Manual Chapter: Per-Request Policy Item Reference
Applies To: BIG-IP APM 16.0.1, 16.0.0
About per-request policy items
When configuring a per-request policy, many agents are available for inclusion in the per-request policy.
About per-request policy authentication items
Authentication items perform authentication or authentication-related functions.
About AD Group Lookup
An AD Group Lookup item can branch based on Active Directory group. The item provides one default advanced branch rule expression as an example:
expr { [mcget {session.ad.last.attr.primaryGroupID}] == 100 }
A branch rule expression can include any populated session variable, such as session.ad.last.attr.primaryGroupID, session.ad.last.attr.memberOf, session.ad.last.attr.lastLogon, session.ad.last.attr.groupType, session.ad.last.attr.member, and so on. For example, this is a valid expression:
expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Administrators" }
Note that contains is a substring test: the expression above also matches any other group whose distinguished name contains the text CN=Administrators. Match the complete group DN when membership in one specific group is required.
An AD Query action can populate the session variables.
About LDAP Group Lookup
An LDAP Group Lookup item compares a specified string against the session.ldap.last.attr.memberOf session variable. The specified string is configurable in a branch rule. The default simple branch rule expression is User is a member of CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN; the values MY_GROUP, USERS, and MY_DOMAIN must be replaced with values used in the LDAP group configuration at the user site. An LDAP Query action is required in the access policy to populate the session variable.
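The default expressions for both the AD Group Lookup and the LDAP Group Lookup items test group membership with contains, a substring match. The following advanced branch rule expression is an added example, not taken from the F5 documentation, that matches one complete group DN exactly instead. It serves the AD Group Lookup item as written and the LDAP Group Lookup item if session.ldap.last.attr.memberOf is substituted. It assumes that APM stores a multi-valued memberOf attribute as the DNs joined with " | " (space, pipe, space), that the standard Tcl string and list commands are available in an advanced expression alongside mcget, and that the group DN cn=apm-admins,ou=groups,dc=example,dc=com is a placeholder to replace with your own. The comment lines are for the reader; only the expr goes in the branch rule field.

```tcl
# Added example (not from the F5 page): exact-match group check for an
# AD Group Lookup advanced branch rule. For an LDAP Group Lookup item,
# use session.ldap.last.attr.memberOf instead.
# Assumption: APM joins the values of a multi-valued attribute with " | ".
# Placeholder: replace cn=apm-admins,ou=groups,dc=example,dc=com with your group DN.
# Both sides are lowercased because AD distinguished names are case-insensitive
# while lsearch -exact is not.
expr {
    [lsearch -exact \
        [split \
            [string map {" | " "|"} \
                [string tolower [mcget {session.ad.last.attr.memberOf}]]] \
            "|"] \
        "cn=apm-admins,ou=groups,dc=example,dc=com"] >= 0
}
```

If the user belongs to no groups, memberOf is empty, split returns an empty list, lsearch returns -1 and the rule is false, so the policy takes the fallback branch rather than granting access on an empty attribute.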
About LocalDB Group Lookup
A per-request policy LocalDB Group Lookup item compares a specified string against a specified session variable. The string is specified in a branch rule of the LocalDB Group Lookup item.
The default simple branch rule expression is User is a member of MY_GROUP. The default advanced rule expression is
expr { [mcget {session.localdb.groups}] contains "MY_GROUP" }
In either the simple or the advanced rule, MY_GROUP must be replaced with a valid group name. The session variable must initially be specified and populated by a Local Database action in the access policy. A Local Database action reads groups from a local database instance into a user-specified session variable. It can be session.localdb.groups (used by default in the LocalDB Group Lookup advanced rule expression) or any other name. The same session variable name must be used in the Local Database action and the LocalDB Group Lookup advanced rule expression.
About RADIUS Class Lookup
The RADIUS Class Lookup access policy item compares a user-specified class name against the session.radius.last.attr.class session variable. The specified class name is configurable in a branch rule. The default simple branch rule expression is RADIUS Class attribute contains MY_CLASS. The variable MY_CLASS must be replaced with the name of an actual class. A RADIUS Acct or RADIUS Auth action is required in the access policy to populate the session variable.
About per-request policy assignment items
Assignment items support assigning resources, such as a pool, in a per-request policy. The Assign Credentials agent takes the username and password source session variable names and stores the credentials in perflow variables. The Variable Assign item supports assigning values to existing variables, to existing configuration elements, and to variables that you define yourself.
About Assign Credentials
The Assign Credentials agent is available only in a per-request policy (not in a subroutine). If the password is shared, the agent gets user credentials from the main session: it takes the username and password source session variable names and stores the values in perflow variables. The Assign Credentials agent must precede the subroutine where the credentials need to be reused. The logon page is shown only when the perflow credential variables are empty.
About Pool Assign
The Pool Assign agent can dynamically assign a local traffic pool; it provides only one configuration element: selection of a static pool.
In a per-session policy, the Pool Assign agent enables session-based pool selection from among valid pools in this priority order: a pool selected by an iRule that is defined for the virtual server takes precedence over any other; a static pool defined in the Pool Assign agent takes precedence over a static pool defined for the virtual server.
In a per-request policy, the Pool Assign agent enables request-based pool selection for reverse proxy (LTM+APM) only, and specifies the pool to use for the request.
Using the Pool Assign agent in a per-request policy in a forward proxy configuration does not work and is not supported.
About Variable Assign
The Variable Assign action can include one or more entries. An entry specifies a variable and assigns a value to it.
In the entry screen, the variable is specified in the left pane and the value is specified in the right pane.
A Variable Assign action provides these configuration elements and options for the variable:
- Custom Variable
- Specifies a variable name. It can be any name, including the name of a session variable or the name of a perflow variable. For a per-session policy, when the policy runs it recognizes only existing perflow variables.
- Predefined Variables
- Specifies a predefined session variable or perflow variable name, which must be selected from the Variable list. The type of variable (session or perflow) that is available for selection depends on the selected Group: Per-Session Variables or Per-Request Variables. For Per-Request Variables, the Scratchpad, Custom, and Primary Category perflow variables are available for use in the per-request policy and in per-request policy subroutines. You can, for example, pass the value of a session variable into the per-request policy in one of these variables.
- Unsecure or Secure
- Specifies whether the variable is secure. A secure variable is stored in encrypted form in the session database. The value of a secure variable is not displayed in the session report, or logged by the logging agent. Mark any variable that holds a password, token, or other credential as Secure.
A Variable Assign action provides these configuration elements and options for the value:
- Custom Expression
- Specifies a Tcl expression. The result of the expression is used as the value.
- AAA attribute
- Specifies the name of the attribute that contains the value:
- Agent Type - specifies the type of AAA server: AD, LDAP, or RADIUS.
- Attribute Type - specifies the attribute type to use depending on the agent type:
- Use user's attribute - for AD agent.
- Use user's primary group attribute - for AD agent.
- Use LDAP attribute - for LDAP agent.
- Use RADIUS attribute - for RADIUS agent.
- Attribute name (for the selected agent type) - specifies the name of the attribute that contains the value.
- Text
- Specifies a text string to use as the value. The text entered in this field is used as is.
- Session Variable
- Specifies the name of a session variable from which to get the value.
About endpoint security (server-side) per-request policy items
In endpoint security (server-side) actions, the server queries clients and makes policy decisions based on information that a client presents to the server. For example, the Client Type action presents a query to find out what type of client is connecting, and routes the client to the different policy branches based on the results of the query. Endpoint security (server-side) access policy items do not require installation of client components.
About Client Information
The Client Information agent gets the device posture from the client. You implement device posture checks in a per-request policy by using a Client Information agent followed by a subroutine with one or more client check agents.
About Client IP Subnet Match
This agent lets you create policy branch rules based on the user's subnet.
About Client OS
The Client OS action detects the operating system of the remote client. Access Policy Manager detects this using information from the HTTP User-Agent header. Because that header is supplied by the client, the result is suitable for routing clients to OS-specific branches but is not by itself a security control. The action provides separate branches for separate operating systems. This action can be very useful at the beginning of an access policy. Each branch can include actions that are specific to a client operating system.
This figure shows the Client OS action and default branches, configured to allow access to clients on the Windows RT operating system and to deny access to all others.
In practice, actions would be specified on the access policy branches and might include logon actions, authentication actions, and other actions.
About Client Port Match
This agent lets you create policy branch rules based on the user's port number.
About Client Type
The Client Type action determines whether the client is using a full browser, the BIG-IP Edge Client, or another client to access the Access Policy Manager (APM). This action makes it possible to specify different actions for different client types in one access policy and, as a result, to use one virtual server for traffic from different client types. This figure shows the Client Type action as it looks when first added to an access policy.
By default, the Client Type action includes these branches:
- Edge Portal
- Indicates that the user is connecting with the BIG-IP Edge Portal mobile app.
- Windows Inbox F5 VPN Client
- Indicates the user is connecting using the Windows Inbox F5 VPN client.
- F5 Access
- Indicates the user is connecting using F5 Access.
- Machine Tunnel
- Use this branch to configure an access policy to detect the machine tunnel client type.
- Edge Client
- Indicates that the user is connecting with the BIG-IP Edge Client or BIG-IP Edge Client app, supported on multiple devices and operating systems.
- Citrix Receiver
- Indicates that the user is connecting using a later Citrix Receiver client. Use this branch to configure authentication for later Citrix Receiver clients (iOS, Mac, and Android).
- Citrix Receiver (legacy)
- Indicates that the user is connecting using an earlier Citrix Receiver client (identified with PN Agent). Use this branch to configure authentication for legacy Citrix Receiver clients (Windows and Linux).
- VMware View
- Indicates that the user is connecting using a VMware Horizon View client. Use this branch to configure an access policy to authenticate View Client using VMware View logon pages.
- Microsoft RDP Client
- Indicates the user is connecting using the Microsoft RDP Client. Use this branch to configure an access policy to authorize resource requests from Microsoft RDP clients.
- MS-OFBA Compliant
- Indicates the user is connecting using an MS-OFBA (Microsoft Office Forms Based Authentication) compliant Office application. Use this branch to configure an access policy that allows users to open, use, and authenticate Microsoft Office applications.
- Full or Mobile Browser
- Indicates the user is connecting with a Windows web browser or a mobile browser.
- fallback
- Indicates the user is connecting with another method.
APM supports the client types on multiple operating systems. Refer to AskF5 (support.f5.com) to look up the supported operating systems and versions in the compatibility matrix for your version of APM. To create additional branching for a client type based on operating system, you can add a client operating system (Client OS) action on the client type branch.
About Dynamic Date Time
The Dynamic Date Time action enables branching based on the day, date, or time on the server. It provides two default branch rules:
- Weekend
- Defined as Saturday and Sunday.
- Business Hours
- Defined as 8:00am to 5:00pm.
The Dynamic Date Time action provides these conditions for defining branch
rules.
- Time From
- Specifies a time of day. The condition is true at or after the specified time.
- Time To
- Specifies a time of day. This condition is true before or at the specified time.
- Date From
- Specifies a date. This condition is true at or after the specified date.
- Date To
- Specifies a date. This condition is true before or at the specified date.
- Day of Week
- Specifies a day. The condition is true for the entire day (local time zone).
- Day of Month
- Specifies the numeric day of month. This condition is true for this day every month (local time zone).
About IP Geolocation Lookup
This agent lets you determine the geographic origin of the IP address of a request.
About IP Reputation Lookup
When an IP Reputation Lookup agent is included in an access or per-request policy, Access Policy Manager (APM) searches for the IP address in the IP intelligence database. The IP intelligence database contains only IP addresses that are considered untrustworthy, along with a category for each that describes why it is not trusted.
APM provides these default branch rules for the IP Reputation action.
- Bad
- The IP address exists in the IP intelligence database. The expression for this branch rule includes every IP reputation category. For example, the rule includes expressions such as IP Reputation is: Spam Sources OR IP Reputation is: Proxy, and so on. If any IP reputation category is acceptable at your site, you should update this rule or create and use another rule.
- Good
- The IP address is not found in the IP intelligence database.
- fallback
- The IP intelligence database is inaccessible for some reason. This can be due to a misconfiguration or a problem with a license or Internet connectivity. Decide deliberately where this branch leads: if it joins the Good path, the reputation check fails open whenever the database is unavailable.
About Server IP Subnet Match
This agent lets you create policy branch rules based on the subnet of the server.
About Server Port Match
This agent lets you create policy branch rules based on the server port number.
About per-request policy classification items
Classification items are used to classify traffic based on traffic properties.
About Application Filter Assign
An Application Filter Assign item matches an application or application family against an application filter. Application Filter Assign provides one configuration element. The Application Filter element specifies the application filter to use in determining whether to block access to an application or allow it. The Application Filter Assign item exits on the Allow branch if the filter action specifies allow. Otherwise, Application Filter Assign exits on the fallback branch. To supply input for the Application Filter Assign agent, an Application Lookup item must run in the per-request policy sometime prior to it.
About Application Lookup
An Application Lookup item obtains the name of the application that is being requested and looks up the application family that matches it. By default, this item has a fallback branch only.
Application Lookup can be used to branch by application family or by application name; branch rules are required to do this. If an Application Filter Assign item is included in the per-request policy, an Application Lookup must complete before it.
About Category Lookup
A Category Lookup item looks up URL categories for a request and obtains a web response page.
The Category Lookup item provides these elements and options.
- Categorization Input
- The list specifies these options:
- Use HTTP URI (cannot be used for SSL Bypass decisions): For HTTP traffic, this option specifies performing a URL-based lookup. When selected, on a BIG-IP system with an SWG subscription the SafeSearch Mode setting displays.
- Use SNI in Client Hello (if SNI is not available, use Subject.CN): For HTTPS traffic, this option specifies performing a host-based lookup.
- Use Subject.CN in Server Cert: For HTTPS traffic, this option specifies performing a host-based lookup. (This option is not for use in a reverse proxy configuration.)
- Use HTTP Connect Hostname: For connections that are passing through an upstream proxy, this option uses information from the HTTP Connect header and matches only the hostname. The Category Lookup agent functions only on transparent HTTP virtual servers and fails if the policy is attached to explicit HTTP virtual servers.
- SafeSearch Mode
- The options are Enabled (default) and Disabled. When enabled, SWG enables Safe Search for supported search engines. SafeSearch is available only with an SWG subscription.
- Category Lookup Type
- Select the category types in which to search for the requested URL. On a BIG-IP system with an SWG subscription, options are:
- Select one from Custom categories first, then standard categories if not found
- Always process full list of both custom and standard categories
- Process standard categories only
- Process custom categories only
Depending on the selection, the Category Lookup item looks through custom categories or standard categories or both, and compiles a list of one or more categories from them. The list is available for subsequent processing by the URL Filter Assign item.
- Reset on Failure
- When enabled, specifies that SWG send a TCP reset to the client in the event of a server failure.
About Request Analytics
A Request Analytics item inspects an outgoing web request for malicious embedded contents. In a
per-request policy, a Request Analytics item must be preceded by a Category Lookup item and
followed by a URL Filter Assign item. To block outgoing traffic from chat applications, a Request
Analytics item is required.
Request Analytics works only on a BIG-IP system with an
SWG subscription.
Request Analytics provides these elements and options.
- Max Buffer Size
- Specifies the maximum amount of request data (in bytes) to collect before sending it for content scanning. The system sends the content for analysis when the buffer reaches this size or when the buffer contains all of the request content. Otherwise, the system retains the request data in the buffer.
- Max Buffer Time
- Specifies the maximum amount of time (in seconds) for buffering and analyzing request data. If the time elapses at any point in this process, the agent sets the perflow.request_analytics.failure variable to 1 (which indicates an ANTserver failure) and discards the request data.
- Reset on Failure
- When enabled, specifies that SWG send a TCP reset to the client in the event of an ANTserver failure. If disabled and an ANTserver failure occurs, SWG logs all perflow variables and provides the SWG block page to the client.
About Response Analytics
A Response Analytics item inspects a web response page for malicious embedded contents.
Response Analytics must be preceded by a Category Lookup item because it obtains a web response
page.
Response Analytics works only on a BIG-IP system with an
SWG subscription.
Response Analytics provides these elements and options.
- Max Buffer Size
- Specifies the maximum amount of response data (in bytes) to collect before sending it for content scanning. The system sends the content for analysis when the buffer reaches this size or when the buffer contains all of the response content. Otherwise, the system retains the response data in the buffer.
- Max Buffer Time
- Specifies the maximum amount of time (in seconds) for buffering and analyzing response data. If the time elapses at any point in this process, the agent sets the perflow.response_analytics.failure variable to 1 (which indicates an ANTserver failure) and discards the response data.
- Reset on Failure
- When enabled, specifies that SWG send a TCP reset to the client in the event of an ANTserver failure. If disabled and an ANTserver failure occurs, SWG logs all perflow variables and provides the SWG block page to the client.
- Exclude Types
- Specifies one entry for each type of content to be excluded from content analysis. Images, the All-Images type, do not get analyzed.
About URL Branching
The URL Branching action is useful for treating a few URLs differently from others. The action
provides an Allow branch and a fallback branch. The URL Branching action provides these
conditions for defining branch rules.
- Equals
- The URL must exactly match the specified URL.
- Substring
- The URL must contain the specified string.
- Prefix Match
- The URL must start with the specified string.
- Suffix Match
- The URL must end with the specified string.
- Glob match
- The URL must match the specified globbing pattern. These globbing patterns are supported:
- * matches any number of characters (none, one, or more).
- ? matches a single character in these sets: [a-z] or [0-9] or [A-Za-z].
- [characters] matches one of the specified characters.
- [^characters] matches any character except for those specified.
- [!characters] matches any character except for those specified.
To match many URLs, you might consider configuring URL categories on the BIG-IP system and using Category Lookup in your per-request policy.
About URL Filter Assign
A URL Filter Assign item looks up the URL filter action for each category that the Category
Lookup item found for a request. If any filter action is set to Block, the request is blocked.
In a configuration with an SWG subscription, the URL Filter Assign item also uses the analysis
from the Response Analytics item, if used, to determine whether to block the request.
By default, the URL Filter Assign item has three branches: Allow, Confirm, and fallback. If the
request is not blocked and any filter action is set to Confirm, the per-request policy takes the
Confirm branch.
A URL Filter Assign item provides the URL Filter element, with a list of filters from which to select. A Category Lookup item must precede the URL Filter Assign item.
About per-request policy general purpose items
General purpose items can be used in any case and can be placed anywhere in
a per-request policy. These items support miscellaneous actions such as HTTP header modification,
several actions for SSL, IP protocol lookup, logging, and others.
About the Empty action
An Empty action has no explicit configuration. The action allows a user to create rules only,
using the Branch Rules tab.
About HTTP Headers
An HTTP Headers action supports modifying an outgoing HTTP request to a back-end server. The action supports manipulation of HTTP and cookie headers being sent to back-end servers.
The HTTP Headers item cannot manipulate HTTP cookies in outgoing HTTP requests to any portal access application.
The HTTP Headers item provides these configuration options and elements.
An entry in the HTTP Header Modify table includes these elements.
- Header Operation
- Specifies insert, append, replace, or remove. When a header carries an identity or authorization value for the back end (for example, a username taken from a session variable), use replace rather than insert, so that a header of the same name supplied by the client is overwritten instead of being forwarded alongside the one the BIG-IP system adds.
- Header Name
- Specifies the header name on which to operate.
- Header Value
- Specifies the value on which to operate. Any per-flow or session variable can be used as a header value, for example, %{session.user.clientip} or %{perflow.session.id}.
- Header Delimiter
- Specifies the separator to use when appending a header.
An entry in the HTTP Cookie Modify table includes these elements.
- Cookie Operation
- Specifies update or delete. When update is selected and a cookie that matches the name and value does not exist, HTTP Header adds the specified cookie.
- Cookie Name
- Specifies the name to match.
- Cookie Value
- Specifies the value to match when deleting a cookie or the new value to set when updating a cookie. Any per-flow or session variable can be used as a cookie value.
About IP Based SSL Bypass Set
Use this agent in a per-request policy for SSL Orchestrator use cases only.
This agent lets you bypass SSL traffic based on IP address. Place this agent
after a matching rule (for example, Client IP Subnet Match) to bypass matched traffic. This rule
must be specified early in the policy, before other protocol handling rules.
About IP Protocol Lookup
This agent is used to identify Layer 4 protocol such as TCP or UDP. For
example, a value of 6 is TCP and 17 is UDP.
About iRule Event
An iRule Event action adds iRule processing to an access policy or to a
per-request policy subroutine at a specific point. An iRule Event provides one configuration
option: ID, which specifies an iRule event ID.
iRule event
access policy items must be processed and completed before the access policy can continue.
An iRule Event action can occur anywhere in an access policy or a
per-request policy subroutine.
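As an added example, not from the F5 documentation, the iRule below pairs with an iRule Event agent placed in a per-request policy subroutine. The agent ID check_identity_header, the choice of perflow.custom as the result variable, and the header name X-Authenticated-User are placeholders of ours. The example relies on the per-request iRule interface: the ACCESS_PER_REQUEST_AGENT_EVENT event, perflow.irule_event.id holding the ID of the agent that raised it, and ACCESS::perflow get/set for perflow variables. It records whether the client itself sent a header that only the BIG-IP system should set, so that a later branch rule can reject the request.

```tcl
# Added example (not from the F5 page). Pairs with an iRule Event agent whose
# ID is "check_identity_header" (placeholder) in a per-request policy subroutine.
# Placeholders: the agent ID, the perflow.custom result variable and the
# X-Authenticated-User header name.
when ACCESS_PER_REQUEST_AGENT_EVENT {
    # Every iRule Event agent in the policy raises this event; act only on ours.
    if { [ACCESS::perflow get perflow.irule_event.id] ne "check_identity_header" } {
        return
    }
    # X-Authenticated-User is meant to be set by an HTTP Headers item (replace
    # operation) from a session variable. If the client already supplied it,
    # record that fact in a perflow variable for the next branch rule.
    if { [HTTP::header exists "X-Authenticated-User"] } {
        ACCESS::perflow set perflow.custom "client_sent_identity_header"
        log local0. "per-request policy: client-supplied X-Authenticated-User from [IP::client_addr]"
    } else {
        ACCESS::perflow set perflow.custom "ok"
    }
}
```

The item that follows the iRule Event agent can then use a branch rule such as expr { [mcget {perflow.custom}] == "ok" } and route everything else to a Reject ending; the agent must complete before the policy continues, so the variable is always populated by the time the rule runs.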
About Layer 7 Protocol Lookup
This agent is used to identify Layer 7 protocol such as DNS, FTP, FTPS,
HTTP, HTTP CONNECT, HTTPS, IMAP, IMAPS, POP3, POP3S, QUIC, SMTP, SMTPS and TELNET.
About the Logging action
The Logging action can be used in an access policy or in a per-request policy. In an access policy, the Logging action adds logging for session variables to the access policy. In a per-request policy, the Logging action can add logging for both session variables and perflow variables to the per-request policy.
This action is useful for tracing the variables that are created for a specific category, or in a specific branch.
A session variable might or might not exist at the time of logging; depending on the result of the access policy branch, or results of processing the access policy.
The Logging action provides these configuration elements and options:
- Log Message
- For an access policy, specifies text to add to the log file. For a per-request policy, specifies the message text and the session and per-flow variables to add to the message. Complete variable names must be typed. Wildcards are not supported for per-request policies. An example log message for a per-request policy follows.
The system found this URL %{perflow.category_lookup.result.url} in these categories %{perflow.category_lookup.result.categories} and placed it into this category %{perflow.category_lookup.result.primarycategory}. An HTTPS request was made to this host %{perflow.category_lookup.result.hostname}; the per-request policy set SSL bypass to %{perflow.ssl_bypass_set}. Requests from this platform %{session.client.platform} were made during this session %{perflow.session.id}.
- Add new entry
- Specify actions that read from and write to specific database properties. Click the Add New Entry button to add a new logging agent to the action.
- Session Variables
- Specifies a session variable from a list of predefined session variables or a custom session variable. This option is available only when adding the Logging action to an access policy.
About Server Cert Response Control
Use this agent in a per-request policy for SSL Orchestrator use cases only.
This agent lets you control the response to information about the server
certificate. The agent provides an option to Ignore or Mask in case a server certificate is
expired or untrusted, and control the behavior on a perflow basis.
About Server Cert Status
Use this agent in a per-request policy for SSL Orchestrator use cases only.
This agent lets you check server certificate status. The agent provides two
branches representing the status of the certificate: good and fallback.
About SSL Bypass Set
The SSL Bypass Set item provides a read-only element, Action, that specifies the Bypass option. For an SSL Bypass Set item to be effective, the client and server SSL profiles on the virtual server must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to Intercept; and the SSL Bypass Set item must occur in the policy before any items that process HTTP traffic.
About SSL check
Specifies that the system performs an SSL check, which determines whether SSL is found on the endpoint. It provides two default branches: SSL Found and fallback. There is no configuration required for this action.
About SSL Intercept Set
The SSL Intercept Set item provides a read-only element, Action, that specifies the Intercept option. For an SSL Intercept Set item to be effective, the client and server SSL profiles on the virtual server must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to Intercept; and the SSL Intercept Set item must occur in the policy before any items that process HTTP traffic.
About SSO Configuration Select
The Select SSO Configuration agent enables per-request selection of an SSO configuration from these SSO configuration types:
- HTTP Basic
- NTLMv1
- NTLMv2
- Kerberos
The Select SSO Configuration agent provides these configuration elements and options:
- SSO Configuration Name
- Select an SSO configuration name from the list.
About per-request policy traffic management items
Traffic management items are available for proxy select, service connect, and session check.
About Proxy Select
The Proxy Select agent is for use in selecting the next hop in forward proxy chaining. The
Proxy Select agent provides these elements and options:
- Pool
- Specifies a pool of one or more proxy servers from which to select the next hop. All proxy servers in the pool that you select must support the forward proxy mode that you specify in the Upstream Proxy Mode setting.
- Upstream Proxy Mode
- Specifies whether the next hop is to a forward proxy server that supports Explicit forward proxy or Transparent forward proxy.
- Username
- Specifies the name of a user account on the proxy server. To use static credentials to authenticate at the next hop, provide the username and password.
- Password
- Specifies the password for the user account on the proxy server.
About Service Connect
This agent, used primarily by SSLO, allows you to connect to SSLO services that were previously
configured. Service Connect provides the option to attach a Connector profile to the virtual
server to enable service chaining in a per-request policy.
About Session Check
This agent, used primarily by SSLO, is used to check whether a session exists. If no session
exists, the agent creates a perflow variable with a redirect URL to the captive portal virtual
server.
About per-request policy subroutine items
When configuring a per-request policy subroutine, many per-request and per-session agents are available for inclusion in the subroutine.
About AD Auth
An AD Auth action authenticates a user against an AAA Active Directory server. An authentication action typically follows a logon action that collects credentials. When configured in a per-request policy subroutine, some screen elements and options described here might not be available.
- Type
- Specifies Authentication, the type of this Active Directory action.
- Server
- Specifies an Active Directory server; servers are defined separately in the Configuration utility.
- Cross Domain Support
- Specifies whether AD cross domain authentication support is enabled for this action.
- Complexity check for Password Reset
- Specifies whether Access Policy Manager (APM) performs a password policy check. APM supports these Active Directory password policies:
- Maximum password age
- Minimum password age
- Minimum password length
- Password must meet complexity requirements
Because this option might require administrative privileges, the administrator name and password might be required on the AAA Active Directory server configuration page. Enabling this option increases overall authentication traffic significantly because APM must retrieve password policies using LDAP protocol and must retrieve user information during the authentication process to properly check the new password.
- Show Extended Error
- When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended only for use in a testing or debugging environment, not in production. If enabled in a live environment, the detailed messages (for example, distinguishing an unknown user from a wrong password) tell an attacker which usernames exist and what state an account is in. (When disabled, non-comprehensive error messages generated by the authentication server are displayed on the user's logon page.)
- Max Logon Attempts Allowed
- Specifies the number of user authentication logon attempts to allow. A complete logon and password challenge and response is considered as one attempt. For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.
- Max Password Reset Attempts Allowed
- Specifies the number of times that APM allows the user to try to reset password.
About AD Query
An AD Query action performs a query against an AAA Active Directory
server. An AD Query action provides these configuration elements and options:
- Type
- Specifies Query, the type of this Active Directory action.
- Server
- Specifies an Active Directory server; servers are defined in the area of the Configuration utility.
- SearchFilter
- Specifies the search criteria to use when querying the Active Directory server for the user's information. Session variables are supported as part of the search query string.
- Fetch Primary Group
- Specifies whether to retrieve a user's primary group Distinguished Name for use in the access policy.
- Cross Domain Support
- Specifies whether AD cross domain authentication support is enabled for this action.
- Fetch Nested Groups
- When disabled, associates the user only to the groups to which they belong directly. When enabled, associates the user to all groups that are nested under the groups that they directly belong to. For example, if the user belongs to Group 1 and Group 2, and Group1 is a member of Group 3 and Group 4, enabling this setting allows the user to obtain privileges from all groups.
- Complexity check for Password Reset
- Specifies whether Access Policy Manager (APM) performs a password policy check. APM supports these Active Directory password policies:
- Maximum password age
- Minimum password age
- Minimum password length
- Password must meet complexity requirements
Because this option might require administrative privileges, the administrator name and password might be required on the AAA Active Directory server configuration page. Enabling this option increases overall authentication traffic significantly because APM must retrieve password policies using the LDAP protocol and must retrieve user information during the authentication process to properly check the new password.
- Show Extended Error
- When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended only for use in a testing or debugging environment, not in production. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, non-comprehensive error messages generated by the authentication server are displayed on the user's logon page.)
- Max Password Reset Attempts Allowed
- Specifies the number of times that APM allows the user to try to reset password.
- Prompt user to change password before expiration
- Specifies whether to warn the user at a set time before the password expires and provide the option to change the password.
- Required Attributes (optional)
- By default, the server loads all user attributes if no required attributes are specified. However, system performance can improve if fewer attributes are returned. Click the Add New Entry button to add a new attribute to the Active Directory query action.
About Antivirus
The Antivirus action checks for antivirus software on the client computer.
When checking for multiple antivirus types, if one antivirus type matches the software on the
client system, the action passes, regardless of other antivirus conditions that are specified in
the action.
An antivirus action in a subroutine is continuously checked, based on the settings configured
in the Subroutine Settings.
An Antivirus action provides these settings and options:
- Platform
- Specifies a platform. The default is Any. When a platform is selected, the Vendor ID and Product ID lists update to include the products and vendors that are supported for that platform according to the EPSEC package that is installed on the BIG-IP system. A link to a report that includes the antivirus software that Access Policy Manager currently supports is available on the BIG-IP system Welcome page.
- Vendor ID
- Specifies a vendor ID (from the list of supported vendors) or Any.
- Product ID
- Specifies a product ID (from the list of supported products) or Any.
- State
- Specifies one of these states:
- Enabled - when selected, the action verifies that the antivirus software is enabled.
- Disabled - when selected, the action verifies that the antivirus software is disabled.
- Unspecified - when selected, the action does not verify the state of the software.
- Version
- Specifies a version; when specified, the antivirus action verifies the version of the software.
- Engine Version
- Specifies the engine version number; when specified, the antivirus action verifies this information.
- DB Version
- Specifies the database version number; when specified, the antivirus action verifies this information.
- DB Age Not Older Than (days)
- Specifies the database age in days; when specified, the antivirus action verifies this information.
- Last Scan Time Not Older Than (days)
- Specifies a number of days; when specified, the antivirus action verifies that the last scan did not occur more than the specified number of days ago.
About Client Cert Inspection
The Client Cert Inspection agent checks the result of the SSL handshake that occurs at the start of a session. It does not, however, negotiate an SSL session. It relies on settings in a client SSL profile that is added to the virtual server. The Client Cert Inspection item can provide the result of the SSL handshake, including certificate revocation status when the client SSL profile specifies a certificate revocation list (CRL).
If using the Client Cert Inspection agent in a per-request policy subroutine, you must have an On-Demand Cert agent configured before it in the same subroutine.
The Client Cert Inspection action provides two branches: Successful and fallback.
About Client IP Subnet Match
This agent lets you create policy branch rules based on the user's subnet.
About Client OS
The Client OS action detects the operating system of the remote
client. Access Policy Manager detects this
using information from the HTTP header. The action provides separate branches for
separate operating systems. This action can be very useful at the beginning of an access
policy. Each branch can include actions that are specific to a client operating
system.
This figure shows the Client OS action and default branches,
configured to allow access to clients on the Windows RT operating system and to deny
access to all others.
In
practice, actions would be specified on the access policy branches and might include
logon actions, authentication actions, and other actions.
About Client Port Match
This agent lets you create policy branch rules based on the user's port number.
About Client Type
The Client Type action determines whether the client is using a full
browser, the BIG-IP Edge Client, or another client to access the Access Policy Manager (APM).
This action makes it possible to specify different actions for different client types in one
access policy and, as a result, to use one virtual server for traffic from different client
types. This figure shows the Client Type action as it looks when first added to an access
policy.
By default, the Client Type action includes these branches:
- Edge Portal
- Indicates that the user is connecting with the BIG-IP Edge Portal mobile app.
- Windows Inbox F5 VPN Client
- Indicates the user is connecting using the Windows Inbox F5 VPN client.
- F5 Access
- Indicates the user is connecting using F5 Access.
- Machine Tunnel
- Use this branch to configure an access policy to detect the machine tunnel client type.
- Edge Client
- Indicates that the user is connecting with the BIG-IP Edge Client or BIG-IP Edge Client app, supported on multiple devices and operating systems.
- Citrix Receiver
- Indicates that the user is connecting using a later Citrix Receiver client. Use this branch to configure authentication for later Citrix Receiver clients (iOS, Mac, and Android).
- Citrix Receiver (legacy)
- Indicates that the user is connecting using an earlier Citrix Receiver client (identified with PN Agent). Use this branch to configure authentication for legacy Citrix Receiver clients (Windows and Linux).
- VMware View
- Indicates that the user is connecting using a VMware Horizon View client. Use this branch to configure an access policy to authenticate View Client using VMware View logon pages.
- Microsoft RDP Client
- Indicates the user is connecting using the Microsoft RDP Client. Use this branch to configure an access policy to authorize resource requests from Microsoft RDP clients.
- MS-OFBA Compliant
- Indicates the user is connecting using MS-OFBA (Microsoft Office Forms Based Authentication) supported Office applications. Use this branch to configure an access policy that allows users to open, use, and authenticate Microsoft Office applications.
- Full or Mobile Browser
- Indicates the user is connecting with a Windows web browser or a mobile browser.
- fallback
- Indicates the user is connecting with another method.
APM supports the client types on multiple operating systems. Refer to AskF5 (support.f5.com) to look up the supported operating systems and versions in the compatibility matrix for your version of APM. To create additional branching for a client type based on operating system, you can add a client operating system (Client OS) action on the client type branch.
About Confirm Box
A Confirm Box action presents links for these options: Continue and Cancel. The action is available for a per-request policy subroutine only and is for use in a Secure Web Gateway (SWG) configuration. Confirm Box offers these elements and options for customization.
- Language
- Specifies the language to use to customize the Confirm Box page. Selecting a language causes the content in the remaining fields to display in the selected language. Languages on the list reflect those that are configured in the access profile.
- Message
- Specifies the message to display.
- Field 1 image
- Specifies the icon (red, green, or none) to display with the Continue option.
- Continue
- Specifies the text to display for this option.
- Field 2 image
- Specifies the icon (red, green, or none) to display with the Cancel option.
- Cancel
- Specifies the text to display for this option.
About CRLDP Auth
A CRLDP Auth action retrieves a Certificate Revocation List (CRL) from a network location (distribution point). A distribution point is either an LDAP Uniform Resource Identifier (URI), a directory path that identifies the location where the CRLs are published, or a fully qualified HTTP URL. A CRLDP Auth action provides these configuration elements and options:
- CRLDP Server
- Specifies a CRLDP server; servers are defined in the area of the Configuration utility.
A CRLDP
Auth action is valid for use in a per-request policy subroutine when placed after an On-Demand
Cert Auth action.
About Dynamic Date Time
The Dynamic Date Time action enables branching based on the day, date, or
time on the server. It provides two default branch rules:
- Weekend
- Defined as Saturday and Sunday.
- Business Hours
- Defined as 8:00am to 5:00pm.
The Dynamic Date Time action provides these conditions for defining branch
rules.
- Time From
- Specifies a time of day. The condition is true at or after the specified time.
- Time To
- Specifies a time of day. This condition is true before or at the specified time.
- Date From
- Specifies a date. This condition is true at or after the specified date.
- Date To
- Specifies a date. This condition is true before or at the specified date.
- Day of Week
- Specifies a day. The condition is true for the entire day (local time zone).
- Day of Month
- Specifies the numeric day of month. This condition is true for this day every month (local time zone).
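The six conditions above can be combined into branch rules that an access policy evaluates in order, first match wins. The following is an added example, not F5 code: it models each condition with the inclusive endpoints the page states, reproduces the two default rules (Weekend, Business Hours), and adds a constructed "Change Freeze" rule to exercise the Date From/Date To and Day of Month conditions. A naive datetime stands in for the BIG-IP server's local time.

```python
"""Evaluate Dynamic Date Time branch rules (added example, not F5 code)."""
from datetime import date, datetime, time
from typing import Callable, List, Tuple

Condition = Callable[[datetime], bool]


def time_from(t: time) -> Condition:
    """True at or after the given time of day (inclusive)."""
    return lambda now: now.time() >= t


def time_to(t: time) -> Condition:
    """True before or at the given time of day (inclusive)."""
    return lambda now: now.time() <= t


def date_from(d: date) -> Condition:
    """True at or after the given date (inclusive)."""
    return lambda now: now.date() >= d


def date_to(d: date) -> Condition:
    """True before or at the given date (inclusive)."""
    return lambda now: now.date() <= d


def day_of_week(*days: str) -> Condition:
    """True for the entire day, for any of the named weekdays."""
    wanted = {d.lower() for d in days}
    return lambda now: now.strftime("%A").lower() in wanted


def day_of_month(day: int) -> Condition:
    """True for this numeric day in every month."""
    return lambda now: now.day == day


def all_of(*conds: Condition) -> Condition:
    """Combine conditions with AND, the way a branch rule combines its conditions."""
    return lambda now: all(c(now) for c in conds)


# The two default branch rules from the page. Order matters: a Saturday at
# 10:00 matches Weekend before Business Hours is even evaluated.
DEFAULT_RULES: List[Tuple[str, Condition]] = [
    ("Weekend", day_of_week("Saturday", "Sunday")),
    ("Business Hours", all_of(time_from(time(8, 0)), time_to(time(17, 0)))),
]

# Constructed rules (hypothetical names) to show the date-based conditions.
MAINTENANCE_RULES: List[Tuple[str, Condition]] = [
    ("Change Freeze", all_of(date_from(date(2024, 12, 20)), date_to(date(2025, 1, 3)))),
    ("Month Start", day_of_month(1)),
]


def at(iso_timestamp: str) -> datetime:
    """Parse a server-local timestamp such as '2024-06-17T17:00:00'."""
    return datetime.fromisoformat(iso_timestamp)


def select_datetime_branch(now: datetime, rules=DEFAULT_RULES) -> str:
    """Return the first matching branch name, or 'fallback' when none match."""
    for name, condition in rules:
        if condition(now):
            return name
    return "fallback"


if __name__ == "__main__":
    for stamp in ("2024-06-15T10:00:00", "2024-06-17T17:00:00", "2024-06-17T17:00:01"):
        print(stamp, "->", select_datetime_branch(at(stamp)))
```

Because Time To is inclusive, a request at exactly 17:00:00 still takes the Business Hours branch while one second later falls through to fallback; when writing a rule that must exclude the boundary, set Time To one second earlier.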
About the Email action
An Email action can send email. An Email action provides these
configuration options and elements:
- SMTP Configuration
- Specifies an SMTP configuration on the BIG-IP system.
- From
- Specifies the sender, which can be a string, a session variable name, or both. For example: APM@vs-%{session.server.network.name}
- To
- Specifies the recipient. This can be a fully qualified email address or a session variable name; for example: %{session.ad.last.attr.mail}
- CC
- Specifies recipients to be copied on the mail. This can be fully qualified email addresses or session variable names.
- Subject
- Specifies the subject of the email message. This can be a string, a session variable name, or a combination of strings and session variable names.
- Message
- Specifies the message to send. This can be a string, a session variable name, or a combination of strings and session variable names. Note: New lines should be specified with the <br/> tag.
About Endpoint State
Endpoint State provides simple branching rules to determine the endpoint state based on the
Client Information data.
About the Empty action
An Empty action has no explicit configuration. The action allows a user to create rules only,
using the Branch Rules tab.
About Firewall
The Firewall agent can continuously check whether the client endpoint has a firewall activated
on Windows, Mac, and Linux systems. The system ends the session if the firewall check fails, and
the client does not respond within five minutes.
About Hard Disk Encryption
The Hard Disk Encryption action checks for hard disk encryption software on
a client computer. When this action includes checks for multiple hard disk encryption types, if
one of the specified hard disk encryption types matches the software on the client system, the
action passes, regardless of other hard disk encryption conditions that are specified in the
item.
A Hard Disk Encryption action provides these settings and options:
- Continuously check the result and end the session if it changes
- Specifies Enabled or Disabled. When Enabled, if the client does not respond for five minutes, the server ends the session.
- Platform
- Specifies a platform. The default is Any. When a platform is selected, the Vendor ID and Product ID lists update to include the products and vendors that are supported for that platform according to the EPSEC package that is installed on the BIG-IP system. A link to a report that includes the hard disk encryption software that Access Policy Manager currently supports is available on the BIG-IP system Welcome page.
- Vendor ID
- Specifies a vendor ID (from the list of supported vendors) or Any.
- Product ID
- Specifies a product ID (from the list of supported products) or Any.
- Encryption State
- Specifies one of these states:
- Enabled - When selected, the action verifies that all disk volumes are encrypted on the client.
- Disabled - When selected, the action verifies that all disk volumes are not encrypted on the client.
- Unspecified - When selected, the action verifies that hard disk encryption software is installed on the client.
- Version
- Specifies a version; when specified, the Hard Disk Encryption action verifies the version of the software.
About HTTP 401 Response
The HTTP 401 Response action sends an HTTP 401 Authorization Required
Response page to capture HTTP Basic or Negotiate authentication.
For a
per-request policy subroutine, HTTP 401 Response supports HTTP Basic authentication only.
The HTTP 401 Response action provides up to three branches: Basic,
Negotiate, and fallback. Typically, a basic type of authentication follows on the Basic branch
and a Kerberos Auth action follows on the Negotiate branch.
An HTTP 401 Response action provides these configuration elements and
options.
- Basic Auth Realm
- Specifies the authentication realm for use with Basic authentication.
- HTTP Auth Level
- Specifies the authentication required for the policy.
- none- specifies no authentication.
- basic- specifies Basic authentication only.
- negotiate - specifies Kerberos authentication only. This option is not available for a per-request policy subroutine.
- basic+negotiate - specifies either Basic or Kerberos authentication. This option is not available for a per-request policy subroutine.
The action provides customization options that specify the text to display
on the screen.
- Language
- Specifies the language to use to customize this HTTP 401 response page. Selecting a language causes the content in the remaining fields to display in the selected language. Languages on the list reflect those that are configured in the access profile.
- Logon Page Input Field #1
- Specifies the text to display on the logon page to prompt for input for the first field. When Language is set to en, this defaults to Username.
- Logon Page Input Field #2
- Specifies the text to display on the logon page to prompt for input for the second field. When Language is set to en, this defaults to Password.
- HTTP response message
- Specifies the text that appears when the user receives the 401 response, requesting authentication.
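To make the Basic/Negotiate/fallback branching concrete, here is an added example (not F5 code) showing both sides of the exchange: the WWW-Authenticate challenge lines the action would send for a given HTTP Auth Level, and how a client's Authorization header is classified into a branch. The branch names and the level values (none, basic, negotiate, basic+negotiate) are taken from the page; the function names and the sample credentials are constructed for the example.

```python
"""HTTP 401 Response challenge and branch selection (added example, not F5 code)."""
import base64
import binascii
from typing import List, Optional, Tuple

BASIC_LEVELS = {"basic", "basic+negotiate"}
NEGOTIATE_LEVELS = {"negotiate", "basic+negotiate"}


def challenge_headers(auth_level: str, realm: str) -> List[str]:
    """WWW-Authenticate header lines for the 401 challenge.

    The realm is an RFC 7235 quoted-string; a double quote or backslash in it
    would produce a malformed header, so such values are rejected outright.
    """
    if '"' in realm or "\\" in realm:
        raise ValueError("realm must not contain quotes or backslashes")
    headers: List[str] = []
    if auth_level in NEGOTIATE_LEVELS:
        headers.append("WWW-Authenticate: Negotiate")
    if auth_level in BASIC_LEVELS:
        headers.append(f'WWW-Authenticate: Basic realm="{realm}"')
    return headers


def encode_basic(username: str, password: str) -> str:
    """Client side: build the Authorization header value for Basic auth (RFC 7617)."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def select_401_branch(authorization: Optional[str], auth_level: str) -> Tuple[str, Optional[object]]:
    """Classify the client's answer.

    Returns (branch, payload): ("Basic", (username, password)),
    ("Negotiate", spnego_token) for a Kerberos Auth action to consume, or
    ("fallback", None) when the header is absent, malformed, or uses a scheme
    the configured HTTP Auth Level does not allow.
    """
    if auth_level == "none" or not authorization:
        return ("fallback", None)
    scheme, _, param = authorization.strip().partition(" ")
    scheme = scheme.lower()
    param = param.strip()
    if scheme == "basic" and auth_level in BASIC_LEVELS:
        try:
            raw = base64.b64decode(param, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return ("fallback", None)
        # Only the first ':' separates user and password; passwords may contain ':'.
        username, sep, password = raw.partition(":")
        if not sep:
            return ("fallback", None)
        return ("Basic", (username, password))
    if scheme == "negotiate" and auth_level in NEGOTIATE_LEVELS and param:
        return ("Negotiate", param)
    return ("fallback", None)


if __name__ == "__main__":
    print(challenge_headers("basic+negotiate", "Corp VPN"))
    # Constructed sample credentials for the demonstration.
    print(select_401_branch(encode_basic("jsmith", "s3cret:x"), "basic"))
```

Note that with the subroutine restriction described above (Basic only), a Negotiate answer lands on fallback rather than on a Negotiate branch, which is the behaviour a per-request policy subroutine should expect.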
About HTTP Auth
An HTTP Auth action authenticates a user against an HTTP AAA server. An HTTP
Auth action provides these configuration elements and options:
- AAA Server
- Specifies an HTTP AAA server; servers are defined in the area of the Configuration utility.
About HTTP Connector
An HTTP Connector action allows you to insert an HTTP Connector request in a
per-request policy subroutine. The HTTP Connector action can then be configured with rules based
on the results of the HTTP Connector request. The HTTP Connector item provides this configuration
option.
You can only insert an HTTP
Connector action in a subroutine.
- HTTP Connector Request
- Select the HTTP Connector Request that you want to insert in the subroutine. The HTTP Connector Request, as defined on the BIG-IP, is submitted, using the parameters defined in the HTTP Connector Request and the associated HTTP Connector Transport.
About IP Protocol Lookup
This agent is used to identify Layer 4 protocol such as TCP or UDP. For
example, a value of 6 is TCP and 17 is UDP.
About iRule Event
An iRule Event action adds iRule processing to an access policy or to a
per-request policy subroutine at a specific point. An iRule Event provides one configuration
option: ID, which specifies an iRule event ID.
iRule event
access policy items must be processed and completed before the access policy can continue.
An iRule Event action can occur anywhere in an access policy or a
per-request policy subroutine.
About LDAP Auth
An LDAP Auth action authenticates a user against an AAA LDAP server. An LDAP
Auth action provides these configuration elements and options.
When configured in a
per-request policy subroutine, some screen elements and options described here might not be
available.
- Type
- Specifies Authentication, the type of this LDAP action.
- Server
- Specifies an LDAP server; servers are defined in the area of the Configuration utility.
- SearchDN
- Specifies the base node of the LDAP server search tree to start the search with.
- SearchFilter
- Specifies the search criteria to use when querying the LDAP server for the user's information. Session variables are supported as part of the search query string. Parentheses are required around search strings; for example, (sAmAccountName=%{session.logon.last.username}).
- UserDN
- Specifies the Distinguished Name (DN) of the user. The DN can be derived from session variables.
- Show Extended Error
- When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended only for use in a testing or debugging environment, not in production. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, non-comprehensive error messages generated by the authentication server are displayed on the user's logon page.)
- Max Logon Attempts Allowed
- Specifies the number of user authentication logon attempts to allow. A complete logon and password challenge and response is considered as one attempt. For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.
About LDAP Query
An LDAP Query action performs a query against an AAA LDAP server. An LDAP Query action provides these configuration elements and options:
- Type
- Specifies Query, the type of this LDAP action.
- Server
- Specifies an LDAP server; servers are defined in the area of the Configuration utility.
- SearchDN
- Specifies the base node of the LDAP server search tree to start the search with.
- SearchFilter
- Specifies the search criteria to use when querying the LDAP server for the user's information. Session variables are supported as part of the search query string. When strings are used, they must be enclosed in parentheses; for example, (sAmAccountName=%{session.logon.last.username}).
- Show Extended Error
- When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended only for use in a testing or debugging environment, not in production. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, non-comprehensive error messages generated by the authentication server are displayed on the user's logon page.)
- Fetch groups to which the user or group belong
- Specifies how to fetch groups; associates the groups to the user or the group.
- None- Do not fetch groups.
- Direct- Fetch only those groups to which the user or group belong directly.
- All - Fetch groups to which the user or group belong directly; then fetch all groups that are nested under those groups. For example, if the user belongs to Group 1 and Group 2, and Group 1 is a member of Group 3 and Group 4, selecting All associates all four groups to the user. Alternatively, if the group is Group 1, selecting All associates Group 3 and Group 4 to Group 1.
- Fetch users that belong to the group
- Specifies how to fetch users that are members of the group; associates the users to the group.
- None - Do not fetch users.
- Direct - Fetch only those users that belong to the group directly.
- All - Fetch users that belong to the group directly and, if other groups are nested under the group, fetch users that belong to those groups also. For example, if the group (for example, Group 1) is a member of Group 3 and Group 4, selecting All associates the members (users) of all three groups to the group.
- Required Attributes (optional)
- By default, the server loads all user attributes if no required attributes are specified. However, system performance can improve if fewer attributes are returned.
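The SearchFilter option in both the LDAP Auth and LDAP Query sections substitutes session variables such as %{session.logon.last.username} into the filter string. Because that value originates from the logon page, the filter is only as safe as the escaping applied to it. The following is an added example, not F5 code or APM's own substitution routine: it expands the %{...} placeholders the page shows and applies RFC 4515 escaping to every substituted value, so that filter metacharacters in a username remain a literal value instead of altering the query structure. It also fails loudly when a referenced session variable is unset, since an empty filter value is rarely what the policy author intended. The function names and sample values are constructed.

```python
"""Build an LDAP SearchFilter from session variables with RFC 4515 escaping.

Added example, not F5 code. Placeholder syntax %{session.var} follows the
SearchFilter option on this page.
"""
import re
from typing import Dict

# Matches %{session.logon.last.username} and similar placeholders.
PLACEHOLDER = re.compile(r"%\{([A-Za-z0-9_.]+)\}")

# RFC 4515 section 3: these characters must be escaped as \XX inside a filter value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an attribute value for safe inclusion in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, session: Dict[str, str]) -> str:
    """Replace every %{name} placeholder with the escaped session value.

    Raises KeyError when a referenced session variable is not set, so a
    misconfigured policy surfaces as an error rather than a filter that
    silently matches nothing (or the wrong thing).
    """
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in session:
            raise KeyError(f"session variable not set: {name}")
        return escape_filter_value(str(session[name]))

    return PLACEHOLDER.sub(substitute, template)


# The page's own example filter; the attribute name is kept as written there.
USER_FILTER = "(sAmAccountName=%{session.logon.last.username})"


def build_user_filter(session: Dict[str, str]) -> str:
    """Convenience wrapper producing the per-user lookup filter."""
    return expand_filter(USER_FILTER, session)


if __name__ == "__main__":
    # Constructed session values for the demonstration.
    print(build_user_filter({"session.logon.last.username": "jsmith"}))
    print(build_user_filter({"session.logon.last.username": "O'Brien (Sales)*"}))
```

The escaping is deliberately applied per substituted value, not to the whole template, so the parentheses that the page says must surround the filter are preserved while parentheses arriving inside a username are neutralised.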
About LocalDB Auth
The LocalDB Auth action can authenticate a user against a local user
database instance. The LocalDB Auth action can lock a user out of a local user database instance
if they fail to log on within a specified number of attempts.
For enhanced security, Local Database actions are typically placed before and after a LocalDB Auth action to read and write user information, in order to track non-static users (those not created by an administrator) that repeatedly attempt to log on and fail.
A LocalDB Auth action provides these configuration elements and options.
- LocalDB Instance
- Specifies a local user database instance.
- Max Logon Attempts Allowed
- A number from 1 to 5. For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.
About the Logging action
The Logging action can be used in an access policy or in a per-request policy. In an access policy, the Logging action adds logging for session variables to the access policy. In a per-request policy, the Logging action can add logging for both session variables and perflow variables to the per-request policy.
This action is useful for tracing the variables that are created for a specific category, or in a specific branch.
A session variable might or might not exist at the time of logging; depending on the result of the access policy branch, or results of processing the access policy.
The Logging action provides these configuration elements and options:
- Log Message
- For an access policy, specifies text to add to the log file. For a per-request policy, specifies the message text and the session and per-flow variables to add to the message. Complete variable names must be typed. Wildcards are not supported for per-request policies. An example log message for a per-request policy follows: The system found this URL %{perflow.category_lookup.result.url} in these categories %{perflow.category_lookup.result.categories} and placed it into this category %{perflow.category_lookup.result.primarycategory}. An HTTPS request was made to this host %{perflow.category_lookup.result.hostname}; the per-request policy set SSL bypass to %{perflow.ssl_bypass_set}. Requests from this platform %{session.client.platform} were made during this session %{perflow.session.id}.
- Add new entry
- Specify actions that read from and write to specific database properties. Click the Add New Entry button to add a new logging agent to the action.
- Session Variables
- Specifies a session variable from a list of predefined session variables or a custom session variable.This option is available only when adding the Logging action to an access policy.
About Logon Page
A logon page action prompts for a user name and password, or other
identifying information. The logon page action typically precedes the authentication action
that checks the credentials provided on the logon page. The logon page action provides up to
five customizable fields and enables localization.
The logon page action provides these configuration options and
elements.
When configured in a per-request subroutine, some screen
elements and options described here might not be available.
- Split domain from full username
- Specifies Yes or No.
- Yes - specifies that when a username and domain combination is submitted (for example, marketing\jsmith or jsmith@marketing.example.com), only the username portion (in this example, jsmith) is stored in the session variable session.logon.last.username.
- No - specifies that the entire username string is stored in the session variable.
- CAPTCHA configuration
- Specifies a CAPTCHA configuration to present for added CAPTCHA security on the logon page.
- Type
- Specifies the type of logon page input field: text, password, select, checkbox, or none.
- text - Displays a text field, and shows the text that is typed in that field.
- password - Displays an input field, but displays the typed text input as asterisks.
- select - Displays a list. The list is populated with values that are configured for this field.
- checkbox - Displays a check box.
- none - Specifies that the field is not displayed on the logon page.
- Post Variable Name
- Specifies the variable name that is prepended to the data typed in the text field. For example, the POST variable username sends the user name input omaas as the POST string username=omaas.
- Session Variable Name (or Subsession Variable Name)
- Specifies the session variable name that the server uses to store the data typed in the text field. For example, the session variable username stores the username input omaas as the session variable string session.logon.last.username=omaas. A per-request policy subroutine uses subsession variables in place of session variables.
- Clean Variable
- Specifies whether to clear any value from the variable before presenting the logon page to the user; to clean the variable, select Yes. Defaults to No.
- Values
- Specifies values for use on the list when the input field type is select.
- Read Only
- Specifies whether the logon page agent is read-only, and always used in the logon process as specified. You can use Read Only to add logon POST variables or session variables that you want to submit from the logon page for every session that uses this access policy, or to populate a field with a value from a session variable. For example, you can use the On-Demand Certificate agent to extract the CN (typically the user name) field from a certificate, then you can assign that variable to session.logon.last.username. In the logon page action, you can specify session.logon.last.username as the session variable for a read-only logon page field that you configure. When Access Policy Manager displays the logon page, this field is populated with the information from the certificate CN field (typically the user name).
Additionally, customization options specify text and an image to display
on the screen.
- Language
- Specifies the language to use to customize this logon page. Selecting a language causes the content in the remaining fields to display in the selected language. Languages on the list reflect those that are configured in the access profile.
- Form Header Text
- Specifies the text that appears at the top of the logon box.
- Logon Page Input Field #number
- Specifies the text to display for each input field (number 1 through 5) that is defined in the Logon Page Agent area with Type set to other than none.
- Logon Button
- Specifies the text that appears on the logon button, which a user clicks to post the defined logon agents.
- Front Image
- Specifies an image file to display on the logon page. The Replace Image link enables customization and the Revert to Default Image link discards any customization and uses the default logon page image.
- Save Password Check Box
- Specifies the text that appears adjacent to the check box that allows users to save their passwords in the logon form. This field is used only in the secure access client, and not in the web client.
- New Password Prompt
- Specifies the prompt displayed when a new Active Directory password is requested.
- Verify Password Prompt
- Specifies the prompt displayed to confirm the new password when a new Active Directory password is requested.
- Password and Password Verification do not Match
- Specifies the prompt displayed when a new Active Directory password and verification password do not match.
- Don't Change Password
- Specifies the prompt displayed when a user should not change password.
- Change Password
- Specifies the message that is displayed to the user when they need to change the password.
- Logon Page Original URL
- Specifies the text to display in a link for a user who is already logged on.
- Yes
- Specifies a possible response to a logon page query or challenge.
- No
- Specifies a possible response to a logon page query or challenge.
About Managed Endpoint Notification
The Managed Endpoint Notification action sends a push notification of an unauthorized device
access to a client device through an endpoint management system.
The Managed Endpoint Notification action provides these settings and
options:
- Endpoint Management System
- Specifies the endpoint management system. The default is None. Select the endpoint management system server you want to use from the list.
- Message
- Specifies a push notification message that is sent to a client device through an endpoint management system.
About Managed Endpoint Status
The Managed Endpoint Status action checks for device compliance against the configured Endpoint Management System (EMS). You can configure an access policy to perform compliance checks for connected devices.
The Managed Endpoint Status action provides the following settings:
- Endpoint Management System
- Specifies the endpoint management system. The default is None. Select the endpoint management system server you want to use from the list.
By default, the Managed Endpoint Status action includes these branches:
- compliant
- Indicates the user is connecting with a device compliant with the configured Endpoint Management System.
- not compliant
- Indicates the user is connecting with a device not compliant with the configured Endpoint Management System.
- fallback
- Indicates the user is connecting with another method.
About the Message Box action
A Message Box action presents a message to the user, and prompts the user to click a link to
continue. The message box has no effect on the user's access to the network or the preceding or
following access policy checks. A message box can be used, for example, to warn a user about a
redirect to a guest network, or that the client certificate failed to authenticate, or to display
a message about the results of a rule branch in the access policy.
A Message Box action provides these configuration elements and options:
- Language
- Specifies the language to use to customize this logon page. When a user selects a language, the content in the remaining fields displays in the selected language. Languages on the list reflect those that are configured in the access profile.
- Message
- Specifies the message to present to the user.
- Link
- Specifies the message that appears as the link text.
About OAuth Client
An OAuth Client agent is a policy item that requests authorization and tokens from an OAuth server. An OAuth Client can also get scope data on a per-request basis. The OAuth Client agent provides these configuration elements and options:
- Server
- Specifies the OAuth server to which this OAuth client directs requests.
- Grant Type
- Specifies the type of grant that the OAuth client uses.
- Authorization code - The client redirects the resource owner to the OAuth server to request an authorization code.
- Password - The client uses resource owner password credentials to request an access token from the OAuth server.
- OpenID Connect
- Specifies whether the agent uses OpenID Connect for authorization. Displays when Grant Type is set to Authorization code. To function correctly when enabled, the OAuth provider (associated with the selected Server) must be configured to support JSON web tokens.
- OpenID Connect Flow Type
- Specifies the OpenID Connect flow type to use: Authorization code or Hybrid.
- OpenID Connect Hybrid Response Type
- Specifies the response type to use for an OpenID Connect hybrid flow: code-idtoken, code-token, or code-idtoken-token.
- Authentication Redirect Request
- Specifies an auth-redirect-request type request, which redirects a user to an OAuth server. Displays when Grant Type is set to Authorization code.
- Token Request
- Specifies a token-request type of request.
- Refresh Token Request
- Specifies a token-refresh-request type of request. APM uses this request on a per-request basis.
- OpenID Connect UserInfo Request
- Specifies an openid-userinfo-request type of request. Displays when OpenID Connect is set to Enabled. JWT access tokens can be submitted for an OpenID Connect UserInfo request; however, issuing id_tokens alongside an opaque token is not supported.
- Redirection URI
- Specifies the URI for the OAuth server to redirect a user back to the OAuth client. Displays when Grant Type is set to Authorization code.
- Scope
- Specifies one or more strings separated by spaces; for example, contacts photo email. The strings are defined by the OAuth authorization server; the best source of information for the strings that a particular server defines is the OAuth 2.0 scope documentation on the provider's developer site. For the Authorization code grant type, the OAuth authorization server prompts the user to grant or deny access to the scopes. For the Password grant type, the OAuth authorization server grants permission to the requested scopes based on the user providing resource owner password credentials.
Requests are configured in the area of the product.
About OAuth Logon
The OAuth logon page action prompts for a user name and password, or other
identifying information. This action creates a logon page in a per-session policy (or in a
per-request policy subroutine), and is typically added before the authentication action that
checks the credentials provided on the logon page. The logon page action provides customizable
fields and enables localization.
The OAuth logon page action provides these configuration options and
elements.
When configured in a per-request subroutine, some screen
elements and options described here might not be available.
- Split domain from full username
- Specifies Yes or No.
- Yes - specifies that when a username and domain combination is submitted (for example, marketing\jsmith or jsmith@marketing.example.com), only the username portion (in this example, jsmith) is stored in the session variable session.logon.last.username.
- No - specifies that the entire username string is stored in the session variable.
- CAPTCHA configuration
- Specifies a CAPTCHA configuration to present for added CAPTCHA security on the logon page.
- Type
- Specifies the type of logon page input field: text, password, select, checkbox, radio, or none.
- text - Displays a text field, and shows the text that is typed in that field.
- password - Displays an input field, but displays the typed text as asterisks.
- select - Displays a list. The list is populated with values that are configured for this field.
- checkbox - Displays a check box.
- radio - Displays radio buttons; users select among buttons labeled with the values that are configured for this field.
- none - Specifies that the field is not displayed on the logon page.
- Post Variable Name
- Specifies the variable name that is prepended to the data typed in the text field. For example, the POST variable username sends the user name input omaas as the POST string username=omaas.
- Session Variable Name (or Subsession Variable Name)
- Specifies the session variable name that the server uses to store the data typed in the text field. For example, the session variable username stores the username input omaas as the session variable string session.logon.last.username=omaas. A per-request policy subroutine uses subsession variables in place of session variables.
- Clean Variable
- Specifies whether to clear any value from the variable before presenting the logon page to the user; to clean the variable, select Yes. Defaults to No.
- Values
- Specifies values for use for a select or radio type logon page input field. To configure values, click the field. A popup window opens where you can specify values and any text to display in place of a value.
- Read Only
- Specifies whether the logon page agent is read-only, and always used in the logon process as specified. You can use Read Only to add logon POST variables or session variables that you want to submit from the logon page for every session that uses this access policy, or to populate a field with a value from a session variable. For example, you can use the On-Demand Certificate agent to extract the CN (typically the user name) field from a certificate, then you can assign that variable to session.logon.last.username. In the logon page action, you can specify session.logon.last.username as the session variable for a read-only logon page field that you configure. When Access Policy Manager displays the logon page, this field is populated with the information from the certificate CN field (typically the user name).
Additionally, customization options specify text and an image to display on
the screen.
- Import
- Click Import to import a previously exported logon customization file.
- Language
- Specifies the language to use to customize this logon page. Selecting a language causes the content in the remaining fields to display in the selected language. Languages on the list reflect those that are configured in the access profile.
- Form Header Text
- Specifies the text that appears at the top of the logon box.
- Logon Page Input Field #number
- Specifies the text to display for each input field (number 1 through 4) that is defined in the Logon Page Agent area with Type set to something other than none.
- Input Field #number Values
- Specifies values that are used to label radio buttons (for the radio type of logon page input field) or values to include on a list (for the select type of logon page input field).
- Logon Button
- Specifies the text that appears on the logon button, which a user clicks to post the defined logon agents.
- Front Image
- Specifies an image file to display on the logon page. The Replace Image link enables customization, and the Revert to Default Image link discards any customization and uses the default logon page image.
- Save Password Check Box
- Specifies the text that appears adjacent to the check box that allows users to save their passwords in the logon form. This field is used only in the secure access client, and not in the web client.
- New Password Prompt
- Specifies the prompt displayed when a new Active Directory password is requested.
- Verify Password Prompt
- Specifies the prompt displayed to confirm the new password when a new Active Directory password is requested.
- Password and Password Verification do not Match
- Specifies the warning that the user sees when the passwords typed in the New Password Prompt and Verify Password Prompt boxes do not match.
- Don't Change Password
- Specifies the prompt displayed when a user should not change the password.
- Change Password
- Specifies the message that is displayed to the user when they need to change the password.
- Logon Page Original URL
- Specifies the text to display in a link for a user who is already logged on.
- Yes
- Specifies a possible response to a logon page query or challenge.
- No
- Specifies a possible response to a logon page query or challenge.
About OAuth Scope
The OAuth Scope agent validates JSON web tokens (JWT) or validates scopes
for opaque tokens. The OAuth Scope item provides these elements and options:
- Token Validation Mode
- Internal - In this mode, the agent validates JSON web tokens (JWT).
- External - In this mode, the agent makes requests to an OAuth authorization server to get scopes associated with a token and to get scope data, such as a user's email address or contact list.
- JWT Provider List
- Specifies a list of OAuth providers that support JWT. The agent validates JWT from any of these providers when configured. For Internal mode.
- Server
- Specifies an OAuth server. OAuth servers in resource server, or client and resource server modes are available for selection. For External mode.
- Scopes Request
- Specifies a validation-scopes-request type request. This request type retrieves a list of scopes associated with the token. For External mode.
- OpenID Connect UserInfo Request
- Specifies an openid-userinfo-request type request where the client sends the request using either GET or POST. For External mode.
In External mode, you can add multiple scope data requests to the agent. Click Add New Entry and specify:
- Scope Name
- Specifies the name of a scope for which you are requesting data. (The external OAuth provider specifies the names of the scopes that it supports.)
- Request
- Specifies a scope-data-request type request. This is optional. If the provider does not require this type of request to obtain additional information from an authorization server, you do not need to fill in this field.
You can configure requests here:
About OCSP Auth
An OCSP Auth action retrieves the revocation status of an X.509 certificate by sending the
certificate information to a remote Online Certificate Status Protocol (OCSP) responder.
Typically, an OCSP Auth action follows an action that receives an X.509 certificate. Either a
Client Cert Inspection or On-Demand Cert Auth action can receive the X.509 certificate from a
user. Either action populates session variables with data that OCSP Auth uses. Similarly, a
Machine Cert Auth action can receive an X.509 certificate from a machine and populate session
variables.
A CRLDP Auth action is valid for
use in a per-request policy subroutine when placed after an On-Demand Cert Auth action.
An OCSP Auth action provides these configuration elements and options:
- OCSP Responder
- Specifies the OCSP Responder AAA configuration object, defined in the Access Policy AAA servers area of the Configuration utility.
- Certificate Type
- Specifies the expected type of certificate: User or Machine.
About Okta MFA
In a subroutine in a per-request policy, the Okta MFA agent performs
multifactor authentication (MFA) using the Okta service. The Okta MFA agent specifies the Okta
Connector and the MFA prompt in the per-request policy subroutine. Many customization options
allow you to adjust the wording of the MFA prompts.
The Okta MFA agent uses the subsession.logon.last.username variable for Okta queries from current or previously executed subroutines. It creates the following output variables:
- subsession.okta_mfa.result, which contains 1 in the case of a successful authentication or enrollment.
- subsession.okta_mfa.factor, which stores the factor name (okta_totp, okta_push, or yubico_otp) when authentication is successful.
The Okta MFA agent has two branches: Successful and fallback. The Successful branch expression should specify:
expr {[mcget {subsession.okta_mfa.result}] == 1}
The Okta MFA action provides these configuration elements and options:
- Okta Connector
- Specifies the Okta Connector to use with the action. The Okta Connector defines Okta API parameters (Okta Org domain and Okta API token), and refers to an associated HTTP Connector Transport object (for SSL and DNS settings).
- Language
- Specifies the language to use to customize the Okta MFA page. Selecting a language causes the content in the remaining fields to display in the selected language.Languages on the list reflect those that are configured in the access profile.
- Reset all defaults
- Reset all the values to the defaults provided by the system.
- Display name for Okta Verify factor
- Specifies the title on the MFA screen, such as Okta verify.
- TOTP caption
- Specifies the label asking for the code provided for TOTP authentication, such as Enter code.
- Push caption
- Specifies the label requesting Push authentication, such as Send push.
- Enter code caption
- Specifies the label requesting a code, such as Or enter code.
- Code error caption
- Specifies the message to display if the user typed the code incorrectly.
- Okta Verify enrollment setup message
- Specifies that the user must set up multifactor authentication for Okta Verify.
- Multifactor authentication enrollment setup text
- Specifies the message telling the user that MFA needs to be set up. For example: Company requires multifactor authentication to use an additional layer of security when signing in to your account.
- Download mobile app and QRCode scan description
- Specifies the instructions to download the Okta Verify mobile app. For example: Download and launch Okta Verify application on your mobile device and select Add an account to scan QR code.
- Can't scan QR Code caption
- Specifies the text to display if the QRCode cannot be scanned. For example: More options to enroll.
- Add account using secret key message
- Specifies the text when the user is enrolling using a secret key. For example: Enter your username and below secret key in Okta MFA App to add account.
- Invalid Phone number error
- Specifies the text asking the user to enter a valid phone number.
- Please enter phone number
- Specifies the text asking the user to enter a phone number.
- Activation sms link sent message
- Specifies the text of the message shown when the activation link has been sent to the user's cell phone, which is inserted dynamically into the message.
- Activation email link sent message
- Specifies the text of the message shown when the activation link has been sent to the email address registered for the user's Okta account.
- Send link via Sms caption
- Specifies the caption for the button to enroll via SMS.
- Send link via email caption
- Specifies the caption for the button to enroll via email.
- Setup without push caption
- Specifies the caption for the Setup without sending a push, such as Enroll manually without push.
- Display name for YubiKey factor
- Specifies the caption to select YubiKey authentication.
- YubiKey message
- Specifies the text that explains how to use the YubiKey for authentication, such as Insert your YubiKey into a USB port and tap it to generate a verification code.
- Next caption
- Specifies the caption for the Next button.
- Back caption
- Specifies the caption for the Back button.
- Verify caption
- Specifies the caption for the Verify button.
- Enrollment text shown along with factor name. Factor name will be added dynamically
- Specifies the enrollment text and the factor. To insert the factor name, specify [FACTOR_NAME] anywhere in the text exactly as shown.
About On-Demand Cert Auth
Typically, when a client makes an HTTPS request, an SSL handshake occurs at the start of an SSL session. If the client SSL profile skips the initial SSL handshake, an On-Demand Cert Auth action can re-negotiate the SSL connection from an access policy by sending a certificate request to the user. This prompts a certificate screen to open. After the user provides a valid certificate, the On-Demand Cert Auth action checks the result of certificate authentication. The agent verifies the value of the session variable session.ssl.cert.valid to determine whether authentication was a success.
When configuring on-demand certificate authentication in a per-request policy, avoid having any other agent before the On-Demand Cert Auth agent if the client SSL profile on the virtual server has the Client Certificate field set to ignore. This configuration makes the per-request policy re-execute the subroutine when it reaches the On-Demand Cert Auth agent, which can cause the per-request policy to take the unexpected branch on each agent located before the On-Demand Cert Auth agent.
The On-Demand Cert Auth action provides one configuration option, Auth Mode, with two supported modes:
- Request
- With this mode, the system requests a valid certificate from the client, but the connection does not terminate if the client does not provide a valid certificate. Instead, this action takes the fallback route in the access policy. This is the default option.
- Require
- With this mode, the system requires that a client provide a valid certificate. If the client does not provide a valid certificate, the connection terminates and the client browser stops responding. For an iPod or an iPhone, the Require setting must be used for On-Demand certificate authentication. To pass a certificate check using Safari, the user is asked to select the certificate multiple times. This is expected behavior.
On-demand certificate authentication does not work when added to a subroutine
for a per-request policy that is part of a forward proxy configuration.
About OTP Generate
The OTP Generate action can generate a one-time use time-limited password. This action does not
send the one-time password to a user. Typically, an OTP Generate action precedes other actions
that send the password (the Email action, for example) and then verify it (OTP Verify action).
The OTP Generate action provides these configuration options:
- OTP length
- Specifies the length of the one-time password. Defaults to 6.
- OTP timeout
- Specifies the number of seconds that the password is valid. Defaults to 300.
About OTP Verify
In an access policy, the OTP Verify action checks for a match between a user-entered password and
the one-time password generated previously by the OTP Generate action. The OTP Verify action also
verifies that the one-time password has not expired. The OTP Verify action provides this
configuration option:
- Max Logon Attempts Allowed
- Limits the number of logon attempts.
About Patch Management
The Patch Management action can check for patch management software on the client system. When
this action includes checks for multiple patch management types, if one specified type matches,
the action passes, regardless of other conditions that are specified in the action.
The Patch Management action provides the following configuration elements and options:
- Continuously check the result and end the session if it changes
- Specifies Enabled or Disabled. When Enabled, if the client does not respond for five minutes, the server ends the session.
- Platform
- Specifies a platform. The default is Any. When a platform is selected, the Vendor ID and Product ID lists update to include the products and vendors that are supported for that platform according to the EPSEC package that is installed on the BIG-IP system. A link to a report that includes the antivirus software that Access Policy Manager currently supports is available on the BIG-IP system Welcome page.
- Vendor ID
- Specifies a vendor ID (from the list of supported vendors) or Any.
- Product ID
- Specifies a product ID (from the list of supported products) or Any.
- Automatic Updates
- Specifies one of these values:
- Enabled - When selected, the action verifies that patch management software is running on the client system.
- Disabled - When selected, the action verifies that patch management software is not running on the client system.
- Unspecified - When selected, the action does not perform either verification.
- Version
- Specifies a version; when specified, the Patch Management action verifies the version of the software.
- Max Allowed No. of Missing Critical Updates
- Specifies a number; when specified, the action verifies that the number of missing critical updates for the software is less than this number.
About Proxy Select
The Proxy Select agent is for use in selecting the next hop in forward proxy chaining. The
Proxy Select agent provides these elements and options:
- Pool
- Specifies a pool of one or more proxy servers from which to select the next hop. All proxy servers in the pool that you select must support the forward proxy mode that you specify in the Upstream Proxy Mode setting.
- Upstream Proxy Mode
- Specifies whether the next hop is to a forward proxy server that supports Explicit forward proxy or Transparent forward proxy.
- Username
- Specifies the name of a user account on the proxy server. To use static credentials to authenticate the user at the next hop, provide the username and password.
- Password
- Specifies the password for the user account on the proxy server.
About Public File Sharing
The Public File Sharing agent can continuously check for peer-to-peer software on client endpoints on Windows, Mac, and Linux systems. The system ends the session if the result changes and the client does not respond within five minutes.
About RADIUS Acct
A RADIUS Acct action reports user session information to an external RADIUS accounting server; it does not perform authentication.
A RADIUS Acct action provides these configuration elements and options:
- AAA Server
- Specifies the RADIUS server; servers are defined in the area of the Configuration utility.
- Username Source
- Specifies the session variable name from which the RADIUS Accounting server should read the username. The default value is %{session.logon.last.username}.
About RADIUS Auth
A RADIUS Auth action authenticates a client against an external RADIUS server. A RADIUS Auth action provides these configuration elements and options.
When configured in a
per-request policy subroutine, some screen elements and options described here might not be
available.
- AAA Server
- Specifies the RADIUS accounting server; servers are defined in the area of the Configuration utility.
- Show Extended Error
- When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended only for use in a testing or debugging environment, not in production. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, displays non-comprehensive error messages generated by the authentication server on the user's logon page.)
- Max Logon Attempts Allowed
- Specifies the number of user authentication logon attempts to allow. A complete logon and password challenge and response is considered as one attempt. For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.
- Username Source
- Specifies the session variable name from which the RADIUS agent should read the username. The default value is %{session.logon.last.username}.
- Password Source
- Specifies the session variable name from which the RADIUS agent should read the password. The default value is %{session.logon.last.password}.
About SAML Auth
The SAML Auth action authenticates against an external SAML Identity Provider (IdP). This action is for use when the BIG-IP system is configured as a SAML service provider and supports connections initiated at SAML service providers.
The SAML Auth action provides these configuration elements:
- AAA server
- Specifies a local SP service that is associated with a SAML IdP. The local SP service configuration uniquely identifies the SP and specifies its security requirements. IdPs are specified in SAML IdP connector configurations.
- Attribute Consuming Service
- Specifies the name of one of the attribute consuming services associated with the server. The index associated with the selected attribute consuming service is included in the generated SAML authentication request. The identity provider maps the index to the list of attributes derived from the metadata previously shared and returns those attributes in the SAML response. For example, the SP may include an Attribute Consuming Index in a SAML request to get the attributes of an authenticated user.
- Force Authentication
- Allows the SP to include the ForceAuthn flag in an Authentication request at runtime. The options are:
- Enable - Overrides the Service Provider Force Authentication setting and always adds ForceAuthn=true to the Authentication request.
- Disable - Overrides the Service Provider Force Authentication setting and always adds ForceAuthn=false to the Authentication request.
- Use AAA server setting (the default) - Uses the same Force Authentication setting as the Service Provider.
- Session variable setting - Specifies that you want to use a session variable to control the ForceAuthn flag included in the Authentication request.
- Force Authentication Session Variable
- When Force Authentication is set to Session variable setting, specifies a session variable that controls the value of the ForceAuthn flag included in the Authentication request, as follows.
- If the session variable resolves to 1 at runtime, APM adds ForceAuthn=true to the Authentication request, overriding the Force Authentication setting on the Service Provider.
- If the session variable resolves to 0 at runtime, APM adds ForceAuthn=false to the Authentication request, overriding the Force Authentication setting on the Service Provider.
- If the session variable is not found at runtime or resolves to a value other than 1 or 0, then the Force Authentication setting on the Service Provider controls the behavior of the ForceAuthn flag included in the Authentication request.
About Server IP Subnet Match
This agent lets you create policy branch rules based on the subnet of the server.
About Server Port Match
This agent lets you create policy branch rules based on the server port number.
About SSO Configuration Select
The Select SSO Configuration agent enables per-request selection of an SSO configuration from these SSO configuration types:
- HTTP Basic
- NTLMv1
- NTLMv2
- Kerberos
The Select SSO Configuration agent provides these configuration elements and options:
- SSO Configuration Name
- Select an SSO configuration name from the list.
About System Health Agent
The System Health Agent action checks for health agent software on client
systems. When this action includes checks for multiple health agent types, if one specified type
matches the software on the client system, the action passes, regardless of other health agent
conditions that are specified in the action.
A System Health Agent action provides these settings and options:
- Platform
- Specifies a platform. The default is Any. When a platform is selected, the Vendor ID and Product ID lists update to include the products and vendors that are supported for that platform according to the EPSEC package that is installed on the BIG-IP system. A link to a report that includes the antivirus software that Access Policy Manager currently supports is available on the BIG-IP system Welcome page.
- Vendor ID
- Specifies a vendor ID (from the list of supported vendors) or Any.
- Product ID
- Specifies a product ID (from the list of supported products) or Any.
- Version
- Specifies a version; when specified, the System Health Agent action verifies the version of the software.
- Policy Compliance
- Specifies one of these values:
- Enabled - when selected, the action verifies that the client is compliant with the health policy specified by the site administrator.
- Disabled - when selected, the agent verifies that the client is out of compliance with the health policy specified by the site administrator.
- Unspecified - when selected, the agent verifies the existence of the software only.
About URL Branching
The URL Branching action is useful for treating a few URLs differently from others. The action
provides an Allow branch and a fallback branch. The URL Branching action provides these
conditions for defining branch rules.
- Equals
- The URL must exactly match the specified URL.
- Substring
- The URL must contain the specified string.
- Prefix Match
- The URL must start with the specified string.
- Suffix Match
- The URL must end with the specified string.
- Glob match
- The URL must match the specified globbing pattern. These globbing patterns are supported:
- * - Matches any number of characters (none, one, or more).
- ? - Matches a single character in these sets: [a-z] or [0-9] or [A-Za-z].
- [characters] - Matches one of the specified characters.
- [^characters] - Matches any character except for those specified.
- [!characters] - Matches any character except for those specified.
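The glob semantics listed above, reproduced as an added Python example (not code from the BIG-IP system): a matcher that turns a URL Branching glob pattern into a regular expression with exactly the documented meaning of *, ?, [characters], [^characters] and [!characters], plus an evaluator for the five condition types that returns the Allow or fallback branch. Treating a hyphen inside brackets as a literal character (the page lists no range syntax) and taking the Allow branch when any one rule matches are assumptions; the rules and URLs are constructed samples.

```python
import re
from typing import Iterable, Tuple

# Character set that "?" matches per the URL Branching documentation:
# a single character from [a-z], [0-9] or [A-Za-z], i.e. one ASCII alphanumeric.
QMARK_CLASS = "[A-Za-z0-9]"


def glob_to_regex(pattern: str) -> str:
    """Translate a URL Branching glob pattern into a regular expression.

    Every character other than the glob metacharacters is matched literally,
    so "." in a host name does not become a regex wildcard.
    """
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            out.append(".*")          # any number of characters, including none
        elif c == "?":
            out.append(QMARK_CLASS)   # exactly one alphanumeric character
        elif c == "[":
            start = i + 1
            negate = start < n and pattern[start] in "^!"
            if negate:
                start += 1
            # A "]" right after "[" or "[^" is a member of the set, not its terminator.
            scan = start + 1 if start < n and pattern[start] == "]" else start
            end = pattern.find("]", scan)
            if end == -1:
                out.append(re.escape(c))  # unterminated bracket: literal "["
            else:
                members = pattern[start:end]
                # Assumption: members are individual characters (the page lists
                # no range syntax), so "-" is escaped and matched literally.
                body = "".join(re.escape(ch) for ch in members)
                out.append(("[^" if negate else "[") + body + "]")
                i = end
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def glob_match(pattern: str, url: str) -> bool:
    """True if the whole URL matches the glob pattern."""
    return re.fullmatch(glob_to_regex(pattern), url) is not None


def condition_matches(kind: str, value: str, url: str) -> bool:
    """Evaluate one URL Branching condition type against a URL."""
    if kind == "Equals":
        return url == value
    if kind == "Substring":
        return value in url
    if kind == "Prefix Match":
        return url.startswith(value)
    if kind == "Suffix Match":
        return url.endswith(value)
    if kind == "Glob match":
        return glob_match(value, url)
    raise ValueError(f"unknown URL Branching condition: {kind!r}")


def url_branch(url: str, rules: Iterable[Tuple[str, str]]) -> str:
    """Return the branch taken: "Allow" if any rule matches, otherwise "fallback".

    Assumption: the Allow branch fires when any one of its conditions matches.
    """
    return "Allow" if any(condition_matches(k, v, url) for k, v in rules) else "fallback"


# Constructed sample rules (condition type, value); not from any real configuration.
SAMPLE_RULES = [
    ("Prefix Match", "https://intranet.example.com/public/"),
    ("Glob match", "https://*.example.com/reports/report[123].pdf"),
    ("Suffix Match", "/status.json"),
]

if __name__ == "__main__":
    for url in (
        "https://intranet.example.com/public/index.html",
        "https://docs.example.com/reports/report2.pdf",
        "https://docs.example.com/reports/report4.pdf",
        "https://docs.example.com/",
    ):
        print(f"{url} -> {url_branch(url, SAMPLE_RULES)}")
```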
To match many URLs, you might consider configuring URL categories in the area of the product and using Category Lookup in your per-request policy.
About Variable Assign
The Variable Assign action can include one or more entries. An entry specifies a variable and assigns a value to it.
In the entry screen, the variable is specified in the left pane and the value is specified in
the right pane.
A Variable Assign action provides these configuration elements and options for the
variable:
- Custom Variable
- Specifies a variable name. It can be any name, including the name of a session variable or the name of a perflow variable. For a per-session policy, when the policy runs it recognizes only existing perflow variables.
- Predefined Variables
- Specifies a predefined session variable or perflow variable name, which must be selected from the Variable list. The type of variable (session or perflow) that is available for selection depends on the selected Group: Per-Session Variables or Per-Request Variables. For Per-Request Variables, the Scratchpad, Custom, and Primary Category perflow variables are available for use in the per-request policy and in per-request policy subroutines. You can, for example, pass the value of a session variable into the per-request policy in one of these variables.
- Unsecure or Secure
- Specifies whether the variable is secure. A secure variable is stored in encrypted form in the session database. The value of a secure variable is not displayed in the session report, or logged by the logging agent.
A Variable Assign action provides these configuration elements and options for the value:
- Custom Expression
- Specifies a Tcl expression. The result of the expression is used as the value.
- AAA attribute
- Specifies the name of the attribute that contains the value:
- Agent Type - specifies the type of AAA server: AD, LDAP, or RADIUS.
- Attribute Type - specifies the attribute type to use depending on the agent type:
- Use user's attribute - for AD agent.
- Use user's primary group attribute - for AD agent.
- Use LDAP attribute - for LDAP agent.
- Use RADIUS attribute - for RADIUS agent.
- Agent type attribute name - specifies the name of the attribute that contains the value.
- Text
- Specifies a text string to use as the value. The text entered in this field is used as is.
- Session Variable
- Specifies the name of a session variable from which to get the value.