Forum Discussion
A simple source-ip whitelist and blocking page on HTTP pages?
Hi all, I need to do some whitelisting on an HTTP virtual server for some source IPs, and for all other IPs there should be an HTML blocking page displayed to the user.
No iRule should be used for this, since the config needs to be simple.
I checked with AFM. It is possible but no response page with source-ip filter.
I checked ASM. But it seems too complicated since I don't need ANY other filtering, only source-ip acl.
I checked protocol security profile but no possibility to combine a blocking page with AFM.
Any ideas how to do this in a simple way with the advanced firewall on F5?
Thanks,
Peter
3 Replies
- Tikka_Nagi_1315
Historic F5 Account
I don't believe you can have a custom blocking page per source ip filter. This could be considered a request for enhancement. I would recommend that you open a support case regarding this.
- Simon_Blakely
Employee
I would recommend using a Local Traffic Policy.
This can do request IP whitelisting, and direct traffic to a specific node/virtual for the blocking page.
- Peter_Baumann
Cirrostratus
OK, selecting a datagroup seems to be possible in version 13.x; I was trying it with v12.1.2.
But there is again a problem according to this website: https://somoit.net/f5-big-ip/f5-bigip-bug-when-using-datagroups-in-ltm-policies
-> Bug ID 688744 when matching multiple datagroups
The website above explains a workaround.
I will use the address matching when we have upgraded to v13.x, probably later this year...
Thanks for giving the hint with the new ltm policy feature.
