Forum Discussion

saddiq_bilal's avatar
saddiq_bilal
Icon for Altocumulus rankAltocumulus
Aug 18, 2025
Solved

F5 object groups in AFM

Hello guys,

In our infra F5 is internet facing and behind F5 we have palo alto firewall. So, we are blocking malicious Ips in F5 and palo alto to secure the network. Now, palo alto blocking group limit is exceeded, and they are not able to block more ips in palo alto. We need to use F5 for blocking ips in future. We have an internet to internal rule for blocking and now we are going to create a rule for internal to external (internal network to malicious IP group). I hope F5 network firewall will be able to block all these internal to internet and internet to internal communications using AFM.

Thanks

Bilal

AFM
afm ddos
  • Aswin_mk's avatar
    Aswin_mk
    Aug 18, 2025

    Hello saddiq_bilal​ 

     

    Address list should support 65k ips, the limit on the firewall address-list / port-lists is due to the mcpd DB size so you might need to adjust it– see https://my.f5.com/manage/s/article/K17883124

    However, performance degradation might occur with large numbers of IPs, so I advise to test it. check MCPD and and increase if you have less free space .

     

     

7 Replies

  • Aswin_mk's avatar
    Aswin_mk
    Icon for MVP rankMVP
    Aug 18, 2025

    Hi,

     

    We can block the malicious IPs in global rule, using AFM and block the DDOS as well.

    One question in this - how many IPs in your current blocking rule group?

  • Aswin_mk's avatar
    Aswin_mk
    Icon for MVP rankMVP
    Aug 18, 2025

    Hello saddiq_bilal​ 

     

    Address list should support 65k ips, the limit on the firewall address-list / port-lists is due to the mcpd DB size so you might need to adjust it– see https://my.f5.com/manage/s/article/K17883124

    However, performance degradation might occur with large numbers of IPs, so I advise to test it. check MCPD and and increase if you have less free space .

     

     

  • Brandon_'s avatar
    Brandon_
    Icon for Employee rankEmployee
    Aug 25, 2025

    You can also leverage shun lists in FPGA on the hardware appliances. These lists aren’t limited by mcpd and can grow much larger.

    https://community.f5.com/kb/technicalarticles/ip-intelligence-and-ip-shunning/286783

  • Melissa_C's avatar
    Melissa_C
    Icon for Moderator rankModerator
    Aug 29, 2025

    Hello saddiq_bilal​

    I see you have had a few great responses from members of the community. Wanted to remind you if these have assisted in answering your question or if you have gotten the answer outside of your post to provide an update and mark what solved this for you. 

    Thank you for being part of our DevCentral Community! 

    -Melissa