Restrict Access to IP Address Range Assertion

The Restrict Access to IP Address Range assertion allows you to restrict or allow service access based on the IP address of the web service or XML application requestor.
The IP address of the requestor considered when this assertion is run can either be the actual remote IP address available at the TCP level or a string extracted from the message. The latter case can be used, for example, when requests are first forwarded through multiple network components before arriving at the API Gateway. If such network components are configured to pass down the original IP address through an HTTP or SOAP header, that information source can then be configured in the Restrict Access to IP Address Range assertion using context variables.
When using a context variable as the source for the IP address, that source is first filtered using the following Regular Expression: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
This will filter out any extraneous information, such as a client port number. The accepted formats are "ipv4_literal", "ipv4_literal:port", "ipv6_literal", "[ipv6_literal]:port".
Using the assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Add an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. When adding the assertion, the IP Address Range Properties automatically appear; when modifying the assertion, right-click [Allow|Forbid] IP Address Range in the policy window and select IP Address Range Properties or double-click the assertion in the policy window. The assertion properties are displayed.
  3. Configure the properties as follows:
    Setting: Description
    Authorize/Forbid: From the drop-down list, select Authorize if you are permitting access to the IP range listed. Select Forbid if you are restricting access to the IP range listed.
    IP range: Enter the allowable or forbidden IP address and/or "bits" in accordance with the CIDR (Classless Inter-Domain Routing) standard. Both IPv4 and IPv6 addresses are supported.
    Requestor IP address source: Specify how the API Gateway should determine the source IP address:
      • Select TCP to use the IP address associated with the TCP request.
      • Select Context variable and then enter any context variable that resolves to a valid IP address. The default is request.tcp.remoteAddress, which will return the remote address of the TCP connection through which the message arrived.
      To learn more about context variables, see Context Variables.
  4. Click [OK] when done.
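
To check a planned IP range and Authorize/Forbid choice against sample source values before building the policy, the following added example (not the gateway's own code) models the decision in Python for the four accepted address formats listed above. The function names, the port-stripping patterns, and the fail-closed handling of unparseable values are assumptions made for illustration.

```python
import ipaddress
import re

# Address shapes the page lists as accepted; how the port is separated from
# the address here is an assumption, not the gateway's implementation.
_BRACKETED_V6 = re.compile(r"^\[([0-9A-Fa-f:.]+)\](?::\d{1,5})?$")
_V4_WITH_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?$")


def parse_requestor(value):
    """Return an ip_address for value, or None if it is not a valid address."""
    value = value.strip()
    m = _BRACKETED_V6.match(value) or _V4_WITH_PORT.match(value)
    candidate = m.group(1) if m else value  # a bare IPv6 literal falls through
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None  # e.g. 999.1.1.1 fits the digit pattern but is no address


def evaluate(mode, cidr, source_value):
    """Model the assertion outcome: True = request passes, False = it fails.

    mode is "Authorize" or "Forbid", the two drop-down values on the page.
    Unparseable sources fail in both modes (fail closed, an assumption).
    """
    if mode not in ("Authorize", "Forbid"):
        raise ValueError("mode must be Authorize or Forbid")
    network = ipaddress.ip_network(cidr, strict=False)
    addr = parse_requestor(source_value)
    if addr is None:
        return False
    in_range = addr.version == network.version and addr in network
    return in_range if mode == "Authorize" else not in_range


# Constructed sample values: one per accepted format plus two malformed ones.
SAMPLES = ["10.1.2.3", "10.1.2.3:54321", "2001:db8::7", "[2001:db8::7]:443",
           "999.1.1.1", "unknown"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, evaluate("Authorize", "10.1.0.0/16", s),
              evaluate("Forbid", "2001:db8::/32", s))
```

A value taken from an HTTP or SOAP header is only as trustworthy as the network component that set it, so a context-variable source should name a header that the upstream component overwrites rather than passes through.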