Forum Discussion

Daniel_W__13795
Jun 19, 2018

APM with F5 Access - ACLs for https Endpoints with dynamic IPs

Hello, we are using F5 Access to connect from mobile devices (iOS/Android) using static L4 ACLs to restrict the destinations users can access. With changing IP addresses on the backend (e.g. AWS ALBs change their IPs as they want), this design doesn't work any more. Using L7 ACLs only helps for HTTP connections and doesn't work on HTTPS.

I tried attaching an iRule to the APM VS with ACCESS_ACL_DENIED (to do some magic stuff like DNS lookup and allow that request based on the DNS name), but I don't see that event triggered.

Does anybody have an idea how to solve that?

Thanks in advance.

2 Replies

  • Can you give more information?

    • Portal Access? Network Access? LTM-APM mode?
    • Are you redirected to the ACL deny page? If yes, the event ACCESS_ACL_DENIED may trigger.
  • Use the event ACCESS_POLICY_AGENT_EVENT instead of ACCESS_ACL_DENIED. Then call your method inside APM using the "iRule Event" box with the name of your method present in the iRule attached to the VS.

    Here below is an example of an iRule that can match your need to dynamically assign an L4 ACL for HTTP/HTTPS resources:

    when RULE_INIT {
        # DNS server queried by RESOLV::lookup below (placeholder address; set it to your resolver)
        set static::dns "192.0.2.53"
    }

    when ACCESS_POLICY_AGENT_EVENT {
        # Only act when the "iRule Event" box in the access policy carries this agent ID
        if { [ACCESS::policy agent_id] eq "set_dynamic_acl" } {
            # Hostname and scheme are expected to have been stored in session variables earlier in the policy
            set hostname [ACCESS::session data get session.custom.hostname]
            set protocol [ACCESS::session data get session.custom.protocol]
            # Resolve the name at session time and take the first A record
            set ip [lindex [RESOLV::lookup @$static::dns $hostname] 0]
            if { $protocol eq "http" } {
                ACCESS::session data set session.dyn_acl "{ allow tcp any $ip:80 }"
            }
            if { $protocol eq "https" } {
                ACCESS::session data set session.dyn_acl "{ allow tcp any $ip:443 }"
            }
        }
    }
    The variable "session.dyn_acl" created by this method must be used in a "Dynamic ACL" box after the iRule Event call.
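As an added example (not the reply author's code, and not part of the original thread), here is a variant of the iRule above that covers every A record the backend name resolves to, which matters for an AWS ALB that answers with several addresses, and that fails closed when the name does not resolve. The resolver address in static::dns is a placeholder, the -a flag of RESOLV::lookup, the "reject" entry and the ability to put several F5-format entries in one dynamic ACL variable are assumptions; the session variable names come from the reply.

```tcl
when RULE_INIT {
    # Placeholder resolver address (assumption): replace with the DNS server APM should query
    set static::dns "192.0.2.53"
}

when ACCESS_POLICY_AGENT_EVENT {
    # Triggered by the "iRule Event" box in the access policy with this agent ID
    if { [ACCESS::policy agent_id] ne "set_dynamic_acl" } { return }

    set hostname [ACCESS::session data get session.custom.hostname]
    set protocol [string tolower [ACCESS::session data get session.custom.protocol]]

    # Map the scheme to a destination port; any other value leads to the fail-closed branch
    switch -- $protocol {
        "http"  { set port 80 }
        "https" { set port 443 }
        default { set port "" }
    }

    # Ask for all A records (assumed -a flag); an ALB name usually returns more than one
    set ips [RESOLV::lookup @$static::dns -a $hostname]

    # Build one allow entry per resolved address, in the F5 ACL format used in the reply
    set acl ""
    if { $port ne "" } {
        foreach ip $ips {
            append acl "{ allow tcp any ${ip}:${port} }\n"
        }
    }

    # Fail closed: no resolvable address or unknown scheme means reject everything (assumed entry)
    if { $acl eq "" } {
        set acl "{ reject tcp any any }"
        log local0. "dyn_acl: no ACL could be built for '$hostname' ($protocol), rejecting all"
    }

    ACCESS::session data set session.dyn_acl $acl
}
```

The lookup runs once per session, so an address the ALB adopts after logon is not covered until the user reconnects; the ACL is also only as trustworthy as the resolver being queried, so point static::dns at an internal resolver you control.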