IP's allowed with Application security

Question

I am trying to find out the following information. I have BIG-IP 9.4.7 Build 320.1 Final. I have the Application Security Module on this configuration. Is it possible, to add a list of IP's that the F5 will allow through and block all other IP's? Thanks, Deni

santosh_81454 · Answer

You can do this an iRule on the LTM module using the "IP::client_addr" parameter.  
&nbsp;  
&nbsp; Please refer this article: https://devcentral.f5.com/wiki/irules.IP__client_addr.ashx 
&nbsp;  
&nbsp; -Santosh.

djkromarek · Answer

How much overhead will be created on the F5 if I need to create the iRule with 1000 IPs to allow and everything else to be blocked? Can something be done using geolocation instead?

santosh_81454 · Answer

You can create a Data group and use an external class file to list the IPs.  
&nbsp; So are you having 1000 unique IP's, can you try consolidating into networks using subnet masks ? &nbsp;&nbsp;
&nbsp; And for your next question, No, I dont think ASM or LTM can filter traffic based on geo location. But other product of F5 called the GTM has the capability to filter traffic based on geo location.
&nbsp; Hope this helps. &nbsp;
&nbsp; -Santosh.&nbsp;

bt_90520 · Answer

Something that you may be interested 
&nbsp;  
&nbsp; LTM and GTM  
&nbsp; - Geolocation iRules to do it (https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1082330/New-Geolocation-Capabilities-in-v101.aspx)  
&nbsp; ....more GTM (topology) http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13412.html 
&nbsp; ....more LTM (Packet filter) http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-datacenter-firewall-config-11-1-0/5.htmlunique_1529505549 
&nbsp;  
&nbsp; ASM (Enforcing application use in certain geolocations) 
&nbsp; - http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-1-0/5.htmlconceptid

djkromarek · Answer

Do you have a link to instructions on how to create a Data group and use an external class file to list the IPs? this sounds like our best bet on trying to get this configured. At this time, we cannot upgrade to the correct version in order to use the GTM.&nbsp;
&nbsp;Thanks!

Forum Discussion

IP's allowed with Application security

7 Replies

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

F5 Academies Are Back – And We’re Coming to a City Near You

Recent Discussions

Why does SSLO not support ACTIVE-ACTIVE mode deployments？

How to Integrate F5 Anti-Virus with Fortisandbox using ICAP

Adding a Second Subnet for Virtual Server IP's

Two Arm Deployment mode using PBR

APM URL Branching tolower

Related Content

Securing and Scaling Hybrid Application with F5 NGINX (Part 1)

Enhance your Application Security using Client-side signals

Mitigating OWASP Web Application Risk: Security Misconfiguration using F5 XC Platform

Using Distributed Application Security Policies in Secure Multicloud Networking Customer Edge Sites

Increase Security in AWS without Rearchitecting your Applications - Part 1: Tuesday

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS