Restrict access to a VS by a datagroup but temporarily allow exceptions and log
So I basically have the concept of what I want to do programmatically, but need some assistance turning it into an iRule.
I have a virtual server that has open access and I want to change it to only allow access if the IP is in a datagroup.
However, while cutting it over I want to log all the IPs that are not in the datagroup and permit them anyway. I will then investigate whether each should be allowed and add the IPs as required.
After a few weeks, hopefully all the allowed IPs are in the datagroup and I can block connections but still log the denied IPs.
Looking through the forums, I have a vague idea that the below will be close to working,
and I change the last return to drop once I want to enforce it.
Also, in an address datagroup I understand the Address is the IP, but what is the value field for?
when CLIENT_ACCEPTED {
    # Permit the connection if the client IP is in the address datagroup
    if { [class match [IP::client_addr] equals datagroup_allowed_ip] } {
        return
    } else {
        # Cutover phase: log the unknown IP but still permit it.
        # Change this return to drop once the allow list is complete.
        log local0. "Would drop connection: client IP [IP::client_addr] is not in datagroup (permitted during cutover)."
        return
    }
}
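One way to keep a single iRule across both phases, as an added example that is not part of the original post: a static flag (name assumed, `static::enforce_allowlist`) switches between audit and enforce, and `class match -value` returns the optional value column of the address data group, which is simply a free-form string you can attach to each address (an owner or site label, for instance) and is empty when no value was set.

```tcl
# Added example (not from the original post). Assumes an address data group
# named datagroup_allowed_ip; the static variable name is an assumption.
when RULE_INIT {
    # 0 = audit: log client IPs that are not in the data group, but permit them
    # 1 = enforce: log and drop client IPs that are not in the data group
    set static::enforce_allowlist 0
}

when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    if { [class match $client equals datagroup_allowed_ip] } {
        # Allowed. The optional value column of the data group entry is
        # retrieved with -value; it is an arbitrary string (empty if unset).
        set label [class match -value $client equals datagroup_allowed_ip]
        log local0.info "Allowed $client (data group value: '$label')"
        return
    }

    if { $static::enforce_allowlist } {
        # Enforcement phase: record the denial, then drop the connection
        log local0.warn "Dropped $client: not in datagroup_allowed_ip"
        drop
        return
    }

    # Audit phase: record the unknown IP for review but let it through
    log local0.notice "Audit: $client not in datagroup_allowed_ip, permitted during cutover"
}
```

Flip `static::enforce_allowlist` to 1 (and reload the iRule so RULE_INIT re-runs) once the audit log has stopped producing new addresses.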