iRules to manipulate established sessions

Question

Is there a way to use an iRule to close established sessions for a specific source-IP?  I'm working on a "Passive" IPS solution that receives data from the F5 via clone-pools and then upon policy violation makes a call to the F5 where an iRule inserts the source-IP of the 'attacker' into a subtable that is then referenced by the VS.  If any further connections from that source-IP come in, the connection is denied. &nbsp;
The problem I'm having is that while the clone/inspect/notify process described above is going on (takes probably a second), an attacker can open an additional TCP socket and once it's open, it's not subject to denial via the blacklist. So I'm looking for a way to proactively go through and close any open connections from that source-IP.  &nbsp;
Anyone know if this is possible?&nbsp;

nitass · Answer

So I'm looking for a way to proactively go through and close any open connections from that source-IP. &nbsp;

have you checked icall? is it usable?&nbsp;

F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

iRules to manipulate established sessions

1 Reply

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Service discovery is not happening in AS3

Load balanced RDP VIP use in APM

Deleting an AS3 Tenant

Request for Bug Tracker/Known Issues – BIG-IP Version 17.5.1.2

AST Configuration Assistance

Related Content

F5 Architecture Track Sessions - AppWorld 2026

F5 NGINX API Gateway: Simplify Response Manipulation

MCP Session Affinity With F5 NGINX Plus

SAML IdP Initiated SSO Denied and Killing Existing Session established through OAuth

RADIUS authentication packet manipulation library

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS