AFM Feed List - how to use?

Hi,

I just tried to set up an IP Intelligence policy that uses a Feed List. I did all the steps found in the docs, but the IP defined in my Feed List is still not logged or blocked, and I am running out of ideas about what could be wrong with my setup. The IPs in the Feed List are used to block internal users' access to sites on the Internet (users are accessing the Internet via a forward proxy defined on BIG-IP).

Scenario (based on 12.0.0HF1 VE):

  • Defined a feed.txt file containing just one entry: IP,,,
  • Created a Virtual Directory on IIS pointing to the folder with my list. All settings are OK here: I can retrieve the list using a browser and the same link used in the Feed List definition on BIG-IP. I can also see requests for feed.txt from BIG-IP; the reply is 200 OK.
  • Created a Feed List definition on BIG-IP using the defined URL and the existing Blacklist Category "additional". As I mentioned, I can see communication between BIG-IP and the IIS server hosting my Feed List.
  • Created an IP Intelligence Policy with settings like below: [image]
    BTW: I was not able to find a description of the Match Override field in the manuals, even for version 12.0.0, for either the IP Intelligence Policy definition or the Black List Category definition (Match Type). My assumption is that when Source is chosen, the IP is blocked if the connection is initiated from this IP; when Destination is chosen, the IP is blocked if it is the destination IP of the connection; and for Both Source and Destination, the IP is blocked both when it is the src IP and when it is the dst IP.
  • Assigned the Policy to the Virtual Server via Security -> IP Intelligence

After configuring BIG-IP like that I started tests. Results are as described:

  • When I start an HTTP connection via the forward proxy to the IP defined in my Feed List, nothing happens:
    • Connection is not blocked
    • Nothing is logged in Security ›› Event Logs : Network : IP Intelligence
    • iprep_lookup is reporting "iprep_lookup not found for ip"
    • The iRule using IP Reputation, [IP::reputation [IP::local_addr]], does not detect the IP as blocked or belonging to any category
  • When I use another IP in the URL, one that iprep_lookup detects as belonging to the proxy category (see the proxy category added to the IP Intelligence policy above), it is correctly detected by the iRule, the connection is blocked, and I can see entries in Security ›› Event Logs : Network : IP Intelligence

What is wrong with my configuration?

Piotr

Comments on this Discussion
Comment made 31-Mar-2016 by Chris Grant
Can you change match override to match source and destination and retest?
Comment made 31-Mar-2016 by Piotr Lewandowski 1162
Hi,

When changed on the proxy category, connections to an address from this category are not blocked. When changed on the additional category (the one assigned to my Feed List), nothing changes.

Anyway, why should setting it to source & destination start blocking if we are talking about accessing an IP defined in the Feed List from the internal LAN to the Internet? In that case the IP in the Feed List is the dst IP, not the src, the opposite of when IP Intelligence is used to protect a VS against traffic from the Internet. Or am I wrong here?

Piotr
Comment made 08-Mar-2017 by NikhilB

I would think match override would do the opposite of what is listed in "Action" item defined.

Replies to this Discussion

Hi,

The only way to block a given custom IP seems to be to add it using IP Intelligence Insert in Security ›› Network Firewall : IP Intelligence : Black List Categories.

When the IP (same as defined in the Feed List file) is temporarily added this way, it is indeed blocked by the IP Intelligence policy attached to the VS.

Some success, but I still can't make the Feed List work :-(

Piotr

Hi,

Answering my own question :-)

Feed List is a nice feature but hard to troubleshoot :-(.

In my case it turned out that my feed list file encoding was wrong. For some reason, when I created the feed list file, UTF-8 with BOM encoding was used by accident. It adds some garbage to the file. F5 does not like this garbage at all :-) I switched to ASCII encoding and everything started to work. Probably UTF-8 without BOM will work as well, but I did not have time to test.

Piotr

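The encoding problem described in the reply above can be checked before the file is published on the web server. This is an added example, not code from the thread or from F5: it assumes the comma-separated layout shown in the question (IP,,,) with the address in the first field, and the sample address is constructed.

```python
import codecs
import ipaddress

# Byte-order marks a text editor may prepend when saving a file.
BOMS = {
    "utf-8": codecs.BOM_UTF8,
    "utf-16-le": codecs.BOM_UTF16_LE,
    "utf-16-be": codecs.BOM_UTF16_BE,
}

def check_feed(data: bytes) -> list:
    """Return a list of problems found in raw feed-list bytes."""
    problems = []
    for name, bom in BOMS.items():
        if data.startswith(bom):
            problems.append(f"starts with {name} BOM ({bom.hex()})")
            data = data[len(bom):]
            break
    for lineno, raw in enumerate(data.splitlines(), 1):
        if not raw.strip():
            continue
        if any(b > 0x7F or b == 0 for b in raw):
            problems.append(f"line {lineno}: non-ASCII or NUL byte")
            continue
        # Assumption: the address is the first comma-separated field.
        first = raw.decode("ascii").split(",")[0].strip()
        try:
            ipaddress.ip_address(first)
        except ValueError:
            problems.append(f"line {lineno}: first field {first!r} is not an IP")
    return problems

def to_ascii(data: bytes) -> bytes:
    """Strip a leading BOM and re-encode the feed as plain ASCII."""
    for name, bom in BOMS.items():
        if data.startswith(bom):
            return data[len(bom):].decode(name).encode("ascii")
    return data.decode("ascii").encode("ascii")  # raises if not ASCII

# Constructed sample: the same one-line feed saved two ways.
CLEAN = b"192.0.2.10,,,\n"
WITH_BOM = codecs.BOM_UTF8 + CLEAN

if __name__ == "__main__":
    print(check_feed(WITH_BOM))            # BOM reported
    print(check_feed(to_ascii(WITH_BOM)))  # no problems after conversion
```
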
Comments on this Reply
Comment made 10-Jan-2018 by elvis chavez 54

Hi Piotr, I have a similar issue and some questions:
- Now, can you see the output of "iprep_lookup"?
- Are you using an external HTTP web server for the feed list? (for example http:/feed.txt)
Comment made 11-Jan-2018 by Piotr Lewandowski 1162

Hi,

It was a long time ago when I played with this feature. Right now I have no working config to test. Regarding the second question: yes, I used an external web server to host the feed file, and as far as I can recall it was working without issue.

Piotr
