Cisco CSS – Deny traffic based on User-Agent header

Within this article we will show you how to deny traffic based on the HTTP User-Agent header.

This is achieved by configuring a header-field-group. Within this group we define a header string rule that matches any header that does not contain a defined string. This group is then associated to a content rule.

header-field-group deny-agent
header-field ua1 user-agent not-contain “spider”

content VIP-88.88.88.88
protocol tcp
vip address 88.88.88.88
port 80
url “/*”
header-field-rule deny-agent
add service server1
add service server2

• Author
• Recent Posts

Rick Donato

Rick Donato is a Network Automation Architect/Evangelist and the founder of Packet Coders.

Latest posts by Rick Donato (see all)

• NETCONF & YANG: Automate Network Configs via Python - April 2, 2026
• Palo Alto – How to Configure Your Next-Generation Firewall - April 2, 2026
• How to Harden Linux SSH: Keys, Fail2ban & Ciphers - March 1, 2026

Want to become a networking expert ?

Here is our hand-picked selection of the best courses you can find online:
Cisco CCNA Certification Gold Bootcamp
Complete Cyber Security Course – Network Security
Internet Security Deep Dive course
Python Pro Bootcamp
and our recommended certification practice exams:
Delta Practice Tests