Forum Discussion
F5 object groups in AFM
Hello guys,
In our infra, F5 is internet facing, and behind F5 we have a Palo Alto firewall. So, we are blocking malicious IPs in F5 and Palo Alto to secure the network. Now, the Palo Alto blocking group limit is exceeded, and they are not able to block more IPs in Palo Alto. We need to use F5 for blocking IPs in future. We have an internet-to-internal rule for blocking, and now we are going to create a rule for internal to external (internal network to malicious IP group). I hope the F5 network firewall will be able to block all these internal-to-internet and internet-to-internal communications using AFM.
Thanks
Bilal
Hello saddiq_bilal
Address lists should support 65k IPs; the limit on the firewall address-lists / port-lists is due to the mcpd DB size, so you might need to adjust it. See https://my.f5.com/manage/s/article/K17883124
However, performance degradation might occur with large numbers of IPs, so I advise testing it. Check MCPD and increase it if you have less free space.
7 Replies
Hi,
We can block the malicious IPs in a global rule using AFM and block the DDoS as well.
One question in this - how many IPs in your current blocking rule group?
- saddiq_bilal
Altocumulus
- Brandon_
Employee
You can also leverage shun lists in FPGA on the hardware appliances. These lists aren’t limited by mcpd and can grow much larger.
https://community.f5.com/kb/technicalarticles/ip-intelligence-and-ip-shunning/286783
- Melissa_C
Moderator
Hello saddiq_bilal,
I see you have had a few great responses from members of the community. Wanted to remind you if these have assisted in answering your question or if you have gotten the answer outside of your post to provide an update and mark what solved this for you.
Thank you for being part of our DevCentral Community!
-Melissa
- Kendall_Brennei
Moderator
To add on, I also found K10978895: Blocking malicious traffic using the IP Intelligence feature in BIG-IP AFM that walks through how to go about blocking IPs if you're interested in taking the next step.