Manual Chapter :
Perflow and Subsession Variables
Applies To:
Show VersionsBIG-IP APM
- 16.0.1, 16.0.0
Perflow and Subsession Variables
Perflow and subsession variables
Perflow variables exist only while a
per-request policy runs. Perflow variables for a per-request policy
subroutine exist while the subsession exists. Multiple subsessions
can run simultaneously. The table lists perflow variables and their
values.
Name |
Value, if
known |
---|---|
perflow.ad.last.authresult
|
Last authentication
result. |
perflow.agent_category_lookup.type
|
Agent category
type. |
perflow.agent_ending.result
|
0 (success) or 1 (failure). |
perflow.agent_failed.reason
|
Reason for agent
failure. |
perflow.agent_license.status
|
Status of the agent
license. |
perflow.agent_license.type
|
Type of agent
license. |
perflow.agent.state
|
Agent state. |
perflow.api.api_server
|
Set by the Request
Classification agent when the matching path is
associated with a server. Also set by the API
Server Selection agent. |
perflow.api.traffic_key.user_id
|
API traffic user
ID. |
perflow.api.traffic_key.user_group_id
|
API traffic user
group ID. |
perflow.api.traffic_key.client_app_id
|
API traffic client
application ID. |
perflow.api.traffic_key.service_tier
|
API traffic service
tier. |
perflow.api.traffic_key.organization_id
|
API traffic
organization ID. |
perflow.api_rate_limiting.error_string
|
Set by the API Rate
Limiting Enforcement agent if an error
occurred. |
perflow.api.proxy_error
|
API proxy
error. |
perflow.api.proxy_auth_type
|
API proxy
authorization type. |
perflow.api_rate_limiting.result
|
Set by the API Rate
Limiting Enforcement agent indicating whether
enforcement succeeded. |
perflow.apmd_agent.state
|
APM daemon
state. |
perflow.application_filter_lookup.result.action
|
0 (block) or 1 (allow). |
perflow.application_lookup.result.effective_
application
|
Name of the
application that is ultimately used. |
perflow.application_lookup.result.effective_
family
|
Name of the
application family that is ultimately
used. |
perflow.application_lookup.result.families
|
Comma-separated list
of application families. |
perflow.application_lookup.result.names
|
Comma-separated list
of application names. |
perflow.application_lookup.result.primary_
application
|
Name of the
application that APM determines is the primary
one. |
perflow.application_lookup.result.primary_family
|
Name of the
application family that Access Policy Manager
(APM) determines is the primary one. (An
application might fit into more than one
application family.) |
perflow.bypass_lookup.result.ssl
|
SSL bypass lookup
result. |
perflow.assign_credentials.password
|
Password from Assign
Credentials agent. |
perflow.assign_credentials.share_password
|
Shared password from
Assign Credentials agent. |
perflow.assign_credentials.username
|
Username from Assign
Credentials agent. |
perflow.branching.url
|
Name of branching
URL. |
perflow.bypass_lookup.result.ssl
|
0 (http) or 1 (https). |
perflow.category_lookup.failure
|
0 (success) or 1 (server failure). |
perflow.category_lookup.result.categories
|
Comma-separated list
of categories. |
perflow.category_lookup.result.custom
categories
|
Unique number that
identifies a custom category; used
internally. |
perflow.category_lookup.result.display
category
|
Name of the display
category. |
perflow.category_lookup.result.effective_category
|
Name of the category
that is ultimately used. |
perflow.category_lookup.result.filter_name
|
Name of the URL
filter. |
perflow.category_lookup.result.hostname
|
Host name retrieved
from SSL input. |
perflow.category_lookup.result.numcategories
|
Integer. Total
number of categories in the comma-separated list
of categories. |
perflow.category_lookup.result.numcustom
categories
|
Integer. Total
number of custom categories in the comma-separated
list of custom categories. |
perflow.category_lookup.result.primarycategory
|
Name of the category
that APM determines is the primary one. (A URL
might fit into more than one category, such as
news and sports.) |
perflow.category_lookup.result.url
|
Requested
URL. |
perflow.client.information.hash
|
Client
information. |
perflow.client.information.header
|
Client information
header. |
perflow.client.information.metadata.header
|
Client information
metadata header. |
perflow.client.ip.address
|
Client IP
address. |
perflow.client.port
|
Client port
number. |
perflow.credential.block
|
Credential
block. |
perflow.credential.blockkeys
|
|
perflow.custom
|
Unique number that
identifies a custom category; used
internally. |
perflow.custom.flow
|
Custom flow. |
perflow.decision_box.result
|
0 (continue) or 1 (cancel) selected for the Confirm
Box action in the subroutine. |
perflow.ending.redirect.captive.url
|
Ending redirect
captive portal URL. |
perflow.epi.error_code
|
End-point inspection
error code. |
perflow.epi.result
|
End-point inspection
result. |
perflow.ip.geolocation.continent.result
|
Continent based on
geolocation of the IP address. |
perflow.ip.geolocation.country.code.result
|
Country code based
on geolocation of the IP address. |
perflow.ip.geolocation.country.name.result
|
Country name based
on geolocation of the IP address. |
perflow.ip.geolocation.failure
|
Geolocation
failure. |
perflow.ip.geolocation.region.result
|
Region based on
geolocation of the IP address. |
perflow.ip.reputation.failure
|
IP reputation
failure. |
perflow.ip.reputation.result
|
IP reputation
result. |
perflow.irule_agent_id
|
iRule agent
ID. |
perflow.l7_protocol_lookup.result
|
Layer 7 protocol
lookup result. |
perflow.last.auth_failure.err_code |
User error displayed at the top of the
logon page. |
perflow.last.auth_failure.err_msg |
User error displayed at the top of the
logon page. |
perflow.last.logon.itemname
|
Last logon. |
perflow.logon_save_user_credentials_
block
|
Saved user
credentials block. |
perflow.mangled.url
|
Name of mangled
URL. |
perflow.map.subroutine_subsession
|
Subroutine
subsession. |
perflow.oauth.scope.auth_hdr_name
|
OAuth scope header
name. |
perflow.oauth.scope.auth_hdr_value
|
OAuth scope header
value. |
perflow.oauth.scope.status_code
|
OAuth scope status
codes. |
perflow.oauth.scope.status_string
|
OAuth scope status
string. |
perflow.on_demand_cert.result
|
0 (success) or 1 (failure) of On-Demand Certificate
authentication in the subroutine. |
perflow.on_demand_cert.orig_uri
|
Originating URI of
the On-Demand Certificate in the
subroutine. |
perflow.policy_path
|
Policy path. |
perflow.policy_path_count
|
Policy path
count. |
perflow.protocol_lookup.result
|
http or https . Defaults to https. |
perflow.proxy_select.selection_reused
|
Proxy select reuse.
0 (No) or 1 (Yes) |
perflow.redirect.url
|
Redirect
URL. |
perflow.renderer.status_code
|
Renderer status
code. |
perflow.renderer.status_code_from
|
Where renderer
status code is from. |
perflow.renderer.status_code_to
|
Where renderer
status code is going to. |
perflow.renderer.token
|
Renderer
token. |
perflow.renderer.url
|
Renderer
URL. |
perflow.request_analytics.failure
|
0 (success) or 1 (server failure). |
perflow.request_classification.path_id
|
Set by the Request
Classification agent. |
perflow.resource_assign_pool.name
|
Pool name
assigned. |
perflow.response_analytics.failure
|
0 (success) or 1 (server failure). |
perflow.response_header_names
|
Response header
names. |
perflow.response_headers_num
|
Response headers
number. |
perflow.response_headers_set
|
Response headers
set. |
perflow.response_header_values
|
Response header
values. |
perflow.response_selection.response
|
Set by the Response
Selection agent. |
perflow.save.validated.credentials
|
Validated
credentials to save. If
perflow.save.validated.credentials
is activated from Logon page, then the
<Validated Credentials Prefix>.username =
username used for authentication, and
<Validated Credentials Prefix>.password =
password used for authentication. |
perflow.scratchpad
|
Scratchpad. |
perflow.scratchpad.flow
|
Scratchpad
flow. |
perflow.service_path
|
Service
path. |
perflow.session_check.session_found
|
0 (Not found) or 1 (found). Session found during
service check. |
perflow.session.id
|
Session ID. |
perflow.server.ip.address
|
Server IP
address. |
perflow.server.port
|
Server port
number. |
perflow.ssl_bypass_set
|
0 (bypass) or 1 (intercept). SSL Bypass Set and SSL
Intercept Set items update this value. |
perflow.ssl.bypass_default
|
0 (bypass) or 1 (intercept). Specified in the client
SSL profile, used when SSL Bypass Set and SSL
Intercept Set items not included in per-request
policy. |
perflow.ssl_check.ssl_found
|
0 (Not found) or 1 (found). SSL check found
SSL. |
perflow.ssl.client_cipher_name
|
Client SSL cipher
name. |
perflow.ssl.client_cipher_version
|
Client SSL cipher
version. |
perflow.ssl.server_cipher_name
|
Server SSL cipher
name. |
perflow.ssl.server_cipher_version
|
Server SSL cipher
version. |
perflow.ssl.server_cert.response_control
|
Server SSL
certificate response control. |
perflow.ssl.server_cert.status
|
Server SSL
certificate status. |
perflow.sso_configuration_select.name
|
Single sign on
configuration name. |
perflow.subroutine.gating_expr
|
Subroutine gating
expression. |
perflow.subroutine.invalidated
|
0 (validated) or 1 (invalidated) subroutine. |
perflow.subroutine.loop_countdown
|
Subroutine loop
countbown. |
perflow.subroutine.name
|
Name of the
subroutine. |
perflow.subroutine.out_terminal
|
Name of the
subroutine out terminal. |
perflow.subroutine_skip_agent_cb_flag
|
Subroutine skip
agent flag. |
perflow.subsession.id
|
Subsession
ID. |
perflow.subsession.lifetime
|
Subsession
length. |
perflow.subsession.lookup
|
Subsession
lookup. |
perflow.subsession.state
|
Subsession
state. |
perflow.subsession.state_lookup
|
Subsession state
lookup. |
perflow.swg_license.consume
|
Secure Web Gateway
consumer license. |
perflow.swg_limited_license.consume
|
Secure Web Gateway
limited consumer license. |
perflow.urlfilter_lookup.result.action
|
3 (confirm), 2 (block) or 1 (allow). |
perflow.username
|
User name. |
perflow.subroutine.loop_countdown
|
Number of iterations
remaining on a subroutine loop. |
subsession.ad.last.actualdomain
|
User's domain from
AD for the last login. |
subsession.ad.last.attr.$attr_name
|
$attr_name is a value that represents the
user’s attributes received from the Active
Directory. For example, displayName,
distinguishedName, givenName, memberOf, name,
objectGUID, primaryGroup, pwdLastSet,
sAMAccountName, userAccountControl, and
userPrincipalName. |
subsession.ad.last.authresult
|
0 (success) or 1 (failure) of Active Directory
authentication in the subroutine. |
subsession.ad.last.errmsg
|
Displays the error
message for the last login. |
subsession.ad.last.queryresult
|
Result of the Active Directory query.
0 (failure) or 1 (success) |
subsession.api_authentication.scheme
|
Set by the API
Authentication agent. Set to either basic or bearer based on the authentication
header in the request. |
subsession.http_connector.body |
Stores full response payload, when
response-action is set to
save . When
response-action is set to
parse , response body is
parsed as JSON and all leaf values are stored as
subsession variables under
subsession.http_connector.body
prefix. |
subsession.http_connector.error |
Set to 0 , if HTTP
connector is able to receive and parse (if needed)
HTTP response. |
subsession.http_connector.header.* |
Variables store response headers. For
example,
subsession.http_connector.header.Set-Cookie |
subsession.http_connector.status |
Contains the HTTP status code of response
when received. |
subsession.ldap.last.authresult
|
0 (success) or 1 (failure) of LDAP authentication in
the subroutine. |
subsession.ldap.last.errmsg
|
Displays the error
message for the last login. |
subsession.ldap.last.errmsgext
|
Displays extended error message from the
last login. This can be used to obtain extended
information from some endpoints such as user
account expiration status from a Windows Global
Catalog. |
subsession.logon.last.password
|
Password for the
last login. |
subsession.ldap.last.queryresult
|
Result of the LDAP query. 0 (failure) or 1 (success) |
subsession.ldap.last.totalEntries
|
Number of matches to query |
subsession.logon.last.username
|
User name for the
last login. |
subsession.logon.last.authtype
|
Last authentication
type |
subsession.okta_mfa.factor |
Output by the Okta
MFA agent and displays the factor name (okta_totp,
okta_push, or yubico_otp) upon successful Okta
authentication. |
subsession.okta_mfa.result |
Output by the Okta
MFA agent and displays 1 upon successful Okta
authentication or enrollment. |
subsession.otp.assigned.expire |
Timeout including the current time (Unix
format) |
subsession.otp.assigned.ttl |
Timeout time in seconds of OTP |
subsession.otp.assigned.val |
Generated value of OTP |
subsession.otp.verify.last.authresult |
Output after OTP Verify agent reads the OTP
token value and compares the current time with the
expiry time and produces a result. |
subsession.otp.verify.last.errmsg |
Displays the OTP verify error
message. |
subsession.radius.last.acct.acct_authentic
|
Indicates how the user was authenticated:
Radius, local or remote. |
subsession.radius.last.acct.acct_status_type
|
RADIUS accounting status on whether it is
the start or end of accounting. |
subsession.radius.last.acct.nas_ip_address
|
RADIUS accounting NAS-IP address |
subsession.radius.last.acct.nas_ipv6_address
|
RADIUS accounting NAS-IPv6 address |
subsession.radius.last.acct.nas_port
|
RADIUS accounting NAS port |
subsession.radius.last.acctresult
|
RADIUS accounting result on whether the
START message is sent to the accounting
server. |
subsession.radius.last.acct.server
|
RADIUS accounting server |
subsession.radius.last.acct.service_type
|
RADIUS accounting service type. |
subsession.radius.last.acct.start_time
|
Time when the last START message was sent
to the RADIUS Accounting agent. |
subsession.radius.last.attr.filter-id
|
RADIUS attribute
filter ID |
subsession.radius.last.attr.framed-compression
|
RADIUS attribute
framed compression. |
subsession.radius.last.attr.framed-mtu
|
RADIUS attribute
framed MTU. |
subsession.radius.last.attr.framed-protocol
|
RADIUS attribute
framed protocol. |
subsession.radius.last.attr.service-type
|
RADIUS attribute
service type. |
subsession.radius.last.errmsg
|
Displays the error
message for the last login. |
subsession.radius.last.result
|
0 (success) or 1 (failure) of RADIUS authentication
in the subroutine. |