Manual Chapter : Configuring SSRF hosts list

Applies To:

BIG-IP ASM

  • 17.5.1
  • 17.5.0

Configuring SSRF hosts list

  1. On the Main tab, click Security > Application Security > Security Policies > Policy List.

  2. Select the policy for which the hosts list is to be configured.

  3. Navigate to the Advanced Protection > SSRF Protection section.

  4. In the SSRF Hosts field, select the action from the dropdown and add the IP address or domain name.

    The following are a few examples of IP addresses as hosts:

    | CIDR | IP Range | Action | Is Configuration Allowed | Explanation |
    | --- | --- | --- | --- | --- |
    | 10.20.30.40 | 10.20.30.40 | Deny | Yes | Traffic that contains 10.20.30.40 as a URI parameter value will be blocked with an SSRF violation. |
    | 100.200.254.50/32 | 100.200.254.50 | Allow | Yes | Traffic that contains 100.200.254.50 as a URI parameter value will be allowed. |
    | 200.0.0.0/24 | 200.0.0.0 – 200.0.0.255 | Deny | Yes | Traffic that contains any IP address in the configured IP range as a URI parameter value will be blocked. |
    | 255.255.255.256 | Not applicable | Deny | No | Each octet in an IPv4 address must be in the range 0-255. |
    | 001.2.3.4 | Not applicable | Deny | No | An IP octet must not start with two consecutive zeros. |
    | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | Allow | Yes | Traffic that contains the configured IP address as a URI parameter value will be allowed. |
    | 2002:0000:0000:1234:0000:0000:0000:0000/64 | 2002:0000:0000:1234:0000:0000:0000:0000 – 2002:0000:0000:1234:ffff:ffff:ffff:ffff | Deny | Yes | Traffic that contains any IP address in the configured IP range as a URI parameter value will be blocked. |
    | 56FE::2159:5BBC::6594 | Not applicable | Deny | No | Double-colon notation can be used only once in an IPv6 address. |
    | 56FE::2159:5BBC::1234/129 | Not applicable | Allow | No | Invalid CIDR. |

    The following are a few examples of domain names as hosts:

    | Domain Name | Action | Is Configuration Valid? | Explanation |
    | --- | --- | --- | --- |
    | abc123.com | Deny | Yes | Traffic that contains abc123.com as a URI parameter value will be blocked with an SSRF violation. |
    | *.help.com | Allow | Yes | Traffic that contains any subdomain of help.com as a URI parameter value will be allowed. |
    | a$b.com | Deny | No | The domain name must not contain any special character. |
    | a..b.com | Deny | No | An empty subdomain is not valid. |
  5. Click Save and then Apply Policy.
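The two tables above illustrate which host entries the SSRF hosts list accepts and how a matching URI parameter value is treated. The following Python script is an added example, not F5 code and not how BIG-IP ASM implements the check internally: it validates candidate entries against the rules the tables state (octet range, leading zeros, single double-colon, prefix length, special characters, empty labels, `*.` wildcards), then evaluates sample parameter values against the accepted entries. The entry rows and parameter values are constructed from the tables; the handling of URL-shaped values, the first-match ordering, and the `None` result for a host no entry covers are assumptions of this example.

```python
"""Added example (not F5 code): validate SSRF host-list entries and evaluate
URI parameter values against them, using the rules shown in the page's tables."""
import ipaddress
import re
from urllib.parse import urlparse

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen (assumption).
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
# Anything made only of digits, dots and a slash is treated as an IPv4 entry.
IPV4ISH_RE = re.compile(r"^[0-9./]+$")


def validate_ip_host(text):
    """Return (network, None) for a valid IP/CIDR entry, else (None, reason)."""
    addr, _, prefix = text.partition("/")
    is_v6 = ":" in addr
    # The table reports "Invalid CIDR" for a /129 entry, so the prefix is checked first.
    if prefix and (not prefix.isdigit() or int(prefix) > (128 if is_v6 else 32)):
        return None, "Invalid CIDR."
    if is_v6:
        if addr.count("::") > 1:
            return None, "Double colon notation can be used only once in IPv6 Addresses."
    else:
        for octet in addr.split("."):
            if octet.startswith("00"):
                return None, "IP octet should not start with two consecutive zeros."
            if not octet.isdigit() or int(octet) > 255:
                return None, "Each IP Octet in IPv4 Address should be in the Range 0-255."
    try:
        # strict=False keeps the configured range even if host bits are set.
        return ipaddress.ip_network(text, strict=False), None
    except ValueError as exc:  # anything ipaddress still rejects (assumption: surfaced as-is)
        return None, str(exc)


def validate_domain_host(text):
    """Return (pattern, None) for a valid domain entry, else (None, reason)."""
    labels = text.lower().split(".")
    if labels[0] == "*":          # "*.help.com" means any subdomain of help.com
        labels = labels[1:]
    if len(labels) < 2:
        return None, "A domain name needs at least two labels."  # assumption
    for label in labels:
        if label == "":
            return None, "An empty subdomain is not valid."
        if not LABEL_RE.match(label):
            return None, "The domain name should not contain any special character."
    return text.lower(), None


def validate_host(text, action):
    """Classify an entry as IP or domain, validate it, and return (entry, None) or (None, reason)."""
    if action not in ("Allow", "Deny"):
        raise ValueError("action must be Allow or Deny")
    if ":" in text or IPV4ISH_RE.match(text):
        net, err = validate_ip_host(text)
        return (None, err) if err else ({"action": action, "net": net}, None)
    pattern, err = validate_domain_host(text)
    return (None, err) if err else ({"action": action, "domain": pattern}, None)


def build_entries(rows):
    """rows: iterable of (host, action). Returns (accepted entries, [(host, reason), ...])."""
    entries, rejected = [], []
    for host, action in rows:
        entry, err = validate_host(host, action)
        if err:
            rejected.append((host, err))
        else:
            entries.append(entry)
    return entries, rejected


def host_from_param(value):
    """Extract the host from a parameter value that is a bare host/IP or a URL (assumption)."""
    try:
        return str(ipaddress.ip_address(value))  # bare IP, including unbracketed IPv6
    except ValueError:
        pass
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()


def evaluate_param(value, entries):
    """Return the action of the first matching entry, or None if no entry covers the host."""
    host = host_from_param(value)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for entry in entries:
        if "net" in entry:
            if ip is not None and ip in entry["net"]:   # version mismatch is simply no match
                return entry["action"]
        elif entry["domain"].startswith("*."):
            if host.endswith(entry["domain"][1:]):       # ".help.com" suffix = any subdomain
                return entry["action"]
        elif host == entry["domain"]:
            return entry["action"]
    return None


# Constructed sample rows taken from the two tables above.
SAMPLE_ROWS = [("10.20.30.40", "Deny"), ("100.200.254.50/32", "Allow"), ("200.0.0.0/24", "Deny"),
               ("255.255.255.256", "Deny"), ("001.2.3.4", "Deny"),
               ("2002:0000:0000:1234:0000:0000:0000:0000/64", "Deny"),
               ("56FE::2159:5BBC::6594", "Deny"), ("56FE::2159:5BBC::1234/129", "Allow"),
               ("abc123.com", "Deny"), ("*.help.com", "Allow"), ("a$b.com", "Deny"), ("a..b.com", "Deny")]

if __name__ == "__main__":
    accepted, rejected = build_entries(SAMPLE_ROWS)
    for host, reason in rejected:
        print(f"rejected {host!r}: {reason}")
    for value in ["http://10.20.30.40/admin", "200.0.0.77", "https://docs.help.com/page", "example.org"]:
        print(f"{value!r} -> {evaluate_param(value, accepted)}")
```

Running the script prints the rejected rows with the same reasons the tables give and the decision for each sample parameter value; a value whose host no entry covers yields `None`, which is this example's way of saying the host list alone makes no decision for it.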

Parent topic: Mitigating Server-Side Request Forgery