For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Marvin's avatar
Marvin
Icon for Cirrocumulus rankCirrocumulus
Jan 16, 2024

F5 AFM IP intelligence whitelist content

We have F5 AFM IP intelligence and we dont use the AFM license so no external feed list but only the local categories on the system. it is licensed with IP intelligence, now the question. How can we...
ipi
security
Michael_Saleem's avatar
Michael_Saleem
Icon for MVP rankMVP
Jan 16, 2024

I do not believe it is possible to extract a full dump of the IP addresses currently contained within an IP Intelligence category; you can only check if a single IP address is in a category with the following command:

show security ip-intelligence info address <IP ADDRESS>
Marvin's avatar
Marvin
Icon for Cirrocumulus rankCirrocumulus
Jan 23, 2024

Hi Michael, thanks for the reply we were facing an issue where an external IP is blacklisted as windows_exploit category so we created a custom category in the IP intelligence policy windows_exploit_bypass with action allow however while doing so the IP got recognized by both categories and still dropped.

When finally requesting BRighcloud to whitelist this IP address they performed it and is now allowed. This IP however is not really trusted as behind these IP exist a guest network where attacker launch attacks frequently.

So we should be able to bypass this locally as this is not a good security remediation. Other customers can now also be exposed to threats.

The category whitelist embedded on the F5 system cant be used in IPI policy, what would you recommend to do in this situation?