Forum Discussion
tacobell_112236
Nimbostratus
Dec 08, 2010
URL access based on IP\LDAP
I'm new to F5 ASM so I apologize for my ignorance in advance. Is it possible to create an iRule to allow access to a webpage based on IP addresses and/or LDAP group?
I see this as an exam...
hoolio
Cirrostratus
Dec 09, 2010
I don't think current versions of ASM allow you to restrict access by client IP, subnet or GeoIP region, etc. I'm pretty sure there is at least one request for enhancement related to this type of functionality. You could open a case with F5 Support and have your request added to the existing RFE(s).
In the meantime, you could try a few approaches:
* Create an address type datagroup containing the allowed subnets/hosts and use an iRule to check for requests to /admin that aren't from an allowed IP. Rewrite the URI to something that will always get blocked in the ASM policy like /illegal_client_request_to_admin.exe (assuming you don't have .exe or wildcard filetypes allowed in your policy).
* Use a separate VS which goes to a separate ASM policy that allows /admin URI access (or no policy if you trust the app administrators). Restrict access to the VS using an iRule and the same address type datagroup as you would for option one. Then block all access to /admin on your main ASM policy using an attack signature.
Aaron
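
A sketch of the first approach in the reply above, added here as an example and not taken from the original post. The data group name `admin_allowed_clients` is an assumption, and the rule assumes a BIG-IP version that provides the `class match` command.

```tcl
# Added example, not code from the thread.
# Assumes an address-type data group named admin_allowed_clients
# (hypothetical name) that lists the permitted hosts and subnets.
when HTTP_REQUEST {
    # Decode and lowercase the path so /Admin, /ADMIN and /%61dmin
    # are all compared against the same prefix.
    set path [string tolower [URI::decode [HTTP::path]]]

    if { $path starts_with "/admin" } {
        if { not [class match [IP::client_addr] equals admin_allowed_clients] } {
            # Record the original request before it is rewritten
            log local0. "Denied /admin request from [IP::client_addr]: [HTTP::uri]"

            # Rewrite to a URI the ASM policy will always block
            # (relies on .exe and wildcard file types not being allowed)
            HTTP::uri "/illegal_client_request_to_admin.exe"
        }
    }
}
```

`IP::client_addr` is the address of the TCP peer, so if clients reach the virtual server through a proxy or SNAT, the data group would need to match on the address the BIG-IP actually sees.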
