apm session variable from part of uri...
Hey all, I have a problem I need to solve. We have an application that uses a mobile app, the app does authentication with apm(local sp/external idp) through one browser and then accesses the the backend server in another session.. and the apm is not aware of that second one so it gerenrates a new login which fails and the app cannot login. The app passes a identification value the the urls which the app uses.. I want to do the same. Does anyone know or have any tips on how i can catch part of the uri (sort of like this https://test.com/sessionid=1234-5678-9101) that contains the sessionid and apply it to a session variable? /Kim
Session size garbage after an AD query, can I remove them?
Hello community, I'm using our BigIP as an IDP and we have about 20 federations to date. They all share the same VP and iRule. One of the federations need to know, if somebody logs in and they are a manager, how many employees do they have. I have found that this generatea lot of session variables, and I worry that I will exhaust the cache. So I wonder if there is any way to discard these session variables or mark them as garbage orsomething, because while it might be okay with these leftovers for managers with five employees, it's not okay for managers with five hundred! I'm curious if there is any way to discard these variables to exclude from the session? This is what I do: I use the following LDAP filter to get all enabled users that has them in the manager attribute: (&(manager=CN=%{session.logon.last.username},OU=Users,OU=Organization,DC=Corp,DC=net)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) The filter works fine. To not make the query too expensive, I tried limiting the query to only the "c" attribute (country), which contains two letters only. However, dn is included and I can't change that, so I removed the "c" attribute. This generates session output like this: 9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn CN=Tobias Anderson,OU=Users,OU=Organization,DC=Corp,DC=net 9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.1 CN=Philippe Hudson,OU=Users,OU=Organization,DC=Corp,DC=net 9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.2 CN=Jonas Gabriel,OU=Users,OU=Organization,DC=Corp,DC=net 9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.3 CN=Ted Miles,OU=Users,OU=Organization,DC=Corp,DC=net 9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.4 CN=Lars Hedin,OU=Users,OU=Organization,DC=Corp,DC=net 9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.5 CN=Tomas Jeffrey,OU=Users,OU=Organization,DC=Corp,DC=net ... Now, I only care about how many employees they have, not who they are. As it stands now, we'll be populating a custom attribute in AD with this information instead, but I'm curious because we might end up with similar applications in the near future that may produce unwanted variables. Surely there must be some garbage collection functions or unset functions to tidy up our sessions? How would you guys implement this? Any ideas?
Adding variable to generic Message Box
I'm having issues with my AD Query. The AD Query agent expression is as such: expr { [mcget {session.ad.last.attr.memberOf}] contains "Test.40.Employee" && [mcget {session.ad.last.authresult}] == 1 } The AD Query isn't sending the user agents down the expected branch, so I'm trying to carry the defined variable into a generic message box to troubleshoot. In the generic message box, I added the below value: AD Query variable %{session.ad.last.attr.memberOf} However when I go through the VPE, the value is not displayed in the message box. Any help on where I'm going wrong?
APM :: Detecting IE 11
Ok I suck, I know. But why is this wrong? expr { [string tolower [mcget {session.user.agent}]] matches_regex {trident\/7.+rv\:11} } It never matches... even though my UA is: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko I'm using an empty branch rule with this as the 'advanced' script above. Always hits fallback (i.e. doesn't match).APM 12.1.2 EHF 271 OPSWAT Mac File Check Issues
I have an access policy that I'm having issues with. I had to update APM to 12.1.2 with engineering hotfix 271. When I updated it, OPSWAT v4 was installed inadvertently. As soon as it was installed, any user in my company with McAfee Endpoint Encryption v6.x could not get past the HD Encryption check. I ran the OESIS Diagnostic tool on their computers and it did not detect any HD Encryption software. Users that have Bitlocker work just fine. I was able to get around this by setting up a process check coming off of the fallback branch of the HD Encryption macro, and everything is fine for Safeboot/Endpoint Encryption 6.x users (about 1500). I have some other users with Mac OS 10.12.5 that are unable to pass the client check. This is a bug in the version of the OPSWAT SDK that is installed (4.2.1067.0). There's also an issue with Mac Endpoint Security 10.x. I was going to try to get around the issue for now by checking that the files exist for the endpoint encryption and the endpoint security processes. I put the files in a Mac file check but it is still failing to see them. The files are: /Library/Application Support/JAMF/JAMF.keychain for JAMF, and /Library/Application Support/JAMF/status.0 for Filevault. Does anyone out there with Mac experience have the ability to check to see if that is correct? The only thing I can think of is that it needs a ~ in front of /Library. If I remove the check altogether it works. The other issue Mac users are having is that they keep getting disconnected right when they log in. Their log files show this: 1106,1106,edge, 48, , 143, TunnelController, Tunnel Server, Connecting state 1106,1106,edge, 2, , 171, TunnelController, Disconnected state, Error code, Routing table cannot be patched 1106,1106,edge, 48, , 183, ConnectivityService, activeServices, Service is active, en5 1106,1106,edge, 48, , 183, ConnectivityService, activeServices, Service is active, en0 1106,1106,edge, 48, , 183, ConnectivityService, activeServices, Service is active, awdl0 1106,1106,edge, 48, , 84, DoRequest, DoRequest, cancel 1106,1106,edge, 48, , 165, TimerController, TimerController, Captive Network Not Detected 1106,1106,edge, 48, , 77, TimerController, Timer Controller, Activated 1106,1106,edge, 48, , 80, TimerController, Timer Controller, Timer Activated (interval: 10 secs) 1106,1106,edge, 48, , 124, TimerController, Timer Controller, Deactivated 1106,1106,edge, 48, , 330, SvpnHandler::StopSvpn, TunnelService, Cannot open pid file, svpn already closed Does anyone know why this would be happening? F5 support suggested adding a split tunnel entry of 0.0.0.0/0.0.0.0 to their network access profile, but I don't know if that will help.
APM VPE - Different branch rules depending on different IP Subnet Match via classmatch data group?
Hi there, we are trying to allow a specific Feature or progress only, when internal and specific other Source IP addresses which hit the VIP are in the list of "IP Subnet Match". As these are getting more and more and I would also like to include Comments, I need to use a data group instead. How can I say now in a Branch Rule, that it should do an Source IP address match this data group IP addresses instead of this "subnet match"? There might be some obvious ways to do that, but currently I have no idea. Maybe also an advanced expression in the branch rule using something like " if { [class match [IP::addr [IP::client_addr] equals source-ips] } { do something } Any ideas for this issue? Thanks in advance for your feedback! Best regards, FelixAPM VPE skip next item
I'm trying to configure an item to check client OS, if it is windows, linux, MacOS, then check AV if not continue normal to logon page how can I connect the 'Others' action as bellow to 'logon page' item? if I swap it then 'antivirus' successful action will be lost is there a solution for such an issue like this?
Is there a list of ALL possible APM session variables available?
Hi guys, I am wondering, is there a list of all possible APM session variables available somewhere? I realized that dumping session.* through VPE Logging box does not actually show all session variables, although one would expect that. Or, for example, dumping session.user.* does not display session.user.ipgeolocation.country_code in APM log file. It does so only when I explicitly define this variable in the VPE Logging box. There are few lists on the AskF5 website, but none of them looks to be complete, many variables I know of are missing in those lists. I am about to create some customized reporting based on session variables and I would like to know all variables I can work with. If you have any idea, please let me know. Thanks a lot!
