Description
Can Silverline block IP Ranges?
Environment
- Silverline
- WAF
- DDoS
Answer
Yes, this is possible using either of the following methods:
Option 1: Using the IP denylist
This is the preferred option if you want to block the IP against all GRE tunnels and/or proxies.
Note: You can use https://www.ipaddressguide.com/cidr to convert an IP range to CIDR notation.
1. Navigate to Config > IP Management > IP Denylist
2. Click add and enter the CIDR range you calculated
More Info:
- How to Denylist IP Addresses for DDoS Routed Services
- How to Denylist IP Addresses for Proxy Services (WAF and DDoS)
Option 2: With an iRule
This option is preferred if you want to block the IP against only some of the proxies.
For example:
when HTTP_REQUEST priority 305 {
    # Block when the client source address matches an entry in the IP datatable
    if { ([class match -- [IP::client_addr] equals [call ag_info0::datatable_name Your_ip_datatable]]) } {
        # Log the block, answer with a 403 and close the connection
        set agl [call ag_log0::open -rulename IP_Denylist -rulever 1]
        call ag_log0::http_kvp $agl INFO action "IP blocked"
        HTTP::respond 403 content {<html><body><h1>Unauthorized</h1></body></html>} noserver Connection close
        TCP::close
    }
}
This iRule blocks traffic based on the source IP address and sends an HTTP response, which can be modified.
To deploy the iRule, create a ticket with the SOC and provide the following:
1. Name for your iRule.
2. Name for the IP datatable.
To block an IP range with this method, enter the calculated CIDR into your IP datatable, for example: 64.22.34.234/20
More info: Q&A: What iRules are Supported by Silverline?
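Both options take CIDR input, so it is worth checking exactly which addresses an entry covers before submitting it. The following Python is an added example, not part of the original article or of any Silverline tooling; the function names are hypothetical and the 203.0.113.x range is a constructed sample, while 64.22.34.234/20 is the entry quoted above.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Minimal list of CIDR blocks covering first..last exactly (inclusive)."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if start.version != end.version:
        raise ValueError("range endpoints must be the same IP version")
    if start > end:
        raise ValueError("range start is above range end")
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]

def covering_cidr(first, last):
    """Smallest single CIDR containing the range, plus how many extra
    addresses it would block beyond the intended range."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if start.version != end.version or start > end:
        raise ValueError("invalid range")
    net = ipaddress.ip_network(f"{start}/{start.max_prefixlen}")
    while end not in net:
        net = net.supernet()          # widen by one prefix bit at a time
    intended = int(end) - int(start) + 1
    return str(net), net.num_addresses - intended

def normalize_cidr(entry):
    """Show what a CIDR entry covers, even when host bits are set."""
    net = ipaddress.ip_network(entry, strict=False)
    typed = ipaddress.ip_address(entry.split("/")[0])
    return {
        "network": str(net),
        "first": str(net[0]),
        "last": str(net[-1]),
        "addresses": net.num_addresses,
        "host_bits_set": typed != net.network_address,
    }

if __name__ == "__main__":
    # Constructed sample range (documentation address space).
    print(range_to_cidrs("203.0.113.10", "203.0.113.25"))
    print(covering_cidr("203.0.113.10", "203.0.113.25"))
    # The entry quoted in the article: a /20 written with host bits set.
    print(normalize_cidr("64.22.34.234/20"))
```

An exact range often needs several CIDR entries; collapsing it into one covering prefix blocks addresses outside the intended range, which `covering_cidr` quantifies.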