Manual Chapter : Per-Request Policy Item Reference

Applies To:


BIG-IP APM

  • 17.0.0, 16.1.5, 16.1.2, 16.1.1, 16.1.0

Per-Request Policy Item Reference

About per-request policy items

When configuring a per-request policy, many agents are available for inclusion in the per-request policy.

About SSL check

Specifies that the system performs an SSL check, which determines whether SSL is found on the endpoint. It provides two default branches: SSL Found and fallback. There is no configuration required for this action.

About per-request policy authentication items

Authentication items perform authentication or authentication-related functions.

About AD Group Lookup

An AD Group Lookup item can branch based on Active Directory group. The item provides one default advanced branch rule expression, expr { [mcget {session.ad.last.attr.primaryGroupID}] == 100 }, as an example.
A branch rule expression can include any populated session variable, such as session.ad.last.attr.primaryGroupID, session.ad.last.attr.memberOf, session.ad.last.attr.lastLogon, session.ad.last.attr.groupType, session.ad.last.attr.member, and so on. As an example, expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Administrators" } is a valid expression.
An AD Query action can populate the session variables.

About LDAP Group Lookup

An LDAP Group Lookup item compares a specified string against the session.ldap.last.attr.memberOf session variable. The specified string is configurable in a branch rule. The default simple branch rule expression is User is a member of CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN; the values MY_GROUP, USERS, and MY_DOMAIN must be replaced with the values used in the LDAP group configuration at the user site.
An LDAP Query action is required in the access policy to populate the session variable.

About LocalDB Group Lookup

A per-request policy LocalDB Group Lookup item compares a specified string against a specified session variable.
The string is specified in a branch rule of the LocalDB Group Lookup item. The default simple branch rule expression is User is a member of MY_GROUP. The default advanced rule expression is expr { [mcget {session.localdb.groups}] contains "MY_GROUP" }. In either the simple or the advanced rule, the variable MY_GROUP must be replaced with a valid group name.
The session variable must initially be specified and populated by a Local Database action in the access policy. A Local Database action reads groups from a local database instance into a user-specified session variable. It can be session.localdb.groups (used by default in the LocalDB Group Lookup advanced rule expression) or any other name. The same session variable name must be used in the Local Database action and the LocalDB Group Lookup advanced rule expression.

About RADIUS Class Lookup

The RADIUS Class Lookup access policy item compares a user-specified class name against the session.radius.last.attr.class session variable. The specified class name is configurable in a branch rule.
The default simple branch rule expression is RADIUS Class attribute contains MY_CLASS. The variable MY_CLASS must be replaced with the name of an actual class.
A RADIUS Acct or RADIUS Auth action is required in the access policy to populate the session variable.

About per-request policy assignment items

Assignment items support assigning resources, such as a pool, in a per-request policy. The Assign Credentials agent provides the username and password source session variable names and stores them in perflow variables. The Variable Assign item supports assigning values to existing variables, to existing configuration elements, and to variables that you define yourself.

About Assign Credentials

The Assign Credentials agent is available only in a per-request policy (not in a subroutine). If the password is shared, the agent gets user credentials from the main session, takes the username and password source session variable names, and stores them in perflow variables. The Assign Credentials agent must precede the subroutine where the credential needs to be reused. The logon page is shown only when perflow credentials variables are empty.

About Pool Assign

The Pool Assign agent can dynamically assign a local traffic pool; it provides this configuration element only: selection of a static pool.
In a per-session policy, the Pool Assign agent enables session-based pool selection from among valid pools in this priority order: a pool selected by an iRule that is defined for the virtual server takes precedence over any other; a static pool defined in the Pool Assign agent takes precedence over a static pool defined for the virtual server.
In a per-request policy, the Pool Assign agent enables request-based pool selection for reverse proxy (LTM+APM) only and specifies the pool to use.
In a per-request policy, using the Pool Assign agent in a forward proxy configuration does not work and is not supported.

About Variable Assign

The Variable Assign action can include one or more entries. An entry specifies a variable and assigns a value to it.
Figure: A variable assign entry screen as it displays initially (two-pane screen: custom variable in the left pane and custom expression in the right pane).
In the entry screen, the variable is specified in the left pane and the value is specified in the right pane.
A Variable Assign action provides these configuration elements and options for the variable:
Custom Variable
Specifies a variable name. It can be any name including the name of a session variable or the name of a perflow variable.
For a per-session policy, when the policy runs it recognizes only existing perflow variables.
Predefined Variables
Specifies a predefined session variable or perflow variable name, which must be selected from the Variable list. The type of variable (session or perflow) that is available for selection depends on the selected Group: Per-Session Variables or Per-Request Variables.
For Per-Request Variables, the Scratchpad, Custom, and Primary Category perflow variables are available for use in the per-request policy and in per-request policy subroutines. You can, for example, pass the value of a session variable into the per-request policy in one of these variables.
Unsecure or Secure
Specifies whether the variable is secure. A secure variable is stored in encrypted form in the session database. The value of a secure variable is not displayed in the session report, or logged by the logging agent.
A Variable Assign action provides these configuration elements and options for the value:
Custom Expression
Specifies a Tcl expression. The result of the expression is used as the value.
AAA attribute
Specifies the name of the attribute that contains the value:
  • Agent Type - specifies the type of AAA server: AD, LDAP, or RADIUS.
  • Attribute Type - specifies the attribute type to use depending on the agent type:
    • Use user's attribute - for AD agent.
    • Use user's primary group attribute - for AD agent.
    • Use LDAP attribute - for LDAP agent.
    • Use RADIUS attribute - for RADIUS agent.
  • Agent type attribute name - specifies the name of the attribute that contains the value.
Text
Specifies a text string to use as the value. The text entered in this field is used as is.
Session Variable
Specifies the name of a session variable from which to get the value.

About endpoint security (server-side) per-request policy items

In endpoint security (server-side) actions, the server queries clients and makes policy decisions based on information that a client presents to the server. For example, the Client Type action presents a query to find out what type of client is connecting, and routes the client to the different policy branches based on the results of the query. Endpoint security (server-side) access policy items do not require installation of client components.

About Client Information

The Client Information agent gets the device posture from the client. You implement device posture checks in a per-request policy by using a Client Information agent followed by a subroutine with one or more client check agents.

About Client IP Subnet Match

This agent lets you create policy branch rules based on the user's subnet.

About Client OS

The Client OS action detects the operating system of the remote client. Access Policy Manager detects this using information from the HTTP header. The action provides separate branches for separate operating systems. This action can be very useful at the beginning of an access policy. Each branch can include actions that are specific to a client operating system.
This figure shows the Client OS action and default branches, configured to allow access to clients on the Windows RT operating system and to deny access to all others.
Figure: Client OS action with the Windows RT branch ending set to Allow and the other branch endings set to Deny.
In practice, actions would be specified on the access policy branches and might include logon actions, authentication actions, and other actions.

About Client Port Match

This agent lets you create policy branch rules based on the user's port number.

About Client Type

The Client Type action determines whether the client is using a full browser, the BIG-IP Edge Client, or another client to access the Access Policy Manager (APM). This action makes it possible to specify different actions for different client types in one access policy and, as a result, to use one virtual server for traffic from different client types. This figure shows the Client Type action as it looks when first added to an access policy.
Figure: The Client Type action as it looks when first added to an access policy.
By default, the Client Type action includes these branches:
Edge Portal
Indicates that the user is connecting with the BIG-IP Edge Portal mobile app.
Windows Inbox F5 VPN Client
Indicates the user is connecting using the Windows Inbox F5 VPN client.
F5 Access
Indicates the user is connecting using F5 Access.
Machine Tunnel
Use this branch to configure an access policy to detect the machine tunnel client type.
Edge Client
Indicates that the user is connecting with the BIG-IP Edge Client or BIG-IP Edge Client app, supported on multiple devices and operating systems.
Citrix Receiver
Indicates that the user is connecting using a later Citrix Receiver client. Use this branch to configure authentication for later Citrix Receiver clients (iOS, Mac, and Android).
Citrix Receiver (legacy)
Indicates that the user is connecting using an earlier Citrix Receiver client (identified with PN Agent). Use this branch to configure authentication for legacy Citrix Receiver clients (Windows and Linux).
VMware View
Indicates that the user is connecting using a VMware Horizon View client. Use this branch to configure an access policy to authenticate View Client using VMware View logon pages.
Microsoft RDP Client
Indicates the user is connecting using Microsoft RDP Client. Use this branch to configure an access policy to authorize resource requests from Microsoft RDP clients.
MS-OFBA Compliant
Indicates the user is connecting using MS-OFBA (Microsoft Office Forms Based Authentication) supported office applications. Use this branch to configure an access policy that allows users to open, use, and authenticate Microsoft Office applications.
Full or Mobile Browser
Indicates the user is connecting with a Windows web browser or a mobile browser.
fallback
Indicates the user is connecting with another method.
APM supports the client types on multiple operating systems. Refer to AskF5 (support.f5.com) to look up the supported operating systems and versions in the compatibility matrix for your version of APM.
To create additional branching for a client type based on operating system, you can add a client operating system (Client OS) action on the client type branch.

About Dynamic Date Time

The Dynamic Date Time action enables branching based on the day, date, or time on the server. It provides two default branch rules:
Weekend
Defined as Saturday and Sunday.
Business Hours
Defined as 8:00am to 5:00pm.
The Dynamic Date Time action provides these conditions for defining branch rules.
Time From
Specifies a time of day. The condition is true at or after the specified time.
Time To
Specifies a time of day. This condition is true before or at the specified time.
Date From
Specifies a date. This condition is true at or after the specified date.
Date To
Specifies a date. This condition is true before or at the specified date.
Day of Week
Specifies a day. The condition is true for the entire day (local time zone).
Day of Month
Specifies the numeric day of month. This condition is true for this day every month (local time zone).

About IP Geolocation Lookup

This agent lets you determine the geographic origin of the IP address of a request.

About IP Reputation Lookup

When an IP Reputation Lookup agent is included in an access or per-request policy, Access Policy Manager (APM) searches for the IP address in the IP intelligence database. The IP intelligence database contains only IP addresses that are considered untrustworthy, along with a category for each that describes why it is not trusted.
APM provides these default branch rules for the IP Reputation action.
Bad
The IP address exists in the IP intelligence database. The expression for this branch rule includes every IP reputation category. For example, the rule includes expressions such as IP Reputation is: Spam Sources OR IP Reputation is: Proxy, and so on. If any IP reputation category is acceptable at your site, you should update this rule or create and use another rule.
Good
The IP address is not found in the IP intelligence database.
fallback
The IP intelligence database is inaccessible for some reason. This can be due to a misconfiguration or a problem with a license or Internet connectivity.

About Server IP Subnet Match

This agent lets you create policy branch rules based on the subnet of the server.

About Server Port Match

This agent lets you create policy branch rules based on the server port number.

About per-request policy classification items

Classification items are used to classify traffic based on traffic properties.

About Application Filter Assign

An Application Filter Assign item matches an application or application family against an application filter. Application Filter Assign provides one configuration element. The Application Filter element specifies the application filter to use in determining whether to block access to an application or allow it. The Application Filter Assign item exits on the Allow branch if the filter action specifies allow. Otherwise, Application Filter Assign exits on the fallback branch.
To supply input for the Application Filter Assign agent, an Application Lookup item must run in the per-request policy sometime prior to it.

About Application Lookup

An Application Lookup item obtains the name of the application that is being requested and looks up the application family that matches it. By default, this item has a fallback branch only.
Application Lookup can be used to branch by application family or by application name; branch rules are required to do this. If an Application Filter Assign item is included in the per-request policy, an Application Lookup must complete before it.

About Category Lookup

A Category Lookup item looks up URL categories for a request and obtains a web response page.
The Category Lookup item provides these elements and options.
Categorization Input
The list specifies these options:
  • Use HTTP URI (cannot be used for SSL Bypass decisions): For HTTP traffic, this option specifies performing a URL-based lookup. When selected, on a BIG-IP system with an SWG subscription the SafeSearch Mode setting displays.
  • Use SNI in Client Hello (if SNI is not available, use Subject.CN): For HTTPS traffic, this option specifies performing a host-based lookup.
  • Use Subject.CN in Server Cert: For HTTPS traffic, this option specifies performing a host-based lookup. (This option is not for use in a reverse proxy configuration.)
  • Use HTTP Connect Hostname: For connections that are passing through an upstream proxy, this option uses information from the HTTP Connect header and matches only the hostname. The Category Lookup agent functions only on the transparent HTTP virtual servers and fails if the policy is attached to explicit HTTP virtual servers.
SafeSearch Mode
The options are Enabled (default) and Disabled. When enabled, SWG enables Safe Search for supported search engines.
SafeSearch is available only with an SWG subscription.
Category Lookup Type
Select the category types in which to search for the requested URL. On a BIG-IP system with an SWG subscription, options are:
  • Select one from Custom categories first, then standard categories if not found
  • Always process full list of both custom and standard categories
  • Process standard categories only
On a BIG-IP system without an SWG subscription, the available option is Process custom categories only. Depending on the selection, the Category Lookup Type item looks through custom categories or standard categories or both, and compiles a list of one or more categories from them. The list is available for subsequent processing by the URL Filter Assign item.
Reset on Failure
When enabled, specifies that SWG send a TCP reset to the client in the event of a server failure.

About Request Analytics

A Request Analytics item inspects an outgoing web request for malicious embedded contents. In a per-request policy, a Request Analytics item must be preceded by a Category Lookup item and followed by a URL Filter Assign item. To block outgoing traffic from chat applications, a Request Analytics item is required.
Request Analytics works only on a BIG-IP system with an SWG subscription.
Request Analytics provides these elements and options.
Max Buffer Size
Specifies the maximum amount of request data (in bytes) to collect before sending it for content scanning. The system sends the content for analysis when the buffer reaches this size or when the buffer contains all of the request content. Otherwise, the system retains the request data in the buffer.
Max Buffer Time
Specifies the maximum amount of time (in seconds) for buffering and analyzing request data. If the time elapses at any point in this process, the agent sets the perflow.request_analytics.failure variable to 1 (which indicates an ANTserver failure) and discards the request data.
Reset on Failure
When enabled, specifies that SWG send a TCP reset to the client in the event of an ANTserver failure. If disabled and an ANTserver failure occurs, SWG logs all perflow variables and provides the SWG block page to the client.

About Response Analytics

A Response Analytics item inspects a web response page for malicious embedded contents. Response Analytics must be preceded by a Category Lookup item because it obtains a web response page.
Response Analytics works only on a BIG-IP system with an SWG subscription.
Response Analytics provides these elements and options.
Max Buffer Size
Specifies the maximum amount of response data (in bytes) to collect before sending it for content scanning. The system sends the content for analysis when the buffer reaches this size or when the buffer contains all of the response content. Otherwise, the system retains the response data in the buffer.
Max Buffer Time
Specifies the maximum amount of time (in seconds) for buffering and analyzing response data. If the time elapses at any point in this process, the agent sets the perflow.response_analytics.failure variable to 1 (which indicates an ANTserver failure) and discards the response data.
Reset on Failure
When enabled, specifies that SWG send a TCP reset to the client in the event of an ANTserver failure. If disabled and an ANTserver failure occurs, SWG logs all perflow variables and provides the SWG block page to the client.
Exclude Types
Specifies one entry for each type of content to be excluded from content analysis. Images, the All-Images type, do not get analyzed.

About URL Branching

The URL Branching action is useful for treating a few URLs differently from others. The action provides an Allow branch and a fallback branch. The URL Branching action provides these conditions for defining branch rules.
Equals
The URL must exactly match the specified URL.
Substring
The URL must contain the specified string.
Prefix Match
The URL must start with the specified string.
Suffix Match
The URL must end with the specified string.
Glob match
The URL must match the specified globbing pattern. These globbing patterns are supported:
  • * - Matches any number of characters (none, one, or more).
  • ? - Matches a single character in these sets: [a-z] or [0-9] or [A-Za-z].
  • [characters] - Matches one of the specified characters.
  • [^characters] - Matches any character except those specified.
  • [!characters] - Matches any character except those specified.
To match many URLs, you might consider configuring URL categories in the Access > Secure Web Gateway area of the product and using Category Lookup in your per-request policy.
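As an added example, not F5's code: an evaluator for the URL Branching conditions listed above, translating the supported glob patterns into a Python regular expression with the semantics the page gives them (note that ? matches only a letter or digit, not any character). The sample URLs and rules are constructed.

```python
"""Evaluate URL Branching conditions (Equals, Substring, Prefix Match,
Suffix Match, Glob match) against a request URL. Example code, not APM's."""
import re


def glob_to_regex(pattern: str) -> str:
    """Translate the page's glob syntax into a regex body (no anchors).

    *             -> any number of characters (none, one or more)
    ?             -> one character from [a-z], [0-9] or [A-Za-z]
    [chars]       -> one of the listed characters (ranges like a-z allowed)
    [^chars]      -> any character except those listed
    [!chars]      -> same as [^chars]
    Everything else is matched literally.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append("[A-Za-z0-9]")
        elif ch == "[":
            close = pattern.find("]", i + 1)
            body = pattern[i + 1:close] if close != -1 else ""
            negate = body[:1] in ("^", "!")
            if negate:
                body = body[1:]
            if not body:
                # no closing bracket or an empty set: treat '[' literally
                out.append(re.escape(ch))
            else:
                # neutralise regex metacharacters inside the class
                body = body.replace("\\", "\\\\").replace("]", "\\]")
                body = body.replace("^", "\\^").replace("[", "\\[")
                out.append("[" + ("^" if negate else "") + body + "]")
                i = close
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def url_branch_matches(condition: str, value: str, url: str) -> bool:
    """Evaluate one URL Branching condition against a request URL."""
    if condition == "Equals":
        return url == value
    if condition == "Substring":
        return value in url
    if condition == "Prefix Match":
        return url.startswith(value)
    if condition == "Suffix Match":
        return url.endswith(value)
    if condition == "Glob match":
        return re.fullmatch(glob_to_regex(value), url) is not None
    raise ValueError(f"unknown URL Branching condition: {condition!r}")


# Constructed sample rules: the "few URLs" one might treat differently.
SAMPLE_RULES = [
    ("Equals", "https://intranet.example.com/"),
    ("Prefix Match", "https://intranet.example.com/hr/"),
    ("Glob match", "https://*.example.com/api/v?/*"),
    ("Glob match", "https://files.example.com/[!a-z]*"),
]


def first_matching_rule(url: str, rules=SAMPLE_RULES):
    """Return the first (condition, value) pair that matches, or None when
    no rule matches (the action then exits on the fallback branch)."""
    for condition, value in rules:
        if url_branch_matches(condition, value, url):
            return (condition, value)
    return None


if __name__ == "__main__":
    for u in ("https://intranet.example.com/hr/benefits",
              "https://app.example.com/api/v1/users",
              "https://app.example.com/api/v10/users",
              "https://other.example.org/"):
        print(u, "->", first_matching_rule(u))
```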

About URL Filter Assign

A URL Filter Assign item looks up the URL filter action for each category that the Category Lookup item found for a request. If any filter action is set to Block, the request is blocked. In a configuration with an SWG subscription, the URL Filter Assign item also uses the analysis from the Response Analytics item, if used, to determine whether to block the request.
By default, the URL Filter Assign item has three branches: Allow, Confirm, and fallback. If the request is not blocked and any filter action is set to Confirm, the per-request policy takes the Confirm branch.
A URL Filter Assign item provides the URL Filter element, with a list of filters from which to select.
A Category Lookup item must precede the URL Filter Assign item.
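As an added example, not F5's code: the category list that each Category Lookup Type option compiles, and the Allow/Confirm/fallback decision URL Filter Assign makes over that list, as the two sections above describe them. That a blocked request exits on the fallback branch, and that a category absent from the filter gets a default action, are assumptions of this example; the category and filter names are constructed.

```python
"""Category Lookup Type selection followed by the URL Filter Assign branch
decision. Example code, not APM's."""

# The four Category Lookup Type options named on the page.
CUSTOM_FIRST = ("Select one from Custom categories first, "
                "then standard categories if not found")
FULL_LIST = "Always process full list of both custom and standard categories"
STANDARD_ONLY = "Process standard categories only"
CUSTOM_ONLY = "Process custom categories only"   # the only option without SWG


def compile_categories(lookup_type, custom_matches, standard_matches):
    """Return the category list that Category Lookup hands to URL Filter Assign."""
    if lookup_type == CUSTOM_FIRST:
        return list(custom_matches) if custom_matches else list(standard_matches)
    if lookup_type == FULL_LIST:
        return list(custom_matches) + list(standard_matches)
    if lookup_type == STANDARD_ONLY:
        return list(standard_matches)
    if lookup_type == CUSTOM_ONLY:
        return list(custom_matches)
    raise ValueError(f"unknown Category Lookup Type: {lookup_type!r}")


def url_filter_branch(categories, url_filter, default_action="Allow"):
    """Decide the URL Filter Assign branch for the compiled category list.

    url_filter maps a category name to 'Allow', 'Block' or 'Confirm'.
    Page rules: if any filter action is Block the request is blocked; if the
    request is not blocked and any action is Confirm, the Confirm branch is
    taken. A blocked request is modelled here as the fallback branch, and a
    category missing from the filter gets default_action (both assumptions).
    """
    actions = {url_filter.get(c, default_action) for c in categories}
    if "Block" in actions:
        return "fallback"
    if "Confirm" in actions:
        return "Confirm"
    return "Allow"


def decide(lookup_type, custom_matches, standard_matches, url_filter):
    """Run both steps in the order the policy requires: Category Lookup,
    then URL Filter Assign."""
    return url_filter_branch(
        compile_categories(lookup_type, custom_matches, standard_matches),
        url_filter)


# Constructed sample filter (category names invented for the example).
SAMPLE_FILTER = {
    "Corporate Intranet": "Allow",
    "Business": "Allow",
    "Web Mail": "Confirm",
    "Unwanted Software": "Block",
}

if __name__ == "__main__":
    # Custom category found first: only it is evaluated, so the request is allowed
    print(decide(CUSTOM_FIRST, ["Corporate Intranet"],
                 ["Unwanted Software"], SAMPLE_FILTER))
    # Full list: the standard category's Block action wins over everything else
    print(decide(FULL_LIST, ["Corporate Intranet"],
                 ["Unwanted Software"], SAMPLE_FILTER))
```

The two calls at the bottom show the practical effect of the lookup type: the same URL is allowed under the custom-first option and blocked under the full-list option.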

About per-request policy general purpose items

General purpose items can be used in any case and can be placed anywhere in a per-request policy. These items support miscellaneous actions such as HTTP header modification, several actions for SSL, IP protocol lookup, logging, and others.

About the Empty action

An Empty action has no explicit configuration. The action allows a user to create rules only, using the Branch Rules tab.

About HTTP Headers

An HTTP Headers action supports modifying an outgoing HTTP request to a back-end server. The action supports manipulation of HTTP and cookie headers being sent to back-end servers.
The HTTP Headers item cannot manipulate HTTP cookies in outgoing HTTP requests to any portal access application.
The HTTP Headers item provides these configuration options and elements.
An entry in the HTTP Header Modify table includes these elements.
Header Operation
Specifies insert, append, replace, or remove.
Header Name
Specifies the header name on which to operate.
Header Value
Specifies the value on which to operate.
Any per-flow or session variable can be used as a header value, for example, %{session.user.clientip} or %{perflow.session.id}.
Header Delimiter
Specifies the separator to use when appending a header.
An entry in the HTTP Cookie Modify table includes these elements.
Cookie Operation
Specifies update or delete.
When update is selected and a cookie that matches the name and value does not exist, HTTP Header adds the specified cookie.
Cookie Name
Specifies the name to match.
Cookie Value
Specifies the value to match when deleting a cookie or the new value to set when updating a cookie.
Any per-flow or session variable can be used as a cookie value.

About IP Based SSL Bypass Set

Use this agent in a per-request policy for SSL Orchestrator use cases only.
This agent lets you bypass SSL traffic based on IP address. Place this agent after a matching rule (for example, Client IP Subnet Match) to bypass matched traffic. This rule must be specified early in the policy, before other protocol handling rules.

About IP Protocol Lookup

This agent is used to identify the Layer 4 protocol, such as TCP or UDP. For example, a value of 6 is TCP and 17 is UDP.

About iRule Event

An iRule Event action adds iRule processing to an access policy or to a per-request policy subroutine at a specific point. An iRule Event provides one configuration option: ID, which specifies an iRule event ID.
iRule event access policy items must be processed and completed before the access policy can continue.
An iRule Event action can occur anywhere in an access policy or a per-request policy subroutine.

About Layer 7 Protocol Lookup

This agent is used to identify the Layer 7 protocol, such as DNS, FTP, FTPS, HTTP, HTTP CONNECT, HTTPS, IMAP, IMAPS, POP3, POP3S, QUIC, SMTP, SMTPS, and TELNET.

About the Logging action

The Logging action can be used in an access policy or in a per-request policy. In an access policy, the Logging action adds logging for session variables to the access policy. In a per-request policy, the Logging action can add logging for both session variables and perflow variables to the per-request policy.
This action is useful for tracing the variables that are created for a specific category, or in a specific branch.
A session variable might or might not exist at the time of logging, depending on the result of the access policy branch or the results of processing the access policy.
The Logging action provides these configuration elements and options:
Log Message
For an access policy, specifies text to add to the log file. For a per-request policy, specifies the message text and the session and per-flow variables to add to the message. Complete variable names must be typed. Wildcards are not supported for per-request policies. An example log message for a per-request policy follows.
The system found this URL %{perflow.category_lookup.result.url} in these categories %{perflow.category_lookup.result.categories} and placed it into this category %{perflow.category_lookup.result.primarycategory}.
An HTTPS request was made to this host %{perflow.category_lookup.result.hostname}; the per-request policy set SSL bypass to %{perflow.ssl_bypass_set}.
Requests from this platform %{session.client.platform} were made during this session %{perflow.session.id}.
Add new entry
Specify actions that read from and write to specific database properties. Click the Add New Entry button to add a new logging agent to the action.
Session Variables
Specifies a session variable from a list of predefined session variables or a custom session variable.
This option is available only when adding the Logging action to an access policy.
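As an added example, not F5's code, serving both the HTTP Headers section and the Logging action above: expansion of %{variable} references from the session and perflow variables, applied to a Log Message and to the four Header Operation values of an HTTP Header Modify entry. The variable values are constructed (203.0.113.7 is a documentation address); treating a missing variable as empty, and append/replace behaviour when the header is absent, are assumptions of this example.

```python
"""Expand %{session.*}/%{perflow.*} references and apply HTTP Header Modify
entries. Example code, not APM's."""
import re

_VAR_RE = re.compile(r"%\{([A-Za-z0-9_.]+)\}")


def expand_variables(text: str, variables: dict) -> str:
    """Replace each %{name} with the variable's value.

    The page notes a variable might not exist yet when the Logging action
    runs; here an unknown reference expands to an empty string (assumption),
    which is visible in the log line as a doubled space."""
    return _VAR_RE.sub(lambda m: str(variables.get(m.group(1), "")), text)


def apply_header_entry(headers, operation, name, value, variables,
                       delimiter=", "):
    """Apply one HTTP Header Modify entry to headers, a list of
    (name, value) pairs compared case-insensitively by name.
    Returns a new list; the input list is left unchanged."""
    value = expand_variables(value, variables)
    key = name.lower()
    present = any(n.lower() == key for n, _ in headers)
    if operation == "remove":
        return [(n, v) for n, v in headers if n.lower() != key]
    if operation == "insert":
        return headers + [(name, value)]
    if operation == "replace":
        # replaces the value of an existing header only (assumption)
        return [(n, value if n.lower() == key else v) for n, v in headers]
    if operation == "append":
        if not present:
            return headers + [(name, value)]   # nothing to append to (assumption)
        # Header Delimiter separates the existing value from the appended one
        return [(n, v + delimiter + value if n.lower() == key else v)
                for n, v in headers]
    raise ValueError(f"unknown Header Operation: {operation!r}")


# Constructed sample variables.
SAMPLE_VARIABLES = {
    "session.user.clientip": "203.0.113.7",
    "perflow.session.id": "8d6e2f1c",
    "perflow.category_lookup.result.url": "https://www.example.com/news",
    "perflow.category_lookup.result.primarycategory": "News and Media",
}

# The page's first example Log Message; categories is deliberately left out
# of SAMPLE_VARIABLES to show a reference to a variable that does not exist.
LOG_MESSAGE = ("The system found this URL %{perflow.category_lookup.result.url} "
               "in these categories %{perflow.category_lookup.result.categories} "
               "and placed it into this category "
               "%{perflow.category_lookup.result.primarycategory}.")

SAMPLE_HEADERS = [("Host", "www.example.com"),
                  ("X-Forwarded-For", "198.51.100.2")]

if __name__ == "__main__":
    print(expand_variables(LOG_MESSAGE, SAMPLE_VARIABLES))
    print(apply_header_entry(SAMPLE_HEADERS, "append", "X-Forwarded-For",
                             "%{session.user.clientip}", SAMPLE_VARIABLES))
```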

About Server Cert Response Control

Use this agent in a per-request policy for SSL Orchestrator use cases only.
This agent lets you control the response to information about the server certificate. The agent provides an option to Ignore or Mask in case a server certificate is expired or untrusted, and controls the behavior on a perflow basis.

About Server Cert Status

Use this agent in a per-request policy for SSL Orchestrator use cases only.
This agent lets you check server certificate status. The agent provides two branches representing the status of the certificate: good and fallback.

About SSL Bypass Set

The SSL Bypass Set item provides a read-only element, Action, that specifies the Bypass option.
For an SSL Bypass Set item to be effective, the client and server SSL profiles on the virtual server must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to Intercept; and the SSL Bypass Set item must occur in the policy before any items that process HTTP traffic.

About SSL Intercept Set

The SSL Intercept Set item provides a read-only element, Action, that specifies the Intercept option.
For an SSL Intercept Set item to be effective, the client and server SSL profiles on the virtual server must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to Intercept; and the SSL Intercept Set item must occur in the policy before any items that process HTTP traffic.

About SSO Configuration Select

The Select SSO Configuration agent enables per-request selection of an SSO configuration from these SSO configuration types:
  • HTTP Basic
  • NTLMv1
  • NTLMv2
  • Kerberos
The Select SSO Configuration agent provides these configuration elements and options:
SSO Configuration Name
Select an SSO configuration name from the list.

About per-request policy traffic management items

Traffic management items are available for proxy select, service connect, and session check.

About Proxy Select

The Proxy Select agent is for use in selecting the next hop in forward proxy chaining. The Proxy Select agent provides these elements and options:
Pool
Specifies a pool of one or more proxy servers from which to select the next hop. All proxy servers in the pool that you select must support the forward proxy mode that you specify in the Upstream Proxy Mode setting.
Upstream Proxy Mode
Specifies whether the next hop is to a forward proxy server that supports Explicit forward proxy or Transparent forward proxy.
Username
Specifies the name of a user account on the proxy server. To use static credentials to authenticate the user at the next hop, provide the username and password.
Password
Specifies the password for the user account on the proxy server.

About Service Connect

This agent, used primarily by SSLO, allows you to connect to SSLO services that were previously configured. Service Connect provides the option to attach a Connector profile to the virtual server to enable service chaining in a per-request policy.

About Session Check

This agent, used primarily by SSLO, is used to check whether a session exists. If no session exists, the agent creates a perflow variable with a redirect URL to the captive portal virtual server.

About per-request policy subroutine items

When configuring a per-request policy subroutine, many per-request and per-session agents are available for inclusion in the subroutine.

About AD Auth

An AD Auth action authenticates a user against an AAA Active Directory server. An authentication action typically follows a logon action that collects credentials.
When configured in a per-request policy subroutine, some screen elements and options described here might not be available.
Type
Specifies Authentication, the type of this Active Directory action.
Server
Specifies an Active Directory server; servers are defined in the Access > Authentication area of the Configuration utility.
Cross Domain Support
Specifies whether AD cross domain authentication support is enabled for this action.
Complexity check for Password Reset
Specifies whether Access Policy Manager (APM) performs a password policy check. APM supports these Active Directory password policies:
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Password must meet complexity requirements
APM must retrieve all related password policies from the domain to make the appropriate checks on the new password.
Because this option might require administrative privileges, the administrator name and password might be required on the AAA Active Directory server configuration page.
Enabling this option increases overall authentication traffic significantly because APM must retrieve password policies using LDAP protocol and must retrieve user information during the authentication process to properly check the new password.
Show Extended Error
When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended for use only in a testing or debugging environment, not in production. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, non-comprehensive error messages generated by the authentication server are displayed on the user's logon page.)
Max Logon Attempts Allowed
Specifies the number of user authentication logon attempts to allow. A complete logon and password challenge and response is considered as one attempt. The default value is 3. You can set this field to a value of 1-5.
For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.
Max Password Reset Attempts Allowed
Specifies the number of times that APM allows the user to try to reset password.

About AD Query

An AD Query action performs a query against an AAA Active Directory server. The LDAP communication channel between BIG-IP APM and the Microsoft Active Directory AAA server is secured and encrypted using Simple Authentication and Security Layer (SASL).
An AD Query action provides these configuration elements and options:
Type
Specifies Query, the type of this Active Directory action.
Server
Specifies an Active Directory server; servers are defined in the Access > Authentication area of the Configuration utility.
SearchFilter
Specifies the search criteria to use when querying the Active Directory server for the user's information. Session variables are supported as part of the search query string.
Fetch Primary Group
Specifies whether to retrieve a user's primary group Distinguished Name for use in the access policy.
Cross Domain Support
Specifies whether AD cross domain authentication support is enabled for this action.
Fetch Nested Groups
When disabled, associates the user only to the groups to which they belong directly. When enabled, associates the user to all groups that are nested under the groups that they directly belong to. For example, if the user belongs to Group 1 and Group 2, and Group1 is a member of Group 3 and Group 4, enabling this setting allows the user to obtain privileges from all groups.
Complexity check for Password Reset
Specifies whether Access Policy Manager (APM) performs a password policy check. APM supports these Active Directory password policies:
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Password must meet complexity requirements
APM must retrieve all related password policies from the domain to make the appropriate checks on the new password.
Because this option might require administrative privileges, the administrator name and password might be required on the AAA Active Directory server configuration page.
Enabling this option increases overall authentication traffic significantly because APM must retrieve password policies using LDAP protocol and must retrieve user information during the authentication process to properly check the new password.
Show Extended Error
When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended for use only in a testing or debugging environment, not in production. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, non-comprehensive error messages generated by the authentication server are displayed on the user's logon page.)
Max Password Reset Attempts Allowed
Specifies the number of times that APM allows the user to try to reset password.
Prompt user to change password before expiration
Specifies whether to warn the user at a set time before the password expires and provide the option to change the password.
Required Attributes (optional)
By default, the server loads all user attributes if no required attributes are specified. However, system performance can improve if fewer attributes are returned. Click the Add New Entry button to add a new attribute to the Active Directory query action.
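The Fetch Nested Groups description above says that with nesting enabled the user is associated with every group reachable through the groups they belong to directly. The following is an added example, not code from the APM product or this manual, showing that resolution as a breadth-first walk over memberOf data. The directory entries, DNs and the cycle between Group 1 and Group 4 are constructed for the illustration; the three modes (None, Direct, All) mirror the page's group-fetch options.

```python
from collections import deque

# Constructed directory data (not from a real domain): each DN maps to the
# groups listed in its memberOf attribute. It mirrors the page's example: the
# user is in Group 1 and Group 2, and Group 1 is in Group 3 and Group 4.
# Group 4 is also placed inside Group 1 so the walk has a cycle to cope with.
G1 = "CN=Group 1,OU=Groups,DC=example,DC=com"
G2 = "CN=Group 2,OU=Groups,DC=example,DC=com"
G3 = "CN=Group 3,OU=Groups,DC=example,DC=com"
G4 = "CN=Group 4,OU=Groups,DC=example,DC=com"
USER = "CN=jsmith,OU=Users,DC=example,DC=com"

MEMBER_OF = {
    USER: [G1, G2],
    G1: [G3, G4],
    G2: [],
    G3: [],
    G4: [G1],  # cycle: Group 4 is also a member of Group 1
}


def fetch_groups(dn, member_of=MEMBER_OF, mode="Direct"):
    """Groups associated with `dn` for the three fetch modes on the page:
    None fetches nothing, Direct returns only the memberOf values, and All
    follows memberOf breadth-first and returns every group reached exactly
    once, so a membership cycle cannot loop forever."""
    if mode == "None":
        return []
    direct = list(member_of.get(dn, []))
    if mode == "Direct":
        return direct
    if mode != "All":
        raise ValueError("mode must be None, Direct or All")
    found, seen, queue = [], set(), deque(direct)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        found.append(group)
        queue.extend(member_of.get(group, []))
    return found


def is_member(dn, group, member_of=MEMBER_OF, nested=False):
    """True when `group` grants privileges to `dn`: directly, or through
    nesting when the Fetch Nested Groups style resolution is enabled."""
    mode = "All" if nested else "Direct"
    return group in fetch_groups(dn, member_of, mode)
```

With nesting disabled the user is associated with Group 1 and Group 2 only; with nesting enabled, Group 3 and Group 4 are added, which is the effect the page describes, and a group that points back up the chain is visited once rather than forever.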

About Antivirus

The Antivirus action checks for antivirus software on the client computer. When checking for multiple antivirus types, if one antivirus type matches the software on the client system, the action passes, regardless of other antivirus conditions that are specified in the action.
An antivirus action in a subroutine is continuously checked, based on the settings configured in the Subroutine Settings.
An Antivirus action provides these settings and options:
Platform
Specifies a platform. The default is Any. When a platform is selected, the Vendor ID and Product ID lists update to include the products and vendors that are supported for that platform according to the EPSEC package that is installed on the BIG-IP system.
A link to a report that includes the antivirus software that Access Policy Manager currently supports is available on the BIG-IP system Welcome page.
Vendor ID
Specifies a vendor ID (from the list of supported vendors) or Any.
Product ID
Specifies a product ID (from the list of supported products) or Any.
State
Specifies one of these states:
  • Enabled
    - when selected, the action verifies that the antivirus software is enabled
  • Disabled
    - when selected, the action verifies that the antivirus software is disabled.
  • Unspecified
    - when selected, the action does not verify the state of the software.
Version
Specifies a version; when specified, the antivirus action verifies the version of the software.
Engine Version
Specifies the engine version number; when specified, the antivirus action verifies this information.
DB Version
Specifies the database version number; when specified, the antivirus action verifies this information.
DB Age Not Older Than (days)
Specifies the database age in days; when specified, the antivirus action verifies this information.
Last Scan Time Not Older Than (days)
Specifies a number of days; when specified, the antivirus action verifies that the last scan did not occur more than the specified number of days ago.

About Client Cert Inspection

The Client Cert Inspection agent checks the result of the SSL handshake that occurs at the start of a session. It does not, however, negotiate an SSL session. It relies on settings in a client SSL profile that is added to the virtual server. The Client Cert Inspection item can provide the result of the SSL handshake, including certificate revocation status when the client SSL profile specifies a certificate revocation list (CRL).
If using the Client Cert Inspection agent in a per-request policy subroutine, you must have an On-Demand Cert agent configured before it in the same subroutine.
The Client Cert Inspection action provides two branches: Successful and fallback.

About Client IP Subnet Match

This agent lets you create policy branch rules based on the user's subnet.

About Client OS

The Client OS action detects the operating system of the remote client. Access Policy Manager detects this using information from the HTTP header. The action provides separate branches for separate operating systems. This action can be very useful at the beginning of an access policy. Each branch can include actions that are specific to a client operating system.
This figure shows the Client OS action and default branches, configured to allow access to clients on the Windows RT operating system and to deny access to all others.
[Figure: Client OS action with the Windows RT branch ending set to Allow and the other branch endings set to Deny]
In practice, actions would be specified on the access policy branches and might include logon actions, authentication actions, and other actions.

About Client Port Match

This agent lets you create policy branch rules based on the user's port number.

About Client Type

The Client Type action determines whether the client is using a full browser, the BIG-IP Edge Client, or another client to access the Access Policy Manager (APM). This action makes it possible to specify different actions for different client types in one access policy and, as a result, to use one virtual server for traffic from different client types. This figure shows the Client Type action as it looks when first added to an access policy.
[Figure: the Client Type action as it looks when initially added to an access policy]
By default, the Client Type action includes these branches:
Edge Portal
Indicates that the user is connecting with the BIG-IP Edge Portal mobile app.
Windows Inbox F5 VPN Client
Indicates the user is connecting using the Windows Inbox F5 VPN client.
F5 Access
Indicates the user is connecting using F5 Access.
Machine Tunnel
Use this branch to configure an access policy to detect the machine tunnel client type.
Edge Client
Indicates that the user is connecting with the BIG-IP Edge Client or BIG-IP Edge Client app, supported on multiple devices and operating systems.
Citrix Receiver
Indicates that the user is connecting using a later Citrix Receiver client. Use this branch to configure authentication for later Citrix Receiver clients (iOS, Mac, and Android).
Citrix Receiver (legacy)
Indicates that the user is connecting using an earlier Citrix Receiver client (identified with PN Agent). Use this branch to configure authentication for legacy Citrix Receiver clients (Windows and Linux).
VMware View
Indicates that the user is connecting using a VMware Horizon View client. Use this branch to configure an access policy to authenticate View Client using VMware View logon pages.
Microsoft RDP Client
Indicates the user is connecting using the Microsoft RDP Client. Use this branch to configure an access policy to authorize resource requests from Microsoft RDP clients.
MS-OFBA Compliant
Indicates the user is connecting using an office application that supports MS-OFBA (Microsoft Office Forms Based Authentication). Use this branch to configure an access policy that allows users to open, use, and authenticate Microsoft Office applications.
Full or Mobile Browser
Indicates the user is connecting with a Windows web browser or a mobile browser.
fallback
Indicates the user is connecting with another method.
APM supports the client types on multiple operating systems. Refer to AskF5 (support.f5.com) to look up the supported operating systems and versions in the compatibility matrix for your version of APM.
To create additional branching for a client type based on operating system, you can add a client operating system (Client OS) action on the client type branch.

About Confirm Box

A Confirm Box action presents links for these options: Continue and Cancel. The action is available for a per-request policy subroutine only and is for use in a Secure Web Gateway (SWG) configuration. Confirm Box offers these elements and options for customization.
Language
Specifies the language to use to customize the Confirm Box page. Selecting a language causes the content in the remaining fields to display in the selected language.
Languages on the list reflect those that are configured in the access profile.
Message
Specifies the message to display.
Field 1 image
Specifies the icon (red, green, or none) to display with the Continue option.
Continue
Specifies the text to display for this option.
Field 2 image
Specifies the icon (red, green, or none) to display with the Cancel option.
Cancel
Specifies the text to display for this option.

About CRLDP Auth

A CRLDP Auth action retrieves a Certificate Revocation List (CRL) from a network location (distribution point). A distribution point is either an LDAP Uniform Resource Identifier (URI), a directory path that identifies the location where the CRLs are published, or a fully qualified HTTP URL. A CRLDP Auth action provides these configuration elements and options:
CRLDP Server
Specifies a CRLDP server; servers are defined in the Access > Authentication area of the Configuration utility.
A CRLDP Auth action is valid for use in a per-request policy subroutine when placed after an On-Demand Cert Auth action.

About Dynamic Date Time

The Dynamic Date Time action enables branching based on the day, date, or time on the server. It provides two default branch rules:
Weekend
Defined as Saturday and Sunday.
Business Hours
Defined as 8:00am to 5:00pm.
The Dynamic Date Time action provides these conditions for defining branch rules.
Time From
Specifies a time of day. The condition is true at or after the specified time.
Time To
Specifies a time of day. This condition is true before or at the specified time.
Date From
Specifies a date. This condition is true at or after the specified date.
Date To
Specifies a date. This condition is true before or at the specified date.
Day of Week
Specifies a day. The condition is true for the entire day (local time zone).
Day of Month
Specifies the numeric day of month. This condition is true for this day every month (local time zone).
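The conditions above are inclusive at both ends (at or after, before or at) and the two default rules are defined in terms of them. As an added example that is not part of this manual or the APM product, the following evaluates those conditions against a server timestamp and picks a branch. It assumes, as a simplification, that branch rules are tried in the order listed and the first true rule wins, and that naive timestamps are in the server's local time zone.

```python
from datetime import date, datetime, time

# Default branch rules from the Dynamic Date Time action, as stated on the page.
WEEKEND_DAYS = {5, 6}                     # datetime.weekday(): Saturday=5, Sunday=6
BUSINESS_HOURS = ("08:00", "17:00")       # 8:00am to 5:00pm


def _as_time(t):
    return time.fromisoformat(t) if isinstance(t, str) else t


def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


# One predicate per condition. Each takes the current datetime (local time)
# and the configured value; the comparisons are inclusive as the page states.
def time_from(now, t):       # true at or after the time of day
    return now.time() >= _as_time(t)

def time_to(now, t):         # true before or at the time of day
    return now.time() <= _as_time(t)

def date_from(now, d):       # true at or after the date
    return now.date() >= _as_date(d)

def date_to(now, d):         # true before or at the date
    return now.date() <= _as_date(d)

def day_of_week(now, days):  # true for the whole day
    return now.weekday() in days

def day_of_month(now, day):  # true on that numeric day, every month
    return now.day == day


def is_weekend(now):
    return day_of_week(now, WEEKEND_DAYS)

def is_business_hours(now):
    return time_from(now, BUSINESS_HOURS[0]) and time_to(now, BUSINESS_HOURS[1])


# Ordered (branch name, predicate) pairs; assumption: first match wins.
DEFAULT_RULES = [("Weekend", is_weekend), ("Business Hours", is_business_hours)]


def branch_for(iso_timestamp, rules=DEFAULT_RULES):
    """Return the name of the first branch rule that holds at the given
    ISO-8601 local timestamp, or 'fallback' when none does."""
    now = datetime.fromisoformat(iso_timestamp)
    for name, predicate in rules:
        if predicate(now):
            return name
    return "fallback"
```

Because the Weekend rule is listed first, a Saturday morning at 10:00 takes the Weekend branch even though it falls inside 8:00 to 17:00; a weekday at exactly 17:00:00 still counts as Business Hours, and one second later does not.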

About the Email action

An Email action can send email. An Email action provides these configuration options and elements:
SMTP Configuration
Specifies an SMTP configuration on the BIG-IP system.
From
Specifies the sender which can be a string or a session variable name or both. For example:
APM@vs-%{session.server.network.name}
To
Specifies the recipient. This can be a fully qualified email address or a session variable name; for example:
%{session.ad.last.attr.mail}
CC
Specifies recipients to be copied on the mail. This can be fully qualified email addresses or session variable names.
Subject
Specifies the subject of the email message. This can be a string, a session variable name, or a combination of strings and session variable names.
Message
Specifies the message to send. This can be a string, a session variable name, or a combination of strings and session variable names. Note: New lines should be specified with the <br/> tag.

About Endpoint State

Endpoint State provides simple branching rules to determine the endpoint state based on the Client Information data.

About the Empty action

An Empty action has no explicit configuration. The action allows a user to create rules only, using the Branch Rules tab.

About Firewall

The Firewall agent can continuously check whether the client endpoint has a firewall activated on Windows, Mac, and Linux systems. The system ends the session if the firewall check fails, and the client does not respond within five minutes.

About Hard Disk Encryption

The Hard Disk Encryption action checks for hard disk encryption software on a client computer. When this action includes checks for multiple hard disk encryption types, if one of the specified hard disk encryption types matches the software on the client system, the action passes, regardless of other hard disk encryption conditions that are specified in the item.
A Hard Disk Encryption action provides these settings and options:
Continuously check the result and end the session if it changes
Specifies Enabled or Disabled. When Enabled, if the client does not respond for five minutes, the server ends the session.
Platform
Specifies a platform. The default is Any. When a platform is selected, the Vendor ID and Product ID lists update to include the products and vendors that are supported for that platform according to the EPSEC package that is installed on the BIG-IP system.
A link to a report that includes the hard disk encryption software that Access Policy Manager currently supports is available on the BIG-IP system Welcome page.
Vendor ID
Specifies a vendor ID (from the list of supported vendors) or Any.
Product ID
Specifies a product ID (from the list of supported products) or Any.
Encryption State
Specifies one of these states:
  • Enabled
    When selected, the action verifies that all disk volumes are encrypted on the client.
  • Disabled
    When selected, the action verifies all disk volumes are not encrypted on the client.
  • Unspecified
    When selected, the action verifies that hard disk encryption software is installed on the client.
Version
Specifies a version; when specified, the Hard Disk Encryption action verifies the version of the software.

About HTTP 401 Response

The HTTP 401 Response action sends an HTTP 401 Authorization Required Response page to capture HTTP Basic or Negotiate authentication.
For a per-request policy subroutine, HTTP 401 Response supports HTTP Basic authentication only.
The HTTP 401 Response action provides up to three branches: Basic, Negotiate, and fallback. Typically, a basic type of authentication follows on the Basic branch and a Kerberos Auth action follows on the Negotiate branch.
An HTTP 401 Response action provides these configuration elements and options.
Basic Auth Realm
Specifies the authentication realm for use with Basic authentication.
HTTP Auth Level
Specifies the authentication required for the policy.
  • none
    - specifies no authentication.
  • basic
    - specifies Basic authentication only.
  • negotiate
    - specifies Kerberos authentication only.
    This option is not available for a per-request policy subroutine.
  • basic+negotiate
    - specifies either Basic or Kerberos authentication.
    This option is not available for a per-request policy subroutine.
The action provides customization options that specify the text to display on the screen.
Language
Specifies the language to use to customize this HTTP 401 response page. Selecting a language causes the content in the remaining fields to display in the selected language.
Languages on the list reflect those that are configured in the access profile.
Logon Page Input Field #1
Specifies the text to display on the logon page to prompt for input for the first field. When Language is set to en, this defaults to Username.
Logon Page Input Field #2
Specifies the text to display on the logon page to prompt for input for the second field. When Language is set to en, this defaults to Password.
HTTP response message
Specifies the text that appears when the user receives the 401 response, requesting authentication.
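The HTTP 401 Response action is described above in terms of the challenge it sends and the Basic, Negotiate and fallback branches it takes. The following is an added example, not APM code or text from this manual, that shows the standard HTTP mechanics behind that description: the WWW-Authenticate challenge values that correspond to each HTTP Auth Level option (an assumed mapping onto the standard RFC 7235 challenges), the Authorization header a client returns for Basic (RFC 7617), and a parser that sends malformed or unpermitted responses to fallback rather than trusting them. The realm and credentials are constructed sample values.

```python
import base64


def challenge_headers(auth_level, realm="APM"):
    """WWW-Authenticate header values the 401 response carries, one per
    scheme the HTTP Auth Level option permits. The mapping onto standard
    challenges is an assumption for illustration, not APM's internals."""
    basic = 'Basic realm="%s"' % realm.replace('"', "")
    levels = {
        "none": [],
        "basic": [basic],
        "negotiate": ["Negotiate"],
        "basic+negotiate": ["Negotiate", basic],
    }
    if auth_level not in levels:
        raise ValueError("unknown HTTP Auth Level: %r" % auth_level)
    return levels[auth_level]


def basic_header(username, password):
    """Authorization header a client sends after a Basic challenge:
    base64 of 'username:password' (RFC 7617)."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def classify_authorization(header_value, auth_level="basic"):
    """Map the client's Authorization header onto the action's branches.
    Returns a dict whose 'branch' is 'Basic', 'Negotiate' or 'fallback'.
    For Basic, the decoded username and password are included so that a
    following authentication action can check them. A missing header, a
    scheme the configured level does not permit (for a subroutine, only
    Basic is allowed), or a token that is not valid base64 or lacks the
    ':' separator all go to fallback."""
    allowed = {h.split(" ")[0] for h in challenge_headers(auth_level)}
    if not header_value:
        return {"branch": "fallback"}
    scheme, _, rest = header_value.strip().partition(" ")
    scheme = scheme.capitalize()       # scheme names are case-insensitive
    rest = rest.strip()
    if scheme not in allowed or not rest:
        return {"branch": "fallback"}
    if scheme == "Negotiate":
        return {"branch": "Negotiate", "token": rest}
    try:
        decoded = base64.b64decode(rest, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return {"branch": "fallback"}
    username, sep, password = decoded.partition(":")
    if not sep:
        return {"branch": "fallback"}
    return {"branch": "Basic", "username": username, "password": password}
```

The per-request subroutine restriction on the page (Basic only) falls out of the permitted-scheme check: with `auth_level="basic"`, a Negotiate token is routed to fallback instead of the Negotiate branch.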

About HTTP Auth

An HTTP Auth action authenticates a user against an HTTP AAA server. An HTTP Auth action provides these configuration elements and options:
AAA Server
Specifies an HTTP AAA server; servers are defined in the Access > Authentication area of the Configuration utility.

About HTTP Connector

An HTTP Connector action allows you to insert an HTTP Connector request in a per-request policy subroutine. The HTTP Connector action can then be configured with rules based on the results of the HTTP Connector request.
You can only insert an HTTP Connector action in a subroutine.
The HTTP Connector item provides this configuration option.
HTTP Connector Request
Select the HTTP Connector Request that you want to insert in the subroutine. The HTTP Connector Request, as defined on the BIG-IP, is submitted, using the parameters defined in the HTTP Connector Request and the associated HTTP Connector Transport.

About IP Protocol Lookup

This agent is used to identify Layer 4 protocol such as TCP or UDP. For example, a value of 6 is TCP and 17 is UDP.

About iRule Event

An iRule Event action adds iRule processing to an access policy or to a per-request policy subroutine at a specific point. An iRule Event provides one configuration option: ID, which specifies an iRule event ID.
iRule event access policy items must be processed and completed before the access policy can continue.
An iRule Event action can occur anywhere in an access policy or a per-request policy subroutine.

About LDAP Auth

An LDAP Auth action authenticates a user against an AAA LDAP server. An LDAP Auth action provides these configuration elements and options.
When configured in a per-request policy subroutine, some screen elements and options described here might not be available.
Type
Specifies Authentication, the type of this LDAP action.
Server
Specifies an LDAP server; servers are defined in the Access > Authentication area of the Configuration utility.
SearchDN
Specifies the base node of the LDAP server search tree to start the search with.
SearchFilter
Specifies the search criteria to use when querying the LDAP server for the user's information. Session variables are supported as part of the search query string. Parentheses are required around search strings; for example, (sAmAccountName=%{session.logon.last.username}).
UserDN
Specifies the Distinguished Name (DN) of the user. The DN can be derived from session variables.
Show Extended Error
When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended for use only in a testing or debugging environment, not in production. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, non-comprehensive error messages generated by the authentication server are displayed on the user's logon page.)
Max Logon Attempts Allowed
Specifies the number of user authentication logon attempts to allow. A complete logon and password challenge and response is considered as one attempt. The default value is 3. You can set this field to a value of 1-5.
For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.
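The SearchFilter above (and the identical one in LDAP Query) substitutes a session variable into an LDAP filter. The value in that variable comes from what the user typed on the logon page, so the substituted text must be escaped as RFC 4515 requires or a value containing filter metacharacters would change the shape of the query instead of being matched literally. The following is an added illustration of what a filter-safe substitution looks like; it is not APM's code and makes no claim about how APM performs the substitution internally. The session data is constructed.

```python
import re

# %{name} references, as used in APM session-variable expansion.
_VAR_RE = re.compile(r"%\{([A-Za-z0-9_.\-]+)\}")


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515):
    '*', '(', ')', '\\' and NUL become \\XX hex escapes, so the value is
    compared literally and cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(template, variables):
    """Expand %{session.variable} references in a SearchFilter template with
    each value escaped, then check the result is wrapped in parentheses as
    the page requires. Raises KeyError for an unset variable and ValueError
    for a filter that is not parenthesised."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError("session variable not set: " + name)
        return ldap_escape(variables[name])

    result = _VAR_RE.sub(substitute, template.strip())
    if not (result.startswith("(") and result.endswith(")")):
        raise ValueError("search filter must be enclosed in parentheses: " + result)
    return result


# Constructed session data for the demonstration (not from a BIG-IP system).
SAMPLE_SESSION = {"session.logon.last.username": "jsmith"}
FILTER_TEMPLATE = "(sAmAccountName=%{session.logon.last.username})"
```

With an ordinary username the filter comes out exactly as written on the page; a username containing `*` or parentheses is encoded as `\2a`, `\28` and `\29`, so the directory looks for that literal string rather than treating it as wildcard or grouping syntax.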

About LDAP Query

An LDAP Query action performs a query against an AAA LDAP server. An LDAP Query action provides these configuration elements and options:
Type
Specifies Query, the type of this LDAP action.
Server
Specifies an LDAP server; servers are defined in the Access > Authentication area of the Configuration utility.
SearchDN
Specifies the base node of the LDAP server search tree to start the search with.
SearchFilter
Specifies the search criteria to use when querying the LDAP server for the user's information. Session variables are supported as part of the search query string. When strings are used, they must be enclosed in parentheses; for example, (sAmAccountName=%{session.logon.last.username}).
Show Extended Error
When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended for use only in a testing or debugging environment, not in production. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, non-comprehensive error messages generated by the authentication server are displayed on the user's logon page.)
Fetch groups to which the user or group belong
Specifies how to fetch groups; associates the groups to the user or the group.
  • None
    - Do not fetch groups.
  • Direct
    - Fetch only those groups to which the user or group belong directly.
  • All
    - Fetch groups to which the user or group belong directly; then fetch all groups that are nested under those groups. For example, if the user belongs to Group 1 and Group 2, and Group 1 is a member of Group 3 and Group 4, selecting All associates all four groups to the user. Alternatively, if the group is Group 1, selecting All associates Group 3 and Group 4 to Group 1.
Fetch users that belong to the group
Specifies how to fetch users that are members of the group; associates the users to the group.
  • None
    - Do not fetch users.
  • Direct
    - Fetch only those users that belong to the group directly.
  • All
    - Fetch users that belong to the group directly and, if other groups are nested under the group, fetch users that belong to those groups also. For example, if the group (for example, Group 1) is a member of Group 3 and Group 4, selecting All associates the members (users) of all three groups to the group.
Required Attributes (optional)
By default, the server loads all user attributes if no required attributes are specified. However, system performance can improve if fewer attributes are returned.

About LocalDB Auth

The LocalDB Auth action can authenticate a user against a local user database instance. The LocalDB Auth action can lock a user out of a local user database instance if they fail to log on within a specified number of attempts.
For enhanced security, Local Database actions should typically be placed before and after a LocalDB Auth action to read and write user information, in order to track non-static users (those not created by an administrator) that repeatedly attempt to log on and fail.
A LocalDB Auth action provides these configuration elements and options.
LocalDB Instance
Specifies a local user database instance.
Max Logon Attempts Allowed
A number from 1 to 5.
For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.

About the Logging action

The Logging action can be used in an access policy or in a per-request policy. In an access policy, the Logging action adds logging for session variables to the access policy. In a per-request policy, the Logging action can add logging for both session variables and perflow variables to the per-request policy.
This action is useful for tracing the variables that are created for a specific category, or in a specific branch.
A session variable might or might not exist at the time of logging, depending on the result of the access policy branch or the results of processing the access policy.
The Logging action provides these configuration elements and options:
Log Message
For an access policy, specifies text to add to the log file. For a per-request policy, specifies the message text and the session and per-flow variables to add to the message. Complete variable names must be typed. Wildcards are not supported for per-request policies. An example log message for a per-request policy follows.
The system found this URL %{perflow.category_lookup.result.url} in these categories %{perflow.category_lookup.result.categories} and placed it into this category %{perflow.category_lookup.result.primarycategory}.
An HTTPS request was made to this host %{perflow.category_lookup.result.hostname}; the per-request policy set SSL bypass to %{perflow.ssl_bypass_set}.
Requests from this platform %{session.client.platform} were made during this session %{perflow.session.id}.
Add new entry
Specify actions that read from and write to specific database properties. Click the Add New Entry button to add a new logging agent to the action.
Session Variables
Specifies a session variable from a list of predefined session variables or a custom session variable.
This option is available only when adding the Logging action to an access policy.
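The Email action's From and To fields and the Logging action's Log Message above both embed variables with the %{name} syntax, and the page notes that a variable may not exist yet when the message is written and that wildcards are not supported. The following is an added example, not APM's implementation or text from this manual, of that expansion: every exactly-named reference is replaced, an unset variable expands to an empty string, and a name containing a wildcard is left untouched. The variable values are constructed sample data, and a helper reports which referenced variables are unset so a message can be checked before a policy relies on it.

```python
import re

# Constructed sample variable store, as the session and perflow variables
# might look when an Email or Logging action runs (example data only, not
# captured from a BIG-IP system).
SAMPLE_VARS = {
    "session.server.network.name": "vs_portal",
    "session.ad.last.attr.mail": "jsmith@example.com",
    "session.client.platform": "Win10",
    "perflow.session.id": "0a1b2c3d",
    "perflow.category_lookup.result.url": "https://www.example.com/news",
    "perflow.category_lookup.result.categories": "News, Business",
    "perflow.category_lookup.result.primarycategory": "News",
}

# A %{name} reference. The character class has no wildcard, so %{session.*}
# does not match and stays literal, which is the page's "no wildcards" rule.
_VAR_RE = re.compile(r"%\{([A-Za-z0-9_.\-]+)\}")


def expand(template, variables, missing=""):
    """Replace every %{name} reference in `template` with the variable's
    value. A name that is not set expands to `missing` (empty by default),
    which is how an unset variable shows up as a blank in a log line."""
    return _VAR_RE.sub(lambda m: str(variables.get(m.group(1), missing)), template)


def unresolved(template, variables):
    """Names referenced by `template` that are not set in `variables`,
    sorted; useful for checking a Log Message or an address field before
    depending on it in a policy."""
    return sorted({name for name in _VAR_RE.findall(template) if name not in variables})


# The page's own From, To and Log Message examples, used as templates.
FROM_TEMPLATE = "APM@vs-%{session.server.network.name}"
TO_TEMPLATE = "%{session.ad.last.attr.mail}"
LOG_TEMPLATE = (
    "An HTTPS request was made to this host %{perflow.category_lookup.result.hostname}; "
    "the per-request policy set SSL bypass to %{perflow.ssl_bypass_set}."
)
```

Running the page's SSL-bypass log message against the sample store shows the failure mode the page warns about: neither `perflow.category_lookup.result.hostname` nor `perflow.ssl_bypass_set` is set, so both render as blanks, and `unresolved()` names them.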

About Logon Page

A logon page action prompts for a user name and password, or other identifying information. The logon page action typically precedes the authentication action that checks the credentials provided on the logon page. The logon page action provides up to five customizable fields and enables localization.
The logon page action provides these configuration options and elements.
When configured in a per-request subroutine, some screen elements and options described here might not be available.
Split domain from full username
Specifies Yes or No.
  • Yes
    - specifies that when a username and domain combination is submitted (for example, marketing\jsmith or jsmith@marketing.example.com), only the username portion (in this example, jsmith) is stored in the session variable session.logon.last.username.
  • No
    - specifies that the entire username string is stored in the session variable.
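Both username forms the page mentions (down-level `DOMAIN\user` and UPN `user@domain`) have to be recognised for the Yes setting to store only the username portion. The following is an added example, not APM's code, of that split and of the value each setting leaves in session.logon.last.username; the treatment of whitespace and of a bare username with no domain is an assumption for the illustration.

```python
def split_domain(full_username):
    """Return (username, domain) for the two forms on the page:
    'marketing\\jsmith' (domain before a backslash) and
    'jsmith@marketing.example.com' (domain after the last '@').
    A bare username yields domain None. Surrounding whitespace is stripped
    (an assumption for this example)."""
    name = full_username.strip()
    if "\\" in name:
        domain, _, user = name.partition("\\")
        return user, (domain or None)
    if "@" in name:
        # rpartition so an '@' inside the local part does not split early
        user, _, domain = name.rpartition("@")
        return user, (domain or None)
    return name, None


def logon_username(full_username, split_domain_setting="Yes"):
    """Value stored in session.logon.last.username for the Split domain from
    full username setting: only the username portion for Yes, the entire
    submitted string for No."""
    if split_domain_setting == "No":
        return full_username
    if split_domain_setting != "Yes":
        raise ValueError("setting must be Yes or No")
    return split_domain(full_username)[0]
```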
CAPTCHA configuration
Specifies a CAPTCHA configuration to present for added CAPTCHA security on the logon page.
Type
Specifies the type of logon page input field: text, password, select, checkbox, or none.
  • text
    Displays a text field, and shows the text that is typed in that field.
  • password
    Displays an input field, but displays the typed text input as asterisks.
  • select
    Displays a list. The list is populated with values that are configured for this field.
  • checkbox
    Displays a check box.
  • none
    Specifies that the field is not displayed on the logon page.
Post Variable Name
Specifies the variable name that is prepended to the data typed in the text field. For example, the POST variable username sends the user name input omaas as the POST string username=omaas.
Session Variable Name (or Subsession Variable Name)
Specifies the session variable name that the server uses to store the data typed in the text field. For example, the session variable username stores the username input omaas as the session variable string session.logon.last.username=omaas.
A per-request policy subroutine uses subsession variables in place of session variables.
Clean Variable
Specifies whether to clear any value from the variable before presenting the logon page to the user; to clean the variable, select Yes. Defaults to No.
Values
Specifies values for use on the list when the input field type is select.
Read Only
Specifies whether the logon page agent is read-only, and always used in the logon process as specified. You can use Read Only to add logon POST variables or session variables that you want to submit from the logon page for every session that uses this access policy, or to populate a field with a value from a session variable. For example, you can use the On-Demand Certificate agent to extract the CN (typically the user name) field from a certificate, then you can assign that variable to session.logon.last.username. In the logon page action, you can specify session.logon.last.username as the session variable for a read-only logon page field that you configure. When Access Policy Manager displays the logon page, this field is populated with the information from the certificate CN field (typically the user name).
Additionally, customization options specify text and an image to display on the screen.
Language
Specifies the language to use to customize this logon page. Selecting a language causes the content in the remaining fields to display in the selected language.
Languages on the list reflect those that are configured in the access profile.
Form Header Text
Specifies the text that appears at the top of the logon box.
Logon Page Input Field #number
Specifies the text to display for each input field (number 1 through 5) that is defined in the Logon Page Agent area with Type set to other than none.
Logon Button
Specifies the text that appears on the logon button, which a user clicks to post the defined logon agents.
Front Image
Specifies an image file to display on the logon page. The Replace Image link enables customization, and the Revert to Default Image link discards any customization and uses the default logon page image.
Save Password Check Box
Specifies the text that appears adjacent to the check box that allows users to save their passwords in the logon form. This field is used only in the secure access client, and not in the web client.
New Password Prompt
Specifies the prompt displayed when a new Active Directory password is requested.
Verify Password Prompt
Specifies the prompt displayed to confirm the new password when a new Active Directory password is requested.
Password and Password Verification do not Match
Specifies the prompt displayed when a new Active Directory password and verification password do not match.
Don't Change Password
Specifies the prompt displayed when a user should not change password.
Change Password
Specifies the message that is displayed to the user when they need to change the password.
Logon Page Original URL
Specifies the text to display in a link for a user who is already logged on.
Yes
Specifies a possible response to a logon page query or challenge.
No
Specifies a possible response to a logon page query or challenge.

About Managed Endpoint Notification

The Managed Endpoint Notification action sends a push notification of an unauthorized device access to a client device through an endpoint management system.
The Managed Endpoint Notification action provides these settings and options:
Endpoint Management System
Specifies the endpoint management system. The default is None. Select the endpoint management system server you want to use from the list.
Message
Specifies a push notification message that is sent to a client device through an endpoint management system.

About Managed Endpoint Status

The Managed Endpoint Status action checks for device compliance against the configured Endpoint Management System (EMS). You can configure an access policy to perform compliance checks for connected devices.
The Managed Endpoint Status action provides the following settings:
Endpoint Management System
Specifies the endpoint management system. The default is None. Select the endpoint management system server you want to use from the list.
By default, the Managed Endpoint Status action includes these branches:
compliant
Indicates the user is connecting with a device compliant with the configured Endpoint Management System.
not compliant
Indicates the user is connecting with a device not compliant with the configured Endpoint Management System.
fallback
Indicates the user is connecting with another method.

About the Message Box action

A Message Box action presents a message to the user, and prompts the user to click a link to continue. The message box has no effect on the user's access to the network or the preceding or following access policy checks. A message box can be used, for example, to warn a user about a redirect to a guest network, or that the client certificate failed to authenticate, or to display a message about the results of a rule branch in the access policy.
A Message Box action provides these configuration elements and options:
Language
Specifies the language to use to customize this logon page. When a user selects a language, the content in the remaining fields displays in the selected language.
Languages on the list reflect those that are configured in the access profile.
Message
Specifies the message to present to the user.
Link
Specifies the message that appears as the link text.

About OAuth Client

An OAuth Client agent is a policy item that requests authorization and tokens from an OAuth server. An OAuth Client can also get scope data on a per-request basis. The OAuth Client agent provides these configuration elements and options:
Using Dynamic Server
Specifies whether to dynamically select OAuth servers based on the configured session variable.
Using Dynamic Server, you can provision a single authorization server to multiple clients in a user group, or multiple authorization servers to various clients, using the same session variable. Defaults to Disabled.
  • Disabled
    - The client directs requests to the OAuth server selected in the Server drop-down list.
  • Enabled
    - The client uses session variables to dynamically select the OAuth server assigned to the client. You can assign the session variable for the OAuth server to which this client directs requests using an iRule or a Variable Assign action. Enabling this option displays the Dynamic Server field.
Dynamic Server
Specifies the session variable used to dynamically select the OAuth server to which this client directs requests; for example, %{session.oauth.clientserver}.
You can assign the session variable for the OAuth server to which this client directs requests using an iRule or a Variable Assign action. Displays when Using Dynamic Server is set to Enabled.
Server
Specifies the OAuth server to which this OAuth client directs requests.
Grant Type
Specifies the type of grant that the OAuth client uses.
  • Authorization code
    - The client redirects the resource owner to the OAuth server to request an authorization code.
  • Password
    - The client uses resource owner password credentials to request an access token from the OAuth server.
OpenID Connect
Specifies whether the agent uses OpenID Connect for authorization. Displays when Grant Type is set to Authorization code. Defaults to Disabled.
To function correctly when enabled, the OAuth provider (associated with the selected Server) must be configured to support JSON web tokens.
OpenID Connect Flow Type
Specifies the OpenID Connect flow type to use: Authorization code or Hybrid. Displays when OpenID Connect is set to Enabled.
OpenID Connect Hybrid Response Type
Specifies the response type to use for an OpenID Connect hybrid flow: code-idtoken, code-token, or code-idtoken-token. Displays when OpenID Connect Flow Type is set to Hybrid.
Authentication Redirect Request
Specifies an auth-redirect-request type request, which redirects a user to an OAuth server. Displays when Grant Type is set to Authorization code.
Token Request
Specifies a token-request type request.
Refresh Token Request
Specifies a token-refresh-request type request. APM uses this request on a per-request basis.
OpenID Connect UserInfo Request
Specifies an openid-userinfo-request type request. Displays when OpenID Connect is set to Enabled. JWT access tokens can be submitted for an OpenID Connect UserInfo request; however, issuing id_tokens alongside an opaque token is not supported.
Redirection URI
Specifies the URI to which the OAuth server redirects a user back to the OAuth client. Displays when Grant Type is set to Authorization code.
Scope
Specifies one or more strings separated by spaces; for example, contacts photo email. The strings are defined by the OAuth authorization server. Your best source of information for the strings that a particular OAuth authorization server defines is the OAuth 2.0 scope documentation on that provider's developer site.
For the Authorization code grant type, an OAuth authorization server prompts the user to grant or deny access to the scopes. For the Password grant type, an OAuth authorization server grants permission to the requested scopes based on the user providing resource owner password credentials.
Requests are configured in the Access > Federation > OAuth Client / Resource Server > Requests area of the product.

About OAuth Logon

The OAuth logon page action prompts for a user name and password, or other identifying information. This action creates a logon page in a per-session policy (or in a per-request policy subroutine), and is typically added before the authentication action that checks the credentials provided on the logon page. The logon page action provides customizable fields and enables localization.
The OAuth logon page action provides these configuration options and elements.
When configured in a per-request subroutine, some screen elements and options described here might not be available.
Split domain from full username
Specifies Yes or No.
  • Yes
    - specifies that when a username and domain combination is submitted (for example, marketing\jsmith or jsmith@marketing.example.com), only the username portion (in this example, jsmith) is stored in the session variable session.logon.last.username.
  • No
    - specifies that the entire username string is stored in the session variable.
CAPTCHA configuration
Specifies a CAPTCHA configuration to present for added CAPTCHA security on the logon page.
Type
Specifies the type of logon page input field: text, password, select, checkbox, or none.
  • text
    Displays a text field, and shows the text that is typed in that field.
  • password
    Displays an input field, but displays the typed text input as asterisks.
  • select
    Displays a list. The list is populated with values that are configured for this field.
  • checkbox
    Displays a check box.
  • radio
    Displays radio buttons; users select among buttons labeled with values that they configure for this field.
  • none
    Specifies that the field is not displayed on the logon page.
Post Variable Name
Specifies the variable name that is prepended to the data typed in the text field. For example, the POST variable username sends the user name input omaas as the POST string username=omaas.
Session Variable Name (or Subsession Variable Name)
Specifies the session variable name that the server uses to store the data typed in the text field. For example, the session variable username stores the username input omaas as the session variable string session.logon.last.username=omaas.
A per-request policy subroutine uses subsession variables in place of session variables.
Clean Variable
Specifies whether to clear any value from the variable before presenting the logon page to the user; to clean the variable, select Yes. Defaults to No.
Values
Specifies values for use for a select or radio type logon page input field. To configure values, click the field. A popup window opens where users can specify values and any text that they want to display in place of a value.
Read Only
Specifies whether the logon page agent is read-only, and always used in the logon process as specified. You can use Read Only to add logon POST variables or session variables that you want to submit from the logon page for every session that uses this access policy, or to populate a field with a value from a session variable. For example, you can use the On-Demand Certificate agent to extract the CN (typically the user name) field from a certificate, then you can assign that variable to session.logon.last.username. In the logon page action, you can specify session.logon.last.username as the session variable for a read only logon page field that you configure. When Access Policy Manager displays the logon page, this field is populated with the information from the certificate CN field (typically the user name).
Additionally, customization options specify text and an image to display on the screen.
Import
Click Import to import a previously exported logon customization file.
Language
Specifies the language to use to customize this logon page. Selecting a language causes the content in the remaining fields to display in the selected language.
Languages on the list reflect those that are configured in the access profile.
Form Header Text
Specifies the text that appears at the top of the logon box.
Logon Page Input Field # number
Specifies the text to display for each input field (number 1 through 4) that is defined in the Logon Page Agent area with Type set to other than none.
Input Field # number Values
Specifies values that are used to label radio buttons (for the radio type of logon page input field) or values to include on a list (for the select type of logon page input field).
Logon Button
Specifies the text that appears on the logon button, which a user clicks to post the defined logon agents.
Front Image
Specifies an image file to display on the logon page. The Replace Image link enables customization, and the Revert to Default Image link discards any customization and uses the default logon page image.
Save Password Check Box
Specifies the text that appears adjacent to the check box that allows users to save their passwords in the logon form. This field is used only in the secure access client, and not in the web client.
New Password Prompt
Specifies the prompt displayed when a new Active Directory password is requested.
Verify Password Prompt
Specifies the prompt displayed to confirm the new password when a new Active Directory password is requested.
Password and Password Verification do not Match
Specifies the warning that the user sees when the passwords typed in the New Password Prompt and Verify Password Prompt boxes do not match.
Don't Change Password
Specifies the prompt displayed when a user should not change password.
Change Password
Specifies the message that is displayed to the user when they need to change the password.
Logon Page Original URL
Specifies the text to display in a link for a user who is already logged on.
Yes
Specifies a possible response to a logon page query or challenge.
No
Specifies a possible response to a logon page query or challenge.

About OAuth Scope

The OAuth Scope agent validates JSON web tokens (JWT) or validates scopes for opaque tokens. The OAuth Scope item provides these elements and options:
Token Validation Mode
  • Internal
    - In this mode, the agent validates JSON web tokens (JWT).
  • External
    - In this mode, the agent makes requests to an OAuth authorization server to get scopes associated with a token and to get scope data, such as a user's email address or contact list.
JWT Provider List
Specifies a list of OAuth providers that support JWT. The agent validates JWT from any of these providers when configured. Displays when Token Validation Mode is set to Internal.
Provider lists are configured in the Access > Federation > JSON Web Token > Provider List area of the product.
Using Dynamic Server
Specifies whether to dynamically select OAuth servers based on the configured session variable.
Using Dynamic Server, you can provision a single authorization server to multiple clients in a user group, or multiple authorization servers to various clients, using the same session variable. Defaults to Disabled.
  • Disabled
    - The client directs requests to the OAuth server selected in the Server drop-down list.
  • Enabled
    - The client uses session variables to dynamically select the OAuth server assigned to the client. You can assign the session variable for the OAuth server to which this client directs requests using an iRule or a Variable Assign action. Enabling this option displays the Dynamic Server field.
Dynamic Server
Specifies the session variable used to dynamically select the OAuth server to which this client directs requests; for example, %{session.oauth.clientserver}.
You can assign the session variable for the OAuth server to which this client directs requests using an iRule or a Variable Assign action. Displays when Using Dynamic Server is set to Enabled.
Server
Specifies the OAuth server from which to request scope data or to request the list of scopes associated with an access token. Displays when Token Validation Mode is set to External and Using Dynamic Server is set to Disabled.
Scopes Request
Specifies a validation-scopes-request type request. This request type retrieves a list of scopes associated with the token. Displays when Token Validation Mode is set to External.
OpenID Connect UserInfo Request
Specifies an openid-userinfo-request type request where the client sends the request using either GET or POST. Displays when Token Validation Mode is set to External.
In External mode, you can add multiple scope data requests to the agent. Click Add New Entry and specify:
Scope Name
Specifies the name of a scope for which you are requesting data. (The external OAuth provider specifies the names of the scopes that it supports.)
Request
Specifies a scope-data-request type request. This is optional. If the provider does not require this type of request to obtain additional information from an authorization server, you do not need to fill in this field.
You can configure requests in the Access > Federation > OAuth Client / Resource Server > Requests area of the product.

About OCSP Auth

An OCSP Auth action retrieves the revocation status of an X.509 certificate by sending the certificate information to a remote Online Certificate Status Protocol (OCSP) responder. Typically, an OCSP Auth action follows an action that receives an X.509 certificate. Either a Client Cert Inspection or On-Demand Cert Auth action can receive the X.509 certificate from a user. Either action populates session variables with data that OCSP Auth uses. Similarly, a Machine Cert Auth action can receive an X.509 certificate from a machine and populate session variables.
A CRLDP Auth action is valid for use in a per-request policy subroutine when placed after an On-Demand Cert Auth action.
An OCSP Auth action provides these configuration elements and options:
OCSP Responder
Specifies the OCSP Responder AAA configuration object, defined in the Access Policy AAA servers area of the Configuration utility.
Certificate Type
Specifies the expected type of certificate: User or Machine.

About Okta MFA

In a subroutine in a per-request policy, the Okta MFA agent performs multifactor authentication (MFA) using the Okta service. The Okta MFA agent specifies the Okta Connector and the MFA prompt in the per-request policy subroutine. Many customization options allow you to adjust the wording of the MFA prompts.
The Okta MFA agent uses the subsession.logon.last.username variable for Okta queries from current or previously executed subroutines. It creates the following output variables:
  • subsession.okta_mfa.result, which contains 1 in the case of a successful authentication or enrollment.
  • subsession.okta_mfa.factor, which stores the factor name (okta_totp, okta_push, or yubico_otp) when authentication is successful.
The Okta MFA agent has two branches: Successful and fallback. The Successful branch expression should specify:
expr {[mcget {subsession.okta_mfa.result}] == 1}
The Okta MFA action provides these configuration elements and options:
Okta Connector
Specifies the Okta Connector to use with the action. The Okta Connector defines Okta API parameters (Okta Org domain and Okta API token), and refers to an associated HTTP Connector Transport object (for SSL and DNS settings).
Language
Specifies the language to use to customize the Okta MFA page. Selecting a language causes the content in the remaining fields to display in the selected language.
Languages on the list reflect those that are configured in the access profile.
Reset all defaults
Reset all the values to the defaults provided by the system.
Display name for Okta Verify factor
Specifies the title on the MFA screen, such as Okta verify.
TOTP caption
Specifies the label asking for the code provided for TOTP authentication, such as Enter code.
Push caption
Specifies the label requesting Push authentication, such as Send push.
Enter code caption
Specifies the label requesting a code, such as Or enter code.
Code error caption
Specifies the message to display if the user typed the code incorrectly.
Okta Verify enrollment setup message
Specifies that the user must set up multifactor authentication for Okta Verify.
Multifactor authentication enrollment setup text
Specifies the message that the user needs to set up MFA authentication. For example: Company requires multifactor authentication to use additional layer of security when signing in to your account.
Download mobile app and QRCode scan description
Specifies the instructions to download the Okta Verify mobile app. For example: Download and launch Okta Verify application on your mobile device and select Add an account to scan QR code.
Can't scan QR Code caption
Specifies the text to display if the QRCode cannot be scanned. For example: More options to enroll.
Add account using secret key message
Specifies the text when the user is enrolling using a secret key. For example: Enter your username and below secret key in Okta MFA App to add account.
Invalid Phone number error
Specifies the text asking the user to enter a valid phone number.
Please enter phone number
Specifies the text asking the user to enter a phone number.
Activation sms link sent message
Specifies the text of the message when the Activation link has been sent to your cell phone, which is included dynamically in the message.
Activation email link sent message
Specifies the text of the message when the Activation link has been sent to your registered email at Okta account.
Send link via Sms caption
Specifies the caption for the button to enroll via SMS.
Send link via email caption
Specifies the caption for the button to enroll via email.
Setup without push caption
Specifies the caption for the Setup without sending a push, such as Enroll manually without push.
Display name for YubiKey factor
Specifies the caption to select YubiKey authentication.
YubiKey message
Specifies the text that explains how to use the YubiKey for authentication, such as Insert your YubiKey into a USB port and tap it to generate a verification code.
Next caption
Specifies the caption for the Next button.
Back caption
Specifies the caption for the Back button.
Verify caption
Specifies the caption for the Verify button.
Enrollment text shown along with factor name. Factor name will be added dynamically
Specifies the enrollment text shown together with the factor name. To insert the factor name, specify [FACTOR_NAME] anywhere in the text exactly as shown.

About On-Demand Cert Auth

Typically, when a client makes an HTTPS request, an SSL handshake request occurs at the start of an SSL session. If the client SSL profile skips the initial SSL handshake, an On-Demand Cert Auth action can re-negotiate the SSL connection from an access policy by sending a certificate request to the user. This prompts a certificate screen to open. After the user provides a valid certificate, the On-Demand Cert Auth action checks the result of certificate authentication. The agent verifies the value of the session variable session.ssl.cert.valid to determine whether authentication was a success.
When configuring on-demand certificate authentication in a per-request policy, avoid having any other agent before the On-Demand Cert Auth agent if the client SSL profile on the virtual server has the Client Certificate field set to ignore. This configuration makes the per-request policy re-execute the subroutine when it reaches the On-Demand Cert Auth agent, which can cause the per-request policy to go to an unexpected branch on each agent located before the On-Demand Cert Auth agent.
The On-Demand Cert Auth action provides one configuration option, Auth Mode, with two supported modes:
Request
With this mode, the system requests a valid certificate from the client, but the connection does not terminate if the client does not provide a valid certificate. Instead, this action takes the fallback route in the access policy. This is the default option.
Require
With this mode, the system requires that a client provides a valid certificate. If the client does not provide a valid certificate, the connection terminates and the client browser stops responding.
For an iPod or an iPhone, the Require setting must be used for On-Demand certificate authentication. To pass a certificate check using Safari, the user is asked to select the certificate multiple times. This is expected behavior.
On-demand certificate authentication does not work when added to a subroutine for a per-request policy that is part of a forward proxy configuration.

About OTP Generate

The OTP Generate action can generate a one-time use time-limited password. This action does not send the one-time password to a user. Typically, an OTP Generate action precedes other actions that send the password (the Email action, for example) and then verify it (OTP Verify action). The OTP Generate action provides these configuration options:
OTP length
Specifies the length of the one-time password. Defaults to 6.
OTP timeout
Specifies the number of seconds that the password is valid. Defaults to 300.

About OTP Verify

In an access policy, the OTP Verify action checks for a match between a user-entered password and the one-time password generated previously by the OTP Generate action. The OTP Verify action also verifies that the one-time password has not expired. The OTP Verify action provides this configuration option:
Max Logon Attempts Allowed
Limits the number of logon attempts.
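As an added illustration (not F5's implementation), this Python sketch models what OTP Generate and OTP Verify enforce together: a CSPRNG-generated numeric code of OTP length digits, an OTP timeout in seconds, single use, and a Max Logon Attempts Allowed lockout. The OtpState record, the function names and the string result codes are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Defaults mirror the OTP Generate settings: 6 digits, valid for 300 seconds.
DEFAULT_OTP_LENGTH = 6
DEFAULT_OTP_TIMEOUT = 300


@dataclass
class OtpState:
    """Hypothetical record of what OTP Generate leaves behind for OTP Verify
    (in APM this lives in session variables; the field names are assumed)."""
    code: str
    issued_at: float
    timeout: int
    attempts: int = 0
    used: bool = False


def otp_generate(length: int = DEFAULT_OTP_LENGTH,
                 timeout: int = DEFAULT_OTP_TIMEOUT,
                 now: Optional[float] = None) -> OtpState:
    """Generate a numeric one-time password.

    Each digit is drawn independently from a CSPRNG (secrets.randbelow), so
    the code is uniform over all 10**length values. Like the APM action, this
    only creates the code; delivery (for example by the Email action) happens
    elsewhere.
    """
    if length < 1 or timeout < 1:
        raise ValueError("OTP length and timeout must be positive")
    code = "".join(str(secrets.randbelow(10)) for _ in range(length))
    issued_at = time.time() if now is None else now
    return OtpState(code=code, issued_at=issued_at, timeout=timeout)


def otp_verify(state: OtpState, submitted: str,
               max_attempts: int = 3,
               now: Optional[float] = None) -> str:
    """Check a user-entered code against the generated OTP.

    Returns "ok", "expired", "used", "locked" or "mismatch". Expiry is
    checked before anything else, the code can succeed only once, and the
    attempt counter models Max Logon Attempts Allowed so that a short numeric
    code cannot be guessed online within its validity window.
    """
    now = time.time() if now is None else now
    if now - state.issued_at > state.timeout:
        return "expired"
    if state.used:
        return "used"
    if state.attempts >= max_attempts:
        return "locked"
    state.attempts += 1
    # Constant-time comparison so timing does not reveal matching prefixes.
    if hmac.compare_digest(state.code.encode(), submitted.strip().encode()):
        state.used = True
        return "ok"
    return "locked" if state.attempts >= max_attempts else "mismatch"
```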

About Patch Management

The Patch Management action can check for patch management software on the client system. When this action includes checks for multiple patch management types, if one specified type matches, the action passes, regardless of other conditions that are specified in the action.
The Patch Management action provides the following configuration elements and options:
Continuously check the result and end the session if it changes
Specifies Enabled or Disabled.
When Enabled, if the client does not respond for five minutes, the server ends the session.
Platform
Specifies a platform. The default is Any. When a platform is selected, the Vendor ID and Product ID lists update to include the products and vendors that are supported for that platform according to the EPSEC package that is installed on the BIG-IP system.
A link to a report that includes the antivirus software that Access Policy Manager currently supports is available on the BIG-IP system Welcome page.
Vendor ID
Specifies a vendor ID (from the list of supported vendors) or Any.
Product ID
Specifies a product ID (from the list of supported products) or Any.
Automatic Updates
Specifies one of these values:
  • Enabled
    When selected, the action verifies that patch management software is running on the client system.
  • Disabled
    When selected, the action verifies that patch management software is not running on the client system.
  • Unspecified
    When selected, the action does not perform either verification.
Version
Specifies a version; when specified, the Patch Management action verifies the version of the software.
Max Allowed No. of Missing Critical Updates
Specifies a number; when specified, the action verifies that the number of missing critical updates for the software is less than this number.

About Proxy Select

The Proxy Select agent is for use in selecting the next hop in forward proxy chaining. The Proxy Select agent provides these elements and options:
Pool
Specifies a pool of one or more proxy servers from which to select the next hop. All proxy servers in the pool that you select must support the forward proxy mode that you specify in the Upstream Proxy Mode setting.
Upstream Proxy Mode
Specifies whether the next hop is to a forward proxy server that supports Explicit forward proxy or Transparent forward proxy.
Username
Specifies the name of a user account on the proxy server. To use static credentials to authenticate the user at the next hop, provide the username and password.
Password
Specifies the password for the user account on the proxy server.

About Public File Sharing

The Public File Sharing agent can continuously check the peer-to-peer software on client endpoints on Windows, Mac, and Linux systems. The system ends the session if the result changes, and the client does not respond within five minutes.

About RADIUS Acct

A RADIUS Acct action reports user session information to an external RADIUS accounting server; it does not perform authentication.
A RADIUS Acct action provides these configuration elements and options:
AAA Server
Specifies the RADIUS server; servers are defined in the Access > Authentication area of the Configuration utility.
Username Source
Specifies the session variable name from which the RADIUS Accounting server should read the username. The default value is %{session.logon.last.username}.

About RADIUS Auth

A RADIUS Auth action authenticates a client against an external RADIUS server. A RADIUS Auth action provides these configuration elements and options.
When configured in a per-request policy subroutine, some screen elements and options described here might not be available.
AAA Server
Specifies the RADIUS accounting server; servers are defined in the Access > Authentication area of the Configuration utility.
Show Extended Error
When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended only for use in testing, in a production or debugging environment. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, displays non-comprehensive error messages generated by the authentication server on the user's logon page.)
Max Logon Attempts Allowed
Specifies the number of user authentication logon attempts to allow. A complete logon and password challenge and response is considered one attempt. The default value is 3. You can set this field to a value of 1-5.
For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.
Username Source
Specifies the session variable name from which the RADIUS agent should read the username. The default value is %{session.logon.last.username}.
Password Source
Specifies the session variable name from which the RADIUS agent should read the password. The default value is %{session.logon.last.password}.

About SAML Auth

The SAML Auth action authenticates against an external SAML Identity Provider (IdP). This action is for use when the BIG-IP system is configured as a SAML service provider and supports connections initiated at SAML service providers.
The SAML Auth action provides this configuration element:
AAA server
Specifies a local SP service that is associated with a SAML IdP. The local SP service configuration uniquely identifies the SP and specifies its security requirements.
IdPs are specified in SAML IdP connector configurations.
Attribute Consuming Service
Specifies the name of one of the attribute consuming services associated with the server. The index associated with the selected attribute consuming service is included in the SAML authentication request that is generated. The identity provider maps the index to the list of attributes derived from the metadata previously shared and returns those attributes in the SAML response. For example, the SP may include an Attribute Consuming Index in a SAML request to get the attributes of an authenticated user.
Force Authentication
Allows the SP to include the ForceAuthn flag in an Authentication request at runtime. The options are:
  • Enable
    - Overrides the Service Provider Force Authentication setting and always adds ForceAuthn=true to the Authentication request. Uses the Force Authentication setting on the Service Provider (Access > Federation > SAML Service Provider).
  • Disable
    - Overrides the Service Provider Force Authentication setting and always adds ForceAuthn=false to the Authentication request.
  • Use AAA server setting (the default)
    - Uses the same Force Authentication setting as the Service Provider (Access > Federation > SAML Service Provider).
  • Session variable setting
    - Specifies that you want to use a session variable to control the ForceAuthn flag included in the Authentication request.
Force Authentication Session Variable
When Force Authentication is set to Session variable setting, specifies a session variable that controls the value of the ForceAuthn flag included in the Authentication request, as follows.
  • If the session variable resolves to 1 at runtime, APM adds ForceAuthn=true to the Authentication request, overriding the Force Authentication setting on the Service Provider.
  • If the session variable resolves to 0 at runtime, APM adds ForceAuthn=false to the Authentication request, overriding the Force Authentication setting on the Service Provider.
  • If the session variable is not found at runtime or resolves to a value other than 1 or 0, then the Force Authentication setting on the Service Provider controls the behavior of the ForceAuthn flag included in the Authentication request.
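The Force Authentication decision above, as an added Python example that is not F5's code: resolve_force_authn applies the four options and the 1 / 0 / other rule to a constructed session-variable dictionary, and build_authn_request writes the result into a minimal SAML 2.0 AuthnRequest together with the Attribute Consuming Service index. The mode strings, the function names and the session variable name used in the comments are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, Optional

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def resolve_force_authn(mode: str, sp_setting: bool,
                        session_vars: Dict[str, str],
                        variable_name: Optional[str] = None) -> bool:
    """Return the ForceAuthn value the SP should send.

    mode models the Force Authentication options (these names are assumed):
      "enable"  - always ForceAuthn=true
      "disable" - always ForceAuthn=false
      "aaa"     - Use AAA server setting: whatever the SP object says
      "session" - Session variable setting: 1 -> true, 0 -> false,
                  missing or anything else -> the SP setting
    """
    if mode == "enable":
        return True
    if mode == "disable":
        return False
    if mode == "aaa":
        return sp_setting
    if mode == "session":
        name = (variable_name or "").strip()
        # Accept APM's %{session.x.y} reference syntax as well as a bare name.
        if name.startswith("%{") and name.endswith("}"):
            name = name[2:-1]
        value = session_vars.get(name)
        if value is not None:
            value = value.strip()
        if value == "1":
            return True
        if value == "0":
            return False
        # Not found, or neither 1 nor 0: the Service Provider setting wins.
        return sp_setting
    raise ValueError(f"unknown Force Authentication mode: {mode!r}")


def build_authn_request(request_id: str, issuer: str, force_authn: bool,
                        attribute_consuming_index: Optional[int] = None,
                        issue_instant: Optional[str] = None) -> str:
    """Build a minimal SAML 2.0 AuthnRequest carrying the resolved flag.

    Constructed for illustration: a real SP also signs the request and sets
    AssertionConsumerServiceURL, ProtocolBinding and NameIDPolicy.
    """
    if issue_instant is None:
        issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        # SAML 2.0 core: ForceAuthn="true" asks the IdP to re-authenticate the
        # user even if it already holds a valid session for that user.
        "ForceAuthn": "true" if force_authn else "false",
    })
    if attribute_consuming_index is not None:
        # The index from the Attribute Consuming Service setting described above.
        root.set("AttributeConsumingServiceIndex", str(attribute_consuming_index))
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def force_authn_from_request(xml_text: str) -> Optional[bool]:
    """Read ForceAuthn back out of an AuthnRequest (the IdP-side check)."""
    attr = ET.fromstring(xml_text).get("ForceAuthn")
    return None if attr is None else attr.strip().lower() in ("true", "1")
```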

About Server IP Subnet Match

This agent lets you create policy branch rules based on the subnet of the server.

About Server Port Match

This agent lets you create policy branch rules based on the server port number.

About SSO Configuration Select

The Select SSO Configuration agent enables per-request selection of an SSO configuration from these SSO configuration types:
  • HTTP Basic
  • NTLMv1
  • NTLMv2
  • Kerberos
The Select SSO Configuration agent provides these configuration elements and options:
SSO Configuration Name
Select an SSO configuration name from the list.

About System Health Agent

The System Health Agent action checks for health agent software on client systems. When this action includes checks for multiple health agent types, if one specified type matches the software on the client system, the action passes, regardless of other health agent conditions that are specified in the action.
A System Health Agent action provides these settings and options:
Platform
Specifies a platform. The default is Any. When a platform is selected, the Vendor ID and Product ID lists update to include the products and vendors that are supported for that platform according to the EPSEC package that is installed on the BIG-IP system.
A link to a report that includes the antivirus software that Access Policy Manager currently supports is available on the BIG-IP system Welcome page.
Vendor ID
Specifies a vendor ID (from the list of supported vendors) or Any.
Product ID
Specifies a product ID (from the list of supported products) or Any.
Version
Specifies a version; when specified, the System Health Agent action verifies the version of the software.
Policy Compliance
Specifies one of these values:
  • Enabled
    - when selected, the action verifies that the client is compliant with the health policy specified by the site administrator.
  • Disabled
    - when selected, the agent verifies that the client is out of compliance with the health policy specified by the site administrator.
  • Unspecified
    - when selected, the agent verifies the existence of the software only.

About URL Branching

The URL Branching action is useful for treating a few URLs differently from others. The action provides an Allow branch and a fallback branch. The URL Branching action provides these conditions for defining branch rules.
Equals
The URL must exactly match the specified URL.
Substring
The URL must contain the specified string.
Prefix Match
The URL must start with the specified string.
Suffix Match
The URL must end with the specified string.
Glob match
The URL must match the specified globbing pattern. These globbing patterns are supported:
  • *
    Matches any number of characters (none or one or more).
  • ?
    Matches a single character in these sets: [a-z] or [0-9] or [A-Za-z].
  • [characters]
    Matches one of the specified characters.
  • [^characters]
    Matches any characters except for those specified.
  • [!characters]
    Matches any characters except for those specified.
To match many URLs, you might consider configuring URL categories in the Access > Secure Web Gateway area of the product and using Category Lookup in your per-request policy.
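As an added illustration (not F5 code), the following Python models the URL Branching conditions listed above, including a translation of the documented glob constructs into a regular expression; the rules and URLs are constructed samples, and the '?' wildcard follows the documented character sets rather than shell glob semantics.

```python
import re

def glob_to_regex(pattern: str) -> str:
    """Translate the documented glob syntax into an anchored regex: '*' any run of
    characters (none or more), '?' one character from [a-z], [0-9] or [A-Za-z],
    '[chars]' one listed character, '[^chars]' / '[!chars]' any character not listed."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append("[A-Za-z0-9]")
        elif c == "[":
            end = pattern.find("]", i + 1)
            body = pattern[i + 1:end] if end != -1 else ""
            negate = body[:1] in ("^", "!")
            body = body[1:] if negate else body
            if body:  # a usable character class; escape regex-significant characters
                body = body.replace("\\", "\\\\").replace("]", "\\]").replace("[", "\\[")
                out.append("[" + ("^" if negate else "") + body + "]")
                i = end
            else:     # "[" with no closing class: treat it as a literal character
                out.append(re.escape(c))
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"

# The five conditions the URL Branching action offers, mapped to the check each performs.
CONDITIONS = {
    "Equals":       lambda url, value: url == value,
    "Substring":    lambda url, value: value in url,
    "Prefix Match": lambda url, value: url.startswith(value),
    "Suffix Match": lambda url, value: url.endswith(value),
    "Glob match":   lambda url, value: re.fullmatch(glob_to_regex(value), url) is not None,
}

def url_branch(url: str, rules) -> str:
    """First matching (condition, value) rule takes the Allow branch; otherwise fallback."""
    for condition, value in rules:
        if CONDITIONS[condition](url, value):
            return "Allow"
    return "fallback"

# Constructed sample rules (not from the manual) exercising the glob constructs.
SAMPLE_RULES = [
    ("Equals", "https://intranet.example.com/status"),
    ("Glob match", "https://*.example.com/api/v?/*"),
    ("Glob match", "*/report[^0-9].pdf"),
]
```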

About Variable Assign

The Variable Assign action can include one or more entries. An entry specifies a variable and assigns a value to it.
Figure: A variable assign entry screen as it displays initially (2-pane screen: custom variable in left pane and custom expression in right pane).
In the entry screen, the variable is specified in the left pane and the value is specified in the right pane.
A Variable Assign action provides these configuration elements and options for the variable:
Custom Variable
Specifies a variable name. It can be any name including the name of a session variable or the name of a perflow variable.
For a per-session policy, when the policy runs it recognizes only existing perflow variables.
Predefined Variables
Specifies a predefined session variable or perflow variable name, which must be selected from the Variable list. The type of variable (session or perflow) that is available for selection depends on the selected Group: Per-Session Variables or Per-Request Variables.
For Per-Request Variables, the Scratchpad, Custom, and Primary Category perflow variables are available for use in the per-request policy and in per-request policy subroutines. You can, for example, pass the value of a session variable into the per-request policy in one of these variables.
Unsecure or Secure
Specifies whether the variable is secure. A secure variable is stored in encrypted form in the session database. The value of a secure variable is not displayed in the session report, or logged by the logging agent.
A Variable Assign action provides these configuration elements and options for the value:
Custom Expression
Specifies a Tcl expression. The result of the expression is used as the value.
AAA attribute
Specifies the name of the attribute that contains the value:
  • Agent Type
    - specifies the type of AAA server: AD, LDAP, or RADIUS.
  • Attribute Type
    - specifies the attribute type to use depending on the agent type:
    • Use user's attribute
      - for AD agent.
    • Use user's primary group attribute
      - for AD agent.
    • Use LDAP attribute
      - for LDAP agent.
    • Use RADIUS attribute
      - for RADIUS agent.
  • Agent type attribute name
    - specifies the name of the attribute that contains the value.
Text
Specifies a text string to use as the value. The text entered in this field is used as is.
Session Variable
Specifies the name of a session variable from which to get the value.