For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ant77's avatar
ant77
Icon for Cirrostratus rankCirrostratus
Jan 25, 2022

Check code for ordering of events and accuracy

Hi Everyone,   Can someone please check the code below to ensure we are doing the correct things for accuracy... Objective: Since all internal users egress out via a FW and through a CDN and back ...
devops
JRahm's avatar
JRahm
Icon for Admin rankAdmin
Jan 25, 2022

All the action exists in a single event. The client will be redirected or not, the external pool will be selected or not, so the line by line order doesn't matter so much as how you construct your logic. I personally don't like to leave logic on pool selection spread across objects, such as having a default pool that isn't visible in the rule, so even if you specify a default pool, I'd still be explicit to send traffic there if they do match internal users. But that's my preference, not required. I'd also combine your logic to set the pool and/or reject so that you don't have to check the XFF IP data-group twice, so make the if condition about the data-group, then inside that condition, you can do an if/else for the URI

ant77's avatar
ant77
Icon for Cirrostratus rankCirrostratus
Jan 25, 2022

Thanks Jason...

I added the specific pool in the irule so that if users XFF IP matches the "DG-INTERNAL-USERS-XFF" gets sent to the internal pool designated for internal employees...

What would be the best way to group the pool/reject together here?

f { !([class match $CHECK_IP eq DG-INTERNAL-USERS-XFF]) } {
pool EXTERNAL-POOL
} else {
pool INTERNAL-POOL

if { !([class match $CHECK_IP eq DG-INTERNAL-USERS-XFF]) } {
if { [class match [HTTP::uri] eq DG-URI-LIST] } {
reject }
}

 

########## Modified with default internal Pool in iRule #########

when HTTP_REQUEST {
set CHECK_IP [lindex [lsearch -all -inline -not -exact [split [HTTP::header values X-Forwarded-For] "\{\} ,"] {}] 0]
log local0. "the X-Forwarded-For header value is $CHECK_IP"

if { !([class match $CHECK_IP eq DG-INTERNAL-USERS-XFF]) } {
pool EXTERNAL-POOL
} else {
pool INTERNAL-POOL

if { !([class match $CHECK_IP eq DG-INTERNAL-USERS-XFF]) } {
if { [class match [HTTP::uri] eq DG-URI-LIST] } {
reject }
}

switch -glob [HTTP::uri] {
"*/app1/abc/portal/Tracker*" -
"*/app2/cde/Tracker*" -
"*/app3/wps/portal/CaseTracker*" {
if { ([class match $CHECK_IP eq DG-INTERNAL-USERS-XFF]) } {
if { [HTTP::uri] contains "/app2/Tracker" } {
HTTP::redirect "https://[HTTP::host]/new-app2/Tracker"
} else {
HTTP::redirect "https://[HTTP::host]/app1/old/portal/Tracker/"
}
}
}
}
}
}