youssef1
May 17, 2018 (Cumulonimbus)
Hi,
To put it simply, you have to know that IP Intelligence is an independent function (it does not need a very specific module to work); you can use it with LTM, ASM, AFM, ...
This function acts on the source IP according to the IP classification configured in IP Intelligence policies. F5 utilises the IP intelligence (reputation) database to drop traffic from source IPs that match the threat categories from Webroot...
Example: with LTM you can use this functionality through an iRule:
when HTTP_REQUEST {
    # use [HTTP::header values "X-Forwarded-For"] in replacement of [IP::client_addr] if using the x forwarded for testing
    # Look up the reputation categories for the client address
    set ip_reputation_categories [IP::reputation [IP::client_addr]]
    set is_reject 0
    if {($ip_reputation_categories contains "Windows Exploits")} {
        set is_reject 1
    }
    if {($ip_reputation_categories contains "Web Attacks")} {
        set is_reject 1
    }
    if {($ip_reputation_categories contains "Scanners")} {
        set is_reject 1
    }
    if {($ip_reputation_categories contains "Proxy")} {
        set is_reject 1
    }
    # Log the match and answer the client directly instead of forwarding the request
    if {($is_reject)} {
        log local0. "Attempted access from malicious IP address [IP::client_addr]($ip_reputation_categories), request was rejected"
        HTTP::respond 200 content "
Rejected Request
The request was rejected.
Attempted access from malicious IP address
"
    }
}
iRule source: https://devcentral.f5.com/questions/ip-intelligence-irule
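
The X-Forwarded-For case mentioned in the iRule's comment, as an added example that is not part of the original post: the header is client-controlled, so this variant uses it only when the direct peer is a known proxy and the value parses as an IP address. The data group name `trusted_proxies_dg` is hypothetical, and the 403 plain-text response is a choice made for this example.

```tcl
# Added example, not from the original post.
# Assumption: trusted_proxies_dg is a hypothetical address-type data group
# listing the upstream proxies allowed to supply X-Forwarded-For.
when RULE_INIT {
    # Categories copied from the iRule in the post.
    set static::ipi_blocked {"Windows Exploits" "Web Attacks" "Scanners" "Proxy"}
}

when HTTP_REQUEST {
    # Default: check the address of the TCP peer.
    set check_ip [IP::client_addr]

    # X-Forwarded-For is client-controlled, so honour it only when the
    # direct peer is one of our own proxies.
    if { [class match [IP::client_addr] equals trusted_proxies_dg]
         && [HTTP::header exists "X-Forwarded-For"] } {
        # Flatten repeated headers and take the last hop, the one
        # appended by the trusted proxy itself.
        set xff [join [HTTP::header values "X-Forwarded-For"] ","]
        set candidate [string trim [lindex [split $xff ","] end]]
        # IP::addr raises an error on malformed input; keep the peer
        # address in that case.
        if { ![catch { IP::addr $candidate mask 255.255.255.255 }] } {
            set check_ip $candidate
        }
    }

    # IP::reputation returns a list of category names (empty if none).
    set categories [IP::reputation $check_ip]
    foreach category $categories {
        if { [lsearch -exact $static::ipi_blocked $category] >= 0 } {
            log local0. "IPI reject: $check_ip ($categories), peer [IP::client_addr]"
            HTTP::respond 403 content "The request was rejected." "Content-Type" "text/plain"
            return
        }
    }
}
```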