Classification Items

The classification items are used to classify traffic based on traffic properties.

Refer to Create Access policy for the OpenAPI specification document.

URL Branching

The URL Branching item is helpful for treating a few URLs differently from others. You can protect an application or a part of the application by specifying the application URL in the URL Branching item and creating branch rules on it. You might use URL branching to run different types of step-up authentication for different URLs or to skip step-up authentication altogether for a group of URLs.

The URL Branching item can have separate branch rules for URLs that match and a fallback branch for URLs that do not conform.

  • Successful - Indicates that the URL matches the specified URL. You can add additional items, such as Active Directory Auth, to protect all matching URLs.

  • Fallback - Indicates that the URL does not match, and the access is denied. You can add additional items in the fallback branch to define actions for non-matching URLs.

For example, you might want all admin users accessing URLs that match https://app.example.com/admin/* to have multi-factor authentication (MFA), non-admin users accessing URLs that match https://app.example.com/* to take the non-MFA branch rule, and a fallback branch for URLs that do not match, which are denied access.

The expression in the URL Branching item can be configured to exactly match a URL, a substring, a prefix, or a suffix, or to perform glob pattern matching on a URL. In a per-request policy, you can also insert a call to a subroutine after a URL branch. Or, in a subroutine, you can insert an authentication agent after a URL branch.

Example: The following BIG-IP Next Access policy shows the URL Branching configuration.

expression - In the example, expr {[mcget {perflow.branching.url}] contains \"192\"} checks if the URL address contains 192. Access is denied if the URL does not contain the required string, and the policy takes the fallback branch.

{
  "policyType": "PerRequest",
  "name": "url_branching_ap",
  "policy": {
    "objectContent": {
      "languages": [ "en" ],
      "defaultLanguage": "en",
      "start": {
        "caption": "Fallback",
        "itemType": "url-branching",
        "nextItems": [
          {
            "caption": "Successful",
            "expression": "expr {[mcget {perflow.branching.url}] contains \"192\"}",
            "itemType": "allow",
            "name": "Allow"
          },
          {
            "caption": "Fallback",
            "itemType": "reject",
            "name": "Reject"
          }
        ]
      }
    }
  }
}
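
An added example, not part of the product documentation: a small Python check that walks a policy shaped like the one above and reports URL Branching items whose allow branch relies on a substring (contains) match, which matches the literal anywhere in the URL, or whose fallback is missing or allows traffic. The function names, the heuristics, and the assumption that a branch without an expression is the fallback are this example's own.

```python
import json
import re

# The page's example policy, reduced to the fields this check reads.
POLICY = json.loads(r'''
{"policyType": "PerRequest", "name": "url_branching_ap",
 "policy": {"objectContent": {"start": {
   "caption": "Fallback", "itemType": "url-branching",
   "nextItems": [
     {"caption": "Successful", "itemType": "allow", "name": "Allow",
      "expression": "expr {[mcget {perflow.branching.url}] contains \"192\"}"},
     {"caption": "Fallback", "itemType": "reject", "name": "Reject"}
   ]}}}}
''')

# Finds: [mcget {perflow.branching.url}] contains "<literal>"
CONTAINS = re.compile(
    r'\[mcget \{perflow\.branching\.url\}\]\s+contains\s+"([^"]*)"')


def lint_url_branching(item, path="start"):
    """Return (path, message) findings for url-branching items.

    Heuristics are this example's own, not product rules. Recursion assumes
    nested items carry their own nextItems, as the start item does.
    """
    findings = []
    branches = item.get("nextItems", [])
    if item.get("itemType") == "url-branching":
        # Assumption: a branch without an expression is the fallback.
        fallbacks = [b for b in branches if "expression" not in b]
        if not fallbacks:
            findings.append((path, "no fallback branch"))
        if any(b.get("itemType") == "allow" for b in fallbacks):
            findings.append((path, "fallback allows non-matching URLs"))
        for b in branches:
            m = CONTAINS.search(b.get("expression", ""))
            if m and b.get("itemType") == "allow":
                findings.append(
                    (path, f'allow on substring match "{m.group(1)}"'))
    for i, b in enumerate(branches):
        findings += lint_url_branching(b, f"{path}.nextItems[{i}]")
    return findings


def lint_policy(policy):
    """Lint the policy starting from its start item."""
    return lint_url_branching(policy["policy"]["objectContent"]["start"])


if __name__ == "__main__":
    for where, message in lint_policy(POLICY):
        print(f"{where}: {message}")
```
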

The table below lists the objects for configuring the URL Branching item:

| Object | Type | Description |
| --- | --- | --- |
| itemType | string | Specifies the Access policy item. For the URL Branching item, the value is url-branching. This is a required setting. |
| name | string | Specifies the name of the BIG-IP Next Access policy item. |
| caption | string | Specifies a human-readable description of the policy branch. |
| expression | string | Specifies the Tcl expression. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, BIG-IP Next Access obtains session variables from the system memory using the Tcl command mcget. The Tcl expression can also contain one or more expressions (expr) or return commands. An expr command evaluates an expression and returns the result. A return command simply returns the result, and can be used to set the variable to a numeric value or string. For example, "expression": "expr { "[mcget session.custom.value1] + [mcget session.custom.value2]" }", "expression": "expr { "[mcget {session.logon.last.domain}]\[mcget {session.logon.last.username}]" }", and "expression": "expr {1800}". For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html. For a list of session variables, refer to Reference: Session Variables. |
| nextItems | array | Specifies the branches to the next policy item. This is a required setting. |