should I add deny all policy at end of Advanced Resource Assignment

Question

should I add deny at end of Advanced Resource Assignment to deny any access except the access specified in the access list, like below example I have entry that have specific access list then I added deny at end that will match on all entry because it doesn't have expression, by this the entry will only have access to IPs in access list any other IPs are denied or should I remove the deny rule as the default implicit is deny?, will the user have access to any without this explicit deny rule?&nbsp;
also if resource assign order doesn't matter, does this mean if the deny entry loaded first before the permit entry user will not be able to access any resources?&nbsp;
&nbsp;

stanislas_piro2 · Answer

Yes, it is recommended to add such ACL!&nbsp;
But the resource assign order doesn’t matter! The ACL order does!&nbsp;

stanislas_piro2 · Answer

ACL order matters. then inside ACL, entry order matters...&nbsp;
Why 1000??? do you really need more than 1000 ACL?&nbsp;
I don't know if there is a limit. you can try with 10000.&nbsp;
but any time you create a new resource, don't forget to define an ACL order less than the deny all ACL.&nbsp;

Forum Discussion

should I add deny all policy at end of Advanced Resource Assignment

2 Replies

Recent Discussions

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

ASM instance creation

Can iRule mask the payload content on event logs of security

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

F5Access | MacOS Sonoma

Related Content

DevCentral Resources

From ASM to Advanced WAF: Advancing your Application Security

APM Webtop didn't appear in the Advanced resource assignment agent in trial VM V17.1.0

SSL Orchestrator Advanced Use Cases: Detecting Generative AI

SSL Orchestrator Advanced Use Cases: DNS Sinkholing