Forum Discussion

redheadontherun's avatar
redheadontherun
Icon for Nimbostratus rankNimbostratus
Jul 27, 2016

Block Source IP using a blocklist hosted on a webserver

Currently we utilize a web server to host a blocklist that some of our other security devices use to block IP addresses. It allows us to maintain 1 list for all devices. Can the F5 ASM or LTM utilize...
ASM Advanced WAF
BIG-IP
ifiles
iRules
LTM
security
Yann_Desmarest's avatar
Yann_Desmarest
Icon for Cirrus rankCirrus
Jul 27, 2016

Hi,

 

this list can be uploaded as an ifile. You can also do a lookup using sideband connections in irules

 

  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jul 27, 2016

    You can create an ifile using the following command : 

    tmsh create sys file ifile blacklist source-path http://hostname.com/uri

    and then update it using the following command : 

    tmsh modify sys file ifile blacklist source-path http://hostname.com/uri

    The filesize for a single iFile was raised to 32Mb in 12.1.0. Prior versions limited the size to 4Mb.

  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jul 27, 2016

    Here a small Proof of Concept.

    when HTTP_REQUEST {
    set file [ifile get domains]
    log local0. "$file"
    set domain "amazon.co.uk.security-check.ga"
    if { [string match "*$domain*" $file] } {
        log local0. "succeeded"
        HTTP::respond 200 content "ok"
    } else {
        log local0. "failed"
    }
}

    Note : should test performance impact, memory consumption and stuff like that before switching something in production