jona187_168823
Mar 18, 2015

F5 IRULE TO block exchange with external IP and useragent

I'm trying to block all non RFC1918 addresses when they use a particular useragent

when HTTP_REQUEST priority 1000 {
    # Only inspect the User-Agent when the client address matches the
    # outlook_private_block data group.
    if { [matchclass [IP::client_addr] equals outlook_private_block] } {
        switch -glob [HTTP::header User-Agent] {
            "Microsoft Outlook" -
            "Microsoft Office" -
            "Microsoft Office/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4701; Pro)" -
            "Microsoft Office/15.0*" {
                # Log the match, then drop the request.
                log local0.info "Client IP:[IP::client_addr] has been blocked with user agent :[HTTP::header User-Agent]"
                discard
            }
            default {
                log local0.debug "Client IP:[IP::client_addr] attempt with user agent :[HTTP::header User-Agent] successful"
            }
        }
    }
}

I have tried to set the useragent to lower and match the variables with the lower strings but it does not work.

I noticed if I remove the useragent string portion of it, the block works via the IP addresses. I'm not 100 percent sure why, but I'm doing something wrong.

I'm running 11.5.1

Any help would be appreciated

2 Replies

  • What do your logs look like? Especially on the requests that should be dropped but aren't being dropped?

     

  • Actually I had to block the MSRPC string as well. I enabled logging on my IP and saw it was utilizing more useragents, so I added those in. I'm still able to use OWA, but I'm restricting external access to Outlook client.

     

    Thanks for the idea for logging... I just enabled logging for all and just searched my IP and saw what I needed to add in.

     

    Thx!~
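
The log-driven tuning described in the replies, as an added example that is not part of the original thread: it parses messages in the format written by the iRule's `log` commands and lists the User-Agent values from one client that reached the `default` branch, then checks candidates against the rule's glob patterns. The syslog prefix, client addresses, sample agents and the `MSRPC*` candidate pattern are constructed for illustration; `fnmatchcase` stands in for `switch -glob`, which matches these patterns the same way.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Glob patterns copied from the iRule's switch -glob statement.
BLOCK_PATTERNS = [
    "Microsoft Outlook",
    "Microsoft Office",
    "Microsoft Office/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4701; Pro)",
    "Microsoft Office/15.0*",
]

# Message written by the iRule's default branch (request allowed through).
ALLOWED = re.compile(r"Client IP:(\S+) attempt with user agent :(.*) successful$")

# Constructed sample log lines; prefix, addresses and agents are illustrative.
PREFIX = "Mar 18 10:00:00 bigip tmm[1]: Rule /Common/example <HTTP_REQUEST>: "
SAMPLE_LOG = "\n".join(PREFIX + msg for msg in [
    "Client IP:203.0.113.7 has been blocked with user agent :Microsoft Office/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4701; Pro)",
    "Client IP:203.0.113.7 attempt with user agent :MSRPC successful",
    "Client IP:203.0.113.7 attempt with user agent :MSRPC successful",
    "Client IP:203.0.113.7 attempt with user agent :Mozilla/5.0 (sample browser) successful",
    "Client IP:198.51.100.9 attempt with user agent :Microsoft Office/14.0 (sample) successful",
])


def is_blocked(user_agent, patterns=BLOCK_PATTERNS):
    """True if a pattern matches the whole User-Agent, as switch -glob requires."""
    return any(fnmatchcase(user_agent, p) for p in patterns)


def passed_agents(log_text, client_ip):
    """Count User-Agent values from client_ip that reached the default branch."""
    seen = Counter()
    for line in log_text.splitlines():
        m = ALLOWED.search(line)
        if m and m.group(1) == client_ip:
            seen[m.group(2)] += 1
    return seen


if __name__ == "__main__":
    for agent, hits in passed_agents(SAMPLE_LOG, "203.0.113.7").most_common():
        print(f"{hits:3d}  {agent}")
    # A pattern without "*" only matches that exact string, so this still passes:
    print(is_blocked("Microsoft Office/14.0 (sample)"))
    # Candidate addition for the agent seen in the log:
    print(is_blocked("MSRPC", BLOCK_PATTERNS + ["MSRPC*"]))
```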