Forum Discussion
F5 WAF/ASM block users that trigger too many violations by source ip/device id using the correlation logs
- Jun 22, 2021
To answer your question regarding the required license - yes, IP I is a subscription feature of AdvWAF. You need to spend money on that one.
For the table command, I don't have a lot of experience. Hence I would also not make any suggestion as to what an iRule could look like.
Interesting question would be: If you block a client based on its source IP for 5 minutes, what will happen if that client makes a new violation after 4:50 minutes? Will the block be released after 5 minutes or after 4:50 + 5 more minutes?
This kind of "business logic" must be solved in all solutions - IP Intelligence feed, BIG-IQ and Ansible.
Hello Nikoolayy1 ,
Instead of using iRule to create this functionality, you can use the session tracking feature in the AWAF module to obtain the same feature.
Session Tracking requires you to define a violation detection period during which it will track the violations based on username, session, device ID and IP address. You can customize the thresholds for each category. Usually, for IP address, it is recommended to set the threshold higher because it can be a natted IP and a whole organisation may be using a single IP to access your services.
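The block-release question raised in the thread (a new violation 4:50 into a 5-minute block) can be made concrete with a small model. This is an added example, not code from either poster and not how BIG-IP implements session tracking or the `table` command; the class name, parameters, thresholds and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class ViolationBlocker:
    """Count violations per key (source IP or device ID) and block on threshold."""

    def __init__(self, threshold, detection_period, block_period, extend_on_violation):
        self.threshold = threshold                # violations needed to block
        self.detection_period = detection_period  # seconds violations are remembered
        self.block_period = block_period          # seconds a block lasts
        self.extend_on_violation = extend_on_violation
        self.violations = defaultdict(deque)      # key -> recent violation times
        self.blocked_until = {}                   # key -> time the block ends

    def is_blocked(self, key, now):
        return now < self.blocked_until.get(key, float("-inf"))

    def record_violation(self, key, now):
        if self.is_blocked(key, now):
            # Policy decision: a violation during a block either restarts
            # the timer (sliding) or leaves the original expiry (fixed).
            if self.extend_on_violation:
                self.blocked_until[key] = now + self.block_period
            return self.blocked_until[key]
        window = self.violations[key]
        window.append(now)
        # Drop violations that fell out of the detection period.
        while window and window[0] <= now - self.detection_period:
            window.popleft()
        if len(window) >= self.threshold:
            self.blocked_until[key] = now + self.block_period
            window.clear()
            return self.blocked_until[key]
        return None

def release_offset(extend_on_violation):
    """Replay constructed events; return seconds from block start to release."""
    blocker = ViolationBlocker(threshold=3, detection_period=60,
                               block_period=300,
                               extend_on_violation=extend_on_violation)
    ip = "203.0.113.10"                  # constructed sample address
    for t in (0, 10, 20):                # third violation starts the block at t=20
        blocker.record_violation(ip, t)
    block_start = 20
    # New violation 4 min 50 s (290 s) into the 5-minute block.
    release = blocker.record_violation(ip, block_start + 290)
    return release - block_start

if __name__ == "__main__":
    print("fixed expiry  :", release_offset(False), "s after block start")
    print("sliding expiry:", release_offset(True), "s after block start")
```

With a fixed expiry the client is released 300 seconds after the block began; with a sliding expiry the same late violation pushes release to 590 seconds.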