Block IP Addresses With Data Group And Log Requests On ASM Event Log

Problem this snippet solves:

This is Irule which will block IP Addresses that are not allowed in your organization. instead of adding each IP Address in Security ›› Application Security : IP Addresses : IP Address Exceptions you can create a data group and use a simple IRULE to block hundreds of Addressess. Also,createing a unique signature to specify the request of the illigile IP Address.

First, You will need to create Data Group under Local Traffic ›› iRules : Data Group List and add your illigile IP Addresses to the list. If you have hundreds of IP's that you want to block, you can to it in TMSH using this command: TMSH/modify ltm data-group internal <Data-Group-Name> { records add {IP-ADDRESS} }

Now, We are ready to create the IRULE under Local Traffic ›› iRules : iRule List

Last, Create violation list under Security ›› Options : Application Security : Advanced Configuration : Violations List Create -> Name:Illegal_IP_Address -> Type:Access Violation -> Severity:Critical -> Update

Don't forgat to enable trigger ASM IRULE events with "Normal Mode"

How to use this snippet:

Code :

when HTTP_REQUEST {
  set reqBlock 0
  if { [class match [IP::remote_addr] equals ] } {
  set reqBlock 1
 # log local0. "HTTP_REQUEST [IP::client_addr]"
  }
}

when ASM_REQUEST_DONE {
  if { $reqBlock == 1} {
    ASM::raise "Illegal_IP_Address"
  #    log local0. "ASM_REQUEST_DONE [IP::client_addr]"
  }
}

Tested this on version:

13.0
Published Feb 17, 2019
Version 1.0

Was this article helpful?

No CommentsBe the first to comment