Forum Discussion

henry_kay_36032
Jun 24, 2014

AFM rules filtering based on Active Directory Grouping

Hi all,

I was posed with this question a few days ago. In AFM, we are able to do firewall rules based on VS. Then there is this question: if I wanted to do an AFM policy based on AD grouping, can we do that?

I noticed that when you create the rules for AFM, there is an option to insert an iRule. So technically, we should be able to create an ACL that uses the iRule to do an AD query for the group.

However, I searched through the iRules wiki and couldn't find any syntax that allows checking of AD grouping in iRules. I would appreciate it if anyone could point me in the right direction.

3 Replies

  • The basic problem here is the difference between OSI layers 4 and 7. AFM generally operates at layer 4, while any sort of authentication (i.e. AD group information) is going to be queried for/obtained/processed in layer 7. In other words, by the time you've queried AD, an AFM policy has already allowed the traffic to pass. Now you could create a block on subsequent requests, based on AD query status, but you'd have to let the first few L7 transactions happen.

  • Hi Kelvin, thanks for the reply. Yep, I do realize the fundamental problem of this request.

    If we approach this with an iRule in a VS, after the AD check, forward it to another VS with the AFM rules in it.

    Do you think this is possible? Or I should say practical.
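    One way to sketch the two-VS approach described in the reply above, as an added iRule example that is not from the thread or from F5: it assumes APM is provisioned on the front-end virtual server and that its access policy runs an AD Query (which populates session.ad.last.attr.memberOf); the group name and the name of the second, AFM-protected virtual server are placeholders, and the AFM policy itself still only sees the connection once it has been handed over.

    ```tcl
    # Added example, not from the original thread. Assumes an APM access policy
    # with an AD Query has already run on this virtual server. The group DN
    # fragment and the target VS name below are placeholders.
    when ACCESS_POLICY_COMPLETED {
        # memberOf is returned as a |-delimited list of group DNs
        set groups [ACCESS::session data get "session.ad.last.attr.memberOf"]
        if { [string match -nocase "*CN=afm-allowed-users,*" $groups] } {
            # remember the decision in the APM session so HTTP_REQUEST can act on it
            ACCESS::session data set "session.custom.afm_target" "/Common/vs_afm_protected"
        } else {
            ACCESS::session data set "session.custom.afm_target" ""
        }
    }

    when HTTP_REQUEST {
        set target [ACCESS::session data get "session.custom.afm_target"]
        if { $target ne "" } {
            # hand the request to the second VS; the AFM policy attached there
            # evaluates it as a new L4 flow, so group membership gates entry to it
            virtual $target
        } else {
            log local0. "AD group check failed for [IP::client_addr], request rejected"
            reject
        }
    }
    ```

    The AD lookup itself still happens at layer 7, so this only narrows which traffic ever reaches the AFM-protected VS; it does not turn group membership into a native L4 AFM match condition.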


  • Thanks Kelvin, for pointing me in the right direction. The solution that you provided should serve what I am aiming to achieve.

    Really grateful for it. :)