Forum Discussion
iRule to reference data group for whitelisting IP
- Dec 03, 2020
You can log the unblocked requests from within the local traffic policy. (I had log statements in both my rules, but removed them for the answer above.) There is a log action that can be added on the disable ASM rule. For example:
ltm policy disable_asm_for_select_IPs {
    controls { asm }
    last-modified 2020-12-03:15:50:12
    requires { http tcp }
    rules {
        disable_asm_for_select_IPs {
            actions {
                0 {
                    asm
                    disable
                }
                1 {
                    log
                    write
                    facility local0
                    message "tcl:ASM disabled for allowed IP [IP::client_addr]"
                    priority info
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    matches
                    datagroup no_ASM_IPs
                }
            }
        }
        enable_asm_for_all_traffic {
            actions {
                0 {
                    asm
                    enable
                    policy /Common/lab_8_manual
                }
            }
            ordinal 1
        }
    }
    status published
    strategy first-match
}
The HTTP_CLASS_SELECTED event has been deprecated. Instead, you can use a local traffic policy to selectively enable and disable ASM, as Samir showed, using an IP address data group to make the comparisons. For example:
ltm policy disable_asm_for_select_IPs {
    controls { asm }
    last-modified 2020-12-03:10:38:38
    requires { http tcp }
    rules {
        disable_asm_for_select_IPs {
            actions {
                0 {
                    asm
                    disable
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    matches
                    datagroup no_ASM_IPs
                }
            }
        }
        enable_asm_for_all_traffic {
            actions {
                0 {
                    asm
                    enable
                    policy /Common/lab_8_manual
                }
            }
            ordinal 1
        }
    }
    status published
    strategy first-match
}
It's important that the catch-all rule, enable_asm_for_all_traffic, be the second rule in the policy, and disable_asm_for_select_IPs be first. You would assign the local traffic policy to the appropriate virtual server, replacing the default one applied when you enable an application security policy on the virtual server.
Here is what my internal datagroup looks like (you can use an external data group just as easily):
ltm data-group internal no_ASM_IPs {
    records {
        10.10.10.30/32 { }
    }
    type ip
}
I tested this on BIG-IP ASM v15.1.0.
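The following Python is an added illustration, not part of the answer above and not F5 code. It models how the local traffic policy in the answer evaluates: it parses the records of the type ip data group, applies the "tcp address matches datagroup" condition with CIDR containment, and walks the rules in ordinal order with first-match semantics. It also reproduces the ordering failure the answer warns about: with the catch-all rule first, the allowlisted address never reaches the disable rule and ASM is silently applied to it. The second data-group record (192.0.2.0/24) and the probe addresses are constructed for the example.

```python
"""Model of the LTM policy above: ip data-group matching plus first-match rule order.

Added illustration, not F5 code: it reproduces the evaluation semantics so the
allowlist can be checked offline before the policy is published.
"""
import ipaddress

# Constructed copy of the data group from the post, with one extra /24 record
# (192.0.2.0/24, an assumption) to show CIDR containment rather than exact host match.
DATA_GROUP_NO_ASM_IPS = """\
ltm data-group internal no_ASM_IPs {
    records {
        10.10.10.30/32 { }
        192.0.2.0/24 { }
    }
    type ip
}
"""

ASM_POLICY = "/Common/lab_8_manual"


def parse_ip_datagroup(text):
    """Return the networks listed under 'records' of a tmsh 'type ip' data group.

    A record without a prefix length is a single host (/32 or /128).
    """
    nets = []
    in_records = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("records {"):
            in_records = True
            continue
        if not in_records:
            continue
        if line == "}":
            break  # end of the records block
        nets.append(ipaddress.ip_network(line.split()[0], strict=False))
    return nets


def address_matches_datagroup(client_addr, nets):
    """Condition 'tcp address matches datagroup': true if any record contains the address."""
    addr = ipaddress.ip_address(client_addr)
    # A v6 address is never contained in a v4 network (and vice versa).
    return any(addr in net for net in nets)


def build_rules(nets, order=("disable_asm_for_select_IPs", "enable_asm_for_all_traffic")):
    """Rules as (name, condition, action) tuples in the ordinal order given."""
    rules = {
        "disable_asm_for_select_IPs": (
            lambda a: address_matches_datagroup(a, nets),
            ("asm", "disable"),
        ),
        # No conditions block in tmsh means the rule matches every request.
        "enable_asm_for_all_traffic": (
            lambda a: True,
            ("asm", "enable", ASM_POLICY),
        ),
    }
    return [(name,) + rules[name] for name in order]


def evaluate_first_match(rules, client_addr):
    """strategy first-match: the first rule whose conditions hold wins; later rules never run."""
    for name, condition, action in rules:
        if condition(client_addr):
            return name, action
    return None, None  # unreachable while a condition-less catch-all is present


def bypassing_addresses(rules, candidates):
    """Which of the candidate client addresses would be served with ASM disabled."""
    return [a for a in candidates if evaluate_first_match(rules, a)[1] == ("asm", "disable")]


if __name__ == "__main__":
    nets = parse_ip_datagroup(DATA_GROUP_NO_ASM_IPS)
    probes = ["10.10.10.30", "10.10.10.31", "192.0.2.77", "2001:db8::1"]  # constructed
    good = build_rules(nets)
    print("correct order, ASM bypassed for:", bypassing_addresses(good, probes))
    # Swap the ordinals: the catch-all now matches first and the allowlist is dead.
    bad = build_rules(nets, order=("enable_asm_for_all_traffic", "disable_asm_for_select_IPs"))
    print("catch-all first, ASM bypassed for:", bypassing_addresses(bad, probes))
```

Run it after editing the data group to see exactly which client addresses will skip the security policy; an empty list for the intended allowlist means the rule ordinals are wrong or a record does not cover the address you expected.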