For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

djkromarek's avatar
djkromarek
Icon for Nimbostratus rankNimbostratus
May 18, 2012

IP's allowed with Application security

I am trying to find out the following information. I have BIG-IP 9.4.7 Build 320.1 Final. I have the Application Security Module on this configuration. Is it possible, to add a list of IP's that the F5 will allow through and block all other IP's? Thanks, Deni
app sec
BIG-IP Access Policy Manager (APM)
security

7 Replies

  • santosh_81454's avatar
    santosh_81454
    Icon for Nimbostratus rankNimbostratus
    May 22, 2012
    You can do this an iRule on the LTM module using the "IP::client_addr" parameter.

     

     

    Please refer this article: https://devcentral.f5.com/wiki/irules.IP__client_addr.ashx

     

     

    -Santosh.
  • djkromarek's avatar
    djkromarek
    Icon for Nimbostratus rankNimbostratus
    May 22, 2012
    How much overhead will be created on the F5 if I need to create the iRule with 1000 IPs to allow and everything else to be blocked? Can something be done using geolocation instead?
  • santosh_81454's avatar
    santosh_81454
    Icon for Nimbostratus rankNimbostratus
    May 23, 2012
    You can create a Data group and use an external class file to list the IPs.

     

    So are you having 1000 unique IP's, can you try consolidating into networks using subnet masks ?

     

     

     

    And for your next question, No, I dont think ASM or LTM can filter traffic based on geo location. But other product of F5 called the GTM has the capability to filter traffic based on geo location.

     

    Hope this helps.

     

     

    -Santosh.

     

  • BT_90520's avatar
    BT_90520
    Icon for Nimbostratus rankNimbostratus
    May 24, 2012
    Something that you may be interested

     

     

    LTM and GTM

     

    - Geolocation iRules to do it (https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1082330/New-Geolocation-Capabilities-in-v101.aspx)

     

    ....more GTM (topology) http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13412.html

     

    ....more LTM (Packet filter) http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-datacenter-firewall-config-11-1-0/5.htmlunique_1529505549

     

     

    ASM (Enforcing application use in certain geolocations)

     

    - http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-1-0/5.htmlconceptid
  • djkromarek's avatar
    djkromarek
    Icon for Nimbostratus rankNimbostratus
    May 24, 2012
    Do you have a link to instructions on how to create a Data group and use an external class file to list the IPs? this sounds like our best bet on trying to get this configured. At this time, we cannot upgrade to the correct version in order to use the GTM.

     

     

    Thanks!
  • djkromarek's avatar
    djkromarek
    Icon for Nimbostratus rankNimbostratus
    May 24, 2012
    Thank you for the articles, they were very informative. The Geolocation may not be our best bet at this time since we are on version 9.4, however we do plan on upgrading this year and these articles will be very useful then. I appreciate your response.
  • santosh_81454's avatar
    santosh_81454
    Icon for Nimbostratus rankNimbostratus
    May 24, 2012
    This article discusses about Data Groups:

     

     

    http://support.f5.com/kb/en-us/solutions/public/3000/300/sol3386.html?sr=21443170