Forum Discussion
marin_266716
Nimbostratus
Aug 10, 2017
iRule when TLS below 1.2 match datagroup
Hello All,
I'm looking for some assistance on an iRule. Looking to have VS listen on SSLv3 - TLS1.2 (Client Profile).
If client connection is eq TLS1.2 pass to back end pool.
If < TLS...
Jad_Tabbara__J1
Cirrostratus
Aug 11, 2017
Hi Marin,
Please find here after an example of the irule that you can use to do that.
To use this irule you need to create 2 data groups:
- First one is string type called "dg_allowed_ciphers" with following records "SSLv3", "TLSv1" and "TLSv1.1" (keep the same format when adding it to your data group)
- Second one is address type called "dg_allowed_sourceIPs" that contains allowed IP addresses
when HTTP_REQUEST {
    if { [SSL::cipher version] eq "TLSv1.2" } {
        # Do nothing if TLSv1.2
    } elseif { ([class match [SSL::cipher version] equals "dg_allowed_ciphers"]) && ([class match [IP::client_addr] equals "dg_allowed_sourceIPs"]) } {
        # Do nothing if both conditions are met
    } else {
        # Redirect to a sorry page or reject client connections
        reject
    }
}
If you are using a partition other than the "Common" partition, you will need to specify the partition name before calling the data-group name from the irule.
Example: "/Partition_name/dg_allowed_ciphers"
Hope it helps
Regards
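A variation on the iRule in the answer above, added here as an example and not part of the original post: it makes the same decision in CLIENTSSL_HANDSHAKE, once per connection rather than once per HTTP request, and logs every legacy-protocol client so that remaining SSLv3/TLSv1/TLSv1.1 users can be tracked. The data group names come from the answer; the event choice, the variable names and the local0 log facility are assumptions.

```tcl
when CLIENTSSL_HANDSHAKE {
    # Negotiated protocol version, e.g. "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"
    set tls_version [SSL::cipher version]

    # TLSv1.2 clients go straight to the pool, no data group lookup needed
    if { $tls_version eq "TLSv1.2" } {
        return
    }

    # Assumption: the client SSL profile offers nothing newer than TLSv1.2,
    # as in the question. Any other version string reaches the checks below.
    set client_ip [IP::client_addr]

    if { [class match $tls_version equals "dg_allowed_ciphers"] &&
         [class match $client_ip equals "dg_allowed_sourceIPs"] } {
        # Exception granted: legacy protocol from an allowed source address.
        # Logged so the exception list can be reviewed and shrunk over time.
        log local0.notice "legacy TLS allowed: $client_ip $tls_version [SSL::cipher name]"
    } else {
        # Legacy protocol from a source that is not on the allow list
        log local0.warning "legacy TLS rejected: $client_ip $tls_version [SSL::cipher name]"
        reject
    }
}
```

On a busy virtual server the per-connection log lines can be numerous, so the notice-level line is the one to drop first if log volume becomes a problem.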