Manual Chapter : Managing IP Address Exceptions

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Manual Chapter

Managing IP Address Exceptions

Overview: Managing IP address exceptions

An IP address exception is an IP address that you want the system to treat in a specific way for a security policy. For example, you can specify IP addresses from which the system should always trust traffic, IP addresses for which you do not want the system to generate learning suggestions for the traffic, and IP addresses for which you want to exclude information from the logs. You can use the IP address exception feature to create exceptions for IP addresses of internal tools that your company uses, such as penetration tools, manual or automatic scanners, or web scraping tools. You can add an IP address exception, and instruct the system how to handle traffic coming from that address.

You can view a centralized list of IP address exceptions, and you can add new IP address exceptions to the list. The list of IP address exceptions shows exceptions that you add directly to the list, or those which you add from other locations, as shown by the following examples:

  • When creating a security policy, you can specify IP addresses that you want the Policy Builder to always trust.
  • When creating a security policy that is integrated with a vulnerability assessment tool, you can configure the scanner IP address as an IP address exception.
  • When setting up anomaly detection (such as for DoS, brute force, and web scraping protections), you can specify IP addresses that the system should consider legitimate (called whitelists).
  • When setting up IP address intelligence, you can add IP addresses that the system should allow even if the IP address is in the IP intelligence database.

The IP Address Exceptions list shows in one location all of the IP exceptions configured for this security policy. You can view or modify IP exceptions both from the centralized IP exception list and from the specific feature screens.

This implementation describes how to create, delete, and update the list of IP address exceptions.

Creating IP address exceptions

For each security policy, you can create a list of IP address exceptions, and indicate how you want the system to handle the traffic from these IP addresses.
  1. On the Main tab, click Security > Application Security > IP Addresses > IP Address Exceptions .
    The IP Address Exceptions screen opens, and displays a centralized list of configured IP address exceptions.
  2. Click Create.
    The New IP Address Exception screen opens.
  3. In the IP Address field, type the IP address that you want the system to trust.
    Note: To add a route domain, type %n after the IP address where n is the route domain identification number.
  4. In the Netmask field, type the netmask of the IP address exception.
    If you omit the netmask value, the system uses a default value of 255.255.255.255.
  5. To consider traffic from this IP address as being safe, for the Policy Builder trusted IP setting, select Enabled.
    The system adds this IP address to the Trusted IP Addresses setting on the Automatic Configuration screen for the Policy Builder.
  6. To ignore this IP address when performing DoS, brute force, and web scraping detection, for the Ignore in Anomaly Detection setting, select Enabled.
    The system adds this IP address to the IP Address Whitelist setting on the anomaly detection screens for DoS attacks, brute force, and web scraping.
  7. If you do not want the system to generate learning suggestions for traffic sent from this IP address, for the Ignore in Learning Suggestions setting, select Enabled.
    Note: Application Security Manager does not generate learning suggestions for requests that result in the web server returning HTTP responses with 400 or 404 status codes unless the security policy is configured to learn and block traffic (here both the Ignore in Learning Suggestions check box and the Never block this IP Address check box need to be disabled).
  8. To never block traffic from this IP address, for the Never block this IP Address setting, select Enabled.
    If the check box is cleared, a system in blocking mode blocks requests sent from this IP address according to the violation settings on the Policy Blocking Settings screen.
  9. To prevent the system from logging requests (either legal or illegal) from this IP address, for the Never log requests from this IP setting, select Enabled.
  10. To consider traffic from this IP address to be legitimate even if it is found in the IP Intelligence database, for the Ignore IP Intelligence setting, select Enabled.
    The system adds this IP address to the IP Address Whitelist setting on the IP Address Intelligence screen.
  11. Click Create.
    The IP Address Exceptions screen opens and shows all of the exceptions configured for the security policy including the one you created.
You can view and manage all of your IP address exceptions from the centralized IP Address Exceptions screen.

Deleting IP address exceptions

If you no longer want an IP address on the exceptions list, you can delete the IP address exceptions.
  1. On the Main tab, click Security > Application Security > IP Addresses > IP Address Exceptions .
    The IP Address Exceptions screen opens, and displays a centralized list of configured IP address exceptions.
  2. Select the IP address exception you want to delete and click Delete.
    The IP address exception is deleted from the list.
  3. You can also delete IP address exceptions from the anomaly detection whitelists, the IP address intelligence whitelist, and the policy building configuration. On any of these screens, select the IP address, and click Delete.
    The system removes the IP address from the whitelist on the screen. However, the IP address remains on the IP Address Exceptions screen with the related setting changed. For example, if you deleted the IP address from an anomaly detection whitelist, the Anomaly Detection column for that IP address in the exceptions list changes from Ignore IP to say Include IP.
  4. In the editing context area, click Apply Policy to put the changes into effect.

Updating IP address exceptions

You can update IP address exceptions from the centralized list of IP address exceptions.
  1. On the Main tab, click Security > Application Security > IP Addresses > IP Address Exceptions .
    The IP Address Exceptions screen opens, and displays a centralized list of configured IP address exceptions.
  2. Click the IP address of the IP address exception you want to modify.
    The IP Address Exception Properties screen opens.
  3. Change the settings as needed.
  4. Click Update.
  5. In the editing context area, click Apply Policy to put the changes into effect.