
restrict access to a vs by a datagroup but temp allow exceptions and log


So I basically have the concept of what I want to do programmatically but need some assistance turning it into an iRule.


I have a virtual server that has open access and I want to change it to only allow access if the IP is in a data group.

However, while cutting it over I want to log all the IPs that are not in the data group and permit them anyway. I will then investigate if each should be allowed and add each IP as required.


After a few weeks, hopefully all the allowed IPs are in the data group and I can block connections but still log denied IPs.


Looking through the forums, I have a vague idea that the below will be close to working,

and I change the last return to drop once I want to enforce it.


Also, in an address data group, I understand the Address is the IP, but what is the value field for?



   when CLIENT_ACCEPTED {
       if { [class match [IP::client_addr] equals datagroup_allowed_ip] } {
           # Client is in the allow list: let the connection through
           return
       } else {
           log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."
           # Cut-over phase: log only and still allow the connection.
           # Change this "return" to "reject" (or "drop") to enforce the allow list.
           return
       }
   }






The value is optional, to add a description; you can keep it blank. Reject can be commented out until the IP address list is confirmed, to allow all traffic.


   when CLIENT_ACCEPTED {
       if { ![class match [IP::client_addr] equals datagroup_allowed_ip] } {
           log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."
           #reject
       }
   }

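The two snippets above both work by editing the iRule when it is time to enforce. As an added example (not code from the thread or from F5), here is the same allow-list iRule with a single switch in RULE_INIT that flips it from audit mode to enforcement, so the cut-over is a one-line change that is easy to review and revert. The data group name datagroup_allowed_ip is taken from the question; the tmsh command and the sample records in the comment, the static::allowlist_enforce variable and the log wording are assumptions for this example.

```tcl
# Added example, not from the original thread.
#
# Assumed address data group (host and network entries both work):
#   create ltm data-group internal datagroup_allowed_ip type ip \
#       records add { 10.0.0.0/8 { } 192.0.2.10 { } }

when RULE_INIT {
    # 0 = audit: log clients that are not in the data group but let them through
    #     (cut-over phase while the allow list is still being built)
    # 1 = enforce: log those clients and reset their connection
    # RULE_INIT runs when the iRule is saved, so re-save the iRule after
    # changing this value.
    set static::allowlist_enforce 0
}

when CLIENT_ACCEPTED {
    # "equals" on an address data group is a prefix match, so a single
    # entry such as 10.0.0.0/8 covers the whole network.
    if { [class match [IP::client_addr] equals datagroup_allowed_ip] } {
        # Known client: nothing to log, let the connection proceed
        return
    }

    if { $static::allowlist_enforce } {
        log local0. "Rejected connection on [virtual name]: client [IP::client_addr] is not in datagroup_allowed_ip"
        # reject sends a reset to the client; use "drop" instead for a silent discard
        reject
    } else {
        log local0. "Audit on [virtual name]: client [IP::client_addr] is not in datagroup_allowed_ip (allowed, enforcement off)"
    }
}
```

Two practical notes. First, this logs once per connection, not per request, because it hangs off CLIENT_ACCEPTED; on a busy virtual server with many unknown clients that can still fill /var/log/ltm quickly, so review the log volume early in the audit window. Second, grep the audit lines for the distinct client addresses before flipping the switch, and prefer adding networks rather than individual hosts to the data group where the source ranges are known, so the list stays short and readable.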

SanjayP gave you a good suggestion, but I recommend trying a local traffic policy, as it now supports data groups. This way is better than using a non-optimized iRule, and it is easier to work with a local traffic policy when possible.

F5 Employee

Sanjay's example is good, but as Nikoolayy1 pointed out, this can be done more efficiently with a local traffic policy. Initially, the policy might look like this:

   (tmos)# list /ltm policy reject_disallowed_ip_addresses
   ltm policy reject_disallowed_ip_addresses {
       last-modified 2021-04-10:15:59:01
       requires { tcp }
       rules {
           reject_disallowed_ip_addresses {
               actions {
                   0 {
                       log
                       client-accepted
                       write
                       facility local0
                       message "tcl:Dropping connection for client [IP::client_addr] not in datagroup"
                       priority info
                   }
               }
               conditions {
                   0 {
                       tcp
                       client-accepted
                       address
                       matches
                       datagroup disallowed_ips
                   }
               }
           }
       }
       status published
       strategy first-match
   }

When you are ready to actually reject the traffic, change the log action to Reset traffic at client-accepted.


With respect to what the value setting is in a datagroup entry, it is optional and would allow you to associate some value with the key portion of the entry. In your case, you do not need it.


Thanks all, I got it working; thanks for the very quick replies.