Block ASN but not certain IP addresses or User Agents

I am blocking ASNs that have a lot of VPN/Proxies, but there are some IPs or some traffic from those ASNs based on user agent that I would like to allow. Is there a way to do this?

How are you blocking these ASNs?

In the firewall rules. Here is an example: ip.geoip.asnum eq 33387. That is one that I block.

In the same rule you can also define your exceptions.

1 Like

Yes, but I am not sure of the logic/syntax. my psuedo code would look something like: IF ASN = 12345 BUT NOT IP

What have you tried so far? You’d just need to combine the expressions properly. has all on that.

Ah! Thank you. That doc should have just what I need.

Something like this should do what you want for ASN and IP addresses:

If you want to include UA then you will need to switch to the [Edit Expression] mode and use something like

ip.geoip.asnum eq 33387 and not (ip.src in {} or http.user_agent contains "UserAgentToAllow")

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.