Rule Creation and CIDR Notation

Classless inter-domain routing (CIDR) notation is a shorthand representation of a range of IP addresses and their associated routing prefix. CIDR notation format is an IP address, a forward slash character, and an integer. For example:

F5 Distributed Cloud App Infrastructure Protection (AIP) supports rule creation using CIDR notation. The following Rule fields support CIDR notation:

Event Field Field Type
src_ip Linux Host, Windows Host
connection.addr Audit, Threat Intel
connection.dst_addr Audit, Threat Intel
connection.src_addr Audit, Threat Intel
dst_ip Windows Host
dstIpv6 Windows Host
srcIpv6 Windows Host


If you query CIDR notation on a field that does not support it, then your rules evaluate as false on that field.

Sample CIDR Notation Event Queries


An alert triggers when an event contains a value in the source IP address field that falls within the specific CIDR range:

src_ip = ""


An alert triggers when an event contains a value in the connection IP address field that falls outside of a specific CIDR range:

connection.addr != ""
Was this article helpful?
0 out of 0 found this helpful