Logging Variables
I have an iRule which performs the following: 1. Read the contents of the XML through an XML profile 2. Sets the variable 'id' to $XML::values($I) 3. If the value equals an entry in the data group, sends the traffic to pool_A 4. Else, sends the traffic to pool_B 5. Logs the variable 'id' and the pool member the traffic was sent to This is the iRule: when XML_CONTENT_BASED_ROUTING { for {set i 0} { $i < $XML::count } {incr i} { set id $XML::values($i) if { ([matchclass $XML::values($i) equals DataGroup_by_Org])} { pool pool_A } else { pool pool_B } } } when LB_SELECTED { log local0. "3189: orgName $id sent to [LB::server addr]" } I am having an issue with the logging portion. When I look at the log entry, the variable can't be read. This is the entry in the logs: Dec 15 14:39:09 local/tmm1 err tmm1[21886]: 01220001:3: TCL error: Routing_by_Org - can't read "id": no such variable while executing "log local0. "3189: orgName $id sent to [LB::server addr]""
Custom session variable for filtered memberOf AD attribute
Can someone give me a pointer as to the best way to create a custom session variable that returns all AD groups that start with a certain string? I'm not sure if the best way to do it is with an LDAP query or with a TCL expression. We have some particular groups that all start with F5- and I'd like to only return those groups as a session variable.
Stop processing iRule by referencing a variable
I've set a variable in iRule named "stop_rule_processing" and its value is set to 1 if a particular iRule has a hit: priority 300 when HTTP_REQUEST { if { [string tolower [HTTP::path]] starts_with "/staging" } { if { !([matchclass [IP::client_addr] equals IP_private_access])} { log local0. "Source address [IP::client_addr] not from Private pool, session discarded" } { discard set stop_rule_processing 1 } } } The other iRule check if that variable is set to 1 and if it is i want to use "event disable" stop rule processing immediately: when HTTP_REQUEST { switch -glob [string tolower [HTTP::path]] { "/staging*" { log local0. "PreProd URL detected from [IP::client_addr] , sending to preprod pool" pool PL-staging-pool } "/production*" { log local0. "Prod URL detected [IP::client_addr] , sending to prod pool" pool PL-production-pool } } } However I don't know how to check that variable at the beginning of second rule. I've tried to use multiple syntax versions of "if" command but can't get the syntax right.
Is there a list of ALL possible APM session variables available?
Hi guys, I am wondering, is there a list of all possible APM session variables available somewhere? I realized that dumping session.* through VPE Logging box does not actually show all session variables, although one would expect that. Or, for example, dumping session.user.* does not display session.user.ipgeolocation.country_code in APM log file. It does so only when I explicitly define this variable in the VPE Logging box. There are few lists on the AskF5 website, but none of them looks to be complete, many variables I know of are missing in those lists. I am about to create some customized reporting based on session variables and I would like to know all variables I can work with. If you have any idea, please let me know. Thanks a lot!
APM Session Variable Not Being Cached
F5 Big-IP LTM 11.4.1 HF7, APM The objective was to create an access policy that inspects client certificates for a specific certificate and grant access to resources based on that inspection. I created an access policy that consisted of: * ClientOS rule - to ensure only iOS, Windows and MacOS devices are granted access * Client Inspection rule - to ensure the device is presenting an approved certificate * Logging rule - to log the client certificate Common Name value presented * Message Box rule - to show the end user the client certificate Common Name value presented Because the default Client Inspection rule only checks whether the client certificate is 'valid' I updated the expression syntax to read: expr { [mcget {session.ssl.cert.cn}] =="clientcertcommonname"} There is no issue with the ClientOS rule however the Client Inspection rule fails. Additionally the Logging and Message Box rules do not show the client certificate Common Name value. The Logging rule expression syntax is: Your session client cert Common Name is %{session.ssl.cert.cn}. The Message Box rule expression syntax is: Your session client cert Common Name is %{session.ssl.cert.cn}. I believe the issue is that the session variable session.ssl.cert.cn is not capturing the client certificate Common Name value but I don't know why. Any suggestions/recommendations will be appreciated. Thanks.
SAML session variables in APM: how to dump them?
Hello, I need to print a list of all APM Session variables related to SAML as IdP. I have a working configured APM as an IdP and at some point I would like to access the content of the variable session.saml.last.assertion. How to I access all the variable? Thanks PaoloSWG iRule reading session variable
We are using Secure Web Gateway as a forward proxy server. One of the iRules we have in place is passing data to another iRule via the Query String in the URL, which is causing problems. I'm trying to change this so that the variables we need to send are saved in session variables instead, but have only had partial success, I was hoping someone could shed some light on where I'm going wrong. The first iRule is successfully storing the data into session variables: set host [HTTP::host] set uri [HTTP::uri] if {[ACCESS::session data get session.custom.initialhost] != "$host"} { ACCESS::session data set session.custom.initialhost "$host" ACCESS::session data set session.custom.initialurl "$uri" } But the second iRule doesn't seem to be reading the data from these variables. I changed the lines: set uri_list [split [HTTP::uri] &] set new_uri [join [lrange $uri_list 3 end] "/"] set full_redirect "[lindex $uri_list 1]://[lindex $uri_list 2]/$new_uri" HTTP::redirect "$full_redirect" to set uri_list [split [HTTP::uri] &] set new_uri [join [lrange $uri_list 3 end] "/"] set full_redirect "[ACCESS::session data get server.network.protocol]://[ACCESS::session data get session.custom.initialhost][ACCESS::session data get session.custom.initialurl]" HTTP::redirect "$full_redirect" but it doesn't seem to have made any difference, the second iRule is still using the variables from the Query String rather than the session variables. I had planned to tidy up the now unnecessary lines of code (i.e. to read the Query String data) after confirming the rule was working as expected. To troubleshoot, I did remove the extra lines including changing the first rule to not add the values to the Query String. The second iRule just behaved as if it had been passed blank variables. I even attempted to add extra plain text to the end of the set full_redirect string, but it didn't appear, almost as if the changes to the iRule hadn't been saved. Is there something wrong with my code, or is there something wrong on the F5 causing it to fail to read the variables, or to execute the old (cached?) version of the iRule instead? Many thanksComparison with PHP Session Variable
Hi I have created a custom login screen and need the screen layout to be different depending on the URI. To do this I have created a PHP variable and set it to '%{session.server.landinguri}' Based on this variable I want to build the logic to display the relevant screen design. In theory this should work but the variable does not convert to a string. If I echo the variable, it outputs the correct uri but if you try to do a comparison or any string function on the variable it does not work. For example: if I have the following url: http://test.com/a $t = '%{session.server.landinguri}'; echo $t; The output is /a which is correct By this logic the following code should output /a if ($t == '/a') { echo "URI = /a"; } else { echo "error"; } But it does not output /a Another example is : $t = '%{session.server.landinguri}'; $t2 = substr($t, 1); echo $t; echo $t2; This should output : /a a but it outputs : /a {session.server.landinguri} I have searched the forums and found a similar post. The solution was to use javascript and not PHP. Unfortunately for this problem I need to use PHP and not Javascript. If you have any suggestions on how to handle the URI or to make use of session variables to build the logic it would be appreciated. Thanks
Session size garbage after an AD query, can I remove them?
Hello community, I'm using our BigIP as an IDP and we have about 20 federations to date. They all share the same VP and iRule. One of the federations need to know, if somebody logs in and they are a manager, how many employees do they have. I have found that this generatea lot of session variables, and I worry that I will exhaust the cache. So I wonder if there is any way to discard these session variables or mark them as garbage orsomething, because while it might be okay with these leftovers for managers with five employees, it's not okay for managers with five hundred! I'm curious if there is any way to discard these variables to exclude from the session? This is what I do: I use the following LDAP filter to get all enabled users that has them in the manager attribute: (&(manager=CN=%{session.logon.last.username},OU=Users,OU=Organization,DC=Corp,DC=net)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) The filter works fine. To not make the query too expensive, I tried limiting the query to only the "c" attribute (country), which contains two letters only. However, dn is included and I can't change that, so I removed the "c" attribute. This generates session output like this: 9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn CN=Tobias Anderson,OU=Users,OU=Organization,DC=Corp,DC=net 9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.1 CN=Philippe Hudson,OU=Users,OU=Organization,DC=Corp,DC=net 9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.2 CN=Jonas Gabriel,OU=Users,OU=Organization,DC=Corp,DC=net 9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.3 CN=Ted Miles,OU=Users,OU=Organization,DC=Corp,DC=net 9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.4 CN=Lars Hedin,OU=Users,OU=Organization,DC=Corp,DC=net 9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.5 CN=Tomas Jeffrey,OU=Users,OU=Organization,DC=Corp,DC=net ... Now, I only care about how many employees they have, not who they are. As it stands now, we'll be populating a custom attribute in AD with this information instead, but I'm curious because we might end up with similar applications in the near future that may produce unwanted variables. Surely there must be some garbage collection functions or unset functions to tidy up our sessions? How would you guys implement this? Any ideas?APM version 12 (12.1.1) Session Variables
Im having trouble finding some detailed documentation about session variables pertaining to version 12. Example for version 10: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_sessionvars.html Closest thing I have found for version 12.1.1: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-visual-policy-editor-12-1-0/6.html Specifically, what I would like to know more about are the AV checks and the various session variables and their detailed explanations of what each variable is used for and their possible return values. Has anyone ever come across a document for this type of thing?