Dynamic ACLs and custom variables

Hi all,

I am trying to set up an APM policy with a dynamic ACL object. The manual (http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-implementations-11-6-0/2.html?sr=39977781) says that the source field for a Dynamic ACL object can either be a custom F5 ACL or a Cisco AV-Pair VSA value. My question is about the custom field.

My Active Directory does not have an attribute for the dynamic ACLs, so I can't provide an AD attribute name to the Dynamic ACL object. I would like to define the ACL strings in a datagroup, where the key is the AD group name and the value is the string representing the ACL in the F5-expected syntax. In my policy, I added an iRule event after the group membership check to look up the group name in the datagroup, then store the corresponding ACL string in an APM session variable (session.custom.MyACLList). Then, in the VPE, I set the source of the Dynamic ACL object to be the custom variable name. However, the policy doesn't seem to be acting on the ACL correctly; I can still get to all of my network resources when testing. Is it not possible to drive a dynamic ACL object from a custom variable?

Thanks, Jen



Just tested it successfully with a local user DB.

I set the user's group in an APM custom variable: session.localdb.myuser_group

I store my ACL in an APM custom variable: session.logon.last.myacl

Here is my iRule:

    when ACCESS_POLICY_AGENT_EVENT {
        # Username entered on the logon page
        set myuser [ACCESS::session data get session.logon.last.username]

        # Group name stored earlier in the policy (local user DB in this test)
        set user_group [ACCESS::session data get session.localdb.myuser_group]

        # Look the group name up in the datagroup; the element's value is the ACL string
        set myacl [class match -value $user_group equals datagroup_local_acl]
        log local0. "user: $myuser group $user_group"
        log local0. "user acl : $myacl"

        # Publish the ACL string in the session variable used as the Dynamic ACL source
        ACCESS::session data set session.logon.last.myacl $myacl
    }

Did you add some logging to check that only one group was coming back from AD? Have you created the Dynamic ACL object in the APM config?

Comments on this Reply
Comment made 02-Sep-2014 by dubdub
Hi Arnaud,

Thanks for your answer! I don't have any trouble setting the custom variable in the iRule. The issue is that after the iRule event is processed, and the custom variable has its value set, I have a Dynamic ACL object in the policy whose "Source" field is set to that custom variable. I verified the value is being set properly, but when I execute the policy, it seems the ACL is not being applied to my connection, and I can still get anywhere I want to (I am not limited by the ACL string I specified in the variable). I am not clear how the Dynamic ACL object is driving off the specified ACL string, if at all.

Thanks, Jen
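The following iRule is an added example (not Arnaud's or Jen's code) showing the variant the original question describes: the group comes from an AD query rather than a local user DB, so memberOf can carry several groups, and the ACL string is assembled from a datagroup lookup per group and written to session.custom.MyACLList. It assumes a datagroup named datagroup_ad_group_acl, an iRule event agent ID of "build_acl", that APM stores multi-valued AD attributes in session.ad.last.attr.memberOf separated by " | ", and that several ACL entries can be given one per line in the custom F5 syntax used in this thread; none of those names are on the page.

```tcl
# Added example, not from the original post. Builds the Dynamic ACL source
# string from an AD user's memberOf groups.
# Assumptions (not taken from the page): datagroup datagroup_ad_group_acl
# (key = AD group CN, value = one F5 ACL entry such as "{ allow tcp any any 10.1.2.3/32 443 }"),
# VPE iRule event agent ID "build_acl", and " | " as the separator between
# the values of a multi-valued AD attribute in the APM session variable.
when ACCESS_POLICY_AGENT_EVENT {
    # Act only on the iRule event agent placed after the AD query
    if { [ACCESS::policy agent_id] ne "build_acl" } { return }

    set username  [ACCESS::session data get session.logon.last.username]
    set member_of [ACCESS::session data get session.ad.last.attr.memberOf]

    set acl_entries    [list]
    set matched_groups [list]

    # memberOf holds one DN per group, e.g. "CN=VPN-Finance,OU=Groups,DC=example,DC=com";
    # take the CN of each DN and look it up in the datagroup
    foreach dn [split $member_of "|"] {
        set dn [string trim $dn]
        if { $dn eq "" } { continue }
        set cn [lindex [split [lindex [split $dn ","] 0] "="] 1]
        set entry [class match -value -- $cn equals datagroup_ad_group_acl]
        if { $entry ne "" } {
            lappend matched_groups $cn
            lappend acl_entries $entry
        }
    }

    # ACL entries are evaluated top down, so close with an explicit deny: a user
    # whose groups match nothing gets a reject-only ACL instead of an empty one
    lappend acl_entries "{ reject ip any any any any }"
    set acl_string [join $acl_entries "\n"]

    # Logging makes it easy to confirm how many groups matched, as Arnaud suggests
    log local0. "user $username matched [llength $matched_groups] group(s): $matched_groups"
    log local0. "user $username acl: $acl_string"

    # This is the variable named as the Source of the Dynamic ACL object in the VPE
    ACCESS::session data set session.custom.MyACLList $acl_string
}
```

After a test logon, the two log lines in /var/log/ltm show which groups matched and the exact string handed to the Dynamic ACL object, and session.assigned.dacl can then be compared against it with sessiondump.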

Do you see anything in /var/log/apm? Maybe you have a syntax error in the ACL. Can you try with the following one: { reject http any any http:/// }

You can also check with sessiondump in the CLI (or with the APM report tool via the GUI); the variable session.assigned.dacl should be populated.


Hi Arnaud,

Sorry for the delay in replying. I was just able to test again, and I see no errors in my apm log, and the session.assigned.dacl variable is correctly populated with my Dynamic ACL object and the ACL string I sent in from my iRule processing. The session.dynamic-acl.last.result value is set to 1. The problem is that I can't figure out how to enforce the ACL constraint that exists in the instance of this Dynamic ACL object into the subsequent policy flow. A Resource Assign object with network access and a basic webtop still allows me to get anywhere on the intranet I want to go, despite my Dynamic ACL object specifying that I have access to only one web site. Is there any documentation on what resource assignment objects must be specified and/or how they should be configured to work with a preceding Dynamic ACL object?

Thanks, Jen


Hi, nothing special in my policy. Could you post a qkview on iHealth so I can have a look at your policy?
