Forum Discussion
IPI - Custom Black List Category
Hello, is it possible to see IP addresses contained in a custom IPI black list category?
- Tikka_Nagi_1315Historic F5 Account
By category are you referring to the blacklist classes that are used to provide unique responses on a per-class basis?
You can confirm if an ip address is blacklisted using:
tmsh show security ip-intelligence info address
- Maciej_WaliszkoNimbostratus
I think the idea behind this question is different. Let's say that some source IP addresses are misbehaving and because of that they are automatically added to a custom blacklist category named for example BANNED_IPs. The question is: how to check if that category has some IPs in it?
- Tikka_Nagi_1315Historic F5 Account
tmctl -w120 ip_intelligence_stat
will give you the list of blacklisted ips for each category.
- dariusz_chomiukNimbostratus
Thanks a lot Tikka Nagi... It's a very helpful command. Please check the output from my LB - I'm not sure that my AFM_WHITE_LIST is running OK.

Documentation: https://devcentral.f5.com/s/feed/0D51T00006i7fhwSAA

My configuration

Output

Please say that this functionality is running OK.

Br Darek
- Tikka_Nagi_1315Historic F5 Account
I believe the output of tmctl ip_intelligence_stat is correct. AFM_WHITE_LIST category shows 0 ip addresses blacklisted.
- Maciej_WaliszkoNimbostratus
[root@afm-lb1:Active:In Sync] config tmctl -w130 ip_intelligence_stat
context_type context_name category src_ip_blacklist dst_ip_blacklist
global AFM_DROP 3258 0
global AFM_WHITE_LIST 0 0
global AFM_bogons 66767993 0
global WHITELIST 5015160 4806173
This command doesn't display IPs, only their number within the corresponding category. The question is still not answered. BTW, what is the WHITELIST category? Where did it come from? It was not created by me.
- Tikka_Nagi_1315Historic F5 Account
I don't believe there is a way to display all IP addresses contained in a blacklist, but you can confirm if an IP address is blacklisted using:
tmsh show security ip-intelligence info address
Additionally, tmctl -w120 ip_intelligence_stat will give you the number of IP addresses by category. I mentioned this command in response to the question posted in the first answer: "The question is: how to check if that category has some IPs in it?"
- jimmythegeek_10Historic F5 Account
Yeah. There are potentially hundreds of thousands (or more!) of entries in a blacklist or whitelist, and dumping that info across an internal bottleneck poses a significant risk to system stability. That's why you can't dump the entire table but can only query for an individual address.
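Since the thread settles on per-category counts rather than a dump of addresses, the following added example (not from any poster or from F5) reads `tmctl ip_intelligence_stat` output and reports whether a named category holds any entries. It assumes the category is the third field from the right and the two counters are the last two fields, as in the output quoted earlier in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise per-category entry counts from
# `tmctl -w130 ip_intelligence_stat` output supplied on stdin.

# ipi_category_counts: print "category src_count dst_count" per data row.
# Fields are read from the right (assumption), so a row with an empty
# context_name column still parses. The header and any separator line are
# skipped because their last two fields are not numeric.
ipi_category_counts() {
  awk 'NF >= 3 && $(NF-1) ~ /^[0-9]+$/ && $NF ~ /^[0-9]+$/ {
         print $(NF-2), $(NF-1), $NF
       }'
}

# ipi_category_state NAME: classify one category from the table on stdin.
# Exit status: 0 = has entries, 1 = present but empty, 2 = not found.
ipi_category_state() {
  ipi_category_counts | awk -v want="$1" '
    $1 == want { found = 1; total += $2 + $3 }
    END { if (!found) exit 2; exit (total > 0 ? 0 : 1) }'
}

# Constructed sample: the table quoted in this thread, one row per line.
sample_table() {
  cat <<'EOF'
context_type context_name category src_ip_blacklist dst_ip_blacklist
global AFM_DROP 3258 0
global AFM_WHITE_LIST 0 0
global AFM_bogons 66767993 0
global WHITELIST 5015160 4806173
EOF
}

# On a BIG-IP shell (BANNED_IPs is the example name used in the thread):
#   tmctl -w130 ip_intelligence_stat | ipi_category_state BANNED_IPs
#   echo $?
```

An exit status of 2 separates a category that does not appear in the table from one that exists with zero entries, which a plain count of 0 would not show.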