Forum Discussion
F5 WAF/ASM block users that trigger too many violations by source ip/device id using the correlation logs
- Jun 22, 2021
To answer your question regarding the required license - yes, IP I is a subscription feature of AdvWAF. You need to spend money on that one.
For the table command, I don't have a lot of experience. Hence I would also not make any suggestion as to how an iRule could look.
Interesting question would be: If you block a client based on its source IP for 5 minutes, what will happen if that client makes a new violation after 4:50 minutes? Will the block be released after 5 minutes or after 4:50 + 5 more minutes?
This kind of "business logic" must be solved in all solutions - IP Intelligence feed, BIG-IQ and Ansible.
Yes, but also first using "ASM::fingerprint" if present, as this is more granular, and only if there is no Device ID then the source IP address. With the table command I should be able to do something like that, but I was wondering if the F5 ASM correlation data and its Incidents can't be used in some way, with or without an iRule, for such tasks?
Hello Danie, for the iRule table command there is a way, when as you say the user makes another violation, for the timeout field to be reset in the table, and the user's blocking will continue for another 9.5 (4.5 + 5) minutes. I have tested using the sideband function to update the iRule table objects from a CSV file on an external server, and this way many F5 devices can access a central repository.
https://devcentral.f5.com/s/articles/csv-tabular-data-sideband-importer
For data groups I think the solution could be to use external data groups with an external file, with the key being the IP address and the value being the date when the IP address was added to the data group, and to have another bash script run daily by a cron job that checks if there are entries with values older than, for example, 7 days and removes them from the file.
From what I see and your suggestions, I can use Splunk and maybe the correlation logs to create a CSV list of bad IP addresses for the table sideband iRule, or a file for the external data group, and make all the F5 devices check the central repository when the file was changed by using Ansible, the Python SDK, BIG-IQ etc., or a simple curl bash script if the sideband importer is used, as just connecting to the VIP will force the F5 devices to update the table using the CSV file. Everyone that has IP Intelligence can also use a custom feed list as you mentioned.
I will share what was the final solution when I get there.
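The table-command approach discussed above, written out as an added example iRule (not code from this thread or from F5): it keys on the ASM device ID when one is available and falls back to the source IP, counts ASM violations in an idle-timeout table entry, and re-arms the block entry on every new violation, which gives the "4:50 + 5 minutes" behaviour asked about earlier. The threshold and timer values, the table key names and the choice of the ASM_REQUEST_DONE event are assumptions for illustration.

```tcl
when RULE_INIT {
    # Tunables (assumed values for illustration only)
    set static::viol_threshold 5     ;# violations before a client is blocked
    set static::viol_window    300   ;# idle timeout (s) of the violation counter
    set static::block_time     300   ;# block duration (s), re-armed by each new violation
}

when ASM_REQUEST_DONE {
    # Most granular identifier first: ASM device ID (fingerprint), else source IP.
    set fp [ASM::fingerprint]
    if { $fp ne "" } { set key "fp:$fp" } else { set key "ip:[IP::client_addr]" }

    # Did the policy record at least one violation on this request?
    set violated [expr { [ASM::violation count] > 0 }]

    # -notouch so ordinary lookups do not extend the block; only a new violation does.
    if { [table lookup -notouch "block:$key"] ne "" } {
        if { $violated } {
            # table set on an existing key replaces it and restarts its timeout,
            # so a violation 4:50 into a 5-minute block gives 4:50 + 5:00 in total.
            table set "block:$key" [clock seconds] $static::block_time indefinite
        }
        HTTP::respond 403 content "Blocked" noserver
        return
    }

    if { !$violated } { return }

    # Sliding-window counter: incr creates or bumps the entry, timeout re-arms it.
    set n [table incr "viol:$key"]
    table timeout "viol:$key" $static::viol_window

    if { $n >= $static::viol_threshold } {
        table set "block:$key" [clock seconds] $static::block_time indefinite
        table delete "viol:$key"
        log local0. "Blocking $key after $n violations for $static::block_time s"
        HTTP::respond 403 content "Blocked" noserver
    }
}
```

Because the state lives in the session table, it is per-device; distributing the block list across several BIG-IPs still needs the sideband importer or a central feed as described above.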