Manual Chapter : AFM IP Intelligence

Applies To:

BIG-IP AFM

  • 15.0.0

Overview: IP Intelligence

All network traffic has a source IP address, and the BIG-IP AFM IP Intelligence feature uses lists of IP addresses, known as feed lists, to either reject (blacklist) or accept (whitelist) incoming network traffic based on source IP address. AFM IP Intelligence can use two types of feed lists:
  • Webroot BrightCloud - a subscription-based service that requires an additional F5 add-on license.
  • Custom feed list - a list of source IP addresses maintained on a remote server.

About feed lists and feed files

If you are not planning to use the BrightCloud subscription-based service, you can configure custom feed lists to allow or deny remote clients based on their source IP address. Feed lists pull feed files from remote systems and are then referenced by an IP Intelligence policy. You should familiarize yourself with how feed lists and feed files work together.

Feed Files

Feed files are simple text files, created and updated on a remote HTTP/S or FTP server. Feed files contain four comma-separated directives, and only one, the IP address, is required. This table describes the four comma-separated directives.
    Position  Entry
    1         IP Address
    2         Network Mask
    3         Whitelist or Blacklist
    4         Category
This is an example feed file.
    10.10.10.2,32,bl,spam_sources
    10.10.11.0,24,wl,
    10.10.12.3,,bl,botnets
    10.0.0.12,,,
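A feed file can be checked against the four-directive format before it is published to the server that AFM polls. The following is an added example, not F5 code: the names `FeedEntry`, `parse_feed` and the `min_wl_mask` threshold are hypothetical, omitted directives are reported as `None` rather than assigned a default, and any address Python's `ipaddress` module parses is accepted.

```python
import ipaddress
from typing import NamedTuple, Optional

class FeedEntry(NamedTuple):
    address: str               # position 1, required
    mask: Optional[int]        # position 2, None when omitted
    list_type: Optional[str]   # position 3: "bl" or "wl", None when omitted
    category: Optional[str]    # position 4, None when omitted

def parse_feed(text, min_wl_mask=16):
    # min_wl_mask is a hypothetical local review threshold, not an AFM setting.
    entries, problems = [], []   # problems: (line number, message) pairs
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split(",")]
        if len(fields) > 4:
            problems.append((lineno, "more than four directives"))
            continue
        addr, mask, list_type, category = fields + [""] * (4 - len(fields))
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append((lineno, f"invalid IP address {addr!r}"))
            continue
        mask_val = None
        if mask:
            if not (mask.isascii() and mask.isdigit()) or int(mask) > ip.max_prefixlen:
                problems.append((lineno, f"invalid network mask {mask!r}"))
                continue
            mask_val = int(mask)
        if list_type not in ("", "bl", "wl"):
            problems.append((lineno, f"unknown list type {list_type!r}"))
            continue
        if list_type == "wl" and mask_val is not None and mask_val < min_wl_mask:
            # Warning only: the entry is kept, but a short whitelist mask needs review.
            problems.append((lineno, f"whitelist /{mask_val} accepts a wide range"))
        entries.append(FeedEntry(addr, mask_val, list_type or None, category or None))
    return entries, problems

# The page's four sample entries followed by three constructed problem lines.
SAMPLE = """10.10.10.2,32,bl,spam_sources
10.10.11.0,24,wl,
10.10.12.3,,bl,botnets
10.0.0.12,,,
10.10.300.1,32,bl,
10.20.0.0,33,bl,
10.0.0.0,8,wl,
"""
```

Calling `parse_feed(SAMPLE)` returns the accepted entries and a list of `(line number, message)` problems, which makes it suitable as a pre-publish check on the feed server.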

Feed Lists

Feed lists are configuration objects on the BIG-IP AFM system used to obtain feed files from remote systems using either HTTP or FTP. When creating a new feed list object, you define the remote server and URL containing the feed file. You can also define a polling interval that determines how often the AFM system will obtain an updated feed file. One or more feed lists can then be used later when creating or modifying IP Intelligence policies.

AFM IP Intelligence policies

BIG-IP AFM IP Intelligence policies are configuration objects that reference one or more feed lists and define an action, such as drop or accept, when a match occurs. IP Intelligence policies can be applied to either the global, route domain, or virtual server contexts, and perform these functions:
  • Reference one or more feed lists.
  • Specify an action when a match is made: Accept or Deny.
  • Override the directives in the feed file.
  • Enable or disable logging when a packet match is made.
  • Apply to either the global or virtual server contexts.

Creating an AFM IP Intelligence policy

In this scenario, you create a remote feed list and apply a new IP Intelligence policy to the global context, blacklisting a single IP address: 10.10.10.1.
Creating and applying a new IP Intelligence policy involves several tasks.

Task list

  1. Create the feed file.
  2. Create a custom feed list category.
  3. Create the IP Intelligence feed list.
  4. Create the IP Intelligence policy.
  5. Apply the IP Intelligence policy.

Create the feed file

Before you start this task, you need a remote HTTP/S or FTP server that is accessible by the BIG-IP AFM system to store the feed file.
You can create a feed file that contains one or more IP addresses on a remote HTTP or FTP server. This example task shows how to create a new feed file with a single IP address entry.
  1. In an accessible directory on an HTTP or FTP server, create a new file named feed_list1.
  2. The file should contain one entry, for example:
    10.10.10.1,32,bl,
  3. Save the file to the file system.
A new feed file now exists on the remote server.
Next, you probably want to create a custom feed list category and feed list to identify and obtain the feed file.

Create a custom feed list category

BIG-IP AFM provides a number of standard feed list categories, such as botnets, scanners, and phishing. In this task, you create a custom feed list category to identify the custom feed file.
  1. On the Main tab, click Security > Network Firewall > IP Intelligence > Blacklist Categories.
    Although this screen is named Blacklist Categories, it can also be used to create whitelists.
  2. At the far right, click Create.
  3. In the Name field, type a unique name for the custom feed file.
    For this example, type spam_attacks.
  4. Ensure that the Match Type is set to Source.
  5. Click Finished.
The new custom category is now listed under Blacklist Category.
Next, you create a new IP Intelligence feed list that obtains the feed file.

Create the IP Intelligence feed list

To complete this task, you must first have a feed file on a remote HTTP/S or FTP server that is accessible to the BIG-IP AFM system.
Feed list objects contain information about the remote server such as connection protocol, feed file name, feed list category, and the polling interval for retrieving updated information. In this task, you create a new IP Intelligence feed list and obtain the feed file.
  1. On the Main tab, click Security > Network Firewall > IP Intelligence > Feed Lists.
  2. On the far right of the page, click Create.
  3. In the Name field, type a unique name for the feed list.
    For this example, type corp_feedlist.
  4. In the Feed List Properties area, for Feed URLs, type a name for the feed file.
    For this example, type custom_spam_sources.
  5. From the URL protocol list, select HTTP, HTTPS, or FTP.
    For this example, select HTTP.
  6. In the URL field, type the full URL path to the feed file.
    For this example, type http://192.168.10.100/feeds/corp_feed_file.txt.
  7. Below Password, click Add.
  8. Click Finished.
A new feed list now exists on the Feed Lists screen.
Next, you might want to create an IP Intelligence policy that references the new feed list.

Create the IP Intelligence policy

IP Intelligence policies are containers for one or more feed lists and are applied to either the device level or virtual servers. This task shows how to create a new IP Intelligence policy that references the new feed list.
  1. On the Main tab, click Security > Network Firewall > IP Intelligence > Policies.
  2. Click Create.
  3. In the Name field, type a unique name for the IP Intelligence policy.
    For this example, type corp_policy.
  4. For Feed Lists, select the new feed list in the Available box and move it to the Selected box.
    For this example, select and move custom_spam_sources.
  5. Ensure that the Default Action is set to Drop.
  6. For the Blacklist Matching Policy setting, set the Blacklist Category to spam_attacks.
  7. Click Add.
  8. Click Finished.
The new policy is now listed in the IP Intelligence policy list.
The final task in this scenario is to apply the IP Intelligence policy to the AFM system global context.

Apply the IP Intelligence policy

You can apply IP Intelligence policies to the global or virtual server contexts. This task shows how to apply the new IP Intelligence policy to the AFM system's global context.
  1. On the Main tab, click Security > Network Firewall > IP Intelligence.
  2. From the IP Intelligence policy list, select the new IP Intelligence policy.
    For this example, select corp_policy.
  3. Click Update.
This applies the IP Intelligence policy blocking a single IP address to the AFM system's global context.