Forum Discussion
Access rule to deny IP based on URI called
If I may add, I think WLB's initial notion would be the most sound. If you remove the SNAT profile then the servers see the client's true source and you're back to where you started. Of course, to make that work you have to force return routing in another way, usually by making the F5 self-IP the default route for the servers. In lieu of that, I would be cautious using the F5 as an authorization platform. While it is entirely possible, and quite easy to do so, you might eventually find yourself managing very complex authz rulesets, and in multiple places. I think if you're going to do anything, and you cannot turn off SNAT, I'd recommend simply passing an X-Forwarded-For header and adding some code to your application to read this HTTP header (instead of the source address).
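An added example, not part of the post above and not F5 or application code from the thread: one way the application-side check could read X-Forwarded-For while SNAT stays on. The proxy range, the `/admin` rule, and the function names are constructed for illustration, and it assumes the proxy places the real client address as the last entry of the header.

```python
import ipaddress

# Constructed values: the SNAT/self-IP range the servers see as the TCP peer,
# and a per-URI allow list (URI prefix -> networks permitted to call it).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/29")]
URI_RULES = {"/admin": [ipaddress.ip_network("192.0.2.0/24")]}

def _in(ip, nets):
    return any(ip in n for n in nets)

def client_ip(peer, xff, trusted=TRUSTED_PROXIES):
    """Return the address to authorize against, or None if it cannot be trusted."""
    peer_ip = ipaddress.ip_address(peer)
    # Only believe the header when the TCP peer is the proxy itself;
    # a client connecting directly can put anything in X-Forwarded-For.
    if not _in(peer_ip, trusted) or not xff:
        return peer_ip
    # Walk right to left: the rightmost entries were added by our proxies,
    # anything further left was supplied by the client and is unverified.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed hop: fail closed
        if not _in(ip, trusted):
            return ip
    return None  # header held only proxy addresses

def is_allowed(path, peer, xff, rules=URI_RULES):
    """Apply the per-URI allow list to the client address derived above."""
    ip = client_ip(peer, xff)
    for prefix, nets in rules.items():
        # Match the prefix on a path-segment boundary so /administrator
        # is not treated as /admin.
        if path == prefix or path.startswith(prefix + "/"):
            return ip is not None and _in(ip, nets)
    return True  # URI carries no restriction
```

The header is only as trustworthy as the path to the server: if clients can reach the servers without passing through the proxy, the peer-address check is what keeps a forged header from being honoured.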