restrict access to a vs by a datagroup but temp allow exceptions and log
Sanjay's example is good, but as Nikoolayy1 pointed out, this can be done more efficiently with a local traffic policy. Initially, the policy might look like this:
(tmos)# list /ltm policy reject_disallowed_ip_addresses
ltm policy reject_disallowed_ip_addresses {
    last-modified 2021-04-10:15:59:01
    requires { tcp }
    rules {
        reject_disallowed_ip_addresses {
            actions {
                0 {
                    log
                    client-accepted
                    write
                    facility local0
                    message "tcl:Dropping connection for client [IP::client_addr] not in datagroup"
                    priority info
                }
            }
            conditions {
                0 {
                    tcp
                    client-accepted
                    address
                    matches
                    datagroup disallowed_ips
                }
            }
        }
    }
    status published
    strategy first-match
}
When you are ready to actually reject the traffic, change the log action to Reset traffic at client-accepted.
With respect to what the value setting is in a datagroup entry, it is optional and would allow you to associate some value with the key portion of the entry. In your case, you do not need it.
crodriguez,
I'm running 15.1.4
I'm trying to do the same thing here, but looking at your policy, I'm not sure I have this correct. In my policy I have, as you can see below:
1 - TCP address matches in datagroup (group with allowed IPs) - Ignore
2 - All Traffic - Log traffic - This does appear to be logging traffic that doesn't match the first rule
3 - All Traffic - Reset traffic
When I test this from an IP address that is not in the datagroup, I do get the APM login page.
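The two posts above describe the same mechanism from two angles: the first switches a single rule from "log" to "reset" once the monitoring phase is over, and the second lays the allow-list out as three rules (datagroup match, log all, reset all) under the default first-match strategy. The simulator below is an added example written for this page; it is not code from the thread and not F5 code. It models how a BIG-IP LTM policy with strategy first-match selects a rule for a client address: rules are tried in order, a rule with no conditions ("All traffic") matches every request, and once a rule matches its actions run and no later rule is evaluated. The datagroup entries, rule names and the "ignore" action label are constructed for the illustration; datagroup address matching is emulated with Python's ipaddress module, which accepts host and CIDR entries the way an address-type datagroup does.

```python
"""Added example, not from the DevCentral thread and not F5 code: a small
simulator for how an LTM policy with strategy first-match picks a rule for a
client address, using an address-type datagroup with host and CIDR entries."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed datagroup (type address): one host entry and two network entries.
ALLOWED_IPS = ["10.0.0.5", "192.168.10.0/24", "2001:db8::/32"]


def address_matches_datagroup(client_ip: str, datagroup: List[str]) -> bool:
    """Emulate 'address matches datagroup': true if the client address equals a
    host entry or falls inside a network entry of the same IP version."""
    addr = ipaddress.ip_address(client_ip)
    for entry in datagroup:
        net = ipaddress.ip_network(entry, strict=False)  # "10.0.0.5" becomes 10.0.0.5/32
        if addr.version == net.version and addr in net:
            return True
    return False


@dataclass
class Rule:
    name: str
    # None stands for a rule with no conditions ("All traffic"); it always matches.
    condition: Optional[Callable[[str], bool]]
    actions: Tuple[str, ...]


def first_match(rules: List[Rule], client_ip: str) -> Tuple[Optional[str], Tuple[str, ...]]:
    """strategy first-match: the first rule whose conditions hold is selected,
    its actions run, and no later rule is evaluated."""
    for rule in rules:
        if rule.condition is None or rule.condition(client_ip):
            return rule.name, rule.actions
    return None, ()


def in_allowed(client_ip: str) -> bool:
    return address_matches_datagroup(client_ip, ALLOWED_IPS)


# Three-rule layout: datagroup match -> ignore, all traffic -> log, all traffic -> reset.
# Under first-match the second rule matches every non-listed client, so the
# third rule is never reached and nothing is reset.
THREE_RULE_POLICY = [
    Rule("allowed_ips_ignore", in_allowed, ("ignore",)),
    Rule("all_traffic_log", None, ("log",)),
    Rule("all_traffic_reset", None, ("reset",)),  # unreachable
]


def allowlist_policy(enforce: bool) -> List[Rule]:
    """Monitoring phase (enforce=False): clients outside the datagroup are only
    logged. Enforcement (enforce=True): the reset is added to the same rule, so
    log and reset both run on the single first match."""
    deny_actions = ("log", "reset") if enforce else ("log",)
    return [
        Rule("allowed_ips_ignore", in_allowed, ("ignore",)),
        Rule("all_other_traffic", None, deny_actions),
    ]


def client_is_reset(rules: List[Rule], client_ip: str) -> bool:
    """True if the selected rule resets the connection; False means the client
    reaches the virtual server (for an APM-protected VS, it sees the login page)."""
    _, actions = first_match(rules, client_ip)
    return "reset" in actions


if __name__ == "__main__":
    for ip in ("10.0.0.5", "192.168.10.77", "203.0.113.9", "2001:db8::1"):
        for label, policy in (("three-rule", THREE_RULE_POLICY),
                              ("log-only", allowlist_policy(False)),
                              ("enforce", allowlist_policy(True))):
            name, actions = first_match(policy, ip)
            print(f"{label:10s} {ip:16s} -> {name} {actions}")
```

Running it shows the two behaviours side by side: under the three-rule layout a non-listed client such as 203.0.113.9 is selected by the log-only rule and is never reset, while with log and reset in one rule it is logged and reset, and listed clients are left alone in both.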