Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Drew_123833's avatar
Drew_123833
Icon for Nimbostratus rankNimbostratus
Oct 02, 2013

Allow only internal access to load balanced website

Hello Folks I'm not be able to block external traffic on my website. I want just to allow internal IP-addresses or traffic to the internal website. I've an iRule, but it doesn't do the trick. Any s...
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 02, 2013

Well, first thought is to simply disable access to the external VLAN. Barring that, you could use an iRule and data group, or packet filter rules. The beauty of enabling specific VLANs or using packet filter rules, is that request are immediately reset, where an iRule would allow a 3-way TCP handshake before discarding the traffic.

Here's what the iRule might look like:

when CLIENT_ACCEPTED {
    if { not ( [class match [IP::client_addr] equals my_ip_dg] ) } {
        discard
    }
}

where "my_ip_dg" is an address-based data group. I'm assuming here that you probably don't need to evaluate the Host header (because the user could be trying with an IP address), and that the pool is assigned to the virtual server. You just need to block access if the client source doesn't come from an approved list. The address-based data group can contain single IP addresses and IP subnets.