Manual Chapter: About IP Address Intelligence in the Network Firewall

Applies To: BIG-IP AFM 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

About IP intelligence policies in the network firewall

In the network firewall, you can configure policies to check traffic against an IP intelligence database. Such traffic can be handled automatically if it originates from known-bad or questionable IP addresses. In addition, you can configure policies to automatically query feed lists that specify blacklist and whitelist IP address entries, and configure actions for those entries. You can control the actions for each IP intelligence category by specifying such actions in a policy. Furthermore, you can configure policies to apply default actions to feed lists, and apply such policies at the global context, to a virtual server, or on a route domain.

Figure: IP Intelligence Policy container, and included elements

Enabling IP address intelligence

The requirements for using IP address intelligence are:
  • The system must have an IP Intelligence license.
  • The system must have an Internet connection either directly or through an HTTP proxy server.
  • The system must have DNS configured (System > Configuration > Device > DNS).
Important: IP address intelligence is enabled by default. You only need to enable it if it was previously disabled.
To enable IP address intelligence on the BIG-IP® system, you enable auto-update to connect the system to the IP intelligence database.
  1. Log in to the command line for the BIG-IP® system.
  2. To determine whether IP intelligence is enabled, type the following command: tmsh list sys db iprep.autoupdate
    If the value of the iprep.autoupdate variable is disable, IP intelligence is not enabled. If it is enable, your task is complete.
  3. At the prompt, type tmsh modify sys db iprep.autoupdate value enable
    The system downloads the IP intelligence database and stores it in the binary file /var/IpRep/F5IpRep.dat, which is updated every 5 minutes. To confirm that updates are actually arriving (for example, after a proxy or firewall change), check that the modification time of that file keeps advancing.
  4. If the BIG-IP system is behind a firewall, make sure that the BIG-IP system has outbound access to vector.brightcloud.com on port 443.
    That is the IP Intelligence server from which the system gets IP Intelligence information.
  5. Optional: If the BIG-IP system connects to the Internet using a forward proxy server, set these system database variables.
    1. Type tmsh modify sys db proxy.host value hostname to specify the host name of the proxy server.
    2. Type tmsh modify sys db proxy.port value port_number to specify the port number of the proxy server.
    3. Type tmsh modify sys db proxy.username value username to specify the user name to log in to the proxy server.
    4. Type tmsh modify sys db proxy.password value password to specify the password to log in to the proxy server.
The IP address intelligence feature remains enabled unless you disable it with the command tmsh modify sys db iprep.autoupdate value disable.
You can configure IP intelligence for Advanced Firewall Manager by assigning IP intelligence policies to the global, route domain, or virtual server context.

IP address intelligence categories

Along with the IP address, the IP intelligence database stores the category that explains the reason that the IP address is considered untrustworthy.

Category name: description
Botnets: IP addresses of computers that are infected with malicious software (Botnet Command and Control channels, and infected zombie machines), are controlled as a group by a bot master, and are now part of a botnet. Attackers can use botnets to send spam messages, launch various attacks, or cause target systems to behave in other unpredictable ways.
Cloud Provider Networks: IP addresses and networks that are used by cloud providers.
Denial-of-Service: IP addresses that have launched denial-of-service (DoS) attacks, distributed denial-of-service (DDoS) attacks, anomalous SYN flood attacks, or triggered anomalous traffic detection. These attacks are usually requests for legitimate services, but occur at such a fast rate that targeted systems cannot respond quickly enough and become bogged down or unable to serve legitimate clients.
Illegal Web sites: IP addresses that host criminally obscene content or potentially criminal internet copyright and intellectual property violations.
Infected Sources: Active IP addresses that issue HTTP requests with a low reputation index score, or that are known malicious web sites offering or distributing malware, shell code, rootkits, worms, or viruses.
Phishing: IP addresses that host phishing sites and other kinds of fraud activities, such as ad click fraud or gaming fraud.
Proxy/Anonymous Proxies: IP addresses that are associated with web proxies that shield the originator's IP address (such as proxy and anonymization services). This category also includes Tor anonymizer addresses.
Scanners: IP addresses that are involved in reconnaissance, such as probes, host scans, domain scans, and password brute force, typically to identify vulnerabilities for later exploits.
Spam Sources: IP addresses that are known to distribute large amounts of spam email by tunneling spam messages through proxies, anomalous SMTP activity, and forum spam activity.
Web Attacks: IP addresses involved in cross-site scripting, iFrame injection, SQL injection, cross-domain injection, or domain password brute force.
Windows Exploits: Active IP addresses that have exercised various exploits against Windows resources by offering or distributing malware, shell code, rootkits, worms, or viruses using browsers, programs, downloaded files, scripts, or operating system vulnerabilities.

About IP intelligence blacklist classes

Blacklist classes are categories you can use to differentiate between types of blacklisted IP addresses. You can define up to 62 blacklist classes in total, including 11 that are predefined on the system. A blacklist class definition consists only of a name and a description. The action and logging options for each blacklist class, whether predefined or one you created, are specified in an IP intelligence policy. The 11 predefined blacklist classes are automatically available for selection in an IP intelligence policy.

Creating a blacklist class

You can create a blacklist class to configure policy-based responses to specific types of addresses. Then you can specify an address as belonging to a blacklist class so you can see the types of classes that are triggered in the logs, and so you can provide unique responses on a per-class basis.
  1. On the Main tab, click Security > Network Firewall > IP Intelligence > Blacklist Classes .
    The Blacklist Classes screen opens.
  2. Click Create to create a new IP Intelligence blacklist class.
  3. In the Name field, type a name for the blacklist class.
  4. In the Description field, type a description for the blacklist class.
  5. Click Finished.
    The list screen and the new item are displayed.

About IP intelligence feed lists

A feed list retrieves blacklists and whitelists from specified URLs. You can use a feed list to dynamically update blacklists and whitelists.

A feed list can retrieve multiple feeds from FTP, HTTP, or HTTPS addresses. You can specify whether a feed is a blacklist or whitelist, and the default class for the feed list. You can also configure a polling interval.

After a blacklist or whitelist is defined in a feed list, you add the feed list to an IP Intelligence policy. The list is then used by the policy to retrieve feeds and dynamically adjust the blacklist and whitelist policy.

Feed list settings

Feed lists dynamically define IP addresses that have been blacklisted or whitelisted. The IP Intelligence policy uses feed lists to dynamically filter traffic.

A feed list defines the feeds that dynamically update the IP address intelligence database for your systems.

Feed list setting: description
URL: Select FTP, HTTP, or HTTPS, then specify the URL for the feed. Feeds are typically text files. An example for a local file might be http://172.10.1.23/feed.txt .
List Type: Whitelist or Blacklist. Specifies the default classification for all entries in the feed for which a list type is not specified.
Blacklist Class: Specifies a default class for the list. This is the default blacklist class for all blacklist entries in the feed for which a class is not specified. On the BIG-IP® system, you can specify a total of 62 classes, 11 of which are predefined and used by the IP Intelligence database.
Poll Interval: Specifies how often the feed URL is polled for new entries.
Username: The user name to access the feed list file, if required.
Password: The password to access the feed list file, if required.
Feed URLs: In this area you can add, replace, or delete feed URLs from the feed list.

A feed is a simple comma-separated value (CSV) file. The file contains four comma-separated values per line.

Position, value, and definition:
  1. IP Address (required): The IP address to be blacklisted or whitelisted. This is the only field that is required in each entry of the file; all other fields are optional.
    Important: If you append a route domain to the address with a percent sign and the route domain number, the route domain is ignored and the entry is treated as the bare address.
  2. Network Mask (optional): The network mask for the IP address, as a CIDR prefix length (for example, 24 for 255.255.255.0).
    Note: An entry of 0.0.0.0 with no network mask is treated as a wildcard, and traffic from all sources is blocked. To blacklist only the host address 0.0.0.0, give the entry a network mask of 32.
  3. Whitelist/Blacklist (optional): Whether the IP address is a whitelist or blacklist address. You can type wl, bl, whitelist, or blacklist, with any capitalization. Leave this field blank to take the default specified for the feed.
  4. Class (optional): The class name for the entry. Leave this field blank to take the default specified for the feed.

In this feed file example, only the first entry specifies a value for every field. The third and fourth entries, 213.155.14.161 and 10.0.5.20, will be set to blacklist or whitelist depending on the setting for the feed. 213.155.14.161 is specified with a category of botnet; however, if the default setting for the feed is a whitelist, this is ignored. Note that when an IP address has both a blacklist and a whitelist entry from the configuration, the whitelist entry takes precedence.

1.214.221.242,,bl,spam_sources
67.195.160.76,,wl,
213.155.14.161,,,botnet
10.0.5.20,,,
10.0.0.13,,bl,
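The following is an added example, not F5 code and not a copy of the BIG-IP feed parser. It implements the feed-file rules described above (four comma-separated fields, feed-level defaults for list type and blacklist class, the ignored route-domain suffix, the 0.0.0.0-without-mask wildcard, and whitelist precedence) so that a feed can be checked before it is published to the BIG-IP system. Assumptions of this example: lines beginning with '#' are treated as comments, IPv6 entries are accepted the same way as IPv4 (the page only shows IPv4), overlapping blacklist entries are ranked in file order, and the names parse_feed, classify, FeedEntry and ParsedFeed are the example's own.

```python
"""Parser and lookup for the four-field IP Intelligence feed format (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
WHITELIST_TOKENS = {"wl", "whitelist"}
BLACKLIST_TOKENS = {"bl", "blacklist"}


@dataclass(frozen=True)
class FeedEntry:
    network: Network
    is_whitelist: bool
    blacklist_class: Optional[str]   # None for whitelist entries
    line_no: int


@dataclass
class ParsedFeed:
    entries: List[FeedEntry] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def parse_feed(text: str, default_is_whitelist: bool, default_class: str) -> ParsedFeed:
    """Parse one feed file using the defaults configured on its feed URL."""
    feed = ParsedFeed()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):       # '#' comments: assumption of this example
            continue
        fields = [f.strip() for f in line.split(",")]
        fields += [""] * (4 - len(fields))          # missing trailing fields mean "use the default"
        addr, mask, list_type, cls = fields[:4]

        # A '%<route-domain>' suffix is ignored by the system: strip it and warn, because
        # the entry then refers to the bare address rather than to one route domain.
        if "%" in addr:
            addr = addr.split("%", 1)[0]
            feed.warnings.append(f"line {line_no}: route domain suffix ignored")

        try:
            if mask:
                network: Network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            elif addr == "0.0.0.0":
                # 0.0.0.0 without a mask is a wildcard that matches every source address.
                network = ipaddress.ip_network("0.0.0.0/0")
                feed.warnings.append(f"line {line_no}: 0.0.0.0 without a mask is a wildcard; use mask 32 for the host")
            else:
                network = ipaddress.ip_network(addr)   # bare address: /32 or /128 host entry
        except ValueError as exc:
            feed.warnings.append(f"line {line_no}: skipped, {exc}")
            continue

        token = list_type.lower()
        if token in WHITELIST_TOKENS:
            is_whitelist = True
        elif token in BLACKLIST_TOKENS:
            is_whitelist = False
        elif token == "":
            is_whitelist = default_is_whitelist
        else:
            feed.warnings.append(f"line {line_no}: skipped, unknown list type {list_type!r}")
            continue

        if is_whitelist:
            if cls:   # the page says a class on a whitelist entry is ignored
                feed.warnings.append(f"line {line_no}: class {cls!r} ignored on a whitelist entry")
            blacklist_class = None
        else:
            blacklist_class = cls or default_class
        feed.entries.append(FeedEntry(network, is_whitelist, blacklist_class, line_no))
    return feed


def classify(feed: ParsedFeed, ip: str) -> Tuple[str, Optional[str]]:
    """Return ('whitelist', None), ('blacklist', class) or ('unlisted', None).

    A whitelist entry always overrides any blacklist entry covering the address.
    Among several matching blacklist entries the first in file order wins (assumption).
    """
    address = ipaddress.ip_address(ip)
    first_blacklist_class = None
    for entry in feed.entries:
        if entry.network.version != address.version or address not in entry.network:
            continue
        if entry.is_whitelist:
            return ("whitelist", None)
        if first_blacklist_class is None:
            first_blacklist_class = entry.blacklist_class
    if first_blacklist_class is not None:
        return ("blacklist", first_blacklist_class)
    return ("unlisted", None)


# Constructed sample: the five lines from the page plus three lines that exercise a
# CIDR mask, an ignored route-domain suffix, and the /32 host entry for 0.0.0.0.
SAMPLE_FEED = """\
1.214.221.242,,bl,spam_sources
67.195.160.76,,wl,
213.155.14.161,,,botnet
10.0.5.20,,,
10.0.0.13,,bl,
192.0.2.0,24,bl,scanners
198.51.100.7%2,,bl,
0.0.0.0,32,bl,
"""
```

Running parse_feed(SAMPLE_FEED, default_is_whitelist=False, default_class="botnets") and then classify() shows the defaults being filled in (10.0.5.20 becomes a blacklist entry of class botnets) and the warnings a feed author should act on before the file goes live, in particular any 0.0.0.0 line that has no mask, since that single line blacklists every source.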

Creating a feed list

You can add whitelist and blacklist IP addresses to your configuration automatically by setting up feeds and capturing them with a feed list.
  1. On the Main tab, click Security > Network Firewall > IP Intelligence > Feed Lists .
    The Feed Lists screen opens.
  2. Click Create to create a new IP Intelligence feed list.
  3. In the Name field, type a name for the feed list.
  4. Configure Feed URLs with an HTTP, HTTPS, or FTP URL, the list type, the blacklist class, and the polling interval. Specify a username and password, if required to access the feed list.
    A feed URL includes the actual URL of the text file and the defaults for that file. Within the feed file, however, any entry can be marked as a whitelist or blacklist entry and assigned to a blacklist class, overriding those defaults.
  5. Click the Add button to add a feed URL to the feed list.
  6. Click Finished.
    The list screen and the new item are displayed.

Configuring a policy to check addresses against IP intelligence

You can verify IP addresses against the preconfigured IP Intelligence database, and against IPs from your own feed lists, by creating an IP Intelligence policy.
  1. On the Main tab, click Security > Network Firewall > IP Intelligence > Policies .
    The IP Intelligence Policies screen opens.
  2. Click Create to create a new IP Intelligence policy.
  3. In the Name field, type a name for the IP intelligence policy.
  4. To add feed lists to the policy, click on the name of an available feed list, and click the << button to add it to the Selected list.
  5. Set the default action for the policy to Accept or Reject.
    • Select Accept to allow packets from uncategorized addresses on the feed list.
    • Select Reject to drop packets from uncategorized addresses on the feed list and send a reject message.
    The default action applies to addresses that are not assigned a blacklist class in the feed list, or whose blacklist class has no entry of its own in the policy. When the policy defines an action for an address's blacklist class, that action is used instead.
  6. Set the default log action.
    • Disabled does not log matches.
    • Log Black List Class Matches logs IP addresses that match blacklist classes.
    • Log White List Overrides logs only whitelist matches that override blacklist matches.
    • Log Black List Class Matches and White List Overrides logs all black list matches, and all whitelist matches that override blacklist matches.
    Note: Whitelist matches always override blacklist matches.
  7. To configure matching actions and logging for custom blacklist classes, add Blacklist Classes in the Blacklist Matching Policy area. Select a class from the list of predefined and user-defined blacklist classes, and set the default action and default logging action for the class, then click Add to add the blacklist class to the policy.
    Note: Reject is the preselected action for a newly added blacklist class; you can change it as described in the next step.
  8. For each class, you can select a default action.
    • Select Accept to allow packets from sources of the specified type, as identified by the IP address intelligence database.
    • Select Reject to drop and send a reject message for packets from sources of the specified type, as identified by the IP address intelligence database.
  9. Set the default log action for the blacklist class.
    • Disabled does not log matches.
    • Log Matches logs IP addresses that match blacklist classes.
    • Log Overrides logs only whitelist matches that override blacklist matches.
    • Log Matches and Overrides logs all black list matches, and all whitelist matches that override blacklist matches.
    Note: Whitelist matches always override blacklist matches.
  10. Click Finished.
    The list screen and the new item are displayed.
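The following is an added example, not F5 code; it models the precedence rules this procedure describes so that the effect of a policy can be reasoned about before it is assigned: a whitelist match always overrides a blacklist match, a blacklist class with its own entry in the policy uses that entry's action and log setting, and a blacklist match whose class has no entry falls back to the policy default action and default log setting. Assumptions of this example: an address that matches neither list is passed through without logging, the string values used for actions and log settings, and the names Policy, ClassRule, Verdict and decide are the example's own.

```python
"""Decision model for an IP Intelligence policy (added example, not F5 code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

ACCEPT, REJECT = "accept", "reject"
LOG_DISABLED, LOG_MATCHES, LOG_OVERRIDES, LOG_BOTH = (
    "disabled", "matches", "overrides", "matches-and-overrides")
_ACTIONS = {ACCEPT, REJECT}
_LOG_MODES = {LOG_DISABLED, LOG_MATCHES, LOG_OVERRIDES, LOG_BOTH}


@dataclass(frozen=True)
class ClassRule:
    """Per-class entry in the Blacklist Matching Policy area."""
    action: str = REJECT          # the GUI preselects Reject for a newly added class
    log: str = LOG_DISABLED

    def __post_init__(self) -> None:
        if self.action not in _ACTIONS or self.log not in _LOG_MODES:
            raise ValueError(f"invalid class rule: {self}")


@dataclass
class Policy:
    default_action: str = REJECT
    default_log: str = LOG_DISABLED
    classes: Dict[str, ClassRule] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.default_action not in _ACTIONS or self.default_log not in _LOG_MODES:
            raise ValueError("invalid policy defaults")


@dataclass(frozen=True)
class Verdict:
    action: str
    log_message: Optional[str]    # None when the policy logs nothing for this packet


def decide(policy: Policy, src_ip: str, whitelist_hit: bool,
           blacklist_class: Optional[str]) -> Verdict:
    """Apply the policy to one packet, given the result of the feed-list/database lookup.

    blacklist_class is the matched blacklist class, or None when no blacklist entry
    matched; whitelist_hit says whether a whitelist entry also covers src_ip.
    """
    if blacklist_class is None and not whitelist_hit:
        return Verdict(ACCEPT, None)           # unlisted address: policy does not apply (assumption)

    rule = policy.classes.get(blacklist_class) if blacklist_class else None
    action = rule.action if rule else policy.default_action
    log_mode = rule.log if rule else policy.default_log

    if whitelist_hit:
        # Whitelist always wins. It is logged only when it actually overrode a blacklist
        # match and the applicable log setting includes overrides.
        if blacklist_class is not None and log_mode in (LOG_OVERRIDES, LOG_BOTH):
            return Verdict(ACCEPT, f"{src_ip}: whitelist override of blacklist class {blacklist_class}")
        return Verdict(ACCEPT, None)

    if log_mode in (LOG_MATCHES, LOG_BOTH):
        return Verdict(action, f"{src_ip}: blacklist class {blacklist_class} -> {action}")
    return Verdict(action, None)
```

A useful way to read the model: a class that is listed in the policy with Accept (for example, cloud_provider_networks in an environment that expects traffic from cloud providers) is let through regardless of the policy default, while a class that is not listed at all inherits the default action, so a policy whose default is Accept silently passes every blacklist class you forgot to add.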

Assigning a global IP Intelligence policy

You can assign an IP Intelligence policy globally, to apply blacklist and whitelist matching actions and logging to all traffic.
  1. On the Main tab, click Security > Network Firewall > IP Intelligence > Policies .
    The IP Intelligence Policies screen opens.
  2. From the Global Policy list, select the IP Intelligence policy to apply to all traffic on the BIG-IP system.
  3. Click Update.
    The list screen and the updated item are displayed.
The specified IP Intelligence policy is applied to all traffic.

Assigning an IP Intelligence policy to a virtual server

You can assign an IP Intelligence policy to a virtual server, to apply blacklist and whitelist matching actions and logging to traffic on that virtual server only.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the Security menu, choose Policies.
  4. Next to IP Intelligence, select Enabled, then select the IP intelligence policy to apply to traffic on the virtual server.
  5. Click Update.
    The list screen and the updated item are displayed.
The specified IP Intelligence policy is applied to traffic on the selected virtual server.

Assigning an IP Intelligence policy to a route domain

You can assign an IP Intelligence policy to a route domain, to apply blacklist and whitelist matching actions and logging to route domain traffic.
  1. On the Main tab, click Network > Route Domains .
    The Route Domain List screen opens.
  2. In the Name column, click the name of the relevant route domain.
  3. From the IP Intelligence Policy list, select an IP Intelligence policy to enforce on this route domain.
  4. Click Update.
    The system displays the list of route domains on the BIG-IP system.
The specified IP Intelligence policy is applied to traffic on the route domain.