
MaxMedov
Jan 09, 2023
Solved

iRule to accept client then SSL cert validation

Hi everyone 🙂 Please advise the best way to combine an iRule with doing this: 1. Accept only client coming from 1 specific IP then: 2. For the rest (who are not this specific IP), I want to chec...
  • Hooni_L
    Jan 13, 2023

    MaxMedov
    I think you can use TCP::collect.

    Refer to this iRule, which starts the TCP collect:

    when CLIENT_ACCEPTED {
        # DEBUG On/Off : 1/0
        set DEBUG 0
    
        # disable client/serverside ssl profile by default
        SSL::disable clientside
        #SSL::disable serverside
    
    
        if { $DEBUG || [class match -name -- [IP::client_addr] equals debug_ip] ne "" } {
            # log local0. "flow is - [IP::remote_addr] -> [IP::local_addr]"
        }
    
        # run TCP collect to check SNI for bypass before intercept SSL traffic
        # log local0. "run client collect command"
        TCP::collect
        set monitor_id [ after 500 {
            TCP::release
        } ]
    }

    And you can check the SNI, CN, etc. in "when CLIENT_DATA".
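
The SNI check suggested in the reply above, sketched as a CLIENT_DATA handler that pairs with the posted CLIENT_ACCEPTED event. This is an added example, not code from the thread or from F5; the data group name `sni_bypass_list` is hypothetical, and the handler assumes the ClientHello fits in the first TLS record.

```tcl
# Added example, not from the thread. sni_bypass_list is a hypothetical data group.
when CLIENT_DATA {
    set payload [TCP::payload]
    set plen [TCP::payload length]
    set sni ""
    # TLS record header: type(1) version(2) length(2). Keep collecting until
    # the whole first record is buffered (the 500 ms timer is still armed).
    if { $plen < 5 } { TCP::collect ; return }
    binary scan $payload cSS rtype rver rlen
    set end [expr {5 + ($rlen & 0xffff)}]
    if { ($rtype & 0xff) == 22 && $plen < $end } { TCP::collect ; return }
    if { [info exists monitor_id] } { after cancel $monitor_id }

    # Record type 22 = handshake, handshake type 1 = ClientHello
    if { ($rtype & 0xff) == 22 && [binary scan $payload @5c htype] == 1 && $htype == 1 } {
        # 43 = record hdr(5) + handshake hdr(4) + version(2) + random(32); then
        # skip session_id (1-byte len), cipher_suites (2), compression_methods (1)
        set off 43
        foreach fmt {c S c} width {1 2 1} mask {0xff 0xffff 0xff} {
            if { [binary scan $payload @${off}${fmt} n] != 1 } { set off $end ; break }
            set off [expr {$off + $width + ($n & $mask)}]
        }
        if { [binary scan $payload @${off}S extlen] == 1 } {
            set off [expr {$off + 2}]
            set stop [expr {$off + ($extlen & 0xffff)}]
            if { $stop > $end } { set stop $end }
            # Walk the extensions: type(2) length(2) body
            while { $off + 4 <= $stop } {
                binary scan $payload @${off}SS etype elen
                set elen [expr {$elen & 0xffff}]
                if { $etype == 0 } {
                    # server_name body: list_len(2) name_type(1) name_len(2) host_name
                    if { [binary scan $payload @[expr {$off + 6}]cS ntype nlen] == 2 && $ntype == 0 } {
                        set nlen [expr {$nlen & 0xffff}]
                        if { $nlen <= $elen - 5 } { binary scan $payload @[expr {$off + 9}]a${nlen} sni }
                    }
                    break
                }
                set off [expr {$off + 4 + $elen}]
            }
        }
    }

    # Skip decryption only on an explicit SNI match; everything else, including
    # a missing or unparseable SNI, gets the client SSL profile.
    if { $sni eq "" || ![class match -- [string tolower $sni] equals sni_bypass_list] } {
        SSL::enable clientside
    }
    TCP::release
}
```

SNI is an unauthenticated, client-supplied value, so a match here only selects the bypass path and says nothing about who the client is. If the 500 ms timer from CLIENT_ACCEPTED fires first, the flow is released with client SSL still disabled, so that path deserves its own policy decision.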