F5 blocked IP address expiration without the use of the F5 table iRule command?
Hello,
I was reading about Palo Alto XSOAR and I saw that for Silverline you can add an IP address using the REST API with a timeout, so the IP address will be blocked just for some time, and that seems great, but I was wondering how this was done? Maybe Silverline uploads the IP address to a custom IP intelligence category and there is an external script/automation that removes it after the time configured by the user, or something else. It is good to know if the same can be done for the on-prem F5 devices using the REST API and not the F5 iRule table command and maybe the sideband command (https://community.f5.com/t5/technical-articles/populating-tables-with-csv-data-via-sideband-connections/ta-p/277376).
Please share if you know.
The Palo Alto XSOAR example:
https://xsoar.pan.dev/docs/reference/integrations/f5-silverline
I have remembered this topic as now I have played with the new F5 BIG-IP versions: an IP address can manually be added to a category with a TTL using the GUI or REST API, so it seems that the Silverline SaaS solution just had the latest F5 features, like the new TMOS versions.
https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_security_ip-intelligence_category.html
Properties of the category object (Name / Type / Required / Access / Description):
- ipTtl (string, required, read/write): The IP,TTL entries to be added or removed. The format is <IP,TTL IP,TTL …>, with the TTL being optional. For example: <1.1.1.1,100 2.2.2.2 fe::fc,200, 2.2.2.2,infinite>.
- tmName (string, required, read/write): The name of the category.
Sounds like it might be a specific feature in the Silverline API.
Depending on what modules/configuration you're using, there might be a couple options.
- You might be able to use a scheduled task in XSOAR to call for the opposite (delete) of whatever command you use to block an address on your F5. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPOaCAO&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
- Another thought is it seems the AFM module (not my forte) has the ability to attach a schedule to a rule. Check here for more info: https://support.f5.com/csp/article/K00842042#scheduledrule
- Other options would be LTM Policy or iRule with a datagroup, or Packet Filters. All are controllable via API. https://community.f5.com/t5/technical-articles/icontrol-rest-cookbook-ltm-policy-ltm-policy/ta-p/287587
For the F5 data groups I am aware, but I was looking for dynamic entries like the table iRule command (the issue is that the table object can't be changed with the REST API, which is why the sideband iRule function is needed to fetch the new data from the external server), not static ones like the data group (a workaround that I have made for this: https://community.f5.com/t5/crowdsrc/automate-data-group-updates-on-many-big-ip-devices-using-big-iq/ta-p/291466?page=1).
For AFM you are right that it is a nice touch to use the REST API to upload a list of IP addresses in a rule that has a schedule in it; the only thing is that after some time someone will need to clean up the old rules: https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/big-ip-network-firewall-policies-and-implementations-14-1-0/04.html
I am still thinking that maybe Silverline uses a custom IP intelligence feed list and that they have some kind of automation in place that removes the old entries after some time. Too bad that maybe this is a custom thing just for the Silverline REST API and not for the F5 products.
I will take a deeper look if I find anything.