Whitelist Override Ip Intelligence

Question

Hello&nbsp;
I want to know , how is the best way to configure a Whitelist for Overriding IP intelligence function. I don`t understand very well the Feed Lists. With AFM is possible create a Local list in the Big-Ip ?&nbsp;

kevin_davies_40 · Answer

IP intelligence uses a mutiple sources which are aggregated. One is the feed list the other is the service from Brightcloud. A feed is a simple comma-separated value (CSV) file. The file contains four comma-separated values per line. They are IP address, netmask, type and category. The last three are optional and will use defaults specified when you added the feed. Here is an example
10.0.0.2,32,bl,spam_sources
10.0.0.3,,wl,
10.10.0.12,,botnets
10.0.0.12,,,
10.0.0.13,,bl,

In the first line we have the address 10.0.0.2 with a /32 netmask. This is a blacklist item as specified by "bl" and the category is spam_sources. This list format is plain text. Store the file on a webserver and refer to it using the full URL. I am not aware of a on-box IP intelligence whitelist for AFM in 11.6.0. More information can be found here.

john_beckmann · Answer

You can use the following iRule to create a feedlist on one of your VS:-
when RULE_INIT {
set static::MY_WL {
10.0.0.2,32,bl,spam_sources,
10.0.0.3,,wl,
10.10.0.12,,botnets,
10.0.0.12,,,
10.0.0.13,,bl,,}
}
when HTTP_REQUEST {
  if { [HTTP::uri] eq "/My_White_List.html" } {
    HTTP::respond 200 content $static::MY_WL
  }
}

You then just create a Feedlist:-
http(s)://My_White_List.html

paolo_di_liber1 · Answer

Hi,
this iRule allows you to have a dynamic feed list populated with datagroups (ipi_wl and ipi_wl in my case).So you can add/remove white(black)listed ip/subnets.
You have to add a new feed pointing to the VS that is hosting the feed  (/whitelist.html) and (/blacklist.html).
It is not optimized but it works:
when RULE_INIT {
set datagroup names for whitelist and blacklist
set static::dgroup_whitelist "ipi_wl"
set static::dgroup_blacklist "ipi_bl"
}

switch -glob [string tolower [HTTP::uri]] {
    "/whitelist*" { 
        set class_name $static::dgroup_whitelist
        set id [class startsearch $class_name]
        set whitelist ""
         Loop through the class row by row
        while {[class anymore $class_name $id]}{
            set element [class nextelement $class_name $id]
            set ipadd [lindex [split [lindex [split $element " "] 0] "/"] 0]
            set mask [lindex [split [lindex [split $element " "] 0] "/"] 1]
            set entry [concat $ipadd,$mask,,]
            set whitelist [concat $whitelist
$entry]
        }
         Clean up the search
        class donesearch $class_name $id
        HTTP::respond 200 content $whitelist
    }
    "/blacklist*" { 
        set class_name $static::dgroup_blacklist
        set id [class startsearch $class_name]
        set blacklist ""
         Loop through the class row by row
        while {[class anymore $class_name $id]}{
            set element [class nextelement $class_name $id]
            set ipadd [lindex [split [lindex [split $element " "] 0] "/"] 0]
            set mask [lindex [split [lindex [split $element " "] 0] "/"] 1]
            set entry [concat $ipadd,$mask,,]
            set blacklist [concat $blacklist
$entry]
        }
         Clean up the search
        class donesearch $class_name $id
        HTTP::respond 200 content $blacklist
    }
    default { HTTP::respond 200 content "IP Intelligence Feed List Virtual Server Available" }
  }

}

Forum Discussion

Whitelist Override Ip Intelligence

3 Replies

Recent Discussions

ASM attack signatures not syncing between active and standby F5

Hardware BIG-IP appliance reach EOSS, but the software version running on it not yet?

VPN Communication Error with F5 BIG-IP Edge Client

simultaneous disabling / enabling of all LTM objects

Query on source IP preservation for syslog traffic through F5 virtual server

Related Content

The Power of IP Intelligence (IPI)

Intelligent Proxy Steering - Office365

IP-Intelligence and IP-Shunning

Enriching AFM with public domain Threat Intelligence

The BIG-IP Application Security Manager Part 6: IP Address Intelligence and Whitelisting