Blocking requests by combining originating IP & User-Agent

Hi Team,

We would like to block malicious requests if they come with a specific User-Agent header, but only if the request originated from a particular IP.

In other words, we would like to block all requests that come with a User-Agent of (for example) “Mozilla”, but only if they come from IP A.B.C.D, i.e. we don’t want to block all requests from “Mozilla” agents or every request from A.B.C.D.

Is it possible to achieve that with an API call?

Thanks in advance.

You can perfectly achieve this with a firewall rule. What is the user agent in question?

It is not known in advance, but it would be some standard like "[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:63.0) Gecko/20100101 Firefox/63.0](https://developers.whatismybrowser.com/useragents/parse/741071-firefox-windows-gecko)" or "[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36](https://developers.whatismybrowser.com/useragents/parse/716717-chrome-windows-blink)".

We have an internal system for identification of malicious requests and we would like to block the offenders.

The problem is that we have customers sharing a single public IP and therefore we don’t want to block the IP on the FW. Obviously, if we did, we would block legitimate customers as well.
So, we would like to block on the combination of IP & User-Agent.

In this case

(http.user_agent eq "USERAGENT" and ip.src eq IPADDRESS)
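Because the User-Agent is chosen by the client, a system that generates this expression automatically from detections should validate the IP and escape the header value before placing it inside the quotes. The sketch below is an added example, not code from this thread or from the firewall vendor; the function names, the length cap and the sample address are hypothetical, and it assumes that `"` and `\` inside a quoted string are escaped with a backslash.

```python
import ipaddress

MAX_UA_LEN = 512  # assumed cap, not a documented limit


def escape_user_agent(user_agent: str) -> str:
    """Escape a client-supplied User-Agent for a double-quoted string literal."""
    if not user_agent or len(user_agent) > MAX_UA_LEN:
        raise ValueError("User-Agent is empty or too long")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in user_agent):
        raise ValueError("User-Agent contains control characters")
    # Escape backslashes first so the ones added for quotes are not doubled.
    return user_agent.replace("\\", "\\\\").replace('"', '\\"')


def build_block_expression(ip: str, user_agent: str) -> str:
    """Return the combined rule: match only this User-Agent from this one IP."""
    # ip_address() rejects ranges, hostnames and trailing junk, so nothing
    # except a single canonical IPv4/IPv6 address reaches the expression.
    addr = ipaddress.ip_address(ip.strip())
    return f'(http.user_agent eq "{escape_user_agent(user_agent)}" and ip.src eq {addr})'


def expressions_for(detections):
    """De-duplicate (ip, user_agent) detections into a sorted list of expressions."""
    return sorted({build_block_expression(ip, ua) for ip, ua in detections})


if __name__ == "__main__":
    # Constructed sample detections; 203.0.113.10 is a documentation address.
    sample = [
        ("203.0.113.10", "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:63.0) "
                         "Gecko/20100101 Firefox/63.0"),
        ("203.0.113.10", 'Odd"UA\\x'),  # quote and backslash get escaped
    ]
    for expr in expressions_for(sample):
        print(expr)
```

Without the escaping step, a quote inside the header value would end the string early and could change which requests the rule matches, including the legitimate customers behind the shared IP.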

Great. Many thanks.
