Manual Chapter : AFM IP Intelligence

Applies To:

BIG-IP AFM

  • 14.1.2, 14.1.0

Overview: IP Intelligence

All network traffic has a source IP address, and the BIG-IP AFM IP Intelligence feature uses lists of IP addresses, known as feed lists, to either reject (blacklist) or accept (whitelist) incoming network traffic based on source IP address. AFM IP Intelligence can use two types of feed lists:
  • Webroot BrightCloud - a subscription-based service that requires an additional F5 add-on license.

  • Custom feed list - a list of source IP addresses maintained on a remote server.

About feed lists and feed files

If you are not planning to use the BrightCloud subscription-based service, you can configure custom feed lists to allow or deny remote clients based on their source IP address. Feed lists pull feed files from remote systems and are then referenced by an IP Intelligence policy. You should familiarize yourself with how feed lists and feed files work together.

Feed Files

Feed files are simple text files, created and updated on a remote HTTP/S or FTP server. Feed files contain four comma-separated directives, and only one, the IP address, is required. This table describes the four comma-separated directives.

Position | 1          | 2            | 3                      | 4
Entry    | IP Address | Network Mask | Whitelist or Blacklist | Category

This is an example feed file.

10.10.10.2,32,bl,spam_sources
10.10.11.0,24,wl,
10.10.12.3,,bl,botnets
10.0.0.12,,,
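
Added example (not F5 code): a small Python linter for the four-field feed-file format described above, meant to run before a feed file is published to the remote server. It assumes an empty mask field means a single host address and accepts only the wl and bl spellings shown in the example; parse_feed, find_conflicts and FeedEntry are names made up for this example.

```python
import ipaddress
from collections import namedtuple

# listing is "wl", "bl" or "" (empty field); category is "" when empty.
FeedEntry = namedtuple("FeedEntry", "line_no network listing category")

def parse_feed(text):
    """Parse feed-file text; return (entries, errors), line numbers 1-based."""
    entries, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split(",")]
        try:
            if len(fields) > 4:
                raise ValueError("more than four fields")
            ip, mask, listing, category = fields + [""] * (4 - len(fields))
            addr = ipaddress.ip_address(ip)
            # Assumption: an empty mask field means a single host address.
            prefix = int(mask) if mask else addr.max_prefixlen
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
            if listing not in ("", "wl", "bl"):
                raise ValueError(f"unknown list type {listing!r}")
        except ValueError as exc:
            errors.append((n, str(exc)))
            continue
        entries.append(FeedEntry(n, net, listing, category))
    return entries, errors

def find_conflicts(entries):
    """Return (wl_line, bl_line) pairs whose networks overlap."""
    return [(w.line_no, b.line_no) for w in entries for b in entries
            if (w.listing, b.listing) == ("wl", "bl")
            and w.network.overlaps(b.network)]

# Lines 1-4 are the example feed file from this page; 5-7 are constructed.
SAMPLE = """10.10.10.2,32,bl,spam_sources
10.10.11.0,24,wl,
10.10.12.3,,bl,botnets
10.0.0.12,,,
10.10.11.7,33,bl,
10.10.11.9,32,bl,botnets
10.10.10.3,32,deny,
"""

if __name__ == "__main__":
    entries, errors = parse_feed(SAMPLE)
    print("errors:", errors)
    print("wl/bl conflicts:", find_conflicts(entries))
```

On the sample, lines 5 and 7 are rejected, and line 6 is reported as blacklisting an address inside the range whitelisted on line 2.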

Feed lists are configuration objects on the BIG-IP AFM system used to obtain feed files from remote systems using either HTTP or FTP. When creating a new feed list object, you define the remote server and URL containing the feed file. You can also define a polling interval that determines how often the AFM system will obtain an updated feed file. One or more feed lists can then be used later when creating or modifying IP Intelligence policies.

AFM IP Intelligence policies

BIG-IP AFM IP Intelligence policies are configuration objects that reference one or more feed lists and define an action, such as drop or accept, when a match occurs. IP Intelligence policies can be applied to either the global, route domain, or virtual server contexts, and perform these functions:

  • Reference one or more feed lists.

  • Specify an action when a match is made: Accept or Deny.

  • Override the directives in the feed file.

  • Enable or disable logging when a packet match is made.

  • Apply to either the global or virtual server contexts.

Creating an AFM IP Intelligence policy

In this scenario, you create a remote feed list and apply a new IP Intelligence policy to the global context, blacklisting a single IP address: 10.10.10.1.
Creating and applying a new IP Intelligence policy involves several tasks.

Task list

  1. Create the feed file.
  2. Create a custom feed list category.
  3. Create the IP Intelligence feed list.
  4. Create the IP Intelligence policy.
  5. Apply the IP Intelligence policy.

Create the feed file

Before you start this task, you need a remote HTTP/S or FTP server that is accessible by the BIG-IP AFM system to store the feed file.
You can create a feed file that contains one or more IP addresses on a remote HTTP or FTP server. This example task shows how to create a new feed file with a single IP address entry.
  1. In an accessible directory on an HTTP or FTP server, create a new file named feed_list1.
  2. The file should contain one entry, for example 10.10.10.1,32,bl,.
  3. Save the file to the file system.
A new feed file now exists on the remote server.
Next, you probably want to create a custom feed list category and feed list to identify and obtain the feed file.

Create a custom feed list category

BIG-IP AFM provides a number of standard feed list categories, such as botnets, scanners, and phishing. In this task, you create a custom feed list category to identify the custom feed file.
  1. On the Main tab, click Security > Network Firewall > IP Intelligence > Blacklist Categories.
    Note: Although this screen is named Blacklist Categories, it can also be used to create whitelists.
  2. At the far right, click Create.
  3. In the Name field, type a unique name for the custom feed file.
    For this example, type spam_attacks.
  4. Ensure that the Match Type is set to Source.
  5. Click Finished.
The new custom category is now listed under Blacklist Category.
Next, you create a new IP Intelligence feed list that obtains the feed file.

Create the IP Intelligence feed list

To complete this task, you must first have a feed file on a remote HTTP/S or FTP server that is accessible to the BIG-IP AFM system.
Feed list objects contain information about the remote server such as connection protocol, feed file name, feed list category, and the polling interval for retrieving updated information. In this task, you create a new IP Intelligence feed list and obtain the feed file.
  1. On the Main tab, click Security > Network Firewall > IP Intelligence > Feed Lists.
  2. On the far right of the page, click Create.
  3. In the Name field, type a unique name for the feed list.
    For this example, type corp_feedlist.
  4. In the Feed List Properties area, for Feed URLs, type a name for the feed file.
    For this example, type custom_spam_sources.
  5. From the URL protocol list, select HTTP, HTTPS, or FTP.
    For this example, select HTTP.
  6. In the URL field, type the full URL path to the feed file.
    For this example, type http://192.168.10.100/feeds/corp_feed_file.txt.
  7. Below Password, click Add.
  8. Click Finished.
A new feed list now exists on the Feed Lists screen.
Next, you might want to create an IP Intelligence policy that references the new feed list.

Create the IP Intelligence policy

IP Intelligence policies are containers for one or more feed lists and are applied to either the device level or virtual servers. This task shows how to create a new IP Intelligence policy that references the new feed list.
  1. On the Main tab, click Security > Network Firewall > IP Intelligence > Policies.
  2. Click Create.
  3. In the Name field, type a unique name for the IP Intelligence policy.
    For this example, type corp_policy.
  4. For Feed Lists, select the new feed list in the Available box and move it to the Selected box.
    For this example, select and move custom_spam_sources.
  5. Ensure that the Default Action is set to Drop.
  6. For Blacklist Matching Policy setting, set the Blacklist Category to spam_attacks.
  7. Click Add.
  8. Click Finished.
The new policy is now listed in the IP Intelligence policy list.
The final task in this scenario is to apply the IP Intelligence policy to the AFM system global context.

Apply the IP Intelligence policy

You can apply IP Intelligence policies to the global or virtual server contexts. This task shows how to apply the new IP Intelligence policy to the AFM system's global context.
  1. On the Main tab, click Security > Network Firewall > IP Intelligence.
  2. From the IP Intelligence policy list, select the new IP Intelligence policy.
    For this example, select corp_policy.
  3. Click Update.
This applies the IP Intelligence policy blocking a single IP address to the AFM system's global context.