IP Intelligence Services
51 Topics

IP intelligence feed list for ASM/WAF?
Hi all, just started learning about ASM and AFM via the documentation. AFM seems to allow importing an external IP list into the IP Intelligence database, but ASM/WAF seems to use Webroot for its database. Can ASM use external feeds like AFM? Or can ASM use another source besides the Webroot feed? Thanks in advance for helping the noob!

1.6K views, 0 likes, 11 comments

Explicit forward proxy for HTTP(S), FTP(S), SFTP and SOCKS
Hi folks, I want to set up a BIG-IP as a simple explicit forwarding proxy for several services:

- HTTP(S)
- FTP(S)
- SFTP
- SOCKS

There is no need for caching, URL filtering or authentication; just IP Intelligence should be used. So to my understanding LTM and an IPI license are sufficient. Moreover, the encrypted protocols (HTTPS, SFTP, FTPS) shouldn't be intercepted. I have read a few implementation guides for SWG which gave me an idea what to do. First of all I think I need 4 virtual servers to use as forward proxy servers (they act as listeners for the client proxy connections):

- VS_Forward_8080 (for receiving and forwarding the client HTTP(S) requests)
- VS_Forward_2121 (for receiving and forwarding the client FTP(S) requests)
- VS_Forward_22 (for receiving and forwarding the client SFTP requests)
- VS_Forward_1080 (for receiving and forwarding the client SOCKS requests)

Moreover, 4 tunnels are needed:

- tunnel_http
- tunnel_ftp
- tunnel_sftp
- tunnel_socks

And last but not least I need six virtual servers which finally handle the client requests (name resolution, IPI check via iRule, SNAT and routing to the Internet):

- VS_HTTP_80
- VS_HTTPS_443
- VS_FTP_21
- VS_FTPS_990
- VS_SFTP_22
- VS_SOCKS_1080

The tunnels link the forwarding proxy servers. A high-level overview looks like this:

My questions regarding that scenario:

- Does it work in principle?
- Is there a better/easier way to achieve what I want?
- Is it possible to avoid interception of the encrypted connections? If yes, how is name resolution possible for the destination hosts?
- Shall Fast L4 or Standard VS be used?

Many thanks for your ideas and comments!

1.2K views, 0 likes, 2 comments

Is there F5 ip intelligence based on domain/FQDN (domain intelligence)?
I ask this question because, for example, for email security an email can be blocked if the source IP and/or source domain (DNS FQDN) are in a blacklist. From what I read, the F5 IP Intelligence provides only a feed for bad IP addresses, but there are attackers that use DYNAMIC DNS: DATA EXFILTRATION can change the domain-related IP addresses very often, and this could be a useful feature if not present at the moment.

Solved. 999 views, 0 likes, 4 comments

Microsoft Office 365 IP intelligence
Problem this snippet solves:

This snippet adds Microsoft Office 365 IP intelligence. It parses the O365IPAddresses.xml file that Microsoft supplies to help identify Microsoft URLs and IP address ranges. With this snippet you can check if an IP address belongs to Microsoft and let the BIG-IP decide to allow or deny traffic. For more info see: Office 365 URLs and IP address ranges

DISCLAIMER: This code has never been tested outside a lab environment. Consider this snippet to be a proof-of-concept.

How to use this snippet:

Prepare BIG-IP
1. Create LX Workspace: office365_ipi
2. Add iRule: office365_ipi_irule
3. Add Extension: office365_ipi_extension
4. Add LX Plugin: office365_ipi_plugin -> From Workspace: office365_ipi

Install node.js modules

# cd /var/ilx/workspaces/Common/office365_ipi/extensions/office365_ipi_extension
# npm install xml2js https repeat lokijs ip-range-check --save

office365_ipi_irule:

###
### Name   : office365_ipi_irule
### Author : Niels van Sluis, (niels@van-sluis.nl)
### Version: 0.1
### Date   : 2017-07-25
###
when RULE_INIT {
    # cache verdicts in the session table for 1 hour
    set static::office365_ipi_timeout 3600
    set static::office365_ipi_lifetime 3600
}

when CLIENT_ACCEPTED {
    # Valid product names are:
    # o365, LYO, Planner, Teams, ProPlus, OneNote, Yammer,
    # EXO, Identity, Office365Video, WAC, SPO, RCA, Sway,
    # EX-Fed, OfficeMobile, CRLs, OfficeiPad, EOP
    #
    # Use 'any' to match an IP address in all products.
    set productName "o365"
    set ipAddress [IP::client_addr]
    set key "${productName}:${ipAddress}"

    # -notouch: reading the cached verdict must not extend its timeout
    set verdict [table lookup -notouch $key]

    if { $verdict eq "" } {
        log local0. "Need to retrieve verdict via iRulesLX"
        set rpc_handle [ILX::init office365_ipi_plugin office365_ipi_extension]
        if {[catch {ILX::call $rpc_handle checkProductIP $productName $ipAddress} verdict]} {
            # RPC failure: log it and let the connection through (fail-open)
            log local0.error "Client - [IP::client_addr], ILX failure: $verdict"
            return
        }
        log local0. "The verdict for $ipAddress: $verdict"
        # cache verdict
        table set $key $verdict $static::office365_ipi_timeout $static::office365_ipi_lifetime
    }

    # The extension replies true (allow) or false (reject); Tcl's expr
    # accepts those spellings as booleans, so 0/1 work here as well.
    if { !($verdict) } {
        log local0. "rejected IP address: $ipAddress"
        reject
    }
}

Code:

/**
 *** Name   : office365_ipi_extension
 *** Author : Niels van Sluis,
 *** Version: 0.1
 *** Date   : 2017-07-25
 **/
'use strict';

// Import the f5-nodejs module and others.
var f5 = require('f5-nodejs');
var parseString = require('xml2js').parseString;
var https = require('https');
var repeat = require('repeat');
var loki = require('lokijs');
var ipRangeCheck = require('ip-range-check');

// Create (in-memory) LokiJS database.
var db = new loki('db.json');
var products = db.addCollection('products');

// Create a new rpc server for listening to TCL iRule calls.
var ilx = new f5.ILXServer();

// URL to Microsoft Office 365 XML file.
var url = "https://support.content.office.net/en-us/static/O365IPAddresses.xml";

// Function to get XML file and convert to JSON object.
// Every outcome (transport error, non-200 status, parse error, success)
// reaches the callback exactly once.
function xmlToJson(url, callback) {
    var req = https.get(url, function(res) {
        var xml = '';
        res.on('data', function(chunk) {
            xml += chunk;
        });
        res.on('error', function(e) {
            callback(e, null);
        });
        res.on('end', function() {
            if (res.statusCode != 200) {
                callback(new Error("HTTP status " + res.statusCode), null);
                return;
            }
            parseString(xml, function(err, result) {
                callback(err, err ? null : result);
            });
        });
    });
    // A DNS or TCP failure is emitted on the request object; without this
    // handler it would be an unhandled 'error' event and crash the extension.
    req.on('error', function(e) {
        callback(e, null);
    });
}

// Function that uses the data in the XML file to create a database
// that can be used to perform IP address and URL lookups.
function getOffice365() {
    xmlToJson(url, function(err, data) {
        if (err) {
            console.log("Error: xmlToJson failed: " + err.message);
            return;
        }
        // if xml happens to be empty due to an error, do not continue.
        if (!data || !data.products || !data.products.$) {
            console.log("Error: No data in XML file");
            return;
        }

        // Get date updated, e.g. 7/13/2017
        var productsUpdated = data.products.$.updated;

        // Only update if version changed
        var versionCheck = products.findObject({'name': 'any'});
        if (versionCheck && versionCheck.version == productsUpdated) {
            console.log("Info: product version didn't change; no update required");
            return;
        }

        var allIpAddresses = [];
        var allUrls = [];

        (data.products.product || []).forEach(function (product) {
            var ipAddresses = [];
            var urls = [];

            (product.addresslist || []).forEach(function (addresslist) {
                // an <addresslist> without <address> children is legal; skip it
                if (!addresslist.address) {
                    return;
                }
                if (addresslist.$.type == "IPv4" || addresslist.$.type == "IPv6") {
                    addresslist.address.forEach(function (address) {
                        ipAddresses.push(address);
                        allIpAddresses.push(address);
                    });
                } else if (addresslist.$.type == "URL") {
                    addresslist.address.forEach(function (address) {
                        urls.push(address);
                        allUrls.push(address);
                    });
                }
            });

            var name = product.$.name.toLowerCase();
            var p = products.findObject({'name': name});
            if (!p) {
                products.insert({
                    name: name,
                    ipAddresses: ipAddresses,
                    urls: urls,
                    version: productsUpdated
                });
            } else {
                p.ipAddresses = ipAddresses;
                p.urls = urls;
                p.version = productsUpdated;
                products.update(p);
            }
        });

        // 'any' holds the de-duplicated union of all products.
        var anyIps = Array.from(new Set(allIpAddresses));
        var anyUrls = Array.from(new Set(allUrls));
        var any = products.findObject({'name': 'any'});
        if (!any) {
            products.insert({
                name: 'any',
                ipAddresses: anyIps,
                urls: anyUrls,
                version: productsUpdated
            });
        } else {
            any.ipAddresses = anyIps;
            any.urls = anyUrls;
            any.version = productsUpdated;
            products.update(any);
        }
        console.log("Info: update finished; " + products.data.length + " product records in database.");
    });
}

// refresh Microsoft Office 365 XML every hour
repeat(getOffice365).every(1, 'hour').start.now();

// ILX::call to check if an IP address is part of Office365
ilx.addMethod('checkProductIP', function(objArgs, objResponse) {
    var productName = objArgs.params()[0];
    var ipAddress = objArgs.params()[1];

    // fail-open = true, fail-close = false
    // An unknown product name (or an empty database right after start-up,
    // before the first download completes) therefore allows the client.
    var verdict = true;

    var req = products.findObject({'name': productName.toLowerCase()});
    if (req) {
        verdict = ipRangeCheck(ipAddress, req.ipAddresses);
    }

    // return the verdict to the Tcl iRule
    objResponse.reply(verdict);
});

// Start listening for ILX::call and ILX::notify events.
ilx.listen();

Tested this on version: 13.0

899 views, 0 likes, 5 comments
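The following Python script is an added example, not part of the Office 365 snippet above or of the author's code: it models the extension's database build and the checkProductIP lookup offline, so the matching logic can be exercised without a BIG-IP. It parses a small constructed document in the shape of O365IPAddresses.xml (a products element with an updated attribute, product elements with addresslist children typed IPv4, IPv6 or URL); the product names and ranges are illustrative, not Microsoft's real data. Two details differ deliberately from the snippet: the 'any' aggregate is de-duplicated on every build, and an unparsable client address fails closed rather than raising into the caller. One caveat for anyone deploying this today: Microsoft has since retired the O365IPAddresses.xml file in favour of a JSON web service, so the XML shape handled here is the one the snippet parsed at the time of writing.

```python
"""Offline model of the office365_ipi_extension lookup logic (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the O365IPAddresses.xml file; the
# product names and ranges are illustrative only.
SAMPLE_XML = """<products updated="7/13/2017">
  <product name="o365">
    <addresslist type="IPv4">
      <address>13.107.6.152/31</address>
      <address>40.96.0.0/13</address>
    </addresslist>
    <addresslist type="IPv6">
      <address>2603:1030::/32</address>
    </addresslist>
    <addresslist type="URL">
      <address>*.office365.com</address>
    </addresslist>
  </product>
  <product name="EXO">
    <addresslist type="IPv4">
      <address>40.96.0.0/13</address>
      <address>52.96.0.0/14</address>
    </addresslist>
    <addresslist type="URL"/>
  </product>
</products>
"""


class ProductDB:
    """In-memory stand-in for the LokiJS 'products' collection."""

    def __init__(self):
        self.version = None   # value of <products updated="...">
        self.products = {}    # lower-case name -> {"ips": [networks], "urls": [str]}

    def load(self, xml_text):
        """Rebuild the tables from an XML document.

        Returns True if the data changed and False if the 'updated' stamp
        matched the current one (the same short-circuit the extension does
        before re-parsing).
        """
        root = ET.fromstring(xml_text)
        if root.tag != "products":
            raise ValueError("not an O365IPAddresses document")
        updated = root.get("updated")
        if updated is not None and updated == self.version:
            return False

        products = {}
        all_ips, all_urls = [], []
        for product in root.findall("product"):
            name = product.get("name", "").lower()
            ips, urls = [], []
            for alist in product.findall("addresslist"):
                kind = alist.get("type")
                entries = [a.text.strip() for a in alist.findall("address") if a.text]
                if kind in ("IPv4", "IPv6"):
                    # A malformed range is a data error: raise rather than silently skip.
                    ips.extend(ipaddress.ip_network(e, strict=False) for e in entries)
                elif kind == "URL":
                    urls.extend(entries)
            products[name] = {"ips": ips, "urls": urls}
            all_ips.extend(ips)
            all_urls.extend(urls)

        # 'any' is the de-duplicated union of every product.
        products["any"] = {
            "ips": sorted(set(all_ips), key=lambda n: (n.version, n)),
            "urls": sorted(set(all_urls)),
        }
        self.products = products
        self.version = updated
        return True

    def check_product_ip(self, product_name, ip_text):
        """Mirror of checkProductIP: True if the address is inside one of the
        product's ranges. Unknown products fail open (True) exactly as the
        extension does; an unparsable address fails closed (False)."""
        entry = self.products.get(product_name.lower())
        if entry is None:
            return True
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            return False
        return any(addr in net for net in entry["ips"] if net.version == addr.version)


if __name__ == "__main__":
    db = ProductDB()
    db.load(SAMPLE_XML)
    for product, ip in (("o365", "40.100.1.1"), ("EXO", "13.107.6.152"), ("any", "2603:1030::1")):
        print(product, ip, db.check_product_ip(product, ip))
```

The fail-open choice on an unknown product mirrors the extension; if the iRule is meant to enforce rather than observe, an operator would want that branch (and the empty-database window right after start-up) to fail closed instead.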
Block Known Threats Using F5's IP Intelligence Service

Sadly, one of my favorite things to do lately is sit in my home office and view IP Intelligence logs and charts. To see something so simple but so powerful in action is quite intriguing. If you are not familiar with F5's IP Intelligence capability, it is an add-on service that integrates with both the Advanced Firewall Manager and the Application Security Manager. The service provides a database of threatening IP addresses that can be updated as frequently as every 5 minutes, in order to block sources of known bad IP addresses as well as identify and block communications with newly identified threatening IP addresses. Below is a list of each of the protection categories.

Now you might be asking how in the world F5 gets a list of known bad IP addresses. While F5 does have its own internal groups that do a lot of super secret stuff on the dark web for the greater good, this service is actually driven through a relationship with Brightcloud. Brightcloud's security platform scans billions of IP addresses and billions of URLs across millions of domains, in addition to millions of mobile apps, and leverages machine learning to classify and categorize each according to the threat it represents to your business. If you would like to read more info on Brightcloud, you can access their web page here. Now that we have discussed IPI at a high level, let's deploy it!

Prerequisites

- F5 IP Intelligence Service add-on license
- Internet connectivity
- DNS configured
- *Advanced Firewall Manager licensed and provisioned
- *Application Security Manager licensed and provisioned

Note: There are many ways to configure F5's IPI; we will review using iRules, AFM and ASM to block known bad traffic. While AFM and ASM are not required, they can ease the deployment process.

Verify the IP Reputation Database is Current

1. Log into the BIG-IP system command line.
2. Run tmsh list sys db iprep.autoupdate. The IP reputation DB is configured to auto-update by default. If this has been disabled, run the following command to enable the auto-update feature: tmsh modify sys db iprep.autoupdate value enable.
3. Run tmsh show sys iprep-status. If the command returns no data, the IP reputation DB has not been downloaded. Validate internet connectivity and name resolution. If nslookup or dig fails, validate that you have configured a name server in the system configuration.
4. Run tmsh modify sys db iprep.intervalmin value 5.

The screenshot above shows the result of having no IP reputation DB; after resolving my DNS issue and lowering the update interval, a successful download occurs.

Creating an iRule to reject requests with questionable IP addresses

1. Navigate to Local Traffic >> iRules.
2. Click Create.
3. In the Definition field, copy and paste the following example iRule:

when HTTP_REQUEST {
    # IP::reputation returns the list of IPI categories the client address belongs to
    set ip_reputation_categories [IP::reputation [IP::client_addr]]
    set is_reject 0
    if {($ip_reputation_categories contains "Windows Exploits")} {
        set is_reject 1
    }
    if {($ip_reputation_categories contains "Web Attacks")} {
        set is_reject 1
    }
    if {($is_reject)} {
        log local0. "Attempted access from malicious IP address [IP::client_addr] ($ip_reputation_categories), request was rejected"
        # The example answers with a 200; use 403 instead if clients should see an error status.
        HTTP::respond 200 content "The request was rejected. Attempted access from malicious IP address"
    }
}

4. Click Finished.

Note: When the system receives traffic from an IP address that is included in the IP Intelligence database, the system prints the IP Intelligence information in the /var/log/ltm log.

Assign the iRule to a BIG-IP Virtual Server

1. Navigate to Local Traffic >> Virtual Servers.
2. Select the Resources tab.
3. Select Manage from iRules.
4. Move the iRule created in the previous step to Enabled.
5. Click Finish.

IP Intelligence for Advanced Firewall Manager

Configure a Global IP Intelligence Policy

1. Log in to the Traffic Management User Interface (TMUI).
2. Navigate to Security >> Network Firewall >> IP Intelligence >> Policies.
3. From the Global Policy list, select the IP Intelligence policy to apply to all traffic on the BIG-IP system.
4. Click Update.

The IP Intelligence policy is now applied to all traffic.

Assigning an IP Intelligence Policy to a Virtual Server

You can assign an IP Intelligence policy to a virtual server, to apply blacklist and whitelist matching actions and logging to traffic on that virtual server only.

1. Navigate to Local Traffic >> Virtual Servers.
2. Click the name of the virtual server you want to modify.
3. On the menu bar, from the Security menu, choose Policies.
4. Next to IP Intelligence, select Enabled, then select the IP Intelligence policy to apply to traffic on the virtual server.
5. Click Update.

The specified IP Intelligence policy is applied to traffic on the selected virtual server.

Assigning an IP Intelligence policy to a route domain

1. Navigate to Network >> Route Domains.
2. In the Name column, click the name of the relevant route domain.
3. From the IP Intelligence Policy list, select an IP Intelligence policy to enforce on this route domain.
4. Click Update.

The specified IP Intelligence policy is applied to traffic on the route domain.

IP Intelligence for Application Security Manager

1. Navigate to Security >> Application Security : IP Addresses : IP Intelligence.
2. Check the Enabled box.
3. Once enabled, you are presented with all IPI categories; select which categories you would like to Alarm and/or Block. In this example I am configuring all categories to Alarm and Block.
4. Click Save.
5. Apply the security policy by clicking Apply Policy at the top of the screen.

The IP Intelligence settings are now part of the ASM security policy. If the security policy has not been applied to a virtual server, do so at this time.

View Traffic Blocked by the IPI Reputation Database

1. Navigate to Security >> Reporting >> Application >> Charts.
2. From the View By drop-down menu, select IP Intelligence.
3. Navigate to Security >> Reporting >> Network >> IP Intelligence.
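Beyond the GUI reports, the /var/log/ltm lines written by the iRule above are worth summarising before deciding whether a rejected source is a false positive to whitelist or a source to escalate. The following Python script is an added example, not part of the article: it parses such lines, counts rejections per client address and per reputation category, and lists addresses that exceed a threshold. The sample log lines are constructed here in the "timestamp host level tmm[pid]: Rule /Common/name <EVENT>: message" layout BIG-IP uses for iRule log statements; the hostname, PIDs and addresses are made up, and the message text is exactly what the iRule's log statement produces. Because IP::reputation returns a Tcl list, multi-word category names arrive brace-quoted in the message, which the parser handles.

```python
"""Summarise IP Intelligence rejections logged by the iRule (added example)."""
import re
from collections import Counter, defaultdict

# Categories named on this page. The set is only used to flag categories in the
# log that the iRule was not written with in mind; extend it as needed.
KNOWN_CATEGORIES = {"Windows Exploits", "Web Attacks", "Spam Sources"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s\w+\stmm\d*\[\d+\]:\s"
    r"Rule\s(?P<rule>\S+)\s<(?P<event>\w+)>:\s"
    r"Attempted access from malicious IP address\s(?P<ip>[0-9a-fA-F.:]+)\s"
    r"\((?P<cats>[^)]*)\),\srequest was rejected$"
)

# Constructed sample: five iRule rejections plus one unrelated mcpd line.
SAMPLE_LOG = """\
Jul 25 10:15:01 bigip1 info tmm[12345]: Rule /Common/ipi_reject <HTTP_REQUEST>: Attempted access from malicious IP address 203.0.113.7 ({Windows Exploits} {Web Attacks}), request was rejected
Jul 25 10:15:03 bigip1 info tmm1[12346]: Rule /Common/ipi_reject <HTTP_REQUEST>: Attempted access from malicious IP address 198.51.100.23 ({Web Attacks}), request was rejected
Jul 25 10:15:09 bigip1 info tmm[12345]: Rule /Common/ipi_reject <HTTP_REQUEST>: Attempted access from malicious IP address 203.0.113.7 ({Windows Exploits} {Web Attacks}), request was rejected
Jul 25 10:15:11 bigip1 info tmm[12345]: Rule /Common/ipi_reject <HTTP_REQUEST>: Attempted access from malicious IP address 203.0.113.7 ({Windows Exploits} {Web Attacks}), request was rejected
Jul 25 10:16:40 bigip1 notice mcpd[4321]: 01070638:5: Pool /Common/web_pool member /Common/10.0.1.10:80 monitor status up.
Jul 25 10:17:02 bigip1 info tmm[12345]: Rule /Common/ipi_reject <HTTP_REQUEST>: Attempted access from malicious IP address 2001:db8::9 ({Spam Sources} {Web Attacks}), request was rejected
"""


def split_categories(raw):
    """'{Windows Exploits} {Web Attacks}' -> ['Windows Exploits', 'Web Attacks'];
    a single unbraced name is returned as a one-element list."""
    braced = re.findall(r"\{([^}]*)\}", raw)
    if braced:
        return braced
    return [raw.strip()] if raw.strip() else []


def parse_line(line):
    """Return a record for an IPI rejection line, or None for any other log line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m.group("ts"),
        "rule": m.group("rule"),
        "ip": m.group("ip"),
        "categories": split_categories(m.group("cats")),
    }


def summarise(log_text, threshold=3):
    """Aggregate rejections; 'repeat_offenders' are addresses with >= threshold hits."""
    by_ip = Counter()
    by_category = Counter()
    categories_for_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_ip[rec["ip"]] += 1
        for cat in rec["categories"]:
            by_category[cat] += 1
            categories_for_ip[rec["ip"]].add(cat)
    return {
        "by_ip": dict(by_ip),
        "by_category": dict(by_category),
        "categories_for_ip": {ip: sorted(c) for ip, c in categories_for_ip.items()},
        "repeat_offenders": sorted(ip for ip, n in by_ip.items() if n >= threshold),
        "unexpected_categories": sorted(c for c in by_category if c not in KNOWN_CATEGORIES),
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for ip, n in sorted(report["by_ip"].items(), key=lambda kv: -kv[1]):
        print("%-16s %3d  %s" % (ip, n, ", ".join(report["categories_for_ip"][ip])))
    print("repeat offenders:", report["repeat_offenders"])
```

Run it against a copy of /var/log/ltm by replacing SAMPLE_LOG with the file's contents; lines from other daemons are ignored by the anchored pattern rather than mis-parsed.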
You have now successfully deployed F5's IP Intelligence service and are blocking threats using iRules, Advanced Firewall Manager and Application Security Manager. Until next time!

719 views, 0 likes, 5 comments

Can Akamai CDN and GTM work together to achieve ACTIVE ACTIVE Load Balancing
We want to achieve global server load balancing with the existing Akamai CDN solution; the scenario is as below. The customer is using the Akamai CDN solution for a few of their websites by adding a CNAME record in the zone file. For example: if any request comes for abc.example.com then a CNAME record is added pointing towards x13.akmainet.com, i.e. abc.example.com CNAME x13.akmainet.com. The request will go to Akamai and from there it will come to the application server hosted in the DC; the application can only see the Akamai IP address as source. Now the customer is building a new DC and they want to achieve ACTIVE ACTIVE load balancing between the two DCs by using GTM. Please help me to understand how we can achieve a solution in this case by using GTM. Can Akamai and F5 GTM work together?

707 views, 0 likes, 1 comment

Manually add or remove IP address from IP Intelligence blacklist category
Hello, I'd like to know if it is possible to use a CLI command to add (or remove) an IP address to (from) an IPI category blacklist. I need to do this from a bash shell script... I know it is possible using the GUI: "Security >> Network Firewall : IP Intelligence : Black List Categories", then select the blacklist category and click "Add to Category" or "Remove from Category". I cannot find the CLI equivalent in the documentation/AskF5/DevCentral... -Frank

699 views, 0 likes, 2 comments

"Spam Sources" blacklist category missing from IP Address Intelligence Categories area
In BIG-IP ASM v12.1.2, "Spam Sources" is the only one of the blacklist categories that is not in the IP Address Intelligence Categories area of the security policy, so it cannot be selected for Learn, Alarm or Block. I have implemented a tactical fix by using IP::reputation in an iRule, but this is CPU-intensive. Is this a bug that will be resolved, or a design decision?

622 views, 0 likes, 7 comments

Configuring VIP through Ansible playbook by leveraging F5 AS3 declarative approach
Hi, I need to configure a VIP with an Ansible playbook by leveraging the AS3 declaration; my target is to eliminate Jinja templates, so that I will be able to have one playbook for all the tasks required. Is there someone that can help me? Thanks in advance

553 views, 1 like, 1 comment