Manual Chapter : Managing IP Intelligence Settings


Overview of IP intelligence settings

In a network firewall, you can configure IP intelligence policies to check traffic against an IP intelligence database. Such traffic can be handled automatically if it originates from known-bad or questionable IP addresses.
You can dynamically adjust the blacklists and whitelists used in the policy by creating feed lists. A feed list retrieves blacklists and whitelists from specified URLs. You can also set up blacklist matching criteria within the IP intelligence policy, and you may create additional blacklist categories to use in the matching criteria.
You can use global IP intelligence policies to select options that will be used for all your IP intelligence policies.
BIG-IQ Centralized Management supports the IP Intelligence feature in BIG-IP versions 12.0 or later.

Create blacklist categories

When the existing categories are insufficient, you can create blacklist categories to use when matching blacklists in an IP intelligence policy. A blacklist category groups related untrustworthy IP addresses.
  1. Click Configuration > SECURITY > Shared Security > IP Intelligence > Blacklist Categories.
  2. On the Blacklist Categories screen, click Create.
  3. In the Category Name field, type the name of the category.
    You cannot change this when modifying a category.
  4. In the Description field, type a description of the category.
  5. In the Match Type setting, specify the criteria that define a blacklist match.
    You can require a source match, a destination match, or both a source and destination match.
    • Select Both Source and Destination to require that both the source and the destination match the blacklist.
    • Select Destination to have the destination only match the blacklist.
    • Select Source to have the source only match the blacklist.
  6. Save your work.
You can now use this blacklist category in an IP intelligence policy.

Create feed lists

You create feed lists containing URLs to dynamically adjust the blacklists and whitelists in an IP intelligence policy to allow more automatic handling of those lists.
  1. Click Configuration > SECURITY > Shared Security > IP Intelligence > Feed Lists.
  2. On the Feed Lists screen, click Create.
  3. In the Name field, type a unique name for the feed list.
  4. In the Description field, type an optional description for the feed list.
  5. In the Partition setting, the default is Common. Type a different partition if needed.
  6. In the Feed URLs area, click Create to create a feed URL and add it to the feed list.
    The Feed URL properties screen opens. You may want to add multiple feed URLs to the feed list.
  7. In the Name field, type a name for the feed URL.
  8. In the URL field, type the URL for the feed.
  9. For the List Type setting, select the list type to specify whether the list is by default a whitelist or blacklist. This applies only to items on the list that are not specified as blacklist or whitelist items.
  10. For the Blacklist Category setting, select a default category for the list.
  11. In the Poll Interval field, type a number that specifies how often the feed URL is polled for new feeds, in seconds.
    The default value is 300, which is the minimum.
  12. In the Username field, type a user name used to access the feed list file, if required.
  13. In the Password field, type a password used to access the feed list file, if required.
    In some cases, the value of the Password setting may be falsely displayed as changed when performing an evaluation prior to a deployment. This is due to encryption salt changes, and you can ignore it.
  14. If the Password setting is used, in the Confirm Password field, type the password again to confirm it.
  15. Click OK to save the changes to the feed URL.
  16. Continue to add or change the feed URLs in the feed list until it is complete.
  17. Save your work.
You can now create and add more feed URLs to the feed list or add the feed list to an IP intelligence policy.
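
A pre-deployment review of feed URL definitions, as an added example that is not part of the original manual or the product's own code: it checks the settings entered in steps 8 to 13 (URL, List Type, Blacklist Category, Poll Interval, Username, Password). The dictionary keys, the sample feeds, and every review rule other than the 300-second minimum are assumptions made for illustration.

```python
from urllib.parse import urlsplit

MIN_POLL_INTERVAL = 300  # seconds: the default and minimum given for Poll Interval

# Constructed sample definitions; the key names are hypothetical, chosen to
# mirror the Feed URL screen's fields (they are not a BIG-IQ schema).
SAMPLE_FEEDS = [
    {"name": "internal-bl", "url": "https://feeds.example.net/bl.txt",
     "list_type": "blacklist", "blacklist_category": "custom_botnet",
     "poll_interval": 300},
    {"name": "partner-wl", "url": "http://ops:secret@feeds.example.net/wl.txt",
     "list_type": "whitelist", "poll_interval": 60, "password": "secret"},
]

def audit_feed_url(feed):
    """Return review findings for one feed URL definition (empty list = clean)."""
    findings = []
    parts = urlsplit(feed.get("url", ""))
    if not parts.hostname:
        findings.append("url: no host to fetch from")
    if parts.scheme != "https":
        findings.append("url: not HTTPS, so the list can be altered in transit")
    if parts.username or parts.password:
        findings.append("url: credentials embedded, use the Username/Password fields")
    has_user, has_pass = bool(feed.get("username")), bool(feed.get("password"))
    if has_user != has_pass:
        findings.append("auth: only one of Username/Password is set")
    if has_pass and parts.scheme != "https":
        findings.append("auth: Password configured for a non-HTTPS feed")
    if int(feed.get("poll_interval", MIN_POLL_INTERVAL)) < MIN_POLL_INTERVAL:
        findings.append("poll_interval: below the 300 second minimum")
    list_type = feed.get("list_type")
    if list_type == "whitelist":
        # Untyped entries inherit List Type, so they would all be whitelisted.
        findings.append("list_type: untyped entries default to whitelist")
    elif list_type == "blacklist":
        if not feed.get("blacklist_category"):
            findings.append("blacklist_category: no default category selected")
    else:
        findings.append("list_type: expected whitelist or blacklist")
    return findings

def audit_feed_list(feeds):
    """Map each feed URL name to its findings, keeping only feeds with issues."""
    report = {f.get("name", "<unnamed>"): audit_feed_url(f) for f in feeds}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit_feed_list(SAMPLE_FEEDS).items():
        print(name, *found, sep="\n  - ")
```

The whitelist finding is a prompt for review, not an error: a feed whose List Type is whitelist can exempt addresses from blacklist actions, so its source deserves the same scrutiny as the firewall policy itself.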

Create IP intelligence policies

You create an IP intelligence policy to check traffic against an IP intelligence database and determine whether to allow it.
  1. Click Configuration > SECURITY > Shared Security > IP Intelligence > IP Intelligence Policies.
  2. In the IP Intelligence Policies screen, click Create.
    The IP Intelligence Policy Properties screen opens.
  3. In the Name setting, type a unique name for the policy.
  4. In the Description setting, type an optional description.
  5. The Partition setting shows the default, Common, but you can type a different partition if needed.
  6. In the Feed Lists setting, specify the feed lists to be used in the policy.
  7. For the Default Action setting, specify the default action that the policy takes on identified blacklist items (for which no action is specified).
  8. In the Default Log Actions setting, specify what actions to log by default.
    1. In the Log Whitelist Overrides setting, select whether to log whitelist overrides.
    2. In the Log Blacklist Category Matches setting, select whether to log blacklist category matches.
  9. Click Save to save your work before creating a blacklist matching policy.
  10. In the Blacklist Matching Policies area, click Create to create a new blacklist matching policy for the IP intelligence policy.
    The blacklist matching policy properties screen opens, which has the same name as the IP intelligence policy.
  11. For the Blacklist Categories setting, select the category for which you are configuring settings in this policy.
  12. For the Action setting, select the action for this policy.
    • Select Use Policy Default to use the default action for this policy.
    • Select Drop for the policy to use the drop action.
    • Select Accept for the policy to use the accept action.
  13. For the Log Blacklist Category Matches setting, select the log action for this policy.
    • Select Use Policy Default to use the default log action for logging blacklist category matches.
    • Select Yes to override the default log action and enable logging of blacklist category matches.
    • Select No to override the default log action and disable logging of blacklist category matches.
    • Select Limited to override the default log action and enable limited logging of blacklist category matches.
  14. For the Log Whitelist Overrides setting, select the log action for this policy.
    • Select Use Policy Default to use the default log action for logging whitelist overrides.
    • Select Yes to override the default log action and enable logging of whitelist overrides.
    • Select No to override the default log action and disable logging of whitelist overrides.
  15. For the Match Override setting, specify the matching criteria that override a blacklist match.
    You can require a source match, a destination match, or both a source and destination match to override a blacklist match with a whitelist (Match Source and Destination, Match Source, or Match Destination).
  16. Click OK to save your work on the blacklist matching policy.
    The screen closes and the blacklist matching policy you created is listed on the IP intelligence policy screen.
  17. Save your work on the IP intelligence policy.

Configure the global IP intelligence policy

You can configure an IP Intelligence policy to be used globally to apply blacklist and whitelist matching actions and logging to all traffic on the BIG-IP device.
  1. Click Configuration > SECURITY > Shared Security > IP Intelligence > Global Policies.
  2. Click the name of the BIG-IP device on which to use the global IP intelligence policy.
  3. In the Description field, type a description for the global IP intelligence policy.
  4. In the IP Intelligence Policy setting, select the policy to use as the global IP intelligence policy.
    The default policy is Common/ip-intelligence.
  5. Save your work.