Manual Chapter : Managing IP Address Exceptions

Applies To: BIG-IP ASM 14.1.3, 14.1.2, 14.1.0

Overview: Managing IP address exceptions

An IP address exception is an IP address that you want the system to treat in a specific way for a security policy. For example, you can specify IP addresses from which the system should always trust traffic, IP addresses for which you do not want the system to generate learning suggestions for the traffic, and IP addresses for which you want to exclude information from the logs. You can use the IP address exception feature to create exceptions for IP addresses of internal tools that your company uses, such as penetration tools, manual or automatic scanners, or web scraping tools. You can add an IP address exception, and instruct the system how to handle traffic coming from that address.
You can view a centralized list of IP address exceptions, and you can add new IP address exceptions to the list. The list of IP address exceptions shows exceptions that you add directly to the list, or those which you add from other locations, as shown by the following examples:
  • When creating a security policy, you can specify IP addresses that you want the Policy Builder to always trust.
  • When creating a security policy that is integrated with a vulnerability assessment tool, you can configure the scanner IP address as an IP address exception.
  • When setting up anomaly detection (such as for DoS, brute force, and web scraping protections), you can specify IP addresses that the system should consider legitimate (called whitelists).
  • When setting up IP address intelligence, you can add IP addresses that the system should allow even if the IP address is in the IP intelligence database.
The IP Address Exceptions list shows in one location all of the IP exceptions configured for this security policy. You can view or modify IP exceptions both from the centralized IP exception list and from the specific feature screens.
This implementation describes how to create, delete, and update the list of IP address exceptions.

Creating IP address exceptions

For each security policy, you can create a list of IP address exceptions, and indicate how you want the system to handle the traffic from these IP addresses. From the centralized IP Address Exceptions list, you can configure whitelists or blacklists to allow or block traffic from an IP address or subnet.
  1. On the Main tab, click Security > Application Security > IP Addresses > IP Address Exceptions.
     The IP Address Exceptions screen opens, and displays a centralized list of configured IP address exceptions.
  2. Click Create.
     The New IP Address Exception screen opens.
  3. In the IP Address field, type the IP address that you want the system to trust.
     To add a route domain, type %n after the IP address, where n is the route domain identification number.
  4. In the Netmask field, type the netmask of the IP address exception.
     If you omit the netmask value, the system uses a default value of 255.255.255.255. So to block the 10.10.0.0 subnet, specify 10.10.0.0 as the IP address and 255.255.0.0 as the Netmask.
  5. To consider traffic from this IP address as being safe, for the Policy Builder trusted IP setting, select Enabled.
     The system adds this IP address to the Trusted IP Addresses list on the Learning and Blocking Settings screen.
  6. To ignore this IP address when performing brute force and web scraping detection, for the Ignore in Anomaly Detection and do not collect Device ID setting, select Enabled.
     The system adds this IP address to the IP Address Whitelist setting on the anomaly detection screens for configuring brute force and web scraping.
  7. If you do not want the system to generate learning suggestions for traffic sent from this IP address, for the Ignore in Learning Suggestions setting, select Enabled.
     Application Security Manager does not generate learning suggestions for requests to which the web server returns HTTP responses with 400 or 404 status codes unless the security policy is configured to learn from and block that traffic (that is, the Ignore in Learning Suggestions check box cannot be selected, and Block this IP Address cannot be set to Never Block this IP).
  8. For Block this IP Address:
     • To never block traffic from this IP address, select Never block this IP Address.
     • To always block traffic from this IP address, select Always block this IP.
     • To block according to policy rules, select Policy Default.
  9. To disable logging for this address, enable Never log traffic from this IP Address.
     The system does not log requests or responses sent from this IP address, even if the traffic is illegal, and even if your security policy is configured to log all traffic.
  10. To consider traffic from this IP address to be legitimate even if it is found in the IP Intelligence database, for the Ignore IP Address Intelligence setting, select Enabled.
     The system adds this IP address to the IP Address Whitelist setting on the IP Address Intelligence screen.
  11. Click Create.
     The IP Address Exceptions screen opens and shows all of the exceptions configured for the security policy, including the one you created.
You can view and manage all of your IP address exceptions from the centralized IP Address Exceptions screen.
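The address, netmask and route-domain conventions from steps 3 and 4 decide which clients an exception actually covers, and step 9 makes Never log a blind spot for whatever that covers. The following added example (not F5 code; the dictionary shape, the field values and the /24 breadth threshold are constructed for illustration) parses exception entries written the way the screen expects them, tests whether a client address falls under one, and flags entries that pair a broad subnet with Never block or Never log:

```python
import ipaddress

# Constructed entries in the shape of the New IP Address Exception
# screen: "ip_address" may carry a %n route-domain suffix, "netmask"
# defaults to 255.255.255.255 when omitted, "block" holds the Block this
# IP Address choice, "never_log" mirrors Never log traffic from this IP.
DEFAULT_NETMASK = "255.255.255.255"

def parse_exception(entry):
    """Return (route_domain, IPv4Network) for one exception entry."""
    addr, _, rd = entry["ip_address"].partition("%")
    route_domain = int(rd) if rd else 0          # no %n means route domain 0
    netmask = entry.get("netmask") or DEFAULT_NETMASK
    network = ipaddress.IPv4Network((addr, netmask), strict=False)
    return route_domain, network

def matches(entry, client):
    """True if a client such as '10.10.5.7%2' falls under the entry.

    The route domain must match as well as the subnet: an exception for
    10.10.0.0%2 does not cover 10.10.5.7 in route domain 0.
    """
    client_addr, _, rd = client.partition("%")
    client_rd = int(rd) if rd else 0
    route_domain, network = parse_exception(entry)
    return client_rd == route_domain and ipaddress.IPv4Address(client_addr) in network

def audit(entries, broad_prefixlen=24):
    """Flag exceptions where a subnet wider than /24 is never blocked or never logged.

    Such entries exempt a whole range from blocking or from the logs; the
    threshold is an assumption for this example, not an ASM setting.
    """
    findings = []
    for e in entries:
        _, net = parse_exception(e)
        if net.prefixlen >= broad_prefixlen:
            continue
        if e.get("block") == "Never block this IP Address":
            findings.append((e["ip_address"], "never-block on /%d" % net.prefixlen))
        if e.get("never_log"):
            findings.append((e["ip_address"], "never-log on /%d" % net.prefixlen))
    return findings

# Constructed sample exceptions, mirroring the 10.10.0.0 / 255.255.0.0 case above.
EXCEPTIONS = [
    {"ip_address": "10.10.0.0%2", "netmask": "255.255.0.0",
     "block": "Never block this IP Address", "never_log": True},
    {"ip_address": "192.0.2.10", "block": "Always block this IP"},
    {"ip_address": "198.51.100.0", "netmask": "255.255.255.0",
     "block": "Policy Default", "never_log": False},
]
```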

Deleting IP address exceptions

If you no longer want an IP address on the exceptions list, you can delete the IP address exceptions.
  1. On the Main tab, click Security > Application Security > IP Addresses > IP Address Exceptions.
     The IP Address Exceptions screen opens, and displays a centralized list of configured IP address exceptions.
  2. Select the IP address exception you want to delete and click Delete.
     The IP address exception is deleted from the list.
  3. You can also delete IP address exceptions from the anomaly detection whitelists, the IP address intelligence whitelist, and the policy building configuration. On any of these screens, select the IP address, and click Delete.
     The system removes the IP address from the whitelist on that screen. However, the IP address remains on the IP Address Exceptions screen with the related setting changed. For example, if you deleted the IP address from an anomaly detection whitelist, the Anomaly Detection column for that IP address in the exceptions list changes from Ignore IP to Include IP.
  4. In the editing context area, click Apply Policy to put the changes into effect.

Updating IP address exceptions

You can update IP address exceptions from the centralized list of IP address exceptions.
  1. On the Main tab, click Security > Application Security > IP Addresses > IP Address Exceptions.
     The IP Address Exceptions screen opens, and displays a centralized list of configured IP address exceptions.
  2. Click the IP address of the IP address exception you want to modify.
     The IP Address Exception Properties screen opens.
  3. Change the settings as needed.
  4. Click Update.
  5. In the editing context area, click Apply Policy to put the changes into effect.