always remember

Nothing is foolproof to a sufficiently talented fool... Make something
idiot proof, and the world will simply make a bigger idiot.

F5 BigIP LTM – iRule Accept Only UserAgent to Hostname

The following code snippet assumes you have a wildcard virtual host on the F5 LTM device, and that you want to allow traffic into that virtual host only when the request carries a specific User-Agent string and the hostname also matches.

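when HTTP_REQUEST {
    # Allow the request only when both the User-Agent and the Host header match.
    # starts_with also accepts a trailing port, and any longer host name that
    # begins with this string.
    if { ([HTTP::header "User-Agent"] equals "Browser 2.1.0") and ([string tolower [HTTP::host]] starts_with "subdomain.domain.com") } {
        return
    } else {
        # Everything else is silently dropped.
        drop
    }
}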

It should be modified to suit your specific requirements.

dave / April 14, 2020 / Code, F5 BigIP

F5 BigIP LTM – iRule Unblock Violation Name

In the event you need to unblock a triggered ASM block event within F5’s BigIP LTM/ASM appliances, the following iRule may be of use. The one shown below specifically unblocks illegal redirection attempts that match a URI partial string.

when ASM_REQUEST_DONE {
    # Lower-case the URI once so the partial matches are case-insensitive.
    set uri [string tolower [HTTP::uri]]
    # The body's opening brace must sit on the same line as the end of the condition.
    if { ([ASM::violation names] contains "VIOL_REDIRECT") and
         (($uri contains "/string1/") ||
          ($uri contains "/xyz-location/") ||
          ($uri contains "/abc/")) } {
        ASM::unblock
        log local0. "ASM unblocking [HTTP::uri] - (XYZ Manual iRule Unblock)"
    }
}

Additional Violation Names can be found under: Security -> Options -> Application Security -> Advanced Configuration -> Violations List -> Built-In Violations. You must use the internal ASM Violation Name in the iRule, not the friendly name shown in the event logs or the rest of the GUI.

The above is tested/working within F5 BigIP LTM VE v15.0.1
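
A narrower variant of the unblock iRule above, added here as an example and not part of the original post or of F5's documentation. It assumes the exempt locations are path prefixes (the same placeholder strings as above) and that `ASM::violation names` returns a Tcl list; it unblocks only when VIOL_REDIRECT is the sole violation on the request, so an unblock cannot also release a request that tripped something else.

```tcl
when ASM_REQUEST_DONE {
    # Placeholder prefixes taken from the iRule above; replace with your own.
    set allowed_prefixes { "/string1/" "/xyz-location/" "/abc/" }

    set names [ASM::violation names]

    # Nothing was flagged: nothing to unblock.
    if { [llength $names] == 0 } {
        return
    }

    # ASM::unblock releases the whole request, so stop as soon as any
    # violation other than VIOL_REDIRECT is present.
    foreach name $names {
        if { $name ne "VIOL_REDIRECT" } {
            return
        }
    }

    # Compare against the path only (HTTP::uri would include the query
    # string) and anchor the match at the start of the path.
    set path [string tolower [HTTP::path]]
    foreach prefix $allowed_prefixes {
        if { $path starts_with $prefix } {
            ASM::unblock
            # Record the client and ASM support ID so each unblock can be
            # tied back to the matching event log entry.
            log local0. "ASM unblocking [HTTP::uri] from [IP::client_addr] support_id=[ASM::support_id] - (XYZ Manual iRule Unblock)"
            return
        }
    }
}
```

Requests that still get blocked under this variant keep their normal ASM event log entry, which makes it easy to see whether a prefix needs adding.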

dave / March 18, 2020 / Code, F5 BigIP