Log Bypass for BIG-IP Monitor Traffic
Published May 01, 2012
Version 1.0
monitoring string. If you are worried about this scenario, it is very easy
to block external requests with this User-Agent with an iRule:
when HTTP_REQUEST {
    # Log every request with its (lowercased) User-Agent so spoofing attempts can be reviewed later
    log local0. "[IP::client_addr]:[TCP::client_port]: User-Agent: [string tolower [HTTP::header "User-Agent"]] requested [HTTP::host][HTTP::uri]"
    # The header is lowercased before the comparison, so the pattern must be lowercase too:
    # "contains" is case-sensitive and would never match "F5 BIG-IP Monitor"
    if { [string tolower [HTTP::header "User-Agent"]] contains "f5 big-ip monitor" } {
        log local0. "[IP::client_addr]:[TCP::client_port]: Rejected request"
        reject
    }
}
You can also add this logic to the Apache server config. Since you've already set an environment variable for the monitoring User-Agent, you can reuse it to enforce access. Locate the VirtualHost's Allow and Deny directives and change their order and parameters so that monitoring requests are only accepted from the BIG-IP itself:
Order Deny,Allow
Deny from env=monitor
# set subnet or addresses of BIG-IP self-IPs
Allow from 10.40.0.0/16
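Both the iRule and the Apache directives encode the same decision: a request carrying the monitor User-Agent is rejected unless it comes from a BIG-IP self-IP, and everything else is served normally. The following Python script is an added example (not F5's code and not part of the original article) that reproduces that decision and runs it over constructed log lines in the format the iRule above writes, so you can check what the policy would have rejected before enabling it. The self-IP range 10.40.0.0/16 is reused from the article as a placeholder; the log lines and hostnames are constructed.

```python
"""Added example: apply the article's monitor-UA policy to iRule-style log lines."""
import ipaddress
import re

# Marker the BIG-IP HTTP monitor sends; compared case-insensitively, as the iRule does.
MONITOR_UA_MARKER = "f5 big-ip monitor"

# Placeholder BIG-IP self-IP range, taken from the article's Apache example.
BIGIP_SELF_IPS = [ipaddress.ip_network("10.40.0.0/16")]

# Matches the request line the iRule logs:
#   <ip>:<port>: User-Agent: <ua> requested <host><uri>
LOG_RE = re.compile(
    r"^(?P<ip>[^:]+):(?P<port>\d+): User-Agent: (?P<ua>.*) requested (?P<target>\S+)$"
)


def is_monitor_ua(user_agent):
    """True if the User-Agent claims to be the BIG-IP monitor (case-insensitive)."""
    return MONITOR_UA_MARKER in (user_agent or "").lower()


def in_allowed_nets(client_ip, nets=BIGIP_SELF_IPS):
    """True if client_ip falls inside one of the BIG-IP self-IP networks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def decide(client_ip, user_agent, nets=BIGIP_SELF_IPS):
    """Same outcome as 'Order Deny,Allow / Deny from env=monitor / Allow from <self-IPs>':
    the Allow is evaluated last, so a genuine monitor from a self-IP passes, a spoofed
    monitor UA from anywhere else is rejected, and ordinary traffic is allowed."""
    if is_monitor_ua(user_agent) and not in_allowed_nets(client_ip, nets):
        return "reject"
    return "allow"


def parse_irule_log(line):
    """Parse one line written by the iRule's first log statement; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ip": m["ip"], "port": int(m["port"]), "ua": m["ua"], "target": m["target"]}


def spoofed_monitor_requests(lines, nets=BIGIP_SELF_IPS):
    """Return (ip, target) for logged requests presenting the monitor UA from outside the self-IPs."""
    hits = []
    for line in lines:
        rec = parse_irule_log(line)
        if rec and decide(rec["ip"], rec["ua"], nets) == "reject":
            hits.append((rec["ip"], rec["target"]))
    return hits


# Constructed sample log lines in the format the article's iRule writes (UA already lowercased).
SAMPLE_LOG = [
    "10.40.1.5:41122: User-Agent: f5 big-ip monitor requested www.example.com/health",
    "203.0.113.7:51000: User-Agent: f5 big-ip monitor requested www.example.com/health",
    "198.51.100.9:33010: User-Agent: mozilla/5.0 requested www.example.com/index.html",
    "not a request line",
]

if __name__ == "__main__":
    for ip, target in spoofed_monitor_requests(SAMPLE_LOG):
        print(f"spoofed monitor UA from {ip} -> {target}")
```

Running the script reports only the second sample line: the request from 10.40.1.5 is a legitimate monitor probe from the self-IP range and the browser request carries no monitor marker. Note that `Order`, `Deny from` and `Allow from` are Apache 2.2 directives (mod_authz_host); on Apache 2.4 the equivalent policy is expressed with `Require` directives, but the decision logic stays the same.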
Great question. Hope that helps!