Everything a BIG-IP Zero Trust Access (formerly BIG-IP APM - Access Policy Manager) access policy learns, it stores in session variables, hierarchical names the Visual Policy Editor guide's own anatomy figure spells out: the string session, a type, the agent name or the string last, agent-specific pieces, a node name of attr or result, an attribute name. The Session Variables chapter is the canonical table of those names, and this tool vendors it, a substantial curated core spanning policy results, the session-management and client set, the AD, LDAP, and RADIUS families, the complete session.ssl.cert family, the endpoint checks, OTP, and resource assignment, extended with the logon and SSO plumbing rows the SSO Configuration Guide defines, session.logon.last.* and session.sso.token.last.*, the pair every SSO method reads.

The lookup is pattern-aware because the chapter writes patterns. Rows like session.ad.$name.attr.$attr_name are templates, each retrieved attribute converted to a separate session variable, so pasting session.ad.last.attr.memberOf resolves to its row with the bindings shown, $name = last, $attr_name = memberOf, along with which action populates it, an AD Query in that case. Family lookups and a full catalogue mode round out the reference side.

Paste an expression instead and every reference inside it is extracted and explained, across the three syntaxes the platform itself uses: %{session.x} inline expansion, which the chapter's own OTP example message demonstrates; mcget inside expr branch rules, whose canonical form the per-request policy reference ships as expr { [mcget {session.ad.last.attr.primaryGroupID}] == 100 }; and access::session data get and set. The secure audit rides along on all three, grounded verbatim in F5's own lab material: a secure variable's value is stored encrypted in the session db, is not displayed in the session report, is not logged by the logging agent, and requires the -secure flag for both mcget and access::session data get/set. The one-click Example is the classic trap this contract creates, a bare mcget on session.logon.last.password, and the tool names exactly what comes back: an empty value, silently, not an error.

The honest edges are stated on the cards. This is a snapshot of the 13.1 chapter, the last generation shipped as manual chapters, with names and families stable across versions and per-version verification as the standing advice; variables outside the snapshot are reported as such, with the two debug surfaces named, the Current Sessions report, which the lab notes shows variables for active sessions only, hence its message-box pause trick, and the sessiondump command with its sid and allkeys views.

Everything runs locally; nothing you paste leaves the page.