Manual Chapter : AFM IP Intelligence
Applies To:
- 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
AFM IP Intelligence
Overview: IP Intelligence
All network traffic has a source IP address, and the BIG-IP AFM IP Intelligence feature uses lists of IP addresses, known as feed lists, to either reject (blacklist) or accept (whitelist) incoming network traffic based on source IP address. AFM IP Intelligence can use two types of feed lists:
- Webroot BrightCloud - a subscription-based service that requires an additional F5 add-on license.
- Custom feed list - a list of source IP addresses maintained on a remote server.
About feed lists and feed files
If you are not planning to use the BrightCloud subscription-based service, you can configure custom feed lists to allow or deny remote clients based on their source IP address. Feed lists pull feed files from remote systems and are then referenced by an IP Intelligence policy. You should familiarize yourself with how feed lists and feed files work together.
Feed files are simple text files, created and updated on a remote HTTP/S or FTP server. Feed files contain four comma-separated directives, and only one, the IP address, is required. This table describes the four comma-separated directives.
Whitelist or Blacklist
This is an example feed file.
10.10.10.2,32,bl,spam_sources
10.10.11.0,24,wl,
10.10.12.3,,bl,botnets
10.0.0.12,,,
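A check that can be run on a feed file before it is published to the remote server, as an added example (not F5 code): it parses each line into the four directives and reports malformed entries, very broad masks, and whitelist entries. It assumes IPv4 addresses, exactly four comma-separated fields per line, and only the bl/wl tokens, as in the example above; the function names and the min_prefix threshold are chosen here for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed sample: the four entries from the example feed file on this
# page, followed by three constructed lines that exercise the checks.
SAMPLE_FEED = """\
10.10.10.2,32,bl,spam_sources
10.10.11.0,24,wl,
10.10.12.3,,bl,botnets
10.0.0.12,,,
10.10.13.0,33,bl,spam_sources
not-an-ip,,bl,
10.0.0.0,8,bl,
"""

# An optional field left empty in the file is stored as None.
Entry = namedtuple("Entry", "address prefix list_type category")

def parse_line(line):
    """Parse one feed-file line; raise ValueError if it is malformed."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 4:  # assumption: all three commas are always present
        raise ValueError(f"expected 4 comma-separated fields, got {len(fields)}")
    addr_s, mask_s, type_s, cat_s = fields
    addr = ipaddress.IPv4Address(addr_s)  # raises ValueError on a bad address
    prefix = int(mask_s) if mask_s.isdigit() else None
    if mask_s and (prefix is None or prefix > 32):
        raise ValueError(f"mask {mask_s!r} is not in the range 0-32")
    if type_s and type_s not in ("bl", "wl"):  # assumption: only these tokens
        raise ValueError(f"unknown list type {type_s!r}")
    return Entry(str(addr), prefix, type_s or None, cat_s or None)

def validate_feed(text, min_prefix=16):
    """Return (entries, errors, warnings); the last two carry line numbers."""
    entries, errors, warnings = [], [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # ignore blank lines
        try:
            entry = parse_line(raw)
        except ValueError as exc:
            errors.append((n, str(exc)))
            continue
        entries.append(entry)
        if entry.prefix is not None and entry.prefix < min_prefix:
            warnings.append((n, f"/{entry.prefix} matches a very large range"))
        if entry.list_type == "wl":
            warnings.append((n, "whitelist entry, confirm it is intended"))
    return entries, errors, warnings
```

Empty optional fields are kept as None rather than given a default, because the IP Intelligence policy can override the directives in the feed file.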
Feed lists are configuration objects on the BIG-IP AFM system used to obtain feed files from remote systems using either HTTP or FTP. When creating a new feed list object, you define the remote server and URL containing the feed file. You can also define a polling interval that determines how often the AFM system will obtain an updated feed file. One or more feed lists can then be used later when creating or modifying IP Intelligence policies.
AFM IP Intelligence policies
BIG-IP AFM IP Intelligence policies are configuration objects that reference one or more feed lists and define an action, such as drop or accept, when a match occurs. IP Intelligence policies can be applied to either the global, route domain, or virtual server contexts, and perform these functions:
- Reference one or more feed lists.
- Specify an action when a match is made: Accept or Deny.
- Override the directives in the feed file.
- Enable or disable logging when a packet match is made.
- Apply to either the global or virtual server contexts.
Creating an AFM IP Intelligence policy
In this scenario, you create a remote feed list and apply a new IP Intelligence policy to the global context, blacklisting a single IP address.
Creating and applying a new IP Intelligence policy involves several tasks.
- Create the feed file.
- Create a custom feed list category.
- Create the IP Intelligence feed list.
- Create the IP Intelligence policy.
- Apply the IP Intelligence policy.
Create the feed file
Before you start this task, you need a remote HTTP/S or FTP server that is accessible by the BIG-IP AFM system to store the feed file.
You can create a feed file that contains one or more IP addresses on a remote HTTP or FTP server. This example task shows how to create a new feed file with a single IP address entry.
- In an accessible directory on an HTTP or FTP server, create a new file named feed_list1.
- The file should contain one entry, for example 10.10.10.1,32,bl,.
- Save the file to the file system.
A new feed file now exists on the remote server.
Next, you probably want to create a custom feed list category and feed list to identify and obtain the feed file.
Create a custom feed list category
BIG-IP AFM provides a number of standard feed list categories, such as botnets, scanners, and phishing. In this task, you create a custom feed list category to identify the custom feed file.
- On the Main tab, click. Although this screen is named Blacklist Categories, it can also be used to create whitelists.
- At the far right, click Create.
- In the Name field, type a unique name for the custom feed file. For this example, type spam_attacks.
- Ensure that the Match Type is set to Source.
The new custom category is now listed under Blacklist Category.
Next, you create a new IP Intelligence feed list that obtains the feed file.
Create the IP Intelligence feed list
To complete this task, you must first have a feed file on a remote HTTP/S or FTP server that is accessible to the BIG-IP AFM system.
Feed list objects contain information about the remote server such as connection protocol, feed file name, feed list category, and the polling interval for retrieving updated information. In this task, you create a new IP Intelligence feed list and obtain the feed file.
- On the Main tab, click.
- On the far right of the page, click Create.
- In the Name field, type a unique name for the feed list. For this example, type corp_feedlist.
- In the Feed List Properties area, for Feed URLs, type a name for the feed file. For this example, type custom_spam_sources.
- From the URL protocol list, select HTTP, HTTPS, or FTP. For this example, select HTTP.
- In the URL field, type the full URL path to the feed file. For this example, type http://192.168.10.100/feeds/corp_feed_file.txt.
- Below Password, click Add.
A new feed list now exists on the Feed Lists screen.
Next, you might want to create an IP Intelligence policy that references the new feed list.
Create the IP Intelligence policy
IP Intelligence policies are containers for one or more feed lists and are applied to either the device level or virtual servers. This task shows how to create a new IP Intelligence policy that references the new feed list.
- On the Main tab, click.
- In the Name field, type a unique name for the IP Intelligence policy. For this example, type corp_policy.
- For Feed Lists, select the new feed list in the Available box and move it to the Selected box. For this example, select and move custom_spam_sources.
- Ensure that the Default Action is set to Drop.
- For the Blacklist Matching Policy setting, set the Blacklist Category to spam_attacks.
The new policy is now listed in the IP Intelligence policy list.
The final task in this scenario is to apply the IP Intelligence policy to the AFM system global context.
Apply the IP Intelligence policy
You can apply IP Intelligence policies to the global or virtual server contexts. This task shows how to apply the new IP Intelligence policy to the AFM system's global context.
- On the Main tab, click.
- From the IP Intelligence policy list, select the new IP Intelligence policy. For this example, select corp_policy.
This applies the IP Intelligence policy blocking a single IP address to the AFM system's global context.