Forum Discussion

Nikoolayy1
Jun 21, 2021

F5 WAF/ASM block users that trigger too many violations by source ip/device id using the correlation logs

Hello to All, I was thinking of using the iRule tables command to write when a user ip/device id makes too many violations for a time period and to get blocked for some time but I see tha...
  • Daniel_Wolf
    Jun 22, 2021

    To answer your question regarding the required license - yes, IP I is a subscription feature of AdvWAF. You need to spend money on that one.

     

    For the table command, I don't have a lot of experience. Hence I would also not make any suggestion as to what an iRule could look like.

     

    An interesting question would be: If you block a client based on its source IP for 5 minutes, what will happen if that client makes a new violation after 4:50 minutes? Will the block be released after 5 minutes or after 4:50 + 5 more minutes?

    This kind of "business logic" must be solved in all solutions - IP Intelligence feed, BIG-IQ and Ansible.
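
The timing question raised in the reply above, worked through as an added example that is not part of the original thread and is not F5 code: a small Python model of a violation-based block table with both release policies. The 5-minute block and the 4:50 violation come from the post; `THRESHOLD`, `WINDOW_SECONDS`, the class and the client address are assumptions made for illustration.

```python
from dataclasses import dataclass, field

BLOCK_SECONDS = 300    # 5-minute block, as in the post
THRESHOLD = 3          # assumed: violations that trigger a block
WINDOW_SECONDS = 60    # assumed: period over which violations are counted


@dataclass
class BlockTable:
    """Per-client state, keyed by source IP or device ID."""
    extend_on_violation: bool                          # True = sliding block
    violations: dict = field(default_factory=dict)     # key -> [timestamps]
    blocked_until: dict = field(default_factory=dict)  # key -> expiry time

    def is_blocked(self, key, now):
        expiry = self.blocked_until.get(key)
        if expiry is None:
            return False
        if now >= expiry:               # block has run out, release the client
            del self.blocked_until[key]
            return False
        return True

    def record_violation(self, key, now):
        """Register one violation; return the block expiry, or None."""
        if self.is_blocked(key, now):
            if self.extend_on_violation:
                # Sliding policy: every violation restarts the block timer.
                self.blocked_until[key] = now + BLOCK_SECONDS
            return self.blocked_until[key]
        # Keep only violations that still fall inside the counting window.
        recent = [t for t in self.violations.get(key, [])
                  if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.violations[key] = recent
        if len(recent) >= THRESHOLD:
            self.violations[key] = []
            self.blocked_until[key] = now + BLOCK_SECONDS
            return self.blocked_until[key]
        return None


def replay(extend):
    """Constructed timeline: block starts at t=20 s, next violation 4:50 later."""
    table = BlockTable(extend_on_violation=extend)
    client = "192.0.2.10"               # constructed documentation address
    for t in (0, 10, 20):               # third violation triggers the block
        table.record_violation(client, t)
    expiry = table.record_violation(client, 20 + 290)   # 4:50 into the block
    return expiry, table.is_blocked(client, 20 + 301)   # just past 5 minutes
```

With the fixed policy the client is released 5 minutes after the block started; with the sliding policy the same violation pushes the release to 4:50 + 5 minutes.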