Forum Discussion
Nikoolayy1
MVP
MVPF5 WAF/ASM block users that trigger too many violations by source ip/device id using the correlation logs
Hello to All, I was thinking of using the iRule tables command to write when a user ip/device id makes too many violations for a time perioud and to get blocked for some time but I see tha...
To answer your question regarding the required license - yes, IP I is a subscription feature of AdvWAF. You need to spend money on that one.
For the table command, I don't have a lot experience. Hence I would also not make any suggestion how an iRule could look like.
Interesting question would be: If you block a client based on its source IP for 5 minutes, what will happen if that client makes a new violation after 4:50 minutes? Will the block be released after 5 minutes or after 4:50 + 5 more minutes?
This kind of "business logic" must be solved in all soltions - IP Intelligence feed, BIG-IQ and Ansible.
Nikoolayy1MVP
MVPYes but also first using the "ASM::fingerprint" if present as this is more granular and only if there is no Device ID then the source IP address. With the table command I should be able to do something like that but I was wondering if the F5 ASM correlation data and its Incidents can't be used in some way with or without irule for such tasks?
Daniel_WolfMVP
MVPI had a different train of thought. Use the Source IP from the logs (Splunk, ELK, similar) and create a dynamic IP Intelligence feed list from this data.
Not sure about the Device ID... That fact that there is Device ID+ and Shape Recognize makes me wonder if you should build a solution based on Device ID. It might be a feature that could be deprecated at a certain point in the future.