Ignore individual hosts in policies/classes
Dan_Rogers_1933 (Nimbostratus), Apr 28, 2009
Hi all, I am trying to figure out the easiest way to ignore individual client IPs from being checked by the policy (or class). The only method I can think of is setting up a regex in the class that includes all except one client IP address, however, that would be a complex (and slow) regex. Is there an easier way to do this?
4 Replies
- Benjamin_9036 (Historic F5 Account)
Hey Dan,
None of the clients in the class filter criteria would allow you to examine the client IP address. You could, potentially, insert an X-Forwarded-For header and use the header field and evaluate this, but it doesn't strike me as a terribly grand idea.
The best solution is probably a hybrid of these rules. This, to filter based on client IP address:
http://devcentral.f5.com/wiki/default.aspx/iRules/AccessControlBasedOnIP.html
Then this to bypass ASM:
https://support.f5.com/kb/en-us/solutions/public/7000/600/sol7616.html
Naturally, you could also create an HTTP Class which simply has Application Security set to 'Disabled' and use the iRule to select that class for processing, as well, and not muck about in disabling ASM on the same class when it is selected. Something like this, perhaps:

```tcl
when CLIENT_ACCEPTED {
    # Look the client address up in the trustedAddresses data group (class)
    if { [matchclass [IP::client_addr] equals $::trustedAddresses] } {
        set trustedHost 1
    } else {
        set trustedHost 0
    }
}
when HTTP_CLASS_SELECTED {
    if { $trustedHost eq 1 } {
        # Uncomment the line below to turn on logging.
        #log local0. "Valid client IP: [IP::client_addr] - Not using ASM"
        PLUGIN::disable ASM
    } else {
        # Uncomment the line below to turn on logging.
        #log local0. "Invalid client IP: [IP::client_addr] - Using ASM"
        PLUGIN::enable ASM
    }
}
```

This, of course, relies on a class existing. You could use a simple one-to-one comparison if you wanted, but starting off with a class makes it easier to scale if you want to add more hosts later on.
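An added example, not code from the thread or from F5: it models the trusted-host decision in the iRule above offline in Python, assuming the trusted hosts live in an address data group exported as 'host' / 'network' records (a constructed sample is embedded), and adds the check a practitioner would want before shipping a WAF bypass, flagging trusted entries wide enough to disable ASM for far more clients than intended.

```python
"""Offline model of 'trusted client IP skips ASM' plus a sanity check
on the trusted-address list. Assumption: data group records look like
'host A.B.C.D' or 'network A.B.C.D/NN' (F5 address data group style)."""
import ipaddress
import logging
from typing import List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample data group (documentation ranges, not real hosts).
TRUSTED_ADDRESSES = """
host 192.0.2.10
network 198.51.100.0/24
host 203.0.113.7
"""

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("asm-bypass")


def parse_data_group(text: str) -> List[Net]:
    """Turn 'host'/'network' records into network objects (hosts -> /32 or /128)."""
    nets: List[Net] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, value = line.split(maxsplit=1)
        if kind not in ("host", "network"):
            raise ValueError(f"unrecognised record: {line!r}")
        nets.append(ipaddress.ip_network(value, strict=True))
    return nets


def overly_broad(nets: List[Net], max_hosts: int = 256) -> List[Net]:
    """Entries larger than max_hosts: a stray /8 or /0 here quietly turns
    'skip ASM for a few trusted hosts' into 'ASM disabled for everyone'."""
    return [n for n in nets if n.num_addresses > max_hosts]


def asm_enabled_for(client_ip: str, nets: List[Net]) -> bool:
    """Mirror of the iRule: trusted -> PLUGIN::disable ASM, else enable."""
    addr = ipaddress.ip_address(client_ip)
    trusted = any(addr in n for n in nets)
    log.info("%s client IP: %s - %s ASM", "Valid" if trusted else "Invalid",
             client_ip, "Not using" if trusted else "Using")
    return not trusted


if __name__ == "__main__":
    nets = parse_data_group(TRUSTED_ADDRESSES)
    for entry in overly_broad(nets):
        log.warning("trusted entry %s is wider than expected", entry)
    for ip in ("192.0.2.10", "198.51.100.77", "203.0.113.8"):
        asm_enabled_for(ip, nets)
```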
- Dan_Rogers_1933 (Nimbostratus)
How silly do I feel. We do a very similar thing in some of our LTM iRules. Ben, thank you for pointing me in the right direction. I never searched for HTTP CLASS directly.
I actually found a simpler method to accomplish what I am looking for. In ASM V10 (not sure about V9 since we upgraded before deploying them in our test lab), you can add trusted hosts. From the looks of it, it will ignore the hosts I want to ignore. I just started playing around with ASM last Friday and I am still getting used to GUI/options available.
Thanks again Ben.
- Benjamin_9036 (Historic F5 Account)
Hey Dan,
Glad to help. =] I think you're talking about the Trusted Hosts setting for the policy builder. This doesn't accomplish exactly what it sounded like you were looking for - it will affect how the policy is configured for all users, not just those hosts. Be sure to have a gander over here to be sure that it does what you expect it to before going in with both feet:
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_config_10/asm_policy_builder.html1033790
Cheers!
- hoolio (Cirrostratus)
There is an existing request to add a filter to the HTTP class for the client IP address or network. It's a fairly common request but for some reason it hasn't been implemented. You could open a case with F5 support and ask them to attach your case to the request for enhancement.
Aaron