Forum Discussion

Hugo_Frauches_2
Aug 03, 2017

Difference between ASM IP Address Intelligence and AFM IP Intelligence

Hello,

 

I recently activated the IP Address Intelligence subscription on my client's BIG-IP and it's working just fine with the ASM module. This gives me a lot of violations in the ASM event logs based on IP reputation, but I have noticed that I can configure IP Intelligence in AFM, and I would like to know what the difference between these features is and also how I can see logs about IPI violations in the AFM module.

 

  • Hi,

    To put it simply, you have to know that IP Intelligence is an independent function (it does not need a very specific module to work); you can use it with LTM, ASM, AFM, ...

    This function acts on the source IP according to the IP classification configured in IP Intelligence policies. F5 utilises the IP intelligence (reputation) database to drop traffic from source IPs that match the threat categories from Webroot...

    For example, with LTM you can use this functionality through an iRule:

    when HTTP_REQUEST {
        # Use [HTTP::header values "X-Forwarded-For"] in place of [IP::client_addr] when testing with X-Forwarded-For
        set ip_reputation_categories [IP::reputation [IP::client_addr]]
        set is_reject 0
        # Flag the request if the source IP falls into any of these reputation categories
        if {($ip_reputation_categories contains "Windows Exploits")} {
            set is_reject 1
        }
        if {($ip_reputation_categories contains "Web Attacks")} {
            set is_reject 1
        }
        if {($ip_reputation_categories contains "Scanners")} {
            set is_reject 1
        }
        if {($ip_reputation_categories contains "Proxy")} {
            set is_reject 1
        }

        if {($is_reject)} {
            # Log the source address with its reputation categories
            log local0. "Attempted access from malicious IP address [IP::client_addr]($ip_reputation_categories), request was rejected"

            # Answer the client directly instead of passing the request on
            HTTP::respond 200 content "
            Rejected Request

            The request was rejected.
            Attempted access from malicious IP address
            "
        }
    }
    

    iRule source: https://devcentral.f5.com/questions/ip-intelligence-irule
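The following is an added example, not part of the thread or of F5's code: a small Python triage script that counts the rejection messages written by the iRule above, per source IP and per reputation category. It assumes the category value appears in the log in Tcl list form (multi-word names wrapped in braces); the syslog prefix, rule name and sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Matches the message text logged by the iRule; any syslog prefix is ignored.
MSG = re.compile(
    r"Attempted access from malicious IP address\s+"
    r"(?P<ip>[0-9A-Fa-f:.%]+)\((?P<cats>.*)\), request was rejected"
)

def split_tcl_list(text):
    """Split a simple Tcl list; multi-word elements are wrapped in {braces}."""
    pairs = re.findall(r"\{([^{}]*)\}|(\S+)", text)
    return [braced or bare for braced, bare in pairs if braced or bare]

def summarize(lines):
    """Return (hits per source IP, hits per category, categories per IP)."""
    per_ip, per_cat, cats_by_ip = Counter(), Counter(), defaultdict(set)
    for line in lines:
        m = MSG.search(line)
        if m is None:
            continue  # not a rejection entry from the iRule
        cats = split_tcl_list(m["cats"])
        per_ip[m["ip"]] += 1
        per_cat.update(cats)
        cats_by_ip[m["ip"]].update(cats)
    return per_ip, per_cat, dict(cats_by_ip)

def _line(ip, cats):
    # Constructed log line: assumed syslog prefix, hypothetical rule name.
    prefix = "Aug  3 10:15:01 bigip1 info tmm[12345]: Rule /Common/ip_rep <HTTP_REQUEST>: "
    return (prefix + "Attempted access from malicious IP address "
            + ip + "(" + cats + "), request was rejected")

# Constructed sample input using documentation address ranges.
SAMPLE = [
    _line("203.0.113.7", "{Windows Exploits} Scanners"),
    _line("203.0.113.7", "Scanners"),
    _line("198.51.100.20", "Proxy {Web Attacks}"),
    "Aug  3 10:15:09 bigip1 notice mcpd[4321]: unrelated message",
]

if __name__ == "__main__":
    per_ip, per_cat, cats_by_ip = summarize(SAMPLE)
    for ip, hits in per_ip.most_common():
        print(ip, hits, sorted(cats_by_ip[ip]))
    for cat, hits in per_cat.most_common():
        print(cat, hits)
```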