Irule for restricting selected ips for NOT USING TLSV1 and 1.1
Hello All, I have a requirement to use an iRule in F5 to enable TLS v1.0 and 1.1 only for selected IP addresses or IP ranges, and to enable only TLS 1.2 for all remaining clients. I have tried the iRule below by creating a data group list with the name "TLSV1.0_1.1_Disable" and two SSL profiles, one with TLS 1.0/1.1 disabled and one with it enabled, but I see the error below. Can someone please suggest an iRule or procedure to follow for this requirement?
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] eq $TLSV1.0_1.1_Disable ]} {
        SSL::profile SSLprofile1           ;# ---------------> TLSv0and1 enabled
    } else {
        SSL::profile SSLprofile2_Disable   ;# -------------> TLSv0and1 enabled.
    }
}
The error I am seeing is below, where Kaladhar_test is the name of the iRule:
01070151:3: Rule [/Common/Kaladhar_test] error: /Common/Kaladhar_test:2: error: [Invalid IP address][TLSV1.0_1.1_Disable]
- AceDawg1 (Nimbostratus)
Looks like the syntax may be slightly off. Try this:
{ if { [matchclass [IP::client_addr] contains TLSV1.0_1.1_Disable ]}
Check the following solution article for examples on referencing data groups in IRules:
- vvskaladhar_488 (Nimbostratus)
Thank you so much for the help on this. I am able to add the iRule as below and am waiting for confirmation from the client that they are ready for testing. Below is the iRule, tagged to the VIP kaladhar.abc.com.
when CLIENT_ACCEPTED {
    if { [matchclass [IP::client_addr] contains TLSV1.0_1.1_Disable ]} {
        SSL::profile kaladhar.abc.com_TLS_Disable
    } else {
        SSL::profile kaladhar.abc.com
    }
}
- kcrawford4597_1 (Historic F5 Account)
matchclass ...
Note: matchclass has been deprecated in v10 in favor of the new commands. The class command offers better functionality and performance than matchclass.
Inserting the appropriate class command into this iRule would look something like this:
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals TLSV1.0_1.1_Enable ]} {
        SSL::profile example_profile_enable_weak_TLS
    } else {
        SSL::profile example_profile_disable_weak_TLS
    }
}
- vvskaladhar_488 (Nimbostratus)
Thank you so much, this worked.
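As an added example (not code posted in this thread), the following puts the class-match approach together with the tmsh definition of the address data group and a handshake log line, so an operator can confirm that only the listed clients actually negotiate TLS 1.0/1.1 and everyone else lands on TLS 1.2. The data group name, profile names and addresses are assumptions chosen for illustration.

```tcl
# Address-type data group holding the clients that still need TLS 1.0/1.1.
# Created with tmsh before the iRule is attached (constructed example values):
#   tmsh create ltm data-group internal legacy_tls_clients type ip \
#       records add { 192.0.2.10 { } 198.51.100.0/24 { } }
#
# Assumed client-SSL profiles (hypothetical names):
#   clientssl_legacy - TLS 1.0 and 1.1 still permitted for the listed exceptions
#   clientssl_strict - "No TLSv1" and "No TLSv1.1" set, so only TLS 1.2 is offered
#
# SSL::profile can only switch between profiles when the virtual server already
# has a client-SSL profile attached, and it must be called before the handshake,
# which is why the selection happens in CLIENT_ACCEPTED.

when CLIENT_ACCEPTED {
    # "equals" on an address data group matches both single hosts and subnets,
    # so 198.51.100.23 above would match the /24 record.
    if { [class match [IP::client_addr] equals legacy_tls_clients] } {
        SSL::profile clientssl_legacy
        set tls_policy "legacy"
    } else {
        SSL::profile clientssl_strict
        set tls_policy "strict"
    }
}

when CLIENTSSL_HANDSHAKE {
    # Log the policy that was applied and the protocol version that was really
    # negotiated; a "strict" line with tls=TLSv1 would indicate a misconfigured
    # profile, and "legacy" lines show which exception clients are still in use.
    log local0.info "client=[IP::client_addr] policy=$tls_policy tls=[SSL::cipher version] cipher=[SSL::cipher name]"
}
```

Once the exception list is empty in the logs, the legacy profile and the data group can be retired and the strict profile left as the only one on the virtual server.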