Forum Discussion
Global Blacklist or Whitelist
- Oct 10, 2022
Hello,
I think you can go and check the network packet filter options and rules, from Networks > Packet Filter.
"Global properties: You can configure three specific global properties for packet filtering."
Thanks Niko, but this solution is not effective for my case, because you need to attach this iRule or local traffic policy to all your virtual servers manually. If you have 200 virtual servers, that would be really hard for you.
You may call me Nik 😉 as a shortcut. I was also going to suggest making a parent policy to attach the whitelist under, or scripting the iRule attachment to the 200 VIPs, as no one will do this manually. But Mohamed's solution seems nice, as I did not know packet filters will unblock ASM/aWAF policy or DDoS blocking; this never crossed my mind, as I thought packet filters are just stateless layer 3/4 access lists that do not affect something like layer 7 security. If that is the case, it seems easy to do, and I may try it as well for some clients 😀
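The "script the 200 VIP iRule attachment" idea above, as an added example that is not part of the original thread or any F5-published code. It walks every virtual server through iControl REST (`GET /mgmt/tm/ltm/virtual`, then `PATCH` per virtual server with a replaced `rules` list), skips the ones that already carry the iRule, and prepends the allowlist iRule so it runs before any other iRule in the same event. The device hostname, credentials, the iRule name `/Common/global_allowlist`, the `$select` query and the three sample virtual servers are all assumptions constructed for the demo; `FakeClient` stands in for the device so the block runs offline.

```python
"""Attach one iRule to every LTM virtual server on a BIG-IP (iControl REST).

Added example for this thread; assumes an existing iRule named
/Common/global_allowlist and a management-plane REST user. Not F5 code.
"""
import base64
import json
import ssl
import urllib.request


class RestClient:
    """Minimal iControl REST client: basic auth, JSON in, JSON out."""

    def __init__(self, host, user, password, verify_tls=True):
        self.base = f"https://{host}"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}
        # Only relax verification on a lab box; this is the management plane.
        self.ctx = ssl.create_default_context()
        if not verify_tls:
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data,
                                     headers=self.headers, method=method)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.loads(resp.read().decode() or "{}")


def vs_path_to_uri(full_path):
    """REST item names use '~' for '/': '/Common/vs_web' -> '~Common~vs_web'."""
    return full_path.replace("/", "~")


def plan_rule_attachment(virtuals, irule, prepend=True):
    """Return {fullPath: new rules list} for every VS that lacks `irule`.

    iRules on a virtual server run in list order for the same event, so an
    allowlist rule that rejects in CLIENT_ACCEPTED belongs at the front.
    """
    changes = {}
    for vs in virtuals:
        rules = list(vs.get("rules", []))   # key is absent when no iRules
        if irule in rules:
            continue
        changes[vs["fullPath"]] = [irule] + rules if prepend else rules + [irule]
    return changes


def attach_irule_everywhere(client, irule, prepend=True):
    """List all virtual servers and PATCH the ones that need the iRule."""
    listing = client.request("GET", "/mgmt/tm/ltm/virtual?$select=fullPath,rules")
    changes = plan_rule_attachment(listing.get("items", []), irule, prepend)
    for path, rules in changes.items():
        # PATCH replaces the whole `rules` property, hence sending the full list.
        client.request("PATCH", f"/mgmt/tm/ltm/virtual/{vs_path_to_uri(path)}",
                       {"rules": rules})
    return changes


class FakeClient:
    """Offline stand-in for RestClient: serves constructed data, records PATCHes."""

    def __init__(self, virtuals):
        self.virtuals = virtuals
        self.patches = []

    def request(self, method, path, body=None):
        if method == "GET":
            return {"items": self.virtuals}
        if method == "PATCH":
            self.patches.append((path, body))
            return body
        raise ValueError(method)


# Constructed sample inventory (not from a real device).
SAMPLE_VIRTUALS = [
    {"fullPath": "/Common/vs_web", "rules": ["/Common/redirect_http"]},
    {"fullPath": "/Common/vs_api"},
    {"fullPath": "/Common/vs_admin", "rules": ["/Common/global_allowlist"]},
]
IRULE = "/Common/global_allowlist"


def demo():
    """Run the rollout against the fake device; returns (changes, patches)."""
    client = FakeClient(SAMPLE_VIRTUALS)
    return attach_irule_everywhere(client, IRULE), client.patches


if __name__ == "__main__":
    changes, patches = demo()
    for path, body in patches:
        print("PATCH", path, json.dumps(body))
    # Against a real box (assumed host/credentials):
    # attach_irule_everywhere(RestClient("bigip.example.net", "admin", "***"), IRULE)
```

Two caveats for a real rollout: write the allowlist iRule against `CLIENT_ACCEPTED` rather than `HTTP_REQUEST`, so it can be attached to virtual servers without an HTTP profile, and dry-run with `plan_rule_attachment` first, since the PATCH replaces the whole `rules` list and a typo in the iRule name would fail on every virtual server.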
- Oct 12, 2022
Hello Nik,
I think the packet filter rules are applied before the ASM policy is applied to the request, as this event is based on the IP/port, while the ASM is an event matched when the client sends an HTTP request, which is after the "client accepted" event. So I thought these rules occur before L7 requests are sent to the F5.
As the matching criteria are:
- The source IP address of a packet
- The destination IP address of a packet
- The destination port of a packet
BR,
Mohamed Salah
- Seçkin, Oct 12, 2022, Cirrus
Hello Nik, thanks. Actually, Packet Filters is a solution, but I heard that it's dangerous and you have to be careful using it :)) A parent policy is another option, but I need to add this parent policy to every child policy again, and I think it's not effective as well. A script should also be considered 🙂 Thanks again...
- AubreyKingF5, Oct 12, 2022, Moderator
Packet filtering is just one of many ways that AFM could help filter traffic before a packet even hits your virtual server. Packet filtering comes with a performance hit that is somewhat variable, depending on what you are doing, because you may have to go into the payload, i.e. layer 7. That's not all you can do with AFM, though.
AFM has the ability to create allow/deny lists based on a number of criteria. You can also choose from a slew of actions to take on ACLs, INCLUDING iRules! You can apply IP Intelligence; you can filter DNS requests by query type; you can deny SMTP to an IP, or a range of IPs, or a manicured list of IPs, without going to layer 7 or ever having to touch a VIP. On top of that: protocol throttling, flood defense, FlowSpec integration to trigger upstream route defense...
https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-network-firewall-policies-and-implementations.html