Forum Discussion
Hugo_Frauches_2
Cirrus
CirrusDifference between ASM IP Address Intelligence and AFM IP Intelligence
Hello,
I recently activate the IP Address Intelligence subscription in my client BIG-IP and its working just fine with the ASM Module, this give me a lot of violations in ASM events Logs based i...
youssef1
Cumulonimbus
CumulonimbusHi,
To put it simply, you have to know that IP Inteligence is an independent function (it does not need a very specific module to work), you can use it with ltm, asm, afm, ...
this function acts on the IP source in order defined IP classification configured in IP intelligence policies. F5 utilises the IP intelligence (reputation) database to drop traffic from source IP that match the threat categories from WebRoot...
Example with ltm you can use this functionality trough an Irule:
when HTTP_REQUEST {
use [HTTP::header values "X-Forwarded-For"] in replacement of [IP::client_addr] if using the x forwarded for testing
set ip_reputation_categories [IP::reputation [IP::client_addr]]
set is_reject 0
if {($ip_reputation_categories contains "Windows Exploits")} {
set is_reject 1
}
if {($ip_reputation_categories contains "Web Attacks")} {
set is_reject 1
}
if {($ip_reputation_categories contains "Scanners")}{
set is_reject 1
}
if {($ip_reputation_categories contains "Proxy")}{
set is_reject 1
}
if {($is_reject)} {
log local0. "Attempted access from malicious IP address
[IP::client_addr]($ip_reputation_categories), request was rejected"
HTTP::respond 200 content "
Rejected Request
The request was rejected.
Attempted access from malicious IP address
"
}
}
Irule source: https://devcentral.f5.com/questions/ip-intelligence-irule