Forum Discussion

vvskaladhar_488's avatar
vvskaladhar_488
Icon for Nimbostratus rankNimbostratus
Jun 22, 2018

Irule for restricting selected ips for NOT USING TLSV1 and 1.1

Hello All, I have requirement of use an iRules in F5 to enable TLS V1.0 and 1.1 only for Selected IP addresses or IP ranges. and enable only TLS 1.2 for all remaining . I have tried the irule below...
application delivery
iRules
security
  • kcrawford4597_1's avatar
    kcrawford4597_1
    Jun 27, 2018

    matchclass ...

    Note: matchclass has been deprecated in v10 in favor of the new commands. The class command offers better functionality and performance than matchclass.

    Inserting the appropriate class command into this iRule would look something like this:

    when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals TLSV1.0_1.1_Enable ]} {
        SSL::profile example_profile_enable_weak_TLS
    } else {
        SSL::profile example_profile_disable_weak_TLS
    }
}
AceDawg1's avatar
AceDawg1
Icon for Nimbostratus rankNimbostratus
Jun 22, 2018

Looks like the syntax may be slightly off. Try this:

{ if { [matchclass [IP::client_addr] contains TLSV1.0_1.1_Disable ]}

Check the following solution article for examples on referencing data groups in IRules:

https://support.f5.com/csp/article/K3386

  • vvskaladhar_488's avatar
    vvskaladhar_488
    Icon for Nimbostratus rankNimbostratus
    Jun 22, 2018

    Thanks you so much for the help on this. i am able to add the irule as below and waiting for the confirmation form the client to say ready for testing. below is the irule by taging to the vip kaladhar.abc.com.

    when CLIENT_ACCEPTED {

    if { [matchclass [IP::client_addr] contains TLSV1.0_1.1_Disable ]} {

    SSL::profile kaladhar.abc.com_TLS_Disable

    } else {

    SSL::profile kaladhar.abc.com

    }

    }