Forum Discussion
Dan_Rogers_1933
Nimbostratus
Apr 28, 2009
Ignore individual hosts in policies/classes
Hi all, I am trying to figure out the easiest way to ignore individual client IPs from being checked by the policy (or class). The only method I can think of is setting up a regex in the class that i...
Benjamin_9036
Apr 28, 2009
Historic F5 Account
Hey Dan,
None of the clients in the class filter criteria would allow you to examine the client IP address. You could, potentially, insert an X-Forwarded-For header and use the header field and evaluate this, but it doesn't strike me as a terribly grand idea.
The best solution is probably a hybrid of these rules. This, to filter based on client IP address:
http://devcentral.f5.com/wiki/default.aspx/iRules/AccessControlBasedOnIP.html
Then this to bypass ASM:
https://support.f5.com/kb/en-us/solutions/public/7000/600/sol7616.html
Naturally, you could also create an HTTP Class which simply has Application Security set to 'Disabled' and use the iRule to select that class for processing, as well, and not muck about in disabling ASM on the same class when it is selected. Something like this, perhaps:
    when CLIENT_ACCEPTED {
        # Flag the connection if the client IP is in the trustedAddresses class.
        if { [matchclass [IP::client_addr] equals $::trustedAddresses] } {
            set trustedHost 1
        } else {
            set trustedHost 0
        }
    }
    when HTTP_CLASS_SELECTED {
        if { $trustedHost eq 1 } {
            # Uncomment the line below to turn on logging.
            # log local0. "Valid client IP: [IP::client_addr] - Not using ASM"
            PLUGIN::disable ASM
        } else {
            # Uncomment the line below to turn on logging.
            # log local0. "Invalid client IP: [IP::client_addr] - Using ASM"
            PLUGIN::enable ASM
        }
    }
This, of course, relies on a class existing. You could use a simple one-to-one comparison if you wanted, but starting off with a class makes it easier to scale if you want to add more hosts later on.
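Every address that matches the trustedAddresses class skips ASM inspection entirely, so the class contents deserve a review before the iRule goes live. The following is an added example, not part of the reply above or of any F5 tooling: a small Python audit that mirrors the iRule's match decision and flags entries that exempt too much. The CIDR notation, the sample entries and the `MIN_PREFIX` threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample entries standing in for the trustedAddresses class
# (written as CIDR strings for this example; not taken from the thread).
TRUSTED_ADDRESSES = ["192.0.2.10/32", "198.51.100.0/28",
                     "10.0.0.0/8", "10.20.30.40/32"]

MIN_PREFIX = 24  # hypothetical policy: nothing wider than a /24 may skip ASM


def load_class(entries):
    """Parse entries into networks; a typo that leaves host bits set raises ValueError."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def bypasses_asm(client_ip, networks):
    """Mirror the iRule's decision: True means ASM would be disabled for this client."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def audit(networks, min_prefix=MIN_PREFIX):
    """Return (entry, reason) findings: over-broad entries first, then redundant ones."""
    findings = []
    for net in networks:
        if net.prefixlen < min_prefix:
            findings.append((str(net),
                             f"wider than /{min_prefix}: "
                             f"{net.num_addresses} addresses skip ASM"))
    for a in networks:
        for b in networks:
            # A narrow entry hidden inside a broad one gives a false sense of scope.
            if a is not b and a.version == b.version and a.subnet_of(b):
                findings.append((str(a), f"already covered by {b}"))
    return findings


if __name__ == "__main__":
    nets = load_class(TRUSTED_ADDRESSES)
    for entry, reason in audit(nets):
        print(f"REVIEW {entry}: {reason}")
    for ip in ("192.0.2.10", "192.0.2.11", "10.99.1.1"):
        print(ip, "-> ASM disabled" if bypasses_asm(ip, nets) else "-> ASM enabled")
```
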
