F5 BIG-IP Phantom Cyber app

Problem this snippet solves:

At World Wide Technology, we are engaging with customers in their evaluation of Phantom and this video clip provides a demonstration of the playbooks and apps developed to ingest data through the REST API and then implement a firewall rule on a F5 BIG-IP appliance to block the source IP address identified in the artifact.

This video illustrates the app. https://youtu.be/1lktjQzVcQQ and this link provides additional background on the use case. https://blog.phantom.us/2016/03/31/community-magic/

The app imports (reuses) an Ansible module which uses the iControl REST interface. The Phantom app is available here.

How to use this snippet:

The app can be installed in Phantom and referenced in playbooks. This app supports containment actions like 'block ip' or 'unblock ip' on a F5 BIG-IP appliance. There must be a firewall policy (Security››Network Firewall:Policies) configured on the BIG-IP and the name of the policy must be specified in the Action Parameters.

Code :

https://github.com/joelwking/ansible-f5/blob/master/icontrol_install_config.py

Tested this on version:

11.6
Published Jun 16, 2016
Version 1.0

Was this article helpful?

7 Comments