Manual Chapter : Defining Access Policy Items

Applies To:

BIG-IP APM

  • 16.0.1, 16.0.0

Defining Access Policy Items

About access policy item configuration

An access policy item is a small action, or rule, that serves a specific purpose in an access policy. Access policy items are all added to the access policy in the same way, but in most cases each access policy item must be configured individually. In Access Policy Manager, an access policy item is one of five types.

Blank item
  Configuration details: This type of access policy item has no explicit configuration on the configuration page, and can be configured to verify a wide range of conditions with Expression screens.
  Examples:
  • General Purpose: Empty action
  • Endpoint Security (Client-Side): Machine Info

Preconfigured branch rule item
  Configuration details: This type of access policy item has no explicit configuration on the configuration page, and a preconfigured set of rules on the Branch Rules page.
  Examples:
  • Endpoint Security (Server-Side): IP Reputation
  • Endpoint Security (Client-Side): Windows Info

Properties page configuration item
  Configuration details: This type of access policy item has all standard configuration options on the configuration page, to verify the required information, prompt for information, or perform another action.
  Examples:
  • General Purpose: Logon Page action
  • Endpoint Security (Client-Side): Antivirus

Assignment item
  Configuration details: An assignment action is configured on the configuration page, which contains a list of available resources of a certain type and lets you select one or more resources to assign. Some resource assignment actions, such as Webtop, Links and Sections Assign, allow you to assign multiple items of different types. Advanced Resource Assign is a special case that allows you to select and assign multiple resources of different types at once.
  Examples:
  • Assignment: Pool Assign
  • Assignment: Webtop, Links and Sections Assign

Mapping assignment item
  Configuration details: A mapping assignment action allows you to assign one variable or resource to the value of another variable or resource. This kind of assign action includes the assignment of resources or variables on a separate page, linked from the main screen.
  Examples:
  • Assignment: AD Group Resource Assign
  • Assignment: Variable Assign

When naming VPE objects, APM removes special characters such as exclamation marks, equal signs, and brackets before saving the objects. The following characters are allowed: ( ) - _ + [ ].

Adding a blank access policy item to an access policy

Before you start this task, configure an access profile.
Configure a blank item to set up one of the actions that has no explicit configuration defined.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Select a blank action:
    • Endpoint Security (Client-Side): Machine Info - Collects machine info, and checks it against established values.
    • General Purpose: Empty - An empty action that you can configure with any allowed checks.
    A properties screen opens.
  5. Click the Branch Rules tab.
    The Branch Rules screen opens.
  6. Click the Add Branch Rule button.
    New Name and Expression settings display.
  7. Click the change link in the Expression area.
    A popup screen opens.
  8. Click Add Expression.
    New properties display.
  9. For each expression you add, select an agent from the Agent Sel. list, a condition from the Condition list, and configure any details.
    See the reference information for each action for more details.
  10. Click Add Expression to add the expression to the list.
  11. Add more expressions to the check as required. You can add expressions as either AND or OR conditions.
  12. Click Finished.
    The popup screen closes.
  13. Click Save.
    The properties screen closes and the policy displays.
The access policy is configured with the empty action you have configured.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.
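As an added example that is not part of the F5 manual: the Advanced (Tcl) form of a branch rule expression, which is what the Expression popup in steps 8 to 11 produces from the Agent Sel. and Condition choices joined with AND and OR. session.client.platform, session.server.landinguri and session.ad.last.attr.memberOf are standard APM session variables; the platform strings, the /corp/ path and the group DN are assumed values for illustration.

```tcl
# Added example, not from the F5 manual. Branch rule expression in the
# Advanced (Tcl) form. The three mcget variables are standard APM session
# variables; the compared values are assumed for illustration.
#
# The branch is taken only when the whole expression is true, that is:
#   1. the endpoint reported one of the two accepted desktop platforms
#      (an OR of two conditions, grouped in parentheses),
#   2. the user landed on the assumed /corp/ application path,
#   3. a preceding AD Query placed the assumed VPN-Users group in memberOf.
# Tcl does not allow comments inside the expr braces, so the explanation
# stays up here.
expr {
    (
        [mcget {session.client.platform}] == "Win10" ||
        [mcget {session.client.platform}] == "MacOS"
    )
    &&
    [string match "/corp/*" [mcget {session.server.landinguri}]]
    &&
    [mcget {session.ad.last.attr.memberOf}] contains "CN=VPN-Users,OU=Groups,DC=example,DC=com"
}
```

Any branch rule whose expression does not evaluate true falls through to the item's fallback branch, so order the branch rules from most to least specific.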

Adding an access policy item with preconfigured branch rules

Before you start this task, configure an access profile.
Configure an access policy item with preconfigured branch rules to add preconfigured settings and branches to an access policy.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Select an action with preconfigured branch rules, and click Add Item:
    • Endpoint Security (Server-Side): Client for MS Exchange - Checks that the system is a client for Microsoft Exchange.
    • Endpoint Security (Server-Side): Client OS - Provides branches based on the result of an operating system check on the client.
    • Endpoint Security (Server-Side): Client Type - Provides branches based on the result of a client type check.
    • Endpoint Security (Server-Side): Client-Side Capability - Checks whether the client can run client-side checks, and provides positive and fallback branches.
    • Endpoint Security (Server-Side): Date Time - Provides branches based on a certain date or time.
    • Endpoint Security (Server-Side): IP Geolocation Match - Provides branches based on a specific geographic origin for the client.
    • Endpoint Security (Server-Side): IP Reputation - Checks the client IP against an IP reputation database.
    • Endpoint Security (Server-Side): Jailbroken or Rooted Device Detection - Provides branches based on whether the device appears to be jailbroken or rooted.
    • Endpoint Security (Server-Side): Landing URI - Provides branches based on a specific landing URI.
    • Endpoint Security (Server-Side): License - Provides branches based on the available global APM licenses.
    • Endpoint Security (Client-Side): Windows Info - Provides branches based on specific Windows information, such as operating system type and patch level.
    A properties screen opens.
  5. Click the Branch Rules tab.
    The Branch Rules screen opens.
  6. View the preconfigured branch rules.
    You can make changes to the branch rules, or close the item.
  7. Click Save.
    The properties screen closes and the policy displays.
The access policy is saved with the action you have configured.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Adding an access policy item with configurable properties

Before you start this task, configure an access profile.
Configure an access policy item with configurable properties to check for specific items or policies.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Select an action with configurable properties, then click Add Item:
    • Logon: External Logon Page - Presents an external logon page for the client.
    • Logon: HTTP 401 Response - Provides a custom HTTP 401 logon page.
    • Logon: HTTP 407 Response - Provides a custom HTTP 407 logon page.
    • Logon: Logon Page - Provides a custom logon page that you can configure entirely from the properties screen.
    • Logon: Virtual Keyboard - Provides a configurable virtual keyboard for logon information entry.
    • Logon: VMware View Logon Page - Provides a custom logon page for VMware View.
    • Endpoint Security (Client-Side): Anti-Spyware - Checks that the client is running specified anti-spyware software.
    • Endpoint Security (Client-Side): Antivirus - Checks that the client is running specified antivirus software.
    • Endpoint Security (Client-Side): Firewall - Checks that the client is running specified firewall software.
    • Endpoint Security (Client-Side): Hard Disk Encryption - Checks that the client hard disk is encrypted.
    • Endpoint Security (Client-Side): Linux File - Allows a check for a specific file with specified properties on a Linux system.
    • Endpoint Security (Client-Side): Linux Process - Allows a check for a specific process on Linux systems.
    • Endpoint Security (Client-Side): Mac File - Allows a check for a specific file with specified properties on a Mac.
    • Endpoint Security (Client-Side): Mac Process - Allows a check for a specific process on a Mac.
    • Endpoint Security (Client-Side): Machine Cert Auth - Allows a check for a machine certificate.
    • Endpoint Security (Client-Side): Patch Management - Allows a check for patches to specific files.
    • Endpoint Security (Client-Side): Peer-to-peer - Allows a check for peer-to-peer software on a system.
    • Endpoint Security (Client-Side): Windows Cache and Session Control - Allows you to configure Windows clients to clean certain items after the session closes.
    • Endpoint Security (Client-Side): Windows File - Allows a check for a specific file with specified properties on Windows systems.
    • Endpoint Security (Client-Side): Windows Health Agent - Allows a check for a health agent on Windows systems.
    • Endpoint Security (Client-Side): Windows Process - Allows a check for a specific process on Windows systems.
    • Endpoint Security (Client-Side): Windows Protected Workspace - Allows configuration of a protected workspace in Windows.
    • Endpoint Security (Client-Side): Windows Registry - Allows a check for a specific registry value in Windows.
    • General Purpose: Decision Box - Allows configuration of a choice of two branches for the user, with custom text describing each choice.
    • General Purpose: Email - Sends an email when reached in the access policy.
    • General Purpose: iRule Event - Raises an iRule event at this point in the access policy, so that an iRule can run custom logic.
    • General Purpose: Local Database - Allows you to add entries to a local database.
    • General Purpose: Logging - Allows you to log a session variable result.
    • General Purpose: Message Box - Shows a message, and requires the user to click to continue.
    A properties screen opens.
  5. Configure the properties for the item.
  6. Click Save.
    The properties screen closes and the policy displays.
The access policy is configured with the action you have configured.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Adding an access policy assignment item

Before you can add an access policy assignment item, you need to configure an access profile.
Configure an access policy with an assignment action to assign a resource, local traffic pool, ACL, profile, or other item. Each assignment action works differently and assigns different items.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Select an assignment action, then click Add Item:
    • Assignment: ACL Assign - Assigns an ACL to the access policy branch.
    • Assignment: Advanced Resource Assign - Directly assigns all types of resources.
    • Assignment: BWC Policy - Assigns a Bandwidth Controller policy to an access policy branch.
    • Assignment: Citrix Smart Access - Assigns a Citrix Smart Access filter to an access policy branch.
    • Assignment: Dynamic ACL - Assigns a dynamic ACL to an access policy branch.
    • Assignment: Resource Assign - Allows you to assign connection resources, remote desktops, and SAML resources.
    • Assignment: Route Domain and SNAT Selection - Allows you to assign a route domain, SNAT, and SNAT pool to an access policy branch.
    • Assignment: SSO Credential Mapping - Allows you to assign attributes for the SSO username and password.
    • Assignment: Webtop, Links and Sections Assign - Allows you to assign a webtop, webtop links, and webtop sections to an access policy branch.
    A properties screen opens.
  5. Configure the properties for the item.
  6. Click Save.
    The properties screen closes and the policy displays.
The access policy is configured with the assignment action you have configured.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Adding an access policy mapping item

Before you start this task, configure an access profile.
Configure an access policy with a mapping action to map resources or variables of one type to another type or value. Each mapping action works differently and assigns different items.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Select a mapping action, then click Add Item:
    • Assignment: AD Group Resource Assign - Maps resources from an Active Directory group to access policy resources.
    • Assignment: LDAP Group Resource Assign - Maps resources from an LDAP group to access policy resources.
    • Assignment: Variable Assign - Allows you to assign predefined or custom variables to attributes, values, text, or expressions.
    A properties screen opens.
  5. For the Variable Assign action, click the Add new entry button.
    The AD and LDAP Group Resource Assign actions already include an entry.
  6. Click the Edit link.
  7. Configure the settings for the assign action.
    For the AD or LDAP Group Resource Assign action, type the name of the group, then click Add group manually.
  8. Configure the mapping items.
    Refer to the specific documentation for each item to map items.
  9. Click Save.
    The properties screen closes and the policy displays.
The access policy is configured with the mapping action you have configured.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.
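As an added example that is not part of the F5 manual: a Custom Expression for one Variable Assign entry (step 5 above), which derives a custom variable from the logon name so that later items can reference it. session.logon.last.username is a standard APM session variable; the target variable name session.custom.mail_domain, the user@domain logon format and the fallback domain are assumptions.

```tcl
# Added example, not from the F5 manual. Custom Expression for a Variable
# Assign entry whose target is the assumed custom variable
# session.custom.mail_domain; the value the expression returns is stored in
# that variable for the rest of the session.
# session.logon.last.username is a standard APM variable; the "user@domain"
# logon format and the fallback domain are assumptions.
#
# Tcl does not allow comments inside the expr braces, so the logic is
# explained here: if the logon name contains "@", take the part after it and
# lower-case it; otherwise fall back to the assumed default domain, so that a
# later item (for example an SSO Credential Mapping) never sees an empty value.
expr {
    [string first "@" [mcget {session.logon.last.username}]] >= 0
        ? "[string tolower [lindex [split [mcget {session.logon.last.username}] "@"] 1]]"
        : "example.com"
}
```

Because the expression runs server-side on values the user typed at the logon page, treat the result as untrusted input when a later item uses it to select resources.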