Forum Discussion
iRule when TLS below 1.2 match datagroup
Hello All,
I'm looking for some assistance on an iRule. Looking to have VS listen on SSLv3 - TLS1.2 (Client Profile).
If client connection is eq TLS1.2 pass to back end pool.
If < TLS1.2 then it must match a datagroup, if client IP is in datagroup, pass to pool.
All else, not in datagroup connection closed.
Long and short of it is my VS will listen on all, only TLS1.2 is allowed from ANY. Only SSLv3-TLS1.1 is allowed from datagroup, all else are closed.
Is this even possible?
- Jad_Tabbara__J1
Cirrostratus
Hi Marin,
Please find hereafter an example of the iRule that you can use to do that.
To use this iRule you need to create two data groups:
- First one is string type called "dg_allowed_ciphers" with following records "SSLv3", "TLSv1" and "TLSv1.1" (keep the same format when adding it to your data group)
- Second one is address type called "dg_allowed_sourceIPs" that contains allowed IP addresses
when HTTP_REQUEST {
    if { [SSL::cipher version] eq "TLSv1.2" } {
        # Do nothing if TLSv1.2
    } elseif { ([class match [SSL::cipher version] equals "dg_allowed_ciphers"]) && ([class match [IP::client_addr] equals "dg_allowed_sourceIPs"]) } {
        # Do nothing if both conditions are met
    } else {
        # Redirect to a sorry page or reject client connections
        reject
    }
}
If you are using a partition other than the "Common" partition, you will need to specify the partition name before calling the data-group name from the iRule.
Example: "/Partition_name/dg_allowed_ciphers"
Hope it helps
Regards
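As an added example (not code from the answer above or from F5), the same policy can be enforced in the CLIENTSSL_HANDSHAKE event, so the connection is rejected as soon as the handshake completes and before any HTTP request is parsed, and each legacy-protocol decision is written to the LTM log so the exemption list can be reviewed. It reuses the two data groups described in the answer; the assumption is that SSL::cipher version is available in that event on your version, and the log wording is mine.

```tcl
# Added example: enforce "TLSv1.2 from anywhere, older protocols only from
# exempted sources" at handshake time, with logging for later review.
# Data group names follow the thread; log messages are an assumption.
when CLIENTSSL_HANDSHAKE {
    set ver [SSL::cipher version]
    set src [IP::client_addr]

    if { $ver eq "TLSv1.2" } {
        # Modern protocol: allowed from any source, nothing to log
        return
    }

    if { [class match $ver equals "dg_allowed_ciphers"] } {
        if { [class match $src equals "dg_allowed_sourceIPs"] } {
            # Legacy protocol from an exempted address: allow, but record it
            # so the exemption list can be shrunk as clients are upgraded
            log local0.notice "Allowed legacy $ver from exempted client $src"
            return
        }
        log local0.warning "Rejected legacy $ver from non-exempt client $src"
    } else {
        log local0.warning "Rejected unlisted protocol $ver from $src"
    }

    # Anything not explicitly allowed above is dropped
    reject
}
```

If the virtual server is in a non-Common partition, prefix the data group names as the answer describes, e.g. "/Partition_name/dg_allowed_ciphers".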