F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

LJB_107563's avatar
LJB_107563
Icon for Nimbostratus rankNimbostratus
May 28, 2009

Scanner allowances

I have several scanning engines that need to properly asses the actual state of our many web servers and apps. I have the web servers all in blocking mode which also blocks the scanning engines and mo...
app sec
BIG-IP Access Policy Manager (APM)
security
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
May 28, 2009
Hi,

 

 

ASM doesn't have a concept of enforcing different policies based on client IP address. It's up to TMM to handle the logic of selected the ASM web app/policy.

 

 

It might be cleaner to configure a separate VIP which is restricted by source IP address that does not have an HTTP class or ASM policy enabled. This ensures complete separation between general users and the specific clients that should not go through ASM. You could enforce the source IP restrictions using an iRule, packet filters and/or an external firewall.

 

 

If you really want to use the same VIP for both types of users, you could use an interesting workaround that a previous poster suggested:

 

 

Restricting Access by IP to different web application

 

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=31&tpage=1&view=topic&postid=22747 (Click here)

 

 

There is an existing request for enhancement to add source IP address as a filter for HTTP classes. It seems like it would make a lot of sense. If you want to add your request to the list, you could open a case with F5 Support and ask them to find the RFE CR for you.

 

 

Or you could use an iRule which selects the HTTP class based on the source IP address/subnet. You can do this using HTTP::class (Click here) and a datagroup of type 'address'.

 

 

Aaron