Here are the requirements:
Deny access to any client whose source address is outside the internal address space when its HTTP request either contains /portal/console in the URI or contains one of the variables deemed suspicious.
***UNTESTED***
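# server_lock_down: a request from a source address outside
# internal_network_class is redirected back to the requested host ("http://%h")
# when its URI matches /portal/console or its content contains an entry of
# bad_variable_class. Every other request is sent to pool x.
# The source-address test names client_addr explicitly, because "one of <class>"
# needs a value to compare against the class members.
# NOTE(review): matches_regex is applied to the URI as received; confirm that
# case and percent-encoded variants of the path are normalized or also covered.
# NOTE(review): http_content presumably sees only the buffered part of the
# request body - confirm how much is collected before this rule is evaluated.
rule server_lock_down {
   if (http_uri matches_regex "/portal/console" and not (client_addr equals one of internal_network_class)) {
      redirect to "http://%h"
   }
   else if (http_content contains one of bad_variable_class and not (client_addr equals one of internal_network_class)) {
      redirect to "http://%h"
   }
   else {
      use pool x
   }
}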