Forum Discussion
A simple source-ip whitelist and blocking page on HTTP pages?
Hi all, I need to do some whitelisting on an HTTP virtual server for some source IPs, and for all other IPs there should be an HTML blocking page displayed to the user.
No iRule should be used for this, since the config needs to be simple.
I checked with AFM. It is possible but no response page with source-ip filter.
I checked ASM. But it seems too complicated since I don't need ANY other filtering, only source-ip acl.
I checked protocol security profile but no possibility to combine a blocking page with AFM.
Any ideas how to do this in a simple way with the advanced firewall on F5?
Thanks,
Peter
- Tikka_Nagi_1315 (Historic F5 Account)
I don't believe you can have a custom blocking page per source ip filter. This could be considered a request for enhancement. I would recommend that you open a support case regarding this.
- Simon_Blakely (Employee)
I would recommend using a Local Traffic Policy.
This can do request IP whitelisting, and direct traffic to a specific node/virtual for the blocking page.
- Peter_Baumann (Cirrostratus)
OK, selecting a datagroup seems to be possible in version 13.x; I was trying it with v12.1.2.
But there is again a problem according to this website: https://somoit.net/f5-big-ip/f5-bigip-bug-when-using-datagroups-in-ltm-policies
-> Bug ID 688744 when matching multiple datagroups
The website above explains a workaround.
I will use the address matching when we have upgraded to v13.x, probably later this year...
Thanks for giving the hint with the new ltm policy feature.