Forum Discussion

Nimbostratus

Apr 01, 2011

data group not matching

I'm writing an irule to deny logins from external users. I've tried to define a datagroup that contains allowed subnets, but have not been able to get it to match to an incoming address. See below. ...

Cirrostratus

Apr 01, 2011

Which LTM version are you running? For 9.4.4+ you should remove the $:: prefix from the datagroup name references in the iRule. If you're on v10, you could also change matchclass to 'class match' to improve the efficiency of the iRule:

http://devcentral.f5.com/wiki/default.aspx/iRules/class

Also, if you're using IIS, you should set the URI to lowercase in the switch statement. You could also check HTTP::path instead of HTTP::uri. This would catch someone using a URI like /login.aspx? or /login.aspx?ignore=this to bypass your logic.

switch -glob [string tolower [HTTP::path]] {

Aaron

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

data group not matching

Recent Discussions

self-directed requests fail because of no certificate

Decode ObjectSID from Base64-encode string

iRule - Url rewrite and header replace and pool selection not working

ip x-forwarding

F5 ASM API-Protection Policy

Related Content

Class match with starts_with - Data group matching order

Re: Automate Data Group updates on many Big-IP devices using Big-IQ or Ansible

Working with subsets of data-group records via iControl REST

Certified Kubernetes Administrator - Study Group

Can I have a data group, with "data group" members

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS