Forum Discussion
iRule with ASM URL filtering
I have a website that the developers would like to have one particular /path available for internal access but deny for external users. The trick is that we use ASM URL Filtering. I can certainly remove the /path from the ASM Allowed list but still need to deny this path to external users. I was thinking of something like this.
when HTTP_REQUEST {
    if { ([matchclass [IP::client_addr] equals private_net]) and ([class match [HTTP::path] starts_with sitename-acl]) } {
        return
    }
    HTTP::respond 200 content "PERMISSION DENIED TO: [HTTP::uri] "
}
This should allow internal users access to the site, but it would deny access to everything else. I don't want to maintain an ACL list for allowed access as that is handled by ASM. Does anyone know how I can allow one particular /path via an iRule or in ASM for private_net?
3 Replies
- Hannes_Rapp
Nimbostratus
It's essentially an L7 IP whitelist that you're looking for. You have two great solutions to choose from: one with a custom ASM violation (as an advantage, it would allow you to retain ASM logs), and another possible solution can be applied with the use of LTM Local Traffic Policies (best-match strategy; default action - enable ASM policy, conditional action - disable ASM).
For the first option, have a look at https://devcentral.f5.com/questions/ip-access-whitelist-when-using-asm
For the second option, look into Local Traffic Policies. It's very straightforward. https://support.f5.com/kb/en-us/solutions/public/15000/000/sol15085.html
- Charles_Rosenbe
Historic F5 Account
If your private network has a single congruent subnet source (10.0.0.0/8), you could limit access using Source Mask on the virtual server. You could create a virtual server with the same settings as the existing one, but give it a source mask of the private network. This new virtual server could have a policy that allowed access to the URL while the other virtual server would handle all other source addresses. The virtual server that handles all other traffic could have a slightly different policy that just denied access to that URL in question. This way you can still reuse the existing IP address for the virtual servers, but have different virtual servers depending on the source address. With different virtual servers, you can have different ASM policies which have different restrictions.
- jokragly
Nimbostratus
I was able to get this to work by using the following iRule, leaving all my external traffic secured and logged via ASM.
If I need to expand the list of starts_with matches, I will create a data group and change it to a matchclass...
when HTTP_REQUEST {
    if { ([matchclass [IP::client_addr] equals private_net]) and ([HTTP::path] starts_with "/Help") } {
        ASM::disable
    }
}
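The same approach, extended so that external clients requesting the internal-only path are explicitly denied and logged instead of relying only on the path's removal from the ASM allowed-URL list. This is an added example, not code from the thread; it assumes two data groups exist on the BIG-IP, an address data group named private_net and a string data group named internal_only_paths (both names are assumptions).

```tcl
# Added example, not from the thread. Assumes:
#   private_net         - address data group holding the internal CIDR ranges
#   internal_only_paths - string data group of path prefixes (e.g. "/Help")
#                         that only internal clients may reach
when HTTP_REQUEST {
    # class match is the non-deprecated form of matchclass; both return 1/0
    set internal   [class match [IP::client_addr] equals private_net]
    set restricted [class match [HTTP::path] starts_with internal_only_paths]

    if { $restricted } {
        if { $internal } {
            # Internal client on an internal-only path: the path was removed
            # from the ASM allowed-URL list, so bypass ASM for this request
            # only. All other traffic on this virtual server stays under ASM.
            log local0. "ASM bypass for internal client [IP::client_addr] -> [HTTP::path]"
            ASM::disable
        } else {
            # External client on an internal-only path: deny explicitly and
            # log it so the attempt is visible even if ASM logging changes.
            log local0. "Denied external access [IP::client_addr] -> [HTTP::uri]"
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
        }
    }
    # Every other request falls through with the ASM policy still enabled.
}
```

Requests that are not on a restricted path never reach ASM::disable, so the ASM allowed-URL list continues to govern them unchanged.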