Forum Discussion

Cirrostratus

Apr 18, 2023

Block specific Client IP if request contains XYZ

Hi, I need help creating the fastest solution (LTM Policy / iRule / other) to do this:
If client IP = X.X.X.X
and request contains = XYZ
Drop the client / or block by WAF message

Thank you!

security

7 Replies

Michael_Saleem
MVP
Apr 18, 2023

For a very quick solution to match on a single source IP and URI, you could use the following:
when HTTP_REQUEST { if { ( ( [IP::addr [IP::client_addr] equals X.X.X.X] ) && ( [string tolower [HTTP::uri]] contains "xyz" ) ) } { drop } }
However, if you need need it to be more scalable, I would probably use a data group to hold multiple client IP addresses and then maybe another data group or switch -glob statement to match on multiple URIs.
- CA_Valli
  MVP
  Apr 18, 2023
  I'd just advise to avoid using "string tolower" on HTTP uri instruction, since path is case sensitive.
  - Michael_Saleem
    MVP
    Apr 18, 2023
    Good point 👍
MaxMedov
Cirrostratus
Apr 18, 2023
I'll test it thank you!