About deny a transaction from a specific address of client to API Gateway.

Document ID : KB000099963
Last Modified Date : 04/06/2018
Question:
About deny a transaction from a specific address of client to API Gateway.

Can deny a transaction from a specific address of client to API Gateway in configuration of "Manage Firewall Rules"?
If yes, could you please let me know how to configure it?

In "Manage Firewall Rules"
01. Click Advanced Create.
02. Set according to the attached file. 
Source Address : client IP
Destination Address : Gateway IP
Rule Action : Drop

But, transactions of API Gateway are possible from that client.
 
Environment:
CA API Gateway - 8.x
CA API Gateway - 9.0
CA API Gateway - 9.1
CA API Gateway - 9.2
CA API Gateway - 9.3
Answer:
Both the listening ports and the custom firewall rules are written to the iptables-extras file in the /opt/SecureSpan/Appliance/var/firewall directory. Because the listening-port rules appear higher in the list, they take priority over the custom firewall rules: iptables applies the first rule that matches a packet and ignores everything below it.
So, for example, a request from that IP to port 8080 matches the third rule in the list, and the custom DROP rule further down is never reached.
The custom rule does block requests from that IP on ports other than the open listening ports. For example, SSH uses port 22, so a client at the blocked IP will not be able to SSH to the gateway.
There is a workaround using a global policy with a "Restrict Access to IP Address Range" assertion, but the best place to enforce this is the corporate firewall.

Sample iptables-extras file
    *filter
    [0:0] -A INPUT  -p tcp -m tcp --dport 3444 -j ACCEPT
    [0:0] -A INPUT  -p tcp -m tcp --dport 8443 -j ACCEPT
    [0:0] -A INPUT  -p tcp -m tcp --dport 8080 -j ACCEPT
    [0:0] -A INPUT  -p tcp -m tcp --dport 9443 -j ACCEPT
    [0:0] -A INPUT  -p tcp -m tcp --dport 2124 -j ACCEPT
    [0:0] -A INPUT  -p tcp -m tcp --dport 8081 -j ACCEPT
    COMMIT

    *filter
    [0:0] -A INPUT --protocol tcp --source xxx.xxx.xxx.xxx --in-interface eth0 -j DROP
    [0:0] -A INPUT --protocol tcp --destination-port 8374 -j ACCEPT
    [0:0] -A INPUT --protocol tcp --destin
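To make the first-match behaviour concrete, here is an added simulation (not part of this KB article or the gateway's code) that parses rules written like the sample above and walks an INPUT chain the way netfilter does. The rule lines are constructed to mirror the sample, with 192.0.2.10 (TEST-NET-1) standing in for xxx.xxx.xxx.xxx, and the chain policy used when nothing matches is an assumption.

```python
# Constructed sample modelled on the page's iptables-extras: the listening-port
# ACCEPTs come first, the custom DROP after. 192.0.2.10 (TEST-NET-1) stands in
# for the page's xxx.xxx.xxx.xxx.
BLOCKED_CLIENT = "192.0.2.10"
LISTEN_RULES = [f"[0:0] -A INPUT -p tcp -m tcp --dport {p} -j ACCEPT"
                for p in (3444, 8443, 8080, 9443, 2124, 8081)]
CUSTOM_RULES = [f"[0:0] -A INPUT --protocol tcp --source {BLOCKED_CLIENT}"
                " --in-interface eth0 -j DROP"]
GATEWAY_ORDER = LISTEN_RULES + CUSTOM_RULES   # order the appliance generates
WANTED_ORDER = CUSTOM_RULES + LISTEN_RULES    # order the question needs

def parse_rule(line):
    """Reduce one iptables-restore line to its match criteria and target."""
    toks, rule, i = line.split(), {}, 0
    while i < len(toks):
        t = toks[i]
        if t in ("-p", "--protocol"):
            rule["proto"] = toks[i + 1]
        elif t in ("--dport", "--destination-port"):
            rule["dport"] = int(toks[i + 1])
        elif t in ("-s", "--source"):
            rule["src"] = toks[i + 1]
        elif t in ("-i", "--in-interface"):
            rule["iface"] = toks[i + 1]
        elif t == "-j":
            rule["target"] = toks[i + 1]
        elif t not in ("-A", "-m"):      # "[0:0]" counters or unknown token
            i += 1
            continue
        i += 2                           # every handled option takes a value
    return rule

def matches(rule, pkt):
    """A criterion the rule does not set matches any packet."""
    return all(rule.get(k, pkt[k]) == pkt[k] for k in ("proto", "dport", "src", "iface"))

def verdict(rules, pkt, policy="DROP"):
    """Netfilter walks the chain top down; the first matching rule is final."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["target"]
    return policy                        # assumed chain policy when nothing matches

def from_blocked_client(dport):
    """TCP packet from the blocked client to the gateway on eth0."""
    return {"proto": "tcp", "dport": dport, "src": BLOCKED_CLIENT, "iface": "eth0"}
```

With the generated order, `verdict(GATEWAY_ORDER, from_blocked_client(8080))` returns ACCEPT because the third rule matches before the DROP is consulted, while port 22 reaches the DROP; with the DROP placed first, both are dropped and other clients still reach 8080.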