F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP Access Policy Manager: Implementing Zero Trust with Per-Request Policies
  3. Per-Request Policy Concepts
  4. About gating criteria in subroutines
Manual Chapter : About gating criteria in subroutines

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

About gating criteria in subroutines

You can use gating criteria in the subroutine properties to allow the same subroutine to control multiple subsessions. A distinct subsession is created for each distinct gating criteria value. In the Gating Criteria field in the subroutine properties, you can select a perflow variable (such as
perflow.client.ip.address
), or you can specify a Tcl expression (such as
expr {[mcget {session.logon.last.username}]}
).
The gating criteria value is the value that results from evaluating the specified gating criteria expression, which is the value stored in the selected perflow variable, or the value computed from a iRule/Tcl expression. If you leave the Gating Criteria field blank, the subroutine runs once and applies the same ending to all requests for resources for the duration of the subsession.
APM uses the value in this field to determine whether to run the subroutine. If a subsession already exists for the particular resource (such as a URL or an application) or the group of resources (such as those represented by a URL category or an application family), APM does not run the subroutine again for the current request, but uses the same subsession, applying the result that was obtained when the subroutine ran.
If APM does not find a matching subsession, APM validates the gating criteria before running the subroutine. If the field contains a perflow variable, APM looks up its value. If the perflow variable does not contain a value, APM returns an error. (The per-request policy must be configured to provide a value for the perflow variable before you're trying to use it.) If the perflow variable contains a valid value or if the gating criteria is blank, APM runs the subroutine.
Here are some examples of gating criteria that you can use in a subroutine:
  • perflow.client.ip.address
    – You can use this variable as gating criteria for requests to double check whether the user's IP address has changed since the subsession started. So if, for example, the user moves from a wired to a wireless network connection, you can ask again for user credentials.
  • expr { [ mcget {session.adStepUpAuth.gatingCounterPath} ] }
    – To use this variable as gating criteria, another part of the policy needs to populate the session variable
    session.adStepUpAuth.gatingCounterPath
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information