For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

steven_singer_8's avatar
steven_singer_8
Icon for Nimbostratus rankNimbostratus
Sep 25, 2014

Per-IP rate limiting for non-matching IPs

I wrote an iRule that 403'ed any requesting IPs that did NOT match a class of IPs. 

rule filter_clients_rule {
when HTTP_REQUEST {
  if { [matchclass [IP::client_addr] equals $::MySelfDefined_Network_class] } {
   pool regular-site-pool
  }
  else {
   HTTP::respond 403
  }
}
}

How would one write a similar rule for ASM to simply throttle those non-matching IPs?

ASM Advanced WAF
security

1 Reply

  • Stewart's avatar
    Stewart
    Icon for Altostratus rankAltostratus
    Sep 26, 2014

    You could do something like this assuming your default pool is "regular-site-pool" and you'd need to create the rate class "non-matching-IPs as well:

    rule filter_clients_rule { when HTTP_REQUEST { if { [matchclass [IP::client_addr] not $::MySelfDefined_Network_class] } { rateclass non-matching-IPs } } }

    `

    This isn't using ASM though.