Applies To:

Show Versions Show Versions

Manual Chapter: Updates
Manual Chapter
Table of Contents   |   Next Chapter >>

What is new in APM reports

Disable writing to local log database

A new setting, Write to Local Database on the Report Preferences screen, enables you to stop writing logs to the local log database. By default, this setting is selected. If you clear it, APM reports are empty or contain only data written previously to the local database.

Bad IP Reputation Sessions report

A new report displays a summary view of sessions for IP addresses that are present in the IP intelligence database. The IP intelligence database is populated only when IP intelligence is enabled on your system.

IP Reputation column in reports

A report column specifies the reputation of the IP address that initiated the session. The column displays Unknown when IP intelligence is not enabled on the BIG-IP system.

View Session Details displays logged session variables for inactive sessions

When you click the View Session Detail link from the All Sessions report, a tab opens to display a hierarchy of session variables for active sessions. For inactive sessions, the View Session Details tab displays a list with time, name, and value, for any session variables that were logged. An access policy can log session variables when you include a Logging action in the policy.


A CAPTCHA is a test that tries to determine whether a user is a human or a bot. A popular CAPTCHA displays wavy text that a human must decipher and type. Vendors provide CAPTCHA services that present challenges and verify results.

In APM, you specify the CAPTCHA service in a CAPTCHA configuration, and then add a CAPTCHA challenge to a Logon Page action in any access policy.

About logon pages

You can present a logon page in the access policy to prompt users for a username and password or other identifying information. The logon page action typically precedes the authentication action that checks the credentials provided on the logon page. You can add other checks before or after the logon page check.

You can customize the logon page with custom fields and text for different sections of the logon form. On the logon page you can also localize text messages for different languages. The logon page can display as many as five customizable fields.

You can define a logon page agent with the following elements and options:

Split domain from full username
Select Yes to specify that when a username and domain combination is submitted (for example, marketing\jsmith or, only the username portion (in this example, "jsmith") is stored in the session variable session.logon.last.username. If you select No, the entire username string is stored in the session variable.
CAPTCHA configuration
Select a CAPTCHA configuration to present added CAPTCHA security on the logon page.
Specifies the type of logon page agent. You can specify any agent to be text, password, or none. A text agent type displays a text field, and shows the text that is typed in that field. A password agent type displays an input field, but displays the typed text input as asterisks. A none agent type specifies that the field is not displayed on the logon page.
Post Variable Name
Specifies the variable name that is prepended to the data typed in the text field. For example, the POST variable username sends the user name input omaas as the POST string username=omaas.
Session Variable Name
Specifies the session variable name that the server uses to store the data typed in the text field. For example, the session variable username stores the username input omaas as the session variable string session.logon.last.username=omaas.
Read Only
Specifies whether the logon page agent is read-only, and always used in the logon process as specified. You can use Read Only to add logon POST variables or session variables that you want to submit from the logon page for every session that uses this access policy, or to populate a field with a value from a session variable. For example, you can use the On-Demand Certificate agent to extract the CN (typically the user name) field from a certificate, then you can assign that variable to session.logon.last.username. In the logon page action, you can specify session.logon.last.username as the session variable for a read only logon page field that you configure. When Access Policy Manager displays the logon page, this field is populated with the information from the certificate CN field (typically the user name).

You can also customize the fields and images on the logon page with the following options.

Form Header Text
Specifies the text that appears at the top of the logon box.
Logon Page Input Field # (1-5)
These fields specify the text that is displayed on the logon page for each of the logon page agents, defined in the Logon Page Agent screen area.
Save Password Checkbox
Specifies the text that appears adjacent to the check box that allows users to save their passwords in the logon form. This field is used only in the secure access client, and not in the web client.
Logon Button
Specifies the text that appears on the logon button, which a user clicks to post the defined logon agents.
Front Image
Specifies an image file to display on the logon page. Click Browse to select a file from the file system. Click Show image or Hide Image to show or hide the currently selected image file. Click Revert to Default Image to discard any customization and use the default logon page image.
New Password Prompt
Specifies the prompt displayed when a new Active Directory password is requested.
Verify Password Prompt
Specifies the prompt displayed to confirm the new password when a new Active Directory password is requested.
Password and Password Verification do not Match
Specifies the prompt displayed when the new Active Directory password and verification password do not match.

Adding a CAPTCHA configuration

Before you add a CAPTCHA configuration, you should sign up for CAPTCHA service with a vendor. Access Policy Manager CAPTCHA support is based on the API that the Google reCAPTCHA service provides. You can use any CAPTCHA service with a compatible API.
Note: You can create a CAPTCHA configuration without the information you obtain from a vendor, but the configuration is not effective until you add it.
Add a CAPTCHA configuration to Access Policy Manager so that you can add a CAPTCHA challenge to a logon page.
  1. On the Main tab, select Access Policy > Access Profiles > CAPTCHA Configurations. The CAPTCHA Configurations screen opens.
  2. Click Create. The New CAPTCHA Configuration screen opens.
  3. In the Configuration area, in the Private Key field, type the string that was provided as the private key when you signed up for CAPTCHA service.
  4. In the Public Key field, type the string that you received as the public key from the vendor.
  5. In the Verification URL field, type the URL of the service that verifies the response to the CAPTCHA challenge. Defaults to Do not start this URL with https.
  6. In the Challenge URL field, type the URL of the service that provides the CAPTCHA challenge. Defaults to Do not start this URL with https.
  7. In the Noscript URL, type the URL to use for obtaining the challenge picture if JavaScript is disabled. Defaults to Do not start this URL with https.
  8. In the Display CAPTCHA After Number of Logon Attempts Equals field, type the number of logon attempts to allow before issuing a CAPTCHA challenge. Defaults to 0 (zero), in which case Access Policy Manager always issues a challenge.
  9. For the Track Logon Failures setting, select one or more options to specify how to track logon failure attempts: By IP Address or By Username. Access Policy Manager checks whether the number of logon failures exceeds the number set in the Display CAPTCHA After Number Of Logon Attempts Equals field.
  10. Optional: From the CAPTCHA Theme list, select a standard theme or select Custom to control the appearance of the CAPTCHA widget. Defaults to Red.
    Note: If you select Custom, you must add some code to the logon page to implement the look and feel that you want for the CAPTCHA challenge; for information, refer to the site you use for CAPTCHA service. If you do not add code to the logon page, the CAPTCHA challenge is not displayed, but still requires a response. In this case, users cannot respond and cannot log in.
  11. To permit user access when CAPTCHA service is unavailable, select Enable for the Allow Access if CAPTCHA Verification Cannot Complete setting.
  12. Click Finished.
You have created a CAPTCHA configuration.
To use this configuration, add it to a Logon Page action in an access policy.

Adding a logon page to an access policy

Before you start this task, you must have an access profile created.
You add the logon page action to an access policy to display a logon page for the user on which the user can enter username, password, and other identifying information you specify.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click the name of the access profile for which you want to edit the access policy. The Access Profile properties screen opens for the profile you want to edit.
  3. On the menu bar, click Access Policy. The Access Policy screen opens.
  4. Click Edit Access Policy for Profile profile_name. The visual policy editor opens the access policy in a separate screen.
  5. On an access policy branch, click the plus symbol (+) to add an item to the access policy.
  6. From the General Purpose area, select Logon Page and click the Add Item button. This opens the Logon Page Agent popup window.
  7. In the Name field, type a name for the access policy item. This name is displayed in the action field for the access policy.
  8. Select whether to split the username from the domain.
  9. To add a CAPTCHA challenge to the logon page, select a CAPTCHA configuration from the list. You can configure CAPTCHA configurations from the Access Profiles page.
  10. In the Logon Page Agent area, select the fields you want to display on the logon page. By default, a text field for user name, and a password field for the password are enabled and displayed. You can specify up to three more fields to display, or customize the selected fields.
  11. From the Language list, select the language for which you want to customize messages. You can specify more languages in the Access Profile properties Language Settings area.
  12. In the Customization area, customize the logon page elements.
  13. Click the Save button to save changes to the access policy item.
You can now configure further actions on the successful and fallback rule branches of this access policy item.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
Table of Contents   |   Next Chapter >>

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Additional Comments (optional)