For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Thornid's avatar
Thornid
Icon for Nimbostratus rankNimbostratus
Jul 01, 2019

Restrict Source IPs iRule

Hi all   Forgive what may be such an easy iRule question but unfortunately my experience with them is rather limited and time is of the essence. We have an iRule which looks to be doing something w...
application delivery
iRules
LTM
iaine's avatar
iaine
Icon for Nacreous rankNacreous
Jul 01, 2019

Hi

You need some logic within the CLIENT_ACCEPTED Event for this. Something like this for a single IP.....this will look for a connection from 10.10.10.10 and apply a different SSL profile. All other connections will used the default config of the VIP

when CLIENT_ACCEPTED {     
  if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
     SSL::profile new_clientssl
 }
}

You can expand out for look for a subnet

when CLIENT_ACCEPTED {     
  if { [IP::addr [IP::client_addr] equals 10.10.10.0/24] } {
     SSL::profile new_clientssl
 }
}

or use a DataGroup if you want to....

when CLIENT_ACCEPTED {     
    if { [class match [IP::client_addr] equals source_ip] } {  
		SSL::profile new_clientssl
	}
}