F5 AFM IP intelligence whitelist content
We have F5 AFM IP intelligence and we dont use the AFM license so no external feed list but only the local categories on the system. it is licensed with IP intelligence, now the question. How can we see the whitelist category content from CLI or GUI? Security››Network Firewall:IP Intelligence:Blacklist Categorieswhitelist Here in the menu you have the option Add to gategory and delete from category but how can we see the content of the whitelist category? Hence then we know if this list is still accurate....
traffic flow between IPI, application security policy, bot detection, DoS protection, irule, and geolocation
I want to know how the traffic flow between IPI, application security policy, bot detection, DoS protection, irule, and Geolocation (using irule for Geolocation). I am using Global IPI (mean IPI does not attached to any VS) and have an irule for Geolocation and only have module ASM and LTM (No APM and AFM). I understand that irule can be arranged by the order. The application security policy, bot detection, DoS protection, irule are attached to VS. Here is what I understand the traffic flow. The traffic hits Global IPI -> reached VS for irules in order (including Geolocation, I always put Geolocation at first place) -> Application security policy -> DoS -> Bot detection. Is this correct? Or will application security policy , Dos, Bot detection happen at the same time? What is the best practice for Geolocation? Using an irule for Geolocation or using Geolocation in application security policy?
best way to reject SSL Connections
We use IPI and we drop the requests via iRule because we cannot use ASM at every VS. today we reject the connect in then CLIENT_ACCEPTED but the result is a SSL Handshake failed for TCP xxx.xxx.xxx.xxx:nnn -> xxx.xxx.xxx.xxx:nnn in ltm log. do we have to accept that or is there a better way to reject connections like that? let the connect go on until HTTP_REQUEST is not option because we have the same problem when we use a required Client Certificate where we check for example the UPN and we like to drop the connection if the UPN is invalid or missing.IP Intelligence Categories
Hi, Can anyone recommend a resource where I can read more about the 10 specific categories in IP Intelligence. I have a brief one line description of each category however I'd like more information about exactly what would be blocked, how it is identified, how and when the rules are updated for each category, the standard expectation on false positives, why each category should or should not be enabled. Eg, the Cloud-based security category seems quite broad to block all this traffic.Web Attacks in IP Intelligence Vs ASM Policy
Hi, We have a variety of applications that each have ASM policies to protect against web attacks etc. We also have IP Intelligence enabled in monitoring mode at the moment which we will switch to blocking mode for some categories shortly. One of the available categories in the IPI setup is "Web Attacks". I am curious as to whether there is any benefit or risk enabling this if I already have a tailored, configured ASM policy. Which takes precedence, the ASM Policy Rules or the IPI Rules if they are each running. I expect if both the ASM Policy and IPI web attack prevention are each enabled, then the traffic would be subject to both sets of rules? Thank you.
