Forum Discussion

iRule's avatar
iRule
Icon for Cirrus rankCirrus
Apr 10, 2023

Allow access to 2 wildcard URIs from internet and allow all URIs from internal organization network

Dear Community,

I received a requirement from application gateway team that they need to expose only two URIs to internet consumers and all URIs should be accessable to internal organnization users.

Wildcard URIs Allowed from Internet

xyz.com/abc/asdf/morning/* 

xyz.com/abc/asdf/evening/*

All  URIs allowed from internal origanization private IPs

xyz.com/*

Please inform how I can accomplish this from ASM policy

  • Hi,

    It's easier to do with iRule or LTM policy.

    when HTTP_REQUEST {
    	if { not ([class match [IP::client_addr] equals /Common/private_net]) } {
    		switch -glob [HTTP::uri] {
    			"/abc/asdf/morning/*" -
    			"/abc/asdf/evening/*" {
    				return
    			}
    			default {
    				drop
    				return
    			}
    		}
    	}
    }

    If you want to do it with WAF, you need two WAF policy. One for the internal network, the other for the external network. And you need to set these policies with LTM policy or iRule.

    In the external waf policy, you should to add the allowed URLs and remove the wildcard URL in the Allowed URLs list.

    Illegal URL violation values must be enable in Learning and Blocking Settings.