F5 WAF/ASM block users that trigger too many violations by source ip/device id using the correlation logs

Hello to All, I was thinking of using the iRule tables command to write when a user ip/device id makes too many violations for a time perioud and to get blocked for some time but I see tha...

application delivery

ASM Advanced WAF

iRules

security

Daniel_Wolf
Jun 22, 2021
To answer your question regarding the required license - yes, IP I is a subscription feature of AdvWAF. You need to spend money on that one.

For the table command, I don't have a lot experience. Hence I would also not make any suggestion how an iRule could look like.

Interesting question would be: If you block a client based on its source IP for 5 minutes, what will happen if that client makes a new violation after 4:50 minutes? Will the block be released after 5 minutes or after 4:50 + 5 more minutes?
This kind of "business logic" must be solved in all soltions - IP Intelligence feed, BIG-IQ and Ansible.

Daniel_Wolf

MVP

Jun 21, 2021

What are you trying to achieve? A way to block a source IP that has caused n ASM violations in x seconds for a specific amount of time on Layer 3?

Nikoolayy1
MVP
Jun 21, 2021
Yes but also first using the "ASM::fingerprint" if present as this is more granular and only if there is no Device ID then the source IP address. With the table command I should be able to do something like that but I was wondering if the F5 ASM correlation data and its Incidents can't be used in some way with or without irule for such tasks?
- Daniel_Wolf
  MVP
  Jun 21, 2021
  I had a different train of thought. Use the Source IP from the logs (Splunk, ELK, similar) and create a dynamic IP Intelligence feed list from this data.
  
  Not sure about the Device ID... That fact that there is Device ID+ and Shape Recognize makes me wonder if you should build a solution based on Device ID. It might be a feature that could be deprecated at a certain point in the future.
- Daniel_Wolf
  MVP
  Jun 22, 2021
  To answer your question regarding the required license - yes, IP I is a subscription feature of AdvWAF. You need to spend money on that one.
  
  For the table command, I don't have a lot experience. Hence I would also not make any suggestion how an iRule could look like.
  
  Interesting question would be: If you block a client based on its source IP for 5 minutes, what will happen if that client makes a new violation after 4:50 minutes? Will the block be released after 5 minutes or after 4:50 + 5 more minutes?
  This kind of "business logic" must be solved in all soltions - IP Intelligence feed, BIG-IQ and Ansible.
- Nikoolayy1
  MVP
  Jun 22, 2021
  What you are suggesting sounds like a good option and this way all the F5 devices will block the same source but for IP Intelligence don't you need a license even when using custom feeds?
  
  Also the iRule table command has timeout and lifetime and this makes easier stop blocking an IP address automatically after time. Too bad that there are no REST-API commands for manipulating the data in a table just data group.
  
  Another thing that I was thinking off that could be to used BIG-IQ script option to make all the F5 devices to check a file on a source server that is made with logs from Splunk, ELK, etc. and to update the information in the external data group. I hope F5 to add the option to BIG-IQ to schedule when the scrpts to be run otherwise a cron job on the BIG-IQ may trigger the script feature that will execute the data group to refresh its data.
  
  https://clouddocs.f5.com/training/community/big-iq-cloud-edition/html/class5/module1/lab6.html
  
  example command to run in the BIG-IQ script feature:
  
  tmsh modify sys file data-group ban_ip type ip source-path https://x.x.x.x/files/bad_ip.txt
  
  Also without BIG-IQ Ansible playbook can be used to manage many groups on the F5 devices:
  
  https://docs.ansible.com/ansible/latest/collections/f5networks/f5_modules/bigip_data_group_module.html

Forum Discussion

F5 WAF/ASM block users that trigger too many violations by source ip/device id using the correlation logs

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

High availability on big ip 2600 device

Another Bash script to backup a BIG-IP device.

Rate limiting GraphQL API query using iRule and Advanced WAF Violation

Re: Automate Data Group updates on many Big-IP devices using Big-IQ or Ansible

Separating False Positives from Legitimate Violations