
ASM IP Exceptions

crowe (Cirrus)

We are new to having ASM implemented on our main virtual servers. Over the past couple of months I keep having to add IP exceptions for valid customer IPs that get blocked as "malicious". I assume the goal would not be to have a large list of IPs in this list; any advice on how to tune this a little better, docs, etc.? I have around 50 IPs currently whitelisted due to being blocked as malicious. Any advice would be great!

1 ACCEPTED SOLUTION

You need to leave Alarm enabled for malicious IP. In such a case you will have the ability to monitor how it works and detect (but not prevent) a possible attack.


14 REPLIES

youssef1 (Cumulonimbus)

Hi,

The most important part is when building your security policy. You can deploy your policy in staging mode (learning and automatic deployment when required). This will allow you to have an optimal security policy, because as soon as you have a false positive you can create an exception in an explicit way...

To summarize, it is relatively important to deploy your security policy in an optimal way and indeed avoid whitelisting. If you have a block you must see if it is a false positive and, if yes, make the necessary exception at the ASM level (explicitly, so as not to make an opening too wide)...

Are users blocked by IP Intelligence or by the security policy?

Regards

crowe (Cirrus)

Hi Youssef, thanks for the reply. We do have IP Intelligence enabled, so I take it that when this happens that is what is causing the request to be blocked. I came in after this was all implemented, and it was done by a third-party consulting firm. We were told they did it using the learning procedures, and once we started having the weekly whitelisting taking place they slowly stopped responding to my emails of concern.

It sounds like things need to go back to a learning mode to get this fine-tuned. My colleague that worked with them is no longer with us, so I'm trying to get caught up and lined out so we are not getting these false positives.

Would allowing these requests via the ASM utility as they are blocked cause it to learn and possibly line out, or should we take it back to transparent mode to do so?

Thanks in advance.

Ivan_Chernenkii (F5 Employee)

Hello Crowe,

  1. Is your IP Intelligence database updated periodically?
  2. In what IP Intelligence category do you have false positives? Only in one, or in several? If in one, then maybe you can just disable this category.
  3. Learning works in any mode (Transparent or Blocking). You should see learning suggestions on the "Security ›› Application Security : Policy Building : Traffic Learning" page.

Thanks, Ivan

Hello, the category that seems to be blocking the valid traffic is "Botnets". Would you still recommend removing that category, or would I make adjustments in the policy learning section?

 

Hello Crowe,

Image is not available...

If these are different IP addresses, but from the same subnet, then you can just add this subnet into Application Security : IP Addresses : IP Address Exceptions and set Ignore IP Intelligence for it.

If these are totally different IP addresses, but all of them are valid, it sounds strange to me, but in this case you can disable the whole category, so as not to add them one by one as exceptions via learning.

If neither case is good for you, then yes, proceed through the learning.

Thanks, Ivan
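As an added illustration of the subnet suggestion above (this is example code, not from the thread or from F5): given the /32 entries that accumulate in the IP Address Exceptions list, the script below finds which groups could be replaced by one tightest-fit subnet exception, bounded so that the replacement never opens wider than a /24. The sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample of the kind of /32 entries that pile up in
# Application Security : IP Addresses : IP Address Exceptions.
# Documentation ranges only, not real customer addresses.
SAMPLE_EXCEPTIONS = [
    "198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.250",
    "203.0.113.7", "203.0.113.9",
    "192.0.2.44",
]


def covering_subnet(ips):
    """Return the tightest single network that contains every address in ips."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    net = nets[0]
    # Widen one bit at a time until every /32 falls inside the candidate.
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


def suggest_exceptions(exceptions, widest_prefixlen=24, min_hits=2):
    """Propose subnet exceptions to replace groups of individual /32 entries.

    Addresses are first bucketed into /widest_prefixlen blocks, so no proposed
    subnet can be wider than that bound (the "opening too wide" concern).
    A bucket with at least min_hits addresses is replaced by the tightest
    subnet covering them; everything else stays as a /32 exception.
    Returns ({subnet_str: [ips]}, [remaining single ips]).
    """
    buckets = {}
    for ip in exceptions:
        block = ipaddress.ip_network(f"{ip}/{widest_prefixlen}", strict=False)
        buckets.setdefault(block, []).append(ip)
    subnets, singles = {}, []
    for ips in buckets.values():
        if len(ips) >= min_hits:
            subnets[str(covering_subnet(ips))] = sorted(ips, key=ipaddress.ip_address)
        else:
            singles.extend(ips)
    return subnets, sorted(singles, key=ipaddress.ip_address)


if __name__ == "__main__":
    proposed, remaining = suggest_exceptions(SAMPLE_EXCEPTIONS)
    for subnet, members in proposed.items():
        print(f"{subnet}: replaces {len(members)} /32 entries ({', '.join(members)})")
    print("keep as /32:", ", ".join(remaining))
```

Whether a proposed subnet is actually safe to exempt still depends on who owns that range; the script only shows where a subnet exception would shrink the list.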

It is strange indeed, as it is always different public IP addresses being blocked; that is why we have ended up with three pages of /32 addresses in the IP exceptions list. Yesterday was the first day in two weeks that I have received a block. I'll give it more time to see if they are consistently the same category. Thank you.

The image was just the details of what I'm seeing in the ASM logs regarding the latest block.

Unfortunately, the false positives are coming in under different categories. I just got a new one that is "Windows Exploits - Scanners".

Yes, it really looks strange...

  1. Are you sure that all detected malicious IPs are false positives?
  2. Do you have any malicious IP which is blocked correctly?
  3. Why was it suggested to enable malicious IP detection? What was the reason?

If there was no exact reason and you didn't get any real malicious IP for a long time, then I suggest disabling the Block flag per violation (leave the Alarm flag enabled for monitoring), or at least disabling the Block flag for each category which produces false positives.

Thanks, Ivan

  1. The IPs being blocked are in fact showing reputations, so I guess I would have to say they are being blocked appropriately if I thought about it. I say they are valid connections because it's one of our consultants emailing that they are being blocked. We have over 60k consultants though, so maybe it's the case that when it was set up, malicious detection should not have been enabled.
  2. As stated above, they are flagged by BrightCloud, so they are actually being blocked correctly according to our policy.
  3. No one is left that was involved; the only thing I am aware of is that we were having trouble with bots and SQL injection attempts. I am not aware that we needed the malicious setting enabled; I was just trying to leave as much security in place as I could but make it work the best way possible.

With that said, I am going to disable the malicious blocking and see how things go. I am new to ASM and I wasn't aware how much learning/tweaking is really possible if BrightCloud is detecting an issue...

If I leave the malicious blocking disabled, what is the best method or view in ASM to monitor to know if it's becoming an actual issue in the future?

Thank you again in advance for walking through this. It was handed to me by default and I am working on getting into some ASM training to help make sure things are correct.

You need to leave Alarm enabled for malicious IP. In such a case you will have the ability to monitor how it works and detect (but not prevent) a possible attack.

Thank you, that is what I have done.

crowe (Cirrus)

Hello Ivan,

  1. Yes, I have it set to auto-update and it is staying current, as you can see below:

Last time the server was contacted for updates: 06/25/2020 14:05:08
Last time an update was received: 06/25/2020 14:05:09
Total number of IP addresses in the database: 4473532
Number of IP addresses received in the last update: 37

  2. I don't have any in the logs to look at the movement. I will make a note as they come in regarding categories and take your advice on disabling only that one.
  3. Thank you for pointing this out. I will start monitoring as valid blocks occur.


The F5 IP Intelligence is maintained by BrightCloud (a third party).

You may request them to whitelist the IP with a proper reason. (Not sure whether they will do it for free or charge some amount.)

It is always different IPs, so I feel like there is something not set right with what the consultant set up in our policy, etc. Thanks though for the idea.