Manual Chapter : Perflow and Subsession Variables

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 16.0.1, 16.0.0
Manual Chapter

Perflow and Subsession Variables

Perflow and subsession variables

Perflow variables exist only while a per-request policy runs. Perflow variables for a per-request policy subroutine exist while the subsession exists. Multiple subsessions can run simultaneously. The table lists perflow variables and their values.
Name
Value, if known
perflow.ad.last.authresult
Last authentication result.
perflow.agent_category_lookup.type
Agent category type.
perflow.agent_ending.result
0
(success) or
1
(failure).
perflow.agent_failed.reason
Reason for agent failure.
perflow.agent_license.status
Status of the agent license.
perflow.agent_license.type
Type of agent license.
perflow.agent.state
Agent state.
perflow.api.api_server
Set by the Request Classification agent when the matching path is associated with a server. Also set by the API Server Selection agent.
perflow.api.traffic_key.user_id
API traffic user ID.
perflow.api.traffic_key.user_group_id
API traffic user group ID.
perflow.api.traffic_key.client_app_id
API traffic client application ID.
perflow.api.traffic_key.service_tier
API traffic service tier.
perflow.api.traffic_key.organization_id
API traffic organization ID.
perflow.api_rate_limiting.error_string
Set by the API Rate Limiting Enforcement agent if an error occurred.
perflow.api.proxy_error
API proxy error.
perflow.api.proxy_auth_type
API proxy authorization type.
perflow.api_rate_limiting.result
Set by the API Rate Limiting Enforcement agent indicating whether enforcement succeeded.
perflow.apmd_agent.state
APM daemon state.
perflow.application_filter_lookup.result.action
0
(block) or
1
(allow).
perflow.application_lookup.result.effective_ application
Name of the application that is ultimately used.
perflow.application_lookup.result.effective_ family
Name of the application family that is ultimately used.
perflow.application_lookup.result.families
Comma-separated list of application families.
perflow.application_lookup.result.names
Comma-separated list of application names.
perflow.application_lookup.result.primary_ application
Name of the application that APM determines is the primary one.
perflow.application_lookup.result.primary_family
Name of the application family that Access Policy Manager (APM) determines is the primary one. (An application might fit into more than one application family.)
perflow.bypass_lookup.result.ssl
SSL bypass lookup result.
perflow.assign_credentials.password
Password from Assign Credentials agent.
perflow.assign_credentials.share_password
Shared password from Assign Credentials agent.
perflow.assign_credentials.username
Username from Assign Credentials agent.
perflow.branching.url
Name of branching URL.
perflow.bypass_lookup.result.ssl
0
(http) or
1
(https).
perflow.category_lookup.failure
0
(success) or
1
(server failure).
perflow.category_lookup.result.categories
Comma-separated list of categories.
perflow.category_lookup.result.custom categories
Unique number that identifies a custom category; used internally.
perflow.category_lookup.result.display category
Name of the display category.
perflow.category_lookup.result.effective_category
Name of the category that is ultimately used.
perflow.category_lookup.result.filter_name
Name of the URL filter.
perflow.category_lookup.result.hostname
Host name retrieved from SSL input.
perflow.category_lookup.result.numcategories
Integer. Total number of categories in the comma-separated list of categories.
perflow.category_lookup.result.numcustom categories
Integer. Total number of custom categories in the comma-separated list of custom categories.
perflow.category_lookup.result.primarycategory
Name of the category that APM determines is the primary one. (A URL might fit into more than one category, such as news and sports.)
perflow.category_lookup.result.url
Requested URL.
perflow.client.information.hash
Client information.
perflow.client.information.header
Client information header.
perflow.client.information.metadata.header
Client information metadata header.
perflow.client.ip.address
Client IP address.
perflow.client.port
Client port number.
perflow.credential.block
Credential block.
perflow.credential.blockkeys
perflow.custom
Unique number that identifies a custom category; used internally.
perflow.custom.flow
Custom flow.
perflow.decision_box.result
0
(continue) or
1
(cancel) selected for the Confirm Box action in the subroutine.
perflow.ending.redirect.captive.url
Ending redirect captive portal URL.
perflow.epi.error_code
End-point inspection error code.
perflow.epi.result
End-point inspection result.
perflow.ip.geolocation.continent.result
Continent based on geolocation of the IP address.
perflow.ip.geolocation.country.code.result
Country code based on geolocation of the IP address.
perflow.ip.geolocation.country.name.result
Country name based on geolocation of the IP address.
perflow.ip.geolocation.failure
Geolocation failure.
perflow.ip.geolocation.region.result
Region based on geolocation of the IP address.
perflow.ip.reputation.failure
IP reputation failure.
perflow.ip.reputation.result
IP reputation result.
perflow.irule_agent_id
iRule agent ID.
perflow.l7_protocol_lookup.result
Layer 7 protocol lookup result.
perflow.last.auth_failure.err_code
User error displayed at the top of the logon page.
perflow.last.auth_failure.err_msg
User error displayed at the top of the logon page.
perflow.last.logon.itemname
Last logon.
perflow.logon_save_user_credentials_ block
Saved user credentials block.
perflow.mangled.url
Name of mangled URL.
perflow.map.subroutine_subsession
Subroutine subsession.
perflow.oauth.scope.auth_hdr_name
OAuth scope header name.
perflow.oauth.scope.auth_hdr_value
OAuth scope header value.
perflow.oauth.scope.status_code
OAuth scope status codes.
perflow.oauth.scope.status_string
OAuth scope status string.
perflow.on_demand_cert.result
0
(success) or
1
(failure) of On-Demand Certificate authentication in the subroutine.
perflow.on_demand_cert.orig_uri
Originating URI of the On-Demand Certificate in the subroutine.
perflow.policy_path
Policy path.
perflow.policy_path_count
Policy path count.
perflow.protocol_lookup.result
http
or
https
. Defaults to https.
perflow.proxy_select.selection_reused
Proxy select reuse.
0
(No) or
1
(Yes)
perflow.redirect.url
Redirect URL.
perflow.renderer.status_code
Renderer status code.
perflow.renderer.status_code_from
Where renderer status code is from.
perflow.renderer.status_code_to
Where renderer status code is going to.
perflow.renderer.token
Renderer token.
perflow.renderer.url
Renderer URL.
perflow.request_analytics.failure
0
(success) or
1
(server failure).
perflow.request_classification.path_id
Set by the Request Classification agent.
perflow.resource_assign_pool.name
Pool name assigned.
perflow.response_analytics.failure
0
(success) or
1
(server failure).
perflow.response_header_names
Response header names.
perflow.response_headers_num
Response headers number.
perflow.response_headers_set
Response headers set.
perflow.response_header_values
Response header values.
perflow.response_selection.response
Set by the Response Selection agent.
perflow.save.validated.credentials
Validated credentials to save. If
perflow.save.validated.credentials
is activated from Logon page, then the <Validated Credentials Prefix>.username = username used for authentication, and <Validated Credentials Prefix>.password = password used for authentication.
perflow.scratchpad
Scratchpad.
perflow.scratchpad.flow
Scratchpad flow.
perflow.service_path
Service path.
perflow.session_check.session_found
0
(Not found) or
1
(found). Session found during service check.
perflow.session.id
Session ID.
perflow.server.ip.address
Server IP address.
perflow.server.port
Server port number.
perflow.ssl_bypass_set
0
(bypass) or
1
(intercept). SSL Bypass Set and SSL Intercept Set items update this value.
perflow.ssl.bypass_default
0
(bypass) or
1
(intercept). Specified in the client SSL profile, used when SSL Bypass Set and SSL Intercept Set items not included in per-request policy.
perflow.ssl_check.ssl_found
0
(Not found) or
1
(found). SSL check found SSL.
perflow.ssl.client_cipher_name
Client SSL cipher name.
perflow.ssl.client_cipher_version
Client SSL cipher version.
perflow.ssl.server_cipher_name
Server SSL cipher name.
perflow.ssl.server_cipher_version
Server SSL cipher version.
perflow.ssl.server_cert.response_control
Server SSL certificate response control.
perflow.ssl.server_cert.status
Server SSL certificate status.
perflow.sso_configuration_select.name
Single sign on configuration name.
perflow.subroutine.gating_expr
Subroutine gating expression.
perflow.subroutine.invalidated
0
(validated) or
1
(invalidated) subroutine.
perflow.subroutine.loop_countdown
Subroutine loop countbown.
perflow.subroutine.name
Name of the subroutine.
perflow.subroutine.out_terminal
Name of the subroutine out terminal.
perflow.subroutine_skip_agent_cb_flag
Subroutine skip agent flag.
perflow.subsession.id
Subsession ID.
perflow.subsession.lifetime
Subsession length.
perflow.subsession.lookup
Subsession lookup.
perflow.subsession.state
Subsession state.
perflow.subsession.state_lookup
Subsession state lookup.
perflow.swg_license.consume
Secure Web Gateway consumer license.
perflow.swg_limited_license.consume
Secure Web Gateway limited consumer license.
perflow.urlfilter_lookup.result.action
3
(confirm),
2
(block) or
1
(allow).
perflow.username
User name.
perflow.subroutine.loop_countdown
Number of iterations remaining on a subroutine loop.
subsession.ad.last.actualdomain
User's domain from AD for the last login.
subsession.ad.last.attr.$attr_name
$attr_name is a value that represents the user’s attributes received from the Active Directory. For example, displayName, distinguishedName, givenName, memberOf, name, objectGUID, primaryGroup, pwdLastSet, sAMAccountName, userAccountControl, and userPrincipalName.
subsession.ad.last.authresult
0
(success) or
1
(failure) of Active Directory authentication in the subroutine.
subsession.ad.last.errmsg
Displays the error message for the last login.
subsession.ad.last.queryresult
Result of the Active Directory query.
0
(failure) or
1
(success)
subsession.api_authentication.scheme
Set by the API Authentication agent. Set to either
basic
or
bearer
based on the authentication header in the request.
subsession.http_connector.body
Stores full response payload, when
response-action
is set to
save
. When
response-action
is set to
parse
, response body is parsed as JSON and all leaf values are stored as subsession variables under
subsession.http_connector.body
prefix.
subsession.http_connector.error
Set to
0
, if HTTP connector is able to receive and parse (if needed) HTTP response.
subsession.http_connector.header.*
Variables store response headers. For example, subsession.http_connector.header.Set-Cookie
subsession.http_connector.status
Contains the HTTP status code of response when received.
subsession.ldap.last.authresult
0
(success) or
1
(failure) of LDAP authentication in the subroutine.
subsession.ldap.last.errmsg
Displays the error message for the last login.
subsession.ldap.last.errmsgext
Displays extended error message from the last login. This can be used to obtain extended information from some endpoints such as user account expiration status from a Windows Global Catalog.
subsession.logon.last.password
Password for the last login.
subsession.ldap.last.queryresult
Result of the LDAP query.
0
(failure) or
1
(success)
subsession.ldap.last.totalEntries
Number of matches to query
subsession.logon.last.username
User name for the last login.
subsession.logon.last.authtype
Last authentication type
subsession.okta_mfa.factor
Output by the Okta MFA agent and displays the factor name (okta_totp, okta_push, or yubico_otp) upon successful Okta authentication.
subsession.okta_mfa.result
Output by the Okta MFA agent and displays 1 upon successful Okta authentication or enrollment.
subsession.otp.assigned.expire
Timeout including the current time (Unix format)
subsession.otp.assigned.ttl
Timeout time in seconds of OTP
subsession.otp.assigned.val
Generated value of OTP
subsession.otp.verify.last.authresult
Output after OTP Verify agent reads the OTP token value and compares the current time with the expiry time and produces a result.
subsession.otp.verify.last.errmsg
Displays the OTP verify error message.
subsession.radius.last.acct.acct_authentic
Indicates how the user was authenticated: Radius, local or remote.
subsession.radius.last.acct.acct_status_type
RADIUS accounting status on whether it is the start or end of accounting.
subsession.radius.last.acct.nas_ip_address
RADIUS accounting NAS-IP address
subsession.radius.last.acct.nas_ipv6_address
RADIUS accounting NAS-IPv6 address
subsession.radius.last.acct.nas_port
RADIUS accounting NAS port
subsession.radius.last.acctresult
RADIUS accounting result on whether the START message is sent to the accounting server.
subsession.radius.last.acct.server
RADIUS accounting server
subsession.radius.last.acct.service_type
RADIUS accounting service type.
subsession.radius.last.acct.start_time
Time when the last START message was sent to the RADIUS Accounting agent.
subsession.radius.last.attr.filter-id
RADIUS attribute filter ID
subsession.radius.last.attr.framed-compression
RADIUS attribute framed compression.
subsession.radius.last.attr.framed-mtu
RADIUS attribute framed MTU.
subsession.radius.last.attr.framed-protocol
RADIUS attribute framed protocol.
subsession.radius.last.attr.service-type
RADIUS attribute service type.
subsession.radius.last.errmsg
Displays the error message for the last login.
subsession.radius.last.result
0
(success) or
1
(failure) of RADIUS authentication in the subroutine.