Enabling alarm and block of IP Intelligence through CLI and curl
Is there an API for IP Intelligence enabling and disabling as well as for enabling alerting and/or blocking of items within the IP Intelligence feature in ASM. I am wanting to run a curl command like I do for IP Whitelisting and stuff to make a mass update of all ASM policies to enable IP Intelligence on all of them in one go. Please advise.
IP Intelligence
Hello, We've deployed IP Intelligence in our organization and some questions arise: Due to the nature of the dynamic IPs, the update of the database should also include the removal of those IPs no longer considered as bad reputation, right? The update details shows the "number of IP Addresses received in the last update" but it does not mention nothing about IPs removed. Does IP Intelligence take place before any other protection? I mean, if a suspicious IP arrives, it is blocked by the IPI and not analysed by the DoS or web scrapping policies, correct? Thanks.IP Intelligence Categories
Hi, Can anyone recommend a resource where I can read more about the 10 specific categories in IP Intelligence. I have a brief one line description of each category however I'd like more information about exactly what would be blocked, how it is identified, how and when the rules are updated for each category, the standard expectation on false positives, why each category should or should not be enabled. Eg, the Cloud-based security category seems quite broad to block all this traffic.IP Intelligence - The Scanners category
Hi, One of the categories that can be enabled to monitor or block with IP Intelligence via the ASM is "Scanners". The definition for this reads "The Scanners category includes all reconnaissance, such as probes, host scan, domain scan, and password brute force." My question is, if this category is enabled and set to block, will it block search engine bots? Will any category in IP Intelligence block search engine traffic? As you can imagine, this is not a desired outcome. Thank youWeb Attacks in IP Intelligence Vs ASM Policy
Hi, We have a variety of applications that each have ASM policies to protect against web attacks etc. We also have IP Intelligence enabled in monitoring mode at the moment which we will switch to blocking mode for some categories shortly. One of the available categories in the IPI setup is "Web Attacks". I am curious as to whether there is any benefit or risk enabling this if I already have a tailored, configured ASM policy. Which takes precedence, the ASM Policy Rules or the IPI Rules if they are each running. I expect if both the ASM Policy and IPI web attack prevention are each enabled, then the traffic would be subject to both sets of rules? Thank you.
IP Intelligence ASM Whitelisting and Route Domains
Hello, we are using ASM with IP Intelligence, and need to whitelist some IPs. We have entered the IP addresses to the whitelist, but they keep being blocked by the ASM Violations related to IP Intelligence. In the ASM Logs they appear with the Route Domain ID, that creates some confusion. Have some of you used IP Intelligence in a F5 with Route Domains? Could it be that those IPs are not being blocked because we haven't specified the associated route domain in the whitelist entry? If the same F5 has several route domains, and with several applications protected by ASM, should we enter the combination of [whitelisted ip]%[routedomain] for each IP for each route domain involved? Thank you in advance!
