Manual Chapter : Managing IP Address Exceptions

Applies To:

BIG-IP ASM

  • 13.0.0

Overview: Managing IP address exceptions

An IP address exception is an IP address that you want the system to treat in a specific way for a security policy. For example, you can specify IP addresses from which the system should always trust traffic, IP addresses for which you do not want the system to generate learning suggestions, and IP addresses whose traffic you want to exclude from the logs. You can use the IP address exception feature to create exceptions for the IP addresses of internal tools that your company uses, such as penetration testing tools, manual or automatic scanners, or web scraping tools. When you add an IP address exception, you instruct the system how to handle traffic coming from that address.

You can view a centralized list of IP address exceptions, and you can add new IP address exceptions to the list. The list shows exceptions that you add directly to it and those that you add from other screens, as in the following examples:

  • When creating a security policy, you can specify IP addresses that you want the Policy Builder to always trust.
  • When creating a security policy that is integrated with a vulnerability assessment tool, you can configure the scanner IP address as an IP address exception.
  • When setting up anomaly detection (such as for DoS, brute force, and web scraping protections), you can specify IP addresses that the system should consider legitimate (called whitelists).
  • When setting up IP address intelligence, you can add IP addresses that the system should allow even if the IP address is in the IP intelligence database.

The IP Address Exceptions list shows in one location all of the IP exceptions configured for this security policy. You can view or modify IP exceptions both from the centralized IP exception list and from the specific feature screens.

This implementation describes how to create, delete, and update the list of IP address exceptions.

Creating IP address exceptions

For each security policy, you can create a list of IP address exceptions, and indicate how you want the system to handle the traffic from these IP addresses. From the centralized IP Address Exceptions list, you can configure whitelists or blacklists to allow or block traffic from an IP address or subnet.
  1. On the Main tab, click Security > Application Security > IP Addresses > IP Address Exceptions.
    The IP Address Exceptions screen opens, and displays a centralized list of configured IP address exceptions.
  2. Click Create.
    The New IP Address Exception screen opens.
  3. In the IP Address field, type the IP address that you want the system to trust.
    Note: To add a route domain, type %n after the IP address where n is the route domain identification number.
  4. In the Netmask field, type the netmask of the IP address exception.
    If you omit the netmask value, the system uses a default value of 255.255.255.255, which matches only the single address you typed. So, for example, to block the entire 10.10.0.0/16 subnet, specify 10.10.0.0 as the IP Address and 255.255.0.0 as the Netmask.
  5. To consider traffic from this IP address as being safe, for the Policy Builder trusted IP setting, select Enabled.
    The system adds this IP address to the Trusted IP Addresses list on the Learning and Blocking Settings screen.
  6. To ignore this IP address when performing brute force and web scraping detection, for the Ignore in Anomaly Detection and do not collect Device ID setting, select Enabled.
    The system adds this IP address to the IP Address Whitelist setting on the anomaly detection screens for configuring brute force and web scraping.
  7. If you do not want the system to generate learning suggestions for traffic sent from this IP address, for the Ignore in Learning Suggestions setting, select Enabled.
    Note: Application Security Manager does not generate learning suggestions for requests to which the web server responds with an HTTP 400 or 404 status code, unless the security policy is configured to learn and block such traffic (in that case, the Ignore in Learning Suggestions check box cannot be selected, and Block this IP Address cannot be set to Never block this IP Address).
  8. For Block this IP Address:
    • To never block traffic from this IP address, select Never block this IP Address.
    • To always block traffic from this IP address, select Always block this IP.
    • To block according to policy rules, select Policy Default.
  9. To disable logging for this address, for the Never log traffic from this IP Address setting, select Enabled.
    The system does not log requests or responses sent from this IP address, even if the traffic is illegal, and even if your security policy is configured to log all traffic.
  10. To consider traffic from this IP address to be legitimate even if it is found in the IP Intelligence database, for the Ignore IP Address Intelligence setting, select Enabled.
    The system adds this IP address to the IP Address Whitelist setting on the IP Address Intelligence screen.
  11. Click Create.
    The IP Address Exceptions screen opens and shows all of the exceptions configured for the security policy, including the one you created.
You can view and manage all of your IP address exceptions from the centralized IP Address Exceptions screen.
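The following is an added example, not code from F5 or from this manual: a small model of how an exception entry is matched according to steps 3 and 4 (optional %n route domain suffix, default netmask 255.255.255.255, subnet match via the netmask), together with a check that flags entries a reviewer would want to look at, such as very wide subnets or hosts that are both never blocked and never logged. The flag names and the longest-prefix precedence are assumptions of this model, not BIG-IP configuration keys or documented ASM behaviour.

```python
import ipaddress

DEFAULT_NETMASK = "255.255.255.255"   # applied when the Netmask field is left empty (step 4)

def parse_exception_ip(text):
    """Split 'a.b.c.d%n' into (address, route domain); without '%n' the route domain is 0."""
    addr, sep, rd = text.partition("%")
    return ipaddress.ip_address(addr), (int(rd) if sep else 0)

def make_exception(ip, netmask=None, **settings):
    """One exception entry: the matched network plus the handling flags of steps 5 to 10.
    The flag names are this model's own, not BIG-IP configuration keys."""
    address, rd = parse_exception_ip(ip)
    net = ipaddress.ip_network((str(address), netmask or DEFAULT_NETMASK), strict=False)
    entry = {"network": net, "route_domain": rd, "trusted": False,
             "ignore_anomaly": False, "ignore_learning": False,
             "block": "policy-default", "never_log": False, "ignore_ip_intel": False}
    entry.update(settings)
    return entry

def find_exception(exceptions, client_ip):
    """Return the entry that applies to client_ip, or None if no exception matches.
    Assumption of this model: the most specific (longest prefix) entry wins."""
    address, rd = parse_exception_ip(client_ip)
    hits = [e for e in exceptions if e["route_domain"] == rd and address in e["network"]]
    return max(hits, key=lambda e: e["network"].prefixlen, default=None)

def audit_exceptions(exceptions, max_hosts=256):
    """Flag entries wider than max_hosts and entries that are never blocked and never logged."""
    findings = []
    for e in exceptions:
        size = e["network"].num_addresses
        if size > max_hosts:
            findings.append(f"{e['network']} (rd {e['route_domain']}) covers {size} addresses")
        if e["block"] == "never" and e["never_log"]:
            findings.append(f"{e['network']} (rd {e['route_domain']}) is never blocked and never logged")
    return findings

def sample_exceptions():
    """Constructed sample list (not from the manual): a scanner subnet, a trusted host, a route-domain-2 host."""
    return [
        make_exception("10.10.0.0", "255.255.0.0", ignore_anomaly=True),
        make_exception("10.10.5.7", trusted=True, ignore_learning=True),
        make_exception("10.10.5.7%2", block="never", never_log=True),
    ]

if __name__ == "__main__":
    exc = sample_exceptions()
    print(find_exception(exc, "10.10.5.7")["trusted"], audit_exceptions(exc))
```

Running the module prints True (the /32 host entry wins over the /16 scanner subnet) and two audit findings: the /16 entry covers 65536 addresses, and the route-domain-2 host is never blocked and never logged.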

Deleting IP address exceptions

If you no longer want an IP address on the exceptions list, you can delete the IP address exceptions.
  1. On the Main tab, click Security > Application Security > IP Addresses > IP Address Exceptions.
    The IP Address Exceptions screen opens, and displays a centralized list of configured IP address exceptions.
  2. Select the IP address exception you want to delete and click Delete.
    The IP address exception is deleted from the list.
  3. You can also delete IP address exceptions from the anomaly detection whitelists, the IP address intelligence whitelist, and the policy building configuration. On any of these screens, select the IP address, and click Delete.
    The system removes the IP address from the whitelist on that screen. However, the IP address remains on the IP Address Exceptions screen, with the related setting changed. For example, if you deleted the IP address from an anomaly detection whitelist, the Anomaly Detection column for that IP address in the exceptions list changes from Ignore IP to Include IP.
  4. In the editing context area, click Apply Policy to put the changes into effect.

Updating IP address exceptions

You can update IP address exceptions from the centralized list of IP address exceptions.
  1. On the Main tab, click Security > Application Security > IP Addresses > IP Address Exceptions.
    The IP Address Exceptions screen opens, and displays a centralized list of configured IP address exceptions.
  2. Click the IP address of the IP address exception you want to modify.
    The IP Address Exception Properties screen opens.
  3. Change the settings as needed.
  4. Click Update.
  5. In the editing context area, click Apply Policy to put the changes into effect.