cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

IP intelligence feed list for ASM/WAF?

nafooesi
Altostratus
Altostratus

Hi all,

 

Just started learning about ASM and AFM via documentation. AFM seems to allow importing of external ip list into IP intelligence database, but ASM/WAF seems to use Webroot for its database. Can ASM use external feeds like AFM? OR Can ASM use another source besides webroot feed?

 

Thanks in advance for helping the noob!

 

11 REPLIES 11

Erik_Novak
F5 Employee
F5 Employee

Currently, ASM/Advanced WAF only works with webroot.

Samir
Nacreous
Nacreous

Yes, Can add the IP/Subnet in ASM/WAF IP intelligent database.

 

Go here* Security > Application Security > IP Addresses > IP Address Intelligence 

 

Find the below image

0691T000008GrFDQA0.jpg

0691T000008GrFIQA0.jpg

Thanks

Hi Samir, thanks for replying. Yes ASM can add individual​ IP/subnet exception, but I was referring to adding an external feed with a list of IPs or Subnets for black listing.

Samir
Nacreous
Nacreous

Such configuration not seen. Go with   answer

nafooesi
Altostratus
Altostratus

Does Application Service 3 (AS3) extension provide any method to update feed list? https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/

no, it is for deploying config

PeteWhite
F5 Employee
F5 Employee

IP intelligence is a licensable feature, it uses the same feed for all related areas ie both AFM and ASM use the same feed

AFM does allow adding external feeds to IP intelligence though:

https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/big-ip-network-firewall-policie...

 

So if AFM enriches IPI via external feed (besides webroot), perhaps ASM could take advantage of it as well?

 

Yes, I also wonder why you can't do this with the ASM/Adv. WAF 😞

ernest8478
Nimbostratus
Nimbostratus

Thanks for sharing such great information, I found very thankful and helpful information here.

I am starting to wonder if by using the REST-API can a feed list be created without the AFM module. I may try in the future but if someone has tested this they can share if it works.

 

 

https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_security_ip-intelligence_info.html

 

 

 

Another way could be to use the CVS tabular imported that I am using for importing a list of bad IP addresses or using external data group and populating it or using ansible or BIG-IQ with external data groups:

 

 

https://devcentral.f5.com/s/articles/csv-tabular-data-sideband-importer

 

https://devcentral.f5.com/s/articles/populating-tables-with-csv-data-via-sideband-connections

 

 

https://devcentral.f5.com/s/question/0D51T00006aFjFFSA0/managing-datagroups-from-bigiq

 

 

There are some free lists from free or payed providers with palo alto minemeld or misp free systems.