Forum Discussion
jdam_41848
Altocumulus
Feb 17, 2016
IP Intelligence policy
Hi all,
Is there a way to add a custom list to an IP Intelligence policy?
Currently we have an iRule that drops traffic based on addresses/networks we add to a data group. We also have AFM...
mo_99289
Feb 17, 2016
Historic F5 Account
It might be a possible way; hope it helps. It still uses a feed, but makes use of the httpd service on BIG-IP. BE AWARE THAT THIS CONFIG IS NOT officially supported by F5.
```
[root@ve3:Active:Standalone] config cat << EOF > /etc/httpd/conf.d/feeds.conf
>
> DocumentRoot /var/feeds
> LogLevel debug
>
> Options Indexes FollowSymLinks MultiViews
> AllowOverride None
>
> KeepAlive Off
>
> Listen 127.0.0.1:8123
> EOF
[root@ve3:Active:Standalone] config cat /etc/httpd/conf.d/feeds.conf
DocumentRoot /var/feeds
LogLevel debug
Options Indexes FollowSymLinks MultiViews
AllowOverride None
KeepAlive Off
Listen 127.0.0.1:8123
[root@ve3:Active:Standalone] config bigstart restart httpd
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@ve3:Active:Standalone] config netstat -anp | grep 8123
tcp 0 0 127.0.0.1:8123 0.0.0.0:* LISTEN 14055/httpd
[root@ve3:Active:Standalone] config mkdir /var/feeds; cat << EOF > /var/feeds/feeds.txt
> 10.2.22.177,32,bl,test_blacklist_category_1
> EOF
[root@ve3:Active:Standalone] config cat /var/feeds/feeds.txt
10.2.22.177,32,bl,test_blacklist_category_1
[root@ve3:Active:Standalone] config tmsh list security ip-intelligence
security ip-intelligence blacklist-category test_blacklist_category_1 { }
security ip-intelligence feed-list test_feed_list {
    feeds {
        feed_list_1 {
            default-blacklist-category test_blacklist_category_1
            poll {
                url http://127.0.0.1:8123/feeds.txt
            }
        }
    }
}
security ip-intelligence global-policy {
    ip-intelligence-policy test_ip_intelligence
}
security ip-intelligence policy ip-intelligence { }
security ip-intelligence policy test_ip_intelligence {
    blacklist-categories {
        test_blacklist_category_1 {
            match-direction-override match-source
        }
    }
    default-log-blacklist-hit-only yes
    default-log-blacklist-whitelist-hit yes
    feed-lists {
        test_feed_list
    }
```
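To move an existing list of addresses and networks into the feed file polled above, the entries have to be written in the `address,prefix-length,bl,category` form that `feeds.txt` uses. The following is an added example, not part of the post and not F5 code: the function names, the IPv4-only handling, the refusal of prefixes broader than /8 and the sample entries are all assumptions made for illustration.

```python
import ipaddress
import os
import re
import tempfile

MIN_PREFIX = 8  # assumption: anything broader than /8 is treated as a typo

def build_feed(entries, category, min_prefix=MIN_PREFIX):
    """Return (lines, errors); each line is address,prefix-length,bl,category."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", category):
        raise ValueError("category must not contain commas or whitespace")
    lines, errors, seen = [], [], set()
    for raw in entries:
        text = raw.split("#", 1)[0].strip()  # tolerate comments and blank lines
        if not text:
            continue
        try:
            # strict=True rejects entries with host bits set (10.2.22.177/24),
            # so a mistyped mask is reported instead of silently widened.
            net = ipaddress.IPv4Network(text, strict=True)
        except ValueError as exc:
            errors.append(f"{text}: {exc}")
            continue
        if net.prefixlen < min_prefix:
            errors.append(f"{text}: broader than /{min_prefix}, refused")
            continue
        if net not in seen:  # drop exact duplicates
            seen.add(net)
            lines.append(f"{net.network_address},{net.prefixlen},bl,{category}")
    return lines, errors

def write_feed(path, lines):
    """Replace the feed atomically so a poll never fetches a partial file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".feed-")
    with os.fdopen(fd, "w") as handle:
        handle.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o644)  # the web server must be able to read the file
    os.replace(tmp, path)

# Constructed sample input standing in for exported data-group entries.
SAMPLE = ["10.2.22.177", "192.0.2.0/24", "10.2.22.177/32",
          "10.2.22.177/24", "0.0.0.0/0", "not-an-ip", "# comment"]

if __name__ == "__main__":
    feed, problems = build_feed(SAMPLE, "test_blacklist_category_1")
    print("\n".join(feed + ["rejected: " + p for p in problems]))
```

Review the rejected entries before publishing the file: a blocklist line that is silently skipped or widened changes what the policy drops.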
mo_99289
Feb 19, 2016
Historic F5 Account
Your understanding is correct.
