For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ryan_Rowe_79249's avatar
Ryan_Rowe_79249
Icon for Nimbostratus rankNimbostratus
Dec 23, 2009

Ip Restrict then client cert check

BigIP 8.3.3 and 8.4.1 (hopefully there is no difference) So here is what I want to do. If an IP is in a datagroup then passthrough but if not then authenticate with an SSL cert. I t...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Dec 29, 2009
Can you remove the HTTP_REQUEST event and retest? Also, you only need one set of square braces around matchclass. It shouldn't matter which client SSL profile you specify in the VIP config as the iRule will set it based on the client IP address check. 

 
 when CLIENT_ACCEPTED {  
    if { [matchclass [IP::client_addr] equals $::Test_IPs]} {  
      SSL::profile NoBrowserCert  
    } else {  
      SSL::profile BrowserCert  
    }  
  }

If this doesn't work, can you clarify what happens when testing from a client in the Test_IPs class and one not in the class?

Thanks,

Aaron