Unable to compare SSL SNI/hostname against data group
Environment
- Application Services Version: 3.48.0
- BIG-IP Version: 17.1.0.2
Summary
When building a policy, I can compare the HTTP hostname against a data group, but I cannot compare the SSL SNI hostname against the same data group. I get the following error
Steps To Reproduce
- Submit the following policy:
"http-redirect": {
  "class": "Endpoint_Policy",
  "strategy": "first-match",
  "rules": [
    {
      "name": "permit",
      "conditions": [{
        "type": "httpHost",
        "event": "request",
        "host": {
          "operand": "ends-with",
          "datagroup": {
            "use": "permitted-domains"
          }
        }
      }]
    }
  ]
}
It works fine.
- Submit this policy instead:
"https-block": {
  "class": "Endpoint_Policy",
  "strategy": "first-match",
  "rules": [
    {
      "name": "permit",
      "conditions": [{
        "type": "sslExtension",
        "event": "ssl-client-hello",
        "serverName": {
          "operand": "ends-with",
          "datagroup": {
            "use": "permitted-domains"
          }
        }
      }]
    }
  ]
}
It fails to post; I get the following error:
{
  "code": 422,
  "message": "declaration failed",
  "response": "01020036:3: The requested datagroup lookup failure: (use) was not found.",
  "host": "localhost",
  "tenant": "init-policy",
  "runTime": 2365
},
It looks like two things are changing from your working and not working examples. If the permitted-domains data group is managed by AS3, can you try updating your failing example to use a use pointer instead of a bigip pointer?
Good observation. In all my testing, I copied/pasted the wrong example. The behavior is the same with a use pointer. I updated my post above.
Add Jira AUTOTOOL-4132 to next sprint for prioritization discussion