Administrators may need to build an Identify Document task to match a request or response using multiple values.
For example, the steps below configure a task that limits access based on the value of the X-Forwarded-For request header, where the X-Forwarded-For value can be any of 10 IP addresses.
There are a couple of ways to accomplish this.
1. The easiest way to do this is to use the Identify Document task with a header filter that looks at the value of the X-Forwarded-For header. Set the comparator to =, then enter the IPs in the Value field, separated by the | character. Note that there are no spaces between the IPs and the | character.
Here is the example broken out:
Filter Type: Request Header
Header Name: X-Forwarded-For
Comparator: =
Value Type: Constant
Value: ip1|ip2|ip3
With this task list you'll also need the 'No Matching XML' IDP rule to block if the X-Forwarded-For header doesn't match one of the defined IPs.
2. Alternatively, you could use 10 different tasks in the same task list group, each with a unique Identify Document task (header filter) that looks at the value of the X-Forwarded-For header and tries to match 1 of the 10 IP addresses. So task list 1 looks for IP 1, task list 2 for IP 2, and so on. You would need to ensure that the 'No Matching XML' IDP rule is enabled on the policy; then, as long as one matches, the request will go through.
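A pre-deployment check for the Value string in option 1, as an added example that is not part of the original article or the product: it builds the pipe-separated string from a list of IPs and flags spaces, empty entries, non-IP entries and duplicates. The function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress


def build_filter_value(addresses):
    """Build the Value string: IPs joined by '|' with no spaces (hypothetical helper)."""
    seen, parts = set(), []
    for raw in addresses:
        text = raw.strip()
        ip = ipaddress.ip_address(text)  # ValueError unless this is one IP address
        if ip not in seen:               # skip repeated addresses
            seen.add(ip)
            parts.append(text)
    if not parts:
        raise ValueError("at least one IP address is required")
    return "|".join(parts)


def lint_filter_value(value):
    """Return a list of problems in an existing Value string (hypothetical helper)."""
    problems = []
    if any(ch.isspace() for ch in value):
        problems.append("whitespace present")
    seen = set()
    for i, part in enumerate(value.split("|"), 1):
        token = part.strip()
        if not token:
            problems.append(f"entry {i}: empty (stray '|')")
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            problems.append(f"entry {i}: {token!r} is not a single IP address")
            continue
        if ip in seen:
            problems.append(f"entry {i}: duplicate {ip}")
        seen.add(ip)
    return problems


if __name__ == "__main__":
    # Constructed sample input (documentation address ranges).
    allowed = ["192.0.2.10", "198.51.100.7", "203.0.113.25"]
    print(build_filter_value(allowed))
    print(lint_filter_value("192.0.2.10 | 198.51.100.7"))
```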