
Update packet filter rule from icall

My Use Case: We have a proxy client installed on our laptops that performs a captive portal test before it will initiate a connection with a proxy server within its list. The test tries to reach out to 2 URLs and if this test succeeds it will try to connect to a proxy server on its list. If the 1st test fails by receiving a reset packet from a firewall, it marks itself as behind a firewall and will initiate a connection with a proxy server on its list.

Going through F5 SSL-VPN using edge client is causing the client to fail (never connect to a proxy server) because APM is performing a 3-way handshake to proxy the traffic then forwarding the firewall reset packet. So instead of just sending a SYN packet and receiving a reset packet it gets a SYN, SYN-ACK, ACK, RST. The client thinks it's connecting and is expecting the 1st test to complete, but it never does.

The only way around this was to enable Packet Filters on the SSL-VPN VLAN to issue resets for the 2 hosts it is trying to reach out to. The problem now is these systems are hosted through Akamai and the IP addresses change. Even though you can specify host names in the packet filters, it will resolve the name to an IP when applying the rule and keep it; it never refreshes the IP address.

So I want to create an icall script and handler to detect when someone connects to the SSL-VPN VS and reapply the packet filter to refresh the IP Address. This way we don't have to keep manually reapplying the packet filters.

I can create the icall script but I don't know how to trigger it upon a connection.

My alternative would be to set up a timer handler to reapply the packet filter every hour, but that may not work 100% of the time.

PS We cannot leverage a VS to perform a reset because once you are in the VPN tunnel all other VS are unavailable.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Ryan,

you could try the iRule below...

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/myvpn?sess=" } then {
        ISTATS::set "VPN_Client_Is_Connecting" 1
    }
}

... in combination with an ISTATS based iCall trigger ...

https://devcentral.f5.com/articles/icall-triggers-invalidating-cache-from-irules

Note: Keep in mind that the iRule event should implement certain request limiters, so that just every few seconds the iCall script can be launched (e.g. setting/checking a [table] entry with rather short lifetimes).

Cheers, Kai

Comments on this Answer
Comment made 30-Aug-2016 by RyanSch

Kai,

Thanks for the quick reply. This is exactly what I was looking for. I will look into limiting the rate.

Once I have something that is functional, I'll update this thread for analysis.

Kind regards,

Ryan

Comment made 31-Aug-2016 by RyanSch

It's working. The only thing missing is a rate limiter, but I'm not sure I need it. The way it works is it triggers a packet filter update on every connection to the Virtual Server hosting the VPN for laptops.

Here is the iCall setup.

Script:

(tmos.sys.icall.script)# edit Packet_Filter_script

modify script Packet_Filter_script {
    app-service none
    definition {
        tmsh::log "iCall Script: Begin Apply packet-filters"
        exec tmsh modify /net packet-filter Reject-1 vlan vpn_vlan action reject order 1 rule "( dst host xxx.domain1.com ) and ( dst port 80 )" description "Reject xxx.domain1.com"
        exec tmsh modify /net packet-filter Reject-2 vlan vpn_vlan action reject order 2 rule "( dst host xxx.domain2.com ) and ( dst port 80 )" description "Reject www.domain2.com"
        tmsh::log "iCall Script: Apply Packet Filters for Captive Portal Test Complete."
        tmsh::log "iCall Script: Begin Removal of istat Key"
        exec istats remove "XX policy string Client_Connected"
        tmsh::log "iCall Script: Removal of istat Key Complete"
    }
    description none
    events none
}

Trigger:

(tmos.sys.icall.istats-trigger)# edit Packet_Filter_trigger

sys icall istats-trigger Packet_Filter_trigger {
    event-name UpdateFilter
    istats-key "XX policy string Client_Connected"
}

Handler:

(tmos.sys.icall.handler)# edit triggered Packet_Filter_handler

sys icall handler triggered Packet_Filter_handler {
    script Packet_Filter_script
    subscriptions add {
        messages {
            event-name UpdateFilter
        }
    }
}

iRule Setup:

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/myvpn?sess=" } then {
        ISTATS::set "XX policy string Client_Connected" 1
    }
}

Please let me know your thoughts.

Kind regards,

Ryan

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Ryan,

glad to hear that the ISTATS/iCall approach is working out for you.

A request limiter should be implemented because the "/myvpn?sess=" ISTATS-trigger is anonymously accessible. But it's not a big deal to implement such a request limiter.

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/myvpn?sess=" } then {
        if { [table lookup "XX policy string Client_Connected"] eq "" } then {
            table set "XX policy string Client_Connected" "1" indefinite 5
            ISTATS::set "XX policy string Client_Connected" 1
        }
    }
}

Note: The above example will limit the execution of the iCall script to a maximum of every 5 seconds.

Cheers, Kai

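The table-based limiter in the answer above, modelled in Python so its effect on control-plane load can be counted before and after (an added example, not iRule code from this thread; the session-table class, the request timestamps and the URI value are constructed stand-ins):

```python
"""Model of the table-based limiter in Kai's iRule (added example, not code from the thread).

`table set ... indefinite 5` creates an entry with no idle timeout and a fixed
5-second lifetime, and ISTATS::set runs only while no entry exists. The model
counts how often the iCall script (which spawns tmsh) would start for a
constructed stream of request timestamps, with and without the limiter.
"""
from typing import Dict, Iterable

TABLE_KEY = "XX policy string Client_Connected"
LIFETIME_S = 5.0  # the "indefinite 5" arguments in the iRule


class SessionTable:
    """Minimal stand-in for the iRule session table: key -> absolute expiry time."""
    def __init__(self) -> None:
        self._expiry: Dict[str, float] = {}

    def lookup(self, key: str, now: float) -> str:
        exp = self._expiry.get(key)
        # A lifetime ends at a fixed time; lookups never extend it (unlike an idle timeout)
        if exp is None or now >= exp:
            self._expiry.pop(key, None)
            return ""
        return "1"

    def set(self, key: str, now: float, lifetime: float) -> None:
        self._expiry[key] = now + lifetime


def handle_request(uri: str, now: float, table: SessionTable, limited: bool) -> bool:
    """Return True when this request would raise the ISTATS trigger and so run tmsh."""
    if not uri.startswith("/myvpn?sess="):
        return False
    if limited:
        if table.lookup(TABLE_KEY, now) != "":
            return False  # entry still alive: swallow the request
        table.set(TABLE_KEY, now, LIFETIME_S)
    return True


def count_triggers(timestamps: Iterable[float], limited: bool) -> int:
    """Number of iCall launches for requests to /myvpn?sess= at the given times."""
    table = SessionTable()
    return sum(handle_request("/myvpn?sess=abc", t, table, limited) for t in timestamps)


# Constructed sample: 200 anonymous hits within 2 s, then one real login at t=30 s
BURST = [i * 0.01 for i in range(200)] + [30.0]
print("tmsh runs without limiter:", count_triggers(BURST, False))  # 201
print("tmsh runs with limiter:   ", count_triggers(BURST, True))   # 2
```

Because the entry has a lifetime rather than an idle timeout, a steady stream of requests cannot keep the entry alive indefinitely: the script still runs once per 5 seconds, so a genuine login is delayed by at most that window.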