Forum Discussion
Ryan_Rowe_79249
Nimbostratus
Dec 23, 2009
IP Restrict then client cert check
BigIP 8.3.3 and 8.4.1 (hopefully there is no difference)
So here is what I want to do. If an IP is in a datagroup then pass through, but if not then authenticate with an SSL cert.
I t...
hoolio
Cirrostratus
Dec 29, 2009
Setting the client cert mode to request is only useful if the iRule or the web application validates the client cert. If you want LTM to do this using the client SSL profile it must be set to require. If you have a case open with F5 Support, you could ask them to help you capture a tcpdump and use ssldump to troubleshoot the failure. You might also be able to get some relevant info from the /var/log/ltm log file (somewhat doubtful on this though).
If that turns into a dead end, you could use a more complicated iRule which dynamically requests and validates a client cert based on the client IP address.
Aaron
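The dynamic approach described in the reply above could look like the following iRule. This is an added example, not code from the thread or from F5; the data group name `trusted_clients_dg` is hypothetical, and it assumes the client SSL profile has client certificate mode set to ignore with a trusted CA bundle configured.

```tcl
# Added example (not from the thread). Assumptions: an address-type data group
# named trusted_clients_dg exists, and the client SSL profile does not request
# a client cert by default but has a trusted CA bundle configured.

when CLIENT_ACCEPTED {
    # Decide once per connection whether this client must present a cert.
    # "class match" is the v10+ syntax; on v9 the equivalent is:
    #   matchclass [IP::client_addr] equals $::trusted_clients_dg
    if { [class match [IP::client_addr] equals trusted_clients_dg] } {
        set need_cert 0
    } else {
        set need_cert 1
    }
}

when HTTP_REQUEST {
    # Only clients outside the data group that have not yet presented
    # a cert on this connection are forced through renegotiation.
    if { $need_cert && [SSL::cert count] == 0 } {
        # Hold the request so nothing reaches the pool before validation.
        HTTP::collect
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        SSL::renegotiate
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires once the client has answered the certificate request.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        # Chain validated against the profile's trusted CAs: let the
        # held request continue to the pool.
        HTTP::release
    } else {
        # Fail closed and record why validation failed.
        log local0. "Client cert rejected for [IP::client_addr]: [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
    }
}
```

Renegotiation is not available in TLS 1.3, so this pattern only applies to connections negotiated with TLS 1.2 or earlier.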
