How To: Allow traffic only from specific IPs or subnets.
Article ID: CTX632450
Description
Create a Responder policy that blocks access to the bound virtual server depending on the source IP or source subnet of the client, so that the resource is only accessible from specific IPs and specific subnets.
Instructions
If subnets and multiple individual IPs need to be allowed, it is best to use a Data Set in which the list of allowed IPs is defined and can later be edited independently of the policy.
- Navigate to AppExpert > Data Sets and click on Add to create a new data set.
- Provide a name for the data set. In this case we are using "Allowlist".
- Insert values in the data set. In this case the values are individual external public IPs that will be allowed access to a resource.

- Navigate to AppExpert > Responder > Policies and select Add.
- Provide a name for the responder policy and select DROP from the action dropdown.
- In the Expression box, specify which IPs will be allowed. Because the action is DROP, the expression has to match every client that is NOT allowed. For this example, we use the expression below, which drops any client whose source IP is not included in the data set "Allowlist" and also does not belong to the internal subnet 10.14.31.0/24:
(CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY("Allowlist").NOT && CLIENT.IP.SRC.IN_SUBNET(10.14.31.0/24).NOT)
- Click on Done to finish creating the policy.
- Bind the Responder policy to the virtual server or resource where access needs to be restricted.
If subnets and a single individual IP need to be allowed, it is best not to use a Data Set, as this reduces the amount of processing required.
- Navigate to AppExpert > Responder > Policies and select Add.
- Provide a name for the responder policy and select DROP from the action dropdown.
- In the Expression box, specify which IPs will be allowed. Because the action is DROP, the expression has to match every client that is NOT allowed. For this example, we use the expression below, which drops any client whose source IP is not 10.122.8.10 and also does not belong to the internal subnet 10.14.31.0/24:
(CLIENT.IP.SRC.EQ(10.122.8.10).NOT && CLIENT.IP.SRC.IN_SUBNET(10.14.31.0/24).NOT)
- Click on Done to finish creating the policy.
- Bind the Responder policy to the virtual server or resource where access needs to be restricted.
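Both procedures above can also be carried out from the NetScaler command line; the following is an added example, not part of the original article. The policy names pol_allowlist and pol_allow_single, the load balancing virtual server name vs_app, the priority 100 and the two data set values are assumptions chosen for illustration, and the binding assumes the resource is a load balancing virtual server.

```netscaler
# Added example: CLI equivalent of the GUI steps in this article.
# pol_allowlist, pol_allow_single, vs_app and the two bound IPs are constructed names/values.

# Procedure 1: data set of individual IPs plus the internal subnet
add policy dataset Allowlist ipv4
bind policy dataset Allowlist 203.0.113.10
bind policy dataset Allowlist 198.51.100.25
add responder policy pol_allowlist "(CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Allowlist\").NOT && CLIENT.IP.SRC.IN_SUBNET(10.14.31.0/24).NOT)" DROP
bind lb vserver vs_app -policyName pol_allowlist -priority 100 -gotoPriorityExpression END -type REQUEST

# Procedure 2: single IP plus the internal subnet, no data set.
# Bind this policy instead of pol_allowlist when only one individual IP is allowed.
add responder policy pol_allow_single "(CLIENT.IP.SRC.EQ(10.122.8.10).NOT && CLIENT.IP.SRC.IN_SUBNET(10.14.31.0/24).NOT)" DROP

# Check after binding: the policy's hit counter should increase only when
# a client outside the allowed IPs and subnet connects.
show responder policy pol_allowlist
```

Test from one allowed and one non-allowed source address after binding, and confirm that only the non-allowed request increments the hit counter.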
Issue/Introduction
How to block access to a bound virtual server depending on the source IP or source subnet of the client, so that the resource is only accessible from specific IPs and specific subnets, by using a Responder policy.