should I add deny all policy at end of Advanced Resource Assignment

Question

should I add deny at end of Advanced Resource Assignment to deny any access except the access specified in the access list, like below example I have entry that have specific access list then I added deny at end that will match on all entry because it doesn't have expression, by this the entry will only have access to IPs in access list any other IPs are denied or should I remove the deny rule as the default implicit is deny?, will the user have access to any without this explicit deny rule?&nbsp;
also if resource assign order doesn't matter, does this mean if the deny entry loaded first before the permit entry user will not be able to access any resources?&nbsp;
&nbsp;

stanislas_piro2 · Answer

Yes, it is recommended to add such ACL!&nbsp;
But the resource assign order doesn’t matter! The ACL order does!&nbsp;

stanislas_piro2 · Answer

ACL order matters. then inside ACL, entry order matters...&nbsp;
Why 1000??? do you really need more than 1000 ACL?&nbsp;
I don't know if there is a limit. you can try with 10000.&nbsp;
but any time you create a new resource, don't forget to define an ACL order less than the deny all ACL.&nbsp;

Forum Discussion

should I add deny all policy at end of Advanced Resource Assignment

Recent Discussions

Statistics ›› Analytics : HTTP : Overview

VS FORWARDING & ROUTE

Diameter iRules attachment?

Source IP F5 DNS Zone Forwarder

F5 BIG-IP

Related Content

DevCentral Resources

From ASM to Advanced WAF: Advancing your Application Security

APM Webtop didn't appear in the Advanced resource assignment agent in trial VM V17.1.0

APM variable assign examples

F5 BIG-IP Advanced WAF – DOS profile configuration options.

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS