Forum Discussion

sandiksk_35282 (Altostratus)
Mar 06, 2018
Solved

F5 Whitelisting/ Allowing a specific range of traffic to VS

We have a requirement to allow only a specific subnet range and IPs to access the virtual server; it would be great if you could help me on this. The VS on the F5 is configured to listen only on port 443.


  • Create an IP type LTM data-group. Define the allowed IP/subnet values, and add optional descriptions. You can find the data-group creation page at Local Traffic - iRules - Data-group List. Example of an IP type data-group in CLI/TEXT format:

    ltm data-group internal datagroup_allowed_ip {
      records {
        100.20.20.0/32 { }
        199.20.20.128/25 { }
      }
      type ip
    }

    Create an iRule that checks for matches against entries in datagroup_allowed_ip:

    when CLIENT_ACCEPTED {
      if { [class match [IP::client_addr] equals "datagroup_allowed_ip"] } {
        # Traffic is allowed. Client IP match found in datagroup_allowed_ip
        return
      } else {
        # Traffic is dropped. Client IP match not found in datagroup_allowed_ip
        drop
      }
    }


14 Replies

  • Hello,

    From version v11 onwards, your Virtual Server has a "Source" field. As the value, you may specify a single /32 IP or a bigger subnet.

    You may create multiple identical Virtual Servers with different Source IP restrictions if your allowed addresses are in separate subnets. As the number of allowed Source IP addresses and subnets grows, at one point you will be better off going with an LTM iRule solution that checks an LTM data-group for allowed source IP addresses. Or you can do whitelisting in the AFM module. If you prefer one of the latter scenarios, let me know and I'll get you an example.

    Rgds


  • We have multiple IPs in different subnets, and I guess it would be better to go with the LTM iRule solution that checks an LTM data-group for allowed source IP addresses.

    Can you please assist me with the iRule?


    • sandiksk_35282 (Altostratus)

      Thank you, configuring for the QA setup, will get back to you if I run into any issues.

    • sandiksk_35282 (Altostratus)

      I am not able to see any traffic hitting the iRule. In the data-group we specified the IP range, but I don't see any hits.

    • Maneesh_72711 (Cirrostratus)

      What do you mean by not seeing any traffic hitting the iRule? Have you enabled logging on the iRule and don't see the logic getting triggered? Hannes has provided the correct iRule as per your requirement; are you coming from the correct sources?
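As an added example (not code from this thread), the accepted iRule extended with the per-branch logging Maneesh's troubleshooting question calls for, so that every allow and deny decision is visible in /var/log/ltm. It assumes the IP type data-group named datagroup_allowed_ip from the accepted answer.

```tcl
when CLIENT_ACCEPTED {
    # Assumption: an IP type data-group named datagroup_allowed_ip exists
    # (the one from the accepted answer). Change the name if yours differs.
    set allowlist "datagroup_allowed_ip"

    # Build the connection 4-tuple once so both log lines have the same shape.
    set conn "src=[IP::client_addr]:[TCP::client_port] dst=[IP::local_addr]:[TCP::local_port] vs=[virtual name]"

    if { [class match [IP::client_addr] equals $allowlist] } {
        # Hit: the client address falls inside one of the data-group records.
        # local0.debug is verbose; drop this line once the allow-list is verified.
        log local0.debug "ALLOW $conn"
        return
    }

    # Default deny: anything not explicitly listed is discarded. "drop" is
    # silent (the client times out); use "reject" instead if a RST is wanted.
    log local0.info "DENY $conn"
    drop
}
```

Watch the log with `tail -f /var/log/ltm` while a test client connects; if neither an ALLOW nor a DENY line appears, the iRule is not attached to the virtual server or the traffic is arriving at a different one.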

       

  • An alternative to using an iRule is to use AFM (Advanced Firewall Manager). AFM, which is included in the Better bundle or standalone, makes adding an ACL to your virtual server trivial.