Forum Discussion

Nikoolayy1
Mar 13, 2022

F5 blocked IP address expiration without the use of the F5 table iRule command?

Hello,

I was reading about Palo Alto XSOAR and I saw that for Silverline you can add an IP address using the REST API that has a timeout, so the IP address will be blocked just for some time. This seems great, but I was wondering how this was done? Maybe Silverline uploads the IP address to a custom IP intelligence category and there is an external script/automation that removes it after the time configured by the user, or something else. It is good to know if the same can be done for the on-prem F5 devices using the REST API and not the F5 iRule table command and maybe the sideband command (https://community.f5.com/t5/technical-articles/populating-tables-with-csv-data-via-sideband-connections/ta-p/277376).

Please share if you know.

 

 

The Palo Alto XSOAR example:

https://xsoar.pan.dev/docs/reference/integrations/f5-silverline

  • I have remembered this topic, as I have now played with new F5 BIG-IP versions: an IP address can manually be added to a category with a TTL using the GUI or REST API, so it seems that Silverline, as a SaaS solution, was just having the latest F5 features, like the new TMOS versions.

     

    https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_security_ip-intelligence_category.html

     

    | Name | Type | Default Value | Required | Access | Description |
    |------|------|---------------|----------|--------|-------------|
    | ipTtl | string | | required | read/write | The IP,TTL entries to be added or removed. The format is <IP,TTL IP,TTL …>, with the TTL being optional. For example: <1.1.1.1,100 2.2.2.2 fe::fc,200, 2.2.2.2,infinite>. |
    | tmName | string | | required | read/write | The name of the category. |
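
The `ipTtl` format quoted above, as an added example (not from the original post or from F5): a Python helper that builds and parses the space-separated `IP,TTL` string before it is handed to an automation. The function names, the duplicate-address check and the positive-integer TTL rule are assumptions made here; how the value is sent to the device is not shown.

```python
import ipaddress

INFINITE = "infinite"  # literal used in the documentation's example


def format_entry(ip, ttl=None):
    """Return one 'IP' or 'IP,TTL' token. ttl: int, 'infinite', or None (omitted)."""
    addr = ipaddress.ip_address(ip)  # ValueError on a malformed address
    if ttl is None:
        return str(addr)
    if ttl == INFINITE:
        return f"{addr},{INFINITE}"
    # Assumption: numeric TTLs are positive integers, as in the doc example.
    if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl <= 0:
        raise ValueError(f"bad TTL for {addr}: {ttl!r}")
    return f"{addr},{ttl}"


def build_ip_ttl(entries):
    """Join (ip, ttl) pairs into an ipTtl value, rejecting repeated addresses."""
    seen, tokens = set(), []
    for ip, ttl in entries:
        addr = ipaddress.ip_address(ip)
        if addr in seen:  # local policy (assumption): one TTL per address
            raise ValueError(f"duplicate address: {addr}")
        seen.add(addr)
        tokens.append(format_entry(ip, ttl))
    return " ".join(tokens)


def parse_ip_ttl(value):
    """Parse an ipTtl value back into (ip, ttl) pairs for review or logging."""
    pairs = []
    for token in value.split():
        ip, _, ttl = token.rstrip(",").partition(",")  # tolerate a stray comma
        addr = str(ipaddress.ip_address(ip))
        if ttl == "":
            pairs.append((addr, None))
        elif ttl == INFINITE:
            pairs.append((addr, INFINITE))
        else:
            pairs.append((addr, int(ttl)))
    return pairs


# Constructed sample: one address with a TTL of 3600, one with no TTL given.
if __name__ == "__main__":
    print(build_ip_ttl([("192.0.2.10", 3600), ("2001:db8::5", None)]))
```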