How To: Content Policy Access Control using Source IP Filtering at the Task List Layer

While IP ACL filtering can be done at the network policy and virtual directory layers with the IP ACL option you can also do source IP filtering at the task list layer.

With the Identify Document task, build a Header Filter that uses "Source IP Address" as the Filter Type.

You can use the = Comparator, constant as the Value Type and then in the Value field list out the specific IPs that you want to match -
all separated by the or operator || (see article linked below). This will work if you want to list out all of the IPs manually instead of a range.

How To: Configure Identify Document Task to Match Multiple Values -

For a network address or range of addresses, you could use a regex expression in the Value field or even the "starts with" comparator.

For example:

For the network address you would use: 10\.\d{1,3}\.\d{1,3}\.\d{1,3}
For the range to use: 192\.168\.1\.1(([0-9][0-9])|(2[0-9]))

The following steps shows how to add the task list:

Go to Gateway--->Task Lists and click New and fill in Name and other info
Click Save then click New
Select Identify Document then click Next
Click New for "Header Filters" an fill in the info as follows

Filter Type:                  Source Ip Address
Header Name*:
Comparator:               =
Value Type:                Constant
Value:                          10\.\d{1,3}\.\d{1,3}\.\d{1,3}

Click Create then create a Task List Group and Add this Task list to it.

Next you need to add this Task List Group to the Content Policy in question and make sure the 'No Matching XML' IDP rule is set to Enforce by IP and Abort is defined.


The Result when the incoming IP Address is not a match:

Server Error 500

No Matching IP
System Name: Malak-PC
Server Policy: New XML Policy
Matched task list:
Failure occurred in task:

The System log on Sentry should show:

11:22:32.533 Document entered Communications Layer
11:22:32.534 Received an HTTP request:
Protocol: HTTP/1.1
Scheme: http
Method: GET
Request URL:
Listener Policy: HttpListenerPolic4
Virtual Directory: New Virtual Directory
Virtual path: /*
Auth Type:
Header Info:
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8

11:22:32.535 Processing request for 'XML Policy: 'New XML Policy''
11:22:32.535 ACL check skipped - no ACL associated with network policy 'HttpListenerPolic4'
11:22:32.536 ACL check skipped - no ACL associated with virtual directory '/*'
11:22:32.537 Message type filter match succeeded - matched filter 'HTTP GET' of type Simple
11:22:32.538 Request document:

11:22:32.539 No TaskListGroup configured, document will not be processed
11:22:32.539 Failed to identify incoming document with a TaskList using TaskListGroup 'Compare_IP_Task_List_Group', document will not be processed
11:22:32.540 IDP Rule: 'No Matching XML', IDP Group 'Default XML Policy Group', Associated Policy: XML Policy: 'New XML Policy', Triggered 1 time(s) on Request, Policy:
New XML Policy, Client IP:, User: -. No matching XML filter.
11:22:32.540 Failed to identify incoming document:

11:22:32.541 Message type filter encode: document was generated locally; encoding with 'simple' format
11:22:32.541 Sending client an internally generated error response:
Status Code: 500
Header Info:
Content-Type: text/html
Message Body:
<html><head><title>Server Error 500</title></head>
<body><h1>Server Error 500</h1>
<big><b>No Matching IP</b></big>
<b>System Name:</b> Malak-PC<br>
<b>Server Policy:</b> New XML Policy<br>
<b>Matched task list:</b> <br>
<b>Failure occurred in task:</b> <br>

11:22:32.543 Document left Communications Layer


Article is closed for comments.