Manual Chapter : Managing IP Intelligence Settings
Applies To:Show Versions
BIG-IQ Centralized Management
Managing IP Intelligence Settings
Overview of IP intelligence settings
In a network firewall, you can configure IP intelligence policies to check traffic against an IP intelligence database. Such traffic can be handled automatically if it originates from known-bad or questionable IP addresses.
You can dynamically adjust the blacklists and whitelists used in the policy by creating feed lists. A
feed listretrieves blacklists and whitelists from specified URLs. You can also set up blacklist matching criteria within the IP intelligence policy, and you may create additional blacklist categories to use in the matching criteria.
You can use global IP intelligence policies to select options that will be used for all your IP intelligence policies.
BIG-IQ® Centralized Management supports the IP Intelligence feature in BIG-IP® versions 12.0 or later.
Create blacklist categories
You create blacklist categories to use when matching blacklists in an IP intelligence policy when existing categories are insufficient. The blacklist category groups related untrustworthy IP addresses.
- On the Blacklist Categories screen, clickCreate.
- In theCategory Namefield, type the name of the category.You cannot change this when modifying a category.
- In theDescriptionfield, type a description of the category.
- In theMatch Typesetting, specify the criteria that defines a blacklist match.You can require a source match, a destination match, or both a source and destination match.
- SelectBoth Source and Destinationto require that both the source and the destination match the blacklist.
- SelectDestinationto have the destination only match the blacklist.
- SelectSourceto have the source only match the blacklist.
- Save your work.
You can now use this blacklist category in an IP intelligence policy.
Create feed lists
You create feed lists containing URLs to dynamically adjust the blacklists and whitelists in an IP intelligence policy to allow more automatic handling of those lists.
- On the Feed Lists screen, clickCreate.
- In theNamefield, type a unique name for the feed list.
- In theDescriptionfield, type an optional description for the feed list.
- In thePartitionsetting, the default isCommon. Type a different partition if needed.
- In the Feed URLs area, clickCreateto create a feed URL and add it to the feed list.The Feed URL properties screen opens. You may want to add multiple feed URLs to the feed list.
- In theNamefield, type a name for the feed URL.
- In theURLfield, type the URL for the feed.
- For theList Typesetting, select the list type to specify whether the list is by default a whitelist or blacklist. This applies only to items on the list that are not specified as blacklist or whitelist items.
- For theBlacklist Categorysetting, select a default category for the list.
- In thePoll Intervalfield, type a number that specifies how often the feed URL is polled for new feeds, in seconds.The default value is 300, which is the minimum.
- In theUsernamefield, type a user name used to access the feed list file, if required.
- In thePasswordfield, type a password used to access the feed list file, if required.In some cases, the value of the Password setting may be falsely displayed as changed when performing an evaluation prior to a deployment. This is due to encryption salt changes, and you can ignore it.
- If thePasswordsetting is used, in theConfirm Passwordfield, type the password again to confirm it.
- ClickOKto save the changes to the feed URL.
- Continue to add or change the feed URLs in the feed list until it is complete.
- Save your work.
You can now create and add more feed URLs to the feed list or add the feed list to an IP intelligence policy.
Create IP intelligence policies
You create an IP intelligence policy to check traffic against an IP intelligence database and determine whether to allow it.
- In the IP Intelligence Policies screen, clickCreate.The IP Intelligence Policy Properties screen opens.
- In theNamesetting, type a unique name for the policy.
- In theDescriptionsetting, type an optional description.
- ThePartitionsetting shows the default,Common, but you can type a different partition if needed.
- In theFeed Listssetting, specify the feed lists to be used in the policy.
- For theDefault Actionsetting, specify the default action that the policy takes on identified blacklist items (for which no action is specified).
- In theDefault Log Actionssetting, specify what actions to log by default.
- In theLog Whitelist Overridessetting, select whether to log whitelist overrides.
- In theLog Blacklist Category Matchessetting, select whether to log blacklist category matches.
- ClickSaveto save your work before creating a black list matching policy.
- In the Blacklist Matching Policies area, clickCreateto create a new blacklist matching policy for the IP intelligence policy.The blacklist matching policy properties screen opens, which has the same name as the IP intelligence policy.
- For theBlacklist Categoriessetting, select the category for which you are configuring settings in this policy.
- For theActionsetting, select the action for this policy.
- SelectUse Policy Defaultto use the default action for this policy.
- SelectDropfor the policy to use the drop action.
- SelectAcceptfor the policy to use the accept action.
- For theLog Blacklist Category Matchessetting, select the log action for this policy.
- SelectUse Policy Defaultto use the default log action for logging blacklist category matches.
- SelectYesto override the default action and enable logging of blacklist category matches.
- SelectNoto override the default log action, and disable logging of blacklist category matches.
- SelectLimitedto override the default action and enable limited logging of blacklist category matches.
- For theLog Whitelist Overridessetting, selectUse Policy Defaultto use the default log action for whitelist overrides. SelectYesorNoto override the default action.
- SelectUse Policy Defaultto use the default log action for logging whitelist overrides.
- SelectYesto override the default action and enable logging of whitelist overrides.
- SelectNoto override the default log action, and disable logging of whitelist overrides.
- For theMatch Overridesetting, specify the matching criteria that overrides a blacklist match.You can require a source match, a destination match, or both a source and destination match to override a blacklist match with a whitelist (Match Source and Destination,Match Source, orMatch Destination).
- ClickOKto save your work on the blacklist matching policyThe screen closes and the blacklist matching policy you created is listed on the IP intelligence policy screen.
- Save your work on the IP intelligence policy.
Configure the global IP intelligence
You can configure an IP Intelligence policy to be used globally to apply blacklist and whitelist matching actions and logging to all traffic on the BIG-IP device.
- Click the name of the BIG-IP device on which to use the global IP intelligence policy.
- In theDescriptionfield, type a description for the global IP intelligence policy.
- In theIP Intelligence Policysetting, select the policy to use as the global IP intelligence policy.The default policy isCommon/ip-intelligence.
- Save your work.