Block URI based on Source IPs

Question

Dear Team, i need to block the following URI for all internet users but needs to allow for some LAN users based on ip address following are the URIs that i need to block &nbsp;

&nbsp;
for testing pupose i have created a below i rule but this i rule is not working fine &nbsp;
when HTTP_REQUEST { 
   log local0. "Path = [string tolower [HTTP::path]]"
   log local0. "Client IP = [IP::client_addr]"
   if { [string tolower [HTTP::path]] contains "MyHiddenLoginPage.aspx" } { 
       if { !([IP::addr [IP::client_addr] equals 10.0.0.8]) } {
         discard 
 log local0. " Just discarded a request! "} 
 else {
 log local0. "Just processed a request!"
      }
   }
}&nbsp;

p_k · Answer

did you try drop instead of discard?&nbsp;

ed_summers · Answer

What testing have you performed, and what results are you getting vs what you expect?&nbsp;I tried to pretty this up a bit as it was difficult to read from your OP. Does this look like what you have? (When you post one of these, use the 'pre-formatted code' button to make the code more readable.)&nbsp;when HTTP_REQUEST {
    log local0. "Path = [string tolower [HTTP::path]]"
    log local0. "Client IP = [IP::client_addr]"
    if { [string tolower [HTTP::path]] contains "MyHiddenLoginPage.aspx" } {
        if { !([IP::addr [IP::client_addr] equals 10.0.0.8]) } {
            discard
            log local0. " Just discarded a request!"
        } else {
            log local0. "Just processed a request!"
        }
    }
}One immediate issue I notice is your If-test. You use the 'string tolower' conversion to make the string all lower-case, but then you attempt to test against a mixed-case string. That will never match. Change your test text to all lower-case, or if you want a case-sensitive match remove the 'string tolower' operation.&nbsp;When you move to production do you plan to use a data-group to hold your 'LAN user' IPs for the IP address match? That would be a good idea to allow flexibility and scalability for your matches. There are many DevCentral posts for using data-groups for matching, though you may already be familiar with the syntax.&nbsp;

sajid_284881 · Answer

let me try than i will update you &nbsp;

sajid_284881 · Answer

i tried drop instead of discard still the result is same page is still opening &nbsp;

sajid_284881 · Answer

i got it :) no need thanks &nbsp;

Forum Discussion

Block URI based on Source IPs

5 Replies

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

ASM attack signatures not syncing between active and standby F5

Hardware BIG-IP appliance reach EOSS, but the software version running on it not yet?

VPN Communication Error with F5 BIG-IP Edge Client

simultaneous disabling / enabling of all LTM objects

Query on source IP preservation for syslog traffic through F5 virtual server

Related Content

Block destination IP by source IP

Logging/Blocking possible prompt injection

Generic iRule based on datagroup parsing

Restsh is now available under an Open Source license!

Implementing Risk-Based Actions with AI-Powered WAF: Customer Policy Paths

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS