Forum Discussion
jdam_41848
Altocumulus
Feb 17, 2016
IP Intelligence policy
Hi all,
Is there a way to add a custom list to an IP Intelligence policy?
Currently we have an iRule that drops traffic based on addresses/networks we add to a data group. We also have AFM...
mo_99289
Feb 17, 2016
Historic F5 Account
It might be a possible way; hope it helps. It still uses a feed, but makes use of the httpd service on the BIG-IP. BE AWARE THAT THIS CONFIG IS NOT officially supported by F5.
[root@ve3:Active:Standalone] config # cat << EOF > /etc/httpd/conf.d/feeds.conf
>
> DocumentRoot /var/feeds
> LogLevel debug
>
> Options Indexes FollowSymLinks MultiViews
> AllowOverride None
>
> KeepAlive Off
>
> Listen 127.0.0.1:8123
> EOF
[root@ve3:Active:Standalone] config # cat /etc/httpd/conf.d/feeds.conf
DocumentRoot /var/feeds
LogLevel debug
Options Indexes FollowSymLinks MultiViews
AllowOverride None
KeepAlive Off
Listen 127.0.0.1:8123
[root@ve3:Active:Standalone] config # bigstart restart httpd
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@ve3:Active:Standalone] config # netstat -anp | grep 8123
tcp 0 0 127.0.0.1:8123 0.0.0.0:* LISTEN 14055/httpd
[root@ve3:Active:Standalone] config # mkdir /var/feeds; cat << EOF > /var/feeds/feeds.txt
> 10.2.22.177,32,bl,test_blacklist_category_1
> EOF
[root@ve3:Active:Standalone] config # cat /var/feeds/feeds.txt
10.2.22.177,32,bl,test_blacklist_category_1
[root@ve3:Active:Standalone] config # tmsh list security ip-intelligence
security ip-intelligence blacklist-category test_blacklist_category_1 { }
security ip-intelligence feed-list test_feed_list {
    feeds {
        feed_list_1 {
            default-blacklist-category test_blacklist_category_1
            poll {
                url http://127.0.0.1:8123/feeds.txt
            }
        }
    }
}
security ip-intelligence global-policy {
    ip-intelligence-policy test_ip_intelligence
}
security ip-intelligence policy ip-intelligence { }
security ip-intelligence policy test_ip_intelligence {
    blacklist-categories {
        test_blacklist_category_1 {
            match-direction-override match-source
        }
    }
    default-log-blacklist-hit-only yes
    default-log-blacklist-whitelist-hit yes
    feed-lists {
        test_feed_list
    }
}
- jdam_41848
Altocumulus
Feb 18, 2016
Thanks mo. So let me see if I understand your response. You are creating an http listener on the BigIP itself with feeds.conf and using /var/feeds as the root for this web instance. You put a file feeds.txt in /var/feeds to be your feed list of IP addresses. You add this feed to your test_ip_intelligence policy which is your global policy. To add addresses to this list, you manually update the feeds.txt file and the changes get picked up by the BigIP by calling itself (127.0.0.1:8123). Do I have this correct?
- mo_99289
Feb 19, 2016
Historic F5 Account
Your understanding is correct.
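For the manual feeds.txt update step confirmed above, an added example (not part of the thread and not F5 tooling) that converts a list of IPv4 addresses and CIDR networks into feed lines shaped like the thread's sample line, rejects malformed entries, and swaps the file into place atomically so a poll never reads a half-written feed. The function names and the input path are assumptions; IPv6 is not handled.

```sh
#!/bin/sh
# Added example, not from the thread. IPv4 only. Field order is taken from the
# thread's sample line: address,prefix-length,bl,category

# Print one feed line for "a.b.c.d" or "a.b.c.d/len"; return 1 if malformed.
to_feed_line() {
    entry=$1; category=$2
    case $entry in
        */*) addr=${entry%%/*}; len=${entry#*/} ;;
        *)   addr=$entry; len=32 ;;
    esac
    # Prefix length 1..32, no leading zero. /0 is refused: it matches every source.
    case $len in ''|*[!0-9]*|0*) return 1 ;; esac
    [ "${#len}" -le 2 ] && [ "$len" -le 32 ] || return 1
    # Address: exactly four decimal octets, each 0..255.
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s,%s,bl,%s\n' "$addr" "$len" "$category"
}

# Convert every entry in file $1 (one per line, '#' comments allowed) and
# publish to $3. Any bad entry aborts and leaves the served feed untouched.
build_feed() {
    src=$1; feed_cat=$2; dest=$3
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        if ! to_feed_line "$line" "$feed_cat" >> "$tmp"; then
            echo "rejected entry: $line" >&2
            rm -f "$tmp"
            return 1
        fi
    done < "$src"
    chmod 644 "$tmp"      # mktemp creates the file 0600; httpd must read it
    mv -f "$tmp" "$dest"  # rename inside one directory is atomic
}

# Usage on the BIG-IP (the input path is hypothetical):
#   build_feed /var/tmp/blocklist.txt test_blacklist_category_1 /var/feeds/feeds.txt
```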
