Block specific Client IP if request contains XYZ

MaxMedov · ‎18-Apr-2023

Hi, I need help creating the fastest solution (LTM Policy / iRule / other) to do this:
If client IP = X.X.X.X
and request contains = XYZ
Drop the client / or block by WAF message

Thank you!

Michael_Saleem · ‎18-Apr-2023

For a very quick solution to match on a single source IP and URI, you could use the following:

when HTTP_REQUEST {
    if { ( ( [IP::addr [IP::client_addr] equals X.X.X.X] ) && ( [string tolower [HTTP::uri]] contains "xyz" ) ) } {
        drop
    }
}

However, if you need need it to be more scalable, I would probably use a data group to hold multiple client IP addresses and then maybe another data group or switch -glob statement to match on multiple URIs.

CA_Valli · ‎18-Apr-2023

I'd just advise to avoid using "string tolower" on HTTP uri instruction, since path is case sensitive.

Michael_Saleem · ‎18-Apr-2023

Good point 👍

MaxMedov · ‎18-Apr-2023

So what is better?

CA_Valli · ‎18-Apr-2023

[HTTP::path] or [HTTP::query] should work just fine for exact matches on path/query parts of the uri

Michael_Saleem · ‎18-Apr-2023

If you are using a mixture of upper and lowercase letters in your URI and you need an exact match on this, then remove the [string tolower]

when HTTP_REQUEST {
    if { ( ( [IP::addr [IP::client_addr] equals X.X.X.X] ) && ( [HTTP::uri] contains "XYZ" ) ) } {
        drop
    }
}

MaxMedov · ‎18-Apr-2023

I'll test it thank you!

DevCentral

Block specific Client IP if request contains XYZ

Register For AppWorld 2024

F5 Receives Six Trust Radius
Best of 2023 Awards

F5 XC WAF

F5 BIG-IP

DevCentral

Block specific Client IP if request contains XYZ

Register For AppWorld 2024

F5 Receives Six Trust Radius Best of 2023 Awards

F5 XC WAF

F5 BIG-IP

F5 Receives Six Trust Radius
Best of 2023 Awards