Forum Discussion
F5 IP intelligence white-list and verifying the IP whether getting blocked by F5 intelligence
Hello Experts,
We have a BIG-IP running 12.0.x with AFM and ASM in our current scenario. We have an IP Intelligence license with a three-year subscription. It is deployed in transparent mode. The client's requirement is that it be enabled in blocking mode, but before enabling blocking mode we need clarity on the points below:
- Can we white-list a particular source IP that is legitimate traffic from the client's perspective but is marked malicious in the IP Intelligence database?
- How can we check whether a particular source is getting blocked by IP Intelligence on the F5?
- Is there any way we can get those IP Intelligence databases to verify?
Thanks in advance for your support
- samstep (Cirrocumulus)
Yes, you can white-list and yes there is a tool to check if an IP address is in the database, see this knowledgebase article:
"K13875: Managing IP reputations and the IP Address Intelligence database"
https://support.f5.com/csp/article/K13875
Additionally, the ASM logs will tell you if a request was blocked because of an IP Intelligence match.
- BigD_300005 (Cirrostratus)
Are you doing IPI within AFM or ASM? They are two different deployment models depending on which one you've done.
- BigD_300005 (Cirrostratus)
I've deployed IPI only with AFM. I have both AFM and ASM modules, but IPI is only deployed for AFM.
If you are creating a whitelist within the feed list, I used an FTP server in-house to host the text file. I believe if you deployed IPI within ASM, whitelisting is built right into the GUI of the F5, though.
This link will show the formatting of how you need to apply your whitelist in the "Feed list settings" section: https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-11-5-0/5.html
example: 10.0.0.3,,wl,
In order to see if a virtual server is showing blocks, you need to enable logging.
- Create a logging profile. Security > Event Logs > Logging Profile.
- Name it Local_IPI
- Enable Network Firewall
- Under IPI, select local-db-publisher for your publisher. (You'll want to offload this elsewhere later.)
- Go to your virtual server and click on the security tab at the top > policy
- Make sure IP Intelligence profile is enabled and selected.
- Move Local_IPI you just created over to the selected section of Log Profile.
- Click the update button
- Your logs should now appear here: Security > Event Logs > Network > IP Intelligence
Give it a few minutes to a few hours depending on how much traffic this virtual server sees. I initially tested IPI on a very unpopular VS and didn't see any hits. As soon as I moved it to my most popular one, my logs went off the charts, which is why it is not wise to keep these logs on the F5 itself. I'd recommend pushing those logs to an external syslog server if you have one. My steps above also assume you have logging enabled on the IPI policy you created ("Log blacklist category matches"); if not, you'll need to do that too.
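As an added example (not code from the thread, from F5, or from the poster), the following Python script writes and checks a feed-list file in the record layout implied by the `10.0.0.3,,wl,` example above, then answers "would this source address be whitelisted?" before the file is hosted on the in-house FTP server. The four-field layout `ip_address,netmask,type,category`, and the longest-prefix rule used when a `wl` and a `bl` record overlap, are assumptions made for the example; confirm both against the linked feed-list documentation and the BIG-IP's own behaviour.

```python
import ipaddress
from typing import List, Tuple

# Record layout assumed from the post's example "10.0.0.3,,wl,":
#   ip_address,netmask,type,category
# netmask may be empty (single host); type is "wl" or "bl"; category may
# be empty (the feed list's default category then applies).
VALID_TYPES = ("wl", "bl")


def parse_network(ip: str, netmask: str = ""):
    """Combine an address and optional netmask into an ip_network.

    An empty netmask means a single host (/32 or /128). A dotted mask
    such as 255.255.255.0 or a bare prefix length such as 24 both work.
    """
    addr = ipaddress.ip_address(ip.strip())
    netmask = netmask.strip()
    if not netmask:
        return ipaddress.ip_network(str(addr))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def feed_line(ip: str, netmask: str = "", kind: str = "wl", category: str = "") -> str:
    """Render one feed-list record, refusing anything that would not parse back."""
    if kind not in VALID_TYPES:
        raise ValueError(f"type must be wl or bl, got {kind!r}")
    if "," in category:
        raise ValueError("category must not contain a comma")
    parse_network(ip, netmask)  # raises ValueError on a bad address or mask
    return f"{ip.strip()},{netmask.strip()},{kind},{category.strip()}"


def parse_feed(text: str) -> Tuple[List[tuple], List[str]]:
    """Parse feed-list text into (entries, errors).

    entries are (network, type, category); errors name the offending line
    so the file can be fixed before it is published to the BIG-IP.
    Blank lines are ignored.
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            errors.append(f"line {lineno}: expected 4 fields, got {len(parts)}: {line!r}")
            continue
        ip, netmask, kind, category = parts
        if kind not in VALID_TYPES:
            errors.append(f"line {lineno}: type must be wl or bl, got {kind!r}")
            continue
        try:
            net = parse_network(ip, netmask)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        entries.append((net, kind, category))
    return entries, errors


def matches(entries: List[tuple], src_ip: str) -> List[tuple]:
    """Every entry covering src_ip, most specific (longest prefix) first."""
    addr = ipaddress.ip_address(src_ip)
    hits = [e for e in entries if e[0].version == addr.version and addr in e[0]]
    return sorted(hits, key=lambda e: e[0].prefixlen, reverse=True)


def is_whitelisted(entries: List[tuple], src_ip: str) -> bool:
    """True when the most specific covering record is a wl entry.

    Assumption made for this example only: when wl and bl records overlap,
    the longest prefix wins. Verify the BIG-IP's own precedence rules before
    relying on this for a production whitelist.
    """
    hits = matches(entries, src_ip)
    return bool(hits) and hits[0][1] == "wl"


if __name__ == "__main__":
    # Constructed sample feed (documentation ranges, not real customer addresses).
    sample = "\n".join([
        feed_line("10.0.0.3"),                       # the post's own example
        feed_line("192.0.2.0", "255.255.255.0", "bl"),
        feed_line("192.0.2.10", "", "wl", "partner_api"),
        "203.0.113.7,,allow,",                       # bad type: must be reported
    ])
    entries, errors = parse_feed(sample)
    for err in errors:
        print("feed error:", err)
    for ip in ("10.0.0.3", "192.0.2.10", "192.0.2.20", "198.51.100.1"):
        print(ip, "whitelisted" if is_whitelisted(entries, ip) else "not whitelisted")
```

Run it against the feed file before uploading it; any line reported in `errors` would otherwise be silently misread or rejected by the feed-list import, and a single malformed record is a common reason a "whitelisted" partner address still shows up under Security > Event Logs > Network > IP Intelligence.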
- Deep_287674 (Nimbostratus)
Hello, we are using it in AFM. I'm not sure whether we are using IPI in ASM.
- BigD_300005 (Cirrostratus)
View my answer I posted this morning.