Layer7 API Management

  • 1.  Duplicate whitelisted IPs

    Posted Apr 29, 2016 11:21 AM

    Hello All,

     

    I am observing one issue with all versions. I am using the assertion below to whitelist my IP, to restrict access to only me and some other persons' IPs.

    Restrict Access to IP Address Range

     

    I have added almost 20 IPs for testing purposes, but it's accepting the same IP multiple times. It means duplicates are also accepted.

     

    How can I restrict it so that duplicate IPs are not allowed?

     

    Thanks & regards

    Rajasekhar



  • 2.  Re: Duplicate whitelisted IPs

    Posted May 03, 2016 09:03 AM

    Can someone please help on this request?



  • 3.  Re: Duplicate whitelisted IPs

    Posted May 03, 2016 11:37 AM

    Hi rajasekhar33,

     

    Can you please provide more information? I am looking for information such as the following:

    1. What version of API Gateway are you using?
    2. What platform are you running Policy Manager on? I.e. Windows, Linux, etc. (and what version of the platform?)
    3. That assertion can only have a range or a specific IP address but one entry in the assertion only... so how are you adding 20 IPs and some of them being the same... is that through dragging that assertion to the policy 20 times, for example?
    4. What does your policy look like at this moment in time?

     

    I am going to go out on a limb and say that this is most likely not something we can prevent (at least not easily), as I can imagine use-cases where the same IP needs to be authorized in different branches of the policy logic tree. I admittedly can't imagine that would be used in that way very often at all, and I would suspect there are better ways to do that, but it is theoretically possible.

     

    Sincerely,

     

    Dustin Dauncey

    Support Engineer, Global Customer Success

    Email: API-Support@ca.com

    Phone: +1 800 225 5224

    Outside of North America - ca.com/us/worldwide.aspx

    CA API Management Community: ca.com/talkapi



  • 4.  Re: Duplicate whitelisted IPs

    Posted May 04, 2016 05:42 AM

    Hi Dustin,

     

            Please find the requested details below.

    1. What version of API Gateway are you using?

       Ans:  API Gateway 9.0

    2. What platform are you running Policy Manager on? I.e. Windows, Linux, etc. (and what version of the platform?)

        

    Ans: Windows 2003 Server

     

    3. That assertion can only have a range or a specific IP address but one entry in the assertion only... so how are you adding 20 IPs and some of them being the same... is that through dragging that assertion to the policy 20 times, for example?

      

      Ans: It depends. Sometimes I add a single IP and sometimes a range of IPs. Not all 20 IPs are the same. Sometimes I am doing that for testing.

     

    4. What does your policy look like at this moment in time?

     

       Ans: Nothing is happening, but I don't want the same IP to be added multiple times.

     

    All I want here is that, if I try to add an existing IP, it has to give "IP already exists".

     

    Thanks & Regards

    Rajasekhar



  • 5.  Re: Duplicate whitelisted IPs
    Best Answer

    Posted May 16, 2016 09:26 AM

    Hello Rajasekhar,

     

    I assume you are using the Restrict Access to IP Address Range Assertion - CA Technologies Documentation. This assertion does not take multiple IP addresses as input. What it does is take a subnet (a set of IP addresses) and allow or deny all requests that come from those addresses. A subnet is defined like this: if we have a set of IPs from 192.168.1.0 to 192.168.1.255, the subnet is defined as 192.168.1.0/24, meaning that any IP with the first 24 bits matching that pattern will be accepted. If you want to block or allow a single IP, then you can use this format: 192.168.1.255/32, which means that all 32 bits of the IP need to match that pattern in order for the request to be allowed/blocked.

    You can find more information about IP subnetting here: IPv4 subnetting reference - Wikipedia, the free encyclopedia

     

    Now as I understand it you are adding multiple copies of the "Restrict Access to IP Address Range" in a single policy. If you do not want those assertions to have overlapping sets you should carefully configure those assertions.

    Furthermore, you should keep in mind the type of folder those assertions are in.

     

    I hope you find this information useful. Please, let us know if we can help you further, or if we can mark this question as "Answered".
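
Added example, not part of the original thread and not CA's code: a Python check for the duplicate and overlapping ranges discussed in the best answer. It assumes the value configured in each copy of the assertion has been copied out by hand into a list of IP/CIDR strings; the name `audit_allowlist` and the sample entries are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample: one string per copy of the
# "Restrict Access to IP Address Range" assertion in a policy.
SAMPLE_ENTRIES = [
    "192.168.1.0/24",
    "192.168.1.255/32",  # single host already covered by the /24 above
    "10.0.0.5/32",
    "10.0.0.5",          # same host written without a prefix length
    "172.16.4.9/30",     # host bits set; normalises to 172.16.4.8/30
    "172.16.4.8/30",
    "not-an-ip",
]


def audit_allowlist(entries):
    """Return (duplicates, overlaps, invalid) for a list of IP/CIDR strings.

    duplicates: pairs that normalise to the same network
    overlaps:   (narrower, wider) pairs where one range contains the other
    invalid:    entries that do not parse as an address or network
    """
    parsed, invalid = [], []
    for raw in entries:
        try:
            # strict=False masks off host bits instead of rejecting them
            parsed.append((raw, ipaddress.ip_network(raw.strip(), strict=False)))
        except ValueError:
            invalid.append(raw)

    duplicates, overlaps = [], []
    for (raw_a, net_a), (raw_b, net_b) in combinations(parsed, 2):
        if net_a.version != net_b.version:
            continue  # an IPv4 range never overlaps an IPv6 range
        if net_a == net_b:
            duplicates.append((raw_a, raw_b))
        elif net_a.overlaps(net_b):
            if net_a.prefixlen < net_b.prefixlen:
                overlaps.append((raw_b, raw_a))
            else:
                overlaps.append((raw_a, raw_b))
    return duplicates, overlaps, invalid


if __name__ == "__main__":
    dups, overs, bad = audit_allowlist(SAMPLE_ENTRIES)
    print("duplicates:", dups)
    print("overlaps:  ", overs)
    print("invalid:   ", bad)
```
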