Applies To:
- 16.0.1, 16.0.0
Visual Policy Editor
About the visual policy editor
Visual policy editor conventions
Initial access policy and initial per-request policy
When an access profile is created, usually an initial access policy is also created. A per-request policy starts with similar initial elements.
Every access policy and per-request policy contains a start.
A branch connects an action to another action or to an ending.
Add an action
Clicking this icon causes a screen to open with available actions for selection.
Clicking the name of an action, such as Logon Page, opens a screen with properties and rules for the action. Clicking the x deletes the action from the access policy.
Action that requires some configuration
The red asterisk indicates that some properties must be configured. Clicking the name opens a screen with properties for the action.
Each branch has an ending. An access policy includes
Deny endings. A per-request policy includes
Clicking the name of an ending opens a popup screen.
Add a macro for use in the access policy
Opens a screen for macro template selection. After addition, the macro is available for configuration and for use as an action item.
Macro added for use
Added macros display under the access policy. Clicking the plus (+) sign expands the macro for configuration of the actions in it.
Macrocall in an access policy
Clicking the macrocall name expands the macro in the area below the access policy.
Apply Access Policy
Clicking it commits changes. The visual policy editor displays this link when any changes remain uncommitted.
About actions on the add item screen
About macros and
- Access policy actions
- Any available action or series of actions.
- Calls to other macros (nested macros).
- An endpoint in a macro. Default terminals are Successful and Failure. Terminals are configurable and can be added and deleted.
on the add item screen
About maximum depth for nested macros in an access policy
About access policy endings
- Starts the SSL VPN session and loads assigned resources and a webtop, if assigned, for the user. Typically, you assign this when the user passes specific checks.
- Disallows the SSL VPN session and shows the user an access denied web page. Typically, you assign this when the user does not have access to resources, or fails authentication. Alternatively, after a session starts, shows a URL filter denied web page after a per-request policy rejects a request for a URL.
- Redirects the client to the URL specified in the ending configuration. You can define a redirect URL for each redirect ending. Typically, you can assign a redirect when the user requires remediation or a separate resource. For example, a user who fails the antivirus check because virus definitions are out of date can be redirected to the software manufacturer's site to get an antivirus update.
expression size for visual policy editor
About per-session and
- Per-session policy
- The per-session policy runs when a client initiates a session. (A per-session policy is also known as an access policy.) Depending on the actions you include in the access policy, it can authenticate the user and perform other actions that populate session variables with data for use throughout the session.
- Per-request policy
- After a session starts, a per-request policy runs each time the client makes an HTTP or HTTPS request. Because of this behavior, a per-request policy is particularly useful in the context of a Zero Trust scenario, where the client requires re-verification on every request. A per-request policy can include a subroutine, which starts a subsession. Multiple subsessions can exist at one time. You cannot use subroutines in macros within per-request policies.
About per-request policies and the Apply Access Policy link
About per-request policies and nested macros
About per-request policy subroutines
Additional resources and documentation for BIG-IP Access Policy Manager
BIG-IP Access Policy Manager: Application Access
This guide contains information for an administrator to configure application tunnels for secure, application-level TCP/IP connections from the client to the network.
BIG-IP Access Policy Manager: Authentication Essentials
This guide contains information to help an administrator understand authentication concepts, such as AAA server, SSL certificate, local user database, and so on.
BIG-IP Access Policy Manager: Authentication Methods
This guide describes different types of authentication, including Active Directory, LDAP and LDAPS, RSA SecurID, RADIUS, OCSP, CRLDP, Certificate, TACACS+, and so on.
BIG-IP Access Policy Manager: OAuth Concepts and Configuration
This guide describes OAuth concepts and explains how to configure the system to use OAuth authorization servers, resource servers, and other examples.
BIG-IP Access Policy Manager: SAML Configuration
This guide introduces SAML concepts and provides several examples using APM as a SAML IdP, as a SAML service provider, and others.
BIG-IP Access Policy Manager: Single Sign-On Concepts and Configuration
This guide describes how to configure different types of single sign-on methods, such as HTTP basic, HTTP forms-based, NTLMV1, NTLMV2, Kerberos, OAuth Bearer.
BIG-IP Access Policy Manager: Customization
This guide provides information about using the APM customization tool to provide users with a personalized experience for access policy screens, and errors. An administrator can apply your organization's brand images and colors, change messages and errors for local languages, and change the layout of user pages and screens.
BIG-IP Access Policy Manager: Edge Client and Application Configuration
This guide contains information for an administrator to configure the BIG-IP system for browser-based access with the web client as well as for access using BIG-IP Edge Client and F5 Access Apps. It also includes information about how to configure or obtain client packages and install them for BIG-IP Edge Client for Windows, Mac, and Linux, and Edge Client command-line interface for Linux.
BIG-IP Access Policy Manager: Implementations
This guide contains implementations for synchronizing access policies across BIG-IP systems, hosting content on a BIG-IP system, maintaining OPSWAT libraries, configuring dynamic ACLs, web access management, and configuring an access policy for routing.
BIG-IP Access Policy Manager: Network Access
This guide contains information for an administrator to configure APM Network Access to provide secure access to corporate applications and data using a standard web browser.
BIG-IP Access Policy Manager: Portal Access
This guide contains information about how to configure APM Portal Access. In Portal Access, APM communicates with back-end servers, rewrites links in application web pages, and directs additional requests from clients back to APM.
BIG-IP Access Policy Manager: Secure Web Gateway
This guide contains information to help an administrator configure Secure Web Gateway (SWG) explicit or transparent forward proxy and apply URL categorization and filtering to Internet traffic from your enterprise.
BIG-IP Access Policy Manager: Third-Party Integration
This guide contains information about integrating third-party products with Access Policy Manager (APM). It includes implementations for integration with VMware Horizon View, Oracle Access Manager, Citrix Web Interface site, and so on.
BIG-IP Access Policy Manager: Visual Policy Editor
This guide contains information about how to use the visual policy editor to configure access policies.
Release notes contain information about the current software release, including a list of associated documentation, a summary of new features, enhancements, fixes, known issues, and available workarounds.
Knowledge base articles are responses and resolutions to known issues, additional configuration instructions, and how-to information.