For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

John_T__Morgan_'s avatar
John_T__Morgan_
Icon for Nimbostratus rankNimbostratus
Oct 27, 2017

IRule to disallow access to a resource based on IP address

Hi All,   We have hundreds of laptops distributed with the f5 Edge client installed. Unfortunately, we can not find a way to lock down the options to "Disconnect, Auto-Connect, and Connect". No ...
application delivery
BIG-IP Access Policy Manager (APM)
LTM
crodriguez's avatar
crodriguez
Ret. Employee
Oct 27, 2017

Is it just one subnet that you want to block access from? If so, a datagroup is unnecessary. Usually data groups are used when you have more than about a dozen comparisons to make, otherwise an IF or SWITCH statement is usually sufficient. If using datagroups, you are better off using the CLASS command rather than MATCHCLASS which is deprecated (although still allowed to support older iRules).

If just checking against one subnet, you could the IP::addr command to test the client's IP address against the "bad" subnet:

if { [IP::addr [IP::client_addr] equals "10.10.0.0/16"] } {
    
}