Forum Discussion
IP Intelligence policy
Hi all,
Is there a way to add a custom list to an IP Intelligence policy?
Currently we have an iRule that drops traffic based on addresses/networks we add to a data group. We also have AFM and IP Intelligence available and would like to utilize the Global policy feature to not only use the IP Intelligence database but also our custom list of "bad" IP addresses. I know I can add feeds to the policy but we don't have an internal "feed".
Has anyone else done this? Anyone have any creative ways to accomplish what I am looking to do?
Thanks in advance
3 Replies
- mo_99289 Historic F5 Account
This might be a possible way; I hope it helps. It still uses a feed, but makes use of the httpd service on the BIG-IP. BE AWARE THAT THIS CONFIG IS NOT officially supported by F5.
[root@ve3:Active:Standalone] config cat << EOF > /etc/httpd/conf.d/feeds.conf
>
> DocumentRoot /var/feeds
> LogLevel debug
>
> Options Indexes FollowSymLinks MultiViews
> AllowOverride None
>
> KeepAlive Off
>
> Listen 127.0.0.1:8123
> EOF
[root@ve3:Active:Standalone] config cat /etc/httpd/conf.d/feeds.conf
DocumentRoot /var/feeds
LogLevel debug
Options Indexes FollowSymLinks MultiViews
AllowOverride None
KeepAlive Off
Listen 127.0.0.1:8123
[root@ve3:Active:Standalone] config bigstart restart httpd
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@ve3:Active:Standalone] config netstat -anp | grep 8123
tcp 0 0 127.0.0.1:8123 0.0.0.0:* LISTEN 14055/httpd
[root@ve3:Active:Standalone] config mkdir /var/feeds; cat << EOF > /var/feeds/feeds.txt
> 10.2.22.177,32,bl,test_blacklist_category_1
> EOF
[root@ve3:Active:Standalone] config cat /var/feeds/feeds.txt
10.2.22.177,32,bl,test_blacklist_category_1
[root@ve3:Active:Standalone] config tmsh list security ip-intelligence
security ip-intelligence blacklist-category test_blacklist_category_1 { }
security ip-intelligence feed-list test_feed_list {
    feeds {
        feed_list_1 {
            default-blacklist-category test_blacklist_category_1
            poll {
                url http://127.0.0.1:8123/feeds.txt
            }
        }
    }
}
security ip-intelligence global-policy {
    ip-intelligence-policy test_ip_intelligence
}
security ip-intelligence policy ip-intelligence { }
security ip-intelligence policy test_ip_intelligence {
    blacklist-categories {
        test_blacklist_category_1 {
            match-direction-override match-source
        }
    }
    default-log-blacklist-hit-only yes
    default-log-blacklist-whitelist-hit yes
    feed-lists { test_feed_list }
- jdam_41848 Altocumulus
Thanks mo. So let me see if I understand your response. You are creating an http listener on the BigIP itself with feeds.conf and using /var/feeds as the root for this web instance. You put a file feeds.txt in /var/feeds to be your feed list of IP addresses. You add this feed to your test_ip_intelligence policy which is your global policy. To add addresses to this list, you manually update the feeds.txt file and the changes get picked up by the BigIP by calling itself (127.0.0.1:8123). Do I have this correct?
- mo_99289 Historic F5 Account
Your understanding is correct.
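Added example, not part of the original thread and not F5 code: a Python script that turns a hand-maintained list of addresses and networks (for instance the entries of the existing data group) into the `feeds.txt` line layout shown in mo's reply, so the file is validated before the policy polls it. The function names, the minimum prefix length and the IPv4-only restriction are assumptions made here; only the `address,mask,bl,category` layout and the category name come from the thread.

```python
import ipaddress
import os
import tempfile

# Assumptions: MIN_PREFIX is an illustrative safety limit; the line layout
# copies the single feeds.txt entry shown in the thread (IPv4 only).
CATEGORY = "test_blacklist_category_1"
MIN_PREFIX = 8   # refuse broader networks, e.g. a mistyped /0


def build_feed(entries, category=CATEGORY):
    """Return (feed_lines, rejected) for raw address or CIDR strings."""
    nets, rejected = [], []
    for raw in entries:
        text = raw.split("#", 1)[0].strip()   # allow comments and blank lines
        if not text:
            continue
        try:
            # strict=False masks stray host bits (10.1.2.3/24 -> 10.1.2.0/24)
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            rejected.append((raw, "not an address or network"))
            continue
        if net.version != 4:
            rejected.append((raw, "only the IPv4 layout is shown in the thread"))
        elif net.prefixlen < MIN_PREFIX:
            rejected.append((raw, "prefix too broad"))
        else:
            nets.append(net)
    # collapse_addresses drops duplicates and merges adjacent or nested ranges
    merged = ipaddress.collapse_addresses(nets)
    lines = [f"{n.network_address},{n.prefixlen},bl,{category}" for n in merged]
    return lines, rejected


def write_feed(path, lines):
    """Replace the feed atomically so a poll never reads a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as handle:
        handle.write("".join(line + "\n" for line in lines))
    os.chmod(tmp, 0o644)   # mkstemp creates 0600; httpd needs read access
    os.replace(tmp, path)


if __name__ == "__main__":
    sample = ["10.2.22.177", "192.0.2.0/25", "192.0.2.128/25",   # constructed
              "10.2.22.177/32  # duplicate", "0.0.0.0/0", "not-an-ip"]
    feed, bad = build_feed(sample)
    print("\n".join(feed))
    print("rejected:", bad)
```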
