Forum Discussion

Abed_AL-R's avatar
Abed_AL-R
Icon for Cirrostratus rankCirrostratus
Jun 02, 2020

bypassing ASM from specific source IP

Hello guys   What is the alternative irule for this: https://clouddocs.f5.com/api/irules/ASM__disable.html   The HTTP_CLASS_SELECTED is not recognized anymore in newer versions   I know ...
ASM Advanced WAF
iRules
security
KeesvandenBos's avatar
KeesvandenBos
Icon for MVP rankMVP
Jun 02, 2020

Hi,

 

Why do you prefer an irule??

 

Cheers,

 

Kees

Abed_AL-R's avatar
Abed_AL-R
Icon for Cirrostratus rankCirrostratus
Jun 02, 2020

Not up to my choice

Its shared management environment and its a customer decision

I totally know that whenever there is a chance to solve a problem with a policy, it is the preferred way.

Anyhow, this irule solved the problem:

when CLIENT_ACCEPTED {
   set allowed 0
   if { [class match [IP::client_addr] equals bypass_asm_class]  } {
      set allowed 1
   }
}
 
when HTTP_REQUEST {
   if { $allowed } {
       #log local0.  "This client IP: [IP::client_addr] is allowed to bypass ASM"
       ASM::disable
   } else {
      ASM::enable /partition/asmpolcy
   }
}