Sep 19, 2017

iRule that triggers a capture of the HTTP request before rejecting

I'm using the following iRule to block an attack coming from an IP that is behind a proxy; however, we can still see the original in the XFF header. So far this iRule is working, but I would like to trigger a capture to better build a policy in ASM to block. Is there a way to trigger a method to capture and log the full request when we get a match and send the 410?

Note: Credit to hoolio


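    when HTTP_REQUEST {
        # Only inspect requests that carry an X-Forwarded-For header
        if {[HTTP::header "X-Forwarded-For"] ne ""} {
            log local0. "XFF: [HTTP::header "X-Forwarded-For"]"
            # Strip spaces, then check each comma-separated XFF element
            foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
                log local0. "Current XFF element: $xff"
                # The address to compare against is missing from the post as published
                if {[IP::addr $xff equals]} {
                    log local0. "Sending 410 for $xff"
                    HTTP::respond 410
                    break ;# a second HTTP::respond in the same event raises an error
                }
            }
        }
    }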

  • Why not let the request go through to ASM, block it there where you can log all illegal requests, then intercept the blocking response and re-write it to a 410?


    You can log output from command:


    This command returns the whole request!
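
One way to log the matched request before the 410 is sent, as an added example that is not code from this thread: it uses `HTTP::request` for the raw headers and `HTTP::collect` / `HTTP::payload` for a bounded slice of the body. Assumptions: the address `203.0.113.10` is a constructed placeholder, `log_chunks`, the 900-character slice and the 4096-byte body cap are illustrative choices, and the TMOS version supports iRule `proc` / `call`.

```tcl
# Added example. bad_ip is a constructed placeholder (TEST-NET-3), not from the thread.
proc log_chunks {tag data} {
    # Escape CR/LF so client-supplied bytes cannot forge extra log lines,
    # then write in slices so a long request is not cut off in one message.
    set data [string map [list "\r" "\\r" "\n" "\\n"] $data]
    set len [string length $data]
    for {set i 0} {$i < $len} {incr i 900} {
        log local0. "$tag \[$i\]: [string range $data $i [expr {$i + 899}]]"
    }
}

when HTTP_REQUEST {
    set capture 0
    set bad_ip 203.0.113.10
    foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
        # XFF is client-controlled: catch keeps a malformed element from
        # raising a Tcl error and aborting the rule.
        if {![catch {IP::addr $xff equals $bad_ip} hit] && $hit} {
            set capture 1
            break
        }
    }
    if {!$capture} { return }

    # HTTP::request returns the raw request line and headers, not the body.
    call log_chunks "XFF-block [IP::client_addr] headers" [HTTP::request]

    # Body: collect at most 4096 bytes (cap is an assumption) and answer
    # from HTTP_REQUEST_DATA; with no usable Content-Length, answer now.
    if {[scan [HTTP::header "Content-Length"] %d clen] == 1 && $clen > 0} {
        HTTP::collect [expr {$clen > 4096 ? 4096 : $clen}]
    } else {
        HTTP::respond 410
    }
}

when HTTP_REQUEST_DATA {
    # Only act on a collect started by this rule for this request.
    if {[info exists capture] && $capture} {
        call log_chunks "XFF-block [IP::client_addr] body" [HTTP::payload]
        set capture 0
        HTTP::respond 410
    }
}
```

The logged headers and body can contain cookies, authorization headers and form data, so the log destination needs the same access controls as the application data itself.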