Forum Discussion
LJB_107563
Nimbostratus
May 28, 2009
Scanner allowances
I have several scanning engines that need to properly assess the actual state of our many web servers and apps. I have the web servers all in blocking mode which also blocks the scanning engines and mo...
hoolio
Cirrostratus
May 28, 2009
Hi,
ASM doesn't have a concept of enforcing different policies based on client IP address. It's up to TMM to handle the logic of selecting the ASM web app/policy.
It might be cleaner to configure a separate VIP which is restricted by source IP address that does not have an HTTP class or ASM policy enabled. This ensures complete separation between general users and the specific clients that should not go through ASM. You could enforce the source IP restrictions using an iRule, packet filters and/or an external firewall.
If you really want to use the same VIP for both types of users, you could use an interesting workaround that a previous poster suggested:
Restricting Access by IP to different web application
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=31&tpage=1&view=topic&postid=22747
There is an existing request for enhancement to add source IP address as a filter for HTTP classes. It seems like it would make a lot of sense. If you want to add your request to the list, you could open a case with F5 Support and ask them to find the RFE CR for you.
Or you could use an iRule which selects the HTTP class based on the source IP address/subnet. You can do this using HTTP::class and a datagroup of type 'address'.
Aaron
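A sketch of the iRule approach described in the reply above, added here as an example and not taken from the original post. The data group name `scanner_addrs` (type address) and the HTTP class name `scanner_noasm_class` (an HTTP class on the same virtual server with no ASM policy attached) are assumed names.

```tcl
# Added example, not from the original thread.
# Assumed objects (hypothetical names):
#   scanner_addrs        - data group of type 'address' listing the scanner hosts/subnets
#   scanner_noasm_class  - HTTP class on this virtual server without an ASM policy
when HTTP_REQUEST {
    # Compare the TCP source address against the address data group.
    # 'class match' is the v10+ form; older v9 iRules use
    #   [matchclass [IP::client_addr] equals $::scanner_addrs]
    if { [class match [IP::client_addr] equals scanner_addrs] } {
        # Approved scanner: override the class chosen by the normal
        # HTTP class filters so the request is not sent through ASM.
        HTTP::class select scanner_noasm_class

        # Record every request that skips ASM so the exception can be audited.
        log local0. "ASM exception: [IP::client_addr] -> [HTTP::host][HTTP::uri]"
    }
    # All other clients fall through to the HTTP class / ASM policy
    # selected by the virtual server's normal class matching.
}
```

The match is made on the connection's source address, so keep the data group limited to the specific scanner addresses and review the logged exceptions periodically.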