allow rule vs deny

Question

I would like to add a new irule which permits all previous versions of Apple IOS from 6.145 and will deny anything release thereafter. This is our current rule&nbsp;
when HTTP_REQUEST {&nbsp;
 switch -glob [string tolower [HTTP::header User-Agent]] {&nbsp;
  "*1002.14[0-4]*" {&nbsp;
   if { [HTTP::uri] contains "Cmd=MeetingResponse" } {&nbsp;
    reject&nbsp;
    log local0. "Denied iOS 6.1 Device SNAT src=[IP::client_addr] src_port=[TCP::client_port], dst=[IP::local_addr] dst_port=[TCP::local_port], virtual=[virtual name]"&nbsp;
   }&nbsp;
  }&nbsp;
 }&nbsp;
}&nbsp;
Thank in advance.&nbsp;

what_lies_bene1 · Answer

Is your current rule not working?

kevin_davies_40 · Answer

If you are talking version numbers your probably better off converting and comparing numerically.
set num=*get field from user agent*
foreach {major minor sub} [split $num "."] break;

if { $major &lt; 7 } {
  if { $minor &lt; 1002 } {
     if { $sub &lt; 145 } {
         reject
         log local0. "reject reason"
     }
  }
}

If however the version number is numerically valid.. 
if {$version &lt; 1006.145} {
   reject
}

Forum Discussion

allow rule vs deny

2 Replies

AppWorld 2026: Save the Date and Join Our Community In Person!

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Is it possible to create a Single Pool with multiple ports ?

F5 object groups in AFM

Round-robin method not load balanced

F5 ASM with fortisandbox

Disabling signature for a URL

Related Content

F5 Distributed Cloud Origin Server Subset Rules

LTM Cipher rule

F5 NGINX HTTP Request Header Rules: What’s Permitted and What’s Not

F5 Rules for AWS WAF - Rule ID to Attack Type Reference

Deny access to F5 management from specific addresses

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS