Manual Chapter: Per-Request Policy Item Reference

Per-Request Policy Item Reference

About per-request policy items

When configuring a per-request policy, a few access policy items are available for inclusion in the policy. Most per-request policy items are unique to a per-request policy.

About Protocol Lookup

A Protocol Lookup item determines whether the protocol of the request is HTTP or HTTPS. It provides two default branches: HTTPS and fallback. Use the Protocol Lookup item early in a per-request policy to process HTTPS traffic before processing HTTP traffic.

About SSL Bypass Set

The SSL Bypass Set item provides a read-only element, Action, that specifies the Bypass option.

Note: For an SSL Bypass Set item to be effective, the client and server SSL profiles on the virtual server must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to Intercept; and the SSL Bypass Set item must occur in the policy before any items that process HTTP traffic.

About AD Group Lookup

An AD Group Lookup item can branch based on Active Directory group. The item provides one default advanced branch rule expression, expr { [mcget {session.ad.last.attr.primaryGroupID}] == 100 }, as an example.

A branch rule expression can include any populated session variable, such as session.ad.last.attr.primaryGroupID, session.ad.last.attr.memberOf, session.ad.last.attr.lastLogon, session.ad.last.attr.groupType, session.ad.last.attr.member, and so on. For example, expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Administrators" } is a valid expression.

Note: An AD Query action in the access policy can populate the session variables.

About LDAP Group Lookup

An LDAP Group Lookup item compares a specified string against the session.ldap.last.attr.memberOf session variable. The specified string is configurable in a branch rule. The default simple branch rule expression is User is a member of CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN; the values MY_GROUP, USERS, and MY_DOMAIN must be replaced with the values used in the LDAP group configuration at the user site.

Note: An LDAP Query action is required in the access policy to populate the session variable.

About LocalDB Group Lookup

A per-request policy LocalDB Group Lookup item compares a specified string against a specified session variable.

The string is specified in a branch rule of the LocalDB Group Lookup item. The default simple branch rule expression is User is a member of MY_GROUP. The default advanced rule expression is expr { [mcget {session.localdb.groups}] contains "MY_GROUP" }. In either the simple or the advanced rule, the placeholder MY_GROUP must be replaced with a valid group name.

The session variable must initially be specified and populated by a Local Database action in the access policy. A Local Database action reads groups from a local database instance into a user-specified session variable. It can be session.localdb.groups (used by default in the LocalDB Group Lookup advanced rule expression) or any other name. The same session variable name must be used in the Local Database action and the LocalDB Group Lookup advanced rule expression.

About RADIUS Class Lookup

The RADIUS Class Lookup access policy item compares a user-specified class name against the session.radius.last.attr.class session variable. The specified class name is configurable in a branch rule.

The default simple branch rule expression is RADIUS Class attribute contains MY_CLASS. The placeholder MY_CLASS must be replaced with the name of an actual class.

Note: A RADIUS Acct or RADIUS Auth action is required in the access policy to populate the session variable.

About Dynamic Date Time

The Dynamic Date Time action enables branching based on the day, date, or time on the server. It provides two default branch rules:

Weekend
Defined as Saturday and Sunday.
Business Hours
Defined as 8:00am to 5:00pm.

The Dynamic Date Time action provides these conditions for defining branch rules.

Time From
Specifies a time of day. The condition is true at or after the specified time.
Time To
Specifies a time of day. This condition is true before or at the specified time.
Date From
Specifies a date. This condition is true at or after the specified date.
Date To
Specifies a date. This condition is true before or at the specified date.
Day of Week
Specifies a day. The condition is true for the entire day (local time zone).
Day of Month
Specifies the numeric day of month. This condition is true for this day every month (local time zone).
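As an added example (not code from the manual, and not how APM implements the item), the following Python models the six Dynamic Date Time conditions and the two default branch rules listed above, making the inclusive boundaries ("at or after", "before or at") explicit. It assumes the timestamp passed in is already the server's local time (a naive datetime) and that branch rules are evaluated in order with the first match taken, falling through to the fallback branch; the sample timestamps are constructed.

```python
from datetime import date, datetime, time
from typing import Set

# Each condition takes the request timestamp in server local time (assumption:
# a naive datetime already converted to the local zone) and returns True/False
# with the inclusive boundaries stated in the reference.


def time_from(now: datetime, start: time) -> bool:
    """Time From: true at or after the specified time of day."""
    return now.time() >= start


def time_to(now: datetime, end: time) -> bool:
    """Time To: true before or at the specified time of day."""
    return now.time() <= end


def date_from(now: datetime, start: date) -> bool:
    """Date From: true at or after the specified date (the whole day counts)."""
    return now.date() >= start


def date_to(now: datetime, end: date) -> bool:
    """Date To: true before or at the specified date (the whole day counts)."""
    return now.date() <= end


def day_of_week(now: datetime, days: Set[int]) -> bool:
    """Day of Week: true for the entire local day. Python convention: Monday=0 ... Sunday=6."""
    return now.weekday() in days


def day_of_month(now: datetime, day: int) -> bool:
    """Day of Month: true for this numeric day in every month."""
    return now.day == day


# The two default branch rules from the reference.
SATURDAY, SUNDAY = 5, 6


def is_weekend(now: datetime) -> bool:
    """Weekend: Saturday and Sunday."""
    return day_of_week(now, {SATURDAY, SUNDAY})


def is_business_hours(now: datetime) -> bool:
    """Business Hours: 8:00am to 5:00pm, both ends inclusive per Time From / Time To."""
    return time_from(now, time(8, 0)) and time_to(now, time(17, 0))


def select_branch(now: datetime) -> str:
    """Evaluate the default rules in order; the first true rule names the branch."""
    if is_weekend(now):
        return "Weekend"
    if is_business_hours(now):
        return "Business Hours"
    return "fallback"


if __name__ == "__main__":
    # 2024-01-08 is a Monday; 17:00:00 is still inside Business Hours, 17:00:01 is not.
    for ts in (datetime(2024, 1, 6, 12, 0), datetime(2024, 1, 8, 17, 0),
               datetime(2024, 1, 8, 17, 0, 1)):
        print(ts.isoformat(), "->", select_branch(ts))
```

The one-second difference between the last two sample timestamps is the point of the example: a Time To of 5:00pm admits 17:00:00 exactly, so a rule meant to end at five should be written with that boundary in mind.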

About SSL Intercept Set

The SSL Intercept Set item provides a read-only element, Action, that specifies the Intercept option.

Note: For an SSL Intercept Set item to be effective, the client and server SSL profiles on the virtual server must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to Intercept; and the SSL Intercept Set item must occur in the policy before any items that process HTTP traffic.

About the Logging action

The Logging action can be used in an access policy or in a per-request policy. In an access policy, the Logging action adds logging for session variables to the access policy. In a per-request policy, the Logging action can add logging for both session variables and per-flow variables to the per-request policy.

This action is useful for tracing the variables that are created for a specific category, or in a specific branch.

Note: A session variable might or might not exist at the time of logging, depending on the access policy branch taken or on other results of processing the access policy.

The Logging action provides these configuration elements and options:

Log Message
For an access policy, specifies text to add to the log file. For a per-request policy, specifies the message text and the session and per-flow variables to add to the message. Complete variable names must be typed. Wildcards are not supported for per-request policies. An example log message for a per-request policy follows.
The system found this URL %{perflow.category_lookup.result.url} in these categories %{perflow.category_lookup.result.categories} and placed it into this category %{perflow.category_lookup.result.primarycategory}.
An HTTPS request was made to this host %{perflow.category_lookup.result.hostname}; the per-request policy set SSL bypass to %{perflow.ssl_bypass_set}.
Requests from this platform %{session.client.platform} were made during this session %{perflow.session.id}.
Session Variables
Specifies a session variable from a list of predefined session variables or a custom session variable.
Note: This option is available only when adding the Logging action to an access policy.

About Category Lookup

A Category Lookup item looks up URL categories for a request and obtains a web response page.

The Category Lookup item provides these elements and options.

Categorization Input
The list specifies these options:
  • Use HTTP URI (cannot be used for SSL Bypass decisions): For HTTP traffic, this option specifies performing a URL-based lookup. When selected, on a BIG-IP® system with an SWG subscription the SafeSearch Mode setting displays.
  • Use SNI in Client Hello (if SNI is not available, use Subject.CN): For HTTPS traffic, this option specifies performing a host-based lookup.
  • Use Subject.CN in Server Cert: For HTTPS traffic, this option specifies performing a host-based lookup.
SafeSearch Mode
The options are Enabled (default) and Disabled. When enabled, SWG enables Safe Search for supported search engines.
Note: SafeSearch is available only with an SWG subscription.
Category Lookup Type
Select the category types in which to search for the requested URL. On a BIG-IP® system with an SWG subscription, options are:
  • Select one from Custom categories first, then standard categories if not found
  • Always process full list of both custom and standard categories
  • Process standard categories only
On a BIG-IP® system without an SWG subscription, the available option is Process custom categories only. Depending on the selection, the Category Lookup Type item looks through custom categories or standard categories or both, and compiles a list of one or more categories from them. The list is available for subsequent processing by the URL Filter Assign item.
Reset on Failure
When enabled, specifies that SWG send a TCP reset to the client in the event of a server failure.

About Response Analytics

A Response Analytics item inspects a web response page for malicious embedded content. Response Analytics must be preceded by a Category Lookup item, because the Category Lookup item obtains the web response page.

Note: Response Analytics works only on a BIG-IP® system with an SWG subscription.

Response Analytics provides these elements and options.

Max Buffer Size
Specifies the maximum amount of response data (in bytes) to collect before sending it for content scanning. The system sends the content for analysis when the buffer reaches this size or when the buffer contains all of the response content. Otherwise, the system retains the response data in the buffer.
Max Buffer Time
Specifies the maximum amount of time (in seconds) for buffering and analyzing response data. If the time elapses at any point in this process, the agent sets the perflow.response_analytics.failure variable to 1 (which indicates an ANTserver failure) and discards the response data.
Reset on Failure
When enabled, specifies that SWG send a TCP reset to the client in the event of an ANTserver failure. If disabled and an ANTserver failure occurs, SWG logs all perflow variables and provides the SWG block page to the client.
Exclude Types
Specifies one entry for each type of content to be excluded from content analysis. Images (the All-Images type) are not analyzed.

About URL Filter Assign

A URL Filter Assign item determines whether to block or allow a request. A Category Lookup item must precede URL Filter Assign to provide categories. The URL Filter Assign item looks up the filter action for each category found for the request. If any filter action is set to Block, the request is blocked. The URL Filter Assign item also uses the analysis from the Response Analytics item, if that item is used, to determine whether to block or allow the request.

A URL Filter Assign item provides the URL Filter element, a list of filters from which to select.

Note: A Category Lookup item must precede the URL Filter Assign item.
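As an added example (not F5 code, and not a description of the SWG implementation), the following Python models how the Category Lookup Type options described above build the category list for a request and how URL Filter Assign then applies the rule that a single Block action blocks the request, taking an optional Response Analytics verdict into account. The hostnames, category names, filter actions and the action taken for a request with no categories are all constructed for the example.

```python
from typing import Dict, List

# Constructed sample data for this example: one custom category table, one
# standard category table, and one URL filter mapping category -> action.
CUSTOM_CATEGORIES: Dict[str, List[str]] = {
    "Internal Tools": ["intranet.example.test"],
}
STANDARD_CATEGORIES: Dict[str, List[str]] = {
    "Business": ["intranet.example.test", "crm.example.test", "mixed.example.test"],
    "Social Networking": ["social.example.test", "mixed.example.test"],
}
URL_FILTER: Dict[str, str] = {
    "Internal Tools": "Allow",
    "Business": "Allow",
    "Social Networking": "Block",
}


def categories_for(host: str, table: Dict[str, List[str]]) -> List[str]:
    """All categories in one table whose host list contains the request host."""
    return [cat for cat, hosts in table.items() if host in hosts]


def category_lookup(host: str, lookup_type: str) -> List[str]:
    """Model of the Category Lookup Type options from the reference.

    custom_first  - custom categories first, standard categories only if none found
    full_list     - always process the full list of both custom and standard
    standard_only - standard categories only
    custom_only   - the only option available without an SWG subscription
    """
    custom = categories_for(host, CUSTOM_CATEGORIES)
    standard = categories_for(host, STANDARD_CATEGORIES)
    if lookup_type == "custom_first":
        return custom or standard
    if lookup_type == "full_list":
        return custom + standard
    if lookup_type == "standard_only":
        return standard
    if lookup_type == "custom_only":
        return custom
    raise ValueError(f"unknown Category Lookup Type: {lookup_type}")


def url_filter_assign(categories: List[str], url_filter: Dict[str, str],
                      response_malicious: bool = False,
                      uncategorized_action: str = "Block") -> str:
    """Block if any category's filter action is Block, otherwise Allow.

    A malicious verdict from Response Analytics (when that item ran) also blocks.
    The action for a request with no categories, or for a category the filter
    does not list, is a model assumption chosen fail-closed here; the reference
    does not state it.
    """
    if response_malicious:
        return "Block"
    if not categories:
        return uncategorized_action
    actions = [url_filter.get(cat, uncategorized_action) for cat in categories]
    return "Block" if "Block" in actions else "Allow"


def decide(host: str, lookup_type: str = "custom_first",
           response_malicious: bool = False) -> str:
    """Category Lookup followed by URL Filter Assign, in the order the policy requires."""
    return url_filter_assign(category_lookup(host, lookup_type), URL_FILTER, response_malicious)


if __name__ == "__main__":
    for host in ("intranet.example.test", "crm.example.test", "mixed.example.test"):
        print(host, category_lookup(host, "full_list"), "->", decide(host))
```

The mixed.example.test host shows why the Category Lookup Type matters: with the full list processed it lands in both an allowed and a blocked category, and the single Block action decides the outcome.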

About Application Lookup

An Application Lookup item obtains the name of the application that is being requested and looks up the application family that matches it. By default, this item has a fallback branch only.

Application Lookup can be used to branch by application family or by application name; branch rules are required to do this. If an Application Filter Assign item is included in the per-request policy, an Application Lookup must complete before it.

About Application Filter Assign

An Application Filter Assign item matches an application or application family against an application filter. Application Filter Assign provides one configuration element. The Application Filter element specifies the application filter to use in determining whether to block access to an application or allow it. The Application Filter Assign item exits on the Allow branch if the filter action specifies allow. Otherwise, Application Filter Assign exits on the fallback branch.

Important: To supply input for the Application Filter Assign agent, an Application Lookup item must run in the per-request policy sometime prior to it.

About HTTP Headers

An HTTP Headers action supports modifying an outgoing HTTP request to a back-end server. The action supports manipulation of HTTP and cookie headers being sent to back-end servers.

Important: The HTTP Headers item cannot manipulate HTTP cookies in outgoing HTTP requests to any portal access application.

The HTTP Headers item provides these configuration options and elements.

An entry in the HTTP Header Modify table includes these elements.

Header Operation
Specifies insert, append, replace, or remove.
Header Name
Specifies the header name on which to operate.
Header Value
Specifies the value on which to operate.
Note: Any per-flow or session variable can be used as a header value, for example, %{session.user.clientip} or %{perflow.session.id}.
Header Delimiter
Specifies the separator to use when appending a header.

An entry in the HTTP Cookie Modify table includes these elements.

Cookie Operation
Specifies update or delete.
Note: When update is selected and no cookie matching the name and value exists, the HTTP Headers item adds the specified cookie.
Cookie Name
Specifies the name to match.
Cookie Value
Specifies the value to match when deleting a cookie or the new value to set when updating a cookie.
Note: Any per-flow or session variable can be used as a cookie value.
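As an added example (not F5 code, and not how APM implements either item), the following Python models the %{variable} expansion that the Logging action's Log Message (under About the Logging action, above) and the HTTP Headers item's header and cookie values both use, together with the four header operations and two cookie operations described above. Assumptions of the model: request headers are a list of name/value pairs, a variable that does not yet exist expands to an empty string, replace does nothing when the header is absent, and delete removes a cookie only when both name and value match; the variable values and request headers are constructed.

```python
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# %{session.x} or %{perflow.y} references, as written in Log Message and Header Value.
VAR_RE = re.compile(r"%\{([^}]+)\}")


def expand(template: str, variables: Dict[str, str]) -> str:
    """Expand %{name} references against a flat table of session/per-flow variables.

    Model assumption: a variable that does not exist at this point in the policy
    expands to an empty string (the reference only notes it might not exist).
    """
    return VAR_RE.sub(lambda m: variables.get(m.group(1), ""), template)


def modify_header(headers: List[Header], operation: str, name: str, value: str,
                  variables: Dict[str, str], delimiter: str = ", ") -> List[Header]:
    """Apply one HTTP Header Modify entry: insert, append, replace or remove."""
    value = expand(value, variables)
    present = [h for h in headers if h[0].lower() == name.lower()]
    others = [h for h in headers if h[0].lower() != name.lower()]
    if operation == "insert":
        return headers + [(name, value)]          # adds a new instance of the header
    if operation == "append":
        if not present:
            return headers + [(name, value)]      # nothing to append to: insert instead
        joined = delimiter.join([v for _, v in present] + [value])
        return others + [(name, joined)]          # Header Delimiter separates the values
    if operation == "replace":
        return others + [(name, value)] if present else headers   # no-op when absent
    if operation == "remove":
        return others
    raise ValueError(f"unknown Header Operation: {operation}")


def modify_cookie(headers: List[Header], operation: str, name: str, value: str,
                  variables: Dict[str, str]) -> List[Header]:
    """Apply one HTTP Cookie Modify entry (update or delete) to the request's Cookie header."""
    value = expand(value, variables)
    jar: List[Tuple[str, str]] = []
    others: List[Header] = []
    for hname, hvalue in headers:
        if hname.lower() != "cookie":
            others.append((hname, hvalue))
            continue
        for part in hvalue.split(";"):
            if part.strip():
                k, _, v = part.strip().partition("=")
                jar.append((k.strip(), v.strip()))
    if operation == "update":
        # Overwrite a cookie of that name, or add it when none exists (per the note above).
        if any(k == name for k, _ in jar):
            jar = [(k, value if k == name else v) for k, v in jar]
        else:
            jar.append((name, value))
    elif operation == "delete":
        jar = [(k, v) for k, v in jar if not (k == name and v == value)]
    else:
        raise ValueError(f"unknown Cookie Operation: {operation}")
    if jar:
        others.append(("Cookie", "; ".join(f"{k}={v}" for k, v in jar)))
    return others


# Constructed variable table and request for the demonstration.
VARIABLES = {
    "session.user.clientip": "203.0.113.7",
    "perflow.session.id": "a1b2c3",
    "perflow.category_lookup.result.primarycategory": "Business",
}
REQUEST_HEADERS: List[Header] = [
    ("Host", "intranet.example.test"),
    ("Cookie", "lang=en; theme=dark"),
    ("X-Trace", "one"),
]
LOG_TEMPLATE = ("Request %{perflow.session.id} from %{session.user.clientip} landed in "
                "%{perflow.category_lookup.result.primarycategory}; bypass=%{perflow.ssl_bypass_set}.")


def demo_log() -> str:
    """Log Message expansion; perflow.ssl_bypass_set is deliberately absent from VARIABLES."""
    return expand(LOG_TEMPLATE, VARIABLES)


def demo_headers() -> Dict[str, str]:
    """Four HTTP Headers entries applied in sequence to the constructed request."""
    h = modify_header(REQUEST_HEADERS, "insert", "X-Client-IP", "%{session.user.clientip}", VARIABLES)
    h = modify_header(h, "append", "X-Trace", "%{perflow.session.id}", VARIABLES, delimiter="; ")
    h = modify_cookie(h, "update", "theme", "light", VARIABLES)
    h = modify_cookie(h, "delete", "lang", "en", VARIABLES)
    return dict(h)


if __name__ == "__main__":
    print(demo_log())
    print(demo_headers())
```

The log demonstration references perflow.ssl_bypass_set without an SSL Bypass Set item having run, which is exactly the situation the note under the Logging action describes; in the model the reference expands to nothing, so a log consumer should not treat an empty field as a recorded value of Intercept or Bypass.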

About per-request policy endings

An ending provides a result for a per-request policy branch. An ending for a per-request policy branch is one of two types.

Allow
Allows the user to continue to the requested URL.
Reject
Blocks the user from continuing and triggers the access profile Logout screen.