Forum Discussion
F5 WAF/ASM block users that trigger too many violations by source ip/device id using the correlation logs
- Jun 22, 2021
To answer your question regarding the required license - yes, IP I is a subscription feature of AdvWAF. You need to spend money on that one.
For the table command, I don't have a lot experience. Hence I would also not make any suggestion how an iRule could look like.
Interesting question would be: If you block a client based on its source IP for 5 minutes, what will happen if that client makes a new violation after 4:50 minutes? Will the block be released after 5 minutes or after 4:50 + 5 more minutes?
This kind of "business logic" must be solved in all soltions - IP Intelligence feed, BIG-IQ and Ansible.
Yes but also first using the "ASM::fingerprint" if present as this is more granular and only if there is no Device ID then the source IP address. With the table command I should be able to do something like that but I was wondering if the F5 ASM correlation data and its Incidents can't be used in some way with or without irule for such tasks?
I had a different train of thought. Use the Source IP from the logs (Splunk, ELK, similar) and create a dynamic IP Intelligence feed list from this data.
Not sure about the Device ID... That fact that there is Device ID+ and Shape Recognize makes me wonder if you should build a solution based on Device ID. It might be a feature that could be deprecated at a certain point in the future.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com