Block IP Address on Fly
What is the best way to block a list of IP addresses?
- One could be to use an iFile and, using an iRule, reject traffic matching IP addresses in that file.
- Another one could be using a DataGroup and the following script (BlockIpRange):

      when CLIENT_ACCEPTED {
          # Reject the connection when the client address matches the ipblock data group
          if { [class match [IP::remote_addr] equals ipblock] } {
              reject
          }
      }

My main task is that I want to be able to call REST endpoints (icontrol-rest-api-reference) in order to do it via script. That is, supply an IP address on the fly and block it.
For the iFile option, I cannot find an option to append to an existing iFile; for the DataGroup, I am not sure how to update an existing DataGroup.
I need a REST API endpoint I can use for F5 ASM, using which I can block an IP address on the fly.
In the case of iFile, I couldn't find an option to append information to an existing file. I need to dynamically update the file with the IP address so that the IP can be blocked when the next traffic arrives. (Will it only update in the running instance or in the physical file as well?)
In the case of Data Group, I am not able to find an example of how to use it.
Let me know if more information is required.
Any help/pointers?
- Surgeon (Ret. Employee)
You are not able to block IPs using iRules on the fly. Datagroup files need to be re-uploaded every time you update them. It is better to look towards AFM if you require more intelligent behavior. Re-uploading the datagroup file will cause mcpd to reload the config and may bump up CPU usage.
- Surgeon (Ret. Employee)
I am not quite strong in the REST API yet, but this link may help you