Forum Discussion
IRULE to terminate connection after certificate verification
To minimize CCU usage, with the desired outcome being to terminate the connection after certificate verification, we can use the SSL::handshake event.
The idea behind the iRule is to terminate the connection once the SSL handshake is completed. The logic is as follows:
when SSL::handshake is complete { for a given IP address (here you would check the incoming IP address against a pre-determined (known) address, for example ip.addr == 10.125.0.3), reject if the IP address matches; the iRule would then terminate the connection. }
This way we would immediately release the connection and would not have to wait for 900 seconds. More importantly, it would not affect your Access policy.
Could you please provide a sample iRule for this?
1 Reply
- R_Marc
Nimbostratus
drop should do what you need. I, personally, would do a class match against a data-group for this, since a data-group is a structured list, so there is less risk in adding/removing entries than in updating the iRule itself.
Not sure why you'd wait until after the SSL handshake though; if you know the IP is bad, just drop it at CLIENT_ACCEPTED, though you can do it in most other events, I believe. That being said, this is probably better handled at a firewall.
# Data-group holding the addresses to drop (tmsh configuration object)
ltm data-group internal drop-list {
    records {
        10.125.0.3/32 { }
    }
    type ip
}

# iRule: look the client address up in the data-group as soon as the TCP
# connection is accepted and silently drop it on a match
ltm rule drop-list-rule {
    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals drop-list] } {
            drop
        }
    }
}
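For comparison, here is the variant the original question actually asked for, which only acts once the client-side TLS handshake has finished. This is an added example and not code from the thread or from F5; it assumes the same `drop-list` data-group (type ip) defined above, and uses the standard iRule event `CLIENTSSL_HANDSHAKE` (fires after the client-side SSL/TLS handshake completes) and the `reject` command (sends a TCP RST rather than silently dropping). The log line is a constructed message for /var/log/ltm so the decision is visible to operators.

```tcl
# Added example: reject a listed client only after the TLS handshake completes.
# Assumes the data-group "drop-list" from the reply above exists on the BIG-IP.
when CLIENTSSL_HANDSHAKE {
    # class match returns 1 when the client address falls within any record
    # (host or subnet) of the ip-type data-group
    if { [class match [IP::client_addr] equals drop-list] } {
        # Record the action before tearing the connection down so the
        # reject is attributable in the LTM log.
        log local0. "drop-list match: rejecting [IP::client_addr]:[TCP::client_port] after TLS handshake"
        # reject sends a RST to the client; drop would discard silently instead
        reject
    }
}
```

Note the trade-off: by the time `CLIENTSSL_HANDSHAKE` fires, the BIG-IP has already spent the CPU on the handshake, whereas the `CLIENT_ACCEPTED` version in the reply refuses the connection before any TLS work is done. The handshake variant only makes sense when the decision must wait for something the handshake establishes, which is the access-policy concern raised in the question.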