F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IQ Centralized Management: Security
  3. Managing IP Intelligence Settings
Manual Chapter : Managing IP Intelligence Settings

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 6.0.1
Manual Chapter

Managing IP Intelligence Settings

Overview of IP intelligence settings

In a network firewall, you can configure IP intelligence policies to check traffic against an IP intelligence database. Such traffic can be handled automatically if it originates from known-bad or questionable IP addresses.
You can dynamically adjust the blacklists and whitelists used in the policy by creating feed lists. A
feed list
 retrieves blacklists and whitelists from specified URLs. You can also set up blacklist matching criteria within the IP intelligence policy, and you may create additional blacklist categories to use in the matching criteria.
You can use global IP intelligence policies to select options that will be used for all your IP intelligence policies.
BIG-IQ® Centralized Management supports the IP Intelligence feature in BIG-IP® versions 12.0 or later.

Create blacklist categories

You create blacklist categories to use when matching blacklists in an IP intelligence policy when existing categories are insufficient. The blacklist category groups related untrustworthy IP addresses.
  1. Click
    Configuration
    SECURITY
    Shared Security
    IP Intelligence
    Blacklist Categories
    .
  2. On the Blacklist Categories screen, click
    Create
    .
  3. In the
    Category Name
     field, type the name of the category.
    You cannot change this when modifying a category.
  4. In the
    Description
     field, type a description of the category.
  5. In the
    Match Type
     setting, specify the criteria that defines a blacklist match.
    You can require a source match, a destination match, or both a source and destination match.
    • Select
      Both Source and Destination
       to require that both the source and the destination match the blacklist.
    • Select
      Destination
       to have the destination only match the blacklist.
    • Select
      Source
       to have the source only match the blacklist.
  6. Save your work.
You can now use this blacklist category in an IP intelligence policy.

Create feed lists

You create feed lists containing URLs to dynamically adjust the blacklists and whitelists in an IP intelligence policy to allow more automatic handling of those lists.
  1. Click
    Configuration
    SECURITY
    Shared Security
    IP Intelligence
    Feed Lists
    .
  2. On the Feed Lists screen, click
    Create
    .
  3. In the
    Name
     field, type a unique name for the feed list.
  4. In the
    Description
     field, type an optional description for the feed list.
  5. In the
    Partition
     setting, the default is
    Common
    . Type a different partition if needed.
  6. In the Feed URLs area, click
    Create
     to create a feed URL and add it to the feed list.
    The Feed URL properties screen opens. You may want to add multiple feed URLs to the feed list.
  7. In the
    Name
     field, type a name for the feed URL.
  8. In the
    URL
     field, type the URL for the feed.
  9. For the
    List Type
     setting, select the list type to specify whether the list is by default a whitelist or blacklist. This applies only to items on the list that are not specified as blacklist or whitelist items.
  10. For the
    Blacklist Category
     setting, select a default category for the list.
  11. In the
    Poll Interval
     field, type a number that specifies how often the feed URL is polled for new feeds, in seconds.
    The default value is 300, which is the minimum.
  12. In the
    Username
     field, type a user name used to access the feed list file, if required.
  13. In the
    Password
     field, type a password used to access the feed list file, if required.
    In some cases, the value of the Password setting may be falsely displayed as changed when performing an evaluation prior to a deployment. This is due to encryption salt changes, and you can ignore it.
  14. If the
    Password
     setting is used, in the
    Confirm Password
     field, type the password again to confirm it.
  15. Click
    OK
     to save the changes to the feed URL.
  16. Continue to add or change the feed URLs in the feed list until it is complete.
  17. Save your work.
You can now create and add more feed URLs to the feed list or add the feed list to an IP intelligence policy.

Create IP intelligence policies

You create an IP intelligence policy to check traffic against an IP intelligence database and determine whether to allow it.
  1. Click
    Configuration
    SECURITY
    Shared Security
    IP Intelligence
    IP Intelligence Policies
    .
  2. In the IP Intelligence Policies screen, click
    Create
    .
    The IP Intelligence Policy Properties screen opens.
  3. In the
    Name
     setting, type a unique name for the policy.
  4. In the
    Description
     setting, type an optional description.
  5. The
    Partition
     setting shows the default,
    Common
    , but you can type a different partition if needed.
  6. In the
    Feed Lists
     setting, specify the feed lists to be used in the policy.
  7. For the
    Default Action
    setting, specify the default action that the policy takes on identified blacklist items (for which no action is specified).
  8. In the
    Default Log Actions
     setting, specify what actions to log by default.
    1. In the
      Log Whitelist Overrides
       setting, select whether to log whitelist overrides.
    2. In the
      Log Blacklist Category Matches
       setting, select whether to log blacklist category matches.
  9. Click
    Save
     to save your work before creating a black list matching policy.
  10. In the Blacklist Matching Policies area, click
    Create
     to create a new blacklist matching policy for the IP intelligence policy.
    The blacklist matching policy properties screen opens, which has the same name as the IP intelligence policy.
  11. For the
    Blacklist Categories
     setting, select the category for which you are configuring settings in this policy.
  12. For the
    Action
     setting, select the action for this policy.
    • Select
      Use Policy Default
       to use the default action for this policy.
    • Select
      Drop
       for the policy to use the drop action.
    • Select
      Accept
       for the policy to use the accept action.
  13. For the
    Log Blacklist Category Matches
     setting, select the log action for this policy.
    • Select
      Use Policy Default
       to use the default log action for logging blacklist category matches.
    • Select
      Yes
       to override the default action and enable logging of blacklist category matches.
    • Select
      No
       to override the default log action, and disable logging of blacklist category matches.
    • Select
      Limited
       to override the default action and enable limited logging of blacklist category matches.
  14. For the
    Log Whitelist Overrides
     setting, select
    Use Policy Default
     to use the default log action for whitelist overrides. Select
    Yes
     or
    No
     to override the default action.
    • Select
      Use Policy Default
       to use the default log action for logging whitelist overrides.
    • Select
      Yes
       to override the default action and enable logging of whitelist overrides.
    • Select
      No
       to override the default log action, and disable logging of whitelist overrides.
  15. For the
    Match Override
     setting, specify the matching criteria that overrides a blacklist match.
    You can require a source match, a destination match, or both a source and destination match to override a blacklist match with a whitelist (
    Match Source and Destination
    ,
    Match Source
    , or
    Match Destination
    ).
  16. Click
    OK
     to save your work on the blacklist matching policy
    The screen closes and the blacklist matching policy you created is listed on the IP intelligence policy screen.
  17. Save your work on the IP intelligence policy.

Configure the global IP intelligence policy

You can configure an IP Intelligence policy to be used globally to apply blacklist and whitelist matching actions and logging to all traffic on the BIG-IP device.
  1. Click
    Configuration
    SECURITY
    Shared Security
    IP Intelligence
    Global Policies
    .
  2. Click the name of the BIG-IP device on which to use the global IP intelligence policy.
  3. In the
    Description
     field, type a description for the global IP intelligence policy.
  4. In the
    IP Intelligence Policy
     setting, select the policy to use as the global IP intelligence policy.
    The default policy is
    Common/ip-intelligence
    .
  5. Save your work.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information