Add address to IP Address Exception via REST API

Hi all,

I am trying to add an IP address to Security ›› Application Security : IP Addresses : IP Address Exceptions. I guess that the API endpoint would be "/mgmt/tm/security/ip-intelligence", but I can't figure out how to do it. Am I looking in the wrong place? Can someone tell me how to do it?

KR

Daniel

9 REPLIES

From what I know, this feature is for the ASM security policy to learn violations faster, like the "trusted IP address" option, bypass the IP intelligence, etc. This is why I don't think it is under ip-intelligence. You can check your version's F5 device REST API support by going to https://<YourF5 IP address>/mgmt/toc, as I don't see this option in the REST API under the ASM tab.

If you want to resolve an IP address blocked by the IP intelligence with automation/REST API, you may try to feed it with a whitelist of the bad IP address, as whitelists override blacklists:

https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-imple...

 

 

Hi,

From my knowledge, when using ASM, IP Intelligence can be applied at three levels. Global and per virtual server: these settings are configured in Security ›› Network Firewall : IP Intelligence.

The third level can be configured per security policy; this is configured in Security ›› Application Security : IP Addresses.

The possibility to use a feed list is only available with AFM provisioned.

Also, looking at the ToC as you suggested, I could not find a clue about how to add an IP exception to an IP Intelligence policy that is configured at the level of the ASM policy.

KR

Daniel

What you can try if you don't find the REST API command (as I also couldn't, and under another post it was still not found) is to turn off the IP intelligence for the ASM security policies that you have issues with and enable it under the virtual servers with an iRule, and make a data group that will be checked: if the client IP address is not in the data group, then use the IP intelligence. Something like a whitelist; the data groups can be managed and updated with the REST API and Ansible:

https://docs.ansible.com/ansible/latest/collections/f5networks/f5_modules/bigip_data_group_module.ht...

F5 iRule links from where I got the idea:

https://clouddocs.f5.com/api/irules/IP-reputation.html

https://clouddocs.f5.com/api/irules/IP__intelligence.html

https://clouddocs.f5.com/api/irules/class.html

F5 article that you probably know, which again shows how to use an iRule with IP intelligence and the ASM module:

https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/8.ht...

 

 

example:

when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals "whitelist_dg"] } {
        # Do nothing if the client address matches the whitelist data group
    } else {
        # IP::reputation returns the list of categories the client IP is flagged in;
        # a non-empty list means the address has a bad reputation
        if { [llength [IP::reputation [IP::client_addr]]] != 0 } {
            # Drop the connection
            drop
        }
    }
}

A more optimized version of the iRule:

when CLIENT_ACCEPTED {
    # Drop when the client IP has at least one reputation category and is not in the
    # whitelist data group (Tcl expr has no not() function, so the negation is written with !)
    if { ([llength [IP::reputation [IP::client_addr]]] != 0) && ![class match [IP::client_addr] equals "whitelist_dg"] } {
        # Drop the connection
        drop
    }
}

 

Unfortunately, the solution you suggest is more of a workaround. I would need to extend its logic to match certain URIs and apply different matching categories (Botnets, Denial of Service) to different URIs. This will quickly become a beast of an iRule.

Based on my requirements, I would need to find a way to automatically update IP Intelligence Exceptions on an IPI policy that is applied on a per security policy basis.

As an alternative, updating the IP Intelligence Exceptions on an IPI policy that is applied on a per VS basis would also be fine.

AFM and a feed list are not an option; I have only AdvWAF provisioned.

Well, you got me almost out of ideas.

The two things I will suggest as my final ideas:

%%%%%%%%%%%

You may see this post that I found, if it helps, as there could be a way to add an IP address to the ASM policy IP exception with "ignoreIpReputation": true (as I mentioned before, if this can be done with the REST API, the REST API call should be under the ASM policy for IP exceptions, not the IP intelligence):

https://devcentral.f5.com/s/question/0D51T00006i7ju3/automate-the-ip-whitelist-creation-in-bulk-for-...

My other suggestion: as you mentioned, for now only the AFM supports custom feed lists other than "webroot" for some reason, but you can still try adding one using the REST API. F5 may have locked this or not if there is no AFM module, but who knows:

https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_security_ip-intelligence_feed-list.html

%%%%%%%%%%%

This first link was the clue I needed. Here's my curl command:

curl --location -g --request POST 'https://{{mgmt-address}}/mgmt/tm/asm/policies/{{asm_policy_hash}}/whitelist-ips' \
  --header 'X-F5-Auth-Token: {{f5-auth-token}}' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "blockRequests": "policy-default",
    "description": "My Test IP address",
    "ignoreAnomalies": false,
    "ignoreIpReputation": true,
    "ipAddress": "10.20.30.40",
    "ipMask": "255.255.255.255",
    "isInherited": false,
    "lastUpdateMicros": 0,
    "neverLearnRequests": false,
    "neverLogRequests": false,
    "trustedByPolicyBuilder": false
  }'

Thank you!

Np. Glad to help out, as I am also getting help from the community.

By the way, I have seen a similar post for IP address exceptions, not for IP intelligence but for trusted IPs, but the idea was the same, and the answer was not found for how you can do this with REST API/Ansible :(.

Still, using a whitelist feed list that the ASM can check from time to time, or trying to populate it with the REST API, may be a workaround for the issue.