Manual Chapter : Access Policies

Applies To:


BIG-IQ Centralized Management

  • 7.1.0

Access Policies

About per-session and per-request policies

Access in BIG-IQ Centralized Management provides two types of policies.
Per-session policy
    The per-session policy runs when a client initiates a session. Depending on the actions you include in the access policy, it can authenticate the user and perform other actions that populate session variables with data for use throughout the session.
Per-request policy
    After a session starts, a per-request policy runs each time the client makes an HTTP or HTTPS request. A per-request policy can include a subroutine, which starts a subsession. Multiple subsessions can exist at one time.
One per-session policy and one per-request policy are specified in a virtual server.

About access policies

In an access policy, you define the criteria for granting access to various servers, applications, and other resources on your network. An access policy can be either a per-session policy or a per-request policy. You create an access policy by creating an access profile, which automatically creates a blank access policy. Every access profile has an access policy associated with it. You configure that access policy through the access profile, using the Visual Policy Editor.

View an access policy

After you've imported a device, you can view the access policies that are configured on it. An access policy is either a per-session policy or a per-request policy. In either case, an access policy is made up of policy items, such as Start, Logon, Deny, and macros. A macro is a sub-policy with a beginning, one or more policy items, and one or more endings.
These policies are deployed to all the devices in the Access group. You can view the properties of the actions and the flow of actions in the policy.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. On the left, expand Profiles / Policies, then click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies (Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  4. Select an access policy.
    The VPE screen opens.
  5. Use the vertical and horizontal scrollbars to move to another section of the policy.
  6. To save your changes, click the Save button.
  7. To close the screen, click the Close button.

Create an access profile and per-session policy

You must create an access profile and its accompanying per-session policy before you can configure it in the visual policy editor.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group to which you want to add an access profile.
    A new screen displays the group's properties.
  3. On the left, expand Profiles / Policies and click Per-Session Policies.
    The Per-Session Policies (Shared) screen opens, displaying a list of access policies associated with this Access group.
  4. Click Create.
    The New Access Policy screen opens.
  5. In the Name field, type a name for the access profile.
    An access profile name must be unique among all access profile names and all per-request policy names.
  6. From the Profile Type list, select one of these options:
    • LTM-APM: Select for a web access management configuration.
    • SSL-VPN: Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • ALL: Select to support LTM-APM and SSL-VPN access types.
    • SSO: Select to configure matching virtual servers for Single Sign-On (SSO). No access policy is associated with this type of access profile.
    • RDG-RAP: Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
    • SWG - Explicit: Select to configure access using Secure Web Gateway explicit forward proxy.
    • SWG - Transparent: Select to configure access using Secure Web Gateway transparent forward proxy.
    • System Authentication: Select to configure administrator access to the BIG-IP system (when using APM as a pluggable authentication module).
    • Identity Service: Used internally to provide identity service for a supported integration. Only APM creates this type of profile. You can edit Identity Service profile properties.
    Depending on licensing, you might not see all of these profile types.
    Additional settings display.
  7. From the Scope list, retain the default value or select another.
    • Profile: Gives a user access only to resources that are behind the same per-session profile. This is the default value.
    • Virtual Server: Gives a user access only to resources that are behind the same virtual server.
    • Global: Gives a user access to resources behind any per-session profile that has global scope.
  8. In the Language Settings area, add and remove accepted languages, and set the default language. This setting does not display if the profile type is RDG-RAP.
    A browser uses the highest-priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  9. To save and display the policy diagram, click the Save & Close button.
The policy name appears on the Per-Session Policies (Shared) screen.

Create a per-request policy

You must create a per-request policy before you can configure it in the visual policy editor.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. On the left, expand Profiles / Policies and click Per-Request Policies.
    The Per-Request Policies (Shared) screen opens, displaying a list of access policies associated with this Access group.
  4. Click Create.
    The Create per-req policy screen opens.
  5. In the Name field, type a name for the policy and click Save.
    A per-request policy name must be unique among all per-request policy names and all access profile names.
The policy name appears on the Per-Request Policies (Shared) screen.

Edit an access policy

You can edit an existing access policy using the Access Visual Policy Editor (VPE) if the policy items are actions, endings, or macro calls. Although Start and In are policy items, you cannot edit them. You can undo any edited actions, and if you cancel an editing session before saving, the Policy Editor makes no changes to the policy. However, some actions or objects cannot be undone or discarded. These include the following:
  • Creating a per-session policy macro.
  • Creating a per-request policy macro, subroutine, or subroutine macro.
  • Creating new endings or terminals.
  • Deleting endings or terminals.
  • Changing macro or subroutine properties.
  • Modifying any policy ending or macro terminal.
These actions cannot be undone, even when there are pending diagram changes.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group that interests you.
    A new screen displays the Access group properties.
  3. On the left, expand Profiles / Policies, then click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies (Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  4. Select an access policy.
    The VPE screen opens.
  5. Modify the policy by clicking the diagram to insert new items, modify existing items, delete items, or change endings.
    • Undo returns you to the access policy as it was before your most recent change.
    • Redo allows you to redo an action you have undone.
    • Revert returns the access diagram to the state before you made any changes to the diagram.
  6. Click Save.
    Saving the policy saves all changes in the policy diagram, including all workflows and modified macros. You can also discard pending changes and macros by clicking Discard.

Add a policy item

You can add a policy item using the Access Visual Policy Editor (VPE).
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group that interests you.
    A new screen displays the Access group properties.
  3. On the left, expand Profiles / Policies, then click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies (Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  4. Select an access policy.
    The VPE screen opens.
  5. Move your mouse over a policy branch, depicted by the blue line.
    An add icon (+) displays.
  6. Click the (+) icon.
    The Item Insertion Selection popup screen opens.
  7. From the selection list on the left, select the type of policy item, for example Logon or Authentication.
    The screen displays a list of policy items on the right.
  8. From either the Caption or the Description list, select a policy item.
    Another popup screen with properties and branch rules opens.
  9. On the Properties tab, modify or fill in the fields.
  10. To add a new branch rule or select an existing rule from the list, on the Branch Rules tab, click Add.
  11. Click either Simple or Advanced, and modify the branch rule.
  12. Click the Save button.
The policy item displays in the VPE at the location on the policy branch where you clicked the add icon (+).

Add an action item or macro-call to a policy

You can modify an existing policy or sub-policy by adding action items and macro-calls. When modifying a sub-policy, such as a macro, all diagram operations (insertions, deletions, modifications, and branch swaps) work the same way as they do in the policy itself.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. On the left, expand Profiles / Policies, then click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies (Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  4. Select an access policy.
    The VPE screen opens. The macros that you can insert are listed in the Insertion dialog that displays when you click the + button.
  5. Hover your cursor over a branch line between two items.
    An add icon (+) displays.
  6. Click the + icon.
    The Item Insertion Selection popup screen opens.
  7. From the Item Insertion Selection screen, select a macro or an action item.
    A new screen opens if you select an action item.
  8. Fill in the relevant parameters and fields.
  9. Click Branch Rules.
  10. Click Add.
    The Branch Rules popup section displays more settings.
  11. On the left, select either Simple or Advanced to create a branch rule configuration.
  12. Fill in the relevant parameters and fields.
  13. Click OK.
    The new branch rule displays in the Branch Rules screen.
  14. Click the Save button.
    The Save button is only enabled if the form is valid.
The access policy now includes the new action item.

Swap policy branches

When examining the policy workflow, you can swap one branch with another. Swapping branches is an easy way to change the policy workflow without deleting the existing branches and creating new ones. Swapping branches does not change the order of the branch rules, only the destinations of the two branches involved in the swap. When moving a branch, a highlighted bold blue line indicates that the swap is allowed. You cannot swap a branch between an agent's upstream branches and its downstream branches.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. On the left, expand Profiles / Policies, then click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies (Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  4. Select an access policy.
    The VPE screen opens.
  5. Click a branch and hold your mouse button.
  6. Drag the branch up or down.
    A red dotted line previews where the branch ends up.
  7. Release your mouse button.
    The VPE displays the access policy with the swapped branches.
  8. Click the Save button when you are done editing the policy.

About timeouts and crashes

During an editing session, if you remain inactive for a prolonged period of time, the session times out. At other times, the browser might freeze. In either case, you might have to terminate an editing session prematurely without a chance to save your changes. However, regardless of why you had to terminate a session, BIG-IQ® Centralized Management saves a draft of the policy, and saves any unsaved macro, each time you make a modification. The next time you log in, locate the policy and open the editing screen. The system notifies you that an unsaved draft exists, and prompts you to select whether you want to continue editing the draft or start over.
The system saves the change history in the draft, so actions such as Undo and Redo work for all changes you made before the session was interrupted. Lastly, if someone else was the previous editor, you can see that user and the time of the last edit. This allows you to choose whether or not to resume that person's editing session.

Per-Session and per-request policy comparison

The table summarizes per-session policy and per-request policy similarities and differences, listing each feature with the behavior of the per-session policy and of the per-request policy.
Supports macros
    Per-session policy: Yes
    Per-request policy: Yes
Requires that users click an Apply Access Policy link to go into effect
    Per-session policy: Yes
    Per-request policy: No
When run
    Per-session policy: At session start.
    Per-request policy: After the session is created, on every request.
Policy ending types
    Per-session policy: Allow, Deny, Redirect; endings apply to the session.
    Per-request policy: Allow, Redirect, Reject; endings apply to URL requests processed in the per-request policy. A Reject ending triggers the Deny ending in the access policy.
Supports variables
    Per-session policy: Creates session variables that are available throughout a session.
    Per-request policy: Reads available session variables. Creates per-flow variables that are available only while the per-request policy runs.