Forum Discussion

Techgeeeg_28888
Aug 06, 2015
Solved

Blocking Traffic from Single IP with block page on ASM

Hi Everyone,

I would like to have the experts' input on a point. I have ASM running, and I want to block the requests from a particular source IP address and return the violation page with its ID. How can I do this? In the GUI I didn't find any option where I can define a black list of IPs, which would have been much easier; there is only an option to define a white list.

Regards,

  • The following extensions I hope will make the rule more efficient:

    when ASM_REQUEST_DONE {
      # Only intervene when ASM actually raised a violation on this request
      if { [ASM::violation count] > 0 } {
        # Release the request unless the client is in the blacklist data group
        # (Tcl expr has no "not()" function; use "!", and "class match" needs a space before its item)
        if { ![class match [IP::client_addr] equals "black-list-data-group"] } {
          ASM::unblock
        }
      }
    }
    
    1. You can check sources against the data group.
    2. Apply ASM::unblock action only if there were violations.

    Hope this helps.

    And do not forget to enable "Trigger ASM iRule Events" option in your policy.

5 Replies

  • If you're using v11:

    Security -> Application Security -> IP Addresses -> IP Address Exceptions

    You can use the section above to define explicitly trusted or explicitly non-trusted IP addresses. The link is created between the IP address(es) defined and a particular security policy. Unfortunately, you cannot create a granular setup where the IP address (trusted or non-trusted) is linked to a particular Signature ID without the use of iRules.

  • You can definitely do what you want with the following iRule:

    when ASM_REQUEST_DONE {
      # Release every request except those from 1.1.1.1/32. IP::addr does a real
      # address/mask comparison; a plain string "==" against "1.1.1.1/32" would never match.
      if { ![IP::addr [IP::client_addr] equals 1.1.1.1/32] } {
        ASM::unblock
      }
    }

    This will do an ASM::unblock action for any request except those sent from 1.1.1.1/32.

  • Hi Petrov,

    I would like to know one more point: is it possible via an iRule to assign the IP to the data group dynamically based on the violation counter and block it for a selected time period, after which it is removed from the data group?

    Regards,
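An added iRule sketch for the dynamic variant asked about in the last reply; it is not code from the thread. It keeps the accepted answer's static data group, and uses the session table (`table` command) instead of modifying the data group at runtime. The data group name, subtable names, the 5-violations-in-60-seconds threshold and the 600-second block period are assumed values.

```tcl
# Added example (not from the thread). Assumed values: static data group
# "black-list-data-group"; a client is auto-listed after 5 ASM violations
# within a 60 s sliding window and stays listed for 600 s; subtable names
# "asm_violations" and "asm_autoblock" are made up for this example.
when ASM_REQUEST_DONE {
    set client [IP::client_addr]

    # Clients on the static list, or currently in the temporary list, keep
    # ASM's normal blocking behaviour (block page with support ID).
    if { [class match $client equals "black-list-data-group"] ||
         [table lookup -subtable "asm_violations_block" $client] ne "" } {
        return
    }

    if { [ASM::violation count] > 0 } {
        # Per-client violation counter; the entry expires 60 s after the
        # last violation, so the window slides.
        set count [table incr -subtable "asm_violations" $client]
        table timeout -subtable "asm_violations" $client 60

        if { $count >= 5 } {
            # Temporary listing: no idle timeout, absolute lifetime 600 s,
            # after which the entry disappears and the client is unlisted.
            table set -subtable "asm_violations_block" $client 1 indef 600
            table delete -subtable "asm_violations" $client
            log local0. "auto-listed $client for 600s after $count ASM violations"
            return
        }
    }

    # Everyone else is released, as in the thread's design. Note this means
    # non-listed clients are never blocked by the policy while this iRule runs.
    ASM::unblock
}
```

As with the accepted answer, "Trigger ASM iRule Events" must be enabled in the policy, and the policy must be in blocking mode for the listed clients to see the block page.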