Forum Discussion
Altostratusrestrict access to a vs by a datagroup but temp allow exceptions and log
Sanjay's example is good, but as Nikoolayy1 pointed out, this can be done more efficiently with a local traffic policy. Initially, the policy might like this:
(tmos)# list /ltm policy reject_disallowed_ip_addresses
ltm policy reject_disallowed_ip_addresses {
last-modified 2021-04-10:15:59:01
requires { tcp }
rules {
reject_disallowed_ip_addresses {
actions {
0 {
log
client-accepted
write
facility local0
message "tcl:Dropping connection for client [IP::client_addr] not in datagroup"
priority info
}
}
conditions {
0 {
tcp
client-accepted
address
matches
datagroup disallowed_ips
}
}
}
}
status published
strategy first-matchWhen you are ready to actually reject the traffic, change the log action to Reset traffic at client-accepted.
With respect to what the value setting is in a datagroup entry, it is optional and would allow you to associate some value with the key portion of the entry. In your case, you do not need it.
Cirrostratuscrodriguez,
I'm running 15.1.4
I'm trying to do the same thing here, but looking your policy, I'm not sure I have this correct. In my policy I have, as you can see below:
1 - TCP address matches in datagroup (group with allowed IPs) - Ignore
2 - All Traffic - Log traffic - This does appear to be logging traffic that doesn't match the first rule
3 - All Traffic - Reset traffic
When I test this, IP address from an address that is not in the datagroup, I do get the APM login page.
