vpe
29 Topics

Sending HTML Emails via APM Email Action
Hi All, Is it possible at all to send HTML emails (so to include an image in the email body) via the APM policy by default? I see a few threads from years gone by where people were asking for this, but no solid answers. Alternatively, without having to write out the entire SMTP conversation and instead leveraging the email options on F5, is it possible to iRule this in its simplest form? Many thanks, JD
Solved | 1.3K Views | 0 likes | 3 Comments

RegEx on Landing URI
Hi everybody, I would like your precious help with a problem I have on F5 APM. My customer connects to their appliance through an SSO portal with a SAML server. My problem is: when a customer shares a URL with another, for example https://myurl.com/AaBbCcDdEeFfGgHhIiJj, and the other clicks on it, they face an F5 error page, despite already being logged in to SSO. The solution is to add the exact URL in VPE. This way, the customer accesses the page directly. As you can guess, it is very hard to maintain every URL in the F5 to avoid this problem. I am looking for a solution to add a landing URI like this: "https://myurl.com/*". But this solution doesn't work. If you have any idea, don't hesitate. I hope you will understand the description of my problem. Sorry for the English.
Solved | 700 Views | 0 likes | 3 Comments

APM VPE - Different branch rules depending on different IP Subnet Match via classmatch data group?
Hi there, we are trying to allow a specific feature or progress only when internal and specific other source IP addresses which hit the VIP are in the list of "IP Subnet Match". As these are getting more and more, and I would also like to include comments, I need to use a data group instead. How can I now say in a Branch Rule that it should do a source IP address match against this data group's IP addresses instead of this "subnet match"? There might be some obvious ways to do that, but currently I have no idea. Maybe also an advanced expression in the branch rule using something like:
if { [class match [IP::addr [IP::client_addr] equals source-ips] } { do something }
Any ideas for this issue? Thanks in advance for your feedback! Best regards, Felix
646 Views | 0 likes | 4 Comments

Is there a list of ALL possible APM session variables available?
Hi guys, I am wondering, is there a list of all possible APM session variables available somewhere? I realized that dumping session.* through VPE Logging box does not actually show all session variables, although one would expect that. Or, for example, dumping session.user.* does not display session.user.ipgeolocation.country_code in APM log file. It does so only when I explicitly define this variable in the VPE Logging box. There are few lists on the AskF5 website, but none of them looks to be complete, many variables I know of are missing in those lists. I am about to create some customized reporting based on session variables and I would like to know all variables I can work with. If you have any idea, please let me know. Thanks a lot!
558 Views | 0 likes | 3 Comments

APM VPE skip next item
I'm trying to configure an item to check the client OS: if it is Windows, Linux, or MacOS, then check AV; if not, continue as normal to the logon page. How can I connect the 'Others' action as below to the 'logon page' item? If I swap it, then the 'antivirus' successful action will be lost. Is there a solution for an issue like this?
Solved | 555 Views | 0 likes | 2 Comments

Session Variable names with special characters
Hi, I am trying to access a session variable in the Policy Editor and display it in a message box, but that variable name has special characters and it keeps showing the variable name instead of the value. I am using the following, which displays normally:
session.user.sessionid = %{session.user.sessionid}
session.saml.last.identity = %{session.saml.last.identity}
The one that has a problem is:
dataofbirth = %{session.saml.last.attr.name.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth}
I tried to escape the dots in schemas.xmlsoap.org using \ but it doesn't work. I also tried to escape the slashes and the colon and it doesn't work:
http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/dateofbirth
Any ideas? Or maybe guidance on how to access SAML session variables that hold the attribute values in general would be appreciated. Thanks a lot.
544 Views | 0 likes | 1 Comment

LTM+APM SSO only for designated Subnets
Hi, we have a problem. We have configured a virtual server with an access policy and NTLM-SSO. We use the authentication only for users of public subnets. If a user comes out of a private subnet we do not present a logon page, so that the user gets passed through and the browser takes the credentials out of the browser for SSO on the site (SharePoint in my case). This works, but for users where I don't have a logon page and an SSO mapping I get the error message in the APM log "Could not find SSO username, check SSO credential mapping agent setting". Also, depending on the client, up to 30! APM sessions are opened per client. So my question: How can I suppress this message and get only one session per client? Thanks for your answers, Martin
511 Views | 0 likes | 6 Comments

Use APM variable in redirect ending for VPE
Trying to clean up my VPE, would like to create a handful of macros and have minimal endings: allow, deny, redirect, etc. Is it possible for me to use a variable on a Redirect ending in the redirect URL box? Does it take TCL at all? I was hoping to just use a redirect to https://{[mcget {session.server.network.name}]} or something. Maybe tack on a URI variable also. Worst case scenario, I could use an iRule on ACCESS_ACL_DENIED if I'm not able to do this in VPE, correct? Any other events I should consider? Also, are there any limits on Macro calls in a VPE? Nested Macro calls? Not trying to do any loops or anything. Thank you.
499 Views | 0 likes | 2 Comments

LTM+APM SSO only for designated Subnets
Hi, we have a problem. We have configured a virtual server with an access policy and NTLM-SSO. We use the authentication only for users of public subnets. If a user comes out of a private subnet we do not present a logon page, so that the user gets passed through and the browser takes the credentials out of the browser for SSO on the site (SharePoint in my case). This works, but for users where I don't have a logon page and an SSO mapping I get the error message in the APM log "Could not find SSO username, check SSO credential mapping agent setting". Also, depending on the client, up to 30! APM sessions are opened per client. So my question: How can I suppress this message and get only one session per client? Thanks for your answers, Martin
497 Views | 0 likes | 6 Comments

APM 12.1.2 EHF 271 OPSWAT Mac File Check Issues
I have an access policy that I'm having issues with. I had to update APM to 12.1.2 with engineering hotfix 271. When I updated it, OPSWAT v4 was installed inadvertently. As soon as it was installed, any user in my company with McAfee Endpoint Encryption v6.x could not get past the HD Encryption check. I ran the OESIS Diagnostic tool on their computers and it did not detect any HD Encryption software. Users that have Bitlocker work just fine. I was able to get around this by setting up a process check coming off of the fallback branch of the HD Encryption macro, and everything is fine for Safeboot/Endpoint Encryption 6.x users (about 1500). I have some other users with Mac OS 10.12.5 that are unable to pass the client check. This is a bug in the version of the OPSWAT SDK that is installed (4.2.1067.0). There's also an issue with Mac Endpoint Security 10.x. I was going to try to get around the issue for now by checking that the files exist for the endpoint encryption and the endpoint security processes. I put the files in a Mac file check but it is still failing to see them. The files are: /Library/Application Support/JAMF/JAMF.keychain for JAMF, and /Library/Application Support/JAMF/status.0 for Filevault. Does anyone out there with Mac experience have the ability to check to see if that is correct? The only thing I can think of is that it needs a ~ in front of /Library. If I remove the check altogether it works. The other issue Mac users are having is that they keep getting disconnected right when they log in. 
Their log files show this:
1106,1106,edge, 48, , 143, TunnelController, Tunnel Server, Connecting state
1106,1106,edge, 2, , 171, TunnelController, Disconnected state, Error code, Routing table cannot be patched
1106,1106,edge, 48, , 183, ConnectivityService, activeServices, Service is active, en5
1106,1106,edge, 48, , 183, ConnectivityService, activeServices, Service is active, en0
1106,1106,edge, 48, , 183, ConnectivityService, activeServices, Service is active, awdl0
1106,1106,edge, 48, , 84, DoRequest, DoRequest, cancel
1106,1106,edge, 48, , 165, TimerController, TimerController, Captive Network Not Detected
1106,1106,edge, 48, , 77, TimerController, Timer Controller, Activated
1106,1106,edge, 48, , 80, TimerController, Timer Controller, Timer Activated (interval: 10 secs)
1106,1106,edge, 48, , 124, TimerController, Timer Controller, Deactivated
1106,1106,edge, 48, , 330, SvpnHandler::StopSvpn, TunnelService, Cannot open pid file, svpn already closed
Does anyone know why this would be happening? F5 support suggested adding a split tunnel entry of 0.0.0.0/0.0.0.0 to their network access profile, but I don't know if that will help.
461 Views | 0 likes | 1 Comment