Forum Discussion

WAF_Monkey
Dec 02, 2020

iRule to reference data group for whitelisting IP

This has got to be simple but I can't figure it out!! :-( Can anyone help me to write an iRule that will reference a data group list of IP addresses I want to whitelist on ASM? I don't want to de...
  • crodriguez
    Dec 03, 2020

    You can log the unblocked requests from within the local traffic policy. (I had log statements in both my rules, but removed them for the answer above.) There is a log action that can be added on the disable ASM rule. For example:

    ltm policy disable_asm_for_select_IPs {
        controls { asm }
        last-modified 2020-12-03:15:50:12
        requires { http tcp }
        rules {
            disable_asm_for_select_IPs {
                actions {
                    0 {
                        asm
                        disable
                    }
                    1 {
                        log
                        write
                        facility local0
                        message "tcl:ASM disabled for allowed IP [IP::client_addr]"
                        priority info
                    }
                }
                conditions {
                    0 {
                        tcp
                        address
                        matches
                        datagroup no_ASM_IPs
                    }
                }
            }
            enable_asm_for_all_traffic {
                actions {
                    0 {
                        asm
                        enable
                        policy /Common/lab_8_manual
                    }
                }
                ordinal 1
            }
        }
        status published
        strategy first-match
    }
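For completeness, here is the iRule form of the same allowlist, since the question asked for an iRule rather than a local traffic policy. This is an added example, not code from the thread or from F5; it assumes `no_ASM_IPs` is an existing address-type (ip) data group, that `/Common/lab_8_manual` is the ASM policy attached to the virtual server, and that the iRule is assigned to that virtual server.

```tcl
# Added example, not from the original thread.
# Assumptions: an address-type data group named no_ASM_IPs exists, and the
# ASM policy /Common/lab_8_manual is attached to the virtual server this
# iRule is assigned to.
when HTTP_REQUEST {
    # class match against an address data group is a network match, so an
    # entry such as 10.0.0.0/8 covers the whole range, not only one host.
    if { [class match [IP::client_addr] equals no_ASM_IPs] } {
        # Skip ASM enforcement for this request only, and leave an audit trail
        # so the bypass is visible in /var/log/ltm.
        ASM::disable
        log local0. "ASM disabled for allowed IP [IP::client_addr]"
    } else {
        # Every other client goes through the named security policy.
        ASM::enable /Common/lab_8_manual
    }
}
```

Two caveats a practitioner should keep in mind: the decision is made on `[IP::client_addr]`, the TCP peer, so if a proxy or CDN sits in front of the BIG-IP the matched address is the proxy, not the end user, and switching the check to a client-supplied header such as X-Forwarded-For would let anyone spoof their way onto the allowlist. The data group also must be of type address; a string data group will not perform the subnet match shown here.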