Forum Discussion
WAF_Monkey
Dec 02, 2020 Altostratus
iRule to reference data group for whitelisting IP
This has got to be simple but I can't figure it out!! :-( Can anyone help me to write an iRule that will reference a data group list of IP addresses I want to whitelist on ASM? I don't want to de...
- Dec 03, 2020
You can log the unblocked requests from within the local traffic policy. (I had log statements in both my rules, but removed them for the answer above.) There is a log action that can be added on the disable ASM rule. For example:
ltm policy disable_asm_for_select_IPs {
    controls { asm }
    last-modified 2020-12-03:15:50:12
    requires { http tcp }
    rules {
        disable_asm_for_select_IPs {
            actions {
                0 {
                    asm
                    disable
                }
                1 {
                    log
                    write
                    facility local0
                    message "tcl:ASM disabled for allowed IP [IP::client_addr]"
                    priority info
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    matches
                    datagroup no_ASM_IPs
                }
            }
        }
        enable_asm_for_all_traffic {
            actions {
                0 {
                    asm
                    enable
                    policy /Common/lab_8_manual
                }
            }
            ordinal 1
        }
    }
    status published
    strategy first-match
}
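One way to review what the log action above records, as an added example that is not part of the original thread: it counts the bypass messages per client and flags any client that is not on an approved list, which surfaces data group entries nobody signed off on. Only the message text comes from the policy; the syslog prefix, the sample lines, the approved list and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Message text is taken from the policy's log action; whatever precedes it on
# the syslog line is ignored, so the exact prefix format does not matter.
BYPASS_RE = re.compile(r"ASM disabled for allowed IP (\S+)")

# Constructed sample lines (prefix format is an assumption).
SAMPLE_LOG = [
    "Dec  3 15:51:02 bigip1 info tmm[11223]: ASM disabled for allowed IP 10.1.10.20",
    "Dec  3 15:51:07 bigip1 info tmm[11223]: ASM disabled for allowed IP 10.1.10.20",
    "Dec  3 15:52:40 bigip1 info tmm[11223]: ASM disabled for allowed IP 192.0.2.77%1",
    "Dec  3 15:53:12 bigip1 info tmm[11223]: unrelated policy message",
]
# Constructed list of hosts/networks approved to bypass ASM.
APPROVED = ["10.1.10.0/24", "198.51.100.5"]


def audit_bypass_log(lines, approved):
    """Return (hits per client, sorted clients that bypassed ASM but are not approved)."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in approved]
    counts, unexpected = Counter(), set()
    for line in lines:
        match = BYPASS_RE.search(line)
        if not match:
            continue
        # IP::client_addr can carry a route domain suffix such as %1; drop it.
        raw = match.group(1).split("%", 1)[0]
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            # Unparseable value: report it instead of silently skipping it.
            counts[raw] += 1
            unexpected.add(raw)
            continue
        counts[str(addr)] += 1
        if not any(addr.version == net.version and addr in net for net in nets):
            unexpected.add(str(addr))
    return counts, sorted(unexpected)


if __name__ == "__main__":
    hits, flagged = audit_bypass_log(SAMPLE_LOG, APPROVED)
    for client, n in hits.most_common():
        print(f"{client}: {n} request(s) with ASM disabled")
    print("not on approved list:", flagged)
```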
Samir
Dec 03, 2020 MVP
You can try something like this... Not tested yet. Please test on a non-prod device.
when CLIENT_ACCEPTED {
    if {[matchclass [IP::client_addr] equals bypass_asm_class]} {
        set disable_asm 1
        #log local0. "[IP::client_addr]:[TCP::client_port]: Client matched bypass_asm_class datagroup."
    } else {
        set disable_asm 0
        #log local0. "[IP::client_addr]:[TCP::client_port]: Client did not match bypass_asm_class datagroup."
    }
}
when HTTP_CLASS_SELECTED {
    if {[HTTP::class asm] == 1} {
        if {$disable_asm == 1} {
            log local0. "[IP::client_addr]:[TCP::client_port]: Disabling ASM for this request."
            ASM::disable
        } else {
            log local0. "[IP::client_addr]:[TCP::client_port]: Not disabling ASM for this request."
            ASM::enable
        }
    }
}
Set the log according to requirements and later disable it.