Best practice for Allowed URLs

Question

Hi,&nbsp;

What is the best practice to create an Allowed URLs list
for a huge website that contains blogs and uses a URL generator.
The website contains more than 60,000 page?&nbsp;

is it necessary to configure a list of Allowed and NOT-Allowed URLs?&nbsp;

Thanks&nbsp;

stephanmanthey · Answer

Hi Majda,
from my perspective it is best practice to use an iRule with a "[class match [string tolower [HTTP::path]] starts_with ]" condition.
The datagroup will be of type string and contains a whitelist (allowed list) of allowed paths in lower-case format as keys (no values required).
You will find tons of working examples here on DC.
The "class" wiki page will be a good start.
Please avoid using the legacy syntax of "matchclass" or "findclass" and datagroups with the "$::" prefix!
With current TMOS versions it should not be a problem to use a datagroup of this size.
I would recommend, to work with a so called external datagroup (stored as a separate file in the TMOS filestore, which can be easily updated).
Thanks, Stephan   
PS: Just noticed the "Application Security Manager" (ASM) tag in your post. My response refers to standard "Local Traffic Manager" (LTM) features.

Forum Discussion

Best practice for Allowed URLs

1 Reply

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5 Software Downgrade from version 17.x.x to 15.x.x

Error diskmonitor

CPU utilization of F5OS on r2600

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

Hardware replacement i2800 to r2600

Related Content

AS3 Best Practice

Hands-On Quantum-Safe PKI: A Practical Post-Quantum Cryptography Implementation Guide

F5 Certified Practice Exams

Security Best Practices for F5 Products

Cipher Suite Practices and Pitfalls

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS