Forum Discussion
About IP intelligence
- Nov 14, 2023
Hi SanYang,
When I reviewed the AFM module, I found that I was wrong to say that there is no difference between IPI in AWAF and AFM.
Besides Nikoolayy1 and Amine_Kadimi:
IPI in AWAF: works per ASM policy; also your appliance should be IPI licensed (1 Y or 3 Y, etc.). It's detectable in XFF headers as well.
IPI in AFM module: is very interesting. First, it can work the same as in AWAF, and your devices should be licensed for IPI.
For your info (License means: your BIG-IP is able to get updates from a third party such as "BrightCloud"; it updates its database every 5 minutes with the latest bad-reputation IPs.)
That's not all for AFM IPI;
you have another 2 functions that can be used in AFM IPI ...
1- You can create an IPI policy and assign it to a virtual server context or globally on the BIG-IP. This policy contains a defined feed URL which enables your BIG-IP to get "blacklisted or whitelisted" IP information in a specific file format the BIG-IP can understand. Also, you can manually define some IPs you want to drop or allow, with a defined duration for blocking if you need that.
Sample of the format that the BIG-IP gets from the defined feed in the IPI policy:
10.0.0.2,32,bl,spam_sources
10.0.0.3,,wl,
10.10.0.12,,botnets
10.0.0.12,,,
10.0.0.13,,bl,
For more info check this: https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-12-1-0/7.html
2- You can use IPI shun:
Briefly, IPI shun works with AFM (D)DoS vectors such as "Endpoint Sweep Vector". If there is an IP that exceeds the defined limits or thresholds of packets, the AFM DDoS sweep vector will be triggered and dynamically add this IP to the IPI shun list, from which it can be dropped very quickly without further inspection, because the AFM DDoS vector detected it as malicious.
Also you can configure something like Shun Black hole, which means: if the BIG-IP detects a bad actor or malicious IP, it advertises this IP to peer routers via BGP announcements, and these routers will be configured to send any attempts from these bad IPs detected by AFM DDoS vectors to a black hole hop, or drop these IPs at the first layer in your network. "That's the black hole and shun list role, briefly."
Also you can configure a scrubber instead of a black hole, which means the BIG-IP will send the malicious IPs' traffic to an external scrubber such as "F5 Silverline/scrubber" to clean or remove unwanted patterns in the packets from these IPs.
It follows the same mechanism as the black hole in advertising malicious IPs.
Both black hole and scrubber rely on ZebOS/BGP.
You can review this: https://community.f5.com/t5/technical-articles/ip-intelligence-and-ip-shunning/ta-p/286783
I hope my comment gives you some insights 🙂
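As an added illustration (not part of the post above or of F5's own code), the following script parses a feed in the comma-separated form the post shows (address, prefix length, bl/wl, category) and then classifies a source IP by longest-prefix match, the way a defender would check what a given feed line will do before pointing a BIG-IP at it. The sample feed is constructed; the defaults for empty fields and the skipping of malformed lines are this example's assumptions, not documented BIG-IP behaviour.

```python
import ipaddress

# Constructed sample feed: address,prefix,list type (bl/wl),category; empties take defaults.
SAMPLE_FEED = """10.0.0.2,32,bl,spam_sources
10.0.0.3,,wl,
10.10.0.12,,botnets
10.0.0.12,,,
10.0.0.13,,bl,
not-an-ip,,bl,junk
192.0.2.0,24,bl,scanners
2001:db8::1,,bl,botnets
"""

def parse_feed(text, default_category="default"):
    """Return (network, list_type, category) tuples. Assumptions not from the
    post: empty prefix = single host, empty list type = 'bl', a 3-field line
    whose third field is not bl/wl carries a category, bad lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) == 3 and fields[2] not in ("bl", "wl", ""):
            fields = fields[:2] + ["bl", fields[2]]
        fields += [""] * (4 - len(fields))
        addr, prefix, list_type, category = fields[:4]
        try:
            ip = ipaddress.ip_address(addr)
            plen = int(prefix) if prefix else ip.max_prefixlen
            net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        except ValueError:
            continue  # one bad record must not abort the whole feed reload
        entries.append((net, list_type or "bl", category or default_category))
    return entries

def classify(src_ip, entries):
    """Longest-prefix match over the feed; on equal length a whitelist entry wins.
    Returns ('allow', None) when nothing matches, else (action, category)."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for net, list_type, category in entries:
        if ip not in net:  # also False when address/network versions differ
            continue
        if (best is None or net.prefixlen > best[0].prefixlen
                or (net.prefixlen == best[0].prefixlen and list_type == "wl")):
            best = (net, list_type, category)
    if best is None:
        return ("allow", None)
    return ("allow" if best[1] == "wl" else "deny", best[2])
```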