Forum Discussion

LJB_107563
May 28, 2009

Scanner allowances

I have several scanning engines that need to properly assess the actual state of our many web servers and apps. I have the web servers all in blocking mode, which also blocks the scanning engines and, most importantly, our PCI external scan. Is there some way (short of an iRule) that I can allow a specific source IP to not be blocked at any level?

Thanks

2 Replies

  • Hi,

    ASM doesn't have a concept of enforcing different policies based on client IP address. It's up to TMM to handle the logic of selecting the ASM web app/policy.

    It might be cleaner to configure a separate VIP which is restricted by source IP address that does not have an HTTP class or ASM policy enabled. This ensures complete separation between general users and the specific clients that should not go through ASM. You could enforce the source IP restrictions using an iRule, packet filters and/or an external firewall.

    If you really want to use the same VIP for both types of users, you could use an interesting workaround that a previous poster suggested:

    Restricting Access by IP to different web application

    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=31&tpage=1&view=topic&postid=22747

    There is an existing request for enhancement to add source IP address as a filter for HTTP classes. It seems like it would make a lot of sense. If you want to add your request to the list, you could open a case with F5 Support and ask them to find the RFE CR for you.

    Or you could use an iRule which selects the HTTP class based on the source IP address/subnet. You can do this using HTTP::class and a datagroup of type 'address'.

    Aaron
  • Thanks a million. I will have to both make a request for enhancement and an iRule. I have in excess of 400 VIPs and don't much feel like replicating them. Thanks for the help!
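The two approaches Aaron describes above, written out as iRules. This is an added example and is not code from the thread or from F5. It assumes two HTTP classes already exist on the virtual server, `app_asm_class` (ASM policy attached) and `app_noasm_class` (same match criteria, no ASM policy), an address-type datagroup named `scanner_ips` holding the scanner and PCI ASV source addresses, and the v10.x `class` command; all of these names are hypothetical.

```tcl
# Added example (not from the original thread or from F5).
#
# Assumed configuration:
#   - HTTP class "app_asm_class"   : ASM policy attached (blocking mode)
#   - HTTP class "app_noasm_class" : same match criteria, no ASM policy
#   - datagroup  "scanner_ips"     : type 'address', the scanner and
#                                    PCI ASV source IPs / subnets
# 'class match' is v10.x syntax. On v9.4 the equivalent test is
#   matchclass [IP::client_addr] equals $::scanner_ips

# iRule 1: same VIP for everyone, choose the HTTP class per request
# based on the client's source address.
when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals scanner_ips] } {
        # Allow-listed scanner: use the class with no ASM policy so the
        # scan sees the application's real responses instead of ASM blocks.
        HTTP::class select app_noasm_class
        # Leave an audit trail of every request that bypassed ASM.
        log local0. "ASM bypass for scanner [IP::client_addr]: [HTTP::host][HTTP::uri]"
    } else {
        # Everyone else stays behind the ASM policy.
        HTTP::class select app_asm_class
    }
}

# iRule 2 (alternative, goes on a dedicated scanner-only VIP that has no
# HTTP class / ASM policy attached): drop any connection whose source is
# not in the datagroup, so only the scanners can reach that VIP at all.
when CLIENT_ACCEPTED {
    if { ![class match [IP::client_addr] equals scanner_ips] } {
        reject
    }
}
```

Whichever variant is used, the addresses in `scanner_ips` reach the application with no ASM protection at all, so the datagroup should contain only the scanner and ASV ranges and be reviewed when scanners are added or retired; the `log` line in iRule 1 gives a record of what bypassed the policy. With the same-VIP approach, the iRule still has to be attached to each of the virtual servers that should honour the allow list.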