NimbostratusI'd like to add an iRule to block a specific Activesync DeviceId (SamsungXYZ123) Reason: This phone has been trying to auth approx 20,000 times per day for 11 months... (Ex-Employee)
Does this look ok? I have very little iRule experience.
priority 100 when HTTP_REQUEST {
if {[HTTP::header "DeviceId"] equals {SamsungXYZ123} } reject } } }
CirrostratusSure. You're very close. I don't see the need for the priority so I've dropped that. I've changed 'reject' to 'drop' so no TCP RST is sent, saving a few more CPU cycles and a tiny bit of memory. Just ensure the case of the header and it's value are correct (or alternatively use 'string tolower' to make everything lower case).
when HTTP_REQUEST {
if { [HTTP::header value "DeviceId"] equals "SamsungXYZ123" } {
drop }
}
NimbostratusHmmm. It's not working. I wonder if it's a case sensitivity issue that you mentioned. Would you mind explaining the 'string tolower option? Is that a checkbox in the GUI? or part of the iRule?
CirrostratusPart of the iRule. It seems the HTTP header command is case insensitive about the header name but not it's value. If you ensure the string your matching against is lower case we can avoid doing the conversion to lower case twice. I've added some logging too which you can remove or comment out later;
when HTTP_REQUEST {
if { [string tolower [HTTP::header value "DeviceId"]] equals "samsungxyz123" } {
drop
log local0. "Dropped a request from [HTTP::header value "DeviceId"]"
}
}
CirrostratusYou may also want to change the equals to contains if the specific user-agent isn't exactly samsungxyz123.
Aaron
NimbostratusHi it is an irule command.