APM^® access control lists (ACLs) restrict user access to host and port combinations that are specified in access control entries (ACEs). An ACE can apply to Layer 4 (the protocol layer), Layer 7 (the application layer), or both. A Layer 4 or Layer 7 ACL is used with network access, application access, or web access connections.

Unlike a Network Access webtop or a Portal Access webtop, a full webtop supports all types or\f resources. For many resources, such as app tunnels, you must assign them to a policy along with a full webtop. When you assign an app tunnel or a remote desktop resource to a policy, Access Policy Manager^® (APM^®) assigns the allow ACLs that it created for the resource items associated with them. With an app tunnel or a remote desktop resource assigned, F5^® strongly recommends that you also assign an ACL that rejects all other connections and place it last in the ACL order.

If you also add a Network Access resource to the policy, you must create and assign ACLs that allow users access to all the hosts and all parts of the web sites that you want them to access. Otherwise, the ACL that rejects all connections will stop them.

If you add a Portal Access resource to the policy, APM assigns the allow ACLs that it created for the resource items associated with the Portal Access resource. However, you must create and assign ACLs to allow access to the target of the Portal Access link, which is either a start URI or hosted content. Again, without ACLs that explicitly allow the user to connect, the ACL that rejects all connections will stop users from launching the application or the web site.

1. On the Main tab, click Access > Access Control Lists .
   The ACLs screen opens.
2. Click Create.
   The New ACL screen opens.
3. In the Name field, type a name for the access control list.
4. From the Type list, select Static.
5. Optional: In the Description field, add a description of the access control list.
6. Optional: From the ACL Order list, specify the relative order in which to add the new ACL respective to other ACLs:
   • Select After to add the ACL after a specific ACL and select the ACL.
   • Select Specify and type the specific order number.
   • Select Last to add the ACL at the last position in the list.
7. From the Match Case for Paths list, select Yes to match case for paths, or No to ignore path case.
   This setting specifies whether alphabetic case is considered when matching paths in an access control entry.
8. Click the Create button.
   The ACL Properties screen opens.
9. In the Access Control Entries area, click Add to add an entry.
   For an ACL to have an effect on traffic, you must configure at least one access control entry.
   The New Access Control Entry screen appears.
10. From the Type list, select the layers to which the access control entry applies:
    • L4 (Layer 4)
    • L7 (Layer 7)
    • L4+L7 (Layer 4 and Layer 7)
11. From the Action list, select the action for the access control entry:
    • Allow Permit the traffic.
    • Continue Skip checking against the remaining access control entries in this ACL and continue evaluation at the next ACL.
    • Discard Drop the packet silently.
    • Reject Drop the packet and send a TCP RST message on TCP flows or proper ICMP messages on UDP flows. Silently drop the packet on other protocols.
      Note: If HTTP traffic matches a Layer 4 ACL, APM sends a TCP RST message. If traffic matches a Layer 7 ACL and is denied, APM sends the ACL Deny page.
    To create a default access control list, complete this step, then skip to the last step in this procedure.
12. In the Source IP Address field, type the source IP address.
    This specifies the IP address to which the access control entry applies.
13. In the Source Mask field, type the network mask for the source IP address.
    This specifies the network mask for the source IP address to which the access control entry applies.
14. For the Source Port setting, select Port or Port Range.
    This setting specifies whether the access control entry applies to a single port or a range of ports.
15. In the Port field or the Start Port and End Port fields, specify the port or port ranges to which the access control entry applies.
    To simplify this choice, you can select from the list of common applications, to the right of the Port field, to add the typical port or ports for that protocol.
16. In the Destination IP Address field, type the IP address to which the access control entry controls access.
17. In the Destination Mask field, type the network mask for the destination IP address.
18. For the Destination Ports setting, select Port or Port Range.
    This setting specifies whether the access control entry applies to a single port or a range of ports.
19. In the Port field or the Start Port and End Port fields, specify the port or port ranges to which the access control entry applies.
    To simplify this choice, you can select from the list of common applications, to the right of the Port field, to add the typical port or ports for that protocol.
20. From the Scheme list, select the URI scheme for the access control entry:
    • http
    • https
    • any
    The scheme any matches either HTTP or HTTPS traffic.
21. In the Host Name field, type a host to which the access control entry applies.
    The Host Name field supports shell glob matching: you can use the asterisk wildcard (*) to match match zero or more characters, and the question mark wildcard (?) to match a single character.
    *.siterequest.com matches siterequest.com with any prefix, such as www.siterequest.com, mail.siterequest.com, finance.siterequest.com, and any others with the same pattern.
    n?t.siterequest.com matches the hosts net.siterequest.com and not.siterequest.com, but not neet.siterequest.com, nt.siterequrest.com, or note.siterequest.com.
22. In the Paths field, type the path or paths to which the access control entry applies.
    You can separate multiple paths with spaces, for example, /news /finance. The Paths field supports shell glob matching. You can use the wildcard characters * and question mark (?) to represent multiple or single characters, respectively. You can also type a specific URI, for example, /finance/content/earnings.asp, or a specific extension, for example, *.jsp.
23. From the Protocol list, select the protocol to which the access control entry applies.
24. From the Log list, select the log level for this access control entry:
    • None Log nothing.
    • Packet Log the matched packet.
    When events occur at the selected log level, the server records a log message.
25. Click Finished.

This example access control entry (ACE) rejects all connections to a specific network at 192.168.112.0/24.

This example access control entry (ACE) allows SSH connections to the internal host at 192.168.112.9.

This example access control entry (ACE) rejects all connections that attempt to open files with the extensions doc, exe, and txt.