tls_version_ip_group.md

Latest commit f5b78bd · May 18, 2022
TLS Version and IP Group

Match the TLS version and, if the client IP address is not present in the IP address group, drop the request.

F5 TLS Version and IP Group Match

```tcl
when HTTP_REQUEST {
    # Uncomment to trace every request: negotiated TLS version and client address
    #log local0. "[SSL::cipher version] and client [IP::client_addr]"
    set tls_ver [SSL::cipher version]
    # Drop legacy TLS clients whose source address is not in the IP_Group address data group
    if { (($tls_ver equals "TLSv1") || ($tls_ver equals "TLSv1.1")) && (not ([class match [IP::client_addr] equals IP_Group])) } {
        log local0. "dropped $tls_ver for [HTTP::host][HTTP::uri] source-ip [IP::client_addr] header [HTTP::header "User-Agent"]"
        drop
    }
}
```

Avi TLS Version and IP Group Match

```lua
-- Client address, User-Agent and the group lookup are computed once and reused
local client_ip = avi.vs.client_ip()
local ua = avi.http.get_header("user-agent")
local in_group = avi.ipgroup.contains("IP_Group", client_ip)
local proto = avi.ssl.protocol()

-- Each version must be compared explicitly: `proto == "TLSv1.0" or "TLSv1.1"`
-- leaves the bare string "TLSv1.1" always true, and `and` binds tighter than
-- `or`, so that form drops every client outside the group regardless of version.
if (proto == "TLSv1.0" or proto == "TLSv1.1") and not in_group then
    avi.vs.log("dropped " .. proto .. " source-ip " .. client_ip .. " ua " .. tostring(ua))
    avi.http.close_conn()
end
```
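The rule both snippets implement, as an added reference model (not code from this repository) that can be run against sample requests before deploying it: the group is a constructed CIDR list standing in for `IP_Group`, and `should_drop_buggy` renders the operator-precedence mistake in the original Avi condition so the requests it misclassifies can be listed.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for the IP_Group data group / IP group referenced on the page.
IP_GROUP = [ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
# F5 reports TLS 1.0 as "TLSv1"; the Avi snippet on the page compares against "TLSv1.0".
LEGACY_TLS = {"TLSv1", "TLSv1.0", "TLSv1.1"}


def in_ip_group(client_ip: str, group=IP_GROUP) -> bool:
    """Equivalent of `class match ... equals IP_Group` / avi.ipgroup.contains."""
    addr = ip_address(client_ip)
    return any(addr in net for net in group)


def should_drop(tls_version: str, client_ip: str) -> bool:
    """Intended rule: legacy TLS from an address outside the group is dropped."""
    return tls_version in LEGACY_TLS and not in_ip_group(client_ip)


def should_drop_buggy(tls_version: str, client_ip: str) -> bool:
    """Python rendering of `proto == "TLSv1.0" or "TLSv1.1" and contains == false`:
    the bare string "TLSv1.1" is always truthy and `and` binds tighter than `or`,
    so the version check covers only the 1.0 string and the group check is unconditional."""
    return tls_version == "TLSv1.0" or ("TLSv1.1" and not in_ip_group(client_ip))


def compare(samples):
    """Return the (tls_version, client_ip) samples on which the two predicates disagree."""
    return [(v, ip) for v, ip in samples if should_drop(v, ip) != should_drop_buggy(v, ip)]


SAMPLES = [  # constructed (tls_version, client_ip) pairs
    ("TLSv1.0", "10.1.2.3"),     # legacy TLS, inside group: allow
    ("TLSv1.0", "203.0.113.5"),  # legacy TLS, outside group: drop
    ("TLSv1.1", "203.0.113.5"),  # legacy TLS, outside group: drop
    ("TLSv1.2", "203.0.113.5"),  # modern TLS, outside group: allow
    ("TLSv1.2", "192.0.2.9"),    # modern TLS, inside group: allow
]

if __name__ == "__main__":
    for v, ip in SAMPLES:
        print(v, ip, "drop" if should_drop(v, ip) else "allow")
    print("buggy condition disagrees on:", compare(SAMPLES))
```

The buggy predicate drops the TLSv1.0 client that is inside the group and the TLSv1.2 client that is outside it, which is why the Avi condition needs an explicit comparison per version.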