IP Intelligence
Hi Everyone. I need help checking a list of IP addressed within a blacklist category, is there a command i can run that will dump the IPs contained in that blacklist category? I found the command "tmsh show security ip-intelligence info address x.y.z.k" how ever with this one i found that i need to already know the IP Address for me to check. Help will be much appreciated65Views0likes1CommentEnabling alarm and block of IP Intelligence through CLI and curl
Is there an API for IP Intelligence enabling and disabling as well as for enabling alerting and/or blocking of items within the IP Intelligence feature in ASM. I am wanting to run a curl command like I do for IP Whitelisting and stuff to make a mass update of all ASM policies to enable IP Intelligence on all of them in one go. Please advise.813Views0likes3CommentsAdd address to IP Address Exception via REST API
Hi all, I am trying to add an IP address to Security››Application Security : IP Addresses : IP Address Exceptions. I guess that the API endpoint would be "/mgmt/tm/security/ip-intelligence", but I can't figure out how to do it. Am I looking in the wrong place? Can someone tell me how to do it? KR DanielSolved2.4KViews0likes9CommentsIP Intelligence
Hello, We've deployed IP Intelligence in our organization and some questions arise: Due to the nature of the dynamic IPs, the update of the database should also include the removal of those IPs no longer considered as bad reputation, right? The update details shows the "number of IP Addresses received in the last update" but it does not mention nothing about IPs removed. Does IP Intelligence take place before any other protection? I mean, if a suspicious IP arrives, it is blocked by the IPI and not analysed by the DoS or web scrapping policies, correct? Thanks.272Views0likes2CommentsCan I view only the ASM Events Triggered by IP Intelligence?
Hi All, We have IP Intelligence enabled in monitoring mode and I see the events that are alarmed in the ASM Event log however I can't see how I can view only the events that alarmed as part of IPI. When I look at the advanced search categories I can see the "Access from Malicious IP Address" violation which is triggered under the "Anonymous Proxy" category of IPI however I am not able to see any other violations that relate to IPI. It would be great if I could restrict the logs as per the 10 categories of IP Intelligence. Is there any way to do that that I am missing? Thank you.Solved460Views0likes3CommentsIP Intelligence Categories
Hi, Can anyone recommend a resource where I can read more about the 10 specific categories in IP Intelligence. I have a brief one line description of each category however I'd like more information about exactly what would be blocked, how it is identified, how and when the rules are updated for each category, the standard expectation on false positives, why each category should or should not be enabled. Eg, the Cloud-based security category seems quite broad to block all this traffic.210Views0likes1CommentIP Intelligence - The Scanners category
Hi, One of the categories that can be enabled to monitor or block with IP Intelligence via the ASM is "Scanners". The definition for this reads "The Scanners category includes all reconnaissance, such as probes, host scan, domain scan, and password brute force." My question is, if this category is enabled and set to block, will it block search engine bots? Will any category in IP Intelligence block search engine traffic? As you can imagine, this is not a desired outcome. Thank you220Views0likes1CommentWeb Attacks in IP Intelligence Vs ASM Policy
Hi, We have a variety of applications that each have ASM policies to protect against web attacks etc. We also have IP Intelligence enabled in monitoring mode at the moment which we will switch to blocking mode for some categories shortly. One of the available categories in the IPI setup is "Web Attacks". I am curious as to whether there is any benefit or risk enabling this if I already have a tailored, configured ASM policy. Which takes precedence, the ASM Policy Rules or the IPI Rules if they are each running. I expect if both the ASM Policy and IPI web attack prevention are each enabled, then the traffic would be subject to both sets of rules? Thank you.253Views0likes1CommentIP Intelligence ASM Whitelisting and Route Domains
Hello, we are using ASM with IP Intelligence, and need to whitelist some IPs. We have entered the IP addresses to the whitelist, but they keep being blocked by the ASM Violations related to IP Intelligence. In the ASM Logs they appear with the Route Domain ID, that creates some confusion. Have some of you used IP Intelligence in a F5 with Route Domains? Could it be that those IPs are not being blocked because we haven't specified the associated route domain in the whitelist entry? If the same F5 has several route domains, and with several applications protected by ASM, should we enter the combination of [whitelisted ip]%[routedomain] for each IP for each route domain involved? Thank you in advance!317Views0likes2Comments