Manual Chapter : Configuring SSRF hosts list

Applies To:

BIG-IP ASM

  • 21.0.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0

Configuring SSRF hosts list

  1. On the Main tab, click Security > Application Security > Security Policies > Policy List.
  2. Select the policy for which the hosts list is to be configured.
  3. Navigate to the Advanced Protection > SSRF Protection section.
  4. In the SSRF Hosts field, select the action from the dropdown and add the IP address or domain name.
    The following are a few examples of an IP address as a host:

    | CIDR | IP Range | Action | Is Configuration Allowed | Explanation |
    |---|---|---|---|---|
    | 10.20.30.40 | 10.20.30.40 | Deny | Yes | Traffic that contains 10.20.30.40 as a URI Parameter value will be blocked with SSRF violation. |
    | 100.200.254.50/32 | 100.200.254.50 | Allow | Yes | Traffic that contains 100.200.254.50 as a URI Parameter value will be allowed. |
    | 200.0.0.0/24 | 200.0.0.0 – 200.0.0.255 | Deny | Yes | Traffic that contains any IP Address in the configured IP Range as URI Parameter value will be blocked. |
    | 255.255.255.256 | Not applicable | Deny | No | Each IP Octet in IPv4 Address should be in the Range 0-255. |
    | 001.2.3.4 | Not applicable | Deny | No | IP octet should not start with two consecutive zeros. |
    | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | Allow | Yes | Traffic which contains configured IP Address as URI Parameter value will be allowed. |
    | 2002:0000:0000:1234:0000:0000:0000:0000/64 | 2002:0000:0000:1234:0000:0000:0000:0000 - 2002:0000:0000:1234:ffff:ffff:ffff:ffff | Deny | Yes | Traffic that contains any IP Address in the configured IP Range as URI Parameter value will be allowed. |
    | 56FE::2159:5BBC::6594 | Not applicable | Deny | No | Double colon notation can be used only once in IPv6 Addresses. |
    | 56FE::2159:5BBC::1234/129 | Not applicable | Allow | No | Invalid CIDR. |

    The following are a few examples of a domain name as a host:

    | Domain Name | Action | Is configuration valid? | Explanation |
    |---|---|---|---|
    | abc123.com | Deny | Yes | Traffic that contains abc123.com as URI Parameter value will be blocked with SSRF violation. |
    | *.help.com | Allow | Yes | Traffic that contains any subdomain of domain help.com as URI Parameter value will be allowed. |
    | a$b.com | Deny | No | The domain name should not contain any special character. |
    | a..b.com | Deny | No | An empty subdomain is not valid. |

  5. Click Save and then Apply Policy.
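
The entry rules from the tables in step 4 can be checked before a host list is typed into the policy. The following is an added example, not F5 code and not BIG-IP's own validation logic: the function names are hypothetical, and the hostname label syntax and the handling of set host bits in a CIDR are assumptions marked in the comments.

```python
import ipaddress
import re

# Assumption: labels use letters, digits and inner hyphens. The page itself only
# rules out special characters and empty subdomains.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"(?:\*\.)?{LABEL}(?:\.{LABEL})+")


def check_ip(entry):
    addr = entry.split("/")[0]
    if addr.count("::") > 1:
        return False, "'::' used more than once"
    if ":" not in addr and any(o.startswith("00") for o in addr.split(".")):
        return False, "octet starts with two consecutive zeros"
    try:
        # strict=False: the page does not say how set host bits are treated.
        # Recent Python versions also reject any leading zero in an octet,
        # which is stricter than the rule stated in the table.
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        return False, str(exc)
    first, last = net[0].exploded, net[-1].exploded
    return True, first if first == last else f"{first} - {last}"


def check_host(entry):
    """Return (ok, detail): the covered range or pattern, else the reason."""
    entry = entry.strip()
    if ":" in entry or re.fullmatch(r"[0-9./]+", entry):
        return check_ip(entry)
    if ".." in entry:
        return False, "empty subdomain"
    if not DOMAIN_RE.fullmatch(entry):
        return False, "special character or malformed label"
    return True, entry.lower()


if __name__ == "__main__":
    # Entries taken from the tables above, plus the action chosen for each.
    for action, entry in [("Deny", "200.0.0.0/24"), ("Deny", "001.2.3.4"),
                          ("Allow", "*.help.com"), ("Deny", "a..b.com"),
                          ("Deny", "56FE::2159:5BBC::6594")]:
        ok, detail = check_host(entry)
        print(f"{action:5} {entry:24} {'OK ' if ok else 'BAD'} {detail}")
```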