Manual Chapter: Per-Request Policy Examples for APM and APM+LTM

Applies To:

BIG-IP APM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

URL filter per user group example

Each URL Filter Assign item in this per-request policy example should specify a filter that is applicable to the user group.

Group lookup followed by branches for specific groups and a URL filter assignment for each.

URL filter based on group membership

Access control by date, time, and user group example

This per-request policy example applies specific URL filters for weekends and weeknights, and restricts access during work hours based on user group.

Policy that restricts access except for weekends, after hours, and sales group

Deny or allow access based on date and time and group membership

Custom category-specific access control example

In this per-request policy example, only recruiters are allowed to access URLs in the custom category Employment. The policy also restricts access to entertaining videos during business hours.

Category-specific access restrictions (using custom categories)

Application lookup and filter example

Application lookup and application filter assign in a per-request policy

Application access control by application family, application name, and application filter

1. A user-defined branch for the instant messaging application family.
2. A user-defined branch for a specific application.
3. The default fallback branch, on which an application filter is applied. Application Filter Assign needs the information provided by Application Lookup.

Additional authentication subroutine example

Per-request policy with subroutine for additional authentication

Note: A Loop terminal provides the user with multiple logon attempts. The subroutine exits on the Loop terminal only if no authentication attempt succeeds.

SSL bypass example

This example is for use in an SSL forward proxy configuration. In it, a per-request policy bypasses all SSL traffic from users in the Directors group. For other users, the policy bypasses SSL traffic only if it falls into a category that raises privacy concerns, such as one in which financial data might be accessed. After a determination about whether to bypass or intercept SSL traffic is complete, the policy can then move from processing HTTPS data to processing the HTTP data in the SSL payload.

Policy with Protocol Lookup, Group Lookup, Category Lookup, and SSL Bypass Set

SSL bypass decision based on group membership and URL category

1. For directors, do not intercept and inspect any SSL request. To bypass the traffic, use the SSL Bypass Set item.
2. To use Category Lookup to process HTTPS traffic, you must configure it to use SNI or Subject.CN input.
3. For users that are not in the Directors group, do not intercept and inspect SSL requests that contain private information. Bypass the traffic by inserting the SSL Bypass Set item.
4. After the policy completes HTTPS processing, you can start to process HTTP data. Continue with actions, such as URL Filter Assign or Application Lookup, that inspect the SSL payload. The URL Filter Assign item determines whether to allow, block, or confirm traffic.

(For this example to be valid, both the server and client SSL profiles on the virtual server must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to Intercept.)
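
The branch order in the SSL bypass example can be checked against expected outcomes with a small Python model. This is an added illustration, not BIG-IP configuration or F5 code. The category names, host table, URL filter contents, and the rule that bypassed traffic receives no URL filter action are assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumption: categories treated as privacy-sensitive (constructed names).
PRIVACY_CATEGORIES = {"Financial Data and Services"}
# Assumption: constructed host-to-category table standing in for Category Lookup.
CATEGORY_BY_HOST = {
    "bank.example": "Financial Data and Services",
    "video.example": "Entertainment",
}
# Assumption: constructed URL filter; categories not listed are allowed.
URL_FILTER = {"Entertainment": "block"}


@dataclass
class Request:
    protocol: str                      # "https" or "http" (Protocol Lookup)
    groups: set = field(default_factory=set)
    host: Optional[str] = None         # SNI for HTTPS, Host header for HTTP


def category_lookup(host):
    """Return the category for a host name, or None when it is unknown."""
    return CATEGORY_BY_HOST.get(host) if host else None


def evaluate(req):
    """Return (ssl_action, url_action) following the policy's branch order."""
    if req.protocol == "https":
        # Callout 1: directors are bypassed regardless of destination.
        if "Directors" in req.groups:
            return ("bypass", None)
        # Callouts 2-3: category comes from SNI; only privacy categories bypass.
        # A missing or unknown SNI yields None, so the request is intercepted.
        if category_lookup(req.host) in PRIVACY_CATEGORIES:
            return ("bypass", None)
        ssl_action = "intercept"       # matches the default bypass action
    else:
        ssl_action = None              # plain HTTP: no SSL decision to make
    # Callout 4: the payload is readable now, so a URL filter can be applied.
    return (ssl_action, URL_FILTER.get(category_lookup(req.host), "allow"))
```

A request with no SNI falls through to interception in this model, which is the case to verify on a real deployment, because Category Lookup has no input to classify.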