For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

sysadmin_2015_2's avatar
sysadmin_2015_2
Icon for Nimbostratus rankNimbostratus
Sep 08, 2017

Virtual Server - Block IP

Hello,   We need to block a several subnets for a particular virtual server. Is the best way to use an iRule? And can you please send me an example of an iRule we can use?   Thank you for the...
application delivery
BIG-IP
devops
iRules
Faruk_AYDIN's avatar
Faruk_AYDIN
Icon for Altostratus rankAltostratus
Sep 11, 2017

In my opinion, the best way is to create an IP datagroup, then write an iRule like this:

 Datagroup which defines denied client IP addresses/networks
class denied_clients {
   network 10.0.0.0/8
   host 192.168.10.0/24
}

when CLIENT_ACCEPTED {
   if { [class match [IP::client_addr] equals denied_clients] }{
      log local0.  "client IP: [IP::client_addr] - discarded"
      discard
   }
}

To use a datagroup makes it easy to manage, whenever you want to add an IP subnet or delete an IP subnet, you can do it easily without touching to the iRule.