Applies To:
Show Versions
BIG-IP AFM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
IP Address Intelligence in the Network Firewall
About IP intelligence policies in the Network Firewall
In the BIG-IP® Network Firewall, you can configure policies to check traffic against an IP intelligence database. Such traffic can be handled automatically if it originates from known-bad or questionable IP addresses. In addition, you can configure policies to automatically query feed lists that specify blacklist and whitelist IP address entries, and assign default classes and blacklist or whitelist behaviors to those feed lists. You can control the actions for each IP intelligence category by specifying such actions in a policy, and you can configure default action and default logging for each policy. Furthermore, you can configure logging and actions per category. You can apply IP Intelligence policies at the global context, to a virtual server, or on a route domain.

IP Intelligence Policy container and included elements
Enabling IP address intelligence
- The system must have an IP Intelligence license.
- The system must have an Internet connection either directly or through an HTTP proxy server.
- The system must have DNS configured (go to ).
IP address intelligence categories
Along with the IP address, the IP intelligence database stores the category that explains the reason that the IP address is considered untrustworthy.
Category Name | Description |
---|---|
Botnets | IP addresses of computers that are infected with malicious software (Botnet Command and Control channels, and infected zombie machines) and are controlled as a group by a Bot master, and are now part of a botnet. Hackers can exploit botnets to send spam messages, launch various attacks, or cause target systems to behave in other unpredictable ways. |
Cloud Provider Networks | IP addresses and networks that are used by cloud providers. |
Denial-of-Service | IP addresses that have launched denial-of-service (DoS) attacks, distributed denial-of-service (DDoS) attacks, anomalous SYN flood attacks, or anomalous traffic detection. These attacks are usually requests for legitimate services, but occur at such a fast rate that targeted systems cannot respond quickly enough and become bogged down or unable to service legitimate clients. |
Illegal Web sites | IP addresses that contain criminally obscene or potentially criminal internet copyright and intellectual property violations. |
Infected Sources | Active IP addresses that issue HTTP requests with a low reputation index score, or that are known malicious web sites offering or distributing malware, shell code, rootkits, worms, or viruses. |
Phishing | IP addresses that host phishing sites, and other kinds of fraud activities, such as ad click fraud or gaming fraud. |
Proxy/Anonymous Proxies | IP addresses that are associated with web proxies that shield the originator's IP address (such as proxy and anonymization services). This category also includes TOR anonymizer addresses. |
Scanners | IP addresses that are involved in reconnaissance, such as probes, host scan, domain scan, and password brute force, typically to identify vulnerabilities for later exploits. |
Spam Sources | IP addresses that are known to distribute large amounts of spam email by tunneling spam messages through proxy, anomalous SMTP activities, and forum spam activities. |
Web Attacks | IP addresses involved in cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force. |
Windows Exploits | Active IP addresses that have exercised various exploits against Windows resources by offering or distributing malware, shell code, rootkits, worms, or viruses using browsers, programs, downloaded files, scripts, or operating system vulnerabilities. |
About IP intelligence blacklist categories
Blacklist categories are categories you can use to differentiate between types of blacklisted URLs. You can specify up to 62 blacklist categories, including 11 that are predefined on the system. A blacklist category definition consists only of a name and description. You can specify actions and logging options for each blacklist category you create, and for predefined categories, in an IP Intelligence policy. The 11 predefined blacklist categories are automatically available for selection in an IP Intelligence policy.
Creating a blacklist category
About IP intelligence feed lists
A feed list retrieves blacklists and whitelists from specified URLs. You can use a feed list to dynamically update blacklists and whitelists.
A feed list can retrieve multiple feeds from FTP, HTTP, or HTTPS addresses. You can specify whether a feed is a blacklist or whitelist, and the default category for the feed list. You can also configure a polling interval.
After a blacklist or whitelist is defined in a feed list, you add the feed list to an IP Intelligence policy. The list is then used by the policy to retrieve feeds and dynamically adjust the blacklist and whitelist policy.
Feed list settings and IP Intelligency policy
Feed lists dynamically define IP addresses that have been blacklisted or whitelisted. The IP Intelligence policy uses feed lists to dynamically filter traffic.
A feed list defines the feeds that dynamically update the IP address intelligence database for your systems.
Feed list setting | Description |
---|---|
URL | Select FTP, HTTP, or HTTPS, then specify the URL for the feed. Feeds are typically text files. An example for a local file might be http://172.10.1.23/feed.txt . |
List Type | Whitelist or Blacklist. Specifies the default classification for all URLs in the feed for which a category is not specified. |
Blacklist Category | Specifies a default category for the list. This is the default blacklist category for all blacklist URLs in the feed for which a category is not specified. On the BIG-IP® system, you can specify a total of 62 categories; however, 9 categories are used by the IP Intelligence database. |
Poll Interval | Specifies how often the feed URL is polled for new feeds. |
Username | The user name to access the feed list file, if required. |
Password | The password to access the feed list file, if required. |
Feed URLs | In this area you can add, replace, or delete feed URLs from the feed list. |
A feed is a simple comma-separated value (CSV) file. The file contains four comma-separated values per line.
Position | Value | Definition |
---|---|---|
1 | IP Address | The IP address to be blacklisted or whitelisted. This is the only field that is required in each entry in the file. All other entries are optional. Important: If you append a route domain with a percentage sign and the route domain number, the route domain is not used.
|
2 | Network Mask | (Optional) The network mask for the IP address as a CIDR (such as, 24 for 255.255.255.0). This field is optional. Note: When IP 0.0.0.0 is mentioned in feed list without netmask, it is considered as a wild card IP and traffic from all the sources is blocked. If traffic from source IP 0.0.0.0 must be blocked, then add network mask of 32 as part of the blacklist entry.
|
3 | Whitelist/Blacklist | (Optional) Identifies whether the IP address is a whitelist or blacklist address. You can type wl, bl, whitelist, or blacklist, with any capitalization. Leave this field blank to retain the default specified for the feed. |
4 | Category | (Optional) Type the category name for the entry. Leave this field blank to take the default specified for the feed. |
In this feed list file example, only the first entry specifies a value for every field. The third and fourth entries, 10.10.0.12 and 10.0.0.12, will be set to blacklist or whitelist entries depending on the setting for the feed. 10.10.0.12 is specified with a category of botnets; however, if the default setting for the feed is a whitelist, this is ignored. When an IP address has both a blacklist and a whitelist entry from the configuration, the whitelist entry takes precedence.
10.0.0.2,32,bl,spam_sources 10.0.0.3,,wl, 10.10.0.12,,botnets 10.0.0.12,,, 10.0.0.13,,bl,