Forum Discussion

Daniel_Wolf's avatar
Jun 25, 2021
Solved

Add address to IP Address Exception via REST API

Hi all,

 

I am trying to add an IP address to Security ›› Application Security : IP Addresses : IP Address Exceptions. I guess that the API endpoint would be "/mgmt/tm/security/ip-intelligence", but I can't figure out how to do it. Am I looking in the wrong place? Can someone tell me how to do it?

 

KR

Daniel

9 Replies

  • From what I know this feature is for the ASM security policy to learn violations faster like the "trusted ip address" option, bypass the ip intelligence , etc. ,this is why I don't think it is under ip-intelligence. You can check your versions F5 device rest api support by going to https://<YourF5 Ip address>/mgmt/toc as I don't see this option to be in the REST-API under the ASM tab.

     

     

     

    If you want to resolve a blocked ip address by the ip intelligence with an automation/REST-API you may try to feed it with a whitelist of the bad ip address as whitelists overide blacklists:

     

     

    https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-13-1-0/7.html

     

     

    • Daniel_Wolf's avatar
      Daniel_Wolf
      Icon for MVP rankMVP

      Hi,

       

      from my knowledge, when using ASM, IP Intelligence can be applied at three levels. Global and per Virtual. These settings are configured in Security ›› Network Firewall : IP Intelligence.

      The third level can be configured per Security Policy, this can be configured in Security ›› Application Security : IP Addresses.

      The posibility to use a feed list is only available with AFM provisioned.

       

      Also looking at the ToC, as you suggested, I could not find a clue how to add an IP exception to an IP Intelligence Policy that is configured on the level of the ASM policy.

       

      KR

      Daniel

      • Daniel_Wolf's avatar
        Daniel_Wolf
        Icon for MVP rankMVP

        This first link was the clue I needed. Here's my curl command:

        curl --location -g --request POST 'https://{{mgmt-address}}/mgmt/tm/asm/policies/{{asm_policy_hash}}/whitelist-ips' \
        --header 'X-F5-Auth-Token: {{f5-auth-token}}' \
        --header 'Content-Type: application/json' \
        --data-raw '{
            "blockRequests": "policy-default",
            "description": "My Test IP address",
            "ignoreAnomalies": false,
            "ignoreIpReputation": true,
            "ipAddress": "10.20.30.40",
            "ipMask": "255.255.255.255",
            "isInherited": false,
            "lastUpdateMicros": 0,
            "neverLearnRequests": false,
            "neverLogRequests": false,
            "trustedByPolicyBuilder": false
        }'

         Thank you!

  • By the way I have seen similar post for IP address exception not for ip-intelligence but for trusted ip but the idea was the same and the answer was not found how you can do this with REST-API/Ansible :(.

     

     

    Still to use whitelist feed list that the ASM can check from time to time or trying to populate it with the REST-API maybe a workaround for the issue.