For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Tika_92763's avatar
Tika_92763
Icon for Nimbostratus rankNimbostratus
Jul 30, 2012

Source IP restriction without HTTP profile

Hello,     I have to create a irule or find any other way.     Scenario, I am managing 2 Juniper SA 2500 (SSL VPN) devices in active/active clustering. Each client has their own sub-urls ...
application delivery
dev
devops
iRules
Brian_Van_Stone's avatar
Brian_Van_Stone
Icon for Nimbostratus rankNimbostratus
Jul 30, 2012
Without an http profile you will not be able to query the URI.

Perhaps you can SNAT all requests from the restricted range to one SNAT pool, and all requests from the unrestricted range to a different SNAT pool. By doing this you could still perform IP restriction at the SA. 

when CLIENT_ACCEPTED {    if { [class match [IP::client_addr] equals allowed_nets] } {        snatpool allowedForABC }    else { snatpool everyoneElse }}