Applies To: BIG-IP APM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
About per-request policy items
When configuring a per-request policy, a few access policy items are available for inclusion in the policy. Most per-request policy items are unique to a per-request policy.
About Protocol Lookup
A Protocol Lookup item determines whether the protocol of the request is HTTP or HTTPS.
About SSL Intercept Set
In a per-request policy, the SSL Intercept Set item sets the SSL bypass action to Intercept. Including this item early in the policy ensures that SSL traffic is not bypassed until the policy reaches an SSL Bypass Set item.
A default action for SSL bypass (intercept or bypass) is specified in the client SSL profile.
The SSL Intercept Set item provides a read-only element, Action, that specifies the Intercept option.
About Category Lookup
A Category Lookup item looks up URL categories for a request and obtains a web response page.
The Category Lookup item provides these elements and options.
- Categorization Input
- The list specifies these options:
- Use HTTP URI (cannot be used for SSL Bypass decisions): For HTTP traffic, this option specifies performing a URL-based lookup. When selected, the SafeSearch Mode setting displays.
- Use SNI in Client Hello (if SNI is not available, use Subject.CN): For HTTPS traffic, this option specifies performing a host-based lookup.
- Use Subject.CN in Server Cert: For HTTPS traffic, this option specifies performing a host-based lookup.
- SafeSearch Mode
- The options are Enabled (default) and Disabled. When enabled, SWG enables Safe Search for supported search engines.
- Category Lookup Type
- Select the category types in which to search for the requested URL. Options are:
- Select one from Custom categories first, then standard categories if not found
- Always process full list of both custom and standard categories
- Process standard categories only
- Reset on Failure
- When enabled, specifies that SWG send a TCP reset to the client in the event of a server failure.
About Response Analytics
A Response Analytics item inspects a web response page for malicious embedded contents. Response Analytics must be preceded by a Category Lookup item because it obtains a web response page.
Response Analytics provides these elements and options.
- Max Buffer Size
- Specifies the maximum amount of response data (in bytes) to collect before sending it for content scanning. The system sends the content for analysis when the buffer reaches this size or when the buffer contains all of the response content. Otherwise, the system retains the response data in the buffer.
- Max Buffer Time
- Specifies the maximum amount of time (in seconds) to retain response data in the buffer. If this time elapses, the system does not send the content for analysis. If the URL is allowed, the system sends the content to the client; otherwise, the system sends a block page or block image to the client.
- Exclude Types
- Specifies one entry for each type of content to be excluded from content analysis. Images (the All-Images type) are not analyzed.
- Reset on Failure
- When enabled, specifies that SWG send a TCP reset to the client in the event of a server failure.
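The Max Buffer Size and Max Buffer Time settings interact: the buffered response is scanned when it fills to the size limit or completes, but if the time limit elapses first the content is never analyzed and is released on the URL filter decision alone. The following Python model is an added example, not F5 code; the class name, the outcome strings, and the chunk sizes and timestamps are constructed to illustrate those three paths.

```python
"""Added example (not F5 code): models the Max Buffer Size / Max Buffer Time
decision described for the Response Analytics item. Class and outcome names are
hypothetical; thresholds, chunk sizes and timestamps are constructed values."""


class ResponseBuffer:
    """Collects response data until it is scanned or the time limit expires.

    Outcomes returned by feed():
      "buffering" - keep collecting response data
      "scan"      - buffer reached Max Buffer Size or holds the whole response;
                    send it for content analysis
      "unscanned" - Max Buffer Time elapsed; content is NOT analyzed and is
                    released according to the URL filter decision alone
    """

    def __init__(self, max_buffer_size, max_buffer_time):
        self.max_size = max_buffer_size      # bytes
        self.max_time = max_buffer_time      # seconds
        self.data = bytearray()
        self.first_seen = None
        self.decided = None

    def feed(self, chunk, now, complete=False):
        """Add one chunk of response data observed at time 'now' (seconds)."""
        if self.decided:
            return self.decided
        if self.first_seen is None:
            self.first_seen = now
        # Time limit is checked first: once it has elapsed, nothing is scanned.
        if now - self.first_seen > self.max_time:
            self.decided = "unscanned"
            return self.decided
        self.data.extend(chunk)
        if len(self.data) >= self.max_size or complete:
            self.decided = "scan"
            return self.decided
        return "buffering"


def client_outcome(buffer_result, url_allowed, scan_verdict=None):
    """What the client receives, given the buffer decision and the URL filter result.

    scan_verdict is the analysis result ("clean" or "malicious") when scanning ran.
    """
    if buffer_result == "unscanned":
        # Per the page: allowed URL -> content is forwarded; otherwise block page/image.
        return "forward" if url_allowed else "block_page"
    if buffer_result == "scan":
        if not url_allowed or scan_verdict == "malicious":
            return "block_page"
        return "forward"
    return "pending"


def simulate(chunks, max_size, max_time):
    """Replay constructed (timestamp, bytes, is_last) chunks through the buffer.

    Returns (decision, bytes_buffered_at_decision).
    """
    buf = ResponseBuffer(max_size, max_time)
    result = "buffering"
    for ts, data, last in chunks:
        result = buf.feed(data, ts, complete=last)
        if result != "buffering":
            break
    return result, len(buf.data)


if __name__ == "__main__":
    # Constructed: three 4000-byte chunks within 1 s against a 10000-byte limit
    print(simulate([(0.0, b"a" * 4000, False), (0.5, b"b" * 4000, False),
                    (1.0, b"c" * 4000, False)], 10000, 5))
    # Constructed: slow response, second chunk arrives after the 5 s limit
    print(simulate([(0.0, b"a" * 100, False), (9.0, b"b" * 100, False)], 10000, 5))
```

The `unscanned` path is the one to watch when tuning these values: a response that trickles in more slowly than Max Buffer Time reaches the client without content analysis if its URL is allowed, so the time limit should be set against realistic response latency rather than as small as possible.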
About SSL Bypass Set
The SSL Bypass Set item sets the SSL bypass action to Bypass in a per-request policy. (A default action, intercept or bypass, for SSL bypass is specified in the client SSL profile.)
The SSL Bypass Set item provides a read-only element, Action, that specifies the Bypass option.
About URL Filter Assign
A URL Filter Assign item determines whether to block or allow a request. A Category Lookup item must precede URL Filter Assign to provide categories. The URL Filter Assign item looks up the filter action for each category found for the request. If any filter action is set as Block, the request is blocked. The URL filter item also uses the analysis from the Response Analytics item, if used, to determine whether to block or allow the request.
A URL Filter Assign item provides the URL Filter element, a list of filters from which to select.
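The Category Lookup Type chosen earlier in the policy changes which categories URL Filter Assign sees, and because any Block action wins, the same request can be allowed under one lookup type and blocked under another. The following Python model is an added example, not F5 code: the category databases, the filter actions and the hostnames are constructed sample data, and the handling of a category absent from the filter (`default_action`) is an assumption this page does not specify.

```python
"""Added example (not F5 code): models the three Category Lookup Type options and
the URL Filter Assign rule that any category set to Block blocks the request.
Category data, filter actions and hostnames are constructed sample values."""
from urllib.parse import urlparse

# Constructed sample category databases (real SWG uses its own category data).
CUSTOM_CATEGORIES = {
    "intranet.example.test": ["Corporate Intranet"],
    "partner.example.test": ["Business Partners", "Uncategorized"],
}
STANDARD_CATEGORIES = {
    "partner.example.test": ["Business and Economy"],
    "gambling.example.test": ["Gambling"],
}

# Constructed URL filter: category -> filter action.
# "Uncategorized" is deliberately absent to show default handling.
URL_FILTER = {
    "Corporate Intranet": "Allow",
    "Business Partners": "Allow",
    "Business and Economy": "Block",
    "Gambling": "Block",
}


def lookup_categories(url, lookup_type):
    """Return the categories for a URL under one of the page's lookup types.

    lookup_type: "custom_first", "full_list" or "standard_only" (hypothetical
    names standing in for the three options listed under Category Lookup Type).
    """
    host = urlparse(url).hostname or ""
    custom = CUSTOM_CATEGORIES.get(host, [])
    standard = STANDARD_CATEGORIES.get(host, [])
    if lookup_type == "custom_first":
        # Custom categories first, standard categories only if none found.
        return list(custom) if custom else list(standard)
    if lookup_type == "full_list":
        # Always process the full list of both custom and standard categories.
        return list(custom) + [c for c in standard if c not in custom]
    if lookup_type == "standard_only":
        return list(standard)
    raise ValueError(f"unknown lookup type: {lookup_type}")


def url_filter_assign(categories, url_filter, default_action="Allow",
                      response_analytics_verdict=None):
    """Return ("Block", reason) or ("Allow", None).

    default_action is an assumption for categories missing from the filter;
    response_analytics_verdict ("malicious"/"clean"/None) models the optional
    input from a preceding Response Analytics item.
    """
    for cat in categories:
        if url_filter.get(cat, default_action) == "Block":
            return "Block", f"category '{cat}' is set to Block"
    if response_analytics_verdict == "malicious":
        return "Block", "Response Analytics flagged embedded content"
    return "Allow", None


def evaluate_request(url, lookup_type, url_filter=URL_FILTER):
    """Category Lookup followed by URL Filter Assign; returns the decision only."""
    return url_filter_assign(lookup_categories(url, lookup_type), url_filter)[0]


if __name__ == "__main__":
    for lt in ("custom_first", "full_list", "standard_only"):
        print(lt, evaluate_request("https://partner.example.test/report", lt))
```

Run as shown, the partner site is allowed under the custom-first lookup (only the custom categories are consulted) but blocked under the full-list lookup, where the standard category with a Block action is also returned.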
About Dynamic Date Time
The Dynamic Date Time action enables branching based on the day, date, or time on the server. It provides two default branch rules:
- Weekend
- Defined as Saturday and Sunday.
- Business Hours
- Defined as 8:00am to 5:00pm.
The Dynamic Date Time action provides these conditions for defining branch rules.
- Time From
- Specifies a time of day. The condition is true at or after the specified time.
- Time To
- Specifies a time of day. This condition is true before or at the specified time.
- Date From
- Specifies a date. This condition is true at or after the specified date.
- Date To
- Specifies a date. This condition is true before or at the specified date.
- Day of Week
- Specifies a day. The condition is true for the entire day (local time zone).
- Day of Month
- Specifies the numeric day of month. This condition is true for this day every month (local time zone).
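The conditions above are inclusive at both ends (Time From is true at or after, Time To is true before or at), which matters at the boundaries of the default Business Hours rule. The following Python evaluator is an added example, not F5 code: it reproduces the six conditions against a server-local timestamp and the two default branch rules, and assumes that a rule's conditions are combined with AND and that rules are tried top to bottom with the first match taken, neither of which this page states.

```python
"""Added example (not F5 code): evaluates the Dynamic Date Time conditions and
the default Weekend / Business Hours branch rules against a server-local
timestamp. Rule combination (AND within a rule, first match wins across rules)
is an assumption; the timestamps used below are constructed."""
from datetime import datetime, date, time

# Each condition maps to a predicate over (timestamp, configured value).
# All bounds are inclusive, as described on the page.
CONDITIONS = {
    "Time From":    lambda ts, v: ts.time() >= v,       # at or after the time
    "Time To":      lambda ts, v: ts.time() <= v,       # before or at the time
    "Date From":    lambda ts, v: ts.date() >= v,       # at or after the date
    "Date To":      lambda ts, v: ts.date() <= v,       # before or at the date
    "Day of Week":  lambda ts, v: ts.strftime("%A") in v,   # whole day, local tz
    "Day of Month": lambda ts, v: ts.day in v,          # this day every month
}


def rule_matches(ts, conditions):
    """True when every condition of the rule holds (AND); ts is naive server-local time."""
    return all(CONDITIONS[name](ts, value) for name, value in conditions.items())


# The two default branch rules from the page, expressed as conditions.
DEFAULT_RULES = [
    ("Weekend", {"Day of Week": {"Saturday", "Sunday"}}),
    ("Business Hours", {"Time From": time(8, 0), "Time To": time(17, 0)}),
]


def dynamic_date_time_branch(ts, rules=DEFAULT_RULES, fallback="fallback"):
    """Return the name of the first matching branch rule, or the fallback branch."""
    for name, conditions in rules:
        if rule_matches(ts, conditions):
            return name
    return fallback


def change_freeze_branch(ts):
    """Hypothetical extra rule combining date and day conditions: a freeze window
    over the constructed dates 2024-12-20..2025-01-03 on working days only."""
    rules = [("Change Freeze", {
        "Date From": date(2024, 12, 20),
        "Date To": date(2025, 1, 3),
        "Day of Week": {"Monday", "Tuesday", "Wednesday", "Thursday", "Friday"},
    })] + DEFAULT_RULES
    return dynamic_date_time_branch(ts, rules)


if __name__ == "__main__":
    # Constructed server-local timestamps: 2024-01-06 is a Saturday, 2024-01-08 a Monday.
    for ts in (datetime(2024, 1, 6, 10, 0), datetime(2024, 1, 8, 17, 0),
               datetime(2024, 1, 8, 17, 0, 1), datetime(2024, 1, 8, 7, 59)):
        print(ts, "->", dynamic_date_time_branch(ts))
```

Note that 17:00:00 still falls inside Business Hours while 17:00:01 does not, and that the evaluation uses the server's own clock and time zone, so a policy that is meant to follow users in other time zones needs rules written for the server's local time.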
About AD Group Lookup
An AD Group Lookup item compares a specified string against the session.ad.last.attr.primaryGroupID session variable. The specified string is configurable in a branch rule.
The default simple branch rule expression is User's Primary Group ID is 100. The specified string, 100, should be replaced with a group name specific to the Active Directory configuration at the user site.
About LDAP Group Lookup
An LDAP Group Lookup item compares a specified string against the session.ldap.last.attr.memberOf session variable. The specified string is configurable in a branch rule. The default simple branch rule expression is User is a member of CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN; the values MY_GROUP, USERS, and MY_DOMAIN must be replaced with values used in the LDAP group configuration at the user site.
About LocalDB Group Lookup
A per-request policy LocalDB Group Lookup item compares a specified string against a specified session variable.
The string is specified in a branch rule of the LocalDB Group Lookup item. The default simple branch rule expression is User is a member of MY_GROUP. The default advanced rule expression is expr { [mcget {session.localdb.groups}] contains "MY_GROUP" }. In either the simple or the advanced rule, the variable, MY_GROUP, must be replaced with a valid group name.
The session variable must initially be specified and populated by a Local Database action in the access policy. A Local Database action reads groups from a local database instance into a user-specified session variable. It can be session.localdb.groups (used by default in the LocalDB Group Lookup advanced rule expression) or any other name. The same session variable name must be used in the Local Database action and the LocalDB Group Lookup advanced rule expression.
About RADIUS Class Lookup
The RADIUS Class Lookup access policy item compares a user-specified class name against the session.radius.last.attr.class session variable. The specified class name is configurable in a branch rule.
The default simple branch rule expression is RADIUS Class attribute contains MY_CLASS. The variable MY_CLASS must be replaced with the name of an actual class.
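The four lookup items above all compare a configured string against a session variable, but the default expressions differ in operator: the AD rule tests equality (User's Primary Group ID is ...), while the LDAP, LocalDB and RADIUS rules use contains. The following Python model is an added example, not F5 code: the session variable names are the ones this page lists, their contents are constructed sample values, and contains is modelled as a plain substring test (an assumption; the page does not say whether the APM operator treats the variable as a delimited list). An exact-token alternative is included to show why that distinction matters when group names share a prefix.

```python
"""Added example (not F5 code): evaluates the default branch rule expressions of
the AD, LDAP, LocalDB and RADIUS lookup items against a constructed session.
Variable names come from the page; values are made up. 'contains' is modelled
as a substring test, which is an assumption about the APM operator."""

# Constructed session variables (names from the page, values constructed).
SESSION = {
    "session.ad.last.attr.primaryGroupID": "513",
    "session.ldap.last.attr.memberOf":
        "CN=Admins,CN=Users,DC=example,DC=test | "
        "CN=VPN-Users,CN=Users,DC=example,DC=test",
    "session.localdb.groups": "Contractors Finance-Admins",
    "session.radius.last.attr.class": "OU=Finance;Class=Staff",
}


def mcget(session, name):
    """Stand-in for the Tcl [mcget {...}] call: read a session variable (empty if unset)."""
    return session.get(name, "")


def ad_group_lookup(session, group_id):
    """Default simple rule 'User's Primary Group ID is <value>': an equality test."""
    return mcget(session, "session.ad.last.attr.primaryGroupID") == group_id


def ldap_group_lookup(session, group_dn):
    """Default rule 'User is a member of <DN>' against memberOf, as a contains test."""
    return group_dn in mcget(session, "session.ldap.last.attr.memberOf")


def localdb_group_lookup(session, group, variable="session.localdb.groups"):
    """Models: expr { [mcget {session.localdb.groups}] contains "MY_GROUP" }.

    'variable' must match the session variable populated by the Local Database
    action, as the page requires; session.localdb.groups is the page's default.
    """
    return group in mcget(session, variable)


def radius_class_lookup(session, class_name):
    """Default rule 'RADIUS Class attribute contains <value>'."""
    return class_name in mcget(session, "session.radius.last.attr.class")


def localdb_group_lookup_exact(session, group, variable="session.localdb.groups",
                               sep=None):
    """Hypothetical exact-token alternative to the substring test.

    Splits the variable on 'sep' (whitespace by default, a constructed format)
    so that 'Admins' does not match a group named 'Finance-Admins'.
    """
    return group in mcget(session, variable).split(sep)


if __name__ == "__main__":
    print("AD 513:", ad_group_lookup(SESSION, "513"))
    print("LDAP Admins:", ldap_group_lookup(SESSION, "CN=Admins,CN=Users,DC=example,DC=test"))
    print("LocalDB contains 'Admins':", localdb_group_lookup(SESSION, "Admins"))
    print("LocalDB exact 'Admins':", localdb_group_lookup_exact(SESSION, "Admins"))
    print("RADIUS Staff:", radius_class_lookup(SESSION, "Staff"))
```

With the constructed values, the substring form of the LocalDB rule reports membership in "Admins" because the variable holds "Finance-Admins", while the exact-token form does not. When naming groups used in these rules, prefer names that are not prefixes or substrings of one another so that a contains test cannot match more than intended.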
About per-request policy endings
An ending provides a result for a per-request policy branch. An ending for a per-request policy branch is one of two types.
- Allow
- Allows the user to continue to the requested URL. Typically, you assign this when the requested URL passes specific checks.
- Reject
- Blocks the user from continuing to the requested URL. Typically, you assign this when the requested URL fails specific checks. When the per-request policy terminates on a Reject ending, the access policy displays a URL filter denied web page.