Access Control Policy - Dynamically assign IPs with different number of IPs in an environment

Hi, 

For the Access Control policy, I have been able to dynamically specify IP using KVMs similar to this
<IPRules noRuleMatchAction = "ALLOW">
    <MatchRule action = "ALLOW">
        <SourceAddress mask="32">{variable-1}</SourceAddress>
        <SourceAddress mask="32">{variable-2}</SourceAddress>
        <SourceAddress mask="32">{variable-3}</SourceAddress>
        <SourceAddress mask="32">{variable-4}</SourceAddress>
     </MatchRule>
     <MatchRule action = "DENY">
        <SourceAddress mask="24">{variable-5}</SourceAddress>
     </MatchRule>
</IPRules>
This has worked fine in the past. However, now I have the scenario where different environments have different numbers of IPs to whitelist. So in some cases, the variables above will be null, e.g. variable-3 and variable-4 are null in an environment. If it's null, I have noticed that I get the following error:
{"fault":{"faultstring":"Unresolved variable : variable-3 ","detail":{"errorcode":"entities.UnresolvedVariable"}}}
I know that we can add a hard coded value if the reference variable is null but is there a way that we can let the policy remove that IP if the reference value is null?


Thanks,

Marlene


Couple of options to address this:

Option 1: Have an AccessControlPolicy for each environment. At runtime the environment-specific policy gets executed based on Conditions matching an environment-specific variable (e.g. env name). So each env-specific AccessControlPolicy has the fixed set of SourceAddress elements for that environment.

Option 2: Use an AssignMessage policy (<AssignVariable>) before setting the values in the KVM policy. Set all the variables to an IP address from the reserved IP list (e.g. 255.255.255.254), assuming the incoming address will not have this address in the request. This will make sure you have a valid, non-null value as an IP address to use in the proxy.

Thanks.

Thanks for the quick reply! I think that I might go for option 1. Although it's something that we normally would do, it will cover our requirement. Thanks! I didn't think about that 🙂

You may be able to use an alternative syntax in the single policy, specifying a default value, like this:

<IPRules noRuleMatchAction = "ALLOW">
    <MatchRule action = "ALLOW">
        <SourceAddress mask="32">{variable-1:1.2.3.4}</SourceAddress>
        <SourceAddress mask="32">{variable-2:1.2.3.4}</SourceAddress>
        <SourceAddress mask="32">{variable-3:1.2.3.4}</SourceAddress>
        <SourceAddress mask="32">{variable-4:1.2.3.4}</SourceAddress>
     </MatchRule>
     <MatchRule action = "DENY">
        <SourceAddress mask="24">{variable-x:10.20.30.40}</SourceAddress>
     </MatchRule>
</IPRules>

Hi @dchiesa1, not too sure what you mean.

Do you mean that if, for example, variable-4 doesn't exist, it will default to 1.2.3.4? Just by separating with a ( )? I just tried that and it still brings up the unresolved variable error. Also, are the curly braces in the right place? I would assume that it should just be around the {variable-4}? Let me know if I am doing something wrong.

Although, in my case, I don't want to specify a default value, it would be good to know if we can define a default value if the reference variable doesn't exist, because I can't see it in the documentation 🙂

I haven't tried this out, but another approach that should work is the firstnonnull message template function. It's documented to work in the Access Control policy.

i.e. {firstnonnull(variable-4,'1.2.3.4')}
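To see how the firstnonnull suggestion above combines with the reserved-address fallback from option 2, here is an added example that is not from this thread or from Apigee: a small Python model of the IPRules evaluation. It assumes first-matching-rule-wins semantics with noRuleMatchAction as the fallback, treats mask as a CIDR prefix length, and uses a simplified template resolver that only understands a bare {variable} and {firstnonnull(var,'literal')}; the policy text and the addresses are constructed for the example.

```python
import re
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the question's policy, with the two variables that are
# null in some environments defaulted to an address from a reserved range.
POLICY_XML = """
<IPRules noRuleMatchAction="ALLOW">
  <MatchRule action="ALLOW">
    <SourceAddress mask="32">{variable-1}</SourceAddress>
    <SourceAddress mask="32">{variable-2}</SourceAddress>
    <SourceAddress mask="32">{firstnonnull(variable-3,'255.255.255.254')}</SourceAddress>
    <SourceAddress mask="32">{firstnonnull(variable-4,'255.255.255.254')}</SourceAddress>
  </MatchRule>
  <MatchRule action="DENY">
    <SourceAddress mask="24">{variable-5}</SourceAddress>
  </MatchRule>
</IPRules>
"""

class UnresolvedVariable(Exception):
    """Stands in for the entities.UnresolvedVariable fault seen in the question."""

FIRSTNONNULL = re.compile(r"^firstnonnull\((.*)\)$")

def resolve(template, variables):
    """Expand one {...} template: a bare variable name or firstnonnull(...)."""
    expr = template.strip()[1:-1]          # drop the surrounding braces
    m = FIRSTNONNULL.match(expr)
    if not m:                              # plain {variable}: null means a fault
        if variables.get(expr) is None:
            raise UnresolvedVariable(expr)
        return variables[expr]
    for arg in (a.strip() for a in m.group(1).split(",")):
        if arg.startswith("'"):            # quoted literal is never null
            return arg.strip("'")
        if variables.get(arg) is not None:
            return variables[arg]
    raise UnresolvedVariable(expr)         # every argument was null

def evaluate(policy_xml, variables, client_ip):
    """Return the action for client_ip (assumed: first matching rule wins)."""
    root = ET.fromstring(policy_xml.strip())
    ip = ipaddress.ip_address(client_ip)
    for rule in root.findall("MatchRule"):
        for src in rule.findall("SourceAddress"):
            addr = resolve(src.text, variables)
            if ip in ipaddress.ip_network(f"{addr}/{src.get('mask')}", strict=False):
                return rule.get("action")
    return root.get("noRuleMatchAction")
```

Swapping the firstnonnull entries back to plain {variable-3} reproduces the fault when that variable is absent from the KVM, which shows the policy failing closed rather than silently skipping the address.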