Forum Discussion

3 Replies

Sort By
  • Kevin_Davies_40's avatar
    Kevin_Davies_40
    Icon for Nacreous rankNacreous
    Nov 14, 2015

    IP intelligence uses a mutiple sources which are aggregated. One is the feed list the other is the service from Brightcloud. A feed is a simple comma-separated value (CSV) file. The file contains four comma-separated values per line. They are IP address, netmask, type and category. The last three are optional and will use defaults specified when you added the feed. Here is an example

    10.0.0.2,32,bl,spam_sources
10.0.0.3,,wl,
10.10.0.12,,botnets
10.0.0.12,,,
10.0.0.13,,bl,

    In the first line we have the address 10.0.0.2 with a /32 netmask. This is a blacklist item as specified by "bl" and the category is spam_sources. This list format is plain text. Store the file on a webserver and refer to it using the full URL. I am not aware of a on-box IP intelligence whitelist for AFM in 11.6.0. More information can be found here.

    • John_Beckmann's avatar
      John_Beckmann
      Icon for Employee rankEmployee
      Feb 15, 2017

      You can use the following iRule to create a feedlist on one of your VS:-

      when RULE_INIT {
set static::MY_WL {
10.0.0.2,32,bl,spam_sources,
10.0.0.3,,wl,
10.10.0.12,,botnets,
10.0.0.12,,,
10.0.0.13,,bl,,}
}
when HTTP_REQUEST {
  if { [HTTP::uri] eq "/My_White_List.html" } {
    HTTP::respond 200 content $static::MY_WL
  }
}

      You then just create a Feedlist:-

      http(s)://My_White_List.html

    • Paolo_Di_Liber1's avatar
      Paolo_Di_Liber1
      Icon for Employee rankEmployee
      Apr 18, 2017

      Hi, this iRule allows you to have a dynamic feed list populated with datagroups (ipi_wl and ipi_wl in my case).So you can add/remove white(black)listed ip/subnets. You have to add a new feed pointing to the VS that is hosting the feed (/whitelist.html) and (/blacklist.html). It is not optimized but it works:

      when RULE_INIT {
set datagroup names for whitelist and blacklist
set static::dgroup_whitelist "ipi_wl"
set static::dgroup_blacklist "ipi_bl"
}

switch -glob [string tolower [HTTP::uri]] {
    "/whitelist*" { 
        set class_name $static::dgroup_whitelist
        set id [class startsearch $class_name]
        set whitelist ""
         Loop through the class row by row
        while {[class anymore $class_name $id]}{
            set element [class nextelement $class_name $id]
            set ipadd [lindex [split [lindex [split $element " "] 0] "/"] 0]
            set mask [lindex [split [lindex [split $element " "] 0] "/"] 1]
            set entry [concat $ipadd,$mask,,]
            set whitelist [concat $whitelist\r\n$entry]
        }
         Clean up the search
        class donesearch $class_name $id
        HTTP::respond 200 content $whitelist
    }
    "/blacklist*" { 
        set class_name $static::dgroup_blacklist
        set id [class startsearch $class_name]
        set blacklist ""
         Loop through the class row by row
        while {[class anymore $class_name $id]}{
            set element [class nextelement $class_name $id]
            set ipadd [lindex [split [lindex [split $element " "] 0] "/"] 0]
            set mask [lindex [split [lindex [split $element " "] 0] "/"] 1]
            set entry [concat $ipadd,$mask,,]
            set blacklist [concat $blacklist\r\n$entry]
        }
         Clean up the search
        class donesearch $class_name $id
        HTTP::respond 200 content $blacklist
    }
    default { HTTP::respond 200 content "IP Intelligence Feed List Virtual Server Available" }
  }

}