Chaddd
Dec 20, 2018

Use iRule variable in Access Policy

I'm setting the XFF header address in a variable in an iRule. I know that piece is working because when I send it to the log I see it there successfully.

 

I'd like to use my variable in an access policy. For example, as I'm going through the flow if my XFF variable = 10.10.10.10 then do this, if not then follow this path.

 

I'm trying to use an mcget but I'm really not getting this. Can anyone explain how I would do this?

 

Thank you!

 

3 Replies

  • Hi Guy,

    Add an iRule Event (setXFF), then use the following iRule:
    when ACCESS_POLICY_AGENT_EVENT {
        if { [ACCESS::policy agent_id] eq "setXFF" } {
            # Copy the request's X-Forwarded-For header into the access session
            ACCESS::session data set session.custom.XFF [HTTP::header X-Forwarded-For]
        }
    }
    

    Then you can use session.custom.XFF anywhere in your flow.

  • Hello Chad,

     

    There are a couple of different ways to use iRules and variables in APM, as you can see here. Personally I like to use Access Policy Agent Events, which can be placed from the VPE. ACCESS_POLICY_AGENT_EVENTs are under the General Purpose tab. Place it wherever you want in your VPE flow, and give it a unique id.

     

    iRules can then be triggered by these Events with a simple 'if' statement.

    # <id> is a placeholder for the unique id given to the agent in the VPE
    if { [ACCESS::policy agent_id] eq "<id>" } {
        # insert your code
    }

    I don't know how your iRule works, but you have a couple of choices for creating a variable. The simplest solution would probably be to create a new iRule which triggers whenever a new Access Session is created, by using the following:

    when ACCESS_SESSION_STARTED {
        # insert your code here
    }

    To create a variable that your access policy can reference, you can do this:

     

    # <variable> and <value> are placeholders
    ACCESS::session data set session.temp.<variable> <value>

    Feel free to slide that line into any iRule you have, but remember that an Access Session must have been created before the variable is set or it will not work. Based on some simple logging I did, I know an HTTP_REQUEST event occurs before a session is created, so keep that in mind. I don't know the specifics on how you are using your XFF iRule, but once your session is created the source address is actually already saved as a variable in APM, which you can reference with:

     

    session.user.clientip

    Feel free to ask if you have any follow-up questions,

     

    Austin

     

  • You can’t read an iRule variable from APM, but you can set an access session variable from an iRule...

    when ACCESS_SESSION_STARTED {
        # $xff is the variable already set elsewhere in the iRule
        ACCESS::session data set session.custom.XFF $xff
    }
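
The approach from the replies, put together with the `mcget` branch test the question asks about, as an added example that is not part of any reply in the thread. It assumes a VPE iRule Event agent with id `setXFF` and that the proxy directly in front of the virtual server appends the address it saw to X-Forwarded-For; the `invalid` marker value is constructed for the example.

```tcl
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "setXFF" } {
        # X-Forwarded-For is supplied by the client and may hold a
        # comma-separated chain, so do not store the raw header.
        set raw [HTTP::header X-Forwarded-For]

        # Assumption: only the last entry was written by a proxy we operate.
        set candidate [string trim [lindex [split $raw ","] end]]

        # Accept exactly four decimal octets (max three digits each) with no
        # trailing characters. %c only matches if something follows the
        # fourth octet, so a clean address yields 4 conversions.
        if { [scan $candidate {%3d.%3d.%3d.%3d%c} a b c d extra] == 4
             && $a >= 0 && $a <= 255 && $b >= 0 && $b <= 255
             && $c >= 0 && $c <= 255 && $d >= 0 && $d <= 255 } {
            # Store the canonical form so the policy compares like with like.
            ACCESS::session data set session.custom.XFF "$a.$b.$c.$d"
        } else {
            # Missing or malformed header: store a fixed marker (constructed
            # for this example) so the branch below falls through.
            ACCESS::session data set session.custom.XFF "invalid"
            log local0. "setXFF: no usable X-Forwarded-For entry"
        }
    }
}

# Branch rule expression for a branch leaving the iRule Event agent in the
# VPE (entered in the branch rule's advanced editor, not in the iRule):
#   expr { [mcget {session.custom.XFF}] eq "10.10.10.10" }
```

Any request that does not match the branch expression, including one with a missing or malformed header, follows the fallback branch.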