cancel
Showing results for 
Search instead for 
Did you mean: 

iRule to reference data group for whitelisting IP

WAF_Monkey
Altostratus
Altostratus

This has got to be simple but I can't figure it out!! 😞

Can anyone help me to write an iRule that will reference a data group list of IP addresses I want to whitelist on ASM? I don't want to deny IP's that aren't on the list, just to never block those on the list.

 

Thanks!

Tony

1 ACCEPTED SOLUTION

crodriguez
F5 Employee
F5 Employee

You can log the unblocked requests from within the local traffic policy. (I had log statements in both my rules, but removed them for the answer above.) There is a log action that can be added on the disable ASM rule. For example:

ltm policy disable_asm_for_select_IPs { controls { asm } last-modified 2020-12-03:15:50:12 requires { http tcp } rules { disable_asm_for_select_IPs { actions { 0 { asm disable } 1 { log write facility local0 message "tcl:ASM disabled for allowed IP [IP::client_addr]" priority info } } conditions { 0 { tcp address matches datagroup no_ASM_IPs } } } enable_asm_for_all_traffic { actions { 0 { asm enable policy /Common/lab_8_manual } } ordinal 1 } } status published strategy first-match }

 

 

View solution in original post

9 REPLIES 9

Samir
Nacreous
Nacreous

You can add whitelist ip in WAF/ASM under ip/subnet exception list. It will give more flexibility then iRule... Hope it will work.

Thanks​

WAF_Monkey
Altostratus
Altostratus

I have about 450 IP addresses to allow. I already have the data group list on the box, just need an iRule to reference it. Thanks.

Samir
Nacreous
Nacreous

you can try something like this... Not tested yet. Please test in non prod device.

when CLIENT_ACCEPTED { if {[matchclass [IP::client_addr] equals bypass_asm_class]}{ set disable_asm 1 #log local0. "[IP::client_addr]:[TCP::client_port]: Client matched bypass_asm_class datagroup." } else { set disable_asm 0 #log local0. "[IP::client_addr]:[TCP::client_port]: Client did not match bypass_asm_class datagroup." } } when HTTP_CLASS_SELECTED { if {[HTTP::class asm]==1}{ if {$disable_asm==1}{ log local0. "[IP::client_addr]:[TCP::client_port]: Disabling ASM for this request." ASM::disable } else { log local0. "[IP::client_addr]:[TCP::client_port]: Not disabling ASM for this request." ASM::enable } } }

Set the log according to requirements and later disable it

 

 

WAF_Monkey
Altostratus
Altostratus

I'll test this out, thanks!

crodriguez
F5 Employee
F5 Employee

The HTTP_CLASS_SELECTED event has been deprecated. Instead, you can use a local traffic policy to selectively enable and disable ASM, as Samir showed, using an IP address data group to make the comparisons. For example:

ltm policy disable_asm_for_select_IPs { controls { asm } last-modified 2020-12-03:10:38:38 requires { http tcp } rules { disable_asm_for_select_IPs { actions { 0 { asm disable } } conditions { 0 { tcp address matches datagroup no_ASM_IPs } } } enable_asm_for_all_traffic { actions { 0 { asm enable policy /Common/lab_8_manual } } ordinal 1 } } status published strategy first-match }

It's important that the catch-all rule, enable_asm_for_all_traffic, be the second rule in the policy, and disable_asm_for_select_IPs be first. You would assign the local traffic policy to the appropriate virtual server, replacing the default one applied when you enable an application security policy on the virtual server.

 

Here is what my internal datagroup looks like. (You can use an external data group just as easily.):

ltm data-group internal no_ASM_IPs { records { 10.10.10.30/32 { } } type ip }

I tested this on BIG-IP ASM v15.1.0. 

 

 

 

 

WAF_Monkey
Altostratus
Altostratus

Nice, I'll run this on my v16.0.1 lab. Thanks!

WAF_Monkey
Altostratus
Altostratus

Works great on v16, unfortunately I can't log the unblocked requests. Guess that's the lesser of the two evils. Off to dev. Thanks again!

crodriguez
F5 Employee
F5 Employee

You can log the unblocked requests from within the local traffic policy. (I had log statements in both my rules, but removed them for the answer above.) There is a log action that can be added on the disable ASM rule. For example:

ltm policy disable_asm_for_select_IPs { controls { asm } last-modified 2020-12-03:15:50:12 requires { http tcp } rules { disable_asm_for_select_IPs { actions { 0 { asm disable } 1 { log write facility local0 message "tcl:ASM disabled for allowed IP [IP::client_addr]" priority info } } conditions { 0 { tcp address matches datagroup no_ASM_IPs } } } enable_asm_for_all_traffic { actions { 0 { asm enable policy /Common/lab_8_manual } } ordinal 1 } } status published strategy first-match }

 

 

WAF_Monkey
Altostratus
Altostratus

Too awesome, thanks again for your help!