Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

F5 irule set restrictaccess 0 & 1 command.


Hi All,


I'm newbie to F5 irule and kind of stuck in understanding the syntax, especially not able to figure out what does "set restrictaccess 1" and "set restrictaccess 0" have effect here.


ltm rule Drop_Xyz_Requests {

partition Xyz

priority 10



set restrictaccess 1

if { [class match [IP::client_addr] equals corp_Vlan10-Vlan80] ||

} {

set restrictaccess 0




if {$restrictaccess} {

if { ! (([string tolower [HTTP::path]] starts_with ""/xxx-xxx-xxxx/api/"") ||

} {

HTTP::respond 403 content {<html>403 Forbidden - Access Denied</html>}






Legacy Employee
Legacy Employee

In your example, the variable named restrictaccess is being used as a Boolean switch to determine whether a client should be restricted from accessing what looks like an application API. The restrictaccess switch is set to true (1) by default, meaning the client should not have access to the API. This happens during the CLIENT_ACCEPTED event, which occurs upon successful completion of the three-way handshake between the client and the virtual server on the BIG-IP system. Then the client's IP address is compared to the values in a datagroup. If a match is found, restrictaccess is set to false (0), meaning the client is allowed to access the API.


The restrictaccess switch is then checked during the HTTP_REQUEST event, which occurs every time the client sends an HTTP request across the existing connection. If restrictaccess is true (1) and if the request is for the API, the client is blocked from access via the custom HTTP response content. If restrictaccess is false (0), the client is allowed access to the API (or whatever element it was they requested).

Thanks a lot for your response..Much helpful to understand​ now..