ltm rule command ACCESS policy
iRule(1) BIG-IP TMSH Manual iRule(1)
ACCESS::policy
Return information about access policies.
SYNOPSIS
ACCESS::policy agent_id
ACCESS::policy evaluate ('-sid' SESSION_ID) ('-profile' APM_PROFILE_OBJ) (KEY VALUE)*
ACCESS::policy result (-sid SESSION_ID)?
ACCESS::policy uri
ACCESS::policy ACCESS_POLICY_COMMAND (ACCESS_POLICY_INFO)?
DESCRIPTION
The ACCESS::policy commands allow you to retrieve information about the
access policies in place for a given connection.
ACCESS::policy agent_id
* Returns the identifier for the agent raising the
ACCESS_POLICY_AGENT_EVENT.
ACCESS::policy result
* Returns the result of an access policy. The result will be one
of the following:
* - allow
* - deny
* - redirect
ACCESS::policy uri
* Returns TRUE if the current request URI is internal to ACCESS (v11+
only).
ACCESS::policy evaluate
* Executes an access policy using an APM profile and an existing APM
session. The flags sid and profile are required, and the profile
selection should include the folder path
("/Common/access-policy-name"). The policy will evaluate in
clientless mode (i.e., no logon pages or message boxes). You can
insert multiple session variable keys and values that will be used
during policy evaluation.
* Requires APM module
RETURN VALUE
VALID DURING
HTTP_REQUEST, HTTP_PROXY_REQUEST
EXAMPLES
when RULE_INIT {
    # Set a static username and password for testing.
    set static::username user1
    set static::password password1
}
when CLIENT_ACCEPTED {
    # When we accept a connection, create an Access session and save the session ID.
    set flow_sid [ACCESS::session create -timeout 600 -lifetime 3600]
}
when HTTP_REQUEST {
    # Under the previously saved session ID for the created session, use the "/Common/test" access
    # policy to evaluate the connection. Set the session variables "username", "password", and "landinguri"
    # to something so the policy has something to evaluate.
    ACCESS::policy evaluate -sid $flow_sid -profile /Common/test \
        session.logon.last.username $static::username \
        session.logon.last.password $static::password \
        session.server.landinguri [string tolower [HTTP::uri]]
    # Check the outcome of the access policy evaluation. Throw a response based on what we learn.
    switch [ACCESS::policy result -sid $flow_sid] {
        "allow" {
            HTTP::respond 200 content "You made it ($flow_sid)!"
        }
        "deny" {
            HTTP::respond 200 content "Go away ($flow_sid)!"
        }
        default {
            HTTP::respond 200 content "Different result than expected - check your configuration. ($flow_sid)"
        }
    }
}
when CLIENT_CLOSED {
    # To avoid clutter, remove the access session for the flow.
    ACCESS::session remove -sid $flow_sid
}
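A fail-closed variant of the example above, added here and not part of the F5 manual page. The example above answers 200 on every outcome and echoes the session ID to the client; this version keeps the session ID in the log only and treats anything other than "allow" as a refusal. Assumptions: credentials arrive in an HTTP Basic Authorization header, the realm string "example" is a placeholder, the virtual server has a pool to forward allowed requests to, and the 401/403 mapping is one reasonable choice.

```tcl
when CLIENT_ACCEPTED {
    # One APM session per client connection, as in the example above.
    set flow_sid [ACCESS::session create -timeout 600 -lifetime 3600]
}
when HTTP_REQUEST {
    # Assumption: credentials come from the Basic Authorization header
    # rather than static test values. No credentials, no evaluation.
    set user [HTTP::username]
    set pass [HTTP::password]
    if { $user eq "" || $pass eq "" } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"example\"" Connection close
        return
    }
    # Start from a non-allow value so that a Tcl error raised by the
    # evaluate call (if any) ends in the fail-closed branch below.
    set result "error"
    if { ![catch {
        ACCESS::policy evaluate -sid $flow_sid -profile /Common/test \
            session.logon.last.username $user \
            session.logon.last.password $pass \
            session.server.landinguri [string tolower [HTTP::uri]]
    } err] } {
        set result [ACCESS::policy result -sid $flow_sid]
    }
    switch -- $result {
        "allow" {
            # Assumption: a pool is attached; the request continues to it.
        }
        "deny" {
            # Client-supplied values (username, URI) are kept out of the
            # log line; the session ID stays server-side.
            log local0.notice "APM deny client=[IP::client_addr] sid=$flow_sid"
            HTTP::respond 401 WWW-Authenticate "Basic realm=\"example\"" Connection close
        }
        default {
            # "redirect", "error", or any unexpected value: refuse.
            log local0.warning "APM result=$result client=[IP::client_addr] sid=$flow_sid"
            HTTP::respond 403 content "Forbidden" Connection close
        }
    }
}
when CLIENT_CLOSED {
    # Remove the per-connection session, as in the example above.
    ACCESS::session remove -sid $flow_sid
}
```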
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-10.1.0 --First introduced the command.
BIG-IP 2017-01-31 iRule(1)