Ignore individual hosts in policies/classes

Hey Dan,

None of the clients in the class filter criteria would allow you to examine the client IP address. You could, potentially, insert an X-Forwarded-For header and use the header field and evaluate this, but it doesn't strike me as a terribly grand idea.

The best solution is probably a hybrid of these rules. This, to filter based on client IP address:

http://devcentral.f5.com/wiki/default.aspx/iRules/AccessControlBasedOnIP.html

Then this to bypass ASM:

https://support.f5.com/kb/en-us/solutions/public/7000/600/sol7616.html

Naturally, you could also create an HTTP Class which simply has Application Security set to 'Disabled' and use the iRule to select that class for processing, as well, and not muck about in disabling ASM on the same class when it is selected. Something like this, perhaps:

  
 when CLIENT_ACCEPTED  { 
   if { [matchclass [IP::client_addr] equals $::trustedAddresses] }{ 
     set trustedHost 1 
   } else { 
 set trustedHost 0 
   } 
 } 
 when HTTP_CLASS_SELECTED { 
   if { $trustedHost eq 1 }{ 
     Uncomment the line below to turn on logging. 
 log local0.  "Valid client IP: [IP::client_addr] - Not using ASM" 
 PLUGIN::disable ASM 
   } else { 
 Uncomment the line below to turn on logging. 
 log local0. "Invalid client IP: [IP::client_addr] - Using ASM" 
 PLUGIN::enable ASM 
   } 
 } 
 

This, of course, relies on a class existing. You could use a simple one-to-one comparison if you wanted, but starting off with a class makes it easier to scale if you want to add more hosts later on.