work.

For example, if I have the following URL: http://test.com/a

    $t = '%{session.server.landinguri}';
    echo $t;

The output is /a which is correct. By this logic the following code should output /a:

    if ($t == '/a') {
        echo "URI = /a";
    } else {
        echo "error";
    }

But it does not output /a. Another example is:

    $t = '%{session.server.landinguri}';
    $t2 = substr($t, 1);
    echo $t;
    echo $t2;

This should output:

    /a
    a

but it outputs:

    /a
    {session.server.landinguri}

I have searched the forums and found a similar post. The solution was to use Javascript and not PHP. Unfortunately for this problem I need to use PHP and not Javascript. If you have any suggestions on how to handle the URI or to make use of session variables to build the logic it would be appreciated. Thanks

Session size garbage after an AD query, can I remove them?
Hello community, I'm using our BigIP as an IDP and we have about 20 federations to date. They all share the same VP and iRule. One of the federations needs to know, if somebody logs in and they are a manager, how many employees they have. I have found that this generates a lot of session variables, and I worry that I will exhaust the cache. So I wonder if there is any way to discard these session variables or mark them as garbage or something, because while it might be okay with these leftovers for managers with five employees, it's not okay for managers with five hundred! I'm curious if there is any way to discard these variables to exclude them from the session?

This is what I do: I use the following LDAP filter to get all enabled users that have them in the manager attribute:

    (&(manager=CN=%{session.logon.last.username},OU=Users,OU=Organization,DC=Corp,DC=net)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

The filter works fine. To not make the query too expensive, I tried limiting the query to only the "c" attribute (country), which contains two letters only. However, dn is included and I can't change that, so I removed the "c" attribute.

This generates session output like this:

    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn CN=Tobias Anderson,OU=Users,OU=Organization,DC=Corp,DC=net
    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.1 CN=Philippe Hudson,OU=Users,OU=Organization,DC=Corp,DC=net
    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.2 CN=Jonas Gabriel,OU=Users,OU=Organization,DC=Corp,DC=net
    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.3 CN=Ted Miles,OU=Users,OU=Organization,DC=Corp,DC=net
    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.4 CN=Lars Hedin,OU=Users,OU=Organization,DC=Corp,DC=net
    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.5 CN=Tomas Jeffrey,OU=Users,OU=Organization,DC=Corp,DC=net
    ...

Now, I only care about how many employees they have, not who they are. As it stands now, we'll be populating a custom attribute in AD with this information instead, but I'm curious because we might end up with similar applications in the near future that may produce unwanted variables. Surely there must be some garbage collection functions or unset functions to tidy up our sessions? How would you guys implement this? Any ideas?