Manual Chapter: Managing IP Intelligence Settings

Applies To:

BIG-IQ Centralized Management

  • 5.4.0

Overview of IP intelligence settings

In a network firewall, you can configure IP intelligence policies to check traffic against an IP intelligence database. Such traffic can be handled automatically if it originates from known-bad or questionable IP addresses.

You can dynamically adjust the blacklists and whitelists used in the policy by creating feed lists. A feed list retrieves blacklists and whitelists from specified URLs. You can also set up blacklist matching criteria within the IP intelligence policy, and you may create additional blacklist categories to use in the matching criteria.

You can use global IP intelligence policies to select options that will be used for all your IP intelligence policies.

BIG-IQ® Centralized Management supports the IP Intelligence feature in BIG-IP® versions 12.0 or later.

Create blacklist categories

When the existing categories are insufficient, you can create blacklist categories to use when matching blacklists in an IP intelligence policy. A blacklist category groups related untrustworthy IP addresses.
  1. Click Configuration > SECURITY > Shared Security > IP Intelligence > Blacklist Categories.
  2. On the Blacklist Categories screen, click Create.
  3. In the Category Name field, type the name of the category.
    You cannot change this when modifying a category.
  4. In the Description field, type a description of the category.
  5. In the Match Type setting, specify the criteria that define a blacklist match.
    You can require a source match, a destination match, or both a source and destination match.
    • Select Both Source and Destination to require that both the source and the destination match the blacklist.
    • Select Destination to require that only the destination match the blacklist.
    • Select Source to require that only the source match the blacklist.
  6. Save your work.
You can now use this blacklist category in an IP intelligence policy.

Create feed lists

You create feed lists containing URLs to dynamically adjust the blacklists and whitelists in an IP intelligence policy, which allows more automatic handling of those lists.
  1. Click Configuration > SECURITY > Shared Security > IP Intelligence > Feed Lists.
  2. On the Feed Lists screen, click Create.
  3. In the Name field, type a unique name for the feed list.
  4. In the Description field, type an optional description for the feed list.
  5. In the Partition setting, the default is Common. Type a different partition if needed.
  6. In the Feed URLs area, click Create to create a feed URL and add it to the feed list.
    The Feed URL properties screen opens. You may want to add multiple feed URLs to the feed list.
  7. In the Name field, type a name for the feed URL.
  8. In the URL field, type the URL for the feed.
  9. For the List Type setting, select the list type to specify whether the list is by default a whitelist or blacklist. This applies only to items on the list that are not specified as blacklist or whitelist items.
  10. For the Blacklist Category setting, select a default category for the list.
  11. In the Poll Interval field, type a number that specifies how often the feed URL is polled for new feeds, in seconds.
    The default value is 300, which is the minimum.
  12. In the Username field, type a user name used to access the feed list file, if required.
  13. In the Password field, type a password used to access the feed list file, if required.
    Note: In some cases, the value of the Password setting may be falsely displayed as changed when performing an evaluation prior to a deployment. This is due to encryption salt changes, and you can ignore it.
  14. If the Password setting is used, in the Confirm Password field, type the password again to confirm it.
  15. Click OK to save the changes to the feed URL.
  16. Continue to add or change the feed URLs in the feed list until it is complete.
  17. Save your work.
You can now create and add more feed URLs to the feed list or add the feed list to an IP intelligence policy.

Create IP intelligence policies

You create an IP intelligence policy to check traffic against an IP intelligence database and determine whether to allow it.
  1. Click Configuration > SECURITY > Shared Security > IP Intelligence > IP Intelligence Policies.
  2. In the IP Intelligence Policies screen, click Create.
    The IP Intelligence Policy Properties screen opens.
  3. In the Name setting, type a unique name for the policy.
  4. In the Description setting, type an optional description.
  5. The Partition setting shows the default, Common, but you can type a different partition if needed.
  6. In the Feed Lists setting, specify the feed lists to be used in the policy.
  7. For the Default Action setting, specify the default action that the policy takes on identified blacklist items (for which no action is specified).
  8. In the Default Log Actions setting, specify what actions to log by default.
    1. In the Log Whitelist Overrides setting, select whether to log whitelist overrides.
    2. In the Log Blacklist Category Matches setting, select whether to log blacklist category matches.
  9. Click Save to save your work before creating a blacklist matching policy.
  10. In the Blacklist Matching Policies area, click Create to create a new blacklist matching policy for the IP intelligence policy.
    The blacklist matching policy properties screen opens, which has the same name as the IP intelligence policy.
  11. For the Blacklist Categories setting, select the category for which you are configuring settings in this policy.
  12. For the Action setting, select the action for this policy.
    • Select Use Policy Default to use the default action for this policy.
    • Select Drop for the policy to use the drop action.
    • Select Accept for the policy to use the accept action.
  13. For the Log Blacklist Category Matches setting, select the log action for this policy.
    • Select Use Policy Default to use the default log action for logging blacklist category matches.
    • Select Yes to override the default action and enable logging of blacklist category matches.
    • Select No to override the default log action, and disable logging of blacklist category matches.
    • Select Limited to override the default action and enable limited logging of blacklist category matches.
  14. For the Log Whitelist Overrides setting, select the log action for whitelist overrides in this policy.
    • Select Use Policy Default to use the default log action for logging whitelist overrides.
    • Select Yes to override the default action and enable logging of whitelist overrides.
    • Select No to override the default log action, and disable logging of whitelist overrides.
  15. For the Match Override setting, specify the matching criteria that override a blacklist match.
    You can require a source match, a destination match, or both a source and destination match to override a blacklist match with a whitelist (Match Source and Destination, Match Source, or Match Destination).
  16. Click OK to save your work on the blacklist matching policy.
    The screen closes and the blacklist matching policy you created is listed on the IP intelligence policy screen.
  17. Save your work on the IP intelligence policy.
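The category Match Type, the per-category Action and log settings, the policy defaults, and the Match Override setting combine to decide what happens to a connection. The following is an added example, not F5 code and not BIG-IP's actual evaluation logic: a simplified Python model for reasoning about the effective action before deployment. The function and field names, the first-match ordering, the default Match Override of "source", and the sample categories and addresses are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DEFAULT = "use-policy-default"

@dataclass
class Rule:                          # one blacklist matching policy (steps 10-16)
    action: str = DEFAULT            # "drop", "accept" or DEFAULT
    log_matches: str = DEFAULT       # "yes", "no", "limited" or DEFAULT
    log_overrides: str = DEFAULT     # "yes", "no" or DEFAULT
    match_override: str = "source"   # assumed default; "source", "destination" or "both"

def sides(nets, src, dst):
    """Report whether source and destination fall inside any listed network."""
    hit = lambda ip: any(ip_address(ip) in ip_network(n) for n in nets)
    return hit(src), hit(dst)

def satisfied(mode, s, d):
    """Apply a Match Type / Match Override mode to the two per-side results."""
    return {"source": s, "destination": d, "both": s and d}[mode]

def pick(value, default):
    """Resolve 'Use Policy Default' to the policy-level setting."""
    return default if value == DEFAULT else value

def evaluate(src, dst, policy, categories, blacklist, whitelist):
    """Return (action, log setting, category) for one connection."""
    ws, wd = sides(whitelist, src, dst)
    for cat, nets in blacklist.items():          # assumed: first matching category wins
        if not satisfied(categories[cat], *sides(nets, src, dst)):
            continue                             # category Match Type not met
        rule = policy["rules"].get(cat, Rule())  # no rule: policy defaults apply
        if satisfied(rule.match_override, ws, wd):
            return "accept", pick(rule.log_overrides, policy["log_overrides"]), cat
        return (pick(rule.action, policy["default_action"]),
                pick(rule.log_matches, policy["log_matches"]), cat)
    return "no-match", "no", None

# Constructed sample data: documentation address ranges and hypothetical names.
CATEGORIES = {"spam_sources": "source", "c2_servers": "destination"}
BLACKLIST = {"spam_sources": ["203.0.113.0/24"], "c2_servers": ["198.51.100.7/32"]}
WHITELIST = ["203.0.113.25/32"]
POLICY = {"default_action": "drop", "log_matches": "yes", "log_overrides": "no",
          "rules": {"spam_sources": Rule(log_overrides="yes"),
                    "c2_servers": Rule(action="drop", log_matches="limited",
                                       match_override="destination")}}
```

In this model, an address from the `c2_servers` list appearing as a source produces no match, because that category's Match Type is destination only.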

Configure the global IP intelligence policy

You can configure an IP Intelligence policy to be used globally to apply blacklist and whitelist matching actions and logging to all traffic on the BIG-IP device.

  1. Click Configuration > SECURITY > Shared Security > IP Intelligence > Global Policies.
  2. Click the name of the BIG-IP device on which to use the global IP intelligence policy.
  3. In the Description field, type a description for the global IP intelligence policy.
  4. In the IP Intelligence Policy setting, select the policy to use as the global IP intelligence policy.
    The default policy is Common/ip-intelligence.
  5. Save your work.