Manual Chapter: Configuring AFM IP Address Intelligence
Applies To: BIG-IP AFM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
About AFM IP intelligence
In the BIG-IP Network Firewall, you can configure policies to validate traffic against an IP intelligence database. Such traffic can be handled automatically if it originates from known-bad or questionable IP addresses. To use existing lists of known bad IPs, you can configure policies to automatically query feed lists that specify blacklist and whitelist IP address entries, and assign default classes and blacklist or whitelist behaviors to those feed lists. In addition, you can manually add an IP address to a blacklist category, or remove an IP address from a blacklist category. You can control the actions for each blacklist category by specifying such actions in a policy, and you can configure default action and default logging for each policy. Furthermore, you can configure logging and actions per category. You can apply IP Intelligence policies at the global context, to a virtual server, or on a route domain.
Downloading the IP intelligence database
The requirements for using IP Intelligence are:
- The system must have an IP Intelligence license.
- The system must have an Internet connection, either directly or through an HTTP proxy server (see the proxy configuration values below).
- The system must have DNS configured.
When an HTTP proxy server is configured, DNS configuration is not always required. However, in some cases, such as when proxy.host is defined as a host name rather than an IP address, DNS is required. IP Intelligence is enabled by default if you have a license for it. You only need to enable it if it was previously disabled.
- Log in to the command line for the BIG-IP system.
- To determine whether IP intelligence auto-update is enabled, type the following command: tmsh list sys db iprep.autoupdate. If the value of the iprep.autoupdate variable is disable, IP intelligence is not enabled. If it is enable, your task is complete. No further steps are necessary.
- If disabled, at the prompt, type tmsh modify sys db iprep.autoupdate value enable. The system downloads the IP intelligence database and stores it in the binary file /var/IpRep/F5IpRep.dat. It is updated every 5 minutes.
- If the BIG-IP system is behind a firewall, make sure that the BIG-IP system has external access to vector.brightcloud.com using port 443. That is the IP Intelligence server from which the system gets IP Intelligence information.
- If the BIG-IP system connects to the Internet using a forward proxy server, set these system database variables:
  - Type tmsh modify sys db proxy.host value hostname to specify the host name of the proxy server.
  - Type tmsh modify sys db proxy.port value port_number to specify the port number of the proxy server.
  - Type tmsh modify sys db proxy.username value username to specify the user name to log in to the proxy server.
  - Type tmsh modify sys db proxy.password value password to specify the password to log in to the proxy server.
The IP Intelligence feature remains enabled unless you disable it with the command tmsh modify sys db iprep.autoupdate value disable. You can create iRules to instruct the system how to handle traffic from IP addresses with questionable reputations, or use Application Security Manager to configure IP Intelligence blocking.
You can configure IP intelligence for Advanced Firewall Manager by assigning IP intelligence policies to the global, route domain, or virtual server context.
Blacklist categories
Along with the IP address, the IP intelligence database stores the category that explains the reason that the IP address is considered untrustworthy.
Category Name | Description |
---|---|
additional | IP addresses that are added from additional categories not more explicitly defined. |
appiq_badactors | IP addresses gathered from AppIQ central management. |
application_denial_of_service | IP addresses involved in application DoS attacks, or anomalous traffic detection. |
attacked_ips | Destination IP addresses under attack. |
botnets | IP addresses of computers that are infected with malicious software (Botnet Command and Control channels, and infected zombie machines) and are controlled as a group by a Bot master, and are now part of a botnet. Hackers can exploit botnets to send spam messages, launch various attacks, or cause target systems to behave in other unpredictable ways. |
cloud_provider_networks | IP addresses and networks that belong to cloud providers, which offer services hosted on their servers via the Internet. |
denial_of_service | IP addresses that have launched denial-of-service (DoS) attacks, distributed denial-of-service (DDoS) attacks, anomalous SYN flood attacks, or anomalous traffic detection. These attacks are usually requests for legitimate services, but occur at such a fast rate that targeted systems cannot respond quickly enough and become bogged down or unable to service legitimate clients. |
infected_sources | Active IP addresses that issue HTTP requests with a low reputation index score, or that are known malicious web sites offering or distributing malware, shell code, rootkits, worms, or viruses. |
mobile_threats | IP addresses of malicious and unwanted mobile applications. |
phishing | IP addresses that host phishing sites, and other kinds of fraud activities, such as ad click fraud or gaming fraud. |
proxy | IP addresses that are associated with web proxies that shield the originator's IP address (such as proxy and anonymization services). This category also includes TOR anonymizer addresses in versions prior to 13.1.0. |
scanners | IP addresses that are involved in reconnaissance, such as probes, host scan, domain scan, and password brute force, typically to identify vulnerabilities for later exploits. |
spam_sources | IP addresses tunneling spam messages through proxy, anomalous SMTP activities and forum spam activities. |
tor_proxy | IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator's intended destination. |
web_attacks | IP addresses involved in cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force. |
windows_exploits | Active IP addresses that have exercised various exploits against Windows resources by offering or distributing malware, shell code, rootkits, worms, or viruses using browsers, programs, downloaded files, scripts, or operating system vulnerabilities. |
About IP intelligence blacklist categories
Blacklist categories are used to categorize IP addresses by type. For example, the default category infected_sources represents the IP addresses of hosts distributing viruses, worms or malware. You can create new customized categories, or use the default AFM system blacklist categories. Once created, you can add IP addresses to a blacklist category in one of three ways:
- Single IPv4 or IPv6 addresses
- Fully Qualified Domain Names (FQDN)
- Geographic Locations
If you intend to use FQDN, you must add a DNS resolver with a forward zone entry for the FQDN. Review the next section, Creating a DNS Resolver for FQDNs. The AFM system can have up to 62 blacklist categories. Once created, blacklist categories are available for association with an IP Intelligence policy.
Create a DNS Resolver for FQDNs
You must have one or more remote DNS resolver IP addresses.
You must add a DNS Resolver object with a forward zone entry if you intend to add fully qualified domain names (FQDN) to a blacklist category.
- On the Main tab, click.
- Click Create.
- Type a unique name for the remote DNS resolver object in the Name field.
- Click Finished. The DNS Resolver object appears in the DNS Resolver List.
- Click the Name of the new DNS Resolver object.
- Click Forward Zones in the menu bar at the top of the page.
- Click Add to the far right of the page.
- In the Name field, type the name of the FQDN being added to the blacklist category. To forward requests for any FQDN, specify . (period) as the name. For example, . or site.example.com are valid zone names.
- Add one or more nameservers:
  - In the Address field, type the IPv4 or IPv6 address of the DNS nameserver that is considered authoritative for the zone.
  - Click Add. The address is added to the list.
  The order of nameservers in the configuration does not impact which nameserver the system selects to forward a query to.
- Click Finished.
You have added a DNS Resolver object to resolve a FQDN entry added to a blacklist category.
Create a blacklist category
You can create a blacklist category to configure policy-based responses to specific types of addresses. Then you can specify an address as belonging to a blacklist category so you can see the types of categories that are triggered in the logs, and so you can provide unique responses on a per-category basis.
- On the Main tab, click. The Blacklist Categories screen opens.
- Click Create to create a new IP Intelligence blacklist category.
- In the Name field, type a name for the blacklist category.
- In the Description field, type a description for the blacklist category.
- Select the Match Type for the IP intelligence category. By default, IP intelligence blacklist categories match Source only, but you can configure categories to match Source and Destination or Destination only.
- Click Finished. The list screen and the new item are displayed.
Blacklist IP addresses
You can add single IP addresses, Fully Qualified Domain Names (FQDN) or Geographic Locations to a selected blacklist category. The settings defined in an IP intelligence policy will be applied to the IP address.
- On the Main tab, click. The Blacklist Categories screen opens.
- Select the check box next to an IP intelligence category. You can select more than one IP intelligence category.
- Click the Add to Category button. The Add Entry popup screen appears.
- In the Insert field, type a single IPv4 or IPv6 address, a Geographic Location, or an FQDN.
- In the Seconds field, specify the duration for which the address should be added to the blacklist category.
- To allow the IP address to be advertised to edge routers so they will null route the traffic, select Allow Advertisements.
- Click the Add Address button. The IP address is added to the blacklist category or categories.
Remove an individual IP address from a blacklist
You can easily remove a single IP address from a blacklist manually. You do this by selecting the blacklist category, and removing the IP address.
- On the Main tab, click. The Blacklist Categories screen opens.
- Select the check box next to an IP intelligence category. You can select more than one IP intelligence category.
- Click the Delete from Category button. The Delete Entry popup screen appears.
- In the Delete (IP Address) field, type an IP address to remove from the selected blacklist category or categories.
- In the Insert (IP Address) field, type an IP address to add to the blacklist category or categories.
- Click the Delete Address button. The IP address is removed from the blacklist category or categories.
About IP Intelligence feed lists
A feed list is used to retrieve IP Address blacklists and whitelists from remote servers. Blacklists and whitelists are also referred to as feed files, and are typically located at specified URLs. A feed list can retrieve feed files using FTP, HTTP, or HTTPS protocols. If you choose the HTTPS protocol, the remote server's SSL certificate must be in the BIG-IP system's ca-bundle.crt file. Refer to article K54041205: Configure AFM IP Intelligence to validate third party Certificate Authorities at https://support.f5.com/csp/article/K54041205.
Once a feed list is created, you associate the feed list with an IP Intelligence policy. The list is then used by the policy to retrieve feed files and dynamically update the blacklist and whitelist policy.
Feed list settings
Feed lists dynamically define IP addresses that have been blacklisted or whitelisted. The IP Intelligence policy uses feed lists to dynamically filter traffic. A feed list defines the feeds that dynamically update the IP address intelligence database for your system.
Feed list setting | Description |
---|---|
URL | Select FTP, HTTP, or HTTPS, then specify the URL for the feed. Feeds are typically text files. An example for a local file might be http://172.10.1.23/feed.txt. |
List Type | Whitelist or Blacklist. Specifies the default classification for all URLs in the feed for which a category is not specified. |
Blacklist Category | Specifies a default category for the list. This is the default blacklist category for all blacklist URLs in the feed for which a category is not specified. On the BIG-IP system, you can specify a total of 62 categories; however, 9 categories are used by the IP Intelligence database. |
Poll Interval | Specifies how often the feed URL is polled for new feeds. |
Username | The user name to access the feed list file, if required. |
Password | The password to access the feed list file, if required. |
Feed URLs | In this area you can add, replace, or delete feed URLs from the feed list. |
A feed is a simple comma-separated value (CSV) file. The file contains four comma-separated values per line.
Position | Value | Definition |
---|---|---|
1 | IP Address | The IP address to be blacklisted or whitelisted. This is the only field that is required in each entry in the file. All other entries are optional. If you append a route domain with a percentage sign and the route domain number, the route domain is not used. |
2 | Network Mask | (Optional) The network mask for the IP address as a CIDR prefix length (such as 24 for 255.255.255.0). When IP 0.0.0.0 is listed in the feed without a netmask, it is treated as a wildcard IP and traffic from all sources is blocked. If traffic from the source IP 0.0.0.0 itself must be blocked, add a network mask of 32 to the blacklist entry. |
3 | Whitelist/Blacklist | (Optional) Identifies whether the IP address is a whitelist or blacklist address. You can type wl, bl, whitelist, or blacklist, with any capitalization. Leave this field blank to retain the default specified for the feed. |
4 | Category | (Optional) Type the category name for the entry. Leave this field blank to retain the default specified for the feed. |
In this feed list file example, only the first entry specifies a value for every field. The third and fourth entries, 10.10.0.12 and 10.0.0.12, will be set to blacklist or whitelist entries depending on the setting for the feed. 10.10.0.12 is specified with a category of botnets; however, if the default setting for the feed is a whitelist, this is ignored. When an IP address has both a blacklist and a whitelist entry from the configuration, the whitelist entry takes precedence. The more specific entry takes precedence, so if an entry in the feed list file specifies a setting, that setting overrules the default setting for the feed list or category.

```
10.0.0.2,32,bl,spam_sources
10.0.0.3,,wl,
10.10.0.12,,botnets
10.0.0.12,,,
10.0.0.13,,bl,
```
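The following parser is an added example, not F5's code and not part of this manual. It reads the four-field feed file format described above and applies the rules in the table: only the IP address is required, a route-domain suffix (percent sign and number) is ignored, the list type accepts wl, bl, whitelist or blacklist in any case, blank fields fall back to the feed's List Type and Blacklist Category defaults, 0.0.0.0 without a mask is a wildcard, a whitelist entry's category is ignored, and a whitelist match takes precedence over a blacklist match. One detail is an assumption of this example rather than something the page states: when several blacklist entries match an address, the longest prefix supplies the category. The sample feed is constructed from documentation address ranges; it is not the document's example, whose third line has only three fields.

```python
"""Parse an AFM-style IP Intelligence feed file and resolve an address against it.
Added example (not F5 code). Longest-prefix tie-breaking is an assumption."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Accepted spellings for field 3, compared case-insensitively.
LIST_TYPES = {"wl": "whitelist", "whitelist": "whitelist",
              "bl": "blacklist", "blacklist": "blacklist"}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class FeedEntry:
    network: Network
    list_type: str            # "whitelist" or "blacklist"
    category: Optional[str]   # None for whitelist entries (category is ignored there)
    line_no: int


def parse_feed(text: str, default_type: str, default_category: str) -> List[FeedEntry]:
    """default_type / default_category are the feed URL's List Type and Blacklist
    Category settings. Malformed lines raise ValueError naming the line."""
    entries: List[FeedEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) > 4:
            raise ValueError(f"line {line_no}: expected at most 4 fields, got {len(fields)}")
        fields += [""] * (4 - len(fields))            # pad the optional fields
        ip_text, mask, kind, category = fields
        ip_text = ip_text.split("%", 1)[0]             # route domain suffix is not used
        addr = ipaddress.ip_address(ip_text)
        if mask == "":
            if addr == ipaddress.IPv4Address("0.0.0.0"):
                network = ipaddress.ip_network("0.0.0.0/0")   # wildcard: every source
            else:
                network = ipaddress.ip_network(str(addr))      # single host
        else:
            network = ipaddress.ip_network(f"{addr}/{int(mask)}", strict=False)
        if kind == "":
            list_type = default_type
        elif kind.lower() in LIST_TYPES:
            list_type = LIST_TYPES[kind.lower()]
        else:
            raise ValueError(f"line {line_no}: unknown list type {kind!r}")
        cat = None if list_type == "whitelist" else (category or default_category)
        entries.append(FeedEntry(network, list_type, cat, line_no))
    return entries


def lookup(entries: List[FeedEntry], ip: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return ("whitelist", None), ("blacklist", category), or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    hits = [e for e in entries if addr.version == e.network.version and addr in e.network]
    if not hits:
        return None
    if any(e.list_type == "whitelist" for e in hits):
        return ("whitelist", None)                     # whitelist always wins
    best = max(hits, key=lambda e: e.network.prefixlen)  # assumption: most specific
    return ("blacklist", best.category)


# Constructed sample feed (documentation ranges), with feed defaults blacklist/botnets.
FEED_TEXT = """\
203.0.113.7,32,bl,spam_sources
198.51.100.0,24,BL,
198.51.100.40,,wl,
10.0.0.5%2,,,
2001:db8::10,128,Whitelist,
0.0.0.0,32,bl,scanners
"""

if __name__ == "__main__":
    feed = parse_feed(FEED_TEXT, "blacklist", "botnets")
    for probe in ("203.0.113.7", "198.51.100.9", "198.51.100.40", "10.0.0.5", "192.0.2.1"):
        print(probe, lookup(feed, probe))
```

Note that the last sample line blocks only 0.0.0.0 itself because it carries a /32 mask; parsing a line of just `0.0.0.0,,,` instead produces a wildcard entry that classifies every address, which is the failure mode the Network Mask row warns about.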
Create a feed list
You can add whitelist and blacklist IP addresses to your configuration automatically by setting up feeds and capturing them with a feed list.
- On the Main tab, click. The Feed Lists screen opens.
- Click Create to create a new IP Intelligence feed list.
- In the Name field, type a name for the feed list.
- Configure Feed URLs with an HTTP, HTTPS, or FTP URL, the list type, the blacklist category, and the polling interval. Specify a user name and password, if required to access the feed list. A feed URL includes the actual URL to the text file, and information about the defaults for that file. Within the feed file, however, any URL can be configured to be a whitelist or blacklist entry, and assigned to a blacklist category.
- Click the Add button to add a feed URL to the feed list.
- Click Finished. The list screen and the new item are displayed.
Configuring and assigning IP intelligence policies
An IP intelligence policy combines feed lists, default actions, logging settings, and actions for blacklist categories into a container that you can apply to a virtual server or route domain.
Create a policy to check addresses against IP Intelligence
You can verify IP addresses against the preconfigured IP Intelligence database, and against IPs from your own feed lists, by creating an IP Intelligence policy.
- On the Main tab, click. The IP Intelligence Policies screen opens.
- Click Create to create a new IP Intelligence policy.
- In the Name field, type a name for the IP intelligence policy.
- To add feed lists to the policy, click the name of an Available feed list, and then add it to the Selected list.
- For Default Action, set the default action for the IP intelligence policy as a whole.
  - Select Accept to allow packets from categorized addresses that have no action applied on the feed list.
  - Select Drop to drop packets from categorized addresses that have no action applied on the feed list.
  The default action applies to addresses that are not assigned a blacklist category in the feed list. The IP Intelligence feature uses the action specified in a feed list entry, when available.
- Set Default Log Actions for the IP intelligence policy as a whole.
  - Log Whitelist Overrides logs only whitelist matches that override blacklist matches.
  - Log Blacklist Category Matches logs IP addresses that match blacklist categories.
  - Select both Log Blacklist Category Matches and Log Whitelist Overrides to log all blacklist matches, and all whitelist matches that override blacklist matches.
  Whitelist matches always override blacklist matches.
- To customize default actions and logging for any of the blacklist categories, specify default actions in the Blacklist Matching Policy setting. The default action for a blacklist category is always Reject. For each category that you want to customize:
  - From the Blacklist Category list, select a category.
  - For Action, select Use Policy Default to use the default action for this policy; select Drop to drop packets from sources of the specified type, as identified by the IP address intelligence database; or select Accept to allow packets in this category.
  - For Log Blacklist Category Matches, select Use Policy Default to use the default log action for blacklist matches; Yes affords visibility into blacklist matches and logs all packets, but provides no hardware acceleration data; Limited logs statistics every 256 packets and includes hardware acceleration; No does not log blacklist matches but provides the highest performance with hardware acceleration. Hardware acceleration in IP Intelligence (IPI) is only applicable for source IPs and not applicable for destination IPs.
  - For Log Whitelist Overrides, select Use Policy Default to use the default log action for whitelist overrides; select Yes or No to override the default action.
  - For Match Override, select the matching criteria that overrides a blacklist match. You can require a source match, a destination match, or both a source and destination match to override a blacklist match with a whitelist.
  - Click Add to add the custom defaults for the category. You can also select Replace to replace the defaults for a category.
  - Repeat these steps for any category for which you want to customize default actions.
  The custom categories are listed at the bottom. You can select and delete them if things change.
- Click Finished.
You created an IP intelligence policy. Next, it needs to be assigned globally to the BIG-IP system, to a specific virtual server, or a route domain so that it is applied to the correct traffic.
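To make the interaction of Default Action, per-category Action, category Match Type and Match Override concrete, here is an added example that models those settings for a single packet. It is a reading of the text above, written for this page and not F5's implementation, and it makes three assumptions the page does not state: a category whose Match Type is Source and Destination matches when either side of the packet is listed, traffic that matches no blacklist category passes the policy, and when several categories match, a Drop from any of them wins over an Accept. All addresses in the sample configuration are constructed documentation ranges.

```python
"""Model of how IP Intelligence policy settings combine for one packet.
Added example (not F5 code); see the lead-in for the assumptions it makes."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SOURCE, DESTINATION, BOTH = "source", "destination", "source_and_destination"
USE_POLICY_DEFAULT, DROP, ACCEPT = "use_policy_default", "drop", "accept"


def _hits(networks: List[str], src, dst) -> Tuple[bool, bool]:
    """Whether the source and/or destination address falls inside any listed network."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return any(src in n for n in nets), any(dst in n for n in nets)


@dataclass
class Category:
    """A blacklist category, its Match Type, and the networks assigned to it."""
    name: str
    match_type: str = SOURCE          # categories match Source only by default
    networks: List[str] = field(default_factory=list)

    def matches(self, src, dst) -> bool:
        src_hit, dst_hit = _hits(self.networks, src, dst)
        if self.match_type == SOURCE:
            return src_hit
        if self.match_type == DESTINATION:
            return dst_hit
        return src_hit or dst_hit     # assumption: Source and Destination = either side


@dataclass
class Policy:
    """Default Action, per-category Action overrides, whitelist and Match Override."""
    default_action: str                                      # DROP or ACCEPT
    actions: Dict[str, str] = field(default_factory=dict)    # category -> Action
    match_override: str = SOURCE     # side(s) a whitelist entry must match to override
    whitelist: List[str] = field(default_factory=list)


def whitelist_overrides(policy: Policy, src, dst) -> bool:
    """Match Override: require a source match, a destination match, or both."""
    src_hit, dst_hit = _hits(policy.whitelist, src, dst)
    if policy.match_override == SOURCE:
        return src_hit
    if policy.match_override == DESTINATION:
        return dst_hit
    return src_hit and dst_hit


def evaluate(policy: Policy, categories: List[Category],
             src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matched = [c.name for c in categories if c.matches(src, dst)]
    if not matched:
        return ACCEPT, "no blacklist category matched"      # assumption, see lead-in
    if whitelist_overrides(policy, src, dst):
        return ACCEPT, "whitelist override of " + ",".join(matched)  # whitelist always wins
    resolved = []
    for name in matched:
        action = policy.actions.get(name, USE_POLICY_DEFAULT)
        resolved.append(policy.default_action if action == USE_POLICY_DEFAULT else action)
    verdict = DROP if DROP in resolved else ACCEPT          # assumption: Drop wins
    return verdict, "blacklist match: " + ",".join(matched)


# Constructed sample configuration (documentation ranges, not real threat data).
CATEGORIES = [
    Category("botnets", SOURCE, ["198.51.100.0/24"]),
    Category("scanners", SOURCE, ["203.0.113.5/32"]),
    Category("attacked_ips", DESTINATION, ["192.0.2.10/32"]),
]
POLICY = Policy(default_action=DROP,
                actions={"scanners": ACCEPT},    # per-category Accept beats the default
                match_override=SOURCE,
                whitelist=["198.51.100.77/32"])

if __name__ == "__main__":
    for s, d in [("198.51.100.9", "192.0.2.1"), ("203.0.113.5", "192.0.2.1"),
                 ("198.51.100.77", "192.0.2.1"), ("10.0.0.1", "192.0.2.10")]:
        print(s, "->", d, evaluate(POLICY, CATEGORIES, s, d))
```

The whitelisted host 198.51.100.77 sits inside the botnets range, so the sample shows the override path the Log Whitelist Overrides setting would record; changing match_override to BOTH makes that override fail, because the destination is not whitelisted, and the packet is dropped under the policy default.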
Assign a global IP Intelligence policy
You can assign an IP Intelligence policy globally, to apply blacklist and whitelist matching actions and logging to all traffic.
- On the Main tab, click. The IP Intelligence Policies screen opens.
- From the Global Policy list, select the IP Intelligence policy to apply to all traffic on the BIG-IP system.
- Click Update. The list screen and the updated item are displayed.
The specified IP Intelligence policy is applied to all traffic.
Assign an IP Intelligence policy to a virtual server
You can assign an IP Intelligence policy to a virtual server, to apply blacklist and whitelist matching actions and logging to traffic on that virtual server only.
- On the Main tab, click. The Virtual Server List screen opens.
- Click the name of the virtual server you want to modify.
- On the menu bar, from the Security menu, choose Policies.
- Next to IP Intelligence, select Enabled, then select the IP intelligence policy to apply to traffic on the virtual server.
- Click Update. The list screen and the updated item are displayed.
The specified IP Intelligence policy is applied to traffic on the selected virtual server.
Assign an IP Intelligence policy to a route domain
You can assign an IP Intelligence policy to a route domain, to apply blacklist and whitelist matching actions and logging to route domain traffic.
- On the Main tab, click. The Route Domain List screen opens.
- In the Name column, click the name of the relevant route domain.
- From the IP Intelligence Policy list, select an IP Intelligence policy to enforce on this route domain.
- Click Update. The system displays the list of route domains on the BIG-IP system.
The specified IP Intelligence policy is applied to traffic on the route domain.