Forum Discussion
- JeffRWAltocumulus
The difference is simply at what layer IP Intelligence is handled by the F5. For the ASM, IPI is handled at Layer 7, whereas for AFM, IPI is handled at Layer 3.
Some good information is here - https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-11-6-0/8.html
- youssef1Cumulonimbus
Hi,
To put it simply, you have to know that IP Intelligence is an independent function (it does not need a very specific module to work); you can use it with LTM, ASM, AFM, ...
This function acts on the IP source in order defined IP classification configured in IP intelligence policies. F5 utilises the IP intelligence (reputation) database to drop traffic from source IPs that match the threat categories from WebRoot...
Example: with LTM you can use this functionality through an iRule:
```tcl
when HTTP_REQUEST {
    # use [HTTP::header values "X-Forwarded-For"] in replacement of [IP::client_addr] if using the x forwarded for testing
    set ip_reputation_categories [IP::reputation [IP::client_addr]]
    set is_reject 0
    if {($ip_reputation_categories contains "Windows Exploits")} {
        set is_reject 1
    }
    if {($ip_reputation_categories contains "Web Attacks")} {
        set is_reject 1
    }
    if {($ip_reputation_categories contains "Scanners")} {
        set is_reject 1
    }
    if {($ip_reputation_categories contains "Proxy")} {
        set is_reject 1
    }
    if {($is_reject)} {
        log local0. "Attempted access from malicious IP address [IP::client_addr]($ip_reputation_categories), request was rejected"
        HTTP::respond 200 content "Rejected Request The request was rejected. Attempted access from malicious IP address"
    }
}
```
Irule source: https://devcentral.f5.com/questions/ip-intelligence-irule
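The comment in the iRule above mentions checking X-Forwarded-For instead of the peer address, which matters when a proxy or CDN sits in front of the BIG-IP and the Layer 3 source is always the proxy. The following is an added example, not code from the thread or from F5: it trusts the header only when the peer is a known proxy and picks the right-most untrusted hop. The data group name `trusted_proxies_dg` and the 403 response are assumptions made for illustration.

```tcl
# Added example, not from the thread. trusted_proxies_dg is a hypothetical
# address-type data group holding the proxy/CDN ranges in front of the BIG-IP.
when HTTP_REQUEST {
    # Default to the Layer 3 peer address.
    set check_ip [IP::client_addr]

    # Honour X-Forwarded-For only when the peer is one of our own proxies;
    # from any other peer the header is client-supplied and untrusted.
    if { [class match [IP::client_addr] equals trusted_proxies_dg] } {
        # Flatten repeated headers and comma-separated hops into one list.
        set hops [list]
        foreach value [HTTP::header values "X-Forwarded-For"] {
            foreach hop [split $value ","] {
                lappend hops [string trim $hop]
            }
        }
        # Walk right to left: the right-most hop that is not a trusted
        # proxy is the last address our own infrastructure actually saw.
        for { set i [expr {[llength $hops] - 1}] } { $i >= 0 } { incr i -1 } {
            set hop [lindex $hops $i]
            # A malformed hop may raise an error; stop and keep the peer address.
            if { [catch { class match $hop equals trusted_proxies_dg } is_proxy] } {
                break
            }
            if { !$is_proxy } {
                set check_ip $hop
                break
            }
        }
    }

    # Same categories as the iRule in the post above.
    set categories ""
    if { [catch { IP::reputation $check_ip } categories] } {
        set categories ""
    }
    set is_reject 0
    foreach bad { "Windows Exploits" "Web Attacks" "Scanners" "Proxy" } {
        if { $categories contains $bad } {
            set is_reject 1
        }
    }
    if { $is_reject } {
        log local0. "Rejected [IP::client_addr] (checked $check_ip): $categories"
        HTTP::respond 403 content "The request was rejected."
    }
}
```

Taking the left-most X-Forwarded-For value instead would let any client choose the address that gets scored, since everything to the left of the first trusted proxy is supplied by the sender.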